Week 39 – 2017


  • Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice.
    HEIF Image Files Forensics: Authentication Apocalypse?

  • Avoiding Atrophy Forensics has a post on using FTK Imagers command line version.
    Command Line FTK Imager

  • Brett Shavers talks about the importance of debriefs and discussing cases. “Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better.  Debriefing cases makes future cases better.” He also discusses the importance of case-building – putting disparate pieces of information together to lead you towards your defined goal.
    Placing the Beard Behind the Keyboard

  • Oleg Afonin at Elcomsoft shows how to locate Saved Wifi networks and their passwords using Elcomsoft Phone Viewer
    Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords

  • Marcos at ‘Follow The White Rabbit’ has a post regarding the Windows Registry and the various tools built around Regripper. This included my GUI for Regripper, so thanks for the shout out Marcos 🙂
    Windows registry? Prepare the coffeemaker! Using #RegRipper

  • Alexander Sevtsov at Lastline examines “a malicious Hangul Word Processor (HWP) document file”
    Uncovering Nation-Specific, Targeted Attacks ( . . . without Knowing Korean)

  • The guys at Magnet Forensics interviewed Bob Elder, the CEO of Teel Technologies Canada and “discussed what he and his team were up to and the importance of partnership in providing meaningful solutions to the forensics community”.
    Magnet Forensics and Teel Technologies are Partnering on a Demo Roadshow

  • Jamie McQuaid at Magnet Forensics walks through using the newly released Axiom Cloud to extract data from various cloud sources.
    How to Acquire and Analyze Cloud Data with Magnet AXIOM Cloud

  • Marc Padilla examines his network traffic to understand the contents of encrypted BitTorrent traffic.
    Determine the Contents of Encrypted BitTorrent Traffic

  • Lorna Hutcheson at the SANS Internet Storm Centre was asked a question by a reader regarding TCP flags.
    Good Analysis = Understanding(tools + logs + normal), (Fri, Sep 29th)

  • Heather Mahalik at Smarter Forensics takes a look at parsing the SMS database from iOS 11. She also shares some of her testing methodology which shows how different tools interpret the data, or how different extraction methods result in different data being presented. I also liked her point about it being a requirement for vendors to provide access to the databases/configuration files. This is both for manual verification, and for accessing the data from apps that aren’t supported.
    Time is NOT on our side when it comes to messages in iOS 11

  • Over on my ThinkDFIR site, I decided to play around with APFS and have a look at how some of the tools interpreted the volume. On Windows, none of the tools can do anything with the drive; the most recent update to X-Ways will identify that the volume is APFS but that’s it. So as Steve Whalen said in his presentation, you will need a Mac in the equation (or at least OSX….Hackintosh/VM may work). I also just added another part at the bottom for mounting an APFS image so that a user can look at its contents on OS X High Sierra (I think that you can only use High Sierra, but haven’t checked if it will work on the previous OSX). My next test will be to take Blacklight and see if I can examine the mounted drive in a logical fashion.
    Playing with APFS

  • Yogesh Khatri at Swift Forensics shares some code for 010 editor and Python for interpreting APFS timestamps, which are represented as the “number of nano-seconds since 1-1-1970”.
    APFS timestamps







  • Elcomsoft updated their Phone Viewer tool to version 3.50, adding iOS 11 support, as well as an Application and WiFi view to see which applications and wireless networks are stored on the device.
    Elcomsoft Phone Viewer 3.50 Adds iOS 11 Support, New Applications and Wi-Fi Plugins

  • Phil Harvey updated ExifTool to v10.62 (development release), adding some new tags and fixing some bugs.
    ExifTool 10.62

  • Adam at Hexacorn updated DeXRAY to version 2.02, adding “Zemana <hash> files+quarantine.db”.
    DeXRAY 2.02 update

  • Mobiledit Forensic Express 4.2 has been released with support for iOS 11, as well as other feature improvements and app parsers.
    Forensic Express 4.2 Released!

  • X-Ways Forensics 19.4 SR-2 was released with a few bug fixes and the “ability to recognize APFS volumes”. It should be noted that the update doesn’t allow X-Ways to parse the APFS volumes, just identify what they are, allowing an examiner to identify which direction their examination needs to take.
    X-Ways Forensics 19.4 SR-2

  • X-Ways Forensics 19.5 Preview 1 was released with a variety of new features.
    X-Ways Forensics 19.5 Preview 1

And that’s all for Week 39! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s