Week 40 – 2017


  • Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file.
    Security ID and $Secure

  • Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators update. He has also updated his AmcacheParser to deal with the new format and advises that “any tool that has been parsing amcache.hve will break when used on these new formats as the old keys and value names no longer exist”. Whilst the update removes MFT information and volume information for each file entry as well as the “key for each program that tracked a (generally accurate) list of all the files associated with said program”, it also adds a lot more new data.
    (Am)cache still rules everything around me (part 2 of 1)

  • The BlackBag Training Team has posted some information about dealing with APFS. Their current recommendation is to copy “the files to a DMG formatted as HFS+ so that the examiner can lock it and import easily into BlackLight”. They also released a how-to guide for an imaging workaround using MacQuisition 2017 R1.
    Apple File System in Mac Forensic Imaging and Analysis

  • The guys at Cyber Forensicator shared a presentation by Tomer Teller at Microsoft regarding “how unique insights from Microsoft help you defend against attacks”.
    Cloud attacks illustrated: How unique insights from Microsoft help you defend against attacks

  • They also shared an article from the Journal of Digital Investigation (volume 22, supplement) on DJI Phantom III forensic analysis.
    DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III

  • Jason Hale at Digital Forensics Stream shares a Win10 registry subkey that can be used to identify program execution and file access. Eric Zimmerman also has completed a Registry Explorer plugin to extract the data.
    RecentApps Registry Key

  • Oleg Afonin at Elcomsoft covers “the steps required to access the list of apps installed on an iOS device” using Elcomsoft’s tools.
    Obtaining Detailed Information about iOS Installed Apps

  • Alex Maestretti at Netflix provides an update on their project of moving “towards a streaming model for disk forensics by updating various existing tools that are built around the concept of imaging a single machine and creating a file.”
    Update: Disk Forensics as a Microservice

  • Jessica Hyde at Magnet Forensics explains that it’s possible to force a cloud backup on an iOS 11 device without knowing the unlock PIN. If the user has set up 2FA then it’s possible to obtain the verification code using the user’s fingerprint. You will still need the user’s iCloud credentials.
    How to Acquire an iOS 11 Device Without the PIN/Passcode

  • Jeremy Scott at NTT Security shows how to use Volatility to identify malware within a memory image.
    Hunting Malware with Memory Analysis

  • Andrea Fortuna at ‘So Long, and Thanks For All The Fish’ has a few posts this week.
  • Patrick Olsen at System Forensics has begun a series on Office 365 with the intent of covering “a range of use cases and address them from a security monitoring and response standpoint”. This post covers his setup and compares E3 and E5 licenses.
    Office 365 (O365) Security Use-Case Series

  • Howard Oakley at ‘The Eclectic Light Company’ has reverse-engineered Apple’s logarchive bundle format and “as a result, a new version of MakeLogarchive will generate logarchives which can be opened using Consolation, Apple’s Console, and the log command in Terminal”. Howard then provides a walkthrough of using the tool.
    MakeLogarchive enables Consolation to read individual log files

  • Pieces0310 points out that EnCase (version unknown, but it’s 7 or 8) may not list all previously connected devices in “USB Records”. This was shown by examining the link files and seeing that another device had been connected that had not been observed in the previous section. It appears that the author then examined the registry with another tool to provide additional information about the other device.
    EnCase missed some usb activities in the evidence files – Pieces0310


  • Monty St John at Cyber Defenses shows how to apply YARA detection to downloaded HTML pages.
    A YARA Adventure in HTML

  • Adam at Hexacorn shows a registry entry related to Winsock that can be used to execute a DLL.
    Beyond good ol’ Run key, Part 66

  • Jared Atkinson at SpecterOps shares the pros and cons of “three different concepts [they] use to describe detections”.
    Thoughts on Host-based Detection Techniques

  • Henrik Johansen shares a system for automating memory forensics across an environment. By taking scheduled memory dumps across the entire organisation (using a scheduled task and F-Response), extracting the relevant artefacts with Volatility, and loading them into a log management tool (in this case Humio), “we no longer have to work with a dump — we can work with data from all of them.”
    Automating large-scale memory forensics






And that’s all for Week 40! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
