Week 41 – 2017


  • Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal.

  • Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10.
    USN and range tracking

  • Adam Harrison at 1234n6 took a look at the Windows Subsystem for Linux (WSL) introduced in the Windows 10 Anniversary update in a couple of posts.
    • The first examines the “Windows Subsystem for Linux (WSL) and how to identify it is installed on a system you are analysing”. I like that Adam also provides a method for installing the WSL for systems not connected to the Internet (and wish Microsoft would make an easier way to do this). Examiners can identify that WSL has been enabled by locating bash.exe, as well as the “Lxss\rootfs” directory and associated registry key.
      Windows Subsystem for Linux and Forensic Analysis
    • The second provides some insight into some of the user activity based artefacts that can be found on the WSL. Interestingly, you can have multiple instances of the WSL installed, not only one for each user but “multiple userlands can be installed side by side” (although this is unconfirmed). There’s a lot of useful information in here that people should refer back to if the WSL has been used on a system.
      Forensic Analysis of Systems which have Windows Subsystem for Linux Installed

  • Marco Fontani at Amped explains how Amped Authenticate can be used to determine if two photos were taken with the same camera. This is performed by analysing the Photo Response Non-Uniformity (PRNU) noise. They recently released an update for the tool as “many of our users told us that the filter was hard to configure, and results were not easy to interpret.”
    PRNU-based Camera Identification in Amped Authenticate

  • The Blackbag Training Team has updated their blog post from last week to add in the method for mounting images of drives with 4k sectors.
    Apple File System In Mac Forensic Imaging And Analysis

  • Brett Shavers walks through a case study involving digital evidence. There’s also an important announcement at the end regarding his webinar and course.
    Case study – Placing the Suspect Behind the Keyboard

  • Brett also recommends that prospective LE employees probably shouldn’t refer to themselves as hackers as this is a red flag.
    If you are a “Self-Proclaimed Hacker” looking for a job in LE…

  • Cheeky4n6Monkey has been dissecting the new HEIF/HEIC image format. This post includes methods of viewing or converting HEIF photos and videos, as well as what he’s learnt about the file format itself.
    Monkey takes a .heic

  • Jon Baumann at Ciofeca Forensics takes a look at iCloud Notes and provides a script to decompress and extract them.
    There’s Gold In Them There Blobs!

  • The guys at Cyber Forensicator shared a few articles this week
  • Digital Forensics Corp shared a tool called psad, which “is a lightweight system daemon [which] is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more.”
    Intrusion Detection and Log Analysis

  • Nanni Bassetti has an article on Forensic Focus showing how to use Imm2Virtual to boot a forensic image as a virtual machine. Imm2Virtual uses a combination of Arsenal Image Mounter and Virtual Box “to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it”.
    Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

  • Also on Forensic Focus, Haider H. Khaleel has posted a paper on different digital forensics methodologies. “This paper proposes a new methodology, Focused Digital Forensic Methodology (FDFM), that is capable of eliminating the data volume issue and the lack of focus with the current digital forensic methodologies.”
    Focused Digital Forensic Methodology

  • Christopher Vance at Magnet Forensics walks through the process of examining an unknown iOS app. In this case he takes a look at the data stored by the Anti-Chat app. Not shown specifically, but afterwards Chris built a custom artefact, which means that this knowledge will be saved and shared.
    Supporting the Unsupported: Locating and Analyzing Information from New Mobile Apps

  • Alex Maestretti at Netflix shares some thoughts on memory forensics across a variety of topics – Desktops vs Datacenters vs Microservices, System vs Process Memory, Cloud Deployments, Containers, and Interpreted Languages.
    Memory Forensics in Clouds and Containers

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has a post covering a variety of topics on the NTFS file system including the structure of the file system, the MFT, last access times, and Alternate Data Streams.
    Some thoughts about NTFS Filesystem

  • Howard Oakley at ‘The Eclectic Light Company’ provides some information about the unified logging found across Apple’s operating systems.
    Inside the macOS log: logd and the files that it manages

  • Howard also showed that the logd log can help identify which processes were used on which day (up to months in the past). “Although the information contained in the logd logs is very detailed, and very extensive, it doesn’t discriminate between users, and doesn’t show what anyone was doing with those processes”. “It does, though, give great insight into the activity of different processes on that Mac over a surprisingly long period.”
    What’s your Mac been up to for the last 3 months? Inside macOS’s hidden activity records


  • Countercept have a post about the importance of network analysis in threat hunting. “It’s important to analyse other data sources to corroborate the indicators found at endpoints and create further opportunities to detect stealthier attacks. Foremost among these other sources are log and network analyses.”
    What Is Good Network Analysis?

  • Monty St John at CyberDefenses demonstrates using hashes in YARA rules.
    YARA Hashing Magic

  • Didier Stevens shared “2 Suricata rules to detect Active Directory replication traffic between a domain controller and a domain member like a workstation”.
    Quickpost: Mimikatz DCSync Detection

  • Joe Desimone at Endgame investigates “an emerging trend of adversaries using .NET-based in-memory techniques to evade detection.” Joe discusses “both eventing (real-time) and on-demand based detection strategies of these .NET techniques”.
    Hunting for In-Memory .NET Attacks

  • Kathayra at ‘Happy Threat Hunting’ describes the roles in a threat hunting team, explaining that individual hunters work well for small organisations but the model doesn’t scale well. These roles are the hunt lead, gatherer, hunter, and tracker.
    Pack Hunting

  • Didier Stevens at NVISO Labs shares a couple of “YARA rules to detect [Dynamic Data Exchange] in Office Open XML files (like .docx)”. “These rules can be used in combination with a tool like zipdump.py [or ClamAV] to scan XML files inside the ZIP container with the YARA engine”.
    Detecting DDE in MS Office documents

  • Didier also examines some of the documents captured with the rules.
    YARA DDE rules: DDE Command Execution observed in-the-wild

  • Scott Koegler at IBM’s Security Intelligence blog lists five questions to consider when developing an incident response plan.
    How an Effective Incident Response Plan Can Help You Predict Your Security Future

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ looks at Process Hollowing and detecting it with Volatility.
    Understanding Process Hollowing

  • Pablo Delgado at Syspanda shows what sysmon logs one would see when a user clicks on an e-mail and subsequently executes a malicious macro-laden document.
    Threat Hunting with Sysmon: Word Document with Macro




  • ACELab have updated their PC-3000 UDMA board, improving data transfer speeds, as well as overall stability.
    New enhanced PC-3000 UDMA is getting even more efficient!

  • Kate Brew at AlienVault commented on a previous poll she put up on Twitter regarding coding in InfoSec. It seems that some people think that coding is a requirement and some think there are many ways to contribute. My two cents is that learning to write basic scripts at school and university made me in no way a proficient programmer, but I can mess around with the scripts I find online and see what they’re doing (and more often than not, understand why I can’t get them to execute). It’s not a requirement, but it a) makes it easier to figure out why things aren’t working and b) helps you compartmentalise your knowledge so that you don’t make mistakes later and can easily share your work with others.
    Do InfoSec Folks Need to be Able to Write Code?

  • Chris Sanders provides some strategies for applying deliberate practice to InfoSec. A key takeaway from Malcolm Gladwell’s book “Outliers” is that 10,000 hours of practice at a skill is what is required to become a master. This has largely been misquoted; in actuality what Gladwell was proposing was based on Anders Ericsson’s work, which suggests that deliberate practice is what makes someone a master. Chris shows how doing so helped him improve in one aspect of his life, and how a practice plan can assist practitioners in tracking tasks that support their improvement.
    Gaining Technical Experience with Deliberate Practice

  • Dave at Demux looks into the units that the “Duration Slider in the Clip Attributes panel uses.”
    DVR Examiner – Features – Clip Attributes

  • DFIR Guy at DFIR.Training has a post about sharing and DFIR Door Kickers. First off: yes, I dislike that my name is in the title of a blog post, but that comes with putting your work out there; yes, I’m going to hide in my corner now 🙂 Thankfully, my workplace affords me a lot of out-of-office time, so I choose to spend that time learning and reading; putting it out weekly means I have a deadline to force myself to keep up. Without everyone else actually doing the research I’d have little to talk about. Regarding this: “If you don’t write anymore, or you don’t write enough, don’t worry. You won’t be in his blog”; this is only a partially true statement – it’s not about how often you write. If you write it and I can find it (note: if I can’t find it, then a lot of people can’t find it either), then I’ll share it. The caveat is if it’s obvious marketing stuff and has little “value” to practitioners then I’m not including it (or if you specifically ask me not to, which doesn’t happen often). And hopefully we can get more people writing more – you never know when some small piece of information can help someone solve their problem – it also gives me more content to write about, but hey, what better way to spend a Sunday than sitting in a food court because they have free wifi 🙂
    The Phill Moore Effect

  • Marcos at ‘Follow The White Rabbit’ walks through various aspects of Eric Zimmerman’s Registry Explorer (which, if it isn’t already one of your go-to registry viewers, I’d suggest taking a look at).
    Another view of Registry: I do It with #RegistryExplorer. And you?

  • The guys at Forensic Focus posted a couple of interviews this week
  • Megan Sawle at Infosec Institute took a look at the salaries one can expect in the digital forensics field.
    Average Forensic Computer Analyst Salary 2017

  • Victoria Berry at Magnet Forensics interviewed Lee Whitfield about his background and the famous Forensic 4:Cast awards. Lee has done a great job with the awards for the better part of a decade, and I’m very excited to see what happens next year (and also not confident how I’d fare against AboutDFIR and DFIR.Training in a category). If I’m lucky I’ll be able to watch the awards live at the 2018 DFIR Summit as well :).
    The 4:cast is Bright: a Q&A with Lee Whitfield

  • Nick Raedts’ blog has been named one of the top 15 forensics blogs on Feedspot. Congrats Nick!
    Awarded top 15 Forensic blog

  • Vitaliy Mokosiy at Atola Technology explains the difference between a variety of storage technologies.
    Untangling terms: M.2, NVMe, USB-C, SAS, PCIe

  • Nick Harbour at FireEye shares the winners and solutions to the 2017 Flare-On Challenge.
    2017 Flare-On Challenge Solutions


And that’s all for Week 41! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
