Week 42 – 2017


  • Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated.
    $LogFile (1)

  • Adam Harrison at 1234n6 continues his investigation into the Windows Subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install multiple userlands/distributions side by side”. Installation via the Windows Store results in these distros being stored within the WindowsApps folder. The associated file systems are then created within the user’s local AppData Packages directory. Interestingly, because the new WSL distros are Windows Store apps, “prefetch is not created or updated (unlike when launching Bash installed via the Beta method).”
    Further Forensicating of Windows Subsystem for Linux

  • Arsenal Consulting tweeted out a comparison between last write times from the active SOFTWARE hive and the Fast Boot SOFTWARE hive in Win8/8.1/10. This shows that the last write times for the same keys were different (with the fast boot hive’s being later).
    Check out @ArsenalArmed’s Tweet

  • The Blackbag Training Team has taken a look at the iOS 11 Do Not Disturb While Driving feature. I like how they explain the feature as the user would use it before looking at the plists the device uses to store the data.
    iOS11- Do Not Disturb While Driving Analysis

  • The guys at CCL Group have compiled some information about the HEVC/HEIF files on iOS11 and various ways to access and convert the files for viewing.
    iOS 11: HEVC and HEIF (heic) files

  • Jason Hale at Digital Forensics Stream has a post “focused on the new information concerning storage devices tracked in the amcache, specifically in the Root\InventoryDevicePnp key”. “The amcache doesn’t store the depth of USB device information found in the SYSTEM hive or other well-known locations, but it provides an additional data point that helps to corroborate and/or supplement data harvested from other areas.”
    Amcache and USB Device Tracking

  • Dave at EasyMetaData has updated his FindUSBMSC script.
    Update to FindUSBMSC.py for #macos #USBMSC parsing #dfir

  • Oleg Afonin at Elcomsoft compares iOS and Android’s security and how they affect physical data acquisition. Basically, over time the devices are getting more and more secure out of the box.
    iOS vs. Android: Physical Data Extraction and Data Protection Compared

  • There were a couple of posts on the Forensic Focus blog this week
    • They shared a paper by Frank Block and Andreas Dewald on Linux memory analysis. This report is an extended version of their DFRWS paper.
      Linux Memory Forensics: Dissecting the User Space Process Heap
    • They also shared (well, Scar shared an article she co-wrote) a paper by Oleg Skulkin & Scar de Courcier on creating a forensic image of a drive using FTK Imager and Dc3dd, and then mounting the image with Arsenal Image Mounter.
      Windows Drive Acquisition

  • Russ McRee at HolisticInfoSec has started a two-part series based on his presentation titled “DFIR Redefined: Deeper Functionality for Investigators with R”. This shows how R can be applied to DFIR to “interface with data via file ingestion, database connection, APIs and benefit from a wide range of packages and strong community investment”.
    toolsmith #128 – DFIR Redefined: Deeper Functionality for Investigators with R – Part 1

  • There were a couple of papers shared on the SANS Information Security Reading Room this week
  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has written a few posts this week
  • Over on my ThinkDFIR site, I wrote an article about one of the documents that I create to assist my analysis jobs. This is an examination report document that I write as a sort of stream-of-consciousness for me to digest at a later stage (i.e. before Court) and quickly get back up to speed with the job and my findings/thinking at the time of my examination.
    Documenting My Work

  • Troy Schnack has started a new blog and for his inaugural post has written about the “Hide It Pro” Android app. This is an app that hides data for the user and has the ability to encrypt files. I’ve had a look at a few of these apps and this is one of the only ones I’ve seen that legitimately encrypts the files it says it will (I’ve seen other apps that say they do, but they just change the filename). If the app is deleted and you don’t have the passcode you’d have to pull the APK code, find the decryption algorithm, and write your own brute-forcer.
    Hide It Pro App Forensics – Android


  • Mari Degrazia at ‘Another Forensics Blog’ has started a short series on malicious Powershell scripts. This post covers hunting for malicious PowerShell artefacts and decoding obfuscated scripts. Mari walks through a few examples where she locates obfuscated PowerShell artefacts and then is able to recover some useful IoCs.
    Finding and Decoding Malicious PowerShell Scripts

  • Adam Orton at Countercept provides “a short analysis of the various layers and components of [WSF payloads both on client networks and uploaded to open-source malware repositories that are obfuscated using the “MegaCrypter”] that need to be decoded”. Adam also provides a YARA rule and decoder script.
    Why Megacrypter is a ‘megafail’

  • Digital Forensics Corp shared a couple of articles this week
  • Giovanni Vigna at Lastline shares his thoughts on breach detection systems and threat hunting.
    From Trapping to Hunting: Intelligently Analyzing Anomalies to Detect Network Compromises

  • Nina Smith and Ramnath Venugopalan at McAfee Labs share the findings from a recent study of “more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities.” They also list six core logs that top-tier SOCs use to identify attacks.
    Tips for Effective Threat Hunting

  • There were a couple of posts on the SANS Internet Storm Centre this week
  • Pablo Delgado at Syspanda shares a script “that was created to check on the health for Logstash and Elasticsearch nodes”. “This is very helpful if you aren’t running x-pack, or if you aren’t using other 3rd party tool to check the health status of your ELK nodes.”
    Logstash Master Script for ELK

  • US-CERT has released some details on a “multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector”
    Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors


  • AccessData will be hosting a number of webinars based on some of their “most popular hits of the recent past”.
    By Popular Demand – Live Training Webinars!

  • Brett Shavers hosted a webinar during the week, which apparently had audio issues; as a result, he’s going to keep doing them. The downside is that they are limited to 50 attendees, and “the sessions will not remain online past the dates presented as recordings. These are one-time training sessions not to be repeated.” Information about the next case study can be found here
    Drop the mic…please.

  • Katana Forensics will be hosting a webinar on their new Lantern Triage product on Nov 1st at 1pm ET
    Please register for ‘Lantern Triage Webinar’

  • Jessica Hyde at Magnet Forensics will be hosting a webinar on how IoT devices will impact forensics on November 13th @ 1:00PM EDT.
    Making IoT Relevant

  • Magnet Forensics will be hosting two webinars on Atlas, the case management tool that they recently purchased. These webinars will take place Tuesday, November 7th @ 9:00AM EDT and Wednesday, November 8th @ 1:00PM EDT
    From Intake to Court: Using Case Management to Stay on Track

  • Didier Stevens has updated oledump to version 0.0.29, adding “support to decode strings like UNICODE strings (-t), and can dump strings (-S)”
    Update: oledump.py Version 0.0.29

  • Didier also updated base64dump.py to version 0.0.8 adding “support to decode strings like UNICODE strings.”
    Update: base64dump.py Version 0.0.8

  • Digital Detective updated NetAnalysis to v2.7 and HstEx to v4.7. “This version of NetAnalysis® introduces support for a number of new browsers as well as adding support for the latest release versions of existing browsers which are already supported.” “This release of HstEx® adds the ability to recover a number of new artefacts as well as adding support for three new browsers. We have also made a number of changes to support the updates released by the browsers already supported.”
    NetAnalysis® v2.7 and HstEx® v4.7 Released

  • Phil Harvey has updated ExifTool to version 10.64 (development release), adding new tags and fixing some bugs.
    ExifTool 10.64

  • Sarah Edwards at Mac4n6 updated her Mac MRU Parser to version 1.3 to support the new .sfl2 MRU files.
    Script Update – Mac MRU Parser v1.3 – New 10.13 *.sfl2 MRU Files

  • Magnet Forensics updated Axiom to version 1.2.1, adding support for iOS11 and Android Oreo, as well as other improvements.
    Magnet AXIOM 1.2.1 Supports iOS 11 and Brings Other Enhancements

  • Microsystemation has released XEC v2.0 and Kiosk and Tablet v7.5. XEC adds a “Tailored personalization for each export type in the updated GUI [and a] new option to archive the output into one or more .zip files”. “Kiosk and Tablet v7.5 can now be networked”
    New XEC v2.0 now available: XEC Director, Export & Express and MSAB Kiosk v7.5

  • Passmark updated OSForensics to version V5.2.1001 with some bug fixes and updates to the triage wizard.
    V5.2.1001 – 18th of October 2017

  • Stroz Friedberg released plistutils, a library that provides a “number of convenience functions for dealing with Apple Property List files” with the goal of providing “a single, comprehensive Python library for dealing with all aspects of Plist parsing.”

  • Version 4.5.0 of both the Sleuth Kit and Autopsy was released during the week with some new features and bug fixes. The correlations database in Autopsy is interesting – it stores artefacts in a separate database so that you can identify connections between different cases.

  • “A new download of v8.5.3 of the viewer component is now available. It includes one security fix, apparently to protect the software against malformed TIFF files (just a guess, did not find an official description). The update is probably recommendable.”
    X-Ways Viewer Component

And that’s all for Week 42! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
