Week 43 – 2017

I wanted to start this post slightly differently; last week a colleague lost his fight with cancer – he was one of the founding members of the organisation that I work at, and the lack of his presence will be noticed across the command.

Some people have been very kind to donate to my work on the monthly podcast, and I’m planning on passing on the donations for this month to Lifehouse, a cancer treatment and research centre in Sydney, in John’s memory.

If anyone would like to contribute (you can sign up and then cancel the recurring payment next week), I’ll be sending whatever money is received when the podcast is posted on Tuesday.

Rest in peace mate.

And now onto the forensics news of the week.


  • Hideaki Ihara at the Port 139 blog takes a look at how the defragmentation process affects the NTFS $LogFile.
    $LogFile (2) and Defrag

  • Brett Shavers continues to expound the benefits of case studies, describing how he was forced to sink or swim on a number of occasions and how analysing what others had done before him had helped.
    Case studies are more helpful than you may think

  • Jon Baumann at Ciofeca Forensics has released a new tool, SQLite Miner. This tool goes through the blob data in an SQLite database and assists in identifying what that data may be (based on magic numbers). “SQLite Miner is one tool that could be very beneficial for the forensic examiner to inform that manual analysis of a new application, find relevant data within a SQLite database of interest, or search across a larger set of backup folders to automatically export all embedded files for easier searching.” Jon then explains various cases where this tool would be useful.
    Mining Hidden Gems With SQLite Miner
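To illustrate the idea behind blob mining described above, here is a small added example (not SQLite Miner’s own code) that walks every table in an SQLite database, checks each BLOB column against a constructed magic-number table, and reports what each embedded file appears to be. The sample database and its blobs are constructed inline.

```python
import sqlite3

# Constructed magic-number table: leading bytes -> file-type label.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"bplist00", "bplist"),
    (b"SQLite format 3\x00", "sqlite"),
]

def identify(blob):
    """Return a file-type label based on the blob's leading bytes, or None."""
    for sig, label in MAGIC:
        if blob[: len(sig)] == sig:
            return label
    return None

def _q(name):
    """Quote an identifier so odd table/column names cannot break the SQL."""
    return '"' + name.replace('"', '""') + '"'

def mine(conn):
    """Scan every user table and return (table, column, rowid, type) for each
    BLOB whose leading bytes match a known signature."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({_q(table)})")]
        for row in conn.execute(f"SELECT rowid, * FROM {_q(table)}"):
            rowid, values = row[0], row[1:]
            for col, val in zip(cols, values):
                if isinstance(val, (bytes, memoryview)):
                    label = identify(bytes(val))
                    if label:
                        hits.append((table, col, rowid, label))
    return hits

def build_sample_db():
    """Constructed in-memory database resembling an application cache table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cache (id INTEGER PRIMARY KEY, key TEXT, data BLOB)")
    conn.executemany("INSERT INTO cache (key, data) VALUES (?, ?)", [
        ("avatar", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),   # PNG header, dummy body
        ("settings", b"bplist00" + b"\x00" * 8),           # binary plist header
        ("note", b"plain bytes with no known signature"),  # should not match
        ("doc", b"%PDF-1.4\n%dummy"),                      # PDF header
    ])
    conn.commit()
    return conn
```

Tables declared WITHOUT ROWID would need their primary key selected instead of rowid; the example assumes ordinary rowid tables.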

  • Jon also released his Make Analysis Great Again (MAGA) tool to assist in automating some of the command line input for the tools used in the SANS500 course. I’m in two minds about scripts like this: on one hand, it’s awesome to remove the typing and potential errors (which is why I wrote a similar script for my RegRipper GUI). But on the other, I would also want students not to rely on it; sometimes the tools aren’t displaying all of the data by default, for example. Either way, I do like the concept of removing the typing and just getting you the data to analyse; that’s always useful.
    Make Analysis Great Again (or never type the same thing twice)

  • The guys at Cyber Forensicator posted a few times this week
  • Vladimir Katalov at Elcomsoft covers a couple of topics in this post (although I think the marketing rant wasn’t necessarily related to the post). The marketing section is definitely worth reading though: I read a lot of advisories by companies about how their tool is the most amazing thing, and usually it’s good to read them with a grain of salt. Not every tool is the panacea, but they should be considered for their merits because everyone picks different sections of this enormous field to focus on. Vladimir then walked through a case study where they used a variety of their tools to obtain data from iCloud.
    How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed

  • Ryan Duquette has a guest post on the Magnet Forensics blog on how to use AXIOM to assist in an insider threat investigation.
    Insider Threats! Using Magnet AXIOM to Prevent and Investigate Intellectual Property Theft

  • Mark McKinnon has released an Autopsy plugin for custom reporting.
    Custom Reports For You

  • Joe Babineau at Nuix has a post about deduplication, including a video on the ways that Nuix performs the task.
    Mastering Global and Custodial Deduplication in Nuix

  • Heather Mahalik at Smarter Forensics provided a list of her favourite mobile forensics tools and her reasons why.
    My Handy Smartphone Toolbox

  • There were a couple of posts on the Leahy Center for Digital Investigation blog:
    • “The VMWare Analysis team is researching the differences between a Windows 7 machine and Windows 7 virtual machine (VM) as well as the changes between a Windows 10 machine and VM” and shared their first update. “So far, the only identified difference between the VM and the Machine is in the prefetch files”.
      VMWare Analysis Update 1
    • The Application Analysis team shares their first update. They will be looking at the artefacts left on Win10 by the Steam, LastPass, and Fitbit applications.
      Application Analysis Update 1

  • Pieces0310 briefly mentions that Responder Pro 3.1.3 can be used to analyse Win10 memory dumps.
    Responder Pro new version could analyze Win10 memory dump – Pieces0310

  • Pieces0310 also shows that USB device information can be found in the “Microsoft-Windows-Kernel-PnP%4Configuration.evtx” event log on Win10.
    How to find missing USB Records? – Pieces0310

And that’s all for Week 43! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!