Week 44 – 2017

Just wanted to say thanks first up to the Patreon donors for the latest podcast episode. For those that didn’t see last week’s post, I’ll be donating the proceeds from this month’s show to the Lifehouse cancer research and treatment centre.

FORENSIC ANALYSIS

  • Dan Pullega at 4n6k posts how he identified the answer to a question I posted on Twitter. I kept coming back to the prefs.js file, but didn’t realise that the file is only rewritten when the program is closed. As Firefox is open source, Dan was able to help by pulling the source code and locating the sections relevant to my query. Thanks Dan!
    Forensics Quickie: Identifying “Clear Recent History” Settings for an Old Version of FireFox
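
    Since prefs.js is only rewritten on a clean exit, the settings it holds are the ones in force at the last shutdown, which is exactly what you want when the question is whether history was being wiped automatically. The following parser is an added example for this post, not Dan’s code or anything from Mozilla. It pulls every user_pref() line out of a prefs.js and summarises the clear-on-shutdown configuration. The pref names privacy.sanitize.sanitizeOnShutdown and privacy.clearOnShutdown.* are the ones current Firefox builds use; the sample file content is constructed, and the older-version pref names Dan’s post deals with are not reproduced here.

```python
import re
from typing import Dict, Union

PrefValue = Union[str, int, bool]

# prefs.js is a flat list of lines of the form
#   user_pref("pref.name", value);
# where value is a double-quoted string, an integer, or true/false.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$'
)


def _parse_value(raw: str) -> PrefValue:
    """Turn the textual value of a user_pref() into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        # Firefox backslash-escapes quotes and backslashes inside string prefs.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs_js(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref() line; comments are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def shutdown_sanitize_settings(prefs: Dict[str, PrefValue]) -> dict:
    """Summarise what Firefox was configured to wipe when it exited.

    Note: because prefs.js is written out on shutdown, this reflects the
    configuration at the last clean exit, not necessarily the current UI state.
    """
    enabled = bool(prefs.get("privacy.sanitize.sanitizeOnShutdown", False))
    categories = {
        name.rsplit(".", 1)[1]: value
        for name, value in prefs.items()
        if name.startswith("privacy.clearOnShutdown.") and isinstance(value, bool)
    }
    return {"sanitize_on_shutdown": enabled, "categories": categories}


# Constructed sample prefs.js content (not from a real profile).
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1509494400);
user_pref("browser.startup.homepage", "https://example.invalid/\"home\"");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
'''

if __name__ == "__main__":
    parsed = parse_prefs_js(SAMPLE_PREFS_JS)
    summary = shutdown_sanitize_settings(parsed)
    print("sanitize on shutdown:", summary["sanitize_on_shutdown"])
    for category, on in sorted(summary["categories"].items()):
        print(f"  {category:<10} {'wiped' if on else 'kept'}")
```

    Run it against a copy of prefs.js from the profile directory rather than the live file, and check the file’s modification time against the last Firefox shutdown you can place from other artefacts; a prefs.js that predates a crash will not reflect any change made in that final session.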

  • John Walther at Carpe Indicium has a post regarding the forensic artefacts left by the program Eraser when it is installed and opened.
    Forensic Artifacts of Eraser – part 1

  • There were a number of posts by Cyber Forensicator this week
  • The guys at Digital Forensics Corp shared a paper by Cosimo Anglano, Massimo Canonico, and Marco Guazzone titled “Forensic Analysis of Telegram Messenger on Android Smartphones”.
    Forensic Analysis of Telegram Messenger

  • Vladimir Katalov at Elcomsoft has a couple of posts this week
    • The first discusses the major issues with getting into a locked iPhone. Overall, Apple’s security has improved a lot in recent years, meaning locked devices are getting harder and harder to get into. Vladimir lists a few scenarios and the information that you’re able to obtain in those situations.
      Can You Unlock That iPhone?
    • The second is a fairly lengthy look at the history of iOS security and forensics. It covers topics including iOS backups (and the data that isn’t backed up), trust relationships with computers, physical acquisition of older iOS devices, and iCloud acquisition.
      The art of iOS and iCloud forensics

  • Cindy Murphy at Gillware Digital Forensics describes a recent examination where an employee’s workstation turned up with its files cleared off it. During her investigation, she identified that the user had run a Windows system reset, which deleted the user’s files (leaving them orphaned, but easily recoverable with metadata intact). Cindy also explains that Windows logged a lot of the activity.
    Forensic Case Files: Windows Update Did It!

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • Atola have shared their Insight manual online
    Check out @atola_insight’s Tweet

  • Brett Shavers had a couple of posts this week
    • The first introduces Brett’s new case study series. For $125 (per year, I’m guessing), Brett will give you access to the various case studies that he has recorded, and will record. He intends to produce between 4 and 8 case studies a month, each 15-45 minutes long. Brett also has a “short-run promo price that includes 3-month access to the Case Studies Series and also to the X-Ways Forensics Practitioner’s Guide Online Course for $95”. I’ve recently completed the X-Ways course, and it was really great – especially when you’ve got the tool open and need to remember how to do something, you can jump to the relevant video and watch Brett do it.
      A bundle of case studies and X-Ways Forensics Practitioner’s Guide training
    • The second discusses the benefits of sharing and compares the military view on sharing (pro-sharing) with the private sector view. I think people overestimate how long it takes; realistically you’re doing the testing or research anyway, so writing it down coherently shouldn’t be that much extra work. And the main question is whether you’ll ever have to do that research again in a year… which took longer, the time it took you to write everything down, or to re-do your research?
      Sharing is caring

  • Alex Caithness and Arun Prasannan at CCL had a nice summary of the history of smartphone operating systems. If anything, this shows that even though there are two major operating systems on mobile, there’s been a variety over the years so there’s always work in DFIR…
    The Smartphone Graveyard

  • Tyler Schlecht at DME Forensics provides an update on the pending release of DVR Examiner. Version 2.2, expected in January 2018, includes the new update framework, as well as a change in licensing. Instead of paying for updates and retaining access to the last version that you had an active subscription to, soon you won’t be able to process evidence without an active license.
    Upcoming DVR Examiner Updates: More DVRs, Faster!

  • Tom Bytes at Forensic Bytes discusses the difference between private and public sector digital forensics.
    Digital Forensics Career Overview – Part 3

  • There were a few posts on the Forensic Focus blog this week
  • Sean Morrissey at Katana Forensics has noticed a new feature that will roll out soon for WhatsApp that allows a sender to delete already-sent messages from the recipient’s device. As the feature hasn’t been released yet, it’s difficult to say whether the deleted message will still be recoverable from the database.
    The Forensic Issue with WhatsApp’s New Feature!

  • There were a few articles on the Magnet Forensics blog this week
    • Victoria Berry interviewed Tayfun Uzun on the AXIOM Cloud product and how it integrates with AXIOM.
      AXIOM Cloud Q&A with Tayfun Uzun: Part 2
    • Christa Miller wrote an article on taking the stand in a trial, particularly surrounding presenting yourself when opposing counsel asks questions (and my documentation post even got a shout-out, so thanks!).
      How to Maintain Your Expert Credibility on the Stand
    • Christa also interviewed Jamie McQuaid and Jessica Hyde on the benefits of research in digital forensics. One of the things they touch on is how examiners do their own research (which includes validation testing) and how a goal should be to learn one new thing a week. The next step would be to share that one thing you learn; if it took you time to figure it out, no doubt someone else will benefit from the time you spent. Other good ways of researching and expanding your knowledge are picking a topic and presenting at a conference, or going through some of the DF challenges that others have compiled.
      Making Time for Forensic Curiosity: Digital Forensic Research

  • Nick Raedts at Raedts.BIZ has tested six imaging tools to compare their performance and features. Overall his top picks were the more fully featured tools – FTK Imager, Belkasoft Acquisition Tool, and Paladin.
    TESTED: Forensic imaging tools

  • Patrick Olsen at System Forensics provides a security overview of AWS.
    AWS Security Overview – Part I

  • Howard Oakley at The Eclectic Light Company has a post covering the updated copy/clone mechanism in macOS 10.13 (High Sierra). It would be interesting for someone to dive into this from a forensic perspective, i.e. what happens on the file system (timestamps mainly) when a user clones a file, and how to ensure you’re examining the final version of a file.
    Taking Stock: Using APFS in High Sierra 10.13.1

  • Christopher Schmitt at FireEye introduces GoCrack, a tool “that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI … to create, view, and manage tasks.”
    Introducing GoCrack: A Managed Password Cracking Tool

SOFTWARE UPDATES

And that’s all for Week 44! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
