Week 45 – 2017


  • Hideaki Ihara at the Port 139 blog looks at the effect on a file/folders MFT entry when sdelete is used.
    Win 10 と sdelete

  • Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator take a look at a few artefacts on OSX that may assist in identifying files copied to a connected volume. They also show a file called devices.tingo, which appears to have a lot of very useful information, but I’m not sure what application it relates to.
    The Hitchhiker’s Guide to macOS USB Forensics

  • Cindy Murphy at Gillware Digital Forensics explains a new “feature” in iOS 11 that allows users to reset their backup password. The feature means that backups on their own are protected, but users that have forgotten their passwords (a problem Apple would have to deal with because people would definitely forget them) can reset their settings, which will clear the password. This is fairly good news from a forensics side because, as Cindy mentions, breaking iOS backup passwords can be tricky. One of the key takeaways was how Cindy was able to update a phone to iOS 11, and then remove the backup password (if someone was looking for a project then taking a look at what changes on the device would be very useful)
    Forensic Case Files – A New Solution for Previously Encrypted iOS Backups

  • Oleg Afonin posted a couple times on the Elcomsoft blog this week
    • The first explains the information that can be obtained from locked iOS devices with and without a lockdown file.
      The iPhone is Locked-Down: Dealing with Cold Boot Situations
    • The second walks through the process of removing the backup password from an iOS 11 device and then acquiring it. It’s an interesting stance for Elcomsoft to take that this step is backwards – realistically, the process has been simplified for device owners or those in possession of the device’s passcode. If found on their own, the backups are still secured with the passcode. This really only makes a difference to the phone owners (who have the passcode because it’s their phone) that have since forgotten their backup password – which would be a problem that Apple would have to deal with because unhappy customers are a top priority for many companies. From a law enforcement perspective, the examiner would still need to have the device, and the passcode to perform an extraction (with the passcode being required to trust the computer on iOS 11). As a byproduct of this change, LE examiners just wouldn’t need to necessarily break the backup password afterwards; which means reducing the number of hurdles that LE examiners (who should be examining the device under the appropriate authority) have to jump through.
      iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password

  • Jake Williams tweeted a diagram explaining how ewfmount can be used to allow legacy EWF images (E01) to be mounted under Linux.
    Check out @MalwareJake’s Tweet

  • SalvationDATA have a case study on recovering footage from a fire damaged DVR system.
    [Case Study] Detailed Steps for Extracting Data from Burned & Watered Hard Drive of DVR System



  • The CFP for DFRWS USA 2018 has been announced. DFRWS will take place in Providence next July. The CFP for papers closes January 12, 2018.
    Check out @nolaforensix’s Tweet




  • Daniel Pistelli at Cerbero advises that “the upcoming 2.8 version of Profiler Advanced comes with full-fledged support for raw Windows memory image”
    Windows Memory Forensics: Close to Release

  • Chris Sanders posted some notes from the first week of the Cuckoo’s Egg book reading. These include thoughts on locard’s exchange principle, as weltimestamps, and the recording will be available until the 16th.
    Cuckoo’s Egg – Week 1 Notes

  • “Wiley has announced a new book by Nick Furneaux – “Cryptocurrency Forensics”. The book is expected to be published in June 2018”
    Cryptocurrency Forensics

  • DFIR Guy at DFIR.Training shares his thoughts on presenting for free at conferences. Obviously, you need to bring the goods when it comes to content, but his opinion is that “the presenters are the glue and fabric to any conference, yet the vast majority are not paid”. It’s an interesting perspective, and I guess it comes down to your negotiation abilities. This all applies to conferences that are for-profit; the exceptions are the smaller grassroots not-for-profit cons and groups. For anyone interested, this topic was also covered recently on the Art of Charm podcast.
    Experts do it for free, but why?

  • The guys at Digital Forensics Corp shared a post describing how to mount and decrypt APFS volumes on OSX.
    Unlock or decrypt an APFS drive

  • Scar at Forensic Focus has shared Angus Marshall’s survey on digital forensics tool development.
    Digital Forensics Tool Development Survey

  • Tracy Maleeff at InfoSecSherpa shares a recent IR scenario where a customer/end user had clicked on a suspicious link and she utilised empathy in her response.
    Empathy in Incident Response

  • There’s a post on the Katana Forensics blog regarding the recent mass shooting in Texas. Although the FBI hasn’t confirmed the phone that the shooter had, it is suspected to be an iPhone, so the author runs through the scenario to (based on public information) see what the FBI is able to achieve. There’s also an interesting editorial about how far Apple is willing to push this stance.
    Apple and the Texas Shooter

  • David Longenecker at ‘Security for Real People’ has started a list of tools that are useful in IR work. The list can be found here
    IR Toolkit

  • Danny Akacki at Sqrrl has shared his top InfoSec Twitter accounts. Somehow I made the list, thanks Danny!
    Threat Hunting Influencers: Top InfoSec Twitter Accounts to Follow

  • Patrick Olsen discusses Identity Access Management on AWS.
    AWS Security Overview – Part II – IAM

  • The students at LCDI share “the math and code that will calculate our Bluetooth device’s position.”
    Bluetooth Device Tracking Update 2

  • Troy Schnack relates about an old song regarding remembering both the old and the new to DF work. He advises that whilst the new artefacts are worth chasing, we shouldn’t forget the foundational artefacts as well.
    One is Silver and the other Gold



  • CRU have released the new Ditto Shark, and Network Tap Module. The Ditto shark “is a slim, standalone network capture device designed to sniff and collect traffic on a network – including VOIP – with virtually no packet loss at sustained network traffic speeds of 100 Mbps or short burst gigabit network traffic.” The Network Tap module adds network data capture capability to the Ditto/Ditto DX.

And that’s all for Week 45! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s