Week 46 – 2017

Just to start, I’ve signed up to Amazon’s Affiliate program so if you click on the Amazon links I’ll get a referral bonus. That being said, I’m going to be providing the non-referral link, as well, for anyone that wants to use that.

Also, apologies for the formatting and if some posts from the week haven’t been shared. Something’s up with my Feedly/IFTTT apparently. Adding to the post after it’s been published destroys the formatting.

  • Chris Sanders shares the notes from the chapters the Cuckoo’s Egg that were reviewed this week
    Cuckoo’s Egg – Week 2 Notes

  • Paula at CQURE Academy walks through the process of creating a Sysmon config file.
    Building A Perfect Sysmon Configuration File

  • The guys at Digital Forensics Corp shared an article by Brian Reitz at SpecterOps on hiding registry keys. “RegEdit will throw an error when viewing the key, while reg query and PowerShell’s Get-ItemProperty won’t return a value hidden in this way. However, using the Autoruns tool from Sysinternals, we can see (and delete) the value we just created”.
    Hiding Registry keys

  • Chenming Xu, Dan Caselden, Justin Warner, Stephen Hinck at Iceberg provide a case study that “demonstrates how an understanding of the underlying vulnerability [in Apache Struts] as well as exploitation techniques can be combined and applied to create more robust detections.”
    Exploiting Apache Struts: A Case Study In Writing Better Detections

  • There’s a post on the NTT Security blog that uses an example to show the difference between attack information and threat intelligence.
    What does threat intelligence actually mean?

  • The SANS InfoSec Reading Room shared Brian P. Kime’s white paper on “how CTI can support DFIR at each level of intelligence and operations – tactical, operational, and strategic – and during each phase of the incident response lifecycle – preparation; detection and analysis, containment, eradication, and recovery; and lessons learned”
    Cyber Threat Intelligence Support to Incident Handling

  • Kaspersky Lab have posted an article in response to the article by “the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system”. The article lists the questions with which they started their internal investigation and shares their findings.
    Investigation Report for the September 2014 Equation malware detection incident in the US

  • Matthew Hosburgh at Sqrrl shows how to hunt for the use of the voice recording app on Windows systems.
    Hunting for Evidence of Eavesdropping

  • Belkasoft have a post explaining that “the updated Forensic Toolkit (FTK) v.6.3 integrates Belkasoft-made analytics core”; this was announced back in April.
    AccessData and Belkasoft announce the release of Forensic Toolkit (FTK) with Belkasoft-made built-in analytics core.

  • Josh Huff at ‘Learn All The Things’ shares a few blogs that he has found useful. Thanks for the mention!
    Sharing DFIR research

  • Brett Shavers has a couple of posts this week
    • First, he shares his opinion of the requirement for regulation in the DFIR industry. This is something that I can see happening at some point, and a lot of labs/examiners will want to push back against it. On the plus side, you won’t have Joe IT guy rocking up to court with his expert report, but on the other, your employer may not be able to afford the training requirements. Brett also has a bit of a soapbox rant about certifications and training courses; in most of the courses I’ve sat in, people have engaged and been involved, but I’ve also sat in a couple where some of the folks paying good money to be there are either not at the right skill level to take the class, or don’t really want to be there, which I never like seeing because of the whole “paying good money” thing. I like the concept of certifications; I don’t like how much some of them cost (on top of the training course you take). I think that overall obtaining a certification is a good acknowledgement that you paid attention in class, or at least can apply some of the things you’ve learned (on your own or in class).
      The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations…)
    • Second, DON’T STEAL PEOPLE’S STUFF. In this niche community it’s a much better idea to say “I’m working on this, who wants to help” than it is to go it alone (or in this case, join a project and then decide to post on your own). I’m with Brett; I much prefer to post my ideas up (at least I mean to on my ThinkDFIR site when I get around to it) and either get contributors, collaborators, or others that ask if they can do it instead. If someone announces a project, you’re within your rights to start your own project to “compete”, but it’s better for everyone if you collaborate. It’s not cool if you start collaborating and then decide you’re better off competing.
      Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.

  • Whilst he’s been talking about it for a little bit, DFIR Guy is retiring and as a result, wants to pass the torch for the website and Twitter account. Hopefully whoever takes it over can offer the same level of commitment to keeping it alive and updated.
    Goin’ fishing, the kind with a real fishing pole..

  • Matt Edmondson at Digital Forensics Tips describes a couple of methods for identifying password hash formats.
    Resources to Help Identify Password Hash Formats

  • Compelson announced on Forensic Focus that they will be releasing MobilEdit Forensic Express v5 this week, but I haven’t seen anything else on their site about it.
    New MOBILedit 5.0 Will Be Launched In Abu Dhabi, Hong Kong And China

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares the installation instructions for Santoku, which can be used for Android forensic analysis.
    Santoku, a linux distribution for Android forensic analysis

  • Patrick Olsen at System Forensics describes what the “cloud” is.
    AWS Security Overview – Part 0 – What is Cloud

  • Christa Miller at Magnet Forensics has a post about the discovery process when researching forensic techniques and artefacts. In this she interviews Cheeky4n6Monkey about some of the steps that he follows when tasked with parsing data that the forensic tools don’t present.
    Being Forensically Curious: The Process of Discovery

  • James Habben at 4n6IR has updated Evolve to version 1.6. The update documents the API and adds plugin search. James also explains the background for writing Evolve and some of the headaches that the approach he took caused.
    Evolve Version 1.6

  • Daniel Pistelli at Cerbero announced the release of Profiler v2.8, the memory analysis tool.
    Profiler 2.8 – Windows Memory Forensics

  • DVR Examiner 2.1 has been released, adding improved support for E01 images, forensic imaging, additional file systems as well as other improvements and bug fixes.
    DVR Examiner 2.1 Has Arrived!

  • ExifTool was updated to v10.67 adding new tags and bug fixes.
    ExifTool 10.67

  • Katana Forensics released Lantern v4.70 adding iOS 11 support and fixing the iOS messaging parsing bug.

  • X-Ways Forensics 19.4 SR-6 was updated to fix a bug (it says SR-6 on the site, but there was another SR-6 released a couple of weeks ago, so it could be a typo).
    X-Ways Forensics 19.4 SR-6

  • X-Ways Forensics 19.5 Beta 2 was released with some improvements and bug fixes.
    X-Ways Forensics 19.5 Beta 2

  • Magnet Forensics released updates for Axiom, IEF, and Acquire during the week, although there wasn’t a public notification. Information about the release has been shared here.

  • Oxygen Forensics released a maintenance version of their Detective product. “Detective v.10 comes with the breakthrough algorithms of cloud data acquisition, extended drone support, updated bypass screen lock methods and advanced app data parsing.”
    Introducing the new Oxygen Forensic® Detective v.10!

And that’s all for Week 46! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
