Week 50 – 2017


  • Hideaki Ihara at the Port 139 blog takes a look at registry transaction log files and shows how to examine them using Maxim Suhanov’s YARP tool.
    Registry and Transaction log files
  • The guys at Digital Forensics Corp shared an article from GBHackers on the Windows registry and some useful registry keys.
    Windows Registry Analysis
  • Todd A. Faulkner has a guest post on the Paraben blog that explains the benefits of seizing a suspect’s Bluetooth devices to assist in unlocking their mobile device via the Smart Lock feature.
    Using Bluetooth & NFC as a Smartphone Backdoor
  • The students at LCDI shared their final update on application analysis. This update covers the artefacts identified in the Fitbit App.
    Application Analysis Update 3


  • Chris Long has released “Detection Lab [which] is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices”
    Introducing: Detection Lab
  • Daniel Lunghi, Jaromir Horejsi, and Cedric Pernet at TrendLabs provide some information on “Patchwork (also known as Dropping Elephant)”, who are “a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets”
    Untangling the Patchwork Cyberespionage Group


  • The CFP for the next ADFSL conference, “held at The University of Texas at San Antonio, San Antonio, TX from May 17 to 18, 2018” is open, and will close January 15, 2018.
  • Paraben announced on Forensic Focus that Paraben’s Forensic Innovation Conference (PFIC) 2018 will be running on “September 5th and 6th at the Park City Marriott hotel”, Park City, Utah.
    PFIC & Park City – Together Again!


  • The presentations from LASCON 2017 have been uploaded to their YouTube channel.
  • On this week’s Digital Forensic Survival Podcast, Michael discusses a method for conducting an eDiscovery investigation using the built-in features of Office 365.
    DFSP # 095 – freE-DISCOVERY?
  • Richard Davis shares a short video explaining a short survey that he’s put together to gather information about what content people would like to see in the future.
    Channel Update and Survey
  • Steve Watson provided a brief summary of day one of the first Data Finders event.
    Day One Update


  • Eric Merritt at Carbon Black shares some “details of how Smoke Loader infects the system, attempts to evade analysis, and persist on the system.”
    Smoke and Mirrors
  • R3mrum at ‘Reverse Engineering Malware’ analyses some Emotet malware and introduces “a new tool that will help you analyze heavily obfuscated PowerShell scripts”.
    From Emotet, PSDecode is born!


  • Darlene Alvar at Amped Software shares an article that “takes a look at two cases involving the authentication of digital images and the importance of the questions asked of the analyst during those investigations”
    Investigating Image Authenticity
  • Jimmy Schroering at DME Forensics explains that they have “developed an internal database of what types of system are (or may be) supported by DVR Examiner”. Their “goal is to make this information available to users at some point in some fashion”, however, they haven’t worked out how yet.
    How Can You Tell If Your DVR is Supported?
  • Jake Williams at Rendition InfoSec has shared the news of their new challenge running until December 24th. They will be posting a new challenge daily with cash prizes for the best responses.
    Introducing Infosec Advent
  • Over on my ThinkDFIR blog, I wrote a list of things that I had learned about the DFIR Netwars contest. These are things that I would like to consider the next time I do one of these events, or for those that haven’t had a chance to play yet. (Also, Rob Lee liked the write-up!)
    Things I Wish I Knew Before DFIR Netwars


  • Apache Tika v1.17 was released adding “new support for automatic image captioning, as well as numerous bug fixes and upgrades to dependencies”
    Release 1.17 – December 8, 2017
  • Berla updated iVe to version 1.13.4. “This release introduces support for a significant number of Hyundai vehicles manufactured from 2011 to present, as well as select Kia vehicles.” iVe also “now includes photos of all supported systems for a given vehicle within the acquisition wizard.”
    iVe v1.13 Released
  • Cellebrite released Analytics Desktop v6.3 adding project VIC integration, the ability to “view tags from UFED Physical Analyzer in Analytics Desktop” and “improved media review”.
    Analytics Desktop 6.3 [December 2017]
  • Cyber Triage was updated to v2.1.8 and Brian Carrier has a post about their recent Phantom integration. “The Phantom integration makes your response team more efficient by automatically starting an analysis of a remote system so that the data is waiting for you when you have time to start working on the alert.”
    Phantom Integration Allows for Faster Responses
  • Katana Forensics updated Lantern Triage to 1.1712.81.
  • MobilEdit App Analyzer version 2017-12-15-01 was released, adding app support for iOS Evernote, and Android Maxthon Browser, and improving deleted data recovery for Uber’s Android app.
    App Analyzer update version 2017-12-15-01
  • NIST have released the “federated testing tools, [which] is designed to help law enforcement and forensic practitioners with a critical early step in evidence collection: making a copy of the data from a seized electronic device”. “The federated testing tools allow authorities to run tests in advance on their digital forensic software to make sure ahead of time that it will not fail them when a suspect’s personal computer, media or device arrives in the forensic science lab”
    New NIST Forensic Tests Help Ensure High-Quality Copies of Digital Evidence
  • Passware Kit 2017 v5 was released. V5 “recovers passwords for McAfee Drive Encryption, extracts macOS High Sierra account passwords from memory images, decrypts LUKS drives, and supports iOS 11. GPU-accelerated password recovery is now up to 350% faster for TrueCrypt system partitions. A new, efficient Passware dictionary is available for download for our customers.”
    New In Passware Kit 2017 v5
  • Yogesh Khatri at Swift Forensics has released “Version 0.2 of mac_apt … with APFS support.”
    mac_apt + APFS support

And that’s all for Week 50! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
