Week 51 – 2017

Merry Christmas and Happy Holidays! Hope everyone’s enjoying their break…although the last couple weeks have been 120+ links shared a week, and this week is no exception.

FORENSIC ANALYSIS

  • Hideaki Ihara at the Port 139 blog uses eventlogedit to delete an Event Log record.
    EventLogとEVTX

  • There were a few posts by the guys at Cyber Forensicator this week
  • Marcos at ‘Follow the White Rabbit’ describes various methods for creating timelines in multiple formats. This is a good post for showing you the steps that you can take to generate both a standard MFT timeline, as well as a supertimeline.
    About the timelines: The limit, your imagination

  • Mark Lohrum at ‘Free Android Forensics’ shows how to extract and unpack the boot and recovery kernels from an Android device (as well as some brief non-related Star Wars talk)
    Unpacking boot and recovery kernels

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has a couple of posts this week
  • TM4n6 walks through the process of acquiring data from an Android device using Android Debug Bridge (ADB). This is performed on a Linux system and shows how to create a logical (non-rooted device) and physical image (rooted device). It is possible to install an image over the recovery partition using something like ODIN and TWRP (or Magnet Acquire) and then manually perform your acquisition using a combo of ADB, DD, and netcat without rooting your device, as long as you can overwrite the recovery partition. Some phones are locked down though so this might not be possible.
    Android Forensics with ADB

THREAT INTELLIGENCE/HUNTING

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

SOFTWARE UPDATES

And that’s all for Week 51! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s