Week 52 – 2017

Last weekly post for the year! It’s both good and bad that the year ends on a Sunday. It does round things off nicely, but it also means that I have a podcast to put together next. Thank you to everyone that reads this every week, and also shares it around with others. I really appreciate the support

Looking forward to an exciting 2018!


  • Brett Shavers discusses the need for continued education. I liked Brett’s point about saving important blog articles to PDF as I have found that some blogs get taken down. Generally, it’s a good idea to save them in your case notes if you’re referencing them. It is time-consuming to do your own research, but it’s worth it; A new-ish paradigm is to work through it live (Test Kitchen style) that some may find useful because they can have others help guide them and everyone learns together. Wyatt Roersma also did some live streamed work.
    Don’t look back.  Try to keep up.  This is #DFIR.

  • Brian Moran at BriMor Labs and Jessica Hyde from Magnet Forensics have shared out a cheat sheet they made “summarizing the URLs to query from Amazon to return some of the Amazon Echosystem data”
    Amazon Alexa Forensic Walkthrough Guide

  • Over on my ThinkDFIR blog I wrote up my notes from Dave Cowen’s recent Forensic Lunch Test Kitchen videos. I didn’t get to watch them all in the week that they came out (I think it was ~5 hours of content all up), so I figured I’d write it up now.
    Documenting a week of DFIR cookups


  • Monty St. John at CyberDefenses explains the Malware component of the CHRIME acronym
    CHRIME and Malware

  • Jack Crook at ‘DFIR and Threat Hunting’ shares how he chains interesting events together using ELK.
    Hunting with ELK

  • Adam at Hexacorn shows how psexec has a command line option “that allows you to create a service name as per your liking”.
    PsExec going places…

  • Adam at Hexacorn shows another method for abusing a configuration setting to obtain persistence. If a specific value is set in the registry, the system will look for an external .manifest file, which can be used to reference malicious DLLs.
    Beyond good ol’ Run key, Part 69

  • Sergey Golovanov and Igor Soumenkov at Securelist share a script that they use “to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers were moving through the network”
    Happy IR in the New Year!


  • Matt Bromiley announced that he will be doing a two-part webcast series on Windows Event logs next month. The first, “What Event Logs? Part 1: Attacker tricks to remove event logs” is running on January 11th, 2018 at 15:30 UTC. The second, “What Event Logs? Part 2: Lateral movement without event logs” is running on January 18th, 2018 at 15:30 UTC
    Check out @mbromileyDFIR’s Tweet


  • Wyatt Roersma live streamed many many hours of coding and memory/malware analysis during the week. There’s not enough time left in the year to watch all of it, but you can see his Twitch channel here


  • The guys at Digital Forensics Corp shared a tweet by Eduardo Novella showing how to deobfuscate a packed dex file using Simplify.
    Deobfuscating dex files

  • Reverse Engineering Malware has released an update to PSDecode to allow it to “override methods within system classes typically used by malware authors”. “As the malicious script is run through PSDecode, these actions are stored and, when complete, the actions are printed to the screen in the order in which they occurred.”
    PSDecode Update: New-Object override + Actions output


  • The guys at Digital Forensics Corp shared a number of articles this week
    • They shared an article by Check Point Research on a vulnerability found in Huawei Home Routers that would allow them to join a variant of the Mirai botnet.
      Routers in Botnet Recruitment
    • They advised that “Apktool v2.3.1 has been released”. “Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps.”
      Apktool v2.3.1 has been released
    • They advised that “Dolphin Data Lab has released a new adapter for chip-off. The adapter’s name is DFL eMMC Chip Reader All in One.”
      DFL eMMC Chip Reader
    • They shared a link to an online forgery detection tool; playing around with the test image is very interesting.


  • ExifTool 10.70 (development release) was released, with minor improvements and bug fixes.
    ExifTool 10.70

  • Paraben has released v1.6 of their E3 platform with new features including exporting data to HTCI MapLink, additional support for the DJI Go 4, and “new unlock and enhanced support for over a dozen new LG devices.”
    What’s New in E3:Universal Aurora Edition 1.6

  • Radare2 r2-2.2.0 Tió De Nadal was released

  • Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.9

And that’s all for Week 52/2017! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s