Week 1 – 2018

Happy New Year!

It was a bit hectic last week posting a few times on New Year’s Eve; in case you missed it, I posted my monthly podcast episode, as well as a wrap up for the year.


  • Hideaki Ihara at the Port 139 blog posted a couple of times this week
    • The second checks “the relationship between Thumbnail CacheId and thumbnail cache on Windows 10 ver 1709 environment.”
      Windows 10 and ThumbnailCacheId

  • Mari DeGrazia at ‘Another Forensics Blog’ has a couple of posts about mounting APFS images on Windows and Linux
    • The first shows how to mount an APFS drive as a logical image into any forensic tool using the Paragon APFS preview Windows driver. I tested this process using a couple of test APFS images that I had created and it worked great for the unencrypted one. Still no success with the FileVault 2 one 😦 It's also been pointed out that you may not be able to see the extended attributes; I haven't confirmed this, however.
      How to mount Mac APFS images in Windows
    • The second shows a similar process for mounting APFS images on Linux. Mari wasn’t able to test it (yet) but apparently this process can support encrypted images.
      Mounting an APFS image in Linux

  • There were a few posts by the guys at Digital Forensics Corp this week
    • They shared an article on KitPloit regarding “ADRecon, [which] is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.”
      ADRecon Overview
    • They shared a Github repository maintained by Meir Wahnon
      that contains “a curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.”
      A List of Incident Response sources

  • Aaron at DigitalResidue provides a primer on virtual memory and explains a few Volatility plugins
    damn blogger.com

  • Preston Miller at ‘DPM Forensics’ describes some additional data that can be obtained from a user's Google account outside the official Google Takeout app. This includes data from a user's activity in Google Drive, as well as that which is stored in the user's ‘My Activity’ page.
    500 Words or Less: Getting more from Google Accounts

  • Mark Lohrum at ‘Free Android Forensics’ shows how to use MTPwn to obtain select data from a locked Samsung device via the MTP protocol.

  • Steven Alexander at ‘The Bug Charmer’ shows how Apple Safari tracks “which sites were configured to play Flash video” in the com.apple.Safari.plist (as of OS X 10.10). The “PlugInPageURL” key is shown to contain a URL that has been accessed.
    Safari Plugin Forensics – com.apple.Safari.plist
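As an added example (not code from Steven Alexander's post), the script below parses a com.apple.Safari.plist and pulls out every PlugInPageURL value, wherever it sits in the property list, along with any sibling PlugInLastVisitedDate. The sample plist is constructed inline; the nesting used for it (PlugInInfo, a plugin bundle identifier, PlugInHostnamePolicies, PlugInLastVisitedDate) is an assumption about the file layout, which is why the walker searches the whole tree for the key rather than relying on a fixed path.

```python
import datetime
import plistlib
from typing import Any, Iterator

# Constructed sample: a minimal stand-in for com.apple.Safari.plist. The
# nesting (PlugInInfo -> plugin bundle id -> PlugInHostnamePolicies) is an
# assumption; the walker below does not depend on it.
SAMPLE_PLIST = plistlib.dumps({
    "PlugInInfo": {
        "com.macromedia.Flash Player.plugin": {
            "PlugInHostnamePolicies": [
                {
                    "PlugInHostname": "example.com",
                    "PlugInPageURL": "https://example.com/watch/clip-1",
                    "PlugInLastVisitedDate": datetime.datetime(2017, 12, 30, 9, 15, 0),
                },
                {
                    "PlugInHostname": "video.example.org",
                    "PlugInPageURL": "https://video.example.org/player?id=7",
                    "PlugInLastVisitedDate": datetime.datetime(2017, 12, 31, 22, 5, 0),
                },
            ],
        },
    },
    "LastSessionWasRestored": False,
})

# Constructed control sample with no plugin records at all.
SAMPLE_PLIST_NO_FLASH = plistlib.dumps({"LastSessionWasRestored": True})


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (key path, value) for every leaf in a parsed plist, depth-first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_plugin_page_urls(plist_bytes: bytes) -> list[dict[str, Any]]:
    """Return one record per PlugInPageURL entry found anywhere in the plist.

    Each record carries the URL, the key path it was found under and, when a
    sibling PlugInLastVisitedDate exists, that timestamp (timezone-naive, as
    plistlib returns it; plist dates are stored in UTC).
    """
    data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    leaves = dict(_walk(data))
    records = []
    for key_path, value in leaves.items():
        if not key_path.endswith("/PlugInPageURL"):
            continue
        parent = key_path.rsplit("/", 1)[0]
        records.append({
            "url": value,
            "path": key_path,
            "last_visited": leaves.get(f"{parent}/PlugInLastVisitedDate"),
        })
    return records


def find_plugin_page_urls_in_file(path: str) -> list[dict[str, Any]]:
    """Same as above for a plist on disk, e.g. an exported com.apple.Safari.plist."""
    with open(path, "rb") as fh:
        return find_plugin_page_urls(fh.read())


if __name__ == "__main__":
    for rec in find_plugin_page_urls(SAMPLE_PLIST):
        print(rec["last_visited"], rec["url"], rec["path"])
```

Run it against a copy of the plist pulled from ~/Library/Preferences with find_plugin_page_urls_in_file; the key path in each record tells you which plugin and hostname entry the URL came from, which is worth keeping in the report since the same URL can appear under more than one plugin.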


  • Monty St. John at CyberDefenses explains the Execution component of the CHRIME acronym.
    CHRIME and Execution

  • There were a couple of posts on the Sqrrl blog this week
    • Kristina Sisk at Sqrrl describes the need for a hunting calendar to determine your team’s schedule for the year. She also lists a number of things one should consider in the planning process.
      Setting your Threat Hunting Calendar for 2018


  • On this week’s Digital Forensic Survival Podcast, Michael talked about some fundamentals that newer examiners should focus on; that is, to understand that answers don’t always come easily, and that forensic artefacts are more important than tool training.
    DFSP # 098 – Back to basics 2018

  • Richard Davis has uploaded a video describing shellbags and showing how to examine them using Eric Zimmerman’s Shellbag Explorer
    Shellbag Forensics


  • Floser Bacurio and Wayne Low at Fortinet “discuss the history of sandbox detection”, cover “the malware families that KTIS has observed from spear-phishing emails that attempt to bypass the user-mode API hook in order to evade sandbox detection”, and “share the mitigation method we use to harden the Cuckoo sandbox against this bypass technique.”
    Prevalent Threats Targeting Cuckoo Sandbox Detection and Our Mitigation

  • Matt Everson at Tenable has updated the post on Triton to indicate that the malware utilises the TriStation protocol and not the TSAA protocol, as was indicated earlier.
    Triton: What You Need to Know


  • DriveSavers have a post on the different types of legal documents that may be required before acquiring e-mail evidence so that it is admissible in court.
    Legal Email Collection

  • Jack Crook at ‘DFIR and Threat Hunting’ has a non-technical/DFIR post that I thought would be worth sharing. Jack’s health took a turn in 2017, and he explains how he has managed to get himself back on track. He also stresses the importance of maintaining a healthy lifestyle.
    My 2017

  • Belkasoft announced on Forensic Focus that they’ve extended their customer survey. Customers that fill out the survey go into the draw to win a free year’s licence of BEC.
    Belkasoft Customer Survey Extended

  • “Researchers have discovered how to identify smartphones by examining just one photo taken by the device.” There are a couple of products on the market that I know of that have similar capability, however, I think they require some training (using other photos taken by the device).
    Tiny details in photos identify your unique phone

  • Howard Oakley at ‘The Eclectic Light Company’ shows how moving a file from macOS to iCloud Drive removes some of the extended attributes. The test he performed was moving a file from Sierra to High Sierra via iCloud Drive; I’m unsure whether moving a file between machines running the same OS would cause the same activity.
    iCloud Drive can strip (meta)data from your documents


  • Plaso 20171231 was released, making the SQLite Plaso storage file the default, adding a “new SQLite parser plugin to handle Safari’s newer history format” and “nicer looking partition and VSS overviews in log2timeline”, as well as updates to dfVFS.
    Plaso 20171231 released

  • ExifTool 10.73 (development) was released, decoding some new tags and fixing some bugs
    ExifTool 10.73

  • GetData updated Forensic Explorer to version with some additional features and improvements

  • Tableau Firmware Update (TFU) version 7.21 has been released, with firmware updates for the TD2u Forensic Duplicator (version 1.3), TDP6 SAS Expansion Module (version 1.1.1), and TFU Utility (version 7.21)
    Tableau Firmware Update (TFU) version 7.21

  • Mark Russinovich announced that Sysmon v7 has just been released “which includes file version information and can dump old configuration schema versions.”
    Check out @markrussinovich’s Tweet

  • Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.11

And that’s all for Week 1! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
