Week 2 – 2018


  • Hideaki Ihara at the Port 139 blog took a look at the Win10 Thumbnail index database, thumbcache_idx.db.
    Win10 と Thumbnail Index
  • Brian Maloney stumbled across a Windows event log, Microsoft-Windows-MBAM/Operational, that tracks RemovableDriveMounted and RemovableDriveDismounted events (event IDs 39 and 40).
    Check out @bmmaloney97’s Tweet
  • There were a few posts on the Cyber Forensicator blog this week
    • Maxim Suhanov guest posted about his “Yet Another Registry Parser” tool, specifically relating to the registry file carving feature. “According to the tests, approximately 10-25% of fragmented registry files can be reconstructed using the yarp-carver tool”
      Carving Fragmented Registry Files
  • There were a couple of posts by Elcomsoft this week
    • Oleg shows how to use various Elcomsoft tools to extract Google Chrome and Google account saved passwords. Oleg then briefly describes some case studies where these passwords can be used. Stored passwords are a great repository to call on when building password cracking dictionaries.
      Extracting and Making Use of Chrome Passwords
  • Arman Gungor at Metaspike lists some considerations to take into account when collecting email evidence. This includes correctly identifying sources, dealing with the security that the owner has in place, storing the data in the correct format, using adequate tools, and verifying the accuracy of the downloaded emails.
    Forensically Collecting Emails — 5 Things to Know
  • Howard Oakley at ‘The Eclectic Light Company’ posted a couple of items of interest this week


  • Jack Crook at ‘DFIR and Threat Hunting’ poses the question “what are your tools detecting”. Jack explains that if your EDR solution is looking for malware this may not adequately detect an adversary that can live off the land. He also shares “some tests that you can use to verify the capabilities of your tools when it comes to recon, lateral movement and data staging”
    What are your tools detecting
  • Olaf Hartong has shared “a repository of sysmon configuration modules”
  • There were a couple of articles on Syspanda this week
    • Pablo Delgado shows how to go about “setting up a Logstash filter that will look for Event Ids that match the Security Group Management logs generated by your Domain Controller for long term storage. This will allow us to look back through historical data and see when groups were created, deleted, and whether users were added/removed.”
      Monitoring Domain Group Membership Changes With ELK


  • The 4Cast is returning (at least for one episode, hopefully more). Lee will be hosting “4:cast Award winner Cindy Murphy, 4:cast Award nominee Sarah Edwards, Ryan Benson and Jessica Hyde” at 7PM Central on 14th January 2018.
    Forensic 4:cast Live
  • The CFP deadline for DFRWS USA 2018 has been pushed back to 21 January, 2018.
  • Jessica Hyde at Magnet Forensics will be hosting a webinar looking “into vault and security apps with a focus on Cheetah Mobile apps including file managers, cleaning apps, private browsers and app locks”. The webinar will take place Tuesday, January 30, 2017 at 1:00PM Eastern Standard Time (New York, GMT-05:00).
    How the on-set of security apps is impacting investigations
  • Michael Gough and Brian Boettcher will be starting up a new DFIR podcast called the “Brakeing Down Incident Response Podcast”
    ANNOUNCING The BD-IR Podcast



  • Daniel Pistelli at Cerbero shows how to use Profiler to extract a PowerShell command embedded in a Word document using DDE.
    Microsoft Office DDE Detection
  • The guys at Digital Forensics Corp shared an article from Security Affairs on the new VirusTotal Graph feature, which allows “investigators working with multiple reports at the same time, to try to pivot between multiple data points (files, URLs, domains and IP addresses)”
    VirusTotal Graph Overview
  • Justin Warner at Icebrg provides a “walkthrough of an attack campaign [distributing cryptocurrency mining malware] that ICEBRG has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.”
    Coin Mining By Opportunistic And Automated Threats
  • Alexander Sevtsov at Lastline goes through “the details of how document files can achieve remote code execution by using monikers crafted to evade signature-based detection techniques relying on blacklisted CLSIDs, and how these monikers function under the hood.”
    When Scriptlets Attack: The Moniker
  • Patrick Wardle at Objective-See examines the MaMi MacOS malware.
    Ay MaMi


  • James Habben at 4n6IR shares his thoughts on breaches, stating “A PCI data breach is good for a company”. This is because it forces the company to look at their security and usually afterwards “this is the safest that network has ever been”.
    Reputations and PCI Data Breaches
  • AboutDFIR has added a research topics page which allows people to propose research topics (as broad or as specific as you want – I’d suggest going specific). From there people can indicate that they would like to work on the problem. It would also be helpful for those new to the field to partner up with mentors and work through the problems together.
    DFIR Research
  • It was identified that the Forensic Wiki is shutting down, and as a result there was a flurry of activity on Twitter in an attempt to preserve the data. I’m not entirely sure why it’s being shut down but it is apparently being archived on Archive.org. There is also a Google Group which I think intends on coming up with a plan for hosting the wiki elsewhere. Coincidentally, Brett Shavers has also started a Forensic Artifact database on DFIR.training.
    Check out @bitsgalore’s Tweet
  • Dan Pullega noticed that Nuix Proof Finder is no longer going to be sold. This was a great tool (because it was just Nuix with a 15GB ingest limit) that was very cheap and very useful. It’s a shame that it’s going to cease working once your current license expires. Worse yet, if you have saved data in a Proof Finder case the only way you’ll be able to access it is by purchasing a full copy of Nuix.
    Check out @4n6k’s Tweet
  • Lee Whitfield has opened the 2018 Forensic 4:cast Awards nominations! Last year this blog was one of the top 3 nominated for “Blog of the year” which was very much appreciated. If you’d like to nominate anyone across all of the categories you can head over here. You’re allowed to nominate multiple times so you can get all the different blogs/hardware/software/resources/people etc that you think are deserving of some recognition, and then the top 3 will go into the finals. Nominations close March 31, 2018.
    Forensic 4:cast Awards 2018 – Nominations are Now Open
  • Jordan Wright, Nick Steele and Pepijn Bruienne at Duo Labs have also shared their writeup of the holiday hack challenge.
    SANS Holiday Hack 2017 Writeup
  • Jessica Hyde at Magnet Forensics has written a comprehensive post for those looking to get into the DFIR field (or even move around, a lot of the stuff mentioned can be applied across the board).
    Job Hunting in the DFIR Field
  • Michael Cohen at the ‘Rekall Forensics blog’ describes a process for configuring and compiling tools to run on older Linux server environments. Some tools require libraries that are not and cannot be installed on EOL’d servers and as a result, Michael shares his research and work-arounds for getting some newly developed tools to work.
    ELF hacking with Rekall


  • Blackbag Technologies have released Blacklight 2017 R 1.1, which includes some new enhancements and bug fixes, including updated FSEvents parsing, “support for Windows 10 Fall Creators Update (Version 1709) memory images”, and “enhanced Volume Shadow Copy (VSC) display”.
    Blacklight 2017 R 1.1 Now Available!
  • ExifTool 10.75 was released, adding some new tags and bug fixes.
    ExifTool 10.75
  • Eric Zimmerman updated Timeline Explorer to version
    TLE Update
  • GetData updated Forensic Explorer to v4.1.2.6936 with some minor updates and improvements.

And that’s all for Week 2! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
