Week 6 – 2018


  • Chirath De Alwis has posted an article on Forensic Focus regarding memory dump formats covering raw, crashdump, hibernation files, EWF and HBGary’s HPAK format. Another format worth mentioning is AFF4, which is used by Google Rekall/winpmem suite.
    Memory Dump Formats

  • Stefan Bildhaeuser at my4n6 shows how to mount a BTRFS volume using Linux and then share it to your Windows machine via NFS. After this is shared, an examiner can add this share to X-ways for examination. You don’t get to see deleted files, or file system metadata, but you can at least examine the content.
    Using unsupported file systems in X-Ways Forensics


  • Matt Suiche at comae technologies advises that a recent update to Swishdbgext allows examiners to use “Yara rules to hunt process in memory”
    YARA scans in WinDbg

  • Quentin Jerome at RawSec introduces an engine “designed to match signatures in Windows events.”
    Go Evtx SigNature Engine


  • Scott Lorenz and Shahar Tal will be hosting a webinar for Cellebrite on the “Emergency Download mode (EDL) capability can provide you with forensically-sound access to extract physical data from devices”. The webinar will take place February 21, 2018 at 10AM New York (3PM London/4PM Belgium)
    Access mobile device evidence faster using Emergency Download (EDL) mode

  • The CFP for the 11th International Workshop on Digital Forensics has opened, and will close April 30, 2018. The workshop is “to be held in conjunction with ARES 2018, August 27 – August 30, 2018 in Hamburg, Germany”.
    [CFP] 11th International Workshop on Digital Forensics


  • Wyatt Roersma live streamed some malware analysis a few times this week
    vTriple – Twitch


  • Xavier Mertens at /dev/random shares a module that he wrote “to interconnect the malware analysis framework Viper and the malware analysis platform A1000 from ReversingLabs.”
    Viper and ReversingLabs A1000 Integration

  • Luis Rocha at ‘Count Upon Security’ provides a “brief overview about the PlugX builder, analyze and debug the malware installation and do a quick look at the C2 traffic”
    Malware Analysis – PlugX



  • Eric Zimmerman has released SDB Explorer, which “is a GUI program that allows for interacting with Microsoft Shim databases”
    Introducing SDB Explorer

  • Mobiledit Forensic Express 5.1 was released, improving it’s phone unlock capabilities, as well as adding other new features
    Forensic Express 5.1 Released

And that’s all for Week 6! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s