Week 7 – 2018

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

  • SalvationData will be hosting a webinar on decrypting and recovering WhatsApp data on non-rooted smartphones along with releasing a free tool. The webinar will take place on Wed, Mar 7, 2018 9:00 AM – 10:00 AM GMT.
    WhatsApp Forensics Free Tool Release Webinar

  • Jason Jordaan will be hosting a webinar for SANS to “help the first time or inexperienced witness to understand some of the core legal concepts you will need to be familiar with, understand how to effectively interact with lawyers, and the duties and responsibilities you have as a witness.” The webinar will be run Tuesday, February 27th, 2018 at 3:30 PM EST (20:30:00 UTC).
    Webcast 2: Working With The Lawyers

  • SANS released the agenda for the upcoming DFIR Summit in June.
    SANS DFIR Summit Agenda

PRESENTATIONS/PODCASTS

  • Adrian Crenshaw has uploaded the presentations from BSides Tampa 2018

  • Dave and Matthew hosted Dr Joe Sylve and Ashley Hernandez from BlackBag Technologies to talk about the latest updates from BlackBag, including their recent MacQuisition and BlackLight releases, as well as APFS and FSEvents. They will also be running another broadcast next week at a time I’ll be awake for, so hopefully I can watch live! Happy days.
    Forensic Lunch: 2/16/18

  • Arizona HTCIA shared out three presentations put on by Jessica Hyde from Magnet Forensics (1, 2, and 3)

  • Nuix uploaded a couple of videos this week
  • On this week’s Digital Forensic Survival Podcast, Michael revisited the UserAssist artefact
    DFSP # 104 – UserAssist Forensics

  • Richard Davis has uploaded a video regarding the Windows Remote Desktop Protocol (RDP) Cache
    RDP Cache Forensics

  • Wyatt Roersma live streamed some random DFIR things a few times this week
    vTriple – Twitch

MALWARE

MISCELLANEOUS

  • Brett Shavers has released another DFIR case study.
    DFIR Case Studies #7

  • Brett Shavers at DFIR.Training has posted a few times this week
    • Brett advises examiners to use the right tool for the job, rather than just the tool they happen to have in front of them; thankfully a lot of the good tools are free or open source. That being said, if someone is looking for a project, tool parsing comparisons (as Mari wrote up a few years ago) are always a useful thing to write up.
      Stop forcing the square #DFIR peg into the round hole.
    • A classified ads page has been added to the site to help connect people that are trying to get rid of gear.
      DFIR Classified Ads
    • A compilation of keyword lists has also been added, and Brett comments on the effectiveness of using lists like these in an investigation.
      Keyword Lists.  Lazy way or good technique?

  • The Digital Forensic Compass launched this week. Currently, the website compiles supported-device lists from a number of hardware- and software-based tools, mainly for mobile devices. This looks like a great database for assisting examiners who are tasked with obtaining data, particularly from devices that aren’t necessarily supported by the big players or aren’t Android/iOS. I can see the project expanding to include additional information such as pin-outs for JTAG/ISP and walkthroughs for complicated extraction methods, if people are willing to share them.
    Digital Forensic Compass

  • There were a few posts on Forensic Focus this week
  • David Cowen at the ‘Hacking Exposed Computer Forensics’ blog shares his commitments for the year with regards to the Forensic Lunch and his SANS FOR500 classes.
    2018 Updates and Teaching SANS Windows Forensics FOR500 in Singapore

  • Jamie McQuaid at Magnet Forensics comments on the various methods available for acquiring mobile devices, mainly from the perspective that a tool’s device support list should not dictate whether an examiner says “it can’t be done” and stops there. An examiner’s role when acquiring data from a mobile device may change, and they will often be tasked with obtaining data from new, password-protected or otherwise unsupported devices. Combining chipset-based physical extractions with logical and file-system OS-based backup/extraction options is a good way of getting data from “unsupported” phones. Examiners shouldn’t rely solely on the support list of a single tool when acquiring data, as there are often many different methods and some might get you the data more easily than others.
    Device Agnostic Mobile Acquisition – Who Needs Model Numbers?

  • Microsystemation shared an article from the February edition of Digital Forensics Magazine by Joel Bollo and David Kovar regarding drone forensics
    Investigators face new forensic challenges and opportunities with growing use of UAVs

  • Daan Raman at Nviso Labs shows how to use data visualisation to assist in improving understanding of captured network traffic
    Going beyond Wireshark: experiments in visualising network traffic

SOFTWARE UPDATES

  • BlackBag Technologies have released BlackLight 2018 R1. In the post, Julie Urban explains how to use MacQuisition in combination with BlackLight to examine APFS images. I haven’t played around with the update, but apparently it will decrypt FileVault 2 images within the program itself (rather than handing the decryption off to macOS), which means that you will be able to open these images in the Windows version of BlackLight as well; very useful. Julie also explains that you can use the logical container option to extract the files into a sparse image for examination (which I think a number of tools support). I’d still recommend getting a physical image of disk0 if you can, because you can then restore it to an external hard drive and boot from it (which is good for visualisation).
    End-To-End Solution For APFS Now Available

  • Didier Stevens updated a few of his tools
  • Evimetry v3.0.7 has been released, fixing a few bugs.
    Release 3.0.7

  • Evimetry v3.1.5 (unstable) has also been released, which provides updates to the deadboot imager.
    Release 3.1.5-UNSTABLE

  • ExifTool was updated to version 10.79, adding new tags and bug fixes
    ExifTool 10.79

  • Teru Yamazaki at Forensicist shares the latest NSRLJP hashset
    NSRLJP_201802

  • Katana Forensics updated Lantern Triage to version 1.1802.120, adding in the ability to map locations from call detail records

  • MobilEdit Forensic Express 5.1.1 was released, fixing some bugs and making some minor improvements.
    Forensic Express 5.1.1 released

  • Sanderson Forensics has updated a couple of its tools this week
  • EnCase Forensic 8.06 has been released with various improvements. Unfortunately, it is a little cumbersome to find details of the release, or any notification that it came out, on their website; but I found it elsewhere to share out.
    Encase Forensic 8.06

  • Tableau have updated the Tableau Firmware Update (TFU) package to v7.22, which updates the TX1 Imager to version 1.2. This appears to be a very large update with new features, enhancements, and bug fixes.
    Tableau Firmware Update Revision History for v7.22

  • Maxim Suhanov released yarp v1.0.13.
    1.0.13

And that’s all for Week 7! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
