Week 8 – 2018


I’ve been told I need to promote the Patreon link. It’s here if you’re interested 🙂


  • Kasasagi at ‘Apprentice forensic ‘s note’ has identified the ‘bam’ key in the Windows registry that stores the full path of an executable and the last execution time. It is indicated that this is only written when the computer is shut down so checking the registry on a live system may not be accurate (without parsing memory).
    About bam key (execution trace?) (Last update: 2018/02/23 02:23)

  • Hideaki Ihara at the Port 139 blog looks at verifying some of the data found in the ‘bam’ key.
    bam key と Program execution

  • Zak Thoreson at ‘Aqueous Analytics’ shares an incident response process for dealing with VMWare incidents.
    VMWare Incident Response: A Process

  • The guys at Cyber Forensicator shared a few articles this week
  • Mikeltxus at Follow The White Rabbit continues his Star Wars themed DFIR case study, looking further into memory, file system, network, and Windows artefacts.
    Rogue APT: Una historia de #DFIR – Episodio 2

  • Mark Lohrum at ‘Free Android Forensics’ walks through reversing a basic Android app. Also, congrats on the pending little one!
    Deep dive into an app

  • Matthew Green shares his research into “Background Intelligent Transfer Service (BITS) [which] is a Windows component used to transfer files asynchronously between a client and a server.”
    Sharing my BITS

  • Jonathon Poling at ‘Ponder The Bits’ has compiled some information about “RDP-related Windows Event Log ID’s/entries for tracking and investigating RDP usage on a Windows Vista+ endpoint”
    Windows RDP-Related Event Logs: Identification, Tracking, and Investigation

  • The SANS InfoSec Reading Room shared a couple of whitepapers this week
  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shows how to boot a computer using a Linux boot disk and take a forensic image over a network using DD and netcat. If you would like to include verification information then a number of the forensic distros have ewftools installed.
    Forensic disk acquisition over the network

  • There were a couple of posts by the students at Champlain College
    • The first introduces a project to look into “Pick Up Where I Left Off”, which is a feature coming to Win10 in the near future. This feature is meant to be a “cross-platform version of Apple’s Handoff and Auto Resume features”
      Windows Fall Creator Introduction
    • The second project relates to examining a large number of popular apps across Android, iOS, and Windows Phones. I’m never sure if it’s good to include Windows Phone in these projects; on one hand, they’re very rarely seen, and on the other, they’re a pain because there’s little research on them because they’re so rarely seen.
      Mobile Device Forensics Update 1



  • Rey Navarro at Griffeye will be hosting a webinar on 16th March 2018 at 9am EST (15:00 CET) on visual media investigations.
    Griffeye 101: A Crash Course In Visual Media Investigations

  • Jad Saliba at Magnet Forensics shares a video of the Magnet User Summit which will take place in a number of cities across Europe and the US this year. (I’m aiming to attend the Las Vegas one if all goes to plan!)
    Magnet User Summit  //  2018

  • SANS have uploaded a brief video for the DFIR Summit (where I will be speaking on some research into Google Home) emulating the Stranger Things title sequence.

  • Stephen Mathezer and Kevin Ripa will be hosting a SANS webinar on March 1st, 2018 at 3:30 PM EST (20:30:00 UTC) on bringing value during a pentest, as well as deep-dive forensics – I’m not sure if this is going to be about file carving or parsing artefacts though.
    Check out @sansforensics’s Tweet


  • Adrian Crenshaw has uploaded the presentations from BSides NOVA 2018

  • John Strand at Black Hills Information Security has uploaded a presentation on network threat hunting
    WEBCAST: Tales from the Network Threat Hunting Trenches

  • Cysinfo have uploaded a few of the presentations from their 12th meetup
    Forensic Lunch: 2/23/18

  • Dave and Matthew ran a Forensic Breakfast instead this week, to allow us Australians to watch at a more reasonable time. Dave asked me to come on to talk about my work on this blog, including the podcast and patreon, and also my movements at a few conferences in May and June. Afterwards, Brad Schatz spoke about his recent updates to Evimetry; in particular, the new deadboot agent. Something I forgot to mention re how do I find things. the TLDR is I check a number of sources weekly, and try to find what people share out across various platforms. If you have RSS, great, if you don’t it goes on a list which I check before the post goes out. What’s been happening more recently is people are telling me prior to their release or letting me know if I missed something (which is great, because I do miss things). Really the only things I don’t share are marketing things or stuff that’s been reshared multiple times. I’d much prefer someone asks why I missed something since chances are it was just overlooked (or IFTTT didn’t run properly, which has happened recently). Overall, the best thing from my perspective is if you’re starting something new or sharing out something you want the DFIR community to know about, let me know and I’ll get it out there. After all, if I can’t find it, there’s a good chance many others can’t either.
    Forensic Lunch: 2/23/18

  • Erik Hjelmvik at Netresec have uploaded a video tutorial covering “how to analyze SPAM email traffic from the Kelihos botnet”
    Analyzing Kelihos SPAM in CapLoader and NetworkMiner

  • OALabs have uploaded a video showing how to “use x64dbg to unpack a new Emotet / Geodo malware (Stage 1)”
    Unpacking Emotet / Geodo (Stage 1) Using x64dbg – Subscriber Request

  • Paraben Corporation uploaded a few videos this week
  • On this week’s Digital Forensic Survival Podcast, Michael interviewed a mobile forensics examiner, Robert, about his work in data extraction relating to JTAG and ISP.
    DFSP # 105 – from Zero to JTAG

  • Robert M Lee talks about the updates to the Cyber Threat Intelligence course (FOR578) as well as the new GCTI certification.
    Why and How to Take the GCTI   The Industry’s Cyber Threat Intelligence Certification

  • On Talino Talk, Steve and Jason talk about the recent changes to Talino and Sumuri and how that will affect things going forward.
    TALINO Talk ep12

  • Alan Orlikoski shared out his recent presentation to the Alamo ISSA regarding CCF-VM, installing the GCP version, and discussing the possibilities and risks of automation.
    Check out @AlanOrlikoski’s Tweet

  • Wyatt Roersma live streamed some random DFIR things a few times this week
    vTriple – Twitch



  • Eric Huber at ‘A Fistful of Dongles’ has started a series on DFIR life after working in LE. This post covers the decision to leave LE to join the private sector and things people should consider. My main take away is: “you should always be preparing for the next job even if you aren’t actively looking for the next job”; I’m quite happy where I am at the moment, but one of the reasons I started this blog was because it would force me to keep up with what’s going on around the industry (not just necessarily the stuff I deal with at work) so I was better preferred if I decided to move on. (If my employers are reading this, I’m not looking to move on, don’t worry :P)
    Life After Law Enforcement: Do I Stay Or Do I Go?

  • Brett Shavers wrote a couple of posts this week
    Making Ham Sandwiches in DFIR

  • The first expounds the benefits of writing clearly, for your intended audience. If you write your report, and your audience doesn’t understand it, then it doesn’t really count.
    Making Ham Sandwiches in DFIR

  • Brett also talks about the difference in perspectives, from responder to user, regarding an incident in a workplace.
    Cyber Health

  • Brett Shavers at DFIR.Training is looking for some advice about whether people would be interested in a sub-contracting listserv or directory.
    DFIR Sub Work List?

  • DME Forensics have shared details of the new tags feature in DVR Examiner.
    DVR Examiner Feature Highlight: Tags

  • Forensic Focus interviewed Nick Sharples from Nuix about his previous life “as a consultant to UK Law Enforcement”, his work going forward at Nuix
    Interview With Nick Sharples, Senior Solutions Consultant, Nuix

  • Pelle Garå at Griffeye expounds the benefits of incorporating various databases maintained and contributed to by groups as “powerful intelligence and investigative resources that let specialized investigators share data with colleagues”.
    Using technology to get results

  • Adam at Hexacorn has written a lengthy piece of advice for new SOC analysts to take onboard when starting (although a lot of this advice can be applied across the board).
    How to become the best SOC Analyst E-V-E-R

  • Paul Kincaid at Malwarebytes Labs has started a series on building an effective incident response program in response to GDRP. This post outlines “some of the regulatory requirements documented in the GDPR”
    How to build an incident response program: GDPR guidelines

  • Vitaliy Mokosiy at Atola Technology provides a list of forensics conferences for 2018 and 2019 (including approximate prices where possible). Forensic Focus also shared a code for a discount for Techno Security (which I’ll be attending this year!)
    Top forensic conferences 2018-2019

  • Blackbag Technologies have changed the devices that they will be distributing Macquisition on. Macquisition will now come on a 120GB solid state drive, and is upgradable to 1TB. I wouldn’t rely on imaging to the 120GB drive, only because most Mac laptop models are minimum 256GB (only the air comes with 128GB), and I wouldn’t want to rely on the compression; but for data collection and memory capture it’ll be great!
    Macquisition’s New Device Sizes Provide Supersized Imaging


And that’s all for Week 8! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s