Week 19 – 2018


Magnet Forensics wrote a blog post reminding you to go and vote in the Forensic 4Cast Awards. Only a couple more weeks till voting closes!
3 Reasons to Vote Magnet Forensics for Forensic 4:cast Digital Forensic Organization of the Year

Brett Shavers at DFIR.Training shared some stats for the site and asked for votes for Resource of the Year
Top 3 Reasons to Visit www.dfir.training

You can head over here to cast your vote (*cough* vote for me! *cough*)

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

  • Belkasoft will be hosting a webinar on SQLite forensics. “During this session the following questions will be explained: freelists, unallocated space, journal files, write-ahead log (WAL) files and carving deleted SQLite databases”. “The webinar will be conducted on May 18, time and join link will be sent to you upon the registration”.
    Join us for a free webinar on SQLite Forensics!

  • Sarah Edwards will be hosting a webinar on the 29th May at 3:30pm EST on the updates to the FOR518 Mac and iOS Forensic Analysis & Incident Response course.
    Check out @sansforensics’s Tweet

  • “Registration for VB2018, the 28th Virus Bulletin Conference, which will take place in Montreal 3-5 October this year, is now open.”
    Registration for VB2018 now open!

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • Andrew Case tweeted out that 44 new OS X profiles were just added to Volatility.
    Check out @attrc’s Tweet

  • Kent Ickler at ‘Black Hills Info Sec’ demonstrates how to “use a custom dictionary to crack Microsoft Office document encryption”
    How to Crack Office Passwords with a Dictionary

  • The CFP for the “Special Issue on Security and Forensics of Internet-of-Things” is open, and closes August 15, 2018.
    Call-for-papers for Special Issue on Security and Forensics of Internet-of-Things: Problems and Solutions

  • Roger A. Grimes at CSO interviewed Rob Lee about his work as a threat hunter.
    Who wants to go threat hunting?

  • There were a couple of posts on Cyber Forensicator this week
  • Elcomsoft stirred up some fear (and some rejoicing) this week when Oleg Afonin warned of a new feature in the iOS 11.4 Beta, called USB Restricted Mode, that cuts the USB connection if the phone hasn’t been unlocked in 7 days.

    Patrick Howell O’Neill at Cyberscoop commented on this and advised that the feature was also in a previous beta, but clarified “that USB Restricted Mode is not in the current iOS 11.4 beta”. That’s not to say that it won’t be in the final release, or a future version, as this is clearly something Apple may want to use to combat LE utilising phone brute-forcing services.

    In response to this, Vladimir Katalov shared their testing of 11.4 beta 2 and 3 and found that the lockdown record was able to be used after 14 days (well past its 7 day expiration) and stands by the statement that “USB Restricted Mode does kick in after 7 days” on these versions.

    Vladimir also mentions that we don’t have accurate estimates of password cracking speeds, and that you can acquire the data from the phones after they’re unlocked using their iOS toolkit. He mentioned that a number of vendors are supporting the Graykey images, but said images are no different to those acquired by the Elcomsoft tool. My understanding is that the Graykey solution will get you slightly more data but I haven’t played with it. Either way, the main benefit of the password cracking solutions is that passwords are required to obtain extractions from locked iOS devices, and lockdown records aren’t always readily available.

    I got a bit of a negative impression from that section, not sure if it was intentional: you can use iOS Toolkit for some things (or maybe you’re not allowed to jailbreak devices in your lab, making their physical, aka file system, acquisition moot), but when faced with a locked device and no computer it’s been attached to, you’ve got a few issues.
    Thankfully Elcomsoft has put together a lot of articles to familiarise yourself with the options available if you’re unable to procure the password-cracking services.

  • There were a few posts on Forensic Focus blog
  • Lenny Zeltser has written a cheat sheet with some writing tips for IT pros
    Technical Writing Tips for IT Professionals

  • Magnet Forensics shared five case studies about how their tools were able to assist law enforcement.
    5 Magnet Forensics Mobile Success Stories

  • “NIST has published a guide that describes procedures for documenting and populating test data on a mobile test device.”
    NIST Publishes Guide on Mobile Test Devices for Digital Forensics: Special Publication 800-202

  • Harlan Carvey at Nuix walks through the process of adding Yara and Regripper to Nuix workstation.
    Step-by-step Guide: Adding Yara and RegRipper to Nuix Workstation

  • Andrew Torgan at Project VIC announced that they are working with ForceForge to create “VICLabs”, “to incubate collaborative solutions [that] will lead to positive outcomes for children worldwide, as well as improved processes for law enforcement.”
    Project VIC Announces Partnership with ForceForge.org to Fight Domestic and International Child Exploitation

  • Andrew also announced the requirements collection phase timeline for the update to VICS 1.4.
    Project VIC Announces Requirements Collection for VICS Data Model 1.4 Focused on Vulnerable Communities

SOFTWARE UPDATES

And that’s all for Week 19! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
