Week 24 – 2018

I’m back! Thankfully was able to get the post done today before jetlag set in.

I’ll probably do a recap of the trip this week if I get a chance to jot down some thoughts. Overall it was fantastic and I had a great time, but it’s good to get home; 4 weeks away is a long time.


  • Adam Harrison at 1234n6 shares his answer to last weeks Sunday Funday challenge regarding Extended MAPI properties.
    Using Extended MAPI Properties to determine email sent time

  • Tony at the new Archer Forensics (*cough* my suggestion *cough*) subdomain of AboutDFIR has started the Zeltser challenge
    • The first post describes Tony’s reasoning for starting the blog.
      Removing the Cloak
    • The second shares his GCFA Gold Paper on file system timestamps, and the indication that he’s going to be revising it soon.
      So, who am I?

  • Christian Rossow shares a tool written by Michael Brengel “to compress memory dumps of malware sandboxes”
    Check out @christianrossow’s Tweet

  • Oleg and Igor at Digital Forensics Corp show how to acquire data from LinkedIn directly from the site.
    How to acquire a LinkedIn account?

  • Cindy Murphy at Gillware Digital Forensics presented some interesting research into USB drive firmware manipulation. This is reminiscent of Courtney Webb’s talk at the 10th DFIR Summit on hard drive firmware manipulation. Cindy showed that “it is possible for multiple USB devices to leave behind forensic artifacts that appear to be generated by a single unique device”.
    USB Pwny Express – Counterfeit USB Devices and Anti-Forensics

  • David Cowen at the Hacking Exposed Computer Forensics Blog posted a number of times this week
  • Bradley Schatz at Schatz Forensics shows how to analyse AFF4 Linux memory images in Volatility.
    How to analyse AFF4 linux memory images

  • SANS have posted an ‘STI Graduate Student Research’ whitepaper by Ferenc Kovacs on using Win10 as a forensics platform. The paper covers some basic configuration, tool installation, and a comparison of imaging times between FTK Imager and Encase Imager.
    Windows 10 as a Forensic Platform

  • Volume 25 of the Digital Investigation Journal was released.

  • T3k-forensics shared their top 10 challenges in mobile forensics.
    10 challenges in Mobile Forensics

  • Hoyt Harness at ‘The Positronikal Chronikal’ continues to describe his CarnivoreLE triage tool.
    A New Live Triage Tool Taking Shape, Part 2

  • Jaco at ‘The Swanepoel Method’ walks through his testing process to get Axiom to parse data from an APFS image. Jaco provides a method that allows him to review the data using Axiom; the additions I’d make to the process are using an HFS+ container and using a command like rsync to preserve the metadata, as Jaco indicated that the metadata changed when moving the files.
    Parsing APFS with Axiom before the thing from Lost eats you

  • Over on my ThinkDFIR page, I wrote a quick post about Zone Identifiers and how not all ZoneID alternate data streams are created equal (I’m thankful Chrome has such a big market share because of all the valuable data in theirs)
    Zone Identifier == kMDItemWhereFroms?

  • Costas K shared an interesting registry key that tracks program execution along with a filetime last execution timestamp. It appears to be associated with whether the programs jumplist was populated but also was seen to be inconsistent. A bit of testing on my end showed that it didn’t populate when jumplists weren’t on, and if jumplist tracking was turned off it would delete the key entirely. I also found that it was refreshed every 24 hours; which wasn’t replicated on others systems. Further testing is required, but this looks like an interesting program execution artefact for some applications.
    Check out @sv2hui’s Tweet







And that’s all for Week 24! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s