Week 25 – 2018


  • Hideaki Ihara at the Port 139 blog tests out Erics MFTECmd in examining a file stored in NTFS’s $ EA attribute.
    MFTECmd と $EA

  • Somehow I missed Mari’s post last week so it’s here this week! Mari’s post covers PowerShell scripts that may be hiding in the registry as their persistence mechanism.
    Malicious PowerShell in the Registry: Persistence

  • Craig Ball at ‘Ball In Your Court’ looks into a request about MAC times in 7z/Zip containers. The test that he ran showed that copying a file out of a zip container didn’t modify the MD5, but did change the creation time. The addendum also provided the requisite parameters to ensure that 7z preserves the Access and Creation times. A couple other options are to preserve the $MFT along with the physical files, or use a container created by a forensic tool to preserve the files of interest.
    Preserving MAC Times Collecting Files in E-Discovery

  • Brian Moran at BriMor Labs walks through his acquisition of a problematic LG Aristo phone using Magnet Axiom. Curiously the trust prompt showed up in MTP, but then the connection protocol had to be changed to PTP for acquisition.
    Who’s Down With PTP?

  • Luis Rocha at ‘Count Upon Security’ describes a number of Windows artefacts that can be used to identify program execution.
    Digital Forensics – PlugX and Artifacts left behind

  • The guys at Cyber Forensicator posted a couple of times this week
  • Vladimir Katalov at Elcomsoft describes some of the caveats around Elcomsoft’s iOS extraction process.
    Breaking Deeper Into iPhone Secrets

  • Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week
    • The first three related to more MAPI data examination. The first looked at what forwarding an email does to Extended MAPI data.
      Daily Blog #397: Exploring Extended MAPI part 8
    • The second looks a some of the other fields related to “a MAPI property [that is] only set on sent messages that records the type of Client connection that existed when the message was sent.” This may be something that can be used to profile the sender’s mailbox.
      Daily Blog #398: Exploring Extended MAPI part 9
    • The third is about the ClientInfo property, and how it appears to be “populated/provided within an Exchange server organization.” Dave also provides a use case where you may be able to use this information to “get through all the messages the employees received and identify even faster which ones came from the attacker by isolating which Clients which employees were using and which the attacker was using.”
      Daily Blog #399: Exploring Extended MAPI part 10
    • The Magnet CTF challenge images have been uploaded, and Jessica Hyde also uploaded the processed Axiom case as well.
      Daily Blog #400 – Forensic challenge image for the Magnet User Summit
    • The CTF site has also been opened up so you can play along at home.
      Daily Blog #401: Magnet User Summit CTF is now open to the public
    • Dave shared my solution to his Sunday Funday challenge on ZoneIDs. Overall, I found that different applications create different ZoneIDs, and tested a number of ways to download a file onto my Win10 machine. Turns out other applications outside of browsers set a ZoneID (ie o365, Windows Mail, Skype). Plenty more things to test; my suspicion is that more Microsoft apps will set them.
      Daily Blog #402: Solution Saturday 6/23/18
    • Lastly, Dave posted this week’s Sunday Funday challenge; this time regarding the “timezone field to document which timezone a timestamp was populated with” on an ExFat volume.
      Daily Blog #403: Sunday Funday 6/24/18

  • Jamie McQuaid at Magnet Forensics shows how to ingest the files output by the GrayKey device into Axiom.
    Loading GrayKey Images into Magnet AXIOM

  • Patrick Wardle at Objective-See raises a security concern regarding QuickLook cache on MacOS. This may be useful for those trying to determine if a file has been copied to external media (regardless of encryption status/security concerns)
    Cache Me Outside

  • Chapin Bryce at ‘Pythonic Forensics’ has returned to blogging!
    • The first shows how to interact with the registry using the registry-python library.
      Python as a Forensic Tool
    • The second looks at registry timestamps and shows how to perform frequency analysis on timestamp updates in an effort to determine the activity that modifies timestamps that we may be interested in. Say a key of interest is modified, then looking at the other keys modified at the exact same time may give us clues as to what activity occurred (such as Windows updates)
      Trusting Registry Timestamps

  • SalvationData share a case study showing how to use their tools to repair and image a damaged hard drive.
    [Case Study] Computer Forensics: Data Recovery & Extraction From Platter Scratched Hard Drives

  • Stacey Randolph at ‘The Knowledge Bean’ posted a number of times this week
    • She shares details of her favourite presentations from the SANS DFIR Summit
      #2 – SANS DFIR Summit
    • She shares a method of acquiring data from iOS devices without fancy forensic tools; iTunes! And then iBackupBot to review the data.
      #3 – iTunes Backups
    • She also describes how she ended up in digital forensics
      #4 – Taking a Step Back
    • Back to iTunes backups; Stacey shows what can be found in the Info plist
    • As well as the Manifest
    • and Status Plists
    • Lastly, she shows the iTunes Backup Manifest.db, which is an “SQLite database storing information about the iTunes backup.”
      #8 – iTunes Backup Manifest.db

  • Jaco at ‘The Swanepoel Method’ replicated and expanded on some of my findings on Zone.Identifiers. Jaco was able to test what I found as well as test some use-cases surrounding the Edge browser.
    Highway To The Danger Zone.Identifier

  • There’s a post on TM4n6 showing how to examine alternate data streams on Linux and Windows.
    Extracting ADS using Linux

  • Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ has released her “guide on data leakage and IR in the cloud.”



  • Rich Frawley at ADF will be hosting a webinar on Wednesday, June 27, 2018 at/ 2:00 PM EDT on “fraud investigation best practices”. “Rich will showcase how investigators and Digital Crimes Units are saving time using ADF’s intelligent approach to investigating cases quickly thereby reducing the need to image every device and reducing forensic backlogs.”
    Webinar: Solve Fraud & Economic Crimes

  • Comae Technologies will be re-running their intro to memory forensics webcast on Tuesday 26, June – 11AM PST and Tuesday 3, July – 11AM PST.
    Webcast: Introduction to Memory Forensics With Comae

  • Heather Mahalik will be running a SANS webcast titled “No tool fits all – Why Building a solid Toolbox Matters” on July 10th at 3:30pm EST.
    Check out @sansforensics’s Tweet





And that’s all for Week 25! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s