Week 27 – 2018

I’ve decided to formalise the support page for the project, which can now be accessed from the top menu. I figured that it would be a good idea to put it all in the one place. I’m still holding out from the advertising model, although I think that’s more of a personal preference more than people vocally being against it.

Thanks to all those that have donated/patreon’d so far, very much appreciated.


  • Hideaki Ihara at the Port 139 blog posted a couple of times this week
  • Adam Harrison at 1234n6 wrote a couple of posts about exFAT this week
  • Arun Prasannan at CCL Group discusses how some macOS metadata is affected by copying to a non-Apple file system using Macquisition/rsync. I’d be interested in seeing what happens when using the same methodology from APFS to HFS+, and whether metadata is lost in the file transfer.
    Messing about with Windows metadata when analysing a Mac

  • Oleg and Igor at Cyber Forensicator finished off their walkthrough of the Magnet User Summit CTF covering the Exfiltration and Intrusion questions

  • Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times (I’ve changed the order slightly)
    • Congrats to Paul Bryant on his winning submission on exFAT timestamps.
      Daily Blog #409: Solution Saturday 6/30/18
    • Last weeks Sunday Funday was on the “level of access an examiner has during the upgrade process on a windows 10 system that is bitlocker encrypted during the reboot. “
      Daily Blog #410: Sunday Funday 7/1/18
    • Don’t take anything from my answer as being factual or correct. It won by virtue of being one of the only submissions; someone definitely should actually do the testing and figure out the actual answers though.
      Daily Blog #416: Solution Saturday 7/7/18
    • This weeks Sunday Funday relates to information that can be obtained from o365 under two different conditions. Adam Harrison and I have already posted our answers. At some point Dave will ask us to stop, we have yet to reach that point.
      Daily Blog #417: Sunday Funday 7/8/18
    • More importantly, Dave gave a little bit of insight into why he started his daily blogging challenge and pointed out that it’s not really about the daily posting, but more about pushing yourself to learn a little bit more each day. A lot of other blog authors say they have received the same benefit from doing say; it’s why I do what I do too. Daily blogging isn’t for everyone, but it’s good to set a goal to work towards. Once a month for example…12 blog posts a year! I’m sure that everyone can find it in them to put out 12 posts a year – you can even ask Devon to host the site for you.
      Daily Blog #412: The importance of blogging,,, daily
    • Back to MAPI: This time testing an Excel document as an attached file.
      Daily Blog #408: Exploring Extended MAPI Part 15
    • And then a Word document. He found that “the creation time is being set to when the message was sent”
      Daily Blog #411: Exploring Extended MAPI Part 16
    • Dave then moved onto Outlook Web Access and found “that even though the message was marked unread and read again that the last modification time didn’t change from the time it was originally. In fact going through all the dates i didn’t find any updates made at all.”
      Daily Blog #413: Exploring Extended MAPI part 17
    • Lastly, he found that in OWA, replying to a message didn’t affect the MAPI data on the message in Outlook.
      Daily Blog #414: Exploring Extended MAPI part 18

  • Greg Smith at TrewMTE shared some resources relating to the Herrevad database relating to mobile geolocation artefacts.
    Update – HERREVAD Databases Geo Location Artefacts

  • Volume 25 of the Journal of Digital Investigation was released.

  • Jaco at ‘The Swanepoel Method’ shows how to use log2timeline to process the Security event log to detect time changes.
    Detecting Time Changes with L2T (Ain’t Nobody Got Time For That)





  • To start off this section I wanted to address the unicorn in the room; the closure of the o365 activities API, which has been the talk of the town. There were a few posts, listed below, showing how to get access to the data, and also Dave Cowen’s commentary on disclosure of secret evidence sources. The main point of interest is that whilst we all agree that sharing is vital in this industry, there is always the concern that disclosing methodology in some way may force a companies hand; There are similar concerns with sharing encryption bypasses or mobile device acquisition techniques. By disclosing this information you run the risk of the research and development time and effort, as well as capability, disappearing. As a result, it becomes a minefield when trying to determine the ethics surrounding sharing certain information publically. That being said, there is still plenty of information that can be shared publicly that runs a far lower risk of a vendor caring about – usually surrounding parsing data that is required to keep a product functioning as intended.
  • Eric Huber at ‘A Fistful of Dongles’ interviewed Mike Swindells on his role as “a Sergeant with the Calgary Police Service”
    AFoD Interview with Mike Swindells

  • Atola have released a software update (2018.1.2) for the TaskForce which adds Chinese language support
    Chinese version of TaskForce launched!

  • Matt at ‘Bit of Hex’ shows how he dealt with confusion caused when an artefact was be being presented correctly by a tool, but written incorrectly by an application in the first place. I’m not sure how relevant to DF the actual bug was, but it shows that when looking into odd results it’s a good idea to go look at the data directly to see where the bug may be.
    Your forensic tools are wrong, because your application is lying

  • Blackbag Technologies have released an eBook on “conducting investigations in Windows Registry with BlackLight”
    Check out @blackbagtech’s Tweet

  • Brett Shavers posted a few times across his blogs
    • He responded to a section of some recently produced research relating to synchronisation artefacts. Apparently, the researchers indicated that many computer forensic examiners don’t regard synchronisation during their examinations; whilst I don’t disagree, I would like to know how they came to that conclusion – was there a survey, or just that there isn’t a huge amount of research in the area?
      Snap! Oh no you didn’t.
    • Over at DFIR.Training, he shows in graphs: “The faster the information is disseminated, then faster it disappears, or worse, is never seen”. He also suggests that documenting your research will help you in the long run, preferably via a more lasting medium such as a blogpost or article.
      The Dearth of Documentation in DFIR
    • Lastly, he clarifies some points about the DFIR Rapid Peer Review idea.
      Getting Your Blog Post Officially DFIR Peer Reviewed – An Update

  • There were two posts on dumping domain password hashes; one on Hacking Articles, and another on Penetration Testing Lab

  • Forensic Focus posted a couple of times this week
  • Griffeye posted a couple of times this week
  • Bradley Schatz at Inside Out shares some data acquisitions speeds of a 1TB NVMe drive. It would be interesting to see all the imaging tool vendors pitted against each other; granted, they all have their lanes, so even if you’re not the fastest imager, you may still have damaged drive support, or improved portability, or support for a wide range of drives. That being said, a speed race is probably not going to happen.
    Which forensic imager is the fastest?

  • Magnet Forensics posted twice this week
  • Monnappa K A announced that his book “Learning Malware Analysis” has been released.
    Check out @monnappa22’s Tweet

  • Basil Alawi S.Taher at the SANS Internet Storm Centre walks through the use of the “AutorunsToWinEventLog [which] is a PowerShell script that runs autorunsc and converts it to Windows Events.”
    Using AutorunsToWinEventLog , (Fri, Jul 6th)

  • Scar de Courcier describes her process for choosing the section headings for the book that she co-authored, “Windows Forensic Cookbook”.
    Choosing Your Section Headings


And that’s all for Week 27! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s