Week 31 – 2018

Just an FYI I’m over in Las Vegas next week for DEF CON; two things. 1) If you’re around, shoot me a message on Twitter or through the contact form. Some people have reached out after I’ve been state-side and said things like “oh you looked busy”; if I’m busy, I’ll tell you, otherwise come say hi!; and 2) that means links only next week. Bit busy at the moment so rather than trying to push through and get everything done I’ll have to put the blog on the backburner for the week.

Also, seeking a bit of feedback re the way I’ve been formatting things: Do people prefer when I just list out the items, or when they’re grouped/correlated ie putting the answers to Sunday Funday in the link to the question?


  • Delaney Jester describes what data can be obtained from the Cortana app on Android; she showed the manual process that she had to follow and compared it with UFED PA, which didn’t extract any of the data. Tools like PA do a great job, but can’t automatically parse the data they don’t know about, and there are a lot of apps that the tools don’t know about because covering them all is an impossible task.
    The Forensics of Cortana on Android

  • Hideaki Ihara at the Port 139 blog tests the jumplist activity when copying a directory in Win10.
    Jumplist and File copy

  • Adam Harrison at 1234n6 looks into Win10’s recent retirement of the RegBack registry backups. I checked my system and saw that the last modified times roughly matched up with the latest update, and that my hives were all zero’d out. Looks like Microsoft might not be giving us that artefact any more.
    Has RegBack been retired?

  • Justin Boncaldo shows how to parse the SAM hive using RegistryExplorer and the RegRipper GUI. There’s also the RegRipper command line (which I generally prefer), or you can use my RegRipper GUI (which I probably need to package with Regripper and compile…eventually).
    4n6 Quick! #01 -Windows Users list & Login Count

  • Alex Caithness at CCL looks at the Windows Facebook application and notices iOS-like features (plists on Windows!?). I see two possible outcomes from this; either we’ll be missing data because scanners won’t be looking for iOS artefacts on a Windows system, or because the apps will be the same across operating systems, it’ll be easier for the parsers to remain up to date. Maybe both even!
    What the Blazes?! – Why are there iOS Artefacts in my Windows 10 Applications?

  • Craig Wilson at Digital Detective posted an article on his DataDump tool, “which allows you to dump segments of data from an original source image or physical/logical device.”

  • Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week
    • Sunday Funday this week is about the inbuilt anti-forensics task found on Win10 that cleans up plug and play devices. Adam Harrison has posted his answer. Adam found that if you had the task it will remain through the upgrade process, but newer versions shouldn’t ship with the task. If rolling out Win10 across an organisation it’s probably ideal to delete the task anyways.
      Daily Blog #437: Sunday Funday 7/29/18
    • Dave links to Hideaki’s post, seen above.
      Daily Blog #438: Validating the Windows 10 Copy Paste artifact
    • He also comments on the maximum storage limit of shell items in Windows jumplists (2000 items), and explains that Jumplist Explorer has a function to recover deleted entries that haven’t been overwritten.
      Daily Blog #439: Jumplist maximum storage
    • He looks at the Win10 Notification Database for interesting tables/data, and shows that “we can recover the sender, subject and first lines of an email in the notification database even if the email has been purged from the system otherwise”
      Daily Blog #440: Windows 10 Notifications Database
    • Dave mentions the need for regression testing with different feature updates of Win10 since each feature update adds and removes different functionality (who knows why). I have ideas for this, so if someone’s an AutoIT ninja then reach out and we can discuss if there’s a way to automate some of this.
      Daily Blog #441: Changes in Windows 10
    • Lastly, Dave asks the community to help compile a list of known anti-forensics tools that they’ve seen used in the wild
      Daily Blog #442: Anti Forensic Tools in the wild

  • Alexis Brignoni at Initialization vectors has released a tool for parsing the data found in the Microsoft Translate Android app. Alexis’ post shows that a number of apps are storing data in JSON now as well as SQLite, which may not be as easy to automatically parse with functions within tools (think Dynamic App Finder in IEF/Axiom and Cellebrite’s SQLite builder – although both of those tools do have JSON/XML viewers).
    JSON-ception and the need for mobile DFIR scripting courses

  • Jon Poling tweeted out that examiners can “collect both iCloud Backup Logs and a full ASL log archive for analysis” using the “brctl” utility
    Check out @JPoForenso’s Tweet

  • Brian Maloney shares a script for converting the Windows 10 Notification database’s write-ahead log to an SQLite database for examination.
    Windows 10 Notification WAL database

  • There were a couple of posts on ØSecurity
  • SalvationData have a post on extracting data from a Seagate hard drive with corrupt firmware using their Data Recovery System (DRS) tool.
    [Case Study] Computer Forensics: How to Forensically Extract Data from an Unidentified Seagate HDD

  • I posted my ‘This Month in 4n6’ podcast for July.
    This Month In 4n6 – July – 2018

  • Twitter user Wyv3rnSec has posted a table of Ext4 timestamp changes based on a variety of interactions. This is similar to the table for NTFS on the SANS Windows Forensic Analysis poster.
    Check out @Wyv3rnSec’s Tweet

  • Accenture Security have posted a report on the use of the Socksbot malware family in the Goldfin campaign
    GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT







And that’s all for Week 31! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

As always, thanks to everyone for their support!

One thought on “Week 31 – 2018

  1. I like separate sections for podcasts, presentations, and software. The rest could possibly be lumped into one since there is overlap in the DFIR fields (also less work for you). Looking forward to seeing you in Vegas! Twice in one year – it’s like Christmas!

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s