Week 34 – 2018

FORENSIC ANALYSIS

  • Brian Gerdon at Arsenal Recon digs into the URLs generated by Gmail to try and trace user actions. Google tends to track a lot of interaction information, and even better, it’s stored in URLs for us. Awesome find that the message ID is actually a timestamp; looks like I’ll have to update GSERPent.
    Digging into Gmail URLs 
  • Brian Carrier has a post on the recent “data source-level changes” to Autopsy 4.8.0.
    Data Source-level Focus in Large Cases 
  • Matteo at Forensics Matters shows how to extract GPS data from the EXIF data within a JPEG image using imago.
    Extract GPS data from JPEG using imago 
  • Cindy Murphy at ‘Gillware Digital Forensics’ shares a case study where the Smartphone user dictionary proved critical to providing a date range in a case. Cindy showed that the dictionaries are generally populated sequentially, and by attributing some of the words to items with known timestamps (such as text messages or web searches) then you may be able to provide a rough time for words that are between the known timestamps.
    My Favorite Artifacts, Part One: Smartphone User Dictionary Files 
  • Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week (and I’ve distributed his posts around a little bit).
  • Alexis Brignoni has posted a couple of times this week.
  • Yogesh Khatri at Swift Forensics has released an open source spotlight parser to parse the MacOS Spotlight database. Yogesh has also added this to his mac_apt parser.
    An open source spotlight parser

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

  • Rich Frawley at ADF will be hosting a webinar on how ADF can be utilised in fraud investigations. The webinar will take place September 13, 2018 at 10:00 AM EDT.
    Webinar: Solve Fraud & Economic Crimes 
  • The agenda for OSDFCon 2018 has been announced. 
  • Nathan Little from Gillware Digital Forensics and Jamie McQuaid from Magnet Forensics will be hosting a webinar presenting “a real case to demonstrate how Magnet AXIOM can be used to help identify the source of an intrusion and what sensitive data was taken by the attackers.” The webinars will run September 25th at 1:00PM EDT, and September 26th at 9:00AM EDT.
    Fraud, IP Theft, and an Intrusion: A Case Study with Gillware Digital Forensics 
  • Red Canary and Carbon Black will be hosting three webinars September 20, October 2, and October 18, all at 1:00 PM EST, on “Threat Hunting with ATT&CK™”.
    Check out @Redcanaryco’s Tweet

PRESENTATIONS/PODCASTS

  • Brandon Dixon advised that RiskIQ has published a threat hunting workshop on YouTube, which comes in two parts.
    Check out @9bplus’s Tweet

  • The guys at Cyber Forensicator shared Jamie Levy’s presentation from Lockdown 2018 titled “Taking Memory Forensics To The Next Level”.
    Taking Memory Forensics To The Next Level 
  • Forensic Focus shared the webinar and transcript by Geoffrey MacGillivray and Cody Bryant at Magnet Forensics titled “Using Technology To Find Information Faster And Build Stronger Cases”.
    Webinar: Using Technology To Find Information Faster And Build Stronger Cases 
  • Dave Cowen posted two Test Kitchens this week, and Brett Shavers (rightly so) appears to be a big fan of them.
    • The first tested a Win7 Enterprise SP1 system for the creation of jumplist entries. Win7 and Win10 act quite differently, and Dave showed that a number of actions such as creating, accessing, and renaming folders, or creating a file did not result in new jumplist entries. If you do access a file, then an entry is created for the file and the folder that it was stored in. Similarly, a LNK file was created for the folder when a file was accessed.
      Daily Blog #460: Test Kitchen 8/22/18
    • The second looked at the creation of ObjectIDs on Win7 and Win10, expanding on Dave’s post during the week about the same. If you create a file in Win10 then a LNK is created as well, and as a result the file also has an ObjectID. On Win7 however, a LNK file isn’t created on the creation of a file, and an ObjectID is also not created. Therefore, you can say that if a file has an ObjectID then that file has probably been opened, even if there is no associated LNK file. Hideaki Ihara also confirmed that ObjectIDs were created on file open on Win10 systems. Dave later expanded on this and suggested that maybe we can triage a system to identify all the files in userland not created by a user on the system directly (i.e. downloaded from the web). This may be useful in conjunction with something like a ZoneID (which doesn’t always get created, or can be removed).
      Daily Blog #461: Test Kitchen 8/23/18 
  • Jamie McQuaid at Magnet Forensics shows how to acquire a phone with an MTK (MediaTek) chipset using Axiom.
    Acquiring MediaTek (MTK) Phones with Magnet AXIOM 
  • Magnet Forensics shared the recent webinar by Jamie McQuaid and Dr. Liam Owens from Semantics21 “showcasing how these tools work together to save time identifying and rescuing child victims and apprehending offenders.”
    Recorded Webinar: Saving Valuable Time on Child Exploitation Investigations with Magnet Forensics and Semantics21 
  • On this week’s Digital Forensic Survival Podcast, Michael talked about Process IDs.
    DFSP # 131 – PIDS

MALWARE

MISCELLANEOUS

SOFTWARE UPDATES

And that’s all for Week 34! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!

As always, thanks to everyone for their support!
