Week 37 – 2018


  • Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know.
    NTFS $ObjID and ObjectID
  • Justin Boncaldo provided an overview of the Shellbag artefact. Something that’s important to note is that an item may appear in shellbags, but may not have been accessed – the activity of clicking on the folder icon will add it as an entry to the user’s shellbags.
    DFS #5: Which folders have been opened? (Shellbags)
  • There were a few posts on Cyber Forensicator this week
    • They also shared the update that the next Win10 version will have the ability to use the clipboard as a list rather than a single variable. As a result, examiners may have more useful information (passwords even!) to examine. Work is underway to determine how best to access this data, as it may be encrypted
      Windows 10 October 2018 Update Brings Clipboard History Feature
    • Lastly, they shared the Telegram group that they have created; as a side note, there’s some good information shared on these chatroom-like apps (Discord, Slack, Telegram), and a lot of the time it’s difficult to follow as people will ask multiple questions and answers. If you have a question and get an answer on a chat or listserv that is probably worth sharing, please write it up; it doesn’t have to be perfect, but it might help others as well that aren’t on whatever space you’re looking at. I’m happy to chat with people are getting stuff written up and shared, even if it’s anonymous.
      Join our Telegram DFIR group!
  • Matteo at Forensics Matters shares three methods of obtaining the Windows installation date timestamp from the registry. It’s important to note that Win10 updates the Install Date when a major update occurs.
    Find out Windows installation date
  • Over on my ThinkDFIR site, I shared a script to extract all the records that contain a timestamp in the iOS powerlog database into a timeline.
    Playing with the iOS Powerlog



  • Carbon Black, Mitre, and Red Canary will be hosting a webinar on “how to use the MITRE ATT&CK framework to hunt for adversary tactics and techniques across the attack matrix, develop and test hypotheses against known techniques, obtain a broader set of evidence by hunting for adversarial techniques, and increase the efficacy of their threat hunting programs.”
    How The ATT&CK™ Framework Can Mature Your Threat Hunting Program


  • In the eDiscovery realm (which I don’t usually cover), there were a couple of videos people may be interested in. I haven’t watched them through, but Craig Ball and Tom O’Connor talked about forensic examination protocols, and Nuix acquired Ringtail and uploaded a demonstration webinar.
  • On this week’s Digital Forensic Survival Podcast, Michael talked about OfficeMalScanner, which is a useful tool for scanning malicious Office documents
    DFSP # 134 -OfficeMalScanner
  • Scott Piper shared his presentation from IRespondCon titled “Mining CloudTrail logs to uncover and respond to breaches in AWS”
    Check out @0xdabbad00’s Tweet


  • The ASERT team at Arbor Networks provide details about the Bondupdater trojan, which is associated with the OilRig group.
    Tunneling Under the Sands
  • The Microsoft Secure team share details of the integration between o365 applications and “Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior”.
    Office VBA + AMSI: Parting the veil on malicious macros


  • Brett Shavers has added a Patreon page for DFIR Training, which allows you to support the project and also get access to a few extra perks for doing so. A rule I generally go by; If you get value from a project and would be affected if it went away, then I think it’s worth throwing a few dollars at it (if you’re able to of course).
    DFIR Training is on Patreon!
  • Magnet Forensics listed a variety of ways to identify a suitable candidate for the Magnet Forensics Community Award. Also, “Nominators also receive a Magnet Forensics prize pack as a thank-you to taking the time to nominate the winner”; having won a couple of these through a couple of CTFs, they’re pretty good prize packs.
    5 Ways to Identify a Candidate for the Magnet Forensics Community Award
  • Mark Hallman updated the Plaso Cheat Sheet, now at v1.03. Mark let me know that this happened, which is very much appreciated. If you think that I might be missing something, I’m happy to chat about it; it’s entirely possible I’ve missed stuff, it’s also possible that it’s not shared in a way that makes it easy to identify that updates have been made.
    Plaso Cheat Sheet


  • Berla released iVe 2.0.3, which “includes a change for tracklog parsing in some newer Ford SYNC generation 3 systems”
    iVe Software v2.0.3 Release
  • Sanderson Forensics released Forensic Browser for SQLite v3.3.0 to add speech bubbles to reports
    New release 3.3.0
  • TZWorks released their September 2018 build package, adding updates to tac and pescan, as well as a Windows Push Notification database parser, wpn.
    Sep 2018 build (package)

And that’s all for Week 37! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

As always, thanks to everyone for their support!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s