Week 45 – 2018







  • Barnaby Skeggs at B2Dfir shares “an Excel incident management and documentation workbook”
    Free Incident Response Management and Documentation Workbook

  • Craig Ball advises how to use Apple’s Takeout feature to download your data.
    Cloud Takeouts: Can I Get That to Go?

  • Matt at ‘Bit of Hex’ has written a list of questions that may come up in an interview for an LE DF position as well as the points that he would want covered.
    Digital Forensics Interviews: Law Enforcement Edition

  • Ariel Watson at Cellebrite has a post about the overwhelming amount of digital data facing law enforcement and, not to be critical, serves to be an advertisement for their Digital Intelligence Platform. I don’t usually share posts like this but I wanted to talk about a couple of things; the first being that vendors will need to work on speeding up existing processes to get to answers faster, which they may read as implementing AI or other features to assist in review, but they should also be looking at speeding up acquisition times and reducing the amount of interaction required that may halt processing. Using an iOS acquisition in UFED PA as an example, after acquisition completes you still have to process the dump and export the report (which requires user interaction in the middle to go from acquisition to UFDR). All time-intensive processes, especially for larger devices, and generally if things like this can be improved it would assist LE in getting through the massive amounts of data. The other thing I wanted to mention was that any way of processing extractions with multiple tools, supported by vendors, would be greatly appreciated in assisting get the most out of the data (on the speed front, by being able to do it all automatically, examiners would save time with configuration and be able to set and forget overnight). This is not to be critical of Cellebrite or other vendors, I understand that they are in a competitive industry with limited resources and features sell product, just my personal perspective as someone trying to get as much useful data out of the mountain of devices as I can with the time afforded.
    Law Enforcement Overwhelmed by Digital Data

  • Christine McGarry has shared her thoughts on preparing for a CTF
    From Novice to Apprentice: How to Start Participating in Capture the Flag Events

  • There were a few posts on the Computer Forensics World blog this week
  • Cyber Forensicator have advised that Andrea Fortuna is selling a copy of his FOR508 index on Amazon, titled “The Little Handbook of Windows Forensics”.
    The Little Handbook of Windows Forensics

  • Brian Carrier and Chris Ray at Cyber Triage describe the technique that they use to push their collection agent to a host without leaving admin credentials on the endpoint. As a side note, Chad Tilbury did a great presentation on credentials and how the keys to the kingdom may accidentally end up on an endpoint at the SANS DFIR Summit 2017.
    Robust Use of PsExec That Doesn’t Reveal Password Hashes

  • There were a couple of posts on Forensic Focus this week
  • Griffeye shared an article from Police Tech Pioneers, “that looks at how new technology startups are set to transform policing was released”
    New report lists most promising police tech companies

  • Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
    • This week’s Sunday Funday covers cutting and pasting across NTFS volumes. I submitted an answer again this week, and it can be found here. I didn’t find anything unsurprising really, outside of he rounding in FTK Imager was slightly different to AnalyzeMFT/MFTECmd.
      Daily Blog #528: Sunday Funday 11/4/18
    • He comments on the general misinterpretation of the timestamp in the shimcache.
      Daily Blog #529: Human Bias and Shimcache
    • Dave advises that he is teaching FOR500 at the SANS CTI Summit in January 2019
      Daily Blog #530: Teaching SANS Windows Forensics in the USA
    • Dave is writing a new book, and pushing chapters out as they are done. This looks like a really interesting idea and I look forward to seeing it in action.
      Daily Blog #531: DFIR In Depth: Windows Forensics
    • He’s also listed the reasons why he’s going the self-publishing route. Based on a few conversations with people, I’m not really sure there’s a good enough incentive any more to go with a publisher. Since we’re in a niche industry, then word of mouth and the author’s profile will probably be enough to sell the book. The book may not end up in stores but then Amazon’s made sure that isn’t so much a problem. On the positive side, the author has more control, makes more money, and can update/release new editions as they see fit.  
      Daily Blog #532: Why self publish?
    • And shares the initial outline of the new book
      Daily Blog #533: Windows Forensics DFIR InDepth proposed outline

  • MediaClone have released a new Supercopier Desktop 8 Nvme Ports Drive Duplicator and SuperImager Plus 8″ NVMe + SATA Forensic Field unit

  • MobilEdit have uploaded a database of all of the apps that they support, per platform, and the type of data obtained
    Database of supported apps now online!


And that’s all for Week 45! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

As always, thanks to those who give a little back for their support!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s