Week 10 – 2019

Lee Whitfield has opened up nominations for the Forensic 4cast awards, held during the SANS DFIR Summit. This site has been nominated as blog of the year the last two years running, and it is greatly appreciated if you could take the time to nominate it again.
Forensic 4:cast Awards 2019 – Nominations are Open

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

  • Lee Whitfield at ‘Forensic 4cast’ has a post on the RecentDocs key and some of the intricacies around its reliability. As a general rule, it’s better to rely on multiple artefacts when drawing a conclusion rather than just the one.
    Updates to the RecentDocs Key in Windows 10
  • Jaco at ‘The Swanepoel Method’ compares Axiom, FTK, and EnCase in their abilities to parse Firefox and Chrome histories. Almost everything appeared fine, except that EnCase hasn’t updated their Firefox support since 2017. Browser forensics can be tricky at best; browsers are updated aggressively, and their release cycles are significantly faster than those of most major tool vendors. Ideally a vendor would highlight the version of the browser found on the system compared to the latest version they support, so that an examiner can see whether they could be missing something, but I have yet to see anyone do this. Instead, you may need to determine the version yourself and then try to identify the latest supported version in the tool’s release notes.
    EnCase you were hoping to parse Firefox
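One way to do that version check yourself, as an added example that is not part of the original post or of any of the tools it mentions: pull the browser version out of the profile artefacts (Firefox’s `compatibility.ini` and Chrome’s `Last Version` file, layout assumed from their usual contents) and compare it with the newest version a tool’s release notes claim to support. The sample file contents and the supported-version strings are constructed placeholders, not real release-note values.

```python
import re
from typing import Tuple

# Constructed sample artefacts, not copied from a real system.
FIREFOX_COMPATIBILITY_INI = """[Compatibility]
LastVersion=65.0.1_20190211233335/20190211233335
LastOSABI=WINNT_x86_64-msvc
"""
CHROME_LAST_VERSION = "72.0.3626.121\n"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '65.0.1' or '72.0.3626.121' into a tuple that compares numerically."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def firefox_version(compat_ini: str) -> Tuple[int, ...]:
    """Read LastVersion from a profile's compatibility.ini.

    Assumed layout: 'LastVersion=<version>_<buildid>/<buildid>'.
    """
    for line in compat_ini.splitlines():
        if line.startswith("LastVersion="):
            return parse_version(line.split("=", 1)[1].split("_", 1)[0])
    raise ValueError("LastVersion not found in compatibility.ini")


def chrome_version(last_version_file: str) -> Tuple[int, ...]:
    """Chrome's 'Last Version' file (assumed) holds only the bare version string."""
    return parse_version(last_version_file)


def outside_tool_coverage(artefact: Tuple[int, ...], supported: str) -> bool:
    """True when the evidence browser is newer than the version the tool documents.

    A True result is the cue to validate the tool's parsing against the
    browser's current on-disk format rather than trusting it blindly.
    """
    return artefact > parse_version(supported)


if __name__ == "__main__":
    ff = firefox_version(FIREFOX_COMPATIBILITY_INI)
    ch = chrome_version(CHROME_LAST_VERSION)
    print("Firefox", ff, "beyond tool support:", outside_tool_coverage(ff, "57.0"))
    print("Chrome", ch, "beyond tool support:", outside_tool_coverage(ch, "72.0.3626.121"))
```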

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • First.Org have announced “The Incident Response Hall of Fame to recognize visionaries, leaders and luminaries who have made significant contributions to the development and advance of global security. Make your nominations by Apr 1, 2019”
    Check out @FIRSTdotOrg’s Tweet
  • SwiftOnSecurity shared an article on digital forensics gone wrong where campus IT appears to have determined that a student was hacking their systems to change her grades. As a result, the student was expelled. The main takeaways are that DFIR is a specialist skill, and just because you have a computer or work in IT doesn’t mean you understand the intricacies of a forensic investigation. Brett Shavers also shared his comments here
    Check out @SwiftOnSecurity’s Tweet!

SOFTWARE UPDATES

  • Kshitij Kumar and Jai Musunuri at CrowdStrike have released “AutoMacTC, an open-source triage collector utility that helps investigators swiftly gather the relevant data, find answers and then eradicate adversaries from their environments.”
    AutoMacTC: Automating Mac Forensic Triage
  • CRU updated their WriteBlocking Validation Utility to v2019.03.06, but I couldn’t find any release notes. For those that aren’t aware, you can run this tool against a hard drive connected to any write blocker to see how it fares against direct write and read commands.
    Download CRU’s WriteBlocking Validation Utility
  • Eric Zimmerman updated EZViewer, TimelineExplorer and MFTECmd, and released a new version of KAPE with a number of new features.
    ChangeLog
  • Evimetry 3.2.0 was released with bug fixes and improvements.
    Release 3.2.0
  • ExifTool 11.31 was released with a number of new tags and bug fixes.
    ExifTool 11.31
  • “A new version of MISP (2.4.103) has been released with significant UI improvements (including a new flexible attribute filtering tool at the event level), many bug fixes and a fix to a security vulnerability (CVE-2019-9482) which was affecting sighting visibility.”
    MISP 2.4.103 released (aka UI improvements)

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
