Week 17 – 2019

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!


  • Mark Lohrum at ‘Free Android Forensics’ gives a Marvel-themed overview of Magnet’s recently released App Simulator
    Magnet Forensics App Simulator 
  • Howard Oakley at ‘The Eclectic Light Company’ describes the quarantine extended attribute (xattr) on macOS, which can be useful in DFIR investigations
    🎗 Quarantine: Documents 
  • Maxim Suhanov has identified that in the latest beta of Win10, users can create drives with very large cluster sizes. According to Maxim, many tools will be unable to deal with this at this time
    NTFS: large clusters 


  • Mor Levi at Cybereason looks at how to threat hunt using different techniques including IOCs, research reports, Google dork queries, MITRE ATT&CK, and intelligence from previous incidents.
    How to Generate a Hypothesis for a Threat Hunt 



  • Blackbag Technologies have uploaded a short video on where the “Last Executed” tab in Blacklight gets some of its data
  • On this week’s Digital Forensic Survival Podcast, Michael talks about the svchost process, which is commonly targeted by malicious actors
    DFSP # 166 – SVCHOST Abuse 
  • Mark Scanlon shared the presentation that he gave with Taj Atwal and Nhien-An Le-Khac at DFRWS EU on macOS Spotlight
    Check out @mrkscn’s Tweet 
  • Richard Davis at 13Cubed has uploaded a video on building his DFIR home lab
    DFIR Home Labs 
  • The presentations from Troopers19 were released


  • On Objective-See’s Blog, Patrick Wardle looks at Mac adware that may be related to Pirrit.
    Mac Adware, à la Python 


  • Jean-Philippe shares a repository to “archive associations between Apple Team Identifiers, Bundle Identifiers and domain names”
    Check out @Jipe_’s Tweet 
  • Matthew Green describes the “practical new features implemented in a recent refactor of Invoke-LiveResponse”
    Live Response Script Builder 
  • Yulia Samoteykina at Atola describes the multi-pass imaging functionality of the Atola products. The demonstration is of the TaskForce; however, this works on the Insight as well.
    Multi-pass imaging of damaged drives


  • Autopsy 4.11.0 was released with a variety of new features and bug fixes
    Autopsy 4.11.0 
  • Binalyze IREC version 1.8.0 was released with a number of new features and bug fixes
    Version 1.8.0 
  • DVR Examiner version 2.6.1 was released 
  • Eric Zimmerman updated KAPE to v0.8.3.1 
  • ExifTool 11.38 was released with new tags and bug fixes
    ExifTool 11.38 
  • “A new version of MISP (2.4.106) has been released with a host of improvements, including new features such as a feed cache search, CLI tools to manage your MISP instance along with improved diagnostics.”
    MISP 2.4.106 released (aka Too many improvements) 

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
