Week 44 – 2019

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, Thanks to those who give a little back for their support!


  • Alexis Brignoni at ‘Initialization Vectors’ examines the database on Android that stores app/widget/folder icons and positioning, as well as sharing a script to take the hard work out of decoding the data.
    Recreate Android apps, folders, and widget positions from a forensic extraction.

  • Lucy Carey-Shields at Amped discusses an amazing feature of Authenticate that allows an examiner to compare reference images taken on a device and determine a probability as to whether another image was captured with the same camera. I’ve seen something similar in another tool before and it was pretty cool; we were able to take photographs on two separate iPhones, and using this method of comparison could determine which photographs (to a degree of certainty) came from which camera (based on knowing where the reference set came from).
    The Power of Amped Authenticate for Investigating CSE Cases

  • There’s a post on Cyber Triage about the importance of checking, during an investigation, whether an attacker has modified system configuration settings.
    How to Detect System Configuration Changes – Intro to Incident Response Triage (Part 9) in 2019

  • Ian Whiffin has started a blog and shares some interesting research
    • The first goes into detail about the KnowledgeC database, as well as various other useful databases located on iOS
      KnowledgeC (and Friends)
    • Ian next walks through the structure of a plist and the various data structures that comprise them
      PList Decoding
    • And lastly, Ian decodes a “plist” file used to store Snapchat data; however, whilst the extension is plist, the file is actually a completely different format
      SnapChat PList (chatConversationStore.plist)

  • Chad Tilbury at SANS has a post on acquiring data from cloud storage that is located on an endpoint. Chad will be hosting a webcast on the topic on December 3rd, 2019 at 3:30 PM EST (20:30:00 UTC).
    “Cloud Storage Acquisition from Endpoint Devices”

  • Yogesh Khatri at ‘Swift Forensics’ describes the recent volume changes in MacOS Catalina (which caused me no end of grief this week when the update resulted in logins failing and me having to wipe the system and start again!)
    macOS 10.15 Volumes & Firmlink magic







And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!
