Creating disk images and virtual hard disks can be super useful for testing, which I’ll demonstrate in a future post (that I’ve mostly written, but needed this one to go out beforehand!).
I wrote this a while back, and have finally gotten around to posting it!
I recently tested the use of Certutil to download a file and looked for the artefacts. I didn’t find much in the DFIR realm about what this might look like on a system, so I thought it best to post it up!
I wanted to take a quick dive into this week’s Sunday Funday challenge but didn’t have a whole lot of time. I basically set a timer for an hour or so at the end of the day, found as much as I could, and then compiled it all today. Gotta set a time limit or else the rabbit-hole never ends 🙂
Oleg has already shared his answer and done a decent amount of work towards answering the questions. I’m not going to be reinventing the wheel a whole lot, just expanding on what has already been found.
(Note: I’m not going to be answering all of the questions)
It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.
There’s less than a week to go, so get your nominations in to show your appreciation!
DFIR Commercial Tool of the Year
- Magnet AXIOM – They made some great strides with adding a variety of artefacts and features. The big thing was the Mac artefacts and the re-done timeline.
- X-Ways Forensics – A powerful forensic suite that has some amazing features.
- Cellebrite UFED – Mainly for adding full file system extractions based on Checkra1n into the hands of all examiners. Previously this level of access was only for LE or jailbroken devices.
- Arsenal Image Mounter – This tool is my current go-to image mounting tool, and the instant virtualisation has been fantastic too.
DFIR Non-commercial Tool of the Year
- KAPE – KAPE in principle is a very simple tool. It collects and parses artefacts based on a series of targets and modules. But the speed and versatility of this tool makes it really awesome. If you haven’t looked at it yet I’d highly recommend it!
- Velociraptor – This open-source agent (and server, and sometimes not an agent; it does a lot) allows for network-wide host-based DFIR collection, analysis, remediation, and monitoring.
- iLEAPP – Alexis Brignoni has done an amazing job combining all the available iOS parsers into an easy-to-use package.
DFIR Show of the Year
- Forensic Lunch – Dave and Matt do a great job every time they run a Forensic Lunch (usually twice a month). They didn’t really run that many so far this year.
- Digital Forensic Survival Podcast – Michael has a show every week without fail. It’s a great resource for examiners to go back to and refresh themselves on the variety of topics that are covered.
- 13cubed by Richard Davis – Well-produced and informative videos.
- I’ll also throw the ‘This Month In 4n6’ monthly podcast in the ring, although it’s not nearly as deserving as the others.
DFIR Blog of the Year
There are so many great blogs, and people who I wish had more time to post more!
- HECFBlog – Dave is a given nomination for blog of the year, even though he only posted for half the year.
- Initialization Vectors – Alexis Brignoni has consistently put out some great research and tools on his blog. If you do mobile forensics you should be reading this.
- The Binary Hick – Josh Hickman puts a considerable amount of effort into every post that he does, as well as putting out well-documented Android dumps for people to play with.
- Elcomsoft – Oleg and Vladimir regularly put out some great content, primarily focusing on mobile devices and encryption.
DFIR Book of the Year
- Good question! I don’t actually have a nomination for this one.
DFIR Article of the Year
DFIR Social Media Contributor of the Year
DFIR Degree Program or Training Class of the Year
- I’m biased as I’m on my way to being a FOR500 instructor. So I’ll say the FOR500 class!
- We also saw the debut of the FOR498 class which I’ve heard great things about.
DFIR Groundbreaking Research of the Year
- Sysdiagnose – The research conducted by Mattia Epifani, Heather Mahalik, and Cheeky4n6Monkey.
- Checkm8 – The discovery of the Checkm8 vulnerability by axi0mX has enabled an amazing advance in mobile iOS forensics. Whilst previously the ability to obtain a full file system extraction was limited to jailbreaking or LE-only tools, now this level of access is afforded to everyone.
- Analysis of the Amcache – Blanche Lagny put out a very comprehensive paper about the Amcache that’s well worth a read.
- BlackBag’s work on acquiring physical images from Macs with T2 chips.
DFIR Newcomer of the Year
DFIR Resource of the Year
These all go without saying. If you don’t go to any of these sites you’re missing out on valuable information.
DFIR Team of the Year
- My team! Klein and co.
- The SANS DFIR team.
Yes I’m biased.
Digital Forensic Investigator of the Year
Usually I put multiple people here. I’m just putting one this time. Not because there aren’t others that are deserving; I just know that he qualifies as an investigator, and does a ridiculous amount to help others, particularly in the mobile forensics space.
There are plenty of others in every category, and if you believe that someone should be nominated, then definitely go ahead and nominate them.
Coming soon to a town near
DFRWS is expanding into APAC this year, with an inaugural event in Sydney to correspond with the IAFS conference.
I’m Workshop Co-Chair along with Matthew Simon, so if you have some interesting ideas for workshops let me know soon.
If you want to submit a research paper or presentation you have until January 31, 2020 to submit an abstract or workshop.
I was recently reviewing some event logs on a Windows server and noticed a few items that I hadn’t seen before. These events related to AppLocker, which was released a long time ago, but I hadn’t really seen much about it in the forensic analysis space. This post will cover a brief intro to setting up AppLocker, some resources for configuration, and some event logs that you should probably keep an eye out for.
TLDR: Turn on AppLocker on servers you own (workstations too if your users won’t kill you). Also look out for AppLocker events during your event log analysis!
Special thanks to Troy Larson for helping me out with this research.
Did you know Velociraptors were about the size of a chicken and had feathers? Apparently the latter was only discovered in 2007 according to this site, so we’ll give Jurassic Park a pass for now.
Anyways, I wanted to have a play with Velociraptor and put together some instructions on how to spin it up in AWS and connect it to a Google Domain, so I grabbed the official documentation and worked through it.
I had a need to identify the MAC address of a computer from an image (actually a whole bunch of images) recently and went looking through the registry to try to solve my problem. Who doesn’t love a bit of registry analysis, and of course Eric’s tools come to the rescue yet again for this kind of hunting. Also, side note: you should support Eric’s tool-making.
The makers of the Deepspar Disk Imager recently jumped into the write blocker scene with their Guardonix USB write blocker. They asked me for my opinion and (full disclosure) sent me out a test unit to play with.
I recently had the opportunity to take the AX200 Magnet AXIOM Examinations class (On-Demand) and wanted to share my experience for those thinking about taking the class.
Full disclosure: I did get access to this course for free from Magnet in exchange for feedback, but they didn’t ask me to write this post in return.
Whether On-Demand works for you or not is really personal preference; some people like that they can work through it at their own pace and repeat sections as required. My preference would have been to take the class in person as I feel like you get a better experience in the class, not to mention you can focus on the task at hand. Unfortunately I missed my opportunity as the class was run nearby when I was overseas.