It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.
Lee changed things up a little bit this year, meaning that you have to provide a reason for your nomination. I think this is a good change and hopefully it will flow into the voting process, encouraging people to explain what they have done in the year for you to win their vote.
DFIR Commercial Tool of the Year
- Cellebrite UFED – Overall the breadth of acquisitions available by Cellebrite has meant that it’s a great tool to go in the kit if you see a lot of different phones. I also particularly like UFED Reader to provide results to case agents so they can produce subset reports specifically to their liking rather than deciding for them. Mobile forensics is constantly evolving so it’s good to see that there are monthly updates to the tools.
- Magnet AXIOM – I use this (or IEF) on almost every case. As above, they have the ability to export the data into a portable case and have monthly updates. AXIOM excels in the fact that it can be used to cover a variety of device types (computer, mobile, cloud), and has very responsive support. I used it to get a lot of answers in three CTFs and two Netwars so there’s that too.
- Blackbag Blacklight – This was the first tool to be released with native APFS support (on both Mac and Windows). It was also the only tool available for a while, but since then there’s been a number of options for examining APFS file systems.
- X-Ways – Consistently a great forensics tool that is lightning quick and very inexpensive. I’ve often used X-Ways to report on data that has been exported from other tools that only get me partway.
DFIR Non-commercial Tool of the Year
- APOLLO – Sarah released this framework last year to combine all of her research on the various databases made available in a full file system acquisition of an iPhone. If you have access to a full file system dump of an iPhone I would highly recommend having a play with this tool.
- Eric’s toolkit also warrants recognition, although it’s hard to pick just one (this year at least, KAPE next year for sure)
DFIR Show of the Year
- Forensic Lunch – Dave and Matt do a great job every time they run a Forensic Lunch (usually twice a month).
- Digital Forensic Survival Podcast – Michael has a show every week without fail. It’s a great resource for examiners to go back to and refresh themselves on the variety of topics that are covered.
- 13Cubed by Richard Davis – Richard regularly produces high quality, informative videos on a variety of digital forensics topics
- I’ll also throw the ‘This Month In 4n6‘ monthly podcast in the ring, although it’s not nearly as deserving as the others.
DFIR Blog of the Year
- This Week in 4n6 – There is some contention whether my site belong in Blog or Resource (as it’s both), but I figure asking for the nomination here as well helps my chances!
- HECF Blog – Dave Cowen came back to daily blogging last year and I’m truely amazed at the breadth of his knowledge. If you aren’t following Dave’s testing and commentary you’re missing out!
- Initialization Vectors by Alexis Brignoni – Alexis mainly focuses on mobile forensics but is really pushing out a lot of great work, and demonstrating that amount of data you can uncover by going beyond the tools.
DFIR Book of the Year
- SQLite Forensics – Paul Sanderson released his text on understanding SQLite. Considering how prolific SQLite databases are this is a book to read.
- Investigating Windows Systems – Harlan Carvey has written a number of books however this one follows a slightly different track, focusing on how Harlan would go about achieving his analysis goals on a variety of cases.
DFIR Article of the Year
- I found this article by Sarah Edwards really insightful. And I appreciate her patience when I excitedly tell her what I found, and then go back and read her research and found she posted about it years ago…
- Jon Poling’s article on endpoint event log tracking of RDP events is also a great reference for remote desktop events.
DFIR Social Media Contributor of the Year
DFIR Degree Program or Training Class of the Year
- I’m biased as I’m slowly working towards being a FOR500 instructor. So I’ll say the FOR500 class!
Most Valuable Threat Intel Contribution
- I don’t recall what my actual nomination was, but I think the work that Dave, Maxim, and Eric did on the Syscache and CTI database is worth nominating. That being said, I need to revisit it to get my head around their findings.
- The documentation of the BAM/DAM keys for process execution by Kasasagi. New process execution artefacts are always exciting!
DFIR Groundbreaking Research of the Year
- The release of the APFS fork of The Sleuth Kit by Blackbag Technologies. Blackbag implemented their APFS parsing without a formal specification from Apple, and according to Dr Joe were 95% right, so that’s pretty cool. By providing this support back to the community it can be utilised by all.
- Similary, Grayshift came onto the scene with a bang last year, and it’s probably safe to say that they provided a capability to law enforcement that helped a lot of victims. I saw a demonstration of the device at last years Techno Security and it is designed to brute force and perform a full file system acquisition of supported iOS devices (according to the research you can get a lot more from a full file system than an advanced logical). Whether they’ll keep up with the cat and mouse game remains to be seen as Apple is constantly updating the security of their products.
DFIR Newcomer of the Year
- Mike Cary started sharing some great stuff last year and I’m looking forward to what else he can put out there.
- Justin Boncaldo also wrote quite a few informative posts and will be someone to follow in the future
DFIR Resource of the Year
These all go without saying. If you don’t go to any of these sites you’re missing out on valuable information
DFIR Team of the Year
- As there is no longer an ‘Organisation of the Year’ category, I nominated Magnet Forensics for all of the content that they produce throughout the year.
Digital Forensic Investigator of the Year
This is always an interesting category because I can’t say I’ve seen any of the people I’m nominating in an investigation capacity. But they all are well deserving for their contributions last year (and forthcoming contributions because they seemingly can’t help themselves drag us all forward one post/webinar/presentation/tool/video/competition/ctf at a time!)
And that’s it. I’m pre-emptively starting next years nominations so I can keep a better idea on stuff, but thankfully I have this handy record of everything I’ve read so I can go back and see what’s been posted 🙂
You can post your nominations here!