Digital Forensics Round-Up, December 05 2024

A round-up of this week’s digital forensics news and views:


University Receives $1.5 M Grant to Expand Digital Forensic Lab

Harding University in Arkansas is advancing cybersecurity and criminal defense workforce development with a $1.5 million state grant to its digital forensics lab. The funding, along with a donation from LeadsOnline, expands lab staff and cutting-edge forensic equipment, offering students hands-on training in recovering and analyzing digital evidence. Launched in Fall 2024, the lab collaborates with law enforcement, providing critical insights for legal and cybersecurity cases, and is among a few U.S. university labs serving this role. The initiative supports Arkansas’ workforce goals and prepares students for high-demand careers nationwide.

Read More (Forensic Mag)


SOF-ELK®’s Evolution: A Comprehensive Update for Enhanced Digital Forensics

Lewes Technology Consulting has released a major update to SOF-ELK, a free, open-source virtual machine preconfigured with a custom Elastic Stack for forensic and security workflows. The latest version adopts the Elastic Common Schema (ECS), enhancing field consistency for streamlined analysis across tools. It introduces data enrichments like geolocation, network provider lookups, and Community ID hashes for network conversations, alongside interactive dashboards for visualizing large datasets. With extensive parsing capabilities for logs and network data, SOF-ELK simplifies investigations and is widely used in SANS courses, providing a turnkey solution for professionals and students in DFIR and security operations.

Read More (SANS)





iCatch v1.2 is out

iCatch v1.2 introduces key updates, including reported device speed and direction as optional fields, enhanced latitude/longitude accuracy to six decimal places, and microsecond timestamp precision. Other improvements include ordering CSV outputs by timestamp, improved horizontal accuracy to two decimal places, and a redesigned logo. These updates enhance the tool’s precision and usability for investigators. An NW3C webinar on December 12, 2024, will demonstrate how to utilize iCatch for forensic investigations.

Read More (GitHub)


Revolutionizing Mobile Data Collection: Streamline Investigations With Cellebrite Inseyets

Cellebrite’s recent webinar introduced Inseyets for Enterprise, a comprehensive suite designed to streamline mobile data investigations. Featuring tools like UFED for advanced data extraction and the updated Inseyets Physical Analyzer, the platform enables investigators to decode, analyze, and report data efficiently. New features include Streamline automation, quick insights into device data, and full integration with eDiscovery platforms like RelativityOne through Legalview. With capabilities for accessing data from the latest mobile devices, including popular apps like WhatsApp and Telegram, Inseyets revolutionizes workflows, saving time and enhancing investigative precision.

Read More (Forensic Focus)


Mastering Sysmon free DFIR e-book release

The new guide, Mastering Sysmon: Deploying, Configuring, and Fine-Tuning, is now available for free and is tailored for digital forensics and incident response professionals. This step-by-step mini eBook offers practical advice on deploying and configuring Sysmon, fine-tuning logs to focus on critical events, and building a Sysmon configuration file while monitoring performance. Designed for immediate application, the guide equips readers with actionable insights to quickly start logging and analyzing evidence.

Read More (DFIR Insights)


Combating Anti-forensics: Timestomping

Timestomping, a technique used to obscure file metadata and hinder forensic investigations, can complicate timeline reconstruction by altering timestamps such as creation and modification dates. However, forensic tools like Eric Zimmerman’s MFTECmd and NTFS Log Tracker can reveal the original metadata by analyzing NTFS journaling data stored in $MFT, $LogFile, and $J files. These logs preserve crucial information, such as the moment timestomping occurred, and provide access to unaltered timestamps like the EventTime. By leveraging NTFS journaling analysis, investigators can recover critical metadata and mitigate the impact of timestomping.

Read More (Wise Forensics)
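
As an added illustration of the $MFT-level check that tools like MFTECmd surface (this is example code written for this round-up, not code from the Wise Forensics article or from MFTECmd): the $STANDARD_INFORMATION (0x10) timestamps are the ones user-mode APIs can rewrite, while $FILE_NAME (0x30) is written by the kernel, so a file whose $SI creation time predates its $FN creation time, or whose $SI fractional seconds are all zero, is a timestomping lead worth corroborating against $LogFile and $J. The CSV below is constructed sample data in an MFTECmd-style column layout, not output from a real case.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in an MFTECmd-style column layout
# (0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME). Not real case data.
SAMPLE_CSV = """EntryNumber,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
41,report.docx,2024-11-20 09:15:22.1234567,2024-11-21 14:02:10.5550000,2024-11-20 09:15:22.1234567,2024-11-20 09:15:22.1234567
42,svchost.exe,2020-01-01 00:00:00.0000000,2020-01-01 00:00:00.0000000,2024-12-01 03:41:07.8812345,2024-12-01 03:41:07.8812345
43,notes.txt,2024-12-02 11:00:05.0050000,2024-12-02 11:30:41.0070000,2024-12-02 11:00:05.0050000,2024-12-02 11:00:05.0050000
"""


def parse_ts(value):
    # NTFS keeps 100 ns ticks (7 fractional digits); strptime takes at most 6,
    # so drop the last digit. Precision loss here does not affect the checks.
    return datetime.strptime(value[:-1], "%Y-%m-%d %H:%M:%S.%f")


def flag_timestomping(csv_text):
    """Return {FileName: [reasons]} for records whose $SI times look manipulated."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created = parse_ts(row["Created0x10"])
        si_modified = parse_ts(row["LastModified0x10"])
        fn_created = parse_ts(row["Created0x30"])
        reasons = []
        # $FN is set by the kernel and is not reachable through SetFileTime,
        # so an $SI creation time earlier than $FN creation is a strong lead.
        # Caveat: $FN is refreshed on rename/move, so treat this as a lead,
        # not proof, and corroborate with $LogFile / $J as the article describes.
        if si_created < fn_created:
            reasons.append("SI<FN")
        # Tools that accept whole-second input leave the fractional part zeroed,
        # which almost never happens for timestamps written by the filesystem.
        if si_created.microsecond == 0 and si_modified.microsecond == 0:
            reasons.append("uSecZeros")
        if reasons:
            findings[row["FileName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in flag_timestomping(SAMPLE_CSV).items():
        print(f"{name}: {', '.join(why)}")
```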


Puzzle Pieces: RDP Bitmap Cache

RDP Bitmap Cache, a performance optimization feature of Remote Desktop Protocol, can offer valuable forensic insights into threat actor activities by storing fragments of the remote display. While limited by incomplete views and its location on the originating system, the cache can reveal crucial details like GUI content, commands executed, and exfiltration indicators. Investigators can collect cache files using tools like KAPE and extract images with BMC Tools. For analysis, RDP Cache Stitcher aids in reconstructing session fragments to piece together evidence. Despite its limitations, RDP Bitmap Cache can provide critical clues in reconstructing events during forensic investigations.

Read More (The DFIR Journal)


Cloud Digital Forensics and Incident Response — Elastic Kubernetes Service Takeover Leads to Cryptominer Deployment

The fourth article in this series on cloud forensics and threat detection explores a simulated attack on AWS Elastic Kubernetes Service (EKS), demonstrating how a command injection vulnerability in a web application can lead to privilege escalation, Kubernetes API access, and AWS resource compromise. The investigation examines logs from containers, CloudWatch, and CloudTrail to trace the attacker’s activities, including running cryptominers using hijacked credentials. Key detection opportunities include spotting anomalous service account activity, unauthorized AWS API calls, and command injection attempts in application logs, highlighting the importance of robust monitoring and detection in cloud environments.

Read More (Adam Messer, Medium)
