A round-up of this week’s digital forensics news and views:
Essential Certifications for Digital Forensics
Despite being labeled as ‘entry level,’ Digital Forensics positions often demand extensive certifications, with over thirty options available. A job seeker analyzed over fifty job listings to identify the most sought-after certifications, revealing the GIAC Certified Forensic Analyst (GCFA) as the top choice, followed by general GIAC certifications and the GIAC Reverse Engineering Malware (GREM). The analysis also highlighted the financial burden of certifications, with GIAC options costing $975 each, compared to more affordable alternatives like the Cisco Certified Network Analyst (CCNA) at $300. The choice of certification ultimately depends on the job seeker’s background and career goals, underscoring the need for careful decision-making in this costly and competitive field.
Read More (Eliora Horst, LinkedIn)
Book Your Place At The Refuge Tech Safety Summit 2024
Refuge, a domestic abuse charity, is set to host its first Tech Safety Summit in September, a two-day virtual event aimed at tackling the growing issue of technology-facilitated domestic abuse. Known as ‘tech abuse,’ this form of abuse includes the misuse of technology such as stalkerware, AI, and smart home devices to harass, stalk, or control victims. Refuge, which established a specialist service in 2017, has seen a 258% increase in such cases since 2018. The summit will feature experts from various sectors, including the Domestic Abuse Commissioner, technology companies, and cybersecurity specialists, aiming to raise awareness and collaborate on solutions to eradicate tech-facilitated abuse.
Radoslav Gadzhovski announces TRACE (Toolkit for Retrieval and Analysis of Cyber Evidence)
TRACE, or the Toolkit for Retrieval and Analysis of Cyber Evidence, offers an intuitive interface designed to help forensic examiners analyze disk images, supporting a variety of image file formats. TRACE includes a comprehensive suite of functionalities that streamline the extraction and viewing of digital evidence, making it a valuable asset in forensic investigations.
Read More (Radoslav Gadzhovski, GitHub)
The UN finally advances a convention on cybercrime . . . and no one is happy about it
The UN’s new draft convention on cybercrime, if adopted, would become the first global treaty of its kind, but critics warn it poses serious risks to human rights, cybersecurity, and national security. Championed by Russia and its allies, the convention’s broad scope includes compelling states to share data on any serious crime involving technology, which could enable authoritarian regimes to misuse these powers for surveillance and repression. Rights groups and tech experts, including Microsoft, argue that the treaty’s vague safeguards and expansive reach could undermine global cybersecurity and legitimize invasive state practices.
UFADE (Universal Forensic Apple Device Extractor) v0.9.1 from Christian Peter now available
The latest version of UFADE (Universal Forensic Apple Device Extractor) v0.9.1 by Christian Peter has been released, featuring the newest pymobiledevice3 version with support for legacy Apple devices running iOS/tvOS versions below 9 and initial support for AppleTV devices. The update also addresses zip-compatibility by adjusting timestamps before 1980 when pulling data via afc, along with minor bug fixes.
Read More (Christian Peter, GitHub)
Secure by Design: iOS 18’s privacy evolution and its impact on the DFIR
With the upcoming release of iOS 18, Apple introduces a suite of new privacy features, including locked and hidden apps, granular contact sharing, a dedicated Passwords app, and advanced on-device processing, all of which pose significant challenges for digital forensics and incident response (DFIR) professionals. These enhancements create additional barriers for accessing critical evidence, such as new authentication layers, encrypted storage, and data processed privately in the cloud, requiring updated tools and strategies to navigate this evolving landscape. DFIR experts must now focus on advanced extraction techniques, real-time analysis, and legal avenues to access data while ensuring adherence to evolving privacy regulations and ethical considerations.
Exploring Windows Artifacts: Notepad Files
AbdulRhman Alfaifi’s blog post explores a newly identified artifact in Windows 11 related to Notepad’s TabState files, which store valuable forensic information about both saved and unsaved data. Located in the LocalState directory, these files include paths, content, and other metadata, structured with unique elements like UTF-16LE encoding and uLEB128 encoding for file sizes and timestamps. Through a combination of hex editing and reverse engineering tools like Ghidra and x64dbg, Alfaifi uncovers the intricacies of TabState data, revealing potential insights for forensic investigators, including file paths, content, unsaved data indicators, and various flags—all protected by CRC32 checksums to ensure data integrity.
Read More (AbdulRhman Alfaifi)
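As an added example (not Alfaifi's code, and not the real TabState layout, which his post documents): decoding the uLEB128 varints and UTF-16LE strings the format uses and checking a trailing CRC32 before trusting the parsed fields. The record layout (path, then content, then CRC32) is a constructed assumption for illustration only.

```python
import struct
import zlib


def read_uleb128(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b & 0x80 == 0:          # high bit clear: this was the last byte
            return result, pos
        shift += 7
        if shift > 63:             # refuse runaway varints in corrupted files
            raise ValueError("uLEB128 varint too long")


def write_uleb128(value: int) -> bytes:
    """Encode a non-negative int as uLEB128 (used here to build sample data)."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def build_record(path: str, content: str) -> bytes:
    """Constructed sample layout (assumption, not the real TabState structure):
    uLEB128 path length in UTF-16 code units, path as UTF-16LE,
    uLEB128 content length, content as UTF-16LE, CRC32 (LE) over the body."""
    p, c = path.encode("utf-16-le"), content.encode("utf-16-le")
    body = write_uleb128(len(p) // 2) + p + write_uleb128(len(c) // 2) + c
    return body + struct.pack("<I", zlib.crc32(body))


def parse_record(buf: bytes) -> dict:
    """Verify the CRC32 first, then walk the varint-prefixed UTF-16LE fields."""
    body, stored = buf[:-4], struct.unpack("<I", buf[-4:])[0]
    if zlib.crc32(body) != stored:
        raise ValueError("CRC32 mismatch: record truncated or modified")
    fields, pos = [], 0
    for _ in range(2):
        n, pos = read_uleb128(body, pos)
        fields.append(body[pos:pos + 2 * n].decode("utf-16-le"))
        pos += 2 * n
    return {"path": fields[0], "content": fields[1]}
```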
BlackSuit Ransomware – A detailed account of a sophisticated Cobalt Strike intrusion from The DFIR Report
In December 2023, a cyber intrusion was detected that began with the execution of a Cobalt Strike beacon and culminated in the deployment of BlackSuit ransomware. The threat actor used a variety of tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, alongside built-in system tools, with command and control traffic routed through CloudFlare to obscure their Cobalt Strike server. Fifteen days post-initial access, the BlackSuit ransomware was deployed via SMB to admin shares and executed through RDP sessions, prompting The DFIR Report to add three new rules to its private ruleset.
Read More (The DFIR Report)
LSU Computer Science PhD Student Wins Pair of Best Paper Awards
LSU Computer Science Ph.D. student Taha Gharaibeh, from Irbid, Jordan, won two Best Paper awards this summer at the DFRWS USA 2024 Conference and the ARES Conference in Vienna, Austria. His DFRWS-winning paper, co-authored with LSU faculty Ibrahim Baggili and Nash Mahmoud, introduced the FAME framework to enhance memory forensics with Volatility without altering its source code. At ARES, his award-winning paper, co-authored with Baggili, Elias Bou-Harb, Steven Seiden, and Cisco’s Mohamed Abouelsaoud, detailed automated methods for investigating the state of containers. Gharaibeh’s advisor, Baggili, praised his perseverance and determination, noting that these awards highlight the value of resilience in research.