Every year around this time, we get to submit nominations for our favorite tools and people in the DFIR industry for the Forensic 4:cast awards. I really like these awards because they’re the closest thing we have to peer- or examiner-focused awards. You might consider them the people’s choice awards for digital forensics. There are two steps to the process: nominations and voting. Currently, nominations allow us to select our favorites for any of the categories and write in why we chose to nominate them (the full list of categories and rules can be found here).
Once nominations are finished, Lee Whitfield picks the top three nominations for each category and everyone gets the chance to vote for their favorite. Here at Magnet Forensics, a few of our examiners always pick a few of our favorites and write a blog post about our reasons why. I avoid reading or discussing the picks of my colleagues before making my choices because I don’t want them to influence me (after writing this, apparently Jessica and I were on the same page for a lot of things; anyway, here’s my list):
DFIR Groundbreaking Research of the Year
Given that my vote last year for this category went to the exploitation work done by Grayshift and their GrayKey tool, which opened up a whole new world in how we do iOS investigations, it’s no surprise that my vote this year goes to the checkm8 exploit developed by @axi0mX. This bootrom exploit has allowed anyone to access any iOS device up to the A11 chipset (iPhone X) and has set the groundwork for other tools to build exploits and extraction methods on top of it to gain access to the most valuable data stored on iOS devices. This will enable anyone to conduct research on iOS data that otherwise might have been restricted before. I don’t think there’s been a breakthrough that has benefited the DFIR community as much as this exploit did in 2019.
DFIR Article of the Year
This year I’ve chosen to nominate Bradley Schatz’s article “AFF4-L: A Scalable Open Logical Evidence Container”. AFF4 as a forensic image format has been around for several years (since 2009) and is starting to pick up traction in forensic tools because of its well-defined and well-thought-out structure, which balances evidence integrity, performance, and storage use. Dr. Schatz has expanded his work on AFF4 to include the AFF4-L format for logical containers.
The AFF4-L image format for logical containers is needed even more in our industry today, as physical images are, more often than not, becoming less and less relevant. Mobile acquisitions, remote computer collections, and cloud sources almost always output logical data, and it is not efficient (or sometimes even possible) to obtain a physical drive or full volume from those sources. Existing logical evidence formats don’t accommodate these needs, and anyone interested in the future of how to handle digital evidence from these important sources needs to read the article.
DFIR Resource of the Year
This past year, I’ve become quite fond of the 13Cubed videos published on YouTube: a ton of great, quick videos covering various topics in DFIR and some security in general. I’ve done quite a few how-to videos in my years here at Magnet Forensics and can attest to how challenging a good video can be. These videos are always clear, straightforward, and, most of all, easy to follow for new and experienced examiners alike. Many of the videos are on topics I’ve always been interested in but never had a chance to dive into myself, or on topics I’ve spent years investigating and just want a quick refresher on to catch anything new or anything I might have missed. All the videos strike a good balance between length and detail, which isn’t always easy to do.