In this series, a few forensics experts within Magnet Forensics are sharing their suggestions for nominations in this year’s Forensic 4:cast Awards. In this fourth (and final) installment, Trey Amick, Forensics Consultant, highlights people in the DFIR community who are making valuable contributions. You can submit your nominations (including Magnet AXIOM for DFIR Commercial Tool of the Year and MAGNET App Simulator for DFIR Non-Commercial Tool of the Year) here. You can also catch up on the other installments here: Part 1, Part 2, Part 3.
Since 2009, Lee Whitfield has organized, promoted, and published the annual Forensic 4:cast Awards. Lee does this as a community event with both a nomination and a voting phase. During the nomination phase, you can nominate as many tools, projects, and people as you want for each category. The rules and list of categories can be found here.
Below I've highlighted a couple of categories. My colleagues shared their nominations in previous posts: Tarah Melton offered her picks in Part 3, Jamie McQuaid gave his insights in Part 2, and Jessica Hyde kicked off our Forensic 4:cast series with her picks in Part 1, so if you haven't seen those articles, take a look. These are my personal opinions, not the official opinions of Magnet Forensics.
DFIR Groundbreaking Research of the Year
As soon as I read "Groundbreaking Research" I knew who I wanted to nominate for this category: Grayshift, makers of GrayKey. For years, forensicators have struggled with iOS investigations because of the limited access Apple allows in most circumstances. Investigators working iOS cases, particularly in law enforcement, got quite a surprise last year when this new technology was announced, offering both file-system-level acquisitions and passcode cracking. For the first time in years, law enforcement investigators have a tool, backed by impressive research, that provides a new avenue for gaining access to information that can be invaluable in an investigation.
In the year since GrayKey was released, I've heard countless stories from my brothers and sisters in blue where the data acquired has been the difference between closing a case and leaving it open with little hope of being solved. Grayshift has changed many departments' iOS processing procedures over the last year, based on the research that made possible a collection far beyond the logical (iTunes-style) backups that forensic professionals were limited to in years past.
DFIR Blog of the Year
Since my last nomination revolved around research on iOS security, my next pick continues the trend: for DFIR Blog of the Year I would like to nominate Sarah Edwards (@iamevltwin). Sarah consistently provides valuable research and tools for the DFIR community on her website, http://www.mac4n6.com. The site is packed with great macOS and iOS forensics blog posts and also links to the various presentations Sarah has given. Sarah is also the brains behind the popular SANS Mac Forensic Analysis class, FOR518.
Sarah released the Apple Pattern of Life Lazy Output'er (APOLLO) project in early November at the Objective by the Sea conference, with many updates since in the form of her blog series. APOLLO is a Python tool whose modules, as they are called on the blog, are SQL queries run against the various databases found on iOS and macOS systems, with the results merged into a single pattern-of-life view. Since November of 2018, http://www.mac4n6.com has seen consistent updates to the research and modules behind APOLLO, which is a fantastic resource for the DFIR community. If you haven't yet, make sure you bookmark Sarah's blog!
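To make the module-driven idea concrete, here is an added example in the spirit of APOLLO. It is not APOLLO's own code, and its module format is a simplified stand-in rather than APOLLO's real one: each module pairs a name with a SQL query, the queries are run against an SQLite database, Apple's Cocoa (Mac Absolute Time) timestamps are normalised to UTC, and everything is merged into one sorted timeline. The database, table names and rows are constructed for this example; real iOS and macOS databases have their own schemas.

```python
"""Added example: a minimal module-driven SQLite timeline builder in the
spirit of pattern-of-life analysis. Not APOLLO's code or module format.
The schema and rows in make_sample_db() are constructed for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple "Cocoa" / Mac Absolute Time counts seconds from 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
NANOSECOND_THRESHOLD = 1e11  # values this large are taken to be nanoseconds


def cocoa_to_datetime(value):
    """Convert a Cocoa timestamp (seconds, or nanoseconds for some newer
    databases) to a timezone-aware UTC datetime. None passes through."""
    if value is None:
        return None
    if value > NANOSECOND_THRESHOLD:
        value = value / 1e9
    return COCOA_EPOCH + timedelta(seconds=value)


# Hypothetical modules: a name plus a query returning (timestamp, activity).
# Table names are constructed for this example.
MODULES = [
    {"name": "app_usage",
     "sql": "SELECT start_ts, 'App launched: ' || bundle_id FROM app_usage"},
    {"name": "location",
     "sql": "SELECT ts, 'Location fix at ' || lat || ',' || lon FROM location_log"},
    # A module whose table does not exist, to show that it is skipped.
    {"name": "missing",
     "sql": "SELECT ts, note FROM table_not_present_on_this_version"},
]


def build_timeline(conn, modules=MODULES):
    """Run every module against the open connection and return a list of
    (iso_utc_timestamp, module_name, activity) sorted by time. Modules whose
    tables are absent (e.g. a different OS version) are skipped, not fatal."""
    events = []
    for mod in modules:
        try:
            rows = conn.execute(mod["sql"]).fetchall()
        except sqlite3.OperationalError:
            continue  # "no such table": skip this module and keep going
        for ts, activity in rows:
            when = cocoa_to_datetime(ts)
            if when is None:
                continue  # rows without a usable timestamp add no timeline value
            events.append((when, mod["name"], activity))
    events.sort(key=lambda e: e[0])
    return [(when.isoformat(), name, activity) for when, name, activity in events]


def make_sample_db():
    """Constructed in-memory database standing in for an acquired artifact."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_usage(start_ts REAL, bundle_id TEXT);
        CREATE TABLE location_log(ts REAL, lat REAL, lon REAL);
        INSERT INTO app_usage VALUES (600000120.0, 'com.example.maps');
        INSERT INTO location_log VALUES (600000060.0, 40.7128, -74.006);
        INSERT INTO app_usage VALUES (600000000.0, 'com.example.messages');
        INSERT INTO app_usage VALUES (NULL, 'com.example.notime');
    """)
    return conn


if __name__ == "__main__":
    for ts, module, activity in build_timeline(make_sample_db()):
        print(ts, module, activity)
```

Two points matter in practice: a missing table must not abort the whole run, because the same module set is reused across OS versions, and timestamp normalisation has to be explicit, since mixing raw Cocoa seconds with Unix epoch values silently produces a timeline that is off by 31 years.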
There has been tremendous work done by so many researchers in the DFIR community over the last year, and while I've only named a couple here, make sure to vote for as many nominees as you can in this year's Forensic 4:cast Awards. As I mentioned earlier, you can nominate as many individuals, projects, and tools as you want!