Sunday, August 6, 2017

Caught red-handed: if plagiarism is bad, denying it is worse

On September 5th 2015, I published on this blog an article titled  Windows Phone 7.8 Forensics.
It was about the analysis of a Nokia Lumia 800 mobile device. This is the tweet related to it:

On July 29th 2017, I found out about an article that had been published a few days before. The article is titled Windows Phone Forensics and was written by a guy named Hashim Shaikh at Infosec Institute. Unfortunately his article contains an unauthorized reproduction of my article and I wasn't even given credit for the research.


I immediately tried to leave a comment by going through Disqus. My comment has never been approved and is still pending.

I then tried to make Infosec Institute aware of it with a tweet. Till now there's been no answer from them.

"Please remove it" seems to me a straightforward, simple and clear request. Apparently it's not.

Since there was no reaction at all from Infosec Institute, I posted another tweet. I'm very grateful to all the people who have decided to read, comment and retweet my message. What has happened to me could have happened and could happen to anybody else.

Actually it seems that Infosec Institute is not new in plagiarizing other people's work according to

On August 4th 2017 in the morning (Italian time) I posted a similar message on Linkedin in which I mentioned both Infosec Institute and Hashim Shaikhthen. After a short while I received an invitation from the guy.

I decided not to accept his invitation and made him aware of that by posting a public comment. In my opinion a public issue has to be solved publicly. There's no room for private messages. Not after all this silence.

I  soon received a surreal comment from him that he deleted later. Deleting evidence is never a smart move.

Luckily I took a screenshot. It's so funny if you think about it: I'm fighting copy&paste with another copy&paste! Here below you can read his reply.

Wtf?! As you may imagine this was my reaction:


Treating honest researchers as morons doesn't sound a clever move to me. Moreover, deleting a public message where you admit the truth and still deny part of it appears to be an even worse behavior. At Infosec Institute, have you ever heard the words "apology" and "ethics"?  

As a general reminder: research is the desire to understand, learn and share. It takes a lot of effort in terms of time and money. Just because this is a freely available blog doesn't mean you can grab content and take credit for someone else's work. If you can't live ethically, I'm afraid there's no place for you in the DFIR field.

Replying to his nonsense message was pointless. What I'm about to write here is a better reply.

From this part of the article I'll provide a lot of evidence to show and regain the authorship of my work. I'll stick to facts as I always do in my day-to-day job as a forensic analyst. 

We all know from school that changing the order of the addends does not change the sum. That means that simply changing the words in a sentence doesn't turn a plagiarized article into an original work. It still remains a plagiarized piece of junk.

For next time (I really hope there won't be one) I recommend the guy to use an easier tool for checking. Let me describe it: it's free, it's a search engine and doesn't forget a single detail. People call it "Google". I'm sure the guy already knows it. Apparently "Google" is the only thing he changed while copying & pasting. Do you see that unique timestamp in both articles? What a coincidence!

I also have some Google searches for other very unique keywords extracted from my research article. All these searches produce only two hits. And guess what: all the oldest hits are always related to my article ;)

If you want to double check for yourlself, these are the syntaxes for the searches:

At this point I think I deserve a public apology. Dear Infosec Institute, I'll repeat it one more time: remove the unauthorized reproduction of my article from your website.

As an analyst I rely a lot on my human brain and skills. True professionals, no matter what the field, never rely on a single tool.

I'll now let pictures speak for themselves. What follows is a comparison of the two articles: mine (on the left) and Infosec Institute's unauthorized copy (on the right - at the time of writing this blog post).

Probably somebody should think twice before writing something that is far from being the truth.

Here are some more comparisons:

Authors are damaged twice by plagiarism: 1) by plagiarists who take credit for somebody else's work; 2) by all the people who share in good faith plagiarized articles.

We live in an age where we are daily overwhelmed by a lot of information and none of us has the time to double-check if an article is original or not. That doesn't mean that companies or people can take advantage of that for whatever reason.

Good reputation is something that is won over the years with sweat and tears, but at the same time it's something that can be lost in a blink of an eye.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[UPDATE August 9th, 2017]

InfoSec Institute took down my work from their website! Hopefully forever.
I'd like to thank those who have supported me by joining the protest that started on Twitter when I shared this blog post. 

Tuesday, June 20, 2017

Virtualization of a raw image of an Apple OS X system

Years ago Jimmy Weg wrote an awesome blog post on how to create a VMware virtual machine from a raw image file. This is my follow-up on how to virtualize Apple Mac OS X.

Bear in mind that, according to this article in the VMware Knowledge Base: The End User License Agreement (EULA) for Apple Mac OS X legally and explicitly binds the installation and running of the operating system to Apple-labeled computers only.

Having said that, these are the steps to follow.

  1. WinVMDKCreator (the tool was developed by Dana McNeil and was originally available on Jimmy Weg's blog) 
  2. VMware Workstation (this guide was tested against version 12 Pro)
  3. Patch Tool for VMware (see Install Patch Tool for VMware in the article available here). The two pictures below show the difference before and after installing the patch.


#Step 1
Open the raw image with your favorite tool. The following picture shows a Mac mini A1347 I imaged during an investigation. Strangely no encryption was set on that Mac. I haven't tried yet with an encrypted image. I guess you can skip to #Step 3 in that case.

#Step 2
Check which OS X version was installed by looking at the .plist SystemVersion.plist.

In my case the Mac mini was running Mac OS X 10.12 (macOS Sierra).

#Step 3
Launch the WinVMDKCreator tool. Select the image to virtualize under File Data. Tick Set disk image segment file attributes to Read Only. Then press Generate to create the .vmdk file.

#Step 4
Edit with a text editor the .vmdk file just created. Change the value of ddb.virtualHWVersion according to the version used of VMware Workstation.

For instance, if you're using VMware Workstation 12: ddb.virtualHWVersion = "12"

#Step 5
Launch VMware Workstation. From File choose New virtual machine (custom) and set these settings:

Hardware compatiblity Workstation 12.x
Guest Operating System Installation I will install the operating system later
Select a Guest Operating System Apple Mac OS X
Virtual machine name/Location whatever you prefer
Firmware Type EFI (default setting)
Processor Configuration (default settings)
Memory for the Virtual Machine increase to 4096 MB
Network Type Do not use a network connection
SCSI Controller LSI Logic (default setting)
Virtual disk type SATA (default setting)
Select a Disk Use an existing virtual disk
Existing Disk File Click Browse and Open the .vmdk file we previously created with WinVMDKCreator

Click Finish and close VMware Workstation.

#Step 6
Use a text editor to modify the <VirtualMachineName>.vmx file stored in the VM folder.

Append this line at the end of the file:

smc.version = "0"

Without the line above, the VM won't start and will show an error message saying "unrecoverable error: (vcpu-0)".

#Step 7
  • Launch VMware Workstation
  • Take a snapshot of the VM
#Step 8
Now you're ready to fire up the VM!


Saturday, April 1, 2017

RegRipper plugin to parse Foxit Reader

Foxit Reader is a popular free PDF Reader. Like any other program it keeps a file history. This is the Recent Files list shown to the user when the program is launched:

Foxit Reader stores the MRUs under the File MRU and Place MRU subkey in the NTUSER.DAT hive. They are named Item1 – Item50 and hold up to 50 of the last PDF file/path opened. Item 1 contains the most recent value while Item 50 is the oldest last. History\LastOpen contains additional details that I'll mention later.

As a test, I opened 50 different files named with numbers: I first opened a file named 01.pdf, then 02.pdf and so on up to 50.pdf.

Under History\LastOpen, Foxit Reader stores for each file some important information like the page number of the last page read, the zoom level used and the view mode. As you can notice from the picture below, the page number counter starts at "0". That means that page number "1" in a PDF file is stored as "0" in the registry.

I wrote a plugin for RegRipper to parse all these values by adapting a couple of existing plugins ( by H. Carvey and by E. Rye). The code I wrote is far from perfect since I've never programmed in Perl...but it works ;) 

My plugin can be downloaded from here.

[UPDATE 11/April/2017]: My plugin was added to the official RegRipper repository. Thanks Harlan!

Friday, March 31, 2017

Customizing the filter type in X-Ways Forensics

The Filter:Type in X-Ways Forensics is one of my favorite filters. After many uses, I started thinking on how to make it more suitable for my needs.

This is my tweaked version:

This is a quick summary of the changes:
  • the categories are sorted alphabetically;
  • some categories were renamed;
  • there are now new categories like Network/Packets and Memory;
  • some extensions were moved to other categories;
  • some new extensions/filenames were added to the list.

If you want to give it a try, replace the two files "File Type Categories.txt" and "File Type Categories User.txt" in your installation folder with the ones you can download from my repository xways-forensics .


[UPDATE 03/April/2017]: I added the category Malware, Ransomware which is based on the Ransomware Overview document.
[UPDATE 11/July/2017]: The custom filter types was added to the Bookmarks menu in the latest version of XWFIM X-Ways Forensics Installation Manager (v1.7.0.0). Thanks Eric!