FORENSIC ANALYSIS
- Justin Boncaldo walks through a few of the artefacts that are useful for tracking USB devices on a Windows system. Justin also describes his recent internship at Califorensics.
  DFS# 03: Was a USB drive inserted into my Windows computer?
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week.
  - He shared links and images for the DEFCON DFIR CTF, which was a lot of fun.
    Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public
  - He also shared the winners, including Charlotte Hammond, who was the first person to get a perfect score.
    Daily Blog #453: Winners of the Unofficial Defcon DFIR CTF
  - Dave shared a presentation by Minoru Kobayashi and Hiroshi Suzuki from Black Hat 2018 titled “Reconstruct the World From Vanished Shadow: Recovering Deleted VSS Snapshots”.
    Daily Blog #452: Dealing with deleted shadow copies
  - He also linked to Brian Maloney’s blog post about examining the WAL from the Win10 Notification database.
    Daily Blog #454: SQLite Write Ahead Logs and Python
  - Lastly, Dave shared Lodrina Cherne’s winning solution to the previous Sunday Funday challenge on file uploads in popular browsers.
    Daily Blog #456: Solution Saturday 8/16/18
- Alexis Brignoni at Initialization Vectors shows how to extract and parse Discord chats found on an iOS device.
  Finding Discord chats in iOS
- Josh Lemon “walks through mounting the HFS section of a .dmg file on a Linux system to allow the extraction of files for further analysis.”
  Expanding a macOS DMG file for Analysis
- SalvationData share a case study on recovering data from an Access database. They show that, as with most databases, “after deletion, the raw user data still remains”.
  [Case Study] Computer Forensics: Access Database Forensic Analysis
THREAT INTELLIGENCE/HUNTING
- Xavier Mertens at ‘/dev/random’ shows how to detect SSH username enumeration.
  Detecting SSH Username Enumeration
- Zachary Burnham walks through the process of creating a single-node ELK stack.
  Creating a Single-Node ELK Stack
- Didier Stevens shares his thoughts on JA3, which is “a method for creating SSL/TLS client fingerprints that are easy to produce and can be easily shared for threat intelligence.”
  Quickpost: Revisiting JA3
- Anjum Ahuja at Endgame walks through “the basics of DNS tunneling, some challenges with detection, and offer recommendations for detecting these attacks while limiting false positives.”
  Plight at the End of the Tunnel
- Adam at Hexacorn describes another persistence mechanism that utilises the “TreatAs” key as a COM hijack.
  Beyond good ol’ Run key, Part 84
- Nextron Systems released THOR-util version 1.2.4, as well as updating SPARK Core, adding the ability to encrypt your custom signatures during deployment.
  New Feature: THOR-util and SPARK-Core-util Signature Encryption
- fl0x2208 at ‘That security and Intel blog’ describes why cyber threat intelligence is important and provides guidance on building a threat intelligence program.
  Cyber Threat Intelligence. Is it for me?
UPCOMING WEBINARS/CONFERENCES
- Dr. Vico Marziale at BlackBag Technologies is hosting a webinar on the data held within the macOS Spotlight metadata store. The webinar will take place at 6:00 PM on Tuesday, August 28, 2018.
  Ask the Expert: How to Get a Better View with Spotlight
- Jamie McQuaid from Magnet Forensics and Dr. Liam Owens from Semantics21 will be hosting a webinar on their latest integration. The webinar will take place at 11am EST on Tuesday, 21 August 2018.
  Saving Valuable Time on Child Exploitation Investigations with Magnet Forensics and Semantics21
- Joe Church and John Patzakis will be hosting a webinar on collecting social media evidence from the dark web. The webinar will take place at 4:00 PM on Tuesday, August 28, 2018.
  Social Media Investigations within the Dark Web
PRESENTATIONS/PODCASTS
- AccessData shared a video by Keith Lockhart about the Quin-C web review platform.
  Supercharge Friday Webinars Quin-C Session 1
- Colin Hardy posted a video “to showcase my analysis techniques and thought processes when analysing malicious macros”.
  Analysing Obfuscated VBA – Extracting indicators from a Trickbot downloader
- Hoke Smith at Nuix “showcases how to use Nuix Adaptive Security to find insider threats or detect them as they operate on your organization’s network”.
- Dave Porcello at PacketBeard Labs shares the “slide deck, packet captures, and packet mining commands” from the “packet mining workshop at Defcon 26”.
  Defcon packet mining workshop – course materials on GitHub
- On this week’s Digital Forensic Survival Podcast, Michael talks “about scoping network connections as part of incident response triage”.
  DFSP # 130 – Network Scoping
- Richard Davis at 13Cubed published a video on various commonly used persistence mechanisms on Windows systems.
  Persistence Mechanisms
MALWARE
- Check Point researchers share details of the infection chain from a “wave of the Ursnif malspam campaign targeting Italy.”
  VBEtaly: An Italian Ursnif MalSpam Campaign
- There were a couple of posts on the Cofense blog this week.
  - Marcel Feller describes a phishing email that distributes a malicious PowerShell script via a LNK file.
    An Analyst’s View of Surging PowerShell-based Malware
  - Jason Meurer and Darrel Rendell share details of a malicious Publisher document distributed by a recent campaign involving the Necurs botnet.
    Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
- Cyber Forensicator share a link to ViperMonkey, “a VBA Emulation engine written in Python” by Philippe Lagadec.
  Deobfuscate malicious VBA Macros with ViperMonkey
- Hod Gavriel at Cyberbit examines a new variant of Trickbot.
  Latest Trickbot Variant has New Tricks Up Its Sleeve
- Naivenom at “Follow The White Rabbit” walks through reversing the Lotto executable from the Pwnable challenges using Radare2.
  Introducción al Reversing con radare2 – 0x06 Lotto (Introduction to Reversing with radare2 – 0x06 Lotto)
- Kyle Hanslovan at Huntress Labs shares a couple of strategies that attackers are using to mask their executables.
  Attackers Abuse Trust with Indirection
- Jay Rosenberg at Intezer examines a new version of the Foudre malware.
  Prince of Persia: The Sands of Foudre
- Vishal Thakur has a guest post on ‘Lemon’s InfoSec Ramblings’ examining the Keymarble trojan.
  Malware Analysis – Keymarble
- Brad Duncan at the SANS Internet Storm Center shares some IOCs for malspam “distributing password-protected Word docs with malicious macros designed to infect vulnerable Windows computers with ransomware”.
  More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware, (Wed, Aug 15th)
- Orkhan Mamedov and Fedor Sinitsyn at Securelist examine the KeyPass ransomware.
  KeyPass ransomware
- Homer Pacag at Trustwave SpiderLabs shares details of a malicious Microsoft Publisher document.
  Malspam Campaign Targets Banks Using Microsoft Publisher
- Rohit Sharma at Symantec examines a new version of jRAT.
  改良された jRAT、解析回避の新たな手法を備えて登場 (Improved jRAT arrives with new analysis-evasion techniques)
- Zerophage Malware takes “a look at a HookAds campaign leading to Rig EK”.
  Rig EK via HookAds drops AZORult loading Quasar RAT
MISCELLANEOUS
- Matt at ‘Bit of Hex’ shares his thoughts on Cliff Stoll’s “The Cuckoo’s Egg”.
  The Cuckoo’s Egg: Redux
- Brett Shavers shares his X-Ways cheat sheet… well, at 21 pages it’s more of a cheat booklet.
  X-Ways Forensics Cheat Sheet and “Three Things”
- Brett also shares some thoughts on vendor marketing over at DFIR.Training.
  And now a quick word from our sponsors.
- The DFRWS 2018 Challenge has been released and relates to an investigation of a drug lab containing a variety of devices. The challenge closes March 20, 2019.
  DFRWS 2018 Challenge
- Oleg Afonin at Elcomsoft shows how the inbuilt Intel GPU can be utilised for additional power in password cracking in “Elcomsoft Distributed Password Recovery 4.0 (and newer)”.
  Using Intel Built-in Graphic Cores to Accelerate Password Recovery
- There were a few posts on Forensic Focus this week.
  - They reposted Richard Press’ article from the NIST website regarding the addition of a number of drone datasets, contributed by VTO Labs.
    Drone Forensics Gets A Boost With New Data On NIST Website
  - They also interviewed Eric Oldenburg from Griffeye.
    Interview With Eric Oldenburg, Tech Evangelist, Griffeye
  - John (Zeke) Thackray reviewed the Logicube Forensic Falcon-NEO.
    Review Of Forensic Falcon-NEO From Logicube
  - Scar shared her round-up of forum posts from the last month.
    Forensic Focus Forum Round-Up
- Magnet Forensics announced an upcoming series of monthly posts regarding how various components of AXIOM may be useful in corporate investigations.
  Introducing a New Corporate Industry Insights Series
- Brad Duncan at Palo Alto Networks shares some customisation options for Wireshark to assist in investigating malicious network traffic.
  Customizing Wireshark – Changing Your Column Display
- Luis Martinez has started a new blog, Persistent 4n6, and begins by describing his journey in DFIR, as well as a few resources to use to continue learning about the field.
  The Journey Begins
- FireEye have announced the fifth annual Flare-On challenge, which will run from 8:00 p.m. ET on Aug. 24, 2018 to 8:00 p.m. ET on Oct. 5, 2018.
  Announcing the Fifth Annual Flare-On Challenge
- Something I missed last week: Michael Cohen launched the Velociraptor Incident Response blog, along with a new project, Velociraptor, which is built on the shoulders of Google Rapid Response.
  Velociraptor Incident Response
- Ted Smith at X-Ways Clips advises that the beta version of X-Ways Forensics 19.7 has experimental support for APFS.
  Apple APFS Disks now supported by X-Ways Forensics v19.7
SOFTWARE UPDATES
- Atola Insight Forensic 4.11 was released, adding “APFS support in Imaging, File Recovery and Diagnostics, as well as extended Artifact search functionality and other great features”.
  Atola Insight Forensic 4.11 with APFS support
- Belkasoft Evidence Center 2018 v9.2 was released, adding support for the APFS file system and other improvements.
  What’s New in Belkasoft Evidence Center 2018 Version 9.2
- Didier Stevens updated a couple of his tools this week.
- DME Forensics released DVR Examiner 2.4, adding “updates and improvements across the program, as well as redesigned reporting features.”
  Announcing DVR Examiner 2.4! New Software Update Available
- Elcomsoft Distributed Password Recovery 4.0 was released, improving performance on NVIDIA video cards and the graphics cores built into Intel CPUs.
  Elcomsoft Distributed Password Recovery 4.0 with Automatic Dictionary Distribution and Intel GPU Acceleration
- Elcomsoft also updated Forensic Disk Decryptor to 2.10, adding support for VeraCrypt and “TPM enhanced BitLocker configurations including TPM-only and TPM+password modes.”
  Forensic Disk Decryptor 2.10 with VeraCrypt and TPM Support
- Eric Zimmerman updated Timeline Explorer to version 0.8.5.3.
  TLE
- ExifTool 11.10 (development release) was released with some new tags and bug fixes.
  ExifTool 11.10
- GetData released Forensic Explorer v4.3.5.7660 with some bug fixes and improvements.
  15 August 2018 – v4.3.5.7660
- GetData also updated Mount Image Pro to v6.3.0.1855 to fix activation issues.
  15 Aug 2018 – v6.3.0.1855
- LYLC released JParser, an NTFS USN Journal parser for Mac and Linux.
  JParser
- Magnet Forensics updated AXIOM to v2.4, with performance improvements, additional data from iOS file system images, as well as improvements to O365 and Magnet AI.
  Working Cases Faster Than Ever in Magnet AXIOM 2.4
- Vound released Intella 2.2 and Intella Connect 2.2 with a number of new features and improvements.
  Vound Releases Intella® 2.2 and Intella® Connect 2.2
- X-Ways Forensics 19.6 SR-7 was released with a few bug fixes and minor improvements.
  X-Ways Forensics 19.6 SR-7
- YARA v3.8.1 was released with a few bug fixes.
  v3.8.1
- Maxim Suhanov released YARP 1.0.21, which features “the carving of registry fragments that don’t start with a distinguishable header”.
  1.0.21
And that’s all for Week 33! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!