FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know.
NTFS $ObjID and ObjectID
- Andrew Odendaal at “Ao” provides some sources and commands to extract useful information from a Linux system.
Forensic Analysis on Linux (Unix)
- Justin Boncaldo provided an overview of the Shellbag artefact. Something that’s important to note is that an item may appear in shellbags, but may not have been accessed – the activity of clicking on the folder icon will add it as an entry to the user’s shellbags.
DFS #5: Which folders have been opened? (Shellbags)
- There were a few posts on Cyber Forensicator this week
- They shared a video by Pragmatic Works about a new feature in SQL Server 2016 called “Temporal Tables”
Using SQL Server 2016 Temporal Tables for Data Forensics and Auditing
- They also shared the update that the next Win10 version will have the ability to use the clipboard as a list rather than a single variable. As a result, examiners may have more useful information (passwords even!) to examine. Work is underway to determine how best to access this data, as it may be encrypted
Windows 10 October 2018 Update Brings Clipboard History Feature
- Lastly, they shared the Telegram group that they have created; as a side note, there’s some good information shared on these chatroom-like apps (Discord, Slack, Telegram), and a lot of the time it’s difficult to follow as people will ask multiple questions and answers. If you have a question and get an answer on a chat or listserv that is probably worth sharing, please write it up; it doesn’t have to be perfect, but it might help others as well that aren’t on whatever space you’re looking at. I’m happy to chat with people are getting stuff written up and shared, even if it’s anonymous.
Join our Telegram DFIR group!
- They shared a video by Pragmatic Works about a new feature in SQL Server 2016 called “Temporal Tables”
- Andrew Skatoff has started a blog, DFIR TNT, and walks through the usage of OSXCollector, and ingesting the output with Splunk
Using Mac OSXCollector with Splunk
- Matteo at Forensics Matters shares three methods of obtaining the Windows installation date timestamp from the registry. It’s important to note that Win10 updates the Install Date when a major update occurs.
Find out Windows installation date
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- My solution to Dave’s last Sunday Funday challenge was selected as the winner (most likely from a pool of 1 #default). I went to long way around and ran fsutil across an entire path; the reason being that a) it was easier and b) I could run it on the specific folder I had created with test data.
Daily Blog #472: Solution Saturday 9/8/18
- Sunday Funday returns, with another $ObjectID challenge. This time the request is a Python script for parsing the $ObjtID:$O ADS directly.
Daily Blog #473: Sunday Funday 9/9/18
- Dave showed how Microsoft-Windows-Application-Experience%4Program-Telemetry event log on a Win Server 2008R2 instance can be used to track executables.
Daily Blog #474: Application Experience Program Telemetry
- There were three test kitchens on ObjectID testing which I haven’t been able to watch. If someone was looking for a project, going back and watching all of these and formalising the research would be great.
- Dave also uploaded his ObjectID scanner to GitHub
Daily Blog #478: Github repository for the Test Kitchen
- And sadly didn’t receive any solutions to the previous Sunday Funday challenge.
Daily Blog #479: Solution Saturday 9/15/18
- My solution to Dave’s last Sunday Funday challenge was selected as the winner (most likely from a pool of 1 #default). I went to long way around and ran fsutil across an entire path; the reason being that a) it was easier and b) I could run it on the specific folder I had created with test data.
- Sarah Edwards at Mac4n6 has produced a great post about the knowledgeC database located on iOS devices and provides a number of useful queries for tracking user activities.
Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
- There were a couple of posts by on the Magnet Forensics blog this week
- Jamie McQuaid at Magnet Forensics describes the various databases on Android that may be used to store SMS/MMS messages
Android Messaging Forensics – SMS/MMS and Beyond
- They also posted a few methods of putting a Qualcomm phone into EDL mode.
How to Put a Qualcomm Phone into EDL Mode
- Jamie McQuaid at Magnet Forensics describes the various databases on Android that may be used to store SMS/MMS messages
- Matt Seyer shares a tool that he wrote for parsing the Win10 Activities Cache database into JSON format.
Windows Activity Cache in JSONL
- Arman Gungor at Meridian Discovery has written an interesting case study about Word document manipulation and what an examiner may be able to tell about the timestamps.
Word Forensic Analysis and Compound File Binary Format
- Over on my ThinkDFIR site, I shared a script to extract all the records that contain a timestamp in the iOS powerlog database into a timeline.
Playing with the iOS Powerlog
THREAT INTELLIGENCE/HUNTING
- There were a couple of posts on the Carbon Black blog this week
- Rick McElroy shares his thoughts on the recent SANS THIR Summit and Carbon Black’s goals for giving back to the infosec community.
SANS THIR Summit Wrap Up – “We Have 15 Minutes”
- Jimmy Astle shows how to use ATT&CK, in combination with “Red Canary’s Atomic Red Team and Cb Defense prevention rules” to research attacker behaviours.
Using MITRE ATT&CK When Researching Attacker Behavior in a Post-Compromise World
- Rick McElroy shares his thoughts on the recent SANS THIR Summit and Carbon Black’s goals for giving back to the infosec community.
- Jack Crook at ‘DFIR and Threat Hunting’ shares his thoughts on some of the presentations from the recent SANS Threat Hunting Summit
Thoughts After the Sans 2018 ThreatHunting Summit
- Richard Gold at Digital Shadows maps activity by the Lazarus group to the MITRE ATT&CK framework.
MITRE ATTACK and the North Korean Regime-Backed Programmer
- Infosec Samurai at ‘Measured Response’ describes the relationship between Threat Hunting and Threat Intelligence.
Infosec’s Hunter Gather Relationship
- Grotez shares a series of attributes that make for a successful hunt, and hunter
Intelligence Analysis — For Cyber Threat Intelligence.
- Nextron Systems updated their Antivirus Event Analysis Cheat Sheet to v1.4
Antivirus Event Analysis Cheat Sheet v1.4
- Red Canary posted John Wunder, Phil Hagen, and Rick McElroy’s responses to the “top questions on ATT&CK and threat hunting.”
Q & A: How to Use the MITRE ATT&CK™ Framework to Mature Your Threat Hunting Program
UPCOMING WEBINARS/CONFERENCES
- Steve Sunday at AccessData will be presenting a short webinar on examining live remote system with AD Enterprise 6.5.
Targeted Search on Live Remote Systems with AD Enterprise
- Carbon Black, Mitre, and Red Canary will be hosting a webinar on “how to use the MITRE ATT&CK framework to hunt for adversary tactics and techniques across the attack matrix, develop and test hypotheses against known techniques, obtain a broader set of evidence by hunting for adversarial techniques, and increase the efficacy of their threat hunting programs.”
How The ATT&CK™ Framework Can Mature Your Threat Hunting Program
PRESENTATIONS/PODCASTS
- Active Countermeasures shared the slides from their recent Threat Hunting Beacon Analysis webcast.
Threat Hunting Beacon Analysis Webcast from September 11, 2018
- Didier Stevens uploaded a video showing how to deal with DOSfuscated maldocs as per his previous ISC diary entry.
Maldoc with DOSfuscation: example 2
- In the eDiscovery realm (which I don’t usually cover), there were a couple of videos people may be interested in. I haven’t watched them through, but Craig Ball and Tom O’Connor talked about forensic examination protocols, and Nuix acquired Ringtail and uploaded a demonstration webinar.
- On this week’s Digital Forensic Survival Podcast, Michael talked about OfficeMalScanner, which is a useful tool for scanning malicious Office documents
DFSP # 134 -OfficeMalScanner
- Richard Davis at 13Cubed walks through examining malicious documents using Didier Stevens tools.
Payload Distribution Format
- SANS uploaded Mari DeGrazia’s presentation from the 2018 DFIR Summit on hunting for malicious PowerShell scripts
Finding and Decoding Malicious Powershell Scripts – SANS DFIR Summit 2018
- Scott Piper shared his presentation from IRespondCon titled “Mining CloudTrail logs to uncover and respond to breaches in AWS”
Check out @0xdabbad00’s Tweet
MALWARE
- The ASERT team at Arbor Networks provide details about the Bondupdater trojan, which is associated with the OilRig group.
Tunneling Under the Sands
- Feixiang He, Bogdan Melnykov, and Andrey Polkovnichenko at Check Point Research examine the Black Rose Lucy Malware-As-A-Service product
Meet Black Rose Lucy, the Latest Russian MaaS Botnet
- Jerome Doaty and Garrett Primm at Cofense examine the Astaroth trojan, which is being used a new campaign targeting South Americans.
We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan
- Wee-Jing Chung at Countercept continues analysing the Sharpshooter malware
Analyzing Sharpshooter Part 2
- Amit Serper at Cybereason posted a couple of articles this week
- He examines a .NET dropper using dnSpy
The anatomy of a .NET malware dropper
- He also takes a look at a wannamine attack that exploits EternalBlue
Wannamine cryptominer that uses EternalBlue still active
- He examines a .NET dropper using dnSpy
- Ayako Matsuda and Irshad Muhammad at Fire Eye examine some activity attributed to APT10.
APT10 Targeting Japanese Corporations Using Updated TTPs
- The Microsoft Secure team share details of the integration between o365 applications and “Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior”.
Office VBA + AMSI: Parting the veil on malicious macros
- Kyle Wilhoit and Robert Falcone at Palo Alto Networks share details of recent activity by the OilRig group, and the use of an updated version of the Bondupdater trojan.
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens shares a video showing “how to analyze shellcode with a reverse tcp shell, by setting up a server listening on the appropriate TCP port.”
Video: Using scdbg to analyze shellcode, (Sat, Sep 8th)
- Didier also examines a malicious PowerShell script appended to an LNK file, obscured by using the string “dikona”.
“What is dikona or glirote3?”, (Mon, Sep 10th)
- Xavier Mertens examines a malicious MHT file
Malware Delivered Through MHT Files, (Thu, Sep 13th)
- Didier Stevens shares a video showing “how to analyze shellcode with a reverse tcp shell, by setting up a server listening on the appropriate TCP port.”
- The Securelist Great team examines a trojan that “injected into the lsass.exe system process memory” by an NDISProxy driver signed by Chinese company LeagSoft.
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
- Shahar Tavor and Limor Kessem at IBM’s Security Intelligence blog examine the Android ExoBot malware.
IBM X-Force Delves Into ExoBot’s Leaked Source Code
- Ian Kenefick at TrendLabs takes a look at the PyLocky ransomware.
A Closer Look at the Locky Poser, PyLocky Ransomware
- Vitali Kremez reverse engineers and analyses “the latest “Dridex” banking malware loader and its usage of Avast “snxk.dll” hooking library.”
Let’s Learn: Dissecting Dridex Banking Malware Part 1: Loader and Avast “snxk.dll” Hooking Lib
- Kaspars Osis at WeLiveSecurity takes a look at a cryptominer campaign that exploits the Kodi media platform.
Kodi add-ons launch cryptomining campaign
MISCELLANEOUS
- Matt at Bit of Hex shares a mindmap of useful Volatility commands.
Mind Mapping Volatility
- Brett Shavers has added a Patreon page for DFIR Training, which allows you to support the project and also get access to a few extra perks for doing so. A rule I generally go by; If you get value from a project and would be affected if it went away, then I think it’s worth throwing a few dollars at it (if you’re able to of course).
DFIR Training is on Patreon!
- There were a couple of posts on Forensic Focus this week
- Scar reviewed Griffeye’s Analyze DI Pro
Review Of Analyze DI Pro From Griffeye
- Richard Press advised that the NIST NSRL has expanded to include hashes for computer games.
Database of Software “Fingerprints” Expands to Include Computer Games
- Scar reviewed Griffeye’s Analyze DI Pro
- Magnet Forensics listed a variety of ways to identify a suitable candidate for the Magnet Forensics Community Award. Also, “Nominators also receive a Magnet Forensics prize pack as a thank-you to taking the time to nominate the winner”; having won a couple of these through a couple of CTFs, they’re pretty good prize packs.
5 Ways to Identify a Candidate for the Magnet Forensics Community Award
- Mark Hallman updated the Plaso Cheat Sheet, now at v1.03. Mark let me know that this happened, which is very much appreciated. If you think that I might be missing something, I’m happy to chat about it; it’s entirely possible I’ve missed stuff, it’s also possible that it’s not shared in a way that makes it easy to identify that updates have been made.
Plaso Cheat Sheet
SOFTWARE UPDATES
- Berla released iVe 2.0.3, which “includes a change for tracklog parsing in some newer Ford SYNC generation 3 systems”
iVe Software v2.0.3 Release
- Eric Zimmerman updated most of his tools this week.
Everything gets an update, Sept 2018 edition
- Blacklight 2018 R3.1 released with a number of bug fixes.
Blacklight 2018 R3.1 Release Notes
- Log-MD Free v2.1 was released.
Check out @HackerHurricane’s Tweet
- Magnet Forensics updated Axiom to v2.5, with a number of performance updates among other feature improvements.
Big Improvements Make Magnet AXIOM 2.5 the Fastest Version Yet
- Sanderson Forensics released Forensic Browser for SQLite v3.3.0 to add speech bubbles to reports
New release 3.3.0
- TZWorks released their September 2018 build package, adding updates to tac and pescan, as well as a Windows Push Notification database parser, wpn.
Sep 2018 build (package)
And that’s all for Week 37! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!
This Week In 4n6 