Week 8 – 2016

Week 8!

  1. Software Updates:
    • Paul Sanderson made an update to Forensic Browser for SQLite with a few bug fixes. It’s now at version 2.7.5 (although the forum post says not yet released)

    • FTK Imager has been updated to version 3.4.2. This update was mainly bug fixes, but the major takeaway is that AD1 images are now created in the new version 4 format, which is unreadable by previous versions across the AD product line.
      AccessData Imager 3.4.2 Release Notes

    • X-Ways updated late last week (and I missed it) to version SR-4. This release includes minor improvements and bug fixes.
      X-Ways Forensics 18.7 SR-4

  2. A few weeks ago the Scientific Working Group of Digital Evidence released a few papers that some might find interesting. The documents released include the Best Practices for Chip-Off, Best Practices for Collection of Damaged mobile devices, Image Processing Guidelines, Linux Tech Notes, and Training Guidelines For Video Analysis, Image Analysis and Photography. Of these, I’ll find the Linux Tech Notes the most useful; it explains a number of key components of the Linux operating system for those that don’t interact with or analyse these systems too often.
    Public Documents

  3. Mari DeGrazia published a post shedding some new light on the Trust Records section of the Windows Registry. This post will be quite useful for those having to investigate a breach and covering off the bases of user-run macros.
    More on Trust Records, Macros and Security, Oh My!

  4. In response to Mari’s post Harlan Carvey has updated his trust records plugin and conducted a bit of his own analysis on the keys. Harlan also updated the ‘termserv’ regripper plugin. The remainder of the post speaks about process creation monitoring, malicious LNK files, and an 8KB one-liner located within a macro.
    Links: plugin updates and other things

  5. Akshay Sudan at Checkmate has a post up detailing a new vulnerability in the “export to spreadsheet” feature of Microsoft’s CRM tool. The feature allows an adversary to place malicious content in a field that will run automatically when the exported CSV is opened. The example used is innocuous, but of course any executable can be run.
    CSV INJECTION
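    The fix for an export feature like the one described above is to neutralise cells on the way out and to check exports for cells a spreadsheet would evaluate. The following is an added example, not code from the Checkmate post or from Microsoft’s CRM product; the CRM records, field names and the `=SUM(1,2)` note are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula
# (the usual CSV-injection trigger set; tab and CR are included because some
# importers treat them as separators that restart cell parsing).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample CRM records (assumption: a "notes" field that users can
# edit freely). Bob's note carries an innocuous formula of the kind the post
# describes; Carol's note shows a legitimate value that starts with "-".
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "notes": "Prefers email"},
    {"name": "Bob Example", "notes": "=SUM(1,2)"},
    {"name": "Carol Example", "notes": "-5 degrees outside"},
]


def sanitize_cell(value):
    """Force a spreadsheet to treat the cell as text rather than a formula."""
    if not isinstance(value, str):
        return value  # numbers are emitted as-is; only strings can carry a formula
    if value.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes Excel and LibreOffice keep the cell as text.
        return "'" + value
    return value


def export_contacts(contacts, sanitize=True):
    """Serialise contacts to CSV text. sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "notes"])
    for contact in contacts:
        cells = [contact["name"], contact["notes"]]
        if sanitize:
            cells = [sanitize_cell(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an export: return (row, column, value) for every cell a spreadsheet would evaluate."""
    hits = []
    for row_index, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_index, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((row_index, col_index, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_contacts(SAMPLE_CONTACTS, sanitize=False)
    print("cells a spreadsheet would evaluate in the raw export:")
    for hit in find_formula_cells(unsafe):
        print("  ", hit)
    safe = export_contacts(SAMPLE_CONTACTS)
    print("after sanitising:", find_formula_cells(safe))
    print(safe)
```

    The audit function deliberately flags Carol’s “-5 degrees outside” as well as Bob’s formula: a leading minus is ambiguous, so the safe choice on export is to prefix it anyway and let the reviewer decide, rather than try to guess which values are numeric.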

  6. Udit Pathak at Checkmate comments on a vulnerability patched by Microsoft in 2014 that allowed the local admin account for a domain controller to be obtained by examining SYSVOL. The post provides a few different locations that an actor can examine to locate the password.
    Hunting Passwords In SYSVOL

  7. The students at Champlain College have three posts up this week. The first is an introduction to a bluetooth security testing project. The students will be “setting up extensive testing schema to quickly and accurately assess the vulnerability of modern Bluetooth-enabled devices”.
    BLUETOOTH SECURITY INTRODUCTION
    The second post is an update to the Amazon Echo forensics project. The students are halfway through the semester and have performed preliminary examinations on both the data on the device (or at least the app running on a Nexus tablet) and the data in transit. The team intends to continue their research in the coming weeks, looking into the artefacts created when interacting with the Echo through additional devices as well as the security aspects of the communications.
    AMAZON ECHO FORENSICS UPDATE 1
    The third post provides an update from the team examining wearable devices. They stated they had an issue with imaging the Gear S2 watch, however they did explain a process for obtaining data. I do hope they include the full process in their report. Unfortunately the team seems to be hitting roadblocks in actually interacting directly with the devices. It may be that the only way to download the data is via a JTAG or chip-off extraction (which even then may result in a nil find if there’s encryption on the data). There should be another update in a few weeks with more findings.
    WEARABLE TECHNOLOGY FORENSICS UPDATE 1

  8. Jimmy Schroering at DME forensics has a post up about analysing Hikvision systems – in particular identifying times in videos. I really like the approach here; add support for the artifacts to the tool and then explain the manual process. This is something I see quite regularly in open source utilities but I haven’t seen it that often in the commercial stuff. This post describes a technique that can be very useful in tying carved frames to specific time periods (provided the time is embedded at the end of each frame). Of course this may not always be the case, but you might get lucky with a system.
    Analysis of Hikvision Date/Time

  9. Eric Zimmerman has a new post on his research into Windows Jump Lists. This research precedes his new Jump List parsing tool, which will hopefully be released shortly. Why do we need a new Jump List parser? Well, because we do, and the few that I’ve tried have broken on occasion or don’t include certain data, so it’s good for validation. That, and apparently Harry Parsonage of Meaning of LIFE fame requested it. The post describes Jump Lists starting with customDestinations parsing, moving on to the OLE file format (in-depth means really in-depth, but at least there are pictures) and then DestList parsing. Apparently the DestList format has changed as of Windows 10, so examiners need to be aware that tools may crash or silently drop data if they haven’t been updated. I do like the bit at the end about tool testing; it’s something I’d like to look into in the future because there are a number of tools available that all have their pros and cons, features and bugs, and it’s good to have a handle on what tests you’ve performed and how everything fared.
    Jump lists in depth: Understand the format to better understand what your tools are (or aren’t) doing

  10. Two new articles on Forensic Focus this week. The first is a review by Neil Beet of Cellebrite’s UFED Cloud Analyzer Product. This review covers both the features and limitations of the product and is a good read for anyone looking at purchasing the product. I particularly like how in depth the walkthrough is.
    Reviews – 2016 Cellebrite’s UFED Cloud Analyzer Product Review
    The second is a call for participants to a survey of the preferred investigative methodologies of digital forensics professionals. There is a £300/€400 prize for a lucky entrant, although there is no indication of whether this is restricted to EU/UK contributors.
    Call for participants: Survey of digital forensic investigation professionals

  11. Jared Atkinson has another Forensic Friday post, this time commenting on the Get-ForensicMftSlack cmdlet.
    Forensic Friday: Get-ForensicMftSlack

  12. Microsystemation have announced their intentions to build an ecosystem for the XRY platform covering XRY, XAMN and XEC. This announcement also comes with the news that MSAB will be creating a Professional Services Department that will cover strategies (Identifying user demands and recommending solutions), implementation (Installation, resourcing and adaptation of organisation resources to setup and fine tune processes), training and support.
    Launching the MSAB Ecosystem

  13. Oleg Afonin at Elcomsoft provides an update on the really interesting debate happening between Apple and the FBI. The post explains a lot about what can be done with the iPhone in question and then why some things can’t be done. The post doesn’t appear to pick one side or another, which is refreshing.
    Apple vs. The government: follow up

  14. Expanding on the Apple debate, Heather Mahalik, Cindy Murphy and Sarah Edwards posted an article on the SANS blog which includes a lot of information regarding the scenario and the current capabilities.
    A Technical Autopsy of the Apple – FBI Debate using iPhone forensics
    SANS have also released a poster explaining how to get started with their two free examination platforms (SIFT and REMnux). The poster covers both installing the operating systems as well as utilising a range of tools (with sample command line arguments) to achieve specific goals.
    SANS DFIR Linux Distributions: SIFT Workstation and REMnux Poster Version 1.1

  15. Weare4n6 has a couple posts up this week. The first post relates to two new forensics books, Practical Digital Forensics, and Practical Mobile Forensics (2nd Edition), that are available for preorder through Packt Publishing. Practical Digital Forensics professes to offer an overview of the digital forensics field including case studies and simulations to help you to “apply the knowledge of the theory gained to real-life situations”. Practical Mobile Forensics has been updated to its 2nd Edition covering current mobile operating systems and data extraction techniques using commercial and open source tools of both on device and cloud data.
    Packt has announced two new digital forensics books
    The second post is an article about utilising the WhatsApp Key/DB Extractor script to extract the WhatsApp cipher key on non-rooted phones. I vaguely recall some of the commercial tools also have this feature, however it’s always good to have an open source version.
    Extracting WhatsApp database and the cipher key from a non-rooted Android device

  16. There was an extra long episode of the Forensic Lunch this week (1 hour and 18 minutes!). This week’s primary topic was Blackbag’s Blacklight forensic suite. The Blackbag guys will be releasing an update to Blacklight shortly, and this new release continues their expansion into the Windows forensic analysis market. The new release adds additional support for volume shadow copies, including some great new features for showing all the files found in VSCs individually or grouped together. The tool allows the examiner to interact with VSCs in a similar fashion to a partition, which means you can run most of the parsing utilities that Blacklight has to offer. Basic Windows memory forensics has also been added (although, interestingly enough, not Mac memory image processing, although it’s on their road map). The memory forensics parsers work for hibernation files up to Windows 7, raw dumps and crash dumps, and allow for image carving and examination of processes, libraries, sockets, handles and drivers. The team also showcased the journal parsing, which I’m sure would have been slightly intimidating in front of the guys who pioneered journal forensics. I’m looking forward to playing around with this new release on some of my Windows examinations in the future.
    Forensic Lunch 2/26/16

  17. Lastly, Ken Pryor has announced his retirement on his blog. I met Ken a few years ago at the SANS DFIR summit and he is a genuinely great person. All the best in your retirement.
    The End

And that’s all for Week 8! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
