Week 9!
- Software Updates:
Sumuri have updated Paladin Edge64 to version 6.08, to support newer technologies such as nvRAM and eMMC flash drives found in popular products such as the newer MacBooks and HP Stream computers.
PALADIN (64-bit) – Version 6.08
Passware updated to 2016 v.2 with a few new features including data acquisition from iCloud Drive, password recovery for iOS 9 backups and improvements to distribution and GPU acceleration.
Passware Kit 2016 v.2 Acquires Data From iCloud Drive, Is Up To 120% Faster On GPU, Enables Automatic Software Updates without User Interaction
Didier Stevens updated his emldump tool to v0.0.7 and then v0.0.8 to assist in dealing with obfuscated MIME type files. The new version detects some (simple) types of obfuscation, and also filters out certain sections of the file that are known to cause the parser to crash – I’m guessing the rationale behind this is that it’s better to have some data if it can be parsed than just an error message. Version 0.0.8 now detects all lines without a colon in the first block.
More Obfuscated MIME Type Files
Even More Obfuscated MIME Type Files
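As an added illustration (not Didier Stevens’ emldump code), a small Python check in the spirit of the 0.0.8 heuristic: it lists header-block lines that carry no colon and are not folded continuation lines, then drops them so the standard library parser can still read the remaining headers. The sample message is constructed for the example.

```python
import email
from email import policy

# Constructed sample: a MIME message whose header block carries junk lines
# with no colon (a simple obfuscation that trips up naive parsers).
SAMPLE_EML = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Invoice\r\n"
    "JUNKLINE123\r\n"
    "Content-Type: text/plain\r\n"
    "X-Folded: first part\r\n"
    " continued part\r\n"
    "ANOTHER JUNK\r\n"
    "\r\n"
    "Body text.\r\n"
)


def header_block(data):
    """Split an EML into its first block (headers) and the rest (body)."""
    head, sep, body = data.partition("\r\n\r\n")
    if not sep:
        head, sep, body = data.partition("\n\n")
    return head, body


def lines_without_colon(data):
    """Header-block lines that are neither 'Name: value' nor a folded
    continuation line (leading whitespace); these are the suspicious ones."""
    head, _ = header_block(data)
    suspicious = []
    for line in head.splitlines():
        if not line or line[0] in " \t":
            continue  # folded continuation of the previous header
        if ":" not in line:
            suspicious.append(line)
    return suspicious


def clean_headers(data):
    """Drop the colon-less lines so the parser still gets the real headers."""
    head, body = header_block(data)
    kept = [ln for ln in head.splitlines() if ln[:1] in (" ", "\t") or ":" in ln]
    return "\n".join(kept) + "\n\n" + body


def parse_subject(data):
    """Parse the cleaned message with the stdlib parser and return Subject."""
    msg = email.message_from_string(clean_headers(data), policy=policy.default)
    return str(msg["Subject"])
```

Running `lines_without_colon(SAMPLE_EML)` reports the two junk lines, and `parse_subject(SAMPLE_EML)` still recovers the Subject from the cleaned headers.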
Arsenal Consulting announced the release of Registry Recon Beta v2.2.0.0037. The update includes improvements to searching, exporting, and carved hive handling.
Registry Recon Beta v2.2.0.0037 released!
X-Ways updated (again) to SR5. This release includes minor improvements and bug fixes.
X-Ways Forensics 18.7 SR-5
James Habben at 4n6ir has a post up about building Python packages. James explains that he was required to create a Python package so that Evolve could be included with the SIFT workstation. He describes the process that he used to create the package, as well as the solutions he found to include the HTML aspect of the code (as PyPI doesn’t recognise these files as code).
Building Python Packages, By a Novice
LCDI at Champlain have a post regarding the importance of mobile device forensic practitioners. As has been mentioned a number of times for close to a decade, mobile devices are the most prominent source of information during an investigation. The post describes the challenges that practitioners face when dealing with the changing technologies in mobile devices, as well as the multitude of different devices to be examined.
Investigating Mobile Forensics
Syed Naqvi explains his role at the University of Birmingham. The University currently offers a BSc (Hons) Forensic Computing and an MSc in Cyber Security, with plans to start an MSc in Digital Forensics in the near future. Naqvi explains that DF students should have a core knowledge of systems, practical knowledge of the industry standard tools and a critical mindset. Apparently there is also a shortage of skilled DFIR professionals that are willing to teach; with the few people putting their hands up to actively share information, this is unsurprising. He also describes his thoughts about standardisation in the industry.
Interview with Syed Naqvi, Senior Lecturer in Cyber Security and Forensics, Birm
Adam at Hexacorn is up to part 35 of his “Beyond good ol’ Run key” series. The post talks about hijacking the DLL relating to Rich Edit to execute malicious code each time an app utilising said control is launched.
Beyond good ol’ Run key, Part 35
Weare4n6 have a post relating to utilising Belkasoft’s free “Live RAM Capturer” tool to create a live RAM dump. According to the post, LRC operates in kernel mode, leaves the smallest footprint possible, is portable and uses read-only access.
How to capture memory dumps with Live RAM Capturer
SANS uploaded a new webcast by Rob Lee and Lenny Zeltser regarding the poster they released last week about SIFT and REMnux. For those that haven’t had much experience with either workstation it’s a good explanation of how to get started and what to expect from each one.
SIFT and REMnux Wonder Twin Powers Activate!
Pasquale Stirparo at Zena Forensics has a detailed analysis of a malicious Office document delivering the Dridex banking Trojan. This is the variant that doesn’t include the Locky ransomware. The walkthrough describes the process of obtaining the macros from the DOCM file and decoding the addresses of the servers that it tries to call back to.
Analysis of a Dridex maldoc pre-Locky
Jared Atkinson has a new Forensic Friday post on the Get-ForensicChildItem cmdlet. This cmdlet obtains a directory listing with the Windows API. “It parses the MFT to find the entry for the target directory and outputs a list of files the directory contains”.
Forensic Friday: Get-ForensicChildItem
Blackbag have a post up describing how to create RAIDs in OS X 10.11 (El Capitan). According to the post, Apple has removed the ability from the windowed application; however, the command line still remains fully functional. RAIDs in OS X are an interesting concept – they’re relatively easy to create (and to encrypt with FileVault), and if a practitioner’s intel isn’t up to scratch (i.e. using a Mac to examine a Mac) they may not realise that an additional piece is missing. If you do plug part of a RAID into OS X it should tell you that it’s missing a piece, though. I definitely need to put a bit more time into researching how to identify the different types of DMGs/disk configurations. Also, playing with soft RAIDs using DMGs may result in your computer crashing (/end ramble).
Creating a RAID in OS X 10.11
DFRWS have released this year’s challenge, and it relates to Software Defined Networking. The scenario calls for applicants to examine a memory image from an SDN switch, along with a capture of the network traffic between the SDN switch and its controller. The submission deadline is 8th July 2016.
DFRWS 2016 Forensics Challenge
And that’s all for Week 9! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.