Week 9 – 2016

Week 9!

  1. Software Updates:
  2. James Habben at 4n6ir has a post up about building a Python package. James explains that he was required to create a Python package so that Evolve could be included with the SIFT workstation. He describes the process that he used to create the package, as well as the solutions he found to include the HTML aspect of the code (as PyPI doesn’t recognise these files as code).
    Building Python Packages, By a Novice

  3. LCDI at Champlain have a post regarding the importance of mobile device forensic practitioners. As has been mentioned a number of times for close to a decade, mobile devices are the most prominent source of information during an investigation. The post describes the challenges that practitioners face when dealing with the changing technologies in mobile devices, as well as the multitude of different devices to be examined.
    Investigating Mobile Forensics

  4. Syed Naqvi explains his role at the University of Birmingham. The University currently offers a BSc (Hons) Forensic Computer and MSc in Cyber Security, with plans to start an MSc in Digital Forensics in the near future. Naqvi explains that DF students should have a core knowledge of systems, practical knowledge of the industry standard tools and a critical mindset. Apparently there is also a shortage of skilled DFIR professionals that are willing to teach; with so few people putting their hands up to actively share information, this is unsurprising. He also describes his thoughts about standardisation in the industry.
    Interview with Syed Naqvi, Senior Lecturer in Cyber Security and Forensics, Birm

  5. Adam at Hexacorn is up to part 35 of his “Beyond good ol’ Run key” series. The post talks about hijacking the DLL relating to Rich Edit to execute malicious code each time an app utilising said control is launched.
    Beyond good ol’ Run key, Part 35

  6. Weare4n6 have a post relating to utilising Belkasoft’s free “Live RAM Capturer” tool to create a live RAM dump. According to the post, LRC operates in kernel mode, leaves the smallest footprint possible, is portable and uses read-only access.
    How to capture memory dumps with Live RAM Capturer

  7. SANS uploaded a new webcast by Rob Lee and Lenny Zeltser regarding the poster they released last week about SIFT and REMnux. For those that haven’t had much experience with either workstation it’s a good explanation of how to get started and what to expect from each one. 
    SIFT and REMnux Wonder Twin Powers Activate!

  8. Pasquale Stirparo at Zena Forensics has a detailed analysis of a malicious Office document delivering the Dridex banking Trojan. This is the variant that doesn’t include the Locky ransomware. The walkthrough describes the process of obtaining the macros from the DOCM file and decoding the addresses of the servers that it tries to call back to.
    Analysis of a Dridex maldoc pre-Locky

  9. Jared Atkinson has a new Forensic Friday post on the Get-ForensicChildItem cmdlet. This cmdlet obtains a directory listing with the Windows API. “It parses the MFT to find the entry for the target directory and outputs a list of files the directory contains”.
    Forensic Friday: Get-ForensicChildItem

  10. Blackbag have a post up describing how to create RAIDs in OS X 10.11 (El Capitan). According to the post, Apple has removed the ability from the windowed application; however, the command line remains fully functional. RAIDs in OS X are an interesting concept – they’re relatively easy to create, can be FileVault-encrypted, and if a practitioner’s intel isn’t up to scratch (i.e. using a Mac to examine a Mac) they may not realise that an additional piece is missing. If you do plug part of a RAID into OS X it should tell you that it’s missing a piece though. I definitely need to put a bit more time into researching how to identify the different types of DMGs/disk configurations. Also, playing with soft RAIDs using DMGs may result in your computer crashing (/end ramble)
    Creating a RAID in OS X 10.11

  11. DFRWS have released this year’s challenge, and it relates to Software Defined Networking. The scenario calls for applicants to examine a memory image from an SDN switch, along with a capture of the network traffic between the SDN switch and its controller. The submission deadline is 8th July 2016.
    DFRWS 2016 Forensics Challenge


And that’s all for Week 9! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
