Written by Phill Moore

Week 10 – 2016

Week 10!

  1. Software Updates:

    • Craig Wilson at Digital Detective has updated his Blade file carving tool to version 1.12 and added a few new features and bug fixes. The main features are improved carving of OLE2 and ZIP files. I’m not sure if Datadump was previously part of blade but Wilson explains it’s a standalone tool for exporting out segments of data from an original source image or physical/logical device.
      Blade® v1.12 Released

    • Celebrate released version 5.0 of Cloud Analyser. This new version includes Google contacts, search and web history access, the ability to download data from the social services Instagram and Vkonakte as well as emails from several mail providers including Yahoo and Yandex
      UFED Cloud Analyser Release Notes Version 5.0

    • Blackbag has released their update to blacklight. The post goes into depth about the new features mentioned at the forensic lunch (https://www.youtube.com/watch?v=5zPZOnyNy4Y) a couple weeks back. The main thing I’m excited about here is the fsevents parsing. I recently attended a presentation by Derrick Donnelly (Blackbag CTO/Founder) about fsevents and he explained how useful these log files can be in determining file operations and user activity. The fsevents do delete after a period, however can be carved and imported back into Blacklight. With a bit of fiddling around you may be able to determine when files were created/deleted etc within a rough time frame.
      BlackLight 2016 R1

    • Oxygen Forensics Detective version 8.4 was released. The major new feature is the ability to create a physical extraction of Android devices running the spreadtrum chipset. There’s also additional support for popular Windows phone apps and added support for swarm (foursquare) cloud acquisition.
      Oxygen Forensic® Detective introduces physical extraction from Android Spreadtrum devices!

    • GetData forensics updated their Forenisc Explorer tool to version 3.5.7.5178. According to the changelog this update has numerous small fixes and improvements.
      Forensic Explorer

    • Weare4n6 published a post announcing Belkasoft 7.4 build 1455; I’m not sure if they’re announcing the build update, so I thought best to include it anyways. Belkasoft released version 7.4 back in December.  
      Belkasoft Evidence Center: New Release of v.7.4

    • Didier Stevens updated oledump to version 0.0.23 with an update to the cut option and a new plugin: plugin_hifo. The new plugin looks for streams that end with /o and then searches for strings starting with http.
      Update: oledump.py Version 0.0.23

    • X-ways 17.4 SR6 has been released with minor improvements and bug fixes
      X-Ways Forensics 18.7 SR-6

       

  2. Eric Zimmerman is on a roll with his artefact parsing tools, and has released his new Jumplist parser. His rationale was that the existing tools don’t provide all the available information (as per his link parser) and haven’t yet all been updated to support the new format found in Windows 10. Interestingly Eric explains that one should export all the embedded lnk files and then use LECmd to analyze them rather than just using the -ld option through JLECmd. I look forward to playing around with this tool and give Eric my feedback!
    Edit: Eric explained that you’ll get enough detail using JLECmd but if you want all the details then exporting and running a dedicated tool is the best way to go.
    Introducing JLECmd!

     

  3. Belkasoft released a webinar showcasing the new features in their 2016 update to the Belkasoft Evidence Centre.
    Webinar: Investigating Computer And Mobile Artifacts With New Belkasoft Evidence Center

     

  4. Blackbag also published a post the first of a series of posts about Windows memory forensics. The post begins by explaining the importance and value of Memory forensics and then how to proceed with the examination in Blacklight. The major takeaways are all data goes through RAM and must be unencrypted when a user accesses it, there’s also some data that is only resident in memory. I look forward to playing around with this new feature in Blacklight.
    Windows Memory Forensics

     

  5. The students at champlain have three posts up this week. The Amazon Echo team has published their second update on their project. As expected the Echo communicates with Amazon and Google over secure channels. The team will now progress to examining the Android device used during the data generation and the forensic image of the laptop that was used in testing.
    Amazon Echo Forensics Update 2
    The Wearable Tech team has also published their second update. The team has still been unable to extract the entire 2GB data storage of the Samsung Gear S2 via ADB. They were also inhibited by their tools lack of support in extracted WatchOS data from iCloud from the Apple Watch perspective. The team has made claim that “getting data significant to the Apple Watch will be extremely difficult, if not impossible”. Lastly the team has created a parsing script for the data extracted from a users Fitbit account and added the Fitbit Surge to their list of devices to explore.
    Wearable Technology Forensics Update 2
    This first update explains the different services to be examined and the data each team expects to obtain. The services include Dropbox, Microsoft OneDrive, Apple iCloud and Google Drive. The team also explained that they’re now going to obtain the data using virtualized environment. I can definitely see the benefit when doing regression testing because you can just refresh the VM and try everything again. 
    Cloud Forensics Update 1

     

  6. Shahaf Rozanski, Director of Forensic Products at Cellebrite, posted an article on the value of cloud data in an investigation and the importance of using specific cloud analysers (n.b.: I had to laugh because of their aptly named UFED Cloud Analyser)  to extract the data in a forensically sound manner. I do agree however that utilising the API to extract the available data and hashing it on the fly is good practice, and having a tool to automatically do all these things is very useful.
    Peering Through The Cloud

     

  7. James Billingsley has an opinion piece at Forensic Focus. James claims that keyword searching is struggling to keep up with the explosion of data and devices and that data visualisation offers better ways to present the results to investigators. This would make the data more easy to digest and comprehend. The post provides examples where visualisation has made the available data point the investigation in the right direction and in turn identify key points of interest. To answer James’ question, I think that data visualisation is a great tool to have, and very useful, but keyword search is still quite a valid analysis technique in locating very specific information.
    Beyond Keywords: Is Keyword Search Becoming Obsolete In The New Age Of Forensic Digital Investigation?

     

  8. Chad Tilbury at Forensic Methods provides some interesting insight into PowerShell. PowerShell allows attackers an easy-to-use and hard to stop attack vector that until recently (version 5) did not adequately log the commands executed. It seems that, if possible, it’s a good idea to upgrade to PowerShell v5 if you’re worried at all about threat actors utilising PowerShell for “privilege escalation, credential theft, lateral movement, data destruction, persistence, data exfiltration” etc.
    Investigating PowerShell: Command and Script Logging

     

  9. Adam at Hexacorn has two posts up this week. The first is a continuation of last weeks “Bgork” and lists a summary of various versions of the DLL side loading persistence trick that PlugX malware uses. Adam request that if anyone has any more triplets describing the PlugX components then let him know and he’ll add it to the list.
    Beyond good ol’ Run key, Part 36
    The second post relates to Adams DeXRAY tool. This tool allows an examiner to decrypt various types of Quarantine files. The post explains the tools features and how to use it.
    DeXRAY

     

  10. Weare4n6 have an interesting post up about forensic analysis of SQLite Write-Ahead Log. The post explains the use of the WAL as well as how to parse the data using both a commercial (Belkasoft) and open source (Walitean https://github.com/n0fate/walitean ) utility.
    Forensic analysis of SQLite Write-Ahead Log (WAL)

     

  11. Thomas at Tribal Chicken has released a post assisting practitioners in recoveryng bootlicker keys from newer versions of Windows. He explains that the previous method, that worked for Windows 7, no longer works for Windows 8 and later. The post cumulates in a new (beta) volatility plugin that works for win7 plus. I imagine that this will be useful in situations where you have access to the live computer and need to extract the keys from memory before you shut it down (or so you can access it after shutdown). Thomas explains this plugin is still under development but works on win7 and win8+ with some quirks.
    Recovering Bitlocker Keys On Windows 8.1 and 10

     

  12. Harlan Carvey has a new post revisiting Windows Event logs. The post mainly describes the use of Harlans EVT and EVTX parsing scripts and the importance of using the right tool to parse the right artefact. The post ends with a few different ways to create event logs programmatically should you want to do so. Harlan also mentions that “evtparse” includes a switch for listing event records sequentially, displaying only the record number and time generated value for each event record. I updated evtxparse to have a similar feature, and can be found here. I also added the ability to output to my TLN8 format, which is a variation of Harlan’s TLN format.
    Event Logs

     

  13. Coincidently DFIR Blog has also published a post about parsing Windows Event Logs. The post showcases using both PowerShell and Logparser to obtain useful information out of Event Logs. Each method has worked examples and can be used as a sort of cheatsheet.
    How To Parse Windows Eventlog

     

  14. This weeks Forensic Lunch was a comparison of the commonly used carving tools. David and James described their testing methodology as well as the performance of the tools they examined; X-ways, Blade, Bulk Extractor and Blacklight. According to their testing they were able to determine that X-ways is “filesystem aware”, and utilises the file system to assist in recovering files. Also, by default, X-ways will not carve allocated space and only carves unallocated. This can be controlled in options. David explains that an examiner may want to use this when carving through memory dumps or the page file.
    In Davids opinion the customisation features in Blade delivers the most granular control in providing an unknown carving signature; even if its base set of file signatures aren’t as extensive as x-ways.
    James noted that the free Bulk Extractor tool was very good at utilising all the available computing power to perform it’s carve. I think this would mean that it works faster, but it’s not great if you plan on working concurrently whilst the carve is being performed.
    From their results it appears that Blade recovered the most, however these were not all actual files and did take a lot longer than the others. As a side note, Blade also appears to create three copies of each recovered office document and the user must then manually determine if the file is an xlsx, docx or pptx file.
    The major takeaway from this episode is that not all carvers are the same.
    These carvers primarily focused on documents and Windows artefacts as that’s what David’s analysis commonly requires. They did ask about picture carvers; I’ve found Adroit to be one of the better carvers because it does some post processing to make a recovered file “viewable”. It hasn’t been developed in a few years but it’s still a good tool (I really think someone should license the technology; I’ve used it on examinations ranging from regular file carves to extracting useful frames from a broken Dashcam).
    Unfortunately the sound quality in this weeks lunch want fantastic so it may require a couple listens to get across all of the information, but it’s well worth the listen as usual.
    Forensic Lunch 3/11/16

     

  15. Tyler Schlecht at DME Forensics has released a post about the staffing movements at DME. This new hire showcases their move into expanding their capabilities in audio forensics and training
    2016 Update!

And that’s all for Week 10! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s