Week 12 – 2016

Week 12!

I’ve had to cut this week short by a day because of other commitments, but I’ll just add the rest to next week’s update.

  1. Software updates
  • Adam at Hexacorn updated DeXRAY to version 0.6. The update adds support for Avast quarantine files.
    DeXRAY – Update
  • Oxygen Forensic Detective has updated to version 8.3. The update enables decoding of encrypted credentials and tokens from Windows Phone 8 physical images, physical imaging of FAT32 and ext memory cards, and parsing of iOS backups up to version 9.3.
    Oxygen Forensic® Detective decrypts passwords from Windows Phone devices and parses iOS 9 iCloud backups
  • IEF updated to version 6.7.6 adding support for the latest version of Snapchat (iOS/Android), Dolphin and Puffin Browsers (Android) and decrypting Dropbox on Win8/10.
  1. Whilst not strictly a forensics subject, Oleg at Elcomsoft has a post up about encryption on iOS and Android. This post delves into the different versions of the operating system and handsets and the effects of the encryption used.
    Smartphone Encryption: Why Only 10 Per Cent of Android Smartphones Are Encrypted
  1. Dale McGleenon at Chip_DFIR has a post announcing Kevin Breen’s new VolUtility GUI front-end for Volatility. The post serves to get the word out about the tool, as I don’t think Kevin has posted it up on his site yet. It looks quite useful and simple to use from the photos; especially for those not super comfortable with all of the messing around with the command line.
    VolUtility – Web Application for Volatility
  1. Didier Stevens has released a new YARA rule to use with oledump to detect malicious VBE (VBScript Encoded) scripts. The example shows a malicious VBE script detected within a ZIP file.
    YARA Rule To Detect VBE Scripts
  1. Sunday (27th March) is the last day to get nominations in for the 2016 Forensic 4Cast awards covering the 2015 calendar year. Voting should begin shortly after nominations have closed.
    Nominations Closing Soon
  1. MediaClone Inc. announced their new SuperImager Plus Desktop units on Forensic Focus. The standalone device looks quite useful if you need to image a large number of drives (i.e. a RAID) quickly.
    SuperImager® Plus Desktop Pro Gen-2 Forensic Lab units – Dual-Boot Linux/Win 7
  1. Forensic Focus has a short interview with David-Olivier Jaquet-Chiffelle, the event chairman of DFRWS EU. The event is being held March 29 to 31 in Lausanne, Switzerland.
    Interview With David-Olivier Jaquet-Chiffelle, Event Chairman, DFRWS EU
  1. Pip pip at Sketchymoose’s blog has a quick rundown on a CryptoWall variant. It’s a good, quick analysis of the PowerShell program that will undoubtedly cause someone some harm. Of course, the script is easily available on GitHub.
    Looking at a CryptoWall Drop
  1. Weare4n6 have a step by step guide of downloading the data partition of a Samsung GT-I9300 (Galaxy S3) running Android 4.1.2 with USB debugging disabled. The process appears fairly simple to follow along and can be performed using freely available tools.
    Physical acquisition of a locked Android device
  1. An article by Aoleg (I’m assuming of Elcomsoft fame) was posted on Forensic Focus covering BitLocker on Windows systems – the post explores existing methods of recovering BitLocker volumes, examines what has changed with the November Update, and reviews the remaining acquisition paths. With the update to Win10 it appears that password cracking may be even more difficult if BitLocker is enabled. The article explains that the best course of action here is to create a list of known passwords and enumerate that way rather than try to brute force. Overall this is a good article to read through to understand how you may (or may not) be able to deal with a BitLocker-encrypted computer.
    BitLocker: What’s New in Windows 10 November Update, And How To Break It
  1. Harlan Carvey has a new post up. This post introduces a new plugin for Cortana searches (written by Patrick Seagren), shares his opinions about process creation monitoring, ransomware and attribution, sharing knowledge of tool testing (wrapped in the carving header but the major take-away is that this sort of testing shows the strengths and weaknesses of different tools so as to allow an examiner to make an informed decision about which tool to use), as well as malware analysis and threat intel.
  1. The CYB3RCRIM3 blog has an interesting post up about the legal aspects of charging someone with child abuse material (CAM) located within “unallocated space”. I won’t delve into the case’s specifics, but the post explains that the court was not provided with sufficient evidence to suggest that the defendant had knowledge of the files located in unallocated space. In my experience, if ever files are recovered from unallocated space it’s imperative that the examiner shows that the files were at the very least accessed/interacted with in some way by a user. Otherwise it’s hard to justify that the user did not just identify that the files were CAM and delete them. In this case, however, the user was shown to have possessed and shared other CAM, which may go to explain why the defendant was found guilty of possession of the deleted material.
    Child Pornography, Unallocated Space and “Possession”
  1. Registration is now open to Magnet User Summit in Myrtle Beach. The event is hosted in partnership with the 2016 Techno Security & Forensic Investigations Conference and is held on the 8th June.
    Magnet User Summit
  1. And lastly, there are only 6 days to go in the Black T-Shirt Cyber Forensics Challenge. Submissions are due by 11:59PM on April 1, 2016. I started the challenge late last month but had to give it up due to other commitments. It was really interesting though, so if you miss out this time I’d highly recommend jumping on the next one.

And that’s (mostly) all for Week 12! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
