Week 13 – 2016

Week 13

  1. Software updates
  • X-ways 17.4 SR8 has been released with minor improvements and bug fixes
    X-Ways Forensics 18.7 SR-8
  • Craig Wilson updated NetAnalysis to version 2.4 and HstEx to version 4.4. “This release brings support for Google Chrome’s History Provider Cache and Network Action Predictors, Microsoft’s Internet Explorer and Edge Typed URLs and Bookmarking across the various supported Browsers”. It appears that support for the Chromium and Firefox based browsers were all updated.   See the full change logs here, NetAnalysis Change Log v2.4, and here, HstExV4 Change Log v4.4
    NetAnalysis® v2.4 and HstEx® v4.4 Released
  • DExray updated to version 1.0. Adam updated the script several times this week; adding support for AhnLab, Avira, BitDefender, Panda,  QuickHeal, and Vipre Quarantine files.
    DeXRAY – one more update, DeXRAY – yet another update , DeXRAY – one more DeXRAY – Quaranthon continues
  • PECmd, LECmd and JLECmd were all updated to version 0.7.0.0. This update added timeline output to PECmd as well as full precision timestamps for LECMD as well as other minor improvements across the tools.
    PECmd, LECmd, and JLECmd updated!
  • DVR Examiner updated to version 1.20.1. This version added support for the DFS3_264 and G2FDbMagic filesystems, as well as adding improvements to file system detection and bug fixes.
    DVR Examiner 1.20.1 – Support for EyeMax, JetView, Speco and many other DVRs
  • Cellebrite updated their UFED line to version 5.0. Major updates include temporary root (ADB) solution for selected Android devices running OS 4.3-5.1.1, Enhanced physical extraction while bypassing lock of 27 Samsung Android devices with APQ8084 chipset, file system and logical extraction and decoding support for iPhone SE, Samsung Galaxy S7 and LG G5 device, physical extraction and decoding support for a new family of TomTom devices, and decryption and extraction of a number of apps.
    From the release notes the part I’m most excited about is merging multiple reports. The merging ability should allow an examiner to perform multiple extractions and merge them into one deduplicated file. I’ve found that its usually a good idea to perform a logical and file system extraction on certain devices to ensure you obtain the most complete data set, however until now there hasn’t been a good way of merging all of the data back together.
    UFED 5.0 Release Notes
  • Cru-Inc has updated their write blocker validation utility to version 1.0.3.1, however I haven’t been able to locate a change log so I’m unsure what’s been fixed/added.
    Download WriteBlocking Validation Utility
  • Encase Forensic has been updated to version 7.12. The post indicates that the new version adds enhanced support for Mac Operating Systems for the EnCase agent, updated parsing abilities for Windows 10 artifacts, and faster Hash Analysis and Filtering.
    Guidance Software Introduces Enhanced Forensic Solution
  • Paul Sanderson updated DateDecode to version 1.1.1. I can see that GPS times were added to the list of dates that be decoded, however I’m not sure what else.
    DateDecode
  • Paul also updated Forensic Browser for SQLite to version 2.7.8 which added some an update mechanism and bug fixes.
    New Release 2.7.8

  1. There was a Forensic Lunch last week that I was unable to review until this week. This (last) week was an incident response based forensic lunch. The crew had Maxime Lamothe-Brassard of Refraction Point talking about his project Lima Charlie, which is an open source endpoint monitoring tool. They also spoke with Ryan Nolette, Security Operations Lead at Carbon Black, who talked about all of the ransomware variants he’s been seeing and how shadow copies are affected. This quick intro was a teaser for Ryan’s talk at the DFIR summit.
    Forensic Lunch 3/25/16

  1. Blackbag released a really useful blogpost in resolving the sender of deleted messages. The process involves looking up the handle table of the sms.db and comparing that with the data found within the recovered databases.
    Resolving Deleted Messages

  1. There were two updates posted by the students at Champlain College. The iOS team identified a browser-based jailbreak for iOS 9.2.1 devices, however haven’t been able to locate a jailbreak for the latest version of iOS (9.3). The team also performed a comparison of data extracted from forensic tools, such as Cellebrite, Magnet Forensics, and XRY, on non jailbroken devices. The outcome isn’t clear however it appears Cellebrite provided more information than XRY. It isn’t stated which versions of software is used; I imagine this will be in the final report.
    IOS 9 Final Blog
    The Cloud Forensics teams progress with data generation scripting. The team has performed the OneDrive data generation and have commenced examination using Encase. The iCloud data generation script was modified slightly as the iCloud data generation was performed on a Mac VM. The post identified that the next stage of the project is data analysis.
    Cloud Forensics Update 2

  1. Didier Stevens released a python script to decode encoded VBScripts. The script appears to print out the contents of the VBE script.
    Decoding VBE

  1. Voting is now open for the 2016 Forensic 4cast awards. Voting is open until June 5 with the award ceremony taking place at the SANS DFIR Summit in Austin, Texas.  2016 Forensic 4:cast Awards – Voting is now open!

  1. Michael Maurer at DiFT showed one of the features of the Efetch Forensic Timeline Viewer. Efetch is entirely web based and can be modified by the user by adjusting the URL parameters.
    Quick Look at Efetch the Customizable Forensics Timeline Viewer

  1. Adam at Hexacorn has two posts up this week (outside of the myriad of DeXRAY updates). The first identifies a process that users can use to detect whether Wine is in use on a system; the main takeaway is that “there exist APIs that used to be present in the old versions of Windows but have been removed and are no longer exported by the OS libraries. Yet, Wine continues to offer them as an export – most likely for compatibility reasons”. Adam has also written a proof-of-concept program that can be used which will flag whether the program is executing on Windows or the Wine sandbox.
    Detecting Wine via internal and legacy APIs
    The second post is article 37 in the “Beyond good ol’ Run Key” series. This post relates to an old method of abusing Windows program execution when the quotation marks are forgotten. As anyone who’s forgotten quotation marks in the Windows command line has observed, the following command “echo hello > C:\Program Files\hello.txt” would not actually create hello.txt in the “C:\Program Files” folder; similarly when a program is intended to be executed, an attacker could store their malware as “C:\Program.exe”. From the end of the post however this doesn’t appear to work as an exploit vector any more.
    Beyond good ol’ Run key, Part 37

  1. Jared Atkinson has a new Forensic Friday post, this time focusing on the Get_forensicRunKey cmdlet of his PowerForensics tool. This cmdlet “parses the registry for entries in the numerous system and user based “run” keys. This cmdlet is built on top of PowerForensics’ MFT and Registry Parser, so all of this data is gathered from a live system without relying on the Window’s API.”
    Forensic Friday: Get-ForensicRunKey

  1. Jonathan Zdzairski performed a NAND mirroring attack using a jailbreak. The hardware etc is out of his hands but I would like to see an example of using a chip reader to read and write the data, with an IP box type data input device entering the codes – of course this would require an additional widget to enter the codes since the USB input is disabled, but I imagine that would be too difficult to make. For the test the password would have to be set to something simple at first just to show the concept but that procedure should be able to be scaled to defeat any 4-6 digit passcode. At least until Apple finds a way to stop that as well. Although according to a later JZ post it shouldn’t affect those phones with the secure encalve so there’s that. This appears to be a good attack vector that can be utilised; It’s understandable, but a shame, that Apple will try to figure out a way to block putting in the effort getting into locked phones. It makes it really difficult for those on the side of the fence trying to do right by the victims and put the bad guys away.
    NAND “Mirroring” Concept Demonstration

  1. Tony Knutson has published a whitepaper on the SANS reading room regarding Filesystem Timestamps. This is a very comprehensive paper on the differences in metadata fields on various file systems and the effects of file operations of various file and operating systems. This paper may require a couple of read throughs to really grasp everything that’s going on as there’s a lot to take away.
    Filesystem Timestamps: What Makes Them Tick?

  1. Oleg Afonin at Elcomsoft has a new post regarding Apple’s Two-Factor authentication compared to its Two Step verification. The post describes the process of verifying your identity on each device and the factors to be considered when using Elcomsoft’s products. TFA/TSV is definitely something that will inhibit investigators in obtaining user data if it’s enabled however guides like this one serve to provide them with information about how best to go about doing so.
    Apple Two-Factor Authentication vs. Two-Step Verification

  1. DFRWS EU 2016 was held in Lausanne, Switzerland this week. There are a number of presentations worth reading through. There did appear to be a large focus on memory forensics. Unfortunately haven’t had a chance to go through things in detail but will attempt to find some useful bits of information and pass them along in the future.
  • Evaluating atomicity, and integrity of correct memory acquisition methods
  • Automatic profile generation for live Linux Memory analysis
  • Pool tag quick scanning for windows memory analysis
  • Authorship verification for different languages, genres and topics
  • Generic RAID reassembly using block-level entropy
  • A method and a case study for the selection of the best available tool for mobile forensic devices using decision analysis
  • Lest we forget: Cold-boot attacks on scrambled DDR3 memory
  • Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists
  • Digital evidence, ‘absence’ of data and ambiguous patterns of reasoning
  • Forensic investigation of cyberstalking cases using Behavioural Evidence Analysis
  • Forensic analysis of cloud-native artifacts
  • TLSkex: Harnessing virtual machine introspection for decrypting TLS communication
  • Facilitating forensic examinations of multi-user computer environments through session-to-session analysis of Internet history

Journal of Digital Investigation Volume 16, Supplement

  1. Marcus Thompson shared a presentation regarding jailbreaking and imaging an AppleTV. The process appears to be fairly straightforward but does require an Apple Developer membership. I’m not sure if this process is just a proof-of-concept for a device owned by the owner, or can be utilised to examine a device for an investigation.
    Apple TV acquisition

  1. Weare4n6 wrote a quick post about decrypting encrypted whatsapp databases if you are able to locate the key. It doesn’t appear that the article explains anything more than that you need to locate the key file to decrypt the databases, and that the databases can be located on external media. I haven’t had much experience with decrypting whatsapp using common forensic tools however there do appear to be some online services that provide the capability provided you can supply the databases and key.
    Decrypting encrypted WhatsApp databases without the key

  1. Paul Sanderson uploaded a few posts last week regarding sqlite forensics that I missed. The first post relates to utilising a correlated subquery to identify which records appear to be deleted in a list of live records. Paul explains that “if we can identify unique records that do not appear in the list of live records based on the MD5 hash of all of the fields (not including the fields that the Browser adds) we can determine for ourselves which appear to be deleted.”
    WAL timelining Correlated subquery
    The second post relates to utilising an SQL query in Paul’s Forensic Browser tool to identify records in the write ahead log. As Forensic Browser has the ability to recover deleted records, the user was able to achieve their goal of locating deleted messages from an SMS database relating to a specific phone number.
    Identifying deleted records in DB and WAL
    The third article builds off the previous post and attempts to ascertain when the records were deleted. This process appears to rely on a date being set by the application when a record is modified. This post is quite technical and may require a couple read throughs to understand (I’m a few read throughs away still).
    Detecting when a record was deleted in SQLite

And that’s all for Week 13! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.

One thought on “Week 13 – 2016

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s