Week 14 – 2016

Week 14!

  1. Software updates
  • TZWorks released their March update last week. Several of their tools were updated, including jmp, pf, vssenum and cafae, along with various bug fixes. The updates were as follows:
    – Jump List Parsing – jmp (version 0.38) – updated to support Windows 10 jump lists.
    – Prefetch Parsing – pf (version 1.16) – increased robustness when handling corrupted prefetch files. Also added a -verbose option to extend the data output when used in CSV mode.
    – Volume Shadow Service – vssenum (version 0.16) – a new feature was added to allow copying desired files from a Volume Snapshot to a specified results directory. If the file is locked by the OS the authors advise using ntfscopy.
    – User Password Hashes – cafae (version 0.4) – cafae now decrypts password hashes (which can then be cracked to recover the password). Additional metadata has also been added to the user account data extracted from the SAM hive report.
    – There was also a general enhancement mentioned (it may have changed the version numbers on other tools, but I haven’t checked that; I highly recommend that you download the entire package regardless). The general enhancement adds a new -filter option to the tools that incorporate the -pipe option. It allows some basic filtering on the files that are passed in; basic filtering, as defined here, means filtering on multiple partial names and/or extensions.

Mar 2016 Build
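To show what “robustness to corrupted prefetch files” means in practice, here is an added Python example (written for this post, not TZWorks code): it validates the header fields of the uncompressed prefetch format (format version, SCCA signature, file size, UTF-16LE executable name, prefetch hash) and, rather than aborting on the first bad file, records why each file was skipped. The sample files are constructed inside the script. Windows 10 prefetch files begin with a MAM compression header; the example flags them rather than parsing them, since decompressing them needs an LZXPRESS Huffman implementation that the standard library does not provide.

```python
import struct
from dataclasses import dataclass

PF_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"   # Windows 10 prefetch files are LZXPRESS-Huffman compressed
KNOWN_VERSIONS = {17: "XP/2003", 23: "Vista/7", 26: "8/8.1", 30: "10"}
HEADER_LEN = 84              # fields up to and including the prefetch hash at offset 76


@dataclass
class PrefetchHeader:
    version: int
    file_size: int
    executable: str
    prefetch_hash: int


class PrefetchError(ValueError):
    """Raised for any file that cannot be parsed safely."""


def parse_prefetch_header(data: bytes) -> PrefetchHeader:
    """Parse the uncompressed prefetch header, validating every field we rely on."""
    if data[:4] == MAM_SIGNATURE:
        raise PrefetchError("MAM-compressed (Windows 10) file: decompress first")
    if len(data) < HEADER_LEN:
        raise PrefetchError(f"truncated: {len(data)} bytes, need at least {HEADER_LEN}")
    version, sig, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != PF_SIGNATURE:
        raise PrefetchError(f"bad signature {sig!r}")
    if version not in KNOWN_VERSIONS:
        raise PrefetchError(f"unknown format version {version}")
    if file_size != len(data):
        raise PrefetchError(f"header claims {file_size} bytes, file has {len(data)}")
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL terminated
    name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    return PrefetchHeader(version, file_size, name, pf_hash)


def make_sample(version=23, exe="CALC.EXE", pf_hash=0x1234ABCD, total=128) -> bytes:
    """Constructed minimal prefetch file: a valid header followed by zero padding."""
    buf = bytearray(total)
    struct.pack_into("<I4sII", buf, 0, version, PF_SIGNATURE, 0x11, total)
    buf[16:76] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, pf_hash)
    return bytes(buf)


def triage(files: dict) -> dict:
    """Parse every file; record a reason instead of aborting when one is bad."""
    report = {}
    for fname, data in files.items():
        try:
            h = parse_prefetch_header(data)
            report[fname] = f"OK {h.executable} hash={h.prefetch_hash:08X} v{h.version}"
        except PrefetchError as err:
            report[fname] = f"SKIP {err}"
    return report


SAMPLES = {  # constructed inputs, not real artefacts
    "CALC.EXE-1234ABCD.pf": make_sample(),
    "truncated.pf": make_sample()[:40],
    "wrongsize.pf": make_sample() + b"\x00" * 8,
    "notpf.pf": b"MZ" + b"\x00" * 126,
    "win10.pf": MAM_SIGNATURE + b"\x00" * 124,
}

if __name__ == "__main__":
    for fname, line in triage(SAMPLES).items():
        print(f"{fname:24} {line}")
```

The size check matters more than it looks: a prefetch file whose header claims a different length than the file on disk is the typical sign of a partially overwritten or carved file, and reading section offsets from such a header is how a naive parser ends up crashing on the whole directory.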

  • Adam has updated DeXRAY again, this time to version 1.3. The update adds support for Baidu .qv, CMC Antivirus .cmc, and F-Prot .tmp Quarantine files. Adam also confirmed that Lavasoft AdAware uses BitDefender’s Quarantine files (.bdq), and that Comodo stores Quarantine files without encryption.
    DeXRAY – Twentin Quarantino
  1. John Lukach has a post up explaining the process of setting up an internal server to validate NSRL metadata matches. I reached out to John for a bit more information; enjoy MatchMeta. Currently the project is used to identify files unknown to the NSRL. It has been integrated into Autopsy and Evolve with the intention of adding some analytics to the examination process and assisting investigators in determining whether files aren’t where they should be.
    MatchMeta.Info
  2. The students at Champlain College have two posts up this week. The Bluetooth Security team have released their final post. The team has covered the benefits of Bluetooth MAC spoofing and utilised the Ubertooth One to scan and examine the data obtained from Bluetooth devices. Their goal is to determine what data the Ubertooth One can obtain and ascertain the dangers Bluetooth users face from this device.
    Bluetooth Security Final Blog
    The Mac RAM analysis team have their first update up this week. The students used pmem to dump RAM and analysed it with Volatility. They ran into errors on El Capitan, so their testing covers OS X Yosemite instead. The team intends to analyse the resulting data for their next update. It’s probably outside their scope, but I would like to see whether they have any method of acquiring RAM from a computer without authorisation to run external software; MacQuisition, for example, can capture RAM, but only with the user’s administrator password, something they’re not always willing to give up.
    Mac RAM Analysis Update 1
  3. Lenny Zeltser has a few tips and tricks on sharing malware samples with other researchers. Apparently the industry-standard method of zipping a file with the password “infected” may cause issues with virus scanners. This is a little confusing, since malware is really only an issue if it executes on an unknowing victim; if it’s password protected, especially with a password known to be used specifically by malware researchers, then what’s the harm?
    How to Share Malware Samples With Other Researchers: Beyond “infected”
  4. Michael Hale Ligh posted on the Volatility blog that the Volatility plugin contest is now live until October 1st. The prizes were also bumped up a little during the week due to a generous donation by Airbnb.
    The 2016 Volatility Plugin Contest is now live!
  5. Harlan has released the 2nd edition of Windows Registry Forensics. It’s already sold out at the few places I looked, so hopefully I’ll receive my copy in the next month. To accompany the release he published a blog post giving an overview of the chapters and encouraging feedback. Harlan even tried a contest but unfortunately didn’t get much in the way of submissions. I think maybe the request for feedback is a bit vague, and from his many posts over the years it’s basically a response to people constantly asking for a silver bullet without actually knowing what they want. I’ve dealt with Harlan a few times and he is very responsive and always keen to assist when he can. He has asked for very little other than a direction that people want him to move in; the problem with being at the forefront of things like registry forensics is that everyone else is still catching up, and I don’t think we really know where we want him to go.
    Windows Registry Forensics, 2E
    Harlan’s second post was a link and his comments on a WMI persistence mechanism posted to the Dell SecureWorks site this week.
    Cool Stuff, re: WMI Persistence
  6. Daniel G has started a new blog, 43nsicBot. I’m ignoring the first post since it’s just a Hello World, but the second post covers him identifying a strange device installed on a friend’s computer. The post sets an initial goal of identifying the device, and then explains in detail the process that Daniel went through to answer the questions he set out. I am curious as to why he wasn’t able to examine the setupapi log; however, the Windows Event Logs and Registry appeared to contain all of the information required.
    The Curious Case Of The Chan Pelana Device
  7. Corey Harrell has a post up at his Journey into Incident Response blog. This post is a very thorough solution to the practical exercise he posted in January. The post begins with a recap of the scenario and then describes the different places that important information can be located. As someone who doesn’t perform much in the way of intrusion detection I like that Corey’s model (Detection, Triage, Compromised, Malware Identified, Root Cause Analysis, Quarantine) is presented in a diagram and then described. I also like how succinctly Corey explained how he would go about doing his analysis; working through Prefetch to identify potential executables of interest and then expanding into available file system metadata. He uses a fairly targeted approach, rather than parsing everything into a massive timeline and potentially losing sight of the important information.
    Triage Practical Solution – Malware Event – Proxy Logs Prefetch $MFT IDS

  8. Blackbag has two posts up this week. The first showcases BlackLight’s new VSC parsing feature. To parse VSCs one must run the Advanced Processing options. The paragraph on special fonts is quite useful: “In the ‘Browser’ view, files that exist in a Volume Shadow Copy but not in the parent volume are shown in red strikethrough italic font, indicating the file was deleted from the active file system but a version remains in one or more Volume Shadow Copies”. This is a great example of a tool automating a bit of the analysis process for an examiner.
    Viewing Volume Shadow Copies in BlackLight
    The second is a notification that both BlackLight and Mobilyze will be unable to download a few LG devices (LG G3, LG G Stylo, LG MS345, and LG VK700) without updating a specific LG driver mentioned in the post. If the problem persists, the going advice is to try another connection method.
    Issues Acquiring Certain LG Devices

  9. Weare4n6 has shared a post regarding a new book, Mastering Mobile Forensics by Soufiane Tahiri, announced by Packt Publishing. The book should be published June 2016 and covers Android, iOS and Windows Phone forensics.
    Packt announced a new mobile forensics book
    Their second post this week was a quick overview of Autopsy’s Android parsing capabilities. Autopsy includes a dedicated Android Analyzer module; however, other modules such as keyword searching and file carving can also be incorporated into an examination. Autopsy requires the data to be extracted into a forensic image first; I don’t believe it has the capability to extract data from the device directly.
    Android forensic analysis with Autopsy

  10. Heather Mahalik ran a webinar regarding the strengths and pitfalls of mobile forensics tools, as well as when to trust or not trust their results. I wasn’t able to watch the cast live, but hopefully SANS will post it to their YouTube channel for later viewing.
    To trust or not to trust: The relationship between you & your mobile forensics tool

  11. Magnet Forensics has announced that it will be expanding its Magnet User Summit this year to three locations: Las Vegas, Myrtle Beach and Dallas. The summits include training and lectures as well as the usual networking opportunities and access to the Magnet Forensics experts.
    Magnet Forensics Announces the Magnet User Summit 2016 Series

  12. David Cowen has made a triumphant return to daily blogging, which is both great and terrible for me. More to cover, but then again, more to cover! My favourite part of David’s year of blogging has to have been the Sunday Funday challenges; they encourage people to answer some tough questions and win some prizes. I will be entering the competitions for sure!
    The first post introduced David’s return, as well as providing an explanation of DFVFS and how it will affect the future of David’s work, both with Triforce and in last year’s “Automating DFIR” blog post series.
    Daily Blog #366: The return to Daily Blogging and pytsk vs dfvfs
    The next post restarts the “Automating DFIR” series again, this time using DFVFS instead of PyTSK. The advantage of using DFVFS is that “dfVFS has all sorts of helper functions built in to determine the image format and load the right library for you to access the underlying data”.
    David then updates the code from the first part of the series, which prints information about the partition/volumes on the image, and goes through and explains each section.
    Daily Blog #367: Automating DFIR with dfVFS part 1
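What dfVFS’s helper functions hide is the raw partition table walk. As an added illustration (my own standard-library Python, not David’s dfVFS code), here is that walk done by hand on a constructed MBR image: read the four 16-byte entries at offset 446, turn the starting LBA into a byte offset, and then peek at each volume’s boot record to confirm that the filesystem really is what the partition type byte claims. The image, its two volumes and their OEM/FS-type strings are all constructed inside the script; the partition type table is the usual MBR one.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PARTITION_TYPES = {0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        """Where the volume starts in the image; this is the offset you hand to a filesystem parser."""
        return self.lba_start * SECTOR

    def describe(self) -> str:
        kind = PARTITION_TYPES.get(self.type_id, f"type 0x{self.type_id:02X}")
        flag = "*" if self.bootable else " "
        return (f"p{self.index}{flag} {kind:16} start={self.lba_start} "
                f"sectors={self.sector_count} offset={self.byte_offset}")


def parse_mbr(sector0: bytes) -> list:
    """Walk the four 16-byte partition entries at offset 446 of an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, 446 + 16 * i)
        if ptype == 0x00:          # unused slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def identify_volume(image: bytes, part: Partition) -> str:
    """Peek at the volume boot record to confirm the filesystem the type byte implies."""
    vbr = image[part.byte_offset:part.byte_offset + SECTOR]
    if len(vbr) < SECTOR:
        return "beyond end of image"
    if vbr[3:11] == b"NTFS    ":            # NTFS OEM name
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":           # FAT32 BS_FilSysType
        return "FAT32"
    if vbr[54:62] in (b"FAT12   ", b"FAT16   "):   # FAT12/16 BS_FilSysType
        return vbr[54:59].decode()
    return "unrecognised"


def list_volumes(image: bytes) -> list:
    """One summary line per partition, the way a partition-listing script would print them."""
    return [f"{p.describe()} fs={identify_volume(image, p)}"
            for p in parse_mbr(image[:SECTOR])]


def make_sample_image() -> bytes:
    """Constructed 48-sector image: bootable FAT32 volume at LBA 8, NTFS volume at LBA 24."""
    img = bytearray(48 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\x00\x00\x00", 0x0C, b"\x00\x00\x00", 8, 16)
    struct.pack_into("<B3sB3sII", img, 462, 0x00, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 24, 24)
    img[510:512] = BOOT_SIG
    img[8 * SECTOR + 82: 8 * SECTOR + 90] = b"FAT32   "
    img[24 * SECTOR + 3: 24 * SECTOR + 11] = b"NTFS    "
    return bytes(img)


if __name__ == "__main__":
    for line in list_volumes(make_sample_image()):
        print(line)
```

Running it prints one line per volume with its byte offset, which is exactly the value a pytsk-based script had to compute by hand before opening the filesystem; dfVFS finds the same offsets for you and also recognises the container format (E01, raw, VMDK) on the way in, which is the part this example does not attempt.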
    This week’s Sunday Funday challenge was regarding PowerShell Forensics, and asks entrants to “Explain what changes and what doesn’t from executing the powershell script to extracting the file”. Submissions close Monday 4/11/16 3PM CST (GMT -5) and the prize is a $200 Amazon gift card.
    Daily Blog #370: Sunday Funday 4/10/16

  13. This week’s Forensic Lunch webcast covered Jared Atkinson’s PowerForensics tool. Jared explained that his rationale for writing a PowerShell-based forensics tool was that PowerShell provides the same versatility as C/C++ and can be easily deployed on Windows 7 and above, since PowerShell is included by default. Jared showcased a number of different features that can be run in PowerForensics (NB: commands work for both live and dead-box forensics). Around 36 minutes in, Jared explains why PowerForensics is forensically sound. This is quite an important part for those that would like to use this tool: PowerForensics doesn’t use the Windows API to interact with files and uses a read-only handle, so it isn’t changing any data on the disk. Jared also mentioned that PowerShell Portable is available to run on remote systems; however, it is still in the proof-of-concept stage. Jared has been mentioned a few times on this blog as he does an (almost) weekly Forensic Friday post showcasing PowerForensics; you can read his blog here.
    Forensic Lunch 4/8/16

  14. HTCIA has announced its Call For Speakers for their International Conference & Training Expo in Summerlin, NV. The conference will be held August 28th to 31st and submissions close May 30th, 2016.
    Call For Speakers

  15. Adam at Hexacorn has a blog post about EICAR files; probably more information than anyone cares to know about EICAR files, but still interesting. EICAR files are used to test the response of anti-virus programs without having to use real viruses. Also, did you know that anagrams of EICAR are ERICA, CERIA and AREIC? As Adam mentions, they serve no purpose in the article, but thank you for pointing them out 🙂
    A few things about EICAR that you may be not aware of…

  16. Tal Eliyah has posted an article on memory forensics in eForensics Magazine. The article lists a series of Volatility commands along with pictures and explanations. I have recently purchased The Art of Memory Forensics, but as that book is significantly larger than this article, this may be a good introduction.
    Practical Memory Forensics by Tal Eliyah

  17. To end on a sad note, Kenneth Johnson passed away this week. From the few posts, and the words shared on twitter, Ken will be greatly missed by those in the community. I didn’t know Ken at all, but I completely agree with Lee’s sentiment “If you drive drunk, you are a criminal and no friends of mine. You also deserve everything that happens to you as a result”. It’s horrible when someone is taken before their time, and even worse when it’s because someone else is selfish and negligent.
    Rest in Peace Ken.
    Ken Johnson A Legend Among The Rest Of Us
    Farewell to a Friend
    Ken Johnson

And that’s all for Week 14! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
