Week 15!
- Software updates
- Oxygen Forensics updated their Detective product to version 8.3.1. The new version adds physical acquisition for newer Samsung Galaxy devices, improves support for certain BlackBerry, iOS and Android apps, extracts information about Wi-Fi connections from Windows Phone devices, and makes small interface and usability improvements to the built-in mapping feature.
Oxygen Forensic® Detective introduces additional password bypass and physical support for most popular Samsung Android devices
- According to the IACIS mailing list, Magnet was meant to release a patch for the latest version of IEF to stop certain parsers from crashing the application. I haven’t seen any notification that this has happened yet, so if you’re a Magnet customer keep an eye out for it this week.
- X-Ways Forensics 18.7 SR-9 has been released with minor improvements and bug fixes.
X-Ways Forensics 18.7 SR-9
- Cellebrite released a maintenance release, version 5.0.1, for the UFED products, which fixes a number of issues.
- Weare4n6 have shared that RIFF JTAG Box users will now be able to add ISP/direct eMMC support to the tool with a simple software/firmware upgrade.
Good news for RIFF JTAG Box Users
- Decalage updated the rtfobj Python script (part of oletools) to version 0.45 to help identify the listed tricks that malware authors use to stop analysts from recognising RTF files as malicious.
Anti-Analysis Tricks in Weaponized RTF
- Oleg Afonin at Elcomsoft has released a comprehensive post on locked iPhones and the current state of play with obtaining access. Without getting into MDM, if you have a newer, up-to-date iOS device with a complex screen passcode that wipes after 10 failed attempts, a complex backup password, two-factor authentication, and it is off when seized, then your device is pretty secure outside of 0-day exploitation; and those in law enforcement are in a bit of trouble. I’m slightly conflicted about this whole process because on one hand I agree that devices should be secure from cyber attacks or nefarious actors, but at the same time I don’t want those same nefarious actors to have protection from prosecution when they’re caught. The post did mention that examiners can look into iCloud and device backups, but did not mention using Berla’s iVe to extract any data that may be stored on the owner’s car infotainment system. Granted that’s not always an option, but practitioners should remember it when all else fails.
Dealing with a Locked iPhone
- Carpe Indicium has a great example of using the program that created the data to parse it. This is something I do quite regularly; it’s a lot easier to get an idea of what the user sees by using the application they use, and it’s easier than writing your own parser for the data. This post described how the writer used the local Evernote application to parse a database found among the files of interest. In a similar theme to the post above about locating data in different sources, they were able to find email saved to Evernote.
Quick and Dirty Recovery of Local Evernote Databases
- BlackBag has continued its series on Windows Volume Shadow Copies with a post describing how to remove volume shadow copies from a BlackLight case.
More on Volume Shadow Copies
The second post is a quick background on encrypted iPhone backups. For those that don’t use iPhones, they include the ability to encrypt the backup as well as to put a lock on the screen. This creates an issue for forensic tools that create a backup for examination: the backup password will then need to be brute-forced with tools like Elcomsoft’s Phone Password Breaker or Passware.
Encrypted Backup Password and PIN Code – Not the Same Thing
- The students at Champlain College have two posts up this week. The Wearable Technologies team has the final update on their project. They are still unable to get any data off the Apple Watch because of the reliance on a jailbreak and may have to rely on data interception (NB: this may become a common theme). Their next focus was the Fitbit Surge, where they were able to obtain heart rate data using their extraction script but were unable to identify location data; this will be the team’s next goal. Lastly they attempted to extract data from a Samsung Gear 2 over a private wireless network using the Samsung Debug Bridge tool but were unsuccessful. The main theme I’m noticing here is that data extraction from wearable tech is, for the most part, quite difficult.
WEARABLE TECHNOLOGY FINAL BLOG
The second post was a slight change of pace from the previous one and described the experience of someone who started as an office assistant before moving around and settling into a programmer role at the LCDI. The major takeaway was that the individual took their role quite seriously, regardless of what it was, and continuously looked for opportunities to grow. This links back to Harlan’s post about training philosophy: it is up to you to influence your personal growth. You can sit and wait until the right opportunities present themselves, but if you’re not working towards taking them you’ll be overlooked. Something I keep as a personal philosophy is “don’t give them a reason to say no”. No one is really out there fighting for you, except you. The writer of this post moved out of the office assistant position because they were seen as someone who could get their main duties done and take on additional work, and when given that additional work they hit it out of the park.
THE LCDI EXPERIENCE
- Weare4n6 has a few articles up this week. For the next month they are offering to recover data from damaged Windows 10 phone devices free of charge; requests go through their contact form.
Recover data from a damaged Windows 10 phone for free!
The second post is a continuation of last week’s Autopsy Android examination; this week it provides a walkthrough on parsing data from a logical image, taken with Magnet Acquire, of a Samsung Galaxy S II Plus (GT-I9105).
Forensic analysis of an Android logical image with Autopsy
- Belkasoft published a short video on their YouTube channel on how to use Belkasoft Evidence Center to examine a memory dump. The tool lets users load a memory dump and carve for both loaded and unloaded processes. I like that you can drill down into each process and review related information quite easily, especially pictures.
Belkasoft Evidence Center: Live RAM Process Analysis
- Mary Ellen at “What’s a Mennonite doing in Manhattan” has self-published her presentation on malware triage. Unfortunately her presentation wasn’t picked up for a conference, but she decided it was better out in the open than locked in a drawer. I’ve recently run into a malware investigation so I will be reading through this quite thoroughly. I quite like the sandboxing section as it is relevant to my current analysis, but I’m also interested in the dynamic analysis section, mainly for capturing call-backs. There’s too much to summarise, but it’s a quick read and definitely worth it if you’re new to malware analysis.
Gone Phishing!
- David Cowen’s daily blog begins with the answer to last week’s Sunday Funday challenge.
The question related to executing PowerForensics to extract the MFT, and what changes that would make. The answer covered the changes made by installing and executing the script, and noted that no changes are made to the disk from which the $MFT is extracted.
Daily Blog #371: Sunday Funday 4/10/16 Winner!
The next few posts continued the Automating DFIR with dfVFS series. The first post (part 2) expanded the explanation of the path specification objects used in the earlier code sample.
Daily Blog #372: Automating DFIR with dfVFS part 2
Part 3 expands the code base to allow examination of raw images and live disks (if you look at the list of supported volumes in part 1 you’ll notice those are missing).
Daily Blog #373: Automating DFIR with dfVFS part 3
Part 4 adds the ability to extract a file. From my understanding the code will now print the name and inode number of the file being extracted and then extract it. I’m just not entirely sure which file is getting extracted, since I’m not sure where the “file_entry.name” object is set.
Daily Blog #374: Automating DFIR with dfVFS part 4
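Since the part 4 discussion turns on where `file_entry.name` comes from, here is an added example (mine, not code from Dave Cowen’s series) that builds the same kind of dfVFS path-spec chain, walks the file system and extracts one file chosen by name or by inode. In dfVFS every entry yielded by `sub_file_entries` carries its own `name`, and for TSK-backed entries its `path_spec.inode`, so the value printed at extraction time is simply the attribute of whichever entry the walk stopped on. It assumes dfVFS is installed and that the image is a raw (dd) or EWF (E01) file whose first partition (`/p1`) holds a file system TSK can parse; the `open_image_root`, `find_entry` and `extract_entry` function names are my own.

```python
"""Walk a disk image with dfVFS and extract one file by name or by inode.

Added example, not part of the original blog series. Assumes dfvfs is
installed and the image holds a TSK-supported file system (NTFS, ext, ...)
in the partition given on the command line (default: the first one, /p1).
"""
import argparse
import hashlib
import os
import sys


def find_entry(root, name=None, inode=None):
    """Depth-first search from a dfVFS file entry for the first entry whose
    name or inode matches. Both values come from the entry itself: dfVFS
    sets `entry.name` (and `entry.path_spec.inode` for TSK entries) on every
    object yielded by `sub_file_entries`; nothing else assigns them."""
    if name is None and inode is None:
        raise ValueError("give a name or an inode to look for")
    stack = [root]
    while stack:
        entry = stack.pop()
        if entry.name in (".", ".."):  # never recurse back up the tree
            continue
        entry_inode = getattr(entry.path_spec, "inode", None)
        if (name is not None and entry.name == name) or \
           (inode is not None and entry_inode == inode):
            return entry
        if entry.IsDirectory():
            stack.extend(entry.sub_file_entries)
    return None


def extract_entry(entry, out_path, chunk_size=1024 * 1024):
    """Copy the entry's data stream to out_path in chunks. Returns
    (bytes_written, sha256_hex) so the export can be verified afterwards."""
    if not entry.IsFile():
        raise ValueError("%r is not a regular file" % entry.name)
    digest = hashlib.sha256()
    written = 0
    file_object = entry.GetFileObject()
    try:
        with open(out_path, "wb") as out:
            while True:
                chunk = file_object.read(chunk_size)
                if not chunk:
                    break
                out.write(chunk)
                digest.update(chunk)
                written += len(chunk)
    finally:
        file_object.close()
    return written, digest.hexdigest()


def open_image_root(image_path, image_type="raw", partition="/p1"):
    """Build the dfVFS path-spec chain for an image on disk and return the
    file entry of the root directory inside `partition`. The chain is:
    OS file -> RAW or EWF container -> TSK partition -> TSK file system.
    Pass partition='' for an image that is a bare file system."""
    from dfvfs.lib import definitions
    from dfvfs.path import factory as path_spec_factory
    from dfvfs.resolver import resolver

    new = path_spec_factory.Factory.NewPathSpec
    os_spec = new(definitions.TYPE_INDICATOR_OS,
                  location=os.path.abspath(image_path))
    container = (definitions.TYPE_INDICATOR_EWF if image_type == "ewf"
                 else definitions.TYPE_INDICATOR_RAW)
    parent = new(container, parent=os_spec)
    if partition:
        parent = new(definitions.TYPE_INDICATOR_TSK_PARTITION,
                     location=partition, parent=parent)
    fs_spec = new(definitions.TYPE_INDICATOR_TSK, location="/", parent=parent)
    return resolver.Resolver.OpenFileEntry(fs_spec)


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("image")
    parser.add_argument("--type", choices=("raw", "ewf"), default="raw")
    parser.add_argument("--partition", default="/p1",
                        help="TSK partition location ('' for a bare file system)")
    which = parser.add_mutually_exclusive_group(required=True)
    which.add_argument("--name", help="file name to extract")
    which.add_argument("--inode", type=int, help="inode / MFT entry to extract")
    parser.add_argument("--out", help="output path (default: the file's name)")
    args = parser.parse_args(argv)

    root = open_image_root(args.image, args.type, args.partition)
    entry = find_entry(root, name=args.name, inode=args.inode)
    if entry is None:
        print("no matching entry found", file=sys.stderr)
        return 1
    inode = getattr(entry.path_spec, "inode", None)
    print("found %r (inode %s)" % (entry.name, inode))
    out_path = args.out or entry.name or "inode_%s" % inode
    size, sha256 = extract_entry(entry, out_path)
    print("wrote %d bytes to %s sha256=%s" % (size, out_path, sha256))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage: `python extract_one.py image.dd --name ntuser.dat` or `python extract_one.py case.E01 --type ewf --inode 0`. The search and copy functions only rely on the `name`, `path_spec.inode`, `IsFile`/`IsDirectory`, `sub_file_entries` and `GetFileObject` members of a dfVFS file entry, so they can be exercised against a stand-in tree without an image.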
The last post is a quick video on how to check that dfVFS has been installed correctly. Someone really needs to make a downloader/installer that sorts this all out. Not sure if anyone’s looking for a project, but it would be useful.
Daily Blog #375: Video Blog showing how to verify and test your dfVFS install
- PowerShell.org published a video on Jared Atkinson’s PowerForensics. I wasn’t able to watch the video in its entirety, but it appears to be a similar presentation to the one given on the Forensic Lunch last week. If you use PowerForensics, or want a refresher (it overlaps with last week, but questions are asked throughout the presentation that may be useful), the link is below.
Digital Forensics with PowerShell Atkinson
- Kevin at Tech Anarchy has posted an overview of his Volatility web front-end called VolUtility. Dale McGleenon at Chip_DFIR spilled the beans about this tool a few weeks ago. It looks like it’ll be quite useful for those who want to get results quickly without having to play around with the command line.
VolUtility a web front end for the volatility framework
- Harlan Carvey has two blog posts up this week. The first is his thoughts on the Ramdo malware, elements of his new book Windows Registry Forensics 2e, Mimikatz, and the use of PowerShell in attacks. The common theme appears to be process creation monitoring: how it could assist in investigating a breach, and how many organisations aren’t doing it.
Links
The second post gave Harlan’s thoughts on training. In this industry it’s hard to take time off to do a training course, and when you do get to, it’s expensive. As a result it’s really up to the individual to take their education into their own hands. The link to the forensic challenges is quite useful, especially for anyone trying to get into the field. I agree with Harlan that learning is a matter of doing; there are a number of places to obtain forensic images, and many people have published walkthroughs where you can take open source tools and examine them for specific data. It’s all available; you just have to find (make) the time, which of course is much easier said than done.
Training Philosophy
- And while we’re on Registry forensics (a tenuous link, but Harlan is so often associated with Registry forensics that I thought it fitting): Willi Ballenthin shared a link to msuhanov’s GitHub, where he has been updating a Windows Registry file format specification. The spec covers registry hives from Windows XP through Windows 8.1.
Windows registry file format specification
- Patrick J. Siewert posted a review of the X-Ways Forensics training that is run by X-Ways themselves. The course runs over four days, with the instructors leading participants through a series of use cases using XWF. The writer points out that although he had been using XWF for a few years, he learnt a lot about the intricacies of the tool and improved his efficiency while also learning about new features. I think it’s quite important, if you get the opportunity, to get some background with a tool or with examining artefacts before signing up for a training course; that way you’re able to focus on the important parts of the training rather than get left behind. As usual, preparation is key.
Training Review: X-Ways Forensics
- SANS published Kenneth Hartman’s GIAC GCIA Gold Certification paper, “BitTorrent & Digital Contraband”. The paper explains how the BitTorrent protocol works, how it can be used to obtain evidence in an investigation, and some defenses.
BitTorrent & Digital Contraband
- The Call for Papers for the 8th International Conference on Digital Forensics and Cyber Crime (ICDF2C) has been extended to April 25th. The conference is being held September 28 – 30, 2016 in New York City. The main themes of this year’s conference are “Usage and implications of machine learning in digital forensics” and “Big data and digital forensics”.
8th EAI International Conference on Digital Forensics & Cyber Crime
- BSides NOLA was on this weekend, and a few of the presentations have been shared on Twitter for those interested. I’ve only been able to locate a couple, but if I can find more next week I’ll post them up:
And that’s all for Week 15! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.