Week 16 – 2016

Week 16!

  1. Software updates
    • Magnet Forensics updated IEF to version 6.7.7. It’s important to note that this version no longer works on 32-bit Windows.  This version contains improvements to SQL database searches, adds support for iOS 8/9 SMS/MMS, Shareaza library files, history and bookmarks in the iOS Dolphin and Puffin Browsers, Android TextNow and Textfree Application support along with various bug fixes.
    • Didier Stevens updated his decode-vbe Python script to version 0.0.2, adding support for zip files.
      Update: decode-vbe.py Version 0.0.2
    • X-Ways 18.8 has been released. The new release has a host of new features, as well as bug fixes. New features include updated support for file type verification, web cache and Windows 10 artefacts, improved carving, and improvements to JPEG, email, case reporting and usability.
      X-Ways Forensics 18.8
    • VolUtility was updated to version 0.2. The update provided several bug fixes and general code tidying, as well as support for Linux and Mac memory images, an improved YARA scanner, documentation and more.
      VolUtility Release 0.2
  2. Jason Hale at Digital Forensics Stream has a post up exploring Recycle Bin $I files on Windows 10. Jason didn't like the current tools available, so he decided to write his own, and in his testing discovered some minor differences between Windows 7/8 and Windows 10 $I files. The major difference is that before Windows 10 the size of the files was set to 544 bytes, whereas Windows 10 $I files are dynamically sized based on the length of the filename.
    Fun with Recycle Bin $I Files & Windows 10

  3. Two reviews were posted on Forensic Focus this week. The first was Scar de Courcier’s take on the Nuix Foundations – Investigations Training he attended in London. The training covered installing and setting up Investigator (version 6.2.7) and utilising it to perform common analysis tasks. Scar’s general opinion was that this course was a must for anyone looking to get the most out of Nuix.
    Review Of Nuix Foundations – Investigations Training, London
    The second post was Scar’s overview of DFRWS Europe which took place in Switzerland last month. The link to the papers presented is posted in Week 13.
    DFRWS EU – Recap

  4. As usual David has been busy with his daily blogging, starting with Sunday’s Sunday Funday challenge. David read through my post last week and decided to post my suggestion as the challenge for the week. I had a look into the steps required to write the script and thought it was a bit much for me to try and write before the due date, so apologies if the suggestion caused anyone grief.
    Daily Blog #377: Sunday Funday 4/17/16
    And apparently it did cause people grief, because no one submitted anything. We’ll see next week if anyone else has submitted anything. The remainder of the post provided a bit more detail about the path spec objects mentioned last week.
    Daily Blog #378: Automating DFIR with dfVFS part 5
    Part 6 works to expand the codebase to support images (would storage objects be a better term?) with multiple partitions.
    Daily Blog #379: Automating DFIR with dfVFS part 6
    The last post for the week indicated that David was off to the National Collegiate Cyber Defense Competition in San Antonio where he leads the Red Team. According to Twitter they’ve had some success.
    Daily Blog #380: National CCDC 2016

  5. Magnet Forensics announced their new digital investigation platform, named AXIOM. AXIOM purports to “automate all the acquisition and processing tasks required to prepare evidence for analysis for a single device or multiple devices in a queue”, expanding on IEF’s existing analysis capabilities. This tool should be released later in Spring 2016 (I’m thinking mid-late May as a guess). The tool will be on display at the Magnet User Summit series throughout the year.
    Magnet Forensics to Launch New Digital Investigation Platform

  6. SANS shared a couple of white papers relating to Honeypots and Amazon EC2 Incident Response. Unfortunately I didn’t have time to read through them all but decided to share them nonetheless.
    Catching Flies: A Guide to the Various Flavors of Honeypots
    Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud

  7. Weare4n6 were very busy this week, sharing and writing a number of articles.
    The first post described a process for unpacking Android APK files to obtain the Android Manifest XML file and .CLASS (JAR) files. These files can be used to determine the permissions that the application uses as well as the application code.
    Basics of Android Malware Forensics
    The second post links to Anti-Reversing.com which shared a post regarding cached zip container credentials on Win8+. “When you open a password protected zip archive using Windows Explorer (“Extract All…”), in Windows 8.x/10 the password is automatically cached in the Credentials Manager for the life of the logon session.”
    Would you like decrypt an encrypted ZIP file?
    The third post shared a Google Sheet compiled by Mosh (@nyxbone) containing a list of ransomware and relevant IOCs/decryption information.
    Do not pay hackers
    The fourth shared a link to the blogpost written by Gabriele Zambelli for parsing WhatsApp’s databases for Windows Phone 7.
    WhatsApp chat parser for Windows Phone 7
    They also shared the link to the course material that was used by RPISEC to teach Malware Analysis at Rensselaer Polytechnic Institute in Fall 2015.
    Course materials for Malware Analysis by RPISEC
    The last post showed the UFED Phone Detective app for Android and iOS. The app appears to allow users to determine the device support for the UFED devices.
    UFED Phone Detective

  8. Belkasoft has an excellent post covering solid state storage (SSD and eMMC) imaging. The post is actually an expansion on two previous posts on the subject. It describes M.2, PCI-E and NVM Express, as well as how to use the Atola DiskSense to image the devices.
    SSD and eMMC Forensics 2016 – Part 1

  9. Ashwini Varadkar at Checkmate has provided a write up of the Mumblehard Malware which has apparently been eradicated from the Internet.
    Malware Mumblehard

  10. Blackbag shared some information regarding the iOS feature to automatically delete SMS/MMS/iMessages from the Messages app. The app allows users to specify whether to keep messages for 30 days, 1 year, or forever. The caveat is that if a user selects an option, the operating system will implement it immediately; that is, if the user selects 30 days then all messages that are 31 days old and above are deleted. This setting is stored in /mobile/Library/Preferences/com.apple.MobileSMS.plist.
    Are the Messages Being Automatically Deleted?
    Restoring Functionality to Disk Utility in OS X 10.11

  11. Sam Maccherola at Access Data shared 5 best practices for Incident Response learnt from the NSA, gleaned from a PBS interview with the director of the NSA and commander of U.S. Cyber Command, Admiral Mike Rogers. The 5 key points were 1) continuous planning, 2) documentation, 3) auditing, 4) collaboration, and 5) embracing new incident response technologies.
    Learning from the NSA: 5 Best Practices for Cyber Incident Response

  12. Angela Bunting at NUIX shared a post describing how journalists are using tools like NUIX to determine connections within the Panama Papers data dump.
    Finding Connections: From the Boston Globe to the Panama Papers and Your Next eDiscovery

  13. Daniel G posted up his thoughts on BSides NOLA, which took place last week. His post reflected a major theme across the industry: tools are important, but it’s the analyst’s thought process that is the most important.
    BSides NOLA and Threat Hunting

  14. Kevin DeLong at Access Data posted his thoughts on the AD User Summit, which took place at the beginning of April in Florida. You can view the keynotes on YouTube here. The two keynotes covered encryption and the Apple/FBI court case, and the importance of Information Governance and how it relates to Incident Response. The conference documentation can be found here; there’s a lot of useful information here regarding Windows 10 artefacts.
    Leading experts in the field of digital forensics and e-discovery share their insights at the AccessData® User Summit.

  15. Brian Moran has a quick post about the squiblydoo vulnerability that allows a malicious actor to utilise the regsvr application to access external sites. Reading the MS documentation, “this command-line tool registers .dll files as command components in the registry”; allowing it to access external sites apparently allows for backdoors to be created that aren’t easily identifiable on the system. Brian found that an open source process creation monitoring tool was able to assist him in identifying if regsvr was run, and potentially saving the cmdline arguments in a screenshot emailed across.
    Very quick blog post on “squiblydoo”

  16. Adam at Hexacorn has a post (and script) for creating IDT/IDS files for IDA from MS libraries with symbols. Adam explains that “an IDT (or its compressed version IDS) file is a ‘translator’ between ordinal numbers and actual API names”. Apparently IDA doesn’t contain all of the relevant IDT/IDS files and as a result users may have to generate their own.
    Creating IDT/IDS files for IDA from MS libraries with symbols

  17. Mary Ellen has posted her thoughts on searching for foreign language signatures to identify malware. She identified the main challenge that if you scan for foreign language signatures you may get some false positives if you have offices where those foreign languages are prevalent. She also suggested that certain cultures may influence the code-base and that may help direct an investigation.
    What Language Does Malware Dream In?

  18. A couple more BSides NOLA presentations have been released.
  19. The submission deadline for the 9th International Workshop on Digital Forensics (WSDF 2016) was extended to May 9th 2016. The conference is being held in Salzburg, Austria August 31 – September 2, 2016.
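
To make the $I size difference from item 2 concrete, here is an added example (not code from Jason Hale's post or tool) that parses both the fixed 544-byte layout and the dynamically sized Windows 10 layout. The field offsets and the version values 1 and 2 come from the publicly documented $I layout rather than from this page, the function names are hypothetical, and the sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_SIZE = 544  # fixed size before Windows 10: 24-byte header + 520-byte path


def parse_i_file(data: bytes) -> dict:
    """Parse the raw bytes of a Recycle Bin $I file (assumed layout, see lead-in)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    # Three little-endian 64-bit fields: version, original size, deletion FILETIME.
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) != V1_SIZE:
            raise ValueError(f"version 1 $I file must be {V1_SIZE} bytes")
        raw_path = data[24:V1_SIZE]  # null-padded UTF-16LE, 260 characters
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 $I file is missing the path length")
        # Windows 10: a 32-bit character count (including the null) precedes the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
        if len(raw_path) != nchars * 2:
            raise ValueError("path is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}


def build_sample(version: int, path: str, size: int, filetime: int) -> bytes:
    """Build a constructed $I record for testing (not real evidence)."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, filetime)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    ft = 131059296000000000  # constructed FILETIME value
    for ver in (1, 2):
        blob = build_sample(ver, r"C:\Users\test\Desktop\report.docx", 4096, ft)
        print(len(blob), parse_i_file(blob))
```
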

And that’s all for Week 16! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
