Week 17 – 2016

Week 17!

  1. Software updates
    • Eric Zimmerman has updated bstings to version 1.1. The new version adds a few new switchings to allow output suppression, regex matching for individual matches as opposed to the entire string and inputting search strings from a file. There were also minor performance improvements.
      bstrings v1.1 released!
    • Eric also updated LECmd and JLECmd (version due to a bug in the LNK parsing library. In previous versions of the tool the Target Accessed and Target Last Written dates were transposed.
      LECmd and JLECmd updated
    • Didier Stevens has updated translate.py to version 2.3.0. Translate.py is a Python script to perform bitwise operations on files (like XOR, ROL/ROR, …). This update has added support for searching and replacing with regular expressions.
      Update translate.py Version 2.3.0
    • Microsystemation have updated XRY to version 7.0 as well as released the new tool XAMN Spotlight (version 1.0, official beta). XRY version 7 introduces the new XRY cloud product, integration of XRY Camera and a 64-bit version. Several improvements were also made to the product to increase device support. The release notes can be found here. A valid XRY license also gives you access to a free license to the new XAMN Spotlight tool. XAMN focuses on “data review, reporting and analysis”. Spotlight appears to be the equivalent of Cellebrite’s Physical Analyser; allowing the examiner a more indepth view of the extraction. It also has an inbuilt plist viewer, which is always a good thing considering the proliferation of iOS devices. Hopefully I’ll get to play around with it soon. The release notes can be found here.
      Launch of new MSAB Ecosystem Products
    • Atola announced the forthcoming version 4.5 update to their imaging software (although it may also be an update to the Atola itself). The new imaging engine is shown in the post to reach up to 30Gb per minute.
      Imaging speed improvements preannounced in Atola Insight Forensic 4.5
    • Blackbag has released Mobilyze 2016 R1. This newest release features Android 6.0 Marshmallow support and an updated drivers pack.
      Mobilyze 2016 R1 Release
    • Mark Woan released a python script to help analyse the newer Microsoft Office file formats.It is currently at version 0.0.1. You can download the script on the Infoassure Github
    • X-ways released a preview version of X-Ways Forensic 18.9 which added improvements to event log processing, photoDNA hashsets, file export and other minor improvements.
      X-Ways Forensics 18.9
  2. Daniel Garcia posted his full review of the newly released Windows Registry Forensics 2nd Edition. TLDR is that he enjoyed the book which is usually the consensus when Harlan releases a new reference guide.
    Book Review: Windows Registry Forensics 2E 
  3. Chris Brewer at Nuix has an explanation of Ransomware up on the Nuix blog. The post covers the myriad of ways that programs can execute on a device, ranging from drive-by downloads, the browser exploits and malicious documents. It concludes with a listing of a few different ransomware variants, and the promise of dynamic malware analysis on some of the available samples.
    Ransomware Part 2: Recent Variants and How They Work 
  4. Adrian has a new post (after months of pestering him!) up about Windows Phone 10 forensics.  The post covers a number of different artifacts and explains them in detail – mainly that the store.vol file is the key to Windows phone forensics.
    An Initial Peep at Windows 10 Mobile (Lumia 435) 
  5. David Cowen shared his the Redteam Debrief from his weekend of hacking down at the National Collegiate Cyber Defense Competition. The presentation shows a few of the fun things that went on during the attacks and then described a few things that future blue teams can work on. I particularly liked the Agents of SHIELD/Simpsons cross-reference.
    Daily Blog #381 National CCDC Redteam Debrief 
  6. David was absent from this week’s Forensic Lunch, and instead it was hosted by Nicole Ibrahim, Mari Degrazia, Cindy Murphy, Heather Mahalik, Sarah Edwards and Shelly Giesbrecht. The notes say that Alissa Torres was meant to be on the call but it doesn’t appear she was able to make it. The group discussed what they were up to which appears to mainly focus on mobile forensics and working on their python coding.
    Forensic Lunch 4/29/16 Ladies Edition 
  7. Mary Ellen has a post that philosophises over the term malware, and how anti-virus vendors will occasionally target good software because it performs similarly to known bads.
    I Heart Malware 
  8. Magnet has a new post to promote their Magnet User Summit in Las Vegas on the 23rd May. This event conflicts slightly with Enfuse, which Magnet will no longer be attending. Magnet advises that this is due to their release of their Axiom product, which competes with Guidance’s Encase. All attendees will get a chance to rub shoulders with the developers of Magnets product as well as a free license to Axiom.
    The Top Three Reasons to Attend Magnet User Summit // Las Vegas 
  9. SANS have released Scott Perry’s white paper on “Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access”. The paper lists the relevant areas that must be considered when creating a secure network to conduct DFIR investigations.
    Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access 
  10. Andrew Case at Volatility Labs has announced additional training dates for the Windows Malware and Memory Forensics Training in New York City, Amsterdam and Reston/Herndon. Apparently spots fill up very quickly so contact them as soon as possible to guarantee your spot!
    Windows Malware and Memory Forensics Training coming to NYC, Amsterdam, and Reston! 
  11. Weare4n6 produced a number of articles this week.
    • The first article of interest related to the authors opinions that many forensic labs can suffice using JTAG and chip removal when examining mobile devices. I’d agree that having JTAG and chip-off techniques are quite useful and practically a requirement if you see the range of mobile devices that are currently available, however having access to the mobile forensic suites (Cellebrite/XRY/Oxygen etc) can be a time saver that’s worth the expense. Realistically it just depends on the device’s you’re expected to support.
      The Future of Mobile Forensic Hardware
    • There was a problem with Magnet’s Internet Evidence Finder’s portable case feature in one of the latest versions (I think it’s been fixed in last week’s release); apparently installing Microsoft Visual C++ 2012 Redistributable on the computers required to open the case will fix the problem.
      How to fix IEF portable cases problem
    • They also shared an article written by Stephen Fisher Davies explaining the process of downloading data from a moto 360 smart watch using ADB and Bluetooth.
      Forensic Bluetooth Acquisition of Android Wear Device
    • Lastly, they wrote a short article on the client and server features of Google’s GRR Rapid Response; an incident response framework focused on remote live forensics.
      GRR Rapid Response: remote live forensics for incident response 
  12. Eforensicsmag shared an interesting infographic created by ISACA that showcases the increasing frequency of attacks resulting in major financial impact and the distinct lack of cybersecurity professionals being trained to fill the vacancies.
    Cybersecurity Skills Crisis – Infographic by ISACA 
  13. Besides Charm ran on the 23rd-24th March in Baltimore. I’ve only been able to find Brian Moran’s slides so far.
    • Brian’s presentation regarded smart watches. He explored the data stored on a Samsung smartphone by a Microsoft Band 2 and a Pebble smartwatch.
      Who Watches The Smart Watches?

And that’s all for Week 17! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.

One thought on “Week 17 – 2016

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s