Week 18!
- Software updates
- DVR Examiner was updated to version 1.21.0 adding support to the ICATCH_264 and JDX_264 file systems as well as correcting some bugs and making improvements to existing file system support.
DVR Examiner 1.21.0 – Support for ICATCH, ELEC and more! - Nuix version 7 has been released to their customers and apparently improves the data processing engine to support petabytes of data (due to an implementation of Elasticsearch). According to the article Nuix 7 also expands support for forensic artifacts improves data visualization and analytics.
Conquer Your Data Challenges Today And Build Hyper-Scaled Capacity For Tomorrow - Didier Stevens updated his numbers-to-hex.py to version 0.0.3. This update adds an option to deal with signed bytes. The script expects input to be from 0-255, and therefore will be unable to deal with signed bytes (which range from -128 to 127). The video attached shows that numbers-to-hex is used to convert certain output from oledump.
Update: numbers-to-hex.py Version 0.0.3 - Matthieu Suiche at Comae Technologies (formerly Moonsols) released the first beta of Hibr2bin which is a (free? Or free for now?) tool to extract the contents of the hibernation file. From the description this appears to work on all post XP versions of Windows.
HIBR2BIN (BETA 1) - X-ways have released a number of updates this week.
version 8.5.3 of the viewer component has been released. This update appears to be because of an update to Oracle.
X-Ways Viewer Component
18.8 SR-1 was released which included a number of bug fixes and minor improvements.
X-Ways Forensics 18.8 SR-1
18.9 Preview 2 which includes updates to PhotoDNA processing, conventional hash sets, minor internal improvements in XFS support including tentative support for v3 inodes, as well as general fixes and minor improvements.
X-Ways Forensics 18.9 Preview 2 - Eric Zimmerman updated his AppCompatCacheParser to version 0.0.8.0. The update appears to updated some back-end packages, change default date format and allow for custom formats via the –dt argument
AppCompatCache v0.0.8.0
arg
- DVR Examiner was updated to version 1.21.0 adding support to the ICATCH_264 and JDX_264 file systems as well as correcting some bugs and making improvements to existing file system support.
- Heather Mahalik and Rohit Tamma published an article on the Packt Publishing blog regarding Mobile Forensics. The first half of the post provides an introduction to mobile forensics, and the statistics behind mobile phone usage around the world. In some instances mobile phones are a person’s primary computing device; which has led to claims that mobile phones contain the most useful information per byte of data. The post describes a number of difficulties in mobile forensics. I’ve compressed a few of them into main categories, but the authors go into more detail.
- Multitude of devices, operating systems, and operating system versions
- Security features such as encryption, hardware security modules, passcodes, data wiping processes.
- Lack of resources and tools
- Preventing data modification – Evidence on the phone is not write blocked and therefore can be easily altered, whether by the use of the phone, the passage of time, or accidently by the examiner. There are also a number of different methods of data extraction, and some of these may result in changes made to the phone. In some instances, such as chip removal, a minor error on the part of the examiner may result in the data being irrecoverable.
- Malware
- Legal issues
Overall, mobile phones are a critical component in an investigation due to the amount of communication data available; but at the same time, the issues surrounding mobile phone examinations are significantly more complex than deadbox hard drive forensics. Simple questions like “I have an iPhone, can you get the data off” are answered less often with “yes no problem” and more with “It depends”. Thankfully there are a number of people out there sharing the research they’re doing to help the community at large!
Mobile Forensics and its challenges - James Habben at 4n6ir has written a post about writing reports. James goes into detail about why report writing is critical during an examination; documenting your findings, justifying the time you spend, detailing the thoroughness of your work, showing the history of users/groups, justifying your future purchases and measuring personal growth.
Recently I’ve decided to change the way that I document my findings throughout an investigation so this post really struck a cord. In the past I have documented what I have done, as well as what I’ve seen but then when going back to referring to it, it’s been a mess. With my later cases I’ve taken the time to write thorough documentation of what I did and why I came to the conclusions that I did. Now in a number of these cases this information isn’t going to be passed on in its current format, as James mentions, there are people that care about the outcome and not the process; but in a year or two when I have to come back to explain my actions it’s a lot easier (especially under pressure) to read a well written narative that follows a logical progression rather than trying to compile a list of disparate pieces of information.
Report Rapport - Gabriele Zambelli at Forense nella Nebbia has released a how-to on decrypting WhatsApp crypt9 databases. After you have obtained the relevant files, you can use an Android Emulator such as BlueStacks to decrypt a whatsapp database using the required key file. After the decryption process has taken place you are left with an msgstore.db SQLite database. I haven’t tried this but a quick Google search resulted in a msgstore.db viewer that may be useful.
Decrypting WhatsApp crypt9 - Yuri Gubanov and Oleg Afonin have released part 2 of their SSD and eMMC Forensics article. This article provides an overview of external SSDs and eMMC and covers TRIM in eMMC. eMMC chips are basically SD cards that are soldered onto the board, but implement a number of the features of SSDs. “The eMMC standard correctly defines trimming of empty blocks”, however “does not define either DRAT (definite read after trim) or DZAT (definite zeroes after trim), which leaves it to the eMMC manufacturer to define what exactly the storage controller returns when an attempt is made to read a trimmed data block”. In the authors experience a JTAG or chip-off extraction will allow an examiner to read trimmed blocks. Both eMMC and SSDs contain over provisioned areas however this is generally inaccessible even to more advanced data recovery techniques.
The authors corrected a previous claim regarding TRIM for USB-connected SSDs; apparently there is a new protocol named USB Attached SCSI (UAS or UASP) which allows for TRIM provided that a number of criteria are met.
On Windows 8+, the authors claim that “once a file is deleted from an eMMC disk in Windows, you may assume its disk space has been trimmed (but not necessarily erased by the eMMC controller).”
Part 3 will cover real world examples of SSD usage and the problems that may arise.
SSD and eMMC Forensics 2016 – Part 2 - Carpe Indicum has a walkthrough on how to use fls and log2timeline on an EWF image to create a file system and super timeline.
Filesystem timeline and supertimeline cleanup - Scar de Courcier at Forensic Focus posted an article about the challenges of dealing with live streamed child abuse content. Identification of perpetrators and victims is the key concern here and live streaming content has made this more difficult. Digital Forensics examiners can use processes such as hashing to assist in reducing the amount of content that has to be reviewed however with streaming video, offending videos may never be saved. Having said that, there are people that are notorious collectors; anything streamed has the potential to be saved. The major issue that I foresee with capturing the offenders is jurisdictional. If an offender resides in a country with limited capabilities in identifying, catching and prosecuting them then there might not be much that can be done.
The Investigative Challenges Of Live Streamed Child Abuse - Mark Spencer from Arsenal Consulting also posted on Forensic Focus about utilising an analysis technique known as “Anchors in Relative Time” to reveal critical details about the attacks. The article doesn’t go into much more detail than that however the author will be presenting at the Internet Security Operations and Intelligence conference in San Francisco, CA on May 12 and the High Technology Crime Investigation Association’s Mid-Atlantic Chapter meeting in Manassas, VA on May 19. I would be curious to see what his findings showed.
Arsenal Reveals Sophisticated Evidence Tampering Involving Turkish Journalists - Jimmy Schroering at DME Forensics has a very useful post about DVR Examiner’s RAID support. He starts by listing the caveats where DVR Examiner will be of no use. It was quite interesting to hear that some DVR companies advertise that they use a RAID configuration but in reality just fill up one drive before moving seamlessly (for the user) onto the next.
The general gist of the post is that DVR Examiner will support a volume of data; so if you do come across a RAIDed system it’s best to rebuild the RAID into a single volume and take a forensic image of that.
Does DVR Examiner support systems with RAID? - Ghetto Foreniscs has a guest post up by Tony Cook regarding GrrCon 2015’s memory forensics challenge. The post describes the thought process for each of the questions. Tony does a great job of breaking down each step to explain why he came to his conclusions; although in question 3/4 he did state that the malware was trying to inject itself into another process and I’m not entirely sure how he figured that out. I particularly liked the Mr Robot reference in question 5 (that were also hinted at in question 3). A lot of work went into this post so I’d highly recommend reading through it if you’re interested in memory forensics. The files are available here if you want to play along at home
GrrCon 2015 – Memory Forensics – Grabbing all the Flags… - Magnet posted up five reasons to use their smartphone (Android/iOS) acquisition tool Acquire. I have yet to use the tool, but as it’s free it’s something that people should have at their disposal. I have been told by a colleague that they’ve had success with Acquire on phones that were unsupported by other tools. And it’s free, which is always a plus.
Five reasons why Magnet ACQUIRE should be your go-to tool for smartphone acquisitions - Weare4n6 shared a number of articles this week
- The first was Chet Hosmers webinar on the Access Data Youtube channel about Python Forensics. I didn’t have time to watch it but it looks like it’ll be quite an interesting watch for those interested in developing their own tools (and following along with David’s series.
Using Python in Forensics - The Electronic Discovery Reference Model has released an update to its glossary of terms. This is quite useful as it provides an easily searchable database that you can use in your reports.
Upgrade your glossary - Igor and Oleg wrote a short article about how to utilise the Encase Processor to parse information and generate reports. I have to admit I don’t usually use the processor for data parsing (preferring Corey Harrell’s autorip) however I might play around with it on future cases.
How to use the EnCase Processor - This post shares the link to Tom Andreas Mannerud’s Tom’s AD Object Recovery 1.0 which can be used “for querying your Active Directory for deleted computer, user, group, or other objects and restore them on-the-fly.”
Active Directory deleted objects recovery - They also share a link to an old (hasn’t been updated in a number of years) blog called Dr Fu’s Security blog that has a 34 different blog posts on malware reverse engineering. After clicking through a few of the posts they appear to be quite comprehensive.
Malware Analysis Tutorials - The last post shares the news that a book written by Oleg Afonin and Vladimir Katalovook of Elcomsoft fame is due for release in September 2016 by Packt Publishing.
Mobile Forensics: Advanced Investigative Strategies
- The first was Chet Hosmers webinar on the Access Data Youtube channel about Python Forensics. I didn’t have time to watch it but it looks like it’ll be quite an interesting watch for those interested in developing their own tools (and following along with David’s series.
- Harlan Carvey at Windows Incident Response has three posts up this week.
- The first article shows Harlan’s frustrations with people constantly asking him whether his book covers X, Y and Z in the latest version of Windows. Harlan is only person and appears to be fighting the good fight when it comes to producing valuable references for people to use when conducting Windows based forensics. My only comment on this article is that maybe he could be slightly more transparent with how he’s going in the book writing process. I recall seeing a couple of posts about the competition, and then the next one was that he had completed the book. Unfortunately I missed the boat in passing on some research into the SAM file (by several months) however Harlan posted about it here.
With that in mind, I imagine he will be working on an update to Windows Forensic Analysis to cover some additional Windows 10 artifacts (and potentially further updates to other versions). Maybe a call out (yes, I know these haven’t been super successful in the past; maybe a call out to specific people? Or universities?) looking for assistance on either compiling general information that’s been published or even a “hey, who wants to do some research on this, that and whatever that may relate to broad topics such as lateral movement, user activity, general artifact parsing”. I think the people are there, but maybe they just need a mentor. Just a thought.
Thoughts on Books and Book Writing - Harlan has written a new Regripper plugin called shimcache.pl that parses all available control sets for AppCompatCache entries.
And almost as if he’d read my above comments (without them being published yet), Harlan has asked that people should offer to contribute to the compendium of knowledge that is the Windows Forensic Analysis and Windows Registry Forensics series.
Lastly he shares his comments on an article on Finding Unknown Malware (a blog I’ll add to next week’s post). Harlan’s opinion is that process execution should be the first thing an analyst does before performing the long winded processes of AV scans, hashing etc. Of course, if you have the facilities then by all means, but I tend to agree with Harlan. My preference is to export certain file groups (registry, events, link/jumplists, prefetch, setupapi) and see what I can find whilst the longer processing tasks are running. For the most part these artifacts can be parsed on much less powerful machines and can be done concurrently.
Updates - Harlan’s last post for the week describes a number of different artifacts that can be used to recover historical registry information; restore points, regback and VSC’s, hibernation files, deleted keys and the Windows.old directory that is created when a user updates (I imagine we’ll see a lot of these due to the Windows 10 free update).
Accessing Historical Information During DF Work
- The first article shows Harlan’s frustrations with people constantly asking him whether his book covers X, Y and Z in the latest version of Windows. Harlan is only person and appears to be fighting the good fight when it comes to producing valuable references for people to use when conducting Windows based forensics. My only comment on this article is that maybe he could be slightly more transparent with how he’s going in the book writing process. I recall seeing a couple of posts about the competition, and then the next one was that he had completed the book. Unfortunately I missed the boat in passing on some research into the SAM file (by several months) however Harlan posted about it here.
- Lenny Zeltzer wrote a post about setting up Canarytokens to detect intrusions. Canarytokens items that appear enticing to a would-be attacker but when they interact with the object, notify the security team. The post explains the process of setting up a Canarytoken system and shows the results of activating one.
How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions - Also I managed to come across this python script by Phil Hagen for shifting syslog times. Hopefully someone will find it useful.
syslog-timeshift
And that’s all for Week 18! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
This Week In 4n6 
“My only comment on this article is that maybe he could be slightly more transparent with how he’s going in the book writing process.”
How so? In the past, I’ve posted to my blog, asking for thoughts…and not received anything. When you say, “…more transparent…”, what are you referring to?
LikeLike
I’m not sure of what the best way to do it, because I haven’t written a book so of course I’ll accept you saying I don’t know what I’m talking about; But say you have an outline of the current book as a page on your site where you could indicate where you’re going and where you’re stuck (ie “I need a Vista registry hive to examine for xyz” or “I’m updating this section for Windows 10”, even a “this book will be submitted to the publishers on this date”).
I think that people read your blog and if they aren’t currently working on something that they could forward to you it might slip their mind at a later stage.
I’ve sent you information in the past, however I guess I didn’t realise how close you were to finalising your previous book or maybe I would have stopped procrastinating and compiled information faster; which is on me.
It may be yet another thing you try that the community doesn’t engage with, but it’s an idea I guess.
LikeLike