Week 19!
Trying a slightly different format this week to divide things up a bit better.
SOFTWARE UPDATES
- Cellebrite have released a maintenance release for UFED Physical and Logical Analyzer, now at version 5.0.2. The main feature of this update is decryption of the new WhatsApp Crypt9 backup databases (if you don’t have a copy of UFED PA you can always do it manually). The release also includes some minor bug fixes.
Cellebrite UFED 5.0.2 maintenance release
- Paul Sanderson has updated Forensic Browser for SQLite to version 3.0.0. “This release addresses a few small bugs and one major bug affecting the recovery of deleted records”. The two major enhancements are the ability to view a page from a database, journal or write-ahead log in hex with record highlighting, and a structured storage tool for decoding and viewing blob data.
New release 3.0.0
- X-Ways have released SR-2 of X-Ways Forensics 18.8. This update has bug fixes for the entropy check, Ext partition file system checks and virtual file timestamps, along with some minor improvements.
X-Ways Forensics 18.8 SR-2
Stefan also advised that the Viewer Component now requires the Microsoft Visual C++ 2013 Redistributable Package instead of the Microsoft Visual C++ 2005 SP1 Redistributable Package.
Viewer Component
- Oxygen Forensics released version 8.4 of their Oxygen Forensic Detective software. The new version adds iCloud Drive/Photos data extraction and updates support for some messaging, social network, navigation and browser apps.
Oxygen Forensic® Detective now extracts evidence from iCloud Photos and iCloud Drive!
- Didier Stevens updated emldump.py to version 0.0.9. This update includes small changes to handle obfuscation.
Update: emldump.py Version 0.0.9
Software Releases
- Didier Stevens has also released a new script for the 010 Editor. This script converts selected text into an XOR encoded message. It does so by taking two bytes and XOR-ing them together, then XOR-ing the result with the next byte until the end of the selection.
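As an added example in Python (not Didier’s 010 Editor script, which is linked below), here is the chained XOR described above together with its inverse. The byte convention is an assumption: the first byte is kept as-is and each following output byte is the previous output byte XORed with the next input byte.

```python
# Added example, not the original MovingXORSelection.1sc script.
# Assumed convention: out[0] = in[0]; out[i] = out[i-1] ^ in[i].
def moving_xor_encode(data: bytes) -> bytes:
    """Chain-XOR the input: each output byte is the running XOR so far."""
    out = bytearray()
    acc = 0
    for b in data:
        acc ^= b          # fold the next input byte into the running value
        out.append(acc)
    return bytes(out)


def moving_xor_decode(data: bytes) -> bytes:
    """Invert the chain: in[0] = out[0]; in[i] = out[i] ^ out[i-1]."""
    out = bytearray()
    prev = 0
    for b in data:
        out.append(b ^ prev)  # undo the fold using the previous encoded byte
        prev = b
    return bytes(out)


if __name__ == "__main__":
    sample = b"ABC"  # constructed input
    enc = moving_xor_encode(sample)
    print(enc.hex(), moving_xor_decode(enc))
```

Because no key is involved, anything obfuscated this way is recovered by the decode routine alone, which is why this is obfuscation rather than encryption.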
MovingXORSelection.1sc
- Magnet Forensics have launched their new product AXIOM. This post details the reasoning behind the tool and the breakdown of the platform. AXIOM is split into two parts: data acquisition, and data processing and presentation. I’m looking forward to trialing this software as it allows a user to connect a drive, set it to image and then run IEF/artifact parsers automatically. Most of the time if I set a drive to image it will complete overnight and then there’s a large portion of wasted time that could be taken up by pre-processing; this should help reduce that overhead. (Caveat being that if time is the issue you can export some important artifacts and process concurrently!) I’m also looking forward to the review platform. I think their timeline feature is quite useful, however I often find the information presented in it is fairly sparse and instead you have to rely on the IEF window to understand the context. Hopefully my suggestion for allowing users to group artifacts together (i.e. cache images, or hits for the same data in unallocated or across VSS) gets incorporated.
Welcome to Magnet AXIOM!
Conferences/Training/Webcasts
- David Cowen will be hosting a webcast on Monday 16th May 1PM Eastern Daylight Time (5PM UTC, 3AM AEST; would be great if some of these talks were a bit later) on Shell Items. You can register here.
@sansforensics’s Tweet
- Dr. Philip Polstra has posted up a complete Linux Forensics online course. The syllabus is here and I have to say it looks fairly comprehensive. Students will learn the basics of the Linux OS and the EXT file system, file/network/live/memory forensics, malware analysis, data acquisition, timeline analysis and report writing. Live training will also be run at Shakacon in July.
@ppolstra’s tweet
- Magnet has a webinar on their new product, AXIOM, on 17th May 2016 at 12:00PM Eastern Standard Time (New York, GMT-05:00). I’m taking this time directly off their site, but I’m slightly confused why the SANS cast is in EDT and this is in EST.
Introduction to AXIOM
Forensic Analysis
- The Blackbag Training team has a short post regarding the absence of Superfetch and Prefetch files. Both of these file types are used to speed up application load times, however they aren’t usually seen on solid state drives. The team did find, however, that there may be Superfetch/Prefetch files when the OS is installed prior to the OS determining that it’s running on an SSD.
Missing Superfetch and Prefetch Files?
- John Lukach at 4n6ir has shared a module that he’s developed for Autopsy to dump the hashes of files into a database that can be accessed using Autopsy’s multi-user feature.
Autopsy Python Multi-User Modules
- Cheeky4n6monkey (name withheld, your secret is safe with me!) has a post up on e.MMC Flash memory forensics. The post describes the process of determining the storage chip on a device (in this case the Amazon Echo) and then runs through the basics of e.MMC.
Also if you want to see Cheeky Monkey in action, he’s on a panel at the summit.
The Chimp That Pimps And An Introduction to e.MMC Flash Memory Forensics
- Patrick J. Siewert at Pro Digital Forensic Consulting has a post up about creating a holistic view of data. In many investigations there are two sides to the story; in criminal investigations there’s usually a person/persons of interest and a victim, and the author posits that it’s a good idea to conduct an examination on both sides of the equation. Doing so provides you with a more complete picture of what happened and also provides a way to verify your findings (i.e. the dates/times on the text messages should roughly line up).
Don’t Forget the Victim (And Their Device)!
- Chris Sanders had a couple of posts up (one was last week but I just found it and wanted to share it still).
- The first post describes Chris’ investigation method which consists of a series of observations which lead to questions/answers/hypotheses and ultimately a conclusion. Chris goes through an example of an IDS alert. I quite like having the question defined and then working through the process. Having this documented, including your hypotheses and questions means that you have a defined set of items to go through. When an investigation is quite open-ended it can be quite easy to get stuck in a spiral and jump on the next shiny artifact without getting anywhere. Having a defined goal really dials you in and when your client comes and asks where you’re at you will have some answers to give them.
How Analysts Approach Investigations
- Chris then tried to discern what sets apart those who become experts in the field, independent of the length of time they’ve spent in it. He reviewed a number of case studies and determined “there was a significant difference between the number of responses given by novice and expert analysts was rule-based reasoning”. Experts then build their library of rules; “Gaining expertise is more about optimizing the analyst’s ability to build mental rules than arbitrarily waiting for the passage of time”.
Accelerating Experience With Investigation Heuristics
- Yogesh Khatri at Swift Forensics has returned after a blogging hiatus with a post about the Amcache on Windows 7. Apparently an update last year (KB2952664) means that you may find the Amcache.hve and RecentFileCache.bcf on Windows 7 machines. More information on amcache can be found here and here.
Amcache on Windows 7
- Michael Karsyan at EventlogXP has a blog post describing how to examine Windows security auditing events to identify file/folder access. If security auditing is enabled you can filter for event ID 4663 and identify the user who deleted the folders named in the path. If you add the successful logon events you can also obtain the IP address of the computer the user connected from. I’m unsure which versions of Windows this will work on.
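As an added example in Python (not code from Michael’s post), here is the correlation described above run over constructed event records: 4663 entries whose access mask includes DELETE are joined to 4624 logon events on the logon ID to pull the source IP address. The field names follow the Security log’s EventData; the user, paths and addresses are made up.

```python
# Added example, not from the EventlogXP post. Records are constructed to
# mirror the EventData fields of exported Security log events.
DELETE = 0x10000  # DELETE bit of the access mask reported in 4663 events

# Constructed sample events (not real log data).
EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x3e4a1",
     "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "TargetUserName": "SYSTEM", "TargetLogonId": "0x3e7",
     "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4663, "SubjectUserName": "jsmith", "SubjectLogonId": "0x3E4A1",
     "ObjectName": "C:\\Share\\Q1\\report.docx", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "jsmith", "SubjectLogonId": "0x3e4a1",
     "ObjectName": "C:\\Share\\Q1\\notes.txt", "AccessMask": "0x1"},  # read only
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7",
     "ObjectName": "C:\\Windows\\Temp\\x.tmp", "AccessMask": "0x10000"},
]


def index_logons(events):
    """Map each logon session ID from 4624 events to its source IP address."""
    return {e["TargetLogonId"].lower(): e.get("IpAddress", "-")
            for e in events if e["EventID"] == 4624}


def find_deletions(events, path_prefix=""):
    """Return (user, path, ip) for every 4663 event whose access mask includes
    DELETE, optionally limited to objects under path_prefix (case-insensitive)."""
    logons = index_logons(events)
    hits = []
    for e in events:
        if e["EventID"] != 4663:
            continue
        if not int(e["AccessMask"], 16) & DELETE:
            continue  # some other access (read, write, ...) was requested
        if not e["ObjectName"].lower().startswith(path_prefix.lower()):
            continue
        # SubjectLogonId in 4663 matches TargetLogonId in the session's 4624
        ip = logons.get(e["SubjectLogonId"].lower(), "unknown")
        hits.append((e["SubjectUserName"], e["ObjectName"], ip))
    return hits


if __name__ == "__main__":
    for user, path, ip in find_deletions(EVENTS, "C:\\Share\\"):
        print(f"{user} requested DELETE on {path} from {ip}")
```

A 4663 with the DELETE bit shows the access was requested and granted, not that the object is gone; a matching 4660 (“An object was deleted”) with the same handle confirms the deletion.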
Tracking down who removed files
- Scar de Courcier at Forensic Focus has a post detailing the current challenges in digital forensics, the result of a survey conducted in September last year as well as a review of a number of papers. The graph provided shows that encryption and the cloud are the major challenges, however there’s quite an even distribution across many other areas such as triage, the increase in digital crime, and a lack of training and resources. Ultimately the main takeaway is that sharing information and cross-collaboration between agencies, private companies and academic institutions is the best way forward for the field; however a number of practitioners have called for that in the past with limited success.
Current Challenges In Digital Forensics
- Lee Whitfield has a short post regarding the nominations for the 4cast awards (held annually at the summit). Apparently it’s a regular occurrence that vendors/people ask why they weren’t nominated. As Lee says, it’s your responsibility to nominate yourself if you don’t think someone will do it on your behalf! I look forward to seeing the other emails Lee receives.
As Promised
- Glenn at Hidden Illusion has a post regarding Prefetch files. This post runs through a process of identifying the drive that an executable resided on when the prefetch file was created. The author explains that you can use a combination of device path, known file directory and filename extracted from the Prefetch file. This is an extensive post regarding this artifact, so I’d recommend reading through it to learn a bit more about program execution.
Go Prefetch Yourself
Glenn also shared this script for extracting common files off a mounted file system.
Tweet by @hiddenillusion
- Weare4n6 had a few posts up this week
- Igor and Oleg started this week with a walkthrough of decrypting an iTunes backup using Elcomsoft’s Password Breaker. According to the authors “this tool is able to crack backup passwords of Apple devices of all generations released to date, including the iPhone 6S Plus and iOS 9”. As the tool uses either a dictionary or brute-force attack your results may vary.
Decrypting encrypted iTunes backups
- Next they shared a link to Soufiane Tahiri’s Windows Phone 8.1 logical acquisition tool, which allows a user to extract their contacts and appointments. The software creator advises that you need to developer-unlock the device and sideload the application; I can’t speak to its forensic soundness, especially considering it copies to the Pictures folder, but if you have no other options it may be useful to know about.
Windows Phone 8.1 logical acquisition tool
- Lastly they shared a recently released article from Microsoft that details some of the security auditing features of Windows 10.
Windows 10 Security Auditing and Monitoring Reference
- Harlan Carvey at Windows Incident Response has a post recounting the days of old, showing his collection of floppy disks and CDs. I wasn’t quite old enough to have to deal with installing software from floppy directly, but I do remember seeing the 30 or so that you would have to painstakingly insert to install something like Office.
…back in the Old Corps…
Malware
- SANS has posted Roberto Nardella’s GIAC (GSEC) Gold Certification paper on basic reverse engineering with Immunity Debugger. The paper goes through a few examples that use some simple operating system operations (i.e. rename a file, move a file, WinAPI calls) and shows both the code for the “malware” and how to examine the executable using the debugger. You can download Immunity Debugger here.
Basic Reverse Engineering with Immunity Debugger
SANS has also released a Cyber Threat Intelligence Consumption poster.
Cyber Threat Intelligence Consumption
- Kevin Breen at Tech Anarky has followed Brian Baskin and Tony Cook’s lead and published his own walkthrough of the GrrCon15 Memory Challenge using his VolUtility tool. The thing I like about this walkthrough was that Kevin was able to see his tool in action attempting to answer multiple different questions that a practitioner may face. He was then able to update the code to improve the overall process. It’s also great to show another way to go about answering the problems for those that want to run through the challenge themselves.
Solving GrrCon15 Memory Challenge with VolUtility
- This is from last week but I only found it late last Sunday and still wanted to include it. Vineet Bhatia has posted a multi-part series on finding unknown malware on Windows.
- The author’s post runs through hashing every file, removing known good files using the NIST database, carving unallocated and then utilising Bulk_Extractor to “quickly extract known data elements from files and folder structures”. I agree with Harlan’s sentiments regarding the process employed; this process is very time intensive, so wouldn’t be good for identifying quickly if a machine is infected. That being said, if you’re setting up a drive to image anyways (say you know it’s infected already), then if you’re going to have time, over a weekend for example, it could be a good idea to run.
Finding Unknown Malware on Windows (Part 1 of 5)
- The second part covers mounting the image and examining RAM/hiberfil, as well as uploading the MD5s to VirusTotal to scan for known malware and then searching the file system for common indicators of compromise.
Finding Unknown Malware on Windows (Part 2 of 5)
- There were a few articles posted to FireEye’s blog this week
- Varun Jain and Ronghwa Chong have a post describing some of the improvements in the Locky ransomware. “Locky has moved from using simple encoding to obfuscate its network traffic to a complex encryption algorithm using hardware instructions that are very hard to crack.”
Locky Gets Clever!
- Dhanesh Kizhakkinan, Yu Wang, Dan Caselden, and Erica Eng have a writeup of a malicious downloader named PUNCHBUGGY. This downloader is used to retrieve the aptly named PUNCHTRACK, which targets POS systems and tracks payment card data. Like the above writeup, the authors go into detail about the code and how it interacts with a system.
Threat Actor Leverages Windows Zero-Day Exploit In Payment Card Data Attacks
- Jonell Baltazar, Joonho Sa, and Sudeep Singh have a writeup of the Cerber ransomware that’s been around since February this year. The authors identified that the “same distribution framework used by Dridex seems to be the one delivering this Cerber campaign” and it has mainly been identified in the US. Again, this is a macro-based downloader that drops a VBScript file that downloads the Cerber payload. Cerber is most likely to become another problem child along with Locky and Dridex.
Cerber Ransomware Partners with the Dridex Spam Distributor
- The common trend I’m seeing here is malicious Word documents that trick the users into running macros. From the Punchbuggy article: “In addition, effective mitigations exist to prevent social engineering attacks that utilize Office macros. Individual users can disable Office macros in their settings and enterprise administrators can enforce a Group Policy to control macro execution for all Office 2016 users. More details about Office macro attacks and mitigations are available here.”
- Following on from FireEye’s posts, Jesse Moryn at Gillware has a link to an hour-long presentation on ransomware and its implications. The blog post also has a summary of the video, which is always great to have. To summarise the summary, ransomware is a problem because it costs tens of millions globally, and is fairly difficult to get around once it hits you. It’s easy to distribute, and relies on people’s ignorance or lapses in concentration; once it gets you, you could be in a lot of trouble. The author also lists a few tips to protect yourself and your users. I’d also add disabling macros as a matter of course. I do wonder if there’s a way to request from your virus scanner to scan incoming documents for embedded macros and pop up a dialog that says “this document contains macros, type yes if you’re certain you need the macros in here, otherwise email them back and ask for a PDF etc”. Maybe clean up the language a bit, but force people to have a second think about the potential damage they could cause.
An In-Depth Look at Ransomware
- Samuel Alonso posted a short review of “Malware Forensics Field Guide for Windows Systems”. Apparently if you’re in the field of IR and threat intelligence then the exercises and references found in this book will be quite useful.
Malware forensics field guide for Windows Systems
- Digital Residue has a post up about his process and answers to Project 4 from Sam Bowne’s Practical Malware Analysis course. The author advocates running the malware in a VM connected to the Internet in order to analyse traffic, although he then uses a fake DNS VM to redirect traffic rather than send it out on the open Internet, which creates a type of sandbox. Unfortunately the author was unable to get INetSim working, so it doesn’t appear he was able to complete the lab.
Practical Malware Analysis. Lab’s 3 – 1 (Dynamic Analysis + Inetsim)
And that’s all for Week 19! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.