Week 20 – 2016

SOFTWARE UPDATES

  • Magnet released IEF version 6.7.8 however I wasn’t able to get a copy of the release notes to summarise them.
    .
  • Didier Stevens has published a new YARA rule for identifying portable executables created with pyinstaller. This post here explains the impetus for the rule and what it looks for.
    New YARA Rule: PE_File_pyinstaller

  • Didier also update his pecheck script to version 0.5.0 adding support for YARA rules and overlays.
    Update: pecheck.py Version 0.5.0

  • Atola Technology released their update to the Atola Insight Forensic (verison 4.5) that they pre-announced last month. This comparison table on the post shows the raft of speed improvements made between this version and the last due to the upgraded imaging engine. Apart from speed there’s improved logging verbosity, enhanced media map manager and some additional configuration options allowing the user more control of the imaging process.
    Atola Insight Forensic 4.5 release

  • Cellebrite updated Cloud Analyzer to version 5.1. This update added support for iCloud and Microsoft OneDrive as well as improved reporting to incorporate adherence to regulatory/legal requirements.
    UFED Cloud Analyzer Release Notes 5.1 (May 2016)

  • Paul Sanderson updated Forensic Browser for SQLite to version 3.0.1 to fix a few bugs in the new features from last week’s 3.0.0 release.
    Forensic Browser for SQLite New release 3.0.1

  • X-Ways Forensic 18.8 was updated to SR-3 which included fixes for a number of bugs, as well as minor improvements. The noteable updates include PNG picture processing, exception errors for very large search results (more than 134 million search hits, might be worth rethinking the search strings there :)), as well as importing plain text files of PhotoDNA hashes and fixed a bug when reporting child objects in a evidence file container.
    X-Ways Forensic 18.8 SR-3

  • X-Ways Forensic 18.9 Preview 3 was also released. New features include:
    • An algorithm to calculate a files “relevance” based on its metadata and other factors in the hopes of allowing an examiner to start at the potentially most interesting files.
    • Updating the format of the “Generators Signature.txt”
    • Generator signatures are now output also for PDF documents
    • Better reporting of conflicts in the ProjectVic database.
    • Slightly improved handling of huge search hit counts.
    • Minor bug fixes and improvements
      X-Ways Forensics 18.9 Preview 3

  • Metadriver updated to version 2.5.0. The update allows for configuration of the data output for each file type as well as third-party controls (ie regex search) and filters as well as various bug fixes.
    METADIVER 2.5 RELEASED!

  • Eric Zimmerman has been busy this week with a post and a few tool updates
    1. Firstly he has updated his AppCompatCache Parser (version 0.9.0.0) and included a blog post showing his testing. The update extracts entries from all available ControlSet keys rather than just the current control set; there were also configuration changes to allow the user to choose specific control sets as well as relevant output adjustments. The post continues to show the differences between various parsers (and in Mandaint’s case shows that their parser has been updated since their bugs were discovered) which highlighted a few bugs that might otherwise be missed. I particularly like the table created at the end that clearly shows where each tool falls short.
      AppCompatCacheParser v0.9.0.0 released and some AppCompatCache/shimcache parser testing
    2. Eric also updated his LECmd and JLECmd projects to version 0.8.0.0. The JLECmd project got an additional switch (-fd) to dump the same information for links as LECmd does. OleCf project was also updated to handle larger jumplists (which is also part of the jumplist update). Eric advises that there’ll be another update next week for JLECmd as well.
      OleCF Updated
      LECmd/JLECmd Updated
    3. Lastly he appears to be doing some work on parsing the OpenSavePidlMRU value of Comdlg32 for his Registry Explorer tool.
      OpenSavePidlMRU done

SOFTWARE/PRODUCT RELEASES

  • Media Clone have released their Mobile M.2 Complete kit which contains a number of different adapters for SSDs. A lot of the slimmer laptops have moved away from spinning disks and as a result you either resort to booting into Paladin/Macquisition (both fine choices for imaging, but occasionally don’t work) or pulling the drive and connecting it to an adapter if you have one. I have yet to have to use one of these adapters in the field but I imagine it would be great to have a complete kit to grab if you work on a client’s premises. Unfortunately I wasn’t able to locate pricing on their site.
    Mobile M.2 Complete KIT

  • Melissa at Sketchy Moose has released a python script for parsing Chrome history files and exports keyword searches, downloaded files and visited URLs into separate CSV files.
    Chrome History Parser (CHP)

  • Mari Degrazia shares a script that she wrote to parse the sqlite database relating to the OS X Quicklook feature. The script parses the database, but also extracts the plist stored with a BLOB data type. The data found in this database relates to files that are shown using the Quicklook feature, and I think also as thumbnails in a folder. As a side note, I did a little bit of research into Quicklook a while ago because I was interested in finding an artifact similar to the thumbs.db/thumbcache on Windows. In the same folder as the sqlite database there is also a thumbnails.data file, which contains sections of the thumbnails. I wasn’t able to get it successfully working but you can take elements from the thumbnails table of the index.sqlite database and generate a header for the data. I recall finding an Enscript that you can use to extract these images, although I would like to see the functionality built into Blacklight.
    QuickLook Python Parser – all your BLOBs belong to us

  • I published the Perl script that I wrote as part of the last Sunday Funday Challenge for installing DfVFS onto a Windows machine. It’s not 100% complete yet; I only tested it on my machine and the tests didn’t pass completely (one of the tests looks for a file in the test_data folder that doesn’t appear to exist). If anyone else is happy to give it a run I’d appreciate the feedback.
    installDFVFS_0.01.pl

FORENSIC ANALYSIS

  • Vladimir Katalov at Elcomsoft wrote a post covering the anti-theft mechanisms for Android, iOS, Windows Phone, Blackberry OS. His conclusions show that Apple produces the most solid device protection and Blackberry comes in last due to a backdoor. The comment about Blackberry claiming to have the most secure mobile OS on the planet was interesting; I feel like the claim refers to data protection, not necessarily device re-use once it’s lost or stolen.
    Understanding and Bypassing Reset Protection Understanding and Bypassing Reset Protection

  • The Blackbag Training Team posted up instructions on how to import custom hash sets into BlackLight.
    Using Custom Hash Sets in BlackLight

  • Brett shavers shared his opinion that when you review a book you should be also checking its accuracy; is this all the information on the topic, or could the author have added more from available sources. He also shared the a link to a review of his latest book.
    Reviewing a tech book technically makes you a peer reviewer…

  • Dan Embury posted up a series of questions and answers from a recent webinar on UFED Physical Analyzer (shared at the bottom of their post). There’s a lot of disparate topics covered so it’s hard to summarise them all but the post covers Android, iOS, Blackberry, Windows Phone, and TomTom extractions and parsing.
    Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

  • The author of dfirblog posted up some statistics that they collected on a series of honeypots they’d set up. The post is fairly comprehensive regarding what the honeypots looked like, the stats on the attacks including the services attacked (ftp/mssql mainly) and the countries they came from (US/China) as well as details about the exploits used. The author sums up their findings with the penultimate line “All in all, nothing interesting in this data”.
    Funny Honey – tracking hackers in cyberspace part1

  • SANS is after two Social Media Ambassadors to share their experiences at the DFIR Summit in Austin. This is a great opportunity to participate in the event, network, and receive a lethal forensicator coin all for free. Well, it’s a work-for-rent arrangement, but if you’re happy to put in the work for 2 days I can see how it’s worth it.
    Digital Forensics & Incident Response (DFIR) Summit Social Media Ambassadors

  • Tyler Schlecht at DME Forensics has a synopsis of their talk at ENFUSE next week. Their talk covers the manually and automatically recovering data from DVRs (including data that’s been formatted or deleted).
    Heading to Enfuse?

  • Didier Stevens RSS feed came up with a number of videos utilising his scripts. Some of these were uploaded a little while ago, but if you use any of his scripts it may be worth spending a few minutes watching the relevant walkthrough.
    1. BlackEnergy .XLS Dropper
    2. numbers-to-hex.py
    3. oledump: VBA UserForm
    4. VBE
    5. translate.py: With regex
    6. CMD.DLL: From DLL To VBA
    7. Creating CMD.XLS
    8. xor-kpa.py: XOR Known-Plaintext Attack

  • The students at Champlain College released a few final reports this week
    • The Splunk team sought to examine the option of using the data analytics tool Splunk for digital forensics. The team set out a few questions about whether Splunk was a valid and effective forensic timelining tool and what it can tell us about the data. I’m slightly confused by a few of the lines in the report regarding Splunk not “digging deep” to identify information. In the data collection section the team showed that they only parsed out the MFT metadata, so Splunk, which isn’t necessarily an artifact parser relies on the data it’s given. I would be interested to see them perform a comparison of how other data analytics tools go about presenting the same data, and what features they possess to assist the examiner in quickly identifying items that may be of interest in a timeline (see X-Ways “Relevance” indicator in the above update).
      Splunk Project Report
    • The iOS Jailbreak team chose to focus on jailbreaking iOS 9; explaining how jailbreaking works, what type of data becomes available during forensics analysis both prior to a jailbreak and after, and finally to offer a better understanding of the iOS file structure to aid investigators and future researchers. Unfortunately the team was unable to jailbreak iOS 9 and therefore did not answer all the questions they set out for themselves. The team were “able to thoroughly document where data is natively stored on
      an unmodified device”. I still would like to see the process conducted on a device that can be jailbroken. In some instances tools allow for physical imaging of jailbroken devices and it would be good to have a reference to explain what’s changed – this may not work for the latest iOS devices, but law enforcement no doubt see a vast range of different operating systems and devices
      iOS Jailbreak Report
    • The Bluetooth team set out to explore Bluetooth security; primarily the current vulnerabilities, how to exploit them and how to patch the vulnerabilities. One of the vulnerabilities the team found that once Bluetooth devices have been paired they don’t do any further authentication and instead just connect to the device presenting the same MAC address. This may have ramifications for both smart unlocking of mobile devices, as well as connected door locks.
      Bluetooth Security Report

  • Corey Harrell has a short story about a squirrel in a window-well that serves as an anecdote for routine. My main takeaway from this was one of the final lines: “Every now and then when you are performing routine analysis tasks take the time to stop and think about what you are doing, what you are trying to accomplish, and what you are seeing”. I think the “what you are trying to accomplish” part is particularly important. You can very easily get sucked into running tools and processes to obtain information, but if that information isn’t relevant to your goal then it may not be relevant.
    Breaking Out Of Routines

  • Weare4n6 have a couple articles up this week
    • The first post describes the process of using the Linux Memory Extractor (LiME) to obtain a memory dump on a Linux system (in case the tool’s name threw you). The process appears to be compiling the program specifically for the subject systems kernel version, then loading the program onto a USB and running it to dump RAM (in this case in lime format, onto the USB drive).
      Linux memory forensic acquisition
    • They also shared a volatility plugin that can be used to extract bitlocker keys from hibernation files and memory dumps. This is an alternative to this plugin shared by Tribal Chicken.
      Volatility Framework plugin for extracting BitLocker FVEK

MALWARE

  • There were a couple posts from Fireeye’s Threat Research blog
    • Richard Hummel, John Miller, David Mainor, Adam Greenberg, and Ronghwa Chong shared some interesting statistics about ransomware. The graph showing the massive spike in March is also quite worrying; the expectation that ransomware isn’t going anywhere seems to hold true.
      Ransomware Activity Spikes In March, Steadily Increasing Throughout 2016
    • Junfeng Yang has a written a post describing the various methods that RTF files can be used to distribute malware, as well as the different techniques that exploit writers will use to avoid signature-based detection. The author goes into depth about a few techniques that would be missed by traditional signature scanning methods.
      How RTF Malware Evades Static Signature-based Detection

  • WeLiveSecurity wrote a post about the new decryptor, written by ESET, for the TeslaCrypt ransomware. Apparently one of the analysts contacted the developers of the now defunct malware and requested the universal master decryption key, which they promptly provided. The decrypter works for version 3.0.0 to 4.2 of this ransomware.
    ESET releases new decryptor for TeslaCrypt ransomware

  • Lenny Zeltser compiled some ideas on how to detect and stop ransomware on a machine. His suggestions include flag processes that write to many files too quickly, detecting changing entropy of files, or using canary files that would otherwise not be affected by the user. He also suggested that there may be ways of identifying that malware is being run and slowing its actions to allow the user to react. I quite like the idea of the sinkhole however I feel like the malware authors will find a way to claw their way out.
    How Would You Detect and Impede Ransomware on an Endpoint?

And that’s all for Week 20! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s