Week 23 – 2016

SOFTWARE UPDATES

  • DME Forensics’ DVR Examiner has been updated to version 1.22.0. This update adds support for PAVS_264, IFLY_264 and IFS_M file systems and improves support for IXDVRDISK, hikfat, KSF_RSF, and KSF_dc file systems, as well as some bug fixes.
    DVR Examiner 1.22.0

  • Paraben’s DS has been updated to version 7.5. The update adds acquisition of Android backup data during logical acquisition, support for logical acquisition of the latest version of iOS, new versions of a few apps as well as some bug fixes.
    Paraben’s DS 7.5 Release Notes

  • Eric Zimmerman updated LECmd to version 0.9.0.0 which added support for LNK files referencing ZIP files. Eric assured us that the bug fix did not affect the accuracy of data parsed to date and just related to 2 new shell item IDs that turned out to be related to zip files.
    LECmd updated

  • X-Ways Forensics 18.8 was updated to SR-7, which was all bug fixes.
    X-Ways Forensics 18.8 SR-7

  • X-Ways Forensics 18.9 was also updated to Beta 3 with minor bug fixes and improvements.
    X-Ways Forensics 18.9 Beta 3

SOFTWARE/PRODUCT RELEASES

  • Avishai Shafir has a post identifying the obstacles that Cellebrite wishes to address with the update to their UFED InField 5.2. I haven’t really looked into the InField unit as I’ve mainly just used the UFED Ultimate, but watching the video this device appears to be a large touch screen all-in-one PC that allows investigators a bit more control of the data they wish to extract from a device. From a volume crime standpoint, I like the idea that an investigator can easily extract specific information, i.e. all data from the last week, because it means that they’re only presented with what is relevant. From a forensics perspective, I’m cautious because occasionally I’ve seen automated tools ignore data because it’s not in the exact format it’s after, and also if the case goes beyond the general investigator then it may need further examination by an expert and if the phone’s been returned, well that can make life a bit harder. I do think the targeted downloads may alleviate some concerns in certain jurisdictions by law enforcement extracting more data than the public deems necessary to prosecute an alleged crime (i.e. if a person is pulled over for texting whilst driving, the extraction doesn’t necessarily need to cover their personal photographs).
    Forensic Focus also has an article expounding the benefits of the updated InField unit which can be read here.
    Cellebrite launches actionable forensics data in the field

PRESENTATIONS

  • Jim KempVanEe and Shahaf Rozanski had an hour-long video on utilising social media and cloud data in investigations, which also focused on the use of Cellebrite’s Cloud Analyser tool. The webinar covered obstacles in cloud forensics, different methods of obtaining the data from the cloud and then a case study with Cloud Analyser in action.
    Leveraging Social Media & Cloud Data to Accelerate Investigations

  • I just found a podcast by Michael Leclair called Digital Forensics Survival. The podcast is released weekly and focuses on the presenter’s process as well as forensic artifacts he’s found useful. He’s aiming the show at newer people but I think that it’s always good to go over the basics even if you’re a seasoned examiner. This week’s episode begins a series on password cracking, with this episode covering password psychology. Michael goes through a few studies that have been conducted regarding the common passwords that people use, as well as the common rules that they follow, i.e. if you are told to have a capital and a number the password will probably begin with a capital and end with a number. The aim of this episode is to try and identify what type of attack one should use to obtain the passwords they require. I’ve used a number of different tricks to ascertain passwords in the past, some successful, some not. These range from searching for the users’ email addresses on websites like Have I Been Pwned, identifying stored passwords in web browsers and locating passwords in hibernation files (which Passware is great at, but I would highly recommend then searching for the located password manually to identify any surrounding information). Lastly one can generate wordlists (with which I’ve had limited success), or use hash tables and brute force as a last resort.
    DFSP # 016 – Password Psychology

  • Britec posted a video showing viewers how to use ShadowExplorer to extract files from volume shadow copies.
    Easy Way to Recover Files and Folders using Shadow Volume Copies

FORENSIC ANALYSIS

  • Volume 17 of the Journal of Digital Investigation was released. Unfortunately this issue isn’t open access. It contained the following articles:
    • A forensic insight into Windows 10 Jump Lists – Bhupendra Singh, Upasna Singh
    • Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave transceiver – Christopher W. Badenhop, Benjamin W. Ramsey, Barry E. Mullins, Logan O. Mailloux
    • Rapid Android Parser for Investigating DEX files (RAPID) – Xiaolu Zhang, Frank Breitinger, Ibrahim Baggili
    • Forensic analysis of Kik messenger on iOS devices – Kenneth M. Ovens, Gordon Morison
    • Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study – Jongseong Yoon, Doowon Jeong, Chul-hoon Kang, Sangjin Lee
      Volume 17

  • CRU have released an infographic expounding the benefits of the newly released Ditto DX. We can see drives getting larger every year, so having the ability to extract a logical image can be quite useful in terms of extraction speeds. Even having the ability to extract a logical image prior to taking a physical may speed up your examination as you can work on the data prior to the long-winded physical extraction process. As mentioned in a previous post, the Ditto DX has also included USB3 ports so that should assist as well. It also appears that the original Ditto is still going to be sold as well.
    Ditto DX vs. Ditto

  • The Blackbag Training Team shared a couple of posts:
    • Their first post covered their findings on the use of Continuity, a feature of iOS/OS X that allows a user to continue their browsing across multiple devices. What the team found was that if the user syncs their internet history with iCloud then even if they delete their history off one device, it will remain on the other. The only downside to this is that the other device will contain both devices’ internet history, with no way to discern which device was used to access the web pages (although I suppose this is the case). This can cause issues should a practitioner choose to use the fact that a webpage was accessed by a person with exclusive use of a device as a critical component of their examination.
      Safari History and Continuity: Was the Page Viewed?
    • Their second post continues their research into Windows memory forensics. The post describes a few different memory formats (although this includes the Windows files hiberfil, crashdump and pagefile) and explains their advantages and disadvantages. The list of acquisition tools is quite useful since it provides a little bit of information about the tools themselves.
      Windows Memory Forensics – Part 2

  • Sarah Edwards has released a new Python script to extract all location information from certain iOS databases and export them to CSV and KML.
    New Script – iOS Locations Scraper

  • Ryan at Obsidian Forensics has decided to look into the potential wealth of information contained within the Amazon Echo ecosystem by examining the Echo app stored on his iPhone. (Help @cheeky4n6monkey get an Echo to dissect by clicking here. I propose he call it “Will it blend? If so, is this an effective method of chip extraction?”).
    Ryan has produced a Python script that parses the extracted database, although I don’t think it extracts the audio files. For the Android side of the equation, the students at Champlain produced this report a few weeks back.
    Alexa, Tell Me Your Secrets

  • Brett Shavers has a new post describing the different types of identities a person can have and the importance of generating a complete identity of a person. This post is primarily aimed at investigators who have to identify a physical person from the series of monikers that they may go by on the internet.
    A complete identity comprises a person’s physical traits (looks, gait, DNA and other biometrics) and their online persona/s and internet usage.
    A person can have multiple online personalities, whether they are intentional or not, but analysis of their usernames, internet history, even the folder structure on multiple computers may give them away.
    Compiling Identity in Cyber Investigations

  • Forensic Focus interviewed Noora Al Mutawa, Head of Computer Examinations at the Dubai Police, at DFRWS in Lausanne in March. Noora presented her research on using behavioural evidence analysis with digital forensics techniques on a number of different cyberstalking cases investigated by the Dubai Police. Noora explained the difficulties that she was presented with in establishing a physical identity based on an online persona, not too dissimilar to Brett’s post above.
    Interview With Noora Al Mutawa, Head of Computer Examination, Dubai Police

  • Juan Aranda has started up a new blog called RaptIR, releasing a Python script for parsing the RecentDocs registry key into a pseudo-timeline. The script goes through the RecentDocs key and pulls out the last write times as per Dan’s blog post.
    I wrote a RegRipper plugin to do this a couple of years ago which can be used to double check the output; although I don’t know how well RegRipper (or the Windows command prompt) deals with Unicode. That and I should probably revisit the plugin since the name clashes with a script Harlan wrote that extracts just the last file access times and doesn’t create the pseudo-timeline, and the extracted times are in UNIX time which isn’t particularly readable.
    RecentDocs Python Script

  • Harlan Carvey has a couple of posts this week
    • The first shares Mari’s recent post on the OS X QuickLook artefact as well as one of James Habben’s posts on report writing along with his thoughts. I agree that report writing is a critical component of an examination and one should take the time to write a concise report for the client; maybe not 140 characters, but it’s probably best not to add in extra $10 words or unnecessary paragraphs. I’ve found that ultimately it’s best to have a document that describes exactly what you’ve done, that’s easy to read when you’re called to discuss the case months or years later, and another report that is provided to the client with all the information that they need (because they ultimately don’t care that you checked x, y and z to say you couldn’t find something).
      Wait…There’s More…
    • Harlan’s second post describes a couple of updates that he’s made to the lastloggedon and shimcache RegRipper plugins as well as when they may be used in an investigation. He also shared Yogesh’s previous post on the Win10 Notification database, his experience with the Amcache.hve (or rather having limited success with locating programs that have been executed, as opposed to the appcompatcache) and lastly Luis Rocha’s post on prefetch files.
      Updates

  • James Habben has written a post about peer reviewing reports. James suggests that practitioners should have at least two people review their work; one being a peer, and another a manager. This has the benefit of getting a quality check, asking for suggestions for improvements in both writing and workflow, and even getting noticed by peer and manager alike. Reporting is a critical component of forensic work, because as Harlan mentioned in the article above “you can be the smartest, best analyst to ever walk the halls of #DFIR but if you can’t share your findings with other analysts, or (more importantly) with your clients, what’s your real value?”
    Reporting: Benefits of Peer Reviews

  • Gillware posted a few articles this week; however, they were mainly hard drive recovery case studies. A list of the case studies can be found here. There was one that was interesting from a DFIR standpoint that covered the recovery of a damaged, PIN-locked mobile phone. The team at Gillware were provided with a ZTE N9132 “Prestige” chip extraction which wasn’t supported for passcode-bypass by any of the tools they had available to them. The device was extremely damaged, and should it have been supported I imagine they would have gone the easy route and repaired it. The team determined that the best method of extraction was chip off and sought a test phone to ensure that their process was repeatable and worked. This is the critical point worth mentioning: rather than “giving it a go”, they took the time and resources to perform an extraction on a test phone before undertaking the exhibit. Upon extracting the physical image the team was able to parse the data using UFED Physical Analyzer, which can ingest the raw dump. As a side note, I’ve recently found that sometimes you can get a full physical extraction that “parses” with UFED PA and reports no errors but doesn’t give you all the data. By comparing the extracted data with an external source (in this case call logs), I was able to determine that the first extraction wasn’t “complete” and needed to be redone. This is one of the main issues with forensics: verifying that the data you are presenting matches the data on the device. Usually with phones it’s relatively simple, unless you remove the chip, or it’s badly damaged and won’t turn on again. Also if anyone has any suggestions on virtualizing a phone extraction (maybe using the Android/iOS developer toolkits) that would be great.
    Forensic Case Study: ZTE N9132 “Prestige” Prepaid Boost Mobile Chip Off

  • Part 2 of DFIRBlog’s “Tracking Hackers In Cyberspace” is up. This time it tracks would-be attackers trying to SSH into the honeypots and throws up a number of interesting statistics about how they attempted to get in, and what they did if they succeeded.
    Funny Honey – Tracking Hackers In Cyberspace Part 2

  • Michael Karsyan at Event Log Explorer has a post on the events generated from running an executable if process auditing is enabled (and how to use their product to identify this information). The two events generated in the security log are 4688 for process creation and 4689 for process exit. Apparently in Win10 the event description should also contain the name of the parent process (as a “Creator Process Name” field).
    Process tracking with Event Log Explorer

  • Two posts showed up on Elcomsoft’s blog.
    • Oleg Afonin posted the first part of a comparison of Apple and Google’s fingerprint unlocking capabilities. The article begins by describing Apple’s Touch ID, including the variety of features Apple has implemented to secure the user’s data. The author then lists the process to follow to give you the best chance of retaining access to a seized iOS device (i.e. Faraday bag, if it’s unlocked change the settings so it doesn’t lock).
      Fingerprint Unlock Security: iOS vs. Google Android
    • Vladimir Katalov has posted part 1 of a 2-part series on BitLocker Encryption. This post details the differences between Forensic Disk Decryptor, which utilises the decryption key extracted from memory or the recovery key, and the Distributed Password Recovery tool, which uses a dictionary or brute-force approach.
      The author then describes the different ways one is able to obtain the keys; mainly extraction from hiberfil or a live memory capture (the link to the Moonsols tool is incorrect as the company has changed names. Get their updated memory acquisition tool here), although it’s also possible to acquire memory through Firewire in some instances. The post then shows screenshots of the tool in use.
      Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part I)

  • Yuri Gubanov and Oleg Afonin at Belkasoft have released part 3 of their SSD and eMMC forensics series. They started by covering TRIM, the feature whereby an SSD will clear blocks that are no longer considered in use, and covered the different levels of TRIM support that one might need to know about. Lastly they linked to their newly released SSD TRIM check tool on GitHub.
    SSD and eMMC Forensics 2016 – Part 3

  • Adam at Hexacorn has three posts this week:
    • The first post shows how he stumbled upon Unicode characters in the Win10 registry. These characters, taken from the universal character set, appear to be three globes. Tool makers may have to update their code to display these characters, although Win10’s cmd.exe can’t display them either.
      Win10, Registry, and fun with UCS/UTF16
    • Adam also updated his table showing a list of all the registry keys parsed by all RegRipper plugins available.
      Minor update to 3R
    • This post shows a few error messages that Adam has received during his automated malware testing in VMware. Occasionally, files will cause the VM to crash (which is bound to happen when you run a large number of samples in an automatic fashion).
      Enter Sandbox – part 11: Breaking the sandbox, literally 🙂

  • Weare4n6 have written/shared a few articles this week
    • Nihad Ahmad Hassan and Rami Hijazi have written a new book titled “Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense”, which is due out 15th October 2016.
      Data Hiding Techniques in Windows OS
    • The next post is a walkthrough on examining an iTunes backup with Oxygen Forensics, also including a brief background of the locations and files involved.
      iTunes backup forensic analysis
    • They shared a post from the Acunetix blog on examining Apache log files to identify a breach. The post includes a number of very useful search strings which can be used to locate entries of interest.
      Using logs to investigate a web application attack
    • Lastly they shared a new book that should be released in August called “Practical Forensic Imaging: Securing Digital Evidence with Linux Tools” by Bruce Nikkel. As the title suggests the book appears to cover the acquisition process using Linux tools across a range of practical scenarios.
      Practical Forensic Imaging: Securing Digital Evidence with Linux Tools

MALWARE

  • Didier Stevens presented a case study where he was given a partially encrypted PDF file and was able to recover a large majority of it by rebuilding the unencrypted sections.
    Recovering A Ransomed PDF

And lastly Devon Ackerman has sent me a link to his “Digital Forensics / Incident Response – The Definitive Compendium Project” which he has allowed me to share. It’s a Google Sheet which contains a list of certifications and training, undergraduate and postgraduate degrees, associations and memberships, forums, wikis, magazines, books, blogs and challenges available to the community. I’m sure Devon would appreciate anyone that heads over and submits some extra information to put up.

And that’s all for Week 23! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
