Week 24 – 2016

SOFTWARE UPDATES

  • Didier stevens updated oledump to version 0.0.24. This update adds the ability to decompress macro streams before calculating the md5 of the stream. This allows users to take two different samples and determine that the internal macro code is similar or different. Update:oledump.py Version 0.0.24

  • MSAB updated XRY to version 7.0.1 and XAMN Spotlight v1.1 Beta.
    • In XRY they updated 39 new app versions, added support for recent WhatsApp encrypted databases, improved the ability to identify deleted records from SQLite databases and added an option for the selection of XRY Camera image resolution.
    • In XAMN Spotlight 1.1 they added additional export functionality, a QR code decoder, XAMN viewer to view 1 XRY file without a license as well as other minor improvements.
      XRY v7.0.1 & XAMN Spotlight v1.1 beta

  • Eric Zimmerman has updated Registry Explorer to version 0.8.1.0. The major part of this update is the ability to use plugins, as well as various other features such as exporting values to various formats, base64 decoding, usability updates and various bug fixes. Eric’s post goes into depth on how to use the tool and how the plugins work, and he’s written a 79 page document to go along with it.
    Registry Explorer 0.8.1.0 released!

  • X-Ways Forensic 18.8 was updated to SR-8 which provided a couple of bug fixes.
    X-Ways Forensics 18.8 SR-8

  • X-Ways Forensic 18.9 updated to Beta 4 and then 5 during the week. The updates added command line support for creating cases, adding images and refining the volume snapshot, updates to various X-tensions, as well as other minor improvements and bug fixes.
    X-Ways Forensics 18.9 Beta 5

PRESENTATIONS

FORENSIC ANALYSIS

  • The Blackbag Training Team had a couple of posts up this week
    • Since Apple has discontinued support for QuickTime support on Windows BlackLight 2016 R2 has been updated to use whatever the default app may be for playing media files. The team recommends using Windows Media Player 12 and downloading non-default codecs from the link provided in the post.
      Life After QuickTime for Windows – Not So Bad
    • The second post advises that F-Response Universal and Now can be used with BlackLight as F-Response recently added native examiner functionality for Mac OS X.
      Using BlackLight with F-Response’s Universal/Now

  • Ayman Shaaban and Konstantin Sapronov, author of the book Windows OS Forensics, describe the skills required in an incident responder – covering both the technical skills, as well as the soft skills of communication, presentation, teamwork etc. There’s a list of equipment in the middle of the post that I think is quite useful. As an addition, I would format some of the hard drives to HFS (unless you carry a Mac with you), for live acquisitions, and also spare batteries for the camera. And dongles, cannot forget the precious dongles. They then explored live response of volatile and non-volatile data. Towards the end of the post are some useful commands to run on a live machine to save some of the volatile data (although not memory acquisition), registry and other artifacts of interest.
    Incident Response and Live Analysis

  • Cindy Murphy shared her impressions of her new career in the private sector, working at Gillware Digital Forensics. Her first impression was the extent to which her current employer is being utilised by the public sector, the second, the amount of information that can be learnt from the data recovery community, and lastly the “distractions” in the office are used to spur productivity.
    Reflections on the First Month at Gillware Digital Forensics

  • Mari DeGrazia has started a series on imaging Macs starting with the Linux Live distro Caine. Caine has some nifty features to ensure that the user doesn’t inadvertently mount the internal hard drive, and the user can then use an imaging tool such as Guymager to create a forensic copy of the data. The post also describes Mari’s experience using Kali Linux for data acquisition.
    How to image a Mac with Live Linux bootable USB

  • Digital Residue describes the different files that can be utilised in memory analysis. These include the pagefile, hiberfil, swapfile, vmware files as well as a capture of physical memory. The author then goes on to show how you can use FTK imager from a USB drive, or Mandiant Redline to acquire the physical memory. The post is quite similar to this one on Blackbag’s blog last week regarding memory files.
    There is a bit about running FTK Imager from a USB drive through a write blocker; I’d advise against this, because you’ll have to write your memory image back out to your drive, and the write blocker will inhibit your ability to do that, without affecting the impact your actions have on the target system (would probably make it worse if the write blocker requires drivers, and you’d need to connect an additional drive to store your output)
    Memory Acquisitions. (Memoryze, FTK imager, Sleuthkit, etc.)

  • Thomas White has written a tool to convert a memory image from raw to padded. The Python script uses the original proc/iomem file from the system or a file containing the “BIOS-provided physical memory map”, with plans to automatically analyse the file to extract the requisite information in the future. Most of this went over my head, but the walkthrough at the end shows the tool in action, taking a memory dump that was previously unable to be examined by Volatility and converting it into something that can.
    Converting a memory image from raw to padded

  • Patrick Siewert AT Pro Digital Forensic Consulting shared his thoughts on holistic investigations with respect to mobile devices. Patrick explains that this means combining the evidence obtained by (multiple) forensic tools on the device itself with external information such as call logs from the provider and router IP logs. The author then continues to describe a number of different cases where this type of analysis would be useful.
    Holistic Mobile & Cellular Investigations

  • Weare4n6 shared a few posts
    • The first post shows how you can use the free tool, iFunBox, to acquire files from an iOS device.
      Direct iOS devices acquisitions with iFunbox
    • The second shares an article from SecurityAffairs which shows how attackers are tricking people into providing their 2FA code. The attackers ingeniously will attempt to login to an account, and then, if they’re able to determine the victim’s mobile phone number, text the victim advising that they require the 6 digit code they (read: Google) are sending to “temporarily lock the account”. Of course the attackers will then use the credentials to login.
      How to bypass two-factor authentication with a text message
    • They shared a lab posted on InfoSec Institute regarding how to conduct memory analysis using Mandiant’s free Redline tool. The article has samples to work with and lots of pictures to make sure you can follow along.
      Memory Analysis Using Redline
    • They shared a link to Apple’s developer notes on the new file system, APFS, that was announced at last week’s WWDC. This filesystem will be on new Macs going forward from the next operating system release. I imagine existing updates will remain on HFS but Macs purchased once the OS/FS is released will be on APFS. It will be interesting to see how quickly the tool developers are able to support the new FS….I really wish the companies would all standardise on one file system though.
      APFS – a Next-Generation Apple File System
    • They advised that the EC Council have updated their set of computer forensics books to include a number of second editions released this year.
      Update your library

And that’s all for Week 24! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s