Week 27 – 2016

SOFTWARE UPDATES

  • ExifTool was updated to version 10.22. This update adds read support for BPG images, makes minor changes to a few of the new Nikon tags, and updates the Windows version to include all 10.21 updates.
    ExifTool 10.22

  • Andriller was updated to version 2.6.0.1, adding support for several WhatsApp backup databases, GUI improvements, and various bug fixes. Thanks to We Are 4n6 for sharing this.
    Changelog 2.6.0.1

  • Paraben Corporation updated P2 Commander to version 4.5. This version adds support for Outlook 2013/2016 OST databases, Safari History for iOS 8x, as well as partial support for iOS 9 backups. Import of hash databases has been added, as well as exporting from Outlook x64 to PST, along with bug fixes and performance improvements.
    Paraben’s P2C 4.5 Release Notes

  • DME Forensics updated DVR Examiner to 1.23.0. This release added support for various file systems as well as bug fixes.
    DVR Examiner 1.23.0 – Support for Digimerge, Amcrest, Q-See, Digital Watchdog and more!

  • Ryan Benson updated the cookie time discrepancy plugin for his Chrome Forensics tool.
    Detecting Clock Changes Using Cookies

  • Paul Sanderson updated Forensic Browser for SQLite to version 3.1.4 with a few bug fixes.
    New release 3.1.4

  • If a user identifies an error in EDB database processing in the latest X-Ways Forensics, try redownloading the binary, as a DAT file has been replaced.
    X-Ways Forensics 18.8 SR-10

  • X-Ways Forensics 18.9 Beta 6c was released with bug fixes, and 18.9 was later officially released.
    X-Ways Forensics 18.9

SOFTWARE/PRODUCT RELEASES

  • Didier Stevens advised that if you purchase one of his products you will get access to the original MP4 files of the videos on his YouTube channel.
    YouTube Video Promo

  • I’ve seen rumours that EnCase 8 Forensic has been released, however I haven’t been able to get my hands on it yet, nor has the Guidance Twitter account announced it.
  • Guidance have also released their PCIe Card and M.2 SSD adapters for their Forensic Universal Bridge product. These were mentioned in the Forensic Lunch held at Enfuse.
    PCIe Adapters

  • Dan O’Day at 4n68r has released a small utility to view pictures and videos and their EXIF data. If the EXIF data also contains location data then this is presented on a map in the bottom right hand corner.
    Simple Image/Movie Metadata Reader

PRESENTATIONS

  • Patrick J. Siewert has returned with a new Forensicator podcast, this time interviewing Jamie McQuaid from Magnet Forensics. If you haven’t heard, Magnet has a new tool called Axiom. The interview covers Jamie’s history, coming from Blackberry and moving to Magnet, and what led to the development of Axiom (much of which has been covered previously in their webcasts). Jamie advised that the product is in constant development, so they definitely value feedback, and that any artifact updates to IEF will be seen in Axiom and vice versa.
    Link to Forensicator Podcast #103: Magnet Axiom

  • This week’s Digital Forensics Survival podcast covered the AmCache forensic artefact. The AmCache is an artefact that replaces the RecentFileCache.bcf as of Win8, however there have been some reports of it showing up on Win7 systems. This file may contain indications of program execution, however your results may vary, as Harlan found in this blogpost. As always, examining this artefact can be a useful piece of the puzzle. The show notes provide examples of the AmCache parser released by Eric Zimmerman as well as links to other tools and information about the artefact.
    DFSP # 020 – Amcache Forensics – Find Evidence of App Execution

  • Blackbag shared a sneak peek into a feature coming to Blacklight 2016 R2. The new feature allows examiners to create multiple instances of the File Content Viewer. This means that you can have multiple copies on a separate screen showing additional data, i.e. one showing the file preview and another showing the file metadata. These viewers will dynamically update to the currently selected file.
    BlackLight 2016 R2 SNEAK PEEK – Tear Off Windows!

  • Belkasoft uploaded a video showing how to examine encrypted iTunes backup files with their Evidence Center product.
    Belkasoft Evidence Center: Working with encrypted iTunes backups

  • Nuix went up against SentinelOne’s Endpoint Protection Platform to win Forensic Product of the Year at the Cyber Security Awards 2016. Congratulations to the entire team at Nuix.
    Nuix Wins Forensic Product Of The Year At Cyber Security Awards 2016

FORENSIC ANALYSIS

  • Mari Degrazia has continued her series on imaging Macs, this time publishing a tutorial on imaging a Mac using Single User Mode. This method makes minor changes to the drive (as you have to create a mountpoint for your destination drive), however it allows an examiner to decrypt the source drive if FileVault is enabled and the username and password are supplied.
    How to image a Mac using Single User Mode

  • Sarah Edwards has posted some links on the happenings in the Mac world this week. This post covers a couple of pieces of malware, presentations, tools, blogposts, media, publications and her upcoming classes and presentations.
    Mac News & Updates – 07/06/15

  • Cindy Murphy shares her experience with the Computer Fraud and Abuse Act and explains that data theft is no longer just the realm of hackers and crackers; insider threats are even more dangerous, as they come from a trusted source. She also shares some advice for companies on how best to preserve electronic evidence in the wake of data theft.
    CFAA – Not Just for Hackers Anymore

  • DFIR.Training, the new website whose goal is to store a list of all of the available forensic tools and training courses has two posts this week.
  • Digital Residue posted a short review of “Penetration Testing: A Hands-on Introduction to Hacking”, by Georgia Weidman and continued with showcasing exploiting the MS08_067 vulnerability in Windows XP using Metasploit. This is a fairly straightforward vulnerability to take advantage of, so it’s a good start for students learning Metasploit. Digital Residue explains that it’s a good idea for a responder to understand how an attacker was able to access a system so they know what to look for.
    Introduction to Metasploit. (Georgia Weidman pt.1)

  • Michael Maurer’s latest post covers examining Log2timeline output over a large timeframe with Kibana. A common starting place for identifying malicious executables is examining Prefetch files. The author then goes on to show how one can visualise uncommon events using Kibana.
    Log2timeline to Kibana (4.x) Part 4: Finding Evil

  • Foxton Forensics provides a short walkthrough on mounting a forensic image using FTK Imager and then running their Browser History Examiner tool to parse Firefox history. Unfortunately it doesn’t show the output, but they do explain you can get a free trial.
    Examining internet history in forensic images

  • Adrian Leong (AKA Cheeky4n6monkey, cat’s out of the bag Adrian) shared his thoughts on his panel experience at the DFIR summit. This was his first speaking gig so as expected he was a little timid and instead he decided to share his thoughts in this post – my preference of course since I wasn’t able to make it to the Summit. The topics he covered were: Curiosity, Creativity, Scientific Method, Perseverance, Teamwork/Collaboration and Luck; each section was also beautifully illustrated the only way Monkey knows how.
    The quick (well it started quick, but it isn’t, sorry!) summary is basically that a skilled examiner is one that identifies an area of the field that they would like to know more about, and attempts to document it (Documentation is key, days are lost when you do the work but don’t write down what you did or what you found). Along the way you will notice the parts that aren’t adequately documented, or don’t quite do it justice. Compiling available research lets an examiner identify the gaps in knowledge. This step is quite important, because one shouldn’t reinvent the wheel every single time. There are plenty of books, blogs, papers and people that one can get in touch with. One of the reasons I started this blog was because I found that there wasn’t a good place where the information is centralised and provided to the community. There is research being published, but sometimes it just doesn’t reach that many people. I’m looking at you, PhD and Master’s theses. Moving on!
    Many people in this industry are quite happy to help but it’s usually a good idea to do the research first. And if they don’t respond straight away, they’re usually busy, not ignoring you. That being said, I’m guilty of this as well; a good response is “I’m busy right now but remind me again tomorrow/next week etc”.
    And lastly, you make your own luck; you want to get noticed, show people what you’re capable of, and if you’re not currently capable of anything you can jump onto any of the free resources and training and get educated. One of the things about Adrian getting his job at Monkeytown was that I had followed his research for a few years and when the job came up said to Bossman he’ll hit the ground running. That’s something that I would think is important when hiring in a senior position; showing capability.
    One of the lines that actually hits home for me is that when you ask someone for help they are often going to be spending their free time assisting you. This is something that I’ve always struggled with, because I don’t really like approaching people and saying “stop what you’re doing and focus on my problem”. With that in mind, those that are willing to help can sometimes be too kind to say “here’s the bag of tools, give it a go yourself first and then come back to me”.
    And then of course the quote at the end “Successful innovation is not a single breakthrough. It is not a sprint. It is not an event for the solo runner. Successful innovation is a team sport, it’s a relay race”. If we all explain the artifacts that we locate and share our findings, we’re better as a community.
    Panel Beaten Monkey

  • Christa M. Miller has posted on the Forensic Focus blog about the general anxiety people feel when sharing their knowledge. I imagine it’s something that everyone feels, or has felt at some point “I’m sure everyone knows this, so people will laugh at me for sharing something so obvious”. Christa’s absolutely right to try and dispel this. This community is slowly growing, and with that, something you find obvious will be brand new to someone who doesn’t do what you do on a daily basis. I commented on Adrian’s post above in response to an anonymous comment about sharing the information. Basically saying it takes 5 minutes to start a blog, and put out any sort of content – It doesn’t have to be groundbreaking, or even brand new, but it might be brand new to someone, which is useful. And if you do, send me the link and I’ll spread the word to the best of my ability.
    How to Stop Worrying and Learn to Love Your Inner Impostor
    What’s so hard about asking for help?

  • Adam B at Hexacorn has a couple new posts this week
    • The first is part 41 in the “Beyond the good ol’ run key” series. This covers applications packaged by VMware ThinApp (formerly Thinstall) and explains how it could be used to launch an executable. Adam covers modifying environmental variables and dropping DLLs into locations the application looks for. Adam also acknowledges that this method of application execution is probably very low on the list of processes that a malicious actor may use.
      Beyond good ol’ Run key, Part 41
    • The second introduces a Perl script for re-aligning PE files that have been dumped from memory. The fixed file won’t execute, but apparently makes more sense when dumped into IDA.
      PEFix – simple PE file re-aligner

  • We Are 4n6 shared a few articles this week
    • Alessandro Garino at StrangeLoops wrote a blog post on performing a network acquisition of a webpage. The author explains that one should document and record their tools/environment and findings (video recording and network monitoring), as well as generate a hash of the resultant data to ensure its integrity.
      Network Forensics Acquisition
    • They shared their experience at the Belkasoft: White Nights conference (held at the end of June). The post doesn’t cover much technical-wise but they did win a license to an image forgery detection tool created by SMTDP which may be worth looking into.
      Belkasoft White Nights Recap
    • They shared some links to some ransomware decryption tools.
      Ransomware decryption tools
    • And also a spreadsheet containing a list of Ransomware including their properties and decryptors (if available). I’ve added the list to my new Knowledge Base page.
      Ransomware Overview
    • Dr. Philip Polstra, author of “Linux Forensics”, shared his thoughts on digital forensics. This short conversation is a high level overview of what digital forensics is, and where it can be used. Interestingly enough he was asked where someone can go to get a list of tools to use, and he said that there isn’t a centralised location; thankfully our friends at DFIR.Training have that covered now.
      Philip Polstra Discusses Digital Forensics
    • They shared a video created by Rob Meijer on the MattockFS Computer Forensics Filesystem, which is a userspace file system that runs on top of the Linux platform. This was developed as part of the research project he undertook whilst completing his M.Sc Forensic Computing and Cybercrime Investigations at the University College Dublin.
      Mattock File System
    • They shared a tool called MARA, which stands for Mobile Application Reverse Engineering and Analysis.
      Mobile Application Reverse Engineering and Analysis Framework

  • Harlan Carvey has a post covering a variety of different topics. The first is registry analysis and timestomped keys – to identify manipulated LastWrite times an examiner can look at the same keys in the VSCs/System Restore Points if they are available. If the key should exist, based on LastWrite time, in a previous registry hive and doesn’t, then that could be an indication. The second covers PowerShell and provides links to enabling the logging features, which of course is incredibly useful should an attacker utilise this. Thirdly he provides an interesting presentation on CLI tool development and the link to the DFIR.Training website. Lastly he briefly introduces the premise of his talk on ransomware at Archcon and malware execution.
    Updates and Stuff

  • Magnet have announced a new certification program, Magnet Certified Forensics Examiner (MCFE) Certification. The certification can be taken by anyone that has completed the Magnet IEF Essentials – Computer course, and comprises “45 questions that are a mix of theory and practical questions. There is an 80-minute time limit and a passing score is 80% or higher”. They also announced an online transition course to learn how to best use Axiom; this course is free if you’ve taken an Essentials course in 2016, otherwise it appears to be $800USD. Lastly they announced that they are bundling (and discounting) their training packages.
    Magnet Forensics Opens Registration for Certification Program, Launches Special Offers and a New AXIOM Course

MALWARE

And that’s all for Week 27! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!

2 thoughts on “Week 27 – 2016”

  1. Just wanted to take a moment and say thank you for taking the time to pull all this information together. This site is one that I visit each and every week to catch up on what is happening in the industry.
