SOFTWARE UPDATES
- A couple weeks ago Guidance released EnCase 7.13. This is the last update for encase 7. It mainly contained bug fixes.
. - Exiftool was updated to version 10.23 (development release). This update added some new tags and file support, as well as a new commandline option, and the “ability to geotag only GPS date/time if no position information is available”
ExifTool 10.23 - Paraben updated Network Email Examiner to version 7.1, which mainly included stability improvements as well as ‘Export Selected’ and ‘Export To’ logs including the count of exported messages.
Paraben’s Network E-mail Examiner 7.1 Release Notes - X-Ways Forensic 18.9 SR-1 was released with a fairly important bug fix (among others). “The time zone information shown in the evidence object properties of partitions with a Windows installation is now taken from the “current” control set instead of control set 1”. There were also a few other bug fixes.
X-Ways Forensics 18.9 SR-1 - A preview version of X-Ways Forensic 19 is available with some new features. These include improved Edge Browser support and better report formatting, among other features and improvements.
X-Ways Forensics 18.9 PR-1
SOFTWARE/PRODUCT RELEASES
- I was able to get my hands on the release notes for Encase 8.01.01. Notable features include integration with Project Vic, introduction of pathways to streamline workflows (which includes reporting), a refresh button, the return of the fourth pane, as well as various interface and menu changes among other changes.
I had a short time to play around with it last week, and it’s very similar to v7 with a few tweaks. It seems like much of the processing was the same; the artefact processor isn’t as robust as I’d like (ie doesn’t parse jumplists) and I struggle to make use of the timeline view. I still would like a way that I can easily add specified items to a timeline. I’m sure there’s an EnScript for that but I feel like some things should be built into the tool. Guidance also released this blogpost covering the release.
. - Nir Sofer has released a new tool, PreviousFilesRecovery “that allows you to scan the shadow copies of your local hard drive and find deleted files as well as older versions of existing files”.
Find and recover deleted files and previous versions of existing files from Windows shadow copies
PRESENTATIONS
- Cellebrite are hosting two webinars on UFED Reader. The webinars will cover what the tool is, it’s viewing capabilities, and report generation. The webinars will take place on Tuesday July 26 at 8:00AM UTC and Wednesday, July 27 at 3:00PM UTC.
Analyzing Extracted Mobile Data with UFED Reader: A Live Product Demonstration - Guidance Software is hosting a 30 minute webinar showcasing the features of the newly released EnCase Forensic 8. The webinar will be at 11:00 AM Pacific Daylight Time on July 26, 2016.
Best Practices in Digital Investigations using EnCase Forensic 8 Webinar - This week’s episode of the Digital Forensics Survival podcast provides an overview of the Honeynet Project. The project provides a series of challenges and information covering compromised systems and malware. The challenges look quite interesting, especially if you don’t do incident response work day-to-day. And as Michael mentions if you’re planning on getting into IR then completing challenges like these are great at showing initiative.
DFSP # 021 – The Honeynet Project - On this week’s Brakeing Down Security podcast Bryan and Brian covered SANS DFIR training, Mac malware and a bit of news. Brian Boettcher went on the SANS508 training and shared his thoughts. One of the topics of discussion was how forensics wasn’t necessarily relevant in an incident because of logging – I don’t do IR work so take my response with a grain of salt, but I think that mainly applies where you’re part of the security team of an organisation. If you’re an incident responder that’s being hired by an organisation, then chances are either they don’t have a security team, or they haven’t been able to identify the cause of the problem – which may also mean they don’t have the right logging enabled. That would be where generating timelines of Windows artefacts would assist in identifying what happened on a system. As was mentioned, a number of the logging features in Windows aren’t enabled by default (although for servers in particular I’m not sure why).
2016-027: DFIR conference, DFIR policy controls, and a bit of news - After a short hiatus the Forensic Lunch is back. This episode covered what Matt and Dave are working on at the moment. They covered Pancake Viewer, Event Monkey, Event Monkey Monitor and pytskUSBDeviceForensics.
I’m quite interested in the talk on Pancake Viewers module/plugin system; I mainly use Encase as my primary MFT viewer, but I find that the way that I use it is really only conducive to finding and examining content. I tend to export the artefacts out and parse them with other tools either individually or out into a timeline. I think that having a viewer that a) automatically parses the standard Windows artefacts and b) allows you to send them out to other parsers/executables and ingest them back in would be great. Mainly because I’ve run the same artefacts through multiple tools to confirm findings, or identify different data that either tool wasn’t aware of. My 2 cents on the plugin system is that you should be able to load in single command line arguments that pipe out to a timeline format of some sort.
Also thanks for the shout-out for my DFVFS downloader script. You can find it here, yes it needs work to improve its robustness, but it works for now 🙂
Forensic Lunch 7/15/16
FORENSIC ANALYSIS
- Brett Shavers shared an anecdote about obtaining examples of data breaches from presentations. It’s almost a weekly occurrence now that some big company has been breached; which I guess keeps a lot of people in our industry employed…so silver lining?
Never a shortage of examples - Carpe Indicum has a nice walkthrough of how to use Plaso (log2timeline) to generate a timeline. The walkthrough is easy to follow and the commands are explained and provided in a manner conducive to copying and pasting.
Next Generation Timelining with Plaso - The author of DFIR.Training has a new post covering the recent outage, as well as providing a bit of background as to why they developed the site. The next tool category to be added will be “Hacker Tools”. I can see a benefit in a “hardware” section, say for things like the IP Box, SV Strike, or other pieces of equipment that people might find useful but I can see how this may become very general, and limit its use. I think the reviews will be useful, but to really get the most out of it people should be doing tool comparisons – which is something that takes a lot of time and understanding, and I don’t really think too many people will take the necessary resources to do it justice. I hope to be proven wrong, but even I’ve struggled to put together the time to do the comprehensive tool comparison I’d like to do.
dfir.training is back online and moving full-steam ahead - Daniel G shared his thoughts on certifications; a quick summary would be that certifications can be useful to force an examiner to learn something, but you may need to have a base level of knowledge prior, and you must put in the work during the certification/training process to ensure that you come out of it a better examiner. Ultimately you should attempt to incorporate what you’ve learnt in some way. I have noticed a lot of job applications put a professional certification as a preference for hiring, and as some have mentioned this is probably just to use as a baseline. I went through the process of getting the CFCE and I think the process was fairly useful at getting you to think through the problems presented, and the mailing list is quite useful as well.
I agree with Harlan’s comment regarding obtaining the cert; if you do the requisite training course you should come away with the cert without too much difficulty…but at the same time you should then be able to apply what you’ve learnt to your examinations. But then ‘should’ and ‘do’ are two different things. Having a supervisor that understands what you do would be beneficial as it will ensure that the employees are performing to the appropriate standard.
Re the question of showing the value of certification; It really depends on the individual I think. If someone is largely self taught, then getting that certification might validate everything that they’ve learnt. It also means if they get questioned on their qualifications they can say that they have proficiency in the area of which they’re providing “expert” knowledge. Being able to say “I performed this task in accordance with the steps provided during xyz training course” is a good start when questioning one’s method. It also allows people a chance to test their examination skills where there is a known answer.
A word on certs and RFC… - Didier Stevens has been busy this week
- The first post provides a workaround for a driver error in hashcat 3.00. Didier determined that a driver update was needed to fix the error, but the workaround compiles new kernels. He then goes on to explain that updating the drivers later fixed the error.
hashcat 3.00 “fatal error: ‘inc_vendor.cl’ file not found” - The second post shares a NTDS.DIT database file and SYSTEM hive from a Windows Server 2003 Standard Edition with SP1 (English) VM to allow examiners to practice extracting password hashes.
Practice ntds.dit File Part 1 - The next post provides a step-by-step guide for extracting hashes from the NTDS.DIT file; first in a format suitable for John the Ripper and then Hashcat.
Practice ntds.dit File Part 2: Extracting Hashes - The third part in this series covers using hashcat and the “rockyou” database to crack both LM and NTLM passwords.
Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist - The fourth part of the series covers cracking passwords using a brute force method in hashcat. The commands provided will bruteforce LM and NTLM passwords (in time, depending on the power of your CPU/GPUs).
Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force - This post introduces a Python script to generate hashcat toggle rules.
Tool To Generate Hashcat Toggle Rules
- The first post provides a workaround for a driver error in hashcat 3.00. Didier determined that a driver update was needed to fix the error, but the workaround compiles new kernels. He then goes on to explain that updating the drivers later fixed the error.
- Quite a few articles on Forensic Focus this week
- Cheryl A. Purdy has shared a review of Registry Recon by Arsenal Recon. She covers a number of the features; I think a number of which are also available in freely available tools, however a couple of features do stand out. The first being the automatic detection of registry hives in a forensic image (which includes locating hives in containers such as other forensic image files). The second is the reporting – Cheryl shows how quick and easy it is to export a report showing connected USB devices that is presentable.
Review Of Registry Recon - There was an interview with Liam Owens from Semantics 21. Liam explains his background as well as the various products that Semantics 21 makes. Their products primarily designed for law enforcement, through the use of automation attempts to speed up the multimedia review and categorisation process to “allow investigators to find ‘key’ evidence faster including victim identification, reducing investigation time, decreasing costs and the time investigators spend reviewing potentially disturbing material”. I quite liked the response to the question regarding increased reliance on GUI tools. On one hand we would all like to have to the time to conduct research to stay on the forefront of the field, however we know this is not a reality. When people are able to document and share their research and tools developed (paid or free), then it allows people to access data they may otherwise miss.
Interview With Liam Owens, Director, Semantics 21 - This is an article published by the Guardian regarding the investigation and ultimately correction of a number of paedophiles by Strike Force Argus of the Queensland Police in Australia. The investigation required law enforcement to identify the owner of the forum, and then upon his arrest, assume his identity to track down the other users. There’s a bit of debate at the moment about whether or not the FBI should have left a website serving child abuse material online, however citing this as an example, it may assist in identifying and ultimately catching those users.
The Takeover: How Police Ended Up Running A Paedophile Site - Nuix shared the report they compiled upon querying “over 200 digital forensic investigators around the world to discover how they used keyword searches and other analytical investigation techniques”.
Global Report: Making The Case For Visual Analytics In Digital Investigations - Scar has shared a post on the forum by Tootypeg regarding a project on the standardisation of witness statements and reporting. I think it can be a bit dangerous having a standard for reporting – only because I’ve heard of places where law firms won’t accept any tool other than EnCase for example. This leads to a situation where the tool is more important than the data. Maybe reporting is slightly different and I am open to a discussion about what should go into a report. I’ve been considering a project for a while on compiling the different ways that people reports because I more or less had to develop my own style. Maybe I’ll start to make some time to do it.
Collaborators Sought For Standardization Panel
- Cheryl A. Purdy has shared a review of Registry Recon by Arsenal Recon. She covers a number of the features; I think a number of which are also available in freely available tools, however a couple of features do stand out. The first being the automatic detection of registry hives in a forensic image (which includes locating hives in containers such as other forensic image files). The second is the reporting – Cheryl shows how quick and easy it is to export a report showing connected USB devices that is presentable.
- Chad Tilbury at Forensic Methods has a post regarding proactive log review to detect when someone is performing reconnaissance on your systems. Chad explains that people often spend a lot of time looking at their Internet facing servers, rather than the internal systems. Even though an attacker has made it into the system they will still have to perform reconnaissance on the internal network; “Scanning activity should also be easy to identify, particularly once you filter out your own vulnerability scanner activity”.
Blue Team: Reconnaissance Detection - Hana Gazoli at Cellebrite has an article about the feature within UFED Cloud Analyzer 5.1 to extract saved passwords from a user’s Chrome browser or Android phone if the password synchronisation is enabled.
Gain Access to User Credentials saved in Google Account with UFED Cloud Analyzer 5.1 - Sarah Edwards has released a new Python script to parse a number of Plists in OS X (with the most coming from OS X 10.11+). These plists’s relate to files/folders/applications that have been most recently opened.
New Script! – MacMRU (Most Recently Used) Plist Parser - Vitaliy Mokosiy at Atola has posted a series of questions and answers that were asked at the recent Enfuse and Techno Security conferences. He explains that the Atola Insight can write block and image drives to DD or E01 very quickly, and has the ability to interact with damaged drives. Hard drive recovery might not be the core business of a digital forensics shop, but having the ability to image drives that have been damaged can definitely be a bonus. The Insight can also do a drive restore and is significantly faster than EnCase although I don’t think it can interpret E01’s.
Q&A during Enfuse and Techno Security conferences - The Blackbag Training Team have a walkthrough on acquiring data from an iOS 10 device with BlackLight. Apple has changed the format in which iOS creates backups so the workaround shows how to take a backup using the latest version of iTunes, and then modifying the resultant backup before loading it into BlackLight. I’m sure once iOS has been released the process will be automated.
Acquiring iOS 10 Devices with BlackLight - James Billingsley at Nuix has an article that explains that digital forensics examiners should do their best to provide as much information to investigators, whilst being investigators themselves. He then goes on to explain the myriad of tools available within the Nuix platform. And finally provides his answer to the age old question, DF – Art or Science: falling right in the middle, which I agree with.
Picasso: The Digital Investigator - OMENScan at Music, Security, And Technology shares an open source tool called AChoir, which they wrote to obtain artifacts over a network from a remote machine and store them on a server. The post covers setting everything up and explains how the pieces fit together.
Agentless Remote Triage/Artifact Acquisition using AChoir, CIFS, and PsExec - Don Murdoch’s whitepaper was posted to Sans Reading Room. It covered “how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and modern managed switch in order to provide a network forensic tool”.
Portable System for Network Forensics Data Collection and Analysis - Weare4n6 shared a few articles this week
- They shared an article on Hacker Lists of Deobfuscation Tools
13 Awesome Deobfuscation Tools For Reverse Engineers - They have provided a write up of a number of different software write blocking methods; covering Linux, DOS and Windows. Many of the write blockers covered are paid tools and the authors pose the question why they aren’t as popular as hardware write blockers. I have done a small amount of testing on software write blockers and found that in some cases it’s possible to modify data using a hex editor. The software write blocker I had in place utilised the registry hack to prevent writes, so going around that meant that data could be changed. Using a hardware write blocker I have yet to modify data in testing.
Software write blockers overview - They shared an hour long presentation called Introduction to Digital Forensics by Paul van Ramesdonk. I wasn’t able to watch it, but flicking through the slides the talk is a high level overview of how computer forensics came to be, the age of question of what is digital forensics (including the definition, locations of digital evidence and process), and the misconceptions created by the CSI-type TV shows and movies.
Introduction to Digital Forensics
- They shared an article on Hacker Lists of Deobfuscation Tools
MALWARE
- Cindy Murphy at Gillware Digital Forensics has a post explaining some basic techniques for malware analysis on Android devices. The two basic methods being static (“identifying what permissions the app leverages, what sites it contacts, its file name, hashes values, file type, file size and recognition by antivirus detection tools”) and dynamic, where one looks at the code and also examines it whilst it’s running. Cindy also explains that you can upload Android programs to sites like virustotal for further information.
The Buzz About HummingBad - Chris Brewer at Nuix has published part 4 of his series on ransomware. Chris executed the CTB-Locker malware in a controlled environment and captured the results using Wireshark, Regshot, and Process Monitor. He then used Network Miner to examine the packet capture, as well as the three tools used for data capture to examine the packets manually, as well as changes to the file system and registry.
Ransomware Part 4: Analyzing the Results - Thomas Reed at Malwarebytes Lab has a post describing an interesting method of program execution on OS X found in the new Keydnap malware. The malware puts a space after the extension in the file name which prevents OS X from seeing the proper file extension. The malware then operates similarly to other Mac malware, however also utilises a PoC tool to obtain keychain data. Interestingly, because of GateKeeper, when you open the executable that’s purporting to have a different extension you will have to enable it in Security; this should be a warning to people, although it probably wont.
Mac malware OSX.Keydnap steals keychain - Also on the Malwarebytes Lab blog, the Hasherezade has an analysis on the “fileless” Kovter malware, particularly its persistence methods. The malware uses multiple registry keys to unpack and run the payload. The summary at the end shows have many different elements are used during the execution of this malware; it’s very broad – covering batch files, javascript, PowerShell, shellcode, registry keys and environmental variables.
Untangling Kovter’s persistence methods - Hasherezade also posted on her own blog how she went about decrypting a malware sample that a reader had sent her after the steps she provided originally didn’t work as planned. I like the conclusion at the end of the post “There are various mutation of this packing technique – but many of them follow the same general idea. Sometimes we need to fiddle around a bit to find out the familiar patterns” as I feel like it can be applied to many things and not just malware analysis.
Unpacking NSIS-based Crypter – part 2 - The Microsoft Malware Protection Center Threat Research and Response blog has released part 3 of the DUBNIUM APT. This part covers “the overall infection chain structure and the Stage 2 executable details.”
This malware utilises a LNK file that has an icon of a Word document however the command in the LNK file utilises PowerShell (noticing a theme here) to download a binary file. The LNK also downloads a word document to make the LNK file seem harmless. The post then continues to examine the behaviour of the Stage 2 executables and provides a list of hashes for the various infection vectors and other IoCs.
Reverse engineering DUBNIUM –Stage 2 payload analysis - Infosec Diaries has a couple of Malware related posts this week
- Xavier Mertens has written a diary entry on improving the detection of malware on Windows computers through the use of MISP and OSSEC. Xavier has written a Python script that searches “a MISP database for recent IOC’s and inject them into the OSSEC configuration”.
Hunting for Malicious Files with MISP + OSSEC - Didier Stevens shows how to use his YARA rule that identifies malware compiled with PyInstaller and then uses “pyinstxtractor.py to extract the Python code from the EXE”. Now if all malware could be written in Python or .NET that would be great.
Python Malware – Part 3
- Xavier Mertens has written a diary entry on improving the detection of malware on Windows computers through the use of MISP and OSSEC. Xavier has written a Python script that searches “a MISP database for recent IOC’s and inject them into the OSSEC configuration”.
- There were a couple articles of interest on the Darknet blog
- This post shares a Python script called TekDefense-Automater by 1aN0rmus which “given a target (URL, IP, or HASH) or a file full of targets … will return relevant results from [various] sources”.
Automater – IP & URL OSINT Tool For Analysis - They also extolled the benefits of the Cuckoo Sandbox. Having recently played around with various sandboxing utilities there’s definitely a benefit in running the malware in a live environment and logging what it does on the system and where it calls out to.
Cuckoo Sandbox – Automated Malware Analysis System
- This post shares a Python script called TekDefense-Automater by 1aN0rmus which “given a target (URL, IP, or HASH) or a file full of targets … will return relevant results from [various] sources”.
And that’s all for Week 28! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 