Week 30 – 2016

SOFTWARE UPDATES

  • Evimetry was updated to version 2.1.2 with some bug fixes and acquisition improvements.
    Release 2.1.2

  • Blackbag released Blacklight 2016 R2 with a host of new updates; improved offline maps, additional email parsing and analysis, a new data ingestion user interface and the ability to tear-off the ‘File Content Viewer’ and more. The post has more detail, including pictures, so is worth checking out.
    Blacklight 2016 R2 Is Now Available!

  • Elcomsoft updated their Distributed Password Recovery tool to version 3.02.959. This update adds support for the NVIDIA Pascal GPU architecture, optimisation of  ZIP and RAR/RAR 5 recovery and GPU-accelerated recovery for FileVault 2 containers, OS X user account and password-protected DMG files.
    Elcomsoft Distributed Password Recovery Enhances MacOS Forensics, Adds Amazon EC2 Support, Breaks ZIP and RAR Archives Faster

  • VMRay Analyzer updated to version 1.11 adding automated file submission by CarbonBlack, redesigned dashboards, YARA rules support, remote VNC access through the browser, auto-detonation of links in Office documents among other features.
    VMRAY Analyzer V 1.11: YARA, CarbonBlack And More

  • Didier Stevens updated a couple of scripts this week
  • Phil Harvey released a new developmental build of ExifTool (now at version 10.24) which added support for a number of new tags.
    ExifTool 10.24

  • Guidance Software released a firmware update for the TD3, the T356789iu, and the DI UltraBay 4d (v7.15). The update adds writing to NTFS and HFS+ destination filesystems, improved iSCSI read and write performance and various bug fixes to the TD3, and improved imaging performance and NVMe PCIe M.2 detection/mounting for the T356789iu, and the DI UltraBay 4d
    Tableau Firmware Revision History

  • Oxygen Forensics released a point update to their Detective product (now at version 8.5.1) specifically to parse the iOS and Android Pokémon Go apps.
    Oxygen Forensic® Detective extracts data from Pokémon Go!

  • Eric Zimmerman updated his Link File parser LECmd to version 0.9.2.0 with a minor bug fix.
    LECmd Updated

  • X-Ways Forensic 18.9 was updated to SR-5 with a number of bug fixes and enhancements.
    X-Ways Forensics 18.9 SR-5

  • X-Ways Forensics 19.0 PR4 was released. This added some new columns in the directory browser, as well as improvements to dealing with hash databases.
    X-Ways Forensics 19.0 PR-4

PRESENTATIONS

  • Dave and Matthew hosted Phil Hagen and Eric Zimmerman on this week’s Forensic Lunch. Phil spoke about the SOF-ELK VM which was created for the SANS FOR572 course and put a security and forensic twist on the ElasticSearch, LogStash and Kibana stack. Eric showed the latest beta of his Jumplist Explorer tool which is a GUI for JLCMD.
    Forensic Lunch 7/29/16

  • SANS DFIR uploaded a talk by Jake Williams from the DFIR Summit 2016 on the potential for false flag operations in the DNC hack.
    DFIR Summit 2016: Potential for False Flag Operations in the DNC Hack

  • This week’s episode of the Digital Forensics Survival podcast presents a short comparison of X-Ways, Encase and FTK. Michael explains that X-Ways wins on price and the ability to run on a less powerful machine however the reporting in FTK and Encase is generally better. Michael also explains that FTK comes with the Password Recovery Toolkit and the Registry Viewer application (although the later is freely available, but I’ve found it crashes a lot), and has good shadow copy and hashing support (due to the Known File Filter). Encase however is easier to use when dealing with hidden partitions (or partitions that don’t mount automatically; I’ve found it useful for dealing with corrupted MBR’s).
    DFSP # 023 – Battle Royale: FTK vs EnCase vs WinHEX
    .
  • Scott Moulton has shared three hours of content from his hard drive recovery course. If you’re unsure whether to take his class I would suggest starting here and getting an idea of what you’re getting yourself into.
  • Cellebrite is hosting a 30 minute live product demonstration of UFED Analytics Desktop on Tuesday, August 02, 2016 at 8:00AM and 3:00 PM UTC. You can register at the link below.
    UFED Analytics Desktop  LIVE Product Demonstration

  • Blackbag is hosting a webinar on BlackLight 2016 R2’s New Features at 4:00 PM GMT on Wednesday, August 3rd.
    BlackLight 2016 R2 New Features Webinar

FORENSIC ANALYSIS

  • Brett Shavers is in the process of updating his X-Ways Forensics course and creating a new Forensic Boot CD Course, which replaces the WinFE online course. This new course covers “Linux forensic CDs along with some updated WinFE information”. Brett also provides a link to download the Mini-WinFE builder.
    Mini-WinFE and XWF

  • Cheeky4n6Monkey has been hard at work in Monkeytown doing some research into the stock Android Gallery3D app. As per usually he goes through the structure of the artefact, showing examiners how to manually perform the task before providing a Python script to get all the data for you. I particularly like how he included the testing process that was used, which should make it easier for someone to validate before relying on the output of the script on their device.
    A Timestamp Seeking Monkey Dives Into Android Gallery Imgcache

  • Adam at Hexacorn has two posts this week
    • The first post is a new addition to the “Beyond good ol’ Run key” series. This post shows that in Win10 when a user logs in with a remote desktop session the operating system will query a specific registry key and if it exists, it will load the DLL stored in the “path” value.  Adam then goes on to show how this can be used maliciously.Beyond good ol’ Run key, Part 43
    • The second covers dummy, retired, or unfinished code found in current DLLs. Several library functions will return consistent known values and Adam describes a “number of potential tricks we can pull using APIs returning predictable, or very specific values, or behaving in a predictable way”.
      Returning the call – ‘moshi moshi’, the API way (a.k.a. API cold calling)

  • Didier Stevens has released a short video on how to use the secretsdump Python script to extract hashes from the ntds.dit database.

    Video: ntds.dit: Extract Hashes With secretsdump.py

  • Oleg Afonin at Elcomsoft posted a few articles this week
    • This first post covers using Elcomsoft Distributed Password Recovery tool to brute force BitLocker encrypted volumes. They also covered using GPU acceleration to improve the number of passwords per second EDPR can throw at the file. The scary statistic is how much time it would take (7000 years) to brute force an 8-symbol alphanumeric password, and highlights the importance for building up a wordlist before relying on the hail mary brute force attack.
      Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part II)
    • This post covers FileVault2 which is found on OS X 10.9 and above. Oleg covers the 256-bit XTS-AES Key located in RAM, which can be used to unlock a mounted volume, the Recovery Key, which is provided when the volume is setup and may be stored in iCloud (or written on a piece of paper), and decrypting volumes with multiple users. Oleg then walks you through using EDPR to “attack plain-text passwords (in addition to user account passwords) protecting disk volumes encrypted with FileVault 2.”
      Mac OS Forensics: Attacking FileVault 2
    • A few months back NVIDIA released the GTX 1080, which Oleg shows has significantly improved on previous models. Elcomsoft has built in support for the new architecture in the latest EDPR.
      NVIDIA Pascal: a Great Password Cracking Tool
    • The last post covers the seemingly painless process of creating an Amazon EC2 instance to assist in password cracking. Oleg mentions that the EC2 instances use graphics cards that function around 2.8 times slower than the new GTX 1080’s, so it may be worth doing the math on purchasing your own password decryption machines if this is something you will do regularly.
      Building a Distributed Network in the Cloud: Using Amazon EC2 to Break Passwords
  • Quite a few updates from DFIR Guy at DFIR.Training
  • David Dym at the RRTX Blog has a post on different tools for parsing metadata from files. These tools include Apache Tika, Phil Harvey’s EXIFTool and David’s own MetaDiver. As has been mentioned by many others, David expounds the benefits of parsing artefacts with multiple tools in case your current tool doesn’t know how to properly deal with the file of interest (and failing that you’ll have to go digging into the structure yourself).
    Extract document #metadata – #Tika and #exiftool

  • Ken Pryor has returned to blogging to promote this year’s ArchC0n, taking place later next month.
    ArchC0n 2016

  • Cindy Murphy at Gillware Digital Forensics provided a short study of an employee data theft case she recently worked on. Unfortunately Cindy had to deal with an overzealous client who decided to look for the evidence themselves, which in turn made her job harder. She then utilised a number of free and paid tools to examine the restore points taken shortly after the theft and examine the system as it was then.
    Case Study: Employee Data Theft

  • Rob the Hex Ninja returns after a short hiatus with a post on his favourite Hex Editors. Rob provides a short description or WinHex, HexWorkshop, 010 Editor, Notepad++ (with the Hex Editor plugin) and HxD before showing an example of his hex-fu in manually carving JPEG images.
    Hex Editors Phoaar

  • Jared Greenhill at Just Another DFIR Blog has shared his analysis of question 5 of Forensic Challenge #4 shared by Binary Zone last year.
    Solving the Binary Zone Forensic Challenge #4 (question #5)

  • Pasquale Stirparo on the SANS ISC Diary regarding the pros and cons of sharing intel information. There are two schools of thought; on one hand we shouldn’t let people know what we know, on the other we should assist our fellow compatriots so that the field can progress. It’s hard to fault either side, because you don’t want the vendors to fix a flaw that you can exploit to solve crime (in LE DFIR), but at the same time, if you share the information and another investigator can solve a crime, do you have a duty to do so?
    Sharing (intel) is caring… or not?

  • Jonathan Zdziarski has written a post on privacy implications of the WhatsApp messaging app on iOS so that people have an idea of what the current state of play is in forensic analysis. When deleting messages WhatsApp doesn’t immediately vacuum the sqlite database and as a result those deleted messages may be able to be recovered. Jonathan then goes on to explain how a user can secure their device to improve their security/privacy. Ultimately he’s advocating for the app to protect the user’s privacy by securely deleting messages and not allowing the database to be backed up. I’m in two minds about his calls to ensure that deleted data cannot be retrieved, on one hand once a user has deleted their data that data should be irretrievable because that’s what the user is expecting, but on the other the bad folk delete their communications, so it would really inhibit law enforcements chances of recovering wrong-doers communications.
    WhatsApp Forensic Artifacts: Chats Aren’t Being Deleted

  • Weare4n6 shared a few articles this week

MALWARE

  • Malwarebytes shared a couple of interesting articles
    • This post shows a few tricks for decoding javascript downloaders used to obtain the Locky malware.
      From Locky With Love
    • They also examined “one of the malicious executables recently delivered by RIG Exploit Kit”, which was a .NET cryptor. As the code was written in .NET the examiner was able to decompile and examine the code.
      Unpacking yet another .NET crypter

  • SANS ISC Diary have a couple of entries of interest
    • Didier Stevens continued his series on Python Malware; this time showing that you may come across Python bytecode after running pyinstxtractor.py, and you will need to add an 8 byte header to the file before running it through a Python bytecode decompiler like Easy Python Decompiler
       Python Malware – Part 4
    • Didier also showed how to use his new Python script rtfdump.py (version 0.0.2) to examine a malicious RTF file. The post goes through the various elements of the script used to analyse the file.
      Malicious RTF Files
    • And lastly Didier links to Philippe Lagadec’s rtfobj (developmental release v0.48) which can also be used to examine the malicious RTF file.
      rtfobj

Lesley Carhart has reached out in a blog post for spare and unwanted infosec con tickets that people wish to donate to military veterans and military members interested in the field. If you wish to be on the giving or receiving end then DM the Infosec_VetTix Twitter account.
InfoSec tickets for Veterans & Twitter Feed!

And that’s all for Week 30! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s