Week 31 – 2016


  • Elcomsoft updated their Cloud Explorer product to version 1.10.12742. This version allows examiners to download Gmail data through the Gmail API (which is faster than IMAP) and additional HTML reports.
    Collecting Evidence From Google Accounts Gets Easier

  • Magnet Forensics recently updated AXIOM to version 1.0.4. This contains the same app support level as IEF 6.8.1. This post covers the Uber (rider) app, and identifies that Axiom/IEF can recover a plethora of information including origin, route, destination, and driver details.
    Magnet AXIOM Adds Forensic Support for Uber

  • Victor M. Alvarez at VirusTotal pushed the latest update to YARA (version 3.5.0) during the week with various performance updates and bug fixes.
    YARA 3.5.0

  • Didier Stevens made a small update to rtfdump.py (now at version 0.0.3) and added new rules to rtf.yara. The blog post also includes videos he’s uploaded showing his examination of a couple of RTF files containing known exploits.
    rtfdump: Update And Videos


  • Peter Kacherginsky at FireEye shared a post describing their new tool, FakeNet-NG, which is a Python rewrite of the FakeNet tool developed by Andrew Honig and Michael Sikorski. FakeNet-NG “allows you to intercept and redirect all or specific network traffic while simulating legitimate network services”. This post covers how to obtain and run the tool and what it’s capable of (identifying the executable that’s generating the traffic, storing the traffic in a PCAP, listening on various known service ports (HTTP, HTTPS, DNS, SMTP, TCP/UDP 1337), and more).


  • This week’s episode of the Digital Forensics Survival podcast covers RAM capture. Michael explains that the examiner should be aware of the footprint that the capture tool leaves on the machine (any tool running on a live system is going to affect memory, but how much may come into question later down the track). He advises that for faster acquisition an external hard disk or SSD should be used, and then covers the benefits of extracting RAM: obtaining running processes, determining which program performed an action, potentially obtaining encryption keys, etc.
    DFSP # 024 – RAM Extraction Tools – Part 1

  • There was a bit of commentary by Eric Zimmerman on last week’s DFS podcast that I thought I’d link to, as he felt that X-Ways wasn’t fairly represented. X-Ways is by far the cheapest forensic tool out of the three, and does appear to provide a lot of value for money. Eric mentioned that X-Ways’ VSC support, hashing, and search are superior to the others, and that the tool’s reporting has improved a lot. I think Eric makes a good case for X-Ways being a tool that people give a good look at; even if it was exactly the same functionality-wise, it’s significantly cheaper, and if you’ve followed this blog, there’s an update almost every week. The same cannot be said for Guidance or AccessData.
    Check out @EricRZimmerman’s Tweet

  • DFIR Guy at DFIR Training also put out a call for a proper comparison, which can be a monumental task if done properly. Maybe it needs to be broken down into discrete tasks and then it may be more manageable? It would require the examiner to run the tools on the same machines for all tests though, and that may be a deal breaker if resources are tight. Not to mention that I think I recall seeing that, for optimal performance, you should run FTK with multiple machines.
    Comparison FTK/Encase/WinHex

  • On this week’s Brakeing Down Security podcast Bryan and Brian covered Mimikatz including its uses and defenses against it. Mimikatz is a very easy way to obtain credentials on a system, so it’s worth a listen (and read through of the links in the show notes) if you have to defend against it.
    2016-030: Defending Against Mimikatz and Other Memory based Pas…


  • Oleg Afonin at Elcomsoft provided more information on how their Cloud Explorer product utilises the Gmail API to forensically acquire Gmail data. “Once the messages are downloaded, you’ll be able to browse, search and filter messages, navigate through communication threads, group messages by their respective Gmail labels, and basically do everything else offline”.
    Using Gmail API: The Forensic Way to Acquire Email

  • Patrick Olsen at System Forensics has returned to blogging after a year away (Back Online) and has two posts this week:
    • His first post covers the Arduino and some basic forensics, including the technical details of the Arduino, software used to obtain an extraction, commands used to dump EEPROM and Flash, and then a quick hex/strings dump of the outputted data.
      Arduino Forensics
    • His second post is a long one about using JTAG to obtain data from phones. Patrick has also provided a list (and costs) of all the equipment that he purchased to perform his JTAG extractions, which is quite useful for those looking to add that functionality to their repertoire. Overall it cost him under $1400, and then eBay provided him with some very cheap Nokia phones. The post then goes on to show how he wired the phone up and performed an extraction.
      JTAGing Mobile Phones

  • Narinder Purba shared an article on We Live Security regarding Android notifications. Google will soon be notifying users when a new device is added to their account. I’m not sure but I imagine this may affect cloud examination products that are designed to download mobile data.
    Android users to receive notifications when new devices added to account

  • Adam at Hexacorn shared his Endpoint Detection and Response (EDR) solutions sheet and then provided an explanation in a second post. Thankfully he’ll be transferring the data onto Google Sheets for easier collaboration and access. This post provides a detailed explanation of the columns in the spreadsheet.
    EDR Sheet, explained

  • Cheeky Monkey has updated his blog post from last week regarding the Android imgcache artefact. He did some additional testing for recovering video thumbnails and produced a slightly modified Python script. A user also posted some additional testing they have done on a different phone and provided a minor update to the script; as Monkey would have to re-do his validation testing, he hasn’t included this in the main script, but you can see the code in the comments.
    A Timestamp Seeking Monkey Dives Into Android Gallery Imgcache

  • James Habben shared a Python script that he wrote to work around a problem he was having with the Internet Evidence Finder (IEF) GUI. The Python script takes the underlying IEF SQLite database, allows the user to search for a URL, and outputs the results to an SQLite database.
    GUIs are Hard – Python to the Rescue – Part 1

  • Jack Crook has a new blog called “DFIR and Threat Hunting”.
    • His first post covers his thoughts on threat hunting. He identifies the various steps that an attacker will take from locating a host to exfiltrating data and explains that an examiner should play around with some of the commonly available tools to get a feel for the artefacts that are left behind. He advises that an examiner should “Define what you are looking for, Know what it looks like, Identify the data you have available to find it, Create and schedule searches; and Regular review of data”.
      My Thoughts On Threat Hunting
    • The second post covers hunting lateral movements on servers with Windows event logs. Jack covers the questions one should ask regarding process execution, tool movement (via administrative shares) and authentication.
      Hunting Lateral Movement

  • Oxygen Forensics has announced a new 3-day training course that utilises their Detective product.
    Oxygen Forensics Announces Training Schedule For 3-Day Complete Course

  • Igor Mikhaylov and Oleg Skulkin at Weare4n6 wrote an article on chip removal for mobile forensics. They showed a few tools that can be used to read the extracted chips – Visual NAND Reconstructor (Rusolut) and ACE Lab’s PC 3000 Flash. The software to examine the resultant extraction is the usual suspects of mobile forensics – XRY, UFED PA, Oxygen, as well as Belkasoft, Axiom and Autopsy. According to the authors the main things to consider when desoldering are:
    • Use an IR station with automatic temperature regulator
    • Don’t heat the chip or the board too long
    • “To extract a chip from a smartphone board we recommend heating it to 240 °C and then use a blade to extract it.”
    • Chips can be glued down as well as soldered, and the temperatures you should heat them to will vary
    • Clean the glue off the chip; the most effective way in their experience is melting it with hot air and removing it with solder wick; and
    • Work in a well ventilated area.
      They concluded with a variety of cases they’ve worked on where chip removal and examination was the only option.
      Chip-Off Technique In Mobile Forensics


  • Matthew Molyett and Martin Lee at Cisco’s Talos Blog have a short writeup on the Office 2007 XML-based file format (DOCX) and how macros can be embedded within it. Even though Microsoft attempted to make DOCX a format one could trust as being secure (with DOCM being the one to look out for), Windows doesn’t compare the file signature to the extension, which means that if you change the file extension of a .DOCM file to .RTF it will still open in Word, and Word will then check the internal XML and see that it has macros.
    Macro Intruders: Sneaking Past Office Defenses
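    As an added, defender-side illustration of the extension-versus-content point (my own example, not code from the Talos post): the check below classifies a file by its ZIP magic and the parts inside the container rather than by its name, flags a VBA project sitting under a macro-free extension, and builds a constructed minimal OOXML container to exercise it.

```python
import io
import os
import zipfile

# A VBA project inside an OOXML container is the part word/vbaProject.bin, declared
# in [Content_Types].xml with this content type (values from the OOXML format itself).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that should never carry a VBA project; a hit here is the renaming trick.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".pptx", ".rtf", ".txt"}


def inspect_office_file(data: bytes, filename: str) -> dict:
    """Classify by content, not by name: is it OOXML, does it carry VBA, does the name lie?"""
    result = {"is_ooxml": False, "has_vba": False, "mismatch": False}
    # ZIP local-file-header signature; a genuine RTF starts with "{\rtf" instead.
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Either signal is enough: the part is present, or it is declared.
            result["has_vba"] = (
                any(n.lower().endswith("vbaproject.bin") for n in names)
                or VBA_CONTENT_TYPE in content_types
            )
    except zipfile.BadZipFile:
        return result
    ext = os.path.splitext(filename)[1].lower()
    result["mismatch"] = result["has_vba"] and ext in MACRO_FREE_EXTENSIONS
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word document."""
    overrides = '<Override PartName="/word/document.xml" ContentType="text/xml"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", f'<?xml version="1.0"?><Types>{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_file(build_sample(True), "invoice.rtf"))
```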

  • Wayne Chin Yick Low at Fortinet shared a few techniques that malware authors are using to avoid detection by anti-malware programs. Malware authors are “Tackling the automatic update components of anti-malware” and “tackling the exclusion components of anti-malware”. Malwriters (is that a term people use?) have also been utilising zero-day vulnerabilities in anti-malware products.
    New Era in Anti-Virus Detection Evasions

  • Eric Merritt at the Trustwave SpiderLabs blog shares an examination of an AutoIt script that employed a variety of obfuscation techniques to hinder analysis. The first is a simple obfuscation that replaces strings with character functions (A = Chr(65), for example). The second is “Flow of execution obfuscation”, where the author observed “case statements wrapped in while loops continue … while kernel DLLs are loaded and system API’s are called” through the AutoIt debugger. The shellcode is also obfuscated and requires decoding.
    To Obfuscate, or not to Obfuscate

  • Andrew Case at Volatility Labs shared a methodology that has been “successfully used in many investigations to confirm the presence, or absence, of known malware on a system” through memory analysis. The process involves extracting Windows executables and DLLs from the memory image and then running clamscan over them to catch the low-hanging fruit. Andrew explains that “although it would make our jobs quite interesting if every investigation involved analyzing new malware samples and families, the reality is that many malware investigations only require analyzing memory samples in order to verify (or hunt for) an infection by malware previously discovered in the wild”. Andrew continues with the advantages and disadvantages of this approach, as well as some things to consider.
    Automating Detection of Known Malware through Memory Forensics

  • Hasherezade has a fairly comprehensive analysis of the Smoke Loader bot on the Malwarebytes Lab blog. The post starts by covering the Windows artefacts that can be examined (Run key, startup VBScript, %temp%, %appdata%) and then drills deeper into the binary analysis.
    Smoke Loader – downloader with a smokescreen still alive

  • Amanda Rousseau at Secured.org shared her malware proof-of-concept diagram from her Instagram exploitation presentation.
    Woot! I got to speak @ DefCon-CryptoVillage

And that’s all for Week 31! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
