Written by Phill Moore

Week 32 – 2016

SOFTWARE UPDATES

  • Cellebrite has released version 5.2 of their UFED Physical Analyzer tool (along with UFED Logical Analyzer, UFED/2 and UFED4PC). This update brings with it the ability to obtain some information (pictures and videos from 6 and higher, more information from 5.1.1 and prior) from locked Samsung devices, as well as support for devices running iOS 10 Beta and app updates (including Pokemon Go). A number of bugs were also fixed.
    UFED 5.2 Release Notes

  • GetData’s Forensic Explorer updated to version 3.6.2.5642 which fixed various bugs, improved top down caching of gallery thumbnails and added additional logging to Index Search completion.
    Forensic Explorer Download Page

  • Elcomsoft updated their iOS Toolkit to version 2.1, adding logical extraction and physical support for jailbroken devices up to version 9.3.3
    Elcomsoft iOS Forensic Toolkit Adds Logical Acquisition

  • DME Forensics updated DVR examiner to version 1.24.0 adding support for a few filesystems (including improved identification), bug fixes and a few small features surrounding error logging and exporting a listing of the clips presented.
    DVR Examiner 1.24.0

  • G-C Partners updated Eventmonkey to version 1.2.1, which adds functionality to ingest records from EVTXtract’s extracted json, allows adding descriptions and tags to Security events, as well as methods to add elastic options
    EventMonkey Changelog

  • Paul Sanderson updated Forensic Browser for SQLite to version 3.1.5 with various bug fixes and enhancements including support for char(xx) expression in query builder, improved data import for structured storage and updated mapping.
    New release 3.1.5

  • X-Ways Forensic 19.0 updated to Preview 8 (after going through 3 other iterations through the week) and contained various improvements to PhotoDNA and EDB database processing.
    X-Ways Forensics 18.9 PR-1

PRESENTATIONS/CONFERENCES/TRAINING

PODCASTS

  • This week’s episode of the Digital Forensics Survival podcast benchmarks four different ram extraction utilities: Moonsols dumpit, Belkasofts RAM capturer, Magnet Forensics Magnet RAM Capture and FTK Imager Lite’s memory acquisition feature. Michael explains that the important features he looks for in a RAM acquisition tool are the tools footprint, the mode it runs in (kernel or user mode where kernel is preferable), speed (and suggests using external hard drives rather than flash media for speed improvement), and lastly available options/ease of use/compression/splitting/collection information displayed.
    Some examiners choose to use FTK Imager to triage a live system; Michael suggests running Dumpit and then triaging the system with FTK rather than using it to download RAM, as FTKi doesn’t run in kernel mode.
    If you don’t have time to listen to the episode I would recommend going through the show notes. Michael has included a brief summary of each tool and their pros and cons, as well as a table comparison of his tests.
    DFSP # 025 – RAM Extraction Tools – Part 2

  • On this week’s Brakeing Down Security podcast Bryan and Brian, and their guest Brian Ventura discussed the SANS508 training course again. Previously Mr Boettcher had claimed that a number of the areas covered in the SANS course could have been replaced by “check the logs”, which apparently generated some discussion. Mr Boettcher explains that using a tool like Log-MD allows analysts to identify events quickly and easily. You can then use a log forwarder and set an event that if someone escalates privileges or clears the log files a red flag will be raised. Mr Ventura explained that you may not always be the person in charge of the systems and you may be attending an incident where the attackers have been around for a while. My two cents is that you can set the logs for systems you have control over, but if you’re an incident responder or LE DFIR examiner you have to utilise multiple artefacts to improve your confidence in an event. There was a question about what the difference is between a timeline and a supertimeline; my understanding is that originally, the timeline was just the file system metadata sorted sequentially. In Kristinn Guðjónsson’s GIAC (GCFA) Gold Certification he released the first iteration of his log2timeline tool and explained that a super timeline should comprise of the file system metadata, as well as the many dates and times stored within log files (event, antivirus etc), program execution artefacts, file access artefacts, registry times etc, webpage accesses, to give a more complete picture of what happened on a system.
    2016-027: DFIR conference, DFIR policy controls, and a bit of news

  • This week brought us another Forensic Lunch. David, Matthew and their guest Matt Bromiley discussed their Blackhat and DEFCON 2016 experiences. This year’s DEFCON had a Forensic CTF, which David competed in (and won with 22 out of 30!). Whilst the results will not be released publically you can still read up about the challenge here and download the challenge files here. Apparently you can send your results to the organiser, Andrei, and he will grade you. During the broadcast they ran through each of the 16 tasks and explained each problem (without giving any answers) which showed the breadth of knowledge required for the challenge. According to the organiser the questions aren’t necessarily designed to be the most difficult, but within the two day time period provided I imagine they would have seemed to be. They also covered their latest update to EventMonkey, which came about because of one of the challenges.
    Forensic Lunch 8/12/16

FORENSIC ANALYSIS

  • There was an e-mail that went around on the IACIS list serve regarding the way that Encase6/7/(probably 8) deal with resident files on a 4k sector disk. Apparently the files aren’t presented accurately, and when exported will have a different hash to those exported with FTK or X-Ways. Jared Atkinson suggested that it could be a hardcoding issue, as “the sector size & MFT record size should be derived from the VBR”. Overall this will require Guidance to issue a fix, however is entirely possible that since Encase Forensic 8 has been released that’s the only version that they will update; which is their prerogative, but I’m sure there are a large number of people still using version 6 that would appreciate the bug fix.
    Eric’s Tweet

  • Patrick Olsen at System Forensics has done some additional research on the HFS+ Date Added attribute. According to his testing a files kMDItemDateAdded extended attribute was updated when the file was moved (assuming the volume was being indexed by spotlight). This data is stored within the Spotlight Index (of which there isn’t a free/open source parser that Patrick is aware of), as well as the catalog file. Patrick did a bit of digging and was able to locate the date within the hex by reading through the documented source code and identify how to manually parse it. On top of that he explained how TSK was missing the date and submitted an issue request to fix it.
    Mac DFIR – HFS+ Date Added Timestamp

  • Carpe Indicum posted the searches that can be used in Kibana to perform the artefact checks shown in the SANS ‘Evidence of’ poster.
    Kibana and SANS Evidence of… (part 2)

  • Cindy Murphy at Gillware Digital Forensics shared a Python script written by a Gillware engineer Maggie O’Leary that can be used to obtain lat-long information from the Pokemon Go Android app. Cindy explains that the script looks at the “comm.crittercism” folder and decodes the timestamp along with the location of the “encounter”. Cindy and Maggie also aren’t sure what an “encounter” represents, so further testing is required.
    Can Pokémon GO Users’ Movements be Determined Using Forensic Artifacts?

  • SANS reposted Cindy’s previous post on Pokemon Go which alerted me to the update that she made shortly it’s initial release. The updated post describes the process for decoding location information in the Android Crittercism folder.
    Oh, No – Pokémon Go! A Sneak Peek at Forensic Artifacts

  • Expanding on the above post, Cheeky4n6Monkey has released two Python scripts that convert lat, long and cellid level to a 64 bit Google S2 cellid, and reverse.
    Google S2 Mapping Scripts

  • Adam at Hexacorn has updated his EDR sheet, incorporating the various comments, and promises that the next version will be on Google sheets.
    Updated EDR sheet

  • Magnet shared a post of the various view screens in Magnet AXIOM; covering Multi-Artifact vs. Single Artifact, columns, chat-threading, classic, histogram, row, thumbnail, timeline and world map view, along with when the best use of each view is.
    Analyzing data with Centralized Views in Magnet AXIOM

  • Sarah links to various blogs, presentations, papers on Mac forensics, security, malware etc as well as Sarah’s upcoming classes.
    Mac News & Updates – 08/11/16

  • Oleg Afonin at Elcomsoft has a blogpost regarding the new logical acquisition option in the Elcomsoft iOS Forensic Toolkit. Oleg explains that logical acquisition provides the examiner access to the keychain as well as the ability to extract devices locked with a passcode (provided a lockdown file can be located). The lockdown file will only work if the device hasn’t been power cycled.
    iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices?

  • Cellebrite announced a new feature coming in the next update to Cloud Analyzer. The new feature provides examiners “the ability to recover a user’s list of passwords saved in Google Cloud from various websites and cloud services” (provided the user  is using the Google Account passwords sync service)
    Gain Access To User Credentials Saved In Google Account With UFED Cloud Analyzer

  • Pasquale Stirparo has a post on the InfoSec Handler Diaries regarding iOS messaging applications; primarily the iOS native messaging app, WhatsApp, Telegram and Signal. Pasquale lists the databases where each app stores data, it’s activity surrounding data storage/deletion, and how it handles attachments. He also covers the feature the iOS utilises to show the user a screenshot of the app in the fast-app-switching interface.
    Looking for the insider: Forensic Artifacts on iOS Messaging App

  • Harlan Carvey shared two posts this week.
    • His first post shared his thoughts on a few topics. On data exfiltration, if the compromised system contains a webserver component then the attackers may have utilised GET requests, which would be evident in the log files (or endpoint detection). The BITS qmgr0.dat or qmgr1.dat files and Windows event logs may also have artefacts of interest. On lateral movement, “the difference in artifacts on the source vs the destination system during lateral movement needs to be clearly delineated”. And on InfoSec presentations, he believes that people have a lot of content that they may be “not only afraid to create a presentation and speak, they’re also afraid to ask questions, or offer their own opinion on a topic”. Ultimately you don’t need to put together an hours worth of content to share something meaningful, there’s always blogposts or SANS360 6 minute presentations.
      Links
    • His second post shares some information about the registry keys that the LANDesk softmon utility utilises. Softmon stores information about an application which can persist even after the application has been removed.
      LANDesk in the Registry

  • For those with multiple Atola Insight Forensic units, Vitaliy Mokosiy shared a post on how to share the backend database across a network.
    Network database setup in Atola Insight Forensic

  • DFIR Guy at DFIR.Training has an update on his happenings. He has added a page for college and university programs and is going through an adding more and more training courses.
    More stuff!

MALWARE

  • There’s a post on Darknet about an extension to the Cuckoo sandbox that allows for the execution and analysis of Android applications.
    CuckooDroid – Automated Android Malware Analysis

  • Hasherezade posted an article on decrypting the Chimera Ransomware on the Malwarebytes Labs blog. In the post she explains how to utilise the leaked keys to decrypt files that have been encrypted with Chimera, provided that the key is in the leak. The post describes how she determined the decryption function utilised by the malwriters decryptor and a script to rotate through the leaked keys until it either found a match or reached the end of the list.
    Decrypting Chimera ransomware

  • Also on the Malwarebytes Labs blog is a writeup of the Venus Locker ransomware. Interestingly enough the authors have chosen to use .NET, it really seems like a patterns emerging, or just the malware analysts are posting more about the ransomware coded in .NET.
    Venus Locker another .NET Ransomware

  • Melissa at Sketchy Moose shared a new malware sharing platform called Das Malwerk. She also wrote a Python script that “can list all the malware currently in the zoo OR it can search via SHA256 and if found, download the sample”.
    Das Malwerk: Der Jaeger

And that’s all for Week 32! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s