Week 34 – 2016

I’m on holiday in beautiful Tuscany so I’ve had to cut a few things shorter this week and publish a little earlier than usual. I suppose there are worse places to finish a post.


SOFTWARE UPDATES

  • BlackBag released MacQuisition 2016 R1. This update improves RAM acquisition capabilities by adding support for OS X 10.11, as well as a dialog box that notifies the user if the version of OS X is not currently supported. There were also additional bug fixes and minor improvements.
    MacQuisition 2016 R1 is Now Available!
  • Didier Stevens updated his Python script xor-kpa to version 0.0.3, adding a manual page.
    Update: xor-kpa.py Version 0.0.3 With Man Page
  • Christian Wojner at CERT Austria has updated DensityScout to build 45 to fix issues dealing with filenames/paths that included multi-byte characters.
    DensityScout can handle multi-byte characters, now!

  • Autopsy was updated to version 4.1.1 to fix some bugs.
    Download Version 4.1.1 for Windows
  • An update was released for the Prefetch Volatility plugin (located in the Volatility Community repository) to fix a major bug.
    Volatility’s Tweet
  • Dave Lassalle updated his USN Parser, Parseusn.py, to output to the TLN format.
    Superponible’s DFIR Github Repository
  • hashcat and SpiderFoot were updated to versions 3.10 and 2.7.0 respectively.
    Red Team Tools Updates: hashcat and SpiderFoot
  • Tableau released a critical firmware update (v7.15b) to the Tableau Universal Bridge, model T356789iu. From reading the notes it appears that this version of the Tableau Firmware Updater rolls back the firmware on the device to version 1.3.0 as version 1.4.3 can “create images with corrupt data under specific configurations”. Tableau is currently testing the bug fix.
    Tableau Firmware Revision History
  • Nir Sofer at Nirsoft has updated a number of his tools “for recovering passwords from external hard drive contains the most recent versions of Windows”. He shows an example of using this feature to recover passwords found within a volume shadow copy.
    Recovering previous/old passwords using NirSoft password recovery tools and shadow copies of Windows.
  • Belkasoft has announced some details on the next major release of their Evidence Centre product (version 8.0 2017). The new version comes with BelkaImager, a social graph builder, improved volume shadow copy support as well as other improvements.
    New Revolutionary BEC 2017 v.8.0
  • Paul Sanderson updated Forensic Browser for SQLite to version 3.1.5c with some minor bug fixes and enhancements.
    New release 3.1.5c
  • F-Response Universal/Now has been updated to version 2.0.1.14. The update provides “Remote Stop and Remove options for Universal Subjects regardless of how they were deployed. In addition there were multiple licensing option updates for customers looking to use F-Response on VSphere clustered environments.”
    F-Response Universal/Now 2.0.1.14 Released
  • Forensic Explorer updated to version v3.6.8.5692. This update contained various bug fixes and improvements, including improved handling of corrupt registry files in Triage and improved detection of target operating system version and
    Download Forensic Explorer
  • X-Ways Forensics 18.9 SR-7 was released with some minor improvements and fixes.
    X-Ways Forensics 18.9 SR-7
  • X-Ways Forensics 19.0 Preview 10 was released with some minor improvements.
    X-Ways Forensics 19.0 PR-10
  • X-Ways Forensics 18.8 was also updated to fix a problem with Windows.edb processing.
    X-Ways Forensics 18.8

PRESENTATIONS

PODCASTS

  • Dave and Matthew hosted the fortnightly Forensic Lunch on Friday. They discussed a number of different conferences that they will be presenting at (OSDFCon, FireEye Cyber Defense Summit, unannounced conference). David also showcased his Intel NUC Skull Canyon miniPC that he set up to run multiple VMs using a free version of vSphere. Dave also shared a secret on how to get cheap MSDN access.
    They will be broadcasting next Friday instead of in two weeks from now.
    Forensic Lunch 8/26/16
  • This week’s episode of the Digital Forensics Survival podcast covers using a Mac for forensic examinations. Michael recommends using the older non-Retina MacBook Pro as it comes with a spinning hard disk, upgradeable memory and a variety of different ports. The benefit of using a Mac as an analysis machine is the familiarity you gain from using it, and also it’s generally advised to use a Mac to analyse a Mac. I’ve found in my investigations that often when dealing with certain artefacts it’s a lot easier to use OS X (i.e. dmgs, keychain). Often there are Windows-based tools that can be used, however the Mac comes with these natively.
    As a side note, Michael also recommends having two machines for examination; the first is used for heavy processing and the other for lightweight work and field-based triage. In a number of my examinations I will set up my processing options and export a number of key artefacts to parse on another machine (also helps if your processing machine crashes, which never happens, but it’s better to be safe).
    DFSP # 027 – Mac as a forensic platform

  • This week’s Brakeing Down Security podcast kicked off a series called “2nd Chances: Rejected Talks” where people who’ve had their talks rejected by conferences are given the mic to present their findings. I wasn’t able to listen to the episode but the show notes indicate that Bill Voecks gave a talk on deploying and securing Privileged Access Workstations.
    2016-033: Privileged Access Workstations (PAWs) and how to impl…

FORENSIC ANALYSIS

  • Suraj Singh at Microsoft posted this last weekend but I missed it so I thought I’d share it now. This post covers using the Logparser tool to examine Windows Event logs for various artefacts such as tracking logon success and failure attempts, services generated, process creation, NTFS info and USN Info.
    Logparser play of a forensicator
  • Also on Event Logs, Samuel Alonso shared a paper from ICIMP 2016 regarding how to build IOCs with Windows Event IDs.
    Intrusion Detection with Windows Event ID’s
  • Eric Zimmerman has begun what appears to be a series on workflow testing.
    • This post describes how to conduct a keyword and index search, as well as file carving in X-Ways, FTK and Encase. Eric also lists a few pros and cons about the way each tool works for these features.
      Workflow overview
    • Eric ran Auto Disk Benchmark over a series of Azure and Amazon VMs (as well as his own machine), and listed their max image disk read speed as well as their cost per month. From the table it appears that his workstation processes the same as the Azure GS5 instance, which costs $7179/month.
      Testing configurations

  • Darknet shared a tool called IGHASHGPU which is a command line hash cracking utility that allows users to utilise the processing power of their GPUs.
    IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4
  • Adam at Hexacorn has part 45 of the beyond good ol’ Run key series. Expanding on his previous work on DLL execution via RDP, he has identified a registry key relating to addins whose intended function is to allow a DLL to be loaded on RDP connection; this of course can be exploited by malicious actors.
    Beyond good ol’ Run key, Part 45
  • Jessica Hyde describes a new feature in Axiom that allows examiners to tag data in the Hex or Text view and add it to their report. She showcases this feature in a phone dump that is not yet supported by Axiom and therefore cannot be parsed automatically. Using the new feature an examiner is able to perform a search, say for phone numbers, and then tag each result so that they can be reported on.
    Exploring Magnet AXIOM’s Examiner-Created File System and Registry Artifacts
  • Oleg Afonin at Elcomsoft has a post explaining how their Phone Breaker tool is able to download photos that have been deleted from iCloud. The guys at Elcomsoft had to create their own API to access photos stored in the iCloud Photo Library and in the process discovered that they were able to recover photos that had been deleted up to 6 months prior. Oleg explains that this is probably a bug and that the photos aren’t able to be accessed through the web interface after they’ve been deleted (unless they’ve been moved to the Recently Deleted section where they are meant to remain for 30 days before being deleted).
    iCloud Photo Library: All Your Photos Are Belong to Us
  • Jack Crook at DFIR and Threat Hunting shares his thoughts on identifying “behaviors and the artifacts that those behaviors would create”. He shares a short case study on what to look for should an attacker utilise a WMIC/PowerShell command to laterally move across hosts.
    Hunting From The Top
  • Michael Maurer published a DFIR-focused cheat sheet for Kibana (ELK).
    Michael Maurer’s Tweet
  • There were several papers published on the SANS Institute InfoSec Reading Room
  • Weare4n6 shared a few articles this week
    • They shared a tool that parses older versions of Crypt database used by WhatsApp. According to the GitHub page, the tool was last updated a couple of years ago.
      WhatsApp Viewer
    • They have a short walkthrough on how to image a flash drive and mobile phone using the Belkaimager tool. This tool is currently in development and is available through the early access program.
      Imaging Drives And Mobile Devices With Belkaimager
    • They linked to a blog post by Silas Baertsch at the Compass Security Blog regarding Exchange forensics.
      Exchange Forensics

MALWARE

  • Mandiant released a report named “Lessons from Operation RussianDoll” covering an APT campaign that they discovered last year. “This paper provides tools and techniques that help security professionals recognize and conduct enhanced malware analysis.”
    FireEye’s Tweet
  • Hasherezade has dissected a piece of malware claiming to be McAfee on the Malwarebytes Labs blog. She explains that the tool is packaged with a signed, old version of McAfee but calls an unsigned DLL that decrypts an external file containing the RAT. The current version of McAfee isn’t vulnerable to this type of attack. She concludes that this malware is interesting because each component is not malicious and therefore scanning each file will not detect anything.
    Unpacking the spyware disguised as antivirus

  • Lookout published an “in-depth technical look at a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world”. This covered a number of zero-day vulnerabilities found in iOS which have recently been patched in iOS 9.3.5 as a result of the work.
    Technical Analysis of Pegasus Spyware

MISCELLANEOUS

  • There were a few posts of interest on the Forensic Focus blog
    • Brad Robin reviewed the Oxygen Forensic Complete Training class. Brad explains that the course covers the basics of mobile phone forensics, and then moves onto using the Oxygen Forensic Detective tool. His opinion is that this class is worth taking if you use the Detective product.
      Reviews – 2016 Oxygen Forensic Complete Training
    • Arsenal Consulting shared an article written on Motherboard regarding a Turkish journalist who was framed for terrorism. The analysts at Arsenal Consulting examined the man’s computer and determined that the files of interest had been copied onto the computer by attackers who had removed the hard drive. Attackers (probably the same) had also attacked the computer multiple times with malware.
      Turkish Journalist Jailed for Terrorism Was Framed, Forensic Report Shows
    • Scar interviewed Shahar Tal, the Director of the Research Group at Cellebrite on his role at Cellebrite and what he foresees in the future of mobile digital forensics (hint: encryption is causing some headaches).
      Interview With Shahar Tal, Director Of The Research Group, Cellebrite
  • Meir Wahnon at the Demisto blog shares a number of DFIR communities across different social networks and mailing lists.
    Digital Forensics and Incident Response Community Resource
  • Magnet has a short Q&A session with Chuck Cobb, their new VP of Training. Chuck explains that he will be producing a quality certification that “delivers both technical knowledge and hands-on skills used in the student’s daily work” based on a “solid understanding of your audience and their needs and workflows”.
    Q&A: Chuck Cobb, Magnet Forensics’ New VP of Training
  • Cindy Murphy at Gillware Digital Forensics reminisces about her time at the Madison Police Department as she officially announces her retirement.
    Moving forward, looking back
  • Heather Mahalik at Smarter Forensics provided some tips for those looking to break into the field. She suggests taking training, reading books, meeting people at conferences, and basically showing you have an interest in the field. If you don’t have a job and are looking you really need to show how much you want to work in DFIR. Certain people have had a lot of success by making a name for themselves in their free time and ultimately it’s paid dividends. There are plenty of challenges and free tools to work with, and many people are happy to chat over Twitter or e-mail.
    So You Want To Break Into The Field Of Digital Forensics…
  • DFIR Guy at DFIR Training has added Forensic Hardware to the ever-growing resource that is the Tool Database hosted on the site. The Hardware section is grouped by item type (i.e. write blocker) and then sorted by vendor.
    More goodies.

And that’s all for Week 34! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
