Week 35 – 2016

This week’s post comes courtesy of the free Wi-Fi on the train to Amsterdam.

Also, a very extravagantly bearded train ticket inspector saw me watching the Forensic Lunch and stopped to tell me that he thought Matthew had a nice beard.


  • Didier Stevens updated his Python script rtfdump to version 0.0.4 to improve the handling of files that are not RTF.
    Update: rtfdump Version 0.0.4 
  • Atola Technology has updated their Insight Forensic product to version 4.6. The most notable update is the inclusion of a scripting language. The full changelog can be found here. The post also includes a few example scripts.
    Atola Insight Forensic 4.6 – Scripting 
  • Magnet’s Internet Evidence Finder was updated to a new version; however, the only release notes I was able to get my hands on before publishing this week’s post were translated from Japanese. 
  • GetData updated Forensic Explorer to a new version with various bug fixes and minor improvements.
    Download Forensic Explorer



  • AekSecurity Tech Blog posted a video on YouTube demonstrating “the process of analyzing a variant of fileless malware known as Kovter”.
    Analyzing Fileless Malware – Kovter 
  • There was another Forensic Lunch this week. The broadcast covered Matthew’s new tool for extracting BitLocker Volume Key Identifiers as well as Eric’s tool comparison testing (see below). David and Matthew described a scenario where a client had used BitLocker to encrypt their company’s computers, but the examiners would occasionally be provided with a laptop without any information regarding its owner. As a result, they needed a way to extract the Volume Key Identifier from the device so they could look it up in Active Directory, where the recovery information had been backed up. BitRocker can be found here.
    The second part of the broadcast covered Eric’s mammoth tool testing blogpost. Most of my comments are found in the section below, but Eric explained that he’s adding a larger sample to the tests, as well as adding RAW (and potentially AFF4) to the tests.  He also said that if any vendor is happy to share their tools with him he can run a few of the tests on his machines.
    Eric explained that he performed the testing because at his day job he was looking at whether they could do some processing in the cloud and whether more resources (and cost) scaled to better performance.
    They also discussed searching; David explained that dtSearch in FTK only indexes Unicode strings because it applies the Unicode code page to the entire chunk of unallocated space: the tool doesn’t know which code page best fits the data and therefore defaults to Unicode. To get around this you should carve first, so that the tool can work out how best to search each carved item.
    The next broadcast is on Sept 23rd and they will be talking about Evimetry.
    Forensic Lunch 9/2/16
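To illustrate what a tool like the one Matthew described has to read, here is an added example written for this post (it is not BitRocker and makes no claim about how BitRocker works). It walks a BitLocker FVE metadata block and reports each volume master key protector’s key identifier GUID and protection type. The field offsets follow the libbde format documentation for Windows 7 and later volumes; the sample volume header and metadata block are constructed in the script, and the GUIDs and timestamp in them are made up.

```python
"""Report the key identifier (protector GUID) of each BitLocker volume master
key protector from a volume's FVE metadata.

Added example for this post, not Matthew's BitRocker tool. The layout follows
the libbde format documentation for Windows 7+ volumes; the sample volume
header and metadata block below are constructed, not captured from a disk.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

FVE_SIGNATURE = b"-FVE-FS-"
ENTRY_TYPE_VMK = 0x0002     # metadata entry holding a volume master key
VALUE_TYPE_VMK = 0x0008     # ... whose value is a VMK structure
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Protection types recorded in the VMK value (libbde documentation).
PROTECTION_TYPES = {
    0x0000: "clear key", 0x0100: "TPM", 0x0200: "startup key",
    0x0500: "TPM and PIN", 0x0800: "recovery password", 0x2000: "password",
}


def metadata_block_offsets(volume_header):
    """Three FVE metadata block offsets from the first 512 bytes of the volume
    (signature at offset 3, three 8-byte offsets at 0xB0; Windows 7+ layout)."""
    if volume_header[3:11] != FVE_SIGNATURE:
        raise ValueError("not a BitLocker volume header")
    return list(struct.unpack_from("<QQQ", volume_header, 0xB0))


def iter_entries(buf):
    """Yield (entry_type, value_type, payload) for each metadata entry."""
    off = 0
    while off + 8 <= len(buf):
        size, etype, vtype, _version = struct.unpack_from("<HHHH", buf, off)
        if size < 8:            # zero-filled tail or corrupt entry
            break
        yield etype, vtype, buf[off + 8:off + size]
        off += size


def parse_metadata_block(block):
    """Return (volume identifier, [protector dicts]) from one metadata block."""
    if block[:8] != FVE_SIGNATURE:
        raise ValueError("missing -FVE-FS- signature")
    hdr = block[64:112]                        # 48-byte metadata header after the 64-byte block header
    _metadata_size, _version, header_size = struct.unpack_from("<III", hdr, 0)
    volume_id = uuid.UUID(bytes_le=hdr[16:32])
    protectors = []
    for etype, vtype, payload in iter_entries(block[64 + header_size:]):
        if etype != ENTRY_TYPE_VMK or vtype != VALUE_TYPE_VMK:
            continue
        key_id = uuid.UUID(bytes_le=payload[0:16])       # GUID shown by manage-bde as the protector ID
        modified, = struct.unpack_from("<Q", payload, 16)
        prot, = struct.unpack_from("<H", payload, 26)
        protectors.append({
            "key_id": str(key_id),
            "protection": PROTECTION_TYPES.get(prot, hex(prot)),
            "modified": FILETIME_EPOCH + timedelta(microseconds=modified // 10),
        })
    return str(volume_id), protectors


def recovery_key_ids(protectors):
    """GUIDs to look up against msFVE-RecoveryGuid in Active Directory."""
    return [p["key_id"] for p in protectors if p["protection"] == "recovery password"]


# ---- constructed sample data (made-up GUIDs; not from a real volume) ----
SAMPLE_TIME = 131168448000000000           # FILETIME for 2016-08-28 08:00:00 UTC
SAMPLE_VOLUME_ID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
SAMPLE_RECOVERY_ID = uuid.UUID("0f3a2b1c-4d5e-4f60-8172-93a4b5c6d7e8")
SAMPLE_TPM_ID = uuid.UUID("11111111-2222-4333-8444-555555555555")


def _entry(etype, vtype, payload):
    return struct.pack("<HHHH", 8 + len(payload), etype, vtype, 1) + payload


def build_sample_metadata_block():
    vmks = b"".join(
        _entry(ENTRY_TYPE_VMK, VALUE_TYPE_VMK,
               kid.bytes_le + struct.pack("<QHH", SAMPLE_TIME, 0, prot))
        for kid, prot in ((SAMPLE_RECOVERY_ID, 0x0800), (SAMPLE_TPM_ID, 0x0100)))
    meta_size = 48 + len(vmks)
    meta_hdr = (struct.pack("<IIII", meta_size, 1, 48, meta_size)
                + SAMPLE_VOLUME_ID.bytes_le
                + struct.pack("<IIQ", 1, 0x8001, SAMPLE_TIME))
    block_hdr = FVE_SIGNATURE + struct.pack("<HHHH", 64 + meta_size, 1, 0, 0) + bytes(48)
    return block_hdr + meta_hdr + vmks


def build_sample_volume_header():
    hdr = bytearray(512)
    hdr[3:11] = FVE_SIGNATURE
    struct.pack_into("<QQQ", hdr, 0xB0, 0x2000000, 0x4000000, 0x6000000)
    return bytes(hdr)


if __name__ == "__main__":
    print("metadata blocks at", [hex(o) for o in metadata_block_offsets(build_sample_volume_header())])
    vol_id, prots = parse_metadata_block(build_sample_metadata_block())
    print("volume identifier", vol_id)
    for p in prots:
        print(f"  {p['key_id']}  {p['protection']:<18} modified {p['modified']:%Y-%m-%d %H:%M:%S}")
    print("recovery GUIDs for AD lookup:", recovery_key_ids(prots))
```

The GUID of the recovery-password protector is the one to search for: when BitLocker recovery information is backed up to Active Directory it is stored as an msFVE-RecoveryInformation object under the computer account, and that object’s msFVE-RecoveryGuid attribute carries the same GUID, so matching it gives you both the computer and its recovery password. On a real image, feed the first 512 bytes of the volume to metadata_block_offsets to locate the three metadata copies and parse whichever one reads cleanly.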


  • Eric Zimmerman has posted his forensic suite processing comparison extravaganza. He compared the core competencies of DF, covering hashing images, processing a case, creating an index, searching and carving. I’m glad he acknowledges his bias towards X-Ways, although it’s largely unnecessary: if you follow his Twitter it’s very evident, and he wrote a book about it. The tests encompassed processes that have minimal user interaction. His testing was performed on an E01 image rather than a DD; however, during the Forensic Lunch he added DD to the list of test cases. I’ve found that there’s a speed increase when using DD images for drive restores and file copies. I would also like to see how Evimetry’s WireSpeed stacks up, as it boasts significant speed increases. Also interestingly, one of the pictures on Evimetry’s website suggests that an XWF-created E01 will process faster than one taken by MacQuisition, which is another reason why I think DD might be a better test.
    The data from Eric’s test has also been turned into some graphs that can be found here.
    On to the things I learnt from this testing:

    • Eric’s laptop seems to be faster than his desktop (it has twice as many cores, but half as much memory)
    • EnCase uses a ridiculous amount of memory (OK, I already knew that)
    • “FTK only indexes Unicode strings – Because of this, it is even more important to do a live search in order to find all non-Unicode encoded strings”
    • For FTK and EnCase, “both an index and a keyword search is required to ensure all data is covered”
    • As part of X-Ways processing it generates a timeline. I hadn’t really explored this but I will have to look into it further.
    • The numbers suggest that X-Ways hashes, carves, indexes and searches fastest. EnCase 8 ran its processing options the fastest, but I think the options differ between tools.
      Let the benchmarks hit the floor: Autopsy vs Encase vs FTK vs X-Ways (in depth testing) 
  • Whilst we’re on the topic of speed testing, Devon Ackerman pointed me towards a Google Sheet which contains the results of imaging a 128GB SSD with a variety of tools using a range of different settings.
    Check out @aei4n6’s Tweet 
  • Examiners at H-11 Digital Forensics were “able to extract the data from phones that were previously not accessible, which use the UFS BGA95 and UFS BGA153 chips” using their “no heat Chip-Off method and UFS programmer”.
    First Successful Chip-Off Read of a Samsung Galaxy S6 and S6 Edge 
  • Oleg Afonin at Elcomsoft explains how to use Elcomsoft Phone Breaker to decrypt a FileVault 2 encrypted drive. The examiner provides either the user’s iCloud password (and second factor, if it’s set up) or a “non-expired binary authentication token extracted from the user’s computer” along with the image, and the tool obtains the relevant decryption key from iCloud and decrypts the image.
    Breaking FileVault 2 Encryption Through iCloud 
  • Brett Shavers explains that VMs can be a very easy way for the bad guys to hide their wrongdoings. By running their badness in a VM (or, even worse, a bootable ISO through a VM), they can very easily obstruct examination or destroy evidence, leaving very little for the investigator to examine. An example of this can be seen here.
    Virtual Machines, like anything else in technology, can be used for bad 
  • Paul Sanderson explains the Structured Storage Manager in the Forensic Browser for SQLite and how it enables decoding and querying of data found within XML, bplist and Facebook Orca BLOBs.
    Forensic Browser for SQLite – Structured Storage Manager 
  • Harlan Carvey at Windows Incident Response wrote two posts this week
    • He shared links to various write-ups on the Dell SecureWorks blog, as well as a correction to Ryan Nolette’s BSidesBoston2016 presentation.
      Links and Updates
    • The second post covers a variety of topics. A RegRipper plugin written several years ago is still of value today, as it parses a value manipulated by current malware. He posed the question “what Windows Event Log record is generated when a service fails to start that I should look for with respect to a specific Registry value?”. He shares a tool that allows users to set malicious Outlook rules for persistence. He asks whether anyone has seen the new variant of the China Chopper web shell and, if so, what it “looks like” if you’re monitoring process creation events on the system. Lastly he gives his thoughts on Eric’s testing: he appreciates the effort and praises Eric’s commitment and dedication, but the results haven’t changed his examination process. I see Harlan’s point with regard to setting up a device overnight to perform the longer-form processing; however, this gets a bit harder with multiple devices. One of my more recent cases had several terabytes spread across multiple devices, so even for just imaging, verifying and hashing, small speed improvements can be quite important. The basic premise was that Harlan’s approach to his examinations is very targeted, which I think is a good way to work. It means you can get to the relevant information quite quickly by examining the source, and it also means you can use a less powerful machine. My favoured approach is a blend of the two: extract the useful artefacts and process them on a separate machine whilst the verify/search/carve etc. is running on a more powerful system.
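To make David’s point about code pages on the Forensic Lunch, and Eric’s finding that FTK only indexes Unicode strings, concrete, here is a small added example written for this post (it is not FTK, dtSearch or Eric’s test harness). It runs the same keyword over a chunk of data in three encodings and shows that a UTF-16LE-only pass finds one of three occurrences. The “unallocated” buffer is constructed, and the keyword “Müller” is chosen because its ü is encoded differently in each encoding.

```python
"""Live keyword search over raw data in more than one encoding.

Added example for this post; not FTK, dtSearch, or Eric's test harness. It
shows why an index built with a single code page misses the other byte
representations of the same word. The "unallocated" buffer is constructed.
"""
import re

# Encodings worth covering on a Windows image: the ANSI code page, UTF-16LE
# (what Windows calls "Unicode") and UTF-8 (web content, modern applications).
ENCODINGS = ("cp1252", "utf-16-le", "utf-8")


def keyword_patterns(keyword, encodings=ENCODINGS, ignore_case=True):
    """Map each encoding to a compiled bytes regex for the keyword in that encoding."""
    variants = {keyword}
    if ignore_case:
        variants |= {keyword.lower(), keyword.upper(), keyword.title()}
    patterns = {}
    for enc in encodings:
        alternatives = sorted({re.escape(v.encode(enc)) for v in variants})
        patterns[enc] = re.compile(b"|".join(alternatives))
    return patterns


def search(data, keyword, encodings=ENCODINGS):
    """Return {encoding: [byte offsets]} for every hit of keyword in data."""
    return {enc: [m.start() for m in pat.finditer(data)]
            for enc, pat in keyword_patterns(keyword, encodings).items()}


def total_hits(hits):
    return sum(len(offsets) for offsets in hits.values())


def build_sample_unallocated():
    """Constructed chunk: the same phrase in three encodings, separated by filler."""
    filler = bytes(range(256)) * 4          # 1024 bytes of non-text noise
    return (filler + "Invoice für Müller".encode("cp1252")
            + filler + "INVOICE für Müller".encode("utf-16-le")
            + filler + "invoice für Müller".encode("utf-8") + filler)


if __name__ == "__main__":
    data = build_sample_unallocated()
    unicode_only = search(data, "Müller", encodings=("utf-16-le",))
    everything = search(data, "Müller")
    print("UTF-16LE only:", total_hits(unicode_only), "hit(s)", unicode_only)
    print("all encodings:", total_hits(everything), "hit(s)", everything)
```

Two caveats if you turn this into a real live search: for a pure-ASCII keyword the cp1252 and UTF-8 patterns are byte-identical and will report the same offset twice, so dedupe on offset when counting; and an image has to be read in overlapping windows so a hit that straddles two reads isn’t lost.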

  • Mari DeGrazia has updated her Google Analytics Cookie Cruncher to support Firefox up to version 48, and fixed a bug that caused her script for parsing Google Analytics data from Safari binary cookies to crash when it came across URL-encoded strings. She also released a simple parsing script for Chrome’s Internet History and Downloads that extracts some basic information into TLN format, as well as a Volatility plugin that extracts the computer name from the registry.
    Cookie Cruncher Update, Timelines, Chrome Parser and more
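For readers who want to see what a Chrome history-to-TLN conversion involves, here is an added example written for this post (it is not Mari’s script). It builds a History database in memory from constructed rows, converts Chrome’s WebKit timestamps to Unix time and emits TLN lines. The column names are Chrome’s, but only the subset of the urls, visits and downloads tables that the conversion needs is created.

```python
"""Chrome History database to TLN timeline lines.

Added example for this post, not Mari's Chrome parser. It covers the WebKit
timestamp conversion and the visits/urls join such a parser needs. The
History database is built in memory from constructed rows; the column names
are the ones Chrome uses, but the schema here is only the subset required.
"""
import sqlite3

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit/Windows
# epoch); TLN wants Unix seconds. 11644473600 s separate the two epochs.
EPOCH_DELTA = 11644473600


def webkit_to_unix(microseconds):
    return microseconds // 1_000_000 - EPOCH_DELTA


def download_start_to_unix(start_time):
    """downloads.start_time is WebKit microseconds in current Chrome, but older
    builds wrote Unix seconds; the magnitude tells the two apart."""
    return start_time if start_time < 10**11 else webkit_to_unix(start_time)


def history_to_tln(conn, host, user):
    """Return TLN lines (time|source|host|user|description), oldest first."""
    events = []
    # visits.url is an integer key into urls.id, hence the join
    for visit_time, url, title in conn.execute(
            "SELECT v.visit_time, u.url, u.title FROM visits v "
            "JOIN urls u ON u.id = v.url"):
        events.append((webkit_to_unix(visit_time), f"Visited {url} [{title}]"))
    for start_time, target_path, total_bytes in conn.execute(
            "SELECT start_time, target_path, total_bytes FROM downloads"):
        events.append((download_start_to_unix(start_time),
                       f"Download started: {target_path} ({total_bytes} bytes)"))
    events.sort()
    return [f"{ts}|CHROME|{host}|{user}|{desc}" for ts, desc in events]


def build_sample_history():
    """In-memory History with constructed rows (2016-08-28, 08:00-10:00 UTC)."""
    base = (1472371200 + EPOCH_DELTA) * 1_000_000     # 2016-08-28T08:00:00Z in WebKit time
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 1, base),
        (2, "https://example.org/report.pdf", "report.pdf", 1, base + 3600 * 10**6),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, base, 0, 0),
        (2, 2, base + 3600 * 10**6, 1, 0),
    ])
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?)",
                 (1, r"C:\Users\phill\Downloads\report.pdf", base + 7200 * 10**6, 4096, 4096))
    conn.commit()
    return conn


if __name__ == "__main__":
    for line in history_to_tln(build_sample_history(), host="LAPTOP-01", user="phill"):
        print(line)
```

Note that urls.last_visit_time only records the most recent visit to each URL; the visits table is where every visit lives, which is why the timeline is driven from visits rather than urls.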

  • Marc Padilla extols the benefits of converting a CSV file into an SQLite database. The main advantage is speed, because text editors don’t do a good job of opening hundred-megabyte CSVs. Marc also shows us how to use the sqlite3 command-line tool built into macOS and most *nix systems to import CSVs.
    Importing a CSV into SQLite for Faster Queries 
  • Casey at SubTee shows how, using the .SCT file format (COM scriptlets), malicious actors may be able to circumvent tools that monitor executables on the wire. Application whitelisting should pick this up even if the network security monitors don’t, and DLL whitelisting is worth the time and effort to set up.
    Advanced Use Case For .SCT Files 
  • Patrick Olsen at System Forensics provides a walkthrough on how to use The Sleuth Kit and dd to identify and extract the first 4 KiB of a partition and examine the volume header of an HFS+ file system (both manually and automatically).
    Mac DFIR – HFS+ Volume Header 
  • Igor Mikhaylov and Oleg Skulkin at Weare4n6 showed how to use n0fate’s Chainbreaker to decrypt the System keychain on OS X. The tool works on both Windows and Mac; when provided with the 24-byte master key from the “SystemKey” file, it will decrypt the System keychain.
    OS X System Keychain Forensic Analysis
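To go with Patrick’s HFS+ post above, here is an added example written for this post (it is not taken from his walkthrough). It decodes the volume header from a 4 KiB buffer representing the start of a partition, using the HFSPlusVolumeHeader layout from Apple’s Technical Note TN1150. The partition bytes are constructed in the script; on a real image you would carve the same 4 KiB with dd after locating the partition with mmls.

```python
"""Decode an HFS+ volume header from the first 4 KiB of a partition.

Added example for this post, not Patrick's walkthrough. Field layout is the
HFSPlusVolumeHeader structure from Apple Technical Note TN1150 (big-endian,
512 bytes at offset 1024). The partition bytes below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
HEADER_OFFSET = 1024
FIXED_FIELDS = ">HHI4s" + "I" * 10   # signature .. freeBlocks (52 bytes)
FORK_OFFSETS = {"allocation_file": 112, "extents_file": 192,
                "catalog_file": 272, "attributes_file": 352, "startup_file": 432}
ATTR_UNMOUNTED = 1 << 8              # kHFSVolumeUnmountedBit
ATTR_JOURNALED = 1 << 13             # kHFSVolumeJournaledBit


def hfs_date(secs):
    """Seconds since 1904-01-01; zero means unset. TN1150: createDate is local
    time of the creating host while the other dates are UTC, so the zone
    attached to createDate is nominal."""
    return None if secs == 0 else HFS_EPOCH + timedelta(seconds=secs)


def parse_fork(buf, off):
    """HFSPlusForkData: logicalSize, clumpSize, totalBlocks, 8 extent descriptors."""
    logical_size, _clump, total_blocks = struct.unpack_from(">QII", buf, off)
    extents = [struct.unpack_from(">II", buf, off + 16 + 8 * i) for i in range(8)]
    return {"logical_size": logical_size, "total_blocks": total_blocks,
            "extents": [(start, count) for start, count in extents if count]}


def parse_hfsplus_volume_header(partition):
    h = partition[HEADER_OFFSET:HEADER_OFFSET + 512]
    if len(h) < 512 or h[:2] not in (b"H+", b"HX"):
        raise ValueError(f"no HFS+/HFSX volume header at offset {HEADER_OFFSET}: {h[:2]!r}")
    (sig, version, attributes, last_mounted, journal_info_block,
     created, modified, backed_up, checked, file_count, folder_count,
     block_size, total_blocks, free_blocks) = struct.unpack_from(FIXED_FIELDS, h, 0)
    info = {
        "filesystem": "HFSX" if sig == b"HX" else "HFS+",
        "version": version,
        "unmounted_cleanly": bool(attributes & ATTR_UNMOUNTED),
        "journaled": bool(attributes & ATTR_JOURNALED),
        "last_mounted_version": last_mounted.decode("latin-1"),  # e.g. 'HFSJ', '10.0'
        "journal_info_block": journal_info_block,
        "create_date": hfs_date(created),
        "modify_date": hfs_date(modified),
        "backup_date": hfs_date(backed_up),
        "checked_date": hfs_date(checked),
        "file_count": file_count,
        "folder_count": folder_count,
        "block_size": block_size,
        "total_blocks": total_blocks,
        "free_blocks": free_blocks,
        "volume_size": block_size * total_blocks,
    }
    for name, off in FORK_OFFSETS.items():
        info[name] = parse_fork(h, off)
    return info


def build_sample_partition():
    """Constructed 4 KiB partition start carrying a journaled HFS+ header."""
    created = int((datetime(2016, 8, 28, 8, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    h = bytearray(512)
    struct.pack_into(FIXED_FIELDS, h, 0,
                     0x482B, 4, ATTR_UNMOUNTED | ATTR_JOURNALED, b"HFSJ", 0x1F0,
                     created, created + 3600, 0, created + 3600,
                     1234, 321, 4096, 1_000_000, 500_000)
    # catalog file: 8 MiB in a single extent starting at allocation block 0x2000
    struct.pack_into(">QIIII", h, FORK_OFFSETS["catalog_file"],
                     8 * 1024 * 1024, 8 * 1024 * 1024, 2048, 0x2000, 2048)
    partition = bytearray(4096)
    partition[HEADER_OFFSET:HEADER_OFFSET + 512] = h
    return bytes(partition)


if __name__ == "__main__":
    vh = parse_hfsplus_volume_header(build_sample_partition())
    for key in ("filesystem", "journaled", "unmounted_cleanly", "last_mounted_version",
                "create_date", "modify_date", "file_count", "folder_count", "volume_size"):
        print(f"{key:22} {vh[key]}")
    print("catalog extents       ", vh["catalog_file"]["extents"])
```

On a real image, `mmls image.dd` gives the partition’s starting sector and `dd if=image.dd bs=512 skip=<start> count=8 of=part_head.bin` carves the first 4 KiB. An “HX” signature means HFSX (case-sensitive names), and a clear unmounted bit means the volume was not cleanly unmounted, which is worth knowing before you trust the file and folder counts in the header.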


  • SANS Institute InfoSec Reading Room posted a white paper by Sourabh Saxena on using DNS sinkholes and live traffic analysis to assist in understanding malware traffic.
    Demystifying Malware Traffic 
  • Luis Rocha at Count Upon Security continues his thorough analysis of the Dridex Loader using OllyDbg.
    Malware Analysis – Dridex Loader – Part 2 
  • Alexander Sevtsov at Lastline Labs has started a series on VBA downloaders, beginning with a few of the tricks that malwriters use to obfuscate code. He first shows a series of methods for adding redundant lines to the code, and then gives a brief overview of how attackers can use WMI and multi-component downloaders to increase their evasiveness. So far this is a good start for anyone who wanted to write a code deobfuscator.
    Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 1] 
  • Alden Pornasdoro and Vincent Tiu at the Microsoft Malware Protection Center Threat Research & Response Blog have a write-up of a malicious OLE embedded script. The malwriter has inserted an obfuscated JS file inside a DOCX and attempts to use social engineering to get the user to execute it. The JS file drops a series of PowerShell scripts and a certificate used to intercept HTTPS traffic.
    Double-click me not: Malicious proxy settings in OLE Embedded Script 
  • Sarah (Qi) Wu and He Xu at Fortinet have a write-up of a Python-based ransomware which hopes to emulate the one seen on Mr. Robot. The ransomware appears incomplete: it uses a hardcoded key to encrypt files using a known algorithm (and since it’s Python you can see the code), there are unfinished routines left to encrypt network shares, and the payment instructions page doesn’t load on execution. The authors suggest that this may be an early iteration and that the malwriters may improve on it in the future. In the meantime, they have provided a decryptor.
    Take it Easy, and Say Hi to This New Python Ransomware 
  • Guy Bruneau at the SANS ISC Handler Diaries shared how he used a JavaScript beautifier to make an obfuscated JS sample more readable.
    Spam with Obfuscated Javascript


And that’s all for Week 35! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
