Last week of vacation, this time, I’m writing overlooking Bangkok!
Also, less than 2000 words! The closest I get to a slow news week 🙂
SOFTWARE UPDATES
- Willi Ballenthin updated his Windows Event Log parser, python-evtx, to version 0.5.0. The update adds Python 3 support.
Check out @williballenthin’s Tweet
- Microsystemation updated XRY to version 7.1, adding support for iOS 10, Pokémon GO, Android backup extraction of blocked apps and decoding of Outlook PST files, as well as approximately 1,000 new device profiles. The release notes can be found here.
XRY Just Got Better!
- Eric Zimmerman updated JLECmd to version 0.9.6.0 to handle the case where a Jump List has more directory entries than are listed in its DestList. As a result, there’s a new argument that lets users extract information for just the entries in the DestList, or print all of the available directory entries.
JLECmd v0.9.6.0 released
- Eric also updated his AppCompatCache Parser to version 0.9.2.0, improving OS detection. The updated parser can be found here.
- Mark Woan released Exe finder v1.0.3, which contains updated regexes used to find suspiciously located files.
Check out @woanware’s Tweet
- Katana Forensics released a new version of Lantern, version 4.5.9, to provide a fix for connections to iOS devices.
Katana Forensics Customer Portal
- YARA 3.5.0 was released. The release notes list various bug fixes, performance improvements and updates.
YARA 3.5.0 Released
- GetData’s Forensic Explorer was updated to version 3.6.8.5740 with some minor bug fixes and improvements.
Download Forensic Explorer
- X-Ways Forensics 18.8 SR-12 was released; however, it is only available on request. It incorporates some of the fixes introduced in later versions.
X-Ways Forensics 18.8 SR-12
- X-Ways Forensics 18.9 SR-8 was released with various minor updates and bug fixes.
X-Ways Forensics 18.9 SR-8
- X-Ways Forensics 19.0 was updated to Beta 1 and then Beta 2. These updates added the ability to set “multiple text interpretations of binary data in the hex editor’s text display at the same time depending on the license type”, a file system offset column, improved verification, a revised comparison function, an increased size of block hash matches, and other minor improvements.
X-Ways Forensics 19.0 Beta 2
SOFTWARE/PRODUCT RELEASES
- Mark Woan released lookuper (version 0.0.1). This tool “performs lookups against VirusTotal/ThreatExpert/Google Safe Browsing data for data types such as MD5, SHA256, URL, IP, Domains, Strings e.g. mutexes” and is compiled for Linux and Windows.
Check out @woanware’s Tweet
- Simon Key at Guidance Software tweeted out a couple of EnScripts.
- The first is a new EnScript that converts Mac OS X Mail. The script appears to take mail files located in the user’s Outlook folder and parse them into the Artifacts tab (shown in EnCase 8).
Check out @SimonDCKey’s Tweet
- The second is version 2.2 of the PST/OST deleted file recovery script.
Check out @SimonDCKey’s Tweet
PRESENTATIONS/PODCASTS
- Stuart Davis at Mandiant Consulting will be presenting a webinar on a real case study on combating an APT. This will take place on September 13th at 11:00 AM UTC.
Enterprise Incident Response Through a Lens
- Bradley Schatz posted his “Accelerating forensic and IR workflow” talk from the recent HTCIA conference. This is an updated version of the presentation that I wrote about here.
Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging – HTCIA 2016
- Lee Reiber from Oxygen Forensics will be hosting a webinar on Wednesday, 14th September at 7 am PDT / 2 pm UTC. The webinar will cover the need to understand application data in order to conduct a complete examination of a mobile device.
Webinar: Deep Diving for Forensic Gold – Applications and Deleted Data
- SANS Digital Forensics posted a number of presentations from the 2016 DFIR Summit and Threat Hunting Summit.
- Trust But Verify – SANS DFIR Summit 2016
- To Automate or Not To Automate: That is the Incident Response Question
- All About That (Data)Base – SANS DFIR Summit 2016
- FLOSS Every Day: Automatically Extracting Obfuscated Strings from Malware – SANS DFIR Summit 2016
- Start-Process PowerShell: Get Forensic Artifact – SANS DFIR Summit 2016
- iOS of Sauron: How iOS Tracks Everything You Do – SANS DFIR Summit 2016
- Train Like You Fight – Threat Hunting Summit 2016
- This week’s episode of the Digital Forensics Survival Podcast covers Mac “double files”, the annoying hidden files you see on your USB drive after you plug it into a Mac. On an HFS+ volume a file is made up of a data fork and a resource fork, and can also carry extended attributes. When a user copies a file to a FAT/exFAT volume, which has no forks or extended attributes, OS X writes the resource fork and extended attributes into a hidden AppleDouble file whose name is “._” followed by the original filename. When the file is copied back to an HFS+ volume the resource and data forks are combined again. According to Michael, the resource fork is stored in an Alternate Data Stream on NTFS (however this would require additional drivers, as OS X doesn’t write to NTFS natively; as a side note, built-in cross compatibility between the file systems would be nice). These “double files” can be used by an examiner to show that a file may at one point have been on a Mac, and may themselves contain useful information (Finder info and any other extended attributes).
DFSP # 029 – Mac Cooties?!
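As an added example (my own code, not from the podcast or this post), the following Python parses one of these AppleDouble “._” files so you can see exactly what survives the trip to FAT/exFAT: the entry table, the 32-byte Finder info (file type and creator), any extended attributes, and the resource fork. The header and entry table follow Apple’s AppleSingle/AppleDouble format; the extended-attribute block is read using the layout from Apple’s copyfile.c (32 bytes of Finder info, a 2-byte pad, then an “ATTR” header and entry list). The sample sidecar is constructed inside the script so it runs offline; the quarantine value and resource fork bytes are made up.

```python
import struct

APPLEDOUBLE_MAGIC = 0x00051607          # AppleSingle is 0x00051600
ATTR_MAGIC = 0x41545452                 # b"ATTR": macOS xattr block (copyfile.c layout)
RESOURCE_FORK, FINDER_INFO = 2, 9
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name", 4: "comment",
               8: "file dates", 9: "Finder info", 10: "Macintosh file info"}


def _attr_entry_len(namelen):
    # ATTR_ENTRY_LENGTH from copyfile.c: 11 fixed bytes + NUL-terminated name, rounded up to 4
    return (12 - 1 + namelen + 3) & ~3


def parse_xattrs(blob, finfo_off, finfo_len):
    """Extended attributes that macOS packs after the Finder info entry, as {name: value}."""
    if finfo_len <= 34 + 36:            # nothing beyond Finder info + pad + ATTR header
        return {}
    hdr = finfo_off + 34                # 32 bytes Finder info + 2 bytes pad
    magic, _tag, _total, data_start, data_len = struct.unpack(">5I", blob[hdr:hdr + 20])
    if magic != ATTR_MAGIC:
        return {}
    _flags, num_attrs = struct.unpack(">HH", blob[hdr + 32:hdr + 36])
    if data_start + data_len > len(blob):
        raise ValueError("xattr data area runs past end of file")
    xattrs, pos = {}, hdr + 36
    for _ in range(num_attrs):
        off, length, _eflags, namelen = struct.unpack(">IIHB", blob[pos:pos + 11])
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\x00").decode("utf-8", "replace")
        if off + length > len(blob):
            raise ValueError("xattr %r data runs past end of file" % name)
        xattrs[name] = blob[off:off + length]
        pos += _attr_entry_len(namelen)
    return xattrs


def parse_appledouble(blob):
    """Return a summary dict for an AppleDouble sidecar; raises ValueError on malformed input."""
    if len(blob) < 26:
        raise ValueError("too short for an AppleDouble header")
    magic, version = struct.unpack(">II", blob[:8])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file (magic 0x%08x)" % magic)
    (count,) = struct.unpack(">H", blob[24:26])        # after 16 bytes of filler
    table = {}
    for i in range(count):                              # 12-byte entries: id, offset, length
        eid, off, length = struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])
        if off + length > len(blob):
            raise ValueError("entry %d runs past end of file" % eid)
        table[eid] = (off, length)
    info = {"version": version, "xattrs": {}, "resource_fork": b"",
            "entries": {ENTRY_NAMES.get(e, "id %d" % e): ln for e, (_, ln) in table.items()}}
    if FINDER_INFO in table:
        off, length = table[FINDER_INFO]
        info["file_type"] = blob[off:off + 4].decode("mac_roman", "replace")
        info["creator"] = blob[off + 4:off + 8].decode("mac_roman", "replace")
        info["xattrs"] = parse_xattrs(blob, off, length)
    if RESOURCE_FORK in table:
        off, length = table[RESOURCE_FORK]
        info["resource_fork"] = blob[off:off + length]
    return info


def build_sample_sidecar():
    """Constructed '._notes.txt': TEXT/ttxt Finder info, one xattr, a 256-byte resource fork."""
    finfo = b"TEXTttxt" + b"\x00" * 24                    # type, creator, flags/location zeroed
    name, value = b"com.apple.quarantine\x00", b"0081;57cf3b20;Safari;"   # made-up value
    rsrc = b"\x00\x00\x01\x00" + b"\x00" * 252             # stand-in resource fork bytes
    finfo_off = 26 + 2 * 12                               # header + two table entries
    hdr_off = finfo_off + 34
    entry_len = _attr_entry_len(len(name))
    data_start = hdr_off + 36 + entry_len
    finfo_len = data_start + len(value) - finfo_off
    rsrc_off = data_start + len(value)
    attr_hdr = struct.pack(">5I3IHH", ATTR_MAGIC, 0, data_start, data_start, len(value),
                           0, 0, 0, 0, 1)
    attr_ent = struct.pack(">IIHB", data_start, len(value), 0, len(name)) + name
    attr_ent += b"\x00" * (entry_len - len(attr_ent))
    blob = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, b"Mac OS X        ", 2)
    blob += struct.pack(">III", FINDER_INFO, finfo_off, finfo_len)
    blob += struct.pack(">III", RESOURCE_FORK, rsrc_off, len(rsrc))
    return blob + finfo + b"\x00\x00" + attr_hdr + attr_ent + value + rsrc


if __name__ == "__main__":
    summary = parse_appledouble(build_sample_sidecar())
    for key in ("file_type", "creator", "entries", "xattrs"):
        print("%-14s %r" % (key, summary[key]))
    print("resource fork  %d bytes" % len(summary["resource_fork"]))
```

Point `parse_appledouble` at the bytes of a real `._` file from a FAT-formatted drive and the xattr dictionary is where the interesting material tends to be: a `com.apple.quarantine` value records the downloading application and a timestamp, and `com.apple.metadata:kMDItemWhereFroms` (a binary plist) records where the file was downloaded from.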
FORENSIC ANALYSIS
- Harlan Carvey at Windows Incident Response provided his thoughts on a few articles and explained some code he has written to parse .pub files. These files use the OLE structured storage (compound file) format, so he modified one of his existing Perl scripts to extract stream information, including dates. The script appears to be complementary to Didier Stevens’ oledump.
More Updates
- The Int’l Man of Leisure has started a blog, aptly named 4n6tacoHut, “because all of the good DFIR blog names were already taken”. The inaugural post covers stitching together and mounting LVM2 volumes spread across virtual hard disks (apparently the major forensic suites don’t do a good job of combining multiple VMDKs into a single volume for mounting the file system and/or creating a forensic image of the entire thing). The author uses SIFT to take two VMDK-turned-DD images and combine them into one logical volume, which he’s then able to mount (and image if required).
Mounting and imaging Logical Volume Manager (LVM2)
- Michael Maurer at Distributed Forensic Timeline shared Virtual File Tools (vftools), “a small collection of Sleuth kit-esque command line digital forensics tools designed to provide read only access to a large range of digital storage”. vftools has only three commands, vfls, vfcat and vfinfo, and uses path specs instead of inodes.
vftools – first look
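As an added example for the .pub/OLE item above (my own code, not Harlan’s Perl script and not oledump), here is a stdlib-only Python walk of an OLE compound file’s directory, which is what any .pub parser has to do before it can get at a stream: read the header, load the FAT, follow the directory chain and decode each entry’s name, type, size and FILETIME timestamps. It also flags storage names that hint at VBA, which is handy for a quick look at a .pub attachment when no Publisher install is to hand. The compound file it parses is constructed inside the script (one FAT sector, one directory sector, one stream and a “VBA” storage), so the stream contents and timestamp are made up, and DIFAT overflow (files over roughly 6.8 MB) is deliberately rejected rather than handled.

```python
import struct
import datetime

CFB_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}
EPOCH = datetime.datetime(1601, 1, 1)          # FILETIME epoch, 100 ns ticks


def from_filetime(ticks):
    return None if ticks == 0 else EPOCH + datetime.timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    d = dt - EPOCH                               # integer maths: floats lose precision at 1e17
    return (d.days * 86400 + d.seconds) * 10 ** 7 + d.microseconds * 10


def sector(blob, n, size):
    return blob[(n + 1) * size:(n + 2) * size]  # sector 0 starts right after the 512-byte header


def parse_ole(blob):
    """List directory entries (name, type, size, timestamps) of an OLE compound file."""
    if blob[:8] != CFB_SIG:
        raise ValueError("not an OLE compound file")
    sect_shift = struct.unpack("<H", blob[30:32])[0]
    nfat, first_dir = struct.unpack("<II", blob[44:52])
    if struct.unpack("<I", blob[72:76])[0]:
        raise ValueError("DIFAT overflow sectors (files > ~6.8 MB) not handled in this example")
    size = 1 << sect_shift
    fat = []
    for s in struct.unpack("<109I", blob[76:512])[:nfat]:   # FAT sector list lives in the header
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(blob, s, size)))
    entries, sect, seen = [], first_dir, set()
    while sect != ENDOFCHAIN:
        if sect >= len(fat) or sect in seen:
            raise ValueError("directory chain is out of range or loops at sector %d" % sect)
        seen.add(sect)
        data = sector(blob, sect, size)
        for i in range(size // 128):             # 128-byte directory entries
            e = data[i * 128:(i + 1) * 128]
            namelen, typ = struct.unpack("<HB", e[64:67])
            if typ == 0:
                continue                         # unused slot
            ctime, mtime, start, ssize = struct.unpack("<QQIQ", e[100:128])
            entries.append({"name": e[:max(namelen - 2, 0)].decode("utf-16-le", "replace"),
                            "type": TYPES.get(typ, "type %d" % typ), "size": ssize, "start": start,
                            "created": from_filetime(ctime), "modified": from_filetime(mtime)})
        sect = fat[sect]
    return entries


def macro_hints(entries):
    """Names suggesting embedded VBA; a triage heuristic, not a verdict."""
    return [e["name"] for e in entries
            if "vba" in e["name"].lower() or "macros" in e["name"].lower()]


SAMPLE_PAYLOAD = b"constructed stream body, not a real Publisher document"


def _dirent(name, typ, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
            mtime=0, start=ENDOFCHAIN, size=0):
    n = name.encode("utf-16-le") + b"\x00\x00"
    return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), typ, 1, left, right, child)
            + b"\x00" * 16 + struct.pack("<IQQIQ", 0, 0, mtime, start, size))


def build_sample_cfb():
    """Minimal 512-byte-sector compound file: one FAT sector, one directory sector, one stream."""
    mtime = to_filetime(datetime.datetime(2016, 9, 1, 12, 0, 0))      # made-up timestamp
    hdr = CFB_SIG + b"\x00" * 16 + struct.pack("<HHHHH6s9I", 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                                               0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *([FREESECT] * 108))            # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = (_dirent("Root Entry", 5, child=1)
                 + _dirent("Contents", 2, right=2, mtime=mtime, start=2, size=len(SAMPLE_PAYLOAD))
                 + _dirent("VBA", 1) + b"\x00" * 128)
    return hdr + fat + directory + SAMPLE_PAYLOAD.ljust(512, b"\x00")


if __name__ == "__main__":
    entries = parse_ole(build_sample_cfb())
    for e in entries:
        print("%-12s %-8s %6d bytes  modified %s" % (e["name"], e["type"], e["size"], e["modified"]))
    print("macro hints:", macro_hints(entries))
```

Timestamps in the directory are the ones Harlan’s script is after; note that most writers only populate them on storages (the root and sub-storages), so a zero on a stream entry is normal rather than suspicious.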
MALWARE
- Amanda at Secured.Org created a video showing how she builds malware diagrams in Photoshop. She downloaded a fresh sample of the Zepto ransomware, a derivative of Locky, and walked through her breakdown of the sample, culminating in a useful diagram.
Zepto Ransomware Diagram How-To
- A post on the VMRay blog covers a JAR archive that, if executed, modifies certain Windows security settings, injects itself into Explorer, and maintains persistence via, surprise surprise, the Run key; the Run key really is one of the first places to look for a malware infection. That matters here especially because the files the malware downloads are stored under the “Public” user profile, which may evade a cursory glance. Interestingly, the downloader fetches DLLs (saved as .txt files) and executes them with regsvr32, a technique Casey Smith wrote about here.
Malware uses Java Archive (JAR)
- Casey Smith explains how to use the DynamicWrapperX DLL, which “advertises that you can execute win32 calls inside of Jscript / VBScript”. According to the comments section, “this is the technique used in metasploit vbsmem payload. They say it’s a “fileless” payload, but they first drop dynawrap.dll to disk”. I’d imagine a quick look on a system for dynawrap.dll would probably alert a responder to a potential attacker.
Shellcode Via JScript / VBScript – Happening Now!
- Orkhan Mamedov and Fedor Sinitsyn at SecureList describe a new version of the RAA cryptor that works in conjunction with the Pony stealer Trojan. The downloader is an obfuscated JS file located within a password-protected ZIP file. Once executed the script carries out the usual ransomware operations, and also runs a Trojan that packages up a variety of passwords and Bitcoin wallets and sends them off to the scammers.
A malicious pairing of cryptor and stealer
- Xavier Mertens, on the SANS ISC Handler Diaries, identified a few instances of malicious macros in Microsoft Publisher (.pub) files. Apparently, a lot of sandbox environments don’t have Publisher installed, which means such a sample cannot be detonated and analysed there.
Malware Delivered via ‘.pub’ Files - Mohamed Morad provided a static and dynamic analysis of a malicious .pub file.
The case of Malicious .pub file Attachments
- Joe Security at Automated Malware Analysis describes two malware samples they have come across recently. The first checks for the Zone.Identifier ADS, which wouldn’t be present on the EXT file systems that many sandboxes utilise, and also examines the RecentDocs key. The second attempts to determine whether the compromised machine is part of a corporate environment by checking the domain settings. Joe Security explains that “deep malware analysis” enables examiners to spot evasion techniques, and that open platforms assist in preventing the evasions.
Will it blend? This is the Question, new Macro based Evasions spotted
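Pulling the Run-key and regsvr32 points above together, here is an added Python triage example (mine, not code from the VMRay or Casey Smith posts) that reads a `reg export` of the Run key and flags what those two posts describe: programs launched from the Public profile, regsvr32 or rundll32 handed something that is not a .dll, regsvr32 with the /i: scriptlet switch, script hosts at logon, and any mention of dynawrap.dll. The .reg text is constructed for the example and the paths and value names in it are invented; hex-encoded values (REG_EXPAND_SZ and friends) are skipped.

```python
import re

# Constructed sample in `reg export` format; every path and value name is made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="regsvr32 /s /n /u /i:C:\\Users\\Public\\svc.txt scrobj.dll"
"SysHelper"="C:\\Users\\Public\\Libraries\\helper.exe"
"Office"="rundll32.exe C:\\Users\\Public\\office.txt,Start"
"VBSLoader"="wscript.exe //B C:\\Users\\Public\\ld.vbs"
"Wrapper"="regsvr32 /s C:\\Users\\alice\\AppData\\Roaming\\dynawrap.dll"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
PUBLIC_RE = re.compile(r'\\Users\\Public\\|%PUBLIC%', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for string values in a .reg export; hex values skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group(2).startswith('"') and m.group(2).endswith('"'):
            data = re.sub(r'\\(["\\])', r'\1', m.group(2)[1:-1])   # undo .reg escaping
            yield key, m.group(1), data


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyse_run_value(cmd):
    """Return the reasons a Run value deserves a closer look (empty list = nothing obvious)."""
    reasons, tokens = [], tokenize(cmd)
    if not tokens:
        return reasons
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if not exe.endswith(".exe"):
        exe += ".exe"                          # "regsvr32" and "regsvr32.exe" are the same binary
    if PUBLIC_RE.search(cmd):
        reasons.append("runs content from the Public profile")
    if exe == "regsvr32.exe":
        for arg in tokens[1:]:
            if arg.lower().startswith("/i:"):
                reasons.append("regsvr32 /i: scriptlet install (the technique Casey Smith described)")
            elif not arg.startswith("/") and not arg.lower().endswith((".dll", ".ocx", ".ax")):
                reasons.append("regsvr32 loading a file without a DLL extension: %s" % arg)
    if exe == "rundll32.exe" and len(tokens) > 1:
        module = tokens[1].split(",")[0]
        if not module.lower().endswith(".dll"):
            reasons.append("rundll32 loading a file without a DLL extension: %s" % module)
    if exe in SCRIPT_HOSTS:
        reasons.append("script host %s launched at logon" % exe)
    if "dynawrap.dll" in cmd.lower():
        reasons.append("references dynawrap.dll (DynamicWrapperX)")
    return reasons


def triage_run_keys(reg_text):
    """Map value name -> reasons for every Run/RunOnce value that trips at least one heuristic."""
    findings = {}
    for key, name, cmd in parse_reg_export(reg_text):
        if key.split("\\")[-1].lower() not in ("run", "runonce"):
            continue
        reasons = analyse_run_value(cmd)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_keys(SAMPLE_REG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On a live box, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent), remembering that `reg export` writes UTF-16, so open the file with `encoding="utf-16"`; for a dead-box image, export the same keys from the NTUSER.DAT and SOFTWARE hives with your registry tool of choice. The heuristics are deliberately loose: a script host in the Run key is worth a look, not a verdict.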
MISCELLANEOUS
- Cyrill Bannwart at Compass Security shares his thoughts on Black Hat USA 2016 and DEF CON 24, providing a brief overview of a number of talks.
Black Hat USA 2016 / DEF CON 24
- Amanda Johnson at Champlain College shares her Enfuse 2016 experience by reviewing the “Five Mistakes You Don’t Want to Make When Providing Forensics Testimony” session. The main takeaways are: be prepared, be patient, answer the question asked, don’t exceed your knowledge, be impartial and stick to the facts, and finally examine the computer of interest.
Enfuse 2016 Reflections – Amanda Johnson
- SANS announced their Call For Presentations for the Threat Hunting and Incident Response Summit, to be held 18th-19th April 2017 in New Orleans. The Call for Presentations closes on 21st October 2016.
SANS Threat Hunting and Incident Response Summit – Call For Presentations
- The Call For Presentations for DFRWS-EU and IMF 2017 closes on 3rd October.
CFP – Deadline October 03 – DFRWS-EU and IMF 2017 Joint Conference
- The Call For Papers for the Thirteenth Annual IFIP WG 11.9 International Conference on Digital Forensics in Orlando, Florida, USA ends 16th September 2016.
- Jonathan Zdziarski posted a screenshot of a Mac OS X Terminal window showing Windows registry files.
Check out @JZdziarski’s Tweet
- DFIR Guy at DFIR Training has provided updates about the site; it is running smoothly and has over 600 DFIR tools listed.
More updates than you can shake a stick at
And that’s all for Week 36! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!