Back in Sydney again! Unfortunately, I ran out of time this week (jet lag doesn’t help productivity) so some of the summaries may be a bit sparse (you may be able to tell which ones I did when I had more time, maybe not).
SOFTWARE UPDATES
- Sumuri released Paladin version 7. The update adds support for eMMC and nvRAM as well as other hardware, provides updates for a number of inbuilt tools, includes the ability to image across a network to NFS or SMB (samba), as well as various bug fixes.
Paladin 7 - Tableau released a firmware update for the Tableau Universal Bridge, model T356789iu, which resolves the bug mentioned here. It is highly recommended you update your TUB’s to the latest firmware.
Tableau Firmware Update Revision History for v7.16 - Cellebrite updated their UFED line to version 5.3, adding “physical extraction and decoding of rooted and unencrypted Samsung Galaxy S7 and Note 7 devices”, Android Nougat and iOS 10 support, various extraction methods for the iPhone 7s/7s+, verification of file system extractions through hashing, and various bug fixes.
UFED Touch2, UFED Touch, UFED 4PC, UFED Physical Analyzer and UFED Logical Analyzer 5.3 (September 2016) - Phil Harvey updated ExifTool to version 10.26 (development release), adding support for additional metadata tags and fixing minor bugs.
ExifTool 10.26 - Adam at Hexacorn updated DeXRAY to version 1.7. The 1.6 update that occurred earlier in the week adds support for ccSubSdk files. These files apparently contain metadata for files, even those that have been deleted, which is always interesting. The 1.7 update “added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties”
DeXRAY 1.6 – ccSubSdk files
DeXRAY 1.7 – ccSubSdk files – part 2 - GetData’s Forensic Explorer was updated to version 3.6.8.5752 to fix an issue extracting DOCX metadata, and minor GUI updates.
Download Forensic Explorer - Mark Woan at Woanware updated lookuper to version 0.0.2 to fix a bug “when single file reports or URL’s were requested”.
Check Out @woanware’s Tweet - Cyber Triage was updated to version 1.6.1, and Brian Carrier has written a blog post to explain that this version comes “both fully and partially automated analysis on the programs that were run”. The program will identify previously run applications (based on registry and prefetch data), scan them if they’re available and then present the information to the user to filter/review.
Finding Suspicious Program Activity - Paul Sanderson updated Forensic Browser for SQLite to 3.1.6.a, adding for Facebook orca tuples, improving orca blob decoding and the structured storage backend as well as various bug fixes.
New release 3.1.6a - X-Ways Forensics 19.0 Beta 3 was released with improved instance loading (showing which case is loaded in each instance) among other minor updates.
X-Ways Forensics 19.0 Beta 3
SOFTWARE/PRODUCT RELEASES
- Nir Sofer at Nirsoft has released a couple of new event log utilities; FullEventLogView and EventLogChannelsView. FullEventLogView is similar to the MyEventViewer utility, however, works for the EVTX format. “EventLogChannelsView is a new utility for Windows 10/8/7/Vista that shows the list of all event log channels on your system, including the channel name, event log filename, enabled/disabled status, current number of events in the channel, size of the event log file, and more”.
New event log utilities for Windows 10/8/7/Vista
PRESENTATIONS/PODCASTS
- This week’s episode of the Digital Forensics Survival podcast covers OS X’s indexing engine, Spotlight. Spotlight stores it’s data in the “store.db” file which is buried in the .Spotlight-V100 directory on a volume. The database stores a large amount of metadata and the service also support plugins for non-Apple products. The blog post provides the commandline command to mount a DMG as read-only “with a shadow file that allows “writes” to the volume without actually writing to the evidence”.
DFSP # 030 – OS X Spotlight - Hasherezade uploaded her slides from her talk on the Petya ransomware at Security Case Study 2016.
Check out @hasherezade’s Tweet - Adrian Crenshaw uploaded a number of presentations from BSides Augusta 2016. I’ve linked to the ones that might be of interest, but they can all be found here.
- Living In America06 Automating Malware Analysis for Threat Intelligence Paul Melson
- Living In America04 Using Ransomware Against Itself Tim Crothers and Ryan Borres
- Super Bad01 Incident Response Awakens Tom Webb
- Living In America05 Hunting Defense Against The Dark Arts Jacqueline Stokes Danny Akacki and Stephen
- Living In America00 A worm in the Apple examining OSX malware Wes Widner
FORENSIC ANALYSIS
- Eric Zimmerman has continued his processing testing, this time adding a larger data set and RAW images. For the larger data set, X-Ways was significantly faster than FTK at everything except processing a case. Overall there appeared to be a speed increase when using RAW images over E01, and local machine processed faster than virtual.
Benchmark followup: Big(ger) data and Raw vs E01 - Patrick J. Siewert at Pro Digital Forensic Consulting lists a variety of different places that one can look for evidence when investigating a distracted driving case. This includes the device, call charge records, online service provider records and the car itself.
Digital Evidence in Distracted Driving Cases: Text Messages & Beyond - Blackbag announced that “Apple’s iTunes 12.5.1 update, released September 13th, 2016, will cause BlackLight and Mobilyze to stop working with iOS devices on OS X”. An update is expected for BlackLight and Mobilyze that should fix the bug.
Apple iTunes 12.5.1 - Michael Byrne at Motherboard shared a file analysis challenge posted earlier in the year by the British Intelligence service MI5. Michael also went to the trouble of showing us how to extract the some of metadata from the file using Python, however, ran into a bit of trouble. As mentioned in the article ExifTool is much less painful, and probably less fun :). This produces the first clue, the rest of the puzzle is a little more difficult (but also a little anti-climactic).
Hack This: Extract Image Metadata Using Python - Hana Gazoli at Cellebrite explains a feature in UFED Cloud Analyzer 5.2 that allows examiners to parse WhatsApp backups stored in Google Drive. The device key is important as otherwise you will only be able to view the photos and videos, this can be obtained through Physical Analyser.
Access Historical WhatApp Conversations with UFED Cloud Analyzer - Davide Gabrini, Andrea Ghirardini, Mattia Epifani and Francesco Acchiappati shared the results of a forensic challenge that came their way, on Forensic Focus. The phone was a Jolla White 16GB JP-1301 running Sailfish 2.0.1.11 that had previously been reset twice by the owner, was protected by a 5-digit PIN, with no encryption on the internal storage, and developer mode was not active. The examiners were able to determine a method of connecting the device to a Linux terminal and connecting via telnet, where they were then able to take a forensic image using DD and Netcat. Unfortunately the resultant dump was unable to be parsed by available tools, however, X-Ways parsed the GPT partitioning, and they had to resort to examining the BTRFS file system in Linux. Using various tools the team was able to carve out a number of pictures, emails, databases etc containing data of interest.
Meeting A Forensic Challenge: Recovering Data From A Jolla Smartphone - Harlan Carvey expanded on his post last week where he discussed created a Perl script to parse Microsoft Publisher files. This post describes some of the conclusions he came to after examining a number of different malicious pub files attempting to identify commonalities.
- all of the “directory” streams had the same time stamp
- Most of the files had ‘Summary Information’ and ‘Document Summary Information’ streams were blank.
- Some of the files had a populated “Authress:” entry in the ‘Summary Information’ section.
- All of the files had Trash sections that were blank, however “it’s difficult to determine specifically if this is a result of the file being created by whichever application was used (sort of a ‘default’ configuration), or if this is the result of an intentional action.”
- Many files contained a second stream, named “Module1” with an embedded macro; Module1 contained an empty function, which had a unique name.
OLE…OLE, OLE, OLE!
- Jack Crook shares his thoughts on categorising what is abnormal on a system to detect a breach. Jack explains that understanding the difference between normal and abnormal can allow an examiner to detect anomalous behaviour without the need for baselining. Jack lists the four categories as “Communication between machines, User authentication, Processes execution, and Filesystem activity“. “If we build generic queries around least occurrence and first seen we have a chance of identifying the above as well as many other types of lateral movement or actions on objective”.
Categories of Abnormal - Florian Roth shared version 1.0 of a cheat sheet for Kibana and ElasticSearch made by himself and Thomas Patzke.
Check out @cyb3rops’s Tweet - Sergei Skorobogatov published a paper called “The bumpy road towards iPhone 5c NAND mirroring” that presented a cheap method for unlocking a locked iPhone 5c using under $100 worth of equipment. The method allowed the examiner to enter passcodes (6 attempts before the OS enforced timeout), determine the bits that had been changed and refresh them from the master copy of the data and then try again. The process was fairly manual but allowed a password to be obtained in under 40 hours, but the author suggested various improvements to automate the process. Due to the nature of the process, the author advises not to use this method to obtain a 6-digit passcode as “it would require over 160 thousand rewrites and will very likely damage the Flash memory storage”. This is great news for those in the LE forensic community whom now have a process for obtaining a locked iPhone’s data; however, the author did make some suggestions for preventing this method of “attack” so I’m not sure how long this will last. Working in law enforcement, I would be quite happy if Apple didn’t prevent us from getting at the data.
The bumpy road towards iPhone 5c NAND mirroring - Heather Mahalik at Smarter Forensics has performed an initial examination of iOS 10 and has confirmed that there doesn’t appear to be a drastic change from iOS 9. There has been a change in the structure of the iOS device backups. The Manifest.mbdb is now an SQLite database file – Manifest.db, and the files of the backup are stored in folders. Upon reviewing the device backup she realised that she had backup encryption enabled, and the resulting files were unable to be viewed, even when entering the correct password into the tools. As a result, she advises:
- “Do not update to the latest version of iTunes if you are creating backups as forensic images. It causes issues.”
- “Do not select to “Encrypt” the backup in Physical Analyzer when obtaining an Advanced Logical Extraction. That too will render your data encrypted.”
- “Hope that the user never used iTunes encryption!”
- If encryption is enabled, you will have to obtain the password and “manually remove the iTunes restriction and back the data up again until the tools adapt to handle iOS 10 backup file encryption.”
A Glimpse Of iOS 10 From A Smartphone Forensic Perspective
- Serge Petrov, Igor Mikhaylov and Oleg Skulkin at WeAre4n6 provide an overview of a variety of methods for detecting digital image forgery. The next post will cover the methods in practice.
Methods of Digital Image Forgery Detection - WeAre4n6 also shared the two DFIR challenges that were created by Dr. Ali Hadi (binaryz0ne).
Digital Forensic Challenge Images (Datasets) - Blake Strom and Paul Ewing on the Endgame blog explore detecting the COM Object Hijacking persistence tactic.
How to Hunt: Detecting Persistence & Evasion with the COM
MALWARE
- Casey at SubTee shows how a malicious actor can inject code into signed Microsoft binaries and bypass Device Guard, which coincidently, can also be used to protect against the vulnerability.
Bypassing Application Whitelisting using MSBuild.exe – Device Guard Example and Mitigations - Josh Reynolds and Emmett Koen at Cisco’s blog shared a three-part series on the H1N1 malware
- The analysis of the malware found “unique obfuscation techniques, a novel DLL hijacking vulnerability resulting in a User Account Control bypass, information stealing capabilities and self-propagation/lateral movement capabilities”. The malware propagates through Office macros, and the infected files have a payment/insurance themed naming convention. The remainder of the post covers the obfuscation techniques used by the malware
H1N1: Technical analysis reveals new capabilities - The second post explores the seldom publicised DLL hijacking method for UAC bypass, which the researchers could only find evidence of on a couple of Russian forums (potential malware authors?). It also covers how the malware stops specific services, steals information from Firefox and IE as well as Outlook and deletes shadow copies/disables system recovery options. Lastly, the malware propagates over USB and network drives. The propagation technique is quite interesting; the malware is copied onto the drive, it renames and hides each folder, and adds an LNK file with the folders original name, which is set to run the malware and open the linked folder (to avoid suspicion).
H1N1: Technical analysis reveals new capabilities – part 2 - The third post covers how AMP Threat Grid protects endpoints against H1N1 and explores the network of domains and IP’s relating to the analysed H1N1 sample using Threat Grid and Maltego.
Protecting against the latest variant of H1N1
- The analysis of the malware found “unique obfuscation techniques, a novel DLL hijacking vulnerability resulting in a User Account Control bypass, information stealing capabilities and self-propagation/lateral movement capabilities”. The malware propagates through Office macros, and the infected files have a payment/insurance themed naming convention. The remainder of the post covers the obfuscation techniques used by the malware
- Pieter Arntz at Malwarebytes Labs provides a brief analysis of a sample that uses HTML Application (.HTA) email attachments to transmit malware. As with WSF, VBS and JavaScript executables, the protection here is to change the file association for HTA files to something innocuous like Notepad.
Surfacing HTA infections - Floser Bacurio Jr. and Kenny Yongjian Yang at Fortinet explore unpacking the Locky ransomware “from its Nullsoft package loader”.
Locky NSIS-based Ransomware is Embracing Its New End of Summer Shape - Nicholas Griffin at Forcepoint covers the “newly released trojan downloader known as Quant Loader”. The loader copies itself to %appdata% as svchost.exe, adds a firewall rule, modifies file/folder permissions, the run key (which is then set to Read only to preserve persistence), decrypts its command-and-control (C&C) addresses and downloads a number of executables and libraries.
Locky Distributor Uses Newly Released Quant Loader Sold on Russian Underground - Stefan Ortloff at Securelist analyses Backdoor.OSX.Mokes, which is an “OS X variant of a cross-platform backdoor”. The malware is capable of stealing data and executing commands.
The Missing Piece – Sophisticated OS X Backdoor Discovered - Gavin Phillips showcases a variety of nation-state created malware.
When Governments Attack: Nation-State Malware Exposed
MISCELLANEOUS
- There were a few Enfuse 2016 highlights posted on the Champlain College blog this week.
- The first post, by Cedric Thompson, covers the EnCE which is free for Enfuse attendees.
Enfuse 2016 Highlight- Cedric Thompson - The second post, by Nancy Champagne, covers her thoughts on the “Convergence Forensics” session by Heather Mahalik and Rob Lee.
Enfuse 2016 Highlight – Nancy Champagne - Jake Nicastro shares his thoughts on Paul Shomo’s presentation, “Forensics Matters in Security: 360 Degree Visibility”.
Enfuse 2016 Highlight- Jake Nicastro
- The first post, by Cedric Thompson, covers the EnCE which is free for Enfuse attendees.
- FireEye announced their third annual Flare-On reverse engineering contest, which will start on 23rd September and end 4th November 2016 at 8pm ET.
Announcing The Third Annual Flare-On Challenge
- Enfuse 2017’s call for speakers is now open and closes October 28th. Presenters will receive complimentary full-conference registration, conference meals and networking receptions included and industry recognition and promotion as a speaker on social media and on the conference mobile app.
- TekDefense posted a network forensics challenge that closes September 25, 2016. The scenario is that a client has provided a PCAP file containing traffic after “a snort signature alerted for files downloaded from an HFS server”.
NETWORK CHALLENGE – 001 – LINUX - Guidance Software has changed the name of Encase Enterprise to Encase Basic, but no functionality has changed.
ENCASE ENTERPRISE IS NOW ENCASE BASIC
- And lastly, the Digital Forensics Magazine shares the story of a man named Stephen Cabrinety, who passed away in the 90’s at age 29, but left behind a home filled with old video games and software. Forensic examiners at NIST and Stanford combined to preserve the collection electronically, which proved to be a challenge considering the variety of data storage formats that have since been forgotten.
Digital Forensics Rescues Retro Video Games and Software
And that’s all for Week 37! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 
My highlight of the week is reading your posts – many thanks for taking the time to put this together every week, it’s very much appreciated.
LikeLike
Totally agree with John. Brilliant weekly reviews!
LikeLike
Thanks guys
LikeLike
Great work! Thanks a lot!
LikeLike