Week 38 – 2016


  • Plaso has been updated to version 1.5, codenamed Gná. This version has back-end performance updates and new and improved plugins, as well as support for YARA rules. It’s important to note that because of the backend updates, this version isn’t compatible with storage files generated by older versions. (As a side note, a way I get around this sort of thing is storing my tools in my case data so that when I archive it, it should have the tools that were used to re-read the data).
    What flies there? What fares there? Or moves through the air? Plaso 1.5 – Gná released 
  • Matt Suiche at Comae Technologies has announced that DumpIt and Hibr2Bin have returned! The tools are updated to version 3.0.0 and support “all the versions of Windows from XP up to 10 x64”. Another update for DumpIt is that it now “provides extra information during the acquisition such as displaying the Directory Table Base and the address of the debugging data structures”.
    Your favorite Memory Toolkit is back… FOR FREE! 
  • Didier Stevens updated his Python script translate.py to version 2.3.1, adding the -e option, which can be used to execute extra statements.
    Update: translate.py Version 2.3.1 
  • Magnet Forensics updated AXIOM to version 1.0.5, adding support for “several Internet of Things (IoT) artifacts for Android and iOS devices”, as well as file hashing.
    Magnet AXIOM 1.0.5 Helps Forensics Professionals Wade into IoT Waters 
  • Joe Security released Joe Sandbox 16, along with Joe Sandbox Mobile 5.0.0 and Joe Sandbox X 2.2.0. This update included new behaviour signatures, support for Windows 10 x64, support for bare metal analysis on Android, new anti-evasions, support for many new file extensions, web interface improvements and new Cookbook commands, as well as other minor improvements.
    New Release: Joe Sandbox 16 out! 
  • Phil Harvey released version 10.27 (developmental release) of ExifTool, adding some additional EXIF tags and minor bug fixes.
    ExifTool Version History 
  • Elcomsoft updated Elcomsoft Phone Breaker to version 6.10.14158 to deal with the latest iOS 10 backup files. Oleg Afonin explains that they have identified a vulnerability in the iOS 10 backup protection mechanism which has dramatically increased the password-cracking speed.
    iOS 10: Security Weakness Discovered, Backup Passwords Much Easier to Break

  • Blackbag has released BlackLight 2016 R2.1 and Mobilyze 2016 R1.1 to add support for iOS 10 and the Windows 10 Anniversary update, as well as other minor improvements.
    BlackLight & Mobilyze Support iOS 10 & Windows 10 AE Memory

  • GetData’s Forensic Explorer was updated to a new version with minor GUI updates and bug fixes.
    Download Forensic Explorer

  • Compelson’s MOBILedit Forensic Express was updated last week adding a variety of new features, data analysis improvements and bug fixes.
    Forensic Express 3.5.2 released



  • The Forensic Lunch has returned! This week Dave and Matthew covered a tonne of valuable topics.
    Firstly they had Dr Bradley Schatz on to talk about his Evimetry product. Bradley gave a quick background of AFF4 format and then provided an overview of the tool. Using Evimetry you can image devices locally, remotely or in the cloud. I’ve linked to the AFF4/Evimetry presentation a couple of times but if you want to see the tool in motion check this out. A few tidbits that weren’t in the previous presentations – if you are remotely accessing a drive, when you access the files they are copied into the storage container. This has the benefit of logging what you’ve done and building the image as you go along. The other thing is that the tool isn’t really supported widely yet, but there is a way to convert the AFF4 file to EWF quickly or mount it as a virtual RAW.
    Next, Scott Wahlstrom of KPMG showed off the variety of GoKits that they have put together to deploy on engagements. Scott explains that sometimes the data has to be processed onsite, and therefore a field kit has to be shipped across. These kits ranged from Dell workstations transported in pelican cases to mobile racks.
    Lastly, and I’ll preface this by saying I’m going to have to rewatch this a few times and then do a bunch of testing before a Win10 examination, David and Matthew covered some of the changes they’ve identified in Windows 10 surrounding file creation/modification/movement artefacts. In Win10, when a user creates or renames a file, a LNK file and RecentDocs entry is created. Shellbags have stayed the same for folders on the Desktop, but if a folder is created outside the Desktop, an entry is created. When a folder is renamed, the previous name is logged into shellbags but the new name isn’t. Another interesting discovery is that the “File Explorer” jumplist is updated when files are created. Considering a jumplist can have up to 2048 objects before rolling over, this will be invaluable. Copying and pasting operations are also stored in the jumplist, although I’m not sure if this was just for directories or files as well. Long story short, Win10 looks great for adding data points for user activity.
    Forensic Lunch 9/23/16 – Evimetry, Forensic GoKits and Windows 10 Forensics 
  • Forensic Focus uploaded a recording of the webinar “Discover Mobile Forensics Best Practices And Advanced Decoding With UFED Physical Analyzer” by Dan Embury, CAIS Technical Director, at Cellebrite. The transcript of the recording can be found here.
    Discover Mobile Forensics Best Practices and Advanced Decoding with UFED Physical Analyzer

  • Didier Stevens uploaded three videos this week
    • The first shows how to examine a Microsoft Publisher file containing a malicious macro, using his tools. He first opens the macro using oledump.py, then greps for the “chr” function. Combining this with his translate and numbers-to-string scripts he is able to obtain the command line string which the maldoc executes. He also posted about it here.
      Maldoc VBA: .pub File
    • Next, he shows a dynamic analysis of a malware sample using FakeNet-NG, which emulates a number of different servers so that the malware thinks it’s connected to the Internet.
      Malware: FakeNet-NG
    • Lastly, he shares a simple dynamic analysis of the previous malware sample using Process Explorer and Procmon
      Malware: Process Explorer & Procmon
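The “grep for chr, then turn the numbers back into a string” step from the first video, as an added example that is not Didier’s code and does not use his scripts: a small Python routine that finds every line of a VBA macro calling Chr() and rebuilds the string that the Chr()/literal concatenation on that line evaluates to. The macro fragment is constructed for the example, not taken from any real document.

```python
import re

# Constructed VBA fragment in the style of the obfuscated macros described in
# the post (not from a real sample): a command line is assembled from Chr()
# calls and short string literals joined with "&".
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim a As String, b As String
    a = Chr(99) & Chr(109) & Chr(100) & " /c " & Chr$(101) & Chr(99) & Chr(104) & Chr(111)
    b = " hello"
    Debug.Print a & b
End Sub
'''

# Matches either a Chr()/Chr$() call with a decimal argument or a VBA string
# literal (inside a literal, a doubled quote is an escaped quote).
TOKEN_RE = re.compile(r'Chr\$?\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"', re.IGNORECASE)


def decode_concat(expr):
    """Rebuild the string that a Chr()/literal concatenation evaluates to.

    Only the tokens on the line are joined; variables are not resolved,
    which is the same per-line view grep gives you.
    """
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            parts.append(chr(int(m.group(1))))
        else:
            parts.append(m.group(2).replace('""', '"'))
    return ''.join(parts)


def extract_chr_strings(vba_source):
    """The 'grep for chr' step followed by numbers-to-string: return a
    {line_number: decoded_string} mapping for every line that calls Chr."""
    found = {}
    for n, line in enumerate(vba_source.splitlines(), 1):
        if re.search(r'\bChr\$?\(', line, re.IGNORECASE):
            found[n] = decode_concat(line)
    return found


if __name__ == '__main__':
    for n, s in extract_chr_strings(SAMPLE_VBA).items():
        print(f'line {n}: {s!r}')
```

Because the decoder works one line at a time it will not follow strings built up across several statements or through variables; for those, Didier’s translate.py with a custom expression, or stepping through the macro in a sandbox, is the better tool.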

  • This week’s episode of the Digital Forensics Survival podcast covers the Home folder on OS X. Michael examined OS X version 10.10 (the current version is 10.12); however, he explains that this version is still seen in the wild, and that a number of the points raised still apply across the various versions of the OS. Michael lists the various folders and provides a brief description as well as some forensic tidbits. For example, the DS_Store file in the Trash folder will contain where the file was originally prior to deletion. DS_Store is similar to the Windows shellbag artefact, and is created by accessing a folder.
    DFSP # 031 – Mac User Home Folder 
  • Guidance Software has announced a webinar with Dmitry Sumin from Passware on 5th October at 11:00 AM Pacific Daylight Time (6:00 pm UTC). Dmitry will talk about the “pitfalls that can slow down your protected-file investigation strategy”, “best practices for investigating protected files” and “the options available from Guidance Software”.
    Developing Your Protected-File Investigation Strategy


  • Int’l Man of Leisure at 4n6tacoHut continued last week’s post on mounting and imaging LVM2 volumes. This post shows how to unmount the newly created DD image of the combined LVM2 volumes, as well as (forcibly) the components it was made up of.
    Part 2 – Mounting and imaging Logical Volume Manager (LVM2)

  • Harlan Carvey posted twice this week
  • Mari DeGrazia posted a speed test between FTK Imager and the native DD command for live imaging Macs, along with the commands required to obtain a DD image (with MD5 hashing). Unfortunately, to run the live imaging tools you’ll need the user’s password, which may be difficult at times to obtain.
    Mac Live Imaging: Functionality Versus Speed

  • Samuel Alonso at Cyber-IR linked to a number of interesting presentations and posts surrounding lateral movement, as well as a post by Shusei Tomonaga at the JPCERT/CC blog regarding the most abused Windows commands.
  • Adam at Hexacorn has another post in the Beyond Good Ol’ Run key series, this time surrounding that annoying balloon in Windows XP asking if you want to take a tour. The results of clicking this notification are stored within a registry key, which can be linked to an executable. Microsoft has kept this “feature” in Windows 10.
    Beyond good ol’ Run key, Part 46

  • Reminiscent of Adam’s series, Matthew Demaske at Adapt Forward worked with Casey Smith to show how netsh can be used to launch a malicious DLL. This DLL is stored in the HKLM\Software\Microsoft\NetSH registry key and stands out pretty clearly; it’s the only one with a path (although I think if you store it in system32 it wouldn’t need one). It would be fairly easy to write a regripper plugin that alerts an examiner if there’s a “\” in there. Matthew also provides a list of general tips/methods to stop or detect this attack:
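The “alert if there’s a backslash in there” check, as an added example that is not Matthew’s or Casey’s code and not a RegRipper plugin: a Python routine that reads a .reg-style export of the NetSh key from an offline hive and flags any helper value whose data is not a bare DLL file name. The export below is constructed for the example; the first two entries imitate built-in helpers, the third is a made-up path-style entry of the kind the post describes.

```python
import re

# Constructed .reg-style export of the NetSh helper key (not a real export).
# Built-in helpers are registered as bare DLL names loaded from System32;
# the "helper" entry is a made-up example of a full path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"ifmon"="ifmon.dll"
"rasmontr"="rasmontr.dll"
"helper"="C:\\Users\\Public\\helper.dll"
'''

# "name"="data" lines; .reg exports escape backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_netsh_values(reg_text):
    """Return (value_name, data) pairs found under the NetSh key."""
    in_key = False
    values = []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            # Only the NetSh key itself is of interest; ignore any other keys
            # that happen to be in the same export.
            in_key = line.lower().endswith(r'\microsoft\netsh]')
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values.append((unescape_reg(m.group(1)), unescape_reg(m.group(2))))
    return values


def suspicious_helpers(reg_text):
    """Flag helper entries whose data contains a path separator or is not a
    .dll file name; these are the entries the post says stand out."""
    hits = []
    for name, data in parse_netsh_values(reg_text):
        if '\\' in data or '/' in data or not data.lower().endswith('.dll'):
            hits.append((name, data))
    return hits


if __name__ == '__main__':
    for name, data in suspicious_helpers(SAMPLE_REG):
        print(f'ALERT: netsh helper {name!r} -> {data!r}')
```

As the post itself notes, a DLL dropped into system32 would not need a path, so a clean result from this check is not proof that every helper is legitimate; the bare names still want to be matched against the DLLs actually present on disk and their signatures.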

  • Heather Mahalik explains that Cellebrite and Elcomsoft have updated their tools to deal with the iTunes backup issue she posted about last week. From the next version of UFED PA you should be able to enter a valid password, and obtain a logical extraction of a phone or examine a backup. As a side note, when asked if you would like to add a password to an Advanced Logical extraction you should, as this will give you access to the keychain. Heather also reaffirms that the location data provided does not just indicate where the phone was, it may also indicate where the recipient was.
    Update: Solutions For iOS10 – Encrypted Backup Files, Cracking Passwords And Data Acquisition

  • Journal of Digital Investigation Volume 18 was published and included a special issue on Cloud Forensics. This edition contained the following articles:
    • Focused digital evidence analysis and forensic distinguishers
    • Cloud forensics: State-of-the-art and future directions
    • Cloud forensics–Tool development studies & future outlook
    • A RAM triage methodology for Hadoop HDFS forensics
    • Integrity verification of the ordered data structures in manipulated video content
    • Digital video tampering detection: An overview of passive techniques
    • A survey of mutual legal assistance involving digital evidence
    • Detecting predatory conversations in social media by deep Convolutional Neural Networks
    • iCOP: Live forensics to reveal previously unknown criminal media on P2P networks
    • A suspect-oriented intelligent and automated computer forensic analysis
      Journal of Digital Investigation Volume 18

  • Basil Alawi S.Taher posted two diaries on ISC Handler Diaries
  • Gordon Fraser published a white paper for the GIAC (GCIA) Gold Certification that showed that it is possible to setup a home lab that is specifically “architected to collect the artifacts using open source tools and validated the implementation of the architecture through a test scenario”. This, in turn, was used “to see if, by using the network artifacts collected by the proposed architecture, an analyst could reconstruct the actions taken by the tester” and was successful.
    Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response 
  • John Lambert from Microsoft Threat Intelligence Center shared an online document he has compiled with “post-compromise activity seen in RDP brute force sessions in Azure”. The document has the commands run, as well as some commentary about what they’re achieving.
    Check Out @JohnLaTwC’s Tweet

  • Weare4n6 shared a couple of articles of interest
    • They shared Alan Orlikoski’s Cold Disk Quick Response (CDQR) which is a tool that uses a plaso backend to quickly parse some forensic artefacts out of disk images and mounted drives. I’m a big fan of Corey Harrell’s auto_rip, so I’ll be adding this to my list of tools to check out.
      Alan Orlikoski’s Forensic Artifact Parsing Tool
    • They also wrote a post about the error patterns of images with known modifications. Getting an idea of what these look like will allow an examiner to identify when something is out of place in a modified image.
      Blurring Detection Using ELA


  • Manuel Caballero at Broken Browser shares a post explaining that malware authors are adding code to “detect installed applications straight from within the browser and serve the bad bits only to unsavvy users”. The initial vulnerability was patched last week, however, Manuel has come up with a bypass, which he explains in the post (but went over my head!).
    Detecting analysts before installing the malware

  • Brad Duncan shared some analysis of Locky malspam on the ISC Handler Diaries. Brad noticed that the malware was executed using JS and WSF downloaders, and that JS-downloaded files “generated post-infection callback traffic”, which was not seen in WSF-downloaded files.
    Those never-ending waves of Locky malspam

  • Cysinfo shared a variety of presentations covering exploitation, malware analysis and reverse engineering from their 8th Quarterly Meetup, which took place 17th September 2016.

  • Monnappa K A from Cysinfo also wrote a couple of articles
    • The first article “looks at different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis” and shares a volatility plugin, Hollowfind, that the author has published on his GitHub. The post begins by explaining what process hollowing is, and how an analyst can detect it in memory.
    • The second article covers the Psinfo Volatility plugin, which “collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Environment Block) and displays the collected information and suspicious memory regions for all the processes running on the system”.

  • The guys over at ProofPoint posted a couple of articles
    • The first explains a few of the changes that they have identified in macros used by an actor they’ve previously come across. These changes were made to evade analysis in a sandbox. The authors also examine the macros used in the malicious document.
      Ursnif Banking Trojan Campaign Ups The Ante With New Sandbox Evasion Technique
    • The second was some information about a new strain of ransomware they’ve dubbed MarsJoke that appears to be targeting schools and governments. The ransomware is distributed via emails that purport to relate to package delivery/tracking information.
      MarsJoke Ransomware Mimics CTB-Locker

  • Chris Gerritz at Infocyte shared a fun story about following an alert down the rabbit hole and identifying a potential attack, which may or may not be attributable to APT3.
    Chasing APTs: How a Hunt Evolves

  • Ankit Anubhav and Dileep Kumar Jallepalli at FireEye provide an overview of the Hancitor malware. When the malware is executed it “drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable, which perform data theft and connect to a command and control (C2) server”. They observed a few different approaches by the malicious document to deliver the malware.

  • Anton Cherepanov at WeLiveSecurity shares an analysis of malware that focuses specifically on Libya. The malicious actors would compromise social media profiles and send emails linking to the malware, however, the code is written in .NET and is not obfuscated. This is quite useful as the malware sends data back to specific hard coded email addresses using SMTP, or uploaded via HTTP to a C&C.
    Book of Eli: African targeted attacks

  • Anton Kivva at SecureList has written a short article about a malicious Android trojan, Tordow, which is being injected into a variety of commonly used apps, that are downloaded from locations other than the official Google Play store. The malware obtains full root privileges and can then be used to steal the victim’s identity.
    The banker that can steal anything

  • Pieter Arntz at MalwareBytes Labs explains what the hosts file is and how it can be altered by malware to redirect users to sites the attacker wants them to visit, rather than the ones they intended to go to.
    Hosts file hijacks
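A simple triage check for the hijack described above, as an added example that is not Pieter’s code: a Python routine that parses a hosts file and separates entries that merely sinkhole a name to this machine (the usual ad-blocking pattern) from entries that send a name to some other host, which is the redirection the post warns about. The hosts file below is constructed for the example; the 192.0.2.10 entry is a made-up hijack, and the domain names are placeholders.

```python
import ipaddress

# Constructed hosts file (not from a real system): the default local entries,
# an ad-blocking style entry, and a made-up redirection of a bank-looking
# name to a non-local address.
SAMPLE_HOSTS = '''# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
192.0.2.10      www.bank.example   bank.example  # constructed hijack entry
'''

# Names that legitimately map to the local machine.
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost',
               'ip6-localhost', 'ip6-loopback'}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and blank lines.
    A line listing several names yields one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not an address in the first column
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def classify(ip, host):
    """'local' for expected loopback names, 'blocked' for names sinkholed to
    this machine, 'redirected' for names sent to another host entirely."""
    if host in LOCAL_NAMES:
        return 'local'
    if ip.is_loopback or ip.is_unspecified:
        return 'blocked'
    return 'redirected'


def find_redirects(text):
    """The entries worth an examiner's attention first: names that now
    resolve to a host other than this machine."""
    return [(str(ip), host) for ip, host in parse_hosts(text)
            if classify(ip, host) == 'redirected']


if __name__ == '__main__':
    for ip, host in find_redirects(SAMPLE_HOSTS):
        print(f'REDIRECT: {host} -> {ip}')
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on OS X and Linux at /etc/hosts. A redirected entry is not automatically malicious (corporate overrides for internal names are common), so the output is a list to review rather than a verdict; the “blocked” class is also worth a glance, since the same mechanism can be used to stop security software from reaching its update servers.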


  • David Cowen shared an easy 7 step process for setting up a virtual lab using ESXi on an Intel SkullCanyon NUC, showcased on a previous Forensic Lunch.
    Building your own travel sized virtual lab with ESXi and the Intel SkullCanyon NUC

  • Christa M. Miller posted a list of her top 10 DFIR blogs, on Forensic Focus. I was very grateful to make the list, and I definitely saw a spike in traffic because of it. Thanks, Christa!
    10 DFIR Blogs You Don’t Want to Miss

  • Christa also posted on her personal blog about the comparisons between coding and writing. She explains that there are a lot of similarities: people think it takes skill to produce content or code, that they do not possess the skills, and that they have nothing new to say. The general consensus from a number of writers and coders is that everyone was new once, and with practice, you will improve. Looking back at the first few posts on my blog, I can definitely see improvement in formatting and clarity at the very least. Not to mention, even if your code isn’t perfect, if it handles a use case that no one else has you can always ask for some assistance.
    Even if you’re not new to the field, I find that writing my thoughts out coherently gets them out of my head so that I can think them through better. Harlan has mentioned a number of times, the stuff that you see on a daily basis, someone else might never see, or might not even notice they’re missing. Documenting and sharing this information, even if it’s not going to win any awards is still worth it.

    Coding and writing: two sides of a creative coin

  • Daniel White at All things time related has shared the link to the Plaso User Survey, which has so far found that users are commonly using air gapped Ubuntu to examine Windows-based machines outputting to L2TCSV rather than the default output.
    Plaso User Survey 2016

  • Jason Ehlers at Champlain College shares his thoughts on Enfuse 2016.
    Enfuse 2016 Highlight- Jason Ehlers

  • Adam at Hexacorn shares “a bunch of ideas that EDR vendors should look into to protect themselves against being shut down”.
    rEDRoviruses – Whether you’re a AV or whether you’re a EDR, You’re stayin’ alive, stayin’ alive…

  • Forensic Focus has an interview with Paul Slater, the Executive Director for EMEA at Nuix, covering UK post-Brexit data protection regulation and how UK companies can prepare themselves for the eventual changes.
    Interview With Paul Slater, Executive Director for EMEA, Nuix

  • DFIR Guy at DFIR.Training has added an OnDemand course list to his site and explained what a course does and doesn’t have to include to make the cut; paid and reputable, pretty much.
    On-Demand Course List

  • The winners of the IDA plugin contest were announced, and a write-up of the 8 submissions included in the post. Congratulations to the winners!
    Plug-In Contest 2016

  • Speaking of contests, Guidance Software has announced a contest to win a $100 Amazon gift card. To enter you need to send them your favourite tip, trick, or shortcut in Encase8 by October 21st.

Phew, long one this week. If you got to the end of it click here!

And that’s all for Week 38! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
