I would like to mention that my site is not a replacement for reading the actual material. I just write a brief summary of the article (or just mention it) and use the site search when I need to jog my memory.
Anyone that would like me to stop covering their blog, or would like to discuss what I’ve written (maybe I missed a key point or misinterpreted something), shoot me an email!
SOFTWARE UPDATES
- Belkasoft has released Belkasoft Evidence Center 2017 (v8.0) with a host of new updates, as well as a new free imaging tool called BelkaImager.
Belkasoft Releases Evidence Center 2017 And New Free Acquisition Tool
- Cellebrite updated UFED Physical Analyser during the week but hasn’t uploaded the release notes here yet. The release fixes an issue with the “Advanced logical extraction process when the iTunes versions below 12.5.5 are not installed on the computer”, as well as a decoding issue with the Vkontakte app for Android.
- MOBILedit Forensic Express 3.5.3 has been released, adding support for the iPhone 7 and improved iTunes backup password cracking (taking advantage of the weakened password verification in backups created by iOS 10, which lets brute-force attacks run far faster than against iOS 9 backups)
Utilize critical iOS 10 vulnerability to break 30% of iPhones in 1 sec
- Microsystemation released a micro release for XRY v7.1, as well as Kiosk/Tablet v7.1. “The new XRY v7.1 micro release includes support for 55 new app versions as well as Apple’s latest release, iPhone 7”. The updates to the kiosk/tablet include updated Default Settings, hiding export functions in Kiosk Viewer, as well as the addition of Kiosk Windows Support
XRY v7.1 Micro Release & Kiosk/Tablet v7.1 Released Today
- Paraben updated Device Seizure to version 7.6 adding a new Android Samsung Bootloader Physical plug-in, support for iOS 10 and Android Marshmallow as well as additional bug fixes and improvements.
Paraben’s DS 7.6
- Darryl at Kahu Security has updated Converter (v0.14), Registry Dumper (v0.2), Text Decoder Toolkit (v0.2) and URL Revealer (v0.2).
Tools Update
- Passware has released Passware Kit 2016 v4 adding support for iOS 10, macOS Sierra and VeraCrypt, introduces a substitution attack modifier, and is now twice as fast on NVIDIA GTX 1080 graphics cards.
New In Passware Kit 2016 v4
- GetData’s Forensic Explorer was updated to version v3.6.8.5740 with some minor bug fixes and improvements.
Download Forensic Explorer
- X-Ways Forensics 19.0 Beta 4 was released improving multithreading support, and adding the “Ability to parse Ext* file systems with a block size that is smaller than the sector size of the surrounding physical image” among other minor improvements.
X-Ways Forensics 19.0 Beta 4
SOFTWARE/PRODUCT RELEASES
- WeAre4n6 shared a couple of posts about some new books that are available for preorder
- The first is called ‘Learning iOS Forensics’ by Mattia Epifani and Pasquale Stirparo.
Learning iOS Forensics – Second Edition
- The second is ‘Contemporary Digital Forensic Investigations of Cloud and Mobile Applications’ by Kim-Kwang Raymond Choo and Ali Dehghantanha.
Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
- Didier Stevens has released two new Python scripts this week
- The first is a beta of a script called decoder-search.py, which “does brute-forcing and searching of a file like XORSearch, but instead of simple operations like XOR, ROL, …, it can handle more complex translations”
decoder-search.py Beta
- The second, radare2-listing.py, adds information to Radare2 disassembly listings.
Quickpost: Enhancing Radare2 Disassembly Listing
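For readers who haven’t used XORSearch-style tools, here is an added example (written for this digest, not Didier Stevens’ decoder-search.py or XORSearch) of the core idea: apply every candidate single-byte transform (XOR key, ADD key, ROL shift) to a blob and report which one exposes a string you expect to find, such as the DOS stub text of an embedded PE. The sample inputs are constructed inline; the transform set is a deliberately small subset of what decoder-search.py handles.

```python
"""Brute-force XOR / ADD / ROL search for a known plaintext in an encoded blob.

Added example for this digest, not decoder-search.py or XORSearch. The
constructed samples below hide the classic DOS-stub string behind two
different single-byte encodings.
"""
from typing import List, Tuple

Hit = Tuple[str, int, int]  # (transform, key, offset of needle in decoded data)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; its own inverse, so the same key encodes and decodes."""
    return bytes(b ^ key for b in data)


def add_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise addition mod 256 (decodes data that was encoded with SUB key)."""
    return bytes((b + key) & 0xFF for b in data)


def rol_bytes(data: bytes, shift: int) -> bytes:
    """Rotate every byte left by `shift` bits (decodes ROR shift / ROL 8-shift)."""
    shift &= 7
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)


def search(data: bytes, needle: bytes) -> List[Hit]:
    """Try every XOR key, ADD key and ROL shift; return those that reveal `needle`."""
    hits: List[Hit] = []
    for key in range(1, 256):           # key 0 would be the identity transform
        off = xor_bytes(data, key).find(needle)
        if off != -1:
            hits.append(("xor", key, off))
    for key in range(1, 256):
        off = add_bytes(data, key).find(needle)
        if off != -1:
            hits.append(("add", key, off))
    for shift in range(1, 8):
        off = rol_bytes(data, shift).find(needle)
        if off != -1:
            hits.append(("rol", shift, off))
    return hits


def decode(data: bytes, hit: Hit) -> bytes:
    """Re-apply the transform reported by search() to recover the whole plaintext."""
    transform, key, _ = hit
    return {"xor": xor_bytes, "add": add_bytes, "rol": rol_bytes}[transform](data, key)


# Constructed samples: the DOS-stub string, padded and encoded two ways.
PLAINTEXT = b"This program cannot be run in DOS mode."
SAMPLE_XOR = bytes(8) + xor_bytes(PLAINTEXT, 0x5A) + bytes(4)   # XOR 0x5A, offset 8
SAMPLE_ROL = rol_bytes(PLAINTEXT, 3)                             # ROL 3, offset 0


if __name__ == "__main__":
    for sample in (SAMPLE_XOR, SAMPLE_ROL):
        for hit in search(sample, b"This program"):
            print(hit, decode(sample, hit))
```

Searching for a short, common string keeps false positives low because all twelve needle bytes must line up under one key; for real samples, run the search for several strings (PE stub text, `http://`, `MZ`) and compare the keys they agree on.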
- Nir Sofer at Nirsoft has released CredentialsFileView, “a new utility for Windows that decrypts and displays the passwords and other data stored inside Credentials files of Windows”.
New utility that decrypts the Credentials files of Windows
- Amped Software have released DVRConv, a tool designed to “easily and quickly convert unplayable/proprietary video files from surveillance cameras and digital video recorders”.
Amped DVRConv is finally here!
- David Pany has released a Python script that acts as a wrapper for RegRipper “for simplified bulk parsing of registry hives”.
Check Out @DavidPany’s Tweet
- Tyler H (@0xtyh) released a “volatility plugin to find known bad in processes or memory”
FindEvil
PRESENTATIONS/PODCASTS
- AccessData has announced a three-part webinar series on Privacy & Security in the Age of Global Investigations.
The first, on 4th October, covers “Data Security and Data Protection in the EU: What You Need to Know”. “Challenges Mobile Devices Pose in Global Investigations: What are “Reasonable Measures?”” will be run on 11th October, and lastly “Key EU Privacy and Data Confidentiality Requirements: The State of the Art” will be on 1st November. All webinars will be held at 9:00AM ET / 2:00PM UK / 3:00PM CEST
Privacy & Security in the Age of Global Investigations
- Tayfun Uzun at Magnet Forensics will host a webinar talking about “the latest trends in chat and social apps and discuss how to analyze and interpret data from these apps using Magnet AXIOM”. The webinar will take place Thursday, October 20, 2016 – 10:00AM Eastern Standard Time (2:00PM UTC)
User Webinar: Using Custom Artifacts and Dynamic App Finder to Investigate Mobile Chat Apps
- Adrian Crenshaw uploaded a number of videos from Derbycon 2016 to his YouTube channel. Here are quite a few that I thought looked interesting
- 120 Hardening AWS Environments and Automating Incident Response for AWS Compromises Andrew Krug Alex
- 539 PacketKO Data Exfiltration Via Port Knocking Matthew Lichtenberger
- 118 Attacking ADFS Endpoints with PowerShell Karl Fosaaen
- 216 Yara Rule QA Cant I Write Code to do This for Me Andrew Plunkett
- 410 Garbage in garbage out generating useful log data in complex environments Ellen Hartstack and Ma
- 314 DNS in Enterprise IR Collection Analysis and Response Philip Martin
- 310 Anti Forensics AF int0x80 of Dual Core
- 208 Living Off the Land 2 A Minimalists Guide to Windows Defense Matt Graeber
- 315 Reverse engineering all the malware and why you should stop Brandon Young
- 540 Ransomware An overview Jamie Murdock
- 109 Defeating The Latest Advances in Script Obfuscation Mark Mager
- 307 From Commodity to Advanced APT malware are automated malware analysis sandboxes as useful as you
- 517 Malicious Office Doc Analysis for EVERYONE Doug Burns
- 312 Using Binary Ninja for Modern Malware Analysis Dr Jared DeMott Mr Josh Stroschein
- 213 Python 3 Its Time Charles L Yost
- 523 Overcoming Imposter Syndrome even if youre totally faking it Jesika McEvoy
- 520 Finding Your Balance Joey Maresca
- 521 Hashcat State of the Union EvilMog
- 319 Hashview a new tool aimed to improve your password cracking endeavors Casey Cammilleri Hans Lakh
- 121 Invoke Obfuscation PowerShell obFUsk8tion Techniques How To Try To DeTect Them Daniel Bohannon
- 119 Introducing PowerShell into your Arsenal with PSAttack Jared Haight
- 106 PowerShell Secrets and Tactics Ben0xA
- 211 Introducing DeepBlueCLI a PowerShell module for hunt teaming via Windows event logs Eric Conrad
- Cellebrite shared a short video highlighting a few features of the UFED Analytics Desktop program
UFED Analytics Desktop
- Didier Stevens uploaded two videos to his YouTube channel. Anyone that’s getting into malicious document analysis should watch all of these videos. I don’t really need to do it very often (read: at all) but it’s a great resource to have available.
- The first shows how Didier would examine a specific malicious document to showcase the use of a special spreadsheet he created called decoder.xls. decoder.xls runs a decoding function over hex data stored in the cells of the spreadsheet. To do this, Didier extracts the relevant encoded data from the malicious document along with the decoder function, and then executes the function in decoder.xls. It’s important to examine the function for API calls or object creation before running it so it doesn’t infect your computer. After executing the function, two new sheets are created (ASCII and Unicode) containing the shellcode he’s looking for. Lastly, he confirms that the extracted data is shellcode using radare2.
Maldoc VBA: decoder.xls
- The second examines the shellcode extracted in the previous video using 010 Editor and extracts the embedded PE file.
Maldoc VBA: Shellcode
- Episode 384 of the CyberJungle was released this week from HTCIA 2016, bringing us an interview with Dr Fred Cohen on new approaches to infosec, and one with Dr Brian Carrier. Brian Carrier gave a brief overview of Autopsy’s new collaboration features, as well as the plugin architecture and OSDFCon.
September 29 2016, Episode 384, Show Notes
- Lee Reiber from Oxygen Forensics recently hosted a webinar on Forensic Focus, and it has now been uploaded with a transcript. The webinar is titled “Deep Diving for Forensic Gold – Applications and Deleted Data”.
Webinars – 2016 Deep Diving for Forensic Gold – Applications and Deleted Data
- This week’s episode of the Digital Forensics Survival podcast covers file formats commonly seen on OS X (plist and SQLite), the various folders named Library and lists the locations of the different Keychain files and what they can contain.
DFSP # 032 – Mac Formats, Libraries & Keychains
FORENSIC ANALYSIS
- Christian at CYINT Analysis has a write-up of the recently published TekDefense PCAP challenge.
TekDefense PCAP Challenge Write-Up
- Serge Petrov at WeAre4n6 continues his series on picture forensics by talking a bit more about Error Level Analysis and shows how it can be used to detect images that have been modified with fragments containing a different error level.
Error Level Analysis
- Not strictly Forensics but good to know anyways; Daniel Miessler has done some investigation into macOS Sierra’s iCloud Drive, and accessing the files through the command line. Files in the iCloud Drive are stored under ~/Library/Mobile Documents.
Accessing iCloud Drive via Terminal.app
- The folks at Senrio have a fairly lengthy post on the history of JTAG, what it is and isn’t, and how to go about decoding the information. The authors then show how to use JTAG to root the firmware of a router.
JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care
- Patrick Olsen at Sysforensics identified that VMware Fusion “uses a pre-formatted HFS+ volume”, aptly named preformattedHFSVolume.vmdk, when building a new Mac VM. As a result, they will all share the same volume header creation timestamp of 0xC4D48244 (the HFS+ 32-bit big-endian value for 2008-08-22 14:48:36 UTC), so that value identifies a Fusion-templated volume rather than telling you when the VM was built.
Mac DFIR – HFS+ VMware Fusion Volume Header Timestamp
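To check this yourself, here is an added example (written for this digest, not code from Patrick Olsen’s post) that parses the first 52 bytes of an HFS+ volume header from a raw image and converts its dates. HFS+ dates are unsigned 32-bit seconds since 1904-01-01, big-endian, and the header sits 1024 bytes into the volume (Apple TN1150). One caveat worth knowing: TN1150 states that createDate, unlike the other header dates, is written in the creating machine’s local time, so the “UTC” label on that field is nominal. The sample image is constructed inline with the createDate value from the post; the other field values are arbitrary assumptions.

```python
"""Parse an HFS+ volume header and convert its timestamps.

Added example for this digest, not code from the post. Layout follows the
HFSPlusVolumeHeader structure in Apple TN1150. The sample image is
constructed below; only its createDate comes from the post.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
VOLUME_HEADER_OFFSET = 1024
FUSION_TEMPLATE_CREATE_DATE = 0xC4D48244   # value reported in the post

# First 52 bytes of HFSPlusVolumeHeader, all big-endian.
HEADER_FMT = ">2sHI4s" + "I" * 10
HEADER_FIELDS = (
    "signature", "version", "attributes", "lastMountedVersion",
    "journalInfoBlock", "createDate", "modifyDate", "backupDate",
    "checkedDate", "fileCount", "folderCount", "blockSize",
    "totalBlocks", "freeBlocks",
)


def hfsplus_time(value: int) -> datetime:
    """Seconds since 1904-01-01 -> datetime. createDate is recorded in the
    creating machine's local time (TN1150); the other dates are GMT."""
    return HFSPLUS_EPOCH + timedelta(seconds=value)


def parse_volume_header(image: bytes) -> Dict[str, Any]:
    """Read the header at offset 1024 and attach decoded datetimes."""
    size = struct.calcsize(HEADER_FMT)
    raw = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + size]
    if len(raw) < size:
        raise ValueError("image too small to hold a volume header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, raw)))
    if hdr["signature"] not in (b"H+", b"HX"):      # HFS+ or case-sensitive HFSX
        raise ValueError("not an HFS+/HFSX volume header: %r" % hdr["signature"])
    for name in ("createDate", "modifyDate", "backupDate", "checkedDate"):
        hdr[name + "_dt"] = hfsplus_time(hdr[name]) if hdr[name] else None  # 0 = unset
    return hdr


def is_fusion_template(hdr: Dict[str, Any]) -> bool:
    """True when createDate matches the preformattedHFSVolume.vmdk value."""
    return hdr["createDate"] == FUSION_TEMPLATE_CREATE_DATE


def build_sample_image(create_date: int, modify_date: int) -> bytes:
    """Constructed test image: 1024 reserved bytes, then one header sector."""
    header = struct.pack(
        HEADER_FMT, b"H+", 4, 0x80002100, b"HFSJ", 0,
        create_date, modify_date, 0, modify_date,        # backupDate unset
        1234, 56, 4096, 2621440, 2000000,                # assumed counts
    )
    return bytes(VOLUME_HEADER_OFFSET) + header + bytes(512 - len(header))


SAMPLE_IMAGE = build_sample_image(FUSION_TEMPLATE_CREATE_DATE, 0xD4000000)

if __name__ == "__main__":
    hdr = parse_volume_header(SAMPLE_IMAGE)
    print("createDate 0x%08X -> %s" % (hdr["createDate"], hdr["createDate_dt"]))
    print("Fusion template volume:", is_fusion_template(hdr))
```

On a real acquisition, pass the bytes of the HFS+ partition (not the whole disk) so that offset 1024 lands on the volume header; a `0xC4D48244` createDate then tells you the volume came from Fusion’s template, and you should look to the file system’s own timestamps rather than the header for when the VM was set up.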
- Arsenal Consulting have made some updates to their case study on the work they did in the Odatv case in Turkey. I’m not exactly sure what’s been added since their previous updates, but it’s worth a look. Also for those that haven’t looked at Mark Spencer’s work on Anchor Relative Time, this may be an interesting article.
Odatv: A Case Study in Digital Forensics and Sophisticated Evidence Tampering
MALWARE
- Adam at Hexacorn has a couple of posts this week
- The first post documents how to obtain decompiled Lua scripts from the Flame malware.
Old Flame Never Dies (a.k.a. decompiling LUA)
- Secondly, he shared a method of process execution that, from the sounds of things, most probably won’t be seen too often, if at all. The DLL must be placed in the system32 directory, be signed, be compiled with the /INTEGRITYCHECK option, and the attacker must “change the owner to modify the access rights and grant the permissions to add/modify the keys”.
Beyond good ol’ Run key, Part 47
- Chad Loeven at VMRay has started a series covering sandbox evasion techniques commonly used by today’s malware. The first post explains the three categories of approaches malware authors are using to evade sandbox detection.
- “Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection)
- Exploiting Sandbox Gaps: Exploiting weaknesses or gaps in sandbox technology or in the ecosystem
- Context-Aware Malware: Using time/event/environment-based triggers (that are not activated during sandbox analysis)”
Sandbox Evasion Techniques – Part 1
- Kafeine at Malware Don’t Need Coffee shares a small data drop about a fork of the Pony trojan, called Fox stealer.
Fox stealer: another Pony Fork
- The author at Malwaretech has a quick write-up of an instance of Dridex that has found its way to the UK. The malicious RTF file was encrypted with a password provided by e-mail, which would prevent anti-virus from scanning it. It also includes a ping to Google’s DNS server to delay execution.
Dridex Returns to the UK With Updated TTPs
- Joie Salvio at Fortinet has a descriptive post on a new piece of ransomware called Mamba. The malware installs DiskCryptor, an open-source disk encryption tool, and then encrypts the whole disk. It even uses NirSoft’s netpass tool to recover cached network passwords so it can encrypt files on network-attached drives. Due to the time it takes to perform full-disk encryption, the author believes this is not going to become a trend.
Dissecting Mamba, the Disk-Encrypting Ransomware
- Floser Bacurio, Rommel Joven and Roland Dela Paz at Fortinet provide an overview of Locky’s development this year.
We’re Up All Night To Get Locky
- There were a few posts on the SANS ISC Diary of interest
- Didier Stevens shared a VBA P-code disassembler called pcodedmp.py, written by Dr. Bontchev
VBA and P-code
- Brad Duncan examines “another case of Afraidgate using Rig EK”.
Rig Exploit Kit from the Afraidgate Campaign
- Basil shares the Volatility commands you can use to examine the files that store memory data on Windows systems (hiberfil.sys, pagefile.sys etc.)
Back in Time Memory Forensics
- Xavier Mertens examined a malicious Word document using both static and dynamic analysis. During his analysis, he was even able to determine the attacker’s email address and the credentials to his mail server.
Another Day, Another Malicious Behaviour
- There were two posts on Malwarebytes Labs
- Thomas Reed has a write-up of the Komplex Mac malware identified by Palo Alto Networks. Thomas explains that this malware is most probably linked to a piece of malware that was discovered last year.
Komplex Mac backdoor answers old questions
- Hasherezade talks about the lesser-known tricks that social engineers use to get their malware executed. The first is the .pif extension, which “hides the real extension even if the user has disabled the feature of extension hiding on Windows”. The second is RTLO (Right-To-Left Override, U+202E), which makes the rest of the filename render reversed so the real extension ends up inside the displayed name: a file actually named mal<U+202E>txt.exe is shown as malexe.txt but runs as an .exe.
Lesser known tricks of spoofing extensions
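As an added example for this digest (not code from hasherezade’s post), the script below models both tricks: it computes what a user would see for a filename versus the extension the OS actually acts on, and flags the mismatch. The rendering is a deliberate simplification of the Unicode bidi algorithm (everything after U+202E is reversed until a U+202C or the end of the name), and the never-shown and executable extension sets are assumptions chosen for the example rather than a complete Windows list. The sample filenames are constructed.

```python
"""Spot filenames that hide their real extension via RTLO or NeverShowExt.

Added example for this digest, not code from the post. The extension sets
below are illustrative assumptions, not an exhaustive Windows list.
"""
import os
from typing import Any, Dict, List

RLO = "\u202e"                      # right-to-left override
PDF = "\u202c"                      # pop directional formatting: ends an override
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
NEVER_SHOW_EXT = {".pif", ".lnk", ".url"}           # Explorer NeverShowExt examples
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                  ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}


def strip_controls(name: str) -> str:
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension the OS acts on: last dot of the raw name, controls ignored."""
    return os.path.splitext(strip_controls(name))[1].lower()


def displayed_name(name: str) -> str:
    """Approximate what a user sees in a bidi-aware file listing."""
    shown = name
    if RLO in name:
        head, _, tail = name.partition(RLO)
        run, _, rest = tail.partition(PDF)   # override lasts until PDF or end
        shown = head + run[::-1] + rest
    shown = strip_controls(shown)
    if real_extension(name) in NEVER_SHOW_EXT:   # hidden even with extensions shown
        shown = os.path.splitext(shown)[0]
    return shown


def classify(name: str) -> Dict[str, Any]:
    """Compare displayed and real extension; return findings for triage."""
    shown = displayed_name(name)
    real_ext = real_extension(name)
    apparent_ext = os.path.splitext(shown)[1].lower()
    reasons: List[str] = []
    if any(c in BIDI_CONTROLS for c in name):
        reasons.append("bidi control character in filename")
    if real_ext in NEVER_SHOW_EXT:
        reasons.append("extension %s is never displayed by Explorer" % real_ext)
    if real_ext in EXECUTABLE_EXT and apparent_ext != real_ext:
        reasons.append("displayed as %r but executes as %s"
                       % (apparent_ext or "(none)", real_ext))
    return {"name": name, "displayed": shown, "real_ext": real_ext,
            "apparent_ext": apparent_ext, "suspicious": bool(reasons),
            "reasons": reasons}


# Constructed samples: the post's RTLO case, a .pif case, and two honest names.
SAMPLES = ["mal" + RLO + "txt.exe", "invoice.pdf.pif", "report.docx", "setup.exe"]

if __name__ == "__main__":
    for n in SAMPLES:
        r = classify(n)
        print("%-28r shown as %-16r %s"
              % (n, r["displayed"], "; ".join(r["reasons"]) or "ok"))
```

Run over the attachment names in a mail gateway log or a directory listing, this separates a genuine `setup.exe` (extension visible, nothing hidden) from names whose visible and effective extensions disagree; the presence of any bidi control character in a filename is itself worth alerting on, since there is almost no legitimate reason for one.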
- Ben Baker, Edmund Brumaghin, and Jonah Samost at Talos/Cisco have a very thorough post covering the GozNym malware, which combines features of the Gozi and Nymaim malware. The authors explain that the malware is delivered via a malicious-macro-laden Word document and employs a variety of techniques to make analysis difficult. Several scripts were also released to assist in the examination of the malware.
Threat Spotlight: GozNym
- Casey Smith demonstrates “the ability to load an arbitrary exe into csi.exe … on a PC running Windows Device Guard”. This takes advantage of misplaced trust, “we need to trust many of the binaries signed by Microsoft”.
Application Whitelisting Bypass – CSI.EXE C# Scripting
- Philippe Lagadec has written an article explaining how to use his tool, ViperMonkey, to “analyze obfuscated macros and extract hidden strings/IOCs”. Whilst the author advises that the tool is very incomplete, it looks like it works similarly to Didier Stevens’ tools.
Using VBA Emulation to Analyze Obfuscated Macros
- Ryan McCombs at CrowdStrike walks through “the methods leveraged by CrowdStrike to recover a COZY BEAR WMI backdoor”.
Bear Hunting: Tracking Down COZY BEAR Backdoors
- Anton Ivanov, Fedor Sinitsyn and Kaspersky Lab’s Global Research & Analysis Team at Securelist have a write-up of the Xpan ransomware, created from scratch by a team in Brazil. They also compare this malware with a previous version called Xorist. Interestingly the attacks are performed manually, with the preferred intrusion mechanism being RDP brute forcing. Kaspersky have also broken the encryption and are able to assist victims on request.
TeamXRat: Brazilian cybercrime meets ransomware
- Micah Yates and Tom Lancaster at Palo Alto Networks examine two similar malware families, named CONFUCIUS_A and CONFUCIUS_B, that “abuse legitimate web services … to retrieve a command and control address”, utilising “Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains”. The post also looks at the connections between the abused websites and their links to known espionage campaigns.
Confucius Says…Malware Families Get Further By Abusing Legitimate Websites
- Luis Rocha at Count Upon Security has a short write-up of the RIG Exploit Kit.
RIG Exploit Kit Analysis – Part 1
- Also on the RIG EK, Rami Kogan at the TrustWave SpiderLabs blog discusses some of the changes that they have identified recently.
RIG’s Facelift
MISCELLANEOUS
- Scar at Forensic Focus provides a fairly comprehensive overview of InSig2 LawTech 2016, to be held in Brussels on the 7th and 8th November.
InSig2 LawTech 2016 – Brussels 7th – 8th November
- The Grugq shared this tweet explaining “the EU proposed controls on exporting surveillance software now includes digital forensics tools”.
Proposal for setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast)
- K. Gus Dimitrelos at Cyber Forensics 360 provided a review of Oxygen Forensic Detective by Oxygen Forensics on the Forensic Focus blog. His review provides 10 reasons why he is switching his lab over to the Detective product. The overarching theme that I noticed in the review is that Detective has everything built in. Reading through it I recognised things like UFED’s Cloud Analyser and Link Analyser products are built into the one Detective product. I haven’t looked into how they compare cost-wise though. When I’ve used Detective in the past however I have liked some of the little things like the plist viewer, which UFED PA doesn’t have last I checked.
Reviews – 2016 Oxygen Forensic Detective From Oxygen Forensics
- Stuart Clarke at Nuix talks about the challenges of cloud-based data. I agree that the data acquisition shouldn’t be the main hurdle. Thankfully a number of vendors are getting better at downloading the data from cloud providers, which really just leaves the challenge of legal authority.
It’s In the Clouds and Out of Reach—Or Is It?
- Chris Sanders has published a shortened version of a paper he has written regarding the effects of opening move selection on investigation speed. “The goal of the present research is to determine which common data source analysts were more likely to use as their opening move, and to assess the impact of that first move on the speed of the investigation.”
The Effects Of Opening Move Selection On Investigation Speed
- Matt Edmondson at Digital Forensics Tips has written a batch file to help automate Windows enumeration for privilege escalation.
A Script to Help Automate Windows Enumeration for Privilege Escalation
- The Champlain College blog has a couple more Enfuse Highlights posts
- The first one, by Kelsey Ward, expounds the benefits of attending Enfuse; from the talks she attended to the vendor area and extracurricular activities. This post is really written from the perspective of what a student can gain from attending the conference.
Enfuse 2016 Highlight – Kelsey Ward
- The second, by Mike Albrecht, talked about Herbert Joe’s panel “From Katz to Riley (and beyond): How SCOTUS Views Evolving Technology”. The presentation covered a variety of cases and posed a series of questions that are important for forensics practitioners in the law enforcement industry to be aware of.
Enfuse 2016 Highlight – Mike Albrecht
- Jack Crook at ‘DFIR and Threat Hunting’ has published a bunch of older articles from his previous site, Handler Diaries.
- WeAre4n6 shared a free 3-hour online course by Logical Operations on “how to investigate cybersecurity incidents”.
Free Course: Investigating Cybersecurity Incidents
- Paul Sanderson has created a mobile forensics slack channel for anyone interested. To join, follow the instructions in his tweet.
Check Out @sandersonforens’s Tweet
And that’s all for Week 39! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!