Week 40 – 2016


  • ExifTool was updated version 10.29 (development release), adding new tags and updates to various options.
    ExifTool 10.29

  • DME Forensics released an update to DVR Examiner (version 1.26.0), adding “additional filesystems, as well as a few small improvements and bug fixes.”
    DVR Examiner 1.26.0

  • Elcomsoft updated their Cloud Explorer product to version 1.20.14403. Oleg Afonin has an article explaining that due to the update to the Android Compatibility Document that states that “manufacturers certifying their Android devices for Google services are now required to enforce encryption out of the box”, Cloud extractions are more important than ever. The update to ECE allows examiners to download synced call logs if the user is running a device on Android 6.0+. The tool will also extract synced Wi-Fi passwords and SSIDs.
    Elcomsoft Cloud Explorer: Extracting Call Logs and Wi-Fi Passwords

  • AChoir has been updated to version 0.75, adding the ability to copy files directly from the NTFS volume. The author has also gone to a lot of effort to describe the process in the post below.
    Implementing NTFS Raw Copy into AChoir

  • Passmark Software have released the Beta of OSForensics version 4. The beta expires on the 15th November. There are a lot of updates in this version so it would be beneficial to read through the release notes to get an idea of everything. I haven’t played with the tool yet, but it looks interesting.
    OSForensics V4 Beta release

  • MISP 2.4.52 was released and included new features, improvements and bug fixes.
    MISP 2.4.52 released including new features and major improvements

  • X-Ways Forensics 18.9 SR-9 was released with minor improvements and bug fixes.
    X-Ways Forensics 18.9 SR-9


  • Chet Hosmer has announced that his new book “Integrating Python with Leading Forensic Platforms” has been released. The book’s goal is “to provide details on how to directly integrate Python into key forensic platforms”.
    Integrating Python with Leading Forensic Platforms – Book Released

  • Joesecurity released ‘Pafish for Office’ Macro. “Pafish is a tool to check recent anti-malware analysis tricks and evasions against your favorite sandbox”. They “put all known VBA / Macro based sandbox checks and evasions into a single Microsoft Office Word document and released [it] on Github”.
    Pafish for Office Macro



  • Mari DeGrazia has published some code to extract thumbnail images from OS X’s QuickLook thumbnail.data file. This file is similar to the centralised thumbcache on Windows, however, the only other tool that I know of to do this is an enscript for Encase. As usual, Mari explains the artefact and how to perform the task manually and has then written a Python script to automate the task.
    QuickLook thumbnails.data parser

  • TekDefense has posted the winning write-up to the Network Challenge that was posted last month.
    Network Challenge – 001 – Solution

  • The Photo Investigator has made a start explaining the “Maker Apple” EXIF tag embedded in iPhone (iOS/OSX?) photos. The post explains that an examiner can determine an acceleration vector, the orientation of the phone, a timestamp as well as some additional data that was unable to be decoded.
    Coincidently, Exiftool’s latest update has “Decode a new Apple tag” in the release notes; I haven’t tested whether it can handle the “Maker Apple” tag.
    What is the “Maker Apple” Metadata in iPhone Photos?

  • Dr. Neal Krawetz at Hacker Factor provides a brief analysis of a photo uploaded to FotoForensics and then goes on to identify the photo’s potential owner, as well as the number of places that it appears online in dating profiles.
    Pretty in Pink

  • Chris Gerritz lists a variety of post-compromise detection strategies that hunters can employ to detect an adversary in their systems. Chris explains each strategy (Data-centric Hunting, Hunting on the Endpoint, Deception), their advantages and disadvantages as well as a brief conclusion regarding their effectiveness.
    Approaches to Threat Hunting

  • John Lukach at 4n6ir has written a Python script to scan a network using Nmap and identify devices.
    Know Your Network

  • SANS published the whitepaper by Dr Eric Cole on acknowledging insider threats
    Taking Action Against the Insider Threat

  • Aidan Jewell at Nuix has a short write-up of the data he was able to recover from the DJI Go iOS app, and then using Nuix to create a KML file to view the flight in Google Earth. Drone Forensics isn’t a particularly large field, so if you’re interested in learning more, check out David Kovar’s presentation from last years DFIR Summit.
    Investigating the Unfriendly Skies

  • Weare4n6 shared a variety of links and articles
    • They shared a link to “Lenas Reversing for Newbies”, a collection of 40 tutorials aimed at new reverse engineers.
      Reversing for Newbies
    • They shared a tool by Martin Korman called VolatilityBot, which seeks to automate some of the initial stages of memory analysis
      Martin Korman’s VolatilityBot
    • They shared a tool called DensityScout, which can be used to calculate the density of a file.
      Find malware on a potentially infected system with DensityScout
    • They shared a link to a video held by Berkeley Labs last year regarding incident detection and analysis with BRO. A number of videos from this session were uploaded to the BRO YouTube channel which may be of interest.
      Incident Detection And Analysis With BRO
    • They provided a brief description of steganography and explained the 2 different LSB steganographic methods: LSB Replacement and LSB Matching
      Steganography… what is that?
    • Lastly they shared a paper by Changwei Liu, Anoop Singhal and Duminda Wijesekera that “describes a probabilistic model that applies Bayesian Network to constructed evidence graphs, systematically addressing how to resolve some of the above problems by detecting false positives, analyzing the reasons of the missing evidence and computing the probability for an entire attack scenario”
      A Probabilistic Network Forensic Model For Evidence Analysis


  • Mark Mager at Endgame has a nice blogpost about script de/obfuscation techniques. He starts by advising the basics of the environment required, and some resources that can be utilised, and then proceeds to explain a variety of different methods that the obfuscation routines utilise to muddy the code. Mark also explains that when deobfuscating, it’s helpful to employ good coding practices (think whitespace, comments, variable/function naming if possible) to ensure that the code is easy to read – easy to read code is easier to understand.
    I’m actually quite interested in script de-obfuscation, mainly because it seems like there are a few conventions regarding junk code that can be automatically removed. You can replace a number of the variable/sub/function routine names quite easily, automatically indent based on basic control structures, and remove a number of the useless mathematical commands (ie =6+”2” can just be replaced with =8). I wrote a short script that does this for VBScript, but it’s fairly basic, doesn’t do a great job, and I need more test data to improve it. If anyone has any suggestions for automatic code deobfuscation (even if it’s just a helper script) I’d be interested to hear about it.

    Defeating the Latest Advances in Script Obfuscation

  • Paul Ewing at Endgame shares a post on identifying malware that’s hiding on a system. Paul explains that “legitimate processes will be running from %SystemRoot% or %ProgramFiles%”; removing these may result in easier identification of malicious processes. He also suggests filtering for signed executables, and hashing and removing known good, before examining the files using an automated tool such as VirusTotal. (NB: Buyer beware with tools like VirusTotal because the information is then public.)
    How to Hunt: The [File] Path Less Traveled

  • Joie Salvio and Floser Bacurio Jr. at Fortinet have identified a new variant of Locky, which now uses the “odin” file extension. This post compares Locky with its variants, Zepto and now Odin and shows their similarities and differences (they’re basically 99% the same).
    The Locky Saga Continues: Now Uses .odin as File Extension

  • Luis Rocha at Count Upon Security has released part 2 of his RIG Exploit Kit analysis.
    RIG Exploit Kit Analysis – Part 2

  • The Malware Hunter at Hunting Malware has a write up of the Raum malware, which seeks to infect gamers PCs for bitcoin mining and password stealing.
    Der Dritte Raum, Die Forschung!

  • There were a couple of articles at Proofpoint
  • Brian Bartholomew and Juan Andrés Guerrero-Saade have published a paper on Securelist, covering the “current state of attribution in targeted attack research and at deliberate attempts by the adversary to obstruct this process. The paper includes common bases for attribution, practical and methodological complications, and examples of purposeful abuse by sophisticated threat actors in the wild.”
    Wave your false flags!

  • Anton Ivanov, Orkhan Mamedov and Fedor Sinitsyn have posted an article on SecureList comparing the ransomware Polyglot to CTB Locker. The authors found that whilst Polyglot was not a fork of CTB Locker it was definitely inspired by it, with a number of similarities in its implementation and presentation. The authors also examined Polyglots C&C traffic and the encryption algorithm.
    Polyglot – the fake CTB-locker

  • There were a couple articles on Palo Alto Networks this week
  • Susan Bradley’s GIAC (GSEC) Gold Certification paper was posted on the SANS Reading Room. This paper was on the topic of Ransomware and lists a number of useful techniques for preventing ransomware (and malware in general) execution.

  • Alexander Sevtsov at Lastline Labs has a second post on VBA malware downloaders. He covers macro’s utilising the Document_Close/Autoclose function (execute routine when document is closed), attempting to identify sandboxes, and examining Zone Identifiers,
    Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 2]

  • Muhammad Hasib Latif and Dr. Farrukh Shahzad at FireEye examined a number of malware samples for instances of the sample using WMI to evade anti-virus/anti-malware products and detecting virtualisation, services, and processes.
    Increased Use Of WMI For Environment Detection And Evasion

  • Pieter Arntz at Malwarebytes labs has a post explaining how WMI hijackers work, and why they are effective (it’s usually not a good idea to disable WMI, unlike some of the other infection vectors). The author also shows an example of a WMI script that modifies the shortcuts of the available web browsers, and save Chrome, is file-less.
    Explained: WMI hijackers


  • Lesley Carhart provides a crash course in cyber threat intelligence; listing a few questions that threat intelligence should assist in answering. “If threat intelligence is not contextual or is frequently non-actionable in your environment, you’re doing “cyber threat” without much “intelligence” (and it’s probably not providing much benefit).”
    The $5 Vendor-Free Crash Course: Cyber Threat Intel

  • A couple more Enfuse 2016 highlights were posted this week
  • Kevin Black has written an interesting piece in the Edenbridge Chronicle on how the Surrey Police, with assistance from various universities, were able to prove that multiple images were taken with the same camera.
    Digital forensics technique traps man for school vouyerism

And that’s all for Week 40! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s