SOFTWARE UPDATES

• ExifTool was updated version 10.29 (development release), adding new tags and updates to various options.
  ExifTool 10.29
  
  
• DME Forensics released an update to DVR Examiner (version 1.26.0), adding “additional filesystems, as well as a few small improvements and bug fixes.”
  DVR Examiner 1.26.0
  
  
• Elcomsoft updated their Cloud Explorer product to version 1.20.14403. Oleg Afonin has an article explaining that due to the update to the Android Compatibility Document that states that “manufacturers certifying their Android devices for Google services are now required to enforce encryption out of the box”, Cloud extractions are more important than ever. The update to ECE allows examiners to download synced call logs if the user is running a device on Android 6.0+. The tool will also extract synced Wi-Fi passwords and SSIDs.
  Elcomsoft Cloud Explorer: Extracting Call Logs and Wi-Fi Passwords
  
  
• AChoir has been updated to version 0.75, adding the ability to copy files directly from the NTFS volume. The author has also gone to a lot of effort to describe the process in the post below.
  Implementing NTFS Raw Copy into AChoir
  
  
• Passmark Software have released the Beta of OSForensics version 4. The beta expires on the 15th November. There are a lot of updates in this version so it would be beneficial to read through the release notes to get an idea of everything. I haven’t played with the tool yet, but it looks interesting.
  OSForensics V4 Beta release
  
  
• MISP 2.4.52 was released and included new features, improvements and bug fixes.
  MISP 2.4.52 released including new features and major improvements
  
  
• X-Ways Forensics 18.9 SR-9 was released with minor improvements and bug fixes.
  X-Ways Forensics 18.9 SR-9
  

SOFTWARE/PRODUCT RELEASES

• Chet Hosmer has announced that his new book “Integrating Python with Leading Forensic Platforms” has been released. The book’s goal is “to provide details on how to directly integrate Python into key forensic platforms”.
  Integrating Python with Leading Forensic Platforms – Book Released
  
  
• Joesecurity released ‘Pafish for Office’ Macro. “Pafish is a tool to check recent anti-malware analysis tricks and evasions against your favorite sandbox”. They “put all known VBA / Macro based sandbox checks and evasions into a single Microsoft Office Word document and released [it] on Github”.
  Pafish for Office Macro
  

PRESENTATIONS/PODCASTS

• Forensic Focus have uploaded the webinar held by Jeremy Kirby, Director of Sales at Susteen on breaking passcodes and patterns on locked Android phones.
  Webinar: How To Break Passcodes / Patterns On Locked Android Phones
  
  
• Forensic Focus also announced a panel webinar covering the challenges that mobile devices pose in global investigations. This will be held on 11 October at 9:00AM ET / 2:00PM UK / 3:00PM CEST.
  Webinar: Challenges Mobile Devices Pose in Global Investigations
  
  
• Magnet Forensics have uploaded the webinar that was held a couple weeks ago by Christopher Vance regarding Android Marshmallow analysis.
  Taking the Mystery out of Android Marshmallow Analysis
  
  
• Wirespeed Forensics uploaded a video showing how it’s possible to utilise Evimetry to take a partial acquisition of a running server (in this case running on Rackspace), and then examine the network-mounted drive using Encase.
  Live Cloud Partial Acquisition & Analysis with Evimetry & EnCase: Rackspace Cloud
  
  
• Amit Malik at Cysinfo has released a 20-minute video (I’m assuming the beginning of a series), on macro analysis using Python.
  Cyber Security With Amit Malik – Episode 1 – Macro Analysis
  
  
• Steve Whalen from Sumuri uploaded a video showing how to take a forensic image of a Surface Pro 4 using Paladin 7.
  Forensic Image of Surface Pro 4 with PALADIN 7
  
  
• Adrian Crenshaw uploaded a number of presentations from GrrCon 2016 to his YouTube channel. Two that caught my eye are listed below
  • 307 Getting to the Root of Advanced Threats Before Impact Josh Fazio
  • 205 Threat Detection Response with Hipara J Brett Cunningham
  • 207 Quick and Easy Windows Timelines with Python MySQL and Shell Scripting Dr Phil Polstra
  • 214 Tales from the Cryptanalyst Jeff Man
  • 216 Binary Ninja Jared Demott

• Didier Stevens published a new post this week linking to some of the videos that he has created in the past showcasing his rtfdump Python script. The videos introduce the tool and run a couple of malicious RTF files through it.
  rtfdump Videos

• Atola Technology have published a video showing how easy it is to create scripts for the latest version of their Atola Insight Forensic product.
  Writing a script from scratch in Atola Insight Forensic 4.6
  
  
• Frode Hommedal released the first 155 slides from the presentation he did at FIRST TC on CSIRT models. Even if you don’t read through the content, the way that he has done the presentation is pretty cool
  Incident Response – Taking Csirt Modeling To The Next Level
  
  
• This week’s episode of the Digital Forensics Survival podcast covers some of the OS X plists that Michael suggests examiners should look at in an initial triage. Michael also says his preference is to use Plist Editor Pro instead of the Xcode plist editor. The plists mentioned are the systemversion.plist, com.apple.loginwindow.plist, com.apple.timemachine.plist, and com.apple.bluetooth.plist.
  DFSP # 033 – PLISTS for Mac Triage
  

FORENSIC ANALYSIS

• Mari DeGrazia has published some code to extract thumbnail images from OS X’s QuickLook thumbnail.data file. This file is similar to the centralised thumbcache on Windows, however, the only other tool that I know of to do this is an enscript for Encase. As usual, Mari explains the artefact and how to perform the task manually and has then written a Python script to automate the task.
  QuickLook thumbnails.data parser
  
  
• TekDefense has posted the winning write-up to the Network Challenge that was posted last month.
  Network Challenge – 001 – Solution
  
  
• The Photo Investigator has made a start explaining the “Maker Apple” EXIF tag embedded in iPhone (iOS/OSX?) photos. The post explains that an examiner can determine an acceleration vector, the orientation of the phone, a timestamp as well as some additional data that was unable to be decoded.
  Coincidently, Exiftool’s latest update has “Decode a new Apple tag” in the release notes; I haven’t tested whether it can handle the “Maker Apple” tag.
  What is the “Maker Apple” Metadata in iPhone Photos?
  
  
• Dr. Neal Krawetz at Hacker Factor provides a brief analysis of a photo uploaded to FotoForensics and then goes on to identify the photo’s potential owner, as well as the number of places that it appears online in dating profiles.
  Pretty in Pink
  
  
• Chris Gerritz lists a variety of post-compromise detection strategies that hunters can employ to detect an adversary in their systems. Chris explains each strategy (Data-centric Hunting, Hunting on the Endpoint, Deception), their advantages and disadvantages as well as a brief conclusion regarding their effectiveness.
  Approaches to Threat Hunting
  
  
• John Lukach at 4n6ir has written a Python script to scan a network using Nmap and identify devices.
  Know Your Network
  
  
• SANS published the whitepaper by Dr Eric Cole on acknowledging insider threats
  Taking Action Against the Insider Threat
  
  
• Aidan Jewell at Nuix has a short write-up of the data he was able to recover from the DJI Go iOS app, and then using Nuix to create a KML file to view the flight in Google Earth. Drone Forensics isn’t a particularly large field, so if you’re interested in learning more, check out David Kovar’s presentation from last years DFIR Summit.
  Investigating the Unfriendly Skies
  
  
• Weare4n6 shared a variety of links and articles
  • They shared a link to “Lenas Reversing for Newbies”, a collection of 40 tutorials aimed at new reverse engineers.
    Reversing for Newbies
  • They shared a tool by Martin Korman called VolatilityBot, which seeks to automate some of the initial stages of memory analysis
    Martin Korman’s VolatilityBot
  • They shared a tool called DensityScout, which can be used to calculate the density of a file.
    Find malware on a potentially infected system with DensityScout
  • They shared a link to a video held by Berkeley Labs last year regarding incident detection and analysis with BRO. A number of videos from this session were uploaded to the BRO YouTube channel which may be of interest.
    Incident Detection And Analysis With BRO
  • They provided a brief description of steganography and explained the 2 different LSB steganographic methods: LSB Replacement and LSB Matching
    Steganography… what is that?
  • Lastly they shared a paper by Changwei Liu, Anoop Singhal and Duminda Wijesekera that “describes a probabilistic model that applies Bayesian Network to constructed evidence graphs, systematically addressing how to resolve some of the above problems by detecting false positives, analyzing the reasons of the missing evidence and computing the probability for an entire attack scenario”
    A Probabilistic Network Forensic Model For Evidence Analysis
    

MALWARE

• Mark Mager at Endgame has a nice blogpost about script de/obfuscation techniques. He starts by advising the basics of the environment required, and some resources that can be utilised, and then proceeds to explain a variety of different methods that the obfuscation routines utilise to muddy the code. Mark also explains that when deobfuscating, it’s helpful to employ good coding practices (think whitespace, comments, variable/function naming if possible) to ensure that the code is easy to read – easy to read code is easier to understand.
  I’m actually quite interested in script de-obfuscation, mainly because it seems like there are a few conventions regarding junk code that can be automatically removed. You can replace a number of the variable/sub/function routine names quite easily, automatically indent based on basic control structures, and remove a number of the useless mathematical commands (ie =6+”2” can just be replaced with =8). I wrote a short script that does this for VBScript, but it’s fairly basic, doesn’t do a great job, and I need more test data to improve it. If anyone has any suggestions for automatic code deobfuscation (even if it’s just a helper script) I’d be interested to hear about it.
  Defeating the Latest Advances in Script Obfuscation
  
  
• Paul Ewing at Endgame shares a post on identifying malware that’s hiding on a system. Paul explains that “legitimate processes will be running from %SystemRoot% or %ProgramFiles%”; removing these may result in easier identification of malicious processes. He also suggests filtering for signed executables, and hashing and removing known good, before examining the files using an automated tool such as VirusTotal. (NB: Buyer beware with tools like VirusTotal because the information is then public.)
  How to Hunt: The [File] Path Less Traveled
  
  
• Joie Salvio and Floser Bacurio Jr. at Fortinet have identified a new variant of Locky, which now uses the “odin” file extension. This post compares Locky with its variants, Zepto and now Odin and shows their similarities and differences (they’re basically 99% the same).
  The Locky Saga Continues: Now Uses .odin as File Extension
  
  
• Luis Rocha at Count Upon Security has released part 2 of his RIG Exploit Kit analysis.
  RIG Exploit Kit Analysis – Part 2
  
  
• The Malware Hunter at Hunting Malware has a write up of the Raum malware, which seeks to infect gamers PCs for bitcoin mining and password stealing.
  Der Dritte Raum, Die Forschung!
  
  
• There were a couple of articles at Proofpoint
  • This article is a brief overview of the Hades locker ransomware, which the authors indicate mimics locky.
    Hades Locker Ransomware Mimics Locky
  • This article, by Matthew Mesa, Axel F and the Proofpoint Staff, describes a technique attackers are using to social engineer recipients into executing malware.  The attackers were seen to use the Windows Troubleshooting Platform to download a PowerShell script (after convincing the user to open a malicious Word document).
    Looking for Trouble: Windows Troubleshooting Platform Leveraged to Deliver Malware
    
    
• Brian Bartholomew and Juan Andrés Guerrero-Saade have published a paper on Securelist, covering the “current state of attribution in targeted attack research and at deliberate attempts by the adversary to obstruct this process. The paper includes common bases for attribution, practical and methodological complications, and examples of purposeful abuse by sophisticated threat actors in the wild.”
  Wave your false flags!
  
  
• Anton Ivanov, Orkhan Mamedov and Fedor Sinitsyn have posted an article on SecureList comparing the ransomware Polyglot to CTB Locker. The authors found that whilst Polyglot was not a fork of CTB Locker it was definitely inspired by it, with a number of similarities in its implementation and presentation. The authors also examined Polyglots C&C traffic and the encryption algorithm.
  Polyglot – the fake CTB-locker

• There were a couple articles on Palo Alto Networks this week
  • Josh Grunzweig and Robert Falcone published some information about the OilRig malware campaign, which in recent months has been updated. A few VBS variants have been released, with “upd.vbs” being the most current, actively developed copy.
    OilRig Malware Campaign Updates Toolset and Expands Targets
  • Richard Wartell, Jacob Soo, Anthony Kasza, Josh Grunzweig, Gabriel Kirkpatrick and Tyler Halfpop share the solutions the Random track of the LabyREnth CTF.
    LabyREnth Capture the Flag (CTF): Random Track Solutions
    
    
• Susan Bradley’s GIAC (GSEC) Gold Certification paper was posted on the SANS Reading Room. This paper was on the topic of Ransomware and lists a number of useful techniques for preventing ransomware (and malware in general) execution.
  Ransomware
  
  
• Alexander Sevtsov at Lastline Labs has a second post on VBA malware downloaders. He covers macro’s utilising the Document_Close/Autoclose function (execute routine when document is closed), attempting to identify sandboxes, and examining Zone Identifiers,
  Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 2]
  
  
• Muhammad Hasib Latif and Dr. Farrukh Shahzad at FireEye examined a number of malware samples for instances of the sample using WMI to evade anti-virus/anti-malware products and detecting virtualisation, services, and processes.
  Increased Use Of WMI For Environment Detection And Evasion
  
  
• Pieter Arntz at Malwarebytes labs has a post explaining how WMI hijackers work, and why they are effective (it’s usually not a good idea to disable WMI, unlike some of the other infection vectors). The author also shows an example of a WMI script that modifies the shortcuts of the available web browsers, and save Chrome, is file-less.
  Explained: WMI hijackers
  

MISCELLANEOUS

• Lesley Carhart provides a crash course in cyber threat intelligence; listing a few questions that threat intelligence should assist in answering. “If threat intelligence is not contextual or is frequently non-actionable in your environment, you’re doing “cyber threat” without much “intelligence” (and it’s probably not providing much benefit).”
  The $5 Vendor-Free Crash Course: Cyber Threat Intel
  
  
• A couple more Enfuse 2016 highlights were posted this week
  • Matthew Fortier attended James Habben’s “Down and Dirty With Python” talk, which showcased using Python as a method of simplifying a forensic task.
    ENFUSE 2016 HIGHLIGHT- MATTHEW FORTIER
  • David D’Amico wrote a glowing review of the conference and his experience attending as a freshman.
    FINAL ENFUSE 2016 HIGHLIGHT- DAVID D’AMICO
    
    
• Kevin Black has written an interesting piece in the Edenbridge Chronicle on how the Surrey Police, with assistance from various universities, were able to prove that multiple images were taken with the same camera.
  Digital forensics technique traps man for school vouyerism

And that’s all for Week 40! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!