Week 41 – 2016



  • Oleg Afonin at Elcomsoft has posted news that their first book, Mobile Forensics – Advanced Investigative Strategies, has been released.
    Our First Book is Officially Out

  • Atola Technologies have released a battery unit for their Atola Insight Forensic product. The battery provides 3 hours 30 minutes of use time when imaging a source HDD to a target HDD with MD5 calculation, and multiple units can be chained together.
    Battery for Atola Insight Forensic

  • Jim Clausing has posted on the SANS ISC Handler Diaries about a new Python script he wrote called docker-mount. This script aims to “help with forensics on Linux systems that have docker containers”.
    New tool: docker-mount.py


  • Magnet Forensics will be hosting a webinar on Tuesday, November 22, 2016 at 10:00AM EST (3:00PM UTC). “In this session, we will discuss some of the most popular secondary browsers and the artifacts that are available. We will also discuss how these and other browsers sync data across devices using cloud accounts.”
    Investigating the Most Popular Browsers You’ve Never Heard Of

  • Matt Bromiley and Lance Spitzner will be presenting a SANS webinar on identifying which human risks to prioritise. The webinar will take place Wednesday, October 26th, 2016 at 11:00:00 EDT (27/10/16 3:00 am UTC).
    The Most Common Human Incidents – A Forensicator’s Tale

  • This week’s episode of the Digital Forensics Survival podcast covers a variety of tools that Michael uses when examining Macs. The show notes have the list of tools and where to get them.
    DFSP # 034 – Forensic tools for your Mac


  • Jamie McQuaid at Magnet Forensics puts forward his argument for showing false positives in tool results. I agree with his reasoning; often I have examined the results of an IEF extraction and found that the data has been recovered but not parsed correctly because it’s been malformed by one process or another. The data is still intelligible to a person, but hasn’t been placed in the correct location – “I would rather get 10 false positives than miss one false negative”. One of the things I’d like to see in IEF is the ability to highlight false positives and hide them from view (think the opposite of bookmarks). Jamie also suggests critically analysing the data presented as well as verifying your findings with another tool or parsing the data structure manually.
    Why False Positives Are Important

  • Foxton Forensics explains why it is important to verify your findings when it comes to Internet history timestamps, and lists how the various timestamps are recorded.
    Timestamps in internet history

  • Jasper Bongertz has started a series on network packet captures. This post explains network topologies and the problems that can arise from capturing on them, as well as various methods of packet capture.
    The Network Capture Playbook Part 1 – Ethernet Basics

  • Paul Sanderson released this post a month ago, but I must have missed it; thankfully he tweeted it out during the week. The article describes the structure of the iOS SMS database and the table relationships, as well as the standard methods of identifying those communicating when messages are deleted, and a new method that Paul has figured out. Using this method, Paul was able to identify the third party in an SMS conversation that other tools were unable to determine.
    SMS recovered records and contacts – three ways

  • David Kennedy at Binary Defense Systems explains how an examiner can detect “Pass the Hash” attacks through Event Log analysis.
    Reliably Detecting Pass the Hash Through Event Log Analysis

  • Lee Whitfield shares his findings on file timestamps from some basic operations (file creation, duplication, moves, etc.) on MacOS.
    MacOS File Movements

  • We Are 4n6 released a couple of articles
    • They wrote an article about JPEG Quantisation Tables, which can be used to identify image processing software and cameras as well as detect double compressed files. The tables embedded in the images may depend on the quality or settings of the camera/software used.
      Surprises of JPEG Quantization Table
    • They advised that an HTTP log parsing tool, BooLet, was updated to version 1.2. The update added YARA rules support, automatic anomaly detection, and a YAML configuration file.
      BooLet 1.2 Released
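The quantisation-table technique described above, as an added Python example that is not part of the We Are 4n6 article: it walks a JPEG's marker segments, pulls out each DQT table, and estimates which libjpeg quality factor the table was scaled from, which is the kind of fingerprint used to tie an image to its encoder or to spot recompression. The IJG base table and scaling arithmetic are the standard ones from ITU T.81 Annex K and libjpeg; the sample JPEG is constructed inline.

```python
import struct

# Standard luminance table from ITU T.81 Annex K, natural (row-major) order.
IJG_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99,
]

def ijg_scaled_table(quality: int) -> list[int]:
    """libjpeg's jpeg_quality_scaling + jpeg_add_quant_table arithmetic."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (q * scale + 50) // 100)) for q in IJG_LUMA]

def parse_dqt_tables(data: bytes) -> dict[int, list[int]]:
    """Return {table_id: 64 entries} for every DQT (0xFFDB) segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    tables, pos = {}, 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or SOS: no more table segments
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        payload, i = data[pos + 4:pos + 2 + length], 0
        while marker == 0xDB and i < len(payload):   # a DQT may carry several tables
            precision, table_id = payload[i] >> 4, payload[i] & 0x0F
            n = 128 if precision else 64            # Pq=1 means 16-bit entries
            raw = payload[i + 1:i + 1 + n]
            if len(raw) != n:
                raise ValueError("truncated DQT segment")
            tables[table_id] = list(struct.unpack(">64H", raw)) if precision else list(raw)
            i += 1 + n
        pos += 2 + length
    return tables

def estimate_quality(table: list[int]) -> int:
    """Best-matching IJG quality factor. Values are compared as sorted multisets, so the
    zig-zag order a real DQT uses does not matter."""
    observed = sorted(table)
    return min(range(1, 101), key=lambda q: sum(
        abs(a - b) for a, b in zip(observed, sorted(ijg_scaled_table(q)))))

# Constructed sample: SOI, one 8-bit DQT (table 0) scaled at quality 75, then EOI.
SAMPLE_JPEG = (b"\xff\xd8\xff\xdb" + struct.pack(">H", 67) + b"\x00"
               + bytes(ijg_scaled_table(75)) + b"\xff\xd9")
```

A table that matches no quality factor closely, or a luminance table that disagrees with the chrominance table's estimate, is the kind of discrepancy that points at a non-libjpeg encoder or a recompressed file.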


  • Adrian at Bit Therapy utilises JPEXS Free Flash Decompiler to analyse an obfuscated SWF file. After extracting the SWF file from memory, the code is de-obfuscated and analysed.
    Analyzing Obfuscated SWFs

  • Joie Salvio at Fortinet has a write-up of a keylogger located in a spam email that he was able to trace back to the Malware-as-a-Service (MaaS) platform OffensiveWare. The email contains a malicious document, but the interesting thing is that the macro extracts the downloader code from within the text of the document rather than downloading the malware directly. The spyware package utilises “publicly available password-extraction tools developed by SecurityXploded” and then e-mails the extracted data, along with logged keystrokes and system screenshots, to a Gmail address.
    OffensiveWare: A New Malware-as-a-Service Platform Takes a Fitting Label

  • Lilia Elena Gonzalez Medina presents some analysis of a malicious URL that downloaded a ZIP file. “The compressed file also contained a Jar that downloaded additional files, created Visual Basic scripts and a scheduled task, and executed a malicious DLL that injected itself into a legitimate process to steal the login credentials typed by the user on specific websites”.
    A Brazilian Trojan Using A Jar File, VB Scripts And A DLL For Its Multi-Stage Infection

  • Pieter Arntz at Malwarebytes Labs talks about the Youndoo malware that attempts to get Chrome users to use Youndoo as their search page. If you are affected by the hijacker you will notice that a new account has been logged in on Chrome called “user0” and your start page will be “www.youndoo.com.”
    Youndoo creates new Chrome profile

  • Casey at subTee has a post on “injecting shellcode via In-Memory patches and injecting a DLL into a 32bit process” and “detection and shim artifacts”.
    Using Application Compatibility Shims

  • Ido Naor and Noam Alon have a post on SecureList about CryPy, a newly identified piece of Python-based ransomware.
    CryPy: ransomware behind Israeli lines

  • Darryl at Kahu Security ran through deobfuscating some malicious PHP scripts that were identified on a hacked Joomla website and were “related to WordPress hacks via MailPoet back in 2014”.
    Deobfuscating a Malicious PHP Downloader

  • Rodel Mendrez at Trustwave SpiderLabs examines an MSG file containing malware that was attached to an unsolicited e-mail. The MSG file, which is an OLE2 file, was unpacked and its contents decompressed to find another OLE file! This contained a heavily obfuscated JavaScript downloader.
    Down the Rabbit Hole: Extracting Maliciousness from MSG Files Without Outlook

  • Proofpoint have released their key takeaways from the third quarter of 2016: JavaScript attachments are increasing, Locky remains popular but other variants are being seen more regularly, and iOS and Android (along with popular apps) are the predominant mobile targets, among other findings.
    The Storm After the Calm: Proofpoint Q3 Threat Summary Tracks Locky Ransomware, Social Threats, BEC, and More

  • The Talos Group at Cisco “discuss a new Locky configuration extractor that Talos is releasing, which we are naming ‘LockyDump’”. “This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky ie; .locky, .zepto & .odin based ransomware.”
    LockyDump – All Your Config Are Belong To Us

  • Jason Reaves at ThreatGeek has posted a technical analysis of TrickBot, which he explains is clearly linked to the Dyre banking trojan. He does mention that it’s missing some elements of Dyre.
    TrickBot: We Missed you, Dyre

  • Brad Duncan has posted on the SANS ISC Handler diaries looking at an “infection from the pseudoDarkleech campaign”.
    pseudoDarkleech Rig EK

  • Also on the ISC Handler diaries, Didier Stevens shares his analysis of a malicious Word document that “has some anti-analysis tricks”. He also shares a few tips on how to step through the malware and assist your examination (for example, using input boxes so you can copy out decoded strings).
    Maldoc VBA Anti-Analysis


  • Samuel Alonso at Cyber IR has posted a review of “Incident Response & Computer Forensics 3rd edition”. He explains that it’s a solid IR book that covers investigating Windows and OS X systems, including a variety of OS, memory and file system artefacts.
    Book: Incident Response & Computer Forensics 3rd edition

  • Greg Smith at TrewMTE explains that because of the “introduction of a UK Forensic Science Regulator (FSR) there are now mandated ‘Codes of Practice and Conduct’, standards and accreditation applicable to mobile phone forensic evidence”. He also explains some of the details surrounding this.
    QA and Laboratory Accreditation

  • Greg also shares an article on small-team (under three people) lab accreditation.
    ISO/IEC 17025/17020 – One-Person Organisation

  • Lesley Carhart has posted an FAQ on Nation State Threat Attribution from the perspective of seven different infosec professionals. “This article’s primary target audience is IT staff and management at traditional corporations and non-governmental organizations who do not deal with traditional military intelligence on a regular basis”
    Nation State Threat Attribution: a FAQ

  • Adam at Hexacorn has two posts this week
    • The first post is a list of warnings to those seeking to pay vendors to give them a product that will detect all intruders/stop all malware/track all the things.
      The cyberchild of Omelas
    • The second post explains the two categories Adam divides threat hunting into: the first is based on IOCs, and the second is “based on assumptions and scenarios that attempt to detect stages of malicious/hacking activity”. Adam explains that “the current state of threat hunting is that we finally know what to log and what to look at. We have absolutely no clue though how to sift through this data in a realistic, scalable way to ensure we don’t miss a single threat”.
      Threat Hunting – A Tale of Wishful Thinking and Willful Ignorance …

  • The folks at Sqrrl have started a blog series they’re calling ‘The Hunter’s Den’ which covers the “Tools, Tips, and Techniques for Threat Hunting”. The first post describes the three threat hunting categories: Tactical, Operational and Strategic hunts.
    Welcome to The Hunter’s Den: Tools, Tips, and Techniques for Threat Hunting

  • James Habben at 4n6ir provides a quick registry hack that allows a program with elevated privileges to circumvent UAC when interacting with network shares.
    Windows Elevated Programs with Mapped Network Drives

  • The students at Champlain College have started their projects for the semester. First up is a team covering Bluetooth security. The team intends to utilise Pwnie Express’s BlueHydra and Econocom Digital Security’s Btlejuice and report on the information that they are able to collect using these tools.
    Bluetooth Security Forensics Introduction

  • An article was posted on the Forensic Focus blog by Oxygen Forensics that explains that they have come to some sort of agreement with the Mitre Corporation that will improve data extraction times for Android devices. The article doesn’t explain much more than that, but this coincides with the latest release of their Detective product; maybe a speed comparison of the major vendors is in order?
    Oxygen Forensics Speeds Up Forensic Processing of Android Devices

  • Didier Stevens posted on the SANS ISC Diaries about rahash2, a tool in the Radare2 framework. This tool can “split the file in blocks and calculate the entropy for each block”, which, for example, is useful in determining whether a file has been completely encrypted by ransomware.
    Radare2: rahash2
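The per-block entropy check the diary describes, as an added Python example (not Didier's code and not radare2's): it splits a file into fixed-size blocks, computes the Shannon entropy of each, and treats a file as fully encrypted only when no block falls below a threshold, so a file whose header or tail survived in plaintext is not misclassified. The 7.5-bit threshold, the 1024-byte block size and the sample data are assumptions constructed for the example.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a perfectly uniform byte distribution."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def block_entropies(data: bytes, block_size: int = 1024) -> list[float]:
    """Entropy of each consecutive block, the per-block view rahash2 prints."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]

def looks_fully_encrypted(data: bytes, block_size: int = 1024, threshold: float = 7.5) -> bool:
    """True only when every block is near the 8-bit ceiling; a single low block means some
    plaintext region (header, trailer, unencrypted stripe) survived."""
    # Keep block_size well above 256 bytes: a block of n bytes can never exceed log2(n) bits.
    ents = block_entropies(data, block_size)
    return bool(ents) and min(ents) >= threshold

# Constructed samples (4096 bytes each so they split into exactly four 1024-byte blocks).
PLAIN = (b"Week 41 - This Week in 4n6 digest, repeated to fill four blocks.\n" * 100)[:4096]
_rng = random.Random(41)   # seeded PRNG stands in for ciphertext so the run is reproducible
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))
PARTIAL = PLAIN[:2048] + ENCRYPTED[2048:]   # header left intact, body encrypted

if __name__ == "__main__":
    for name, data in (("plain", PLAIN), ("encrypted", ENCRYPTED), ("partial", PARTIAL)):
        ents = ", ".join(f"{e:.2f}" for e in block_entropies(data))
        print(f"{name:9s} blocks=[{ents}] fully_encrypted={looks_fully_encrypted(data)}")
```

Compressed formats (ZIP, JPEG, PDF streams) also sit near 8 bits per block, so a high-entropy verdict alone identifies "not plaintext", not "encrypted"; pair it with a magic-number or header check before concluding that ransomware touched the file.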

And that’s all for Week 41! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
