Week 42 – 2016

Publishing slightly earlier this week due to university commitments, anything else published today will get rolled into next week’s post.


  • Didier Stevens updated oledump.py to version 0.0.25, adding “a couple of new options (--decoderdir and --plugindir) and a bugfix”.
    Update: oledump.py Version 0.0.25

  • Didier also updated his cut-bytes.py Python script to version 0.0.4, adding the ability to perform a variety of dumps.
    Update: cut-bytes.py Version 0.0.4

  • Belkasoft updated their Belkasoft Evidence Centre product to version 8.1. The update “offers support of new iOS 10, quicker and more robust acquisition of mobile devices and cloud data, a number of new and updated apps, with a pack of bugfixes and improvements”.
    What’s New in Version 8.1

  • Matthew Seyer at G-C Partners updated the GcLinkParser to version 1.1, adding output to SQLite.
    Check Out forensic_matt’s Tweet

  • ExifTool was updated to version 10.31 (development release), adding new tags and bug fixes.
    ExifTool 10.31

  • The MISP Project released MISP 2.4.53. The update includes a variety of features including UI improvements, a new CSV import module and quick search when adding new tags, as well as some security and bug fixes.
    MISP 2.4.53 released

  • Elcomsoft updated their Phone Breaker tool to version 6.11. The update “fixes several problems with iCloud backups (mostly related to iOS 10), and adds password recovery for 1Password containers in iOS 10 backups”.
    Elcomsoft Phone Breaker 6.11

  • Compelson’s MOBILedit version 8.7 was released adding support for a number of new devices, as well as “support for opening cloud backups created by mobile Android Phonecopier application” and the addition of an iOS MOBILedit application. There were also minor improvements and bug fixes.
    New MOBILedit 8.7

  • AccessData updated Forensic Toolkit (FTK) and AD Lab to version 6.1.
    • AD Lab fixed a variety of issues, as well as adding new features such as additional filter options, support for FlashMail and FoxMail, and decryption of Dell Data Protection | Encryption (DDPE) 9.2 Server, as well as the addition of user groups and user management improvements.
      AD Lab Version 6.1
    • The update to FTK incorporates the same additional features as AD Lab and corrects a number of previous issues.
      Forensic Toolkit (FTK) version 6.1

  • X-Ways Forensics 19.0 has officially been released. To see the full set of release notes you can read the newsletter here. The full release has a couple of new features from Beta 7 including selective removal of large files when hashing, the ability to discard file buffers, revision of MP3 metadata extraction, and an additional checkbox to “make X-Ways Forensics reveal which sub-operation is currently applied to the currently processed file”.
    X-Ways Forensics 19.0


  • Nir Sofer at NirSoft has released a new tool, EncryptedRegView, “that scans the Registry of your current running system or the Registry of external hard drive you choose and searches for data encrypted with DPAPI (Data Protection API)”.
    New tool that shows encrypted data stored inside the Registry of Windows

  • Arsenal Consulting have released Hibernation Recon (Beta v1.0.0.33), a tool that extracts information from Microsoft Windows® XP, Vista, 7, 8, 8.1, and 10 hibernation files. The release of this tool spurred some interesting discussion on Twitter so it will be interesting to see how this tool stacks up against Comae’s hibr2bin. If you look at the comments of this article, there are links to a variety of presentation slides regarding the tool posted to Twitter.
    Arsenal Recon Launches Breakthrough Microsoft Windows Hibernation Forensic Tool

  • The Talos Group have released a new tool called MBRFilter, “that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device”. This tool was developed in direct response to malware such as Petya, which overwrites the MBR and encrypts the MFT. The authors, Edmund Brumaghin and Yves Younan, advise that as “MBRFilter has been intentionally made difficult to remove … test thoroughly before deploying within production environments”.
    MBRFilter – Can’t Touch This!


  • Didier Stevens has uploaded a video analysing another malware sample using the VBA interpreter to decode the strings through the decoding function. According to this post, this is the video version of the analysis posted here.
    Maldoc VBA: Decoding With Excel

  • This week’s episode of the Digital Forensics Survival podcast covers OS X plists that store the recently accessed files on a Mac. The show notes provide the locations of various application-specific plists that store references to files that have been accessed. One of the things you can see in the pictures posted is the “Bookmark” field, which contains a large amount of metadata; however, there are limited resources that I’m aware of for decoding that data.
    DFSP # 035 – “Recent” File Listings on a Mac

  • Bruce Hunter at Blackbag will be hosting a webinar on iOS 10 and iTunes backup encryption on 27th October 2016 at 4:00 PM – 4:30 PM GMT.
    Implications of iOS 10 on Mobile Forensics

  • A variety of presentations from last week’s DFIR Prague Summit 2016 have been uploaded onto the SANS Summit archives.
    Community: Summit Archives


  • Lee Whitfield has added to his work on MacOS timestamp changes:
    • The first post covers NTFS – both copying from NTFS to HFS and then using Tuxera’s NTFS driver to copy to a drive.
      More MacOS File Movements
    • The second post continues down the rabbit hole and identifies a number of useful extended attributes that can provide additional context to a file. For example, kMDItemLastUsedDate indicates when a file is opened, whereas the filesystem ‘Accessed date’ is when the entry is accessed, not necessarily when the file is opened. There is a lot of useful information here that could go into a timeline.
      MacOS Timestamps from Extended Attributes and Spotlight

  • Keven Murphy at SANS shows off a triage tool built upon the sleuthkit called RIFT. This tool can be used to easily extract a preconfigured list of files off a system.
    Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

  • Kevin at TechAnarchy explains how to extract LastPass site credentials from memory. I like that the article starts with the test setup and method and ends with “here’s a plugin to automate this”.
    Extracting LastPass Site Credentials from Memory

  • Koen Van Impe shares a post that “contains some of the settings you should take into consideration when configuring your proxy server” [for incident response]. This includes time synchronisation, log retention (minimum 1 year) and tracking of a variety of information. He also lists a variety of events that should raise alerts and shares a link for using ELK to analyse BlueCoat proxy logs.
    Proxy server logs for incident response

  • This post relates to a project regarding “the various features and forensic value of Mobile Device Managers (MDM)”. The project seeks to examine “three main MDMs: MobileIron, Samsung Knox and IBM MaaS360” and “determine whether or not a forensic investigator could use an MDM to recover any forensic artifacts without having a physical device”. This post covers the MaaS360 MDM. The author was unable to identify data on a Cellebrite physical acquisition of a Nexus 5. They did, however, find that “the password settings, application information, location information, and network settings would be the most useful aspects of my MDM for a digital investigator”.
    Mobile Device Management – MAAS360

  • For those interested in understanding the underlying file structure of a PDF file Guillaume Endignoux posted a follow-up to his previous post on PDF basics.
    Pitfalls of PDF parsing and guidelines for file formats

  • We Are 4n6 shared a few tools and articles this week


  • The folks at VMRay have continued their series on Sandbox Evasion Techniques, this time focusing on Sandbox Detection.
    Sandbox Evasion Techniques – Part 2

  • Palo Alto Networks wrote a couple of articles this week
    • This post, by Robert Falcone and Bryan Lee, covers a tool that generates weaponised documents that they’ve named DealersChoice. The documents are “RTF documents containing embedded OLE Word documents further containing embedded Adobe Flash (.SWF) files”.
      ‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform
    • Brandon Levene and Brandon Young have written a post about a spambot commonly downloaded by the Andromeda malware that is part of the Sarvdap family. “Sarvdap is particularly interesting not due to its scale, but rather due to its attempts to increase overall spam delivery by abusing reputation blacklists.”
      Can I spam from here: An Unusually Clever Spambot Tests Blacklists

  • There are a couple of posts by Jérôme Segura at Malwarebytes Labs
  • Luis Rocha at Count Upon Security continues his series on the RIG Exploit Kit, this time “looking at the shellcode that is executed when the exploit code is successful”.
    RIG Exploit Kit Analysis – Part 3

  • Felix at Uperesia has also written a post analysing a RIG infection.
    Analyzing RIG Exploit Kit

  • There were a couple of articles shared on the MMPC Threat Research & Response Blog
  • Artem Semenchenko and Joie Salvio at Fortinet have a write-up of a “new open-source PHP ransom malware” called JapanLocker. Interestingly the Fortinet investigation team “not only found the archive of this malware’s source, which enabled us to analyse its encryption process, it has also uncovered an Indonesian hacking team who used to specialize on defacing web sites, but now uses those same skills to encrypt web site files for profit.”
    “JapanLocker”: An Excavation to its Indonesian Roots

  • There were a couple of posts on the Cisco Security blog
    • Ross Gibb documents a way for malicious code to execute on opening a document that doesn’t use the “Document_open” or “Auto_open” events.
      “The InkPicture Painted event is triggered upon document open, just like the Document_Open event. Using ActiveX controls like InkPicture and events associated with it, an attacker can create malicious documents that launch VB macro code when the document is opened without using the standard document open event triggers”
      Malicious Microsoft Office Documents Move Beyond InkPicture
    • Jan Kohout, Veronica Valeros and Petr Somol explain how machine learning algorithms and smart representations of gathered information can be used “to identify malicious behavior even in encrypted traffic”. Using the “sizes and timings of transferred information” can assist in generating useful information when correlated correctly.
      Piecing Together Malicious Behavior in Encrypted Traffic

  • Adam at Hexacorn documents a way to execute code through a VBE Add-in. “Each Add-in has a dedicated subkey where it lists the properties”, so adding in a couple of extra entries will allow you to execute code.
    Beyond good ol’ Run key, Part 48

  • The guys at Proofpoint have identified a malicious Word document that distributes the Kovter malware when a user clicks on an embedded image.
    Spike in Kovter Ad Fraud Malware Riding on Clever Macro Trick

  • Roland Dela Paz at Forcepoint documents “a strain of attacks that appear to target Pakistani nationals” that they have named BITTER. Spear phishing emails were sent to prospective victims using a popular Microsoft Office exploit to download and execute a remote access trojan. The attackers “use a few iterations of their RAT with the main difference being the RAT’s command and control (C2) communication method”.
    BITTER: A Targeted Attack Against Pakistan

  • Darryl at Kahu Security runs through an obfuscated WSF Downloader Script that downloads Locky.
    Deobfuscating the Nemucod Downloader Script

  • Herrcore from Open Analysis has posted the training materials for their IOC workshop. 224 slides of malware analysis goodness.
    Check out @herrcore’s Tweet

  • Brad Duncan posted on the SANS ISC Handler Diaries regarding an e-mail he received containing the NanoCore RAT.
    Malspam delivers NanoCore RAT


  • Jack Crook posts his response to Adam at Hexacorn’s article on threat hunting. Jack’s attitude towards threat hunting is slightly different: “How can I use the knowledge I have about actors and behaviors to apply to hunting so that I can get closer to the events that need to be investigated”. He then goes through a few different behaviours that would seem anomalous on a network and worth investigating, such as executing a combination of lateral movement/host recon tools, using psexec with the same credentials across the network, and identifying odd processes. Lastly, Jack adds his thoughts on knowledge transfer, specifically regarding people’s attitudes to alerts: “If the analyst doesn’t react with the same sense of urgency to the alert as you feel it deserves, it may not be a failure on their part, but more of a failure on your part for not giving them the proper knowledge transfer and ensuring they understand what they are looking at.”
    Threat Hunting – Getting Closer to Anomalous Behavior

  • Adam at Hexacorn has a couple of posts this week
  • The Blackbag Training Team posted a brief summary of how Blacklight was used to examine a Mac by the Saskatoon Police Service. Utilising various artefacts such as fsevents and plists, which Blacklight interprets, the examiner was able to show that the user had accessed and renamed various files inside a DMG container.
    Blackbag Helps Saskatoon Police Service Put A Criminal Behind Bars

  • Jad Saliba at Magnet Forensics posted a quick article explaining one of the updates in the latest version of Axiom. Apparently Axiom processing time was significantly slower than IEF, and as a result processing speed was greatly improved in 1.0.6.
    New Performance Enhancements in Magnet AXIOM Mean Faster Results

  • Brendan Dolan-Gavitt at Push the Red Button posted about a student-run security event organised by the NYU School of Engineering that combines security and open source topics. The inaugural Security: Open Source (SOS) workshop is being held November 10 at NYU Tandon.
    NYC Area Security Folks – Come to SOS!

  • Mike Evans at ThreatGeek has a post listing five (of ten) things that you can do by examining metadata.
    Ten Impossible Things You Can Do with Metadata, Part 1

And that’s all for Week 42! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
