Week 43 – 2016


  • Didier Stevens updated his virustotal-search Python script to version 0.1.4, which now accepts input from standard input.
    Update: virustotal-search.py Version 0.1.4

  • Cellebrite updated UFED Physical analyser to version 5.3.6, adding support for iOS 10.1 backups, as well as various bug fixes.

  • Autopsy was updated to version 4.2.0 adding a variety of improvements and bug fixes. This version added credit card account search, encoding/decoding of extracted files to avoid anti-virus alerts/quarantine and interface improvements.
    Autopsy 4.2.0 was released

  • DME Forensics released DVR Examiner 1.27.0, which included support for additional file systems, as well as improvements to their integration with iNPUT-ACE.
    DVR Examiner 1.27.0

  • GetData’s Forensic Explorer was updated to version v3.8.8.5896 with some minor bug fixes and improvements.
    Download Forensic Explorer

  • Mount Image Pro was updated to version to fix a minor bug.
    25 October 2016 –

  • X-Ways Forensics 19.0 SR-1 was released, fixing a few bugs. There was also an additional update to SR-1b for X-Ways Investigator only to fix an error in File mode.
    X-Ways Forensics 19.0 SR-1

  • X-Ways also updated their Viewer Component to v8.5.3 after Oracle provided a security patch.
    Viewer Component


  • Kim Spilker announced that “Troubleshooting with the Windows Sysinternals Tools, Second Edition” has been released. This book, by Mark Russinovich and Aaron Margosis, covers utilising the Sysinternals tools “to solve real-world cases involving error messages, hangs, sluggishness, malware infections, and much more”. The post lists a variety of places you can get it, although, for Australian pricing, Book Depository seems cheapest. Thanks to Dan Pullega for the heads up.
    New book: Troubleshooting with the Windows Sysinternals Tools, Second Edition

  • Brian Moran has released his Perl script “allyouruarecordrebelongtous.pl” from his presentation at last week’s OSDFCon. “This Perl script will allow the user to parse out data from SQLite databases associated with Under Armour Record stored on an Android device and present that information in an easy to read format”.
    Public release of “allyouruarecordarebelongtous” Perl script


  • The Forensic Lunch returns, this time from OSDFCon. Unfortunately, the audio isn’t very good, so it’s a bit hard to watch. This week Dave and Matthew had Mark McKinnon and Richard Macuisdein on the show to discuss what they’re up to. Mark spoke about the 12 plugins that he submitted for the Autopsy plugin contest. Richard, who was the only person to beat the forensic challenge that Dave published, gives a bit of info about his background at the Defense Cyber Investigation Training Academy and the service they offer.
    Forensic Lunch 10/26/16 Live from OSDFCon

  • There was a second Forensic Lunch in as many days, this time interviewing Mark Spenser from Arsenal Consulting about their new tool Hibernation Recon. The tool, released last week, allows examiners to extract data from the hiberfil and then parse it with third-party tools. Mark explains the various ways that data can be stored within the hibernation file and why they needed to develop a tool that wasn’t currently available. David and Matthew also shared their slides from OSDFCon, which are linked below.
    Forensic Lunch 10/28/16 Hibernation Recon

  • SANS Digital Forensics YouTube channel uploaded Alissa Torres’ webcast on Win10 Memory Forensics. “This presentation will provide insight into the significant changes introduced with Windows 10 and how they will affect your investigative process”.
    Know Normal, Find Evil Windows 10 Memory Forensics Overview

  • Magnet Forensics have shared Tayfun Uzun’s webinar on “the latest trends in chat and social apps” and “how to analyze and interpret data from these apps using Magnet AXIOM”.
    User Webinar: Using Custom Artifacts and Dynamic App Finder to Investigate Mobile Chat Apps

  • Paula Januszkiewicz at CQURE Academy shares some interesting places to look for evidence after an intrusion. She explains that examiners should check the ProfileList in the registry, prefetch data, RDCache, jumplists, and the USN Journal. There is also a blogpost which contains links to the tools used. Thanks to We Are 4n6 for the link.
    What to do after hack – 5 unusual places where you can find evidence

  • The sessions from Sector 2016 were uploaded last week and can be accessed below.
    Sector 2016 Sessions

  • Amit Malik at Cysinfo has released the second episode in his series on Macro Code deobfuscation, this time using VBScript debugger.
    Cyber Security with Amit Malik – Episode 2 – Macro Code De-obfuscation using VBScript Debugger

  • This week’s episode of the Digital Forensics Survival podcast covers iCloud Forensics. Michael provides a brief overview of iCloud and the data that can be stored and then goes into the plists associated (MobileMeAccounts.plist).
    DFSP # 036 – iCloud Forensic Evidence

  • ThreatGeek shared a recent interview on the Bloomberg Technology’s Decrypted Podcast where Fidelis Cybersecurity Senior VP Mike Buratowski discussed “the malware and other data that attackers used to pull off the breach of the Democratic National Committee’s (DNC) server”.
    Podcast: How Experts Traced the DNC Hack to Russian Spies

  • OSDFCon was held during the week and from this a couple of presentations have been shared:


  • Barnaby Skeggs has started a new blog called B2dfir and posted for the first time last week covering the “Waitlist.dat” artefact on Windows 8+. Barnaby explains that he was able to identify metadata and content for a large number of emails within this file. After explaining the artefact, he also provides a Python script, WLrip.py, to parse the contents of the file, based on his understanding of the data structure.
    Touch Screen Lexicon Forensics (TextHarvester/WaitList.dat)

  • Alistair Ewing posted an article on LinkedIn regarding his examination of a laptop that had been put back into circulation for two years. In this instance, Alistair was still able to conduct his examination because the Windows.old folder retained a majority of the information. I imagine over time companies will learn to take a forensic image of the drives when an employee hands back their computer (although in certain countries I don’t think they’re allowed to, due to the possibility of storing personal data). Either way, the cost of retaining a few hundred GB of forensic images for a defined period far outweighs not being able to conduct an examination to identify if company secrets have been stolen.
    HR! IT! Don’t Throw Away or Reuse that Ex-Employee’s Hard Disk – Computer Forensics

  • A couple of articles were posted on Forensic Focus this week
    • Yuri Gubanov and Oleg Afonin from Belkasoft have posted an article covering the “I’ve Been Hacked” defence, which arises more often than it probably needs to. The article suggests that examiners compile all available location data to identify the movements of the user, which may indicate where the user was at the time of the incident/offence. They then list a variety of Windows artefacts that can be used to show user activity (such as logon, file access, device connection, thumbnail generation), which are typical of a user interacting with a device rather than of malware. They also mention that certain activities, whilst not illegal, may look suspicious, such as executing a file cleaning program immediately after an alleged crime.
      The “I’ve Been Hacked” Defence
    • Alissa Torres has written an article covering the new normal in Windows 10 process execution. She also explains that Win10 expanded the use of memory compression, which may make examination more difficult and using a tool like Rekall will assist in identifying which version of Windows the memory acquisition was taken from.
      Malware Can Hide, But It Must Run

  • Hacker Hurricane have updated their Windows Logging, Windows File Auditing, and Registry Auditing cheat sheets to include Windows 10. “LOG-MD is currently being updated to incorporate the changes”.
    The Windows Logging, File and Registry Auditing Cheat Sheets updated for Windows 10 and some cleanup and additions

  • David Kovar shared a tool by Rowland Johnson called DatCon “for analyzing DJI Phantom 3 log files in Java”.
    DJI Phantom 3 Log Analysis Tool

  • Arsenal Consulting has updated their Odatv case study, adding information about the e-mail attacks.
    Odatv: A Case Study in Digital Forensics and Sophisticated Evidence Tampering

  • Jamie McQuaid at Magnet Forensics posted an article covering the variety of ways that examiners can search and filter using Magnet AXIOM.
    Improved Searching and Filtering in Magnet AXIOM

  • SANS posted Patrick Neise’s GIAC GCIA Gold Certification whitepaper on “Intrusion Detection Through Relationship Analysis”. The paper identifies “the tools and techniques necessary to extract relevant network information, create the data model within a graph database, and query the resulting data to identify potential malicious activity”.
    Intrusion Detection Through Relationship Analysis
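As an added illustration of the relationship-analysis idea (not code from Patrick Neise’s paper, and using plain Python dicts in place of a graph database), the block below builds a small bipartite graph of internal hosts and external destinations from constructed flow records, then runs the two queries a graph model makes cheap: which destinations are reached by only one internal host, and which host/destination edges carry connections at suspiciously regular intervals. The flow records, thresholds and TEST-NET addresses are all constructed for the example.

```python
"""Relationship analysis over flow records (added example, constructed data).

Nodes are internal hosts and external destinations; an edge (src, dst) carries
the sorted list of connection timestamps. Two queries are run over the graph:
rare destinations (in-degree <= 1) and beaconing edges (low interval jitter).
"""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp, src, dst, dport), TEST-NET addresses.
FLOWS = []
for i in range(6):                                  # regular 300 s beacon
    FLOWS.append((1000 + 300 * i, "10.0.0.5", "203.0.113.7", 443))
for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"):
    FLOWS.append((1200, host, "198.51.100.10", 443))  # popular shared service
for t in (0, 50, 400, 410, 900):                    # rare, but irregular
    FLOWS.append((t, "10.0.0.8", "192.0.2.20", 8080))


def build_graph(flows):
    """Return (edges, sources_of): edges maps (src, dst) -> sorted timestamps,
    sources_of maps dst -> set of internal hosts that contacted it."""
    edges = defaultdict(list)
    sources_of = defaultdict(set)
    for ts, src, dst, _port in flows:
        edges[(src, dst)].append(ts)
        sources_of[dst].add(src)
    for key in edges:
        edges[key].sort()
    return edges, sources_of


def rare_destinations(sources_of, max_sources=1):
    """Query 1: destinations with in-degree <= max_sources."""
    return {dst for dst, srcs in sources_of.items() if len(srcs) <= max_sources}


def beaconing_edges(edges, min_conns=4, max_jitter=0.1):
    """Query 2: edges whose inter-connection gaps vary by <= max_jitter
    (population stdev / mean). Returns (src, dst, mean_gap, jitter)."""
    flagged = []
    for (src, dst), times in edges.items():
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged.append((src, dst, mean, jitter))
    return flagged


def suspects(flows):
    """Combine both queries: beaconing edges to destinations nobody else uses."""
    edges, sources_of = build_graph(flows)
    rare = rare_destinations(sources_of)
    return [(s, d) for s, d, _m, _j in beaconing_edges(edges) if d in rare]


if __name__ == "__main__":
    for src, dst in suspects(FLOWS):
        print("possible beacon: %s -> %s" % (src, dst))
```

The point of combining the queries is that neither is convincing alone: a shared CDN is contacted regularly by many hosts, and a rare destination is often just a one-off download; an edge that is both rare and regular is worth an analyst’s time.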

  • Matt Bromiley has written a SANS Spotlight article that’s been posted to the InfoSec Reading Room. The article covers anomaly detection and provides a few different techniques that may be useful.
    Keys to Effective Anomaly Detection

  • Brett Shavers has updated his X-Ways online training (after trolling people with the post’s title). The course has been updated to cover up to X-Ways v19. If you register before November 8, 2017, you get 50% off tuition and a printed copy of the X-Ways Forensics Practitioner’s Guide
    X-Ways Forensics Sucks….

  • Michael Cohen has shared a whitepaper on the Rekall agent, “a new experimental IR/Forensic endpoint agent that appears in Rekall versions 1.6”, which is the next major release. Michael explains that the agent is a collection agent for endpoint memory acquisition, as most users will utilise external tools to perform their analysis. The whitepaper covers how the agent works, how to deploy it and how to use it. If this is something that you will utilise I’d recommend reading through the whole thing.
    The Rekall Agent Whitepaper

  • Yogesh Khatri has a post covering “the new compression scheme [in Windows 10] and how it affects forensic analysts”. The problem Yogesh raises is that, currently, no forensic tools recognise and decompress files compressed by Win10 (the “compression algorithms are XPRESS (4K, 8K, 16K) or LZX”). As a result, reading, keyword searching, and extracting these files doesn’t work. Yogesh tested the latest versions of SIFT, Autopsy, X-Ways, EnCase and FTK and found they weren’t able to cope with the compression; although if you use SIFT you can install a plugin for the ntfs-3g FUSE driver to get it to work. If you use Windows you can mount the file system on a Win10 machine to decompress the files. Interestingly, this mostly applies to system files; however, users can utilise Compact.exe to compress files manually.
    WofCompressed streams in Windows 10
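To make the on-disk layout concrete, here is an added example (not Yogesh’s code, and not a decompressor) that parses the two structures an examiner meets when a tool shows a file as a zero-byte reparse point with a WofCompressedData alternate data stream: the WOF reparse buffer, which names the algorithm and therefore the chunk size, and the chunk-offset table at the head of the stream, which locates each compressed chunk and reveals which chunks were stored raw. The layout follows my reading of the ntfs-3g system-compression plugin (reparse tag 0x80000017, provider 2, algorithm ids 0–3, (n_chunks − 1) end offsets that are 32-bit unless the file exceeds 4 GiB); treat those constants as assumptions to verify against your own samples. The reparse buffer and stream bytes are constructed.

```python
"""Parse Windows 10 WOF file-compression metadata (added example).

parse_wof_reparse(): REPARSE_DATA_BUFFER header + WOF_EXTERNAL_INFO
                     + FILE_PROVIDER_EXTERNAL_INFO_V1 -> (algorithm, chunk size)
wof_chunks():        chunk table of a WofCompressedData stream -> chunk list
Layout per the ntfs-3g system-compression plugin (assumed, verify on samples).
"""
import math
import struct

IO_REPARSE_TAG_WOF = 0x80000017
WOF_PROVIDER_FILE = 2
WOF_ALGORITHMS = {          # algorithm id -> (name, uncompressed chunk size)
    0: ("XPRESS4K", 4 * 1024),
    1: ("LZX", 32 * 1024),
    2: ("XPRESS8K", 8 * 1024),
    3: ("XPRESS16K", 16 * 1024),
}


def parse_wof_reparse(buf):
    """Return (algorithm_name, chunk_size) from a raw reparse point buffer."""
    if len(buf) < 24:
        raise ValueError("reparse buffer too short")
    tag, _data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_WOF:
        raise ValueError("not a WOF reparse point: tag 0x%08x" % tag)
    # WOF_EXTERNAL_INFO {Version, Provider} then
    # FILE_PROVIDER_EXTERNAL_INFO_V1 {Version, Algorithm}, all little-endian ULONGs
    wof_ver, provider, prov_ver, algorithm = struct.unpack_from("<IIII", buf, 8)
    if wof_ver != 1 or provider != WOF_PROVIDER_FILE or prov_ver != 1:
        raise ValueError("unexpected WOF/provider header versions")
    if algorithm not in WOF_ALGORITHMS:
        raise ValueError("unknown WOF algorithm id %d" % algorithm)
    return WOF_ALGORITHMS[algorithm]


def wof_chunks(stream, uncompressed_size, chunk_size):
    """Split a WofCompressedData stream into (stream_offset, length, is_raw).

    The stream starts with (n_chunks - 1) end offsets, each relative to the
    first byte after the table; entries are 64-bit only when the uncompressed
    file is larger than 4 GiB. A chunk stored at exactly its uncompressed
    length was left raw (the compressor gained nothing on it).
    """
    n_chunks = max(1, math.ceil(uncompressed_size / chunk_size))
    entry_fmt = "<Q" if uncompressed_size > 0xFFFFFFFF else "<I"
    entry_size = struct.calcsize(entry_fmt)
    table_size = (n_chunks - 1) * entry_size
    if len(stream) < table_size:
        raise ValueError("stream shorter than its chunk table")
    ends = [struct.unpack_from(entry_fmt, stream, i * entry_size)[0]
            for i in range(n_chunks - 1)]
    data_len = len(stream) - table_size
    ends.append(data_len)                      # last chunk runs to end of stream
    chunks, start = [], 0
    for i, end in enumerate(ends):
        if end < start or end > data_len:
            raise ValueError("chunk table entry %d out of range" % i)
        plain_len = min(chunk_size, uncompressed_size - i * chunk_size)
        length = end - start
        chunks.append((table_size + start, length, length == plain_len))
        start = end
    return chunks


# Constructed sample: XPRESS16K reparse point and a 40000-byte file stored as
# three chunks (100 bytes compressed, 16384 bytes raw, 50 bytes compressed).
SAMPLE_REPARSE = struct.pack("<IHH", IO_REPARSE_TAG_WOF, 16, 0) + \
    struct.pack("<IIII", 1, WOF_PROVIDER_FILE, 1, 3)
SAMPLE_SIZE = 40000
SAMPLE_STREAM = struct.pack("<II", 100, 100 + 16384) + \
    b"A" * 100 + b"B" * 16384 + b"C" * 50


def describe(reparse_buf, stream, uncompressed_size):
    """Tie the two parsers together for one file."""
    name, chunk_size = parse_wof_reparse(reparse_buf)
    return {"algorithm": name, "chunk_size": chunk_size,
            "chunks": wof_chunks(stream, uncompressed_size, chunk_size)}


if __name__ == "__main__":
    info = describe(SAMPLE_REPARSE, SAMPLE_STREAM, SAMPLE_SIZE)
    print(info["algorithm"], info["chunk_size"])
    for off, length, raw in info["chunks"]:
        print("chunk @%d len=%d %s" % (off, length, "raw" if raw else "compressed"))
```

The chunk list is what a keyword search actually needs: raw chunks can be searched in place, while compressed chunks have to be expanded (XPRESS Huffman or LZX) before any string inside them is visible, which is exactly why the unmodified tools Yogesh tested report nothing.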

  • The MDM team at Champlain College has a second post, this time covering Samsung Knox, but “were ultimately unable to demonstrate that this MDM would prove useful as a forensic tool”.
    Mobile Device Management – Samsung Knox

  • Kevin at TechAnarchy has posted his answers (and process) of the GrrCon 2016 DFIR Challenge.
    Solving GrrCon 2016 DFIR Challenge

  • We are 4n6 shared a PowerShell script called Get-Hashes that allows examiners to hash files recursively across remote machines.
    Get-Hashes – a script for remote hashes collection

  • We are 4n6 also shared an article by Dr Bernard Parsons on the five key steps for DFIR: gather human intelligence, plan your approach, obtain evidence, analyse the evidence, and report on your findings.
    Five Key Steps For Digital Forensics And Incident Response


  • The guys at VMRay continue their series on Sandbox Evasion Techniques, this time covering malware that exploits “weaknesses or gaps in sandbox technology or in the ecosystem”. They explain that the malware can either blind the monitor or the ecosystem and that a sandbox analysis environment shouldn’t rely on modifying the target environment, run ‘gold’ images as target environments, and “monitor all malware-related activity, regardless of application or format”.
    Sandbox Evasion Techniques – Part 3

  • Michael Gorelik at Morphisec has a post on the fileless Kovter trojan attacks. The trojan propagates via a malicious Word document sent via e-mail. The malware then utilises PowerShell, a LNK file and the registry to store and execute itself. Kovter was also documented by Microsoft back in July.
    New Wave of Fileless Kovter Backdoor Trojan Attacks Via “Targeted” Macro-Based Malspam Campaign

  • Xiaopeng Zhang at Fortinet breaks down a password-protected Word document detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. Interestingly, the downloaded malware (macro creates a VBS, which downloads and decrypts an EXE) only executes when there’s mouse movement (an anti-sandbox technique). The malware is then seen to steal email and contact information, as well as keylog. This data is zipped and stored in the %temp% folder. .bin appears to be a common file extension for keylogs in the %temp% folder.
    Information-stealing Malware Is Spread Via Word Document

  • There were a couple of posts on the Malwarebytes Labs blog this week
    • Hasherezade has posted a technical analysis of TrickBot. On execution, the malware copies itself into %appdata% and generates additional files and a folder. It maintains persistence using a Scheduled Task called “bot” (imaginative naming :)).  The post then continues with an in-depth breakdown of the internal layers of the malware
      Trick Bot – Dyreza’s successor
    • Pieter Arntz has a write up about a RAT with keylogger capabilities located on Pastebin. The dropper pretends to be VMWare but then calls itself WindowsInstaller, which then downloads and decodes the data from Pastebin.
      Get your RAT on Pastebin

  • Anthony Kasza and Esmid Idrizovic at Palo Alto Networks outline the technical details of a new version of Hworm (or Houdini) and document “an attack campaign making use of the backdoor”. The attack came in the form of SFX files, which when executed, “opens a decoy document, video, or URL, and eventually executes an Hworm payload in the background”.
    Houdini’s Magic Reappearance

  • There were a couple of posts on Kaspersky’s Securelist
    • GReAT has posted a write-up of a variant of the Xpan ransomware which is “protected by the popular .NET obfuscator SmartAssembly” and masks itself in an Alternate Data Stream. It also uses the “Windows application ‘migwiz.exe’ in order to bypass the UAC screen”.
      The “notification” ransomware lands in Brazil
    • Researchers Alexey Shulmin and Sergey Yunakovsky have discovered a Gootkit variant that checks an environment variable called ‘crackme’ “in the downloader’s body”. The malware, written in NodeJS, is designed to steal banking data and is downloaded from the C&C server at the end of a chain of downloaders. This variant also has sandbox detection. The malware then intercepts banking data via web injections into HTTPS traffic.
      Inside the Gootkit C&C server

  • Warren Mercer & Edmund Brumaghin on the Cisco Talos blog shared their recent experiences with the latest Locky malware campaign. The post highlights some of the distinct characteristics that were observed for three campaigns with the latest one having the word Pumpkin showing up a lot in the .HTA downloader.
    Pumpkin Spiced Locky

  • After a long time of malicious macros being a problem, a “new feature in Office 2016 allows an enterprise administrator to block users from running macros in Office documents”. They also included it in an update to Office 2013.
    Next, Microsoft can remove JS/WSF/VBS from natively running without a bit more user interaction by default (maybe they don’t run at all unless the functionality is turned on? And even then scripts have to be signed in some way?).
    Office 2013 can now block macros to help prevent infection

  • Tal Liberman at Breaking Malware introduces a new code injection technique for Windows called AtomBombing, “which exploits Windows atom tables and Async Procedure Calls (APC)”.
    AtomBombing: Brand New Code Injection for Windows

  • Dr. Johannes B. Ullrich posted on the SANS ISC Handler Diaries regarding the Windows “Atom Bombing” attack shared by Ensilo. He explains that “there is nothing you have to change in the way you are doing things due to this issue. Future versions of anti-malware may be able to intercept respective API calls to inspect any read/write access to these atom tables.”
    Windows “Atom Bombing” Attack

  • Casey at subTee shares a method for camouflaging command line execution using a Windows-native tool, ODBCCONF.EXE.
    Command Line Camouflage – ODBCCONF.EXE

  • Lesley Carhart has a short post explaining how to extract DLLs from memory using Volatility, put their hashes into a text file, submit it to Team Cymru’s Malware Hash Registry, and lastly filter out the noise to identify any malware.
    Using Team Cymru’s MHR with Volatility
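The Get-Hashes script above and Lesley’s Volatility-to-MHR workflow are two halves of the same loop: hash a tree of files, ask the Malware Hash Registry about them, keep only what it knows. The added example below (my code, not Lesley’s or We are 4n6’s) does that in Python against any directory, for instance a Volatility dlldump output folder. It assumes the MHR bulk interface as documented by Team Cymru: a TCP connection to hash.cymru.com port 43, a request of `begin`, one MD5 or SHA-1 per line, `end`, and reply lines of the form `<hash> <last_seen_epoch> <detection_pct>` or `<hash> NO_DATA`, with `#` comment lines. The network call is included but not exercised; the demo hashes constructed files in a temporary directory and parses a constructed reply.

```python
"""Recursive file hashing + Team Cymru MHR bulk lookup (added example).

Assumed protocol (per Team Cymru's MHR documentation): TCP 43 on
hash.cymru.com, request 'begin\n<hash>\n...\nend\n', replies
'<hash> <last_seen_epoch> <detection_pct>' or '<hash> NO_DATA'.
"""
import hashlib
import os
import socket
import tempfile

MHR_HOST = "hash.cymru.com"
MHR_PORT = 43


def hash_tree(root, algo="md5", block_size=1 << 20):
    """Return {path: hexdigest} for every regular file under root (no symlinks)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(block_size), b""):
                    h.update(block)
            digests[path] = h.hexdigest()
    return digests


def build_mhr_query(hashes):
    """Bulk request body: deduplicated, one hash per line between begin/end."""
    return "begin\n" + "\n".join(sorted(set(hashes))) + "\nend\n"


def parse_mhr_response(text):
    """Return {hash: (last_seen_epoch, detection_pct)} for hashes MHR knows;
    NO_DATA lines (unknown to MHR, i.e. the noise) and comments are dropped."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or "NO_DATA" in parts:
            continue
        known[parts[0].lower()] = (int(parts[1]), int(parts[2]))
    return known


def query_mhr(hashes, timeout=30):
    """Live lookup: send the bulk query and return the raw reply text."""
    with socket.create_connection((MHR_HOST, MHR_PORT), timeout=timeout) as s:
        s.sendall(build_mhr_query(hashes).encode("ascii"))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def triage(digests, response_text):
    """Join path->hash with MHR hits; highest detection percentage first."""
    known = parse_mhr_response(response_text)
    hits = [(path, h, known[h][0], known[h][1])
            for path, h in digests.items() if h in known]
    return sorted(hits, key=lambda t: (-t[3], t[0]))


def demo():
    """Constructed run: two files in a temp dir, one 'known' to a fake MHR."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "dlls"))
        with open(os.path.join(root, "dlls", "empty.dll"), "wb"):
            pass                                  # md5 d41d8cd9...
        with open(os.path.join(root, "dlls", "hello.dll"), "wb") as fh:
            fh.write(b"hello")
        digests = hash_tree(root)
        known = hashlib.md5(b"").hexdigest()
        other = hashlib.md5(b"hello").hexdigest()
        # constructed reply, shaped like MHR output
        reply = ("# Bulk mode; hash.cymru.com [constructed]\n"
                 "%s 1477000000 18\n%s NO_DATA\n" % (known, other))
        return triage(digests, reply)


if __name__ == "__main__":
    for path, h, seen, pct in demo():
        print("%3d%%  %s  %s" % (pct, h, path))
```

MD5 is used here only because it is what MHR is keyed on; it says nothing about integrity, so keep SHA-256 of the same files in your case notes. A NO_DATA answer means MHR has not seen the hash, not that the file is clean, which is why the filter step only removes noise rather than clearing anything.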


  • Michael Maurer provided a brief overview of his Efetch product (version 0.4); covering how to install it, the file systems/formats it supports, and how to create plugins.
    Efetch: File Explorer, Viewer, and Analyzer

  • Jasper at Packet-Foo shares his thoughts on the inaugural Wireshark developer and user conference in Europe.
    Sharkfest Europe 2016 Retrospective

  • Chris Sanders describes “three types of information that are useful in a SOC when displayed on a shared dashboard”. Using these group dashboards can “help analysts save time or be more efficient in their investigations”.
    Three Useful SOC Dashboards

  • Dr. Neal Krawetz at the Hacker Factor Blog has released a “search-by-image service that has indexed the collections at the Internet Archive”.
    Introducing RootAbout

  • William Tsing at Malwarebytes Labs describes what attribution is not, as a means of introducing his next post on what attribution is. William explains that Attribution isn’t a smoking gun, it’s not binary, or a state-sponsored thing. A single artefact shouldn’t be used to attribute an IOC, and anonymous isn’t a group.
    Attribution, and when you should care: Part 1

  • DFIR Guy at DFIR Training has written a post “about controlling training costs from vendors to get into the #DFIR field and creating your own system to continue training after you get into the field without flattening your bank account”. He also shares a spreadsheet that he uses to calculate the cost of training to determine its “value”.
    DFIR training is expensive (if you let it be expensive)

And that’s all for Week 43! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
