Week 44 – 2016


  • Philippe Lagadec has updated oletools to version 0.50 including updates to olevba, mraptor, mraptor_milter, rtfobj and setup, as well as Python 3 support.
    OLETools Readme

  • GetData’s Forensic Explorer was updated to version v3.9.4.5950 with some minor bug fixes, and minor GUI and translation improvements.
    Download Forensic Explorer

  • FireEye’s FLOSS has been updated to add shellcode support, now allowing users to “extract obfuscated strings from those exploit payloads”.
    Check out Williballenthin’s Tweet

  • Guidance Software’s Encase Basic (formerly Enterprise) was updated to version 7.14.01, however, I haven’t been able to find the release notes online.

  • A new version of MISP (2.4.54) was released including new features, bug and security fixes. The full changelog is available here.
    MISP 2.4.54 released

  • Berla released iVe 1.9.2 a couple of weeks ago adding “additional support for GM brands of vehicles”. The update also adds geographic search, which “allows users to choose a point on the map or enter in a location, and iVe will find any parsed data contents from the surrounding area”. Other improvements include the tracklog summary, a consolidated notification centre, preprocessing large files in the background, better error handling, and post-acquisition hashing and indexing.
    iVe v1.9 Released

  • Oxygen Forensics updated their Detective product to version 9.0.1 adding “functionality and interface improvements of Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and Export Engine”, as well as adding and improving support for various apps and devices.
    Oxygen Forensic® Detective adds support for new applications and devices!

  • Paul Sanderson updated Forensic Browser for SQLite to version 3.1.7, adding some enhancements and fixing a large number of bugs.
    New release 3.1.7

  • X-Ways Forensics 19.0 SR-2 and SR-3 were released with various minor improvements and bug fixes. Stefan also advised that “the anti-virus software Webroot SecureAnywhere causes random crashes”.
    X-Ways Forensics 19.0 SR-3

  • The X-Ways Viewer Component was updated to v8.5.3. The new version “includes the main DLLs of the Visual C++ 2013 Redistributable Package, so that even on live systems that lack that package you can use the latest version of the viewer component without installing any software”. This is still in testing.
    Viewer Component v8.5.3


  • Paraben Corporation has released Electronic Evidence Examiner (E3) Aurora Edition 1.0. This is a “comprehensive digital forensic analysis tool designed to handle more data, more efficiently while adhering to Paraben’s P2 Paradigm of specialized focus of the entire forensic exam process”. The release notes can be found here.
    E3 Aurora Edition Released!

  • The Foundstone IR Group has released a new tool called Volatize which is an “automation tool for the Volatility Memory Forensics Framework”. “The usage of Volatize is intended to fix this by digitizing your visios, processes, or notes into a digital playbook for memory forensics”.

  • ADF Solutions have released Digital Evidence Investigator, “an end-to-end solution designed to streamline digital investigations”. “DEI is a fully automated and highly configurable artifact and file collection tool”, that can also deal with various web-based and Internet artefacts.
    All-new, End-to-end Forensic Tool Now Available: Digital Evidence Investigator™


  • Justin Seitz will be presenting a 30-minute webinar next week on Thursday 10th November at 7:00 pm (UTC). The presentation will cover memory and malware forensics using the SNOW platform. Thanks to We Are 4n6 for the heads up.
    Live Remote Memory Forensics with SNOW

  • Joshua James at Cybercrime Technologies shared a video showing how to acquire a forensic image of a device using Guymager on Linux.
    [How To] Forensic Acquisition in Linux – Guymager

  • This week’s episode of the Digital Forensics Survival podcast covers Michael’s system for storing and organising his DFIR knowledge. The aim of the DFIRONOMICON is to store what you’ve learnt in an easily searchable form, so that what you learn can be integrated into your future workflow. The main benefit of documenting what you’ve done is avoiding re-doing it in the future. It also allows you to share that work with others. Bonus points if you can automate it! Michael suggests using iBook Author on OSX; on the Windows side there are tools like OneNote/Evernote and Scrivener, the latter being primarily used by authors.
    Michael also did some testing using RegRipper and Mandiant’s ShimCacheParser.py on the Windows 10 shimcache. There are a couple of minor points that are probably worth mentioning. The GUI that Michael refers to is rr.exe and runs the Profiles (collections of plugins) found in the RegRipper plugin directory. I’ve found it’s usually easier to run the plugins directly (using rip.pl/exe), and modify them if the output needs a bit of massaging to look the way I want. As a side note, I have actually been working on a GUI that runs the plugins directly, but it’s not quite ready for prime-time. I also really like Corey Harrell’s autorip, as this processes the plugins and puts the output into relevant categories.
    The other point is Michael’s mention that ShimCacheParser.py is a Linux tool: it’s true it probably runs on SIFT right out of the box, but it also runs fairly easily on Windows once you’ve got Willi Ballenthin’s python-registry module installed (note: the program will run without the module, it just won’t do anything).

  • This week’s Forensic Lunch covered Log-MD by Michael Gough. The idea behind Log-MD is to assist examiners in detecting compromises quickly and easily. Michael then provides a walkthrough of Log-MD-Pro (there is a free version as well) and the various csv/txt files that it produces. They ended with a quick sneak peek of some SRUM analysis, an artefact found on Win8.1+, which will be covered on the next lunch (last week of November).
    Forensic Lunch 11/4/16


  • Sturzi at ‘Yet Another Cyber Forensics Blog’ shared links to Brent Muir’s presentation and a PDF published by Champlain College/LCDI on Windows 10 Forensics artefacts.
    Windows 10 Forensics: OS Artifacts

  • Paul Ewing at Endgame explains two different masquerading techniques; Filename masquerading and Filename mismatching. Filename masquerading is where a legitimate filename is used in an illegitimate location. Filename mismatching is where a filename has been changed to appear to be legitimate, but on further inspection is found not to be so. For filename masquerading, Paul recommends building a “list of files which have masquerade potential”, called an Anchor list. He also recommends examining the resource section of binaries to detect filename mismatching.
    How To Hunt: The Masquerade Ball
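To make the two hunts concrete, here is an added example (not code from the Endgame post) that runs both checks over constructed process-start records: an anchor list of well-known binaries and the directories they legitimately run from catches filename masquerading, and comparing the on-disk name with the OriginalFilename a PE parser would read from the version resource catches filename mismatching. The anchor list, the record layout and the OriginalFilename values are all assumptions made for the example.

```python
"""Hunting filename masquerading and filename mismatching in process records.

Added example, not code from the Endgame post. The anchor list and the process
records below are constructed for illustration; a production anchor list is
built from a known-good baseline of the environment.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Anchor list: binaries worth masquerading as, mapped to the directories they
# legitimately execute from. Constructed subset for this example.
ANCHOR_LIST = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def is_filename_masquerade(image_path: str) -> bool:
    """Legitimate filename running from a directory that is not on the anchor list."""
    path = PureWindowsPath(image_path)
    expected_dirs = ANCHOR_LIST.get(path.name.lower())
    if expected_dirs is None:
        return False  # not an anchored name, nothing to compare against
    return str(path.parent).lower() not in expected_dirs


def is_filename_mismatch(image_path: str, original_filename: Optional[str]) -> bool:
    """On-disk name differs from OriginalFilename in the binary's version resource.

    original_filename is what a PE parser would read from VS_VERSIONINFO; when the
    binary has no version resource we cannot decide and report nothing.
    """
    if not original_filename:
        return False
    return PureWindowsPath(image_path).name.lower() != original_filename.lower()


def triage(records):
    """Return (pid, finding, image) tuples for every record that trips either check."""
    findings = []
    for rec in records:
        if is_filename_masquerade(rec["image"]):
            findings.append((rec["pid"], "filename masquerading", rec["image"]))
        if is_filename_mismatch(rec["image"], rec.get("original_filename")):
            findings.append((rec["pid"], "filename mismatch", rec["image"]))
    return findings


# Constructed process-start records in the shape a parsed Sysmon event 1 or EDR
# export might have; the paths and OriginalFilename values are made up.
SAMPLE_RECORDS = [
    {"pid": 612, "image": r"C:\Windows\System32\svchost.exe", "original_filename": "svchost.exe"},
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "original_filename": "svchost.exe"},
    {"pid": 4388, "image": r"C:\Users\alice\Downloads\invoice.exe", "original_filename": "calc.exe"},
    {"pid": 1804, "image": r"C:\Windows\explorer.exe", "original_filename": None},
]

if __name__ == "__main__":
    for pid, finding, image in triage(SAMPLE_RECORDS):
        print(f"PID {pid}: {finding} -> {image}")
```

Both checks produce leads rather than verdicts: some legitimate software ships with an OriginalFilename that differs from the installed name, and a record with no version resource is reported as undecided rather than clean, so in practice the mismatch hunt is paired with an allowlist of known-good renames.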

  • SANS Reading Room posted Fred Speece’s GIAC (GCIA) Gold Certification white paper regarding “Detecting Penetration Testers on a Windows Network with Splunk”. The paper “discusses the configuration and setup of those alerts and the logging behind them. It also covers the thought process behind the alert and attack(s) it is trying to defend against”. “This paper is targeted for a Windows majority network with Active Directory in an organization with an immature security posture, using Splunk as their SIEM”.
    Detecting Penetration Testers on a Windows Network with Splunk

  • Mark at Sneakymonkey has a couple of posts this week
    • The first post is a walkthrough of the first four questions of level 1 of the GrrCon 2016 CTF.
      GrrCon 2016 DFIR Write up – Part 1
    • The second is instructions on how to build “a RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack”.
      RaspberryPi NSM

  • Russ McRee at Holistic InfoSec explains a PowerShell script called snapshot.ps1, which is part of the download package for SEC505: Securing Windows and PowerShell Automation and was written by Jason Fossen, the course’s author. The script “dumps a vast amount of configuration data for the sake of auditing and forensics analysis” and allows you to “compare snapshot files created at different times to extract differences.”
    Toolsmith – GSE Edition: snapshot.ps1

  • The Bluetooth team at Champlain College’s LCDI have begun their “analysis of current Bluetooth vulnerabilities and how hard it actually is to exploit them”. They were able to unlock a Schlage Sense Smart Deadbolt remotely using Econocom Digital Security’s Btlejuice. “The BlueHydra Team is currently in the process of configuring an Ubertooth One Dongle (an opensource Bluetooth monitoring tool) for better use with the BlueHydra program”.
    Bluetooth Vulnerability Assessment 2.0

  • We are 4n6 shared a variety of articles this week
    • They shared an article by David Both containing a high-level overview of Linux file system concepts.
      An Introduction To Linux Filesystems
    • They shared a tool called SysScout which “is a fully encapsulated script by Josh Brunty that quickly and easily pulls local machine information from Linux-Based systems”.
      Collect info from Linux-Based systems with SysScout
    • They shared a free course on Cybrary by Max Alexander on Incident Response handling.
      Free Course: Incident Response And Advanced Forensics
    • Lastly, Serge Petrov wrote an article about clone detection in pictures. Users can utilise various utilities such as “Amped Authenticate, or MATLAB Code written in Image and Communication Lab and available publicly” to detect cloning. Serge advises that “to find all problem parts clone detection algorithms must count scaling, rotation, flipping and changing of colour and brightness”, which will use a lot of computing power.
      Attack Of The Clones

  • Paul Sanderson has posted a detailed article explaining “how you can use the database schema and in particular foreign key constraints and triggers to understand why deleting one item [in an SQLite database] can have a knock-on effect and how the schema can be used to explain why these records are no longer available”.
    Why can’t I see who sent that deleted iOS SMS message

  • Blackbag Tech has posted a quick recap of Bruce Hunter’s webinar on iOS 10. The TLDR version is that iOS 10 is very widely adopted (75% of all devices) and requires iTunes 12.5.1 in order to perform an extraction. The lockdown file is protected, which may cause issues when trying to use it to obtain an extraction from a locked device. iOS 10 has shut off file acquisition via Apple File Conduit (AFC). Backups are now encrypted, but encrypted backups may result in more data being extracted (if the password is known). There were also improvements to Apple’s Mobile Device Management.
    Implications Of iOS 10 On Mobile Forensics

  • Jasper at Packet-Foo has a post about speed, duplex and drops with regards to network captures.
    The Network Capture Playbook Part 2 – Speed, Duplex and Drops

  • On the topic of packet captures, Xavier Mertens has posted on the SANS ISC Handler Diaries sharing his thoughts on an alternative to full packet capture. “Instead of deploying a full packet capture solution for the entire network, you can focus on more sensitive assets and collect locally”. Xavier creates Docker containers and places them on the critical servers, and then uses tcpdump to capture a “sliding window of 10 x 1GB” of traffic.
     Full Packet Capture for Dummies

  • Stuart Clarke at Nuix has a post describing POLE: a timelining technique that utilises people, objects, locations and events to ascertain what is happening in a specific situation. He then explains how Nuix Insight Analytics & Intelligence can be used to graphically identify the relationships between POLE entities.
    Drawing a Line in the Sand with POLE

  • There’s a post on the Sqrrl Blog beginning a series on “practical tips and techniques for threat hunting”. The first part is the “Threat Hunting Loop, which outlines a process for threat hunting”. It then continues onto internal reconnaissance, which typically takes place in the final stage of the cyber kill chain (Actions on objectives).
    The Hunter’s Den: Internal Reconnaissance (Part 1)

  • Andrew Swartwood has posted a CTF with 17 questions for interested parties to work through.
    Forensic CTF: Baud.. James Baud..


  • There were a few articles on Fortinet’s blog this week
    • Kai Lu dissects an Android banking trojan that masquerades as Flash Player.
      Android banking malware masquerades as Flash Player, targeting large banks and popular social media apps
    • Sarah (Qi) Wu and Jacob (Kuan Long) Leong document the release of Cerber 4.10, which can be identified by a four-character file extension that is set to the “fourth segment of the MachineGuid value of the HKLM\Software\Microsoft\Cryptography registry key”. Cerber has been updated quite regularly and quickly, with version 3 only being released a month before version 4.
      The First Major Update of Cerber 4 Ransomware Has Surfaced
    • Joie Salvio and Rommel Joven review a new spam campaign of Hancitor, that mentions Fortinet in the source. The strings and codes are hidden inside form controls, which is a technique used to circumvent AV detection. The authors then review the form to locate the encrypted shellcode. They also found that there’s a bug in Visual Basic being exploited where text fields in the Properties section will allow text of any length to be stored, however, will only display said text if it’s less than 1248 characters. If 1248 or above the box will appear blank.
      The Angry Spam and The Tricky Macro Delivers Updated Hancitor

  • Marius at JOE Security has written a post announcing “Joe Sandbox I – the first automated malware analysis system for iOS that combines dynamic and static analysis for deep malware forensics”.
    Introducing Joe Sandbox I – Deep iOS Malware Analysis

  • Jérôme Segura at Malwarebytes Labs explains the HookAds campaign “which leverages decoy adult portals to spread malware”. Targets are then hit with the RIG-v exploit kit.
    The HookAds malvertising campaign

  • There were a couple of posts on Cisco’s Talos blog regarding Exploit Kits
    • Nick Biasini provided some information about the Sundown Exploit Kit, which operates on “a relatively small infrastructure footprint, but had what appeared to be one of the largest domain shadowing implementations” they had seen. Nick explains that this means the EK will “largely evade traditional blacklisting solutions”. The author then goes on to describe how the EK is used against its victims and gives some analysis of the domains/subdomains used.
      Sundown EK: You Better Take Care
    • Holger Unterbrink provides a high-level overview of the RIG EK’s infection process, and then goes into the technical details, including decoding the various VBS and JS files used to download the payload. The interesting thing is that the scripts all do the same thing (download the malware), but attempt to exploit the machine in different ways in the hopes of one getting through.
      Take the RIG Pill: Down the Rabbit Hole

  • Brooks Li and Joseph C. Chen at the TrendLabs Security Intelligence Blog have a post about a variant of Sundown EK called Bizarro Sundown, which was identified in October and primarily affected users in Taiwan and Korea. “Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features”.
    New Bizarro Sundown Exploit Kit Spreads Locky

  • Didier Stevens has posted his analysis of a new Hancitor maldoc sample. “This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it”. Using a combination of his tools, Didier is able to extract the payload, which he dutifully submitted to VirusTotal.
    Maldoc With Process Hollowing Shellcode

  • The author of the Deriving Cyber Threat Intelligence blog has posted their analysis of a weaponised Word document containing a password protected malicious VBA macro. The author found a novel (for me anyways) way of gaining access to the password protected VBA; by replacing certain sections of the code they were able to force it to break in a debugger, revealing the code. Interestingly they also found that code was being stored in the “ControlTipText” property of the frame object within the form, as the Fortinet guys did above (although it wasn’t hidden). The author then continues the post describing what the malware does (including helpful screenshots).
    Multistage Attack using protected code and Unusual CallBacks

  • Marco Cova at Lastline Labs examines the use of evasion in JScript scripts. The techniques covered include stalling code, COM Object emulation detection, timebombs, and environment detection. These are techniques that “a JScript program running in the WSH can use to distinguish analysis systems from a real user’s environment, and, in turn, to avoid triggering a detection”.
    Evasive JScript

  • Adam at Hexacorn has a couple of posts this week
    • This post talks about Office Macros and the misconceptions about how they are stored. Adam explains that macros aren’t only in files with macro-indicating file extensions (i.e. .docm), and there are a large number of file extensions that are associated with Office programs. Office also attempts to determine the file type by its content rather than just its extension. Adam also explains that whilst blocking macro execution works in theory, in practice it is significantly harder to implement.
      Office Macros – file extensions, file format (content), and a few handling stereotypes…
    • The next post shows a piece of old malware that uses the desktop.ini / folder.htt combo to increase its chance of survival.
      Beyond good ol’ Run key, Part 49

  • Darryl at Kahu Security posted a wild-west-esque Wanted poster containing the most recently utilised exploit kits, the ones that may be on the way out, and those that aren’t in active use.
    Wild Wild West – 11/2016

  • Karsten Hahn and Tilman Frosch at the G Data Security Blog categorise the four flavours of open source ransomware that various researchers have shared. These are: Ransomware Simulators, Partially Functional Open Source Ransomware, Fully Functional Open Source Ransomware, and Closed Source Proof-of-Concept Binaries. They explain that the developers of the code really have to “weigh up the pros and cons carefully before they publish ransomware for educational purposes”, as ransomware can very easily be misappropriated and cause a lot of harm.
    It’s Educational – On the No 1 Argument for Open Source Ransomware

  • The author of Ropgadget provides a walkthrough for identifying “the address of the LoadLibraryA function inside of kernel32.dll”. This mostly went over my head, but if you need to find a function address in a PE file I’m sure it’ll be helpful.
    02NOV2016 – A walk along the PEB: Stepping through PE structures to find function addresses

  • Dr. Johannes B. Ullrich has posted on the SANS ISC Handler Diaries about how he is able to extract malware that infects his honeypot DVR. He has set up a system that, upon compromise, will alert him and record all packets to and from the honeypot. He then uses a small Perl script to extract the malware. After infection, he uses a remotely controlled power supply to restart the DVR so it can get infected again!
    Extracting Malware Transmitted Via Telnet


  • Samuel Alonso at Cyber IR has written a sequel to his post regarding Threat Infrastructure from July this year, this time focusing on the technology available, and also mentioning what Samuel believes to be “one of the most innovative solutions available today in the market to disrupt and research threat infrastructure”.
    Hunting down Threat Infrastructure (2, with PassiveTotal)

  • There were two posts on the 4n6ir blog this week
    • John Lukach provides a tutorial on building the hashdb package on Ubuntu
      Building Ubuntu Packages
    • James Habben posted his experience of BSides Los Angeles, as well as his slides for his presentation titled “USB Device Analysis”. The presentation explains the dangers of USB Devices as an attack vector, and provides the steps for analysis and tools that can be used to examine various malicious documents as well as USB device firmware. Lastly, James provides a few devices that can be utilised in an attack.
      BSides Los Angeles – Experience and Slides

  • Michael Evans at ThreatGeek has a post listing items six to ten of the things that you can do by examining metadata.
    Ten Impossible Things You Can Do with Metadata, Part 2

  • Dr. Paulo Henrique’s course on “Live Analysis with Rekall (W25)” launched last week. The course costs $219.00 and is self-paced. The course covers memory acquisition and analysis using Rekall.
    Check Out eForensics_Mag’s Tweet

  • Jeremy Kirby has posted a short article on Forensic Focus announcing a new service available for law enforcement agencies allowing the unlocking of locked devices for a fee. I’m assuming they will primarily be using a combination of their SV Strike, and new Burner Breaker tool.
    Susteen’s New Service To Break Pincodes / Passcodes On Thousands Of Cell Phones

  • John Patzakis, Esq. at the X1 Discovery blog comments on the recently published “Best Practices for Authenticating Digital Evidence”, specifically regarding the preservation of Internet website and social media evidentiary authentication. “The guide provides many examples of circumstantial evidence that can be used to authenticate social media evidence”
    Federal Rules Advisory Committee Provides Key Guidance on Authenticating Social Media Evidence

  • Daniel Miessler posted some analysis of the IoT Botnet Traffic.
  • There were a couple of posts on Crowdstrike’s blog this week
    • Eben Kaplan explains Presidential Policy Directive 41 (PPD 41), which “establishes principles for how the U.S. government will respond to cyber incidents — including incidents on private sector networks”. Eben explains that the directive defines “swim lanes” for various agencies “to focus on threat response and investigation, asset protection and recovery, and intelligence support” and “a federal entity for coordinating the response whenever two or more federal agencies are involved”. He also shares his thoughts on incident response plans in general and how PPD 41 may affect those with and without them.
      Uncle Sam Gets an Incident Response Plan
    • This post provides an excerpt from the CrowdStrike white paper, “The Role of Proactive Hunting in Stopping the ‘Mega Breach’”. The post lists the three “investigation initiator categories” according to the research firm Gartner, and provides a brief overview of the process that follows: trigger, investigation, resolution.
      The Three Steps of Proactive Threat Hunting

  • Brett Shavers has a few posts this week
    • The WinFE training course, tentatively titled “Bootable Forensic Operating Systems” is in the process of being updated. The update will improve on the existing course material regarding WinFE, as well as add Linux distros.
      Ye ol’ Windows FE
    • Brett is also going to be re-posting Jimmy Weg’s articles from justaskweg.com as Jimmy is retiring the domain. For those that haven’t read through Jimmy’s work, it’s a fantastic resource (especially surrounding booting VMs), so thanks, Brett, for keeping it alive (and thanks to Jimmy again for writing it!).
      Jimmy Weg’s blog archive
    • Lastly, he shares his experiences as a teacher at the University of Washington and expounds the benefits of conversing with your peers in the classroom. By communicating you’re able to get a different perspective and learn from their experiences. Brett also suggests that people consider tertiary education from a university rather than exclusively relying on tech/DFIR certs.
      Learn by drawing out the experiences of others

  • Nick Harbour at FireEye has posted the solutions to the 2016 Flare-on challenge. There were 124 people across 38 countries that solved the entire challenge.
    2016 Flare-on Challenge Solutions

  • The Call for Papers for the Techno Security & Digital Forensics Conference in Myrtle Beach, SC, USA is now open and closes December 16th.
    Call For Papers 2017

  • Diablo Horn has documented the correct combination of options to run Windows 10 Pro x64 with Secure Boot enabled within VMware Fusion.
    Win10 secure boot inside vmware fusion

  • Jerry Gamblin shared two posts this week
    • The first explains how to set up scheduled nmap scans for continuous monitoring of a network using “a small shell script, a $5 a month Digital Ocean Droplet and a free Sendgrid account”. This ultimately saved the company he was working with $40k.
      Continuous Network Monitoring
    • He then continues by posting about slackmap, which can be used to “continually nmap a network and post the differences to slack”.
      Continuous Network Monitoring With Slack Alerting
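The core of both posts is the same step: run a scheduled scan, compare it with the previous one, and report only the differences. As an added example (not Jerry Gamblin’s script, which is a shell script wrapping nmap), the Python below parses two nmap greppable (`-oG`) outputs and reports hosts that appeared or vanished and ports that opened or closed. The two scan outputs are constructed for the example and use documentation addresses; in use they would be the files written by consecutive scheduled scans.

```python
"""Diff two nmap greppable (-oG) outputs to report what changed on the network.

Added example for the continuous-monitoring posts above; not Jerry Gamblin's
code. The scan outputs are constructed samples in nmap's -oG line format; in
practice they come from scheduled runs of `nmap -oG <file> ...`.
"""
from typing import Dict, Set, Tuple

HostPorts = Dict[str, Set[Tuple[int, str]]]  # ip -> {(port, protocol), ...}


def parse_gnmap(text: str) -> HostPorts:
    """Map each host to its set of (port, protocol) pairs reported as open."""
    hosts: HostPorts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 192.0.2.10 ()" -> "192.0.2.10"
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    hosts[ip].add((int(parts[0]), parts[2]))
    return hosts


def diff_scans(previous: HostPorts, current: HostPorts) -> dict:
    """Hosts that appeared/disappeared, and ports that opened/closed on common hosts."""
    prev_hosts, cur_hosts = set(previous), set(current)
    opened: Set[Tuple[str, int, str]] = set()
    closed: Set[Tuple[str, int, str]] = set()
    for ip in prev_hosts & cur_hosts:
        for port, proto in current[ip] - previous[ip]:
            opened.add((ip, port, proto))
        for port, proto in previous[ip] - current[ip]:
            closed.add((ip, port, proto))
    return {
        "new_hosts": cur_hosts - prev_hosts,
        "gone_hosts": prev_hosts - cur_hosts,
        "opened": opened,
        "closed": closed,
    }


def format_report(delta: dict) -> str:
    """Plain-text summary suitable for an e-mail or chat alert; empty when nothing changed."""
    lines = []
    for ip in sorted(delta["new_hosts"]):
        lines.append(f"NEW HOST   {ip}")
    for ip in sorted(delta["gone_hosts"]):
        lines.append(f"GONE HOST  {ip}")
    for ip, port, proto in sorted(delta["opened"]):
        lines.append(f"OPENED     {ip} {port}/{proto}")
    for ip, port, proto in sorted(delta["closed"]):
        lines.append(f"CLOSED     {ip} {port}/{proto}")
    return "\n".join(lines)


# Constructed sample scans (not real nmap runs): host .11 disappears, .12 appears,
# and .10 gains an open RDP port between the two runs.
PREVIOUS_SCAN = """# Nmap 7.40 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

CURRENT_SCAN = """# Nmap 7.40 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    report = format_report(diff_scans(parse_gnmap(PREVIOUS_SCAN), parse_gnmap(CURRENT_SCAN)))
    print(report or "no change")
```

Only open ports are compared, so the filtered FTP port on the new host does not generate noise, and an empty report means nothing needs sending. nmap also ships its own `ndiff` utility for comparing XML scan outputs; the value of a small script like this is controlling exactly which changes wake someone up.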

  • An interesting article was posted on the BBC regarding the number of mobile devices that are being seized by UK law enforcement only to get examined after a significant delay. It is interesting that the review highlighted the need for training/resources with regards to digital crime, especially surrounding the more basic tasks – the phones and CCTVs that aren’t broken, locked or otherwise just being difficult. It’s something that makes sense but may be difficult to implement due to the cost. Digital evidence, primarily stored on mobile devices, isn’t going away, and LE has to make sure that they’re able to deal with the data.
    Police forces ‘overwhelmed’ by digital evidence, watchdog finds

  • Dr. Kathryn Seigfried-Spellar has posted the second draft of a Professional Code of Ethics in DF. The draft will be available for 15 days (at the time of this post probably 11-12 days).
    Professional Code of Ethics – Second Draft

  • I wasn’t able to read through it, however, a draft International Convention on Electronic Evidence has been published. The convention is a supplement to Volume 13 of the 2016 Digital Evidence and Electronic Signature Law Review.
    Draft Convention on Electronic Evidence

And that’s all for Week 44! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
