Week 45 – 2016


  • ExifTool was updated to 10.33 (developmental release), adding support for new tags and fixing minor bugs.
    ExifTool 10.33

  • Paul Sanderson released version 3.1.7b of Forensic Browser for SQLite to fix a couple of bugs.

  • Mark Woan updated lookuper to version 0.0.7, adding support for https://haveibeenpwned.com/ data.
    Check Out Woanware’s Tweet

  • AccessData updated a raft of programs during the week.
    • Forensic Toolkit (FTK) International version 6.1 was released, although this appears to have the same release notes as FTK 6.1, which was released a couple of weeks ago. The release notes don’t indicate any speed improvements; however, the PR release says indexing speeds improved by roughly 68%. The release notes can be found here.
    • Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) version 8.0.0 were released, adding VeraCrypt support, removing the 32-bit version and fixing a variety of issues. The release notes can be found here.
    • FTK Imager was updated to version 3.4.3, fixing a vulnerability in loading DLLs. The release notes can be found here.
    • AccessData also updated their AD1 image format to version 4, which can only be read by Imager 3.4.1+, FTK 6.0+, Summation 6.0+ and eDiscovery 6.0+.
      AccessData Releases New Versions of AD eDiscovery®, FTK® and AD Lab, with 68 Percent Average Increase in Indexing Speed Across Portfolio

  • Oxygen Forensics has released an update for their Detective product to version 9.0.1, offering “functionality and interface improvements of Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and Export Engine”. The release also included updates to a number of different apps, and additional Android devices.
    Oxygen Forensic® Detective adds support for new applications and devices!

  • Passmark have released version 4.0.1 of their OSForensics product. There were a number of new features and the full release notes can be found below.

  • GetData’s Forensic Explorer was updated to version 3.8.8.5968, updating language translations, improving the registry filter and restricting “unauthorized filename characters when renaming evidence”.
    8 Nov 2016 – v3.8.8.5968

  • X-Ways Forensics 19.0 SR-4 was released with minor bug fixes.
    X-Ways Forensics 19.0 SR-4

  • X-Ways Forensics 19.1 Preview 1 is available, with various new features including Google Chrome Internet history parsing, improvements to the relevance score and revised TAR archive support.
    X-Ways Forensics 19.1 Preview 1


  • ADF Solutions have released Triage-Investigator, which is the latest evolution of their previous triage product.
    New Release Of Industry-leading Forensic Triage Software Now Available: Triage-investigator®

  • Thomas Franco, Saâd Kadhi, and Jérôme Leonard have released a tool called TheHive, which is “a scalable, open source incident response platform designed for SOCs & CERTs to collaborate, elaborate, analyze and get their job done”. “TheHive is an open source and free software released under the AGPL (Affero General Public License)”.
    Introducing TheHive


  • This week on Brakeing Down Security, Bryan and Brian discussed chain of custody of digital evidence. Chain of custody means documenting the movements of a piece of evidence from its collection (including the actions taken to obtain the evidence and ensure its integrity) to its presentation in court. They suggested that you may be able to contact local law enforcement for assistance or referrals to people that may be able to help. I think any large organisation should probably train their low-level support staff in forensic evidence collection because it’s fairly easy to do, and also an easy point that lawyers can latch onto.
    The only correction I could make was the discussion of the (exorbitant) cost of EnCase, which is roughly $4000 for a dongle-based license (although there is network licensing).
    2016-044: Chain of Custody, data and evidence integrity

  • This week’s episode of the Digital Forensics Survival podcast covers an examination of the plist associated with the OS X Finder Sidebar (com.apple.sidebarlists.plist). The plist can provide examiners with information regarding file use and knowledge, primarily surrounding mounted devices and favourite folders. The tags may also be useful, except I don’t think I’ve ever seen them used. Michael explains that the devices are added into the plist in sequential order and include the name of the volume (which unfortunately may not provide much value if it’s UNTITLED or the default for an external drive). There is also a Bookmark record per device, but I can’t remember off the top of my head what data it stores.
    DFSP # 038 – Finder Sidebar Forensics

  • Martin Schmiedecker shared the presentation that he gave at IT-Secx16 on using open-source solutions (like osquery and GRR) to examine a large number of IoT devices. The other talks from this conference can be found here.
    Towards IoT Forensics: Headless and Remote

  • A number of presentations from DEFCON 24 have been uploaded to YouTube and can be found here.

  • Three new videos were uploaded to the SANS DFIR YouTube Channel.
    • Phil Hagen provides an overview of the latest update to FOR572 Advanced Network Forensics and Analysis, which goes into production in December.
      FOR572 Course Update from the Future: Where We’re Going, We Don’t Need Roads
    • Eric Zimmerman’s talk on AmCache has been uploaded. The talk explains “how data is structured and [how it’s] interrelated in the different parts of an Amcache hive” and provides “free, open source tools that can process these hives quickly and efficiently”.
      (Am)Cache rules everything around me
    • Heather Mahalik discusses the trust relationship between you and your tools with regards to mobile forensics. “In this webcast, we will take a look at the strengths and the pitfalls of mobile forensics tools, we will show you when to trust or not trust their results but most importantly, how to rely on your own skills to conduct successful mobile device investigations.”
      To trust or not to trust: The relationship between you your mobile forensics tools


  • Michael Maurer has identified some inconsistent results in Plaso 1.5.1. Apparently, the “issue is with how Plaso handles multi-threading”. It’s been reported to the developers and will hopefully have a fix soon.
    Plaso 1.5.1 Inconsistent Results

  • Mark at Sneaky Monkey has released the second part of his writeup of the GrrCon 2016 DFIR challenge. This covers level 2, which is questions 5 to 15.
    GrrCon 2016 DFIR Write up – Part 2

  • The Extreme Coding blog has two challenge writeups, the first being the 2016 FLARE-On Challenge, and the second being the APTeaser component of the Hack the Vote 2016 CTF.
    FLARE-On Challenge 2016 Write-up
    Hack the Vote 2016 CTF – APTeaser writeup

  • Blaine Stancill and Joshua Wang at Endgame also worked through the FLARE-On Challenge, sharing some of the lessons that they learnt. The lessons include performing your analysis in a VM and breaking down the assembly into pseudocode, and they recommend a variety of debugging and disassembly tools.
    0 to 31337 Real Quick: Lessons Learned By Reversing The Flare-On Challenge

  • Jim Hoerricks at the Forensic Multimedia Analysis blog explains how Amped Software products meet both the Daubert and Frye legal standards. He explains that the algorithms used all come from peer-reviewed and publicly available sources. The reports produced by the tools also give “the user the plain English explanation, the more detailed scientific/academic explanation, as well as the filter settings, and the reference source for each filter that is applied within the workflow”.
    Is Photoshop a verb?

  • SANS have published two whitepapers this week on the InfoSec Reading Room.
    • The first, by Matt Koch, is on implementing full network packet capture.
      Implementing Full Packet Capture
    • The second, by Wes Whitteker, “investigates the growth of encrypted Internet traffic (i.e. HTTPS) and its impact on Cybersecurity. This paper also proposes an open source solution for decrypting and inspecting Internet traffic accommodating IPv4 and v6 for both home and small-to-medium sized business (SMB) use.”
      The Age of Encryption

  • Josh Liburdi and George Aquila at Sqrrl have continued the Hunter’s Den series, taking a look at “the types of data and the various hunting techniques that you can use to hunt for the various kinds of internal reconnaissance”. The two types of data covered are process execution and network connection metadata, and the authors note that “in general, process execution metadata is preferred over network connection metadata because it provides coverage for many internal reconnaissance hypotheses”. The techniques covered include searching, grouping and visualisation. They finish the post with an example hunt, using the hypotheses laid out in part 1.
    The Hunter’s Den: Internal Reconnaissance (Part 2)
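A small worked hunt over process execution metadata, applying the searching and grouping techniques mentioned above. This is an added example, not code from the Sqrrl post; the event tuple layout, the sample events and the reconnaissance watch list are all assumptions.

```python
"""Hunt for internal reconnaissance in process execution metadata.
Added example (not from the Sqrrl post); event format and watch list are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list of images commonly run during internal reconnaissance.
# Admins run these too, so the hunt keys on bursts of distinct commands, not single hits.
RECON_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
                "arp.exe", "nbtstat.exe", "systeminfo.exe", "quser.exe", "tasklist.exe"}

# Constructed sample events: (timestamp, host, user, image path, command line).
SAMPLE_EVENTS = [
    ("2016-11-08T09:00:01", "WS01", "alice", "C:\\Windows\\System32\\whoami.exe", "whoami /all"),
    ("2016-11-08T09:00:05", "WS01", "alice", "C:\\Windows\\System32\\net.exe", 'net group "domain admins" /domain'),
    ("2016-11-08T09:00:09", "WS01", "alice", "C:\\Windows\\System32\\nltest.exe", "nltest /dclist:corp"),
    ("2016-11-08T09:00:12", "WS01", "alice", "C:\\Windows\\System32\\net.exe", "net view /domain"),
    ("2016-11-08T09:00:20", "WS01", "alice", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
    ("2016-11-08T11:15:00", "WS02", "bob", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
    ("2016-11-08T14:40:00", "WS02", "bob", "C:\\Program Files\\Notepad++\\notepad++.exe", "notepad++.exe"),
    ("2016-11-08T16:00:00", "SRV01", "svc_backup", "C:\\Windows\\System32\\systeminfo.exe", "systeminfo"),
]


def image_name(path):
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def search_recon(events):
    """Searching: keep only executions of watch-listed images."""
    return [e for e in events if image_name(e[3]) in RECON_IMAGES]


def group_by_actor(events, window=timedelta(minutes=10), min_distinct=3):
    """Grouping: per (host, user), flag actors that ran at least `min_distinct`
    different recon images inside any `window`-long burst. Returns {actor: images}."""
    by_actor = defaultdict(list)
    for ts, host, user, image, _cmd in search_recon(events):
        by_actor[(host, user)].append((datetime.fromisoformat(ts), image_name(image)))
    hits = {}
    for actor, rows in by_actor.items():
        rows.sort()
        for start, _ in rows:
            burst = {img for t, img in rows if start <= t <= start + window}
            if len(burst) >= min_distinct:
                hits[actor] = sorted(burst)
                break
    return hits


def stack_images(events):
    """Grouping across the fleet (stacking): how many hosts ran each recon image.
    Images seen on a single host are candidates for closer review."""
    hosts = defaultdict(set)
    for _, host, _, image, _ in search_recon(events):
        hosts[image_name(image)].add(host)
    return {img: len(h) for img, h in hosts.items()}


if __name__ == "__main__":
    for actor, images in group_by_actor(SAMPLE_EVENTS).items():
        print("recon burst on %s by %s: %s" % (actor[0], actor[1], ", ".join(images)))
    print("hosts per recon image:", stack_images(SAMPLE_EVENTS))
```

Lone `ipconfig /all` runs on WS02 and SRV01 fall below the burst threshold, while alice on WS01 is flagged for four distinct recon commands in under a minute.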

  • Alek Rollyson at FireEye describes the Integrity Measurement Architecture (IMA), a Linux kernel feature that, when coupled with auditd, adds executable logging capability similar to Sysmon. This post focuses on “a minimum baseline configuration and policy in order to get file execution logs into a format that can be ingested by your SIEM”.
    Extending Linux Executable Logging With The Integrity Measurement Architecture

  • Matt Bromiley at 505 Forensics digs into the SysInternals tool PsExec. This post provides a number of artefacts that will be created when PsExec is used on a system. These include file system artefacts, registry keys, and file execution artefacts such as AppCompatCache and Prefetch.
    Matt also recommends that people pick up Mark Russinovich’s new SysInternals book. He also recommends people become familiar with the SysInternals tools as he has observed them being used by malicious actors “in almost every step of the attacker lifecycle”.
    Digging Into SysInternals: PsExec

  • There were two posts by the students of Champlain College.
    • The Mobile App Forensics team has shared some information they’ve uncovered from analysing the Pokemon Go iOS app. The team didn’t find much in the way of recoverable data, but were able to locate “timestamps and location data that trace us back to when and where we first downloaded the game and set up the user profile”. They appear to hit the same road block as Cindy Murphy did with the obfuscated data.
      The Android team looked into Under Armour’s Map My Run, and were “able to locate user information, timestamps, average speed, altitude and location data for the entirety of [their] walks”.
      Mobile App Forensics: First App Completion
    • The Mobile Device Management team looked at the MobileIron MDM. They found that it had a variety of useful features with regards to tracking the devices and pushing policies/configurations; however, with regards to assisting an investigation it doesn’t do much more than that.
      Mobile Device Management: Mobile Iron

  • I’ve just found the Another InfoSec Guy blog, which appears to be posting daily on DFIR/InfoSec topics. I only just found it so I’ve listed this week’s posts below. Some of the posts also include a video where the author walks through the process.


  • Adam at Hexacorn has found that the Print Spooler or Fax service on Windows Server 2012 loads a DLL on startup. If the user has admin rights, they can replace the DLL and execute code when the service is started.
    Beyond good ol’ Run key, Part 50

  • Malwarebytes have a couple of items of interest.
    • Hasherezade unpacks the Floki dropper, including the various countermeasures it uses against detection tools.
      Floki Bot and the stealthy dropper
    • Jérôme Segura provides an overview of a number of exploit kits that they have captured using their honeypots. These EKs are the RIG variants, Sundown, Bizarro Sundown, Magnitude and Neutrino-v; the post includes a summary as well as the exploits and payloads utilised.
      Exploit Kits: Fall 2016 Review

  • There were a couple of posts on ThreatGeek this week.
    • The Threat Research Team at Fidelis Cybersecurity have shared some information about a new version of the H-W0rm (Hworm) remote access trojan. The post contains technical descriptions of the payload, domains observed, correlations with other RATs, as well as YARA rules to detect the VBS/PE versions of the malware.
      Down the H-W0rm Hole with Houdini’s RAT
    • Jason Reaves has a writeup of a recent change made to the DGA implementation in the Vawtrak banking trojan. This change came about because of a previous post that they had written about the trojan. The changes aren’t significant, but “are just enough to throw off our previous analysis”.
      Vawtrak DGA Round 2

  • Arsh Arora guest-posts on the CyberCrime & Doing Time blog about the Kelihos botnet that has been targeting Australia, Italy, United Kingdom and United States. The post displays the various emails that have been sent to people in the different countries and identifies that the links download the Kronos Banking Trojan in the form of a word document. Surprise surprise, the document contained malicious macros.
    Kronos Banking Trojan and Geo-Targeting from Kelihos

  • The final post in VMRay’s series on ‘Sandbox Evasion Techniques’ covers “Context-Aware Malware: a.k.a. Environment-sensitive malware. Using time/event/environment-based triggers (that are not activated during sandbox analysis)”. These triggers include time bombs, system events, identifying user interaction, and activating only on a specific system.
    Sandbox Evasion Techniques – Part 4

  • Russ Taylor at Hats Off Security posted an overview of the 2016 Cyber Security Challenge Masterclass, set and created by PwC. The challenge took place over 3 days and contestants were given a scenario covering a variety of topics including disk, network, and memory forensics, and penetration testing, culminating in a presentation to the board of directors of the fictional company.
    Cyber Security Challenge Masterclass 2016

  • Nikita Buchka and Anton Kivva at SecureList break down an Android banking trojan, Trojan-Banker.AndroidOS.Svpeng.
    Disassembling a Mobile Trojan Attack

  • Clemens Kolbitsch, Alexander Sevtsov, and Arunpreet Singh at Lastline Labs have posted the third part in their series on VBA malware downloaders, this time focusing on the “limited coverage of security solutions on the different parts of the attack chain”. The authors explain that it’s important for a security solution to examine the entire attack to identify malware, i.e. the e-mail that the malware was sent from, as well as the file itself. They also advise that various file types (i.e. DOTM, MHT, MIME-encoded etc.) can contain malicious code and that the security solution should be able to categorise and identify the content appropriately.
    Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3]

  • David Maciejak and Rommel Joven at Fortinet have identified the author of Cyperine 2.0, now called Medusa, and share their findings. During testing, the malware’s author appears to have infected himself, and David and Rommel were able to review his stored information to discern his identity.
    Unmasking the Bonasira Cyperine Author

  • Samuel Alonso has written a brief review of Ken Dunham’s ‘Android Malware and Analysis’ book.
    Book: Android Malware and Analysis by Ken Dunham.

  • Digital Forensics Corp, formerly We Are 4n6, have shared a list of 5 places that ransomware/malware can hide. They explain that malware can hide in critical system files or temporary folders, execute using the registry (using the Run key, for example) or shortcut/LNK files (pointing to local or online-hosted malware), as well as be found in Word documents (and other macro-based document formats).
    5 Places Ransomware And Malware Can Hide

  • Antiy CERT have published an article on a variety of malware attributed to the Equation Group APT. This article was written in Chinese, so Google Translate was helpful in getting an idea of what it was about.
    From the “formula” to “equations”: Full platform capabilities EQUATION advanced malicious code attacks analysis

  • Microsoft have released a whitepaper called “Ransomware protection in Windows 10 Anniversary Update”, which details “a full set of technologies Microsoft has developed or enhanced to provide Windows customers with an array of protection options.”
    No payment necessary: Fighting back against ransomware

  • There were a few posts on the SANS ISC Handler Diaries.
    • Didier Stevens has identified a Hancitor malware variant that uses process hollowing and doesn’t write the executable to disk. The encoded executable is embedded as part of a 1-pixel PNG in the document, which upon execution is decoded and run as explorer (64-bit) or svchost (32-bit). This technique circumvents application whitelisting, and “most anti-virus will not detect the embedded EXE because it is never written to disk.”
      Hancitor Maldoc Bypasses Application Whitelisting
    • Dr Johannes B. Ullrich provides a list of open source, automated tools built on libpcap that can provide full packet captures. These include daemonlogger, snort, dumpcap, pcapdump, netsniff-ng, and tshark, and the post also includes the commands to run them.
      Packet Capture Options
    • Rick Wanner has a small PSA about a piece of malware called Reincarna/Linux.Wifatch, which “purports to being a memory resident malware that defends the device from more malicious malware”. This malware has apparently been around for a little while but it’s still interesting to hear about some “malware” doing some good.
      Benevolent malware? reincarna/Linux.Wifatch
    • Didier Stevens was asked whether EMET would stop the Hancitor malware mentioned above. From the looks of things, EMET’s Export Address Table Access Filtering (EAF) will detect the shellcode injection, or the shellcode looking up the API functions it needs (I’m not sure which it will detect), and then kill the Word process.
      VBA Shellcode and EMET


  • Jasper at Packet Foo has released part 3 of the Network Capture Playbook, this time covering network cards for wired captures. In particular: access rights, destination MAC filters and “Promiscuous Mode”, passiveness, network card processing capabilities, and packet mix and capture efficiency.
    The Network Capture Playbook Part 3 – Network cards

  • There was an interview on Forensic Focus with Ezra Kohavi, CEO of MediaClone. The interview covered Ezra’s background, his interest in DF, MediaClone’s product, and the challenges they face.
    Interviews – 2016 Ezra Kohavi, CEO, MediaClone

  • EForensics Mag have released an infographic by Maryville University on Computer Forensics, including what the field is, key US legislation and a variety of cases where DF has been crucial.
    When Computer Forensics Grows Up: Digital Forensics Explained – Infographic by Maryville University

  • Gavin Reid at Cisco’s Security Blog identifies “six precursors to incident response that can help drive a stronger return on your team’s investment”. These include: Systems of Record, Standardization, Logging, Network Taps, Authority and Scope, and Communication.
    Is Your Race to SOC Headed for an Epic Crash?

  • Berla has announced a strategic partnership with MSAB, makers of XRY/XAMN. Berla has identified a large amount of mobile device data in their analysis of car infotainment systems, so partnering with a phone forensics company makes sense. This will allow Berla to focus on extracting data from the systems and parsing specific information relating to the use of the vehicle. MSAB also announced the partnership.
    Berla and MSAB Announce Strategic Partnership

  • Also on strategic partnerships, Belkasoft and BlueBear have integrated their digital forensic products, Belkasoft Evidence Center and LACE. “The integration enables forensic experts to perform automated search for illicit images and videos containing child abuse material”. Examiners will now be able to use BEC for “extracting all possible pictures and videos from even hidden or tricky places” and LACE for “running sophisticated analysis on big data sets”.
    Belkasoft and BlueBear Announce Integration of Belkasoft Evidence Center and LACE

  • Mariko and Wataru from the Watch and Warning Group at JP-CERT were in Indonesia to run an APT (Advanced Persistent Threat) workshop and log analysis class. This post provides an overview of the class that they presented.
    APT workshop and Log analysis training in Jakarta

  • Jerry Gamblin has continued to build automated scanning utilities with Slack notifications, this time focusing on W3AF and Burp Suite.

  • Jake Williams has written his thoughts about the recent FBI e-mail investigation; mainly that even though there were 650k e-mails, using automated search, deduplication and filtering it’s fairly easy to reduce a large number of e-mails quite quickly.
    How forensics really works (a post for my mom)

  • DFIR Guy at DFIR.Training has moved over to X-Ways and advises that if you’re going to take the plunge, take some sort of training (and suggests Brett’s online training course). He also found that he was able to complete his examinations just as well with X-Ways as with EnCase.
    I worked the same case twice this week

  • Richard W Brown posted that Project VIC turned 3 years young during the week. “The Project has created standards and has fostered the use of new technologies, such as PhotoDNA Image and F1 Video Fingerprinting Technologies”. Congratulations!
    Project VIC turns 3 years young today!

  • Adam Belsher at Magnet Forensics has written a response to the recent report by the UK’s HMIC regarding the amount of digital evidence and the backlogs it causes. He reiterates many of the points that HMIC made in their report, and explains how Magnet is continuing to develop their tools to help reduce the backlog and streamline workflows through automation.
    The Growth of Digital Evidence Backlogs and Making Them a Thing of the Past

  • Amanda at Secured.org has started an “In Securities” comic illustrating her and her dog’s (Malware Research Dog) adventures.
    In Securities Comic

  • SANS have announced the dates for the DFIR Summit next year in Austin, Texas. The Summit dates are June 22-23, 2017 with the training courses starting immediately after the Summit. For anyone that hasn’t been, it’s a great networking and learning opportunity to attend the Summit.
    Digital Forensics Summit & Training

And that’s all for Week 45! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
