Week 46 – 2016


  • Magnet Forensics updated Axiom to version 1.0.7. The update adds support for the Pebble Watch app (iOS/Android), extracting artefacts from RAR containers, improved localization and language support as well as various other artefacts.
    Magnet AXIOM Now Supports Pebble Watch, LINE for Android, Artifacts from RAR Containers, and More

  • Magnet also updated Internet Evidence Finder to version with similar updates to that of Axiom above as well as various bug fixes. Thanks to Focus-S for sharing the release notes.

  • Mark Woan updated his Log Viewer tool to version 0.0.9, fixing a minor bug regarding the horizontal scrollbar.
    Check Out Woanware’s Tweet!

  • Cellebrite released version 4.5 of their UFED tools, adding physical extraction to a variety of new phones, improved app support, bug fixes and additional functionality including a new user interface. They also shared this YouTube video on the release.
    UFED 5.4 Release Notes

  • Philippe Lagadec has updated oletools to version 0.51; it can now “extract files embedded into MS Office 97-2003 files as OLE objects”.
    Check Out Decalage2’s Tweet!

  • F-Response v6.0.3.5 and Imager were released. The update to F-Response “focuses on improvements to the F-Response Connector” and the Imager updates focused on “the messages window and the reporting of error messages to that window”.
    F-Response v6.0.3.5 and Imager Released

  • GetData’s Forensic Explorer was updated to version v3.9.4.6004 with some minor bug fixes and improvements – particularly around improved MFT reading speed and live boot logging.
    Download Forensic Explorer

  • GetData also updated Mount Image Pro to version v6.1.3.1663 with an “update to Wibu Codemeter network dongle activation.”
    Download Mount Image Pro v6

  • Passmark Software updated OSForensics to version 4.0.1001 with improvements to the Case Manager, Case Log Viewer, Decryption & Password Recovery, Forensic Copy process and Recent Activity section.
    V4.0.1001 – 16th of November 2016

  • Elcomsoft updated a few of their tools this week
    • They updated their Distributed Password Recovery tool to v3.23.1030 with various bug fixes.
      Maintenance update of Elcomsoft Distributed Password Recovery
    • They updated their Phone Breaker to version 6.20.16009 to include the functionality for downloading users’ call logs. The post explains that this can be done using the user’s credentials, or an iCloud authentication token (which bypasses 2FA). The Elcomsoft Phone Viewer was also updated to version 3.10.15966 to show the synced call logs and contacts.
      Elcomsoft Phone Breaker 6.20 Update

  • Eric Zimmerman updated LECmd to version, adding the ability to decode Darwin blocks back to GUIDs.
    LECmd Releases

  • Johan Berggren announced the release of Timesketch version 2016.11, codename “Looper”, which “introduces new features like advanced search, search templates and editable views”.
    Your timeline is a story worth telling

  • Didier Stevens updated a few of his tools this week
  • X-Ways Forensics 18.9 SR-11 was released, adding some of the fixes from later versions.
    X-Ways Forensics 18.9 SR-11

  • X-Ways Forensics 19.0 SR-5 and SR-6 were released with various bug fixes.
    X-Ways Forensics 19.0 SR-6

  • X-Ways Forensics 19.1 Beta 2b was released with several improvements and bug fixes.
    X-Ways Forensics 19.1 Beta 2b


  • Eric Zimmerman has released the beta versions of his Timeline Explorer and JumpList Explorer tools. The former is a Log2timeline CSV viewer that allows filtering, sorting, etc., and the latter is a GUI version of Eric’s JumplistCMD tool.
    Check out EricRZimmerman’s Tweet

  • Sumuri have released the 64bit version of Paladin Edge v7. This version “has been compiled with the latest Linux kernel which adds support for the newest hardware devices like the Surface Pro 4 and newest MacBooks”.
    PALADIN EDGE (64-Bit) – Version 7

  • Kevin at Tech Anarchy has released version 1.0 of VolUtility, a web front-end for Volatility. The release adds “an Extensions framework that allow you to add features and functionality to the data that is returned from Volatility plugins”.
    VolUtility Version 1.0 Release

  • ADF Solutions has released Triage-G2, which appears to be the next generation of their Triage product. I couldn’t really figure out what was updated in this version from the last though.
    New Release Of Industry-leading Media Exploitation Software Now Available: Triage-G2®



  • Elcomsoft has been busy with a few posts this week on their blog and Forensic Focus, primarily about iOS devices.
    • They posted an article on Forensic Focus on the forensic implications of the iOS lockdown records. The article explains the files themselves, along with the process of obtaining and viewing the extraction.
      Forensic Implications of iOS Lockdown (Pairing) Records
    • Oleg Afonin explains that Apple will sync your call logs to all of your devices via iCloud with no obvious way to turn it off. Oleg’s recommendation is to turn off iCloud Drive sync if this is an issue for you. I’d be interested in finding out if there was a way to determine which device the call originated from.
      iPhone User? Your Calls Go to iCloud
    • Vladimir Katalov has done some testing as to which features on iOS enable call syncing. He tested Continuity and Facetime, and found that disabling them had no effect. He also details the other call-related data that can be synced and explains that if someone syncs your call records you will not receive any notifications.    
      iOS Call Syncing: How It Works
    • Vladimir Katalov has listed the variety of different blog posts Elcomsoft have written regarding iOS security and the data that can be obtained. He’s also unsatisfied with Apple’s response to the question of why iOS call logs are synced across devices. I’m not really sure what the big deal is though; Apple syncs call logs so that if you get a missed call on your iPhone, you can pick up your iPad and see that – security aside, users may enjoy the functionality of being able to interact with their data on any device they own (as long as it’s Apple branded of course). Apple may provide the ability to turn off the data that is synced (rather than just the catch-all iCloud Drive), but then again, Apple sometimes decides they know best.
      “We take privacy very seriously” – Apple, we do not buy it, sorry
  • Digital Forensics Corp, formerly We Are 4n6, shared a few articles of interest
  • There were a few articles on the Blackbag Tech blog
    • Kelley has an article on imaging a MacBook with a single USB-C port. The original MacBook is fairly simple and can be imaged using mq, a USB-C adapter and a USB hub. The newer model is slightly more complicated as mq won’t work and you’ll need to image it through target disk mode with a USB-C-to-A adapter.
      Imaging a MacBook with Single USB-C Port
    • The Blackbag Training Team reports an issue with BlackLight not parsing out chat sessions from WhatsApp on devices running iOS10. They’ve provided a workaround where examiners can export the relevant folders into a similarly nested folder structure, rename the export and re-add them to Blacklight. The video then shows the WhatsApp data being parsed correctly.
      Examining WhatsApp 2.16 For iOS10 In Blacklight
    • The Blackbag Training Team has “found a solution in BlackLight 2016r3 to acquire iOS devices with a [Mobile Device Management] Profile installed and encrypted backups enabled”. 2016r3 is still in Beta. “If the device has never been backed up, a backup password must be configured in iTunes before BlackLight will be able to acquire it.” This is changing data on the device and must be documented as the password cannot be disabled later. If the device is “supervised” then “the device cannot be acquired unless it is attached to the supervising computer”.
      Troubleshooting iOS 10 Devices With Mobile Device Management Configurations

  • Keven Murphy has written a post on the SANS DFIR blog explaining how to use Forensic Response ACquisition (FRAC) and Retrieve Interesting Files Tool (RIFT) to gather required files across an entire organisation.
    Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

  • Carpe Indicium provides the steps needed to get TimeSketch up and running on the SIFT workstation. (Anyone looking for a fun project could probably throw most of this in a bash script).
    Delving into Timesketch


  • Tal Liberman at Breaking Malware shows the “AtomBombing modifications to enable us to inject code into CFG-protected processes”. This expands on the previous post that showed the AtomBombing technique crashing MSPaint.exe.
    AtomBombing CFG Protected Processes

  • Sarah (Qi) Wu and Donna Wang at Fortinet have a writeup of a piece of malware that locks users’ computers and makes them fill out a survey; although the website hosting the survey is down. The authors were able to decompile the .NET malware and obtain the password to unlock the screen, as well as the administrator control panel credentials that were hardcoded in.
    PC Locker – A New Survey Locker in the Wild

  • Researchers at ProofPoint have uncovered a variant of a piece of malware they called Ransoc, which “scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information.”
    Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles

  • Brian Hussey at TrustWave presents the known IoCs for some new attacks thought to be carried out by the Carbanak crime group. The post analyses two separate AdobeUpdateManagementTool.vbs files, where the second version arrived two weeks after their investigation began.
    New Carbanak / Anunak Attack Methodology

  • The Microsoft Malware Protection Center Threat Research & Response Blog describes TrojanDownloader:JS/Crimace (and the ransomware, Ransom:Win32/WinPlock.B, that it downloads). As a side note, there really seems to be a massive benefit in flagging e-mails with password-protected files and redirecting executable scripts like WSF to something innocuous like Notepad.
    Fake fax ushers in revival of a ransomware family
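    As an added illustration of the aside above (not code from the Microsoft post or from this blog), the following PowerShell remaps the machine-wide double-click handler for the Windows Script Host file types to Notepad and keeps a record of the previous handlers so the change can be reverted. It assumes an elevated prompt and the stock ProgIDs (WSFFile, JSFile, JSEFile, VBSFile, VBEFile); a per-user override under HKCU\Software\Classes would take precedence, and scripts launched explicitly through wscript.exe or cscript.exe are not affected.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumption: the stock Windows ProgIDs for Windows Script Host file types are present.
$scriptProgIds = 'WSFFile', 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile'

# Notepad just displays the script text instead of handing it to wscript.exe.
$notepadCommand = '"%SystemRoot%\System32\notepad.exe" "%1"'

# Record the existing open commands so the change can be undone later.
$backup = @{}

foreach ($progId in $scriptProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "$progId has no shell\open\command key; skipping"
        continue
    }
    $backup[$progId] = (Get-ItemProperty -LiteralPath $key).'(default)'
    Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $notepadCommand
    Write-Output ("{0,-8} {1}  ->  {2}" -f $progId, $backup[$progId], $notepadCommand)
}

# Persist the previous handlers next to the change (path is an assumed location).
$backupPath = Join-Path $env:ProgramData 'wsh-handler-backup.json'
$backup | ConvertTo-Json | Set-Content -LiteralPath $backupPath

# To revert, read the backup and write each saved command back:
#   $saved = Get-Content -LiteralPath $backupPath | ConvertFrom-Json
#   foreach ($p in $saved.PSObject.Properties) {
#       Set-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$($p.Name)\shell\open\command" `
#                        -Name '(default)' -Value $p.Value
#   }
```

Pair this with mail filtering on the attachment types rather than relying on it alone, since the association only governs what Explorer does on double-click.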

  • The guys at Joe Security explain how they were inspired by a “method proposed by Kacper Szurek in his latest research on VBA macro analysis” leading to improvements to their Joe Sandbox product. This leads to a variety of new features for VBA analysis including “Arguments and return value logging for predefined set of VBA APIs”, and “Heuristic detection of string encryption function”.
    Generic VBA Instrumentation for Microsoft Office Documents

  • Matt Nelson at ENIGMA0X3 shows how to use DNX (Microsoft .NET Execution environment) to bypass application whitelisting. He also explains “these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules”.
    Bypassing Application Whitelisting By Using DNX.exe

  • Hasherezade has prepared an experimental keygen and decryptor tool for the Princess Locker ransomware and shared its usage on her site.
    Princess Locker decryptor

  • Jaydee Valdez at the G DATA Security Blog takes a look at the newer Locky variants .SH*T and .THOR. He identifies the “more flexible argument string that is usually pre-defined within Locky’s script component” in the newer versions compared to ODIN. The author also shares the IPs used, and their various locations, primarily in Russia and Ukraine.
    The Rampage of Locky

  • Marion Marschalek at Cyber WTF discusses her and Raphael Vinot’s “findings regarding exploits present in known targeted attacks, the obstacles we faced during analysis and how we worked our way around”. These findings surrounded ssdeep, binary compilation timestamps, acquisition of exploits/0-days, and the APT exploit landscape.
    The Kings In Your Castle Part 3 -Ssdeep being fuzzy while exploits are being scarce

  • There were several entries on the SANS ISC Handler Diaries
    • Brad Duncan has obtained some examples of KaiXin EK infection traffic and performed some analysis. The EK downloads a VBS file to the temp directory and executes it, using that script to download additional malware. Brad also lists the IP addresses, TCP ports, and domain names associated with the infections.
      2016-11-18 example of KaiXin EK activity
    • Didier Stevens has “tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016” and found that it’s not blocked. Apparently the maldoc isn’t stable however, so Didier created his own PoC and found that EMET would successfully block the shellcode execution.
      VBA Shellcode and Windows 10
    • Xavier Mertens “found a website delivering a malicious PE file” and was able to identify additional information by examining the upper directory structure of the site. Analysing the resultant data, Xavier was able to identify the attacker’s Gmail address, and also that the attacker had banned several IP addresses (of hosting providers) and user-agent strings that would commonly be used by researchers and analysts.
      Example of Getting Analysts & Researchers Away
    • Brad Duncan also identified “malicious spam (malspam) distributing Troldesh ransomware”. Brad downloaded and executed the malware, which confirmed that it was the Troldesh ransomware, analysed the resultant traffic and shares the identified IoCs.
      Malspam distributing Troldesh ransomware


  • Andrew Case has joined the DFRWS 2017 organising committee – his role is to bring practitioners and researchers together. Andrew explains the variety of ways that a conference can accept presentations and from the sounds of things the double-blind peer review research paper + feedback sounds like the most beneficial. As someone who doesn’t get to go to many conferences due to geographical restrictions, presentations can give you a lot of the information, but I’m sure not all of it. It also means that the information can be critiqued before it’s finally presented. Andrew then goes on to promote why he believes DFRWS is the epicentre for top DFIR research – including the important fact that DFRWS is being held in Austin next year, so if you don’t like the conference at least you have the BBQ and live music.
    Bringing together the DFIR Industry and Academia at DFRWS 2017

  • Cheryl Biswas at CyberWatch gives her thoughts on the Sector 2016 conference and shares the video to her presentation on the SWIFT network.
    Sector 2016

  • Carolyn Casey at AccessData lists the rules that recently took effect for Department of Defense contractors with regards to their incident response requirements.
    New Incident Response Demands Hit DoD Contractors

And that’s all for Week 46! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
