SOFTWARE UPDATES
- Magnet Forensics updated Axiom to version 1.0.7. The update adds support for the Pebble Watch app (iOS/Android), extracting artefacts from RAR containers, improved localization and language support as well as various other artefacts.
Magnet AXIOM Now Supports Pebble Watch, LINE for Android, Artifacts from RAR Containers, and More
- Magnet also updated Internet Evidence Finder to version 6.8.4.3639 with similar updates to those in AXIOM above, as well as various bug fixes. Thanks to Focus-S for sharing the release notes.
- Mark Woan updated his Log Viewer tool version 0.0.9, fixing a minor bug regarding the horizontal scrollbar.
Check Out Woanware’s Tweet!
- Cellebrite released version 5.4 of their UFED tools, adding physical extraction for a variety of new phones, improved app support, bug fixes and additional functionality including a new user interface. They also shared a YouTube video on the release.
UFED 5.4 Release Notes
- Philippe Lagadec has updated oletools to version 0.51; it can now “extract files embedded into MS Office 97-2003 files as OLE objects”.
Check Out Decalage2’s Tweet!
- F-Response v6.0.3.5 and Imager 2.0.1.23 were released. The update to F-Response “focuses on improvements to the F-Response Connector” and the Imager update focused on “the messages window and the reporting of error messages to that window”.
F-Response v6.0.3.5 and Imager 2.0.1.23 Released
- GetData’s Forensic Explorer was updated to version v3.9.4.6004 with some minor bug fixes and improvements, particularly around improved MFT reading speed and live boot logging.
Download Forensic Explorer
- GetData also updated Mount Image Pro to version v6.1.3.1663 with an “update to Wibu Codemeter network dongle activation.”
Download Mount Image Pro v6
- Passmark Software updated OSForensics to version 4.0.1001 with improvements to the Case Manager, Case Log Viewer, Decryption & Password Recovery, Forensic Copy process and Recent Activity section.
V4.0.1001 – 16th of November 2016
- Elcomsoft updated a few of their tools this week
- They updated Distributed Password Recovery tool to v3.23.1030 with various bugs fixed.
Maintenance update of Elcomsoft Distributed Password Recovery
- They updated their Phone Breaker to version 6.20.16009, adding the ability to download users’ call logs. The post explains that this can be done using the user’s credentials or an iCloud authentication token (which bypasses 2FA). Elcomsoft Phone Viewer was also updated to version 3.10.15966 to show the synced call logs and contacts.
Elcomsoft Phone Breaker 6.20 Update
- Eric Zimmerman updated LECmd to version 0.9.4.0, adding the ability to decode Darwin blocks back to GUIDs.
LECmd Releases
- Johan Berggren announced the release of Timesketch version 2016.11, codename “Looper”, which “introduces new features like advanced search, search templates and editable views”.
Your timeline is a story worth telling
- Didier Stevens updated a few of his tools this week
- shellcode2vba.py was updated to version 0.5, adding the --suffix option, which “allows you to instruct the program to add a suffix to the VBA function names”.
Update: shellcode2vba.py Version 0.5
- byte_stats.py was updated to version 0.0.4, adding the ability to count unique bytes.
Update: byte_stats.py Version 0.0.4
- zipdump.py was updated to version 0.0.4, which now “displays the ZIP comment (if present) and also counts unique bytes”.
Update: zipdump.py Version 0.0.4
- X-Ways Forensics 18.9 SR-11 was released, adding some of the fixes from later versions.
X-Ways Forensics 18.9 SR-11
- X-Ways Forensics 19.0 SR-5 and SR-6 were released with various bug fixes.
X-Ways Forensics 19.0 SR-6
- X-Ways Forensics 19.1 Beta 2b was released with several improvements and bug fixes.
X-Ways Forensics 19.1 Beta 2b
SOFTWARE/PRODUCT RELEASES
- Eric Zimmerman has released beta versions of his Timeline Explorer and JumpList Explorer tools. The former is a log2timeline CSV viewer that allows filtering, sorting etc., and the latter is a GUI version of Eric’s JLECmd tool.
Check out EricRZimmerman’s Tweet
- Sumuri have released the 64-bit version of Paladin Edge v7. This version “has been compiled with the latest Linux kernel which adds support for the newest hardware devices like the Surface Pro 4 and newest MacBooks”.
PALADIN EDGE (64-Bit) – Version 7
- Kevin at Tech Anarchy has released version 1.0 of VolUtility, a web front-end for Volatility. The release adds “an Extensions framework that allow you to add features and functionality to the data that is returned from Volatility plugins”.
VolUtility Version 1.0 Release
- ADF Solutions has released Triage-G2, which appears to be the next generation of their Triage product. I couldn’t really figure out what was updated in this version from the last though.
New Release Of Industry-leading Media Exploitation Software Now Available: Triage-G2®
PRESENTATIONS/PODCASTS
- Ted Smith demonstrates how to do a search for whole and non-whole words at the same time using X-Ways.
Video 53 – Searching for Whole and Non-Whole Words At the Same Time
- Paula at CQure Academy has uploaded a tutorial on recovering files from a disk using PowerShell (and Jared Atkinson’s PowerForensics). The video has an accompanying blog post, which is linked below.
How to Recover Deleted Files from the Drive?
- This week’s episode of the Digital Forensics Survival podcast covers Apache web logs. Michael explains that the access and error logs found in /var/log/httpd are the “catch-all” for web server logging. He also recommends looking at /etc/httpd/conf/httpd.conf for the Apache configuration, which is also where the LogFormat and log file locations are set. There is a link in the show notes to Manoj Jasawat’s YouTube video on the subject that is worth checking out if you need to understand how these logs work.
Michael also has an announcement about the Surviving Digital Forensics training series; it is now being hosted and looked after by Sumuri, which means that there will be more trainers producing videos. Open enrollment opportunities will continue as before.
DFSP # 039 – Apache Weblogs & SDF Announcement
- Joshua James at Cybercrime Technologies has created a tutorial on how to use PhotoRec to carve files from a physical disk image.
[How To] Forensic Data Recovery in Windows – Photorec
- Adrian Crenshaw uploaded a number of videos from SecureWV/Hack3rcon 2016 to his YouTube channel. Quite a few of them look to relate to DFIR:
- 300 Evidence Collection John Sammons Part 1
- 300 Evidence Collection John Sammons part 2
- 303 Network Forensics using Kali Linux and/or SANS SIFT Josh Brunty
- 202 Python Scripting Adam Byers Part 1
- 202 Python Scripting Adam Byers Part 2
- 111 Windows Timelines in Minutes Dr Philip Polstra
- 302 Key to Forensic Success Examination Planning John Sammons Part1
- 302 Key to Forensic Success Examination Planning John Sammons Part2
- There’s a SANS webcast with Rob Lee on the 21st November at 1PM ET where Rob will be discussing what’s new in the FOR 508 course.
Check Out @sansforensics’ Tweet
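To make the DFSP episode’s description of the Apache access log concrete, here is an added example (my own code, not from the podcast, the show notes or Manoj Jasawat’s video) that parses the “combined” LogFormat httpd.conf usually configures for /var/log/httpd/access_log and runs a few triage heuristics over it. The sample log lines are constructed for the example, and the heuristics (traversal sequences, cmd= parameters, 4xx/5xx responses, scripted User-Agents) are illustrative choices of mine, not a published detection list. Lines that do not match the format are reported rather than dropped, because a malformed line in an access log is itself worth a look.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, as typically set in httpd.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The referer/user-agent group is optional so "common" format lines parse too.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample lines (not from any real server) in the shape found in
# /var/log/httpd/access_log; the last line is deliberately malformed.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [18/Nov/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2016:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.test/index.html" "Mozilla/5.0"
203.0.113.7 - - [18/Nov/2016:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "python-requests/2.11.1"
203.0.113.7 - - [18/Nov/2016:10:05:11 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.11.1"
203.0.113.7 - - [18/Nov/2016:10:05:12 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 58 "-" "python-requests/2.11.1"
this line is not in combined format and must be reported, not silently dropped
"""

# User-Agent fragments that usually mean a script rather than a browser
# (an illustrative list chosen for this example).
SCRIPTED_AGENT_MARKERS = ("python-requests", "curl/", "sqlmap", "nikto", "masscan")


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # %r is "METHOD PATH PROTOCOL"; junk sent to the port (a TLS handshake on
    # port 80, say) yields fewer parts, so pad rather than crash on it.
    parts = rec["request"].split(" ", 2) + ["", "", ""]
    rec["method"], rec["path"], rec["protocol"] = parts[0], parts[1], parts[2]
    return rec


def parse_log(text):
    """Parse every non-empty line; return (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep the evidence, never drop it silently
        else:
            records.append(rec)
    return records, unparsed


def flag_suspicious(records):
    """Cheap triage heuristics; returns (host, path, reason) tuples in log order."""
    hits = []
    for r in records:
        reasons = []
        path = r["path"].lower()
        if "../" in path or "..%2f" in path:
            reasons.append("path traversal")
        if "cmd=" in path:
            reasons.append("command parameter")
        if r["status"] >= 400:
            reasons.append("http %d" % r["status"])
        agent = (r.get("agent") or "").lower()
        if any(mark in agent for mark in SCRIPTED_AGENT_MARKERS):
            reasons.append("scripted user-agent")
        if reasons:
            hits.append((r["host"], r["path"], ", ".join(reasons)))
    return hits


def requests_per_host(records):
    """Request volume per client IP, the usual first pivot in a web log review."""
    return Counter(r["host"] for r in records)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_ACCESS_LOG)
    print("parsed %d lines, %d unparsed" % (len(recs), len(bad)))
    for host, n in requests_per_host(recs).most_common():
        print("%-15s %d requests" % (host, n))
    for host, path, why in flag_suspicious(recs):
        print("%-15s %-32s %s" % (host, path, why))
```

Before running this against a real server, check the LogFormat and CustomLog lines in httpd.conf: if the site uses a custom format, the regex has to be adjusted to match, otherwise every line ends up in the unparsed bucket.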
FORENSIC ANALYSIS
- Elcomsoft has been busy with a few posts this week on their blog and Forensic Focus primarily on iOS devices.
- They posted an article on Forensic Focus on the forensic implications of the iOS lockdown records. The article explains the files themselves, along with the process of obtaining and viewing the extraction.
Forensic Implications of iOS Lockdown (Pairing) Records
- Oleg Afonin explains that Apple will sync your call logs to all of your devices via iCloud with no obvious way to turn it off. Oleg’s recommendation is to turn off iCloud Drive sync if this is an issue for you. I’d be interested in finding out if there is a way to determine which device the call originated from.
iPhone User? Your Calls Go to iCloud
- Vladimir Katalov has done some testing as to which features on iOS enable call syncing. He tested Continuity and FaceTime, and found that disabling them had no effect. He also details the other call-related data that can be synced and explains that if someone syncs your call records you will not receive any notification.
iOS Call Syncing: How It Works
- Vladimir Katalov has listed the variety of blog posts Elcomsoft have written regarding iOS security and the data that can be obtained. He’s also unsatisfied with Apple’s response to the question of why iOS call logs are synced across devices. I’m not really sure what the big deal is though; Apple syncs call logs so that if you get a missed call on your iPhone, you can pick up your iPad and see it – security aside, users may enjoy the functionality of being able to interact with their data on any device they own (as long as it’s Apple branded of course). Apple may provide the ability to turn off the data that is synced (rather than just the catch-all iCloud Drive), but then again, Apple sometimes decides they know best.
“We take privacy very seriously” – Apple, we do not buy it, sorry
- Sarah Edwards shares some information on a new macOS Sierra forensic artefact called Unified Logging. This logging platform will replace syslog and the Apple System Log (although both still exist for now). Thankfully, Apple has included a built-in utility (the log command-line tool) to parse the generated log files.
New macOS Sierra (10.12) Forensic Artifacts – Introducing Unified Logging
- Digital Forensics Corp, formerly We Are 4n6, shared a few articles of interest
- They shared a GUI for Volatility developed by Waqas Ahmad aptly named Volatility GUI.
Use the Graphics User Interface for Volatility
- They shared the inaugural edition of the Digital 4n6 Journal, India’s first digital forensics journal, which was released in August. The journal appears to be produced quarterly and is fairly inexpensive to subscribe to.
Read Free Version Digital 4n6 Journal
- This article shows how “principal component analysis (PCA) can be used to detect forgery”.
Forgery detection using PCA
- There were a few articles on the Blackbag Tech blog
- Kelley has an article on imaging a MacBook with a single USB-C port. The original MacBook is fairly simple and can be imaged using MacQuisition, a USB-C adapter and a USB hub. The newer model is slightly more complicated as MacQuisition won’t work, and you’ll need to image it through Target Disk Mode with a USB-C-to-A adapter.
Imaging a MacBook with Single USB-C Port
- The Blackbag Training Team reports an issue with BlackLight not parsing chat sessions from WhatsApp on devices running iOS 10. They’ve provided a workaround where examiners can export the relevant folders into a similarly nested folder structure, rename the export and re-add it to BlackLight. The video then shows the WhatsApp data being parsed correctly.
Examining WhatsApp 2.16 For iOS10 In Blacklight
- The Blackbag Training Team has “found a solution in BlackLight 2016r3 to acquire iOS devices with a [Mobile Device Management] Profile installed and encrypted backups enabled”. 2016r3 is still in beta. “If the device has never been backed up, a backup password must be configured in iTunes before BlackLight will be able to acquire it.” This changes data on the device and must be documented, as the password cannot be disabled later. If the device is “supervised” then “the device cannot be acquired unless it is attached to the supervising computer”.
Troubleshooting iOS 10 Devices With Mobile Device Management Configurations
- Keven Murphy has written a post on the SANS DFIR blog explaining how to use the Forensic Response ACquisition (FRAC) and Retrieve Interesting Files Tool (RIFT) to gather required files across an entire organisation.
Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2
- Carpe Indicium provides the steps needed to get Timesketch up and running on the SIFT workstation. (Anyone looking for a fun project could probably throw most of this in a bash script.)
Delving into Timesketch
MALWARE
- Tal Liberman at Breaking Malware shows the “AtomBombing modifications to enable us to inject code into CFG-protected processes”. This expands on the previous post that showed the AtomBombing technique crashing MSPaint.exe.
AtomBombing CFG Protected Processes
- Sarah (Qi) Wu and Donna Wang at Fortinet have a write-up of a piece of malware that locks users’ computers and makes them fill out a survey, although the website hosting the survey is down. The authors were able to decompile the .NET malware and obtain the password to unlock the screen, as well as the administrator control panel credentials that were hard-coded in.
PC Locker – A New Survey Locker in the Wild
- Researchers at Proofpoint have uncovered a variant of a piece of malware they call Ransoc, which “scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information.”
Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles
- Brian Hussey at Trustwave presents the known IoCs for some new attacks thought to be carried out by the Carbanak crime group. The post analyses two separate AdobeUpdateManagementTool.vbs files, where the second version arrived two weeks after their investigation began.
New Carbanak / Anunak Attack Methodology
- The Microsoft Malware Protection Center Threat Research & Response Blog describes TrojanDownloader:JS/Crimace (and the ransomware, Ransom:Win32/WinPlock.B, that it downloads). As a side note, there really seems to be a massive benefit in flagging e-mails carrying password-protected archives and redirecting executable script types like WSF to something innocuous like Notepad.
Fake fax ushers in revival of a ransomware family
- The guys at Joe Security explain how they were inspired by a “method proposed by Kacper Szurek in his latest research on VBA macro analysis”, leading to improvements to their Joe Sandbox product. This brings a variety of new features for VBA analysis, including “Arguments and return value logging for predefined set of VBA APIs” and “Heuristic detection of string encryption function”.
Generic VBA Instrumentation for Microsoft Office Documents
- Matt Nelson at enigma0x3 shows how to use DNX (the Microsoft .NET Execution environment) to bypass application whitelisting. He also explains that “these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules”.
Bypassing Application Whitelisting By Using DNX.exe
- Hasherezade has prepared an experimental keygen and decryptor tool for the Princess Locker ransomware and shared its usage on her site.
Princess Locker decryptor
- Jaydee Valdez at the G DATA Security Blog takes a look at the newer Locky variants .SH*T and .THOR. He identifies the “more flexible argument string that is usually pre-defined within Locky’s script component” in the newer versions compared to ODIN. The author also shares the IPs used and their locations, primarily in Russia and Ukraine.
The Rampage of Locky
- Marion Marschalek at Cyber WTF discusses her and Raphael Vinot’s “findings regarding exploits present in known targeted attacks, the obstacles we faced during analysis and how we worked our way around”. These findings surround ssdeep, binary compilation timestamps, acquisition of exploits/0-days, and the APT exploit landscape.
The Kings In Your Castle Part 3 - Ssdeep being fuzzy while exploits are being scarce
- There were several entries on the SANS ISC Handler Diaries
- Brad Duncan has obtained some examples of KaiXin EK infection traffic and performed some analysis. The EK downloads and executes a VBS to the temp directory and uses that to download additional malware. Brad also lists the IP addresses, TCP ports, and domain names associated with the infections.
2016-11-18 example of KaiXin EK activity
- Didier Stevens has “tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016” and found that it is not blocked. Apparently the maldoc isn’t stable however, so Didier created his own PoC and found that EMET would successfully block the shellcode execution.
VBA Shellcode and Windows 10
- Xavier Mertens “found a website delivering a malicious PE file” and was able to identify additional information by examining the upper directory structure of the site. Analysing the resultant data, Xavier was able to identify the attacker’s Gmail address, and also that the attacker had banned several IP addresses (of hosting providers) and User-Agent strings commonly used by researchers and analysts.
Example of Getting Analysts & Researchers Away
- Brad Duncan also identified “malicious spam (malspam) distributing Troldesh ransomware”. Brad downloaded and executed the malware, which confirmed that it was Troldesh, analysed the resultant traffic and shares the identified IoCs.
Malspam distributing Troldesh ransomware
MISCELLANEOUS
- Andrew Case has joined the DFRWS 2017 organising committee; his role is to bring practitioners and researchers together. Andrew explains the variety of ways that a conference can accept presentations, and from the sounds of things the double-blind peer-reviewed research paper plus feedback sounds like the most beneficial. As someone who doesn’t get to go to many conferences due to geographical restrictions, presentations can give you a lot of the information, but I’m sure not all of it. It also means that the information can be critiqued before it’s finally presented. Andrew then goes on to promote why he believes DFRWS is the epicentre for top DFIR research – including the important fact that DFRWS is being held in Austin next year, so if you don’t like the conference at least you have the BBQ and live music.
Bringing together the DFIR Industry and Academia at DFRWS 2017
- Cheryl Biswas at CyberWatch gives her thoughts on the SecTor 2016 conference and shares the video of her presentation on the SWIFT network.
Sector 2016
- Carolyn Casey at AccessData lists the rules that recently took effect for Department of Defense contractors with regards to their incident response requirements.
New Incident Response Demands Hit DoD Contractors
- Bart at Blaze’s Security Blog has created a template/form to assist in cybercrime reporting.
Cybercrime Report Template
- Forensium has posted a chronological list of forensic models/workflows.
Forensics workflow
- Didier Stevens shares the command to view the Zone.Identifier alternate data stream of a file using Notepad.
Quickpost:
- Jasper at Packet-Foo describes the steps an examiner needs to take to sanitise a PCAP before sharing, using a tool called TraceWrangler.
The Wireshark Q&A trace file sharing tutorial
- Chris DiGiamo at FireEye shares some information about the FireEye Cyber Defense Summit being held at the Washington Hilton in Washington, DC at the end of this month. Further information and registration details are in the post.
FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical Details And Solutions That Work
- Cindy Murphy at Gillware Digital Forensics provides some situations where digital forensics can be used to detect employee misconduct.
Employee Misconduct and Digital Forensics
- Jim Hoerricks provides some advice on how to identify an expert (for court matters). This advice really comes down to checking the examiner’s credentials and being satisfied that what they say in them is accurate.
Those who know don’t tell and those who tell don’t know.
- Carolyn Casey at AccessData has a post about a recent webinar that AD conducted. As we know, digital investigators are being presented with an enormous amount of data across various devices, and data acquisition from live devices is becoming the norm. The other issue raised is communication and presentation of information: “Communicating and collaborating with vendors that house data you need, or that come in to help with the investigation, is also key”.
New Breed of Digital Investigators Emerges in Corporations
- The training team at Magnet Forensics “has opened registration for a new AXIOM certification, and unveiled two new courses, launching in 2017: AXIOM Examinations and IEF Examinations”.
FOR 190 Internship Experience: Brendan Brown - Scott Vaughan at Berla explains that the average lifespan of a car in the US, and the number of cars on the road are increasing. The head-units in newer vehicles are therefore being built to last longer.
Average Lifespan for U.S. Vehicles - Mary Ellen has created a countdown clock to this year’s SANS Holiday Hack Challenge.
Unofficial Holiday Hack Countdown - The guys over at the MISP project list the variety of ways to contribute to the MISP project.
Independence and Threat Intelligence Platforms - Sergio Caltagirone at ActiveResponse has reviewed 2016 covering the major victims of cyber incidents, the capabilities used (macros and evasion techniques), and threat intelligence.
2016 Targeted Threats in Review – What We’ve Learned - Joshua James at Cybercrime Technologies shared a link to the No More Ransom site, which is a collection of tools and information regarding ransomware and unlocking files that have been affected by it. Joshua also recommends using a service like CrashPlan to backup your data regularly. Backing up data means that ransomware’s effects are significantly reduced.
No More Ransom – Detecting and unlocking ransomware without paying - Intaforensics have created and shared a DFIR Glossary of Terms.
A Guide to Digital Forensics Terminology
- Yuka from JPCERT/CC shares her experiences at the APCERT Annual General Meeting & Conference 2016.
APCERT Annual General Meeting & Conference 2016 in Tokyo and JPCERT/CC’s 20th Anniversary
- The 12th Annual ADFSL Conference on Digital Forensics, Security and Law will be held on May 17-19, 2017, on the campus of Embry-Riddle Aeronautical University in Daytona Beach, Florida. The deadline for submissions is 11:59 p.m. EST, 7 January 2017.
12TH ANNUAL ADFSL CONFERENCE ON DIGITAL FORENSICS, SECURITY AND LAW
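Picking up the Zone.Identifier item in this section: opening the stream in Notepad is fine for one file, but when triaging a download folder it helps to parse the stream and map the zone number to what it means. The following is an added example written for this post; it is not Didier’s code or anything from his quickpost. The stream contents are constructed for the example (a Windows 10 style stream with HostUrl/ReferrerUrl and an older style stream carrying only ZoneId), and the ZoneId meanings are the standard Windows URL security zones.

```python
# URL security zone numbers as used by Windows / urlmon.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample stream contents (not taken from real files). Older
# Windows versions write only ZoneId; Windows 10 adds ReferrerUrl/HostUrl.
SAMPLE_WIN10_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://example.test/downloads/invoice.docm\r\n"
)
SAMPLE_LEGACY_STREAM = "[ZoneTransfer]\r\nZoneId=4\r\n"


def parse_zone_identifier(text):
    """Parse Zone.Identifier stream text into a dict; ValueError if no ZoneId."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # Only keys inside [ZoneTransfer] matter; anything else is ignored.
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields or not fields["ZoneId"].isdigit():
        raise ValueError("no usable ZoneId in ZoneTransfer section")
    zone_id = int(fields["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        "fields": fields,
    }


def is_from_internet_zone(info):
    """True when the zone says the file came from outside the local network."""
    return info["zone_id"] >= 3


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier from NTFS (Windows only); None if absent."""
    try:
        # On NTFS an alternate data stream is addressed as "name:stream".
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for label, stream in (("win10", SAMPLE_WIN10_STREAM), ("legacy", SAMPLE_LEGACY_STREAM)):
        info = parse_zone_identifier(stream)
        print(label, info["zone_id"], info["zone_name"], info["host_url"],
              "internet" if is_from_internet_zone(info) else "local")
```

On a live Windows box the same stream can be opened from a command prompt as notepad invoice.docm:Zone.Identifier, which is the general NTFS stream syntax rather than anything specific to the quickpost. Note that the stream lives in the NTFS MFT record, so it does not survive a copy to FAT/exFAT media or to a ZIP archive; its absence on an extracted file proves nothing about where the file came from.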
And that’s all for Week 46! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!