Week 47 – 2016


  • ExifTool was updated to version 10.36 (production release) adding support for new tags, and fixing some bugs.
    Nov. 24, 2016 – Version 10.36 (production release)

  • Didier Stevens updated his base64dump Python script to version 0.0.5 to support additional encodings (hexadecimal (hex), \u unicode (bu) and %u unicode (pu))
    Update: base64dump.py Version 0.0.5

  • A new version (transient release) of MISP 2.4.55 has just been released, including bug fixes and improvements.
    MISP 2.4.55 released

  • John Lambert updated his PyPowerShellXray Python script to version 0.6. The script attempts to decode “common encoded PowerShell scripts.”
    Check Out @JohnLaTwC’s Tweet

  • Belkasoft updated their Evidence Center product to version 8.2, improving malware detection, adding support for flash cookies, as well as various other improvements and bug fixes. Further information about the release can be found here.
    Belkasoft Evidence Center V.8.2 Has Released

  • Oxygen Forensics updated their Detective product to version 9.0.2, adding support for a number of new devices (including the new LG Android smartphones), and additional app support.
    Oxygen Forensic® Detective adds screen lock bypass and extracts data from the most popular dating app!

  • MOBILedit Forensic Express 3.6 was released adding a host of new features including “support for iOS 10.2 including the new iTunes Backup encryption”, improvements to the password breaker, new and updated application analysers, and bug fixes.
    New Forensic Express 3.6 just released!

  • Evimetry Wirespeed was updated to version 2.1.4, with various bug fixes and the release of a “Light Agent x64 build for Microsoft Windows”.
    Release 2.1.4

  • GetData’s Forensic Explorer was updated to version v3.9.7.6040 with some minor bug fixes and improvements.
    Download Forensic Explorer

  • X-Ways Forensics 19.0 SR-7b was released with performance improvements, “support for previously unsupported SQLite database files”, and bug fixes.
    X-Ways Forensics 19.0 SR-7b

  • X-Ways Forensics 19.1 Preview 3 was released, adding the “same additional features as v19.0 SR-7.”
    X-Ways Forensics 19.1 Preview 3



  • Joshua James has posted an overview of the tsk_recover file recovery tool. Joshua walks through each option and explains how they work. In the example, he used it only copied allocated files into the output directory however the man page states it will also recover unallocated files.
    [How To] Forensic Data Recovery in Linux – tsk_recover

  • This week’s episode of the Digital Forensics Survival podcast covers the OS X Syslog. For this Michael recommends using the inbuilt OS X console application. I would love to see a 3rd party app that’s as good as the Console app, that allows users to select items to add to a timeline, or incorporates an event map of sorts (ie comments known events).
    DFSP # 040 – Mac Log Files

  • Tayfun Uzun at Magnet Forensics will be hosting an hour-long webinar on privacy (and working around it) in mobile chat apps. The webinar will take place 14th December 2016 at 11:00 EST, (4:00 pm UTC).
    Forensic Examination of Privacy-Focused Mobile Chat Apps

  • Cysinfo posted the presentations from their quarterly meetup covering various topics in security, malware analysis and forensics.
    9th Quarterly Meetup – 19th November 2016

  • Adrian Crenshaw uploaded a few more videos from SecureWV/Hack3rcon 2016, of which one appears to relate to DFIR.
    304 Mobile Forensics An Introduction Josh Brunty

  • There’s a new podcast to listen to called Cyber Security Interviews, hosted by Douglas A. Brush. Three episodes were released this week, although I think it’s going to be a weekly podcast. Overall I got a lot out of both of the interviews and am looking forward to the future episodes.
    • The first was an introduction to the host, Douglas, and his background in computing and infosec.
    • The second was an interview with Chris Pogue, CISO at Nuix. Chris shares his life and love affair with DFIR and the security industry, having started out as a pentester before moving into digital forensics and incident response, working with the likes of Harlan Carvey, Kristinn Guðjónsson, Corey Altheide, Matt Shannon to name a few. One of the main things I took away from this interview are his comments on examinations using the scientific method – get the data together and determine what it’s telling you, formulate a theory and then try to prove it wrong. Chris also mentioned that training employees helps as companies are hiring people but not investing them; as a result, examiners are getting the data but not knowing what to do with it, as seen in various breaches as of late. Examiners also need to be able to present their technical findings to a non-technical audience. One of the interesting comments he made was how people should be training like the military trains – fire 10,000 practice rounds down a range so that when you need to fire the one that counts you can hit the target. Having just participated in the FOR408 challenge day you can really see the benefit of streamlining your process so that you can perform in an instant rather than taking your time. It’s worth taking advantage of some of the automated processes in the tools and double-checking that they’re accurate when you have time so that you can trust (but verify) them when you need answers fast.
      #001 – Chris Pogue: Like A Chihuahua On A Pork Chop
    • The third was an interview with David Cowen of GC-Partners and Forensic Lunch fame. Dave provided a bit of background about how he got into the industry and how he started his forensic practice. The tips for those starting out are great – pick a topic and learn about it, document it, and share it. Skills can be taught, but interest is a hard thing to come by. Someone that wants to figure out the puzzle, and thinks about the field on their own time makes a valuable employee. Dave also shares some information about becoming a testifying expert; tell the truth is always a good one, followed by backing up your findings with testing and facts. Also present to your audience using analogies that they can relate to (echoing Chris’s comments above). This is something that is quite important to know when testifying. Often lawyers and judges will want to know the technical details but their eyes glaze over when you give it to them. Finding a way to explain it to them so that they understand the technical side is very important when getting your point across.
      #002 – David Cowen: Standing On The Shoulders Of Giants


  • Mattia Epifani and Pasquale Stirparo have an article (excerpt from their book?) on the Packt Publishing blog about computer and mobile forensics. My main takeaway from the article was the list of things to identify when commencing your mobile forensics exam – basically note down the characteristics of the device and it’s additional storage devices (sim/memory card). I’d also add check the serial/IMEI on the device, as well as in the settings, as well as date/time sync settings. They also explain the importance of removing the device from the network, and pros and cons of each approach.
    Digital and Mobile Forensics

  • Patrick Siewert at Pro Digital Forensics talks about the importance of problem-solving in digital forensics and touches on the various issues that the field is currently facing with regards to encryption and data acquisition of mobile devices. The final line of the piece is the main takeaway; “The fundamentals of forensics can be taught, but only experience working cases of varying type and degree can serve to separate those who can solve problems from those who cannot”, that is, pushing buttons can only get you so far before you have to figure out how to get a result your automation doesn’t provide.
    Problem Solving Digital Forensics

  • Mark at Sneaky Monkey has posted the final part of his GrrCon 2016 DFIR writeup covering questions 16 to 21.
    GrrCon 2016 DFIR Write up – Part 3

  • Jasper at Packet Foo continues the Network Capture Playbook this time providing an in-depth look at the SPAN port
    The Network Capture Playbook Part 4 – SPAN Port In-Depth

  • Tim Collyer has posted a white paper on the SANS InfoSec Reading Room regarding the Border Gateway Protocol (BGP). “ This paper explores the incident response options currently available to security teams to prevent, detect, and where possible, respond should a BGP incident arise.”
    BGP Hijinks and Hijacks – Incident Response When Your Backbone Is Your Enemy

  • Russ Taylor at Hats Off Security has shared the location of the Win10 lock screen images (otherwise known as Spotlight).
    Windows Spotlight Image Location

  • Greg Carson at Red Blue Team explains a recent ransomware investigation where he was required to identify the initial source of infection without the use of browser history (it had been cleared by the user or malware) or centralised logging. He was able to use Jared Atkinson PowerForensics to locate a start time in the USN Journal, and from there identify the IIV HTM and SWF file. Greg also included some additional installation instructions for PowerForensics.
    Ransomware IR with PowerForensics and the USN Journal

  • Jamie McQuaid at Magnet explains how hashing works in their Axiom product. Axiom allows examiners to calculate hashes of each file, and then compare them to a variety of different hashsets (ProjectVIC, CAID, PhotoDNA, NSRL, and your own generated hashset).
    A Deeper Look at Magnet AXIOM’s Improved Hashing

  • Angela Bunting at Nuix has a post about the adoption of technology assisted review by regulators. In the case mentioned, an expert report was requested that details the “processes undertaken by the vendor so the court can review them for best practice”. TAR is something that can be utilised across the entire forensic field; in the state of New South Wales where I work my branch has put in a considerable amount of effort to use statistical sampling to limit the exposure of our police officers and civilian staff to child abuse material through the use of TAR and statistical sampling. Our process has been published here for those that would like to know more; but the basic gist is that an automated process is run over a data set that then provides a sample of files across the drive (excluding temporary locations and deleted material; this is only meant to provide files that a user could know about). Examiners review the sample set and categorise them on an internationally accepted scale before the process generates a report conservatively estimating the number of CAM-containing files that appear in the entire set. This reduces our workload considerably and reviewers aren’t required to spend days on end reviewing material that no one should be looking at.
    Technology Assisted Review Heating Up in Australia


  • There were a couple of articles on the Fortinet blog this week
    • Kai Lu has disassembled “an Android banking malware masquerading as an email app that targets several large German banks”. Kai displays and describes the code that the malware uses to perform its tasks, as well as the communication with the C2 server. The article concludes with some advice on how to remove the malware once it’s identified on a device.
      Android Banking Malware Masquerading as Email App Targets German Banks
    • Kai’s second post of the week analyses a variant of the previous Android banking trojan. This version attempts to trick the user into entering their credit card details and personal information, and adds additional target banks and C2 servers. Fortinet also discovered “Two other variants … [that] … masquerade as flash player apps” and social media apps which again phish for credit card details.
      Android Malware Masquerades as Banking App, Part II

  • Roland Dela Paz at Forcepoint has identified that “cybercriminals have started to utilize compromised OneDrive for Business accounts for hosting [multiple families of] malware”. This can cause issues as the links generated for documents stored on OneDrive for Business appear to be/are legitimate.
    Compromised Microsoft Onedrive For Business Accounts Used To Spread Malware

  • There were a few interesting posts on Malwarebytes
    • Hasherezade has broken down the PrincessLocker malware, and in doing so identified some mistakes made by the developer (which she isn’t disclosing so they don’t get fixed). This led to the decryptor that she shared last week.
      PrincessLocker – ransomware with not so royal encryption
    • Nathan Scott has created a decryptor for the TeleCrypt ransomware, which uses the Telegram API to communicate with its C&C. To use the decryptor users will need both an encrypted and un-encrypted version of the same file (backup, people!). This post explains how the ransomware communicates with the creators, explains the encryption algorithm and how to use the decryptor.
      TeleCrypt – the ransomware abusing Telegram API – defeated!
    • Pieter Arntz discusses the Windows Firewall and shows how an elevated program can manipulate the firewall with a single command.
      Configuring the Windows firewall

  • Duc Nguyen and Wei Li at Microsoft Malware Protection Center Threat Research & Response Blog unpack some malspam that delivers Locky via the downloader Nemucod. The malspam delivers an obfuscated JS file, which is Nemucod, that then downloads a DLL version of Locky.
    Don’t let this Black Friday/Cyber Monday spam deliver Locky ransomware to you

  • Nick Biasini at Cisco’s Talos blog analyses the way that attackers distribute the Fareit trojan via email. Nick identified that an MHT (MIME HTML) file was being utilised which references an HTA file containing some odd metadata on a compromised server. Then, because the original source had been taken down, he was able to leverage “intelligence information and data sources … to find all necessary files to recreate the infection chain”.
    Fareit Spam: Rocking Out to a New File Type

  • Vicky Ray, Robert Falcone, Jen Miller-Osborn and Tom Lancaster at Palo Alto Networks analyse the Tropic Trooper campaign which has targeted the Taiwanese Government. The attackers utilised a combination of Yahoyah malware, Poison Ivy RAT and PCShare malware as part of their toolkit. The article explains the spear-phishing e-mail and the document it contains, followed by an analysis of the document, “that exploits CVE-2012-0158”. Interestingly the exploit document wasn’t always picked up as malicious by many AV vendors.
    Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy

  • There were a couple articles on the G data Security blog.
    • Eruel Ramos analyses the Ursnif malware which is transmitted through malspam, a macro document, and malicious VBScript executing from a temp directory. Unfortunately, the malware won’t execute in a VM which makes analysis slightly more irritating (not difficult, just annoying).         The author provides some information about the way Ursnif utilises C2 communications which can be used to transmit collected data or send commands.
      Analysis: Ursnif – spying on your data since 2007
    • Sabrina Berkenkopf comments on the Tech Support scam malware that has been circulating that locks users screens until they pay the ransom.
      Haunted not only for Halloween rum: Microsoft support fraudster

  • Adam at Hexacorn posted a few articles
    • First, he reversed some code in vbe6.dll/vbe7.dll, which plays creates a window and plays a MIDI resource.
      The Archaeologologogology #1 – vbd6.dll and vbe7.dll MIDI file
    • The second explains a few different persistence mechanisms that can be utilised in Microsoft Office products – both system-wide and user specific. Word, for example, will look in a few different directories for DLL’s to execute on startup, and if modified this can be used to execute arbitrary code.
      Beyond good ol’ Run key, Part 51
    • Lastly, he shared some statistics on compilation timestamps of the samples that he’s collected. Even though the timestamps aren’t 100% reliable it’s still interesting to see fewer executables were compiled on the weekend.
      3M samples – random stats

  • Thomas Chopitea has written a tutorial on writing volatility plugins. He walks us through how plugins work, extracting the Locky Malware configuration data from memory and lastly how to write a volatility plugin to automate the extraction.
    Tutorial – Volatility plugins & malware analysis

  • Yotam Gottesman at Breaking Malware continues the research on elevating privileges by environment variables expansion with a few more scenarios. The methods described “rely on an attacker having some access to the machine and possessing some privileges to initiate an attack.”
    Command Injection/Elevation – Environment Variables Revisited

  • Adrian at Bit Therapy analyses a maldoc and identifies the use of process hollowing by the embedded shellcode. Lastly, he provides a number of IOC’s and advises that the malware behaves like Hancitor / Chanitor
    Malicious Document Analysis – Macro to Shellcode

  • Researchers at ProofPoint have identified “several YouTube videos with links to phishing kits, templates, or links for further information”. Upon inspecting the (decoded) code they were able to locate the author’s Gmail address, which may be useful in identifying them. They then worked through the code and could show that authors included “backdoors to harvest phished credentials even after new phishing actors purchased the templates for use in their own campaigns”.
    No Honor Among Thieves: Phishing Templates Sold On YouTube With Backdoors

  • Matt Nelson shows how to use rcsi.exe, a new binary that is found in Microsoft Roslyn CTP, to execute unsigned code thanks to the introduction of C# Scripting. Matt also explains that “these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules”.
    Bypassing Application Whitelisting By Using Rcsi.exe

  • Jacob Soo and @Pete909 have posted a walkthrough on analysing malicious HWP files. HWP files appear to be OLE compound files, and, in this case, contain malicious JavaScript. This JavaScript uses an exploit (which the author’s state is most probably based on CVE-2013-0808) to drop a malicious payload (which was decoded, but outside the scope of the article).
    [ Technical Teardown: Exploit & Malware In .HWP Files ]

  • There were a number of interesting posts on the SANS ISC Handler Diaries
    • Didier Stevens requested assistance with identifying a program that displays the comment in a ZIP file. The ZIP file contained malware and displayed a comment with the password.
      ZIP With Comment
    • With help from the audience, it was determined that WinRAR displays the comment of the previous ZIP by default.
      Update:ZIP With Comment
    • Tom Webb maps out the attacker lifecycle with regards to a series of malicious documents that made it through their first-layer protections. “These emails have a word document that spawns a command shell that kicks off a PowerShell script”. Tom lists all of the controls utilised to prevent the attack.
      Mapping Attack Methodology to Controls


  • Samuel Alonso shares his thoughts on threat hunting and the recently announced updates to the SANS FOR508 course. “Internal discovery of a compromise is gaining momentum with an increase from 20% to nearly 50 % and therefore the dwell time is getting shorter thus reducing risk for organizations”, thanks to the increased focus on threat hunting.
    The right ingredients for Threat Hunting

  • Jack Crook shares his thoughts on the different stages of a typical hunting cycle, based on his experience. The stages are; define the task, research the problem, availability of data, develop queries, automate those queries, knowledge transfer/document each hunt, operationalise your findings so that another team can injest it into existing processes, and track the results.
    He also listed a number of objectives that one can use to measure their success; sure there’s finding the intrusion, but Jack suggests one should think broader than just a series of singular successes. From my understanding, the basic premise is ‘what did you learn and how did the result of your last hunt influence your security practice’. Ultimately you should aim to fill the gaps from the previous breach
    The Hunting Cycle and Measuring Success

  • Scott Vaughan at Berla comments on Porsche’s decision to drop Android Auto from their 2017 911 Carrera and Carrera S. Apparently Google wanted a lot of data. He does mention that despite this Android Auto is still seen across a number of vehicles and has been increasing in use.
    Android Auto, CarPlay, and Data Tracking

  • Digital Forensics Corp shared some thoughts on Android Encryption based on an article by Matthew Green called ‘The limitations of Android N Encryption’. They explain that Android has a different implementation to iOS, and “in 2016 Android is still trying to deploy encryption, which reaches (lock screen) security that Apple has figured out six years ago”.
    Gen Info About Android N Encryption

  • Shafik G. Punja has posted a review of Belkasoft’s Evidence Center on the Digital Forensics Corp. Overall BEC looks like a solid tool with some interesting features, having an inbuilt plist and SQLite viewer and the ability to modify timestamps on the fly is always a good thing.
    Review Of Belkasoft Evidence Center (BEC)

  • The call for papers has opened for DFRWS-USA 2017. The conference will run from 6th to 9th August in Austin Texas. The submission deadline for research papers is 1st February 2017, and the submission deadline for presentations is 31st March 2017.

And that’s all for Week 47! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s