Week 49 – 2016


  • Mark Woan has released new versions of his autorun logger (UI v1.0.4 and Server v1.0.9) with “Fairly major changes such as shows linked Autoruns, can hide/acknowledge alerts”.
    Mark advises that it’s “best to drop the database and then recreate with the new schema”.
    UI Release, Server Release

  • Didier Stevens updated his Python script pecheck to version 0.5.2. “The new [version] displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources”.
    Update: pecheck.py Version 0.5.2

  • A new version of MISP 2.4.56 has been released, including bug fixes and improvements. The major improvement is MISP Galaxy, which is “a simple method to express large objects called cluster that can be attached to MISP events or (in the near future) attributes.”
    MISP 2.4.56 released

  • Cellebrite have updated their UFED Analytics Desktop product to version 5.2.1 to resolve an issue regarding regional settings. Thanks to Digital Forensics Corp for the link.
    UFED Analytics Desktop Version 5.2.1 has been released

  • Cellebrite also released version 2.0 of their UFED Analytics Enterprise. They also posted a video about the update.
    UFED Analytics Enterprise Release Notes

  • MicroSystemation have updated XRY (v7.2) and XAMN (v3.1). XRY’s additions include “Multiple simultaneous extractions, Updated app downgrade functionality, and Android extraction over Wi-Fi” as well as support for browser-based apps and new app versions. XAMN v3.1 comes with the addition of a “Soundex Filter” and “Geographic map view of geo-tags”. They also uploaded a YouTube video about the update.
    XRY v7.2 Release & XAMN v1.3 Released Today

  • Magnet Forensics updated their Axiom product to version 1.0.8. The update adds file system keyword search, iOS 10.1.1 iTunes backup decryption (with password), Android P2P Torrent client artefacts, RAW picture file support and E01 image verification.
    The Top Five New Features in Magnet AXIOM 1.0.8

  • Susteen has updated their Secure View and Burner Breaker products. The post doesn’t have version numbers or changelogs so I can’t tell specifically what was updated. They did announce that their new Cloud Analyzer product will be released in January and is freemium for law enforcement.
    Susteen Secure View And Burner Breaker Updates: Cloud Analyzer-Chinese Chipsets

  • X-Ways Forensics 19.0 SR-8 was released with a variety of bug fixes.
    X-Ways Forensics 19.0 SR-8

  • X-Ways Forensics 19.1 Preview 5 was released, adding some new features surrounding the creation of empty-data segments for corrupt E01 files as well as a few others.
    X-Ways Forensics 19.1 Preview 5

  • Paul Sanderson updated his DateDecode tool to include parsing Google EI timestamps. If you don’t know what Google EI timestamps are, you can read about them here or hit me up.
    Check Out @sandersonforens’s Tweet!


  • Jason Antrim has released a Python script for analysing the Info.plist file associated with iOS Backup files.


  • Magnet Forensics will be hosting a webinar on the Forensic Examination of Privacy-Focused Mobile Chat Apps. The webinar will be held on Wednesday, December 14, 2016, at 11:00AM Eastern Standard Time (New York, GMT-05:00).
    Forensic Examination of Privacy-Focused Mobile Chat Apps


  • Blackbag Technologies have released a couple of short videos in anticipation of their 2016 R3 release of Blacklight. The first video showcases the new functionality regarding parsing Apple System Logs. I’m quite excited for this addition to Blacklight as I’ve found its OS X log parsing ability to be lacking. Hopefully the developers will add in parsing for all the different types of logs available on OS X into an easily sortable/filterable view. They also shared a video on examining Windows Event Logs in Blacklight.
    Apple System Logs, Windows Event Logs

  • Joshua James shares a video on “using LiME to acquire a memory image in a suspect Linux system”.
    [How To] Forensic Memory Acquisition in Linux – LiME

  • Rishikesh Ojha has posted a walkthrough of acquiring a disk using FTK Imager.
    Forensics Imaging Live Practical for computer forensic examiner

  • Stuart Davis at Mandiant has presented about the recently discovered Shamoon 2.0 malware hitting the Middle East and how to protect yourself.
    Shamoon 2.0 – what you need to know now. Protecting against wiper malware

  • Blackhill Infosec shared the webcast on “How Threat Intelligence Can Go Wrong” given by John Strand and Paul Asadoorian.
    WEBCAST: How Threat Intelligence Can Go Wrong

  • Paula at CQURE breaks down “how cached logon data works, what is inside, how we’re able to overwrite it and what kind of threat it exposes”.
    Cached Credentials: Important Facts That You Cannot Miss

  • Digital Forensics Corp shared a video REWA Technology uploaded last week on recovering data from a damaged iPhone.
    iPhone 6 Data Recovery From Dead Logic Board

  • Chris Sanders has shared his slides from his presentation “Abstract Tools for Effective Threat Hunting”.
    Abstract Tools for Effective Threat Hunting

  • David Kovar shared the slides from his presentation at the LISA conference in Boston on 7th December 2016.
    UAVs, IoT, and Cybersecurity

  • Binary-Zone shared a presentation from February this year on Anti-Forensics.
    Anti-Forensics: Leveraging OS and File System Artifacts

  • This week’s episode of the Digital Forensics Survival podcast covers the Windows 10 Prefetch files. Michael explains that with Win10 prefetch you may have difficulties examining these files on a Win7 system. This is important to play around with, especially if your forensic system runs a Win7 build as company policy. You may need to create a few different VMs to compare the parsing results on different OSes. Michael recommends using Nirsoft’s WinPrefetchView to extract the data within.
    DFSP # 042 – Windows 10 Prefetch

  • Lenny Zeltser was on the Cybersecurity Interviews podcast this week. He discussed how he got into the industry, and then pioneered malware analysis, ultimately starting the course for SANS. As with the other interviewees, Lenny said people should focus on communication skills on top of their technical chops. He also suggested that just because you don’t know how to do something now, doesn’t mean you should discount yourself from ever doing it.
    Lenny explained that the engineering mindset is to walk through the whole process and leave the conclusion to the end; except we don’t always present to engineers, and the lay person prefers the conclusion up front (and trusts the method is sound). Lenny also advises that certifications can be useful as a signalling method: to pass the exam the person would have to have learnt the material, studied and applied it; even if you disagree with the usefulness of certs, it still shows a skill.
    #003 – Lenny Zeltser: You Can Never Know Everything

  • The Forensic Lunch is back! David, Matthew and Nicole hosted Matt Bromiley for a discussion about what Matt’s up to. Matt announced he will be blogging every day for the next year, which is great for the community! Also means more content for me! Matt outlined what his weekly schedule will be, covering forensic topics across Linux, Windows, memory/malware etc. I like their point about “write for yourself”. That means there’s no downside: even if you have no viewers, you’re getting something out of it.
    Matthew Seyer then provided some information about the happenings with eventmonkey, the GC-Partners Windows Event Processing Utility. Matt has created a library that can be utilised to import Python functions and use them within your SQLite query.
    Also thanks guys for the shoutout; there’s no trick to my work, it’s basically neurotically checking feedly, twitter, listservs, and more, and then going through the list of sites that don’t have RSS and trying to figure out if what they’ve posted is new. That and, for some reason, I want to stay indoors on the weekend; I’m working on that.
    Forensic Lunch 12/9/16


  • Igor Mikhaylov & Oleg Skulkin have a new site, “Cyber Forensicator”, and have written a post on obtaining memory on a Mac using Rekall’s OSXPMem tool.
    Mac Memory Imaging with OSXPMem

  • The Paraben blog lists the variety of useful information that can be found in the Tinder app (Android or iOS) using their Device Seizure tool. Unfortunately the post appears to be cut-off towards the bottom.
    Tinder – the ticket to dating and data?

  • Paul Ewing explains how to utilise baselining in your hunt for malicious activity. “By comparing workstations to the baseline image, you can simply perform the delta analysis to help hone your hunt”. Paul also explains how to baseline using Endgame to speed up your hunt.
    How to Hunt: Finding the Delta


  • Didier Stevens has posted on the NVISO Labs blog regarding a malicious document sample that he has analysed using Philippe Lagadec’s VBA emulator ViperMonkey. He also posted a video on YouTube.
    Analyzing an Office Maldoc with a VBA Emulator

  • Andrew Dove at Airbus outlines “the API calls used in Process Hollowing” and explains “how to follow the mechanism in OllyDbg, in order to be able to attach to the new process before it can execute any of the malicious code”
    Following Process Hollowing in OllyDbg

  • Marion Marschalek at Cyber WTF covers sophistication in malware, “what complexity from a malware analyst’s perspective means, why malware intends to be undecipherable and why it sometimes just wouldn’t even try”. Marion also presents their “findings on commodity RATs within the corpus of malware we analyzed, as part of our talk at Troopers conference in March”.
    The Kings In Your Castle Part 4 – Packers, Crypters and a Pack of RATs

  • There were a few posts on Fortinet this week:
    • Xiaopeng Zhang examines a maldoc that downloads the TrickBot malware. The malware is stored in the user’s Roaming folder and maintains persistence through a scheduled task. There is also a check to make sure that it’s been executed by the SYSTEM account (i.e. Task Scheduler) rather than by the user. This is worth being aware of when conducting malware analysis, as an examiner may just execute it with a system monitor and think it’s not doing anything.
      Deep Analysis of the Online Banking Botnet TrickBot
    • Joie Salvio takes a look at the Mamba Ransomware that hit the MUNI system in San Francisco last week. He concludes that this version of the malware hasn’t been developed significantly since the first sample that they discovered and doesn’t have any “fancy encryptions, anti-sandbox, or anti-debugging mechanisms”. Overall though, it seemed to be fairly effective at causing some pain without being fancy.
      A Closer Look at the Mamba Ransomware that Struck San Francisco Rail System
    • Douglas Jose Pereira dos Santos and Artem Semenchenko have analysed the recent Shamoon malware and share their findings.
      Research: Furtive Malware Rises Again
    • Sarah (Qi) Wu and Jacob (Kuan Long) Leong have identified an unversioned copy of the Cerber ransomware, which makes minor changes to achieve the same result (although with more file extensions added to the list of encryption targets).
      Research: A New Christmas Decorated Cerber Ransomware Has Arrived

  • Various authors at Malwarebytes Labs have posted this week.
  • There were a couple of articles on the Nuix blog this week.
  • Ursula Ron at Morphisec provides some information about the latest variant of Hancitor, which was conveniently e-mailed directly to the Morphisec CEO. The infection vector is fairly standard (doc+macro → shellcode → more trojans → profit), but the attacker sent the email from a legitimate-sounding email address, and the message is constructed in a way that appears to be a response to a previous e-mail.
    Attack Alert: Another Month, Another Hancitor Variant

  • Ben Baker, Edmund Brumaghin, Mariano Graziano, and Jonas Zaddach at Cisco’s Talos blog examine the Floki Bot malware, which adds new features to the leaked code of the infamous Zeus trojan. They also showcased how they used their FIRST framework “to collect and document functionality present within the Floki Bot samples that were analyzed” and shared the scripts they wrote to help automate portions of the analysis.
    Floki Bot Strikes, Talos and Flashpoint Respond

  • Federico Maggi at Trend Micro has compiled some information regarding the trend in Android ransomware that uses a locking mechanism to restrict access to a device.
    Mobile Ransomware: Pocket-Sized Badness

  • Shusei Tomonaga has a post on the JPCert CC blog examining the LNK files used to execute malware on Windows systems. The LNK files appear to be dropped onto the victims’ systems and (unintentionally, I’m sure) contain information about the attacker’s environment. Shusei examines metadata including the code page number, volume serial number, NetBIOS name, and MAC address to assist in learning more about the malware writers.
    Evidence of Attackers’ Development Environment Left in Shortcut Files
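As an added illustration (my own code, not Shusei’s or JPCERT/CC’s), here is a small parser that pulls those four fields out of a Shell Link file by walking the MS-SHLLINK structures in order: the volume serial from LinkInfo, the code page from the ConsoleFEDataBlock, and the NetBIOS name and MAC from the TrackerDataBlock, whose ObjectID GUID embeds the NIC address when it is a version-1 GUID. The sample shortcut is constructed inline; its serial number, host name, MAC and code page are made up.

```python
"""Pull author-environment metadata out of a Windows Shell Link (.LNK) file (MS-SHLLINK)."""
import struct
import uuid

TRACKER_BLOCK = 0xA0000003     # TrackerDataBlock: NetBIOS machine name + ObjectID GUIDs
CONSOLE_FE_BLOCK = 0xA0000004  # ConsoleFEDataBlock: code page of the authoring console

def parse_lnk(data: bytes) -> dict:
    """Walk the LNK structures in order and return the four fields the post discusses."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]          # LinkFlags
    off = 0x4C                                                 # end of ShellLinkHeader
    out = {"volume_serial": None, "netbios_name": None, "mac": None, "code_page": None}
    if flags & 0x01:                                           # HasLinkTargetIDList: skip it
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                           # HasLinkInfo
        size, _hdr, info_flags, vol_off = struct.unpack_from("<4I", data, off)
        if info_flags & 0x01:                                  # VolumeIDAndLocalBasePath
            serial = struct.unpack_from("<I", data, off + vol_off + 8)[0]
            out["volume_serial"] = "%08X" % serial
        off += size
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):                 # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:                                        # StringData: 2-byte count + characters
            count = struct.unpack_from("<H", data, off)[0]
            off += 2 + count * (2 if flags & 0x80 else 1)      # IsUnicode -> UTF-16LE
    while off + 8 <= len(data):                                # ExtraData until TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == CONSOLE_FE_BLOCK:
            out["code_page"] = struct.unpack_from("<I", data, off + 8)[0]
        elif sig == TRACKER_BLOCK:
            out["netbios_name"] = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])   # Droid[1]: ObjectID, a version-1 GUID
            if file_droid.version == 1:                                # v1 node field is the NIC's MAC address
                out["mac"] = ":".join("%02x" % b for b in file_droid.bytes[10:])
        off += size
    return out

def build_sample_lnk() -> bytes:
    """Constructed test input (not a real sample): LinkInfo + Name + ConsoleFE + Tracker blocks."""
    clsid = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
    flags = 0x02 | 0x04 | 0x80                                 # HasLinkInfo | HasName | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 17, 3, 0x1A2B3C4D, 16) + b"\0"      # DRIVE_FIXED, made-up serial, empty label
    base_path = b"C:\\Users\\Public\\invoice.exe\0"
    link_info = struct.pack("<7I", 0x1C + len(volume_id) + len(base_path) + 1, 0x1C, 0x01, 0x1C,
                            0x1C + len(volume_id), 0, 0x1C + len(volume_id) + len(base_path))
    link_info += volume_id + base_path + b"\0"
    name = "Invoice".encode("utf-16le")
    string_data = struct.pack("<H", len(name) // 2) + name
    console_fe = struct.pack("<3I", 0x0C, CONSOLE_FE_BLOCK, 936)        # GBK code page
    droid_file = uuid.UUID("d0e1f2a3-1234-11e6-9f8e-00505601ab12")     # made-up v1 GUID, node = MAC
    tracker = struct.pack("<4I", 0x60, TRACKER_BLOCK, 0x58, 0) + b"WIN-DEV01".ljust(16, b"\0")
    tracker += (bytes(16) + droid_file.bytes_le) * 2                    # Droid and DroidBirth GUID pairs
    return header + link_info + string_data + console_fe + tracker + struct.pack("<I", 0)

if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

A MAC whose first octet has the multicast bit set, or a non-v1 GUID, means the generating host randomised the node field, so the parser leaves the MAC empty rather than reporting a meaningless value.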

  • Tyler Borosavage at Vmray shared a couple of articles this week.
  • Ben Tedesco at Carbon Black shares a ““suspicious” PowerShell query that alerts in Carbon Black whenever PowerShell is launched using certain interesting parameters”. Ben then explains a PowerShell-based attack that had been identified by Cb Response that would have “completely slipped by traditional IDS & IPS style defenses”.
    Decoding Malicious PowerShell Streams

  • Josh Grunzweig at Palo Alto Networks provides an update on the happenings of the SamSa actors which have attacked the healthcare industry with targeted malware.
    SamSa Ransomware Attacks: A Year in Review

  • Mathieu Letourneau at the Microsoft Malware Protection Center Threat Research & Response Blog has analysed the “Depriz” malware used by TERBIUM. I think Depriz is another name for Shamoon 2.0 which has been covered by a number of other sources; I haven’t thoroughly compared them, but the drive wiping on a specific date, using the Eldos RawDisk driver sounds familiar. Windows 10’s DeviceGuard and Windows Defender should protect against this malware.
    Windows 10: protection, detection, and response against recent attacks


  • The results are in for the 2016 Volatility Plugin Contest. This year saw 21 plugins submitted from 16 different authors. Congratulations to all of the winners!
    Results from the 2016 Volatility Plugin Contest are in!

  • John Patzakis, Esq. comments on a new rule in the US Federal courts regarding electronic data. Under the new rule, electronic evidence must be self-authenticating; that is, have a hash attached that can be reproduced. John explains that this may have a significant impact on the eDiscovery and law enforcement communities as it will enforce best practices, primarily surrounding website/social media collection; this, in turn, will remove the “print screen” collection method. Hopefully courts don’t remove the admissibility of data obtained by the “print screen” method however, as a) there are a number of times where that’s the only way to obtain data, i.e. some mobile phones, and b) that would mean that all photographs need expert qualification; an observation is still valid regardless of its content: “I came to the computer and on the screen was a picture of X, which I photographed and present as exhibit A”. “If the Supreme Court approves these amendments as expected, they will become effective on December 1, 2017 absent Congressional intervention.” David Cohen at Reed Smith will be hosting a webinar discussion on the changes on December 15 at 10:00 am PST / 1:00 pm EST. You can register here.
    New Federal Rule of Evidence to Directly Impact Computer Forensics and eDiscovery Preservation Best Practices

  • Chris Sanders has announced a new training course on Investigation Theory. The course outline explains that students will learn how to approach an investigation, obtain and analyse evidence, understand the attackers and effectively communicate their findings. Chris also mentions that a portion of the proceeds will be donated to charity.
    Announcing the Investigation Theory Online Course

  • Mary Ellen has shared a spreadsheet containing “a repository of Threat Intelligence portals, Hunt tactics and more malware links”. The spreadsheet is quite comprehensive so I’d implore people to check it out.
    Threat Intelligence

  • The students at Champlain College are finalising their research for the semester; this week the BlueTooth team explains a bit of their progress since their last post. They’ve hit a couple of bumps along the way but it appears that they’re working through them in preparation for their final report.

  • Belkasoft has posted a survey on Forensic Focus seeking to improve their current line of products. As a thank you “all who completed the survey in December will get a fully functional 3-month trial license of latest Belkasoft Evidence Center 2017 (including all the recent functions and Photo Forgery Detection module). Besides, one lucky winner will get a full one-year license of the powerful Belkasoft product”.
    Belkasoft Conducts Customer Survey: Fill And Win Evidence Center License!

  • Lee Wingfield at IntaForensics has posted a guide for legal professionals in choosing the right digital forensic provider. I haven’t had a chance to read through it, but whilst this may not be directed specifically at the forensic examiners that read this blog, it’s useful to know what legal professionals are looking for if you’re trying to position yourself as a qualified candidate.
    A Guide to Choosing the Right Digital Forensic Provider

  • DFIR Guy at DFIR.Training wants you to share! The post explains that people can be a bit timid about sharing their findings/tools etc and he wants to encourage people to send him their stuff directly to share on his site. I’m on board with this message, I want to know about your new blogs/tools/research/presentations etc to help get the word out. There have been a few people who have reached out to me and said “hey I’ve started a new blog” or “can you mention this”; for the most part I’m happy to do it, but if it’s just shared on Twitter or a listserv, I might miss it.
    Share your stuff!

  • BSidesNOLA 2017 will be held on April 1st in the New Orleans CBD! CFP and Registration coming soon.
    Check Out @BSidesNOLA’s Tweet!

  • SANS have opened their CFP for the 2017 DFIR Summit in Austin, Texas. Submit your talks here! I have to say I’m inspired at the moment to try to put together a talk. It’ll be a lot of work, so we’ll see if I can make the time to do it 🙂

And that’s all for Week 49! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!