Week 51 – 2016

Posting a little earlier this week because of the holiday. Merry Christmas! Happy Hanukkah! Happy Festivus! Here is my present to you 🙂


  • Phil Harvey updated ExifTool to version 10.37 (development release) adding support for new tags and additional information, as well as bug fixes and minor improvements.
    Dec. 19, 2016 – Version 10.37

  • The MISP Project has released MISP 2.4.57 and then 2.4.58, each with a few major improvements (among others) and bug fixes. The two improvements in 2.4.57 are the “addition of new attribute types and categories to support the new use-cases in MISP”, and “the ability to enforce the warning-lists via the API”. The 2.4.58 update includes “bug fixes and a specific improvement to the correlation feature”.
    MISP 2.4.57 released, MISP 2.4.58 released

  • Elcomsoft updated their Phone Breaker product to version 6.30 adding “the ability to extract information about the user’s recent Web browsing activities, notes and calendars from the cloud”. “Elcomsoft Phone Viewer also receives an update to display synced call notes, calendars and Safari data.”
    Elcomsoft Phone Breaker 6.30 Extracts iPhone Synced Data in Real Time

  • Katana Forensics has released Lantern 4.6.5, adding iOS 10 support and fixing a variety of issues.

  • John Lambert has updated his PyPowerShellXray Python script to version 0.07.

  • X-Ways Forensics 19.0 SR-10 was released, fixing a number of bugs.
    X-Ways Forensics 19.0 SR-10

  • X-Ways Forensics 19.1 Preview 7 was released, improving the viewer component among other new features.
    X-Ways Forensics 19.1 Preview 7

  • Forensic Explorer was updated to v3.9.7.6140, fixing a variety of bugs.
    23 Dec 2016 – v3.9.7.6140


  • Willi Ballenthin has released EVTXtract, which is a tool that “recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images”.

  • Arsenal Consulting have released their CyberGate Keylogger Decryption Tool, which can be used “to decode the cipher text and return the original plaintext that was captured by the RAT.”
    Check Out @ArsenalArmed’s Tweet


  • The slides from HITCON Pacific 2016 have been published and can be found here. 

  • Joshua James shows how to “use volatility to collect information about a memory image, recover the processes that were running in the system at the time of acquisition, and try to find malicious processes within the memory image”
    [How To] Digital Forensic Memory Analysis – Volatility

  • “Belkasoft’s Yuri Gubanov demonstrates how to acquire data from a wide range of devices using the new free Belkasoft Acquisition Tool”.
    Acquiring Removable Drives, Mobile Devices, RAM And Cloud Storage

  • Malware Analysis for Hedgehogs has posted part 3 of her Full Analysis of Fleercivet. This video shows the analysis of the “encrypted data file that was dropped by Fleercivet using IDA and HxD.”
    Malware Analysis – Full Analysis of Fleercivet (Part 3)

  • Magnet Forensics have uploaded their webinar “Forensic Examination of Privacy-Focused Mobile Chat Apps” by Tayfun Uzun, which ran a couple of weeks ago.
    Forensic Examination of Privacy-Focused Mobile Chat Apps

  • Lee Reiber’s Mobile Forensic Minute talks about how to start your mobile forensic investigation. Lee advises that you should create a list of search terms and run them across the whole image, rather than just the parsed data. This has the benefit of locating information that might not be parsed by the tool.
    Mobile Forensic Minute 102

  • On this week’s Surviving Digital Forensics podcast, Michael talks “about a useful automated file intelligence resource for dead box exam as well as IR investigations”. The show notes are fairly comprehensive for this episode so if you’re interested in running Keith J Jones’ Fileintel Python script then have a look through them.
    DFSP # 044 – Automated File Intelligence

  • Virus Bulletin have uploaded a number of videos on malware analysis to their YouTube channel from VB2015 in Prague, Czech Republic.


  • Digital Forensics Corp posted a number of articles this week.
  • Pieces0310 examines the physical extraction of a smartphone to determine how a file was transferred to the device. Thanks to Digital Forensics Corp for the link.
    Find out files transfered via Bluetooth.

  • Matt Bromiley continues the Zeltser Challenge.
    • Post 9 describes how to use Willi Ballenthin’s newly released EVTXtract Python script.
      Sunday GrabBag: EVTXtract by Willi Ballenthin
    • Post 10 is Malware Monday, covering the use of XOR, and Base64 encoding by attackers to hide malware and stored data. Matt also provides some helpful hints to keep in mind whilst looking for obfuscated data.
      Malware Monday: Obfuscation
    • Post 11 focuses on the /etc/passwd and /etc/shadow found on Linux systems and examines their forensic usefulness in profiling users.
      Torvalds Tuesday: User Accounts
    • Post 12 examines the Volume Shadow Service, focusing on the “copy-on-write shadow copies”, which contain the differences between the current VSC and the previous clone, and more specifically the “System Restore” process. Matt explains how to examine them on a live and dead box system using the CLI and provides some useful tips at the end.
      Windows Wednesday: Volume Shadow Copies
    • Post 13 provides an overview of Google’s Timesketch written by Johan Berggren. “Timesketch is an open source tool that allows for analysis of and collaboration on system timelines within the browser”.
      Tooling Thursday: Timesketch
    • Post 14 works through a Traffic Analysis Exercise posted by Brad Duncan last week.
      Full Packet Fridays: MTA Christmas Surprise

  • The SecureWorks Incident Response Team analysed two compromised web servers and uncovered defensive evasion techniques used by threat actors, most likely in an attempt to avoid detection. The attackers were using “OwaAuth and China Chopper web shells” and had changed the configuration of the web servers so that they didn’t store any logs. “By disabling logging and deleting logs, the threat actor attempted to disrupt the network defenders’ ability to conduct log analysis as part of the investigation”. “Both observed techniques (disabling web server logging functionality, and web shell redirection) appeared to be attempts to avoid detection”.
    Log Disabling and Web Shell Redirection

  • Elcomsoft published a number of articles this week.
  • Andrew Swartwood at “Between two DFIRns” (probably my favourite blog name so far) has released the answers to his Forensic CTF.
    Forensic CTF: Baud.. James Baud ANSWERS

  • The guys at Cyber Forensicator shared “Tobias Zillner’s presentation about memory forensics using virtual machine introspection for cloud computing from Black Hat USA 2016”.
    Memory Forensics Using Virtual Machine Introspection for Cloud Computing

  • Will Ascenzo at Gillware Digital Forensics provides a write-up of a recent job completed by Cindy Murphy regarding forged certification documents created by an employee of a client. Will explains that Cindy was able to recover a significant number of the forged documents (that had been deleted) and parsed their internal metadata to garner additional insight.
    Forensic Case Files: Impersonating Your Ex-Boss

  • Scott J Roberts compares waiting and passivity in DFIR and provides some key questions to ask yourself. The question arose during a monitoring engagement when the options were to notify the owner, which would destroy the resource, or continue to monitor it and notify when the time is right (after gaining more intel, but potentially allowing others to fall victim). Waiting for the right moment (say after you have a better idea of the situation) is different to being passive, that is, standing still.
    Waiting vs Passivity in DFIR

  • The LCDI’s Mobile App Forensics team has posted their final blog post of the semester. This post summarises some of their process and key findings from their analysis of various iOS and Android apps, which appear to have a focus on location.
    Mobile App Forensics: Final Blog Update

  • There were a couple of articles on Forensic Focus this week
    • “Oxygen Forensics … announced today that it is teaming [up] with Passware Inc. to provide customers the ability for instant extraction of iOS Photo Stream files.”
      Oxygen Forensics and Passware Team Up to Provide Extraction of iOS Photo Stream
    • W. Chirath De Alwis has posted an article that focuses on “the importance of volatile memory analysis and identifies the limitations of conventional forensic methods. It also identifies the browser-based information that is stored in the volatile memory and how this evidence can be retrieved for investigational purposes”. Chirath identified a limitation in existing memory forensics tools in “extracting email and social media artifacts”, as well as carving images. He mentions that the tool has been developed as a proof of concept; however, I was unable to locate a link in the article.
      Digital Forensic Investigational Tool For Volatile Browser Based Data Analysis in Windows 8 OS

  • Jesus Olguin at Trustwave SpiderLabs discusses the various aspects of steganalysis, that is, looking for steganography. Jesus describes the three branches of steganalysis as “Chi-square”, Distinguishing Statistic, and Blind Classifier methods. He also shows how an examiner can identify an image that has been manipulated using a histogram.
    Steganalysis, the Counterpart of Steganography

  • Heather Mahalik has performed some very thorough testing in an attempt to locate a file called GeoHistory.mapsdata, which is associated with the Apple Maps app. Unfortunately, it seems that the existence (or visibility) of this file is inconsistent across devices and versions of iOS.
    How The Grinch Stole Apple Maps Artifacts… Or Did He Just Hide Them?

  • Whilst the Journal of Digital Investigation’s December edition hasn’t been released yet, 504ensics Labs has published the paper that they wrote on their site. This paper covers “the new hibernation file format that is used in Windows versions 8, 8.1, and 10. We also discuss several changes in the hibernation and shutdown behavior of Windows that will have a direct impact on digital forensic practitioners who use hibernation files as sources of evidence.”
    Modern Windows Hibernation File Analysis

  • The guys at Belkasoft have written an article on examining Skype databases using BEC 2017.
    Comprehensive Skype chat analysis with Belkasoft Evidence Center

  • Paraben lists the various boot modes for Samsung Android devices which can be used when performing an examination.
    Android Bootloaders: Risk vs. Reward


  • Roman Unuchek at Securelist examines “a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that … can encrypt user data”. As a result “the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files”.
    The banker that encrypted files
  • Nicholas Griffin at Forcepoint provides an overview of Locky as well as a brief timeline of its various iterations.
    The Many Evolutions Of Locky

  • David Sancho and Numaan Huq at TrendMicro unpack “a new family of ATM malware called Alice”, which “is meant solely to empty the safe of ATMs”.
    Alice: A Lightweight, Compact, No-Nonsense ATM Malware
  • Crowdstrike have released an intelligence report “detailing the use of the trojanized ‘Попр-Д30.apk’ application by the Ukrainian military and the deadly repercussions inflicted on that platform by Russian forces”. “In-depth reverse engineering revealed the APK contained an Android variant of X-Agent”, which has been associated with FANCY BEAR.
    Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units
  • Rodel Finones and Francis Tan Seng at the Microsoft Malware Protection Center Threat Research & Response Blog provide some information on the latest improvements to the Cerber ransomware. After the summary of changes they deep-dive into the spam campaign, downloader (Word doc utilising Macros, PowerShell, surprise surprise), and downloaded malware.
    No slowdown in Cerber ransomware activity as 2016 draws to a close
  • The Swiss Governmental Computer Emergency Response Team examine the Tofsee malware, which they explain uses a Domain Generation Algorithm that generates domains under the Swiss TLD (which apparently is rare). “This blog post first describes the analysis of the DGA. We then give a reimplementation of the DGA in Python, as well as a list of the generated domains for the next 52 weeks. We conclude with measure[s] that we took to deal with algorithmically generated .ch domains.”
    Tofsee Spambot features .ch DGA – Reversal and Countermesaures
  • Analysts at Proofpoint have observed a phishing campaign that utilises a password-protected XOR-encoded HTML file attachment to “harvest credit card account numbers and personal information from account holders”.
    Phishing Actors Take a Cue From Malware-Distributing Brethren

  • Alex Hinchliffe at Palo Alto Networks describes the “malware trends seen in the EMEA (Europe Middle East and Africa) region over the last six months of 2016”.
    Review of Regional Malware Trends in EMEA: Part 1


And that’s all for Week 51! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
