First post of 2017 and it’s a big one! Also, thanks to everyone who retweeted/mentioned my site in the last week. Really saw a jump in the numbers 🙂
SOFTWARE UPDATES
- Oxygen Forensics updated their Detective product to version 9.1.1, adding a SIM card extraction module, additional application and device support as well as other minor improvements. They also produced a YouTube video showcasing the update.
Oxygen Forensic® Detective extracts current and deleted SIM card data
- Kevin Breen at Tech Anarchy has updated VolUtility to version 1.2 adding an optional Authentication module and fixing some issues.
VolUtility Release v1.2 – With Authentication Module
- Phil Harvey updated ExifTool to version 10.38 (developmental release) adding additional tags and bug fixes.
Jan. 5, 2017 – Version 10.38
- Paraben Corporation have released E3:Universal Aurora Edition 1.1 improving artefact support, data acquisition and import, and fixing various bugs.
E3 1.1 is now available!
- 0x4D at Seclist advises that Xplico, an open source network forensic analysis tool has been updated to version 1.2.0 fixing various bugs.
Xplico V1.2.0 – Open Source Network Forensic Analysis Tool (NFAT)
- Also on Seclist, HoChi-Minh announced the update for Powermemory to version 1.4. The update allows users to “dump local passwords hashes with last logon time and password last set.”
Powermemory V1.4 – Exploit The Credentials Present In Files And Memory
- Eric Zimmerman updated a number of his tools (AmcacheParser 0.9.1.0, AppCompatCacheParser 0.9.5.0, JLECmd 0.9.8.0, LECmd 0.9.5.0, PECmd 0.9.0.0). The major change is the ability for JLECmd to take AppIDs from an external list (on that topic, could everyone who maintains AppID lists standardise on a format? Bar-separated is good). I also found that you can install all of Eric’s tools using Chocolatey on Windows.
Check Out @EricRZimmerman’s Tweet
- Philippe Lagadec updated his olefile python package to version 0.44, “fixing several bugs, removing support for Python 2.5, added support for incomplete streams and incorrect directory entries (to read malformed documents), added getclsid,” and has moved the documentation to ReadTheDocs.
olefile 0.44
- Get Data updated Forensic Explorer to version 3.9.7.6152 adding minor updates.
8 Jan 2017 – v3.9.7.6152
- X-Ways Forensics updated version 18.9 to SR-12 to incorporate many of the fixes from later versions.
X-Ways Forensics 18.9 SR-12
- X-Ways Forensics 19.0 SR-11 was released, fixing various bugs.
X-Ways Forensics 19.0 SR-11
- X-Ways Forensics 19.1 Beta 1 was released, adding some new features such as “Event extraction from Apple FSEvent logs” and new options regarding hash sets, as well as various minor improvements and bug fixes.
X-Ways Forensics 19.1 Beta 1
SOFTWARE/PRODUCT RELEASES
- David Dym at Easy Meta Data has released a barebones command line version of his MetaDiver tool.
Added Source For Simple Console App To Dump Metadata And Content Using #tika Using .NET
- Didier Stevens at NVISO labs introduces decompile-py2exe which allows users to decompile Python 3 programs compiled with py2exe.
Decompiling py2exe Executables
- Yogesh Khatri at Swift Forensics has released a Python script to parse the microsoftRegistrationDB.reg SQLite database created by Office for Mac using recursive SQLite queries. The post shows how to perform the task manually before providing the script.
Flexing SQL muscle for parsing an MS db on OSX
- Michael Bailey at FireEye introduces “flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale”.
FLARE Script Series: Querying Dynamic State Using The Fireeye Labs Query-oriented Debugger (flare-qdb)
PRESENTATIONS/PODCASTS
- Joshua James at Cybercrime Technologies shares a video showing how to conduct a preliminary analysis of a disk image using The Sleuth Kit (TSK) command line tools.
[How to] Beginner Introduction to The Sleuth Kit (command line)
- Joshua also uploaded a video showing how to compile code, in this case The Sleuth Kit, in Linux.
Compiling Software in Linux: The Sleuthkit
- Forensic Focus has uploaded a webinar by Olga Koksharova from Elcomsoft on the “available acquisition methods and … iOS acquisition tools for legacy (32bit) and new (64bit) Apple mobile devices”.
iOS acquisition methods
- Lee Reiber spent this Mobile Forensic Minute talking about the logs.db file found on Samsung Android devices (found at the path /data/com.sec.android.logsprovider/databases/logs.db). This file may contain call logs, SMS messages, and e-mail snippets.
Mobile Forensic Minute 104
- Victoria Berry provided a quick overview of the 8 webinars that Magnet Forensics produced in 2016.
A Round-Up of the Rich Library of Webinars Magnet Forensics Offered in 2016
- On this week’s Digital Forensics Survival Podcast, Michael talks about the areas examiners can choose if they’d like to pick something new to focus on in 2017.
The first is to set up a regimented self-training program. Michael continues to suggest people look into mobile, virtual machine, and memory forensics, as well as learning to code and planning your certification route.
DFSP # 046 – DFIR New Year
- Douglas Brush at Cyber Security Interviews has done a quick recap of what he’s taken from the last 5 interviews that were conducted on the show.
#007 – What I Am Learning So Far
FORENSIC ANALYSIS
- Russ McRee has provided his commentary on Matt Swann’s Incident Response Hierarchy of Needs, and maps the “Center for Internet Security Critical Security Controls Version 6.1 (CIS CSC) … to each of Matt’s hierarchical entities and phases”.
The DFIR Hierarchy of Needs & Critical Security Controls
- Ted Smith at X-Ways Clips has a post showing how to use X-Ways to generate file listings (including adding your own comments).
Narrative 54 – Creating Data Schedules of Your Reviewed Evidence
- Cyber Forensicator shared a number of articles this week
- They shared a throwback segment from Paul’s Security Weekly where Heather Mahalik presented on advanced mobile device forensics.
Advanced Mobile Device Forensics with Heather Mahalik
- They shared “Patrick Wardle’s presentation from RSA Conference USA 2016 on practical OS X malware detection and analysis”.
Practical OS X Malware Detection and Analysis
- They shared “Andrew Case’[s] presentation on memory forensics of Linux and Mac systems from Enfuse 2016”.
Memory Forensics of Linux and Mac Systems
- They shared a paper by Pankaj Choudhary, Upsana Singh, Nitesh K Bharadwaj, and Bhupendra Singh presented at the 11th Annual Symposium on Information Assurance (Asia ’16) on Facebook Forensics for Windows 10. This paper covers the Facebook app on Win10, which utilises the Universal App platform feature and maintains its data in an SQLite database.
Facebook Forensics for Windows 10
- They shared a paper by the European Union Agency for Network and Information Security that provides an “overview of the current status of the forensic analysis techniques and processes of cloud incidents”.
Exploring Cloud Incidents
- Digital Forensics Corp shared a number of articles this week
- They shared NIST’s “updated guidance on cyber security events”. From the looks of things, NIST updated a number of documents. They can be found here.
NIST Shared A Cyber Incident Recovery Guide
- They shared an article by William Tan at CrowdStrike from earlier last year about using “OS X FSEvents to discover deleted malicious artifacts”.
Using OS X FSEvents to Discover Deleted Malicious Artifacts
- They shared links to Alexandre Borges’ presentation on reversing malware.
Alexandre Borges’ Presentations
- They shared a Python script that attempts to brute force files that have been modified using Steghide.
Steg Brute Force Tool V1.0 Is Available Now
- John H. at 909Forensics shares some “useful one-liners to extract info from Windows logs with PowerShell.”
Windows Log Hunting with PowerShell
- Jonathon Poling talks about the importance of understanding your tools. He also lists a series of questions that you should ask yourself when evaluating a tool. Jonathon’s belief is that the examiner should understand what the tool is providing them, and what it’s missing. At the same time, once an examiner identifies an issue they should attempt to contact the vendor/author to fix it.
Knowing Your Tools
- Patrick J. Siewert at Pro Digital Forensics covers the various ways that an investigator can determine “that emails were [or weren’t] sent from a particular device at a specific location”.
Conducting an Electronic Investigation: A Case Study in Virginia Politics
- Matt Bromiley continues the Zeltser challenge!
- This post explains DHCP, including “the four key steps in a DHCP initial lease allocation: Discover, Offer, Request, Acknowledge (or ACK) (DORA)”.
Full Packet Friday: DHCP
- This post explains the new “inspect” feature in RedSketch, which will “parse a SQLite table and see what tables have any data in them”.
Scripting Saturday: Continuing Redsketch Development
- This post covers Matt’s effort to index his posts; thankfully he’s started it at the beginning of his challenge. The index can be found here.
Happy New Year!
- This post showcases a tool called Regshot which “allows an analyst to perform before and after snapshots of the Windows Registry.” Regshot also has the ability to monitor a folder for changes. “If the analyst had a suspicion about their malware dropping or altering files, you could place a directory under watch and see what changes were made.”
Malware Monday: Regshot
- This post unpacks the identification of “exposed, unsecured MongoDB instances”, resulting in them being held for ransom. This has occurred because the attack is very easy to perform, and can be very expensive to recover from. Matt explains how to perform the attack and a rough timeframe in which it can occur (read: it doesn’t take long) and thankfully provides some remediation steps to either limit the damage or identify the potential problem.
It’s 10PM; Do You Know Where Your MongoDB Is?
- Continuing on from the previous day’s post on MongoDB, Matt explores the logging available on the platform and expands on the greater DFIR lessons that can be learned. The lessons, which are expanded on in the post, are: “Don’t make a statement about results if you aren’t looking at all the evidence”, “Understand the complexities of your evidence”, “Explore alternative options to achieve XYZ”, and “consider the context of the situation”.
MongoDB Ransoms: Part 2
- Returning to regularly scheduled programming, Matt talks about the tools that come with Joachim Metz’s libewf library. These tools include ewfmount (mounting EWF files), ewfinfo (displaying metadata found within EWF files), ewfrecover (recovering data from corrupt EWF files), ewfacquire/ewfacquirestream (creating EWF files), and ewfexport (exporting data from an EWF file). Jonathon Poling also made mention of ewfverify to verify EWF files.
Tooling Thursday: libewf
- Building on last week’s post on understanding DHCP, Matt looks at parsing DHCP traffic from a PCAP file using Python.
Full Packet Friday: Parsing DHCP Traffic
- And we’re back to Mongo! Matt set up a honeypot to capture some automatic ransom scripts and has a look at the resultant data.
MongoDB Ransoms: Round 3
- Cheeky4n6Monkey provides an overview of Hak5’s LAN Turtle. Monkey explains how to set up the device, and then progresses to examine the artefacts it leaves behind when connected.
Monkey Plays (LAN) Turtle
- Josh Liburdi at Sqrrl demystifies the threat hunting concepts he feels trip up practitioners.
Demystifying Threat Hunting Concepts
- Josh also shows an example of using visualisations to assist in a hunt for malicious PowerShell activity on your network.
Hunting for PowerShell Using Heatmaps
- Robin Brocks at Forensic Focus documents how to create a Win10 Portable Edition boot disk to use in digital forensic examinations.
Windows 10 PE for Digital Forensics
- Adam at Hexacorn shares another persistence mechanism, this time regarding PowerShell’s PSScripts.ini. Apparently, Autoruns will detect the system-specific scripts, but not the user-specific ones.
Beyond good ol’ Run key, Part 52
- Benoit Hamelin at Arc4dia talks about detecting process hollowing through a couple of case studies.
Process hollowing analysis for malware detection
- Anton at Have You Secured shows how to use Sysmon to detect the use of the tool Responder. He then shows how to use a PowerShell script to attempt to determine if the IP that the computer has connected to is nefarious.
(Attempting) to Detect Responder with Sysmon
- Matt at Enigma0x3 “set out to find an alternate way of pivoting to a remote system” that doesn’t use the usual WMI/psexec/at etc. To do so he utilises a “DCOM application [MMC20.Application] and the ExecuteShellCommand method to obtain code execution on a remote host”. Apparently though, Windows Firewall will detect this by default. Florian Roth advises that Sysmon will be of assistance in detecting child processes spawning off a main process.
Lateral Movement Using The Mmc20.application COM Object
MALWARE
- The folks at ClearSky examine malicious files dropped after a spear phishing campaign by Iranian threat agent OilRig. “The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software”.
Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford
- Robert Lipovsky and Peter Kálnai report that “ESET researchers have discovered a Linux variant of the KillDisk malware”, which “renders Linux machines unbootable, after encrypting files and requesting a large ransom”. The authors then explain that the malware traverses from the root directory up to 17 subdirectories down and encrypts files, also rendering the computer unbootable. The worst part is that the researchers determined that the keys were generated on the host and not sent to the C&C, which means that even if you pay, the malicious actors aren’t able to provide you with the decryption key.
KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
- Carrie Roberts at Black Hills Info Sec shows how to modify the Invoke-Mimikatz PowerShell script to avoid AV detection.
How to Bypass Anti-Virus to Run Mimikatz
- Nicholas Griffin at Forcepoint examines two new versions of the MM Core “file-less APT” malware, “which is executed in memory by a downloader component”. This malware is also Cheryl Biswas’ Catch of the Day.
MM Core In-memory Backdoor Returns As “bigboss” And “sillygoose”
- Zhouyuan Yang at Fortinet examines the recent PHPMailer vulnerability which affects versions prior to 5.2.18 and shows how to reproduce the attack.
Analysis of PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033)
- Patrick Wardle at Objective-See posted a couple of articles about malware analysis this week
- He examines the use of document handlers on OS X as a persistence mechanism, as seen in the ‘Mac File Opener’ malware. The post covers “how an application can register to be a ‘document handler’, how the OS processes such an app to automatically register it as a handler, [and] at runtime, how such a handler is resolved, then invoked”.
Click File, App Opens
- He compares various Mac-based malware samples from 2016 as a preview for his RSA 2017 talk. The samples include KeRanger, Eleanor, Keydnap, Fake File Opener, Mokes, and Komplex.
Mac Malware of 2016
- There were a couple of articles of interest on the Palo Alto Networks blog
- Dominik Reichel unpacks the latest version of the Shifu Banking Trojan.
2016 Updates to Shifu Banking Trojan
- Josh Grunzweig investigates the DragonOK group and lists various indicators of interest as well as C2 infrastructure that has been identified. The appendices break down the various malware/exploits used.
DragonOK Updates Toolset and Targets Multiple Geographic Regions
- Hasherezade and Jérôme Segura at Malwarebytes Labs examine “an atypical case of Sundown EK in the wild”. “The landing page for this variant has almost no obfuscation”, which is unusual. They then analysed the dropped malware, which is a cryptocurrency miner (Monero instead of Bitcoin). After a bit of analysis, they were even able to find the malware on GitHub.
The curious case of a Sundown EK variant dropping a Cryptocurrency Miner
- Adam at Hexacorn suggests that, when monitoring a sandbox, using Unfollow “may be quite beneficial for readability and processing purposes.” This allows an analyst to hide certain data, which removes clutter from their final report.
Enter Sandbox – part 13: Sometimes it’s better to unfollow…
- There were a couple of posts of interest on the SANS ISC Handler Diaries
- Didier Stevens shows how to determine that an exe has been compiled with Py2Exe and can be reversed using unpy2exe.
py2exe Decompiling – Part 1
- John Bambenek advises that anyone looking to build their own malware lab should have a look at “Robert Simmons’ of ThreatConnect’s talk at VirusBulletin from a few months ago”.
New Year’s Resolution: Build Your Own Malware Lab?
- Amanda at Secured.org examines a PHP web-shell she was provided.
Just a PHP Web-Shell Sold in Dark Forums
MISCELLANEOUS
- Various people in the DFIR/InfoSec community have shared their thoughts on the Grizzly Steppe report.
- Robert M. Lee – Critiques of the DHS/FBI’s GRIZZLY STEPPE Report
- Andrew Morris – Reflections on Grizzly Steppe
- Mehul Revankar – GRIZZLY STEPPE Detection with SecurityCenter
- Jonathan Zdziarski – On NCCIC/FBI Joint Report JAR-16-20296
- Jake Williams – The JAR did more harm than good
- Jake has also put together a survey to gather intel about how companies are using the Grizzly Steppe data. His company, Rendition Infosec, will publish the report aggregating the responses in the coming week.
Putting science in CTI with GRIZZLY STEPPE usage
- William Ritch at WitFoo expounds the importance of having an investigative mindset in the InfoSec community. William explains that InfoSec practitioners should be doing more than just “detect and report” and draws a comparison to police detective work.
The Importance of having an Investigative Mindset
- Kevin Breen at Tech Anarchy posted a few times this week
- First, he provides a brief review of his 2016 achievements and lists his plans for 2017.
Happy New Year 2017
- Next, he shows the steps needed to allow a bootable version of Kali Linux to run on a Chromebook.
Kali Linux on Acer Chromebook 14
- Lastly, he will be revising his SpearPhisher web app and updating it with the lessons he’s learnt from creating VolUtility.
Resurrecting SpearPhisher
- Chris Sanders has started a series on understanding bias. This first post explains the fundamentals of bias and “why it can negatively influence investigations”.
Know your Bias – Foundations
- Corey Harrell returns after a short hiatus and compares his foray into gardening with guiding “a security analyst’s journey into DFIR”.
Changing Perspectives
- Brett Shavers tackles the topic of breaking into DFIR. Many jobs have base requirements, so getting those ticked off first will probably make your life easier. If the job requires a degree, then unfortunately without one you may get overlooked. Without proper experience or training, one can turn to the various resources to expand your knowledge and prove interest and competence outside of a work environment.
Want to know how to break into DF/IR?
- Andreas Sfakianakis at Tilting at Windmills shares his favourite DFIR presentations from 2016 along with synopses and links.
My favorite DFIR presentations for 2016
- John Patzakis, Esq. advises that data presented in court after December 1st this year will have to abide by the new Federal Rule of Evidence 902(14), regardless of its collection date. John also summarises some of David Cohen’s key points from the webinar on the topic.
Federal Evidence Rule 902(14) is Immediately Applicable for ESI Collections
- L3G10n at Seclist shares a tool called Kraut Salad, which is “a proof of concept implementation of a cyber threat intelligence and incident management platform”.
Kraut Salad – A Cyber Threat Intelligence And Incident Management Platform
- Matt Seyer continues his Rust-learning journey, explaining that his current roadblock is Python bindings and requesting a mentor. If anyone knows Rust and wants to help him out, give him a shout.
My Next Steps in Rust for DFIR
- The Blackbag Training Team advise examiners to “store case and evidence files on different data buses” to improve performance.
Configuring A Blacklight Case For Optimal Performance
- The Call For Papers for OPCDE 2017 is open. OPCDE is held 26th-27th April 2017 in Dubai, UAE. The CFP ends Jan 31, 2017.
OPCDE’17 – Call For Papers
- Rich Adams at Pager Duty announces that the company has open sourced (most of – excluding proprietary/personal info) their internal IR documentation.
Open-Sourcing Our Incident Response Documentation
- Samuel Alonso at Cyber IR has provided his commentary on the above release.
Exploring incident response procedures with PagerDuty.
- Corey Tomlinson at Nuix has spoken to Michael Staggs and Michael Chance on the value of IoT devices to an investigation. And if the requests by LE for Amazon Echo data are anything to go by, this is only the beginning.
The Devices Are Listening
- IntaForensics have produced a “Do’s and Don’ts of Computer Forensic Emergencies” poster.
The Do’s and Don’ts of Computer Forensic Emergencies
- DFIR Guy at DFIR.Training has expanded his list of college DFIR programs but advises that he had to stop because it was getting unmanageable. Many programs that were there last year aren’t anymore, and new programs are popping up all the time. Unfortunately, this statement always holds true: “finding the golden nugget of good information has become a lot harder”.
Colleges and DFIR Programs
- Scott Piper at Summit Route was kind enough to mention my site in his recent post on news summary sites. Scott writes Down Climb, a summary of the weekly infosec news, among other blogposts.
News summaries
And that’s all for Week 1! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!