SOFTWARE UPDATES
- Nir Sofer has updated CredentialsFileView to version 1.05. The new version “allows you to decrypt the data stored inside Windows Credentials files of the current user without login password.”
Check out @Nirsoft’s Tweet
- Mark Woan updated Autorun Logger UI to version 1.0.6, and Autorun Logger Server to version 1.0.10, adding “new features, improved UI, shows linked autoruns”.
Check Out @woanware’s Tweet
- Blackbag has released Blacklight 2016 R3.1 featuring “many fixes and improvements, including iOS 10.2 encryption support and an updated EWMounter.”
Blacklight 2016 R3.1 Is Now Available!
- Phil Harvey updated ExifTool to version 10.39 (development release), adding additional tags and bug fixes. This was then updated immediately to 10.40 (production release), fixing “tests that were failing on some platforms”.
Jan. 14, 2017 – Version 10.40 (production release)
- X-Ways Forensics 19.0 SR-12 was released, fixing various bugs.
X-Ways Forensics 19.0 SR-12
- X-Ways Forensics 19.1 Beta 2 was released. The update improves HFS+ support, interface enhancements, as well as other improvements.
X-Ways Forensics 19.1 Beta 2
SOFTWARE/PRODUCT RELEASES
- The guys at Phrozen Software have released a tool that scans Windows Shortcut (LNK) files and marks them as Broken, Suspicious, or Dangerous. Dangerous shortcut files are those that match a set of criteria seen in malicious LNK files, which are listed in the post. The tool can be found here.
Shortcut Scanner
PRESENTATIONS/PODCASTS
- Last week on Paul’s Security Weekly, Dr. Doug White talked about file carving using WinHex and FTK. The group also discussed the various ways of destroying data.
Paul’s Security Weekly #495 – Forensic Toolkit (FTK), Doug White
- Lee Reiber talks about cookies (cookies.binarycookies) on iOS. This cookie file contains date/times/URLs of websites accessed that can be used even if the user has purged their history.db file. The file may also contain apps that have been downloaded from the iTunes store.
Mobile Forensic Minute 105
- Shahaf Rozanski, Director of Product Management Forensics at Cellebrite, and Jim KempVanEe, Director of Digital Forensics at LogicForce Consulting posted a webinar on “Leveraging Social Media And Cloud Data To Accelerate Investigations” on Forensic Focus. The webinar has been posted to YouTube and the transcript is below.
Webinars – 2017 Leveraging Social Media And Cloud Data To Accelerate Investigations
- This week’s Digital Forensics Survival Podcast covers Epoch times relating to mobile devices. Epoch time represents the number of seconds/nanoseconds since a given date. The three epochs that Michael covers are 01/01/1970, 01/01/1980, and 06/01/1980. There are a number of ways to convert these timestamps; I alternate between DCode and Excel. Michael also shares the OS X Terminal command. Other useful date decoding tools include Paul Sanderson’s DateDecode and Paul Tew’s TimeLord.
DFSP # 047 – Epoch Time Survival
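As an added example (not from the podcast or any of the tools named above), a small Python decoder that interprets a raw count against the three epochs Michael covers, in seconds, milliseconds, microseconds or nanoseconds, and runs an unknown value against all three at once. It assumes 06/01/1980 means 6 January 1980 (the GPS epoch); the sample value is constructed.

```python
from datetime import datetime, timedelta, timezone

# Start dates for the three epochs discussed in the episode. Reading
# "06/01/1980" as 6 January 1980 (the GPS epoch) is an assumption.
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "1980": datetime(1980, 1, 1, tzinfo=timezone.utc),
    "gps": datetime(1980, 1, 6, tzinfo=timezone.utc),
}

# Multiplier from each unit to microseconds, the finest timedelta resolution.
SCALE_TO_US = {"s": 1_000_000, "ms": 1_000, "us": 1}


def decode(count, epoch="unix", unit="s"):
    """Return the UTC datetime that lies `count` units after `epoch`.

    Nanosecond counts are truncated to microseconds because timedelta
    cannot represent them. Leap seconds are ignored, so a genuine GPS
    timestamp decodes a few seconds (18 s in 2017) later than true UTC.
    """
    if unit == "ns":
        micros = count // 1_000
    else:
        micros = count * SCALE_TO_US[unit]
    return EPOCHS[epoch] + timedelta(microseconds=micros)


def encode(dt, epoch="unix", unit="s"):
    """Inverse of decode: express an aware UTC datetime as a raw count."""
    micros = (dt - EPOCHS[epoch]) // timedelta(microseconds=1)
    if unit == "ns":
        return micros * 1_000
    return micros // SCALE_TO_US[unit]


def candidates(count, unit="s"):
    """Decode one raw number against every epoch, as an analyst does when the
    source epoch is unknown: the reading that lands in a plausible period wins."""
    return {name: decode(count, name, unit) for name in EPOCHS}


if __name__ == "__main__":
    # Constructed sample: a value pulled from a mobile database with no epoch label.
    sample = 1168387200
    for name, when in candidates(sample).items():
        print(f"{name:>5}: {when.isoformat()}")
```

Run against a value with an unknown epoch, the Unix reading lands in 2007 and the GPS reading in 2017, which is the kind of gap that makes the correct epoch obvious in context.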
- This week on Cyber Security Interviews, Douglas Brush interviewed Dr. Darren Hayes, Director of Cybersecurity and Assistant Professor at Pace University. They discuss “how he supports law enforcement, developing teaching skills, the importance of problem solving abilities, the challenges when authoring books, misinformation in the media, his involvement with HTCIA, gender roles in information security, foundational skills necessary to be good in information security, immigration challenges, real-world physical threats from cyber attacks, the growth of ransomware, the “brain drain” in the government sector, how to learn cyber security on a budget, and much more.”
#008 – Darren Hayes: Be Cautious And Think It Through
FORENSIC ANALYSIS
- Cyber Forensicator
- They provide example usage of Joakim Schicht’s RawCopy utility. Further examples can be found on Joakim’s GitHub.
Copy locked files from a live system with RawCopy
- They share the synopsis of Shahid Jamal Tubrazy’s “The Digital Evidence Forensic Laws in Canada and USA: Theories and Practices” book.
The Digital Evidence Forensic Laws in Canada and USA: Theories and Practices
- They also shared Thomas Edward Allen Barton and M A Hannan Bin Azhar’s paper from CYBER 2016 on “Forensic Analysis of the Recovery of Wickr’s Ephemeral Data on Android Platforms”.
Forensic Analysis of the Recovery of Wickr’s Ephemeral Data on Android Platforms
- They shared the presentation by Brad Dispensa and Tom Arnold from the 2016 PCI SSC North America Community Meeting Vendor Showcase on “Cloud Security, Compliance, and Incident Response in the Amazon EC2 Cloud”.
Incident Response in the Amazon EC2 Cloud
- They shared a link to Chad Spensky, Hongyi Hu, and Kevin Leach’s paper on “Low-Observable Physical Host Instrumentation for Malware Analysis”.
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
- Digital Forensics Corp posted a few times this week
- They noticed that DFIR.Training has a new page for DFIR Forms and Example Affidavits, Search Warrants, Court Orders, Intake Forms, Policies and miscellaneous documents.
DFIR Forms and Examples
- They also compiled a “list of 10 conferences in the information security industry in 2017”.
The Top Information Security Conferences of 2017
- They shared an article from Netmux for building a password cracking rig for under $5000 (USD I’m assuming).
How To Create Hardware For Brute Force Analysis
- Serge Petrov posted an article showing how to use a combination of techniques to determine whether a mask has been placed over a section of a video. In the example video a mask has been used to hide an object; once the mask is revealed at the end of the post, you can see that something is off when you re-watch the video.
When The Mask Comes Off
- They shared an article by Kevin Parrish on how “Hackers could gain complete control of an Intel-based PC using a USB 3.0 port”.
Get Complete Control Of A Pc Using A USB 3.0 Port
- Jasper at Packet-Foo walks through some network forensics, introducing a scenario and then asking a couple of common questions. This post shows how to deal with large PCAPs using tshark, the pitfalls of filtering in Wireshark with regards to SSH traffic, and banner inspection. The post finishes by showing us how to geolocate incoming SSH connections with Wireshark.
Network Forensics Playbook – Banner Inspection and Client Origin
- Matt Bromiley continues the Zeltser challenge
- This post releases Redsketch version 0.2.0. This version adds the inspect feature mentioned last week, as well as the “-p switch to specify which tables the analyst would like to parse”.
Redsketch 0.2.0
- Malware Monday introduces OfficeMalScanner from Frank Boldewin’s OfficeMalScanner suite, which can be used to investigate suspicious Office documents. Matt walks through some of the options and runs it over a maldoc. This looks like a good alternative to the decalage and Didier Stevens toolkits.
Malware Monday: OfficeMalScanner
- Torvalds Tuesday covers the etc folder on *nix systems and explains the key files found within the directory. “If you find yourself performing analysis, lean on the etc folder to tell you the location of logs, what level of logging to expect, and other details about the system and third party applications.“
Torvalds Tuesday: /etc
- Windows Wednesday expands on the previous post on AppCompatCache at the request of a reader. The post explores how AppCompatCache will record the application name/path even if it’s not executed, and includes drives mapped by RDP. RDP has the ability to map a local drive to the remote computer at connection time.
Windows Wednesday: More AppCompatCache
- Returning to the current crisis hitting ransomed database servers, apparently ransomware is now targeting Elasticsearch. Matt recommends adding authentication and security to your ELK stacks, as the attackers appear to be deleting data.
NoSQL Ransoms Spreading Further
- Full Packet Friday covers the tool ngrep, which “is a tool that provides grep capabilities at the network layer”.
Full Packet Friday: ngrep
- Jamie McQuaid at Magnet Forensics answers the frequently asked questions that came out of the “Investigating the Most Popular Browsers You’ve Never Heard of” webinar. Key takeaways include: IE private browsing history can be carved from disk, whereas Chrome/Firefox private browsing history only resides in memory, so look in the pagefile/hiberfil or a RAM capture if you’ve got one. Synced browsing history can be found in the SyncData.sqlite database in Chrome, and in the places.sqlite moz_historyvisits table in Firefox. The Browser Activity section of IEF/Axiom contains all of the “URLs we find on the system, but cannot attribute to a given browser or app”.
Investigating the Most Popular Browsers You’ve Never Heard of – Webinar Q&A
- The Blackbag Training Team explain the Windows Jump List artefact, which can be used to show file access and program execution. The authors explain that in Win10 this is on by default and the user doesn’t have the ability to modify the number of items displayed (outside of turning them off) without modifying a value in the registry. I haven’t really looked through it, but this page suggests that one has to modify the JumplistItems_Maximum value.
Windows 10 Jump List Forensics
- Miguel Ángel Mendoza at We Live Security provides an overview of José Miguel Baltazar Gálvez’s “study entitled Identifying the Original Source of a Digital Image” at last month’s Computer Security Congress. The analysis techniques covered in the study include Metadata, Analysis of the quantization or quantification matrix, and Analysis of Photo Response Non-Uniformity (PRNU). José Miguel also “presented the “AnálisisJPEG” tool for automatically comparing metadata and quantization matrices”.
Forensic analysis techniques for digital imaging
- Patrick J. Siewert at Pro Digital Forensics looks at an iOS 10.2 backup using Cellebrite PA and Magnet’s IEF and talks about the difficulties one may encounter. Firstly, a user may set a backup password, which will need to be entered or brute-forced before the backup can be examined. Secondly, UFED PA, at the time, would not parse out the ““analyzed data” into chats, web history, etc. like it used to with older versions of iOS”. Patrick then used IEF to carve out the data (rather than parse it). From Cellebrite’s perspective, I’m a little surprised that they aren’t able to put some of the key data in the analysed section when adding a new backup – the SMS.db, for example, in an unencrypted dump can easily be analysed if you go to the right file, which is the SHA1 of the sms.db path. It’s probably something that will be corrected shortly, as Cellebrite have typically been quite responsive to changes in iOS.
Mobile Forensics Monkey Wrench: iOS 10.2 and Encryption
- Pieces0310 shows how to locate the MACB timestamps using FTK Imager and WinHex.
How to check all timestamps of a file
- Adam at Hexacorn continues the Beyond good ol’ Run key series, this time focusing on VMWare’s poweroff, poweron, resume and suspend batch scripts as persistence mechanisms.
Beyond good ol’ Run key, Part 53
- Josh Liburdi at Sqrrl explains Command and Control and takes a look at how to hunt for C2 activity.
The Hunter’s Den: Command and Control
- John Meyers at NTT Security shows how to enable DNS logging and explains why you should incorporate DNS logs into your threat hunting. He also recommends attaching a sniffer to your egress points as “some malware hard-codes public DNS servers to request their command and control URLs”.
DNS Threat Hunting
MALWARE
- Cody Smith has a guest post on the Black Hills Info Sec blog about the various lessons he learnt from a client run-in with the Osiris malware (Locky variant).
My Ransomware Post-Mortem
- There were a couple of posts by Palo Alto Networks this week
- Robert Falcone has a post about the second wave of Shamoon 2 attacks hitting companies in Saudi Arabia. The post describes the malware and explains how it is slightly different to the previous iteration that was reported on last year.
Second Wave of Shamoon 2 Attacks Identified
- Brad Duncan comments on the evolution of the EITest campaign from October through December 2016.
Campaign Evolution: EITest from October through December 2016
- Simon Kenin and Arseny Levin at the Trustwave SpiderLabs blog examine the Terror Exploit Kit. Apparently just before they were going to publish the post “the landing page has been totally rewritten and it is sort of an un-obfuscated Sundown”. To make things more interesting “it looks like the author stole Sundown exploits after trying out the kit for a few weeks”.
Terror Exploit Kit? More like Error Exploit Kit
- Jake Williams has identified a piece of malware that tries to connect to Google prior to executing, as a sandbox evasion technique. The malware looks for the “<!do” characters found at the start of the Google HTML page, which it usually won’t find when a sandbox answers its request using tools like FakeDNS plus a generic web server.
Novel malware sandbox evasion
- Federico Maggi at TrendMicro examines the EyePyramid malware, which was supposedly used to exfiltrate “sensitive data from high-profile Italian targets” in a spear-phishing campaign. The malware was written in .NET, which can be decompiled; however, some key components were heavily obfuscated. The malware writers used a paid library, the MailBee.NET.dll APIs, ”used for building mail software … to send the exfiltrated data out to dropzones (i.e., email addresses) in use by the attacker”, which is what “led the authorities to the identity of the person behind the campaign.”
The Eye of the Storm: A Look at EyePyramid, the Malware Supposedly Used in High-Profile Hacks in Italy
- The guys at Securelist also had a look at EyePyramid and share a YARA rule based on the information provided in the declassified report.
The “EyePyramid” attacks
- Hasherezade and Jérôme Segura at Malwarebytes Labs analyse a spam campaign distributing Neutrino.
Post-holiday spam campaign delivers Neutrino Bot
- Daniel Regalado at FireEye dissects Ploutus-D, a “previously unobserved version of Ploutus”. “Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years”.
New Variant Of Ploutus Atm Malware Observed In The Wild In Latin America
- FireEye also released their report on their “visibility into the operations of APT28”, titled APT28: At the Center of the Storm.
- Danny Howerton at Proofpoint examines a spear-phishing attempt where the attackers used a maldoc containing an obfuscated “embedded object rather than macros to avoid detection”.
Targeted Threat Leads to Keylogger via Fake Silverlight Update
- Artem I. Baranov at Artem On Security has posted a couple of rootkit analyses
- This post examines the Wingbird rootkit used by the Neodymium group.
Wingbird rootkit analysis
- This post draws the similarities between Wingbird and Finfisher, as well as analysing Finfisher.
Finfisher rootkit analysis
- Brad Duncan’s post on the ISC Handler Diaries “describes a wave of Hancitor/Pony/Vawtrak malspam from Tuesday 2017-01-10”.
Hancitor/Pony/Vawtrak malspam
MISCELLANEOUS
- The folks at Securelist explain why you should attend their YARA training at SAS 2017 (April 1st/2nd). The training promises that “after two days … you’ll walk away with the ability to write rules and start using the tool for hunting malware”. They also advise booking your seat now as the class is capped at 15 participants.
How to hunt for rare malware
- The Photo Investigator explains why you may not find geotags on an iPhone-taken photograph. If the phone can’t get a geolocation it won’t fill it in. If the phone is on a Wi-Fi network it can look up the network’s location in a geolocation database.
Why Are Some of My iPhone Photos Missing Geotag GPS Locations?
- Chris Sanders continues his series on knowing your bias, this time covering anchoring. “Anchoring occurs when a person tends to rely too heavily on a single piece of information when making decisions, most often based on information received early in the decision-making process”. He then explains how anchoring affects security monitoring, and shares strategies for diminishing its effect.
Know Your Bias – Anchoring
- There were a few posts on Forensic Focus this week
- Scar interviewed John Patzakis of X1 Discovery, primarily asking questions about the new Rule 902(14) coming into effect in December this year.
Interviews – 2017 John Patzakis, Executive Chairman, X1 Discovery
- Scar also reviewed Bruce Nikkel’s Practical Forensic Imaging.
Reviews – 2017 Practical Forensic Imaging
- There was also an interview with Jade Promhouse, a software tester at Magnet Forensics.
Interviews – 2017 Jade Promhouse, Software Tester, Magnet Forensics
- Arsenal Consulting have added additional data to their Odatv case study.
Check Out @ArsenalArmed’s Tweet
- Jim Hoerricks at the Amped Blog explains how Amped FIVE complies with the recent “amendment to US Federal Rules of Evidence 902”.
Changes to US FRE in 2017. We’ve got you covered already!
- Jonathon Poling at Ponder The Bits advises that command-line utilities may not be the same across distros and may “cause oversight of critical data”. Jonathon compares GNU and BSD versions of grep, strings, sed, and find, and shows how the same command behaves differently on different OSs.
Know Your Tools: Linux (GNU) vs. Mac (BSD) Command Line Utilities
- Luis Rocha at Count Upon Security shares his thoughts on how defenders can use information shared in security reports about the various APTs. This also includes practical steps for extracting and utilising the reported IOCs.
Extract And Use Indicators Of Compromise From Security Reports
- Matthew Green has posted “a quick overview of using Windows Remote Management and PowerShell for Incident Response”. He also provides “some proof of concept setup instructions and general themes for those interested in further research on this topic.”
PowerShell Remoting and Incident Response
- Casey at subTee responds to the common reasons provided against application whitelisting.
Consider Application Whitelisting with Device Guard
- Jake Williams comments on how recruiters need to up their game and research the candidate prior to making contact – asking the question “what does this job offer that their current job might not”.
Blind recruiting on LinkedIn – advice to recruiters
- Cellebrite released a press statement about a recent security breach of a webserver containing a “legacy database backup of my.Cellebrite”. As a precaution, if you use my.Cellebrite it’s advised to change your password.
Cellebrite Statement on Information Security Breach
And that’s all for Week 2! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!