SOFTWARE UPDATES
- Cellebrite have updated UFED Logical/Physical Analyzer and UFED Reader to version 5.4.7, adding new app versions and resolving some bugs. If you used the previous version to parse the iOS Viber app, I’d run it again to be sure.
UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 5.4.7 Maintenance Release (January 2017)
- Micro Systemation (MSAB) updated their Kiosk product to v7.2 with an “Improved true 64-bit version” providing “Faster and more reliable performance on your existing platform, Greater ability in handling larger extractions, [and] Prepares your units for XEC Director compatibility”.
MSAB Kiosk v7.2 just got quicker
- “A new version of MISP 2.4.60 has been released, including bug fixes and the long awaited attribute-level tagging feature.”
MISP 2.4.60 released
- Autopsy was updated to version 4.3.0, improving search and the GUI, along with assorted bug fixes and enhancements.
Autopsy 4.3.0 (Jan 18, 2017)
- The Sleuth Kit was updated to version 4.4.0 with minor updates.
The Sleuth Kit 4.4.0 (Jan 18, 2017)
- Magnet Forensics updated Axiom to version 1.0.9, adding new features including the parsing of new artefacts such as iCloud backups, and improved reporting.
Magnet AXIOM 1.0.9 Brings Improved Reporting and iCloud Backups
- Eric Zimmerman updated his AppCompatCache parser to version 0.9.6.0, adding “support for Vista, Windows 2003 and Windows 2008 (32bit) format”.
AppCompatCacheParser v0.9.6.0
- GetData’s Forensic Explorer was updated to v3.9.7.6164, adding “RegEx search capability to the Bookmark Enumerator window”.
17 Jan 2017 – v3.9.7.6164
- X-Ways Forensics 19.1 has officially been released, adding some minor improvements over Beta 2.
X-Ways Forensics 19.1
SOFTWARE/PRODUCT RELEASES
- Ted Smith has released an application called NSRL Stripper, which allows users to extract specific hash types (SHA1, MD5, CRC) from an NSRL text file.
Introducing NSRL Stripper – Easily convert NSRL hash set to single hash columns
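To show what “stripping” an NSRL set down to one hash column involves, here is an added example (my own code, not Ted Smith’s NSRL Stripper). It assumes the classic NSRL RDS text layout (quoted CSV with the header `"SHA-1","MD5","CRC32","FileName",...`); the sample rows are constructed.

```python
"""Pull one hash column out of NSRL RDS 'NSRLFile.txt'-style data.

Added example, not Ted Smith's NSRL Stripper. It assumes the classic NSRL RDS
text layout: a quoted CSV whose header reads
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"""
import csv
import io
from typing import Iterable, Iterator, List

# Expected hex length of each hash type the NSRL text format carries.
HASH_LENGTHS = {"SHA-1": 40, "MD5": 32, "CRC32": 8}
HEX_DIGITS = frozenset("0123456789ABCDEF")


def strip_hashes(lines: Iterable[str], hash_type: str) -> Iterator[str]:
    """Yield the chosen column, uppercased and de-duplicated, in file order.

    The same file (same hashes) appears once per product in NSRL, so the
    de-duplication is what turns the RDS into a usable single-column set.
    Rows whose value is not a well-formed hex string of the right length
    are skipped rather than poisoning the hash set.
    """
    if hash_type not in HASH_LENGTHS:
        raise ValueError(f"unsupported hash type: {hash_type}")
    reader = csv.DictReader(lines)
    if reader.fieldnames is None or hash_type not in reader.fieldnames:
        raise ValueError(f"column {hash_type!r} not found in header")
    want = HASH_LENGTHS[hash_type]
    seen = set()
    for row in reader:
        value = (row.get(hash_type) or "").strip().upper()
        if len(value) != want or not HEX_DIGITS.issuperset(value):
            continue
        if value not in seen:
            seen.add(value)
            yield value


def strip_text(text: str, hash_type: str) -> List[str]:
    """Convenience wrapper for in-memory data."""
    return list(strip_hashes(io.StringIO(text), hash_type))


def strip_file(src_path: str, dst_path: str, hash_type: str) -> int:
    """Stream a multi-GB NSRLFile.txt into a one-hash-per-line file; return count."""
    count = 0
    with open(src_path, newline="", encoding="latin-1") as src, \
            open(dst_path, "w", encoding="ascii") as dst:
        for digest in strip_hashes(src, hash_type):
            dst.write(digest + "\n")
            count += 1
    return count


# Constructed sample in the assumed RDS layout: the empty file listed under two
# products (duplicate hashes), one other file, and one malformed row.
SAMPLE_NSRL = "\n".join([
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"',
    '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt",0,1,"WIN",""',
    '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt",0,2,"WIN",""',
    '"2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12","9E107D9D372BB6826BD81D3542A419D6","414FA339","fox.txt",43,3,"WIN",""',
    '"NOTAHASH","zz","12","bad.bin",1,4,"WIN",""',
]) + "\n"
```

`strip_file("NSRLFile.txt", "nsrl_md5.txt", "MD5")` produces the single-column list that most tools expect for known-good filtering.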
PRESENTATIONS/PODCASTS
- Forensic Focus has posted the webinar by Richard Frawley, ADF Solutions, called “Streamline Your Digital Investigations”. The presentation and transcript can be found here.
Webinar: Streamline Your Digital Investigations
- Jamie McQuaid at Magnet Forensics will be hosting a webinar on RAM capture and analysis using Magnet RAM Capture and Axiom. The webinar will take place on Thursday, February 16, 2017, at 10:00 AM EST (3 PM UTC).
User Webinar: Memory Analysis with Magnet RAM Capture and Magnet AXIOM
- Matt Bromiley held a webinar on the recent spate of NoSQL database ransoms. The webinar discusses how easy the attacks are to perform, the artefacts left behind, and how to secure your instances going forward. The webinar has been archived and can be accessed through a SANS portal account.
Attacks on Databases: When NoSQL became NoDatabase
- John Strand at Black Hills InfoSec has a webcast on “Live Forensics & Memory Analysis” based on the SANS 504 course.
WEBCAST: Live Forensics & Memory Analysis
- Lesley Carhart was on Paul’s Security Weekly last week discussing her history and her advice for those in security dealing with incident responders.
Paul’s Security Weekly #496 – Lesley Carhart, Motorola Solutions/US Air Force Reserve
- Karsten Hahn has started a podcast called “Ask An Analyst” on YouTube, where he asks analysts questions about their day-to-day roles in security and malware analysis.
The first two episodes are up on YouTube and the two guests, Sarah and Fabian, first answer questions “about hobbies, avatars and interests”, and then “about our daily work and what we like in analysing malware.”
Ask an Analyst – Fabian and Sarah Explain their Polar Bear Obsession, Ask An Analyst – Frustrating and Exciting Sides of our Job
- The Forensic Lunch was on this week, where Dave and Eric Zimmerman updated us on their work. Eric ran through the updates to the latest iteration of his ShellBags Explorer, and a bit of Registry Explorer. Dave gave an update on the happenings at G-C Partners: Dave and Matt will be attending Enfuse to give their presentation on linking LNK and Shellbag data, and DEFCON, where Dave will be hosting a suite for DFIR people to hang out and competing in the forensic challenge, as well as the DFIR Summit and DFRWS (as a side note, living in Australia has its downsides when it comes to attending these fantastic conferences). Dave also mentioned the usefulness of the Event Tracing Logs, which hopefully he and Nicole will be able to document and share. There will also be an episode next week!
Forensic Lunch 1/20/17
- On this week’s Cyber Security Interview, Douglas Brush interviewed Ismael Valenzuela. “In this interview we will discuss learning security on his own, scoping penetration testing projects, security in the healthcare industry, running international teams, how to drive an internal security culture, developing internal training programs, threat hunting and his rastrea2r threat hunting tool, lessons learned from his IR work, and much more.”
#009 – Ismael Valenzuela: Let’s See What Happens
- On this week’s Surviving Digital Forensics podcast, Michael talks about considerations for digital evidence integrity when collecting evidence on-scene from a live system. As Michael notes, integrity of evidence is very important, especially if the information is going to pass in front of an attorney.
DFSP # 048 – Evidence Integrity On-Scene
FORENSIC ANALYSIS
- Matt Bromiley continues the Zeltser challenge
  - Scripting Saturday walks through using the Shodan API in Python.
  Scripting Saturday: Shodan via Python
  - This post gives an update on Matt’s work investigating the recent MongoDB/ElasticSearch breaches and also announces that he will be working with the GDI Foundation to help make a safer Internet for everyone.
  Elastic Ransoms Grow
  - Torvalds Tuesday discusses mounting image files in Linux.
  Torvalds Tuesday: Mount Up!
  - Tooling Thursday covers Paul Sanderson’s DateDecoder. This is a great tool to decode a list of timestamps or determine which date format a series of characters uses.
  Tooling Thursday: DateDecoder
  - This post digs into the event logs that are generated when a Metro app is installed on Win8+.
  Research: Modern Application Installation
  - For Full Packet Friday, Matt runs through the Malware-Traffic-Analysis.net exercise from April 16, 2016.
  Full Packet Fridays: Malware Traffic Analysis
- Adam at Hexacorn adds a few posts to the Beyond good ol’ Run key series
  - The first shows how the “Legacy CPL Mapping” can be abused to execute programs whenever CPLs in Windows are opened (i.e. date/time or firewall settings).
  Beyond good ol’ Run key, Part 54
  - Secondly, he shows how a malicious actor can replace the executables referenced under the “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer” subkey with malicious files for persistence.
  Beyond good ol’ Run key, Part 55
  - Thirdly, he shows how modifying the HREF tag in a SysLink control can be used to execute a program (rather than link to a website), although Adam admits this is a stretch to see in the wild.
  Beyond good ol’ Run key, Part 56
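A detection check for the Part 55 technique, as an added example (my own code, not Hexacorn’s): it reads the default value of each subkey under the MyComputer key and flags any command whose executable does not resolve under System32. The subkey names and stock-looking values in the sample are assumed, modelled on the layout Adam describes, and the third entry is constructed to show a replaced binary.

```python
"""Audit the command values under Explorer\\MyComputer for persistence.

Added example, not Hexacorn's code: it flags subkeys whose default value no
longer points at a Windows binary under System32. Subkey names and stock
values in the sample are assumed (modelled on the layout Adam describes).
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

MYCOMPUTER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer"


def first_token(command: str) -> str:
    """Return the executable part of a command string, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using env (case-insensitive, like Windows)."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper_env.get(m.group(1).upper(), m.group(0)), path)


def audit(entries: Iterable[Tuple[str, str]],
          env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (subkey, command, reason) for every entry that leaves System32."""
    upper_env = {k.upper(): v for k, v in env.items()}
    system32 = ntpath.normcase(ntpath.join(upper_env["SYSTEMROOT"], "System32")) + "\\"
    findings = []
    for subkey, command in entries:
        exe = ntpath.normcase(expand(first_token(command), upper_env))
        if not ntpath.isabs(exe):
            findings.append((subkey, command, "not an absolute path"))
        elif not exe.startswith(system32):
            findings.append((subkey, command, "executable outside System32"))
    return findings


def read_live_entries() -> List[Tuple[str, str]]:
    """Collect (subkey, default value) pairs from the live registry; Windows only."""
    import winreg  # imported here so the audit logic stays portable
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MYCOMPUTER_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "")
                except OSError:  # subkey has no default value
                    continue
                entries.append((name, str(value)))
    return entries


# Constructed sample: two stock-looking entries and one replaced binary.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows"}
SAMPLE_ENTRIES = [
    ("cleanuppath", r"%SystemRoot%\system32\cleanmgr.exe /D %c"),  # assumed stock value
    ("DefragPath", r'"%SystemRoot%\system32\dfrgui.exe"'),          # assumed stock value
    ("BackupPath", r"C:\Users\Public\svchost.exe"),                 # constructed: replaced
]

if __name__ == "__main__":
    import os
    entries = read_live_entries() if os.name == "nt" else SAMPLE_ENTRIES
    env = dict(os.environ) if os.name == "nt" else SAMPLE_ENV
    for subkey, command, reason in audit(entries, env):
        print(f"{subkey}: {command!r} ({reason})")
```

Run on a Windows host it audits the live key; elsewhere it runs over the constructed sample, so the logic can be checked without a Windows box.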
- The Blackbag Training Team posted a couple of times
  - This post covers the change in OS X from storing recently accessed files in com.apple.recentitems.plist to “a new type of file called LSSharedFileList”. Each category has its own LSSharedFileList (binary plist) file. The post walks through the various SFL files on macOS Sierra and shows what data is available. I would like to see further investigation into the Alias/Bookmark (BOOK) data held in the “Data” field of some of the entries. I’ve done a small amount of research into it using Simon Key’s alias decoding EnScript and I recall I found a couple of dates that may be of use. If someone wants a project…
  Recent Items In MacOS Sierra
  - On the Windows Forensic Essentials side, the author explores the Recycle Bin on Windows 10.
  Examining The Windows 10 Recycle Bin
- The guys at Cyberforensicator shared a number of journal articles this week
  - They shared a journal article by Bhupendra Singh and Upasna Singh, published at DFRWS Europe 2016, on “a forensic insight into Windows 10 Jump Lists”.
  A forensic insight into Windows 10 Jump Lists
  - They shared a journal article by Christopher John Lees, published in the December 2016 Journal of Digital Investigation, on “GVFS metadata: Shellbags for Linux”.
  GVFS metadata: Shellbags for Linux
  - They shared a journal article by Ahmad Ghafarian and Seyed Amin Hosseini Seno, published in the August 2016 International Journal of Computer Applications, on “Forensics Evaluation of Privacy of Portable Web Browsers”.
  Forensics Evaluation of Privacy of Portable Web Browsers
  - They shared an article by Charalambous Elisavet, Bratskas Romaios, Koutras Nikolaos, Karkas George, and Anastasiades Andreas, published in the Journal of Polish Safety and Reliability Association, Summer Safety and Reliability Seminars, Vol. 7 No. 1, 2016, on “Email Forensic tools: A Roadmap To Email Header Analysis Through A Cybercrime Use Case”.
  Email Forensic Tools: A Roadmap to Email Header Analysis Through a Cybercrime Use Case
- Digital Forensics Corp shared a couple of articles this week
  - They shared Rhys P Evans’ book, Windows 10 Forensic Analysis, which purports to be “a documented, investigative framework for the forensic analysis of the Windows 10 operating system conducive to the forensic practitioner.” There was a discussion on Forensic Focus, where it doesn’t seem as if many people have read the book yet. It looks like the author has self-published his honours thesis – not to say there can’t be anything useful in it, just that I’m a little wary of dropping money on a book without any recommendations.
  The Book “Windows 10 Forensic Analysis”
  - They shared Annie John’s i2 Analyst’s Notebook Overview.
  I2 Analyst’s Notebook Overview
- Foxton Forensics show how to keyword search in their Browser History Examiner tool.
Analysing web browser history by URL category
- Jonathon Poling at Ponder The Bits has written a response to the SANS post “The Cloud Is Evil” (which was here, but has been taken down; thanks to Google, it’s been cached here). Jonathon’s stance is that the cloud isn’t evil and that top-tier providers, such as AWS and Azure, facilitate the ability to conduct a full forensic examination – “I contend that it is actually easier to acquire and analyze a system within AWS than it is in most any on-premises environment”. On the same note, if we’re lucky, we’ll see his presentation on the subject at the DFIR Summit in June.
A Response to “The Cloud is Evil…”
- There were a couple of papers posted to the SANS InfoSec Reading Room
  - Taurean B. Dennis’s white paper compares data analytics tools with forensics tools for specific use cases – primarily index and search. I’ll have to read through it again when it’s back online (there are no pictures in the cached version), but from the looks of things, Taurean ran the Index module in Case Processor over the E01 image, and then compared that to the time that Tableau Desktop and ElasticSearch took to index/keyword search a plaso timeline of the same data. The author acknowledges this error; however, I’m not sure that makes the test valid. The searches conducted in EnCase would have been run across the entire drive, rather than the metadata extracted through plaso; this would explain the time differences seen in searching. I do agree with his point that there is a convergence happening between forensics and data analytics tools. I would, however, like to see the tools stay separate so that we can have very good deep-dive forensic suites and very good data analytics suites, rather than half-cooked versions of both. For additional information on speed testing, you can check out Eric’s post from last year.
  How Data Analytics Saved Me Money On My Digital Forensics Services
  - Dave Shackleford posted a product review of LogRhythm’s NetMon Freemium product.
  Packets Don’t Lie: LogRhythm NetMon Freemium Review
- Johnny Appleseed (Jordan Potti?) has posted an article on the basics of Windows IR, including the various artefacts and the commands to examine them.
Basics of Windows Incident Response
MALWARE
- Karl Denton at Malware Musings unpacks a JavaScript malware downloader that randomly downloads different malware each time it’s run.
A Thousand Monkeys Writing a JavaScript Malware Downloader: De-obfuscating the JavaScript
- Samuel Alonso at Cyber IR analyses the memory dump that he captured previously and looks into rogue process identification.
Memory Forensics with Vshot and Remnux (rogue process identification, 2)
- Dr. Ralf Hund at VMRay examines Spora, a new ransomware variant targeting only Russian-speaking users. The HTA dropper extracts a malicious JScript file, “which does a bit of deobfuscation and AES decryption to get to the next payload”. The second payload downloads Spora and a corrupt docx file.
Spora Ransomware Dropper Uses HTA To Infect System
- Karsten Hahn at the G Data Security Blog also examines Spora. Something that the previous article didn’t mention is that the core Spora executable has a hardcoded filename, 81063163ded.exe, which I’m sure will change in the next version. This article then breaks down the payload and shows how it utilises LNK files to execute. Not to compliment the malware author, but the malware hides all “files and folders on the desktop, in the root of removable drives and the system drive”, replaces them with a shortcut that opens the files/folders whilst executing the malware, and modifies the registry so shortcuts don’t show up with their characteristic icon. Karsten then provides an overview of the encryption used, some statistics about encrypted files, as well as the IOCs.
Spora – the Shortcut Worm that is also a Ransomware
- Thanassis Diogos at Trustwave SpiderLabs has shared some information about the movements of the Carbanak group from mid-2016. This post summarises the advanced threat report that SpiderLabs has produced.
Operation Grand Mars: a comprehensive profile of Carbanak activity in 2016/17
- Nicholas Griffin at Forcepoint examines a weaponised document linked to the Carbanak group. The RTF document “has an embedded OLE object which contains [an encoded] VBScript file”. One of the modules within the VBScript file “is capable of using Google services as a C&C channel”. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.”
Carbanak Group Uses Google For Malware Command-and-control
- There were a couple of posts by Fortinet this week
  - Kai Lu takes a look at some Android Locker malware that “leverages the Google Cloud Messaging (GCM) platform … as part of its C2 infrastructure”.
  Android Locker Malware uses Google Cloud Messaging Service
  - Amir Zali unpacks “a variant of the Gafgyt family” whose “main intention … is to launch a DDoS attack”.
  Linux Gafgyt.B!tr Exploits Netcore Vulnerability
- Thomas Reed at Malwarebytes Labs examines some Mac malware, which they’ve named OSX.Backdoor.Quimitchin, that “seems to be targeting biomedical research centers”. Thomas also mentions that the malware, with the exception of one of the files, will also run on Linux.
New Mac backdoor using antiquated code
- “Palo Alto Networks Unit 42 threat intelligence team has just released new research that has uncovered a previously unknown second wave of Shamoon 2 attacks“. “Full technical details including associated indicators of compromise (IOCs) that can be used for more detailed analysis and protection, can be found [in] the full report.”
Threat Brief: Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic
- Nick Biasini at Talos has authored a post on a couple of Locky spam campaigns that are currently running whilst the Necurs botnet is offline. One of the campaigns even downloads Kovter as well as Locky, to hit the victim even if they pay the ransom.
Without Necurs, Locky Struggles
- Monnappa K A at Cysinfo “describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs (MEA)”. The e-mails contained a maldoc which downloads the encoded payload from Pastebin. “The dropped file was determined as modified version of njRAT trojan.”
Uri Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs
- Federico Maggi at TrendLabs continues to examine the EyePyramid malware. Apparently, a number of samples were uploaded to VirusTotal which the researchers believe to be false flags. This article explains how the malware has evolved, its features, how it was analysed, and more.
Uncovering the Inner Workings of EyePyramid
- Benkow has started a new blog called “Malware Lab_”, and the inaugural post examines the recent Ursnif campaign, which utilises a JScript dropper spread via fake invoices.
A journey inside Ursnif campaign
- There were a couple of posts at McAfee’s “Securing Tomorrow, Today” blog
  - Thomas Roccia shows a POC for protecting your PC against malware by using its own anti-VM detection techniques against it. The tool that Thomas has shared takes a number of the known anti-sandbox techniques used by malware and recreates their indicators on the non-VM computer, so that when the malware runs it thinks it’s in a VM and doesn’t execute.
  Stopping Malware With a Fake Virtual Machine
  - Sudhanshu Dubey has posted part 1 of 2 on the KillDisk ransomware seen on both Linux and Windows systems. This post shares some basic information about the malware, as well as describing the whitelisting method it uses to prevent analysis.
  Analyzing KillDisk Ransomware, Part 1: Whitelisting
- Blaine Stancill and Joshua Wang at Endgame dive into Challenge #2 of the FireEye 2016 Flare-On challenge.
Dude! Where’s My Ransomware?: Solving A Flare-On Challenge
- Brad Duncan has posted on the SANS ISC Handler Diaries regarding the Sage 2.0 malware that he has examined.
Sage 2.0 Ransomware
MISCELLANEOUS
- There were a few posts on Forensic Focus this week
  - They shared a video on Stuxnet; however, since it’s on BBC iPlayer, it is restricted to UK IPs.
  Zero Day: Nuclear Cyber Sabotage – Stuxnet documentary on BBC iPlayer
  - They interviewed Jamie McQuaid, a Forensics Consultant at Magnet Forensics.
  Interviews – 2017 Jamie McQuaid, Forensics Consultant, Magnet Forensics
  - There was also a call for papers and presentations for DFRWS 2017. The submission deadline for research papers is February 1, 2017, and March 31, 2017 for presentations.
  DFRWS USA 2017 Call for Papers
- Scott J Roberts discusses a potential answer to the interview question “What happens when you put a URL in the address bar of a browser and hit enter?” and then proceeds to offer his opinions on better questions. I liked the part about practical tests, allowing someone to work through the problem in a real-world scenario.
The “What happens when you use a browser?” Question
- Oleg Afonin at Elcomsoft has a few posts this week
  - First, he analyses the transparency reports produced by Apple, Google, and Microsoft.
  Government Request Reports: Google, Apple and Microsoft
  - Then, he examines the rules around Google certification of fingerprint readers on Android phones. According to Oleg, “Google has developed a very strong security policy for devices receiving Android 6 or 7 out of the box”; however, these operating systems are only on roughly 30% of Android devices globally.
  Fingerprint Readers in pre-Android 6 Smartphones: A Call for Disaster
  - In this post, Oleg provides a brief overview of a number of Android devices.
  Inside ElcomSoft Lab. Part 1
- Magnet Forensics has a post regarding the Canadian Centre for Child Protection. “This week, the Canadian Centre for Child Protection launched a tool to combat the proliferation of child sexual abuse material on the Internet”. “Project Arachnid is an automated crawler that detects images and videos of illegal content and helps reduce the online availability of this type of material.”
Magnet Forensics Raises Funds to Help the Canadian Centre for Child Protection
- Chris Pogue at Nuix shares his thoughts on causation and attribution. As Chris explains, attribution is difficult, and he warns “that the evidence used to attribute a malicious actor’s origination point … are relatively easy to manipulate”.
Attribute With Context to Prevent Erroneous Responses
- Marc Padilla has examined an Amazon Echo Dot system image and provides some thoughts on how it could be compromised.
Amazon Echo Dot System Image
- The CFP for IoT-SECFOR 2017 is open until 23rd February 2017. This event is held in conjunction with the 10th IEEE International Conference on Internet of Things (iThings 2017) in Exeter, UK, 21-23 June 2017.
- The CFP deadline for the 2017 ADFSL Conference on Digital Forensics, Security and Law has been extended to 11:59 p.m. EST, 31 January 2017.
- David Spreadborough at Amped walks through the beginner’s guide to installing and using Amped’s DVRConv product. DVRConv is a product used to convert unplayable video files.
Amped DVRConv: The Beginners Guide
- Yulia Samoteykina at Atola shows how to limit the size of your (SATA) target drive to the size of your source drive by modifying the size of the Host Protected Area when creating a duplicate copy. This is useful when you would like the hash of the target drive to be the same as the source.
Clip Target Drive to Source Evidence Size
- DFIR Guy at DFIR.Training has a post about the dilemma surrounding the legal authority to access someone’s data. He also shares a handy little diagram to help guide people through the decision-making process (spoiler alert: if you can perform the requested task, get legal authority first).
Just because you can doesn’t mean you can.
- In industry-exclusive news, the “Threat Intelligence Spreadsheet” (by Mary Kennell) and the “Digital Forensics / Incident Response – The Definitive Compendium Project” (by Devon Ackerman) have merged and re-launched as a redefined and re-imagined project fresh for 2017. It now has more than 19 categories of information revolving around DFIR, including Certifications, Training, Degrees, Malware Analysis, Threat Hunting, DFIR Communities, Articles, Blogs, Books, Videos, and more. Devon and Mary appear to have a lot planned, so it will be interesting to watch the site grow and mature. The site can be accessed at AboutDFIR.
And that’s all for Week 3! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
* Apologies for the formatting errors, I tried to get most of them but eventually gave up because the editor is frustrating 🙂