Week 6 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open

A colleague made a suggestion to reorder the categories slightly, so I’m giving it a go.


  • The guys at CyberForensicator have a couple of posts this week
  • There were a number of articles shared on Digital Forensics Corp this week
    • They shared an article by Jake Liefer at Security Risk Advisors on detecting mimikatz with sysmon.
      Detecting Mimikatz
    • They shared Scott J. Roberts and Rebekah Brown’s book, “Intelligence-Driven Incident Response: Outwitting the Adversary”, where they explain “the basics of intelligence analysis and the best ways to apply it to the function response to incidents”.
      Intelligence-Driven Incident Response
    • They shared a YouTube video by Anthony van der Meer called “Find my Phone – Subtitled” which is a documentary where the creator follows a stolen phone using spyware.
      Find My Phone
    • They shared an article by Will Strafach where he presents some findings “related specifically to iOS applications which are vulnerable to silent interception of (normally) TLS-protected data while in use”.
      Malicious Code In iOS Applications
  • Elcomsoft have a couple of posts this week
    • Oleg Afonin has started a series on breaking passwords. The article advises that password lists collated from the various security breaches/password leaks can be a good starting point, breaking roughly 30% of passwords in seconds/minutes (depending on the number of items in the list).
      How to Break 30 Per Cent of Passwords in Seconds
    • Vladimir Katalov explains how Elcomsoft’s Phone Breaker tool has the ability to extract Apple Safari history from the cloud, which includes deleted records. During their research they “discovered that deleting a browsing history record makes that record disappear from synced devices; however, the record still remains available (but invisible) in iCloud”. Elcomsoft also reached out to the media about the “issue”, and it appears that Apple has responded by purging the deleted records, leaving only those records deleted within the last two weeks.
      ElcomSoft Extracts Deleted Safari Browsing History from iCloud
  • Robert Craig and Michael Lambert have a post on Forensic Focus on the cache files created by Samsung’s sBrowser. They found that the cache files referenced the domain, “however, the specific webpage of the source URL in the web page cache files was not referenced”.
    Samsung sBrowser – Android Forensics: A Look Into The Cache Files

  • After a short hiatus, Matt Bromiley continues the Zeltser challenge
  • The Incident Response Team at SecureWorks explain a recent investigation where “an adversary gained access to an application server that allowed Terminal Services connections directly from the Internet”. An examination of the compromised system identified information important to the investigation; however, “examining a single system does not provide sufficient context to determine if a threat is contained because it contains a limited number of artifacts, many of which may be quickly overwritten”. “The search [of process creation data from the endpoint service] revealed that the compromised domain administrator account was used exclusively on the compromised system and had not been used to move laterally to other systems in the network”. This shows the importance of sources of information outside of the compromised machine when identifying the actions taken by an attacker.
    Effective Incident Response Requires Visibility

  • Ben S Knowles at DFIR Notes has documented some analysis tips for the use of Port Proxy, which he describes as a “clever use of built in Windows service control and network utilities (sc, netsh) [used] by some attackers”
    Port Proxy detection

  • The BlackBag Training Team have a post discussing “some of the new features of the 2016 MacBook Pro and how they may affect your forensic examinations”. The main takeaway is that the computer will turn on as soon as power is applied or the lid is opened, and therefore examiners should hold the Option key immediately to stop it from booting. They also advise that the current process for obtaining a forensic image of the drive is to boot an examination Mac into MacQuisition and then, using an appropriate adapter (see the post for the list), connect the suspect MacBook Pro booted in target disk mode.
    Forensic Examination Of The 2016 Macbook Pro

  • A new Mobile App analysis team has taken over from last year’s group, this time focusing on Signal, Passkeep, Facebook Lite and (possibly) Circle with Disney. Their “goal is to find any artifacts of forensic value left behind by these new mobile apps.”
    Mobile App Analysis Introduction

  • The guys at Paraben look at some of the data stored in the SQLite database associated with the Amazon Echo Android app
    Amazon Echo: New IoT Witness


  • Michael Haag wrote a couple of posts this week
    • The first post describes how to utilise Sysmon to perform threat hunting. Michael shows how he breaks things up between “high fidelity alerting, broad reporting, [and] reporting by process name”.
      Splunking the Endpoint: Threat Hunting with Sysmon
    • Next, he released a “simple generic Splunk App to help anyone almost instantly operationalize Sysmon data”.
      Hunting with Sysmon
  • Chris Brewer at Nuix lists a variety of open source resources that defenders can use to keep up with the latest threats. He also shows how to use them to create IOCs – using an example of a new maldoc that downloads a number of malicious executables.
    Open Source Threat Hunting

  • Jack Crook at “DFIR and Threat Hunting” shows how to identify “the use of net commands for enumeration and lateral movement, the scheduling of remote tasks, the use of psexec for tool execution, [and the] copying of files via command line” using the Windows security events.
    Patterns of Behavior

  • Chris Gerritz at Good Hunting talks about the two different types of Threat Hunter Personas: Threat Intel Analyst Hunters and DFIR Hunters. The former are those that like to take network-wide data and query the whole lot, whilst the latter prefer to drill down deep into the host. Chris explains that whilst the DFIR Hunters’ techniques are hard to scale, they are an important component of a mature hunting team.
    The Two Threat Hunter Personas

  • Ryan Wegner at CrowdStrike identifies a malicious PowerShell command that “has one of the hallmark identifiers of malicious PowerShell execution” (-windowstyle hidden). “Typically if the intentions are malicious, the command will also contain ‘-executionpolicy bypass’.” This command is part of a larger infection chain that drops TrickBot on the target system.
    Blocking Malicious PowerShell Downloads

  • Emmett Koen at Cisco explains what Indicators of Compromise are, and their usefulness, as well as the list of IOC feeds that AMP Threat Grid uses.
    Indicators of Compromise and where to find them


  • Jessica Hyde at Magnet Forensics will be hosting a 1-hour webinar on “new methods for discovering and parsing data from these unsupported applications”. Viewers will “learn how to test, find, parse, and script to obtain forensic evidence in new applications using a physical forensic image”. The webinar will take place 28th March 2017, 1 PM (GMT-5, 6 PM GMT), and is repeated on the following day.
    Methods for parsing new applications

  • Paul Slater and Carl Barron at Nuix will be hosting a webinar on “the trends and challenges in acquiring and [analysing] mobile devices”. The webinar will be held March 1st, 2017 at 11:00 AM GMT.
    Bridging the Gap Between Mobile and Computer Forensics


  • Cyberspeak has returned (kind of)! Cyberspeak is being rebooted, and in the meantime Brett Padres has launched a new show on the channel called Hacker Ninja Scissors. In the inaugural show Brett interviewed Robert M. Lee about his background and writing his books, as well as the Little Bobby comic.
    HackerNinjaScissors – Robert M Lee – Cyber Threat Intel

  • This week’s episode of the Digital Forensic Survival Podcast covered using Didier Stevens’ analyzepesig tool to examine portable executable (PE) files.
    DFSP # 051 – Analyzing PE Signatures
  • Douglas Brush interviewed Cindy Murphy this week on Cyber Security Interviews. Cindy, previously of the Madison Police Department, is now president and lead examiner at Gillware Digital Forensics. The interview covered Cindy’s background, her developments in the field of mobile forensics (including the SANS training course), privacy in the mobile era, mobile malware and its usefulness in an examination, women in DFIR (or the lack thereof, which is slowly improving) and more. Cindy also advises that it’s a good idea to find what you’re passionate about in the field and then sell that skillset to potential employers; as an employer, passion and creativity are things she finds important in a candidate.
    #012 – Cindy Murphy: Learn How To Learn

  • On this week’s Forensic Lunch, David Cowen and Matthew Seyer host Matt Bromiley and Michael Louis. Michael Louis, a tax attorney, was on to talk about how lawyers choose expert witnesses, and to give tips for improving your public speaking and presentation skills. Michael explained that he will look at your resume and practical experience, and then sit down and hear what you can add to the case. Using a lunch-related analogy, he showed how important it is to be able to take a complex concept and turn it into an understandable metaphor. To get noticed, one should build a portfolio of work (i.e. presentations and articles, getting your name out there), as attorneys are more likely to approach you based on recommendations than by doing a Google search for “DFIR Expert Witness”. You can also look up your own publicly available testimony, and use Toastmasters to work on your public speaking. Matt Bromiley also announced BBQCon for November this year in Dallas. BBQCon looks to be a slightly different type of conference; it feels similar to DFRWS in nature. Teams get together and solve a problem, and the conference is the presentation of your solution/tool. They will also interleave the con with delicious BBQ (including tours of the premises), and move to a different location each year. Lastly, Dave unboxed his new Sager laptop.
    Forensic Lunch 2/10/17

  • SANS have released the presentations from the Cyber Threat Intelligence Summit 2017.
    Community: Summit Archives

  • The presentations for BlueHat IL 2017 have been uploaded.
    BlueHat IL 2017 Presentations

  • Adrian Crenshaw has been uploading the videos from BSides Tampa 2017 to YouTube. Some of them are linked up here.

  • Cybercrime Technologies have uploaded a video showing “how to use a hash database with Autopsy 4”.
    How to add a hash database to Autopsy 4


  • Dinesh Venkatesan at Symantec examines the Android.Lockdroid.E malware that has recently been “used to deliver ransomware to Android devices”. As far as ransomware goes, however, apparently it’s difficult for the victim to pay the ransom.
    Android ransomware repurposes old dropper techniques

  • Greg Linares at Vectra has a writeup of “a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents”. “These documents use PowerShell to download and execute the reconnaissance tool to start their foothold in the victim’s network. This tool, known as ISM, appears to be a full-fledged standalone tool that allows remote operators to data-mine systems prior to removing their tracks with Shamoon 2.”
    An analysis of the Shamoon 2 malware attack

  • Gregory Paul and Shaunak at VinRansomware have also posted an analysis on Shamoon 2 along with the various IOCs.
    Detailed threat analysis of Shamoon 2.0 Malware

  • Byte Atlas has a post describing how to set up a Win7 x64 VM for malware analysis (along with explanations of why each step was taken).
    Knowledge Fragment: Hardening Win7 x64 on VirtualBox for Malware Analysis

  • Didier Stevens at NVISO Labs examines a maldoc that uses an exploit rather than VBA. This post focuses on extracting the payload.
    Maldoc: It’s not all VBA these days

  • The students at Champlain College have documented the tools that they plan to use to analyse freely available malware without compromising their host machines. They intend on using AWS, ThreatAnalyzer, REMnux, and HoneyDrive.
    Malware Analysis Introduction

  • Jason Reaves at ThreatGeek unpacked the SmokeLoader Downloader, which was recently observed being delivered by the Sundown EK.
    Understanding The SmokeLoader Downloader

  • Massimiliano Felici at My Infected Computer manually examines an unknown RTF file and identifies a flash object that is used to eventually deploy Cobalt Strike.
    From RTF to Cobalt Strike passing via Flash

  • Michael Viscuso at Carbon Black explains that fileless attacks are on the rise, with “almost every Carbon Black customer (97%) … targeted by a non-malware attack in 2016”. From the example provided, the reason seems to be that with the applications already on the endpoint (read: PowerShell), attackers don’t really need to drop an initial file.
    What Is a Non-Malware (or Fileless) Attack?

  • The guys at GReAT have a post at Securelist on fileless attacks, specifically looking at the use of meterpreter and mimikatz detected in the memory of a domain controller.
    Fileless attacks against enterprise networks

  • There were a couple of posts on the Palo Alto Networks blog
  • Kristopher L Russo’s whitepaper has been published on the SANS InfoSec Reading Room. The whitepaper “demonstrates a sample code framework that is easily and dynamically expanded on” and “shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems”.
    Obfuscation and Polymorphism in Interpreted Code

  • Brad Duncan has posted on the SANS ISC Handler Diaries regarding a recent infection of CryptoShield from EITest Rig EK, and Hancitor/Pony malspam


  • Dr. Neal Krawetz at the Hacker Factor has an update on the new features of his FotoForensics website. He’s added SSL, a (developers only) API, and “a TOR hidden service for accessing the Internet Archive”.

  • Devon Ackerman at Kroll has written an article describing the “three best practices that can help facilitate digital forensics on company-provided mobile devices”. These include: “establish and maintain defensible data access policies and consent/release/authorization forms, know [the] device passwords or control remote access with an enterprise security solution, [and] ensure device backups are available.”
    Navigating the world of smartphones & digital forensics

  • Registration for the Magnet User Summit 2017 Series is now open. The events will take place at the Hilton London Kensington on May 2, 2017, and Harrah’s Las Vegas Hotel & Casino on May 22, 2017.
    Registration for the Magnet User Summit // 2017 Series is Now Open

  • “The list of speakers & abstracts for BSidesNOLA 2017 is now online!”
    Check Out @BSidesNOLA’s Tweet

  • DFIR Guy at DFIR.Training explains that “the front page [of DFIR.Training] lists the most recent posts in categories of DFIR, Podcasts, eDiscovery, Security, and Hacking”. I agree with his sentiment that adding a date to your posts makes it much easier to determine how recent the information is; when going through pages I tend to skip the sites when I can’t tell if the post was put up (or updated) in the last week.
    Don’t be that DFIRer


  • Brian Baskin updated Noriben to version 1.7 adding numerous filters, updates to the hashing feature, and multiple small fixes to code and implementation styles.
    Check Out @bbaskin’s Tweet

  • VMRay Analyzer has been updated to version 2.0 (pending release). “The latest release has many new features including the addition of a built-in reputation engine …, support for the analysis of new sample types …, a new severity status label for threat classification, redesigned dashboards, simpler ways to create database backups and several improvements to the VMRay analyzer engine.”
    Vmray Analyzer V 2.0: Introducing The Reputation Engine

  • Cellebrite released version 6.0 of their UFED platform, adding a number of new devices* for physical and file system extraction, as well as a variety of new features including changing the colour palette, fuzzy modelling, and an SQLite wizard for building queries. They also released a video.
    *(Also, as a side note, if anyone from Cellebrite reads this, it’d be great to include the chipset in your supported device list.)
    UFED 6.0 Release Notes

  • Philippe Lagadec has updated his olevba Python script (v0.51dev1 development release) to fix a couple of issues.
    Check Out @decalage2’s Tweet

  • Matt Seyer updated his RustyUSN tool to version 0.3.0, adding “buffering with the seek_bufread library for better File IO operations” and speed improvements, as well as “human readable flags by default and [an] option for integer flags”.
    RustyUsn 0.3.0

  • “A new version of MISP 2.4.65 (and 2.4.64) has been released, including bug fixes and new features”, including “API access added to the MISP statistics”, “Mass tagging of attributes … at the event view level”, and “an advanced correlation mechanic has been added to support new extended correlations.”
    MISP 2.4.65 released

  • Phil Harvey updated ExifTool to version 10.42 (development release), fixing some bugs and adding new features surrounding reading and writing EXIF tags.
    Feb. 10, 2017 – Version 10.42

  • Elcomsoft updated their Phone Breaker tool to version 6.40 adding “the ability to extract deleted Safari browsing history records from iCloud”. Elcomsoft Phone Viewer was also updated to version 3.25 adding “the ability to filter deleted Safari browsing history records”.
    Elcomsoft Phone Breaker 6.40 Extracts Deleted Safari Browsing History from iCloud

  • X-Ways Forensics 19.1 SR-3 was released, fixing some bugs.
    X-Ways Forensics 19.1 SR-3

  • Preview 1 of X-Ways Forensics 19.2 has been released with a variety of new features and improvements.
    X-Ways Forensics 19.2 Preview 1


  • Nir Sofer has released a new tool for Windows called LoadedDllsView, which “scans all running processes on your system and displays the list of all DLL files loaded by these processes and the number of processes that load each DLL in the list”.
    New utility that shows all loaded DLLs on your system

  • Paraben Corporation have released a faraday bag with a window. “This new bag measures 10” x 12.5” … [and] contains the same capabilities for shielding as Paraben’s other StrongHold products, but with a viewable area for the device.”
    StrongHold with Window patented

And that’s all for Week 6! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
