Nominations for the 2017 Forensic 4Cast Awards are still opened! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
FORENSIC ANALYSIS
- The Blackbag Training Team show the various aspects of the Windows registry and setupapi.dev.log that contain information about USB device connections.
Analyzing USB Entries in Windows 7 - There were a few articles shared by CyberForensicator this week
- They shared an article by Alexandre Dulaunoy on using SquashFS as a Forensic Container
SquashFS as a Forensic Container - They shared an article by Narmeed Shafqat in the IJCSNS International Journal Of Computer Science and Network Security called “Forensic Investigation of User’s Web Activity on Google Chrome using various Forensic Tools”.
Forensic Investigation of User’s Web Activity on Google Chrome using various Forensic Tools - They shared a tool by Lasha Khasaia called SSMA, which “is a simple malware analyzer written in Python 3”
Simple Static Malware Analyzer - They shared Mark Baggett’s Srum-dump tool for parsing the “System Resource Utilization Manager” artefact
Extract data from System Resource Usage Monitor database with srum-dump
- They shared an article by Alexandre Dulaunoy on using SquashFS as a Forensic Container
- Samuel Alonso at Cyber IR runs through a number of plugins in the Vshot script, that was run against a system infected with Stuxnet.
Memory Forensics with Vshot and Remnux (process objects, network artifacts and attacker activity,3) - Didier Stevens shows how to “have ClamAV decrypt and scan a password protected ZIP file.”
Quickpost: ClamAV and ZIP File Decryption - There were quite a few articles shared by Digital Forensics Corp this week
- They shared an article by David Harley on “Next-gen security software: Myths and marketing”. “In this article, he questioned the virus scan algorithm between new and old antivirus.”
Security Software: Myths and Marketing - They shared an article by Samir B. on using Windows Security Event Logs to detect Mimikatz.
Mimikatz detection - They shared an article released by Microsoft that walks through “the credential theft attack techniques by using readily available research tools on the Internet. At each point of the attack we will show how Microsoft’s Advanced Threat Analytics (ATA) helps IT organizations gain visibility into these post-infiltration activities happening in their environments”.
Advanced Threat Analytics - They shared an article by James Scott at the Institute for Critical Infrastructure Technology claiming that “signature based malware detection is dead” and “critical infrastructure cybersecurity must rely on predictive, preventative, and protective solutions that detect and mitigate threats preexecution”.
Is Signature Based Malware Detection Dead? - They shared an article by Gibin John which highlights a “few API calls which are commonly used by malware’s to accomplish certain task.”
Malware’s APIs - They shared a link to Microsofts new Police Analyzer tool, which “is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies.”
New Microsoft tool: Policy Analyzer - They shared a cheat sheet from @ovid that may be useful for reverse engineers.
Amazing note for reverse engineers - They shared a post by Riccardo Tani on “DFIR and Log Analysis with EmEditor”
DFIR and Log Analysis
- They shared an article by David Harley on “Next-gen security software: Myths and marketing”. “In this article, he questioned the virus scan algorithm between new and old antivirus.”
- Oleg Afonin at Elcomsoft shows how to use their Elcomsoft Internet Password Recovery tool to export a password list from a computer’s cached passwords. This password list can then be combined with a number of mutations to aid in password cracking.
How to Break 70% of Passwords in Minutes - Chris Cohen has written an article for Forensic Focus on imaging a Linux Virtual Private Server (VPS). This includes the various steps required and potential pitfalls
Asking A VPS To Image Itself - David Cowen at the HECF Blog has posted a guide for building DFIR Lab Standard Operating Procedures (SOPs). Dave gives a run through of a sample SOP for examining Prefetch on a system, and then shows how you can chain various SOP’s together. The Do’s and Don’t section is also particularly helpful for those looking to write out a series of examination SOPs.
SOPs in DFIR - Jessica Hyde at Magnet Forensics “gives an overview of Portable Case [feature of IEF and AXIOM) and its benefits”. Portable cases allow examiners to export the results for review without requiring a license. The comments/bookmarks etc can then be merged back into the case at a later stage.
Deep Dive on Portable Case Part One - Mark McKinnon has created a module for Autopsy that allows you to run plaso against your image, or import a plaso storage file.
Plaso Autopsy Python Plugin(s) Module - Matt Bromiley takes a look at the MongoAudit tool, which “is an automated command-line testing tool for MongoDB”. Matt explains that this tool can hit the low hanging fruit and also provide a high-level scorecard of your MongoDB instance.
Tool Review: mongoaudit - The Bluetooth team at Champlain College have begun their investigation into Bluetooth security using the BlueHydra and Btlejuice. They began their ‘recon phase’, where they compiled their list of devices and the relevant information that they were able to discover such as “such as how they were discovered, their MAC addresses, and the version of Bluetooth they’re running.”
Bluetooth Security Forensics 2.0
THREAT INTELLIGENCE/HUNTING
- Samuel Alonso at Cyber IR shares a list of his favourite network threat hunting books
Network Threat Hunting Books - Didier Stevens at NVISO Labs shows how to use YARA rules with ClamAV to hunt for malicious files
Hunting with YARA rules and ClamAV - Henrik Johansen has set up an extensive honeypot network where he can watch attackers perform. Interestingly, he wants to subject the attackers to controlled experiments by changing stimuli and recording the results.
Deception — turning the tables on your adversaries
UPCOMING WEBINARS
- Josh Liburdi and Chris McCubbin at Sqrrl will be hosting a webinar on how to leverage DNS to surface attacker activity. The webinar will take place Wednesday, March 1st at 2:00 pm ET / 11:00 am PT (7:00 pm UTC). You can register here.
PRESENTATIONS/PODCASTS
- On this week’s Digital Forensics Survival Podcast, Michael talks about using FreeMind to visualise your findings. The show notes have an example diagram on how Michael sets out his mindmap. I had to do this for a job just recently but chose to use Visio because it gave me a bit more freedom in moving the sections around (and adding in Clip Art, of course). Regardless of the tool, visualising a case can make understanding it and explaining it a lot easier.
DFSP # 052 – Free Your Mind - Lee Reiber has posted another Mobile Forensics Minute talking about the “data/com.android.providers.media/databases/” database, which contains metadata for images on an SD card, even if the images/SD Card have been removed.
Mobile Forensic Minute 109 - Fabian Wosar has posted a live stream of reversing the HERMES ransomware. It’s 4 hours long, so buckle in if this is something you’re interested in.
Reversing HERMES ransomware - Karsten Hahn at MalwareAnalysisForHedgehogs unpacks Spora and has “a look at the part of Spora’s encryption prodecure that encrypts the .KEY file.”
Malware Analysis – Exploring Spora’s Encryption Procedure - OALabs have posted a video walking through “unpacking a Visual Basic 6 ( VB6 ) packer using API hooks with IDA Pro and the remote debugger”.
Unpacking VB6 Packers Like A BO$$ - Paula Januszkiewicz at CQURE has posted her slides from RSA 2017 on her talk on the artefacts left on disk.
RSA Conference 2017: What System Stores on the Disk Without Telling You - Mark Russinovich released his presentation from RSA 2017 on threat hunting with Sysmon
Check Out @markrussinovich’s Tweet - John Strand at Black Hills Info Sec has posted a video analysing memory on a compromised systems. The video covers “the tools to dump memory from a system and some of the basic tools to look at the memory of a system which may be compromised”.
WEBCAST: Windows Memory Forensics - Nicole Lamoureux has posted links to the presentations from BSidesSF 2017.
Resource: BSidesSF 2017 Talks
MALWARE
- The SANS Reading Room has posted Kevin Kelly’s whitepaper on the TeslaCrypt malware. “This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network”
Indicators of Compromise TeslaCrypt Malware - The guys at Bad Cyber have provided a technical analysis of an attack that is being seen across several Polish banks. A malicious JS file was used to download malware ” to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration.”
Technical analysis of recent attacks against Polish banks - The guys at the BAE Systems Threat Research Blog have also looked into the attacks on Polish financial institutions, and also analyse the Lazarus malware
Lazarus & Watering-hole Attacks - Winston M at Cysinfo analyses a maldoc that drop’s Loki Bot using the UAC bypass technique that utilises eventvwr.exe.
Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries! - The ‘Finding Vulnerabilities’ blog analyses the Rovnix dropper, first performing some information gathering steps, such as static analysis of the file, online research, execution in VM (and subsequent examination of FakeNet data), and briefly loading the sample in IDA Pro. After determining that the sample was packed, they then show how to unpack the binary.
- Floser Bacurio and Joie Salvio at Fortinet demonstrate how the REMCOS RAT “is being used in an attack, and what its latest version (v1.7.3) is capable of doing”.
REMCOS: A New RAT In The Wild - Tim Berghoff at the G Data Security Blog advises that G Data’s researchers have observed an increased number of infections by the ZeuS banking malware. He also provides a brief explanation about how banking trojans work.
Zeus Panda is back - Yu Nakamura at the JPCERT/CC Blog provides some information on the ChChes malware, including how it communicates. “ChChes is a type of malware that communicates with specific sites using HTTP to receive commands and modules. There are only few functions that ChChes can execute by itself. This means it expands its functions by receiving modules from C&C servers and loading them on the memory.”
ChChes – Malware that Communicates with CC Servers Using Cookie Headers - There were a couple of posts on the Lastline Labs Blog
- Marco Cova has a look at the various evasion techniques used by malicious JScript files. These include stalling code, COM object emulation detection, timebombs, and environment checking
Evasive JScript - Clemens Kolbitsch, Alexander Sevtsov, and Arunpreet Singh continue the series on VBA downloaders, this time looking at the “limited coverage of security solutions on the different parts of the attack chain”. The authors explain that malicious actors take advantage of social engineering, password protected files (that are harder to scan), unusual program types (such as Publisher files), as well as misleading file types such as DOCM and MHT, to infect unsuspecting users.
Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3]
- Marco Cova has a look at the various evasion techniques used by malicious JScript files. These include stalling code, COM object emulation detection, timebombs, and environment checking
- MalwareTech shows how to unpacked the Dridex loader
Let’s Unpack: Dridex Loader - Macro Ramilli dissects a copy of Crypt0L0cker
Crypt0l0cker Revival ! - There were a couple of posts on the McAfee Labs blog
- Sudhanshu Dubey continues to analyse the KillDisk ransomware. Two variants have been uncovered, one which encrypts the data, and the other which overwrites it. Sudhanshu also shows how to unlock the screen when the ransom information is shown.
Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking - Yerko Grbic documents a malicious Excel doc downloader that uses MacScript (instead of PowerShell) to execute. The doc checks to see if WScript.Shell is present, and if it isn’t, executes the macshell module.
Macro Malware Targets Macs
- Sudhanshu Dubey continues to analyse the KillDisk ransomware. Two variants have been uncovered, one which encrypts the data, and the other which overwrites it. Sudhanshu also shows how to unlock the screen when the ransom information is shown.
- There were a number of posts on the Palo Alto Networks Blog this week
- Robert Falcone takes a look at the macOS variant of XAgent including the commands that it is sent by the C2, it’s keylogging functionality, and infrastructure.
XAgentOSX: Sofacy’s XAgent macOS Tool - Bryan Lee and Robert Falcone take a look at “a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016”, which they have named Magic Hound. The attackers used weaponized documents “which were designed to call Windows PowerShell to retrieve additional tools”. The attackers also used the open source Python RAT called Pupy. “The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public. None of the tools we uncovered were found to be exploit-driven, and relied exclusively on social engineering tactics to compromise targets”
Magic Hound Campaign Attacks Saudi Targets - Jen Miller-Osborn and Josh Grunzweig provide some additional information about ChChes, mentioned previously by JPCERT/CC.
menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
- Robert Falcone takes a look at the macOS variant of XAgent including the commands that it is sent by the C2, it’s keylogging functionality, and infrastructure.
- Ido Naor at Securelist takes a look at a recent attack against Israeli soldiers around the Gaza Strip, where a malicious APK was installed by the victims.
Breaking The Weakest Link Of The Strongest Chain - The SecureWorks Counter Threat Unit Research Team also provide some information on the Magic Hound Campaign, including a brief look at the PupyRAT as well as various IOCs.
Iranian PupyRAT Bites Middle Eastern Organizations - David Longenecker at Security For Real People shows how to use Didier Stevens’ PDF parsing utilities to examine a malicious PDF file sent in a phishing email. David also provides a number of red flags which identify that the file is malicious, even though VirusTotal doesn’t identify it as such.
Quick and dirty malicious PDF analysis - There were a couple of posts on TrendMicro this week
- Giannina Escueta has a writeup on a new trojan designed to distribute Mirai to Windows machines. “The Windows Trojan targets more ports than the original Linux Mirai, hunting for every possible avenue of infection. It checks if the following ports are open: 22 (SSH), 23 (Telnet), 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP)”.
Mirai Widens Distribution with New Trojan that Scans More Ports - Marvelous Pelin and Gilbert Sison document a new variant of Cerber that goes out of its way “to avoid encrypting security software”. The variant “queries for the contents of three WMI classes… for firewalls, antivirus, and antispyware product … [and] extracts the directories where these are installed and adds them to the list of whitelisted folders, which are spared from any encryption”. “Aside from this security software detection, the behavior of these variants is similar to other CERBER variants”.
CERBER Changes Course, Triple Checks for Security Software
- Giannina Escueta has a writeup on a new trojan designed to distribute Mirai to Windows machines. “The Windows Trojan targets more ports than the original Linux Mirai, hunting for every possible avenue of infection. It checks if the following ports are open: 22 (SSH), 23 (Telnet), 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP)”.
- Eduardo Altares, Patrick Nguyen, and Xinlei Cai at Symantec explain that “Symantec Security Response has recently discovered the Sage 2.0 ransomware (Ransom.Cry) being delivered by the Trojan.Pandex spambot”. The malware purports to be a PDF document and sports some similar routines to Cerber, although the authors did not identify a definitive link between the two.
Sage 2.0 ransomware delivered by Pandex spambot, mimics Cerber routines - There were a couple of posts on the SANS ISC Handler Diaries
- Xavier Mertens analyses of a suspicious piece of JavaScript
Analysis of a Suspicious Piece of JavaScript - Brad Duncan examines some malspam that he received containing some AutoIt-based malware.
Brazilian malspam sends Autoit-based malware
- Xavier Mertens analyses of a suspicious piece of JavaScript
MISCELLANEOUS
- Josh Liburdi explains how to get Lockheed Martin’s Laika BOSS to work with Bro.
Laika BOSS + Bro = LaikaBro (?!) - Casey Cammilleri at #_shellntel shows how to build a 8 GPU password cracker in 3 hours.
How to build a 8 GPU password cracker - Extreme Coders show how to detect encrypted pyinstaller executables, and then how to decrypt said files using the key found within key the pyimod00_crypto_key file.
Extracting encrypted pyinstaller executables - Cheryl Biswas shares some resources for those trying to put together a CFP
How to Give a Talk in InfoSec - Jason Roslewicz at Sumuri posted a couple of times this week
- First, explains how to fix USB issues that have been occurring with their TALINO workstations and Cellebrite’s software.
Cellebrite USB Driver Workarounds - He also explains the process that Sumuri uses to create the TALINO workstations.
What It Takes to Build the Best Selling Forensic Computer
- First, explains how to fix USB issues that have been occurring with their TALINO workstations and Cellebrite’s software.
- Michael G. Kessler cautions those looking for bargain digital forensics examiners and advises that they should be trained, qualified, appropriately licensed, insured, and otherwise suitable to the task that they have been hired for.
Bargain Digital Forensics Examiners – Too Good To Be True - DFIR Guy at DFIR.Training defends dead box forensics. The entire DFIR field is quite broad so I can understand why people might think something doesn’t happen because they don’t have exposure to it. Maybe dead box forensics will slowly die away, but I can’t see that happening for a while – people will continue to require expertise for criminal and civil litigation.
Dead-box forensics is not dead
SOFTWARE UPDATES
- DME Forensics have updated DVR Examiner to version 1.30.0, adding additional support for various file systems, as well as bug fixes
- Phil Harvey updated ExifTool to version 10.43 (development release) with some minor improvements and bug fixes.
ExifTool 10.43 - Magnet Forensics updated their Axiom product to version 1.0.10, adding “decryption of iOS 10.2 iTunes backups, chat thread preview cards in all views, faster PhotoDNA, [and] support for KakaoTalk and Zalo”
Magnet AXIOM 1.0.10 Now Lets You Decrypt iOS 10.2 iTunes Backups - Alan Orlikoski has updated the Cold Disk Quick Response tool to version 3.1, improving the reporting feature.
CDQR 3.1 - Mark Russinovich at Microsoft has released an updated version of the Sysinternals Suite
Sysinternals Suite - X-ways Forensics 19.1 SR-4 was released, fixing some bugs, and adding “support for one previously unsupported component of the PIDL data structure in OpenSavePidlMRU items in the Windows Registry.”
X-Ways Forensics 19.1 - X-Ways Forensics 19.2 Preview 2 was released, adding some minor improvements.
X-Ways Forensics 19.2 Preview 2 - GetData updated Forensic Explorer to version 3.9.7.6230, improving bookmarks, and improving support for DMG image files.
17 Feb 2017 – v3.9.7.6230 - Elcomsoft updated Elcomsoft Internet Password Breaker to version 3.0, adding “a one-click tool to generate filtered wordlists from extracted passwords”.
Elcomsoft Internet Password Breaker 3.0 to Instantly Extract Passwords, Build Custom Wordlist for Faster Dictionary Attacks
SOFTWARE/PRODUCT RELEASES
- The guys at GoSecure have released a tool called Malboxes, which “creates Windows Virtual Machines (VMs) without any user interaction”. “Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis”.
Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines - Basis Technology have released version 2.0 of their Cyber Triage tool. The update includes “a new interface that exposes more of the collected data, a timeline of incidents to give context indicators, [and] Cyber Triage Lite, a free version that does not include malware scanning or analytics”
Basis Technology releases a free Cyber Triage version at RSA - Andrew Hoog released an iOS Triage tool on Github. The tool is a “Node.js cli for iOS incident response. [The] Program will extract, process and report (including diffs) on iOS device and app telemetry.”
Ios-triage - The guys at DEFT Linux have released DEFT Zero, which is a “light version of Deft specifically designed to the forensic acquisition of the digital evidence.”
DEFT Zero (2017.1) ready for download
And that’s all for Week 7! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 