Week 8 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open!

If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • Mari DeGrazia at Another Forensic Blog posted twice this week
    • First, she noticed that Windows install dates will sometimes update, and therefore do not always indicate when Windows was actually installed. She observed that a Windows Update appeared to be the culprit, and that it also cleared her event logs. I noticed something similar on my machine but wasn’t sure what caused it. I’m also on version 1607 and would have updated to it shortly after it came out – so it looks like version 1607, which was a major update to Windows, changes the install date/install time value. The previous versions were 1511 and 1507 – I wonder if they modified the value as well.
      When Windows Lies
    • She also has written a Python script “to help automate the process of checking a list of IP addresses against Tor Relays and Bridges, [called] Onion Peeler.”
      Onion Peeler: Batch Tor Lookup Program
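Batch lookup of IP addresses against a Tor exit-address list, as an added example (this is not Onion Peeler’s code). It parses text laid out like the Tor Project’s bulk exit list (check.torproject.org/exit-addresses: an ExitNode fingerprint, Published and LastStatus timestamps, then one or more ExitAddress lines per relay); bridges, which Onion Peeler also covers, are not handled here. EXIT_LIST and CANDIDATES are constructed sample data, and the fingerprints are made up.

```python
"""Batch-check IP addresses against a Tor exit-address list (offline).

Added example, not Onion Peeler's code. EXIT_LIST mimics the layout of the
Tor Project's bulk exit list; the relay fingerprints and addresses below are
constructed sample data (RFC 5737 documentation ranges).
"""
import ipaddress
from collections import defaultdict

EXIT_LIST = """\
ExitNode AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
Published 2017-02-22 10:00:00
LastStatus 2017-02-23 12:00:00
ExitAddress 198.51.100.10 2017-02-23 12:05:00
ExitAddress 198.51.100.11 2017-02-23 12:05:00
ExitNode 0000FFFF1111EEEE2222DDDD3333CCCC4444BBBB
Published 2017-02-21 09:30:00
LastStatus 2017-02-23 11:45:00
ExitAddress 203.0.113.77 2017-02-23 11:50:00
"""

# Constructed list of addresses pulled from a (hypothetical) firewall log.
CANDIDATES = ["198.51.100.11", "192.0.2.5", "203.0.113.77", "not-an-ip"]


def parse_exit_list(text):
    """Return {ip: [(relay_fingerprint, last_seen), ...]} from exit-list text.

    A relay can advertise several exit addresses, and the same address can
    belong to several relays, so every (fingerprint, timestamp) pair is kept.
    """
    index = defaultdict(list)
    fingerprint = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "ExitNode":
            fingerprint = rest.strip()
        elif key == "ExitAddress" and fingerprint:
            parts = rest.split()
            # ip_address() validates the token and gives a canonical string form
            ip = str(ipaddress.ip_address(parts[0]))
            last_seen = " ".join(parts[1:3])
            index[ip].append((fingerprint, last_seen))
    return dict(index)


def check_ips(candidates, index):
    """Map each candidate IP to its exit-list matches ([] means not a known exit).

    Malformed candidates are returned separately rather than silently dropped,
    so a typo in an IOC list does not hide a hit.
    """
    hits, invalid = {}, []
    for cand in candidates:
        try:
            ip = str(ipaddress.ip_address(cand.strip()))
        except ValueError:
            invalid.append(cand)
            continue
        hits[ip] = index.get(ip, [])
    return hits, invalid


def tor_only(hits):
    """Keep just the candidates that matched at least one exit relay."""
    return {ip: matches for ip, matches in hits.items() if matches}


if __name__ == "__main__":
    hits, invalid = check_ips(CANDIDATES, parse_exit_list(EXIT_LIST))
    for ip, matches in tor_only(hits).items():
        for fingerprint, last_seen in matches:
            print(f"{ip} is a Tor exit (relay {fingerprint}, last seen {last_seen})")
    if invalid:
        print("could not parse:", ", ".join(invalid))
```

Feed it a freshly downloaded exit list and the IP column of whatever log you are triaging; the list only covers exits, so an address absent from it can still be a guard or bridge.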

  • The Blackbag Training Team shared a few posts this week
    • They shared a listing of the Windows Forensic Essentials Blog Series
      Windows Forensic Essentials Blog Series
    • They have a post showing how Blacklight can be used to triage a Windows memory image. They show a specific example of identifying IP addresses that the Shareaza file sharing client was connecting to.
      Why Windows RAM Should Be Part of Triage
    • They also show how to use MacQuisition to obtain a memory image. If you do not have the admin password, they advise that you can perform a soft reboot into MacQuisition and then acquire memory that way (you’ll lose a small amount of RAM, but <1GB out of 16GB is pretty good). They also advise imaging to RAW format rather than E01. Examiners are then able to load the image into BlackLight, which interestingly doesn’t have the same level of support for OS X memory images as it does for Windows images. After loading the image, you can perform keyword searches using the various inbuilt keywords, or specify your own.
      Mac RAM Imaging and Analysis

  • Keren Carmeli at Cellebrite explains how to use the new SQLite wizard in UFED Physical Analyzer. I haven’t played around with it, but the interface looks very familiar to those who have used Paul Sanderson’s Forensic Browser for SQLite. Keren also describes the fuzzy models feature, a new function that “scans and analyzes all the databases and all tables within the databases, and automatically maps the records into a known model”
    Solve more cases with access to more applications using unique engines

  • The guys at Cyber Forensicator shared a number of articles this week
    • They shared a tool by Lancelot Bogard and Robin Marsollier called BTG, “which allows you to qualify one or more potential malicious markers of different type (URL, MD5, SHA1, SHA256, SHA512, IPv4, IPv6, domain, etc)”
      Make your IOC searches faster with BTG
    • They shared a book compiled by André Årnes due to be released in August 2017 called “Digital Forensics”. “Each chapter was written by an accomplished expert in his or her field, many of them with extensive experience in law enforcement and industry. “
      Digital Forensics by André Årnes
    • They shared the link to the Google Security blog about the recent discovery of the “first practical technique for generating a SHA-1 collision”
      Announcing the first SHA1 collision
    • They shared an old article by Jesse Kornblum “about using SHA-3 for forensics”.
      Which Flavor of SHA-3 Should We Use for Forensics?

  • The guys at Digital Forensics Corp shared a couple of articles this week
  • There were a couple of posts on Forensic Focus this week
    • Scar de Courcier reviewed Nuix Web Review & Analytics. The premise of Web Review is to allow the examiner to perform the backend processing and then let the case officer (or equivalent) remotely view the data and tag relevant information. Overall she found that “the interface is highly intuitive and in general users need a maximum of two hours’ basic training before they are able to use WR&A.”
      Nuix Web Review & Analytics
    • Azeem reviewed BlackBag’s BlackLight 2016 R3. BlackLight is an all-in-one forensic analysis tool that can be used to examine Mac/Windows/iOS/Android devices. Azeem explains that he liked the interface and functionality of the tool; however, he found the timeline feature to be lacking. Having played around with the timeline feature I’d be inclined to agree. I’m still looking for a GUI tool that will automatically parse the data and allow you to easily select items to add to your mini-timeline (whilst also allowing you to generate the kitchen sink timelines).
      Review: BlackLight 2016 R3 From BlackBag

  • Russ McRee shares his thoughts on the new Sysmon (“you should always run it everywhere”), as well as select slides from Mark Russinovich’s presentation
    Toolsmith Release Advisory: Sysmon v6 for Securitay

  • Marc Padilla has identified a dump-ramdump.sh script on the Amazon Echo Dot that “appears to create new memdump logs”; however, he was unable to knowingly trigger it.
    The Amazon Echo Dot has a dump-ramdump.sh script

  • Greg Smith at TrewMTE shows some old Nokia phones with some interesting messaging capabilities. The Nokia 6303 was capable of sending flash messages which only resided in RAM, as well as support for applications that will convert text into Morse code and send it.
    Secrets and Evidence of Older Mobiles

  • Oxygen Forensic Detective v9.2 was released, adding WebKit parsing, expanding cloud extraction capabilities for Google accounts, “improv[ing] deleted data recovery by adding the ability to recover files from Ext3/Ext4 partitions from the file system journal”, as well as adding support for the Uber and Lyft apps, and “devices with new Chinese MTK chipsets: MT6750, MT6755, MT6737, MT6738”.
    Oxygen Forensic Detective extracts WebKit data from iOS and Android devices

  • Jonathon Poling at Ponder The Bits takes a look at Mac memory acquisition using OSXpmem (which is part of Rekall). He provides the commands required to create the image, as well as to generate the profile required to parse it with Volatility.
    OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility

  • The SANS InfoSec Reading Room posted a couple of interesting white papers this week
    • They posted David M. Martin’s whitepaper on configuring OS X as a forensic platform. See below for a summary from Matt Bromiley, I think that he did a great job at summarising the paper
      OS X as a Forensic Platform
    • They also shared Aron Warren’s whitepaper on Tor Browser artefacts in Win10. “This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post- connection to the Tor network using memory analysis.”
      Tor Browser Artifacts in Windows 10

  • Matt Bromiley continues the Zeltser challenge
    • He has started a series examining “Microsoft SQL Server on Linux”. “This series of weekly posts will break down a SQL server install on Linux, various artifacts, and how to parse/interpret them. This week will be pretty quick, as we look at installation options to get up and running.”
      Torvalds Tuesday: Microsoft SQL Server on Linux
    • Matt has also posted what appears to be a daily post called the “Morning Read”, where he recommends and discusses “a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.” For this morning read he covered David M. Martin’s whitepaper mentioned above.
      Morning Read: OS X as a Forensic Platform
    • “Today’s Morning Read is details on the lawsuit between Waymo and Otto & Uber, alleging that Waymo LiDAR technology was stolen”. Matt goes through the article and suggests where the evidence may have been uncovered. He also offers some wise words about the insider threat being as critical as the APT.
      Morning Read: Waymo’s Lawsuit against Otto & Uber

  • The Mobile Application Forensics team at Champlain College have started to generate data on an Android and iOS device to examine the Signal app.
    Mobile App Analysis Part 2


  • Jack Crook at ‘DFIR and Threat Hunting’ shares his thoughts about chaining events together to hunt for malicious activity. He explains that certain actions may generate millions of events per day that may or may not be malicious. “If someone was looking at each action individually they may be easily glossed over, but when combining them you may begin to see clusters of anomalous behavior”. Using chains to detect malicious activity is an interesting addition to a threat hunter’s repertoire.
    Hunting for Chains
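The chaining idea above, as an added example that is not Jack Crook’s code: it takes Sysmon-style process-creation events with assumed field names (time, host, user, parent, image, cmdline) and reports hosts where an Office application, a script host spawned by that Office application, and an executable run from a Temp folder occur in that order within ten minutes. EVENTS is constructed sample data; the chain, the window and the field layout are assumptions of this example, not something the post prescribes.

```python
"""Chain individually noisy events into one higher-confidence hunt.

Added example, not Jack Crook's code. Each stage below fires all day on its
own (Office starts, PowerShell starts, things run from Temp); all three in
order on one host inside a short window is what deserves a look.
EVENTS is constructed sample data in an assumed pipe-separated layout.
"""
from datetime import datetime, timedelta

EVENTS = """
2017-02-23T09:00:01|WS01|alice|explorer.exe|outlook.exe|outlook.exe
2017-02-23T09:03:10|WS01|alice|outlook.exe|winword.exe|winword.exe /n invoice.doc
2017-02-23T09:03:42|WS01|alice|winword.exe|powershell.exe|powershell -nop -w hidden -enc SQBFAFgA
2017-02-23T09:04:05|WS01|alice|powershell.exe|update.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
2017-02-23T09:10:00|WS02|bob|explorer.exe|winword.exe|winword.exe /n notes.doc
2017-02-23T11:30:00|WS02|bob|explorer.exe|powershell.exe|powershell Get-Process
2017-02-23T12:00:00|WS03|carol|services.exe|svchost.exe|svchost.exe -k netsvcs
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# An ordered chain: (stage name, predicate over one parsed event).
CHAIN = [
    ("office-app", lambda e: e["image"] in OFFICE_APPS),
    ("script-host-from-office",
     lambda e: e["image"] in SCRIPT_HOSTS and e["parent"] in OFFICE_APPS),
    ("exe-from-temp",
     lambda e: e["image"].endswith(".exe") and "\\temp\\" in e["cmdline"].lower()),
]


def parse_events(text):
    """Parse pipe-separated lines; the split is capped so a '|' in cmdline survives."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower(),
            "cmdline": cmdline,
        })
    return events


def find_chains(events, chain=CHAIN, window=timedelta(minutes=10)):
    """Return a match for every host/start event where all stages of `chain`
    occur in order within `window` of the first stage."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    matches = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            found, stage = [start], 1
            for e in evs[i + 1:]:
                if e["time"] - start["time"] > window:
                    break  # window closed without completing the chain
                if chain[stage][1](e):
                    found.append(e)
                    stage += 1
                    if stage == len(chain):
                        matches.append({"host": host, "user": start["user"],
                                        "stages": [n for n, _ in chain], "events": found})
                        break
    return matches


if __name__ == "__main__":
    for m in find_chains(parse_events(EVENTS)):
        print(m["host"], m["user"], [e["image"] for e in m["events"]])
```

WS02 has two of the three stages but hours apart, and WS03 has none, so only WS01 surfaces; the second stage deliberately checks the parent as well as the image, which is where Sysmon’s ParentImage earns its keep. Overlapping starts (Outlook, then Word) each complete the chain, so the same host can appear twice.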

  • Håkon Olsen at Sqrrl explains what threat hunting is, and why it should be done. The author explains that threat hunting is the “activity of hunting for intruders in your computer systems, and then locking them out”, and provides an example ‘day in the life of a threat hunter’.
    What is Threat Hunting in Cybersecurity Defense


  • Decipher Forensics will be hosting a webinar on “Social Media in eDiscovery”, during which they will review the types of social media information available, “how to collect and review it, and most importantly, how to present it”. The webinar will take place Thu, Mar 30, 2017, 8:00 PM – 9:00 PM GMT.
    Social Media in eDiscovery

  • The schedule for BSides NOLA 2017 has been uploaded.
    BSides NOLA 2017



  • Neal Dennis at Arbor Networks provides some additional insights on the Shamoon2 attack. Neal examines a few new samples and provides related domains, IPs, and hashes. He was also able to identify a potential link to the Iranian state-sponsored ‘Kitten’ actors mentioned last week, who were utilising PupyRAT.
    Additional Insights on Shamoon2

  • Sergei Shevchenko and Adrian Nish at BAE Systems continue their analysis of the malware hitting Polish financial institutions. They examined the 5 samples, and also looked at “the ‘false flag’ approach employed by the attackers in order to spoof the origin of the attack”. The attackers used Russian in one of the samples; however, “it is evident that the malware author is not a native Russian speaker.” The authors also continued their analysis of the SWF file identified in the last post.
    Lazarus’ False Flag Malware

  • Bart at Blaze’s Security Blog analyses a malicious Android app that downloads the Marcher banking trojan. Bart also provides disinfection and general prevention tips.
    Android malware on the rise

  • Mila at Contagio has put together a list of posts that analyse the malware identified in the APT28 reports. Mila also posted a list of the malware samples, including SHA1/SHA256/MD5 hashes.
    Russian APT –  APT28 collection of samples including  OSX XAgent

  • Casey Gately at Endgame shows how to deobfuscate a binary, starting with simple XOR obfuscation, and progressing to double obfuscated binaries that forced him to decode it manually.
    Lessons from the Trenches: Obfuscation and Pattern Recognition
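An added example of the two stages described above (this is not Casey Gately’s code): recovering a single-byte XOR key by brute force, then a second layer by solving for both keys from the known ‘MZ’ header and confirming the guess with the DOS stub. PAYLOAD is a constructed stand-in for a PE and the C2 string in it is made up; the keys 0x5C and 0x33 are assumptions used only to build the samples.

```python
"""Peel XOR-style obfuscation off a binary by pattern recognition.

Added example, not Casey Gately's code. PAYLOAD is constructed: the 'MZ'
header and DOS stub every Windows executable carries, plus a made-up C2
string. Two XOR layers with single-byte keys collapse into one key, so the
"double" sample here is XOR followed by a byte-wise ADD, which does not.
"""
DOS_STUB = b"This program cannot be run in DOS mode"

PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00" + b"\x00" * 36
    + b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!"
    + DOS_STUB + b".\r\n$" + b"\x00" * 8
    + b"http://c2.example.invalid/gate.php\x00"  # constructed, not a real indicator
)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def add_bytes(data, key):
    return bytes((b + key) & 0xFF for b in data)


def sub_bytes(data, key):
    return bytes((b - key) & 0xFF for b in data)


def looks_like_pe(data):
    """The pattern we recognise: MZ at offset 0 and the DOS stub somewhere after."""
    return data[:2] == b"MZ" and DOS_STUB in data


def recover_single_xor(data):
    """Brute-force all 256 single-byte keys; return (key, plaintext) or None.
    The 38-byte stub is long enough that only the right key reproduces it."""
    for key in range(256):
        candidate = xor_bytes(data, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def recover_xor_then_add(data):
    """Solve the two-layer case (XOR k1, then ADD k2) from the known header:
    data[0] = ('M' ^ k1) + k2 and data[1] = ('Z' ^ k1) + k2 (mod 256), so every
    guess for k1 fixes k2, and the DOS stub confirms or rejects the pair."""
    for k1 in range(256):
        k2 = (data[0] - (0x4D ^ k1)) & 0xFF
        if (data[1] - k2) & 0xFF != (0x5A ^ k1):
            continue
        candidate = xor_bytes(sub_bytes(data, k2), k1)
        if looks_like_pe(candidate):
            return (k1, k2), candidate
    return None


def deobfuscate(data):
    """Return (layers, plaintext): layers is [] for clear input, [('xor', k)],
    or [('xor', k1), ('add', k2)]; (None, data) when nothing here applies."""
    if looks_like_pe(data):
        return [], data
    hit = recover_single_xor(data)
    if hit:
        return [("xor", hit[0])], hit[1]
    hit = recover_xor_then_add(data)
    if hit:
        (k1, k2), clear = hit
        return [("xor", k1), ("add", k2)], clear
    return None, data


# Samples built from PAYLOAD with assumed keys.
SAMPLE_ONE = xor_bytes(PAYLOAD, 0x5C)
SAMPLE_TWO = add_bytes(xor_bytes(PAYLOAD, 0x5C), 0x33)

if __name__ == "__main__":
    for name, sample in (("single", SAMPLE_ONE), ("double", SAMPLE_TWO)):
        layers, clear = deobfuscate(sample)
        print(name, layers, clear[:2], DOS_STUB in clear)
```

The brute-force stage is fine for one byte; the second stage shows why known plaintext matters once the search space grows, since it turns 65,536 pair guesses into 256 and lets the stub, rather than a printable-ASCII heuristic, act as the judge.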

  • Finding Vulnerabilities continues their analysis of the Rovnix Dropper, this time looking at Anti Analysis (Static & Dynamic), Bypassing UAC to execute a driver, and Driver and Bootkit Installation.

  • Andrew Tappert at Forcepoint shows how to use their Second Look product to examine “Subversive”, “a Linux rootkit that uses x86 debug registers to hook the operating system kernel”.
    Detecting Register-Hooking Linux Rootkits with Forcepoint Second Look

  • Bahare Sabouri and He Xu at Fortinet examine the Dyzap Malware and “explain how the malware steals user accounts, acts as a keylogger, and communicates with its C&C server”.
    Keep Your Account Safe by Avoiding Dyzap Malware

  • Andra Zaharia at Heimdal Security examines a new spam campaign that utilises the TeamSpy malware. “This current attack relies on social engineering and careless use to trick victims into installing the TeamSpy malware. The malicious technique used is DLL hijacking, which tricks a legitimate software program to perform unauthorized actions.”
    Security Alert: TeamSpy Malware Spammers Turn TeamViewer into Spying Tool in Targeted Attacks

  • Shusei Tomonaga at JP CERT CC examines the “two structural changes observed in [the] PlugX [malware] since April 2016”. These changes are “the way API is called, [and] the format of main module changed from PE to raw binary code”
    PlugX + Poison Ivy = PlugIvy? – PlugX Integrating Poison Ivy’s Code

  • Diwakar Dinkar and Rahamathulla Hussain at McAfee’s Securing Tomorrow blog examine a spam campaign that distributes Spora. “The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to evade detection from some email scanners and maximize its outreach”. “At runtime the HTA file drops a JavaScript file in the %Temp% folder. Further JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in %TEMP% and executes”. They then analyse the dropped executable.
    Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

  • Rick Wanner at the SANS Internet Storm Centre advises that “Google has announced that they have succeeded in developing a technique which makes it practical to craft two PDF files with the same SHA-1 digital signature”. From a forensic perspective this shouldn’t really change too much; there are a couple of options if you wanted to avoid the collision question: 1) change to SHA256, or 2) perform both MD5 and SHA1 hashing, as I’m sure the ‘collided’ files wouldn’t have the same MD5 as well.
    Practical collision attack against SHA-1 , (Thu, Feb 23rd)
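The hashing options above, as an added example (not from the ISC diary or Google’s post): one pass over the evidence feeds MD5, SHA-1, SHA-256 and, in the spirit of the Kornblum SHA-3 article shared earlier, SHA3-256 from Python’s hashlib; a classifier names the collision signature (SHA-1 agrees, a stronger digest does not); and a check compares fresh digests with those recorded at acquisition. SAMPLE_A and SAMPLE_B are constructed inputs, not the collided PDFs.

```python
"""Hash evidence under several algorithms in a single read, and classify the
result so a SHA-1 match cannot stand alone.

Added example, not code from the ISC diary or Google's announcement.
SAMPLE_A and SAMPLE_B are constructed inputs; the real SHAttered PDFs would
classify as 'sha1-collision' here.
"""
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256")

SAMPLE_A = b"%PDF-1.3 constructed sample A\n"
SAMPLE_B = b"%PDF-1.3 constructed sample B\n"


def multi_digest(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read `stream` once and return {algorithm: hexdigest} for all algorithms.
    One pass matters on a multi-terabyte image: the disk, not the CPU, is the
    bottleneck, so adding SHA-256 costs almost nothing extra."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS, chunk_size=1 << 20):
    return multi_digest(io.BytesIO(data), algorithms, chunk_size)


def classify_pair(a, b):
    """'identical' if every shared algorithm agrees, 'sha1-collision' if SHA-1
    agrees while another shared digest differs, otherwise 'different'."""
    shared = [n for n in a if n in b]
    agree = {n for n in shared if a[n] == b[n]}
    if agree == set(shared):
        return "identical"
    if "sha1" in agree:
        return "sha1-collision"
    return "different"


def verify_against_record(actual, recorded):
    """Compare fresh digests with those recorded at acquisition. ok is True only
    when every recorded algorithm was recomputed and matches; an algorithm that
    was recorded but not recomputed is reported rather than silently passed."""
    mismatched = sorted(n for n in recorded if n in actual and actual[n] != recorded[n])
    untested = sorted(n for n in recorded if n not in actual)
    ok = not mismatched and not untested
    return ok, {"mismatched": mismatched, "untested": untested}


if __name__ == "__main__":
    da, db = digest_bytes(SAMPLE_A), digest_bytes(SAMPLE_B)
    for name in ALGORITHMS:
        print(f"{name:8} A={da[name][:16]}... B={db[name][:16]}...")
    print("verdict:", classify_pair(da, db))
```

Record all four digests at acquisition and the verification step later has something stronger than SHA-1 to fall back on; the ‘untested’ list exists so that a tool which only recomputes MD5 cannot quietly vouch for a SHA-256 it never checked.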

  • Dinesh Venkatesan at Symantec dissects the Android.Lockdroid.E malware, which requires the user to speak the password to unlock the phone.
    Android ransomware requires victim to speak unlock code

  • Ankit Anubhav and Dhanesh Kizhakkinan at FireEye examine a recent attack on individuals in the Mongolian government that utilised the Poison Ivy RAT. “The threat actors behind this attack demonstrated some interesting techniques, including: customized evasion based on victim profile, fileless execution and persistence, [and] decoy documents”.
    Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

  • Trend Micro provide some information about two variants of the RAMNIT malware, VBS_RAMNIT.SMC and PE_RAMNIT. “VBS_RAMNIT.SMC executes once a user accesses the website in which it is hosted, after which it drops and executes PE_RAMNIT, a malware which is notable for having high damage potential with both backdoor and information theft capabilities. PE_RAMNIT then uses C&C communication to receive remote commands and send information such as stolen cookies and sensitive account data. It also injects malicious codes into bank webpages in order to access confidential client information from unsuspecting victims. Furthermore, PE_RAMNIT proves itself to be a stubborn malware by injecting itself into all running processes to remain memory-resident, and deleting antivirus-related registry keys to make it undetectable.”.
    RAMNIT: The Comeback Story of 2016

  • Dr. Ralf Hund at VMRay shows how to use VMRay Analyzer V 2.0 to analyse a malicious Microsoft Publisher document.
    Analyzing Malware Embedded in MS Publisher Files

  • The guys at We Live Security shared a couple of posts this week
    • Jean-Ian Boutin and Matthieu Faou share a new whitepaper on the cybercrime group RTM. The group utilises Delphi-based malware “to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system.”
      RTM: Stealthy group targeting remote banking system
    • Marc-Etienne M. Léveillé talks about “a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software”. This is another piece of malware that has no communication with a C&C, and therefore even if victims paid the ransom they wouldn’t be able to receive the decryption key.
      New crypto-ransomware hits macOS


  • Will Ascenzo at Gillware Digital Forensics has a writeup of a case study where the digital forensics team was tasked with identifying whether ex-employees were taking data with them to their new employer. The examiners were able to identify a number of files that were accessed and transferred to a network share; however, they found no concrete evidence that sensitive information had been transferred.
    Forensic Case Files: Virtual Machine Matryoshka

  • The CFP for the 2017 HTCIA International Conference is open. The conference will take place in Anaheim, CA from October 1-4, 2017. The CFP closes April 1st.
    2017 International Conference Call for Papers

  • Mark McKinnon has created a short survey “to get some input about the plaso plugin module and if changes to some current modules should be made and what modules should be create in the future”.
    Autopsy Python Plugin Modules Short Survey

  • Yulia Samoteykina at Atola Technologies explains that the “Atola Insight Forensic’s high-capacity multi-core CPU supports up to 15 concurrent tasks, that can be assigned to different drives or image files.”
    Multitasking Capabilities of Atola Insight Forensic

  • Ryan McGeehan has set up a new twitter account that tweets intimidating breach scenarios. The idea behind it is that “thinking critically through worst case scenarios will make you better at security, and better at articulating these risks to others.”
    Fun with incident response on Twitter.

  • The Web Application Analysis team at Champlain College “has been assigned to examine desktop-based web applications for both Mac and PC and determine what kind of artifacts can be found from them”. They will be looking at the apps Discord, Dropbox, Slack, and Twitter.
    Application Analysis: The Prep


  • Didier Stevens has updated his base64dump Python script to version 0.0.6. The update adds the option (-e) “to try out all encodings, and report all found strings ordered by increasing length. And with option -u, you can limit the output to unique decoded strings.”
    Update: base64dump.py Version 0.0.6

  • Didier also updated rtfdump to version 0.0.5, adding “object extraction (-E) and can also handle objects obfuscated with \dde0000…”
    Update: rtfdump.py Version 0.0.5

  • Phil Harvey updated ExifTool to version 10.44 (developmental release) adding and improving various tags, as well as bug fixes
    ExifTool 10.44

  • “A new version of MISP 2.4.67 has been released, including improvements to the sighting feature, user management and activity visualisation.”
    MISP 2.4.67 released

  • Micro Systemation have announced a new version of XAMN Spotlight (version 2.0). “This upgraded version is faster and more user-friendly; you have the option to print and export the result, and there is a powerful search capability.”
    Introducing a more powerful XAMN Spotlight

  • Paul Sanderson updated the Forensic Browser for SQLite to version 3.2.2 adding various enhancements and bug fixes.
    New release version 3.2.2

  • Cellebrite released version 6.0.1 of their UFED software, resolving a couple of issues.
    UFED Touch, UFED Physical Analyzer and UFED Logical Analyzer 6.0.1 Maintenance Release (February 2017)

  • X-Ways Forensics 19.1 SR-5 was released with some minor improvements and bug fixes
    X-Ways Forensics 19.1 SR-5

  • X-Ways Forensics 19.2 Preview 3 was released with improvements to a couple of X-Tensions, the ability to decompress password-protected archives using any “password listed in the case’s password collection”, and the “ability to recognize Linux MD RAID container partitions”.
    X-Ways Forensics 19.2 Preview 3

  • Evimetry version 2.1.6 was released, fixing a couple of bugs.
    Release 2.1.6

And that’s all for Week 8! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
