Week 9 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
  • Rajan Udeshi, Robert Batzloff, and Matt McFadden at Guidance Software will be hosting a 1-hour webinar on “How To Complete More Efficient Investigations with EnCase Forensic 8”. The webinar will take place Tuesday, March 07, 2017 at 11:00 AM Pacific Standard Time (7:00 PM UTC)
    How To Complete More Efficient Investigations with EnCase Forensic 8
  • There were two posts on Cisco’s Talos Blog this week
  • Shusei Tomonaga at the JPCERT-CC blog shares some additional findings about ChChes. The victim is infected with a malicious shortcut file, which in turn downloads a PowerShell script from an external server. “The PowerShell script and the injected ChChes are not saved as files in the infected machines, and ChChes itself only exists in the memory.” Indications of the attack can be seen in Event logs where PowerShell v5.0 is installed.
    Malware Leveraging PowerSploit

  • Darryl at Kahu Security examines a malicious RTF file that contained an embedded SWF file. Darryl walks through the entire process of analysing the malware, including how he updated his tools as he went along to support the interesting things he found.
    Static vs Dynamic Analysis and the Amusing Outcome

  • Kafeine at ‘Malware Don’t Need Coffee’ has identified that a new exploit kit has surfaced called Nebula
    Bye Empire, Hello Nebula Exploit Kit

  • Malwarebytes have a few posts this week
    • Hasherezade and Jérôme Segura examine “a recent version of the multi-purpose Neutrino Bot (AKA Kasidet)”. They conclude that the authors “did not make any significant improvements to the main bot’s structure. However, they added one more protection layer which is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered”.
      New Neutrino Bot comes in a protective loader
    • Thomas Reed shares instructions on how to decrypt files affected by the Findzip malware
      Decrypting after a Findzip ransomware infection

    • Thomas also compiles some information about the two Mac backdoors that have recently been discovered.
      Two new Mac backdoors discovered

  • David Biser at NTT Security shares his thoughts on fileless malware – primarily that it is a growing threat, but not a new one
    Fileless Malware

  • There were a couple of posts on the Palo Alto Networks blog
    • Anthony Kasza and Dominik Reichel have an article about the Gamaredon Group, which has been “recently observed … distributing new, custom developed malware”, although they have “been active since at least 2013”. They advise that antimalware solutions have had trouble detecting the malware utilised by the group, most likely due to the “modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes.”
      The Gamaredon Group Toolset Evolution
    • Brad Duncan shares the “delivery, exploitation, and installation components” of the Blank Slate campaign
      “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware

  • There were a couple of posts on the SANS Internet Storm Center
  • Symantec Security Response describes the two stages of the Shamoon2 attack by the Timberworm group, operating out of the Middle East.
    Shamoon: Multi-staged destructive attacks limited to specific targets

  • TrendMicro provide some information about RATANKBA, malware that was tied to “attacks against banks in Poland, [and also] a string of similar incidents involving financial institutions in Mexico, Uruguay, the United Kingdom, and Chile”.
    RATANKBA: Delving into Large-scale Watering Holes against Enterprises

  • The Swiss Government CERT published a whitepaper on their approach to “deobfuscate the code [of Nymaim]” in IDA.
    Taking a Look at Nymaim

  • There were a couple of posts on IBM’s Security Intelligence blog
    • Magal Baz shares that IBM X-Force has identified that Dridex has updated to v4, and features the use of AtomBombing.
      Dridex’s Cold War: Enter AtomBombing
    • Gadi Ostrovsky and Limor Kessem analyse a recent GootKit sample. “Research into GootKit’s inner workings unveiled its new network interception method, which now proxies internet traffic through the malware instead of placing hooks on the browser. GootKit also bypasses certificate validation by hooking other relevant APIs to continue its malicious operation unhindered.”
      GootKit Developers Dress It Up With Web Traffic Proxy
  • Matt Coatney at AccessData shares his thoughts on AI in Digital Forensics – “Digital forensics is ripe for disruption by AI technologies”. “AccessData’s AD Lab … provides investigators with an “intelligent assistant” that allows them to process sensitive forensic information with only minimal technical knowledge about the hardware from which the data is being collected or the software that is doing the actual evidence processing.”
    The Coming AI Revolution in Digital Forensics

  • Chris Sanders is offering full scholarships for his online training courses “to individuals employed by non-profit human services organizations”
    Training Course Scholarships

  • Lance Mueller has moved his Enscripts and therefore his repository is temporarily down. He advises to email him directly for Enscripts in the meantime.
    EnScripts Currently Offline – being moved

  • Darren Freestone at Lock And Code has shared his thoughts on the recent SHA1 collision and its impact on digital forensics. Overall it seems that SHA1 can still be used for DFIR but examiners should have a basic understanding of what has happened to the algorithm. My opinion is that the collision has existed the entire time we’ve used the algorithm, and we were happy to use it before – moving to SHA256 will probably result in the same issue. I think the best bet is to actually rely on a combination of hashes as I (may be wrong but) think it would be harder to create a collision across two hashing algorithms.
    What Are The Implications Of The SHA1 Collision On Digital Forensics?

  • Demisto have a post describing the “top seven steps for conducting a post-mortem following a security incident”
    The Top Seven Steps for Conducting a Post-Mortem Following a Security Incident

  • DFIR Guy at DFIR.Training lists the three steps to being a DFIR superhero: knowing your job, your tools, and what your client wants.
    3 Steps to be a DFIR Superhero

  • Jamie McQuaid continues Jessica Hyde’s explanation of Axiom/IEF’s portable case feature. Jamie provides a step-by-step guide to setting up a portable case, then reviewing and reporting on the data provided. He also summarises the limitations of the portable case feature.
    Deep Dive on Portable Case Part Two

  • Paul Sanderson tweeted that his book on SQLite Forensics is well under way.
    Check Out @sandersonforensc’s Tweet

  • “In memory of Ken Johnson, [a DFIR practitioner that tragically passed away last year], the SANS Institute and KPMG LLP created a scholarship that was introduced at the SANS DFIR Summit in June 2016 and will be awarded annually in early June.”
    “Ken Johnson DFIR Scholarship”

  • The students at Champlain College continue their work on Bluetooth Security Forensics.
    Bluetooth Security Forensics 3.0

  • Lesley Carhart answers a variety of InfoSec questions
    Ask Lesley InfoSec Advice Column: 2017-02-26

  • Arsenal Consulting have updated their Odatv case study with the 17 questions that the Turkish court ordered local DFIR experts to answer
    Check out @arsenalarmed’s Tweet
  • Amped have released update 9010 for their FIVE product. The updates include new filters, and additional analysis tools for video analysis, such as “Frame Analysis, GOP Analysis and Hex View”.
    Amped FIVE Update 9010 Part 1: Resize 1:1, Perspective Aligner, Block Difference, Frame Analysis

  • Joe Security have released Joe Sandbox 18.0.0 with new features including VBA Macro Winapi Instrumentation, SCAE (Static Code Analysis Engine) Library Code Detection, automatic launching of PE files that were dropped and not executed, GitHub based Yara Rules, and many others.
    Joe Sandbox 18.0.0 is ready!

  • Eric Zimmerman updated a couple of his tools this week
    • He updated his TLE tool to version
      TLE Update
    • He also updated ShellBags Explorer to version, which is, as he claims, “the biggest and most comprehensive update for ShellBags Explorer to date”. The accompanying post goes on to explain the various additions. I think the thing I like the most about the update is the testing methodology – it means in the future he can make changes without necessarily worrying about it breaking any of the previous functionality.
      ShellBags Explorer released!

  • Cellebrite updated their UFED Analytics Desktop tool to version 6.0. The latest release adds an additional context view, support for additional data types, previewing generated PDF reports, document thumbnails (DOC/PDF) and tooltips on the map view.
    UFED Analytics Desktop Release Notes 6.0 (March 2017)

  • Didier Stevens updated a couple of his tools this week
  • Elcomsoft updated their Phone Viewer tool to version 3.30, adding “support for viewing unread device notifications included in iOS backups, [and] support for iOS notifications extracted from iCloud backups as well.” Oleg Afonin shared a post regarding why this could be useful.
    Elcomsoft Phone Viewer 3.30 Shows Unread Notifications Extracted from Device Backup

  • Phil Harvey updated ExifTool to version 10.45 (developmental release), adding support for OS X extended attributes and other macOS system tags, as well as making some API changes.
    ExifTool 10.45

  • GetData updated Forensic Explorer to version, adding a variety of updates and bug fixes
    1 Mar 2017 – v3.9.8.6298

  • Magnet Forensics updated Axiom to version 1.0.11. The update adds support for the Signal app, carving speed improvements, as well as bug fixes.
    Magnet AXIOM is the First Platform to Support Signal Forensics

  • Compelson released MOBILedit Forensic Version 9.0, and Forensic Express 4.0. The update to MOBILedit “brings improved support of iOS, updated support of Android 7.0, advanced filtering and many other improvements.” The updates to Forensic Express added a variety of improvements, and “new and updated application analyzers”.

  • Atola Technologies have released Atola Insight Forensic version 4.8, adding a variety of new features and a number of bug fixes
    Atola Insight Forensic 4.8 release

  • X-Ways Forensics 19.2 Beta 1 was released, adding a variety of new features and improvements
    X-Ways Forensics 19.2 Beta 1

  • Jesse Kornblum has updated hashdeep to produce sha3 hashes. The new tool, which is in beta, is called sha3deep and produces SHA3-384 hashes.
    Beta version of sha3deep produces SHA-384 hashes
  • Didier Stevens released a couple of tools this week
    • He has released a tool, password-history-analysis.py, that “will make a report of users who “recycle” their previous passwords by using a common string.”
      Password History Analysis
    • He also released a new Python script called sets.py, which “allows you to perform operations on sets: union, intersection, subtraction and exclusive or. A set is a list of lines in a file, or a stream of bytes in a file.” He also published a YouTube video showing how the tool works.
      New Tool: sets.py

  • Susteen has released a version of their new Cloud Analyzer free to all law enforcement agencies. This tool allows LE agencies to “acquire data from Facebook, Twitter, Dropbox, iCloud and more”
    Susteen releases their new Social Media Cloud Analyzer free for all law enforcement agencies

And that’s all for Week 9! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!