Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
FORENSIC ANALYSIS
- James Habben at 4n6ir explores the SCCM database, and after using the tool produced by the guys at FireEye, identifies that “it can only parse the namespaces from the database if the data is not ‘corrupted’”. This corruption can take place when imaging a live system. As a result, James went through the process of carving relevant records and produced an EnScript to allow others to do the same. James also tweeted that the “LastUsedTime” within CCM_RecentlyUsedApps “is closest to ‘Executed Time’”.
Secret Archives of Execution Evidence: CCM_RecentlyUsedApps
- The guys at Cyber Forensicator shared a few articles this week
- They shared a paper from Volume 143 of the 2016 International Journal of Computer Applications written by Amirullah Amirullah, Imam Riadi, and Ahmad Luthfi. The paper was titled “Forensics Analysis from Cloud Storage Client Application on Proprietary Operating System”.
Forensics Analysis from Cloud Storage Client Application on Proprietary Operating System
- Igor Mikhaylov & Oleg Skulkin wrote an article on decrypting iTunes backups. If the backup is encrypted with a weak password, they recommend using Elcomsoft’s Phone Breaker. If it’s a stronger password they suggest looking in the user’s keychain (provided you have the keychain password, and the user stored the backup password there).
How to Find Passwords for Encrypted iTunes Backups
- They shared a paper by Brian Cusack and Raymond Lutui from the Australian Digital Forensics Conference on “Google Earth Forensics on iOS 10’s location service”
Google Earth Forensics on iOS 10’s Location Service
- Didier Stevens shows how to extract password history from the ntds.dit file
Practice ntds.dit File Part 9: Extracting Password History Hashes
- The guys at Digital Forensics Corp shared a few articles this week
- They shared an article that indicated that Microsoft is working on an update to Win10 that will block the installation of Win32 applications.
Microsoft announced a new level of Security
- They shared an article by Erik Hjelmvik on how to “enable file extraction from PCAP with NetworkMiner in six steps”
PCAP Analysis with NetworkMiner
- They also shared a link to a number of videos of presentations from RSA 2017.
RSA Conference 2017 Video Series
- Will Ascenzo at Gillware Digital Forensics provides a brief overview of chip-off data extraction, and then explains how the team were able to remove the data storage module from a Samsung Galaxy Tab 4
Forensic Case Files: A Chip-Off Our Shoulders
- Matt Bromiley continues the Zeltser challenge
- In this post, Matt shares his DFIR takeaways from a story about driverless cars. “Car forensics is getting closer”, driverless cars can make mistakes and cause property damage or loss of life, and as much of the data sits on the company’s servers “third-party analysis is going to be crucial”.
Morning Read: A Lawsuit Against Uber Highlights the Rush to Conquer Driverless Cars
- In this post, Matt looks at an article discussing the data storage requirements of police departments.
Morning Read: Police Digital Forensics: Storing and Using an Overflow of Video Data
- In this post, Matt shares his thoughts on a whitepaper “published by Cesar Cerrudo and Lucas Apa at IOActive” called “Hacking Robots Before Skynet”.
Morning Read: Hacking Robots Before Skynet
- Nick B at The Negative.Zone performs memory analysis after performing “lateral movement using MMC20.Application”
Memory Analysis of DCOM Lateral Movement Using MMC20.Application
- Mark at Sneaky Monkey shows “a few methods of how to carve data out of PCAPs”
Blue Team Basics – PCAP File Extraction
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab shows how to build a Sysmon dashboard on top of an ELK stack
Building a Sysmon Dashboard with an ELK Stack
- Andreas Sfakianakis at Tilting at Windmills shared a paper called “Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives”, and summarised the authors’ key findings.
TIPs: An Exploratory Study of Software Vendors and Research Perspectives
UPCOMING WEBINARS
- Rajan Udeshi, Robert Batzloff, and Matt McFadden at Guidance Software will be hosting a 1-hour webinar on “How To Complete More Efficient Investigations with EnCase Forensic 8”. The webinar will take place Tuesday, March 07, 2017 at 11:00 AM Pacific Standard Time (7:00 PM UTC)
How To Complete More Efficient Investigations with EnCase Forensic 8
PRESENTATIONS/PODCASTS
- Black Hills Information Security have published a video walking through “the installation and usage of Real Intelligence Threat Analytics (RITA). RITA is an open-source framework from the folks at Black Hills Information Security and Offensive CounterMeasures.”
WEBCAST: RITA
- Cellebrite have published a video showing the SQLite Wizard and Fuzzy methods features that were recently added to their Physical Analyzer product
SQLite Wizard and Fuzzy methods for Physical Analyzer 6.0
- The guys at Cysinfo held their quarterly meetup and shared the presentations in the link below.
10th Quarterly Meetup – 25th February 2017
- Philippe Lagadec has shared his presentation from the Toulouse Hacking Convention 2017 about malicious VBA macros.
VBA Macros Pest Control – THC 2017
- On this week’s Digital Forensics Survival Podcast, Michael explains what he looks for when deciding whether or not to attend a conference.
DFSP # 054 – Surviving the Conference Season
- Hasherezade uses the Immunity Debugger to unpack the Dridex loader.
Unpacking Dridex loader
- Nuix has released a presentation by Paul Slater, Carl Barron, and Mark Wootton, on “Bridging the gap between mobile and computer forensics”
Bridging the gap between mobile and computer forensics
- On the technical segment of this week’s Paul’s Security Weekly, “Doug White delivers a demonstration/rant about incident response and forensic reporting”
Incident Response & Forensic Reporting, Doug White – Paul’s Security Weekly #503
- SANS published two videos from the Cyber Threat Intelligence Summit 2017, the first on Threat Intelligence At Microsoft, and the second on Hunting Cyber Threat Actors with TLS Certificates
- Secure View uploaded a YouTube video on how their Passcode Breaker tool works, and also showed off their social media cloud analysis tool, Cloud Explorer
Cloud Forensics 20170209 2006 1
- Sergei Frankoff shared that the presentations from Countermeasure 2016 have been uploaded.
MALWARE
- There were two posts on Cisco’s Talos Blog this week
- Alexander Chiu provides some IOCs for malware detected this week.
Malware Round-up For The Week of Feb 27 – Mar 3
- Edmund Brumaghin and Colin Grady examine a “malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel”.
Covert Channels and Poor Decisions: The Tale of DNSMessenger
- Shusei Tomonaga at the JPCERT/CC blog shares some additional findings about ChChes. The victim is infected via a malicious shortcut file, which in turn downloads a PowerShell script from an external server. “The PowerShell script and the injected ChChes are not saved as files in the infected machines, and ChChes itself only exists in the memory.” Indications of the attack can be seen in the Event logs on machines where PowerShell v5.0 is installed.
Malware Leveraging PowerSploit
- Darryl at Kahu Security examines a malicious RTF file that contained an embedded SWF file. Darryl walks through the entire process of analysing the malware, including how he updated his tools as he went along to support the interesting things he found.
Static vs Dynamic Analysis and the Amusing Outcome
- Kafeine at ‘Malware Don’t Need Coffee’ has identified that a new exploit kit has surfaced called Nebula
Bye Empire, Hello Nebula Exploit Kit
- Malwarebytes have a few posts this week
- Hasherezade and Jérôme Segura examine “a recent version of the multi-purpose Neutrino Bot (AKA Kasidet)”. They conclude that the authors “did not make any significant improvements to the main bot’s structure. However, they added one more protection layer which is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered”.
New Neutrino Bot comes in a protective loader
- Thomas Reed shares instructions on how to decrypt files affected by the Findzip ransomware
Decrypting after a Findzip ransomware infection
- Thomas also compiles some information about the two Mac backdoors that have recently been discovered.
Two new Mac backdoors discovered
- David Biser at NTT Security shares his thoughts on fileless malware – primarily that it is a growing threat, but not a new one
Fileless Malware
- There were a couple of posts on the Palo Alto Networks blog
- Anthony Kasza and Dominik Reichel have an article about the Gamaredon Group, which has been “recently observed … distributing new, custom developed malware”, although they have “been active since at least 2013”. They advise that antimalware solutions have had trouble detecting the malware utilised by the group, most likely due to the “modular nature of the malware, the malwares heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes.”
The Gamaredon Group Toolset Evolution
- Brad Duncan shares the “delivery, exploitation, and installation components” of the Blank Slate campaign
“Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware
- There were a couple of posts on the SANS Internet Storm Center
- Didier Stevens extracts the malicious PowerShell downloaders from a maldoc shared by Guy Bruneau the previous day
CRA Maldoc Analysis, (Sun, Feb 26th)
- Xavier Mertens deobfuscates a malicious PHP script that has a detection score of 0/54 on VirusTotal
Analysis of a Simple PHP Backdoor, (Tue, Feb 28th)
- The Symantec Security Response team describe the two stages of the Shamoon 2 attack by the Timberworm group, operating out of the Middle East.
Shamoon: Multi-staged destructive attacks limited to specific targets
- TrendMicro provide some information about RATANKBA, malware that was tied to “attacks against banks in Poland, [and also] a string of similar incidents involving financial institutions in Mexico, Uruguay, the United Kingdom, and Chile”.
RATANKBA: Delving into Large-scale Watering Holes against Enterprises
- The Swiss Government CERT published a whitepaper on their approach to “deobfuscate the code [of Nymaim]” in IDA.
Taking a Look at Nymaim
- There were a couple of posts on IBM’s Security Intelligence blog
- Magal Baz shares that IBM X-Force has identified that Dridex has updated to v4, and now features the use of AtomBombing.
Dridex’s Cold War: Enter AtomBombing
- Gadi Ostrovsky and Limor Kessem analyse a recent GootKit sample. “Research into GootKit’s inner workings unveiled its new network interception method, which now proxies internet traffic through the malware instead of placing hooks on the browser. GootKit also bypasses certificate validation by hooking other relevant APIs to continue its malicious operation unhindered.”
GootKit Developers Dress It Up With Web Traffic Proxy
MISCELLANEOUS
- Matt Coatney at AccessData shares his thoughts on AI in digital forensics – “Digital forensics is ripe for disruption by AI technologies”. “AccessData’s AD Lab … provides investigators with an “intelligent assistant” that allows them to process sensitive forensic information with only minimal technical knowledge about the hardware from which the data is being collected or the software that is doing the actual evidence processing.”
The Coming AI Revolution in Digital Forensics
- Chris Sanders is offering full scholarships for his online training courses “to individuals employed by non-profit human services organizations”
Training Course Scholarships
- Lance Mueller has moved his EnScripts and therefore his repository is temporarily down. He advises emailing him directly for EnScripts in the meantime.
EnScripts Currently Offline – being moved
- Darren Freestone at Lock And Code has shared his thoughts on the recent SHA1 collision and its impact on digital forensics. Overall it seems that SHA1 can still be used for DFIR, but examiners should have a basic understanding of what has happened to the algorithm. My opinion is that the collision has existed the entire time we’ve used the algorithm, and we were happy to use it before – moving to SHA256 will probably result in the same issue. I think the best bet is to actually rely on a combination of hashes, as I (may be wrong but) think it would be harder to create a collision across two hashing algorithms.
What Are The Implications Of The SHA1 Collision On Digital Forensics?
- Demisto have a post describing the “top seven steps for conducting a post-mortem following a security incident”
The Top Seven Steps for Conducting a Post-Mortem Following a Security Incident
- DFIR Guy at DFIR.Training lists the three steps to becoming a DFIR superhero: knowing your job, your tools, and what your client wants.
3 Steps to be a DFIR Superhero
- Jamie McQuaid continues Jessica Hyde’s explanation of Axiom/IEF’s portable case feature. Jamie provides a step-by-step guide to setting up a portable case, and to reviewing and reporting on the data provided. He also summarises the limitations of the portable case feature.
Deep Dive on Portable Case Part Two
- Paul Sanderson tweeted that his book on SQLite forensics is well under way.
Check Out @sandersonforensc’s Tweet
- “In memory of Ken Johnson, [a DFIR practitioner who tragically passed away last year], the SANS Institute and KPMG LLP created a scholarship that was introduced at the SANS DFIR Summit in June 2016 and will be awarded annually in early June.”
“Ken Johnson DFIR Scholarship”
- The students at Champlain College continue their work on Bluetooth Security Forensics.
Bluetooth Security Forensics 3.0
- Lesley Carhart answers a variety of InfoSec questions
Ask Lesley InfoSec Advice Column: 2017-02-26
- Arsenal Consulting have updated their Odatv case study with the 17 questions that the Turkish court ordered local DFIR experts to answer
Check out @arsenalarmed’s Tweet
SOFTWARE UPDATES
- Amped have released update 9010 for their FIVE product. The update includes new filters, and additional analysis tools for video analysis, such as “Frame Analysis, GOP Analysis and Hex View”.
Amped FIVE Update 9010 Part 1: Resize 1:1, Perspective Aligner, Block Difference, Frame Analysis
- Joe Security have released Joe Sandbox 18.0.0 with new features including VBA Macro Winapi Instrumentation, SCAE (Static Code Analysis Engine) Library Code Detection, automatic launching of PE files that were dropped and not executed, GitHub based Yara Rules, and many others.
Joe Sandbox 18.0.0 is ready!
- Eric Zimmerman updated a couple of his tools this week
- He updated his TLE tool to version 0.3.3.0.
TLE Update
- He also updated ShellBags Explorer to version 0.9.0.0, which is, as he claims, “the biggest and most comprehensive update for ShellBags Explorer to date”. The accompanying post goes on to explain the various additions. I think the thing I like the most about the update is the testing methodology – it means in the future he can make changes without necessarily worrying about it breaking any of the previous functionality.
ShellBags Explorer 0.9.0.0 released!
- Cellebrite updated their UFED Analytics Desktop tool to version 6.0. The latest release adds an additional context view, support for additional data types, previewing of generated PDF reports, document thumbnails (DOC/PDF) and tooltips on the map view.
UFED Analytics Desktop Release Notes 6.0 (March 2017)
- Didier Stevens updated a couple of his tools this week
- He updated his translate Python script to version 2.4.0, allowing content to be passed in as an argument.
Update: translate.py Version 2.4.0
- He updated his re-search.py Python script to version 0.0.3, adding “a regular expression for strings to the library.”
Update: re-search.py Version 0.0.3
- Elcomsoft updated their Phone Viewer tool to version 3.30, adding “support for viewing unread device notifications included in iOS backups, [and] support for iOS notifications extracted from iCloud backups as well.” Oleg Afonin shared a post regarding why this could be useful.
Elcomsoft Phone Viewer 3.30 Shows Unread Notifications Extracted from Device Backup
- Phil Harvey updated ExifTool to version 10.45 (developmental release), adding support for OS X extended attributes and other macOS system tags, as well as making some API changes.
ExifTool 10.45
- GetData updated Forensic Explorer to version 3.9.8.6298, adding a variety of updates and bug fixes
1 Mar 2017 – v3.9.8.6298
- Magnet Forensics updated Axiom to version 1.0.11. The update adds support for the Signal app, carving speed improvements, as well as bug fixes.
Magnet AXIOM is the First Platform to Support Signal Forensics
- Compelson released MOBILedit Forensic Version 9.0, and Forensic Express 4.0. The update to MOBILedit “brings improved support of iOS, updated support of Android 7.0, advanced filtering and many other improvements.” The update to Forensic Express added a variety of improvements, and “new and updated application analyzers”.
- Atola Technologies have released Atola Insight Forensic version 4.8, adding a variety of new features and a number of bug fixes
Atola Insight Forensic 4.8 release
- X-Ways Forensics 19.2 Beta 1 was released, adding a variety of new features and improvements
X-Ways Forensics 19.2 Beta 1
- Jesse Kornblum has updated hashdeep to produce SHA-3 hashes. The new tool, which is in beta, is called sha3deep and produces SHA3-384 hashes.
Beta version of sha3deep produces SHA-384 hashes
SOFTWARE RELEASES
- Didier Stevens released a couple of tools this week
- He has released a tool, password-history-analysis.py, that “will make a report of users who “recycle” their previous passwords by using a common string.”
Password History Analysis
- He also released a new Python script called sets.py, which “allows you to perform operations on sets: union, intersection, subtraction and exclusive or. A set is a list of lines in a file, or a stream of bytes in a file.” He also published a YouTube video showing how the tool works.
New Tool: sets.py
- Susteen has released a version of their new Cloud Analyzer free to all law enforcement agencies. This tool allows LE agencies to “acquire data from Facebook, Twitter, Dropbox, iCloud and more”
Susteen releases their new Social Media Cloud Analyzer free for all law enforcement agencies
And that’s all for Week 9! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!