Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
FORENSIC ANALYSIS
- Blackbag updated their blog post on iOS 10 and Mobile Device Management. They “have added instructions on how to create an encrypted backup password for an iOS 10 device with MDM profile using iTunes.”
Check Out @blackbagtech’s Tweet
- Brian Moran shares his process for accessing data within a SQL Server backup file without using a Microsoft SQL Server instance.
How to load a SQL .bak file for analysis, without SQL Server previously installed
- The guys at Cyber Forensicator shared a presentation by Michael Perklin “about the investigation of the Shapeshift.io hack”.
A Digital Forensic Expert’s Story of the Shapeshift.io Hack
- Diablo Horn shares a Python script to capture network traffic from raw sockets and save it as a pcap.
Python raw sockets sniffing & pcap saving
- The guys at Digital Forensics Corp have a few posts this week
  - They shared an article by Raj Chandel on understanding HTTP authentication basic and digest
  Understanding HTTP Authentication Basic and Digest
  - They shared an article by Igor Mikhaylov & Oleg Skulkin on the principles of Android malware detection
  Principles of Android Malware Detection
  - They shared Danielle Kelly and Xavi Bilbao’s Volatility user guide. “This user guide contains basic steps for creating and exploring memory dumps”.
  Volatility User Guide
  - They shared Fioravante Souza’s bank phishing incident analysis
  The Sample of Bank Phishing Incident Analysis
  - They shared a video by Salvation Data on their SmartPhone Forensic System (SPF), which “is an integrated mobile forensics system specifically designed for data acquisition, recovery, analysis and triage from mobile devices”.
  Mobile Forensics with Salvationdata
- Andrea Lazzarotto has a post on eForensics Mag on extracting data from damaged NTFS drives. After explaining the manual process, Andrea, who is the developer of RecuperaBit, provides an example of how to use the tool to recover lost data.
Extracting data from damaged NTFS drives | by Andrea Lazzarotto
- The guys at Magnet Forensics published an artefact profile on Google Chrome, listing the location of the data stores as well as the useful information that can be extracted from them.
Artifact Profile: Google Chrome
- Mark McKinnon has written an Autopsy plugin to parse the CCM_RecentlyUsedApps artefact that James Habben posted about last week.
CCM_RecentlyUsedApps
- Dr. Neal Krawetz at The Hacker Factor explains Google’s WebP format and its implications for investigators. WebP can store metadata, although it is often stripped during conversion; no cameras create WebP files, so a WebP image must have been downloaded using a Chrome-based browser and is therefore not the original (and only) copy of the image.
File Format Expectations
- Russ Taylor at Hats Off Security explains the answer to an interview question on TTL values found in DNS logs.
TTLs and where to find them
- Will Ascenzo at Gillware Digital Forensics has a write-up of a recent case where the team examined a civil defendant’s devices (and Gmail account) to determine whether specific files that were the property of their former employer existed on them.
Forensic Case Files: Exonerating an Employee of Data Theft
UPCOMING WEBINARS
- Jessica Hyde at Magnet Forensics will be hosting two one-hour webinars on parsing data from new applications. Viewers will “learn how to test, find, parse and script to obtain evidence in new applications using a physical forensic image.” The webinars will take place Tuesday, March 28, 2017 at 1:00 PM EST and Wednesday, March 29, 2017 at 9:00 AM EST.
Methods for parsing new applications
- The CFP for R2Con 2017, to be held around September 7th-9th in Barcelona (although the date and location haven’t been confirmed), is open. There doesn’t appear to be a close date yet.
Check Out @radareorg’s Tweet
- The session guide for Enfuse 2017 has been posted. The event will take place May 22-25 at Caesars Palace in Las Vegas.
Guidance Software Unveils Deepest Cyber Incident Response Agenda For Enfuse Conference 2017
- The CFP for the 10th International Workshop on Digital Forensics (WSDF 2017) is open. The event will take place in Reggio Calabria, Italy, on August 29 – September 2, 2017. The submission deadline is April 15, 2017.
WSDF 2017
- “DFRWS USA invites submissions to present workshop sessions”. DFRWS will take place August 6-9, 2017 in Austin, Texas. The submission deadline is March 31, 2017 (midnight GMT).
Call for Workshops
PRESENTATIONS/PODCASTS
- Didier Stevens shared a couple of videos on maldoc deobfuscation covering both character removal and the oledump plugin ‘sub-str’.
- Dave and Matthew hosted Lee Whitfield on this week’s Forensic Lunch. Lee spoke about the Forensic 4cast awards, as well as the talk he will be giving at the DFIR Summit and Enfuse on macOS timestamps. The guys also discussed the recent CIA leaks and the SHA1 collision. Matt then talked about his work with ArangoDB and other NoSQL databases that he has used to assist in linking data sources, as well as his new Rust-based Prefetch parser.
Forensic Lunch 3/10/17
- On this week’s Mobile Forensic Minute, Lee Reiber lists the various areas on iOS and Android where applications are installed; this, in turn, can be used to identify spyware, as it would have to be installed on the system to run.
Mobile Forensic Minute 111
- On this week’s Digital Forensics Survival Podcast, Michael talked about HostIntel by Keith Jones. HostIntel takes a list of domain names and IPs and returns all of the open source information it can find. “This is [a] great tool for Incident Response triage where you may be looking to generate leads for follow-up from log files or traffic captures. For disk forensics this tool pairs well with malware triage efforts.”
DFSP # 055 – Automated Host Intelligence
- SANS posted a few videos from the recent CTI Summit: Ronnie Tokazowski’s Fun with Strings in Malware, Robert M. Lee’s Knowing When to Consume Intelligence and When to Generate It, and Cliff Stoll’s opening keynote, (Still) Stalking the Wily Hacker.
- Coleman Kane tweeted that the lectures from Weeks 1 through 7 of the University of Cincinnati Malware Analysis class have been updated. This includes both slides and videos of the lectures.
Check Out @colemankane’s Tweet
MALWARE
- The Malware Analysis team at Champlain College has provided an update on their progress getting an AWS client up and running with ThreatAnalyzer to submit samples to. They also performed some analysis on njRAT and a fake Adobe Flash Player update.
Malware Analysis Blog 2
- The guys at JoeSecurity analyse a malicious WSF file distributing Locky. They also show how “PowerShell’s logging functionality is really helpful to understand malware”.
PowerShell ScriptBlockLogging rocks!
- Eric O’Neill at Carbon Black comments on the Vault 7 release regarding the CIA’s use of fileless attacks.
WikiLeaks’ Vault 7 CIA Report Reveals How Non-Malware Attacks Are Being Leveraged
- Oren Koriat and Andrey Polkovnichenko at Check Point unpack the Skinner Android malware found on the Google Play store. “Skinner tracks the user’s location and actions, and can execute code from its Command and Control server without the user’s permission”.
The Skinner adware rears its ugly head on Google Play
- eForensics Mag shared an infographic by Con Mallon at CrowdStrike showing how ransomware uses PowerShell to infect users.
How Ransomware Uses Powershell | Infographic by CrowdStrike
- The Threat Research & Adversary Prevention Unit at Endgame takes a look at a DridexV4 sample.
Dropping AtomBombs: Detecting DridexV4 in the Wild
- Xiaopeng Zhang at Fortinet unpacks two malicious Excel documents.
Microsoft Excel Files Increasingly Used To Spread Malware
- Josh Lospinoso shares “a technique for hiding all of a program’s executable code in non-executable memory”, which he calls Gargoyle.
gargoyle, a memory scanning evasion technique
- There were a number of posts on the Malwarebytes Labs blog this week
  - Nathan Collier unpacks a malicious Facebook client for Android
  Mobile Menace Monday: Facebook Lite infected with Spy FakePlay
  - The team released the inaugural edition of their “Cybercrime Tactics and Techniques Report”, a quarterly report looking at the current threat landscape.
  Malwarebytes Labs Presents: The Cybercrime Tactics and Techniques Report
  - Jérôme Boursier shows how to isolate an untrusted VM from the host LAN for malware testing and analysis using VirtualBox, Tor, and Whonix.
  Torify and analyze traffic for your VM
  - Nathan Scott takes a look at the CryptoBlock ransomware and, with a bit of online digging, found the credentials for its C2 server.
  CryptoBlock ransomware and its C2
  - Hasherezade provides an in-depth explanation of the Spora ransomware
  Explained: Spora ransomware
  - Jérôme Segura shares the top exploit kit usage of Winter 2017. “There haven’t been any major changes in the past little while and exploit kit-related infections remain low compared to those via malicious spam”. “RIG EK remains the most popular exploit kit at the moment used both in malvertising and compromised websites campaigns”.
  Exploit kits: Winter 2017 review
- Sudhanshu Dubey at McAfee Labs analyses “a new variant of the Dorkbot botnet.”
Analyzing a Fresh Variant of the Dorkbot Botnet
- There were a couple of posts by NVISO Labs this week
  - Jonas Bauters analyses some malware droppers “to determine where the actual malware is hosted”.
  Analyzing obfuscated scripts using nothing but a text editor
  - Didier Stevens provides a “PoC Lua script to detect PDF documents with name obfuscation.”
  Developing complex Suricata rules with Lua – part 1
- There were a couple of posts by Palo Alto Networks this week
  - Jeff White shows how PowerShell’s EncodedCommand parameter is being used in the wild to hide from defenders. He does so by “analyzing 4,100 recent samples … to see how PowerShell is being used and what techniques are being used in the wild for PowerShell attacks”. He also catalogues “the PowerShell code with examples of each decoded sample to aide in future identification or research”.
  Pulling Back the Curtains on EncodedCommand PowerShell Attacks
  - Robert Falcone and Josh Grunzweig unpack the RanRan malware that has been observed attacking Middle Eastern government organisations (but is not connected to Shamoon 2.0).
  Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes
- There were a couple of posts on the SANS ISC Handler Diaries this week
  - Didier Stevens shares a sample that is obfuscated by adding extra characters
  Another example of maldoc string obfuscation, with extra bonus: UAC bypass
  - Xavier Mertens examines a sample that executes every minute (via a scheduled task) and drops an executable that captures passwords for well-known applications and transmits them via “a simple TCP session via port TCP port 1340”.
  Not All Malware Samples Are Complex
- Costin Raiu, Mohamad Amin Hasbini, Sergey Belov and Sergey Mineev at Securelist have published a report on the recent Shamoon 2.0 attacks; during their investigation they uncovered a previously unknown wiper malware that they’re calling StoneDrill. “StoneDrill has several “style” similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection”.
From Shamoon to StoneDrill
- Matthew Molyett, Holger Unterbrink and Paul Rascagneres at Cisco’s Talos blog provide details (and IOCs) of the Crypt0l0cker ransomware.
Crypt0l0cker (TorrentLocker): Old Dog, New Tricks
- There were a few posts on FireEye’s blog this week
  - Steve Miller, Jordan Nuce, and Barry Vengerik take a look at a recent spear phishing campaign that distributes malware they’ve called POWERSOURCE. “POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage”.
  FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings
  - James T. Bennett introduces “two small tools that can aid in the task of reverse engineering Cocoa applications for macOS”, as well as giving a “whirlwind tour of reverse engineering Cocoa applications”.
  Introduction to Reverse Engineering Cocoa Applications
  - Brandon Arvanaghi introduces a new approach to locating UNIX systems on a network, as well as a new PowerShell tool called SessionGopher. “SessionGopher is designed to identify these [Windows] remote access tools and extract any auxiliary information about the hosts to which they connect”. It does so by querying the registry for stored data from commonly used tools such as PuTTY, WinSCP, RDP, and FileZilla (among others).
  Using the Registry to Discover Unix Systems and Jump Boxes
MISCELLANEOUS
- John Patzakis, Esq. at the Next Gen eDiscovery Law & Tech Blog provides various examples of how important the proper collection of web-based/cloud-stored data can be. Apparently many courts are scrutinising screen captures of data, and in some cases “disallowing or otherwise calling into question social media evidence” presented in this form.
ILTA eDiscovery Survey Reflects Increased Social Media Discovery
- Yulia Samoteykina at Atola Technologies explains how their Insight product handles hard drives that freeze.
Imaging Freezing Damaged Drives
- Matt Bromiley shares a few “Morning Reads”
  - He shares some snippets from the recently leaked Vault 7 documents. These snippets relate to suggestions for how to make DFIR more difficult.
  Morning Read: DFIR Snippets from Vault 7
  - He has collected some posts “surrounding recent disclosures and issues with Western Digital’s My Cloud products”. Apparently, these My Cloud products are very vulnerable, so the current recommendation is to remove them from the internet.
  Morning Read: Western Digital My Cloud Issues
  - He also comments on breach notification and advises that urgency is key – “As you build out your incident response teams and plans, make sure that urgency is one of the top priorities”. Matt also explains that cyber insurance relies on the client not violating the policy, so it’s a good idea to make sure you comply with the terms.
  Morning Read: Lloyd’s MGA, CFC Underwriting, Launches Cyber Incident Response App
- Martino Jerian at Amped Software has an article on Forensic Focus advising examiners to be cautious of Google’s new image enhancement (creation?) algorithm.
Unscrambling Pixels: Forensic Science Is Not Forensic Fiction
- David Spreadborough at Amped provides some more information about the 9010 update for Amped FIVE, including the various enhancements, features, and bug fixes.
Amped FIVE Update 9010 Part 2: Filter Updates and Interface Enhancements… too much for one post!
- There’s a post on BugRoast showing two executables that produce different outputs but have both the same MD5 and SHA1. Not sure how they did it either, outside of MD5’s known collision. It’s entirely possible the two files are the exact same and they use something external to change the value.
Eat more hashes 🙂
- Adam at Hexacorn has updated his EDR (Endpoint Detection and Response) spreadsheet
Updated EDR Sheet
- Kurt Bertone at Threat Geek lists the 5 requirements for stopping modern intrusions. Kurt explains that to accurately detect and stop an intrusion, investigators need real-time deep visibility and alerting of network content and endpoints as the intrusion is happening, as well as in the past (so as to capture all phases of the attack).
5 Requirements for Stopping Modern Intrusions
- DFIR Guy at DFIR.Training explains that successful DFIR examiners should be like a bloodhound, think like a squirrel, and work like a honey badger. He also promotes the benefits of further education every day, as this is a field that is constantly changing.
3 Animalistic Tips to Bust Open Your DFIR Job.
SOFTWARE UPDATES
- Didier Stevens updated a couple of his scripts this week
  - He updated his cut-bytes Python script to version 0.0.5, updating the manual to explain ‘here documents’. He also uploaded a video about the update.
  Update: cut-bytes.py Version 0.0.5
  - He also updated oledump.py to version 0.0.27, adding “some extra features for YARA rule scanning”. He also uploaded a video about the update.
  Update: oledump.py Version 0.0.27
- Phil Harvey updated ExifTool to version 10.46 (development release) with various bug fixes and minor improvements.
ExifTool 10.46
- Adam at Hexacorn has updated DeXRAY to version 2.0, adding and improving support for some more quarantine file formats.
DeXRAY 2.0 released
- The guys at MISP released version 2.5.69 and shortly after 2.4.69. The new version includes multiple bug fixes, and a few new features and improvements.
MISP 2.4.69 released
- Ryan Benson at Obsidian Forensics has released Hindsight v2, which introduces easier installation through pip, a web GUI, and cache parsing.
Hindsight v2 Released – Web UI and Cache Parsing
- Arsenal Consulting have released Hibernation Recon v1.1.0.55 Beta, which includes a “free mode”. This mode allows “output of active memory and statistics”. The guys at Digital Forensics Corp also found this announcement that explains that “the latest Hibernation Recon now provides a streamlined graphical user interface, parallel processing of multiple hibernation files, and advanced NTFS metadata recovery”. Arsenal also published a video showing their Hibernation Recon tool “process Windows hibernation files in parallel, incl. advanced NTFS metadata recovery”.
Check Out @ArsenalArmed’s Tweet
- GetData updated Forensic Explorer, fixing a number of bugs and making other minor improvements.
10 Mar 2017 – v3.9.8.6356
PRODUCT/SOFTWARE RELEASES
- Chris Sanders has announced the release of Practical Packet Analysis 3rd Edition.
Practical Packet Analysis 3rd Edition Released!
- Microsystemation have released a tool, Android Exploit Dongle, which is a lightweight, discreet hardware device for field-based operations that “enables you to recover physical data from Android devices”.
Recover deleted data on Android devices with this lightweight tool
- Matt Seyer has released a Prefetch parser on his GitHub page.
RustyPrefetch 0.0.0
And that’s all for Week 10! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!