Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
FORENSIC ANALYSIS
- James Habben at 4n6ir has posted a follow-up to his previous post on the CCM_RecentlyUsedApps artefact, presenting “what [the] properties mean and how they can be used”.
CCM_RecentlyUsedApps Properties & Forensics
- Andrew Swartwood at Between Two DFIRns walks through Dr. Ali Hadi’s “Web Server Case”.
Ashemery.com: Challenge #1 – Web Server Case Write-up
- Matt Raeburn at Context has a write-up of how he tried to boot a forensic image into a VM and came across the “Operating System not found” error. He, along with a colleague, delved into the MBR and ultimately identified a solution within VirtualBox to boot the VM. I’ve had a lot of success using a combination of VMware plus Jimmy Weg’s method, Forensic Explorer, and LiveView/OpenLV to get VMs booted; they definitely give you a good idea of what the user saw.
Forensic Imaging. So this should now boot… right?
- The guys at Cyber Forensicator shared a few articles and links this week
  - They shared a tool written by Shujian Yang, “called btrForensics, which can be used for performing Btrfs forensic analysis”.
  Forensic Analysis Tool for Btrfs File System
  - They shared an article by Travis Smith on fileless malware.
  Is Fileless Malware Really Fileless?
  - They shared a link to DEFT Zero (2017.1).
  DEFT Zero (2017.1) ready for download
- Digital Forensics Corp shared a number of articles this week
  - They shared a paper by Enrico Mariconti, Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, and Gianluca Stringhini from University College London and the University of the West of England called “MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models”.
  Detecting Android Malware
  - They shared an article by Igor Kuksov at Kaspersky on how “metadata can turn a normal digital document into compromising intel.”
  Microsoft Office Document Metadata in Incident Response
  - They shared an article by Thomas White at Tribal Chicken on “recovering BitLocker keys on Windows 8.1 and 10”.
  How to Recover BitLocker Keys
  - They shared a paper by “researchers from the University of Stuttgart and the University of Munich Ludwig-Maximilian [who] created a technique for ‘thermal attacks’. In this work, they examined the effect of the PIN / Pattern property on its vulnerability to thermal attacks.”
  Thermal Attacks on Mobile-based User Authentication
  - They shared an article describing how researchers were able to modify data on devices using sound waves and the accelerometer.
  Sound waves may be used to hack our gadgets
  - They shared an article by Fernand Lone Sang on the proprietary bootloader named SBOOT, used in various Samsung Exynos-based smartphones. Fernand describes “how to determine SBOOT’s base address for the Samsung Galaxy S6 and how to load it into IDA Pro.”
  Reverse Engineering Samsung SBOOT
  - They shared a presentation by Alex Ionescu titled “Getting Started with a Type-C USB Cable”.
  Windows 10 RAM Forensics and UEFI Attacks
- Adam at Hexacorn has two posts this week
  - He shared another registry location that can be used as a persistence mechanism. The key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup, executes a given DLL, and can be “used to copy files during the system start”. Adam, however, advises that this trick may not work on Win10.
  Beyond good ol’ Run key, Part 60
  - He also identified a registry key in Win10 that “is looked at during the system boot by the smss.exe process and the latter attempts to read” various entries underneath. “These entries will be used to deliver the redirection functionality intended to support a full isolation of the container”.
  More contained redirections coming to Registry near you…
- Sarah Edwards shares her research on the Aggregate Dictionary database on iOS, which can be obtained in a physical acquisition. The database aggregates data for the last 7 days. Sarah digs into the database to try and obtain some additional information about a user locking and unlocking the device. Using some of the information provided, an examiner may be able to tell when a user changed their passcode from one type to another (i.e. removed the passcode).
Pincodes, Passcodes, & TouchID on iOS – An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)
- Mark McKinnon has combined many of the Windows Autopsy plugins into one Windows Internals plugin.
And Many Become One, The Best of Both Worlds.
- Lee Holmes shows how to detect and prevent PowerShell downgrade attacks. Examiners can look for Event ID 400 in the “Windows PowerShell” classic event log.
Detecting and Preventing PowerShell Downgrade Attacks
- Patrick Siewert at ProDigital 4n6 explains that when an employee is fired, timing is critical if a client needs the employee’s devices examined. Patrick advises that the devices should be seized when the employee is notified, and examined by a trained forensic specialist rather than general IT staff. He also provides a list of helpful information to provide to the forensic specialist.
Digital Forensic Discussion: So You Fired An Associate
- There were a couple of papers shared on the SANS Reading Room this week
  - First was Balaji Balakrishnan’s whitepaper on AWS security monitoring. The paper provides an overview of AWS CloudTrail and CloudWatch Logs, and shows how they can be used to detect attackers.
  Cloud Security Monitoring
  - They also shared Xiaoxi Fan’s paper on detecting system clock modifications on Windows. Xiaoxi lists a number of artefacts that contain both a timestamp and a sequential ID, which can be used to show clock modification, as one would expect the IDs to increment along with the time. One addition I could make to the paper relates to the timestamps identified in Google URLs, which I hope to present soon.
  Detection of Backdating the System Clock in Windows
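To make the ID-versus-timestamp check concrete, here is an added Python example; it is not code from Xiaoxi Fan’s paper, and the record list is constructed sample input rather than real evidence. It walks a set of records that carry both a sequential ID and a timestamp, reports every point where the ID increased but the clock went backwards, and lists the records written while the clock was still set back. The `tolerance_seconds` parameter is my own assumption so that small NTP step corrections are not reported as deliberate backdating.

```python
from datetime import datetime

# Constructed sample input (not real evidence): records carrying both a sequential
# ID and a timestamp, the shape of the artefacts the paper relies on. Records
# 1004 and 1005 were written while the clock was set back by about two days.
SAMPLE_RECORDS = [
    (1001, "2017-03-10T08:00:00"),
    (1002, "2017-03-10T08:05:00"),
    (1003, "2017-03-10T08:07:30"),
    (1004, "2017-03-08T14:00:00"),
    (1005, "2017-03-08T14:02:00"),
    (1006, "2017-03-10T08:15:00"),
]


def parse_records(records):
    """Parse ISO-8601 timestamps and order the records by their sequential ID."""
    return sorted(((rid, datetime.fromisoformat(ts)) for rid, ts in records),
                  key=lambda r: r[0])


def find_clock_rollbacks(records, tolerance_seconds=5):
    """Return (prev_id, rid, seconds_back) for each consecutive pair of records
    whose ID increased while the timestamp moved backwards by more than
    tolerance_seconds. The tolerance is an assumption added here so that small
    NTP step corrections are not reported as deliberate backdating."""
    parsed = parse_records(records)
    rollbacks = []
    for (prev_id, prev_ts), (rid, ts) in zip(parsed, parsed[1:]):
        back = (prev_ts - ts).total_seconds()
        if back > tolerance_seconds:
            rollbacks.append((prev_id, rid, back))
    return rollbacks


def backdated_ids(records):
    """Return the IDs of every record whose timestamp is earlier than the latest
    timestamp already seen at a lower ID: the records written while the clock
    was still set back, i.e. the window an examiner should treat with suspicion."""
    parsed = parse_records(records)
    high_water = None
    suspect = []
    for rid, ts in parsed:
        if high_water is not None and ts < high_water:
            suspect.append(rid)
        else:
            high_water = ts
    return suspect


if __name__ == "__main__":
    for prev_id, rid, back in find_clock_rollbacks(SAMPLE_RECORDS):
        print(f"clock moved back {back:.0f}s between record {prev_id} and {rid}")
    print("records written under the backdated clock:", backdated_ids(SAMPLE_RECORDS))
```

Run as-is it reports one rollback between records 1003 and 1004 and flags 1004 and 1005 as written under the backdated clock; feeding it the (ID, timestamp) pairs pulled from an event log or similar artefact is the only change needed.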
- Matt Bromiley wrote a couple of Morning Reads this week
  - He shared the lessons learnt from an article on automation – don’t take on too much too quickly, avoid becoming tool dependent, and don’t let one vendor control your ecosystem.
  Morning Read: Three Automation Mistakes You Should Avoid
  - Matt also highlights some points from an article by Bruno Zenlato at Sucuri on credit card scrapers.
  Morning Read: Credit Card Scrapers Continue to Target Magento
- Thomas White at Tribal Chicken walks through Windows IoT Core kernel debugging, and also memory acquisition using WinDbg.
Adventures with Windows IoT Core Kernel debugging.
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab has begun a series on “how to develop hunting techniques”. This post focuses on using “Sysmon in order to hunt for when Mimikatz is reflectively loaded in memory”.
Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK – Part I (Event ID 7)
- Daniel Bohannon has a blog post about PowerShell execution argument obfuscation, and how it can make detection easier.
PowerShell Execution Argument Obfuscation (& How It Can Make Detection Easier!)
- Dave Shackleford’s paper on the results of the 2017 CTI Survey was released on the SANS Reading Room.
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey
- Richard Bejtlich at TaoSecurity explains the origins of the term “threat hunting”, which he attributes to his article “Become a Hunter” in Information Security Magazine, written in spring 2011.
The Origin of Threat Hunting
- James Antonakos at Trustwave’s SpiderLabs blog shares a tool that he developed to generate DNS logs. Using this tool he was able to practise his threat hunting much faster than if he had to wait for cases with large log files.
Hey Buddy, Can You Spare a Log? Adventures in Log-Based Threat Hunting
PRESENTATIONS/PODCASTS
- Bret Padres interviewed Lauren Pearce on her role as a malware analyst. “Lauren shares with us her journey to become a malware analyst and talks about the importance of flailing and mentorship.”
HackerNinjaScissors – Lauren Pearce – Journey of a Malware Analyst
- Atola Technology has uploaded a short video showing their product imaging a drive with damaged heads.
Screencast: Imaging Drives with Damaged Heads
- The guys at OA Labs have published a video walking through the manual decoding of a malicious VBS file.
Open Analysis Live: Viewer Submission – Decoding Malicious .vbs Scripts
- Michael Leclair talks about solid state drives on this week’s episode of the Surviving Digital Forensics podcast. He provides a brief overview of the various features of SSDs, and lists a few tools that can be used to hash files on the drive.
DFSP # 056 – Surviving Solid State Drives
MALWARE
- Dennis Schwarz at Arbor Networks examines the Acronym malware, which may be linked to the Win32/Potao malware family.
Acronym: M is for Malware
- Arnaud Delmas has performed a thorough analysis of the FlokiBot dropper and payload. “FlokiBot is yet another malware kit based on ZeuS, with some pieces of code directly taken from the Carberp leak. Nevertheless, its dropper, its unhooking routine and its PoS malware feature make it an interesting malware to analyse. Also, its obfuscation techniques are simple enough to be reversed statically with some IDA scripts without making use of AppCall.”
Analyzing and Deobfuscating FlokiBot Banking Trojan
- Jared Myers at Carbon Black explains a recent fileless attack where the attackers used “a malicious Excel document … to create a PowerShell script, which then used the Domain Name System (DNS) to communicate with an Internet Command and Control (C2) server”. The author decodes and explains each component of the attack.
Attackers Leverage Excel, PowerShell and DNS in Latest Non-Malware Attack
- Brian Baskin, Chris Lord, Paul Drapeau and Sarah Miller at Carbon Black describe the second attack against the Ask Partner Network (APN). This attack occurred when a component of the update process, apnmcp.exe, connected to a VPS “not associated with the APN environment”, and then downloaded a RAT.
Second Ask Partner Network (APN) Compromise Highlights How Attackers Are Commandeering Widely Used General Tools for Sophisticated Targeted Attacks
- Check Point lists its top 10 most wanted computer malware and top 3 most wanted mobile malware.
Hancitor Makes First Appearance in Top Five ‘Most Wanted’ Malware in Check Point’s February Global Threat Impact Index
- Michael Evans at Threat Geek shows how to use the Fidelis Network dashboard to identify the source of an infection caused by a phishing email.
Phind the Phish – Reducing Phishing Detection from Months to Minutes
- Winston at Cysinfo examines some malspam that distributes the Ursnif malware.
New Password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware !!
- Abel Toro at Forcepoint examines two samples that appear to relate to the njRAT malware family. “However, as it turns out, despite being two different versions of the same malware and even having compilation timestamps within a day of each other, the obfuscation methods used by the samples are quite different.”
A Tale of Two Crypters
- There were a couple of posts by Fortinet this week
  - Axelle Apvrille unpacks a variant of the Ztorg Android malware, looking at the way that it “silently downloads a remote encrypted APK”, and then what the APK does.
  Teardown of Android/Ztorg (Part 2)
  - David Wang and He Xu offer a quick insight into a variant of the Grabbot botnet.
  Grabbot is Back to Nab Your Data
- Alexander Sevtsov at Lastline Labs “looks into the delivery mechanisms for ransomware, which file types are commonly used for ransomware distribution, and how an infection typically takes place”. Ransomware is distributed through e-mail and websites (via exploit kits) and typically comes in the form of a script file (WSF/JavaScript).
Ransomware Delivery Mechanisms [Part 1]
- Hasherezade has commenced unpacking Diamond Fox. She provides a behavioural analysis of the malware, and then unpacks the file so that she can “decompile it by a Visual Basic Decompiler to see all the insights of the code”. She also produced a video showing the process.
Diamond Fox – part 1: introduction and unpacking
- Andrea Lelli at Microsoft’s Malware Protection Center blog explains that MMPC has seen “a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code”. The updated loaders place encrypted code in memory and execute its code area, which “further decrypts the code, eventually decrypting and running the final payload”.
Ransomware operators are hiding malware deeper in installer packages
- Michael Gorelik at Morphisec provides a technical analysis of a fileless attack most likely perpetrated by the same threat group that utilised the “DNS PowerShell messenger attack discovered by Talos on March 3rd”.
Morphisec Discovers New Fileless Attack Framework
- Josh Grunzweig at Palo Alto Networks examines NexusLogger, which “is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication”.
NexusLogger: A New Cloud-based Keylogger Enters the Market
- The guys at Proofpoint have analysed an Android POS app that “does not include any POS implementation, but is instead a robust information stealer”.
Mobile Malware Masquerades as POS Management App
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Guy Bruneau examines a VBE script that he located on his honeypot.
  Honeypot Logs and Tracking a VBE Script, (Sun, Mar 12th)
  - Xavier Mertens explains that retro hunting in your logs “to detect malicious activity that occurred in the past” can be very useful. The name ‘retro hunting’ “comes from a VirusTotal feature that allows the creation of YARA rules and to search backwards for samples that match them”.
  Retro Hunting!, (Wed, Mar 15th)
  - Xavier also analyses some malspam that distributes the Fareit trojan.
  Example of Multiple Stages Dropper, (Sat, Mar 18th)
- Anton Ivanov and Fedor Sinitsyn at Securelist unpack the PetrWrap trojan. This trojan is distributed by the attackers breaking in and using tools like “Mimikatz to obtain the necessary credentials for installing ransomware throughout the network”.
PetrWrap: the new Petya-based ransomware used in targeted attacks
- Domenico Raguseo at Security Intelligence shared an IBM X-Force Research report on the lessons learned from Stuxnet.
Lessons Learned From Stuxnet
- Sachin Deodhar at Trustwave’s SpiderLabs blog analyses a variant of the PAS web shell. “Unlike typical web shells that use encoding and/or obfuscation techniques to evade detection and make the code difficult to analyze, this [variant of the] web shell uses an uncommon form of encryption of its PHP code to thwart attempts to gain access to and/or analyze the web shell’s capabilities.”
Authentication and Encryption in PAS Web Shell Variant
- Rohit at Symantec examines some malspam that distributes Difobot.
Spam campaign targets financial institutions with fake security software
- The Cyber Safety Solutions Team at TrendLabs examine the MajikPOS point-of-sale malware. “MajikPOS is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses”.
MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks
MISCELLANEOUS
- Cyberscoop has interviewed their top women in cybersecurity for 2017.
Top Women in Cybersecurity
- Jonathon Poling at Ponder The Bits discusses scoping, which he describes as an “often-overlooked, admittedly very unsexy, but nonetheless integral piece of performing effective DFIR”. He lists a range of important points to consider across a number of key questions, including: what has happened, what response has already taken place, what artefacts are available, and what is the goal (and priority) of the engagement. I would also add ‘establish a time frame to complete the work’, although I would say that the timeframe for an incident would usually be “get it done by yesterday”.
The Importance of Incident Scoping/Assessment
- Jason Lang at #_shellntel provides his thoughts on the argument for blocking PowerShell, from both a pen tester’s (attacker’s) and a defender’s perspective.
Thoughts on Blocking Powershell.exe
- James Habben at 4n6ir has shared his thoughts on BSidesSLC, as well as an offer to assist anyone that wants to get started with blogging.
BsidesSLC Experience and Offer to Help
- Danielle Russell at AlienVault looks at “how centralized log management changes in the public cloud as well as the native logging and monitoring services and components provided by AWS and Azure”, as well as centralising your log data.
Centralized Logging in the Cloud
- Lee Whitfield has announced the closing date for nominations for the 4:cast awards. Lee will be taking nominations until the end of the month and will then announce the top 3 in each category. The awards are taking place at the DFIR Summit (which I forgot to post the agenda for last week). Lee also covered his current happenings (talk at Enfuse, DFIR Summit, and employment with SANS).
Awards Nomination Closing Date and News
- Scar at Forensic Focus interviewed Devon Ackerman, of Kroll and AboutDFIR.com fame. Devon explains his background, starting at the FBI and moving on to become a senior director at Kroll, as well as how AboutDFIR came about.
Interview With Devon Ackerman, Senior Director, Kroll
- Didier Stevens at NVISO Labs provides some tips on streamlining Lua program development.
Developing complex Suricata rules with Lua – part 2
- The guys at Sumuri have posted a scathing rant about other vendors copying their forensic machines. Apparently, another company has released a product that is identical to their Talino KA-L Omega laptop.
INNOVATE or COPY?
- Chris Sanders describes “a new case management system called TheHive”. Chris describes TheHive as “a purpose built case management system to facilitate the investigation of security incidents”, and provides an overview of the various components of the system.
Investigation Case Management with TheHive
- Devon Ackerman has written an article on The Hill about attribution in cyberspace. Devon explains that we must ultimately base our findings on “our training, education, and experience” and that “we must be diligent in examining our own potential assumptions and always remember that forensic science ultimately deals in evidence and actualities.”
CIA’s #Vault7 leak opens a Pandora’s box of doubt
- David Spreadborough at Amped explains the File Info section of the latest update to FIVE.
Advanced File Information – A Closer Look!
- Lesley Carhart answers questions for those looking to get into the InfoSec field. One of the questions I quite liked the answer to explains the difference between a person who can use a tool and one who understands how the tool works, and the usefulness of the latter.
Ask Lesley InfoSec Advice Column: 2017-03-16
SOFTWARE UPDATES
- Cellebrite updated their UFED line to version 6.1, changing their interface, adding new devices and apps, and introducing an advanced ADB physical extraction that apparently allows physical extraction for previously unsupported phones. “To perform this extraction using an external USB storage device, you will need cables OTG 501 and 508”.
UFED Touch2, UFED Touch, UFED 4PC, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.1 (March 2017)
- Elcomsoft released a maintenance release of their Elcomsoft Phone Breaker tool, now at version 6.45. The update adds support for cloud backups produced by iOS 10.3 devices, fixes authentication issues for devices tied to a Microsoft Account, and includes numerous fixes and improvements for GPU-accelerated password recovery attacks. “The tool can now extract text messages from Microsoft Accounts with both Windows Phone and W10M devices on the same account”. They also updated Elcomsoft Explorer for WhatsApp to version 2.01.
- Belkasoft released version 8.3 of their Evidence Center product, updating the UI and providing a 64-bit build. Additional release notes can be found here.
Belkasoft Evidence Center 8.3 Is Out with New UX and 64-bit Edition
- Mount Image Pro was updated to version 6.2.0.1691, adding “support for Microsoft BitLocker drives.”
13 Mar 2017 – v6.2.0.1691
- GetData also updated Forensic Explorer to version 3.9.8.6364, improving “performance reading large drives with large unallocated clusters” and “UNIMO .umv carving”, and fixing a bug relating to Google Earth KML files in Turkish and German.
17 Mar 2017 – v3.9.8.6364
- Passware Kit 2017 v2 has been released, adding new features including “Instant Decryption of Passwords Stored in iOS Keychain, Password Recovery for WPA/WPA2, [and] Export and Import of Known Passwords”.
New In Passware Kit 2017 v2
- Radare version 1.3.0 was released with various updates and bug fixes.
Radare 1.3.0 Released – Codename: Refactor Forever
- X-Ways Forensics 19.1 SR-6 was released, with various bug fixes and minor improvements.
X-Ways Forensics 19.1 SR-6
- X-Ways Forensics 19.2 Beta 3 was released with some minor improvements.
X-Ways Forensics 19.2 Beta 3
SOFTWARE RELEASES
- Nir Sofer at NirSoft has released a new tool, DataProtectionDecryptor, that allows users to “decrypt passwords and other information encrypted by the DPAPI (Data Protection API) system” on Windows.
New DPAPI decryption tool
- Jim Clausing has shared a Python script that he wrote to calculate various hashes.
New tool: sigs.py, (Mon, Mar 13th)
And that’s all for Week 11! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!