Nominations for the 2017 Forensic 4Cast Awards are still open until the end of the month. If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open
FORENSIC ANALYSIS
- Andrew Swartwood at Between Two DFIRns shares both a walkthrough and his answers to his ‘Bob’s Chili Burgers Website Hacked’ Forensic CTF.
- The guys at Cyber Forensicator shared a few articles this week
  - They shared a paper by Isak Mrkaic from The 8th International Conference on Business Information Security called “Android Forensic Using Some Open Source Tools”
  Android Forensics Using Some Open Source Tools
  - They shared a platform called Yeti, which is “meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository”.
  Yeti – open, distributed, machine and analyst-friendly threat intelligence repository
  - They shared Apple’s latest version (March 2017) of their iOS Security guide.
  iOS 10 Security Guide
  - They shared an article by Howard Oakley regarding the length of time that OS X Sierra keeps logs for.
  How far back does Sierra’s new log go?
- The guys at Digital Forensics Corp shared a number of articles this week
  - They shared a video from Dateline where “Digital forensic detective Nick Herfordt explains how he uncovered critical evidence from [Anthony Garcia’s] phone.”
  A Sample of Smartphone Forensic Analysis
  - They shared an article by Pierluigi Paganini at Security Affairs on “a new method that leverages App Paths to bypass the User Account Control (UAC) only on Windows 10”, devised by Matt Nelson.
  Bypass User Account Control in Windows 10
  - They shared a YouTube video on the SANS SEC564 course.
  Understanding Threats Through Red
  - They shared an article by Bill Brenner at Sophos about the various threats and defences for Mac systems
  Mac Systems Malware Defence
  - They shared an article by Salvation Data “on the restoration of files from XFS file systems”
  How to Recover Files from XFS File Systems
  - They advised that “Rusolut added SQLite analysis functionality to their top software Visual NAND Reconstructor.”
  SQLite Forensics with Visual NAND Reconstructor
  - For those that didn’t see Brett’s announcement last year, Brett has archived Jimmy Weg’s site onto his.
  Jimmy Weg’s site
- Magnet have announced that they will soon be releasing a whitepaper on Android Marshmallow forensics. You can register to receive the paper when it’s released here
How to Solve Digital Forensics Challenges? Be Curious
- Paul Sanderson at Sanderson Forensics explains SQLite’s foreign keys, along with a practical example of how they can be used to assist an examiner in reporting on a database of which they have little knowledge.
Investigating a database using foreign keys
- Volume 20 of the Journal of Digital Investigation has been released.
- Matt Bromiley wrote a few posts this week
  - The first was a Morning Read about a bug disclosure from a security researcher named Jason Doyle on vulnerabilities in Google Nest and Dropcam cameras. The vulnerabilities allow the devices to be remotely disabled via Bluetooth. Matt recommends that “if you work in an organization that utilizes smart devices heavily, your team must be diligent about securing these devices”, and that, if possible, you use a device that allows you to store the footage locally rather than rely on an external cloud service.
  Morning Read: Disabling Google Nest Security Cameras
  - Matt also linked to information about the Ken Johnson DFIR Scholarship.
  The Ken Johnson DFIR Scholarship
  - Lastly, Matt shares information on the UNC Health Care data breach, where sensitive data was mistakenly transmitted to a local county health department
  Morning Read: UNC Health Care Informs 1,300 Prenatal Patients of Possible Data Breach
- The students at Champlain College continued their examination of the iOS and Android Signal apps. “The iOS team was not able to find important artifacts on the phone in respect to Signal. The Android team, however, was able to find artifacts pertaining to Signal”, including contacts and SMS/MMS.
Mobile App Analysis Part 3
- The Bluetooth Team at Champlain College have also provided an update on their progress.
Bluetooth Security Forensics 4.0
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab has posted part 2 of his hunt for “In-Memory Mimikatz with Sysmon and ELK”. In this post, Roberto shows “how we can add to the detection of in-memory Mimikatz by focusing on processes opening the Local Security Authority (Lsass.exe) process and reading the memory contents of it”.
Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK – Part II (Event ID 10)
- The guys at Digital Forensics Corp shared an article by Ely Kahn on popular hunting techniques
Threat Hunting Techniques
- Jake Williams shared an article he was interviewed for on eSecurityPlanet regarding threat intelligence.
Ins and outs of Cyber Threat Intelligence
- Bob Stasio has posted an article on IBM’s Security Intelligence blog regarding “a new paradigm for threat hunting”. Bob explains that “in this new paradigm, we understand three truths: you can’t prevent all attacks, your network will be compromised, [and] one hundred percent security doesn’t exist”. Bob also identifies that “organizations should keep three key items in mind when creating a threat hunting program”. The first is “a security information and event management (SIEM) solution, which properly aggregates internal structured data within a network”, along with “statistical analysis engines and intelligence analysis tools”. The second is a skilled threat hunter/analyst combining “skills related to information security, forensic science and intelligence analysis”. Lastly, “The most important starting point when executing threat hunting is establishing prioritized intelligence requirements (PIR)”. He also links to a webinar on “why you need to be hunting cyber threats”.
Understanding Cyber Threat Hunting
UPCOMING WEBINARS
- Jessica Hyde at Magnet Forensics will be hosting a webinar exploring “new methods for discovering and parsing data from … unsupported applications”. The webinars will take place Tuesday, March 28 at 1:00PM EST / 10:00AM PST / 5:00PM GMT, and Wednesday, March 29 at 9:00AM EST / 6:00AM PST / 1:00PM GMT.
Webinar: Methods For Parsing New Applications
- Scar de Courcier at Forensic Focus shared the program overview for the 2017 Techno Security conference taking place in Myrtle Beach, 4th – 7th June.
Techno Security 2017 – Myrtle Beach 4th – 7th June
- Paul Shomo at Guidance Software, along with Rishi Bhargava at Demisto, will be hosting a webinar “on March 29, 2016 for a live demo of our brand new bi-directional integration.” The 1 hour demo will take place at 11:00 AM Pacific Daylight Time.
EnCase + Demisto: Streamlining Incident Response
PRESENTATIONS/PODCASTS
- Douglas Brush interviewed Hal Pomeranz on this week’s Cyber Security Interviews. In this episode, they discussed “Linux and Unix forensics, his start at Bell Labs, helping others in the industry, data enterprises should collect, running your own security firm, and so much more.”
#018 – Hal Pomeranz: Take a Deep Breath and Relax
- Amit Malik at Cysinfo shares a video on using their APITracker tool for shellcode analysis
Episode 3 – Shellcode Analysis with APITracker
- Dave and Matthew hosted Lee Whitfield on the Forensic Lunch this week to provide his take on this week’s news. They discussed this story regarding hiding data in plain sight, as well as a final reminder to get your Forensic 4Cast Awards nominations in. Matthew then gave a bit of an update on getting Python bindings for Rust, as well as research into the unknown sections of the Prefetch format. Lastly, Dave explained the happenings of his Shell Items project.
Forensic Lunch 3/24/17
- Adrian Crenshaw has uploaded the presentations from Bloomcon 2017.
Bloomcon 2017 Videos
- Nuix have shared a “one-hour webinar examining the audio data Snohomish Power used in the Enron case. Brian Tuemmler, Information Governance Program Architect at Nuix, will detail the applicable eDiscovery and compliance efforts that could have been exponentially simplified using the latest technology available today. Michael Lappin, Nuix Director of Solutions Engineering, will demonstrate how Nuix Voice easily turns recorded and live speech into accurate and fully-punctuated transcripts for analysis, search, and additional downstream processing.”
Big Audio in the Enron Data Set
- This week on the Digital Forensics Survival Podcast, Michael talks about webmail collection. Michael explains that using a mail client can allow an examiner to obtain a copy of the data stored on a mail server. He also warns that written legal authority is required so that there is no question that anything you needed to do was allowed to be done. Michael also suggests that you run a test account first so that you can ensure that the integrity of the data remains (i.e. no dates/times changed, the data isn’t deleted from the server, read flags aren’t changed, etc.), and then hash the evidence after the download is completed.
DFSP # 057 – Webmail Collections
- SANS uploaded a number of presentations from the recent CTI Summit
Cyber Threat Intelligence Summit 2017
MALWARE
- The guys at Threat Geek share a YARA rule “to detect obfuscations in PDF files” based on the work previously done by NVISO Labs
Using Yara for Intrusion Prevention
- Feixiang He at Check Point shares some information found by researchers at Tencent Security about the Swearing Trojan affecting Chinese Android devices.
Swearing Trojan Continues to Rage, Even After Authors’ Arrest
- Xiaopeng Zhang & Chris Navarrete at Fortinet analyse a maldoc that can target both (64-bit) Windows and Mac computers.
Microsoft Word File Spreads Malware Targeting Both Apple Mac OS X and Microsoft Windows
- Malwarebytes Labs shared a couple of articles this week
  - Zammis Clark analyses “an installer for a China-developed WiFi hotspot application, targeting English speakers, and being dropped by one of the major PUP bundler networks”
  Chinese PUPs and backdoor drivers: making systems less secure since 2013
  - The Labs team analyses a maldoc being sent as part of a “phishing campaign … targeting Saudi Arabia governmental organizations”
  New targeted attack against Saudi Arabia Government
- Marco Ramilli performs a quick analysis of some malware that originated from a malicious website. The malware ultimately encrypts files with the .REVENGE extension.
A quick REVENGE Analysis
- Michel Coene at NVISO Labs examines “a malicious office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file which in its turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet.”
.LNK downloader and bitsadmin.exe in malicious Office document
- Patrick Wardle at Objective-See examines an XagentOSX/Komplex.B sample, and identifies that some of the codebase is taken from “HackingTeam’s leaked Mac implant”. Patrick also celebrated the second birthday of his website and shares news of its past and future.
From Italy With Love?
- There were a few posts on the SANS ISC Handler diaries this week
  - Xavier Mertens shares a regular expression he uses to identify Base64-encoded PE files using their header strings
  Searching for Base64-encoded PE Files, (Sun, Mar 19th)
  - Brad Duncan analyses some malspam sending a password-protected Word document containing embedded obfuscated VBS files.
  Malspam with password-protected Word documents, (Tue, Mar 21st)
  - Brad also analysed some malspam that was part of the “Blank Slate” campaign. The name for this campaign originates from the fact that the malspam doesn’t contain any message text, and the subject lines and attachment names are “vague and usually consist of random numbers”.
  “Blank Slate” campaign still pushing Cerber ransomware, (Wed, Mar 22nd)
  - Tom Webb shares a Python script named SSMA which “is handy tool for quickly getting an idea if a file is malicious”.
  SSMA Usage, (Thu, Mar 23rd)
  - Xavier Mertens deobfuscates some “malicious JavaScript code” located in a phishing email
  Nicely Obfuscated JavaScript Sample, (Fri, Mar 24th)
- Paul Rascagneres and Alex McDonnell at Cisco’s Talos blog analyse some malspam that distributes the Loki Bot stealer. “The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers.” “Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE. This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.”
How Malformed RTF Defeats Security Engines
- Cedric Pernet at TrendMicro examines a backdoor being utilised by the Winnti group that abuses “GitHub by turning it into a conduit for the command and control (C&C) communications”.
Winnti Abuses GitHub for C&C Communications
MISCELLANEOUS
- Scott Vaughan at Berla explains that many car companies will utilise the same system across their range, or sell the same vehicle in different markets worldwide under different brands/vehicle names; this is called platform sharing and rebadging/badge engineering. As a result, the same infotainment units will be used worldwide, which influences the decisions about which systems to support in iVe. “Before choosing which infotainment and telematics systems to support in iVe, Berla’s team conducts a great deal of research to make informed decisions as to which systems are found most often across an automaker’s global lineup”.
Some Notes on iVe’s Global Support
- Similarly to the article on the ProDigital4n6 blog, A. Ross at Elvidence has published an article on what to do from a digital data perspective when an employee leaves. Whilst not exactly a DFIR topic, this may assist people who make recommendations to their clients, or may give them an idea of where to look for additional data
Every time we say goodbye – why you need a policy for digital separation
- Brian Carrier shares a bit of information about the new look of Cyber Triage (v2.0). “This post covers how the new user interface makes it even easier for companies to perform a mini-forensic investigation of endpoints without needing agents to be deployed.”
Cyber Triage Has a New Look
- DFIR Guy at DFIR.Training suggests that if you’re stuck on a problem then you should let someone else take a look at it, the reason being that they can come at it from a different perspective. Another suggestion is explaining the problem to another person; not only can they make suggestions, but often it will force you to put your findings into words, and that might help you understand them better.
The #1 Tip to Solve your DFIR Case Problem
- David Cowen at the ‘Hacking Exposed Computer Forensics Blog’ shares a war story where employees had identified a breach but did nothing about it. By combining the forensic artefacts with the various elements of the story obtained from the SOC and (later) the employees, they were able to put together a good picture of what had happened.
DFIR Exposed #1: The crime of silence
- Yulia Samoteykina at Atola Technologies explains how to wipe multiple drives simultaneously using the Insight.
Wiping multiple drives simultaneously
- Chet Hosmer has shared a brief overview of the presentation, Asset Mapping with Python, that he will be giving at Enfuse.
enfuse 2017
- Richard Bejtlich shares his thoughts on Henry Jiang’s Map of Cybersecurity Domains v2.0, which is an extension of a mindmap created by Vladislav Bukin
Cybersecurity Domains Mind Map
- Keith Wilson at Witfoo lists the justifications for undertaking continued education and training, as well as describing the various problems (time/money/travel) that people may face when trying to get the training signed off
The Training Trade Off
SOFTWARE UPDATES
- Phil Harvey updated ExifTool to version 10.47, adding support for new tags and fixing a couple of bugs
ExifTool 10.47
- GetData have updated Forensic Explorer to version v3.9.8.6376, with minor bug fixes and updates. They have also released a Beta, v3.9.8.6390, with some minor improvements.
23 Mar 2017 – v3.9.8.6390 (Beta)
- Oxygen Forensics have released a maintenance version (Version 9.2.1) of their Detective product. This update “decrypts private and group chats, contacts and account details of the popular secure messenger Wickr Me”, and adds the ability to “use USB modem commands to remove [the] lock screen password” for LG Android devices (as seen here)
Oxygen Forensic® Detective now decrypts Wickr Me data
SOFTWARE RELEASES
- CERT Société Générale have released an open-source malware analysis framework called FAME.
Introducing FAME
- Shusei Tomonaga at the Japan CERT/CC blog shares a new tool, impfuzzy for Neo4j, which “is a tool to visualise results of malware clustering using a graph database, Neo4j”
Malware Clustering using impfuzzy and Network Analysis – impfuzzy for Neo4j –
- Christopher Truncer at FireEye has released “WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell”.
WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell
And that’s all for Week 12! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!