Week 12 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open until the end of the month. If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • Andrew Swartwood at Between Two DFIRns shares both a walkthrough, as well as his answers to his ‘Bob’s Chili Burgers Website Hacked’ Forensic CTF.

  • The guys at Cyber Forensicator shared a few articles this week.
  • The guys at Digital Forensics Corp shared a number of articles this week.
  • Magnet have announced that they will soon be releasing a whitepaper on Android Marshmallow forensics. You can register to receive the paper when it’s released here.
    How to Solve Digital Forensics Challenges? Be Curious

  • Paul Sanderson at Sanderson Forensics explains SQLite’s Foreign Keys, along with a practical example of how they can be used to assist an examiner in reporting on a database of which they have little knowledge.
    Investigating a database using foreign keys

  • Volume 20 of the Journal of Digital Investigation has been released.

  • Matt Bromiley wrote a few posts this week.
    • The first was a Morning Read about a bug disclosure from a security researcher named Jason Doyle on vulnerabilities in Google Nest and Dropcam cameras. The vulnerabilities allow the devices to be remotely disabled via Bluetooth. Matt recommends that “if you work in an organization that utilizes smart devices heavily, your team must be diligent about securing these devices”, and that, if possible, you should use a device that allows you to store the footage locally rather than rely on an external cloud service.
      Morning Read: Disabling Google Nest Security Cameras
    • Matt also linked to information about the Ken Johnson DFIR Scholarship.
      The Ken Johnson DFIR Scholarship
    • Lastly, Matt shares information on the UNC Health Care data breach, where sensitive data was mistakenly transmitted to a local county health department.
      Morning Read: UNC Health Care Informs 1,300 Prenatal Patients of Possible Data Breach

  • The students at Champlain College continued their examination of the iOS and Android Signal apps. “The iOS team was not able to find important artifacts on the phone in respect to Signal. The Android team, however, was able to find artifacts pertaining to Signal”, including contacts and SMS/MMS messages.
    Mobile App Analysis Part 3

  • The Bluetooth Team at Champlain College have also provided an update on their progress.
    Bluetooth Security Forensics 4.0


  • Roberto Rodriguez at Cyber Wardog Lab has posted part 2 of his hunt for “In-Memory Mimikatz with Sysmon and ELK”. In this post, Roberto shows “how we can add to the detection of in-memory Mimikatz by focusing on processes opening the Local Security Authority (Lsass.exe) process and reading the memory contents of it”.
    Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK – Part II (Event ID 10)
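As an added example (not code from Roberto’s post), the core of that detection in Python: parse Sysmon Event ID 10 (ProcessAccess) records, keep those whose TargetImage is lsass.exe, drop an allowlist of known sources, and flag any remaining access whose GrantedAccess mask includes PROCESS_VM_READ. The access-mask constants are the documented Win32 values; the event lines, the key=value layout and the allowlist are constructed for this example.

```python
import re

# Documented Win32 process access-mask bits (not taken from the post).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ACCESS_BITS = [
    ("PROCESS_VM_READ", PROCESS_VM_READ),
    ("PROCESS_QUERY_INFORMATION", PROCESS_QUERY_INFORMATION),
    ("PROCESS_QUERY_LIMITED_INFORMATION", PROCESS_QUERY_LIMITED_INFORMATION),
]

# Hypothetical allowlist of images that legitimately open lsass; tune per environment.
KNOWN_GOOD_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon Event ID 10 records, flattened to key=value pairs for the example.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Tools\proc.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1410",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Turn one key=value record into a dict (paths in the sample contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def describe_access(mask):
    """Name the access bits set in a GrantedAccess mask, for the analyst's report."""
    return [name for name, bit in ACCESS_BITS if mask & bit]


def is_suspicious_lsass_read(event):
    """ProcessAccess on lsass.exe with VM_READ, from a source not on the allowlist."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in KNOWN_GOOD_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def hunt(lines):
    """Return the SourceImage of every record that trips the detection."""
    return [parse_event(l)["SourceImage"] for l in lines if is_suspicious_lsass_read(parse_event(l))]
```

Query-only handles (the svchost record, 0x1000) pass through untouched; the hit is the unlisted binary in a user temp directory reading lsass memory.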

  • The guys at Digital Forensics Corp shared an article by Ely Kahn on popular hunting techniques.
    Threat Hunting Techniques

  • Jake Williams shared an article he was interviewed for on esecurityplanet regarding Threat Intelligence.
    Ins and outs of Cyber Threat Intelligence

  • Bob Stasio has posted an article on IBM’s Security Intelligence blog regarding “a new paradigm for threat hunting”. Bob explains that “in this new paradigm, we understand three truths: you can’t prevent all attacks, your network will be compromised, [and] one hundred percent security doesn’t exist”. Bob also identifies that “organizations should keep three key items in mind when creating a threat hunting program”. The first is “a security information and event management (SIEM) solution, which properly aggregates internal structured data within a network”, along with “statistical analysis engines and intelligence analysis tools”. The second is a skilled threat hunter/analyst combining “skills related to information security, forensic science and intelligence analysis”. Lastly, “the most important starting point when executing threat hunting is establishing prioritized intelligence requirements (PIR)”. He also links to a webinar on “why you need to be hunting cyber threats”.
    Understanding Cyber Threat Hunting


  • Jessica Hyde at Magnet Forensics will be hosting a webinar on exploring “new methods for discovering and parsing data from … unsupported applications”. The webinars will take place Tuesday, March 28 at 1:00PM EST / 10:00AM PST / 5:00PM GMT, and Wednesday, March 29 at 9:00AM EST / 6:00AM PST / 1:00PM GMT.
    Webinar: Methods For Parsing New Applications

  • Scar de Courcier at Forensic Focus shared the program overview for the 2017 Techno Security conference taking place in Myrtle Beach, 4th – 7th June.
    Techno Security 2017 – Myrtle Beach 4th – 7th June

  • Paul Shomo at Guidance Software, along with Rishi Bhargava at Demisto, will be hosting a webinar “on March 29, 2016 for a live demo of our brand new bi-directional integration.” The one-hour demo will take place at 11:00 AM Pacific Daylight Time.
    EnCase + Demisto: Streamlining Incident Response


  • Douglas Brush interviewed Hal Pomeranz on this week’s Cyber Security Interviews. In this episode, they discussed “Linux and Unix forensics, his start at Bell Labs, helping others in the industry, data enterprises should collect, running your own security firm, and so much more.”
    #018 – Hal Pomeranz: Take a Deep Breath and Relax

  • Amit Malik at Cysinfo shares a video on using their APITracker tool for shellcode analysis.
    Episode 3 – Shellcode Analysis with APITracker

  • Dave and Matthew hosted Lee Whitfield on the Forensic Lunch this week to provide his take on this week’s news. They discussed this story regarding hiding data in plain sight, as well as a final reminder to get your Forensic 4Cast Awards nominations in. Matthew then gave a bit of an update regarding getting Python bindings for Rust, as well as research into the unknown sections of the Prefetch format. Lastly, Dave explained the happenings of his Shell items project.
    Forensic Lunch 3/24/17

  • Adrian Crenshaw has uploaded the presentations from Bloomcon 2017.
    Bloomcon 2017 Videos

  • Nuix have shared a “one-hour webinar examining the audio data Snohomish Power used in the Enron case. Brian Tuemmler, Information Governance Program Architect at Nuix, will detail the applicable eDiscovery and compliance efforts that could have been exponentially simplified using the latest technology available today. Michael Lappin, Nuix Director of Solutions Engineering, will demonstrate how Nuix Voice easily turns recorded and live speech into accurate and fully-punctuated transcripts for analysis, search, and additional downstream processing.”
    Big Audio in the Enron Data Set

  • This week on the Digital Forensics Survival Podcast, Michael talks about webmail collection. Michael explains that using a mail client can allow an examiner to obtain a copy of the data stored on a mail server. He also warns that written legal authority is required so that there is no question that anything you needed to do was allowed to be done. Michael also suggests that you run a test account first so that you can ensure that the integrity of the data is preserved (i.e. no dates/times changed, the data isn’t deleted from the server, read flags aren’t changed, etc.), and then hash the evidence after the download is completed.
    DFSP # 057 – Webmail Collections

  • SANS uploaded a number of presentations from the recent CTI Summit.
    Cyber Threat Intelligence Summit 2017


  • The guys at Threat Geek share a YARA rule “to detect obfuscations in PDF files” based on the work previously done by NVISO Labs.
    Using Yara for Intrusion Prevention

  • Feixiang He at Check Point shares some information found by researchers with Tencent Security about the Swearing Trojan affecting Chinese Android devices.
    Swearing Trojan Continues to Rage, Even After Authors’ Arrest

  • Xiaopeng Zhang & Chris Navarrete at Fortinet analyse a maldoc that can target both (64-bit) Windows and Mac computers.
    Microsoft Word File Spreads Malware Targeting Both Apple Mac OS X and Microsoft Windows

  • Malwarebytes Labs shared a couple of articles this week.
  • Marco Ramilli performs a quick analysis of some malware that originated from a malicious website. The malware ultimately encrypts files with the .REVENGE extension.
    A quick REVENGE Analysis

  • Michel Coene at NVISO Labs examines “a malicious office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file which in its turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet.”
    .LNK downloader and bitsadmin.exe in malicious Office document

  • Patrick Wardle at Objective-See examines an XagentOSX/Komplex.B sample, and identifies that some of the codebase is taken from “HackingTeam’s leaked Mac implant”. Patrick also celebrated the second birthday of his website and shares the news of its past and future.
    From Italy With Love?

  • There were a few posts on the SANS ISC Handler diaries this week.
  • Paul Rascagneres and Alex McDonnell at Cisco’s Talos blog analyse some malspam that distributes the Loki Bot stealer. “The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers.” “Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE. This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.”
    How Malformed RTF Defeats Security Engines

  • Cedric Pernet at TrendMicro examines a backdoor being utilised by the Winnti group that abuses “GitHub by turning it into a conduit for the command and control (C&C) communications”.
    Winnti Abuses GitHub for C&C Communications


  • Scott Vaughan at Berla explains that many car companies will utilise the same system across their range, or sell the same vehicle in different markets worldwide under different brands/vehicle names – this is called platform sharing and rebadging/badge engineering. As a result, the same infotainment units will be used worldwide, which influences the decisions for which systems to support in iVe. “Before choosing which infotainment and telematics systems to support in iVe, Berla’s team conducts a great deal of research to make informed decisions as to which systems are found most often across an automaker’s global lineup”.
    Some Notes on iVe’s Global Support

  • Similarly to the article on the ProDigital4n6 blog, A. Ross at Elvidence has published an article on what to do from a digital data perspective when an employee leaves. Whilst not exactly a DFIR topic, this may assist people who make recommendations to their clients, or may give them an idea of where to look for additional data.
    Every time we say goodbye – why you need a policy for digital separation

  • Brian Carrier shares a bit of information about the new look to Cyber Triage (v2.0). “This post covers how the new user interface makes it even easier for companies to perform a mini-forensic investigation of endpoints without needing agents to be deployed.”
    Cyber Triage Has a New Look

  • DFIR Guy at DFIR.Training suggests that if you’re stuck on a problem then you should let someone else take a look at it. The reason being that they can come at it from a different perspective. Another suggestion is explaining the problem to another person; not only can they make suggestions but often it will allow you to put your findings into words, and that might help you understand it better.
    The #1 Tip to Solve your DFIR Case Problem

  • David Cowen at the ‘Hacking Exposed Computer Forensics Blog’ shares a war story where employees had identified a breach but did nothing about it. By combining the forensic artefacts with the various elements of the story obtained from the SOC and (later) the employees they were able to put together a good picture of what had happened.
    DFIR Exposed #1: The crime of silence

  • Yulia Samoteykina at Atola Technologies explains how to wipe multiple drives simultaneously using the Insight.
    Wiping multiple drives simultaneously

  • Chet Hosmer has shared a brief overview of the presentation, Asset Mapping with Python, he will be giving at Enfuse.
    enfuse 2017

  • Richard Bejtlich shares his thoughts on Henry Jiang’s Map of Cybersecurity Domains v2.0, which is an extension of a mind map created by Vladislav Bukin.
    Cybersecurity Domains Mind Map

  • Keith Wilson at Witfoo lists the justifications for undertaking continued education and training, as well as describing the various problems (time/money/travel) that people may face when trying to get the training signed off.
    The Training Trade Off


  • Phil Harvey updated ExifTool to version 10.47, adding support for new tags and fixing a couple of bugs.
    ExifTool 10.47

  • GetData have updated Forensic Explorer to version 3.9.8.6376, with minor bug fixes and updates. They have also released a Beta, v3.9.8.6390, with some minor improvements.
    23 Mar 2017 – v3.9.8.6390 (Beta)

  • Oxygen Forensics have released a maintenance version (Version 9.2.1) of their Detective product. This update “decrypts private and group chats, contacts and account details of the popular secure messenger Wickr Me”, and adds the ability to “use USB modem commands to remove [the] lock screen password” for LG Android devices (as seen here).
    Oxygen Forensic® Detective now decrypts Wickr Me data


And that’s all for Week 12! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
