Nominations for the 2017 Forensic 4Cast Awards closed during the week, but Lee has tallied the nominations and voting is now open until May 31. Thank you to everyone who nominated this blog, as a result it was one of the top three, and therefore able to be voted for!
If you’d like to vote this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- James Habben at 4n6ir has been busy digging into the internals of Prefetch files. He has provided both a high level overview, as well as the technical details of his findings. He has also adding the extra data into his fork of PoorBillionaire’s Windows Prefetch Parser , and I imagine other tool developers will be updating their tools shortly as well.
- Daniel Berger at Compass Security gives his rundown of the Insomnihack conference, as well as links the writeups of the CTF challenge. Alex Joss’s writeup related to a challenge “about memory forensics on Android devices. The challenge provided a memory dump of an Android device along with the task to retrieve some encrypted information from it.”
Fun at Insomni’hack - Igor Shorokhov & Oleg Skulkin at Cyber Forensicator dynamically analyse a maldoc containing malicious VBScript files.
Basic Dynamic Analysis of a Malicious VBScript - Philippe Lagadec was asked by Didier Stevens to “add a method to olefile that returns bytes that are appended to an OLE file”, and accepted the challenge. Philippe outlines a method that he has implemented that works for some use cases but not others (ie modifying the last FAT records), and indicates that he plans to address this case in the next version of olemap.
How to find data hidden at the end of an OLE file - The guys at Digital Forensics Corp shared a number of articles this week
- They shared an intrusion detection checklist on Linux by Balaji N at “Gbhackers on Security”.
Linux Machine – Intrusion Discovery - They shared a playbook by the Microsoft Advanced Threat Analytics Team on “How to simulate and detect attacks with the Advanced Threat Analytics Playbook”.
Advanced Threat Analytics Playbook - They shared an article by AArti Singh on Raj Chandel’s Blog on how to “Capture [a] VNC Session of Remote PC using SetToolkit”
Capture VNC Session of Remote PC - They shared an article by Salvation Data on “cellphone audio file data extraction”.
Extracting Audio Messages from Instant Messengers - They shared an article by David Balaban containing a “comprehensive report on ransomware-related events covering a time frame of May 2016 – March 2017”.
Ransomware Timeline - They shared an article by Filippo Valsorda “on how to install and un-encrypt hard drives on Macs”.
Understanding Mac OS full disk encryption
- They shared an intrusion detection checklist on Linux by Balaji N at “Gbhackers on Security”.
- Gabriele Zambelli at Forense nella Nebbia has created a regripper plugin to parse the MRU list from Foxit Reader. He’s created a pull request, however, until the developer accepts it you can get the plugin from here
RegRipper plugin to parse Foxit Reader - Adam at Hexacorn shows how the NTSD debugger process can be called when LSM.exe is executed. Adam then explains the process required for the debugger to be hijacked.
Beyond good ol’ Run key, Part 61 - Russ McRee at HolisticInfoSec walks through some packet carving with a packet analyzer called Dripcap.
Toolsmith #124: Dripcap – Caffeinated Packet Analyzer - Jan Engman at Malware Maloney has a post explaining how a bug was identified in Jeff Bryner’s NBDServer, and how he fixed it. The updated version allows examiners to obtain a memory dump over a network when memory is greater than 4GB (previously this would cause the computer to blue screen). Jan’s pull request has also been accepted into the main build.
NBDServer - Matt Seyer explains his RustyPrefetch project. I’m interested in learning more about how he utilises ArangoDB to “create automated systems to look for known things”, and hopefully Matt will be sharing the examples he mentioned soon.
Prefetch, Rust, Python, Big Data… DFIR - The Mobile Application Forensics team at Champlain College has provided an update on their progress analysing the Android/iOS Bumble app.
Mobile App Analysis Part 4
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab wrote a couple of posts this week
- The first post shows how to hunt for WMImplant using sysmon and ELK
Chronicles of a Threat Hunter: Hunting for WMImplant with Sysmon and ELK – Part I (EID 1,12, 13, 17 & 18) - The second was the third part in his series on “hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK”. This post focuses on “how we can also hunt for Mimikatz when it is used to move laterally in the network.”
Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK – Part III (Overpass-the-Hash – EIDs 10, 4624, 4648, 4768)
- The first post shows how to hunt for WMImplant using sysmon and ELK
- On this month’s Cyber Beat Live, Bob Stasio talked with Scott Schober and Morgan Wright about “The Art of Threat Hunting”.
The Art of Threat Hunting - Ryan McGeehan shares the lessons he’s learnt in detection engineering. There’s a lot here so if this is something that you deal with regularly I’d recommend spending the time going through it.
Lessons Learned in Detection Engineering
UPCOMING WEBINARS
- Jamie McQuaid at Magnet Forensics will be hosting two 1 hour webinars on the use and examination of Android emulators. These will take place Wednesday, April 19, 2017 – 1:00PM EST (GMT-05:00), and Thursday, April 20, 2017 – 9:00AM EST (GMT-05:00)
Android Emulators Forensics: When an Android Device Isn’t an Android Device
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has shared the presentations from Cyphercon 2.0
- Chris Sanders has released a new podcast called Source Code interviewing “practitioners from every facet of information security about their origin story.” “Source Code is focused on the people that push information security forward and battle in the trenches every day”. On the first episode, he interviewed Ed Skoudis.
Introducing the Source Code Podcast - Sarah Edwards at Mac4n6 uploaded her presentation, “Logs Unite! – Forensic Analysis of Apple Unified Logs”, from Bsides NOLA
New Presentation: Logs Unite! – Forensic Analysis of Apple Unified Logs - Jamie McQuaid at Magnet Forensics shows how to acquire an Android phone using Magnet Acquire and TWRP. This method allows you to install TWRP on a device without having to use a tool like Odin.
How To Physically Acquire Android Phones with Magnet ACQUIRE & TWRP - On this week’s Digital Forensics Survival Podcast, Michael talks about “Linux forensics and breakdown some useful artifacts that may generate leads for investigations.”
DFSP # 058 – Linux FU&K Artifacts - Martijn Grooten at VirusBulletin shares a presentation by “Symantec researchers Himanshu Anand and Chastine Menrige” from VB2016 on “One-click fileless infection”.
VB2016 paper: One-Click Fileless Infection - Ted Smith at ‘X-Ways Forensics’ Video Clips shows how to convert an AD1 file container to an X-Ways container by mounting the AD1 container in FTK Imager and then adding the mounted volume to X-Ways. You can then either continue as usual or convert the mounted container to X-Ways CTR container.
Video 55 – Converting FTK Imager CTR Custom Image Data To X-Ways Forensics CTR Evidence Containers
MALWARE
- Mila at Contagio shares a list of samples attributes to APT29 aka Fancy Bear
Part II. APT29 Russian APT including Fancy Bear - Winston M at Cysinfo examines some spam that distributes a maldoc and during his examination identifies a brand new variant of the ‘Agent Tesla’ malware.
“Agent Tesla” New Spyware Variant plucked from Hacker’s Arena ! - There were a couple of posts on the Forcepoint blog
- Roland Dela Paz analyses the dropper for a new RAT they have named KHRAT. “The latest dropper [DragonOK] used is disguised as an Adobe Reader installer and installs” KHRAT.
Trojanized Adobe Installer used to Install DragonOK’s New Custom Backdoor - Luke Somerville & Abel Toro analyse the ‘Felismus’ malware, which was named “in reference to the ‘Tom & Jerry’ encryption key used by the malware”
Playing Cat & Mouse: Introducing the Felismus Malware
- Roland Dela Paz analyses the dropper for a new RAT they have named KHRAT. “The latest dropper [DragonOK] used is disguised as an Adobe Reader installer and installs” KHRAT.
- Chris Navarrete & Xiaopeng Zhang at Fortinet show how the maldoc they covered in a previous post utilises meterpreter for post exploitation. This requires the attacker to be running a metasploit server instance as “the reverse_https payload was used by the attacker for secure communication”.
Microsoft Word File Spreads Malware Targeting Both Mac OS X and Windows (Part II) - There were a couple of posts on the Malwarebytes Labs blog
- Pieter Arntz explains the terms “packer, crypter, and protector in the context of how they are used in malware”. Packers, most often used in malware, “are also known as “self-extracting archives””, and the executable is unpacked into memory. Crypters, “not only encrypt the file, but the crypter software offers the user many other options to make the hidden executable as hard to detect by security vendors as possible”. Lastly, “a protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting.”
Explained: Packer, Crypter, and Protector - Hasherezade dissects a sample of the Sage ransomware
Explained: Sage ransomware
- Pieter Arntz explains the terms “packer, crypter, and protector in the context of how they are used in malware”. Packers, most often used in malware, “are also known as “self-extracting archives””, and the executable is unpacked into memory. Crypters, “not only encrypt the file, but the crypter software offers the user many other options to make the hidden executable as hard to detect by security vendors as possible”. Lastly, “a protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting.”
- Charles Crofford and Douglas McKee at McAfee Labs examine why the Nullsoft Scriptable Install System (NSIS) “delivery mechanism works, why it is used, and the challenges it poses to researchers attempting to investigate the malware.”
Ransomware Families Use NSIS Installers to Avoid Detection, Analysis - There were a couple of posts by NVISO Labs this week
- Didier Stevens examines a maldoc that delivers Hancitor. The gang behind Hancitor has changed the encoding slightly again.
New Hancitor maldocs keep on coming… - Jeroen Beckers has provided the question and answer for the ‘Trace Me’ challenge from Cybersecurity Challenge Belgium 2017.
CSCBE Challenge Write-up – Trace Me
- Didier Stevens examines a maldoc that delivers Hancitor. The gang behind Hancitor has changed the encoding slightly again.
- There were a few posts on the Palo Alto Networks blog
- Robert Falcone and Bryan Lee “determined that the actors conducting the Shamoon 2 attacks use one compromised system as a distribution point to deploy the destructive Disttrack Trojan to other systems on the targeted network, after which the Disttrack malware will seek to propagate itself even further into the network”. They examine the use of the “combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network”.
Shamoon 2: Delivering Disttrack - Christopher Budd, also regarding Shamoon 2, covers the use of credential theft in the attacks.
Threat Brief: Credential Theft – The Keystone of the Shamoon 2 Attacks - Brandon Levene, Dominik Reichel and Esmid Idrizovic examine some malspam that distributes the Dimnie malware
Dimnie: Hiding in Plain Sight
- Robert Falcone and Bryan Lee “determined that the actors conducting the Shamoon 2 attacks use one compromised system as a distribution point to deploy the destructive Disttrack Trojan to other systems on the targeted network, after which the Disttrack malware will seek to propagate itself even further into the network”. They examine the use of the “combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network”.
- Jen Miller-Osborn and Josh Grunzweig analyse the MoonWind RATs seen used in an attack against Thai organisations
Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations - Xavier Mertens at the SANS Internet Storm Centre shares a “very small Javascript sample” containing “a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools”. He also shares a reminder of how the EncodedCommand parameter can be used in PowerShell
Diverting built-in features for the bad, (Thu, Mar 30th) - Artem at Security/malware blog analyses the EquationDrug rootkit.
EquationDrug rootkit analysis (mstcp32.sys) - Matthew Dunwoody at FireEye explains how “APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.”
APT29 Domain Fronting With TOR - Michael Mimoso at Threatpost comments on Matt Nelson’s “Fileless” UAC bypass using SDCLT.EXE, which if his previous UAC bypass is anything to go by, will be seen used by attackers in the wild soon.
Fileless UAC Bypass Uses Windows Backup and Restore Utility - Gilbert Sison at TrendLabs Security Intelligence Blog examines a new version of Cerber that uses “a new technique to make itself harder to detect: it is now using a new loader that appears to be designed to evade detection by machine learning solutions”
Cerber Starts Evading Machine Learning - Steven Adair at Volexity advises “that your alerts for a Gh0st RAT infection are likely false positives and the result of inbound scanning. “
Have you been haunted by the Gh0st RAT today?
MISCELLANEOUS
- Bradley Schatz has announced that the AFF4 Standard Specification v1.0 document has been released. “The release of the AFF4 Standard coincides with the limited release of Evimetry Community Edition, a freely licensed subset of the AFF4 based forensic tool, and in the coming days, a C++ implementation and patches to the Sleuth Kit, and support for Volatility and Rekall.”
AFF4 Standard v1.0 Released - Jim Hoerricks at Amped shows how a filter in their FIVE product can be used to identify important details of a dark photo
Can you see in the dark? - The Blackbag Training Team have written a workaround for “Windows users trying to generate a BlackLight PDF report that contains Apple emoji characters.”
BlackLight PDF Reports Containing Apple Emojis Workaround for Windows - Bart at Blaze’s Security Blog shared the results of his survey on “Red team / Pentest / Attacker methods & tools.”
Popular attacker tools & techniques: survey results - Chris Sanders has announced a new training course, “Practical Packet Analysis”. This course is based on his book of the same name and is targetted at the beginner to intermediate level. “This course is only taught periodically and space is limited. Registration deadline is the 9th June, and the session begins June 12th.
Announcing the Practical Packet Analysis Online Course - The guys at the Extreme Coders Blog shared a couple of posts this week
- They took a look at one of the challenges on EasyCTF regarding 67,085 PE files. “The task was to reverse engineer each of them and combine their solutions to get the flag”, and as a result, a Python script was written to complete the task.
67,000 cuts with python-pefile - They also showed how to use HTTP tunnelling to attach a remote process to IDA for debugging.
Remote debugging in IDA Pro by http tunnelling
- They took a look at one of the challenges on EasyCTF regarding 67,085 PE files. “The task was to reverse engineer each of them and combine their solutions to get the flag”, and as a result, a Python script was written to complete the task.
- Adam Bridge at Context had a bit of trouble mounting an EWF image of a Bitlocker-ed Windows volume. After some trial and error and consultation with the VBR layout, he figured out that using Arsenal Imager Mounted and a Hex Editor he could modify the “Number of Hidden Sectors” in the VBR and Windows would mount the volume.
Making an NTFS Volume Mountable by Tinkering with the VBR - DFIR Guy at DFIR.Training gives his takeaways from Kevin Mitnick’s “The Art of Invisibility” – “the reassurance that no matter what a criminal does with computer technology, if you look long enough and have patience, you can catch them”. Unfortunately, the time is not always afforded, but we do what we can with the resources available.
We catch the smart criminals too. - There were a few posts on the DME Forensics blog this week
- Katie Mongi compares writeblockers and portable imaging devices. The minor issue with the post is that she states that writeblockers are capable of allowing users to write data – this is more the combodocks (which have both read-only and read-write modes). Writeblockers shouldn’t allow users to write data to the drive. I would also argue that creating a forensic image isn’t really a “highly-detailed process”, however, has major implications if not done correctly – a writeblocker, whilst less functional, ensures that there’s a physical distinction between the source and target drives, and reduces the possibility of accidentally overwriting your evidence if you mix them up.
Write Blocker vs Imaging Device - Jason Latham advises what to look for when hiring a digital forensic expert, primarily their “curriculum vitae and participation in the forensic community [professional organizations].”
Not All that Glitters is Gold: What to Look For in a Forensic Expert - Tyler Schlecht has written about the new “Temporal Decompression” feature in DVR Examiner 2.0 (*take note of the post date*)
DVR Examiner 2.0’s Best New Feature
- Katie Mongi compares writeblockers and portable imaging devices. The minor issue with the post is that she states that writeblockers are capable of allowing users to write data – this is more the combodocks (which have both read-only and read-write modes). Writeblockers shouldn’t allow users to write data to the drive. I would also argue that creating a forensic image isn’t really a “highly-detailed process”, however, has major implications if not done correctly – a writeblocker, whilst less functional, ensures that there’s a physical distinction between the source and target drives, and reduces the possibility of accidentally overwriting your evidence if you mix them up.
- Gabriele Zambelli at Forense nella Nebbia has shared a modified filter:type list for X-Ways.
Customizing the filter type in X-Ways Forensics - Microsystemations shared an article from February’s Digital Forensics Magazine by Joel Bollo (MSAB) and Ben LeMere (Berla) on the information can be obtained from vehicle forensics.
Vehicles solve crime - Jonathon Poling at Ponder The Bits expands on Int’l Man of Leisure posts on mounting LVM’s. Instead of converting the image to RAW format, Jonathon uses a tool called “QEMU”.
Quick(er) Mounting and Dismounting of LVM’s on Forensic Images - Bruce Schneier at Schneier on Security gives his thoughts on automation in incident response. “Automation has its place in incident response, but the focus needs to be on making the people effective, not on replacing them security orchestration, not automation”. “From within an orchestration model, automation can be incredibly powerful. But it’s the human-centric orchestration model – the dashboards, the reports, the collaboration – that makes automation work. Otherwise, you’re blindly trusting the machine. And when an uncertain process is automated, the results can be dangerous.”
Security Orchestration and Incident Response - Amanda Rousseau at Secured.org has shared her Reverse Engineering Malware 101 course
SOFTWARE UPDATES/RELEASES
- Eric Zimmerman has updated his AppCompatCacheParser to version 0.9.7.0 to accomodate the tweak to the format of the shimcache in the creator’s update to Win10. He also advised Mandiant of the issue, and it appears that their tool should be updated shortly.
Windows 10 Creators update vs shimcache parsers: Fight!! - Blackbag released Mobilyze 2017 R1. “Some of the improvements include support for Apple iOS 10.3 with encrypted backups, Android 7.1.1 Nougat, iOS 10 third party applications, such as Kik and WhatsApp, [and an] improved report generator”
Mobilyze 2017 R1 is Now Available! - Elcomsoft have updated their Cloud Explorer tool to version 1.22. “The update fixes the issue with History download, re-enables the downloading of mp3 files related to Google’s Voice Search History, and renamed the “Service” column to “Application” in Voice Search History.”
Elcomsoft Cloud Explorer 1.22 Fixes History and Voice Search History Access - Guidance Software released updates to Encase 8.04, and Encase 7.16, however, I wasn’t able to get the release notes off their portal.
- Katana Forensics released Lantern v4.6.8, improving support for Android 6 and 7 Devices
- MISP 2.4.70 was released “including new features, improvements and important bug fixes.”
MISP 2.4.70 released - Paraben Corporation have released E3: Universal Aurora Edition 1.2 with a variety of new features and stability improvements.
E3 1.2 is now available! - Paul Sanderson updated Forensic Browser for SQLite to version 3.2.4, fixing a variety of bugs.
New release 3.2.4 - TZWorks released a package update, improving both their LNK and USNJournal parser, as well as bug fixes for their ‘dup’ tool.
Mar 2017 build (package) - X-Ways Forensics 19.1 SR-7 was released, fixing a variety of bugs.
X-Ways Forensics 19.1 SR-7 - X-Ways Forensics 19.2 was officially released (and then updated to SR-0) with additional improvements.
X-Ways Forensics 19.2 SR-0 - The Innovation and Custom Engineering (ICE) Applied Research Team at FireEye have released Monitor.app, “a simple GUI application for monitoring common system events on a macOS host”.
Introducing Monitor.app for macOS
And that’s all for Week 13! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 