Week 13 – 2017

Nominations for the 2017 Forensic 4Cast Awards closed during the week, but Lee has tallied the nominations and voting is now open until May 31. Thank you to everyone who nominated this blog, as a result it was one of the top three, and therefore able to be voted for!
If you’d like to vote for this site as blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
  • James Habben at 4n6ir has been busy digging into the internals of Prefetch files. He has provided both a high-level overview and the technical details of his findings. He has also added the extra data to his fork of PoorBillionaire’s Windows Prefetch Parser, and I imagine other tool developers will be updating their tools shortly as well.

  • Daniel Berger at Compass Security gives his rundown of the Insomnihack conference and links to the writeups of the CTF challenges. Alex Joss’s writeup covers a challenge “about memory forensics on Android devices. The challenge provided a memory dump of an Android device along with the task to retrieve some encrypted information from it.”
    Fun at Insomni’hack

  • Igor Shorokhov & Oleg Skulkin at Cyber Forensicator dynamically analyse a maldoc containing malicious VBScript files.
    Basic Dynamic Analysis of a Malicious VBScript

  • Philippe Lagadec was asked by Didier Stevens to “add a method to olefile that returns bytes that are appended to an OLE file”, and accepted the challenge. Philippe outlines a method he has implemented that works for some use cases but not others (e.g. when the last FAT records have been modified), and indicates that he plans to address this case in the next version of olemap.
    How to find data hidden at the end of an OLE file

  • The guys at Digital Forensics Corp shared a number of articles this week
  • Gabriele Zambelli at Forense nella Nebbia has created a regripper plugin to parse the MRU list from Foxit Reader. He’s created a pull request, however, until the developer accepts it you can get the plugin from here
    RegRipper plugin to parse Foxit Reader

  • Adam at Hexacorn shows how the NTSD debugger process can be called when LSM.exe is executed. Adam then explains the process required for the debugger to be hijacked.
    Beyond good ol’ Run key, Part 61

  • Russ McRee at HolisticInfoSec walks through some packet carving with a packet analyzer called Dripcap.
    Toolsmith #124: Dripcap – Caffeinated Packet Analyzer

  • Jan Engman at Malware Maloney has a post explaining how a bug was identified in Jeff Bryner’s NBDServer, and how he fixed it. The updated version allows examiners to obtain a memory dump over a network when memory is greater than 4GB (previously this would cause the computer to blue screen). Jan’s pull request has also been accepted into the main build.

  • Matt Seyer explains his RustyPrefetch project. I’m interested in learning more about how he utilises ArangoDB to “create automated systems to look for known things”, and hopefully Matt will be sharing the examples he mentioned soon.
    Prefetch, Rust, Python, Big Data… DFIR

  • The Mobile Application Forensics team at Champlain College has provided an update on their progress analysing the Android/iOS Bumble app.
    Mobile App Analysis Part 4

  • Mila at Contagio shares a list of samples attributed to APT29 aka Fancy Bear
    Part II. APT29 Russian APT including Fancy Bear

  • Winston M at Cysinfo examines some spam that distributes a maldoc and during his examination identifies a brand new variant of the ‘Agent Tesla’ malware.
    “Agent Tesla” New Spyware Variant plucked from Hacker’s Arena !

  • There were a couple of posts on the Forcepoint blog
  • Chris Navarrete & Xiaopeng Zhang at Fortinet show how the maldoc they covered in a previous post utilises meterpreter for post exploitation. This requires the attacker to be running a metasploit server instance as “the reverse_https payload was used by the attacker for secure communication”.
    Microsoft Word File Spreads Malware Targeting Both Mac OS X and Windows (Part II)

  • There were a couple of posts on the Malwarebytes Labs blog
    • Pieter Arntz explains the terms “packer, crypter, and protector in the context of how they are used in malware”. Packers, most often used in malware, “are also known as “self-extracting archives””, and the executable is unpacked into memory. Crypters, “not only encrypt the file, but the crypter software offers the user many other options to make the hidden executable as hard to detect by security vendors as possible”. Lastly, “a protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting.”
      Explained: Packer, Crypter, and Protector
    • Hasherezade dissects a sample of the Sage ransomware
      Explained: Sage ransomware

  • Charles Crofford and Douglas McKee at McAfee Labs examine why the Nullsoft Scriptable Install System (NSIS) “delivery mechanism works, why it is used, and the challenges it poses to researchers attempting to investigate the malware.”
    Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

  • There were a couple of posts by NVISO Labs this week
  • There were a few posts on the Palo Alto Networks blog
    • Robert Falcone and Bryan Lee “determined that the actors conducting the Shamoon 2 attacks use one compromised system as a distribution point to deploy the destructive Disttrack Trojan to other systems on the targeted network, after which the Disttrack malware will seek to propagate itself even further into the network”. They examine the use of the “combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network”.
      Shamoon 2: Delivering Disttrack
    • Christopher Budd, also regarding Shamoon 2, covers the use of credential theft in the attacks.
      Threat Brief: Credential Theft – The Keystone of the Shamoon 2 Attacks
    • Brandon Levene, Dominik Reichel and Esmid Idrizovic examine some malspam that distributes the Dimnie malware
      Dimnie: Hiding in Plain Sight

  • Jen Miller-Osborn and Josh Grunzweig analyse the MoonWind RATs seen used in an attack against Thai organisations
    Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations

  • Xavier Mertens at the SANS Internet Storm Centre shares a “very small Javascript sample” containing “a trick to avoid the detection of the string ‘Shell.Application’ which [is] often searched [for] by automated tools”. He also shares a reminder of how the EncodedCommand parameter can be used in PowerShell.
    Diverting built-in features for the bad, (Thu, Mar 30th)

  • Artem at Security/malware blog analyses the EquationDrug rootkit.
    EquationDrug rootkit analysis (mstcp32.sys)

  • Matthew Dunwoody at FireEye explains how “APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.”
    APT29 Domain Fronting With TOR

  • Michael Mimoso at Threatpost comments on Matt Nelson’s “Fileless” UAC bypass using SDCLT.EXE, which if his previous UAC bypass is anything to go by, will be seen used by attackers in the wild soon.
    Fileless UAC Bypass Uses Windows Backup and Restore Utility

  • Gilbert Sison at TrendLabs Security Intelligence Blog examines a new version of Cerber that uses “a new technique to make itself harder to detect: it is now using a new loader that appears to be designed to evade detection by machine learning solutions”
    Cerber Starts Evading Machine Learning

  • Steven Adair at Volexity advises “that your alerts for a Gh0st RAT infection are likely false positives and the result of inbound scanning.”
    Have you been haunted by the Gh0st RAT today?
  • Bradley Schatz has announced that the AFF4 Standard Specification v1.0 document has been released. “The release of the AFF4 Standard coincides with the limited release of Evimetry Community Edition, a freely licensed subset of the AFF4 based forensic tool, and in the coming days, a C++ implementation and patches to the Sleuth Kit, and support for Volatility and Rekall.”
    AFF4 Standard v1.0 Released

  • Jim Hoerricks at Amped shows how a filter in their FIVE product can be used to identify important details of a dark photo
    Can you see in the dark?

  • The Blackbag Training Team have written a workaround for “Windows users trying to generate a BlackLight PDF report that contains Apple emoji characters.”
    BlackLight PDF Reports Containing Apple Emojis Workaround for Windows

  • Bart at Blaze’s Security Blog shared the results of his survey on “Red team / Pentest / Attacker methods & tools.”
    Popular attacker tools & techniques: survey results

  • Chris Sanders has announced a new training course, “Practical Packet Analysis”. The course is based on his book of the same name and is targeted at the beginner to intermediate level. “This course is only taught periodically and space is limited. Registration deadline is the 9th June, and the session begins June 12th.”
    Announcing the Practical Packet Analysis Online Course

  • The guys at the Extreme Coders Blog shared a couple of posts this week
    • They took a look at one of the challenges on EasyCTF regarding 67,085 PE files. “The task was to reverse engineer each of them and combine their solutions to get the flag”, and as a result, a Python script was written to complete the task.
      67,000 cuts with python-pefile
    • They also showed how to use HTTP tunnelling to attach a remote process to IDA for debugging.
      Remote debugging in IDA Pro by http tunnelling

  • Adam Bridge at Context had some trouble mounting an EWF image of a BitLocker-ed Windows volume. After some trial and error, and consulting the VBR layout, he found that by using Arsenal Image Mounter and a hex editor to modify the “Number of Hidden Sectors” field in the VBR, Windows would mount the volume.
    Making an NTFS Volume Mountable by Tinkering with the VBR
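The field Adam adjusted lives at a fixed offset in the NTFS boot sector (offset 0x1C, a 4-byte little-endian value), so the same check and patch can be scripted rather than done by hand in a hex editor. The following is an added example, not Adam Bridge’s or Context’s code: it builds a constructed NTFS VBR (sample data, not from a real disk), reads the Hidden Sectors field alongside the other geometry fields, and writes a corrected copy of the sector. The field layout used is the documented NTFS boot sector format; the helper names and the sample geometry values are assumptions made for the example.

```python
import struct

# Documented NTFS boot sector (VBR) field offsets, little-endian.
SECTOR_SIZE = 512
OEM_ID = b"NTFS    "
OFF_BYTES_PER_SECTOR = 0x0B   # 2 bytes
OFF_SECTORS_PER_CLUSTER = 0x0D  # 1 byte
OFF_HIDDEN_SECTORS = 0x1C     # 4 bytes: "Number of Hidden Sectors"
OFF_TOTAL_SECTORS = 0x28      # 8 bytes
OFF_MFT_CLUSTER = 0x30        # 8 bytes
OFF_BOOT_SIGNATURE = 0x1FE    # 2 bytes: 0x55 0xAA


def build_sample_vbr(hidden_sectors: int, total_sectors: int = 2097152) -> bytes:
    """Construct a minimal, structurally valid NTFS VBR for demonstration.

    This is constructed sample data (assumed geometry), not a sector from a
    real evidence image.
    """
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                       # jump instruction
    vbr[3:11] = OEM_ID                               # OEM ID "NTFS    "
    struct.pack_into("<H", vbr, OFF_BYTES_PER_SECTOR, 512)
    vbr[OFF_SECTORS_PER_CLUSTER] = 8
    vbr[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<H", vbr, 0x18, 63)            # sectors per track
    struct.pack_into("<H", vbr, 0x1A, 255)           # number of heads
    struct.pack_into("<I", vbr, OFF_HIDDEN_SECTORS, hidden_sectors)
    struct.pack_into("<Q", vbr, OFF_TOTAL_SECTORS, total_sectors)
    struct.pack_into("<Q", vbr, OFF_MFT_CLUSTER, 786432)  # $MFT start cluster
    struct.pack_into("<Q", vbr, 0x38, 2)             # $MFTMirr start cluster
    vbr[OFF_BOOT_SIGNATURE:OFF_BOOT_SIGNATURE + 2] = b"\x55\xAA"
    return bytes(vbr)


def parse_vbr(vbr: bytes) -> dict:
    """Validate the sector as an NTFS VBR and return the geometry fields."""
    if len(vbr) < SECTOR_SIZE:
        raise ValueError("sector too short to be an NTFS VBR")
    if vbr[3:11] != OEM_ID:
        raise ValueError("OEM ID is not 'NTFS    '")
    if vbr[OFF_BOOT_SIGNATURE:OFF_BOOT_SIGNATURE + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return {
        "bytes_per_sector": struct.unpack_from("<H", vbr, OFF_BYTES_PER_SECTOR)[0],
        "sectors_per_cluster": vbr[OFF_SECTORS_PER_CLUSTER],
        "hidden_sectors": struct.unpack_from("<I", vbr, OFF_HIDDEN_SECTORS)[0],
        "total_sectors": struct.unpack_from("<Q", vbr, OFF_TOTAL_SECTORS)[0],
        "mft_cluster": struct.unpack_from("<Q", vbr, OFF_MFT_CLUSTER)[0],
    }


def patch_hidden_sectors(vbr: bytes, new_hidden_sectors: int) -> bytes:
    """Return a copy of the VBR with only the Hidden Sectors field rewritten.

    The input is validated first so that a non-NTFS sector is never patched,
    and the original bytes object is left untouched: in practice this should
    only ever be applied to a working copy of the image, never the original.
    """
    parse_vbr(vbr)  # raises if this is not an NTFS boot sector
    if not 0 <= new_hidden_sectors <= 0xFFFFFFFF:
        raise ValueError("hidden sectors must fit in 32 bits")
    patched = bytearray(vbr)
    struct.pack_into("<I", patched, OFF_HIDDEN_SECTORS, new_hidden_sectors)
    return bytes(patched)


if __name__ == "__main__":
    # A volume that originally sat 2048 sectors into its disk, now presented
    # as a stand-alone volume image, so the field no longer matches reality.
    original = build_sample_vbr(hidden_sectors=2048)
    print("before:", parse_vbr(original))
    fixed = patch_hidden_sectors(original, 0)
    print("after: ", parse_vbr(fixed))
```

The value to write depends on where the volume actually sits on the device it is mounted from (0 when the volume image itself is presented as the whole device), which is why `parse_vbr` prints the surrounding geometry fields: comparing `hidden_sectors` against the mounted device’s layout is the check that tells you whether the field is the reason the mount fails.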

  • DFIR Guy at DFIR.Training gives his takeaways from Kevin Mitnick’s “The Art of Invisibility” – “the reassurance that no matter what a criminal does with computer technology, if you look long enough and have patience, you can catch them”. Unfortunately, the time is not always afforded, but we do what we can with the resources available.
    We catch the smart criminals too.

  • There were a few posts on the DME Forensics blog this week
    • Katie Mongi compares writeblockers and portable imaging devices. The minor issue with the post is that she states that writeblockers are capable of allowing users to write data – this is more the combo docks (which have both read-only and read-write modes). Writeblockers shouldn’t allow users to write data to the drive. I would also argue that creating a forensic image isn’t really a “highly-detailed process”; however, it has major implications if not done correctly – a writeblocker, whilst less functional, ensures that there’s a physical distinction between the source and target drives, and reduces the possibility of accidentally overwriting your evidence if you mix them up.
      Write Blocker vs Imaging Device
    • Jason Latham advises what to look for when hiring a digital forensic expert, primarily their “curriculum vitae and participation in the forensic community [professional organizations].”
      Not All that Glitters is Gold: What to Look For in a Forensic Expert
    • Tyler Schlecht has written about the new “Temporal Decompression” feature in DVR Examiner 2.0 (*take note of the post date*)
      DVR Examiner 2.0’s Best New Feature

  • Gabriele Zambelli at Forense nella Nebbia has shared a modified filter:type list for X-Ways.
    Customizing the filter type in X-Ways Forensics

  • Micro Systemation shared an article from February’s Digital Forensics Magazine by Joel Bollo (MSAB) and Ben LeMere (Berla) on the information that can be obtained from vehicle forensics.
    Vehicles solve crime

  • Jonathon Poling at Ponder The Bits expands on Int’l Man of Leisure’s posts on mounting LVMs. Instead of converting the image to RAW format, Jonathon uses QEMU.
    Quick(er) Mounting and Dismounting of LVM’s on Forensic Images

  • Bruce Schneier at Schneier on Security gives his thoughts on automation in incident response. “Automation has its place in incident response, but the focus needs to be on making the people effective, not on replacing them – security orchestration, not automation”. “From within an orchestration model, automation can be incredibly powerful. But it’s the human-centric orchestration model – the dashboards, the reports, the collaboration – that makes automation work. Otherwise, you’re blindly trusting the machine. And when an uncertain process is automated, the results can be dangerous.”
    Security Orchestration and Incident Response

  • Amanda Rousseau at Secured.org has shared her Reverse Engineering Malware 101 course
  • Eric Zimmerman has updated his AppCompatCacheParser to accommodate the tweak to the ShimCache format in the Windows 10 Creators Update. He has also advised Mandiant of the issue, and it appears that their tool should be updated shortly.
    Windows 10 Creators update vs shimcache parsers: Fight!!

  • Blackbag released Mobilyze 2017 R1. “Some of the improvements include support for Apple iOS 10.3 with encrypted backups, Android 7.1.1 Nougat, iOS 10 third party applications, such as Kik and WhatsApp, [and an] improved report generator”
    Mobilyze 2017 R1 is Now Available!

  • Elcomsoft have updated their Cloud Explorer tool to version 1.22. “The update fixes the issue with History download, re-enables the downloading of mp3 files related to Google’s Voice Search History, and renamed the “Service” column to “Application” in Voice Search History.”
    Elcomsoft Cloud Explorer 1.22 Fixes History and Voice Search History Access

  • Guidance Software released updates to Encase 8.04, and Encase 7.16, however, I wasn’t able to get the release notes off their portal.

  • Katana Forensics released Lantern v4.6.8, improving support for Android 6 and 7 Devices

  • MISP 2.4.70 was released “including new features, improvements and important bug fixes.”
    MISP 2.4.70 released

  • Paraben Corporation have released E3: Universal Aurora Edition 1.2 with a variety of new features and stability improvements.
    E3 1.2 is now available!

  • Paul Sanderson updated Forensic Browser for SQLite to version 3.2.4, fixing a variety of bugs.
    New release 3.2.4

  • TZWorks released a package update, improving both their LNK and USNJournal parsers, as well as bug fixes for their ‘dup’ tool.
    Mar 2017 build (package)

  • X-Ways Forensics 19.1 SR-7 was released, fixing a variety of bugs.
    X-Ways Forensics 19.1 SR-7

  • X-Ways Forensics 19.2 was officially released (and then updated to SR-0) with additional improvements.
    X-Ways Forensics 19.2 SR-0

  • The Innovation and Custom Engineering (ICE) Applied Research Team at FireEye have released Monitor.app, “a simple GUI application for monitoring common system events on a macOS host”.
    Introducing Monitor.app for macOS

And that’s all for Week 13! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
