If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- James Habben at 4n6ir has updated his CCM_RecentlyUsedApps record structure EnScript carver to support Unicode characters.
CCM_RecentlyUsedApps Update on Unicode Strings
- The Blackbag Training Team share an introduction to the Windows Registry.
Windows Registry Demystified – Part One
- The guys at Cyber Forensicator shared a number of articles this week
- They shared an article by Usama Salama “about Internet of Things (IoT) forensics”
Smart Forensics for the Internet of Things (IoT)
- They shared an article from DFRWS 2017 Europe by Dario Lanterna and Antonio Barili named “Forensic Analysis of Deduplicated File Systems”
Forensic Analysis of Deduplicated File Systems
- They shared an article from the International Journal of Engineering and Science by Naing Linn Htun and Mie Mie Su Thwin named “Proposed Workable Process Flow with Analysis Framework for Android Forensics in Cyber-Crime Investigation”
Proposed Workable Process Flow with Analysis Framework for Android Forensics in Cyber-Crime Investigation
- They shared an article from DFRWS 2015 Europe by A. Boztas, A.R.J. Riethoven, and M. Roeloffs named “Smart TV forensics: Digital traces on televisions”
Smart TV Forensics: Digital Traces on Televisions
- They shared a whitepaper by Jim Olmstead at Foundstone Services on the 10 ways to prepare for incident response
Ten Ways to Prepare for Incident Response
- They shared an upcoming book by Thomas Holt, Adam Bossler and Kathryn Seigfried-Spellar called ‘Cybercrime and Digital Forensics: An Introduction 2nd Edition’, due to be released November 2017.
Cybercrime and Digital Forensics: An Introduction (Second Edition)
- Samuel Alonso at Cyber IR continues his series on “Memory Forensics with Vshot and Remnux”, this time covering code injection.
Memory Forensics with Vshot and Remnux (code injection, 4)
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp look at the “process of creating a forensic image of a hard drive” using Belkasoft’s imaging tool.
How to Make the Forensic Image of the Hard Drive
- Jimmy Schroering at DME Forensics discusses the considerations when choosing the method of shutting down a DVR system. As with computers, pulling the plug may result in data corruption, but shutting down the system may invoke processes that destroy data.
Surveillance DVRs – Shut down or pull the plug?
- Magnet Forensics have released their whitepaper on Android Marshmallow, titled “Demystifying Android Marshmallow Forensic Analysis”.
Demystifying Android Marshmallow Forensic Analysis
- Ryan McGeehan has uploaded a document to GitHub regarding securing and investigating an incident relating to Vault.
Check out @Magoo’s Tweet
- The Application Analysis team at Champlain College have continued their research into the Slack and Dropbox desktop apps.
Application Analysis: A Closer Look At Business Apps
- The Bluetooth team detail their progress of capturing the GATTs from a “Schlage Smart Sense Lock using btlejuice”. “Generic Attribute Profile (GATT) is the necessary profile that is used to send data between Bluetooth devices”.
Bluetooth Security Forensics 5.0
THREAT INTELLIGENCE/HUNTING
- Irfan Shakeel at AlienVault shares his tips for preparing an effective threat intelligence team. These tips include “establish an intelligence priorities framework, incorporate and consolidate intelligence sources, mapping intelligence collection, specialized threat intelligence experts, [and] adapting finished products to the audience”.
How to Prepare an Effective Threat Intelligence Team
PRESENTATIONS/PODCASTS
- A number of presentations from the Art Into Science: A Conference for Defense conference were uploaded to YouTube. This included both a General playlist, and the Ops Track, Day 1.
- Adrian Crenshaw uploaded a number of presentations from the Appalachian Institute of Digital Evidence (AIDE) 2017 conference.
AIDE 2017
- “Carbon Black’s Rick McElroy teams up with Joe Moles from Red Canary to talk about how to automate threat hunting and build it into your security operations.”
VIDEO: How to Build Threat Hunting into Your Security Operations
- On this week’s Forensic Lunch, Dave, Matthew, and Nicole hosted Ashley Hernandez from Guidance Software, and Lee Whitfield. Ashley talked about the upcoming Enfuse conference and Forensic Lunch viewers can use the code ForLunch for $200 off. Lee then ran through the nominees for the upcoming Forensic 4Cast Awards. Lastly, Nicole gave a presentation on Event Trace Logs. Nicole has produced a tool to parse the ETL files; however, she hasn’t released it yet.
Forensic Lunch 4/7/17
- Hasherezade has posted another example of “unpacking [the] Cerber ransomware and dumping the configuration”.
Unpacking Cerber ransomware (example #3)
- Magnet Forensics shared a couple of webinars this week. They shared Methods for Parsing New Applications by Jessica Hyde. They also shared Jamie McQuaid’s webinar on imaging devices using Magnet Acquire 2.0.
- On this week’s Digital Forensics Survival Podcast, Michael covers thumbcache found on Windows systems.
DFSP # 059 – Thumbcache Forensics
- Eric Zimmerman ran a SANS Webinar during the week on “his new Cheat Sheet to help you maximize the capabilities of his tools.”
NEW SANS DFIR Cheat Sheet: A Guide to Eric Zimmerman’s command line tools
MALWARE
- Adrian Nish and Tom Rowles at the BAE Systems Threat Research blog share their research into Operation Cloud Hopper, the campaign linked to APT10.
APT10 – Operation Cloud Hopper
- Eric Merritt at Carbon Black examines “a compiled AutoIT script that pretends to be an installer for Photoshop CS6 portable.” This post walks through “the techniques used by this malware to increase the difficulty of discovering the final payload and the methods used to maintain persistence on the system, [and looks at] the tools, tactics, and techniques for reverse engineering this type of AutoIT script.”
Latest Malware Uses Compiled AutoIT Script to Masquerade As Photoshop CS6 Installer
- Amanda Rousseau at Endgame provides some background to the REM-101 workshop that she shared last week.
Reverse Engineering Malware 101 Workshop
- Roland Dela Paz at Forcepoint analyses a maldoc that distributes a variant of the Philadelphia ransomware.
Off-the-shelf Ransomware Used to Target the Healthcare Sector
- There were a few posts by Fortinet this week
- Kai Lu presents “a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed”
How to repair a DEX file, in which some key methods are erased with NOPs
- Jasper Manuel and Artem Semenchenko analyse a sample of malware dubbed BADNEWS, “which is actively being used in the MONSOON APT campaign”. The first post looks at the backdoor, and the second attempts to attribute the sample.
- Shusei Tomonaga at JPCERT/CC introduces details of the RedLeaves malware and the results of their “analysis including its relation to PlugX, and a tool which is used as the base of this malware”
RedLeaves – Malware Based on Open Source RAT
- Hasherezade at Malwarebytes continues her analysis of “a Diamond Fox bot delivered by the Nebula Exploit Kit”. This post takes a “deeper look into the code and analyze the bot’s features and code design.”
Diamond Fox – part 2: let’s dive in the code
- Andy at Malware Soup shares some “observations on detecting malicious Microsoft Office documents using Sysmon”. The first post covers detecting “documents leveraging malicious macros to launch a command shell – either cmd.exe or PowerShell” and “documents with malicious scripts embedded as objects”. The second post covers detecting “documents that use malicious macros – or possibly leveraging an exploited vulnerability – to execute shellcode”.
- Michel Coene at NVISO Labs examines the internal metadata of the LNK file that was extracted in a previous post. Michel also shared this video created by “Didier Stevens … on how to extract the .LNK file from the Word document and analyze it with lnkanalyzer.exe”
Tracking threat actors through .LNK files
- There were a few posts on the Palo Alto Networks blog this week
- Tomer Bar and Tom Lancaster have shared the “joint research between Unit 42 and Eyal Sela [at] ClearSky Cyber Security”. This research looks at two new Windows malware families named “KASPERAGENT and MICROPSIA” and “two families of Google Android malware … SECUREUPDATE and VAMP”.
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
- Claud Xiao, Cong Zheng and Yanhui Jia examine the Amnesia botnet, which is “a new variant of the IoT/Linux botnet ‘Tsunami’”.
New IoT/Linux Malware Targets DVRs, Forms Botnet
- Anthony Kasza and Micah Yates analyse a maldoc “with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta.” They were then able to expand their analysis by analysing other maldocs from the same attackers.
The Blockbuster Sequel
- The guys at Securelist compile information about the Lazarus group and its effect on the financial industry.
Lazarus Under The Hood
- Amanda Lemmers at Cisco explains the benefits of using NetFlow and packet capture data in concert. This “allows investigators to be quicker, more agile, and more responsive to threat activity.”
Harnessing the Power of NetFlow and Packet Analysis
- Warren Mercer and Paul Rascagneres at Cisco’s Talos blog analyse the attack chain used to distribute the ROKRAT malware.
Introducing ROKRAT
- Melissa at Sketchymoose’s Blog shows how to edit a maldoc that has locked the macros behind a password. It turns out that modifying one specific character with a hex editor turns off the password requirement.
Dealing with Macros: Step One – Password Workaround!
- The guys at Threat Geek share an article by Fidelis Cybersecurity on a campaign that is most probably run by the APT10 (aka Stone Panda) threat actors. The campaign distributes the “reconnaissance malware known as the ‘Scanbox’ framework”.
Operation TradeSecret: Cyber Espionage at the Heart of Global Trade
- There were a couple of posts on FireEye’s Threat Research blog this week
- Matthew Dunwoody shares details of a backdoor that they have named POSHSPY used by APT 29. “POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI)”
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
- The FireEye iSIGHT Intelligence team provides their take on the APT10 campaign, including an overview of the tools utilised and other observations of the threat actors’ actions.
APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
MISCELLANEOUS
- Richard Hickman at Decipher Forensics discusses metadata, including whether it’s discoverable and whether parties have a duty to preserve it.
Data on Data on Data
- JJ at DFIR IT shared a walkthrough for TekDefense’s Network Challenge.
TekDefense Network Challenge 001 – Walkthrough
- DFIR Guy at DFIR.Training shares his votes for the 4cast Awards. Unfortunately DFIR.Training didn’t get nominated for an award, despite its impressive visit count. And my site appears to have taken the vote for Blog of the Year so I can say I’ve at least got 1 vote. Thanks!
Forensic 4:cast Awards
- Oleg Afonin at Elcomsoft looks into the timeframe to expect when attempting password recovery. Oleg covers the various file formats that can be bypassed and methods that can be used to obtain a password. He also explains the major factors that should be taken into consideration when cracking a password.
How Long Does It Take to Crack Your Password?
- Cindy Murphy at Gillware Digital Forensics provides some tips for “preventing and recovering from ransomware”.
Rename Your Roses: Tips for Preventing and Recovering from Ransomware
- Mark McKinnon has released an Autopsy plugin to allow Autopsy to submit files to Cuckoo.
I’m Cuckoo For Autopsy
- Yulia Samoteykina at Atola Technology illustrates how the Insight is able to image a drive with a “large number of errors”.
Screenshot Analysis: Imaging a Freezing Drive
- Patrick J. Siewert at Pro Digital Forensic Consulting shares the retention periods of call detail records by the major US carriers.
Cellular Provider Record Retention Periods
- Mary Ellen at What’s A Mennonite Doing In Manhattan?! has given her elevator pitch for voting for About DFIR for the Forensic 4Cast Award of “Organization of the Year”.
The Little Engine That Could?
SOFTWARE UPDATES/RELEASES
- AccessData have updated FTK and AD Lab to version 6.2 with a host of new additions, improvements, and bug fixes.
- Cyber Triage have released Cyber Triage Lite, and this post shows the differences between the Lite and full versions, as well as a comparison with Sysinternals tools.
Get Free Endpoint Visibility
- DVR Examiner version 1.31.0 has just been released, adding support for the Mirage_HiSi and UWARE_264 filesystems, “adjusted scanning for the FE family (including DHFS_41, DHPT, zlav, HUAYI, WFS, etc) to work around corrupted index entries, [and] updating API access for downloading native players and updating the license database”.
- Phil Harvey updated ExifTool to version 10.48 (development release), adding new tags and values.
ExifTool 10.48
- Matt Shannon at F-Response has announced the release of F-Response v7 (version 7.0.1.101). The tool is currently in Beta and is “initially only … available for F-Response Field Kit, Consultant, Consultant+Covert, and Enterprise customers.”
Better late than never, F-Response v7
- GetData have updated Forensic Explorer to v3.9.8.6414, improving bookmarking speed, adding the partition into the export file path when exporting files, as well as other minor updates.
5 Apr 2017 – v3.9.8.6414
- Guidance Software have announced an update to Tableau Password Recovery, now at version 1.3. The update adds “full support for TrueCrypt files.”
Guidance Software And Passware Announce Enhanced Password Recovery Solutions
- Micro Systemation have updated XAMN Spotlight to version 2.0, and XRY to version v7.3. The update to XRY adds support for new devices, apps, and operating system versions, as well as “Better location data reporting, [and an] Android Chip-off profile”.
- Sanderson Forensics released version 3.2.5 of the Forensic Browser for SQLite, fixing a couple of bugs.
New release 3.2.5
- There was a bit of movement at Evimetry this week with the release of the v3.0.0-RC5 release candidate and the free Community Edition. The release candidate fixed a variety of bugs, and added new features including “Remote physical memory acquisition for Windows, MacOS and Linux”, “Improved speed on striped images”, and updated AFF4 support. “With the Community Licenced Evimetry Controller, you can create Linear AFF4 Images on your Windows based analysis system, verify the integrity of AFF4 images, and convert between AFF4, E01/EWF and Raw images. You can also mount AFF4 images as virtual disks and analyse with your preferred forensic tools”. In my opinion, offering the free tool is an absolute must have if the community is to adopt the AFF4 standard.
- Bradley Schatz at Schatz Forensics/Evimetry has announced the availability of “both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images”.
Sleuth Kit support for the AFF4 Standard v1.0 Released
- Sumuri have released a new Mac imaging tool, which allows examiners to “image all Intel® Based Macs, including the 2016 MacBook Pro with Touch Bar, [and] supports Apple FileVault, Fusion and Core Storage volumes”.
Recon Imager
- X-Ways Forensics 19.2 SR-1 was released with a few bug fixes, as well as support for “metadata extraction from certain irregular DOCX files” and “improved internal handling of FlexFilters”.
X-Ways Forensics 19.2 SR-1
UPCOMING WEBINARS
- And in self-promotion news, I submitted a talk to the SANS DFIR Summit and unfortunately was rejected; however, they offered to let me present my talk as a webcast instead. The talk I submitted concerned parsing the URLs that Google generates when performing searches. I’ve found a few interesting artefacts with regards to timestamps and user activity. The talk will be at 11 AM EST/3 PM GMT on the 11th May (and lucky me, 1 AM AEST on the 12th). You can register at the link below.
www.google.com/search?q=what+does+this+all+mean?
And that’s all for Week 14! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!