If you’d like to vote for this site as the Forensic 4:cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- The Blackbag Training Team show how Blacklight can be used to examine the Windows Registry
Windows Registry Demystified – Part Two
- Joanna Shemesh at Cellebrite explains how to utilise the Advanced ADB method in Cellebrite’s latest update to their UFED platform.
Access Evidence From 95%+ Of Android Devices Fast
- The guys at Cyber Forensicator shared a number of articles this week
  - They shared an article from the January 2015 edition of the International Journal of Scientific & Engineering Research by Jithin S, Satheesh Kumar S, and Jinu Kumar S V on “A Novel Method for Windows Phone Forensics”
  A Novel Method for Windows Phone Forensics
  - They shared a link to “Packet-o-matic NG or pom-ng [which] is a real time network forensic tool.”
  pom-ng: a real time network forensic tool
  - They shared a paper by M A Hannan Bin Azhar and Thomas Edward Allen Barton from Canterbury Christ Church University named “Forensic Analysis of Secure Ephemeral Messaging Applications on Android Platforms”
  Forensic Analysis of Secure Ephemeral Messaging Applications on Android Platforms
  - They linked to yarox24’s evtkit Python script, “which can help a computer forensic examiner to fix acquired Windows Event Log files”
  Fix acquired EVT files with evtkit
  - They shared a paper by Saed Alrabaee, Paria Shirani, Mourad Debbabi, and Lingyu Wang from Concordia University, “On the feasibility of malware authorship attribution”
  On the Feasibility of Malware Authorship Attribution
  - They shared a paper by Nhien-An Le-Khac, Mark Roeloffs, and M-Tahar Kechadi at University College Dublin titled “Forensic analysis of TomTom navigation application”
  Forensic Analysis of TomTom Navigation Application
  - They shared “Vladimir Katalov’s … presentation from HITB Security Conference 2017 about iCloud syncing and two-factor authentication”
  iCloud syncing and 2FA: friend or foe?
  - They have also created a Telegram group to make it easier to get in touch with them.
  Join our Telegram DFIR group!
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp looked at the various methods of data extraction from an iOS device and then showed how to perform an acquisition using Belkasoft Imager.
Acquisition and Forensic Analysis of Apple Devices
- Magnet Forensics have added a new artefact profile for Google Chrome.
New Google Chrome Artifact Profile Added for Assistance in Digital Forensics
- Magnet Forensics have also started their campaign for your vote in the three categories of the 4:cast awards they’ve been nominated for. “We’ve got a lot of exciting news that we’ll be posting over the next few weeks, which we think will showcase our leadership and innovation in smartphone and computer forensics—and our commitment to being your Digital Forensics Organization of the Year!”
Forensic 4:cast Awards: Help Magnet Forensics Win 3!
- Zac Brown at Microsoft’s Office 365 Security team has a post on intrusion detection using Event Tracing for Windows (ETW) and Microsoft Message Analyzer
Hidden Treasure: Intrusion Detection with ETW (Part 1)
- Erik Iker at Cisco shares a case study of lateral movement using the PAExec tool. After testing the executable, the team “was able to conclude the direction and time of lateral movement by the attacker despite a lack of event logs from the machines, or any aggregated logging for network visibility.”
Lateral Movement “Whack-a-Mole”
- The Mobile App Forensics team at Champlain College present some of their findings since their last post. The “iOS team … showcase their findings for The Weather Channel app, and the Android team … showcase their findings so far for Facebook Lite, and Messenger Lite.”
Mobile App Analysis Part 5
- Deep Shankar Yadav at ‘The Supreme Perception’ has a post on using Docker containers for DFIR
Digital Forensics and Incident Response (DFIR) using Docker
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab shows you “what the attack [lateral movement after compromising NT LAN Manager (NTLM) password hashes by leveraging PsExec-style techniques] looks like from a hunter’s perspective”. Roberto has also started to compile his findings into the ThreatHunter-Playbook, a project to “share knowledge and aid the development of techniques and hypothesis for hunting campaigns.”
Chronicles of a Threat Hunter: Hunting for Remotely Executed Code via Services & Lateral Movement with Sysmon, Win Event Logs, and ELK
- Matthew Green has a post on LinkedIn regarding WMI “and in particular an interesting use case for potential use in older environments with Process Monitoring gaps”.
Blue team Hacks – WMI Eventing
- Michael Haag and Jarrett Polcari have combined their “two Splunk Apps to make a single great Splunk App for Sysmon”.
Sysmon Splunk App
- Jacob Baines at Tenable discusses a couple of scenarios in which their newly released YARA plugins, YARA Memory Scan (Linux) and YARA File Scan (Linux) (Solaris), will be useful.
Hunting Linux Malware with YARA
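Roberto’s PsExec-style hunt, and the PAExec case Erik Iker describes in the Forensic Analysis section above, both rest on the same two telemetry sources: a System log Event ID 7045 (a service was installed) and a Sysmon Event ID 1 for the child process that services.exe then starts. The Python below is an added example written for this roundup, not code from the Cyber Wardog Lab post, the ThreatHunter-Playbook or Cisco. The record shape and field names (host, service_name, image_path, parent_image and so on) are an assumption modelled loosely on what Winlogbeat ships into ELK, and the sample records are constructed, not real telemetry. It flags service installs whose name is a known remote-execution service, whose binary is launched from ADMIN$/C$ or a temp or profile path, or whose ImagePath is a shell one-liner (the Metasploit/Impacket variant), flags children of services.exe that run outside System32/Program Files or are themselves a shell, and then correlates the two on the same host within a short window.

```python
"""Hunt PsExec-style remote service execution in Windows event records.

Added example for this roundup, not code from the Cyber Wardog Lab post,
the ThreatHunter-Playbook or Cisco. The event shape (field names) is an
assumption modelled on what Winlogbeat ships to ELK; adapt to your pipeline.
"""
import re
from datetime import datetime, timedelta

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Default service names registered by PsExec and its clones (well-known defaults).
KNOWN_REMOTE_SVC = re.compile(r"^(psexesvc|paexec(-\d+-\S+)?|csexecsvc|remcom(svc)?|winexesvc)$", re.I)
# Places a legitimate service binary should not normally be launched from.
SUSPECT_PATH = re.compile(r"\\(admin\$|c\$|windows\\temp|users\\[^\\]+\\appdata|programdata)\\", re.I)
# An ImagePath that is really a shell one-liner (Metasploit psexec / Impacket style).
SHELL_LAUNCH = re.compile(r"((cmd(\.exe)?|%comspec%)\s+/[cq]|powershell(\.exe)?\s+-(e|enc|nop|w))", re.I)


def classify_service_install(evt):
    """System EID 7045 (service installed): reasons it looks like remote execution."""
    if evt.get("channel") != "System" or evt.get("event_id") != 7045:
        return []
    name, path = evt["service_name"], evt["image_path"]
    reasons = []
    if KNOWN_REMOTE_SVC.match(name):
        reasons.append(f"known remote-exec service name {name}")
    if SUSPECT_PATH.search(path):
        reasons.append(f"service binary launched from suspect location: {path}")
    if SHELL_LAUNCH.search(path):
        reasons.append("service ImagePath is a shell command")
    return reasons


def classify_sysmon_proc(evt):
    """Sysmon EID 1 (process create): reasons a child of services.exe looks wrong."""
    if evt.get("channel") != SYSMON or evt.get("event_id") != 1:
        return []
    if not evt["parent_image"].lower().endswith("\\services.exe"):
        return []
    image = evt["image"].lower()
    reasons = []
    if not image.startswith(("c:\\windows\\system32\\", "c:\\program files")):
        reasons.append(f"services.exe spawned {evt['image']} outside System32/Program Files")
    if image.endswith(("\\cmd.exe", "\\powershell.exe")) or SHELL_LAUNCH.search(evt.get("command_line", "")):
        reasons.append("services.exe spawned a shell")
    return reasons


def hunt(events, window=timedelta(seconds=30)):
    """Return (hits, pairs): every flagged event, plus 7045/Sysmon-1 pairs on one host within `window`."""
    hits = []
    for e in events:
        reasons = classify_service_install(e) + classify_sysmon_proc(e)
        if reasons:
            hits.append({"host": e["host"], "time": e["time"], "event_id": e["event_id"], "reasons": reasons})
    installs = [h for h in hits if h["event_id"] == 7045]
    procs = [h for h in hits if h["event_id"] == 1]
    pairs = [(i, p) for i in installs for p in procs
             if p["host"] == i["host"] and 0 <= (p["time"] - i["time"]).total_seconds() <= window.total_seconds()]
    return hits, pairs


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # benign: a service pointing at svchost in System32
    {"host": "WS01", "time": _t("2017-04-10T09:00:00"), "channel": "System", "event_id": 7045,
     "service_name": "BenignSvc", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # PsExec: binary copied to ADMIN$ and registered as PSEXESVC, then started by services.exe
    {"host": "WS02", "time": _t("2017-04-10T09:05:00"), "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"\\WS02\ADMIN$\PSEXESVC.exe"},
    {"host": "WS02", "time": _t("2017-04-10T09:05:02"), "channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\PSEXESVC.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\PSEXESVC.exe"},
    # Metasploit/Impacket style: random service name whose ImagePath is a cmd.exe one-liner
    {"host": "WS03", "time": _t("2017-04-10T09:10:00"), "channel": "System", "event_id": 7045,
     "service_name": "hQzKpLmN", "image_path": r"%COMSPEC% /c echo payload > \\127.0.0.1\ADMIN$\x.bat"},
    {"host": "WS03", "time": _t("2017-04-10T09:10:01"), "channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"cmd.exe /c echo payload > \\127.0.0.1\ADMIN$\x.bat"},
]

if __name__ == "__main__":
    hits, pairs = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["event_id"], "; ".join(h["reasons"]))
    print(f"{len(pairs)} correlated install->process pair(s)")
```

In ELK the same logic is two saved searches (event_id:7045 on the System channel, and Sysmon event_id:1 with ParentImage ending in services.exe) and the correlation step is what turns two noisy lists into a short one; the PAExec case is covered because PAExec registers a service named PAExec-<pid>-<host> and drops its binary in ADMIN$, so both the name and the path rules fire.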
UPCOMING WEBINARS
- The submission deadline for the 10th International Workshop on Digital Forensics (WSDF 2017) has been extended to May 1st 2017. The workshop is being held in Reggio Calabria, Italy, August 29 – September 2, 2017.
PRESENTATIONS/PODCASTS
- Chris Sanders has posted the second episode of the Source Code podcast, interviewing Doug Burks, “the creator of the Security Onion Linux distribution”
Source Code S1: Episode 2 – Doug Burks
- Douglas Brush spoke with Magnet’s Jad Saliba on Cyber Security Interviews. They discussed Jad’s career history – turning his computer science and law enforcement background into a company that produces highly regarded computer forensics software – as well as the “Operation Underground Railroad sting, being a police officer vs. running a business, the most important skill an investigator needs, his favorite tool outside of his, cloud forensics, and so much more.”
#020 – Jad Saliba: The Thirst For Knowledge
- Joshua I. James at Cybercrime Technologies shows how to use “tesseract-ocr to extract text from images in English and Korean.”
Using Tesseract-OCR to extract text from images
- Hasherezade posted two videos to YouTube this week
  - She shares a demo of her new tool imports_unerase, which can be used “to recover erased imports”
  Demo: imports_unerase – tool to recover erased imports
  - She also demonstrates a possible malware persistence method – “Hijacking extensions registered for the current user”
  DEMO: extension hijacker
- The guys at LOG-MD have posted a video showing how to use LOG-MD Professional to identify malware artefacts after an infection
Infection and Malware Discovery using LOG-MD Professional – no audio
- Karsten Hahn unpacks a “Dridex sample that uses process hollowing for memory execution.”
Malware Analysis – Process Hollowing
- Lee Reiber has posted another Mobile Forensic Minute, this time focusing on a couple of Android log files that can be used to identify wireless networks the phone has been connected to, as well as whether the phone has been reset.
Mobile Forensic Minute 112
- Didier Stevens presents a day in the life of a malware analyst at SecAppDev 2017
A day in the life of a malware analyst – Didier Stevens
- The guys at OA Labs have posted a video walk-through of “the process of locating, reverse engineering, and replicating a domain generation algorithm (DGA)”
Open Analysis Live: Reverse Engineering a DGA (Domain Generation Algorithm)
- On this week’s Digital Forensics Survival Podcast, Michael talks about the Edge browser on Windows 10
DFSP # 060 – Browsing on the Edge
- Melissa at Sketchymoose shares a video showing how to bypass password-protected macros
Malicious Document : Macro Password Removal
- Steve Whalen at Sumuri walks through the features of, and provides an overview of, their latest product, Recon Imager.
RECON IMAGER | Product Overview
- Jack Crook was unable to present at the upcoming x33fcon and SANS Threat Hunting Summit due to health issues. He has shared the slides for his presentation, “Billions and Billions of Logs”, on Twitter. Wishing Jack a speedy recovery.
Check Out @Jackcr’s Tweet
MALWARE
- The Check Point Threat Intelligence Research Team has released their Top 10 ‘Most Wanted’ Malware and top 3 ‘Most Wanted’ mobile malware for March 2017.
March’s ‘Most Wanted’ Malware List: Exploit Kits Rise Again in Popularity
- Alexander Sevtsov and Clemens Kolbitsch at Lastline continue their series on overt malware. This post looks into how ransomware works, particularly the file encryption employed and how ransomware prevents file recovery.
Ransomware: Too Overt to Hide
- Adam McNeil at Malwarebytes Labs examines some malspam that distributes three different malware families: Nymaim, Kovter, and Boaxxe.
USPS-themed malspam now delivering 1-2-3 knock-out
- Didier Stevens at NVISO Labs analyses an RTF document that utilises CVE-2017-0199, and provides a YARA rule for its detection.
Analysis of a CVE-2017-0199 Malicious RTF Document
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens shared a report by an ISC reader on how he was able to use Didier’s tools to garner some information on “how often our users made use of a shared string when constructing their passwords, and also how ‘secure’ our users passwords actually are.”
  Password History: Insights Shared by a Reader, (Mon, Apr 10th)
  - Rob VandenBrink shows how to use Microsoft Message Analyzer, the successor to Network Monitor (NETMON), to filter packet captures by process.
  Packet Captures Filtered by Process, (Thu, Apr 13th)
- There were a couple of posts on Securelist
  - Kaspersky Lab’s Global Research & Analysis Team provide an overview of the Longhorn threat actor, whom they refer to as “The Lamberts”
  Unraveling the Lamberts Toolkit
  - Suguru Ishimaru examines the Wali dropper from the XXMM malware toolkit. Interestingly, the file is larger than 100 MB, which may allow it to “stay below the radar of incident responders and forensic analysts who use YARA rules to scan harddrives.”
  Old Malware Tricks To Bypass Detection in the Age of Big Data
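The Wali observation is worth seeing concretely: if a rule carries a `filesize < 10MB` style condition, or the sweep script skips large files to save time, a dropper that inflates itself past the cap is never examined at all. The Python below is an added example for this roundup, not Kaspersky’s code or their YARA rule. It stands in for a real rule with a single constructed marker string so it runs without dependencies, and it builds its own small and padded samples in a temporary directory (the padding sizes are chosen small enough to run quickly; the real sample is over 100 MB). `scan_capped` is the weak pattern; `scan_streaming` reads in bounded chunks with an overlap of one byte less than the pattern, so a match straddling a chunk boundary is still found and memory stays bounded without any file ever being skipped.

```python
"""Why a size cap in a scan misses an inflated dropper, and a scan that does not.

Added example for this roundup, not Kaspersky's code or rule. A single constructed
marker string stands in for the rule's strings; the samples are built here.
"""
import os
import tempfile

MARKER = b"XXMM_CONSTRUCTED_MARKER"  # stands in for the strings a real rule would carry


def scan_capped(path, max_size):
    """Weak pattern: read the whole file, but silently skip anything over max_size.

    Returns True/False for a scanned file and None when the file was skipped."""
    if os.path.getsize(path) > max_size:
        return None
    with open(path, "rb") as f:
        return MARKER in f.read()


def scan_streaming(path, chunk=1 << 20):
    """Read in fixed-size chunks, keeping the last len(MARKER)-1 bytes of the previous
    chunk so a match that straddles a boundary is not lost. No size limit is needed."""
    overlap = len(MARKER) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            if MARKER in tail + block:
                return True
            tail = block[-overlap:]


def make_samples(tmpdir, pad_bytes=3 * (1 << 20)):
    """Constructed fixtures: a plain dropper, and the same dropper padded with junk."""
    small = os.path.join(tmpdir, "small.exe")
    padded = os.path.join(tmpdir, "padded.exe")
    body = b"MZ" + b"\0" * 100 + MARKER
    with open(small, "wb") as f:
        f.write(body + b"\0" * 100)
    with open(padded, "wb") as f:
        f.write(body)
        f.write(b"\0" * pad_bytes)  # the inflate-past-the-cap trick
    return small, padded


def demo(max_size=2 * (1 << 20)):
    """Run both scanners over both samples; returns a nested dict of results."""
    with tempfile.TemporaryDirectory() as d:
        small, padded = make_samples(d)
        return {
            "capped": {"small": scan_capped(small, max_size), "padded": scan_capped(padded, max_size)},
            "streaming": {"small": scan_streaming(small), "padded": scan_streaming(padded)},
        }


def boundary_check(chunk=64):
    """Regression for the overlap logic: the marker starts 5 bytes before a chunk boundary."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "straddle.bin")
        with open(p, "wb") as f:
            f.write(b"A" * (chunk - 5) + MARKER + b"B" * 10)
        return scan_streaming(p, chunk=chunk)


if __name__ == "__main__":
    print(demo())
    print("boundary match:", boundary_check())
```

The capped scanner returns None for the padded sample, which is the quiet failure the Securelist post describes: nothing errors, the file simply never goes through the rule. Whether your harness is yara, yara-python or a home-grown sweep, check for a size filter before trusting a clean result on a large file.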
- Maksim Shudrak and Limor Kessem at IBM’s Security Intelligence blog examine the EmbusteBot malware
Brazilian Malware Never Sleeps: Meet EmbusteBot
- Artem at Artem On Security has analysed the Stuxnet drivers, which, the author explains, various vendors had mentioned but had not provided technical information on.
Stuxnet drivers: detailed analysis
- Symantec Security Response have provided some information about the Longhorn group, who have been using the “spying tools and operational protocols detailed in the recent Vault 7 leak”.
Longhorn: Tools used by cyberespionage group linked to Vault 7
- The students at Champlain College have shared their dynamic and static analysis of the DarkComet RAT and Hicurdismos malware.
Malware Analysis Blog 3
- There were a couple of posts on FireEye’s blogs regarding the CVE-2017-0199 exploit.
  - Genwei Jiang, Rahul Mohandas, Jonathan Leathery, Alex Berry, and Lennard Galang examine two malicious documents that utilise the CVE-2017-0199 exploit.
  CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
  - Ben Read and Jonathan Leathery “discuss some of the campaigns … observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released”.
  CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
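Didier’s NVISO analysis and the FireEye posts above describe the same document structure: an RTF with an embedded OLE object (`\objautlink`, usually with `\objupdate` so Word refreshes the link on open) whose hex-encoded `\objdata` carries an URL moniker pointing at an http(s) location, which the HTA handler then executes. The Python below is an added example for this roundup, not Didier’s YARA rule or rtfdump.py and not FireEye code. It decodes each `\objdata` group, looks for the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it is serialised little-endian inside an OLE stream, and pulls out the UTF-16LE URL that follows it. The sample document is constructed by `build_sample_rtf` and holds no exploit; it places the moniker directly in the OLE1 native data where a real sample carries a whole OLE2 compound file, so the search is the same and only the fixture is simplified. The `\objdata` parser stops at the first closing brace and ignores non-hex characters, which is enough for clean samples; obfuscated ones nest control words inside the hex run and need rtfdump.py.

```python
"""Spot the CVE-2017-0199 document pattern: an RTF whose embedded OLE object carries
an URL moniker to an http(s) target.

Added example for this roundup, not Didier Stevens' YARA rule or rtfdump.py, nor
FireEye code. {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} is the documented URL moniker
CLSID; the sample built here is constructed and contains no exploit.
"""
import binascii
import re

# The CLSID as serialised inside an OLE stream (first three fields little-endian).
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")


def extract_objdata(rtf):
    """Yield the decoded bytes of each \\objdata group (hex run up to the closing brace)."""
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]
        yield binascii.unhexlify(hexrun)


def find_url_moniker_targets(rtf):
    """URLs carried by URL monikers inside embedded objects, in document order."""
    urls = []
    for blob in extract_objdata(rtf):
        idx = blob.find(URL_MONIKER_CLSID)
        while idx != -1:
            # Serialised URL moniker: CLSID, 4-byte length, then the NUL-terminated UTF-16LE URL.
            n = int.from_bytes(blob[idx + 16:idx + 20], "little")
            wide = blob[idx + 20:idx + 20 + n]
            urls.append(wide.decode("utf-16-le", errors="replace").rstrip("\x00"))
            idx = blob.find(URL_MONIKER_CLSID, idx + 16)
    return urls


def is_suspicious(rtf):
    """Same decision as the NVISO rule: an URL moniker whose target starts with http."""
    return any(u.lower().startswith(("http://", "https://")) for u in find_url_moniker_targets(rtf))


def _url_moniker(url):
    wide = (url + "\x00").encode("utf-16-le")
    return URL_MONIKER_CLSID + len(wide).to_bytes(4, "little") + wide


def build_sample_rtf(url):
    """Constructed fixture: an OLE1 object header (class name OLE2Link) whose native data
    is just the serialised moniker. A real sample carries an OLE2 compound file there,
    with the moniker inside its \\x01Ole stream; the search is identical."""
    classname = b"OLE2Link\x00"
    native = _url_moniker(url)
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"            # OLE version, embedded-object format
            + len(classname).to_bytes(4, "little") + classname
            + b"\x00\x00\x00\x00" * 2                            # empty TopicName / ItemName
            + len(native).to_bytes(4, "little") + native)
    hexdata = binascii.hexlify(ole1).decode()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    # \objautlink plus \objupdate is the combination seen in the in-the-wild documents.
    return ("{\\rtf1\\ansi\n{\\object\\objautlink\\objupdate{\\*\\objdata\n" + lines + "\n}}\n}").encode()


if __name__ == "__main__":
    doc = build_sample_rtf("http://example.com/update.hta")
    print(find_url_moniker_targets(doc), is_suspicious(doc))
```

The http check matters: an URL moniker with a `file:` target is a legitimate linked object, so the function reports the URL but does not flag it, which is the same distinction the YARA rule draws by requiring the “http” bytes after the CLSID.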
MISCELLANEOUS
- Greg Smith at TrewMTE asks the question “Could ISO/IEC 27037:2012 be the better option for handling and obtaining digital forensic evidence?”; however, it doesn’t appear that he has followed up with a comparison with ISO/IEC 17025 yet.
Digital Evidence ISO/IEC 27037 -v- ISO/IEC 17025
- Brett Shavers posted a couple of times this week
  - He has heavily discounted his X-Ways training course. If you retweet his tweet before April 17, you’ll get “the course for ONLY $119, plus receive a FREE COPY of the X-Ways Forensics Practitioner’s Guide*!”. I’m currently working my way through the course and I’m very impressed with it; it’s great to get an understanding of how to utilise X-Ways Forensics, especially since you can do it at your desk at your own pace.
  The 2 Fastest and Least Expensive Ways to Learn X-Ways Forensics
  - He has also put out his request to vote for his book for the 4:cast Award for Book of the Year.
  Forensic 4:cast awards…. VOTE FOR MY BOOK!! (pretty please)
- DFIR Guy at DFIR.Training gives his tips for “avoiding the 90% of material you don’t need”. These tips centre around focusing on the information that you require to learn, as well as choosing the right trainers for the job. He also recommends learning something new every day; 30 minutes a day adds up to quite a bit over the course of a year.
I only do 10%.
- There were a couple of posts by the guys at DME Forensics
  - Tyler Schlecht shares a list of tips and tricks to use when faced with a non-working DVR
  11 Tips When Faced with a Non-working DVR
  - Jason Latham provides some things to consider when sending staff to training and suggests that hosting the training may be a better option. He then provides a series of considerations for hosting training.
  On Site Training – What It Takes to Pull It Off
- Scar de Courcier at Forensic Focus has interviewed Professor Peter Sommer on his past, his current work (including the survey “on the effectiveness of and potential problems associated with ISO 17025” and The Digital Evidence Handbook) and his teaching, as well as the current and emerging problems in digital forensics.
Interview With Professor Peter Sommer
- Scar has also compiled this month’s popular discussions on the Forensic Focus Forum
Forensic Focus Forum Round-Up
- Mike Shanoudi shares the “7 most common mistakes when it comes to Incident response (IR) and lessons to learn from”
Seven Un-Wonders Of Incident Response
- John Patzakis, Esq. at the X1discovery blog discusses the revisions to the Sedona Principles, now in their 3rd edition. John’s post focuses on “the over-use of forensic disk imaging for eDiscovery preservations”. The commentary on the principles indicates that forensic disk imaging has its place; however, practitioners should focus their time on (correctly) extracting the necessary data rather than performing the time-intensive imaging process. As storage device capacities increase there’s a strong push to extract only the relevant data unless the rest is required.
Updated Sedona Principles Disfavor Forensic Imaging and Over-collection for Routine eDiscovery Preservation
- Yulia Samoteykina at Atola Technology shows how to use the Atola Insight to create an E01 image of a drive with MD5 and SHA1 hashing.
Imaging a Source Drive to an E01 File with a Double Hash
SOFTWARE UPDATES/RELEASES
- Eric Zimmerman has updated his Timeline Explorer tool to version 0.4.0.0. This post describes how to utilise the tool.
Introducing Timeline Explorer v0.4.0.0
- Didier Stevens updated his re-search.py Python script to version 0.0.4, adding the -G (grep all) argument.
Update: re-search.py Version 0.0.4
- Phil Harvey updated ExifTool to version 10.49 (development release). The update adds a couple of new tags, fixes various bugs, includes an API change, and adds the new “‘DateFmt’ utility function for use in advanced formatting expressions”
ExifTool 10.49
- The guys at Hunting Malware have released a beta version of their Linux sandbox based on Cuckoo v2
Hey, psh… cyberkids! our favorite bird e’[at] nix malware!
- MISP version 2.4.72 has been released, “including new features, improvements and important bug fixes.”
MISP 2.4.72 released
- Oxygen Forensics released a maintenance version of their Detective product, now at version 9.2.2. “The new version decrypts user data from the secure messaging apps, … extracts files, messages, contacts, geo coordinates and other available data from Instagram account, … [and] significantly improves the algorithm of deleted files recovery from Android devices and adds support for Samsung S8 and S8+.”
Oxygen Forensic® Detective enhances support for encrypted communications apps
- OSForensics V5 is now available for beta testing.
OSForensics V5 Beta release
- Daniel Plohmann at Byte Atlas has released a new library, ApiScout, whose main goal “is to allow a faster migration from memory dumps to effective static analysis.”
ApiScout: Painless Windows API information recovery
- Adam Witt updated his USN Journal Parser to include Python 3 support, and ‘mactime’ and ‘TLN’ body output.
Check Out @_TrapLoop’s Tweet
And that’s all for Week 15! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!