If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- Jonas Plum has started to reverse engineer the new Apple File System (APFS) and shares his research.
APFS filesystem format
- The guys at Cyber Forensicator shared a few posts this week
  - They shared an article by Andreas Dewald and Sabine Seufert from DFRWS 2017 Europe on “Advanced forensic Ext4 inode carving”
  AFEIC: Advanced Forensic Ext4 Inode Carving
  - They shared a “cheat sheet by Forensic Proof, showing USB device tracking artifacts on Linux and Mac OS X”.
  USB Device Tracking Artifacts on Linux and Mac OS X
  - They shared “a cheat-sheet [by Preston Miller] on tracking web-account activity”
  Website Account Activity Identification
  - They shared an article by Vitor Hugo Galhardo Noia and Marco Aurelio A. Henriques from SBSeg 2016 named “A comparison of encryption tools for disk data storage from digital forensics point of view”
  A Comparison of Encryption Tools for Disk Data Storage from Digital Forensics Point of View
  - They shared a presentation by Safaa Hraiz on BTRFS forensic analysis
  BTRFS Forensic Analysis
  - They shared a new book, “Seeking the Truth from Mobile Evidence”, by John Bair, “expected to be published in November 2017”
  Seeking the Truth from Mobile Evidence: Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations
- Daniel Miessler shows how he monitors his Ubuntu-based web server for SSH brute forcing attempts by loading the logs into Splunk.
Monitoring SSH Bruteforce Attempts Using Splunk
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp recount a phishing attack on a client.
“Hello. Team of TeamViewer is calling you… “. An anthology of the attack.
- Scar at Forensic Focus has briefly listed some items of Digital Forensics News from April.
Digital Forensics News April 2017
- David Cowen at HECF Blog shares information about a Scheduled Task observed in Win8.1+ that will routinely remove entries relating to Plug And Play. David also mentions that Woanware’s USBDeviceForensics has not been updated to identify the devices that have been removed; however, TZWorks updated their USP tool to show the deleted devices, as well as when they were deleted.
Windows, Now with built in anti forensics!
- Adam at Hexacorn continues his series on program execution methods. This method shows how to run an Excel macro even though the settings prevent macro execution. Adam does this by creating a malicious XLSB file, and “dropping any macro sheet inside the XLSTART folder and opening it from there will not show the macro warning”
Beyond good ol’ Run key, Part 62
- Magnet Forensics have posted an article about the Gatekeeper password storage in Android 6.0 (Marshmallow)
Gatekeeper Password Storage: How Android Secures Devices
- Mark Mckinnon has released the Volatility Autopsy Python plugin module.
Volatility Autopsy Plugin Module
- Greg Smith at TrewMTE shares two parts of an essay answering a question regarding potential evidence contamination. The question he answers is: “What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the affects be if the SIM Card was inserted into the mobile phone?”
Contaminating Evidence ONE and TWO
- The SANS InfoSec Reading Room shared Deepak Bellani’s whitepaper on “The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it”
The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it
- The Bluetooth Security Forensics team at Champlain College share their recent findings regarding the use of Btlejuice and Bluehydra
Bluetooth Security Forensics Conclusion
- Michael Hale Ligh at Volatility Labs advises that “the 2017 Volatility Plugin contest is now live and accepting submissions until October 1st, 2017”
The (5th Annual) 2017 Volatility Plugin Contest is Live!
- Pieces0310 shows how to resolve IP addresses in a PCAP to their geographic location using a GeoIP database and Wireshark.
How to trace the Geolocation of network traffic – Pieces0310
- Dr. Neal Krawetz at the Hacker Factor blog examines a White House picture that had been altered for security purposes to see if he could detect the changes.
The Secret That Donald Trump Doesn’t Want You To Know
THREAT INTELLIGENCE/HUNTING
- The guys at Carbon Black share some sections of the free eBook: “Threat Hunting for Dummies.”
What is Threat Hunting?
- Ryan Cobb has written a post attempting to “reproduce the results found by Lee [Holmes] in his article and provide a wrapper script for his work that can be used to detect obfuscated scripts”
Trying to Detect PowerShell Obfuscation Through Character Frequency
- Samuel Alonso at Cyber IR reviews Sqrrl’s continuous security monitoring solution.
Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)
- The guys at Sqrrl put forward their argument for adding “human-driven analysis to the list of ‘appropriate activities to identify the occurrence of a cybersecurity event’”. The three reasons they provide are “Automated Detection and Threat Hunting Aren’t the Same Thing, ‘Threat Hunting’ Is Arguably the Biggest Trend in Cybersecurity, [and] ‘Threat Hunting’ is Proven to Reduce Attacker Dwell Time”.
3 Reasons the Next NIST Update Should Include Threat Hunting
UPCOMING WEBINARS
- AccessData will be hosting a webinar on Wednesday, April 26, 2017, 7:00 pm GMT Summer Time (London, GMT+01:00) on the latest updates to FTK.
Event Information: AccessData 6.2: Take your investigations to new heights
- Bob Petrachek and Bruce Hunter at Blackbag Technologies will be hosting a webinar on April 25th, 2017 at 9:00 AM – 9:30 AM PDT regarding Volume Shadow Copies, Memory Analysis, and Jump Lists
Webinar Registration: Advanced Windows Artifacts
- The CFP for OSDFCon is open and closes June 1st. The conference will take place October 17 at the Hyatt Regency Dulles in Herndon, VA. There is also an Autopsy module competition which closes October 2nd.
Check out @sleuthkit’s Tweet
PRESENTATIONS/PODCASTS
- A few more presentations from the Art Into Science: A Conference for Defense (ACoD) conference were uploaded to YouTube.
ACoD Ops Track, Day 2
- Adrian Crenshaw has uploaded videos from BSides Nashville 2017.
BSides Nashville 2017 Videos
- Joshua James at Cybercrime Technologies acquires “an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd using a Linux forensic workstation”. He uploaded two videos, one for Windows and the other for Linux
- Didier Stevens shared two videos related to his previous analysis of a CVE-2017-0199 maldoc
CVE-2017-0199
- “Sharon Nelson and John Simek talk to Craig Ball about the intricacies of preserving digital evidence”, specifically, social networking and online information. Craig explains that preserving social media and the like doesn’t always require a trained forensic analyst and can be performed appropriately by the law firms involved, provided that they are adequately trained and follow approved procedure. Craig also talks about the various methods of preserving data: screenshots (which he says have a place but are not preferable), Google and Facebook’s takeout features, as well as the various tools specifically designed for social media and online preservation.
Practical Approaches to Preserving New (and Not-So-New) Media
- “The Forum of Incident Response and Security Teams (FIRST) today announced it is making available a public repository of conference presentations from the last twenty years of FIRST events”
FIRST releases twenty years of conference materials
- Karsten Hahn analyses “a hook injection PoC by Robert Kuster and partially fix it for Windows 7.”
Malware Analysis – Hook Injection PoC by Robert Kuster
- Corey Tomlinson sat down with Gerard Ryle from the International Consortium of Investigative Journalists about how Nuix has been instrumental in compiling and reviewing the data from the Panama Papers.
Interview With Gerard Ryle – International Consortium of Investigative Journalists
- On this week’s Digital Forensics Survival Podcast, Michael gave a brief overview of the relevant artefacts involved in the Firefox web browser.
DFSP # 061 – Firefox Forensics
- Recorded Future, in conjunction with The CyberWire, have started a new podcast on Threat Intelligence. The first episode was out last week, covering what threat intelligence is, and the second covers ThreatIntel feeds.
Threat Intelligence Podcast
- SANS have released all of the slides from the recent Threat Hunting Summit.
Threat Hunting and IR Summit (April 2017)
- Alex Pinto has shared his slides for his presentation at the 2017 Threat Hunting Summit, “Pushing the Boundaries of Threat Hunting Automation”
Check out @alexcpsec’s Tweet
- DFIR Guy from DFIR.Training tweeted out Simon Biles’ presentation from the FlossUK 2017 Spring Conference called “Are We Ready for Open Source Digital Forensics”.
Check Out @DFIR_Guy’s Tweet
- David Cowen shared out his NCCDC red team debrief.
Check Out @HECFBlog’s Tweet
MALWARE
- Didier Stevens analyses “a PDF with an embedded file and JavaScript”.
Malicious Documents: The Matryoshka Edition
- Lenny Zeltser describes fileless malware, “malware that operates without placing malicious executables on the file system”, and provides a history of the various forms that fileless malware has taken.
The History of Fileless Malware – Looking Beyond the Buzzword
- There were a couple of posts by Malwarebytes Labs this week
  - Jérôme Segura analyses an ISFB variant that is distributed as part of the ‘Binary Options’ campaign.
  Binary Options malvertising campaign drops ISFB banking Trojan
  - The Labs team unpacks the Moker trojan
  Elusive Moker Trojan is back
- Duc Nguyen, Jeong Mun, and Alden Pornasdoro at the Microsoft Malware Protection Center examine some “Java malware files [that] are variants of old malware with updated code that attempt to evade detection by security products”.
Combating a spate of Java malware with machine learning in real-time
- Nettitude Labs have posted a quick analysis of the latest Shadow Brokers dump
- Josh Grunzweig at Palo Alto Networks unpacks the Carp downloader that distributes the Cardinal RAT.
Cardinal RAT Active for Over Two Years
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Johannes Ullrich shares a “python script [by Countercept] that can be used to scan systems for the presence of” the Double Pulsar SMB covert channel.
  Detecting SMB Covert Channel (“Double Pulsar”), (Sun, Apr 16th)
  - Xavier Mertens examines a malicious Excel spreadsheet that utilised text hidden in the cells to download a malicious PE file.
  Hunting for Malicious Excel Sheets, (Wed, Apr 19th)
  - Xavier also examines an obfuscated maldoc.
  Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st)
  - Lastly, Xavier explains how attackers can use “standard DNS requests to exfiltrate data”.
  DNS Query Length… Because Size Does Matter, (Thu, Apr 20th)
- Melissa at Sketchy Moose shared a video and blog post describing some simple debugging of a malicious macro.
Dealing with Macros: Wading in VBEditor
- TrendLabs Security Intelligence Blog posted a couple of articles this week
  - The Cyber Safety Solutions Team explain how the RawPOS RAM scraper malware has been updated to search for driver’s license data “to aid in the threat group’s malicious activities.”
  RawPOS: New Behavior Risks Identity Theft
  - Echo Duan and Jason Gu examine the MilkyDoor Android malware
  DressCode Android Malware Finds Apparent Successor in MilkyDoor
MISCELLANEOUS
- The “CIBOK Editorial Committee … announced its establishment and the 1st edition “Cybercrime Investigation Body Of Knowledge” (CIBOK) published work. CIBOK is designed to provide a new standard for law enforcement organizations and enterprises around the globe with knowledge, skills and behaviors required to solve or prevent today’s complex and sophisticated cybercrime.”
New standard for cybercrime investigation launches as Cybercrime Investigation Body Of Knowledge
- Philippe Lagadec shares a process for “downloading thousands of [legitimate] MS Office files for testing”
Tip: How to download thousands of MS Office files for testing
- Trent Leavitt at Decipher Forensics addresses “the absolute necessity for deleted data in civil cases.” The post provides an overview of preservation letters, data collection, analysis, and presentation.
Deleted Data in Civil Litigation
- DFIR Guy at DFIR.Training shares a recent (non-technical) case study about an employee deleting data from his employer’s server and stealing equipment. The police were called; however, they classed it a civil matter. In my opinion, it’s a bit of a grey area because it would depend on when the employee performed his various malicious activities for it to be classed as a civil or criminal matter (in the state I live in, in Australia). Down here, there’s a specific section of law covering unauthorised access – so, in my opinion, the analyst would be required to determine what actions were taken and when, and whether the company indicated that he was no longer to have access to the system. Once that was shown, however, LE may have enough information to charge with the unauthorised access/destruction offence (if it exists in the jurisdiction). I recall reading about a case in the States a few weeks ago regarding a sys-admin performing malicious activities; however, at the time he was still employed, so it was entirely a civil matter – there was no unauthorised access. That being said, I think the physical theft would still be considered criminal, but then again I’m not a lawyer, a police officer, or in the jurisdiction where the actions took place.
3 Tips to Keep Your Name out of the News
- Cat Ianni at DME Forensics lists a few reasons why examiners should consider using DVR Examiner on their DVR cases.
Convincing Your Agency to Buy DVR Examiner
- Kent Walker at Google explains that the MLAT process is too cumbersome for today’s investigations and that he will be “sharing more thoughts about the legal frameworks that can address some of these challenges in the coming weeks and months”. I think the major paragraph is the following: “Without better and faster ways to collect cross-border evidence, countries will be tempted to take unilateral actions to deal with a fundamentally multilateral problem. A sustainable framework for handling digital evidence in legitimate cross-border investigations will help avoid a chaotic, conflicting patchwork of data location proposals and ad hoc surveillance measures that may threaten privacy and generate uncertainty, without fundamentally advancing legitimate law enforcement and national security interests”.
An international framework for digital evidence
- Devon Ackerman has updated his iOS Dashboard “to include recent iOS releases, iPhone releases and unlocking services”
Forensics – Apple iOS & Watch OS Artifacts
- Guidance Software has created a campaign on BugCrowd to reward researchers for finding new forensic artefacts. Researchers are encouraged to submit information about previously undocumented artefacts. Guidance verified that the researchers still maintain control of their research and are able to share it publicly if they wish. “The goal of the program is to reward researchers for work already being done to contribute to the industry.” The campaign will remain open until 11:59 PST on the 31st August. On a personal note, I think that this is a good move by the company to encourage more people to share their research. There are a lot of people doing so, but they’re doing so for free for the most part, so a potential reward is always nice.
Guidance Software – Forensic Artifact Research Program
- Matt McFadden at Guidance Software announced on Twitter that the new “EnCase training website has launched”.
Check Out @cybr4n6’s Tweet
- Jordan Potti listed his various experiences that led to his start in infosec
How I Got Started in InfoSec
- Jeff Hamm posted on LinkedIn that the book he has co-authored with Katrin Franke, André Årnes, and others, “Digital Forensics 1st Edition”, is finished and could be published in June. The book purports to be a “definitive text for students of digital forensics, as well as professionals looking to deepen their understanding of an increasingly critical field”.
Check out Jeff Hamm’s Post
- Magnet Forensics have a post advising that their Magnet Certified Forensics Examiner (MCFE) certification and Forensic Fundamentals course are now available. This post also includes a video by Chuck Cobb on the training courses offered by Magnet.
Magnet AXIOM MCFE Certification & New Forensic Fundamentals Course Launched
- Richard Wartell and Tyler Halfpop at Palo Alto Networks have advised that LabyREnth CTF 2017, “a new Unit 42 Capture the Flag (CTF) challenge, is coming on June 9, 2017”.
LabyREnth CTF 2017: We’re At It Again…
SOFTWARE UPDATES
- Arsenal Consulting have released “Hibernation Recon v1.1.0.56 with support for Windows 10 Creators Update (v1703) hibernation”
Check Out @ArsenalArmed’s Tweet
- Eric Zimmerman has updated his lnk project and all of its dependencies. This brings LECmd to version 0.9.6.0, JLECmd to version 0.9.9.0, and JumpList Explorer to version 0.4.0.0
- Phil Harvey has released ExifTool 10.50 (production release), adding and improving a couple of tags, and fixing a couple of bugs
ExifTool 10.50 (production release)
- Katana Forensics’ Lantern product has been updated to version 4.6.8, and now “has support for iOS 10.3.1 and Android 7 devices”.
- David Pany updated his PyWMIPersistenceFinder and CCM_RUA_Finder Python scripts.
WMI_Forensics Commits
- Oxygen Forensic have released an update to their Detective product, now at version 9.3. There are a number of updates including data extraction from Huawei cloud, decryption of WhatsApp data saved to iCloud, and parsing of encrypted Apple Notes.
Oxygen Forensic® Detective extracts data from Huawei cloud
- Radare2 v1.4 has been released, and “comes with 12768 new lines of new features, bug fixes and enhancements”.
Codename: “no comments”
- Thomas Patzke has released an open source Python library, Elasticsearch Query Language. “The main goal of EQUEL is to provide access to as many Elasticsearch features as possible with a query language that is easy to understand and write for humans.” The author indicates that the tool is still in its early development stage and shares the future plans (as well as a request for assistance in implementing these plans).
Introducing EQUEL, an Elasticsearch QUEry Language
- Pestudio has been updated to version 8.58. You can download the latest version here
- X-Ways Forensics 19.2 SR-2 was released, fixing a variety of bugs.
X-Ways Forensics 19.2 SR-2
- The Viewer Component was updated to version 8.5.3 to include several non-security related patches.
Viewer Component
And that’s all for Week 16! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!