If you’d like to vote for this site as the Forensic 4:cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- As an update to a post by Mari, there’s been a bit of talk about a newly located registry subkey that indicates the actual install date of Windows 10. I had a quick look on my Win10 system and identified three subkeys named “Source OS (Updated on MM\DD\YYYY HH:MM:SS)” which contained an InstallDate or InstallTime value. Converting these times, however, did not necessarily match up with the time in the text of the subkey. More research will have to be done to determine whether the lastwrite time of the Source OS subkey indicates when the update was started or completed, and what the OS is doing when it creates the data inside it. As a guess, Windows might be copying the previously existing data into this area as a backup – which means looking at the first one should give you the install date of the OS.
  When Windows Lies
- Brett Shavers shares his thoughts on two “games” that are commonly seen in infosec (although this post can relate to many enterprises, I’m sure). The two games are “hot potato”, where the responsibility is passed on down the chain, and “are we there yet”, where people prefer to await the inevitable rather than plan and prepare to avoid the issue.
  The 2 Worst Games to Play in #infosec
- Luis Rocha at Count Upon Security posted an introduction to Linux forensics where he examines a compromised Red Hat system. He covers mounting the file system, using TSK and plaso to generate timelines, and recovering and examining deleted files.
  Intro to Linux Forensics
- The guys at Cyber Forensicator shared a few articles this week
  - They shared a paper from the International Journal of Computer Science and Information Security 2017 by Desti Mualfah and Imam Riadi titled “Network Forensics For Detecting Flooding Attack On Web Server”
    Network Forensics for Detecting Flooding Attack on Web Server
  - They shared a presentation of PsychoHasher, “a Java based open source tool for generating and verifying hashes for text, files, combined digest for multiple files.”
    PsychoHasher: A Cross Platform Hashing Tool
  - They shared an article by Brenton Morris, who “published an interesting blog post about using r2pipe for automatic malware unpacking”.
    Generic Unpacking with r2pipe
  - They shared a paper from the International Conference on Computational Modeling and Security 2016 by Sheik Khadar Ahmad Manoj and D. Lalitha Bhaskari titled “Cloud Forensics – A Framework for Investigating Cyber Attacks in Cloud Environment”
    Cloud Forensics – A Framework for Investigating Cyber Attacks in Cloud Environment
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp list the various artefacts on iOS and Android that can be used to assist in identifying the owner of a device.
  Who is the owner of the mobile device?
- Brewster Rolland-Keith at DME Forensics lists four ways of extracting data from a DVR: using DVR Examiner, using the DVR’s export feature, using a capture card and replaying the footage, and lastly seeking assistance directly from DME Forensics.
  The 4 main ways of recovering video from a DVR
- Preston Miller at DPM Forensics examines the appinfo files created by VMware’s Unity mode (I’m not sure whether the files are created beforehand, or as a result of the user using Unity mode). “The names of these files are simply the MD5 checksum of the application’s file path as recorded within the .appinfo file. The create and modify timestamps of these files correlate to when the application was installed within the VM.” He then explains the Python script that he wrote to parse the files.
  Hasty Scripts: Summarizing Installed Applications on Encrypted VMs
- Mark McKinnon has released a new Autopsy plugin that is “an extension of the research that Ken Johnson did on Windows File History.”
  Windows File History Plugin
- Pete James at Precision Discovery shows how a Microsoft Office Alert can be used to identify file activity. An ex-employee had accessed a file and made a modification to it before closing it; this showed the dialog box asking if the user would like to save the file. As a result, an event was created indicating “the date, time, software program being used, and the name of the file”. I haven’t explored this log; however, the author doesn’t indicate whether the entry is different if the user does or doesn’t save the item. This information would be useful when coupled with other file access artefacts.
  Oh, the Traces You Leave on Your Computer: O-Alerts and the Executive
- Dan O’Day has identified an issue with RAM capture using Dumpit on large (64GB) memory captures. If I understand correctly, Dumpit can’t necessarily decode parts of the memory in 64-bit systems, so it’s advisable to take a crashdump instead of a raw capture. Dan did indicate that he “was able to successfully acquire and analyze the RAM using winpmem 2.1.post4 and Rekall 1.6.0 (Gotthard), respectively (your mileage may vary)”. Brian Moran also weighed in, saying that Belkasoft’s RAM capture utility is also not affected by the issue.
  Big RAM and the kernel debugger data block
- Lee Whitfield has started a new company and blog. His first post lists his company’s philosophy, and the second lists the events he’ll be attending in the coming months.
  Say hello to my little friend!
- The students at Champlain University have shared some information about their analysis of the Discord app. “The uses of caching and SQLite formatting allowed [the team] to recover artifacts such as the … chat logs to the images and files uploaded”
  Application Analysis: Conclusion
- Yogesh Khatri looked into the /private/var/folders in OS X. He also explores how the folder names are generated so that an examiner can tie them back to the specific user account (aside from looking up “the owner uid of the folder”).
  The mystery of /var/folders on OSX
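As an added example (not code from this post or from Mari’s), here is a small Python helper for the “Source OS (Updated on …)” comparison described in the first item above: it parses the timestamp in the subkey name, converts the InstallDate epoch, and reports the offset between the two along with whether the subkey’s LastWrite time comes after InstallDate. The subkey names and values are constructed, the input is passed in as plain dicts so it runs without a live registry, and treating the text timestamp as UTC is an assumption made only so the two can be subtracted.

```python
import re
from datetime import datetime, timezone

# Subkey names as quoted in the post: "Source OS (Updated on MM\DD\YYYY HH:MM:SS)".
# Assumption: a real system may use "/" instead of "\" in the date, so both are accepted.
SUBKEY_RE = re.compile(
    r"Source OS \(Updated on (\d{1,2})[\\/](\d{1,2})[\\/](\d{4}) "
    r"(\d{1,2}):(\d{2}):(\d{2})\)"
)

def parse_subkey_time(name):
    """Timestamp written in a 'Source OS' subkey name, or None if it does not parse.
    The text carries no zone; tagging it UTC is an assumption made so it can be
    compared with the epoch values."""
    m = SUBKEY_RE.fullmatch(name)
    if m is None:
        return None
    month, day, year, hour, minute, second = (int(x) for x in m.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def epoch_to_utc(seconds):
    """InstallDate is stored as a Unix epoch (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)

def compare_source_os(entries):
    """entries: dicts with 'name', 'InstallDate' (epoch seconds) and 'lastwrite'
    (the subkey's LastWrite time as epoch seconds). One result row per entry."""
    rows = []
    for e in entries:
        text_time = parse_subkey_time(e["name"])
        install = epoch_to_utc(e["InstallDate"])
        lastwrite = epoch_to_utc(e["lastwrite"])
        delta = None
        if text_time is not None:
            delta = int((install - text_time).total_seconds())
        rows.append({
            "name": e["name"],
            "text_time": text_time,
            "install_time": install,
            "lastwrite": lastwrite,
            # InstallDate minus the time in the subkey text, in seconds
            "delta_s": delta,
            # an exact multiple of an hour points to a local-vs-UTC rendering
            # difference rather than to two different events
            "whole_hours": delta is not None and delta != 0 and delta % 3600 == 0,
            # LastWrite later than InstallDate: the key was written again after
            # the recorded install moment (e.g. when the upgrade completed)
            "lastwrite_after_install": lastwrite > install,
        })
    return rows

def earliest_install(rows):
    """Per the post's guess that the first 'Source OS' entry is a backup of the
    original values, return the earliest InstallDate among the parsed rows."""
    valid = [r["install_time"] for r in rows if r["text_time"] is not None]
    return min(valid) if valid else None

# Constructed sample data, not values taken from a real system.
SAMPLE = [
    {"name": r"Source OS (Updated on 11\22\2016 10:20:46)",
     "InstallDate": 1479810046, "lastwrite": 1479813000},
    {"name": r"Source OS (Updated on 03\14\2017 05:20:46)",
     "InstallDate": 1489486846, "lastwrite": 1489486846},
    {"name": "Source OS (Updated on unknown)",
     "InstallDate": 1490000000, "lastwrite": 1490000000},
]
```

A delta of exactly five hours on the second constructed entry is the kind of result that suggests the subkey text is a local-time rendering of the same moment, which is one of the things the “more research” mentioned above would need to confirm.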
THREAT INTELLIGENCE/HUNTING
- The guys at Carbon Black have shared another chapter of their ‘Threat Hunting for Dummies’ eBook. This section covers the various people, processes, training, technologies and intelligence required to prepare for a hunt.
  Threat Hunting: Preparing to Hunt
- Jack Crook at DFIR and Threat Hunting shares a few of his thoughts on the presentation that he was scheduled to give at the SANS Threat Hunting Summit and x33fcon, but was unable to due to surgery.
  Billions and Billions of Logs; Oh My
- Jon-Louis Heimerl at NTT Security has announced the release of the “Global Threat Intelligence Report (GTIR)”.
  The 2017 Global Threat Intelligence Report is out now
- There were a few posts on the SANS InfoSec Reading Room this week
  - They shared Greg Lalla’s whitepaper on using Excel to examine log data should a SIEM or similar product not be available.
    Hunting through Log Data with Excel
  - They uploaded the results of the 2017 Threat Hunting survey
    The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey
  - They also shared Muhammad Elharmeel’s paper on threat hunting in packet captures using Bro
    Hunting Threats Inside Packet Captures
- Kyle Bubp at the Savage Security Blog shows how to set up Microsoft’s Local Administrator Password Solution to mitigate the threat of lateral movement in a network.
  Mitigating the Threat of Lateral Movement
- Cliff Kittle at SecureWorks explains why healthcare organisations such as hospitals should proactively hunt for threats in their networks. “You can’t always block attackers, but you can break the kill chain so they’re not successful. Human behavior analysis is critical to detecting and responding quickly to this type of threat. That is accomplished by performing regular pro-active threat hunting to identify indicators of an attack.”
  Hospitals Need Proactive Targeted Threat Hunting
UPCOMING WEBINARS
- Mattia Epifani and Arnon Tirosh at Cellebrite will be hosting a webinar on 10th May 2017 at 9:00AM UK time about how Cellebrite’s Advanced Investigative Services can assist in investigations, primarily in unlocking locked devices.
  Don’t Get Locked Out Of Your Investigation
- Jad Saliba at Magnet Forensics will be hosting two webinars next week on the latest update to Axiom. These webinars will be held Tuesday, May 30 at 9:00AM EST, and Wednesday, May 31 at 1:00PM EST.
  Webinar: Dig Deeper with Magnet AXIOM 1.1
PRESENTATIONS/PODCASTS
- Adrian Crenshaw at Iron Geek has uploaded a number of presentations from BSides Charm 2017
  BSidesCharm 2017 Videos
- BlackBag Technologies have uploaded their webinar held by Bruce Hunter and Bob Petrachek on Advanced Windows Artefacts
  BlackBag Webinar: Advanced Windows Artifacts
- Didier Stevens has uploaded a video unpacking a malicious PDF document containing a maldoc.
  Malicious Documents: The Matryoshka Edition
- Dave and Lee hosted a few guests on this week’s Forensic Lunch. Paul Shomo came on to talk about the newly announced Forensic Artifact Research Program by Guidance Software. Phil Hagen walked through his newly released FOR572 poster. Matt Bromiley then covered the Ken Johnson DFIR scholarship, and Lee touched on the 4:cast awards and the benefits of attending the DFIR Summit in Austin in June.
  Forensic Lunch 4/28/17
- Magnet Forensics have released Jamie McQuaid’s recorded webinar ‘Android Emulator Forensics: When an Android Device isn’t an Android Device’.
  Android Emulator Forensics: When an Android Device Isn’t an Android Device
- Microsystemation have released a short video about XAMN Spotlight.
  XAMN Spotlight – Get your answers faster, easier and with more precision
- John Douglas shares a brief case study of how his company used Nuix in an incident response case.
  First Response investigates cyberespionage and insider threats with Nuix
- The Nuix YouTube channel has uploaded a presentation by Nick Pollard and James Billingsley on the insider threat.
  It’s Human Nature The Insider Threat
- On this week’s Digital Forensics Survival Podcast, Michael explains the pain points of using VirtualBox to create a forensic examination VM.
  DFSP # 062 – Building a Forensic VM with VirtualBox
- SalvationData have uploaded a video about their Data Recovery System, an “all-in-one forensic data recovery tool which can help you acquire and recover data from both good and damaged storage media like HDD simply and easily”.
  SalvationDATA DRS(Data Recovery Software) for Efficient Computer Forensics
- SalvationData also uploaded a video regarding their Video Investigation Portable tool, which is a “forensically sound system for video extraction, recovery and analysis from CCTV DVRs of video surveillance system during investigations”
  VIP Deleted Video Materials Recovery
- Lenny Zeltser at SANS shares the updates to the FOR610 Reverse Engineering Malware course.
  2017 What is new in FOR610: Reverse-Engineering Malware Analysis course
- “Manny and Jason walk through a sampling of the high quality components that make up a TALINO Forensic Workstation, and why they make it an enterprise level system”. I haven’t spent much time looking into the Talino systems; however, it definitely makes sense to get the better components in your workstations if you’re doing a lot of heavy duty processing.
  What Makes a TALINO Enterprise Class? – TALINO Talk – Episode 2
- Martijn Grooten at Virus Bulletin shared two presentations from VB2016.
  - The first was a presentation by Benoît Ancel and Mehdi Talbi, who wrote a language called Haka and show how it can be used for “monitoring, debugging and controlling malicious network traffic”
    VB2016 paper: Debugging and monitoring malware network activities with Haka
  - The second was a presentation by Peter Kalnai and Martin Jirkal where they examined the “KeyRanger ransomware and the Keydnap credentials-stealer”.
    VB2016 video: Last-minute paper: A malicious OS X cocktail served from a tainted bottle
MALWARE
- Bart at Blaze’s Security Blog examines the Sem Solução ransomware and identifies the hardcoded decryption password (123).
  Ransomware, fala sério!
- Ofer Caspi at Check Point examines the Dok malware that is affecting OS X systems.
  OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic
- Luke Somerville at Forcepoint examines an email campaign that distributes “a new variant of the Geodo/Emotet banking malware”
  New Variant of Geodo/Emotet Banking Malware Targets UK
- Dario Durando & David Maciejak at Fortinet examine the Android banking malware BankBot, which is a variant of the code posted online for its predecessor, BankBotAlpha.
  BankBot, the Prequel
- The guys at Hackers Arise walk through a ransomware infection and examine the Chimera ransomware.
  Anatomy of Ransomware, Part 1: Chimera
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Jérôme Segura shows how UTF encoding can make two files appear to have the same name.
    A story of fonts by the EITest HoeflerText campaign
  - Thomas Reed examines the behaviour of the OSX.Dok malware.
    New OSX.Dok malware intercepts web traffic
- Michael Gorelik at Morphisec examines a maldoc that takes advantage of CVE-2017-0199 “to install a fileless variant of the Helminth Trojan agent.”
  Iranian Fileless Attack Infiltrates Israeli Organizations
- Didier Stevens at NVISO Labs shows how he was able to use a YARA rule to identify other samples on VirusTotal that were created on the same machine as a previously examined LNK file.
  Hunting malware with metadata
- There were a couple of posts on the Palo Alto Networks Blog this week
  - Brad Duncan examines a spam campaign “using United States Postal Service (USPS)-themed emails with links that redirected to fake Microsoft Word online sites. These fake Word sites asked victims to install malware disguised as a Microsoft Office plugin”. The campaign distributes a new ransomware named “Mole”.
    Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics
  - Robert Falcone takes a look at two months of the OilRig attack campaign and compares how the threat group has changed its delivery documents.
    OilRig Actors Provide a Glimpse into Development and Testing Efforts
- Xavier Mertens has a post on the SANS Internet Storm Centre about unpacking a maldoc that encourages users to click on the embedded, obfuscated JS downloader.
  Another Day, Another Obfuscation Technique, (Fri, Apr 28th)
- There were a few posts on Securelist this week
  - Anton Ivanov, Fabio Assolini, Fedor Sinitsyn, and Santiago Pontiroli examine an early variant of the Xpan ransomware.
    XPan, I am your father
  - The Global Research and Analysis Team “discuss the targeted attack highlights from the first quarter of 2017, and discuss some emerging trends that demand immediate attention”. This includes the Shamoon/StoneDrill and BlueNorff/Lazarus group attacks, as well as the adoption of fileless malware.
    APT Threat Evolution in Q1 2017
  - Alexey Shulmin and Sergey Yunakovsky examine the Denis malware, which uses DNS tunnelling for communication with its C&C server
    Use of DNS Tunneling for C&C Communications
- Nick Carr, Saravanan Mohankumar, Yogesh Londhe, and Barry Vengerik at FireEye’s Threat Research Blog examine the infection chain used by FIN7, who they describe as a “financially-motivated threat group”.
  FIN7 Evolution and the Phishing LNK
- Michal Malik and ESET Research at WeLiveSecurity examine the LuaBot malware; whilst it is a bot written in Lua, it “represents a new family, and is not related to previously seen Luabot malware”. As a result, this malware has been named Shishiga.
  Linux Shishiga malware using LUA scripts
MISCELLANEOUS
- There were a number of posts on Forensic Focus this week
  - Belkasoft announced a strategic alliance with AccessData. “The result is AD LAB users can now seamlessly parse an additional 250 artifact types directly into the Forensic Toolkit (FTK) database.”
    Belkasoft Announces Technology Partnership with AccessData
  - The guys at Oxygen have posted a primer on the Visual Query Builder that has been included in the latest update to Oxygen Forensic Detective. “The Visual Query Builder is a simple tool that allows the expert to build SQL queries within the Oxygen Forensic® SQLite Viewer using simple drag and drop procedures.”
    The New Visual Query Builder In Oxygen Forensic Detective v.9.3
  - Scar shares an article on The Guardian about how a victim’s FitBit data poked holes in the accused’s alibi.
    FitBit Step Counting Data Used In Murder Investigation
  - Scar also interviewed Abdeslam Afras, VP Of International Markets at AccessData, “about the upcoming international roadshows” regarding the updates to their products.
    Interview With Abdeslam Afras, VP Of International Markets, AccessData
- Paraben Corporation have announced “a new certification available to all examiners using E3:DS in their investigations.” The new certification is the DS Certification Mobile Operator, aimed at “those just getting started with Paraben’s E3:DS.”
  DSMO Certifications Are Now Available For Paraben’s Mobile Forensic Tools
- Christa Miller at Magnet Forensics explains the benefits of being curious – it allows you to do the research, and find the data, that solves cases: “making just a small investment of time to dig deeper, to learn to look at evidence in new ways or to try new ways to obtain it, could be a lifesaver later on as you apply your learnings to build stronger cases”.
  Does Justice Depend on How Forensically Curious You Are?
- Greg Smith at TrewMTE continues his essay on contaminating evidence, this time covering standard operating procedures when it comes to testing and examining damaged SIM cards.
  Contaminating Evidence THREE
- Yulia Samoteykina at Atola Technologies talks about the hashing options when using the Insight.
  Calculating Hash During Imaging
- Thomas Patzke has posted an article showing “the usage of EQUEL in combination with WASE, the Web Audit Search Engine, a tool that feeds an Elasticsearch instance with HTTP request/response data from the Burp Suite or from the included proxy server”. The post “describes briefly the crawling of URLs with curl and WASEProxy” and then “how nested documents can be searched and aggregated with EQUEL”.
  Querying and Aggregating Nested Elasticsearch Documents with EQUEL
- Lesley Carhart shares another infosec advice column.
  Ask Lesley InfoSec Advice Column: 2017-04-26
- Lesley also shows what she packs in her day bag when she goes to hacking cons.
  What’s in my (Hacking Con) bag?
- Mark at Sneaky Monkey shares his tips for getting started in the InfoSec community.
  Infosec Newbie
SOFTWARE UPDATES/RELEASES
- AccessData released FTK and AD Lab 6.2.1, improving WeChat parsing and adding support for encrypted iOS 10 backups.
  AccessData Forensic Toolkit 6.2.1 Release Notes
- AccessData also updated Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) to version 8.1.0. The update supports recovering “BitLocker passwords when a user-generated password was used for the encryption”, as well as “support for iOS 10 backup passwords”.
  Password Recovery Toolkit (PRTK) version 8.1.0 Release Notes
- Brian Baskin updated Noriben to v1.7.2, fixing some bugs and adding the headless option. He also added a new script, NoribenSandbox.py, which “allows you to automate the execution of Noriben within a guest VM and retrieve the reports” (on OSX). Brian has also released a video of this in action.
  Noriben malware sandbox 1.7.2 with Frontend
- Didier Stevens released a new Python script that runs a Python command against each line of an input text file.
  New Tool: python-per-line
- Elcomsoft updated Cloud Explorer to v1.30. The update allows examiners “to extract SMS text messages from Android backups made with Google Pixel/Pixel XL smartphones and devices running Android O Developer Preview”. CE has also been updated to “correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI)” from Google Location data. Oleg Afonin wrote this post explaining how CE can be used to parse the data from Google, as well as this post regarding extracting SMSs.
  Elcomsoft Cloud Explorer 1.30 Supports Android O, Extracts SMS Text Messages, Routes and Places from Google Account
- Eric Zimmerman released a minor update to his Timeline Explorer tool, now at version 0.4.0.1
- Peerlab by Kuiper Forensics has been updated to version 2.02.
  Version history – v2.02 (25.04.2017)
- Magnet Forensics have updated their Axiom product to version 1.1. The update adds machine learning to assist in child abduction cases by examining chat (more information here), support for various types of encryption, as well as improved speed, and functionality allowing new evidence to be added to a case. They have also released this video about the update.
  Magnet AXIOM 1.1 Launches with New Artificial Intelligence Support
- MobilEdit have released Camera Ballistics 2.0, with GUI, performance, and accuracy improvements, multi-threading support, as well as a “new generation of camera ballistics algorithms”
  Camera Ballistics 2.0 just released!
- Microsystemation have updated XEC to version 1.3, and Kiosk to version 7.3. “The latest XEC enables you to manage users effectively with the central user & system management”. “The newest version of Kiosk v7.3 also gives Kiosk users video and watchlist support, supports XRY v7.3 and more” (ref)
  Achieve higher operational efficiency today with XEC v1.3 & Kiosk v7.3
- Adam Witt has updated his USN Journal Parser to v4.0.1, refactoring the code “to better handle records carved from unallocated space” and halving processing time.
  Check Out @_TrapLoop’s Tweet
- Recon Imager has been updated to version 1.01 with some minor feature improvements, including “a popup notification to notify the examiner if any FileVault volumes exist on startup”, and adding imaging speed to the progress bar.
  RECON IMAGER Version 1.01 Now Released
- Matias Bevilacqua at FireEye announces a new tool, AppCompatProcessor. The new tool “handles both AppCompat and AmCache artifacts, has modules for processing more than 11 different formats, and contains some novel analytics to redefine the way we look at execution trace artifacts.”
  Evolving Analytics for Execution Trace Data
- X-Ways Forensics 19.2 SR-3 was released with a variety of bug fixes.
  X-Ways Forensics 19.2 SR-3
And that’s all for Week 17! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!