If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
UPCOMING WEBINARS
- In self-promotion news (yes, I moved this section to the top of the site this week ;)), I will be presenting a SANS webcast on Thursday at 11 AM EST/3 PM GMT/1AM AEST. My talk will cover some interesting information that can be obtained from the URLs Google generates when you use the site, mainly to do with a few timestamps, and some parameters that assist in understanding what the user did.
Webinar: https://www.google.com/search?what+does+all+this+mean?
- DME Forensics will be hosting a webinar regarding the release of DVR Examiner 2.0. The webinar will take place May 18th 9:00am – 11:00am MST, and you can register here
- Registration for DFRWS USA 2017 opened during the week.
Check Out @DFRWS’s Tweet
FORENSIC ANALYSIS
- The BlackBag Training Team provide an overview of the MFT and a few of its key attributes, along with how to examine the records in BlackLight.
Master File Table Basics
- The guys at Cyber Forensicator shared a couple of articles this week
  - They shared an article by Rootsecdev showing how to enable print logging for DFIR purposes.
  Automating print logging for DFIR purposes
  - They shared a paper by Akshaya M, Ashwini K S, Deepika N, Meenukumari S, and C Merlyne Sandra Christina from the International Journal of Latest Engineering Research and Applications, released March 2017, called “Authorship Attribution for Social Media Forensics”.
  Authorship Attribution for Social Media Forensics
  - They shared a tool, “PPEE or Professional PE Explorer (also known as puppy)”.
  PPEE: cross-platform PE explorer
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp explain how Oxygen Forensics Detective uses LG’s Advanced Flash technology to obtain a physical extraction. Unfortunately, if the user has enabled device encryption, the extracted data will still be encrypted.
Creating physical dumps and unlocking Android LG phones
- Cindy Murphy at Gillware Digital Forensics shares a case study where she was required to identify what had occurred on a laptop after an ex-employee had taken it with them upon exiting.
Adventures in Laptop Forensics
- Matt Seyer at the Hacking Exposed Computer Forensics blog shows how to manually and automatically parse a USN Journal ($J) file that has been exported using FTK Imager. Even though the $J file is a sparse file, FTK Imager exports it with the sparse regions written out as runs of unallocated data (0x00s), so Matt has written a tool to carve out the records and reduce the size of the exported $J quite considerably. Interestingly, @superponible recommends using Joakim Schicht’s ExtractUsnJrnl instead, as he advises that he hasn’t seen the additional 0x00s between records with that tool.
Contents in sparse mirror may be smaller than they appear
- John Lehr at Linux Sleuthing explores the world of epochs and shares a Python function for parsing Windows, Unix and Mac epochs.
Time Perspective
- There were a few posts on the SANS Digital Forensics and Incident Response Blog
  - Paul Henry talks about the wealth of information that can be obtained from a vehicle infotainment system. He walks through the extraction process of a Silverado’s infotainment system using Berla’s iVe tool and shows the data that is extracted.
  Digital Forensics – Automotive Infotainment and Telematics Systems
  - Adam Kramer demonstrates his new tool, ‘rapid_env’, “which allows for the instant, template based provisioning of a Windows environment. This can include elements such as files, registry keys, processes and mutex, all of which can alter the way that many of the current threats behave”.
  Rapid Provisioning of a Malware Analysis Environment
  - Keven Murphy continues his series on triage, this time showing how to mass process AT job files.
  Mass Triage Part 3: Processing Returned Files – At Jobs
- Francesco Picasso at Zena Forensics explains Windows Dropbox DBX files and shares a new tool, decwindbx, to assist in decrypting these files.
Brush up on Dropbox DBX decryption
THREAT INTELLIGENCE/HUNTING
- Dimitrios Slamaris at ((0x64 ∨ 0x6d) ∨ 0x69 ) shares some testing that he has conducted for hunting for mimikatz by examining OpenProcess().
Hunting mimikatz with sysmon: monitoring OpenProcess()
PRESENTATIONS/PODCASTS
- Joshua James at Cybercrime Technologies has uploaded a video showing “how to export file metadata using Autopsy 4 into two formats. TSV ‘text’ file, or a body file.”
[How To] Autopsy 4: Exporting file metadata and Bodyfile creation
- Karsten Hahn at Malware Analysis For Hedgehogs has uploaded a video looking at the “malware Gatak which uses WriteProcessMemory and CreateRemoteThread to inject code into rundll32.exe.”
Malware Analysis – Code Injection via CreateRemoteThread & WriteProcessMemory
- On this week’s Digital Forensics Survival Podcast, Michael talked about Bulk Extractor and its potential use cases. Many of these use cases are located within the (very useful) manual he shared, by Jessica R. Bradley and Simson L. Garfinkel.
DFSP # 063 – Triage with Bulk Extractor
- SANS uploaded a number of videos from the 2017 Threat Hunting Summit
- On this week’s Talino Talk, Manny and Steve talk about the Amfeltec SSD RAID controllers in the Talino machines.
How To Accelerate Forensic Work With Amfeltec SSD Cards – TALINO Talk – Episode 3
- Ryan Cobb shares his presentation from BSides Austin called “Obfuscating The Empire”.
Check Out @cobbr_io’s Tweet
MALWARE
- Didier Stevens shows how to “decompress a gzip compressed file, stored inside a McAfee quarantine file”.
Gzip Decompression Via Pipes
- Xiaopeng Zhang at Fortinet examines “a JS file that functions as a malware downloader to spread a new variant of the Emotet Trojan”.
Deep Analysis of New Emotet Variant
- Michael Gough at Hacker Hurricane talks about fileless malware and proposes a number of new terms for the variety of ways that “fileless” malware can be distributed (along with creating a new “Malware Archaeology Malware Attack Chain” diagram). Michael was also on this week’s Brakeing Down Security podcast to talk about the post.
Fileless Malware? Not so fast, let’s consider new terms
- Gilbert Sison at the TrendLabs Security Intelligence Blog provides a brief timeline of the Cerber malware and analyses the latest, version 6.
Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go)
- Shusei Tomonaga at JPCERT/CC has released a Volatility plugin “to detect RedLeaves in the memory.”
Volatility Plugin for Detecting RedLeaves Malware
- Darryl at Kahu Security has updated his exploit kit infographic.
Wild Wild West – 05/2017
- Thomas Reed posted a couple of times on the Malwarebytes Labs blog this week
  - The first post shares some information on a dropper that usually downloads the Dok malware; however, “instead of installing OSX.Dok, this dropper installs an open-source backdoor named Bella”.
  Another OSX.Dok dropper found installing new backdoor
  - In the second post, he unpacked the Mac version of the Snake malware (“also known as Turla and Uroburos”).
  Snake malware ported from Windows to Mac
- Sapna Juneja and Jyotsna Jain at McAfee’s Securing Tomorrow blog unpack a self-extracting archive containing the Cerber malware.
Cerber Ransomware Evades Detection With Many Components
- Bill Brenner at Naked Security analyses the malicious Google Play app, Super Free Music Player.
Super Free Music Player in Google Play is malware: a technical analysis
- Patrick Wardle at Objective-See analyses the recently compromised OS X version of HandBrake.
HandBrake Hacked!
- Brandon Levene, Robert Falcone and Tyler Halfpop at Palo Alto Networks examine the Kazuar backdoor trojan, which “may be linked to the Turla threat actor group (also known as Uroburos and Snake)”.
Kazuar: Multiplatform Espionage Backdoor with API Access
- Paul Rascagneres at Cisco’s Talos blog examines a new RAT they have called KONNI.
KONNI: A Malware Under The Radar For Years
- James Antonakos at Trustwave’s SpiderLabs blog examines a malicious RTF document associated with the Carbanak group.
Carbanak Continues To Evolve: Quietly Creeping into Remote Hosts
- There were a couple of posts on FireEye’s Threat Research blog this week
  - Matthew McWhirt, Jon Erickson, and DJ Palombo explain how FIN7 “leveraged an application shim database to achieve persistence on systems in multiple environments”.
  To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence
  - Swapnil Patil, Yin Hong Chang, Sudeep Singh, and Robert Venal examine a PDF downloader that downloads both the Dridex and Locky malware.
  Dridex and Locky Return Via PDF Attachments in Latest Campaigns
- Martijn Grooten at VirusBulletin shared Kathy Wang and Steve Brant’s VB2016 presentation titled “Building a Local PassiveDNS Capability for Malware Incident Response”.
VB2016 paper: Building a local passiveDNS capability for malware incident response
- Emre Güler at VMRay examines “a JScript dropper containing the Sage Ransomware 2.2”.
Undetected JScript Dropper Installs SAGE Ransomware
MISCELLANEOUS
- Yulia Samoteykina at Atola Technologies shows how to use the Insight to remove the HPA/DCO (permanently, or until the next power cycle).
Lifting HPA and DCO restrictions
- AccessData are celebrating their 30th year, which is a fairly significant milestone in a company’s life cycle.
Happy 30th Anniversary to AccessData!
- Paul Slater at Nuix suggests that implementing a technological solution can assist LE with their backlogs, rather than just throwing bodies at the problem.
Police Backlogs—Is Throwing Bodies at the Problem the Answer?
- Chris Sanders has announced a contest for those who have purchased his latest book, Practical Packet Analysis 3rd Edition. The person who sends Chris the most creative picture with his book will win a free seat in his new training course. The contest ends May 10th.
Practical Packet Analysis Photo Contest
- Chris has also continued his series on knowing your bias, this time explaining the availability heuristic, which “is a mental shortcut that relies on recalling the most recent or prevalent example that comes to mind when evaluating data to make a decision”.
Know Your Bias – Availability Heuristic
- There were a couple of articles on the DME Forensics blog this week
  - Brewster Rolland-Keith shares some tips for a first responder to triage a DVR system. Should that be unsuccessful, DVR Examiner may be able to be used to extract and parse the footage.
  Recovering CCTV Video in the Field
  - Patrick Supples provides some suggestions on how to verify the data that you have extracted from a DVR system, or parsed with DVR Examiner.
  How do I know that DVR Examiner is finding all of the video on my drive?
- DFIR Guy at DFIR.Training posted a couple of times this week
  - The first regarded updates to the site. He has removed the event calendar, added additional search warrants and templates, and will be playing around with the RSS feeds on the homepage. If you find that the RSS feed isn’t working, just read this site the following week 😉
  Website Updates (more search warrants, affidavits, forms, etc..)
  - The second was a list of the various DFIR books that he has read, along with recommendations about whether he liked each one (or if he believes it’s required reading). Pretty sure I have all (except one) of the required reading books, so I’m happy about that.
  My #DFIR Books of the Month
- Not to be outdone by Guidance, Magnet have announced an artefact exchange of their own (although there isn’t a mention of any compensation in the post). Magnet would like users to submit artefacts in an XML- or Python-based format, and further information should be posted in the near future. There was some interesting discussion regarding these new walled gardens of artefacts; both Guidance and Magnet are calling for the community to assist them in improving their products, and both are explaining that those who submit are still able to share their submissions. It seems that some people believe that the submitters won’t necessarily share their findings. I’m in two minds about the whole thing, because currently the artefact parsing can be held behind closed doors, and at least this way it can be shared (and in some instances even rewarded). I like this suggestion of an open standard, which I think this is meant to be, but I haven’t thoroughly explored it.
The Magnet Artifact Exchange is Coming Soon
- MSAB have an article about their XRY Library mobile app. This app can be used to determine whether a device is supported by XRY, but unfortunately requires a customer login. I’ve never been a fan of hiding device support behind a customer ID because it makes it harder for me to determine whether I need to become a customer of a product or not.
Review full extraction & decoding capabilities of XRY easily
- Joshua Faust has posted a dump of Cowrie Honeypot data, which contains a number of malicious binaries and scripts. These are being shared for educational and/or research purposes.
I’m publishing all my Cowrie Honeypot Binaries weekly
- Lee Whitfield at 337 Forensics has announced that his new venture will be sponsoring the 4Cast Awards this year.
337 Forensics – Forensic 4:cast Award Sponsors
- John Patzakis at the X1Discovery blog shares some cases that have been sanctioned for data spoliation. These cases relate to situations where data has been intentionally destroyed, unwittingly destroyed due to lack of process, or reliant on custodian self-collection.
The Three Categories of eDiscovery Spoliation Sanctions
- Scar at Forensic Focus shared a paper by Nadeem Alherbawi, Zarina Shukur & Rossilawati Sulaiman titled “A Survey On Data Carving In Digital Forensics”.
A Survey On Data Carving In Digital Forensics
SOFTWARE UPDATES
- Cellebrite released an update to their UFED line of products, now at version 6.1.6, adding “support for 180 new app versions for iOS and Android devices”, and fixing a number of issues.
UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.1.6 Maintenance Release (April 2017)
- Dave at EasyMetaData has announced the first beta release of MetaDiver 3.0. The new release adds a variety of new features, including keyword searching, picture review in the review window and performance improvements, as well as various bug fixes and other enhancements.
MetaDiver 3.0 beta is released #dfir #infosec #metadata
- Elcomsoft have released an update to their Phone Breaker tool, now at v6.46. “The update fixes the iCloud authentication issue and resolves the Invalid Credentials error, enabling customers to download iCloud backups and have continued access to files stored in iCloud Drive, synced data, and iCloud Photo Library.”
ElcomSoft Phone Breaker 6.46 Fixes iCloud Authentication and Invalid Credentials Problem
- Evimetry released v3.0.0-RC6 to “fix regression in iSCSI virtual disk on Windows 10.”
Release 3.0.0-RC6 (UNSTABLE)
- Phil Harvey has updated ExifTool to version 10.51 (developmental release). The update adds some new tags, as well as other minor improvements.
ExifTool 10.51
- FireEye released RedLine version 1.2 with a variety of new updates, including support for Windows 10 systems, and bug fixes. This thread on Twitter was also interesting; apparently, a bug has been introduced that “removed the ability to process existing memory images and removed MRI score”, which is being looked at currently.
RedLine Release Notes
- Magnet’s IEF was also updated last week, now at version 6.8.9.5711. The release notes aren’t publicly available, and it doesn’t appear that Magnet are sharing information on IEF releases on their blog as readily as they are regarding Axiom. I was able to find a copy of the release notes online combining the IEF and Axiom release notes (my understanding is that they share the same processing engine, so the artefact updates and bug fixes should transfer). I am slightly worried that the company will be phasing out IEF and pushing their users further towards Axiom – something that comes with increased functionality, sure, but also an increased price tag – and I’m not sure how that will go down with some organisations that already have defined workflows or limited budgets.
2017.05.01 MagnetForensics software update
- Microsystemation have released updates to a few of their tools.
  - XAMN Spotlight was updated to version 2.0, adding search filters, “source Mode to allow review of original hex data”, as well as other features.
  MSAB Announces XAMN Spotlight 2.0
  - They also updated XRY and Kiosk to v7.3.1, adding “support for iOS 10.3 in iCloud Backup extraction, improved chat decoding for Viber on iOS”, and a couple of bug fixes.
  Released today: XRY & Kiosk v7.3.1
- Nir Sofer at Nirsoft has released a new tool, UninstallView, “that collects information about all programs installed on your system and displays the details of the installed programs in one table”.
New uninstall tool for Windows
- Paul Sanderson at Sanderson Forensics has updated Forensic Explorer for SQLite to v1.2.2, adding a number of enhancements and bug fixes.
New Release 1.2.2
- TZWorks updated a variety of their tools, including evtwalk, evtx_view, wacu, cafae, yaru, and dup.
May 2017 build (package)
- X-Ways Forensics 19.2 SR-4 was released, fixing a variety of bugs.
X-Ways Forensics 19.2 SR-4
- X-Ways Forensics 19.3 Preview 1, and then Preview 2, were released with a variety of new features.
X-Ways Forensics 19.3 Preview 2
And that’s all for Week 18! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!