If you’d like to vote for this site as the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- The guys at Cyber Forensicator have shared the news that Joseph Muniz and Aamir Lakhani’s book, titled “Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer”, is due to be released in December 2017.
Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer
- They also shared a video by Mark Baggett on how to use his SRUM-DUMP tool.
SANS How To’s: SRUM-DUMP (System Resource Utilization Monitor) Tool
- Didier Stevens has shared a list of Internet Zone IDs that are located in the Zone.Identifier ADS (also Microsoft, please can you put a URL in there as well).
Quickpost: Internet Zone IDs
- Igor Mikhaylov, Oleg Skulkin, and Igor Shorokhov at Digital Forensics Corp show “how to analyze a logical image created with [Magnet] Acquire using UFED Physical Analyzer”.
Mobile Forensics: UFED vs Magnet ACQUIRE
- Preston Miller at DPM Forensics explains how to recover data from a damaged USB drive by transferring the NAND chip (provided it’s functioning) to a donor USB drive.
Recovering Data from Damaged USBs
- Will Ascenzo at Gillware Data Recovery explains how the Data Recovery team was able to recover some deleted CCTV footage by carving for H.264 raw frames and stitching them back together into a video.
DVR Video Recovery Case Study: Deleted Footage
- Adam Kramer at the SANS DFIR blog shares a PoC Python script that compares system snapshots – the script “gathers the output from the executed subprocess and compares it against an array of previously observed results. If there is something new, that hasn’t been seen before, it displays it to the user along with a timestamp, and then adds it to the array to prevent future duplication.” He then works through an example to show it in action.
Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis
- Mary Braden Murphy, a student at Champlain College, shares a website she created explaining chip-off data extraction and her personal testing. DFIR Guy at DFIR Training was suitably impressed.
Check Out @marybraden_m’s Tweet
- Pieces0310 shows how to use DCFLDD to image and hash a CD/DVD ROM on Linux.
How to image a CD/DVD ROM and generate hash value – Pieces0310
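For the Zone.Identifier item above, here is an added parser (not Didier’s code) that reads the `[ZoneTransfer]` section of the ADS and maps the ZoneId to its URL security zone name; the sample streams are constructed, and the `ReferrerUrl`/`HostUrl` keys are only reported where present in the stream.

```python
# Parse a Zone.Identifier alternate data stream ([ZoneTransfer] section).
# Added example for the Didier Stevens item above, not code from his post.
from dataclasses import dataclass
from typing import Optional

# URL security zone IDs (URLMON URLZONE_* values) written by Attachment Execution Services
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

@dataclass
class ZoneIdentifier:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

def parse_zone_identifier(ads_text: str) -> ZoneIdentifier:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier ADS.

    Raises ValueError when the stream carries no usable ZoneId, so a
    malformed stream is never silently reported as 'Local machine'.
    """
    values = {}
    in_section = False
    for raw in ads_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        raise ValueError("no ZoneId in Zone.Identifier stream")
    zone_id = int(values["zoneid"])  # also ValueError on a non-numeric id
    return ZoneIdentifier(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
        referrer_url=values.get("referrerurl"),
        host_url=values.get("hosturl"),
    )

# Constructed sample streams (what `more < file.exe:Zone.Identifier` would show)
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                   "HostUrl=https://example.test/setup.exe\r\n")
SAMPLE_BARE = "[ZoneTransfer]\nZoneId=4\n"
```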
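The snapshot comparison described in Adam Kramer’s item above, as an added example rather than his script: each run of a snapshot command is compared against everything seen so far, and only lines never observed before are reported with a timestamp. The command names and the two constructed snapshots are assumptions for illustration.

```python
# Snapshot-to-story live analysis: report only output lines not seen before.
# Added example based on the approach described in Adam Kramer's post, not his code.
import subprocess
import time
from datetime import datetime
from typing import Iterable, List, Set, Tuple

def new_observations(lines: Iterable[str], seen: Set[str],
                     now: datetime) -> List[Tuple[str, str]]:
    """Return (timestamp, line) for lines not in `seen`, adding them to `seen`.

    Blank lines are ignored and trailing whitespace is stripped so that a
    re-padded line does not show up as a false 'new' event.
    """
    stamp = now.strftime("%Y-%m-%d %H:%M:%S")
    fresh = []
    for raw in lines:
        line = raw.rstrip()
        if not line or line in seen:
            continue
        seen.add(line)
        fresh.append((stamp, line))
    return fresh

def run_snapshot(cmd: List[str]) -> List[str]:
    """Run a snapshot command (assumed e.g. ["tasklist"] or ["ss", "-tnp"]) and return its lines."""
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()

def watch(cmd: List[str], interval: float, rounds: int) -> None:
    """Poll `cmd` every `interval` seconds, printing only lines never seen before."""
    seen: Set[str] = set()
    for _ in range(rounds):
        for stamp, line in new_observations(run_snapshot(cmd), seen, datetime.now()):
            print(f"[{stamp}] NEW: {line}")
        time.sleep(interval)

# Constructed snapshots standing in for two consecutive `tasklist` runs
SNAPSHOT_1 = ["explorer.exe   1234", "svchost.exe    456", ""]
SNAPSHOT_2 = ["explorer.exe   1234", "svchost.exe    456", "powershell.exe 7890"]

def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Offline walk-through: first run reports everything, second run only the new process."""
    seen: Set[str] = set()
    t = datetime(2017, 5, 14, 12, 0, 0)
    first = new_observations(SNAPSHOT_1, seen, t)
    second = new_observations(SNAPSHOT_2, seen, t)
    return first, second
```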
THREAT INTELLIGENCE/HUNTING
- Dimitrios Slamaris at ((0x64 ∨ 0x6d) ∨ 0x69) shares some information on detecting “the DNS server level plugin dll injection”.
Hunting DNS Server Level Plugin dll injection
- Keith McCammon at Carbon Black shows how to detect the presence of the Snake malware on an endpoint.
Partner Perspectives: Detecting Snake Malware Using Cb Response
- Zac Brown at Microsoft’s Securing Office 365 blog shares “the ways in which you can consume ETW and then talk about filtering and reducing event volume efficiently.”
Hidden Treasure: Intrusion Detection with ETW (Part 2)
- Nick B at The Negative.Zone shares his setup with regards to how he has his [ELK stack] “configured to capture and consume Sysmon(Windows Logs), Packetbeat, Bro and Procmon”.
Analyzing Endpoints With ELK
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from Converge 2017 and Bsides Detroit 2017
- Joff Thyer at Black Hills InfoSec discusses “using Python regular expressions, and dictionaries to extract useful data for frequency analysis”.
Log File Frequency Analysis with Python
- Joshua James at Cybercrime Technologies shows how to build a Linux profile using Volatility.
Volatility Memory Analysis: Building Linux Kernel Profiles
- On this week’s Digital Forensics Survival Podcast, Michael talks about Google Chrome forensics and recommends a few Nirsoft tools to examine the data. I would also add Ryan Benson’s Hindsight, which Rob Lee says is “by far the most complete capability for Chrome analysis in #DFIR”.
DFSP # 064 – Chrome Forensics
- SalvationData shared a number of videos this week:
- USB Flash Drive Data Recovery
- How to Recover Data When Partition Error Occurs
- Advanced Image Selective Head Imaging DRS Disk Imaging Function Video Demo
- Normal Hard Drive Quick Imaging DRS Disk Imaging Function Video Demo
- How to Remove Password of Encrypted Seagate Drive by DRS
- Valid and Invalid Data Imaging DRS Disk Imaging Function Video Demo
- Advanced Image Drive with Bad Sectors DRS Disk Imaging Function Video Demo
- Digital Forensics Laboratory Overview 1
- Digital Forensics Laboratory Overview 2
- On this week’s Talino Talk, Manny and Steve talk about the new Talino Cryptanalysis server which uses GPU acceleration in a server rack to speed up password cracking. Manny also mentions that there are liquid cooled free-standing machines which they may do a video about.
Cryptanalysis at the Speed of TALINO! – TALINO Talk – Episode 4
MALWARE
- Jared Myers at Carbon Black analyses the Red Leaves malware.
Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading
- Monnappa K A at Cysinfo analyses an attack campaign targeting “officials of the Central Bureau of Investigation (CBI) and possibly the officials of Indian Army” with malware.
Cyber Attack Impersonating Identity of Indian Think Tank to Target Central Bureau of Investigation (CBI) and Possibly Indian Army Officials
- Roland Dela Paz, Michael Pantridge, and Luke Somerville at Forcepoint analyse the Jaff ransomware (and its connections with Locky).
‘Jaff’ Enters the Ransomware Scene, Locky-Style
- There were a couple of posts on the Fortinet blog this week:
- Xiaopeng Zhang continues analysing the new Emotet variant.
Deep Analysis of New Emotet Variant – Part 2
- Dehui Yin has a writeup of an analysis of the Esteemaudit tool shared by the Shadow Brokers from the Equation Group.
Deep Analysis of Esteemaudit
- Thomas Reed at Malwarebytes Labs analyses the “new variant of Proton malware” distributed by the compromised version of Handbrake.
HandBrake hacked to drop new variant of Proton malware
- Thorsten Schroeder at ModZero shares the news of a keylogger located on HP computers that was built into an audio driver. My understanding is that this was placed in by the developers for debugging purposes and wasn’t turned off – and makes for a very interesting forensic artefact to keep in mind. Diablo Horn shows how to turn this vulnerability into a remote keylogger.
[EN] Keylogger in Hewlett-Packard Audio Driver
- Patrick Wardle at Objective-See analyses the OSX/Proton.B malware distributed by the trojaned Handbrake disk image.
OSX/Proton.B; a brief analysis, 6 miles up
- Alex Hinchliffe at Palo Alto Networks examines the evolution of the Nemucod downloader malware.
Practice Makes Perfect: Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials
- There were a couple of posts on the SANS Internet Storm Center (not counting the Wcry ones):
- Brad Duncan examines some traffic associated with the Rig exploit kit.
Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan, (Thu, May 11th)
- Xavier Mertens takes a look at a backdoored version of the RC-Shell webshell.
When Bad Guys are Pwning Bad Guys…, (Fri, May 12th)
- Nick Biasini, Edmund Brumaghin, and Warren Mercer at Cisco’s Talos blog examine the Jaff ransomware.
Jaff Ransomware: Player 2 Has Entered The Game
- Genwei Jiang, Alex Lanstein, Alex Berry, Ben Read, Dhanesh Kizhakkinan, and Greg Macmanus at FireEye examine some malware that exploits “vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office”.
EPS Processing Zero-Days Exploited by Multiple Threat Actors
- There were a lot of articles posted about the Wcry ransomware attack, so I’ve listed a number of them below. The most important one is probably this one by MalwareTech, who stopped the attack from being much worse.
- Carbon Black – Protect Your Organization From WannaCry Ransomware
- Comae Technologies – WannaCry — The largest ransom-ware infection in History
- Didier Stevens – Quickpost: WannaCry Killswitch Check Is Not Proxy Aware
- Forcepoint – WannaCry Ransomware-Worm Targets Unpatched Systems
- Heimdal Security – Security Alert: WannaCry Leaves Exploited Computers Vulnerable to Round Two
- Kaspersky – WannaCry: Are you safe?
- Krebs on Security – Microsoft Issues WanaCrypt Patch for Windows 8, XP
- Krebs on Security – Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far
- Malwarebytes Labs – WanaCrypt0r ransomware hits it big just before the weekend
- Malwarebytes Labs – The worm that spreads WanaCrypt0r
- McAfee Labs – An Analysis of the WANNACRY Ransomware outbreak
- McAfee Labs – WannaCry: The Old Worms and the New
- SANS – WannaCry Ransomware Threat : What we know so far – Slides
- SANS – WannaCry Ransomware Threat : What we know so far – Webcast
- SANS ISC – Microsoft Released Guidance for WannaCrypt , (Sat, May 13th)
- Securelist – WannaCry ransomware used in widespread attacks all over the world
- Talos – Player 3 Has Entered the Game: Say Hello to ‘WannaCry’
- SpiderLabs – The WannaCry Ransomware Campaign
- Symantec – What you need to know about the WannaCry Ransomware
- TrendLabs – Massive WannaCry/Wcry Ransomware Attack Hits Various Countries
- Windows Security – WannaCrypt ransomware worm targets out-of-date systems
MISCELLANEOUS
- James Habben at 4n6ir shares his thoughts on improving soft skills – although in my opinion the list of steps can be transferred to most skill acquisition: realise the deficiency, commit, be accountable, find a mentor, and don’t waste time. All very valuable things when ensuring your improvement. I would also recommend listening to The Art of Charm podcast, which I’ve found to be interesting and focused almost entirely on soft skills acquisition (skip the earlier episodes). And thanks for the shout out! 😀
Real Self Improvement
- Martino Jerian at Amped shares his thoughts on a paper by Matthew P. J. Ashby titled “The Value of CCTV Surveillance Cameras as an Investigative Tool: An Empirical Analysis”.
CCTV is more useful than we may perceive
- DFIR Guy at DFIR.Training shared a couple of posts this week:
- The first is regarding the various ways that people can get into the DFIR field. I think regardless of the way that one gets into the field, the steps laid out in the second half of the post are quite important – basically do your research, read and educate yourself, share your findings, mentor/teach etc. – don’t rely on anyone else for your improvement.
The 2 Easiest Ways to get into DFIR
- The second indicates what appears to be his frustration in purchasing software from certain vendors that require you to give them information in exchange for a price quote (which also may vary depending on the information you give them).
Trading Personal Information for Price Quotes. Why do we do it?
- Didier Stevens shows how to crack a password-protected zip file using John The Ripper on Windows.
Quickpost: ZIP Password Cracking With John The Ripper
- Matt Hernandez at DME Forensics shares some information about the new previewing feature in DVR Examiner 2.0.
DVR Examiner 2.0 Sneak Peak – Previewing
- Oleg Afonin at Elcomsoft forecasts the future of cloud-based storage/authentication – they recently had to update their Phone Breaker tool to deal with an update by Apple. Also, the guys at Elcomsoft found that “Apple locks some iCloud accounts after downloading iCloud backup, requiring a change of password to continue using Apple ID-related services”.
ElcomSoft vs. The Cloud: a Game of Cat and Mouse
- “A number of the EU’s leading digital forensic experts have called for the adoption of the Cyber-investigation Analysis Standard Expression (CASE) as a standard digital forensic format”. A number of companies have been listed as implementing the standard.
EU Forensic Experts Call For Action On New Cyber Investigation Standard
- There were a few posts on Forensic Focus this week:
- Flashpoint shared their report on how cybercriminals communicate online.
How Do Criminals Communicate Online?
- Scar interviewed Sabidur Rahman, a PhD student at University of California, Davis, on his research paper regarding IoT forensics.
Interview With Sabidur Rahman, PhD Student, University of California
- Scar also interviewed David Spreadborough from Amped Software.
Interview With David Spreadborough, International Trainer, Amped Software
- Greg Smith at TrewMTE continues his series on evidence standard operating procedures:
- The first refers to adding a “removal of doubt (ROD) technique”, whose purpose is to assist “the examiner’s comprehension from the outset of the 5-Ws rule of thumb”.
Contaminating Evidence FOUR
- The second relates to APDU (application protocol data unit) commands that can be run “to select particular data from a SIM card”.
Contaminating Evidence FIVE
- Microsystemation explain that they have simplified the driver installation process for XRY, replacing all of the separate drivers with a single one.
Say hello to a single driver that lets you access your data hassle-free
- OmenScan shares a post on using AChoir to copy files based on file signatures. AChoir allows an examiner “to load all the signatures into a table, and copy any files that match any of the extensions or signatures.”
AChoir – Copying based on File Signatures
- Yulia Samoteykina at Atola Technologies shows how to extract or reset the password on a variety of hard drives.
Extracting and Resetting an Unknown ATA Password
- Richard Wartell and Tyler Halfpop at Palo Alto Networks walk through how to obtain access to the LabyREnth 2017 teaser site.
LabyREnth Teaser Site
- SANS have announced that the numbering for the Windows Forensic Analysis class will be changed from SANS 408 to SANS 500.
FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis
- Wolfgang Ettlinger at SEC Consult shares an advisory of an exploit in EnCase Forensic Imager which allows an attacker to execute code on a machine provided that a specially crafted LVM2 partition is loaded. I’m not sure if this will apply to EnCase, which I imagine shares a similar codebase. I’m also not sure how critical this is for those that use their forensic tools on an air-gapped network, which I imagine would be most law enforcement labs (considering it reduces the likelihood of a remote break, distributing a lot of badness). Guidance also doesn’t appear to think that the threat is very serious.
Chainsaw of Custody: Manipulating forensic evidence the easy way
- Brad Garnett at Cisco shares some information about the workshop on triage methodology that he will be teaching with Shelly Giesbrecht at Cisco Live! US 2017 on June 27th.
Triage Forensics: Leveraging Digital Forensics during Incident Response
- The Volatility twitter account tweeted a link to information regarding “critical details on using volatility 2.6 with Windows 10 / Server 2016 Anniversary and Creators Update”.
Check out @Volatility’s Tweet
- Also, if anyone reads this post from AccessData, the stylesheet for the product versions page appears to be having issues.
SOFTWARE UPDATES/RELEASES
- Alan Orlikoski advises that “CCF-VM has been updated with updated CDQR 3.1.3 & CyLR 1.3.2 versions”.
Check out @AlanOrlikoski’s Tweet
- Didier Stevens updated his zipdump Python script to version 0.0.6 to accommodate password-protected files.
Crack A ZIP Password, And Fly To Dubai …
- Didier also updated his re_search Python script to version 0.0.5 to fix a bug.
Update: re_search.py Version 0.0.5
- Guidance Software announced EnCase Mobile Investigator (which I think is a revival of their previous Neutrino product). They also announced “the release of EnCase Forensic and EnCase Endpoint Investigator 8.05.” All three are expected to be out in late June.
Guidance Software Announced Encase® Mobile Investigator
- “A new version of MISP 2.4.73 has been released including new features, improvements and bug fixes.”
MISP 2.4.73 released
- I have released a new tool that parses URLs generated by Google Search. SANS have also uploaded the webcast that I gave on my research. I do intend on converting the tool to Python once I get around to learning Python… which will have the added benefit of becoming a Hindsight plugin.
Introducing GSERPent
- James Habben has updated his Firefox Cache parser to extract data from a flags field.
Check out @JamesHabben’s Tweet
- X-Ways Forensics 19.3 Preview 3 was released, adding a new feature for setting an alternative name of a file, a new menu command for collapsing the file tree, and some fixes.
X-Ways Forensics 19.3 Preview 3
And that’s all for Week 19! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!