If you’d like to vote for this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- The guys at Cyber Forensicator shared a couple of articles this week
- They shared a paper by Abdulalem Ali, Shukor Abd Razar, Siti Hajar Othman, Arafat Mohammed, and Faisai Saeed from Taiz University called “A metamodel for mobile forensics investigation domain”
A metamodel for mobile forensics investigation domain
- They announced that Igor Mikhaylov’s new book, Mobile Forensics Cookbook, is “expected to be published in September 2017”.
Mobile Forensics Cookbook
- They announced that Preston Miller and Chapin Bryce’s new book, “Python Digital Forensics Cookbook”, is also expected to be published in September 2017.
Python Digital Forensics Cookbook
- They shared a blog post by “Ahmed Hashad from 701 Labs … on using JTAG acquisition in mobile forensics”
JTAG Acquisition in Mobile Forensics: The Forensics Analyst’s Guide
- They shared a post by “Eyal Neemany … on how to use PowerShell to expose command line shells history”
Exposing Command Line Shells History with PowerShell
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp explain the concept of the Device Firmware Upgrade (DFU) mode, also known as Recovery mode, which allows a user to load a custom image. Using this image, examiners are able to obtain a physical extraction of the device. They then explain the various tools that utilise custom recovery images.
Mobile Forensics: Device Firmware Upgrade
- Patrick Bell at Practical Forensics shows how to obtain a physical extraction from a Samsung Galaxy S7 Edge without wiping the data. This method requires an unencrypted device and the user’s PIN code.
How to Root Galaxy S7 Edge without wiping data to obtain a Physical Extraction
- Patrick J. Siewert at Pro Digital Forensic Consulting provides a case study showing how useful cellular call detail record (CDR) analysis can be, even in civil cases.
Case Study: Call Detail Records Analysis in Civil Domestic Litigation
THREAT INTELLIGENCE/HUNTING
- Barry Hensley at SecureWorks cautions against relying on free threat intelligence as your only source of intel. “There is a lot to be gained from open source intelligence analysis, including free threat intelligence feeds, but the cost to extract that value is not insignificant and relies on gaining an understanding of what the data represents, how it is collected, when it was collected and perhaps crucially, what is missing.”
Cyber Intelligence as a Free Lunch: Let the Buyer Beware
- Lesley Carhart shares a list of publicly noted malware sinkholes.
Consolidated Malware Sinkhole List
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded a number of presentations from NolaCon 2017
- Monnappa K’s presentation from Blackhat Asia 2017 titled “What Malware Authors Don’t Want You to Know – Evasive Hollow Process Injection” was uploaded to YouTube
What Malware Authors Don’t Want You to Know – Evasive Hollow Process Injection
- Dave and Matthew hosted Cindy Murphy, Matt Linton, and Ryan Pittman on the Forensic Lunch. The guests talked about their research into “how music and forensics goes together and the impact of listening to music on solving technical issues”. Dave then showed some shell interaction artefacts on Win10. In Win10 an LNK file is created on file creation for some extensions (i.e. excluding EXEs, for example). He also showed that creating or executing a file in a temp directory, however, will not create a LNK file. Dave suggests that you should always carve for LNK files because Windows will remove them during its operation, i.e. when two files with the same name are accessed (the first is deleted, and a new one is created). Matt suggested a research project: if someone wants to look for the list in Windows which contains the directories that Win10 doesn’t create LNK files for, that would be quite useful.
Forensic Lunch 5/19/17
- Hasherezade has shared her presentation from AppSec EU Allstars, and CONfidence 2017, titled “Wicked malware persistence methods”
Wicked malware persistence methods
- Magnet Forensics released a number of videos this week on Magnet Axiom and their Artifact Exchange
- Magnet Artifact Exchange
- Magnet AXIOM Process – Acquire & Process Evidence
- Magnet AXIOM Source Linking – Connecting the Dots Between Data and its Source
- Magnet AXIOM Exports, Tags & Comments – True View Exports & Portable Case
- Magnet AXIOM Filter Stacking – Searching and Filtering in AXIOM Examine
- Magnet AXIOM Centralized Views – Look Deeper in Data
- Magnet AXIOM Artifact Categories
- On this week’s Digital Forensics Survival Podcast, Michael takes a look at CompTIA’s CSA+ certification.
DFSP # 065 – Is CSA+ Certification right for you?
- The guys at Talos have started a new threat intelligence podcast, and although this blog post appeared this week, there are already 4 episodes to get through!
Beers with Talos Podcast Now Available
MALWARE
- Xiaopeng Zhang and Hua Liu at Fortinet analyse a new Loki variant distributed by a PDF file.
New Loki Variant Being Spread via PDF File
- Adam at Hexacorn shows how to use the RegisterApplicationRestart function for sandbox evasion
Using RegisterApplicationRestart as a (lame) sandbox evasion
- Andrew Case is “building a database of kernel-level malware (rootkits) that operate on Windows 8 and/or Windows 10” and “would greatly appreciate any references, URLs, papers, file hashes, or similar.”
Check out Andrew’s post on LinkedIn
- Jaewon Min at McAfee Labs examines the Chrysaor/Pegasus Android malware.
Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code
- Daan Raman at NVISO Labs shows how to use their new tool, binsnitch, “during the analysis of a malware sample”. “Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based on the SHA256 hash of the file”. I feel like a similar type of tool could be used to stop ransomware from encrypting files: do a header check, and if the header for a file has changed since the last scan, either figure out the process that caused it and ask if it was you, or just shut down the computer (preferably the first one).
Using binsnitch.py to detect files touched by malware
- Kafeine at Proofpoint examines a “very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz”
Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar
- Holger Unterbrink and Emmanuel Tacheau at Cisco’s Talos blog take a look at the attack chain utilised by the Terror Exploit Kit.
Terror Evolved: Exploit Kit Matures
- Artem I. Baranov at Artem On Security examines the GrayFish rootkit.
GrayFish rootkit analysis
- There were a couple of posts on the Trustwave SpiderLabs blog this week
- Bryant Smith shows how to use Suricata Lua Scripting to perform advanced malware detection. “Suricata has the ability to invoke Lua scripts which, in turn, gives us the ability to decode this type of [encoded] malware traffic and peer into what is being sent.”
Advanced Malware Detection with Suricata Lua Scripting
- Nicholas Ramos examines the latest campaign distributing the URSNIF malware
URSNIF is Back Riding a New Wave of Spam
- Nick Carr at FireEye shares some information about a cyber espionage actor, “designated by FireEye as APT32 (OceanLotus Group)”.
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
- The guys at TrendLabs compare WannaCry with UIWIX, and explain that according to their analysis, UIWIX is a new malware family that also utilises MS17-010, rather than an evolution of WannaCry.
After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit
- Julius Sewing at VMRay analyses a PDF that distributes the Jaff ransomware.
Jaff Ransomware Hiding in a PDF document
- Wcry coverage continues! This includes some further analysis, as well as a decryptor for those affected, provided the computer hasn’t been restarted.
- CyberWatch – Update: WannaCry Ransomware
- AlienVault – Making Sense of WannaCry
- BAE Systems – WanaCrypt0r Ransomworm
- CCDCOE – WannaCry Campaign: Potential State Involvement Could Have Serious Consequences
- Comae Technologies – WannaCry — New Variants Detected!
- Comae Technologies – WannaCry — Links to Lazarus Group
- Comae Technologies – WannaCry — Decrypting files with WanaKiwi + Demo
- Contextis – WannaCry: What you need to know
- Cyber Forensicator – WannaCry Ransomware – Incident Response Playbook
- Researchers build WannaCry decryption tools for Windows XP
- Didier Stevens – Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End)
- Digital Shadows – WannaCry: An Analysis Of Competing Hypotheses
- Endgame – WCry/WanaCry Ransomware Technical Analysis
- Forcepoint – WannaCry Post-Outbreak Analysis
- Forcepoint – WannaCry: Multiple malware families using the EternalBlue exploit
- Fortinet – Critical Update: WannaCry Ransomware
- Fortinet – WannaCry: Evolving History from Beta to 2.0
- Joe Security – Brief technical Analysis of Wannacry Ransomware Worm v2
- Kaspersky – WannaCry: What you need to know
- Malwarebytes Labs – Wanna Cry some more? Ransomware roundup special edition
- Malwarebytes Labs – How did the WannaCry Ransomworm spread?
- MalwareTech – Note on WannaCrypt Infection Count Accuracy
- NVISO Labs – Wcry ransomware – Additional analysis
- Palo Alto Networks – Threat Brief: WanaCrypt0r– What We Know
- Paul’s Security Weekly – Amanda Rousseau, Endgame – Hack Naked News #124
- Risky Business #455 — What a mess
- SANS – Latest on WannaCry Ransomware – SANS WEBCAST – May 16 2017
- SANS ISC – WannaCry? Do your own data analysis., (Tue, May 16th)
- Savage Security – WannaCry Yet?
- Securelist – WannaCry FAQ: What you need to know today
- Securelist – WannaCry and Lazarus Group – the missing link?
- Security Intelligence – WannaCry Ransomware Spreads Across the Globe, Makes Organizations Wanna Cry About Microsoft Vulnerability
- Trustwave SpiderLabs – WannaCry: We Want to Cry
- Kyle Hanslovan – Proud Moment: WannaCry Collaboration
- The Byte Atlas – Quick analysis write-up on the “link” between Lazarus and WannaCry
- Trend Micro – WannaCry and the Executive Order
- Virus Bulletin – WannaCry shows we need to understand why organizations don’t patch
- VMRay – Wana Decryptor Worm Spreads Over MS17-010 Vulnerability
MISCELLANEOUS
- Kevin DeLong at Avairy Forensic Solutions has described a number of important skills that a digital forensics practitioner should have/learn.
Essential Skills for a Digital Forensic Examiner
- Ryan Francis at CSO interviewed Ryan Benson, senior threat researcher at Exabeam and author of Hindsight, covering a day in his work life…yet skipping the important questions like toothpaste and breakfast cereal 🙂
A day in the life of a threat researcher
- Philippe Lagadec has released “a python library to create, parse and edit cyber incident reports using the IODEF v1 XML format”, called iodeflib.
iodeflib – a python library to create, parse and edit IODEF incident reports
- There were a couple of posts on the DME Forensics blog this week
- Jimmy Schroering explains how DME Forensics was founded.
Growth in a Small Forensics Company – The Beginning
- Jason Latham has a post on looking at an examiner’s certifications when reviewing their CV, covering “Vendor/Tool Specific and Discipline Specific Certification.” Ultimately a certification should show “do you have the knowledge (test) and can you use this knowledge to solve a problem with a known outcome or solution (practical exam)”. When reviewing a CV you should question the certifications that a person has, especially if they’re not known to you, and weigh up the level of expertise required to obtain the certification. As a side note, I’m not a huge fan of certifications that show you’re competent in using a tool, only because I don’t want the court system to require an examiner to be certified in every tool that they use. This has massive implications for organisations that use multiple tools and have a limited budget.
Not all that glitters is gold: What to look for in a Forensics Expert – Part II – Certification
- Vladimir Katalov at Elcomsoft shares his thoughts on Elcomsoft’s ability to recover iCloud data that Apple assures is removed. Elcomsoft have reported a number of instances to Apple regarding their ability to extract data from iCloud that was supposedly deleted, however, Apple hasn’t necessarily responded appropriately. I do think it’s interesting that Elcomsoft identifies and extracts this data, which is no doubt very useful to their law enforcement customers, and then gets Apple to patch the bug. It’s always a complicated issue because people want security for their devices, but LE needs to be that adversary that finds their way in to put the bad guys away.
On Apple iCloud security and ‘deleted’ notes
- Scar at Forensic Focus will be attending Enfuse next week and asked that “if there are any topics you’d particularly like us to cover, or any speakers you think we should interview”, readers let her know in the comments. She then went on to provide an overview of the conference.
Enfuse 2017 – Las Vegas 22-25 May
- There were also a couple of papers shared on Forensic Focus’ blog this week
- K M Sabidur Rahman, Matt Bishop, and Albert Holt shared their paper on “Internet Of Things Mobility Forensics”
Internet Of Things Mobility Forensics
- Mhd Wesam Al Nabki, Eduardo Fidalgo, Enrique Alegre & Ivan de Paz shared their paper on “Classifying Illegal Activities On Tor Network Based On Web Textual Contents”.
Classifying Illegal Activities On Tor Network Based On Web Textual Contents
- The CFP for the 9th International Conference on Digital Forensics and Cyber Crime (ICDF2C) has been extended until May 29th. The conference will be held in Prague, Czech Republic, October 9-11, 2017.
- The guys at Magnet Forensics show how improvements in data processing speeds have improved the performance of IEF and Axiom by 30%. It does appear that Axiom is slightly faster than IEF.
An Update on Magnet AXIOM Processing Speed Performance
- Magnet Forensics have announced that they will be releasing a whitepaper later this month on their new Magnet AI; “Magnet Forensics’ machine learning algorithm that helps triage devices to identify whether there is content or data on the devices that could show intent to lure, or groom, children for illicit sexual activity.”
How to Identify Child Luring: New White Paper Coming Soon!
- Greg Smith at TrewMTE continues his thesis on contaminating evidence regarding SIM card examination.
Contaminating Evidence SIX
- Dr Graeme Horsman is seeking “assistance from practitioners, in-house test and examination departments and laboratories regarding thoughts on testing in terms of the tools that are used” in the Institute for Digital Forensics LinkedIn group. “Access to content and discussions is open to LinkedIn members who request and are approved for membership to the group”.
Study into Carving Validation
- Yulia Samoteykina at Atola Technologies explains the benefits of segmented hashing when imaging damaged hard drives. When verifying a damaged drive using segmented hashing, “only the hash of the damaged segment will become invalid” rather than the whole hash. She then shows how to verify segmented hashing using Insight.
Verifying Damaged Target Images with Segmented Hashing
- Lesley Carhart asks a number of InfoSec professionals whether going to college is worthwhile, or a requirement. This also spurred some discussion on Twitter; here and here
College and Infosec: To Degree or not to Degree?
- Paul Melson created an Incident Response Scorecard that people may find useful.
Check Out @pmelson’s Tweet
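Returning to the Atola post on segmented hashing above: as an added illustration (not Atola’s or Insight’s code), this Python sketch hashes a constructed image in fixed-size segments, then simulates an unreadable run of sectors and shows that the single whole-image hash fails while only the one affected segment’s hash does. The segment size, the record layout and the sample image are assumptions made for the example.

```python
import hashlib

# Segment size for this example only (assumed); real imagers use much larger segments.
SEGMENT_SIZE = 512


def segmented_hashes(image: bytes, segment_size: int = SEGMENT_SIZE) -> list:
    """Hash the image in fixed-size segments.

    Each record stores the byte range it covers and the SHA-256 of that range,
    so a verifier can later re-hash the same ranges independently.
    """
    records = []
    for start in range(0, len(image), segment_size):
        chunk = image[start:start + segment_size]
        records.append({
            "start": start,
            "end": start + len(chunk),
            "sha256": hashlib.sha256(chunk).hexdigest(),
        })
    return records


def verify_segments(image: bytes, records: list) -> list:
    """Re-hash every recorded range and return the records that no longer match.

    An empty list means the entire image verifies; otherwise the failures
    pinpoint exactly which byte ranges differ from the original acquisition.
    """
    failed = []
    for rec in records:
        chunk = image[rec["start"]:rec["end"]]
        if hashlib.sha256(chunk).hexdigest() != rec["sha256"]:
            failed.append(rec)
    return failed


def whole_image_matches(image: bytes, expected_sha256: str) -> bool:
    """The traditional single-hash check: any changed byte fails the whole image."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed sample image (4 KiB of deterministic bytes), not a real disk image.
SAMPLE_IMAGE = bytes((i * 31 + 7) % 256 for i in range(4096))


def demo() -> dict:
    """Acquire, damage one segment's worth of data, and compare both verification styles."""
    records = segmented_hashes(SAMPLE_IMAGE)
    whole_hash = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

    # Simulate an unreadable sector range: bytes 1024-1535 come back as zeros.
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[1024:1536] = bytes(512)
    damaged = bytes(damaged)

    failed = verify_segments(damaged, records)
    return {
        "segments": len(records),
        "whole_hash_matches": whole_image_matches(damaged, whole_hash),
        "failed_ranges": [(r["start"], r["end"]) for r in failed],
        "intact_segments": len(records) - len(failed),
    }


if __name__ == "__main__":
    print(demo())
```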
SOFTWARE/PRODUCT RELEASES/UPDATES
- Amped FIVE Update 9223 was released with a variety of new features and bug fixes.
Amped FIVE Update 9223: New Hikvision Loader, New Tool, New Functions
- Eric Zimmerman has updated his Timeline Explorer tool to version 0.5.0.0, adding a few new features and fixing a bug.
Timeline Explorer 0.5.0.0 released
- Eric also updated his Registry Explorer tool to version 0.9.0.0 with a large number of updates. The accompanying blog post goes through the new features.
Registry Explorer v0.9.0.0 released!
- Cellebrite updated their UFED series of software to v6.2, including new features such as LG device lock screen bypass, additional Android devices for Advanced ADB, app updates, bug fixes and more.
UFED Touch2, UFED Touch, UFED 4PC, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader, UFED Cloud Analyzer (v6.0.1) 6.2 (May 2017)
- Didier Stevens updated his re_search Python script to version 0.0.7, adding a regex for Bitcoin addresses, as well as validation routines.
Update: re_search.py Version 0.0.7
- Didier also updated his zipdump Python script to version 0.0.7 to add support for password lists.
Update: zipdump.py Version 0.0.7
- Elcomsoft updated a couple of their tools this week
- They updated Explorer for WhatsApp to version 2.02 fixing a number of issues.
Elcomsoft Explorer for WhatsApp 2.02 Fixes iCloud Authentication Issues
- “Elcomsoft Phone Breaker 6.50 adds the ability to extract deleted notes from iCloud and fixes the issue of accessing iCloud backups”. Oleg Afonin also wrote a blog post about Notes syncing, and how to extract the data using EPB.
Elcomsoft Phone Breaker 6.50 Extracts Deleted Notes from iCloud
- Phil Harvey has released ExifTool 10.53 (developmental release), adding “support for ‘MeSa’ Photoshop IRB resource”, “[making] XMP-GSpherical tags writable”, and improving German translations.
ExifTool 10.53
- Johan Persson at MSAB explains a couple of the features of XRY v7.3.1. Full support for extracting iCloud Backup data has been restored, after a change by Apple “meant that any iCloud Backup that was downloaded with XRY v7.3 would not include data that had been created or changed in iOS 10.3, only data from previous iOS versions.”
XRY v7.3 upgrade tackles implications of iOS 10.3
- Nader Shalabi at No Secure Code has released a tool called Sysmon View, which can be used to visualise Sysmon events.
Sysmon View
- Oxygen Forensic updated their Detective product to version 9.3.1, adding support for a variety of app versions, “improvements to the Cloud Extractor module”, a number of Android devices, and more.
Oxygen Forensic® Detective adds support for 240+ new apps versions!
- Phil Hagen released a major update to the SOF-ELK VM Distribution; the release notes can be found here
- X-Ways Forensics 19.3 Beta SYMOE (Sell Your Mouse On eBay) was released. This adds the “option to define up to 10 custom keyboard shortcuts for commands in the directory browser context menu”, “user-defined keyboard shortcuts”, and more.
X-Ways Forensics 19.3 Beta SYMOE
- Guidance Software announced that “EnCase Endpoint Security Version 6 is scheduled for general availability at the end of Q2 2017.”
Guidance Software Announces Encase® Endpoint Security Version 6
- Guidance Software have also released a new imaging tool, the Tableau TX1. It is a handheld device with a variety of inputs, “including SATA, USB 3.0, PCIe, SAS, FireWire 800 & IDE”. I’m not sure if it has the capability but it would be amazing if this could work as a write blocker as well, meaning you can just buy one piece of kit (which of course doesn’t benefit the company, but almost guarantees sales because why wouldn’t you buy it). If I was going on site I would love to have a piece of equipment that lets me write block a device to triage it and act as an imager if necessary as well, especially if it can function concurrently.
Guidance Software Announces Tableau TX1 Forensic Imager
And that’s all for Week 20! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!