If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂 Only a few more days to go till voting closes too.
2017 Forensic 4:cast Awards – Voting
FORENSIC ANALYSIS
- Luis Rocha at Count Upon Security talks about the USNJrnl artefact on NTFS, and how to examine it using Joakim Schicht’s UsnJrnl2Csv utility.
Digital Forensics – NTFS Change Journal
- The guys at Cyber Forensicator shared a paper by Arafat Al-dhaqm, Shukor Razark, Siti Hajar Othman, Asri Ngadi, Mohamad Nazir Ahmed, and Abdulalem Ali Mohammed on the “Development and validation of a Database Forensic Metamodel”.
Development and validation of a Database Forensic Metamodel (DBFM)
- Brian Carrier has started a series “about responding to an endpoint and what to look for.” The first article looks into a variety of tools and evaluates them against a set of criteria.
Intro to IR Triage: Buyer’s Guide
- Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp talk about SIM cards and how to extract the data they hold using Oxygen Software Extractor.
SIM cards Forensic Analysis with Oxygen Software
- Preston Miller at DPM Forensics shows how to use Python and simplekml to present location data in KML format for easy viewing in Google Earth.
Spotlight: Tracking a User’s Whereabouts with simplekml
- Lee Whitfield at Forensic 4Cast shows why blanket statements can be dangerous by providing a few examples of deleting files and the changes to their MAC times as a result. Deleting a file on Windows may result in the Entry Modified time being changed; however, this is because the filename is changed. If the file is deleted without going through the Recycle Bin (i.e. Shift+Delete), then the removal process doesn’t update any timestamps. “There will be instances where metadata may change immediately before the deletion took place, especially when using third-party tools, but the MAC times are not updated on file deletion”
Deleted vs “Deleted”
- Jim Hoerricks shares a quick report formatting tip for Amped Five.
A report formatting tip for FIVE
- Jim also shows how to use Five to unroll an image from a 360 degree camera into a panorama shot.
Unroll 360 degree camera views with one click
- Lastly, Jim shows how to use “Auto Selection Mode, [which] automatically identifies frequencies to remove without user intervention” in Amped Five/Axon Five.
FFT for video – yes, video
- Foxton Forensics blog has a post showing how Browser History Examiner (BHE) can “help analyse internet history for any plain text passwords that might be inadvertently stored there.”
Uncovering plain text passwords in internet history
- Darryl at Kahu Security shares some information from an analysis of an infected PC where “an attacker used several NSA tools just four days after the Shadow Brokers’ dump then it burned the PC with ransomware when they were done with it.” He warns that attackers are going to be playing around with these NSA tools and that these tools don’t really leave much of a trace behind.
Not Your Typical Ransomware Infection
THREAT INTELLIGENCE/HUNTING
- The SANS InfoSec Reading Room shared Etrik Eddy’s whitepaper on “Intrusion detection through traffic analysis from the endpoint using Splunk Stream”
Intrusion detection through traffic analysis from the endpoint using Splunk Stream
- Chris Sanders has a guest post on the Sqrrl blog about retracing your investigation steps, and how to perform this task using Sqrrl.
Retracing Investigation Steps
- Michael Mimoso at ThreatPost shares a research paper by the “Georgia Institute of Technology, the IMDEA Software Institute and EURECOM” called “A Lustrum of Malware Network Communication Evolution and Insights”. They “posit that a better approach would be an analysis of network traffic to suspicious domains that would potentially cut detection times down by weeks or even months.”
Malware Network Communication Provides Better Early Warning Signal
PRESENTATIONS/PODCASTS
- Chris Sanders released episode 5 of the Source Code podcast, interviewing Gerald Combs on growing up in Kansas City and his experience in building Wireshark.
Source Code S1: Episode 5 – Gerald Combs
- The Down the Security Rabbithole podcast travelled to Las Vegas this week for Enfuse and produced a few shows.
- On the first show, Rafal and James spoke with Lori Chavez, VP of Corporate Marketing at Guidance, about Enfuse, as well as the history of the conference. She also briefly mentions the new imaging tool that Guidance is releasing.
DtSR FeatureCast – Enfuse Conf 2017 – Preamble
- On the next show they spoke with Patrick Dennis, CEO of Guidance, about what’s happening with the company.
DtSR FeatureCast – Enfuse Conf 2017 – Keynote Patrick Dennis
- The guys interviewed a couple of students from USC about their experience at Enfuse, and their program at university. It sounds like an interesting program where the students are taught everything from imaging and analysing computers to presenting the information in mock court.
DtSR FeatureCast – Enfuse Conf 2017 – DFIR Students
- Lastly, the guys interviewed Theresa Payton about her experiences in charge of computer security at the White House, as well as her work on the show “Hunted”.
DtSR FeatureCast – Enfuse Conf 2017 – Theresa Payton
- Four Forensic Lunches this week! So much to watch, and Dave, you’re right, I wasn’t going to be up at 3AM watching, but thanks for the shout out!
- Day 1 at Enfuse! Dave and Matthew hosted Amber Schroader, Matt Mcfadder, and Matt Bromiley. Amber spoke about her presentation on IoT, particularly in relation to kids’ toys (that bear was creepy), and the Paraben Symposium and Paraben’s E3 platform. Matt M, the director of training at Guidance, spoke about what’s changing in the world of training, changes to the EnCE (focusing on version 8), and the Certified Forensic Security Responder (CFSR) certification. Matt B then discussed WannaCry and the other tools dumped by the Shadow Brokers.
Forensic Lunch 5/23/17
- On Day 2, Dave and Matthew hosted Steve Whalen, Jake Williams, and Dmitri Sumin. Steve introduced Recon Imager, Sumuri’s new Mac imaging product, and why they decided to produce it (it’s a low cost alternative to Macquisition for those that haven’t played around with it; it doesn’t have the triage capability, but its imaging and RAM acquisition seem to be good). Jake spoke about WannaCry, as well as Rendition Sec’s 24/7 SOC. Dmitri then spoke about Passware’s products and cloud acquisition, as well as GPU acceleration.
Forensic Lunch 5/24/17
- On Day 3, Dave hosted Lesley Carhart, Bradley Schatz, and Ashley Hernandez. Lesley spoke about her experience winning the first Enfuse Women in Technology prize (congrats!), as well as her current research interests including Win10, Windows internals, memory forensics, and private browsing artefacts. She asked anyone interested in working with her on her research to get in touch. Next, Bradley spoke about his work on Evimetry and the AFF4 standard. The AFF4 standard is very interesting from an efficiency standpoint, and is responsible for a number of the cool things that Evimetry can do. Bradley also briefly spoke about the imaging device that Evimetry has put together to speed up the imaging process. If people haven’t seen the tool in action I’d highly recommend checking it out – Bradley explained that he is able to image a 500GB NVMe drive to 2 high-speed SSDs (in a RAID) in about 5 minutes. Bradley also spoke about DFRWS, which is taking place in Austin in August. Lastly, Ashley Hernandez, Director of Product Management at Guidance, came on to speak about the future of EnCase and some of their offerings. Guidance is going to be moving some of the most used EnScripts into core EnCase, which is a great move. She also provided some more details on the new Mobile Investigator product, which has two components. The first allows examiners to acquire devices and is built into Endpoint and Forensic. The output is stored in a Logical Evidence File. The second component, which is a paid addition, parses the various artefacts in the LEF.
Forensic Lunch 5/25/17
- Lastly, Dave hosted Jessica Hyde and Brian Moran to talk about their upcoming presentation on IoT device forensics at the DFIR Summit. Jessica and Brian shared that they were able to determine a non-destructive acquisition method for getting data off an Amazon Echo and Dot, as well as what data can be found on there. Jessica then gave a bit of information about what Magnet Forensics is up to, including their artefact exchange, Magnet AI, and how Axiom can be used to correlate data.
Forensic Lunch 5/26/17
- Guidance Software released a number of videos on their YouTube channel, mainly about EnCase Endpoint Security (although there were a couple of videos about transitioning to Encase v7, which may need to be replaced with videos about v8)
- EnCase Endpoint Security Technical Overview
- EnCase Endpoint Security and IOCs
- EnCase Endpoint Investigator Technical Overview
- DFIR with EnCase Endpoint Security
- Detection with EnCase Endpoint Security
- v7 Transition Video
- Transition to V7 Video
- Tableau Password Recovery Overview
- What’s New in EnCase Endpoint Security 6
- Root Cause Analysis with EnCase Endpoint Security
- The EnCase Agent
- Response Automation with EnCase Endpoint Security
- Remediation with EnCase Endpoint Security
- Angela Bunting and Peter Fetzer at Nuix have a presentation on using audio in discovery and investigations
Four myths about using audio in discovery and investigations
- On this week’s Digital Forensics Survival Podcast, Michael goes over the Skype application and the data that can be examined. Michael mentioned the NirSoft Skype viewer; I would also recommend Skyperious, as I really like the way that conversations are laid out in it.
DFSP # 066 – Skype Forensics
- Richard Davis shared “an introduction to memory forensics and a sample exercise using Volatility 2.6 to analyze a Windows 10 image.”
Introduction to Memory Forensics
MALWARE
- Jeff Edwards at Arbor Networks shares some recent findings with regards to the Zyklon malware.
Zyklon Season
- Bart at Blaze’s Security Blog answers some frequently asked questions about WannaCry.
WannaCry: frequently asked questions
- The guys at Countercept have posted part 1 of 2 on dissecting VBA macros using olevba by Decalage. “Part two of this blog post will look into using dynamic analysis to analyze the binaries dropped by the malicious macro.”
Dissecting VBA Macros – Part 1 of 2
- The Cylance Threat Guidance Team unpack the Qakbot malware.
Threat Spotlight: The Return of Qakbot Malware
- Didier Stevens shares a video on how to analyse a WannaCry sample with his tools.
WannaCry Simple File Analysis
- Hasherezade has a post with the “details of extension handler hijacking”. She also shared a video “demonstrating how it looks in action”.
Hijacking extensions handlers as a malware persistence method
- Brad Duncan has a post on the SANS Internet Storm Center Handler Diaries regarding the distribution of the Jaff ransomware by the Necurs botnet.
Jaff ransomware gets a makeover, (Wed, May 24th)
- Nikita Slepogin at Securelist has compiled a history of the Dridex trojan, including a brief analysis of each version up to version 4.
Dridex: A History of Evolution
- There were a couple of posts on Cisco’s Talos blog:
- Alexander Chiu shares some information about the use of the ETERNALBLUE and DOUBLEPULSAR exploits in malware.
Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks
- Vanja Svajcer analyses a phishing campaign that distributes a modified version of the Zyklon HTTP bot.
Modified Zyklon and plugins from India
- There were a couple of posts on the TrendLabs Security Intelligence Blog
- Benson Sy explains how attackers used a “combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics.” Analysis on this malware has also been conducted by JPCERT.
A Rising Trend: How Attackers are Using LNK Files to Download Malware
- Stephen Hilt analyses a malware sample, detected as JOKE_CYBERAVI, that contains a RickRoll.
Yara Used to RickRoll Security Researchers
- More WannaCry coverage! Although significantly less this week.
- Symantec – WannaCry: Ransomware attacks show strong links to Lazarus group
- Tenable – WannaCry 2.0: Detect and Patch EternalRocks Vulnerabilities Now
- FireEye – WannaCry Malware Profile
- FireEye – SMB Exploited: WannaCry Use of “EternalBlue”
- Trend Micro – The Latest on WannaCry, UIWIX, EternalRocks and ShadowBrokers
- WeLiveSecurity – WannaCryptor, aka WannaCry interview with Stephen Cobb and Marc Saltzman
- Anton Cherepanov at WeLiveSecurity shares some information about the XData ransomware, “detected by ESET as Win32/Filecoder.AESNI.C”. “Once it infects a computer, the main file drops a legitimate system utility – SysInternals PsExec – and then executes dropped ransomware sample (Win32/Filecoder.AESNI.C.).”
XData ransomware making rounds amid global WannaCryptor scare
MISCELLANEOUS
- Darlene Alvar at Amped interviewed Marco Fontani from FORLAB on his work in image and video forensics.
Interview with Marco Fontani, Forensics Consultant, FORLAB
- Scott Vaughan at Berla has released two spotlights on new iVe features: Exporting XRY Files and Velocity Logs.
- Matt Suiche at Comae Technologies has announced a beta program for Comae Stardust, which “works by collecting memory snapshots of machines and inspecting them in depth”.
Analyze Your System with Comae Stardust
- DFIR Guy at DFIR.Training has a post about the transition period that the DFIR field is undergoing. Previously, there were fewer conferences and significantly less of a community; today, anyone can instantly start a blog, document their findings, and communicate with the top people in the field over e-mail and Twitter. The downside is that if you’re not doing that, you may get left behind when competing for a top job.
Digital Immigrants
- Patrick Supples at DME Forensics explains how to get in touch with DME, and what information to provide, to request support for an unsupported DVR.
DVR Examiner DVR Implementation Process
- Oleg Afonin at Elcomsoft shares some statistics about Android encryption and shows that roughly 13.4% of Android (v6/7) devices are encrypted (apparently the performance hit is enough for manufacturers to not turn it on out of the box). He also covers the types of encryption available on Android devices, and how to extract data from unencrypted phones.
Android Encryption Demystified
- Scar at Forensic Focus shares her roundup of the month’s news.
Digital Forensics News May 2017
- Compelson Labs have also posted on the Forensic Focus blog about the benefits of using Camera Ballistics v2. This software can be used to compare photographs taken on a device and gives a score as to how certain it is that both photographs were taken on the same camera. This can be very useful in law enforcement scenarios, particularly around child abuse cases.
Verify If A Photo Was Really Taken By A Suspected Camera – Camera Ballistics 2.0
- Magnet Forensics posted a few articles this week:
- They opened their Artifact Exchange, which allows examiners to share custom artefacts written in either Python or XML. They also produced this video on how to get started.
Artifact Exchange Opens Today for Sharing Custom Artifacts
- They shared seven reasons why they believe that their tools are best in class.
Seven Reasons to Choose Magnet Forensics Tools
- Chuck Cobb “shares the importance of Digital Forensics Certification while talking about the expanding certification landscape and how finding the right certification for your role can have a bigger effect than having a number of disparate certifications.”
How the Right Digital Forensics Certification Makes an Impact
- “Debian/stretch AKA Debian 9.0 will include a bunch of packages for people interested in digital forensics.”
The #newinstretch game: new forensic packages in Debian/stretch
- Greg Smith at TrewMTE shares a questionnaire created by Dr. Horsman for his “Study into Carving Validation”.
Survey: Digital Forensics Tool Testing
- Yulia Samoteykina at Atola Technologies answers a few of the questions that were posed at the Forensic Europe Expo regarding the Atola Insight.
Q&A during Forensic Europe Expo
- Oxygen Forensics have announced a 3 day certification training course starting June 1 that will be delivered through their online portal. “The certification examination is included with a purchase of the course, and Oxygen Forensics is offering a $1,000 discount for the online certification course for those that purchase a license for Oxygen Forensic® Detective through July 1, 2017”.
Oxygen Forensics Launches Online Certification Course June 1
- The SANS InfoSec Reading Room shares the whitepaper by Ryan D. Pittman, Cindy Murphy, and Matt Linton regarding their research into music and DFIR professionals. This whitepaper goes along with the presentation the group will be giving at the DFIR Summit in Austin in June. (I had a listen through some of the playlist and was quite surprised when the Wiggles started playing at one point). Cindy also wrote a brief introduction to the paper on her blog (which was also nominated for Blog of the Year).
Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence)
- The guys at Talos updated file2pcap to version 1.25. Martin Zeiser and Joel Esler explain the background of the tool, as well as the supported protocols.
File2pcap – The Talos Swiss Army Knife of Snort Rule Creation
SOFTWARE UPDATES
- Berla released an update to iVe, now at version 1.11. “Headlining this release is support for SYNC generation 3, the latest version of Ford’s SYNC systems that are used in much of the Ford lineup throughout the world”. “Additionally, iVe 1.11.4 includes the ability to export files in .xry format for use in MSAB’s XRY suite, plus several minor improvements to the user interface and experience.”
iVe v1.11 Released
- Didier Stevens updated his zipdump tool to version 0.0.8 to add “handling of zlib errors when performing a dictionary attack.”
Update: zipdump.py Version 0.0.8
- Evimetry 3.0.0 was released with major features and bug fixes/improvements. One of the major updates is the adoption of the AFF4 Standard v1.0; for more information on the release, watch Bradley Schatz’s talk during the Enfuse Day 3 Forensic Lunch.
Release 3.0.0
- Phil Harvey released ExifTool 10.54 (developmental release), adding support for a number of new tags and features.
ExifTool 10.54
- GetData updated Forensic Explorer to v3.9.8.6498 with some minor improvements/fixes.
22 May 2017 – v3.9.8.6498
- Willi Ballenthin updated python-evtx to version 0.6.0 with “lots of enhancements to improve code quality”.
Release v.0.6.0
- Magnet Forensics updated Axiom to version 1.1.1. The update adds “the ability to create Custom Artifacts using Python”. They also added automated searching of 7-zip containers (although I’m not sure if this includes password protected files… maybe there’s an option to add a list of passwords?), and filtering conversations in column view.
AXIOM’s Custom Artifacts Now Supports Python Development
- Jean-David Gadina released a macOS keychain cracker on GitHub.
Check Out @macmade’s Tweet
- Adam Witt has released a “Python script to carve Windows Prefetch artifacts from arbitrary binary data”.
Check Out @_TrapLoop’s Tweet
- X-Ways updated X-Ways Forensics 19.1, 19.2, and 19.3.
- X-Ways Forensics 19.1 was updated to include “many of the fixes and some very few of the minor improvements introduced in later versions.”
X-Ways Forensic 19.1 SR-8
- X-Ways Forensics 19.2 was updated to SR-5 with a few bug fixes.
X-Ways Forensic 19.2 SR-5
- X-Ways Forensics 19.3 Beta 3 was released with a few new features.
X-Ways Forensic 19.3 Beta 3
And that’s all for Week 21! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!