Voting has closed for the 4Cast award, thanks for the votes! I’ll be attending the DFIR Summit where the awards are given out this year. Hopefully, the next time I post about this it will be a picture of the prize!
FORENSIC ANALYSIS
- Albert Barsocchini and Sam Maccherola at AccessData list three challenges when extracting data from cloud sources: collection tools may not be forensically sound, there are international data protection regulations, and “the built-in collection tools for Office 365 are inadequate for large-scale collections, [which forces] digital forensics teams to use a piecemeal approach involving the use of other software tools to complete the collection.”
3 Challenges to Data Collection in the Cloud
- Paula at CQURE Academy shows how to extract stored passwords from popular browsers.
How to extract password from the browser?
- The guys at Digital Forensics Corp explain why imaging RAM in ransomware cases is important, and then show how to acquire memory using Belkasoft Live RAM Capturer.
Why RAM imaging in ransomware cases is a must
- Tom O’Connor and Andrew Tappert at Forcepoint expound the benefits of memory analysis to identify malicious executables and focus on performing this task on Linux systems.
Using Memory Forensics Effectively for Linux Incident Response (and Threat Hunting)
- There’s an article on hackers-arise about how to extract EXIF data from photos using Exifreader.
Digital Forensics, Part 9: Extracting EXIF Data from Graphics Files
- Russ Taylor at Hats Off Security walks through the “Poor Internet Connection” forensic challenge from the RingZer0 Team Online CTF.
Ringzer0team – Forensics Challenge 35 – Poor internet connection
- James Grant shares his “analysis of a Ford Sync first generation module”.
Analysis of a Ford Sync Gen 1 Module
- Alex Maestretti has a post on LinkedIn Pulse about AWS forensics at Netflix. Alex explains that they have hit some roadblocks with the current state of the tools they use (plaso/timesketch/elasticsearch) and have needed to work with the developers to improve the tools. I like this kind of thinking because I’m sure there are other companies that have the same issues, so working together should improve everything for everyone.
Building a Disk Forensics Pipeline in the Cloud (join us!)
- Mark Mckinnon has released “a plugin that will export the /.fseventsd directory to the temp folder and will then call an executable program that will parse the data into a SQLite database and import it into Autopsy into the Extracted Content area.”
Mac FS Events Parser
- Greg Smith at TrewMTE shares a couple of videos on iPhone 5C chip removal and asks a few questions that people should consider: “(1) should the operator be wearing anti-static gloves?; (2) how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?; and (3) should you be testing chip off tools to understand their limitations before using them for chip removal and chip reading?”
Forensic Chip Off – Notes in Progress
- The June Edition of the Journal of Digital Investigation has been released.
- Aaron Varrone at Cisco explains the importance of prioritising log sources for threat hunting and incident response.
The Significance of Log Sources to Building Effective Intelligence-Driven Incident Response
- Cyphershark at Security In Formation has an article on the typical Linux folder structure and on understanding permissions.
Investigating Linux Systems
- Ted Smith at ‘X-Ways Forensics’ Video Clips explains how to use X-Ways Investigator or CTR to facilitate remote viewing of digital data.
Video 56 – Remote Viewing using X-Ways Investigator or CTR
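The hackers-arise post above uses Exifreader to pull EXIF data out of photos. The following is an added example of my own, not code from that post or from Exifreader, that does the same job by hand in Python so the structure is visible: it walks the JPEG marker segments to the APP1 “Exif” segment, reads the TIFF byte-order mark, parses IFD0 entry by entry (inline values versus offset values), and follows the GPSInfo pointer into its sub-IFD. The sample JPEG is constructed inside the block with made-up Make, DateTime and GPS values so it runs offline; tag names are the EXIF 2.3 names for the handful of tags handled.

```python
import struct

# Tag tables are a small subset of the EXIF 2.3 specification.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation", 0x0132: "DateTime"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
SUB_IFDS = {0x8769: {0x9003: "DateTimeOriginal"}, 0x8825: GPS_TAGS}  # pointer tag -> tag table of its sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5

def _decode(typ, n, data, endian):
    """Turn the raw bytes of one IFD entry into a Python value."""
    if typ == ASCII:                      # NUL-terminated string
        return data.split(b"\x00", 1)[0].decode("ascii", "replace")
    if typ in (1, 7):                     # BYTE / UNDEFINED: keep raw bytes
        return data
    if typ in (3, 4, 9):                  # SHORT / LONG / SLONG
        return struct.unpack(endian + "%d%s" % (n, {3: "H", 4: "I", 9: "i"}[typ]), data)
    if typ in (5, 10):                    # (S)RATIONAL: numerator/denominator pairs
        p = struct.unpack(endian + "%d%s" % (2 * n, "I" if typ == 5 else "i"), data)
        return tuple(p[i] / p[i + 1] if p[i + 1] else float("nan") for i in range(0, 2 * n, 2))
    raise ValueError("unsupported EXIF type %d" % typ)

def _parse_ifd(tiff, offset, endian, names, out):
    count, = struct.unpack_from(endian + "H", tiff, offset)
    pos = offset + 2
    for _ in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, pos)
        pos += 12
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                     # value fits inline, left-justified in the 4-byte field
            data = raw[:size]
        else:                             # otherwise the field holds an offset from the TIFF header
            data_off, = struct.unpack(endian + "I", raw)
            data = tiff[data_off:data_off + size]
        value = _decode(typ, n, data, endian)
        if tag in SUB_IFDS:               # follow ExifIFD / GPSInfo pointers into their sub-IFD
            _parse_ifd(tiff, value[0], endian, SUB_IFDS[tag], out)
        else:
            out[names.get(tag, "0x%04X" % tag)] = value
    return out

def find_exif(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob from the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:              # start of scan: no metadata segments after this
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def parse_exif(jpeg):
    tiff = find_exif(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte-order mark decides everything below
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    return _parse_ifd(tiff, ifd0, endian, IFD0_TAGS, {})

def gps_decimal(exif):
    d, m, s = exif["GPSLatitude"]         # (degrees, minutes, seconds) rationals
    value = d + m / 60 + s / 3600
    return -value if exif.get("GPSLatitudeRef") == "S" else value

# --- constructed sample JPEG (made-up values, not a real camera file) so this runs offline ---
def _build_ifd(entries, base, endian):
    """Serialise [(tag, type, count, packed_bytes)] as one IFD placed at TIFF offset `base`."""
    ifd, data = struct.pack(endian + "H", len(entries)), b""
    data_start = base + 2 + 12 * len(entries) + 4
    for tag, typ, count, packed in entries:
        if len(packed) <= 4:
            field = packed.ljust(4, b"\x00")
        else:
            field = struct.pack(endian + "I", data_start + len(data))
            data += packed
        ifd += struct.pack(endian + "HHI", tag, typ, count) + field
    return ifd + struct.pack(endian + "I", 0) + data   # next-IFD offset 0 ends the chain

def build_sample_jpeg(endian=">"):
    gps = _build_ifd([(0x0001, ASCII, 2, b"N\x00"),
                      (0x0002, RATIONAL, 3, struct.pack(endian + "6I", 51, 1, 30, 1, 0, 1))], 8, endian)
    ifd0_off = 8 + len(gps)               # GPS IFD sits right after the header, IFD0 after it
    ifd0 = _build_ifd([(0x010F, ASCII, 6, b"Canon\x00"),
                       (0x0112, SHORT, 1, struct.pack(endian + "H", 1)),
                       (0x0132, ASCII, 20, b"2017:06:01 12:34:56\x00"),
                       (0x8825, LONG, 1, struct.pack(endian + "I", 8))], ifd0_off, endian)
    tiff = (b"MM" if endian == ">" else b"II") + struct.pack(endian + "HI", 42, ifd0_off) + gps + ifd0
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

`parse_exif(build_sample_jpeg())` returns a flat dict (Make, Orientation, DateTime, GPSLatitudeRef, GPSLatitude) and `gps_decimal` turns the three rationals into 51.5. Two things worth keeping from the parser when reading real evidence: the byte-order mark decides how every later field is read, so an `II` versus `MM` mismatch yields garbage offsets rather than an error, and a rational with a zero denominator is returned as NaN rather than crashing the run on a single malformed tag.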
THREAT INTELLIGENCE/HUNTING
- Chris Pogue at Nuix applies the “Left Of Bang” methodology, which came out of the US Marine Corps’ Combat Hunter program championed by General (now US Secretary of Defense) Mattis, to cybersecurity. Left of Breach in this instance would be threat intelligence and proactive hunting, whilst right of breach would be the DFIR space. “Cybersecurity professionals need to understand the tactics and techniques of their adversaries as well so that they too can learn to predict the movements of their adversary”. “You need to understand what attacks look like, how your adversary is going to engage them, and how to stop them—staying Left of Breach.”
Learn to Understand and Stay ‘Left of Breach’
UPCOMING WEBINARS
- Jamie McQuaid at Magnet Forensics will be hosting a webinar on “the value of each type of location data and what it can actually tell you, versus what might not be important to your investigation”. The webinar will take place on June 20 at 1:00PM EST and June 22 at 9:00AM EST.
Webinar: The good, the bad, and the useless: the truth about geolocation data
PRESENTATIONS/PODCASTS
- Xavier Mertens shares the presentation that he gave at the OWASP Belgium Chapter on webshells.
HTTP… For the Good or the Bad
- The last Down The Security Rabbithole podcast from Enfuse 2017 was an interview with Amber Schroader from Paraben on the proliferation of IoT devices and their impact on digital forensics.
DtSR Episode 247 – Internet of Things Forensics
- Chad Tilbury shared an interview by the team at FIRST (Forum of Incident Response and Security Teams) about his “upcoming presentation on Windows credential attacks at their annual conference”.
Credential Attack Podcast
- Geoff MacGillivray at Magnet Forensics presents on the recent update to Axiom.
Dig Deeper with Magnet AXIOM 1.1
- On this week’s Digital Forensics Survival Podcast, Michael shared his thoughts on Mary Ellen Kennel’s IR A-Z document that can be found here.
DFSP # 067 – IR A-Z
- The Reply-To-All Information Security blog shared the presentation slides for a talk on lateral movement on Windows systems given at the PHD Conference.
Hunting Lateral Movement in Windows Infrastructure
- Lesley Carhart was interviewed on SecurityGuyTV at Enfuse 2017 about her background and work at Motorola, her blog, and getting into the field today.
Check Out @chuckharold’s Tweet
- Martijn Grooten at VirusBulletin shares a presentation from VB2016 by Jaromír Horejší and Jan Širmer called “Malicious proxy auto-configs: an easy way to harvest banking credentials”.
VB2016 video: Last-minute paper: Malicious proxy auto-configs: an easy way to harvest banking credentials
MALWARE
- Bahare Sabouri and He Xu at Fortinet examine an RTF file that utilises CVE-2017-0199. You can find other examples of analysis of this exploit here.
Spear Phishing Fileless Attack with CVE-2017-0199 - Brian Maloney at Malware Maloney has created a tutorial for writing a plugin for ProcDOT, “a malware analysis tool created by Christian Wojner (CERT.at – CERT Austria) … designed to correlate Procmon logs and PCAP data.” The first part shows how to create a basic plugin, and the second improves on this basic plugin.
- Jyotsna Jain, Amit Dutta and Sagar Gulhane at McAfee Labs examine a malicious document that was distributed after attackers gained access to an internal DocuSign system.
Misuse of DocuSign Email Addresses Leads to Phishing Campaign
- Anton Ivanov, Fedor Sinitsyn, and Orkhan Mamedov at Securelist identify a few errors in a WannaCry sample that may allow files to be recovered (in some instances the originals aren’t securely deleted, and in others files aren’t encrypted even though they’re meant to be).
WannaCry mistakes that can help you restore files after infection
- Michael Oppenheim, Kevin Zuk, Matan Meir, and Limor Kessem at IBM X-Force Research examine the QakBot malware, which is “known to target businesses to drain their online banking accounts”.
QakBot Banking Trojan Causes Massive Active Directory Lockouts
- Nicholas Ramos at SpiderLabs analyses a spam campaign that distributes the FakeGlobe and Cerber ransomware.
FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry
- Ali Islam, Christopher Glyer, Barry Vengerik, Zain Gardezi, and Haroon W Malik at FireEye show how attackers are using the EternalBlue exploit to distribute Backdoor.Nitol and Trojan Gh0st RAT. “The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities”.
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
MISCELLANEOUS
- James Habben at 4n6ir shares his observations about people’s attention at the recent conference he attended. He shares a couple of tips for ensuring that you remain “present” during conversations and meetings, as well as for identifying when others aren’t present.
Soft Skills: Be Present
- Martino Jerian at Amped Software answers the most common questions asked regarding the validity of Amped Software’s products in a legal setting.
Are Amped Software products validated or certified officially for forensic use?
- The guys at Cyber Forensicator have shared news about a new book, “Digital Forensics and Incident Response” by Gerard Johansen, which “is expected to be published in July 2017”.
Digital Forensics and Incident Response
- Tom Webb at Dark Reading has a post on the importance of collecting metrics in IR work. By collecting useful metrics you can use data to support the direction you wish to take, or your claims for additional resources.
How to Succeed at Incident Response Metrics
- The guys at Digital Forensics Magazine shared a couple of articles of interest this week.
- They shared a paper by Fadi Abu Zuhri on the current challenges in Cyber Forensics.
Cyber Forensic Challenges
- Yitzhak Vager from Verint Systems has a post describing what computer forensics is.
Taking Control of Your Forensics
- Jimmy Schroering at DME Forensics continues his series on starting a small forensics company, this time dealing with the dilemma of service pricing, and also showing the benefits of scripting. To solve a couple of cases they developed some carving scripts that have since evolved into DVR Examiner.
Growth in a Small Forensics Company – Going Full Time
- There were a few posts on the Forensic Focus blog this week.
- Probity Inc has announced “the release of Truxton 2.0, a digital forensics platform designed to automate big data investigations.”
Truxton 2.0 to Premier at Techno Security and ICAC Atlanta 2017
- Mattia Epifani provides a recap of Enfuse 2017, covering a variety of talks and vendors.
Enfuse 2017 – Recap
- The results from a recent survey on the effectiveness of the ISO 17025 scheme have been posted.
Challenges Of ISO 17025 Accreditation – Survey Results
- Tim Berghoff at G Data Security addresses “some of the strategic considerations about incident response and readiness.”
Fighting virtual fires: are you incident-ready?
- Jerry Gamblin shows how to create a small network of honeypots using “Digital Ocean and Anomali‘s Modern Honey Network” for around $40 a month.
Build Your Own Honeypot Network In Under An Hour
- Magnet Forensics list five reasons why they believe that they should win the 4Cast Award for Digital Forensics Organisation of the Year, covering the tools they create, their customer service, and their vision for the future.
Five Reasons Why Magnet Forensics is the Digital Forensic Organization of the Year
- Yulia Samoteykina at Atola Technologies shows how to use the case management system in the Atola Insight Forensic application.
Case Management: Finding and Opening a Case
- There were a few posts on the SANS Internet Storm Centre Handler Diaries.
- Guy Bruneau shares a link to CyberChef, a very useful tool created by GCHQ.
CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th)
- Pasquale Stirparo explains the “Analysis of Competing Hypotheses (ACH), developed by Richards J. Heuer, Jr.”
Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th)
- Pasquale then applies ACH to WCry attribution.
Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st)
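The two ACH diaries above explain the method in prose; the following is an added example of my own, not the ISC diary’s worksheet or Heuer’s, that carries out the scoring ACH prescribes in Python. Heuer’s point is that hypotheses are ranked by how much evidence contradicts them, not by how much appears to support them, so the code sums (optionally credibility-weighted) inconsistency ratings per hypothesis, flags evidence rated the same under every hypothesis as non-diagnostic, and runs the sensitivity check that reports which evidence items the leading hypothesis actually hinges on. The matrix is constructed and purely illustrative, with generic hypothesis labels; it is not the diary’s WCry analysis and makes no attribution claim.

```python
# Heuer's ACH judges hypotheses by how much evidence contradicts them, not by how much
# supports them. Cell ratings: CC/C consistent, N neutral or not applicable, I/II inconsistent.
INCONSISTENCY = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}


def ach_scores(matrix, credibility=None):
    """Weighted inconsistency count per hypothesis; lower means fewer contradictions."""
    credibility = credibility or {}           # optional per-evidence weight, default 1.0
    hyps = sorted({h for row in matrix.values() for h in row})
    scores = {h: 0.0 for h in hyps}
    for ev, row in matrix.items():
        for h in hyps:
            scores[h] += credibility.get(ev, 1.0) * INCONSISTENCY[row.get(h, "N")]
    return scores


def ach_rank(matrix, credibility=None):
    """Hypotheses ordered from fewest to most inconsistencies (ties broken by name)."""
    return sorted(ach_scores(matrix, credibility).items(), key=lambda kv: (kv[1], kv[0]))


def leaders(matrix, credibility=None):
    """The set of hypotheses sharing the lowest inconsistency score."""
    ranked = ach_rank(matrix, credibility)
    return {h for h, s in ranked if s == ranked[0][1]}


def non_diagnostic(matrix):
    """Evidence rated identically under every hypothesis cannot discriminate between them."""
    return sorted(ev for ev, row in matrix.items() if len(set(row.values())) == 1)


def pivotal_evidence(matrix, credibility=None):
    """Sensitivity check: evidence whose removal changes which hypotheses lead."""
    base = leaders(matrix, credibility)
    return sorted(ev for ev in matrix
                  if leaders({e: r for e, r in matrix.items() if e != ev}, credibility) != base)


# Constructed, illustrative matrix with generic hypotheses; not the ISC diary's WCry analysis.
HYPOTHESES = {"H1": "financially motivated crew", "H2": "state-sponsored group",
              "H3": "copycat reusing leaked tooling"}
MATRIX = {
    "E1 payment handling too crude to track who paid":          {"H1": "I", "H2": "C", "H3": "C"},
    "E2 code reuse with tooling previously tied to H2":         {"H1": "I", "H2": "C", "H3": "C"},
    "E3 worm spread maximises victims rather than revenue":     {"H1": "I", "H2": "N", "H3": "N"},
    "E4 compile timestamps cluster in one working day":         {"H1": "N", "H2": "C", "H3": "N"},
    "E5 uses a publicly leaked exploit":                        {"H1": "C", "H2": "C", "H3": "C"},
    "E6 earlier variants without the exploit predate the leak": {"H1": "N", "H2": "C", "H3": "II"},
}

if __name__ == "__main__":
    for h, score in ach_rank(MATRIX):
        print("%s %-32s inconsistency %.1f" % (h, HYPOTHESES[h], score))
    print("non-diagnostic:", non_diagnostic(MATRIX))
    print("conclusion hinges on:", pivotal_evidence(MATRIX))
```

On this matrix H2 leads with no inconsistencies, H3 carries two and H1 three; E5 is non-diagnostic because every hypothesis is consistent with it, and the sensitivity pass shows the conclusion hinges on E6 alone: drop it (or weight its credibility to zero) and H2 and H3 tie. That last output is the one worth putting in a report, since it tells the reader exactly which piece of evidence an attribution would fall over on.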
SOFTWARE UPDATES
- “Apache Tika 1.15 has been released! This release includes integration with Google’s Tensorflow Object Recognition via the OpenCV API, a new ‘tika-eval’ module, configurable encoding detectors and several new parsers.”
Apache Tika 1.15
- Both Autopsy and The Sleuth Kit have been updated this week.
- GetData released Forensic Explorer v3.9.8.6522, adding a “Child Endangerment Filename search script” and fixing a couple of bugs.
31 May 2017 – v3.9.8.6522
- “A new version of MISP 2.4.74 has been released including new features, improvements and bug fixes.”
MISP 2.4.74 released
- Microsystemation released a microrelease for XRY, now at version 7.3.2. The release improves support for various apps and operating systems.
Released today: XRY v7.3.2
- Passmark Software have released V5.0.1000 of OSForensics with a variety of bug fixes and new features, including a plist viewer, a $UsnJrnl viewer, and much more.
V5.0.1000 – 1st of June 2017
- Passmark have also released a beta version of Volatility Workbench, a Windows GUI for Volatility.
Volatility Workbench Beta Release
- Sumuri released v1.02 of Recon Imager, adding “the ability to perform verification hash of a forensic image”. I played around with the update last week and it seems to work pretty well for taking an image, although I couldn’t find a way to check the date/time on the system (probably user error).
RECON IMAGER Version 1.02 Now Released – Details Inside
- SalvationData updated their SmartPhone Forensic System (SPF) to v3.54.7.0, adding features and fixing some bugs, and their Data Recovery System (DRS) to v17.7.3.263, adding a variety of new features.
PRODUCT RELEASES
- MediaClone has announced the “release of SuperImager® Plus Field Forensic Unit with Thunderbolt port”. Interestingly, it appears that the unit is not just an imager, and can run applications such as EnCase.
SuperImager® Plus Field Forensic Unit With Thunderbolt port – Linux/Windows Dual
And that’s all for Week 22! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!