FORENSIC ANALYSIS
- The guys at Cyber Forensicator had a couple of posts this week
  - They shared a paper by Baljit Singh, Dmitry Evtyushkin, Jesse Elwell, Ryan Riley, and Iliano Cervesato titled “On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters” from the 2017 ACM on Asia Conference on Computer and Communications Security.
  On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters
  - They shared a presentation by Michael Gough from ShowMeCon 2017 (the link to the rest of the videos is in the Presentations section)
  Windows IR made easier and faster – Find the head of the snake using AutoRuns, Large Registry Keys, Logs, IP/WhoIs and Netflow
- Brian Carrier at Cyber Triage has a post regarding the various indicators first responders can look for when triaging a system. This includes system configuration changes, malicious programs (including whether they’re on disk, in memory, or set to run at a defined event), as well as user activity information.
Intro to IR Triage (Part 2): Analysis Categories
- DFIR Guy at DFIR.Training shares his takeaways from the recent NSA leaking investigation of Reality Winner – logging/visibility/forensic examination of the files/metadata is critical to go along with the physical evidence examination and investigation (I couldn’t think of a better way to describe interviews/police-work etc)
Reality Winner wins the Captain Obvious contest
- The guys at Digital Forensics Corp shared FastIR collector, which is a live acquisition tool to extract various “artefacts on live Windows and records the results in csv or json files.”
FastIR Collector
- Preston Miller at DPM Forensics has put out a request for topics to cover in his latest book, Python Digital Forensics Cookbook. He would like people to get in touch with “a particular topic you would like to see explored, or a script you would like to see developed”, and will randomly select a winner on June 18th, 2017 at 6:00 PM EST to receive a digital copy of his previous book, Learning Python for Forensics.
Giveaway: Learning Python for Forensics eBook
- Robert Graham at Errata Security shows how to examine the little “invisible” dots placed on printed documents by some printers.
How The Intercept Outed Reality Winner
- There were a few posts on Forensic Focus this week
  - Scar interviewed Chuck Easttom on his research into utilising graph theory, “a part of discrete mathematics and it is used to study the relationship between objects”, in digital forensics.
  Interview With Chuck Easttom, Computer Scientist & Consultant
  - Martin Harran, William Farrelly & Kevin Curran have written a paper showing how they can insert a digital certificate into a JPEG file and that can be used to “prove integrity, authenticity and provenance of the digital content within the file”. Of course, if they can store a digital certificate within a file they can also store badness as well, including malicious executables.
  A Method For Verifying Integrity And Authenticating Digital Media
  - Larry Lieb has a lengthy post on DF in the trade secret investigation space which includes triage/examination, relevant laws, and a case study.
  An Introduction To Theft Of Trade Secrets Investigations
- Nicole Ibrahim shares some research on “Apple FSEvents logs that are stored to disk including background information and [the] behavior of FSEvents”. I wasn’t able to get through the whole thing but it’s worth the read if you deal with iOS/OSX devices. Nicole also updated the G-C Partners FSEParser to v2.1.
Apple FSEvents Forensics
- Magnet Forensics have released their paper on “The Technology of Child Luring: And How Machine Learning Helps Investigators to Spot it”.
The Technology of Child Luring: And How Machine Learning Helps Investigators to Spot it
- Magnet also announced that they have plans for their Axiom product to provide “deeper integration with Griffeye and Project VIC for enhanced digital forensics analysis in child exploitation cases.”
Magnet Forensics to Offer Enhanced Integration with Project VIC and Griffeye
- Mark McKinnon has updated his Autopsy plugin to utilise the updated FSEventsParser and incorporate Nicole’s latest research
FSEvents Autopsy Plugin Redux…
“Understanding EXT4 (Part 6): Directories”
THREAT INTELLIGENCE/HUNTING
- Chris Sanders has “put together a Security Onion cheat sheet that highlights important information that will help you use, configure, and customize your installation.”
Security Onion Cheat Sheet
- Matt Suiche at Comae Technologies has provided an overview of an investigation performed by TV5Monde/ANSSI on an attack from 2015 – the original presentation was in French, so thankfully he’s translated it for us.
Lessons from TV5Monde 2015 Hack
- Luis Rocha at Count Upon Security explains how to use Matias Bevilacqua’s AppCompatProcessor. This tool ingests data from Mandiant’s ShimCacheParser, which Eric points out has not been updated to deal with the latest Win10 update (something to keep in mind).
Threat Hunting in the Enterprise with AppCompatProcessor
- Itai Grady at Microsoft’s Advanced Threat Analytics Team explains how attackers are using non-malware attacks (i.e. PowerShell) to move laterally in a network and avoid detection. This makes this kind of attack difficult for anti-malware solutions to identify.
How Fileless malware challenges classic security solutions
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the videos from ShowMeCon 2017 and CircleCityCon 2017
- Chris Sanders interviewed Matt Swann about his work at Microsoft
Source Code S1: Episode 6 – Matt Swann
- Doug and Russ at Securing Digital Life discuss the need for a degree in Cyber Security (and when it is or isn’t required). I wasn’t able to watch the whole thing, but it may be useful for those wondering whether they should start a degree in the field.
College Degrees in Cybersecurity – Secure Digital Life #18
- On this week’s Digital Forensics Survival Podcast, Michael covered device/port scanning on-scene to ascertain which devices are connected. This can be useful when looking for hidden devices (i.e. the server in the roof) or identifying IP cameras.
DFSP # 068 – Is Scanning On-Scene Legit?
- Richard Davis has published an intro to Windows Forensics on YouTube, “covering topics including UserAssist, Shellbags, USB devices, network adapter information and Network Location Awareness (NLA), LNK files, prefetch, and numerous other common Windows forensic artifacts.”
Introduction to Windows Forensics
- Phil Hagen at SANS has a walkthrough of the new Network Forensics poster for the SANS FOR 572 course.
Elevating Your Analysis Tactics with the DFIR Network Forensics Poster
MALWARE
- Dennis Schwarz at Arbor Networks examines a malicious sample they’ve named “Matrix Banker”.
Another Banker Enters the Matrix
- Osanda Malith analyses a maldoc that uses the CVE-2017-0199 exploit
APT attack in Bangladesh
- The guys at Countercept have a post about “using dynamic analysis techniques to study the behavior of the dropped binaries”
Dissecting VBA Macros
- The Cylance Threat Guidance Team have provided an overview of the WannaCry malware.
Threat Spotlight: Inside the WannaCry Attack
- There were a few posts on the Fortinet blog this week
  - Xiaopeng Zhang and Hua Liu analyse a “PDF sample that is used to spread a new Loki variant.”
  New Loki Variant Being Spread via PDF File
  - Dario Durando, Kenny Yang, and David Maciejak examine a malicious Android app called Android Marcher
  Spring Parade for Refreshed Android Marcher
  - Rommel Joven and Wayne Chin Yick Low take a look at a MacRansom variant
  MacRansom: Offered as Ransomware as a Service
- Brian Maloney at Malware Maloney continues his tutorial on ProcDot plugin writing, this time using what was covered in the previous two posts to “create a plugin that lists the servers in the graph”.
ProcDOT plugin writing. Part 3 – Creating a Main Menu plugin
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Wendy Zamora interviewed Pieter Arntz, a malware researcher with the company.
  Interview with a malware hunter: Pieter Arntz
  - Hasherezade dissected a sample of the LatentBot trojan. She also produced a video showing how to utilise an IDA script to deobfuscate some strings
  LatentBot piece by piece
- Carl Woodward and Raj Samani at McAfee Labs compile some of their research on WannaCry
Is WannaCry Really Ransomware?
- Michael Gorelik at Morphisec analyses a recent phishing attack by the FIN7 group. “The [emailed] Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage (Meterpreter). However, in this new variant, all the DNS activity is initiated and executed solely from memory – unlike previous attacks which used PowerShell commands.”
FIN7 Takes Another Bite at the Restaurant Industry
- Didier Stevens at NVISO Labs walks through the analysis of a PowerPoint document that executes PowerShell when a user mouses over a particular link. It’s important to note that this attack doesn’t use macros. Didier also produced a video for the post.
Malicious PowerPoint Documents Abusing Mouse Over Actions
- Didier Stevens produced two diaries on the SANS Internet Storm Center this week regarding decoding XOR-encoded payloads. As a result, he also updated his xor-kpa Python script to version 0.0.5 and released a video of it in action.
- There were a couple of posts on the Securelist blog this week
  - Roman Unuchek examines the Dvmap Android trojan, which is “the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times.”
  Dvmap: the first Android malware with code injection
  - Mikhail Kuzin, Yaroslav Shmelev, and Dmitry Galov examine the EternalRed vulnerability (aka SambaCry); interestingly, the payload was a cryptocurrency miner.
  SambaCry is coming
- Homer Pacag at TrustWave takes a look at the recent Necurs botnet PDF campaigns and compares a few samples.
Necurs Recurs
- Rubio Wu and Marshall Chen at TrendMicro’s TrendLabs analyse a sample that exploits “the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint slideshow”. “This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A)”.
Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan
- Ian Richardson at VMRay analyses a maldoc using VMRay Analyzer
VMRay Analyzer Identifies Resume Containing Evasive Malware
- David Kaplan, Stefan Sellmer, and Andrea Lelli at Microsoft examine an updated version of “PLATINUM’s file-transfer tool, one that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication.”
PLATINUM continues to evolve, find ways to maintain invisibility
MISCELLANEOUS
- Eric Brown at AlienVault has put together some suggestions for those looking to get involved in a CTF.
Capture The Flag (CTF): What Is It for a Newbie?
- Jim Hoerricks at Amped shows how to change the frame rate of a video using their Five product.
Changing a Video’s Frame Rate
- Nick Pollard at Nuix expounds on the importance of having visibility into endpoints
Finding Insider Threat Truths at the Endpoint
- Brian Carrier provides an overview of some of the new triage features in the latest update to Autopsy (v4.4.0)
Triage Media With Autopsy 4.4.0
- Matt Suiche has announced Comae’s Summer of Code where university students can “work with Comae developers on a 2 month programming project during their break from school.”
Comae Summer Of Code !
- Greg Linares at Cylance has a post on ways to present yourself when looking to stand out in the InfoSec interview selection process. This includes documenting your infosec related hobbies, asking questions in technical assessments, and “[researching problems you had] yourself and send a follow-up email explaining what you learned”.
How to Hire Passionate Contributors in InfoSec
- Katie Mongi at DME Forensics explains that DVR video carving is a fairly difficult process to do manually. I think the subtext is that using DME’s DVR Examiner will take some of the burden away from the examiners so they can spend their time investigating rather than figuring out how each DVR/file system functions.
Why Traditional Computer Forensics Fails on Embedded DVRs
- Garrett Pewitt at Forensic Expedition has written a short review on Eoghan Casey’s “Handbook of Digital Forensics and Investigation”.
Currently Reading…
- Lee Reiber at The Mobile Device Examiner provides a brief overview of his Forensic Kill Chain concept that he introduced at TechnoSecurity.
The Forensic Kill Chain
- Greg Smith at TrewMTE comments on “discomfort amongst labs, academia, businesses and practitioners” regarding ISO/IEC 17025. On the same topic, Peter Sommer was interviewed by The Register.
Not Comfortable Fit for Digital Forensics – ISO17025
- OMENScan at Musectech has a post regarding the new Interactive/Console Mode in AChoir.
AChoir – Interactive/Console Mode
- Richard Wartell and Tyler Halfpop at Palo Alto Networks have announced the launch of the 2017 LabyREnth CTF.
LabyREnth CTF 2017 Launch Day: The Challenge Starts Now!
- Dan Pullega’s tweet led to some interesting thoughts on when a tool should/shouldn’t be made open source.
Check Out @4n6k’s Tweet
- James Habben’s tweet led to some interesting discussion about training in DFIR (and training feedback)
Check Out @JamesHabben’s Tweet
- Jerry Bell went on a great rant regarding the “Infosec job problem” – people struggling to get into the field.
Check Out @MaliciousLink’s Tweet
- Andrew Case at Volatility Labs provides a list of the recent additions to the Malware and Memory Forensics training course.
Our Newly Updated Memory Forensics and Malware Analysis Course is Headed to Herndon and London!
SOFTWARE UPDATES
- Bradley Schatz has pushed an AFF4 java reader library to GitHub
Check out @blschatz’s Tweet
- Eric Zimmerman has released v0.9.0.1 of ShellBags Explorer with “tons of new GUIDs, new shell bag types, more property store data, and Excel filtering for dates”.
Check out @EricRZimmerman’s Tweet
- Cellebrite released an update (v6.2.1) for their UFED line of products with support for “decoding of the new SMS Rich Communication Services (RCS) format” as well as bug fixes.
UFED Touch2, UFED Touch, UFED 4PC, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.2.1 Maintenance Release (June 2017)
- Phil Harvey has released ExifTool v10.55 (production release), as well as v10.56 (development release). The updates add various new tags and fix some bugs.
- GetData updated Forensic Explorer to v3.9.8.6536, improving sorting speed and video display.
8 June 2017 – v3.9.8.6536
- Oxygen Forensics have updated their Detective product to version 9.4, adding “data extraction from Samsung Cloud and WhatsApp backup decryption from Google Drive without the encryption key” among other features.
Oxygen Forensic® Detective boosts data extraction from Android devices and services
- Passmark have updated OSForensics to version 5.0.1002, fixing a couple of bugs and adding an “updated version of Volatility Workbench into the install package”
V5.0.1002 – 6th of June 2017
- Paul Sanderson has released v3.2.6 of the Forensic Browser for SQLite with a few enhancements and bug fixes.
New release 3.2.6
- Johan Berggren announced that Timesketch now has Docker support
Check Out @jberrggren’s Tweet
- Jesse Kornblum made some minor changes to SSDeep and advised that a new update is in the works.
Check Out @Jessekornblum’s Tweet
- X-Ways Forensics 19.2 SR-6 was released, fixing a few bugs.
X-Ways Forensics 19.2 SR-6
- X-Ways Forensics 19.3 Beta 4 was released with a few new features.
X-Ways Forensics 19.3 Beta 4
- YARA 3.6.1 was updated with a few bug fixes
YARA 3.6.1
PRODUCT RELEASES
- AceLab released the PC3000 mobile which incorporates standard USB reading, JTAG/eMMC/FBUS/UART, and direct chip reading.
PC-3000 MOBILE: Unique all-in-one solution for recovering data from mobile devices
And that’s all for Week 23! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!