Aaaaaaaaand we’re back 😀 I am considering going back and fixing up the last two posts, but that depends on both a) interest by readers and b) my time
FORENSIC ANALYSIS
- There were a couple of posts by the guys at Amped Software
- David Spreadborough shows how to use Amped Five to collaborate in a video analysis and investigation. “The idea is that someone in one of the collaborative forces or local units completes some analysis, restoration or enhancement.”
Learning & Development
- Jim Hoerricks shows how to use the Temperature Tint filter
The Temperature Tint Filter
- The guys at Cyber Forensicator shared an article by Arman Gungor at Meridian Discovery on the “forensic analysis of Microsoft Outlook attachments”, particularly in relation to their timestamps.
- Eliézer Pereira has a post on the Forensic Focus blog on some simple RAM analysis
RAM Forensic Analysis
- Garrett Pewitt at Forensic Expedition explains why he uses Microsoft OneNote to document his examination.
Microsoft OneNote for Forensic Case Notes
- Volume 21 of the Journal of Digital Investigation has been released.
Digital Investigation – Volume 21 (June 2017)
- Jamie McQuaid at Magnet Forensics shows how to use custom recovery images to acquire supported Samsung Android devices. For those that don’t do mobile forensics often, I’d pay particular attention to the last couple of paragraphs about “how” the recovery partition works. I’d also stress the last line: if you use a custom recovery you will not be able to access the data stored in KNOX. If you suspect that the user is using KNOX, then you should seek other means of accessing that data before attempting to use the custom recovery. I’ve also seen instances where custom recoveries result in the phone going into a boot loop. In that instance, you can download the original firmware (sammobile is a good resource) and reflash it using Odin. To determine the original firmware, take note of it in the bootloader options PRIOR to flashing the recovery partition (as in, it’s a good idea to do this every time).
Android Recovery Acquisitions with Magnet AXIOM
- The Nuix team shared an article by Erika Namnath at H5 on tips for reducing your eDiscovery workload. Many of the tips can be used for forensic analysis as well.
Partner Featured Article: eDiscovery Tips to Reduce Stress (and Spend)
- Ryan Benson at Obsidian Forensics shows how to create a visualisation of the metadata in an encrypted iOS backup.
Visualizing Activity from Metadata
- David Kovar & Greg Dominguez have a post on Paraben’s blog regarding preparing for a UAV examination (including documentation).
UAV Forensics for First Responders By David Kovar & Greg Dominguez
- Dr. Ali Dehghantanha has a guest post (the first in a series) on the SANS Internet Storm Centre Handler Diaries regarding BitTorrent Sync. “This diary post explains artefacts of directory listings and files of forensic interest of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.”
Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud (Part 1), (Mon, Jun 26th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ posted a couple of times this week
- He described a few Volatility functions that can be used to assist in “the identification of the type of memory image”
Volatility, my own cheatsheet (Part 1): Image Identification
- He also shows how to create a file system timeline from a VirtualBox VM using FLS and creates a bash script to automate the process.
Extract filesystem bodyfile from a VirtualBox VM
- Jacob Wilkin at TrustWave SpiderLabs walks through a “lock screen authentication bypass” in the Elephone P9000.
Elephone P9000 Lock Screen Lockout Bypass
THREAT INTELLIGENCE/HUNTING
- K K Mookhey at Network Intelligence has shared the top 10 lessons learned from the last year of breach response
Breach Response – Lessons learnt in the past one year
- Roberto Rodriguez at Cyber Wardog Lab shows how to “enable enhanced PowerShell logging in your lab environment, create a Logstash Filter for it, and integrate it with other logs to improve your endpoint visibility while hunting for adversaries leveraging PowerShell (not just powershell.exe) during post-exploitation.”
Enabling Enhanced PowerShell logging & Shipping Logs to an ELK Stack for Threat Hunting
- Jason Smith was interviewed by Sqrrl regarding his work as a threat hunter for Cisco
Q&A Interview with Jason Smith: Best Data Sources and Basic Techniques For Threat Hunting
- Chris Sanders has a post on the Sqrrl blog “about strategies for [and the benefits of] attack scoping”.
Cyber Incident Investigation Series: Investigating Attack Scopes
UPCOMING WEBINARS
- Jennifer Pellerin at Barracuda announced that they will be presenting a webinar on July 5 at 11 am PST (2 pm EST) on the latest Petya/NotPetya/Dave attack.
Free Webinar – Anatomy of a Hack: Dissecting Petya/NotPetya
- Heather Mahalik will be giving a webinar on the updates to the SANS FOR585 course on July 6th, 2017 at 11:00 AM EDT (15:00:00 UTC).
A glimpse of the NEW FOR585 Advanced Smartphone Course
PRESENTATIONS/PODCASTS
- Videos from Bsides Salt Lake City 2017 have been uploaded to their YouTube Channel
- Magnet Forensics shared Jamie McQuaid’s webinar on geolocation artefacts on mobile devices.
The Good, The Bad, and The Useless – The Truth about Geolocation Data
- A few presentations from OpenSec2017 were uploaded to Youtube.
- On this week’s Digital Forensics Survival Podcast, Michael discusses “online sandboxes for malware analysis”.
DFSP # 071 – Automated Malware Triage
- Manny and Steve are back for Talino Talk, this week showing how Sumuri have just purchased an engraving machine so they can put your logo on the side of the plexiglass window in the Talino machines.
Custom Engraving Comes to SUMURI! – TALINO Talk – Episode 6
- Lesley Carhart shared her keynote from BSidesSLC 2017
Talk: BSidesSLC Keynote – Together We Could Land a Plane
MALWARE
- The guys at Cyber Forensicator shared a couple of articles on malware analysis and detection
- They shared a tool called yarGen which can be used to “generate YARA rules automatically”.
Create YARA rules from strings found in malware automatically with yarGen
- They shared a list of tools by Andrea Fortuna which can be used “for malware detection and analysis”.
Six python tools for malware detection and analysis
- The Cylance Threat Guidance Team examine the XData ransomware (which is “derived from an older ransomware called AES-NI”).
Threat Spotlight: AES-NI aka SOREBRECT Ransomware
- Xiaopeng Zhang at Fortinet analyses “a new variant from AgentTesla family” which is written in .Net.
In-Depth Analysis of .NET Malware JavaUpdtr
- Dan at LockBoxx shows how he set up instances of “Viper, Cuckoo, and MISP” “for malware analysis, CTF binary analysis, or simply to aid in reversing engineering binary files” on Amazon EC2 instances. This ultimately eventuated into a “private, invite-only framework which we will use to instrument multiple tools, automate analysis tasks, and practice reverse engineering”.
Automated Binary Analysis Framework using Viper
- Tom Lancaster and Esmid Idrizovic at Palo Alto Networks analyse the PlugX malware.
Paranoid PlugX
- The new ransomware epidemic of the month was Petya (or Not Petya), which appeared to take over the malware analysis blogosphere during the week. As a result, I’ve shared a (large) number of the articles below.
- Barracuda – NotPetya – Both More and Less than it Seems
- Carbon Black – Carbon Black Threat Research Technical Analysis: Petya / NotPetya Ransomware
- Comae Technologies – Byata — Enhanced WannaCry ?
- Comae Technologies – Petya.2017 is a wiper not a ransomware
- CrowdStrike – PetrWrap Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft
- Cyber Forensicator – How to protect yourself from Petya
- Cylance – Petya-Like Ransomware Reloaded
- AboutDFIR – Petya Ransomware Recap
- Errata Security – NonPetya: no evidence it was a “smokescreen”
- Fortinet – A Technical Analysis of the Petya Ransomworm
- Hasherezade – Petya Eternal – is the Salsa key lost forever?
- Kaspersky – ExPetr targets serious business
- Malware Analysis For Hedgehogs – Malware Analysis – Getting Started with High-Level Petna / Petya
- Malwarebytes Labs – Petya-esque ransomware is spreading across the world
- Malwarebytes Labs – EternalPetya and the lost Salsa20 key
- Malwarebytes Labs – EternalPetya – yet another stolen piece in the package?
- MalwareTech – Petya Ransomware Attack – What’s Known
- McAfee – Petya More Effective at Destruction Than as Ransomware
- McAfee – New Variant of Petya Ransomware Spreading Like Wildfire
- NVISO Labs – To Petya or not to Petya
- NVISO Labs – Recovering custom hashes for the Petya/Notpetya malware
- Palo Alto Networks – Threat Brief: Petya Ransomware
- SANS ISC – Wide-scale Petya variant ransomware attack noted, (Tue, Jun 27th)
- SANS ISC – Petya? I hardly know ya! – an ISC update on the 2017-06-27 ransomware outbreak, (Wed, Jun 28th)
- SANS ISC – Checking out the new Petya variant, (Tue, Jun 27th)
- Savage Security – PetyaWrap is Wannacry with a Honey Badger Upgrade
- Securelist – Schroedinger’s Pet(ya)
- Securelist – ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
- Securelist – From BlackEnergy to ExPetr
- SecureWorks – NotPetya Campaign: What We Know About the Latest Global Ransomware Attack
- SecureWorks – In the Aftermath of the ‘NotPetya’ Attack
- Cisco – New Ransomware Variant Compromises Systems Worldwide
- TrustWave – The Petya/NotPetya Ransomware Campaign
- TrustWave – Petya Ransomware: A glimpse of the past, the present, and the future.
- Symantec – Petya ransomware outbreak: Here’s what you need to know
- Duo – PerhapsNotPetya Ransomware: What You Should Know
- FireEye – Petya Ransomware Spreading Via EternalBlue Exploit
- Lesley Carhart – Why NotPetya Kept Me Awake (& You Should Worry Too)
- TrendMicro – Large-Scale Ransomware Attack In Progress, Hits Europe Hard
- Virus Bulletin – 48 hours after initial reports, many mysteries remain around the latest ransomware/wiper threat
- Windows Security – New ransomware, old techniques: Petya adds worm capabilities
- SANS InfoSec Reading Room shared Rob Pantazopoulos’s whitepaper on Loki-Bot
Loki-Bot: Information Stealer, Keylogger, & More!
- There were a couple of articles on the SANS Internet Storm Centre Handler Diaries
- Brad Duncan examines a couple of phishing emails
A Tale of Two Phishies, (Tue, Jun 27th)
- Brad also “examines recent developments from the Blank Slate campaign”
Catching up with Blank Slate: a malspam campaign still going strong, (Wed, Jun 28th)
- Sergey Yunakovsky at Securelist analyses the NeutrinoPOS trojan.
Neutrino modification for POS-terminals
- Daniel Bohannon and Nick Carr at FireEye examine the obfuscation techniques used by FIN7 and FIN8 to avoid detection.
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
- The guys at Trend Micro have detected and analysed a worm called Retadup that masquerades as a Windows updater and has been hitting Israeli hospitals.
Information Stealer Found Hitting Israeli Hospitals
- Matt Oh on Microsoft’s Malware Protection Center blog examines “the WannaCrypt infection routine, … [and the] post-exploitation phases”.
Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation
- Vitali Kremez walks through unpacking the Osiris ransomware.
Let’s Learn: How to Unpack Locky “Osiris” Ransomware
MISCELLANEOUS
- Lee Whitfield has uploaded the results from the 2017 Forensic 4Cast Awards that were announced last week. I mentioned it last week but thank you again for the nomination, and congrats to Forensic Focus for taking out the award (for the second year in a row!), as well as all the other winners. Hopefully, I can drum up enough support to pick up the award next year 🙂
2017 Awards
- Joe Gray at AlienVault gave an overview of his career to date, explaining that he was currently learning about data carving. He also provided a list of resources for those looking to learn more about malware analysis and executable reversing.
Data Carving in Incident Response – Steps Toward Learning More Advanced DFIR Topics
- Brian Moran at BriMor Labs gave a brief recount of his experience at the DFIR Summit in Austin. Stacey Randolph also recounted her time at the Summit on her blog. It was great hanging out with them both!
A Brief Recap of the SANS DFIR Summit
- Depak Kumar has shared a brief overview of the DFIR field
4n6 as a Service
- Scar at Forensic Focus posted a couple of interviews this week
- First, she interviewed Edewede Oriwoh on her work in IoT security and forensics.
Interview With Edewede Oriwoh, Independent Cyber-Physical Security Researcher
- Second, she interviewed Lesley Carhart about how she started, and her work, in the DFIR field.
Interview With Lesley Carhart, DFIR & OSINT Consultant
- Chirath Dealwis’s paper on the technical, legal, and resource challenges in digital forensics was also shared on Forensic Focus.
An Introduction To Challenges In Digital Forensics
- Honggang Ren at Fortinet shows how to solve the “ASCII Art Client” flag for the Google CTF
Google’s 2017 CTF – The “ASCII Art Client” Challenge
- Hasherezade shares her walkthrough of task 3 of the Shabak Airplane challenge.
Solving the Shabak’s Airplane challenge – Task 3
- There were a couple of posts by Magnet Forensics this week
- They thanked the community, customers, and team for helping them win both the Computer Forensic Software and Digital Forensic Organization of the Year Forensic 4Cast Awards.
Magnet Forensics Wins Two Forensic 4:cast Awards!
- They also shared an interview with Jad Saliba (Magnet Forensics Founder & CTO), by Johann Hofmann (Head of Griffeye) from Techno Security in Myrtle Beach.
A Conversation with Jad Saliba and Head of Griffeye, Johann Hofmann
- Ken Pryor at Mental Field Trip shared some memories of his accumulated DFIR swag. Ken also said that he has two or three readers, so click on this link and bump up his numbers this week 🙂
Reminiscing
- “NIST is looking at methods to improve automatic filtering” and has created a short questionnaire that will help “determine which approximate matching algorithms are most needed”
Approximate Matching (aka Fuzzy Hashing) Requirement Analysis Questionnaire
- Voting for talks at this year’s OSDFCon has opened. Voting closes July 14. There are quite a few good looking talks there, and it’s pretty cool that you can vote on the ones you want to see. Hopefully, those that don’t get accepted aren’t disheartened and will find another way to present their research.
OSDFCon Vote for Presentations!
- Samantha Pierre, Richard Wartell, Tyler Halfpop and Jeff White at Palo Alto Networks share some Tips, Tricks, and Clues to Escape the LabyREnth CTF
- Hadi Hosn at SecureWorks examines the GDPR breach notification requirements.
GDPR Breach Notification: A Spotlight on Detection Reporting
- Kendra Cooley at Duo compares IR and emergency medical services triage. “Triage is the phase that can make the difference between a good and bad outcome because it changes how and when we respond”.
We Don’t Always Go Lights and Sirens
- Courtney Allen advised that Scott J Roberts and Rebekah Brown’s new book, Intelligence-Driven Incident Response has gone to production
Check out @ORMCourtney’s Tweet
- James Habben at 4n6ir updated his post on soft skills to add some suggested reading material (I would recommend reading the whole book, it’s great)
Check out @JamesHabben’s Tweet
SOFTWARE UPDATES
- Mobile Phone Examiner Plus (MPE+) 5.8.0 was released during the week. Release notes can be found here. The update adds support for iOS 9/10 and Android 6/7, as well as “extracting voice recording data from the Apple Voice Memos app” and “file system and SD card data within a dLogical extraction”.
Mobile Phone Examiner Plus (MPE+) 5.8.0
- Phil Harvey has released ExifTool 10.58 (development release) adding some new tags and bug fixes.
ExifTool 10.58
- Guidance apparently updated Encase 8 to 8.05 last week, adding in the Mobile Investigator section. Unfortunately, the release notes aren’t public, but special thanks to the guys at Focus Systems (and Google Translate) for sharing some excerpts. Vendors, please stop putting release notes behind a login screen and make them publicly available.
2017.06.27 EnCase Forensic Software Update / EnCase Mobile Investigator Release
- Adam Witt has patched Mandiant’s ShimCacheParser to add support for Windows 10 Creators Update.
Updated ShimCacheParser
- Oxygen Forensics have released an update to their Detective product (v9.4.1), including improvements to the SQLite viewer, cloud extractor, and support for additional app versions.
Enhanced Apps Analysis with SQL queries
- Passcovery have updated their Passcovery Suite to version 3.5, adding “support of Apple iOS 10.2 backup files”, “GPU-enabled processing on NVIDIA GP100 and NVIDIA GK210”, “instant removal of passwords from weakly-protected Microsoft Excel/Word 2013-2016 files”, and “accelerated recovery of passwords for ZIP files with classic encryption”.
Passcovery has released an update of its professional password recovery solution — Passcovery Suite 3.5
- Peter Van Hove has announced the release of IsoBuster 4.0 with a multitude of changes including “improved and powerful search functionality, an updated GUI, much faster image file access and auto-detection of drive add or removal.”
IsoBuster 4.0 released
- X-Ways Forensics 19.3 SR-1 was released with various bug fixes, and “some improvements for execution in Wine under Linux”.
X-Ways Forensics 19.3 SR-1
- YARA 3.6.2 was released with a couple of bug fixes.
YARA 3.6.2
PRODUCT RELEASES
- Tableau have released a PCIe Adapter for Apple PCIe SSDs.
Tableau PCIe Adapter for Apple SSD
And that’s all for Week 26! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!