Long one this week…so took me a bit longer than usual, but at least here it is!
FORENSIC ANALYSIS
- Paula Januszkiewicz at CQURE shows how to extract hashes from SQL Server logins.
  Understand how to extract hashes from SQL server logins before you regret
- The guys at Cyber Forensicator shared a few posts this week
  - They shared a paper by Alan Reed, Mark Scanlon, and Nhien-An Le-Khac from University College Dublin on the Epic Privacy Browser.
    Forensic Analysis of Epic Privacy Browser on Windows Operating Systems
  - They shared Lenny Zeltser’s post on fileless malware.
    The History of Fileless Malware – Looking Beyond the Buzzword
  - They shared a tool by Nishant Grover called Chromensics for parsing Google Chrome artefacts.
    Chromensics – Google Chrome Forensics
  - They also announced that Oleg Skulkin (Cyber Forensicator) and Scar de Courcier (Forensic Focus) are publishing a book, Windows Forensics Cookbook, in August 2017.
    Windows Forensics Cookbook
- The guys at Digital Forensics Corp shared a few articles this week
  - They shared a blogpost on car forensics by Munk, a computer forensics researcher.
    Car Forensics
  - They shared an article by Raj Handel on understanding browser cookies.
    Cookies Forensics
  - They shared an article by R3MRUM, who explains a few methods for analysing password-protected maldocs (covering both unsuccessful and successful attempts).
    Analyzing Password Protected Documents
  - They shared an article by Bob Violino at CSO regarding various cybersecurity degree programs.
    Cyber Security Degree Programs
- Preston Miller at DPM Forensics shows how to write a script that utilises libpff to “compare email headers to identify emails where the “From” and “Reply-To” or “Return-Path” addresses do not match.”
  Hasty Scripts: Go Phish
- Oleg Afonin at Elcomsoft has compared the data that can be extracted from Google Drive, Apple iCloud and Microsoft OneDrive using Elcomsoft’s tools.
  Cloud Extraction Compared: What Is Available in iCloud, Google Account and Microsoft Account
- evild3ad has a post showing how to compile LibAFF4 on a Mac so that you can start using the AFF4 format.
  Adding AFF4 support to The Sleuth Kit and Volatility (macOS)
- Marcos at “Follow The White Rabbit” has a post describing how to set up a WinFE boot disk. The article is in Spanish, but Google does a decent job of translating most of it.
  Windows Forensic Environment – #WinFE Beta
- James Zjalic posted an article on Forensic Focus on utilising Electric Network Frequency (ENF) to authenticate audio recordings. Interestingly, this can also be used to determine the rough location (based on grid identification) and time that a video or audio recording was taken. This can have dramatic implications for a manhunt/kidnapping situation.
  The Future Of ENF Systems
- Garrett Pewitt at Forensic Expedition shows how he organises his OneNote notebook “and the sections that go into it” for recording his examination notes.
  Microsoft OneNote for Forensic Case Notes – Part Two
- Magnet Forensics shared a case study on how a customer in South Africa uses Axiom in civil and criminal cases.
  Private Consultants Find a Competitive Advantage in Magnet AXIOM
- Mo Morsi performs some further analysis of “The Resilient FileSystem” (ReFS).
  ReFS Part III – Back to the Resilience
- Jonathon Poling at Ponder The Bits digs into the hibernation file, as he has noticed that a number of the artefacts we used to get aren’t being extracted since Windows 8. He advises that Arsenal Consulting’s Hibernation Recon “appears to be the only tool currently available that supports comprehensive decompression of Windows hibernation files through the latest Windows 10 releases.” Jon then tests a few scenarios showing how Hibernation Recon can be of use.
  Decompressing and Extracting Artifacts from Windows 8 / Server 2012+ Hibernation Files
- Patrick Siewert at Pro Digital Forensics discusses how fitness tracking data from wearables and mobile devices can be used to aid a personal injury insurance fraud investigation.
  Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!
- The SANS InfoSec Reading Room shared Shaun McCullough’s whitepaper on building and sharing complex environments using Docker.
  Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement
- Johannes Ullrich at the SANS Internet Storm Center shared Dr. Ali Dehghantanha’s second diary post on investigating BitTorrent Sync version 2.0.
  Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 – Log Files artefacts), (Wed, Jul 5th)
- Andrea Fortuna at “So Long, and Thanks for All the Fish” wrote a couple of articles this week
  - He shared part 2 of his cheatsheet for Volatility.
    Volatility, my own cheatsheet (Part 2): Processes and DLLs
  - He also describes a number of locations that malicious executables can use to maintain persistence on a Windows system.
    Malware persistence techniques
- Pieces0310 assists a friend in identifying data on a physical image of an Android phone. I’m not sure what the original acquisition tool was, but it appears that the acquisition could only obtain a partial physical image, which was determined by reviewing the acquisition log. There’s a good message here about checking your log files to see if an extraction completed as expected.
  Is it a full physical image??? – Pieces0310
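The header comparison that the “Go Phish” item above describes is a simple triage check that is worth having in any mailbox review. The following is an added example written for this roundup, not Preston Miller’s script: it uses Python’s standard email module on raw RFC 5322 messages rather than libpff on a PST file, and the three messages, addresses and domains are constructed for the demonstration. It separates a Reply-To or Return-Path that merely points at a different mailbox in the same organisation (normal for mailing lists) from one that points at a different organisation altogether, which is the pattern the original post is hunting for.

```python
"""Flag e-mails whose From address disagrees with Reply-To or Return-Path.

Constructed example: the messages below are made up, and parsing uses the
standard email module on raw message text (not libpff on a PST store).
"""
from __future__ import annotations

from email.parser import BytesParser
from email.utils import getaddresses


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _same_org(d1: str, d2: str) -> bool:
    """True when the domains are equal or one is a subdomain of the other,
    so lists.example.org and example.org count as one organisation."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def _addresses(msg, header: str) -> list[str]:
    """All bare, lower-cased addresses in a header; handles the
    'Display Name <user@host>' form and comma-separated lists."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def header_mismatches(raw: bytes) -> dict:
    """Compare From against Reply-To and Return-Path.

    Severity is 'high' when a reply or bounce would leave the sender's
    organisation, 'low' when only the mailbox differs, 'none' when all agree.
    """
    msg = BytesParser().parsebytes(raw)
    frm = _addresses(msg, "From")
    checks = {"Reply-To": _addresses(msg, "Reply-To"),
              "Return-Path": _addresses(msg, "Return-Path")}
    result = {"from": frm, "reply_to": checks["Reply-To"],
              "return_path": checks["Return-Path"], "reasons": [], "severity": "none"}
    if not frm:
        result["reasons"].append("From header missing")
        result["severity"] = "high"
        return result
    for name, addrs in checks.items():
        if not addrs or set(addrs) & set(frm):
            continue  # header absent, or at least one address matches From
        same_org = any(_same_org(_domain(a), _domain(f)) for a in addrs for f in frm)
        if same_org:
            result["reasons"].append(f"{name} address differs from From (same organisation)")
            if result["severity"] == "none":
                result["severity"] = "low"
        else:
            result["reasons"].append(f"{name} domain differs from From")
            result["severity"] = "high"
    return result


def triage(messages: dict[str, bytes], min_severity: str = "low") -> list[tuple[str, str]]:
    """Return (message id, severity) for every message at or above min_severity."""
    rank = {"none": 0, "low": 1, "high": 2}
    return [(ident, header_mismatches(raw)["severity"]) for ident, raw in messages.items()
            if rank[header_mismatches(raw)["severity"]] >= rank[min_severity]]


# Constructed sample messages (all addresses and domains are made up).
SAMPLES = {
    "legit": b"""From: Alice Example <alice@example.com>
Return-Path: <alice@example.com>
To: bob@example.com
Subject: Lunch

Noon?
""",
    "list": b"""From: Bob Example <bob@example.org>
Reply-To: Dev List <dev@lists.example.org>
Return-Path: <dev-bounces@lists.example.org>
To: dev@lists.example.org
Subject: [dev] Build broken

The nightly build fails again.
""",
    "phish": b"""From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@mail.example.net>
Return-Path: <bounce-042@mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
""",
}

if __name__ == "__main__":
    for ident, sev in triage(SAMPLES):
        print(ident, sev, header_mismatches(SAMPLES[ident])["reasons"])
```

Only the “phish” sample reaches `high`: its Reply-To and Return-Path both sit in a domain unrelated to the From address, whereas the mailing-list sample differs only within one organisation and the legitimate one not at all. Subdomain tolerance is deliberately generous here; tighten `_same_org` if your environment never legitimately replies across subdomains.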
THREAT INTELLIGENCE/HUNTING
- Joshua Gideon at MWR Labs shows how to configure Windows auditing/file monitoring to detect access to a honeyfile.
  Using Windows File Auditing to Detect Honeyfile Access
- Russ McRee has a post on the SANS Internet Storm Center Handler Diaries describing the benefits of using SOF-ELK for threat hunting.
  Adversary hunting with SOF-ELK, (Sun, Jul 9th)
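Once file auditing is in place as the MWR Labs post describes (a SACL on the decoy file plus the “Audit File System” subcategory enabled, which is what makes Windows write Security event 4663 on access), the remaining work is matching those events against the list of decoys. The block below is an added example for this roundup, not code from the MWR Labs post: it parses 4663 records in the Event XML shape that Event Viewer or wevtutil export, flags accesses to honeyfiles, and suppresses the allow-listed backup agent so that scheduled jobs do not drown real hits. The host name, honeyfile paths, user names and the backup process path are all constructed placeholders.

```python
"""Match Windows Security event 4663 records against a list of honeyfiles.

Constructed example: the event records, honeyfile paths, host and the
allow-listed backup agent below are made up for the demonstration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder decoy documents that no legitimate workflow should open.
HONEYFILES = {r"c:\finance\passwords.xlsx", r"c:\hr\salaries_2017.docx"}
# Placeholder processes allowed to read them without alerting (backup, AV).
ALLOWED_PROCESSES = {r"c:\program files\examplebackup\agent.exe"}


def parse_event(xml_text: str) -> dict:
    """Flatten one Event XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    created = root.find("e:System/e:TimeCreated", NS)
    fields["TimeCreated"] = created.get("SystemTime", "") if created is not None else ""
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def honeyfile_alerts(records: list[str]) -> list[dict]:
    """Return one alert per 4663 event whose ObjectName is a honeyfile and whose
    ProcessName is not allow-listed. Paths compare case-insensitively, as NTFS does."""
    alerts = []
    for rec in records:
        ev = parse_event(rec)
        if ev.get("EventID") != "4663":
            continue  # 4656 (handle requested) and others are not actual access
        if ev.get("ObjectName", "").lower() not in HONEYFILES:
            continue
        if ev.get("ProcessName", "").lower() in ALLOWED_PROCESSES:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "host": ev["Computer"],
            "user": f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
            "file": ev.get("ObjectName", ""),
            "process": ev.get("ProcessName", ""),
            "access_mask": ev.get("AccessMask", ""),
        })
    return alerts


def _record(event_id: int, when: str, user: str, obj: str, proc: str, mask: str = "0x1") -> str:
    """Build a constructed Event XML record in the shape the Security log exports."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>
  <Computer>FS01.example.internal</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">{obj}</Data>
    <Data Name="ProcessName">{proc}</Data>
    <Data Name="AccessMask">{mask}</Data>
  </EventData>
</Event>"""


# Constructed sample: one real hit, one allow-listed backup read, one ordinary
# file, and a 4656 handle request that precedes the hit but is not access.
SAMPLE_RECORDS = [
    _record(4663, "2017-07-05T10:15:02Z", "jsmith", r"C:\Finance\Passwords.xlsx", r"C:\Windows\explorer.exe"),
    _record(4663, "2017-07-05T23:00:11Z", "svc_backup", r"C:\Finance\Passwords.xlsx",
            r"C:\Program Files\ExampleBackup\agent.exe"),
    _record(4663, "2017-07-05T10:16:40Z", "jsmith", r"C:\Finance\Q2_report.xlsx", r"C:\Windows\explorer.exe"),
    _record(4656, "2017-07-05T10:15:01Z", "jsmith", r"C:\Finance\Passwords.xlsx", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in honeyfile_alerts(SAMPLE_RECORDS):
        print(alert)
```

Keep the allow-list short and specific to full process paths; a broad exclusion such as everything under Program Files would also hide an attacker’s tooling dropped there.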
UPCOMING WEBINARS
- Cheryl Biswas at CyberWatch shares some information about the upcoming TiaraCon, which is being held July 27-28 at Caesar’s Palace Hotel, Las Vegas.
  TiaraCon 2017 – Alliances!
- Magnet Forensics announced a few upcoming webinars
  - “Magnet Forensics and Griffeye Technologies are hosting a new webinar to showcase the power of working together to drive better, deeper results.” The webinars will take place Tuesday, August 22 at 1:00PM EDT and Wednesday, August 23 at 8:00AM EDT.
    Webinar: The Power of Integrated Digital Forensics
  - There will be a webinar on the recent updates to Android, held on Tuesday, July 11 at 9:00AM EDT and Thursday, July 13 at 1:00PM EDT.
    Webinar: Taking a bite out of Android’s tasty new versions
  - Tayfun Uzun “will share insights into different recovery methods for smartphones” on August 16 at 9:00AM and 1:00PM EDT.
    Webinar: Understanding Android Data Recovery in Forensic Investigations
PRESENTATIONS/PODCASTS
- Derek Banks & Joff Thyer at Black Hills Information Security “show you how you can gain visibility into these systems by centrally consolidating Windows event logs using free and open source software”.
  WEBCAST: How To Do Consolidated Endpoint Monitoring on a Shoestring Budget
- Joshua James at Cybercrime Technologies shows how to “use SSDEEP to create fuzzy hashes of text and image files, and compare the similarity between files in a directory”.
  [How To] Fuzzy Hashing with SSDEEP (similarity matching)
- Didier Stevens shows how to run a program (in this case, Calculator) under a user-defined parent process ID using VBA.
  Select Parent Process From VBA
- The guys at LOG-MD IMF Security uploaded a number of videos to YouTube this week
  - AutoRun Hunting with LOG-MD Free Edition
  - How To Audit a Windows system and configure it to collect log data using LOG-MD Free Edition
  - How to create a Registry Baseline and Compare using LOG-MD Free Edition
  - Large Registry Key Hunting using LOG-MD Free Edition
  - AutoRuns Hunting using LOG-MD-Professional
  - How to create a File Baseline and run a Compare using LOG-MD Free Edition
- On this week’s Digital Forensics Survival Podcast, Michael goes over a variety of ways that one can set up their own training “program” by stacking different training courses together. I liked his suggestion of throwing together a “program” from a number of free/low-cost/paid courses that can be used to train new people or upskill existing ones.
  DFSP # 072 – Free Training & Free Beer
- Heather Mahalik ran a webcast during the week on the updates to the FOR585 Advanced Smartphone Forensics course.
  A glimpse of the NEW FOR585 Advanced Smartphone Course
- Microsoft Security Response Center (MSRC) has created a new GitHub repo to host some security research. Currently, they have shared a number of presentation slides.
  Take a look at @epakskape’s Tweet
MALWARE
- Bogdan Botezatu at Bitdefender Labs shared a technical analysis of the GoldenEye ransomware.
  A technical look into the GoldenEye ransomware attack
- The Check Point Mobile Research Team examined the malicious Android app called CopyCat.
  How the CopyCat malware infected Android devices around the world
- Cheryl Biswas at CyberWatch shared Amanda Rousseau’s (@malwareunicorn) reversing malware course.
  Learning: Reversing Malware
- Winston M at Cysinfo analyses the Karo ransomware.
  Karo Ransomware – Which played Hide n seek behind “Petya” Wiper waves!
- Luke Somerville at Forcepoint explains how PsExec and WMI/WMIC can be used by malicious attackers to do damage.
  PsExec & WMIC – Admin Tools, Techniques, and Procedures
- Furoner at Furoner.Cat analyses a maldoc. Didier Stevens then responds by showing how he would have achieved the same result.
  Analysis of “new” RTF malware obfuscation method
- The author at Hackers Arise continues their series on reverse engineering malware, this time looking at Windows internals – the post examines “the inner workings of Windows 32-bit systems so that we can better understand how malware can use the operating system for its malicious purposes.”
  Reverse Engineering Malware, Part 4: Windows Internals
- Shusei Tomonaga at JPCERT/CC shows how to use impfuzzy for Neo4j to analyse two variants of Emdivi.
  Clustering Malware Variants Using “impfuzzy for Neo4j”
- Hasherezade at Malwarebytes Labs advises that the author of the original Petya ransomware has released the decryption key, which means “all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back.”
  The key to old Petya versions has been published by the malware author
- Fernando Ruiz and ZePeng Chen at McAfee Labs analyse the LeakerLocker malicious Android app.
  LeakerLocker: Mobile Ransomware Acts Without Encryption
- Wenjun Hu, Cong Zheng and Zhi Xu at Palo Alto Networks analyse the malicious SpyDealer Android app.
  SpyDealer: Android Trojan Spying on More Than 40 Apps
- More Petya/NotPetya goodness
  - Andrew Hay – Petya Ransomware: What You Need to Know and Do
  - Check Point – BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor
  - Count Upon Security – Analysis of a Master Boot Record – EternalPetya
  - Countercept – NotPetya – Everything you need to know
  - Crowdstrike – PetrWrap Technical Analysis Part II: Further Findings and Potential for MBR Recovery
  - Didier Stevens – Ransomware: Very Simple IOC Extraction
  - Fortinet – Key Differences Between Petya and NotPetya
  - Fortinet – Petya’s Master Boot Record Infection
  - G Data Security – Who is behind Petna?
  - Malwarebytes Labs – All this EternalPetya stuff makes me WannaCry
  - Cisco – The MeDoc Connection
  - Vitali Kremez – Let’s Learn: Debugging EternalPetya’s MBR Eraser Function with OllyDBG Part I
  - VMRay – Petya/NotPetya/ExPetr Cyber Attack is More Wiper Than Ransomware
  - WeLiveSecurity – Analysis of TeleBots’ cunning backdoor
  - WeLiveSecurity – Everything you need to know about the latest variant of Petya
- The guys at Root9B provide some information about an adversary that is using fileless malware to attack PoS systems.
  Shelltea + Poslurp Malware: YARA Rules
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Rick Wanner explains how to use nmap to scan for MS17-010 and shares an NSE script to do the same.
    Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue), (Sat, Jul 1st)
  - Didier Stevens shows how to use his pecheck tool to scan PE files.
    PE Section Name Descriptions, (Sun, Jul 2nd)
  - Xavier Mertens explains how to search for PE files in Base64 data that contains “unexpected characters randomly spread in the Base64 data”.
    A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th)
- Anton Ivanov and Orkhan Mamedov at Securelist analyse the FakeCry ransomware that also hit Ukraine during the “Petya” attack. “Its interface and messages closely emulate those of WannaCry, yet this is an entirely different malware.”
  In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
- There were a couple of posts on Cisco’s Talos blog
  - Paul Rascagneres provides some additional information on an updated version of the KONNI Remote Access Trojan (RAT).
    New KONNI Campaign References North Korean Missile Capabilities
  - Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall analyse a maldoc that “tries to download a template file over an SMB connection so that the user’s credentials can be silently harvested”.
    Attack on Critical Infrastructure Leverages Template Injection
- Andrea Fortuna at “So Long, and Thanks for All the Fish” briefly describes fileless malware.
  Fileless Malware for Dummies
- Jakub Dalek, Geoffrey Alexander, Masashi Crete-Nishihata, and Matt Brooks at The Citizen Lab analyse a phishing attack that distributes the NetWire RAT.
  Insider Information: An intrusion campaign targeting Chinese language news sites
- Ford Qin at Trend Micro analyses the SLocker Android ransomware.
  SLocker Mobile Ransomware Starts Mimicking WannaCry
- Javier Vicente Vallejo shares some information about the “Windows api that psexec is using for copying and executing files in a remote machine”.
  Copy and execute file to remote machine like psexec with the Windows api
- Javier also analyses a new variant of the Konni RAT.
- Martijn Grooten at Virus Bulletin shared Anton Cherepanov and Robert Lipovsky’s paper on the BlackEnergy group.
  VB2016 paper: BlackEnergy – what we really know about the notorious cyber attacks
MISCELLANEOUS
- Starting this section off with a community announcement. Stacey Randolph has created a new hashtag, #DFIRFIT, for those “DFIR folks interested in or working on getting healthier”. Even if you’re not looking to get healthier, or are in (apparently) peak physical condition, jump on and encourage everyone else!
  Check out @4n6woman’s Tweet!
- Martino Jerian at Amped shows “how to start with the integration and how the two software [Amped Five and Griffeye Analyze] work together.”
  Amped FIVE and Griffeye Analyze: Introducing the Integration
- “Microsoft has made a change in the Bing Online Map’s service. As a result, the Online Maps functionality will stop working from June 30th 2017 in the following products”: UFED Logical/Physical/Cloud Analyzer, UFED Analytics Desktop, and UFED InField. “Cellebrite recommends updating these products to the latest version in order to restore the Online Maps functionality.”
  Important Update for Online Maps
- DFIR Guy at DFIR.Training talks about sharing in the DFIR community and appears to be happy with how far the industry has come with regards to sharing both knowledge and interesting cases (generally speaking, of course). “We finally figured out how to share the issue of specific problems with the result of all of us solving the same problem that we have in our different cases and incidents.”
  Times have changed….
- The guys at Digital Forensics Corp shared an article explaining how to enable/disable the various versions of SMB.
  How to enable and disable SMB
- There was a post on Execute Malware regarding setting up an ELK stack to visualise honeypot data.
  Honeypot Visualization Revisited
- Scar at Forensic Focus interviewed Guidance Software’s Paul Shomo and Ashley Hernandez at Enfuse on their backgrounds, Guidance, getting into the field, and the forensic artefact awards, among other topics.
- Axelle Apvrille at Fortinet gave an overview of the “Symposium sur la sécurité des technologies de l’information et des communications”, or SSTIC, conference. Apparently, most of the presentations are in French (which is to be expected at a French conference….)
  SSTIC 2017 in a Nutshell
- A new project has been started called the “Hardware Forensic Database”. The project’s aim is to provide “a collaborative knowledge base related to IoT Forensic methodologies and tools.”
  Hardware Forensic Database
- Dan at LockBoxx reviews Jeff Bollinger, Brandon Enright, and Matthew Valites’s book “Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan”.
  Book Review: “Crafting The InfoSec Playbook”
- Robert Merriott guest posted on Mobile & Technology Exploration regarding contemporaneous notes using Forensic Notes. I used to use a dedicated note-taking tool; however, that produced notes in a proprietary format (which you could extract data from manually, but it was a pain), and I was asked to just use Word instead – which makes sense. It doesn’t have tracking etc. as noted in the article; however, if I’m working on an image it doesn’t really make much difference if I move my notes around to make more sense to the reader. If a defense attorney is calling my evidence into question based on my notes being modified, then they should be getting a defense examiner to verify my findings to begin with. It is interesting that “In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.” I have no idea how this makes sense, especially if the court date is years after your examination.
  What’s happening with Contemporaneous Notes
- OMENScan at Musectech has started a Google Group to track the artefacts created by free and open source live response utilities.
  Announcing Google Groups Forensic Utilities Artifacts Forum
- Paul Slater at Nuix has published a paper that “lays out how to establish a hyperlab through proper preparation, treatment of evidence and application of existing and emerging Nuix technology.” “An investigation hyperlab combines planning, process and technology to take advantage of available resources across geographical gaps and answer the challenge of growing case sizes and backlogs that investigators face today”.
  Hyperscaling Digital Investigations
- Yulia Samoteykina at Atola Technology shows the variety of hard drives that they use to test their devices.
  How we test our devices
- Jasper at Packet Foo provided a recap of the 2017 Sharkfest, the annual Wireshark conference.
  Sharkfest 2017 US Recap – 10 years of Sharkfest!
- Dan Guido has updated the CTF field guide with a new section on forensics CTFs.
  Take a look at @dguido’s Tweet
- Mary Ellen at “What’s A Mennonite Doing In Manhattan?!” comments on her recent experience at the DFIR Summit, and specifically the lessons learned from being nominated as one of the finalists in the DFIR Organisation of the Year category for the 4Cast awards. She also encouraged people to share their research/work because the community “only gets better if everyone contributes.”
  How to Lose Like a Champion
SOFTWARE UPDATES
- Didier Stevens updated a number of his tools this week
  - base64dump was updated to version 0.0.7, adding the option to “ignore leading null bytes”.
    Update: base64dump.py Version 0.0.7
  - zipdump was updated to version 0.0.9, allowing users to include YARA rules directly on the command line.
    Update: zipdump.py Version 0.0.9
  - pecheck was updated to version 0.7.0, adding “an overview of sections”.
    Update: pecheck.py Version 0.7.0
  - re-search was updated to version 0.0.8, introducing “options --script and --execute to provide your custom Python functions.”
    Update: re-search.py Version 0.0.8
- Phil Harvey updated ExifTool to v10.59, adding a few new tags and fixing some bugs.
  ExifTool 10.59
- Sarah Edwards at Mac4n6 has updated her “‘iOS Location Scraper’ script to be compatible with the same location database found on iOS – the cache_encryptedA.db (and lockCache_encryptedA.db) that are now found on macOS at least as far back as 10.8.”
  Script Update – Mac (& iOS) Location Scraper (macOS and iOS 10 Updates)
- Microsystemation updated XRY to v7.4, “enabling extraction of location data from drones, and bringing you a significant increase in data recovery with the new Android exploit.”
  Released today: XRY v7.4 & XEC Express
- Nir Sofer at Nirsoft has released a new tool, NetworkUsageView, “that extracts and displays the network usage information stored in the SRUDB.dat database of Windows 8 and Windows 10”.
  New utility that shows network usage information collected by Windows 8 and Windows 10
- Passmark updated OSForensics to v5.1.1001 during the week, fixing a number of bugs and adding a variety of new features.
  V5.1.1001 – 7th of July 2017
- Vitaly Kamluk at Securelist has released his project called BitScout, a script for building a digital forensic toolkit on top of Ubuntu.
  Bitscout – The Free Remote Digital Forensics Tool Builder
- Michael Bailey at FireEye advises that FakeNet-NG now has Linux support and explains how to install, configure, and use it.
  Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool
- RawSec released an Event Log parser/carver written in Go.
  Take a look at @0xrawsec’s Tweet
- X-Ways Forensics 19.3 SR-2 was released, fixing some bugs and issues with the command line parameters. “The network dongle package has [also] been updated”.
  X-Ways Forensics 19.3 SR-2
- YARA 3.6.3 was released, fixing a few bugs.
  v3.6.3
And that’s all for Week 27! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
It appears the Digital Forensics Corp links in various sections are (mis)quoting the original posts without actually linking to them. Maybe I’m missing some embedded content that’s not loading for me, but the actual DFC posts don’t appear to be of value – I just get dead ends!
The links to the original articles are usually at the end. They’re not always immediately apparent because they’re not underlined.
I’d suggest emailing them about fixing that, but I’m going to keep including their content because there’s still value (if you can find the link).