FORENSIC ANALYSIS
- Arsenal Consulting have shared details “about a forged digital forensics report we received during the Odatv trial in Turkey. The report is particularly interesting to us because the report was on our letterhead, with my signature, but we had nothing to do with it or the “case” it related to.”
Forged Digital Forensics Report
- There were a couple of posts by the guys at Cyber Forensicator this week
- They shared an article from earlier in the year by the Blackbag Training Team on Mac RAM acquisition and analysis
Mac RAM Imaging and Analysis
- They also shared a video by Demisto showing “the interactive investigation capabilities in Demisto using Volatility integration to analyse Cridex malware”
Demisto – Volatility Memory Analysis
- Cindy Murphy at Gillware Digital Forensics shares a recent case where she and the team were required to transplant a chip from a damaged mobile phone to a similar model and then perform a physical extraction.
Forensic Case Files: Chip Off, Chip On, The Chipper!
- Adam at Hexacorn has a couple of posts this week
- He provides “a brain-dump of ‘malicious’ ideas that memory forensics will not help with, or will find at least challenging”
If memory doesn’t serve me right…
- He also explains how BITS (the Background Intelligent Transfer Service) can be abused to obtain persistence and describes the locations where it stores its job data.
Beyond good ol’ Run key, Part 64
- There were a couple of posts on the Kovar & Associates blog this week
- The first shared a recent interview by Gary Mortimer at sUAS News on “the issues facing UAV operators, how we should identify and protect our data, and how we can analyze the available data when UAVs are used maliciously.”
Drone Data Security and UAV Forensics
- The second was the various presentations they have given on drone forensics
UAV Forensics and Cybersecurity Presentation Collection
- Adrian Shaw at Nettitude Labs shared the lessons learned from investigating an Office 365 installation.
Lifting the clouds from cloud investigations
- Dr. Ali Dehghantanha continues his series on the SANS Internet Storm Centre Handler Diaries regarding BitTorrent Sync (v2.0), explaining the artefacts that can be found in physical memory
Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 – Physical Memory artefacts), (Thu, Jul 13th)
- The Forensicator has released “a study … which analyzes the file metadata in a 7zip archive file, 7dc58-ngp-van.7z, attributed to the Guccifer 2 persona.” The author has also released some information on interpreting the timestamps stored in RAR files.
Guccifer 2.0 NGP/VAN Metadata Analysis
THREAT INTELLIGENCE/HUNTING
- The guys at Digital Forensics Corp shared a paper by Pablo Gonzalez Perez and Francisco Jose Ramirez Vicente called “Hidden Network: Detecting Hidden Networks created with USB Devices”. “This paper reflects the possibilities provided by the so-called Hidden Network and how these can be identified and focused on protection of these issues inside a corporate network.”
Detecting Hidden Networks
- Anthony Giandomenico at Fortinet lists the various types of threat actors and threat intelligence
Byline: Know Your Enemy: Understanding Threat Actors
UPCOMING WEBINARS
- Victoria Berry at Magnet Forensics provided an overview of the various upcoming webinars and blogs that Magnet are producing.
New Webinars on Android Recovery, Griffeye Integration and More Coming Your Way
- Rob Lee will be hosting a webinar on Friday, July 21st, 2017 at 1:00 PM EDT (17:00 UTC) about the updates to the FOR500 (formerly FOR408) course.
A glimpse into NEW FOR500: Windows Forensics Course: Windows 10 and beyond – what is your digital forensics investigation missing?
- The CFP for the 2018 SANS Cyber Threat Intelligence Summit is now open. The Summit will take place January 29 & 30, 2018 in Bethesda, MD, USA.
“SANS Cyber Threat Intelligence Summit 2018 – CALL FOR SPEAKERS NOW OPEN”
PRESENTATIONS/PODCASTS
- Joff Thyer & Derek Banks at Black Hills Information Security have published a write-up of their recent webcast on endpoint monitoring without an expensive SIEM.
How To Do Endpoint Monitoring on a Shoestring Budget – Webcast Write-Up
- Carbon Black have started a new video series called “The 101”. The first episode covers “Non-malware” attacks. “In this episode we provide a clear definition along with a quick example to help explain exactly what a non-malware attack is, what it can do, and why it is so dangerous.”
“The 101” – Episode 1 – What is a Non-Malware Attack?
- Countercept have shared Alex Davies’ talk on threat hunting from BSides London 2017
Hunt or Be Hunted
- The guys at IMF Security uploaded a couple of videos on using LOG-MD
- Karsten Hahn showcased “a minimal FASM sample that prevents memory dumping. It erases its own header in memory so that dumping tools don’t see a valid PE image anymore.”
Anti-Reversing – Anti-Dump Trick “Header Erase”
- On this week’s Digital Forensics Survival Podcast, Michael provides an overview of Jump Lists, which are useful for showing that an application or file has been accessed.
DFSP # 073 – Jump Lists
- The Forensic Lunch has returned! This week Dave hosted Mary Ellen Kennel and Devon Ackerman of AboutDFIR fame. They discussed the site, as well as their future plans and how you can help. Also thanks for the shoutout 🙂
Forensic Lunch 7/14/17
MALWARE
- Dennis Schwarz at Arbor Networks examines LockPoS
LockPoS Joins the Flock
- Ofer Caspi at Check Point provides some additional information about the OSX/Dok malware.
OSX/Dok Refuses to Go Away and It’s After Your Money
- The guys at the Extreme Coders blog have released a tool called ‘Bytecode simplifier’, which “is a tool to deobfuscate PjOrion protected python script”. They also walk through using it on a PjOrion-protected sample.
Introducing Bytecode simplifier
- Kai Lu at Fortinet examines a new Android Rootnik malware variant
Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part I
- Alexander Sevtsov at Lastline takes “a look at how ransomware communicates over the network with its C&C servers.”
Ransomware Network Communication [Part 3]
- There were a couple of posts by Malwarebytes Labs
- The team analysed malware that they’ve named Backdoor.DuBled which downloads ffmpeg to record full videos of user activity.
A .NET malware abusing legitimate ffmpeg
- Hasherezade provided a history of the various iterations of Petya since its first release “around March 2016”
Keeping up with the Petyas: Demystifying the malware family
- More Petya/NotPetya/Nyetya/ExPetya/GoldenEye/Dave
- There were a couple of posts by Rob Pantazopoulos at Reverse Engineering Malware this week
- The first post shows how to decompile AutoIT malware which can come as both compiled and script+interpreter form.
AutoIT Malware: From Compiled Binary to Plain-Text Script
- The second links to his GIAC Gold paper and provides an overview/cheatsheet
Loki-Bot: Inside & Out
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens has a post showing how to perform a basic Office document analysis. He also explains how easy it is to create this type of document so that you can practice this type of analysis (without the risk of malware)
Basic Office maldoc analysis, (Mon, Jul 10th)
- Didier also examined “an Excel spreadsheet containing a Windows shortcut.”
Office maldoc + .lnk, (Sat, Jul 15th)
- Brad Duncan shares a brief history of Nemucod and Kovter, along with some malspam distributing “a new variant called NemucodAES”.
NemucodAES and the malspam that distributes it, (Fri, Jul 14th)
- Sabrina Sammel and Mike Webber at SecureWorks listed a few questions that you should ask yourself about your organisation’s security and incident response regarding the latest major incident (NotPetya).
12 Incident Response Questions to Ask After the NotPetya Dust Settles
- Candid Wueest at Symantec discusses how attackers are increasingly living off the land and utilising system tools for reconnaissance.
Attackers are increasingly living off the land
- There were a couple of posts by Trend Micro this week
- Rubio Wu analyses the OSX_DOK malware
OSX Malware Linked to Operation Emmental Hijacks User Network Traffic
- Rubio Wu and Marshall Chen examine the Adwind remote access trojan
Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind
- Javier Vicente Vallejo shares his analysis of the PoSeidon downloader and keylogger.
Analysis of PoSeidon downloader and keylogger
- Vitali Kremez walks through reversing QuantLoader 1.45 and extracting Trickbot banker IOCs
MISCELLANEOUS
- James Habben at 4n6ir comments on the need for people to take ownership when relaying a message to ensure that all parties “correctly understand the message”.
Soft Skills: Respect
- ACELab have released a post explaining how to upgrade your PC-3000 by purchasing the “new Intelligent Power Supply Unit with oscilloscope functions”. “You can replace the previous version of the power supply unit with the new one. There is no need to replace the PC-3000 Express board itself.”
Upgrade your PC-3000 Express to Rev.2.0 with the new Intelligent Power Supply Unit!
- Peter Bright at Ars Technica wrote an interesting article about how a document produced in Pakistan’s Panama Papers investigation was determined to be forged based on its font. The document purported to be from 2006, however, the Calibri font “didn’t actually ship in a stable version of Windows or Office until 2007”. It’s possible that a pre-release Calibri was used in genuine 2006 documents, it’s just unlikely.
Not for the first time, Microsoft’s fonts have caught out forgers
- BlackBag Technologies announced that MacQuisition 2017 is going to be released soon, adding support for the latest Macs as well as imaging APFS volumes. The only correction I’d make to the article is the claim that “MacQuisition™ is the only forensic solution that runs within a native OS X boot environment”; from speaking to Sumuri, Recon Imager also runs in a native OS X boot environment. Regardless, MacQuisition is still a great tool to use to acquire Macs (especially when FileVault is involved).
MacQuisition™ 2017 Coming Soon!
- Brett Shavers has released a new training course based on his 4:cast award-nominated book, “Hiding Behind The Keyboard”. The course contains “more than 12 hours of investigative methods and effective techniques to build a case against criminals who use technology to commit crimes.” There’s even a promo going this week for the first 100 people to purchase the course (at half price too!)
Placing the Suspect Behind the Keyboard online course
- Didier Stevens posted a couple of times about ClamAV
- He shows how to determine which signature ClamAV uses to detect Mimikatz and then manually decode it
Analyzing ClamAV Signatures – Correction
- He then shows how to use ClamAV’s sigtool to decode it automatically
ClamAV sigtool –decode-sigs
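To make the decoding step concrete, here is an added example (my own code, not Didier’s and not part of ClamAV) that takes a signature in ClamAV’s .ndb format (Name:TargetType:Offset:HexSignature) and renders the hex body as readable text, expanding the common wildcards: ?? and nibble ?, * for any run of bytes, {n}/{n-m}/{n-}/{-m} gaps and (aa|bb) alternatives. The signature embedded below is constructed for illustration and is not a real ClamAV signature; finding the real signature that fires on Mimikatz is the sigtool step Didier covers and is outside this snippet. Negated alternatives and the .ldb logical-signature format are not handled.

```python
"""Decode the hex body of a ClamAV .ndb signature into a readable pattern."""

# Constructed sample signature (NOT a real ClamAV signature), in .ndb format:
#   Name:TargetType:Offset:HexSignature
SAMPLE_NDB = "Example.Tool.Demo:1:*:6d696d696b61747a??{2-4}2e657865*(6c|4c)73617373"


def parse_ndb(line):
    """Split one .ndb line into its four fields; 'body' keeps the raw hex pattern."""
    name, target, offset, body = line.strip().split(":", 3)
    return {"name": name, "target_type": int(target), "offset": offset, "body": body}


def render_pair(pair):
    """Render one hex byte; nibble wildcards ('?') are kept as written."""
    if "?" in pair:
        return pair
    value = int(pair, 16)  # raises ValueError on non-hex input
    return chr(value) if 0x20 <= value < 0x7F else "\\x%02x" % value


def decode_hex_body(body):
    """Walk the hex body token by token and emit a readable pattern string."""
    out = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "*":                          # any number of bytes
            out.append("[any bytes]")
            i += 1
        elif c == "{":                        # {n}, {n-m}, {n-}, {-m}: bounded gap
            j = body.index("}", i)
            spec = body[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                out.append("[%s-%s bytes]" % (lo or "0", hi or "inf"))
            else:
                out.append("[%s bytes]" % spec)
            i = j + 1
        elif c == "(":                        # (aa|bb): alternatives
            j = body.index(")", i)
            alts = body[i + 1:j].split("|")
            out.append("(" + "|".join(decode_hex_body(a) for a in alts) + ")")
            i = j + 1
        else:                                 # plain hex byte or nibble wildcard
            pair = body[i:i + 2]
            if len(pair) != 2:
                raise ValueError("odd-length hex run at offset %d" % i)
            out.append(render_pair(pair))
            i += 2
    return "".join(out)


def decode_ndb(line):
    """Parse a full .ndb line and attach the decoded pattern."""
    sig = parse_ndb(line)
    sig["pattern"] = decode_hex_body(sig["body"])
    return sig


if __name__ == "__main__":
    s = decode_ndb(SAMPLE_NDB)
    print("%s (target %d, offset %s): %s"
          % (s["name"], s["target_type"], s["offset"], s["pattern"]))
```

Feed it a line pulled from a database with sigtool --find-sigs and you get the same kind of readable output sigtool --decode-sigs produces, which is handy when you want to see which strings a detection actually hinges on before tuning or writing your own.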
- Deepak Kumar shares a variety of digital forensics models.
Forensics Frameworks/Models
- Scar at Forensic Focus interviewed Jad Saliba of Magnet Forensics fame.
Interview With Jad Saliba, Founder & CTO, Magnet Forensics
- Garrett Pewitt at Forensic Expedition finishes off his series on using Microsoft OneNote for taking case notes by showing how users can import and export data from their notebook, as well as some of the other features; the page versions and edit tracking look like they could be helpful.
Microsoft OneNote for Case Notes – Part Three
- John Patzakis, Esq. at X1 Discovery posted about an interesting development in the Canadian courts, where the RCMP used screen recording tools to capture social media evidence instead of a dedicated tool (in this case, X1’s Social Discovery). As a result, the evidence was not immediately accepted and additional qualifying information was sought instead. John mentions that this has significant implications for various courts around the world (mainly Commonwealth countries, but also the US once FRE 902(14) comes into effect). DFIR Guy at DFIR.Training didn’t appear happy with the ruling.
Canadian Court Admonishes Police for Submitting Facebook Screenshots as Evidence
- Yulia Samoteykina at Atola Technologies shows how to print reports from Insight Forensic.
Case Management: Print reports from a case
- Giselle A. Morales at Precision Discovery explains how analysis of a car’s infotainment system can prove invaluable in various types of cases.
Your Car Is Storing Your Secrets
- Andrea Fortuna at “So Long, and Thanks for All the Fish” shared a few posts this week
- The first is a continuation of his Volatility cheatsheet, covering process memory
Volatility, my own cheatsheet (Part 3): Process Memory
- The second covers installing and running Ryan Benson’s Hindsight tool.
Hindsight: Internet history forensics for Google Chrome/Chromium
- Lastly, he shares the tool jq, which is “like sed for JSON data”
jq: a lightweight and flexible command-line JSON processor
- The Scientific Working Group on Digital Evidence have published a few papers for comment.
Check out @SWGDE’s Tweet
- Martijn Grooten at Virus Bulletin wrote a review of BSides Athens
Review: BSides Athens 2017
SOFTWARE UPDATES
- Apache Tika 1.16 has been released, adding extraction of a number of additional artefacts as well as bug fixes.
12 July 2017: Apache Tika Release
- Cellebrite updated their UFED line of products to version 6.3. The update incorporates hash sets including Project VIC, improved carving, as well as various other new features.
UFED Physical Analyzer, UFED Logical Analyzer, UFED Reader 6.3 (July 2017)
- Didier Stevens updated his zipdump Python script to version 0.0.10, adding the “option --yarastringsraw … to view just the matched string”
Update: zipdump.py Version 0.0.10
- Elcomsoft updated a couple of their tools this week
- Oleg Afonin explains that the new update to Elcomsoft’s Phone Breaker was due to Apple updating the lifespan of iCloud Authentication tokens. EPB is now at version 6.6
iCloud Outage, New Token Expiration Rules and Fixes for Authentication Issues
- Vladimir Katalov advises that they have also updated “iOS Forensic Toolkit to add physical support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4).” iOS Forensic Toolkit is now at version 2.30.
Physical Acquisition Is…
- Eric Zimmerman has updated Timeline Explorer to v0.5.5.0, ShellBags Explorer to v0.9.0.1, and XWFIM to v1.7.0.0. You can download the latest versions of these tools here
- “A new version of MISP 2.4.77 has been released including security fixes, bug fixes and various improvements.”
MISP 2.4.77 released
- MOBILedit updated a couple of their tools this week
- MOBILedit Forensic 9.1 was released, adding “support for Android 8.0 and iOS 11 beta, new phones and iPads supported and the update brings many other new improvements.”
MOBILedit Forensic 9.1 released!
- Forensic Express 4.1 was also released, adding “Cloud Analyzer, support for iOS 11 beta, application downgrade so rooting is no longer needed for applications data analyzer, Documents Analysis feature, faster more stable analysis and more”
Forensic Express 4.1 Released!
- Nir Sofer at NirSoft has released a new tool, RegistryChangesView, which “is a new tool for Windows that allows you to take a snapshot of [the] Windows Registry and later compare it with another Registry snapshot, with the current Registry or with Registry files stored in a shadow copy created by Windows”
New tool that compares snapshots of Windows Registry
- Radare2 v1.6 has been released. “This release comes with major improvements in GDB Client/Server, Windows support, timeless debugger and many stability bugfixes. Also adds support for PPC VLE, Ethereum Virtual Machine, workaround to properly configure the disassembler on PlayStation2 ELFs and added support for the Hexagon CPU”
radare2-1.6 aka Digital Lettuce
- X-Ways Forensics 19.0 SR-15, 19.1 SR-9, and 19.2 SR-7 were released to incorporate “several of the fixes introduced in later versions”
- X-Ways Forensics 19.3 SR-4 (and SR-3) was released during the week fixing a variety of bugs.
X-Ways Forensics 19.3 SR-4
- X-Ways Forensics 19.4 Preview 2 (and Preview 1) was released during the week with a number of new features.
X-Ways Forensics 19.4 Preview 2
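Returning to the RegistryChangesView item above: for anyone who would rather diff two Registry exports from the command line, here is an added example (my own code, not NirSoft’s) that parses two .reg files in the format written by reg export and reports the keys and values that were added, removed or changed between them. The two exports embedded in it are constructed sample data (a new Run value and a changed DWORD appear in the second snapshot, which is exactly the sort of change a snapshot compare is meant to surface). Values are kept as raw text, and only the basic .reg grammar is handled: key headers, name=value lines and wrapped hex data.

```python
"""Diff two Windows Registry .reg exports offline (added example, not NirSoft's code)."""

# Constructed sample exports shaped like `reg export` output (not real data).
# Real exports are UTF-16LE with a BOM; decode them to str before calling parse_reg().
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Demo]
@="default value"
"Version"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Public\\svchost.exe -k"

[HKEY_CURRENT_USER\Software\Demo]
@="default value"
"Version"=dword:00000002
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,17,18,\
  19,1a,1b,1c
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; '@' names a key's default value."""
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip().lstrip("\ufeff")
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key header: %r" % line)
        while line.endswith("\\") and i < len(lines):   # hex data wraps onto following lines
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, value = line.partition("=")
        keys[current]["@" if name == "@" else name.strip('"')] = value
    return keys


def diff_reg(before, after):
    """Compare two parsed exports and list keys/values added, removed or changed."""
    changes = {"keys_added": [], "keys_removed": [],
               "values_added": [], "values_removed": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes["keys_added"].append(key)
            changes["values_added"] += [(key, n, v) for n, v in sorted(after[key].items())]
            continue
        if key not in after:
            changes["keys_removed"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes["values_added"].append((key, name, a[name]))
            elif name not in a:
                changes["values_removed"].append((key, name, b[name]))
            elif a[name] != b[name]:
                changes["values_changed"].append((key, name, b[name], a[name]))
    return changes


def diff_exports(before_text, after_text):
    """Convenience wrapper: parse both exports and diff them."""
    return diff_reg(parse_reg(before_text), parse_reg(after_text))


if __name__ == "__main__":
    result = diff_exports(BEFORE, AFTER)
    for kind, entries in result.items():
        for entry in entries:
            print(kind, *entry)
```

Point it at exports taken before and after an installer or a suspected persistence event and the Run value addition shows up as a values_added entry; pairing it with exports of hive files from a Volume Shadow Copy gives you the same offline comparison the NirSoft tool offers.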
And that’s all for Week 28! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!