I keep forgetting to mention, if people want to be notified when these posts come out then there’s a place to enter an email address on the left-hand side. I do get to see your email, but I’m not going to be doing anything with the information if that was a concern. Alternatively, there’s RSS 🙂
FORENSIC ANALYSIS
- Jim Hoerricks shows how to use the Line Doubling filter in Amped Five.
What’s wrong with this video?
- The guys at Cyber Forensicator shared Willi Ballenthin’s “FUSE file system driver for MFT files”, fuse-mft.
fuse-mft: Expose the File System Metadata Stored within an MFT
- Didier Stevens has started a series on analysing password dumps and shows how he has used/updated his tools to do so.
Analyzing Password Dumps With My Tools – Part 1
- There were a couple of posts from Digital Forensics Corp this week
  - They shared PcapDB, which “is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system.”
PcapDB Overview
  - They also shared Skycure’s Mobile Threat Intelligence Report for Q1 2017
A Mobile Threat Intelligence Report
- Marcos at “Follow The White Rabbit” has translated into English his post describing how to set up a WinFE boot disk, as well as his post on using Bulk Extractor.
- Hashim Shaikh at Infosec Institute wrote a number of articles this week on mobile device forensics.
- Cindy Murphy at Gillware Digital Forensics shares some information about Apple’s Continuity and how it impacted on a case. Continuity can cause issues if the examiner is not aware of it, as it allows for data to be seamlessly transferred between devices on the same iCloud account. “Forensic examiners must tread carefully around their assumptions about where data came from when multiple devices sync up to the same iCloud account.”
Apple Continuity and iCloud Data Leakage – When Apple Bites Back
- Alexis Brignoni at Initialization vectors analyses the Discord Android app using UFED PA and Autopsy to see what information can be obtained.
Discord Android App Review – DFIR
- The guys at Kovar & Associates show how they use 3D modelling to map a drone’s flight path.
The Power of UAV Forensics Combined with 3D Modeling
- Mark Jeanmougin shows a less time-consuming process for utilising “the RDS from NSRL to ‘subtract’ out known good files”.
Using the NSRL on a Modern Machine
- Mark Mckinnon has released an Autopsy plugin to parse Thumbs.db and Thumbcache.
Thumb.db and Thumbcache Parsers
- Greg Smith at Mobile & Technology Exploration shared news of an iPhone 7 unlock tool (which hasn’t really been shown to work) similar to the IP boxes of old.
New IPhone 7 passcode unlock tool
- Andrea Fortuna at So Long, and Thanks for All the Fish has a couple of posts this week
  - He continues his Volatility cheat sheet, this time looking at network connection information.
Volatility, my own cheatsheet (Part 5): Networking
  - He also provides some information about bulk_extractor.
bulk_extractor: extract useful information without parsing the file system
THREAT INTELLIGENCE/HUNTING
- Irfan Shakeel at Alienvault talks about threat intelligence and how it “is being used to aid in addressing different threats”.
Revealing the Power of Cyber Threat Intelligence
- Ryan Murphy at Carbon Black shared an excerpt from the “Threat Hunting For Dummies” book on tips for effective threat hunting.
10 Tips for Effective Threat Hunting
- Xavier Mertens at the SANS Internet Storm Center Handler Diaries shows how to set up a small honeypot to capture attacks for research purposes.
TinyPot, My Small Honeypot, (Thu, Jul 27th)
- Scott Piper at Summit Route shows how to write a YARA signature to parse “executables for DEP and ASLR support”.
YARA sigs for security best practices
- Benson Sy, CH Lei, and Kawabata Kohei at TrendLabs look at the ChessMaster campaign “targeting Japanese academe, technology enterprises, media outfits, managed service providers, and government agencies.”
ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
UPCOMING WEBINARS
- The CFP for the SANS Cyber Threat Intelligence Summit 2018 is open and closes on Monday, 7 August at 5 pm EDT. The event will take place January 29 & 30, 2018 at the Hyatt Regency Bethesda (MD).
SANS CTI Summit 2018 CFP
PRESENTATIONS/PODCASTS
- Matt Suiche at Comae Technologies released his presentation and whitepaper on the Shadow Brokers from Blackhat 2017
The Shadow Brokers — Cyber Fear Game Changers
- Jared Greenhill shared his presentation on memory analysis & chasing APT actors.
Take a look at @jared703’s Tweet
- Jon Rajewski shared his presentation from Enfuse 2017 on IoT forensics.
Take a look at @jtrajewski’s Tweet
- Karsten Hahn at Malware Analysis For Hedgehogs continues the series on creating a decrypter for Alpha ransomware.
Malware Analysis – Creating a Decrypter for Alpha Ransomware Pt. 3
- On this week’s Digital Forensics Survival podcast, Michael covers “a methodology of capturing websites as evidence using HTTrack”.
DFSP # 075 – Capturing Websites as Evidence
- Daniel Bohannon and Lee Holmes at FireEye have released their Blackhat presentation and Revoke-Obfuscation framework.
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
- David Bianco shared the presentation that he and Robert M. Lee gave at Blackhat 2017 named “Go to Hunt, Then Sleep”.
Take a look at @DavidJBianco’s Tweet
MALWARE
- The guys at Volexity examine a piece of OSX malware called OSX/Leverage.A.
Real News, Fake Flash: Mac OS X Users Targeted
- Yogi Gao at Forcepoint analyses a new variant of the Ursnif banking trojan.
Ursnif variant found using mouse movement for decryption and evasion
- Chris Gerritz at Infocyte looks at “three of the latest techniques that have surfaced to thwart advanced memory scanning techniques”.
Red Teams Advance In-Memory Evasion Tradecraft
- There were a couple of posts on Malware Breakdown this week
  - The first post shares the infection chain of “The Seamless” campaign as well as various IOCs.
The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
  - The second post shares some IOCs for HookAds.
Dreambot Dropped by HookAds
- Hasherezade at Malwarebytes Labs shows how to use her decryptor for the various Petya variants. “It cannot help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya).”
Bye, bye Petya! Decryptor for old versions released.
- There were a couple of posts on the Palo Alto Networks blog this week
  - Kaoru Hayashi shares some information on “The ‘Tick’ group [which] has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years.”
“Tick” Group Continues Attacks
  - Robert Falcone and Bryan Lee share some information about “activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug”.
OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
- There were a few posts on the SANS Internet Storm Center Handler Diaries this week
  - Didier Stevens analyses a malicious link file.
Another .lnk File, (Sun, Jul 23rd)
  - Brad Duncan examines a maldoc and network traffic distributing the Emotet malware.
Malspam pushing Emotet malware, (Wed, Jul 26th)
  - Didier Stevens also analyses the Emotet maldoc from the previous post.
Static Analysis of Emotet Maldoc, (Fri, Jul 28th)
- Sergey Yunakovsky at Securelist examines the CowerSnail backdoor.
CowerSnail, from the creators of SambaCry
- Nicholas Ramos, Gerald Carsula, and Rodel Mendez at Trustwave analyse an attack that distributed the Kovter malware.
Spammed JScript Phones Home To Download NemucodAES And Kovter
- There were a couple of posts on the FireEye blog this week
  - Swapnil Patil and Yogesh Londhe take a look at the HawkEye malware.
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
  - Peter Kacherginsky has released FLARE VM, “a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers”. He then performs “a basic analysis on one of the samples we use in our Malware Analysis Crash Course.”
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
- Vitali Kremez shows how to “Reverse the second version of the popular credential and payment card information stealer ‘AZORult’”.
Let’s Learn: Reversing Credential and Payment Card Information Stealer ‘AZORult V2’
MISCELLANEOUS
- Xavier Mertens at /dev/random shares a short bash script to automatically download the Blackhat 2017 presentations
Lazy BlackHat Presentations Crawler
- The guys at Black Hills Information Security share their advice for getting into the information security field.
How to Get into Information Security
- Brett Shavers has a post about conducting an investigation. “Define the goal so you know what to look for, know where to look, and figure out how to look for it. Apply this to every case and incident you have and your case closure rates will be much better with less work.” Brett mentions that this type of thinking can be applied to any number of investigations, not just the digital ones.
Anonymity: Criminals are only as good as their last mistake
- ClearSky have released a report on “Operation Wilted Tulip”, regarding the cyberespionage group CopyKittens. “Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.”
Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus
- Matt Shannon at F-Response advised of a change in Dropbox datetime formatting that “have made it not possible to obtain the modified dates for files at Dropbox with the most recent 6x release”. They are “evaluating either making the change in v6 or moving v7 to production very soon.”
F-Response and Dropbox Dates & Times
- There were a few posts on Forensic Focus this week
  - Scar shares her roundup of the month’s news.
Digital Forensics News July 2017
  - Paraben announced that E3 version 1.4 is “planned for the first of August 2017”. The update will add support for Amazon’s Alexa devices.
Paraben’s IoT Support Increases To Cover The Amazon Echo With 1.4 Version
  - There was also a post about utilising laminar flow cabinets in data recovery.
Laminar Flow Cabinets And Data Recovery
- Brian Baskin at Ghetto Forensics walks through some of the sections of the Palo Alto Networks’ Labyrenth 2017 challenge
Exploring the Labyrenth (2017 Edition)
- OpenText has purchased Guidance Software. I’m not sure what this will mean for EnCase or Tableau going forward.
OpenText to Acquire Guidance Software
- Pieces0310 puts a call out for help: apparently, they have identified an issue with EnCase v8.05 where index searches may or may not work on Win10. They performed testing on a few other installs of Win10 and found that sometimes it works, sometimes it doesn’t.
Something wrong with EnCase v8 index search results – Pieces0310
SOFTWARE UPDATES
- AceLab have released PC-3000 Express/UDMA-E/Portable Ver. 6.3.12, and Data Extractor v.5.6.8 during the week. The updates include “recovering data from locked Seagate F3 Rosewood HDDs”, and “Greatly improved parsing algorithm for damaged XFS and HFS+ file systems”.
Unlocking the Seagate F3 Rosewood drives is possible now!
- Alan Orlikoski released CCF-VM v2.0 with various updates to CDQR, Kibana, and ElasticSearch, as well as the inclusion of TimeSketch, Redis & MySQL.
CCF-VM v2.0
- Cellebrite updated UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader to version 6.3.5. The update adds “additional capabilities to the extraction summary that enable you to quickly copy and export Device Info and Device Content without needing to generate a full report” as well as updated app versions and bug fixes.
UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader Version 6.3.5
- Didier Stevens updated a number of his tools this week
  - He updated his python-per-line Python script to version 0.0.2 to process .gz files, “and includes three new predefined Python functions: IFF, RIN and SBC.”
Update: python-per-line.py Version 0.0.2
  - He released a new tool called headtail, which combines the head and tail Unix commands.
New Tool: headtail.py
  - He released a new tool called Paste, which functions the opposite way to the Clip command.
The Paste Command
  - He updated his count Python script to v0.2.0 to utilise a sqlite3 database to improve processing of large files.
Update: count.py Version 0.2.0
- DVR Examiner 2.0.1.0 has been released; however, I wasn’t able to find public release notes.
- GetData updated Forensic Explorer to v3.9.8.6618 with various updates and bug fixes.
27 July 2017 – v3.9.8.6618
- Matthew Seyer has released RustyLnk v0.1.1 which, as the name suggests, is a LNK parser written in Rust.
RustyLnk v0.1.1
- Oxygen Forensics have updated their Detective product to v9.4.2, adding the ability to obtain physical extractions from the latest “passcode-locked Motorola devices running Android OS”, as well as new apps and updated support for existing apps.
Oxygen Forensic® Detective gets into locked Motorola devices!
- There were a few updates to various X-Ways products this week
  - X-Ways Forensics 19.3 SR-5 was released with various bug fixes.
X-Ways Forensics 19.3 SR-5
  - “An X-Tension by Ruslan Yushaev, available from http://www.x-ways.net/forensics/x-tensions/, serves as a work-around for a print bug in the Oracle OutsideIn viewer component (missing text when printing certain PDF documents). The bug was found by the author of the X-Tension and reported to Oracle by X-Ways in May.”
Viewer Component
  - X-Ways Forensics 19.4 Preview 4 was released with a variety of new features.
X-Ways Forensics 19.4 – Preview 4
And that’s all for Week 30! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!