FORENSIC ANALYSIS
- The guys at Digital Forensics Corp shared a couple of articles of interest this week
- They shared an article on idownloadblog about the recent Apple Watch jailbreak released at DC25.
Apple Watch jailbreaking
- They shared an article on Infosec Addicts on performing a physical acquisition of an Android device.
How to do Physical Acquisition in Android Forensics
- They shared a post by Raj Chandel listing a variety of “Computer Forensics Tutorials”
Upgrade Your Library
- Mark McKinnon has released another Autopsy plugin. This plugin parses “the Volume Shadow of an image, extract the changed files and then load them as a new data source and create an extracted view content of each volume shadow”.
Renzik Can Now See His Shadow!
- Packt Publishing shared an article by Oleg Skulkin and Scar De Courcier from their book Windows Forensic Cookbook. The article covers “drive acquisition in E01 format with FTK Imager, drive acquisition in RAW Format with DC3DD, and mounting forensic images with Arsenal Image Mounter.”
Windows Drive Acquisition
- There’s a post on Paraben’s Forensic Impact blog showing some of the data that can be obtained from Alexa (both app and cloud stored data) using the latest update to their E3 platform.
Alexa Your BFF or Worst Nightmare
- Nick Raedts at Raedts.BIZ walks through the process of determining a Windows computer’s last shutdown time using NirSoft’s TurnedOnTimesView.
Examining when a system was turned on and off.
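An added example, not code from Nick's post or from the NirSoft tool: the same last-shutdown artifact can also be read straight off a hive, because Windows writes it to HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime as a REG_BINARY FILETIME. The Python below decodes that value and converts it to UTC and to Unix time; the sample bytes are constructed for the example.

```python
"""Decode the Windows ShutdownTime registry value.

Added example, not code from the post or from NirSoft.  Windows writes the
time of the last clean shutdown to
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Windows\\ShutdownTime as an 8-byte
little-endian FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
The value is stored in UTC whatever the machine's time zone was.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Ticks between the FILETIME epoch and the Unix epoch (11644473600 s * 1e7).
UNIX_EPOCH_TICKS = 116444736000000000


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte REG_BINARY FILETIME into a timezone-aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    if ticks == 0:
        # All zeros means the value was never written, not a shutdown in 1601.
        raise ValueError("FILETIME is zero (never set)")
    # timedelta resolves to microseconds, so the trailing 100 ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_unix(raw: bytes) -> float:
    """The same instant as Unix epoch seconds, for feeding timeline tools."""
    (ticks,) = struct.unpack("<Q", raw)
    return (ticks - UNIX_EPOCH_TICKS) / 10_000_000


# Constructed sample: the bytes a hive parser or `reg query` would return for
# ShutdownTime on a machine last shut down at 2017-08-05 00:00:00 UTC.
SAMPLE_SHUTDOWNTIME = struct.pack("<Q", 131463648000000000)

if __name__ == "__main__":
    last = filetime_to_datetime(SAMPLE_SHUTDOWNTIME)
    print("ShutdownTime (UTC):", last.isoformat())
    print("Unix seconds      :", filetime_to_unix(SAMPLE_SHUTDOWNTIME))
    # Convert to local time only after checking the system's TimeZoneInformation key.
```

The value only records the last clean shutdown; a hard power-off leaves it untouched, so cross-check it against the System event log (6006 for the event log service stopping, 1074 for user-initiated shutdowns) before treating it as "the last time the box was on".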
- David Dym at RRTX examines the “Find and Replace” history stored in the registry by Visual Studio 2015, and then privateregistry.bin in Visual Studio 2017.
Visual Studio registry artifacts – part 1 – find & replace #dfir
- Anton Lopanitsyn at Wallarm shows how to parse DS_Store files on an OS X system to identify files/folders in a directory.
Hunting the Files!
- Yogesh Khatri at Swift Forensics lists a few locations on recent versions of OSX (10.9+) that store the serial number of the Mac that they were found on.
Finding the Serial number of a Mac from disk image
- Pieces0310 shares the location of the Index database relating to the WeChat Android app. This index may have indications of previously deleted chat messages.
Dig out WeChat deleted chat messages on Android Phone – Pieces0310
- Pieces0310 also shows how he bypasses a Win10 logon password using Lazesoft’s Recover My Password. I can’t recall if I figured out a way around the Win10 LiveID passwords, might have to put that on the research list. If anyone has a way to extract the cached password/hash then let me know.
How to bypass Win10 logon password? – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Chad Kahl reappropriates the rules of Fight Club to Threat Intelligence.
The Seven Rules of Threat Intelligence Club
PRESENTATIONS/PODCASTS
- Sean Blaton at Carbon Black talks about the different types of malware.
“The 101” – Episode 4 – What are the Different Types of Malware?
- Douglas Brush interviewed Brett Shavers on Cyber Security Interviews this week. “In this episode we discuss starting forensics in law enforcement, his approaches to investigations, what makes a good DFIR examiner, forensic tools, Windows FE, book writing advice, IoT surveillance, and so much more.”
#028 – Brett Shavers: It’s Not the Machine, But the Examiner
- Cysinfo posted the presentations from their 11th Quarterly meetup.
11th Quarterly Meetup – 29TH July 2017
- Didier Stevens shared a couple of videos this week
- The first shows that an autorun.inf file inside an ISO will not execute when you open an ISO on Win8/10.
.ISO Files & autorun.inf
- The second shows that the ZoneID associated with a ZIP file downloaded from the Internet will follow the files found inside it, unlike ISO files where the ZoneID does not follow the contained files. The Zone.Identifier is an NTFS alternate data stream: Explorer re-creates it on each file it extracts from a ZIP, but the ISO 9660/UDF file system of a mounted image has no way to carry it, so the contents of a downloaded ISO lose the Mark of the Web and the SmartScreen/Protected View checks that key off it.
.ZIP Files With Zone.Identifier
- David Cowen at the HECF Blog has shared the National Collegiate Cyber Defense Competition Red Team Debrief 2017 as well as a bit of background about the competition.
National Collegiate Cyber Defense Competition Red Team Debrief 2017
- On this week’s Digital Forensics Survival podcast, Michael talks about the strings command/executable and its various uses. One time I found this command particularly useful was for a plist that stored data outside of the regular XML tags, so when viewed with a plist viewer critical information wasn’t shown.
DFSP # 076 – Strings!
- Steve Whalen at Sumuri reassures the community that Paladin will remain free/donation supported.
A Message to SUMURI’s Customers from CEO Steve Whalen
- Dave/Karit has released his presentation from DefCon 2017 on GPS spoofing and controlling NTP time. This could have a great application for dealing with iPhones whose batteries have died. For those that don’t know, this resets the time to the Unix epoch, and occasionally you can turn on an iPhone and it’ll tell you there are x million minutes until you can enter the password – even with the correct password, there’s little that you can do. I really should find an iPhone to test this on and see if, when it connects to the network, it automatically fixes the date/time.
Take a look at @nzkarit’s Tweet
- Patrick Wardle shared his presentation from Blackhat/Defcon 2017 on OSX/FruitFly malware analysis
Take a look at @patrickwardle’s Tweet
- I also released the first “This Month In 4n6” podcast during the week. It’s a quick summary of the happenings of the last month. I don’t know if I’ll expand it further than that, but it’s meant to be for the people that don’t want to read through the thousands of words I write each week. It’s in this feed so I’m not sure why I’m mentioning it again. You can find it on iTunes.
MALWARE
- Luca Ebach shares the white paper that he wrote analysing Zeus Panda.
Zeus Panda: Down To The Roots
- The Cylance Threat Guidance Team examine a number of cryptocurrency malware samples that mine various coins for the malware distributors.
Threat Spotlight: Cryptocurrency Malware
- Antonio Cocomazzi at Infosec Institute explains the various methods of JavaScript obfuscation and then walks through a real world example.
Reverse Engineering a JavaScript Obfuscated Dropper
- Jack at Linkcabin has a post “concentrating on the initial infection [of the Shade ransomware], in how it unpacks rather easily.”
Opening The Gate For Shade Ransomware – Unpacking with XOR and Base64
- Karsten Hahn at Malware Analysis For Hedgehogs shows “how to unpack a Locky sample with OllyDbg”
Unpacking Locky
- The author of “Malware Breakdown” examines the infection chain of a malvertising campaign that drops “Ramnit via RIG EK”, as well as providing various IOCs.
Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.
- “Malware Breakdown” also examines the infection chain of a HookAds campaign that drops Dreambot via the RIG EK, as well as providing various IOCs.
Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.
- There were a couple of posts on Malwarebytes Labs this week
- Nathan Collier examines the Trojan.Clicker.hyj Android malware.
Mobile Menace Monday: Malicious clicker with extra maliciousness included
- Hasherezade analyses a new version of the Trickbot malware
TrickBot comes with new tricks – attacking Outlook and browsing data
- Marco Ramilli examines an obfuscated VBS dropper distributing some Ransomware as a Service malware. He then uses what he’s learned to attack the attacker
TOPransom: From eMail Attachment to Powning the Attacker’s Database
- There were a couple of posts this week on the Palo Alto Networks Blog
- Robert Falcone and Bryan Lee examine an attack that utilises a webshell that was constructed from two different webshells – as a result, they gave it the name “TwoFace”. Through their examination, they also identified another webshell that they are calling IntrudingDivisor.
TwoFace Webshell: Persistent Access Point for Lateral Movement
- Tomer Bar and Simon Conant examine the recent updates to the Foudre malware, as well as showing how they used some of the identified mistakes “to learn more about this campaign.”
Prince of Persia – Ride the Lightning: Infy returns as “Foudre”
- Didier Stevens has a post on the SANS Internet Storm Center Handler Diaries examining a maldoc submitted by a reader.
Maldoc Submitted and Analyzed, (Sat, Jul 29th)
- Alexey Shulmin and Evgeniya Krylova at Securelist explain steganography, as apparently malware authors are using it more frequently to conceal communication. They then review “the malicious loader Zero.T” and show a couple of “statistical methods of analysis”.
Steganography in contemporary cyberattacks
- Matthew Molyett at Cisco’s Talos blog shows how to identify a Crypt0l0cker executable on ThreatGrid and then analyse it using FIRST.
Taking the FIRST look at Crypt0l0cker
- Andrea Fortuna at So Long, and Thanks for All the Fish shares some Volatility commands relating to the Windows Registry
Volatility, my own cheatsheet (Part 6): Windows Registry
- Rodel Mendrez at Trustwave examines a malspam campaign that distributes Nitol and Trickbot.
Tale of the Two Payloads – TrickBot and Nitol
- Jason Davison at PhishLabs analyses the Smoke Loader module loader, which “has continued to evolve with the addition of more complex anti-analysis techniques” since its initial release.
Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis
- There were a few posts on TrendLabs this week
- Ford Qin examines the LeakerLocker Android Ransomware
LeakerLocker Mobile Ransomware Threatens to Expose User Information
- Michael Villanueva discusses “a new trojan known as JS_POWMET”.
A Look at JS_POWMET, a Completely Fileless Malware
- Lorin Wu takes a look at “a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform”.
New WannaCry-Mimicking SLocker Abuses QQ Services
- Vitali Kremez walks through unpacking the GlobeImposter ransomware payload.
Let’s Learn: How to Unpack GlobeImposter “.726” Ransomware
MISCELLANEOUS
- Andrey Malyshev at Elcomsoft discusses “the benefits of using cloud compute units for password recovery, and provide a step-by-step guide on how to add virtual instances to Elcomsoft Distributed Password Recovery.”
Breaking Passwords in the Cloud: Using Amazon P2 Instances
- Also on the topic of cloud-based password cracking, Carrie Roberts has a guest post on the Black Hills Information Security blog on setting up an EC2 instance with Kali Linux and performing “some cracking speed comparisons using Hashcat’s benchmarking option”.
How to Crack Passwords in the Cloud with GPU Acceleration (Kali 2017)
- The “developers and top engineers [at ACELab] have shot a video guide on how to unlock the Techno Mode in the Seagate F3 HDDs.”
The complete video guide to unlock the Seagate F3 Rosewood drives
- Brett Shavers has shared details on the new book he’s working on with Tim Carver called Bitcoin Forensics, to be released next year. The book “will be written for the practitioner, the investigator, and the court officer with duties of trying cases involving cryptocurrency”. He also put out a call for contributors, so if you’ve worked on cases involving cryptocurrencies, or have done research on them, then get in touch with him.
Bitcoin Forensics
- The guys at Cyber Forensicator shared a number of articles this week
- They shared Hal Pomeranz’s presentation on EXT4 file recovery from the 2017 SANS DFIR Summit.
Recover EXT File Systems with analyzeEXT
- They shared a paper from the International Journal of Scientific Research in Science and Technology by Suci Ramadhani, Yasmira Mandasari Saragih, Robbi Rahim, and Andysah Putera Utama Siahaan called “Post-Genesis Digital Forensics Investigation”
Post-Genesis Digital Forensics Investigation
- They shared Parag Rughani’s paper in “Advances in Computational Sciences and Technology” called “IoT Evidence Acquisition – Issues and Challenges”
IoT Evidence Acquisition – Issues and Challenges
- They shared a paper by Dominique Fleurbaaij, Mark Scanlon, and Nhien-An Le Khac titled “Privileged Data within Digital Evidence”
Privileged Data within Digital Evidence
- Deepak Kumar shared a list of DF resources. The list includes the InfoSec Institute, which caused a stir last week after it was determined that they had plagiarised a few people’s work. Also apparently this has happened before.
FORENSICS TUTORIAL-1
- Jimmy Schroering at DME Forensics highlights some of the new features in DVR Examiner 2.0.
DVR Examiner 2.0 is Now Available!
- Scar at Forensic Focus posted an interview with Amber Schroader, CEO of Paraben.
Interview With Amber Schroader, CEO & Founder, Paraben
- Adam at Hexacorn advised that he updated his EDR sheet to include Nuix.
Updated EDR Sheet
- Palo Alto Networks have announced the LabyREnth CTF winners, as well as various walkthroughs.
LabyREnth CTF 2017 Winners!
- Brian Reitz at SpecterOps provided his roundup of Blackhat USA/Defcon talks for 2017.
BlackHat USA 2017/DEF CON 25 Roundup
- Nick Raedts at Raedts.BIZ reviewed the AccessData Live Online Training that he attended.
AccessData Live Online Training
- SANS DFIR Twitter announced that they have released updated versions of the Smartphone Forensics and Memory Forensics posters
- Scott J Roberts has a post on the APT hype cycle
Familiarity Breeds Contempt: APT Edition
- Heather Mahalik at Smarter Forensics shares her experience with the latest update to Oxygen Forensic Detective.
A breath of fresh air! Conducting application analysis with Oxygen Detective
- The author of “The Forensicator” blog reaffirms one of the conclusions regarding the estimated transfer rate of “the initial file collection operation” in their Guccifer 2.0 NGP/VAN Metadata Analysis study.
The Need for Speed
- André Årnes announced that their Digital Forensics textbook has been released. The book is “written by faculty members and associates of the world-renowned Norwegian Information Security Laboratory (NisLab) at the Norwegian University of Science and Technology (NTNU)”.
Take a look at @Andreaarnes’ Tweet
SOFTWARE UPDATES
- Didier Stevens has updated his translate Python script to version 2.5.0, adding the ability “to accept a second file/byte stream”
Update: translate.py Version 2.5.0
- Elcomsoft have updated their Distributed Password Recovery tool to version 3.30.1109 to support Amazon’s “new P2 instances with up to 16 GPU units”.
Elcomsoft Distributed Password Recovery Adds Support for Amazon P2 Instances
- Garrett Pewitt at Forensic Expedition has written a PowerShell script that extracts metadata from images and maps them.
ImageMapper: A PowerShell Metadata and Geo Mapping Tool for Images
- GetData released Forensic Explorer v3.9.8.6626 with some minor updates.
1 August 2017 – v3.9.8.6626
- Nader Shalabi at No-Secure-Code has updated Sysmon View to version 1.2, adding the ability to follow “a process through its hierarchy”.
Visualizing & Tracking Sysmon events with Sysmon View 1.2
- Atola Technology have released Atola Insight Forensic 4.9, introducing a “new Thunderbolt extension module, which will enable forensically sound imaging and other operations on all generations of MacBooks.” The update also includes other new features and bug fixes.
Atola Insight Forensic 4.9 – Thunderbolt extension
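On the Sysmon View hierarchy feature above, here is an added example (not Sysmon View's code) of what "following a process through its hierarchy" means in Sysmon terms: Event ID 1 gives every process a ProcessGuid and records its parent's ParentProcessGuid, and chaining on those rather than on PIDs survives PID reuse and reboots. The events below are constructed for the example and the GUIDs are placeholders.

```python
"""Follow a process through its hierarchy using Sysmon Event ID 1 fields.

Added example, not Sysmon View's code.  Sysmon assigns every process a
ProcessGuid that stays unique across PID reuse and reboots, and records the
parent's GUID in ParentProcessGuid, so the tree is keyed on GUIDs rather
than on ProcessId/ParentProcessId.
"""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample: EventData of five Sysmon EID 1 (process create) events,
# flattened to dicts the way a log shipper presents them.  GUIDs are
# placeholders; real ones are full 128-bit values.
SAMPLE_EVENTS: List[Event] = [
    {"UtcTime": "2017-08-01 09:00:01.000", "ProcessGuid": "{0A6B-0001}", "ProcessId": "612",
     "Image": "C:\\Windows\\explorer.exe",
     "ParentProcessGuid": "{0A6B-0000}", "ParentProcessId": "480",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"UtcTime": "2017-08-01 09:12:44.000", "ProcessGuid": "{0A6B-0002}", "ProcessId": "3120",
     "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "ParentProcessGuid": "{0A6B-0001}", "ParentProcessId": "612",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2017-08-01 09:13:02.000", "ProcessGuid": "{0A6B-0003}", "ProcessId": "3388",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessGuid": "{0A6B-0002}", "ParentProcessId": "3120",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2017-08-01 09:13:03.000", "ProcessGuid": "{0A6B-0004}", "ProcessId": "3402",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessGuid": "{0A6B-0003}", "ParentProcessId": "3388",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2017-08-01 09:20:00.000", "ProcessGuid": "{0A6B-0005}", "ProcessId": "3500",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessGuid": "{0A6B-0001}", "ParentProcessId": "612",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_index(events: List[Event]) -> Dict[str, Event]:
    """Key the EID 1 events on ProcessGuid for constant-time parent lookups."""
    return {e["ProcessGuid"]: e for e in events}


def ancestry(index: Dict[str, Event], guid: str) -> List[Event]:
    """Walk from a process up to its oldest logged ancestor (child first)."""
    chain: List[Event] = []
    seen = set()
    cur = index.get(guid)
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])  # guard against malformed or looping data
        chain.append(cur)
        # None here means the parent started before Sysmon was logging.
        cur = index.get(cur["ParentProcessGuid"])
    return chain


def children(index: Dict[str, Event], guid: str) -> List[Event]:
    """Direct children of a process, oldest first."""
    return sorted((e for e in index.values() if e["ParentProcessGuid"] == guid),
                  key=lambda e: e["UtcTime"])


def format_chain(index: Dict[str, Event], guid: str) -> str:
    """Render ancestry as 'root > ... > process'; '?' marks an unlogged root parent."""
    chain = ancestry(index, guid)
    if not chain:
        return "<ProcessGuid not in index>"
    names = [basename(e["Image"]) for e in reversed(chain)]
    root = chain[-1]
    if root["ParentProcessGuid"] not in index:
        # ParentImage is still recorded on the child, so name it but flag it.
        names.insert(0, basename(root["ParentImage"]) + "?")
    return " > ".join(names)


def tree_lines(index: Dict[str, Event], guid: str, depth: int = 0) -> List[str]:
    """Indented listing of a process and all of its logged descendants."""
    e = index[guid]
    lines = ["  " * depth + f"{e['UtcTime']}  {e['ProcessId']:>5}  {basename(e['Image'])}"]
    for child in children(index, guid):
        lines.extend(tree_lines(index, child["ProcessGuid"], depth + 1))
    return lines


if __name__ == "__main__":
    idx = build_index(SAMPLE_EVENTS)
    print(format_chain(idx, "{0A6B-0004}"))
    print("\n".join(tree_lines(idx, "{0A6B-0001}")))
```

The chain for the PowerShell process reads "userinit.exe? > explorer.exe > WINWORD.EXE > cmd.exe > powershell.exe", which is the Office-to-shell lineage most hunting rules look for; the trailing "?" flags that userinit's own EID 1 was never logged, a common situation when Sysmon was installed after boot or the log rolled over.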
And that’s all for Week 31! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!