FORENSIC ANALYSIS
- Brett Shavers wrote a few articles this week
  - The first post discusses the various aspects of a photograph that can be used to place the suspect at the scene of the crime. This includes the content, combining the various elements of data stored in metadata with your knowledge of the case, as well as the examination of the camera itself if you have access to it. One thing that Brett didn’t mention is Camera Ballistics; I haven’t really played with it, but it can be used to determine if a camera was used to take a certain photo – if you have the camera in question and the suspect image, you can compare reference images with the suspect image to determine the likelihood that the camera was used to take the suspect image. Brett has also generously given readers of his blog a massive discount on his latest course, but the discount offer is only around for a few weeks, so act quickly.
  Placing the Suspect Behind the Camera
  - The second is more of a rationale behind writing his latest book and course, and about how some simple mechanisms can be used to blow a case open.
  Yes, you can place the suspect behind the keyboard, even if Tor is used.
  - The third covers the importance of knowing what to do over how to do something – “Learn the individual skills, but also learn when you need to employ those skills and why”.
  Knowing “how-to-do-it” is important, but first you need to know “what-to-do”.
- The guys at Cyber Forensicator shared a few articles this week
  - They shared a video on using Adlumin to understand lateral movement.
  Understanding lateral movement with Adlumin
  - They advised that Oleg Skulkin and Scar de Courcier’s new book, Windows Forensics Cookbook, has been released and that it’s on sale for a short period of time (although it doesn’t appear that the sale is running anymore).
  Windows Forensics Cookbook for only 10$!
  - They shared a video made by FoneFunShop of the IP Box 3, which appears to be able to brute force iPhone 7 passcodes. I think this is the same device that was doing the rounds on Twitter a few weeks ago that hadn’t been externally confirmed to work. It can be found on the FoneFunShop site here.
  IP Box 3 – iPhone 7 Passcode Unlock Tool
- Marcos at Follow The White Rabbit walks through the use of the file carving utility Foremost.
My name is #Foremost: I’ve seen things you people wouldn’t believe
- Nick Raedts at Raedts.BIZ talks about the different types of forensic images and forensic image formats, as well as the information that should be documented when taking an image of a drive. Nick also briefly mentions write-blockers, duplicators, and live CDs.
Forensics 101: What is a forensic image?
- SalvationData will be hosting free online training on their DVR Forensics tool VIP on September 6th, 2017.
DVR Forensics Online Training (FREE!)
- Volume 22, Supplement of the Journal of Digital Investigation has been released, which details the papers presented at DFRWS US 2017.
Volume 22, Supplement
- Andrea Fortuna at “So Long, and Thanks for All the Fish” shares the various methods of examining and converting dump/crash files using Volatility.
Volatility, my own cheatsheet (Part 7): Analyze and convert crash dumps and hibernation files
THREAT INTELLIGENCE/HUNTING
- Arpan Raval at Network Intelligence has a post looking at “behaviour patterns and features of some Windows system processes and how we can embed that knowledge into a ‘rule’ to then identify any process which does not conform to the rule.”
Threat Hunting for Masquerading Windows Processes
- Cheryl Biswas at Cyberwatch shared a number of hunting concept diagrams created by Jack Crook. Jack has released a couple more since this post, on Authentication and Data Movement.
A Hunting We Will Go
- Andy Moore at MalwareSoup explains how to set up Neo4j visualisation of ELK/Sysmon data. Andy describes the task of visualising “network connections, process creation, image loads, named pipe interactions, etc.”, expanding on the work previously done here.
Sysmon and Neo4j
- Steve Borosh and Jeff Dimmock at SpecterOps have a post covering “how to monitor a distributed attack infrastructure with rsyslog to help facilitate quicker counter-response actions.”
Attack Infrastructure Log Aggregation and Monitoring
- Wesley Riley at Practical Incident Response has a post on getting into threat hunting and a methodology for doing so.
Threat Hunting: Experts Not Required
- Suzanne Moore at Red Canary has a writeup of how one of their customers used the Red Canary tools during a breach.
Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor
- Also at Red Canary, Phil Hagen discusses the various types of threat intelligence and provides advice for those looking to build an effective threat intelligence program.
Common Security Mistake #3: Aimless Use of Threat Intelligence
- Mark Hofman has a post on the SANS Internet Storm Centre Handler Diaries on an “attack that utilises OWA”, and methods of detecting the behaviour exhibited.
Outlook Web Access based attacks, (Sat, Aug 12th)
- Cisco released “GOSINT – the open source intelligence gathering and processing framework.” “GOSINT aggregates, validates, and sanitizes indicators for consumption by other tools like CRITs, MISP, or directly into log management systems or SIEM”.
Open Source Threat Intel: GOSINT
- Thomas Bouve at IBM’s Security Intelligence discusses the importance of threat intelligence and then provides some information obtained regarding the Petya campaign. He used Carbon Black Response during his threat hunting session.
Threat Hunting Services Are Now a Basic Necessity
- Jordan Wright at Duo shows how to hunt for malicious npm packages. Jordan shares a “quick Python script to find packages with preinstall, postinstall, or install scripts; find files executed by the script; and search those files for strings that could indicate suspicious activity.”
Hunting Malicious npm Packages
UPCOMING WEBINARS
- Rajan Udeshi and Jonathan Arias will be hosting a webinar on the Encase Mobile Investigator on Tuesday, August 15, 2017 11:00 AM Pacific Daylight Time.
Uncovering Mobile App Evidence with EnCase Mobile Investigator
- Tayfun Uzun at Magnet Forensics will be hosting two webinars, September 26 @ 9:00AM ET and September 27 @ 1:00PM ET, on “the most popular types of cloud services and what the implications of those services are on evidence acquisition and examination”.
Webinar: Artifacts in the Cloud and the Impact on Forensics
PRESENTATIONS/PODCASTS
- Dave and Matthew hosted Elizabeth Schweinsberg on this week’s Forensic Lunch to discuss DFRWS, as well as her presentation on Google Drive forensics. Matthew then shared some of his work on ArangoDB using it to view relationships between artefacts.
Forensic Lunch 8/11/17
- Hasherezade has uploaded a video showing how to unpack TrickBot and decode the config files as per this post.
Unpacking TrickBot and decoding config
- Karsten Hahn at Malware Analysis For Hedgehogs posted two videos this week
- On this week’s Digital Forensics Survival Podcast, Michael discussed “crypto currency concepts for new computer forensic examiners.”
DFSP # 077 – Crypto Currency 101
- Richard Davis uploaded a video to YouTube on analysing System Resource Utilization Monitor (SRUM) data found on Win8+.
Windows SRUM Forensics
- SANS uploaded a couple of presentations from the 2017 DFIR Summit.
- Alan Orlikoski advised that his DEFCON25 workshop with Dan Moor can be found online.
Take a look at @AlanOrlikoski’s Tweet
MALWARE
- Jared Myers at Carbon Black analyses the PNG_dropper
Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper
- The Cylance Threat Guidance Team analyse the Konni RAT. I think there’s a typo before figure 10, as it indicates that after the RAT puts itself in the Run key it queries the InstallDate value “to check if the host has already been infected”. Not sure why it would query InstallDate instead of the Run key, although it does query for System Information a bit later on.
Threat Spotlight: KONNI – A Stealthy Remote Access Trojan
- Xiaopeng Zhang at Fortinet examines a new variant of the GlobeImposter ransomware.
Analysis of New GlobeImposter Ransomware Variant
- Tim Berghoff at GData shares their whitepaper on ZeuS Panda.
Analysis: ZeuS Panda
- Omri Ben Bassat at Intezer shares some initial findings from their analysis of Agent.BTZ/ComRAT.
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
- Malware Breakdown posted a few articles this week
  - The first walks through the infection chain of the Rulan campaign.
  Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner
  - The second examines the infection chain of the RIG EK dropping the URLZone banking trojan.
  Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.
  - Lastly, they examine some malspam that distributes the GlobeImposter ransomware.
  “IMG_” Malspam Delivers GlobeImposter Ransomware
- Jérôme Segura at Malwarebytes Labs looks at a new technique Magnitude EK is using to distribute Cerber.
Cerber ransomware delivered in format of a different order of Magnitude
- Phamus at BabyPhD also provides an analysis of the Mughthesec app/adware.
WTF is SafeFinder/OperatorMac campaign?
- Patrick Wardle at Objective-See examines an unidentified binary named Mughthesec that was also undetected on VirusTotal. Thomas Reed advises that this looks like a new variant of the OperatorMac adware.
WTF is Mughthesec!? poking on a piece of undetected adware
- Jon-Louis Heimerl at NTT Security shares the NTT Security GTIC 2017 Q2 Threat Intelligence Report.
- There were a few posts on the SANS Internet Storm Centre this week
  - Brad Duncan analyses an email that distributes the Sharik/Smoke Loader malware, which was then used to download TeamViewer and the “Diamond Computer Encryption” ransomware.
  How are people fooled by this? Email to sign a contract provides malware instead., (Wed, Aug 9th)
  - Didier Stevens analyses an Emotet maldoc with ViperMonkey.
  Maldoc Analysis with ViperMonkey, (Thu, Aug 10th)
  - Basil Alawi S.Taher analyses some suspicious executables with pestudio.
  Triaging suspicious files with pestudio, (Fri, Aug 11th)
- Scott Roberts has started a series breaking down Dragos’ Crash Override report, this post describes the posts he intends on writing for the next 5 weeks.
The Crash Override Chronicles
- Anton Ivanov and Orkhan Mamedov at Securelist examine the Mamba ransomware.
The return of Mamba ransomware
- Paul Rascagneres at Cisco’s Talos blog shows “how to use WinDBG to analyse .js files”.
WinDBG and JavaScript Analysis
- There were a couple of posts on the TrendLabs blog this week
  - Stephen Hilt explains how cybercriminals are using the Discord app as a data exfil channel.
  How Chat App Discord Is Abused by Cybercriminals to Attack ROBLOX Players
  - Feike Hacquebord, Stephen Hilt and Fernando Mercês analyse some OnionDog samples.
  OnionDog is not a Targeted Attack—It’s a Cyber Drill
- Vitali Kremez posted a couple of times this week
  - He briefly analyses the .diablo6 Locky ransomware.
  Let’s Analyze Locky “.diablo6” Ransomware
  - He also reverses “the Rig Exploit Kit infection chain leading to Ramnit “demetra” banking Trojan.”
  8-10-2017 – Rig Exploit Kit Leads to Ramnit aka “demetra” Banker via CVE-2015-8651
- Emre Güler at VMRay analyses a password protected maldoc using VMRay Analyzer v2.1.
Password Protected Word Document Connects to TOR Hidden Service
MISCELLANEOUS
- Brett Shavers posted the (tentative) table of contents for his upcoming Bitcoin Forensics book. He also requests that if you’re interested in contributing to the book then to e-mail him.
Bitcoin Forensics – The book
- Devon Ackerman at AboutDFIR shared an article “written by Mark Vogel of F.A.S.T Forensics.” The article discusses a couple of different CPUs and their processing power. It’s a bit of a stream of consciousness, so it may require a couple of reads.
Digital Forensics & CPUs
- Keith at “DFIR/Malware Analysis/Threat Analysis after dark” has written an overview of the SANS FOR500 class that he took recently via simulcast (and also a bit about DFIR NetWars and issues downloading files).
SANS FOR500 training write up #DFIR #forensics
- The 2017-2018 DFRWS Challenge has been released, this time focusing on IoT. Details, tools, and materials can be obtained here.
DFRWS Forensic Challenge: IoT Forensic Challenge (2017 – 2018)
- Oleg Afonin at Elcomsoft discusses a few password manager applications and the support that Elcomsoft’s Distributed Password Recovery tool offers for each.
One Password to Rule Them All: Breaking into 1Password, KeePass, LastPass and Dashlane
- Gabriele Zambelli at Forense nella Nebbia continues his saga on the plagiarism of his article by InfoSec Institute. Shortly afterwards, the ISI article was removed.
Caught red-handed: if plagiarism is bad, denying it is worse
- There were a couple of posts on the Forensic Focus blog this week
  - Alessandro Guarino’s paper on DF as a big data challenge was posted.
  Digital Forensics as a Big Data Challenge
  - Oleg Skulkin & Igor Shorokhov show “a way to perform a physical acquisition of a Samsung Galaxy S7 smartphone running Android 7.0”.
  Physical Imaging Of A Samsung Galaxy S7 Smartphone Running Android 7.0
- Collin at IncidentResponse.com shared an “infographic [on] why you should attend Incident Response 2017”.
[Infographic] Incident Response 2017
- Kovar & Associates show the type of report that the URSA tool suite can generate from “any DJI onboard flight log (FLYxxx.DAT), any DJI app log (e.g. DJI Go), and any PixHawk flight controller log.”
An Example UAV Forensic / Investigation Report
- Magnet Forensics announced that they will soon be releasing Magnet AXIOM Cloud, “either as an add-on to Magnet AXIOM, Magnet IEF, or as a standalone product”.
Magnet AXIOM Cloud will Offer Data Extraction for Cloud-Based Services
- Yulia Samoteykina at Atola Technology explains “how to connect a MacBook to [the Atola] Insight using [the] Thunderbolt extension” module.
Connecting MacBook using Thunderbolt extension module
- Cassie Castrejon at Paraben interviewed Ira Victor on how he selects the tools that he uses and on his lengthy experience in the industry.
How an Open Source Forensicator selects tools, an interview of Ira Victor
- Matt Olney at Cisco’s Talos blog describes how Talos conveys doubt in their reports and why this is important. From a digital forensics perspective, conveying doubt is an important consideration – often we will get asked questions that are possible but improbable, and it’s important to be able to convey that information.
On Conveying Doubt
- Heather Mahalik at Smarter Forensics announced that there’s currently a 50% LE discount for the FOR585 course; this was later clarified to be US LE only, though.
Get FOR585 at 50% off for Law Enforcement
- Ryan Benson advised that Microsoft has made a number of Windows VMs available online, which will be great for testing.
Take a look at @_RyanBenson’s Tweet
- Martijn Grooten at Virus Bulletin shares some tips that potential speakers should keep in mind when submitting to a CFP.
Five tips for submitting to Calls for Papers
SOFTWARE UPDATES
- Cellebrite released UFED Cloud Analyzer version 6.1, improving Facebook, Twitter, and Instagram support, as well as improvements regarding using stored tokens and dealing with Google’s 2-Step verification
UFED Cloud Analyzer version 6.1
- Cipher Tech Solutions released their zero-click imaging tool, IO. “IO automatically enables a software write-block, detects changes to attached devices, and begins producing E01 images from connected target media without any user interaction.”
Imaging for Operations (IO)
- Didier Stevens updated his byte-stats Python script to v0.0.6, adding the -r option, which “will print out extra information on the range of byte values (contiguous byte value sequences) found in the analyzed files.”
Update: byte-stats.py Version 0.0.6
- Elcomsoft updated Elcomsoft Distributed Password Recovery to version 3.40, adding support for various password managers.
Elcomsoft Distributed Password Recovery 3.40 Adds Support for Popular Password Managers
- F-Response v7 has officially been released and is no longer in beta.
F-Response v7 Production Release
- “A new version of MISP 2.4.78 has been released including an important security fix (if you use sharing groups), multiple bug fixes and some new functionalities.”
MISP 2.4.78 released
- Nader Shalabi at No-Secure-Code has updated Sysmon Shell to v1.1.
Sysmon Shell – Release 1.1
- Oxygen Forensics released v9.5 of their Detective product, adding extraction capabilities for Telegram Cloud, as well as other features and improvements.
Oxygen Forensic® Detective extracts data from Telegram Cloud
- PassMark updated OSForensics to v5.1.1002, adding a variety of new features and bug fixes.
V5.1.1002 – 8th of August 2017
- SalvationData have released their Smartphone Forensic System V3.58.21.0. New features include improved WeChat parsing and “data analysis for backups created by YunOS recovery mode.”
SPFV3.58.21.0 User Guidance Improvement and Allows Access to Even More Lost Data
- Amber Schroader advised that Paraben’s E3 v1.4 update has gone live.
Take a look at @gingerwondermom’s Tweet
- X-Ways Forensics 19.4 Preview 5b was released, adding some minor improvements, including outputting the various InstallDates from the registry of a Win10 system, and other fixes.
X-Ways Forensics 19.4 Preview 5b
- X-Ways Forensics 19.3 SR-6 was released, adding the “Ability to extract files from GZ archives that are larger than 4 GB” as well as various fixes.
X-Ways Forensics 19.3 SR-6
And that’s all for Week 32! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!