Week 33 – 2017

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

  • Kristina Sisk at Happy Threat Hunting describes five different threat hunting models that she hopes “can be used to frame discussions about a threat hunting program and its objectives”
    Building Operational Threat Hunting Models 
  • Rendition Infosec have a post on the importance of examining the intelligence data dumps to “increase your understanding of the capabilities that attackers are repurposing, as we write this, to target your networks”
    The need for dump analysis in Cyber Threat Intelligence (CTI) 
  • Anthony Kasza at Palo Alto Networks shares some information about a recent attack carried out by, or in conjunction with, the group that conducted Operation Blockbuster and Operation Blockbuster sequel.
    The Blockbuster Saga Continues

PRESENTATIONS/PODCASTS

  • John Strand at Black Hills Information Security shared some advice for those trying to get into (or are already in) InfoSec
    WEBCAST: Your 5 Year Plan into InfoSec 
  • FoneFunShop released two videos of a couple of tools that can be used to brute-force iPhone7 iOS10 passcodes. During the IP-Box3 video, it was mentioned that the phone is jailbroken, so I’m not sure if this is permanent or not (but it’s likely). This is something to take into consideration before use. If anyone’s looking for a project, pulling the process apart and looking at the changes the jailbreak makes would be very useful to the community.
  • Dave and Matthew hosted a Forensic Lunch this week. Unfortunately, all their guests cancelled so Matthew ran through more of his work with artefact correlation with ArangoDB and generating visual timelines (with Chuck Norris, and potentially tacos/burritos). Dave also explains a third case for creating shellbags on Win10 (I think, I can’t recall if he said the OS version) – when accessing a folder the shellbag is populated regardless of whether you have accessed the folder; if Windows denies the user then the shellbag is still created. Dave hasn’t yet looked in to whether there is data stored to identify whether the user was able to actually access the folder, so will be interesting to see his findings. Later that day, Dan Pullega expanded on this by playing around with shellbags. I’d highly recommend reading the thread and look forward to Dan’s blogpost where he explains his testing and findings *hint hint*.
    Forensic Lunch 8/18/17 
  • Hasherezade has posted a video showing how she unpacks the BitPaymer ransomware.
    Unpacking BitPaymer ransomware 
  • Bradley Schatz at Inside Out shares the updated version of his presentation “Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging”
    Updated slides: Accelerating your forensic & incident response workflow 
  • Jamie McQuaid at Magnet Forensics shows “how you can use Magnet AXIOM and F-Response Enterprise to conduct remote investigations.”
    Using Magnet AXIOM and F Response Enterprise to conduct Remote Investigations 
  • Magnet Forensics also posted a webinar by Tayfun Uzun on “insights into different recovery methods for smartphones.”
    Understanding Android Data Recovery in Forensic Investigations 
  • Kasten Hahn at Malware Analysis For Hedgehogs shows how to deobfuscate the Loyeetro Trojan-Spy
    Malware Analysis – Deobfuscating Loyeetro Trojan-Spy 
  • Lee Reiber has posted another Mobile Forensic Minute, this time introducing “the concept of preparation and deployment” from the “Forensic Kill Chain”.
    Mobile Forensic Minute 114 
  • On this week’s Digital Forensics Survival Podcast, Michael expanded on last weeks cryptocurrency episode by discussing Bitcoin specifically.
    DFSP # 078 – Bitcoin Forensics 
  • Richard Davis has uploaded a video to his YouTube channel on time stamps on NTFS, as well as “normal timestamp behavior on a Windows 10 system” and time stomping.
    Windows MACB Timestamps (NTFS Forensics)

MALWARE

MISCELLANEOUS

  • Brian Krebs at Krebs on Security talks about the misuse of IOCs in attribution.
    Blowing the Whistle on Bad Attribution 
  • Brett Shavers shared his thoughts on Brian’s article and stresses the importance of verification of findings, as well as how, at best, digital evidence is circumstantial “unless you have the actual devices used and the person in cuffs admitting to it” – therefore the language used to explain findings is critical – One should state “”Based on what we found, the incident points to Suspect A”, and certainly should not state that “Suspect A did it because our electronic evidence proves it”.”
    Kicking in the wrong doors 
  • William Malik at TrendLabs also discusses attribution.
    What are the Benefits of Attribution? 
  • Lance Mueller at ForensicKB shared two Enscripts that he updated this week
  • Vladimir Katalov at Elcomsoft posted a couple of times this week
    • First, he provided a timeline of Apple iCloud security and how Elcomsoft responded to each update.
      The Past and Future of iCloud Acquisition
    • Second, he posted an update to their article on password managers. Apparently their “benchmark numbers for 1Password were questioned”, and so this time they have posted more information, as well as software version information. From the updated testing it looks like 1Password fares very well against a password brute-force attempt compared to other password managers.
      Attacking the 1Password Master Password Follow-Up 
  • Robert Graham at Errata Security provides his opinion on a story regarding the file-copy operation involved in the DNC hack. Robert explains that “while the forensic data-point is good, there’s just a zillion ways of explaining it. It’s silly to insist on only the one explanation that fits [the theory that it was an inside job]”.
    Why that “file-copy” forensics of DNC hack is wrong 
  • Matt Shannon at F-Response advised that they have taken F-Response NOW offline and are deciding whether or not to keep running it.
    F-Response Now 
  • Willi Ballenthin advised that the FLARE-On challenge will begin in less than two weeks
    Take a look at @williballenthin’s Tweet 
  • Magnet Forensics posted an interview with their VP of Product Management, Geoff MacGillivray about some of the new releases, continued support for IEF, new partnerships with various companies, and new features in Axiom.
    An Insider View into Magnet AXIOM and Magnet IEF 
  • Brian Maloney at Malware Maloney shows how to “compare packet captures to Procmon output.”
    Comparing Packet Captures to Procmon Traces 
  • Yulia Samoteykina at Atola Technology shows how to edit case details in Insight Forensic.
    Case Management: Changing Details in a Case 
  • Jack H. Ward at Paraben shared the release notes for E3: Universal Aurora Edition 1.4 which went live last week
    E3 1.4 is now available! 
  • Wesley Riley at Practical Incident Response has an article on the importance of learning the fundamentals of computing and networking when working in DFIR. “I find that analysts that have taken the time to obtain a solid understanding of core CS principles often have better understanding of the threat landscape, can more effectively detect known and unknown threats, are able to more rapidly get up to speed on technical domains that they may have previously had little knowledge of, and are more effective at successfully using or creating novel or unorthodox methods.”
    Close To The Metal: Missing the Basics 
  • Michael Cohen at the “Rekall Memory Forensics blog” introduces the Rekall Agent that was introduced last week at DFRWS. He also explains how to interact with the Rekall Agent demo site.
    Rekall Agent Alpha launch 
  • Guy Bruneau posted on the SANS Internet Storm Centre Handler Diaries about an interesting new feature in tshark; dumping objects from a pcap file.
    tshark 2.4 New Feature – Command Line Export Objects, (Fri, Aug 18th) 
  • Scott J Roberts continues his series on understanding Drago’s CRASHOVERRIDE report, with this post “calling out areas I need to focus on learning & investigating.” As a side note, I found the comments an interesting read as well, particularly because Scott identifies his level or expertise in the area and explains that he is attempting to learn about it…I don’t think anyone should be criticised for saying they don’t know something and trying to learn it; that’s why people end up quitting.
    The Crash Override Chronicles: Overall 
  • I started a new blog! (do I say ‘I’, or go all third-person?) This post just introduces the new site, which I hope to write on when inspiration strikes about various DFIR topics, things I’ve worked on, things I plan to work on, and research I’ve conducted.
    New blog 
  • Charles Herring at WitFoo has started a series on the importance of people in incident response. This post discusses how previous systems were designed with intrusion prevention in mind and not IR – as a result analysts are “digging through logs and using interfaces that were created to stop security breaches not investigate them”. “The analyst receives thousands of useless alarms each day that the machines assert as work for them to perform. The people are working for machines.”
    People > Machines (Part one)

SOFTWARE UPDATES

And that’s all for Week 33! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

5 thoughts on “Week 33 – 2017

      1. I had a look into it and it’s not a really easy task since I don’t pay enough to get CSS access, and it’s not an option in customise.
        Otherwise I have to go through the post and manually correct it. Sorry, recommendation is going to be a browser plugin still.

        Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s