FORENSIC ANALYSIS

• There were a few posts on Cyber Forensicator this week
  • They shared a paper by Andrew Case, Arghya Kusum Das, Seung-Jong Park, J. (Ram) Ramanujam and Golden G.Richard III from DFRWS US 2017 titled “Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks”
    Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks
  • They shared “two scripts by David Pany, which can help an analyst to find evidence in WMI repositories: CCM_RUA_finder.py and PyWMIPersistenceFinder.py”
    WMI Forensics
  • They shared a paper by Michael Cohen called “Scanning Memory With Yara”
    Scanning Memory with Yara 
• Digital Forensics Corp shared a couple of articles this week
  • They shared a post by Bala Ganesh at GBHackers on understanding email headers
    Email Headers Analysis
  • They shared a post from Kitploit on PyREBox, a “Python scriptable Reverse Engineering Sandbox”
    PyREBox Overview 
• Jason Hale at Digital Forensics Stream explores the impact of Win10/Server16 Virtual Secure Mode on memory acquisition. He advises that “if the “Secure System” process is running, make sure you are using a tool that plays nice with virtual secure mode”. He tested a number of tools and lists the ones that do and don’t crash the system during acquisition.
  Memory Acquisition and Virtual Secure Mode 
• Marcos at Follow The White Rabbit walks through the various features and data extraction capabilities of ExifTool
  The secrets that coffee hides, seen with #ExifTool 
• Cindy Murphy at Gillware Digital Forensics shares how she and her team were able to transplant an eMMC chip from a damaged LG G4 to a new phone of the same model.
  Smart Phone Forensics Case Study: Synchronicity & Success with Chip-On Forensics 
• Alexis Brignoni at Initialization Vectors has located the missing letter from usernames and messages in the Android version of the Discord app.
  Discord App – Missing values not missing 
• Kovar & Associates posted a variety of presentations of UAC flight path visualisation, security, and forensics.
  • Geoweb3d UAV Test
  • Forensic Analysis of sUAS aka Drones – SANS DFIR Summit 2015
  • UAV Forensic Analysis – Next Gen – SANS DFIR Summit 2016 SANS Digital Forensics and Incident Response
  • Drone Data Security
  • 2017 Presentation – UAV Forensics for First Responders
  • 2017 sUAS News Round Table – UAV Forensics and Data Security 
• Magnet Forensics announced a new whitepaper that they will be releasing soon on mobile device acquisition methods.
  The evolution of mobile device acquisition methods: New white paper coming soon! 
• Nick Raedts at Raedts.biz saw my post last week regarding Compelson’s Camera Ballistics and happened to have a reason to test it. Thankfully he shares his findings for us to see. I think that whilst the blindly trusting the software can be an issue, at the end of the day, your testing methodology is the important part. If you are going to use the software to say xyz then your statements should be backed up by individual testing conducted for the specific scenario. Then, expanding on lessons from Brett Shavers’ latest posts, adding some additional correlation/verification information would also be useful. so adding the score produced by Camera Ballistics and then the metadata/EXIF information can assist in correlating pictures to cameras.
  TESTED: Camera Ballistics 2 
• The SANS InfoSec Reading Room shared a few papers this week
  • They shared Teri Radichel’s white paper on performing packet captures on AWS.
    Packet Capture on AWS
  • They also shared Mike Mahurin’s white paper on “maximize the capabilities of [Next Generation Intrusion Prevention Systems (NGIPS)] by providing a basic framework on how to effectively manage, tune, and augment a NGIPS solution with Open Source tools.”
    Basic NGIPS Operation and Management for Intrusion Analysts
  • Lastly, they shared Gordon Fraser’s paper, which walks through the IR process after an attack on “A fictitious organization, Winterfell”.
    A Practical Example of Incident Response to a Network Based Attack 
• The SANS DFIR Twitter account shared the updated Windows Forensics poster
  Take a look at @sansforensics’s Tweet

THREAT INTELLIGENCE/HUNTING

• Kristina Sisk at Happy Threat Hunting describes five different threat hunting models that she hopes “can be used to frame discussions about a threat hunting program and its objectives”
  Building Operational Threat Hunting Models 
• Rendition Infosec have a post on the importance of examining the intelligence data dumps to “increase your understanding of the capabilities that attackers are repurposing, as we write this, to target your networks”
  The need for dump analysis in Cyber Threat Intelligence (CTI) 
• Anthony Kasza at Palo Alto Networks shares some information about a recent attack carried out by, or in conjunction with, the group that conducted Operation Blockbuster and Operation Blockbuster sequel.
  The Blockbuster Saga Continues

PRESENTATIONS/PODCASTS

• John Strand at Black Hills Information Security shared some advice for those trying to get into (or are already in) InfoSec
  WEBCAST: Your 5 Year Plan into InfoSec 
• FoneFunShop released two videos of a couple of tools that can be used to brute-force iPhone7 iOS10 passcodes. During the IP-Box3 video, it was mentioned that the phone is jailbroken, so I’m not sure if this is permanent or not (but it’s likely). This is something to take into consideration before use. If anyone’s looking for a project, pulling the process apart and looking at the changes the jailbreak makes would be very useful to the community.
  • IP-Box 3 – Flashing iPhone 7 and Connecting IP Box To iPhone Ready To Crack Passcode
  • Watch “i7 Box iPhone 7 Brute Force Passcode Tool” on YouTube 
• Dave and Matthew hosted a Forensic Lunch this week. Unfortunately, all their guests cancelled so Matthew ran through more of his work with artefact correlation with ArangoDB and generating visual timelines (with Chuck Norris, and potentially tacos/burritos). Dave also explains a third case for creating shellbags on Win10 (I think, I can’t recall if he said the OS version) – when accessing a folder the shellbag is populated regardless of whether you have accessed the folder; if Windows denies the user then the shellbag is still created. Dave hasn’t yet looked in to whether there is data stored to identify whether the user was able to actually access the folder, so will be interesting to see his findings. Later that day, Dan Pullega expanded on this by playing around with shellbags. I’d highly recommend reading the thread and look forward to Dan’s blogpost where he explains his testing and findings *hint hint*.
  Forensic Lunch 8/18/17 
• Hasherezade has posted a video showing how she unpacks the BitPaymer ransomware.
  Unpacking BitPaymer ransomware 
• Bradley Schatz at Inside Out shares the updated version of his presentation “Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging”
  Updated slides: Accelerating your forensic & incident response workflow 
• Jamie McQuaid at Magnet Forensics shows “how you can use Magnet AXIOM and F-Response Enterprise to conduct remote investigations.”
  Using Magnet AXIOM and F Response Enterprise to conduct Remote Investigations 
• Magnet Forensics also posted a webinar by Tayfun Uzun on “insights into different recovery methods for smartphones.”
  Understanding Android Data Recovery in Forensic Investigations 
• Kasten Hahn at Malware Analysis For Hedgehogs shows how to deobfuscate the Loyeetro Trojan-Spy
  Malware Analysis – Deobfuscating Loyeetro Trojan-Spy 
• Lee Reiber has posted another Mobile Forensic Minute, this time introducing “the concept of preparation and deployment” from the “Forensic Kill Chain”.
  Mobile Forensic Minute 114 
• On this week’s Digital Forensics Survival Podcast, Michael expanded on last weeks cryptocurrency episode by discussing Bitcoin specifically.
  DFSP # 078 – Bitcoin Forensics 
• Richard Davis has uploaded a video to his YouTube channel on time stamps on NTFS, as well as “normal timestamp behavior on a Windows 10 system” and time stomping.
  Windows MACB Timestamps (NTFS Forensics)

MALWARE

• Eran Vaknin, Dvir Atias, and Alon Boxiner at Check Point cover a few ways that attackers send malicious files through LinkedIn’s messenger platform
  Is Malware Hiding in Your Resume? Vulnerability in LinkedIn Messenger Would Have Allowed Malicious File Transfer 
• The Cylance Threat Guidance Team “outline all the SMB exploits leaked by “The Shadow Brokers” (EternalBlue/EternalRomance/EternalSynergy/EternalChampion), focusing on the shellcode they use and the DoublePulsar backdoor that is installed by each of the exploits for remotely executing an arbitrary payload DLL.”
  Threat Spotlight: The Shadow Brokers and EternalPulsar Malware 
• Luke Somerville & Abel Toro discuss obfuscation and packing that can be used to avoid AV
  Part One – Security, Performance, Obfuscation & Compression 
• There were a couple of posts on the Fortinet blog this week
  • Floser Bacurio, Joie Salvio, and Rommel Joven examine a part of the new diablo6 variant of the Locky ransomware that “makes it harder to spot the strings during static analysis.”
    Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam
  • Jasper Manuel analyses the KONNI malware.
    A Quick Look at a New KONNI RAT Variant 
• Ioana Rijnetu at Heimdall Security examines malspam distributing the lukitus variant of Locky, as well as shares some information on a new campaign.
  Security Alert: Locky Adds the .lukitus Extension, Spreads through Waves of Malspam 
• Jack at Linkcabin walks through manually examining malicious PDF documents.
  Analysing/Detecting Malicious PDF’s Primer 
• Malware Breakdown walks through the traffic and host data from an infection by the Seamless and Fobos campaigns
• Amanda Rousseau released her RE102 course: Which is “an introduction to reversing Delphi RTL, shellcode extraction, encryption, unpacking, and evasion”
  Take a look at @malwareunicorn’s Tweet 
• There were a couple of posts on the Malwarebytes blog this week
  Locky ransomware returns to the game with two new flavors 
• Marcelo Rivero shares some information on a new malspam campaign distributing two new variants of Locky
  Locky ransomware returns to the game with two new flavors 
• Hasherezade examines a few samples of the Kronos banking Trojan (which for those playing at home, Marcus Hutchins aka MalwareTech was arrested for allegedly contributing to)
  Inside the Kronos malware – part 1 
• Jeff White at Palo Alto Networks analyses some malware that utilises PowerShell, ultimately “uncovering malicious infrastructure supporting Chthonic, Nymaim, and other malware and malicious websites.”
  The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure 
• There were a number of posts this week on the SANS Internet Storm Centre Handler Diaries
  • Brad Duncan walks through some malspam “pushing the Trickbot banking Trojan”
    Malspam pushing Trickbot banking Trojan, (Tue, Aug 15th)
  • Didier Stevens deobfuscates the content from a suspicious URL to find spam (and not malware, spoiler alert?).
    Sometimes it’s just SPAM, (Mon, Aug 14th)
  • Xavier Mertens examines a phishing kit targeting Paypal
    Analysis of a Paypal phishing kit, (Wed, Aug 16th)
  • Renato Marinho analyses “a malicious extension of Google Chrome capable of capturing the information entered by the user during access to the bank account.”
    (Banker(GoogleChromeExtension)).targeting(“Brazil”), (Tue, Aug 15th)
  • Xavier Mertens provides a brief overview of a “malicious document that (ab)used a Microsoft Word feature: auto-update of links.”
    Maldoc with auto-updated link, (Thu, Aug 17th)
  • Renato Marinho also examines “the main technical aspects of [malware he has named] EngineBox”
    EngineBox Malware Supports 10+ Brazilian Banks, (Fri, Aug 18th) 
• Kaspersky Lab’s Global Research & Analysis Team show “that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.”
  ShadowPad in corporate networks 
• Ronnie Giagone and Rubio Wu at TrendLabs analyse a sample “exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show”
  CVE-2017-0199:  New Malware Abuses PowerPoint Slide Show 
• Javier Vicente Vallejo shows how to dump executables from malware that unpacks its modules into RWE memory.
  Tools For Unpacking Malware, Part 1. Dumping executables from RWE memory 
• Vitali Kremez posted twice this week
  • In the first post, Vitali shows how to extract the “Cerber ransomware, or CRBR encryptor, configuration leveraging its string compare function StrCmpNIA from SHLWAPI.dll.”
    Let’s Learn: How to Obtain Cerber (CRBR) Ransomware Configurations
  • He then reverses “the latest exploit payload (CVE-2016-0189) from the Rig Exploit Kit (RigEK) and its chain leading to Ramnit”
    Let’s Learn: In-Depth Reversing Rig Exploit Kit’s VBScript Memory Corruption (CVE-2016-0189) 
• Adam at XPN Sec took a look at the APT28 hospitality malware.
  • Analysis of APT28 hospitality malware
  • Analysis of APT28 hospitality malware (Part 2)

MISCELLANEOUS

• Brian Krebs at Krebs on Security talks about the misuse of IOCs in attribution.
  Blowing the Whistle on Bad Attribution 
• Brett Shavers shared his thoughts on Brian’s article and stresses the importance of verification of findings, as well as how, at best, digital evidence is circumstantial “unless you have the actual devices used and the person in cuffs admitting to it” – therefore the language used to explain findings is critical – One should state “”Based on what we found, the incident points to Suspect A”, and certainly should not state that “Suspect A did it because our electronic evidence proves it”.”
  Kicking in the wrong doors 
• William Malik at TrendLabs also discusses attribution.
  What are the Benefits of Attribution? 
• Lance Mueller at ForensicKB shared two Enscripts that he updated this week
  • This first is an “EnScript to send hash values for all executable/DLLs to VirusTotal for analysis” for Encase8.
    EnCase v8 EnScript – Check executables to VirusTotal
  • The second sends hash values of tagged files to VirusTotal and bookmarks the results for hits.
    EnCase v8 EnScript – Check hash values for tagged files to VirusTotal 
• Vladimir Katalov at Elcomsoft posted a couple of times this week
  • First, he provided a timeline of Apple iCloud security and how Elcomsoft responded to each update.
    The Past and Future of iCloud Acquisition
  • Second, he posted an update to their article on password managers. Apparently their “benchmark numbers for 1Password were questioned”, and so this time they have posted more information, as well as software version information. From the updated testing it looks like 1Password fares very well against a password brute-force attempt compared to other password managers.
    Attacking the 1Password Master Password Follow-Up 
• Robert Graham at Errata Security provides his opinion on a story regarding the file-copy operation involved in the DNC hack. Robert explains that “while the forensic data-point is good, there’s just a zillion ways of explaining it. It’s silly to insist on only the one explanation that fits [the theory that it was an inside job]”.
  Why that “file-copy” forensics of DNC hack is wrong 
• Matt Shannon at F-Response advised that they have taken F-Response NOW offline and are deciding whether or not to keep running it.
  F-Response Now 
• Willi Ballenthin advised that the FLARE-On challenge will begin in less than two weeks
  Take a look at @williballenthin’s Tweet 
• Magnet Forensics posted an interview with their VP of Product Management, Geoff MacGillivray about some of the new releases, continued support for IEF, new partnerships with various companies, and new features in Axiom.
  An Insider View into Magnet AXIOM and Magnet IEF 
• Brian Maloney at Malware Maloney shows how to “compare packet captures to Procmon output.”
  Comparing Packet Captures to Procmon Traces 
• Yulia Samoteykina at Atola Technology shows how to edit case details in Insight Forensic.
  Case Management: Changing Details in a Case 
• Jack H. Ward at Paraben shared the release notes for E3: Universal Aurora Edition 1.4 which went live last week
  E3 1.4 is now available! 
• Wesley Riley at Practical Incident Response has an article on the importance of learning the fundamentals of computing and networking when working in DFIR. “I find that analysts that have taken the time to obtain a solid understanding of core CS principles often have better understanding of the threat landscape, can more effectively detect known and unknown threats, are able to more rapidly get up to speed on technical domains that they may have previously had little knowledge of, and are more effective at successfully using or creating novel or unorthodox methods.”
  Close To The Metal: Missing the Basics 
• Michael Cohen at the “Rekall Memory Forensics blog” introduces the Rekall Agent that was introduced last week at DFRWS. He also explains how to interact with the Rekall Agent demo site.
  Rekall Agent Alpha launch 
• Guy Bruneau posted on the SANS Internet Storm Centre Handler Diaries about an interesting new feature in tshark; dumping objects from a pcap file.
  tshark 2.4 New Feature – Command Line Export Objects, (Fri, Aug 18th) 
• Scott J Roberts continues his series on understanding Drago’s CRASHOVERRIDE report, with this post “calling out areas I need to focus on learning & investigating.” As a side note, I found the comments an interesting read as well, particularly because Scott identifies his level or expertise in the area and explains that he is attempting to learn about it…I don’t think anyone should be criticised for saying they don’t know something and trying to learn it; that’s why people end up quitting.
  The Crash Override Chronicles: Overall 
• I started a new blog! (do I say ‘I’, or go all third-person?) This post just introduces the new site, which I hope to write on when inspiration strikes about various DFIR topics, things I’ve worked on, things I plan to work on, and research I’ve conducted.
  New blog 
• Charles Herring at WitFoo has started a series on the importance of people in incident response. This post discusses how previous systems were designed with intrusion prevention in mind and not IR – as a result analysts are “digging through logs and using interfaces that were created to stop security breaches not investigate them”. “The analyst receives thousands of useless alarms each day that the machines assert as work for them to perform. The people are working for machines.”
  People > Machines (Part one)

SOFTWARE UPDATES

• The Sleuth Kit v4.4.2 was released adding a “New NTFS USN log tool, FS fixes, and more”. It can be downloaded here.
  Take a look at @sleuthkit’s Tweet 
• Autopsy v4.4.1 was released and “includes [a] beta of [the] new correlation engine, persistence of column ordering, and more”. It can be downloaded here.
  Take a look at @sleuthkit’s Tweet 
• CCF-VM was updated to V2.1
  CCF-VM v2.1 
• DME Forensics released DVR Examiner version 2.0.2.0.
  ExifTool 10.61 
• Phil Harvey updated ExifTool to v10.61 (development release), adding support for news tags as well as bug fixes.
  ExifTool 10.61 
• Sumuri updated Recon Imager to v1.1 adding support for the 2017 Macbook Pros with Touch Bar.
  RECON IMAGER August Update 
• Rekall 1.7.0RC1 was released last week, and with it came the Rekall Agent Alpha release.
  Rekall 1.7.0RC1 Hurricane Ridge 
• Paul Sanderson updated Forensic Browser for SQLite to v3.2.9 to fix a bug.
  New Browser release 3.2.9

And that’s all for Week 33! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!