FORENSIC ANALYSIS
- The guys at Cyber Forensicator shared an article by Timothy Opsitnick, Joseph Anguilano and Trevor Tucker on how computer forensics can be used to assist in investigating employee data theft.
Using Computer Forensics to Investigate Employee Data Theft
- There were a couple of posts on Elcomsoft’s blog this week
  - Olga Koksharova at Elcomsoft explains how to use the latest version of Elcomsoft’s Password Breaker to extract the iCloud keychain.
  How to Extract iCloud Keychain with Elcomsoft Phone Breaker
  - Oleg Afonin explains how to use the Phoenix Jailbreak to perform a physical acquisition on devices running iOS 9.3.5.
  iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak
- Mark Lohrum at ‘Free Android Forensics’ examines his car’s stereo system, which runs Android 4.4 (but not Android Auto). After installation he was able to root the device and image it directly to a connected USB drive, and then identify some useful information in the extraction.
Imaging and examining an Android car stereo
- Action Dan at LockBoxx shares a YARA rule that can be used to locate a Bitcoin wallet.dat file on a system.
Searching for Bitcoin
- Magnet Forensics shared a few pieces of interest this week.
  - Jamie McQuaid walks through using F-Response and AXIOM to connect to a remote machine on his network and image/analyse its contents.
  Using F-Response and Magnet AXIOM to Conduct Enterprise Investigations
  - Jamie then discusses targeted acquisition, which may be more appropriate if the network is slow. I like that AXIOM has a quick targeted acquisition feature – thankfully the user profile is copied out, because that’ll get you a lot of useful information (logs, thumbcache, jumplists, internet history).
  Using F-Response and Magnet AXIOM: Use Case 1 – Targeted Acquisition
  - They have also released their whitepaper titled “Android Acquisition Methods from Root to Recovery”.
  Download White Paper: Android Acquisition Methods from Root to Recovery
- Brian Maloney at Malware Maloney shows how to parse the USB, USBSTOR, and MountedDevices registry keys using Logparser Studio.
USB forensics with Logparser Studio
- The SANS InfoSec Reading Room has posted Martin Boller’s whitepaper on acquiring password hashes from Active Directory and cracking them, as well as utilising the pass-the-hash attack. Didier Stevens has a series on the same topic, with a sample ntds.dit (Active Directory) database for those that want to play around.
Cracking Active Directory Passwords or “How to Cook AD Crack”
- They also shared Gregory Pickett’s whitepaper on using threat indicators to triage alerts.
Triaging Alerts with Threat Indicators
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ finalises his Volatility cheatsheet series with a focus on plugins that deal with the file system – the MBR and MFT parsers.
Volatility, my own cheatsheet (Part 8): Filesystem
- Dan O’Day has compiled some information about file times on NTFS as well as file tunneling (with references from Microsoft).
Some reminders about Windows file times
- The Forensicator returns with additional clarifications/corrections to points made in the Guccifer 2.0 NGP/VAN Metadata Analysis.
If you find yourself in a hole, stop digging
- They also performed some additional analysis regarding the transfer speeds, some alternative scenarios, and corrections and clarifications regarding “how the media reported on the Forensicator’s analysis”.
- I published a post over on my ThinkDFIR site about manually creating orphaned files on an NTFS drive. The purpose was to show a student what orphaned files look like in FTK Imager. I may expand the post further to identify orphaned files with the other tools I have at my disposal.
Understanding Orphaned Files
- Thomas at Tribal Chicken shows how to enable debugging on Windows IoT Core running on a Raspberry Pi, which allows him to obtain a memory dump over serial (read: very slowly).
Adventures with Windows IoT Core Kernel debugging.
THREAT INTELLIGENCE/HUNTING
- Dale at Chip_DFIR returns to blogging and shares his experience using GRR in a test environment.
Hunting Evilness – GRR
- Shaun Waterman at Cyberscoop shared the news that “Comodo recently announced Comodemia, a program that would make its vast database on more than 120 million malware incidents — and the analytics engines used to mine it for insights — available online for university, government, and nonprofit researchers and educators.”
Security companies give public free way to sift through malware research
- Kristina Sisk at Happy Threat Hunting shares a “quick look at creating a detection strategy and how it can include your hunt program.”
Applying Detection to the Attacker Lifecycle
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ shares a variety of links and lessons learned regarding threat hunting and anomaly detection.
Homegrown Hunt: You Can Do This!
PRESENTATIONS/PODCASTS
- Harold Chun & Norman Barbosa’s presentation at Black Hat USA 2017 was uploaded to YouTube. In it they tell the story of the investigation and arrest of Roman Seleznev. They also included some of the forensic analysis, which was very interesting.
Ochko123 – How the Feds Caught Russian Mega-Carder Roman Seleznev
- Shaun Walsh at Cylance discussed the problem of attribution with J. Oquendo on the InSecurity podcast.
InSecurity: J. Oquendo on Attribution – Who and Why vs. How and What
- Didier Stevens has uploaded a video showing how to analyse a maldoc with VBA macros that was created using Metasploit.
Metasploit’s msf.docm Analysis
- Guidance Software uploaded a short video showing how to use the bootloader extraction on a Samsung Galaxy S6 with EnCase Mobile Investigator.
EnCase Mobile Investigator Bootloader Demo
- Hasherezade posted a couple of videos to her YouTube channel
  - The first is “a brief look at the injects made by Kronos malware”, which can be used to monitor traffic passed through the browser.
  How Kronos malware is paired with a browser
  - The second shows a tool that she recently uploaded called hook_finder, which is used for “investigating inline hooks (and other in-memory code patches)”.
  hook_finder – a small tool for investigating in-memory patches
- Magnet Forensics shared Jamie McQuaid & Johann Hofmann’s webinar on the integration between Magnet’s and Griffeye’s tools.
The Power of Integrated Digital Forensics
- On this week’s Digital Forensics Survival Podcast, Michael talks about the implications of the Dash cryptocurrency for forensic investigators.
DFSP # 079 – Thoughts on DASH Forensics
- SalvationData have uploaded a video that provides an overview of some of the scanning methods of their Video Investigation Portable product.
VIP-Disk Extraction-SOP-SalvationDATA DVR Forensics Solution
- SANS posted Alex Maestretti and Forest Monsen’s talk from the 2017 SANS Threat Hunting Summit on hunting on Amazon Web Services (AWS).
Hunting on Amazon Web Services (AWS) – SANS Threat Hunting Summit 2017
MALWARE
- Bart at Blaze’s Security Blog provides some information on malware that was located on the Crystal Finance Millennium website. This included Smoke Loader, Chthonic, and PSCrypt.
Crystal Finance Millennium used to spread malware
- Sebastian Eschweiler at CrowdStrike walks through decrypting the MFT after it’s been affected by NotPetya/Petya (along with an automated tool to do so).
Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack
- Luke Somerville & Abel Toro at Forcepoint advise that “Forcepoint Security Labs have seen a measurable increase in the amount of .NET-based malware samples being delivered in the wild during 2017”. I imagine this is fortunate, because my understanding is that .NET can be decompiled into source fairly easily. They then analyse the Agent Tesla keylogger.
Part Two – Camouflage .NETting
- Xiaopeng Zhang at Fortinet examines a PowerPoint file that contains a “new variant of Poison Ivy”.
Deep Analysis of New Poison Ivy Variant
- Nadav Avital at Incapsula analyses “a new web server ransomware called Ronggolawe, [which is] the code name for AwesomeWare ransomware”.
Analysis of Ronggolawe Ransomware and How to Block It
- Yu Nakamura at JPCERT/CC explains the Datper malware.
Detecting Datper Malware from Proxy Logs
- There were a couple of posts on Malware Breakdown about the Seamless campaign distributing the Ramnit trojan.
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries this week
  - Didier Stevens walks through an analysis of a maldoc (both in written and video form).
  It’s Not An Invoice …, (Sun, Aug 20th)
  - Xavier Mertens shares a Python module that can be easily used to modify URLs so that they can’t accidentally be clicked on.
  Defang all the things!, (Tue, Aug 22nd)
  - Xavier also examined a malicious downloader script.
  Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd)
  - Xavier then examines a malicious HTML page which installs the JBifrost RAT.
  Malicious AutoIT script delivered in a self-extracting RAR file, (Fri, Aug 25th)
  - Lastly, Didier returns to perform a static analysis on a submitted 7-Zip file.
  Malware analysis: searching for dots, (Sat, Aug 26th)
- Roman Unuchek at Securelist examines a few different malicious Android apps that utilise WAP billing – “a form of mobile payment that charges costs directly to the user’s mobile phone bill so they don’t need to register a card or set up a user-name and password.”
WAP-billing Trojan-Clickers on rise
- Gerald Carsula at Trustwave SpiderLabs provides a walkthrough for getting the Cuckoo sandbox working on Windows 10’s Linux subsystem.
Cuckoo Linux Subsystem: Some Love for Windows 10
- There were a couple of posts on TrendLabs this week
  - Buddy Tancio analyses the infection flow of a fileless Bitcoin miner they detect as TROJ64_COINMINER.QO.
  Cryptocurrency Miner Uses WMI and EternalBlue To Spread Filelessly
  - Stephen Hilt and Lord Alfred Remorin examine a malicious Chrome extension that steals “cookies from the running Roblox process on a Windows PC”.
  Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord
- Thorsten Eisenhofer at VMRay takes a look at the Poweliks malware.
Poweliks Malware – Filelessly Persistent
MISCELLANEOUS
- James Habben at 4n6ir provides some more advice to those that believe they are considered entry level. I disagree that this advice should be restricted to entry level folk, though; a lot of it can apply to people that are already in the field.
Skills and Knowledge for InfoSec
- Arsenal Recon have announced a new subscription-based licensing model for their tools. A subscription will set you back $49/month and provide a single license for all of the tools they produce. They also tweeted out the benefits of the change.
Arsenal Recon Launches Subscription-Based Licensing for Digital Forensics Tools
- Brett Shavers comments on the need to search for mistakes made by criminals in an investigation. By identifying the mistakes they make, investigators can piece together the puzzle in an attempt to solve the case.
Luck has nothing to do with it if you are good at what you do.
- Cheeky4n6Monkey returns with some Python-based reverse engineering of a fictional contact file.
Monkey Unpacks Some Python
- Demux shared out the release notes for DVR Examiner V2.0.2, which came out last week.
DVR Examiner V2.0.2 released
- Didier Stevens shows how to follow streams in Wireshark.
Wireshark: Follow Streams
- Deepak Kumar shared a few DFIR resources.
4n6: 1
- The guys at Digital Forensics Corp shared a paper on Automated PCB Reverse Engineering by Stephan Kleber, Henrik Ferdinand Nölscher, and Frank Kargl.
Automated PCB Reverse Engineering
- Pieter Arntz at Malwarebytes Labs provides a brief overview of the digital forensics field.
Explained: digital forensics
- Greg Smith at Mobile & Technology Exploration provides an update on the Universal Network Investigations LinkedIn group, where members post “to assist telecoms, cyber, forensics, information security, pen testing, and fault-finding investigations”.
Universal Network Investigations Updates
- Brian Carrier announced that the agenda for OSDFCon has been released.
Take a look at @carrier4n6’s Tweet
- Nick Harbour at FireEye announced that the fourth annual Flare-On challenge will be kicking off Sept. 1, 2017, at 8pm ET.
Announcing the Fourth Annual Flare-On Challenge
SOFTWARE UPDATES
- Cellebrite updated their UFED firmware to v6.3, and the corresponding software to v6.3.6. The updates improve device support for physical extraction and lockscreen bypass, iOS ithmb decoding, as well as other improvements, features, and bug fixes. One of the improvements I’m interested in seeing is the suggestions for extraction methods for unsupported devices. If you come across an unsupported device you may be able to perform an extraction using a similar model, or a generic profile that is based on the CPU chip in the device. Now if only Cellebrite updated their support list to include the CPU that the phone uses for easy searching; that would make life a bit easier.
UFED Ultimate & UFED InField v6.3 & UFED Physical Analyzer, UFED Logical Analyzer & Reader 6.3.6 [August 2017]
- Brian Carrier explains some of the recent updates to Cyber Triage (now at v2.1.4), including “analytics for user activity” and users’ web artefacts. I wasn’t able to locate full release notes for this update.
Analytics Make User Account Investigations Easier
- Elcomsoft Phone Breaker v7.0 was released, “adding the ability to extract saved passwords, payment data and other sensitive information from Apple’s secure online storage, the iCloud Keychain”. Oleg Afonin commented on the latest update and explains iCloud keychain security.
Elcomsoft Phone Breaker 7.0 Extracts Passwords from iCloud Keychain
- After a lengthy hiatus, First Response have updated CaseNotes, now at version 2.17.8.20. The update modifies the storage file format, as well as adding a spellchecker, a graphical check-list builder, a template editor, and other improvements.
CaseNotes is Back!
- Ryan Benson announced that Hindsight has been updated to version 2.1.1 with support for Chrome v1-60 and other improvements.
Hindsight v2.1.1
- Hopefully I should be getting notifications for Magnet software releases soon, but in the meantime, special thanks to Focus Systems for sharing. AXIOM was updated to v1.1.4.6064, and IEF was updated to v6.9.3.7144. The updates include some functional improvements to the tools, as well as improved support for Skype and Android SMS, and bug fixes.
Magnet Axiom/IEF Updated
- “A new version of MISP 2.4.79 has been released including an important security fix (persistent XSS on comment field), multiple bug fixes and new functionalities.”
MISP 2.4.79 released
- Nir Sofer at NirSoft updated AlternateStreamView to v1.53 to fix a bug. You can download the latest version here.
Take a look at @nirsoft’s Tweet
- X-Ways Forensics 19.4 Beta 1 was released, adding an option to “always produce a new item in the search term list, even if the keyword that you are looking for is identical to a previously used keyword or a keyword in the same run”. This is useful if you run the same keyword with different settings.
X-Ways Forensics 19.4 Beta 1
And that’s all for Week 34! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!