FORENSIC ANALYSIS
- Adam Harrison has started a new blog, 1234n6, and wrote a couple of articles regarding the analysis of volumes with data deduplication enabled.
  - The “first post serves as an introduction to Data Deduplication and speaks to how to identify whether a system or disk image has Data Deduplication enabled”
  Windows Server Data Deduplication and Forensic Analysis
  - The second post outlines “a number of options available to analysts when performing a forensic analysis of Microsoft Windows Servers that have the “Data Deduplication” feature enabled”
  Forensic Analysis of volumes with Data Deduplication Enabled
- The guys at Cyber Forensicator shared a paper from the Journal of Forensic Sciences by Ayesha Arshad, Waseem Iqbal, and Haider Abbas titled “USB Storage Device Forensics for Windows 10”.
USB Storage Device Forensics for Windows 10
- David Dym at EasyMetaData has a post showing the MRUs that Visual Studio uses to store recently accessed files/repositories in the registry.
Visual Studio registry artifacts – part 2 – MRUs #DFIR
- Alexis Brignoni at Initialization Vectors provides step-by-step instructions for injecting data from an Android device extraction into an Android VM to assist in visualising the data as the user would have seen it. I played around with this during the week and found it immensely helpful.
Viewing extracted Android app data using an emulator
- Jamie McQuaid at Magnet Forensics shows how to use AXIOM and F-Response Enterprise “to preview or analyze the data on a live system with minimal impact to the user or system”.
Using F-Response and Magnet AXIOM: Use Case 2 – Preview No Artifacts
- Dan O’Day has “built a simple GUI (C#) Google Analytics Domain Hash Calculator app” which can be used to “try to figure out which domain [a UTMA value] corresponds to”.
Google Analytics Domain Hash Calculator
- Over on my ThinkDFIR site, I shared my Google URL Parsing project from earlier in the year.
Google URL Parsing with GSERPENT
- There were a few posts on the Port 139 blog by Hideaki Ihara
  - The first is an article on orphaned files in FAT32 showing how Autopsy presents a file deleted from a folder, and a file deleted off the root of a FAT32 volume.
  FAT32 と犬 (FAT32 and a dog)
  - The second post was regarding FireEye’s report on APT28; however, I didn’t have enough time to decipher what Google Translate gave me, so I’m just linking to it for those interested.
  APT28と HKCU\Environmentキー (APT28 and the HKCU\Environment key)
  - He also reviewed the “New Pacifier APT Components Point to Russian-Linked Turla Group” report and examines the “six types of automatic activation methods for activating malware” that were reported in Autoruns.
  Turla の自動起動手口 (Turla’s autostart techniques)
  - Lastly, he examined the autostart technique used by TROJ_ANDROM.SVN
  ANDROM と自動起動(Regsvr32) (ANDROM and autostart (Regsvr32))
THREAT INTELLIGENCE/HUNTING
- Monty St John at AlienVault explains YARA, including what it does and how to write rules.
Explain YARA Rules to Me
- Corey Nachreiner at Dark Reading comments on a few of the methods that attackers use to hide their malware.
How Hackers Hide Their Malware: The Basics
- Lionel Faleiro at SandMaxPrime walks through creating a supertimeline with ELK
Super Timeline Using ELK Stack
Super Timeline Using ELK Stack - Andrew Davis at FireEye discusses “the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows”
- David Cannings at NCC Group develops “a rule which detects PE files where the timestamp (inserted by the linker at the final build stage) does not fall within the validity period of the Authenticode signing certificate”. He also mentions that false positives sometimes are unavoidable but “if properly combined with other detection mechanisms, this is a useful indicator to analysts that a file should be investigated more thoroughly”.
Signaturing an Authenticode anomaly with Yara
UPCOMING WEBINARS
- Mick Douglas at Binary Defense will be hosting a webinar on threat hunting on the 14th September 2017 at 1PM EST.
Threat Hunting: Strategies for Success
- Lee Reiber at Oxygen Forensics will be hosting a webinar on “The Forensic Kill Chain”, Thursday, September 7, 2017, at 8 am PDT / 11 am EDT / 4 pm BST
The Forensic Kill Chain
PRESENTATIONS/PODCASTS
- Daniel Bohannon & Lee Holmes’s presentation from Black Hat USA 2017 on Revoke-Obfuscation was shared on the Black Hat YouTube channel.
Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
- Patrick Wardle’s presentation on his analysis of OSX Fruitfly was shared on DEF CON’s YouTube channel.
DEF CON 25 – Patrick Wardle – Offensive Malware Analysis: Dissecting OSX FruitFly
- Nuix have uploaded a presentation on Cyber Threat Hunting, and Corey Tomlinson shares his thoughts on the webinar.
Security to Zone Three
- Paraben released a number of interviews from the recent PFIC 2017.
PFIC 2017 Summary
- On this week’s Digital Forensic Survival Podcast Michael talks “about 4 questions about your DFIR unit from an operations standpoint to identify holes and get a better sense of your investigative capabilities.”
DFSP # 080 – DFIR Operational Assessment
- Richard Davis has uploaded a video to his YouTube channel on Windows Memory Analysis as a continuation to the “Introduction to Memory Forensics” video.
Windows Memory Analysis
- SalvationData have uploaded a video showing the Fragments Scan feature from Video Investigation Portable
VIP-Feature Introduction-Fragments Scan-SalvationDATA DVR Forensics Solution
- SANS shared a few presentations from the DFIR Summit and Threat Hunting Summits.
- I recorded my take on the happenings of August 2017 in a short podcast episode. I’ve also been told to make the Patreon link a little bit more visible, so it’s up the top in the social media links, as well as at the bottom of the podcast episode itself.
This Month In 4n6 – August – 2017
- All of the materials from HITB GSEC have been released
Check out @dalmoz_’s Tweet
MALWARE
- Jonathan Nicholas at MWR Labs has a post on sharing threat intelligence and introduces a new tool they have developed called Athena.
Threat Information Sharing with Athena
- Jared Myers and Brett Williams at Carbon Black analyse a maldoc “which uses the Emotet trojan to create and execute additional malware on the system”
Threat Analysis: Word Documents with Embedded Macros Leveraging Emotet Trojan
- Researchers at ClearSky share some IOCs from “new samples and Infrastructure of ISMAgent”.
Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
- The Cylance Threat Guidance Team take a look at a malicious macro used by the Man1 group. They show the “steps of loading the raw code into memory, decoding the malware and providing details on how to extract the malware from a debugged process”.
Threat Spotlight – MAN1 Malware: Temple of Doom
- Arunpreet Singh at Lastline Labs takes “a closer look at a couple of emerging malware evasion techniques”.
Malware Evasion Techniques: Same Wolf – Different Clothing
- Malware Breakdown examines some malspam that delivers the latest Locky variant.
“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Hasherezade continues her look at the Kronos malware, this time detailing the “malicious actions that Kronos can perform.”
  Inside the Kronos malware – part 2
  - Marcelo Rivero and Jérôme Segura examine a maldoc that uses an AutoClose macro to download Locky.
  Locky ransomware adds anti sandbox feature (updated)
- There were a couple of posts on the McAfee Labs blog this week
  - Jaewon Min and Carlos Castillo examine a fake Chrome Android app they have named “MoqHao”.
  Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea
  - Thomas Roccia illustrates how the Emotet trojan works.
  Emotet Trojan Acts as Loader, Spreads Automatically
- Didier Stevens at NVISO Labs describes a step-by-step “statistical analysis method that can be applied to certain malware families, such as the Hancitor malicious documents” to assist in malware decoding.
Decoding malware via simple statistical analysis
- There were a couple of posts on the Palo Alto Networks blog this week
  - Alex Hinchliffe and Jen Miller-Osborn examine the KHRAT malware “used by threat actors to target the citizens of Cambodia”
  Updated KHRAT Malware Used in Cambodia Attacks
  - Brad Duncan reviews recent activity from fake “EITest HoeflerText popups” seen targeting Google Chrome users.
  EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
- There were a few posts on the SANS Internet Storm Center Handler Diaries this week
  - Johannes B. Ullrich repeated his DVR honeypot experiment from back when Mirai ran rampant.
  An Update On DVR Malware: A DVR Torture Chamber, (Mon, Aug 28th)
  - Renato Marinho examines a malicious attachment he has named IDKEY.
  Second Google Chrome Extension Banker Malware in Two Weeks, (Tue, Aug 29th)
  - Xavier Mertens provides some information about a malicious RAR archive.
  AutoIT based malware back in the wild, (Sat, Sep 2nd)
  - Brad Duncan examines some malspam that “had links to fake Dropbox pages”
  Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox, (Fri, Sep 1st)
- There were a few posts on the Securelist blog this week
  - Sergey Yunakovsky analyses a rewritten version of the NeutrinoPOS banker malware named Jimmy.
  Jimmy Nukebot: from Neutrino with love
  - The Global Research & Analysis Team share information on the WhiteBear platform, which “is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016”.
  Introducing WhiteBear
  - David Jacoby and Frans Rosén analyse a “Multi Platform Facebook malware that was spread through Facebook Messenger”.
  Dissecting the Chrome Extension Facebook malware
- Dr. Fahim Abbasi at Trustwave SpiderLabs analyses a malicious email “distributing both FakeGlobe and Cerber ransomwares”
The Spam, JavaScript and Ransomware Triangle
- There were a couple of posts on the TrendLabs blog this week
  - Lorin Wu examines various Android malicious apps to show the evolution of Android mobile ransomware.
  Android Mobile Ransomware: Bigger, Badder, Better?
  - Byron Gelera describes the malicious files (that they detect as TROJ_ANDROM.SVN) that were distributed by USB drive to install the BKDR_ANDROM.ETIN backdoor.
  USB Malware Implicated in Fileless Attacks
- Lenny Zeltser has updated his Malware Analysis Cheat Sheet
Check out @lennyzeltser’s Tweet
- Ahmed Zaki at NCC Group analyses a recent Poison Ivy sample that was “spreading through malicious PowerPoint files”.
Analysing a recent Poison Ivy sample
- Javier Vicente Vallejo shares a few methods for unpacking malware that uses weak encryption algorithms
Tools For Unpacking Malware, Part 2. Weak encryption algorithms
MISCELLANEOUS
- Brett Shavers has a post on his blog regarding identifying intent when investigating a crime.
When “intent” is an element of the crime, you better find the intent.
- The guys at Cyber Forensicator shared a couple of articles this week
  - They shared Ali Dehghantanha’s talk from BSides Manchester titled “Digital Forensics: The Missing Piece Of Internet Of Things Promise”
  Digital Forensics: The Missing Piece Of Internet Of Things Promise
  - They shared news that Forensic Control have recently updated their list of free digital forensics tools
  Free Digital Forensic Tools
- DFIR Guy at DFIR.Training made an interesting point regarding picking the right tool for the job. The basic premise is that the examiner should be able to pick the correct tool for the job and utilise it effectively. Sometimes tools aren’t able to perform the task requested, and the examiner needs to be able to figure out whether the tool or the examiner is the sticking point.
One thing leads to another, aka; how I learned not to hate on DFIR tools
- The guys at Digital Forensics Corp shared a couple of articles this week
  - They shared a post by Jeff Gennari explaining the “Pharos Binary Static Analysis Tools”.
  Binary Files Analysis
  - They shared a number of PowerShell scripts by DBHeise that can be used to initialize a system.
  Scripts to initialize a windows VM to run all the malwares
  - They shared an article by AccessData on the future amendments to the Federal Rule of Evidence 902 regarding electronic evidence.
  Rule 902 Amendments
- Scar at Forensic Focus shares her forum round-up and top links from the past month, as well as a discount code for the 2017 Techno Security & Digital Forensics Conference
- Ravi Das at InfoSec Institute shares a definition of computer forensics and explains the basic methodology of performing an examination.
An Introduction to Computer Forensics
- Johann Hofmann, Head of Griffeye, has a guest post on the Magnet Forensics blog regarding the various silos that can isolate “people and projects, negatively affecting workflow and the chance of success”.
Guest Post: It’s Time to Tear Down the Silos – The Power of Integration
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides a brief overview of Jared Atkinson’s PowerForensics framework
PowerForensics: a PowerShell framework for hard drive forensic analysis
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a list of Linux distros that can be used to assist in a digital forensics investigation.
Linux Distributions for forensics investigation: my own list
SOFTWARE UPDATES
- Arsenal Consulting announced that Arsenal Image Mounter’s “Professional Mode” “now has Windows native (& fast!) browsing of Volume Shadow Copies w/in disk images.”
Check out @ArsenalArmed’s Tweet
- Eric Zimmerman updated Jumplist Explorer to v0.5.0.0 and LECmd to v0.9.7.0. LECmd was updated after this exchange on Twitter, and Eric explains the reason it failed here for those interested. The Port 139 blog post was also updated.
- XRY & Kiosk/Tablet v7.4.1 were released, improving Android physical/lock screen bypass support, as well as improved app parsing and other updates.
Released today: XRY & Kiosk/Tablet v7.4.1
- Passmark updated OSForensics to V5.1.1003 with a variety of bug fixes.
V5.1.1003 – 28th of August 2017
- SalvationData have updated their DRS (Data Recovery System) to V17.7.3.2.272.
DRS (Data Recovery System) V17.7.3.2.272 — independent Raw Scan & Firmware Recovery for Toshiba HDD is available now!
- TZWorks released their August/September build which includes a new tool, tela, for parsing ETL files, as well as updates to cafae, yaru, pescan, pe_view, and usp.
Aug/Sept 2017 build
- X-Ways Forensics 19.3 SR-7 was released with a few bug fixes and improvements.
X-Ways Forensic 19.3 SR-7
- X-Ways Forensics 19.4 Beta 2 was also released, with a few bug fixes and improvements including the introduction of the “Override” command line parameter, which “overrides message boxes and dialog boxes until the last command line parameter has been processed”
X-Ways Forensic 19.4 Beta 2
And that’s all for Week 35! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!