FORENSIC ANALYSIS
- Glenn Edwards Jr at Hidden Illusion has a post on enumerating prefetch filename hashes to brute force the original path of an executable. He also lists various use-cases where this may be helpful.
Go Prefetch Yourself
- Jim Hoerricks at Amped Software discusses when someone should seize a DVR and provides some resources for best practices.
To seize or to retrieve: that is the question
- There were a few posts by Cyber Forensicator this week
- They shared a guide from Cyber Punk on using LiMEaide to “remotely dump Linux RAM”.
How to Remotely Dump Linux RAM
- They shared news of a “video course by Chad Russell” called “Digital Forensics for Cyber Professionals” released by Packt Publishing.
Digital Forensics for Cyber Professionals
- They shared a paper by Frank Block and Andreas Dewald from DFRWS USA 2017 called “Linux memory forensics: Dissecting the user space process heap”.
Linux memory forensics: Dissecting the user space process heap
- They shared some links to RecuperaBit, which can be used to recover deleted NTFS structures.
RecuperaBit: A Tool for Forensic File System Reconstruction
- Arman Gungor at Metaspike sought to answer the question “is it possible to detect that a user has deleted an attachment from an e-mail prior to producing it”. Arman was able to show that the file size did not update when the attachment was removed (so a large file size with no attachment would probably highlight it) and that a new Root Entry was added to the end of the file with the date that the attachment was removed (although I’m not sure if this was added by the removal or the saving process). Oddly enough, the attachment wasn’t actually removed from the e-mail file and could be carved out quite easily, which sounds like a bug that may be corrected in future, and explains why removing the attachment doesn’t really reduce the size of the e-mail itself.
Recovering Removed Email Attachments — Outlook Email Forensics
- Patrick Siewert at Pro Digital Forensics explains how to use CellHawk from Hawk Analytics to map GPS coordinates exported from a Cellebrite dump. I haven’t got a copy of UFED PA handy to check right now, but I think it’s possible to export GPS data to a KML file and import that into Google Earth/Maps. Pretty sure you can do that in XRY, or at least you used to be able to. Patrick said that he will be diving more into the CellHawk tool, so would be interesting to see it compared with free tools like Google Earth.
- Nick Raedts at Raedts.BIZ explains “the differences between deleting a file and wiping a file, and also explain how different drive types (HDD vs SSD) affect the outcome.” The first half of the post also describes the different drives and file systems that examiners will commonly see.
- Lionel Faleiro at SandmaxPrime shows how to parse Windows LNK files using PowerForensics.
- SANS shared a sponsored whitepaper by WireX about how to use their platform, Network Forensics Platform, for incident response.
The Efficiency of Context: Review of WireX Systems Incident Response Platform
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ links to LiMEaide, “a python application developed by Daryl Bennett that can remotely dump RAM of a Linux client.”
THREAT INTELLIGENCE/HUNTING
- Hideaki Ihara at the Port 139 blog shows how Poison Ivy’s automatic startup can be detected with Autoruns.
Poison Ivy and MSIEXEC
- He then shows how to register a scheduled task and view it in Autoruns.
- Austin Taylor shared out a Flattened MITRE ATT&CK Matrix.
- Demisto have written an article giving a background of threat hunting and why it’s important.
- Kristina Sisk at Happy Threat Hunting walks through the process of “outlining the expected outcome from R&D Hunts”. She also shared out her HT-Trackr project, which can assist hunters in tracking their hunting techniques.
- Will Schroeder at SpecterOps walks through the process of hunting for attackers in Active Directory Replication Metadata.
- Keshia LeVan at Red Canary walks through an attack process that utilises ADS to bypass user account controls, as well as what the attack looks like using Carbon Black’s EDR.
Using Alternate Data Streams to Bypass User Account Controls
- Kevin Breen at Tech Anarchy shows how to hunt for interesting data in Pastebin using YARA rules. He also releases PasteHunter, which is “a simple script and a set of Yara rules that will fetch pastes from the pastebin API and store any matching pastes in to an elastic search engine with a nice Kibana front end.”
UPCOMING WEBINARS
- The DFRWS EU 2018 CFP is open until Monday, October 9, 2017. The event will take place in “Florence, Italy at the Convitto della Calza – Oltrarno Meeting Center” from 21 to 23 March 2018.
DFRWS EU 2018
- Michael Krueger and Tony Ramirez at NowSecure will be hosting a webinar on the recent updates to Android and iOS on September 14 @ 1:00 pm – 1:30 pm CDT.
Android “O” and iOS 11 security updates: What you need to know
- Paul Slater and Mark McCluskie at Nuix will be hosting a webinar on hyperscaling your investigation and intelligence capabilities on 14 September 2017 at 11am BST.
PRESENTATIONS/PODCASTS
- Joshua I. James shows how to use the GnuWin32 ‘file’ utility to identify files in Windows, as well as mounting split raw images using FTK Imager.
- Patrick Wardle’s presentation on his analysis of OSX Fruitfly was re-shared on DEF CON’s YouTube channel because the previous video cut off halfway.
DEF CON 25 – Patrick Wardle – Offensive Malware Analysis: Dissecting OSX FruitFly
- Hasherezade looked at the webinjects for the Kronos malware.
- On this week’s Digital Forensics Survival Podcast, Michael explained the OS X Collector Python script produced by Yelp’s Security team.
- SANS shared a couple of presentations from the DFIR Summit and Threat Hunting Summits.
- Ted Smith at X-Ways Clips has recorded a video on parsing the Skype SQLite database using X-Ways to identify deleted messages.
MALWARE
- Hideaki Ihara at the Port 139 blog examines a RAT identified by Fortinet in Dependency Walker.
Rehashed RAT and DLL Hijacking
- Xavier Mertens at /dev/random explains that malware may watch for “interesting processes that could reveal that they are being monitored or debugged” and shares the list of processes.
Interesting List of Windows Processes Killed by Malicious Software
- Jasper Manuel and Artem Semenchenko at Fortinet examine a maldoc that exploits CVE-2012-0158 and distributes the NewCore RAT.
Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
- Lenny Zeltser shared a new cheatsheet for malware reversing. He also updated his cheatsheet on analysing maldocs.
Tips for Reverse-Engineering Malicious Code – A New Cheat Sheet
- Malware Breakdown walks through the infection chain of the Roboto Condensed social engineering scheme that is used to distribute DELoader.
Roboto Condensed Social Engineering Scheme Delivers Terdot Zloader/Zbot.
- Dominik Reichel at Palo Alto Networks analyses the Babar/Snowball malware.
- Didier Stevens posted a few times on the SANS Internet Storm Centre Handler Diaries this week
- He analyses a non-malicious PDF file to show how to determine that it isn’t malicious (Parts 1 and 2).
- Didier also explains a recent update to his translate tool to assist in output sanitisation.
Malware analysis output sanitization, (Sat, Sep 9th)
- Holger Unterbrink and Matthew Molyett at Cisco’s Talos blog examine the “Graftor aka LoadMoney adware dropper”.
- Dr. Fahim Abbasi and Rodel Mendrez at Trustwave SpiderLabs examine a phishing campaign distributing malicious JavaScript that downloads a variant of the Dridex banking trojan.
Malware Xeroing in on Cloud Accounting Customers
- Symantec Security Response has released a report detailing the Dragonfly group, who are currently targeting “the energy sector in Europe and North America”.
Dragonfly: Western energy sector targeted by sophisticated attack group
- Chris Schraml at PhishLabs explains three different infection vectors Locky uses to attack victims: a maldoc, RAR’d VBScript, and 7-Zipped JavaScript.
- Ahmed Zaki at NCC Group has a post describing how to decrypt strings in a Poison Ivy sample using IDAPython.
MISCELLANEOUS
- Brett Shavers has a post on the meaning of the phrase “forensically sound” specifically when applied to evidence. “Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or not or that a court will accept it or not”. I liked his comparison between processes that “alter” evidence such as an autopsy – capturing RAM is a process and the extraction for that specific case cannot be reproduced, but the process is the important part. From there the analysis is the reproducible (forensically sound?) part.
“Forensically Sound”. One of those phrases that is commonly used, misused, unused, and abused.
- Digital Forensics Corp shared a few articles this week
- They shared an article by Patrick Siewert on Call Detail Records Analysis
Call Detail Records Analysis
- They shared a link to PPEE, which is a PE file explorer.
PPEE Overview
- They shared Donato Pasqualicchio’s PowerShell cheatsheet
PowerShell Cheat Sheet
- They shared a paper by Luca Massarelli, Leonardo Aniello, Claudio Ciccotelli, Leonardo Querzoni, Daniele Ucci and Roberto Baldoni on “Android Malware Family Classification Based on Resource Consumption over Time”
Android Malware Classification
- They shared a couple of articles on Android app reverse engineering: offensivepentest and evilsocket.
- Oleg Afonin at Elcomsoft comments on the recent changes to iOS and how they may affect mobile forensics. Users are now required to enter their passcode when pairing their computer; this will have an impact on those that rely on Touch ID to access the phones they’re examining (my understanding is that whilst passcodes may be protected under the 5th amendment, you may be able to compel someone to “provide a fingerprint” like you would in a forensic procedure). There’s also the introduction of an SOS mode that has the feature of restricting unlocking to passcode only. Oleg also advises that Apple has removed notifications from backups, and shares some thoughts on 2FA.
New Security Measures in iOS 11 and Their Forensic Implications
- Andrea Little Limbago at Endgame commented on the recent report on Dragonfly released by Symantec.
The Escalation of Destructive Attacks: Putting Dragonfly in Context
- There were a couple of posts on the Forensic Focus blog this week
- They interviewed Thomas Barton on his research into secure messaging apps
Interview With Thomas Barton, Research Associate, Canterbury Christ Church
- They shared a brief summary of Jamie McQuaid’s blog series on using F-Response with Magnet Axiom.
Blog Series: Using F-Response In Enterprise Investigations
- Lee Reiber has a post on LinkedIn that lists an example of when extracting data from a drone may be important and how the recent update to Oxygen Forensic Detective can assist. Apparently, this update is a field-first, so that’s cool; I recall Paraben supporting extracting data from the DJI app, but if I had any questions I’d probably direct them here.
Impacting the Digital Forensic Space with Industry Leading Drone Support
- Action Dan at LockBoxx provides a brief review of “How to Investigate Like a Rockstar: Live a real crisis to master the secrets of forensic analysis” by Sparc Flow. Overall it was a very positive review so I might have to pick this up and have a read (it’s fairly short).
- There were a couple of posts on the Magnet Forensics blog this week
- Tayfun Uzun answered some questions about Magnet’s upcoming Axiom Cloud product.
AXIOM Cloud Q&A with Tayfun Uzun: Part 1
- Christa Miller has compiled all of the recent Magnet Forensics posts on Android device acquisition.
A Roundup of Magnet Forensics Android Recovery Resources
- Yulia Samoteykina at Atola Technology explains Atola’s multi-pass imaging technique, which allows an examiner to skip damaged sections of a drive when it encounters an error. The idea is that on a pass, if errors are encountered, then the program will skip a defined number of blocks in an attempt to read all of the good parts of the drive first. The jump distance is reduced on each subsequent pass. The end result is that you may end up with a large portion of the data quicker, and can choose to skip the extraction of the damaged section.
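To make the multi-pass idea concrete, here is a small simulation of the technique as described above (an added example, not Atola’s code): a constructed 64-sector drive with one damaged region and one isolated bad sector is imaged with decreasing jump sizes, and the per-pass counts show how much good data comes back before the bad area is ever ground through.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample drive: 64 sectors, None marks a sector that returns a read error.
# Sectors 20-27 form a damaged region; sector 50 is an isolated bad sector.
SECTORS = 64
BAD_SECTORS = set(range(20, 28)) | {50}
DRIVE: List[Optional[bytes]] = [
    None if lba in BAD_SECTORS else bytes([lba % 256]) * 512 for lba in range(SECTORS)
]


def read_sector(drive: List[Optional[bytes]], lba: int) -> bytes:
    """Simulated sector read; a damaged sector raises like a real I/O error."""
    data = drive[lba]
    if data is None:
        raise IOError(f"read error at LBA {lba}")
    return data


def multipass_image(
    drive: List[Optional[bytes]], jumps: List[int]
) -> Tuple[Dict[int, bytes], List[Tuple[int, int]], List[int]]:
    """One pass per entry in `jumps`. Each pass walks the still-unread sectors in
    order; on a read error it jumps `jump` sectors ahead instead of grinding
    through the damaged area, so good data is collected first. Later passes use
    smaller jumps; a final jump of 1 retries every remaining sector individually.
    Returns (image, per-pass (sectors_read, errors_hit), unreadable LBAs)."""
    image: Dict[int, bytes] = {}
    per_pass: List[Tuple[int, int]] = []
    for jump in jumps:
        good = errors = 0
        lba = 0
        while lba < len(drive):
            if lba in image:          # already recovered on an earlier pass
                lba += 1
                continue
            try:
                image[lba] = read_sector(drive, lba)
                good += 1
                lba += 1
            except IOError:
                errors += 1
                lba += jump           # leave a hole, jump past the suspected bad region
        per_pass.append((good, errors))
    unreadable = sorted(set(range(len(drive))) - set(image))
    return image, per_pass, unreadable


if __name__ == "__main__":
    image, stats, bad = multipass_image(DRIVE, jumps=[16, 4, 1])
    for n, (good, errors) in enumerate(stats, 1):
        print(f"pass {n}: {good} sectors read, {errors} read errors")
    print(f"recovered {len(image)}/{SECTORS} sectors; unreadable: {bad}")
```

With jumps of 16, 4 and 1 the first pass recovers 34 of the 55 readable sectors while hitting only two errors; the final jump-of-1 pass is the only one that touches every bad sector, which is the part an examiner may choose to defer or skip.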
- Richard Wartell at Palo Alto Networks shares pictures of the prizes for the recent LabyREnth CTF challenge.
- Scott Roberts continues his learning about ICS/SCADA systems, providing a background of the environment that defenders of these systems will be protecting.
- Dave Shackleford at ShackF00 shares his thoughts on the lack of defence-based talks at Blackhat and Defcon. Personally, I think that the better talks are the ones that say “here’s how you attack, and here’s what it looks like/you can protect against it”. I’m not really interested in just the attack methods, because that doesn’t really improve everyone’s security, which, as I understood it, was the point of the security cons.
Where are the “Actionable Defense” talks?
- Megan Hallowell at Champlain College’s Leahy Center for Digital Investigation shares her experience at Enfuse 2017 regarding Jessica Bair’s ransomware presentation.
Enfuse 2017 Reflection – Megan Hallowell: Tracking Ransomware
- @Happyasamonkey posed a question on Twitter during the week that led to some interesting discussion surrounding indexing as a matter of course on a job. Generally, most people said that they didn’t index unless they were required to, but the main points that came out of it were: 1) index when the job requires it, but don’t have the box ticked for every job; 2) indexing is useful for creating wordlists for password cracking; 3) another examiner and I said that if you’ve got the time and resources then you can run additional processing even if you don’t use it, but others disagreed. My point is that if my machine is doing nothing over the weekend then it doesn’t necessarily hurt to have it done if the case may benefit, especially if the job changes and you need it anyway. Of course, your mileage may vary, and Eric raised a good point about whether you may end up making more work for yourself by additional processing. I guess it depends on the cases you work, because if you do additional processing and find something you didn’t know was there then it can make it worthwhile; 4) X-Ways simultaneous search is generally faster for individual searches, but of course if your case pivots and you would benefit from an index, Eric shares a tip on how to make it less crash-prone.
Check out @happyasamonkey’s Tweet
- @inakiabadia posted a tutorial for developing Volatility plugins.
Check out @inakiabadia’s Tweet
- Charles Herring at Witfoo continues his series on people being more important than machines, with part two covering algorithms and machine learning and part three covering “how cognition & AI compare & how they can work together.”
People > Machines (Part Two)
SOFTWARE UPDATES
- Amped Software have released Five Update 9722 with a variety of new features.
Amped FIVE Update 9722: Genetec Omnicast G64/G64X Support, Full Uncompressed AVI Export Compatibility, Filter Panel Options and much, much more!
- Arsenal Consulting advised that they have updated HibernationRecon (latest v1.1.0.66) to work with PowerShell ISE, and Arsenal Image Mounter “now resolves [duplicate] volume GUIDs” (v2.3.24). They also announced that their training now comes with a year’s worth of their tools.
- Eric Zimmerman updated ShellBags Explorer to version 0.9.5.0, adding new GUIDs, and Shellbag types and extension blocks, as well as updates to SBECmd to process the live registry and recursively look through a given directory for relevant registry files.
- Didier Stevens updated his re-search Python script to v0.0.9, adding the “-x (–hex) [option] to produce hexadecimal output.”
- MD5 updated VFC to v4.17.8.25, improving Windows 10 password bypass, and adding an option in the ‘Modify Hardware’ feature.
- Oxygen Forensic have updated their Detective product to version 9.6 introducing drone support (they specify DJI Phantom 3 and DJI Inspire 1, but it may be others as well), as well as improvements to cloud extractor and “bypass screen lock on a greater variety of Motorola devices and supports simultaneous Android data extraction”.
- X-Ways Forensics 19.4 was released with a number of additional improvements over Beta 2.
- Yogesh Khatri at Swift Forensics has developed “an extendible framework (in python) which has plugins to parse different artifacts on a mac”. Interestingly, it’s designed to allow examiners to process Macs without a Mac. Very interested to see how this project plays out because a) Mac-only stuff, i.e. disk images, and b) unicode can cause issues on Windows, so I’m always interested to see how that’s handled. Also, more Mac knowledge is always a good thing, as it’s a very underserved part of the community…hopefully someone *cough* Sarah *cough* gets their act together and releases a comprehensive book on OSX/MacOS Forensic Analysis.
And that’s all for Week 36! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!