FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog walks through the process of creating a deleted record in NTFS $I30. For more information about NTFS index attributes I found this article useful (although the pictures don’t appear to display any more for some reason).
NTFS $I30 and Deleted record
- There were a few posts shared on Cyber Forensicator this week
- Oleg Skulkin and Igor Mikhaylov wrote an article on USB device forensics on Win10 using Magnet Axiom. Interestingly the screenshot of the artefacts extracted from the jumplist didn’t also include the Destlist value, which would indicate that the file was accessed (which in fairness is a bit of a misnomer because there wouldn’t be a record for the files at all if they weren’t accessed).
The Hitchhiker’s Guide to USB Forensics
- They shared the news that Max M. Houck’s book titled “Digital and Document Examination” is available for pre-order.
Digital and Document Examination by Max M. Houck
- They shared Sqrrl’s “Practical Threat Hunting” eBook.
Hunt Evil: Your Practical Guide to Threat Hunting
- They shared Barry J. Grundy’s “Law Enforcement and Forensic Examiner’s Introduction to Linux”
Law Enforcement and Forensic Examiner’s Introduction to Linux
- There were a number of posts shared on Digital Forensics Corp this week
- They shared an article by Neeraj Aarora on how to get into DFIR
How to become a computer forensic examiner
- They shared an article by Aftab Alam on repairing OST files.
Recovering corrupted OST files
- They shared an article by Timothy Opsitnick, Joseph Anguilano and Trevor Tucker on various avenues of investigation for employee data theft.
Investigating Employee Data Theft
- There were a few posts on the Elcomsoft blog this week regarding the recent updates to iOS
- Vladimir Katalov explains how it’s possible for an attacker to change a user’s iCloud password if certain circumstances occur.
iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About
- Oleg Afonin looks at the updates to iOS 11 and the circumstances that allow examiners to be able to obtain data from it
Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11
- Vladimir also discusses the iOS keychain, and encrypted iOS backups.
iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?
- Bradley Schatz at Inside Out walks through the process of acquiring 2TB of data from AWS using Evimetry (although the process can be applied to other tools). “Using EC2 Snapshots in conjunction with Snapshot Sharing enables one to quickly Collect copies of Target storage. Acquisition can then be undertaken in the Cloud, so that the evidence is protected by a hash at the earliest opportunity, while minimising the amount of data that needs to be copied.”
AWS EC2 Cloud Storage Acquisition with Evimetry
THREAT INTELLIGENCE/HUNTING
- Hideaki Ihara at the Port 139 blog examines the update to sysmon in relation to WMI event monitoring.
WMI and sysmon v6.10
- Logan Lembke at Black Hills Information Security explains how to use Bro IDS and Real Intelligence Threat Analytics (RITA) to hunt.
Let’s Go Hunting! How to Hunt Command & Control Channels Using Bro IDS and RITA
- Monty St John at CyberDefenses talks about starting with loose YARA rules and then building increasingly tighter rules to provide “thorough and accurate detection”. “Employing the thought of loose matching to tighter matching meant we could re-use earlier loose detections in different context within the conditional logic of later rules. It allowed the introduction of loose detection as a strategy to find interesting things and then tighter and tighter detections to hone in on something specific”.
Beware Putting on the Blinders
- Diego Perez at Eideon shows how to hunt for mimikatz using Sysmon and Event logs
Tales of a Threat Hunter 1
- Marcos at Follow The White Rabbit walks through the use of Sysinternals sysmon.
#Sysmon, The ‘Big Brother’ of Windows; and the ‘super’, #SysmonView
- Pieter Arntz at Malwarebytes labs provides a primer on YARA rules
Explained: YARA rules
- The guys at Red Canary explain how attackers use the RLO character to trick users into thinking their malware is innocuous, and also how to detect these threats with a number of tools.
“semaG dna nuF” with Right-to-Left Override Unicode Characters
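As an added illustration of the detection side of the Red Canary post (this is not code from the original post or from Red Canary), the following Python flags filenames whose displayed extension differs from their real one because of a Unicode bidirectional override; the sample filenames are constructed for the example.

```python
"""Flag filenames that abuse Right-to-Left Override (U+202E) to disguise
their real extension. Added example; sample names below are constructed."""
import unicodedata

# Unicode bidi control characters that can reorder how a name is rendered.
# U+202E (RLO) is the one most often abused; the rest are included so a
# reviewer sees any directional control in a name, not only RLO.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: everything after the first
    RLO character is rendered right-to-left, i.e. visually reversed."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def check_filename(name: str) -> dict:
    """Return the real vs. displayed extension and a suspicion verdict."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    actual_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "actual_extension": actual_ext,
        "displayed_extension": shown_ext,
        # A bidi control plus a mismatch between what the user sees and what
        # the OS will execute is the signature of the RLO trick.
        "suspicious": bool(controls) and actual_ext != shown_ext,
    }


def scan(names) -> list:
    """Return the check results for every suspicious name in `names`."""
    return [r for r in map(check_filename, names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: one RLO-disguised screensaver, two benign names.
    SAMPLE = ["photo_\u202egnp.scr", "notes.txt", "invoice.pdf"]
    for hit in scan(SAMPLE):
        print(f"{hit['displayed_as']!r} is really .{hit['actual_extension']}"
              f" ({', '.join(hit['bidi_controls'])})")
```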
- Guy Bruneau at the SANS Internet Storm Centre Handler Diaries suggests that people take a look at rockNSM as “it contains all the basic elements needed to capture data on the fly with Suricata, Bro, Logstash, Kibana, Elasticsearch and Kafka needed to conduct an investigation”.
rockNSM as a Incident Response Package, (Sun, Sep 17th)
UPCOMING WEBINARS
- AccessData announced a number of short webinars to take place over the upcoming months.
Webinar Series: Take an AccessData Coffee Break
- Chet Hosmer at Python Forensics shared the abstracts for his upcoming talks at the HTCIA International Conference.
HTCIA International Conference 2017
- Martijn Grooten at Virus Bulletin briefly shares some information about an upcoming presentation at VB2017. Julia Karpin and Anna Dorfman will be presenting their tool, Crypton, which was designed to improve the “reverse engineering process by decrypting encrypted content found in a (malicious) binary”
VB2017 preview: Crypton – exposing malware’s deepest secrets
PRESENTATIONS/PODCASTS
- Douglas Brush interviewed Harlan Carvey on Cyber Security Interviews. They discussed a variety of topics from how Harlan entered the field, various challenges that he sees in the industry (for example communication, sharing, and the lack of instrumentation), as well as his love of home beer-brewing. I liked the part about documentation/defining scope/presentation of information because it validated some of my documentation process.
#034 – Harlan Carvey: You Have To Apply the Data To Your Theory
- Dan O’Day shared his presentation on “Intro to smartphone forensics”.
Check out @4n68r’s Tweet
- Karsten Hahn at Malware Analysis For Hedgehogs examines the Scantime crypter and explains the terminology behind it.
Malware Analysis – What is a Scantime Crypter?
- There were a number of videos uploaded to the Nuix YouTube channel this week
- On this week’s Digital Forensic Survival Podcast, Michael covered a method of extracting an iOS device and examining the data. I’ve been doing a bit of iOS device examination at home and I’ve had success using Belkasoft’s Acquisition Tool (which is free), and I also understand Magnet Acquire is also able to easily take an iOS backup. From there I’ve played around with a couple of different backup viewers that let me extract the files/databases that I needed to parse.
DFSP # 082 – iPhone Forensics on the Cheap
- Richard Davis has uploaded a video to his YouTube channel covering NTFS Index Attributes as a continuation of his video on the NTFS file system.
Windows NTFS Index Attributes ($I30 Files)
- SANS shared a couple of presentations from the DFIR Summit and Threat Hunting Summits.
MALWARE
- Hideaki Ihara at the Port 139 blog takes a look at a trojan that stores data in the browser’s cache to evade security.
C2 and Web Storage
- The Cylance Threat Guidance Team examine the Hancitor malware sample that they previously extracted from a maldoc.
Threat Spotlight: MAN1 Malware – The Last Crusade?
- Xiaopeng Zhang at Fortinet continues “the FortiGuard Labs analysis of the new Poison Ivy variant, or PlugX, which was an integrated part of Poison Ivy’s code”.
Deep Analysis of New Poison Ivy/PlugX Variant – Part II
- Omri Ben Bassat at Intezer continues his examination of the Agent.BTZ/ComRAT malware.
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
- Giovanni Vigna at Lastline explains various types of packers that malware applications use and how to detect them.
When Malware is Packing Heat
- There were a couple of posts by Malware Breakdown this week
- They examine some malspam that downloads the CoreBot banking trojan.
“Re: Details” Malspam Downloads CoreBot Banking Trojan
- They also examine the HookAds campaign which is now dropping ZeuS Panda
HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.
- Jérôme Segura at Malwarebytes Labs examines a maldoc that leverages CVE-2017-8759 to install FinFisher.
PSA: New Microsoft Word 0day used in the wild
- Jeremy Scott at NTT Security provides an overview of static and dynamic malware analysis
Detecting Malware through Static and Dynamic Techniques
- Lenny Zeltser has a post on the SANS DFIR blog sharing links to the four malware analysis cheatsheets that he’s recently updated
“4 Cheat Sheets for Malware Analysis”
- Didier Stevens has a post on the SANS Internet Storm Centre Handler Diaries walking through some sample analysis with his (beta) tool jpegdump.
Analyzing JPEG files, (Sun, Sep 10th)
- Genwei Jiang, Ben Read, and James T. Bennett at FireEye explain CVE-2017-8759 and how a malicious RTF file used it to execute the Finspy malware.
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
- There were a couple of articles on the TrendLabs blog this week
- Kevin Sun examines the BankBot Android malware.
BankBot Found on Google Play and Targets Ten New UAE Banking Apps
- The guys also examine a PostScript document that is used to attack older versions of the Hangul Word Processor (HWP)
Hangul Word Processor and PostScript Abused Via Malicious Attachments
- Vitali Kremez reversed the Trickbot Banking trojan’s testnewinj32Dll and shareDll32/WormShare modules
- Cassius Puodzius at WeLiveSecurity examines an attack chain used to distribute malware in Brazil and analyses the “downAndExec standard that is making extensive use of JS scripts to download and execute — in this particular instance, banking malware on victims’ computers.”
DownAndExec: Banking malware utilizes CDNs in Brazil
MISCELLANEOUS
- Arsenal Consulting updated their Registry Recon Quick Start guide.
Check out @Arsenalarmed’s Tweet
- Blackbag will now provide a USB-C to USB connector for anyone who has purchased Macquisition in the last 30 days and into the future. It’s a shame that they aren’t providing this to people with active subscriptions as well, although to get the best “experience”, I’d suggest a USB-C to USB-C and USB-A hub (like this, but maybe cheaper) since you’re going to want to connect the dongle and a destination drive as well. Alternatively, maybe there’s a way to transfer Macquisition to a 1TB external SSD….something to play with at some point (this may be a breach of the terms of service, so if Blackbag wanted to offer a 1TB SSD version I think people might be interested)
MacQuisition now includes USB-C Adapter with Purchase
- Patrick Howell O’Neill at Cyberscoop has a write-up about Berla, the company that produces the car infotainment unit acquisition tool, iVe. Usually I wouldn’t mention this kind of article but I feel it’s important because I’m not sure if people know how much data they may be able to obtain from car systems.
Meet Berla, the little-known company that can pull smartphone data from your car
- Dan Pullega tweeted out his thoughts on teaching DFIR – sit them down and walk through your process and explain your logic/reasoning.
Check out @4n6k’s Tweet
- DFIR Guy at DFIR.Training has a great post on the distinctions in work and personalities behind the digital forensics, incident response, and e-discovery spaces. This can be helpful for giving advice to people as to where to dive in when they’re looking to get into DFIR.
For the new kids on the block
- Preston Miller and Chapin Bryce’s book titled “Python Digital Forensics Cookbook” is now available for pre-order and is due out October 5th.
Python Digital Forensics Cookbook
- Scar at Forensic Focus shared her roundup of the past month’s forum posts.
Forensic Focus Forum Round-Up
- The guys at H-11 Digital Forensics shared a story about how data from a Fitbit was critical in a murder case…which sounds very similar to the DFRWS IoT challenge.
Fitbit Used as Key Evidence in Murder Case
- Adam at Hexacorn updated his EDR sheet to include LimaCharlie
Updated EDR Sheet – LimaCharlie
- John Patzakis, Esq. at X1 Discovery explains the impact of the FRE 902(14) on social media evidence and how examiners will most likely be required to use a dedicated extraction product instead of taking screenshots.
Federal Rule of Evidence 902(14) Will Especially Impact Social Media Evidence Preservation
- Yulia Samoteykina at Atola Technologies explains how to use the “splitting imaging sessions functionality” that was added to the latest version of Atola Insight Forensic.
Splitting an imaging session to separate targets
- Ryan McGeehan provides some information on responding to AWS breaches
Responding to typical breaches on AWS
- Felisa Charles at The Leahy Center for Digital Investigation shares her experience at Enfuse 2017; in particular, Jake Williams’ talk on knowing normal to find evil.
Enfuse 2017 Reflection – Felisa Charles: Know Normal, Find Evil
- Also from LCDI, Jack Gleason shares his experience at Enfuse 2017 and Julie Lewis’ presentation on social media evidence.
Enfuse 2017 Reflection – Jack Gleason: Social Media as Digital Evidence
- Bradley Schatz announced that AFF4 support has been pushed to the Volatility project so we should be seeing that in an upcoming release – if you want it now you’ll have to pull the source.
Check out @blschatz’s Tweet
- Charles Herring at WitFoo continues his series on people and machines, with part four covering playbook automation and part five covering a number of different topics
- Pieces0310 shared their concern regarding LE being able to force a suspect to look at their new iPhone X to unlock the device, after which they “could start to do mobile forensics easily and conveniently”. If we combine this with what we learnt about the updated iOS from Elcomsoft last week, then to perform an extraction examiners would be required to enter a passcode to verify the trust relationship. A way around this would be to sync the device with the user’s own computer if they still did that, but I imagine that’s rarer than it was when the iPhone first came out. This means that the LE examiner may be able to unlock the device, but the examination won’t necessarily be easy and may require a lot of time, effort, and photographs of the screen.
The most interesting feature of iPhone X – FaceID – Pieces0310
SOFTWARE UPDATES
- Elcomsoft updated Phone Breaker to version 8.0, adding support for iOS 11. “The update supports the decryption of and password recovery for local backups, downloads system backups, files, media and synced data from iCloud Drive, and offers access to iCloud Keychain.”
Elcomsoft Phone Breaker 8.0 Adds iOS 11 Support
- Evimetry v3.0.2 was released during the week with a few fixes and improvements. v3.1.3-Unstable was also released.
Evimetry v3.0.2
- IDA 7.0 was released with a variety of updates.
IDA: What’s new in 7.0
- Mark Russinovich announced some updates to the Sysinternals tools with a variety of new features.
Sysinternals Update: Sysmon v6.10, Process Monitor v3.40, Autoruns v13.80, AccessChk v6.11
- Oxygen Forensic have updated their Detective product to version 9.6.1, further expanding their support for DJI’s Go drone mobile apps.
Oxygen Forensic® Detective provides enhanced support for drones!
- Passware has released Passware Kit 2017 v4, adding support for DriveCrypt and 1Password for Mac, “improvements to GPU-accelerated password recovery” and the introduction of “GPU-accelerated password recovery for PDFs”
New In Passware Kit 2017 v4
- CCF-VM v2.2 was released, incorporating newer versions of CDQR and CyLR, as well as other improvements.
CCF-VM v2.2
- CyLR v1.3.4 was released with improvements to the Mac/Linux collection process.
CyLR v1.3.4
- SSDeep Version 2.14 was released with a bug fix and speed improvements. SSDeep also moved to a new website which has a cool feature of allowing you to try some of the ssdeep features online.
Version 2.14
And that’s all for Week 37! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!