FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute.
  - Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file.
  $INDEX_ROOT と $I30
  - Hideaki also has a post about ObjectIDs and how they are affected by moving the file across media. I’m wondering whether the USB drive he used was formatted as NTFS, because that might explain why the object ID didn’t transfer. I did a quick test on my system, and moving between directories and other NTFS file systems seemed to maintain the object ID.
  NTFS $OBJECT_ID と Removable
  - Lastly, he shows how to manually parse the $INDEX_ROOT attribute of a file and obtain the ObjectID.
  $ObjId と $O
- The Blackbag Training Team shares some information about Apple’s Unified logging. From the looks of the article, reviewing the logs requires a Mac and can be done with either Terminal or Console. They have also shared the command that examiners would have to run to identify all connected devices stored in the Unified logs.
Accessing Unified Logs from an Image
- Oleg Afonin at Elcomsoft explains that the latest Android update (8.0 – Oreo) now allows users to back up their SMS to the cloud (previously this was only available on Pixel devices). Oleg also runs through the multitude of other data available from an Android cloud backup and data sync, as well as how to force a full cloud backup. He also provides the steps for extracting “SMS text messages from Android 8.0 Oreo backups using Elcomsoft Cloud Explorer 1.40”.
Android 8.0 Oreo: Your Text Messages Are in the Cloud Now
- Jim Clausing has converted the mac-robber script to Python. Jim’s version adds the ability to hash files without modifying their access times and includes the hashes in the bodyfile output.
New tool: mac-robber.py, (Tue, Sep 19th)
- Jim also shows how to mount a file system on Linux in a way that allows an examiner to hash the files without updating their last access times.
Forensic use of mount --bind, (Sun, Sep 24th)
- The Journal of Digital Investigation for September 2017 (Volume 22) has been released.
Volume 22 Journal of Digital Investigation
- The Forensicator has written an article analysing “metadata for the files in Guccifer 2.0’s “Clinton Foundation” file dump (cf.7z), dated July 5, 2016”.
Guccifer 2.0 CF Files Metadata Analysis
- Anthony Berglund and Kevin Boyd at FireEye share pywintrace, which is “a flexible wrapper around Windows APIs to accelerate ETW research”.
Introducing pywintrace: A Python Wrapper for ETW
- Yogesh Khatri at Swift Forensics takes a look at the naming structure of the entries under FXDesktopVolumePositions in the com.apple.finder.plist file. The names end in some seemingly random hex data, which appears to be the “‘Created date’ of the volume’s root folder (for most but not all the entries!)” in Mac Absolute Time.
Interpreting volume info from FXDesktopVolumePositions
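The mac-robber.py and mount --bind items above both address the same requirement: produce a timeline bodyfile with file hashes without leaving freshly updated access times on the evidence. The script below is an added example written for this roundup; it is not Jim Clausing’s mac-robber.py nor code from any of the posts listed. It walks a directory tree, emits TSK bodyfile records (the format mactime consumes), and hashes regular files with Linux’s O_NOATIME flag where permitted, falling back to restoring the original timestamps with os.utime(). The sample file, its content and its timestamps are constructed inline so it runs offline.

```python
"""Added example (not mac-robber.py): bodyfile with MD5 hashes, atime preserved."""
import hashlib
import os
import stat
import tempfile

# TSK 3.x bodyfile layout, as written by mac-robber and read by mactime:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE_FIELDS = 11


def md5_preserving_atime(path: str, st: os.stat_result) -> str:
    """Hash a regular file without leaving an updated access time behind.

    On Linux the file is opened with O_NOATIME so the kernel never touches
    atime (allowed for the file owner or with CAP_FOWNER).  Where the flag
    is missing or refused, the file is read normally and the original
    atime/mtime are written back.  That fallback still bumps ctime, which is
    why a read-only or noatime (bind) mount is preferable on real evidence.
    """
    noatime_flag = getattr(os, "O_NOATIME", 0)  # 0 on non-Linux platforms
    used_noatime = False
    try:
        fd = os.open(path, os.O_RDONLY | noatime_flag)
        used_noatime = noatime_flag != 0
    except PermissionError:
        # EPERM: O_NOATIME refused because we do not own the file.
        fd = os.open(path, os.O_RDONLY)

    digest = hashlib.md5()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)

    if not used_noatime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return digest.hexdigest()


def bodyfile_line(name: str, st: os.stat_result, md5: str) -> str:
    """Format one bodyfile record; crtime is 0 where the OS exposes no birth time."""
    crtime = int(getattr(st, "st_birthtime", 0))
    return "|".join([
        md5, name, str(st.st_ino), stat.filemode(st.st_mode),
        str(st.st_uid), str(st.st_gid), str(st.st_size),
        str(int(st.st_atime)), str(int(st.st_mtime)),
        str(int(st.st_ctime)), str(crtime),
    ])


def bodyfile(root: str):
    """Yield bodyfile lines for root and everything below it.

    Entries are lstat'ed so symlinks are recorded, never followed, and only
    regular files are hashed; everything else carries mac-robber's '0'
    placeholder.  Directory atimes are not protected here: reading a
    directory can still update them unless the mount is noatime/read-only.
    """
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        entries = [dirpath] + [os.path.join(dirpath, f) for f in sorted(filenames)]
        for path in entries:
            st = os.lstat(path)
            md5 = md5_preserving_atime(path, st) if stat.S_ISREG(st.st_mode) else "0"
            yield bodyfile_line(path, st, md5)


def demo() -> dict:
    """Constructed sample: one file with a known MD5 and a deliberately old atime."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "notes.txt")
        with open(sample, "wb") as fh:
            fh.write(b"hello world")  # constructed content; MD5 5eb63bbb...
        old_ns = 1_500_000_000 * 10**9  # 2017-07-14 UTC, well outside relatime's 24h window
        os.utime(sample, ns=(old_ns, old_ns))
        before = os.lstat(sample).st_atime_ns

        lines = list(bodyfile(root))
        after = os.lstat(sample).st_atime_ns

        file_line = next(l for l in lines if l.split("|")[1] == sample)
        return {
            "md5": file_line.split("|")[0],
            "fields": len(file_line.split("|")),
            "atime_preserved": before == after,
            "entries": len(lines),
        }


if __name__ == "__main__":
    for line in bodyfile("."):
        print(line)
    print(demo())
```

Feed the output to `mactime -b bodyfile -d` to get a timeline; the MD5 column is what mac-robber.py adds over the classic mac-robber, and the atime check in `demo()` is the property Jim’s mount --bind post is protecting.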
THREAT INTELLIGENCE/HUNTING
- Samuel Alonso at Cyber IR walks through the use of RSA Netwitness for threat hunting.
Advance Hunting with RSA Netwitness
- Monty St John at CyberDefenses walks through calculating entropy using YARA’s math module.
Yara, Entropy and a bit of Math
- Didier Stevens at NVISO Labs shares a YARA rule for the compromised version of CCleaner.
YARA rules for CCleaner 5.33
- Lee Holmes walks through hunting for base64 strings using PowerShell.
Searching for Content in Base-64 Strings
- Quentin Jerome at Rawsec shares “a table describing the different Sysmon events available across the different Sysmon versions.”
Sysmon Events Table
- Quentin also tested using Sysmon 6.10 “to detect WMI abuses”.
Sysmon v6.10 VS WMI Persistence
- Michael Haag at Red Canary shows how to set up the integration and ingest Carbon Black data into Splunk.
Operationalizing Data With the Carbon Black and Splunk Integration (Part 1)
- Xavier Mertens has a post on the SANS Internet Storm Centre Handler Diaries on building intelligence based on malspam. Xavier “collected files attached to malicious emails and tried to categorize them to determine what were the most common names”.
Getting some intelligence from malspam, (Mon, Sep 18th)
UPCOMING WEBINARS
- Belkasoft will be hosting a webinar on the new version (8.5) of Belkasoft Evidence Centre 2018. The webinar will take place on September 25, 9 am PDT / 18:00 CET.
Join us for a free webinar on the new version of Belkasoft Evidence Center!
- The call for papers for Enfuse 2018 is now open and will close November 3, 2017.
Enfuse 2018 Call for Speakers
- Jeff Hedlesky and David Groskopf at Guidance Software/OpenText will be hosting a webinar on the Tableau TX1 on Thursday, October 05, 2017, at 11:00 AM Pacific Daylight Time.
Three Ways to Improve Your Efficiency with the Tableau TX1 Forensic Imager
- Jessica Hyde at Magnet Forensics will be hosting two webinars on the new Connections feature in Axiom on Tuesday, October 10 @ 9:00AM EDT and 1:00PM EDT.
Connecting the Dots Between Artifacts and User Activity
- Sumuri will be hosting a live stream on Apple APFS on Wednesday, September 27, 2017, at 10:30AM Pacific/1:30PM Eastern.
- Martijn Grooten at Virus Bulletin shares an introduction to the VB2017 talk by Axelle Apvrille from Fortinet on Android reverse engineering tools.
VB2017 preview: Android reverse engineering tools: not the usual suspects
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from Louisville Infosec 2017 and Derbycon 2017.
- Blackbag have uploaded a video explaining how to put an Android phone into airplane mode and turn on USB debugging. USB debugging may be required to obtain an extraction of an Android device.
Android Setup
- The presentations for BSides Augusta 2017 have been uploaded.
BSides Augusta 2017
- Douglas Brush interviewed David Kovar on Cyber Security Interviews. They covered how David got into the field, his development of analyzeMFT, and his work in the drone examination and security space.
#035 – David Kovar: Where Is the Best Application of Your Skill Set
- Sarah Edwards was interviewed on the Mac Admins podcast this week and discussed her work in digital forensics, her research on (and love of) all things Apple, as well as her SANS course.
Episode 52: Digital Forensics on the Mac with Sarah Edwards
- Magnet Forensics uploaded a few videos about their upcoming Axiom Cloud product, as well as a brief video about the new Connections feature in Axiom.
- Paraben Forensics have uploaded a video to their YouTube channel providing an overview of the E3 platform.
E3:Universal Overview Webinar
- On this week’s Digital Forensics Survival Podcast, Michael covers the cree.py OSINT script, which can be used “to profile social media accounts by geolocation.”
DFSP # 083 – cree.py
- Richard Davis “discusses the CCleaner malware incident reported by Cisco’s Talos Intelligence Group on Monday, September 18, 2017.”
CCleaner v5.33 Malware (Supply Chain Attack)
- SalvationData have uploaded the webinar by Raymond Luo on recovering data from damaged or inaccessible CCTV DVR systems.
SalvationDATA Webinar – Retrieve Evidentiary Videos From Damaged or Inaccessible CCTV DVRs
- SANS shared a few presentations from the DFIR Summit and Threat Hunting Summits:
  - Incident Response in the Cloud (AWS) – SANS Digital Forensics & Incident Response Summit 2017
  - Deciphering Browser Hieroglyphics – SANS Digital Forensics and Incident Response Summit 2017
  - Hunting: From Fudd to Terminator – SANS Threat Hunting Summit 2017
  - Rob Lee “The Most Lethal Forensicator We Know” Award – SANS DFIR Summit 2017
- Manny and Jason at Sumuri Forensics showed off the new processor and motherboards going into their products.
New Components Coming To A TALINO Near You! – TALINO Talk – Episode 7
- Steve Whalen at Sumuri also has an important announcement about the OS X High Sierra update. Apparently, none of the Windows forensics tools currently support APFS, which leaves two options: either perform your examination on a Mac, or create a logical acquisition using a Mac-based imager (Recon Imager or Macquisition) and load it onto a non-Mac examination computer.
Northwest ICAC APFS and Mac Forensics Live Stream Announcement
- Hasherezade has shared the slides for her presentation at Security Case Study 2017 on Petya/NotPetya.
Check out @hasherezade’s Tweet
MALWARE
- Dennis Schwarz at Arbor Networks examines some of the obfuscations used by the FormBook malware family.
The Formidable FormBook Form Grabber
- Joie Salvio and Jasper Manuel at Fortinet examine a malicious “Hangul Word Processor (HWP) document leveraging the already known CVE-2015-2545 Encapsulated PostScript (EPS) vulnerability”.
Evasive Malware Campaign Abuses Free Cloud Service, Targets Korean Speakers
- Malware Breakdown examines an infection chain that drops Ramnit and the AZORult stealer.
Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.
- Jérôme Segura at Malwarebytes Labs examines the delivery mechanism and payload of “a malicious Microsoft Office file disguised as a CP2000 notice.”
Fake IRS notice delivers customized spying tool
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries:
  - Renato Marinho shares the threat flow and IOCs for the latest Locky campaign, YKCOL.
  Ongoing Ykcol (Locky) campaign, (Wed, Sep 20th)
  - Brad Duncan reviews “indicators for this most recent wave” of Hancitor malware.
  Malspam pushing Word documents with Hancitor malware, (Fri, Sep 22nd)
- Alexander Liskin, Anton Ivanov, and Andrey Kryukov examine a document that contained “no macros, exploits or any other active content”, but nonetheless provided the attackers with some intelligence by utilising third-party PHP scripts.
An (un)documented Word feature abused by attackers
- Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams at Cisco’s Talos blog examine the files stored on the C2 server for the infected CCleaner version that did the rounds this week. This included examining the stage 2 payload, which dropped trojanised DLLs and stored “an encoded PE in the registry”.
CCleaner Command and Control Causes Concern
- Antonio Pirozzi has a post on Security Affairs sharing CybSec Enterprise Z-Lab’s analysis of the Petya ransomware.
CSE CybSec ZLAB Malware Analysis Report: Petya
- Andrea Fortuna at “So Long, and Thanks for All the Fish” shares a link to IlluminateJs, which can be used to deobfuscate JavaScript.
IlluminateJs: a good Javascript Deobfuscator
- Andrea has also collated some information about the Floxif malware that was embedded into version 5.33 of CCleaner.
CCleaner incident: what we need to know?
- Tony Huffman at Tenable shares some details about the “malicious modification of the 32-bit CCleaner.exe binary”.
Piriform CCleaner Remote Backdoor
- There were a couple of posts on the FireEye Threat Research blog this week:
  - Jonas Pfoh and Sebastian Vogl “present a novel approach to manual dynamic analysis: rVMI. rVMI was specifically designed for interactive malware analysis. It combines virtual machine introspection (VMI) and memory forensics to provide a platform for interactive and scriptable analysis.”
  rVMI: Perform Full System Analysis with Ease
  - Jaqueline O’Leary, Josiah Kimble, Kelli Vanderlee, and Nalani Fraser discuss the APT33 threat group.
  Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
- There were a couple of posts on the TrendLabs blog this week:
  - Hara Hiroaki, Higashi Yuka, Ju Zhu, and Moony Li examine “a malicious profile that can render the iOS device unresponsive” named iXintpwn/YJSNPI.
  iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices
  - Lenart Bermejo, Kenney Lu, and Cedric Pernet examine a new variant of the RETADUP malware that has been found “targeting specific industries and governments in South America”.
  New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining
- Filip Kafka at We Live Security examines the infection mechanism that FinFisher uses.
New FinFisher surveillance campaigns: Are internet providers involved?
MISCELLANEOUS
- Scott Vaughan at Berla has posted two iVe Feature Spotlights; one on blending data from two ECUs in the same case, and the other on iVe’s new mapping options.
- Brett Shavers provided a brief update about his upcoming Bitcoin Forensics book and how cryptocurrencies may be involved in your current investigations – but if you’re not looking for them, you probably won’t find them.
Some of your cases probably already have cryptocurrency evidence in them…
- Chris Sanders has a post about his newest online training course, based on Cliff Stoll’s book “The Cuckoo’s Egg”. “This series is ideal for people who are new to information security or want exposure to other facets of the field”.
The Cuckoo’s Egg Decompiled: An Introduction to Information Security
- The guys at Cyber Forensicator shared a couple of posts:
  - They shared a paper by Tanveer Zia, Peng Liu, and Weili Han titled “Application-Specific Digital Forensics Investigative Model in Internet of Things (IoT)”.
  Application-Specific Digital Forensics Investigative Model in Internet of Things (IoT)
  - They shared a paper by Pavel Gladyshev and Joshua I James from the Journal of Digital Investigation titled “Decision-theoretic file carving”.
  Decision-Theoretic File Carving
- The guys at Digital Forensics Corp shared a few articles this week:
  - They shared an article by Samuel Odendaal at Sucuri on identifying a malicious backdoor purporting to be an image.
  Malicious Backdoor in Image
  - They shared a link to the “LaZagne project [which] is an open source application used to retrieve lots of passwords stored on a local computer.”
  Recovering passwords with LaZagne
  - They shared a post by bridgeythegeek on writing a Volatility plugin.
  How to make a Volatility Plugin
  - They shared a post by Lydecker Black on Pharos, the Static Binary Analysis Framework.
  Pharos Overview
- There were a few posts on the Forensic Focus blog this week:
  - James Zjalic wrote an article regarding the various “laws, regulations, best practices, guidelines, and standards surrounding digital forensics” in relation to seizure and analysis.
  Digital Forensics: Iron Bars, Cement And Superglue
  - Scar shared her roundup of last month’s news.
  Digital Forensics News September 2017
  - They interviewed Oleg Skulkin, who co-authored the Windows Forensics Cookbook with Scar de Courcier.
  Interview With Oleg Skulkin, Author, Windows Forensics Cookbook
  - They also interviewed Diego Renza Torres, professor in the Telecommunications Engineering Faculty at Universidad Militar Nueva Granada, about his work in audio forensics.
  Interview With Diego Renza Torres, Professor, Universidad Militar Nueva Granada
- Apparently, “Paraben has created a 3-day IoT and Smartphone forensic course”; there isn’t much detail in the post, but it will be interesting to see how the course develops.
Paraben Launches Industry First IoT Forensic Training At NATO Cyber School
- Chiragh Dewan at Infosec Institute shared his list of 10 digital forensics tools that are maybe lesser known – I’m not sure I agree that some of the tools should be considered lesser-known, but maybe I’m the exception.
10 Digital Forensics Tools – The Lesser Known
- Tim Berghoff at G Data Security shares some advice on preparing for a situation that requires incident response (both handling it internally and employing the services of an IR team).
Fighting virtual fires, Part 2: how to get ready
- Yulia Samoteykina at Atola Technology walks through transferring Insight cases across computers.
Exporting and importing cases from one computer to another
- Mark Barrenechea at OpenText confirms the purchase of Guidance Software by OpenText. I’m not sure what this means for Encase and Tableau long term, but the post seems to indicate that business should continue as usual.
OpenText acquires Guidance Software
- Sean McVey at Sean’s Cyber blog shares 37 questions that SOCs should be asked when preparing for an incident.
McVey’s 37 Questions for a SOC
- Sean Mason at Cisco has shared his thoughts on communicating with a client and team during an incident. He also shares a template that the Cisco IR team uses to document their findings, plan, and communicate effectively.
Incident Response Fundamentals – Communication
- David Shackleford and Daniel Miessler both wrote articles about the relevance of a degree in the Infosec field. Whilst not specifically DFIR related, I thought I’d include them because of the “competence is key” theme in both articles. David’s article comes at it from a slightly different angle though – that people should build up their expertise in other areas before getting into infosec.
- Cheeky4n6Monkey tweeted out an ArsTechnica article which provides a thorough review of the new features of iOS 11.
Check out @Cheeky4n6Monkey’s Tweet
- Heather Mahalik and Sarah Edwards have updated their SQLite pocket reference guide.
New SQlite Pocket Ref
- John Lambert tweeted out how Microsoft’s Red and Blue teams train together.
Check out @JohnLaTwC’s Tweet
SOFTWARE UPDATES
- Berla have released iVe v1.12.4, adding “support for a wide range of Mercedes-Benz vehicles manufactured from 2011 to present”. They’ve also included “additional mapping functions, as well as the ability to combine data from vehicles containing two supported ECUs into one iVe case”, and UI and performance improvements.
iVe v1.12 Released
- DVR Examiner 2.0.4.0 has been released.
- Elcomsoft Cloud Explorer (ECX) 1.40 was released, adding SMS extraction from Android cloud backups as well as “support for XLSX data exporting”.
Elcomsoft Cloud Explorer Adds XLSX Export and Android Oreo Support, Downloads SMS Text Messages from Google Account
- Adam at Hexacorn updated his DeXRAY script to version 2.01 to support BullGuard quarantine files.
DeXRAY 2.01 update
- Magnet Forensics have updated Axiom to version 1.2, which introduces the new Connections feature, as well as Axiom Cloud.
Magnet AXIOM 1.2 is Here with AXIOM Cloud, Connections and More!
- Matt Seyer has released a new Rust-based DFIR tool for decoding the Windows Registry to JSON.
RustyReg
- “A new version of MISP 2.4.80 has been released including the most awaited MISP objects feature along with other new features, security fix CVE-2017-14337 and improvements.”
MISP 2.4.80 released (aka MISP objects release)
- Oxygen Forensic Detective was updated to version 9.6.2, adding support for “iOS 11 and their iCloud backups”.
Oxygen Forensic® Detective supports iOS 11 and new iPhones!
- Sanderson Forensics have updated a couple of tools this week:
  - SQLite Forensic Explorer was updated to version 1.2.3 with some performance updates and bug fixes.
  SQLite Forensic Explorer New release 1.2.3
  - SQLite Recovery was updated to version 1.6.3 with some improvements and bug fixes.
  SQLite Recovery New release 1.6.3
- Tableau have released Tableau Firmware update version 7.19, affecting the TX1 and T7u.
Tableau Firmware update version 7.19
- TZWorks released usp v0.52, dup v0.14, and csvdx v0.18 during the week.
- X-Ways Forensics 19.4 SR-1 was released, with some minor improvements and bug fixes.
X-Ways Forensics 19.4 SR-1
And that’s all for Week 38! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!