FORENSIC ANALYSIS
- Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data, which is nice.
HEIF Image Files Forensics: Authentication Apocalypse?
- Avoiding Atrophy Forensics has a post on using FTK Imager’s command line version.
Command Line FTK Imager
- Brett Shavers talks about the importance of debriefs and discussing cases. “Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better. Debriefing cases makes future cases better.” He also discusses the importance of case-building – putting disparate pieces of information together to lead you towards your defined goal.
Placing the Beard Behind the Keyboard
- Oleg Afonin at Elcomsoft shows how to locate saved Wi-Fi networks and their passwords using Elcomsoft Phone Viewer.
Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords
- Marcos at ‘Follow The White Rabbit’ has a post regarding the Windows Registry and the various tools built around RegRipper. This included my GUI for RegRipper, so thanks for the shout out Marcos 🙂
Windows registry? Prepare the coffeemaker! Using #RegRipper
- Alexander Sevtsov at Lastline examines “a malicious Hangul Word Processor (HWP) document file”.
Uncovering Nation-Specific, Targeted Attacks ( . . . without Knowing Korean)
- The guys at Magnet Forensics interviewed Bob Elder, the CEO of Teel Technologies Canada, and “discussed what he and his team were up to and the importance of partnership in providing meaningful solutions to the forensics community”.
Magnet Forensics and Teel Technologies are Partnering on a Demo Roadshow
- Jamie McQuaid at Magnet Forensics walks through using the newly released AXIOM Cloud to extract data from various cloud sources.
How to Acquire and Analyze Cloud Data with Magnet AXIOM Cloud
- Marc Padilla examines his network traffic to understand the contents of encrypted BitTorrent traffic.
Determine the Contents of Encrypted BitTorrent Traffic
- Lorna Hutcheson at the SANS Internet Storm Centre was asked a question by a reader regarding TCP flags.
Good Analysis = Understanding(tools + logs + normal), (Fri, Sep 29th)
- Heather Mahalik at Smarter Forensics takes a look at parsing the SMS database from iOS 11. She also shares some of her testing methodology, which shows how different tools interpret the data, or how different extraction methods result in different data being presented. I also liked her point about it being a requirement for vendors to provide access to the databases/configuration files. This is both for manual verification, and for accessing the data from apps that aren’t supported.
Time is NOT on our side when it comes to messages in iOS 11
- Over on my ThinkDFIR site, I decided to play around with APFS and have a look at how some of the tools interpreted the volume. On Windows, none of the tools can do anything with the drive; the most recent update to X-Ways will identify that the volume is APFS but that’s it. So as Steve Whalen said in his presentation, you will need a Mac in the equation (or at least OS X… a Hackintosh/VM may work). I also just added another part at the bottom for mounting an APFS image so that a user can look at its contents on OS X High Sierra (I think that you can only use High Sierra, but haven’t checked if it will work on the previous OS X). My next test will be to take Blacklight and see if I can examine the mounted drive in a logical fashion.
Playing with APFS
- Yogesh Khatri at Swift Forensics shares some code for 010 Editor and Python for interpreting APFS timestamps, which are represented as the “number of nano-seconds since 1-1-1970”.
APFS timestamps
THREAT INTELLIGENCE/HUNTING
- Derek Banks at Black Hills Information Security shows how to set up Windows Event Forwarder “to consolidate Windows Endpoint logs”.
End-Point Log Consolidation with Windows Event Forwarder
- The guys at Incident Response Consortium share some strategies for creating an incident response plan.
How to Set Up an Incident Response Plan that Actually Works
- Tomoaki Tani and Hiroshi Soeda at JPCERT have a post on “how to search proxy logs for Datper’s communication using log management tools – Splunk and Elastic Stack (Elasticsearch, Logstash and Kibana).”
Chase up Datper’s Communication Logs with Splunk/Elastic Stack
- Matt Culbertson at Nuix shares some thoughts from the experts at last week’s Nuix User Exchange.
Threat Hunting in 2017: What do the experts say?
- Xavier Mertens has a post on the SANS Internet Storm Centre Handler Diaries regarding analysing PCAP data that he has stored in a Docker container, using Moloch and ElasticSearch.
The easy way to analyze huge amounts of PCAP data, (Thu, Sep 28th)
UPCOMING WEBINARS
- SalvationDATA will be hosting a webinar on their upcoming hard drive and smartphone acquisition products. The webinar will take place on Wed, Oct 18, 2017 at 8:00 AM – 8:30 AM GMT.
SalvationDATA Computer & Mobile Forensics New Products Release Webinar
- Martijn Grooten at Virus Bulletin provided a brief overview of Patrick Wardle’s upcoming talk at VB2017.
VB2017 preview: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server
PRESENTATIONS/PODCASTS
- A number of talks from the 2017 “A Conference on Defence” have been uploaded to the YouTube channel.
- Adrian Crenshaw has uploaded more videos from Derbycon 2017.
- Detektiv Mreža shares a video of Oxygen Forensic Detective downloading two Android phones simultaneously.
Extract data from several Android devices simultaneously
- Elcomsoft uploaded this marketing video, which normally isn’t something I would share but I thought it was fun.
Elcomsoft Mobile Forensic Bundle: Digital Forensic Tools For Government and Law Enforcement
- Forensic Focus shared a presentation by “Mark Scanlon from University College Dublin [on] a formal data-driven approach for prompt investigation of enterprise and internet-wide infections.”
Video: Behavioral Service Graphs
- On this week’s Digital Forensic Survival Podcast, Michael gave his review of Alan J White and Ben Clark’s Blue Team Field Manual.
DFSP # 084 – Blue Team Field Manual
- There were a few videos uploaded to the SalvationDATA YouTube channel.
  - The first shows how to use their SmartPhone Forensic System to acquire data from a feature phone.
  SPF-SmartPhone Forensic System-Case Study-Data Acquisition from Feature Phones
  - The second shows how to “extract the video clips from [a] DVR system without having the DVR hard drive on hand or accessing the DVR control system” using VIP-Network Extraction.
  VIP-Network Extraction-SOP-SalvationDATA DVR Forensics Solution
  - Lastly, they show how to acquire an Android device using SmartPhone Forensic Triage Acquisition.
  SPA-SmartPhone Forensic Triage Acquisition-SOP Introduction-SalvationDATA Mobile Forensics Solution
- SANS shared a couple of presentations from the DFIR Summit and Threat Hunting Summit.
  - Taking Hunting to the Next Level: Hunting in Memory – SANS Threat Hunting Summit 2017
  - Mac Forensics: Looking into the Past with FSEvents – SANS DFIR Summit 2017
  - Framing Threat Hunting in the Enterprise – SANS Threat Hunting Summit 2017
  - MAC Times, Mac Times, and More – SANS Digital Forensics & Incident Response Summit 2017
- Steve Whalen at Sumuri gave a presentation on APFS at the Northwest ICAC meeting. If you deal with Macs, I’d highly recommend watching this talk. Steve does a great job of providing an overview of APFS and how to work around it. He also briefly showed off the soon-to-be-released update to Recon Imager.
SUMURI APFS Special Live Stream – Live from Northwest ICAC at Microsoft Headquarters
- On this week’s Talino Talk, Manny and Jason go over some of the new features in the redesigned Talino Cryptanalysis workstation.
TALINO Talk EP 8 – The Newest TALINO Cryptanalysis Workstation!
MALWARE
- Hideaki Ihara at the Port 139 blog examines how the CCleaner malware uses services to maintain persistence. Hideaki identifies that if the service that loads the malicious DLL is started then “it can not be detected with the Autoruns tool”.
SessionEnvとTSMSISrv.dll
- Michał Praszmo at CERT Poland analyses the Ramnit malware.
Ramnit – in-depth analysis
- The Cylance Threat Guidance Team examine the Defray ransomware.
Threat Spotlight: Defray Ransomware Hits Healthcare and Education
- The guys at Digital Forensics Corp shared an article by GBHackers on fileless malware.
Fileless Malware Overview
- Tim Berghoff at G Data Security shares Nathan Stern’s analysis of some AutoIT malware targeting users in China.
Analysis: Adchiate – Marketing via AutoIT
- Malware Breakdown examines the artefacts created by the Remcos RAT on a Windows system.
Malvertising Leads to RIG EK
- Marco Ramilli examines a Monero CPU miner malware that is located entirely in memory.
Advanced ‘all in memory’ CryptoWorm
- There were a couple of posts on the Palo Alto Networks blog this week.
  - Jeff White looks at a sample of the AgentTesla malware, focusing on the various packing techniques used and providing “scripts to unpack each phase”.
  Analyzing the Various Layers of AgentTesla’s Packing
  - Josh Grunzweig and Robert Falcone provide some further information about the phishing campaign utilising the “CMSTAR malware family [to target] various government entities in the country of Belarus.”
  Threat Actors Target Government of Belarus Using CMSTAR Trojan
- There were a couple of posts on the SANS Internet Storm Centre this week.
  - Didier Stevens continues his examination of a PDF file to confirm that it is not malicious. In this part he dissects his previously extracted image to “try to understand all elements of its structure, hoping to find anomalies”.
  It is a resume – Part 3, (Sun, Sep 10th)
  - Renato Marinho analyses the XPCTRA malware.
  XPCTRA Malware Steals Banking and Digital Wallet User’s Credentials, (Mon, Sep 25th)
- There were a couple of posts on Cisco’s Talos blog this week.
  - Michael Gorelik and Josh Reynolds examine “a newly discovered RTF document family that is being leveraged by the FIN7 group (also known as the Carbanak gang)”.
  FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks
  - Warren Mercer, Paul Rascagneres and Vanja Svajcer examine an attack “focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors”.
  Banking Trojan Attempts To Steal Brazillion$
- Dr. Fahim Abbasi and Nicholas Ramos at Trustwave SpiderLabs analyse an attack chain leading to the Emotet malware.
Emotet lives another day using Fake O2 invoice notifications
- Joshua Shilko at PhishLabs examines the RedAlert2 Android banking trojan.
RedAlert2 Mobile Banking Trojan Actively Updating Its Techniques
- Jason Gu, Veo Zhang, and Seven Shen at TrendLabs examine the ZNIU Android malware.
ZNIU: First Android Malware to Exploit Dirty COW Vulnerability
MISCELLANEOUS
- Andrew Hay at LEO Cyber Security has started a series on how he manages his CFPs for upcoming conferences. This post covers the use of Trello to create a variety of different boards, lists, and cards covering the many topics related to creating and delivering a presentation.
The Hay CFP Management Method
- Blackbag Technologies have announced that they will be releasing an update to Blacklight in early November with a few new features. They also released a post about their adoption of the Sleuth Kit library for their backend file system parsing. Unfortunately, from the posts provided, it doesn’t appear that there will be native APFS support out of the gate, but hopefully this will change by release.
BlackLight 2017 Coming Soon!
- There’s an article on the Deepspar blog regarding PCIe SSDs, announcing that they have released a PCIe SSD add-on for the Deepspar Disk Imager. This add-on incorporates a number of new features that will assist data recovery and forensic examiners with recovering data from damaged PCIe drives.
Recovering Problematic PCIe SSDs
- Demux have shared the release notes for last week’s update to DME Forensics’ DVR Examiner (Version 2.0.4.0).
DVR Examiner V2.0.4 released
- There were a few posts on the Forensic Focus blog this week.
  - Somehow I managed to miss this review of MacQuisition by David Flynn. David provides an overview of Blackbag’s MacQuisition tool.
  Reviews – 2017 – MacQuisition 2017 From BlackBag Technologies
  - They interviewed Zubair Baig, Senior Lecturer at Edith Cowan University, about his research into the forensic and cybercrime implications of smart cities.
  Interview With Zubair Baig, Senior Lecturer, Edith Cowan University
  - They shared the Defense Cyber Crime Centre (DC3) validation report of the MediaClone SuperImager Plus.
  MediaClone SuperImager Plus DC3 Validation Report
- The Forrester report on DFIR service providers for Q3 2017 has been released. I haven’t read it as I’m not a client (it’s $2495 USD to read) so can’t vouch for its efficacy.
The Forrester Wave™: Digital Forensics And Incident Response Service Providers, Q3 2017
- Adam at Hexacorn shows how to maintain persistence using Java.
Beyond good ol’ Run key, Part 65
- Christopher Woods at Nuix shares some best practices for improving your examinations through better collaboration with other stakeholders (i.e. investigators). These best practices include deciding on a scope with the investigator and allowing them access to the data (concurrently if possible), as well as utilising intelligence resources to build on data gathered in other investigations.
3 Investigations Best Practices to Increase Efficiency
- Yulia Samoteykina at Atola Technologies has advised that the Thunderbolt module for the Insight has started shipping. This will allow examiners to acquire the newer Mac laptops via target disk mode.
Thunderbolt extensions ready for shipping!
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some information about BitCracker, a “mono-GPU password cracking tool developed only for volumes encrypted with the password authentication mode.”
BitCracker: open source BitLocker password cracking tool
- Dan O’Day has updated his Google Analytics domain hash calculator to work on a list of domains rather than just a single one, as well as rewriting it in C++.
CLI of Google Analytics Domain Hash Calculator
- There were a few more Enfuse 2017 reflections posted on the Leahy Center for Digital Investigation blog.
  - Enfuse 2017 Reflection – Emily Platz: Combating Fileless Malware
  - Enfuse 2017 Reflection – Jonathan Castro: Forensic Report Writing
  - Enfuse 2017 Reflection – Dylan Francis
  - Enfuse 2017 Reflection – Ree Blaisdell
  - Enfuse 2017 Reflection – Michael Geyer: Passwords, Encryption, and Preparing Your Engagement for Analysis
SOFTWARE UPDATES
- Elcomsoft updated their Phone Viewer tool to version 3.50, adding iOS 11 support, as well as an Applications and Wi-Fi view to see which applications and wireless networks are stored on the device.
Elcomsoft Phone Viewer 3.50 Adds iOS 11 Support, New Applications and Wi-Fi Plugins
- Phil Harvey updated ExifTool to v10.62 (development release), adding some new tags and fixing some bugs.
ExifTool 10.62
- Adam at Hexacorn updated DeXRAY to version 2.02, adding “Zemana <hash> files+quarantine.db”.
DeXRAY 2.02 update
- Mobiledit Forensic Express 4.2 has been released with support for iOS 11, as well as other feature improvements and app parsers.
Forensic Express 4.2 Released!
- X-Ways Forensics 19.4 SR-2 was released with a few bug fixes and the “ability to recognize APFS volumes”. It should be noted that the update doesn’t allow X-Ways to parse APFS volumes, just identify what they are, allowing an examiner to identify which direction their examination needs to take.
X-Ways Forensics 19.4 SR-2
- X-Ways Forensics 19.5 Preview 1 was released with a variety of new features.
X-Ways Forensics 19.5 Preview 1
And that’s all for Week 39! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!