FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file.
Security Id と $Secure
- Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators Update. He has also updated his AmcacheParser to deal with the new format and advises that “any tool that has been parsing amcache.hve will break when used on these new formats as the old keys and value names no longer exist”. Whilst the update removes the MFT information and volume information for each file entry, as well as the “key for each program that tracked a (generally accurate) list of all the files associated with said program”, it also adds a lot of new data.
(Am)cache still rules everything around me (part 2 of 1)
- The Blackbag Training Team has posted some information about dealing with APFS. Their current recommendation is to copy “the files to a DMG formatted as HFS+ so that the examiner can lock it and import easily into BlackLight”. They also released a how-to guide for an imaging workaround using Macquisition 2017 R1.
Apple File System in Mac Forensic Imaging and Analysis
- The guys at Cyber Forensicator shared a presentation by Tomer Teller at Microsoft regarding “how unique insights from Microsoft help you defend against attacks”.
Cloud attacks illustrated: How unique insights from Microsoft help you defend against attacks
- They also shared an article from the Journal of Digital Investigation (volume 22, supplement) on DJI Phantom III forensic analysis.
DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III
- Jason Hale at Digital Forensics Stream shares a Win10 registry subkey that can be used to identify program execution and file access. Eric Zimmerman has also completed a Registry Explorer plugin to extract the data.
RecentApps Registry Key
- Oleg Afonin at Elcomsoft covers “the steps required to access the list of apps installed on an iOS device” using Elcomsoft’s tools.
Obtaining Detailed Information about iOS Installed Apps
- Alex Maestretti at Netflix provides an update on their project of moving “towards a streaming model for disk forensics by updating various existing tools that are built around the concept of imaging a single machine and creating a file.”
Update: Disk Forensics as a Microservice
- Jessica Hyde at Magnet Forensics explains that it’s possible to force a cloud backup on an iOS 11 device without knowing the unlock PIN. If the user has set up 2FA then it’s possible to obtain the verification code using the user’s fingerprint. You will still need the user’s iCloud credentials.
How to Acquire an iOS 11 Device Without the PIN/Passcode
- Jeremy Scott at NTT Security shows how to use Volatility to identify malware within a memory image.
Hunting Malware with Memory Analysis
- Andrea Fortuna at ‘So Long, and Thanks For All The Fish’ has a few posts this week
  - The first post is a fairly comprehensive summary of the FAT filesystems.
  Some thoughts about FAT Filesystem
  - The second covers Volume Shadow Copies, explaining what they are and why they can be useful for forensic analysis.
  Volume Shadow Copies in forensics analysis
  - Lastly, he talks about the MACB timestamps on NTFS, the time rules, and detecting timestomping by comparing the FILE_NAME and STANDARD_INFORMATION timestamps.
  MAC(b) times in Windows forensics analysis
- Patrick Olsen at System Forensics has begun a series on Office 365 with the intent of covering “a range of use cases and address them from a security monitoring and response standpoint”. This post covers his setup and compares E3 and E5 licenses.
Office 365 (O365) Security Use-Case Series
- Howard Oakley at ‘The Eclectic Light Company’ has reverse-engineered Apple’s logarchive bundle format and “as a result, a new version of MakeLogarchive will generate logarchives which can be opened using Consolation, Apple’s Console, and the log command in Terminal”. Howard then provides a walkthrough of using the tool.
MakeLogarchive enables Consolation to read individual log files
- Pieces0310 points out that EnCase (version unknown, but it’s 7 or 8) may not list all previously connected devices in “USB Records”. This was shown by examining the link files and seeing that another device had been connected that had not been observed in the previous section. It appears that the author then examined the registry with another tool to provide additional information about the other device.
EnCase missed some usb activities in the evidence files – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Monty St John at Cyber Defenses shows how to apply YARA detection to downloaded HTML pages.
A YARA Adventure in HTML
- Adam at Hexacorn shows a registry entry related to winsock that can be used to execute a DLL.
Beyond good ol’ Run key, Part 66
- Jared Atkinson at SpecterOps shares the pros and cons of “three different concepts [they] use to describe detections”.
Thoughts on Host-based Detection Techniques
- Henrik Johansen shares a system for automating memory forensics across an environment. By taking scheduled memory dumps across the entire organisation (using a scheduled task and F-Response) and extracting the relevant artefacts (using Volatility) into a log management tool (in this case, Humio), “we no longer have to work with a dump — we can work with data from all of them.”
Automating large-scale memory forensics
UPCOMING WEBINARS
- Brett Shavers will be running a free webinar, sharing tips and case studies for placing the suspect behind the keyboard. This will take place on Oct 17 at 11:00am (PST) for 30 minutes.
Free Webinar – Tips and Case Studies on Placing the Suspect Behind the Keyboard
- “The call for papers for DFRWS EU 2018 has been extended to the 9th of October.”
Call For Papers: DFRWS EU 2018
- NW3C and Microsystemation will be hosting a webinar on Drone Forensics 101 on 2nd November 2017 at 2 pm (EDT).
Check out @NW3CNews’s Tweet
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded some more videos from Derbycon 2017.
Derbycon 2017
- Kevin DeLong at Avairy Solutions interviewed Jessica Hyde from Magnet Forensics on the new Connections feature of Axiom. Jessica also encouraged people to share their findings either through Magnet’s Artifact Exchange, or through blogs, listservs or even tweets.
HTCIA 2017 – Jessica Hyde of Magnet Forensics
- Harlan Carvey was interviewed on this week’s ‘Down the Security Rabbithole’ podcast. This interview complemented Harlan’s previous interview on Cyber Security Interviews a couple of weeks back.
DtSR Episode 264 – Windows Forensics Then and Now
- Forensic Focus has uploaded a webinar and transcript regarding the E3: Universal platform by Cassie Castrejon from Paraben.
Webinar: E3: Universal Overview
- Magnet Forensics have uploaded Tayfun Uzun’s previous webinar on “Artifacts in the Cloud and the Impact on Forensics”.
Recorded Webinar: Artifacts in the Cloud and the Impact on Forensics
- Microsystemation have uploaded a short video introducing XAMN Elements, along with a call for beta testers.
XAMN Elements – The fastest route from undecoded data to solid evidence
- On this week’s Digital Forensic Survival Podcast, Michael talks about steganography and the potential challenges it may present to digital forensics professionals. I remember a talk at DEFCON 21 that may interest people by John Ortiz on methods of detecting steganography.
DFSP # 085 – Leggo my Stego
- SANS uploaded a few presentations from the 2017 DFIR Summit.
  - Google Drive Forensics – SANS Digital Forensics and Incident Response Summit 2017
  - The Audit Log Was Cleared – SANS Digital Forensics and Incident Response Summit 2017
  - Know Your Creds, or Die Trying – SANS Digital Forensics and Incident Response Summit 2017
  - Boot What? Why Tech Invented by IBM in 1983 is Still Relevant Today – SANS DFIR Summit 2017
- Manny and Jason hosted another Talino Talk, providing answers to three common questions they get from customers.
TALINO Talk Episode 9 – The Top Three Questions We Get From Customers
- Steve Whalen at Sumuri has a short video on APFS and Recon Imager.
RECON IMAGER Supports APFS Now – Don’t Wait For Work Arounds
MALWARE
- Hideaki Ihara at the Port 139 blog comments on the Japanese characters seen in a screenshot in a post on Cisco’s Talos blog.
CCleaner と GB2312
- The guys at Joe Security show how to use JS instrumentation to detect and bypass the evasion techniques used by malicious JavaScript.
Generic JS Instrumentation
- Eric Merritt at Carbon Black examines the Kangaroo ransomware.
Threat Analysis: Don’t Forget About Kangaroo Ransomware
- Hackers Arise shares a walkthrough of OllyDbg basics.
Reverse Engineering Malware, Part 5: OllyDbg Basics
- Alex Sirr and Spencer Walden at Icebrg explain some of the recent changes to the techniques used by the FIN7 threat actor.
Footprints of FIN7: Pushing New Techniques To Evade Detection
- Jay Rosenberg at Intezer has a post describing new evidence from the CCleaner supply chain attack linking the attack to the Axiom group.
Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
- Malware Breakdown has a couple of posts this week
  - The first provides additional analysis of the “Roboto Condensed social engineering scheme”, including the infection chain and file system activity.
  Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.
  - The second examines a “Seamless gate which used RIG EK to deliver Ramnit banking Trojan”.
  Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.
- Pieter Arntz at Malwarebytes Labs shows how to examine a “file called grandfather.exe” using ILSpy.
Using ILSpy to analyze a small adware file
- There were a few posts on the SANS Internet Storm Centre this week
  - Lorna Hutcheson takes a look at Coinhive’s obfuscated miner JavaScript code.
  Who’s Borrowing your Resources?, (Sat, Sep 30th)
  - Brad Duncan has located some malspam pushing Formbook and “examines the associated email, traffic, malware, and infected Windows host.”
  Malspam pushing Formbook info stealer, (Tue, Oct 3rd)
  - Xavier Mertens shows the benefits of using passive DNS to assist in investigating a security incident involving an online resource that had since been cleaned.
  Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd)
  - Johannes Ullrich shares a script to “extract all the HTTP requests [from a packet capture], and turn them into cURL commands for replay”.
  pcap2curl: Turning a pcap file into a set of cURL commands for “replay” , (Thu, Oct 5th)
- Jaromir Horejsi at TrendLabs examines a maldoc that drops an executable they’ve named Syscon. Jaromir also shows how Syscon uses an FTP server for C&C.
SYSCON Backdoor Uses FTP as a C&C Channel
MISCELLANEOUS
- Carrie Roberts has a guest post on the Black Hills Information Security blog on cracking password-protected MS Office documents with msoffice-crypt, John the Ripper, and hashcat. Hashcat’s GPU acceleration makes the cracking significantly faster.
How to Crack Passwords for Password Protected MS Office Documents
- Blackbag’s pending release of BlackLight changes the way that they hash files; “in line with industry processes for forked files only, a file’s data fork will be hashed. If the data fork doesn’t exist then the resource fork will be hashed. Furthermore, a combined hash will no longer be calculated”. They are also incorporating hashsets from hashsets.com.
Filter out more hashes with BlackLight 2017 R1
- The guys at Digital Forensics Corp shared a few articles this week
  - They shared a video by Alen Gojak on rooting a Samsung Galaxy S7 (v7.0 Nougat) without tripping Knox.
  How to root Samsung Galaxy S7
  - They shared a video by MalwareTech showing “how to extract an Emotet payload from a malicious office document”.
  Extracting Malware from an Office Document
  - They also shared an article by Alistair Ewing that is “a general overview of the actions, programs and techniques used in data collection prior to scenarios such as digital investigation of a recently departed employee or for an e-Discovery litigation hold.”
  Forensic Imaging
- MediaClone has announced on Forensic Focus that they have received the “DC3 Validation Report for The SuperImager Plus Desktop Gen-2 units” and to get in touch if you’d like to view the report. This was shared last week but it looks like the article has been taken down (and I’m pretty sure the report was also publicly accessible then too).
DC3 Validation Report For The SuperImager Plus Desktop Gen-2 Units
- Malware Archaeology’s ‘Windows Registry Auditing Cheat Sheet’ has been updated and can be found here.
Check out @HackerHurricane’s Tweet
- Magnet Forensics posted a number of times this week
  - They have acquired Sentinel Data, who make the Atlas Case Management system.
  Magnet Forensics to Make Great Case Management Software Available
  - They interviewed one of their trainers, Christopher Vance, about his life before Magnet and his love of teaching.
  Meet Magnet Forensics’ Training Team: Christopher Vance
  - They introduced a new class on mobile forensics, AX300, which “details the use of Magnet AXIOM’s imaging abilities, using the standard mobile device imaging methodologies as well as advanced imaging techniques like TWRP and recovery image flashing when things don’t go as expected or when you encounter locked devices”. They also announced that AX200 can now be taken as an online, self-paced course.
  AX300 Brings Advanced Mobile Forensics to Magnet Forensics’ Training Suite
  - Lastly, they announced that they are updating their whitepaper on presenting data at court.
  Newly Updated White Paper on Presenting in Court Coming Soon!
- Yulia Samoteykina at Atola Technology shared some questions that were asked during a Q&A at the recent Techno Security and Digital Forensics Conference in San Antonio, Texas.
Q&A during Techno Security and Digital Forensics Conference in San Antonio, Texas
- The Leahy Center for Digital Investigation blog shared a few students’ reflections from Enfuse 2017.
SOFTWARE UPDATES
- Daniel White at ‘All Things Time Related…’ has announced an update to Plaso, now at version 20170930 (codenamed Heimdall). This adds some under-the-hood changes, and interestingly makes the tool not “backwards-compatible with storage files generated with older version of log2timeline”. As a recommendation, it’s a good idea to keep a copy of the tools you use (where possible) alongside your case data, so that the exact version that produced your results is available if you need it again. This is a good example of when that’s useful. You can download the latest version here
Drink joyful the good mead – Plaso 20170930 Heimdall released
- Arsenal Consulting advised that they have updated Arsenal Imager to version 2.4.26.
Check out @ArsenalArmed’s Tweet
- Cellebrite have updated UFED PA/LA and Reader to version 6.3.12, updating support for a number of apps, as well as resolving a few issues.
UFED Physical Analyzer, UFED Logical Analyzer and Reader Version 6.3.12
- Phil Harvey has updated ExifTool to version 10.63 (development release).
ExifTool 10.63
- David Cowen announced a free utility that is now available called Bitrocker, which is able to “pull the recovery key identifiers from a bitlocker encrypted volume.”
Check out @HECFBlog’s Tweet
- Adam at Hexacorn has updated his DeXRAY script to version 2.03, adding “‘handling’ of quarantine.qtn from Symantec products on MAC.”
DeXRAY 2.03 update
- Microsystemation have released XRY v7.5, XAMN Spotlight 3.0 and XAMN Elements.
Released today: XRY v7.5, XAMN Spotlight 3.0 and XAMN Elements
- Oxygen updated their Detective product to version 9.6.2.100, adding support for a number of new Android devices, as well as the new iOS devices and iOS 11. They also fixed the issue with message parsing on iOS that Heather raised last week.
Oxygen Forensic® Detective supports Apple iOS 11 and new iPhones!
- Peter Kacherginsky advised that Flare-VM has been “updated with many new malware analysis tools and a powershell installer.”
Check out @_iphelix’s Tweet
- Lennart Koopmann has released a tool called nzyme, which is a “Java-based program that puts wireless network adapters into monitor mode, sniffs management frames from all configured 2.4Ghz or 5Ghz channels and writes them into a Graylog instance for monitoring and analysis.”
Introducing nzyme: WiFi monitoring, intrusion detection and forensics
- X-Ways Forensics 19.4 SR-4 was released with some minor improvements and bug fixes.
X-Ways Forensics 19.4 SR-4
- X-Ways Forensics 19.5 Preview 2 was released with a number of new features.
X-Ways Forensics 19.5 Preview 2
And that’s all for Week 40! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!