FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal.
$J and USN
- Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10.
USN and range tracking
- Adam Harrison at 1234n6 took a look at the Windows Subsystem for Linux (WSL), introduced in the Windows 10 Anniversary update, in a couple of posts.
- The first examines the “Windows Subsystem for Linux (WSL) and how to identify it is installed on a system you are analysing”. I like that Adam also provides a method for installing the WSL for systems not connected to the Internet (and wish Microsoft would make an easier way to do this). Examiners can identify that WSL has been enabled by locating bash.exe, as well as the “Lxss\rootfs” directory and associated registry key.
Windows Subsystem for Linux and Forensic Analysis
- The second provides some insight into some of the user-activity-based artefacts that can be found on the WSL. Interestingly, you can have multiple instances of the WSL installed, not only for each user but “multiple userlands can be installed side by side” (although this is unconfirmed). There’s a lot of useful information in here that people should refer back to if the WSL has been used on a system.
Forensic Analysis of Systems which have Windows Subsystem for Linux Installed
- Marco Fontani at Amped explains how Amped Authenticate can be used to determine if two photos were taken with the same camera. This is performed by analysing the Photo Response Non-Uniformity (PRNU) noise, and recently they released an update for the tool as “many of our users told us that the filter was hard to configure, and results were not easy to interpret.”
PRNU-based Camera Identification in Amped Authenticate
- The Blackbag Training Team has updated their blog post from last week to add in the method for mounting images of drives with 4k sectors.
Apple File System In Mac Forensic Imaging And Analysis
- Brett Shavers walks through a case study involving digital evidence. There’s also an important announcement at the end regarding his webinar and course.
Case study – Placing the Suspect Behind the Keyboard
- Brett also recommends that prospective LE employees probably shouldn’t refer to themselves as hackers, as this is a red flag.
If you are a “Self-Proclaimed Hacker” looking for a job in LE…
- Cheeky4n6Monkey has been dissecting the new HEIF/HEIC image format. This post includes methods of viewing or converting HEIF photos and videos, as well as what he’s learnt about the file format itself.
Monkey takes a .heic
- Jon Baumann at Ciofeca Forensics takes a look at iCloud Notes and provides a script to decompress and extract them.
There’s Gold In Them There Blobs!
- The guys at Cyber Forensicator shared a few articles this week
- They shared an article by S.H Mohtasebi, Ali Dehghantanha, and Kim-Kwang Raymon Choo called “Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud”
Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud
- They shared a tool by Virtual Reality Systems called AUMFOR, which is a GUI memory forensics utility built on top of Volatility.
AUMFOR – Automatic Memory Forensics
- They shared Sumuri’s Macintosh Forensics best practice guide.
SUMURI’s Free Mac Forensics Guide
- They shared a paper from the International Journal of Electronic Security and Digital Forensics by Cass Flowers, Ali Mansour, and Haider M. Al-Khateeb titled “Web Browser Artefacts in Private and Portable Modes: A Forensic Investigation”.
Web Browser Artefacts in Private and Portable Modes: A Forensic Investigation
- They also shared the news that “Digital Forensics with Kali Linux” by Shiva V.N Parasram is available for pre-order.
Digital Forensics with Kali Linux
- Digital Forensics Corp shared a tool called psad, which “is a lightweight system daemon [which] is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more.”
Intrusion Detection and Log Analysis
- Nanni Bassetti has an article on Forensic Focus showing how to use Imm2Virtual to boot a forensic image as a virtual machine. Imm2Virtual uses a combination of Arsenal Image Mounter and VirtualBox “to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it”.
Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File
- Also on Forensic Focus, Haider H. Khaleel has posted a paper on different digital forensics methodologies. “This paper proposes a new methodology, Focused Digital Forensic Methodology (FDFM), that is capable of eliminating the data volume issue and the lack of focus with the current digital forensic methodologies.”
Focused Digital Forensic Methodology
- Christopher Vance at Magnet Forensics walks through the process of examining an unknown iOS app. In this case he takes a look at the data stored by the Anti-Chat app. Not shown specifically, but afterwards Chris built a custom artefact, which means that this knowledge will be saved and shared.
Supporting the Unsupported: Locating and Analyzing Information from New Mobile Apps
- Alex Maestretti at Netflix shares some thoughts on memory forensics across a variety of topics – Desktops vs Datacenters vs Microservices, System vs Process Memory, Cloud Deployments, Containers, and Interpreted Languages.
Memory Forensics in Clouds and Containers
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has a post covering a variety of topics on the NTFS file system, including the structure of the file system, the MFT, last access times, and Alternate Data Streams.
Some thoughts about NTFS Filesystem
- Howard Oakley at ‘The Eclectic Light Company’ provides some information about the unified logging found across Apple’s operating systems.
Inside the macOS log: logd and the files that it manages
- Howard also showed that the logd log can help identify which processes were used on which day (up to months in the past). “Although the information contained in the logd logs is very detailed, and very extensive, it doesn’t discriminate between users, and doesn’t show what anyone was doing with those processes”. “It does, though, give great insight into the activity of different processes on that Mac over a surprisingly long period.”
What’s your Mac been up to for the last 3 months? Inside macOS’s hidden activity records
THREAT INTELLIGENCE/HUNTING
- Countercept have a post about the importance of network analysis in threat hunting. “It’s important to analyse other data sources to corroborate the indicators found at endpoints and create further opportunities to detect stealthier attacks. Foremost among these other sources are log and network analyses.”
What Is Good Network Analysis?
- Monty St John at CyberDefenses demonstrates using hashes in YARA rules.
YARA Hashing Magic
- Didier Stevens shared “2 Suricata rules to detect Active Directory replication traffic between a domain controller and a domain member like a workstation”.
Quickpost: Mimikatz DCSync Detection
- Joe Desimone at Endgame investigates “an emerging trend of adversaries using .NET-based in-memory techniques to evade detection.” Joe discusses “both eventing (real-time) and on-demand based detection strategies of these .NET techniques”.
Hunting for In-Memory .NET Attacks
- Kathayra at ‘Happy Threat Hunting’ describes the roles in a threat hunting team, explaining that individual hunters work well for small organisations but the model doesn’t scale well. These roles are the hunt lead, gatherer, hunter, and tracker.
Pack Hunting
- Didier Stevens at NVISO Labs shares a couple of “YARA rules to detect [Dynamic Data Exchange] in Office Open XML files (like .docx)”. “These rules can be used in combination with a tool like zipdump.py [or ClamAV] to scan XML files inside the ZIP container with the YARA engine”.
Detecting DDE in MS Office documents
- Didier also examines some of the documents captured with the rules.
YARA DDE rules: DDE Command Execution observed in-the-wild
- Scott Koegler at IBM’s Security Intelligence blog lists five questions to consider when developing an incident response plan.
How an Effective Incident Response Plan Can Help You Predict Your Security Future
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ looks at Process Hollowing and detecting it with Volatility.
Understanding Process Hollowing
- Pablo Delgado at Syspanda shows what Sysmon logs one would see when a user clicks on an e-mail and subsequently executes a malicious macro-laden document.
Threat Hunting with Sysmon: Word Document with Macro
PRESENTATIONS/PODCASTS
- Kevin DeLong at Avairy Solutions interviewed Barry Page about his work at the National Computer Forensic Institute, which provides DFIR training to state and local law enforcement (examiners, investigators and judges). The institute not only provides comprehensive training but also all of the tools for the students to take back with them, which means they can put what they’ve learned into play immediately, which is a really impressive initiative.
HTCIA 2017 Barry Page
- Douglas Brush interviewed Eric Conrad on Cyber Security Interviews. “In this episode we discuss starting in IT before there was infosec, the value of certifications, making blue teams sexy again, teaching for SANS, what makes a good cyber security professional, threat hunting, the importance of PowerShell, DeepBlueCLI, and so much more.”
#038 – Eric Conrad: You Need To Be Interested Beyond 9 to 5
- A number of presentations from the 2017 DEFCON IoT village and Privacy track (village?) have been uploaded to the DEFCON YouTube channel.
- The guys at Forensic Focus shared Jan Peter van Zandwijk’s presentation from DFRWS EU on “Bit Errors As A Source Of Forensic Information In Nand Flash Memory”.
Video: Bit Errors As A Source Of Information In Nand Flash Memory
- The Forensic Lunch has returned! Dave and Matthew hosted Rebekah Brown on her work in threat intelligence and modelling, as well as her book “Intelligence-Driven Incident Response”. Matthew also talked about his latest Rust tool, RustyReg, and Dave shared some information about SANS FOR500 (plus a recommendation for Ryan Benson’s SANS DFIR Summit 2017 presentation).
Forensic Lunch 10/13/17
- ICDF2C tweeted out a link to Mikhail Bushkov and Ben Galehouse’s presentation from the GRR Workshop at ICDF2C Prague 2017.
Check out @ICDF2C’s Tweet!
- Joe Slowik shared his presentation from the SANS DFIR Summit in Prague titled “Windows Log Forensics to the Next Level: PowerShell & WMI”.
Check out @jfslowik’s Tweet!
- Magnet Forensics have uploaded Jessica Hyde’s webinar from during the week on the new connections feature in Axiom.
Recorded Webinar: Connecting the Dots Between Artifacts and User Activity
- On this week’s Digital Forensic Survival Podcast, Michael talks about BambiRaptor by BriMor Labs (as well as a bit about RAM capture – Michael recommends Belkasoft RAM Capturer as it has a smaller footprint than FTK Imager).
DFSP # 086 – BambiRaptor
- Richard Davis provides an overview of Mandiant’s Redline.
Introduction to Redline
- SANS shared a few presentations from the 2017 DFIR Summit and Threat Hunting Summit.
- Tracking Bitcoin Transactions on the Blockchain – SANS DFIR Summit 2017
- Implications of Firmware Trickery Hard Drives – SANS DFIR Summit 2017
- The Myth of Automated Hunting in ICS/SCADA Networks – SANS Threat Hunting Summit 2017
- Beats & Bytes: Striking the Right Chord in Digital Forensics – SANS DFIR Summit 2017
- Real-Time Threat Hunting – SANS Threat Hunting & Incident Response Summit 2017
- Lenny Zeltser has uploaded a short video to “demonstrate how you can intercept network connections in a malware analysis lab if the specimen uses IP addresses for its command-and-control or other communications”.
How to Intercept IP Connections in a Malware Analysis Lab
MALWARE
- Anton Wendel at Cyber.WTF provides some analysis on the Emotet trojan.
Emotet exploits Outlook
- Joie Salvio and Rommel Joven at Fortinet examine an infection chain in which “a PDF file with an embedded javascript is used to download the payload from a Google Drive shared link”. This payload turned out to be an HTA file containing the NanoCore RAT.
PDF Phishing Leads to Nanocore RAT, Targets French Nationals
- Hasherezade unpacks a cryptocurrency miner.
Unpacking a cryptocurrency miner (from NSIS-based cryptor)
- Ari Eitan at Intezer presents “an intriguing case of code reuse in malware from publicly available code, where possibly North Korean and Iranian APT threat actors both used the same code from an example on CodeProject in crafting their malware.”
North Korea and Iran Use CodeProject to Develop Their Malware
- Malware Breakdown takes a look at a RIG EK landing page which downloads and executes the Quant Loader malware, which copies and executes itself as “svchost.exe”.
Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.
- Jérôme Segura at Malwarebytes Labs takes a look at a seemingly benign maldoc that “is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. This then loads another document that contains an exploit.”
Decoy Microsoft Word document delivers malware through a RAT
- MalwareTech has uploaded a video showing how to unpack a TrickBot sample using IDA Pro.
Unpacking Encrypted Executables (TrickBot)
- Robert Falcone and Bryan Lee at Palo Alto Networks share some additional research into the OilRig campaign. They examine the attack campaign that the actors have been using to distribute the ISMDoor trojan.
OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries this week
- Xavier Mertens examines a maldoc that presents itself as an XML file and “contains Base64 data that decodes to another Microsoft document”.
Base64 All The Things!, (Mon, Oct 9th)
- Didier Stevens takes a look at a malformed JPEG to determine whether it was malicious or not.
A strange JPEG file, (Sun, Oct 8th)
- There were a couple of posts on Cisco’s Talos blog this week
- Edmund Brumaghin and Colin Grady, with contributions from Dave Maynor, examine an attack utilising “DNS TXT records to create a bidirectional command and control (C2) channel”. “The malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence”.
Spoofed SEC Emails Distribute Evolved DNSMessenger
- Paul Rascagneres examines a modified version of a “legitimate executable that is part of “Symantec Endpoint” [that] is named EFACli64.dll”. This file was involved in the CCleaner incident and “the well-known IDA Pro disassembler has trouble displaying the [modifications made to the DLL]”.
Disassembler and Runtime Analysis
- There were a few posts on the Trustwave SpiderLabs blog this week
- Nicholas Ramos takes a look at the Lukitus variant of the Locky ransomware.
Locky Part 1: Lukitus Spam Campaigns and Their Love for Game of Thrones
- Homer Pacag provides some information about a Locky variant that uses the extension “ykcol” when encrypting files.
Locky Part 2: As the Seasons Change so is Locky
- Dr. Fahim Abbasi, Gerald Carsula and Rodel Mendrez examine a malicious e-mail that distributes jRAT’s bot agent.
VAT Return with a Vengeance
MISCELLANEOUS
- ACELab have updated their PC-3000 UDMA board, improving data transfer speeds, as well as overall stability.
New enhanced PC-3000 UDMA is getting even more efficient!
- Kate Brew at AlienVault commented on a previous poll she put up on Twitter regarding coding in InfoSec. It seems that some people think that coding is a requirement and some think there are many ways to contribute. My two cents is that learning to write basic scripts at school and university made me in no way a proficient programmer, but I can mess around with the scripts I find online and see what they’re doing (and more often than not, understand why I can’t get them to execute). It’s not a requirement, but it a) makes it easier to figure out why things aren’t working and b) helps you compartmentalise your knowledge so that you don’t make mistakes later and can easily share your work with others.
Do InfoSec Folks Need to be Able to Write Code?
- Chris Sanders provides some strategies for applying deliberate practice to InfoSec. A key takeaway from Malcolm Gladwell’s book “Outliers” is that 10,000 hours of a skill is what is required to become a master. This has largely been misquoted; in actuality what Gladwell was proposing was based on Anders Ericsson’s work, suggesting that deliberate practice is what makes someone a master. Chris shows how doing so helped him improve in one aspect of his life, and how a practice plan can assist practitioners in tracking tasks to assist their improvement.
Gaining Technical Experience with Deliberate Practice
- Dave at Demux looks into the units that the “Duration Slider in the Clip Attributes panel uses.”
DVR Examiner – Features – Clip Attributes
- DFIR Guy at DFIR.Training has a post about sharing and DFIR Door Kickers. First off; Yes, I dislike that my name is in the title of a blogpost, but that comes with putting your work out there; Yes I’m going to hide in my corner now 🙂 Thankfully, my workplace affords me a lot of out-of-office time, so I choose to spend that time learning and reading; putting it out weekly means I have a deadline to force myself to keep up. Without everyone else actually doing the research I’d have little to talk about. Regarding this “If you don’t write anymore, or you don’t write enough, don’t worry. You won’t be in his blog”; this is only a partially true statement – it’s not about how often you write; if you write it and I can find it (note: if I can’t find it, then a lot of people can’t find it either), then I’ll share it. The caveat is if it’s obvious marketing stuff and has little “value” to practitioners then I’m not including it (or if you specifically ask me not to, which doesn’t happen often). And hopefully, we can get more people writing more – you never know when some small piece of information can help someone solve their problem – it also gives me more content to write about, but hey, what better way to spend a Sunday than sitting in a food court because they have free wifi 🙂
The Phill Moore Effect
- Marcos at ‘Follow The White Rabbit’ walks through various aspects of Eric Zimmerman’s Registry Explorer (which, if it isn’t already one of your go-to registry viewers, I’d suggest taking a look at).
Another view of Registry: I do It with #RegistryExplorer. And you?
- The guys at Forensic Focus posted a couple of interviews this week
- Megan Sawle at Infosec Institute took a look at the salaries one can expect in the digital forensics field.
Average Forensic Computer Analyst Salary 2017
- Victoria Berry at Magnet Forensics interviewed Lee Whitfield about his background and the famous Forensic 4:Cast awards. Lee has done a great job with the awards for the better part of a decade, and I’m very excited to see what happens next year (and also not confident how I’d fare against AboutDFIR and DFIR.Training in a category). If I’m lucky I’ll be able to watch the awards live at the 2018 DFIR Summit as well :).
The 4:cast is Bright: a Q&A with Lee Whitfield
- Nick Raedts’ blog has been awarded as one of the top 15 forensics blogs on Feedspot. Congrats Nick!
Awarded top 15 Forensic blog
- Vitaliy Mokosiy at Atola Technology explains the difference between a variety of storage technologies.
Untangling terms: M.2, NVMe, USB-C, SAS, PCIe
- Nick Harbour at FireEye shares the winners and solutions to the 2017 Flare-On Challenge.
2017 Flare-On Challenge Solutions
SOFTWARE UPDATES
- Belkasoft released Belkasoft Evidence Centre v8.5 with a number of improvements including “more mobile acquisition and analysis features”, updates to live memory analysis, malware detection, as well as “better support for Outlook PST and OST files”, cryptocurrencies, and additional mobile apps.
What’s New in Belkasoft Evidence Center 2018 Version 8.5
- Griffeye have released Analyze version 17.1.1, along with the first step of Analyze Command, which “allows integration of third party applications, and the automatic start and import of data to Analyze from external tools”.
Analyze 17.1.1 – Take Command!
- “A new version of MISP 2.4.81 has been released including a significant rework of the graphical visualisation, support for STIX 2.0 export, multiple bug-fixes and improvements for misp-objects.”
MISP 2.4.81 released (aka new graphical visualisation and STIX 2.0 export)
- OS Forensics 5.2.1000 was released with a variety of new features and bug fixes, including a new triage wizard that allows for quick data collection (presentation?).
V5.2.1000 – 10th of October 2017
- radare2 v2.0.0 has been released with a number of “new features, bug fixes and enhancements.” It was then updated to v2.0.1 (https://github.com/radare/radare2/releases/tag/2.0.1).
r2-2.0 aka “shiny-nibbles”
- Sumuri updated Recon to version 3.14.1.12, adding support for iOS 11, OS X High Sierra, APFS volumes, and Recon Imager logical images.
Recon for MacOS
- Sumuri has also released Recon Imager v1.03, which adds the ability to create logical images. This will allow examiners to copy out files from an APFS volume and then examine them using Windows-based tools. This is a good stop-gap until the Windows tools officially support APFS.
Recon Imager Update
- X-Ways Forensics 19.1 SR-10, 19.2 SR-8, and 19.3 SR-8 were released with various bug fixes.
- X-Ways Forensics 19.4 SR-5 was released with some minor improvements and bug fixes.
X-Ways Forensics 19.4 SR-5
- X-Ways Forensics 19.5 Preview 3 was released with some minor improvements and bug fixes.
X-Ways Forensics 19.5 Preview 3
And that’s all for Week 41! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!