I wanted to start this post slightly differently; last week a colleague lost his fight with cancer – he was one of the founding members of the organisation that I work at, and the lack of his presence will be noticed across the command.
Some people have been kind enough to donate to my work on the monthly podcast, and I’m planning on passing on this month’s donations to Lifehouse, a cancer treatment and research centre in Sydney, in John’s memory.
If anyone would like to contribute (you can sign up and then cancel the recurring donation next week), I’ll be sending whatever money is received when the podcast is posted on Tuesday.
Rest in peace mate.
And now on to the forensics news of the week.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at how the defragmentation process affects the NTFS $LogFile.
  $LogFile (2) and Defrag
- Brett Shavers continues to expound the benefits of case studies, applying how he was forced to sink or swim on a number of occasions and how analysing what others had done before him had helped.
  Case studies are more helpful than you may think
- Jon Baumann at Ciofeca Forensics has released a new tool, SQLite Miner. This tool goes through the blob data in an SQLite database and assists in identifying what that data may be (based on magic numbers). “SQLite Miner is one tool that could be very beneficial for the forensic examiner to inform that manual analysis of a new application, find relevant data within a SQLite database of interest, or search across a larger set of backup folders to automatically export all embedded files for easier searching.” Jon then explains various cases where this tool would be useful.
  Mining Hidden Gems With SQLite Miner
- Jon also released his Make Analysis Great Again (MAGA) tool to assist in automating some of the command line input for the tools used in the SANS500 course. I’m in two minds about scripts like this – on one hand, it’s awesome to remove the typing and potential errors (which is why I wrote a similar script for my RegRipper GUI). On the other, I would also want students not to rely on it; sometimes the tools aren’t displaying all of the data by default, for example. Either way, I do like the concept of removing the typing and just getting you the data to analyse; that’s always useful.
  Make Analysis Great Again (or never type the same thing twice)
- The guys at Cyber Forensicator posted a few times this week
  - They shared a tool called ArtifactExtractor, which “is a script that extracts common Windows artifacts from source images and VSCs”
    Extract Common Windows Forensic Artifacts with ArtifactExtractor
  - They shared an article by Daniele Ucci, Leonardo Aniello, and Roberto Baldoni titled “Survey on the Usage of Machine Learning Techniques for Malware Analysis”
    Survey on the Usage of Machine Learning Techniques for Malware Analysis
  - They shared an article by Tadani Alyahya and Ridous Kausar from FAMS 2017 titled “Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone”
    Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone
- Vladimir Katalov at Elcomsoft covers a couple of topics in this post (although I think the marketing rant wasn’t necessarily related to the post). The marketing section is 100% worth reading though – I read a lot of advisories by companies about how their tool is the most amazing thing, and usually it’s good to read them with a grain of salt. Not every tool is a panacea, but they should be considered on their merits because everyone picks different sections of this enormous field to focus on. Vladimir then walked through a case study where they used a variety of their tools to obtain data from iCloud.
  How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed
- Ryan Duquette has a guest post on the Magnet Forensics blog on how to use AXIOM to assist in an insider threat investigation.
  Insider Threats! Using Magnet AXIOM to Prevent and Investigate Intellectual Property Theft
- Mark McKinnon has released an Autopsy plugin for custom reporting.
  Custom Reports For You
- Joe Babineau at Nuix has a post about deduplication, including a video on the ways that Nuix performs the task.
  Mastering Global and Custodial Deduplication in Nuix
- Heather Mahalik at Smarter Forensics provided a list of her favourite mobile forensics tools and her reasons why.
  My Handy Smartphone Toolbox
- There were a couple of posts on the Leahy Center for Digital Investigation blog
  - “The VMWare Analysis team is researching the differences between a Windows 7 machine and Windows 7 virtual machine (VM) as well as the changes between a Windows 10 machine and VM” and shared their first update. “So far, the only identified difference between the VM and the Machine is in the prefetch files”.
    VMWare Analysis Update 1
  - The Application Analysis team shares their first update. They will be looking at the artefacts left on Win10 by the Steam, LastPass, and Fitbit applications.
    Application Analysis Update 1
- Pieces0310 briefly mentions that Responder Pro 3.1.3 can be used to analyse Win10 memory dumps.
  Responder Pro new version could analyze Win10 memory dump – Pieces0310
- Pieces0310 also shows that USB device information can be found in the “Microsoft-Windows-Kernel-PnP%4Configuration.evtx” event log on Win10.
  How to find missing USB Records? – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Monty St John at Cyber Defenses introduces CHRIME, a threat intelligence conceptualisation technique.
  What is this CHRIME thing anyway?
- There’s a post on Hacker Hurricane commenting on the Talos post regarding APT28, specifically methods of prevention and detection of the maldoc.
  Looking at APT28 latest Talos Security write up and how YOU could catch this type of behavior
- Xavier Mertens at the SANS Internet Storm Centre shows how to analyse a file with an unknown extension using a YARA rule.
  Stop relying on file extensions, (Tue, Oct 24th)
UPCOMING WEBINARS/CONFERENCES
- The SANS Blue Team Summit & Training CFP is open until November 3, 2017.
  Blue Team Summit & Training
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from GrrCon 2017.
  GrrCon 2017
- More videos from DEFCON 2017 were uploaded this week
- Karsten Hahn has uploaded a video showing how to “find or get fresh malware samples if you have no access to Virustotal or other paid accounts”
  Malware Analysis – Finding Fresh Samples Without Paid Account
- Matt Seyer has posted his and David Cowen’s presentation from OSDFCon 2017
  Check out @forensic_matt’s Tweet
- Stuart Clarke at Nuix shared a couple of updates to Nuix Analytics & Intelligence
- On this week’s Digital Forensic Survival Podcast, Michael provided an overview of a few locations where examiners can look for evidence of program execution.
  DFSP # 088 – Perfect Execution
- Richard Davis has provided “a quick update to the “Introduction to Redline” video.” “In this video, we’ll take a look at the behavior when attempting to analyze a memory image with version 1.20, and then we’ll repeat the test with version 1.20.1 to verify the issue has been fixed.”
  Redline Update
- SANS uploaded a couple of talks from the 2017 DFIR Summit and Threat Hunting Summit.
- On Talino Talk, Manny and Jason talk about the USB2 and USB3 hubs that they put in the Talino workstations.
  Why So Many USB Hubs in a TALINO? – TALINO Talk Episode 10
- Martijn Grooten at Virus Bulletin shared a paper from VB2017 on “Crypton, a tool developed by F5 Networks researchers Julia Karpin and Anna Dorfman”. The tool “aims to speed up the reverse engineering process by decrypting encrypted content found in a (malicious) binary.”
  VB2017 paper: Crypton – exposing malware’s deepest secrets
MALWARE
- Dennis Schwarz at Arbor Networks examines the SnatchLoader “downloader” malware.
  SnatchLoader Reloaded
- The Bad Rabbit malware appeared this week and was covered on a number of websites.
  - Joesecurity – NotPetya reappears as BadRabbit and keeps the Semi Kill Switch
  - BitDefender – Bad Rabbit Ransomware Strikes Ukraine, Likely related to GoldenEye
  - BartBlaze – Comparing EternalPetya and BadRabbit
  - Carbon Black – Threat Advisory & Analysis: ‘Bad Rabbit’ Ransomware
  - Cylance – Threat Spotlight: Bad Rabbit Ransomware
  - Endgame – BadRabbit Technical Analysis
  - Forcepoint – NotNotPetya – Bad Rabbit
  - Fortinet – Tracking the Bad Rabbit
  - Intezer – NotPetya Returns as Bad Rabbit
  - Malwarebytes – BadRabbit: a closer look at the new version of Petya/NotPetya
  - McAfee – ‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine
  - Palo Alto Networks – Threat Brief: Information on Bad Rabbit Ransomware Attacks
  - SANS – BadRabbit: New ransomware wave hitting RU & UA, (Tue, Oct 24th)
  - Securelist – Bad Rabbit ransomware
  - Talos – Threat Spotlight: Follow the Bad Rabbit
  - Security Affairs – CSE Malware ZLab – Preliminary analysis of Bad Rabbit attack
  - Andrea Fortuna – BadRabbit ransomware: suggested readings
  - Symantec – BadRabbit: New strain of ransomware hits Russia and Ukraine
  - FireEye – BACKSWING – Pulling a BADRABBIT Out of a Hat
  - TrendMicro – Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia
  - WeLiveSecurity – Bad Rabbit: Not-Petya is back with improved ransomware
- The Grugq at Comae Technologies compares the attack vectors and effects of the three worm attacks of this year (WannaCry, NotPetya, and BadRabbit).
  The Shadow Internet
- Sergei Frankoff at OALabs shows how to patch a binary that isn’t executing properly using a hex editor.
  Quick And Dirty Binary Patching With A Hex Editor
- Adam Kramer at the SANS DFIR blog explains a process for testing server-side scripted malware that “alter their responses based on the footprint of the visitor.” To do so, Adam has released a script that iterates through a list of countries and user-agents and “identifies any results which are different from the control value and highlights to the analyst”.
  “Uncovering Targeted Web-Based Malware Through Shapeshifting”
- There were a couple of posts on the SANS Internet Storm Centre this week
  - Richard Porter has a post regarding the use of DDE to provide macro-less code execution in a maldoc.
    Macro-less Code Execution in MS Word, (Wed, Oct 25th)
  - Renato Marinho shares some details of the “Catch-all” malware
    “Catch-All” Google Chrome Malicious Extension Steals All Posted Data, (Fri, Oct 27th)
- Warren Mercer, Paul Rascagneres and Vitor Ventura at Cisco’s Talos blog analyse a maldoc used in a “new malicious campaign from the well known actor Group 74”. “Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.”
  “Cyber Conflict” Decoy Document Used In Real Cyber Conflict
- Matthew Haigh, Michael Bailey, and Peter Kacherginsky at FireEye explain the new feature in FakeNet-NG – “content-based protocol detection and configuration”.
  New FakeNet-NG Feature: Content-Based Protocol Detection
- The guys at Trend Micro have a post on fileless malware, including a couple of examples of where it has been used against organisations.
  Fileless Malware: A Hidden Threat
- Whilst not exactly malware analysis, Veronica Valeros has a post on her timeline of RATs. She is “currently working on the third iteration, which will contain +240 RATs” with the aim of getting to 300 well-known RATs.
  A Study of RATs
MISCELLANEOUS
- Dave at Demux shared a video on importing a video into a tool called VideoFOCUS.
  VideoFOCUS Screen Capture
- The guys at Digital Forensics Corp shared an overview of Rekall on Kitploit
  Rekall Overview
- Jimmy Schroering at DME Forensics explains some of the updates to DVR Examiner 2.0, particularly the efficiency improvements and the redesign that allows them to push updates to the filesystem parsing mechanism much more quickly.
  Moving Forward with DVR Examiner 2.0
- Wes Jones at Fifth Rendition has started a series on how he got into the DF field.
  How I hacked my way into Digital Forensics. Part 1 of a few
- Tom Bytes at Forensic Bytes has a couple of posts this week
  - The first was an overview of a few OSDFCon presentations.
    OSDFCON: Here’s What You Missed
  - The second shares some information regarding salaries and job availability in the digital forensics field
    Digital Forensics Career Overview – Part 2
- Victoria Berry at Magnet Forensics interviewed Troy Schnack about his background and building artefacts for the Artefact Exchange.
  Q&A with Troy Schnack, Forensics Examiner in the Western District in Missouri
- Yulia Samoteykina at Atola Technology shows how to compare a drive’s SMART table before and after imaging.
  Tracking a drive’s SMART table status before and after imaging
- Scott J Roberts has a post on how he develops presentations. Saving this one for later; it’s lengthy, but it’s a good read for those looking to plan out their future speaking engagements.
  Building Better Security Presentations
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains the various SIDs that can be found on a Windows machine.
  Windows Security Identifiers (SIDs)
SOFTWARE UPDATES
- Eric Zimmerman has updated Timeline Explorer to version 0.6.0. New features include updated controls and parsers, saving and loading sessions, improved filter editing, and column pinning.
  Timeline Explorer 0.6.0 released!
- Thomas Tempelmann has released v1.0 of “Biskus APFS Capture”. This is a Windows and Mac tool for opening APFS volumes. Unfortunately, it doesn’t unlock FileVault 2 volumes yet, so it will mainly be useful for external drives and updated systems where the user hasn’t turned on FileVault 2. There’s a trial if you want to test it out, but you can also start a blog and document your findings/use cases; I’m sure Thomas would appreciate it.
  Check out @tempelorg’s Tweet
- Mark Baggett has “released a new version of SRUM_DUMP that creates CSV files”.
  Check out @MarkBaggett’s Tweet
- Matt Seyer updated his RustyReg Windows registry parser (version 0.1.3) with some dramatic speed improvements.
  Check out @forensic_matt’s Tweet
- MobilEdit Forensic Express 4.2.1 was released, fixing a couple of bugs.
  Forensic Express 4.2.1 released
- Nir Sofer at NirSoft has released a new tool to display “the list of all software packages installed on your system with Windows Installer, and lists the files, Registry keys, and .NET Assemblies associated with them”.
  New tool that shows the list of all software packages installed on your system with Windows Installer
- Paul Sanderson released updates to a number of his tools
  - SQLite Forensic Explorer v1.2.4 was released with a number of bug fixes.
    SQLite Forensic Explorer New release 1.2.4
  - SQLite Recovery was updated to version 1.6.4.
    SQLite Recovery New release 1.6.4
  - Forensic Browser for SQLite v3.2.10 was released with a number of bug fixes and enhancements.
    Forensic Browser for SQLite New release 3.2.10
  - ESEConvert v1.0.4 was released with a number of bug fixes.
    ESE Extension, new release 1.0.4
- TZ Works released their Oct/Nov 2017 build, updating csvdx, usp, cafae, and yaru.
  Oct/Nov 2017 build (package)
- X-Ways Forensics 19.5 Preview 5 was released with some minor improvements.
  X-Ways Forensics 19.5 Preview 5
And that’s all for Week 43! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!