Just wanted to say thanks first up to the Patreon donors for the latest podcast episode. For those that didn’t see last week’s post, I’ll be donating the proceeds from this month’s show to the Lifehouse cancer research and treatment centre.
FORENSIC ANALYSIS
- Dan Pullega at 4n6k posts how he identified the answer to a question I posted on Twitter. I kept coming back to the prefs.js file, but didn’t realise that the file would only update when the program was closed. As Firefox is open source, Dan was able to assist by pulling the source code and locating the relevant sections relating to my query. Thanks Dan!
  Forensics Quickie: Identifying “Clear Recent History” Settings for an Old Version of FireFox
- John Walther at Carpe Indicium has a post regarding the forensic artefacts left by the program Eraser when it is installed and opened.
  Forensic Artifacts of Eraser – part 1
- There were a number of posts by Cyber Forensicator this week
  - They shared a presentation by Scott Moulton from SkyDogCon 2017 called “Think Different? On Forensics”.
    Think Different? On Forensics
  - They shared a paper by Gabriel Arquelau Pimenta Rodrigues, Robson de Oliveira Albuquerque, Flávio Elias Gomes de Deus, Rafael Timóteo de Sousa Jr., Gildásio Antônio de Oliveira Júnior, Luis Javier García Villalba, and Tai-Hoon Kim titled “Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection”.
    Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection
  - They shared the announcement that Mike Sheward’s book titled “Hands-on Incident Response and Digital Forensics” “is expected to be published in May 2018 and is available for pre-order”.
    Hands-on Incident Response and Digital Forensics
  - They shared a paper by Mohammed I. Al-Saleh and Mona J. Al-Shamaileh titled “Forensic Artifacts Associated with Intentionally Deleted User Accounts”.
    Forensic Artefacts Associated with Intentionally Deleted User Accounts
  - They shared a presentation from DEFCON by Matt Joyce titled “Amateur Digital Archeology”.
    Amateur Digital Archeology
- The guys at Digital Forensics Corp shared a paper by Cosimo Anglano, Massimo Canonico, and Marco Guazzone titled “Forensic Analysis of Telegram Messenger on Android Smartphones”.
  Forensic Analysis of Telegram Messenger
- Vladimir Katalov at Elcomsoft has a couple of posts this week
  - The first discusses the major issues with getting into a locked iPhone. Overall, Apple’s security has improved a lot in recent years, meaning locked devices are getting harder and harder to get into. Vladimir lists a few scenarios and the information that you’re able to obtain in those situations.
    Can You Unlock That iPhone?
  - The second is a fairly lengthy look at the history of iOS security and forensics. It covers topics including iOS backups (and the data that isn’t backed up), trust relationships with computers, physical acquisition of older iOS devices, and iCloud acquisitions.
    The art of iOS and iCloud forensics
- Cindy Murphy at Gillware Digital Forensics describes a recent examination where an employee’s workstation showed up with the files cleared off it. During her investigation, she identified that the user had run a Windows system reset, which deleted the user’s files (leaving them orphaned, so they were easily recoverable with metadata intact). Cindy also explains that Windows logged a lot of the activity.
  Forensic Case Files: Windows Update Did It!
THREAT INTELLIGENCE/HUNTING
- Xavier Mertens at /dev/random shares a “custom search command [for Splunk] that interacts with MISP to get IOCs.”
  Splunk Custom Search Command: Searching for MISP IOC’s
- Monty St John at Cyber Defenses explains the Constellations part of the CHRIME acronym.
  CHRIME and Constellation
- Cheryl Biswas at CyberWatch lists a number of logs in Windows and Linux that may assist in identifying suspicious activity.
  Log Files: You Don’t Know What You’ve Got til it’s Gone
- Didier Stevens shares YARA rules and ClamAV signatures “to detect documents created with [a] Metasploit module”.
  Analyzing Metasploit’s Office Maldoc
- Kristina Sisk at Happy Threat Hunting describes building a Threat Hunting Team Maturity Model. She also mentions that “if you are considering building your own model to assist in future audits be sure to document your model development process, your references, and resources. This documentation will be instrumental in showing auditors the thought process behind your model in the absence of an industry recognized one.”
  Threat Hunting Team Maturity Model
- Jeremy Scott at NTT Security shows how to “use memory analysis techniques to retrieve the Dyre Trojan configuration”.
  Using memory analysis to hunt more malware
- There were a couple of posts on the Red Canary blog this week
  - Casey Smith explains why hunters should set up collection using Sysmon and DNS logging, as well as create a baseline and inventory of your environment. “The collection and capability is low cost and high signal. If you have collection and analysis in these areas, you will likely be able to unmask adversary activity in your fleet”.
    The Scariest Threats? The Ones We Cannot See
  - Michael Haag analyses some data from Carbon Black Response using Splunk.
    Operationalizing Carbon Black Response with Splunk (Part 2): Advanced Data Analysis
- The SANS InfoSec Reading Room has published Brian Todd’s whitepaper on setting up a logging infrastructure and performing correlations on the captured data.
  Creating a Logging Infrastructure
- Pablo Delgado at Syspanda shows the event IDs generated when Sysmon is stopped.
  Monitoring the monitor: Sysmon status
UPCOMING WEBINARS/CONFERENCES
- Jamie McQuaid and Kevin Harth at Magnet Forensics will be hosting two webinars on their new Atlas case management system. The webinars will take place on Tuesday, November 7th at 9:00AM EDT and Wednesday, November 8th at 1:00PM EDT.
  Webinar: From Intake To Court: Using Case Management To Stay On Track
- The CFP for Enfuse 2018 has been extended until November 2017.
  Enfuse 2018 Call For Speakers
- SANS posted notification that there are a few DFIR webinars coming up soon
  - Rob Lee will be presenting a webinar on the SIFT Workstation. The webinar will take place on Friday, November 10th, 2017 at 1:00 PM EST (18:00:00 UTC).
    Getting Started with the SIFT Workstation
  - Heather Mahalik and Domenica Crognale will be hosting a webinar on Heather’s recent post on iOS 11 SMS examination, as well as their testing/research methodologies. The webinar will take place on Wednesday, November 8th, 2017 at 10:30 AM EST (15:30:00 UTC).
    iOS 11 isn’t all fun and games. What we know so far and ways to handle unsupported data sets
  - Lenny Zeltser will be hosting a webinar on deriving potential infection markers from malware. “It will also examine the potential for and limitations of vaccination and will explore several samples that could be controlled using this technique”. The webinar will take place on Tuesday, November 14th, 2017 at 11:00 AM EST (16:00:00 UTC).
    Using Malware Analysis to Explore the Potential of Malware Vaccination
PRESENTATIONS/PODCASTS
- James Habben at 4n6ir has shared his presentation on malicious USB devices and the methodology that it describes.
  Malicious USB Devices
- Kevin DeLong at Avairy Solutions interviews Chet Hosmer at the HTCIA conference. Chet talks about his work and his thoughts on how the market is moving towards more active cyber defence rather than responding to incidents.
  HTCIA 2017 – Chet Hosmer
- A number of presentations from DEF CON 25 were uploaded to the DEF CON YouTube channel.
  DEF CON 25
- Forensic Focus has shared Jessica Hyde’s presentation on Magnet Axiom’s connections feature.
  Connecting the Dots Between Artifacts and User Activity
- They also shared Felix Freiling’s presentation from DFRWS EU on whether digital investigators should learn to program.
  Do Digital Investigators Have To Program? A Controlled Experiment In Digital Investigation
- Karsten Hahn at Malware Analysis for Hedgehogs has another post in his ‘Ask an Analyst’ series.
  Ask An Analyst – How did I get Into Malware Analysis?
- Karsten also continues his analysis of the Fleercivet malware.
  Malware Analysis – Analysis of Fleercivet (Part 4)
- The slides from OSDFCon 2017 have been uploaded.
  OSDFCon 2017
- Paraben have uploaded a video showing how to access the tutorials and help files in their E3 product.
  E3 How To Use Help Files
- On this week’s Digital Forensic Survival Podcast, Michael interviewed a practitioner about a career in digital forensics.
  DFSP # 089 – So you want to DFIR?
- SalvationData have uploaded a video on the disk imaging function of the VIP DVR Forensics tool.
  VIP-Disk Imaging-SOP-SalvationDATA DVR Forensics Solution
- Chad Tilbury at SANS presents a webinar based on a presentation that he gave at the 2017 DFIR Summit. The presentation covered credential types, attack tools, and mitigations from both a red and blue team perspective.
  Windows Credentials Attacks, Mitigations & Defense
- Robert M. Lee at SANS gave a webinar on the updated FOR578 course.
  Updated FOR578: Training for Security Personnel and Why Intelligence Matters to Yo
- Ira Victor interviewed Yuri Gubanov on the Cyber Jungle this week regarding Belkasoft’s latest update.
  The CyberJungle Episode395
- Virus Bulletin has uploaded a presentation by Andrew Brandt from VB2017. Andrew presented on the TrickBot malware.
  Turning Trickbot: decoding an encrypted command-and-control channel
MALWARE
- Bart Blaze at Blaze’s Security Blog analyses some malware that’s involved in a supply chain attack on the CrunchyRoll website.
  CrunchyRoll hack delivers malware
- The guys at ClearSky analyse a maldoc associated with the LeetMX cyber-attack campaign.
  LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America
- Assaf Dahan, Kohei Fujikawa, and Tomonori Sawamura at Cybereason break down a recent attack using the Oni ransomware against Japanese companies.
  Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan
- The Cylance Team analyses a recent maldoc utilised by APT28.
  Cylance vs. APT28’s VBA Malware
- Didier Stevens analyses a maldoc whose macros had “been disabled by orphaning the streams containing macros”.
  Analyzing A Malicious Document Cleaned By Anti-Virus
- Floser Bacurio Jr., Wayne Low, and Jasper Manuel at Fortinet analyse a new Sage ransomware variant.
  Evasive Sage 2.2 Ransomware Variant Targets More Countries
- Ioana Rijnetu at Heimdal Security analyses the Bad Rabbit ransomware.
  Security Alert: Bad Rabbit Ransomware Spreads Through Fake Adobe Flash Update
- Darryl at Kahu Security deobfuscates a PHP script that was “protected by PHPJiami”.
  Deobfuscating PHPJiami
- Pieter Arntz at Malwarebytes Labs analyses a trojan “by looking at the API calls performed during the sandboxed execution of the file.”
  Analyzing malware by API calls
- MalwareTech provides some guidance on creating a malware analysis virtual machine.
  Creating a Simple Free Malware Analysis Environment
- There were a couple of posts on the McAfee Labs blog this week
  - Xiaobing Lin at McAfee analyses “a new variant of Expiro with a significant change in its infection routine”.
    Expiro Malware Is Back and Even Harder to Remove
  - Yukihiro Okutomi examines some malicious Android apps.
    Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization
- There were a couple of posts on the Palo Alto Networks blog this week
  - Brandon Levene, Brandon Young and Dominik Reichel analyse a downloader used as part of the Necurs campaign to distribute Locky or TrickBot.
    Everybody Gets One: QtBot Used to Distribute Trickbot and Locky
  - Jacob Soo and Josh Grunzweig examine “three documents crafted to exploit the InPage program”.
    Recent InPage Exploits Lead to Multiple Malware Families
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
  - Didier Stevens shows how to extract a malicious file that’s stored in the ACE archive format.
    Remember ACE files?, (Sun, Oct 29th)
  - Didier also shows how to extract a PDB path from a PE file.
    PE files and debug info, (Mon, Oct 30th)
  - Xavier Mertens walks through some PowerShell snippets used for various purposes by malware.
    Some Powershell Malicious Code, (Tue, Oct 31st)
  - Xavier also examines an obfuscated JAR file.
    Simple Analysis of an Obfuscated JAR File, (Fri, Nov 3rd)
  - Didier shows how to use his tools to triage and extract URLs from PDF documents.
    PDF documents & URLs, (Sat, Nov 4th)
- There were a few posts on Securelist this week
  - Sergey Yunakovsky examines the DiscordiaMiner malware.
    Tales from the blockchain
  - The GReAT team explore the recent attacks performed by the Gaza cybergang.
    Gaza Cybergang – updated activity in 2017
  - The team also take a look at the Silence trojan seen attacking financial institutions.
    Silence – a new Trojan attacking financial organizations
- Edmund Brumaghin, Earl Carter and Emmanuel Tacheau at Cisco’s Talos blog examine an attack where the malicious actors poisoned Google Search results and distributed a maldoc containing a new version of Zeus Panda.
  Poisoning the Well: Banking Trojan Targets Google Search Results
- Nicholas Ramos at Trustwave takes a look at the recent DDE attack.
  The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature
- There were a couple of posts on the TrendLabs blog this week
  - Jason Gu, Veo Zhang, and Seven Shen examine some Android apps that have “malicious cryptocurrency mining capabilities”.
    Coin Miner Mobile Malware Returns, Hits Google Play
  - Lilang Wu, Ju Zhu, and Moony Li take a look at a “new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile to conduct different attacks compared to its predecessor.”
    App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant
- Martijn Grooten at Virus Bulletin shared a paper by Alex Kouzmine and Frank Bitsch on “FAME, a ‘Friendly Malware Analysis Framework’ – an open source framework that should help make the important task of analysing the various threats an organization is facing both faster and easier.”
Paper: FAME – Friendly Malware Analysis Framework
MISCELLANEOUS
- Atola have shared their Insight manual online.
  Check out @atola_insight’s Tweet
- Brett Shavers had a couple of posts this week
  - The first introduces Brett’s new case study series. For $125 (a year I’m guessing), Brett will give you access to the various case studies that he has, and will, record. He intends to produce between 4 and 8, 15-45 minute case studies a month. Brett also has a “short-run promo price that includes a 3-month access the Case Studies Series and also to the X-Ways Forensics Practitioner’s Guide Online Course for $95”. I’ve recently completed the X-Ways course, and it was really great – especially when you’ve got the tool open and need to remember how to do something, you can jump to the relevant video and watch Brett do it.
    A bundle of case studies and X-Ways Forensics Practitioner’s Guide training
  - The second discusses the benefits of sharing and compares the military view on sharing (pro-sharing) with the private sector view. I think that people might think it takes longer than it does; realistically you’re doing the testing or research anyway, so writing it down coherently shouldn’t be that much extra work. And the main question is will you ever have to do that research again in a year… which took longer, the time it took you to write everything down, or to re-do your research?
    Sharing is caring
- Alex Caithness and Arun Prasannan at CCL had a nice summary of the history of smartphone operating systems. If anything, this shows that even though there are two major operating systems on mobile, there’s been a variety over the years, so there’s always work in DFIR…
  The Smartphone Graveyard
- Tyler Schlecht at DME Forensics provides an update on the pending release of DVR Examiner. Version 2.2, expected in January 2018, includes the new update framework, as well as a change in licensing. Instead of paying for updates and retaining access to the last version that you had an active subscription to, soon you won’t be able to process evidence without an active license.
  Upcoming DVR Examiner Updates: More DVRs, Faster!
- Tom Bytes at Forensic Bytes discusses the difference between private and public sector digital forensics.
  Digital Forensics Career Overview – Part 3
- There were a few posts on the Forensic Focus blog this week
  - The guys from HddSurgery share some information about their Head Holder, Head Holder +, Platter Stand 2.5″ and Platter Stand 3.5″ products.
    Data Recovery Tools: Platter Stands And Head Holders From HddSurgery
  - HancomGMD shared news that a new mobile forensics tool has been released called MD-Live.
    MD-LIVE: New Product For New Trend of Mobile Forensics
  - Paraben, along with Avairy Solutions, have announced Paraben Training Academy; an “online learning environment [that] allows individuals in the field of cyber-forensics to attend video courses, complete labs, and take certification examinations all in one virtual place”. “Currently, the program will offer the DSMO-DS Mobile Operator course and certification but the curriculum will be expanding from there.”
    Paraben Training Academy Launches With DSMO Certification
  - AccessData announced that they have an implementation of AD Lab on Amazon Web Services.
    AccessData’s AD Lab Becomes First Forensics Platform Available On AWS And Azure
- Sean Morrissey at Katana Forensics has noticed a new feature that will roll out soon for WhatsApp that allows users to delete messages that have been sent off the receiver’s device. As the feature hasn’t been released yet, it’s difficult to say if the message will be recoverable from the database.
  The Forensic Issue with WhatsApp’s New Feature!
- There were a few articles on the Magnet Forensics blog this week
  - Victoria Berry interviewed Tayfun Uzun on the Cloud product and how it integrates with Axiom.
    AXIOM Cloud Q&A with Tayfun Uzun: Part 2
  - Christa Miller wrote an article on taking the stand in a trial, particularly surrounding presenting yourself when opposing counsel asks questions (and my documentation post even got a shout-out, so thanks!).
    How to Maintain Your Expert Credibility on the Stand
  - Christa also interviewed Jamie McQuaid and Jessica Hyde on the benefits of researching in digital forensics. One of the things they touch on is how examiners do their own research (which includes validation testing) and how a goal should be to learn one new thing a week. The next step would be to share that one thing you learn; if it took you time to figure it out, no doubt someone else will benefit from the time you spent. Other good methods of research and expanding your knowledge are picking a topic and presenting at a conference, or working through some of the DF challenges that others have compiled.
    Making Time for Forensic Curiosity: Digital Forensic Research
- Nick Raedts at Raedts.BIZ has tested six imaging tools to compare their performance and features. Overall his top picks were the more fully featured tools – FTK Imager, Belkasoft Acquisition Tool, and Paladin.
  TESTED: Forensic imaging tools
- Patrick Olsen at System Forensics provides a security overview of AWS.
  AWS Security Overview – Part I
- Howard Oakley at The Eclectic Light Company has a post covering the updated copy/clone mechanism in OSX 10.13. It would be interesting for someone to dive into this from a forensic perspective, i.e. what happens on the file system (timestamps mainly) when a user clones a file, and also how to ensure you’re examining the final version of a file.
  Taking Stock: Using APFS in High Sierra 10.13.1
- Christopher Schmitt at FireEye introduces GoCrack, a tool “that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI … to create, view, and manage tasks.”
  Introducing GoCrack: A Managed Password Cracking Tool
SOFTWARE UPDATES
- Last week Cellebrite updated UFED Cloud Analyzer to version 6.2 but I missed it (sorry!). The update adds support for iOS 11 iCloud backups, Google Takeout, LinkedIn, and Box.
  UFED Cloud Analyzer Release Notes 6.2 (October 2017)
- This week, Cellebrite updated UFED Ultimate, InField, and Physical/Logical Analyzer to version 6.4. The update adds support for DJI drones, additional extraction for some Android devices, support for Apple’s HEIC format, as well as various bug fixes.
  UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Reader 6.4 [November 2017]
- CRU released version 3.1.0.6 of their Forensic Software Utility for Windows. This version adds support for the v5.5 line of UltraDocks.
  Forensic Software Utility
- Cyber Triage v2.1.7 has been released, with UI updates, Chrome support, and improved malware scoring.
  More Changes To Make Your Response Faster
- Didier Stevens updated a number of his tools this week.
- David Dym at EasyMetaData has “updated FindUSBMSC to allow it to handle corrupted gzip files.”
  FindUSBMC updated – v20171030
- Elcomsoft released version 3 of their Advanced Intuit Password Recovery tool. “Version 3.0 adds support for the latest versions of QuickBooks and Quicken, enabling users to attack and recover passwords protecting Quicken 2006-2017 documents and instantly unlock QuickBooks databases in 2006 through 2017 formats.”
  ElcomSoft Provides Password Recovery Solution for Quicken and QuickBooks
- Evimetry v3.0.4 was released with a few bug fixes.
  Release 3.0.4
- Phil Harvey updated ExifTool to version 10.65 (development release), adding new tags and bug fixes.
  ExifTool 10.65
- AccessData has released “AD Lab 6.3 and FTK 6.3 [which feature] parsing of new file types, innovative job management tools and more flexible processing options.”
  AccessData Releases Powerful New Versions Of AD Lab And FTK Forensics Tools
- GetData released Mount Image Pro v6.2.0.1774, increasing the “speed of File System mount file access” and adding “improved support for write-blocked physical drive Live Boot in Forensic Explorer.”
  1 November 2017 – v6.2.0.1774
- Passmark Software released OSForensics v5.2.1002 with a number of bug fixes.
  V5.2.1002 – 3rd of November 2017
- Tableau have released a new firmware update (v7.20). “This release includes firmware updates for the TX1 Forensic Imager, the Forensic Universal Bridge model T356789iu, and an update to the TFU utility.”
  Tableau Firmware Update Revision History for v7.20
And that’s all for Week 44! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!