FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at the effect on a file's or folder's MFT entry when sdelete is used.
Win 10 and sdelete
- Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator take a look at a few artefacts on OSX that may assist in identifying files copied to a connected volume. They also show a file called devices.tingo, which appears to have a lot of very useful information, but I’m not sure what application it relates to.
The Hitchhiker’s Guide to macOS USB Forensics
- Cindy Murphy at Gillware Digital Forensics explains a new “feature” in iOS 11 that allows users to reset their backup password. Backups on their own are still protected, but users who have forgotten their password (a problem Apple would have to deal with, because people definitely forget them) can reset their settings, which clears the password. This is fairly good news from a forensics side because, as Cindy mentions, breaking iOS backup passwords can be tricky. One of the key takeaways was how Cindy was able to update a phone to iOS 11 and then remove the backup password (if someone is looking for a project, taking a look at what changes on the device would be very useful).
Forensic Case Files – A New Solution for Previously Encrypted iOS Backups
- Oleg Afonin posted a couple of times on the Elcomsoft blog this week
- The first explains the information that can be obtained from locked iOS devices with and without a lockdown file.
The iPhone is Locked-Down: Dealing with Cold Boot Situations
- The second walks through the process of removing the backup password from an iOS 11 device and then acquiring it. It’s an interesting stance for Elcomsoft to take that this step is backwards; realistically, the process has been simplified for device owners, or for those in possession of the device’s passcode. If found on their own, the backups are still secured with the passcode. This really only makes a difference to phone owners (who have the passcode because it’s their phone) that have since forgotten their backup password, which would be a problem that Apple would have to deal with because unhappy customers are a top priority for many companies. From a law enforcement perspective, the examiner would still need to have the device and the passcode to perform an extraction (the passcode being required to trust the computer on iOS 11). As a byproduct of this change, LE examiners just wouldn’t need to break the backup password afterwards, which reduces the number of hurdles that LE examiners (who should be examining the device under the appropriate authority) have to jump through.
iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password
- Jake Williams tweeted a diagram explaining how ewfmount can be used to mount legacy EWF images (E01) under Linux.
Check out @MalwareJake’s Tweet
- SalvationDATA have a case study on recovering footage from a fire-damaged DVR system.
[Case Study] Detailed Steps for Extracting Data from Burned & Watered Hard Drive of DVR System
THREAT INTELLIGENCE/HUNTING
- The guys at Cyber Forensicator shared an article by Moti Bani at Microsoft on how attackers manipulate registry entries to avoid detection by Sysinternals Autoruns, and what defenders can do about it.
Chasing Adversaries with Autoruns – Evading Techniques and Countermeasures
- Monty St John at CyberDefenses explains the H (History) in the CHRIME acronym.
CHRIME and History
- Jordan Potti shows how to implement a suggested attacker detection method that involves “the use of an AD account with the password in the description attribute and logon hours set to none.”
Honey Accounts
- Chris Sanders at Sqrrl discusses “a few techniques you can use to hunt on the network for file types that could be suspicious given the right context.”
Threat Hunting for Suspicious File Types on the Network
- Symantec Security Response describe a “previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets”
Sowbug: Cyber espionage group targets South American and Southeast Asian governments
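The honey account Jordan Potti describes above only pays off if someone is watching for authentication attempts against it. The following is an added example, not Jordan Potti's code or tooling: it builds the all-zero logonHours value that denies every hour of the week (so the attempt is logged by the DC but can never succeed), and runs a simple detector over Security log records that raises an alert for any Kerberos or logon event naming the honey account. The account name svc_backup, the IP addresses and the JSON-lines records are constructed placeholders in the shape of Security log fields, not real data.

```python
"""Honey-account detection over Windows Security event records.

Added example for the technique in Jordan Potti's post; this is not his
code. Assumes an AD account whose description holds its password and
whose logonHours attribute is all zeros, so every authentication attempt
against it is either an attacker who read the description or a
misconfiguration worth a look. The records below are constructed test
data in the shape of Security log fields, not real logs.
"""
import json

# Security event IDs that record an authentication attempt for an account:
# 4768 Kerberos TGT requested, 4771 Kerberos pre-authentication failed,
# 4624 logon succeeded, 4625 logon failed.
AUTH_EVENT_IDS = {4768, 4771, 4624, 4625}

HONEY_ACCOUNTS = {"svc_backup"}  # placeholder honey account name

# Constructed sample records (JSON lines, one event per line).
SAMPLE_LOG = """\
{"EventID": 4624, "TimeCreated": "2017-11-10T08:01:12Z", "TargetUserName": "jsmith", "IpAddress": "10.0.0.21"}
{"EventID": 4768, "TimeCreated": "2017-11-10T08:04:55Z", "TargetUserName": "svc_backup@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.5"}
{"EventID": 4625, "TimeCreated": "2017-11-10T08:05:02Z", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"}
{"EventID": 4663, "TimeCreated": "2017-11-10T08:05:30Z", "TargetUserName": "svc_backup", "IpAddress": "-"}
"""


def logon_hours_never() -> bytes:
    """AD logonHours is a 21-byte bitmask: 168 bits, one per hour of the
    week. All zeros means the account may never log on, which is the lure
    setting: the DC still logs the attempt, but it can never succeed."""
    return bytes(21)


def logon_hours_allowed(mask: bytes) -> int:
    """Number of hours per week a logonHours mask permits (0 for the lure)."""
    if len(mask) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    return sum(bin(b).count("1") for b in mask)


def parse_events(text: str):
    """Parse JSON-lines event records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _normalise_user(name: str) -> str:
    # Kerberos events carry the realm (user@REALM); logon events do not.
    return name.split("@", 1)[0].lower()


def _normalise_ip(addr: str) -> str:
    # The DC logs IPv4-mapped IPv6 addresses as ::ffff:a.b.c.d.
    prefix = "::ffff:"
    return addr[len(prefix):] if addr.startswith(prefix) else addr


def honey_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """Return one alert per authentication event naming a honey account.

    Non-authentication events (e.g. 4663 object access) are ignored even
    if they mention the account, to keep the alert high-fidelity.
    """
    watch = {a.lower() for a in honey_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        user = _normalise_user(ev.get("TargetUserName", ""))
        if user in watch:
            alerts.append({
                "time": ev["TimeCreated"],
                "account": user,
                "event_id": ev["EventID"],
                "source_ip": _normalise_ip(ev.get("IpAddress", "-")),
            })
    return alerts


if __name__ == "__main__":
    for alert in honey_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Because the account's logon hours are empty, the Kerberos TGT request (4768) and the failed logon (4625) are the only events an attacker can generate; the source IP in those records is the host to pivot to first.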
UPCOMING WEBINARS/CONFERENCES
- The CFP for DFRWS USA 2018 has been announced. DFRWS will take place in Providence next July, and the CFP closes January 12, 2018.
Check out @nolaforensix’s Tweet
PRESENTATIONS/PODCASTS
- Richard Davis walks through Link files and Jumplists.
LNK Files and Jump Lists
- Kevin DeLong at Avairy Solutions posted a video on the information that you can obtain from a locked iOS 11 device. This is mainly centred around the data that’s available through Control Centre and through Siri. The video will be useful for those who don’t have much experience with iOS devices.
Get Information from a locked iOS 11 Device
- Videos from the DEF CON 25 Packet Hacking Village were uploaded during the week
DEF CON 25 Packet Hacking Village
- Joshua James at DFIR.Science has posted two videos this week
- Magnet Forensics have uploaded Kevin Harth and Jamie McQuaid’s presentation on case management using Magnet Atlas.
Recorded Webinar: From Intake to Court: Using Case Management to Stay on Track
- Yulia Samoteykina at Atola Technology shares a presentation by Derek Frawley and John Farrugia from the 2017 Techno Security and Digital Forensics Conference titled “Streamlined Child Exploitation Investigations”
Successful use of Insight in investigations: Our clients’ presentation
- SANS uploaded Heather Mahalik and Lee Crognale’s webinar on iOS 11 and handling unsupported data sets.
iOS 11 isn’t all fun and games
MALWARE
- Hideaki Ihara at the Port 139 blog briefly describes Excel’s RegisterXLL mechanism (with regards to the registry and Autoruns)
RegisterXLL and Autoruns
- Aditya Gupta has shared his solutions for the 2017 Flare-On challenge.
Check out @adi1391’s Tweet
- Dave Lassalle, Sean Koessel and Steven Adair at Volexity examine a recent campaign tied to the OceanLotus APT group “targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes”.
OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society
- Karan Sood at CrowdStrike examines the “Stage 2 dropper that pertains to the CCleaner embedded malware”
In-Depth Analysis of the CCleaner Backdoor Stage 2 Dropper and Its Payload
- The Cylance Threat Guidance Team tear down a Locky sample to show “the techniques used by threat actors to avoid detection.”
Threat Spotlight: Locky Ransomware
- Minh Tran at Fortinet examines a maldoc designed to target JustSystems Ichitaro. “JustSystems Ichitaro uses jtd format, which in a nutshell is an OLE2 compound file format.”
Potential Malware Campaign Targeting JustSystems Ichitaro Users
- Adam at Hexacorn suggests a method of malware delivery that could cause security solutions headaches. Malware downloaders could request an executable from two different websites as two distinct parts (i.e. alternating bits) and then put them together on the host.
Breaking download for breaking purposes
- Denis O’Brien at “Malware Analysis: The Final Frontier” has released a few updates for IRIS-H (the “Online Digital Forensic Tool for Microsoft Office Files”): adding support for Shell Link (.LNK) files, an update to the parser for field characters used in OLE and OOXML documents, and an OOXML relationships file parser.
- Hasherezade at Malwarebytes walks through reversing the Malwarebytes CrackMe challenge.
How to solve the Malwarebytes CrackMe: a step-by-step tutorial
- Ryan Sherstobitoff and Michael Rea at McAfee examine a maldoc that leverages the DDE technique. “This document likely marks the first observed use of this technique by APT28.”
Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack
- There were a couple of posts on the Palo Alto Networks blog this week
- Robert Falcone examines “a new version of the Clayslide delivery document used [by the OilRig threat group] to install a new custom Trojan whose developer calls it “ALMA Communicator””
OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
- Josh Grunzweig and Jen Miller-Osborn analyse a new malware family named “Reaver” with ties to the attackers that use the SunOrcal malware.
New Malware with Ties to SunOrcal Discovered
- Didier Stevens has a post on the SANS Internet Storm Centre Handler Diaries on how to extract the text from a PDF document using his tools.
Extracting the text from PDF documents, (Sun, Nov 5th)
- Anatoly Kazantsev at Securelist analyses a malicious sample that hides its activity within a trusted process by executing within the console utility InstallUtil.exe.
Using legitimate tools to hide malicious code
- Gadi Ostrovsky and Limor Kessem at Security Intelligence examine “an overlay RAT malware using the AutoIt framework to bypass AV detection in attacks against Brazilian bank targets”
Overlay RAT Malware Uses AutoIt Scripting to Bypass Antivirus Detection
- There were a couple of posts on the TrendLabs blog this week
- Joey Chen and MingYen Hsieh analyse an attack by the cyberespionage group REDBALDKNIGHT, utilising the Daserf backdoor.
REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
- Lorin Wu takes a look at malicious Android apps that “can surreptitiously install other malware on the affected device via the Toast Overlay attack”.
Toast Overlay Weaponized to Install Several Android Malware
- Vitali Kremez reverses the “latest Lethic spambot”.
Let’s Learn: Lethic Spambot & Survey of Anti-Analysis Techniques
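Adam's split-download idea from the Hexacorn item above (“Breaking download for breaking purposes”) is easier to reason about with the bits in front of you. The following is an added example, not Hexacorn's code: it splits a constructed, harmless stand-in for a PE file (an MZ header plus the DOS-stub string, PAYLOAD below) into two bit-interleaved halves, shows that neither half carries the MZ header or the string a content signature would key on, and reassembles it. The detection takeaway is that inspection has to happen on the host after reassembly, or by correlating two odd binary fetches from the same client, rather than on either download in isolation.

```python
"""Alternating-bit split of a payload, as described in Adam's Hexacorn post.

Added example, not Hexacorn's code. PAYLOAD is a constructed stand-in for
an executable (an MZ header and the DOS-stub string), not malware. Bit i
of the payload goes to part A when i is even and part B when i is odd, so
each part is meaningless noise on its own.
"""

DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed 49-byte payload: odd length, to exercise the padding path.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + DOS_STUB + b".\r\n"


def _to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def _from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def split_alternating_bits(data: bytes):
    """Return (part_a, part_b): even-numbered bits in A, odd-numbered in B.

    An odd-length input is padded with one zero byte so both parts are
    whole bytes; the caller must remember the original length to merge.
    """
    bits = _to_bits(data)
    if len(bits) % 16:
        bits += "0" * 8
    return _from_bits(bits[0::2]), _from_bits(bits[1::2])


def merge_alternating_bits(part_a: bytes, part_b: bytes, length: int) -> bytes:
    """Re-interleave the two parts and trim the padding byte, if any."""
    if len(part_a) != len(part_b):
        raise ValueError("parts must be the same length")
    bits = "".join(a + b for a, b in zip(_to_bits(part_a), _to_bits(part_b)))
    return _from_bits(bits)[:length]


def looks_like_pe(blob: bytes) -> bool:
    """Header check a download inspector might apply."""
    return blob[:2] == b"MZ"


def scan(blob: bytes, signatures=(DOS_STUB,)):
    """Naive content-signature scan: which signatures appear in blob."""
    return [sig for sig in signatures if sig in blob]


if __name__ == "__main__":
    a, b = split_alternating_bits(PAYLOAD)
    print("part A is PE:", looks_like_pe(a), "hits:", scan(a))
    print("part B is PE:", looks_like_pe(b), "hits:", scan(b))
    rebuilt = merge_alternating_bits(a, b, len(PAYLOAD))
    print("rebuilt is PE:", looks_like_pe(rebuilt), "hits:", scan(rebuilt))
```

Neither half starts with MZ (the even bits of “MZ” pack to 0x23, the odd bits to 0xBC) and the 38-byte stub string cannot survive the interleave, so a proxy or AV that only inspects individual downloads sees two opaque blobs; the file that matters only exists after the merge on the endpoint.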
MISCELLANEOUS
- Daniel Pistelli at Cerbero advises that “the upcoming 2.8 version of Profiler Advanced comes with full-fledged support for raw Windows memory image”
Windows Memory Forensics: Close to Release
- Chris Sanders posted some notes from the first week of the Cuckoo’s Egg book reading. These include thoughts on Locard’s exchange principle, as well as timestamps, and the recording will be available until the 16th.
Cuckoo’s Egg – Week 1 Notes
- Wiley has announced a new book by Nick Furneaux, “Cryptocurrency Forensics”. The book is expected to be published in June 2018.
Cryptocurrency Forensics
- DFIR Guy at DFIR.Training shares his thoughts on presenting for free at conferences. Obviously, you need to bring the goods when it comes to content, but his opinion is that “the presenters are the glue and fabric to any conference, yet the vast majority are not paid”. It’s an interesting perspective, and I guess it comes down to your negotiation abilities. This all applies to conferences that are for-profit; the exceptions are the smaller grassroots not-for-profit cons and groups. For anyone interested, this topic was also covered recently on the Art of Charm podcast.
Experts do it for free, but why?
- The guys at Digital Forensics Corp shared a post describing how to mount and decrypt APFS volumes on OSX.
Unlock or decrypt an APFS drive
- Scar at Forensic Focus has shared Angus Marshall’s survey on digital forensics tool development.
Digital Forensics Tool Development Survey
- Tracy Maleeff at InfoSecSherpa shares a recent IR scenario where a customer/end user had clicked on a suspicious link and she utilised empathy in her response.
Empathy in Incident Response
- There’s a post on the Katana Forensics blog regarding the recent mass shooting in Texas. Although the FBI hasn’t confirmed the phone that the shooter had, it is suspected to be an iPhone, so the author runs through the scenario (based on public information) to see what the FBI is able to achieve. There’s also an interesting editorial about how far Apple is willing to push this stance.
Apple and the Texas Shooter
- David Longenecker at ‘Security for Real People’ has started a list of tools that are useful in IR work. The list can be found here
IR Toolkit
- Danny Akacki at Sqrrl has shared his top InfoSec Twitter accounts. Somehow I made the list, thanks Danny!
Threat Hunting Influencers: Top InfoSec Twitter Accounts to Follow
- Patrick Olsen discusses Identity and Access Management on AWS.
AWS Security Overview – Part II – IAM
- The students at LCDI share “the math and code that will calculate our Bluetooth device’s position.”
Bluetooth Device Tracking Update 2
- Troy Schnack relates an old song about remembering both the old and the new to DF work. He advises that whilst the new artefacts are worth chasing, we shouldn’t forget the foundational artefacts either.
One is Silver and the other Gold
SOFTWARE UPDATES
- ACELab have released new PC-3000 Flash software Ver. 7.1.1.
The new PC-3000 Flash software Ver. 7.1.1. is available!
- Blackbag have released Blacklight 2017 R1, adding a variety of new features including support for EML files, exporting media to LACE, C4ALL, and Project Vic, as well as parsing recent items from newer versions of OSX.
Blacklight 2017 R1 is now available
- CRU have released Forensic Software Utility v3.1, USB 3.0 WriteBlocker Driver v1.1, and Ditto/Ditto DX 2017Sep20a.
- Didier Stevens updated oledump to version 0.0.30, adding orphaned stream detection.
Update: oledump.py Version 0.0.30
- Didier also updated his numbers-to-string Python script to version 0.0.3, adding a man page.
Update: numbers-to-string.py Version 0.0.3
- Elcomsoft released EIFT (Elcomsoft iOS Forensic Toolkit) version 2.40. Vladimir Katalov has a post describing the information that can be obtained using EIFT.
What can be extracted from locked iPhones with new iOS Forensic Toolkit
- Eric Zimmerman pushed a minor update to his Timeline Explorer tool (version 0.6.1.2).
TLE 0.6.1.2
- “F-Response 7.0.3.1 has been released. This release corrects and improves upon issues detected in the last few months, including issues with certain Cloud Providers, TACTICAL license management, and error logging.”
- GetData updated Mount Image Pro to version 6.2.0.1775 to fix a bug.
10 November 2017 – v6.2.0.1775
- Adam at Hexacorn has updated DeXRAY to version 2.04 to deal with a new decryption routine used by MBAM.
DeXRAY 2.04 update
- Microsystemation have released XRY & Kiosk/Tablet v7.5.1. The update adds support for additional drone data, new app versions and new phone models, as well as bug fixes.
Released today: XRY & Kiosk/Tablet v7.5.1
- Rekall v1.7.1 was released, adding “full support for Python 3, [and] a refactored and improved EFilter which should be more robust and powerful.”
Release 1.7.1
- SalvationDATA have released two tools this week: SPA “(SmartPhone Forensic Triage Acquisition) of mobile forensics”, and DRS Preview, which is “the software version of DRS (Data Recovery System).”
- They have also released an update to VIP (Video Investigation Portable), now at version 1.0.15.7996. The update adds support for E01/AFF, additional file system support, multi-tasking, and GUI improvements, as well as licensing and bug fixes.
VIP V1.0.15.7996 New Version Release for Better DVR Forensics
- SSDeep version 2.14.1 was released with bug fixes.
Version 2.14.1
- X-Ways Forensics 19.4 SR-6 was released with some minor improvements and bug fixes.
X-Ways Forensics 19.4 SR-6
- X-Ways Forensics 19.5 Beta 1 was released with a number of new features.
X-Ways Forensics 19.5 Beta 1
PRODUCT RELEASES
- CRU have released the new Ditto Shark, and Network Tap Module. The Ditto shark “is a slim, standalone network capture device designed to sniff and collect traffic on a network – including VOIP – with virtually no packet loss at sustained network traffic speeds of 100 Mbps or short burst gigabit network traffic.” The Network Tap module adds network data capture capability to the Ditto/Ditto DX.
And that’s all for Week 45! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!