Just to start, I’ve signed up to Amazon’s Affiliate program so if you click on the Amazon links I’ll get a referral bonus. That being said, I’m going to be providing the non-referral link, as well, for anyone that wants to use that.
Also, apologies for the formatting and if some posts from the week haven’t been shared. Something’s up with my Feedly/IFTTT apparently. Adding to the post after it’s been published destroys the formatting.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at what happens to the USN Journal when a tool is used to change the timestamps on a file.
USN Journal and Timestamp
- John Bair’s new book, “Seeking the Truth from Mobile Evidence: Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations”, has been released. (Non-affiliate link).
- Andrew Swartwood at Between Two DFIRns has posted a new DFIR CTF challenge.
DFIR CTF: Precision Widgets of North Dakota Intrusion
- Brett also shares the feedback from a recent survey on his case studies; many people have found them beneficial and relevant, produced often enough, and of a sufficient length.
DF/IR Case Studies
- The guys at Cyber Forensicator shared a number of papers this week
  - They shared a paper by Antonis Michalas and Rohan Murray titled “MemTri: A Memory Forensics Triage Tool Using Bayesian Network and Volatility”
  MemTri: A Memory Forensics Triage Tool Using Bayesian Network and Volatility
  - They shared a paper by Sebastian Neuner, Artemios G. Voyiatzis, Martin Schmiedecker, and Edgar R. Weippl titled “Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS”
  Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS
  - They shared a paper by Christopher Meffert, Devon Clark, Ibrahim Baggili, and Frank Breitinger titled “Forensic State Acquisition from Internet of Things (FSAIoT): A general framework and practical approach for IoT forensics through IoT device state acquisition”
  Forensic State Acquisition from Internet of Things (FSAIoT): A general framework and practical approach for IoT forensics through IoT device state acquisition
  - They shared a paper by Andreas Dewald and Sabine Seufert titled “What is new in EXT4 from an incident analysis perspective”
  What Is New in EXT4 from an Incident Analysis Perspective
  - Lastly, they shared a tool by Ahmed Shawky called Mail Header Analyzer
  Mail Header Analyzer (MHA)
- Joshua James at Digital Forensic Science shows how to install and use EWF Tools on Linux
EWF Tools: working with Expert Witness Files in Linux
- The guys at Digital Forensics Corp share a tool called FatCat which can be used to parse FAT file systems.
FatCat Overview
- Mark McKinnon explains an Autopsy module he created that exports files matching a list of file extensions into a VHD file.
Creating A Data Preview Container in Autopsy.
- There’s a post on MuSecTech about automating IR collection. There are a number of benefits to automation, and the author makes some valid points regarding the speed and efficiency of having a tool that can extract and parse artefacts.
Making a Case for Live Response Scripts (See what I did there?)
- Nick Raedts explains how to generate a personalised wordlist using bulk_extractor.
Building wordlists from Forensic Images
- The SANS Information Security Reading Room shared a couple of papers this week
  - Scott Perry’s paper demonstrates “tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi”.
  Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi
  - John Garris’ paper “provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the [U.S. Ninth Circuit Court of Appeals] decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement.”
  Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court
- TM4n6 has a post looking into the forensic artefacts for the Vim text editor on both Unix and Windows.
Forensic Relevance of Vim Artifacts
- Graham Cluley at WeLiveSecurity shares an article regarding the new WhatsApp feature to delete messages that you’ve sent from a recipient’s device. The article points out that part of the message can also be found in the notification log, but I don’t think a proper analysis of the message databases has been conducted. The article also lists situations where the log isn’t going to be populated, and notes that the log is cleared on restart (something to keep in mind when performing a physical extraction, which usually requires restarting the phone).
Think you deleted that embarrassing WhatsApp message you sent? Think again
THREAT INTELLIGENCE/HUNTING
- Chris Sanders shares the notes from the chapters of The Cuckoo’s Egg that were reviewed this week
Cuckoo’s Egg – Week 2 Notes
- Paula at CQURE Academy walks through the process of creating a Sysmon config file.
Building A Perfect Sysmon Configuration File
- The guys at Digital Forensics Corp shared an article by Brian Reitz at SpecterOps on hiding registry keys. “RegEdit will throw an error when viewing the key, while reg query and PowerShell’s Get-ItemProperty won’t return a value hidden in this way. However, using the Autoruns tool from Sysinternals, we can see (and delete) the value we just created”.
Hiding Registry keys
- Chenming Xu, Dan Caselden, Justin Warner, and Stephen Hinck at Iceberg provide a case study that “demonstrates how an understanding of the underlying vulnerability [in Apache Struts] as well as exploitation techniques can be combined and applied to create more robust detections.”
Exploiting Apache Struts: A Case Study In Writing Better Detections
- There’s a post on the NTT Security blog that uses an example to show the difference between attack information and threat intelligence.
What does threat intelligence actually mean?
- The SANS InfoSec Reading Room shared Brian P. Kime’s white paper on “how CTI can support DFIR at each level of intelligence and operations – tactical, operational, and strategic – and during each phase of the incident response lifecycle – preparation; detection and analysis, containment, eradication, and recovery; and lessons learned”
Cyber Threat Intelligence Support to Incident Handling
- Kaspersky Lab have posted an article in response to the article by “the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system”. The article lists a number of questions with which they started their internal investigation and shares their findings.
Investigation Report for the September 2014 Equation malware detection incident in the US
- Matthew Hosburgh at Sqrrl shows how to hunt for the use of the voice recording app on Windows systems.
Hunting for Evidence of Eavesdropping
UPCOMING WEBINARS/CONFERENCES
- Paraben announced on Forensic Focus that they will be uploading “quick training videos focused on the individual E3 Platform features” to their YouTube channel.
Quick Trainings Get You Going With The E3 Platform
- Magnet Forensics announced a webinar on their Atlas case and lab management solution. The webinar will take place on Tuesday, 28 November 2017 at 2:00PM GMT.
From Intake to Court: Using Case Management to Stay on Track
PRESENTATIONS/PODCASTS
- Adrian Crenshaw shared the presentations from SecureWV/Hack3rcon 2017.
SecureWV/Hack3rcon 2017 Videos
- Maxim Suhanov shared his presentation on parsing Windows Registry files. In the presentation, he points out that a number of tools do not parse the transaction logs, and therefore can miss important data. Thanks to the guys at Cyber Forensicator for sharing the link.
In-Depth Forensic Analysis of Windows Registry Files
- Douglas Brush interviewed Andrew Hay on this week’s episode of Cyber Security Interviews, during which they discussed the difference between forensics in the cloud and forensics of the cloud; infrastructure vs service (among other things).
041 – Andrew Hay: Creative Solutions To Hard Problems
- A couple of presentations and transcripts were posted on the Forensic Focus blog this week
- Hasherezade posted a couple of videos this week
- Nuix posted a couple of videos this week
- OA Labs released a few videos this week on their YouTube channel
- Paraben Corporation shared a video showing how to use their mobile case comparer function in E3 Universal and DS. They also have a blog post explaining why you might want to do this.
E3 Platform Using Mobile Case Comparer
- On this week’s Digital Forensics Survival Podcast, Michael talks about the Red Team Field Manual, which is the companion to the Blue Team Field Manual.
DFSP # 091 – Red Team Field Manual
- Rob Lee at SANS presented a webinar on the SIFT Workstation. (Also, I really like the new logo).
Getting Started with the SIFT Workstation Webcast with Rob Lee
- Jessica Hyde ran a SANS webcast during the week on IoT forensics, and SANS has archived it for viewing.
Making IoT Relevant
MALWARE
- Jared Myers at Carbon Black shares Carbon Black’s Threat Analysis Unit’s (TAU) analysis of the BadRabbit dropper and ransomware.
Carbon Black TAU Threat Analysis: A Deeper Look at BadRabbit Shows Overlapping Similarities to NotPetya
- Countercept have a post analysing the Koadic post-exploitation toolkit, as well as providing “indicators that can be used to detect its activity.”
Hunting for Koadic – A COM-Based Rootkit
- Furoner at Furoner.CAT walks through a process for analysing the AcroForm objects within a PDF file for maliciousness.
Checking for maliciousness in Acroform objects on PDF files
- Jay Rosenberg at Intezer compares the IcedID banking trojan with the Pony malware.
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
- Karsten Hahn at Malware Analysis For Hedgehogs has written a post that “explains [the different strategies employed by viruses to infect host computers] so that the infection type of viruses can be identified during analysis.”
File Infection Strategies
- Denis O’Brien at “Malware Analysis: The Final Frontier” has released a few updates for IRIS-H, adding an OOXML ‘Footer Part’ parser and updating the OOXML ‘document’ file parser.
- Malware Breakdown examines an infection chain showing “the Seamless campaign delivering [the] Ramnit banking Trojan via [the] RIG exploit kit.”
Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
- MalwareTech walks through his process of “identifying Command and Control (C2) servers and understanding their topology, using Emotet as an example.”
Investigating Command and Control Infrastructure (Emotet)
- Marco Ramilli describes a trick for bypassing the password on protected VBA macros.
Unprotecting VBS Password Protected Office Files
- Guy Bruneau at the SANS Internet Storm Center dumps some decoded VBScript which appears to be a coin miner.
VBE Embeded Script (info.zip), (Mon, Nov 13th)
- Dave McMillen at Security Intelligence analyses a malicious sample that was part of an attack that hid “cryptocurrency CPU-mining tools … within fake image files.”
Steganography: A Safe Haven for Malware
- Dhanesh Kizhakkinan, Yu Wang, Dan Caselden, and Erica Eng at FireEye analyse a recent attack by “a financially motivated threat actor … primarily targeting the retail, restaurant, and hospitality industries.”
Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks
- Rubio Wu at TrendLabs examines a new variant of the Emotet trojan.
New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis
- Javier Vicente Vallejo has written a “short post about the particular installation of the new WinDbg and the way that [he] needed to configure VirtualKD’s vmmon to attach the new WinDbg to the selected running VM from the vmmon menu”
Installation and First Contact With the New WinDbg
- Vitali Kremez reverses “the Golroted Trojan with the focus on its native API process hollowing technique and User Account (UAC) bypass method exploiting Environment variables in Scheduled Tasks.”
Let’s Learn: Dissecting Golroted Trojan’s Process Hollowing Technique & UAC Bypass in HKCU\Environment
- The VMRay Research Team have a post sharing their analysis of “a Word document using a sandbox evasion technique, the execution of shellcode via Dynamic Data Exchange, and NotPetya reborn as BadRabbit”
VMRay Malware Analysis Report Recap – October ’17
MISCELLANEOUS
- Belkasoft have a post explaining that “the updated Forensic Toolkit (FTK) v.6.3 integrates Belkasoft-made analytics core”; this was announced back in April.
AccessData and Belkasoft announce the release of Forensic Toolkit (FTK) with Belkasoft-made built-in analytics core.
- Josh Huff at ‘Learn All The Things’ shares a few blogs that he has found useful. Thanks for the mention!
Sharing DFIR research
- Brett Shavers has a couple of posts this week
  - First, he shares his opinion on the need for regulation in the DFIR industry. This is something that I can see happening at some point, and a lot of labs/examiners will want to push back against it. On the plus side, you won’t have Joe IT guy rocking up to court with his expert report, but on the other, your employer may not be able to afford the training requirements. Brett also has a bit of a soapbox rant about certifications and training courses; in most of the courses I’ve sat in, people have been engaged and involved, but I’ve also sat in a couple where some of the folks paying good money to be there are either not at the right skill level to take the class, or don’t really want to be there; which I never like seeing because of the whole “paying good money” thing. I like the concept of certifications; I don’t like how much some of them cost (on top of the training course you take). I think that overall obtaining a certification is a good acknowledgement that you paid attention in class, or at least can apply some of the things you’ve learned (on your own or in class).
  The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations…)
  - Second, DON’T STEAL PEOPLE’S STUFF. In this niche community it’s a much better idea to say “I’m working on this, who wants to help” than it is to go it alone (or in this case, join a project and then decide to post on your own). I’m with Brett; I much prefer to post my ideas up (at least I mean to on my ThinkDFIR site when I get around to it) and either get contributors, collaborators, or others that ask if they can do it instead. If someone announces a project, you’re within your rights to start your own project to “compete”, but it’s better for everyone if you collaborate. It’s not cool if you start collaborating and then decide you’re better off competing.
  Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.
- Whilst he’s been talking about it for a little bit, DFIR Guy is retiring and, as a result, wants to pass the torch for the website and Twitter account. Hopefully whoever takes it over can offer the same level of commitment to keeping it alive and updated.
Goin’ fishing, the kind with a real fishing pole..
- Matt Edmondson at Digital Forensics Tips describes a couple of methods for identifying password hash formats.
Resources to Help Identify Password Hash Formats
- Compelson announced on Forensic Focus that they will be releasing MobilEdit Forensic Express v5 this week, but I haven’t seen anything else on their site about it.
New MOBILedit 5.0 Will Be Launched In Abu Dhabi, Hong Kong And China
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares the installation instructions for Santoku, which can be used for Android forensic analysis.
Santoku, a linux distribution for Android forensic analysis
- Patrick Olsen at System Forensics describes what the “cloud” is.
AWS Security Overview – Part 0 – What is Cloud
- Christa Miller at Magnet Forensics has a post about the discovery process when researching forensic techniques and artefacts. In it she interviews Cheeky4n6Monkey about some of the steps that he follows when tasked with parsing data that the forensic tools don’t present.
Being Forensically Curious: The Process of Discovery
SOFTWARE UPDATES
- James Habben at 4n6IR has updated Evolve to version 1.6. The update documents the API and adds plugin search. James also explains the background for writing Evolve and some of the headaches that the approach he took caused.
Evolve Version 1.6
- Daniel Pistelli at Cerbero announced the release of Profiler v2.8, the memory analysis tool.
Profiler 2.8 – Windows Memory Forensics
- DVR Examiner 2.1 has been released, adding improved support for E01 images, forensic imaging, and additional file systems, as well as other improvements and bug fixes.
DVR Examiner 2.1 Has Arrived!
- ExifTool was updated to v10.67, adding new tags and bug fixes.
ExifTool 10.67
- Katana Forensics released Lantern v4.70, adding iOS 11 support and fixing the iOS message parsing bug.
- X-Ways Forensics 19.4 SR-6 was updated to fix a bug (it says SR-6 on the site, but there was another SR-6 released a couple of weeks ago, so it could be a typo).
X-Ways Forensics 19.4 SR-6
- X-Ways Forensics 19.5 Beta 2 was released with some improvements and bug fixes.
X-Ways Forensics 19.5 Beta 2
- Magnet Forensics released updates for Axiom, IEF, and Acquire during the week, although there wasn’t a public notification. Information about the release has been shared here
- Oxygen Forensics released a maintenance version of their Detective product. “Detective v.10 comes with the breakthrough algorithms of cloud data acquisition, extended drone support, updated bypass screen lock methods and advanced app data parsing.”
Introducing the new Oxygen Forensic® Detective v.10!
And that’s all for Week 46! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!