FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog examines the Windows registry file format.
RegistryとFile format(1)
- Luis Rocha at ‘Count Upon Security’ looks at a few artefacts that may be useful when investigating an attacker interacting with a Windows machine through the GUI.
Digital Forensics – Artifacts of interactive sessions
- The guys at Cyber Forensicator shared a few posts this week
  - They shared Jan-Niclas Hilgert, Martin Lambertz, and Daniel Plohmann’s paper from DFRWS USA 2017 titled “Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis”.
  Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis
  - “Packt Publishing has announced the third edition of Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin, Heather Mahalik and Satish Bommisetty”. “The book is expected to be published in April 2018”.
  The third edition of Practical Mobile Forensics has been announced
  - They shared Kurt H. Hansen and Fergus Toolan’s paper titled “Decoding the APFS file system”.
  Decoding the APFS file system
- Quix0te at Musectech looks into time discrepancies on Windows, covering time drift, time stomping, and time zones.
About Time
- Jake Williams at Rendition Infosec shared the Volatility plugins that he developed and mentioned during his recent SANS Webcast (https://www.sans.org/webcasts/memory-forensics-sodium-pentothal-security-106060) with Alissa Torres.
Memory Forensics Plugins
- The app analysis team at LCDI provides an update on their progress analysing the Fitbit, LastPass, Steam, and Trello apps. Thinking out loud, it would be great if LCDI hosted the test data that the students generated somewhere.
Application Analysis Update 2: Fitbit, LastPass, Steam, and Trello
- Pieces0310 takes a look at a file that was not recognised correctly by a file signature search. After manually examining the file they determined that it was a Symantec Ghost image.
File signature analysis failed to recognize .old file – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Gayle Kennedy at Countercept describes a recent attack on a law firm that attempted to execute SnatchLoader after a targeted spear phish.
Case Study: Defending a Major Law Firm
- The guys at Digital Forensics Corp shared an article by Kirtar Oza on detecting PowerShell attacks in Windows Event logs.
Powerdown the PowerShell Attacks Overview
- Jon Barker at NVIDIA presents a paper that “introduces an artificial neural network trained to differentiate between benign and malicious Windows executable files with only the raw byte sequence of the executable as input.”
Malware Detection in Executables Using Neural Networks
- Tony Lambert at Red Canary outlines “a threat detection in which Windows Remote Management (WinRM) spawned a process via Windows Management Instrumentation (WMI)”.
Lateral Movement Using WinRM and WMI
UPCOMING WEBINARS/CONFERENCES
- “The 12th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE) is calling for paper submissions in the broad field of Digital Forensics from both practitioner and researcher’s perspectives”. The event will take place on May 24, 2018, in San Francisco and the CFP closes 16th January 2018. Papers can be submitted here.
PRESENTATIONS/PODCASTS
- Casheeew uploaded their presentation on network forensics from Blackhoodie 2017.
Check out @casheeew’s Tweet
- Jon Poling shared his presentation from the recent SecTor conference on DFIR in AWS.
Check out @JPoForenso’s Tweet
- Paraben Corporation uploaded a couple of videos on E3 this week
- On this week’s Digital Forensic Survival podcast, Michael talks about the new Apple File System (APFS) and some things to consider when dealing with it.
DFSP # 092 – New Apple File System
- Alessandro Guarino at Strange Loops shared his presentation on Corporate Forensics, which describes what digital forensics is, how it can benefit organisations, and its challenges in doing so.
Corporate Forensics Presentation at ISSE 2017
- Virus Bulletin uploaded a couple of presentations this week
MALWARE
- Eric Merritt and Jared Myers at Carbon Black examine a malicious sample that utilises CVE-2017-11882 in an attack.
Threat Analysis: Equation Equals Backdoor
- Shaun Hurley and Sergei Frankoff at CrowdStrike continue “the technical analysis of the BadRabbit ransomware attacks” and describe “the steps taken by BadRabbit to leverage those controlled data structures to elevate the authenticated SMB session to System”.
BadRabbit MS17-010 Exploitation Part Two: Elevate Privileges
- Vitali Kremez at Flashpoint examines the malware utilised by the “Trickbot banking Trojan gang”.
Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
- Jasper Manuel, Joie Salvio, and Wayne Low at Fortinet analyse some malware that utilises CVE-2017-11826.
CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
- Amanda Rousseau shared her write-ups for questions 1-4 of the FlareOn 2017 challenge.
Check out @malwareunicorn’s Tweet
- Thomas Reed at Malwarebytes Labs shares some IOCs for OSX.Proton, which is spreading as an application named “Symantec Malware Detector”.
OSX.Proton spreading through fake Symantec blog
- Inhee Han at McAfee examines some “Android malware that contains a backdoor file in the executable and linkable format (ELF)”.
Android Malware Appears Linked to Lazarus Cybercrime Group
- There were a few posts on the Palo Alto Networks blog this week
  - Anthony Kasza, Juan Cortes and Micah Yates describe “a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster.”
  Operation Blockbuster Goes Mobile
  - Josh Grunzweig and Jen Miller-Osborn examine “a new variant of the SunOrcal malware family”.
  SunOrcal Adds GitHub and Steganography to its Repertoire, Expands to Vietnam and Myanmar
  - Mike Harbison shows a technique to “take the assembly code directly from the malware’s decompression/decoding routine, put it in a compiler such as Visual Studio, compile it to a dynamic link library (DLL), and then call into it using your favorite scripting language such as Python”.
  Using Existing Malware to Save You Time
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries this week
  - Brad Duncan examines the infection traffic associated with a recent wave of malspam.
  Resume-themed malspam pushing Smoke Loader, (Sun, Nov 19th)
  - Brad also briefly covers that the Magniber ransomware is still being distributed by the Magnitude EK.
  One month later, Magniber ransomware is still out there, (Mon, Nov 20th)
- Alexey Firsh at Securelist takes a look at some commercial Android spyware apps.
Android commercial spyware
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares an article showing how process hollowing works.
RunPE: a practical example of Process Hollowing technique
- There were a couple of posts on the Trend Micro blog this week
  - Ronnie Giagone, Lenart Bermejo, and Fyodor Yarochkin examine some malspam utilised by the Cobalt group.
  Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks
  - Jaromir Horejsi takes a look at “a file-encoding ransomware variant implemented entirely in VBA macros called qkG”.
  qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
- Vitali Kremez reverses “the Trickbot Socks5 backconnect module including its communication protocol and source code-level insights.”
Let’s Learn: Trickbot Socks5 Backconnect Module In Detail
MISCELLANEOUS
- Andrew Hay explains “how to create the cards [in Trello] and populate them with the required data to better manage your CFP pipeline.”
The Hay CFP Management Method – Part 2
- Brett Shavers has a few posts this week
  - The first announces a course on cryptocurrencies that is “being developed alongside the [Bitcoin forensics] book as a companion to the book”.
  Bitcoin Forensics | Investigating Cryptocurrency Crimes Online Course….it’s coming…
  - The second discusses mentorship, and the benefits and responsibilities of doing so.
  DFIR Mentors. You just might be one and not know it.
  - The last promotes continuous learning and provides a ridiculous discount to Brett’s catalogue of products (which will probably be over by the time you read this).
  When you think you know enough
- About DFIR now has a job listing page.
Check out @aboutdfir’s Tweet
- DFIR Guy at DFIR Training has officially passed the torch to a new owner. Thankfully he’s also archived his older posts, and may return as DFIR_Batman on Twitter rather than just disappearing into the ether.
I pushed the button to retire
- The guys at Digital Forensics Corp shared an article by the Ultimate Hackers on the different folders created in a default Linux installation.
Linux File System Overview
- Oleg Afonin at Elcomsoft explains how Google Prompt affects a user’s security compared with Apple’s 2FA. He then provides the steps to acquire a Google account protected with Google Prompt using Elcomsoft Cloud Explorer.
The Future of Android Security: Why Google Pushes Away from SMS to Prompt Verification
- There were a number of posts on Forensic Focus this week
  - Scar provides links to a few of the recent discussions on the forum.
  Forensic Focus Forum Round-Up
  - They interviewed Glen Dario Rodriguez and Fernando Molina about their “new model for digital evidence preservation in criminal research institutions”.
  Interview With Glen Dario Rodriguez And Fernando Molina, Researchers
  - Paraben shared a brief overview of some of the videos they recently uploaded to their YouTube channel.
  Paraben E3 Platform Highlights-Cloud Data & OCR Data
  - Scar shared her picks for Digital Forensics news over the last month.
  Digital Forensics News November 2017
  - They interviewed Kyung-Su Lee about his work at HancomGMD. The company’s focus appears to be mobile forensics, in particular the Asian mobile phone market.
  Interview With Kyung-Su Lee, Chief Technology Officer, HancomGMD
- Johann Hofmann at Griffeye explains the new features coming in Analyze DI Pro.
Be on top of your game – with the new Analyze DI Pro edition
- Hasherezade walks through solving challenge 3 of FlareOn 2017 using the library that she wrote for “loading and converting PE files”.
Import all the things! Solving FlareOn Challenge 3 with libPeConv
- Dan Borges at LockBoxx reviews the Hash Crack password cracking manual, although he doesn’t appear to think that it’s worth the money.
Book Review: “Hash Crack”
- Jessica Hyde at Magnet Forensics has written a fairly comprehensive blog post on ways to share in digital forensics.
The Importance of Sharing in DFIR
- Yulia Samoteykina at Atola Technologies shows how to calculate segmented hashes of a damaged drive using the Atola Insight.
Calculating segmented hash of a damaged drive
- SalvationData provided an overview of the 3rd International Workshop on Digital Crime and Forensics, which they attended and where they presented some research.
SalvationDATA participated in the International Workshop on Digital Crime and Forensics (IWDCF2017)
- Paul Rascagneres at Cisco’s Talos briefly explains Pyrebox, which took first place in the Volatility plugin contest.
Talos Wins The 5th Volatility Plugin Contest With Pyrebox
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains how to use FatCat to recover broken FAT filesystems.
How to recover a broken FAT filesystem using FatCat
- Patrick Olsen has written a few posts on AWS security
- A security researcher (I’m guessing?) tweeted out that they were able to write to a USB drive through a WiebeTech USB write blocker. When pushed on this, the author advised that they will disclose how this was performed next year. With that in mind, I’m not sure what benefit there is to sharing the information now, other than to cause headaches (because who knows, it may be something important, or it may be nothing).
Check out @__ths__’s Tweet
- Michael Hale Ligh at Volatility Labs announced the winners of the annual Volatility Foundation plugin contest.
Results from the (5th Annual) 2017 Volatility Plugin Contest are in!
SOFTWARE UPDATES
- Plaso 20171118 was released, “fixing a couple of small issues and adding a parser for Sophos Antivirus SAV logs.”
Plaso 20171118
- Amped released v10039 of FIVE, introducing the new ‘Assistant’ pane. “The Assistant provides a set of predefined workflows which can be used to automate common operations or guide new users, but it’s not obtrusive. You can use it or not, and you can always add filters or do anything, as usual, it’s just an additional option.”
Amped FIVE Update 10039: Introducing the Assistant, and much more
- Cellebrite released an update (v6.4.1) for their Touch2, Touch, 4PC and InField products, adding additional device support.
Touch2, Touch, 4PC and InField 6.4.1 Maintenance Release [November 2017]
- Philippe Lagadec updated oletools to add support for extracting “DDE links from Excel XLSX and Word DOCX+DOC”.
Check out @decalage2’s Tweet
- Didier Stevens updated pcap-rename to v0.0.2 to support “big-endian pcap files”.
Update: pcap-rename.py Version 0.0.2
- Elcomsoft updated Cloud Explorer to version 2.0, adding a Mac version and expanding “Google Two-Factor Authentication support by adding Google Prompt and FIDO Keys, including Yubico dongles, to the list supported secondary authentication methods.”
Elcomsoft Cloud Explorer 2.0 Adds Google Prompt and FIDO Keys Support, Introduces the Mac Edition
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.1.
1.0.1
- Passmark updated OSForensics to V5.2.1003, fixing some bugs.
V5.2.1003 – 23rd of November 2017
- SalvationData released SPF V3.63.15.0 with improved app/device support/features and bug fixes.
Mobile Forensics SPF V3.63.15.0 Optimize Decryption of WeChat Database and Support Samsung’s Tizen OS
- X-Ways Forensics 19.4 SR-7 was released, fixing some bugs.
X-Ways Forensics 19.4 SR-7
- X-Ways Forensics 19.5 Beta 3 and then 4 were released during the week, adding some new features.
X-Ways Forensics 19.5 Beta 4
And that’s all for Week 47! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!