FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog continues his examination of the Windows registry file format
RegistryとFile format(2)
- There were a couple of posts by Digital Forensics Corp this week
  - They provided a brief overview of Volatility Workbench by PassMark Software.
  Volatility Workbench Overview
  - They shared an article from InfoSecAddicts on iOS device partitions, SQLite databases, and plists.
  SQLite and Plist Files
- Elcomsoft have a few posts this week about iCloud authentication tokens, and how to extract them
- Issue 6 of the IEEE Security & Privacy journal has been released.
Issue 6 • November/December 2017
- Sean Morrissey at Katana Forensics has an article regarding the need for Faraday bags for mobile phone preservation. The author explains that whilst in many cases the SIM can be removed from a mobile device, this doesn’t prevent a remote wipe delivered over Wi-Fi. Also, some phones will not allow examiners to turn on airplane mode after a period of time (if a passcode is enabled and the examiner doesn’t have it).
Faraday and Mobile Forensics Today and Beyond
- Sarah Edwards at Mac4n6 has written a post showing how to mount images of macOS file systems with “4k blocks instead of 512 byte block sizes”.
Mount All the Things! – Mounting APFS and 4k Disk Images on macOS 10.13
- Adam Kramer has a post on the SANS blog about a Windows feature called ‘Monitoring Silent Process Exit’ that will “automatically generate a memory dump when a process with a specified name exits”.
“Acquiring a Memory Dump from Fleeting Malware”
- Mark at Sneaky Monkey has posted a write-up of level 1 of the GrrCon 2017 DFIR CTF.
GrrCon 2017 DFIR write up – Level 1
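The registry configuration behind the Silent Process Exit technique in Adam Kramer’s SANS post, as an added example (my own PowerShell, not code from the post): it enables the feature for one image name so that Windows writes a full user-mode dump every time a process with that name exits, which is how you catch a dropper or stager that runs for a fraction of a second. Key and value names follow Microsoft’s documentation of the feature; the image name and dump folder are placeholders. Run it from an elevated prompt.

```powershell
# Added example: enable "Monitoring Silent Process Exit" for one executable so a
# full dump is written on every exit of a process with that image name.
$Target     = 'suspicious.exe'         # assumed image name to watch (file name only)
$DumpFolder = 'C:\Dumps\SilentExit'    # assumed output folder; must exist before the exit

$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target"
$spe  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$Target"

New-Item -Path $DumpFolder -ItemType Directory -Force | Out-Null
New-Item -Path $ifeo -Force | Out-Null     # -Force also creates missing parent keys
New-Item -Path $spe  -Force | Out-Null

# FLG_MONITOR_SILENT_PROCESS_EXIT (0x200) switches the feature on for this image name.
New-ItemProperty -Path $ifeo -Name GlobalFlag -PropertyType DWord -Value 0x200 -Force | Out-Null

# ReportingMode is a bitmask: 0x1 launch a monitor process, 0x2 write a local dump,
# 0x4 log a notification event to the Application log. 0x6 = dump + event.
# DumpType: 1 = minidump, 2 = full dump (what you want for memory analysis).
New-ItemProperty -Path $spe -Name ReportingMode   -PropertyType DWord  -Value 0x6         -Force | Out-Null
New-ItemProperty -Path $spe -Name LocalDumpFolder -PropertyType String -Value $DumpFolder -Force | Out-Null
New-ItemProperty -Path $spe -Name DumpType        -PropertyType DWord  -Value 2           -Force | Out-Null

# Read the configuration back so the change is recorded in the case notes.
Get-ItemProperty -Path $ifeo | Select-Object GlobalFlag
Get-ItemProperty -Path $spe  | Select-Object ReportingMode, LocalDumpFolder, DumpType

# Remove the configuration once the dump has been collected (it survives reboots):
# Remove-Item -Path $ifeo, $spe -Recurse -Force
```

Two caveats: the feature fires on every exit of any process with that image name, so point it at a rarely-run binary or watch the dump folder, because a frequently-exiting process fills the disk quickly; and the Image File Execution Options key is itself a well-known persistence location, so document exactly what you wrote there and remove it when the acquisition is finished.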
THREAT INTELLIGENCE/HUNTING
- Jayden Zheng at Countercept provides “a short analysis on how to detect the persistence methods that utilize CLSID hijacking with junction folders, specifically those that were created in the Start Menu directory”
Hunting for Junction Folder Persistence
- Jack Crook at ‘DFIR and Threat Hunting’ shares the mind maps that he created previously for threat hunting and then walks through an example of an attack falling within each category.
A Few Of My Favorite Things
- Preston Miller at DPM Forensics explains a couple of new additions to his phishing detection script.
A Return to Phishing
- Cindy Murphy at Gillware Digital Forensics walks through an investigation of a client’s server that had been used by an attacker to mine Bitcoin.
Forensic Case Files: Unauthorized Bitcoin Mining
- Shusei Tomonaga at JPCERT explains how their new tool, LogonTracer, can be used to visualise Windows event logs and identify compromised accounts.
Visualise Event Logs to Identify Compromised Accounts – LogonTracer –
- “The NTT Security Global Threat Intelligence Center (GTIC) released its Q3 ‘17 Threat Intelligence Report”
The NTT Security GTIC 2017 Q3 Threat Intelligence Report
- Keya Horiuchi at Red Canary walks through the detection of an attacker using the Microsoft Office DDE (Dynamic Data Exchange) technique delivered by email.
Microsoft DDE Exploit Arriving in Email Accounts
- Carlos Perez at ‘Shell is Only the Beginning’ describes some of the operational changes in Sysmon v6.20. These include “Enhancements in WMI Logging, [the] ability to change driver name, [and the] ability to change service name and service executable name.”
Operational Look at Sysinternals Sysmon 6.20 Update
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some Windows one-liners for downloading and executing code. The post not only lists the command run, but also the process that is used and where the payload is written to disk.
How a malware can download a remote payload and execute malicious code…in one line?
- Christopher McCubbin at Sqrrl explains “the use of isolation forests to find unusual behavior in cybersecurity log files”
Threat Hunting through the use of an Isolation Forest
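The detection the Countercept junction-folder post describes, as an added example (my own PowerShell, not Countercept’s code). A folder whose name ends in “.{CLSID}” under a Start Menu directory makes Explorer load that CLSID’s in-process COM server when the menu is enumerated; the attacker registers the CLSID under HKCU\Software\Classes, which an unelevated Explorer resolves ahead of HKLM, and points it at their own DLL. The script lists every such folder in the per-machine and per-user Start Menu trees, resolves the InProcServer32 path in both hives, and flags user-hive registrations, servers outside %SystemRoot%, and CLSIDs that resolve nowhere. The Start Menu roots and the “inside %SystemRoot%” rule of thumb are my assumptions; run it on the live host, since the lookups read the live registry.

```powershell
# Added example: hunt for CLSID-suffixed "junction folders" in the Start Menu and
# resolve their COM servers. Assumed roots: the standard per-machine and per-user trees.
$StartMenuRoots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Windows\Start Menu"
)
# Matches "<anything>.{8-4-4-4-12 hex}" and captures the GUID without braces.
$ClsidFolder = '\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$'

function Get-ComServer {
    # Returns the InProcServer32 (default) value for a CLSID in one hive, or $null.
    param([string]$Clsid, [ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $key = "${Hive}:\Software\Classes\CLSID\{$Clsid}\InProcServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

$findings = foreach ($root in $StartMenuRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden folders, which is how these are usually planted.
    Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $ClsidFolder) {
                $clsid = $Matches[1]
                $hkcu  = Get-ComServer -Clsid $clsid -Hive 'HKCU'
                $hklm  = Get-ComServer -Clsid $clsid -Hive 'HKLM'
                # HKCU wins for an unelevated Explorer, so that is the effective server.
                $server   = if ($hkcu) { $hkcu } else { $hklm }
                $expanded = [Environment]::ExpandEnvironmentVariables([string]$server).Trim('"')
                $inSysRoot = $expanded -and
                             $expanded.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
                [pscustomobject]@{
                    Folder     = $_.FullName
                    CreatedUtc = $_.CreationTimeUtc      # useful for the timeline
                    CLSID      = $clsid
                    HkcuServer = $hkcu
                    HklmServer = $hklm
                    # Review anything registered in the user hive, served from outside
                    # %SystemRoot%, or not registered at all (stale hijack or wrong hive).
                    Suspicious = [bool]$hkcu -or -not $inSysRoot
                }
            }
        }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

For an offline image, mount it, load the user’s NTUSER.DAT with reg.exe under HKU and point the hive lookup at that mount point; the folder enumeration itself works unchanged against the mounted Users and ProgramData directories. Pair the folder creation time with the registry key’s last-write time to bound when the persistence was installed.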
UPCOMING WEBINARS/CONFERENCES
- Tayfun Uzun at Magnet Forensics will be presenting a webinar on Wednesday, December 13, 2017 at 1:00PM Eastern Time regarding the “importance of smart, simplified collaboration and how to avoid pitfalls when working with several and varied stakeholders.”
Sharing is Caring: Empowering the Whole Team to Collaborate
- Matt Aubert at Cisco announced a webinar titled “Dissecting a Breach: An Incident Responder’s Perspective.” The webinar will take place on December 5, 2017 at 1PM ET / 10AM PT. The post also describes the incident response process.
Dissecting a Breach: The Process of Incident Response
PRESENTATIONS/PODCASTS
- Presentations from DEF CON 25’s Crypto and Privacy Village were uploaded
- Magnet Forensics have released their recorded webinar on Magnet Atlas, their case management solution.
Recorded Webinar: From Intake to Court: Using Case Management to Stay on Track (UK Edition)
- Nuix have uploaded a video showing how “Nuix Analytics & Intelligence is used to review the submission of several insurance claims tied to an apartment building fire in Dubai, tying these claims in with the real-world whereabouts of the claimants around the date of the fire.”
Inside Scoop Product Update November 2017 – Insurance Claim Demo Part 1
- OALabs have posted a video on using “IDA Pro and the debugger to unpack a Loki malware sample from a packer that has a ton of anti-analysis, anti-debug, and anti-vm tricks.”
How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro
- Paraben Corporation have uploaded a video on using the email deduplication feature in E3.
Paraben’s E3 Platform Email Deduplication
- On this week’s Digital Forensic Survival Podcast, Michael and Tim discuss integrating Volatility with Autopsy.
DFSP # 093 – Chocolate Peanut Butter Moment
- Martijn Grooten at Virus Bulletin shared Patrick Wardle’s VB2017 paper and presentation on OSX/FruitFly.
VB2017 paper: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server
MALWARE
- The Extreme Coders blog has a write-up of the reversing track from TU CTF 2017.
TUCTF Write-up – RE track
- Anton Wendel at Cyber WTF describes how Emotet is dropping ZeuS Panda against German and Austrian online banking users, and the links between the two.
Emotet drops ZeuS Panda targeting German and Austrian online banking users
- There were a couple of posts on the Fortinet blog this week
  - Jasper Manuel and Joie Salvio examine a maldoc that uses CVE-2017-11882 to deliver Cobalt malware.
  Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
  - Minh Tran analyses the FALLCHILL RAT that’s being used by the Hidden Cobra APT group
  A Deep Dive Analysis of the FALLCHILL Remote Administration Tool
- Hasherezade takes a look at challenge 6 of the FlareOn4 CTF.
Hook the planet! Solving FlareOn4 Challenge6 with libPeConv
- Denis O’Brien at “Malware Analysis: The Final Frontier” has released some minor updates to IRIS-H
IRIS-H (alpha): Updated LNK file parser / Command line arguments deobfuscation added
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Jérôme Segura examines some recent changes in the Terror EK
  Terror exploit kit goes HTTPS all the way
  - Jérôme also takes a look at a technique that malicious website owners are using to mine cryptocurrency even after the user closes the web browser.
  Persistent drive-by cryptomining coming to a browser near you
- Morphisec have published a report by Michael Gorelik and Roy Moshailov on fileless malware.
Fileless Malware: Attack Trend Exposed
- Kaoru Hayashi at Palo Alto Networks examines “a new custom Remote Access Trojan (RAT) called UBoatRAT.”
UBoatRAT Navigates East Asia
- There were a couple of posts on the SANS Internet Storm Center Handler Diaries this week
  - Xavier Mertens examines a fileless PowerShell script that he found on Pastebin.
  Fileless Malicious PowerShell Sample, (Wed, Nov 29th)
  - Brad Duncan takes a look at some malspam pushing Emotet.
  More Malspam pushing Emotet malware, (Thu, Nov 30th)
- Warren Mercer, Paul Rascagneres and Jungsoo An at Cisco’s Talos blog examine a new version of ROKRAT, which is distributed via a malicious HWP (Hangul Word Processor) document
ROKRAT Reloaded
- Chris Schraml at PhishLabs examines a recent Gozi sample dropped through a spoofed Korean CERT bulletin.
Banking Trojan Dropped Through Spoofed Korean CERT Bulletin
- Abhay Vaish and Sandor Nemes at FireEye examine “a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process.”
Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
MISCELLANEOUS
- Chris Sanders discusses the realities of password theft and how they relate to chapters 9-14 of The Cuckoo’s Egg.
Cuckoo’s Egg – Week 3 Notes
- The guys at Cyber Forensicator shared a few posts this week
  - They shared an article by Rich Infante on understanding iOS backups.
  Reverse Engineering the iOS Backup
  - They shared an article by Sean Metcalf on Mimikatz.
  Unofficial Guide to Mimikatz & Command Reference
  - They shared the news that “Digital Forensics and Investigations: People, Process, and Technologies to Defend the Enterprise” by Jason Sachowski “is expected to be published in September 2018”.
  Digital Forensics and Investigations: People, Process, and Technologies to Defend the Enterprise
- Vladimir Katalov at Elcomsoft covers Apple’s 2FA implementation
Breaking Apple iCloud: Reset Password and Bypass Two-Factor Authentication
- There were a couple of interviews on Forensic Focus this week
  - Johann Hofmann at Griffeye discusses the need for automation and integration between software vendors. “Griffeye has developed Analyze CMD (Command), a data orchestration tool that can help fully automate workflows involving the Analyze platform and other valuable tools”
  Automation – the next big leap in digital investigations
- There were a couple of posts on the Magnet Forensics blog this week
  - The first regards using the portable case feature. I like making portable cases to provide data to investigators. A few things that I’ve learned along the way are: don’t put them on CD/DVDs because they need to be written to. You may need to work on a machine that is less locked down, as the report viewer is an executable. I can’t recall if this was an issue with HTML output or portable case output, but sometimes you get issues where the folder paths created are too long for NTFS to handle, and that can cause issues when trying to move the folders around.
  Portable Case Makes Collaborating on Case Easier
  - The second continues the series on being forensically curious; this time, covering creating profiles of known data and then using them to identify forensic artefacts in mobile apps.
  Being Forensically Curious: The Process of Testing
- John Patzakis, Esq. at X1 Discovery provides “an example of a Rule 902(14) certification for the authentication of social media evidence collected by X1 Social Discovery.”
Practice Tool: Sample FRE 902(14) Certification to Authenticate Social Media Evidence
- Patrick J. Siewert at Pro Digital Forensic shares his take on the distinction between requiring a subpoena or a search warrant to obtain call detail records from a cellular provider.
Discussion: SCOTUS, Carpenter & Call Detail Records
- Patrick Olsen at System Forensics continues his AWS security overview series
- Lesley Carhart describes how she plans for travel to an infosec engagement.
The Infosec Introvert Travel Blog
- WeLiveSecurity interviewed Peter Kálnai and Michal Poslušný about their Browserhooks Volatility plugin, which won 3rd place in this year’s Volatility plugin contest.
ESET malware researchers awarded prize in open-source memory forensics competition
SOFTWARE UPDATES
- “Mobilyze 2017 R1.1 is now available with new features and improvements that support the latest phones and operating systems, including iPhone 8 and devices running iOS 11, or Android 8.0 (Oreo).”
Mobilyze 2017 R1.1 is now available
- “PyInstaller Extractor has been updated to v1.9. The features of this release include support for PyInstaller 3.3 [and] display[ing] the scripts which are run at entry point”
Pyinstaller Extractor updated to v1.9
- Didier Stevens updated his pdfid tool to v0.2.3, adding a -n option to hide “output for names with a count of zero”.
Update: pdfid.py Version 0.2.3
- Elcomsoft Phone Breaker 8.1 was released, which allows investigators to use the Anisette data on a suspect’s computer to bypass 2FA. Oleg Afonin explains the process in this article.
Target: Apple Two-Factor Authentication
- Evimetry 3.0.5 was released with some fixes and improvements.
Release 3.0.5
- Paraben have updated their E3 platform to version 1.5. They “are also offering a unique come back program until Dec 31, 2017 where prior lapsed customers can bring their license current for a small fee”.
Paraben Releases Version 1.5 Of The E3 Platform With New iOS 11 And Chrome
- GetData updated Forensic Explorer to version 4.1.0.6746 with a variety of new enhancements and features. The main improvement is the new Artifacts Module, which I’ve heard about from the developers but haven’t had a chance to see yet.
Version 4 – Major Release – 29 November 2017 – v4.1.0.6746
- Griffeye has released Analyze DI Pro, “an advanced investigation tool, used to process, analyze, visualize and manage large volumes of images and video”
Launch of Analyze DI Pro – Advanced Integrated Workflow
- IDA 7.0sp1 was released with a significant number of bug fixes.
IDA: What’s new in 7.0sp1
- MOBILedit Forensic Express 5.0 has been released with new features including an improved update mechanism, “Photo Recognizer”, and “Language customization and localization of reports”.
Forensic Express 5.0 Released
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.3
1.0.3
- Nader Shalabi at No-Secure-Code has released Sysmon View v1.4. The update adds WMI event importing (including some additional ‘views’), and no longer encrypts the SQLite database used to store imported events.
Sysmon View 1.4 released!
- Oxygen Forensic Detective was updated to version 10.0.1, improving data collection from the WhatsApp server; it “also allows selecting a time period for data export and improves video files detection”.
Oxygen Forensic® Detective extracts extended information from WhatsApp server
- Radare2 was updated to v2.1.0. “This release brings better support for Windows debugging, radare2 filesystem, file format improvements and massive speedup of the interface. Moreover, you can find better working search commands and various bug fixes.”
Codename “onhold”
- IsoBuster 4.1 Beta was released, improving reporting and file export, as well as improved file system support and bug fixes.
IsoBuster 4.1 Beta released
- X-Ways Forensics 19.5 was officially released and then updated to SR-1. The update includes minor improvements and bug fixes.
X-Ways Forensics 19.5 SR-1
And that’s all for Week 48! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!