FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at registry transaction log files and shows how to examine them using Maxim Suhanov’s YARP tool.
Registry and Transaction Log Files
- The guys at Cyber Forensicator shared a paper by Xingzi Yuan, Omid Setayeshfar, Hongfei Yan, Pranav Panage, Xuetao Wei, and Kyu Hyung Lee titled “DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging”
DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging
- The guys at Digital Forensics Corp shared an article from GBHackers on the Windows registry and some useful registry keys.
Windows Registry Analysis
- Preston Miller at DPM Forensics exports data from Google, Twitter, Facebook, and LinkedIn using their native backup services.
500 Words or Less: Native Backups
- HDD Surgery has a post on the Forensic Focus blog regarding the MediaCache technology found on Seagate drives. The author explains that if a drive is damaged, MediaCache should be considered when performing data recovery.
MediaCache On Seagate drives – A Potential Problem For Digital Forensics
- Chad Tilbury released an updated SANS Memory Forensics Cheat Sheet
SANS Memory Forensics Cheat Sheet
- Yulia Samoteykina at Atola Technology shows how to use the search feature of Insight during the imaging process.
Artifacts: Image & analyze on the fly
- Todd A. Faulkner has a guest post on the Paraben blog explaining the benefits of seizing a suspect’s Bluetooth devices to assist in unlocking their mobile device via the Smart Lock feature.
Using Bluetooth & NFC as a Smartphone Backdoor
- Volume 23 of the Journal of Digital Investigation was released.
Digital Investigation Volume 23
- The students at LCDI shared their final update on application analysis. This update covers the artefacts identified in the Fitbit App.
Application Analysis Update 3
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at ‘Cyber Wardog Lab’ talks about data quality with regards to threat hunting.
Ready to hunt? First, Show me your data!
- Fox-IT share details of an incident where they were victims of a man-in-the-middle attack.
Lessons learned from a Man-in-the-Middle attack
- Adam at Hexacorn shares a Microsoft tool for logging text on Windows UI elements.
UI Anomalies – Beyond AV, EDR, and UEBA (also, user monitoring & keylogging w/o traditional tricks)
- Jacob Goldberg at ‘Infosec Topics’ has a post on ELK integration and then runs through a case study using the APT34 tools.
SYSMON – ELK Integration and Monitoring APT34 Tools
- Michael Haag at Red Canary walks through “three exercises that illustrate the progression of hunting maturity models”
Threat Hunting at Scale: Techniques & Tools to Mature Your Program
- There were a couple of posts on ReversingLabs this week
- They share a YARA rule for detecting the “BadRabbit encryption routine”.
ReversingLabs’ YARA rule detects BadRabbit encryption routine specifics
- They share a YARA rule for detecting CVE-2017-11882 as well as IOCs for documents exploiting the vulnerability.
ReversingLabs’ YARA rule detects a Cobalt payload exploiting CVE-2017-11882
- Adam Kramer has a post on the SANS DFIR blog sharing a “methodology for discovering inbound evil updates”
“Automated Hunting of Software Update Supply Chain Attacks”
- Jessica Payne shows how, “using the built in Windows Event Forwarding components of Windows, some PowerShell scripts, and PowerBI desktop, you can create a fast, free, and effective console for diagnosing problems and finding Indicators of Attack in your network”
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI
- Matthew Hosburgh at Sqrrl explains the use of honey tokens to seed a hunt.
Going on the Offense to Seed the Hunt
- Chris Long has released “Detection Lab [which] is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices”
Introducing: Detection Lab
- Daniel Lunghi, Jaromir Horejsi, and Cedric Pernet at TrendLabs provide some information on “Patchwork (also known as Dropping Elephant)”, who are “a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets”
Untangling the Patchwork Cyberespionage Group
UPCOMING WEBINARS/CONFERENCES
- The CFP for the next ADFSL conference, “held at The University of Texas at San Antonio, San Antonio, TX from May 17 to 18, 2018” is open, and will close January 15, 2018.
- Paraben announced on Forensic Focus that Paraben’s Forensic Innovation Conference (PFIC) 2018 will be running on “September 5th and 6th at the Park City Marriott hotel”, Park City, Utah.
PFIC & Park City – Together Again!
PRESENTATIONS/PODCASTS
- Forensic Focus shared Dinil Mon Divakaran’s presentation (and transcript) from DFRWS EU 2017
Evidence Gathering For Network Security And Forensics
- OpenText have uploaded the webinar by Matt McFadden and Raj Udeshi during the week on utilising Encase to identify and analyse a forensic image containing child abuse material.
Fighting Child Exploitation with Digital Forensics
- Hasherezade has uploaded a few videos this week
- The presentations from LASCON 2017 have been uploaded to their YouTube channel
- Kristy Lam at Magnet Forensics shared Tayfun Uzun’s previously recorded webinar on working collaboratively.
Recorded Webinar: Sharing is Caring: Empowering the Whole Team to Collaborate
- James Billingsley at Nuix demonstrates how Nuix Analytics & Intelligence can be used to examine forensic artefacts related to removable devices for an insider threat case.
Complex Made Easy with Analytics & Intelligence
- OALabs have uploaded a video where they “unpack a new version of GlobeImposter ransomware using the X32bg / X64dbg debugger.”
Unpacking GlobeImposter Ransomware With x32dbg
- On this week’s Digital Forensic Survival Podcast, Michael discusses a method for conducting an eDiscovery investigation using the built-in features of Office 365.
DFSP # 095 – freE-DISCOVERY?
- Richard Davis shares a short video explaining a short survey that he’s put together to gather information about what content people would like to see in the future.
Channel Update and Survey
- SANS uploaded a number of highlights from this year’s CTI Summit.
- 2017 CTI Summit Highlight – Beyond Matching: Applying Data Science Techniques to IOC-Based Detection
- Steve Watson provided a brief summary of day one of the first Data Finders event.
Day One Update
MALWARE
- Eric Merritt at Carbon Black shares some “details of how Smoke Loader infects the system, attempts to evade analysis, and persist on the system.”
Smoke and Mirrors
- There were a couple of posts by Cybereason this week
- Amit Serper analyses a new sample of the OSX.Pirrit malware.
OSX.Pirrit Mac Adware Part III: The DaVinci Code
- Fred O’Connor explains the use of PowerShell and WMI for fileless malware.
Fileless Malware 101: Understanding Non-Malware Attacks
- Mike Stokkel at Fox-IT shared some IOCs relating to a recent distribution of Zeus Panda
Criminals in a festive mood
- Alexander Sevtsov at Lastline examines “a Tyupkin malware sample”.
Tyupkin ATM Malware: Take The Money Now Or Never!
- Robert Falcone at Palo Alto Networks provides an analysis of the recent testing activities carried out by the OilRig developers. PAN also released their Adversary Playbook for OilRig.
OilRig Performs Tests on the TwoFace Webshell
- R3mrum at ‘Reverse Engineering Malware’ analyses some Emotet malware and introduces “a new tool that will help you analyze heavily obfuscated PowerShell scripts”.
From Emotet, PSDecode is born!
- Xavier Mertens at the SANS Internet Storm Center presents a “Microsoft Office document which uses its metadata to obfuscate the malicious macro”
Microsoft Office VBA Macro Obfuscation via Metadata, (Sat, Dec 16th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares an article by Moti Bani explaining “how to investigate suspicious activity on servers using Sysmon Tool”.
Investigate suspicious Windows processes using Sysinternals Sysmon
- Nicholas Ramos at Trustwave SpiderLabs examines a malicious BAT file found in “spam emails targeting Brazilian users”
Sneaky *.BAT File Leads to Spoofed Banking Page
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, and Christopher Glyer provide a comprehensive analysis of “TRITON, [which] is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers”.
Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
- David Sancho and Fernando Merces at TrendLabs examine the Prilex and Cutlet Maker malware.
Dissecting PRILEX and CUTLET MAKER ATM Malware Families
- Ben Humphrey at NCC Group examines an attack by the Hidden Cobra APT using the Volgmer trojan.
HIDDEN COBRA Volgmer: A technical analysis
- Martijn Grooten at Virus Bulletin shared two presentations from VB2017
- Vitali Kremez walks through reversing “the latest Point-of-Sale (POS) malware dubbed “GratefulPOS” in-depth including some of the notable source code-level insights.”
Let’s Learn: Reversing Grateful Point-of-Sale Malware in Dep
- Anastasios Pingios at ‘xorl %eax, %eax’ has a couple of posts this week
- Zerophage examines the Snatch Loader malware.
Malware – Snatch Loader: Reloaded
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ shares some thoughts on how to look after your people during an incident, and that it should be included in your incident response plan.
The Glaring Omission in Your Incident Response Planning
- Darlene Alvar at Amped Software shares an article that “takes a look at two cases involving the authentication of digital images and the importance of the questions asked of the analyst during those investigations”
Investigating Image Authenticity
- Devon Ackerman at AboutDFIR shared a survey for Rick Kiper on developing “a digital forensics tool typology”.
Rick Kiper’s Research Project
- Joshua I. James at ‘Digital Forensic Science’ provides some recommendations for people getting started in the digital forensics field.
Getting started in Digital Forensics
- Brett Shavers at DFIR.Training has added a directory listing to the site. The goal is to create “a searchable, sortable, filterable directory of DFIR/eDiscovery vendors, associations, and training resources.”
http://www.dfir.training/index.php/dfir-training-categories-k2/item/8-cool-stuff-being-added-to-dfir-training
- Jimmy Schroering at DME Forensics explains that they have “developed an internal database of what types of system are (or may be) supported by DVR Examiner”. Their “goal is to make this information available to users at some point in some fashion”, however, they haven’t worked out how yet.
How Can You Tell If Your DVR is Supported?
- Forensic Focus shared the release notes for MOBILedit Forensic Express 5.0 as well as some information about the new features.
New MOBILedit 5.0 With Revolutionary Live Updates System Released
- There were a few posts at the Magnet Forensics blog this week
- Christa Miller shared some information about the updated Dynamic App Finder function of Axiom (DAF is in IEF but I’m not sure if the updated version has been applied to both). DAF2 will make it easier for examiners to identify new sources of chat, geolocation, contact info/details, and web data across unsupported databases.
Dynamic App Finder 2: A stronger, more efficient investigative starting point
- She also shared a case study titled “Partnering to Reduce Digital Forensic Backlogs”.
New Case Study: How Portable Cases in Magnet AXIOM Help Examiners Collaborate with Stakeholders
- Christa also continues her series on forensic curiosity, covering a variety of tips to finding and parsing app data (which goes quite well with the previous post on DAF2).
Being Forensically Curious: Finding and Parsing
- Rick Andrade shared the news that the Magnet training team have put together an interactive tutorial on using portable cases.
New Self-Paced Tutorial Gives Stakeholders a Guided Tour of Portable Case
- Jake Williams at Rendition InfoSec has shared the news of their new challenge running until December 24th. They will be posting a new challenge daily with cash prizes for the best responses.
Introducing Infosec Advent
- Howard Oakley at The Eclectic Light Company has started a series on MacOS extended attributes
- Over on my ThinkDFIR blog, I wrote a list of things that I had learned about the DFIR Netwars contest. These are things that I would like to consider the next time I do one of these events, or for those that haven’t had a chance to play yet. (Also, Rob Lee liked the write-up!)
Things I Wish I Knew Before DFIR Netwars
SOFTWARE UPDATES
- AceLab released updates to a couple of their PC-3000 products
- Apache Tika v1.17 was released adding “new support for automatic image captioning, as well as numerous bug fixes and upgrades to dependencies”
Release 1.17 – December 8, 2017
- Berla updated iVe to version 1.13.4. “This release introduces support for a significant number of Hyundai vehicles manufactured from 2011 to present, as well as select Kia vehicles.” iVe also “now includes photos of all supported systems for a given vehicle within the acquisition wizard.”
iVe v1.13 Released
- Cellebrite released Analytics Desktop v6.3 adding project VIC integration, the ability to “view tags from UFED Physical Analyzer in Analytics Desktop” and “improved media review”.
Analytics Desktop 6.3 [December 2017]
- Cyber Triage was updated to v2.1.8 and Brian Carrier has a post about their recent Phantom integration. “The Phantom integration makes your response team more efficient by automatically starting an analysis of a remote system so that the data is waiting for you when you have time to start working on the alert.”
Phantom Integration Allows for Faster Responses
- Didier Stevens updated a few tools this week
- He updated rtfdump to version 0.0.6 and released a hashing utility
- He updated the biff parsing plugin (v 0.0.2) for oledump to add “new options [to] allow [users] to search for opcodes (-o) and strings/bytes (-f) inside BIFF records”
Update: plugin_biff.py Version 0.0.2 / oledump.py Version 0.0.31
- He also updated oledump to v0.0.32 to include a new plugin “that identifies streams in MSG files based on the 8-digit hexadecimal codes in the stream name.”
New oledump Plugin: plugin_msg.py / oledump.py Version 0.0.32
- Teru Yamazaki at Forensicist has released a forked version of Bulk Extractor which includes NTFS and utmp record carving.
Bulk Extractor with Record Carving
- GetData released Forensic Explorer v4.1.0.6802 with some bug fixes.
11 Dec 2017 – 4.1.0.6802
- Katana Forensics updated Lantern Triage to 1.1712.81.
- Sarah Edwards updated her Mac MRU Parser script to v1.5, fixing some bugs, and adding support for some Non-MRU-but-still-useful plists
Script Update – Mac MRU Parser v1.5 – Added Volume Analysis Support and Other Stuff!
- MOBILedit App Analyzer version 2017-12-15-01 was released, adding app support for iOS Evernote and Android Maxthon Browser, and improving deleted data recovery for Uber’s Android app.
App Analyzer update version 2017-12-15-01
- Microsystemation have released XRY 7.6, XAMN Spotlight 3.1 and XAMN Elements Beta 3.1 with a variety of updates.
Released today: XRY 7.6, XAMN Spotlight 3.1 and XAMN Elements Beta 3.1
- NIST have released the “federated testing tools, [which] is designed to help law enforcement and forensic practitioners with a critical early step in evidence collection: making a copy of the data from a seized electronic device”. “The federated testing tools allow authorities to run tests in advance on their digital forensic software to make sure ahead of time that it will not fail them when a suspect’s personal computer, media or device arrives in the forensic science lab”
New NIST Forensic Tests Help Ensure High-Quality Copies of Digital Evidence
- Oxygen Forensic Detective v10.0.2 was released. “The new release updates data parsing from 150+ app versions, supports 135 new device models and includes minor improvements.”
Oxygen Forensic® Detective 10.0.2 is released!
- Passmark Software updated OSForensics to V5.2.1004 with some bug fixes and minor improvements.
V5.2.1004 – 14th of December 2017
- Passware Kit 2017 v5 was released. V5 “recovers passwords for McAfee Drive Encryption, extracts macOS High Sierra account passwords from memory images, decrypts LUKS drives, and supports iOS 11. GPU-accelerated password recovery is now up to 350% faster for TrueCrypt system partitions. A new, efficient Passware dictionary is available for download for our customers.”
New In Passware Kit 2017 v5
- IsoBuster 4.1 was officially released.
IsoBuster 4.1 released
- Yogesh Khatri at Swift Forensics has released “Version 0.2 of mac_apt … with APFS support.”
mac_apt + APFS support
- Magnet released Axiom v1.2.2, updating the Dynamic App Finder and adding “various Improvements to Mobile Acquisitions, Cloud Artifacts, Connections and AXIOM Filtering”
Magnet AXIOM 1.2.2 Brings Big Improvements for Mobile, Cloud, and Computer Forensics
And that’s all for Week 50! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!