Merry Christmas and Happy Holidays! Hope everyone’s enjoying their break, although the last couple of weeks have each seen 120+ links shared, and this week is no exception.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog uses eventlogedit to delete an Event Log record.
  EventLogとEVTX
- There were a few posts by the guys at Cyber Forensicator this week
  - Igor Mikhaylov’s ‘Mobile Forensics Cookbook’ has been released.
    Mobile Forensics Cookbook has been released
  - They shared a paper by M. Amine Chelihi, Akintunde Elutilo, Imran Ahmed, Christos Papadopoulos, and Ali Dehghantanha titled “An Android Cloud Storage Apps Forensic Taxonomy”
    An Android Cloud Storage Apps Forensic Taxonomy
  - They shared a blog post from SalvationData on recovering fragmented files from the XFS file system
    Computer Forensics: Fragmented Files Recovery Based on XFS File System
  - They shared a presentation by “Craig Rowland from Sandfly Security [on] how to use basic Linux command line tools to do intrusion detection and digital forensics for Linux systems.”
    Command Line Forensics For Linux
  - They also shared “page_brute.py [which] is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows Page Files by applying YARA-based signatures to fixed-sized blocks of pagefile.sys.”
    Pagefile forensics: page_brute
- Marcos at ‘Follow the White Rabbit’ describes various methods for creating timelines in multiple formats. This is a good post for showing you the steps that you can take to generate both a standard MFT timeline and a supertimeline.
  About the timelines: The limit, your imagination
- Mark Lohrum at ‘Free Android Forensics’ shows how to extract and unpack the boot and recovery kernels from an Android device (as well as some brief, unrelated Star Wars talk)
  Unpacking boot and recovery kernels
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has a couple of posts this week
  - He first shows how to compile and use Microsoft’s procdump Linux port.
    Sysinternals ProcDump porting for Linux
  - He also walks through creating a forensic image of a hard drive using FTK Imager and the Caine boot disk.
    Forensic disk images of a Windows system: my own workflow
- TM4n6 walks through the process of acquiring data from an Android device using Android Debug Bridge (ADB). This is performed on a Linux system and shows how to create a logical image (non-rooted device) and a physical image (rooted device). It is possible to install an image over the recovery partition using something like ODIN and TWRP (or Magnet Acquire) and then manually perform your acquisition using a combination of ADB, dd, and netcat without rooting your device, as long as you can overwrite the recovery partition. Some phones are locked down though, so this might not be possible.
  Android Forensics with ADB
THREAT INTELLIGENCE/HUNTING
- The Carbon Black Threat Analysis Unit released their 2017 threat report.
  Carbon Black 2017 Threat Report: Non-Malware Attacks and Ransomware Continue to Own the Spotlight
- Lital Asher-Dotan at Cybereason lists the essential elements of an EDR solution and compares AV with “next gen” EDR solutions.
  Endpoint Detection and Response (EDR) 101
- Monty St John at CyberDefenses continues his series on CHRIME
- The guys at Digital Forensics Corp shared an article by Nate Marx at ProtectWise 401TRG on detecting lateral movement in SMB traffic.
  SMB Overview
- Hasherezade explains the Process Doppelgänging technique for hiding malware, as well as how to detect it. “The Process Doppelgänging … substitutes the PE content before even the process is created” and “uses a very little known API for NTFS transactions”. “It can be easily detected with the help of any tool that compares if the image loaded in the memory matches the corresponding file on the disk”
  Process Doppelgänging – a new way to impersonate a process
- Jake Williams comments on Benjamin Delpy’s update to Mimikatz, which allows attackers to avoid leaving traces in event logs.
  Check out @MalwareJake’s Tweet
- Jordan Potti walks through the process of setting up ElastAlert
  Using ElastAlert to Help Automate Threat Hunting
- SANS have posted a discussion between “Rebekah Brown, Rick Holland, and Scott Roberts [on] some of the most frequently asked questions about threat intelligence.”
  “Your Cyber Threat Intelligence Questions Answered”
- There were a couple of posts on the Sqrrl blog this week
  - Ryan Nolette walks through a sample hunt for domain admin account activity.
    Situational-Awareness driven Threat Hunting
  - Matthew Hosburgh continues his previous post on seeding a hunt using active defence techniques.
    Deception, Breaches, and Going on the Offense to Seed the Hunt
- Ryan McGeehan at Start Up Security shared what he has learned from this year’s security breaches.
  Learning From Security Breaches in 2017
- Matt Everson at Tenable shares a YARA rule for the Triton malware framework.
  Triton: What You Need to Know
- Nick Buraglio at ‘The Forwarding Plane’ describes a variety of tools for managing NetFlow data
  What is your netflow strategy?
PRESENTATIONS/PODCASTS
- Tayfun Uzun at Magnet Forensics answered a few questions about portable cases.
  Portable Case Q&A with Tayfun Uzun
- Nuix have uploaded a video showing how Nuix Analytics & Intelligence is used in a case study involving the “shipment of hazardous chemicals”
  Inside Scoop Product Update December 2017 – Shipping Demo
- OALabs have uploaded a video showing “a quick example of using BlobRunner to debug shellcode.”
  Debugging shellcode using BlobRunner and IDA Pro
- Paraben have released a couple of videos on processing emails using E3.
- On this week’s Digital Forensic Survival Podcast, Michael talked “about Mac Logs, namely the new Unified Logging in OS X and how this impacts forensic exams.”
  DFSP # 096 – OS X Unified Logging
- Craig Bowser shared his presentation from the SANS SIEM Summit titled “SIEMple Simon met a WMIman”
  Check out @shad0wtrackers’s Tweet
- Virus Bulletin released a few presentations this week
  - VB2017 paper: Peering into spam botnets
  - VB2017 paper: Modern reconnaissance phase on APT – protection layer
  - VB2017 video: Spora: the saga continues a.k.a. how to ruin your research in a week
  - Industroyer: biggest threat to industrial control systems since Stuxnet
  - Battlefield Ukraine: finding patterns behind summer cyber attacks
MALWARE
- Xavier Mertens at /dev/random provides details on a compiled HTML help file (CHM) that launches a malicious PowerShell script.
  Malware Delivered via a Compiled HTML Help File
- The guys at Joe Security have analysed a Loapi sample.
  Loapi – from Static to Dynamic Instrumentation
- Jared Myers shares information about a maldoc that injected “a Cobalt Strike payload into a running process”
  Threat Analysis: Malicious Microsoft Word Documents Being Used in Targeted Attack Campaigns
- There’s a post on the ‘CyberCrime & Doing Time’ blog sharing some details on an IcedID sample
  IcedID New Tricks: Where Banking Trojan meets Phishing
- Digital Forensics Corp shared an article by David Alvarez-Perez at Gradiant security analysing some malware exploiting CVE-2017-11826
  CVE-2017-11826 analysis in Depth
- Alex Davies and Connor Morley at Countercept “dissect the latest Emotet dropper and payload, highlighting the TTPs and IOCs that can be used to detect and prevent such attacks.”
  Hunting For Emotet
- Artem Semenchenko and Evgeny Ananin at Fortinet walk through an attack used to distribute the Bitcoin Orcus RAT.
  Circle of the fraud: more information about Bitcoin Orcus RAT campaign
- Ioana Rijnetu at Heimdal Security analyses an Emotet sample and explains how AtomBombing works
  Security Alert: Emotet Trojan Returns with New Waves of Spam Campaigns
- Malware Breakdown analyses some malspam distributing Ursnif and provides some IOCs
  Malspam Distributing Ursnif (Gozi ISFB)
- Christiaan Beek and Raj Samani at McAfee Labs provide some details of an attack by the Dragonfly group.
  Operation Dragonfly Analysis Suggests Links to Earlier Attacks
- There were a couple of posts on the Netskope blog this week
  - Umesh Wanve examines an attack distributing the TelegramRAT malware
    TelegramRAT evades traditional defenses via the cloud
  - Amit Malik analyses a maldoc from an attack they are calling BadWolf-1. “The Word document, disguised as an important company update, used two recently reported Microsoft Office vulnerabilities (CVE-2017-0199 & CVE-2017-11882) with multi-level payload downloads upon exploitation.”
    Targeted Attack BadWolf Exploits Office Vulnerabilities to Exfiltrate Data
- Darien Huss at Proofpoint shares their recent report on the Lazarus group.
  North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
- There were a few posts on the SANS Internet Storm Centre this week
  - Didier Stevens analyses a maldoc across two diaries
    Phish or scam? – Part 1, (Sun, Dec 17th)
  - Didier also shows how to use a new Python script to display the text in a docx file without opening it.
    Phish or scam? – Part 2, (Mon, Dec 18th)
  - Xavier Mertens shows a malicious PowerPoint presentation that executes a PowerShell command on ‘MouseOver’ of the link on the slide.
    Example of ‘MouseOver’ Link in a Powerpoint File, (Tue, Dec 19th)
  - Richard Porter posted a guest post by Etay Nir on the basics of kernel hooking.
    Guest Diary (Etay Nir) Kernel Hooking Basics, (Wed, Dec 20th)
  - Didier also explains how to determine if a PDF is encrypted and then decrypt it.
    Encrypted PDFs, (Sat, Dec 23rd)
- There were a few posts on Securelist this week
  - Ilya Pomerantsev and Dmitry Tarakanov expand on Palo Alto’s previous research into the PYLOT malware.
    Travle aka PYLOT backdoor hits Russian-speaking targets
  - Nikita Buchka, Anton Kivva, and Dmitry Galov examine the Loapi Android malware
    Jack of all trades
  - Alexander Kolesnikov examines the NiceHash cryptocurrency miners. I can’t remember where I saw it, but someone said that it seems ransomware is slowing down and miners are building up. I guess at least your files might be slightly safer at the expense of some electricity.
    Nhash: petty pranks with big finances
- There were a couple of posts on the Trustwave SpiderLabs blog this week
  - Rodel Mendrez examines an attack that utilises CHM files to distribute malware against Brazilian institutions.
    CHM Badness Delivers a Banking Trojan
  - Simon Kenin reviews the recently published source code of the BrickerBot malware.
    BrickerBot mod_plaintext Analysis
- There were a few posts on the TrendLabs blog this week
  - Ecular Xu examines “a new variant of [the] VAMP” malicious Android app called GnatSpy.
    New GnatSpy Mobile Malware Family Discovered
  - Ecular Xu and Grey Guo analyse the AnubisSpy Android malware.
    Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy
  - Rubio Wu, Anita Hsieh, and Marshall Chen examine an attack utilising the Loki malware.
    CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer
  - Lenart Bermejo and Hsiao-Yu Shih analyse the Digmine cryptominer
    Digmine Cryptocurrency Miner Spreading via Facebook Messenger
- Vitali Kremez has a couple of posts this week
  - The first post shows how to “reverse the latest Magniber ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.”
    Let’s Learn: Studying Magniber Ransomware PEB Traversal Function
  - The second post shows how to “reverse the latest Trickbot’s module called “DomainGrabber,” also known as “domainDll32,” used for LDAP harvesting of domain controller configuration.”
    Let’s Learn: Introducing New Trickbot LDAP “DomainGrabber” Module
- The ESET team at WeLiveSecurity provide an update to their research into the Sednit group; this includes an “update of their attack methodology” and “the evolution of their tools, with a particular emphasis on a detailed analysis of a new version of their flagship malware: Xagent.”
  Sednit update: How Fancy Bear Spent the Year
- Anastasios Pingios at ‘xorl %eax, %eax’ examines some new samples of the Tiny XMR mooner cryptominer.
  The “Tiny XMR mooner” Linux cryptominer malware
MISCELLANEOUS
- Matthew Ulm at 31ric shares some resources on file signatures
  File Information Resources
- Eric Huber at ‘A Fistful of Dongles’ comments on the fact that competence in the field is more important than qualifications.
  The Sound Of Music
- Cryptocypher at AlienVault has a great post on building a personal brand in InfoSec. This is from the perspective of a student who is trying to get noticed in the field; however, a lot of the lessons apply generally. I’m hoping to present my thoughts on how to do it, and why you would want to, at a couple of conferences next year 🙂
  Building Personal Brand: From One InfoSec Student to Another
- Brett Shavers at DFIR.Training comments on what he looks for when evaluating a digital forensics tool.
  I love DFIR software. I hate DFIR software.
- The guys at Digital Forensics Corp shared an article by Neucleus Technologies on how to extract emails from corrupted OST files.
  How to extract emails from corrupted OST-files
- Vladimir Katalov at Elcomsoft has listed the various security changes made between iOS 10 and 11 that investigators and examiners should be aware of.
  What’s New in iOS 11 Security: the Quick Reference Guide
- There were a number of posts on the Forensic Focus blog this week
  - Scar de Courcier reviewed MSAB’s XEC Director.
    Review Of XEC Director From MSAB
  - Paraben shares some details from the next update to E3 regarding exporting geolocation data to a KML file that can be viewed with HTCI’s MapLink.
    Paraben Adds MapLink Integration
  - Scar shared her top stories and forum topics from the last month
  - Belkasoft has announced their annual customer survey, which comes with a chance to win a full license of BEC 2018.
    Belkasoft Annual Customer Survey – Complete And Win!
  - The MOBILedit team has put out a call for unsupported apps that people need help parsing. “They are accepting requests for app support and work hard on detailed analysis of their databases, file structures, encryption and deleted data”
    Need To Analyze Some Apps? Send Them To The MOBILedit Team
  - They interviewed Miloš Gizdovski, who is the marketing director at HddSurgery.
    Interview With Miloš Gizdovski, Marketing Director, HddSurgery
- Hex-Rays announced the winners of their annual IDA Pro plugin contest.
  Hex-Rays Plugin Contest Results 2017
- Adam Belsher at Magnet Forensics shares his highlights from this year, including their various wins in the 4Cast awards, the Artifact Exchange, and updates to Axiom.
  Looking Back on 2017 with Adam Belsher, CEO of Magnet Forensics
- Paul Shomo at OpenText announced the winner of the inaugural Forensic Research Awards Program. Unfortunately, this came after a bit of prompting (it was meant to be announced at the end of September), which caused a bit of an outcry. There’s room for improvement with the program, and I like the concept of rewarding people for the research that they currently do for free in an attempt to inspire more people to spend their free time sharing/researching. One of the suggestions I liked is that the program should run throughout the year and people can submit their published research posts/papers for the judges to review. This means that the research is published from the get-go and others are incentivised to do some research.
  Forensic research awards highlight the difficulty of digital privacy
- Kinny Chan at Precision Discovery comments on the Federal Rule of Evidence 902 amendments which came into effect December 1st.
  Self-Authenticating eDiscovery – What Did the Rule Amendments Change?
- SalvationData shared their most popular articles of the year
  Season’s Greetings from SalvationDATA
- Howard Oakley at ‘The Eclectic Light Company’ continues sharing information about macOS extended attributes
  - xattr: com.apple.FinderInfo, information for the Finder
  - xattr: com.apple.LaunchServices.OpenWith, sets a custom app to open a file
  - xattr: com.apple.metadata:kMDItemDownloadedDate, the download datestamp
  - xattr: com.apple.metadata:kMDItemWhereFroms, origin of downloaded file
  - xattr: com.apple.metadata:kMDItemCopyright, records copyright info
  - xattr: com.apple.metadata:kMDItemCreator, records the app which created a file
  - xattr: com.apple.metadata:kMDItemDescription, arbitrary information about a file
  - xattr: com.apple.metadata:kMDItemHeadline, an arbitrary text headline
- Virus Bulletin posted reviews of the recent Botconf and AVAR conferences.
SOFTWARE UPDATES
- Didier Stevens released a couple of new tools this week
- DME Forensics have released DVR Examiner 2.1.1, adding “support for the Prod2_264 filesystem” and resolving “scan issues with the ICATCH_264 Filesystem”.
  DVR Examiner 2.1.1 has been released!
- ExifTool was updated to v10.69, adding new tags and bug fixes.
  ExifTool 10.69
- GetData updated Forensic Explorer to v4.1.0.6828, fixing a couple of bugs
  17 Dec 2017 – 4.1.0.6828
- Katana Forensics released an update for Lantern Triage (Update 1.1712.200), improving “iOS Extraction performance (iPhone X)” and “cloud support for iOS 11 Devices”
- “A new version of MISP 2.4.85 has been released including improvements to the feed ingestion performance, warning-list handling and many bug fixes.”
  MISP 2.4.85 released (aka feeds and warning-lists improvement and more)
- MOBILedit App Analyzer version 2017-12-18-01 was released, adding support for Sarahah and Maxthon for iOS
- Microsystemation released XEC Director, Export & Express 3.0, and Kiosk & Tablet 7.6. XEC Director 3.0 now allows users to “centrally manage XRY Office clients as well as Kiosks, Tablets and Express, in a single connected network”. The update to Kiosk also activates Windows Defender and has GUI improvements.
  We’ve released XEC Director, Export & Express 3.0, Kiosk & Tablet 7.6
- X-Ways Forensic 19.5 SR-3 was released with some bug fixes
  X-Ways Forensic 19.5 SR-3
- X-Ways Forensic 19.6 Preview 2 was released with a number of improvements.
  X-Ways Forensic 19.6 Preview 2
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.8
  1.0.8
And that’s all for Week 51! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!