Last weekly post for the year! It’s both good and bad that the year ends on a Sunday. It does round things off nicely, but it also means that I have a podcast to put together next. Thank you to everyone who reads this every week, and also shares it around with others. I really appreciate the support.
Looking forward to an exciting 2018!
FORENSIC ANALYSIS
- Andrew Swartwood at ‘Between Two DFIRns’ has released a new network forensic CTF
Network Forensic CTF – TufMups Undercover Operation
- Brett Shavers discusses the need for continued education. I liked Brett’s point about saving important blog articles to PDF, as I have found that some blogs get taken down. Generally, it’s a good idea to save them in your case notes if you’re referencing them. It is time-consuming to do your own research, but it’s worth it. A new-ish paradigm is to work through it live (Test Kitchen style), which some may find useful because others can help guide them and everyone learns together. Wyatt Roersma also did some live streamed work.
Don’t look back. Try to keep up. This is #DFIR.
- Brian Moran at BriMor Labs and Jessica Hyde from Magnet Forensics have shared out a cheat sheet they made “summarizing the URLs to query from Amazon to return some of the Amazon Echosystem data”
Amazon Alexa Forensic Walkthrough Guide
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shows how to perform a logical acquisition of an Android device using ADB and Android Backup Extractor.
Forensic logical acquisition of Android devices using adb backup
- Over on my ThinkDFIR blog I wrote up my notes from Dave Cowen’s recent Forensic Lunch Test Kitchen videos. I didn’t get to watch them all in the week that they came out (I think it was ~5 hours of content all up), so I figured I’d write it up now.
Documenting a week of DFIR cookups
THREAT INTELLIGENCE/HUNTING
- Monty St. John at CyberDefenses explains the Malware component of the CHRIME acronym
CHRIME and Malware
- Jack Crook at ‘DFIR and Threat Hunting’ shares how he chains interesting events together using ELK.
Hunting with ELK
- Adam at Hexacorn shows how psexec has a command line option “that allows you to create a service name as per your liking”.
PsExec going places…
- Adam at Hexacorn shows another method for abusing a configuration setting to obtain persistence. If a specific value is set in the registry, the system will look for an external .manifest file, which can be used to reference malicious DLLs.
Beyond good ol’ Run key, Part 69
- Jordan Potti shows how to setup Elastic Curator “to clean up the [sysmon] logs when the [ELK] server began to reach a threshold”
Using Elastic Curator To Clean Up ELK
- Jake Williams at ‘Rendition Infosec’ posed a question on Twitter regarding whether network or endpoint monitoring was more important. Endpoint monitoring had the most votes; however, the comments that Jake has collated appear to provide better insight.
Host or endpoint monitoring – if you can only do one, which one?
- Sergey Golovanov and Igor Soumenkov at Securelist share a script that they use “to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers were moving through the network”
Happy IR in the New Year!
UPCOMING WEBINARS/CONFERENCES
- Matt Bromiley announced that he will be doing a two-part webcast series on Windows Event logs next month. The first, “What Event Logs? Part 1: Attacker tricks to remove event logs”, is running on January 11th, 2018 at 15:30 UTC. The second, “What Event Logs? Part 2: Lateral movement without event logs”, is running on January 18th, 2018 at 15:30 UTC.
Check out @mbromileyDFIR’s Tweet
PRESENTATIONS/PODCASTS
- The guys at Cyber Forensicator shared a presentation by Wesley McGrew from Defcon 19 titled “Forensics for people who break things”
Covert Post Exploitation Forensics with Metasploit
- Hasherezade shows how to unpack a sample utilising process hollowing using PE-sieve
DEMO: Unpacking process hollowing with PE-sieve
- On this week’s Digital Forensic Survival Podcast, Michael describes some useful event logs to be aware of.
DFSP # 097 – The Main Event
- Wyatt Roersma live streamed many, many hours of coding and memory/malware analysis during the week. There’s not enough time left in the year to watch all of it, but you can see his Twitch channel here.
MALWARE
- The guys at Digital Forensics Corp shared a tweet by Eduardo Novella showing how to deobfuscate a packed dex file using Simplify.
Deobfuscating dex files
- Marco Ramilli analyses a malicious unnamed infostealer sample.
Info Stealing: a new operation in the wild
- Reverse Engineering Malware has released an update to PSDecode to allow it to “override methods within system classes typically used by malware authors”. “As the malicious script is run through PSDecode, these actions are stored and, when complete, the actions are printed to the screen in the order in which they occurred.”
PSDecode Update: New-Object override + Actions output
- Veo Zhang at TrendLabs examines a malicious Android app that exploits CVE-2017-13156.
Janus Android App Signature Bypass Allows Attackers to Modify Legitimate Apps
- Vitali Kremez analyses “the internals of the prolific Cutlet ATM malware.”
Let’s Learn: Cutlet ATM Malware Internals
MISCELLANEOUS
- Didier Stevens wrote a short series on cracking encrypted PDFs
- The guys at Digital Forensics Corp shared a number of articles this week
- They shared an article by Check Point Research on a vulnerability found in Huawei Home Routers that would allow them to be recruited into a variant of the Mirai botnet.
Routers in Botnet Recruitment
- They advised that “Apktool v2.3.1 has been released”. “Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps.”
Apktool v2.3.1 has been released
- They advised that “Dolphin Data Lab has released a new adapter for chip-off. The adapter’s name is DFL eMMC Chip Reader All in One.”
DFL eMMC Chip Reader
- They shared a link to an online forgery detection tool; playing around with the test image is very interesting.
Forensically
- Belkasoft posted a recap of their releases this year on Forensic Focus
Belkasoft And Belkasoft Evidence Center: 2017 Recap
- There were a couple of posts on the Magnet Forensics blog
- Dmitry Sumin from Passware was interviewed on the Magnet Forensics blog this week
A Deeper Look at Decryption: Q&A with Passware CEO and Founder Dmitry Sumin
- Christa Miller interviewed Preston Miller and Chapin Bryce on scripting with Python, collaboration, and the script that they submitted to the Magnet Artifact Exchange.
Being Forensically Curious: The Process of Scripting
- Joe Babineau at Nuix talks about Global (horizontal) and Custodial (vertical) deduplication using Nuix.
Mastering Global and Custodial Deduplication in Nuix
- Didier Stevens posted a couple times on the SANS Internet Storm Centre Handler Diaries this week
- He first shows how to extract a URL from “PDFs where the URL is stored indirectly”
PDF documents & URLs: update, (Sun, Dec 24th)
- Didier also shows how to use his tools to “decode objects that are not well-formed”
Dealing with obfuscated RTF files, (Mon, Dec 25th)
- Howard Oakley at ‘The Eclectic Light Company’ posted about some more macOS extended attributes.
- Pieces0310 shows how to use adb to create a screen recording of an Android device
Recording the phone screen as video with ADB commands – Pieces0310
SOFTWARE UPDATES
- ExifTool 10.70 (development release) was released, with minor improvements and bug fixes.
ExifTool 10.70
- GetData released Forensic Explorer v4.1.0.6868 with some improvements and bug fixes.
24 Dec 2017 – 4.1.0.6868
- MobilEdit released “Live Update version 2017-12-29-01 of MOBILedit Forensic Express”, adding support for the Windy Android app
Live Update version 2017-12-29-01
- OmenScan v1.4 was released and the developer has a blog post explaining the new feature for hiding the console.
Hiding and Showing Console Windows
- Paraben has released v1.6 of their E3 platform with new features including exporting data to HTCI MapLink, additional support for the DJI Go 4, and “new unlock and enhanced support for over a dozen new LG devices.”
What’s New in E3:Universal Aurora Edition 1.6
- Radare2 r2-2.2.0 Tió De Nadal was released
2.2.0
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.9
1.0.9
And that’s all for Week 52/2017! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!