Happy New Year!
It was a bit hectic last week posting a few times on New Year’s Eve; in case you missed it, I posted my monthly podcast episode, as well as a wrap up for the year.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog posted a couple of times this week
- The first shows the effects of removing thumbnails using Disk Cleanup on Win10
Win10 と Thumbnail Cache
- The second checks “the relationship between Thumbnail CacheId and thumbnail cache on Windows 10 ver 1709 environment.”
Windows 10とThumbnailCacheId
- Mari DeGrazia at ‘Another Forensics Blog’ has a couple of posts about mounting APFS images on Windows and Linux
- The first shows how to mount an APFS drive as a logical image into any forensic tool using the Paragon APFS preview Windows driver. I tested this process using a couple of test APFS images that I had created, and it worked great for the unencrypted one. Still no success with the FileVault 2 one 😦 Also, it's been pointed out that you may not be able to see the extended attributes; I haven't confirmed this, however.
How to mount Mac APFS images in Windows
- The second shows a similar process for mounting APFS images on Linux. Mari wasn’t able to test it (yet) but apparently this process can support encrypted images.
Mounting an APFS image in Linux
- There were a few posts by the guys at Digital Forensics Corp this week
- They shared an article by Thomas White on recovering BitLocker Full Volume Encryption keys from memory with Volatility.
Volatility plugin to extract BitLocker Full Volume Encryption Keys
- They shared an article on database reverse engineering
Database Reverse Engineering
- They shared an article on KitPloit regarding “ADRecon, [which] is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.”
ADRecon Overview
- They shared a GitHub repository maintained by Meir Wahnon that contains “a curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.”
A List of Incident Response sources
- Aaron at DigitalResidue provides a primer on virtual memory and explains a few Volatility plugins
damn blogger.com
- Preston Miller at ‘DPM Forensics’ describes some additional data that can be obtained from a user's Google account outside the official Google Takeout app. This includes data from a user's activity in Google Drive, as well as that which is stored in a user's ‘My Activity’ page.
500 Words or Less: Getting more from Google Accounts
- Hashim Shaikh at the Infosec Institute provides an overview of the mobile device examination process.
Mobile Forensic Process: Steps and Types
- Mark Lohrum at ‘Free Android Forensics’ shows how to use MTPwn to obtain select data from a locked Samsung device via the MTP protocol.
MTPwn
- Steven Alexander at ‘The Bug Charmer’ shows how Apple Safari tracks “which sites were configured to play Flash video” in the com.apple.Safari.plist (as of OSX 10.10). The “PlugInPageURL” key is shown to contain a URL that has been accessed.
Safari Plugin Forensics – com.apple.Safari.plist
- Robert at ‘The Hex Ninja’ walks through carving a JPEG from unallocated space under a few different circumstances.
Practical Exercise – Image Carving
THREAT INTELLIGENCE/HUNTING
- Chris Sanders continues reviewing ‘The Cuckoo’s Egg’, this time covering chapters 24-30.
Cuckoo’s Egg – Week 5 Notes
- ClearSky Research Team have released their Cyber Intelligence Summary Report for 2017.
Cyber Intelligence 2017 Summary Report
- Monty St. John at CyberDefenses explains the Execution component of the CHRIME acronym.
CHRIME and Execution
- Adam at Hexacorn shows how to use deskbands to execute a program without being picked up by Autoruns.
Beyond good ol’ Run key, Part 70
- Jordan Potti uses “Cyberwardog’s guidance to build an alert for the detection of Mimikatz using Sysmon and the ELK Stack.”
Automating the detection of Mimikatz with ELK
- Matt Graeber at SpecterOps describes the limitations that he’s found with Sysmon configurations and the steps that were taken to get around them.
Working With Sysmon Configurations Like a Pro Through Better Tooling
- There were a couple of posts on the Sqrrl blog this week
- Kristina Sisk at Sqrrl describes the need for a hunting calendar to determine your team’s schedule for the year. She also lists a number of things one should consider in the planning process.
Setting your Threat Hunting Calendar for 2018
- Ryan Nolette provides a “quick overview of how [he uses] Bro IDS for threat hunting”
Threat Hunting with Bro
PRESENTATIONS/PODCASTS
- The guys at Cyber Forensicator shared a webinar by Dr. Padhraic Smyth from the University of California, Irvine titled “Statistical Methods for Analyzing Event Time-Series Data in Digital Forensics”.
Statistical Methods for Analyzing Event Time-Series Data in Digital Forensics
- Didier Stevens has uploaded a couple of videos in relation to some previous Internet Storm Centre Handler Diary posts
- Hasherezade has uploaded a video showing how to unpack a TrickBot sample using PE-sieve
Unpacking TrickBot with PE-sieve
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ shows how to “unpack and decompile a malware that was written in Python and transformed into an executable with PyInstaller”
Malware Analysis – Unpack and Decompile Python-to-Exe Malware
- Karsten has also uploaded a short video showing “how to setup python 2.7 for your lab and how to use pip to install tool”
Lab Setup – Setting up Python, Pip and Uncompyle6
- On this week’s Digital Forensic Survival Podcast, Michael talked about some fundamentals that newer examiners should focus on: namely, that answers don’t always come easily, and that understanding forensic artefacts is more important than tool training.
DFSP # 098 – Back to basics 2018
- Richard Davis has uploaded a video describing shellbags and showing how to examine them using Eric Zimmerman’s Shellbag Explorer
Shellbag Forensics
MALWARE
- Maxim Zavodchik, Liron Segal, and Aaron Brailsford at F5 explain “a new Linux crypto-miner botnet that is spreading over the SSH protocol”
New Python-Based Crypto-Miner Botnet Flying Under the Radar
- Floser Bacurio and Wayne Low at Fortinet “discuss the history of sandbox detection”, discuss “the malware families that KTIS has observed from spear-phishing emails that attempt to bypass the user-mode API hook in order to evade sandbox detection”, and “share the mitigation method we use to harden the Cuckoo sandbox against this bypass technique.”
Prevalent Threats Targeting Cuckoo Sandbox Detection and Our Mitigation
- Adam at Hexacorn has shared some “normalized data logs from [malware] sandboxing sessions”
Happy New Year 2018 & Get yourself logs from 250K sandboxed samples
- Ryan Sherstobitoff and Jessica Saavedra-Morales at McAfee Labs examine a maldoc relating to “a campaign targeting organizations involved with the Pyeongchang Olympics.”
Malicious Document Targets Pyeongchang Olympics
- Roy Moshailov at Morphisec examines the RokRAT malware.
Threat Profile: RokRAT
- Didier Stevens at the SANS ISC Handler Diaries shows how to extract files from a “Transport Neutral Encapsulation Format” file.
Analyzing TNEF files, (Sun, Dec 31st)
- Edmund Brumaghin at Cisco’s Talos blog details an attack launched in Ukraine that infected victims with a variant of the Zeus banking trojan.
Not So Crystal Clear – Zeus Variant Spoils Ukrainian Holiday
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains the code of a Python keylogger
How keyloggers works: a simple example of keyboard hooking using Python
- Two Intel bugs hit the news this week; here are all the links talking about them
- Matt Everson at Tenable has updated the post on Triton to indicate that the malware utilises the TriStation protocol, and not the TSAA protocol as was indicated earlier.
Triton: What You Need to Know
- Wyatt Roersma posted a few live streams this week; the two that caught my eye were
MISCELLANEOUS
- Dr Cotton at ‘Cotton On…’ shares his network diagram for his testing lab.
Building a Lab Pt.2 Software
- DriveSavers have a post on the different types of legal documents that may be required before acquiring e-mail evidence so that it is admissible in court.
Legal Email Collection
- Jack Crook at ‘DFIR and Threat Hunting’ has a non-technical (non-DFIR) post that I thought would be worth sharing. Jack’s health took a turn in 2017, and he explains how he has managed to get himself back on track. He also stresses the importance of maintaining a healthy lifestyle.
My 2017
- Belkasoft announced on Forensic Focus that they’ve extended their customer survey. Customers that fill out the survey go into the draw to win a free year's license of BEC.
Belkasoft Customer Survey Extended
- Compelson has announced a 10% discount on their MOBILedit Forensic Express product for Forensic Focus readers until the 11th of January.
MOBILedit Forensic Express Now Available At 10% Discount For 10 Days
- “Researchers have discovered how to identify smartphones by examining just one photo taken by the device.” There are a couple of products on the market that I know of that have similar capability, however, I think they require some training (using other photos taken by the device).
Tiny details in photos identify your unique phone
- Magnet Forensics listed the many achievements that they are proud of from 2017.
Magnet Forensics in 2017 – A Look Back by the Numbers
- Howard Oakley at ‘The Eclectic Light Company’ shows how moving a file from macOS to iCloud Drive removes some of the extended attributes. The test he performed was moving a file from Sierra to High Sierra via iCloud Drive; I’m unsure whether moving a file between two machines running the same OS version will cause the same behaviour.
iCloud Drive can strip (meta)data from your documents
SOFTWARE UPDATES
- Plaso 20171231 was released, making the SQLite Plaso storage file default, adding a “new SQLite parser plugin to handle Safari’s newer history format” and “nicer looking partition and VSS overviews in log2timeline”, as well as updates to DFVFS.
Plaso 20171231 released
- “Cellebrite has detected a bug in the date verification mechanism that will cause all UFED Physical Analyzer, UFED Cloud Analyzer and UFED InField products to stop decoding data as of January 5th, 2018. The error will only appear in the trace log.” As a result, Cellebrite have released an emergency hotfix.
Preventative hotfix for UFED Physical Analyzer, UFED Cloud Analyzer and UFED InField
- ExifTool 10.73 (development) was released, decoding some new tags and fixing some bugs
ExifTool 10.73
- GetData updated Forensic Explorer to version 4.1.2.6910 with some additional features and improvements
v4.1.2.6910
- Tableau Firmware Update (TFU) version 7.21 has been released, with firmware updates for the TD2u Forensic Duplicator (version 1.3), TDP6 SAS Expansion Module (version 1.1.1), and TFU Utility (version 7.21)
Tableau Firmware Update (TFU) version 7.21
- Mark Russinovich announced that Sysmon v7 has just been released “which includes file version information and can dump old configuration schema versions.”
Check out @markrussinovich’s Tweet
- Howard Oakley at ‘The Eclectic Light Company’ has released the first beta release of his extended attribute editor, xattred.
xattred’s first beta release: edit any extended attribute
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.11
1.0.11
And that’s all for Week 1! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!