FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog took a look at the Win10 Thumbnail index database, thumbcache_idx.db.
Win10 と Thumbnail Index
- Brian Maloney stumbled across a Windows event log, Microsoft-Windows-MBAM/Operational, that records RemovableDriveMounted and RemovableDriveDismounted events (event IDs 39 and 40)
Check out @bmmaloney97’s Tweet
- There were a few posts on the Cyber Forensicator blog this week
- They shared a paper by Suchul Lee, Sungil Lee, and Jun-Rak Lee titled “SPaRe: Efficient SQLite Recovery Using Database Schema Patterns”
SPaRe: Efficient SQLite Recovery Using Database Schema Patterns
- They shared a paper by Peter Kieseberg, Sebastian Neuner, Sebastian Schrittwieser, Martin Schmiedecker, and Edgar Weippl titled “Real-time Forensics through Endpoint Visibility”
Real-Time Forensics Through Endpoint Visibility
- Maxim Suhanov guest posted about his “Yet Another Registry Parser” tool, specifically relating to the registry file carving feature. “According to the tests, approximately 10-25% of fragmented registry files can be reconstructed using the yarp-carver tool”
Carving Fragmented Registry Files
- There were a couple of posts by Elcomsoft this week
- Oleg Afonin describes various methods of extracting media files from iOS devices using Elcomsoft’s tools
How to Extract Media Files from iOS Devices
- Oleg also shows how to use Elcomsoft's various tools to extract Google Chrome and Google account saved passwords. Oleg then briefly describes some case studies where these passwords can be used. Stored passwords are a great repository to call on when building password cracking dictionaries.
Extracting and Making Use of Chrome Passwords
- Foxton Forensics explain that their ‘Browser History Capturer’ tool now has the ability to extract internet history from System Restore points.
Recovering deleted internet history from System Restore points
- Tom Sela at ‘Illusive Networks’ reverse engineers the doskey application, showing that CMD.exe command history can be recovered directly from memory.
Windows Console Command History: Valuable Evidence for Live Response Investigation
- Sarah Edwards at Mac4n6 has a post on using the iOS 10.3.3 and iOS 11 jailbreaks to acquire iOS devices manually.
iOS Imaging on the Cheap! – Part Deux! (for iOS 10 & 11)
- Arman Gungor at Metaspike lists some considerations to take into account when collecting email evidence. This includes correctly identifying sources, dealing with the security that the owner has in place, storing the data in the correct format, using adequate tools, and verifying the accuracy of the downloaded emails.
Forensically Collecting Emails — 5 Things to Know
- Yulia Samoteykina at Atola Technology shares a workflow for acquiring evidence from a potentially damaged hard drive.
Evidence acquisition workflow in 5 steps
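The point of an acquisition workflow for a failing drive is that an unreadable region should cost you that region and nothing else: the image must stay offset-aligned, the gaps must be documented, and the hash must cover what you actually wrote. The following is an added example written for this roundup, not Atola's workflow or code. It reads block by block, retries a failing block, then drops to sector-sized reads to salvage what it can, zero-fills the sectors that never read, records those ranges, and returns the SHA-256 of the image. The `FlakySource` class is a constructed stand-in for a block device whose reads fail at chosen sectors; on a real case the read callback would wrap a raw device opened behind a write blocker.

```python
"""Imaging that tolerates unreadable sectors.  Added example, not Atola's
workflow: FlakySource is a constructed in-memory 'drive' whose read()
raises OSError at chosen sectors so the error path can be exercised."""
import hashlib
import io

SECTOR = 512


class FlakySource:
    """Stand-in for a block device.  Sectors in `bad` always raise OSError;
    sectors in `flaky` raise once and then read cleanly."""
    def __init__(self, data, bad_sectors=(), flaky_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.flaky = dict.fromkeys(flaky_sectors, 1)
        self.reads = 0

    def read(self, off, n):
        self.reads += 1
        for s in range(off // SECTOR, (off + n + SECTOR - 1) // SECTOR):
            if s in self.bad:
                raise OSError("I/O error at sector %d" % s)
            if self.flaky.get(s, 0):
                self.flaky[s] -= 1
                raise OSError("transient error at sector %d" % s)
        return self.data[off:off + n]


def _read_retry(read, off, n, retries):
    for _ in range(retries):
        try:
            return read(off, n)
        except OSError:
            pass
    return None


def image(read, size, out, block=4096, retries=2):
    """Copy `size` bytes from read(offset, length) into `out`, block by block.
    A block that still fails after `retries` is re-read one sector at a time;
    sectors that never read are zero-filled so the image stays offset-aligned,
    and their (offset, length) ranges are returned with the SHA-256."""
    digest = hashlib.sha256()
    bad = []
    off = 0
    while off < size:
        n = min(block, size - off)
        chunk = _read_retry(read, off, n, retries)
        if chunk is None:
            parts = []
            for s in range(off, off + n, SECTOR):
                m = min(SECTOR, off + n - s)
                sec = _read_retry(read, s, m, retries)
                if sec is None:
                    sec = b"\x00" * m
                    if bad and bad[-1][0] + bad[-1][1] == s:
                        bad[-1] = (bad[-1][0], bad[-1][1] + m)  # coalesce adjacent
                    else:
                        bad.append((s, m))
                parts.append(sec)
            chunk = b"".join(parts)
        out.write(chunk)
        digest.update(chunk)
        off += n
    return digest.hexdigest(), bad


def acquire(source, size, **kw):
    """Image `source` into memory; returns (sha256_hex, bad_ranges, image_bytes)."""
    out = io.BytesIO()
    sha, bad = image(source.read, size, out, **kw)
    return sha, bad, out.getvalue()


SAMPLE_DATA = bytes(range(256)) * 64      # 16 KiB = 32 sectors, constructed


if __name__ == "__main__":
    src = FlakySource(SAMPLE_DATA, bad_sectors=(5,), flaky_sectors=(20,))
    sha, bad, _ = acquire(src, len(SAMPLE_DATA))
    print("sha256:", sha)
    print("zero-filled ranges (offset, length):", bad)
    print("reads issued:", src.reads)
```

The returned range list is the part to keep with the image: a verification hash of a damaged drive will never match the source, so the zero-filled ranges are what lets a reviewer reconcile the two.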
- Howard Oakley at ‘The Eclectic Light Company’ posted a couple of items of interest this week
- He describes the metadata found on MacOS and how to display the various extended attributes.
Where did that metadata come from?
- He also described the various file system and cloud services that preserve extended attributes when files are transferred through them. This can be useful to know when trying to figure out why a file doesn’t have all the metadata that you would expect.
Which file systems and Cloud services preserve extended attributes?
THREAT INTELLIGENCE/HUNTING
- The Falcon Intelligence Team at Crowdstrike share some information about a recent attack “targeting suspected victims involved in or supporting the February 2018 Olympic Winter Games in Pyeongchang, South Korea.”
Malicious Spear-Phishing Campaign Targets Upcoming Winter Olympics in South Korea
- There were a couple of posts on the Cyber Reason blog this week
- Sarah Maloney provides an overview of APTs and their actions, as well as describing a shift in mentality required when dealing with them.
Defending Against an Advanced Persistent Threat (APT)
- Fred O’Connor provides an overview of threat hunting along with some steps to get started
8 Steps to Start Threat Hunting
- Meir Brown at Cyberbit shows how to detect a LockPoS variant using their EDR solution
How Cyberbit Researchers Discovered a New Silent LockPoS Malware Injection Technique
- Jack Crook at ‘DFIR and Threat Hunting’ poses the question “what are your tools detecting”. Jack explains that if your EDR solution is looking for malware this may not adequately detect an adversary that can live off the land. He also shares “some tests that you can use to verify the capabilities of your tools when it comes to recon, lateral movement and data staging”
What are your tools detecting
- Sergio Caltagirone at Dragos shares their report on Industrial Control Threat Intelligence
Industrial Control Threat Intelligence
- The MISP project have a post about how to use “MISP to share vulnerability information efficiently”
Using MISP to share vulnerability information efficiently
- Olaf Hartong has shared “a repository of sysmon configuration modules”
Sysmon-modular
- Champ Clark at Quadrant Information Security mimics some of the threat hunting suggestions made by Jack Crook using Sagan.
Using Jack Crook’s log analysis concepts with Sagan
- A couple of whitepapers were published on the SANS Information Security Reading Room this week
- They shared Kenneth G. Hartman’s whitepaper titled “Digital Forensic Analysis of Amazon Linux EC2 Instances”
Digital Forensic Analysis of Amazon Linux EC2 Instances
- They also shared Alfredo Hickman’s whitepaper titled “Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments”
Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
- Brad Duncan reviews some network data from “fake anti-virus (AV) web pages or other unwanted destinations that pop up after viewing a legitimate, but compromised, website.”
Fake anti-virus pages popping up like weeds, (Mon, Jan 8th)
- Renato Marinho examines a system compromised using CVE-2017-10271
Campaign is using a recently released WebLogic exploit to deploy a Monero miner, (Thu, Jan 4th)
- Russ McRee describes some GitHub projects that he has identified as of interest
GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer, (Wed, Jan 10th)
- Johannes Ullrich explains the compromise of a PeopleSoft system using CVE-2017-10271 to install XMRig
A Story About PeopleSoft: How to Make $250k Without Leaving Home., (Mon, Jan 8th)
- Xavier Mertens shows a recent attack distributing a cryptominer
Mining or Nothing!, (Thu, Jan 11th)
- Bojan Zdrnja “would like to remind everyone on registry changes that are required by the latest patches released by Microsoft”. Bojan also shows the steps required to ensure the patches are applied, and how “Mimikatz successfully extracts the plain text password from an unpatched Windows 2008R2 server.”
Those pesky registry keys required by critical security patches, (Fri, Jan 12th)
- Ann Swenson at Cisco expounds the benefits of IR planning and shares a link to their eBook on the subject
Incident Response: Are you ready?
- Matthew Hosburgh at Sqrrl shows how to examine systems for indications of RDP brute force attempts
Threat Hunting for Internal RDP Brute Force Attempts
- There were a couple of articles on Syspanda this week
- Pablo Delgado shows how to go about “setting up a Logstash filter that will look for Event Ids that match the Security Group Management logs generated by your Domain Controller for long term storage. This will allow us to look back through historical data and see when groups were created, deleted, and whether users were added/removed.”
Monitoring Domain Group Membership Changes With ELK
- Khoa Nguyen shares a one-liner to “find [exchange] mailboxes with forwarding addresses enabled”
Exchange – Find Mailboxes with Forwarding Addresses Enabled
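Both Matthew Hosburgh's RDP brute-force hunt and Pablo Delgado's group membership monitoring come down to picking the right Security event IDs and then either counting (4625 with LogonType 10, per source address, over a time window) or flattening (4728/4732/4756 for additions, 4729/4733/4757 for removals). The following is an added example written for this roundup, not Sqrrl's or Syspanda's code, that does both over constructed records. The record layout (an `event_id` plus an `event_data` map with the Windows field names) is modelled on what winlogbeat ships to Logstash and is an assumption; adjust the key names to whatever your pipeline produces.

```python
"""Two hunts over Windows Security events: failed RDP logons clustered by
source address, and group membership changes.  Added example; the records
are constructed in a winlogbeat-like shape and are not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILED = 4625
RDP_LOGON_TYPE = "10"   # LogonType 10 = RemoteInteractive (RDP)
GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE = {4729: "global", 4733: "local", 4757: "universal"}


def _ev(ts, eid, **data):
    return {"timestamp": ts, "event_id": eid, "event_data": data}


# Constructed sample: six RDP failures from one host inside five minutes,
# one stray RDP failure from another host, one SMB (LogonType 3) failure
# that must not count, and three group membership changes.
SAMPLE_EVENTS = [
    _ev("2018-01-10T03:1%d:00Z" % i, LOGON_FAILED, IpAddress="10.0.0.5",
        LogonType=RDP_LOGON_TYPE, TargetUserName="administrator")
    for i in range(6)
] + [
    _ev("2018-01-10T03:12:30Z", LOGON_FAILED, IpAddress="10.0.0.9",
        LogonType=RDP_LOGON_TYPE, TargetUserName="jsmith"),
    _ev("2018-01-10T03:13:00Z", LOGON_FAILED, IpAddress="10.0.0.5",
        LogonType="3", TargetUserName="backup"),
    _ev("2018-01-10T03:20:00Z", 4728, SubjectUserName="admin1",
        MemberName="CN=jsmith,OU=Users,DC=corp,DC=local",
        TargetUserName="Domain Admins"),
    _ev("2018-01-10T03:21:00Z", 4732, SubjectUserName="admin1",
        MemberName="CN=svc_backup,OU=Service,DC=corp,DC=local",
        TargetUserName="Remote Desktop Users"),
    _ev("2018-01-10T03:25:00Z", 4729, SubjectUserName="admin2",
        MemberName="CN=olduser,OU=Users,DC=corp,DC=local",
        TargetUserName="Domain Admins"),
]


def _ts(ev):
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def rdp_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source_ip: most failed RDP logons seen inside any window}
    for sources that reached `threshold`.  Only 4625 with LogonType 10
    counts; a spray over SMB (LogonType 3) is a separate hunt."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        d = ev["event_data"]
        if ev["event_id"] == LOGON_FAILED and d.get("LogonType") == RDP_LOGON_TYPE:
            by_ip[d.get("IpAddress", "-")].append(_ts(ev))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def group_changes(events):
    """Flatten the six group-management event IDs into one record per change."""
    out = []
    for ev in events:
        eid = ev["event_id"]
        if eid not in GROUP_ADD and eid not in GROUP_REMOVE:
            continue
        d = ev["event_data"]
        out.append({
            "time": ev["timestamp"],
            "action": "added" if eid in GROUP_ADD else "removed",
            "scope": GROUP_ADD.get(eid) or GROUP_REMOVE.get(eid),
            "member": d.get("MemberName", "?"),
            "group": d.get("TargetUserName", "?"),
            "by": d.get("SubjectUserName", "?"),
        })
    return out


if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce(SAMPLE_EVENTS))
    for c in group_changes(SAMPLE_EVENTS):
        print("%(time)s %(by)s %(action)s %(member)s (%(group)s, %(scope)s)" % c)
```

The threshold and window are the knobs to tune against your own baseline; a single source with a handful of type 10 failures is a typo, the same source with dozens in a few minutes is a tool. The group-change flattening is deliberately the same shape whatever the group scope, so the records index and search identically in ELK.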
- Tomas Foltyn at WeLiveSecurity describes a new attack vector utilised by the Turla group. “Not only does the gang now bundle its backdoors together with a legitimate Flash Player installer but, compounding things further, it ensures that URLs and the IP addresses it uses appear to correspond to Adobe’s legitimate infrastructure”
ESET research: Appearances are deceiving with Turla’s backdoor-laced Flash Player installer
UPCOMING WEBINARS/CONFERENCES
- The 4Cast is returning (at least for one episode, hopefully more). Lee will be hosting “4:cast Award winner Cindy Murphy, 4:cast Award nominee Sarah Edwards, Ryan Benson and Jessica Hyde” at 7PM Central on 14th January 2018.
Forensic 4:cast Live
- The CFP deadline for DFRWS USA 2018 has been pushed back to 21 January, 2018.
- Jessica Hyde at Magnet Forensics will be hosting a webinar looking “into vault and security apps with a focus on Cheetah Mobile apps including file managers, cleaning apps, private browsers and app locks”. The webinar will take place Tuesday, January 30, 2018 at 1:00PM Eastern Standard Time (New York, GMT-05:00).
How the on-set of security apps is impacting investigations
- Michael Gough and Brian Boettcher will be starting up a new DFIR podcast called the “Brakeing Down Incident Response Podcast”
ANNOUNCING The BD-IR Podcast
PRESENTATIONS/PODCASTS
- The Black Hat YouTube channel posted Tal Be’ery & Tal Maor’s talk from BH USA 2017 on lateral movement
The Industrial Revolution of Lateral Movement
- Forensic Focus shared Mark Scanlon’s presentation from DFRWS EU 2017 titled “Eviplant – An Efficient Digital Forensic Challenge Creation, Manipulation And Distribution Solution”.
Webinars – 2018 – Eviplant – An Efficient Digital Forensic Challenge Creation, Manipulation And Distribution Solution
- Hasherezade demos how “HollowsHunter detects impersonated processes”
[DEMO] HollowsHunter detects impersonated processes
- OALabs have uploaded a video showing how to use “IDA Pro and Python scripts to [remove] obfuscated code and statically unpack [the Pykspa] malware”
Unpacking Pykspa Malware With Python and IDA Pro – Subscriber Request Part 1
- On this week’s Digital Forensic Survival Podcast, Michael revisits the Prefetch artefact.
DFSP # 099 – B2B with Prefetch
- The SANS DFIR YouTube channel has posted Alissa Torres & Jake Williams’ presentation on memory analysis.
Memory Forensics Sodium Pentothal for Your Security
MALWARE
- Daniel Pistelli at Cerbero shows how to use Profiler to extract a Powershell command embedded in a Word document using DDE
Microsoft Office DDE Detection
- Researchers at Check Point examine the infection chain distributing the XMRig Monero mining software
‘RubyMiner’ Cryptominer Affects 30% of WW Networks
- The guys at Digital Forensics Corp shared an article from Security Affairs on the new VirusTotal Graph feature, which allows “investigators working with multiple reports at the same time, to try to pivot between multiple data points (files, URLs, domains and IP addresses)”
VirusTotal Graph Overview
- Justin Warner at Icebrg provides a “walkthrough of an attack campaign [distributing cryptocurrency mining malware] that ICEBRG has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.”
Coin Mining By Opportunistic And Automated Threats
- Alexander Sevtsov at Lastline goes through “the details of how document files can achieve remote code execution by using monikers crafted to evade signature-based detection techniques relying on blacklisted CLSIDs, and how these monikers function under the hood.”
When Scriptlets Attack: The Moniker
- Malware Breakdown examines some malspam that distributes the Tesla keylogger
Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger
- Jérôme Segura at Malwarebytes Labs posted a couple of times this week
- He provides an overview of the Ngay campaign that utilises the RIG exploit kit to mine various cryptocurrencies.
RIG exploit kit campaign gets deep into crypto craze
- Jérôme also shares some IOCs for malware that purports to be patches for Spectre/Meltdown
Fake Spectre and Meltdown patch pushes Smoke Loader malware
- Jaewon Min at McAfee examines two “malicious APK files that were used in the targeted attacks” purporting to be the “Pray for North Korea” and “BloodAssistant” apps.
North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk
- Patrick Wardle at Objective-See examines the MaMi MacOS malware.
Ay MaMi
- There were a couple of posts on the Palo Alto Networks blog this week
- Cong Zheng, Claud Xiao and Yanhui Jia “outline how Satori has evolved to become an IoT malware family targeting zero-day vulnerabilities”
IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
- Jeff White examines the PowerStager tool
PowerStager Analysis
- Antonio Pirozzi, Antonio Farina, and Luigi Martire at CSE Cybersecurity have released an analysis report on a variant of the Ursnif v3 trojan. Interestingly, this malware utilises what the researchers describe as double process hollowing
CSE Malware ZLab – Double Process Hollowing -The stealth process injection of the new Ursnif malware
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides an overview of “Process Doppelgänging”.
Process Doppelgänging: a more stealth alternative of the process hollowing technique?
- More Spectre/Meltdown fun!
- There were a couple of posts on the TrendLabs blog this week
- Lorin Wu examines a malicious Android app identified as “ANDROIDOS_BKOTKLIND.HRX”
First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services
- Jordan Pan and Song Wang examine an Android malicious app, part of the FakeBank malware family, targeting “Russian banks while using new and evolved obfuscation techniques”.
New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks
- Feike Hacquebord shared some additional information regarding the recent campaign by the Pawn Storm espionage actor group.
Update on Pawn Storm: New Targets and Politically Motivated Campaigns
- Vitali Kremez shows how to “unpack and dissect the Panda banking malware injection DLL module titled “libinject.dll.””
Let’s Learn: Dissect Panda Banking Malware’s “libinject” Process Injection Module
MISCELLANEOUS
- James Habben at 4n6IR shares his thoughts on breaches, stating “A PCI data breach is good for a company”. This is because it forces the company to look at their security and usually afterwards “this is the safest that network has ever been”.
Reputations and PCI Data Breaches
- AboutDFIR has added a research topics page which allows people to propose research topics (as broad or as specific as you want – I’d suggest going specific). From there people can indicate that they would like to work on the problem. It would also be helpful for those new to the field to partner up with mentors and work through the problems together.
DFIR Research
- It was identified that the Forensic Wiki is shutting down, and as a result there was a flurry of activity on Twitter in an attempt to preserve the data. I’m not entirely sure why it’s being shutdown but it is apparently being archived on Archive.org. There is also a Google Group which I think intends on coming up with a plan for hosting the wiki elsewhere. Coincidentally, Brett Shavers has also started a Forensic Artifact database on DFIR.training.
Check out @bitsgalore’s Tweet
- Chris Sanders continues reviewing ‘The Cuckoo’s Egg”, this time covering chapters 31-37.
Cuckoo’s Egg – Week 6 Notes
- Dan Pullega noticed that Nuix Proof Finder is no longer going to be sold. This was a great tool (because it was just Nuix with a 15GB ingest limit) that was very cheap and very useful. It’s a shame that it’s going to cease working once your current license expires. Worse yet, if you have saved data in a Proof Finder case the only way you’ll be able to access it is by purchasing a full copy of Nuix.
Check out @4n6k’s Tweet
- DME Forensics shared their three most popular blog posts from 2017
Our Top 3 Blogs of 2017
- Lee Whitfield has opened the 2018 Forensic 4:cast Awards nominations! Last year this blog was one of the top 3 nominated for “Blog of the year” which was very much appreciated. If you’d like to nominate anyone across all of the categories you can head over here. You’re allowed to nominate multiple times so you can get all the different blogs/hardware/software/resources/people etc that you think are deserving of some recognition, and then the top 3 will go into the finals. Nominations close March 31, 2018.
Forensic 4:cast Awards 2018 – Nominations are Now Open
- Scar de Courcier posted a couple of articles on Forensic Focus this week
- She reviewed ADF Solutions’ Digital Evidence Investigator
Review Of Digital Evidence Investigator From ADF Solutions
- She also posted an article about NIST’s federated testing tools. “The software suite … is designed to help law enforcement and forensic practitioners with a critical early step in evidence collection”: data acquisition.
New NIST Forensic Tests Help Ensure High-Quality Copies of Digital Evidence
- Dan Borges at LockBoxx shares his writeup of the 2017 SANS Holiday Hack challenge.
SANS Holiday Hack 2017 Writeup
- Jordan Wright, Nick Steele and Pepijn Bruienne at Duo Labs have also shared their writeup of the holiday hack challenge
SANS Holiday Hack 2017 Writeup
- Jessica Hyde at Magnet Forensics has written a comprehensive post for those looking to get into the DFIR field (or even move around, a lot of the stuff mentioned can be applied across the board).
Job Hunting in the DFIR Field
- Michael Cohen at the ‘Rekall Forensics blog’ describes a process for configuring and compiling tools to run on older Linux server environments. Some tools require libraries that are not and cannot be installed on EOL’d servers and as a result, Michael shares his research and work-arounds for getting some newly developed tools to work.
ELF hacking with Rekall
- SalvationData announced that they have had two tools, “VIP (Video Investigation Portable) and SPA (SmartPhone Forensic Triage Acquisition) … listed in [the] CFTT (Computer Forensics Tool Testing) catalog”.
Two more tools from SalvationDATA have been listed in CFTT (Computer Forensic Tool Testing) catalog
- SANS have reiterated that the CFP for the DFIR Summit in Austin closes on Monday, 15 January, 5 p.m. EST
“11th Annual Digital Forensics and Incident Response Summit Call for Presentations deadline Jan 15th 2018”
- Jay Smith at FireEye announced the release of “a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in the IDA’s disassembly graph view”
FLARE IDA Pro Script Series: Simplifying Graphs in IDA
SOFTWARE UPDATES
- Blackbag Technologies have released Blacklight 2017 R 1.1, which includes some new enhancements and bug fixes. This includes updated FSEvents parsing, “support for Windows 10 Fall Creators Update (Version 1709) memory images”, and “enhanced Volume Shadow Copy (VSC) display”
Blacklight 2017 R 1.1 Now Available!
- Cellebrite updated UFED Ultimate, UFED InField, Central Management System, UFED Physical Analyzer, UFED Logical Analyzer & Reader 6.5
UFED Ultimate, UFED InField, Central Management System, UFED Physical Analyzer, UFED Logical Analyzer & Reader 6.5 [January 2018]
- Philippe Lagadec advised that “ViperMonkey 0.05 [has] just updated with tons of new features and bug fixes”
Check out @decalage2’s Tweet
- ExifTool 10.75 was released, adding some new tags and bug fixes
ExifTool 10.75
- Eric Zimmerman updated Timeline Explorer to version 0.6.1.3.
TLE Update
- GetData updated Forensic Explorer to v4.1.2.6936 with some minor updates and improvements
v4.1.2.6936
- MobilEdit added and improved support for a number of Android apps in live update 2018-01-12-01
Live Update version 2018-01-12-01
- X-Ways Forensics 19.6 Preview 3 was released with some GUI and workflow improvements
X-Ways Forensics 19.6 Preview 3
And that’s all for Week 2! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!