FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at the $BITMAP attribute of a folder.
Folder and $BITMAP (0xB0)
- Dan Pullega at 4n6k looks into an unknown entry in the debugfs stat output on Linux ext4.
Forensics Quickie: Methodology for Identifying Linux ext4 Timestamp Values in debugfs `stat` Command
- Digital Forensics Corp shared a few articles this week
- They shared an article by Raj Chandel on carving with Foremost
Data Carving with Foremost
- They shared an article by Gift John Paul on identifying TOR communication on a network.
Detecting Tor communications
- They shared an interview with Balsign Rajput of the Maharashtra Cyber Police on “focusing on building cyber hygiene, dealing with resource and skill challenges, [and] the Importance of data sharing.”
Cloud Forensics in Breach Investigations
- They also shared an article on the difference between ‘kernel mode’ and ‘user mode’
Anatomy of the thread suspension mechanism in Windows
- Preston Miller at DPM Forensics shares a script for extracting data from the Google Activity page. I’ve been doing some research into Google Home cloud data and noticed that there was a bit of data that wasn’t extracted by the cloud tools (the audio for example), so I’ll be taking a further look into this in the future. I don’t think anything extracts out the audio just yet, so that’s something I’ll be looking into.
Hasty Scripts: Capture Google Activity Log
- Oleg Afonin at Elcomsoft takes a look at the “differences between the three mobile operating systems [iOS, Android, and WinPhone 10], their update policies and the challenges they present to the forensic examiner.”
Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile
- Marcos at ‘Follow The White Rabbit’ describes the various timestamps available on NTFS as well as sharing his testing on various actions and their effect on said timestamps.
What happened? The ABC of the MACB
- Cindy Murphy at Gillware Digital Forensics shares a recent case where an employee had returned a company laptop without its original hard drive. By comparing the manufacture dates and looking at the S.M.A.R.T. data, she was able to show that the employee had done a poor job of trying to conceal the theft.
Forensic Case Files: Employee Hard Drive Switcheroo
- Abhimanyu Dev at ‘Hacking Articles’ shows how to acquire memory using DumpIt and then run a number of Volatility plugins
Memory Forensics Investigation using Volatility (Part 1)
- Hats Off Security has a post showing how to use SMB to obtain file/directory timestamp metadata.
SMB2 – File/Directory Metadata
- Matthew Green has a post about a PowerShell module that he has authored “as a simple implementation for live response and file collections over Powershell remoting”
Invoke-LiveResponse
- Xavier Mertens at the SANS Internet Storm Centre advises that it’s possible to add comments directly to packet captures, which is facilitated by the extended PCAP format, PCAP-ng.
Comment your Packet Captures!, (Thu, Jan 18th)
- Over on my ThinkDFIR site, I shared who I’m nominating (and why) for the Forensic 4Cast Award. I’d very much appreciate the nomination in a category if you think this site deserves it (blog, resource, or both!?). I’m not going to spam the top of my posts this year like I did last year, but I’ll probably shoot out a reminder every so often.
4Cast Award Nominations
THREAT INTELLIGENCE/HUNTING
- Chris Doman at AlienVault has shared some analysis of the data obtained from the Open Threat Exchange (OTX), showing what threats to look for in your environment.
OTX Trends Part 1- Exploits
- The ClearSky Research Team have released a couple of reports this week
- Didier Stevens shows data exfil through Pastebin using the Tor browser and highlights that it is not indicated in a packet capture.
Quickpost: Data Exfiltration With Tor Browser And Domain Fronting
- Adam at Hexacorn shows a method of hiding from autoruns that he describes as “impossible to treat it seriously”.
Yet another way to hide from Sysinternals’ tools, part 1.5
- Christopher Ross at SpecterOps shows how to use the macOS event monitor daemon (emond) to establish persistence. Christopher also advises that “this method of persistence is predicated on several changes to the file system”, and shows some detection starting points.
Leveraging Emond on macOS For Persistence
- Julie Brown at Red Canary describes a recent attack distributing the Adwind RAT
We Smell a RAT: Detecting a Remote Access Trojan That Snuck Past a User
- Matthew Hosburgh at Sqrrl shows how to go on a “threat hunt for network share recon”. “The objective is to find early signs of abnormal network reconnaissance before catastrophe strikes”.
Hunting for Network Share Recon
UPCOMING WEBINARS/CONFERENCES
- Dr. Joe T. Sylve at BlackBag Technologies will be hosting a webinar on working with APFS volumes. The webinar will take place on Wed, Jan 31, 2018, 6:00 PM – 7:00 PM GMT.
Ask an Expert: How will APFS impact my investigations?
- The Brakeing Down Incident Response podcast will be released next week where they’ll be speaking with David Cowen and Tyler Hudak
BDIR Podcast Episode 000
- Susteen will be hosting a webinar on their Susteen Cloud Analyzer tool for law enforcement on Wednesday, January 24 at 2:00 PM Eastern.
New Social Media & Cloud Analyzer
- The CFP for the 2018 HTCIA Annual Conference and Training has opened. The deadline for submission is February 19, 2018. The event will take place at the Omni Shoreham Hotel, Washington, DC, August 20-22, 2018.
2018 HTCIA Annual Conference and Training CFP
PRESENTATIONS/PODCASTS
- The Forensic 4Cast has returned! After some brief audio issues, Lee Whitfield hosted Cindy Murphy, Sarah Edwards, Jessica Hyde, and Ryan Benson to talk about what they’ve been up to, the upcoming 4cast awards, and the DFIR Summit. Jessica also announced that she’s working on a new book on IoT Forensics which is very exciting.
Forensic 4:cast Live
- The Black Hat YouTube channel shared Dan Amiga and Dor Knafo’s talk from Black Hat Asia 2017 titled ‘The Irrelevance of K-Bytes Detection – Building a Robust Pipeline for Malicious Documents’
The Irrelevance of K-Bytes Detection – Building a Robust Pipeline for Malicious Documents
- There was a Forensic Lunch episode this week! Dave announced that he will be running more test kitchens, Lee spoke briefly about the 4cast awards, and Matthew described some of his research with procmonx.
Forensic Lunch: 1/19/18
- Hasherezade uploaded a few videos to her YouTube channel
- Magnet Forensics shared links and abstracts to their 5 most popular webinars of 2017.
Revisit the Top 5 Magnet Forensics Webinars of 2017
- Nuix uploaded a couple of videos by Wil Hüging to their YouTube channel
- The first shows how “users can export metadata profiles directly to SQL” in Nuix 7.4
Metadata Export to SQL in Nuix 7.4
- In the second, Wil “provides an overview of the Nuix Data Finder add-on for the Nuix Workstation, a powerful tool allowing users to search and cull data before building a full index”
Data Finder for Nuix Workstation
- OALabs uploaded a video showing how to patch a piece of malware that had Anti-VM detections so it would run in their sandbox
Reverse Engineering Anti-VM Detections in Malware – Subscriber Request Part 2
- On this week’s Digital Forensic Survival Podcast, Michael provides a refresher on the shimcache artefact.
DFSP # 100 – B2B Shimcache
- SANS uploaded Matt Bromiley’s previous webinar on “techniques, old and new, that attackers are using to neutralize event logs as a recording mechanism”
What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
- Manny and Jason walk through the new case design for the Talino Workstation
Talino Talk Ep. 11- All New Talino Case
- Wyatt Roersma live streamed again on Twitch this week, mainly covering malware analysis and programming topics. He was also able to give away a few prizes for those that tuned into the stream.
MALWARE
- Agnieszka Bielec at CERT Polska analyses a variant of the BankBot “banking malware for Android system, which targets Polish users”
Analysis of a Polish BankBot
- The Cylance Threat Guidance Team examine the LockPOS Point of Sale Malware and share some IoCs
Threat Spotlight: LockPOS Point of Sale Malware
- Roland Dela Paz & Ran Mosessco at Forcepoint examine “a peculiar email campaign distributing a variant of the Dridex banking trojan.”
New Year, New Look – Dridex via Compromised FTP
- Adam at Hexacorn shows what can be done with the “reports of sandboxed samples” that he released last week.
What can you do with 250K sandbox reports?
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ explains the naming conventions used by antivirus vendors.
Interpreting Antivirus Detection Names
- Malware Breakdown examines a malware infection leading to the Ramnit Banking Trojan.
RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign
- Hasherezade at Malwarebytes Labs examines a coin miner that utilises the “Heaven’s Gate” technique
A coin miner with a “Heaven’s Gate”
- Marco Ramilli examines an obfuscated Javascript being distributed via email to Italian companies
Huge Botnet Attacking Italian Companies
- Umesh Wanve at Netskope examines a RAT that’s hidden on GitHub using “GitHub’s native branching to hide the malware from casual passers-by”
Git Your RATs Here!
- There were a few posts on the SANS Internet Storm Centre this week
- Didier Stevens takes a “look at an Excel sample … with a formula that downloads and executes a COM scriptlet.”
Peeking into Excel files, (Sun, Jan 14th)
- Didier advises that QPDF has been updated to allow decryption of PDFs encrypted using a 40-bit key.
Decrypting malicious PDFs with the key, (Mon, Jan 15th)
- Didier also examines a phishing RTF document
An RTF phish, (Sat, Jan 20th)
- Brad Duncan shows the infection chain of some malspam distributing Gozi-ISFB.
Reviewing the spam filters: Malspam pushing Gozi-ISFB, (Wed, Jan 17th)
- Nikita Buchka and Alexey Firsh at Securelist examine some new Android spyware that they have named “Skygofree”.
Skygofree: Following in the footsteps of HackingTeam
- SecureWorks has a post about a recent engagement where they identified the compromise of an Oracle WebLogic Server. “These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts”
Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software
- There were a couple of posts on Cisco’s Talos blog this week
- Warren Mercer and Paul Rascagneres expose “the malicious activities of Group 123 during 2017”.
Korea In The Crosshairs
- Jaeson Schultz examines the activity of the Necurs botnet.
The Many Tentacles of the Necurs Botnet
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ walks through the installation and usage of Hasherezade’s PE-sieve.
PE-sieve, a command line tool for investigating inline hooks
- Daniel Plohmann at ‘The Byte Atlas’ shares a link to his malpedia project and shows how he has “taken all dumps for versions of Zeus-related families and created a similarity matrix for them, using IDA Pro and BinDiff.”
The Big Zeus Family Similarity Showdown
- Swapnil Patil and Yogesh Londhe at FireEye share the observation that “threat actors [have been] leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware”. The maldocs are utilised to execute PowerShell payloads.
Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
- There were a couple of posts on TrendLabs this week
- Gilbert Sison, Rheniel Ramos, Jay Yaneza, and Alfredo Oliveira examine a new KillDisk variant
New KillDisk Variant Hits Financial Organizations in Latin America
- Kevin Sun analyses the GhostTeam Android adware.
GhostTeam Adware can Steal Facebook Credentials
- Vitali Kremez dissects an anti-bot filtering script from a malvertising campaign
Let’s Learn: Dissect Rig Exploit Kit Anti-Bot Filter Gate
MISCELLANEOUS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a tool, LaZagne, developed by Alessandro Zanni, which is “useful to retrieve passwords stored on a local computer by most commonly-used software”.
LaZagne, a credentials recovery tool
- Eric Huber at ‘A Fistful of Dongles’ comments on the “convergence of blockchain and digital forensics” – mainly from an investigative standpoint.
Blockchain and Digital Forensics
- Marco Fontani at Amped explains some of the recent improvements made to “Amped Authenticate’s Camera Identification filter based on PRNU analysis.”
Improved PRNU-Based Forgery Localization
- Brett Shavers discusses the benefits of failing, and the resultant learning that comes from it.
Rub some dirt in it.
- There were a few posts by the guys at Cyber Forensicator this week
- They shared a presentation by Matt Bromiley and Seth Hall on using Bro for network visibility
The Power of Bro and why you should include it in your security infrastructure
- They indicated that the book, “Malware Data Science” by Joshua Saxe, will be published in August 2018
Malware Data Science: Attack Detection and Attribution
- “Packt Publishing has announced ‘Learning Malware Analysis’ by Monappa K A. The book is expected to be published in June 2018.”
Learning Malware Analysis
- They shared an article by Abdurrahman Pektas and Tankut Acarman titled “Portable Dynamic Malware Analysis with An Improved Scalability and Automatization”
Portable Dynamic Malware Analysis with an Improved Scalability and Automatisation
- Brett Shavers has been adding an artefact database to DFIR.Training and describes it in this post.
Oh so many artifacts
- Jimmy Schroering at DME Forensics tells the story of hiring their first employee when they started the company.
Growth in a Small Forensics Company – Our First Employee
- Nikhil Mittal at ‘Lab of a Penetration Tester’ advises that the recent update to PowerShell (v6) has resulted in the logging features being drastically reduced.
A Critique of Logging Capabilities in PowerShell v6
- Magnet Forensics announced their Magnet Training Annual Pass (TAP). I recall hearing about this previously, but I think this is the official announcement. “It’s a one-time purchase that will allow you to take any number of training courses within 12 months for a one-time fee of $4,995 USD”.
Pay Once, Train Continuously with the Magnet Training Annual Pass
- Microsystemation have shared a case study on how they assisted the Tennessee Dept. of Correction in reducing their backlog.
Mobile forensic case study: Tennessee Dept. of Correction
SOFTWARE UPDATES
- CCF-VM 3.0 was released, incorporating “Google Cloud Platform (GCP) Support, CyLR 1.4.0, CDQR 4.1.1, Plaso 20171231, and OS Updates”
CCF-VM 3.0
- Cellebrite has released a maintenance version of UFED Physical Analyzer, UFED Logical Analyzer and Reader 6.5.1 to fix some bugs.
- Didier Stevens updated a couple of his tools this week
- Eric Zimmerman released his RecentFileCacheParser tool (Version 0.5.0.0)
RecentFileCacheParser Version 0.5.0.0
- Magnet Forensics released Axiom 1.2.3, which “improves smartphone acquisition, provides innovative new time filtering capabilities, enhancements to AXIOM Examine and AXIOM Cloud, offers new artifacts, and adds language support for Chinese (traditional) and Korean.”
Magnet AXIOM 1.2.3 Improves Smartphone Acquisition
- “A new version of MISP 2.4.86 has been released including improvements to the sharing groups and their respective APIs, granular access control of MISP-modules at an instance-level along with the usual set of bug fixes.”
MISP 2.4.86 released (aka sharing groups improvement, large information sharing communities support and more)
- Tableau released v7.21b of the Tableau Firmware Update utility. “This release includes a firmware update for the Forensic Imager (TX1) and an update to the TFU utility. These related changes are minor, yet critical to improving the user experience of updating TX1 SD cards.”
Tableau Firmware Update Revision History for v7.21b
- X-Ways Forensics 19.5 SR-4 was released with some minor improvements and bug fixes
X-Ways Forensics 19.5 SR-4
- X-Ways Forensics 19.6 Preview 4 was released.
X-Ways Forensics 19.6 Preview 4
- YARA 3.7.1 was released to fix a couple of bugs
YARA 3.7.1
And that’s all for Week 3! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
Thanks, great blog post