Week 3 – 2018

FORENSIC ANALYSIS

  • Preston Miller at DPM Forensics shares a script for extracting data from the Google Activity page. I’ve been doing some research into Google Home cloud data and noticed that there was a bit of data that wasn’t extracted by the cloud tools (the audio for example), so I’ll be taking a further look into this in the future. I don’t think anything extracts out the audio just yet, so that’s something I’ll be looking into.
    Hasty Scripts: Capture Google Activity Log
     
  • Marcos at ‘Follow The White Rabbit’ describes the various timestamps available on NTFS as well as sharing his testing on various actions and their effect on said timestamps.
    What happened? The ABC of the MACB
     
  • Cindy Murphy at Gillware Digital Forensics shares a recent case where an employee had returned a company laptop without its original hard drive. By comparing the manufacture date, and look at the S.M.A.R.T data she was able to show that the employer had done a poor job of trying to conceal their theft.
    Forensic Case Files: Employee Hard Drive Switcheroo
     
  • Matthew Green has a post about a PowerShell module that he has authored “as a simple implementation for live response and file collections over Powershell remoting”
    Invoke-LiveResponse
     
  • Xavier Mertens at the SANS Internet Storm Centre advises that it’s possible to directly comment on packet captures, and can be facilitated through the use of the extended PCAP format, PCAP-ng
    Comment your Packet Captures!, (Thu, Jan 18th)
     
  • Over on my ThinkDFIR site, I shared who I’m nominating (and why) for the Forensic 4Cast Award. I’d very much appreciate the nomination in a category if you think this site deserves it (blog, resource, or both!?). I’m not going to spam the top of my posts this year like I did last year, but I’ll probably shoot out a reminder every so often.
    4Cast Award Nominations

THREAT INTELLIGENCE/HUNTING

  • Chris Doman at AlienVault has shared some analysis of the data obtained from the Open Threat Exchange (OTX), showing what threats to look for in your environment.
    OTX Trends Part 1- Exploits
     
  • Christopher Ross at SpectreOps shows how to use the MacOS event monitor daemon (emond) to establish persistence. Christopher also advises that “this method of persistence is predicated on several changes to the file system”, and shows some detection start points.
    Leveraging Emond on macOS For Persistence
     
  • Matthew Hosburgh at Sqrrl shows how to go on a “threat hunt for network share recon”. “The objective is to find early signs of abnormal network reconnaissance before catastrophe strikes”.
    Hunting for Network Share Recon

UPCOMING WEBINARS/CONFERENCES

  • The Brakeing Down Incident Response podcast will be released next week where they’ll be speaking with David Cowen and Tyler Hudak
    BDIR Podcast Episode 000
     
  • Susteen will be hosting a webinar on their Susteen Cloud Analyzer tool for law enforcement on Wednesday, January 24 at 2:00 PM Eastern.
    New Social Media & Cloud Analyzer
     
  • The CFP for the 2018 HTCIA Annual Conference and Training has opened. The deadline for submission is February 19, 2018. The event will take place at the Omni Shoreham Hotel, Washington, DC, August 20-22, 2018.
    2018 HTCIA Annual Conference and Training CFP

PRESENTATIONS/PODCASTS

  • The Forensic 4Cast has returned! After some brief audio issues, Lee Whitfield hosted Cindy Murphy, Sarah Edwards, Jessica Hyde, and Ryan Benson to talk about what they’ve been up to, the upcoming 4cast awards, and the DFIR Summit. Jessica also announced that she’s working on a new book on IoT Forensics which is very exciting.
    Forensic 4:cast Live
     
  • There was a Forensic Lunch episode this week! Dave announced that he will be running more test kitchens, Lee spoke briefly about the 4cast awards, and Matthew described some of his research with procmonx.
    Forensic Lunch: 1/19/18
     
  • Nuix uploaded a couple of videos by Wil Hüging to their YouTube channel
    • In the second, Wil “provides an overview of the Nuix Data Finder add-on for the Nuix Workstation, a powerful tool allowing users to search and cull data before building a full index”
      Data Finder for Nuix Workstation
       
  • On this week’s Digital Forensic Survival Podcast, Michael provides a refresher on the shimcache artefact.
    DFSP # 100 – B2B Shimcache
     
  • Wyatt Roersma live streamed again on Twitch this week, mainly covering malware analysis and programming topics. He was also able to give away a few prizes for those that tuned into the stream.

MALWARE

  • Agnieszka Bielec at CERT Polska analyses a variant of the BankBot “banking malware for Android system, which targets Polish users”
    Analysis of a Polish BankBot
     
  • Umesh Wanve at Netskope examines a RAT that’s hidden on GitHub using “GitHub’s native branching to hide the malware from casual passers-by”
    Git Your RATs Here!
     
  • SecureWorks has a post about a recent engagement where they identified the compromise of an Oracle WebLogic Server. “These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts”
    Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software
     
  • Daniel Plohmann at ‘The Byte Atlas’ shares a link to his malpedia project and shows how he has “taken all dumps for versions of Zeus-related families and created a similarity matrix for them, using IDA Pro and BinDiff.”
    The Big Zeus Family Similarity Showdown
     

MISCELLANEOUS

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a tool, LaZagne, developed by Alessandro Zanni, which is “useful to retrieve passwords stored on a local computer by most commonly-used software”.
    LaZagne, a credentials recovery tool
     
  • Eric Huber at ‘A Fistful of Dongles’ comments on the “convergence of blockchain and digital forensics” – mainly from an investigative standpoint.
    Blockchain and Digital Forensics
     
  • Brett Shavers discusses the benefits of failing, and the resultant learning that comes from it.
    Rub some dirt in it.
     
  • Brett Shavers has been adding an artefact database to DFIR.Training and describes it in this post.
    Oh so many artifacts
     
  • Magnet Forensics announced their Magnet Training Annual Pass (TAP). I recall hearing about this previously, but I think this is the official announcement. “It’s a one-time purchase that will allow you to take any number of training courses within 12 months for a one-time fee of $4,995 USD”.
    Pay Once, Train Continuously with the Magnet Training Annual Pass
     

SOFTWARE UPDATES

  • CCF-VM 3.0 was released, incorporating “Google Cloud Platform (GCP) Support, CyLR 1.4.0, CDQR 4.1.1, Plaso 20171231, and OS Updates”
    CCF-VM 3.0
     
  • Cellebrite has released a maintenance version of UFED Physical Analyzer, UFED Logical Analyzer and Reader 6.5.1 to fix some bugs. 
  • Magnet Forensics released Axiom 1.2.3, which “improves smartphone acquisition, provides innovative new time filtering capabilities, enhancements to AXIOM Examine and AXIOM Cloud, offers new artifacts, and adds language support for Chinese (traditional) and Korean.”
    Magnet AXIOM 1.2.3 Improves Smartphone Acquisition
     
  • Tableau released v7.21b of the Tableau Firmware Update utility. “This release includes a firmware update for the Forensic Imager (TX1) and an update to the TFU utility. These related changes are minor, yet critical to improving the user experience of updating TX1 SD cards.”
    Tableau Firmware Update Revision History for v7.21b
     
  • YARA 3.7.1 was released to fix a couple of bugs
    YARA 3.7.1

And that’s all for Week 3! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s