Week 4 – 2018

For anyone in Sydney, I’ve started a Google Group for those in DFIR to meet up every so often and have a drink. If you want to join just submit a request, it’s open to all.

FORENSIC ANALYSIS

  • Oleg Skulkin and Igor Mikhaylov take a look at detecting if the clock on a MacOS system has been backdated. If I recall correctly there’s a date in the extended attribute relating to files downloaded from the Internet (I think it’s called kMDItemWhereFroms). Something else I’ve seen is that the elements relating to the Date & Time preferences panel get accessed when it’s opened, so if you can correlate that with the date and time change then that can support your theory.
    Detection of Backdating the System Clock in macOS

  • Magnet Forensics have released a whitepaper written by Jamey Tubbs on Windows passwords. The whitepaper explains how to extract the NTLM hash from a Win10 system, generate a wordlist, and then run a dictionary attack with hashcat. I would also suggest throwing the NTLM password at one of the online password repositories, as I’ve had success with reversing passwords that way.
    White Paper: 4 Steps to Forensic Windows Password Cracking

  • Yulia Samoteykina at Atola Technology shares the imaging speeds that the Atola Insight can achieve on HDDs and SSDs – on the drives tested they were able to show the Insight getting quite close to the max read speed of the drives. Unfortunately, they didn’t give the imaging time taken, so we have to assume the drive was reading at the max speed the whole time (and without bad sectors/errors).
    The speed of imaging with Atola Insight Forensic

  • Pieces0310 shows how to boot into a VM using Paladin. The end indicates that they think that producing an image from a VM via a boot disk will produce better results than examining the VMDK/VHDs of the VM itself; no evidence to support this is provided, however.
    Use LiveCD to acquire images from a VM – Pieces0310
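As an added illustration of the correlation idea in the macOS backdating item above (this is example code written for this post, not code from the article or from its authors): the script decodes the com.apple.metadata:kMDItemDownloadedDate and com.apple.metadata:kMDItemWhereFroms extended attributes that browsers set on downloaded files, and then flags timestamp orderings that a forward-running clock cannot produce (a file modified or downloaded before it was created). The attribute blobs and file timestamps are constructed inside the script so it runs offline; on a real Mac you would pull the attribute bytes with the `xattr` command and the birth/modification times with `stat`, and the sample paths and URLs are placeholders.

```python
import plistlib
from datetime import datetime, timedelta

# Extended attributes that Safari, Chrome and friends set on downloaded files.
XATTR_DOWNLOADED_DATE = "com.apple.metadata:kMDItemDownloadedDate"
XATTR_WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"


def parse_downloaded_dates(blob):
    """Decode kMDItemDownloadedDate: a binary plist holding a list of dates.

    plistlib returns naive datetimes that represent UTC.
    """
    return [v for v in plistlib.loads(blob) if isinstance(v, datetime)]


def parse_where_froms(blob):
    """Decode kMDItemWhereFroms: a binary plist holding a list of URL strings."""
    return [v for v in plistlib.loads(blob) if isinstance(v, str)]


def clock_anomalies(birthtime, mtime, downloaded_dates):
    """Orderings that cannot occur if the clock only ever ran forward.

    birthtime and mtime are the file's creation and last-modification times
    (naive UTC, like the plist dates). A finding means either the clock was
    set back between the two events or a timestamp was edited; the examiner
    still has to decide which, using other evidence such as the Date & Time
    preference pane access mentioned in the post.
    """
    findings = []
    if mtime < birthtime:
        findings.append("mtime precedes birthtime")
    for d in downloaded_dates:
        if d < birthtime:
            findings.append("download date %s precedes birthtime" % d.isoformat())
    return findings


def analyse(record):
    """record: {'path', 'birthtime', 'mtime', 'xattrs': {name: raw bytes}}."""
    xattrs = record["xattrs"]
    downloaded = []
    if XATTR_DOWNLOADED_DATE in xattrs:
        downloaded = parse_downloaded_dates(xattrs[XATTR_DOWNLOADED_DATE])
    where_froms = []
    if XATTR_WHERE_FROMS in xattrs:
        where_froms = parse_where_froms(xattrs[XATTR_WHERE_FROMS])
    return {
        "path": record["path"],
        "downloaded": downloaded,
        "where_froms": where_froms,
        "anomalies": clock_anomalies(record["birthtime"], record["mtime"], downloaded),
    }


def build_sample_records():
    """Constructed sample data (hypothetical paths/URLs, not from a real system)."""
    def plist(value):
        return plistlib.dumps(value, fmt=plistlib.FMT_BINARY)

    # A normal download: created, finished five seconds later, attributes written.
    t0 = datetime(2018, 1, 20, 10, 0, 0)
    normal = {
        "path": "/Users/alice/Downloads/report.pdf",
        "birthtime": t0,
        "mtime": t0 + timedelta(seconds=5),
        "xattrs": {
            XATTR_DOWNLOADED_DATE: plist([t0 + timedelta(seconds=5)]),
            XATTR_WHERE_FROMS: plist(["https://example.com/report.pdf", "https://example.com/"]),
        },
    }
    # The clock was set back 30 days while this download was in progress, so
    # the completion timestamps land before the file's own creation time.
    t1 = datetime(2018, 1, 25, 9, 30, 0)
    backdated = {
        "path": "/Users/alice/Downloads/invoice.zip",
        "birthtime": t1,
        "mtime": t1 - timedelta(days=30),
        "xattrs": {
            XATTR_DOWNLOADED_DATE: plist([t1 - timedelta(days=30)]),
            XATTR_WHERE_FROMS: plist(["https://example.com/invoice.zip"]),
        },
    }
    return [normal, backdated]


if __name__ == "__main__":
    for result in map(analyse, build_sample_records()):
        print(result["path"])
        print("  from:      ", ", ".join(result["where_froms"]))
        print("  downloaded:", ", ".join(d.isoformat() for d in result["downloaded"]))
        print("  anomalies: ", result["anomalies"] or "none")
```

The two checks are deliberately conservative: a download date equal to or later than the birth time is normal (the browser creates the file first and writes the attribute when the transfer completes), so only a strictly earlier value is reported, and the same holds for mtime against birthtime.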

THREAT INTELLIGENCE/HUNTING

  • Javvad Malik and Christopher Doman at AlienVault have a post indicating the top malware and malicious domains that they have identified.
    OTX Trends Part 2: Malware

  • Xavier Mertens at the SANS Internet Storm Centre shows how attackers can use a BITS integration into PowerShell to download and execute code. He also explains where a defender can look if a malicious actor is suspected to have used BITS.
    Investigating Microsoft BITS Activity, (Fri, Jan 26th)

UPCOMING WEBINARS/CONFERENCES

  • “The call for papers for VB2018, the 28th Virus Bulletin International Conference, which will take place in Montreal, Canada, 3-5 October 2018, is now open”
    VB2018 call for papers now open!

PRESENTATIONS/PODCASTS

  • Xavier Mertens at /dev/random shared his thoughts on the CoRIIN “Incident Response and Digital Forensics Conference”. He also included the slides from his presentation: “Full Packet Capture for the Masses”.
    CoRIIN 2018 Wrap-Up

  • Devon Ackerman of AboutDFIR fame joined Dave and Matthew on the Forensic Lunch. Devon described a bit of the work that he’s been doing at Kroll and AboutDFIR, and then presented some of his research on IR in Office365.
    Forensic Lunch: 1/26/18

MALWARE

  • Joe Security unpack and analyse a malicious sample that opens a PDF of the book cover of the newly released “Fire and Fury” book.
    Generic .Net Unpacking

  • Jarosław Jedynak at CERT Polska explains their Mtracker project, which allows them to mimic malicious samples “during communication with C&C server and download new samples or webinjects automatically, without any delay or human intervention.”
    Mtracker – our take on malware tracking

  • Philip Tsukerman at Cyber Reason reviews “the various methods of DCOM lateral movement (including some that are yet undocumented), assess their use cases and forensic artifacts and offer methods to detect and prevent the use of these techniques.”
    New lateral movement techniques abuse DCOM technology

MISCELLANEOUS

  • Adam Harrison at 1234n6 walks through the process of installing the SIFT workstation on Win10’s Linux subsystem. I recently set up a box as a dedicated SIFT machine, but I think I might look into getting this working once I get my act together. Windows administration is a lot easier for me than Ubuntu via SSH (sure you can figure it out, but time is money when you’re trying to remember the right words to type to format a drive as exFAT… yes it’s not difficult, but a couple of mouse clicks is easier to remember :P)
    Installing SIFT Workstation under Windows Subsystem for Linux

  • There’s a post on the Endgame blog providing suggestions for how to get into InfoSec. This includes attending meetups and conferences where you can, as well as working through openly available CTFs and challenges. I also recommend starting a blog and documenting your experiences.
    Getting Started in Information Security

  • There were a few posts on the Forensic Focus blog this week:
    • Jasmin Cosic, Miroslav Baca & Peter Grd have shared their paper on developing a standard for chain of custody in digital forensics. The paper outlines “the usage of Digital Evidence Management Framework (DEMF), the framework outlined in previous researches that allows guidance and proving of [metadata], or chain of custody at any time in any phase of digital forensic investigation”
      Developing A Standard For Chain Of Custody
    • James Zjalic shares his thoughts on charlatans in DF. This goes well with what was said in the discussion on ISO 17025 – we shouldn’t be worrying about certifying computer labs, but rather set a standard for DF examiners to work towards.
      Charlatans In Digital Forensics

  • There are now two copies of the Forensic Wiki running concurrently. Simson Garfinkel cloned the wiki to this location, however, since then the contractor running the original decided to keep it up and running as well; so I’m not sure what’s going to happen, but I guess it means the original is here to stay for now.

  • Didier Stevens at the SANS Internet Storm Center shows how to use the ‘Decode as’ feature of Wireshark to decode TLS traffic (which Wireshark appears to think is SSH traffic based on the use of port 22).
    HTTPS on every port?, (Mon, Jan 22nd)

  • Who’s Who Legal highlighted “66 experts from 27 firms in the field of digital forensics”. I’m not really sure what criteria were used to list the individuals and companies. I have to admit that I know very few names on the list, and even fewer whose abilities I could vouch for; that’s not to say that they don’t have top-notch abilities, I just don’t really know of a good objective way to judge without people sharing their knowledge or showing what they’ve achieved – now if only we could find a way to get them to share more.
    Investigations 2018: Digital Forensic Experts

SOFTWARE UPDATES

  • Blackbag Technologies have released Macquisition 2018 R1. The update adds APFS support, logical acquisition, live RAM capture from MacOS High Sierra, and NTFS write support.
    Macquisition 2018 R1 Is Now Available

  • DME Forensics have released DVR Examiner v2.2. The main update is the addition of “Filesystem Database Updates”, which allow DME to provide new file systems faster. They have also changed their license so that you will only be able to process data with an active license. Expired licenses will still be able to view old cases.
    Updates More Often with DVR Examiner 2.2 – Available Now!

  • ExifTool 10.77 (development release), adding some new tags and fixing bugs
    ExifTool 10.77

  • Forensicist have released a new tool specifically for analysing the USN Journal.
    USN Analytics

  • Adam at Hexacorn has updated DeXRAY to version 2.05, adding support for “Kaspersky’s System Watcher” quarantine files.
    DeXRAY 2.05 update

And that’s all for Week 4! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
