For anyone in Sydney, I’ve started a Google Group for those in DFIR to meet up every so often and have a drink. If you want to join just submit a request, it’s open to all.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at the relationship between $INDEX_ALLOCATION (0xA0) and the Virtual Cluster Number (VCN).
$INDEX_ALLOCATION (0xA0) and Virtual Cluster Number (VCN)
- Oleg Skulkin and Igor Mikhaylov take a look at detecting if the clock on a MacOS system has been backdated. If I recall correctly, there’s a date in the extended attribute relating to files downloaded from the Internet (I think it’s called kMDItemWhereFroms). Something else I’ve seen is that the elements relating to the Date & Time preferences panel get accessed when it’s opened, so if you can correlate that with the date and time change then that can support your theory.
Detection of Backdating the System Clock in macOS
- Ankit Gupta at ‘Hacking Articles’ describes how to create a forensic image of a device using Encase Imager, and then restore the image to a drive.
Forensic Imaging through Encase Imager
- Magnet Forensics have released a whitepaper written by Jamey Tubbs on Windows passwords. The whitepaper explains how to extract the NTLM hash from a Win10 system, generate a wordlist, and then run a dictionary attack with hashcat. I would also suggest throwing the NTLM password at one of the online password repositories, as I’ve had success with reversing passwords that way.
White Paper: 4 Steps to Forensic Windows Password Cracking
- Yulia Samoteykina at Atola Technology shares the imaging speeds that the Atola Insight can achieve on HDDs and SSDs – on the drives tested, they showed the Insight getting quite close to the drives’ maximum read speed. Unfortunately, they didn’t give the imaging time taken, so we have to assume the drive was reading at the max speed the whole time (and without bad sectors/errors).
The speed of imaging with Atola Insight Forensic
- Stefan Bildhaeuser has started a new blog, called either Reflections or My4n6 (I’m not sure which), and has already posted twice.
- The first post shows how to mount a drive as read-only with virtual write support using Caine Linux.
Virtual write support on blocked disks
- The second post shows how to use qemu-nbd to mount vhdx images.
Mounting .vhdx Images with qemu-nbd
- SalvationData provides some information about the WeChat group control system PC application.
Forensic Fraud Investigation of Social Network Group Control System
- TM4n6 describes a method of creating a forensic image using DD (and its variants).
Forensic Imaging with DD
- Pieces0310 shows how to boot into a VM using Paladin. The end indicates that they think that producing an image from a VM via a bootdisk will produce better results than examining the VMDK/VHDs of the VM itself; no evidence to support this is provided, however.
Use LiveCD to acquire images from a VM – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Javvad Malik and Christopher Doman at AlienVault have a post indicating the top malware and malicious domains that they have identified.
OTX Trends Part 2: Malware
- Shusei Tomonaga at JP CERT shows “how unauthorised logon attempts can be identified using” LogonTracer.
Investigate Unauthorised Logon Attempts using LogonTracer
- Adam Mathis at Red Canary explains how the MacOS EggShell framework is used, and then how to detect and prevent the various attacks it enables.
How to Detect and Defend Against the EggShell Surveillance Tool for MacOS
- Xavier Mertens at the SANS Internet Storm Centre shows how attackers can use a BITS integration into PowerShell to download and execute code. He also explains where a defender can look if a malicious actor is suspected to have used BITS.
Investigating Microsoft BITS Activity, (Fri, Jan 26th)
UPCOMING WEBINARS/CONFERENCES
- Jason Jordaan will be hosting a SANS webcast on testifying at court. The webinar will take place on Tuesday, February 13th, 2018 at 3:30 PM EST (20:30:00 UTC).
Webcast 1: So, You Have To Testify, Now What?
- “The call for papers for VB2018, the 28th Virus Bulletin International Conference, which will take place in Montreal, Canada, 3-5 October 2018, is now open”
VB2018 call for papers now open!
- Ace Lab have announced the 15th ACE Lab International Conference, to be held March 23, 2018, in Prague.
15th ACE Lab International Conference “A Look Ahead: Top Trends & Developments in Data Recovery Technology”
PRESENTATIONS/PODCASTS
- Xavier Mertens at /dev/random shared his thoughts on the CoRIIN “Incident Response and Digital Forensics Conference”. He also included the slides from his presentation: “Full Packet Capture for the Masses”.
CoRIIN 2018 Wrap-Up
- Devon Ackerman of AboutDFIR fame joined Dave and Matthew on the Forensic Lunch. Devon described a bit of the work that he’s been doing at Kroll and AboutDFIR, and then presented some of his research on IR in Office365.
Forensic Lunch: 1/26/18
- Jamie McQuaid at Magnet Forensics has recorded a couple of videos showing how to acquire an iPhone 7 and a Galaxy S7 using Axiom.
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ has uploaded a couple of videos on deobfuscating .NET binaries using de4dot.
- OALabs have uploaded a video showing how to analyze JavaScript and VBScript malware by using x64dbg debugger to hook API calls “and then demo a tool [frida-wshook] to automate the whole process.”
Analyze JavaScript and VBScript Malware With x64dbg Debugger and API Hooking
- On this week’s Digital Forensic Survival Podcast, Michael covers the basics of the shellbags artefact.
DFSP # 101 – B2B Shellbags
- Richard Davis has uploaded a video on Recycle Bin forensics.
Recycle Bin Forensics
- SANS have uploaded Matt Bromiley’s presentation on “techniques to identify lateral movement when Windows Event Logs are not present”
What Event Logs Part 2 Lateral Movement without Event Logs
MALWARE
- Joe Security unpack and analyse a malicious sample that opens a PDF showing the cover of the newly released book “Fire and Fury”.
Generic .Net Unpacking
- Jared Myers at Carbon Black examines the Pylot (Travle) malware.
Threat Analysis: Pylot (Travle) Malware Family
- Jarosław Jedynak at CERT Polska explains their Mtracker project, which allows them to mimic malicious samples “during communication with C&C server and download new samples or webinjects automatically, without any delay or human intervention.”
Mtracker – our take on malware tracking
- Philip Tsukerman at Cybereason reviews “the various methods of DCOM lateral movement (including some that are yet undocumented), assess their use cases and forensic artifacts and offer methods to detect and prevent the use of these techniques.”
New lateral movement techniques abuse DCOM technology
- The Cylance Threat Guidance Team examine how the Kovter malware infects hosts.
Threat Spotlight: Kovter Malware Fileless Persistence Mechanism
- Fortinet briefly examine the SpriteCoin ransomware.
SpriteCoin: Another New CryptoCurrency…or NOT!
- Hasherezade walks through a Python-based crackme challenge.
Solving a PyInstaller-compiled crackme
- Oleg Boyarchuk and Stefano Ortolani at Lastline examine the qkG malware.
qkG: Simple Malware, Tricky Ransomware
- Zaid Arafeh at Microsoft provides some information about a recent Misfox infection.
Now you see me: Exposing fileless malware
- Ashwin Vamshi at Netskope shares information about the Pony Loader malware.
Pony Loader exfiltrates user and wallet data
- Patrick Wardle at Objective-See analyses the CrossRat malware.
Analyzing CrossRAT
- There were a few posts on the Palo Alto Networks blog this week.
- Josh Grunzweig shares details of a recent campaign distributing the XMRig Monero mining software, which on its own isn’t malicious, but has been used for malicious purposes.
Large Scale Monero Cryptocurrency Mining Operation using XMRig
- Josh also shares some information surrounding the TopHat campaign that saw attackers use “Arabic language decoy documents related to current events within the Palestine Territories as lures to entice victims to open and subsequently be infected by the malware”
The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services
- Robert Falcone examines an IIS backdoor called “RGDoor”.
OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
- Alberto Garcia Illera at Salesforce Engineering has added multi-platform support to the Ponce plugin for IDA Pro.
Ponce 0.2 Released with Multi-Platform Support
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries.
- Xavier Mertens shares some information surrounding a ransomware-as-a-service provider.
Ransomware as a Service, (Thu, Jan 25th)
- Brad Duncan examines the infection chain of the recent wave of malspam distributing hancitor.
RTF files for Hancitor utilize exploit for CVE-2017-11882, (Wed, Jan 24th)
- Vitor Ventura at Cisco’s Talos blog analyses “a new variant of the SamSam ransomware”.
SamSam – The Evolution Continues Netting Over $325,000 in 4 Weeks
- There were a couple of posts on the TrendLabs blog this week.
- CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin and Razor Huang examine the Ratankba malware used by the Lazarus group.
Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
- Chaoying Liu and Joseph C. Chen show how attackers are abusing Google’s DoubleClick to deploy the Coinhive mining malware.
Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners
- Martijn Grooten at VirusBulletin shares Randy Abrams’ presentation from VB2017 on VirusTotal tips, tricks and myths.
VB2017 paper: VirusTotal tips, tricks and myths
- Zerophage Malware has a post examining a maldoc that distributes the Loda Logger malware.
Maldoc (RTF) drops Loda Logger
MISCELLANEOUS
- Adam Harrison at 1234n6 walks through the process of installing the SIFT workstation on Win10’s Linux subsystem. I recently set up a box as a dedicated SIFT machine, but I think I might look into getting this working once I get my act together. Windows administration is a lot easier for me than Ubuntu via SSH (sure, you can figure it out, but time is money when you’re trying to remember the right words to type to format a drive as exFAT… yes, it’s not difficult, but a couple of mouse clicks is easier to remember :P)
Installing SIFT Workstation under Windows Subsystem for Linux
- Chris Sanders reviewed chapters 38-46 of the Cuckoo’s Egg.
Cuckoo’s Egg – Week 7 Notes
- “Packt Publishing has released the third edition of Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin, Heather Mahalik and Satish Bommisetty.”
The third edition of Practical Mobile Forensics has been released
- Stacey Champagne at Cyberly has listed her goals for the year. I think it’s good to publicise your goals like this; it takes courage to put them out publicly, but it also motivates you to achieve them.
Career Goals in 2018 as a New Digital Forensics Investigator
- Brett Shavers has posted a couple of times on the DFIR.Training blog about the recent addition of the forensic artefact database, and the benefits of reviewing it periodically.
- Oleg Afonin advised that as of iOS 11.3, Lockdown records will have a one-week expiry. This will have significant implications for examiners utilising this method to bypass the user passcode to obtain an extraction.
iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records
- There’s a post on the Endgame blog providing suggestions for how to get into InfoSec. This includes attending meetups and conferences where you can, as well as working through openly available CTFs and challenges. I also recommend starting a blog and documenting your experiences.
Getting Started in Information Security
- There were a few posts on the Forensic Focus blog this week.
- Jasmin Cosic, Miroslav Baca & Peter Grd have shared their paper on developing a standard for chain of custody in digital forensics. The paper outlines “the usage of Digital Evidence Management Framework (DEMF), the framework outlined in previous researches that allows guidance and proving of [metadata], or chain of custody at any time in any phase of digital forensic investigation”
Developing A Standard For Chain Of Custody
- Jeremy Kirby advised that Susteen’s Burner Breaker tool has “achieved Popular Science’s “Best of What’s New” award in the category of Innovations in Security”
Susteen’s Burner Breaker Wins Popular Science “Best Of What’s New”
- Robert Merriott has posted his thoughts on the adoption of ISO 17025 for digital forensics. There has also been some healthy discussion happening in the forum.
ISO 17025 For Digital Forensics – Yay Or Nay
- James Zjalic shares his thoughts on charlatans in DF. This goes well with what was said in the discussion on ISO 17025 – we shouldn’t be worrying about certifying computer labs, but rather set a standard for DF examiners to work towards.
Charlatans In Digital Forensics
- There are now two copies of the Forensic Wiki running concurrently. Simson Garfinkel cloned the wiki to this location; however, since then the contractor running the original decided to keep it up and running as well, so I’m not sure what’s going to happen, but I guess it means the original is here to stay for now.
- H-11 Digital Forensic Services have listed 30 of their favourite open source digital forensics tools.
The Best Open Source Digital Forensic Tools
- Jared Greenhill at ‘Just Another DFIR Blog’ provides some advice for international students looking for work in DFIR in the US. Jerry Bell also tweeted some useful advice.
DFIR Jobs — International student version
- Magnet Forensics have awarded Austin Berrier with their latest Magnet Forensics Community Award, and interviewed him about his work “as a Homeland Security Investigations Agent with the U.S. Government”
Announcing the Latest Magnet Forensics Community Award Winner: Austin Berrier
- Didier Stevens at the SANS Internet Storm Center shows how to use the ‘Decode as’ feature of Wireshark to decode TLS traffic (which Wireshark appears to think is SSH traffic based on the use of port 22).
HTTPS on every port?, (Mon, Jan 22nd)
- Who’s Who Legal highlighted “66 experts from 27 firms in the field of digital forensics”. I’m not really sure what criteria were used to list the individuals and companies. I have to admit that I know very few names on the list, and even fewer whose abilities I could vouch for; that’s not to say that they don’t have top-notch abilities, I just don’t really know of a good objective way to judge without people sharing their knowledge or showing what they’ve achieved – now if only we could find a way to get them to share more.
Investigations 2018: Digital Forensic Experts
SOFTWARE UPDATES
- Blackbag Technologies have released Macquisition 2018 R1. The update adds APFS support, logical acquisition, live RAM capture from MacOS High Sierra, and NTFS write support.
Macquisition 2018 R1 Is Now Available
- Dan Gunter has released a Python script for parsing Bro logs.
Simplifying Bro IDS Log Parsing with ParseBroLogs
- DME Forensics have released DVR Examiner v2.2. The main update is the addition of “Filesystem Database Updates”, which allow DME to provide new file systems faster. They have also changed their license so that you will only be able to process data with an active license. Expired licenses will still be able to view old cases.
Updates More Often with DVR Examiner 2.2 – Available Now!
- “Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android user’s encrypted WhatsApp communication histories stored in Google Drive”. Oleg Afonin explains the acquisition process.
Extract and Decrypt Android WhatsApp Backups from Google Account
- ExifTool 10.77 (development release) was released, adding some new tags and fixing bugs.
ExifTool 10.77
- Forensicist have released a new tool specifically for analysing the USN Journal.
USN Analytics
- Foxton Forensics have released Browser History Examiner v1.8.
Check out @FoxtonForensics’s Tweet
- Adam at Hexacorn has updated DeXRAY to version 2.05, adding support for “Kaspersky’s System Watcher” quarantine files.
DeXRAY 2.05 update
- Jad Saliba at Magnet Forensics announces the release of a new free tool, “Magnet AXIOM Wordlist Generator”, that can be used to generate a wordlist from an Axiom case file.
Extracting Gold: Creating Wordlists from AXIOM Cases to Crack Passwords
- Minoru Kobayashi has released ‘vss_carver.py’, which can be used to carve deleted VSS snapshots.
Check out @unkn0wnbit’s Tweet
- MOBILedit Forensic Express 5.1 Beta has been released with a number of new features, improvements, and bug fixes.
MOBILedit Forensic Express Beta Released
- Oxygen Forensics released version 10.0.3 of their Detective product, including Project VIC integration, as well as other features and bug fixes.
Oxygen Forensics partners with Project VIC to fight child exploitation
- X-Ways Forensics 19.5 SR-5 was released with some bug fixes.
Using LogStash to feed CEF to ElasticSearch
- X-Ways Forensics 19.6 Preview 5 was released with some additional features.
X-Ways Forensics 19.6 Preview 5
And that’s all for Week 4! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!