FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog shows the effects that various file actions have on an NTFS MFT record’s fixup bytes and Update Sequence Number (USN).
Fixup と Update Sequence Number
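The fixup mechanism in Ihara's post is easy to get wrong in a hand-rolled parser, so here is an added example (my code, not Ihara's or the Port 139 blog's) that applies the fixups to a FILE record and refuses a torn one. The record it works on is synthetic: make_record builds a 1024-byte record with the usual 512-byte sectors, a USA at offset 0x30 and the USN stamped over the last two bytes of each sector the way NTFS writes it; only the layout constants come from the NTFS on-disk format, the data is constructed here.

```python
import struct

SECTOR = 512
RECORD = 1024
USA_OFFSET = 0x30   # where the update sequence array sits in a FILE record


def read_usn(record: bytes) -> int:
    """Return the Update Sequence Number from the record header."""
    usa_offset = struct.unpack_from("<H", record, 0x04)[0]
    return struct.unpack_from("<H", record, usa_offset)[0]


def apply_fixups(record: bytes, sector_size: int = SECTOR) -> bytes:
    """Undo the NTFS fixup: check that every sector ends with the USN, then restore the
    two bytes the USN displaced from the update sequence array. A mismatch means a torn
    write or corruption, which is exactly what the fixup exists to detect."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (signature %r)" % record[:4])
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    sectors = usa_count - 1                       # entry 0 of the array is the USN itself
    if sectors * sector_size > len(record):
        raise ValueError("update sequence array covers more sectors than the record holds")
    fixed = bytearray(record)
    for i in range(sectors):
        tail = (i + 1) * sector_size - 2
        if fixed[tail:tail + 2] != usn:
            raise ValueError("sector %d ends with %s, expected USN %s: torn write or corrupt record"
                             % (i, fixed[tail:tail + 2].hex(), usn.hex()))
        saved = usa_offset + 2 + 2 * i            # original bytes for sector i live here
        fixed[tail:tail + 2] = record[saved:saved + 2]
    return bytes(fixed)


def fixup_ok(record: bytes) -> bool:
    """True when the record is internally consistent (every sector tail matches the USN)."""
    try:
        apply_fixups(record)
        return True
    except ValueError:
        return False


def make_record(usn: int, sector_tails: list) -> bytes:
    """Build a synthetic FILE record (constructed for this example, not a real MFT dump):
    the last two bytes of each sector are overwritten with the USN and the displaced bytes
    are stored in the USA, which is what NTFS does on every write of the record."""
    rec = bytearray(RECORD)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, USA_OFFSET, 1 + len(sector_tails))
    struct.pack_into("<H", rec, USA_OFFSET, usn)
    for i, tail in enumerate(sector_tails):
        rec[USA_OFFSET + 2 + 2 * i:USA_OFFSET + 4 + 2 * i] = tail
        end = (i + 1) * SECTOR
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)


def rewrite(record: bytes, sector_tails: list) -> bytes:
    """Simulate NTFS updating the record: the USN goes up by one on each write, which is
    the counter that changes across the file operations Ihara's post walks through."""
    return make_record(read_usn(record) + 1, sector_tails)


if __name__ == "__main__":
    rec = make_record(5, [b"\xaa\xbb", b"\xcc\xdd"])
    print("on-disk sector tails:", rec[510:512].hex(), rec[1022:1024].hex())
    clean = apply_fixups(rec)
    print("after fixup         :", clean[510:512].hex(), clean[1022:1024].hex())
    print("USN after a rewrite :", read_usn(rewrite(rec, [b"\xaa\xbb", b"\xcc\xdd"])))
```

Run it against a record pulled out of $MFT with dd (1024 bytes at the record's offset) and compare the USN across snapshots taken before and after a file operation to see the counter move; any tool that hands you raw records without applying the fixup will show the USN bytes in place of the real data at offsets 510 and 1022.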
- Adam Harrison at 1234n6 walks through the process of rebuilding a hardware RAID in EnCase 7/8. As a side note, Adam wrote this post so that he could refer back to it at a later date, but publishing it online means that we all benefit too!
Rebuilding Hardware Raid in EnCase 7/8
- CyDefe shared “a quick guide for dumping and analyzing windows and linux memory.”
Tools 101: Volatility Usage
- Teru Yamazaki at Forensicist explains how to use the “utmp scanner on bulk_extractor-rec.”
Carving utmp records for intrusion analysis
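To show what a utmp scanner like the one in Yamazaki's post is actually doing, here is an added example (my code, not bulk_extractor's or Forensicist's) that slides through an arbitrary buffer, decodes each window as a glibc struct utmp in the x86_64 layout (384 bytes), and keeps only the windows that pass plausibility checks on type, PID, timestamp and string fields. The input is constructed inline: two login records and a matching DEAD_PROCESS record, separated by filler bytes; no real wtmp is read.

```python
import struct
from datetime import datetime, timezone

UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"   # glibc struct utmp, x86_64: 384 bytes
UTMP_SIZE = struct.calcsize(UTMP_FMT)
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}
MIN_TS, MAX_TS = 946684800, 4102444800      # 2000-01-01 .. 2100-01-01 plausibility window


def _cstr(raw: bytes):
    """NUL-terminated ASCII field -> str, or None if it contains junk."""
    try:
        text = raw.split(b"\0", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def parse_utmp(buf: bytes, off: int):
    """Decode one candidate record at off; None if it fails the sanity checks."""
    if off + UTMP_SIZE > len(buf):
        return None
    (ut_type, pid, line, _ident, user, host, _e_term, _e_exit,
     _session, tv_sec, tv_usec, addr) = struct.unpack_from(UTMP_FMT, buf, off)
    if ut_type not in TYPES or pid < 0 or not MIN_TS <= tv_sec < MAX_TS or not 0 <= tv_usec < 1_000_000:
        return None
    line_s, user_s, host_s = _cstr(line), _cstr(user), _cstr(host)
    if None in (line_s, user_s, host_s):
        return None
    if ut_type in (6, 7) and not user_s:         # a login record must name a user
        return None
    ip = ".".join(str(b) for b in addr[:4]) if addr[:4] != b"\0\0\0\0" else ""   # IPv4 sits in ut_addr_v6[0]
    return {"offset": off, "type": TYPES[ut_type], "pid": pid, "line": line_s, "user": user_s,
            "host": host_s, "ip": ip,
            "time": datetime.fromtimestamp(tv_sec, timezone.utc).isoformat()}


def carve_utmp(buf: bytes, step: int = 1):
    """Byte-wise scan (records carved from unallocated space or swap are not aligned);
    after a hit the scan jumps past the record so overlapping windows are not reported."""
    hits, off = [], 0
    while off + UTMP_SIZE <= len(buf):
        rec = parse_utmp(buf, off)
        if rec:
            hits.append(rec)
            off += UTMP_SIZE
        else:
            off += step
    return hits


def make_utmp(ut_type, pid, line, ident, user, host, tv_sec, ip=b"\0\0\0\0"):
    """Constructed sample record; struct.pack NUL-pads the fixed-width fields."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(), user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, ip + b"\0" * 12)


FILLER = bytes(range(256)) * 2   # constructed noise: no adjacent byte pair here decodes to a valid ut_type
SAMPLE = (FILLER[:100]
          + make_utmp(7, 2311, "pts/0", "ts/0", "alice", "203.0.113.7", 1517443200, bytes([203, 0, 113, 7]))
          + FILLER[:300]
          + make_utmp(8, 2311, "pts/0", "ts/0", "", "", 1517446800)
          + FILLER[:77]
          + make_utmp(7, 4096, "pts/1", "ts/1", "bob", "localhost", 1517450400, bytes([127, 0, 0, 1])))

if __name__ == "__main__":
    for rec in carve_utmp(SAMPLE):
        print(rec)
```

Pair USER_PROCESS and DEAD_PROCESS hits on the same line and PID to reconstruct session start and end; the timestamp window and the ASCII checks are what keep the false-positive rate down when the same scan is run over gigabytes of unallocated space.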
- There were a few posts on ‘Hacking Articles’ this week
- Ankit Gupta introduces OS Forensics by Passmark Software and shows how to create a new case, and setup and use the indexing feature.
Digital Forensics Investigation using OS Forensics (Part1)
- Ankit continues the previous post, this time looking at examining various artefacts such as recent activity, deleted files, memory, and prefetch.
Digital Forensics Investigation through OS Forensics (Part 2)
- Lastly, Ankit looks at the raw disk viewer, registry viewer, file system browser, and password extraction features.
Digital Forensics Investigation through OS Forensics (Part 3)
- Abhimanyu Dev shows how to use qemu-img to convert a VMDK image to raw format and then file carve from it. The image is also opened in FTK Imager, although if I recall correctly FTK Imager can already open VMDK images natively.
Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)
- “Jamie McQuaid and Jessica Hyde [at Magnet Forensics] have written a series of blog posts that will walk through how to ingest various images from third-party sources into AXIOM and how to export an AXIOM image for use with other tools”
How to Ingest Images from Various Tools and Acquisition Methods
- Jon Poling at ‘Ponder The Bits’ walks through the process of creating a one-liner for generating file system listings with accompanying file hashes
Generating File System Listings from the Command Line (with Full MACB Timestamps and Hashes)
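Poling's post builds the listing as a shell one-liner; as an added example (my code, not Poling's) the same listing is produced in Python so that it behaves identically on Linux and macOS and so that the two caveats a hash listing has to handle are visible in code: birth time (B in MACB) exists only on platforms whose stat exposes st_birthtime, and symlinks must be described with lstat rather than followed. demo() creates a throwaway directory with one constructed file so the function can be exercised without a real evidence mount.

```python
import csv
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

FIELDS = ["path", "size", "inode", "mode", "uid", "gid", "atime", "mtime", "ctime", "btime", "md5", "sha256"]


def hash_file(path, chunk=1 << 20):
    """Stream the file once, feeding both digests; never read an evidence file twice."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")


def stat_row(path):
    st = os.lstat(path)                           # lstat: record the link itself, do not follow it
    birth = getattr(st, "st_birthtime", None)     # macOS/BSD only; Linux's os.stat has no birth time
    row = {"path": path, "size": st.st_size, "inode": st.st_ino, "mode": oct(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid,
           "atime": utc(st.st_atime), "mtime": utc(st.st_mtime), "ctime": utc(st.st_ctime),
           "btime": utc(birth) if birth is not None else "", "md5": "", "sha256": ""}
    if os.path.isfile(path) and not os.path.islink(path):
        # Reading the file updates atime on a read-write mount: mount the evidence
        # read-only (or noatime) before running this, or the A timestamps are yours.
        row["md5"], row["sha256"] = hash_file(path)
    return row


def list_tree(root):
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        for name in dirnames + filenames:
            rows.append(stat_row(os.path.join(dirpath, name)))
    rows.sort(key=lambda r: r["path"])
    return rows


def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def demo():
    """Constructed sample tree: one directory holding a five-byte file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "hello.txt"), "wb") as fh:
        fh.write(b"hello")
    return list_tree(root)


if __name__ == "__main__":
    print(to_csv(demo()), end="")
```

Point list_tree at the mount point of the image and redirect to_csv's output to a file that lives outside the evidence; the sorted, fixed-column CSV diffs cleanly against a listing taken from another snapshot of the same volume.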
- SalvationData posted a couple of case studies this week
- The first shows how to create a backup of a Mi (Xiaomi) Note 3 onto the device’s SD card and then examine it using SmartPhone Forensic System (SPF).
[Case Study] Mobile Forensics: Easy Solution for Apps Data Extraction from Unrooted Android Phone
- The second shows how to use SPF to obtain a physical extraction from devices built on Qualcomm chips via ‘9008 mode’ (Qualcomm’s Emergency Download mode, named after the USB product ID 0x9008 the device presents in that state)
[Case Study] Mobile Forensics: How to Extract Data from Locked Devices Powered by Qualcomm
- Howard Oakley at The Eclectic Light Company continues his research into extended attributes and iCloud
- He provides some information on the com.apple.cscachefs xattr (iCloud Drive app tag)
xattr: com.apple.cscachefs, iCloud Drive app tag
- He looks into the different iCloud Drive user modes. Interestingly, “iCloud Drive knows which files originated from each of the clients, and keeps track of that.”.
iCloud Drive has user modes, and tags transferred apps
- He provides some information on com.apple.icloud.itemName xattr (iCloud Drive placeholder filename)
xattr: com.apple.icloud.itemName, iCloud Drive placeholder filename
- He explains that Apple uses the com.apple.icloud.itemName tag to show files “which exist solely in iCloud”
How iCloud marks the place of documents stored remotely
- Robert at ‘The Hex Ninja’ shows how to automate some basic JPEG carving using Python
Practical Exercise – Image Carving II – Python
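Header/footer carving of the kind Robert's exercise automates stops at the first FFD9, which truncates any JPEG that carries an EXIF thumbnail (the thumbnail is a complete JPEG with its own EOI inside the APP1 segment). As an added example (my code, not The Hex Ninja's) the carver below walks the marker segments instead, skipping each length-prefixed segment whole and only scanning for EOI inside entropy-coded data, where FF00 stuffing and RST markers must be ignored. make_jpeg builds marker-valid (not decodable) JPEGs for the constructed input, including one with an embedded thumbnail and one truncated file.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))   # TEM, SOI, EOI, RST0-7 have no length field


def jpeg_end(buf: bytes, start: int):
    """Offset just past the EOI of the JPEG at buf[start:], or None if truncated/malformed."""
    n = len(buf)
    if buf[start:start + 2] != b"\xff\xd8":
        return None
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                               # lost sync: a marker must start with FF
        marker = buf[pos + 1]
        if marker == 0xFF:                            # fill byte ahead of a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None
        pos += 2 + seglen                             # APP1 with a thumbnail is skipped whole here
        if marker != SOS:
            continue
        # Entropy-coded data: FF is either stuffed (FF00), a restart marker (FFD0-D7),
        # or the next real marker, at which point segment parsing resumes.
        while pos + 1 < n:
            if buf[pos] != 0xFF:
                pos += 1
            elif buf[pos + 1] == 0x00 or 0xD0 <= buf[pos + 1] <= 0xD7:
                pos += 2
            else:
                break
        else:
            return None
    return None


def naive_end(buf: bytes, start: int):
    """The header/footer approach (first FFD9 after the SOI), kept only for comparison."""
    i = buf.find(b"\xff\xd9", start + 2)
    return None if i < 0 else i + 2


def carve_jpegs(buf: bytes):
    """(start, end) of every structurally complete JPEG; the search resumes after each hit,
    so a thumbnail inside a carved file is not carved a second time."""
    found, pos = [], 0
    while True:
        start = buf.find(b"\xff\xd8\xff", pos)
        if start < 0:
            return found
        end = jpeg_end(buf, start)
        if end is None:                  # truncated or damaged: skip the SOI and keep looking
            pos = start + 2
        else:
            found.append((start, end))
            pos = end


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_jpeg(thumbnail: bytes = b"") -> bytes:
    """Constructed, marker-valid JPEG (a decoder would reject it as a picture)."""
    app0 = _segment(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, b"Exif\0\0" + thumbnail) if thumbnail else b""
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"       # stuffed FF00 and an RST0 inside scan data
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


JUNK = b"\x00unallocated\x00" * 4
SAMPLE = (JUNK + make_jpeg(thumbnail=make_jpeg()) + JUNK + make_jpeg() + JUNK
          + b"\xff\xd8\xff\xe0\x00\x10JFIF")          # truncated file at the end of the buffer

if __name__ == "__main__":
    for start, end in carve_jpegs(SAMPLE):
        print(f"JPEG at {start}, {end - start} bytes; naive carver would stop at {naive_end(SAMPLE, start)}")
```

On a real image, feed the carver fixed-size reads of the raw device rather than the whole file, and carry a few KiB of overlap between reads so a file spanning the boundary is not missed; a JPEG that jpeg_end rejects is still worth saving as a fragment, which is where the naive footer search remains useful.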
- hsiF_cisneroF noticed that FTK and EnCase were unable to deal with a recent BitLocker-encrypted Win10 image and asked to pass along the message to the community. Apparently, AXIOM copes with the image just fine. My suggestion for when an encryption type isn’t supported is generally to find a way to mount it as a physical disk and then add it to the case that way. Independently, this is what was tried, with Arsenal Image Mounter being utilised to assist in decrypting the image.
Check out @hsiF_cisneroF’s Tweet
- Yogesh Khatri at Swift Forensics shows how to parse the macOS notes database.
Reading Notes database on macOS
THREAT INTELLIGENCE/HUNTING
- Vitali Kremez and Ronnie Tokazowski at Flashpoint provide some detection for the “Adobe Flash vulnerability, designated CVE-2018-4878.”
Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017
- Adam at Hexacorn shows a (failed) persistence technique that utilises the alg.exe process. Adam explains that it’s being included for completeness but has been unable to exploit it to load custom code.
Beyond good ol’ Run key, Part 71
- Adam also provided an update to his EDR solutions spreadsheet
Endpoint Detection and Response (EDR) solutions sheet – update
- Tom Kahana at Illusive Networks shares the newly released ““HistoricProcessTree”, a tool that visualizes historic process execution evidence (based on Event ID 4688 – Process Creation Event) in a tree view.”
Improving Cyber Investigation Outcomes through Better Visualization of Historic Process Execution Events
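Building a tree from 4688 events looks trivial until PIDs get reused, so here is an added example (my code, not Illusive's HistoricProcessTree) that links each 4688 to the most recent earlier 4688 whose NewProcessId equals its CreatorProcessId, hangs processes whose creator never appeared in the log off a synthetic root, and then walks the tree for the Office-spawns-a-shell pattern that a flat event list hides. The events are constructed inline with hex PIDs as the event viewer renders them; nothing is read from a real Security.evtx.

```python
EVENTS_4688 = [   # constructed sample, not real Security.evtx output
    {"time": "2018-02-03T10:00:01Z", "NewProcessId": "0x3e8", "CreatorProcessId": "0x2bc",
     "NewProcessName": r"C:\Windows\explorer.exe", "SubjectUserName": "alice"},
    {"time": "2018-02-03T10:00:05Z", "NewProcessId": "0x1a4", "CreatorProcessId": "0x3e8",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "SubjectUserName": "alice"},
    {"time": "2018-02-03T10:00:09Z", "NewProcessId": "0x5dc", "CreatorProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
    # PID 0x1a4 is handed out again after WINWORD exits; a tree keyed on PID alone mislinks calc.exe
    {"time": "2018-02-03T10:01:00Z", "NewProcessId": "0x1a4", "CreatorProcessId": "0x3e8",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "SubjectUserName": "alice"},
    {"time": "2018-02-03T10:01:30Z", "NewProcessId": "0x7d0", "CreatorProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\calc.exe", "SubjectUserName": "alice"},
]

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Return (root, index); index maps (pid, time) -> node. Events are processed in time
    order so 'latest' always holds the current owner of a PID when a child references it."""
    root = {"pid": None, "name": "[creators with no 4688 in this log]", "time": "", "user": "",
            "children": [], "parent": None}
    index, latest = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        pid = int(ev["NewProcessId"], 16)
        node = {"pid": pid, "name": ev["NewProcessName"], "time": ev["time"],
                "user": ev.get("SubjectUserName", ""), "children": [], "parent": None}
        parent = latest.get(int(ev["CreatorProcessId"], 16), root)
        node["parent"] = parent
        parent["children"].append(node)
        index[(pid, ev["time"])] = node
        latest[pid] = node                  # newest holder of this PID wins for later children
    return root, index


def render(node, depth=0):
    """Indented text view, one line per process."""
    label = node["name"] if node["pid"] is None else \
        f"0x{node['pid']:x} {_base(node['name'])} {node['time']} {node['user']}"
    lines = ["  " * depth + label]
    for child in node["children"]:
        lines.extend(render(child, depth + 1))
    return lines


def office_spawned_shells(root):
    """(parent, child) pairs where an Office binary launched a scripting host or shell."""
    hits, stack = [], [root]
    while stack:
        node = stack.pop()
        for child in node["children"]:
            if node["pid"] is not None and _base(node["name"]) in OFFICE and _base(child["name"]) in SHELLS:
                hits.append((node, child))
            stack.append(child)
    return hits


if __name__ == "__main__":
    root, _ = build_tree(EVENTS_4688)
    print("\n".join(render(root)))
    for parent, child in office_spawned_shells(root):
        print("suspicious:", _base(parent["name"]), "->", _base(child["name"]), "at", child["time"])
```

Two limits are worth keeping in mind when this is run over real logs: a creator that started before auditing was enabled (or whose event rolled out of the log) lands under the synthetic root rather than being wrong, and 4688 alone does not know when a process exited, so folding in 4689 (process termination) would let a stale 'latest' entry be invalidated instead of relying on time ordering.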
- Eyal Neemany at Javelin Networks looks at a few of the malware droppers used by APT29
How APT29 (Cozy Bear) & Active Directory Got Trump Elected
- There were a few posts on the Red Canary blog this week
- Casey Smith and Michael Haag “walk through how to build a chain reaction by utilizing multiple ATT&CK tactics and techniques, then show how to identify whether the solutions you have in place prevented and/or detected the behaviors”
Testing Detection and Prevention Tools With Atomic Red Team “Chain Reactions”
- Casey and Michael also posted some answers to questions they weren’t able to get to in their recent Atomic Red Team training session.
Detonate, Detect, Analyze: the Applied Research Team Answers Audience Questions
- Frank McClain explains how to effectively detect application shimming (and reduce the noise).
Detecting Application Shimming: A Story About Continuous Improvement
- Martin Lee and Vanja Svajcer at Cisco’s Talos blog “review some of the findings created by investigating the most frequently triggered Snort signatures as reported by Cisco Meraki systems and included in the Snort default policy set.”
2017 in Snort Signatures.
UPCOMING WEBINARS/CONFERENCES
- Cellebrite will be hosting a webinar on Thursday, February 8, 2018, at 3:00 PM EST on the challenges of new forms of digital evidence
New Forms of Digital Evidence Can Change Case Outcomes
- “On the 6th, 7th and 8th February 2018, MD5 will be holding a series of hour-long webinars, offering customers the opportunity to see all features of VFC – new and old – demonstrated and explained live.” To register for a session you can put your details in here
- Brian Hill at Oxygen Forensics will be hosting a 1-hour webinar on the future of training at Oxygen, the new features since v10, and the search functionality. The webinar will take place Thursday, February 8th, 2018 at 10 am Central Standard Time.
Oxygen Forensics, Inc Webinar Series Kick Off!
- SANS announced the CFP for their Threat Hunting and Incident Response Summit, held September 6 & 7, 2018. The Call for Presentations closes on Monday, March 5, 2018, at 5 p.m. CST
“SANS Threat Hunting and Incident Response Summit 2018 Call for Speakers – Deadline 3/5”
PRESENTATIONS/PODCASTS
- The first Brakeing Down Incident Response podcast was posted. Michael and Brian hosted Dave Cowen and Tyler Hudak. They also mentioned my site as a pick of the week so thanks! Also, props for the full show notes; not many people do them
BDIR-000 ; The Beginning
- Magnet Forensics shared Jessica Hyde’s recent webinar on security/vault apps
Recorded Webinar: How the Onset of Security Apps is Impacting Investigations
- On this week’s Digital Forensic Survival Podcast, Michael covered some of the information that can be obtained from examining the Internet Explorer history, primarily the local file system access (file:/// entries) that Windows Explorer activity leaves in it.
DFSP # 102 – B2B Windows Explorer
- I posted the “This Month In 4n6” podcast for January covering the articles, presentations, and software updates I wanted to talk about
This Month In 4n6 – January – 2018
- Wyatt Roersma live streamed some malware analysis a few times this week
vTriple – Twitch
MALWARE
- Ivona Alexandra Chili and Bogdan Botezatu at Bitdefender Labs share a whitepaper on Operation PZChao; including the “attack chain, the infrastructure used by the threat actors, the malware subdomains they control and the payloads delivered on the targeted systems, as well as other telltale signs about a possible return of the Iron Tiger APT.”
Operation PZChao: a possible return of the Iron Tiger APT
- Carrie Roberts at Black Hills Information Security shows how to deploy the REMnux malware analysis distro to an AWS instance.
Deploy REMnux to the Cloud, Reverse Engineering Malware in the Cloud
- Hasherezade shows how to unpack the Pykspa Malware using her libPeConv library.
Unpacking a malware with libPeConv (Pykspa case study)
- Hasherezade has also created a small crack-me challenge with Grant Willcox. The first to complete the challenge will win a book of their choosing, and the best writeup after the competition will also win a book.
White Rabbit crackme!
- Kyle Hanslovan at Huntress Labs shares the Huntress ThreatOps team’s analysis of payloads dropped due to “a vulnerability in Kaseya’s VSA product”
Deep Dive: Kaseya VSA Mining Payload
- Nicolas Falliere at PNF Software advises that “the latest JEB release ships with our all-new Android resources (ARSC) decoder, designed to reliably handle tweaked, obfuscated, and sometimes malformed resource files.”
A new APK Resources Decoder with de-Obfuscation Capabilities
- Alexander Sevtsov at Lastline Labs examines a maldoc that drops Smoke Loader.
Smoke Loader Campaign: When Defense Becomes a Numbers Game
- There were a few posts on the Malwarebytes Labs blog this week
- Vasilios Hioueras and Jérôme Segura take a look at the GandCrab ransomware
GandCrab ransomware distributed by RIG and GrandSoft exploit kits
- Vasilios Hioueras examines a new sample of the Scarab ransomware
Scarab ransomware: new variant changes tactics
- Thomas Reed examines the OSX.CreativeUpdate Monero miner
New Mac cryptominer distributed via a MacUpdate hack
- Ryan Sherstobitoff and Jessica Saavedra-Morales at McAfee Labs describe and analyse “additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access” against “organizations involved with the Pyeongchang Olympics”
Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems
- There were a few posts on the Palo Alto Labs blog this week
- Tom Lancaster and Juan Cortes analyse the Vermin malware
VERMIN: Quasar RAT and Custom Malware Used In Ukraine
- Josh Grunzweig shares some research into the Comnie malware family that has been observed “targeting organizations in the East Asia region”
Comnie Continues to Target Organizations in East Asia
- Etay Nir reviews “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software” by Andrew Honig and Michael Sikorski
The Cybersecurity Canon – Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
- Didier Stevens examines a maldoc that most likely came from a previous pentest
Is this a pentest?, (Sun, Jan 28th)
- Didier shows how to add a global comment to a PCAP file in Wireshark
Comment your Packet Captures – Extra!, (Mon, Jan 29th)
- Xavier Mertens provides a “quick analysis of a malicious Excel sheet found while hunting”
Simple but Effective Malicious XLS Sheet, (Fri, Feb 2nd)
- Didier also examines a malicious HTA file
Analyzing an HTA file, (Sat, Feb 3rd)
- Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds at Cisco’s Talos blog describe the latest trend of cryptocurrency miners, and the various attack vectors that are used to distribute the tools used.
Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
- Tony Huffman at Tenable provides IOCs for the Ploutus-D ATM Malware
Ploutus-D ATM Malware Reported in U.S.
- There were a couple of posts on the TrendLabs blog this week
- Ecular Xu and Grey Guo examine the PoriewSpy malicious Android app
Hacking Group Spies on Android Users in India Using PoriewSpy
- Joseph C Chen analyses the infection chain of the Droidclub botnet
Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet
- Vitali Kremez shows how to “dissect and outline the main functions of FormBook crypter and its RunLib main injection DLL.”
Let’s Learn: Dissecting FormBook Infostealer Malware: Crypter & “RunLib.dll”
MISCELLANEOUS
- Brett Shavers comments on conferences offering free attendance and “exposure dollars” to present. This post is reminiscent of a post by the previous DFIR Guy at DFIR.Training; it does make sense when you think about it, but I do think that it depends on your profile as a speaker or researcher. That being said, if they ask you to come and speak then, yeah, they should be footing the bill.
How many exposure dollars do you need to buy a cup of coffee?
- Chris Sanders reviewed the remaining chapters of the Cuckoo’s Egg.
Cuckoo’s Egg – Week 8 Notes
- DME Forensics describe how to use the ““inaccessible recovery” feature in DVR Examiner” to recover (intentionally or unintentionally) deleted footage.
Recovering Deleted DVR Video with DVR Examiner
- Christa Miller from Magnet Forensics wrote an article for Evidence Technology Magazine covering 5 challenges that examiners will face with regards to mobile device examination.
5 Enduring Challenges of Mobile Forensics
- There were a few posts on Forensic Focus this week
- Scar de Courcier shared a roundup of the popular forum topics
Forensic Focus Forum Round-Up
- Scar also shared a few articles of interest from the last month
Digital Forensics News January 2018
- They also interviewed Tod Ewasko, Director Of Product Management at AccessData, about the new AccessData Risk Toolkit (RTK).
Interview With Tod Ewasko, Director Of Product Management, AccessData
- Magnet Forensics have a couple of posts this week
- They shared a case study of how Chris Brinkworth at Enterprise Knowledge Partners uses Axiom “in Corporate Security Incident Response and Investigations”
New Case Study Shows How Magnet AXIOM Helps Incident Responders Understand Endpoint Breach Impact
- They also want your votes in the 4Cast Awards for organisation, software, and blog. They also suggest that you nominate their Director of Forensics, Professor Jessica Hyde for Digital Forensic Investigator of the Year (which Jess blames me for)
Nominate Magnet Forensics in this Year’s Forensic 4:cast Awards!
- Unfortunately, OpenText didn’t follow through with their promise of more information surrounding their ‘Forensic Artifact Research Program’.
Check out @4n6k’s Tweet
SOFTWARE UPDATES
- Plaso 20180127 has been released updating some parsers and plugins, as well as cleanups and bug fixes.
Plaso 20180127 released
- Brian Moran has released a new version of buatapa (v0.0.7)
Several minor updates to buatapa!
- Cellebrite released UFED Physical Analyzer, UFED Logical Analyzer and Reader 7.0 with a variety of updates including “Premium language translation package, Decode data from LG Backup File (.LBF), [and] Decoding support of chats from multiple accounts for Telegram Messenger (Android)”
UFED Physical Analyzer, UFED Logical Analyzer and Reader 7.0 [January 2018]
- Didier Stevens released and updated some of his tools this week
- Elcomsoft Forensic Disk Decryptor (EFDD) v2.0 was released. Vladimir Katalov has a blogpost explaining some of its features including mounting and decrypting images, capturing memory, and creating a portable version.
How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes
- Eric Zimmerman updated LECmd to version 0.9.8, PECmd to version 0.9.2.0, and TimelineExplorer to 0.6.2
- Evimetry was updated to r3.0.6 with a number of improvements and fixes
Release 3.0.6
- ExifTool 10.78 (development release) was released, adding some new tags and fixing bugs
ExifTool 10.78
- Forensic Explorer v4.1.2.6966 was released with a number of improvements and fixes
30 Jan 2018 – 4.1.2.6966
- Nicole Ibrahim updated her FSEventsParser to v3.3; “Output reports and DB table [are] now sorted by event id”
Check out @nicoleibrahim’s Tweet
- Kaspersky Labs released a new evtx parser
ForensicsTools
- “A new version of MISP 2.4.87 has been released including a massive contribution enabling support for internationalisation and localisation in the MISP UI …, as well as a host of improvements to the UI, feed and APIs, including bug fixes and speed improvements.”
MISP 2.4.87 released (aka translate everything, improvements everywhere and more)
- Radare2 v2.3.0 has been released with a variety of new features and updates.
Codename: DirtyHarry
- X-Ways Forensics 19.6 Preview 6 was released with a number of improvements.
X-Ways Forensics 19.6 Preview 6
- Maxim Suhanov has released v1.0.12 of his yarp tool
1.0.12
And that’s all for Week 5! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!