Week 5 – 2018

FORENSIC ANALYSIS

  • Hideaki Ihara at the Port 139 blog shows the effects some file actions have on an NTFS MFT record’s Fixup value and update sequence number.
    Fixup と Update Sequence Number
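    As an added illustration (not code from Hideaki Ihara's post), the Python below models the NTFS fixup mechanism the post examines: on each write NTFS stamps the record's update sequence number (USN) into the last two bytes of every 512-byte stride and keeps the real bytes in the update sequence array (USA), so a parser must verify and undo the stamps, and a bumped USN is the trace that the record was rewritten. The 1024-byte record and its USA offset are constructed here, not taken from a real volume.

```python
import struct

SECTOR = 512  # NTFS places one fixup word per 512-byte stride of a record


def parse_fixups(on_disk: bytes) -> tuple[bytes, int]:
    """Verify and undo the update-sequence fixups of one MFT record as read from disk.
    Returns (in-memory record, USN); raises if a stride tail does not carry the USN,
    which is how a torn write or corrupted record is caught."""
    if on_disk[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_len = struct.unpack_from("<HH", on_disk, 4)  # USA offset, word count
    usn = on_disk[usa_off:usa_off + 2]                         # first USA word is the USN
    buf = bytearray(on_disk)
    for i in range(1, usa_len):                                # remaining words: saved tails
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in stride {i - 1}: torn write or corrupt record")
        buf[end - 2:end] = on_disk[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf), struct.unpack("<H", usn)[0]


def write_fixups(in_memory: bytes, usn: int) -> bytes:
    """Stamp a record for disk with the given USN: save each stride's real tail into the USA
    and overwrite the tail with the USN. NTFS increments the USN on every rewrite."""
    usa_off, usa_len = struct.unpack_from("<HH", in_memory, 4)
    buf = bytearray(in_memory)
    struct.pack_into("<H", buf, usa_off, usn)
    for i in range(1, usa_len):
        end = i * SECTOR
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = in_memory[end - 2:end]
        struct.pack_into("<H", buf, end - 2, usn)
    return bytes(buf)


def constructed_record() -> bytes:
    """Constructed 1024-byte record (hypothetical, not from a real volume):
    USA at offset 48 holding 3 words (USN + one saved tail per stride)."""
    rec = bytearray(b"FILE" + struct.pack("<HH", 48, 3)).ljust(1024, b"\xAA")
    rec[510:512] = b"\x11\x22"    # real bytes at the end of stride 0
    rec[1022:1024] = b"\x33\x44"  # real bytes at the end of stride 1
    return bytes(rec)


if __name__ == "__main__":
    first = write_fixups(constructed_record(), 7)      # record as first written to disk
    restored, usn = parse_fixups(first)
    rewritten = write_fixups(restored, usn + 1)        # the same record after a file action
    print("USN before/after rewrite:", usn, parse_fixups(rewritten)[1])
```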

  • Adam Harrison at 1234n6 walks through the process of rebuilding a hardware RAID in EnCase 7/8. As a side note, Adam wrote this post so that he could refer back to it at a later date, but publishing it online means that we all benefit too!
    Rebuilding Hardware Raid in EnCase 7/8

  • hsiF_cisneroF noticed that FTK and EnCase were unable to deal with a recent BitLockered Win10 image and asked to pass along the message to the community. Apparently, Axiom copes with the image just fine. My suggestion for when an encryption type isn’t supported is generally to find a way to mount it as a physical disk and then add it to the case that way. Independently, this is what was tried, with Arsenal Image Mounter being utilised to assist in decrypting the image.
    Check out @hsiF_cisneroF’s Tweet

THREAT INTELLIGENCE/HUNTING

  • Adam at Hexacorn shows a (failed) persistence technique that utilises the alg.exe process. Adam explains that it’s being included for completeness but has been unable to exploit it to load custom code.
    Beyond good ol’ Run key, Part 71

  • Martin Lee and Vanja Svajcer at Cisco’s Talos blog “review some of the findings created by investigating the most frequently triggered Snort signatures as reported by Cisco Meraki systems and included in the Snort default policy set.”
    2017 in Snort Signatures.

UPCOMING WEBINARS/CONFERENCES

  • “On the 6th, 7th and 8th February 2018, MD5 will be holding a series of hour-long webinars, offering customers the opportunity to see all features of VFC – new and old – demonstrated and explained live.” To register for a session, you can put your details in here.

  • Brian Hill at Oxygen Forensics will be hosting a 1-hour webinar on the future of training at Oxygen, the new features since v10, and the search functionality. The webinar will take place Thursday, February 8th, 2018 at 10 am Central Standard Time.
    Oxygen Forensics, Inc Webinar Series Kick Off!

PRESENTATIONS/PODCASTS

  • The first Brakeing Down Incident Response podcast was posted. Michael and Brian hosted Dave Cowen and Tyler Hudak. They also mentioned my site as a pick of the week, so thanks! Also, props for the full show notes; not many people do them.
    BDIR-000 ; The Beginning

  • On this week’s Digital Forensic Survival Podcast, Michael covered some of the information that can be obtained from examining the Internet Explorer internet history primarily relating to local file system access.
    DFSP # 102 – B2B Windows Explorer

  • Wyatt Roersma live streamed some malware analysis a few times this week.
    vTriple – Twitch

MALWARE

  • Ivona Alexandra Chili and Bogdan Botezatu at Bitdefender Labs share a whitepaper on Operation PZChao, including the “attack chain, the infrastructure used by the threat actors, the malware subdomains they control and the payloads delivered on the targeted systems, as well as other telltale signs about a possible return of the Iron Tiger APT.”
    Operation PZChao: a possible return of the Iron Tiger APT

  • Hasherezade has also created a small crack-me challenge with Grant Willcox. The first to complete the challenge will win a book of their choosing, and the best writeup after the competition will also win a book.
    White Rabbit crackme!

  • Kyle Hanslovan at Huntress Labs shares the Huntress ThreatOps team’s analysis of payloads dropped due to “a vulnerability in Kaseya’s VSA product”.
    Deep Dive: Kaseya VSA Mining Payload

MISCELLANEOUS

  • Brett Shavers comments on conferences offering free attendance and “exposure dollars” to present. This post is reminiscent of a post by the previous DFIR Guy at DFIR.Training; it does make sense when you think about it, but I do think that it depends on your profile as a speaker or researcher. That being said, if they ask you to come and speak then, yeah, they should be footing the bill.
    How many exposure dollars do you need to buy a cup of coffee?

  • Christa Miller from Magnet Forensics wrote an article for Evidence Technology Magazine covering 5 challenges that examiners will face with regards to mobile device examination.
    5 Enduring Challenges of Mobile Forensics

  • Unfortunately, OpenText didn’t follow through with their promise of more information surrounding their ‘Forensic Artifact Research Program’.
    Check out @4n6k’s Tweet

SOFTWARE UPDATES

  • Plaso 20180127 has been released updating some parsers and plugins, as well as cleanups and bug fixes.
    Plaso 20180127 released

  • Eric Zimmerman updated LECmd to version 0.9.8, PECmd to version 0.9.2.0, and TimelineExplorer to 0.6.2.

  • Evimetry was updated to r3.0.6 with a number of improvements and fixes.
    Release 3.0.6

  • ExifTool 10.78 (development release) was released, adding some new tags and fixing bugs.
    ExifTool 10.78

  • Maxim Suhanov has released v1.0.12 of his yarp tool.
    1.0.12

And that’s all for Week 5! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
