FORENSIC ANALYSIS
- There were a few posts by Cyber Forensicator this week
- They shared a link to Florian Roth’s APT simulator
APT Simulator
- They shared a thesis by Thomas Schreck titled “IT Security Incident Response: Current State, Emerging Problems, and New Approaches”
IT Security Incident Response: Current State, Emerging Problems, and New Approaches
- They shared a white paper by Digvijaysinh Rathod on Mac OSX forensics
Mac OS X Forensics
- They shared a paper by Nilay Mistry titled “volatile memory based forensic artifacts and analysis”
Nilay Mistry’s Research Papers
- There were a few articles shared by Digital Forensics Corp this week
- They shared an article on Cyberpunk about the nightware IR framework
Incident Response Forensic Framework Overview
- They shared an article on PowerShell logging
PowerShell Forensics
- They also shared a PowerShell cheatsheet
PowerShell Cheat Sheet
- Chirath De Alwis has posted an article on Forensic Focus regarding memory dump formats covering raw, crashdump, hibernation files, EWF and HBGary’s HPAK format. Another format worth mentioning is AFF4, which is used by the Google Rekall/winpmem suite.
Memory Dump Formats
- Stefan Bildhaeuser at my4n6 shows how to mount a BTRFS volume using Linux and then share it with your Windows machine via NFS. Once it is shared, an examiner can add the share to X-Ways for examination. You don’t get to see deleted files or file system metadata, but you can at least examine the content.
Using unsupported file systems in X-Ways Forensics
- SalvationData posted a few times this week
- They cover various locations for finding location data on mobile devices, and services that can be used to map this data.
[Case Study] Mobile Forensics: How to Extract Raw Data of GPS Location and Base Station on iOS/Android Devices
- They post a fairly generic method of extracting data from a feature phone
[Case Study] Mobile Forensics: Unlock Evidentiary Data Hidden in Feature Phones
- They also show how to decrypt WhatsApp communications
WhatsApp Forensics: Decryption of Encrypted Databases and Extraction of Deleted Messages on Non-Rooted Android Devices
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains the setupAPI.dev.log found on Windows Vista+ systems and how to parse it
USB Devices in Windows Forensic Analysis
THREAT INTELLIGENCE/HUNTING
- Matt Suiche at Comae Technologies advises that a recent update to SwishDbgExt allows examiners to use “Yara rules to hunt process in memory”
YARA scans in WinDbg
- Adam at Hexacorn shows how to use a URL file as a file execution mechanism associated with a hotkey
Beyond good ol’ Run key, Part 72
- Mark Simos at Microsoft Secure explains last year’s NotPetya attack
Overview of Petya, a rapid cyberattack
- Quentin Jerome at RawSec introduces an engine “designed to match signatures in Windows events.”
Go Evtx SigNature Engine
- SANS have shared the results of the 2018 cyber threat intelligence survey written by Dave Shackleford
CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey
UPCOMING WEBINARS/CONFERENCES
- Scott Lorenz and Shahar Tal will be hosting a webinar for Cellebrite on how the “Emergency Download mode (EDL) capability can provide you with forensically-sound access to extract physical data from devices”. The webinar will take place February 21, 2018 at 10AM New York (3PM London/4PM Belgium)
Access mobile device evidence faster using Emergency Download (EDL) mode
- The CFP for the 11th International Workshop on Digital Forensics has opened, and will close April 30, 2018. The workshop is “to be held in conjunction with ARES 2018, August 27 – August 30, 2018 in Hamburg, Germany”.
[CFP] 11th International Workshop on Digital Forensics
- Magnet Forensics will be hosting a webinar on “[recovering] cloud-based data and [performing] forensically sound Office 365 investigations”. The webinar will take place on Wednesday, February 28 – 9:00AM Eastern Standard Time (New York, GMT-05:00)
Forensics in the Cloud: How to conduct an Office 365 investigation
- Magnet Forensics have announced details of this year’s Magnet User Summits, including one in Las Vegas which I’m aiming to attend.
Now Open—Register for the Magnet User Summit Series//2018!
PRESENTATIONS/PODCASTS
- Bart Parys at Blaze’s Security Blog shared his slides for a presentation he gave “introducing the concepts of Malware Analysis, Threat Intelligence and Reverse Engineering.”
Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides
- Joshua James at DFIR.Science has uploaded a few videos this week
- Magnet Forensics posted a number of videos about performing various activities in Axiom and using Griffeye
- Erik Hjelmvik at Netresec presents the “analysis of a PCAP file containing network traffic from the “Zyklon H.T.T.P.” malware.”
Zyklon Malware Network Forensics Video Tutorial
- OALab have posted a video showing “how to unpack a Themida 2.x 64bit PE file [by demonstrating] how a bad architecture decision to use process injection (runpe) made it easy to dump the unpacked PE.”
Unpacking Themida 2.x 64bit … Without Actually Unpacking – REDUX!
- On this week’s Digital Forensic Survival Podcast, Michael covers Windows USB forensics
DFSP # 103 – B2B USB Forensics
- Wyatt Roersma live streamed some malware analysis a few times this week
vTriple – Twitch
MALWARE
- Xavier Mertens at /dev/random shares a module that he wrote “to interconnect the malware analysis framework Viper and the malware analysis platform A1000 from ReversingLabs.”
Viper and ReversingLabs A1000 Integration
- There were a couple of posts on the Check Point Research blog this week
- Mark Lechtik examines the DorkBot malware
DorkBot: An Investigation
- The team also shared details on “a new malvertising campaign leading to the Rig Exploit Kit. “
A New Rig Exploit Kit Campaign Dropping XMRig Miner
- Luis Rocha at ‘Count Upon Security’ provides a “brief overview about the PlugX builder, analyze and debug the malware installation and do a quick look at the C2 traffic”
Malware Analysis – PlugX
- Yasmine Ison of the Cylance Threat Guidance Team examines a sample of the Ursnif malware
Threat Spotlight: URSNIF Infostealer Malware
- John Bergbom at Forcepoint has written a whitepaper on the network-level communications of “the PeddleCheap module of this DanderSpritz framework”
New Whitepaper – DanderSpritz/PeddleCheap Traffic Analysis (Part 1 of 2)
- Eric Chong at Fortinet shows a number of websites that have been infected with Coin Miner JavaScript
The Growing Trend of Coin Miner JavaScript Infection
- Jay Rosenberg at Intezer provides some information about a new sample of the Hermes ransomware and shows code-reuse between a previous version
Yet Another Distraction? A New Version of North Korean Ransomware Hermes Has Emerged
- There were a couple of posts on the Malwarebytes Labs blog this week
- Jérôme Segura examines a recent attack where “threat actors used a decoy Microsoft Excel document to lure their intended target (some South Korea users) in order to infect them with a remote administration tool named ROKRAT”
New Flash Player zero-day comes inside Office document
- Thomas Reed examines a new Mac cryptominer
New Mac cryptominer has 23 older variants
- Ashwin Vamshi at Netskope explains “a new malware named “ShortJSRAT” which uses a Windows script component scriptlet file with a .sct extension”
ShortJSRAT leverages cloud with scriptlets
- Patrick Wardle at Objective-See analyses the OSX/CreativeUpdater malware
Analyzing OSX/CreativeUpdater
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
- Didier Stevens examines a malicious HTA file
Analyzing an HTA file: Update, (Mon, Feb 5th)
- Didier also takes a look at a maldoc that was downloaded through a malicious link in a PDF
An autograph from the Dridex gang, (Fri, Feb 9th)
- Brad Duncan takes a look at some malspam distributing the GandCrab ransomware
GandCrab Ransomware: Now Coming From Malspam, (Wed, Feb 7th)
- Brad also looks at some malspam pushing Loki-bot
3 examples of malspam pushing Loki-Bot malware, (Tue, Feb 6th)
- Paul Rascagneres at Cisco’s Talos blog analyses some malware associated with targeted attacks in the Middle East
Targeted Attacks In The Middle East
- Martin Co and Gilbert Sison at TrendLabs examine a recent attack utilising the Windows Installer service to distribute Loki-bot
Attack Using Windows Installer msiexec.exe leads to LokiBot
- Martijn Grooten at Virus Bulletin shares a paper by Fortinet researchers Bahare Sabouri and He Xu on the Andromeda “malware, its anti-analysis tricks, its C&C traffic, and how it has evolved over the years.”
New paper: A review of the evolution of Andromeda over the years
- VMRay recaps their malware analysis reports for January
VMRay Malware Analysis Report Recap – January 2018
- Zerophage Malware examines the infection chain of the GrandSoft EK that drops a Leviarcoin miner
GrandSoft EK via Slots drops Leviarcoin Miner
MISCELLANEOUS
- Jim Hoerricks at Amped shares a couple of use cases for a feature in DVRConv that allows examiners to split audio and video channels.
Amped DVRConv for transcription?
- Chris Sanders has posted the complete Cuckoo’s Egg online course on his website.
The Complete Cuckoo’s Egg Online Course Available for Free
- Didier Stevens updated his hash Python script to v0.0.2 to add the option to recurse directories.
Update: hash.py Version 0.0.2
- DME Forensics have a post explaining how to use the DVR Examiner Updater to obtain their latest file system parsers.
Introducing the DVR Examiner Updater
- Forensic Focus posted a couple of interviews this week
- They interviewed Barbara Guttman about her work at NIST and the Federated Testing Project
Interview With Barbara Guttman, Software Quality Group Manager, NIST
- They also interviewed Harlan Carvey about his work at Nuix and incident response
Interview With Harlan Carvey, Director Of Intelligence Integration, Nuix
- Magnet Forensics provided an overview of the white papers that they released last year
Magnet Forensics’ 2017 White Papers: A Retrospective
- Shelly Giesbrecht at Nerdiosity explains the benefits of tabletop exercises to test your IR plan
Tabletops Aren’t Just For Eating Dinner On
SOFTWARE UPDATES
- Eric Zimmerman has released SDB Explorer, which “is a GUI program that allows for interacting with Microsoft Shim databases”
Introducing SDB Explorer
- Cyber Triage was updated to version 2.1.10, adding Splunk integration.
Integrate with Splunk for Faster Alert Triage
- “Elcomsoft Phone Breaker receives an update [v8.2], adding the ability to extract several types of iOS synced data from the user’s iCloud account.” Oleg Afonin provides additional context about the update.
Elcomsoft Phone Breaker 8.20 Extracts More Evidence from iCloud
- Mobiledit Forensic Express 5.1 was released, improving its phone unlock capabilities, as well as adding other new features
Forensic Express 5.1 Released
- Denis O’Brien at “Malware Analysis: The Final Frontier” has released an update for IRIS-H, adding support for zip files
IRIS-H (alpha): Added ZIP files support
- X-Ways Forensics released a number of updates to previous and current versions of the software
And that’s all for Week 6! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!