FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog utilises Teru Yamazaki’s USN parsing utility to identify deleted files and folders in the journal
USN Analytics と Folder
- Arsenal Consulting has shared a couple of articles (one was from last week and I missed it, sorry!)
  - They have put together an infographic on the Windows hibernation file and the additional useful data their Hibernation Recon tool can extract from it.
  Windows Hibernation Infographic
  - Lodrina Cherne explains a recent case study where they were required to carve and repair a video from a dashcam that didn’t finalise and was therefore unplayable.
  Case Study in Successful Dash Cam Video Repair
- Scott Vaughan at Berla shares details of the newly released iOS version of the iVe Mobile app
iVe Mobile Updated, Now on iOS
- The guys at Cyber Forensicator posted a few times this week
  - They shared a MacOS IR toolkit written by Joey Pistone called Transit
  Transit: a MacOS IR toolkit
  - They shared details of Harlan Carvey’s new book, “Investigating Windows Systems”
  Investigating Windows Systems
  - They shared a MacOS log viewer created by Howard Oakley called Consolation
  Consolation – a log browser for macOS Sierra and High Sierra
  - They shared a paper by Dr. Digvijaysinh Rathod from the International Journal of Emerging Trends & Technology in Computer Science titled “Darknet Forensics”
  Darknet Forensics
  - They shared details of the recently released book by Joseph Muniz and Aamir Lakhani titled “Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer”
  Investigating the Cyber Breach has been released
- There were a few posts on Digital Forensics Corp this week
  - They shared an article by Jules Pagna Disso on examining phishing emails
  How to analyze fake emails
  - They shared a presentation by Nikhil Mittal on analysing attackers’ use of PowerShell
  Analyzing an attack with powershell
  - They shared a tool called LaZagne which can be used to decrypt user passwords
  LaZagne Overview
  - They shared an article by @sudosev at AlienVault on building a home malware analysis lab
  Building a Malware Analysis Lab
- Matthew Shannon at F-Response provides a method of allowing F-Response access to the raw disk of a High Sierra volume by disabling System Integrity Protection (SIP).
Live Forensics and High Sierra (Apple OSX High Sierra and SIP)
- Forensic Focus posted an article by Roman Morozov at AceLab explaining why SSDs cease to function and providing “a method to access the data on devices that have ceased to function”
Techno Mode – The Fastest Way To Access Digital Evidence On Damaged SSDs
- Brad Schatz at Schatz Forensic explains the new feature in Evimetry to create “Deadboot USB’s directly from the Controller” and shows the improvements made to the imager GUI.
Simple Deadboot provisioning and acquisition with Evimetry
- Patrick Bell at Practical Forensics walks through brute forcing “LUK volumes using hashcat.”
Cracking Linux Full Disk Encryption (LUKS) with hashcat – The Forensic way!
- Nick Raedts describes TrueCrypt and VeraCrypt and then shares a few methods of identifying TC/VC encrypted containers on a drive.
Detect TrueCrypt and Veracrypt volumes
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares the commands that he runs to generate a filesystem and super timeline
Forensic Timeline Creation: my own workflow
- Kyle Bubp examines a phishing email sent to obtain a user’s O365 credentials
Analyzing Malicious Emails
- TM4n6 shows how to manually carve files in Linux.
Manual Data Carving on Linux
- Miketxus at ‘Follow the White Rabbit’ presents a Star Wars themed threat hunting scenario, walking through the memory and hard drive acquisition process followed by some quick triage in Redline – even without that high MRI score, that first svchost stands out quite well.
Rogue APT: A Story of #DFIR – Episode 1
THREAT INTELLIGENCE/HUNTING
- Brian Gladstein at Carbon Black explains that logging endpoint data is critical to identifying TTPs
Unfiltered Endpoint Data: Building Better Detection
- Similarly, Amit Sharma at Cyberbit talks about endpoint data, but stresses the need for big data tooling to handle the volume: “using big data technology to cope with such substantial amounts of data allows us to quickly perform risk scoring, graph analysis, time series analysis and determine causal relationships between entities to assess alerts and determine if they are suspicious or benign.”
Using Big Data for Threat Detection
- Chris Magistrado at real0day has written a tutorial for writing YARA rules
Tutorial: Creating Yara Rules for Malware Detection
- Iran Threats have published their “working notes about various incidents and threat actors” regarding the Flying Kitten group
Flying Kitten: From Defacements To Industrial Espionage
- Jordan Potti shows how to combine ELK, OSQuery and Kolide to perform threat hunting on Mac and Linux hosts.
Elk + Osquery + Kolide Fleet = Love
- Erik Hjelmvik at Netresec shares a video showing how to scan a PCAP for malware
Antivirus Scanning of a PCAP File
UPCOMING WEBINARS/CONFERENCES
- SalvationData will be hosting a webinar on decrypting and recovering WhatsApp data on non-rooted smartphones along with releasing a free tool. The webinar will take place on Wed, Mar 7, 2018 9:00 AM – 10:00 AM GMT.
WhatsApp Forensics Free Tool Release Webinar
- Jason Jordaan will be hosting a webinar for SANS to “help the first time or inexperienced witness to understand some of the core legal concepts you will need to be familiar with, understand how to effectively interact with lawyers, and the duties and responsibilities you have as a witness.” The webinar will be run Tuesday, February 27th, 2018 at 3:30 PM EST (20:30:00 UTC).
Webcast 2: Working With The Lawyers
- SANS released the agenda for the upcoming DFIR Summit in June.
SANS DFIR Summit Agenda
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSides Tampa 2018
- Dave and Matthew hosted Dr Joe Sylve and Ashley Hernandez from Blackbag Technologies to talk about the latest updates from Blackbag including their recent Macquisition and Blacklight releases, as well as APFS and FSEvents. They will also be running another broadcast next week at a time I’ll be awake for, so hopefully I can watch live! Happy days.
Forensic Lunch: 2/16/18
- Arizona HTCIA shared out three presentations put on by Jessica Hyde from Magnet Forensics (1, 2, and 3)
- Nuix uploaded a couple of videos this week
  - “Alex Chatzistamatis takes you through an introduction to Nuix Web Review & Analytics, focusing on the software’s collaborative aspects for eDiscovery teams, legal reviewers, and investigators.”
  Introduction to Collaboration in Nuix Web Review & Analytics
  - Corey Tomlinson explains the new RegRipper extension for their Workstation product.
  RegRipper Extension for Nuix Workstation
- On this week’s Digital Forensic Survival Podcast, Michael revisited the UserAssist artefact
DFSP # 104 – UserAssist Forensics
- Richard Davis has uploaded a video regarding the Windows Remote Desktop Protocol (RDP) Cache
RDP Cache Forensics
- Wyatt Roersma live streamed some random DFIR things a few times this week
vTriple – Twitch
MALWARE
- Sean Sabo at Arbor Networks provides details of a new sample of the Gh0st malware utilised in the Musical Chairs campaign, as well as a new domain that has been “associated with the corresponding actor.”
Musical Chairs Playing Tetris
- Ming Loh at Countercept shows how to compile and decompile Python scripts
How To Decompile Any Python Binary
- Amanda Rousseau, Devon Kerr, and Lucien Brule analyse the Olympic Destroyer malware.
Stopping Olympic Destroyer: New Process Injection Insights
- John Bergbom at Forcepoint shares details of the “network-level evasions used related to DoublePulsar and DanderSpritz”
Evasions used by The Shadow Brokers’ Tools DanderSpritz and DoublePulsar (Part 2 of 2)
- Xiaopeng Zhang at Fortinet examines a new variant of jRAT
New jRAT/Adwind Variant Being Spread With Package Delivery Scam
- Jay Rosenberg at Intezer compares the code in the Olympic Destroyer malware with code used by various APT groups that have Chinese links. “This is not a definitive statement whatsoever of whether China is behind the attacks or not, but when deeply analyzing the code, there are several unique links to Chinese threat actors”. Robert M. Lee from Dragos disagreed with this assessment and suggested that it was “very poorly done and knee-jerk reaction attribution speculation benefits no one”.
2018 Winter Cyber Olympics: Code Similarities with Cyber Attacks in Pyeongchang
- Stefano Ortolani at Lastline Labs examines a cryptominer located on various public sector websites.
Trust Me, I am a Screen Reader, not a CryptoMiner
- Gleb Malygin at Malwarebytes Labs examines a malicious Android app, Swift Cleaner, written in the Kotlin programming language.
Kotlin-based malicious apps penetrate Google market
- Ryan Sherstobitoff at McAfee Labs examines some malware distributed as part of the HaoBao campaign by the Lazarus group
Lazarus Resurfaces, Targets Global Banks and Bitcoin Users
- Sergei Frankoff at OA Labs shows how to patch a binary with a hex editor
Quick And Dirty Binary Patching With A Hex Editor
- R3mrum looks at “one of GootKit’s anti-analysis methods and use what is learned to identify the true executable names that are associated with the precalculated hashes defined by the malware author.”
String Hashing: Reverse Engineering an Anti-Analysis Control
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
  - Didier Stevens shows “how to detect Word documents with signed VBA code”
  Finding VBA signatures in Word documents, (Sun, Feb 11th)
  - Didier also examines a “malicious RTF file with several stages (PowerShell commands), containing Gzip compressed shellcode.”
  Analyzing compressed shellcode, (Mon, Feb 12th)
  - Xavier Mertens shows how to examine malicious MSI files
  Malware Delivered via Windows Installer Files, (Sat, Feb 17th)
- Warren Mercer and Paul Rascagneres at Cisco’s Talos blog provide some information about a recent attack against the computer systems involved in the current Winter Olympic games
Olympic Destroyer Takes Aim At Winter Olympics
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ lists a variety of malware hiding and evasion techniques that are in use “to hide malicious files from automated threat analysis system and antivirus systems”
Malware hiding and evasion techniques
- Homer Pacag at Trustwave SpiderLabs examines a maldoc that distributes password stealing malware
Multi-Stage Email Word Attack without Macros
- Veo Zhang, Jason Gu, and Seven Shen at TrendLabs describe a new variant of ‘Android Remote Access Tool (AndroRAT)’ and share some IoCs
New AndroRAT Exploits Dated Permanent Rooting Vulnerability, Allows Privilege Escalation
MISCELLANEOUS
- Brett Shavers has released another DFIR case study.
DFIR Case Studies #7
- Brett Shavers at DFIR.Training has posted a few times this week
  - Brett advises using the right tool for the job rather than just the tool you’ve got in front of you – thankfully a lot of the good tools are free or open source. That being said, if someone is looking for a project, you can always write up tool parsing comparisons (for example, like Mari did a few years ago).
  Stop forcing the square #DFIR peg into the round hole.
  - A classified ads page has been added to the site to help connect people that are trying to get rid of gear.
  DFIR Classified Ads
  - A compilation of keyword lists has also been added, and Brett comments on the effectiveness of using lists like these in an investigation.
  Keyword Lists. Lazy way or good technique?
- The Digital Forensic Compass launched this week. Currently, the website compiles supported device lists from a number of hardware- and software-based tools, mainly for mobile devices. This looks like a great database for assisting examiners that are tasked with obtaining data, particularly from devices that aren’t necessarily supported by the big players or aren’t Android/iOS. I can see the project expanding to include additional information such as pin-outs for JTAG/ISP and walkthroughs for complicated extraction methods if people would like to share them.
Digital Forensic Compass
- There were a few posts on Forensic Focus this week
  - They reviewed Mobiledit Forensic Express
  Review Of MOBILedit Forensic Express From Compelson
  - They interviewed Dr Jasmin Cosic about his work on the Digital Evidence Management Framework
  Interview With Dr Jasmin Cosic, Associate Professor And Researcher
  - They shared details of a new solution by AccessData called Quin-C
  AccessData Introduces Quin-C, Next-Gen Solution For Digital Investigations
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog shares his commitments for the year with regards to the Forensic Lunch and his SANS FOR500 classes.
2018 Updates and Teaching SANS Windows Forensics FOR500 in Singapore
- Jamie McQuaid at Magnet Forensics comments on the various methods that are available to acquire mobile devices, mainly from the perspective that a device support list should not dictate whether an examiner says “it can’t be done” and stops there. An examiner’s role when acquiring data from a mobile device may change, and often they will be tasked with obtaining data from new, password-protected or otherwise unsupported devices. Combining chipset-based physical extractions with logical and file system OS-based backup/extraction options is a good way of getting by for “unsupported” phones. Examiners shouldn’t be relying solely on the support list of a single tool when acquiring data, as often there are many different methods and some might get you the data more easily than others.
Device Agnostic Mobile Acquisition – Who Needs Model Numbers?
- Microsystemation shared an article from the February edition of Digital Forensics Magazine by Joel Bollo and David Kovar regarding drone forensics
Investigators face new forensic challenges and opportunities with growing use of UAVs
- Daan Raman at Nviso Labs shows how to use data visualisation to assist in improving understanding of captured network traffic
Going beyond Wireshark: experiments in visualising network traffic
SOFTWARE UPDATES
- Blackbag Technologies have released BlackLight 2018 R1. In the post, Julie Urban explains how to use Macquisition in combination with Blacklight to examine APFS images. I haven’t played around with the update but apparently it will decrypt FileVault 2 images within the program itself (rather than pushing it out to MacOS), which means that you will be able to open these images on the Windows version of Blacklight as well, which is very useful. Julie also explains that you can use the logical container option to extract the files into a sparse image for examination (which I think a number of tools support). I’d still recommend getting a physical image of disk0 if you can, because then you can boot that to an external hard drive (which is good for visualisation).
End-To-End Solution For APFS Now Available
- Didier Stevens updated a few of his tools
- Evimetry v3.0.7 has been released, fixing a few bugs.
Release 3.0.7
- Evimetry v3.1.5 (unstable) has also been released, which provides updates to the deadboot imager.
Release 3.1.5-UNSTABLE
- ExifTool was updated to version 10.79, adding new tags and bug fixes
ExifTool 10.79
- Teru Yamazaki at Forensicist shares the latest NSRLJP hashset
NSRLJP_201802
- Katana Forensics updated Lantern Triage to version 1.1802.120, adding in the ability to map locations from call detail records
- MobilEdit Forensic Express 5.1.1 was released, fixing some bugs and making some minor improvements.
Forensic Express 5.1.1 released
- Sanderson Forensics has updated a couple of its tools this week
- Encase Forensic 8.06 has been released with various improvements. Unfortunately, their website makes it a little cumbersome to find details of the release, or any notification that it came out; but I found it elsewhere to share out.
Encase Forensic 8.06
- Tableau have updated the TFU to v7.22 to update the TX1 Imager to version 1.2. This appears to be a very large update with new features, enhancements, and bug fixes.
Tableau Firmware Update Revision History for v7.22
- Maxim Suhanov released yarp v1.0.13.
1.0.13
And that’s all for Week 7! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!