I’ve been told I need to promote the Patreon link. It’s here if you’re interested 🙂
FORENSIC ANALYSIS
- Kasasagi at ‘Apprentice forensic’s note’ has identified the ‘bam’ key in the Windows registry that stores the full path of an executable and the last execution time. It is indicated that this is only written when the computer is shut down, so checking the registry on a live system may not be accurate (without parsing memory).
About bam key (execution trace?) (Last update: 2018/02/23 02:23)
- Hideaki Ihara at the Port 139 blog looks at verifying some of the data found in the ‘bam’ key.
bam key と Program execution
- Zak Thoreson at ‘Aqueous Analytics’ shares an incident response process for dealing with VMWare incidents.
VMWare Incident Response: A Process
- The guys at Cyber Forensicator shared a few articles this week
  - They shared a tool called PcapXray which can be used “to visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction”
  Visualize Packet Captures with PcapXray
  - They shared a paper by Mohd Najwadi Yusoff, Ali Dehghantanha, and Ramlan Mahmod titled “Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter and Telegram as Case Studies”
  Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter and Telegram as Case Studies
  - They shared a “collection of PowerShell scripts by Tony Phipps” called “Threat Hunting Reconnaissance Toolkit or THRecon”
  Threat Hunting Reconnaissance Toolkit
- Mikeltxus at Follow The White Rabbit continues his Star Wars themed DFIR case study, looking further into memory, file system, network, and Windows artefacts.
Rogue APT: Una historia de #DFIR – Episodio 2
- Mark Lohrum at ‘Free Android Forensics’ walks through reversing a basic Android app. Also, congrats on the pending little one!
Deep dive into an app
- Matthew Green shares his research into “Background Intelligent Transfer Service (BITS) [which] is a Windows component used to transfer files asynchronously between a client and a server.”
Sharing my BITS
- Jonathon Poling at ‘Ponder The Bits’ has compiled some information about “RDP-related Windows Event Log ID’s/entries for tracking and investigating RDP usage on a Windows Vista+ endpoint”
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation
- The SANS InfoSec Reading Room shared a couple of whitepapers this week
  - They shared Chuck DiRaimondi’s paper on Lockheed Martin’s Laika BOSS “file-centric recursive object scanning framework”
  Automating Static File Analysis and Metadata Collection Using Laika BOSS
  - They shared Sebastien Godin’s paper on features found within Win10 and WinServer2016 that can be utilised for endpoint detection and response, to augment or replace existing third-party EDR tools.
  Using Windows 10 and Windows Server 2016 to create an Endpoint Detection and Response solution
  - They shared a paper by Michael C Long II titled “Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity”
  Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shows how to boot a computer using a Linux boot disk and take a forensic image over a network using dd and netcat. If you would like to include verification information, a number of the forensic distros have ewftools installed.
Forensic disk acquisition over the network
- There were a couple of posts by the students at Champlain College
  - The first introduces a project to look into “Pick Up Where I Left Off”, which is a feature coming to Win10 in the near future. This feature is meant to be a “cross-platform version of Apple’s Handoff and Auto Resume features”
  Windows Fall Creator Introduction
  - The second project relates to examining a large number of popular apps across Android, iOS, and Windows Phones. I’m never sure if it’s good to include Windows Phone in these projects; on one hand, they’re very rarely seen, and on the other, they’re a pain because there’s little research on them because they’re so rarely seen.
  Mobile Device Forensics Update 1
THREAT INTELLIGENCE/HUNTING
- Matt Suiche at Comae Technologies explains a method of periodically obtaining memory images from critical systems within an organisation and analysing them with their Stardust tool.
Rethinking Logging for Critical Assets
- Gayle Kennedy at Countercept explains how they have had more success with behaviour-based detection than signature-based detection for threat hunting.
How Do We Detect Signature-Less Attacks?
- Joe Slowik at Dragos expressed similar sentiments (in many, many more words): “developing an understanding of network security events through a behavioral perspective rather than a single observation point (atomic IOC view) ensures analysts are better positioned to understand and respond to malicious events as they are identified.”
Threat Analytics and Activity Groups
- Russ McRee at HolisticInfoSec shared a post last week that I missed, HELK vs APTSimulator, in which he runs APTSimulator and then does a “fast run-through with HELK’s Kibana Discover option looking for the above mentioned APTSimulator activities”
toolsmith #131 – The HELK vs APTSimulator – Part 1
- Moti Bani at Windows Security shows how to detect kerberoasting activity in the Azure Security Centre
Detecting Kerberoasting activity using Azure Security Center
- Ben Downing at Red Canary explains how to use “entropy in threat hunting to help identify adversarial behavior”
Using Entropy in Threat Hunting: a Mathematical Search for the Unknown
- Kaspersky’s GReAT team share details of the activities performed by the Sofacy threat group in 2017.
A Slice of 2017 Sofacy Activity
- Henrik Johansen shares details of HashiCorp’s Nomad, which is “a very fast and secure cluster scheduling system [and has been looking into it to see] how such a system might be applicable to the field of Information Security.” This can be used, for example, to schedule memory dumps or run YARA rules in your threat hunting operations.
Cluster scheduling systems for large scale Security Operations
UPCOMING WEBINARS/CONFERENCES
- Rey Navarro at Griffeye will be hosting a webinar on 16th March 2018 at 9am EST (15:00 CET) on visual media investigations.
Griffeye 101: A Crash Course In Visual Media Investigations
- Jad Saliba at Magnet Forensics shares a video of the Magnet User Summit, which will take place in a number of cities across Europe and the US this year. (I’m aiming to attend the Las Vegas one if all goes to plan!)
Magnet User Summit // 2018
- SANS have uploaded a brief video for the DFIR Summit (where I will be speaking on some research into Google Home) emulating the Stranger Things title sequence.
DFIR THINGS
- Stephen Mathezer and Kevin Ripa will be hosting a SANS webinar on March 1st, 2018 at 3:30 PM EST (20:30:00 UTC) on bringing value during a pentest, as well as deep-dive forensics – I’m not sure if this is going to be about file carving or parsing artefacts though.
Check out @sansforensics’s Tweet
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSides NOVA 2018
- John Strand at Black Hills Information Security has uploaded a presentation on network threat hunting
WEBCAST: Tales from the Network Threat Hunting Trenches
- Cysinfo have uploaded a few of the presentations from their 12th meetup
- Dave and Matthew ran a Forensic Breakfast instead this week, to allow us Australians to watch at a more reasonable time. Dave asked me to come on to talk about my work on this blog, including the podcast and Patreon, and also my movements at a few conferences in May and June. Afterwards, Brad Schatz spoke about his recent updates to Evimetry; in particular, the new deadboot agent. Something I forgot to mention regarding how I find things: the TL;DR is that I check a number of sources weekly, and try to find what people share out across various platforms. If you have RSS, great; if you don’t, it goes on a list which I check before the post goes out. What’s been happening more recently is people are telling me prior to their release or letting me know if I missed something (which is great, because I do miss things). Really the only things I don’t share are marketing things or stuff that’s been reshared multiple times. I’d much prefer someone asks why I missed something, since chances are it was just overlooked (or IFTTT didn’t run properly, which has happened recently). Overall, the best thing from my perspective is if you’re starting something new or sharing out something you want the DFIR community to know about, let me know and I’ll get it out there. After all, if I can’t find it, there’s a good chance many others can’t either.
Forensic Lunch: 2/23/18
- Erik Hjelmvik at Netresec has uploaded a video tutorial covering “how to analyze SPAM email traffic from the Kelihos botnet”
Analyzing Kelihos SPAM in CapLoader and NetworkMiner
- OALabs have uploaded a video showing how to “use x64dbg to unpack a new Emotet / Geodo malware (Stage 1)”
Unpacking Emotet / Geodo (Stage 1) Using x64dbg – Subscriber Request
- Paraben Corporation uploaded a few videos this week
- On this week’s Digital Forensic Survival Podcast, Michael interviewed a mobile forensics examiner, Robert, about his work in data extraction relating to JTAG and ISP.
DFSP # 105 – from Zero to JTAG
- Robert M Lee talks about the updates to the Cyber Threat Intelligence course (FOR578) as well as the new GCTI certification.
Why and How to Take the GCTI The Industry’s Cyber Threat Intelligence Certification
- On Talino Talk, Steve and Jason talk about the recent changes to Talino and Sumuri and how that will affect things going forward.
TALINO Talk ep12
- Alan Orlikoski shared out his recent presentation to the Alamo ISSA regarding CCF-VM, installing the GCP version, and discussing the possibilities and risks of automation.
Check out @AlanOrlikoski’s Tweet
- Wyatt Roersma live streamed some random DFIR things a few times this week
vTriple – Twitch
MALWARE
- The guys at Joe Security examine a sample of the Elise malware.
Latest Elise APT comes packed with Sandbox Evasions
- The Check Point research team explain how the “JenkinsMiner Campaign Works”. The JenkinsMiner “could potentially become one of the biggest malicious mining operations ever seen.”
Jenkins Miner: One of the Biggest Mining Operations Ever Discovered
- Andrey Shalnev at F5 provides additional details regarding the JenkinsMiner campaign
XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monero
- Winston M at Cysinfo examines some malspam that distributes the AzorUlt 2 Spyware
AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document
- Gilad Yehudai and Nadav Avital at Incapsula examine some attacks that distributed crypto-mining malware
New Research: Crypto-mining Drives Almost 90% of All Remote Code Execution Attacks
- Alexander Sevtsov and Stefano Ortolani at Lastline Labs examine a sample of the Olympic Destroyer malware
Olympic Destroyer: A new Candidate in South Korea
- Malware Breakdown examines an infection of the Ramnit trojan by the RIG EK
Seamless Campaign Uses RIG EK to Deliver Ramnit
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Vasilios Hioureas shares an “introductory primer on encryption mechanisms and how they are exploited for malicious purposes.”
  Encryption 101: a malware analyst’s primer
  - Hasherezade takes a look at the Avzhan DDoS bot and compares it to a previous sample.
  Avzhan DDoS bot dropped by Chinese drive-by attack
- Roy Moshailov at Morphisec analyses a GandCrab ransomware sample
Threat Profile: GandCrab Ransomware
- Bryan Lee and Robert Falcone at Palo Alto Networks examine a recent attack by the OilRig group involving “a variant of the ThreeDollars delivery document” as well as another attack involving a new trojan, OopsIE.
OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Didier Stevens shows how to use his tools to examine MSI files
  Analyzing MSI files, (Mon, Feb 19th)
  - Didier also shows how to find VBA signatures in macro documents.
  Finding VBA signatures in .docm files, (Sun, Feb 18th)
  - Renato Marinho explains how he statically unpacked a payload from a Brazilian banking trojan.
  Statically Unpacking a Brazilian Banker Malware, (Tue, Feb 20th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares details of an online malware analysis sandbox called “any.run”
ANY.RUN, a new tool for online malware analysis
- Dr. Fahim Abbasi at Trustwave SpiderLabs examines some malspam purporting to be from the Australian Securities and Investments Commission.
Fake ASIC Renewal Spam Delivers Malware to Australian Companies
- FireEye have released a report on APT37 (Reaper), a threat actor that is “working on behalf of the North Korean government”
APT37 (Reaper): The Overlooked North Korean Actor
- Vitali Kremez analyses “Ramnit’s hidden Virtual Network Computing (hVNC) remote control module focusing on its hidden desktop creation.”
Deeper Dive into Ramnit Banker “VNC IFSB” Remote Control Module
- Anastasios Pingios at ‘xorl %eax, %eax’ presents a “few common techniques used by phising kits authors to evade detection”
Threat Intelligence: Phising kits anti-detection
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ has started a series on DFIR life after working in LE. This post covers the decision to leave LE to join the private sector and things people should consider. My main takeaway is: “you should always be preparing for the next job even if you aren’t actively looking for the next job”; I’m quite happy where I am at the moment, but one of the reasons I started this blog was because it would force me to keep up with what’s going on around the industry (not just necessarily the stuff I deal with at work) so I was better prepared if I decided to move on. (If my employers are reading this, I’m not looking to move on, don’t worry :P)
Life After Law Enforcement: Do I Stay Or Do I Go?
- Brett Shavers wrote a couple of posts this week
  - The first expounds the benefits of writing clearly, for your intended audience. If you write your report and your audience doesn’t understand it, then it doesn’t really count.
  Making Ham Sandwiches in DFIR
  - Brett also talks about the difference in perspectives, from responder to user, regarding an incident in a workplace.
  Cyber Health
- Brett Shavers at DFIR.Training is looking for some advice about whether people would be interested in a sub-contracting listserv or directory.
DFIR Sub Work List?
- DME Forensics have shared details of the new tags feature in DVR Examiner.
DVR Examiner Feature Highlight: Tags
- Forensic Focus interviewed Nick Sharples from Nuix about his previous life “as a consultant to UK Law Enforcement” and his work going forward at Nuix
Interview With Nick Sharples, Senior Solutions Consultant, Nuix
- Pelle Garå at Griffeye expounds the benefits of incorporating various databases maintained and contributed to by groups as “powerful intelligence and investigative resources that let specialized investigators share data with colleagues”.
Using technology to get results
- Adam at Hexacorn has written a lengthy piece of advice for new SOC analysts to take on board when starting (although a lot of this advice can be applied across the board).
How to become the best SOC Analyst E-V-E-R
- Paul Kincaid at Malwarebytes Labs has started a series on building an effective incident response program in response to GDPR. This post outlines “some of the regulatory requirements documented in the GDPR”
How to build an incident response program: GDPR guidelines
- Vitaliy Mokosiy at Atola Technology provides a list of forensics conferences for 2018 and 2019 (including approximate prices where possible). Forensic Focus also shared a discount code for Techno Security (which I’ll be attending this year!)
Top forensic conferences 2018-2019
- Blackbag Technologies have changed the devices that they will be distributing Macquisition on. Macquisition will now come on a 120GB solid state drive, and is upgradable to 1TB. I wouldn’t rely on imaging to the 120GB drive, only because most Mac laptop models are minimum 256GB (only the Air comes with 128GB), and I wouldn’t want to rely on the compression; but for data collection and memory capture it’ll be great!
Macquisition’s New Device Sizes Provide Supersized Imaging
SOFTWARE UPDATES
- David Spreadborough explains some of the new features in Amped Authenticate (update 10641)
Amped Authenticate Update 10641: Social Media Identification, Griffeye Integration & Many New Filter Options
- The Sleuth Kit and Autopsy were updated this week with new features and bug fixes
- Didier Stevens updated a couple of his tools this week
- Elcomsoft released iOS Forensic Toolkit 3.0 which provides the ability to obtain a physical extraction from iOS 10 and 11 devices (that have been jailbroken), as well as a method of obtaining iOS shared files. Oleg Afonin explains how to jailbreak an iOS device running v10 or v11, and then perform a physical extraction. Vladimir Katalov explains how to extract iOS Shared Files using the toolkit.
Elcomsoft iOS Forensic Toolkit 3.0 Extracts Critical Evidence from iOS 10.x and iOS 11 Devices
- ExifTool 10.80 (production release) was released with some new features and enhancements.
ExifTool 10.80 (production release)
- UFED and UFED Physical Analyser 7.1 were released, adding bootloader physical extraction for a number of Qualcomm devices, and password bypass for a number of Samsung models, as well as other new features and updates
UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Reader 7.1 [February 2018]
- GetData released Forensic Explorer v4.1.2.7056 with some minor improvements.
24 Feb 2018 – 4.1.2.7056
- Hashcat 4.1.0 was released, including new algorithms, as well as a performance increase for common algorithms.
Hashcat 4.1.0
- “A new version of MISP 2.4.88 has been released including fuzzy hashing correlation (ssdeep), STIX 1.1 import functionality, various API improvements and many bug fixes”
MISP 2.4.88 released (aka sharing groups improvement, large information sharing communities support and more)
- “MOBILedit Forensic 9.3 [was released] with new Android recovery mode access, the Blackberry OS 10 Wi-Fi support, more SIM data processing, many new phones and added several other improvements.”
MOBILedit Forensic 9.3 Released
- Microsystemation released XRY 7.6.1, Kiosk 7.6.1 and Tablet 7.6.1, “adding support for almost 500 new mobile device profiles and app versions, plus new Android data extraction options.”
Released today: XRY 7.6.1, Kiosk 7.6.1 and Tablet 7.6.1
- Passmark released OSForensics v5.2.1005 with a variety of bug fixes.
V5.2.1005 – 22nd of February 2018
- OLETools was updated to v0.52, adding a “new tool msodde to detect and extract DDE links from MS Office files, RTF and CSV”, as well as other improvements and bug fixes.
2018-02-18 v0.52
- TZWorks released the February build of their tools with improvements to a number of tools regarding “USB Artifact Analysis”, as well as “bugs fixes and minor updates were made throughout the suite of tools not listed”
Feb 2018 build (package)
- X-Ways Forensic 19.5 SR-7 was released with bug fixes
X-Ways Forensic 19.5 SR-7
- X-Ways Forensic 19.6 Beta 1 was released with some improvements and features
X-Ways Forensic 19.6 Beta 1
- Maxim Suhanov released yarp v1.0.14.
1.0.14
And that’s all for Week 8! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!