Just a reminder that the nominations for the Forensic 4Cast awards are still open and if you haven’t already, head over here to submit your nominations. If you’d like to nominate this blog it would be very much appreciated 🙂
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog continues to look at the BAM key along with registry transaction logs.
Bam KeyとTransaction Log
- Mark Spencer at Arsenal Consulting shows how failing to incorporate the registry transaction logs can lead to incorrect conclusions, as “Registry updates may not be pushed from the hive transaction logs to active hives not for seconds, minutes, or hours – but days”.
Unique Windows Registry data in Fast Boot hibernation and hive transaction logs
- There were a few articles on Cyber Forensicator this week
  - They shared Aman Hardikar’s forensic challenges mindmap
  Forensic Challenges
  - They shared a whitepaper by M. Soria-Machado, D. Abolins, C. Boldea, and K. Socha titled “Detecting Lateral Movements in Windows Infrastructure”
  Detecting Lateral Movements in Windows Infrastructure
  - Oleg Skulkin and Igor Mikhaylov show how to extract data from a damaged SQLite database.
  Forensic Analysis of Damaged SQLite Databases
- There were a couple of articles shared by the guys at Digital Forensics Corp this week
  - They shared an article from Microsoft TechNet on identifying USB history using PowerShell
  How to find a USB History with PowerShell
  - They shared an article by Malcolm Owen, who “described an algorithm for creating a list of all the files inside the macOS directory in seconds using TextEdit”
  How to create a list of all the files inside a macOS directory
- Chirath De Alwis has a guest post on Forensic Focus on using FTK Imager to capture volatile and non-volatile data.
Evidence Acquisition Using Accessdata FTK Imager
- Costas Katsavounidis examines the BAM key and compares the timestamp stored against each entry with the Prefetch execution artefact.
An Alternative to Prefetch -> BAM
- Tim Moniot at Magnet Forensics shows “how to acquire Yahoo email using the POP/IMAP method” in AXIOM.
Using AXIOM Cloud to Acquire and Process Yahoo Email
- SalvationData have a post showing how to use “SPF to physically extract forensic images from smartphones equipped with MTK chipsets.”
[Case Study] Mobile Forensics: How to Extract Data from Locked Devices Powered by MediaTek
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shows how to locate text typed into Notepad in a memory dump should it not parse out with the correct plugin/profile.
Volatility tips: extract text typed in a notepad window from a Windows memory dump
- There were a couple of posts on ‘The Leahy Center for Digital Investigation’ blog this week
  - “The exploration forensics team [announced that for their project this semester they will be] conducting research on hardware and software that tests for paranormal activity.”
  Exploration Forensics Blog 1
  - “The Application Analysis team [announced that for their project they] chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane.”
  Application Analysis Introduction
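The three BAM items above (Port 139, Arsenal and Costas Katsavounidis) all turn on reading that key correctly, so here is an added PowerShell example of my own, not code from any of those posts, that walks the BAM user-settings keys on a live Windows 10 box and decodes the timestamp in each value. It assumes the documented layout: one subkey per user SID, and each executable entry is 24 bytes of REG_BINARY whose first 8 bytes are a little-endian 64-bit FILETIME. Windows 10 1709/1803 keep the key under Services\bam\UserSettings; 1809 and later moved it to Services\bam\State\UserSettings, so both paths are checked.

```powershell
# Added example: list Background Activity Moderator (BAM) last-execution times per user.
# Not code from the posts above. Assumes the documented value layout: each executable
# entry is 24 bytes of REG_BINARY whose first 8 bytes are a little-endian FILETIME.
function Get-BamEntry {
    [CmdletBinding()]
    param()

    # 1709/1803 path first, then the 1809+ path; whichever exists is walked.
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($sidKey in Get-ChildItem -Path $root) {
            $sid  = $sidKey.PSChildName
            $user = $sid
            # Best-effort SID -> account translation; orphaned SIDs are reported raw.
            try {
                $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { }

            foreach ($name in $sidKey.GetValueNames()) {
                $data = $sidKey.GetValue($name)
                # Skip the Version / SequenceNumber DWORDs; only 24-byte blobs are executables.
                if ($data -isnot [byte[]] -or $data.Length -ne 24) { continue }

                $fileTime = [BitConverter]::ToInt64($data, 0)
                if ($fileTime -le 0) { continue }

                [PSCustomObject]@{
                    User        = $user
                    SID         = $sid
                    LastExecUtc = [DateTime]::FromFileTimeUtc($fileTime)
                    Executable  = $name   # \Device\HarddiskVolumeN\... path exactly as BAM records it
                    Source      = $root
                }
            }
        }
    }
}

# Usage (run elevated): newest executions first, ready to line up against Prefetch last-run times.
Get-BamEntry | Sort-Object -Property LastExecUtc -Descending |
    Format-Table -Property User, LastExecUtc, Executable -AutoSize
```

On a dead-box image this live read is no substitute for parsing the SYSTEM hive together with its .LOG1/.LOG2 transaction logs (Registry Explorer or yarp will do this); the most recent executions may exist only in the logs, which is exactly the gap Mark Spencer’s post describes.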
THREAT INTELLIGENCE/HUNTING
- Diego Perez at Eideon shares some methods of detecting the use of WMI to maintain persistence.
Tales of a Threat Hunter 2
- There’s a post on ‘Hackers Arise’ about network forensics; in it, the author walks through a few steps in an examination of the network traffic from a machine that may be infected with malware.
Network Forensics, Part 1
- There were a couple of articles on ‘Hacking Articles’ this week
  - Deepanshu looks at various Nmap scans in Wireshark
  Understanding Guide for Nmap Timing Scan (Firewall Bypass)
  - Pavandeep Singh shows some of the features of Mimikatz
  Understanding Guide to Mimikatz
- Adam at Hexacorn has updated his EDR sheet, adding OSQuery, PolyLogyx, and Secdo
Endpoint Detection and Response (EDR) solutions sheet – update
- Rob VandenBrink at the Internet Storm Center shows how an attacker might use built-in domain tools to steal Active Directory password hashes, and describes some protections against this attack.
Cracking AD Domain Passwords (Password Assessments) – Part 1 – Collecting Hashes, (Mon, Feb 26th)
- Brad Garnett at Cisco discusses the benefits of PowerShell logging, Sysmon, and EDR, especially when used in combination with memory forensics techniques.
The Power of Logging in Incident Response
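To go with Diego’s post on WMI persistence, here is an added PowerShell example of my own (not his code) that resolves every permanent WMI event subscription on a host, that is, the __EventFilter, __EventConsumer and __FilterToConsumerBinding triple in root\subscription that gives an attacker a trigger-and-payload pair surviving reboots, and pulls out the consumer’s actual payload. The keyword list used to flag entries is my own heuristic; baseline it against a clean build of the same OS, since legitimate bindings (the SCM Event Log Consumer, for instance) are present by default.

```powershell
# Added example: enumerate permanent WMI event subscriptions (persistence) and surface
# each consumer's payload. Not code from the post above; the 'suspicious' regex is my
# own heuristic and should be tuned against a clean baseline. Run elevated.
function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # Optional session for remote hunting: New-CimSession -ComputerName <host>
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )

    $common = @{ Namespace = 'root\subscription' }
    if ($CimSession) { $common['CimSession'] = $CimSession }

    $filters   = @(Get-CimInstance @common -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @common -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @common -ClassName __FilterToConsumerBinding)

    # Things that rarely belong in a consumer: script hosts, LOLBins, temp paths, encoded commands.
    $suspicious = 'powershell|pwsh|cscript|wscript|mshta|regsvr32|rundll32|certutil|bitsadmin|' +
                  'cmd\.exe|\\Temp\\|AppData|-enc|FromBase64String|ActiveXObject|WScript\.Shell'

    foreach ($b in $bindings) {
        # Filter/Consumer on a binding are object references; match them back by their key (Name).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        if (-not $c) { continue }

        $class   = $c.CimClass.CimClassName
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { "$($c.ScriptingEngine): $($c.ScriptFileName)" } }
            'LogFileEventConsumer'      { "$($c.Filename) <- $($c.Text)" }
            default                     { "($class)" }   # NTEventLog / SMTP consumers: class name only
        }

        [PSCustomObject]@{
            Filter        = $f.Name
            Trigger       = $f.Query          # the WQL that fires the consumer
            Consumer      = $c.Name
            ConsumerClass = $class
            Payload       = $payload
            Suspicious    = [bool](($payload -match $suspicious) -or ($class -eq 'ActiveScriptEventConsumer'))
        }
    }
}

# Usage: flagged entries first; read the Trigger (WQL) as carefully as the Payload.
Get-WmiPersistence | Sort-Object -Property Suspicious -Descending | Format-List
```

Any ActiveScriptEventConsumer is flagged outright because script consumers are almost never used legitimately on servers; CommandLineEventConsumer entries are judged by what they run. Pair the output with Sysmon event IDs 19 to 21 or the WMI-Activity operational log if you want to catch the subscription being created rather than just finding it after the fact.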
UPCOMING WEBINARS/CONFERENCES
- Warren Pamukoff and Tayfun Uzun at Magnet Forensics will be hosting a webinar on Office 365 investigations. The webinar will take place on Tuesday, March 13 at 1:00 PM Eastern Time (New York).
Forensics in the Cloud: How to Conduct an Office 365 Investigation
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSides Columbus 2018
- Michael Gough and Brian Boettcher at Brakeing Down Incident Response posted another episode in which they speak to Martin Brough, “Manager of the Security Solutions Engineering team in the email phishing industry”, about credential stealing.
BDIR-001: Credential stealing emails, How do you protect against it?
- Cellebrite have shared Scott Lorenz and Shahar Tal’s recent webinar on using EDL mode to acquire data from locked devices with Qualcomm chipsets
Watch Recording: Access mobile device evidence faster using Emergency Download mode (EDL)
- Douglas Brush interviewed Kristinn Gudjonsson on Cyber Security Interviews about the impetus that led Kristinn to create log2timeline and what he’s up to now.
045 – Kristinn Gudjonsson: You Don’t Want Analysts Spending All Their Time Extracting Data
- Shaun Walsh interviewed Theresa Payton on Cylance’s InSecurity podcast this week “to discuss how government incident response is different from the private sector, who should be in charge of incident response, and what organizations can do to make up for the lack of internal resources.”
InSecurity Podcast: Theresa Payton on Incident Response
- Forensic Focus shared Karl Wust’s presentation from DFRWS EU 2017 titled “Force Open – Lightweight Black Box File Repair”
Video: Force Open – Lightweight Black Box File Repair
- Dave and Matthew hosted Eric Zimmerman on the Forensic Lunch this week to talk about his latest update to Registry Explorer. Matthew also talked briefly about his work with Maxim’s YARP tool and his talk on ArangoDB at the DFIR Summit.
Forensic Lunch: 3/2/18
- There were a few presentations and videos shared by Magnet Forensics this week
  - They shared their recent webinar on Office 365 examination.
  Recorded Webinar: Forensics in the Cloud: How to Conduct an Office 365 Investigation
  - “This video uses Magnet AXIOM to do an MTP acquisition on a Samsung device without knowing the user’s passcode or having USB debugging turned on.”
  Samsung Passcode Bypass with MTP Acquisition using Magnet AXIOM
  - “This video uses Magnet AXIOM to acquire a physical image of LG devices without knowing the user’s passcode”
  LG Bypass and Physical Acquisitions with Magnet AXIOM
- Erik Hjelmvik at Netresec shares a video tutorial covering the “analysis of a malware redirect chain, where a PC is infected through the RIG Exploit Kit.”
Examining Malware Redirects with NetworkMiner Professional
- On this week’s Digital Forensic Survival Podcast, Michael talks about cryptocurrencies and the benefit of getting involved so that you have an idea of what they are before you’re tasked with investigating them. The one minor correction is that Michael said Bitcoin went from around $700 in December to $14,000 currently; whilst it did jump significantly, it traded roughly between $10,000 and $19,000 during December 2017, and the $700 figure is closer to where it sat in December 2016.
DFSP # 106 – Cryptocurrency 1-2-3
- SANS posted Robert M. Lee’s recent testimony on cybersecurity in US critical energy infrastructure
Robert M. Lee – Testimony Cybersecurity in our Nation’s Critical Energy Infrastructure
- I recorded my ‘This Month In 4n6’ podcast for the month of February.
This Month In 4n6 – February – 2018
- Nate Guagenti shared the slides from his presentation with Roberto Rodriguez titled “The Quieter You Become, the More You’re Able to (H)ELK”
Check out @neu5ron’s Tweet
MALWARE
- Bogdan Botezatu at Bitdefender Labs shares a decryptor for the GandCrab ransomware
GandCrab Ransomware decryption tool
- Bart Parys at Blaze’s Security Blog takes “a quick look at fake versions of Steam Desktop Authenticator (SDA)”
Fake Steam Desktop Authenticator steals account details
- Jared Myers at Carbon Black analyses a ROKRAT sample
Threat Analysis: ROKRAT Malware
- The Cylance Threat Guidance Team examines UDPoS, “Point-of-Sale (PoS) malware, designed to harvest and exfiltrate credit card information from PoS systems using DNS tunneling”
Threat Spotlight: Inside UDPoS Malware
- Andrey Shalnev at F5 examines an attack against the rTorrent client that distributes a Monero coin miner with links to the Zealot campaign.
rTorrent Client Exploited In The Wild To Deploy Monero Crypto-Miner
- Balaji N at GBHackers briefly describes an RTF document used to distribute the NetWiredRC and Quasar RATs
Hackers Distributing Malicious RTF Excel Sheets Document and Installing RAT using VBA Macro code
- Darryl at Kahu Security shows how to deobfuscate an obfuscated PHP mailer script
Deobfuscating a “Sophisticated” Mailer
- Dan Borges at LockBoxx shares some answers to the TAMUctf 18
- Brian Maloney shows how to decode Symantec VBN files
Symantec Endpoint Protection VBN files
- Malware Breakdown shares some IOCs from the Seamless campaign
Seamless Campaign Uses RIG EK to Deliver More Ramnit
- There were a few posts on Malwarebytes Labs this week
  - Jérôme Segura shares details on various crypto miners
  The state of malicious cryptomining
  - Jérôme also examines a page from the ‘Coins LTD’/etags malvertising campaign.
  RIG malvertising campaign uses cryptocurrency theme as decoy
  - Vasilios Hioureas reviews the encryption used by the ShiOne ransomware.
  Encryption 101: ShiOne ransomware case study
  - Hasherezade examines a sample of the Avzhan DDoS bot
  Blast from the past: stowaway Virut delivered with Chinese DDoS bot
- Ryan Sherstobitoff at McAfee Labs shares details on the Honeybee campaign and the Maocheng dropper.
McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
- Andrea Allievi and Elia Florio at Microsoft share their research into the FinFisher malware utilised by the Neodymium group
FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines
- Michael Gorelik at Morphisec examines a “suspicious document uploaded to VirusTotal that exploits the latest Flash vulnerability CVE-2018-4878” that has ties to the Lazarus Group.
The Lazarus Group Strikes Again – Or is it an Imposter? The Latest CVE-2018-4878 Attack
- There were a couple of posts on the Netskope blog this week
  - Ashwin Vamshi shares some research on the ShortJSRAT malware
  ShortJSRAT leverages cloud with scriptlets
  - Ashwin also shares analysis of a couple of Pony Loader binaries.
  Pony Loader exfiltrates user and wallet data
- There were a number of posts on the Palo Alto Networks blog
  - Bryan Lee, Mike Harbison and Robert Falcone examine an attack that has links with tools used by the Sofacy group
  Sofacy Attacks Multiple Government Entities
  - Terry Young shares a report that “summarizes the rapid growth of malicious APK files and provides a peek into the malware and other threats found in live mobile networks.” The report is titled “Look What’s Riding your Network: A Deeper Look at Growing Threats to Mobile Networks and Subscribers”
  Look What’s Riding Your Network
  - Brad Duncan compares the usage of the Rig exploit kit over the last year.
  Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers
  - Jeff White examines a Hancitor sample
  Dissecting Hancitor’s Latest 2018 Packer
  - Josh Grunzweig examines a Monero mining sample distributed on a Russian BitTorrent website
  Monero Miners Continue to Plague Users via Russian BitTorrent Site
- Brad Duncan at the SANS Internet Storm Center examines some malspam “targeting unpatched versions of Microsoft Office like CVE-2017-8570 to infect computers with Formbook.”
Malspam pushing Formbook info stealer, (Tue, Feb 27th)
- There were a couple of posts on Cisco’s Talos blog
  - Warren Mercer and Vitor Ventura examine a Python-based RAT “impacting users of a Brazilian public sector management school.”
  CannibalRAT targets Brazil
  - Paul Rascagneres and Martin Lee look at the attribution effort around the Olympic Destroyer malware
  Who Wasn’t Responsible for Olympic Destroyer?
- Johnlery Triunfante and Mark Vicente at TrendLabs examine a sample that distributes an XMRig Monero miner
Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads
MISCELLANEOUS
- L.E. “Ted” Wilson at AccessData comments on some case law relating to digital searches of cell phones in the US
Law Enforcement Professionals Need to Evaluate Digital Forensics Practices Amid Looming Constitutional Showdown Regarding Digital Searches
- Brian Carrier discusses some of the recent improvements made to Autopsy, primarily around examining communications data
Autopsy 4.6 Includes New Communications Viewers, Encryption Detection, and More.
- Scott Vaughan at Berla explains how to update the iVe hardware license keys.
Updating iVe Hardware License Keys
- Brett Shavers at DFIR.Training introduces a subcontractor listserv
Find a DFIR Subcontractor with the DFIR listserv
- Didier Stevens shows “how to add comments to packets and capture files in Wireshark”
Wireshark Comments
- There were a few posts on the Forensic Focus blog this week
  - Scar shares the top forum threads of the month
  Forensic Focus Forum Round-Up
  - Scar also shares her top articles of the month
  Digital Forensics News February 2018
  - Danny Garcia from Cellebrite has a post about how they are “reviewing and updating [Cellebrite’s training programs] core competencies in not only [their] core forensic track but each certification program [they] offer. The goal is to ensure each is grounded in research and driven by best practices, allowing [Cellebrite] to meet quality assurance standards and a peer-review process”
  When It Comes To Training, Quality Absolutely Matters!
- Steve Watson shared the news that “the Drone Forensics Program released 100GB of additional datasets yesterday as well as the first three full reports on our findings.”
- Magnet Forensics have announced a new class, AX250, described as an advanced digital forensics class; it looks really interesting, covering a variety of Windows artefacts as well as topics such as file system journaling and password cracking.
Magnet AXIOM Advanced Computer Forensics (AX250) Now Open!
- Richard Bejtlich at TaoSecurity shows how to import pcaps into Security Onion
Importing Pcap into Security Onion
- Howard Oakley at The Eclectic Light Company describes a number of the hidden files and folders on macOS
What are all those hidden folders then?
- Andrew Case at Volatility Labs lists some of the training that they will be running this year, and “highlights some of the new material”
Malware and Memory Forensics Training Headed to Herndon and Amsterdam!
SOFTWARE UPDATES
- Berla have released iVe v1.14, adding “support for additional MyLink and IntelliLink systems from 2012 to present bringing the supported vehicle count to over 11,400 models of vehicles”
iVe v1.14 Released
- ExifTool was updated to version 10.82 (development release), adding new tags and bug fixes
ExifTool 10.82
- GetData released Forensic Explorer v4.1.2.7056 with some minor updates
24 Feb 2018 – 4.1.2.7056
- Adam at Hexacorn has released DeXRAY 2.06 with improvements to the parsing of Symantec quarantine files
DeXRAY 2.06 update
- Hex-Rays released IDA Pro v7.1 with new features and bug fixes.
IDA: What’s new in 7.1
- Magnet Forensics have released AXIOM 1.2.4 with improvements to mobile device acquisition, cloud extraction and disk decryption, as well as “additional support for .HEIC files.”
Magnet AXIOM 1.2.4 Brings New Capabilities to Bypass Android Passwords
- PassMark released OSForensics v5.2.1006 with a few bug fixes.
V5.2.1006 – 26th of February 2018
- Oxygen Forensic Detective 10.1 was released, adding a number of features including the “capability to extract data from DJI cloud”, as well as support for additional devices and apps.
Oxygen Forensic® Detective offers exclusive support for DJI cloud.
- “Paraben is issuing a patch release to the E3 Platform for an adjustment associated with a hardware and firmware issue associated with the acquisition of these iOS devices.”
New E3 Platform 1.65 patch release for iPhone 6 and above hardware
- SalvationData updated DRS (Data Recovery System) to version v17.7.3.2.286 with a variety of new features
[Software Update] DRS (Data Recovery System) V17.7.3.2.286 — Major improvements on flexibility & usability that makes your investigations easier and more efficient!
- X-Ways Forensics 19.6 Beta 2 was released with some improvements and bug fixes
X-Ways Forensics 19.6 Beta 2
And that’s all for Week 9! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!