FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog shows how to repair a dirty registry hive manually so that it can be examined by Log2timeline.
Registry Transaction Log and Plaso (Registry Transaction LogとPlaso)
- Scar at Forensic Focus has posted an article on using Oxygen to examine drone onboard/SD card and Cloud data.
Oxygen Drone Forensics
- Alexis Brignoni at ‘Initialization Vectors’ shares a method of parsing the Discord app chat data for review.
Finding Discord app chats in Windows.
- Magnet Forensics posted a couple of articles this week
- Christopher Vance explains the new advanced MTP acquisition in Axiom for Samsung devices. Christopher shows how this was useful for a situation where he was unable to perform a board-swap or screen repair on a locked, passcode-protected device and was still able to obtain the media directory.
Extracting Data from a Samsung Device Using Advanced MTP
- Jamey Tubbs examines various Windows registry artefacts that have changed with Windows 10. Many of the same examination techniques will still work; however, different activities now modify the registry keys, and some of the things we used to be able to rely on, such as the InstallDate value, have moved and are a little more involved.
What “the Last Version of Windows” Means for Digital Forensics
- Kasasagi at Padawan-4n6 continues some verification of the BAM key using Eric’s recently updated Registry Explorer.
About the bam key (execution traces?) (2) & the registry transaction log (bam キー(実行痕跡?) について(2) & レジストリのトランザクションログ)
- “Polito Inc. has partnered with ReversingLabs (RL) and has developed a plugin extension called ReversingLabs Lookup Utility for Autopsy”.
Enhancing Digital Forensics with ReversingLabs Hash Query Plugin for Autopsy
THREAT INTELLIGENCE/HUNTING
- Rohan Vazarkar at SpecterOps explains “what each collection method [in BloodHound] does, particularly which API calls are used for each different step, as well as the detailed target selection logic.”
SharpHound: Target Selection and API Usage
- Rob Smallridge at NCC Group examines a recent attack by APT15 which utilised some new backdoor scripts, “RoyalCli and RoyalDNS”.
APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
UPCOMING WEBINARS/CONFERENCES
- Jamie McQuaid at Magnet Forensics will be hosting a couple of webinars on the trends in mobile forensic device acquisition. The webinars will take place Tuesday, March 27th @ 1:00PM EST and Wednesday, March 28th @ 9:00AM EST.
Mobile Trends, Tools and Methods
- NW3C and NCFTA are delivering a webinar on 03/14/2018 at 1PM EDT titled “How Virtual Currency is Changing the Way We Investigate”.
Check out @NW3CNews’s Tweet
- Jason Jordaan will be hosting a webcast for SANS on Tuesday, March 13th, 2018 at 3:30 PM EST (19:30:00 UTC) on tips and techniques for testifying at court.
Webcast 3: Tips and Techniques for Testifying Successfully
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSides Indianapolis 2018.
- Forensic Focus posted a couple of presentations this week
- The first is the transcript and video of Daniel Spiekermann’s presentation at DFRWS EU 2017 titled “Network Forensic Investigation In Openflow Networks With ForCon”
Video: Network Forensic Investigation In Openflow Networks With ForCon
- The second is the transcript and video of Jessica Hyde’s recent presentation on security apps.
Video: How The Onset Of Security Apps Is Impacting Investigations
- Dave and Matthew hosted Maxim Suhanov on the Forensic Lunch this week to talk about his research into registry hives, transaction logs, and his YARP library. The important takeaway is that as of Windows 8.1, Microsoft has been using the transaction logs of the registry more often, and as a result, the most up to date information may not be held within the registry files themselves unless you incorporate the log files.
Forensic Lunch: 3/9/18
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ shares some tips for writing papers and blog articles on malware analysis.
Writing Malware Analysis Papers and Blog Articles
- OALabs have uploaded a video showing how to “use IDA Pro and x64dbg to unpack a recently packed Gootkit malware (stage1)”.
Unpacking Gootkit Malware With IDA Pro and X64dbg – Subscriber Request
- Richard Davis has uploaded a new video on using Volatility to parse Windows 10 memory dumps, as well as how to obtain the latest version of Volatility.
Volatility Profiles and Windows 10
- SalvationData released a few of their webinars during the week.
MALWARE
- Dennis Schwarz and Jill Sopko at Arbor Networks examine a “new modular malware framework” called yty, whose development they’re attributing to “Donot Team, who created EHDevel”.
Donot Team Leverages New Modular Malware Framework in South Asia
- Nadav Avital at Incapsula analyses an attack using ‘RedisWannaMine’ that deploys crypto mining malware.
RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits
- Shusei Tomonaga at JPCERT/CC examines the TSCookie malware, which has also been called PLEAD.
Malware “TSCookie”
- Lastline Labs examine some samples from the Olympic Destroyer campaign.
From Russia(?) with Code
- Malware Breakdown provides details on the HookAds campaign, which is using the “RIG EK to deliver [the] Bunitu Proxy Trojan”.
HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan
- Ryan Sherstobitoff at McAfee Labs shares a recent investigation into “Hidden Cobra’s Bankshot malware implant [that has been seen] surfacing in the Turkish financial system”.
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
- Patrick Wardle at Objective-See provides a “comprehensive technical analysis of the macOS agent of the cross-platform RAT OSX/Coldroot”. This malware was undetected by the virus scanners on VirusTotal, and Patrick identified it by checking whether it had references to the macOS ‘privacy database’ (TCC.db).
Tearing Apart the Undetected (OSX)Coldroot RAT
- There were a couple of posts on the Palo Alto Networks blog this week
- Brandon Levene and Josh Grunzweig analyse the ComboJack malware.
Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency
- Brandon Levene, Josh Grunzweig and Brittany Ash examine some recent activity by the “Patchwork group, alternatively known as Dropping Elephant and Monsoon, conducting campaigns against targets located in the Indian subcontinent.”
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
- Christie Ott at Rapid7 describes some of the steps to follow when building an incident response plan, taken from their eBook: “Prepare for Battle: Building an Incident Response Plan”
How to Build an Incident Response Plan: Your Battle Plan
- There were a few posts on the SANS Internet Storm Center Handler Diaries
- Xavier Mertens examines a PowerShell script that downloads a cryptominer
The Crypto Miners Fight For CPU Cycles, (Sun, Mar 4th)
- Xavier also examines a similar script that targets Linux systems
Malicious Bash Script with Multiple Features, (Mon, Mar 5th)
- Brad Duncan reviews some malspam distributing the GlobeImposter and GandCrab ransomware
Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there, (Wed, Mar 7th)
- Renato Marinho examines an attack that exploits the Apache SOLR vulnerability (CVE-2017-12629).
Apache SOLR: the new target for cryptominers, (Thu, Mar 8th)
- Securelist examine the OlympicDestroyer malware
OlympicDestroyer is here to trick the industry
- Robin Gonzalez Valero at Cisco describes some sandbox evasion techniques employed by malware, as well as how to use “User Emulation Playbooks in Threat Grid”.
Don’t Let Malware Slip Through Your Fingers
- Edmund Brumaghin and Holger Unterbrink at Cisco’s Talos blog share “details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.”
Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution
- Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, and Ron Deibert at ‘The Citizen Lab’ describe their “investigation into the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices to deliver nation-state malware in Turkey and indirectly into Syria, and to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.”
BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
- VMRay shared their malware analysis recap report for February.
VMRay Malware Analysis Report Recap – February 2018
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ continues his ‘life after law enforcement’ series, talking about what to expect in terms of the change of pace, as well as the different types of work and how it’s affected by corporate politics or other factors. It’s clear from the article that this is a good place if you’re motivated to do a good job (and be rewarded for it), as opposed to government positions where you may be able to get away with coasting.
Life After Law Enforcement: Life In The Fast Lane
- Bob Petrachek at Blackbag Technologies lists a number of reasons why he would select a Mac as his examination platform of choice. I don’t necessarily disagree, but I think that, if you have the option, I’d suggest getting a grunty Windows/Linux desktop and a (preferably high-end, but they’re stupid expensive) MacBook Pro. That would give you a lot of the benefits listed in the article of having macOS, without the price tag of the Mac Pros. I spoke with Bob recently about speccing out a Mac Pro and was told that RAM was key to processing quickly with Blacklight. Knowing this, it makes sense to throw your case onto your best-specced machine, aka your Windows box (most probably), for processing, and then you can move it to your Mac for the bits that need a Mac’s touch. Mac Pros look great and all, but the cost and form factor (for forensics; they’re nice to look at though) is just hard to justify.
Examination Platforms – Mac or Windows?
- Alistair Ewing at Compute Forensics shares his top ten free computer forensics tools.
Top Ten Free Computer Forensic Software
- Brett Shavers at DFIR.Training shares his thoughts on creating test images and describes his process for doing so.
Forensic Test Images!
- Digital Forensics Corp shared an article from Beebom on Android emulators for Windows.
Android Emulators for Windows
- Christa Miller from Magnet Forensics has written an article in Forensic Magazine on the different approaches one can take when dealing with today’s landscape of digital devices and evidence.
Next-generation Digital Forensics: Expanding the Toolkit
- Cindy Murphy at Gillware Digital Forensics gave a lengthy shout-out to a number of prominent women in computing who accomplished great things and inspired her. She also gave a shout-out to a number of women in the DFIR field (some of whom I’m friends with and can attest to their awesomeness :)).
A Shout-Out to Amazing Sheroes in IT
- Johann Hofmann and Pelle Gara at Griffeye talk about the utility of AI and machine learning for digital data in criminal investigations.
AI and machine learning: The future is now
- Paul Kincaid at Malwarebytes Labs walks through the four phases of the “NIST SP800-61r2 Incident Response Life Cycle”.
Building an incident response program: creating the framework
- John E Dunn at Naked Security reports on a company, Grayshift, which is “quietly touting software it claims can unlock Apple’s flagship handsets, the iPhone X and 8”. If this does work and isn’t patched by Apple, this could provide law enforcement with an “expensive” way of getting through iOS passcodes. I think it’s only a matter of time though before Apple finds a way to improve their security again (which I’m not really for or against; you want to be able to catch the bad guys, but you also want your things secure).
Second company claims it can unlock iPhone X
SOFTWARE UPDATES
- ExifTool was updated to version 10.83 (development release) adding new tags and bug fixes
ExifTool 10.83
- Linus Nissi has released a Python script, WinOSparser, that parses the ‘Source OS’ data in the SYSTEM key. This is populated with the ‘SOFTWARE\Microsoft\Windows NT\CurrentVersion’ data when Win10 does a major update.
WinOSparser
- Magnet Forensics released Axiom 1.2.5 during the week, although I’m not really sure what changed from last week’s update.
- Denis O’Brien at “Malware Analysis: The Final Frontier” has released an update for IRIS-H, adding support for RTF files
IRIS-H (alpha): Added RTF files parser module
- Radare 2.4.0 was released with a number of new features, improvements, and bug fixes.
2.4.0: Chussy Chaber
- SalvationData have released their free WhatsApp extraction and decryption tool.
SalvationDATA WhatsApp Forensics Free Tool Official Release
- Sanderson Forensics released Forensic Browser for SQLite v3.2.12 with some bug fixes and enhancements.
Forensic Browser for SQLite v3.2.12
- Scott Piper at Duo announced a new tool called CloudTracker “for easily analyzing CloudTrail logs from Amazon Web Services (AWS)”.
Introducing: CloudTracker, an AWS CloudTrail Log Analyzer
- A number of older versions of X-Ways Forensics were updated with bug fixes this week, along with the official release of 19.6.
- Maxim Suhanov released yarp v1.0.15.
1.0.15
And that’s all for Week 10! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!