FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at the ‘Access Bits’ in a Windows 10 registry hive.
RegistryとAccess bits
- Sebastian Neef at 0day Work shares his findings from pulling apart the .DS_Store file format.
Parsing the .DS_Store file format
- Marco Fontani at Amped Software shows “what Griffeye Analyze DI Pro enables you to do when linked with the Amped Authenticate plugins.”
Amped Authenticate & Griffeye Analyze DI Pro: a synergy that empowers forensic analysts!
- There were a couple of posts on Cyber Forensicator this week
  - Oleg Skulkin and Igor Mikhaylov examine a memory image of a machine that was attacked with meterpreter.
  Finding Metasploit’s Meterpreter Traces with Memory Forensics
  - They also shared instructions on how to set up the Forensic-full package on a Debian workstation as an alternative to SIFT.
  Make Your Debian a Forensic Workstation
- Oleg Skulkin and Igor Mikhaylov at Digital Forensics Corp share how to analyse an installation of CorelDRAW.
CorelDRAW Forensics: step by step
- Jason Hale at ‘Digital Forensics Stream’ has released a new tool, USB Detective, which looks to simplify the analysis of USB device history. As mentioned in the post, Windows 10 comes with some interesting challenges for examiners with its regular removal of artefacts.
Introducing USB Detective
- Josué Ferreira has written an article on Forensic Focus on acquiring data from solid-state drives using open source tools.
Forensic Acquisition Of Solid State Drives With Open Source Tools
- Brian Baskin at ‘Ghetto Forensics’ explains the challenges that students face in the Mid Atlantic Collegiate Cyber Defense Competition, where instead of a typical CTF, the students’ end goal is “proving an attack to law enforcement.”
Enforcing the Law at the Mid Atlantic Collegiate Cyber Defense Competition (MACCDC)
- Alexis Brignoni at ‘Initialization Vectors’ shares a script “to convert the JSON [Discord] chats to XLS spreadsheets.”
Discord JSON chats to XLS
- SalvationData share a case study on acquiring the MicroSD card from a Raspberry Pi using their Data Recovery System (DRS) tool.
[Case Study] Computer Forensics: Data Extraction From a Raspberry Pi
- Over on my ThinkDFIR blog I shared some of my testing for an error we were seeing in Word document metadata relating to the word count. Turns out that Word updates this value when you run word count, so if someone doesn’t run that right before saving then I wouldn’t rely on a metadata extraction tool over Word itself.
Word Document Metadata Bugs and Verification
- Troy Schnack shares a case study where the interpretation of the dates and times was critical to identifying the user’s activity. Troy shows how the file created/modified dates can be linked to an activity – the created date of the file will indicate when the file download commenced, however the “Downloaded Date/Time” field for the Ares file sharing program will typically indicate when the download completed (which isn’t considered an action by the user).
Timeline in P2P Forensic Cases
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn shows how dvdplay.exe can be leveraged on systems that have it as a persistence mechanism.
Beyond good ol’ Run key, Part 73
- Hadar Yudovich at Illusive Networks shows how to extract “the timestamp of each network connection” for inclusion in a timeline.
Why and How to Extract Network Connection Timestamps for DFIR Investigations
- Jared Atkinson at SpecterOps discusses the Get-InjectedThread PowerShell script.
Defenders Think in Graphs Too! Part 1
- Tony Lambert at Red Canary shows an example of a cryptominer detection.
When Web Servers Go Cryptocurrency Mining
- Pablo Delgado at Syspanda shows how to scan and tag potential Dropbox phishing emails using their subject.
Tagging Phishing emails with Regex Rules [Proofpoint]
- Andreas Sfakianakis at ‘Tilting at windmills’ comments on the recent report on APT activity by CrySyS Lab.
CrySyS Lab Analysis on NSA’s Territorial Dispute
UPCOMING WEBINARS/CONFERENCES
- Buddy Tidwell and Mati Goldberg at Cellebrite will be hosting a webinar on “UFED Physical Analyzer’s SQLite Wizard and the new Virtual Analyzer” on March 28 at 10:00am (New York)/2pm (London)/3pm (Brussels).
Cellebrite forensic experts demonstrate unique capabilities of Cellebrite SQLite Wizard & New Virtual Analyzer
- Magnet Forensics share some details on the European leg of their Magnet User Summit series.
The Magnet User Summit Europe Series//2018: Mobile Forensics with Magnet AXIOM
- Brian Hill at Oxygen Forensics will be hosting a webinar on Thu, Apr 5, 2018, 3:00 PM – 4:00 PM GMT. The webinar will cover “what data can be found inside application databases that Oxygen Forensic Detective parses out and using the SQLite Viewer built into the program to find additional data and to parse data not supported.”
Oxygen Forensics, Inc App Data/SQLite Viewer Webinar
- Phil Hagen will be hosting a webinar on the latest updates to the FOR572 course. The webinar will take place Tuesday, April 10th, 2018 at 10:30 AM EST (14:30:00 UTC).
What’s new in FOR572
PRESENTATIONS/PODCASTS
- Forensic Focus shared the transcript and video of Adam Pridgen’s presentation at DFRWS EU 2017 titled “Picking Up The Trash – Exploiting Generational GC For Memory Analysis”.
Video: Picking Up The Trash – Exploiting Generational GC For Memory Analysis
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ posted a couple of videos this week.
- On this week’s Digital Forensic Survival Podcast, Michael covers the radare2 reverse engineering framework.
DFSP # 108 – Under the Radare
MALWARE
- Jared Myers at Carbon Black examines an infection chain that “leverages certutil.exe and MSBuild, uses a carrier file (MS Office Document) and an embedded VBA macro to initiate techniques initially discussed publicly by Casey Smith”.
Threat Analysis: Recent Attack Technique Attempts to Bypass Whitelisting by Leveraging MS Office Document Macros, MSBuild, Certutil
- Roland Dela Paz at Forcepoint examines the Qrypter RAT.
A Look into Qrypter, Adwind’s Major Rival in the Cross-Platform MaaS Market
- There were a couple of posts on Malware Breakdown this week
  - The first examines a recent infection chain from the HookAds Campaign.
  HookAds Campaign Delivers Bunitu Proxy Trojan via RIG EK
  - The second examines a password-protected maldoc that distributes the Sigma ransomware.
  Malspam Contains Password Protected Document That Downloads Sigma Ransomware
- There were a couple of posts on Malwarebytes Labs this week
  - David Sánchez, Mickaël Roger, and Jérôme Segura examine a maldoc that is used to deploy Hancitor.
  Hancitor: fileless attack with a DLL copy trick
  - Hasherezade, Jérôme Segura and Vasilios Hioureas examine an attack that distributes version 2.1 of the Hermes ransomware after exploiting a Flash vulnerability.
  Hermes ransomware distributed to South Koreans via recent Flash zero-day
- There were a couple of posts on McAfee Labs this week
  - Christiaan Beek examines a malware downloader used by the Necurs botnet.
  Necurs Botnet Leads the World in Sending Spam Traffic
  - Raj Samani shared that “McAfee published the McAfee Labs Threats Report: March 2018.”
  ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware
- There’s a post on the ‘Microsoft Secure’ blog sharing the analysis of a supply chain attack used to distribute Dofoil/Smoke Loader.
Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak
- Alex Hinchliffe, Mike Harbison, Jen Miller-Osborn and Tom Lancaster at Palo Alto Networks examined some samples of the HenBox Android malware family.
HenBox: The Chickens Come Home to Roost
- Brad Duncan has a post on the SANS Internet Storm Center regarding some malspam distributing the Sigma ransomware.
Malspam pushing Sigma ransomware, (Wed, Mar 14th)
- Joshua Shilko at PhishLabs examines a new variant of BankBot, called Anubis.
New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users
- There were a couple of posts on the FireEye blog this week
  - Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe, and Ben Read at FireEye share details from a recent campaign by the TEMP.Zagros/MuddyWater threat group.
  Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
  - FireEye also share some details on the TEMP.Periscope/Leviathan threat group.
  Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
- Jaromir Horejsi at TrendLabs shares some information about the infection chain used by a threat actor, with similarities to a previous MuddyWater campaign.
Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
- Veronica Valeros has released the third iteration of her RAT timeline.
A Study of RATs: Third Timeline Iteration
- Tomáš Foltýn at WeLiveSecurity examines a new backdoor used by the OceanLotus APT group.
OceanLotus ships new backdoor using old tricks
MISCELLANEOUS
- Brett Shavers posted a couple times this week
  - He has released the latest iteration of the Windows Forensic Environment training.
  Windows Forensic Environment – Newest project is complete
  - Brett also comments on the need to document the training that you receive so that you can improve your credibility on the stand/to your manager.
  Some things about training, education, and learning in DFIR
- Alistair Ewing at Compute Forensics walks through the use of Imm2Virtual to create a virtual machine from an image.
How to make a Forensic Image Bootable in VirtualBox for Free
- Brett Shavers at DFIR.Training comments on the need to take stock of the tools at your disposal to solve the problems that you’ve got.
So many tools, so little time, and oh yeah, I forgot about that tool.
- There were a few posts on Forensic Focus this week
  - Scar shares a roundup of forum posts from the last month.
  Forensic Focus Forum Round-Up
  - Logicube will be launching the Falcon-Neo imaging tool soon, shipping in April 2018.
  Logicube® Launches Next-Generation Forensic Imaging Technology
  - L.E. “Ted” Wilson comments on the legal issues surrounding obtaining and using data from mobile phones in a criminal investigation in US jurisdictions.
  Law Enforcement Professionals Need to Evaluate Digital Forensics Practices
- Christa Miller at Magnet Forensics challenges “examiners to think seriously about adjusting their focus to include investing in both an ‘artifact tool’ and a ‘file system tool’”.
File System Forensics: No Longer the Gold Standard? (Part 1)
- Thomas Reed at Malwarebytes Labs shares further information about the GrayKey iPhone unlock tool, as well as an opinion on the potential security implications.
GrayKey iPhone unlocker poses serious security concerns
- Amber Schroader at Paraben Corporation has posted some details of PFIC, as well as a request for feedback on how their products are performing/can be improved.
Checking in on What’s New at Paraben!
- There were a few posts on the SANS Information Security Reading Room this week
  - Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools
  - Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security
  - PCAP Next Generation: Is Your Sniffer Up to Snuff?
  - PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes how to install the SIFT workstation. On a similar topic, Jon Poling started a bit of a discussion about an alternative distro to SIFT.
What is SIFT Workstation and how install it on my Linux (or Windows) system?
SOFTWARE UPDATES
- The Linux version of Autopsy 4.6.0 (beta 1) was released.
Autopsy 4.6.0 Linux ZIP (beta 1)
- Blackbag Technologies have released Mobilyze 2018 R1 to incorporate “new features and improvements that support popular communication applications including WeChat, LINE, and FaceBook Messenger on iOS devices.”
Wechat, Line And Facebook Messenger Support Included In Mobile Forensic Tool Update
- CDQR 4.1.3 was released with some minor improvements.
CDQR 4.1.3
- UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader version 7.2.1 was released with some improvements and bug fixes; the file format viewer is the part I’m most excited about because not being able to examine plists directly in PA has been a pain for a long time.
UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.2 [March 2018]
- Cerbero have released Profiler Advanced v2.9 with “improved support for memory images” including heap and file carving.
Heap & File Carving
- Two versions of Evimetry were released with some bug fixes and enhancements.
- ExifTool v10.86 (development) was released with new tags and bug fixes.
ExifTool 10.86
- Log-MD 2.0 (free and professional) was released with some new features and bug fixes.
LOG-MD Free Edition and LOG-MD Professional version 2.0 released
- Passmark Software updated OSForensics to v5.2.1007 with a couple of bug fixes.
V5.2.1007 – 16th of March 2018
- Sanderson Forensics updated two tools with bug fixes.
- X-Ways Forensics 19.6 SR-1 was released with some minor improvements.
X-Ways Forensics 19.6 SR-1
- Maxim Suhanov released yarp v1.0.16.
1.0.16
And that’s all for Week 11! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!