If you like my work and would like to nominate me for a 4Cast Award for Blog of the year that would be greatly appreciated. Nominations close at the end of this month.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at the “the Shell item structure of the LNK file.”
LNKとShell item
- Forensic Labs provides some instructions on dealing with forensics on AWS cloud instances
How to perform AWS Cloud Forensics
- The guys at Digital Forensics Corp shared a couple of articles this week
- They shared a paper where researchers uncovered illicit data stored within the Bitcoin blockchain.
A Analysis Blockchain Content on Bitcoin
- They shared an article by Kevin J. Ripa on live imaging a Mac.
Forensic Acquisition Mac Computers
- Alexis Brignoni at ‘Initialization Vectors’ shows how to convert UNIX Epoch timestamps that are stored in an SQLite database field to local time.
How to convert UNIX Epoch timestamps in SQLite DB fields to local time.
- Sarah Edwards at Mac4n6 shows how macOS will store the password used to encrypt an existing APFS volume in the unified logs. Howard Oakley also confirms this.
Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app
- Maxim Suhanov has uploaded a “new registry sample & a write-up [on] how applying an active log entry from a transaction log file can bring the hive to the “previous state” [and] missing log entries”
Check out @errno_fail’s Tweet
- Marcus Bakker at MB Secure shows how to determine which process on a network (through a non-transient proxy) is causing traffic to a specific IP.
Volatility: proxies and network traffic
- SalvationData have posted a couple of case studies this week
- The papers from DFRWS EU have been uploaded.
The Proceedings of the Fifth Annual DFRWS Europe Conference
- Howard Oakley at ‘The Eclectic Light Company’ shares details on the macOS unified log.
- The students at ‘The Leahy Center for Digital Investigation’ provided updates on their projects
THREAT INTELLIGENCE/HUNTING
- Jon Gross and Kevin Livelli at Cylance share some details about a recent compromise of core routers by a threat actor
Energetic DragonFly DYMALLOY Bear 2.0
- Daniel Bohannon highlights “a bug [he] found in Sysmon’s event logging that contaminates process command line argument logging and adversely affects at least two different tools used for viewing Windows event logs.”
Test Your DFIR Tools: Sysmon Edition
- Oddvar Moe shares a persistence technique, not detected by Autoruns, that relies on creating the RunOnceEx key.
Persistence using RunOnceEx – Hidden from Autoruns.exe
- Fernando Tomlinson announced that PoSh Hunter is now live and contains over 90 challenges
Check out @Wired_Pulse’s Tweet
- Xavier Mertens has a couple of posts on the ‘SANS Internet Storm Center Handler Diaries’ regarding automated hunting using a combination of MISP, Bro, Splunk, and TheHive.
- Daniel Bohannon at FireEye shares his whitepaper on “command line argument obfuscation that affect static and dynamic detection approaches” and unveils “four never-before-seen payload obfuscation approaches that are fully compatible with any input command on cmd.exe’s command line”.
DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques
- The InThreat team at Sekoia have compiled their findings on the MuddyWater threat group.
Falling on MuddyWater
UPCOMING WEBINARS/CONFERENCES
- Mark Spencer at Arsenal Consulting will be running a webinar on March 27th, 2018 at 2:30pm EDT on “key pieces of evidence that traditional forensic tools overlook in Windows Registry and Hibernation files”.
Uncovering Evidence You Have Never Seen Before from Windows Registry and Hibernation Files
- Derrick Donnelly will be hosting a webinar on April 3 2018 at 17:00 UTC titled “Apple’s latest file system – is APFS a blessing or a curse to digital investigators?”
Apple’s latest file system – is APFS a blessing or a curse to digital investigators?
- Lee Reiber at Oxygen Forensics will be hosting a webinar on extracting data from recreational drones on Tuesday March 27th 2018 at 8 am PDT / 11 am EDT / 4 pm BST.
Drone Forensics – How to deal with the new threat.
- X1 Discovery will be hosting a webinar on Thu, Apr 5, 2018 6:00 PM – 6:30 PM GMT on “how X1 Social Discovery uniquely enables compliance with Rule 902(14) by collecting and preserving electronic evidence consistent with best practices.”
Using X1 Social Discovery to Authenticate Evidence Under New Federal Rule of Evidence 902(14)
- Lisa Stewart and Harp Thukral at OpenText will be demonstrating “the new features of EnCase Forensic 8.06 and share tips & tricks for best practices along the way that can improve your case efficiency”. The webinar will take place on Wednesday, April 04, 2018 at 11:00 AM Pacific Daylight Time.
How to Conduct More Efficient Examinations with EnCase Forensic 8.06
- OpenText released the program for Enfuse 2018. If you’re going there hit me up, I’ll be speaking about personal branding in DFIR on the Wednesday afternoon.
Enfuse 2018 program is here
- The Techno Security program has been released. I’ll be there too! (And not presenting, so less stressed.)
2018 Conference Program
- Nolan Tracy from Teel Technologies will be hosting a webinar on “xBit Digital Case Management” on Thu, Mar 29, at 11:00 a.m. PT / 2:00 p.m. ET (6:00 PM GMT).
Live webinar on Mar 29 at 11:00 a.m. PT / 2:00 p.m. ET
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from BSides Chattanooga 2018
- Joshua James at DFIR.Science uploaded a couple of videos on wiping external media.
- Elcomsoft shared two of their presentations from DFRWS EU 2018; one was on cloud forensics and the other on examining iOS devices
- Hasherezade has uploaded a video showing how to unpack an Ursnif sample.
Unpacking Ursnif
- Martin Barrow at Magnet Forensics has uploaded a video showing how to use Axiom to load a custom image onto a Samsung device to extract data.
AXIOM Advanced Recovery Samsung
- On this week’s Digital Forensics Survival Podcast Michael talked about Didier Stevens’ oledump tool.
DFSP # 109 – OLEDump
- Eric Zimmerman will be hosting a webinar on the latest updates to his registry parsing tools on Wednesday, March 28th, 2018 at 3:30 PM EST (19:30:00 UTC).
Exploring Registry Explorer
- SANS uploaded Jason Jordaan’s recent webinar on testifying at court.
Webcast Series: So, You Have To Testify, Now What (Part 1)
- Steve and Jason at Sumuri talk about how they are coping with the change in the availability of components for the Talino systems due to the current cryptocurrency miner craze.
TALINO Talk ep13
- Ted Smith at ‘X-Ways Forensics’ Video Clips shows how to “save long lists of report table associations for easy re-insertion into other X-Ways Forensics cases, avoiding the need to retype them.”
Video 58 – Save and Load Long Report Table Association Lists
MALWARE
- Malware Breakdown posted twice this week
- The first briefly examines some malspam distributing “Pony and Loki-Bot”
Malspam Delivers Pony and Loki-Bot
- The second examines the Fobos Malvertising Campaign which is delivering the Bunitu Proxy trojan via the RIG EK
Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK
- Marcus Hutchins at MalwareTech describes the various languages that he prefers to use in malware analysis, as well as what makes them useful in particular situations.
Best Programming Languages to Learn for Malware Analysis
- Morphisec posted a couple of articles this week
- Roy Moshailov examines a “Dofoil/Smoke Loader Trojan sample”.
Threat Profile: Dofoil (Smoke Loader) Trojan with Coin-Miner
- Michael Gorelik examines a recent attack exploiting “the Flash vulnerability CVE-2018-4878”
Watering Hole Attack on Leading Hong Kong Telecom Site Exploiting Flash Flaw (CVE-2018-4878)
- Ruchna Nigam and Kyle Wilhoit at Palo Alto Networks examine the TeleRAT Android malware, as well as share some “Operational Security (OPSEC) fails [found] while sifting through multiple malicious APK variants abusing Telegram’s Bot API”
TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users
- Didier Stevens has a post on the SANS Internet Storm Centre examining a maldoc.
“Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence.”, (Sat, Mar 24th)
- Sudeep Singh and Yijie Sui at FireEye examine some “malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide”.
SANNY Malware Delivery Method Updated in Recently Observed Attacks
- There were a couple of posts on TrendLabs this week
- The Trend Micro Cyber Safety Solutions Team walk through a recent attack exploiting CVE-2013-2618 to distribute “a modified XMRig miner.”
Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
- Joseph C Chen examines a campaign distributing ICLoader, which has been seen to download botnets, miners, and ransomware.
Pop-up Ads and Over a Hundred Sites are Helping Distribute Botnets, Cryptocurrency Miners and Ransomware
- Frédéric Vachon at WeLiveSecurity takes a look at “Glupteba, an open proxy previously distributed by exploit kits deployed as part of Operation Windigo”
Glupteba is no longer part of Windigo
MISCELLANEOUS
- AccessData posted a brief interview with Tod Ewasko, their Director of Product Management, regarding incident response.
Digital Forensics 101
- Forensic Labs briefly compares Encase, FTK, and X-ways
Encase vs FTK vs X-Ways Review
- Foreman Forensics added ‘account locking’, “where after a set number of incorrect passwords users cannot log into their accounts even when they have the correct password”.
Account Locking
- Scar at Forensic Focus shares her top articles of the month
Digital Forensics News March 2018
- Susteen announced on Forensic Focus that they have released their new case and data management system, “4N6 Forensic Director”.
Centralize All Your Digital Forensic Tools In One Location
- The guys at InfoSec Institute provide a brief demonstration of Wireshark
Wireshark: An Open-Source Forensic Tool
- Griffeye shared their recent involvement in the Child Exploitation Image Analytics (CHEXIA) project, run by the US Department of Homeland Security’s Science and Technology Directorate. The project seeks to test facial recognition algorithms on “datasets of seized images of child exploitation to see which works the best”.
DHS is using facial recognition to help rescue victims of child exploitation.
- Magnet Forensics continue their series on the artifacts-oriented approach to DFIR, focusing on the evolution of devices towards mobile, cloud and IoT.
The Shift from File System Forensics to Artifacts-Oriented Forensics (Part 2)
- John Patzakis, Esq. at X1 Discovery announces the release of a “freely available, patented electronic evidence verification tool for use in conjunction with evidence collected with X1 Social Discovery.”
A Rule 902(14) Process of Digital Authentication of Social Media Evidence Explained (Technical Overview with Provided Resources)
- Caitlin Condon at Rapid7 recaps the previous threat intel book club meeting where “Rebekah Brown led us through the middle section of The Cuckoo’s Egg and posited some new questions for discussion and reflection.”
Next Threat Intel Book Club 4/5: Recapping The Cuckoo’s Egg
- Steve Watson comments on the recent Uber self-driving car incident, which he notes is the first case he can recall where “a new technology problem [has been] so quickly focused on the digital forensic questions”.
A Preview of Digital Forensic Questions against Emerging Technologies
- Anastasios Pingios at ‘xorl %eax, %eax’ provides a brief review of Michael Sikorski and Andrew Honig’s 2012 book, “Practical Malware Analysis”.
Book: Practical Malware Analysis
SOFTWARE UPDATES
- Amped released ‘Amped Authenticate Update 10641’, introducing the “new Social Media Identification filter”
Identify Social Media Files with Amped Authenticate
- Cyber Triage 2.2.0 was recently released, and Brian Carrier has a post describing the update, which includes integration of YARA and Volatility.
Search For Advanced Malware In Cyber Triage Using Yara Rules
- ViperMonkey v0.06 was released with “new features and bug fixes”
2018-03-22 v0.06
- ExifTool v10.87 (development) was released with new tags and bug fixes.
ExifTool 10.87
- “A new version of MISP 2.4.89 has been released including a new MISP event graph viewer/editor, many API improvements and critical bug fixes (including security related bug fixes).”
MISP 2.4.89 released (aka Event graph viewer/editor)
- MobilEdit released Forensic Express 5.2 Beta with a number of new features and bug fixes.
Forensic Express 5.2 Beta Released
- USB Detective v1.0.2 was released and includes a few new features.
Version 1.0.2 (3/21/2018)
And that’s all for Week 12! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!