Last chance to nominate this site for the 2018 Forensic 4Cast Awards. If you have already, it’s very much appreciated.
FORENSIC ANALYSIS
- Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator tested how various actions affect the 8 timestamps on an NTFS volume on a Win10 host. This test shows that there are minor differences compared to the table presented on the SANS poster.
Windows 10 Time Rules
- Digital Forensics Corp shared an article from Meridian Discovery about “how Outlook stores file system timestamps of a file that resided on an NTFS file system”.
Analysis of Email Attachment Timestamps
- Oleg Afonin has posted an article on Forensic Focus about jailbreaking iOS 10 and 11 devices. This process is important to those that want to obtain a physical image of an iOS device.
Jailbreaking iOS 11 And All Versions Of iOS 10
- Alexis Brignoni at ‘Initialization Vectors’ explains his process for finding Discord chats on OS X.
Finding Discord chats in OS X
- Sarah Edwards at Mac4n6 advised that she found plaintext passwords for new APFS volumes in the install.log file (which isn’t cleared until a major OS update). This may have been fixed in the recent update.
OMG, Seriously? – APFS Encrypted Plaintext Password found in ANOTHER (More Persistent!) macOS Log File
- Arman Gungor at Metaspike lists a number of reasons not to use Outlook to preserve an email account.
7 Reasons Not to Use Outlook to Forensically Preserve Emails
- Volume 24 of the Journal of Digital Investigation was released.
- Heather Mahalik at Smarter Forensics searches for Apple Maps data on her various iOS devices and eventually finds that it’s stored in iCloud (but not accessible in the device backups).
First the Grinch and now the Easter Bunny! Where is Apple Maps hiding?
- Maxim Suhanov shares his comments on the recent NIST publication “Windows Registry Forensic Tool Specification”.
Comments on “Windows Registry Forensic Tool Specification” (Public Draft 1 of Version 1.0)
THREAT INTELLIGENCE/HUNTING
- Monty St John has a post on AlienVault’s blog on using YARA rules.
YARA Rules for Finding and Analyzing in InfoSec
- Tom Kellermann at Carbon Black comments on the importance of hunting.
Suppressing the Adversary via Threat Hunt Teams
- Jayden Zheng at Countercept describes application shim databases, as well as “how to hunt for malicious Shim installation and execution”.
Hunting For Application Shim Databases
- Jack Crook at ‘DFIR and Threat Hunting’ tests some theories on detecting C2 traffic.
C2 Hunting
- Adam at Hexacorn shared a few more persistence techniques
  - He shows how we can manipulate a DLL to execute any executable named “mstran40.exe”.
  Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 6
  - He also shows “a very obscure persistence mechanism that affects VMWare Tools versions that utilize the vm3dum DLL”.
  Beyond good ol’ Run key, Part 74
  - Lastly, he demonstrates a persistence mechanism that manipulates the PATH variable.
  Beyond good ol’ Run key, Part 75
- Justin Warner and Stephen Hinck explain what threat hunting is, and describe a threat hunting framework.
Evolve Your Detection Capabilities With Threat Hunting
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has a couple of posts this week
  - He walks through the “Internal Monologue Attack”.
  Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack
  - He also explains the China Chopper Webshell and how to detect it.
  What is the China Chopper Webshell, and how to find it on a compromised system?
- Florian Roth explains the different names given to the various APT actors.
The Newcomer’s Guide to Cyber Threat Actor Naming
- Aaron Goldstein at Tanium explains how the SamSam threat actors exploit systems to deploy ransomware.
SamSam ransomware: How Tanium can help
- Joe Ziemba shows how to examine the Windows event logs to detect password spraying attacks.
Detect Password Spraying With Windows Event Log Correlation
UPCOMING WEBINARS/CONFERENCES
- Cesar Quezada at Magnet Forensics will be hosting a webinar on parsing unsupported mobile apps. The webinar will take place Thursday, April 12 – 9:00AM Eastern Standard Time (New York, GMT-05:00).
Mobile App Parsing – All About that Data
- Kevin Ripa will be hosting a webinar titled “The Magic of Raw Data Carving” on 12th April at 14:30 UTC.
Check out @sansforensics’s Tweet
- Cisco announced that the Talos Threat Research Summit will be taking place June 10 at the Hyatt Regency in Orlando, Florida.
Talos Threat Research Summit at Cisco Live US 2018
PRESENTATIONS/PODCASTS
- Forensic Focus shared a couple of presentations this week
  - They uploaded Christian Zoubek’s presentation from DFRWS 2017 titled “Selective Deletion Of Non-Relevant Data”.
  Video: Selective Deletion Of Non-Relevant Data
  - They also uploaded the recording and transcript from Warren Pamukoff and Tayfun Uzun’s recent webinar on Office 365 investigations.
  Webinar: Forensics In The Cloud
- Magnet Forensics have shared Jamie McQuaid’s recent webinar, “Mobile Trends, Tools, and Methods”.
Recorded Webinar: Mobile Trends, Tools, and Methods
- Karsten Hahn at ‘Malware Analysis For Hedgehogs’ explains how PE files are mapped in memory.
Malware Theory – Memory Mapping of PE Files
- OALabs uploaded a video showing how to analyse the “Adwind / JRAT malware using x64dbg and Java ByteCode Viewer”.
Analyzing Adwind / JRAT Java Malware
- On this week’s Digital Forensic Survival Podcast, Michael provides an overview of two tools by Foxton Forensics: Browser History Viewer and Browser History Capturer.
DFSP # 110 – Web Browser Forensics with Foxton
MALWARE
- Dennis Schwarz at Arbor Networks examines a recent attack utilising a new version of the Panda Banker malware.
Panda Banker Zeros in on Japanese Targets
- Amit Serper and Chris Black at Cybereason examine a “credstealer written with [AutoHotKey] that masquerades as Kaspersky Antivirus and spreads through infected USB drives” that they’ve called Fauxpersky.
Fauxpersky: CredStealer malware written in AutoHotKey masquerades as Kaspersky Antivirus, spreading through infecting USB drives
- Robert Michel at Cyber.WTF examines the Olympic Destroyer malware.
Dissecting Olympic Destroyer – a walk-through
- There were a couple of posts on the “Dissect Malware” blog this week
- Jay Rosenberg at Intezer examines a maldoc utilised by the Lazarus group “targeting potential cryptocurrency exchanges, FinTech, financial companies, and others who might be involved with cryptocurrencies. The malicious document came embedded with an upgraded and revamped version of a RAT they have added to their arsenal.”
Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
- Darryl at Kahu Security provides some details of a file left on a compromised machine that “led to the discovery of a Windows backdoor written in JavaScript and the C&C backend scripts”.
Reflow JavaScript Backdoor
- There were a number of posts on the Malwarebytes Labs blog this week
  - Jérôme Segura takes “a look at an evasion technique used by miners to bypass list-based blockers and behavior-based detection by avoiding maxing out the user’s CPU.”
  Malicious cryptomining and the blacklist conundrum
  - Jérôme also reviewed the exploit kits being used so far in 2018.
  Exploit kits: Winter 2018 review
  - Vasilios Hioureas examines a PrincessLocker sample and shows how to develop a decryptor.
  Encryption 101: Decryptor’s thought process
  - Vishal Thakur guest posts on the QuantLoader trojan downloader.
  An in-depth malware analysis of QuantLoader
- Axel F and Matthew Mesa at Proofpoint examine the history and features of ThreadKit, which is “a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics”.
Unraveling ThreadKit: New document exploit builder used to distribute The Trick, Formbook, Loki Bot and other malware
- Edmund Brumaghin, Andrew Williams, and Alain Zidouemba at Cisco’s Talos blog examine the GoScanSSH malware, which is “a new malware family that was being used to compromise SSH servers exposed to the internet”.
Forgot About Default Accounts? No Worries, GoScanSSH Didn’t
- Dr. Fahim Abbasi and Phil Hay at Trustwave SpiderLabs “provide an analysis of a Java-based malware sample circulated via spam, that leverages Crypter services hosted on the dark web to create mutations to evade detection”.
Crypter-as-a-Service Helps jRAT Fly Under The Radar
- There were a couple of articles on the TrendLabs blog this week
  - Lorin Wu analyses the HiddenMiner Android mining malware.
  Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure
  - Tamada Kiyotaka and MingYen Hsieh examine the latest backdoor utilised in the ChessMaster campaign.
  ChessMaster Adds Updated Tools to Its Arsenal
- Vitali Kremez posted a few times this week
MISCELLANEOUS
- Zak Thoreson at Aqueous Analytics gives some tips on putting together a team to compete in the Collegiate Cyber Defense Challenge (CCDC), as well as how to prepare for the challenge.
CCDC: Tips and Tricks to Managing a Team
- Brett Shavers has a post on creating visualisations to represent datasets, as well as the importance of sharing your findings.
Make DFIR easier to learn with visual aids (and teach students to share their work)
- Over on DFIR.Training, Brett has set up a social network for the DFIR community.
The #DFIR Social Network
- Didier Stevens explains a minor issue when piping from one tool to another, caused by Windows’ interpretation of the EOF character.
CTRL-Z is EOF
- Forensic Focus posted an interview with Farid Emrani, who is the president and CEO of Logicube.
Interview With Farid Emrani, President & CEO, Logicube
- Christa Miller at Magnet Forensics finished her series on the artefacts-oriented approach, with this post covering using the approach to get an idea of the user’s habits, as well as making collaboration easier for non-technical stakeholders.
The Benefits of the Artifacts-Oriented Approach (Part 3)
- Marco Ramilli compares and contrasts “Security Operation Centers (SOC), Computer Emergency Response Teams (CERT) and Computer Security Incident Response Teams (CSIRT)”.
CERTs, CSIRTs and SOCs after 10 years from definitions
- “NIST is releasing a guide that describes procedures for documenting and populating test data on a mobile device as part of testing a mobile forensic tool”
NIST Releases Draft Guide on Mobile Test Devices for Digital Forensics
- Todd A. Faulkner guest posts on the Paraben blog on how to deal with HEIC files.
What do you do with the HEIC file from iOS?
- Phil Hagen at Red Canary describes a number of things to consider when developing successful staff/teams.
Building a Winning Security Team: Practical Tips on Training and Team Development
SOFTWARE UPDATES
- Eric Zimmerman has updated Registry Explorer v1.01, RECmd v1.0, ShellBags Explorer v1.0, AppCompatCacheParser v1.0, AmcacheParser v1.0, and Timeline Explorer v0.8.0.0. These updates primarily relate to adding Registry transaction log support. The Timeline Explorer update includes performance improvements and a “Power filter, which allows for complicated filters across all columns including negation, logical AND, etc.”.
Updates to the left of me, updates to the right of me, version 1 releases are here (for the most part)
- Cellebrite released UFED Cloud Analyzer 7.1, which includes the capability to capture public webpages.
UFED Cloud Analyzer 7.1 Release Notes
- Cellebrite also updated UFED to v7.2.1 to resolve a UFED Reader issue.
UFED 7.2.1 Maintenance Release [March 2018]
- ExifTool 10.88 (development) was released with new tags and bug fixes.
ExifTool 10.88
- ADF Solutions announced the release of Digital Evidence InvestigatorⓇ (DEI) version 1.3.0, Triage-InvestigatorⓇ version 4.3.0, and Triage-G2Ⓡ version 4.3.0.
ADF Launches New Digital Forensic Software Versions
- DeXRAY 2.10 was released to fix bugs handling VBN files.
DeXRAY 2.10 update
- Magnet Forensics updated Axiom to v1.2.6, adding support for Google Hangouts acquisition from the cloud, as well as improvements to password cracking and reporting.
Magnet AXIOM 1.2.6 Brings Cloud Improvements and Support for Google Hangouts
- MobilEdit Forensic Express 5.2 was released, with a number of new features and bug fixes.
Forensic Express 5.2 Released!
- Passware released a new tool, the Passware Encryption Analyzer (2018 v1 Beta). This “is a free tool that scans a system to detect protected or encrypted documents, archives, and other types of files. This application provides detailed information about any protected items found, including protection methods and encryption types.”
New in Passware Encryption Analyzer 2018 v1 Beta
- USB Detective v1.0.3 was released, adding a timeline export feature.
Version 1.0.3 (3/28/2018)
- X-Ways Forensics 19.5 SR-9 was released with various bug fixes.
X-Ways Forensics 19.5 SR-9
- X-Ways Forensics 19.6 SR-2 was released with a number of improvements and bug fixes.
X-Ways Forensics 19.6 SR-2
And that’s all for Week 13! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!