FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog posted a couple of times this week
  - First, he takes a look at the Property Store data block of a LNK file. Hideaki indicates that this data is not parsed in Plaso.
  LNK and Property Store
  - Next, he looks at some of the timestamps stored in the shell items of a LNK file.
  LNK and Time stamp (FAT date and time)
- Dr. Joe Sylve at BlackBag Technologies answers the “top five frequently asked questions about APFS encryption”
Ask The Expert: APFS Encryption
- The guys at Cyber Forensicator shared a few articles this week
  - They shared a video by Aliaume Leroy from Bellingcat on “open source investigation/verification tools”
  Digital Forensics: Open Source Investigation/Verification Tools
  - They shared details of a new book by Jason Sachowski titled “Digital Forensics and Investigations: People, Process, and Technologies to Defend the Enterprise”, which is expected to be released in May.
  Digital Forensics and Investigations: People, Process, and Technologies to Defend the Enterprise
  - They shared a link to a tool called “Dshell [which] is an extensible network forensic analysis framework, that enables rapid development of plugins to support the dissection of network packet captures.”
  Dshell: An Extensible Network Forensic Analysis Framework
- John Ahearne at DriveSavers explains the “presentation” phase of the IPAP model for digital forensics.
Digital Forensic Process—Presentation
- Vladimir Katalov at Elcomsoft has a writeup of their recent presentation on iOS data extraction. He also comments on competition in the mobile forensic space.
Demystifying Advanced Logical Acquisition
- Mark Lohrum at “Free Android Forensics” walks through the process of copying out the User Data partition of a rooted Android phone to obtain a file system dump.
Obtaining all files in the data partition without a physical image
- Sarah Edwards at Mac4n6 continues her testing of identifying APFS plaintext passwords on various versions of MacOS 10.13. Overall, the bug appears to be fixed as of 10.13.4.
Ok Internet, Lets Test this APFS Plaintext Password Bug Properly
- Pasquale Stirparo has updated his Mac4n6 project with some additional MacOS artefacts.
Check out @pstirparo’s Tweet
- Patrick Siewert at Pro Digital Forensic Consulting runs through the examination of a device with some less-common messaging/calling apps.
About Those Other Texting Apps in iOS…
- SalvationData show how to parse a dump from a memory chip using their SPF product.
[Case Study] Chip-Off Forensics: How to Extract data from Damaged Mobile Devices
THREAT INTELLIGENCE/HUNTING
- Brian Moran at BriMor Labs relays a recent ‘incident’ where threat intel was shared poorly, and suggests some ways that companies can do better.
Fishing for work is almost as bad as phishing (for anything)
- Wasim Halani at Checkmate demonstrates “how we can use the ELK stack to analyze a set of Apache web server logs and identify (potential) malicious actors or traffic patterns.”
Security Analytics Using ELK
- Vitali Kremez, Amina Bashir, and Paul Burbage at Flashpoint provide some details of a recent spate of attacks against Magento sites, as well as IoCs and a YARA rule.
Compromised Magento Sites Delivering Malware
- Adam at Hexacorn posted a couple of items of interest this week
  - He shows that a hosts.ics file placed in the same directory as the hosts file will be treated the same way.
  The little known (I think) secret of hosts.ics
  - He also demonstrates another method of executing PowerShell scripts on a system by using the “environment variable called PSExecutionPolicyPreference.”
  A quick note about PSExecutionPolicyPreference
- Russ McRee at HolisticInfoSec shows some “additional, useful HELK features to aid you in your threat hunting practice”
toolsmith #132 – The HELK vs APTSimulator – Part 2
- Matthew Green provides “an overview [of Powershell download cradles], highlighting areas [he] found interesting thinking about detection from both network and endpoint views.”
Living off the Land: Powershell Download Cradles
- There’s a post on the Pentest Labs blog on “Windows locations where passwords might exist and techniques to retrieve them.”
Dumping Clear-Text Credentials
- James Condon at 401 TRG discusses “a method of conducting threat research on network metadata at scale using Amazon S3, Apache Parquet, Spark, and Zeppelin.”
Building a Data Lake for Threat Research
- Tony Lambert at Red Canary walks through an attack in which an adversary deployed cryptomining software and moved laterally across a network.
Tried-and-True Tactics: How an Adversary Mixed Lateral Movement and Cryptomining
- Xavier Mertens at the SANS Internet Storm Centre shows how to use certutil to download data from a server.
A Suspicious Use of certutil.exe, (Wed, Apr 4th)
- Jurgen Kutscher shares the FireEye M-Trends report for 2018.
M-Trends 2018
- Andreas Sfakianakis at ‘Tilting at windmills’ comments on ENISA’s “comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.”
A Study on Threat Intelligence Platforms
UPCOMING WEBINARS/CONFERENCES
- The agenda for BSides NOLA has been released.
- Rick McElroy and Joe Moles at Carbon Black/Red Canary will be hosting a webinar titled “Operationalizing Your Threat Hunt” on Thursday, April 12th @ 2:00 PM EDT
Operationalizing Your Threat Hunt
- Paraben Corporation shared some information about the PFIC agenda on Forensic Focus
PFIC Agenda Launched & Keynote Announced
- The CFP for OSDFCon is open and will close June 1, 2018
OSDFCon CFP
PRESENTATIONS/PODCASTS
- Michael Gough and Brian Boettcher hosted David Longenecker on the most recent episode of the Brakeing Down Incident Response podcast.
BDIR Episode – 002
- Douglas Brush interviewed Keith McCammon from Red Canary on Cyber Security Interviews this week
049 – Keith McCammon: We Have An Analysis Problem
- Forensic Focus uploaded the recording and transcript of Dr Joe Sylve’s recent webinar on APFS.
Webinar: Ask An Expert: How Will APFS Impact My Investigations?
- Dave and Matthew ran the Forensic Lunch this week, talking about their current projects and testing Windows timestamps.
Forensic Lunch: 4/6/18
- OpenText uploaded their recent webinar on using EnCase Forensic 8.06 in investigations.
How to Conduct Efficient Examinations with EnCase Forensic 8 06
- Hasherezade shows how to deobfuscate an unpacked TrickBot sample.
Deobfuscating TrickBot’s strings with libPeConv
- On this week’s Digital Forensic Survival Podcast, Michael covers some of the important artefacts to consider during an incident incorporating network traffic.
DFSP # 111 – Network Triage
- Richard Davis has released a video showcasing Jason Hale’s USB Detective product.
Introduction to USB Detective
MALWARE
- Alex Constantinou at Foregenix examines a sample of the Zend malware.
New malware affecting Zend Framework.
- Dissect Malware continues the examination of a malicious document
A close look at malicious documents (Part II)
- Or Fridman at Intezer shows how unpacking a malware sample can provide a better understanding of its inner workings.
Unpacking reveals a file’s true DNA
- Brian Maloney shows how to parse “Symantec Endpoint Protection logs” using “Microsoft’s Log Parser and Log Parser Studio”.
Remotely grab Symantec logs with Log Parser
- Malware Breakdown examines some malspam that delivers the Loki-Bot trojan.
Malspam Delivers Loki-Bot
- Malwarebytes Labs analyse the LockCrypt ransomware.
LockCrypt ransomware: weakness in code can lead to recovery
- Amit Malik at Netskope examines the ATMJackpot malware.
Netskope Discovers ATMJackpot Siphoning Cash
- There were a couple of posts on the Palo Alto Networks blog this week
  - They published some information about the Rarog trojan.
  Smoking Out the Rarog Cryptocurrency Mining Trojan
  - Ruchna Nigam provides some analysis of the KevDroid Android spyware that has been linked with “the North Korean Reaper group”
  Reaper Group’s Updated Mobile Arsenal
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries this week
  - Didier Stevens examines a PDF containing malicious links, and also shares an animation of the displayed PDF showing the scenario. Didier also shared advice on detecting PDFs by this actor.
  Phishing PDFs with multiple links, (Sat, Mar 31st)
  - Johannes Ullrich shows a recent attack “exploiting Java deserialization vulnerabilities” on a Windows machine.
  Java Deserialization Attack Against Windows, (Tue, Apr 3rd)
- Warren Mercer, Paul Rascagneres, and Vitor Ventura at Cisco’s Talos blog analyse the KevDroid Android spyware.
Fake AV Investigation Unearths KevDroid, New Android Malware
- Ross Gibb at Cisco shares an article by “Daphne Galme of Cisco, and Michael Gorelik of Morphisec” examining the IcedID trojan.
IcedID Banking Trojan teams up with Rovnix for distribution
- Sudhanshu Dubey at FireEye analyses the JavaScript infection vector used to distribute the NetSupport Manager RAT
Fake Software Update Abuses NetSupport Remote Access Tool
- There were a few posts on the TrendLabs blog this week
  - They examined a large number of samples to identify how effective code signing is at preventing malware. They found that “code signing is a very efficient technique in defending against malware, but as revealed in our research, it is not foolproof and can be abused”
  Understanding Code Signing Abuse in Malware Campaigns
  - Jaromir Horejsi shares details of the latest version of the MacOS backdoor utilised by the OceanLotus threat group. “The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”
  New MacOS Backdoor Linked to OceanLotus Found
  - Chaoying Liu and Joseph C. Chen examine a recent attack against the “AOL advertising platform” that injected CoinHive.
  Cryptocurrency Web Miner Script Injected into AOL Advertising Platform
- Trustlook examine a malicious Android app named “Cloud Module”.
A Trojan with Hidden Malicious Code Steals User’s Messenger App Information
- Vitali Kremez posted a couple of times this week
  - The first reviews and documents the “latest BlackTDS traffic distribution leading to fake Adobe Flash Player and its social engineering theme.”
  Malware Traffic Internals: BlackTDS Social Engineering Drive-By Leads to Fake “Adobe Flash Player”
  - The second examines “the latest module “network64/32Dll,” leveraged by the notorious Trickbot banking malware gang.”
  Let’s Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
- Peter Kálnai and Anton Cherepanov at WeLiveSecurity “review some of the tools [used by the Lazarus group] that were detected on numerous servers and endpoints in the network of an online casino in Central America”
Lazarus KillDisks Central American casino
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ provided a brief update on his happenings in the near future, as well as a listing of current jobs available at NW3C.
2018 National Cyber Crime Conference
- Wesley Vandiver at Berla wrote a couple of posts this week
  - First, he walks through a scenario where incorporating the data held on a vehicle’s infotainment unit may be useful.
  Value of Vehicle System Data in Accident Reconstruction
  - Wesley also shared a new paper that he authored with Robert Anderson addressing “the accuracy of the speed data reported in two common systems supported by iVe – MyFord/MyFord Touch (Sync Generation 2) and Sync3 (Sync Generation 3) systems.”
  iVe Testing and Validation Technical Paper
- Brett Shavers has released a new training course dedicated to WinFE.
5 Cool Things You Can Do with the Windows Forensic Environment (WinFE)
- Brett also has a couple of posts on DFIR.Training
  - The first provides some tips for those looking to improve their branding in DFIR. Basically, try to post on a semi-regular basis, link to your socials, and put a date/RSS feed on your content. Please do this. If you have a site, double check that this works. It makes my life a bunch easier, and you get free exposure dollars 🙂 (FYI, that’s also the TLDR for my Enfuse 2018 talk, but for the more verbose version come and say hi!)
  Top 5 Methods to Make Sure no one Visits Your #DFIR Blog
  - The second is on justifying the expense of tools and training. My main takeaways are that the cost of the tool or training can be justified by the time that it saves you, or the outcome that it gives you in a case. If you could do it with a free or cheap tool, or you could teach yourself, then that works too; sometimes the expenses can be justified by the ROI.
  These DFIR tools are expensive! (but not really)
- Digital Forensic Magazine have an article on the importance of content marketing. Some companies in DFIR do this quite well, and others not so much. I much prefer to read articles from companies that are informative about either better ways to use their product, or understanding artefacts or examination processes (that can be applied to any tool); those are generally the ones I get the most benefit from, and they are also more conducive to sharing.
7 Reasons Why Digital Forensics Should Utilise Content Marketing in 2018
- Jessica Lyford posted a recap of the recent Nuix Insider Conference on Forensic Focus
2018 Nuix Insider Conference Recap
- Peter Warnke at Magnet Forensics explains the benefits of using Axiom’s link analysis (Connections) feature to identify a user’s actions in a timeline.
Telling the Story of Digital Evidence
- Magnet Forensics have released some information about the Capture The Flag competition being run by Dave and Matthew of GC-Partners/Forensic Lunch fame. The prizes look great, and it looks like it’ll be a lot of fun.
Join the DFIR Capture The Flag Challenge at the Magnet User Summit in Las Vegas
- There were a couple of posts on IBM’s Security Intelligence blog on planning for an incident, threat intelligence, detection, and response.
  - Ryan McGeehan provides some scenarios where IR playbooks will be useful and why they should be written.
  Incident Response: Writing a Playbook
- Joseph Balazs shared out the poster that he created with Dr. Marcus Rogers, Dr. John Springer, and Dr. Dawn Laux, titled “Decoding the Hexadecimal Representation of a PostgreSQL Database Table”. There’s also another interesting poster on the site titled “Leveraging Memory Forensics To Decrypt iOS Backups”
Check out @jwbalazs’s Tweet
SOFTWARE UPDATES
- CDQR 4.1.5 was released, aligning various “parser lists with Plaso 20180127” and “Skadi 2018.1”
CDQR 4.1.5
- Didier Stevens updated xmldump to v0.0.3
Update: xmldump.py Version 0.0.3
- ExifTool 10.90 (development) was released with new tags and bug fixes
ExifTool 10.90
- GetData released Forensic Explorer v4.2.8.7234 with a number of updates and bug fixes.
5 Apr 2018 – 4.2.8.7234
- Nrvana released “macOS triage [which] is a python script to collect various macOS logs, artifacts, and other data.”
macOS triage
- RegRipper was updated (version number unchanged) to include a new switch (-uP) that allows users to quickly update profiles to reflect new plugins.
RegRipper Update
- Hasherezade has released PE-bear v0.3.8 with a number of bug fixes.
PE-bear – version 0.3.8 available
- Microsystemation released XRY 7.7 and XAMN 3.2.
XRY updated
- NetworkMiner 2.3 was released, including “improved extraction of files and metadata from several protocols as well as a few GUI updates”, and “VoIP call audio extraction and playback as well as OSINT lookups of file hashes, IP addresses, domain names and URLs” in the professional version.
NetworkMiner 2.3 Released!
- Forensic Browser for SQLite v3.2.14 was released with a number of enhancements and bug fixes
Forensic Browser for SQLite v3.2.14
- USB Detective v1.0.4 was released with some improvements and fixes
Version 1.0.4 (04/06/2018)
- X-Ways Forensics 19.6 SR-3 was released with some bug fixes
X-Ways Forensics 19.6 SR-3
- X-Ways Forensics 19.7 Preview 1 was released with some improvements and bug fixes
X-Ways Forensics 19.7 Preview 1
And that’s all for Week 14! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!