Lee Whitfield at Forensic 4Cast has opened up voting for the 2018 Forensic 4Cast awards, held at the SANS DFIR Summit in Austin, Texas.
Thanks to everyone that nominated ‘This Week in 4n6’ for blog of the year. Voting ends May 25th, so I’ll post this up a couple times before then to remind people to vote 🙂
Also, if you could click on the DFIR Summit link that would be greatly appreciated; would help my chances in the Speaker challenge to win a smart watch.
Forensic 4:cast Awards 2018 – Voting is Open
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog walks through the use of Registry Miner.
Registry Miner and Time Stamp
- James Habben at 4n6IR shows how to set timezones in Encase and X-Ways, and how to display the timezones next to each timestamp.
- The Blackbag Training Team explain the steps required to mount an APFS E01 or raw image. Side note: Still playing around with the process, but you can use the ditto command to copy to an HFS+ image which can then be viewed in Windows-based tools. Ditto should preserve the file system metadata.
Apple File System In Mac Forensic Imaging And Analysis
- Conor Jackson has uploaded his reports on the NTFS and FAT filesystems.
File-System-Forensics
- The guys at Cyber Forensicator shared a paper by Christopher John Lees titled “GVFS metadata: Shellbags for Linux”.
GVFS metadata: Shellbags for Linux
- Alexis Brignoni at ‘Initialization vectors’ takes a look at the file access metadata of the top five Android media players on Google Play.
Was the video viewed? – Android video player apps
- Paraben have published a post explaining how to acquire Zimbra email and parse it with E3.
Extracting email from Zimbra
- Troy Schnack takes a look at the fb_temp folder on the Android Facebook Messenger app to determine if you can “track whether files or media were actually shared in the app and when.”
FB Messenger App (Android) Media Files Share Tracking
THREAT INTELLIGENCE/HUNTING
- Brittnie Prakash at CrowdStrike describes the Formbook malware and what to look for when hunting for it.
A Hunter’s Perspective: Detecting Formbook 3.8 Activity in Your Environment
- Roberto Rodriguez at “Cyber Wardog Lab” introduces “every component of the [The Hunting ELK, HELK] and provide a few basic use cases to explain some of the benefits that it could bring to a hunt team.”
Welcome to HELK! : Enabling Advanced Analytics Capabilities
- Duncan Slater at Foregenix looks at some of the methods of improving your incident readiness, as well as where businesses need to improve on the typical incident timeline (hint: between the point of compromise and incident detection).
Reducing the Impact of a Breach Through Early Detection (Part 1)
- Carl Leonard at Forcepoint shares his thoughts on the Verizon DBIR.
Timely detection and response – thoughts on the Verizon 2018 DBIR
- Glen Scott shares details of a recent WordPress site hijacking and how he performed his incident response.
WordPress hacked site – forensics report
- Chris Pogue at Nuix comments on their newly released ‘Black Report’.
Nuix Black Report 2018: Getting a Seat at the Table
- Didier Stevens at NVISO Labs shows how to create custom YARA rules.
Creating custom YARA rules
- Oddvar Moe posted a couple of times this week.
- The first demonstrates “a technique to execute any binary file after another application is closed without being detected by Autoruns.exe.”
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
- The second shows a method of placing data into an NTFS ADS and executing it.
Putting data in Alternate data streams and how to execute it – part 2
- Kaspersky’s Global Research and Analysis Team released their APT Trends report for Q1 2018.
APT Trends report Q1 2018
- Jeffrey Carpenter at SecureWorks shares some insights from the “Incident Response Insights Report 2018”.
Top 3 Lessons from a Year’s Worth of Incident Response Data
- Pablo Delgado at Syspanda shares a “configuration [that] will make it easier to parse Syslog messages sent from your Websense appliance to your ELK stack.”
Triton AP-Websense SIEM Logstash Output Configuration
- Verizon released the 2018 Data Breach Investigations Report.
UPCOMING WEBINARS/CONFERENCES
- Belkasoft will be hosting a webinar on April 24, 8 am PDT / 17:00 CET, providing an “overview of new features and improvements in the newest version of Belkasoft Evidence Center.”
Belkasoft Webinar Registration
- Martijn Grooten at VirusBulletin announced the program for VB2018, which is being held in Montreal on 3-5 October 2018.
Broad-ranging and international VB2018 programme announced
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded various presentations from BSides Nashville.
- Belkasoft have uploaded a video showing off the new features of BEC v9.0.
What is new in BEC version 9.0
- Black Hat share the recorded presentation by Chi-en (Ashley) Shen, Kyoung-ju Kwak & Min-Chang Jang titled “Nation-State Moneymule’s Hunting Season – APT Attacks Targeting Financial Institutions”.
Nation-State Moneymule’s Hunting Season – APT Attacks Targeting Financial Institutions
- Joshua James at DFIR.Science walks through the process of identifying physical disks in Windows using the command line, and then monitoring for newly connected drives.
Batch file scripting in Windows to monitor physical drives
- Matt Shannon at F-Response shared a video “on how to leverage the new F-Response v7 (EE,CE+C,CE,TAC) Linux examiner tools”.
F-Response Linux Fu – Your Linux Style is Strong, Make it Stronger!
- Hasherezade walks through unpacking a Kronos sample.
Unpacking Kronos
- Mark Arena shared the slides for his presentation titled “How to build a cyber threat intelligence program”.
- “Open Analysis Live teams up with [Karsten aka] MalwareAnalysisForHedgehogs to unpack Princess Locker. [They] show how to use x64dbg and hooks on VirtualAlloc to dump the unpacked payload then fix the corrupted PE header.”
Unpacking Princess Locker and Fixing Corrupted PE Header (OALabs x MalwareAnalysisForHedgehogs)
- On this week’s Digital Forensic Survival Podcast, Michael talks about the various ports that may be of interest during a network forensics examination.
DFSP # 112 – Port Forensics?
- SANS shared a few videos this week.
- Virus Bulletin shared a presentation from VB2017 by Axelle Apvrille on Android reverse engineering tools.
Android reverse engineering tools: not the usual suspects
MALWARE
- Bogdan Botezatu and Eduard Budaca at Bitdefender Labs share a whitepaper on the RadRAT malware.
RadRAT: An all-in-one toolkit for complex espionage ops
- Hod Gavriel and Boris Erbesfeld at Cyberbit provide a “technical analysis of [the] Early Bird code injection technique”.
New ‘Early Bird’ Code Injection Technique Discovered
- There were a couple of posts on the Dissect Malware blog this week.
- The first examines a VBScript dropper that downloads Revenge RAT.
Stealthy Powershell dropper dropping Revenge RAT
- The second examines a malicious .NET binary file.
Sophisticated Mutli-stage Malware (hosted on pussyhunter.ru)
- Adam at Hexacorn has written a lengthy article on how to be the best malware analyst.
How to become the best Malware Analyst E-V-E-R
- Alexander Sevtsov at Lastline Labs analyses “a variant of the highly evasive banker called Gootkit”.
I Hash You: A Simple But Effective Trick to Evade Dynamic Analysis
- There were a couple of posts on the Malwarebytes Labs blog this week.
- Jérôme Segura looks at the ‘FakeUpdates’ campaign.
‘FakeUpdates’ campaign leverages multiple website platforms
- Vasilios Hioureas walks through his code for his PrincessLocker decryption tool.
Encryption 101: decryption tool code walkthrough
- Diwakar Dinkar and Madhusudhana Kotla at McAfee Labs examine a variant of the CoinMiner malware.
Parasitic Coin Mining Creates Wealth, Destroys Systems
- Erik Van Buggenhout at NVISO Labs walks through an installation script for the Cuckoo sandbox.
Painless Cuckoo Sandbox Installation
- Patrick Wardle at Objective-See examines a calendar app on the Mac App Store that contains a crypto-miner.
A Surreptitious Cryptocurrency Miner in the Mac App Store?
- Mike Harbison and Simon Conant at Palo Alto Networks take a look at the WebMonitor RAT.
Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)
- Lee Holmes discusses a method of XOR-ing data that malware authors have attempted to use to obfuscate content (unsuccessfully).
XOR is Not as Fancy as Malware Authors Think
- Colin and Zak at Red Flame Security provide “a high-level analysis of a recently discovered PlugX malware sample”.
Comprehensive Analysis of a PlugX Malware Variant
- Brad Duncan has a post on the SANS Internet Storm Center regarding some malspam “pushing GandCrab ransomware”.
Glitch in malspam campaign temporarily reduces spread of GandCrab, (Thu, Apr 12th)
- There’s a post on Securelist examining some malware, not yet connected to a specific threat actor, that has been targeting the MENA region.
Operation Parliament, who is doing what?
- Xabier Ugarte Pedrero at Cisco’s Talos blog shares “a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.”
Malware monitor – leveraging PyREBox for malware analysis
- Vitali Kremez analysed some malware.
- Zerophage Malware provides some information about a malvertising campaign utilising the RigEK to distribute the GandCrab ransomware.
Rig EK drops GandCrab Ransomware Via CVE-2018-4878
MISCELLANEOUS
- Brett Shavers has a few posts over a couple of his sites
- First, he talks about the benefits of figuring out your problems rather than asking for the answer. It’s clear that you will learn a lot from identifying your issue and trying to think of all the ways that you can answer your problem; by trying everything you can think of you may just figure out the answer, or at the very least learn something for next time.
“I don’t need to learn. Just give me the answer.”
- He also released case study #8, talking about a case that kept coming back for further work.
Zombie-Cases: Did you ever have a case that just wouldn’t die?
- Brett also has a post on DFIR.Training about correctly identifying whether the suspect in an investigation is the suspect or the victim based on the evidence presented.
Computer owner as victim or suspect?
- Cloudy Forensics has a post explaining some basic usage of the SANS SIFT Workstation.
SANS SIFT Workstation
- There were a few posts on the Magnet Forensics blog this week.
- Jad Saliba performs a speed test between Axiom and IEF to show how much quicker Axiom has become since release.
The AXIOM Performance Journey: How Much Faster is it Now?
- They shared further details about their upcoming Magnet User Summit in Las Vegas (I’ll be there, come say hi!).
Learning and Fun at the Magnet User Summit Las Vegas//2018
- They also have a post about the connections feature in Axiom; “how connections are determined, when to run the feature, how to add new evidence, and how to report them.”
Connections in Magnet AXIOM Q&A Part 1
- MSAB announced a partnership with URSA Inc, led by David Kovar, to improve their capabilities in the field of drone forensics. That being said, they announced a similar partnership with David Kovar last year so I’m not sure what changes URSA will bring.
MSAB & URSA Inc. Partner on Drone Forensic Technology
- Viviana Ross at SANS shared a list of reasons why to attend the SANS DFIR Summit (clicking the previous link helps my chances of winning a smart watch!).
“Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year”
- Kevin Liston has a post on the SANS Internet Storm Center about applying the Feynman Technique to “your Incident Response and Investigation processes”.
Getting Incident Response Help from Richard Feynman, (Sat, Apr 14th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains the use of chain of custody and shares a sample chain of custody form.
Digital Forensic: the Chain of Custody
- Andrea Fortuna also shares some details on the EWF image format, and shows how to mount an EWF image using ewf-tools.
How to mount an EWF image file (E01) on Linux
SOFTWARE UPDATES
- Belkasoft updated BEC to v9.0 with a number of new features and enhancements.
What’s New in Belkasoft Evidence Center 2018 Version 9.0
- Blackbag Technologies released Macquisition 2018 R1.1 to fix some bugs.
Macquisition 2018 R1.1 Release Notes
- Cellebrite updated their UFED line to v7.3, improving app and device support, as well as adding the ability to “generate a backup of an MTK Android mobile device, even if it is locked, and decode it using UFED Physical Analyzer.”
UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.3 [April 2018]
- Eric Zimmerman updated BStrings to v1.3.
Check out @EricRZimmerman’s Tweet
- Evimetry updated to v3.0.9, with some bug fixes.
Release 3.0.9
- ExifTool 10.93 (development) was released with new tags and bug fixes.
ExifTool 10.93
- F-Response 7.0.4.4 and Universal 2.0.1.17 were released.
F-Response 7.0.4.4 and Universal 2.0.1.17 Released
- Paraben released v1.7 of their E3 platform with a number of new features and enhancements.
Paraben’s New 1.7 Version of E3 Platform
- GetData released Forensic Explorer v4.2.8.7284 with some minor updates.
13 Apr 2018 – 4.2.8.7284
- Microsystemation released a number of updates during the week: “XRY 7.7, XAMN Spotlight and Elements 3.2, and XEC Director 3.1”.
Now released: XRY 7.7, XAMN Spotlight and Elements 3.2, and XEC Director 3.1
- Maxim Suhanov released Registry Miner, a tool that “scans a given registry file (primary) and extracts everything that looks like a timestamp.”
Registry Miner
- Oxygen Forensic updated their Detective product to v10.2. This update includes improved drone data extraction capabilities, the “ability to extract the WhatsApp Cloud token from Android OS devices” and more.
Oxygen Forensic® Detective enables drone physical acquisition via USB cable
- Radare2 2.5.0 was released with a number of new features and improvements.
radare2-2.5.0 – eknad
- Alan Orlikoski has renamed CCF-VM to Skadi and released a major update.
Check out @AlanOrlikoski’s Tweet
- Moti Bani released a new tool: “Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threat”.
Invoke-Adversary – Simulating Adversary Operations
And that’s all for Week 15! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!