There were a few more requests for votes for Forensic 4Cast Awards.
- Belkasoft – Phone Forensic Software, and Computer Forensic Software of the Year
- AboutDFIR – Digital Forensic Investigator, and Digital Forensic Resource of the Year
- Magnet Forensics – Digital Forensic Organization, Phone Forensic Software, and Computer Forensic Software of the Year
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog posted a couple of times this week
- The first takes a look at part of the file format used by Jumplists.
JumpList と OLECF file header
- The second continues the examination of a jumplist OLE container, looking at the Sector Allocation Table
JumpList と The allocation table
- James Habben at 4n6IR demonstrates how to view a files owner permissions in EnCase, and then how to filter all files for a specific or list of owners.
Show and Search for NTFS Owner in EnCase
- There were a couple of items on the Cyber Forensicator blog this week
- They shared an article by Chiheb Chebbi on Hadoop forensics.
How to Perform Hadoop Forensics
- “McGraw-Hill Education has announced the second edition of award-winning “Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation” by Lee Reiber”. The book is expected to be published in November 2018
Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation, Second Edition
- Oleg Skulkin and Igor Mikhaylov at Digital Forensics Corp show how to manually acquire a Facebook account. The comment about the process not being forensically sound is interesting; yes, you are making changes to the account to obtain access to it – however, you are also obtaining the data directly from Facebook. Once you download the data you can hash the download to ensure its integrity throughout your examination. If questioned, you’re able to say that “this is the data downloaded directly from Facebook’s servers”. I think it’s as valid as using a forensic tool to acquire the data, however, the forensic tools allow for better searching and reporting. Ultimately you will have to provide a statement to the court to explain what you’ve done, and when you’re dealing with cloud data, I think that take-out features should be considered a viable alternative to downloading data via the API.
Cloud Forensics: How to acquire a Facebook account
- Alexis Brignoni at ‘Initialization vectors’ looks at the Flud Android Torrent application.
Torrent Applications in Android – Flud Torrent Downloader
- Magnet Forensics have released a new whitepaper on the skills that you should develop to master mobile app forensics.
White Paper: 10 Skills You Need Toward Mastering Mobile App Forensics
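The Port 139 posts above walk the OLECF (MS-CFB) header and the Sector Allocation Table that jumplists are built on. The following is an added example, not code from Port 139 or from this post, that parses the 512-byte header, assembles the FAT from the in-header DIFAT entries, and follows a sector chain while refusing loops and out-of-range links, which is where a damaged or deliberately malformed jumplist will trip a naive parser. The test image it builds is constructed for the example and is not a real jumplist; DIFAT continuation sectors and the mini stream are deliberately left out.

```python
import struct

# OLECF / Compound File Binary (MS-CFB) constants
CFB_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT = 0xFFFFFFFA   # largest regular sector number; anything above is reserved
DIFSECT    = 0xFFFFFFFC   # sector holds DIFAT entries
FATSECT    = 0xFFFFFFFD   # sector holds FAT entries
ENDOFCHAIN = 0xFFFFFFFE   # last sector of a chain
FREESECT   = 0xFFFFFFFF   # unallocated sector


def parse_header(data):
    """Decode the 512-byte CFB header at the start of a jumplist (or any OLECF file)."""
    if len(data) < 512 or data[:8] != CFB_SIGNATURE:
        raise ValueError("not an OLECF/CFB file (bad signature)")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04x" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("unsupported version/sector shift %d/%d" % (major, sector_shift))
    (num_dir_sectors, num_fat_sectors, first_dir_sector, _txn_sig, mini_cutoff,
     first_minifat, num_minifat, first_difat, num_difat) = struct.unpack_from("<9I", data, 40)
    return {
        "major_version": major, "minor_version": minor,
        "sector_size": 1 << sector_shift, "mini_sector_size": 1 << mini_shift,
        "num_dir_sectors": num_dir_sectors, "num_fat_sectors": num_fat_sectors,
        "first_dir_sector": first_dir_sector, "mini_cutoff": mini_cutoff,
        "first_minifat": first_minifat, "num_minifat": num_minifat,
        "first_difat": first_difat, "num_difat": num_difat,
        # the header carries the first 109 DIFAT entries: locations of the FAT sectors
        "difat": list(struct.unpack_from("<109I", data, 76)),
    }


def sector_bytes(data, sector, sector_size):
    """Sector n starts at file offset (n + 1) * sector_size; the header occupies 'sector -1'."""
    off = (sector + 1) * sector_size
    if off + sector_size > len(data):
        raise ValueError("sector %d lies past end of file (truncated image?)" % sector)
    return data[off:off + sector_size]


def read_fat(data, hdr):
    """Assemble the Sector Allocation Table from the FAT sectors listed in the header DIFAT.
    Only the 109 in-header entries are followed (enough for files under roughly 6.8 MiB at
    512-byte sectors); DIFAT continuation sectors are not handled in this example."""
    entries_per_sector = hdr["sector_size"] // 4
    fat_sectors = [s for s in hdr["difat"] if s != FREESECT]
    if hdr["num_difat"] == 0 and len(fat_sectors) != hdr["num_fat_sectors"]:
        raise ValueError("header claims %d FAT sectors but DIFAT lists %d"
                         % (hdr["num_fat_sectors"], len(fat_sectors)))
    fat = []
    for s in fat_sectors:
        raw = sector_bytes(data, s, hdr["sector_size"])
        fat.extend(struct.unpack_from("<%dI" % entries_per_sector, raw))
    return fat


def walk_chain(fat, start):
    """Follow a sector chain through the FAT, refusing loops and out-of-range links."""
    chain, seen, cur = [], set(), start
    while cur != ENDOFCHAIN:
        if cur > MAXREGSECT:
            raise ValueError("chain hits reserved sector value 0x%08x" % cur)
        if cur >= len(fat):
            raise ValueError("sector %d is beyond the FAT (%d entries)" % (cur, len(fat)))
        if cur in seen:
            raise ValueError("FAT loop at sector %d" % cur)
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def read_stream(data, hdr, fat, start, size):
    """Concatenate the sectors of a chain and trim to the stream's declared size."""
    out = b"".join(sector_bytes(data, s, hdr["sector_size"]) for s in walk_chain(fat, start))
    if size > len(out):
        raise ValueError("declared size %d exceeds chain capacity %d" % (size, len(out)))
    return out[:size]


def build_sample():
    """Constructed five-sector image (NOT a real jumplist): sector 0 = FAT, 1 = directory,
    2 -> 3 = a stream chain, 4 = free. The directory sector is left blank on purpose."""
    fat = [FATSECT, ENDOFCHAIN, 3, ENDOFCHAIN] + [FREESECT] * 124
    hdr = bytearray(512)
    hdr[0:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    sectors = [struct.pack("<128I", *fat), bytes(512), b"A" * 512, b"B" * 512, bytes(512)]
    return bytes(hdr) + b"".join(sectors)


if __name__ == "__main__":
    img = build_sample()
    h = parse_header(img)
    f = read_fat(img, h)
    print("sector size", h["sector_size"], "FAT entries", len(f))
    print("chain from sector 2:", walk_chain(f, 2))
    print("stream bytes:", len(read_stream(img, h, f, 2, 1000)))
```

Point the same functions at a real `*.automaticDestinations-ms` file and the directory sector (first_dir_sector) is where the per-entry streams and DestList live; on a file that fails `walk_chain`, the error tells you which sector the allocation table stops making sense at.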
THREAT INTELLIGENCE/HUNTING
- David Cowen shared the red team debrief slides from the 2018 National CCDC.
National CCDC 2018 Redteam Debrief
- Adam at Hexacorn shared a number of persistence and anti-sandbox tricks
- Oddvar Moe walks through a program execution technique that utilises GPScript.exe.
GPscript.exe – another LOLBin to the list
- Tom Webb has a post on the ‘SANS Internet Storm Center’ about hunting for user agent strings to identify attackers using common file downloaders such as Curl and Wget.
More Threat Hunting with User Agent and Drupal Exploits, (Fri, Apr 27th)
- David Pany and Matthew McWhirt at FireEye walk through an attacker using RDP for lateral movement and provide recommendations to “help maximize the effectiveness of your RDP baselining exercises, while also reducing the opportunities for RDP to be leveraged for malicious actors within your environment”
Establishing a Baseline for Remote Desktop Protocol
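The user-agent hunt described in the ISC post above comes down to pulling command-line downloaders out of web server logs and then deciding which sources are expected. As an added example (not code from the ISC post or from this blog), the script below parses Apache/nginx combined-format lines, flags user agents that start with a known downloader family, and tallies hits per source so a known scanner or health checker can be baselined out with `ignore_sources`. The log lines are constructed for the example; the IP addresses are from documentation ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Command-line and scripting clients that rarely belong in ordinary browser traffic.
# Anchored at the start of the UA: a browser string that merely mentions "curl"
# somewhere inside it must not match.
DOWNLOADER_RE = re.compile(
    r"^(?P<family>curl|wget|python-requests|python-urllib|libwww-perl|go-http-client)"
    r"/(?P<version>[\w.]+)",
    re.IGNORECASE,
)

# Constructed sample log (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Apr/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 4521 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"',
    '203.0.113.7 - - [27/Apr/2018:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "curl/7.58.0"',
    '203.0.113.7 - - [27/Apr/2018:10:01:11 +0000] "POST /index.php HTTP/1.1" 200 812 "-" "curl/7.58.0"',
    '198.51.100.23 - - [27/Apr/2018:10:02:30 +0000] "GET /sites/default/files/update.sh HTTP/1.1" 404 209 "-" "Wget/1.19.4 (linux-gnu)"',
    '10.0.0.9 - - [27/Apr/2018:10:03:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "python-requests/2.18.4"',
    '192.0.2.44 - - [27/Apr/2018:10:03:41 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; curl-like-bot/1.0)"',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt_downloaders(lines, ignore_sources=()):
    """Return parsed records whose UA is a command-line downloader, skipping baselined sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in ignore_sources:
            continue
        m = DOWNLOADER_RE.match(rec["ua"])
        if m:
            rec["family"] = m.group("family").lower()
            rec["version"] = m.group("version")
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source IP, downloader family) so repeat offenders stand out."""
    return Counter((h["ip"], h["family"]) for h in hits)


if __name__ == "__main__":
    for h in hunt_downloaders(SAMPLE_LOG, ignore_sources={"10.0.0.9"}):
        print(h["ts"], h["ip"], h["family"], h["version"], h["method"], h["path"], h["status"])
    print(summarize(hunt_downloaders(SAMPLE_LOG)))
```

The user agent is attacker-controlled, so treat a hit as a lead rather than a verdict: the interesting part is the source, the path and the status code alongside it, and an attacker who sets a browser UA will not appear here at all.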
UPCOMING WEBINARS/CONFERENCES
- Magnet Forensics announced a couple of webinars this week
- Geoff McGillivray and Cody Bryant will be hosting a webinar on the recent release of Axiom 2.0. The webinar will take place on Wednesday, May 9 – 9:00AM Eastern Standard Time (New York, GMT-05:00).
Using Technology to Find Information Faster and Build Stronger Cases
- Geoff McGillivray and Tayfun Uzun will be hosting a webinar on how the recent update to Axiom can assist in insider threat/data breach investigations. The webinar will take place Tuesday, May 8 – 1:00PM Eastern Standard Time (New York, GMT-05:00)
Finding the Best Starting Point for Insider Threats and Other Workplace Investigations
- The CFP for OSDFCon has opened and will close June 1. OSDFCon will be held on Oct 17, 2018 at the Westin Washington Dulles, and you can register here
- Oxygen Forensics will be hosting a webinar on the report features of Detective on Thu, May 10, 2018 3:00 PM – 4:00 PM GMT.
Oxygen Forensics, Inc Report Features Webinar
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded various presentations from BSides Charm.
- There were a few presentations shared from Black Hat 2017.
- Douglas Brush hosted Robert M. Lee on Cyber Security Interviews this week about his work at the US Air Force, SANS, Dragos and more.
051 – Robert M. Lee: The Adversary’s Ability to Change Their Trade Craft is Difficult
- Forensic Focus uploaded the presentation and webinar on Drone Forensics by Lee Reiber from Oxygen Forensics.
Webinar: Drone Forensics – How To Deal With The New Threat
- F-Response uploaded a number of videos to their YouTube channel this week.
- Jon Poling shared the slides from his BSides SF presentation titled “Logging, Monitoring, and Alerting in AWS (The TL;DR)”.
Check out @JPoForenso’s Tweet
- On this week’s Digital Forensic Survival Podcast, Michael covered the Norse threat tracker.
DFSP # 114 – Go Norse!
- SANS shared Robert M. Lee’s presentation from the 2018 CTI Summit titled The Challenge of Adversary Intent and Deriving Value Out of It – SANS CTI Summit 2018
MALWARE
- Andrey Shalnev at F5 shares details of a recent campaign exploiting CVE-2017-7269 to mine cryptocurrency.
Windows IIS 6.0 CVE-2017-7269 Is Targeted Again to Mine Electroneum
- Vitali Kremez, Amina Bashir, and Paul Burbage at Flashpoint examine a sample of the Rubella Macro Builder crimeware.
“Rubella Macro Builder” Crimeware Kit Emerges on Underground
- There were a couple of posts on the Malwarebytes Labs blog
- Thomas Reed examines a variant of the Crossrider adware.
New Crossrider variant installs configuration profiles on Macs
- Hasherezade shared the latest Malwarebytes CrackMe
Malwarebytes CrackMe 2: try another challenge
- Ryan Sherstobitoff and Asheer Malhotra at McAfee Labs share details of Operation GhostSecret, which “leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra.”
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
- Alex Hinchliffe, Mike Harbison, Jen Miller-Osborn and Tom Lancaster at Palo Alto Networks provide additional details on the HenBox malicious apps.
HenBox: Inside the Coop
- The SANS InfoSec Reading Room shared Hirokazu Murakami’s whitepaper on the WannaCry Worm.
Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules
- Xavier Mertens at the SANS Internet Storm Center examines a method in bash to transmit network traffic.
Malicious Network Traffic From /bin/bash, (Wed, Apr 25th)
- “Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the [Energetic Bear APT] group. The report [that was released] also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017.”
Energetic Bear/Crouching Yeti: attacks on servers
- There were a couple of posts on Cisco’s Talos blog this week
- They have a post detailing “a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that were tied to [the new cryptocurrency] Bitvote.”
Cryptomining Campaign Returns Coal and Not Diamond
- Warren Mercer and Paul Rascagneres “discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.”
GravityRAT – The Two-Year Evolution Of An APT Targeting India
- There were a couple of posts on the FireEye blog this week
- Edson Sierra and Gerardo Iglesias share details of the Metamorfo malspam campaign and examine the accompanying banking trojans.
Metamorfo Campaigns Targeting Brazilian Users
- Michael Bailey walks “through a brief case study of some kernel shellcode, how to load shellcode with FLARE’s kernel shellcode loader, how to build your own copy, and how it works.”
Loading Kernel Shellcode
- There were a couple of posts on the TrendLabs blog this week
- Lenart Bermejo and Ronnie Giagone examine a new variant of the Retadup worm
Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant
- Miguel Ang describes a recent change to the Necurs botnet, which now uses a .URL file to bypass detection.
Necurs Evolves to Evade Spam Detection via Internet Shortcut File
- ESET Research at WeLiveSecurity share details of recent activity by the Sednit group using the Zebrocy malware family.
Sednit update: Analysis of Zebrocy
MISCELLANEOUS
- Brett Shavers talks about a few of the issues that police officers face when working in digital forensics from an operational standpoint – rotations, competing priorities, specialisations etc. The “majority of police agencies are fairly small (less than 100 officers)” line was interesting to me; we don’t have local PDs, instead we have a very large (20k employees/officers) state-based agency. That being said, I’m sure the issues are similar across police agencies worldwide.
Digital Forensics Tenure in Law Enforcement, and other fairy tales
- Didier Stevens shows how to pass standard input into Spider Monkey
SpiderMonkey and STDIN
- Endgame have a post describing the talks that they will be giving at BSides Charm.
We’ve Got It Covered: Endgame Presents at BSides Charm
- There were a couple of posts on Forensic Focus this week
- Scar shares her roundup of forum posts from the last month
Forensic Focus Forum Round-Up
- They also interviewed Richard Frawley from ADF about his background and ADF’s Digital Evidence Investigator.
Interview With Richard T. Frawley, Digital Forensic Specialist, ADF Solutions
- Arman Gungor at Metaspike discusses the pros and cons of filtering e-mails before and after a forensic collection.
Searching & Filtering Emails when Forensically Collecting Mailboxes
- Gary Weiss at OpenText advised that “SC Magazine named OpenText™ EnCase™ Endpoint Investigator and OpenText EnCase Forensic as the Best Computer Forensic Solutions for the eighth consecutive year”
OpenText EnCase wins top forensic award
- Scar de Courcier mentioned a number of resources for the digital forensic community, including a number of nominees for the pending 4cast awards.
Digital Forensics Resources
- Lee Reiber at ‘The Mobile Device Examiner’ comments on a webinar regarding an SQL Query building feature of an un-named tool.
I am back from Dagobah
- Over on my ThinkDFIR site, I wrote a post about the DFIR conferences that I’ll be attending across May and June. If you’re over at any of them and want to catch up then reach out – a few people already have, so it should make for an exciting trip!
My DFIR Conference Tour
SOFTWARE UPDATES
- “Apache Tika 1.18 has been released! This release includes bug fixes (e.g. extraction from grouped shapes in PPT), security fixes and upgrades to dependencies”
Release 1.18 – 4/20/2018
- Cyber Triage 2.2.3 was released with a number of improvements and bug fixes, however, release notes aren’t publicly available.
- Eric Zimmerman updated TimelineExplorer to v0.8.0.1
TLE
- GetData updated Forensic Explorer to v4.3.5.7330 with improvements and bug fixes.
28 Apr 2018 – v4.3.5.7330
- Heather Mahalik released her iOS SMS parser Python script to parse the iOS 11 SMS database.
iOS_sms_parser
- Adam at Hexacorn updated his DeXray tool to v2.13 with additional support.
DeXRAY 2.13 update
- Magnet Forensics released Axiom 2.0 and have shared a few posts about the new features including the Case Dashboard, Volatility integration, and improvements to Magnet AI
Magnet AXIOM 2.0 Is Here to Give You A Better Investigative Starting Point
- Metaspike released Forensic Email Collector v3.1. “Highlights are Search Console for Exchange, ability to split output PST files, and Exchange dumpster support”
- “A new version of MISP 2.4.90 has been released including the new extended events feature along with many updates in improvements in the API, user-interface (including many improvement in the graph editor) and many bug fixes.”
MISP 2.4.90 released (aka Extended Events release)
- Oxygen Forensics have released an update to their Detective product, now at version 10.2.1. “This version resolves an issue related to decryption of the user partition of some Samsung physical dumps and contains other minor improvements.”
Oxygen Forensics has released a maintenance version of Oxygen Forensic® Detective 10.2.1.
- TZWorks released a new build for their tools; “Bugs fixes and minor updates were made throughout the suite of tools”, as well as the release of a new tool, Modular Inspection Network Xfer (minx).
Apr 2018 build (package)
- USB Detective 1.1.0 was released with a number of new features and bug fixes.
Version 1.1.0 (04/23/2018)
- X-Ways Forensics 19.6 SR-4 was released with new features and bug fixes
X-Ways Forensics 19.6 SR-4
And that’s all for Week 17! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
Due to a couple of requests, I’ve also created a donations page for those that didn’t want to support through Patreon.