Magnet Forensics wrote a blog post reminding you to go and vote in the Forensic 4Cast Awards. Only a couple more weeks till voting closes!
3 Reasons to Vote Magnet Forensics for Forensic 4:cast Digital Forensic Organization of the Year
Brett Shavers at DFIR.Training shared some stats for the site and asked for your vote for Resource of the Year
Top 3 Reasons to Visit www.dfir.training
You can head over here to cast your vote (*cough* vote for me! *cough*)
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog manually identifies a stream and the DestList of a Jump List.
- James Habben at 4n6IR demonstrates how to “display the owner ID and search for all files owned by that ID” using X-Ways.
Show and Search for Owner ID in X-Ways
- Matt at ‘Bit of Hex’ uncovers further information about a user’s Tor activity by carving a memory image.
Memory Forensics & Tor (part two)
- Chris Sanders shows how to make examining large PCAP files easier by colourising the rows.
Analyzing Large Capture Files Part 1 – Colorizing Conversations in Wireshark
- Cloudy Forensics has a post on incident response during a ransomware infection.
Ransomware Incident Response and Forensics
- Jayden Zheng at Countercept demonstrates “how to extract the C2 from a Meterpreter payload that has been injected into memory”.
Retrieving Meterpreter C2 From Memory
- Oleg and Igor at Digital Forensics Corp describe the various methods of data extraction when looking for chat app data, and show how to analyse instant message databases using Belkasoft Evidence Centre.
Analyzing Instant Messengers with Belkasoft
- Alexis Brignoni at Initialization Vectors examines the TeamViewer Remote Control Android app.
Android Remote Desktop Apps – TeamViewer Remote Control
- Patrick Wardle at Objective-See shows how the macOS Notification Centre can be used to identify Signal’s disappearing messages, if they appeared in the notification bar. He also wrote a tool to locate and parse the notification database for these messages.
When Disappearing Messages Don’t Disappear
- Jasper at Packet Foo shows how to resolve IP addresses in a packet capture to physical locations.
Wireshark GeoIP resolution setup V2.0
- Gary at Salt Forensics posted a couple of times this week
  - He walks through hashing files in X-Ways to generate a hash database.
  Hashing in X-Ways Forensics
  - He also shows how to manually back up an iOS device using libimobiledevice.
  Budget iOS Device Extraction
- Paul Sanderson’s book on SQLite Forensics is now available for purchase. I’ve heard very good things about it so far, so it will be an interesting read for sure.
Check out @sandersonforens’s Tweet
- Rob Lee announced that the SANS Hunt Evil poster has been released.
Check out @robtlee’s Tweet
- SANS also indicated that the Mobile Forensics poster has been updated.
Check out @sansforensics’s Tweet
- The Forensicator has released a second report on the “early media coverage that reported on the “Trump opposition report” (1.doc).”
Media Mishaps: Early Guccifer 2 Coverage
THREAT INTELLIGENCE/HUNTING
- There were a couple of posts by Marc Rivero López this week
  - The first shows how to extract a GUID from a .NET sample to use it for hunting.
  Hunting .NET malware
  - The second looks at the ACE file format for transmitting malware.
  How to deal with .ACE malware files?
- Luis Rocha at ‘Count Upon Security’ shows how to “use the PlugX controller to mimic some of the steps that might be executed by an attacker.”
Malware Analysis – PlugX – Part 2
- Philip Tsukerman at Cybereason demonstrates “new lateral movement techniques discovered by Cybereason that abuse WMI (Windows Management Infrastructure).”
No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal
- Alessandro Quaranta, Luukas Larinkoski, and Stefano Ortolani at Lastline Labs describe a recent attack that was identified by correlating malformed FTP connections with a port scan from the same host.
A Wild Port Scan Appears. What now?
- Palo Alto Networks published a report “detailing the continued growth of Nigerian cybercrime”.
SilverTerrier Update: Increasingly Sophisticated Nigerian Cybercriminals Take Bigger Part of $3B BEC-Related Losses
- Kyle Rainey at Red Canary describes their detection methodology, detector development, and how to “turn a conceptual idea into an operational detector”.
Behind the Scenes with Red Canary’s Detection Engineering Team
- Vicky Ray at the RSA Conference blog “summarizes some of the evolving playbooks of adversaries since early 2017”.
Evolving Playbooks in Targeted APT Attacks across Asia Pacific and Japan
- Ahmed Tantawy at SANS reviews the RSA NetWitness Platform.
Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
  - Xavier Mertens demonstrates how to examine a .JOB file used by a sample to maintain persistence.
  Adding Persistence Via Scheduled Tasks, (Mon, May 07th)
  - Bojan Zdrnja demonstrates how to exfiltrate data using “Windows command prompt commands”.
  Exfiltrating data from (very) isolated environments, (Thu, May 10th)
  - Remco Verhoef shares details of some interesting C2 traffic “coming from 3 separate ip addresses from within China”. “The payloads that have being used are interesting and similar to other njRAT payloads”
  Reversed C2 traffic from China, (Fri, May 11th)
- There’s a post on TrustedSec about detecting Kerberoasting.
The Art of Detecting Kerberoast Attacks
UPCOMING WEBINARS/CONFERENCES
- Belkasoft will be hosting a webinar on SQLite forensics. “During this session the following questions will be explained: freelists, unallocated space, journal files, write-ahead log (WAL) files and carving deleted SQLite databases”. “The webinar will be conducted on May 18, time and join link will be sent to you upon the registration”.
Join us for a free webinar on SQLite Forensics!
- Sarah Edwards will be hosting a webinar on the 29th May at 3:30pm EST on the updates to the FOR518 Mac and iOS Forensic Analysis & Incident Response course.
Check out @sansforensics’s Tweet
- “Registration for VB2018, the 28th Virus Bulletin Conference, which will take place in Montreal 3-5 October this year, is now open.”
Registration for VB2018 now open!
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded various presentations from BSides Detroit.
- Magnet Forensics shared two recorded webinars this week
- Karsten Hahn at Malware Analysis For Hedgehogs discusses “concepts and terminology of encrypted viruses and self-mutating viruses.”
Malware Theory – Oligomorphic, Polymorphic and Metamorphic Viruses
- Nuix uploaded a video demonstrating an investigation into a fictional terrorist threat.
Team Spectre Counter-terrorism Demonstration
- On this week’s Digital Forensic Survival Podcast, Michael walked through Andrew Case’s memory forensics known-malware detection methodology.
DFSP # 116 – Automatic Detection of Malware from Memory Analysis
- Richard Davis walks through various important processes on a Windows system and what normal should look like. He then shows a memory sample from a system infected with malware.
Windows Process Genealogy
- SANS shared Michael Rea’s presentation from the 2018 CTI Summit titled “I Can Haz Requirements?: Requirements and CTI Program Success”
I Can Haz Requirements?: Requirements and CTI Program Success – SANS CTI Summit 2018
MALWARE
- Joe Security shared a report on some evasive malware.
Evasive Malware hits French Corporations
- Chetan Nayak at Network Intelligence shows how to reverse a binary that has an XOR-hidden password inside.
Reverse Engineering For Beginners – XOR encryption – Windows x64
- JJ at DFIR IT analyses “a .NET binary located in a seemingly legitimate subdirectory under Program Files” that contained packaged PowerShell scripts.
Down the rabbit hole with packaged PowerShell scripts
- Vitali Kremez at Flashpoint examines the source code of the TreasureHunter PoS malware.
TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked
- There’s a post on Malwarebytes Labs about the Kuik adware program.
Kuik: a simple yet annoying piece of adware
- Roy Moshailov at Morphisec analyses some “malspam purporting to be from HSBC Bank”.
New Info-Stealing Trojan Spotted in HSBC Malspam Campaign
- Ashwin Vamshi at Netskope shares details of the Xbooster attack kill chain.
Xbooster Parasitic Monero Mining Campaign
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries this week
  - Guy Bruneau requested copies of a script similar to one seen on a honeypot that utilised PowerShell to download a PHP script.
  Scans Attempting to use PowerShell to Download PHP Script, (Sun, May 06th)
  - Xavier Mertens examines some malspam.
  Nice Phishing Sample Delivering Trickbot, (Wed, May 09th)
- There were a couple of posts on Securelist this week
  - Anton Ivanov, Fedor Sinitsyn, and Orkhan Mamedov examine a sample of the SynAck ransomware utilising the “Process Doppelgänging technique”.
  SynAck targeted ransomware uses the Doppelgänging technique
  - Vladislav Stolyarov, Boris Larin, and Anton Ivanov “examine the core reasons behind the latest vulnerability, CVE-2018-8174.”
  The King is dead. Long live the King!
- There were a couple of posts on Cisco’s Talos blog this week
  - Vitor Ventura shares a whitepaper on wiper malware.
  Wipers – Destruction as a means to an end
  - Nick Biasini shares details of the distribution of the Gandcrab ransomware via a spam campaign.
  Gandcrab Ransomware Walks its Way onto Compromised Sites
- There were a couple of posts on TrendLabs this week
  - Ecular Xu and Grey Guo examine a sample of the Maikspy Android malicious APK.
  Maikspy Spyware Poses as Adult Game, Targets Windows and Android Users
  - Hubert Lin shares details of an attack exploiting CVE-2017-10271 to deploy a cryptominer.
  Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability
MISCELLANEOUS
- Andrew Case tweeted out that 44 new OS X profiles were just added to Volatility.
Check out @attrc’s Tweet
- Kent Ickler at ‘Black Hills Info Sec’ demonstrates how to “use a custom dictionary to crack Microsoft Office document encryption”.
How to Crack Office Passwords with a Dictionary
- The CFP for the “Special Issue on Security and Forensics of Internet-of-Things” is open and closes August 15, 2018.
Call-for-papers for Special Issue on Security and Forensics of Internet-of-Things: Problems and Solutions
- Roger A. Grimes at CSO interviewed Rob Lee about his work as a threat hunter.
Who wants to go threat hunting?
- There were a couple of posts on Cyber Forensicator this week
  - They shared Alex Caithness’ blog post on the Win10 Timeline feature and advised that they found the database in a slightly different location.
  Windows 10 Timeline Forensic Artefacts
  - They shared details of a new book titled “Security, Privacy, and Digital Forensics in the Cloud” by Nhien-An Le-Khac, Lei Chen, and Hassan Takabi, due to be published in January 2019.
  Security, Privacy, and Digital Forensics in the Cloud
- Elcomsoft drummed up some fear/rejoice this week when Oleg Afonin warned of a new feature in the iOS 11.4 Beta, called USB Restricted Mode, that cuts the USB connection if the phone hasn’t been unlocked in 7 days.
Patrick Howell O’Neill at Cyberscoop commented on this and advised that the feature was also in a previous beta, but clarified “that USB Restricted Mode is not in the current iOS 11.4 beta”. That’s not to say that it won’t be in the final release, or a future version, as this is clearly something Apple may want to use to combat LE utilising phone brute-forcing services.
In response to this, Vladimir Katalov shared their testing of 11.4 beta 2 and 3 and found that the lockdown record was able to be used after 14 days (well past its 7 day expiration) and stands by the statement that “USB Restricted Mode does kick in after 7 days” on these versions.
Vladimir also mentions that we don’t have accurate estimates of password cracking speeds, and that you can acquire the data from the phones after they’re unlocked using their iOS toolkit. He mentioned that a number of vendors are supporting the Graykey images, but said images are no different to those acquired by the Elcomsoft tool. My understanding is that the Graykey solution will get you slightly more data but I haven’t played with it. Either way, the main benefit of the password cracking solutions is that passwords are required to obtain extractions from locked iOS devices, and lockdown records aren’t always readily available.
I got a bit of a negative impression from that section, not sure if it was intentional; you can use iOS Toolkit for some things (or maybe you’re not allowed to jailbreak devices in your lab making their physical aka file system acquisition moot), but when faced with a locked device and no computer it’s been attached to then you’ve got a few issues.
Thankfully Elcomsoft has put together a lot of articles to familiarise yourself with to see what options you have available if you’re unable to procure the password-cracking services.
- There were a few posts on the Forensic Focus blog
  - Scar de Courcier reviewed Oleg Afonin and Vladimir Katalov’s book “Mobile Forensics – Advanced Investigative Strategies”.
  Mobile Forensics – Advanced Investigative Strategies
  - They interviewed Jim Kent from Black Rainbow about their new lab management tool, Nimbus.
  Interview With Jim Kent, CEO & Co-Founder, Black Rainbow
  - There was a post regarding how the recent update to the Oxygen Forensic Detective product can utilise the WhatsApp Cloud token.
  Oxygen Forensics Introduces New Method Of Decrypting WhatsApp Data
- Lenny Zeltser has written a cheat sheet with some writing tips for IT pros.
Technical Writing Tips for IT Professionals
- Magnet Forensics shared five case studies about how their tools were able to assist law enforcement.
5 Magnet Forensics Mobile Success Stories
- “NIST has published a guide that describes procedures for documenting and populating test data on a mobile test device.”
NIST Publishes Guide on Mobile Test Devices for Digital Forensics: Special Publication 800-202
- Harlan Carvey at Nuix walks through the process of adding YARA and RegRipper to Nuix Workstation.
Step-by-step Guide: Adding Yara and RegRipper to Nuix Workstation
- Andrew Torgan at Project VIC announced that they are working with ForceForge to create “VICLabs”, “to incubate collaborative solutions [that] will lead to positive outcomes for children worldwide, as well as improved processes for law enforcement.”
Project VIC Announces Partnership with ForceForge.org to Fight Domestic and International Child Exploitation
- Andrew also announced the requirements collection phase timeline for the update to VICS 1.4.
Project VIC Announces Requirements Collection for VICS Data Model 1.4 Focused on Vulnerable Communities
SOFTWARE UPDATES
- Arsenal Image Mounter v2.6.35 Beta has been released with a number of new features, including mounting directories and archives and creating Hyper-V VMs from images. They also tweeted out a thread describing the new features. You can register to download it here.
- Eric Zimmerman released WxTCmd, a tool to parse the database for the new Win10 Timeline feature. Eric also updated TLE to v0.8.1.1.
Introducing WxTCmd!
- Macquisition 2018 R1.2 was released to fix a bug in the boot menu.
Macquisition 2018 R1.2 Release Notes
- Didier Stevens updated a couple of his tools this week
- DME Forensics released DVR Examiner 2.3, with an updated UI, performance improvements, and an offline player library.
Now Available: DVR Examiner 2.3
- ExifTool 10.96 (development) was released with new tags and bug fixes.
ExifTool 10.96
- AccessData released AD Enterprise 6.5 with a number of new features.
AccessData Releases New Version Of AD Enterprise
- GetData released Forensic Explorer v4.3.5.7354 with some minor improvements and bug fixes.
10 May 2018 – v4.3.5.7354
- OpenText apparently released EnCase 8.07. I haven’t really seen much about it anywhere outside of this tweet. I would prefer release notes from the official site, but this will do. They added a number of new features including APFS support, as well as improved support for a few encrypted file systems and improved VSC analysis.
Check out @cybr4n6’s Tweet
- Petter Christian Bjelland uploaded a Python library for parsing AccessData AD1 images.
pyad1
- Tableau released v7.23 of the Tableau Firmware Updater, which includes “a firmware update for the Forensic Imager (TX1) and for multiple Forensic Bridges (T6u, T7u, T8u, and Universal Bridge).”
Tableau Firmware Update Revision History for v7.23
- David Cannings at NCC Group released a tool to convert YAML to YARA rules.
Tool release: yaml2yara
And that’s all for Week 19! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!