One more week of (vendor) campaigning for the Forensic 4Cast Awards!
This will be my last mention of it before the actual awards, so if you haven’t already, head over here to vote!
Magnet Forensics lists five reasons why they deserve the Phone Forensic Software of the Year award.
5 Reasons Magnet AXIOM Is Forensic 4:cast’s Phone Forensic Software of the Year
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks into the ActivitiesCache database used by the Timeline feature in Win10 and asks if anyone has identified the data stored within the FileShellLink field.
  Win 10 1803 とActivitiesCache.db
- Chris Sanders demonstrates how to “generate a protocol hierarchy chart in Wireshark” and Tshark, and the benefits of doing so.
  Analyzing Large Capture Files Part 2 – Protocol Hierarchy
- There’s a post on the Cloudy Forensics blog about performing detection and IR in Azure.
  Azure Forensics and Incident Response
- Oleg and Igor at Digital Forensics Corp demonstrate “how to acquire a Gmail account with Thunderbird.”
  Cloud Forensics: Acquisition a web based email account
- Oleg Afonin at Elcomsoft explains Google authentication tokens and shares details of the new tool they released to identify them on a system.
  Accessing Google Account Data without a Password
- Matt Shannon at F-Response shows how to examine the physical memory of a remote machine by combining F-Response and Volatility.
  High speed and low drag, Using F-Response Universal and Volatility for rapid memory consumption
- There’s a post on the MobilEdit blog showing how to dump the memory of an HTC M9 using ISP.
  HTC M9 – dump memory over direct eMMC (ISP) and data extraction
- Gary at Salt Forensics shares some iOS forensic artefacts relating to user activity.
  A Few Interesting iOS Forensic Artefacts
- SalvationData have a post showing how to use SPF to download data from a Samsung device with an unlocked bootloader.
  [Case Study] Mobile Forensics: How to Extract data from a bricked phone?
THREAT INTELLIGENCE/HUNTING
- Adam Meyers at CrowdStrike shares details of the Mythic Leopard APT group.
  Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD
- Gonx0 at ‘Follow The White Rabbit’ explains how to install MISP.
  MISP: Introducción e instalación
- Keshia LeVan at Red Canary has a post focusing on “what happens after a detector is produced and how we measure its effectiveness through tuning.”
  Driving Efficacy Through Detector Tuning: a Deeper Dive Into Detection Engineering
- SANS shared a whitepaper by Lionel Teo on using mathematical calculations for automated detection and analysis.
  Automated Detection and Analysis using Mathematical Calculations
- Sean Metcalf at Trimarc demonstrates how to detect password spraying using Windows Event logs.
  Trimarc Research: Detecting Password Spraying with Security Event Auditing
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has shared the presentations from Nolacon 2018.
- The guys at Cyber Forensicator shared a presentation by Credence Security and Blackbag Technologies about APFS.
  Apple File System (APFS) – Acquisition, Decryption and Analysis
- Didier Stevens walked through some of the new output options he’s put into SpiderMonkey and python-per-line.
- Dave and Matthew hosted a forensic lunch this week, speaking with Troy Schnack, Jason Jordaan, and James Cooksey.
  Forensic Lunch 5 18 18 with Audio Syncd
- OALabs have uploaded a video demonstrating how to “use IDA Pro and x64dbg to take a second look at Gootkit and determine how it uses files name checks to evade analysis”.
  Unpacking Gootkit Part 2 – Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
- On this week’s Digital Forensic Survival Podcast, Michael reviewed Joakim Schicht’s ExtractUSNJrnl and USNJrnl2Csv USNJrnl tools.
  DFSP # 117 – USNJRNL Tool Review
- SANS shared Rob Dartnall’s presentation from the 2018 Cyber Threat Intelligence Summit titled Intelligence Preparation of the Cyber Environment.
  Intelligence Preparation of the Cyber Environment – SANS Cyber Threat Intelligence Summit 2018
- Martijn Grooten at Virus Bulletin shares Filip Kafka’s presentation on the FinFisher spyware.
  Turkish Twitter users targeted with mobile FinFisher spyware
MALWARE
- There was a post on the Execute Malware blog examining an obfuscated malicious script that was distributed in spam.
  A Quick Look At A Malicious Script
- Robert Neumann, Roland de la Paz, and Ran Mosessco at Forcepoint share details of a campaign using a variant of the Ursnif banking trojan.
  The Many Faces of Ursnif – Email Hijacking, Mailslots, and Insecure Servers
- Brian Maloney shares a plugin for ProcDot that allows examiners to resolve IP addresses to locations.
  ProcDOT GeoIP plugin
- Jaewon Min at McAfee Labs shares some details on a recent campaign by the Sun Team hacking group titled RedDawn.
  Malware on Google Play Targets North Korean Defectors
- There were a few posts on the SANS Internet Storm Centre Handler Diaries this week
  - Brad Duncan describes some malspam distributing TrickBot.
    Malspam pushing Trickbot malware on Friday 2018-05-11, (Mon, May 14th)
  - Brad also shares “some phishing emails with links to a fake MyEtherWallet page”.
    Phishing emails for fake MyEtherWallet login page, (Tue, May 15th)
  - Remco Verhoef describes the Redis mining worm.
    Anatomy of a Redis mining worm, (Fri, May 18th)
  - Xavier Mertens shares a malicious PowerShell script found targeting UK banking customers.
    Malicious Powershell Targeting UK Bank Customers, (Sat, May 19th)
- Suguru Ishimaru at Securelist shares details about some recent changes by the Roaming Mantis adversary group, which is expanding its operations geographically as well as broadening its attack and evasion methods.
  Roaming Mantis dabbles in mining and phishing multilingually
- Vitor Ventura at Cisco’s Talos blog examines the Telegrab malware, which collects “cache and key files from end-to-end encrypted instant messaging service Telegram” and “is mainly targeting Russian-speaking victims”.
  TeleGrab – Grizzly Attacks on Secure Messaging
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some thoughts on baselining and monitoring the use of RDP in an organisation to hunt threats.
  Some thoughts about RDP protocol, from the point of view of cybersecurity
- Karl Sigler at TrustWave SpiderLabs describes a maldoc that exploits CVE-2018-8174 and has been “discovered targeting trade agencies and other related organizations in China toward the end of April”.
  CVE-2018-8174 and Forcing Internet Explorer Exploits
- Irshad Muhammad, Shahzad Ahmed, Hassan Faizan, and Zain Gardezi at FireEye discuss the Grobios “Trojan in depth with a focus on its evasion and anti-sandbox technique”.
  A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan
- Nikolaos Pantazopoulos and Thomas Henry at NCC Group describe a new tool that they believe has ties to the Emissary Panda adversary.
  Emissary Panda – A potential new malicious tool
MISCELLANEOUS
- Vitaliy Mokosiy at Atola announced the release of the Atola TaskForce, an update to the Insight which has a built-in touch screen and, thanks to simultaneous imaging, can reach speeds of up to 15 TB per hour. I like that the unit is self-contained, allowing examiners to bring it into the field to take advantage of both its speed and its damaged-drive support.
  We are launching Atola TaskForce. The revolution is here
- The guys at Cyber Forensicator shared a couple of posts this week
  - They shared a tool by Google called Docker Explorer, which is designed “to help forensicate offline docker acquisitions”.
    Docker Explorer – a Tool to Help Forensicate Offline Docker Acquisitions
  - They also advised that Jason Wayne’s book “Cybercrime and Digital Forensics” has been released.
    Cybercrime and Digital Forensics
- There were a couple of posts on the Forensic Focus blog this week
  - Scar at Forensic Focus shared her round-up of forum topics.
    Forensic Focus Forum Round-Up
  - Andrey Fedorov compares ADR512 with Belkasoft Evidence Centre for parsing the database associated with the ‘imo’ messaging app, primarily to show ADR512’s ability to identify deleted messages.
    ADR512 Testing
- Cindy Murphy at Gillware Digital Forensics announced that she will be posting a write-up of an artefact a month. Cindy’s blog is also nominated for 4Cast blog of the year, so if you think that’s worthy of a vote, you can vote here.
  Happy 2nd Birthday, Gillware Digital Forensics!
- Adam at Hexacorn advised that he will be slowing down with his posts (which is a shame, he does good work!), and also shares his process for winning the Malwarebytes CTF.
- Alexis Brignoni at Initialization Vectors has written a review of Paul Sanderson’s recently released “SQLite Forensics” book.
  Book Review: SQLite Forensics by Paul Sanderson
- Jamie McQuaid at Magnet Forensics answers some questions about the recent Volatility integration into AXIOM.
  Answering Some Questions about Memory Analysis in Magnet AXIOM
- Donny Johnson shares a choose-your-own-infosec-adventure online book that’s a bit of fun.
  Welcome to Infosec!
- Hal Marcus at OpenText lists a number of things that forensic examiners need to be able to do and explains how the recent update to EnCase 8 accommodates these.
  7 key things forensic investigators need to do
- Dane Stuckey announced “the alpha release of DARKSURGEON, a Windows 10 packer project”. I haven’t had a chance to dig into it, but it looks like a lot of work has gone into the project.
  DARKSURGEON: A Windows 10 Packer Project for Defenders
- Hoyt Harness at ‘The Positronikal Chronikal’ describes the background leading up to the development of the new CarnivoreLE triage tool.
  A New Live Triage Tool Taking Shape
SOFTWARE UPDATES
- Autopsy 4.7 was released with a number of new features including link analysis, an SQLite/plist viewer, Volatility integration and more. There was also an update to TSK 4.6.1.
  Autopsy 4.7 Includes Link Analysis, Database Viewers, Triage, and More
- DME Forensics released DVR Examiner Version 2.3.1 to resolve some issues.
  DVR Examiner Version 2.3.1
- Elcomsoft released Cloud Explorer 2.10, adding “passwordless authentication into Google Account using binary authentication tokens, and the ability to extract files from Google Drive”.
  Elcomsoft Cloud Explorer 2.10 Adds Google Drive Support with Passwordless Authentication
- ExifTool was updated to v10.97 (development release) with some new tags and improvements.
  ExifTool 10.97 – “Multi-segment EXIF”
- GetData released Forensic Explorer v4.3.5.7364 to fix a couple of bugs.
  18 May 2018 – v4.3.5.7364
- Adam at Hexacorn updated DeXRAY to v2.14, adding “Microsoft Antimalware / Microsoft Security Essentials support”.
  DeXRAY 2.14 update
- “A new version of MISP 2.4.91 has been released including new major features, improvements and bug fixes.”
  MISP 2.4.91 released (aka distribution visualisation, galaxy at attribute level and privacy notice list)
- Cellebrite released v7.5 of their UFED line of products, adding a new physical extraction method for Android devices, as well as improvements to other password bypass and data extraction methods.
  UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.5 & Analytics Desktop 7.0 [May 2018]
- X-Ways Forensics 19.6 SR-5 was released containing some bug fixes.
  X-Ways Forensics 19.6 SR-5
- X-Ways Forensics 19.7 Preview 3 was released with some minor improvements.
  X-Ways Forensics 19.7 Preview 3
And that’s all for Week 20! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!