FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog deletes some items out of the Win10 Timeline and shows that these events remain in the timeline database for a period (of unknown length) after the deletion. It would be good if he were to check the deleted records after a week or two and see how long they remain.
ActivitiesCache.dbとアクティビティ削除 (ActivitiesCache.db and activity deletion)
- Chris Sanders describes how to “distil packet captures using Suricata, Bro, and PRADS.”
Analyzing Large Capture Files 3 – Distillation with Security Tools
- The guys at Cyber Forensicator shared Ben Potter’s presentation titled “Automating Incident Response and Forensics”
Automating Incident Response and Forensics
- Ricardo Gandara at DFIR VN walks through some of the useful information that can be obtained from examining the Zoho mail platform.
Forensics on Zoho email
- Marcos at ‘Follow The White Rabbit’ has written a lengthy article on (manually and automatically) creating a physical image of a couple of Android devices.
#DFIR: No te creas todo lo que leas, porque todo depende del caso: Physical Imaging Android, (Paso a paso) (#DFIR: Don’t believe everything you read, because it all depends on the case: Physical Imaging Android, step by step)
- Patrick J. Siewert at Pro Digital Forensic Consulting tested the “Significant Locations” feature on iOS and, whilst he was able to locate data of interest directly through the phone, he was unable to identify the same information on the device (it may have been encoded in the significant.* plists).
Apple iPhone “Significant Locations”
- Hal Pomeranz at Righteous IT has a few posts about the XFS file system
  - The first provides a “quick introduction to XFS, the XFS superblock, and the unique Allocation Group (AG) based addressing scheme used in the file system”
  XFS (Part 1) – The Superblock
  - The second looks “at the structure of the XFS inode.”
  XFS (Part 2) – Inodes
  - The last looks at short form directory entries
  XFS (Part 3) – Short Form Directories
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes some of the artifacts that can be examined to identify program execution
Forensic Artifacts: evidences of program execution on Windows systems
THREAT INTELLIGENCE/HUNTING
- Cylance have released their 2017 Year in Review Threat Report.
The Cylance Threat Report: 2017 Year in Review
- Jay Turla at InfoSec Institute has compiled a list of tools that can be used to hunt for malware on a system.
Free & Open Source Rootkit and Malware Detection Tools
- Nathan Little at Gillware Digital Forensics provides some advice on identifying O365 and RDP data breaches.
How to Prevent the Worst Monday Imaginable
- Harlan Carvey at Nuix adapts one of his recent Windows IR blog posts on EDR, explaining the importance of early detection via improved instrumentation/visibility.
Use Early Endpoint Detection and Stop Worrying About Compliance
- The SANS InfoSec Reading Room shared a couple of whitepapers this week
- Didier Stevens at the SANS Internet Storm Center shows what CVE-2018-10561 and CVE-2018-10562 exploit attempts look like on their server.
DASAN GPON home routers exploits in-the-wild, (Sun, May 20th)
- Shane at Swelcher describes some of the recent updates made to his vol2log to ingest the output of the pslist and netscan plugins into Graylog and analyse it there.
PSList Analysis and Netscan Lookups Using Graylog
UPCOMING WEBINARS/CONFERENCES
- Magnet Forensics have announced two new upcoming webinars
  - Christopher Vance will be running a webinar on iOS 11 and Android Oreo on Tuesday, July 10th at 9:00AM EDT and Wednesday, July 11th at 1:00PM EDT.
  iOS 11 And Android Nougat/Oreo – An In-Depth Look At The Latest Mobile OSes
  - Jessica Hyde will be hosting a webinar on identifying IP theft. The webinar will take place on the 19th at 1:00PM EDT and June 20th at 9:00AM EDT
  Connecting Artifacts and Users to Prove Intellectual Property Theft
- Nuix announced ‘The Nuix User Exchange’, held at Huntington Beach, CA, USA from September 16-18, 2018
Nuix User Exchange 2018
PRESENTATIONS/PODCASTS
- Someone tweeted out this presentation on nation state hacking and detection from the recent CRESTCon & IISP Congress Conference and Exhibition; the conference has uploaded a number of the presentations from the event.
Presentations 2018
- Dave and Matthew held a Forensic Lunch at the Magnet User Summit this week where they spoke with Jessica Hyde, Jad Saliba, and Heather Mahalik.
Forensic Lunch: 5/21/18
- Leo Bastidas and Megan Roddie discussed sharing in InfoSec at a recent meetup. Sharing is pretty important to me because otherwise, this site wouldn’t exist.
Sharing is Caring
- Sarah Edwards at Mac4n6 shared her presentation slides and demo videos from her recent presentation at BSides NOLA on APFS.
Presentation Slides & Demo Videos – Getting Saucy with APFS
- On this week’s Digital Forensic Survival Podcast, Michael described the bash_history file that can be found on Linux/macOS systems and is a useful pivot point for an investigation.
DFSP # 118 – .bash_history forensics
- Richard Davis has released an update to his previous Windows Process Genealogy video to coincide with the recent update to the SANS Find Evil poster.
Windows Process Genealogy – Update
- SANS shared Rick Holland’s presentation from the 2018 CTI Summit titled “There Is MOAR To Structured Analytic Techniques Than Just ACH!”
There Is MOAR To Structured Analytic Techniques Than Just ACH! – SANS CTI Summit 2018
- On Talino Talk, Jason spoke with Adam from Samsung about the benefits of using the newer Samsung SSD drives. One of the things that Jason mentioned was how choosing the right equipment can really speed up your acquisition and analysis – one acquisition taking 45 minutes, and another taking 2-3 on the right hardware. This shows that spending a little bit of time thinking about IO/processing speeds may sometimes be worth the effort.
TALINO Talk ep14
MALWARE
- Xavier Mertens shows how to render suspicious EML files in a Docker container using a script he wrote.
Rendering Suspicious EML Files
- Samir Gadgil at Checkmate announced the release of their ransomware simulation framework.
Ransomware Simulation
- Karan Sood at CrowdStrike provides a comprehensive analysis of the Samsam ransomware.
An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER
- Evild3ad examines a maldoc that distributed “ZeusVM aka KINS”
[Maldoc] Word 2007 XML Flat OPC
- There were a few posts on Malwarebytes Labs this week
  - Thomas Reed examines a new piece of Mac malware that mines Monero.
  New Mac cryptominer uses XMRig
  - Hasherezade wrote up an overview of her CrackMe2 challenge as well as announcing the winners.
  Malwarebytes CrackMe 2: contest summary
  - Vishal Thakur decodes Emotet, specifically looking at ignoring the dead code, obfuscated commands, and program flow
  Malware analysis: decoding Emotet, part 1
- Ashwin Vamshi at Netskope provides a “technical analysis of Xbooster, the different Xbooster strains, and the Monero earnings of the associated accounts.”
Technical Analysis of Xbooster parasitic Monero Miner
- There were a few posts on the SANS Internet Storm Center Handler Diaries this week
  - Xavier Mertens shows how a .slk file can be used to trick a user into executing malicious code.
  Malware Distributed via .slk Files, (Tue, May 22nd)
  - Xavier also examines a maldoc with a low VT score.
  Antivirus Evasion? Easy as 1,2,3, (Fri, May 25th)
  - Didier Stevens examines a sample created with NSIS.
  Quick analysis of malware created with NSIS, (Sun, May 27th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some details of the GravityRAT malware
Malware VM detection techniques evolving: an analysis of GravityRAT
- There were a couple of posts on TrendLabs this week
  - Daniel Lunghi and Jaromir Horejsi examine some recent activity by the Confucius threat group
  Confucius Update: New Tools and Techniques, Further Connections with Patchwork
  - Jaromir Horejsi, Joseph C. Chen, and Loseway Lu share details of recent activity by some developers in Moldova, who are delivering a “version of the Revisit remote administration tool, which is used to hijack the infected system. More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers”
  Malicious Edge and Chrome Extension Used to Deliver Backdoor
- Zerophage shares details of a recent infection by the Rig EK that distributed Smoke Loader and a Monero miner
RIG EK via Ngay drops Smokeloader -> XMR Miner
MISCELLANEOUS
- Brett Shavers has written a few articles this week on his personal site and DFIR.Training
  - He lists a few reasons why you shouldn’t hack back.
  Don’t become a hacker by hacking back a hacker that hacked you
  - He comments on a recently added feature to Google allowing for expiration dates on e-mail content. This has been around for a while as an add-on service (I recall one that converted your message to an image and then referenced it in the email) but is now rolling out across Gmail.
  Why does Google think this is a good idea?
  - Brett is also going to start a monthly newsletter for DFIR.Training, and has also opened the doors to guest bloggers
  Yet another DFIR newsletter? Yep.
  - Lastly, Brett has uploaded a video with some tips on getting a job in the DFIR field. There’s a checklist and paper if you sign up to subscribe to the aforementioned newsletter too. (Edit: It’s now been added to the bottom of the post)
  Unlocking the DFIR Door (aka: getting a job in DFIR)
- DME Forensics has uploaded an overview of their DVR Examiner product.
Accessible, Inaccessible, and VERY Inaccessible: Data Recovery with DVR Examiner
- There were a couple of imaging devices released during the week and they were announced on Forensic Focus (as well as on display for the first time at Enfuse)
  - Evimetry Lab was released, which allows for very fast imaging and concurrent processing of data. This was also accompanied by the release of updated Evimetry hardware to help ensure that the bottleneck in imaging is the suspect media
  Evimetry Lab Changes The Game For In-Lab Forensic Workflow
  - Logicube announced the release of the Logicube Neo imaging device.
  Logicube To Showcase Next-Generation Falcon-NEO At Enfuse Conference
- Scar at Forensic Focus shared a selection of articles from the last month to read.
Digital Forensics News May 2018
- Lenny Zeltser provides some guidance for writing in plain English. “By challenging yourself to shorten a complex concept into a single sentence, you motivate yourself to determine the most important aspect of the text, so you can better communicate it to others”
Communicating About Cybersecurity in Plain English
- Scott Worden at Red Canary lists a number of lessons that he has learned working as a SOC analyst over the last three years.
Security Operations Lessons: What My Team Learned Building and Maturing a SOC
- AAron Walters at Volatility Labs announced two Volatility contests. Every year, Volatility Labs puts on a competition encouraging people to build Volatility plugins. This year they have put together a new competition as well. “The Volatility Analysis Contest is intended to encourage people to share the creative ways they are using Volatility to augment their analysis efforts.”
The 6th Annual Volatility Plugin Contest and the Inaugural Volatility Analysis Contest!
SOFTWARE UPDATES
- Plaso 20180524 was released, adding new parsers as well as “a bunch of cleanups, performance tweaks and bug fixes”
Plaso 20180524 released
- Alan Orlikoski updated a couple of tools this week
- Didier Stevens updated his base64dump Python script to version 0.0.10, adding additional encodings.
Update: base64dump.py Version 0.0.10
- ExifTool 10.98 (development) was released, adding new tags and bug fixes.
ExifTool 10.98
- GetData released Forensic Explorer v4.3.5.7370 with some minor improvements.
25 May 2018 – v4.3.5.7370
- Griffeye released Analyze 18.0, adding facial recognition and improved AI technology (trained by Australians! #represent)
Release of Analyze 18.0 – A No-Brainer
- Magnet Forensics released AXIOM 2.1, adding a number of new features including FileVault 2 support, Windows 10 Timeline parsing, and Box.com and Google Takeout ingestion.
Magnet AXIOM 2.1 Builds on the Advances of AXIOM 2.0
- Mark Baggett updated SRUM-Dump to fix some bugs.
Check out @MarkBaggett’s Tweet
- MobilEdit Forensic Express 5.3 was released, adding the ability to take screenshots of devices directly, additional and updated app analysers, as well as other features and bug fixes.
Forensic Express 5.3 Released!
- MobilEdit also improved support in App Analyzer for the Azar iOS and Android apps.
Live Update version 2018-05-24-01
- Radare 2.6.0 was released with a variety of new features.
2.6.0
- SalvationData updated Video Investigation Portable to V1.0.15.7999, adding new file system support, bug fixes, and performance improvements.
[Software Update] VIP V1.0.15.7999 New Version Release for Better User Experience!
And that’s all for Week 21! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!