I’m back! Thankfully I was able to get the post done today before jetlag set in.
I’ll probably do a recap of the trip this week if I get a chance to jot down some thoughts. Overall it was fantastic and I had a great time, but it’s good to get home; 4 weeks away is a long time.
FORENSIC ANALYSIS
- Adam Harrison at 1234n6 shares his answer to last week’s Sunday Funday challenge regarding Extended MAPI properties.
Using Extended MAPI Properties to determine email sent time
- Tony at the new Archer Forensics (*cough* my suggestion *cough*) subdomain of AboutDFIR has started the Zeltser challenge
  - The first post describes Tony’s reasoning for starting the blog.
  Removing the Cloak
  - The second shares his GCFA Gold Paper on file system timestamps, and the indication that he’s going to be revising it soon.
  So, who am I?
- Christian Rossow shares a tool written by Michael Brengel “to compress memory dumps of malware sandboxes”
Check out @christianrossow’s Tweet
- Oleg and Igor at Digital Forensics Corp show how to acquire data from LinkedIn directly from the site.
How to acquire a LinkedIn account?
- Cindy Murphy at Gillware Digital Forensics presented some interesting research into USB drive firmware manipulation. This is reminiscent of Courtney Webb’s talk at the 10th DFIR Summit on hard drive firmware manipulation. Cindy showed that “it is possible for multiple USB devices to leave behind forensic artifacts that appear to be generated by a single unique device”.
USB Pwny Express – Counterfeit USB Devices and Anti-Forensics
- David Cowen at the Hacking Exposed Computer Forensics Blog posted a number of times this week
  - Dave shows how “we can determine when exactly someone exported the message out of the mailbox and onto the disk”. The PR_CREATION_TIME timestamp is reset to the time of export. The “PR_MESSAGE_DELIVERY_TIME is still showing the original creation date”
  Daily Blog #390: Exploring Extended MAPI part 4
  - He then copies the email to another volume and observes that the internal creation and modification dates remain unchanged
  Daily Blog #391: Exploring Extended MAPI part 5
  - He shows that O365 brings back the X-Originating-IP header
  Daily Blog #392: Exploring Extended MAPI part 6
  - He also tests “what happens to exported messages when different users edit the message”
  Daily Blog #393: Exploring Extended MAPI part 7
  - On the Forensic Lunch, Dave and Matthew interviewed Jaco Swanepoel about his CTF win at the recent Magnet User Summit.
  Daily Blog #394: Forensic Lunch 6/15/18
  - Congrats to Kevin Pagano for providing a comprehensive answer to last Sunday’s challenge.
  Daily Blog #395: Solution Saturday 6/16/18
  - Lastly, there’s a new Sunday Funday challenge, which appears to be based on my recent tweets about Zone Identifiers. Looks like I’ll be doing a little more work on this tomorrow.
  Daily Blog #396: Sunday Funday 6/17/18
- Bradley Schatz at Schatz Forensics shows how to analyse AFF4 Linux memory images in Volatility.
How to analyse AFF4 linux memory images
- SANS have posted an ‘STI Graduate Student Research’ whitepaper by Ferenc Kovacs on using Win10 as a forensics platform. The paper covers some basic configuration, tool installation, and a comparison of imaging times between FTK Imager and Encase Imager.
Windows 10 as a Forensic Platform
- Volume 25 of the Digital Investigation Journal was released.
- T3k-forensics shared their top 10 challenges in mobile forensics.
10 challenges in Mobile Forensics
- Hoyt Harness at ‘The Positronikal Chronikal’ continues to describe his CarnivoreLE triage tool.
A New Live Triage Tool Taking Shape, Part 2
- Jaco at ‘The Swanepoel Method’ walks through his testing process to get Axiom to parse data from an APFS image. Jaco provides a method that allows him to review the data using Axiom; the additions I’d make to the process are using an HFS+ container and using a command like rsync to preserve the metadata, as Jaco indicated that the metadata changed when moving the files.
Parsing APFS with Axiom before the thing from Lost eats you
- Over on my ThinkDFIR page, I wrote a quick post about Zone Identifiers and how not all ZoneID alternate data streams are created equal (I’m thankful Chrome has such a big market share because of all the valuable data in theirs)
Zone Identifier == kMDItemWhereFroms?
- Costas K shared an interesting registry key that tracks program execution along with a FILETIME last execution timestamp. It appears to be associated with whether the program’s jumplist was populated, but was also seen to be inconsistent. A bit of testing on my end showed that it didn’t populate when jumplists weren’t on, and if jumplist tracking was turned off it would delete the key entirely. I also found that it was refreshed every 24 hours, which wasn’t replicated on other systems. Further testing is required, but this looks like an interesting program execution artefact for some applications.
Check out @sv2hui’s Tweet
THREAT INTELLIGENCE/HUNTING
- Adam Meyers at CrowdStrike provides some details on the Mustang Panda adversary group
Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA
- A threat hunting and remediation workshop for AWS was uploaded to GitHub. “This workshop is designed to help you get familiar with AWS Security services and learn how to use them to identify and remediate threats in your environment”
Threat Detection and Remediation Workshop
- Florian Roth shares a YARA rule creation crackme that was created for their interns.
Check out @cyb3rops’s Tweet
- Sandfly Security show a method of detecting Linux Binary Poisoning manually, as well as using “Sandfly’s automated agentless intrusion detection”
Linux Binary Poisoning Detection – Sandfly 1.1.18 Update
- Lee Neely at SANS shared the outcome of the recent survey on endpoint protection and response.
Endpoint Protection and Response: A SANS Survey
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes LogonTracer by JPCERT/CC, which can be used to associate “a hostname/IP and account name founds in logon-related events and displaying it as a graph”
Analysing Active Directory event logs to identify compromised accounts
- Olaf Hartong shows how to detect if an attacker is trying to alter the Sysmon configuration.
Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering
- Shane at Swelcher shares a Windows Event Collector configuration and has also updated vol2log to add “additional functionality to the PSList output which will add an additional field to compare the process name to the correctly spelled process name”
Windows Event Collector and Event ID Monitoring
UPCOMING WEBINARS/CONFERENCES
- Rich Frawley at ADF will be hosting a webinar on ADF Digital Evidence Investigator on Wednesday, June 20, 2018, at 2:00 PM EDT.
Webinar: Intro To DEI
- Cellebrite will be hosting an “Ask the Expert” session online on June 21, 2018, at 2:00PM ET. You can register here
- “Susteen will be hosting a free live webinar presentation on their new Field Acquisition Device, [on] Tuesday, June 19th at 1:00 pm pacific.”
Immediately Acquire Evidence In The Field From Any Cell Phone – Join Webinar
- SANS announced a webinar by Robert M Lee on Threat Intelligence Naming Conventions, to be held on June 26th at 3:30pm EST.
Check out @sansforensics’s Tweet
PRESENTATIONS/PODCASTS
- Black Hills Info Sec posted the second part of the Attack Tactics series, covering “the defensive components the organization could have implemented to stop us”
Attack Tactics: Part 2
- Daniel Roethlisberger shares his presentation slides from Area41 on monitoring macOS for malware and intrusions.
Check out @droethlisberger’s Tweet
- Sarah Edwards at Mac4n6 shared her and Heather Mahalik’s presentation from the SANS DFIR Summit on interpreting Apple Health data.
Presentation – #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data (SANS DFIR Summit)
- Doug and Russ at Secure Digital Life discussed digital forensics this week. They provided a very broad overview of DF, although they jumped between disk and mobile forensics quite quickly, so those who aren’t aware of the differences may get a bit confused.
Digital Forensics – Secure Digital Life #68
- On this week’s Digital Forensic Survival Podcast, Michael talks about the benefits of scripting regularly performed tasks.
DFSP # 121 – Adventures in Scripting
- J Smith has uploaded slides for both CircleCityCon’s Gotcha! Malware Analysis and Volatility Workshops.
Check out @SimpleSkink’s Tweet
- On this week’s Talino Talk, Jason spoke with “Joe from Nuix [about] why they chose to partner with TALINO as their digital forensic workstation.”
TALINO Talk ep 15
MALWARE
- Mark Lechtik at Check Point examines “the UPAS Kit and the Kronos banking Trojan”.
Deep Dive into UPAS Kit vs. Kronos
- There’s a post on Cloudy Forensics briefly describing the attack chain of cryptomining malware on servers.
Responding to Mining Malware Attacks against Servers
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Brad Duncan examines some Loki-Bot malspam
  More malspam pushing Lokibot, (Mon, Jun 11th)
  - Xavier Mertens shares some details on a recently compromised WordPress site.
  A Bunch of Compromized WordPress Sites, (Wed, Jun 13th)
  - Remco Verhoef shows some SSH commands used by an attacker on a Honeytrap agent
  From Microtik with Love, (Wed, Jun 13th)
- Ben Humphrey at NCC Group examines some maldocs exploiting CVE-2017-8570.
CVE-2017-8570 RTF and the Sisfader RAT
- Zerophage Malware examines an infection chain leading to the GandCrab ransomware.
GranSoftEK drops GandCrab via Ascentor Loader.
MISCELLANEOUS
- Tod Ewasko at AccessData describes the challenges in DF and how AD is looking to “innovate” in this area: crowdsourcing and intelligent parsing.
The Evolution of Evidence Extraction: From ASCII Files to Artificial Intelligence
- Kent R. Ickler at Black Hills Info Sec shares an updated Hashcat cheat sheet
Hashcat 4.10 Cheat Sheet v 1.2018.1
- After a lengthy Twitter discussion about performing research, Brett Shavers at DFIR.Training has added a section to the website to attempt to connect researchers to those able to peer review. Although by the end of the week it seems that this may not end up taking off.
Here’s a potential new method in how you can get your research peer-reviewed
- DME Forensics shared a case study by Detective Raymond Coles from Ocean County where he was able to process a DVR quickly using DVR Examiner.
Case Files: Recovering Evidence Faster with DVR Examiner
- Elcomsoft wrote a couple of articles this week
  - Oleg Afonin shared details on how to keep your iOS device secure.
  Protecting Your Data and Apple Account If They Know Your iPhone Passcode
  - Vladimir Katalov advises that iOS 11.4.1 Beta 2 turns on USB Restricted Mode if the user activates the SOS feature.
  iOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation
- Magnet Forensics posted a number of times this week
  - They announced that “AXIOM will soon be able to ingest data from Child Rescue Coalition (CRC)’s Child Protection System (CPS), a comprehensive system that compiles and curates millions of online child predator records.”
  Magnet Forensics and Child Rescue Coalition Integrate Technology to Help Identify and Apprehend Child Predators
  - They released an e-book on investigating child exploitation cases.
  New E-Book: Best Practices for Successful Child Exploitation Investigations
  - They announced “a new technology integration between Magnet AXIOM and the Semantics 21 (S21) suite of solutions, LASERⓘ-P and LASERⓘ-V, for AI-enabled picture and video categorization.”
  Magnet AXIOM Now Offers Enhanced Integration with Project VIC and Semantics 21
  - They shared the news of their two recent wins at the Forensic 4Cast awards. For any of their competitors reading this blog, just this section alone shows why the community holds Magnet in high regard.
  Magnet Forensics Wins Two Forensic 4:cast Awards!
- SalvationData has released their Data Copy King 2 (DCK 2) forensic imaging device, and a variety of write blockers.
[Products Launch] Boost Your Imaging Speed With SalvationDATA New Generation Forensic Hardware: DCK 2 and Write-Blocker
- Scar de Courcier shares her favourite digital forensics books.
Some Of My Favourite Digital Forensics Books
- Stacey Randolph at ‘The Knowledge Bean’ has embarked on the Zeltser challenge, and her inaugural post lists some areas she will be covering.
#1 – The Zeltser Challenge
SOFTWARE UPDATES
- Volexity have released a new memory acquisition tool called Surge Collect. I think this is a paid product, however, I didn’t see anything about cost on the site.
Surge Collect Provides Reliable Memory Acquisition Across Windows, Linux, and macOS
- Oletools 0.53.1 was released to fix “a few bugs on Python 3”
Check out @decalage2’s Tweet
- Didier Stevens updated a couple of his tools
- Elcomsoft released Elcomsoft Phone Breaker v8.30, adding “the ability to remotely access iMessage conversations stored in Apple iCloud, and becomes the first forensic tool on the market to extract encrypted iMessage conversation histories from the cloud.” Oleg demonstrates how to acquire iMessages from iCloud. Vladimir makes comment on iCloud security.
ElcomSoft Decrypts iMessages in iCloud
- Eric Zimmerman pushed an update to his XWFIM tool
- ExifTool 11.02 was released adding new tags and bug fixes.
ExifTool 11.02
- GetData released Forensic Explorer v4.3.5.7398 with some bug fixes.
14 June 2018 – v4.3.5.7398
- Timesketch 20180613 was released.
20180613
- X-Ways Forensics 19.7 Preview 5 was released with some bug fixes.
X-Ways Forensics 19.7 Preview 5
And that’s all for Week 24! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!