FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog tests out Eric’s MFTECmd by examining a file stored in NTFS’s $EA attribute.
MFTECmd と $EA (MFTECmd and $EA)
- Somehow I missed Mari’s post last week so it’s here this week! Mari’s post covers PowerShell scripts that may be hiding in the registry as their persistence mechanism.
Malicious PowerShell in the Registry: Persistence
- Craig Ball at ‘Ball In Your Court’ looks into a request about MAC times in 7z/Zip containers. The test that he ran showed that copying a file out of a zip container didn’t modify the MD5, but did change the creation time. The addendum also provides the requisite parameters to ensure that 7z preserves the Access and Creation times. A couple of other options are to preserve the $MFT along with the physical files, or to use a container created by a forensic tool to preserve the files of interest.
Preserving MAC Times Collecting Files in E-Discovery
- Brian Moran at BriMor Labs walks through his acquisition of a problematic LG Aristo phone using Magnet Axiom. Curiously, the trust prompt showed up in MTP mode, but the connection protocol then had to be changed to PTP for acquisition.
Who’s Down With PTP?
- Luis Rocha at ‘Count Upon Security’ describes a number of Windows artefacts that can be used to identify program execution.
Digital Forensics – PlugX and Artifacts left behind
- The guys at Cyber Forensicator posted a couple of times this week
  - They shared Joe Gray’s presentation from BSidesKC 2018 titled “Dear Blue Team: Proactive Steps to Supercharge your IR”
  Dear Blue Team: Proactive Steps to Supercharge your IR
  - They shared a paper by Ronald Malden titled “Forensic Analytics for Acquiring and Preserving Reliable Data from Cloud Hypervisors”
  Forensic Analytics for Acquiring and Preserving Reliable Data from Cloud Hypervisors
- Vladimir Katalov at Elcomsoft describes some of the caveats around Elcomsoft’s iOS extraction process.
Breaking Deeper Into iPhone Secrets
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week
  - The first three relate to more MAPI data examination. The first looks at what forwarding an email does to Extended MAPI data.
  Daily Blog #397: Exploring Extended MAPI part 8
  - The second looks at some of the other fields related to “a MAPI property [that is] only set on sent messages that records the type of Client connection that existed when the message was sent.” This may be something that can be used to profile the sender’s mailbox.
  Daily Blog #398: Exploring Extended MAPI part 9
  - The third is about the ClientInfo property, and how it appears to be “populated/provided within an Exchange server organization.” Dave also provides a use case where you may be able to use this information to “get through all the messages the employees received and identify even faster which ones came from the attacker by isolating which Clients which employees were using and which the attacker was using.”
  Daily Blog #399: Exploring Extended MAPI part 10
  - The Magnet CTF challenge images have been uploaded, and Jessica Hyde also uploaded the processed Axiom case.
  Daily Blog #400 – Forensic challenge image for the Magnet User Summit
  - The CTF site has also been opened up so you can play along at home.
  Daily Blog #401: Magnet User Summit CTF is now open to the public
  - Dave shared my solution to his Sunday Funday challenge on ZoneIDs. Overall, I found that different applications create different ZoneIDs, and tested a number of ways to download a file onto my Win10 machine. It turns out other applications outside of browsers set a ZoneID (i.e. O365, Windows Mail, Skype). There are plenty more things to test; my suspicion is that more Microsoft apps will set them.
  Daily Blog #402: Solution Saturday 6/23/18
  - Lastly, Dave posted this week’s Sunday Funday challenge; this time regarding the “timezone field to document which timezone a timestamp was populated with” on an exFAT volume.
  Daily Blog #403: Sunday Funday 6/24/18
- Jamie McQuaid at Magnet Forensics shows how to ingest the files output by the GrayKey device into Axiom.
Loading GrayKey Images into Magnet AXIOM
- Patrick Wardle at Objective-See raises a security concern regarding the QuickLook cache on macOS. This may be useful for those trying to determine if a file has been copied to external media (regardless of encryption status/security concerns).
Cache Me Outside
- Chapin Bryce at ‘Pythonic Forensics’ has returned to blogging!
  - The first post shows how to interact with the registry using the registry-python library.
  Python as a Forensic Tool
  - The second looks at registry timestamps and shows how to perform frequency analysis on timestamp updates in an effort to determine which activity modifies the timestamps we may be interested in. If a key of interest is modified, then looking at the other keys modified at the exact same time may give us clues as to what activity occurred (such as Windows updates).
  Trusting Registry Timestamps
- SalvationData shares a case study showing how to use their tools to repair and image a damaged hard drive.
[Case Study] Computer Forensics: Data Recovery & Extraction From Platter Scratched Hard Drives
- Stacey Randolph at ‘The Knowledge Bean’ posted a number of times this week
  - She shares details of her favourite presentations from the SANS DFIR Summit
  #2 – SANS DFIR Summit
  - She shares a method of acquiring data from iOS devices without fancy forensic tools: iTunes! And then iBackupBot to review the data.
  #3 – iTunes Backups
  - She also describes how she ended up in digital forensics
  #4 – Taking a Step Back
  - Back to iTunes backups; Stacey shows what can be found in the Info plist
  - As well as the Manifest
  - and Status plists
  - Lastly, she shows the iTunes Backup Manifest.db, which is an “SQLite database storing information about the iTunes backup.”
  #8 – iTunes Backup Manifest.db
- Jaco at ‘The Swanepoel Method’ replicated and expanded on some of my findings on Zone.Identifiers. Jaco was able to test what I found, as well as some use cases surrounding the Edge browser.
Highway To The Danger Zone.Identifier
- There’s a post on TM4n6 showing how to examine alternate data streams on Linux and Windows.
Extracting ADS using Linux
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ has released her “guide on data leakage and IR in the cloud.”
CLOUD EXPOSURE, DLP & IR, A-Z
THREAT INTELLIGENCE/HUNTING
- CrowdStrike shares details of, and a Python module for, the Office 365 Activities API, which can be used to obtain additional mailbox information from Office 365 when investigating business email compromises.
Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises
- Adam Harrison at 1234n6 tested the module out and shared the output.
Office 365 Activities API – Example Output
- Vishal Thakur at Salesforce Engineering examines the Kardon trojan downloader.
Kardon Loader: Malware Analysis
UPCOMING WEBINARS/CONFERENCES
- Rich Frawley at ADF will be hosting a webinar on Wednesday, June 27, 2018 at 2:00 PM EDT on “fraud investigation best practices”. “Rich will showcase how investigators and Digital Crimes Units are saving time using ADF’s intelligent approach to investigating cases quickly thereby reducing the need to image every device and reducing forensic backlogs.”
Webinar: Solve Fraud & Economic Crimes
- Comae Technologies will be re-running their intro to memory forensics webcast on Tuesday, June 26 at 11 AM PST and Tuesday, July 3 at 11 AM PST.
Webcast: Introduction to Memory Forensics With Comae
- Heather Mahalik will be running a SANS webcast titled “No tool fits all – Why Building a solid Toolbox Matters” on July 10th at 3:30 PM EST.
Check out @sansforensics’s Tweet
PRESENTATIONS/PODCASTS
- Adrian Crenshaw shared the presentations from BSides Cleveland 2018
- Kevin Delong at Avairy Solutions shared a sneak peek of his Twitter extraction tool.
Twitter Project
- BlackBag Technologies shared a video showing off BlackLight’s Windows memory analysis capabilities.
Windows RAM Analysis
- Magnet Forensics shared the recording of Jessica Hyde’s webinar on cases involving intellectual property theft
Recorded Webinar: Connecting Artifacts And Users To Prove Intellectual Property Theft
- OALabs uploaded a video showing how to unpack “TrickBot and extract its configuration file using x64dbg and a Python script from the KevinTheHermit project”
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
- On this week’s Digital Forensic Survival Podcast, Michael talked about the ATT&CK matrix.
DFSP # 122 – ATT&CK Matrix
- Richard Davis at 13Cubed “takes a comprehensive look at the Windows event IDs and associated logs that will be of interest when investigating RDP-related activity … based upon research by Jonathon Poling”
RDP Event Log Forensics
- SANS shared Matt Jane’s presentation from the 2018 CTI Summit titled “ElasticIntel: Building an Open-Source Threat Intel Aggregation Platform”
ElasticIntel: Building an Open-Source Threat Intel Aggregation Platform – SANS CTI Summit 2018
MALWARE
- Arbor Networks have a post examining the Kardon Loader malware.
Kardon Loader Looks for Beta Testers
- Hubert Barc at CERT Polska examines the Backswap banking trojan.
Backswap malware analysis
- There were a couple of posts on the Check Point blog
  - Mark Lechtik compares the Kronos and UPAS Kit trojans
  Deep Dive into UPAS Kit vs. Kronos
  - There’s also a post examining the Karius banking trojan.
  Banking Trojans Under Development
- Cybereason walks through an attack that deployed a customised version of Mimikatz.
Attackers incriminate a signed Oracle process for DLL hijacking, running Mimikatz
- The Cylance Threat Guidance Team shares details on the recent resurgence of the URLZone malware.
Threat Spotlight: URLZone Malware Campaigns Targeting Japan
- Alexander Sevtsov at Lastline Labs examines a cryptominer with a couple of “evasion tricks used to bypass dynamic analysis systems.”
Evasive Monero Miners: Deserting the Sandbox for Profit
- Malwarebytes Labs posted an analysis of an updated version of the SamSam ransomware.
SamSam ransomware: controlled distribution for an elusive malware
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Xavier Mertens deobfuscates “a suspicious piece of a Javascript code”.
  Malicious JavaScript Targeting Mobile Browsers, (Mon, Jun 18th)
  - Xavier also shares a “piece of PowerShell code which is executed from a Word document”
  PowerShell: ScriptBlock Logging… Or Not?, (Tue, Jun 19th)
  - Didier Stevens analyses “a malicious, encrypted Excel document, with a twist.”
  Encrypted Office Documents, (Sun, Jun 17th)
- Sebdraven examines an “rtf document that exploits Office with the vulnerability on equation rendering in Office product. (CVE-2017-11882)”
A quick analysis malicious RTF to write yara rule part 1
- Warren Mercer and Paul Rascagneres at Cisco’s Talos blog share details of “a new campaign involving the FormBook malware”.
My Little FormBook
- Rodel Mendrez and Lloyd Macrohon at SpiderLabs analyse a malicious Android APK attached to malspam as SilverBox.apk
Red Alert v2.0: Misadventures in Reversing Android Bot Malware
- There were a couple of posts on the TrendLabs blog this week
  - Ecular Xu examines the malicious Android app FakeSpy
  FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
  - Jed Valderama, Ian Kenefick, and Miguel Ang describe the IQY files that the Necurs botnet is using to avoid detection. “Once the user executes the IQY file it queries to the URL indicated in its code, the web query file pulls data … from the targeted URL into an Excel worksheet.” This then abuses Excel’s DDE feature.
  Necurs Poses a New Challenge Using Internet Query File
- Tamas Boczan at VMRay examines a sample of GandCrab
The Evolution of Gandcrab Ransomware
MISCELLANEOUS
- Brett Shavers at DFIR.Training shares “a brief list of reasons of why [he thinks] DFIRers blog their research rather than formally publish it through a peer review process.”
Following up on Twitter conversations about publishing #DFIR research..
- Joshua I. James at DFIR Science then provides his response: that Open Journal Systems may be a potential solution. Personally, I think that academia should be picking up the things that people are blogging about, getting those people on board, and formalising research that’s “already been done”. There’s a lot of “we need to find brand new”, but just search my site; there’s lots of brand new to go off, but there’s also lots of “does this still apply today”, which is equally valuable. That being said, my main gripe is that academia gets paid to write papers, journals get paid for people to read them, but reviewers, as far as I know, have to volunteer. Outside of a printable certificate, free access to the journal, and a line item on your resume, I don’t see much incentive.
Re: Publish your #DFIR research!
- Joe Sylve asked the Twitterverse why people haven’t published their research outside of blog posts; hopefully, we’ll get to see the presentation he was preparing for soon.
Check out @jtsylve’s Tweet
- Adam Harrison at 1234n6 shares his thoughts on the disclosure of the O365 hidden API; although this was just one case, the overarching theme can be found in the opening paragraph: “The whole field of DFIR thrives and survives on shared research. Professionals who identify novel techniques or develop tools which they share outside their organisation help to drive progress, achieve better understanding and ultimately help the community in the arms race against bad actors.”
Sharing is Caring – The Secret O365 API
- Eric Huber at ‘A Fistful of Dongles’ talks about preparing your resume (both the formatting and the content) for a life after law enforcement. That being said, a lot of the rules apply across the board.
Life After Law Enforcement: How to Prepare
- Tony at Archer Forensics wrote a few posts this week
  - The first covers preparing for work travel
  Travel: It Is Not Just For Airline Status Pt. 1
  - The second covers what to pack in your carry-on for an engagement.
  Travel: It Is Not Just For Airline Status Pt. 2
  - Tony asks why DFIR doesn’t have its own ‘team name’ and questions why “so much emphasis has been put on Red Teaming”
  Playing Nice in the Sandbox Together
  - He also recommends that people learn to love the command line; lots of command line tools are very quick and very powerful, as long as you know how to interpret the results.
  Command Line or: How I learned to stop relying on GUI interfaces and love the syntax
  - Lastly, Tony shares his method of preparing for a GIAC certification exam.
  Preparing for a GIAC Test….This is not the CISSP
- Yulia Samoteykina at Atola describes the various methods to interact with the new TaskForce product.
Atola TaskForce’s connectivity and multi-user access
- Matt at ‘Bit of Hex’ proposes a different way to look at forensic artefacts: instead of categorising by objective (i.e. proving program execution, user activity), Matt suggests categorising data by its use, i.e. user data, user experience artefacts, etc.
A Different View of Forensic Artefact Typologies
- Dan O’Day at 4n68r has moved his blog, and whilst explicitly stating he won’t be undertaking the Zeltser challenge, has committed to continuing “sharing with the DFIR community through speaking/teaching, sharing code, and documenting things I learn along the way”
Updated website
- Brett Shavers shares his opinion about expertise in the field. Something I’ve been telling a lot of people who use the “I’m new, what can I share” mantra can be responded to as Brett does in this post: “If you are looking for something to propel you into DFIR, find something that no one is doing, cares about, or knows about. Research that thing and find the DFIR relationship of that thing. Master it. Publish it with any means possible, including a blog post.”
In the #DFIR world, it seems like everyone is an expert….
- David Toy at Cyan Forensics explains how Cyan Examiner uses statistical analysis to determine if an item matches their contraband filter.
What does 99% confidence mean?
- DME Forensics have a post showing the new interface for DVR Examiner v2.3.0.
A New User Interface for DVR Examiner
- There were a number of posts on Forensic Focus this week
  - They shared Felix Anda, David Lillis, Nhien-An Le-Khac & Mark Scanlon’s paper on estimating age based on facial features.
  Evaluating Automated Facial Age Estimation Techniques For Digital Forensics
  - Scar reviewed Paul Sanderson’s SQLite Forensics
  Review Of SQLite Forensics By Paul Sanderson
  - She then provided a recap of Techno Security Myrtle Beach 2018
  Techno Security Myrtle Beach 2018 – Recap
  - She shared a round-up of the top forum posts in the last month
  Forensic Focus Forum Round-Up
  - She also shared her top news picks from the month.
  Digital Forensics News June 2018
  - Lastly, they shared Asanka Sayakkara, Nhien-An Le-Khac & Mark Scanlon’s paper on using “Electromagnetic Side-Channel Attacks” to potentially obtain data from encrypted devices.
  Electromagnetic Side-Channel Attacks: Potential For Progressing Hindered Digital Forensic Analysis
- Gary at Salt Forensics walks through spinning up an AWS instance to assist in AWS data collection.
AWS for Forensics (2)
- Hoyt Harness at ‘The Positronikal Chronikal’ thanks a number of the early pioneers in DFIR.
A Thank You to the Pioneers
- Troy Schnack shares some analogies for deleting files that can be used to explain the concept to lay audiences.
How to Explain Deleted Data: For Attorneys, Clients, Juries and More
SOFTWARE UPDATES
- Amped FIVE was updated to v11284 with a number of features and bug fixes.
Amped FIVE Update 11284: Multiplexed Stream Support, Proprietary Timestamp, Remove Frames Filter, and a Whole Lot More
- Eric Zimmerman has released MFTECmd (v0.2.5.0), a command line MFT parser. To accompany this, Eric also updated Timeline Explorer to v0.8.4.0
Introducing MFTECmd!
- Profiler 2.9.2 was released with additional support for the “new heap introduced in Windows 10.”
Profiler 2.9.2 – Windows 10 Heap
- Jonas Plum has released afro, “an open source DFIR tool for file recovery of APFS volumes”
Check out @cugu_pio’s Tweet
- Didier Stevens updated a few of his tools
- Elcomsoft released iOS Forensic Toolkit 4.0, “adding iOS keychain extraction via a newly discovered Secure Enclave bypass”, as well as crash log extraction (editor’s note: I think you may be able to extract crash logs using Xcode, but I’m not certain).
iOS Forensic Toolkit 4.0 with Physical Keychain Extraction
- ExifTool 11.03 (development) was released, adding new tags and bug fixes.
ExifTool 11.03
- GetData released Forensic Explorer v4.3.5.7438 with some additional features and bug fixes.
21 June 2018 – v4.3.5.7438
- Magnet Forensics released Axiom 2.2, adding physical imaging for drives with the MTK chipset, as well as enhancements to Magnet AI and memory analysis. (Editor’s note: if you’re an Axiom customer and also want to run Volatility manually, do so from the Axiom install directory as an alternative to downloading from source. It’s compiled and includes the latest Win10 profiles.) They also improved performance, added additional artefacts, and can now ingest Google Takeout natively (in testing I don’t think other tools have added this yet, and if Google messes with the API then Takeout may be your best bet for acquiring Google data).
Updates in Magnet AXIOM 2.2 Help You Get Evidence from the Most Sources
- Metaspike updated Forensic Email Collector to v3.2.5.0 with a number of new features and improvements.
Forensic Email Collector (FEC) Changelog
- Pasquale Stirparo updated his Epochalypse Python script to add support for APFS timestamps.
- PassMark Software released OSForensics V6.0.1000, which from the changelog appears to be a major update.
V6.0.1000 – 21st of June 2018
- IsoBuster 4.2 was released with a number of improvements and bug fixes.
IsoBuster 4.2 released
- Sandro Süffert tweeted out that a “Computer Forensics tool developed by the Brazilian Federal Police is now available for general use under the GPL Licensing”; I don’t speak Portuguese so I can’t tell you what it does…
Check out @suffert’s Tweet
- X-Ways Forensics 19.7 Beta 1 was released with some additional improvements
X-Ways Forensics 19.7 Beta 1
- Maxim Suhanov released yarp v1.0.17. Whilst the release notes page doesn’t have any information on it, Maxim did tweet this out.
1.0.17
And that’s all for Week 25! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!