FORENSIC ANALYSIS
- Chris Sanders describes “some different packet analysis tool filtering capabilities, some of the filters [he uses] when whittling down PCAPs, and some tricks for applying them effectively”
Analyzing Large Capture Files 4: Whittling with Filters
- The guys at Cyber Forensicator wrote a few articles this week. Oleg Skulkin shared his answer to Dave Cowen’s challenge on Zone Identifiers. Hopefully, I can carve out some time to compile his research with my own into a more comprehensive paper on the information that can be obtained. Oleg and Igor then shared a walkthrough of the Anti-Forensics and Miscellaneous sections of the Magnet CTF.
- Pablo Espada at Perito Technologico has written a post (in Spanish) on the Win10 timeline feature.
Historial de Actividad en Windows 10 desde el punto de vista forense
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week, continuing his MAPI research, particularly around the metadata of attachments
- Arman Gungor at Metaspike shows how to “utilize the Internal Date and Unique Identifier (UID) message attributes to quickly identify and hone in on suspicious messages that have a significant discrepancy between their header dates and internal dates and sequence numbers.”
Using IMAP Internal Date for Forensic Email Authentication
- Gary at Salt Forensics continues his series on AWS, showing how to connect to an instance and attach a local volume, as well as how to upload an E01 image, and gives a shoutout to VirtualHere for remote dongle usage.
- SalvationData have posted a case study for imaging a damaged drive with their DRS (Data Recovery System) tool
[Case Study] Computer Forensics: A Solution to Recover from Head Damaged HDD without Replacement
- The SANS InfoSec Reading Room has posted John Brown’s white paper on combining artefact parsers into a single script to quickly examine a forensic image
Using Image Excerpts to Jumpstart Windows Forensic Analysis
- Heather Mahalik at Smarter Forensics has written a guide for “smartphone acquisition of iOS and Android devices”.
Smartphone Acquisition: Adapt, Adjust and Get Smarter!
- Stacey Randolph at ‘The Knowledge Bean’ posted a number of times this week
  - She shares a script by Cheeky4n6Monkey on extracting blob data from SQLite databases
  #9 – Manifest.db BLOBs
  - She shared Jonas Plum’s afro tool, an APFS file carver
  #10 – APFS
  - She walks through a scenario where a client has lost files on an iPhone during a simultaneous sync and file copy, and asks for suggestions to help recover the missing files.
  #11 – When Things Go Awry
  - She promotes the Diana Initiative
  #12 – Supporting Women in Tech
  - She also hints at an upcoming series on the logs/files found in the macOS /private/var directory
  #13 – Exploring macOS
  - And sadly, Stacey’s #DFIRDog Cody passed away during the week. RIP Cody 😦
  #14 – Rest in Peace, DFIR Dog
- Jaco at ‘The Swanepoel Method’ shares some command line goodness to get some answers quickly regarding failed login attempts in the Windows Event logs. Posts like these are always great because often I’ve found that running dedicated tools quickly over the artefacts will get you to the data much faster than waiting for the full kitchen sink. I usually like to set the kitchen sink running on one machine, and then go hunting on another.
Finding Failed Logon Attempts With Log2Timeline While You’re Searching For Your FTK Dongle
THREAT INTELLIGENCE/HUNTING
- Joshua Pate at Carbon Black shares details of a recent investigation into customers hit by the Retadup worm to distribute a Monero miner.
Cb ThreatSight Investigation Reveals RETADUP Worm Leverages AutoIt to Launch Monero Cryptomining Campaign
- There’s a post on the Nextron Systems blog about using Sigma rules for threat hunting in log files in the upcoming release of Spark
SPARK uses Sigma Rules in Eventlog Scan
- Keya Horiuchi at Red Canary shares details of a recent engagement in two parts. “Part 1 focuses on steps the malware took to establish persistence, while Part 2 will focus on steps taken to evade defenses.”
- Richie Cyrus at ‘Security Never Sleeps’ has started a series discussing “methodologies and techniques to proactively find compromised Macs in an enterprise environment.” This post shows Richie generating some activity using Empire and then identifying it with osquery
Hunting for Bad Apples — Part 1
UPCOMING WEBINARS/CONFERENCES
- Voting for the presentations for OSDFCon 2018 has commenced and will be open for a couple of weeks.
OSDFCon 2018 Presentation Voting
- SalvationData will be hosting a webinar on July 11, 2018, on the release of their new mobile forensic solution, SPF Pro
SalvationDATA New Generation Mobile Forensic Solution Release Webinar
- The conference schedule for Techno Security & Digital Forensics 2018 San Antonio has been released.
2018 Conference Program
PRESENTATIONS/PODCASTS
- Black Hat shared Daniel Bohannon’s talk on Invoke-DOSfuscation from Black Hat Asia 2018
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
- On this week’s Digital Forensic Survival Podcast, Michael talks “about IP address and domain triage for computer forensic investigations.”
DFSP # 123 – IP Triage
- SalvationData shared a video describing their SmartPhone Forensic System Professional tool
SPF Pro-SmartPhone Forensic System Professional-SOP-SalvationDATA Mobile Forensics Solution
- SANS shared Jason Straight’s presentation from the 2018 CTI Summit titled “Legal Implications of Threat Intelligence Sharing”
Legal Implications of Threat Intelligence Sharing – SANS CTI Summit 2018
- On Talino Talk, “Jay & Steve talk about SUMURI’s new product RECON Imager Pro”
TALINO Talk ep16
MALWARE
- Cyber Forensicator shared a link to MalwareTech’s beginning reversing challenges.
Beginner Malware Reversing Challenges
- Carlos Castillo at McAfee Labs examines some recent activity by the AsiaHitGroup Gang, which has been distributing malicious Android apps to steal money from unsuspecting users.
AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play
- Brittany Ash, Josh Grunzweig and Tom Lancaster at Palo Alto Networks describe some recent attacks focused on South East Asia by the previously unidentified Rancor group.
RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens examines a potentially malicious, but ultimately benign, PE
  Guilty by association, (Mon, Jun 25th)
  - Didier also provides “some pointers for the static analysis of XPS files.”
  Analyzing XPS files, (Tue, Jun 26th)
  - Renato Marinho shows how to use Imphash to compute “a fingerprint of the binary’s IAT (Import Address Table).”
  Silently Profiling Unknown Malware Samples, (Wed, Jun 27th)
  - Remco Verhoef examines a malicious MacOS cryptomining script/binary used to target the crypto community.
  Crypto community target of MacOS malware, (Fri, Jun 29th)
  - Johannes Ullrich shares a recent attack utilising the struts vulnerability to deploy a cryptominer.
  New and Improved Cryptominers: Now with 50% less Greed., (Thu, Jun 28th)
- Sudhanshu Dubey and Dileep Kumar Jallepalli at FireEye examine the attack chain utilised by the RIG Exploit Kit (EK) to deliver “a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner”
RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
- Jindrich Karasek and Loseway Lu at TrendLabs describe an attack by a mining bot on their honeypot sensor
Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site
- John Bergbom at Forcepoint demonstrates how to reverse engineer WebAssembly binaries
Analyzing WebAssembly binaries
- Andrew Go, Christopher del Fierro, Lovely Bruiz, and Xavier Capilitan at G Data examine the Rozena malware.
Where we go, we don’t need files: Analysis of fileless malware “Rozena”
MISCELLANEOUS
- Tony at Archer Forensics posted a number of times this week on things to consider when getting into DFIR on the public or private side, as well as what to consider when posting on social media
So you want to get into DFIR?
- Yulia Samoteykina at Atola describes the diagnostic process used by the Atola TaskForce
Diagnose a drive with Atola TaskForce
- Derrick Rauch and Kent Ickler at Black Hills Info Sec describe how to run HashCat on an Ubuntu 18.04 server.
Running HashCat on Ubuntu 18.04 Server with 1080TI
- Sherri Davidoff at LMG Security walks through their hunt for the o365 hidden API, and the release of a wrapper script for the CrowdStrike Python module (written by Matt Durrin) to pull out the o365 logs. She also discusses the ethics of firms keeping this information private for competitive advantage. BeanBagKing shows the use of this tool
Exposing the Secret Office 365 Forensics Tool
- Brett Shavers expounds the benefits of starting with the low hanging fruit in an investigation
Old hat investigative work will always work
- There was more talk about journal articles and peer review in DFIR
  - Brett Shavers has a post on DFIR Training debating whether peer review in journals is actually important, considering the lengthy process to get published, as well as the weight that practitioners seem to give journal articles.
  If Peer Review is so Important, Why Doesn’t Everyone Do it?
  - Brett also shares a suggestion by Jessica Hyde, coined as “Rapid Peer Review”. The idea is to encourage people to share their research, and others to review it with a much faster turnaround than in journal articles.
  The RAPID PEER REVIEW
  - Joshua James at Digital Forensic Science comments that we already have solutions to a number of the proposed problems in the form of Open Journal Systems.
  DFIR already has Rapid Peer Review – we can do better
- Didier Stevens shows how to decode a certutil encoded file
Quickpost: Decoding Certutil Encoded Files
- Oleg and Igor at Digital Forensic Corp provide an overview of the DFIR field
Skills and knowledge in Digital Forensics
- Andrey Fedorov has a post on Digital Forensics Corp about recovering files after a ransomware infection
Data recovery after ransomware that encrypts files
- DME Forensics provide an overview of the Offline Player Library in DVR Examiner 2.3
Feature Focus: Offline Player Library
- Posts were written by FireEye and Richard Bejtlich denying the allegation that they used “hack back” techniques in the investigation that led to their APT1 report.
- Christa Miller at Magnet Forensics interviewed Dave and Matthew about creating the CTF for the Magnet User Summit.
The Making of a Capture the Flag Competition: An Interview with David Cowen and Matt Seyer
- Magnet also shared their recent integrations with other vendors.
How Vendor Collaboration Makes Child Exploitation Investigations Stronger
- Microsystemation announced that they have joined the Cyber-Investigation Analysis Standard Expression (CASE) initiative.
MSAB joins CASE Initiative on digital forensic standards
- Shelly Giesbrecht at Nerdiosity expresses her gratitude for the DFIR family that she’s made over the years.
Joining the DFIR Family
- Jake Williams has written an OpenText sponsored review of Encase v8.06. Interestingly, Jake mentions that in the Pathways feature you can integrate custom Enscripts. I haven’t played with Pathways properly, but I was recently told by OT representatives that this wasn’t possible (but it’s more likely that they didn’t know it was). Making use of custom Enscripts in Pathways makes the feature a lot more appealing so I may have to check it out.
One-Click Forensic Analysis: A SANS Review of EnCase Forensic
- Scar de Courcier shares how she found her co-author for the ‘Windows Forensics Cookbook’
Why You Might Want A Co-Author, And How To Find One
- Edmund Brumaghin, Earl Carter and Andrew Williams at Cisco’s Talos blog share details of the Thanatos ransomware and release a decryptor tool
Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor
- Howard Oakley at The Eclectic Light Company shares a list of artefact locations on MacOS. As a side note, it’s interesting that security folks are calling the fact that MacOS caches information from encrypted volumes a vulnerability or a bug.
Hidden caches in macOS: where your private data gets stored
- There’s a post on the ‘Trail of Bits’ blog announcing two support methods for osquery for those that need it.
Announcing the Trail of Bits osquery support group
SOFTWARE UPDATES
- BEC 9.1 has been released, featuring “a number of usability and performance improvements.”
What’s New in Belkasoft Evidence Center 2018 Version 9.1
- Eric Zimmerman updated MFTECmd to v0.2.6.0, adding “a lot of polish to the –de output and adds several new options as well.”
MFTECmd v0.2.6.0 released
- Cellebrite released UFED Physical Analyzer 7.7, updating some app support and fixing some bugs
UFED Physical Analyzer 7.7 [June 2018]
- Didier Stevens updated a couple of his tools this week
- DME Forensics added a new Filesystem Database Update for DVR Examiner.
- Magnet Forensics have released “Magnet Process Capture, a tool that allows you to capture memory from individual running processes.”
Magnet Process Capture – Saving Your Memory, One Process at a Time
- “A new version of MISP 2.4.93 has been released including a much improved and tightly integrated MITRE ATT&CK interface, a new event locking functionality, initial support for a multilingual interface, various fixes including a security fix (CVE-2018-12649).”
MISP 2.4.93 released (aka ATT&CK integration improvements)
- Microsystemation have released “XRY 7.8, Kiosk/Tablet 7.8, XAMN Spotlight & Elements 3.3 and XEC Director & Export 3.2” with a number of new features and improvements.
Now released: XRY 7.8, Kiosk/Tablet 7.8, XAMN Spotlight and Elements 3.3, and XEC Director and Export 3.2
- Oxygen Forensic Detective was updated to v10.3.1, adding “support for almost 300 iOS and Android mobile applications”
Oxygen Forensic® Detective v10.3.1 release adds support for hundreds of new mobile app versions
- USB Detective v1.1.5 was released with a number of enhancements and bug fixes. I spoke with Jason a couple of weeks ago about some changes, and they were in the next release; great turnaround time!
Version 1.1.5 (06/25/2018)
- GetData updated Forensic Explorer to v4.3.5.7458, adding parsing of Mac artefacts, as well as other improvements
26 June 2018 – v4.3.5.7458
- Passmark Software updated OSForensics to V6.0.1001 with a variety of new features and improvements.
V6.0.1001 – 25th of June 2018
And that’s all for Week 26! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!