I’ve decided to formalise the support page for the project, which can now be accessed from the top menu. I figured that it would be a good idea to put it all in the one place. I’m still holding out from the advertising model, although I think that’s more of a personal preference than people vocally being against it.
Thanks to all those that have donated/patreon’d so far, very much appreciated.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog posted a couple of times this week
- He explains NTFS hard links and shows how a few MFT parsers display results when hard links are used.
$MFT and $ATTRIBUTE_LIST
- He also looks at the attribute list and deleting records.
$ATTRIBUTE_LIST and deleted record
- Adam Harrison at 1234n6 wrote a couple of posts about exFAT this week
- The first answers the recent Sunday Funday challenge on exFAT timestamps and time zones. Outside of the many rabbit holes it looks like Adam went down, “The summary result is that no tool will reliably display the exFAT timestamps associated with the various tested operating systems” – well that’s good…
exFAT Timestamp Behavior Associated with Different Operating Systems
- The second takes a step back and describes the exFAT file system and how it records MAC times, as well as Adam’s testing methodology.
exFAT Timestamps: exFAT Primer and My Methodology
- Arun Prasannan at CCL Group discusses how some macOS metadata is affected by copying to a non-Apple file system using MacQuisition/rsync. I’d be interested in seeing what happens when using the same methodology from APFS to HFS+, and whether metadata is lost in the file transfer.
Messing about with Windows metadata when analysing a Mac
- Oleg and Igor at Cyber Forensicator finished off their walkthrough of the Magnet User Summit CTF covering the Exfiltration and Intrusion questions
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times (I’ve changed the order slightly)
- Congrats to Paul Bryant on his winning submission on exFAT timestamps.
Daily Blog #409: Solution Saturday 6/30/18
- Last week’s Sunday Funday was on the “level of access an examiner has during the upgrade process on a windows 10 system that is bitlocker encrypted during the reboot.”
Daily Blog #410: Sunday Funday 7/1/18
- Don’t take anything from my answer as being factual or correct. It won by virtue of being one of the only submissions; someone definitely should actually do the testing and figure out the actual answers though.
Daily Blog #416: Solution Saturday 7/7/18
- This week’s Sunday Funday relates to information that can be obtained from o365 under two different conditions. Adam Harrison and I have already posted our answers. At some point Dave will ask us to stop; we have yet to reach that point.
Daily Blog #417: Sunday Funday 7/8/18
- More importantly, Dave gave a little bit of insight into why he started his daily blogging challenge and pointed out that it’s not really about the daily posting, but more about pushing yourself to learn a little bit more each day. A lot of other blog authors say they have received the same benefit from doing so; it’s why I do what I do too. Daily blogging isn’t for everyone, but it’s good to set a goal to work towards. Once a month for example…12 blog posts a year! I’m sure that everyone can find it in them to put out 12 posts a year – you can even ask Devon to host the site for you.
Daily Blog #412: The importance of blogging,,, daily
- Back to MAPI: This time testing an Excel document as an attached file.
Daily Blog #408: Exploring Extended MAPI Part 15
- And then a Word document. He found that “the creation time is being set to when the message was sent”
Daily Blog #411: Exploring Extended MAPI Part 16
- Dave then moved onto Outlook Web Access and found “that even though the message was marked unread and read again that the last modification time didn’t change from the time it was originally. In fact going through all the dates i didn’t find any updates made at all.”
Daily Blog #413: Exploring Extended MAPI part 17
- Lastly, he found that in OWA, replying to a message didn’t affect the MAPI data on the message in Outlook.
Daily Blog #414: Exploring Extended MAPI part 18
- Greg Smith at TrewMTE shared some resources relating to the Herrevad database and mobile geolocation artefacts.
Update – HERREVAD Databases Geo Location Artefacts
- Volume 25 of the Journal of Digital Investigation was released.
- Jaco at ‘The Swanepoel Method’ shows how to use log2timeline to process the Security event log to detect time changes.
Detecting Time Changes with L2T (Ain’t Nobody Got Time For That)
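Since Adam’s exFAT posts above turn on how the on-disk timestamp fields are (mis)read, here is an added example of decoding them; this is my own code, not Adam’s and not from either post. It follows the field layout of the exFAT File Directory Entry (type 0x85), including the 10ms increment and UTC offset bytes, and the 32-byte entry it parses is constructed inline, with the created/modified stamps written at UTC+10 and the accessed stamp written without a valid offset, as a different OS might leave it.

```python
"""Decode the timestamps of an exFAT File Directory Entry (EntryType 0x85).

Field offsets within the 32-byte entry follow the exFAT specification:
  0x08 CreateTimestamp        (u32)   0x14 Create10msIncrement       (u8)
  0x0C LastModifiedTimestamp  (u32)   0x15 LastModified10msIncrement (u8)
  0x10 LastAccessedTimestamp  (u32)   0x16 CreateUtcOffset           (u8)
                                      0x17 LastModifiedUtcOffset     (u8)
                                      0x18 LastAccessedUtcOffset     (u8)
LastAccessed has no 10ms field, so access time is only 2-second precise.
"""
import struct
from datetime import datetime, timedelta, timezone


def decode_timestamp(ts, increment=0, utc_offset=0):
    """Return a datetime for a packed DOS-style exFAT timestamp.

    ts: 32-bit value (bits 0-4 two-second count, 5-10 minute, 11-15 hour,
        16-20 day, 21-24 month, 25-31 years since 1980).
    increment: 0..199, tens of milliseconds added to the two-second value.
    utc_offset: bit 7 = OffsetValid; bits 0-6 = signed 7-bit offset from UTC
        in 15-minute units. If the flag is clear the zone is unknown and a
        naive datetime (the local time exactly as written) is returned.
    """
    if not 0 <= increment <= 199:
        raise ValueError("10ms increment out of range: %d" % increment)
    two_sec = ts & 0x1F
    minute = (ts >> 5) & 0x3F
    hour = (ts >> 11) & 0x1F
    day = (ts >> 16) & 0x1F
    month = (ts >> 21) & 0x0F
    year = 1980 + (ts >> 25)
    local = datetime(year, month, day, hour, minute, two_sec * 2)
    local += timedelta(milliseconds=increment * 10)
    if not utc_offset & 0x80:
        return local
    raw = utc_offset & 0x7F
    if raw >= 0x40:            # sign-extend the 7-bit two's complement value
        raw -= 0x80
    return local.replace(tzinfo=timezone(timedelta(minutes=raw * 15)))


def encode_timestamp(local, utc_offset_minutes=None):
    """Inverse of decode_timestamp; used here only to build the sample entry."""
    ts = ((local.year - 1980) << 25 | local.month << 21 | local.day << 16
          | local.hour << 11 | local.minute << 5 | local.second // 2)
    increment = (local.second % 2) * 100 + local.microsecond // 10000
    if utc_offset_minutes is None:
        return ts, increment, 0          # OffsetValid clear
    return ts, increment, 0x80 | ((utc_offset_minutes // 15) & 0x7F)


def to_utc(dt):
    """Naive UTC datetime, or None when the entry carried no valid offset."""
    if dt.tzinfo is None:
        return None
    return dt.astimezone(timezone.utc).replace(tzinfo=None)


def parse_file_entry(entry):
    """Return created/modified/accessed datetimes from a 32-byte 0x85 entry."""
    if len(entry) != 32 or entry[0] != 0x85:
        raise ValueError("not a File Directory Entry")
    c_ts, m_ts, a_ts = struct.unpack_from("<III", entry, 0x08)
    c_inc, m_inc, c_off, m_off, a_off = struct.unpack_from("<5B", entry, 0x14)
    return {
        "created": decode_timestamp(c_ts, c_inc, c_off),
        "modified": decode_timestamp(m_ts, m_inc, m_off),
        "accessed": decode_timestamp(a_ts, 0, a_off),   # no 10ms field exists
    }


def build_sample_entry():
    """Constructed entry (not captured from media): created and modified at
    UTC+10; accessed written with OffsetValid clear, as another OS might do."""
    c_ts, c_inc, c_off = encode_timestamp(datetime(2018, 7, 8, 14, 30, 45, 670000), 600)
    m_ts, m_inc, m_off = encode_timestamp(datetime(2018, 7, 8, 16, 5, 2, 10000), 600)
    a_ts, _, a_off = encode_timestamp(datetime(2018, 7, 9, 9, 0, 1), None)
    entry = bytearray(32)
    entry[0] = 0x85
    struct.pack_into("<III", entry, 0x08, c_ts, m_ts, a_ts)
    struct.pack_into("<5B", entry, 0x14, c_inc, m_inc, c_off, m_off, a_off)
    return bytes(entry)


if __name__ == "__main__":
    for name, stamp in parse_file_entry(build_sample_entry()).items():
        print("%-8s local=%s utc=%s" % (name, stamp.isoformat(), to_utc(stamp)))
```

Two things to watch for when comparing tool output: the accessed stamp comes back as 09:00:00 although 09:00:01 was written (two-second truncation with no 10ms byte to recover it), and a stamp whose OffsetValid bit is clear stays naive, so a tool that silently treats it as UTC or as examiner-local time will be off by the zone difference.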
THREAT INTELLIGENCE/HUNTING
- Roberto Rodriguez at Cyber Wardog Lab shares “a basic example of Sysmon rule tagging and how you can scale it with the right parser in solutions like HELK. [and also shares] a few initial thoughts on how to utilize these new capabilities.”
Categorizing and Enriching Security Events in an ELK with the Help of Sysmon and ATT&CK
- Jack Crook at ‘DFIR and Threat Hunting’ talks about three detection method categories: “detections that are fed directly to an analyst as an alert”, “detections that are used for correlation”, and “detections written to increase visibility”
Methods of Detection
- Nik Seetharaman at Endur@nt shows how to use Sysmon to detect “CMSTP-Enabled Code Execution and UAC Bypass”
Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.
- Adam at Hexacorn describes a “Registry entry that is a subject to remapping, and as such, may be used as yet another persistence mechanism”
Beyond good ol’ Run key, Part 80
- Walter Legowski at Insinuator shares “PoSh_ATTCK [which] is a set of Cmdlets to manipulate the ATT&CK data from the command line”.
PoSh_ATTCK – ATT&CK Knowledge at your PowerShell Fingertips…
- Erik Hjelmvik at Netresec shares a short video demonstrating “how you can search through PCAP files with regular expressions (regex) using CapLoader and how this can be leveraged in order to improve IDS signatures.”
Detecting the Pony Trojan with RegEx using CapLoader
- There were a couple of posts on the SpecterOps blog this week
- Steve Borosh shows how to “weaponize a Microsoft Access Macro shortcut to invoke a payload over HTTP” as well as detections and mitigations
Phishing tales: Microsoft Access Macro (.MAM) shortcuts
- Matt Graeber shows some evasive attack scenarios that undermine threat hunting data reduction practices which rely on filtering out anything that looks like a Microsoft executable
What is it that Makes a Microsoft Executable a Microsoft Executable?
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides some resources for scanning Docker images for cryptominers
Docker images under cryptojacking attack: how to check if a downloaded image is safe
- Olaf Hartong shares his thoughts on the latest update to Sysmon
Sysmon 8.0, a leap forward in event annotation
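Roberto’s post above is about tagging Sysmon rules with ATT&CK information and parsing the tag out at scale, and Olaf’s is about the Sysmon 8 event annotation (the RuleName field) that makes this possible. The following is an added example of that parsing step; it is my own code, not HELK’s and not from either post. It assumes a tag grammar of comma-separated key=value pairs in the rule’s name attribute (a convention, not something Sysmon defines), the technique ID on the sample event is illustrative, and both events are constructed in the shape of Sysmon Event ID 1 records rather than captured from a host. The first sample is a cmstp.exe launch of the kind Nik’s CMSTP post is about.

```python
"""Enrich Sysmon events with ATT&CK fields taken from a tagged RuleName.

Sysmon 8 writes the matching rule's `name` attribute into the event's RuleName
field, so a rule written as
  <Image condition="end with" name="technique_id=T1191,technique_name=CMSTP">cmstp.exe</Image>
stamps every event it matches. parse_rule_name() splits that tag the way a
Logstash/HELK filter would; enrich_event() flattens the EventData items and
adds attack_* fields when a tag is present. The "k=v,k=v" grammar is an
assumed convention and the technique ID is illustrative.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed ProcessCreate (Event ID 1) events, not captured from a real host.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1191,technique_name=CMSTP</Data>
    <Data Name="UtcTime">2018-07-08 04:30:45.670</Data>
    <Data Name="Image">C:\Windows\System32\cmstp.exe</Data>
    <Data Name="CommandLine">cmstp.exe /ni /s C:\Users\Public\profile.inf</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2018-07-08 04:31:02.000</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
]


def parse_rule_name(rule_name):
    """Split "k1=v1,k2=v2" into a dict. An empty or "-" RuleName means the
    matching rule carried no name, so nothing is tagged."""
    tags = {}
    if not rule_name or rule_name.strip() == "-":
        return tags
    for part in rule_name.split(","):
        key, sep, value = part.partition("=")
        if sep:                       # ignore fragments without '='
            tags[key.strip()] = value.strip()
    return tags


def enrich_event(xml_text):
    """Flatten one Sysmon event and add attack_* fields when RuleName is tagged."""
    root = ET.fromstring(xml_text)
    event = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
    }
    for item in root.findall("e:EventData/e:Data", EVENT_NS):
        event[item.get("Name")] = item.text or ""
    tags = parse_rule_name(event.get("RuleName"))
    if "technique_id" in tags:
        event["attack_technique_id"] = tags["technique_id"]
        event["attack_technique_name"] = tags.get("technique_name", "")
    return event


def enrich_events(xml_events):
    return [enrich_event(x) for x in xml_events]


def technique_counts(events):
    """Roll up tagged events per technique: the starting view for a hunt dashboard."""
    counts = {}
    for ev in events:
        tid = ev.get("attack_technique_id")
        if tid:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    enriched = enrich_events(SAMPLE_EVENTS)
    for ev in enriched:
        print(ev.get("attack_technique_id", "untagged"), ev["Image"], ev["CommandLine"])
    print(technique_counts(enriched))
```

The untagged second event is kept, not dropped: a rule name only classifies the events a rule matched, and events with no tag are still needed for the correlation and visibility detections Jack Crook’s post describes.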
PRESENTATIONS/PODCASTS
- Jessica Hyde was interviewed on the CyberNow podcast on her work, as well as the value of sharing
Check out @CyberNowPod’s Tweet!
- Magnet Forensics shared Heather Mahalik’s presentation from the Magnet User Summit on the tool-box approach to digital forensics
Recorded Lecture: No Tool Fits All – Why Building a Solid Toolbox Matters
- Paraben Corporation uploaded a couple of videos this week
- The videos from Pass The Salt Conference 2018 have been uploaded
- On this week’s Digital Forensic Survival Podcast, Michael discussed the impending USB Restricted Mode that looks like it’ll eventually be in iOS.
DFSP # 124 – iOS USB Restricted Mode
- Rewa Technology have uploaded a video showing how they were able to repair a seemingly dead iPhone 6S with a damaged logic board and then acquire the data.
iPhone Data Recovery from Dead Phone – New Repair Service Launched
- SANS shared a few videos this week
MALWARE
- Joe Security posted an analysis of “a recent sample related to APT28/Grizzlybear which includes nine different evasion tricks.”
APT28: Digging through Sandbox-Evasions with Bare Metal Analysis
- Check Point Research shares details of an attack targeting “institutions across the Middle East, specifically the Palestinian Authority.”
APT Attack In the Middle East: The Big Bang
- The Cylance Research Team examines the MBRKiller wiper malware
Cylance vs. MBRKiller Wiper Malware
- Kevin Beaumont at Double Pulsar shares some details of the recently updated GandCrab v4.1 malware, as well as some mitigations and IOCs
GandCrab v4.1 in the wild — first Windows XP and Server 2003 impacting ransomware SMB worm
- Tim Berghoff at G Data shared a whitepaper on the analysis of the Fodevepdf trojan downloader.
Analysis: Downloader with a twist
- Shusei Tomonaga at JPCERT/CC shares details of the WellMess malware which has been “programmed in Golang and cross-compiled to make it compatible both with Linux and Windows”.
Malware “WellMess” Targeting Linux and Windows
- There were a few posts on the Malwarebytes Labs blog this week
- Thomas Reed examines the OSX.Dummy malware
Mac malware targets cryptomining users
- Jérôme Segura reviews the macro-less technique that abuses .SettingContent-ms files to run commands on Windows 10 users’ machines
New macro-less technique to distribute malware
- Jérôme also looks at some recent attacks distributing Coinhive
Obfuscated Coinhive shortlink reveals larger mining operation
- Matt Oh at Microsoft shares the analysis of a PDF document that contained “two new zero-day exploits”
Taking apart a double zero-day sample discovered in joint hunt with ESET
- Didier Stevens at NVISO Labs takes the same PDF and shows how to extract the two payloads
Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens shows how to “extract the URLs from the XPS file.”
XPS samples, (Sat, Jun 30th)
- And has also uploaded a video showing his process
Video: Analyzing XPS Files, (Sun, Jul 1st)
- He also shows how to extract XPS metadata.
XPS Metadata, (Wed, Jul 4th)
- As well as progress indication tips for Windows, Linux, and OSX
- Ben Baker and Holger Unterbrink at Cisco’s Talos blog share details on a new version of Smoke Loader
Smoking Guns – Smoke Loader learned new tricks
- There were a couple of posts on the TrendLabs blog
- Martin Co and Joseph C. Chen take a look at some recent exploit kit activity
Down but Not Out: A Look Into Recent Exploit Kit Activities
- Loseway Lu walks through the infection process of a maldoc that drops a number of malicious files.
Malicious Macro Hijacks Desktop Shortcuts to Deliver Backdoor
MISCELLANEOUS
- To start off this section I wanted to address the unicorn in the room; the closure of the o365 Activities API, which has been the talk of the town. There were a few posts, listed below, showing how to get access to the data, and also Dave Cowen’s commentary on disclosure of secret evidence sources. The main point of interest is that whilst we all agree that sharing is vital in this industry, there is always the concern that disclosing methodology in some way may force a company’s hand. There are similar concerns with sharing encryption bypasses or mobile device acquisition techniques. By disclosing this information you run the risk of the research and development time and effort, as well as the capability, disappearing. As a result, it becomes a minefield when trying to determine the ethics surrounding sharing certain information publicly. That being said, there is still plenty of information that can be shared publicly that runs a far lower risk of a vendor caring about – usually surrounding parsing data that is required to keep a product functioning as intended.
- Matt Durrin at LMG Security advises that he is no longer able to access the Activities API of o365.
RIP Office365 Magic Unicorn Tool
- Dave Cowen comments on the recent closure of the API by Microsoft
Daily Blog #415: The Death of a Unicorn
- Richard Davis at 13Cubed produced a video showing the API access
Secret Office 365 Activities API
- Kyle Bubp walks through his use of the magic unicorn script put out by LMG, which I guess is moot now
Using O365 Activities API for Incident Response
- Eric Huber at ‘A Fistful of Dongles’ interviewed Mike Swindells on his role as “a Sergeant with the Calgary Police Service”
AFoD Interview with Mike Swindells
- Atola have released a software update (2018.1.2) for the TaskForce which adds Chinese language support
Chinese version of TaskForce launched!
- Matt at ‘Bit of Hex’ shows how he dealt with confusion caused when an artefact was being presented correctly by a tool, but written incorrectly by an application in the first place. I’m not sure how relevant to DF the actual bug was, but it shows that when looking into odd results it’s a good idea to go look at the data directly to see where the bug may be.
Your forensic tools are wrong, because your application is lying
- Blackbag Technologies have released an eBook on “conducting investigations in Windows Registry with BlackLight”
Check out @blackbagtech’s Tweet
- Brett Shavers posted a few times across his blogs
- He responded to a section of some recently produced research relating to synchronisation artefacts. Apparently, the researchers indicated that many computer forensic examiners don’t regard synchronisation during their examinations; whilst I don’t disagree, I would like to know how they came to that conclusion – was there a survey, or just that there isn’t a huge amount of research in the area?
Snap! Oh no you didn’t.
- Over at DFIR.Training, he shows in graphs: “The faster the information is disseminated, then faster it disappears, or worse, is never seen”. He also suggests that documenting your research will help you in the long run, preferably via a more lasting medium such as a blogpost or article.
The Dearth of Documentation in DFIR
- Lastly, he clarifies some points about the DFIR Rapid Peer Review idea.
Getting Your Blog Post Officially DFIR Peer Reviewed – An Update
- There were two posts on dumping domain password hashes; one on Hacking Articles, and another on Penetration Testing Lab
- Forensic Focus posted a couple of times this week
- They posted an interview with Ken Basore from Blackbag Technologies about his work at Blackbag including APFS and ingestion of Graykey images.
Interview With Ken Basore, CEO, BlackBag Technologies
- Scar also shared the sessions that she will be attending at Techno Security San Antonio in September
Techno Security & Digital Forensics 2018 – San Antonio September 17-19
- Griffeye posted a couple of times this week
- They posted about the new face recognition feature that was added in the last release.
Face Recognition – Now for both images and videos
- They also introduced Eric Oldenburg and covered his work in computer forensics utilising the Griffeye software before taking up a position with them.
Help is at hand: Meet Eric Oldenberg, Griffeye’s new tech evangelist
- Bradley Schatz at Inside Out shares some data acquisition speeds of a 1TB NVMe drive. It would be interesting to see all the imaging tool vendors pitted against each other; granted, they all have their lanes, so even if you’re not the fastest imager, you may still have damaged drive support, or improved portability, or support for a wide range of drives. That being said, a speed race is probably not going to happen.
Which forensic imager is the fastest?
- Magnet Forensics posted twice this week
- Christa Miller posted the answers to some of the questions posed by attendees of their recent webinars.
How AXIOM Technology Helps Builds Stronger Cases from Start to Finish: Webinar Q&A
- They also interviewed Cindy Murphy from Gillware Digital Forensics
Q&A with Cindy Murphy, President & Co-Founder of Gillware Digital Forensics
- Monnappa K A announced that his book “Learning Malware Analysis” has been released.
Check out @monnappa22’s Tweet
- Basil Alawi S.Taher at the SANS Internet Storm Centre walks through the use of “AutorunsToWinEventLog [which] is a PowerShell script that runs autorunsc and converts it to Windows Events.”
Using AutorunsToWinEventLog, (Fri, Jul 6th)
- Scar de Courcier describes her process for choosing the section headings for the book that she co-authored, “Windows Forensic Cookbook”.
Choosing Your Section Headings
SOFTWARE UPDATES
- Plaso 20180630 has been released, adding filtering based on ForensicArtifacts definitions, as well as “cleanups, performance tweaks and bug fixes”
Plaso 20180630 released
- “Amped Authenticate 11362 is now released with a lot of improvements, including two new filters based on JPEG Dimples, one of the last discoveries of the image forensics scientific community”
Amped Authenticate Update 11362: JPEG Dimples, Improved JPEG HT, Social Media Identification, and much more!
- Jamie Levy has released memtriage, which “allows you to quickly query a live Windows machine for RAM artifacts”. “This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis.”
memtriage (previously lmem)
- Didier Stevens updated a few of his tools this week
- ExifTool 11.06 (development release) was released, adding some new tags and bug fixes.
ExifTool 11.06
- Griffeye released Analyze 18.1, adding “new features, such as Object recognition and XMP grouping.”
Release of Analyze 18.1 – Still a No-Brainer
- Sysmon v8 and Autoruns v13.90 were released
What’s New (July 5, 2018)
- MobilEdit released live update version 2018-07-04-01 to App Analyzer fixing support for a few iOS/Android apps.
Live Update version 2018-07-04-01
- CapLoader 1.7 was released with a number of new features.
CapLoader 1.7 Released
- Passmark Software has released OSForensics V6.0.1002 with a number of new features and bug fixes.
V6.0.1002 – 6th of July 2018
- Radare2 Codename: Salty peas was released; however, v2.7.0 is expected in a week
Codename: Salty peas
- X-Ways Forensics 19.6 SR-6 was released with some bug fixes
X-Ways Forensics 19.6 SR-6
- X-Ways Forensics 19.7 Beta 2 was released with some new features
X-Ways Forensics 19.7 Beta 2
And that’s all for Week 27! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!