FORENSIC ANALYSIS
- Adam Harrison at 1234n6 shares his answer to the recent Sunday Funday challenge regarding o365 logging. Adam’s solution also won him the challenge.
  Investigating Office365 Account Compromise without the Activities API
- Brian Gerdon at Arsenal Recon walks through his process for cracking the password of a Windows XP domain account.
  An Adventure in Cached Windows Domain Password Recovery
- Justin Boncaldo provides an overview of unallocated space and file carving.
  DFS# 01 – Unallocated Space and Deleted Content
- The proceedings for DFRWS 2018 USA have been released (although they haven’t yet been combined into one encompassing issue).
- Elcomsoft posted a number of articles on iOS this week
  - Oleg Afonin describes the newly released USB Restricted Mode, which disables the data connection on iOS 11.4.1+ devices after one hour; apparently, the lock does not engage if a compatible USB accessory is attached. Jake Williams at Rendition InfoSec also shared his thoughts on the impact of this update.
    This $39 Device Can Defeat iOS USB Restricted Mode
  - Oleg also demonstrates how to install the Electra Jailbreak for iOS 11.2-11.3.1 so that you can use their iOS Forensic Toolkit to obtain a full file system acquisition.
    Using iOS 11.2-11.3.1 Electra Jailbreak for iPhone Physical Acquisition
  - Lastly, he shows “how to access the lockdown files on a live macOS system”
    Accessing Lockdown Files on macOS
  - Vladimir Katalov shares the list of devices that they tested to assist in preventing USB Restricted Mode from being enabled.
    USB Restricted Mode Inside Out
- There were a couple of posts on ‘Forensics Matters’ this week
  - The first shows how to install foremost on OS X
    Install foremost on OS X
  - The second shows how to use Busybox to download the user data from a rooted Nexus 4
    Dump an Android Partition for forensic analysis
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted
  - He tested some ways of updating MAPI on a downloaded EML file.
    Daily Blog #418: Exploring Extended MAPI part 19
  - Dave and Matt will be hosting an unofficial CTF at Defcon again this year. Unfortunately, it’ll be restricted to people in Las Vegas… I’m not gonna lie, I’m semi-tempted to fly over for the weekend because it’ll be fun… Is this a bad idea? Almost certainly, but if I can get the cost down and the sign-off from work and wife then I’m seriously considering it.
    Daily Blog #419: Unofficial Defcon DFIR CTF 2018
  - Dave also announced that they’re capping it at 200 entrants, so if you definitely want to compete, sign up quickly.
    Daily Blog #420: 2018 Unofficial Defcon CTF Update
  - Lastly, he shared the news that Microsoft is turning on audit logging for all o365 clients by default. They may also be providing some of the additional granularity that some were utilising the Activities API for.
    Daily Blog #421: Magical DFIR Beasts and where to find them
- Magnet Forensics shared a couple of papers this week
  - They released a white paper on acquiring and parsing data from iOS 11; apparently, the paper has been updated to include information from the recent update, but the version currently on the website is an older one. I’ve been told that the latest version will be posted on the site on Monday.
    Whitepaper: Acquiring and Parsing Data from iOS 11 Devices
  - They shared a case study based on work performed by Troy Schnack, where he used Axiom to assist in exonerating a suspect.
    New Case Study: How Magnet AXIOM Helped Save an Innocent Man from Federal Prison
- BeanBagKing at ØSecurity shows how to extract and combine individual footage segments from a Ubiquiti UniFi camera.
  Stitching together UniFi Video Footage
THREAT INTELLIGENCE/HUNTING
- Jared Myers at Carbon Black describes a recent incident where attackers infiltrated a network and then deployed ransomware.
  Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
- Tony Lambert at Red Canary shares details of a recent incident where the attacker deployed a cryptominer.
  Mining off the Land: Cryptomining Enabled by Native Windows Tools
- There were a couple of posts on the FireEye blog this week
  - Victor Fang describes a method of detecting malicious PowerShell using machine learning
    Malicious PowerShell Detection via Machine Learning
  - Scott Henderson, Steve Miller, Dan Perez, Marcin Siedlarz, Ben Wilson, and Ben Read share details of “a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics”
    Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
UPCOMING WEBINARS/CONFERENCES
- Trevor Goode and Ed Michael will be hosting a webinar on Wed July 18 at 1pm EDT on Overlaying Digital Intelligence and Ballistics Technology to Enhance Investigations
- Matt Bromiley will be hosting a webinar for SANS on Tuesday, July 17th, 2018 at 1:00 PM EST (17:00:00 UTC) on Business E-mail Compromise and Office 365
  BEC & O365: Making Sense of All the Noise
- Jamie McQuaid at Magnet Forensics will be hosting a webinar along with NW3C on “mobile forensic acquisition tools and techniques”.
  Better Data, Better Investigations: Understanding Mobile Forensics Trends, Tools & Methods
PRESENTATIONS/PODCASTS
- On the Brakeing Down Incident Response podcast, Michael and Brian interviewed Chris Truncer of FortyNorthSec about WMI Exploitation and Detection.
  The BDIR Podcast Episode-005 is out – WMI – Exploitation and Detection with Chris Truncer
- Jake Williams at SANS presented on the recent review paper that he wrote on Encase Forensic 8.06. Harp Thukral also presented on Encase and its current capabilities.
  One-Click Forensic Analysis: A SANS Review of EnCase Forensic
- Brian Laskowski shared his slides on his “workflow for incident response using free and open source tools.”
  No Fuss FOSS – building a Free and Open Source SoC
- Christopher Vance at Magnet Forensics presented on iOS 11 and Android Nougat/Oreo during the week
  Recorded Webinar: iOS 11 And Android Nougat/Oreo – An In-Depth Look At The Latest Mobile OSes
- Didier Stevens at Nviso shows how to extract a Windows 0-day from a malicious PDF
  Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF
- On this week’s Digital Forensic Survival Podcast, Michael talked about using Hashtopolis to perform distributed hash cracking
  DFSP # 125 – Distributed Hash Cracking
- SANS shared a number of videos this week
- The videos for Steelcon 2018 were uploaded last week.
MALWARE
- The Check Point Threat Intelligence Team posted some information about “an APT surveillance attack against institutions across the Middle East”.
  APT Attack In the Middle East: The Big Bang
- Nadav Avital and Gilad Yehudai at Incapsula “discuss some of the attackers’ methods to inject backdoors while evading detection [and] show examples of real backdoors found in our data, and how they use different evasion and obfuscation techniques, some of them quite complex.”
  The Trickster Hackers – Backdoor Obfuscation and Evasion Techniques
- Subrat Sarkar and Stefano Ortolani at Lastline Labs examine a maldoc exploiting CVE-2017-11882
  Evading Static Analyzers by Solving the Equation (Editor)
- William Tsing at Malwarebytes Labs provides some tips and resources for starting a threat intelligence program.
  So you’ve been asked to start a threat intel program
- Irfan Asrar and Raj Samani at McAfee Labs examine the FoulGoal Android spyware
  Google Play Users Risk a Yellow Card With Android/FoulGoal.A
- There’s a post by the Office 365 Threat Research team examining a maldoc that distributes the Hawkeye Keylogger malware
  Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis
- Mike Harbison and Brittany Ash at Palo Alto Networks analyse the Upatre downloader.
  Upatre Continued to Evolve with new Anti-Analysis Techniques
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Renato Marinho examines a sample that exploited his WebLogic honeypot.
    Criminals Don’t Read Instructions or Use Strong Passwords, (Mon, Jul 9th)
  - Remco Verhoef has collected additional information about the “Hello Peppa” payload shared by Guy Bruneau last week
    Well, Hello Again Peppa!, (Wed, Jul 11th)
  - Johannes Ullrich shares details of a Mirai variant that attempts to exploit ADB.
    Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp), (Tue, Jul 10th)
  - Xavier Mertens shares details of a “compromised JavaScript file that contains extra code to perform crypto mining activities”
    Cryptominer Delivered Though Compromized JavaScript File, (Fri, Jul 13th)
- Warren Mercer, Paul Rascagneres and Andrew Williams at Cisco’s Talos blog share details of a recent campaign specifically targeting 13 iPhones in India.
  Advanced Mobile Malware Campaign in India uses Malicious MDM
- Bryant Smith at Trustwave SpiderLabs shows how to use JA3 to inspect encrypted network traffic for malicious content.
  Inspecting Encrypted Network Traffic with JA3
- Anton Cherepanov at WeLiveSecurity shares details of the Plead malware, which utilises a stolen D-Link certificate.
  Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
MISCELLANEOUS
- Yulia Samoteykina at Atola shows how to import cases from the Insight into the TaskForce.
  Importing cases from Atola Insight Forensic
- There were a few posts on Cyber Forensicator this week
  - They shared a tool by Daryl Bennett called “LiMEaide [which] is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host.”
    LiMEaide: Dump Linux Memory Remotely
  - They shared a presentation by Alexander Klepal at Bsides SATX titled ‘Fiddling with Flash Drive Forensics’
    Fiddling with Flash Drive Forensics
  - They shared a presentation titled ‘Smart Car Forensics and Vehicle Weaponization’
    Smart Car Forensics and Vehicle Weaponization
  - They shared a presentation by Conrad Fernandes from the DataWorks Summit titled “Security event logging and monitoring techniques for incident response in Hadoop”
    Security Event Logging and Monitoring Techniques for Incident Response in Hadoop
- Didier Stevens shows the new JSON output method for his zipdump and oledump tools.
  --jsonoutput
- DME Forensics answered some frequently asked questions.
  Frequently Asked Questions: DVR Examiner
- There were a few posts on Forensic Focus this week
  - They interviewed Jad Saliba from Magnet Forensics about the partnership with Child Rescue Coalition
    Interview With Jad Saliba, Founder & CTO, Magnet Forensics
  - They shared a case study on how “AccessData’s solutions play a vital role in the investigations of child exploitation cases”
    LaPorte County Prosecutor’s Office Relies On AD Lab To Help Prosecute Criminals
  - Scar invited those attending DFRWS to a lunch discussion, co-hosted with Magnet Forensics, on nurturing and supporting women in (and getting into) DFIR, as well as giving back to the community.
    Join The First Ever DFIR Women’s Lunch
  - They also interviewed Alexander Poelma, Director Of Business Development at AccessData, about his previous role at “Fiscale inlichtingen-en opsporingsdienst (FIOD)—the Dutch agency responsible for investigating potential economic, fiscal and financial fraud nationwide” and his new role at AccessData
    Interview With Alexander Poelma, Director Of Business Development, AccessData
- Andrew Kempster at ‘Hex, Drugs, Rock and Roll’ explains how to mount VHDX files on Linux
  Mounting VHDX Files
- Howard Oakley at ‘The Eclectic Light Company’ advises that Apple has updated its articles regarding the 2018 MacBook Pro’s use of the T2 chip. My understanding is that this means that the SSD cannot be removed from the computer, and as a result you’ll need to use a bootable OS (for example Caine, Paladin, Recon Imager or Macquisition, with the latter two probably being preferable) to obtain an image.
  New Apple support articles about MacBook Pro 2018 model with the T2 chip
SOFTWARE UPDATES
- AceLabs have released an update (v7.2.5) to the PC-3000 Flash software.
  The new PC-3000 Flash software Ver. 7.2.5. is available!
- Didier Stevens released a new tool, file-magic, that replicates the functionality of the *nix “file” tool.
  New Tool: file-magic.py
- Digital Detective updated their NetAnalysis (v2.8), HstEx (v4.8) and Blade (v1.15) tools this week. There’s also a 30% off sale for new licenses of these tools.
- GetData updated Forensic Explorer to v4.3.5.7540 with a number of new improvements and bug fixes.
  12 July 2018 – v4.3.5.7540
- Paraben Corporation have released E3 v1.8 with some minor improvements and bug fixes
  E3 1.8 is now available!
- Passmark Software updated OSForensics to V6.0.1003 with some improvements to indexing.
  V6.0.1003 – 10th of July 2018
- radare2-2.7.0 was released with “a lot of improvements in the analysis and visual representation”
  codename: SleepyNull
- SalvationData have released their SmartPhone Forensic System Professional tool. Raymond Luo also presented on the capabilities of the tool, as well as their disk duplication and write blocking tools.
  [Product Launch] SalvationDATA Mobile Forensics SPF Pro Official Release!
- USB Detective v1.1.6 was released with a variety of improvements.
  Version 1.1.6 (07/11/2018)
- X-Ways Forensics 19.7 Beta 3 was released adding some minor improvements.
  X-Ways Forensics 19.7 Beta 3
- Maxim Suhanov released Yarp 1.0.19
  1.0.19
- Eric Zimmerman updated JLE (v0.6.1.0), TLE (v0.8.5.0) and MFTECmd (v0.2.7.0)
That’s all for Week 28! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!