FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looked into NTFS $REPARSE_POINTs and symbolic links, and by doing so was able to identify a bug in MFTECmd.
- Dan Pullega at 4n6k describes how he investigated a previously unknown GUID identified in Shellbags. Dan also identified that Adobe Creative Cloud generates part of the GUID dynamically based on the username of the account.
Forensics Quickie: Identifying an Unknown GUID with Shellbags Explorer, Detailing Shell Item Extension Block 0xbeef0026, & Creative Cloud GUID Behavior
- Justin Boncaldo provides an introduction to LNK files.
DFS# 02: Proof my client did -or didn’t- open a file (.LNK FILE OVERVIEW)
- Alistair Ewing describes how he performs remote acquisitions of client machines.
How is a Remote Forensic Collection or Analysis Conducted?
- Martin Korman & Hadar Yudovich have started a blog! Their first post covers StartupInfo.xml, which can be used to identify which processes are launched at boot.
StartupInfo: Autoruns served up on a plate
- Oleg and Igor at Digital Forensics Corp provide an overview of web browser forensics and show some of the features of Belkasoft Evidence Centre for parsing web browser data.
An Overview of Web Browser Forensics
- Jason Hale at Digital Forensics Stream shows how to extract and examine the MBR stored within the Win10 event logs when a device is connected. Apparently, there’s a difference between GPT and MBR disk handling which Jason intends to cover at a later stage.
USB Device Tracking using the Partition/Diagnostic Event Log – Part 2
- eForensics Magazine shared a couple of articles this week
  - They posted an article by Hector Barquero where he shows how to compare two apparently identical (but different) pictures and extract EXIF metadata from them.
  Digital Forensics – Tracking & Target Locating .Jpegs via Metadata (Exif) | By Hector Barquero
  - They also posted an article by Alexander Kot about his work on the Network Forensics Village at BSides Cleveland.
  Network Forensics Village | By Alexander Kot
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a few times this week
  - Last week’s Sunday Funday relates to Win10 and Cortana; asking what data is stored, where it is stored, and whether there is any location history. It does not ask the most important question of “who actually uses Cortana” however. He received one submission, by Justin Boncaldo, who shared his initial findings.
  Daily Blog #423: Sunday Funday 7/15/18
  - On Windows, there is a registry key that stores the current computer name; when you change the name, another subkey, ActiveComputerName, is populated, and on reboot this is deleted.
  Daily Blog #424: The registry key so nice they named it twice, computername computername
  - Dave details some information about the UserAssist key, which is great for identifying GUI-based application usage.
  Daily Blog #425: How I Use It: Userassist
  - He also lists some information about copying directories on Win10: “You will want to look into the Jumplist with Appid f01b4d95cf55d32a and within it you find an entry for every directory that has been pasted. You will not get the source location but rather the destination which in my mind is more useful. The MRU date associated and the creation time of the directory will show you when as well.”
  Daily Blog #426: Directory Copy and Paste Artifacts in Windows 10
  - He does some research into the previous Sunday Funday challenge regarding BitLocker; apparently, there’s a clear key mode that temporarily disables BitLocker for a defined number of reboots.
  Daily Blog #427: Bitlocker Experiments Part 1
  - Dave and Matthew hosted Arman Gungor from Metaspike on the Forensic Lunch; they discussed Arman’s ‘Forensic Email Collector’ product, and also shared some details of the upcoming CTF (which I’m all booked in for, very excited!)
  Daily Blog #428: Forensic Lunch 7/20/18
  - This week’s Sunday Funday relates to tracking timezone changes on a user’s system.
  Daily Blog #430: Sunday Funday 7/22/18
- Magnet Forensics released a couple of items relating to iOS 11 this week
  - The first was a white paper on acquiring and parsing iOS 11 devices.
  New White Paper: Acquiring and Parsing Data from iOS 11 Devices
  - The second, by Chris Vance, related specifically to the changes made in iOS 11.4.1 regarding USB Restricted Mode.
  Working with iOS Devices Post-11.4.1
- Maxim Suhanov has started a blog! In his first post he explains how live distros mount file systems from drives, and through his research was able to identify that “an adversary can write a small malicious file system to one of the internal drives, so that this internal drive will look like a boot drive for a live forensic distribution.” I’d be curious to know if anyone has come across this type of attack in the wild, or whether it’s a theoretical risk that may not be on the list of priorities to mitigate.
A live forensic distribution executing malicious code from a suspect drive
- SalvationData have posted a couple of case studies using their newly released SPF Pro.
THREAT INTELLIGENCE/HUNTING
- Kyle Hanslovan at Huntress Labs examines a phishing email that drops a malicious XPS file.
Ask Huntress: Fake .XPS Invoice Leading to Phishing
- Xavier Mertens at the SANS Internet Storm Centre shares a script to detect geographically improbable logins.
Searching for Geographically Improbable Login Attempts, (Tue, Jul 17th)
- Richie Cyrus at ‘Security Never Sleeps’ discusses “hunting for activity resulting from attackers using the tactic of defense evasion on MacOS systems, and corresponding techniques.”
Hunting for Bad Apples – Part 2
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ posted a couple of times this week
  - He shares “a brief and simple workflow, useful for a first high-level analysis of memory dumps in order to search the presence of a generic malware.”
  Finding malware on memory dumps using Volatility and Yara rules
  - He also shared a cheatsheet for Tcpdump.
  TCPDUMP: a simple cheatsheet
- Dane Stuckey has a post on “using the system access control list (SACL) functionality to detect endpoint compromise on Windows hosts”.
Detecting Windows Endpoint Compromise with SACLs
- Pablo Delgado at Syspanda posted a couple of times this week
  - He demonstrates how to filter VNC and RDP sessions in Logstash.
  Remote Connection Dashboards: VNC & RDP
  - He also shows how to look at services and scheduled tasks for indications of persistence.
  Threat Hunting: Finding Persistence Mechanisms
UPCOMING WEBINARS/CONFERENCES
- Endgame shared the various presentations that they will be giving next month at Hacker Summer Camp (BH/DC/BSLV).
Endgame Presents: Hacker Summer Camp 2018
- Eric Oldenburg at Griffeye will be “hosting a webinar on how to create more efficient workflows using the Griffeye Technology”. The webinar will take place August 28 at 15:00 CEST.
Webinar: Using Griffeye Technology to Increase Efficiency and Results
- Harp Thukral and Simon Key at OpenText will be presenting a webinar on APFS on July 31 2018 at 10:00 AM Pacific Daylight Time.
The Challenges of APFS and How EnCase Can Help
- Jamie McQuaid from Magnet Forensics and Dr. Liam Owens from Semantics21 will be hosting a webinar on their recent integration, “showcasing how these tools work together to save time identifying and rescuing child victims and apprehending offenders”. The posting doesn’t indicate when the webinar will be taking place, but I’m led to believe it’s August 14 or 15.
Saving Valuable Time on Child Exploitation Investigations with Magnet Forensics and Semantics21
PRESENTATIONS/PODCASTS
- Mike Felch and Beau Bullock at Black Hills InfoSec discuss various ways to learn and network within the InfoSec community; whilst not specifically DFIR related, a lot of this stuff can be applied across the board.
WEBCAST: Highly Caffeinated InfoSec
- Brian and Bryan at Brakeing Down Security spoke about threat hunting this week after the start of the #threatHunting channel on the BrakeSec Slack.
2018-025-BsidesSPFD, threathunting, assessing risk
- DME Forensics uploaded a video about their partnership “with -iNPUT-ACE to provide a seamless workflow from video acquisition with DVR Examiner through analysis and processing.”
DVR Acquisition & Processing with DVR Examiner and -iNPUT-ACE
- Joshua Wright shares some thoughts on “iOS 11.4.1 USB restricted mode and the Grayshift GrayKey”.
Check out @joswr1ght’s Tweet
- On this week’s Digital Forensic Survival Podcast, Michael discussed the importance of learning how to use the grep utility.
DFSP # 126 – Star Grepping
MALWARE
- SANS shared Thomas Rid’s presentation from the 2018 CTI Summit titled “Attributing Active Measures, Then and Now”.
Attributing Active Measures, Then and Now – SANS CTI Summit 2018
- The Volexity Threat Research team posted some details of “a new e-commerce financial data theft framework named JS Sniffer”.
JS Sniffer: E-commerce Data Theft Made Easy
- Michał Praszmo at CERT Poland analyses the Smoke Loader dropper.
Dissecting Smoke Loader
- Hasherezade and Jérôme Segura at Malwarebytes Labs analyse the Magniber ransomware.
Magniber ransomware improves, expands within Asia
- Roy Moshailov at Morphisec highlights some changes in the GandCrab ransomware.
GandCrab Ransomware Version 4.0/4.1
- Sergei Frankoff at OALabs provides “instructions for the installation and configuration of a free Windows 7 VM with the OAlabs-VM installer.” This VM will be useful for malware analysis.
OALabs Malware Analysis Virtual Machine
- There were a couple of posts on the Palo Alto Networks blog this week
  - Brad Duncan shares details of a campaign that distributes Emotet and Trickbot in the same infection chain. “An Emotet+Trickbot combination represents a more potent infection, and it doubles the danger for any vulnerable Windows host.”
  Malware Team Up: Malspam Pushing Emotet + Trickbot
  - Ruchna Nigam details various malware campaigns targeting IoT devices.
  Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
- Sebdraven examines a malicious RTF file that exploits CVE-2017-11882.
APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading
- Dr. Fahim Abbasi and Diana Lopera at SpiderLabs examine some malspam that distributes the DanaBot malware.
DanaBot Riding Fake MYOB Invoice Emails
- There were a couple of posts on the TrendLabs blog this week
  - Joey Chen shares details of the Blackgear cyberespionage campaign that has recently resurfaced. This post describes the use of the Marade downloader and the Protux backdoor.
  Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication
  - Joseph C Chen analyses some new tactics utilised by the Andariel group “which were used mainly against South Korean targets”.
  New Andariel Reconnaissance Tactics Hint At Next Targets
- Trustlook examines a malicious Android app that was packed with the Bangle Android app packer.
Bangle Android App Packer: Unpacking & Analysis
- Vitali Kremez documents the “presence of the new TrickBot Tor plugin server and deobfuscate the latest TrickBot Loader malware string template.”
Let’s Learn: “TrickBot” New Tor Plugin Server Communication & Decoding Latest Trick Loader String Template
- Kaspars Osis at WeLiveSecurity summarises the findings from the “Quasar, Sobaken and Vermin: A deeper look into an ongoing espionage campaign” whitepaper.
A deep dive down the Vermin RAThole
MISCELLANEOUS
- Brian Moran at BriMor Labs shares his experience trying to automate live memory collection from a Mac in his Live Response collection tool and getting thwarted by SIP.
Let’s Talk About Kext
- Lee Holmes shares some tips for submitting a presentation to a conference.
Creating a Good Security Conference CFP Submission
- Coincidentally this week (or not, I’m not sure), Lesley Carhart also shared some tips for CFPs based on reviewing presentations for DerbyCon.
I reviewed 600+ call-for-paper submissions, (and you’ll probably guess what happened next.)
- The guys at Cyber Forensicator shared a paper by Danny Hendler, Shay Kels, and Amir Rubin titled “Detecting Malicious PowerShell Commands using Deep Neural Networks”.
Detecting Malicious PowerShell Commands using Deep Neural Networks
- Brett Shavers posted a couple of times on DFIR.Training
  - The first advises thinking outside the box, both metaphorically and literally: look beyond the data held within the devices to be examined. Combining other data points can help identify further information relevant to the case, or direct your examination of the electronic devices.
  Think out of the box (literally)
  - The second talks about choosing the right tool for the job. It’s a good idea to try to figure out the limitations of the tools you use; that’s not going to be easy, but even a little effort can help a lot.
  Some DFIR tools are terrible…
- There was a new scenario posted on the Digital Corpora website; the scenario was created by a GMU student and covers the fictional investigation of the planning of a mass shooting.
2018 Lone Wolf Scenario
- Craig Wilson at Digital Detective describes various character encodings.
Character Encoding: A Quick Primer
- Dan Gunter & Marc Seitz at Dragos share a Python module that they wrote to ingest EVTX files into ELK.
EvtxToElk: A Python Module to Load Windows Event Logs into ElasticSearch
- Forensic Focus interviewed Tina Wu, a DPhil Cyber Security Student at the University of Oxford, about her research into IoT device examination.
Interview With Tina Wu, DPhil Cyber Security Student, University of Oxford
- Mike Cary released a PowerShell script that automates the use of Eric Zimmerman’s command line tools.
POSH-Triage
- Jessica Hyde at Magnet Forensics shares her thoughts on giving back to the community, which is at the top of her “Maslow’s Hierarchy of Needs for Digital Forensics” pyramid. I for one appreciate all of the sharing that this community does, and encourage more, even though it makes my weekends a bit busier.
Giving Back in DFIR
- Sarah Edwards has uploaded her “Getting Saucy with APFS – Workshop Edition” materials.
Check out @iamevltwin’s Tweet
- Mike Sheward announced that his book, Hands-on Incident Response and Digital Forensics, has been released.
Out now: Hands-on Incident Response and Digital Forensics!
- Yogesh Khatri at Swift Forensics has built an APFS template for the 010 Editor.
APFS template for 010 Editor
SOFTWARE UPDATES
- Blackbag Technologies released BlackLight 2018 R2. Ashley Hernandez has also released a video providing an overview of the new features.
You Asked, We Answers: New BlackLight Enhancements For 2018 R2
- UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.8 were released this week, adding additional device acquisition methods, as well as app updates and bug fixes.
UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.8 [July 2018]
- Eric Zimmerman updated MFTECmd (v0.2.9.1) and TLE (v0.8.5.1) this week. Both can be downloaded here.
- GetData released Forensic Explorer v4.3.5.7580, fixing a couple of bugs.
18 July 2018 – v4.3.5.7580
- Magnet Forensics released AXIOM 2.3, introducing “integration of Child Rescue Coalition’s CPS software into AXIOM, performance improvements, and offline updates that are smaller and faster.” The update process from this version on should be quicker, as only the update is downloaded and applied rather than the full installer.
CPS Integration and User Experience Improvements Come to Magnet AXIOM 2.3
- Matt Bromiley released OLAF (O365 Log Analysis Framework), which “is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations.”
OLAF
- MobilEdit added and improved support for a few iOS and Android apps.
Live Update version 2018-07-18-01
- “Oxygen Forensics has released a maintenance update to Oxygen Forensic® Detective (v10.3.2) to add support within Oxygen Forensic® Cloud Extractor for the latest Apple security standards protecting iCloud account data.”
Oxygen Forensics brings iCloud extractions back online along with enhanced iOS support
- Passmark Software released OSForensics V6.0.1004 to fix a few bugs.
V6.0.1004 – 17th of July 2018
- Passware Kit 2018 v1 was released with an updated UI as well as a number of new features and improvements.
Passware Kit 2018 v1: The Anniversary Edition
And that’s all for Week 29! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!