FORENSIC ANALYSIS
- Adam Harrison at 1234n6 answers Dave’s latest Sunday Funday challenge on identifying historical timezone configuration changes. Adam’s submission also won
Methods to identify historical Time Zone configuration associated with a Windows PC
- Matt at Bit of Hex shares a short Python script “which will brute-force binary data looking for valid dates and times”
Brute-forcing dates & times in binary data
- Justin Boncaldo examines the data stored by the Facebook Messenger Windows App and finds that there’s not a lot of locally cached content. More and more reasons to extract cloud data whenever possible.
Facebook Messenger – Windows App Store Forensics
- Kshitij Kumar and Jai Musunuri at CrowdStrike share details of “CoreAnalytics [on macOS High Sierra], which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month”
I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13
- Brian Carrier at Cyber Triage shows how to create a timeline of activity in Cyber Triage
It’s About Time(lines)!
- Depak Kumar describes some low-level phone acquisition techniques for acquiring data off damaged devices.
SMARTPHONE FORENSICS – 2
- Solvent at Forensics Matters shows how to use dc3dd to acquire a physical image of a device.
Image acquisition with dc3dd
- Gig’s at Giggle Security has written some advice about getting into Windows forensics, ranging from links to read through and event logs to understand, to a few useful tools for extracting and parsing various artefacts
Beginners Guide to the Windows Forensics Lifestyle
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times on Win10’s BitLocker implementation this week
- He shows that “Bitlocker or Bitlocker ToGo both will tell you the hostname of the system that encrypted the volume and the date it was encrypted”
Daily Blog #431: Bitlocker Experiments Part 2
- And that you can also determine the volume label (or the drive letter, if no volume label was present) at the time it was encrypted.
Daily Blog #432: Bitlocker Experiments Part 3
- He took a look at the “FVE Metadata block from a vhd encrypted with BitLocker while BitLocker is active and is protecting the VHD with a password and after I turned off protection”.
Daily Blog #433: Bitlocker Experiments Part 4
- The last part covers the layering of keys and Dave’s plans for accessing a BitLocker-encrypted Windows installation that he doesn’t have the credentials for.
Daily Blog #434: Bitlocker Experiments Part 5
- Dave and Matthew ran a Forensic Lunch where they spoke about some of the things they’re working on, and answered viewers’ questions. They also spoke about actual lunch foods, and all the fun we’ll be having at Defcon in a couple of weeks (hanging out, FIFA, DFIR).
Daily Blog #435: Forensic Lunch 7/27/18
- Alexis Brignoni at ‘Initialization vectors’ examines the data stored by the Microsoft Translator Android app.
Microsoft Translator – Android DFIR App Review
- Maxim Suhanov shows the effects of the different mounting mechanisms used in Paladin v6.09 and v7.04, specifically on dirty Ext4 drives. He also shows some of the instances where Debian-based operating systems, such as Kali, can modify data on the underlying devices. Lastly, he shows that the NTFS $LogFile may be wiped because a bug in busybox means the drive may be mounted ‘rw’ for a short period. This affects Paladin v6.09; Maxim did not indicate whether the current version is also affected.
A live forensic distribution writing to a suspect drive
- SalvationData have posted a case study on using their VIP (Video Investigation Portable) tool to recover CCTV DVR footage from a formatted drive.
[Case Study] DVR Forensics: How To Recover Surveillance Videos After Formatting A CCTV DVR Hard Drive
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ posted a couple of times this week
- He shares some thoughts on lateral movement techniques including RDP, Admin shares, DCOM, and more.
Some thoughts about Lateral Movement techniques
- And also shows that DumpIt sometimes has issues acquiring memory from Win7+ 64-bit systems with more than 8GB of memory.
Digital forensics chronicles: image identification issues on large memory dump with Volatility
- Ron Hamann at Janky Robot Security walks through accessing Alternate Data Streams using the xattr command on a Mac.
Accessing Alternate Data Streams from a Mac
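The brute-force timestamp search Matt describes is simple enough to show in full. The script below is an added example written for this roundup, not Matt’s script: it slides over every byte offset of a buffer and reports each 64-bit little-endian Windows FILETIME and 32-bit little-endian Unix epoch value that decodes to a date inside a plausible window. The window bounds (2000 to 2030) and the sample buffer are assumptions made for illustration; on real data expect false positives (roughly a fifth of random 32-bit values fall in a thirty-year Unix window) and confirm hits against the surrounding structure.

```python
"""Brute-force scan of a byte buffer for plausible timestamps (added example)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed plausibility window: anything outside it is treated as noise.
WINDOW_START = datetime(2000, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2030, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME (100-nanosecond ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """FILETIME -> UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def scan(data, start=WINDOW_START, end=WINDOW_END):
    """Return [(offset, kind, datetime)] for every candidate timestamp in data.

    Every byte offset is tried because structures in unknown binary data are
    rarely aligned; the caller is expected to triage the hits.
    """
    ft_lo, ft_hi = to_filetime(start), to_filetime(end)
    ux_lo, ux_hi = int(start.timestamp()), int(end.timestamp())
    hits = []
    for off in range(len(data) - 8 + 1):
        (ft,) = struct.unpack_from("<Q", data, off)
        if ft_lo <= ft < ft_hi:
            hits.append((off, "FILETIME", from_filetime(ft)))
    for off in range(len(data) - 4 + 1):
        (ux,) = struct.unpack_from("<I", data, off)
        if ux_lo <= ux < ux_hi:
            hits.append((off, "unix32", UNIX_EPOCH + timedelta(seconds=ux)))
    hits.sort(key=lambda h: (h[0], h[1]))
    return hits


def build_sample():
    """Constructed buffer: zero padding with one FILETIME at offset 16 and
    one 32-bit Unix timestamp at offset 40, both for the same instant."""
    when = datetime(2018, 7, 28, 12, 0, 0, tzinfo=timezone.utc)
    buf = bytearray(64)
    struct.pack_into("<Q", buf, 16, to_filetime(when))
    struct.pack_into("<I", buf, 40, int(when.timestamp()))
    return bytes(buf), when


if __name__ == "__main__":
    sample, _ = build_sample()
    for off, kind, ts in scan(sample):
        print(f"0x{off:04x} {kind:8} {ts.isoformat()}")
```

To run it over a real artefact, pass the file contents (`scan(open(path, "rb").read())`) and cross-check each hit against its neighbours: a genuine FILETIME usually sits next to other FILETIMEs or a recognisable record header.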
THREAT INTELLIGENCE/HUNTING
- Google announced that they will be “launching an Early Adopter Program (EAP) for a new “investigation tool” in the G Suite security center. It will help G Suite admins and security analysts identify, triage, and remediate security threats within their organization.”
Triage and remediate threats with new investigation tool in G Suite security center Early Adopter Program
- Adam at Hexacorn shared two posts about modifying the Windows Explorer ‘Open’ menu to launch malicious programs.
- Koen Van Impe has a post on IBM’s Security Intelligence blog on the benefits of pivoting on data points during an incident.
How Pivoting Can Help Your Incident Response Process
- Brian Laskowski at Laskowski-Tech shows how to integrate ClamAV with TheHive.
ClamAV Analyzer for TheHive and Cortex
- Oddvar Moe shows how to manipulate the registry settings that would normally launch the Magnifier (Win + ‘+’) to execute a different PE (in this instance a command prompt).
Another way to get to a system shell – Assistive Technology
- Will at SpecterOps announces the release of a new series of tools called GhostPack; these tools look like they have a lot of useful functionality, from triaging an incident, to determining insecurities on a system, to dumping specific process memory.
GhostPack
- Sandfly Security have a post describing how their tool assisted in detecting and examining a cryptominer running on a Linux host. They also show how they used built-in tools to triage the malware.
Linux Malware Cryptominer Detection and Forensics
- SANS shared Dan Gunter’s whitepaper on evaluating the success of a threat hunt
Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments
- Nikita Kazymirskyi, Anat Davidi, Ziv Mador, Karl Sigler, Brian Hussey, and Jeremy Batterman at Trustwave SpiderLabs have been looking into the recent SingHealth breach and share details of Pastebin posts that may be related to the attack
New Indicators Suggest Penetration Vectors and Earlier Dates for the SingHealth Breach
- Pablo Delgado at Syspanda shows how to create a “dashboard that shows all-related activities performed by Domain Admin user(s)” in ELK.
Tracking & Monitoring Domain Admins with Logstash
UPCOMING WEBINARS/CONFERENCES
- Chris Vance at Magnet Forensics will be hosting a couple of webinars on using the Grayshift GrayKey along with Magnet Axiom to extract data from iOS 11 devices. The webinar will also “cover the newest issues in dealing with iOS 11-based devices, including passcode issues, the limits of biometrics, pairing certificates, and the newest USB Restricted Mode found in v11.4.1.” The webinars will take place Wednesday, August 1st @ 1:00PM EDT and Thursday, August 2nd @ 9:00AM EDT.
Unlocking iOS 11’s Gates with GrayKey and Magnet AXIOM
- There will be a SANS Q&A with Phil Hagen on July 31.
Check out @sansforensics’s Tweet
PRESENTATIONS/PODCASTS
- Forensic Focus shared the transcript and recording of the recent Griffeye 101 webinar.
Webinar – Griffeye 101: A Crash Course In Visual Media Investigations
- Hasherezade has uploaded a video showing how to trace executables using her Pin tracing tool.
Tracing executables with a Pin Tool (tiny_tracer)
- On this week’s Digital Forensic Survival Podcast, Michael talked about DNS and when it may be useful in incident response cases.
DFSP # 127 – DNS & Forensics
- Richard Davis at 13Cubed has released the second part of his Intro to Hashcat video.
Introduction to Hashcat – Part II
- SANS shared Matt Bromiley’s recent webinar on O365 compromises.
Business Email Compromise; Office 365 Making Sense of All the Noise
- On Talino Talk, Jason spoke with Dave from Truxton about their latest partnership.
TALINO Talk ep17
MALWARE
- Xavier Mertens at /dev/random shares some details of “an altered jquery.js file” used to distribute a cryptominer.
Another Cryptominer Delivered Through Altered JQuery.js File
- The Check Point Research team share details about the Emotet banking trojan.
Emotet: The Tricky Trojan that ‘Git Clones’
- The guys at Cyber Forensicator shared a post by Paul Cimino on disassembling a Word doc containing macros.
How to Disassemble a Word Document with Embedded Macros
- Didier Stevens shows how to use his tools to extract a PE file from inside a JScript script generated with DotNetToJScript.
Extracting DotNetToJScript’s PE Files
- eForensics posted an article by Francisco Sanchez on how to set up a malware analysis lab.
Malware Lab for Dynamic Malware Analysis | By Francisco Sanchez
- Hauke Gierow at G DATA advises that they have seen their first case of malware obfuscated using Dosfuscation. Whilst the actual malware was Trickbot, the obfuscation method meant that the data was not “immediately recognizable even by experienced analysts.”
G DATA analysis discovers Dosfuscation in the wild
- James Kainth shared his notes from chapter 1 of Practical Malware Analysis
Practical Malware Analysis Notes Chapter 1
- Lenny Zeltser shares some of the malware samples that he has retired from the SANS FOR610 Malware Analysis course. He also states that “It’s also interesting to notice that, despite all the changes in the threat landscape, many of the same objectives and tricks persist in today’s malware world.”
Retired Malware Samples: Everything Old is New Again
- Hasherezade and Jérôme Segura at Malwarebytes Labs examine a recent attack distributing the Hidden Bee miner, which maintains persistence via a bootkit.
‘Hidden Bee’ miner delivered via improved drive-by download toolkit
- Debasish Mandal at McAfee Labs examines the CactusTorch “fileless threat”, which “uses the DotNetToJScript technique, [to load and execute] malicious .NET assemblies straight from memory.”
CactusTorch Fileless Threat Abuses .NET to Infect Victims
- Elia Florio and Lior Ben Porat at the Windows Defender ATP Research team share details of a recent supply chain attack which affected the installer of a PDF editor and was used to distribute a cryptominer.
Attack inception: Compromised supply chain within a supply chain poses new risks
- Didier Stevens at NVISO Labs examines “PDFs [embedded with a file type with extension .SettingContent-ms that can be used on Windows 10 to execute arbitrary code]”
Shortcomings of blacklisting in Adobe Reader and what you can do about it
- There were a few posts on the Palo Alto Networks blog this week
- Liat Hayun provides an overview of document-based attacks
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
- Bryan Lee and Robert Falcone share details of a recent attack by the OilRig group that distributes a “PowerShell backdoor called QUADAGENT”
OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
- Tomer Harpaz shares the process of creating the decryptor for the LockCrypt ransomware.
Decrypting the LockCrypt Ransomware
- Robert Falcone, Bryan Lee and Tom Lancaster share details of an attack by a previously unpublished threat group called DarkHydrus. The attacks were spear-phishing e-mails “with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).”
New Threat Actor Group DarkHydrus Targets Middle East Government
- Yair Tsarfaty at Radware shares details of the Micropsia malware.
Micropsia Malware
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens examines a maldoc using oledump.
Maldoc analysis with standard Linux tools, (Sun, Jul 22nd)
- Brad Duncan shares details of some recent Emotet activity.
Recent Emotet activity, (Tue, Jul 24th)
- Didier also examines a .MSG file using oledump.
Analyzing MSG files, (Mon, Jul 23rd)
- Xavier Mertens deobfuscates a Windows batch file found within a maldoc.
Windows Batch File Deobfuscation, (Thu, Jul 26th)
- Brad also examines the infection chain of some malspam containing password-protected documents.
Malspam with password-protected Word docs pushes Hermes ransomware, (Fri, Jul 27th)
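Both the G DATA Dosfuscation write-up and Xavier’s batch deobfuscation diary deal with the same cmd.exe trick: the real command is never written out, it is assembled from `%var:~start,len%` slices of variables set earlier in the script (or of environment variables such as ComSpec), with `^` carets sprinkled in to break string matching. The resolver below is an added example written for this roundup, not code from either post: it replays the `set` lines, applies cmd.exe’s substring semantics to every slice, and strips the escape carets. The sample script and the pre-seeded environment values are constructed assumptions; it does not handle delayed expansion (`!var!`) or `set /a` arithmetic.

```python
"""Resolve cmd.exe substring-expansion obfuscation in a batch file (added example)."""
import re

SET_LINE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
SLICE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")
PLAIN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Assumed victim environment; samples slice these to avoid writing "cmd" in the clear.
DEFAULT_ENV = {
    "comspec": r"C:\Windows\system32\cmd.exe",
    "public": r"C:\Users\Public",
}


def cmd_substring(value, start, length):
    """%var:~start,len% as cmd.exe evaluates it: a negative start counts from
    the end, a negative len leaves that many characters off the end, and no
    len means 'to the end of the string'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:max(n + length, 0)]
    return value[start:start + length]


def expand(text, env):
    """Expand %var:~a,b% slices and plain %var% references, then drop ^ escapes."""
    def do_slice(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)  # leave unknown variables visible to the analyst
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], int(m.group(2)), length)
    text = SLICE.sub(do_slice, text)
    text = PLAIN.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)
    return re.sub(r"\^(.)", r"\1", text)  # ^x is just x once expansion is done


def deobfuscate(script, env=None):
    """Return (variables, commands): set lines populate the variables, every
    other non-empty line is returned with the variables expanded."""
    env = dict(DEFAULT_ENV if env is None else env)
    commands = []
    for line in script.splitlines():
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
        elif line.strip():
            commands.append(expand(line, env))
    return env, commands


# Constructed sample in the style of the obfuscated droppers; "SQBFAFgA" is
# base64 of the UTF-16LE string "IEX", a placeholder for the real payload.
SAMPLE = r"""@echo off
set "q=rallepowhs"
set "z=-w hidden"
%comspec:~-7,3% /c %q:~5,3%%q:~4,1%%q:~0,1%%q:~-1%%q:~8,1%%q:~4,1%%q:~2,2% %z:~0,2% %z:~3% -e^nc SQBFAFgA
"""

if __name__ == "__main__":
    variables, commands = deobfuscate(SAMPLE)
    for name, value in sorted(variables.items()):
        print(f"{name} = {value!r}")
    for cmd in commands:
        print(cmd)
```

Resolving slices statically, rather than running the script in a sandbox, keeps the analysis offline and reveals the assembled command (`cmd /c powershell -w hidden -enc ...` for the sample) even when the payload host is already down.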
- Warren Mercer, Paul Rascagneres and Andrew Williams at Cisco’s Talos blog expanded on their previous article about mobile malware being distributed after getting users to enrol in a malicious MDM.
Advanced Mobile Malware Campaign in India uses Malicious MDM – Part 2
- Diana Lopera at Trustwave SpiderLabs analyses some malicious PDF documents that exploit the SettingContent file type feature of Win10.
Malicious SettingContent now delivered through PDF
- Swapnil Patil at FireEye shares details of the FELIXROOT backdoor that has been seen “as a payload in a campaign targeting Ukrainians”.
Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
- There were a couple of posts on the TrendLabs blog this week
- Hubert Lin, Lorin Wu, and Vit Sembera share details of an attack that deploys malware “via scanned open ADB ports”
Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices
- Jaromir Horejsi and Joseph C. Chen describe a new exploit kit that they’ve called Underminer.
New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel
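Didier’s DotNetToJScript post and the CactusTorch write-up both come down to the same artefact: a JScript file whose long base64 string literals hold a serialised .NET object graph with an assembly (a PE) inside it. The carver below is an added example written for this roundup, not Didier’s tools (base64dump.py and pecheck.py) or anything from the McAfee post. It joins the concatenated base64 literals, decodes them, and carves every embedded PE whose DOS header, PE signature and section table check out, sizing the image from the section table. The sample script is constructed to resemble DotNetToJScript output; the “PE” inside it is a header-only stub, not a real executable, and the framing bytes around it are an assumption standing in for the BinaryFormatter stream.

```python
"""Carve PE images out of base64 string literals in a JScript file (added example)."""
import base64
import re
import struct

# A run of base64-only string literals joined with '+', e.g. "AAEA" + "AAD/"
B64_CONCAT = re.compile(rb'"[A-Za-z0-9+/=]*"(?:\s*\+\s*"[A-Za-z0-9+/=]*")*')
LITERAL = re.compile(rb'"([^"]*)"')


def joined_base64_blobs(script, min_len=64):
    """Yield the decoded bytes of every concatenated base64 literal run."""
    for m in B64_CONCAT.finditer(script):
        text = b"".join(LITERAL.findall(m.group(0)))
        if len(text) < min_len:
            continue  # short literals such as "ok" also fit the alphabet
        text += b"=" * (-len(text) % 4)  # tolerate stripped padding
        try:
            yield base64.b64decode(text)
        except ValueError:
            continue


def pe_size(blob, off):
    """Size of the PE at off as implied by its headers, or None if it is not one."""
    if off + 0x40 > len(blob) or blob[off:off + 2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
    pe = off + e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    (nsections,) = struct.unpack_from("<H", blob, pe + 6)    # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, pe + 20)    # SizeOfOptionalHeader
    sect = pe + 24 + opt_size                                # section table start
    if sect + 40 * nsections > len(blob):
        return None
    end = sect + 40 * nsections  # at least the headers
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end - off if end <= len(blob) else None  # None: truncated image


def carve_pes(script):
    """Return every PE image embedded (base64-encoded) in the script."""
    found = []
    for blob in joined_base64_blobs(script):
        for m in re.finditer(rb"MZ", blob):
            size = pe_size(blob, m.start())
            if size:
                found.append(blob[m.start():m.start() + size])
    return found


def build_stub_pe():
    """Constructed header-only PE: DOS header, PE signature, COFF header, one section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0x5B5C0000, 0, 0, 0, 0x102)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then zeros
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + bytes(16)
    body = bytes(range(0x10))  # 16 bytes of "code" at raw offset 0x80
    return bytes(dos) + coff + section + body


def build_sample_script(pe):
    """Constructed JScript in the shape of DotNetToJScript output (assumed framing)."""
    framed = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00" + b"framing " + pe + b"\x0b"
    b64 = base64.b64encode(framed)
    chunks = [b64[i:i + 48] for i in range(0, len(b64), 48)]
    literal = b" +\n    ".join(b'"' + c + b'"' for c in chunks)
    return (b"var serialized_obj = " + literal + b";\n"
            b'var stm = new ActiveXObject("System.IO.MemoryStream");\n')


if __name__ == "__main__":
    for i, image in enumerate(carve_pes(build_sample_script(build_stub_pe()))):
        print(f"carved PE #{i}: {len(image)} bytes, e_lfanew=0x{image[0x3C]:x}")
```

Sizing from the section table rather than carving to end-of-blob matters here because the serialised object graph continues after the assembly bytes; on a real sample, hand the carved image to a PE parser and check its hash before going further.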
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ interviewed Jessica Hyde about her life in the Marines, moving jobs to eventually work at Magnet, her upcoming book on IOT forensics, and sharing/giving back to the community.
AFoD Blog Interview with Jessica Hyde
- Tony at Archer Forensics advises that he will be looking into the data stored by the Reddit iOS app.
Reddit, Lets Talk About It
- Yulia Samoteykina at Atola shows how to find and edit cases on the Atola TaskForce.
Finding and editing cases
- Matt at Bit of Hex continues to look into HTTP/2 traffic.
Dude! Where’s my HTTP/2?
- The guys at Cyber Forensicator shared an upcoming book by Chet Hosmer on “incident response methods and techniques when faced with the unprecedented challenge that data hiding and covert communication pose”
Investigating Data Hiding and Covert Communication
- Brett Shavers at DFIR.Training expounds the benefits of practising on test images. Something I started doing but got sidetracked from finishing was compiling all of the solutions online to the problems. One of the main problems I would find is that people would write up their solutions on their blogs, but there was no link from the original image back! Something for someone else to do if they’re interested.
New Digital Corpora Forensic Test Images
- The guys at Digital Forensics Corp shared a broad overview of the GrayKey device, used to brute force and acquire iOS devices.
GrayKey Overview
- Janis Dalins has a post on the Australian Government’s Digital Transformation Agency website about some of his research into utilising deep learning to assist in identifying offensive materials (including child abuse and extremist content).
Using data to make investigations safer for AFP staff
- There were a couple of posts on the Forensic Focus blog this week
- Scar shared a roundup of recent forum topics.
Forensic Focus Forum Round-Up
- Scar also wrote a review of MacQuisition from BlackBag Technologies.
Review Of MacQuisition From BlackBag Technologies
- Cindy Murphy at Gillware Digital Forensics announced that she will be starting a new series of blog posts on her favourite forensic artefacts.
My Favorite Artifacts, Part 0: What Are Forensic Artifacts?
- Magnet Forensics posted a couple of times this week
- They announced that they have acquired Tracks Inspector, and will be renaming it to Magnet Review. I’m interested to see how they plan to integrate all of their products together, with Atlas for case management, Acquire, Axiom, and IEF for data preservation and case processing, and then Review for data review and presentation.
Tracks Inspector is Joining Magnet Forensics as Magnet REVIEW™
- They also interviewed their Director of Training Operations, Jamey Tubbs.
Meet Magnet Forensics’ Training Team: Jamey Tubbs
- Jessica Hyde noticed that several DFIR best practices and guidelines drafts from SWGDE are up for public comment.
Check out @B1N2H3X’s Tweet
- Howard Oakley at ‘The Eclectic Light Company’ has released a new macOS tool, cmpxat, that allows you to compare both the data and the metadata of two files
How to check that a file really is a faithful copy
- Over on my ThinkDFIR page, I put my thoughts down on why you should get into blogging. I’ve put some tips over here too, since I guess I have some experience in posting? The TLDR is it’s worth putting your experiences or testing or anything you can out there on your own site. It benefits you in the long run. You can do it anonymously and still get some of the benefits.
Should I Start A Blog? Yes, the answer is Yes
SOFTWARE UPDATES
- Didier Stevens updated a couple of his tools this week
- ExifTool 11.07 (development release) was released with some new tags and bug fixes.
ExifTool 11.07
- Metaspike released Forensic Email Collector v3.3.5.0 with a number of new improvements.
Forensic Email Collector (FEC) Changelog v3.3.5.0
- GetData updated Forensic Explorer to v4.3.5.7596 to fix a minor startup bug.
25 July 2018 – v4.3.5.7596
- Nextron Systems shared some of the key updates coming to THOR version 8.49.0.
THOR Version 8.49.0 Changes
- Orion Forensics updated USB Forensic Tracker to v1.1.2, adding the extraction of information from some event logs, as well as other UI improvements.
USB Forensic Tracker
- SalvationData updated SPF Pro to v6.77.23, adding a number of new features and bug fixes.
[Software Update] Mobile Forensics: SPF Pro V6.77.23 New Version Release for Better User Experience!
- Matthew May has released his forensic triage tool, ftriage, which is a framework for “automating forensic data acquisition, reduction, and overall triage.”
Check out @matthewclarkmay’s Tweet
- USB Detective v1.1.7 was released with a number of additional options and improvements.
Version 1.1.7 (07/25/2018)
And that’s all for Week 30! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!