Just an FYI I’m over in Las Vegas next week for DEF CON; two things. 1) If you’re around, shoot me a message on Twitter or through the contact form. Some people have reached out after I’ve been state-side and said things like “oh you looked busy”; if I’m busy, I’ll tell you, otherwise come say hi!; and 2) that means links only next week. Bit busy at the moment so rather than trying to push through and get everything done I’ll have to put the blog on the backburner for the week.
Also, seeking a bit of feedback re the way I’ve been formatting things: Do people prefer when I just list out the items, or when they’re grouped/correlated ie putting the answers to Sunday Funday in the link to the question?
FORENSIC ANALYSIS
- Delaney Jester describes what data can be obtained from the Cortana app on Android; she shows the manual process she had to follow and compares it with UFED PA, which didn't extract any of the data. Tools like PA do a great job, but can't automatically parse data they don't know about, and there are a lot of apps that the tools don't know about because covering them all is an impossible task.
  The Forensics of Cortana on Android
- Hideaki Ihara at the Port 139 blog tests the jumplist activity when copying a directory in Win10.
  Jumplist and File copy
- Adam Harrison at 1234n6 looks into Win10's recent retirement of the RegBack registry backups. I checked my system and saw that the last modified times roughly matched up with the latest update, and that my hives were all zeroed out. Looks like Microsoft might not be giving us that artefact any more.
  Has RegBack been retired?
- Justin Boncaldo shows how to parse the SAM hive using Registry Explorer and the RegRipper GUI. There's also the RegRipper command line (which I generally prefer), or you can use my RegRipper GUI (which I probably need to package with RegRipper and compile… eventually).
  4n6 Quick! #01 - Windows Users list & Login Count
- Alex Caithness at CCL looks at the Windows Facebook application and notices iOS-like features (plists on Windows!?). I see two possible outcomes from this: either we'll be missing data because scanners won't be looking for iOS artefacts on a Windows system, or, because the apps will be the same across operating systems, it'll be easier for the parsers to remain up to date. Maybe both even!
  What the Blazes?! – Why are there iOS Artefacts in my Windows 10 Applications?
- Craig Wilson at Digital Detective posted an article on his DataDump tool, "which allows you to dump segments of data from an original source image or physical/logical device."
  DataDump™
- Dave Cowen at the 'Hacking Exposed Computer Forensics Blog' posted a number of times this week
  - Sunday Funday this week is about the inbuilt anti-forensics task found on Win10 that cleans up plug and play devices. Adam Harrison has posted his answer. Adam found that if you had the task it will remain through the upgrade process, but newer versions shouldn't ship with the task. If rolling out Win10 across an organisation it's probably ideal to delete the task anyway.
    Daily Blog #437: Sunday Funday 7/29/18
  - Dave links to Hideaki's post, seen above.
    Daily Blog #438: Validating the Windows 10 Copy Paste artifact
  - He also comments on the maximum storage limit of shell items in Windows jumplists (2000 items), and explains that Jumplist Explorer has a function to recover deleted entries that haven't been overwritten.
    Daily Blog #439: Jumplist maximum storage
  - He looks at the Win10 Notification Database for interesting tables/data, and shows that "we can recover the sender, subject and first lines of an email in the notification database even if the email has been purged from the system otherwise"
    Daily Blog #440: Windows 10 Notifications Database
  - Dave mentions the need for regression testing with different feature updates of Win10, since each feature update adds and removes different functionality (who knows why). I have ideas for this, so if someone's an AutoIt ninja then reach out and we can discuss if there's a way to automate some of this.
    Daily Blog #441: Changes in Windows 10
  - Lastly, Dave asks the community to help compile a list of known anti-forensics tools that they've seen used in the wild
    Daily Blog #442: Anti Forensic Tools in the wild
- Alexis Brignoni at Initialization Vectors has released a tool for parsing the data found in the Microsoft Translate Android app. Alexis' post shows that a number of apps are now storing data as JSON as well as in SQLite, which may not be as easy to parse automatically with the functions within tools (think Dynamic App Finder in IEF/Axiom and Cellebrite's SQLite builder, although both of those tools do have JSON/XML viewers).
  JSON-ception and the need for mobile DFIR scripting courses
- Jon Poling tweeted out that examiners can "collect both iCloud Backup Logs and a full ASL log archive for analysis" using the macOS "brctl" utility
  Check out @JPoForenso's Tweet
- Brian Maloney shares a script for converting the Windows 10 Notification database's write-ahead log (WAL) into a standalone SQLite database for examination.
  Windows 10 Notification WAL database
- There were a couple of posts on ØSecurity
  - The first provides the client-side logs to examine for an RDP session. This is complementary to Jon Poling's Windows RDP-Related Event Logs: Identification, Tracking, and Investigation
    Windows RDP-Related Event Logs: The Client Side of the Story
  - The second shows an event on the computer initiating the session that contains a hash of the username being used, and provides a method of decoding the hash.
    Windows Event ID 1029 Hashes
- SalvationData have a post on extracting data from a Seagate hard drive with corrupt firmware using their Data Recovery System (DRS) tool.
  [Case Study] Computer Forensics: How to Forensically Extract Data from an Unidentified Seagate HDD
- I posted my 'This Month in 4n6' podcast for July.
  This Month In 4n6 – July – 2018
- Twitter user Wyv3rnSec has posted a table of Ext4 timestamp changes based on a variety of interactions. This is similar to the table for NTFS on the SANS Windows Forensic Analysis poster.
  Check out @Wyv3rnSec's Tweet
- Accenture Security have posted a report on the use of the SOCKSBOT malware family in the GOLDFIN campaign
  GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT
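On the JSON-ception item above: the JSON-in-SQLite problem Alexis describes is manageable once you stop relying on a tool's built-in schema knowledge. What follows is an added example of mine, not Alexis' tool and not the Translate app's real schema. It walks every table of an SQLite database, tries to decode each text cell as JSON, and keeps recursing into string values that are themselves JSON documents (the "JSON-ception" case) while leaving strings that merely look like JSON alone. The `history` table, its `payload` column and the record contents are constructed for the demo.

```python
import json
import sqlite3


def decode_nested_json(value):
    """Recursively turn JSON text into Python objects, including JSON that is
    stored as a *string* inside another JSON document. A string that only
    looks like JSON (fails to parse) is returned unchanged."""
    if isinstance(value, str):
        s = value.strip()
        if s[:1] in ("{", "["):
            try:
                return decode_nested_json(json.loads(s))
            except ValueError:
                return value
        return value
    if isinstance(value, dict):
        return {k: decode_nested_json(v) for k, v in value.items()}
    if isinstance(value, list):
        return [decode_nested_json(v) for v in value]
    return value


def dump_json_columns(conn):
    """Walk every table and every text/blob cell of an SQLite database and yield
    (table, rowid, column, decoded_object) for each cell that parses as JSON.
    No schema knowledge is needed, which is the point: unknown apps included."""
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        rows = cur.execute(f'SELECT rowid, * FROM "{table}"').fetchall()
        for row in rows:
            for col, raw in zip(cols, row[1:]):
                if isinstance(raw, bytes):            # JSON is sometimes stored as a BLOB
                    raw = raw.decode("utf-8", "replace")
                if not isinstance(raw, str):
                    continue
                decoded = decode_nested_json(raw)
                if not isinstance(decoded, str):
                    yield table, row[0], col, decoded


def build_sample_db():
    """Constructed sample database (not the real Translate app): one history
    table whose 'payload' column holds JSON, and inside that JSON the
    'translation' value is itself a JSON document serialised as a string."""
    conn = sqlite3.connect(":memory:")
    inner = json.dumps({"from": "en", "to": "ja", "text": "good morning", "result": "おはよう"})
    outer = json.dumps({"id": 7, "timestamp": 1533081600, "translation": inner})
    conn.execute("CREATE TABLE history(id INTEGER PRIMARY KEY, payload TEXT, note TEXT)")
    conn.execute("INSERT INTO history VALUES (1, ?, '[not json]')", (outer,))
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, rowid, col, obj in dump_json_columns(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}:", json.dumps(obj, ensure_ascii=False, indent=2))
```

Point it at a copy of the database (never the original) and you get every JSON-bearing cell regardless of table name, which is a quick way to decide whether a tool's parser missed something before writing an app-specific script.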
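On the Notification WAL item above: Brian's script turns the write-ahead log into a database, and the reason that matters forensically is that a WAL keeps page images the main file no longer shows. What follows is my own added example, not Brian's script. It parses the public SQLite WAL layout (32-byte file header, 24-byte frame headers, a salt pair and a running checksum), overlays the committed frames onto a database image the way a reader would, and separately lists every copy of a page the WAL still holds, including an uncommitted frame and a stale frame from an earlier WAL generation that SQLite itself would refuse to read. The two-page database and the four frames are constructed test data at the 512-byte minimum page size, not the real Notification database.

```python
import struct
from dataclasses import dataclass

WAL_HDR_LEN, FRAME_HDR_LEN = 32, 24
MAGIC_LE, MAGIC_BE = 0x377F0682, 0x377F0683  # low bit selects checksum word order


@dataclass
class Frame:
    index: int        # position of the frame in the WAL (0-based)
    pgno: int         # database page this frame holds a copy of
    commit_size: int  # database size in pages if the frame ends a transaction, else 0
    valid: bool       # salt matches the WAL header and the checksum chain is intact
    page: bytes


def wal_checksum(data, s0=0, s1=0, big_endian=True):
    """SQLite's WAL checksum: two running 32-bit sums over pairs of 32-bit words."""
    n = len(data) // 4
    words = struct.unpack((">" if big_endian else "<") + f"{n}I", data[:n * 4])
    for i in range(0, n - 1, 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(wal):
    """Return (page_size, frames). Unlike SQLite, keep walking past the first bad
    frame: stale frames from an earlier WAL generation and torn writes still hold
    page images, and those are exactly what an examiner wants to see."""
    magic, _, page_size, _, salt1, salt2, h0, h1 = struct.unpack(">8I", wal[:WAL_HDR_LEN])
    if magic not in (MAGIC_LE, MAGIC_BE):
        raise ValueError("not a SQLite WAL file")
    be = magic == MAGIC_BE
    chain = wal_checksum(wal[:24], 0, 0, be)   # the header checksum seeds the chain
    chain_ok = chain == (h0, h1)
    frames, pos = [], WAL_HDR_LEN
    while pos + FRAME_HDR_LEN + page_size <= len(wal):
        hdr = wal[pos:pos + FRAME_HDR_LEN]
        pgno, commit, fs1, fs2, c0, c1 = struct.unpack(">6I", hdr)
        page = wal[pos + FRAME_HDR_LEN:pos + FRAME_HDR_LEN + page_size]
        s = wal_checksum(page, *wal_checksum(hdr[:8], *chain, be), be)
        valid = chain_ok and (fs1, fs2) == (salt1, salt2) and s == (c0, c1)
        if valid:
            chain = s
        else:
            chain_ok = False  # SQLite stops reading here; we only flag and continue
        frames.append(Frame(len(frames), pgno, commit, valid, page))
        pos += FRAME_HDR_LEN + page_size
    return page_size, frames


def apply_wal(db, wal):
    """The database image a reader sees: the main file with every committed, valid
    frame overlaid. Frames of a transaction that never committed are ignored."""
    page_size, frames = parse_wal(wal)
    pages = {i + 1: db[i * page_size:(i + 1) * page_size]
             for i in range(len(db) // page_size)}
    pending = {}
    for f in frames:
        if not f.valid:
            break
        pending[f.pgno] = f.page
        if f.commit_size:
            pages.update(pending)
            pending = {}
            pages = {n: p for n, p in pages.items() if n <= f.commit_size}  # truncation
    return b"".join(pages[n] for n in sorted(pages))


def page_history(wal, pgno):
    """Every copy of one page the WAL still holds, oldest first, including versions
    superseded by a later commit and frames SQLite itself would refuse."""
    return [f for f in parse_wal(wal)[1] if f.pgno == pgno]


def build_wal(page_size, salt, frames):
    """Constructed WAL with a correct checksum chain. frames = [(pgno, commit, page, salt)]."""
    hdr = struct.pack(">6I", MAGIC_BE, 3007000, page_size, 0, *salt)
    chain = wal_checksum(hdr)
    out = hdr + struct.pack(">2I", *chain)
    for pgno, commit, page, fsalt in frames:
        page = page.ljust(page_size, b"\0")
        head = struct.pack(">4I", pgno, commit, *fsalt)
        chain = wal_checksum(page, *wal_checksum(head[:8], *chain))
        out += head + struct.pack(">2I", *chain) + page
    return out


def sample():
    """Constructed 2-page database and a WAL holding four copies of page 2 (not the
    real Notification database): two commits, one uncommitted write, one stale frame."""
    salt = (0x11111111, 0x22222222)
    db = b"SQLite format 3\0".ljust(512, b"\0") + b"notif v0".ljust(512, b"\0")
    wal = build_wal(512, salt, [
        (2, 2, b"notif v1", salt),
        (2, 2, b"notif v2", salt),                          # latest committed copy
        (2, 0, b"notif v3 uncommitted", salt),              # transaction never committed
        (2, 2, b"notif old generation", (0x3333, 0x4444)),  # salt from before a WAL reset
    ])
    return db, wal
```

`apply_wal` gives you what a tool opening the database would show (page 2 as "notif v2"); `page_history` is the forensic view, and on a real Notification WAL it is where purged notification rows turn up. Write `apply_wal`'s output to a new file before opening it in an SQLite viewer, and never open the original database with the WAL alongside it, since a checkpoint on open will fold the WAL into the main file and delete it.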
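On the Event ID 1029 item above: the event text itself labels the value as Base64(SHA256(UserName)), so "decoding" it means hashing candidate account names and comparing, not reversing anything. What follows is an added example of mine rather than the ØSecurity write-up's own code; the one assumption it makes, taken from that write-up, is that the username is encoded as UTF-16LE before hashing, and the sample message is constructed with a hash this code computes, not one copied from a real host. Usernames are hashed exactly as typed into the RDP client, so the candidate expansion covers case variants and DOMAIN\user forms.

```python
import base64
import hashlib
import re
from typing import Iterable, Optional


def username_hash(username: str) -> str:
    """Assumption (from the event's own 'Base64(SHA256(UserName))' wording and the
    ØSecurity write-up): SHA-256 over the UTF-16LE username, base64-encoded."""
    digest = hashlib.sha256(username.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def candidates(names: Iterable[str]) -> set:
    """Expand account names into the spellings a user might really have typed into
    mstsc. The hash covers the exact string, so 'jsmith', 'JSMITH' and
    'CORP\\jsmith' all hash differently and each has to be tried."""
    out = set()
    for name in names:
        domain, _, user = name.rpartition("\\")
        for u in {user, user.lower(), user.upper(), user.capitalize()}:
            out.add(u)
            if domain:
                out.update(f"{d}\\{u}" for d in {domain, domain.lower(), domain.upper()})
    return out


HASH_RE = re.compile(r"Base64\(SHA256\(UserName\)\) is = (\S+)")


def extract_hash(message: str) -> Optional[str]:
    """Pull the hash out of an Event ID 1029 message string."""
    m = HASH_RE.search(message)
    return m.group(1) if m else None


def resolve_1029(event_hash: str, names: Iterable[str]) -> Optional[str]:
    """Match the event's hash against every candidate spelling of the names you
    already have from the case (AD export, other logs); None if nothing matches."""
    table = {username_hash(c): c for c in candidates(names)}
    return table.get(event_hash)


def sample_message(username: str) -> str:
    """Constructed 1029 message text (hash computed here, not copied from a host)."""
    return f"Base64(SHA256(UserName)) is = {username_hash(username)}"
```

A miss means the spelling is not in your list, not that the event is unrelated: feed it the full set of account names seen on the host and in the domain, and remember the value is whatever the user typed, including any mixed case the expansion here does not generate.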
THREAT INTELLIGENCE/HUNTING
- Faisal AM Qureshi at 'Deriving Cyber Threat Intelligence and Threat Hunting' hunts for use of the Invoke-TokenManipulation PowerSploit module using Sysmon.
  Hunting for Privilege Escalation Done with Invoke-TokenManipulation
- Adam at Hexacorn posted a couple of times this week
  - He shows how Windows interprets characters in ADS filenames, which may affect some MFT parsers
    Adding some character to Alternate Data Streams
  - Adam also shows that the IOfficeAntiVirus and IAttachmentExecute interfaces can be abused through the Windows registry as a persistence mechanism: a COM object registered for that interface gets loaded when the shell's attachment handling runs.
    Beyond good ol' Run key, Part 83
- Takuya Endo at JPCERT/CC has released a Volatility plugin for detecting the Cobalt Strike Beacon payload in memory
  Volatility Plugin for Detecting Cobalt Strike Beacon
- Keith McCammon shares his thoughts on the recently published SANS annual Endpoint Protection and Response survey.
  SANS Endpoint Survey: Too Many Tools and Alerts
- Andrea Fortuna at 'So Long, and Thanks for All the Fish' posted a couple of times this week
  - He shares a script called malhunt which he uses to automatically scan for malware in memory images.
    Malhunt: automated malware search in memory dumps
  - He also shared the 'Diffy' triage script created by the Netflix Security Intelligence and Response Team (SIRT).
    Diffy: an interesting DFIR tool released from Netflix's SIRT
- Pablo Delgado at Syspanda discusses "how we can create a good base configuration for Sysmon and then leverage a Logstash configuration to further filter known and expected connections and later being able to find the interesting items"
  Threat Hunting: Fine Tuning Sysmon & Logstash to find Malware Callbacks C&C
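On the Sysmon/Logstash item above: the approach Pablo describes (baseline the expected connections, then look hard at what remains) is worth prototyping before committing it to a Logstash pipeline. What follows is an added example of mine, not Pablo's Sysmon or Logstash configuration. It applies an allow-list of (image path, destination network, port) rules to Sysmon Event ID 3 records and summarises the residual connections per process and destination. The events, the paths and the allow-list are constructed for the demo, with destination addresses from the TEST-NET documentation ranges; the rules match on the full image path on purpose, so a binary named like a trusted one but running from a user-writable directory is not filtered out.

```python
import fnmatch
import ipaddress
from collections import Counter

# Constructed Sysmon Event ID 3 (network connection) records, flattened the way a
# winlogbeat/Logstash pipeline would present them. Not real telemetry: the
# destinations are TEST-NET documentation addresses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": r"CORP\jsmith",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "DestinationHostname": "www.example.com"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "DestinationIp": "10.1.2.3", "DestinationPort": "445", "DestinationHostname": "fs01.corp.local"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\jsmith",
     "DestinationIp": "203.0.113.5", "DestinationPort": "8080", "DestinationHostname": "-"},
] + [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jsmith",
     "DestinationIp": "198.51.100.23", "DestinationPort": "443", "DestinationHostname": "-"},
] * 3

# Allow-list of (image path glob, destination network, port); "*" is a wildcard.
# This is the knowledge a Logstash drop filter would carry; tune it per environment.
KNOWN_GOOD = [
    (r"c:\program files\google\chrome\application\chrome.exe", "*", 443),
    (r"c:\program files\google\chrome\application\chrome.exe", "*", 80),
    (r"c:\windows\system32\svchost.exe", "10.0.0.0/8", "*"),
    ("*", "10.0.0.0/8", 445),
]


def is_expected(ev, rules=KNOWN_GOOD):
    """True if any rule matches the connection. Matching the full image path rather
    than the basename means chrome.exe launched from %TEMP% is not filtered out."""
    image = ev["Image"].lower()
    dst = ipaddress.ip_address(ev["DestinationIp"])
    port = int(ev["DestinationPort"])
    for r_image, r_net, r_port in rules:
        if not fnmatch.fnmatchcase(image, r_image):
            continue
        if r_net != "*" and dst not in ipaddress.ip_network(r_net):
            continue
        if r_port != "*" and int(r_port) != port:
            continue
        return True
    return False


def hunt(events, rules=KNOWN_GOOD):
    """Drop expected connections and count what remains by (process, destination, port):
    one process talking repeatedly to one external host is the classic callback shape."""
    residual = [e for e in events if not is_expected(e, rules)]
    by_dest = Counter(
        (e["Image"].rsplit("\\", 1)[-1].lower(), e["DestinationIp"], int(e["DestinationPort"]))
        for e in residual)
    return residual, by_dest


if __name__ == "__main__":
    _, by_dest = hunt(SAMPLE_EVENTS)
    for (image, ip, port), n in by_dest.most_common():
        print(f"{n:3d}  {image:16s} -> {ip}:{port}")
```

Run over a day of Event ID 3 records the residual list is what you actually read; the count per (process, destination, port) is the first sort key, and the next refinement is looking at the timing between those repeated connections, which is where beacon intervals show up.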
UPCOMING WEBINARS/CONFERENCES
- Brian Hill at Oxygen Forensics will be hosting a webinar on dealing with encrypted iOS or Android backups. The webinar will take place Tuesday, August 7, 2018, 3:00 PM – 3:30 PM GMT
  Oxygen Forensics Getting past Encrypted Backups
PRESENTATIONS/PODCASTS
- Cellebrite have uploaded a video on using UFED Cloud Analyzer 6.2 to extract data from a user's Google account using Google Takeout. The data is reviewed in UFED PA, but I'd also make sure to unzip the archive and look at the extracted data manually (it's mainly HTML files); when I was playing with UFED CA in June it extracted all the data, but PA didn't necessarily parse it all. That may have changed.
  Access Google Takeout with UFED Cloud Analyzer 6.2
- OpenText uploaded Harp Thukral and Simon Key's webinar on APFS.
  The Challenges of APFS and How EnCase Can Help
- Hasherezade posted a couple of videos this week
- Karsten Hahn at Malware Analysis For Hedgehogs shows how to deobfuscate a sample obfuscated with DOSfuscation
  Malware Analysis – DOSfuscation Deobfuscation
- Corey Tomlinson interviewed Harlan Carvey about threat hunting on the Nuix Unscripted podcast.
  Getting Started with Threat Hunting
- On this week's Digital Forensic Survival Podcast, Michael discussed the use of grep, sed and awk.
  DFSP # 128 – GREP vs SED vs AWK
- SANS shared last week's Q&A with Phil Hagen. They're all individual videos and I didn't have time to link to them all, sorry!
  SANS EMEA
MALWARE
- Yaroslav Harakhavik and Nikita Fokin at Check Point Research compare the Osiris banking trojan with Kronos.
  Osiris: An Enhanced Banking Trojan
- Jayden Zheng at Countercept shows how to use their Snake tool to perform static analysis of malware binaries.
  Using Snake To Perform Malware Analysis
- Paul Moon at CrowdStrike walks through a number of the tools used by the Carbanak/CARBON SPIDER group.
  Arrests Put New Focus on CARBON SPIDER Adversary Group
- The Cylance Threat Research Team examine the Smoke Loader (Dofoil) malware
  Threat Spotlight: Resurgent Smoke Loader Malware Dissected
- Illusive Networks have posted their analysis of the leaked source code previously attributed to Carbanak, which they identify as actually being Buhtrap/Ratopak/Pegasus. The post focuses on their analysis of "the code that drives the reconnaissance and lateral movement phases of the Buhtrap/Ratopak/Pegasus operation."
  Deconstructing a Modern Bank Heist: the [not] Carbanak source code leak
- Alexandre Mundo at McAfee Labs shares details of a variety of different versions of the GandCrab ransomware
  GandCrab Ransomware Puts the Pinch on Victims
- Didier Stevens at NVISO Labs has written three posts on identifying and analysing certificates that contain malicious PowerShell scripts.
- There were a few posts on the Palo Alto Networks blog this week
  - Kaoru Hayashi and Vicky Ray share details of a recent attack against South Korean and Russian targets using a variant of the Bisonal malware.
    Bisonal Malware Used in Attacks Against Russia and South Korea
  - Yue Chen, Wenjun Hu, Xiao Zhang and Zhi Xu share IOCs for some infected APKs containing malicious PE files.
    Hidden Devil in the Development Life Cycle: Google Play Apps Infected with Windows Executable Files
  - Robert Falcone, David Fuertes, Josh Grunzweig and Kyle Wilhoit examine the infection chain of some activity by the Subaat threat actor.
    The Gorgon Group: Slithering Between Nation State and Cybercrime
- Kirill Shipulin at Positive Technologies examines the network behaviour of Pegasus (the Buhtrap/Ratopak/Pegasus toolkit mentioned above)
  Pegasus: analysis of network behavior
- There were a few posts on the SANS Internet Storm Center Handler Diaries
  - Xavier Mertens shows how to use the Linux 'curl' command to assist in malware analysis
    Exploiting the Power of Curl, (Mon, Jul 30th)
  - Didier Stevens examines a DOSfuscated maldoc.
    Malicious Word documents using DOSfuscation, (Mon, Jul 30th)
  - Brad Duncan examines some malspam that "has been pushing malware using the Agent Tesla keystroke logger"
    DHL-themed malspam reveals embedded malware in animated gif, (Thu, Aug 2nd)
  - Didier Stevens also shows how to use his numbers-to-string Python script to assist in deobfuscating malicious PowerShell scripts.
    Dealing with numeric obfuscation in malicious scripts, (Sat, Aug 4th)
- Sebdraven posted a couple of times this week
  - The first examines an "RTF document exploiting the CVE-2017-11882"
    Malicious document targets Vietnamese officials
  - The second examines an RTF document that drops the Sisfider payload.
    Gobelin Panda against the Bears
- Nick Carr, Kimberly Goody, Steve Miller, and Barry Vengerik at FireEye share details of FIN7 activity, exploring "the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward"
  On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
- Anita Hsieh, Rubio Wu, and Kawabata Kohei at TrendLabs describe the infection chain of "a spam campaign that drops the same FlawedAmmyy RAT"
  Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmyy RAT Distributed by Necurs
- Vitali Kremez examines the Qakbot banking malware
  Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
MISCELLANEOUS
- Yulia Samoteykina at Atola walks through imaging a drive to two targets with post-hashing using the Atola TaskForce
  Imaging a drive to two targets with post-hashing
- Matt at 'Bit of Hex' has written his thoughts on taking notes in an investigation. I've written my thoughts on the topic here, mainly covering writing an investigation report that has more in-depth technical reasoning or your thought process. I don't necessarily time and date every one of my actions in my note-taking, but I definitely find writing things out helps me understand what I'm seeing, and also refer back when I need to years later (it's not unusual for work to be performed and then not go to court for years). I also like taking screenshots to back up statements (ie checked the recycle bin, the file wasn't in there, and screenshot the empty recycle bin); writing the line "I did not observe any activity of x" inevitably gets you the question "ok, well how did you come to that conclusion?" and without notes, that can be difficult.
  Contemporaneous Notes: a forensicator's best friend
- Brett Shavers posted a few times (and moved his hosting, so some of this is from last week)
  - He shares his thoughts on the difference between leaking and sharing information. This came from the recent leak of IACIS listserv e-mails regarding the GrayKey iOS passcode brute-force and extraction tool.
    Leaking information isn't the same as sharing information.
  - He also lists the problems he has with the "low hanging fruit: evidence-based solutions to the digital evidence challenge" report, and describes his solution.
    Low-Hanging Fruit Report
  - Lastly, Brett gives his opinion on taking notes during an investigation. I like his last point about not needing to 'secure' your note taking with hashes or preserving all the metadata for eternity; mainly because at some point the lawyers have to take your word regarding your integrity.
    Brett's opinion on DFIR notes and note-taking
- Craig Wilson at Digital Detective posted an overview of the number systems commonly encountered when working with computers.
  Introduction to Number Systems
- Vladimir Katalov at Elcomsoft comments on some of the changes in the recent iOS 12 beta 5.
  iOS 12 Beta 5: One Step Forward, Two Steps Back
- Phillip Aaron has posted a review of Nick Furneaux's book, "Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence".
  Book Review: Investigating Cryptocurrencies
- Forensic Focus interviewed a couple of people this week
- Magnet Forensics posted a couple of articles this week
  - They interviewed S21 founder and CEO, Dr. Liam Owens
    A Conversation with Dr. Liam Owens, Founder and CEO of Semantics 21
  - Chris Vance shared his testing methodology and the list of devices that, if inserted within the first hour, prevent iOS USB Restricted Mode from engaging.
    iOS 11.4.1 Follow-up: Delaying USB Restricted Mode
- Jasper at Packet Foo walks through the process of splitting and merging packet captures.
  PCAP Split and Merge
- Paraben shared a free eBook that they wrote on validating forensic tools
  How to Validate Your Forensic Tools
- Simson Garfinkel advised that another sample test case, called the "National Gallery DC 2012 Attack", was uploaded to Digital Corpora last week.
  Check out @xchatty's Tweet
SOFTWARE UPDATES
- UFED Cloud Analyzer 7.3 was released with support for additional data sources as well as additional screenshot and video recording functionality
  UFED Cloud Analyzer 7.3 [July 2018]
- Didier Stevens updated a few of his tools this week
- ExifTool 11.08 was released with additional tags and bug fixes
  ExifTool 11.08
- GetData released Forensic Explorer v4.3.5.7626 with some minor updates.
  03 August 2018 – v4.3.5.7626
- Hashcat v4.2.0 was released, adding a number of improvements and bug fixes. Those investigating Macs will be happy to see the inclusion of FileVault 2.
  hashcat v4.2.0
- TZWorks released the Aug 2018 build of their tools, which includes a new tool for parsing the Win10 timeline database, as well as various other updates and improvements (including an update to their NTFS tool to extract additional data sometimes stored in Zone.Identifier streams)
  Aug 2018 build (package)
- Maxim Suhanov released YARP v1.0.20.
  1.0.20
And that’s all for Week 31! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!
I like separate sections for podcasts, presentations, and software. The rest could possibly be lumped into one since there is overlap in the DFIR fields (also less work for you). Looking forward to seeing you in Vegas! Twice in one year – it’s like Christmas!