FORENSIC ANALYSIS
- Brian Gerdon at Arsenal Recon digs into the URLs generated by Gmail to try and trace user actions. Google tends to track a lot of interaction information, and even better, it’s stored in URLs for us. Awesome find that the message ID is actually a timestamp; looks like I’ll have to update GSERPent.
Digging into Gmail URLs
- Brian Carrier has a post on the recent “data source-level changes” to Autopsy 4.8.0.
Data Source-level Focus in Large Cases
- Matteo at Forensics Matters shows how to extract GPS data from the EXIF data within a JPEG image using imago.
Extract GPS data from JPEG using imago
- Cindy Murphy at ‘Gillware Digital Forensics’ shares a case study where the smartphone user dictionary proved critical to providing a date range in a case. Cindy showed that the dictionaries are generally populated sequentially, so by attributing some of the words to items with known timestamps (such as text messages or web searches) you may be able to provide a rough time for words that sit between the known timestamps.
My Favorite Artifacts, Part One: Smartphone User Dictionary Files
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times this week (and I’ve distributed his posts around a little bit)
  - This week’s Sunday Funday relates to limitations with regards to LNK files on Windows systems, which unfortunately no one won
Daily Blog #457: Sunday Funday 8/19/18
  - Dave explains how to get access to the VMware suite of tools for a year very cheaply.
Daily Blog #459: Building a testing lab on a budget
- Alexis Brignoni has posted a couple of times this week
  - He looks at the data that can be recovered from the iOS Nike Run app and releases a script for parsing the associated database
iOS Nike Run app – Geolocation & self join queries
  - He also continues looking at Discord, this time looking at the application on Debian-based Linux systems.
Finding Discord chats in Linux – #DFIR review
- Yogesh Khatri at Swift Forensics has released an open source Spotlight parser to parse the macOS Spotlight database. Yogesh has also added this to his mac_apt parser.
An open source spotlight parser
THREAT INTELLIGENCE/HUNTING
- There were a couple of posts on Active Countermeasures this week
  - John Strand shows how to use Wireshark to “identify the connections with the most packets, how to enable DNS resolution in the captures, and how to create a series of basic filters to remove known “good” traffic from the packet capture”
Wireshark For Network Threat Hunting: Creating Filters
  - Chris Brenton demonstrates how Tshark can be used “to display specific header fields” as well as diving into “how these fields can be extracted and manipulated”
Tshark Examples for Extracting IP Fields
- Zachary Burnham explains how to enable File & Folder Access security audit logging in the Security event log. This type of logging is very noisy, but can make tracking file operations a lot easier.
Auditing File & Folder Access on Windows with Local Security Policy
- Wee-Jing Chung at Countercept takes a look at Sharpshooter, “an open source C# payload creation and delivery tool built by MDSec, and [looks] at how defenders can detect such activity.”
Analyzing Sharpshooter – Part 1
- The Digital Shadows Security Engineering Team map the recent FIN7 indictment to the MITRE ATT&CK framework.
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations
- A whitepaper was released a couple of weeks ago that I just found on Twitter; this isn’t something for DFIR people to be overly concerned about, as it exploits a bug in how RegEdit displays certain characters to hide a persistence mechanism. The authors acknowledge that tools like Autoruns and FTK Registry Viewer accurately display the “hidden” keys.
Exploiting RegEdit: Invisible Persistence & Binary Storage
- Daniel Berman at Logz.io explains how to perform some advanced searches in Kibana.
Getting Started with Kibana Advanced Searches
- SecureWorks share details of some recent activity by the Cobalt Dickens threat group.
Back to School: COBALT DICKENS Targets Universities
- Doug Franklin at IBM’s Security Intelligence blog explains the muddy waters that threat analysts have to wade through when the same thing is called by different names.
What’s In a (Threat Intelligence) Name?
- Kent Walker at Google’s “The Keyword” blog shares some details on some “attempted [Iranian] state-sponsored hacking and influence campaigns”, including FireEye’s full report.
An update on state-sponsored activity
UPCOMING WEBINARS/CONFERENCES
- Rich Frawley at ADF will be hosting a webinar on how ADF can be utilised in fraud investigations. The webinar will take place September 13, 2018 at 10:00 AM EDT.
Webinar: Solve Fraud & Economic Crimes
- The agenda for OSDFCon 2018 has been announced.
- Nathan Little from Gillware Digital Forensics and Jamie McQuaid from Magnet Forensics will be hosting a webinar presenting “a real case to demonstrate how Magnet AXIOM can be used to help identify the source of an intrusion and what sensitive data was taken by the attackers.” The webinars will run September 25th at 1:00PM EDT, and September 26th at 9:00AM EDT.
Fraud, IP Theft, and an Intrusion: A Case Study with Gillware Digital Forensics
- Red Canary and Carbon Black will be hosting three webinars on September 20, October 2, and October 18, all at 1:00 PM EST, on “Threat Hunting with ATT&CK™”.
Check out @Redcanaryco’s Tweet
PRESENTATIONS/PODCASTS
- Brandon Dixon advised that RiskIQ has published a threat hunting workshop on YouTube, which comes in two parts
Check out @9bplus’s Tweet
- The guys at Cyber Forensicator shared Jamie Levy’s presentation from Lockdown 2018 titled “Taking Memory Forensics To The Next Level”
Taking Memory Forensics To The Next Level
- Forensic Focus shared the webinar and transcript by Geoffrey MacGillivray and Cody Bryant at Magnet Forensics titled “Using Technology To Find Information Faster And Build Stronger Cases”.
Webinar: Using Technology To Find Information Faster And Build Stronger Cases
- Dave Cowen posted two Test Kitchens this week, and Brett Shavers (rightly so) appears to be a big fan of them.
  - The first tested a Win7 Enterprise SP1 system for the creation of jumplist entries. Win7 and Win10 act quite differently, and Dave showed that a number of actions, such as creating, accessing, and renaming folders, or creating a file, did not result in new jumplist entries. If you do access a file, then an entry is created for the file and the folder it was stored in. Similarly, a LNK file was created for the folder when a file was accessed.
Daily Blog #460: Test Kitchen 8/22/18
  - The second looked at the creation of ObjectIDs on Win7 and Win10, expanding on Dave’s post during the week on the same topic. If you create a file in Win10 then a LNK is created as well, and as a result the file also has an ObjectID. On Win7, however, a LNK file isn’t created when a file is created, and an ObjectID is also not created. Therefore, you can say that if a file has an ObjectID then that file has probably been opened, even if there is no associated LNK file. Hideaki Ihara also confirmed that ObjectIDs were created on file open on Win10 systems. Dave later expanded on this and suggested that maybe we can triage a system to identify all the files in userland not created by a user on the system directly (i.e. downloaded from the web). This may be useful in conjunction with something like a ZoneID (which doesn’t always get created, or can be removed).
Daily Blog #461: Test Kitchen 8/23/18
- Jamie McQuaid at Magnet Forensics shows how to acquire a phone with an MTK (MediaTek) chipset using AXIOM
Acquiring MediaTek (MTK) Phones with Magnet AXIOM
- Magnet Forensics shared the recent webinar by Jamie McQuaid and Dr. Liam Owens from Semantics21 “showcasing how these tools work together to save time identifying and rescuing child victims and apprehending offenders.”
Recorded Webinar: Saving Valuable Time on Child Exploitation Investigations with Magnet Forensics and Semantics21
- On this week’s Digital Forensic Survival Podcast, Michael talked about Process IDs
DFSP # 131 – PIDS
MALWARE
- Liviu Arsene at Bitdefender Labs shares a whitepaper about the Triout Android spyware.
Triout – Spyware Framework for Android with Extensive Surveillance Capabilities
- Check Point Research have taken a look at the Ryuk ransomware and noticed its similarities with the Hermes ransomware. They also share the infection chain used in the recent campaign.
Ryuk Ransomware: A Targeted Campaign Break-Down
- Jason Meurer at Cofense shares some updates to the recent Necurs botnet campaign.
UPDATE: Necurs Botnet Banks on a Second Bite of the Apple with New Malware Delivery Method
- The guys at Cyber Forensicator shared a tool called Blazescan, which “is a Linux webserver malware scanning and incident response tool”
Search for Malware on Webservers with Blazescan
- Didier Stevens explains how to obtain the malware samples that he has analysed.
Obtaining Malware Samples for Analysis
- Fortinet posted a few times this week (sorry! Ran out of time to go through it all)
- Anuj Soni at Malwology shows how to extract useful information from a PE file using Python.
Python for Malware Analysis – Getting Started
- Marco Ramilli walks through an infection chain that utilises “Obfuscation Techniques, Decryption Techniques, File-less abilities, Multi Language Stages and Evasions* Techniques in order to deliver this AdWind/JRat version”
Interesting hidden threat since years ?
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens shared a video on using oledump to examine .msg files.
Video: Peeking into msg files – revisited, (Sun, Aug 19th)
  - Xavier Mertens shares a sample that utilised AutoIT “to bypass many controls because the file is safe and signed.”
Malicious DLL Loaded Through AutoIT, (Tue, Aug 21st)
  - Xavier also takes a look at some malware distributed in malicious Microsoft Publisher documents
Microsoft Publisher Files Delivering Malware, (Fri, Aug 24th)
  - Didier Stevens then shows how to perform static analysis on it.
Microsoft Publisher malware: static analysis, (Sat, Aug 25th)
- Edmund Brumaghin and Holger Unterbrink at Cisco’s Talos blog share details of a recent campaign using the Remcos RAT
Picking Apart Remcos Botnet-In-A-Box
- There were a couple of posts on the Trustwave SpiderLabs blog this week
  - Phil Hay shares some IOCs from the malspam containing malicious Microsoft Publisher documents.
Bank Malspam Revisited
  - Diana Lopera examines a maldoc distributing the Hermes ransomware.
Password Protected Word Document Delivers HERMES Ransomware
- StillzTech has a post decoding an obfuscated payload used by a pentester in red team exercises.
Decoding the Pentester: Rev1
- There were a couple of posts on the TrendLabs blog this week
  - Junestherry Salvador shares the infection chain of the “Cutwail botnet [which is] distributing spam mails abusing IQY files.”
IQY and PowerShell Abused by Spam Campaign to Infect Users in Japan with BEBLOH and URSNIF
  - Jaromir Horejsi, Joseph C. Chen, Kawabata Kohei, and Kenney Lu share details of the recent ‘Operation Red Signature’ “supply chain attack targeting organizations in South Korea”.
Supply Chain Attack Operation Red Signature Targets South Korean Organizations
- Vitali Kremez posted a couple of times this week
  - He reverses the Panda Banker malware, and details “the modules associated with the popular malware”
Let’s Learn: Dissecting Panda Banker & Their Modules: Webinject, Grabber & Keylogger DLL Modules
  - He also reverse engineers and analyses “one of the latest Gozi “ISFB” ( also called “Ursnif'” amongst various researchers) banking malware variants focusing on the one of the latest “client.dll” 32-bit (x86) one.”
Let’s Learn: In-Depth Reversing of Recent Gozi ISFB Banking Malware Version 2.16 & “client.dll”
- Tomáš Foltýn at ‘We Live Security’ shares details of a backdoor used by the Turla APT.
Turla: In and out of its unique Outlook backdoor
MISCELLANEOUS
- Julie Urban at BlackBag Technologies shared some tips on dealing with the T2 chips found in Mac Pro and MacBook Pro devices.
Examining Mac Data From Hardware With The Apple T2 Chip
- Jason Dickson at CCL Group describes the need for clarity in forensic reports.
Write to be Understood
- DME Forensics have posted an article describing how to use the Report Viewer in DVR Examiner.
Feature Focus: Clip List Report Viewer
- Scar at Forensic Focus shares her roundup of news articles from the last month
Digital Forensics News August 2018
- Magnet Forensics interviewed one of their trainers, Doug Estes, about his background and experience teaching.
Meet Magnet Forensics’ Training Team: Doug Estes
- Jasper at ‘Packet Foo’ describes the various columns in Wireshark that he has set up.
Wireshark Column Setup Deepdive
- Megan Roddie at Recon InfoSec walks through the process of resolving IPs to geolocations in Graylog.
Geolocation via Pipelines in Graylog
- SalvationData share a case study on extracting data “from encrypted WhatsApp database files with the help of SPF Pro.”
[Case Study] Mobile Forensics: How to Extract Data from Encrypted WhatsApp Database
- The County of San Mateo District Attorney’s Office had a need to present some text messages as they would appear on the phone, and shared an Excel template and CSS stylesheet to help others with the same need.
Tutorial: Make SMS Messages Display as a Webpage
SOFTWARE UPDATES
- Plaso 20180818 was released, adding a Win10 timeline parser and plugins for Google Hangouts and Kodi, updating Chrome support, and adding “support for lz4 compressed systemd journal events.”
Plaso 20180818 released
- Amped DVRConv 11571 was released with a few new features and bug fixes.
DVRConv Update 11571: Multiplexed streams, timestamp extraction and more formats now supported
- Cellebrite updated their UFED software to v7.9, whose major feature update is a new method of visual reporting which allows examiners to “visually document and share your digital investigative process”
UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader v 7.9 [August 2018]
- Didier Stevens updated his numbers-to-string.py script to version 0.0.5
Update: numbers-to-string.py Version 0.0.5
- iNPUT-ACE Version 2.2.1 was released, including updates to “File List, Report Templates, Project Loading/Saving, and More.”
iNPUT-ACE Version 2.2.1: File List, Report Templates, Project Loading/Saving, and More.
- MOBILedit released Forensic Express v5.6, as well as updates to a variety of iOS and Android apps
Forensic Express 5.6 Released!
- USB Forensic Tracker v1.1.3 was released with a few bug fixes and updates.
Check out @orionforensics’s Tweet
- USB Detective v1.2.0 was released with a number of improvements, the main one being replaying Registry transaction logs.
Version 1.2.0 (08/21/2018)
- Michael Cohen at “Velociraptor Incident Response” announced the release of Velociraptor (0.2.2), which introduces Velociraptor artifacts, and explains how to utilise this new feature.
Velociraptor Artifacts
- X-Ways Forensics v19.7 was officially released, with some additional bug fixes and improvements since the previous beta.
X-Ways Forensics 19.7 Released
And that’s all for Week 34! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!