FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog posted a couple of tests of the $LogFile this week
  - He tested using “$LogFile to check overwriting of the cluster.”
  NTFS $LogFile and DataRun
  - He also had a look at the $LogFile when an ObjectID is set.
  NTFS $LogFile and ObjectID
- Oleg Afonin at Elcomsoft has posted an article describing Apple Pay, where the data is stored, and how to extract and view it.
Analysing Apple Pay Transactions
- Alexis Brignoni at Initialization Vectors looked at the Android Nike Run app.
Android Nike Run app – Geolocation, SQLite views & self joins
- Shourjo Chakraborty at Lucideus has written an article on Windows Event Logs.
Introduction to Event Log Analysis Part 1 – Windows Forensics Manual 2018
- Patrick Siewert at Pro Digital Forensics walks through recovering a PowerPoint presentation using X-Ways.
I Lost My Data!
- Heather Mahalik at ‘Smarter Forensics’ tests various methods for determining when an iOS device was last backed up. Some tools will update the timestamp, and some won’t. The last paragraph provides a short workflow to follow.
Determining when an iOS backup was created
- Over on my ThinkDFIR page, I took a look at copying and dragging files from an OS X 10.10.5 host to a disk image to see what happened with the filesystem timestamps. Interestingly, the “Date Added” timestamp was updated, but not always displayed on that OS. When I moved the image to a later version of macOS (10.13) I was able to verify the “Date Added” timestamps were updated when the files were created on the image.
Copying v Dragging a file to an OS X Disk Image
THREAT INTELLIGENCE/HUNTING
- John at Active Countermeasures shows how to detect DNS backdoors using RITA and Bro.
DNS Backdoors?
- Matthew Meltzer, Sean Koessel, and Steven Adair at Volexity share details of a recent attack using CVE-2018-11776 to distribute a cryptominer.
Active Exploitation of New Apache Struts Vulnerability CVE-2018-11776 Deploys Cryptocurrency Miner
- Marina Liang and Emily Miner at Carbon Black walk through “an attack leveraging cmd.exe and PowerShell”.
Threat Analysis: Recent Attack Technique Leveraging cmd.exe and PowerShell Demonstrates How Attackers Are Using Trusted Microsoft Applications for Malicious Behavior
- Check Point Research share an interactive “visualization of the C&C domains from all the generations of” an attack by the APT-C-23 threat group.
Interactive Mapping of APT-C-23
- Luke Jennings at Countercept “looked at how JIT and Interop tracing can be used to gain a much deeper insight into the behaviour of a process invoking the .NET CLR by gaining method-level visibility, rather than simply assembly loading information”.
Detecting Malicious Use of .NET – Part 2
- Monty St John at CyberDefenses shares “a few rules to keep in mind as your (sic) building your threat hunting and monitoring plan and thinking of the security measures you want to implement.”
7 Rules of Cybersecurity Threat Hunting
- Adam at Hexacorn posted a couple of persistence mechanisms this week that work by modifying inbuilt Windows processes and features
  - Such as werfault
  Beyond good ol’ Run key, Part 85
  - and the Disk Cleanup program
  Beyond good ol’ Run key, Part 86
- Infosec Samurai at Measured Response describes the prerequisites for a successful hunt.
A Foundational Understanding of Threat Hunting
- David Liebenberg at Cisco’s Talos group examines “several of [the threat actor] Rocke’s campaigns, malware, and infrastructure while uncovering more information about the actor”.
Rocke: The Champion of Monero Miners
- StillzTech examines a webshell and shares some detection mechanisms.
Analyzing and detecting web shells
- Daniel Lunghi and Ecular Xu at TrendLabs examine some activity by the Urpage threat actor.
The Urpage Connection to Bahamut, Confucius and Patchwork
UPCOMING WEBINARS/CONFERENCES
- Scott Lorenz and Shahar Tal at Cellebrite will be running part 2 of their webinar on the EDL extraction mechanism. The webinar will take place on September 12 at 10am New York time.
Safely extract digital evidence with Advanced EDL methods
PRESENTATIONS/PODCASTS
- Kevin DeLong at Avairy Solutions noticed that there was a huge drop in followers for some of the DFIR company Twitter accounts around the time that Twitter got rid of a number of fake accounts.
Is Digital Forensics Being Targeted By Fake Twitter Accounts?
- Maddie Stone’s presentation from Black Hat 2018 titled “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library” was shared on YouTube.
Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
- BDIR Episode 6 was released, with Jim Schwar as the guest.
BDIR Episode 006
- Griffeye shared a video showing the face detection feature in Analyze DI.
Analyze DI Face Detection and Recognition
- Dave Cowen recorded a couple of Test Kitchens testing Object IDs, and it seems that these can be used to show files that have been accessed or downloaded on Win7. The same may not be said of Win10 due to the differences in the shell item subsystem.
- National Cyber Summit shared a presentation by Joe Gray titled “Dear Blue Team: Forensic Advice to Non-Forensic Professionals to Supercharge Organization DFIR”.
Dear Blue Team: Forensic Advice to Non-Forensic Professionals to Supercharge Organization DFIR
- On this week’s Digital Forensic Survival Podcast, Michael provided an overview of ‘root cause identification methodologies’.
DFSP # 132 – Root Cause
- Jessica Hyde was on the RallySec Twitch show where she spoke about her background, devices she’s pulled apart, DFIR resources, and more.
Forensics with Jessica Hyde | RallySec Live! EP93
- SalvationData uploaded a video showing how to use SPF Pro to downgrade an app to extract data.
SPF Pro – SOP – Extract App data without Root: Downgrade Extraction
- I recorded my ‘This Month in 4n6’ podcast for August.
This Month In 4n6 – August – 2018
MALWARE
- The ASERT team at Arbor Networks share details of an ongoing campaign by the Cobalt Group.
Double the Infection, Double the Fun
- Israel Gubi at Check Point Research examines “a rootkit named CEIDPageLock being distributed by the RIG Exploit kit.”
CeidPageLock: A Chinese RootKit
- Darrel Rendell at Cofense has written a three-part series examining the Geodo malware and its distribution.
- The Cylance Threat Research Team examine an updated version of the Emotet malware.
Cylance vs. Updated Emotet
- Felix Weyne released “Imaginary C2 [which] is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.”
Check out @felixw3000’s Tweet
- Joie Salvio at Fortinet shares a chronology of the GandCrab v4 malware.
A Chronology of GandCrab v4.x
- James Kainth shares his notes from chapter 2 of Practical Malware Analysis.
Practical Malware Analysis: Chapter 2
- Leonid Grustniy at Kaspersky shares details of a recent Lazarus group attack deploying Fallchill.
A cryptocurrency exchange hack with a North Korean accent
- The Lastline Labs team examine a recent surge in different samples of the Agent Tesla malware, and share YARA rules for detecting them.
Tales From the Field: The Surge of Agent Tesla
- Vishal Thakur examines PeaRAT, a trojan “that poses as a version of the popular open-source archive utility PeaZip”.
New Malware PeaRAT posing as popular Windows tools
- There were a couple of posts on the Malwarebytes Labs blog this week
  - Vasilios Hioureas describes the history of fileless malware, as well as the issues SOC teams may face with detection and mitigation.
  Fileless malware: getting the lowdown on this insidious threat
  - Hasherezade examines two of the payloads dropped by the ‘Hidden Bee’ malware, which were written in an executable format created by the malware authors.
  Reversing malware in a custom format: Hidden Bee elements
- Didier Stevens at Nviso Labs shows how to compare “an unknown [malware] sample with a known sample, to determine if the unknown sample is malicious or not”.
Differential Malware Analysis: An Example
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries this week
  - Didier Stevens examines a malicious script that contained “another script, encoded with numbers using a simple substitution cipher”.
  Identifying numeric obfuscation, (Sun, Aug 26th)
  - Didier also shows how an H-worm variant “creates a registry entry with the method and date of infection, and communicates this to the C2 server.”
  “When was this machine infected?”, (Sun, Aug 26th)
  - Jim Clausing shows how to disassemble shellcode stored as a binary file using Radare2 in one line.
  Quickie: Using radare2 to disassemble shellcode, (Fri, Aug 31st)
  - Xavier Mertens examines a “shell script which drops a Monero crypto miner unknown on VT”.
  Crypto Mining Is More Popular Than Ever!, (Thu, Aug 30th)
- Sebdraven examines the Felixroot backdoor.
When a malware is more complex than the paper.
- There were a couple of posts on Securelist this week
  - Tatyana Shishkova examines the latest version of the Asacub Android malware.
  The rise of mobile banker Asacub
  - Alexey Firsh analyses the BusyGasper malware.
  BusyGasper – the unfriendly spy
MISCELLANEOUS
- Bret Peters at ADF explains “search profiles” within the ADF tool, including the pre-built ones and creating custom profiles.
Digital Forensic Search Profiles
- Craig Ball at ‘Ball in your Court’ describes the process of drafting digital forensic examination protocols and provides some guidance as to why elements have been included.
Drafting Digital Forensic Examination Protocols
- Brett Shavers posted a few times this week
  - He shared his experience starting a digital forensic lab in his department and showed that sometimes you have to go above and beyond and spend your own personal time/money to get the job you want.
  How to Start a Digital Forensic Lab in Your Police Department
  - He announced that the current X-Ways course will stop taking registrations at the end of this month and be replaced by the new “101+ tips and tricks with X-Ways Forensics”.
  101+ Tips & Tricks with X-Ways Forensics
  - Brett also posted on DFIR.Training about the differences between DF and IR and how the two are sometimes conflated but are separate disciplines with similar tools/training/processes.
  The “DF” and “IR” in DFIR does not mean it is the same job
- The guys at Cyber Forensicator shared a link to Anbox, which “is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.”
Anbox: Boot a Full Android System on a Regular GNU/Linux System
- Ken Pryor has returned to blogging! He also did a bit of validation testing of the Object ID research from Dave’s Forensic Lunch, as well as giving his experience with building a lab in response to Brett’s post.
Life Update, a little Object ID research and More
- DME Forensics share four ways that examiners may be able to recover DVR evidence: DVR Examiner, using the system itself, recording the footage with a camera, and lastly getting in touch with their technical services team for further assistance.
Top 4 Ways to Recover DVR Video Evidence
- Scar at Forensic Focus provided an overview of ICDF2C 2018.
ICDF2C 2018 – New Orleans September 10-12
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday challenge requests a Python script for identifying all files with ObjectIDs on a live Win10 system. I wrote half of it (the bit that enumerated all the files/folders recursively for a given path) but ran out of time to pull object IDs.
  Daily Blog #464: Sunday Funday 8/26/18
  - Dave also advised that he will be heading over to England to teach FOR500 with Lee Whitfield at the end of the month.
  Daily Blog #465: Coming to London
- Magnet Forensics posted a couple of times this week
  - They shared the first of their Industry Insights Briefs.
  New Industry Insights Brief: Successful Insider Threat Investigations
  - Jessica Hyde has written a post on ways to stay current in DFIR and I even got a shout out. Thanks Jess 🙂
  10 Ways to Stay Current in DFIR
- Mark McKinnon lists a variety of Autopsy modules that he has released, and also has a post explaining the Hash Images plugin.
New Modules Have Been Released……
- John Patzakis at X1 shares a case where presenting evidence stored on the “dark web” was essential.
Dark Web Evidence Critical to all Cyber Investigations and Many eDiscovery matters
- Luis Martinez at Persistent 4n6 shared some thoughts post-FOR585, including the tools that he has added to the provided VM and why, verifying tools and results, workflows, as well as some additional resources he’s found useful.
On the heels of FOR585
- Terrence D. Williams has a guest post on ‘Smarter Forensics’ sharing his process for picking a new skill and putting in the “grunt work” to learn it by setting aside 4 hours a day. I think some formatting was lost in translation though because the numbering system made me twitch a bit.
Forensic Grunt Work
- Tyler Hudak at TrustedSec throws out the idea of performing ‘rounds’, similar to the medical industry, in the IR/SOC space. Sharing what we’ve found, and what we’re stuck on, has a net positive effect for all involved. Sometimes you’ll share something that someone else has experience dealing with, or sometimes you’ll share something that helps someone with their problem. By dealing with our problems as individuals we’ll either reinvent the wheel or not invent the wheel at all.
Making the InfoSec Rounds
SOFTWARE UPDATES
- Blacklight 2018 R3 was released, and Ashley Hernandez has a couple of posts about the new features, including APFS Snapshots and ingesting Graykey images (their previous solution involved a tool called gray2black).
- DEFT Zero (2018.2) has been released.
DEFT Zero (2018.2) ready for download
- InQuest released iocextract v1.7.2.
iocextract v1.7.2
- MobilEdit Forensic Express 5.6.1 was released, fixing some bugs.
Forensic Express 5.6.1 Released
- MSAB released XRY 7.8.1, “enabling access to more “locked” Qualcomm devices with our enhanced EDL dumper, and with improved support for the latest iOS 12 Beta. Plus support for 124 new device profiles and 123 new app versions.”
New XRY 7.8.1 is now available
- NetworkMiner 2.3.2 was released, primarily fixing bugs.
NetworkMiner 2.3.2 Released!
- SalvationData released SPF Pro V6.79.30 with a number of improvements.
[Software Update] Mobile Forensics: SPF Pro V6.79.30 New Version Release for the best preserving and analyzing your evidence!
And that’s all for Week 35! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!