FORENSIC ANALYSIS
- @0x00A at DFIR X has started a blog, and shows how to convert a vmem image to raw for examination with Volatility
How to prepare a VMWare memory image for Volatility analysis
- Oleg Afonin at Elcomsoft explains “how to access information stored in Apple iCloud with and without using forensic tools”
Cloud Forensics: Why, What and How to Extract Evidence
- Cindy Murphy at Gillware looks at the MobileSMS.plist on iOS to determine whether a user had changed the SMS retention settings. It looks like you should be able to determine how many times a user has messed with that setting, and even the existence of the value means that they have.
My Favorite Artifacts, Part Two: MobileSMS.plist and the Joy of Testing
- Shourjo Chakraborty at Lucideus shows a variety of useful Windows Event logs.
Event Log Analysis Part 2 – Windows Forensics Manual 2018
- Maxim Suhanov takes a look at the compression used by Win10 in memory/pagefile.
Memory compression and forensics
- SalvationData have a post on how to unlock a locked Huawei bootloader without wiping user data.
[Case Study] Mobile Forensics: A Practical Solution to Unlock Huawei Bootloader
- SANS has released a new version of the Windows Forensic Analysis poster.
SANS Windows Forensic Analysis Poster
THREAT INTELLIGENCE/HUNTING
- James Habben at 4n6IR shares a Python script that scans the info.plist files in Mac apps to “identify all URL handlers attempting to be registered by applications”.
Parsing CFBundleURLSchemes from MacOS Apps
- Chris Brenton at Active Countermeasures provides an overview of threat hunting (and a warning of inevitable scope creep)
Tightly Defining Cyber Threat Hunting
- Check Point Research share details of a campaign by ‘Domestic Kitten’ running under the radar since 2016 involving malicious mobile apps
Domestic Kitten: An Iranian Surveillance Operation
- Adam at Hexacorn posted a couple of program execution methods this week
  - The first relating to Delegated NTDLL.
  Beyond good ol’ Run key, Part 87
  - And the second, to Windows Error Reporting
  Beyond good ol’ Run key, Part 88
- Oddvar Moe describes a persistence mechanism through “Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.”
Persistence using Universal Windows Platform apps (APPX)
- Jake Williams at Rendition Infosec shared his Threat Hunting Summit presentation and released the associated Supply Chain Risk Framework.
- Craig Bowser at Shadow Trackers takes a look at Bro logs on his home lab using Splunk and ELK.
Measuring and Monitoring
- There were a couple of posts on the Velociraptor Incident Response blog
  - The first describes the updated “client communications protocol [used] to deliver a fast and efficient, yet extremely responsive client communication.”
  Velociraptor’s client communication
  - The second is a demo of the latest Velociraptor
  Velociraptor walk through and demo
UPCOMING WEBINARS/CONFERENCES
- Bret Peters at ADF advised that the Crimes Against Children Conference “is scheduled for August 12-15, 2019 at the Sheraton Dallas Hotel.”
Crimes Against Children 2019 Conference Announced
- Belkasoft will be hosting a webinar with Costas Katsavounidis on the Win10 Timeline feature.
Webinar on Timeline Forensics
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from GrrCon 2018.
- Forensic Focus shared the recording and transcript of the recent webinar on APFS Snapshots by Ashley Hernandez and Dr. Joe Sylve at Blackbag Technologies
Webinar: The Importance Of APFS Snapshots In Investigations
- On this week’s Digital Forensic Survival Podcast, Michael talked about the importance of logging, and the Ultimate Windows Security website.
DFSP # 133 – Know Thy Logs
- Paul Sanderson shares a “short video [that] shows how to use the speech bubbles report functionality for the Forensic Browser for SQLite. This new report option will be available in version 3.3.0 which will be released shortly.”
Speech bubbles
- SANS shared the presentation slides from the recent Threat Hunting & Incident Response Summit & Training 2018
Summit Archives
- SANS shared Matt Seyer’s fantastic presentation from the DFIR Summit in June on artefact correlation using ArangoDB.
Automating Analysis with Multi-Model Avocados – SANS DFIR Summit 2018
MALWARE
- Charles Humphrey at AlienVault describes a number of tools that examiners can use to perform malware behavioural analysis and the benefits in doing so.
Malware Analysis for Threat Hunting
- Bhavna Soman at the Microsoft Secure blog describes a targeted campaign distributing the Ursnif malware
Small businesses targeted by highly localized Ursnif campaign
- Patrick Wardle at Objective-See examines a malicious Mac app called ‘Adware Doctor’ which has since been removed from the Mac App Store.
A Deceitful ‘Doctor’ in the Mac App Store
- Thomas Reed further expanded on this by sharing details of other Mac apps from the App Store that similarly exfiltrate user data.
Mac App Store apps are stealing user data
- There were a couple of posts on the Palo Alto Networks blog this week
  - Robert Falcone, Bryan Lee and Riley Porter describe some recent activity by the OilRig group, utilising a variant of the OopsIE trojan.
  OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
  - Dominik Reichel and Esmid Idrizovic describe the Chainshot malware which exploits an Adobe Flash 0-day
  Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Manuel Humberto Santander Pelaez shows how to examine network traffic for patterns using Silk
  Another quickie: Discovering patterns in network traffic with silk, (Sun, Sep 2nd)
  - Didier Stevens demonstrates how to use scdbg to analyse shellcode
  Another quickie: Using scdbg to analyze shellcode, (Mon, Sep 3rd)
  - Xavier Mertens examines a malicious PowerShell script
  Malicious PowerShell Compiling C# Code on the Fly, (Wed, Sep 5th)
  - Xavier also examines a malicious HTA file that launches a browser in headless mode to mine cryptocurrency.
  Crypto Mining in a Windows Headless Browser, (Fri, Sep 7th)
- Warren Mercer and Paul Rascagneres at Cisco’s Talos blog provide additional details about the “malicious mobile device management (MDM) platform that was loading fake applications onto smartphones.”
Malicious MDM: Let’s Hide This App
- Limor Kessem and Maor Wiesen at Security Intelligence examine the CamuBot malware targeting major Brazilian banks.
CamuBot: New Financial Malware Targets Brazilian Banking Customers
- Vishal Kamble and Vaibhav Deshmukh at Symantec describe an attack that uses WMIC to download a malicious XLS file.
Attacks emerge that abuse WMIC to download malicious files
- Manish Sardiwal, Muhammad Umair, and Zain Gardezi at FireEye examine an attack chain by the Fallout EK distributing the Gandcrab malware.
Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware
- Vitali Kremez analyses “one of the latest “IcedID” banking malware (also known to some researchers as “BokBot”) focusing on its core functionality.”
Let’s Learn: Deeper Dive into “IcedID”/”BokBot” Banking Malware: Part 1
- Matthieu Faou at WeLiveSecurity examines some activity by the PowerPool group, which utilised a recently released Win7-10 0-day by recompiling a modified version of the published source code.
PowerPool malware exploits ALPC LPE zero-day vulnerability
MISCELLANEOUS
- There were reports during the week that Apple will be creating a team dedicated to training LE DF examiners, as well as an online portal. I had a quick look but couldn’t really find much about the training side, so I’m slightly sceptical. I can’t imagine they’ll be teaching much on the analysis side; my guess would be basic preservation, requesting data from iCloud, and interpretation of the data available.
Apple is building an online portal for police to make data requests
- Craig Ball at ‘Ball in your Court’ provides some information for examiners that deal with protective orders from lawyers.
Easing the Pain of Protective Orders
- Ashley Hernandez at Blackbag Technologies describes the improvements to reporting in Blacklight.
Reporting Just Got A Whole Lot Easier
- Justin Boncaldo reminds readers that various apps, services, and devices may be tracking a user’s location, which can be useful during an investigation.
DFS #4: What devices are tracking me?
- Brett Shavers at DFIR.Training comments on considerations when creating a top tool listing. Brett also advised that he will be putting together some tool reviews and has asked for commentary and opinions.
A Commentary on “Top 10 Digital Forensics Tools” Lists
- I pushed a v0.00000001 of the script Dave asked for a couple weeks back as a Sunday Funday challenge. I should update it to make it a bit cleaner, but I’ve been busy. Alternatively, a PowerShell version may have better utilisation.
ListObjectIDs
- Griffeye describe how they trained their AI technology using datasets from Taskforce Argos at Australia’s Queensland Police (#AussiesRepresent).
The new Griffeye AI technology – trained at Taskforce Argos
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ wrote a few posts this week
  - He points us to Preston Miller and Chapin Bryce’s Python for DFIR books (I should add award-winning too).
  Daily Blog #469: Book Highlight Learning Python for Forensics
  - He reminds us that even though we’re looking at digital devices, we often have no interaction with their owners or their story, so be mindful of the impact.
  Daily Blog #470: Unforseen impact of our work
  - Lastly, Dave advises of a missing DLL in the Python.org Python install when dealing with DFVFS that is not an issue if using the ActiveState version of Python.
  Daily Blog #471: Gearing up for more dfvfs programming
- Sarah Edwards at Mac4n6 has a post sharing some of the resources that she wanted to give a little bit back to; this blog was included, which was really nice of her, especially considering a couple of others jumped on after she posted. All support is greatly appreciated, but dollarydoos have a bit more value than exposurebucks 🙂
Making it Rain on this Labor Day – Giving Back to the DFIR and Security Communities
- Magnet Forensics posted a couple of interviews this week
- Jasper at Packet Foo responds to the recent claim that Wireshark has a large attack surface and therefore is vulnerable to a skilled attacker. He also walks through a few countermeasures and reassures us that in his career he has “never encountered a file that contained anything designed to attack Wireshark.”
Attacking Wireshark
SOFTWARE UPDATES
- Atola have released v2018.8 of the TaskForce software with a number of new features and updates.
Release of Atola TaskForce 2018.8 is here!
- Eric Zimmerman has released VSCMount, which allows examiners to easily mount the volume shadow copies within a mounted image on their host system.
Introducing VSCMount
- Alan Orlikoski updated CDQR to v4.1.8.
CDQR 4.1.8
- CRU updated their Writeblocking Validation Utility to v2.0.1.0.
Download WriteBlocking Validation Utility
- DVR Examiner updated their Filesystem Database to v3.0.3125
DVR Examiner Filesystem Database Version 3.0.3125 released
- A new version of MISP (2.4.95) has been released with the first stage of a complete rework and refactoring of the API exports, allowing for more flexibility, improved search capabilities, performance and extendability.
MISP 2.4.95 released (aka API search improvement)
- MobilEdit live update vEXF-2018-08-31-01 was released with support for a number of iOS and Android apps added.
Live Update version EXF-2018-08-31-01
- Radare2 2.9.0 codename pre-r2con2018 was released
pre-r2con2018
- X-Ways Forensics 19.7 SR-2 was released with a number of bug fixes and improvements.
X-Ways Forensics 19.7 SR-2
And that’s all for Week 36! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to everyone for their support!