FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and that this is recorded in the security event log.
Esentutl and File copy
- James Habben at 4n6IR shows how to locate ObjectIDs in EnCase.
NTFS Object IDs in EnCase
- There were a couple of posts on Cyber Forensicator this week
  - They shared Nicolas Collery and Vitaly Kamluk’s presentation from HITBGSEC 2018 titled “Brain Surgery: Breaking Full Disk Encryption”
  Breaking Full Disk Encryption
  - They shared a paper by Nathan Lewis, Andrew Case, Aisha Ali-Gombe, and Golden G. Richard III from DFRWS 2018 titled “Memory forensics and the Windows Subsystem for Linux”
  Memory forensics and the Windows Subsystem for Linux
- Dan English has started a blog, and has posted about the Windows Recycle Bin.
An intro to the Windows Recycle Bin
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - Dave shares a new Sunday Funday challenge, documenting actions that create/remove/alter object IDs on Win7.
  Daily Blog #480: Sunday Funday 9/16/18
  - He shows that Windows event logs record interactions with VHDs.
  Daily Blog #481: Event Logs for VHDs
  - He shared his next teaching events for the FOR500 Windows Forensic Analysis course; I haven’t yet taken the course with Dave but it would definitely be great should the opportunity arise.
  Daily Blog #482: Teaching in Dubai!
  - He shows an interesting situation where Typed Paths can display technically incorrect information – when two Explorer windows are opened and paths are typed into both, the last window closed writes the typed paths to the registry.
  Daily Blog #483: Typed Paths Amnesia
  - To demonstrate this, Dave ran a test kitchen and showed that the key is completely rewritten when the Explorer window is closed.
  Daily Blog #484: Forensic Lunch Test Kitchen 9/20/18
  - Progressing from this, Dave set up Sysmon to monitor the registry and showed that the keys weren’t actually being deleted; further examination of the transaction logs may be required.
  Daily Blog #485: Forensic Lunch Test Kitchen 9/21/18
- Volume 26 of the Journal of Digital Investigation has been released.
- Howard Oakley at The Eclectic Light Company identified that Apple has updated their APFS spec document. It doesn’t cover FileVault encryption, but at least they’ve gotten around to it. Dr Joe was happy that they got a big chunk of it right without the docs, and hinted that we may get it pushed back into TSK soon.
Apple finally releases APFS reference documentation
- The students at Champlain College gave an overview of their experiences at the 2018 Enfuse conference (side note: if this is anything to go off, that might be the last Enfuse).
- Ted Smith shows how to rebuild spanned Linux LVM volumes using X-Ways.
Video 59 – How to rebuild forensic images of a spanned Linux LVM volume
THREAT INTELLIGENCE/HUNTING
- Aliz Hammond at Countercept describes various methods for detecting the “Gargoyle” code-scanner evasion. One of the methods, using Volatility, relies on their updated plugin, so keep that in mind.
Hunting for Gargoyle Memory Scanning Evasion
- Richard Gold at Digital Shadows maps the 2017 FSB indictment to Mitre’s ATT&CK framework.
The 2017 FSB indictment and Mitre ATT&CK™
- Google advised that they are making their G Suite Investigation tool generally available. This tool “will help G Suite admins and security analysts identify, triage, and remediate security threats within their organization.”
Investigation tool in G Suite security center now generally available
- Wataru Takahashi at JPCERT shares details of their new tool, SysmonSearch, to assist in visualising Sysmon logs.
Visualise Sysmon Logs and Detect Suspicious Device Behaviour -SysmonSearch-
- “NIST has released Draft NIST Internal Report (NISTIR) 8221, A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks, which analyzes recent vulnerabilities associated with two open-source hypervisors—Xen and KVM—as reported by the NIST National Vulnerability Database.”
A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks
- Ben Downing at Red Canary shares “detection strategies for a lesser-used but well-documented technique: the MSXSL application whitelisting bypass.”
Detecting MSXSL Abuse in the Wild
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Rob VandenBrink shows how to detect “malicious UNC links in office documents” in PowerShell.
  Dissecting Malicious MS Office Docs, (Mon, Sep 17th)
  - Xavier Mertens briefly demonstrates using OSSEC to perform threat hunting.
  Hunting for Suspicious Processes with OSSEC, (Thu, Sep 20th)
- Henrik Johansen describes the system that he has set up, combining Humio and Nomad, to assist in reacting to events.
Adaptive tracking of Security related events
UPCOMING WEBINARS/CONFERENCES
- Nathan Little at Gillware and Jamie McQuaid at Magnet Forensics will be hosting a couple of webinars on intrusions, fraud, and IP theft. The webinars will take place September 25th @ 1:00PM EDT and September 26th @ 9:00AM EDT.
Webinar: Fraud, IP Theft, And An Intrusion – A Case Study
PRESENTATIONS/PODCASTS
- There was a Brakeing Down Incident Response episode released this week, in which Michael and Brian hosted Katie Nickels from MITRE.
BDIR-007
- Douglas Brush interviewed Jake Williams on Cyber Security Interviews regarding “his passion for cyber security, changes in the industry, threat hunting vs. incident response, development of soft skills, AI and machine learning, holding back vulnerability disclosure, and so much more.”
#059 – Jacob Williams: What Didn’t We Catch
- On this week’s Digital Forensic Survival Podcast, Michael spoke about triaging scheduled tasks on Windows systems.
DFSP # 135 – Scheduled Task Triage Part 1
- SalvationData demonstrate how to use SPF Pro to obtain a physical extraction from Qualcomm-based devices.
SPF Pro-SmartPhone Forensic System Professional-SOP-Physical Extraction from Qualcomm Based Devices
- SANS posted Lee Whitfield’s presentation from the 2018 DFIR Summit titled “Evidence Generation X”.
Evidence Generation X – SANS DFIR Summit 2018
- Patrick Gray spoke with Chris Wade and Dr. Silvio Cesare about some changes to the new iPhones that may make password bruteforcing by companies like Grayshift and Cellebrite much harder going forward.
Risky Business feature: iOS exploits just got a lot more expensive
MALWARE
- 0verfl0w_ examines Turla’s keylogger.
Post 0x17.1: Analyzing Turla’s Keylogger
- The Volexity Threat Research team examined the recent attack against Newegg by the Magecart actors.
Magecart Strikes Again: Newegg in the Crosshairs
- Aaron Riley at Cofense shares details of a new campaign distributing GandCrab v4.4.
Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses
- Assaf Dahan at Cybereason shares details of the Overlay RAT campaign targeting Brazilian users.
Vai Malandra: A Look into the Lifecycle of Brazilian Financial Malware: Part One
- Gabriel Landau and Joe Desimone at Endgame provide a history of kernel mode threats.
Kernel Mode Threats & Practical Defenses: Part 1
- There were a couple of posts on the FireEye blog this week
  - Nick Richard, DJ Palombo, Tyler Dean, Alexander Holcomb, and Charles Carmakal share details on a “campaign this year targeting web payment portals that involves on-premise installations of Click2Gov.”
  Click It Up: Targeting Local Government Payment Portals
  - Irshad Muhammad, Sarfaraz Ahmed, and Abhay Vaish describe the use of Delphi packers to evade malware analysis.
  Increased Use of a Delphi Packer to Evade Malware Classification
- Xiaopeng Zhang at Fortinet examines a malicious sample called iTranslator.
Deep Analysis of a Driver-Based MITM Malware: iTranslator
- Marco Ramilli examines the Sustes malware, which downloads XMRIG.
Sustes Malware: CPU for Monero
- Claud Xiao, Cong Zheng and Xingyu Jin at Palo Alto Networks examine “a new malware family that is targeting Linux and Microsoft Windows servers”, named Xbash.
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
- Didier Stevens at the SANS Internet Storm Centre shows how to deobfuscate a simple ROT obfuscation used in malicious VBA code.
20/20 malware vision, (Sun, Sep 16th)
- Trend Micro have a post examining the Virobot ransomware.
Virobot Ransomware with Botnet Capability Breaks Through
- Costin Raiu from Kaspersky Lab has guest posted on Virus Bulletin’s blog on the level of sophistication used by APT actors, and provides an overview of advanced attack methods. Costin believes that “the most likely scenario is that we are indeed only seeing the tip of the iceberg, and there is probably a lot going on that security companies do not find or report on.”
Where are all the ‘A’s in APT?
MISCELLANEOUS
- Brett Shavers posted a couple of times this week
  - He shared his opinion on the recent indictment by the US against a North Korean hacker.
  You can hack if your government says so. Right?
  - He also described the recent addition of a Patreon page to keep DFIR.Training alive. As I said last week, a lot of time and effort goes into some projects, and if you would be affected if they went away, then it’s worth contributing to their survival.
  Patreon at DFIR Training
- Oleg Afonin at Elcomsoft describes the updates to USB Restricted Mode in iOS 12.
iOS 12 Enhances USB Restricted Mode
- There were a few posts on Forensic Focus this week
  - They interviewed Kevin Fisher at Paraben.
  Interview With Kevin Fisher, Senior Support Engineer, Paraben
  - Scar also provided an overview of the latest feature updates to BlackBag’s BlackLight.
  Review Of BlackLight From BlackBag
  - They also shared a short video and transcription regarding Griffeye Analyze DI’s new features.
  Walkthrough: Analyze DI Face Detection Recognition
- Foxton Forensics announced that they have retired their FoxAnalysis and ChromeAnalysis tools in favour of their Browser History Examiner tool.
FoxAnalysis and ChromeAnalysis products retired
- Magnet Forensics posted an interview with one of their trainers, Larry McClain.
Meet Magnet Forensics’ Training Team: Larry McClain
SOFTWARE UPDATES
- Apache Tika 1.19 was released with “bug fixes, improved mime detection, security fixes and upgrades to dependencies.”
Release 1.19 – 9/14/2018
- Belkasoft Evidence Center 2019 v9.3 was released with updates to computer, mobile, and cloud features.
What’s New in Belkasoft Evidence Center 2019 Version 9.3
- CDQR 4.1.9 was released.
CDQR 4.1.9
- Eric Zimmerman updated Registry Explorer to v1.1.0.5. (Side note: it’s just about worth running a script to download the current versions of his tools each time you do a case…)
- GetData released Forensic Explorer v4.4.8.7784 with a number of updates and improvements.
20 Sep 2018 – v4.4.8.7784
- MobilEdit released live update version 2018-09-17-01, adding support for a number of new iOS and Android apps.
Live Update version 2018-09-17-01
- MSAB posted that they have updated XAMN (v4.0), XRY (v7.9), and XEC (v3.3), but the post is protected so no release notes are available.
Protected: New XAMN 4.0 helps you find the evidence & info you need even faster. Plus the latest versions of XRY 7.9 and XEC 3.3 are now available.
- Michael Cohen released WinPmem 3.1.rc1. The update fixes the BSOD caused by Virtual Secure Mode. The best part about this story was the support the community showed in assisting Michael to get the update signed, as otherwise the tool would have been pulled down.
Virtual Secure Mode and memory acquisition
- Sandfly 1.4.4 was released with new features including the ability to “flag running processes under hidden subdirectories”, as well as detecting “malicious entries under the Linux /var/run directory targeting Process ID (PID) files”.
Sandfly 1.4.4 – Mind your PIDness
- Maxim Suhanov has released yarp v1.0.22.
1.0.22
And that’s all for Week 38! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those that give a little back for their support!