FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog deletes a folder containing a $I30 file and a hardlinked picture. He shows that there is a reference in the index; FTK Imager doesn’t show the picture file, but Autopsy does.
Autopsy and Realloc
- James Habben at 4n6IR has a couple of posts about identifying Object IDs in forensic tools
- On the Encase front, James shows how to use Encase to “identify the files in your case that have an Object ID assigned to them”
NTFS Object IDs in EnCase – Part 2
- And then search for a specific Object ID
NTFS Object IDs in EnCase – Part 3
- Using X-Ways, James shows how to display the object ID, but identifies that there isn’t currently a way to display that information in a column.
NTFS Object IDs in X-Ways
- There were a couple of posts on Hackers Arise regarding the basics of Wireshark and then using it to detect and analyse modbus traffic.
- Shourjo Chakraborty at Lucideus provides a brief overview of the Windows registry
Windows Registry Forensic Analysis Part 1 – Windows Forensics Manual 2018
- SalvationData have a post showing how to perform a physical extraction on Qualcomm-based devices.
[Case Study] Mobile Forensics: Bypass Screen Password and Work on Broken Smartphones with Qualcomm Physical Extraction Technology
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures explains the benefits of limiting the scope of your threat hunt so as not to get distracted or taint evidence.
Tightly Defining Cyber Threat Hunting
- Charles Humphrey at AlienVault shares his thoughts on alert tuning
Alert Fatigue and Tuning for Security Analysts
- Katie Dematteis at Carbon Black shares the Q&A from the recent webinar with Rick McElroy, John Wunder, and Phil Hagen.
Excerpts from: Using the ATT&CK™ Framework to Mature Your Threat Hunting Program
- Marcus at MB Secure has written a series on opsec for blue teams, covering the risk of alerting adversaries, testing tools “which provide context and/or OSINT in relation to OPSEC”, and “sandboxes, secure communications and sharing of info & data, when dealing with a targeted attack.”
- Josh Frantz at Rapid7 describes some security features that make life harder for attackers utilising PowerShell, including setting up adequate logging.
The PowerShell Boogeyman: How to Defend Against Malicious PowerShell Attacks
- StillzTech released a couple of tools that might be useful for Carbon Black users.
- Atul Kabra describes how to use osquery and PolyLogyx as a ‘smart agent’ to “serve the purpose of data collection but in an efficient manner so that the wheat and chaff can be segregated right at the data source making targeted data collection much simpler”, with the collected data then queryable via SQL.
The name is query — osquery and we like it shaken not stirred
- Scott Piper at Summit Route shows how to investigate a malicious AMI on AWS. He also introduces “a new CloudMapper command amis to help you investigate your existing EC2s”
Investigating malicious AMIs
- Thomas Patzke explains some recent changes to Sigma to deal with issues such as “rules matching two different Windows events appeared that in fact describe the same events”
Introducing Generic Log Sources in Sigma
PRESENTATIONS/PODCASTS
- Ed Michael demonstrates how to decrypt iOS notes in UFED Physical Analyser. Ed exports the relevant database and uses a Perl script to extract the hash, before cracking the hash using hashcat.
Using hashcat to decrypt iOS notes for Cellebrite’s Physical Analyzer
- Magnet Forensics shared out their recent webinar by Jamie McQuaid and Gillware’s Nathan Little regarding fraud, IP theft, and intrusion investigations.
Recorded Webinar: Fraud, IP Theft, and an Intrusion: A Case Study with Gillware Digital Forensics
- OALabs have uploaded a video showing how to “reverse engineer the Aegis Crypter and take a look at how packers work from the malware developer’s perspective”
How Do Packers Work – Reverse Engineering “FUD” Aegis Crypter
- On this week’s Digital Forensic Survival Podcast, Michael continued to explain a triage process for scheduled tasks
DFSP # 136 – Scheduled Task Triage Part 2
- SANS shared Jon Poling’s presentation from the 2018 DFIR Summit titled “Logging, Monitoring, and Alerting in AWS (The TL;DR)”
Logging, Monitoring, and Alerting in AWS (The TL;DR) – SANS DFIR Summit 2018
- On the Cyber Jungle, Ira Victor interviews Chet Hosmer on his Raspberry Pi sensor project, as well as “Greg Kipper of Paraben Forensics on forensic tools to analyze the data gathered by the RaspberryPis in the Chet Hosmer interview.”
September 22, 2018, Episode 398, Show Notes
MALWARE
- Nikita Fokin, Israel Gubi, and Mark Lechtik at Check Point Research share details of the Gazorp malware builder, which can be used to create Azorult version 3.0 samples.
The ‘Gazorp’ Dark Web Azorult Builder
- Adam Meyers at CrowdStrike provides an overview of the Cobalt Spider APT group
Meet CrowdStrike’s Adversary of the Month for September: COBALT SPIDER
- Faisal AM Qureshi at “Deriving Cyber Threat Intelligence and Threat Hunting” walks through reversing shellcode downloaded by a “Powershell sample from hybrid analysis”
Reversing shellcode using blobrunner and Olly
- G Data Security share details of some new Android malware that can read WhatsApp messages.
Android Trojan reads Whatsapp-Messages
- Jérôme Segura at Malwarebytes Labs shows that “a variant of a remote code execution vulnerability with Internet Explorer’s scripting engine known as CVE-2018-8373 patched last August has been found in the wild.”
Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT
- Andrea Lelli at Microsoft Secure describes various fileless threats. As an aside, I like Figure 9 (“Taxonomy of fileless threats”).
Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV
- Josh Grunzweig and Bryan Lee at Palo Alto Networks share details of the new Nokki malware, which may have ties to the threat actors behind the Konni malware.
New KONNI Malware attacking Eurasia and Southeast Asia
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens shows how to examine a malicious RTF file with his tools and then take a look at the encoded shellcode with scdbg
Analyzing Encoded Shellcode with scdbg, (Mon, Sep 24th)
- Brad Duncan examines some Emotet malspam
One Emotet infection leads to three follow-up malware infections, (Wed, Sep 26th)
- Renato Marinho walks through his analysis of a massive (292 MB) malware sample
Enriching Radare2 and x64dbg malware analysis with statically decoded strings, (Thu, Sep 27th)
- Xavier Mertens shows a malicious Excel file that utilises the “DDE code injection” technique
More Excel DDE Code Injection, (Fri, Sep 28th)
- Securelist give an overview of malware distributed by USB devices.
USB threats from malware to miners
- There were a couple of posts on Cisco’s Talos blog this week
- Paul Rascagneres and Vitor Ventura describe a recent spam campaign “spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX)”.
Adwind Dodges AV via DDE
- Edmund Brumaghin describes the new features in VPNFilter
VPNFilter III: More Tools for the Swiss Army Knife of Malware
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides an overview of PE injection
Some thoughts about PE Injection
- Elliot Cao at TrendLabs shares details of an exploit that uses the CVE-2018-8373 vulnerability.
New CVE-2018-8373 Exploit Spotted in the Wild
- WeLiveSecurity have a post regarding “a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.”
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
MISCELLANEOUS
- Arsenal are offering free subscriptions to colleges and universities for their tools.
Free Arsenal Subscriptions for Colleges and Universities
- Arsenal have also put the call out to sponsor development of their Image Mounter utility.
Sponsoring Arsenal Image Mounter
- Yulia Samoteykina at Atola demonstrates how to locate the reports generated by the TaskForce.
Finding reports in TaskForce
- There were a few posts on Cyber Forensicator this week
- They shared Joachim Metz’s library for parsing the APFS file system.
libfsapfs: Library and Tools to Access the Apple File System (APFS)
- “A new book by Arthur Salmon has been announced by Packt Publishing. The book is titled ‘Hands-On Network Forensics: Investigate network attacks and find evidences using common network forensic tools’, and is expected to be released on February 11, 2019.”
Hands-On Network Forensics: Investigate network attacks and find evidences using common network forensic tools
- They shared Maxim Suhanov’s new winmem_decompress tool
winmem_decompress: Extract Compressed Memory Pages from Page-Aligned Data
- DME Forensics have a post describing the Clip status field in DVR Examiner.
Understanding Clip Status in DVR Examiner
- Gabriele Zambelli at Forense nella Nebbia shows how to convert HEIC files to JPG and then transfer the EXIF data across.
Converting from .heic to .jpg
- Lee Whitfield is changing some things about the beloved Forensic 4Cast Awards. I’ve gotten to see the awards a few times now and it’s always something to look forward to, especially if you’re nominated (and apparently some people felt I was robbed, but clearly more people voted for others in the category, so I can’t complain). I do like the idea of changing the awards to encourage and reward hard workers in the field, rather than companies that win an award so often that the categories are moot.
Changes to the Forensic 4:cast Awards
- There were a few posts on Forensic Focus this week
- Scar shared a round-up of forum posts, as well as her news picks from the last month
- They also interviewed Damir Delija, who is a Senior Lecturer at Zagreb University of Applied Sciences.
Interview With Damir Delija, Senior Lecturer, Zagreb University
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- Another week goes by without a submission! Hopefully, Dave gets a submission this week instead
Daily Blog #486: Solution Saturday 9/22/18
- This week’s Sunday Funday relates to the “EditFlags” found in the Classes key. I didn’t get to do the testing, but I did write a quick RegRipper plugin to extract the EditFlags values; someone should be able to add in the code to decode the hex data.
Daily Blog #487: Sunday Funday 9/23/18
- Dave highlights Yogesh’s Mac APT tool
Daily Blog #488: Tool Highlight Mac APT
- He also indicates that he has been using the Hack in the Box challenges to practice hacking and tracking, with plans to live stream some detection methods in the future
Daily Blog #489: Do you IR your pentest labs?
- He also draws attention to the news that Enfuse is “being rolled up into the larger OpenText conference”
Daily Blog #490: The end of enfuse/ceic
- On the Test Kitchen this week, Dave showed that “files extracted in mass may have the same object ID timestamp” and “files created by the user should have incrementing object ID timestamps”
Daily Blog #491: Test Kitchen 9/27/18 Sequential ObjectID Testing
- Alexis Brignoni shares his thoughts on thanking content creators in our community. As a content creator, I very much appreciate the support, and the extra dollars here and there definitely help justify spending the time.
It is our responsibility: Supporting DFIR researchers and content creators.
- Christa Miller at Magnet Forensics shares a list of shortcut keys for Axiom
Keyboard Shortcuts to Help Your AXIOM Examinations Run More Efficiently
- There were a number of articles by the students at Champlain College this week about their experiences at Enfuse 2018
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ has shared her review of Harlan Carvey’s recent ‘Investigating Windows Systems’ book.
DFIR Field Manual?
SOFTWARE UPDATES
- Didier Stevens updated pecheck to version 0.7.4 to improve “digital signature handling.”
Update: pecheck.py Version 0.7.4
- ExifTool 11.11 (production release) was released with a number of new tags and bug fixes.
ExifTool 11.11 (production release)
- Jamie Levy updated memtriage to v0.2-alpha, “adding new Winpmem drivers, adding yarascan plugin, [and] some minor code fixes”
v0.2-alpha Release
- Josh Liburdi released Strelka, which “is a real-time file scanning system used for threat hunting, threat detection, and incident response. Based on the design established by Lockheed Martin’s Laika BOSS and similar projects (see: related projects), Strelka’s purpose is to perform file extraction and metadata collection at huge scale.”
Check out @jshlbrd’s Tweet
- Minoru Kobayashi “fixed a minor bug of vss_carver.py and updated Windows binaries of extended-libvshadow”
VSS Carver
- MobilEdit released Forensic Explorer 5.6.2 to fix a number of bugs, as well as Live Update version 2018-09-27-01 to add or improve support for a number of iOS and Android apps.
- Passmark released OSForensics V6.1 with a number of new features and improvements
OSForensics V6.1 released
- Skadi 2018.4 was released, updating all internal tools.
Skadi 2018.4
- SalvationData released SPF Pro V6.81.26 with a number of improvements.
[Software Update] Mobile Forensics: SPF Pro V6.81.26 New Version Release for Better User Experience!
- Maxim Suhanov has released yarp v1.0.23
1.0.23
And that’s all for Week 39! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!