FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog explores whether he can “find timestamp changes using [the] USN Journal”
Timestamp and USN_REASON_BASIC_INFO_CHANGE
- ADF have a post describing how to acquire memory using an ADF collection key
RAM Dump Forensics
- Justin Boncaldo takes a look at the database that stores apps installed with the Windows app store.
“All Installed Apps” Artifact - Windows 10 Forensics
- SANS released an updated version of the “Advanced Smartphone Forensics” poster
Advanced Smartphone Forensics Poster
- Mike Cary has started a blog, DFIR on the Mountain, and explains his reasons for doing so. He also has a post describing his automation script, which runs Eric’s tools as well as a few others for browser history
Start-ImageParsing.ps1
- Gabriele Zambelli at ‘Forense nella Nebbia’ examines the calllog.db on a couple of Android physical dumps to show that they can also contain SMS data.
Calllog.db and SMS data on Android 7.0 Nougat
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - I submitted a regripper plugin to extract the EditFlags values; however, more work needs to be done for it to parse out the data that was requested.
  Daily Blog #492: Solution Saturday 9/30/18
  - This week’s challenge asked “How would you monitor/record changes to registry keys? What could you do to get more data?”
  Daily Blog #493: Sunday Funday 9/30/18
  - And the winner was Kevin Pagano
  Daily Blog #499: Solution Saturday
- InfoSecurityGeek has written a lengthy write-up of the Defcon DFIR CTF. I like that the write-up has a lot of screenshots, and uses freely available tools
Defcon DFIR CTF 2018 Writeup
- Alexis Brignoni at Initialization Vectors examines the Slack app for Android.
Finding Slack messages in Android using json_extract
- Volume 10-4 of the International Journal of Electronic Security and Digital Forensics was released
International Journal of Electronic Security and Digital Forensics
- Maxim Suhanov explores various methods for hiding data in the registry
Hiding data in the registry
- Matt McFadden at OpenText explains why he believes it’s important to understand where data comes from during an examination. By understanding the data structures you have a better chance of explaining the data that your tool is presenting.
The importance of knowing ‘where’ in digital forensic analysis
- Chapin Bryce at Pythonic Forensics shares some useful Linux commands for examining log files
- Henry Georges’ master’s thesis on ReFS was published, as well as a Python script for analyzing a ReFS disk. Thank you to Paul Bryant for notifying me.
refs
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ lists three methods for accessing VSCs within an image
Accessing Volume Shadow Copies within a forensic image
- Iria Piyo deletes a file and then restores it with FTK Imager to see if file system tunnelling affects the timestamps.
NTFS Tunneling and FileRecovery
THREAT INTELLIGENCE/HUNTING
- Max Gannon at Cofense demonstrates how “threat actors can use combinations of multiple legitimate methods of encoding and obfuscation to retrieve online resources while avoiding both automated systems and analysts”
Threat Actors Customize URLs to Avoid Detection
- Adam at Hexacorn discusses tactics vs techniques in the context of the MITRE ATT&CK framework.
Lateral Movement and Persistence: tactics vs techniques
- Vasilios Hioureas at Malwarebytes Labs walks through a few fileless malware attacks.
Fileless malware: part deux
- Michael Henriksen shows how he uses draw.io for threat modelling.
Draw.io for threat modeling
- There were a couple of posts on the Red Canary blog this week
  - Frank McClain walks through various commands run by attackers on macOS.
  Attacking a Mac: Detecting MacOS Post-Exploitation
  - Justin Schoenfeld demonstrates how “the OODA loop method can help improve detection speed and accuracy”
  How the OODA Loop Can Help Improve Detection Speed and Accuracy
- StillzTech released a couple of tools for Carbon Black Response
- StillzTech also “looks at how we can use some AWS resources and the Carbon Black Event Forwarder to handle all network connections”
Event Processing Pipeline with AWS/CBR
- David French posted a few articles on the Threat Punter blog this week
  - He shows how to set up Sysmon and Splunk on a system to detect lateral movement
  Detecting Lateral Movement Using Sysmon and Splunk
  - He shows how to set up monitoring on registry hives using Group Policy to detect attempts to steal passwords
  Detecting Attempts to Steal Passwords from the Registry
  - He also demonstrates how to set up Sysmon to monitor for tools like Mimikatz attempting to obtain passwords from the lsass process in memory
  Detecting Attempts to Steal Passwords from Memory
- Andreas Sfakianakis at ‘Tilting at windmills’ shares a few resources surrounding the Mitre Att&ck framework
Latest advances in MITRE’s ATT&CK framework
UPCOMING WEBINARS/CONFERENCES
- Cellebrite will be hosting a webinar on the recent updates to their UFED products on October 17 at 10am (New York) / 3pm (London) / 4pm (Brussels).
The convergence of physical and virtual data for faster discovery of evidence
- Tayfun Uzun at Magnet Forensics will be hosting a webinar on “a variety of different methods available to bypass passwords on LG, Samsung, and Motorola phones as well as phones using MTK and Qualcomm chipsets.” The webinar will take place on Tuesday, November 13th @ 1:00PM EDT and Wednesday, November 14th @ 9:00AM EDT
An In-Depth Look at Different Password Bypass Options
PRESENTATIONS/PODCASTS
- A number of presentations from the 2018 ‘A Conference for Defense’ were uploaded.
- Adrian Crenshaw uploaded the videos from Derbycon 2018
- The talks from BruCON 2018 were uploaded to YouTube
BruCON Security Conference
- Dave Cowen continued the test kitchen series! And thankfully has started putting a summary of his findings at the top of the posts. This week’s testing covered:
  - Object ID timestamps and timestamp manipulation
  Daily Blog #494: Forensic Lunch Test Kitchen 10/1/18
  - Object ID sequence numbers and the registry
  Daily Blog #495: Forensic Lunch Test Kitchen 10/2/18
  - Duplicate Object IDs
  Daily Blog #496: Forensic Lunch Test Kitchen 10/3/18
  - Using YARP to examine TypedPaths
  Daily Blog #497: Forensic Lunch Test Kitchen 10/4/18
  - And a forensic lunch! Matt and Dave spoke about the various DFIR conferences, a DFIR cruise, as well as Matt’s script for parsing the $O Index Allocation
  Daily Blog #498: Forensic Lunch 10/5/18
- On this week’s Digital Forensic Survival Podcast, Michael talked “about the attack methodology known as Fast Flux.”
DFSP # 137 – Fast Flux
- SANS uploaded a couple of presentations from the 2018 DFIR Summit
- I released my monthly podcast for September!
This Month In 4n6 – September – 2018
MALWARE
- 0verfl0w at 0ffset continues to examine the Turla keylogger
Post 0x17.2: Analyzing Turla’s Keylogger
- Check Point Research continue their tutorial series on Labeless
- Assaf Dahan at Cybereason examines the Betabot malware.
New Betabot campaign under the microscope
- There were a couple of posts on the FireEye blog this week
  - Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, and Fred Plan have released a special report on APT38.
  APT38: Details on New North Korean Regime-Backed Threat Group
  - Nick Harbour shared the stats and solutions from the recent Flare-On challenge
  2018 Flare-On Challenge Solutions
- John Bergbom at Forcepoint introduces “Wasm’s memory structure and then look at performing high-level behavioral analysis of an unknown (-ish) sample”. Also this week, Willi Ballenthin at FireEye introduced “idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules”
Analyzing WebAssembly binaries: initial feel and behavioral analysis
- Jay Rosenberg at Intezer shows the shared code between ROKRAT and Final1stspy and posits that “this code reuse provides more evidence towards the relationship of KimJongRAT, KONNI, NOKKI, Final1stspy, ROKRAT, and APT37.”
APT37: Final1stspy Reaping the FreeMilk
- Josh Lemon at Lemon’s InfoSec Ramblings explains his process for examining malicious email (MSG/EML) files, as well as decoding their attachments.
Analysing Malicious Email Files
- Josh Grunzweig at Palo Alto Networks “details the relationship found between the NOKKI and DOGCALL malware families, as well provides additional information about a previously unreported malware family [Final1stspy] used to deploy DOGCALL”
NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens examines a DOSfuscated sample
  When DOSfuscation Helps…, (Sun, Sep 30th)
  - As well as a malicious spreadsheet
  Decoding Custom Substitution Encodings with translate.py, (Mon, Oct 1st)
  - He shares “a YARA rule for the detection of DDE code injection in CSV files.”
  Developing YARA Rules: a Practical Example, (Mon, Oct 1st)
  - And explores XOR searching in YARA 3.8.0
  YARA: XOR Strings, (Sat, Oct 6th)
- There were a couple of posts on Securelist this week
  - They share new details about the various methods that the Roaming Mantis group uses to distribute malware
  Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
  - They also discuss the ongoing activity by the Turla group
  Shedding Skin – Turla’s Fresh Faces
- The Symantec Security Response Attack Investigation Team provide an overview of the activities by APT28
APT28: New Espionage Activity Targeting Military and Government Organizations
- David French at Threat Punter examines a maldoc containing a RAT
5-Minute Analysis of a Remote Access Trojan
MISCELLANEOUS
- Binalyze released IREC Tactical
Check out @binalyze’s Tweet
- Brett Shavers suggests that those who have to travel for work should try to see the sights when they can rather than fly in, work, fly out
#DFIR Traveling Isn’t
- There were a couple of posts on Cyber Forensicator this week
  - They shared Eric C. Thompson’s recently released book titled “Cybersecurity Incident Response: How to Contain, Eradicate, and Recover from Incidents”
  Cybersecurity Incident Response: How to Contain, Eradicate, and Recover from Incidents
  - They also shared Daryl Bennett’s Python Digital Forensics course
  Python Digital Forensics
- The second volume of Don Murdoch’s Blue Team Handbook has been released
Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases: A condensed field guide for the Security Operations team (Volume 2)
- Oleg Afonin at Elcomsoft describes Apple’s Activation Lock and explains various methods of disabling it.
Everything You Wanted to Know about Activation Lock and iCloud Lock
- There were a few posts on Forensic Focus this week
  - Magnet Forensics posted a survey for mobile forensic examiners
  Magnet Forensics Survey: Mobile Examiner Feedback Wanted
  - Jade James provided an overview of the new features in AD Enterprise 6.5.1
  Review Of Enterprise 6.5.1 From AccessData
  - Rich2005 shared their thoughts on ISO 17025 and doesn’t think that it’s a good fit for digital forensics. The interesting point made was that obtaining the certification is restrictive for smaller shops. I don’t know a lot about the standard, or the process of getting the certification, but I do think that there should be a barrier to entry to becoming an examiner for cases. The example provided showed a skilled defence examiner; however, that’s not always the case: in some cases, someone who has worked in computers can be accepted as an expert when they don’t know a lot about the actual DF field.
  Opinion: Is ISO17025 The Right Standard For Digital Forensics?
  - They interviewed Angus Marshall about his work on standardisation and tool testing based on his recently published paper: “Requirements in digital forensics method definition: observations from a UK study”
  Interview With Angus Marshall, Digital Forensic Scientist
  - Lastly, they shared a video and transcript of the latest features in Oxygen Forensic Detective
  Walkthrough: Oxygen Forensic Detective Latest Features
- Magnet Forensics posted a few times this week
  - They released their new whitepaper, “Successful Employee Misconduct Investigations”
  White Paper: Successful Employee Misconduct Investigations
  - Jad Saliba compares the speed of AXIOM and IEF and shows the considerable speed improvements that they’ve made due to the increased focus on performance in AXIOM
  Magnet AXIOM vs. Magnet IEF: Going Supersonic
  - They also interviewed Hoyt Harness, who is a recent addition to the Magnet Training Team
  Meet Magnet Forensics’ Training Team: Hoyt Harness
- Kevin Pagano has started a new blog, Stark 4n6
The Man Behind the Mask
- One of the students at Champlain College shared his thoughts on the recent Enfuse conference, as well as Rafal Los’ session “Order in Chaos: How Not to Lose Your Head When Your Hair is on Fire”
Industry Experience at Opentext Conference
- Lucas Paus at WeLiveSecurity shares a couple of DFIR tool listings
IT forensic tools: How to find the right one for each incident
SOFTWARE UPDATES
- Plaso 20180930 was released, including a number of new plugins and parsers, as well as “a bunch of cleanups, performance tweaks and bug fixes”
Plaso 20180930 released
- Alan Orlikoski released CDQR 4.2.0 to include “an optional argument ‘-f’ to allow filter files to be included”, and “--ignore_archives to not extract and inspect contents of archives found inside of artifacts list or disk image”
CDQR 4.2.1
- Cellebrite released v7.10 for their UFED line of products, which includes the Virtual Analyzer Android virtualisation feature, as well as additional device and app support.
UFED Ultimate, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader 7.10 [October 2018]
- Cellebrite also released UFED Cloud Analyzer 7.4, adding support for Coinbase data, Viber backups, and extracting stored passwords from PC web browsers.
UFED Cloud Analyzer 7.4 [September 2018]
- DME Forensics have “added a new Filesystem Database Update for DVR Examiner”; however, the email notification didn’t provide details.
- Eric Zimmerman updated PECmd (v1.2.0.0) and Timeline Explorer (v0.8.7.0)
Updates
- ExifTool 11.12 (development) was released with new tags and bug fixes
ExifTool 11.12
- MSAB shared the highlights from the recent updates to XAMN, XRY, and XEC Director on Forensic Focus
Introducing XAMN 4.0 – Redesigned To Help Investigators Find Evidence Fast
- Griffeye released Analyze 18.2, which includes improvements across DI Pro, CS Enterprise, and Griffeye Brain.
Release of Analyze 18.2 – All about quality
- AChoir Version 2.0 was released
AChoir Version 2.0
- Passware Kit 2018 v2 was released, adding support for Bitcoin wallets and “instant decryption of APFS disks via analysis of iCloud or iTunes backups”, as well as other improvements.
Passware Kit 2018 v2
- Pasquale Stirparo updated his epochalypse script to support additional timestamps.
Check out @pstirparo’s Tweet
- USB Detective 1.3.0 was released with various improvements, including VSS support
Version 1.3.0 (10/03/2018)
- Various versions of X-Ways were updated to fix bugs and add some new features to the latest preview.
And that’s all for Week 40! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!