FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at file system tunnelling on the C drive
  File System Tunneling and C:\
- Adam Harrison at 1234n6 has written a post on Windows execution artefacts across a variety of desktop and server versions of Windows, and subsequently also (it is going to be the winning entry, yes I’m calling it early) answers this week’s Sunday Funday.
  Available Artifacts – Evidence of Execution
- Arun Prasannan at CCL Group shows how to use a group policy edit to enable write protection for removable storage devices after finding that the registry modification method doesn’t work in all cases.
  NVMe, UASP and write-blocking using the Windows registry
- Oleg and Igor at Cyber Forensicator examine the Google Drive desktop application.
  Cloud Forensics: Google Drive
- Foxton Forensics have a post on using the Windows Timeline feature to examine internet history. They also note that this database isn’t cleared when a user clears their internet history, which is good to know.
  Recovering Edge browser history using Windows Timeline
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - Another week without qualifying submissions!
    Daily Blog #506: Solution Saturday 10/13/18
  - Matt joined Dave for a test kitchen “to examine the ObjectID index to determine what is really happening when a file is deleted and its ObjectID index entry is deleted.”
    Daily Blog #508: Forensic Lunch Test Kitchen 10/15/18
  - Dave shows that accessing a file on a domain computer doesn’t appear to populate the “Domain ID” part of an Object ID
    Daily Blog #509: ObjectIDs and Domains
  - A new Office artefact has been found! Dave shows a series of JSON/txt files inside a user’s appdata directory that list a variety of files and timestamps. I looked at this directory on my system and saw folders for my local machine, as well as OneDrive. Inside were either text or JSON files that had a listing of files that exist in various directories. If I went through the save/open settings in Word and navigated to a folder, it would scan the selected directory and store information in the JSON file for that directory. I deleted a file off my desktop and it remained in the JSON file until I navigated to it in Word. This is good to know!
    Daily Blog #510: Office 2016 Backstage Artifacts
  - Dave ran a test kitchen, exploring “what was recoverable from an external drive formatted NTFS in regards to ObjectIDs”
    Daily Blog #511: Forensic Lunch Test Kitchen 10/18/18
  - Lastly, Dave took a look at some SMB brute forcing tools and the effects they leave in the Windows Event logs
    Daily Blog #512: Forensic Lunch Test Kitchen 10/19/18
- Alexis Brignoni at ‘Initialization vectors’ posted a few times this week
  - He shares a method of extracting messages from the iOS Slack app
    Finding Slack app messages in iOS
  - He has created a Github repo for SQL queries that are used primarily in mobile forensics examinations. This is a great idea as often the queries are embedded in blog posts and presentations; if the research is all collated then it’s much easier to find.
    Github repository for SQL queries used in digital forensics
  - Alexis also provides a bit of information he obtained in an email exchange about the Discord app’s missing values
    Update to Android Discord app “missing” values
- Jonas Plum wrote a post comparing afro to Blacklight for APFS file recovery. They did mention that they were going to compare with TSK, but as yet APFS support hasn’t been added (although I think the implementation would be the Blacklight implementation, so the file recovery comparison should yield the same results).
  Comparison of APFS file recovery tools
- Sam Koffman has released some information regarding “the forensic analysis of the records generated by the Microsoft Office telemetry feature”
  Microsoft Office Telemetry Log (TBL) Format
- Andrew Torgan at Project VIC shares details of the newly released standalone LACE Forensic Carver by BlueBear
  Project VIC ™ partners with BlueBear LES to Promote New Standalone LACE Forensic Carver to Combat Child Exploitation
- T3K Forensics provide a process for seizing mobile devices.
  Mobile Forensic Process – Part II: Seizure
- Over at my ThinkDFIR blog, I did some testing of the new Clipboard History feature in the latest Win10 update. Hopefully, someone with some Volatility experience can whip up a plugin to parse out this useful information.
  Clippy History
- Yogesh Khatri at Swift Forensics examines a new Spotlight database that he located within the user profile (as opposed to the usual location at the root of the drive).
  The user spotlight database
THREAT INTELLIGENCE/HUNTING
- The guys at Cyber Forensicator shared Derek King’s new post on the Splunk blog regarding spotting signs of lateral movement.
  Spotting the Signs of Lateral Movement
- Russ McRee at HolisticInfoSec provides an overview of the “RedHunt Linux virtual machine for adversary emulation and threat hunting”
  RedHunt Linux – Adversary Emulation & Threat Hunting
- Ben Nick at Microsoft Azure shares details on “how Security Center’s Fileless Attack Detection discovers different stages of a multi-stage attack, starting with targeted exploit payload, or shellcode”
  Detecting fileless attacks with Azure Security Center
- Christopher Ross at SpecterOps provides an overview of authorisation plugins on MacOS including installation, weaponisation, and detection.
  Persistent Credential Theft with Authorization Plugins
- Red Canary have a post asking Casey Smith of Red Canary, Brenden Smith of First Bank, Tony Lambert of Red Canary, and Brian Baskin of Carbon Black a variety of questions about threat hunting processes and programs.
  Grand Finale! Building a Mature Threat Hunting Program with MITRE ATT&CK
- StillzTech walks through examining “Real Time (RT) process executions within Carbon Black Response”
  Smashing the stack with Carbon Black
UPCOMING WEBINARS/CONFERENCES
- Arman Gungor at Metaspike will be hosting a webinar on email preservation challenges. The webinar will take place October 25, 2018 at 6PM UTC
  Overcoming Email Preservation Challenges
- Magnet Forensics announced that their 2019 User Summit will be held in Nashville (no more Vegas!). This User Summit will be bigger than the previous ones: it will run across two days, other speakers are invited to submit presentations, and training will be hosted beforehand.
  Magnet User Summit 2019 Coming to Nashville on April 2-3
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the videos from BsidesRDU 2018
  BSidesRDU 2018 Videos
- There was another episode of the Brakeing Down Incident Response podcast!
  BDIR-008
- The videos from Hack.lu 2018 were uploaded.
- On this week’s Digital Forensic Survival Podcast, Michael interviewed Craig Rowland from Sandfly Security on Linux cryptominers
  DFSP # 139 – Linux Crypto-Mining Malware Tactics
- SalvationData have uploaded a video demonstrating how to acquire a backup of a mobile device using SPF Pro
  SPF Pro-SmartPhone Forensic System Professional-SOP-Backup Extraction to Acquire Data without Root
- SANS uploaded a couple of presentations this week
MALWARE
- 0verfl0w at 0ffset has posted a couple of times this week
  - They continue the examination of a Hancitor sample.
    Post 0x16.2: Hancitor Stage 2
  - They also solve MalwareTech’s Strings challenge.
    Solving MalwareTech’s RE Challenges: Strings
- Barun at Attify has written up a few of the Flare-On CTF challenges
- Jacob Pimental at Goggle Headed Hacker has also shared a writeup of one of the challenge questions
  Flare-On 5: MineSweeper Write-up
- Check Point Research share details of the Godzilla Loader and Azorult 3.3
- Felix Schwyzer and Jan Miller at CrowdStrike demonstrate how to examine a malicious PDF in Falcon Sandbox.
  Leveraging Falcon Sandbox to Detect and Analyze Malicious PDFs Containing Zero-Day Exploits
- Marco Ramilli examines a malicious sample dubbed MartyMcFly
  MartyMcFly Malware: Targeting Naval Industry
- Shannon Lucas at SpecterOps walks through some Android APK reversing.
  Don’t You (Forget About RE)
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens demonstrates how to examine a maldoc that contains an XOR encoded function
    Maldoc: Once More It’s XOR, (Sat, Oct 13th)
  - Didier also shows how to use CyberChef to deobfuscate an obfuscated URL
    CyberChef: BASE64/XOR Recipe, (Tue, Oct 16th)
- Sebdraven examines a maldoc exploiting CVE-2017-11882
  APT Sidewinder changes theirs TTPs to install their backdoor.
- There were a couple of posts on Securelist this week
  - They share details of the DustSquad threat actor and their use of the “malicious program for Windows called Octopus that mostly targets diplomatic entities”
    Octopus-infested seas of Central Asia
  - Andrey Dolgushev, Dmitry Tarakanov and Vasily Berdnikov examine “DanderSpritz and FuzzBunch” as well as the DarkPulsar implant
    DarkPulsar
- There were a couple of posts on Cisco’s Talos blog
  - Edmund Brumaghin and Holger Unterbrink share details of a new campaign that distributes the Agent Tesla malware
    Old dog, new tricks – Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
  - Ashlee Benge and Jungsoo An provide an overview of activities by the “APT threat actor known as “Tick,” “Bronze Butler,” and “Redbaldknight””
    Tracking Tick Through Recent Campaigns Targeting East Asia
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes the inline and IAT hooking that is utilised by user-land rootkits
  Some thoughts about Windows Userland Rootkits
- The Symantec Security Response Attack Investigation Team share details of a campaign by the Gallmaker threat actor.
  Gallmaker: New attack group emerges that avoids malware and relies solely on living-off-the-land techniques
- Anton Cherepanov and Robert Lipovsky at WeLiveSecurity share details of the GreyEnergy malware framework linked to the BlackEnergy APT group
  GreyEnergy: Updated arsenal of one of the most dangerous threat actors
MISCELLANEOUS
- John Lukach at 4n6IR demonstrates migrating his SHA256 hash library to AWS
  AWS Pseudo Pipeline
- Justin Boncaldo shares details of the book that he has been writing on entering the world of digital forensics.
  Entering the World of Digital Forensics
- Computer Forensics World has been reinvigorated. This happened a couple of weeks ago according to this blog post, but I only just saw it this week
  Welcome to the New Computer Forensics World Forum
- David Toy at Cyan Forensics explains how the long tail effect can be factored into building a hash set to be used in indecent image detection
  Building useful triage datasets is easier than you think…
- Brett Shavers at DFIR.Training shares his opinion regarding the definition of forensics.
  You’re not really doing forensics if you’re not doing forensics
- There were a few posts on Forensic Focus this week
  - Scar recapped the recent Techno Security conference in San Antonio, Texas.
    Techno Security TX 2018 – Recap
  - They provided an overview of Susteen’s Data Pilot 10.
    Review Of Data Pilot 10 From Susteen
  - They shared Angus M. Marshall & Richard Paige’s research paper on ISO 17025
    Requirements In Digital Forensics Method Definition: Observations From A Study
  - Scar reviewed “Executing Windows Command Line Investigations” by Chet Hosmer, Joshua Bartolomie and Rosanne Pelli
    Executing Windows Command Line Investigations
  - They interviewed Sheldon Feinland from Blackbag Technologies
    Interview With Sheldon Feinland, VP Of Sales, BlackBag
- Adam at Hexacorn explains how he goes about discovering new persistence tricks.
  How to find new persistence tricks?
- Rebecca Anderson’s Amcache_Scan Autopsy plugin won the plugin competition at this year’s OSDFCon.
- There were a couple of posts by the students at Champlain College
  - The mobile forensics team announced their project focusing on “social media apps on Android devices”
    Mobile Forensics Update 1
  - The tool eval team will be evaluating AccessData’s FTK. They also plan on comparing FTK to Encase and Autopsy, which will be good to see.
    FTK Tool Evaluation Update
SOFTWARE UPDATES
- Autopsy 4.9.0 was released with a number of new features and bug fixes. The Sleuth Kit 4.6.3 was also released.
  4.9.0 (Oct 14, 2018)
- Berla released iVe v2.1 adding support for new vehicles as well as other improvements and fixes. They also released a feature spotlight on the updated search functionality.
  iVe Software v2.1 Release
- Mobilyze 2018 R2 was released and Ashley Hernandez provides an overview of the new features.
  What Time Is It? Time Zone Updates In Mobilyze
- Elcomsoft Explorer for WhatsApp 2.50 was released adding “the ability to extract WhatsApp conversations from local and cloud backups produced by iOS 12, and offers support for new types of WhatsApp backups stored in the user’s Google Account”
  Elcomsoft Explorer for WhatsApp Supports iOS 12, New Google Drive Backups
- Eric Zimmerman updated a few of his tools: ShellBagExplorer, Appcompatcache and Amcache, as well as LECmd 1.1.0.2 and TLE 0.8.8.0
- Evimetry 3.0.11 and 3.1.8-UNSTABLE were released with a number of new features and bug fixes
  Release Channels
- ExifTool 11.14 (development) was released with new tags and bug fixes
  ExifTool 11.14
- Metaspike released Forensic Email Collector v3.4.6.0 with a number of new features and improvements.
  Forensic Email Collector (FEC) Changelog
- MobilEdit has released Live Update version 2018-10-16-01 to update the cell tower package
  Live Update version 2018-10-16-01
- AChoir v2.1 has been released, adding “built-in detection and Decompression of LZNT1 Compressed files”, and OS-based conditional execution.
  AChoir v2.1 Released
- Passmark Software released OSForensics 6.1 build 1002, fixing a number of bugs.
  6.1 build 1002 16th Oct 2018
- Radare2 3.0.0 (codename: its-still-radare2) was released with a number of improvements and bug fixes
  3.0 codename: its-still-radare2
- SalvationData’s DRS was updated to V18.7.3.291 with a number of updates and bug fixes
  [Software Update] Computer Forensics: DRS V18.7.3.291 New Version Release for Better User Experience!
And that’s all for Week 42! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!