Paul Sanderson advised that Sanderson Forensics is closed until further notice due to family health concerns. Sending well wishes and hopefully, everything gets better soon.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog takes a look at the “Audit PNP Activity” event logging with regards to USB device connection.
Audit PNP Activity and ID 6416
- Sam Holt at AccessData walks through some drone analysis using a free tool called Datcon, as well as AccessData Quin-C
Drone attacks. How can we fight back?
- John Walther at Carpe Indicium shares his findings on examining the Snapchat app on iOS and Android
“Gone In 10 Seconds” Snapchat Forensics
- Michael R. Godfrey guest posted on Forensic Focus about the various forensic artefacts relating to the uTorrent client.
Forensic Analysis Of The μTorrent Peer-to-Peer Client In Windows
- Cindy Murphy at Gillware provides an overview of JSON files and shares some examples of app data that is stored in JSON format.
.JSON files- My Favorite Artifacts, Part Three
- There’s a post on Hackers-Arise about using Wireshark for network forensics
Network Forensics: Wireshark Basics, Part 2
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday challenge is about testing copy and paste operations across NTFS volumes on Win7 and Win10. I did a bit of testing and published my findings here. The winning answer by Sandor Tokesi has also been posted.
  Daily Blog #521: Sunday Funday 10/28/18
  - Dave also did some testing on Recycle Bins on fixed and external drives.
  Daily Blog #522: Forensic Lunch Test Kitchen 10/29/18
  - And another on “what triggers the initial creation of the Recycle.Bin directory”
  Daily Blog #523: Forensic Lunch Test Kitchen 10/30/18
  - As well as a Forensic Lunch hosting “Hal Pomeranz talking all about XFS file systems and XFS forensics”
  Daily Blog #524: Forensic Lunch 10/31/18
  - Dave links to Brian Gerdon’s recently released Backstage artifact parser
  Daily Blog #525: Office 2016 Backstage artifact parser
  - And also comments on Pasquale’s recent tweet regarding contributing to centralised projects. I tend to agree with both sides; on one hand you can write the tool the way you want, but on the other you can help expand an existing project and make it better. Ideally you would do both; but with that in mind, helping someone build their project into an existing framework is also a worthwhile contribution.
  Daily Blog #526: Where are we going?
- Alexis Brignoni at ‘Initialization vectors’ analyses the CCleaner app for Android
Quick DFIR review – CCleaner for Android
- SalvationData share a case study showing how they are able to decrypt WhatsApp backup files by downgrading the APK.
[Case Study] Mobile Forensics: SalvationDATA Helped a Crime Investigation by Decrypting WhatsApp Database
THREAT INTELLIGENCE/HUNTING
- Stacia Tympanick at Carbon Black demonstrates identifying a process running from an incorrect path using “Cb LiveOps in the Predictive Security Cloud”
ATT&CK +osquery = Love
- Avihai Ben-Yossef at Cymulate shares a method to “abuse the Online Video feature on Microsoft Word to execute malicious code”
Abusing Microsoft Office Online Video
- Fortinet have released a new playbook for the Goblin Panda threat group.
CTA Adversary Playbook: Goblin Panda
- There were a couple of posts on Hats Off Security this week regarding examining encrypted network traffic
- Jerry at Infosec Engineering gives some advice on log aggregation to avoid issues with attacks destroying or disabling system logging
Thoughts About Counter-Forensics and Attacks on Logs
- Nextron Systems have a post demonstrating how to build a YARA rule to hunt for a compromised certificate
Short Tutorial: How to Create a YARA Rule for a Compromised Certificate
- Matt Graeber at SpecterOps describes how to use “PowerShell Desired State Configuration (DSC)” for lateral movement, as well as the Windows Event Logs that can be used to detect this activity
Abusing PowerShell Desired State Configuration for Lateral Movement
- Nihad Hassan at Secjuice demonstrates a method of hiding data within an ADS that also remains hidden from various tools
Playing In The Dark Corners Of Windows With Alternative Data Streams
- Symantec’s Security Response Attack Investigation Team provide an overview of an attack by the SamSam threat group
SamSam: Targeted Ransomware Attacks Continue
UPCOMING WEBINARS/CONFERENCES
- Jessica Hyde at Magnet Forensics will be hosting a webinar on iOS 12 on Tuesday, November 28th @ 1:00PM EST and Wednesday, November 29th @ 9:00AM EST
Apple’s Tween Years: iOS’ Maturation from 10 through 11 and into 12
PRESENTATIONS/PODCASTS
- The presentations from BSides Augusta 2018 have been uploaded.
- The videos from the Blue Team Village at DEF CON 26 were uploaded
DEF CON 26 Blue Team Village
- Rafael Los at ‘Down the Security Rabbithole’ interviewed James Habben about his experience and the DFIR community
DtSR Episode 320 – Specializing in Forensics
- Forensic Focus shared the transcript and presentation by Vassil Roussev from DFRWS EU 2018
Nugget: A Digital Forensics Language
- Sarah Edwards at Mac4n6 advised that her presentation with Heather Mahalik from the SANS 2018 DFIR Summit has been uploaded
Video Now Available – #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data
- Olaf Hartong shared his presentation from ISF2018 titled “Endpoint Detection superpowers on the cheap”
Presentations
- The presentations from OSDFCon 2018 have been uploaded
2018 Agenda
- On this week’s Digital Forensic Survival Podcast, Michael talked through triaging logon events in an IR investigation
DFSP # 141 – Logon Triage
- Sandfly Security shared Craig Rowland’s presentation from Christchurch HackerCon 2018 titled “Insider’s History of Intrusion Detection”
Christchurch HackerCon 2018 Presentation – Insider’s History of Intrusion Detection Technology
- I released my monthly podcast for October!
This Month In 4n6 – October – 2018
- There were a couple of presentations shared on the Virus Bulletin blog from VB2018
MALWARE
- Dario Durando at Fortinet demonstrates “how to unpack [Android] malware deployed by today’s most common dropper using only open-source free tools.”
How-to Guide: Defeating an Android Packer with FRIDA
- Jay Rosenberg at Intezer examines CasperPhpTrojan which is believed to be the origin of the malware used by the Lazarus group
Paleontology: The Unknown Origins of Lazarus Malware
- There’s a post on the Kryptos Logic blog providing a “Brief Overview of Emotet’s Email Harvesting Module”
Emotet Awakens With New Campaign of Mass Email Exfiltration
- Thomas Reed at Malwarebytes Labs examines the Mac CoinTicker app, which downloads and installs the EvilOSX and EggShell backdoors in the background.
Mac cryptocurrency ticker app installs backdoors
- Marc Rivero Lopez and John Fokker at McAfee Labs provide an overview of the Kraken ransomware, being distributed by the Fallout EK
Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens demonstrates how to detect compressed RTF within an MSG
  Detecting Compressed RTF, (Sun, Oct 28th)
  - Didier uses ViperMonkey to examine a maldoc containing “an obfuscated PowerShell script”
  Maldoc Duplicating PowerShell Prior to Use, (Mon, Oct 29th)
  - Brad Duncan “reviews noteworthy changes in recent malicious spam (malspam) pushing Hancitor.”
  Campaign evolution: Hancitor malspam starts pushing Ursnif this week, (Tue, Oct 30th)
  - Brad also “reviews an example of malicious spam (malspam) using password-protected Word documents to distribute Nymaim on Tuesday 2018-10-30.”
  More malspam using password-protected Word docs, (Wed, Oct 31st)
  - Didier also examines a maldoc that didn’t “exhibit malicious behavior in a sandbox” due to a bug in the code.
  TriJklcj2HIUCheDES decryption failed?, (Fri, Nov 2nd)
  - Lastly, Didier examines a malicious RTF file containing CVE-2017-11882 exploits.
  Dissecting a CVE-2017-11882 Exploit, (Sat, Nov 3rd)
- Vitor Ventura at Cisco’s Talos blog examines the “GPlayed Banking” Android trojan.
GPlayed younger brother is a banker and targets Russian banks
- There were a couple of posts on the TrendLabs blog this week
  - Miguel Ang and Donald Castillo provide an overview of various file types that are being identified in malspam
  Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
  - Noel Anthony Llimos and Carl Maverick Pascual examine Trickbot’s “password grabber module (pwgrab32) that steals access from several applications and browsers”
  Trickbot Shows Off New Trick: Password Grabber Module
- Vitali Kremez analyses “one of the latest ZeusVM variants with the special attention to its main client module and its keylogger component.”
Let’s Learn: Exploring ZeusVM Banking Malware Hooking Engine
MISCELLANEOUS
- Dennis Ozment from 4theONE has a guest post on the AccessData blog asking for volunteers to assist in 4theONE’s effort in locating missing children.
Leveraging the Power of Digital Forensics to Rescue Missing Children
- Craig Ball at ‘Ball in your Court’ has a post about requesting metadata when a file is provided during litigation. Before reading the article, one should understand that Craig refers to file metadata as application metadata, and to file system metadata as system metadata. Otherwise, what he’s saying is right on point: if someone is providing a file to you, you should ensure that the metadata is preserved as best as possible so that it can be adequately examined (i.e. exported to the same filesystem, and a report generated with the associated file system metadata if possible).
Mad about Metadata
- Brett Shavers posted a few times across a couple of his sites this week
  - He shared details of the Patreon for DFIR.Training and what additional benefits throwing support provides. I’ve mentioned a few times that if you value the project it’s worth keeping it on the air, but Brett has gone above and beyond in what is provided in return.
  What is this thing called “Patreon?”
  - As well as a shout out to the various contributors that help push the field forward
  When I started in forensics, I had to walk 5 miles in the snow just to image a computer using a floppy…and Safeback (and other old DFIR tales).
  - Brett has also started an initiative to pass some DFIR books on. By signing into the social side of DFIR.Training you go in the running to win a book, and the only ask is that, if you read it, you hopefully pay it forward by passing it on to another with some highlighted passages.
  FREE #DFIR BOOKS!
  - The first giveaway is a couple of copies of Harlan’s recent “Investigating Windows Systems”, as well as two of his own. Brett also reiterates that the idea is to highlight a section or add in your own comments and pass it on to someone else to enjoy. You’re welcome to keep the book, but that would run counter to the sharing aspect.
  Tonight, I’m giving away a copy of Harlan Carvey’s book, Investigating Windows Systems.
- There were a couple of posts on Cyber Forensicator this week
  - They shared a tool by Manish Bhatt for memory acquisition on FreeBSD
  Acquire Volatile Memory from FreeBSD with FreeBmAM
  - They also advised that the second edition of “Learning Android Forensics … by Oleg Skulkin, Donnie Tindall, and Rohit Tamma is expected to be published in January 2019.”
  Learning Android Forensics – Second Edition
- Mike Cary at ‘DFIR on the Mountain’ demonstrates how to install Volatility on Windows. Unfortunately, this requires Python2 installed and because the Python devs hate us* that can be problematic. If you’re like me and are trying to make the switch to Python3, then I find a combo of Win10’s WSL with Python2 or SIFT, and the compiled Volatility exe in the Magnet Axiom Program Files directory, does the trick.
*I don’t know if they hate us, but it feels like it sometimes.
Installing Volatility on Windows
- DME Forensics have a post describing the new Aspect Ratio button in DVR Examiner 2.5
Feature Focus: DVR Examiner 2.5 Aspect Ratio
- Oleg Afonin at Elcomsoft describes iOS DFU and recovery mode and what they can be used for.
Everything about iOS DFU and Recovery Modes
- Scar at Forensic Focus reviewed the previous version of Magnet Axiom (v2.5).
Review Of AXIOM 2.5 From Magnet Forensics
- Griffeye have posted a few articles about the recent partnership between Griffeye and BlueBear
- Adam at Hexacorn posted a couple times this week
  - He recaps his 10 years in the security industry, and advises that to succeed in this industry, and abate the imposter syndrome, one must never sit back and think they know everything because that’s not possible.
  10 years of IT SEC everything and nothing
  - Adam also updated his 3R script/page which lists RegRipper plugins and the keys they parse
  Updated 3R (RegRipper Ripper)
- Jerry Gamblin has obtained a new Google Home Hub and started playing around with the undocumented API. It appears from Jerry’s testing that the interaction that I exploited to obtain data from my Google Home/Mini/Chromecast still appears in the latest iteration of Google’s Home products. I’m not sure if it’s that bad a vulnerability per se: yes, the interaction isn’t authenticated (via API or app), but there’s not that much more information available from the API than you can get from the app.
Google Home (in)Security
- Magnet Forensics has released a new white paper on root cause analysis investigations.
White Paper: Successful Root Cause Analysis Investigations
- Mark McKinnon has released a new “Timesketch Autopsy plugin [that] will pull all date related events from files or artifacts and create a json_line file and upload it to Timesketch”
Timesketch with Autopsy Data
- Passware share details on how to utilise their encryption analyser tool.
5 Tips for Discovering and Analyzing Encrypted Electronic Evidence
- Sebastian Bicchi at Secjuice walks through building a hash cracking rig.
How To Build A Hash Cracking Rig
- Howard Oakley at ‘The Eclectic Light Company’ advised that his “paper providing the first full description of the macOS unified log has just been published in eForensics Magazine.”
eForensics Magazine publishes first full description of macOS unified log
- There were a few posts by the students at Champlain College this week
  - The Encase tool evaluation team introduced their project evaluating Encase 8
  Encase Tool Evaluation
  - Similarly, the Autopsy team introduced their project.
  Tool Evaluation: Autopsy Blog
  - One of the new students at LCDI, Madi, introduced herself
  LCDI Intern Blog Series: Meet Madi!
  - The Application Analysis team introduced their project, examining the artefacts and network traffic on a number of Android mobile tracking & monitoring apps: “mSpy, FlexiSpy, Mobistealth, and Highster Mobile”
  Application Analysis
SOFTWARE UPDATES
- Arsenal released updates to HiveRecon (v1.0.0.50 Alpha) and HbinRecon (v1.0.0.36)
Check out @ArsenalRecon’s Tweet
- Brian Gerdon at Arsenal has released a Python script to parse the files created by Microsoft Office related to the Backstage feature.
Backstage Parser
- Winpmem was updated to v3.1 RC6 this week to fix a bug relating to writing to a file if the output file’s extension is not AFF4.
Bugfix release for winpmem
- Didier Stevens updated his format-bytes Python script to v0.0.6
Update: format-bytes.py Version 0.0.6
- Eric Zimmerman updated a few of his tools this week; WxtECmd (v0.3.1.0), Amcache Parser (v1.2.0.3), and MFTECmd (v0.3.2.0)
- Teru Yamazaki at Forensicist shared the latest version of bulk_extractor-rec 02, which includes “a scanner plugin for Bulk Extractor ‘s record carving”
Bulk Extractor with Record Carving
- GetData released Forensic Explorer v4.4.8.7888 with a number of improvements and bug fixes
29 Oct 2018 – v4.4.8.7888
- Griffeye Analyze 18.3 was released, integrating BlueBear’s LACE carver, as well as some other improvements
Release of Analyze 18.3 – Carve to success
- Hashcat v5.0.0 has been released, adding a number of new algorithms, improvements, and bug fixes
hashcat v5.0.0
- Matthew May has released the “Carbon Black Tool Kit (CBTK) [for] doing IR stuff with the Carbon Black API”
cbtk
- Metaspike released a minor update to Forensic Email Collector v3.4.6.2
v3.4.6.2 – Released on 10/28/2018
- “A new version of MISP (2.4.97) has been released with new features such as related tags, the sighting restSearch API, a new French localisation along with many improvements to the API and the import/export capabilities, such as improved support for DHS AIS STIX 1 files.”
MISP 2.4.97 released (aka so many new features)
- MobilEdit released Forensic Express 5.6.3 with some new features and bug fixes
Forensic Express 5.6.3 Released!
- MSAB released XRY 7.9.1, plus Kiosk and Tablet 7.9.1, adding support for a number of new devices and app versions.
Now released: XRY 7.9.1, plus Kiosk and Tablet 7.9.1
- Paraben released E3 2.0 Bronze Edition with a number of updates
E3 2.0 Bronze Edition is now available!
- X-Ways Forensics 19.8 Preview 4 was released with some minor updates
X-Ways Forensics 19.8 Preview 4
And that’s all for Week 44! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!