FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at the USN Journal on ReFS. The journal can be queried, but FTK Imager doesn’t seem to parse the file system, and he was unsuccessful in carving for USN records.
Refs and USN Journal
Further research indicated that USN_RECORD_V3 is used on ReFS.
Refs and USN Journal(2)
- Marcus Thompson at Professor Bike describes the method that he uses to compare the output of various INDX parsers.
Tool Output Precision Testing for Fixed-Size Artifacts
- Alexis Brignoni at ‘Initialization vectors’ examines the Android TikTok app.
Finding TikTok messages in Android
- Chapin Bryce at Pythonic Forensics describes fuzzy hashing and context triggered piecewise hashing (CTPH) for performing similarity analysis of files.
Fuzzy Hashing and CTPH
- SalvationData have posted a case study on how to use their DRS (Data Recovery System) to extract files from a drive with bad sectors using their pattern scan technology.
[Case Study] Computer Forensics: Quick File Extraction from Bad Sector Drives – Explore SalvationDATA’s Pattern Scan Technology
- Yogesh Khatri at Swift Forensics has looked into the dot-underscore files that macOS uses to store extended attributes on non-Apple file systems. If someone was able to write a Python script to parse these that would be very useful.
The ._ (dot-underscore) file format
THREAT INTELLIGENCE/HUNTING
- Volexity Threat Research has a post describing a recent attack exploiting CVE-2018-15961.
Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)
- Jaron Bradley and Karl Scheuerman at CrowdStrike share details of a recent attack against a corporate Mac network.
OverWatch Insights: Reviewing a New Intrusion Targeting Mac Systems
- Koen Van Impe at ‘Security Intelligence’ describes how to use passive DNS for incident response, and provides guidance on using commercial or open source solutions to collect and query the data.
How to Use Passive DNS to Inform Your Incident Response
- Brian Laskowski at Laskowski-Tech walks through the use of Blazescan for webserver malware investigations.
Webserver Malware Investigations – Blazescan Tutorial
- Russell McDonald at Microsoft Azure describes how Azure Security Center (ASC) was used to investigate some recent attacks against a honeypot.
Leverage Azure Security Center to detect when compromised Linux machines attack
- Kyle Rainey at Red Canary advises on various pitfalls one may fall into when implementing MITRE’s ATT&CK framework in a security program, and strategies to overcome them.
ATT&CK™ Is Only as Good as Its Implementation: Avoiding Five Common Pitfalls
- Pasquale Stirparo has a post on the SANS Internet Storm Centre describing various methods of task scheduling on macOS.
Beyond good ol’ LaunchAgent – part 1, (Sun, Nov 4th)
- Xavier Mertens at the SANS Internet Storm Centre examines a malicious PowerShell script.
Malicious Powershell Script Dissection, (Tue, Nov 6th)
UPCOMING WEBINARS/CONFERENCES
- The CFP for BSides Columbus is open. The event will take place at the Columbus Police Academy on March 1, 2019.
Check out @BSidesColumbus’s Tweet
- Theo Papadopoulos and Alex Campbell at Stroz Friedberg will be hosting a webinar looking at the responder’s view of the attack performed in the previous webinar. The webinar will take place on November 20, 2018, at 11:00 EST/16:00 GMT.
A Cyber Breach: Perspectives from an attacker and responder (Two Part Webinar)
- Evan Luck at ‘The PhishLabs Blog’ will be hosting a webinar on phishing IR on November 15 at 2 PM ET.
Learn About Phishing Incident Response on Nov 15
PRESENTATIONS/PODCASTS
- Twitter user @Morpheus______ shared a presentation on the APFS file system.
Check out @Morpheus______’s Tweet
- Didier Stevens demonstrates how to examine a PowerPoint file using oledump.
oledump: plugin_ppt
- Forensic Focus uploaded a couple of webinars and their transcripts.
- Sarah Edwards at Mac4n6 shared her presentation from the recent Objective By The Sea conference introducing her new Apollo framework. The tool seeks to assist in automatically processing the various SQLite databases found on iOS. I like the idea of the platform as it opens up the ability for investigators to process iOS file system dumps without having to rely on paid tools, and also allows them to add new plugins and build out the support for the entire community.
Slides and Script! From Apple Seeds to Apple Pie & Introducing APOLLO: The Apple Pattern of Life Lazy Output’er
- Karsten Hahn at Malware Analysis For Hedgehogs shares his thoughts on why the perfect antivirus doesn’t exist.
Why There Is No Perfect Antivirus Scanner
- OALabs continue to “reverse engineer the IcedID custom malware injection component using IDA Pro, x64dbg, and some Python (API Scout).”
Reverse Engineering IcedID / Bokbot Malware Part 2
- On this week’s Digital Forensic Survival Podcast, Michael talks about Cron, the time-based job scheduler on Unix systems.
DFSP # 142 – CRON 101
- SANS have uploaded Devon Ackerman’s presentation titled ‘A Planned Methodology for Forensically Sound IR in Office 365’ from the 2018 DFIR Summit.
A Planned Methodology for Forensically Sound IR in Office 365 – SANS DFIR Summit 2018
- Didier Stevens shared a video on the SANS Internet Storm Center showing the Base64/XOR recipe in CyberChef.
Video: CyberChef: BASE64/XOR Recipe, (Sat, Nov 10th)
MALWARE
- Jesse Spangenberger at ‘Cyber Fēnix Tech’ comments on a “paper written by George W. Dunlap, Samuel T. King, Sukru Cina, Murtaza A. Basrai, and Peter M. Chen titled ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay.”
UMLinux and Malware Analysis
- Xiaopeng Zhang at Fortinet examines a new sample of TrickBot containing a pwgrab module.
Deep Analysis of TrickBot New Module pwgrab
- Adam at Hexacorn describes the various tools in his RE environment.
Choosing your reverse engineering poison (a very subjective post on tools!)
- Pieter Arntz at Malwarebytes Labs describes how to use Process Hacker to examine a suspicious process.
Advanced tools: Process Hacker
- Thomas Roccia at McAfee Labs describes the Triton ICS malware and shares details of the detection mechanisms identified by Nozomi Networks.
Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems
- Ahmed Shosha and Abhijeet Hatekar at the Microsoft Threat Intelligence Center examine an attack using a malicious InPage document.
Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets
- There were a couple of posts on Cisco’s Talos blog
  - Danny Adamatis, Warren Mercer, Paul Rascagneres, and Vitor Ventura provide a comprehensive overview of recent attacks against Iranian users of Instagram and Telegram.
  Persian Stalker pillages Iranian users of Instagram and Telegram
  - Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura share details on “two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions’ customers in Brazil.”
  Metamorfo Banking Trojan Keeps Its Sights on Brazil
- Bryant Smith at Trustwave SpiderLabs demonstrates how to use “Suricata’s Lua scripting engine to decode some [Hancitor] payload on the fly”.
Decoding Hancitor Malware with Suricata and Lua
- There were a couple of posts on TrendLabs this week
  - Echo Duan examines the Movil Secure fake banking app.
  Fake Banking App Found on Google Play Used in SMiShing Scheme
  - Janus Agcaoili and Gilbert Sison examine a cryptocurrency miner, detected by Trend as Coinminer.Win32.MALXMR.TIAOODAM.
  Cryptocurrency Mining Malware uses Various Evasion Techniques, Including Windows Installer, as Part of its Routine
- Nikolaos Pantazopoulos at NCC Group describes “the changes to RokRat in this latest iteration.”
RokRat Analysis
- Vitali Kremez posted a couple of “Let’s Learn” articles this week
MISCELLANEOUS
- Barnaby Skeggs at B2Dfir shares “an Excel incident management and documentation workbook”.
Free Incident Response Management and Documentation Workbook
- Craig Ball advises how to use Apple’s Takeout feature to download your data.
Cloud Takeouts: Can I Get That to Go?
- Matt at ‘Bit of Hex’ has written a list of questions that may come up in an interview for an LE DF position, as well as the points that he would want covered.
Digital Forensics Interviews: Law Enforcement Edition
- Ariel Watson at Cellebrite has a post about the overwhelming amount of digital data facing law enforcement which, not to be critical, serves as an advertisement for their Digital Intelligence Platform. I don’t usually share posts like this, but I wanted to talk about a couple of things. The first is that vendors will need to work on speeding up existing processes to get to answers faster, which they may read as implementing AI or other features to assist in review, but they should also be looking at speeding up acquisition times and reducing the amount of interaction required that may halt processing. Using an iOS acquisition in UFED PA as an example, after acquisition completes you still have to process the dump and export the report (which requires user interaction in the middle to go from acquisition to UFDR). These are all time-intensive processes, especially for larger devices, and generally if things like this can be improved it would assist LE in getting through the massive amounts of data. The other thing I wanted to mention was that any way of processing extractions with multiple tools, supported by vendors, would be greatly appreciated in helping get the most out of the data (on the speed front, by being able to do it all automatically, examiners would save time on configuration and be able to set and forget overnight). This is not to be critical of Cellebrite or other vendors; I understand that they are in a competitive industry with limited resources and features sell product. It’s just my personal perspective as someone trying to get as much useful data out of the mountain of devices as I can with the time afforded.
Law Enforcement Overwhelmed by Digital Data
- Christine McGarry has shared her thoughts on preparing for a CTF.
From Novice to Apprentice: How to Start Participating in Capture the Flag Events
- There were a few posts on the Computer Forensics World blog this week
  - Robert Merriott shared his post on ISO 17025 and asked for discussion.
  ISO 17025 for Digital Forensic Labs – Horrible Idea?
  - TwiceSafe shared a response to Brett Shavers’ previous article about vendors sharing opinions with regards to their products.
  NEVER Mention your product in a reply –> That does NOT make sense!
  - And lastly, TwiceSafe shared the “Group Chat Digital Forensics Tool [which] was designed to visually display chat conversations as they are displayed on mobile devices, in chat bubbles.”
  Cellebrite Group Chat Digital Forensics Tool
- Cyber Forensicator have advised that Andrea Fortuna is selling a copy of his FOR508 index on Amazon, titled “The Little Handbook of Windows Forensics”.
The Little Handbook of Windows Forensics
- Brian Carrier and Chris Ray at Cyber Triage describe the technique that they use to push their collection agent to a host without leaving admin credentials on the endpoint. As a side note, Chad Tilbury did a great presentation at the SANS DFIR Summit 2017 on credentials and how the keys to the kingdom may accidentally end up on an endpoint.
Robust Use of PsExec That Doesn’t Reveal Password Hashes
- There were a couple of posts on Forensic Focus this week
  - There’s a post about the “new Image Analysis Add-On” for E3, which automatically categorises images for examiners.
  Paraben Introduces New Enhanced Image Scanning In E3 Platform
  - As well as a tutorial by Logicube on the Forensic Falcon NEO.
  How To: Create A Logical Image On Falcon NEO
- Griffeye shared an article from Police Tech Pioneers “that looks at how new technology startups are set to transform policing was released”.
New report lists most promising police tech companies
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday covers cutting and pasting across NTFS volumes. I submitted an answer again this week, and it can be found here. I didn’t find anything unsurprising really, outside of the rounding in FTK Imager being slightly different to AnalyzeMFT/MFTECmd.
  Daily Blog #528: Sunday Funday 11/4/18
  - He comments on the general misinterpretation of the timestamp in the Shimcache.
  Daily Blog #529: Human Bias and Shimcache
  - Dave advises that he is teaching FOR500 at the SANS CTI Summit in January 2019.
  Daily Blog #530: Teaching SANS Windows Forensics in the USA
  - Dave is writing a new book, and pushing chapters out as they are done. This looks like a really interesting idea and I look forward to seeing it in action.
  Daily Blog #531: DFIR In Depth: Windows Forensics
  - He’s also listed the reasons why he’s going the self-publishing route. Based on a few conversations with people, I’m not really sure there’s a good enough incentive any more to go with a publisher. Since we’re in a niche industry, word of mouth and the author’s profile will probably be enough to sell the book. The book may not end up in stores, but Amazon’s made sure that isn’t so much of a problem. On the positive side, the author has more control, makes more money, and can update/release new editions as they see fit.
  Daily Blog #532: Why self publish?
  - And shares the initial outline of the new book.
  Daily Blog #533: Windows Forensics DFIR InDepth proposed outline
- MediaClone have released a new Supercopier Desktop 8 Nvme Ports Drive Duplicator and SuperImager Plus 8″ NVMe + SATA Forensic Field unit
- MobilEdit have uploaded a database of all of the apps that they support, per platform, and the type of data obtained
Database of supported apps now online!
SOFTWARE UPDATES
- Amped FIVE Update 12076 was released with a number of new features, and Amped have written an article on the new filters.
Amped FIVE Update 12076: Automatic Perspective Stabilization for License Plates and much more!
- CAINE 10.0 “Infinity” 64bit has been released.
CAINE 10.0 “Infinity” 64bit is out
- UFED Physical Analyzer 7.11 was released, adding the ability to export hashes to Project VIC, additional iOS location information, as well as additional app support.
UFED Physical Analyzer, UFED Logical Analyzer & Cellebrite Reader v 7.11 [November 2018]
- Didier Stevens updated his hash.py Python script to v0.0.6 to add CSV output.
Update: hash.py Version 0.0.6
- DME Forensics released DVR Examiner 2.5 with a number of new updates and improvements.
DVR Examiner 2.5 Has Arrived — Download the Latest Software Update
- Eric Zimmerman updated MFTECmd to v0.3.3.0 to fix a bug.
- ExifTool 11.17 was released with new tags.
ExifTool 11.17
- GetData released Forensic Explorer v4.4.8.7926 with some updates and bug fixes.
8 Nov 2018 – v4.4.8.7926
- IDA Pro 7.2 was released.
IDA: What’s new in 7.2
- JPCERT/CC released LogonTracer v1.2.1.
v1.2.1
- Passware Kit 2018 v3 was released, adding support for a number of different password types, as well as various other improvements.
Passware Kit 2018 v3
- Skadi 2018.4.1 was released with a number of changes and updates.
Skadi 2018.4.1
- There’s a new DFIR Linux distro called Tsurugi, created by Giovanni Rattaro, Marco Giorgi, and Davide Gabrini. Graneed has provided an overview in a blog post. Giovanni Rattaro has also shared a presentation on the distro from AVTokyo 2018.
Tsurugi Linux
- Maxim Suhanov released yarp v1.0.25.
1.0.25
And that’s all for Week 45! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!