FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog shows the File ID on ReFS. Examining this ID may be useful in identifying timestomping.
ReFS and File ID
- Marcus Thompson at Professor Bike demonstrates various issues he has come up against whilst parsing MFT records.
Applying the Precision Testing Methodology to the Master File Table
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - Sandor Tokesi has picked up another win!
  Daily Blog #534: Solution Saturday 11/10/18
  - This week’s Sunday Funday continues the file system testing, this time looking at FAT32 cut/copy/pastes. Oleg Skulkin submitted the winning answer.
  Daily Blog #535: Sunday Funday 11/12/18
  - Dave discovered that his USB 3 external drive wasn’t showing up in the usual location in the Registry and dug deeper to find it in the DeviceContainers subkey.
  Daily Blog #536: USB 3.0 External Storage Drive Forensics: Changes in registry locations
  - He did some testing of Jason Hale’s USB Detective to see how it coped with the change in behaviour for larger USB devices.
  Daily Blog #537: Forensic Lunch Test Kitchen 11/14/18
  - He also walked through the process of starting his new book. It looks very interesting and appears to cover a lot of the work Dave has done over his career. At the moment that information is spread over presentations, blogs, and recordings, so having it all summarised in one place will be great.
  Daily Blog #538: Forensic Lunch Test Kitchen 11/14/18
  - Lastly, he did some testing of the Application Compatibility Cache artefacts.
  Daily Blog #540: Forensic Lunch Test Kitchen 11/16/18
  - Dave also announced that he and Matthew will be hosting another CTF and Forensic Lunch at the 2019 Magnet User Summit.
  Daily Blog #539: Forensic Lunch and CTF at Magnet User Summit 2019
- Alexis Brignoni at ‘Initialization vectors’ examines the iOS TikTok app.
Finding TikTok messages in iOS
- Maxim Suhanov walks through recovering deleted data from the Windows registry and advises that some tools do not work as well as others.
Tools that recover deleted registry data don’t do the same job
- SalvationData describe using ADB to extract a backup of an Android device.
[Case Study] Mobile Forensics: ADB Backup and Its Use in Digital Forensics
- SANS have a post with links to various malware reversing resources.
“Shortcuts for Understanding Malicious Scripts”
THREAT INTELLIGENCE/HUNTING
- Barnaby Skeggs at B2DFIR demonstrates “how to perform various incident response techniques using native Windows PowerShell functionality.”
Windows PowerShell Remoting: Host Based Investigation and Containment Techniques
- Matt Hillman at Countercept explores “remote service creation as a lateral movement technique, and illustrate[s] how we might spot it on an endpoint.”
Endpoint Detection of Remote Service Creation and PsExec
- Sergei Frankoff and Bex Hartley at CrowdStrike share details of attacks by the Indrik Spider group utilising the BitPaymer ransomware.
Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
- Oriel Zabar at Cyberbit demonstrates a method of detecting reverse shells in network traffic with machine learning, which the author reports as having very high accuracy.
Detecting Reverse Shell with Machine Learning
- The Cylance Research and Intelligence team produced a report on the “likely state-sponsored threat actor called The White Company”.
The White Company: Inside the Operation Shaheen Espionage Campaign
- Erik Hjelmvik at Netresec describes his PacketCache utility and how to retrieve the resulting pcap file from a remote host using PowerShell.
Remote Packet Dumps from PacketCache
- Sandfly Security have shared the “command line compromise detection for Linux cheat sheet and presentation given at Purplecon 2018”.
Command Line Compromise Detection for Linux Cheat Sheet
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes application shimming and shares some tools for examining shim databases.
Process Injection and Persistence using Application Shimming
- StillzTech has started a series on utilising AWS in an IR engagement and walks through creating and interacting with an S3 bucket.
Leveraging AWS for Incident Response: Part 1
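The remote service creation that Countercept describes leaves a System log Event ID 7045 (“A service was installed in the system”) on the target host. The following is an added example, not code from the Countercept post or from any tool it mentions: a small Python scorer over the fields of such records. The sample records are constructed, and the indicator weights, the threshold and the random-name heuristic are this example’s own assumptions.

```python
"""Triage Windows 'service installed' events for PsExec-style remote execution.

Added example, not code from the Countercept post. It scores the fields of
System log Event ID 7045 records (service name, image path, start type), the
host-side trace that the post discusses. The sample records are constructed;
the indicator weights and the random-name heuristic are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceInstall:
    """Subset of the EventData fields of a System log Event ID 7045 record."""
    host: str
    service_name: str
    image_path: str
    account: str       # account that installed the service
    start_type: str    # "demand start", "auto start", ...


# PsExec copies its service binary into ADMIN$, which maps to %SystemRoot%\ itself.
ROOT_BINARY = re.compile(
    r"^(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.I)
# Service image that is a command shell writing its output to a loopback admin
# share, the pattern left by smbexec-style tooling.
SHELL_TO_ADMIN_SHARE = re.compile(
    r"(?:%COMSPEC%|cmd\.exe).*\\\\127\.0\.0\.1\\(?:ADMIN|C)\$", re.I)
# Service binary loaded straight off a network share.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def looks_random(name: str) -> bool:
    """Heuristic: short alphanumeric name whose letters flip case repeatedly."""
    if not (6 <= len(name) <= 8 and name.isalnum()):
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def score_event(ev: ServiceInstall):
    """Return (score, [indicator names]) for one 7045 record."""
    hits = []
    if ev.service_name.upper() == "PSEXESVC":
        hits.append(("psexec_default_service_name", 5))
    if ROOT_BINARY.match(ev.image_path):
        hits.append(("binary_in_windows_root", 2))
        if ev.start_type.lower() == "demand start":
            hits.append(("demand_start_root_binary", 1))
    if SHELL_TO_ADMIN_SHARE.search(ev.image_path):
        hits.append(("shell_output_to_loopback_admin_share", 4))
    if UNC_PATH.match(ev.image_path):
        hits.append(("unc_image_path", 3))
    if looks_random(ev.service_name):
        hits.append(("random_looking_service_name", 2))
    return sum(w for _, w in hits), [n for n, _ in hits]


def triage(events, threshold: int = 3):
    """Events scoring at or above threshold, highest score first."""
    flagged = []
    for ev in events:
        score, indicators = score_event(ev)
        if score >= threshold:
            flagged.append({"host": ev.host, "service": ev.service_name,
                            "account": ev.account, "score": score,
                            "indicators": indicators})
    return sorted(flagged, key=lambda h: -h["score"])


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ServiceInstall("ws01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe",
                   r"CORP\jdoe", "demand start"),
    # constructed as a PsExec service renamed with the -r option
    ServiceInstall("ws02", "svchelper", r"C:\Windows\svchelper.exe",
                   r"CORP\svc_backup", "demand start"),
    ServiceInstall("ws03", "Ki8dSd1",
                   r"%COMSPEC% /C echo whoami > \\127.0.0.1\ADMIN$\__1542123456.12 2>&1",
                   r"CORP\jdoe", "demand start"),
    # legitimate agent installed to the same location as a PsExec drop
    ServiceInstall("ws04", "Sysmon64", r"C:\Windows\Sysmon64.exe",
                   "LocalSystem", "auto start"),
    ServiceInstall("ws05", "wuauserv-helper", r"\\fileshare\tools\agent.exe",
                   r"CORP\admin", "demand start"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["host"]:5} {hit["score"]:2} {hit["service"]:16} {", ".join(hit["indicators"])}')
```

Run as a script it prints the four flagged hosts. The Sysmon64 record shows why one indicator is not enough: a legitimate agent dropped into %SystemRoot% trips the same location check as a PsExec copy, and the renamed PsExec service (svchelper) only just clears the threshold. In practice a 7045 of interest is correlated with the network logon and ADMIN$ share access that precede it.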
UPCOMING WEBINARS/CONFERENCES
- The CFP for the 2019 ADFSL Conference on Digital Forensics, Security and Law has opened and will close 7 January 2019. The event will take place 15-17 May 2019 in Daytona Beach, Florida, USA.
ADFSL Conference on Digital Forensics, Security and Law
- Ben Charnota at Blackbag Technologies will be hosting a webinar on examining Apple iCloud productions on Wed, Nov 28, 2018, 7:00 PM – 8:00 PM GMT.
Ask the Expert: Apple iCloud Productions
- Eric Oldenburg at Griffeye will be “hosting a webinar on how to locate and extract images and videos from any digital media device directly into the Griffeye Analyze platform”. The webinar will take place on the 29th November 2018 at 9am EST (15:00 CET).
Webinar: Best-in-class carver as part of the Griffeye Analyze platform
PRESENTATIONS/PODCASTS
- Cellebrite shared a webinar by Ed Michael on digital evidence and the opioid crisis in the States.
Opioid Crisis in America: From Digital Clues to a Murder Conviction
- Brian Carrier demonstrates the timeline feature of Cyber Triage.
Cyber Triage – Timeline Analysis
- Videos from the 2018 DEF CON Packet Hacking Village were uploaded to YouTube.
- Hasherezade posted a few videos of unpacking malware this week, as well as an overview of the dump modes in PE-sieve.
- Magnet Forensics shared a recorded webinar by Jamie McQuaid on password bypass and acquisition of mobile devices.
Recorded Webinar: An In-Depth Look at Different Password Bypass Options
- On this week’s Digital Forensic Survival Podcast, Michael describes using bulk_extractor to obtain IP addresses from a user’s internet history during triage.
DFSP # 143 – Tips from the Trenches
- Richard Davis at 13Cubed demonstrates how to extract embedded files from a malicious PDF.
Juicy PDFs
- SANS uploaded a couple of presentations this week.
- Martijn Grooten at Virus Bulletin shared a couple of presentations from VB2018
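Michael’s bulk_extractor tip, as an added example rather than the podcast’s own steps: bulk_extractor writes every hit as a tab-separated line of offset, feature and context, so a few lines of Python can turn an ip.txt (or the domain and url feature files) into a ranked list of remote addresses worth looking at. The feature-file content below is constructed, and the non-routable ranges and the version-string filter are this example’s assumptions.

```python
"""Post-process a bulk_extractor feature file into an IP-address triage summary.

Added example, not the DFSP episode's own procedure. bulk_extractor writes
each hit as one tab-separated line (offset, feature, context); this reads such
a file, drops addresses that cannot be a remote Internet host, skips dotted
quads that sit inside a version string, and counts what is left with a sample
of context per address. The feature-file content below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in bulk_extractor feature-file format.
SAMPLE_FEATURE_FILE = """\
# BULK_EXTRACTOR-Version: 1.5.5
# Feature-Recorder: ip
# Filename: triage.E01
# Feature-File-Version: 1.1
1048576\t203.0.113.10\thttp://203.0.113.10/login.php?sess=
1049100\t203.0.113.10\tGET http://203.0.113.10/panel/gate.php
2097152\t192.168.1.20\tDHCP lease 192.168.1.20 on eth0
3145728\t10.0.0.5\t\\\\10.0.0.5\\share\\docs
4194304-GZIP-512\t198.51.100.77\thttps://198.51.100.77:8443/update
5242880\t4.6.4.1\tFileVersion 4.6.4.1 ProductVersion
6291456\t127.0.0.1\tlocalhost 127.0.0.1
7340032\t203.0.113.10\t<a href="http://203.0.113.10/index.html">
"""

# Ranges that cannot be a remote host on the Internet (RFC 1918, loopback,
# link-local, multicast, shared address space, "this" network, reserved). Kept
# explicit rather than using ipaddress's is_global so that the TEST-NET
# documentation addresses used in the constructed sample survive the filter.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
VERSION_CONTEXT = re.compile(r"version", re.I)


def parse_feature_file(text):
    """Yield (offset, feature, context) tuples, skipping the '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue
        context = parts[2] if len(parts) == 3 else ""
        yield parts[0], parts[1], context


def classify(feature, context):
    """Return None if the hit is worth following up, else the reason it was dropped."""
    try:
        addr = ipaddress.ip_address(feature)
    except ValueError:
        return "not_an_address"
    if any(addr in net for net in NON_ROUTABLE):
        return "non_routable"
    if VERSION_CONTEXT.search(context):
        # dotted quads inside version resources are a classic false hit
        return "version_string"
    return None


def summarize(text, max_context=2):
    """Rank remote addresses by hit count, keeping offsets and a little context."""
    seen = defaultdict(lambda: {"count": 0, "contexts": [], "offsets": []})
    dropped = defaultdict(int)
    for offset, feature, context in parse_feature_file(text):
        reason = classify(feature, context)
        if reason:
            dropped[reason] += 1
            continue
        entry = seen[feature]
        entry["count"] += 1
        entry["offsets"].append(offset)
        if len(entry["contexts"]) < max_context:
            entry["contexts"].append(context)
    ranked = sorted(seen.items(), key=lambda kv: -kv[1]["count"])
    return ranked, dict(dropped)


if __name__ == "__main__":
    ranked, dropped = summarize(SAMPLE_FEATURE_FILE)
    for ip, info in ranked:
        print(f'{ip:16} {info["count"]:3}  e.g. {info["contexts"][0]}')
    print("dropped:", dropped)
```

The offsets are kept on purpose: a “-GZIP-512” style offset tells you the hit came from inside a compressed stream, and the plain offsets let you go back to the image and confirm what the address sat in before it goes on a blocklist or into a report.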
MALWARE
- Check Point Research share details of new samples of Olympic Destroyer and compare them to previous iterations of the malware.
New Strain of Olympic Destroyer Droppers
- Robert Michel at Cyber WTF examines a sample of GandCrab v4.3.
Dissecting GandCrab Version 4.3
- There was a post on Execute Malware demonstrating how to extract URLs from an Emotet payload.
A Method To Extract Emotet Payload URLs
- There were a few posts on the Fortinet blog
  - David Maciejak and Kenny Yongjian Yang examine a new variant of the Dharma ransomware.
  Dharma Ransomware: What It’s Teaching Us
  - Yueh-Ting Chen analyses “the new “working” version of the Kraken Cryptor Ransomware”.
  Analyzing the New non-Beta Version of the Kraken Cryptor Ransomware
  - Xiaopeng Zhang examines a phishing attempt distributing a Loki variant.
  New Loki Variant Being Spread By Phishing Email
- Adam at Hexacorn shows how to analyse a Word document using VBA/VBS.
Analyzing Word Documents via VBA/VBS
- Ignacio Sanmillan at Intezer examines a variant of “the Muhstik botnet” which includes a phpMyAdmin scanner.
Muhstik Botnet Reloaded: New Variants Targeting phpMyAdmin Servers
- Shusei Tomonaga at JPCERT examines a new variant of the TSCookie malware.
Bug in Malware “TSCookie” – Fails to Read Configuration –
- Hasherezade at Malwarebytes Labs shares details of “the updated obfuscation used by TrickBot’s main module.”
What’s new in TrickBot? Deobfuscating elements
- Marco Ramilli examines a malicious PowerPoint document used to drop the AZORult malware.
Microsoft Powerpoint as Malware Dropper
- Kapil Khade and Xiaobing Lin at McAfee Labs examine the new WebCobra malware, which is being used to mine cryptocurrencies.
WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency
- Robert Falcone and Kyle Wilhoit at Palo Alto Networks look into OilRig’s operations over a period of time and observe how the group updated its tools.
Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Brad Duncan shows what part of his workday looks like as he tracks down “a campaign using malicious spam (malspam) to distribute Trickbot malware”.
  Day in the life of a researcher: Finding a wave of Trickbot malspam, (Wed, Nov 14th)
  - Brad also examines some Emotet malspam.
  Emotet infection with IcedID banking Trojan, (Thu, Nov 15th)
  - Xavier Mertens describes a simple obfuscation technique in which the function to be called is held in a variable and the variable is called instead.
  Basic Obfuscation With Permissive Languages, (Fri, Nov 16th)
- Bryant Smith at TrustWave SpiderLabs demonstrates decoding a malicious payload using Suricata’s Lua scripting engine.
Decoding Hancitor Malware with Suricata and Lua
- The Symantec Security Response Attack Investigation Team describe the FASTCash malware used by the Lazarus group to steal money from ATMs.
FASTCash: How the Lazarus Group is Withdrawing Tens of Millions of Dollars from ATMs
- There were a few posts on TrendLabs this week
  - Michael Villanueva and Toshiyuki Iwata examine malware that abuses “the online video feature in Microsoft Office to deliver” Ursnif.
  Hide and Script: Inserted Malicious URLs within Office Documents’ Embedded Videos
  - Joy Nathalie Avelino, Jessica Patricia Balaquit, and Carmi Anne Loren Mora look into network flow clustering related to Gh0st RAT variants.
  Using Machine Learning to Cluster Malicious Network Flows From Gh0st RAT Variants
  - Researchers also shared details of recent Emotet activity.
  Exploring Emotet: Examining Emotet’s Activities, Infrastructure
- Rohan Viegas at VMRay “discusses the fundamental techniques GandCrab uses to encrypt user’s files and basic detection methods that can provide the first line of defense against attacks.”
SANS Webcast Recap: Dissecting GandCrab Ransomware
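Xavier’s technique, as an added example that is not taken from his diary: in a permissive language the function name can live in a variable and the variable can be called, which defeats a grep for the dangerous function. Python is such a language, so the constructed sample below hides os.system behind string concatenation, getattr() and a plain alias, and a two-pass AST rewrite resolves what each call really is. The sample and the aliasing rules are this example’s assumptions; it tracks straight-line code only.

```python
"""Statically undo "put the function in a variable, call the variable" obfuscation.

Added example, not code from Xavier Mertens' diary. Python is itself one of
the permissive languages where this works, so the constructed sample below
hides os.system behind string concatenation, getattr() and a plain alias.
Pass one folds adjacent string literals and turns getattr(x, "lit") back into
x.lit; pass two substitutes aliases at the call site so the real call shows.
Straight-line code only: later reassignment of an alias is not tracked.
"""
import ast

# Constructed sample.
OBFUSCATED = '''m = __import__("o" + "s")
f = getattr(m, "sy" + "st" + "em")
f("whoami")
g = eval
g("print(1)")
'''


class Folder(ast.NodeTransformer):
    """Fold 'a' + 'b' and getattr(obj, 'name'); remember what each plain alias holds."""

    def __init__(self):
        self.aliases = {}

    def visit_BinOp(self, node):
        self.generic_visit(node)
        if (isinstance(node.op, ast.Add)
                and isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant)
                and isinstance(node.left.value, str) and isinstance(node.right.value, str)):
            return ast.copy_location(ast.Constant(node.left.value + node.right.value), node)
        return node

    def visit_Call(self, node):
        self.generic_visit(node)
        if (isinstance(node.func, ast.Name) and node.func.id == "getattr"
                and len(node.args) == 2 and not node.keywords
                and isinstance(node.args[1], ast.Constant) and isinstance(node.args[1].value, str)):
            return ast.copy_location(
                ast.Attribute(value=node.args[0], attr=node.args[1].value, ctx=ast.Load()), node)
        return node

    def visit_Assign(self, node):
        self.generic_visit(node)
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            value = node.value
            is_import = (isinstance(value, ast.Call) and isinstance(value.func, ast.Name)
                         and value.func.id == "__import__")
            if isinstance(value, (ast.Name, ast.Attribute)) or is_import:
                self.aliases[node.targets[0].id] = value
        return node


def resolve(node, aliases, depth=0):
    """Follow alias chains (f -> m.system -> __import__('os').system)."""
    if depth > 32:
        return node
    if isinstance(node, ast.Name) and node.id in aliases:
        return resolve(aliases[node.id], aliases, depth + 1)
    if isinstance(node, ast.Attribute):
        return ast.Attribute(value=resolve(node.value, aliases, depth + 1),
                             attr=node.attr, ctx=ast.Load())
    return node


class AliasCallResolver(ast.NodeTransformer):
    """Replace calls made through an alias with the target the alias stands for."""

    def __init__(self, aliases):
        self.aliases = aliases
        self.findings = []

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Name) and node.func.id in self.aliases:
            target = resolve(node.func, self.aliases)
            self.findings.append({"line": node.lineno, "alias": node.func.id,
                                  "resolved": ast.unparse(target)})
            node.func = target
        return node


def deobfuscate(source):
    """Return (cleaned source, list of resolved dynamic calls)."""
    tree = ast.parse(source)
    folder = Folder()
    tree = folder.visit(tree)
    resolver = AliasCallResolver(folder.aliases)
    tree = resolver.visit(tree)
    return ast.unparse(ast.fix_missing_locations(tree)), resolver.findings


if __name__ == "__main__":
    cleaned, findings = deobfuscate(OBFUSCATED)
    print(cleaned)
    for hit in findings:
        print(f'line {hit["line"]}: {hit["alias"]}(...) is really {hit["resolved"]}(...)')
```

The same idea carries to the languages Xavier had in mind: parse rather than grep, constant-fold the string building, and only then look at what is being called. Anything the folder cannot resolve statically (a name built from a decoded string, or from runtime input) is itself a finding worth looking at.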
MISCELLANEOUS
- Yulia Samoteykina at Atola walks through the process of cloning a drive to five targets using the TaskForce. The title of the post does say imaging; however, it will only create a forensic image to network storage.
Imaging an evidence drive to 5 targets
- Brett Shavers at DFIR.Training gave an update on his DFIR book sharing challenge. I really like the idea of the map; hopefully, some of the books have a long journey ahead of them.
“If you don’t have time to read, you don’t have the time (or the tools) to write. Simple as that.” – Stephen King
- Rebecca Martineau at DME Forensics describes the various filtering options in DVR Examiner.
Feature Focus: Filter Options in DVR Examiner
- Elcomsoft wrote a few posts this week
  - Oleg Afonin describes how to perform a manual Google Drive backup using ADB.
  Google Enables Manual Google Drive Backups on Android Devices
  - Vladimir Katalov comments on iMessage security and the conditions under which it’s possible to acquire iMessage contents from iCloud.
  iMessage Security, Encryption and Attachments
  - Oleg expands on this by demonstrating the acquisition process.
  Messages in iCloud: How to Extract Full Content Including Media Files, Locations and Documents
- Teru Yamazaki at Forensicist has updated the (Japanese) WinFE Win10 version install instructions.
WinFE based on WinPE for Windows 10
- Magnet Forensics announced the CFP for their 2019 User Summit. They intentionally note that you don’t need to tie your talk back to Magnet products, as they are trying to build a community event rather than just a Magnet event (I’m getting the CEIC vibe since Enfuse has moved away/disappeared). The CFP closes November 30th.
Submit to the Magnet User Summit Call for Papers (CFP)
- Polito have released “ReversingLab extensions for X-Ways.”
Enhancing Digital Forensics with ReversingLabs Plugins: Now for X-Ways!
- Pasquale Stirparo at the SANS Internet Storm Centre describes a variety of ways to contribute to the software side of the field.
Community contribution: joining forces or multiply solutions?, (Sun, Nov 11th)
- The students at Champlain College posted updates on their projects.
- Michael Hale Ligh at Volatility Labs announced the winners of the 2018 plugin and analysis contests.
Results from the 2018 Volatility Contests are in!
SOFTWARE UPDATES
- ADF Solutions released “versions 1.4 for Digital Evidence InvestigatorⓇ, and versions 4.4 for Triage-InvestigatorⓇ, and Triage-G2Ⓡ software.” The update brings a variety of features, including APFS support and parsing of macOS Mojave log files.
It Just Got Easier to Collect and Analyze Digital Evidence on Apple Macs and PCs
- Autopsy 4.9.1 and TSK 4.6.4 were released.
- Didier Stevens updated his cut-bytes Python script to v0.0.8.
Update: cut-bytes.py Version 0.0.8
- Elcomsoft updated their Phone Breaker tool to v8.40 to add “iCloud Messages extraction [and] … the ability to remotely access non-text content such as attached media, documents and other data stored in Apple iCloud”. “Elcomsoft Phone Viewer received an update to support the new data categories.”
Elcomsoft Decrypts Non-Text Content of iCloud Messages, Accesses Attached Photos, Media and Other Files
- ExifTool 11.19 (development release) was released with new tags and features.
ExifTool 11.19
- Nhan Huynh at FireEye announced an update to FLARE VM and has a post describing the installation process, as well as the new improvements.
FLARE VM Update
- Florian Roth has released a new tool, dfirtrack. “DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application … focused on handling one major incident with a lot of affected systems as it is often observed in APT cases”.
dfirtrack
- Magnet Forensics released AXIOM v2.7 incorporating “acquisition, analysis, and reporting improvements, as well as improvements to GrayKey analysis, Magnet.AI and AXIOM Cloud.”
Get Improved GrayKey Evidence and Windows 10 Mail Support in Magnet AXIOM 2.7
- Quix0te at Musectech has released a new tool, AChReport, which can be used to triage a system and produce a report with a short summary of the artefacts presented.
AChReport v0.8 Released
- Passmark released OSForensics v6.1 build 1004 to fix some bugs.
V6.1 build 1004 13th Nov 2018
- Oxygen Forensic Detective v11.0.1 was released, but I didn’t locate any publicly available release notes.
- Timesketch 20181116 was released.
20181116: Restore ability to specify other delimiter character in csv imports. …
And that’s all for Week 46! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes
As always, thanks to those who give a little back for their support!