FORENSIC ANALYSIS
- Ashley Hernandez at Blackbag Technologies shares a number of useful tips for collecting data from Macs with T2 chips (although there are also tips for general Mac acquisition worth noting as well – particularly surrounding mounting dirty APFS volumes and accidentally clearing fsevents). It also appears that live data collection will require additional modification to the OS from Mojave onwards.
  - The Answer To Apple’s T2 Chip? Macquisition Data Collection
- Marcus Thompson at Professor Bike shares a slide that he made to assist in understanding memory address translation
  - Understanding Memory Address Translation
- Mathias Fuchs at Cyberfox explains the process he went through to carve MFT FILE records from unallocated space and shares the Python script that he wrote to assist
  - Carving $MFT (MFTEntryCarver.py)
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday covers the artefacts relating to the Storport USB driver
    - Daily Blog #542: Sunday Funday 11/18/18
  - Dave also posted a number of test kitchens looking into the shimcache and amcache. Lots of findings as Dave tries to fill in the gaps in understanding of how these systems function
    - Daily Blog #543: Forensic Lunch Test Kitchen 11/19/18
    - Daily Blog #544: Forensic Lunch Test Kitchen 11/20/18
    - Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18
    - Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18
  - And lastly, off topic, but Dave shares a sous vide turkey recipe for Thanksgiving, which has given me an idea for a Christmas present, so thanks Dave!
    - Daily Blog #546: Thanksgiving post 2018
- Alexis Brignoni at ‘Initialization vectors’ extracts chat communication from the iOS Blizzard Battle.net app.
  - Finding Blizzard Battle.net messages in iOS
- Maxim Suhanov describes “an easy way to programmatically explore intermediate states of a registry hive using its transaction log files.”
  - Exploring intermediate states of a registry hive using transaction log files
- Gary at Salt Forensics explains what can be obtained using the ‘takeout’ feature of Snapchat and how to go about requesting your data.
  - (Not Quite) Snapchat Forensics
- Kevin Pagano at Stark 4n6 walks through the log database associated with the Teracopy application. If you get access to the log (~1 week retention) then you can get a lot of useful information regarding the application’s usage
- Dr. Neal Krawetz at ‘The Hacker Factor’ has shared the results of reverse engineering the AROT metadata blocks identified in pictures found on Apple iOS devices. Interestingly, a potential bug in Apple’s code when adding the AROT data may remove EXIF data. This is important to know if someone were to be accused of manually removing EXIF data in a case.
  - Apple Rot
- Over on my ThinkDFIR blog, I posted the findings of a quick test in Win10 where I identified $I files allocated in the Recycle Bin that weren’t accessible via the UI. Initial indications seem to suggest that this is for files or folders that were deleted but then restored. Yogesh Khatri did some additional testing on methods of removing files from the Recycle Bin to see which one would also remove the $I file.
  - Quick Post: Notes on the Win10 Recycle Bin
THREAT INTELLIGENCE/HUNTING
- John Strand at ‘Active Countermeasures’ walks through detecting domain fronting malware using RITA and AI-Hunter
  - Detecting Domain Fronting Malware
- Zachary Burnham demonstrates how to use Winlogbeat and Sysmon to send events to an ELK stack.
  - Sending logs to ELK with Winlogbeat and Sysmon
- Chris Prall at Carbon Black shares some tips for supporting a threat hunting team
  - 6 Signs of Successful Threat Hunting
- Henry Bureau and Luke Jennings at Countercept look at the top five hacking tools according to the NCSC and share the various blog posts that Countercept have written on mitigations for these
  - Breaking down the NCSC’s top five hacking tools
- Adam at Hexacorn describes the process that Windows uses to reopen previously opened applications on restart
  - Beyond good ol’ Run key, Part 94
- Markus DeShon describes the need for threat-driven detection
  - Security through Data Fusion: Threat-Driven Detection
- John E Dunn at Sophos shares the SophosLabs 2019 Threat Report
  - Cybercriminal techniques – Sophoslabs 2019 Threat Report
- Tony Lambert at Red Canary discusses “some tactics that threat hunters can use to identify instances where adversaries use PsExec (even when it’s been renamed or cloned) and similar tools to move laterally between endpoints on your network.”
  - Threat Hunting for PsExec, Open-Source Clones, and Other Lateral Movement Tools
- Robert M. Lee and Richard Bejtlich had a philosophical discussion on threat hunting
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Xavier Mertens describes the Cortex tool, which is part of TheHive project and can be used to “analyze observables like IP addresses, emails, hashes, filenames against a huge (and growing) list of online services”
    - Querying DShield from Cortex, (Tue, Nov 20th)
  - Remco Verhoef shares details of some recent attacks against open HTTP listeners on Docker containers.
    - Moby the Shark, (Fri, Nov 23rd)
- Joe at ‘Stranded on Pylos’ shares some thoughts on the return of APT29 through a large-scale phishing campaign in mid-November.
  - CozyBear – In from the Cold?
- TinkerSec posted an interesting tweet stream about an internal pentest and how the blue team was able to catch him
  - Check out @TinkerSec’s Tweet
- Josh Graham at TSS Cyber walks through one of the challenges “from the CyberLympics that required the dissection of a packet capture that contained evidence of malicious activity.”
  - Cyberlympics 2018 — DNS covert channel
UPCOMING WEBINARS/CONFERENCES
- A couple of Magnet Forensics webinars were announced
  - Trey Amick and Bill Wiltse, the President of Child Rescue Coalition, will be hosting a webinar at 1PM on December 4th. The webinar will cover “Child Rescue Coalition’s Child Protection System (CPS) which provides proactive intelligence data that helps identify the creators and purveyors of Internet-based child pornography” and how Axiom integrates this data
    - Find More Victims, Catch More Suspects: How Creative Technology Partnerships Streamline Child Exploitation Investigations
  - Trey will also be co-hosting a webinar with NW3C on obtaining data from Instagram, Facebook, and iCloud backups
    - To the Cloud! Get the Evidence You Need to Move Cases Forward
PRESENTATIONS/PODCASTS
- Edward Preston at the ThreatVector podcast hosted Israel Perez and Wajih Yassine, where they talked “about the various stages of a cybersecurity incident and exactly what their team does to help set things right again.”
  - DirtySecurity Podcast: Meet Israel Perez and Wajih Yassine, the Real CSI Cyber Guys
- Forensic Focus shared the presentation and transcript of Captain John C. Alfred’s presentation at DFRWS USA.
  - Bombs, SWATs Anonymity And Forensics
- On this week’s Digital Forensic Survival Podcast, Michael describes the broken authentication component of the OWASP Top 10 guide.
  - DFSP # 144 – OWASP: Broken Authentication
- SANS shared Nicole Ibrahim’s talk on Event Trace Logs from the 2018 DFIR Summit.
  - Windows Forensics: Event Trace Logs – SANS DFIR Summit 2018
- Andreas Sfakianakis at ‘Tilting at Windmills’ shared his presentation from CTI-EU.
  - Let’s make CTI great (again)!
MALWARE
- Matthew Bing at Arbor Networks advised that Mirai is now targeting Linux servers using the Hadoop YARN vulnerability
  - Mirai: Not Just For IoT Anymore
- There were a couple of posts on the FireEye blog this week
  - Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr share details of recent activity suspected to be linked to APT29.
    - Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
  - Michael Bailey walks through the use of his De-DOSfuscator script against a heavily obfuscated command script
    - Cmd and Conquer: De-DOSfuscation with flare-qdb
- Adrian OGara and Ran Mosessco at Forcepoint share details of a new Thanksgiving-themed Emotet campaign
  - Thanks for Giving, Emotet!
- Artem Semenchenko at Fortinet examines some Google Docs maldocs.
  - Cookie Maker: Inside the Google Docs Malicious Network
- Russ McRee at HolisticInfoSec demonstrates using ViperMonkey for VBA maldoc deobfuscation
  - ViperMonkey: VBA maldoc deobfuscation
- Denis O’Brien at ‘Malware Analysis: The Final Frontier’ provides some deobfuscation tips when dealing with malicious RTF files.
  - Deobfuscation tips: RTF files
- Jérôme Segura at Malwarebytes Labs examines an attack by the Magecart group against the Brazilian Umbro website
  - Web skimmers compete in Umbro Brasil hack
- Michael Gillespie has uploaded a few videos analysing some ransomware
- Michael Gorelik at Morphisec presents findings on “two [FIN7] campaigns, which occurred in the first and second weeks of November”
  - FIN7 Not Finished – Morphisec Spots New Campaign
- There were a couple of posts on the Palo Alto Networks blog this week
  - Robert Falcone and Bryan Lee examine a couple of “weaponized documents that use a technique to load remote templates containing a malicious macro”
    - Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
  - Tao Yan, Xingyu Jin, Bo Qu, and Zhanglin He describe the “FindMyName campaign, the new Azorult malware, and the obfuscation techniques used.”
    - New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Guy Bruneau describes a tool written by Daniel Botterill that “has been designed to take in a PCAP capture file and report back any malicious behaviour identified.”
    - Multipurpose PCAP Analysis Tool, (Sun, Nov 18th)
  - Xavier Mertens walks through a malicious sample that stores its code on PasteBin
    - Divided Payload in Multiple Pasties, (Thu, Nov 22nd)
  - Didier Stevens has uploaded a video from his previous diary entry on “dissecting a CVE-2017-18822 Exploit”
    - Video: Dissecting a CVE-2017-18822 Exploit, (Fri, Nov 23rd)
- Tatyana Shishkova and Lev Pikman at Securelist track the evolution of the Rotexy mobile trojan.
  - The Rotexy mobile Trojan – banker and ransomware
- Secureworks also released their 2018 State of Cybercrime Report
  - Secureworks State of Cybercrime Report 2018
- There were a few posts on the TrendLabs blog this week
  - They examine a miner by the Outlaw hacking group
    - Outlaw Group Distributes Botnet for Cryptocurrency-Mining, Scanning, and Brute-Force
  - Lenart Bermejo and Joelson Soares analyse the backdoors utilised by the Lazarus group in 2018
    - Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
  - Noel Anthony Llimos and Carl Maverick Pascual examine the new psfin32 module of TrickBot, which “scans for indicators if an infected computer is connected to a network that supports POS services and machines.”
    - TrickBot’s Bigger Bag of Tricks
- Ben Humphrey at NCC Group examines Turla’s PNG Dropper, which has been observed to drop RegRunnerSvc. “The purpose of RegRunnerSvc is to extract an encrypted payload from the registry, load it into memory, and then run it.”
  - Turla PNG Dropper is back
- Vitali Kremez demonstrates examining and extracting the “FIN7 JavaScript backdoor from malicious Microsoft Office documents.”
  - In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor
- There were a few posts on the WeLiveSecurity blog this week
  - They share details of the two new Zebrocy components deployed by the Sednit operators. “These new components use an unusual way to exfiltrate gathered information by using protocols related to mail services such as SMTP and POP3.”
    - Sednit: What’s going on with Zebrocy?
  - Matthieu Faou describes “a new watering hole campaign targeting several websites in Southeast Asia” that is attributed to the OceanLotus group
    - OceanLotus: New watering hole attack in Southeast Asia
  - Ondrej Kubovič explains some recent Emotet activity
    - Black Friday special by Emotet: Filling inboxes with infected XML macros
MISCELLANEOUS
- Brett Shavers posted a few times on his blogs
  - Brett comments on there sometimes being a need for attribution in IR cases. The case mentioned was originally thought to be external, but was quickly identified as an insider threat case.
    - Don’t totally discount attribution in Incident Response work
  - He also shares his thoughts on dealing with the ransom component of ransomware
    - On ransomware, my advice is different from that other guy’s advice.
  - Brett has put out the call for advertisers on DFIR Training to help pay for the upkeep of the site. The Patreon will continue, and it looks like it’ll get you a much better deal on Brett’s training courses than buying them individually.
    - Advertising on DFIR Training? Seriously?
  - Lastly, Brett discusses the basic skills that are important to DFIR professionals and points out that many vendors aren’t necessarily responsible for covering the basics, which is why many courses assume that as prerequisite knowledge
    - Wax on. Wax off.
- There were a number of posts on Forensic Focus this week
  - Paraben Corporation have announced that they have partnered with VTO to create a “5-day Chip Off Forensics Essentials class”.
    - Paraben And VTO Labs Bring You Chip-Off Training
  - Logicube shared a short tutorial on how to use the file browser on the Forensic Falcon NEO
    - How To: Use The File Browser Feature In Logicube’s Forensic Falcon NEO
  - Scar shared her top articles of the month
    - Digital Forensics News November 2018
  - They interviewed Kim Smith, a Masters student at the University of South Wales, about her research into standardisation in digital forensics. Kim indicated that she hopes to “develop a world forum for experts to share information”, and I’m curious to see how this turns out.
    - Interview With Kim Smith, MSc Student, University Of South Wales
  - Griffeye posted some information about a site called Paliscope, which has implemented a new feature called Smart Images. This feature allows examiners to see all the metadata for images on a website in the browser.
    - EXIF Data Visible Directly In Browser With Paliscope
  - Scar shared her roundup of forum posts
    - Forensic Focus Forum Round-Up
  - As well as a review of Logicube’s WriteProtect-Portable.
    - Review: WriteProtect-Portable From Logicube
- Magnet Forensics posted a couple of times this week
  - Christa Miller interviewed Alexis Brignoni, whom readers would recognise from his almost incessant posting of mobile forensic chat app analysis. Alexis points out something that people who regularly appear on this blog have realised: that “Everybody has something to contribute” and “It doesn’t have to take hours a week, just a few minutes to share what you know so others can build on your work. Even if it is something you believe others know already, share it still. Your way of presenting that knowledge might make a world of difference to someone that has never seen it the way you do.”
    - Shared Space for DFIR Contributions: An Interview with Alexis Brignoni
  - Trey Amick advises that the customer portal has been updated to make it easier to download the deltas to upgrade Axiom to the latest version (for offline installs, rather than downloading the entire 2GB install)
    - Delta Packs Let You Download AXIOM Updates Quickly
- Network dumps from RuCTFE 2018 have been uploaded.
  - Check out @RuCTFE’s Tweet
- Howard Oakley at The Eclectic Light Company describes the security features of the new Macs with T2 chips. Howard advises that by default the Macs are shipped with encryption and full security enabled, which means no booting from external drives. This will make acquisition of these devices much harder.
  - Welcome to your new Mac: living with the T2 chip
SOFTWARE UPDATES
- AccessData’s FTK & AD Lab 7.0 were released with a number of updates
  - FTK & AD Lab 7.0 Are Released
- Bradley Schatz announced the release of a “simple C++ based AFF4 reader library”
  - Check out @blschatz’s Tweet
- Amped Software released update 12151 for DVRConv, adding the ability for systems administrators to lock down settings. They also added “further conversion support for 1 new file format and 4 new variations of already supported formats.”
  - DVRConv Update 12151: Admin lock down settings ability and more formats now supported
- Belkasoft released a new version of their Live RAM Capturer. “Belkasoft Live RAM Capturer is re-signed with a new certificate and is now compatible with all versions and editions of Windows including newest Windows 10.”
  - Belkasoft news
- Elcomsoft updated their iOS Forensic Toolkit to v4.10, adding “the ability to perform logical acquisition of iPhone Xs, Xs Max and iPhone Xr”, as well as support for using DFU and Recovery Modes to obtain some information about the connected device
  - Elcomsoft Extracts Data from Latest iPhones, Supports DFU and Recovery Modes
- Eric Zimmerman has published a new tool to parse Windows (XP to 10) recycle bin files, RBCmd.
- Eric also updated his AmcacheParser (v1.2.0.5) and AppCompatCacheParser (v1.3.0.1).
- ExifTool 11.20 (development) was released with new tags and improvements
  - ExifTool 11.20
- GetData released Forensic Explorer v4.4.8.8008 with improvements and bug fixes
  - 22 Nov 2018 – v4.4.8.8008
- AChoir v2.4 was released
  - Check out @OMENScan’s Tweet
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has released a new tool, AutoTimeliner, which seeks to generate a timeline from a provided memory dump. This looks like a great starting point for memory analysis with Volatility.
  - AutoTimeliner: automatically extract forensic timeline from memory dumps
- TC4Shell has released a plugin for 7-Zip to allow examiners to open common forensic image formats
  - 7-Zip plugins\Forensic7z
- Ulf Frisk has released MemProcFS, which allows for mounting memory dumps as a virtual file system. The project also includes a Python/C/C++ API
  - Check out @UlfFrisk’s Tweet
- X-Ways Forensics 19.8 Preview 5 was released with some minor updates
  - X-Ways Forensics 19.8 Preview 5
And that’s all for Week 47! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!