I created a thank you page for all of those that have thrown me a few dollaridoos to help run the site.
Just to recognise and say thanks to those who give a little back.
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ examines the Dropbox app for iOS
Profiling user activity in Dropbox for iOS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday explores documenting the order of creation of shims on Win10. The winner was Zach Stanford, who posted his answer here
  Daily Blog #555: Sunday Funday 12/2/18
  - Dave put out a call for volunteers for the NCCDC Red Team
  Daily Blog #556: NCCDC Red Team Call for Volunteers
  - Dave recorded a Test Kitchen looking into Syscache.hve
  Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18
  - Dave also noticed that Win10 now has multiple options for the NtfsDisableLastAccessUpdate value: where previously it was 0 or 1, it now ranges from 0 to 3. Maxim Suhanov also took a look at this, and on newer versions of Win10 it looks like we will have last-access timestamps on NTFS volumes under 128GB. This means we may need to retest our previous known knowns yet again. Hideaki Ihara also did some testing and showed that his system was set to DisableLastAccess = 2 on a 40GB drive.
  Daily Blog #557: Changes in the NtfsDisableLastAccessUpdate key
  - Dave then tested putting Win10 into the various modes
  Daily Blog #559: Forensic Lunch Test Kitchen 12/6/18
  - Eric Zimmerman joined Dave and Matthew to talk about his latest projects, including RECmd, the additional parsers now available in MFTECmd, and the new Registry Explorer plugins based on Dave’s research
  Daily Blog #560: Forensic Lunch 12/7/18
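Because the 0-3 range changes what the last-access timestamp can tell you, it is worth recording the setting on every Win10 box you image or test on. The PowerShell below is an added example (not code from Dave’s, Maxim’s or Hideaki’s posts): it runs fsutil, decodes the four values using the legend fsutil itself prints on 1803 and later, shows the raw registry value, and lists fixed NTFS volumes against the 128GB threshold mentioned above. It assumes an elevated session and that the low two bits of the registry DWORD carry the state (newer builds may set a high flag bit as well, so it is masked off; verify that against fsutil on your own build).

```powershell
# Added example: report the NtfsDisableLastAccessUpdate state on a Win10 host.
# Run from an elevated PowerShell session; fsutil needs admin to query this.
#
# Values as printed by 'fsutil behavior query disablelastaccess' (1803+):
#   0 = User managed,   last access updates enabled
#   1 = User managed,   last access updates disabled
#   2 = System managed, last access updates enabled
#   3 = System managed, last access updates disabled
# In system-managed mode Windows itself chooses between 2 and 3 based on the
# system volume size (128 GB threshold per the posts above; verify per build).

$raw = (& fsutil.exe behavior query disablelastaccess) -join "`n"
if ($raw -notmatch 'DisableLastAccess\s*=\s*(\d+)') {
    throw "Unexpected fsutil output (not elevated?):`n$raw"
}
$state = [int]$Matches[1]

$meaning = @{
    0 = 'User managed, last access updates ENABLED'
    1 = 'User managed, last access updates DISABLED'
    2 = 'System managed, last access updates ENABLED'
    3 = 'System managed, last access updates DISABLED'
}
"fsutil: DisableLastAccess = $state ($($meaning[$state]))"

# Same setting as stored in the registry. Older guidance assumed only 0 or 1
# here. Assumption: on 1803+ the low two bits carry the state above and a high
# flag bit may also be set, so mask before interpreting. Int64 avoids the
# overflow a negative DWORD causes when cast straight to UInt32.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                        -Name NtfsDisableLastAccessUpdate -ErrorAction SilentlyContinue
if ($reg) {
    $regVal = [int64]$reg.NtfsDisableLastAccessUpdate -band 0xFFFFFFFF
    "registry: NtfsDisableLastAccessUpdate = 0x{0:X8} (state bits = {1})" -f $regVal, ($regVal -band 3)
}

# Per-volume context: fixed NTFS volumes with size, flagging those under 128 GB
# where system-managed mode is expected to keep last-access updates enabled.
Get-Volume |
    Where-Object { $_.FileSystem -eq 'NTFS' -and $_.DriveType -eq 'Fixed' } |
    Select-Object DriveLetter, FileSystemLabel,
        @{ n = 'SizeGB';     e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'Under128GB'; e = { $_.Size -lt 128GB } } |
    Format-Table -AutoSize
```

Record the fsutil line alongside the image: a value of 2 on a small system volume means the last-access timestamps in $STANDARD_INFORMATION are being maintained again and can be used (with the usual one-hour update granularity caveat), while 1 or 3 means they should be treated as stale.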
- Nick at ‘By Stimson’s Postulate’ examines the “Day One Classic” iOS app
Journals and Geo and Pictures, Oh My!
- Gabriele Zambelli at ‘Forense nella Nebbia’ takes a look at the Event Trace Logs on his Win10 system and notices that the Delivery Optimization service (DoSvc) records his external IP address. This can be very useful for placing a device at a location at a given time. Gabriele has also put together a script that parses the relevant logs into IP addresses and then resolves them to a rough location using an external geolocation API
What was my IP? Ask DoSvc on Windows 10
- Sarah Edwards at Mac4n6 examines her iOS devices for the artefacts left by using AirDrop to share unsolicited files
AirDrop Analysis of the UDP (Unsolicited Dick Pic)
- Hideaki Ihara at the Port 139 blog did some testing
  - He executes some link files pointing at executables on a USB drive to see the effects on Amcache
  USB and Amcache(2)
  - Hideaki also tested deleting registry keys and found that the last write timestamp may indicate the deletion time in some circumstances
  Deleted Registry KEY and Timestamp
- Gary at Salt Forensics describes a process for acquiring evidence from AWS, as well as considerations for examining that evidence on a machine hosted in AWS. By and large, doing the examination in AWS is probably going to be the cheaper option, as extracting data from Amazon can get costly. Alternatively, you can attach the snapshot/volume to your examination instance, capture the triage data that you want, and pull only that down.
AWS for Forensics (5)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ demonstrates imaging a rooted Android device
Android Forensics: imaging android filesystem using ADB and DD
- Kevin Pagano at Stark 4n6 shares a couple of SQL queries for examining the TeraCopy logs
TeraCopy: A Forensic Analysis (Part 3)
- There were a couple of updates by the students at Champlain College
- Iria Piyo examines the effects of copying a text file with and without the ‘read-only’ flag set
ファイルコピーしたらMFT Modifiedも更新された件 (Copying a file also updated the MFT Modified timestamp)
THREAT INTELLIGENCE/HUNTING
- The ASERT team at Arbor Networks share details of the ‘Stolen Pencil’ campaign targeting academic institutions
STOLEN PENCIL Campaign Targets Academia
- Chris Sanders demonstrates “how separating the functions of content matching and alerting can enable additional functionality that benefits the analyst.”
Content Matching Detection and Additional Outputs
- Luke Jennings at Countercept looks at a .NET variant of the Gargoyle memory scanning evasion technique, as well as strategies for detecting it
Gargoyle Memory Scanning Evasion for .NET
- The guys at Cyber Forensicator share a tool by Thomas Chopitea called Malcom, which is “designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources”
Malcom: Malware Communication Analyzer
- Mike Cary at ‘DFIR on the mountain’ demonstrates how to use esentutl to copy locked files from a live machine. I didn’t know that you could do this with esentutl, and as a result found this site, which is dedicated to tracking lolbins/scripts/libraries.
Locked File Access Using ESENTUTL.exe
- Paul Ewing, Ross Wolf, Anjum Ahuja, and Justin Ibarra at Endgame have released a starter guide on the recently released Event Query Language (EQL)
Getting Started with EQL
- Adam at Hexacorn has a few posts this week
  - He shares his thoughts on logging for security and IR purposes
  Get your logging act together, loggers!
  - Adam also describes an evasion trick that takes advantage of logging platforms not recording the host architecture, and therefore not highlighting executions from paths that would normally not exist on that system (64-bit-only directories on a 32-bit install)
  Trivial Anti-BlueTeam trick for 32-bit systems
  - Lastly, Adam shares his thoughts on hunting on platforms other than Windows, along with some research on auditd, the Linux audit daemon
  auditd and the mystery of ANOM_* events
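The missing piece in Adam’s 32-bit trick is host bitness: once a log pipeline knows a host is 32-bit, any execution from SysWOW64 or Program Files (x86) on it is impossible under a legitimate install and can be flagged outright. The PowerShell below is an added example (not code from the Hexacorn post) that does both a live check of the current host and an offline pass over exported process-creation events joined to an inventory of host bitness. The hostnames, inventory hashtable and CSV events are constructed for illustration.

```powershell
# Added example: flag executions from directories that cannot legitimately
# exist for the host's architecture. Sample data below is constructed.

# Directories that only exist on 64-bit Windows (WOW64 redirection targets).
# On a 32-bit install an attacker can simply mkdir them and drop payloads
# there, and path-based log filters treat them as trusted system locations.
$x64OnlyRoots = @(
    "$env:SystemRoot\SysWOW64",
    "${env:SystemDrive}\Program Files (x86)"
)

function Test-ArchImpossiblePath {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [bool]   $HostIs64Bit
    )
    if ($HostIs64Bit) { return $false }   # nothing to say for 64-bit hosts
    foreach ($root in $x64OnlyRoots) {
        # Case-insensitive prefix match including the separator, so that a
        # sibling such as "SysWOW64evil" does not match by accident.
        if ($ImagePath -like "$root\*") { return $true }
    }
    return $false
}

# 1) Live check of this host: these directories should be absent on 32-bit.
if (-not [Environment]::Is64BitOperatingSystem) {
    foreach ($root in $x64OnlyRoots) {
        if (Test-Path -LiteralPath $root) {
            Write-Warning "32-bit host has a 64-bit-only directory: $root"
        }
    }
}

# 2) Offline check over exported process-creation events.
# Inventory: hostname -> Is64Bit (assumed to come from your CMDB/EDR export).
$hostArch = @{ 'WS01' = $true; 'WS02' = $false }

# Constructed sample events (e.g. Sysmon Event 1 / 4688 export).
$events = @'
Host,Image
WS01,C:\Windows\SysWOW64\cmd.exe
WS02,C:\Windows\System32\svchost.exe
WS02,C:\Windows\SysWOW64\rundll32.exe
WS02,C:\Program Files (x86)\Updater\update.exe
'@ | ConvertFrom-Csv

$events |
    Where-Object { $hostArch.ContainsKey($_.Host) } |      # skip hosts with no inventory entry
    Where-Object { Test-ArchImpossiblePath -ImagePath $_.Image -HostIs64Bit $hostArch[$_.Host] } |
    Format-Table -AutoSize
```

With the constructed data only the two WS02 rows are reported; the SysWOW64 execution on WS01 is ordinary. The same join against bitness also catches the mirror case worth a rule of its own: a 64-bit host with no 32-bit process ever seen from SysWOW64 suddenly running one from a user-writable directory is a different signal and should not be folded into this check.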
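For the esentutl technique from Mike Cary’s post above, the following PowerShell is an added example (not Mike’s script) that collects a handful of locked hives from a live host and records where each copy came from and what it hashes to. It assumes an elevated session, that this build’s esentutl accepts the /vss switch (check esentutl.exe /? if the copy fails), and that the output directory and target list are placeholders you will adjust.

```powershell
# Added example: copy locked Windows artefacts from a live host with esentutl's
# file-copy mode and log the result. Assumes admin rights and /vss support.

$outDir = 'C:\Triage\{0}' -f (Get-Date -Format 'yyyyMMdd_HHmmss')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Illustrative targets: hives that are always open while Windows runs. Collect
# the .LOG1/.LOG2 transaction logs next to them so dirty hives can be replayed.
$targets = @(
    'C:\Windows\System32\config\SYSTEM',
    'C:\Windows\System32\config\SYSTEM.LOG1',
    'C:\Windows\System32\config\SYSTEM.LOG2',
    'C:\Windows\System32\config\SOFTWARE',
    'C:\Windows\System32\config\SAM',
    'C:\Windows\AppCompat\Programs\Amcache.hve'
)

$log = foreach ($src in $targets) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    # Flatten the source path into a unique file name inside $outDir.
    $dst = Join-Path $outDir (($src -replace '[:\\]', '_'))
    $started = Get-Date
    # /y = copy file, /vss = read it from a Volume Shadow Copy so the OS lock
    # on the source does not matter, /d = destination
    & esentutl.exe /y /vss $src /d $dst | Out-Null
    $exit = $LASTEXITCODE
    $hash = $null
    if (Test-Path -LiteralPath $dst) {
        $hash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Source   = $src
        Copy     = $dst
        Started  = $started.ToString('o')
        ExitCode = $exit
        SHA256   = $hash
    }
}

$log | Export-Csv -Path (Join-Path $outDir 'esentutl_copy_log.csv') -NoTypeInformation
$log | Format-Table -AutoSize
```

Two caveats a triage runbook should carry: the copy reflects the shadow copy at the moment esentutl took it, so keep the Started column with the evidence, and esentutl itself is a legitimate signed binary, which is exactly why it appears on the LOLBAS list Phill mentions; if you deploy this, expect (and want) your own EDR to flag esentutl.exe reading SAM and SYSTEM.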
- Brian Maloney has identified an issue when trying to compare packet captures with Procmon traces
Comparing Packet Captures to Procmon Traces Revisited
- There was a post on the Microsoft Secure blog analysing a recent attack against U.S. think tanks, non-profits and public-sector organisations
Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers
- Some more EDR vendors posted about their results in MITRE’s recent ATT&CK evaluation
- John Wunder advises that MITRE have moved their Cyber Analytics Repository (CAR) to GitHub
Cyber Analytics Repository Migrated to Github
- Nextron Systems describe a new feature in THOR 8.53 that allows hunters to scan only files that haven’t previously been scanned
THOR 8.53 Feature: Diff Mode
- Casey Smith at Red Canary comments on the ‘Password Filter’ credential-theft technique (ATT&CK T1174), in which a DLL registered as an LSA notification package receives plaintext passwords whenever they are changed, and on the challenges of detecting it
Password Filters (T1174): Live Discussion on Detection Challenges and Strategies
- Rob VandenBrink has a post on the SANS Internet Storm Centre covering common methods of data exfiltration (during a pen test, but the same applies to malicious actors), as well as the thought process behind their use versus their detectability
Data Exfiltration in Penetration Tests, (Tue, Nov 27th)
- There were a few posts on Securelist this week
  - Sergey Golovanov at Securelist describes the KoffeyMaker malware and provides a YARA rule
  KoffeyMaker: notebook vs. ATM
  - Sergey also shares details of the DarkVishnya attacks, which saw actors gaining physical access to premises before deploying their toolkit from the local network
  DarkVishnya: Banks attacked through direct connection to local network
  - Vicente Diaz and Costin Raiu describe what the various APT groups have been up to this year
  APT review of the year
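Whatever the detection challenges Casey discusses, the registration point for a password filter is a single registry value, so the cheapest check is a periodic audit of what is registered against what is expected. The PowerShell below is an added example (not Red Canary’s): it enumerates the LSA Notification Packages on the current host, resolves each to its DLL in System32, checks the Authenticode signature and compares the list to a baseline. The baseline of a single scecli entry is an assumption for a domain-joined Windows 10 workstation; domain controllers and hosts with third-party password policy products legitimately carry more, so build the baseline from a known-good image.

```powershell
# Added example: audit LSA password filters (T1174) on this host. Run elevated.
# A filter is just a DLL name in the REG_MULTI_SZ 'Notification Packages'
# value; LSA loads it from System32 and hands it every new plaintext password.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$baseline = @('scecli')   # assumption: default for a non-DC Windows 10 host

$report = foreach ($name in $packages) {
    # Entries are bare module names; LSA resolves them to System32\<name>.dll
    $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
    $dll  = Join-Path "$env:SystemRoot\System32" $file

    $exists = Test-Path -LiteralPath $dll
    $status = 'n/a'
    $signer = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $inBaseline = $baseline -contains $name
    # Anything not in the baseline, missing on disk (a dangling entry is still
    # worth a question) or not validly signed gets flagged for follow-up.
    $suspicious = (-not $inBaseline) -or (-not $exists) -or ($status -ne 'Valid')

    [pscustomobject]@{
        Package    = $name
        Path       = $dll
        InBaseline = $inBaseline
        Exists     = $exists
        Signature  = $status
        Signer     = $signer
        Suspicious = $suspicious
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object Suspicious) {
    Write-Warning 'One or more password filters need review; see table above.'
}
```

A valid Microsoft signature on its own is not a clean bill of health, since a filter can be a renamed legitimate DLL or a signed third-party component, so pair this with the Notification Packages value in your golden image and with image-load telemetry for lsass.exe (Sysmon Event 7) to catch a DLL that was registered and then removed from the registry after first load.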
- Brad Garnett at Cisco describes the difference between a compromise assessment and threat hunting
Compromise Assessment vs Threat Hunting
- Olaf Hartong describes the Threat Hunting app that he wrote for Splunk
Endpoint detection superpowers on the cheap, Threat Hunting app
UPCOMING WEBINARS/CONFERENCES
- Bret Peters at ADF shares a list of upcoming DFIR conferences for 2019
Best 2019 Digital Forensic Conferences
- Susteen will be hosting a webinar on their Data Pilot device on December 13th, 2018 at 3:00 PM Eastern
New Field Triage Device Upcoming Webinar And Pilot Program From Susteen
- The CFP for the IEEE Fifth International Workshop on Security and Forensics in Cyber Space (SFCS 2019), taking place 15-18 April 2019 in Marrakech, Morocco, has opened and will close on January 10, 2019
IEEE Fifth international workshop on Security and Forensics in Cyber Space
- The agenda for the 2019 Techno Security conference being held in California has been released
2019 Conference Program
PRESENTATIONS/PODCASTS
- BlackBag Technologies have released the recording of their recent webinar by Ben Charnota on Apple iCloud production data
Ask the Expert: Apple iCloud Productions
- Magnet Forensics shared the recording of their recent webinar with the Child Rescue Coalition
Recorded Webinar: Find More Victims, Catch More Suspects: How Creative Technology Partnerships Streamline Child Exploitation Investigations
- On this week’s Digital Forensic Survival Podcast, Michael talks about detecting Mimikatz in Windows event logs
DFSP # 146 – Mimikatz Detection
- SANS uploaded the presentations from the recent Tactical Detection & Data Analytics Summit & Training 2018
- SANS also shared Ryan Benson’s presentation from the 2018 DFIR Summit, ‘Efficiently Summarizing Web Browsing Activity’
Efficiently Summarizing Web Browsing Activity – SANS DFIR Summit 2018
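On the Mimikatz detection theme from DFSP #146, one of the more reliable event-log signals is a process opening a handle to lsass.exe with the specific access masks sekurlsa requests. The PowerShell below is an added example (not from the podcast) that pulls Sysmon ProcessAccess events (ID 10) from the last seven days, keeps those targeting lsass.exe, and filters on the commonly documented Mimikatz masks. It assumes Sysmon is installed with a ProcessAccess rule that logs lsass targets; the exclusion list of source images is an assumption to be replaced with the AV/EDR processes on your estate, which also legitimately read lsass memory.

```powershell
# Added example: hunt Sysmon Event 10 for lsass.exe handles with Mimikatz-like
# access masks. Requires Sysmon with ProcessAccess logging for lsass.
#
# Masks commonly seen from sekurlsa:
#   0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
#   0x1410 = the above + PROCESS_QUERY_LIMITED_INFORMATION
#   0x1438, 0x143a, 0x1fffff = broader variants seen in the wild
$suspiciousMasks = @('0x1010', '0x1410', '0x1438', '0x143a', '0x1fffff')

# Assumption: tune to the security products that legitimately touch lsass here.
$knownSources = @(
    "$env:SystemRoot\System32\csrss.exe",
    "$env:SystemRoot\System32\wininit.exe"
)

# XPath: Event 10 from the last 7 days (timediff is in milliseconds). Target
# matching is done in PowerShell because XPath string compares are case-
# sensitive and Sysmon's path casing varies between hosts.
$filter = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten EventData/Data name-value pairs into a hashtable
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        Host          = $_.MachineName
        SourceImage   = $d['SourceImage']
        SourcePid     = $d['SourceProcessId']
        TargetImage   = $d['TargetImage']
        GrantedAccess = $d['GrantedAccess']
        CallTrace     = $d['CallTrace']
    }
} | Where-Object {
    $_.TargetImage -like '*\lsass.exe' -and
    $suspiciousMasks -contains $_.GrantedAccess.ToLower() -and
    $knownSources -notcontains $_.SourceImage
} | Sort-Object Time | Format-Table Time, SourceImage, SourcePid, GrantedAccess, CallTrace -AutoSize -Wrap
```

Keep the CallTrace column in the output: a hit whose trace contains UNKNOWN frames (code not backed by a module on disk) is a much stronger indicator of an injected or reflectively loaded Mimikatz than the mask alone. If Sysmon is not deployed, the Security log can give a similar signal from 4656/4663 with Object Name lsass.exe, but only after enabling object access auditing and a SACL on the process, which most estates have not done.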
MALWARE
- 0verflow at 0ffset shares a list of resources that they have found useful for learning malware analysis
How to get started with Malware Analysis
- Brett Stone-Gross, Tillmann Werner, and Bex Hartley at CrowdStrike summarised and shared their findings about the Kelihos botnet
Farewell to Kelihos and ZOMBIE SPIDER
- Chris Navarrete at Fortinet shares details of some malware that utilises NirSoft utilities to steal passwords from a system
The Weaponization of PUAs
- Thomas Reed at Malwarebytes Labs examines a malicious Mac sample that combines “the EmPyre backdoor and the XMRig cryptominer”
Mac malware combines EmPyre backdoor and XMRig miner
- Anuj Soni at Malwology has written a post about “an initial workflow for performing static code analysis using radare2.”
Intro to Radare2 for Malware Analysis
- Michael Gillespie examines some more malware
- Sysopfb examines a malicious Flash file that exploits CVE-2018-15982 to download CobInt
CVE-2018-15982 being used to push CobInt
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Brad Duncan examines some malspam distributing Lokibot
  Malspam pushing Lokibot malware, (Tue, Dec 4th)
  - Brad also reviews some malspam pushing Hancitor
  Campaign evolution: Hancitor changes its Word macros, (Wed, Dec 5th)
  - Didier Stevens analyses a maldoc that contains a shell command hidden “somewhere in the document (not in the VBA code).”
  Word maldoc: yet another place to hide a command, (Mon, Dec 3rd)
  - Remco Verhoef examines a malicious Docker container
  A Dive into malicious Docker Containers, (Fri, Dec 7th)
  - Didier Stevens also examines a ZIP file containing an MHT file which acts as a downloader for a potentially malicious file
  Reader Malware Submission: MHT File Inside a ZIP File, (Sat, Dec 8th)
- Victor Hora at Trustwave SpiderLabs gives an overview of Magecart and defences against it
Magecart – An overview and defense mechanisms
- There were a couple of posts on WeLiveSecurity this week
  - Marc-Etienne M.Léveillé shared the news that “ESET researchers are publishing a paper focused on 21 in-the-wild OpenSSH malware families”
  The Dark Side of the ForSSHe
  - Kaspars Osis, Tomáš Procházka and Michal Kolář examine the DanaBot malware
  DanaBot evolves beyond banking Trojan with new spam-sending capability
- Jacob Pimental at Goggle Headed Hacker walks through the FlareOn Fleggo challenge.
Flare-On 5: FLEGGO Write-up
MISCELLANEOUS
- ADF have a post about how DEI can be used in photo extraction and classification cases
What is Photo Forensics?
- Brett Shavers at DFIR.Training discusses the difference between “basic skills and basic knowledge.”
Basic DF/IR Standards
- Konstantin Chistyakov and Andrei Loktev from Paragon have a guest post on Cyber Forensicator about their image mounting tool
The Most Essential Image Data Retrieval for Digital Forensic Experts
- Derrick Karpo shares a Linux distro for Passware Kit Forensic (PKF) agents
Check out @atdt0’s Tweet
- Ken Pryor shares a glowing review of DFIR.Training (and Brett’s other work)
DFIR Training
- DME Forensics have a post describing how you can go about assisting support in adding an unsupported file system to DVR Examiner
When a Bug is More Than a Bug
- There were a few posts on Forensic Focus this week
  - They shared a video and transcript of the walkthrough of the “LACE Carver Integration with Analyze DI Pro”
  How To: Integrate LACE Carver With Griffeye Analyze DI Pro
  - As well as a video and transcript of the walkthrough of Logicube’s Forensic Falcon NEO
  Walkthrough: Forensic Falcon NEO From Logicube
  - They also shared a video demonstrating how to multitask with the Falcon NEO
  How To: Multitask With Logicube’s Forensic Falcon NEO
  - Scar interviewed one of my awesome patrons, Vitaliy Mokosiy, about his work at Atola Technology
  Interview With Vitaliy Mokosiy, CTO, Atola Technology
- Magnet Forensics interviewed their new trainer, Chris Cone
Meet Magnet Forensics’ Training Team: Christopher Cone
- Mark McKinnon created a couple of Autopsy plugins. One parses the Win10 activities database, and the other is useful for developers to save time when testing their plugins
- San4n6 created a couple of Python scripts to extract data from the cache_encryptedB.db on an iOS device
Check out @san4n6’s Tweet
- Volume 27 of the Journal of Digital Investigation was released
- Marcos at ‘The Curious Minion’ shares his thoughts on the recent discussions about basic skills in DFIR
#DFIR: A matter of attitude and aptitude, (IMHO)
- Whilst not a forensic post, I thought it was relevant: Microsoft has announced that they are going to adopt Chromium for their Edge browser. What that means for forensics remains to be seen.
Microsoft Edge: Making the web better through more open source collaboration
SOFTWARE UPDATES
- Eric Zimmerman has updated MFTECmd to v0.3.6.1, adding “support for $Boot, $SDS, and $J files”, as well as various other improvements
MFTECmd 0.3.6.0 released
- Eric also updated his AppCompatCacheParser to v1.3.0.2
- Didier Stevens released oledump.py version 0.0.39
Update: oledump.py Version 0.0.39
- Didier also released his own version of strings
Release: strings.py
- ExifTool 11.21 (development) was released with new tags and improvements
ExifTool 11.21
- Oxygen Forensic Detective v11.1 was released, adding support for a number of different apps and a new JetEngine module which should speed up data parsing and analysis
Oxygen Forensic Detective v11.1
- A new version, release 2018.12-1, of Grml Forensic was released
Check out @grmlforensic’s Tweet
- Magnet Forensics released AXIOM v2.8 with various updates, “including G Suite Admin Support, iOS Screen Time and other additional performance improvements”
G Suite Admin Support and Screen Time Artifacts Now Available in Magnet AXIOM 2.8
- “A new version of MISP (2.4.99) has been released with improvements in the UI, API, STIX import and a fixed critical security vulnerability.”
MISP 2.4.99 released (aka API/UI fixes and critical security vulnerability fixed)
- Radare2 3.1.3 – Codename Antiox was released to fix some bugs
3.1.3 – Codename Antiox
- SalvationData released SPF Pro V6.84.27 with a number of new features and bug fixes
[Software Update] Mobile Forensics: SPF Pro V6.84.27 New Version Release for Better User Experience!
- SANS released a new version of their SOF-ELK VM. “The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components.”
“The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.”
- IsoBuster 4.3 Beta was released with a number of new features and improvements
IsoBuster 4.3 Beta released
- X-Ways Forensics 19.8 Beta 1 was released with a number of improvements
X-Ways Forensics 19.8 Beta 1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!