I made stickers! If anyone has signed up to my Patreon and would like one, reach out and I will mail one to you
If you would like one but are not yet a Patreon, you can sign up at the $1 level here!
Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday challenge asks which projects use DFVFS
    Daily Blog #562: Sunday Funday 12/9/18
  - Dave shared a tool that utilises Dfvfs called ‘Artifact Extractor’. Curiously this post came out very shortly after I submitted my Sunday Funday answer. Hmm
    Daily Blog #564: Tool spotlight Artifact Extractor
  - Dave tested tracking program execution on the Desktop in the Win7 syscache
    Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18
  - Maxim Suhanov has been doing some testing on last access dates in Win10, which Dave shares
    Daily Blog #565: Seeing Double (access dates)
  - Dave also spent a test kitchen coding a Python script to “print all of the file name’s out of the file name attributes for every file referenced in the Syscache hive Object key.”
    Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18
  - Dave and Matthew hosted Eric Huber on the Forensic Lunch to talk about cryptocurrency investigations
    Daily Blog #567: Forensic Lunch 12/14/18
- Justin Boncaldo looks at the HxStore.hxd file on Win10 that contains (unknown) encoded data and email strings.
Microsoft HxStore.hxd (email) Research
- Sarah Edwards at Mac4n6 walks through the use of her Apollo script
On the First Day of APOLLO, My True Love Gave to Me – A Python Script – An Introduction to the Apple Pattern of Life Lazy Output’er (APOLLO) Blog Series
- The folks at MailXaminer demonstrate how to examine MBX files in their tool.
Open & Read MBX File Format In Email Forensic Investigation
- Manuel Guerra at Glider walks through the various artefacts that can be examined in the Firefox browser that is part of the Tor Browser bundle
TOR Forensics. Parte 1
- Also on TOR, Leon Kowalski at Netresec shows “how anonymous Tor browsing can be visualized, by loading a PCAP file with localhost traffic into NetworkMiner.”
TorPCAP – Tor Network Forensics
- Hideaki Ihara at the Port 139 blog tests how Win10 affects Last Access dates.
- Gary at Salt Forensics looks at the daily.out log on MacOS. I’ve had success in the past with this log showing that volumes were mounted around specific times. It can also show other information such as network connections and uptime
Mac OS Daily Logs
THREAT INTELLIGENCE/HUNTING
- Richard Bejtlich at Corelight describes Network Security Monitoring and explains why he thinks it’s an important part of an organisation’s security posture
Network Security Monitoring: Your best next move
- There were a couple of posts on the CrowdStrike blog this week
  - Shawn Henry advised that the CrowdStrike Services Cyber Intrusion Casebook 2018 was released
    The CrowdStrike Services Cyber Intrusion Casebook 2018 Offers Compelling Stories from the Front Lines of Incident Response
  - Dan Brown covers some of the terms used in MITRE’s recent EDR evaluation.
    MITRE ATT&CK: Why Detections and Tainted Telemetry are Required for an Effective EDR Solution
- The Dragos team describe what a “collection management framework (CMF)” is and why it is useful for defenders
Building a Collection Management Framework for Industrial Control Systems
- The G Suite team has shared some new features they’ve added to the G Suite security center. The new features include “[creating] more informative and focused dashboards with custom charts” and “more insights into Gmail incidents with post-delivery event logs”
Improving the security center with custom dashboard charts and new email logs
- There were a couple of posts on the Nviso Labs blog this week
  - Daan Raman shares the news that they have open-sourced their ee-outliers framework, which is used “to detect outliers in events stored in Elasticsearch”.
    Announcement: open-sourcing ee-outliers
  - Daan then demonstrates “how ee-outliers can be used to detect beaconing TLS connections in security events stored in Elasticsearch”
    TLS beaconing detection using ee-outliers and Elasticsearch
- Roberto Rodriguez at SpecterOps shows how “to take rules that describe Windows event logs from the Sigma project and integrate them with [his] project HELK via Elastalert”
What the HELK? SIGMA integration via Elastalert
- Eric Sun at Rapid7 shares their recent 2018 Q3 Threat Report as well as three actionable findings.
Q3 Threat Report: Analyzing Three Key Detection Trends
- Keith McCammon at Red Canary asks various questions when evaluating endpoint detection/protection platforms.
Evaluating Endpoint Products in a Crowded, Confusing Market
- Melissa at Sketchymoose goes hunting for the use of CVE-2018-15982
Having a Bit of Fun with CVE-2018-15982
UPCOMING WEBINARS/CONFERENCES
- Blackbag Technologies will be hosting a webinar with Joe Sylve and Sarah Edwards on Apple’s changes in 2018 and their predictions for 2019. They also tease a Christmas present for the DFIR community (my money is on pushing APFS support to TSK). The webinar will take place on Wed, Dec 19, 2018 7:00 PM – 8:00 PM GMT.
Naughty or Nice? Apple Changes in 2018
- Cellebrite will be hosting a webinar on downloading data from the cloud on December 19, 2018 at 10AM New York / 3PM London and December 20, 2018 at 12PM Singapore / 3PM Sydney
How To Incorporate Cloud Evidence Into Your Investigations For Maximum Results
- Paraben announced on Forensic Focus that the Paraben Forensic Innovation Conference 2019 will be held September 11-12 in Park City, Utah
DFIR And OSINT Come Together At PFIC 2019
- VB2019 has been announced and will be held 2nd-4th October in London, UK.
VB2019 London – join us for the most international threat intelligence conference!
PRESENTATIONS/PODCASTS
- The presentations from Botconf2018 have been uploaded.
- Cellebrite uploaded the recent webinar regarding their Cellebrite Advanced Services.
Advance Your Toughest Investigations with Cellebrite Advanced Services
- Brett Shavers has started a DFIR Training podcast where he will talk for 10-15 minutes about a DFIR or investigations topic. This one is free; however, the remaining ones will be for Patreon subscribers only (from $1 a month).
Brett’s international smuggling case and how it relates to forensic analysis
- Forensic Focus uploaded ElMouatez Billah Karbab’s presentation and transcript from DFRWS EU 2018 regarding “a framework for Android malware detection”
MalDozer: Automatic Framework For Android Malware Chasing Using Deep Learning
- Forensic Focus uploaded the presentation and transcript of Paraben’s webinar on using E3 for email analysis
Webinar: Using Paraben’s E3 Platform For Email Analysis
- A number of videos were uploaded by Paraben Corporation this week
- On this week’s Digital Forensic Survival Podcast, Michael discusses “webshells for threat hunting and incident response triage.”
DFSP # 147 – Webshell Breakdown
- Richard Davis at 13 Cubed walks through the process of acquiring memory and creating a custom content image using FTK Imager.
Triage Image Creation
- SANS shared Yogesh Khatri’s presentation from the 2018 DFIR Summit titled “Mac_apt – The Smarter and Faster Approach to macOS Processing”
Mac_apt – The Smarter and Faster Approach to macOS Processing – SANS DFIR Summit 2018
- VirusBulletin shared two presentations/papers from VB2018
MALWARE
- 0verflow at 0ffset demonstrates how they set up their malware analysis environment
Setting Up a Safe Malware Analysis Environment
- There were a couple of posts on the Cylance blog this week
  - There was a Cylance Threat Intelligence Bulletin analysing some malware called RedControle.
    Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure
  - The Cylance Research Team examines the Nemucod Trojan Downloader
    Cylance vs. Nemucod Trojan Downloader
- James T. Bennett at FireEye shares a new IDAPython library, flare-emu, “that provides scriptable emulation features for the x86, x86_64, ARM, and ARM64 architectures to reverse engineers”
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
- There were a couple of posts on Malwarebytes Labs this week
  - Thomas Reed shares some comparisons between malware that was examined by other researchers this week that appears to relate to the DarthMiner malware
    Flurry of new Mac malware drops in December
  - Pieter Arntz describes the various tools released by the Shadow Brokers to target vulnerabilities in SMB
    How threat actors are using SMB vulnerabilities
- There were a couple of posts on McAfee Labs this week
  - Ryan Sherstobitoff and Asheer Malhotra describe Operation Sharpshooter, which “leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation.”
    ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
  - Alexandre Mundo, Thomas Roccia, Jessica Saavedra-Morales and Christiaan Beek analyse Shamoon v3, which has been “attacking several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe.”
    Shamoon Returns to Wipe Systems in Middle East, Europe
- There were a couple of posts on the Palo Alto Networks blog this week
  - Bryan Lee and Robert Falcone describe the recent campaign by the Sofacy group starting mid-October
    Dear Joohn: The Sofacy Group’s Global Campaign
  - Robert Falcone examines “a new variant of the Disttrack malware”
    Shamoon 3 Targets Oil and Gas Organization
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens demonstrates how using strings can be useful for identifying information in malicious documents.
    Quickie: String Analysis is Still Useful, (Sun, Dec 9th)
  - Didier also examines a maldoc to identify “a PowerShell command obfuscated with a DOSfuscation technique.”
    Yet Another DOSfuscation Sample, (Wed, Dec 12th)
  - Xavier Mertens shows a phishing attack that imitates a Non-Delivery Receipt from Microsoft Office 365.
    Phishing Attack Through Non-Delivery Notification, (Thu, Dec 13th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a malware analysis platform called SNDBOX by Ran Dubin and Ariel Koren
SNDBOX: using Artificial Intelligence for malware analysis
- There were a couple of posts on TrendLabs this week
  - Joseph C Chen examines a new exploit kit named Novidade
    New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers
  - Jindrich Karasek and Loseway Lu analyse an attack utilising CVE-2015-1427 to deploy a cryptominer
    Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch
  - Mohamad Mokbel shares details of the Tildeb implant found in the Shadow Brokers dump.
    Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak
  - Muhammad Bohio examines some malware that utilises a Twitter account distributing steganographied (is that a word?) memes as C&C
    Cybercriminals Use Malicious Memes that Communicate with Malware
- Vitali Kremez analyses “one of the “Zebrocy” C++ loader samples attributed to Sofacy/Sednit/APT28 group.”
Let’s Learn: Reviewing Sofacy’s “Zebrocy” C++ Loader: Advanced Insight
- Lukas Stefanko at WeLiveSecurity examines a malicious Android app that uses “a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication”
Android Trojan steals money from PayPal accounts even with 2FA on
MISCELLANEOUS
- Kate Brew at AlienVault discusses hiring in security operations centres.
Who Would You Hire in Your SOC?
- Tony at Archer Forensics has written a comprehensive review of the SANS SEC401 course
SANS SEC401 – Comprehensive Review
- Brett Shavers has a couple of posts on DFIR.Training
  - He comments on why people may favour one tool over another, particularly based on what they’ve been trained on and how well the instructor presented the tool. The important point Brett makes is to be aware of the strengths of your tools and use them appropriately.
    Something I see with forensic software preferences
  - Brett also gives some feedback on the book sharing contest, his Patreon, and DFIR.Training site stats.
    DFIR Bookshare Challenge and a Few Other Things
- Ariel Watson at Cellebrite shares their biggest achievements of the year.
Top 4 Digital Forensics Innovations of 2018
- The guys at Cyber Forensicator shared details of a book by Nihad A. Hassan called “Digital Forensics Basics: A Practical Guide Using Windows OS”, expected to be released May 3, 2019
Digital Forensics Basics: A Practical Guide Using Windows OS
- Dhiren Bhardwaj at ‘Digital Forensic Forest’ shares the registry settings that allow users to delete files directly without sending them to the Recycle Bin first.
Recycle Bin Bypass
- Ben Miller and Daniel Michaud-Soucy at Dragos share a reading list for those looking to expand their understanding of ICS security and defence
A Dragos Industrial Control System Security Reading List
- There were a couple of posts on Forensic Focus this week
  - Scar provided an overview of the presentations that will be given at Techno Security & Digital Forensics 2019 in San Diego.
    Techno Security & Digital Forensics 2019 – San Diego March 11-13
  - Jade James has posted a review of Axiom 2.7 (as well as highlighting some of the features that have been introduced since v2.0)
    AXIOM 2.7 From Magnet Forensics
- A couple of Github repos popped up for registry modifications to write block removable drives; one by Fetchered and another by Forensicmike
- Magnet Forensics posted a couple of times this week
  - Christa Miller shares all of the resources that Magnet put out in 2018
    A Look Back at 2018: Resources for Mobile Investigations
  - They also announced that Ovie Carroll will be the keynote speaker for the 2019 Magnet User Summit in Nashville.
    Announcing This Year’s Keynote Speaker at Magnet User Summit!
- Microsystemations have announced a new offering for LE and government agencies for obtaining data from certain mobile phones. This appears to be similar to what Cellebrite offer with their Advanced Services.
MSAB introduces Access Services: To help customers get access to the most challenging mobile phones
- OpenText indicated that Enfuse would be coming back in Fall 2019.
- SalvationData have a post demonstrating how to “load a mobile device, a file or a folder for extraction and analysis” into SPF Pro
[Tips] Mobile Forensics: How to Make Analysis on Smartphone Backups
- The Scientific Working Group on Digital Evidence (SWGDE) has posted four new draft documents for public review and comment. These papers are SWGDE Best Practices for Mobile Device Evidence and Collection, Preservation, and Acquisition; SWGDE General Photography Guidelines for the Documentation of Evidence Items in the Laboratory; SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics; and SWGDE Technical Overview for Forensic Image Comparison
SWGDE Drafts For Public Comment
- The students at Champlain College shared the final updates on their projects
SOFTWARE UPDATES
- Amped Authenticate Update 12336 was released with a number of new features and bug fixes
Amped Authenticate Update 12336: Brand new smart report tool, PRNU detection improvements and more…
- Berla released iVe v2.1.1. “This minor release features speed and performance improvements for mapping when working with extremely large data sets as well as other minor bug fixes and enhancements.”
iVe Software v2.1.1 Release
- Didier Stevens updated his rtfdump Python script to version 0.0.9
Update: rtfdump.py Version 0.0.9
- ExifTool 11.22 (development) was released with support for new tags
ExifTool 11.22
- GetData released Forensic Explorer v4.4.8.8090 with some bug fixes
13 Dec 2018 – v4.4.8.8090
- A number of the Sysinternals tools were updated
- XRY 7.10, Kiosk/Tablet/XRY Express 7.10, XAMN 4.1, and XEC 4.0 were released. The highlight appears to be XRY Photon, which claims to acquire WhatsApp data from Android devices.
Now released: XRY 7.10, XAMN 4.1 and XEC 4.0
- Passware Kit 2019 v1 was released with some updates to their distributed password recovery and additional decryption techniques. The Passware Exchange service sounds great: if anyone has found the password before, it can be shared with other customers.
Passware Kit 2019 v1
- USB Detective Version 1.3.6 has been released, resolving some issues and improving correlation of composite devices
Version 1.3.6 (12/13/2018)
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!