Thanks to those who give a little back for their support!
I’m taking a bit of a break next week, which means links only for the weekly.
I’m still planning on putting out the end of month and end of year posts too, but it’s a hectic time of year, so saving the 12-ish hours from the weekly will be helpful 🙂 (yes, the weekly takes upwards of 12 hours to write out, possibly due to getting distracted by Twitter, but mostly because there’s a lot to get through!)
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - My solution won last week’s challenge on compiling the various projects that use DFVFS
    Daily Blog #568: Solution Saturday 12/15/18
  - This week’s challenge involves using DFVFS to perform some file system forensics
    Daily Blog #569: Sunday Funday 12/16/18
  - Dave and Matthew hosted Alissa Torres and Joe Sylve to talk about Alissa’s FOR526 course, the CTI Summit, and Joe’s work on APFS and TSK. They also hinted that the DFIRCruise may take place in November around Bsides NOLA
    Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve
  - Dave continues his testing of executable tracking in the syscache hive
- Luxembourg Computer Incident Response Centre shared their training materials from their intro to DF course.
  Digital Forensic – Training Materials
- Elcomsoft posted a couple of times this week
  - Vladimir Katalov shares a variety of “methods for accessing and decrypting the keychain secrets”
    Six Ways to Decrypt iPhone Passwords from the Keychain
  - Vladimir also describes the process for decrypting WhatsApp backups
    A New Method for Decrypting WhatsApp Backups
- Sarah Edwards at Mac4n6 continues to share details about the various use cases of her Apollo framework. This tool is definitely worth putting through its paces on the iOS file system dumps if you have questions like the ones Sarah walks through
- On the Second Day of APOLLO, My True Love Gave to Me – Holiday Treats and a Trip to the Gym – A Look at iOS Health Data
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
- Magnet Forensics posted a couple of times this week
  - They provide an overview of the Screen Time artefacts on iOS
    Getting Evidence from iOS Screen Time Artifacts
  - And Trey Amick describes some of the uses for the information tracked in the KnowledgeC database
    Analysis of GrayKey Images with AXIOM: New KnowledgeC Database Artifact Additions
- Maxim Suhanov takes a look at “the consistency of last access timestamps present in NTFS file systems.” Apparently, Microsoft’s documentation doesn’t necessarily line up with their code.
  The (in)consistency of last access timestamps
- SalvationData has a post describing a method for recovering data from a MySQL database using binlog.
  [Case Study] Computer Forensics: A Method to Recover Data from MySQL Database by Utilizing Binlog
- Pieces0310 demonstrates how to extract WeChat messages from a smartphone by backing the data up to the WeChat computer application. The process does require restoring the WeChat chat messages to another Android phone, but I wonder if you could just parse the data on the computer application to the same effect
  How to extract WeChat chat messages from a smartphone running Android 7.x or above – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Zachary Burnham walks through setting up TheHive
  Installing TheHive – a Security IR Platform
- Hayden Parker at Coinbase introduces Dexter, their internal forensics framework. “Dexter is designed to wrap other tools, where available, to perform forensics tasks. The place that Dexter advances beyond the capabilities that were already available in other tools is the secure approval process for investigations, and the secure retrieval process for forensic artifacts.”
  Introducing Dexter
- There were a couple of posts on the Countercept blog this week
  - Peter Cohen shares an overview of threat hunting
    Threat Hunting – The Beginner’s Guide
  - In-Ming Loh describes “Parent PID (PPID) Spoofing … and how defenders can utilize Event Tracing for Windows (ETW) to detect this technique”
    Detecting Parent PID Spoofing
- Tim Parisi at CrowdStrike discusses “the importance of deploying an endpoint technology to scope the incident, some common deployment challenges, and what organizations can do to overcome these challenges and be better prepared if and when an incident occurs.”
  Confessions of a Responder: The Hardest Part of Incident Response Investigations
- Allie Mellen at Cybereason gives an overview of Mitre’s recent Att&ck-based product evaluation.
  The MITRE ATT&CK Framework: A Security Expert’s Guide
- Geoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, and Nick Carr at FireEye describe some recent activity by APT33
  OVERRULED: Containing a Potentially Destructive Adversary
- Adam at Hexacorn describes a persistence mechanism that calls a DLL relating to payments
  Beyond good ol’ Run key, Part 96
- Marcus Bakker at MB Secure shares the TaHiTI, “Targeted Hunting integrating Threat Intelligence”, methodology
  TaHiTI – Threat Hunting Methodology
- There were a couple of posts on the McAfee Labs blog this week
  - Raj Samani shares the McAfee® Labs Threats Report, December 2018.
    McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats
  - Thomas Roccia, Jessica Saavedra-Morales and Christiaan Beek examine some recent attacks by APT33.
    Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
- Michael Gorelik shared the December 2018 Morphisec Labs Threat Report
  The December 2018 Morphisec Labs Threat Report
- Nextron Systems provided some information about their YARA rules pack and feeds
  YARA Rule Sets and Rule Feed
- Daan Raman at Nviso Labs illustrates “how ee-outliers can be used to detect suspicious child processes”
  Detecting suspicious child processes using ee-outliers and Elasticsearch
- Josh Frantz at Rapid7 explains how to forward Windows event logs to InsightIDR using NXLog and Windows Event Forwarding (WEF)
  Windows Event Forwarding: The Best Thing You’ve Never Heard Of
- Brian Donohue at Red Canary shares some of their best blog posts of 2018
  Red Canary’s Best Blogs of 2018: PsExec, Cryptocurrency Miners, and More!
- Jeff Atkinson at Salesforce Engineering describes how their newly released Bro-Sysmon system works.
  Open Sourcing Bro-Sysmon
- Jake Munroe at IBM’s Security Intelligence shares some thoughts on the SANS 2018 threat hunting survey regarding threat intelligence
  More Than Just a Fad: Lessons Learned About Threat Hunting in 2018
UPCOMING WEBINARS/CONFERENCES
- Chris Crowley advised that the CFP for the SANS Security Operations Summit, held in New Orleans June 24-25th, is open and closes Friday, February 4th at noon CST.
  Check out @CCrowMontance’s Tweet
- Jonathan Munshaw at Cisco’s Talos advised that the CFP for the Talos Threat Research Summit, held June 9 in San Diego, California, is open and will close January 25, 2019
  Submissions for talks at the 2019 Talos Threat Research Summit are now open
PRESENTATIONS/PODCASTS
- Basis Technology uploaded the videos for HLTCon 2018, which isn’t exactly DFIR focused but people may find some value in some of the talks
- Blackbag Technologies have released a recorded version of their previous webinar on Apple’s 2018 updates with Dr Joe Sylve and Sarah Edwards.
- The guys at Cyber Forensicator shared a few presentations from this year
- Joshua James at DFIR.Science is starting an online course for getting started in research. The course is general, but Joshua said he would mention DFIR topics as that is his focus
  RE100: 1.0 Introduction to Research
- Forensic Focus have shared the recorded version and transcript of Cellebrite’s recent webinar on their Advanced Services for the APAC region
  Webinar: Cellebrite Advanced Services For The APAC Region
- Presentations from KringleCon 2018 were uploaded
- On this week’s Digital Forensic Survival Podcast, Michael shares some “tips for building a threat hunting program.”
  DFSP # 148 – Threat Hunting Tips
- Sumuri have announced that they will be donating a Talino workstation to an agency in need, and share the details on how to submit your agency
  SUMURI Gives Back 2018
MALWARE
- There were a couple of posts on the Check Point Research blog this week
  - They provide an overview of a recent attack utilising the GandCrab malware
    Check Point Forensic Files: Fileless GandCrab As Seen by SandBlast Agent
  - They also examine a VBS file that may have at one point downloaded the DanaBot malware
    VBS Unique Detection
- Cylance have shared an analysis of the Sality malware
  Cylance vs. Sality Malware
- Yueh-Ting Chen and Evgeny Ananin at Fortinet examine some malware distributed as a fake “tsunami alert for Japanese citizens”
  Fake Tsunami Alert Brings Malware to Japan
- Jérôme Segura at Malwarebytes Labs advises that the Underminer EK now uses a new covert flash exploit.
  Underminer exploit kit improves in its latest iteration
- Michael Gillespie reverses “a Delphi ransomware that uses the Linear Congruential Generator algorithm, and re-create its keygen”
  Analyzing Ransomware – Recreating an LCG Keygen
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens walks through a de-DOSfuscation technique
    De-DOSfuscation Example, (Sat, Dec 15th)
  - Didier also examines a maldoc contained within a password-protected zip file
    Password Protected ZIP with Maldoc, (Mon, Dec 17th)
  - Brad Duncan describes a malspam “campaign that uses password-protected Word documents to push various types of malware”
    Malspam links to password-protected Word docs that push IcedID (Bokbot), (Tue, Dec 18th)
- Sebdraven analyses some malware used by the Sidewinder APT group.
  APT Sidewinder complicates theirs malwares
- There were a few posts on Cisco’s Talos blog
  - David Liebenberg and Andrew Williams share the activities of a few threat groups that have similar TTPs
    Connecting the dots between recently active cryptominers
  - Nick Biasini describes the impact of the cryptocurrency price crash on threat actors’ use of the currencies
    As Cryptocurrency Crash Continues, Will Mining Threat Follow?
  - Jonathan Munshaw gave an overview of the top malware that Talos tracked in 2018
    Talos’ Malware Year in Review
- There were a couple of posts on the TrendLabs blog this week
  - They have a post sharing some research connecting “EMOTET, DRIDEX, URSNIF and BitPaymer” to each other.
    URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
  - Tony Bao describes some Android apps that have recently been detected as committing ‘click ad fraud’
    Android Wallpaper Apps Found Running Ad Fraud Scheme
- Vitali Kremez shares a couple of posts this week
  - He analyses and documents “the progression of APT28 Zebrocy Delphi loader/backdoor variants from 6.02 to 7.00.”
    Let’s Learn: Dissecting APT28 Zebrocy Delphi Loader/Backdoor Variants: Version 6.02 -> Version 7.00
  - He also reverses “the latest APT28/Sofacy Zebrocy loader”, written in Go
    Let’s Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader
- Rohan Viegas at VMRay gave an overview of his recent webcast with Jake Williams on information stealing malware
  SANS Webcast Recap: Infection to Remediation – Exploring the InfoStealer Kill Chain
MISCELLANEOUS
- AccessData interviewed Dennis Ozment from 4theONE about a recent case study involving identifying the location of a missing girl
  FTK Helps Non-Profit Team Rescue Missing Child and Assist Law Enforcement Professionals with Arrest
- Nick Burton at ADF expounds on the benefits of triaging a device to get to evidence quickly. Triage up front is usually a good idea as it can save you a great deal of time; if the evidence pops up in a triage search you may not need to dive deeper
  How fast is digital forensic triage?
- Julie Urban at Blackbag Technologies shares the news that Blackbag have pushed their updated version of The Sleuth Kit to their GitHub repo, which adds full APFS support, including snapshots and decryption.
  A Present From Santa (APFS): Providing APFS Support To The Sleuth Kit ® Framework
- Justin Boncaldo describes a few methods of putting someone behind a keyboard.
  DFS #6: Who is behind the Keyboard?
- Brett Shavers posted a few times this week from his various blogs
  - He shares his opinion on choosing the right tool for the job, how to go about choosing it, and validation
    What is the best way to get to Spokane from Seattle?
  - He shares a bit of information about his recently released podcast for his Patreon subscribers
    DFIR Training Podcast
  - And comments on a recent question about using pirated forensic software – just don’t do it… Brett recommends following the license that the tool is distributed with, which may include ‘not for commercial use’.
    Pirated forensic software: Everyone does it, right?
- Depak Kumar shares a list of certifications in the Cyber Security field
  Cybersecurity Certifications
- DME Forensics describe the process they go through when dealing with a new DVR file system
  The Basics of Reverse Engineering a DVR Filesystem
- David Dym at EasyMetaData points out that some commonly used tools can be installed with chocolatey
  Exiftool, grep and choco fun
- There were a number of posts on Forensic Focus this week
  - They interviewed Dmitry Postrigan about his background and his work at Atola Technology
    Interview With Dmitry Postrigan, CEO, Atola Technology
  - They also interviewed Simon Crawley about his work at MSAB
    Interview With Simon Crawley, Global Project Manager, MSAB
  - Scar de Courcier reviews Oxygen Forensic Detective
    Oxygen Forensic Detective From Oxygen
  - She also shares a roundup of forum posts
    Forensic Focus Forum Round-Up
  - And shares her top articles from the last month
    Digital Forensics News December 2018
  - Jade James reviewed Passware Kit Forensic 2018 v2.1, which from memory was the previous version before the release last week
    Passware Kit Forensic 2018 v2.1 From Passware
  - Jade also reviewed Blackbag Technologies’ MacQuisition tool
    MacQuisition From BlackBag
  - Lee Reiber from Oxygen Forensics shares some useful information for those dealing with drone examinations.
    Scene Of The Crime: You’ve Found A Drone. What Do You Do?
- Lee Reiber announced that the 2nd edition of Mobile Forensic Investigations will be available January 3rd.
  Check out @Celldet’s Tweet
- Lenny Zeltser announces his new SANS course, SEC402, which covers writing in cybersecurity
  A Short Cybersecurity Writing Course Just for You
- Christa Miller at Magnet Forensics rounds up a number of the resources Magnet has shared that may be useful in corporate investigations
  A Look Back at 2018: Resources for Corporate Investigations
- Paraben Corporation have a post about their Activity Timeline custom acquisition option. This appears to load an agent onto Android 5+ devices to obtain the most recent user activity
  Crash Scene Evidence from Smartphone
- Patrick J. Siewert at Pro Digital Forensics explains the benefits of examining cellular records (and being qualified to do so)
  Using Cellular Records Analysis in Insurance Claims
- Richard Bejtlich at Tao Security has a post sharing his story of burning out in InfoSec. For those that have that feeling, there’s no harm in taking a step back. There will always be more work, and you won’t ever be able to stop and say I’m done; chances are you’ll find another project to fill the time and the cycle continues. Your health and relationships are much more important than being busy.
  Managing Burnout
- Steven Alexander at ‘The Bug Charmer’ shares his opinion of the recent SWGDE paper on using MD5 as a hashing algorithm in DFIR.
  MD5 should not be used in forensics (or anywhere else)
- Stefan Fleischmann advises not to update to Win10 1809; I’m not sure if this is affecting X-Ways 19.7 users or just general advice?
  X-Ways Forensics 19.7
SOFTWARE UPDATES
- Arsenal Consulting announced that Registry Recon v2.3.0.0069 Beta has been released.
  Check out @ArsenalRecon’s Tweet
- Plaso 20181219 was released with APFS support, as well as some other changes.
  Plaso 20181219 released
- Atola TaskForce 2018.12 has been released with NVMe support, improved selective imaging, an improved interface, and other updates
  Atola TaskForce 2018.12 release is out!
- Cellebrite released v7.12 for their UFED line of products, adding support for decrypting encrypted MTK chipsets, improved extraction flow for unsupported devices, and other improvements.
  Release Version 7.12: UFED 4PC, UFED Touch2 and UFED Physical Analyzer [December 2018]
- Didier Stevens updated a couple of his tools this week
- ExifTool 11.23 (development release) was released with some improvements and bug fixes
  ExifTool 11.23
- Griffeye released Analyze 18.4 with a couple of targeted features for their CS Operations product, as well as “several bug fixes and quality improvements in both Analyze DI Pro and Analyze CS Enterprise.”
  Release of Analyze 18.4 – Utilize the team power
- Input-Ace v2.3 was released
  Introducing iNPUT-ACE Version 2.3!
- Oxygen Forensic Detective 11.1.1 was released, but they haven’t publicly shared the release notes (at least that I could find)
  Check out @oxygenforensic’s Tweet!
- IsoBuster 4.3 was released with a number of new features, improvements, and fixes
  IsoBuster 4.3 released
- Tableau Firmware Updater v7.26 was released. “This release includes a firmware update for the Tableau Forensic Imager (TX1), Forensic SAS Bridge (T6u), Forensic PCIe Bridge (T7u), Forensic USB Bridge (T8u), and Forensic Universal Bridge (T356789iu).”
  Tableau Firmware Update Revision History for v7.26
- X-Ways Forensics 19.8 Beta 2 was released with some improvements to metadata analysis
  X-Ways Forensics 19.8 Beta 2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!