As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ posted a couple of times this week
- He released an Android-Usagestats-XML-Parser tool, based on research presented by Jessica Hyde last year
Android Usagestats XML Parser
- And expands on this with a parser for Android recent tasks XML files
Android Recent Tasks XML Parser
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- No qualifying answers for last week’s Sunday Funday, but Dave did mention Lance Mueller’s research into Deep Freeze from 8 years ago
Daily Blog #625: Solution Saturday 2/16/19
- This week’s is on documenting the program execution locations in MacOS Mojave
Daily Blog #626: Sunday Funday 2/17/19
- Dave points to Mathias Fuchs’ DFIR in 120 seconds series
Daily Blog #628: DFIR in 120 Seconds
- And points out that Core Analytics is a good source of execution artefacts on MacOS Mojave
Daily Blog #629: Coreanalytics Update
- Harsh Behl at AccessData has written an article on “How to create an image of an eMMC/eMCP BGA chip, perform an analysis of it and link the suspects to any other suspects in your existing cases.” The example demonstrates how to read a chip using FTK Imager and then examine it with Quin-C
Quin-C: Chip-Off Forensics and Cross-Case Examination
- There were a few posts on the Elcomsoft blog this week
- Oleg Afonin describes how to perform a jailbreak and acquire a full file system of an iOS 12 device
Physical Extraction and File System Imaging of iOS 12 Devices
- Oleg also explains the rootless jailbreak for iOS 12
iOS 12 Rootless Jailbreak
- Vladimir Katalov comments on the technical and legal implications of iOS file system acquisition, mainly surrounding the use of the Graykey and CAS services.
Technical and Legal Implications of iOS File System Acquisition
- Hideaki Ihara at the Port 139 blog continues to test ADTimeline
Active Directory and ADTimeline(3)
- Jaco at ‘The Swanepoel Method’ posted a couple of times this week
- He compares how he would fare answering the various questions in the 2018 Magnet User Summit CTF with both the full image and a triage image taken with Encase. Processing of the triage image completed 75% faster than processing of the full image, however Jaco notes that some of the data required was not collected. Encase’s conditions also did not collect VSS (which is where KAPE would be better utilised). The major point however is that you can collect and process a triage image and get to analysing well before a disk has finished processing (let alone imaging). Still take that image, but whilst you’re waiting you can get 82% of the answers in the MUS CTF.
Calculating the Cost: Triaging with Axiom and EnCase
- Jaco also has announced a new series comparing the latest (ish) versions of Blacklight, Encase, FTK, and Axiom on how they would fare at the MUS 2018 CTF dataset
Announcing: Forensic Mania 2019
- Josh Brunty shared the VM created by Nicole Odom for examining the Samsung Gear S3 Frontier smartwatch
Check out @joshbrunty’s Tweet
- Joshua Hickman at ‘The Binary Hick’ takes a look at the data stored by Google Assistant on Android
OK Computer…er…Google. Disecting Google Assistant (Part 1)
- Kevin Pagano at Stark 4N6 walks through answering questions from the Magnet User Summit 2018 CTF using free tools
- Brian Laskowski at ‘Laskowski-Tech’ shares a basic memory analysis workflow using Volatility
Volatility Workflow for Basic Incident Response
- Liam Booth at ‘Security EDC’ takes a look at the “Command & Control forensic challenges from Root-Me.org” which is a memory forensic challenge
Command and Control
- Troy Schnack takes a look at the log file and other artefacts associated with the qBittorrent application
Text Based Treasure: qBittorent Log File
THREAT INTELLIGENCE/HUNTING
- Matt Hillman, and Tim Carrington at MWR Labs
AutoCAD – Designing a Kill Chain
- Adam at Hexacorn
Beyond good ol’ Run key, Part 104
- Kate Brew at AlienVault
Fileless Malware Detection: A Crash Course
- Richard Bejtlich at Corelight
Examining aspects of encrypted traffic through Zeek logs
- Russ McRee at HolisticInfoSec
Detection Development: The Research Cycle & NIST CSF
- Katie Nickels at ‘Katie’s Five Cents’
Cyber Indictments and Threat Intel: Why You Should Care
- Daniel Berman at LogzIO
- William Tsing at Malwarebytes Labs
The Advanced Persistent Threat Files: APT1
- Positive Technologies
Detecting Web Attacks with a Seq2Seq Autoencoder
- Frank McClain at ‘Red Canary’
Defense Evasion and Phishing Emails
- Ryan Campbell at ‘Security Soup’
How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 1
- Secjuice
PowerShell Logging and Security
- SpecterOps
- Pablo Delgado at Syspanda
Rapid 7 Nexpose Data to Splunk
- Stephen Cobb at WeLiveSecurity
Siegeware: When criminals take over your smart building
- Zachary Burnham
PandoraFMS: Build and Installation Guide
UPCOMING WEBINARS/CONFERENCES
- ACELab have announced their Technology Conference on Data Recovery & Digital Forensics. The conference will be held April 26, 2019 in Prague
Save the Date: 17th ACE Lab Conference on Data Recovery Is on Its Way
- Magnet Forensics announced a Magnet User Summit in The Hague in May
Magnet User Summit 2019 is Coming to The Hague!
- Lewis Brisbois CEeDS eDiscovery will be hosting a webinar on social media evidence on March 5, 2019 at 12 PM ET/9 AM PT
The Scope of Social Media and Evidentiary Considerations
PRESENTATIONS/PODCASTS
- Richard Frawley at ADF describes how to perform a live scan using DEI
How to Conduct a Live Forensic Scan of a Windows Computer
- There were a couple of videos by Cellebrite about their latest UFED Ultimate release
- On this week’s Digital Forensic Survival Podcast, Michael discusses some methods of comparing files and folders
DFSP # 157 – File Comparison Strategies
- Forensic Focus shared a couple of presentations from DFRWS EU 2018
- Hiroshi Soeda at JPCERT continues the overview of the 2019 Japan Security Analyst Conference
Japan Security Analyst Conference 2019 -Part 2-
- OALabs have uploaded a tutorial that covers “the basics of debugging malware with WinDbg”, as well as an accompanying cheat sheet
WinDbg Basics for Malware Analysis
- Craig Rowland at ‘Sandfly Security’ explains “why having no active intruder monitoring on Linux is a very bad idea and why you should be watching your Linux boxes for active intruders all the time”
Why You Must Monitor Linux for Signs of Intruders
- Martijn Grooten at Virus Bulletin shares Thaís Moreira Hamasaki’s 2018 paper and presentation
VB2018 paper: Analysing compiled binaries using logic
MALWARE
- CERT Polska
Strengthening our malware analysis capabilities
- Check Point Research
North Korea Turns Against New Targets?!
- Max Gannon at Cofense
A Closer Look at Why the QakBot Malware Is So Dangerous
- CrowdStrike
- Cybereason
Unleashing the True Potential of MITRE ATT&CK- Creating an Adversary Emulation Plan with the MITRE ATT&CK Framework
- Xiaopeng Zhang at Fortinet
Analysis of a Fresh Variant of the Emotet Malware
- Wren Balangcod at G Data
Distributing Malware – one “Word” at a Time
- Matt at ‘Bit_of_Hex’
Base64 Encoded File Signatures
- Palo Alto Networks
- Liana Parakesyan at Polito
Using Intezer Analyze to Reveal Malware Ancestry and Assist Incident Response and Forensic Investigations
- Robert Simmons
- SANS Internet Storm Center
- Know What You Are Logging, (Mon, Feb 18th)
- Video: Finding Property Values in Office Documents, (Sun, Feb 17th)
- Identifying Files: Failure Happens, (Tue, Feb 19th)
- More Russian language malspam pushing Shade (Troldesh) ransomware, (Wed, Feb 20th)
- Simple Powershell Keyloggers are Back, (Thu, Feb 21st)
- Konstantin Zykov at Kaspersky
ATM robber WinPot: a slot machine instead of cutlets
- Cisco’s Talos
- Don Ovid Ladores, Michael Jhon Ofiaza and Gilbert Sison at Trend Micro
Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability
MISCELLANEOUS
- The guys at Cyber Forensicator shared that “Packt Publishing has released the second edition of Learning Python for Forensics by Preston Miller and Chapin Bryce”
The Second Edition of Learning Python for Forensics has been released
- There were a few posts on Forensic Focus this week
- “BlackBag Technologies and Image Analyzer Announce a Partnership to Provide Advanced Image Categorization for Triaging Photos and Videos in BlackLight”
BlackBag Technologies And Image Analyzer Partner For Advanced Image Triage
- Götz Güttich reviewed Oxygen Forensic Detective 11.0.1.12
Review: Oxygen Forensic Detective 11.0.1.12 From Oxygen Forensics
- They remind us that early bird registration for DFRWS EU ends on the 3rd March
DFRWS EU Early Bird Registration Ends Soon
- Scar shares her top news items from the last month
Digital Forensics News February 2019
- Nathan Little at Gillware shares some advice on putting together an incident response plan
Incident Response Planning 101: Simplification and Preparation are Key
- Magnet Forensics posted a couple of times this week
- They announced a partnership with Grayshift, so that they will be distributing the Graykey devices
Magnet Forensics and Grayshift, Partnering to Preserve Justice
- And described some of the additional data that is available in a full file system extraction over a standard backup
Maximizing the Partnership Between GrayKey and Magnet AXIOM
- The 2019 Q1 VirusShare.com MantaRay Forensics Refined Hash Sets (update 2) were released
Check out @MantaRay4ensics’s Tweet
- MSAB have released a free transition course to teach people the improvements made between the discontinued XRY Reader and the newer XAMN Viewer tool
Free online XRY Reader to XAMN Viewer transition course now available
- Jason L. Covey at Paraben Corporation discusses the potential pitfalls in mobile forensic acquisition and examination.
Mobile Forensics for Me but Not for Thee
- Chet Hosmer at Python Forensics shares his 2018 presentations
- Ron at Janky Robot shares an ASCII conversion chart that he found useful during the GCIA exam
Handy ASCII chart for packet and script decoding
- Ryan Benson at dfir.blog shares a fantastic visualisation tool for Google Chrome artefacts over time. This is super useful for going back to look at what you should expect for different versions of Chrome. Now if someone could do that for every other browser…
Capturing Chrome’s Evolution
- The students at Champlain College introduced their project of evaluating Elcomsoft’s tools
Elcomsoft Tool Evaluation Blog 1
- Over on my ThinkDFIR blog I shared a few little tricks for extending Eric’s KAPE tool.
KAPE Tricks
SOFTWARE UPDATES
- Alexis Brignoni updated his iOS Mobile Installation Logs parser to add support for utf-8 encoding
Check out @AlexisBrignoni’s Tweet
- Binalyze released IREC v1.7.1 with additional collection features and bug fixes
Version 1.7.1
- DVRConv was updated to v12801
DVRConv Update 12801: Support for More New Formats, Format Variants and Timestamps
- CyLR 2.1.0 was released
CyLR 2.1.0
- Didier Stevens updated oledump to v0.0.41
Update: oledump.py Version 0.0.41
- Elcomsoft released iOS Forensic Toolkit 5.0, enabling iOS 12 physical extraction.
Elcomsoft iOS Forensic Toolkit 5.0 enables iOS 12 physical extraction
- Eric Zimmerman updated PECmd, AmcacheParser, EZViewer, bstrings, and KAPE
ChangeLog
- ExifTool 11.28 was released with new tags and bug fixes
ExifTool 11.28
- GetData released Forensic Explorer v4.4.8.8270 adding support for Win10 prefetch files, and improving the display view
20 Feb 2019 – v4.4.8.8270
- Magnet Forensics released Axiom 2.10, updating and adding a number of new apps and artefacts
Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10
- Maxim Suhanov released a minor update to his NTFS file system parser
1.0.0-beta5
- Metadata Interrogator v0.6 was released
v0.6 – Starling
- AChoir v3.1(a) was released with script updates
AChoir v3.1(a)
- Radare v3.3.0 Codename: BONELESS PIZZA was released
v3.3.0 Codename: BONELESS PIZZA
- TZWorks released their Feb 2019 build of tools, including a new Chrome parsing utility
Feb 2019 build (package)
- X-Ways Forensics 19.8 SR-1 was released with some minor improvements and bug fixes
X-Ways Forensics 19.8 SR-1
- YARA 3.9.0 was released with some improvements and bug fixes
YARA 3.9.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!