As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ has released a new script for pulling out plists found embedded within the iOS KnowledgeC database. I came to Alexis with a problem of automating the extraction of these plists and he delivered in spades.
iOS Bplist Inception
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- This week’s Sunday Funday relates to evidence of file access on MacOS Mojave. The winning solution was submitted by Amy Francis, and I posted up my solution as well.
Daily Blog #630: Sunday Funday 2/24/19
- Dave advises that they tested Elcomsoft iOS Toolkit against an iOS 12 iPhone and were successfully able to acquire a full file system image.
Daily Blog #631: Elcomsoft IOS Toolkit and IOS 12
- As well as sharing a guide by Kevin Stokes on acquiring an iOS 12 device
Daily Blog #632: Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1
- Dave asks if anyone knows if there is a log to identify if and when Google Takeout was used on a GSuite account
Daily Blog #633: Things you can’t find in Gsuite logs for $100
- And shares details of a false positive identified by Amazon GuardDuty
Daily Blog #634: AWS GuardDuty false positives
- Howard Oakley at ‘The Eclectic Light Company’ shares a method of recovering a corrupt PDF on MacOS taking advantage of previous versions.
Recovering a damaged document
- Justin Boncaldo describes the various artefacts that one can examine when looking for evidence of file access (and program execution) on Windows and MacOS
DFS #9: What files were recently accessed?
- Marcos at ‘Un minion curioso’ looks into Win10’s USB removal scheduled task and confirms Adam Harrison’s previous work on the subject
#DFIR: Windows and its anti-forensic side, (Plug and Play Cleanup and setupapi[.]dev)
- Maxim Suhanov discusses unallocated data found in allocated files on NTFS file systems and gives the example of the $Extend\$RmMetadata\$Repair file
NTFS: unallocated data marked as allocated
- Pablo Espada at ‘Perito Informático’ has an article on acquiring a rooted mobile device by DD-ing the data to an inserted microSD card
Cómo realizar una adquisición física en Android con “dd”, incluso cuando no tienes tarjeta SD – Parte 2 (How to perform a physical acquisition on Android with “dd”, even when you don’t have an SD card – Part 2)
- Ryan Benson at dfir.blog shares some of the values in the Chrome source that are useful in identifying program/user actions.
Chrome Values Lookup Tables
- Troy Schnack examines the ChatHour Android app
ChatHour Chat/Messaging – Android
- Kasasagi at ‘Padawan 4n6’ looks at the data retained by the Input Method Editor on MacOS
Mac OSXのIME(Input Method Editor)アーティファクトに関して (About Mac OS X IME (Input Method Editor) Artifacts)
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Ben Bornholm at HoldMyBeer
Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals
- Cyber Forensicator
- Flashpoint
- Maki
PCAP Analysis
- Daniel Berman at Logz.io
Monitoring Azure Activity Logs with Logz.io
- John Wunder at MITRE ATT&CK
Building an ATT&CK Sightings Ecosystem
- Olaf Hartong
Keeping an eye out for new detection content
- Jeff van Geete at 401TRG
An Introduction to Exploratory Data Analysis with Network Forensics
- Secureworks
State of the [BRONZE] UNION Snapshot
- Jose L. Villalón at ‘Security Art Work’
Analizando nuestra red (IV) (Analysing Our Network (IV))
- Will at SpecterOps
A Case Study in Wagging the Dog: Computer Takeover
- Velociraptor
Agentless hunting with Velociraptor
- Zachary Burnham
ELK + Beats: Securing Communication with Logstash by using SSL
UPCOMING WEBINARS/CONFERENCES
- AccessData will be hosting a User Summit In Las Vegas, April 8-11
AccessData To Host 2019 User Summit In Las Vegas, April 8-11
PRESENTATIONS/PODCASTS
- Magnet Forensics shared the recorded webinar by Aaron Sparling and Jessica Hyde on memory analysis
Recorded Webinar: Memory Analysis for Investigations of Fraud and Other Wrongdoing
- A new episode of the ‘Brakeing Down Incident Response’ podcast was released
Episode 010
- Didier Stevens uploaded a video demonstrating stream objects in PDF
PDF: Stream Objects (/ObjStm)
- On this week’s Digital Forensic Survival Podcast, Michael talks about “Broken Access Control”
DFSP # 158 – OWASP: Broken Access Control
- Forensic Focus shared a presentation from DFRWS US 2018 and DFRWS EU 2018
- Adrian Crenshaw shared the videos from BSides Columbus 2019
- Mathias Fuchs at Cyberfox describes the RunMRU registry key
DFIR120 – RunMRU
- “Craig Rowland [at Sandfly Security] goes over the basics behind using command line tools on Linux to look into a suspicious process”
Using Command Line Tools to Find Process Masquerading Linux Malware
- SANS shared a couple of videos this week
- I recorded my ‘This Month in 4n6’ for February
This Month In 4n6 – February – 2019
- Helen Martin at Virus Bulletin shared a presentation from VB2018 by Michael Daniel from the Cyber Threat Alliance
VB2018 presentation: Levelling up: why sharing threat intelligence makes you more competitive
MALWARE
- Carbon Black
- DFIR IT
The Supreme Backdoor Factory
- Ben Hunter at Ensilo
Cyax Malware – Evasive Loader Reemerges
- Moritz Raabe at Fire Eye
FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings
- Josiah Smith at InQuest
Quick Analysis of A Customer Malspam Encounter
- Ignacio Sanmillan at Intezer
Technical Analysis: Pacha Group Deploying Undetected Cryptojacking Campaigns on Linux Servers
- Lenny Zeltser walks through the process of setting up a free Windows VM for malware analysis
How to Get and Set Up a Free Windows VM for Malware Analysis
- Jérôme Segura at Malwarebytes Labs
New Golang brute forcer discovered amid rise in e-commerce attacks
- Diwakar Dinkar at McAfee Labs
JAVA-VBS Joint Exercise Delivers RAT
- Morphisec
- Palo Alto Networks
- Ryan Campbell at ‘Security Soup’
How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 2
- Didier Stevens at the SANS Internet Storm Centre Handler Diaries
Maldoc Analysis by a Reader, (Wed, Feb 27th)
- The ASERT team at Netscout
Introducing the NETSCOUT Threat Intelligence Report – Findings from Second Half 2018
- Alfredo Oliveira at TrendMicro
Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware
- Utkonos
AlphaBlend Campaign Part 3
- Adrian Luca and Ionuţ Răileanu at Virus Bulletin
The malspam security products miss: Emotet, Ursnif, and a spammer’s blunder
MISCELLANEOUS
- ACELab have announced “a new PC-3000 SAS 6 Gbit/s System paired with PC-3000 Express RAID System or PC-3000 SAS 6 Gbit/s RAID System paired with PC-3000 Express System will turn your tools into the PC-3000 Hybrid System.”
Turn your PC-3000 tools into the PC-3000 Hybrid System to Recover Data and Evidence from Hybrid RAID
- Richard Frawley at ADF shares a couple of tutorials on performing searches in DEI
- Marco Fontani at Amped describes how to use the batch file format analysis function in Amped Authenticate
Quick Triage with Amped Authenticate’s Batch File Format Analysis Can Save You Lots of Time
- Cellebrite reminds users that the recently End of Life’d UFED 1 devices should be returned to Cellebrite, as per the user agreement, and not sold on eBay
End of Life Options for Your Cellebrite Equipment
- Christian at IT-Dad gives an overview of the Digital Forensics Basics course that he did through MyTEEX
Kostenlose IT-Forensik Kurse Teil I – MyTEEX (Free IT Forensics Courses Part I – MyTEEX)
- There were a few posts on Forensic Focus this week
- An article was posted on acquiring Alexa and Google Home data from the cloud using Oxygen Forensic Detective, as well as briefly from mobile devices
Digital Assistants: The New Eye-Witness
- They also interviewed Greg Masterson from MSAB
Interview With Greg Masterson, Technical Sales Engineer, MSAB
- And Christa Miller, who is now a content manager of the site
Interview With Christa Miller, Content Manager, Forensic Focus
- Jaco at ‘The Swanepoel Method’ documents the processing stage of his ForensicMania showdown, describing the processing options used and the time each of the various tools took to complete.
#ForensicMania S01E01 – Processing
- Mailxaminer have written a post on various techniques that can be used in an email investigation.
Top 6 Digital Forensic Investigation Techniques For Effortless Investigation
- Ryan Benson at dfir.blog has created a collapsible indented tree that “lets you explore how the files and databases that make up the browsing history recorded in a Chrome profile have evolved through the versions”
Chrome Evolution
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — Feb. 17 to Feb. 23
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ provides an overview of the HEIC format
HEIC Yeah
SOFTWARE UPDATES
- Atola Insight Forensic 4.12 was released. Yulia Samoteykina describes the new ‘image file located on source’ feature.
Atola Insight Forensic 4.12 – Image file located on source drive
- Michael Cohen released a pre-release version of winpmem (v3.3.rc1)
Pre-release for testing only.
- Didier Stevens updated a couple of his tools this week
- DVR Examiner Version 2.6.0 was released, focusing on performance and recovery capabilities, as well as other improvements.
DVR Examiner 2.6 – New Software Update Available
- Elcomsoft Phone Viewer 4.40 was released, adding support for local Apple Health data, as well as listing trusted devices in iCloud
Elcomsoft Phone Viewer 4.40 shows trusted devices, adds local Apple Health support
- Eric Zimmerman updated a large number of his tools; the biggest rewrite was to RECmd’s batch mode, improving the speed and accuracy of wildcard searching.
ChangeLog
- ExifTool 11.29 (development) was released with new tags and bug fixes
ExifTool 11.29
- GetData released Forensic Explorer v4.4.8.8306 with some updates and bug fixes
01 Mar 2019 – v4.4.8.8306
- Maxim Suhanov released dfir_ntfs 1.0.0-beta6.
1.0.0-beta6
- XRY 7.11.1 Office Version was released with improvements to Photon and interface
Now Released: XRY 7.11.1 Office Version – With An Improved XRY Photon Feature
- Tableau Firmware Updater v7.27 was released to update the TX1 Forensic Imager to version 2.1.1 and fix some bugs
Tableau Firmware Revision History
- Various versions of X-Ways Forensics were updated with bug fixes
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!