Lee Whitfield has opened up nominations for the Forensic 4cast awards, held during the SANS DFIR Summit. This site has been nominated as blog of the year the last two years running, and it is greatly appreciated if you could take the time to nominate it again.
Forensic 4:cast Awards 2019 – Nominations are Open
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- This week’s Sunday Funday relates to the KnowledgeC database on MacOS Mojave
Daily Blog #636: Sunday Funday 3/3/19
- Dave gives some thoughts on Eric’s recently released KAPE tool
Daily Blog #638: Kape and Forensic Lunch
- Dave puts out a reminder that the CFP for the next DFRWS closes soon.
Daily Blog #639: DFRWS CFP and CFT
- And comments on Martin Korman’s newly released Registry parsing Python library
Daily Blog #640: Regipy – A new python windows registry forensics library
- There was also a Forensic Lunch this week in which Eric demoed KAPE, and Dave, Matt, and Lee discussed the Forensic 4cast awards and the nominations for the various categories
Daily Blog #641: Forensic Lunch 3/8/19 Eric Zimmerman Lee Whitfield
- Martin Korman at ‘DFIR Dudes’ has released a Python-based registry parsing library.
Regipy: Automating registry forensics with python
- Lee Whitfield at ‘Forensic 4cast’ has a post on the RecentDocs key and some of the intricacies around its reliability. As a general rule, it’s better to rely on multiple artefacts when drawing a conclusion rather than just the one
Updates to the RecentDocs Key in Windows 10
- Hideaki Ihara at port139 looks at the “isDeleted [attribute] on the ADTimeline”
Active Directory and ADTimeline(4)
- Jaco at ‘The Swanepoel Method’ compares Axiom, FTK, and EnCase on their ability to parse Firefox and Chrome histories. Almost everything appeared fine, except that EnCase hasn’t updated its Firefox support since 2017. Browser forensics can be tricky at best: browsers are updated aggressively, and their release cycles are significantly faster than those of most major tool vendors. Ideally a vendor would highlight the browser version found on the system compared to the latest version the tool supports, so the examiner can tell whether something might be missed, but I have yet to see anyone do this. Instead, you may need to determine the browser version yourself and then check the tool’s release notes to identify the latest supported version.
EnCase you were hoping to parse Firefox
- Joshua Hickman at ‘The Binary Hick’ continues his research into Google Assistant on Android Auto
OK Computer…er…Google. Dissecting Google Assistant (Part Deux)
- Koen Van Impe describes how to use Mimikatz and hashcat to extract and crack Windows credentials
Mimikatz and hashcat in practice
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
Excelling with sysmon configs
- Chris Sanders
New Course – Practical Threat Hunting
- Monty St John at CyberDefenses
What Is Cyber Intelligence?
- Fred Plan, Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, and Ben Read at FireEye
APT40: Examining a China-Nexus Espionage Actor
- Ed Miles, Paul Ferguson, Fred Davis, Justin Warner at Gigamon
Three Families in Three Days – Revisiting Prolific Crimeware To Improve Network Detection: TrickBot
- Melissa at Sketchymoose’s Blog
Extracting Files from ACE files (CVE-2019-20250)
- MITRE ATT&CK
Visualizing ATT&CK
- Scott Piper at ‘Summit Route’
- Security Response Attack Investigation Team
Whitefly: Espionage Group has Singapore in Its Sights
- Hardik Modi at Netscout
Introducing NETSCOUT’s Threat Intelligence Report
- Rohan Viegas at VMRay
Reducing Incident Response Times with Splunk Adaptive Response
UPCOMING WEBINARS/CONFERENCES
- “The Call for Papers for VB2019, the 29th Virus Bulletin Conference (London, 2-4 October) is open until Sunday 17 March.”
The VB2019 call for papers is about … papers
PRESENTATIONS/PODCASTS
- On this week’s Digital Forensic Survival Podcast, Michael discusses Linux triage methods
DFSP # 159 – Linux Triage
- Forensic Focus shared Ralph Palutke’s presentation from DFRWS EU 2018.
Styx: Countering Robust Memory Acquisition
- Richard Davis at 13Cubed demonstrates how to embed meterpreter into a signed MSI file
Your Signature Is a JAR
- Craig Rowland at Sandfly Security “talks about agentless vs. agent based security for Linux”
The Advantages of Agentless Security and Intrusion Detection for Linux
- Martijn Grooten at Virus Bulletin shared a couple of presentations from VB2018
MALWARE
- Javier Ruiz at Alienvault
Mapping TrickBot and RevengeRAT with MITRE ATT&CK and AlienVault USM Anywhere
- Bart at ‘Blaze’s Security Blog’
Analysing a massive Office 365 phishing campaign
- Hexa at Brokesec
- Check Point Research
- Aaron Riley at Cofense
Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works
- Brendon Feeley, Bex Hartley and Sergei Frankoff at CrowdStrike
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
- Didier Stevens
Analyzing a Phishing PDF with /ObjStm
- Mike Mimoso at Flashpoint
Collective Intelligence Podcast, Chris Elisan Inside GandCrab Ransomware
- Rommel Joven at Fortinet
New Stealth Worker Campaign Creates a Multi-platform Army of Brute Forcers
- Ioana Rijnetu at Heimdal Security
Security Alert: Malware is Hiding in Script Injection and Bypasses AV Detection
- Pavel Shoshin at Kaspersky Lab
Pirate Matryoshka: A nesting doll Trojan from Pirate Bay
- Pieter Arntz at Malwarebytes Labs
Spotlight on Troldesh ransomware, aka ‘Shade’
- Robert Falcone and Brittany Ash at Palo Alto Networks
New Python-based payload MechaFlounder used by Chafer
- SANS Internet Storm Center
- Trend Micro
- Rohan Viegas at VMRay
VMRay Analyzer 3.0: Raising the Bar for Automated Malware Analysis & Detection
MISCELLANEOUS
- Alexis Brignoni at ‘Initialization Vectors’ advises that Chris Weber has created a GUI for his Android Usage Stats and Recent Tasks XML file parser
UsRT – Graphical interface for Android Usagestats and Recent Tasks XML parsers.
- Tim Leehealey at AccessData describes the new database parsing feature in Quin-C
A Quick Review of Quin-Cs New Database Parsing Capabilities
- There were a couple of posts on the ADF blog this week
- Bradford Oliver describes some of the projects that are useful for law enforcement investigations into child exploitation cases
Industry Solutions for Child Exploitation Investigations
- Bret Peters interviewed Brett Shavers about his background, his work, DFIR.Training, and what motivates him
Meet Brett Shavers, DFIR Training Manager
- Brett Shavers posted a couple of times this week
- He describes a situation where, by sharing information about recent cases, he was able to help a fellow examiner make a breakthrough in their investigation
All you need is a tiny spark to solve your case.
- He also comments on a recent article by Harlan Carvey about reaching out to people
“I’ve answered questions, responded to emails, and been on phone calls…when asked.” – Harlan Carvey
- John Ahearne at DriveSavers shares a word of warning not to work beyond your expertise (for example by opening hard drives), or you risk damaging potential evidence
Digital Forensics—Don’t Risk Destroying Digital Evidence
- Michael Karsyan at ‘Event Log Explorer’ advises that the native Windows Event Viewer can no longer read EVT log files
Windows Event Viewer cannot read classic event logs anymore
- First.Org have announced “The Incident Response Hall of Fame to recognize visionaries, leaders and luminaries who have made significant contributions to the development and advance of global security. Make your nominations by Apr 1, 2019”
Check out @FIRSTdotOrg’s Tweet
- Logicube have shared a tutorial on Forensic Focus “on the optional Thunderbolt I/O card on the Forensic Falcon-NEO”
How To Install And Use The Thunderbolt I/O Card On Logicube’s Falcon-NEO
- JJ Cranford at OpenText advised that EnCase won an award for SC Magazine’s Best Computer Forensic Solution.
OpenText at RSA: EnCase wins top forensic award from SC Magazine
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — Feb. 24 to March 2
- SalvationData have a post on using the search and sort features of their DRS (Data Recovery System) product
[Tips] How to Quickly Locate Potential Key Evidence Files
- Joe at ‘Sparky.Tech’ shares how to get Zeek working on a TinkerBoard single board computer
Network Forensics on the Cheap – A $60 IDS
- SwiftOnSecurity shared an article on digital forensics gone wrong where campus IT appears to have determined that a student was hacking their systems to change her grades. As a result, the student was expelled. The main takeaways are that DFIR is a specialist skill, and just because you have a computer or work in IT doesn’t mean you understand the intricacies of a forensic investigation. Brett Shavers also shared his comments here
Check out @SwiftOnSecurity’s Tweet!
- Jim Bonifield updated volGraph and it now supports combining and displaying json outputs from a number of Volatility modules
Check out @jimbonifield’s Tweet
- Yulia Samoteykina at Atola describes how to print case reports on the TaskForce
Printing all reports from a case
SOFTWARE UPDATES
- AChoir v3.2 was released
AChoir Release v3.2
- Kshitij Kumar and Jai Musunuri at CrowdStrike have released “AutoMacTC, an open-source triage collector utility that helps investigators swiftly gather the relevant data, find answers and then eradicate adversaries from their environments.”
AutoMacTC: Automating Mac Forensic Triage
- CRU updated their WriteBlocking Validation Utility to v2019.03.06, but I couldn’t find any release notes. For those who aren’t aware, you can run this tool against a hard drive connected to any write blocker to see how the blocker fares against direct write and read commands.
Download CRU’s WriteBlocking Validation Utility
- Didier Stevens updated his pdf-parser Python script to version 0.7.1
Update: pdf-parser.py Version 0.7.1
- Eric Zimmerman updated EZViewer, Timeline Explorer and MFTECmd, and also released a new version of KAPE with a number of new features.
ChangeLog
- Evimetry 3.2.0 was released with bug fixes and improvements.
Release 3.2.0
- ExifTool 11.31 was released with a number of new tags and bug fixes
ExifTool 11.31
- Magnet Forensics have updated their AXIOM Wordlist Generator to produce an optimised wordlist of potential iOS passcodes for use with the GrayKey device
Utilizing AXIOM Wordlist Generator to Optimize Handset Lock Code Breaking
- Metaspike released Forensic Email Collector v3.7.1.0 with a number of improvements.
Forensic Email Collector (FEC) Changelog
- “A new version of MISP (2.4.103) has been released with significant UI improvements (including a new flexible attribute filtering tool at the event level), many bug fixes and a fix to a security vulnerability (CVE-2019-9482) which was affecting sighting visibility.”
MISP 2.4.103 released (aka UI improvements)
- X-Ways Forensics 19.8 SR-3 was released with some bug fixes
X-Ways Forensics 19.8
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!