Had an exciting week in Singapore with the students of the FOR500 Windows Forensics Analysis class and learned a lot about content delivery and teaching from Ovie! Plus a chance to hang out with the other great instructors that were in town.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped Software demonstrates how to use Authenticate to extract and examine an image embedded in a PDF
Is your image embedded in a PDF file? No worries, Amped Authenticate can handle that!
- Christian at IT-Dad demonstrates how to use the OSIRT Browser to collect evidence from the Internet
The "OSIRT Browser" – Collecting Evidence Online
- The guys at Cyber Forensicator share a paper by Tajvinder Singh Atwal, Mark Scanlon and Nhien-An Le-Khac regarding the macOS Spotlight metadata store
Shining a light on Spotlight: Leveraging Apple's desktop search utility to recover deleted file metadata on macOS
- Manuel Guerra at Glider examines data remnants in RAM from the Tor Browser
Tor Forensics Advanced. Part 2
- Hideaki Ihara at port139 looks at the actions that cause a 1149 event to be logged on Win10
RDP and ID 1149 "Remote Desktop Services: User authentication succeeded:"
- Joshua Hickman at 'The Binary Hick' examines data created by the Google Search box on Android devices and identifies that tools aren't necessarily identifying this information
Google Search Bar & Search Term History – Are You Finding Everything?
- Marcos at 'Un minion curioso' walks through some initial steps when performing memory analysis
#DFIR: First steps with Volatility
- Matt Seyer posted a couple of times this week
  - The first was a post about building momentum by breaking up large projects into smaller ones. This adds a sense of accomplishment, and over time small steps make big leaps.
  Small Wins and Momentum
  - Matt also describes the process of adding "Task and Operation enumeration for ETW events" to his ETW monitoring script.
  Opcode And Task Enumeration. and shell items?
- The students at Champlain College posted a few times this week
  - The first post related to data destruction
  Data Recovery – Blog 1
  - And the second to data recovery
  Data Recovery Blog 2
  - Another team evaluated a number of Elcomsoft tools
  Elcomsoft Tool Evaluation Blog 2
  - The Wearables team provided an update on their examination of a Samsung Galaxy Watch
  Wearable Forensics Update
THREAT INTELLIGENCE/HUNTING
- Vectra
Visibility, detection and response using a SIEM-less architecture
- Black Hills Information Security
BHIS PODCAST: Tracking attackers. Why attribution matters and how to do it.
- Carbon Black
Mature Your Threat Hunting by Testing Your Visibility
- Check Point
Check Point Forensic Files: A New Monero CryptoMiner Campaign
- Cyber Forensicator
Incident Forensics Lifecycle
- Cybereason
Delayed Detections in MITRE ATT&CK: What Do They Mean for a Business?
- FireEye
SilkETW: Because Free Telemetry is … Free!
- Kirtar Oza
ThreatHunting for Linux – aligned with MITRE's ATT&CK
- Red Canary
Getting Started with ATT&CK? New Report Suggests Prioritizing PowerShell
- z3rotrust
Steg Challenge_March 2019: A Lesson on the Dangers of Steg Malware
- Zachary Burnham
Creating a Multi-Node ELK Stack
UPCOMING WEBINARS/CONFERENCES
- Richard Frawley at ADF will be hosting a webinar on investigating child exploitation cases on Wednesday, April 10, 2019 / 10:00 AM EST
Investigating Child Exploitation Cases
PRESENTATIONS/PODCASTS
- On this week's Digital Forensic Survival Podcast, Michael discusses the Social Engineering Toolkit
DFSP # 161 – Social Engineering Toolkit
- Forensic Focus shared a couple of presentations from DFRWS US/EU 2018
- Jamey Tubbs at Magnet Forensics walks through keyword searching in Axiom
Magnet AXIOM Keywords and Unicode — A Minute with Magnet: Tips & Tricks Edition
- Richard Davis at 13Cubed has put together a video on Eric Zimmerman's KAPE tool
Introduction to KAPE
- Steve Whalen and Manoj Kumar at Sumuri discuss imaging Macs with T2 chips using Recon Imager
RECON IMAGER | T2 Chipset Macs without Decryption
- Martijn Grooten at Virus Bulletin shared Yoni Moses and Yaniv Mordekhay's presentation from VB2018 titled "Android app deobfuscation using static-dynamic cooperation"
VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation
MALWARE
- Joe Security
Ransomware is not dead – a light analysis of LockerGoga
- Carbon Black
- CrowdStrike
- Cyber.wtf
Using IDA Python to analyze Trickbot
- Flashpoint
FIN7 Revisited: Inside Astra Panel and SQLRat Malware
- Forcepoint
LockerGoga ransomware – how it works
- Hasherezade
Unpacking Baldr stealer
- Hexa at Brokesec
We Got One!!!
- Objective-See
- Palo Alto Networks
- SANS Internet Storm Center
  - Video: Maldoc Analysis: Excel 4.0 Macro, (Sun, Mar 17th)
  - Wireshark 3.0.0 and Npcap: Some Remarks, (Mon, Mar 18th)
  - Using AD to find hosts that aren't in AD – fun with the [IPAddress] construct!, (Wed, Mar 20th)
  - New Wave of Extortion Emails: Central Intelligence Agency Case, (Thu, Mar 21st)
  - Introduction to analysing Go binaries, (Fri, Mar 22nd)
  - "VelvetSweatshop" Maldocs, (Sat, Mar 23rd)
- Securelist
AZORult++: Rewriting history
- Cisco's Talos
Ransomware or Wiper? LockerGoga Straddles the Line
- NCC Group
Chafer backdoor analysis
- Yoroi
The Document that Eluded AppLocker and AMSI
MISCELLANEOUS
- Dave Cowen at the 'Hacking Exposed Computer Forensics Blog' continued his daily blogging
  - Jonathan Yan won last week's Sunday Funday challenge on AWS evidence sources
  Daily Blog #645: Solution Saturday 3/16/19
  - This week's challenge relates to data sources on Azure Compute, and Dario B provided the winning answer
  Daily Blog #646: Sunday Funday 3/17/19
  - Dave will be heading to Security West in San Diego to teach the FOR500 class; I'm sure it'll be a great class to attend!
  Daily Blog #647: Windows Forensics in San Diego
  - Dave gives some tips for streaming your own test kitchen
  Daily Blog #648: How to stream your own test kitchen
  - As well as picking something to test
  Daily Blog #649: How to pick something to test
- Andrea Fortuna at 'So Long, and Thanks for All the Fish' demonstrates cracking an XLSX file using John the Ripper
Cracking Microsoft Excel Documents using John The Ripper
- Brett Shavers comments on overcommitment in DFIR, where examiners follow a process without deviating regardless of the situation
Overcommitted in DFIR
- Christian at IT-Dad describes the Computer Forensics Fundamentals course on Udemy
Free IT Forensics Courses Part IV – Udemy
- Hadar Yudovich at 'DFIR Dudes' takes a look at the mac_apt macOS parser and identifies that the biplist Python library is marking certain valid plists as invalid, as well as creating a plugin to parse LaunchDaemons
Mac Forensics — No One Said It Would Be Easy
- Didier Stevens advises that his PDF tools can examine a document stored online by passing in the URL directly
Quickpost: PDF Tools Download Feature
- DME Forensics shares a post about modifying your USB power settings so that devices don't power down when your computer is unattended
Update Power Settings to Scan and Export Video Unattended
- Jade James at Forensic Focus provides a recap of Forensics Europe Expo London 2019
Forensics Europe Expo London 2019 – Recap
- Jaco at 'The Swanepoel Method' continues to compare the four forensic suites, this time against the "'Misc' section of questions from the 2018 MUS CTF"
#ForensicMania S01E02 – MISC
- Paraben Corporation has released a free e-book on mobile device seizure
First Responders Guide
- Ryan Campbell at 'Security Soup' shares his infosec news picks of the week
Weekly News Roundup — March 10 to 16
- Antonio at 'Security Art Work' continues the series on writing security incident reports, covering some additional tips and tricks
How to Write Security Incident Reports
- There's a post on the Sumuri website discussing the potential problems with imaging a Mac with a T2 chip
Imaging APFS Snapshots Within T2 Chipset Macs
- Over on my ThinkDFIR blog I updated Alexis Brignoni's and my KnowledgeC parser. The updated version now decodes the NSData protobuf-encoded data, as well as parsing both iOS 11 and 12 databases in a single script
Updating the KnowledgeC Parser
- Mary Ellen Kennel at 'What's A Mennonite Doing In Manhattan?!' describes some of her recent updates to AboutDFIR
- John Patzakis at X1 provides an update on the effects of Federal Rule of Evidence 902(13)(14)
Rule of Evidence 902(13)(14) Update: States Begin Adoption, First Case Citations
- Yulia Samoteykina at Atola posted a couple of walkthroughs for imaging using their products
SOFTWARE UPDATES
- AccessData released a new version of Quin-C with some additional features
New Version of AccessData's Quin-C Software Features Enhanced Automation Tools for Legal Teams
- CDQR 4.4.0 was released with some bug fixes
CDQR 4.4.0
- Cellebrite released Physical Analyzer 7.16, updating support for common chat apps
Keep up-to-date with the latest app versions.
- "Elcomsoft Explorer for WhatsApp 2.70 offers small improvements and resolves compatibility issues with WhatsApp backups in Apple iCloud, iCloud Drive and Google Accounts."
Elcomsoft Explorer for WhatsApp Supports iOS 12, New Google Drive Backups
- Eric Zimmerman updated MFTECmd to "fix [an] issue with --de complaining about destination path"
ChangeLog
- GetData released Forensic Explorer v4.6.8.8414, adding APFS support, IE 10/11 database parsing and other updates
21 Mar 2019 – v4.6.8.8414
- Input-Ace released v2.4.1
Introducing Version 2.4.1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!