Links only for the Threat Hunting and Malware Analysis sections this week.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ demonstrates how to analyse Win10 memory
Forensic analysis of Windows 10 compressed memory using Volatility
- Arnau Gàmez at Arsenal Consulting shared his research, and a script for decoding the view tokens seen in Gmail URLs.
Digging Deeper into Gmail URLs & Introducing Gmail URL Decoder
- Heather Mahalik at Cellebrite describes a few useful forensic artefacts for tracking a person’s location or activity from the data on their mobile device
If I Were an Investigative Profiler for a Day
- Adrian Denkiewicz at CQURE Academy provides an overview of Alternate Data Streams and how they may be utilised to hide data
[CQLabs] Alternate Data Streams
- Oleg Afonin at Elcomsoft describes some of the mobile data that may reside on a desktop computer.
Extended Mobile Forensics: Analyzing Desktop Computers
- Maxim Suhanov explores data held in shadow copies using his NTFS file system parser.
Things you probably didn’t know about shadow copies
- Sandfly Security demonstrate how to use utmpdump on Linux to detect log tampering
Using Linux utmpdump for Forensics and Detecting Log File Tampering
- Sandor Tokesi at Forensics Exchange has started a small series on collecting USB artefacts on Win10 and begins by describing the various event logs and event IDs you should keep an eye out for
USB storage forensics in Win10 #1 – Events
- Francesco Picasso at Zena Forensics shares a script for decrypting “HiSuite and KoBackup backups”
Huawei backup decryptor
- Iria Piyo looks at the effects of file system tunnelling on files downloaded with wget
NTFS tunnelling and FileDownload (2)
- Pieces0310 explains that you can identify a public IP address for the users in a LINE chat from a packet capture
Find out “Who” and “Where” – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
Anti- techniques refresh A.D. 2019
- Adam Chester at XPN
Analysing RPC With Ghidra and Neo4j
- Brandon Levene at ‘Anton on Security’
Guest Blog: Attribution Is NOT Your Top Security Concern!
- Richard Bejtlich at Corelight
What did I just see? Detection, Inference, and Identification
- Gayle Kennedy at Countercept
Why should you care about MITRE?
- Cyber Triage
Intro to Incident Response Triage (Part 4): User Logins
- Rich Mogull at DisruptOps
Breaking Attacker Kill Chains in AWS: IAM Roles
- Paul Ewing and Ross Wolf at Endgame
EQL’s Highway to Shell
- Andy Applebaum at Mitre ATT&CK
Getting Started with ATT&CK: Assessments and Engineering
UPCOMING WEBINARS/CONFERENCES
- Jason Bevis at Cylance will be hosting a webinar about how they pair automation with ATT&CK on August 15, 2019 at 10:00 AM PDT / 1:00 PM EDT
Webinar: The Power of 2: How Automated Threat Hunting & ATT&CK Can Work Together
PRESENTATIONS/PODCASTS
- AccessData uploaded a number of videos to their YouTube channel
- Andrea Lazzarotto has uploaded his presentation on WhatsApp message tampering. It’s in Italian, but Andrea has gone to the trouble of syncing up the subtitles for us
“Consequences and detection of WhatsApp messages tampering”
- BlackBag Technologies have released an on-demand webinar by Ashley Hernandez on the latest time-saving features in BlackLight
Timesaving Techniques for Your Next Case
- BlackBag Technologies also shared a couple of videos surrounding their integration with Semantics 21
- On this week’s Digital Forensic Survival Podcast, Michael spoke about Credential Guard, introduced in Win10
DFSP # 180 – Credential Guard
- Magnet released a webinar by Sal Aziz, Tarah Melton, and Warren Pamukoff on how some of their recent additions to Axiom can assist ICAC investigations
Addressing The Challenges Of ICAC Investigations
- as well as a video on using their newly updated Timeline feature for IP theft investigations
AXIOM at Work: Timeline Explorer for IP Theft
- The presentations from “Objective by the Sea” v2.0 were uploaded to YouTube
- Ryan Benson at dfir.blog shared the section of his 2018 SANS DFIR Summit presentation regarding LocalStorage
Deciphering Browser Hieroglyphics: LocalStorage (Part 2)
- SANS shared Dave Herrald and Ryan Kovar’s talk from the 2019 CTI Summit
How to Use and Create Threat Intelligence in an Office 365 World – SANS CTI Summit 2019
- I recorded my ‘This Month In 4n6’ podcast for July
This Month In 4n6 – July – 2019
MALWARE
- Alexandre Borges
Malwoverview
- Swee Lai Lee at Carbon Black
CB TAU Threat Intelligence Notification – MegaCortex Ransomware
- Check Point Research
Cobalt Group Returns To Kazakhstan
- Nick Biasini, Chris Neal and Matt Valites at Cisco’s Talos
Malvertising: Online advertising’s darker side
- Cisco’s Talos
New Re2PCAP tool speeds up PCAP process for Snort rules
- Cylance
An Introduction To Code Analysis With Ghidra
- Adi Zeligson and Rotem Kerner at enSilo
DealPly Revisited: Leveraging Reputation Services To Remain Under The Radar
- Nick Harbour at FireEye
Announcing the Sixth Annual Flare-On Challenge
- Jason Reaves and Joshua Platt at Flashpoint
The Challenges of Cobalt Strike Server Fingerprinting
- Bianca Soare at Heimdal Security
Android Malware: Your Mobile Device Isn’t Safe from Hackers
- Shaul Holtzman at Intezer
- JPCERT/CC
- Malwarebytes Labs
- McAfee Labs
- OALabs
REvil Ransomware Unpacked – Cheeky Hack To Build Import Address Table
- Nathaniel Quist at Palo Alto Networks
Rocke’in the NetFlow
- Petter Potts at PepperMalware
Analysis of the Frenchy Shellcode
- Christie Ott at Rapid7
How to Automate Threat Hunting with SOAR for Faster Response Times
- Del Armstrong at Red Canary
Frankenstein was a hack: the copy/paste cryptominer
- SANS Internet Storm Center
- Threat Recon
SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
- Makoto Shimamura at TrendMicro
Keeping a Hidden Identity: Mirai C&Cs in Tor Network
- VMRay
Stepping into the Breach: Improving Security Researchers’ Ability to Dynamically Analyze MacOS Malware at Scale
- Yoroi
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ comments on the state and future of DFIR investigations – with applications changing so frequently, vendors will struggle to keep up, and when they can’t, having the skills (or friends with skills) to parse application data is critical.
The Application Era of Digital Forensics
- Richard Frawley at ADF demonstrates “how to create a forensic backup of an Android smartphone or tablet with Mobile Device Investigator”
How to Create a Forensic Backup of an Android Device with MDI
- Brett Shavers wrote a few posts this week
- He covers some things to consider when attempting to tie a computer’s personalisation settings to a person
Personality of a computer
- as well as the benefits of creating your own test images, or what to be aware of when using third-party made test sets
The best forensic test image ever!
- and a great article on ways to ruin/avoid ruining a DFIR investigation
10 Ways to Ruin a DFIR Investigation (Fighting DFIR Monsters)
- Hartek at “Follow The White Rabbit” reviews Belkasoft Evidence Centre
[REVIEW] Belkasoft Evidence Center
- There were a few posts on Forensic Focus this week
- They demonstrate how to use Belkasoft Evidence Centre to perform a remote acquisition
How To Perform Remote Acquisitions With Belkasoft Evidence Center
- Christa Miller describes the variety of places that digital forensics skills can be of assistance
Career Paths In Digital Forensics: Practical Applications
- and Scar interviewed Lodrina!
Interview With Lodrina Cherne, Product Manager, Cybereason
- They also continued their ‘What’s Happening In Forensics’ series
- Katie Nickels at ‘Katie’s Five Cents’ shares some tips for surviving infosec cons in the lead-up to Hacker Summer Camp
Ten Tips for Thriving at Infosec Cons
- Trey Amick at Magnet Forensics demonstrates the performance improvements made between the recently released and previous version of Axiom
APFS Performance Improvements with Magnet AXIOM 3.4
- Luis Martinez at Persistent 4n6 shares his experience at the recent SANS DFIR Summit
Momentum and Inspiration – SANS DFIR Summit 2019
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — July 28 to August 3
SOFTWARE UPDATES
- AceLab released “new versions of PC-3000 Express/UDMA-E/Portable Ver. 6.6.35, PC-3000 SAS Ver. 6.6.35, Data Extractor Ver. 5.9.22, Data Extractor RAID Edition Ver. 5.9.22, PC-3000 SSD Ver. 2.7.11”
- AChoir v3.7 was released
AChoir Release v3.7
- Apache Tika 1.22 was released
01 August 2019: Apache Tika Release
- Arsenal released v3 of their Image Mounter tool
Check out @ArsenalRecon’s Tweet
- Autopsy 4.12.0 was released
Autopsy 4.12.0
- IMF Security released LOG-MD v2.2.1
LOG-MD version 2.2.1 is available
- Eric Zimmerman updated Registry Explorer, EZViewer, EvtxECmd, and KAPE
ChangeLog
- ExifTool 11.60 was released with new tags and bug fixes
ExifTool 11.60
- Oxygen Forensics released v11.5 of their Detective product
Oxygen Forensic Detective 11.5 Offers Facial Recognition
- GetData released Forensic Explorer v4.8.4.8694
01 August 2019 – 4.8.4.8694
- “A new version of MISP (2.4.112) has been released with a host of API fixes, improvements and a security fix.”
MISP 2.4.112 released (aka summer fixes and improvement)
- OpenText updated the Tableau Firmware Updater to v7.29, which affects the TD2u product
Tableau Firmware Revision History
- OSForensics v7.0 build 1000 was released
V7.0 build 1000 31st July 2019
- radare2 v3.7.0 was released
r2-3.7.0 – Codename TopHat
- Ryan Benson updated Hindsight to v2.4.0
Hindsight v2.4 Adds JSONL Output
- SalvationData announced the release of Video Investigation Portable 2.0
[Product Launch] DVR Forensics: The Sophisticated Video Evidence Capturer-VIP2.0 Official Released Now!
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!