Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Vance at ‘D20 Forensics’ uncovers what iOS leaves behind once an app has been deleted
iOS – Tracking Traces of Deleted Applications
- DiabloHorn shares some notes on performing forensics on ZFS / Solaris boxes
Notes on ZFS / Solaris forensics
- There were a few posts on the Elcomsoft blog this week
- Mattia Epifani examines an AppleTV
Apple TV Forensics 03: Analysis
- Oleg Afonin walks through the current state of jailbreaking iOS devices, specifically those running iOS 12.4
iOS 12.4 File System Extraction
- and Vladimir Katalov shares details about acquiring an iOS device with EIFT on Windows (but recommends macOS)
iOS Acquisition on Windows: Tips&Tricks
- OTW at Hackers-Arise demonstrates the usage of tcpdump for network forensics
Network Forensics, Part 3: tcpdump for Network Analysis
- Marco Neumann at ‘Be-binary 4n6’ shares a script for obtaining data from a running Android device using ADB. The commands listed go further than just pulling a backup and instead collect the volatile data that may be lost when the device is shut down.
Android Live data – Commands and Scripts for Linux and Windows
- The Microsoft Security Response Center team “describes how you acquire and access a Virtual Hard Disk (VHD) from a VM which has been flagged for investigation.”
Acquiring a VHD to Investigate
THREAT INTELLIGENCE/HUNTING
- Andrew Case, Matthew Meltzer, and Steven Adair at Volexity share important work looking into digital surveillance of the Uyghur people. The attacks, attributed to what appear to be Chinese APT groups, range across websites, email, and Android/iPhone platforms.
Digital Crackdown: Large Scale Surveillance and Exploitation of Uyghurs
- Mac red teaming and IR were featured in a couple of posts this week
- Phil Stokes at SentinelOne concludes his macOS IR series, including how to investigate browser history and persistence mechanisms.
macOS Incident Response | Part 3: System Manipulation
- Action Dan at LockBoxx looks at ATT&CK on macOS.
MacOS Red Teaming 208: macOS ATT&CK Techniques
- James Dorgan at /var/log/messages extends red team tooling with the idea of “C3” (Custom Command and Control).
Hunting for C3
- Adam at Hexacorn keeps sharing exe nuggets of information
- Including at scale substring corpora analysis.
MZ stub strings
- Sitting on the Lolbins, 12
- State Machine vs. Regex
- Potential tricks using new(?) APIs
- Appended data — goodware
- Beyond good ol’ Run key, Part 114
- Azeria walks through how the iOS kernel exploit unveiled last week by Google’s Project Zero starts with a linear heap overflow and goes on to a use-after-free for arbitrary reads and writes.
Heap Exploit Development – Case study from an in-the-wild iOS 0-day
- There were a couple of posts on the Check Point blog this week
- Artyom Skrobov and Slava Makkaveev share an OTA provisioning POC for certain Android phones.
Advanced SMS Phishing Attacks Against Modern Android-based Smartphones
- Mark Lechtik and Nadav Grossman look at Bemstour, an APT3 exploitation tool which incorporates EternalRomance and EternalSynergy elements.
UPSynergy: Chinese-American Spy vs. Spy Story
- Dor Sarig at Cymulate Blog asks questions about organizational APT readiness.
Myth vs. Reality — Testing Security Controls Against APTs
- Brett Hawkins at FireEye shares the new tool SharPersist, from FireEye Mandiant’s Red Team, to establish persistence on Windows using C#.
SharPersist: Windows Persistence Toolkit in C#
- Kris Oosthoek examined 900+ malware samples and mapped them to ATT&CK
ATT&CK Techniques and Trends in Windows Malware
- Olaf Hartong shares his thoughts on the latest Sysmon release.
Sysmon 10.4 release
- Joan Soriano at Security Art Work writes about how to detect DGA via algorithm.
El Quijote de caza : Una aproximación ortográfica al Threat Hunting
- Chad Loeven at VMRay recaps VMRay Analyzer’s mapping to MITRE ATT&CK, introduced earlier this year.
MITRE ATT&CK: A Rosetta Stone for the Cyber Security Ecosystem
- Luis Lubeck at WeLiveSecurity (ESET) covers basics about ATT&CK.
What is MITRE ATT&CK and how is it useful?
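Joan Soriano’s post above takes an orthographic approach to spotting algorithmically generated domains. As an added example (my code, not from the Security Art Work post and not its method), the Python below scores the registrable label of a hostname on four spelling features: vowel ratio, longest run of non-vowel characters, digit ratio and character entropy. The sample hostnames are constructed, the single-label-TLD assumption and the weights and threshold are mine, and a real deployment would tune them against the organisation’s own DNS logs and an allowlist of known-good domains.

```python
"""Toy DGA triage: rank hostnames by how unpronounceable their registrable label is.

Added example for this roundup; the heuristics, weights and sample data are the
editor's assumptions, not the Security Art Work post's method.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

VOWELS = set("aeiou")
SUSPICIOUS_THRESHOLD = 3  # assumption: tune against real traffic


@dataclass
class LabelFeatures:
    label: str
    entropy: float
    vowel_ratio: float
    longest_consonant_run: int
    digit_ratio: float


def registrable_label(hostname: str) -> str:
    """Return the label left of the TLD.

    Assumption: single-label TLDs only (no public-suffix list), so
    'foo.example.co.uk' would wrongly yield 'co'.
    """
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the label's own character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def label_features(label: str) -> LabelFeatures:
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    digits = sum(1 for c in label if c.isdigit())
    # Longest run of characters that are neither vowels nor hyphens; digits extend a run.
    longest = run = 0
    for ch in label:
        if ch in VOWELS or ch == "-":
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return LabelFeatures(
        label=label,
        entropy=shannon_entropy(label),
        vowel_ratio=vowels / len(letters) if letters else 0.0,
        longest_consonant_run=longest,
        digit_ratio=digits / len(label) if label else 0.0,
    )


def dga_score(hostname: str) -> int:
    """Additive score; each feature fires when it looks unlike natural spelling."""
    f = label_features(registrable_label(hostname))
    score = 0
    if f.vowel_ratio < 0.25:          # English text sits near 0.38
        score += 2
    if f.longest_consonant_run >= 5:  # 'rtw' in 'securityartwork' is only 3
        score += 2
    if f.digit_ratio > 0.2:
        score += 1
    if f.entropy > 3.5:               # ~12+ distinct characters in a short label
        score += 1
    return score


def is_suspicious(hostname: str) -> bool:
    return dga_score(hostname) >= SUSPICIOUS_THRESHOLD


def triage(hostnames: List[str]) -> List[Tuple[int, str]]:
    """Highest-scoring hostnames first, for an analyst to review."""
    return sorted(((dga_score(h), h) for h in hostnames), reverse=True)


# Constructed sample: three ordinary domains and three DGA-looking ones.
SAMPLE_HOSTNAMES = [
    "google.com",
    "microsoft.com",
    "securityartwork.es",
    "xk7q2vbnw9pqlz.info",
    "qwmzhtdpkvbgr.net",
    "a1b2c3d4e5f6g7h8.com",
]

if __name__ == "__main__":
    for score, host in triage(SAMPLE_HOSTNAMES):
        flag = "SUSPECT" if score >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"{score}  {flag:7}  {host}")
```

Run it as a script to see the ranked list, or feed `triage()` the unique query names from a day of DNS logs; because the scoring is per label, pre-filtering against a known-good list (Alexa/Tranco-style) removes most false positives before anyone has to read the output.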
UPCOMING WEBINARS/CONFERENCES
- Cellebrite announced a couple upcoming webinars
- Eric Oldenburg at Griffeye will be hosting a webinar on Griffeye Brain on September 18, 2019 at 3 pm CEST (9 am EDT)
Webinar: Griffeye Brain in Analyze DI Pro
- Laura Wolf at Microsoft Security Response Center announced the 2019 BlueHat Seattle CFP
BlueHat Seattle 2019 Call for Papers is Now Open!
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the recordings from DerbyCon 2019
- Black Hills Information Security shared the recording of their recent Windows logging, Sysmon, and ELK webcast
Webcast: Windows logging, Sysmon, and ELK
- On this week’s Digital Forensic Survival Podcast, Michael discusses executables on Linux
DFSP # 185 – Understanding Linux Executables
- SANS shared a couple of presentations this week
MALWARE
- Malware blog posts had a hefty dose of BlueKeep this week.
- Brandon Stultz, Holger Unterbrink and Edmund Brumaghin at Talos examine BlueKeep.
The latest on BlueKeep and DejaBlue vulnerabilities — Using Firepower to defend against encrypted DejaBlue
- MalwareTech releases details about BlueKeep.
BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
- There were a few posts on the Carbon Black blog this week
- Chrissy Morgan shares two posts about de-obfuscation and investigation
- Andrea Marcelli at Cisco Talos unveils an IDA Pro plugin (GhIDA) and a Docker container with Ghidra as a Service (Ghidraaas).
GhIDA: Ghidra decompiler for IDA Pro
- Matthew McWhirt at FireEye introduces the latest ransomware report (22 page PDF).
Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment
- Dario Durando at Fortinet looks at Android logging malware which may be related to FakeSpy.
FunkyBot: A New Android Malware Family Targeting Japan
- Kaspersky Lab looks at back to school threats including “122,000 attacks by malware that was disguised as textbooks.”
Student surprise: malware masked as textbooks and essays
- There were a couple of posts on the Malwarebytes blog this week
- Jovi Umawing shares how TrickBot may tamper with website text.
TrickBot adds new trick to its arsenal: tampering with trusted texts
- Jérôme Segura examines the Domen toolkit.
New social engineering toolkit draws inspiration from previous web campaigns
- Marco Ramilli gives an example for anyone interested in malware in the MBR.
Writing Your First Bootloader for Better Analyses
- Shay Kels and Amir Rubin at Microsoft Security share how using NLP and deep learning can improve threat detection.
Deep learning rises: New methods for detecting malicious PowerShell
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Daniel Bunce at SentinelOne concludes a series on reversing the Gootkit banking trojan.
Gootkit Banking Trojan | Part 3: Retrieving the Final Payload
- TrendMicro had a few posts this week
- Hiding in Plain Text: Jenkins Plugin Vulnerabilities
- Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
- Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion
- Malware Classification with ‘Graph Hash,’ Applied to the Orca Cyberespionage Campaign
- Trustlook examines the latest VT feeds.
VirusTotal APK Malware Detection Data – Week 35: 20190826-20190901
- Tyranid’s Lair writes about becoming TrustedInstaller via the Task Scheduler.
The Art of Becoming TrustedInstaller – Task Scheduler Edition
- Martijn Grooten at Virus Bulletin previews an upcoming VB2019 talk by Bobby Filar of Endgame on LOLbins and malicious parent-child process relationships.
VB2019 preview: Problem child: common patterns in malicious parent-child relationships
- Yoroi had a couple of malware writeups
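The VB2019 preview above concerns common patterns in malicious parent-child process relationships. As an added example (my code, not from the talk, Virus Bulletin or Endgame), the Python below runs three such rules over constructed Sysmon-style process-creation events: an Office application spawning a shell or LOLBin, WmiPrvSE.exe spawning a shell, and a well-known system binary whose parent is not the one expected. The event records, field names and rule tables are assumptions modelled on Sysmon Event ID 1 and are a starting point to tune, not a complete list.

```python
"""Flag suspicious parent-child pairs in Sysmon-style process-creation events.

Added example for this roundup. Events are constructed; the rule tables are the
editor's assumptions and would be extended and tuned for a real estate.
"""
from dataclasses import dataclass
from typing import Dict, List

# Children that are rarely legitimate when an Office app or WMI is the parent.
SHELLS_AND_LOLBINS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# System binaries whose legitimate parent is well known (assumption: default Windows).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    child: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply every rule to one event; an event may trigger more than one rule."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    cmd = event.get("CommandLine", "")
    findings = []
    if parent in OFFICE_APPS and child in SHELLS_AND_LOLBINS:
        findings.append(Finding("office_spawns_shell", parent, child, cmd))
    if parent == "wmiprvse.exe" and child in SHELLS_AND_LOLBINS:
        findings.append(Finding("wmi_spawns_shell", parent, child, cmd))
    expected = EXPECTED_PARENTS.get(child)
    if expected is not None and parent not in expected:
        findings.append(Finding("unexpected_parent", parent, child, cmd))
    return findings


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for event in events for f in evaluate(event)]


# Constructed Sysmon Event ID 1-like records (only the fields the rules use).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n invoice.docm'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -nop -w hidden -f stage.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"svchost.exe"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -enc <omitted>"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": r"whoami /all"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.parent} -> {f.child}   {f.command_line}")
```

Note that the fourth event is caught purely by lineage: a file named svchost.exe is not itself suspicious, but one whose parent is Word is, regardless of where it lives on disk. A path-based rule (svchost.exe outside System32) would be a natural fourth check to add.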
MISCELLANEOUS
- Acelab shares the history of the PC-3000
The Origins of PC-3000: From a Dream to Reality
- Richard Frawley at ADF “explains Referenced File Capture and Linked Artifacts with Digital Evidence Investigator”
Investigate: Files Referenced by Artifact Records
- Marco Fontani at Amped demonstrates the camera identification feature of Authenticate
Check Them All! Learn How to Run Camera Identification Against Multiple Reference Devices in Batch with Amped Authenticate
- Joe Sandbox announced that they have released a connector for Carbon Black, which will be useful for those that use both services concurrently.
Joe Sandbox + Carbon Black
- Brett Shavers posted a couple of times this week
- He warns of the potential for damage caused by deepfake videos
Our World is Going to Turn Upside Down with DeepFakes
- He also reviewed the DeepSpar Guardonix write blocker, as well as giving DFIR Training readers a discount and a chance to win one
If you don’t already have a DeepSpar Guardonix, you might want to get one.
- ENISA has released a report evaluating various methods of communicating securely during an incident
Secure Group Communications for incident response and operational communities
- There were a few posts on Forensic Focus this week
- MD5 provide an overview of the recent update to their VFC product
Walkthrough: VFC 5.0
- HancomGMD demonstrate how to “acquire video data with MD-VIDEO”
How To Acquire Video Data With MD-VIDEO From HancomGMD
- Christa Miller shares a review of the SANS DFIR Summit that was held in July
SANS DFIR Summit 2019 – Recap
- They also continued their ‘What’s Happening In Forensics’ series
- Alex Ocheme Ogbole at Hallym University talks about keeping a chain of custody of digital evidence
The Implication of Chain of Custody to Digital Forensics Practitioners
- Mike Cohen describes a method of using the Velociraptor API to present “a client’s VFS as a FUSE directory.”
The Velociraptor API And FUSE
- Quix0te at MuSecTech answers a couple of questions about his Achoir project. Achoir is “a practical tool to address the need to gather/extract telemetry and forensic artifacts from Windows computers”
Why Achoir?
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks
- SalvationData posted a couple of articles this week
- They announced their integration with Amped Five
[Case Study] DVR Forensics: VIP 2.0 Integration with Amped FIVE
- And provide an overview of recovering DVR data with VIP 2.0
[Case Study] DVR Forensics: Recovering Inaccessible CCTV Surveillance Video Data with VIP 2.0
SOFTWARE UPDATES
- Adam at Hexacorn released an update to DeXray (v2.16)
DeXRAY 2.16 update
- Brian Moran at BriMor Labs made some minor improvements to Cedarpelta
Small Cedarpelta Update
- Cellebrite updated UFED PA to v7.23, and then released a hotfix for a bug caused by a WhatsApp update on iOS
UFED Physical Analyzer 7.23: Enhance your investigation management process with new tools and capabilities
- Elcomsoft iOS Forensic Toolkit was updated to v5.10, adding file system acquisition of iOS devices running up to iOS 12.4
Elcomsoft iOS Forensic Toolkit 5.10 with iOS 12.2 and 12.4 file system acquisition
- Eric Zimmerman updated AmcacheParser, EZViewer, PECmd, and Registry Explorer, and introduced RLA, which replays transaction log files into copies of the registry hives.
ChangeLog
- Eric also updated KAPE to v0.8.7.1
- Philip Tully, Matthew Haigh, Jay Gibble, Michael Sikorski at FireEye release “StringSifter, a utility that identifies and prioritizes strings according to their relevance for malware analysis.”
Open Sourcing StringSifter - Metaspike released Forensic Email Collector v3.10.1.3
Forensic Email Collector (FEC) Changelog - MobilEdit v7.0.1 was released
Getting better with MOBILedit 7.0.1! - radare2 v3.8.0 was released
r2-3.8.0 – Taupe - Sandfly 2.2 was released
Sandfly 2.2 – Enhanced Web Shell Detection, Anti-Forensics and More - USB Detective v1.5.4 was released
Version 1.5.4 (09/04/2019) - Velociraptor v0.3.3 was released
Release 0.3.3 - X-Ways Forensics 19.9 Preview 3 was released
X-Ways Forensics 19.9 Preview 3
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!