No Lodrina this week, so the Threat Hunting and Malware Analysis sections are links only.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Geri at ‘4n6 Ninja’ has started a blog and shares her research on iOS snapshots; she worked with Alexis Brignoni at ‘Initialization Vectors’ to develop a process, as well as some scripts, for decoding this information
  A “Quick Look” into iOS Snapshots
- Philip Pineda and Jai Musunuri at CrowdStrike describe the wealth of data that can be found in the “macOS Terminal saved state files and how to reconstruct these files to identify additional adversary activity during interactive sessions.”
  Saved by the Shell: Reconstructing Command-Line Activity on MacOS
- Marco Neumann at ‘Be-binary 4n6’ took a look at a few apps that utilise the Tox protocol to communicate
- Mike Cohen at Velocidex has written a couple of posts on using Velociraptor to triage a live host. Mike has done a great job at making the tool available for quick and easy collections, building off of the KapeFiles repo that Eric maintains. One of the things I like about Mike’s approach is the ability for the examiner to repack the collector binary so that it’s easier to distribute.
- Craig Rowland at Sandfly Security walks through a process for analysing a suspicious Linux process calling out to an unknown IP.
  Basic Linux Malware Process Forensics for Incident Responders
- Antonio Sanz at ‘Security Art Work’ answers the Triage VM questions from the Defcon DFIR 2019 CTF
  DEFCON DFIR CTF 2019 (IV): Triage VM Questions
- Paolo Dal Checco at “Studio d’Informatica Forense” gives an overview of Tsurugi Linux
  La distro forense Tsurugi Linux disponibile anche in macchina virtuale VM
- Over on my ThinkDFIR blog I demonstrated how to use RECmd to find the MAC address of a computer from the registry, as well as why you should support the creators whose tools you rely on (like Eric!)
  Hunting for MAC Addresses
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some thoughts on the Windows 10 Timeline
  Some thoughts about Windows 10 “Timeline” forensics artifacts
- On the same topic, Igor Mikhailov at Group-IB provides an overview of the Windows 10 Timeline feature
  No Time to Waste: How Windows 10 Timeline Can Help Forensic Experts
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Also Node.js has been used to perform a Living off the Land (LotL) attack
- Black Hills Information Security
- Kobi Leizerovich at Cyberbit
  Best Red Team Exercises to Ensure your Network’s Security
- d4v3c0d3r at “Digital Forensics, Incident Response and Malware Analysis”
  File renaming technique vs Sysmon Powershell detection
- Digital Shadows
  Top Threat Intelligence Podcasts to Add to Your Playlist
- Daniel Kapellmann Zafra and Nathan Brubaker at FireEye
  The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents
- Maarten Goet
- MB Secure
  How to integrate EQL into your tooling
- Nextron Systems
  Antivirus Event Analysis Cheat Sheet v1.7.2
- Wouter Stinkens at Nviso Labs
  Azure Security Logging – part 3: security-logging capabilities of Azure virtual machines
- Alex Hinchliffe at Palo Alto Networks
  PKPLUG: Chinese Cyber Espionage Group Attacking Asia
- Penetration Testing Lab
  Persistence – Registry Run Keys
- Sysopfb
  Research into Attacking Powershell Empire
- Justin Schoenfeld at Red Canary
  Expediting false positive identification with string comparison algorithms
- Ben Nahorney at Cisco
  Threats in encrypted traffic
- SpecterOps
- Sekoia
PRESENTATIONS/PODCASTS
- Veronica Schmitt interviewed Sarah Edwards on Behind The Incident
  Behind The Incident Sarah Edwards
- Douglas Brush at Cyber Security Interviews interviewed Lesley Carhart
  #076 – Lesley Carhart: You’ve Got to Play the Game
- “Brett Burney outlines best practices for preserving and producing online evidence” on Digital Detectives
  How Lawyers Collect and Properly Authenticate Evidence from the Web
- On this week’s Digital Forensic Survival Podcast, Michael spoke about NVMe
  DFSP # 189 – NVMe
- David Kerstjens and Robyn Kidd from ‘Law in Order’ have started a podcast called “In Brief”.
  Digital Forensics ‘for Dummies’
- Lenny Zeltser shares a recent presentation he gave on cybersecurity writing mistakes
  Top 10 Cybersecurity Writing Mistakes
- Harp Thukral and Sunali Sagar at OpenText
  What’s new and what’s next with OpenText EnCase Forensic 8.09
- SANS shared a couple of presentations
- Secure View shared a couple of videos about their DataPilot 10 capture device
- Steve and Jason at Sumuri show their new challenge coins
  Introducing SUMURI Challenge Coins
- I recorded my “This Month in 4n6” podcast for September
  This Month In 4n6 – September – 2019
MALWARE
- Carbon Black
- Check Point Research
  Rancor: The Year of The Phish
- Warren Mercer and Paul Rascagneres at Cisco’s Talos
  Open Document format creates twist in maldoc landscape
- DarunGrim
  PowerShellRunBox: Analyzing PowerShell Threats Using PowerShell Debugging
- Bryce Abdo, Brandan Schondorfer, Kareem Hamdan, Kimberly Goody, Noah Klapprodt, and Matt Bromiley at FireEye
  Head Fake: Tackling Disruptive Ransomware Attacks
- Flare-On
- fl0x2208
  Gozi ISFB RM3 and Me : A Diamond Model Approach
- Lab52
  Analyzing a Molerats spear phising campaing
- Jason Zhang and Stefano Ortolani at Lastline Labs
  HELO Winnti: Attack or Scan?
- Malwarebytes Labs
  Magecart Group 4: A link with Cobalt Group?
- Marco Ramilli
  Frequent VBA Macros used in Office Malware
- John Fokker and Christiaan Beek at McAfee Labs
  McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars
- Abhinav Singh at Netskope
  New Adwind Campaign targets US Petroleum Industry
- SANS Internet Storm Centre Handler Diaries
- Securelist
- Sean Mason and Jeff Bollinger at Cisco
  Threat Hunting: How to Gain the Most Value
- Vitali Kremez at SentinelOne
  Deep Insight into “FIN7” Malware Chain: From Office Macro Malware to Lightweight JS Loader
- Sophos
- Jaromir Horejsi and Joseph C. Chen at Trend Micro
  New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
- Yoroi
  The sLoad Threat: Ten Months Later
- Rubin Azad at Zscaler
  Magecart hits again, leveraging compromised sites and newly registered domains
MISCELLANEOUS
- Heather Mahalik at Cellebrite walks through the process of creating a UFDR report to use with Cellebrite Reader
  Cellebrite Reader – The First Stop for Digital Intelligence Collaboration
- Chris Sanders has co-authored a research paper with Stef Rand on understanding security analysts’ “underlying cognitive processes”.
  Creative Choices: Developing a Theory of Divergence, Convergence, and Intuition in Security Analysts
- Craig Ball at ‘Ball in your Court’ has written a couple of posts on hashing
- There were a couple of posts on the Elcomsoft blog this week
  - Oleg Afonin shares details on how to install iOS Forensic Toolkit on the latest macOS
    Installing and using iOS Forensic Toolkit on macOS 10.15 Catalina
  - Vladimir Katalov provides an overview of the various passwords that are used on iOS devices and the security that they provide
    Four and a Half Apple Passwords
- Eric Huber at ‘A Fistful of Dongles’ has a post on using your frustration with not knowing something as motivation for studying it
  Frustration as Motivation
- Which leads on well to the post on the StillzTech blog on recommended infosec readings.
  Top Readings for InfoSec
- There were a couple of posts on Forensic Focus this week
  - HancomGMD announced a new physical extraction method for various Samsung Galaxy devices
    HancomGMDs’ New Physical Extraction Method For Samsung Phone Models Up To Galaxy
  - Nuix advised that they have received ISO 27001:2013 certification
    Nuix Achieves ISO 27001:2013 Certification
- James Kainth provides an overview of password bruteforcing
  Let’s Talk About: Password Cracking
- Muhi Majzoub at OpenText describes what he’s looking forward to at Enfuse 2019
  OpenText Enfuse: It’s going to be an incredible event
SOFTWARE UPDATES
- AChoir v3.8 was released
  AChoir Release v3.8
- Atola has updated the firmware for the TaskForce to version 2019.9
  Atola TaskForce 2019.9 release
- Belkasoft Evidence Center 2020 Version 9.7 was released
  What’s new in BEC v.9.7
- Berla released iVe v2.5, and shared some feature spotlight videos
- Didier Stevens updated his PDF tools
  Update Of My PDF Tools
- Elcomsoft updated Phone Breaker to v9.20, and Oleg Afonin describes the Screen Time passcode on iOS and how to identify it using the updated tool
  Elcomsoft Phone Breaker 9.20 extracts Screen Time passwords and Voice Memos from iCloud
- Eric Zimmerman updated AppCompatCacheParser, RECmd, Timeline Explorer, bstrings, and his Get-ZimmermanTools updater script
  ChangeLog
- ExifTool 11.69 was released with new tags and bug fixes
  ExifTool 11.69
- Magnet Forensics have released two new products, as well as updating Axiom to v3.6.
- Mathias Fuchs at CyberFox has released Aurora, an IR management tool
  Aurora Incident Response
- Image Interrogator v0.1 was released
  Image Interrogator v0.1 Released
- MSAB updated XRY (8.1), XAMN (4.4) and XEC (5.2) and shared some videos about the updates
  Now released: XRY 8.1, XAMN 4.4 and XEC 5.2
- Passware Kit 2019 v4 was released
  Passware Kit 2019 v4
- The Sekoia team have released FastIR Artifacts, a cross-platform collection tool built off of the Digital Forensics Artifacts Repository
  Introducing FastIR Artifacts
- Velociraptor v0.3.4 was released
  Release 0.3.4
- X-Ways Forensics 19.9 Beta 2 was released
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!