Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ examines the database on Android that stores app/widget/folder icons and positioning, as well as sharing a script to take the hard work out of decoding the data.
Recreate Android apps, folders, and widget positions from a forensic extraction.
- Lucy Carey-Shields at Amped discusses an amazing feature of Authenticate that allows an examiner to compare reference images taken on a device and determine a probability as to whether another image was captured with the same camera. I’ve seen something similar in another tool before and it was pretty cool; we were able to take photographs on two separate iPhones and, using this method of comparison, could determine which photographs (to a degree of certainty) came from which camera (based on knowing where the reference set came from).
The Power of Amped Authenticate for Investigating CSE Cases
- There’s a post on Cyber Triage about the importance of checking whether an attacker has modified system configuration settings during an investigation.
How to Detect System Configuration Changes – Intro to Incident Response Triage (Part 9) in 2019
- Ian Whiffin has started a blog and shares some interesting research:
- The first goes into detail about the KnowledgeC database, as well as various other useful databases located on iOS
KnowledgeC (and Friends)
- Ian next walks through the structure of a plist and the various data structures that comprise it.
PList Decoding
- And lastly he decodes a “plist” file used to store Snapchat data; whilst the extension is .plist, the file is actually in a completely different format.
SnapChat PList (chatConversationStore.plist)
- Chad Tilbury at SANS has a post on acquiring data from cloud storage that is located on an endpoint. Chad will be hosting a webcast on the topic on December 3rd, 2019 at 3:30 PM EST (20:30 UTC).
“Cloud Storage Acquisition from Endpoint Devices”
- Yogesh Khatri at ‘Swift Forensics’ describes the recent volume changes in macOS Catalina (which caused me no end of grief this week when the update resulted in logins failing and me having to wipe the system and start again!)
macOS 10.15 Volumes & Firmlink magic
THREAT INTELLIGENCE/HUNTING
- Markus Piéton (marpie) at a12d404 examines different persistence methods.
Persistence using Task Scheduler without a Scheduled Task
- Active Countermeasures looks at the basics of threat intel versus threat hunting.
Threat Intel Versus Threat Hunting, What’s the Difference?
- Adam at Hexacorn posted twice this week
- Anton Chuvakin looks at how to work with multiple SIEMs.
Living with Multiple SIEMs
- The MISP project shows how to tell a story with large data sets by visualising MISP and ATT&CK data in Maltego.
Visualising common patterns using MISP and ATT&CK data
- Pentestlab examines offensive use of bitsadmin.
Persistence – BITS Jobs
- Ryan Cobb at SpecterOps looks at Covenant v0.4.
Covenant: Developing Custom C2 Communication Protocols
- Joe at Stranded on Pylos examines PsExec activity, discussing whether it should be considered an IOC.
The Question of the Benign Indicator
- The Hacker who Rolls shares a cheat sheet for Suricata IDS.
Suricata Cheat Sheet
- TrustedSec posted a ransomware series:
- Buni Okeke discusses ransomware basics and gives some examples.
Incident Response Ransomware Series: Part 1
- Justin Vaicaro looks at different attack vectors.
Incident Response Ransomware Series – Part 2
- Tyler Hudak goes over response and eradication.
Incident Response Ransomware Series – Part 3
UPCOMING WEBINARS/CONFERENCES
- Dan Gunter and Marc Seitz from Dragos will co-host a webinar with the SANS Institute’s Tim Conway on November 22, 2019, on threat hunting in ICS environments.
Dragos to Co-Host Threat Hunting Webinar with Tim Conway of the SANS Institute
- Sal Aziz and Drew Roberts at Magnet Forensics will be hosting a webinar on their new product, Cyber, on November 5, 2019 at 10AM EST.
Addressing The Serious Threat Of Cybercrime
- Arman Gungor at Metaspike announced a webinar on Forensic Email Collector on November 13, 2019, 7:00 PM UTC.
Forensic Email Collector Power User Webinar
PRESENTATIONS/PODCASTS
- BlackBag Technologies released a recording of their recent webinar
Whodunit: Identifying Suspects Through Digital Evidence
- The presentations from BSides DC 2019 were uploaded to YouTube.
- On this week’s Digital Forensic Survival Podcast, Michael talks about the Loki IOC scanner
DFSP # 193 – LOKI
- Samir Bousseaden shared some slides on threat hunting in Windows Event logs.
The Power Of Windows EVT
- Steve Whalen at Sumuri released a short video on using Recon Imager with a Thunderbolt 3 RAID to improve performance.
Optimizing RECON IMAGER with Thunderbolt 3 RAID
- I released my monthly roundup for October.
This Month In 4n6 – October – 2019
- Veronica continues her “Behind the Incident” series, interviewing Jason Jordaan, Managing Director at DFIRLABS.
Behind the Incident 9 :Jason Jordaan
MALWARE
- The Bitdefender team looks at Ouroboros ransomware, spread via RDP.
Ouroboros Ransomware decryption tool
- Matthew Valites with Joanne Kim and Edmund Brumaghin at Cisco Talos look at mobile spyware like FinSpy and FlexiSpy and cross-reference the countries generating traffic to spyware domains against the Cato Institute Human Freedom Index.
The commoditization of mobile espionage software
- There were a couple of posts on the Cylance blog this week:
- They discuss mobile malware in an hour long podcast.
InSecurity Podcast: Brian Robison on Mobile Malware and APT Espionage
- Tatsuya Hasegawa looks at Neshta infections from various years.
Threat Spotlight: Neshta File Infector Endures
- Dr. Ali Hadi at ‘Binary Zone’ shares a downloadable VM running Cuckoo for malware analysis.
Cuckoo VM for Malware Analysis
- Dragos looks at DC access at the Kudankulam Nuclear Power Plant and shares that DTrack appears to be involved in the infection.
Assessment of Reported Malware Infection at Nuclear Facility
- Raymond Leong, Dan Perez, and Tyler Dean at FireEye uncover MESSAGETAP, an APT41 tool targeting servers that route SMS messages.
MESSAGETAP: Who’s Reading Your Text Messages?
- Oleg Sulkin at Group-IB looks at the Shade (Troldesh) ransomware.
50 Shades of Ransomware
- Frank Block at Insinuator.net examines Emotet variants.
Dissection of an Incident – Part 2
- Shaul Holtzman at Intezer gives overviews of Trickbot, Gh0stRAT, and DarkComet.
Intezer Analyze Community Halloween Edition: Trickbot or Treat!
- JEB Decompiler in Action shares Golang basics for reverse engineering.
Analyzing Golang Executables
- Alex Perekalin at Kaspersky shares an image of a giant poster covering virus milestones in history from the 30 years since the founding of the company.
A 30-year cybermaze, from the Cascade virus to recent days
- Marco Ramilli looks at an attack targeting Italian precision engineering companies.
SWEED Targeting Precision Engineering Companies in Italy
- Michael Gillespie shares a video (19 minutes) walking through STOP Ransomware (Old Djvu).
Analyzing Ransomware – STOP | Keys and IDs
- Didier Stevens at NVISO Labs examines the particulars of decoding UserAssist keys, which contain evidence of program execution.
Nessus’ UserAssist Plugin
- Fang Liu, Tao Yan, Jin Chen, Rongbo Shao, Zhanglin He, and Bo Qu at Palo Alto Networks review web-based threats in the first half of 2019, including more use of the Kaixin EK and less use of the Fallout EK.
Web-based Threats: First Half 2019
- Manohar Ghule and Mohd Sadique at Zscaler look at fileless infections using njRAT, Sodinokibi, and Astaroth as examples.
Fileless malware campaign roundup
- Sandor Tokesi at Forensics Exchange uses WSL to test how files named with a trailing space are treated by different tools, including how this might impact malware remediation.
Unremovable malware with WSL
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries:
- Using scdbg to Find Shellcode, (Sun, Oct 27th)
- Unusual Activity with Double Base64 Encoding, (Sun, Oct 27th)
- Generating PCAP Files from YAML, (Tue, Oct 29th)
- Keep an Eye on Remote Access to Mailboxes, (Wed, Oct 30th)
- EML attachments in O365 – a recipe for phishing, (Thu, Oct 31st)
- Remark on EML Attachments, (Sat, Nov 2nd)
- Securelist reviews a Chrome attack they call Operation WizardOpium.
Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
- Ben Nahorney at Cisco writes about their threat of the month, RATs.
Remote Access Trojans
- Erik Martínez at Security Art Work shares a recap of events at R2con, organized by the radare2 developers.
R2wars, una competición diferente - SentinelOne had two posts this week
- Tommy Dong at Symantec shares details of an Xhelper Android adware infection.
Xhelper: Persistent Android dropper app infects 45K devices in past 6 months
- Virus Bulletin shares a Magecart skimmer paper (21 pages) from the recent VB2019.
VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry
- Mark at “you sneakymonkey!” continues a meme-heavy Trickbot analysis.
TRICKBOT – Analysis Part II
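Didier Stevens’ UserAssist post above deals with the two decoding steps an examiner needs for these keys: the value names are ROT13-encoded paths (often prefixed with a known-folder GUID), and the Windows 7+ value is a 72-byte blob holding the run count, focus count, focus time and the last-executed FILETIME. The following Python is an added example written for this roundup, not code from Didier’s post or from his tools. The sample entry, its timestamp and counts are constructed for the demonstration, and the known-folder map is a small subset of KNOWNFOLDERID values.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist "Count" value layout (72 bytes, little-endian):
#   0x00  DWORD    session id
#   0x04  DWORD    run count
#   0x08  DWORD    focus count
#   0x0C  DWORD    focus time in milliseconds
#   0x10  40 bytes ten float32 values (rebalancing data, ignored here)
#   0x38  DWORD    unknown
#   0x3C  FILETIME last executed (100 ns ticks since 1601-01-01 UTC)
#   0x44  DWORD    zero
VALUE_SIZE = 72
FILETIME_OFFSET = 0x3C
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# A few KNOWNFOLDERID GUIDs that prefix UserAssist names (after ROT13 decoding).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (None when zero = never run)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return int((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(stored_name):
    """ROT13-decode a UserAssist value name and expand a leading known-folder GUID."""
    name = codecs.decode(stored_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_value(raw):
    """Parse the 72-byte UserAssist value into its forensic fields."""
    if len(raw) != VALUE_SIZE:
        raise ValueError(f"unexpected UserAssist value size {len(raw)}, want {VALUE_SIZE}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (last_ft,) = struct.unpack_from("<Q", raw, FILETIME_OFFSET)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": filetime_to_datetime(last_ft),
    }


def parse_entry(stored_name, raw):
    """Decode one UserAssist name/value pair as it would be read from the Count subkey."""
    entry = parse_value(raw)
    entry["program"] = decode_name(stored_name)
    return entry


# Constructed sample entry (not taken from a real system): cmd.exe under System32,
# run 5 times, focused 3 times for 12345 ms, last executed 2019-11-01 12:00 UTC.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_TIME = datetime(2019, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_VALUE = (
    struct.pack("<IIII", 0, 5, 3, 12345)
    + b"\x00" * 44                                # ten floats + unknown DWORD
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME))
    + b"\x00" * 4
)

if __name__ == "__main__":
    for key, val in parse_entry(SAMPLE_NAME, SAMPLE_VALUE).items():
        print(f"{key:>14}: {val}")
```

On a real hive the same functions are fed the value names and raw bytes from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count; a zero FILETIME is reported as None rather than as 1601-01-01, which is the usual sign of an entry that was created but never launched from the shell.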
MISCELLANEOUS
- Mark Spencer at Arsenal has a post on booting BitLocker-encrypted images with their Arsenal Image Mounter tool.
BitLocker for DFIR – Part II
- Yulia Samoteykina at Atola describes express mode in the Atola TaskForce, and how it can be used to automatically launch multiple imaging sessions.
Express mode: self-launching imaging of 17 drives
- Brett Shavers at DFIR.Training shares an update on what’s new on the website.
What’s New at DFIR Training?
- John Walther at Carpe Indicium provides an overview of the Nuix Workstation configuration settings as well as some recommendations on getting started.
Nuix Workstation – Getting Started
- Oleg Afonin at Elcomsoft describes the evolution of Microsoft Office document encryption.
Microsoft Office encryption evolution: from Office 97 to Office 2019
- There were a few posts on Forensic Focus this week:
- Martin Schuchardt at MSAB provides an overview of XRY Photon
XRY Photon: Accessing data that can’t be accessed
- Patrick Siewert at Pro Digital Forensic Consulting makes the case for why call detail record analysis is not junk science.
Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”
- Andrew Case at Volatility Labs announced the public beta of Volatility 3, and also that Volatility 2 will be maintained until August 2021.
Announcing the Volatility 3 Public Beta!
SOFTWARE UPDATES
- AChoir v4.0a was released
AChoir Release v4.0a
- Joe Sandbox Cloud now supports Sigma.
Joe Sandbox + SIGMA
- Binalyze IREC v1.9.7 was released
Version 1.9.7 - Didier Stevens updated some of his tools
- Eric Zimmerman updated Registry Explorer, LECmd, Timeline Explorer, and Evtxecmd
ChangeLog
- GetData released Forensic Explorer v5.1.2.9090
29 October 2019 – 5.1.2.9090
- A new FOSS digital investigation platform called Kuiper was released
Kuiper
- Maxim Suhanov released v1.0.0 of his dfir_ntfs file system parser
1.0.0
- MSAB updated XRY to v8.1.2
Now released: XRY 8.1.2
- Paraben updated E3 2.4 Bronze Edition
E3 2.4 Bronze Edition is now available!
- Sandfly 2.3 was released, which improves “performance, updates the custom Sandfly syntax, eliminates false alarms and migrates to Elasticsearch 7.”
Sandfly 2.3 – Performance Updates, Elasticsearch 7 Support and More
- v8.5.4 of the X-Ways Viewer Component was released
Viewer Component
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!