Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. Links only for them this week!
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- The big story this week was the reporting surrounding the analysis of Jeff Bezos’ iPhone. An interesting find along the way was this advisory regarding a specially crafted MP4 being received in earlier versions of WhatsApp.
- Bill Marczak described some further ways that the investigation can be taken
Some Directions for Further Investigation in the Bezos Hack Case
- Rob Graham did some testing on his own phone
Check out @ErrataRob’s tweet
- There was an additional annexure to the report published with some further information
SRsSumexFreedexAnnexes
- Geri at ‘4n6 Ninja’ describes a method of obtaining WhatsApp messages from non-rooted Android devices
WhatsApp messages in Non-Rooted Android Devices
- Raj Chandel at Hacking Articles demonstrates multiple ways to mount raw images on Windows
Multiple Ways to Mount Raw Images (Windows)
- Jon Baumann at Ciofeca Forensics continues his series on Apple Notes
Revisiting Apple Notes (4): Gallery Objects
- Mail Xaminer have a post describing some of the header information found in an email on Gmail
Gmail Email Investigation in Computer Forensics
- Gavin Saul at Verrimus describes a recent investigation into a hidden car monitoring device and how the perpetrator had accidentally disclosed their identity
Revealing ‘Bugged Car’ Device…
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures
How to Catch Data Exfiltration With a Single Tshark Command. – Video Blog
- Posts from Adam at Hexacorn
- Ben Bornholm at HoldMyBeer
Part 2: Intro to Threat Hunting – Understanding the attacker mindset with Powershell Empire and the Mandiant Attack Lifecycle
- Brad Duncan at Malware Traffic Analysis
- Artur at Cqure Academy
#CQLabs – Windows Defender Exploit Guard under the hood by Artur Wojtkowski
- Cyber Triage
How to Use OODA in Your Incident Response Process in 2020: Observe
- Malwrologist
Check out @DissectMalware’s tweet on Lateral Movement
- Udi Yavo at Fortinet
Update: Curveball Exploit (CVE-2020-0601) Starts Making the Rounds
- L4r1k
CitrixNetscalerAnalysis
- Kyle Hanslovan
Validating the Bishop Fox Findings in ConnectWise Control
- Matt “Rudy” Benton at Maveris Labs
VirusTotal is not an Incident Responder
- Erik Hjelmvik at Netresec
Sniffing Decrypted TLS Traffic with Security Onion
- Colin Estep at Netskope
A MITRE-based Analysis of a Cloud Attack
- Jonas Bauters at Nviso Labs
What’s in a name? Thoughts on Red Team nomenclature
- Penetration Testing Lab
- Zac Brown and Shane Welcher at Red Canary
Detecting attacks leveraging the .NET Framework
- Robert at x1sec
CVE-2019-19781
- Steven F at SpecterOps
Revisiting Remote Desktop Lateral Movement
- TheEnergyStory
Project TajMahal IOCs and Registry Data Decrypter
- ThreatRecon
Monthly Threat Actor Group Intelligence Report, November 2019
- Carlos Perez at TrustedSec
Targeted Active Directory Host Enumeration
- Trustwave SpiderLabs
Microsoft Internet Explorer Remote Code Execution 0-Day (CVE-2020-0674)
- Wietze Beukema
PowerShell Obfuscation using SecureString
- Yoroi
Yomi Hunter Catches the CurveBall
UPCOMING WEBINARS/CONFERENCES
- Atola shared a list of 50+ DFIR conferences for 2020
Top digital forensics conferences in 2020
- Buddy Tidwell and Heather Mahalik at Cellebrite will be hosting a webinar on February 5, 2020 at 11am (New York) on “Cellebrite’s first-ever premiere Training Symposium for digital forensic practitioners, Engage 2020”.
The “Lowdown” with Buddy Tidwell & Heather Mahalik: Engage 2020
- There will be a Women in Forensic Computing workshop held in conjunction with DFRWS EU on March 24, 2020 in Oxford, UK
Workshop and Digital Forensics Bootcamp alongside DFRWS EU
- Kroll has announced a training course on KAPE, held at the Wyndham Grand Hotel, Pittsburgh, Pennsylvania on March 26, 2020
KAPE Intensive Training and Certification
PRESENTATIONS/PODCASTS
- John Strand at Black Hills Information Security shared a couple of short tutorial videos
- Talks from DEFCON China were uploaded to YouTube
- This week’s Detections podcast discussed the news and interviews
Episode 9: Fear and Loathing in an Interview
- On this week’s Digital Forensic Survival Podcast, Michael talked “about using layered drivers as an artifact to identify persistence”
DFSP # 205 – Layered Drivers
- Dave and Matt ran the Forensic Lunch, with Ryan Benson talking about Unfurl, and Jessica Hyde and Aaron Sparling talking about the Magnet User Summit and Magnet Automate. We also should definitely put pressure on Dave and Matt to re-record their Michael Jackson themed presentation
Forensic Lunch 1/24/20
- The talks from LASCON 2019 were uploaded to YouTube
Securability – Shannon Leitz
- Tarah Melton demonstrates the tag syncing view in the latest update to Axiom
Magnet AXIOM 3.9 – Tag Syncing View
- Nuix shared a number of video tutorials for using Nuix Discover
- Nuix Discover – Creating Reports
- Nuix Discover – Native Exports
- Nuix Discover – Load File Exports
- Nuix Discover – Ingestions
- Nuix Discover – Imports
- Nuix Discover – Dashboards
- Nuix Discover – Continuous Active Learning
- Nuix Discover – Coding Documents
- Nuix Discover – Analytics
- Nuix Enterprise Collection Center – Targeted File Collections
- Nuix Enterprise Collection Center – Forensic Collections
- Nuix Investigate – Text Chat Review
- Nuix Investigate – Single Item Tagging
- Nuix Investigate – Using Review Mode
- Nuix Investigate – Performing Freeform Searches
- Richard Davis at 13Cubed released a video on reviewing CVE-related event logs
CVEs in Windows Event Logs? What You Need to Know
- Mike Cohen’s presentation from Linux Conf Au 2020 was uploaded to YouTube
“Velociraptor – Dig Deeper” – Mike Cohen (LCA 2020)
MALWARE
- Matt Bromiley, Christopher Glyer, and Andrew Thompson at FireEye
Nice Try: 501 (Ransomware) Not Implemented
- Jacob Pimental at Goggle Headed Hacker
Olympic Ticket Reseller Magecart Infection
- Malwarebytes Labs
- Adrian McCabe at Palo Alto Networks
The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
- Positive Technologies
Fileless ransomware FTCODE now steals credentials
- Robert Simmons at ReversingLabs
Hunting for Ransomware
- Rico J
RoboThiefClient – A Telegram session stealer
- Ryan Campbell at ‘Security Soup’
New Obfuscation Techniques in Emotet Maldocs
- SANS Internet Storm Centre Handler Diaries
- Citrix ADC Exploits Update, (Mon, Jan 20th)
- German language malspam pushes Ursnif, (Wed, Jan 22nd)
- DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)
- Why Phishing Remains So Popular?, (Fri, Jan 24th)
- Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)
- Visibility Gap of Your Security Tools, (Sat, Jan 25th)
- Anton V. Ivanov, Mikhail Kuzin, and Ilya Mogilin at Securelist
Shlayer Trojan attacks one in ten macOS users
- Megan Roddie and Limor Kessem at Security Intelligence
New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users
- Jim Walter at SentinelLabs
New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware
- Virus Bulletin
- Juan Infantes at VirusTotal
VirusTotal Graph++
- Tamas Boczan at VMRay
Analyzing ZeroCleare’s Behavior Using a Malware Sandbox
- VMware Carbon Black
- Wilbur Security
XMRig and OPSEC Fail
MISCELLANEOUS
- Jessica Hyde wrote a great tweet stream of mobile forensics resources.
Check out @B1N2H3X’s tweet
- Andrew Rathbun at AboutDFIR posted a content update
AboutDFIR Content Update 1/24/2020
- Oleg Afonin at Elcomsoft provides a comprehensive overview of some available encryption utilities
- There were a few posts on Forensic Focus this week
- They also continued their ‘What’s Happening In Forensics’ series
- Inquisitor H3x demonstrates setting up Tsurugi in VirtualBox
Tsurugi — Setting Up Your Environment
- Justin Boncaldo comments on whether passion can outweigh having an investigative mindset. Ideally you’d have a combination of both!
Absence of ‘investigative mindset’ in DFIR
- Koen Van Impe comments on the IR investments to prioritise in 2020
Which Incident Response Investments Are You Prioritizing in 2020?
- Matthew Green shared a review of the SANS FOR578 Cyber Threat Intelligence course.
FOR578: Cyber Threat Intelligence
- Magnet Forensics released the list of speakers for their upcoming Magnet User Summit
- Amber Schroader at Paraben Corporation comments on some basic principles of digital forensics
Basics of Digital Forensics
- Richard Frawley at ADF demonstrates creating a collection key with DEI
Creating a Collection Key without Search Profiles
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — January 19 to January 25
- SpecterOps has published their Adversary Tactics: PowerShell course on GitHub
Check out @SpecterOps’s tweet
- Steve Anson’s new book, Applied Incident Response, was published
- John Patzakis at X1 comments on the legal aspects of forensic acquisition and preservation relating to a case in Florida, USA.
Court Compels Forensic Imaging of Custodian Computer, Imposes Sanctions Due to Non-Defensible eDiscovery Preservation Process
SOFTWARE UPDATES
- Amped Authenticate Update 15518 was released
Amped Authenticate Update 15518: Customizable Reporting, CRP Comparison, Enhanced JPEG Ghost Map Filter, Check Sun Position, Improved HEIF Support, and More
- Autopsy 4.14 was released
Autopsy 4.14 Release Highlights
- Cellebrite released UFED InField 7.28.2
Industry-first: Forensically sound, full file system extraction with UFED InField
- Michael Gillespie released CryptoTester v1.3.0.9 for Ransomware Analysis
Check out @demonslay335’s tweet
- Didier Stevens updated a couple of his Python scripts
- Eric Zimmerman updated AppCompatParser
ChangeLog
- GetData released Forensic Explorer v5.1.2.9270
24 January 2020 – 5.1.2.9270
- Magnet Forensics updated Axiom to v3.9.
AirDrop Artifacts and More in Magnet AXIOM 3.9!
- “A new version of MISP (2.4.120) has been released, including an extension to the data-model adding the first_seen and last_seen values at the attribute and object levels.”
MISP 2.4.120 released (aka the timeline release)
- Tableau Firmware Update v7.32 was released, which updated the T356789iu+LCD Forensic Universal Bridge to version 2.2.1
Tableau Firmware Update Revision History for v7.32
- ADF released new versions of their Digital Evidence Investigator, Triage-Investigator, Triage-G2, and Mobile Device Investigator software.
ADF Announces New Product Versions 5.1.0 and 2.1.0
- Minoru Kobayashi released three new Mac forensics and malware analysis tools
Check out @unkn0wnbit’s tweet
- X-Ways Forensics 19.9 SR-3 was released
X-Ways Forensics 19.9 SR-3
- An update to the X-Ways viewer component to v8.5.4 was also released
X-Ways Viewer Component
- Yogesh Khatri has released v0.3 of his Unified Log Reader
v0.3
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!