Thisweekin4n6: Week 11 – 2016

Phillip kindly allowed us to publish his digest. So, here we go.

Software updates

Eric Zimmerman updated his AppCompatCacheParser to version 0.0.7.0. This included package updates and some cleanup.
AppCompatCacheParser v0.0.7.0

Paul Sanderson updated Forensic Browser for SQLite to version 2.7.6. This update includes a number of enhancements and bug fixes.
New release 2.7.6 – lots of enhancements

X-Ways 17.4 SR7 has been released with minor improvements and bug fixes.
X-Ways Forensics 18.7 SR-7

Paul Sanderson posted a great article last week on utilising SQL queries to convert timestamps. These queries can be used to validate the timestamps that can also be converted in place in his Forensic Browser for SQLite tool.
Validating a timestamp

Magnet has a post promoting the webinar they ran last week with Teel Tech on Smartphone forensics.
Advanced Smartphone Forensics, hosted in partnership with Teel Technologies

Harlan Carvey has a new post up aptly titled “Links and Stuff” because it has a series of links….and stuff! The first link is to Mark Russinovich’s RSA 2016 presentation on Sysmon. It looks like a really interesting presentation; I especially liked how he used it to track down the malware infecting his mother’s computer. Harlan then goes on to present some new ransomware that talks to the user. The third set of links relates to document macros. The presentation by Decalage looks great, especially considering it provides a list of tools and shows them in action. As a side note, I particularly like this paragraph: “Do not…I repeat, do NOT…base any decisions made after an infection, compromise, or breach on assumption or emotion. Base them on actual data, and facts. Base them on findings developed from all the data available, not just some of it, with the gaps filled in with speculation”. It applies to just about everything, not just infosec. The end of the post is a short anecdote about identifying a previous malware infection on a computer by examining the index.dat files.
Links and Stuff

Basis Technology sent an email around announcing the 7th Annual Open Source Digital Forensics Conference (OSDFCon). The conference is on the 27th October in VA, USA. The call for presentations closes June 1.
2016 Call For Presentations & Workshops

David Cowen has uploaded the results of the file carving tests shown on last week’s Forensic Lunch. From reading through it, it appears that X-Ways was top of the pack overall, with Blade coming in as the most configurable. I would like to see the versions of the tools they used included in the post; it helps those that may want to replicate their tests with later versions.
Tool Testing: File Carvers as seen on the Forensic Lunch 3/11/16

Weare4n6 have a post up about utilising libmobiledevice to take a backup/logical acquisition of an iOS device (if you don’t have access to a commercial suite) with command line and pictures!
Logical acquisition of iOS devices with libmobiledevice

Dan has updated his list of AppIDs again. If you check out the Forensic Wiki post on AppIDs you’ll notice Dan’s blog providing a significant chunk of it. The list is hosted on Dan’s GitHub page. I would like to see someone create an online page that takes lists like this one, or the one on forensicwiki, and allows you to determine the list separator (hash, tab, comma for example) and then download the file as a text document. Or if all the tools could decide on a standard separator that would work as well. I know, I probably should do it, eventually. Either way, great list!
Jump List Forensics: AppID Master List (400+ AppIDs)

There are two new posts up on Forensic Focus regarding the Forensics Europe Expo 2016. The first provides details of the event being held in London, April 19th and 20th. The second day of the expo is entirely dedicated to digital forensics and cybercrime. The programme can be found here.
Source The Latest Technology At Forensics Europe Expo
The second is an interview with the event manager for the event.
Interviews – 2016 Interview With Rob Lozowski, Event Manager, Forensics Europe Expo

Sarah Edwards has updated her Analysis and Correlation of Mac Logs presentation and uploaded it to her GitHub. Since people don’t examine Macs as often as they do Windows-based computers, it’s always good when someone puts this much work into such an extensive presentation. The presentation covers all the different types of information that can be gleaned from OS X logs. This includes volume, network information, location data and user activity.
Presentation Update: Analysis and Correlation of Mac Logs

Elcomsoft has a new post advising they have updated their Elcomsoft System Recovery tool to incorporate extracting password hashes for Microsoft accounts with online authentication. This is when the user has linked their Live account with their user profile on their computer and as a result their password is that of their Live account. The post then goes into detail about what additional information an investigator/attacker can obtain utilising the user’s credentials on a series of different Microsoft properties, from backup BitLocker keys to Skype history and Bing searches. Unfortunately two-factor authentication is still an issue. If you don’t have access to Elcomsoft’s System Recovery tool, you can extract the hashes using AccessData’s Registry Viewer (I’m pretty sure, I can’t exactly remember the process at the moment) and then crack the hash with Elcomsoft’s Distributed Password Recovery or Passware etc.
Breaking into Microsoft Account: It’s No Google, But Getting Close

Michael Maurer at the Distributed Forensic Timeline (DiFT) blog has a post up expounding the benefits of the super timeline generated by Plaso. The post shows a few different timeline viewers including timesketch and the author’s own “Efetch”. I do agree with him that there’s definitely a lot more that can be explored around the timelining space. I’ll have to play around with the current GUIs and see how they compare. One day I’ll put my ideas around timeline generation into action, or at least find someone willing to help!
The Mysterious Powers of the Super Timeline (Plaso)

TrewMTE has a few posts up this week; however, only a couple really caught my eye. This post related to USIM cards and their potential importance in an investigation. It’s really just a couple of links to previous posts on the subject, but those posts look quite in-depth.
Exploration – missing the micro-evidence

The second post related to eMMC card readers, particularly the Up-n-Up UP828P Ultra Programmer. I don’t really know too much about reading chips directly, but thought people that might be in the market for a new card reader might find this useful.
eMMC

MSAB posted up a short post advising of a recent outcome in an Irish court. The post explains that an examiner used XRY to perform an extraction of a phone and this was brought up by the defense in the appeal. The ruling on the appeal mentioned “The Court is of the view that there was absolutely no requirement on the part of the prosecution to call a software engineer or by some other means to set about explaining how the software worked. Retired Detective Garda Supple was trained in the forensic examination of mobile phones and deployed the XRY system as a tool in that regard”. I think one of the key elements in this appeal was the mention of the examiner noting discrepancies in the manual review. The manual review process of a mobile phone analysis is key to validating the extracted data. I think it may have been a bit more of an uphill battle if that wasn’t mentioned in the trial.
XRY Passes Court of Appeal Challenge

Derek Edwards has a new whitepaper up on the SANS forensics reading room page suggesting the next advancement in forensic analysis tools be interfacing with distributed computing systems. Platforms like Amazon Web Services can be utilised to speed up some aspects of data processing. Of course this may not be useful in every event, but that always depends on your data sizes. The paper explains that the main benefit of using a distributed system is splitting up the processing across multiple machines. This won’t work for serial processes such as hashing, but will speed up keyword searches/indexing (and I’m thinking potentially carving). I like the idea of speeding up a strings+grep search, even incorporating decompression of the hiberfil at the start. This paper is definitely something for those that need to deal with massive datasets; however, its concept can be noted just in case you need it in the future.
Tech Refresh for the Forensic Analysis Toolkit

And lastly this quarter’s journal of digital investigation has officially been released. This volume contained papers on:

GVFS metadata: Shellbags for Linux; which describes metadata found within the Gnome Virtual File System that can assist examiners in locating information about files stored within the volume, whether external device or encrypted volume. The paper “establishes some rules of when a filename is recorded in the metadata files and what data is recorded when the file is deleted”.

Determining image base of firmware for ARM devices by matching literal pools; which went right over my head unfortunately. Might need to revisit that one at a later stage.

Forensic analysis of newer TomTom devices; which describes a new method of data extraction for third generation TomTom devices that doesn’t require desoldering chips.

NVM express drives and digital forensics; which explains the impact of the new NVM standard for communicating between a host and non-volatile memory devices.

Unmanned aerial vehicles: A preliminary analysis of forensic challenges; which provides an analysis process for both the UAV itself as well as the smartphone app-based controllers. I’m 90% certain the author wanted to contribute invaluable drone research to investigators and not just have an excuse to fly quadcopters around most of the day 🙂. Still, as mentioned previously, whenever a nonstandard device comes across an investigator’s desk it’s always good when someone’s done some of the legwork and documented it appropriately.

Journal of Digital Investigation Volume 16

Don’t forget to check Phillip’s blog every week!