Analysis Notes

A place to jot down things from analyzing malware and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 45 – 2023 - FORENSIC ANALYSIS

This entry displays the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) and was automatically generated and posted so that I can skim through and pick the articles to check. 4n6 itself can be found here.

FORENSIC ANALYSIS

Emi Polito at Amped

Emi Polito October 31, 2023 Good day dear colleagues and welcome back to another article in our “Learn and solve it with Amped FIVE” series. This week we’ll talk about photogrammetry and in specific, we’ll learn how to measure heights from surveillance video. Contents 1 Dealing with Perspective 2 The Single View Metrology 3 The Reverse Projection 4 Performing a Single View Metrology with Measure 3d 5 Registering the Reference Object 6 Measuring the Height of a Subject 7 Performing a Reverse Proj...

John Hyla at Blue Crew Forensics

October 30, 2023 by John Hyla Introduction I recently had a case involving Discord where the case investigator had observed images within the thread on an iPhone but they were not appearing in the threads in Cellebrite Physical Analyzer. The investigator described the images to me and I was able to locate them in a folder associated with Discord so I figured there had to be a way to make the connection. My research started by noting that the images existed in a folder named com.hackemist.SDImage...

Cado Security

Cellebrite

Heather Mahalik's Post Heather Mahalik Senior Director of Community Engagement at Cellebrite | SANS DFIR Curriculum Lead, Faculty Fellow and Author 5d Ready to supercharge your data extractions? Check out this outstanding how-to cheat sheet created by the dream team's very own Paul Lore...

Cyber Social Hub

cybersocialhubnews October 30, 2023 This article was written by MSAB Had a MediaTek device with its Boot ROM interface disabled land on your desk? Access to MediaTek's Boot ROM interface is the best way to extract the maximum amount of data from any device with a MediaTek chipset. The Boot ROM is always there, and it will not change. Because of this, we do not have to worry about different vendors, firmware, or security patches. It just works. Earlier this ...

Digital Daniela

10/31/2023 Hello Everyone! This time I decided to do something different and showcase my thesis on memory forensics in responding to malware related incidents. I hope you enjoy it and learn something from it! digital_daniela_memory_forensics_theisis.docx File Size: 928 kb File Type: docx Download File

Doug Metz at Baker Street Forensics

Huntress Capture the Flag – A CTF Marathon CTF, DFIR, Forensics, Malware, Memory Analysis, OSINT, Steganography Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges. First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not ob...

Huntress CTF: Week 1 – WarmUps CTF, DFIR, Malware, PowerShell The team at Huntress pulled off an amazing CTF that ran through the month of October with new challenges released daily. In this series, I'll be providing my solutions to the challenges. WARNING Will Robinson, spoilers ahead! Use the tag #HuntressCTF to see all related posts. Technical Support There wasn't really a solve to this one, but I'm including it here for consistency. If you head to the Discord server for the event and went to th...

Huntress CTF: Week 1 – Malware: Hot Off The Press, HumanTwo, PHP Stager & Zerion DFIR, CTF, PowerShell, Malware Hot Off The Press To start with let’s see what kind of file this is. “UHARC is a compression/archiving system for PC platforms, which appears to be neglected since around 2005. It achieves better compression than most other archivers, at the expense of being much slower.” /fileformats.archiveteam.org/wiki/UHARC I scoured the internet looking for a copy of UHARC to download. I’m not goi...

Huntress CTF: Week 1 – Miscellaneous: I Won't Let You Down CTF, DFIR I Won't Let You Down If you went to the web page in a browser, there was a suggestion to use nmap. There was also an embedded video of Rick Astley. Nmap is a tool I've used over and over in my career. I may have even had Nmap Ninja on my resume or LinkedIn at a time. I always get a kick out of seeing it used in movies, and it's been used in a lot. A basic, albeit thorough nmap command gives us: Ok, so let's start knocking on port...

Huntress CTF: Week 1 – Forensics: Backdoored Splunk, Traffic, Dumpster Fire CTF, DFIR, PowerShell, Python Backdoored Splunk Hit Start. So we’ve got a url and a specific port. Firefox web browser yields… So we need an Authorization header. 🤔 Time to look at the provided files. It looks to be the export of a Splunk application. Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this. The Silver Searcher is a command line tool I picked up during the CTF and...

Huntress CTF: Week 2 – WarmUps CTF, DFIR Chicken Wings Opening the file with a text editor yields… (if you’re old like me you may recognize it) Wingdings! Head over to dcode.fr and translate it. F12 Hit the Start button and we’re provided with a URL and port. Open the site in a browser and enable source debugging, usually “F12” as the challenge suggests. If you click on the blue Capture The Flag button, you may observe a VERY quick pop-up. If we scroll to the bottom of the source code, (in CTF’s...

Huntress CTF: Week 2 – Forensics: Wimble, Opposable Thumbs, Tragedy_Redux CTF, DFIR, Forensics Wimble Once the file was downloaded and extracted from the zip I ran the file command on it. OK so we'll be doing the analysis for this one on a Windows box to start. Move the file to windows and rename to Fetch.wim Open the .wim with 7zip explorer Within the zip file we see a plethora of Prefetch (.pf) files, but among them there is a fetch.zip When we extract the contents of the zip file we have a...

Huntress CTF: Week 2 – Miscellaneous: Rock, Paper, Psychic CTF, DFIR, Miscellaneous Rock, Paper, Psychic Do you want to play a game? You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice. How about a nice game of Chess? Having played the game a couple times to get familiar with the flow, I ran the program using x64dbg. Hit F9 a few times until the program gets to your ...

Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir DFIR, CTF, Malware VeeBeeEee First examine the file contents. Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe. Copy the output to VS Code. The syntax highlighting shows that all the ””””””””al37ysoeopm’al37ysoeopm entries are just comments, so let’s remove th...

Huntress CTF: Week 2 – OSINT: Where Am I?, Operation Not Found, Under the Bridge DFIR, CTF, PowerShell, OSINT Where Am I? Opening the picture we see it’s a location. I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates. The file does contain GPS metadata but before we even get there, looks like something out of the ordinary for the Image Description… Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell. The converted string is...

Huntress CTF: Week 2 – Steganography: Land Before Time CTF, DFIR, Steganography Land Before Time Here's what we see when we open the image. Exiftool doesn't have any interesting metadata. Let's toss it into iSteg. I think it found something. What about you? Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 3 – Miscellaneous: Who Is Real?, Operation Eradication CTF, DFIR, Miscellaneous Who Is Real? This was a change of pace from what a lot of the CTF has been; lots of malware and deobfuscation. In this challenge we’re tasked with figuring out which faces are real and which have been AI generated. Before starting the challenge, I familiarized myself with //whichfaceisreal.com/learn.html It gave me good ideas of things to look for regarding teeth, glasses, earrings, other faces in ...

The download is Application Logs.evtx If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337. The error content isn’t very helpful. Let’s take a hint from the title and run the event log through Chainsaw. Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337. That looks interesting. Copy the binary data and bring it over to CyberChef From unintelligible binary to unintelligible PowerShell. Copy the output an...

Huntress CTF: Week 3 – M Three Sixty Five CTF, DFIR, M365 This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into. The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation. If I do a search on ‘street’ I see that it’s part of an Output example for Get-AADintTenantDetails Ok, let’s give that command a go. And there’s the flag under the street value. For...

Huntress CTF: Week 4 – Miscellaneous: MFAtigue DFIR, CTF, Miscellaneous MFAtigue For any of these challenges where there’s a download and an online component, I’ll usually start with the files. OK. So how can we get a password if we have access to the ntds.dit and the SYSTEM registry hive? The iredteam.com article looks like a good place to start. There’s a reference to dumping hashes using impacket. I don’t have the SECURITY hive, but I do have the ntds.dit and the SYSTEM hive. From here we’ll ...

Huntress CTF: Week 4 – Forensics: Bad Memory CTF, DFIR, Forensics, Memory Analysis Bad Memory I spent a bit of time on this trying to get Volatility 2 to work with the Mimikatz plug-in. I was not successful. I was able to run the Volatility hashdump module. I switched to Volatility3 and ran hashdump. For whatever reason the output of Volatility3 was different. The only user besides the default accounts is for ‘Congo.’ Copy the hashed password and head over to //hashes.com/en/decrypt/hash where w...

Oleg Afonin at Elcomsoft

October 31st, 2023 by Oleg Afonin Category: «General» The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today's article we'll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we'll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8. Understanding Bootloader Vulnerabiliti...

Felix Guyard at ForensicXlab

October 27, 2023 10-minute read Memory Forensics DFIR • Volatility • Memory Forensics • Hibernation Abstract In the Digital Forensics ecosystem, the field of memory forensics can help uncover artifacts that can't be found anywhere else. That can include deleted files, network connections, running processes, rootkits, code injection, fileless malware and many more. Microsoft introduced the hibernation feature in Windows 2000, allowing systems to be powered down while preserving th...

Forensafe

03/11/2023 Friday The Android Play Store, officially known as Google Play, is a digital distribution service created and managed by Google. It serves as the official app store for devices running on the Android operating system. Users can browse and download a wide range of applications, games, movies, TV shows, music, and books directly to their Android smartphones, tablets, and other compatible devices. Digital Forensics Value of Android Playstore Search History Analyzing search queries execut...

Lionel Notari

iOS Unified Logs - Typing and sending a message in WhatsApp Digital investigations often rely on examining logs, and when it comes to WhatsApp, the logs can be a treasure trove of information. In this article, we'll dive into the world of WhatsApp unified logs to uncover the records created when a user types a message in the application. These logs offer a valuable tool for digital investigators to confirm that a user truly typed their message by pressing the keys on their phone's keyboard, rathe...

Mattia Epifani at Zena Forensics

iOS 15 Image Forensics Analysis and Tools Comparison - Native Apps By Mattia Epifani - October 30, 2023 I am finally back with the third blog post in the series! Before I introduce this new post, I want to point out some updates to the previous blog post. I have corrected a couple of errors related to the Belkasoft tool, in particular the device UDID and the device phone number. Also, after the blog post, Alexis Brignoni released some new iLEAPP parsers that cover most of the "red" boxes and MSAB ...

Maxim Suhanov

Bringing unallocated data back: the FAT12/16/32 case November 1, 2023 / November 2, 2023 ~ msuhanov Modern operating systems provide a way to increase the size of a given file without writing to it. In Unix-like operating systems, this is achieved through the truncate() and ftruncate() system calls. These calls allow programs to decrease or increase the file size. If the file size is decreased, data beyond the new end-of-file position is discarded (it can survive as deleted data, but there is no wa...
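The truncate()/ftruncate() behaviour the excerpt describes, as an added example that is not code from Maxim Suhanov's post: the script writes a constructed marker into a scratch file, shrinks the file so the tail is logically discarded, grows it back to the original size without writing, and reports what the re-extended region reads as. POSIX requires that region to read as zero bytes, so the `leaked` flag is the check a forensic examiner would run against a filesystem under test (a FAT volume mounted by a driver of interest, for instance) to see whether old cluster contents reappear; the function name and the dict layout are this example's own.

```python
"""
Added example: exercise POSIX truncate()/ftruncate() on a scratch file.

Shrinking a file discards the bytes beyond the new end-of-file; growing it
again without writing must make the new region read back as zero bytes
(the filesystem either zero-fills or leaves a hole).  The function returns
what was actually observed so the expectation can be checked on any
filesystem you point it at.
"""
import os
import tempfile

# Constructed sample content (96 bytes); not from any real case.
MARKER = b"SECRET-DATA-" * 8


def truncate_roundtrip(tmp_dir=None):
    """Write MARKER, shrink the file, grow it back, and report what is visible.

    Returns a dict with:
      after_shrink - bytes readable after the size is cut to 16
      grown_size   - st_size after ftruncate() back to the original length
      grown_tail   - bytes in the re-extended region (expected: all zeros)
      leaked       - True if anything other than zeros came back in the gap
    """
    with tempfile.NamedTemporaryFile(dir=tmp_dir, delete=False) as fh:
        path = fh.name
        fh.write(MARKER)
        fh.flush()
        os.fsync(fh.fileno())  # make sure the marker actually hit the disk

    orig_len = len(MARKER)
    keep = 16

    # 1. Shrink: bytes beyond offset `keep` are logically discarded.
    os.truncate(path, keep)
    with open(path, "rb") as fh:
        after_shrink = fh.read()

    # 2. Grow back to the original length without writing a single byte.
    with open(path, "r+b") as fh:
        os.ftruncate(fh.fileno(), orig_len)
        fh.seek(keep)
        grown_tail = fh.read()

    grown_size = os.stat(path).st_size
    os.unlink(path)

    return {
        "after_shrink": after_shrink,
        "grown_size": grown_size,
        "grown_tail": grown_tail,
        # Any non-zero byte here means previously discarded data is visible
        # again through the file, which is what the excerpt's research is about.
        "leaked": grown_tail != b"\x00" * (orig_len - keep),
    }


if __name__ == "__main__":
    result = truncate_roundtrip()
    print("after shrink   :", result["after_shrink"])
    print("size after grow:", result["grown_size"])
    print("tail all zeros :", not result["leaked"])
```

Run it with `tmp_dir` pointing at a mount of the filesystem you want to test; on a conforming filesystem `leaked` is False, and a True result is the signal to go and look at what the driver does with the clusters between the old and new end-of-file.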

The DFIR Report

William Oettinger

William Oettinger CFCE, CISSP Digital Evidence Examiner | Author | Trial Consultant | Expert Witness. Published Oct 30, 2023 We have all heard the saying, "If you didn't document it, it didn't happen." This rings especially true in the world of digital forensics. As a digital forensics investigator, comprehensive report writing is one of the most critical skills you can develop. Your detailed, unbiased reports will serve as the record of...