Misc

Analysis of HSTS Caches of Different Browsers

The Reason

I recently stumbled upon a strange behavior in my Firefox: I visited an HTTPS-enabled website that I had visited before and saw that my Firefox connected insecurely via HTTP. I found that strange because nowadays, most websites set the HSTS header, which is supposed to force the browser to connect via HTTPS. I checked whether this website set the HSTS header – and it did. This means my Firefox was ignoring/forgetting about the HSTS header right after my visit. Continue reading “Analysis of HSTS Caches of Different Browsers”

Continue reading
Misc

ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files

I am glad to announce the release of the ERNW whitepaper 71 containing information about quarantine file formats of different AV software vendors. It is available here.

Anti-Virus Software

I took quarantine files from real-life incidents and created some in a lab environment. Afterwards I tried to identify metadata, like timestamps, path names, malware names, and the actual malicious file in the quarantine files. One goal was to use this information to support our incident analyses: Using the results, we can now easily create timelines showing information about quarantined files, extract the detected malware, and sometimes even find information about processes that created the malicious files. Continue reading “ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files”

Continue reading
Building, Misc

How can data from fitness trackers be obtained and analyzed with a forensic approach?

The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center [1], every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can also be seen in criminal proceedings, as there exist more and more cases where these devices provide evidence.

Which useful evidential information fitness trackers collect and how to analyze them forensically was part of a paper that we presented at WACCO 2020 this year [2]. The goal was to develop an open source program to support investigators analyzing data that fitness trackers provide and to give a general approach on how to analyze fitness trackers.

Continue reading “How can data from fitness trackers be obtained and analyzed with a forensic approach?”

Continue reading
Misc

Dissection of an Incident – Part 2

After our last blogpost regarding Emotet and several other Emotet and Ransomware samples that we encountered, we recently stumbled across a variant belonging to the Gozi, ISFB, Dreambot respectively Ursnif family. In this blogpost, we want to share our insights from the analysis of this malware, whose malware family is mainly known for being a banking trojan that typically tries to infect browser sessions and sniff/redirect data. In particular, we are going to provide details about the first stage Word Document, the embedded JavaScript/XSL document, an in-depth runtime analysis of the downloaded executable, and some details regarding detection.

Also, with this blog post, we are releasing a Rekall plugin called pointerdetector that enumerates all exported functions from all DLLs and searches the memory for any pointer to them (essentially a search for dynamically resolved APIs). This plugin can assist in identifying dynamically resolved APIs and especially memory regions containing DLLs loaded with techniques such as reflective DLL injection. This blog post will contain some examples illustrating the usage of this plugin, as well.

If you are interested in a hands-on analysis of Incidents and malicious files, we are giving another round of our Incident Analysis workshop at Troopers20.

Continue reading “Dissection of an Incident – Part 2”

Continue reading
Misc

Comparison of our tool afro (APFS file recovery) with Blackbag Blacklight and Sleuthkit

At this years ARES conference, Jonas Plum (Siemens) and me (Andreas Dewald, ERNW Research GmbH) published a paper about the forensic analysis of APFS, file system internals and presented different methodologies for file recovery. We also publicly released a tool implementing our presented approaches, called afro (APFS file recovery).

Continue reading “Comparison of our tool afro (APFS file recovery) with Blackbag Blacklight and Sleuthkit”

Continue reading
Events

Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018

*This event will be held in German*

Inspiriert durch die erfolgreichen Round-Table-Diskussionen der Troopers-Konferenz freuen wir uns, Ihnen heute mit dem Incident Analysis and Digital Forensics Summit 2018, eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.

Continue reading “Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018”

Continue reading
Events

DFRWS USA 2017

As mentioned in my last blogpost, I had the pleasure to participate in this years DFRWS USA and present our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.

The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.

The conference had some great talks and workshops, which I’m going to briefly sum up.
Continue reading “DFRWS USA 2017”

Continue reading
Building

Release of Glibc Heap Analysis Plugins for Rekall

I’m happy to announce the release of several Glibc heap analysis plugins (for Linux), resp. plugins to gather information from keepassx and zsh, which are now included in the Rekall Memory Forensic Framework. This blogpost will demonstrate these plugins and explain how they can be used. More detailed information, including real world scenarios, will be released after the talk at this years DFRWS USA.

Continue reading “Release of Glibc Heap Analysis Plugins for Rekall”

Continue reading
Events

First dedicated Forensic Computing Training at TR17

I am looking forward to our newly introduced dedicated Forensic Computing Training at TR17!
We will start the first day with a detailed background briefing about Forensic Computing as a Forensic Science, Digital Evidence, and the Chain of Custody. The rest of the workshop we will follow the Order of Volatility starting with the analysis of persistent storage using file system internals and carving, as well as RAID reassembly with lots of hands-on case studies using open source tools. As a next step, we will smell the smoking gun in live forensics exercises. Depending on your preferences we will then dig a bit into memory forensics and network forensics. Continue reading “First dedicated Forensic Computing Training at TR17”

Continue reading