Digital Forensics & CPUs

Hardware
Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics.   Kind of a book here, but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now.   I have done a couple of Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out.  The chipsets for this platform seem to have finally matured, as the most recent BIOS updates resolved a long-running issue with properly clocking faster RAM models to their factory spec for speeds of 2666MHz and higher.  This is actually important for Ryzen, as the CPU benefits more from faster memory than most Intel platforms do, so running DDR4 3200 memory does…

Yandex.ru and Intrusion Investigations

Forensic Thoughts
Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not understand the context because there are not normally other .ru domains found during my investigation.  A little common sense and research confirmed that "metrika" is Russian for "metric" and that examination of watch.js appears to reveal a web metric monitoring/tracking capability similar to the Google Analytics reports offered to webmasters via its tracking code (https://support.google.com/analytics/answer/1032385?hl=en).   I…
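The triage logic that the observation above calls for, as an added example that is not part of the original post: given the URL artifacts recovered from a host (history entries plus cached resources), flag visits to host-fingerprinting sites and attribute a tracker hit such as mc.yandex.ru/metrika/watch.js to the page that loaded it, so that a third-party analytics beacon is not mistaken for a separate destination the intruder chose. The sample artifacts are constructed; the attribution window, the extra fingerprinting hosts beyond whoer.net, and the assumption that the tracker was pulled in by the whoer.net page are illustrative choices, not facts from the post.

```python
"""Attribute third-party analytics hits to the page that loaded them.

Added example, not from the original post. The artifact rows below are
constructed test data in a (timestamp, url, source) shape; a real case would
feed in rows from a browser history/cache parser.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: an intruder on an RDP session checks the host's public
# identity, and two analytics scripts are cached seconds later. A second
# yandex hit much later has no nearby page load.
SAMPLE_ARTIFACTS = [
    ("2017-06-27 14:02:11", "https://whoer.net/", "history"),
    ("2017-06-27 14:02:12", "https://mc.yandex.ru/metrika/watch.js", "cache"),
    ("2017-06-27 14:02:12", "https://www.google-analytics.com/analytics.js", "cache"),
    ("2017-06-27 14:05:40", "https://www.microsoft.com/", "history"),
    ("2017-06-27 15:31:03", "https://mc.yandex.ru/metrika/watch.js", "cache"),
]

# whoer.net comes from the post; the other two are assumed additions of the
# same kind (sites that echo back IP, ISP and browser headers).
FINGERPRINT_HOSTS = {"whoer.net", "whatismyip.com", "ipinfo.io"}

# Analytics/tracking script hosts that a visited page loads on its own.
ANALYTICS_HOSTS = {"mc.yandex.ru", "www.google-analytics.com"}

# Assumed: a tracker cached within this window of a page load belongs to it.
ATTRIBUTION_WINDOW = timedelta(seconds=30)


def parse_artifacts(rows):
    """Normalise rows into dicts with parsed timestamps, sorted by time."""
    out = []
    for ts, url, source in rows:
        host = (urlparse(url).hostname or "").lower()
        out.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "url": url,
            "host": host,
            "source": source,
        })
    return sorted(out, key=lambda r: r["ts"])  # stable: ties keep input order


def attribute_trackers(rows):
    """Return fingerprinting visits plus attributed/unattributed tracker hits."""
    arts = parse_artifacts(rows)
    # Only top-level page loads can be the parent of a tracker resource.
    pages = [a for a in arts if a["source"] == "history"
             and a["host"] not in ANALYTICS_HOSTS]
    findings = {"fingerprint_visits": [], "attributed": [], "unattributed": []}
    for a in arts:
        if a["host"] in FINGERPRINT_HOSTS:
            findings["fingerprint_visits"].append(a["url"])
        if a["host"] in ANALYTICS_HOSTS:
            parent = None
            for p in pages:
                if p["ts"] > a["ts"]:
                    break
                if a["ts"] - p["ts"] <= ATTRIBUTION_WINDOW:
                    parent = p  # latest page load inside the window wins
            if parent is not None:
                findings["attributed"].append((a["url"], parent["url"]))
            else:
                # No page explains this hit: look harder (carved history,
                # other browsers, or a direct fetch by a tool).
                findings["unattributed"].append(a["url"])
    return findings


if __name__ == "__main__":
    report = attribute_trackers(SAMPLE_ARTIFACTS)
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

An unattributed tracker hit is the interesting case: the script is not suspicious in itself, but a hit with no page load to explain it means the history that would explain it is missing or was cleared, which is worth its own look.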

Petya Ransomware Recap

Malware, Ransomware
Twitter, news media, and malware researchers were busy over the past 30 hours as news broke of a ransomware variant identified as Petya (NotPetya) that leveraged ETERNALBLUE to spread, much as WannaCry ransomware had spread back in May 2017.  While variants of Petya have been seen going back a few months, sharing code with the PetrWrap and GoldenEye/Mischa ransomware strains, this fast-spreading variant differed from WannaCry in what it attacked: it did not just encrypt files selected by extension but also went after the Master File Table (MFT) of the infected system.  Petya works by overwriting the Master Boot Record (MBR) with its own boot code, forcing a reboot, and then encrypting the MFT from that boot code before Windows ever loads, after which a static ransom message is displayed against a black backdrop starting…
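Because this family replaces the boot code in the MBR rather than (only) touching files, the first triage question on a suspect disk image is whether sector 0 still carries the boot code it shipped with. The following is an added example, not code from the original post: it parses a 512-byte MBR, extracts the partition table, and compares the bootstrap region against a baseline hash taken from a known-good image of the same build. The sample sectors, the baseline, and the partition layout are constructed fixtures; nothing here encodes a Petya-specific signature.

```python
"""Triage a 512-byte MBR for a replaced bootstrap region.

Added example, not from the original post. Sample sectors and the baseline
hash are constructed fixtures; the baseline in a real case comes from a
known-good image of the same OS build or a clean sibling host.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"
# entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0x00 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def triage_mbr(sector: bytes, baseline_boot_hash: str) -> dict:
    """Flag an MBR whose boot code, signature or partition table looks wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    return {"suspicious": bool(findings), "findings": findings, "mbr": info}


def build_sector(boot_code: bytes, partitions, disk_sig=b"\x12\x34\x56\x78") -> bytes:
    """Assemble a constructed MBR (test fixture, not read from a real disk)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(64, b"\x00")
    return boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed fixtures. The "clean" prologue is a typical real-mode setup
# (xor ax,ax; mov ss,ax; mov sp,0x7c00; mov es,ax; mov ds,ax); the tampered
# one is an arbitrary stand-in (cli; jmp $), not real malware code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
TAMPERED_BOOT_CODE = b"\xfa\xeb\xfe"
NTFS_PARTITION = [(0x80, 0x07, 2048, 204800)]  # bootable NTFS at LBA 2048

CLEAN_MBR = build_sector(CLEAN_BOOT_CODE, NTFS_PARTITION)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sector(TAMPERED_BOOT_CODE, NTFS_PARTITION)


if __name__ == "__main__":
    # On a real image: with open(image, "rb") as f: sector = f.read(512)
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, triage_mbr(sector, BASELINE_HASH)["findings"])
```

A baseline mismatch only says the sector changed, not by what: boot managers, disk encryption products and OEM recovery tools rewrite boot code legitimately, so the hit is a lead to pull the sector and disassemble it, not a verdict on its own.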

SANS DFIR Summit 2017 Wrapup

SANS DFIR Summit 2017
Awesome presentations, great humor throughout, and well-deserved wins across all of the Forensic 4:cast awards.  It was tough to compete in the same category as Magnet Forensics and Cellebrite, and having been nominated to the top 3 alongside these two was humbling.  It was my first SANS Summit, but it certainly won't be my last; I'm already blocking off my calendar for next year.  It also got me thinking about a book that I had started about a year ago that my graduate work has had on hold...in a few months I think it will be time to pick that research back up. It was also the birth of a revised Twitter handle. Lee Whitfield @lee_whitfield had inadvertently tagged About DFIR in a tweet as a pre-Forensic 4:cast awards announcement, and my good buddy (and…