Forensic Blogs

An aggregator for digital forensics blogs

by

Speaking at Conferences, 2020 edition

As you can imagine, 2020 has been a very "different" year, for a lot of reasons, and impacts of the events of the year have extended far and wide.  One of the impacts is conference attendance, and to address this, several conferences have opted to go fully virtual. 

The Open Source Digital Forensics Conference (OSDFCon) is one such conference.  You can watch this year's conference via YouTube, or view the agenda with presentation PDFs.  Brian and his team (and his hair!) at BasisTech did a fantastic job of pulling together speakers and setting up the infrastructure to hold this conference completely online this year.

Speakers submitted pre-recorded presentations, and then during the time of their presentation, accessed the Discord channel set up for their talk in order to answer questions and generally interact with those viewing the presentation.

I've attended (in person) and spoken at this conference in the past, and I've thoroughly enjoyed the mix of presentations and attendees. This time around, presenting was very different, particularly given that I wasn't doing so in a room filled with people.  I tend to prefer speaking and engaging in person, as well as observing micro-expressions and using those to draw people out, as more often than not, what they're afraid to say or ask is, in reality, extremely impactful and insightful.  

In many ways, an online virtual conference is no different from an in-person event.  In both cases, you're going to have your vocal folks who overwhelm others.  A good example of this was the Discord channel for my talk; even before I logged in for the presentation, someone had already posted a comment about textbooks for DFIR courses.  I have to wonder, much like an "IRL" conference, how many folks were in the channel but were afraid to make a statement or ask a question.

Overall, I do think that the pandemic will have impacts that extend far beyond the wide-spread distribution of a vaccine.  One thought is that this is an interesting opportunity for those doing event planning to re-invent what they do, if not their industry.  Even after we move back to in-person meetings and conferences, there will still be significant value in holding virtual or hybrid events, and planning for such an event to be seamless and easy to access for the target audience will likely become an industry unto itself.

Addendum, 24 Nov: Here is the link to the video for my presentation.

Other videos:
Video for Brian's RDPiece presentation 
Asif's Investigating WSL presentation
Linux Forensics for IoT

by

Decrypting With translate.py

You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, PowerShellScript, …).

Here is an example that I created:

There are 2 BASE64 strings in this script. The first one (cfr. variable $cfii) is the encryption key. The second one (cfr. variable $hctqdvb) is the payload.

The script uses AES encryption, with a 256-bit key, CBC mode, PKCS7 padding and an initialization vector (IV) that is stored in the first 16 bytes of the payload (0..15).

And after the payload is decrypted, it has to be decompressed with the Gzip algorithm.

With base64dump.py, I can find the 2 BASE64 strings in the PowerShell script:

I select the second BASE64 string (payload) to pipe into translate.py, using the following small Python script (decrypt.py) to do the decryption:

from Crypto.Cipher import AES from Crypto.Util import Padding def Decrypt(data): iv = data[0:16] ciphertext = data[16:] key = binascii.a2b_base64(keybase64) oAES = AES.new(key, AES.MODE_CBC, iv) return Padding.unpad(oAES.decrypt(ciphertext), 16)

This small script uses crypto functions from pycryptodome.

I use translate.py in fullread mode (-f –fullread, to “translate” the file in a single step, in stead of byte per byte) and use function Decrypt to decrypt the block of data, like this:

I load the script decrypt.py with option -s, and I pass the key as a BASE64 string via option -e.

The output is non-printable bytes, because the decrypted payload is Gzip compressed. I use translate.py again to do the decompression:

And now the “payload” I used is decrypted and decompressed: “This is a test!”

 

by

oledump Indicators

Each stream and storage can have an indicator in oledump.py‘s output:

You’ll probably know M and m: they are indicators that appear often.

Here is an overview of all possible indicators:

M: Macro (attributes and code) m: macro (attributes without code) E: Error (code that throws an error when decompressed) !: Unusual macro (code without attributes) O: object (embedded file) .: storage R: root entry