Forensic Blogs

An aggregator for digital forensics blogs

by

Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3

Here’s a new beta version of my tool pngdump.py, a tool to analyze PNG files.

I took a look at all files on MalwareBazaar with a PNG tag, and made updates to pngdump.py to handle them.

I found 3 types of “PNG” files.

First, files spoofing PNG files: files that are not PNG files, but have a .png extension.

Like .exe and .rar files:

Second, valid PNG files with an appended payload:

Third, invalid PNG files. For example, PNG files with the right record structure, but where the Zlib compressed image is replaced by an RC4 encrypted payload (IcedID):

I also have other samples, but that’s for another blog post.

Beta version 0.0.3 is available on GitHub.

by

Quickpost: Tuning The Electric Energy Consumption Of My TV

TLDR: reducing the sound volume level of our TV has no (significant) impact on its electric energy consumption, but reducing the back-lighting does.

Here in Belgium, mainstream media is full of news with tips to reduce energy consumption.

Some good tips, some bad tips … That’s mainstream media for you 🙂

Recently, there was an article with the following tip: “reduce the sound volume level of your TV to save energy” … (I’m not linking to this article).

It is true that a speaker (and the audio amplifier) requires power. And that there is a positive correlation between electric energy consumption and sound volume level. Large speakers can draw quite some amps…

But I was a little doubtful that lowering the sound volume level of our TV with a view clicks, would have a significant/measurable impact. Because some time ago, I already made measurements, and our TV drew 120 Watt maximum. So I did not expect a big impact.

Anyways, one has to make measurements to know if there is a (significant) impact or not.

We have a 55 inch QLED Samsung TV from 2018. The test protocol I worked out is the following: start to play a long movie (LoTR) and measure the electric energy consumption during one hour exactly (with a GW Instek GPM-8310 digital power meter). Don’t touch the TV or remote while testing is going on, and make sure that no dynamic settings are enabled that can influence the electric energy consumption (like ambient light based brightness control).

I measured at 3 sound volume levels: 20, 19 and muted. And I did this twice.

Here are the results:

Sound levelElectric energy consumption (Wh)20117,7419117,740 (muted)117,66

For our TV, there’s no difference between a sound volume level of 20 and 19.

And by completely muting the TV, we save 0,08 Watts. That’s a very small amount. To put that in perspective, we would have to watch 125 hours of muted TV to power a 10 Watt LED light-bulb for 1 hour.

Of course, that’s for our TV. If you have a TV with a powerful soundbar and extra speakers, your measurements will be totally different.

While going through all the settings of our TV, there is one thing I noticed: the back-lighting setting was set to its maximum (20).

I reduced the back-lighting to 10 and measured again. That made a significant change: 77,666 Wh in stead of 117,74 Wh (both at sound volume level 20, our usual setting). That’s a 34% reduction in electric energy consumption. That’s a significant reduction, but …, don’t forget that the back-lighting setting happened to be at its maximum.

We will keep it like that for the moment, and see if we still enjoy watching TV.

Quickpost info

by

ResponderCon Followup

I had the opportunity to speak at the recent ResponderCon, put on by Brian Carrier of BasisTech. I'll start out by saying that I really enjoyed attending an in-person event after 2 1/2 yrs of virtual events, and that Brian's idea to do something a bit different (different from OSDFCon) worked out really well. I know that there've been other ransomware-specific events, but I've not been able to attend them.

As soon as the agenda kicked off, it seemed as though the first four presentations had been coordinated...but they hadn't. It simply worked out that way. Brian referenced what he thought my content would be throughout his presentation, I referred back to Brian's content, Allan referred to content from the earlier presentations, and Dennis's presentation fit right in as if it were a seamless part of the overall theme. Congrats to Dennis, by the way, not only for his presentation, but also on his first time presenting. Ever.

During his presentation, Brian mentioned TheDFIRReport site, at one point referring to a Sodinokibi write-up from March, 2021. That report mentions that the threat actor deployed the ransomware executable to various endpoints by using BITS jobs to download the EXE from the domain controller. My presentation focused less on analysis of the ransomware EXE and more on threat actor behaviors, and Brian's mention of the above report (twice, as a matter of fact) provided excellent content. In particular, for the BITS deployment to work, the DC would have to (a) have the IIS web server installed and running, and (b) have the BITS server extensions installed/enabled, so that the web server knew how to respond to the BITS client requests. As such, the question becomes, did the victim org have that configuration in place for a specific reason, or did the threat actor modify the infrastructure to meet their own needs? 

However, the point is that without prior coordination or even really trying, the first four presentations seemed to mesh nicely and seem as if there was detailed planning involved. This is likely more due to the particular focus of the event, combined with some luck delivered when the organizing team decided upon the agenda. 

Unfortunately, due to a prior commitment (Tradecraft Tuesday webinar), I didn't get to attend Joseph Edwards' presentation, which was the one presentation I wanted to see (yes, even more than my own!).  ;-) I am going to run through the slides (available from the agenda and individual presentation pages), and view the presentation recording once it's available. I've been very interested in threat actor's use of LNK files and the subsequent use (or rather, lack thereof) by DFIR and threat intel teams. The last time I remember seeing extensive use of threat actor-delivered LNK files was when the Mandiant team compared Cozy Bear campaigns.

Going through my notes, comments made during one presentation kind of stood out, in that "event ID 1102" within the RDPClient/Operational Event Log was mentioned when looking for indications of lateral movement. The reason this stood out, and why I made a specific note, was due to the fact that many times in the industry, we refer to simply "event IDs" to identify event records; however, event IDs are not unique. For example, we most often think of "event log cleared" when someone says "event ID 1102"; however, it can mean something else entirely based on the event source (a field in the event record, not the log file where it was found). As a result, we should be referring to Windows Event Log records by their event source/ID pairs, rather than solely by their event ID. 

Something else that stood out for me was that during one presentation, the speaker was referring to artifacts in isolation. Specifically, they listed AmCache and ShimCache each as artifacts demonstrating process execution, and this simply isn't the case. It's easy for many who do not follow this line of thought to dismiss such things, but we have to remember that we have a lot of folks who are new, junior, or simply less experienced in the industry, and if they're hearing this messaging, but not hearing it being corrected, they're going to assume that this is how things are, and should be, done.

What Next?
ResponderCon was put on by the same folks that have run OSDFCon for quite some time now, and it seems that ResponderCon is something a bit more than just a focused version of OSDFCon. So, the question becomes, what next? What's the next iteration, or topic, or theme? 

If you have thoughts, insights, or just ideas you want to share, feel free to do so in the comments, or via social media, and be sure to include/tag Brian.