eForensics Magazine, September 2021: Hunting Endpoints for Forensic Artifacts (preview)
This month we have prepared a set of 10 texts for you, including practical tutorials, tools reviews, and classic articles about the latest threats and challenges in the digital industry.
Wondering how to hunt for and gather information of forensic value to support incident response and threat hunting? Or would you like to learn how the Endpoint Security Framework (ESF) was introduced to MacOS in response both to the security industry's demands and to Apple's plan to withdraw Kernel Extension (KEXT) access in later versions of the operating system? The answers to these questions, together with the key points of interest in ESF, including its intended purpose, its usage, and the issues encountered in real-life deployments, can be found in this issue!
Did you think that was it? Of course not! We also bring you a practical tutorial on conducting a forensic investigation of the Xbox One S console, which walks you step by step through the process and shows what data can be recovered from the device. In this issue you will also find out whether we are in danger of a cyberwar, and what cyberterrorism actually is. We devote an entire article to cryptocurrencies and crypto-jacking, presenting the risks associated with this means of payment and the protective measures available. And the next installment of our video forensics analysis tools review rounds out the edition!
Intrigued? Do not hesitate and read this compendium of knowledge and fun!
Check out our Table of Contents below for more information about each article (we included short leads for you).
We hope that you enjoy reading this issue! As always, huge thanks to all the authors, reviewers, to our amazing proofreaders, and of course you, our readers, for staying with us! :)
and the eForensics Magazine Editorial Team
TABLE OF CONTENTS
Endpoint Security Framework (ESF) MacOS Subsystem For Real Time Detection, What Is It And How Can We Use It?
by Connor Morley
This paper covers the nature of the Endpoint Security Framework (ESF) and why it was introduced, how ESF can be used in active threat detection, the issues with data collection, and an example use case against the Meterpreter agent on MacOS 11.2.2. ESF is the relatively new security auditing subsystem that Apple introduced to give the security industry a single source for its endpoint telemetry needs. Released in MacOS 10.15 in 2019, ESF provides real-time telemetry on the monitored system for detection and automated defensive purposes. However, despite the component being introduced in 2019, it was not until late 2020 that most of the industry started taking notice, judging by the blog posts and proof-of-concept code that began to appear. So, now that ESF is part of the MacOS environment, why should we use it and what are its benefits? The paper highlights the key points of interest in ESF, including its intended purpose, its usage, and issues encountered during real-life deployment. It also explains why Apple introduced ESF, in response both to security industry requirements and to the company's plan to deprecate Kernel Extension (KEXT) access in later OS versions. Although the deprecation warning was introduced in 10.15.4, KEXTs still work at 11.2; how long that remains the case has yet to be outlined by Apple.
Digital Forensics Investigation on Xbox One S Console
by Dr Pooneh Bagheri-Zadeh and Keeley Stainthorp
In the ever-evolving digital age, game consoles play a huge role in the day-to-day lives of many people and are used for much more than inserting a disc and playing games. Consoles now provide a multitude of functions, such as playing online with others, taking part in chats and video calls, surfing the web, and storing files. It is arguable that more functionality results in more artefacts that can be extracted from the device. Newspapers have reported several crimes committed via game consoles, particularly adults engaging in inappropriate conversations with children, as in the case of Adam Isaac (BBC News, 2017). There have also been incidents involving drug dealing and terrorist activity, which underlines the importance of gathering evidence from game consoles. This research presents a digital forensics investigation of the Xbox One S, including analysis of its partitions, its file system, and other data held on the console.
Cyber-Attack Case Study Report
by Nikhil S. Mahadeshwar
Cyber-attacks on organisations are now inevitable. Security is no longer only about preventing attacks; it is about preparing for them, which means finding them and dealing with them in real time. The longer a cyber-attack goes undetected (on average 154 days), the more damage it does to the business and the more it costs the business to recover. A recent attack on the victim company, referred to here as Site 1, took place on 2nd February 2021 and severely undermined the integrity of its security: ransom emails were sent to employees on different days and at different times, but the incident was only reported on 3rd February. The attack breached sensitive data belonging to the company's assets, which was to be put up for sale online if the ransom demands were not met. Site 1 initially engaged our organization to handle the incident. According to the ransom email submitted by the victim company, the "ALTDOS" group is behind this cyber strike; the group is notorious for specifically targeting stock exchanges and financial institutions.
Endpoint Incident Response with PowerShell – Hunting Endpoints for Forensic Artifacts
by Pathum Joseph
Incident Response is the process of handling an incident once it has occurred within a computer system or network. The process involves several stages, from detection to containment. Incident response is a vital part of today's cyber security world, and many organizations either have their own incident response team or engage third-party resources to perform investigations during a breach or attack. This requires technical depth and competency, years of experience in the cyber security domain, and hands-on experience in real-world cases. The aim of this guide is to assist cyber security professionals when an incident occurs. There is a common myth that you need enterprise-level tools in your arsenal to perform incident response. However, you can perform complete incident response and forensic data gathering without them. The author used PowerShell, which ships with every current version of Windows. This guide illustrates how to hunt for and gather information of forensic value to aid incident response and threat hunting activities.
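The kind of built-in-tooling collection the lead describes, as an added example (this is not the article's own script): a small PowerShell triage function that gathers the volatile and persistence artifacts most IR playbooks ask for first, writes each set to CSV, and hashes the output so the collection can later be shown to be unaltered. It assumes Windows 10/11 or Server 2016+, PowerShell 5.1 or later, and an elevated prompt; the output directory, the 7-day event window and the function name are arbitrary choices for this example.

```powershell
# Added example, not the article's code. Assumes Windows 10/11 or Server 2016+,
# PowerShell 5.1+, elevated prompt. Output path and event window are arbitrary.
function Invoke-TriageCollection {
    param(
        [string]$OutDir = "$env:SystemDrive\Triage\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
        [int]$EventDays = 7
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $since = (Get-Date).AddDays(-$EventDays)

    # 1. Volatile data first: processes with parent PID, command line and image hash.
    #    The hash lets you check each binary against threat intel after collection.
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath,
            @{ n = 'SHA256'; e = {
                if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
                    (Get-FileHash -Algorithm SHA256 -LiteralPath $_.ExecutablePath).Hash
                } } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

    # 2. TCP connections joined to the owning process name.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{ n = 'ProcessName'; e = { $byPid[[int]$_.OwningProcess] } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'netconns.csv')

    # 3. Persistence: Run/RunOnce keys, enabled scheduled task actions, services.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
        $key = $_
        # Get-ItemProperty adds PSPath/PSParentPath/... noise; keep only real values.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'autoruns.csv')

    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $task.Actions | ForEach-Object {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'scheduledtasks.csv')

    Get-CimInstance Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'services.csv')

    # 4. Event log slices: logons, failed logons, privileged logons, account and
    #    task creation (Security) plus new service installs (System 7045).
    #    -ErrorAction SilentlyContinue covers the "no events found" error.
    $filters = @(
        @{ LogName = 'Security'; Id = 4624, 4625, 4672, 4720, 4698; StartTime = $since },
        @{ LogName = 'System';   Id = 7045;                         StartTime = $since }
    )
    $filters | ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue } |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'events.csv')

    # 5. Manifest: hash every artifact (collected into a variable before writing, so
    #    the manifest does not try to hash itself mid-enumeration).
    $hashes = Get-ChildItem -LiteralPath $OutDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path -Leaf $_.Path } }, Hash
    $hashes | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')

    return $OutDir
}

# Usage (example): Invoke-TriageCollection -OutDir 'E:\triage\host01' -EventDays 3
```

Two practical caveats: point `-OutDir` at removable media or a network share rather than the suspect system's own disk, and record when the collector ran, because the collector itself creates a process, reads registry keys and touches the event log API, all of which leave traces an examiner must be able to distinguish from the attacker's. `Get-NetTCPConnection` comes from the NetTCPIP module, so it is absent on Windows 7; there, `netstat -ano` is the fallback.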
Crypto-Jacking: A New Gold Rush. Threats And Prevention
Money is fundamental to every human society, and currency has become an integral part of our lives. The concept of money emerged after centuries of reliance on barter. It later took the form of coins made of silver or gold, and then of government-issued paper currency. With advances in technology, paper currency has given way to cards, such as credit and debit cards, and monetary transactions now routinely happen online. As technology develops further, money can change hands without the involvement of banks or other authorities, in what we now call cryptocurrencies. Those same advances, however, allow attackers to mine cryptocurrency on other people's machines without their consent. Crypto-jacking takes many forms across the cyber world, and individuals and large organizations alike now fall victim to it.
by James A (Jim) McCoy, Jr
What comes to mind when you think of terrorism? September 11. Osama bin Laden and Al Qaeda. ISIS. Suicide bombs. Hijacking. Perhaps even the Unabomber or Timothy McVeigh and the Oklahoma City bombing. How many of us turn our thoughts to the internet, cell phones, social media, hacking, ransomware, cryptocurrency? In the business of e-forensics, this is where your mind should turn.
Creating A Safe Environment For OSINT Investigations
by Jeff Minakata
In this article, we will talk about creating a safe environment for our OSINT (open source intelligence) investigations and why we need to take steps to protect ourselves. We will set up a virtual machine along with one or more sock puppet accounts, and discuss some of the pitfalls along the way. To follow the article in its entirety, you will need to be able to install software on your computer, and have about 8 GB of memory and about 40 GB of free disk space. You will also want to make sure that virtualization is enabled in your system BIOS, since we will be installing a virtual machine.
Cyber War. Are We Prepared For Defense And Predictive Response?
by Longinus Timochenco
The international scope of the Internet and the global reach of technology require the GLOBAL legislative system to address issues related to the application and implementation of international law. However, the complexities of cyberspace and the dynamic nature of technological innovation call for a cyber defense framework that fits within no current legal system. A further complication is the lack of comprehensive international cyber defense cooperation treaties, which means that many countries are neither adequately prepared nor protected by legislation in the event of a cyber attack at the national level. For the purposes of this article, cyber warfare is defined as the use of exploits in cyberspace as a way of intentionally causing harm to people, assets or economies. It can also be defined as the use and management of information in search of competitive advantage over an opponent, involving "the collection of tactical information, ensuring that the information itself is valid, dissemination of propaganda or disinformation among the enemy, impairing the quality of opposing force information and denial of service or information gathering opportunities for opposing forces." The article addresses some aspects of the changing face of cyber warfare, with a specific focus on international cyber defense collaboration, and analyzes some international technological revolutions. It also addresses international cyber warfare and the influence of cyber defense on a government's international standing, and concludes with recommendations on how to work toward international collaboration in cyber defense. Whatever is to come, protection and defense are necessary for our survival; we cannot ignore this fact, our LIFE is DIGITAL and we must protect it. Cyber crime is already an evil industry, and together we can stay one step ahead and respond accordingly.
Video Forensics Analysis Tools - Review
by Daniele Giomo
Amped FIVE ("FIVE" is the acronym for "Forensic Image and Video Enhancement") is proprietary software developed by Amped. It processes images and video for forensic, investigative and public security applications and brings a variety of functions together in a single solution. The main application of Amped FIVE is the enhancement of crime scene images and video captured with the most disparate devices, such as digital cameras, surveillance systems or mobile phones.
Quantum technology sub-elements 2021
by Kevin Coleman
Quantum technology burst onto the scene a few years back and has drawn over a dozen countries into the race to capitalize on its development and evolution. The expansion of quantum technology is now a huge challenge for all of us, and if that is not a big enough problem already, it is growing significantly and will continue to do so. Analysis in mid-2021 identified fourteen sub-elements that make up quantum technology.