Posts

MITRE Attack coverage based on detection rules

Everyone in Information Security knows about the MITRE ATT&CK® framework. From the website: "[...] is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community." This is a short blog post, a bookmark for the related GitHub repository attack-coverage: but what is the project about? Working as DFIR consultants for different customers, we have to manage different levels of maturity, technologies and processes, all related to safeguarding customers' infrastructures. Think about the CSOCs, some outsourced, some not: from a reactive point of view, they will be called into action when something is triggered, most of the time automatically by some tools. Who defines those triggers? Which scenarios are covered by t

Checkra1n Era - Ep 6 - Quick triaging (aka from the iPhone to APOLLO, iLEAPP and sysdiagnose in 6 minutes)

Over the last months, a lot of research based on the checkm8 exploit was done. On data acquisition: Belkasoft, Cellebrite and MSAB developed a "forensic-oriented" implementation of the checkm8 exploit. Elcomsoft, Oxygen and Magnet Forensics support a full file system extraction of a checkra1ned device. My iOS BFU Triage script is a valid option for quickly acquiring test devices. Ian Whiffin & Shafik G. Punja wrote a detailed guide on how to use checkra1n and iOS BFU Triage script on Mac OS X. Moreover, Elcomsoft and Belkasoft released an update of their tools to obtain a full file system acquisition of a wide range of iOS devices based on an "agent", and a new version of unc0ver came out last week: it is based on a zero-day exploit and affects all the iOS versions from 11 to 13.5. We can say that, compared to one year ago, it is easier to jailbreak an iOS device and obtain a full file system acquisition, also taking in

BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period. I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)". If you are interested in taking a look at the presentation, it is available here: https://www.dropbox.com/s/kxnhqyyyr8yk1h5/BYOM_Forensic.pdf?dl=0

During the presentation I shared some concepts I consider as "fundamentals" if you are working in this field. For each category, I provided some resources that can help in building or improving your methodology. I decided then to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.

KNOWLEDGE

Mobile OS Architecture and Security books

| Title | Authors | URL |
| --- | --- | --- |
| Android Internals | Jonathan Levin | http://newandroidb

teleparser

Sometimes you need something open... This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born with a real case a few months ago. Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major well-known commercial solutions are unable to properly parse that database: or, if able, they provide slightly different results. Again, the db content represents crucial evidence. On which tools' outputs, if any, would you rely to report evidence? That's a classical example where the digital investigator must be able to explain every single bit there (theoretically, he should always be). Point is, the cache4.db is not just a simple SQLite database, but it's a SQLite database containing a lot of binaries

Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!")

After my third post on how to automate an extraction BFU, my great friend, colleague and fellow citizen Giovanni 'sug4r' Rattaro, Tsurugi Linux team leader and core developer, wrote me a message saying: "Belin Mattia! You had a great idea! But we can quickly improve your script!" And I answered: "Yes, why not. How is it going for you in the next couple of weeks? Do you have time?". And Giovanni: "No, I have to deliver the newest version of Tsurugi before Christmas. But still, we can do it!". And I said: "I am also very busy. But yes, we can do it!". Starting from my original idea, we completely redesigned and organized the script, both in terms of "user interface" (thanks Giovanni for the idea of using ncurses menu!) and functions. Still, our script is a PoC and must be used just for testing, studying, developing and learning purposes. It is not meant to be a "forensic tool", but we decided in any case to c