CoRIIN is a French cybersecurity conference and its name means: “Conférence sur la réponse aux incidents & l’investigation numérique”, which can be translated by Incident Response & Digital Forensics Conference. Even if we’ve attended CoRIIN since a few years, it’s the first time that we write a blogpost about it.
A few consultants from RandoriSec attended the conference and for the first time we gave a talk about iOS forensics. Please find a quick review of our favorite talks and also a summary of our talk. You can find the complete agenda with slides of the presentations on the Cecyf website.
Investiguer et détecter la menace du phishing : Adversary-in-The-Middle – Grégoire Clermont and Quentin Bourgue
Grégoire and Quentin presented their research on the hunting of phishing infrastructures.
Adversary in the middle is a technic now widely used by attackers to bypass MFA checks. The victim is lured to a phishing webpage which relays the credentials to the targeted service. The MFA challenge received from the targeted service is relayed to the victim by the phishing page. Such phishing frameworks are for rent between $120 and $1000 per month, depending on the features.
The evilginx project which was presented in 2017 hasn’t been used in the wild until 2022 according to the researchers and new frameworks are now available : dadsec and tycoon are the most widespread as of today.
To hunt such infrastructures, analysts can use known patterns, such as service-specific endpoints on unknown domains, specific frameworks or filenames. While these frameworks are efficient at MFA relaying, there are still some glitches : browser user agent not properly relayed, default service banners, source IP addresses in hosting AS ranges.
VolWeb, Une plateforme opensource d’analyse forensique de la mémoire – Félix Guyard
This talk from Félix Guyard reminded us of the value of RAM forensics, it is sometimes the only option for stealthy threats. Volatility is one of the most well-known utilities for RAM forensics. It is open source and can be used from the command line or as a library. Volweb uses volatility as a library, bringing a Web-based UI and several features to analysts. It allows for a client-server logic where the compute heavy tasks run on the server, this can make the general workflow more efficient, where the memory processing has to run once and the result of the extraction can be shared amongst analysts. Volatility has a terminal centric workflow, the web interface is an alternative for analysts. Volweb allows the analysis to be done by several people and its results to be shared, as an example it can generate STIX files for IOCs. Even though it is not meant to replace volatility, it is a tool that can help your analysis.
Recupération avancée en systèmes de fichiers exFAT et NTFS – Yves Vandermeer
We have all faced data loss on our hard drives due to accidental formatting, but others do it to erase their tracks.Yves Vandermeer presented the “Carving” method to attempt data recovery during technical analyses to obtain “exploitable evidence”. The elements he seeks to recover include the filename, directory name, file path, file type, file timestamp, etc.
He begins by explaining that depending on the file system (NTFS, exFAT) and partition structure, data can be fragmented or damaged, which can result in partial file recovery. In the demonstration, Yves Vandermeer uses a disk image containing non-fragmented files and the PhotoRec tool to recover “lost” data. PhotoRec scans the disk for file signatures and generates a report of found files, giving them a name and their position on the disk. However, mere file recovery does not constitute compelling evidence for an investigation, as no contextual information (such as who, why, when, etc.) is associated with the recovered files.
To go further, Yves Vandermeer uses a private investigation tool with a graphical interface in which he can read data content in ASCII. In this software, he can enter several parameters such as system architecture (to indicate the bit reading direction, “little-endian” or “big-endian”), jump to the desired specific position on the disk, enter block size, and other parameters not explained in the demonstration.
He then explains how, using a mathematical formula searching for multiple unknowns, he retrieves the various blocks of a file.
From there, we can traverse this data block to search for useful information for the investigation by analyzing and comparing the data bits in ASCII. He manages to retrieve various technical information such as the filename, file access path (which identifies the user account), directory, etc. By cross-referencing the data collected by the two tools, the files become exploitable evidence.
An important remark is made: if the bits have changed state, it may be impossible or very difficult to identify and recover the data.
Apple sysdiagnose pour l’analyse inforensique iOS – Amel Khamoum, Jérôme Rouaix and Davy Douhine
With the proliferation of mobile devices in the workplace and the BYOD phenomenon, the need for fast, automatable, accessible and privacy-respecting analysis becomes more and more pressing. Because despite MDM, MTD, XDR and other solutions, mobile platforms remain vulnerable and are sometimes compromised.
Several different techniques can be used to carry out a computer analysis depending on the objectives and the means available. After exposing the problem, the presentation detailed the different techniques and in particular the one based on a native Apple functionality: sysdiagnose. Not very intrusive, it requires neither a complete extraction of the file system nor a jailbreak. Also, we presented our contribution: scnr, an open source tool simplifying the analysis and scanning of complex files generated by sysdiagnose. The presentation is available here.