DFIR – Page 16 – Baker Street Forensics

Magnet 2022 CTF – iOS15

One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There’s several recommended tools listed in the challenge summary. For me the tools used were:

Magnet Axiom Cyber – [request a free trial]
iLEAPP
Decode
Unfurl
Excel (yup, an old friend returns)

Once you’re registered, process the evidence with Magnet and iLEAPP. The other tools we’ll touch on coming up.

WARNING: SPOILERS AHEAD

Don’t read ahead if you’re still working on the challenges. If you get stuck and want to see how I chose to solve it… then read on friend.

Continue reading →

AXIOM, YARA, GitHub – Oh My!

DFIR, PowerShell, yara

Version 6 of Magnet Axiom added support for YARA rules. By default the installation ships with the free Open-Source YARA rules from Reversing Labs. These YARA rules may be updated within Axiom periodically. In addition to the included rules, AXIOM supports adding your own YARA source folders.

If you need to update the included rules on demand, you can do so with a PowerShell script and the GitHub CLI. The script below can be used to update the included rules, as well as other YARA sources you may be using within Axiom.

Prerequisites:

Prior to running the script you’ll need to install GitHub CLI
Once installed run gh auth login to establish authentication with GitHub
When running the script you will need to run as an Administrator in order for the file-copy to ~\ProgramFiles to be successful

Set the working directory to the local git repository for the YARA rules

Set-Location C:\GitHub\reversinglabs-yara-rules\

Sync the repository; requires github CLI https://cli.github.com/

gh repo sync

Create local archive directory

mkdir C:\Archives -Force

Backup the existing YARA rules in Axiom

Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip

Variable for date/time

$timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." }

Set the working directory to the Archives location

Set-Location "C:\Archives"

Rename the archive with timestamp

Get-ChildItem -Filter 'AxiomYARA' -Recurse | Rename-Item -NewName {$_.name -replace 'AxiomYARA', $timestamp }

Copy new YARA rules to Axiom

robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"

Now let’s run it all together in a single script:

Set-Location C:\GitHub\reversinglabs-yara-rules\ gh repo sync mkdir C:\Archives -Force Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip $timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." } Set-Location "C:\Archives" Get-ChildItem -Filter 'AxiomYARA' -Recurse | Rename-Item -NewName {$_.name -replace 'AxiomYARA', $timestamp } robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"

That’s all there is to it. If you’ve got multiple repositories to sync, just add lines to cd (Set-Location) into those directories and repeat the gh repo sync command.

Feel free to copy the code above, or you can download directly from my GitHub.

Are you utilizing YARA rules within AXIOM? If so, leave a comment on what are some that you’ve found useful.

Play it Again Sam – A Recap of MUS 2022

CTF, DFIR, Presentations

I had a wonderful time participating in the Magnet User Summit, both in person and virtually. After 2 years of participating virtually, it was my first time attending the Summit in person. It was great to meet for the first time in person, not just many of my coworkers, but many of the regulars in my Twitter stream as well. What a gathering of brilliant, yet equally humble, investigators.

During the Summit I participated on a panel about Bringing your Forensics Lab to the Cloud. I also had fun co-presenting on two talks, Walkthrough of a BEC (Business Email Compromise) and. Walkthrough of a Ransomware Investigation, where we looked at the examinations from a Law Enforcement and from a corporate perspective.

There was the surreal moment of realizing that the boss doesn’t just rock, he ROCKS!

This year there was an in person and a virtual CTF with separate evidence and challenges. For the in-person CTF we examined a Linux laptop and an iPhone. Also, the long anticipated Dark Mode is a treat for the retinas.

For the virtual CTF the evidence sources were a Windows image and an Android mobile device, and a Google TakeOut. I surprised myself with how well I did on the Android and that hasn’t been my area of expertise.

During the virtual summit I enjoyed sharing my presentation, Free Tools for DFIR Triage Collections. Special thanks to everyone who engaged with me during and after the presentations, and from all different time zones. Your support was very much appreciated. If you missed it during the Summit or want to watch it again, you can head over to the Presentations page.

You can also check out all the other recorded presentations from the 2022 Magnet User Summit via the link below.

Magnet Summit 2022 Replays

Swag for Charity

DFIR

You can now get Baker Street Forensics swag, everything from shirts and stickers to onesies and pillows. I’m especially fond of the notebooks. I worked with a number of independent artists to commission a few new logo designs. This is where I need your help.

What’s your favorite of the designs? The winner will be the default logo for bakerstreetforensics.com
All proceeds from the sales will be donated to charity. Do you have a charity you’d like to nominate? The charity with the most votes will receive the proceeds.

Let me know your votes with a comment below, then visit the merch page, or click here to go direct to the store. Thank you for your support.