1\ #DFIR: Chrome Forensics - How to Recover CLEARED History

If a user just cleared their browser history, you can still recover everything they were just looking at from the session files:

%appdata%\Local\Google\Chrome\User Data\Default\Sessions

inversecos.com/2022/10/recove…
2\ In some instances (more on this) the session and tab files inside that folder show the webkit/chrome date for when the session was exited.

This allowed me to put together a full timeline of what this naughty boy was doing *BONK*
3\ Historically, evidence of cleared history was in the Favicons file, but this is INCONSISTENT. Specifically under the table named "icon_mapping".

%appdata%\Local\Google\Chrome\User Data\Default\Favicons
4\ Some evidence of deleted searches is stored in “global-entities_metadata” - Chrome’s way of optimising search.

I don't recommend this artefact!

%appdata%\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\<str>\global-entities_metadata
5\ Evidence of data being cleared was also historically pulled from the Chrome Preferences file:

%appdata%\Local\Google\Chrome\User Data\Default\Preferences

Under the "browser.last_clear_browsing_data_time"
But this is not a thing anymore.
6\ There are three forensic scenarios I cover in the blog, all with different artefacts:

1. A user cleared their history and has not used Chrome since

2. A user cleared their history and re-opened ONE new session

3. A user cleared their history and has re-opened several sessions since
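Added triage helper for the artefacts named in tweets 1-5 (this is an added example, not the author's code or anything from the linked blog). It assumes three things the thread does not state: that Session_/Tabs_ file names in the Sessions folder carry a WebKit timestamp (microseconds since 1601-01-01 UTC), that URLs inside those binary files sit as plain bytes so a regex carve is enough for a first pass, and that the Favicons database has an icon_mapping table with a page_url column. The sample session bytes and the in-memory Favicons stand-in are constructed.

```python
"""Triage the Chrome artefacts from the thread: Sessions folder and Favicons DB.

Added example. Assumptions not stated in the thread:
  * Session_<digits> / Tabs_<digits> names carry a WebKit timestamp
    (microseconds since 1601-01-01 UTC).
  * URLs inside the binary session files are stored as plain bytes, so a
    regex carve is enough for first-pass triage (no full SNSS parser here).
  * The Favicons SQLite database has an icon_mapping table with page_url.
"""
import re
import sqlite3
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_OFFSET_S = 11_644_473_600            # seconds from 1601-01-01 to 1970-01-01
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable-ASCII run after a scheme
SESSION_NAME_RE = re.compile(r"^(Session|Tabs)_(\d+)$")  # assumed naming convention


def webkit_to_datetime(ts_us: int) -> datetime:
    """WebKit/Chrome timestamp (microseconds since 1601-01-01 UTC) -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts_us)


def webkit_to_unix(ts_us: int) -> int:
    """Same conversion as whole Unix seconds, for timeline tools."""
    return ts_us // 1_000_000 - UNIX_EPOCH_OFFSET_S


def session_file_time(filename: str):
    """(kind, datetime) for a Session_/Tabs_ file name, or None for anything else."""
    m = SESSION_NAME_RE.match(filename)
    if not m:
        return None
    return m.group(1), webkit_to_datetime(int(m.group(2)))


def carve_urls(blob: bytes) -> list:
    """Carve URLs from a raw session/tab file: order preserved, duplicates dropped."""
    out, seen = [], set()
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii").rstrip("\"'),;")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def triage_sessions_dir(sessions_dir) -> list:
    """One (file name, exit time or None, carved URLs) tuple per file in the folder."""
    rows = []
    for p in sorted(Path(sessions_dir).iterdir()):
        if p.is_file():
            info = session_file_time(p.name)
            rows.append((p.name, info[1] if info else None, carve_urls(p.read_bytes())))
    return rows


def open_readonly(db_path) -> sqlite3.Connection:
    """Open an evidence copy read-only so triage cannot modify it."""
    return sqlite3.connect(f"file:{Path(db_path).as_posix()}?mode=ro", uri=True)


def favicon_page_urls(con: sqlite3.Connection) -> list:
    """Distinct page URLs still present in icon_mapping (assumed schema)."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT page_url FROM icon_mapping ORDER BY page_url")]


# ---- constructed sample data, not real evidence ----
SAMPLE_TS = 13_300_000_000_000_000               # 2022-06-18 04:26:40 UTC
SAMPLE_SESSION = (
    b"SNSS\x01\x00\x00\x00"
    + b"\x00\x06\x00\x00https://example.com/cleared-page?q=1\x00\x00\x00"
    + b"\x00\x06\x00\x00http://intranet.example/login\x00\x00\x00"
    + b"https://example.com/cleared-page?q=1\x00")  # repeat, must be de-duplicated


def build_sample_favicons() -> sqlite3.Connection:
    """In-memory stand-in for a Favicons DB with the assumed icon_mapping table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE icon_mapping (id INTEGER PRIMARY KEY, page_url TEXT, icon_id INTEGER)")
    con.executemany("INSERT INTO icon_mapping (page_url, icon_id) VALUES (?, ?)", [
        ("https://example.com/cleared-page?q=1", 1),
        ("http://intranet.example/login", 2),
        ("https://example.com/cleared-page?q=1", 1)])
    return con


if __name__ == "__main__":
    # No argument: run on the constructed sample. Otherwise point it at an
    # exported copy of ...\User Data\Default\Sessions.
    if len(sys.argv) > 1:
        for name, exited, urls in triage_sessions_dir(sys.argv[1]):
            print(name, exited, *urls, sep="\n  ")
    else:
        print("exit time:", webkit_to_datetime(SAMPLE_TS))
        print("carved:", carve_urls(SAMPLE_SESSION))
        print("favicon pages:", favicon_page_urls(build_sample_favicons()))
```

Work from an exported copy of the profile folder, never the live one: Chrome rewrites the Sessions files on exit, and the read-only URI open keeps the Favicons copy untouched while you query it.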
7\ Add me on battlenet if you want to play OVERWATCH with me. My username is animeb00bs#1424.
I'll blame my bad gameplay on YOU. Obviously.

More from @inversecos

Oct 13
1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then says they didn't do it O_o

inversecos.com/2022/10/how-to…
2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?
3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross-correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY
Aug 23
1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to…
2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)
3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All
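Added example for METHOD 1 above (not the author's code or anything from the linked blog): it pulls consent URLs out of a list of browser-history or proxy URLs, extracts client_id, redirect_uri and scope, and flags the scopes the thread lists. The trusted client IDs and redirect hosts are inputs you would take from your own tenant's app registrations; the sample URLs and IDs below are constructed.

```python
"""Hunt OAuth consent links in browser-history / proxy URL lists (added example).

Not the author's code. Trusted client IDs and redirect hosts are inputs you
supply from your tenant's app registrations; the sample URLs are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Scopes the thread calls out; matched on the short name so fully qualified
# forms like https://graph.microsoft.com/Mail.ReadWrite also hit.
HIGH_RISK_SCOPES = {"User.Read", "User.ReadWrite", "User.ReadWrite.All", "Mail.ReadWrite",
                    "Calendars.ReadWrite", "Files.ReadWrite", "User.Export.All"}


def is_consent_url(url: str) -> bool:
    """True for an authorization-endpoint URL (.../oauth2/.../authorize)."""
    path = urlparse(url).path
    return "/oauth2/" in path and path.rstrip("/").endswith("/authorize")


def parse_consent_url(url: str) -> dict:
    """Pull the fields the thread says to note out of the query string."""
    q = parse_qs(urlparse(url).query)

    def first(key):
        return q.get(key, [None])[0]

    scopes = (first("scope") or "").split()
    redirect = first("redirect_uri")
    return {
        "client_id": first("client_id"),
        "redirect_uri": redirect,
        "redirect_host": urlparse(redirect).hostname if redirect else None,
        "scopes": scopes,
        "high_risk_scopes": sorted(s for s in scopes
                                   if s.rsplit("/", 1)[-1] in HIGH_RISK_SCOPES),
    }


def hunt(urls, trusted_client_ids, trusted_redirect_hosts) -> list:
    """One record per consent URL, with the reasons an analyst should look closer."""
    findings = []
    for url in urls:
        if not is_consent_url(url):
            continue
        rec = parse_consent_url(url)
        reasons = []
        if rec["client_id"] not in trusted_client_ids:
            reasons.append("untrusted_client")
        if rec["redirect_host"] not in trusted_redirect_hosts:
            reasons.append("untrusted_redirect")
        if rec["high_risk_scopes"]:
            reasons.append("high_risk_scopes")
        rec["reasons"] = reasons
        findings.append(rec)
    return findings


# ---- constructed sample input: two consent links and one unrelated URL ----
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000aa&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapps.corp.example%2Fcb&scope=openid%20User.Read",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000bb&response_type=code"
    "&redirect_uri=https%3A%2F%2Fconsent.attacker.invalid%2Fcb"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite",
    "https://www.example.com/news",
]
TRUSTED_CLIENTS = {"00000000-0000-0000-0000-0000000000aa"}      # constructed
TRUSTED_REDIRECT_HOSTS = {"apps.corp.example"}                  # constructed

if __name__ == "__main__":
    for rec in hunt(SAMPLE_URLS, TRUSTED_CLIENTS, TRUSTED_REDIRECT_HOSTS):
        print(rec["client_id"], rec["redirect_host"], rec["reasons"], rec["high_risk_scopes"])
```

Every consent URL is returned, not only the untrusted ones, because a sanctioned app that suddenly asks for Mail.ReadWrite is exactly the case worth a second look.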
Aug 5
1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…
2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" shows on a file.

There's also a correlating WAL that contains uncommitted data :3
3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>
Jun 22
1\ #ThreatHunting: How to detect Linux anti-forensics log tampering

Attackers can alter the utmp, wtmp, btmp files to hide malicious logon attempts by:

> Zeroing entries out in hex
> Overwriting the files with a malicious copy

BLOG POST BELOW 👇 UwU
inversecos.com/2022/06/detect…
2\ Method 1: Zeroing entries in hex

This leaves OBVIOUS AF traces. Look for entries with zeros, and datetime defaulting to 1970. You can also review timestamps (covered in thread 4).

I highlighted in purple where you zero out the data in hex.
3\ Method 2: Overwriting the file

Overwrite the entire entry with a "cleaned" version. In this example I removed all lines pertaining to "sansforensics" logging in. Timestamp detection is the best method to discover this technique.
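Added detection for both methods above, written by me rather than taken from the thread or blog: it decodes wtmp/btmp/utmp records and flags the patterns described, i.e. records that are all nulls, timestamps that defaulted to 1970, and timestamps that run backwards relative to the preceding record (the cheap check for an overwritten file). It assumes the 384-byte x86_64 glibc struct utmp layout; the sample records are constructed.

```python
"""Spot zeroed / time-anomalous records in utmp-style logs (wtmp, btmp, utmp).

Added example, not the author's code. Assumes the 384-byte x86_64 glibc
struct utmp layout; check <bits/utmp.h> on the system you are examining.
"""
import struct
import sys
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2),
# ut_session, ut_tv(sec, usec), ut_addr_v6(4), unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)     # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(b: bytes) -> str:
    return b.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(blob: bytes) -> list:
    """Decode every full record into a dict; trailing partial bytes are ignored."""
    records = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        raw = blob[off:off + UTMP_SIZE]
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _sess,
         sec, usec, *_addr) = struct.unpack(UTMP_FMT, raw)
        records.append({
            "offset": off, "type": ut_type, "pid": pid, "line": _cstr(line),
            "user": _cstr(user), "host": _cstr(host), "sec": sec, "usec": usec,
            "zeroed": raw == b"\x00" * UTMP_SIZE,
        })
    return records


def audit_utmp(records: list) -> list:
    """(offset, kind, detail) findings for the tampering patterns in the thread."""
    findings, prev_sec = [], None
    for r in records:
        if r["zeroed"]:
            findings.append((r["offset"], "zeroed", "record is all null bytes"))
            continue
        if r["sec"] == 0:
            findings.append((r["offset"], "epoch", "timestamp is 1970-01-01 (null time)"))
        elif prev_sec is not None and r["sec"] < prev_sec:
            findings.append((r["offset"], "backwards",
                             f"{r['sec']} is earlier than preceding record {prev_sec}"))
        if r["sec"]:
            prev_sec = r["sec"]
    return findings


def make_record(ut_type, pid, line, user, host, sec) -> bytes:
    """Pack one record; used only to build constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed wtmp: a normal login, a zeroed-out record, a login, and a
# logout whose time precedes its own login (what a sloppy overwrite leaves).
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "analyst", "10.0.0.5", 1655526400),
    b"\x00" * UTMP_SIZE,
    make_record(USER_PROCESS, 1302, "pts/1", "svc", "10.0.0.9", 1655530000),
    make_record(DEAD_PROCESS, 1302, "pts/1", "", "", 1655520000),
])

if __name__ == "__main__":
    # Pass a copied wtmp/btmp path; with no argument the constructed sample is audited.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for r in parse_utmp(blob):
        when = datetime.fromtimestamp(r["sec"], tz=timezone.utc)
        print(f'{r["offset"]:>8} type={r["type"]} {r["user"]:<12} {r["host"]:<16} {when}')
    for off, kind, detail in audit_utmp(parse_utmp(blob)):
        print(f"[{kind}] offset {off}: {detail}")
```

On a live system `last -f` on the same copy gives a second opinion, and comparing the newest record's time with the file's own mtime is the next timestamp check to run.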
May 19
1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory - you can copy them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:

/proc/<PID>/cmdline

This screenshot shows the cmdline used for the memfd_create() reverse shell. There are a lot of other interesting things you can also review in /proc/PID
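Added hunting script for the two indicators in this thread (my code, not the author's): it walks /proc, reads each pid's exe link, and reports targets ending in "(deleted)" or carrying the memfd: prefix, along with the cmdline. The fake /proc tree it can build for itself is constructed test data; pids you cannot read (other users' processes without root, or processes that exited mid-scan) are skipped rather than treated as findings.

```python
"""Hunt for processes whose backing binary is gone from disk (added example).

Implements the checks from the thread: /proc/<pid>/exe resolving to a
"(deleted)" path, and the "memfd:" prefix left by memfd_create() abuse.
The fake /proc tree built below is constructed test data only.
"""
import os
import tempfile
from pathlib import Path


def classify_exe_link(target: str):
    """Label a readlink(/proc/<pid>/exe) result: 'memfd', 'deleted', or None."""
    if target.startswith("/memfd:") or target.startswith("memfd:"):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "deleted"
    return None


def read_cmdline(pid_dir: Path) -> list:
    """argv of the process, split on the NUL separators /proc uses."""
    try:
        raw = (pid_dir / "cmdline").read_bytes()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def scan_proc(proc_root="/proc") -> list:
    """One finding per suspicious pid; unreadable pids (EPERM, exited) are skipped."""
    findings = []
    for pid_dir in sorted(Path(proc_root).iterdir()):
        if not pid_dir.name.isdigit():
            continue
        try:
            target = os.readlink(pid_dir / "exe")
        except OSError:
            continue
        label = classify_exe_link(target)
        if label:
            findings.append({"pid": int(pid_dir.name), "label": label,
                             "exe": target, "cmdline": read_cmdline(pid_dir)})
    return findings


def build_sample_proc() -> str:
    """Constructed /proc look-alike: a benign pid, a deleted-binary pid, a memfd pid."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    for pid, exe, argv in [
        (1, "/usr/bin/sleep", ["sleep", "60"]),
        (1234, "/tmp/constructed-sample (deleted)", ["./constructed-sample", "-c"]),
        (4321, "/memfd:constructed (deleted)", ["./constructed-mem"]),
    ]:
        d = root / str(pid)
        d.mkdir()
        os.symlink(exe, d / "exe")          # dangling symlink is fine for readlink()
        (d / "cmdline").write_bytes(b"\x00".join(a.encode() for a in argv) + b"\x00")
    (root / "self").mkdir()                 # non-numeric entry, must be ignored
    return str(root)


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f['pid']:>7} [{f['label']}] {f['exe']}  cmdline={f['cmdline']}")
```

Run it as root to see every process; to preserve a hit, copy /proc/<PID>/exe out while the process is still alive, as the thread says, because the link stops resolving once the process exits.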
Apr 28
1\ How to detect file timestomping 👀

APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈

Did you also know it's possible to timestomp $FN time?

👇👇 BLOG & TL;DR BELOW 👇👇

bit.ly/3KsX1ua
2\ Most IR analysts are taught to detect timestomping using two methods:

> Compare $FN vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds

These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!
3\ Why should you care?

Most forensic courses teach these 2 detections without introducing more variables. A lot of analysts treat what they are taught as the "bible" without questioning it and when it comes to detecting these anomalies... critical evidence may be missed.