Write-up for 2 forensics challenges at THCon : https://cryptax.github.io/thcon2026-breach/

#THcon #CTF #LUKS #forensics

THCon 2026 - Forensics Challenges

Don’t forget to lock

This is the first challenge of the Forensics category.

We seized a suspect's computer and managed to capture a RAM dump before it was powered off, along with an encrypted disk. Your objective is to decrypt the drive.

We get a chall.tar.gz

Solving the challenge

The tar.gz contains 2 files: an ELF and a raw:

drwxr-xr-x aurel/aurel          0 2026-03-09 16:46 files/
-rw-r--r-- aurel/aurel 1072693248 2026-03-09 16:46 files/disk.
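The challenge statement above (a RAM dump plus an encrypted disk, tagged #LUKS) reduces to two triage steps a practitioner performs before anything else: read the LUKS header to learn the version, cipher and key size, and check any candidate key material carved from memory against the digest the header stores for the volume key. The block below is an added example of those two steps written for this post; it is not code from the THCon write-up, and the write-up's own method is not reproduced here. Field offsets follow the LUKS1 and LUKS2 on-disk formats; `VOLUME_KEY`, `_SALT` and the two `build_luks*_header()` helpers are constructed test data (a real LUKS2 header also carries a checksum over the JSON area, which this example neither computes nor validates).

```python
import base64
import hashlib
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(data: bytes) -> dict:
    """Parse the binary LUKS1 / LUKS2 header found at the start of a device image."""
    if len(data) < 4096 or data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0 (detached header, or not LUKS at all)")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        payload_sectors, key_bytes = struct.unpack(">II", data[104:112])
        return {
            "version": 1,
            "cipher": f"{_cstr(data[8:40])}-{_cstr(data[40:72])}",
            "hash": _cstr(data[72:104]),
            "key_bytes": key_bytes,
            "payload_offset": payload_sectors * 512,        # field counts 512-byte sectors
            "mk_digest": data[112:132],
            "mk_salt": data[132:164],
            "mk_iterations": struct.unpack(">I", data[164:168])[0],
            "uuid": _cstr(data[168:208]),
        }
    if version == 2:
        hdr_size = struct.unpack(">Q", data[8:16])[0]
        if len(data) < hdr_size:
            raise ValueError(f"LUKS2 header is {hdr_size} bytes; read at least that much")
        # JSON metadata follows the 4 KiB binary area and is NUL-padded to hdr_size.
        meta = json.loads(data[4096:hdr_size].split(b"\x00", 1)[0])
        segment = meta["segments"]["0"]
        return {
            "version": 2,
            "label": _cstr(data[24:72]),
            "cipher": segment["encryption"],
            "key_bytes": max(ks["key_size"] for ks in meta["keyslots"].values()),
            "payload_offset": int(segment["offset"]),
            "digests": meta["digests"],
            "uuid": _cstr(data[168:208]),
        }
    raise ValueError(f"unsupported LUKS version {version}")


def verify_volume_key(hdr: dict, candidate: bytes) -> bool:
    """True if `candidate` (e.g. carved from the RAM dump) is the volume (master) key."""
    if len(candidate) != hdr["key_bytes"]:
        return False
    if hdr["version"] == 1:
        dk = hashlib.pbkdf2_hmac(hdr["hash"], candidate, hdr["mk_salt"], hdr["mk_iterations"], 20)
        return dk == hdr["mk_digest"]
    for d in hdr["digests"].values():
        if d["type"] != "pbkdf2":
            continue
        salt, digest = base64.b64decode(d["salt"]), base64.b64decode(d["digest"])
        if hashlib.pbkdf2_hmac(d["hash"], candidate, salt, d["iterations"], len(digest)) == digest:
            return True
    return False


# --- constructed test headers (not real volumes; the LUKS2 checksum field is left zero) ---
VOLUME_KEY = bytes(range(64))          # constructed 512-bit key (aes-xts-plain64 uses two 256-bit halves)
_SALT = b"\x5a" * 32
_ITER = 1000


def build_luks1_header(key: bytes = VOLUME_KEY) -> bytes:
    hdr = LUKS_MAGIC + struct.pack(">H", 1)
    hdr += b"aes".ljust(32, b"\x00") + b"xts-plain64".ljust(32, b"\x00") + b"sha256".ljust(32, b"\x00")
    hdr += struct.pack(">II", 4096, len(key))                       # payload offset (sectors), key bytes
    hdr += hashlib.pbkdf2_hmac("sha256", key, _SALT, _ITER, 20) + _SALT + struct.pack(">I", _ITER)
    hdr += b"2f1d8c4e-1111-4111-8111-111111111111".ljust(40, b"\x00")
    return hdr.ljust(4096, b"\x00")


def build_luks2_header(key: bytes = VOLUME_KEY, hdr_size: int = 8192) -> bytes:
    digest = hashlib.pbkdf2_hmac("sha256", key, _SALT, _ITER, 32)
    meta = {
        "keyslots": {"0": {"type": "luks2", "key_size": len(key)}},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "encryption": "aes-xts-plain64", "sector_size": 512}},
        "digests": {"0": {"type": "pbkdf2", "hash": "sha256", "iterations": _ITER,
                          "salt": base64.b64encode(_SALT).decode(),
                          "digest": base64.b64encode(digest).decode()}},
    }
    binary = LUKS_MAGIC + struct.pack(">HQQ", 2, hdr_size, 1)       # version, hdr_size, seqid
    binary += b"evidence".ljust(48, b"\x00") + b"sha256".ljust(32, b"\x00") + b"\x00" * 64
    binary += b"2f1d8c4e-2222-4222-8222-222222222222".ljust(40, b"\x00")
    return (binary.ljust(4096, b"\x00") + json.dumps(meta).encode()).ljust(hdr_size, b"\x00")
```

On a real image, read the first 16 MiB of the raw disk (the default LUKS2 header size) and pass it to `parse_luks_header()`; the returned `key_bytes` tells you how long the blob you are looking for in the RAM dump must be, and `verify_volume_key()` confirms a hit without touching any keyslot passphrase.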


----------------


Opening: The announcement describes a free webinar titled “Digital Forensics: Basic Linux Analysis After Data Exfiltration — Hackers Arise” scheduled for February 13, 2026. The core narrative emphasizes that intrusions often present as an adversary already resident in an environment rather than beginning with an obvious malware drop.

Technical Details: The event framing indicates a focus on post-exfiltration Linux analysis. Topics implied by the title and tagline include identification of forensic artifacts left after data exfiltration, methods to examine Linux hosts for traces of adversary activity, and investigator-centric techniques for reconstructing actions when initial compromise is not observable. The announcement explicitly centers on the concept that adversaries can be present before any exploit or payload execution.

Analysis: Framing investigations around the “adversary-inside” perspective shifts attention to persistence mechanisms, lateral movement artifacts, evidence of data staging and egress, and gaps in audit/visibility that enable prolonged dwell time. While the announcement does not list IoCs or specific tools, it signals an emphasis on host-level evidence collection and reasoning about timelines and artifact correlation on Linux systems.

Detection: Although the source does not provide detection signatures, the webinar’s scope suggests discussion of detection opportunities such as anomalous outbound connections, unusual file access patterns, unexpected scheduled jobs or services, and forensic indicators in system logs and memory snapshots.

Implications for IR practitioners: The stated narrative reinforces the need to treat post-exfiltration analysis as a distinct investigative discipline with its own priorities—establishing a timeline, locating exfiltration vectors, and validating whether data staging or covert channels were used.

Limitations: The announcement is a webinar summary and does not publish technical IoCs, ATT&CK IDs, or tooling details. Attendees should expect conceptual framing and case-oriented walkthroughs rather than a repository of signatures.

References: Event title and date as published by the organizers: “Digital Forensics: Basic Linux Analysis After Data Exfiltration — Hackers Arise”, Feb 13, 2026.

🔹 digitalforensics #linux #incidentresponse #dataexfiltration #forensics

🔗 Source: https://hackers-arise.com/digital-forensics-basic-linux-analysis-after-data-exfiltration/

⚠️ Levels of Transparency in OSINT 🔥 https://www.reydes.com/e/Niveles_de_Transparencia_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint
⚠️ Record Everything in OSINT 🔥 https://www.reydes.com/e/Registrar_Todo_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint

MalChela v4.1: Mac Malware Analysis Arrives

MalChela v4.1 is out today, and the headline is something I’ve been wanting to tackle for a while: dedicated Mac malware analysis tooling. If you’ve been following the channel or the blog, you know MalChela started as a triage-first toolkit aimed at the kinds of samples that show up in Windows-centric IR engagements. That coverage was never the full picture. Mac malware — infostealers, adware loaders, APT implants — has become too common to treat as an edge case. v4.1 is the start at addressing that directly.

New Tools: Mac Analysis

Three new tools land in this release, each targeting a different layer of Mac binary analysis. All three are available in the PWA under the Mac Analysis heading, accessible via CLI shortcodes, and included in the release scripts.

codesign_check (cs)

macOS code signatures are one of the first things worth checking on any suspicious binary. codesign_check accepts either an .app bundle or a bare Mach-O and reports signature status (Developer-signed, Ad-hoc, or Unsigned), Bundle ID, Team ID, and entitlement presence — including the get-task-allow flag that marks debug and development builds. It also verifies the _CodeSignature/ and CodeResources directory structure.

Indicators flagged: missing CMS blob, CS_ADHOC flag, absent Team ID, and get-task-allow entitlement. FileMiner now suggests Code Sign Check automatically for all Mach-O files in a scan. (Planned feature: adding a certificate revocation check).

plist_analyzer (pa)

Parses macOS .plist files and .app bundle Info.plist for static malware indicators. This release includes four new detections:

  • LSUIElement / NSUIElement = true — app runs as a hidden background agent with no Dock icon. Both the modern LSUIElement and legacy NSUIElement (integer 1) forms are now detected, covering older macOS malware that used the pre-Sierra key.
  • NSAllowsArbitraryLoads = true — App Transport Security disabled, a classic C2 channel indicator.
  • CFBundleURLTypes with custom URL schemes — flags non-standard scheme registrations used for persistence or inter-process communication.
  • CFBundleSignature = ‘????’ — no creator code set, common in unsigned tools and malware.
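The four plist detections above are simple enough to express as a stand-alone checker. The block below is an added example written for this post, not MalChela's plist_analyzer source: it parses an Info.plist (XML or binary, via the standard library) and reports each of the four indicators, including the legacy integer form of NSUIElement. The `STANDARD_SCHEMES` allowlist used to decide what counts as a "non-standard" URL scheme, and the two sample plists, are this example's own assumptions and constructed inputs.

```python
import plistlib

# URL schemes a normal app may register without suspicion (assumption for this example).
STANDARD_SCHEMES = {"http", "https", "mailto", "tel", "file", "ftp", "sms", "facetime", "maps"}


def _is_true(value) -> bool:
    """Treat <true/>, integer 1 and the strings "1"/"YES"/"true" as set."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    return isinstance(value, str) and value.strip().lower() in {"1", "yes", "true"}


def analyze_info_plist(data: bytes) -> list:
    """Return the static indicators found in an Info.plist, in detection order."""
    plist = plistlib.loads(data)
    findings = []

    # 1. Hidden background agent: modern LSUIElement or legacy NSUIElement (integer 1).
    for key in ("LSUIElement", "NSUIElement"):
        if _is_true(plist.get(key)):
            findings.append({"key": key, "value": plist[key],
                             "note": "runs without a Dock icon (hidden background agent)"})

    # 2. App Transport Security disabled. Apple defines the flag inside the
    #    NSAppTransportSecurity dict; a top-level copy is checked as well.
    ats = plist.get("NSAppTransportSecurity") or {}
    if _is_true(ats.get("NSAllowsArbitraryLoads")) or _is_true(plist.get("NSAllowsArbitraryLoads")):
        findings.append({"key": "NSAllowsArbitraryLoads", "value": True,
                         "note": "cleartext/untrusted HTTP allowed (possible C2 channel)"})

    # 3. Custom URL scheme registrations (persistence / IPC trigger).
    for entry in plist.get("CFBundleURLTypes", []):
        for scheme in entry.get("CFBundleURLSchemes", []):
            if scheme.lower() not in STANDARD_SCHEMES:
                findings.append({"key": "CFBundleURLTypes", "value": scheme,
                                 "note": "non-standard URL scheme registered"})

    # 4. No creator code set.
    if plist.get("CFBundleSignature") == "????":
        findings.append({"key": "CFBundleSignature", "value": "????",
                         "note": "no creator code (common in unsigned tools and malware)"})
    return findings


# Constructed sample plists (not taken from any real sample).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.updater</string>
    <key>CFBundleSignature</key><string>????</string>
    <key>NSUIElement</key><integer>1</integer>
    <key>NSAppTransportSecurity</key>
    <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
    <key>CFBundleURLTypes</key>
    <array><dict><key>CFBundleURLSchemes</key><array><string>updhelper</string></array></dict></array>
</dict>
</plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.editor</string>
    <key>CFBundleSignature</key><string>EDTR</string>
    <key>LSUIElement</key><false/>
    <key>CFBundleURLTypes</key>
    <array><dict><key>CFBundleURLSchemes</key><array><string>https</string></array></dict></array>
</dict>
</plist>"""
```

Running `analyze_info_plist(SUSPICIOUS_PLIST)` yields four findings in the order of the list above, while the benign bundle yields none; on a real bundle, feed it the bytes of `Contents/Info.plist`.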

macho_info (mo)

Parses thin and fat/universal Mach-O binaries and reports: architecture, linked libraries, section entropy, symbol status, RPATH entries, __PAGEZERO integrity, and PIE/ASLR flags.

This release also adds deprecated crypto library detection: macho_info now flags linkage against end-of-life OpenSSL libraries (libcrypto.0.9.8, libssl.0.9.8, and variants). There’s no legitimate reason for a modern binary to link these; flag it and investigate further.
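MalChela's own parser is not on the page, so the following is an added example written for this post that shows where three of the fields macho_info reports come from: the architecture from the header's cputype, the MH_PIE flag in the header flags, and the LC_LOAD_DYLIB / LC_RPATH load commands, which is also where the end-of-life OpenSSL check is decided. It handles thin and fat/universal images. The `build_macho64()` and `build_fat()` helpers construct header-only images for the demonstration; they are not real binaries and not MalChela code.

```python
import struct

MH_MAGIC_64, MH_CIGAM_64, MH_MAGIC, MH_CIGAM = 0xFEEDFACF, 0xCFFAEDFE, 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE            # big-endian; note that Java .class files share this magic
MH_PIE = 0x00200000               # mach_header.flags bit: ASLR-capable executable
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0x0C, 0x80000018, 0x8000001C
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386", 0x0000000C: "arm"}
EOL_OPENSSL = ("libcrypto.0.9.8", "libssl.0.9.8")   # end-of-life OpenSSL library names


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_thin(data: bytes) -> dict:
    """Parse one Mach-O header and walk its load commands."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        end = "<"                                   # file is little-endian
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        end = ">"                                   # byte-swapped (big-endian) file
    else:
        raise ValueError("not a Mach-O header")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    cputype, _sub, _ftype, ncmds, _sizeofcmds, flags = struct.unpack_from(end + "6I", data, 4)
    off = 32 if is64 else 28                        # mach_header_64 has a trailing reserved field
    dylibs, rpaths = [], []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError(f"corrupt load command at {off:#x}")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from(end + "I", data, off + 8)[0]   # dylib.name offset
            dylibs.append(_cstr(data[off + name_off:off + cmdsize]))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from(end + "I", data, off + 8)[0]   # rpath.path offset
            rpaths.append(_cstr(data[off + path_off:off + cmdsize]))
        off += cmdsize
    return {
        "arch": CPU_NAMES.get(cputype, f"cpu:{cputype:#x}"),
        "bits": 64 if is64 else 32,
        "pie": bool(flags & MH_PIE),
        "dylibs": dylibs,
        "rpaths": rpaths,
        "eol_openssl": [d for d in dylibs if any(e in d for e in EOL_OPENSSL)],
    }


def macho_info(data: bytes) -> dict:
    """Report every slice of a thin or fat/universal Mach-O."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):                       # fat_arch entries are 20 bytes, big-endian
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(parse_thin(data[offset:offset + size]))
        return {"fat": True, "slices": slices}
    return {"fat": False, "slices": [parse_thin(data)]}


# --- constructed inputs: header-only images, not runnable binaries and not MalChela data ---
def _lc(cmd: int, body: bytes) -> bytes:
    size = (8 + len(body) + 7) // 8 * 8             # load commands are 8-byte aligned
    return struct.pack("<II", cmd, size) + body.ljust(size - 8, b"\x00")


def build_macho64(cputype: int = 0x01000007, flags: int = MH_PIE, dylibs=(), rpaths=()) -> bytes:
    # dylib_command: name offset 24 (after cmd, cmdsize, name, timestamp, current/compat version)
    cmds = [_lc(LC_LOAD_DYLIB, struct.pack("<IIII", 24, 2, 0x10000, 0x10000) + d + b"\x00") for d in dylibs]
    cmds += [_lc(LC_RPATH, struct.pack("<I", 12) + r + b"\x00") for r in rpaths]   # path offset 12
    body = b"".join(cmds)
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, len(cmds), len(body), flags, 0) + body


def build_fat(slices) -> bytes:
    offset, entries, blobs = 8 + 20 * len(slices), b"", b""
    for s in slices:
        cpu = struct.unpack_from("<I", s, 4)[0]
        entries += struct.pack(">5I", cpu, 3, offset, len(s), 0)
        blobs += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + blobs
```

For a real file, `macho_info(open(path, "rb").read())` is enough; a non-empty `eol_openssl` list on any slice is the condition the release notes say to flag, and an x86_64 slice without `pie` set is worth a second look on a supposedly modern build.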

mStrings — Mac Tuning

Running mStrings against Mach-O binaries previously produced a lot of noise: ObjC runtime stubs, Swift mangled symbols, and Apple system library paths that add volume without adding signal. A new is_objc_swift_noise() filter suppresses these categories:

  • _objc_* runtime stubs
  • @_* import stubs (including @_LSSharedFileList*, which was previously surfacing as false-positive filesystem IOCs)
  • Swift mangled symbols (_$s*, _T0*, swift_*)
  • Apple system dylib paths under /System/Library/Frameworks/ and /usr/lib/swift/
  • ObjC type encoding strings

Alongside the noise filter, 12 new Mac-specific MITRE detection rules have been added to detections.yaml:

Rule                               Technique
MacLaunchAgentDaemonPersistence    T1543.001
MacLoginItemPersistence            T1547.015
MacShellProfileInjection           T1546.004
MacCronJobPersistence              T1053.003
MacDylibInjection                  T1574.006
MacKeychainAccess                  T1555.001
MacAppleScriptExecution            T1059.002
MacUnixShellExecution              T1059.004
MacPrivilegeEscalation             T1548.004
MacSystemDiscovery                 T1082
MacSandboxVMEvasion                T1497.001
MacSensitiveFileAccess             T1005

Mac path extraction also gets a dedicated regex: re_mac_path captures filesystem IOCs in Mac-style paths (.sh, .py, .dylib, .plist, .app, .pkg, .command) under /Users/, /Library/, /tmp/, and related directories.
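The noise filter and the path regex are easiest to understand side by side on a strings dump. The block below is an added example written for this post, not MalChela's is_objc_swift_noise() or re_mac_path: it implements one pattern per noise category listed above and a Mac path extractor limited to the listed extensions. The exact regexes, the choice of /Applications, /private and /var as "related directories", and the sample strings are this example's own approximations and constructed input.

```python
import re

# One pattern per noise category in the release notes (approximations for this example).
NOISE_PATTERNS = [
    re.compile(r"^_objc_"),                                          # ObjC runtime stubs
    re.compile(r"^@_"),                                              # import stubs, e.g. @_LSSharedFileList*
    re.compile(r"^(?:_\$s|_T0|swift_)"),                             # Swift 5 / Swift 4 mangling, swift runtime
    re.compile(r"^/(?:System/Library/Frameworks|usr/lib/swift)/"),  # Apple system dylib paths
    re.compile(r"^[^\s/]*@0:8"),                                     # ObjC method type encodings like v16@0:8
]

# Mac-style filesystem IOCs: interesting roots plus the extensions of interest.
# /Applications, /private and /var are added as "related directories" (assumption).
RE_MAC_PATH = re.compile(
    r"(?<!\w)(/(?:Users|Library|tmp|private|var|Applications)/[A-Za-z0-9_.@~/-]+?"
    r"\.(?:sh|py|dylib|plist|app|pkg|command))(?![A-Za-z0-9_.-])"
)


def is_objc_swift_noise(s: str) -> bool:
    """True for strings that add volume but no signal on Mach-O binaries."""
    return any(p.search(s) for p in NOISE_PATTERNS)


def filter_strings(strings):
    return [s for s in strings if not is_objc_swift_noise(s)]


def extract_mac_paths(strings):
    """Unique Mac-style paths with an interesting extension, sorted."""
    return sorted({m.group(1) for s in strings for m in RE_MAC_PATH.finditer(s)})


# Constructed strings output (not from a real sample); the first nine are noise.
SAMPLE_STRINGS = [
    "_objc_msgSend",
    "_objc_retain",
    "@_LSSharedFileListCreate",
    "_$s10Foundation4DataV",
    "_T0SS",
    "swift_retain",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/usr/lib/swift/libswiftCore.dylib",
    "v16@0:8",
    "/Users/Shared/.update.sh",
    "/Library/LaunchAgents/com.example.agent.plist",
    "/tmp/.x/payload.dylib",
    "osascript -e 'do shell script'",
    "/Applications/Installer.app/Contents/MacOS/installer",
]
```

Note the lookbehind on the path regex: without it, `/System/Library/Frameworks/...` would yield a spurious `/Library/...` hit even if the noise filter were skipped, and the `.app` match stops at the bundle boundary rather than swallowing the rest of `Contents/MacOS/installer`.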

FileMiner — Session Persistence

FileMiner scan results now persist across browser close and refresh. Results, the analyzed path, and the set of executed sub-tools survive in localStorage automatically. On each scan, a session.json is also written server-side to saved_output/fileminer/ — or to the active case folder under saved_output/cases/<case>/fileminer/ when Save to Case is checked.

A Load Session button in the FileMiner options bar opens a file browser pre-navigated to the correct session directory. Selecting a session.json restores the full results table and re-populates the path input. As in the previous GUI, FileMiner now tracks tool runs for suggested tools (green indicates that a tool report has already been generated).

MalChela v4.1 is available now on GitHub. As I said, this is just the start of macOS malware support. I’m looking forward to taking this much further.

#DFIR #Forensics #macos #MalChela #Malware
⚠️ How to Document in OSINT 🔥 https://www.reydes.com/e/Como_Documentar_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint

Looking forward to getting my copy of Ungrounding - The Architecture of Genocide, a new book from Eyal Weizman, Director of Forensic Architecture. It's out for release on the 7th.

https://www.penguin.co.uk/books/463141/ungrounding-by-weizman-eyal/9781911717331

#palestine #israel #books #forensics #architecture

Ungrounding

Eyal Weizman is one of the world’s leading experts on the relationship between violence, conflict and the environment, both built and natural. As director of the organisation Forensic Architecture, he and his team of interdisciplinary researchers document acts of state crimes and human rights violations around the world. Since 2023, the group has worked to produce evidence for the International Court of Justice’s genocide case against Israel. In this revelatory new project, Weizman draws on that research to bring us on an eye-opening journey across time and into the 'deep cartography' of the area extending from Gaza’s subterranean tunnels through to its militarised topography, its unique soil, settlements and barriers. He catalogues, in unflinching and forensic detail, the Israeli campaigns of violence and displacement that have reshaped the region in an effort to make Gaza and its surrounding areas unliveable. Taking us through the broader geographic and historical context, from the Nakba in 1948 to the present day, Ungrounding establishes that architectural and territorial analysis is key to understanding the relationship between coloniser and colonised – and how Israel’s actions after 7 October escalated into violence so extreme and so far-reaching as to, Weizman argues, meet the definition of genocide. Deeply informative and profoundly affecting in its scope and precision, and illustrated with dozens of original images, maps and diagrams, Ungrounding is an essential document of atrocity in our time.

⚠️ The Importance of Annotations in OSINT (Part II) 🔥 https://www.reydes.com/e/Importancia_de_las_Anotaciones_en_OSINT_Parte_II #cybersecurity #hacking #redteam #forensics #dfir #osint