JPCERT/CC - JSAC2026 Day 2 Highlights

The second installment of JSAC2026 reports introduces presentations delivered during Day 2. Minoru Kobayashi presented an approach for inferring file operations and reconstructing them as a timeline based on the journal structures and analysis methods of the ext4 and XFS file systems. Through a demonstration of the journal analysis tool FJTA (Forensic Journal Timeline Analyzer), developed for this purpose, the presentation highlighted the effectiveness of journal analysis in complementing conventional timeline analysis, even in situations where timestamps cannot be considered reliable.

Specifically, MACB timestamps represent only a snapshot at the time of disk acquisition and, by design, cannot reflect multiple historical operations or manipulations such as timestomping. The presentation then provided an overview of the structures and analysis methods of ext4 and XFS journals, demonstrating how metadata modification records stored on a per-transaction basis can be used to infer operations such as file creation and deletion, and to reconstruct them chronologically. In conclusion, it was emphasized that file system journals constitute highly reliable forensic artifacts that are difficult to tamper with. For incident response, it was recommended that journal data be collected as a priority immediately after acquiring a memory image, ahead of block device analysis and standard file collection.
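To make the approach concrete, the following is an added example (not code from the presentation or from FJTA) that models a journal as a sequence of committed transactions, each carrying the inode metadata records written in that transaction. Diffing an inode against its previously journaled copy yields inferred operations (create, modify, link, delete, and a timestomp indicator), emitted in commit order as a timeline. Everything in it is assumed for illustration: the `InodeRecord`, `Transaction` and `Event` types, the inference rules, and the constructed sample journal; it does not parse the real ext4 (jbd2) or XFS on-disk journal formats.

```python
"""Journal-diff timeline reconstruction: a simplified, constructed model.

A file-system journal is modelled as an ordered list of committed transactions,
each carrying the inode (metadata) records written in that transaction. Diffing
an inode against its previous journaled state yields inferred operations, which
are emitted in commit order as a timeline. Illustrative only: this is not a
parser for the real ext4/XFS on-disk journal formats and not FJTA's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class InodeRecord:
    """One journaled copy of an inode (subset of fields; values are constructed)."""
    inode: int
    nlink: int   # link count; 0 means the inode has been unlinked
    size: int
    atime: int   # epoch seconds (constructed)
    mtime: int   # data modification time; user-settable via utimes()/touch
    ctime: int   # inode change time; the kernel sets it, utimes() cannot
    crtime: int  # creation ("birth") time


@dataclass(frozen=True)
class Transaction:
    seq: int            # journal commit sequence number
    commit_time: int    # commit timestamp (constructed)
    records: List[InodeRecord]


@dataclass(frozen=True)
class Event:
    seq: int
    time: int
    inode: int
    operation: str
    detail: str


def diff_inode(prev: Optional[InodeRecord], cur: InodeRecord,
               txn: Transaction) -> List[Event]:
    """Infer operations from one inode's previous and current journaled copies."""
    def ev(op: str, detail: str) -> Event:
        return Event(txn.seq, txn.commit_time, cur.inode, op, detail)

    if prev is None:
        # First appearance in the journal with a live link count: creation.
        return [ev("CREATE", f"crtime={cur.crtime}")] if cur.nlink > 0 else []
    if prev.nlink > 0 and cur.nlink == 0:
        return [ev("DELETE", f"size before unlink={prev.size}")]

    events: List[Event] = []
    if cur.size != prev.size or cur.mtime > prev.mtime:
        events.append(ev("MODIFY", f"size {prev.size}->{cur.size}, "
                                   f"mtime {prev.mtime}->{cur.mtime}"))
    # Timestomp indicator: mtime moved backwards while ctime still advanced.
    # A final-state MACB snapshot would only show the backdated mtime.
    if cur.mtime < prev.mtime and cur.ctime > prev.ctime:
        events.append(ev("TIMESTOMP?", f"mtime {prev.mtime}->{cur.mtime}, "
                                       f"ctime {prev.ctime}->{cur.ctime}"))
    if cur.nlink > prev.nlink:
        events.append(ev("LINK", f"nlink {prev.nlink}->{cur.nlink}"))
    return events


def reconstruct_timeline(journal: List[Transaction]) -> List[Event]:
    """Replay transactions in commit order, diffing each inode against its last copy."""
    last_seen: Dict[int, InodeRecord] = {}
    timeline: List[Event] = []
    for txn in sorted(journal, key=lambda t: t.seq):
        for rec in txn.records:
            timeline.extend(diff_inode(last_seen.get(rec.inode), rec, txn))
            last_seen[rec.inode] = rec
    return timeline


def final_snapshot(journal: List[Transaction]) -> Dict[int, InodeRecord]:
    """What a point-in-time MACB view sees: only each inode's last journaled state."""
    return {rec.inode: rec
            for txn in sorted(journal, key=lambda t: t.seq) for rec in txn.records}


# Constructed journal: inode 12 is created, written, backdated, then unlinked;
# inode 13 is created and left alone.
SAMPLE_JOURNAL = [
    Transaction(101, 1000, [InodeRecord(12, 1, 0, 1000, 1000, 1000, 1000)]),
    Transaction(102, 1100, [InodeRecord(12, 1, 4096, 1000, 1100, 1100, 1000),
                            InodeRecord(13, 1, 64, 1100, 1100, 1100, 1100)]),
    Transaction(103, 1200, [InodeRecord(12, 1, 4096, 500, 500, 1200, 1000)]),
    Transaction(104, 1300, [InodeRecord(12, 0, 0, 500, 500, 1300, 1000)]),
]

if __name__ == "__main__":
    for e in reconstruct_timeline(SAMPLE_JOURNAL):
        print(f"seq={e.seq} t={e.time} inode={e.inode} {e.operation}: {e.detail}")
    print("final MACB view of inode 12:", final_snapshot(SAMPLE_JOURNAL)[12])
```

Running it on the constructed journal recovers five events for what the final inode state alone shows as a single unlinked inode with a backdated mtime: the snapshot view (`final_snapshot`) reports only `mtime=500, nlink=0`, while the journal replay exposes the original creation time, the write that grew the file, the backdating (flagged because ctime advanced while mtime went backwards), and the deletion. The ctime rule is the one worth remembering: utimes() cannot set ctime, so a backwards mtime paired with a forward ctime in consecutive journal copies is a strong timestomp indicator.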

Shadow Liu, Lime Chen, and Albert Song presented an analysis of the phishing campaign “CoGUI,” which targets numerous Japanese brands in the financial, transportation, and government service sectors, and of the China-based Phishing-as-a-Service (PhaaS) platform “FishingMaster (垂钓大师)” behind its operations. The session demonstrated that CoGUI is operated through FishingMaster. Because the platform has promoted and distributed its services through closed channels, its operations had long remained largely unknown. It was further explained that, following media coverage in 2025, the operators temporarily suspended their activities but later resumed operations under rebranded names such as NX and FA. In doing so, they enhanced operational security by further concealing infrastructure, encrypting communications, and strengthening detection evasion capabilities. For defenders, the importance of identifying characteristic URL and API patterns, tracking related infrastructure, and conducting proactive threat hunting was emphasized.

Additionally, Masaomi Masumoto presented methods for building phishing admin panels and their functionalities, against the backdrop of the growing prevalence of Phishing-as-a-Service (PhaaS). In recent implementations, these panels allow operators to create and configure phishing sites, manage stolen information, configure cloaking settings, manage domains, and even bypass one-time passwords. The panels are designed for rapid deployment and removal through the use of Docker and automated installation scripts, prioritizing immediacy and efficiency over persistence. Furthermore, through case studies such as “CoGUI” and “Oriental Gudgeon,” the presentation demonstrated that PhaaS infrastructure relies heavily on a limited set of specific URLs or domains. Given this high level of dependency, it was pointed out that blocking those particular URLs or domains could potentially disrupt the operation of the service as a whole. In conclusion, it was emphasized that effective phishing countermeasures require addressing not only individual phishing sites but also identifying and taking down the admin panels themselves.

This post is licensed under CC BY 4.0 by the author.