Windows Incident Response

More Timeline Creation Techniques

2009-11-25T18:50:00.000-05:00

Some of you may have seen (or be using) the timeline tools I released within the Win4n6 Yahoo group and included in my most recent Hakin9 article on Windows Timeline Analysis. If you've taken a look at the tools, you'll notice that I have some tools available for parsing Event Logs from Windows 2000, XP, and 2003 (i.e., .evt files) into the timeline (TLN) format I use. However, there's nothing there, at the moment, for parsing Windows Event Log/.evtx files from Vista, Windows 2008, or Windows 7.

A quick look around showed me that there weren't many free (as in beer) tools for parsing .evtx files. Andreas Schuster has done a good deal of work in this area, has picked apart some of the .evtx data types, and made some tools and an article on the subject available. However, these tools are somewhat limited due to the nature of the new .evtx file format.

Then along came LogParser...freely available from MS and extremely flexible. There are a number of sites available that are dedicated to or include the use of LogParser, and there's even a GUI or two available. However, that's a bit beyond what we're going to talk about at the moment.

You can download the Logparser.msi file from MS and install it, and then copy the files from the installation folder to a thumb drive or CD, making the tool available for live incident response activities. What this means is that you now have a platform-independent means for extracting event records from Windows systems. Using this command:

E:\>logparser -i:evt -o:csv "Select * from System" > %ComputerName%-system.csv

...will do the same thing on Windows XP as it will on Vista or Windows 2008. Now, you have a nice comma-separated value file that you can open in Excel or parse with Perl, and include the entries in a timeline.

Okay, that's live response...what about post-mortem analysis? Well, it turns out that there's a couple of ways you can go on this issue. The first is to have a VM available for each version of Windows, or at least one on the Windows XP/2003 side, and one on the Vista/Windows 7 side. For example, you can mount or access an image of a Windows 2008 system on Windows 7 system, extract the .evtx files, and use the following command:

C:\tools>logparser -i:evt -o:csv "Select * from d:\cases\System.evtx" > system.csv

At this point, all you need to do is parse the resulting .csv file...Perl works quite nicely for this.

The other option is to use just Windows 2008 or Windows 7 as your analysis platform, and convert the .evt files to .evtx format using wevtutil.exe.

C:\tools>wevtutil epl AppEvent.evt AppEvent.evtx /lf:true

This gives you the ability to parse both .evt and .evtx formats on the same platform. However, if you're primarily interested in producing a timeline of events, the timeline tools from the Win4n6 Yahoo group contain a Perl script that parses .evt files into TLN format, without relying on the API. Also, the timeline tools for parsing .evt files will be able to extract event records that aren't "seen" by the API.

Even More Linky Goodness...

2009-11-22T17:41:00.002-05:00

Tools
I received an email recently that let me know that the latest version of RevealerToolkit is available, a project from a Barcelona security company. The RVT framework is based on Brian Carrier's TSK tools, and even makes use of some of my code to parse EVT files. More information on RVT is available here. Also, be sure to take a look at the user guide, as well.

Remember when I got p0wned by Intel and MS? Thanks to a blog comment, I was pointed to VMLite, which provides an alternative to MS's XPMode, and without the requirement for hardware virtualization in the CPU. This may definitely be something to take a look at, as virtualization can play pretty important role in forensic analysis in a number of ways. Take a look at packages such as MojoPac and Moka-5, for example.

Rob Lee pointed the GCFA mailing list to RE-Google the other day...this is apparently (quoted) a plugin for the Interactive DisAssembler (IDA) Pro that queries Google Code for information about the functions contained in a disassembled binary. Wow, that sounds pretty cool!

Lance has posted another EnScript, this one to locate Limewire download remnants. This may be pertinent if you're looking at a case involving Limewire or just P2P in general.

Speaking of Lance, I've used the images he has made available for his practicals as examples on a number of occasions; these are excellent resources. However, if you want to work with these practicals as raw dd images (rather than .E0x format), you'll need to convert them using something like FTK Imager. But if you want to mount the EWF/EOx format images and access the files within them, you can use mount_ewf, which Chris has talked about. To do this on Windows, you need to follow these steps (from David Loveall, which Rob Lee so graciously provided to the Win4n6 Yahoo group):

1. Extract the mount_ewf files for Windows into a directory
2. Download and install the Visual Studio runtime files, if you don't already have them
3. Download and install ImDisk

At this point, you should just be able to double-click the E01 file, and tell it Open With... mount_ewf.exe. I'll have to say that I haven't tested this as of yet, but if you've got E0x files you'd like to access, but don't want to have to give up additional space in converting it to raw dd format, this may be an option. P2 Explorer (free) and SmartMount (not free) will also allow you to mount EWF/E0x format images.

Memory Collection and Analysis
An engineer at HBGary recently posted a review of Matthieu's windd tool, based on testing against their own FDPro tool. It's an interesting read...take a look. Here's Matthieu's response, along with some personal notes. I think it's good to see, read, and digest both sides of an issue, and this is definitely worth taking a look at.

On the analysis end of things, Jeff Bryner posted about his FaceBook Memory Forensics tool (ie, pdfbook) on the SANS Forensics Blog recently. Jeff's posted about other tools for parsing memory dumps, and I'm sure that you could use the output of the tool you're using (as opposed to pd.exe, as he mentions in the blog post) to obtain similar results. Looking at the code for pdfbook, as well as the other tools that Jeff's made available, I don't see why they can't be run across unallocated space or the pagefile, for that matter. Another thought might be to give the code the ability to do an EnCase-like preview of X number of bytes on either side of the 'hit' that's been located.

While you're conducting IR or memory analysis activities, Didier's done it again and given us all something new to worry about with SelectMyParent! SMP is a proof-of-concept tool to demonstrate that with the right privileges, you can create a process and designate a parent process for that process. So, instead of running Notepad or Solitaire with your privileges, as a child process of Explorer.exe, you can run it as a child of lsass.exe. And yes, I know what you're thinking...so what? Who's really going to use something like this? Perhaps malware authors...

Print Matter
As a side note from Jeff's post, DFM has it's inaugural issue available...this may be something worth taking a look at. I'd like to see how it compares to Into The Boxes...hopefully, there will be more of a supporting role than competitive.

Along those lines, my second article on timeline analysis is now available in Hakin9 magazine. This one is a hands-on walk-through for using the tools I discuss (and make available via the Win4n6 Yahoo group...go to the Files section) to create a timeline for forensic analysis. I mentioned at an ECTF meeting recently that I have used this technique to great effectiveness. In one instance during a PCI forensic assessment, I was able to narrow down the window of exposure by demonstrating that shortly after the malware was first installed on the system, AV detected and deleted it. In that instance, sources of information included not only the file system metadata and Event Log records, but also AV logs and even information derived from Dr. Watson logs...combining these allowed us to demonstrate that while the malware had been installed, it did not appear to be running at certain times (this malware was not a DLL injected into another process). The two big take-aways from the articles should be that (a) timeline analysis allows you to view events from a system (or several systems) in temporal proximity to each other, and (b) when additional analysis support is required, you can ship off the necessary information for a timeline to another analyst without worrying about exposing sensitive data.

You can also download free Hakin9 articles here.

Correction
I was taken to task by an anonymous poster recently regarding what I've described as a 128-bit timestamp. Apparently, this isn't a timestamp, but rather a SYSTEMTIME structure. I had searched for this, and even been asked by someone from Microsoft about it, but neither of us was able to find a link. So, thanks to Anonymous for sharing this. Apparently, I also stand corrected on how prevalent this structure is within the various versions of Windows, although that's still something of a mystery.

Media
Bret and Ovie have a new CyberSpeak podcast posted...check it out.

Working with Volume Shadow Copies

2009-11-18T18:33:00.000-05:00

To begin with, let me say right up front that most of the information in this post, particularly the latter half, is not something that I developed myself...consider this more of me being a secretary(albeit unpaid) for Rob Lee, Troy Larson, and apparently Jimmy Weg...apparently, these guys all knew about what I'm going to present here well before I started down this road.

That being said, away we go...

Based on something I saw in Troy Larson's presentation at DCC2009 regarding Volume Shadow Copies, I thought I'd try something...I wanted to see if I could mount an image of a Vista system from a Vista system, and access the Volume Shadow Copies within the image.

I started with a Vista Home Edition system and an image of that same system on a USB external HDD. I connected the USB external HDD to the live Vista system and mounted the acquired image with each of several tools. I used ImDisk, SmartMount v1.0.5, the 14 day trial copy of Mount Image Pro, and P2 Explorer.

In each instance I mounted the image as a drive letter, verified that I could access the volume, and ran vssadmin list shadows. In none of the instances did vssadmin recognize the mounted drive as a source of Volume Shadow Copies. Well, I take that back...I didn't even get that far with P2 Explorer...it automatically kicked off its MD5 hashing, and once that was done, reported that the image was corrupt.

Now, Troy had mentioned in his testing that only EnCase PDE will mount an image in a manner through which vssadmin can access Volume Shadow Copies within the image. Okay, well, that's not something I have available at this point.

Now, Troy, Jimmy, and Rob mentioned something in one of the lists recently that seemed interesting...basically, to summarize what was said...if you have a VMWare guest of Vista, for example, and you have an acquired raw/dd image of a Vista system, you can generate at .vmdk file for the image and add it to the Vista VM as a hard drive, and then you can 'see' the Volume Shadow Copies in the acquired image.

So I set out to see if this was something I could replicate. I used ProDiscover to create a .vmdk file for the acquired image (again...Vista Home OS), and I opened VMWare Workstation 6.5. I went to the settings for my Vista Ultimate VM and added the new .vmdk file to the properties for the VM as a hard drive. When I booted the Vista VM and logged in, I could see the acquired image right here as E:\. So far, so good.

I then ran vssadmin, like so:

C:\>vssadmin list shadows /for=e:

Lo and behold, I saw a list of Volume Shadow Copies for the E:\ drive! And yes, the entries for "Originating Machine" corresponded to the name of the system from which the image had been acquired.

The next step was to see if I could create symbolic links using mklink...the short version is that I could, but I could not access them, as I kept getting "The parameter is incorrect" messages. Suffice to say, I even created symbolic links for Volume Shadow Copies from the C:\ drive, and got the same message. It turns out that the issue with mklink is that the trailing \ is absolutely required (something that was also mentioned on the SANS blog). So the command looks like:

C:\>mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy18\

With this, you can then run tools such as RegRipper against the hive files, or copy out selected files for analysis (or better yet, just run your tools to collect the information), etc. Once you're done, you can remove the symbolic link with:

C:\>rd C:\shadow

Before I go on, let me remind you...you MUST have a \ at the end of the Volume Shadow Copy in the mklink command.

Moving on, I downloaded George M. Garner, Jr.'s FAU tools and ran the following command:

C:\tools>dd if=\\.\HarddiskVolumeShadowCopy6 of=g:\shadow6.dd --localwrt

HarddiskVolumeShadowCopy6 is one of the identified Volume Shadow Copies from the E:\ drive. I wanted to acquire an image of the Volume Shadow Copy to an attached USB external drive (G:\), hence the use of the --localwrt switch. For about 10 min, I let the command run, and kept running "dir g:\" from another command prompt, and kept seeing that shadow6.dd was 0 bytes. I stopped the imaging (Ctrl-C) and found that the output file was over 2.5GB! So I then re-ran the command, and just let it run...and it will run for a while, as I'm acquiring from a USB ext HDD to a USB ext HDD.

Here's the results of the 'dd' command:

C:\tools>dd if=\\.\HarddiskVolumeShadowCopy6 of=g:\shadow6_2.dd --localwrt
Copying \\.\HarddiskVolumeShadowCopy6 to g:\shadow6_2.dd
Output: g:\shadow6_2.dd
146526953472 bytes
139738+1 records in
139738+1 records out
146526953472 bytes written

Succeeded!

Now that the acquisition is complete, the next step is to verify the acquired image. Opening the image in FTK Imager, I was able to verify that I had a complete, readable file system. At this point, I can do everything with this image that I would with any other acquired image.

Again, let me remind you that this isn't something I came up with...apparently, others have known about this, I'm just writing it down.

Summary
1. Start with a raw/dd image of Vista or above
2. Create a .vmdk file for the image
3. Add the .vmdk as a hard drive to a VM of a like OS (if image is Vista, use a Vista VM)
4. Boot the VM, use vssadmin to locate VSC's on the image drive (or use WMI to get concise info)
5a. Use mklink to 'mount' the VSC's you're interested in, or...
5b. Acquire the full VSC using dd

Resources
Troy's Vista Forensics Slides (one version, anyway)
Shadow Copies on Wikipedia
Shadow Copy Client
Win32_ShadowCopy WMI Class

It's about time...

2009-11-14T04:24:00.000-05:00

Sometimes you need a tool, and you just don't have one available to do the thing you need done.

Recently, I was doing some analysis, and as part of that was running regslack to see what I could find in the unallocated space of some Registry hive files. Within the hex dump of unallocated space, I could see what appeared to be Registry keys (signature "nk"), but these were in the unallocated space dumps, not as part of deleted keys that had been extracted by Jolanta's regslack tool. I could also see, right there in my editor, what appeared to be a FILETIME date/time stamp. So I had a string that comprised the date/time stamp, but no way to translate it quickly.

So I wrote a tool.

I called this tool Decode64, as I wanted to decode the 64-bit FILETIME objects...but from the starting point of a binary value, the way RegRipper does it. No, I needed to be able to start with a string. So I wrote Decode64 to take a string representing the date/time stamp (analyst pastes it into a textfield...how easy is that??) and with the push of a button, translate that to both a Unix epoch time, as well as to a human-readable time, in GMT format.

Now, if you look closely at the graphic with this post, you'll see that the string entered into the first field is not indicative of a 64-bit timestamp...nope, it's one of those 128-bit timestamps that MS uses (i.e., in the Scheduled Task .job file format, and in various Registry values beginning with Vista). Consider that an Easter egg. ;-) So, I'll be using this to not only determine if something falls within my incident timeframe, but to also enter information into a timeline via the TLN tool that I wrote, and included with the timeline tools in the Win4n6 group.

Speaking of time, when I talk to folks about analyzing images for indications of malware infections, I will usually start with asking what AV product was installed. What most folks don't realize is that many Windows systems will have the MS Malicious Software Removal Tool (MRT) installed, and that the MRT maintains a log of activity, to include anything it finds and removes during a scan. I thought, cool...I can include that information in a timeline, IF I can parse it out. Now I can. ;-)

C:\tools>mrtparse.pl -f mrt.log -s YoUrMoM
1257686548|MRT|YoUrMoM|| - Backdoor:Win32/Rbot in file://C:\WINDOWS\system32\ss ms.exe (sigseq 0x000016677E6E8F8A)
1257686548|MRT|YoUrMoM|| - Win32/Rbot and Removed!

As you can see, mrtparse.pl is a pretty simple script. Right now what it does is parse through the mrt.log file looking for any segment of the log file that contains a return code between 6 and 13 (all I've see so far is 0 and 6). Once it finds such a segment, it parses out what was found. Pretty simple.

I only have a couple of log files for testing, so the functionality of the script is limited at this point. Also, I don't have anything definitive that describes the format that the time is maintained in (i.e., local system time or GMT). So there is definitely area for improvement, but those are both easy fixes, as well.

Some other thoughts I had were to include all return codes of "0", as well. My thought that it would be a good idea if you could see something like a malware file being added to the system, and the results of tools such as MRT and AV right in there, as well.

NOTE: Keep in mind that MRT is NOT an AV solution (...and you're going to ask me, "...but what is?", aren't you??) - it's more akin to a microscanner (similar to Stinger) in that it only protects against a very specific list of malware.

A possible next step would be to look at adding support for Windows Defender logs...

Resources
A note on Defender settings
Default Scheduled Tasks in Vista
Defender not working and IE homepage set to "about:blank"?
AV recommendations for Windows (links to log files)

Some Analysis Coolness

2009-11-13T04:53:00.000-05:00

TimeLine Analysis

The most recent issue of Hakin9 is available now...my second article on timeline creation and analysis is in this one; it's a hands-on walk-through of using the tools I put together, and use on a regular basis. You know...eat your own dogfood, as it were.

What do I like so much about this analysis method? Well, it's fast, it's relatively easy, and it lets an analyst (i.e., me) see a bunch of stuff all together in one place. It's pretty cool to see things like a remote login, creation of the PSExecSvc service, see that service start, then see a bunch of other files being created...to include the data files created by the malware.

Another thing I like about timeline creation and analysis is this...let's say you've got an analyst (or a team) on-site working an engagement, and they're stuck with something; determining the avenue of infection or compromise...whatever. Now let's assume that it's an engagement involving sensitive data, and they're trying to scope everything AND do collections. You can have those analysts dump the file system metadata, extract selected files from the system or image, zip all of that up and send it to someone for analysis. Not only do you run your analysis in parallel...you're not sending that sensitive data out! That's right, folks...you can increase your response efficiency and effectiveness using off-site staff, without further exposing sensitive data!

The version of the tools used in the article are available for download from the Win4n6 Yahoo group. The tools are all separate, standalone tools for right now because, to be honest, I don't always use them all together. Sometimes, it's good to see activity in a different format...in others, it's good to see a limited subset of activity (say, just your Event Log records) all at once, before moving on. By having separate tools, the analyst can intelligently select what they want added to the timeline in order to build it out.

File and Document Metadata

When I used to present at LE-oriented conferences more often, I'd talk about a nifty little tool out there called MergeStreams. This is a great little tool that essentially allows you to "hide" an Excel spreadsheet inside a Word document. This only applies to pre-Office 2007 document formats, however. I'll say that again...it only works on versions of MSOffice that use the OLE compound document format. What I'd show is someone pasting pictures (re: illicit images) into a Word document and then merging those with an Excel spreadsheet. Name the file "myspreadsheet.xls" and you would see the Excel spreadsheet. Rename the file, giving it a .doc extension, and you'd see the Word document.

While we're talking about Office document metadata, now is a good time to revisit some tools for extracting metadata; for pre-Office 2007 documents that use the OLE structured storage format, I've used the tools from my book, oledmp.pl and wmd.pl quite effectively, and there's OffVis from MS; for Office 2007 documents, try cat_open_xml.pl.

Didier Stevens has come up with something similar for PDF documents. All I can say about this is...wow. Really. This takes me back to '99, when I was sitting in the EnCase Introductory Training course in Leesburg, VA, and we were talking about file signature analysis. Gone are the days where we can simply scan for file signatures and compare that to the file extension...in order to do a decent job, we now have to go deeper. Just because a file begins with "MZ", is it really a Windows PE file? Is the PDF or Word (pre-2007) document really just a document, or is it a container masking/hiding something else?

Remember, a lot of the anti-forensics techniques out there target the analyst and their training.

Speaking of files, have you seen this new plugin from Bit9 called FileAdvisor? It's apparently a shell plugin for Windows, so if you find a suspicious file on your system, you can right-click it, and hash it and submit it for analysis. To view results, you'll need to register at the site with your name, email address, and a password. I don't necessarily see this on every user's desktop, but I do see responders and analysts possibly having it installed on a system somewhere.

Memory Parsing/Analysis
Jeff Bryner has put together a Python script for extracting FaceBook artifacts from a memory dump called pdfbook. For Windows systems, the script parses memory dumps from pd...I wonder if you could do the same thing using a full memory dump, extracting just the memory used by the process? Jeff has also released yim2text, a Python script for extracting Yahoo chat artifacts. Very cool.

In The News

2009-11-11T05:45:00.000-05:00

The Register is reporting that bot masters have hidden a control channel in the Google cloud via AppEngine. Interesting article, take a read. The article also points out that both Facebook and Twitter accounts have been seen being leveraged as control mechanisms. Quoted from the article:

And that may be another reason why black hats are flocking to the cloud.

"Going to a company as big as Google and saying 'Can we get an image of that server,' that's a pretty high barrier," he said.

I'd suggest that that would have to do with the implementation. Cloud is being sold as the next big thing...but what is it? Well, it depends on who you're talking to.

Something else that's been making its rounds is spilled COFEE...Dark Reading picked it up, as well. Folks, the only reason this is getting the press it is, is because this was originally released only to law enforcement. Other than that, it's really not that big of a deal. Hogfly weighed in on this, as well...he apparently felt so strongly about this...dude, his last post was in August! ;-)

FTK 3 has "explicit image detection" capabilities (PDF here). This looks to be very useful for finding images, but I'm not sure that that's really the issue at hand these days...I may be wrong. I mean, I thought that it wasn't so much a matter for LE to find the images (although the coolness factor might be that in the video, Erika Lee uses the term "trained", implying a neural network of some kind...), but it was more a matter of addressing the Trojan Defense. I mean, once you find the images, you have to then demonstrate that the user in question intentionally downloaded and viewed them, and possibly shared them. This is were browser/web history, P2P, and Registry analysis come into play. Know anyone who knows anything about "Registry analysis"?

Speaking of which...

I ran across this AP article regarding the "Trojan Defense" hosted at the Fox News site. This is an interesting article to me, because this is something I've been discussing with LE for a number of years now. One of the key aspects of the analysis performed can be seen here:

A technician found child porn in the PC folder that stores images viewed online.

For most examiners, this refers to the browser cache; for IE, the Temporary Internet Files subfolders. Now, I'm not about to disparage any analysts skills or capabilities...all I'm going to do is point some things out. First, those TIF subfolders aren't created by IE, they're created by the use of the WinInet APIs, which IE uses. Now, this means that another app that uses the same APIs would also create the subfolders, and if it were running in the context of the logged on user, the folders would be created in the user's TIF directory.

Where did I get this? Well, I got a little help from my buddy Robert "Van" Hensing...check out his blog post from 2006. This was valuable to me, as I had conducted an exam for a customer, and one of the oddities I found was that the Default User's web history (I was using ProDiscover in my examination, and there's an extremely useful function to search for and parse web history...) had been populated. I tracked that back to a copy of wget.exe running with privileges elevated to System level...but I digress.

So, it's entirely possible to get just about anything on a system and make it look like the user did it. Why do that? Perhaps to discredit the user or law enforcement...I don't know, I'm not this guy.

My point is that we can't simply look at the folder the files are located in and their date/time stamps, and think we've got it wrapped up. There are a number of other places on the system that we can look...Prefetch folder, Registry, etc...in order to answer the question of did a Trojan do it? before it's asked.

Happy Birthday, VMI!

2009-11-11T05:29:00.001-05:00

I know, another off-topic blog post, but this should the last one for a while!

The Virginia Military Institute was established on 11 Nov 1839, having originally been an armory manned by unruly troops. The armory was turned into a school, with the idea of having the students/cadets (or "keydets") guard the armory. The daily changing of the guard existed while I was there, and exists today.

Something old is shed and something new is added with each era. VMI started as a single barrack, and when I was there, I lived all four years in "New Barracks". This passed April, while visiting during my 20th reunion, I got a look into the "third barracks", which stands on the spot where LeJeune Hall, the cadet canteen, stood while I was there.

I did note that the cannon balls were still present in the wall of Old Barracks nearest Mallory Hall. To see other changes, check out Brother Rat, filmed in 1938, and starring Ronald Reagan...it was filmed, in part, on post at VMI.

VMI has a great tradition and a number of notable alumni; Chesty Puller attended, as did Patton. Dabney Coleman attended VMI. Perhaps VMI's most notable graduate is George C. Marshall, 1901, who went on to become the Chief of Staff of the Army (5-star general), Secretary of Defense, and Secretary of State. He is also a recipient of the Nobel Peace Prize, and the "Marshall Plan" for the restoration of Europe after WWII is named for him.

Happy Birthday, VMI, and Happy Birthday, Brother Rats!

Happy Birthday, Marines!

2009-11-10T04:57:00.001-05:00

This is usually a technical blog, but I wanted to take a moment to recognize the service and sacrifice of all current and former Marines on what is the 234th Birthday of the Corps.

For 234 years, Marines have served just like is says in the Marine's Hymn, exemplified by the motto, Semper Fidelis (Always Faithful).

In my short service in the Corps, I celebrated this date on land, in foreign lands, and even at sea. I was even the commander of the cake detail once (not nearly as ominous as it sounds). I've also seen some pretty humorous things happen during the ceremony...like the time four 2ndLts from TBS comprised the cake detail... 4 2ndLts + 1 Cake + 1 ramp to the stage = a true Benny Hill moment!

That being said, today is a day to thank any and all Marines you know...and by "thank", hug or buy 'em a beer...or both.

Semper Fi!

p0wnage

2009-11-09T20:17:00.005-05:00

A little over a month ago, I purchased a Dell Inspiron 1545 from the Dell Refurbished shelf. Most of the systems I've purchased from Dell have been procured through this route, and I've been pretty happy with the systems.

Until now. Tonight, I was p0wned by MS.

See, I'd purchased the laptop to do Windows 7 forensic (and in particular Registry) research. You know, use it like a user would and then see what the system "looks like" from a forensic perspective. Do what a user would do, then do like a forensic nerd would do.

Well, it seems that the laptop I purchased is running an Intel T4200 processor. It has 410 Million transistors, but does not support hardware virtualization.

Okay, my thought was that I was going to get an almost-brand-spanking-new system...no way it wouldn't support hardware virtualization. Well, it doesn't. What this means is that this laptop doesn't support XP Mode. Wow, so much for that rather critical portion of research.

So, the lesson learned here is, don't assume that the latest and greatest box, even one birthed in the past year, is going to have the necessary functionality to support what you want to do. In fact, as far as XP Mode is concerned, if that system you've got your eye on has an Intel processor, assume that it doesn't until proven otherwise. Wonder where I got that? My favorite forensics tool, Cory Altheide, found this at the Parallels site...notice what it says at the bottom of the page about AMD microprocessors.

Addendum: It seems that while the laptop I just purchased does not have a processor that supports hardware virtualization, the Dell Latitude D820 that I purchased in 2006 DOES! All I need to do is enable it in the BIOS...

Link-alicious

2009-11-04T18:19:00.001-05:00

Thanks to Rob Lee's tweets, I read about AccessData's new Registry Summary Reports recently. These seem like baby RegRipper plugins...not quite there yet. I contacted some marketing guys from AD and they said that Registry Viewer has had this capability for years...I never knew about it when I was using FTK v1.71 or 1.8 (and I was too busy pulling my hair out just trying to install v2.0!!)...guess I just missed it.

ImagineLan has an SRP Explorer utility that looks quite interesting, allowing you do to do diffs of Registry hives across Restore Points. Interesting.

From the MMPC, a post regarding the MSRT October release, with a case study.

Rifiuti, the tool from FoundStone for parsing Recycle Bin INFO2 files, has a version available for Vista Recycle Bins called rifiuti2. This is actually a rewrite of the original code, according to the Google Code page. And yes, there is a version available for Windows.

Anyone caught the most recent edition of Captain Forensics??

Addendum: Chris Novak had an excellent (albeit short) article published on the Fundamental Failures With IR Plans...essentially, not having/testing one. Chris makes an excellent point...although war stories are sexy (re: fascinating) and writing is boring, the fact is, you have to have an IR plan. I was talking to someone recently about a company that stores CVV data, and does their own PCI self-assessment...and passes. I bet they also check "yes" when they get to the PCI DSS requirement 12.9...

I found some interesting stuff on Ophacki recently, starting with this analysis from Joe Stewart, and then moving on to the ISC write-up. Folks, if nothing else, this sort of thing demonstrates the lengths malware authors can and will go to in order to keep their stuff on systems. This bit of malware is a link hijacker, which essentially means that it's relatively harmless...however, more and more customers are asking folks like me (and the malware experts I work with) to determine if the malware has the capability to steal data, and if so, what did it take. First, this ties in to the IR plan article...if you have no plan and do nothing but shut the system off (i.e., capture no volatile or network traffic data), my ability to help you answer those questions is limited. Your IT staff are closest to the incident...it may take me 24-48 hrs to get there, depending on flights (and contract negotiations). If you have a plan and trained response staff, you can at least collect the data...

Second, if you haven't hugged your malware analyst today, do it now. I mean, seriously...look at how complex Ophacki is...it reportedly hides in memory by destroying the PE header. It doesn't decrypt the strings it needs in memory until it needs them, and then it deletes them when it's done. It also deletes the SafeBoot key, and reportedly hooks the APIs to delete Registry keys so that you can't delete the keys it uses for persistence. It also removes Zeus.

In short, there is a lot of sophistication for a simple link hijacker...which tells me that there's some kind of economy at work here...someone REALLY wants to make money!! What if the intent were different? What if the author really wanted to steal data? What if the malware was used to determine the type of system it was on...if a home user's system, look for indications of web-based purchases (or just sniff the keyboard), look for tax returns, and then turn the system into a zombie.

My point is that malware is getting more and more sophisticated, and malware authors are responding not only to standard business practices (i.e., Conficker spread via network shares) but also to some of the response procedures - some malware does not write to disk, but instead remains persistent in memory because the systems are rarely rebooted. Some folks recommend simply nuking the box from orbit...clean and reinstall...but malware authors know that the box will likely be put right back in place with the same holes and vulnerabilities, because that part of the re-installation plan is very often missed or skipped, because there is no IR plan.

The Future of RegRipper

2009-11-03T23:12:00.002-05:00

You may have been wondering why, over the past months, I've been mentioning various plugins (or you may not, I don't know...), but they don't seem to be being released. Well, that's because, in part, that I don't really have a means for doing so other than uploading them to RegRipper.net (again, many, many thanks to Brett for that), and also, I've been working on updating RegRipper to something much more than what it is now.

As an example, I have a test script for the new version of RegRipper working...working fairly well, actually. Here's an example of the output:

C:\Perl\forensics\rr3>test.pl d:\cases\xp\config
Software d:\cases\xp\config\Software
Sam d:\cases\xp\config\Sam
Security d:\cases\xp\config\Security
System d:\cases\xp\config\System

ProductName = Microsoft Windows XP
CSDVersion = Service Pack 1
CurrrentVersion = 5.1

S-1-5-21-1220945662-884357618-682003330-1004
%SystemDrive%\Documents and Settings\Caster Troy

So, I provided the example output so that you could see what's happening, but there are still some things that are happening under the hood. In this example, I've pointed the test script to a directory where I have the Registry hives (SAM, Security, Software, and System) extracted from a sample image (one of Lance Mueller's practicals)...so the script locates the files with the right names, and then checks to see of they're the right type of hive file - that's the first list in the output. Then the script accesses the Software hive file (because now we know that it's a Software hive file) and extracts information about the OS, as well as about user profiles that the Registry knows about.

So know we have a pretty good opportunity for a great deal of automation, don't we? So, I can mount an acquired image via SmartMount, ImDisk, or P2 Explorer (or my app of choice), or access a remote drive via F-Response, or mount a Volume Shadow Copy, and then just point RR at the system32/config directory. Point and shoot...very cool. Now the application has a good deal of information on which to make decisions and choices to control program flow...such as, if the system isn't Windows 2000 or XP, is there any sense in running the ACMru plugin against the user hives? Or, if the system is XP, I may want to run one plugin to get wireless SSIDs, but if the system is Vista or above, I may want to run another plugin.

So, you're looking at the future of RegRipper...well, you're not so much as I am! ;-) For those of you who've already seen the power of RegRipper, and for those of you who've said that using RegRipper reduced what used to take you days into minutes, there's a lot to look forward to!

Speaking of plugins, I wrote another one tonight...svcdll.pl. This one runs through the Services subkeys in the ControlSet marked "Current", and locates all services with a ServiceDll value...many times, these are services run via SvcHost. This is also used by some malware variants...they'll create a service with a random name, and the ServiceDll value will point to a similarly oddly-named DLL. Svcdll.pl gives you a quick look for such things, providing a modicum of malware detection, and hey...it can be run against live systems if you're using F-Response!

Into The Boxes

2009-11-02T04:16:00.001-05:00

Into The Boxes is a new e-mag (first issue due out in Jan, 2010) covering issues concerning the Digital Forensics and Incident Response (DF/IR) community. The purpose of this e-mag is NOT to replace or compete with any of the other information resources within this community; in fact, it’s an attempt to augment what’s already out there, by providing additional resources in an easy-to-read and easy-to-manage format.

Sound cool? Check out the Welcome Message. If you'd like to contribute, check out the Collaboration Box. Comments and suggestions can be sent using the Call Box. Complaints and whining will be piped to /dev/null. ;-)

Linkware

2009-10-27T06:26:00.002-05:00

F-Response 3.09.05 is out! With this version comes "Compatible with Windows 7" status, as well as additional platform support (ie, HP-UX, and FreeBSD 7). If you haven't been watching Matt's product, all I can say is, you really need to be. Why? What does F-Response offer? As an incident responder, one of the biggest issues I've had to face is the lack of available data for analysis. This is most often due to the fact that the "victim" is woefully unprepared for those incidents that will, without question, occur. The short story here is that for relatively little expense, F-Response provides system owners and first responders (who should be the folks on-site) with the ability to quickly gather data so that the questions they do have (ie, was the system infected/compromised, was sensitive data on the system, etc.) can be answered.

Thanks to JL, we should be looking for a new release of Volatility soon! JL's been doing a lot of great work documenting Volatility, as well.

A bunch of us will be at the NetWitness User Conference next week...I won't be speaking, but I will be there with my employer. This is a great product, and if you don't already know about it, you really should check it out. Richard Bejtlich of TaoSecurity fame, perhaps the predominant NSM luminary, has blogged about NetWitness, albeit not recently. Maybe there's something on the horizon...we can only hope!

TrueCrypt 6.3 is out, with full support for Windows 7 and MacOSX 10.6 Snow Leopard! If you're one of those folks who loves the MacBook hardware, and loves to have the ability to use both MacOSX and Windows (via BootCamp), then you now have the ability to protect sensitive (ie, customer) data on both platforms.

Hey, did you know that this guy has been collecting screenshots from TweetMyPC? Looking at the archive, all of the screenshots are from this past summer (June through August), but still...probably a little more revealing than I'd like to have folks see! Reminds me of the site that used to be up a couple of years ago called "seewhatyoushare.com"...

Christa Miller had an excellent article posted on Officer.com, regarding crime scene evidence that's being ignored. While specific to LE, my own experience tells me that this is also the case with IR activities, where first responders don't often recognize the value in certain devices or data. Also important in today's day and age, Christa raises the issue of evidence "in the cloud". I'd blogged about 4 1/2 years ago about GMail Drive artifacts, and it's good to see Christa bringing this sort of thing back into focus again.

There are some thought provoking posts over on the Cassandra Security site...give them a look and a read, leave your comments. At least one of the guys over there is a former Marine, like myself, and this guy...so that's a recipe for some interesting posts!

The Free Tools post is really taking off...if you've got something to add, please feel free to make a comment. Really. Just add a comment if you have a free tool for Windows systems that isn't already on the list.

File Extensions and Programs

2009-10-27T05:54:00.000-05:00

Now and again in the lists, you'll see a post asking about a file extension, and what program it "belongs" to or what it does. Many times the way to determine some information about the file extension may be to search via Google of the Filext.com site. However, if you found the file while analyzing an acquired image, you already have the information you need at your finger tips, right there in the Registry within the image. The Registry maintains a list of file associations; that is, file extensions for installed applications, associated with the programs that should be used to open them. These are maintained for the system, as well as the user.

File extensions are the basis of traditional file signature analysis, where the file signature (usually a "magic number" within the first 20 bytes of the file) is compared to a set of known file extensions associated with that particular type of file. When a match is found, nothing happens...that's to be expected. However, when there's a mismatch...either a new file extension, or a new file extension and "magic number" combination...there should be a flag of some kind to notify the analyst.

I blogged on file associations over a year ago...sometimes circling back around to the older stuff is a good thing, can be very useful, and can remind us of things that might not have been useful at the time. So, the next time you run across an odd file extension, try taking a look at the Registry within the image; perform a little Registry analysis and post your findings to the list, rather than posting a question...because folks are just going to be asking you, "what did you find through Registry analysis?"

Free Tools

2009-10-23T06:43:00.012-05:00

I've seen requests in several listservs for listings of free tools that people use during examinations, and most often, the response is something akin to "contact me off list". In my mind, that kind of defeats the purpose of the listserv...why not just close it down and move everyone to Craigslist?

Regardless, I thought that this would be a good way to start and even maintain a list of free tools (or at least some that have trials/demos available) that can/have been used during computer forensic examinations on Windows systems. I'll start by providing tools that I use, as well as links to other tools, and from there, I will expand the list as I receive information (ie, comments, emails, etc.)

General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView

Acquisition
FTK Imager - great for opening raw (ie, dd) images, .EOx files, .vmdk files, etc - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)

Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration

Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker

File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd

Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available

File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal

Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking

Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow

Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant

Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows

Browser Analysis
SQLite Spy (for Firefox 3 analysis)

Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - Extract information in the Windows Desktop Search database (ie, windows.edb file)

Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal

Any you'd like to add? Comment, or email me.

Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash

Windows 7 and the Future of Forensic Analysis

2009-10-21T22:19:00.000-05:00

Okay, so I was in Redmond, WA, last week at some computer conferences (yes, plural) and was on-stage with Troy Larson while he waxed philosophic on forensicy stuff with respect to Windows Vista and beyond, including Windows 7. I've been noodling a lot of this over, and here's what I've come up with...

One of Troy's pet projects is Volume Shadow Copies (please, do not ask me about any of his other interests...), and I have to say, he's really one of the most knowledgeable folks I'm aware of on the subject of VSC and the needs of forensic analysts. Troy has some interesting things to say about how Volume Shadow Copies can be accessed, but one of the most interesting aspects is that one way to do this is by booting your acquired image via something like LiveView. Another means is to mount the image file as a drive letter from a like system. At that point, you can image the entire volume or dump only selected files.

Notice at no point did I say, "...insert your dongle...", or "...run this EnScript...". It turns out that Volume Shadow Copies can be enumerated and accessed via WMI, meaning that once you have an image mounted, you may be able to (haven't tried it yet) automatically process what you need.

I was doing some research into processing the new Windows Event Log format (new as of Vista and Windows 2008, that is...) for inclusion into timeline analysis, and what I've been able to find out is that if you extract the pertinent .evtx files from your acquired image, you may be able to process them via LogParser, but again...on a like system. Andreas Schuster did a great job in documenting the format, but .evtx files are a combination of binary, and binary XML...eesh! Note - you may need to consider using something like wevtxutil in your live response activities...

Okay, I'm not sayin' that commercial forensic analysis suites are no longer useful...after all, ProDiscover 6.0 allows you to access Volume Shadow Copies if you're accessing the remote system live via the servlet...which means that if you're using PD for live response, you can likely automate what you need via Perl-based ProScripts.

So where does that leave us? Folks, I'm gonna sound the ol' "the age of Nintendo forensics is over " trumpet yet again, and the dawn of the educated, knowledgeable, sofis...soffis......sophisticated responder is upon us!

Timeline Creation Tools

2009-10-20T20:40:00.001-05:00

As time progresses, we look at the tools we have available to us, tweak those that we have, and maybe look for new capabilities, creating new tools. Recently, someone was kind enough to take the time to post some feedback on their experiences with the timeline tools I released in the Win4n6 Yahoo Group a bit ago, and I took the opportunity to update some of the tools based on that feedback. Below are the tools I updated, and what I did to update them:

pref.pl - removed the path to the directory where the Prefetch files are kept; the feedback had an excellent point - don't want to confuse the user

evtparse.pl - updated this script to (a) dump the sequence of event records and time generated timestamps, and (b) get all .evt files in a directory, rather than requiring the user to enter one command line for each file

jobparse.pl - created this one recently, for parsing Scheduled Task .job files (NOT the schedlgu.txt log file); includes output in TLN format

Now, these updated tools have NOT been included in the toolset available in the group, largely because my second Hakin9 article - the one where I provide a hands-on walk-through of the tools - should be coming out in the near future, and I don't want to confuse anyone. Also, the feedback (which I greatly appreciate) pointed out that this is still largely a manual process, and I realize that this can be an impediment to a lot of forensic examiners. Maybe what needs to happen is that I need to provide training on using these tools, so that more folks can realize for themselves the real power in this analysis technique.

Another thing I really need to emphasize about timeline generation is how powerful it can be when used to optimize triage and analysis techniques. Let's say you have a large-ish incident that you're responding to, and it's clear that you need to have a means to get some analysis completed in parallel, while the rest of the data is being collected. On-site staff can collect file system metadata and specific files from acquired images while verifying the image file systems, and ship that data off to another analyst for timeline generation and analysis. Given an image of 80 or 160GB, getting the file system metadata, and archiving selected files that have been extracted from an image means that you're sending off several MB of data, rather than GB. In addition, you're not actually sending file contents...so in the case of response activities involving a data breach, you can get analysis done by shipping this data off, but you're not sending the actual sensitive data itself...file names and paths != file contents.

So consider this scenario...on-site staff are in the process of acquiring systems (or, perhaps the organization's own incident responders are acquiring memory dumps and images) and part of that process is to verify the acquired images by opening the image file in FTK Imager. Now, you may only have a few team members on-staff, all trying to collect a considerable amount of data; not just images, but also network diagrams, data flows, etc. So, their new process is to verify the file system of each image, and then run the appropriate tools to collect file system metadata, as well as various files (i.e., .evt, .pf, .job, Registry, etc.), zip them up, and ship them off for analysis. Put these in the hands of someone skilled and practiced in the use of the timeline creation tools, and you will very quickly get a timeline of activity from each system. This can help you quickly narrow down what you're looking for or at, as well as help you scope other systems that may be involved in the incident. And you haven't contributed to the exposure of sensitive data!

Challenges

2009-10-16T07:29:00.001-05:00

What challenges do you face in Windows forensic analysis?

Book news and Registry research

2009-10-16T05:16:00.000-05:00

I've recently exchanged a number of emails with my editor at Syngress, and opted to put of working on a book on Registry analysis until next year.

Well, more accurately, I won't be submitting a manuscript until after the summer of 2010. One reason for this is because I want to have the time to really dig into the Windows 7 Registry and do some in-depth analysis (and thoroughly document it) to be included in the book. I also need to refine some of the updates I have planned for RegRipper and that set of tools.

However, there were other reasons for putting this project off, as well. I submitted my proposal for the book, and got back almost a dozen reviews...all anonymous. Many of the comments were interesting, but one of the common threads throughout the reviews was a need to compare commercial tools. Sadly, this isn't something I have access to...while some vendors have offered me trial versions of tools, this hasn't been the case with tools that deal with the Registry. I simply don't have access to such tools. Further, these tools are largely just Registry viewers, and don't offer the same sort of functionality or flexibility as RegRipper. I'm not sure, but this may end up being the biggest obstacle to the book.

Finally, I have to come up with a way to present the information I have and develop in the book without making it just a big, long, boring list of Registry keys and values. That'll take some time to develop...

DCC2009 Takeaways

2009-10-16T05:09:00.000-05:00

I had an opportunity to attend some of the presentations at the Digital Crimes Consortium 2009 conference at the Microsoft campus in Redmond, WA.

One of my biggest takeaways from this event was the fact that the needs of CIOs, IT staffs and consultants (which is where I spend most of my time) are, on the surface, vastly different from the needs of law enforcement. "Victim" IT organizations are primarily concerned with getting rid of a malware infection, regardless of what it is...worm, Trojan, etc. In my experience, eradication and returning the infrastructure to normal operations are the primary concern, with compliance and questions about data loss/exfiltration usually popping up after the fact (i.e., too late).

However, LE is interested in intelligence, some sort of actionable data that can be used to investigate cyber crimes, track down the players and prosecute someone, preferably someone fairly high up the food chain.

At first glance, there may not be an obvious overlap. However, both sides have information available that is useful, even valuable, to the other. LE might have data available about cyber crimes that occur across a wide range of victims...such as, was the incident initiated by a browser drive-by, was it targeted, etc? LE (depending upon the level that we're talking) may have trending information available regarding victim types, intruder/criminal activity, etc. Victim IT organizations will have information available about malware variants, outbound connections (to command-and-control servers, etc.), sensitive information collected, etc.

Where things tend to break down is that in some cases, LE either doesn't track the kind of information that might be useful to victims, or they feel that they can't share it because doing so might expose information. Victim IT organizations many times feel the same way...that they can't share what information they have without exposing information about their infrastructure, intellectual property, or "secret sauce". Sometimes, the victim organizations do not want to contact LE for fear that their name would be included in public documents, exposing the fact that and the means by which they were compromised...something those organizations do NOT want made public.

Another takeaway I got from the conference is that there is a definite organization and structure behind cyber criminal activities. There's a hierarchy to the structure, an economic driver (i.e., money), and individuals in the communities are kicked out if they fail to provide something back to the community. These seem to be driven like businesses without an HR department...maybe there are certain elements to this structure that the good guys could emulate.

Taking this anywhere is going to take some thought and some work.

The first part of this trip was to participate with Troy Larson in his Windows 7 Forensics presentation. I've been focusing on the Registry, but Troy's been looking at a lot of other things, most notably Volume Shadow Copies and how they can be used.

One of the things that Troy brought up in the presentation that stood out for me was the number of files (Sticky Notes/.snt, etc.) that are based on Microsoft's OLE, "structured storage" file format. You might be able to get some interesting data from these files using oledmp.pl, or you can use MS's own Office Visualization Tool.

Speaking of metadata, everyone should remember Kristinn's post to the SANS Forensic blog on Office 2007 document structure and metadata; I like it because he includes a Perl script for parsing this information. If you end up using the version of the script for Windows systems, be sure to read the file headers for instructions on how to ensure that you have the right modules installed.

Usually when I mention something like this, I get questions like, "...ok, but what about other document metadata?" Well, let's not forget Didier's work with PDFid.

Links

2009-10-10T16:26:00.000-05:00

Not much new, so here are some links to things I've found interesting...

Some of the TrustWave guys were at SecTor this past week...check out Chris's write-up on the event. Chris's presentations, and others, can be found here.

An astute reader found that the Kindle edition of WFA 2/e is now available. Thanks, Tom!

Matt Shannon posted recently on New Directions in Electronic Evidence Collection, regarding a conference he's attending at the University of Florida.

If you need to get specific information, such as product keys, from a Windows installation, check out KeyFinder from Magical Jelly Bean Software. Hey, it even has command line options so you can include it in your live response batch files!

If you haven't done so in a while, check out the e-Evidence site...the most recent update appears to be about 22 Sept, and Christina has linked some really interesting files, like this one and this one. There are even a couple of papers on forensics involving social networks (here, and here).

Hakin9 articles

2009-10-07T05:30:00.002-05:00

I returned from a trip this morning, to find two copies of the most recent edition of Hakin9 on my desk, with the first of three articles I've written on timeline creation and analysis. This first article is more of an introduction to the topic, and my hope is that anyone reading the articles is able to understand what I'm trying to get across, and see the usefulness and the power of this technique. Personally, I've used this technique on several examinations, all to spectacular effect.

Something that's very interesting (and validating) about this edition is Ismael Valenzuela's "My ERP got hacked - An introduction to computer forensics, pt II" article. Not only does Ismael make use of RegRipper, but he also walks through some techniques for parsing data (i.e., Event Logs/.evt files, IE browser history/index.dat file, etc.) in forensic analysis...very cool stuff, indeed! While Ismael's article does not explicitly develop a timeline, there are some data collection and analysis techniques illustrated in the article that are pretty spot on and very useful.

The second article in the series (I'm told that it will be in the next edition) is a hands-on walk-through, using a freely available image file that can be downloaded from the Internet as a basis for actually creating a timeline. While this is still a very manual process, I firmly believe the benefits of this technique far outweigh the "costs" (i.e., having to extract files and run CLI tools, etc.).

The third and final article (which I'm working on now) is a wrap-up, showing some alternative and advanced techniques that have proven (for me, anyway) to be extremely useful in getting data to include in the timeline. I've also pointed out a couple of areas where we need coverage with respect to converting the retrieved data into something that we can include in a timeline.

Overall, I think that the biggest issue with timeline creation and analysis at this point is the sheer volume of data that's available, and how we can go about doing a bit of data reduction. For example, I have yet to find a suitable technique for data visualization on the front end, when you have all of this data to go through. Clustered dots showing various activity (i.e., file system, Event Log, etc.) don't particularly make a great deal of sense to me, largely due to the fact that things such as software updates and normal operating system activity tend to create a great deal of "noise", where as, the compromise or the malware activity falls into what Pete Silberman of Mandiant referred to as "least frequency of occurrence". So spitting things out in ASCII format so that the analyst can do...well...analysis seems, to me, to be the most effective way to go at this point.

Once the analyst has nailed down the events in question, essentially separating the wheat from the chaff, then is the time for visualization techniques, particularly for reporting. I've seen and referred to some techniques for doing this, including Simile and using Excel to generate something usable.

Where was Waldo?

2009-09-27T05:10:00.006-05:00

I was talking to some really, really smart folks last week about some things you could do with data that resulted from computer forensic analysis, and the topic of geolocation came up. I had some ideas, and when I returned from my trip, I started taking a look into how I could use historical information derived from an acquired image to perform geolocation. I sat down yesterday...it was rainy, so it's a nice day to code...and worked up a proof-of-concept that came out quite nicely.

So basically, here's how it works....during the course of an exam, you may determine that the system was used to connect to multiple wireless access points (WAPs). As discussed earlier, there may be more than just the SSID of the WAP recorded in the Registry...for example, the MAC address of the WAP is also recorded. Pretty neat.

So what? So you have a MAC address...what would you do with this information? Look up the vendor? Well...that's a start, as it can help you confirm that you do, in fact, have the right type of device. But in a few easy steps, you may be able to find out where that WAP is physically located. I put heavy emphasis on may because this isn't a 100% done deal...but it is way kewl nonetheless.

So the steps go a little something like this...

1. Run RegRipper (or rip or even ripXP) against the Software hive to get the SSID and MAC address of the WAP, as well as the last time the WAP was connected to. For XP systems, the updated ssid plugin is what you want to use, and for Vista and above systems, I wrote a plugin called networklist.

Note: There's a date associated with the SSID within the binary data of the Registry value on XP systems...however, I have no idea what this date means. On Vista systems and above, the MAC address has a distinct value (ie, does not need to be stripped out of a binary data stream), and a date/time stamp that indicates when the WAP was last connected to.

As an example, here's the data I retrieved from an XP system:

Launching ssid v.20090807
SSID
Microsoft\WZCSVC\Parameters\Interfaces

NIC: 11a/b/g Wireless LAN Mini PCI Express Adapter
Key LastWrite: Thu Feb 7 10:38:43 2008 UTC

Wed Oct 3 16:44:25 2007 tmobile MAC: 00-19-07-5B-36-92

For completeness sake, the output of the networklist plugin looks like this:

Launching networklist v.20090811
Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
linksys
Key LastWrite : Mon Feb 18 16:02:48 2008 UTC
DateLastConnected: Mon Feb 18 11:02:48 2008
DateCreated : Sat Feb 16 12:02:15 2008
DefaultGatewayMac: 00-0F-66-58-41-ED

2. Submit your MAC address to the SkyHook WiFi Geolocation database...for metropolitan areas, you may get a lat/long pair back...it's not guaranteed, of course.

C:\Perl>skyhook.pl 00-19-07-5B-36-92
Latitude = 38.9454029
Longitude = -77.4444937

Note: The code for skyhook.pl was based on this code...many thanks to Joshua! I'm doing this on Windows, and I couldn't find a version of XML::LibXML that installed on Windows, so I used XML::Simple. Also, I made a number of other modifications with respect to programming style, but Joshua did most of the heavy lifting.

3. Using the lat/long pair, create a URL for Google Maps (you can include some additional information, such as the SSID and date last connected), which will give you a map with a pushpin and any additional information you add. For multiple WAPs and to plot multiple pushpins on the same map, you may need to create a KML or KMZ file and host it someplace that can be reached by Google Maps, and then submit the appropriate URL (on the KML Update page, hover over the link that ends in cropcircles.kmz...).

For the WAP in our example, the URL might look like this. Here's an article that describes how WiFi geolocation can be used to recover stolen laptops.

Again, this isn't 100%. Not every area is mapped, and its highly unlikely that SOHO WAPs have been mapped. Still, if you can get something out of this, it might be useful.

Resources
Google Gears Geolocation API gets Wifi
SkyHook Wireless How It Works page
Firefox GeoLocation add-on

Addendum: Updated my Perl script tonight, thanks to input from Colin Shepard on Net::MAC::Vendor (for Windows, download the .tar.gz file, can extract the .pm file into site\lib\Net\MAC in your Perl install...). Now, the script takes either a WAP MAC address (if no SSID is provided, uses "Unknown") or the path to a file containing MAC addresses and SSIDs on single lines, separated by semi-colons. The output is any vendor and address information returned by the OUI lookup, and a URL that can be pasted into your browser window to get a Google Map (if lat/longs are available). For example:

C:\Perl>maclookup.pl -w 00:19:07:5B:36:92 -s tmobile
OUI lookup for 00:19:07:5B:36:92...
Cisco Systems
80 West Tasman Dr.
SJ-M/1
San Jose CA 95134
UNITED STATES

Google Map URL (paste into browser):
http://maps.google.com/maps?q=38.9454029,+-77.4444937+%28tmobile%29&iwloc=A&hl=en

Pretty sweet...

Linkity-Link

2009-09-25T05:30:00.001-05:00

Now and again, the question comes up about writing technical forensic examination reports. Often in some forums, you'll see someone say that they feel that folks should publish their report formats...most often without doing so themselves. Funny how that works, eh?

Here's a link to a recent DFI article that describes what a report should contain.

Not long ago, John H. Sawyer wrote a nice article for DarkReading that mentioned my name...very cool, and a very nice reference. Thanks, John!

From the sausage factory, there's a great blog post about Windows Photo Gallery artifacts. IMHO, for the most part, we don't see enough of these kinds of posts...great work! Here's another, similar post from the ThinkTankForensics blog.

This past week, I had an opportunity to be around and talk to some really smart people, and had some really interesting thoughts about WiFi geolocation data extracted from acquired images. Okay, it's not quite as simple as that, per se, but I do think that for some folks (in particular, law enforcement), this sort of data exploitation will be extremely useful.

Ran across a reference to the Digital Forensic Framework last week, and thought I'd take a look...yes, Virginia, there is a Windows version! I'll have to read a bit more about it and give it a run.

Speaking of frameworks, ProDiscover version 6 is available! Thanks to Chris Brown's generosity, I've been using PD since version 3, and have written several ProScripts, which is the Perl scripting interface into ProDiscover. Some of the updates in version 6 are very, very welcome, including the ability to conduct regular expression raw mode searches. Very cool! I also ran across some comments in various lists that version 6 also supports access to Vista Volume Shadow Copy files...this is something I definitely need to check out. One of the things I've always loved about ProDiscover is the cleaner interface than some other tools, and I really like the Perl scripting capability!