Tuesday, June 24, 2008

Most Wished For...

Grabbed this image off of Amazon this morning..."Windows Forensic Analysis" is the #1 Most Wished For book in the Computers & Internet -> Security & Encryption -> Forensics category. Very cool! Just the other day, it was listed as #2...I'm sure it fluctuates back and forth. Even so, it's way cool!

A couple of other books you should be looking out for are Unix and Linux Forensic Analysis, but Chris Pogue, Cory Altheide, and Todd Haverkos, and Malware Forensics, with Eoghan Casey listed as one of the authors. Both books are on their way out, and definitely worth the wait!

Tuesday, June 17, 2008

Determing the OS version from an image

I was perusing the ForensicWiki list of recently added pages this evening and ran across an interesting page/placeholder titled, Determining OS version from an evidence image. The section on Windows systems was...well...empty. I had blogged on this a bit ago, but thought that I'd add a couple of things that might be of help...

From the image, locate the Windows (or WinNT)\system32\config directory, and extract the Software file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).

To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.

In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.

Hope that helps...

Memory Collection and Analysis, part II

Based on my last post, I wanted to throw some quick tests together and see how things worked out...here's the results of what I found...

So, first off, I wanted to run ManTech's mdd...or memdd.exe, as it were. That worked out very well...ended up with a nice output file after running memdd.exe (renamed to mdd.exe) version 1.1:

06/17/2008 10:51 AM 23,520 mdd.exe 06/17/2008 10:56 AM 3,210,854,400 test.dmp

Next, I ran winen.exe, the tool available from GSI, as part of the EnCase 6.11 install (yes, I am a "dongled", licensed user). As I was running this on a Windows XP SP2 system with 2.99GB of RAM (4GB on the board) and used the defaults in the configuration file (except for where I was required to make an entry), I ended up with a total of five .E0x files. I then opened the .EO1 file as an evidence item in FTK Imager Lite v2.5.1 and, as expected, Imager did not recognize the file system. However, Imager appears to have read the EWF header info just fine, because it recognized what I had entered into the config file.

So I then chose Create Disk Image from Imager's File menu item, and chose Image File from the Select Source dialog. During the process of selecting options, I chose to have Imager output the image in 2000MB files (as opposed to the default 640MB file sizes used by winen). This resulted in two image files (winen.001 and .002), which I then cat'd together using the type command on Windows into a single file (winen.bin):

06/17/2008 01:18 PM 2,097,152,000 winen.001
06/17/2008 01:19 PM 1,113,702,400 winen.002
06/17/2008 01:42 PM 3,210,854,400 winen.bin

Notice that the file size for the final winen.bin file is the same as the test.dmp file created using mdd. Very cool.

Now...what to do with it? Well, that's where Volatility 1.1.1 comes in...I grabbed ActivePython, installed it, and was up and running with Volatility 1.1.1 in no time! I was able to view the process list, run the 'dlllist' command to get modules and the command line for each process, etc...all very cool stuff. Volatility worked very well on both memory dumps...not just the winen/FTK one, but the mdd RAM dump, as well.

So what's next? Well, I'd like to see about digging a bit deeper into the dumps, including:

- As Moyix discussed, enumerating Registry hives (or just keys and values) from memory
- Run Andreas's PTFinder against the memory dump and develop graphs of the processes using Richard McQuown's PTFinderFE
- Attempt to do file carving via scalpel

Anything else? What's in your wallet? =)

Take aways from this...it's likely that like linen, winen.exe will show up on IR tools distros...but you're not restricted to using EnCase to perform analysis of the memory dumps produced by such tools. Using free tools, you can convert the .E0x files to a dd-style format, and then use other freely available tools to parse through the memory dumps.

Addendum: Got this from someone who ran kern.pl on a memory dump from XP SP3 recently...

File Description : NT Kernel & System
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Internal Name : ntkrnlmp.exe
Original File Name :
Product Name : Microsoft(R) Windows(R) Operating System
Product Version : 5.1.2600.5512

Pretty sweet, eh?

If you're using winen.exe to collect the contents of RAM and you're also using EnCase, you might want to check out these EnScripts from TK_Lane that will pull process information from the .EOx files. I haven't tried them yet, but thanks, TK, for providing them!

Saturday, June 14, 2008

Memory Collection and Analysis

As a follow-on to my previous post regarding OMFW, there have been some developments in the area of memory dumping and parsing (ie, collection and analysis) that have occurred over the past couple of months.

Lance Mueller posted on the new standalone memory dumping tool that is part of EnCase 6.11. Interesting tool as it apparently dumps the contents of physical memory from Windows (Windows 2000 through Vista) to an EnCase .E0x file format, for inclusion in a case. According to the documentation, there's functionality to extract that memory dump from the .E0x file format to something usable by HBGary's Responder product. Note: Initial testing indicates that FTK Imager will successfully convert the resulting .E0x files to a dd-style format for use with other tools.

Jesse Kornblum referred mdd to me. This one looks promising...captures memory from Windows versions through Vista and 2008. Jesse posted some clarifications about this tool on his blog. As it stands, this appears to be the first free tool to dump RAM from Windows 2000 through 2008, inclusive, in a dd-style format. Note: Updated version 1.1 was released on 17 June.

So available tools for collecting the contents of physical memory are becoming more available. From an analysis standpoint, I really think that you want to keep your eyes on the guys over at Volatility Systems, though.

Addendum: win32dd is available from Matthieu Suiche. I just found out about this so I haven't had an opportunity to try it...but I am looking forward to adding it to the list of tools to test!

Andreas blogs on the new tools...great stuff, very comprehensive view of where this all stands at the moment.

Wednesday, June 11, 2008

NTFS Alternate Data Streams

NTFS Alternate Data Streams (ADSs) have been around since the dawn of...well...NTFS. Windows OSs ship with plenty of tools to create (and execute) ADSs, but the cool thing is that until Vista came along, there were not tools provided with the Windows operating systems that allowed you to see arbitrary ADSs that had been added to your system.

Caveat: There are some tools that do allow you to see specific ADSs, but those are only in very specific instances. Even Windows systems themselves make use of some specific ADSs, as well.

And, yes, you heard me right...from NT up through Windows XP and 2003, someone could create arbitrary ADSs on your system, using tools on the system...but there are no tools that ship as part of the OS that allow you (as an admin) to find and/or view these ADSs. On Vista, you can use dir /R to view arbitrary ADSs.

An interesting kicker is that ADS can not only be attached to files, but directory listings, as well, using the same command line syntax, with a slight alteration...

D:\>type c:\windows\system32\calc.exe > d:\ads\:calc.exe

Running tools such as LADS (from Frank Heyne, see below) we see that the ADS is indeed attached to the directory listing. We can launch this executable using the same syntax as was used to create it:

D:\>start d:\ads:calc.exe

Pretty sweet, huh? This is how tlist.exe sees it:

2640 ads:calc.exe Calculator Command Line: "d:\ads:calc.exe"

You see pretty much the same thing in Task Manager, as well.

This topic is covered in both of my books...Windows Forensics and Incident Recovery and Windows Forensic Analysis. From these resources, you can see that ADSs can be used to "hide" files and data, but also be used as a repository for executables, as well as scripts.


My original paper, The Dark Side of NTFS
Frank Heyne's LADS
SoftCorp scSTREAMS
Rootkit that uses ADSs
WindowsIR on ADSs

Portable Devices on Vista

Rob Lee shared an interesting tidbit of Vista Registry goodness with me recently...basically, the Vista Registry maintains some historical data on the drive letters that had been assigned to portable devices. Sweet!

The key in question is:
HKLM\Software\Microsoft\Windows Portable Devices\Devices

The subkeys beneath this key contain the device names...and the FriendlyName value contains the drive letter.

Rob discovered this as a part of the Computer Forensics SANS course as part of the section on Application Forensics where he and the class were examining U3 device footprints on a VISTA machine. (rlee@sans.org for contact info)

Very cool, Rob, and thanks for sharing!

And yes, I've already written a plugin for RegRipper...I KNEW you were going to ask that! =)
The output looks like:

LastWrite : Fri Sep 21 01:42:42 2007 (UTC)
SN : 000A270018A0E610&0
Drive : IPOD (F:)

LastWrite : Thu Feb 7 13:26:19 2008 (UTC)
SN : 0C90195032E36889&0
Drive : GEEKSQUAD (F:)

LastWrite : Sat Dec 15 01:17:56 2007 (UTC)
SN : 6&14BB4B7C&0
Drive : Removable Disk (F:)

Tuesday, June 10, 2008

RegRipper Plugin Updates

Pretty much everyone is aware by now that the full version of RegRipper is available on SF.net. I made a couple of minor updates to some of the plugins the other day (so you won't find these in the currently available distribution) that I wanted to mention briefly...

First, I updated the winnt_cv plugin so that the InstallDate value is converted to a readable time stamp, such as:

InstallDate : Fri Aug 31 15:21:10 2007 (UTC)

Much better than just spewing the DWORD data to the output, don't'cha think?

Second, after using RegRipper on some actual engagements recently, I decided that I wanted a plugin that would display information about the services in a shorter format so that its easier to read. The services plugin displays the following about services and drivers:

Display = @%SystemRoot%\system32\snmptrap.exe,-3

ImagePath = %SystemRoot%\System32\snmptrap.exe

Type = Own_Process

Start = Manual

Group =

The svc plugin (get it...shorter name, shorter format for the output??) displays the following about services:

Thu Nov 2 12:53:48 2006Z
Appinfo (%SystemRoot%\system32\svchost.exe -k netsvcs) [LocalSystem]

Thu Nov 2 12:53:38 2006Z

SessionEnv (%SystemRoot%\System32\svchost.exe -k netsvcs) [localSystem]

Thu Nov 2 12:53:22 2006Z

TrkWks (%SystemRoot%\System32\svchost.exe -k LocalSystem NetworkRestricted) [Lo

Thu Nov 2 12:53:11 2006Z

Dhcp (%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted) [NT

The svc plugin grabs much of the same information as the services plugin, but presents it in a shorter format, so that it's much easier to read at a glance. In addition, svc also grabs the ObjectName value (if available), which indicates the account that the service runs under.

For analysis purposes, I generally try to look for services and drivers that have a LastWrite time around the reported date of the incident, as this has indicated the use of keystroke loggers and kernel-mode rootkits.

What's also really sweet about this is that, as always, the plugins work great with rip.exe...check out the batch files that were included in the most recent distribution of RegRipper.

Two other items that are yet to be completed (currently in progress) with regards to RegRipper are:

1. Extraction of time-based data in a common format, for correlation with other sources of time-based data, and then display of that data using Timeline or some other visualization tool.

2. Development of a separate, standalone copy of rip.exe (to start, anyway) that will not only run a plugin or plugins file against a hive, but also against the appropriate hive files in XP System Restore Points (all automatically).

Thoughts? Just more RegRipper goodness...no hive files were harmed in the making of these tools or of this post...

Thursday, June 05, 2008

Some UpComing Events

There are some interesting events coming up this summer (and beyond) that I wanted to point out to folks...

DFRWS is this summer (11-13 Aug), but the Open Memory Forensics Workshop (OMFW) will be held just prior (info here, update here). OMFW looks like a great opportunity...it's a half-day event, but looking at the list of speakers and panelists...wow! If you haven't already, grab books off of your bookshelf (I *know* most of you recognize author names...) and get your copies signed! OMFW is brought to you by the letters M and S, and these guys.

If anything, this really shows how the interest in analysis of physical memory is really picking up. More than anything, I'd have to say that the interest is really been driven by the guys over at Volatile Systems, along with a host of other names. There is a great deal of extremely valuable information available in physical memory (RAM), and these guys are leading the way in showing us what's there, and providing tools for getting at it and making it available, but more importantly, useful to analysts.

As a side note, if you look around the community/industry, there is a big piece that's missing right now...collection. That's right...there are open source and commercial tools (from Mandiant and HBGary...and HBGary is apparently partnering with GSI) that provide the ability to parse, comb through and analyze a physical memory dump, but very few that provide the ability to extract the contents of RAM from Windows 2003 SP1 and above (e.g., Vista, Win2K8) systems. I even received an email from a friend at MS yesterday asking me if I knew of any such tools. One would naturally assume that we'd eventually see such a tool from MS/SysInternals. One way to go about changing this...buy more F-Response!

Note: Paraben is having an Innovations Conference in Utah in Nov, 2008. They also let you vote for a company or product that you feel is most innovative for 2008...I voted for F-Response.

Okay, back on track...what was I talking about? Oh, yeah...

Looking at the program for DFRWS 2008...yet another impressive line-up. I'm hoping to go...working for a large corporate (think "glacial") entity (think Borg cube), these requests are always in limbo. However, I'm very interested in Timothy Morgan's talk, as well as a couple of others. It also looks as if some of the speakers from OMFW are going to be on deck for DFRWS, as well. Maybe a good opportunity to ply familiar faces and famous names with some of the locally brewed beverages.

Interestingly enough, the local RCFG conference (which overlaps with DFRWS this year) has been cancelled. That's too bad...this conference is held on the GMU campus and for the most part is a nice, smaller conference. However, with the right leadership, it has the potential to really be a premier conference...not just for local LE, but in general. In fact, an interesting thought would be that since some folks are going to be in the area anyway, talking about the same topic...

Also, in Jan 2009, there is the DoD CyberCrime Conference...Jesse mentioned the CfP here. It's too early to list the speakers, but I had an opportunity to visit the conference in 2007 and it was a good one...lots of attendees, lots of events, lots of really great speakers.

Monday, June 02, 2008

Job Openings

Okay, I'm going to take a slight divergence from the normal content of this blog to reach out to all of you, my loyal readers...according to Google Analytics, both of you. =D

Anyway, as you may or may not know, by day I am an incident analyst for the IBM ISS Emergency Response Services (ERS) team...and we're looking to expand. By that I mean add qualified members to our team. And not just here in the US, but also in Australia, AsiaPac, Japan, and EMEA.

So you're probably wondering what we do...good question. In short, we respond to incidents on an emergency basis. The basic idea is that we get a call, from a current (or soon-to-be) customer and we triage the incident and deploy the necessary assets. Each team member has a jump kit of equipment, both hardware and software (plus our tools of our own choosing), and we arrive on-site to assist the customer in resolving the incident, through incident management, data collection and analysis, and pretty much whatever else we need to do. In many cases, we collect data and return to the lab to perform analysis.

We also do Visa PCI forensic audits, as well. In addition, we have subscription customers that we service, as well, with on-site visits, training, CSIRP development, mock incidents, etc.

Of course, there's all the other stuff that goes along with this kind of work...report writing, keeping track of expenses and billable hours. I guess a lot of that is to be expected, but I thought I'd mention it anyway.

So what we're looking for is someone with experience in incident response (beyond just running an AV scanner, or just wiping the drive...), volatile data collection and analysis, forensic acquisition and analysis, documentation and justification of activities, reporting, and customer interface. All of these things are important in what we do.

If you think that this is something you'd be interested in, please feel free to send me a copy of your resume here or here.

Finally, this is NOT a sub-contractor opportunity...this is a full-time employment position.