Tuesday, September 30, 2008

Rootkit Detection

I received a comment to an older post from James (thanks, James!) yesterday who pointed me toward a very interesting article on Rootkit.com by Diablo. Diablo's article describes using the Windows CSRSS process as a built-in rootkit detection facility, and even provides some proof-of-concept code.

This is definitely worth a look, at least to get an understanding of the technique that Diablo is proposing. I've used RootkitRevealer and GMER as my primary tools for attempting to detect the use of rootkits on live systems, usually following some forensic analysis of the acquired image (feel free to ask me about this technique - but don't be afraid to share yours, as well).


Monday, September 29, 2008

Updates - 29 Sept

Some new items have popped up on the IR radar over the past week or so...

CyberSpeak podcast with an interview of Kevin Mandia. Kevin talks about his experiences with volatile data collection and analysis in recent incident response engagements. Much of what Kevin talked about with respect to what he's seeing (fewer attempts to obfuscate malcode, use of SQL injection, etc.) seems to be pretty common in the commercial incident response space. Kevin also talks about MIR, and a free memory acquisition/analysis tool from Mandiant called FreeAgent. Yes, I'm going to be checking that out when I get the time (work keeps me tres busy...).

Christina updated the E-Evidence site recently. Check out the RCMP Incident Responder's guide and the shoot-out between live response and memory analysis...excellent stuff. Definitely well worth the read.

Brian Kaplan has finally been able to release his Key Extraction proof-of-concept tool, which he addresses in his Master's Thesis (good job, Brian!!). Since I won't do Brian any justice at all attempting to describe the tool, I'll just say that it highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from volatile memory to facilitate the analysis of encrypted media in a forensically sound manner. If you're using mdd.exe, win32dd.exe, or any other memory dumping tool, I would definitely include a copy of Brian's tool in your toolkit. (Note: Don't forget Jesse's blog post on BitLocker!)

There have been some updates to the Forensics Wiki recently involving browser forensics and network forensics. On the browser forensics side of things, Historian has been updated to include Google Chrome. The ForensicWiki is an excellent resource, and you should consider consulting and adding to it. As with any other resource, you should take the information available with a grain of salt, but to be honest, when I've needed to use it, it's been invaluable.

James McFarlane has updated the Win32::ParseRegistry module to version 0.40 and included a number of useful tools. James has kept regdump.pl and regfind.pl, and added regexport.pl (dump the Registry in RegEdit 5.0 format), regscan.pl, and regview.pl (a GTK+-based Registry viewer). Thanks, James!

This wasn't so recent, but definitely worth mentioning...Moyix has been busy, and a bit ago posted on using Windows messages (from the message queue) as a resource in forensic analysis. He's got an excellent point...if you're using Volatility at all (or even thinking about using it), you should definitely take a look at his modules and be sure that you've got them added to your installation. There's no telling what artifacts you'll find lying around from the message queue.

Tuesday, September 23, 2008

RegRipper forums

RegRipper.net now has forums! Not only has Brett provided a facility for easy distribution of plugins, but he's also set up a place for folks to share their thoughts on the use of RegRipper and rip.exe.

Thanks, Brett!

Monday, September 22, 2008

Updates regarding Analysis

There's always something new on the analysis front, isn't there? It seems that I'll go away on a gig for a week or simply not pay attention to what's happening in the community, and BAM! It gets kicked up a notch!

First off, Moyix posted an excellent explanation of how the Windows message queue can be used as a forensic resource during analysis of a memory dump. Reading through the post, it's clear that while this analysis technique might not always work and provide relevant information, we all know that there are enough "buggy" apps out there that it's worth using the Volatility plugin that Moyix wrote to pull this data and have a look. The Windows message queue can hold messages that haven't been processed by the system, giving the examiner a clue as to the activity on the system at one point. The messages are associated with threads, which can be associated with a process, tying that information to an executable image file and a user.

Also, at the end of the post, Moyix mentions the possibility of getting a screen capture from a memory dump!

Excellent work, Moyix...keep it up! Also, reader...keep an eye on Moyix's blog for new plugins to add to Volatility, and expand your capabilities.

From Moyix's blog, I linked on over to the SysInternals Forums to read about a proof-of-concept tool called CsrWalker, from Diablo. This is a very interesting read...even though further down the thread, it's clear that the method of detection used by the tool is/can be circumvented, it's very interesting to see the thought process that Diablo used to develop his code. I don't think it would be a bad idea at all to get a copy of this and run it along with other tools, such as GMER or AV scanning apps.

Saturday, September 13, 2008


I received word from the author today of a new open-source tool that's available called PlainSight. Eoin says that the tool is part of his master's program, and at this point, the tool is somewhat proof-of-concept, but looking at the tool demos, it looks as if it has a bit of promise.

The main web page describes the tool this way:

PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

PlainSight incorporates other open-source tools (RegRipper, Volatility, etc.) to create a framework for examining disk and memory images, or local disks.

Eoin says that he plans to add the following:

- Better browser support (FF3, Opera, chrome),
- Some sort of e-mail viewer,
- Integrate more RegRipper plugins,
- Better support for other operating systems (currently supports Windows 98/2000/XP/Vista)

I've downloaded the ISO and would like to take a look at this as soon as I get a chance. It appears that this runs in a Linux/Knoppix environment, so perhaps one suggestion might be to create a Windows version. After all, the description of the tool says it's for allowing inexperienced examiners to perform some tasks...so why not provide the capability in an environment that the examiner may be more familiar with?

Even so, at first glance, this looks like the kind of thinking and effort that is needed in this community, and is definitely a step in the right direction.

Mounting Images w/ SmartMount

Lately, I've been doing some work that's required me to mount images as read-only file systems. Some of the images have been dd-format images of drives, some have been EWF/EnCase .E0x files. Instead of using WinVDK or Mount Image Pro, however, I've been using SmartMount from ASRData. I can mount the drive image, regardless of the format, and test tools such as RegRipper/rip.exe to see how they behave (and they behave very well!).

Ever since I started using SmartMount (in beta, now in eval mode), I've used it primarily to mount images as read-only file systems on Windows...nothing spectacular, just mount the image, do some testing, and unmount the images. My first impression was that it was smoother and quicker than Mount Image Pro. Reviewing the web page for SmartMount, I see that Andy's got a number of features that are to be standard for both the Windows and Linux versions of SmartMount. When SmartMount goes final, we can expect to see a more fully featured toolset than what's available out there now.

One thing I would like to see is a freeware version for Windows with a limited feature set...say, mount .vmdk, .E0x, and dd-format images as read-only drive letters on your system. None of the fancy stuff, like the layering of write protection and overlay files, etc. Free, or lower cost, so that it's easily available to a wide range of folks. The reason for this, in part, is so that the usefulness of this capability can be fully recognized.

Thursday, September 11, 2008

PyFlag for Windows

Dr. Michael Cohen, the creator of PyFlag, has released a version of his forensic analysis tool for Windows! While more of an experimental tool or framework, PyFlag provides an analyst with significant capabilities for analyzing disk images (EWF or raw formats), packet captures/pcap files, and log files.

PyFlag has also incorporated the Volatility Framework for memory dump analysis, as well. In fact, to see this capability in action, check out this DFRWS 2008 Forensic Challenge submission, from Michael, A. Walters, and D. J. Collett. If you're thinking about using PyFlag, be sure to read through the PDF to pick up some of the nuances and interesting features of PyFlag.

There are a number of images available on the web, but Michael also provides some here. There are others (here, and here), so there's no shortage of stuff to use as test data to get the feel for WinPyFlag.

Be sure to thoroughly read the list of dependencies that apply to PyFlag for Windows (WinPyFlag??) and follow the prerequisites closely. If you do, you shouldn't have any trouble setting PyFlag up and getting running.

Wednesday, September 10, 2008


What's that? RegRipper.net? Yes, that's right...RegRipper has its own web site now! Many thanks to Brett Shavers for taking the lead on setting this up. This mechanism is so much easier than using SF.net, particularly when all that needs to be posted is a small plugin.

The site provides some basic background info on RegRipper as well as a download site for the latest version and plugins.

So, check it out...this is going to be THE resource for RegRipper from here on out...

Addendum: I mentioned earlier that someone got rip.pl running on Linux...the Linux version of rip.pl is posted in a message in the Win4n6 Yahoo Group.

Wednesday, September 03, 2008

New Stuff From SANS

Rob Lee let me know that the SANS Computer Forensics and e-Discovery with Rob Lee site is up, and looking around, it's pretty interesting. If you go to the Community section, there's a blog and links to other resources, but perhaps the most interesting is the Downloads section. This is where you find the SANS Investigative Forensic Toolkit (SIFT) workstation VMWare appliance.

I downloaded SIFT and got it up and running in VMWare Workstation (you can use VMPlayer) in no time. From there, I was able to map my host XP system to the available shares that Rob had already set up (i.e., "hack" and "images").

The VMWare appliance also comes with PTK from DFLabs already set up and ready to run. Rob also provided a neat little "cheat sheet" that you can download and keep nearby and handy when you're logged into and working in the appliance.

I know that this isn't specifically about Windows IR or forensics, but it does allow you to easily use the Linux (in this case, Fedora) platform to perform some modicum of analysis.

Don't forget about the SANS Forensic Summit in Oct, in Vegas!