Sunday, November 22, 2009

Even More Linky Goodness...

Tools
I received an email recently that let me know that the latest version of RevealerToolkit is available, a project from a Barcelona security company. The RVT framework is based on Brian Carrier's TSK tools, and even makes use of some of my code to parse EVT files. More information on RVT is available here. Also, be sure to take a look at the user guide, as well.

Remember when I got p0wned by Intel and MS? Thanks to a blog comment, I was pointed to VMLite, which provides an alternative to MS's XPMode, and without the requirement for hardware virtualization in the CPU. This may definitely be something to take a look at, as virtualization can play pretty important role in forensic analysis in a number of ways. Take a look at packages such as MojoPac and Moka-5, for example.

Rob Lee pointed the GCFA mailing list to RE-Google the other day...this is apparently (quoted) a plugin for the Interactive DisAssembler (IDA) Pro that queries Google Code for information about the functions contained in a disassembled binary. Wow, that sounds pretty cool!

Lance has posted another EnScript, this one to locate Limewire download remnants. This may be pertinent if you're looking at a case involving Limewire or just P2P in general.

Speaking of Lance, I've used the images he has made available for his practicals as examples on a number of occasions; these are excellent resources. However, if you want to work with these practicals as raw dd images (rather than .E0x format), you'll need to convert them using something like FTK Imager. But if you want to mount the EWF/EOx format images and access the files within them, you can use mount_ewf, which Chris has talked about. To do this on Windows, you need to follow these steps (from David Loveall, which Rob Lee so graciously provided to the Win4n6 Yahoo group):

1. Extract the mount_ewf files for Windows into a directory
2. Download and install the Visual Studio runtime files, if you don't already have them
3. Download and install ImDisk

At this point, you should just be able to double-click the E01 file, and tell it Open With... mount_ewf.exe. I'll have to say that I haven't tested this as of yet, but if you've got E0x files you'd like to access, but don't want to have to give up additional space in converting it to raw dd format, this may be an option. P2 Explorer (free) and SmartMount (not free) will also allow you to mount EWF/E0x format images.

Memory Collection and Analysis
An engineer at HBGary recently posted a review of Matthieu's windd tool, based on testing against their own FDPro tool. It's an interesting read...take a look. Here's Matthieu's response, along with some personal notes. I think it's good to see, read, and digest both sides of an issue, and this is definitely worth taking a look at.

On the analysis end of things, Jeff Bryner posted about his FaceBook Memory Forensics tool (ie, pdfbook) on the SANS Forensics Blog recently. Jeff's posted about other tools for parsing memory dumps, and I'm sure that you could use the output of the tool you're using (as opposed to pd.exe, as he mentions in the blog post) to obtain similar results. Looking at the code for pdfbook, as well as the other tools that Jeff's made available, I don't see why they can't be run across unallocated space or the pagefile, for that matter. Another thought might be to give the code the ability to do an EnCase-like preview of X number of bytes on either side of the 'hit' that's been located.

While you're conducting IR or memory analysis activities, Didier's done it again and given us all something new to worry about with SelectMyParent! SMP is a proof-of-concept tool to demonstrate that with the right privileges, you can create a process and designate a parent process for that process. So, instead of running Notepad or Solitaire with your privileges, as a child process of Explorer.exe, you can run it as a child of lsass.exe. And yes, I know what you're thinking...so what? Who's really going to use something like this? Perhaps malware authors...

Print Matter
As a side note from Jeff's post, DFM has it's inaugural issue available...this may be something worth taking a look at. I'd like to see how it compares to Into The Boxes...hopefully, there will be more of a supporting role than competitive.

Along those lines, my second article on timeline analysis is now available in Hakin9 magazine. This one is a hands-on walk-through for using the tools I discuss (and make available via the Win4n6 Yahoo group...go to the Files section) to create a timeline for forensic analysis. I mentioned at an ECTF meeting recently that I have used this technique to great effectiveness. In one instance during a PCI forensic assessment, I was able to narrow down the window of exposure by demonstrating that shortly after the malware was first installed on the system, AV detected and deleted it. In that instance, sources of information included not only the file system metadata and Event Log records, but also AV logs and even information derived from Dr. Watson logs...combining these allowed us to demonstrate that while the malware had been installed, it did not appear to be running at certain times (this malware was not a DLL injected into another process). The two big take-aways from the articles should be that (a) timeline analysis allows you to view events from a system (or several systems) in temporal proximity to each other, and (b) when additional analysis support is required, you can ship off the necessary information for a timeline to another analyst without worrying about exposing sensitive data.

You can also download free Hakin9 articles here.

Correction
I was taken to task by an anonymous poster recently regarding what I've described as a 128-bit timestamp. Apparently, this isn't a timestamp, but rather a SYSTEMTIME structure. I had searched for this, and even been asked by someone from Microsoft about it, but neither of us was able to find a link. So, thanks to Anonymous for sharing this. Apparently, I also stand corrected on how prevalent this structure is within the various versions of Windows, although that's still something of a mystery.

Media
Bret and Ovie have a new CyberSpeak podcast posted...check it out.

2 comments:

TLDietrich said...

Harlan,

Speaking of VM tools, I had been using VirtualBox (and probably still will continue), but the SANS SIFT Workstation won't load on it. So, I downloaded and installed the latest VMware Player. I have to say it is a significant improvement over prior versions. It now allows you to create and modify VM's. Though I haven't gotten it to work yet, it appears to have the Unity feature.

Again, if this was already widely known, please forgive me. As I said, I was living under a VirtualBox rock. ;)

denwer said...

This blog have great content and really possible to get helpful information.