Thursday, April 07, 2011


Digital Forensics Framework
The guys over at DFF have an open-source framework used as both a digital investigation and development platform.  As this is an open-source tool, Cory did discuss a previous version of this tool in the Digital Forensics with Open Source Tools book.

The DFF guys recently posted on Time Filtering, using DFF to filter the image based on time stamp information.

While I think that this is a great step forward, I also think at the same time that this sort of data visualization is of limited value.  As I've been creating timelines, I've been looking at ways to potentially present the information in a visual manner that would make analysis easier and more efficient; to be honest, I have yet to find something like this.  Others have talked about such presentation methods as a histogram showing volumes of activity, but in the same breath, they'll also talk about malware following the Least Frequency of Occurrence (LFO) on systems; I'm not sure that showing spikes in activity necessarily lends itself to finding those things that occur least frequently on a system.

Craig Ball wrote this article for Law Technology News, on the use of antiforensics.  Many times, measures taken to foil the work of forensic analysts were originally intended as a privacy measure, but even if those actions are intended specifically to hide the user's activities from the analyst, they are often not even a speed bump in the road to analysis.

During an investigation I determined that an "evidence eliminator" application had been used.  This analysis was of an older case, and the image was from a system that had been acquired several years prior to my analysis.  When I did some research on the version of the application, I found that it deleted specific Registry keys...but I was able to recover the most recently deleted keys from unallocated space within the hive file itself.  Previous subkeys and values were recovered via the hives found in the System Restore Points.
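The recovery described above works because a hive never really overwrites a deleted key right away: the cell that held the "nk" record is simply marked free, and its name, timestamp and parent pointer sit in hive slack until reused. The scanner below is an added example (not RegRipper, and not code from the original post) that walks any hive chunk for "nk" cells and reports whether each one is allocated or freed. The hbin, the key names and the timestamps are constructed here for the demonstration; run it against a real hive file by passing the file's bytes to `scan_nk_cells`.

```python
import struct
from datetime import datetime, timedelta

NK_FMT = "<2sHQ" + "I" * 15 + "HH"   # nk record up to the key name (76 bytes)
NK_LEN = struct.calcsize(NK_FMT)
KEY_COMP_NAME = 0x0020               # flag: name stored as 8-bit chars, not UTF-16


def filetime_to_dt(ft):
    """Windows FILETIME (100ns ticks since 1601) to a naive UTC datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - datetime(1601, 1, 1)).total_seconds()) * 10_000_000


def scan_nk_cells(hive, include_allocated=True):
    """Walk a hive (or any chunk of one) for cells holding 'nk' key records.
    A cell's leading int32 is negative when allocated and positive when freed,
    so a positive size marks a deleted key still sitting in hive slack."""
    hits = []
    pos = hive.find(b"nk")
    while pos != -1:
        cell = pos - 4                      # cell header (size) precedes the record
        if cell >= 0 and cell % 8 == 0 and pos + NK_LEN <= len(hive):
            size = struct.unpack("<i", hive[cell:pos])[0]
            f = struct.unpack(NK_FMT, hive[pos:pos + NK_LEN])
            flags, ts, parent, n_sub, n_val, name_len = f[1], f[2], f[4], f[5], f[9], f[18]
            # sanity: plausible cell size and a name that fits inside the cell
            if 0 < abs(size) <= 0x10000 and name_len > 0 and NK_LEN + name_len + 4 <= abs(size):
                raw = hive[pos + NK_LEN:pos + NK_LEN + name_len]
                name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le", "replace")
                rec = {"offset": cell, "allocated": size < 0, "name": name,
                       "last_write": filetime_to_dt(ts), "parent": parent,
                       "subkeys": n_sub, "values": n_val}
                if include_allocated or not rec["allocated"]:
                    hits.append(rec)
        pos = hive.find(b"nk", pos + 1)
    return hits


def build_nk_cell(name, ft, allocated, parent=0x20, n_sub=0, n_val=1):
    """Constructed nk cell: 76-byte record, ASCII name, padded to 8 bytes."""
    rec = struct.pack(NK_FMT, b"nk", KEY_COMP_NAME, ft, 0, parent, n_sub, 0,
                      0xFFFFFFFF, 0xFFFFFFFF, n_val, 0x200, 0x100, 0xFFFFFFFF,
                      0, 0, 0, 0, 0, len(name), 0) + name.encode("latin-1")
    size = (4 + len(rec) + 7) // 8 * 8
    pad = b"\x00" * (size - 4 - len(rec))
    return struct.pack("<i", -size if allocated else size) + rec + pad


def build_sample_hbin():
    """One constructed 4 KiB hbin holding a live key and a freed (deleted) key."""
    ft_live = dt_to_filetime(datetime(2011, 4, 5, 14, 30))
    ft_deleted = dt_to_filetime(datetime(2011, 3, 30, 8, 15))
    header = b"hbin" + struct.pack("<II", 0, 4096) + b"\x00" * 8 + struct.pack("<Q", ft_live) + b"\x00" * 4
    cells = build_nk_cell("LiveSampleKey", ft_live, True) + build_nk_cell("DeletedSampleKey", ft_deleted, False)
    return header + cells + b"\x00" * (4096 - len(header) - len(cells))


if __name__ == "__main__":
    for k in scan_nk_cells(build_sample_hbin()):
        state = "allocated" if k["allocated"] else "DELETED"
        print(f"0x{k['offset']:06x} {state:9} {k['last_write']} {k['name']}")
```

Deleted cells keep their parent offset, so a freed key's full path can often be rebuilt by following `parent` back through allocated nk cells; the last-write timestamp survives as well, which is what makes this slack worth checking before reaching for the Restore Point copies.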

Antiforensics techniques target the training of the analyst...that's pretty much it.  For more information, see the Parsing EVT Records section below.

The DFF guys also included a link to the Digital Corpora site, from which the NTFS image described in the DFF blog post was downloaded.  This is a great place to go to get access to some images, one of which is of a Vista system, apparently.

One issue that continues to be a threat is disgruntled former employees.  Gucci was recently confronted with this issue.  What's interesting about the post to the Sophos NakedSecurity blog is that the fired former employee reportedly gained access to the network by first having created an account for a fictional employee, and then, after being fired, socially engineering the helpdesk and convincing them that he was that fictional employee.  After that, he was able to return time and time again.  This is just an example of how someone can use an organization's process against itself, taking full advantage of that process to perform a wide range of malicious actions.

Using RegRipper
I recently received the following quote from someone who used RegRipper and the plugin recently, but asked to remain anonymous (permission was given to post the quote, however):

I have the date and time in which an IDS caught a piece of malware being downloaded on the network to a user's machine. I need/needed to look for clues to see if the exe actually executed or not. I was using FTK's registry viewer to create a timeline of last write times for Keys but Registry Viewer doesn't let you export in a format other than HTML, which is just not helpful.

RegRipper gives me a nice line by line way to see the time and date stamps in a way in which they are much more viewable, WHICH IS GREAT. 

Now, I'm not posting this to poke fun at nor admonish AccessData...not at all.  I'm also not saying that one tool is any better or worse than another...all tools have their strengths and weaknesses, and the real power of a tool is in who uses it.  I wanted to post this publicly to demonstrate to some who may not have used RegRipper or be familiar with it to see that, even though it's not a commercial tool, it can still be very useful.  I tend to think that a number of folks in the DFIR community use specific tools because they feel that they have to...their employer purchased a tool or set of tools, based on some ancillary knowledge of the industry or due to a customer requirement.  As such, there's considerable reticence toward trying or incorporating new tools, and rather than seeking the best tool to solve the problem, the problem is redefined to conform to the tools being used.

Open Source Conference
Speaking of tools, Brian Carrier sent out an email recently announcing the Sleuth Kit and Open Source Digital Forensics Conference on 14 June 2011 in McLean, VA.  The day before the conference, there will be "two half-day workshops that will allow you to get hands-on experience with analyzing web browser artifacts and making timelines with open source tools."

Speakers at the conference will include Cory Altheide, Brian Carrier and Jon Stewart.  You had me at "Cory Altheide".  ;-)  While remaining a fairly brief conference, this still looks as if it will be a good one, and I'm hoping that Cory and I will have copies of Digital Forensics with Open Source Tools available.

Chinese Bootkit
There's a new post over on the ThreatPost blog that discusses a Chinese bootkit.  There's some interesting information available, and a graphic that demonstrates the process by which systems are infected.  Part of that process includes an MBR infector, something for which I'd written a Perl script to help me detect during forensic analysis.  Unfortunately, there isn't a great deal of information available in the blog post about the MBR infector, but I will say that it appears that these sorts of malware are popping up more frequently, so this is definitely something you would want to include in your malware detection process.  After all, with the right tools, it only takes a few seconds to check for the possibility of an MBR infector, so we're not talking about extending your process by a day or more.  This Net-Security article indicates that the MBR infector copies the original MBR to the third sector, so the MBR infector detector would work very well in helping you find indications of this bit of malware.
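As an illustration of the "few seconds" check mentioned above, here is an added example of an MBR infector detector in Python; it is not the Perl script from the post, and the image contents are constructed for the demonstration. The idea is the one the Net-Security article gives away: an infector that relocates the original MBR leaves a second sector carrying a 55AA boot signature in the gap between sector 0 and the first partition. The scanner reads the partition table from sector 0, walks every sector before the first partition, and flags any sector with a boot signature, noting whether its boot code and partition table match sector 0.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE = 446   # offset of the four 16-byte partition entries
BOOT_CODE = 440    # bytes of boot code before the disk signature field


def parse_partitions(sector):
    """Return the non-empty entries of an MBR partition table."""
    parts = []
    for i in range(4):
        e = sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        ptype = e[4]
        lba_start, count = struct.unpack("<II", e[8:16])
        if ptype != 0 and count != 0:
            parts.append({"type": ptype, "lba_start": lba_start, "sectors": count})
    return parts


def find_mbr_copies(image):
    """Scan the gap between the MBR and the first partition for sectors that
    carry a 55AA boot signature. A copy of the original MBR stashed there by an
    infector shows up as a sector with a valid signature whose boot code does
    not match sector 0 (while the partition table usually does)."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        return []
    parts = parse_partitions(mbr)
    first_lba = min(p["lba_start"] for p in parts) if parts else 63
    last = min(first_lba, len(image) // SECTOR)
    findings = []
    for lba in range(1, last):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != BOOT_SIG:
            continue
        findings.append({
            "sector": lba,
            "boot_code_matches_sector0": s[:BOOT_CODE] == mbr[:BOOT_CODE],
            "partition_table_matches_sector0": s[PART_TABLE:510] == mbr[PART_TABLE:510],
            "partitions": parse_partitions(s),
        })
    return findings


def _mbr(code_byte, lba_start=63, sectors=1000):
    """Constructed MBR: filler boot code, one NTFS-type partition entry, 55AA."""
    code = bytes([code_byte]) * BOOT_CODE
    disk_sig_and_reserved = b"\x00" * 6
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
    table = entry + b"\x00" * 48
    return code + disk_sig_and_reserved + table + BOOT_SIG


def build_sample_images():
    """Constructed 64-sector images: a clean disk, and one where an infector
    replaced sector 0 and saved the original MBR in the third sector (LBA 2)."""
    original = _mbr(0x90)
    clean = original + b"\x00" * (SECTOR * 63)
    infector = _mbr(0xEB)                 # new boot code, same partition table
    infected = bytearray(clean)
    infected[0:SECTOR] = infector
    infected[2 * SECTOR:3 * SECTOR] = original
    return clean, bytes(infected)


if __name__ == "__main__":
    for label, img in zip(("clean", "infected"), build_sample_images()):
        hits = find_mbr_copies(img)
        print(f"{label}: {len(hits)} sector(s) with a boot signature before the first partition")
        for h in hits:
            print("  LBA", h["sector"], "boot code matches sector 0:", h["boot_code_matches_sector0"])
```

A hit is a lead, not a verdict: legitimate boot managers also keep code in that gap, so compare the flagged sector's boot code against a known-good MBR from the same OS build before calling it.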

Parsing EVT Records
Lance recently posted about an EnScript he provided to help parse "classic" Windows Event Log (.evt) records from unallocated space.  This is very similar to my recent post about the same thing, although the approach I took uses only free and open-source tools; if you're a heavy EnCase user, you'll probably want to go with Lance's solution.  More than anything else, I think that what this shows is that there's a need for these sorts of things within the community...many times, there simply isn't one, single way to accomplish something, and having multiple tools is a good thing.
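To show what the free and open-source route looks like in practice, here is an added example of an .evt record carver in Python; it is neither Lance's EnScript nor the script from my earlier post, and the "unallocated space" it runs over is constructed inline. Each record starts with a length, the "LfLe" signature and a 56-byte fixed header, and ends with the same length repeated; the carver finds every "LfLe", checks that the leading and trailing lengths agree, and only then pulls the timestamp, event ID, source, computer and insertion strings. The second signature in the sample has a mismatched trailer and is rejected, which is the check that keeps a carver from spitting out garbage hits.

```python
import struct
from datetime import datetime, timezone

EVT_SIG = b"LfLe"
HDR_FMT = "<I4sIIIIHHHHIIIIII"        # EVENTLOGRECORD fixed header, 56 bytes
HDR_LEN = struct.calcsize(HDR_FMT)
MAX_RECORD = 0x10000                 # sanity bound on a carved record length


def _read_utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, next_off)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_evt_record(buf, start):
    """Parse one EVENTLOGRECORD at start. Returns None unless the record is
    internally consistent (signature, sane length, trailing length matches)."""
    if start < 0 or start + HDR_LEN > len(buf):
        return None
    (length, sig, rec_num, t_gen, t_written, event_id, ev_type, n_strings,
     category, _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
     _data_off) = struct.unpack(HDR_FMT, buf[start:start + HDR_LEN])
    if sig != EVT_SIG or length < HDR_LEN + 4 or length > MAX_RECORD:
        return None
    if start + length > len(buf):
        return None
    trailer = struct.unpack("<I", buf[start + length - 4:start + length])[0]
    if trailer != length:
        return None
    rec = buf[start:start + length]
    source, off = _read_utf16z(rec, HDR_LEN)     # source name follows the header
    computer, _ = _read_utf16z(rec, off)         # then the computer name
    strings, off = [], str_off
    for _ in range(n_strings):
        if off >= length:
            break
        s, off = _read_utf16z(rec, off)
        strings.append(s)
    return {
        "offset": start,
        "record_number": rec_num,
        "time_generated": datetime.fromtimestamp(t_gen, timezone.utc),
        "time_written": datetime.fromtimestamp(t_written, timezone.utc),
        "event_id": event_id & 0xFFFF,           # low word is the event code
        "event_type": ev_type,
        "category": category,
        "source": source,
        "computer": computer,
        "strings": strings,
    }


def carve_evt_records(buf):
    """Walk buf for the LfLe signature and keep each candidate that validates."""
    found = []
    idx = buf.find(EVT_SIG)
    while idx != -1:
        rec = parse_evt_record(buf, idx - 4)    # length field sits before LfLe
        if rec:
            found.append(rec)
        idx = buf.find(EVT_SIG, idx + 1)
    return found


def build_evt_record(rec_num, t, event_id, source, computer, strings):
    """Construct a well-formed EVENTLOGRECORD (no SID, no binary data)."""
    names = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in (source, computer))
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    str_off = HDR_LEN + len(names)
    data_off = str_off + len(body)
    length = data_off + 4
    hdr = struct.pack(HDR_FMT, length, EVT_SIG, rec_num, t, t, event_id, 8,
                      len(strings), 0, 0, rec_num, str_off, 0, str_off, 0, data_off)
    return hdr + names + body + struct.pack("<I", length)


def build_sample_unallocated():
    """Constructed 'unallocated space': filler, one intact record, then an LfLe
    signature whose trailing length (zero) does not match its header (64)."""
    good = build_evt_record(1732, 1302200000, 528, "Security", "WKSTN01",
                            ["user1", "WKSTN01", "2"])
    bogus = struct.pack("<I", 64) + EVT_SIG + b"\x00" * 56
    return b"\xcc" * 37 + good + b"\x00" * 11 + bogus + b"\xff" * 9


if __name__ == "__main__":
    for r in carve_evt_records(build_sample_unallocated()):
        print(r["offset"], r["time_generated"], r["computer"], r["source"],
              r["event_id"], r["strings"])
```

Records whose tail was overwritten fail the trailer check and are dropped; if you want those too, relax `parse_evt_record` to accept a valid header alone and mark such hits as partial, since the fixed header still yields the timestamp and event ID that matter for a timeline.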

I've recently received a number of requests to share this code and technique, and the first time I did so, I sent the script within 10-15 min of receiving the request.  And then didn't hear a thing back until I followed up three days later.  Is it so hard to thank someone for sending you something that you asked for, and just acknowledging that you received it?

I was over reviewing the offerings on the "What's New" page at the web site, and found Nick Klein's presentation from RuxCon. Interestingly, slide 9 includes the bullet, "Be specific in defining the objectives and what evidence might assist in determining the facts."  Slide 11 of that presentation is all about documenting what you do.  This is interesting to me because it's very similar to what Chris talks about in his Sniper Forensics presentations.

Malware Analysis
MalwareAnalyzer 2.9 was released recently.  This project is written in Python, but provided as a Windows executable.  I haven't seen too much out there about this one, but projects like this are always worth a look.

1 comment:

Dennis said...

I like your comments in the Parsing EVT Records section. As you say, an acknowledgment is the least I'd expect, but a thank-you would be better.

Thank you for your endless contributions to our forensics world, Harlan.