Monday, January 02, 2012

Stuff

Using RegRipper
Russ McRee let me know recently that the folks at Passmark recently posted a tutorial on how to use their OSForensics tool with RegRipper.

Speaking of RegRipper, I was contacted not long ago about setting up a German mirror for RegRipper...while it doesn't appear to active yet, the domain has been set aside, and I'm told that the guys organizing it are going to use it not only as a mirror, but also as a site for some of the plugins they'll be getting in that are specific to what they've been doing.

If you're into GenToo Linux, there's also this site from Stefan Reimer which contains a RegRipper ebuild for that platform.


Updated tool:  Stefan over on the Win4n6 Yahoo group tried out the Jump List parser code and found out that, once again, I'd reversed two of the time stamps embedded in the LNK file parsing code.  I updated the code and reposted the archive.  Thanks!

Meetups
With respect to the NoVA Forensics Meetups, I posted here asking what folks thought about moving them to the DFIROnline meetups, and I tweeted something similar.  Thus far, I have yet to receive a response from the blog post, and of the responses I've seen on Twitter, the vast majority (2 or 3..I've only seen like 4 responses...) indicate that moving to the online format is just fine.  I did receive one response from someone who seems to like the IRL format...although that person also admitted that they haven't actually been to a meetup yet.

So...it looks like for 2012, we'll be moving to the online format.  Looking at the lineup thus far, we already seem to be getting some good presentations coming along in the near future.

Speaking of which, offering to either give a presentation or asking for some specific content to be presented on is a great way to contribute to the community.  Just something to keep in mind...if you're going to say, "...I'd like to hear about this topic", be prepared to engage in a discussion.  This isn't to say that someone's going to come after you and try to belittle your idea...not at all.  Instead, someone willing to present on the topic may need more information about your respective, what you've tried (if anything), any research that you've already done, etc.  So...please be willing to share ideas of what you'd like to see presented, but keep in mind that, "...what do you mean by that?" is NOT a slam.

New Tools
File this one under "oh, cr*p..."...

Seems setmace.exe has been released...if you haven't seen this yet, it apparently overcomes some of the issues with timestomp.exe; in particular, it is reportedly capable of modifying the time stamps in both the $STANDARD_INFORMATION and the $FILE_NAME attributes within the MFT.  However, it does so by creating a randomly-named subdirectory within the same volume, copying the file into the new directory, and then copying it back (Note: the description on the web page uses "copy" and "move" interchangeably).

Okay, so what does this mean to a forensic analyst, if something like this is used maliciously?  I'm going to leave that one to the community...

The folks at SimpleCarver have released a new tool to extract contents from the CurrentDatabase_327.wmdb file, a database associated with the Windows 7 Windows Media Player.   If you're working an exam that involves the use of WMP (i.e., you've seen the use of the application via the Registry and/or Jump Lists...), then you may want to consider taking a look at this tool.

You might also want to check out some of their other free tools.

Melissa posted to her blog regarding a couple of interesting tools for pulling information from memory dumps; specifically, pdgmail and Skypeex.  Both tools apparently require that you run strings first, but that shouldn't be a problem...the cost-benefit analysis seems to indicate that it's well worth running another command line tool.  An alternative to running these tools against a memory dump would be using Volatility or the MoonSols Windows Memory Toolkit to convert a hibernation file to a  raw dump format, and then run these tools.

Speaking of tools, Mike posted a list of non-forensics tools that he uses on Windows systems to his WriteBlocked blog.  This is a very good list, with a lot of useful tools (as well as tools I've used) on that list.  I recently used Wireshark to validate some network traffic...another tool that you might consider using alongside Wireshark is NetworkMiner...it's described as an NFAT tool, so I can see why it's not on Mike's list.  I use VirtualBox...I have a copy of the developer's build of Windows 8 running in it.

Wiping Utilities
Claus is back, and this time has a nice list of wiping utilities.  As forensic analysts, many times we have to sanitize the media that we're using, so having access to these tools is a very good thing.  I've always enjoyed Claus's posts, as well, and hope to see him posting more and more often in 2012.

Can anyone provide a technical reason why wiping with 7 passes (or more) is "better" than wiping with just 1 pass?

File Formats
I was reading over Yogesh Khatri's posts over at SwiftForensics.com, and found this post on IE RecoveryStore files.  Most analysts who have done any work with browser forensics are aware of the value of files that allow the browser to recover previous sessions...these resources can hold a good deal of potentially valuable data.

About halfway down the post, Yogesh states:

All files are in the Microsoft OLE structured storage container format.

That's awesome...he's identified the format, which means that we can now parse these files.  Yogesh mentions free tools, and one of the ones I like to use to view the contents of OLE files is MiTeC's SSV, as it not only allows me to view the file format and streams, but I can also extract streams for further analysis. 

Another reason I think that this is cool is that I recently released the code I wrote to parse Windows 7 Jump Lists (I previously released code to parse Win7 Sticky Notes), and the RecoveryStore files follow a similar basic format.  Also, Yogesh mentions that there are GUIDs within the file that include 60-bit UUID v1 time stamps...cool.  The Jump List parser code package includes LNK.pm, which includes some Perl code that I put together to parse these artifacts! 

I don't have, nor do I have access to at this time, any RecoveryStore files to work with (with respect to writing a parser)...however, over time, I'm sure that the value of these artifacts will reach a point such that someone writes, or someone contributes to writing, a parser for these files.
  

11 comments:

Little Mac said...

Harlan,
That's pretty cool that Passmark has provided a way to integrate rip into their utility.

I'd also like to say that while I enjoy your posts in general, the "Stuff" ones typically provide a lot of forensic goodness for me. The different tools you talk about, and other little bits and pieces of info you collect and share are very helpful - the kind of things to bookmark for future reference.

Frank

Hal Pomeranz said...

On the subject of multi-pass vs. single-pass wiping, I find Craig Wright's research compelling:

http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/

The short answer is that one pass is sufficient.

On the subject of wiping tools, we did a Command-Line Kung Fu blog post a while ago with some command-line mechanisms for wiping data (Windows and Linux/Unix):

http://blog.commandlinekungfu.com/2009/05/episode-32-wiping-securely.html

H. Carvey said...

@Hal,

Thanks...that's the point I was...uh...pointing to. ;-)

@Frank,

Thanks. I'd tried writing HowTo articles but those didn't seem to go over well at all.

Hal Pomeranz said...

Harlan, I find that my own "How-To" articles don't generate a lot of immediate feedback. But they have a "long tail" and I often get "thank yous" even years after my initial posting.

Jimmy_Weg said...

Concerning MSIE session restore, I recommend Internet Evidence finder from Jad Software. Not only will it parse out the session restore URLs, but it will scour a medium and may recover InPrivate URLs from an image (disk, folder, memory dump, etc.). I've tested IEF, and it works. There is only a limited amount of index data available from either artifact, and of note is that session restore and InPrivate records basicsally are indistinguishable from one another. Of course, we should be grateful to Harry Parsonage for his treatise on session restore forensics.

While Dr. Wright's research is interesting, I don't think that it proved anything that we haven't known for a long time. I recall that it came up on a list a short while ago and was discussed ad nauseum. Validate your wiper as you would any other tool, wnd you'll find that a single pass is sufficient. This reminds me of discussions about those esoteric areas of hard drives (P-list, G-list) that can't be accessed with ordinary forensics tools. True, but no one has cited (in the lists where this has been discussed) one case in which an examiner has recovered meaningful evidence from those areas.

That also leads me to comment on setmace. Practices differ among organizatons and examiners. In my own experience, which goes back to 1995 (I'm old), I have not had a single case in which intentional back/mis dating was employed. Perhaps it was, and I didn't recognize it, but I've done my share of date/time studies and never found anything that led me to a "time stomper." I'd be interested to hear about some actual cases.

BTW, in response to a member's question about registry key interpretation, one of the admin's on XWF's forum suggested WRF as a source for the answer. It's become the standard.

H. Carvey said...

Jimmy,

Over the years, I've had a number of cases where file MAC times have been manipulated. I don't specifically remember any that involved the use of timestomps, perhaps because that is too easy to detect. Rather, most of what I've seen has used GetFileTime()/SetFileTime() to copy the MAC times from kernel32.dll (or some other file) to the file being "hidden". In all of the cases I saw, this was done by a malware dropper, and very likely used to 'hide' the malware file from most IT admins and DF analysts. I think it was used because it worked.

...those esoteric areas of hard drives...

Yeah, that's something I've noticed, particularly when it's talked about at conferences. Sure, okay, this could be done, but how many times during exams have you (a) checked for it and (b) found it? Perhaps the fact that it could be done doesn't necessarily prove that it is being done.

...in response to a member's question about registry key interpretation...

Member, where? Member of what?

Jimmy_Weg said...

...a member's question about registry key interpretation, one of the admin's on XWF's forum...

Member of the XWF (X-Ways Forensics) users forum.

In all of the cases I saw, this was done by a malware dropper...

Ah, yes. I do think that such a scenario is something that any of us may encounter. I was focusing on user-directed manipulation.

H. Carvey said...

Jimmy,

Sorry, I wasn't familiar with "XWF"...

Anonymous said...

The process used by setmace.exe is described here:

http://www.forensicswiki.org/wiki/Timestomp

I don't know why they chose to create a new directory instead of using existing directories (e.g. "Program Files")...

John Moan said...

I have done a bunch of work with IE recovery store files and have a paper pending with the JDFSL on the topic. Hopefully I will hear from them soon as I would like to get this research out one way or the other soon. In the mean time, I wrote two tools, ParseRS and RipRS that can be used to extract data from RS files and carve them from unallocated space respectively. They are available at http://www.jtmoran.com/tools/default.html. I have not had much feedback on the tools, so if anyone would be willing to test them and offer feedback I would greatly appreciate it.

On a side note, I really appreciate the time you put in to your blog and other online resources. As someone just trying to get in to the field, it is a great resource. I will be joining you online tonight at DFIR online as well.

H. Carvey said...

Thanks, John. I've added a link to the FOSS Tools page off of this blog, as well as making a mention in a new post.