Tuesday, September 18, 2018

Book Writing

With the release of my latest book, Investigating Windows Systems, I thought that now would be a good time to revisit the topic of writing books.  It occurred to me watching some of the activity and comments on social media that there were likely folks who hadn't seen my previous posts on this topic, let alone the early stuff I'd posted about the book, particularly the stuff I'd written about the book two years ago.

As I said, I've blogged on the topic of writing (DFIR) books before:
17 Dec 2010
26 Dec 2010
28 Mar 2014
29 Mar 2014
16 Feb 2018

There are some things about writing books that many folks out there simply may not be aware of, particular if they haven't written a book themselves.  One such item, for example, is that the author doesn't own the books.  I had a sales guy set up an event that he wanted me to attend, and he suggested that I "bring some books to sell".  I don't own the books to sell, and as far as I'm aware, I'm not PCI compliant; I don't process credit cards.

Further, authors have little, if any, control over...well, anything beyond the content, unless they're self-published.  For example, I'm fully aware that as of 17 Sept 2018, the image on the Amazon page for IWS is still the place holder that was likely used when the page was originally set up.  I did reach to the publisher about this, and they let me know that this is an issue that they've had with the vendor, not just with my book but with many others, as well.  While I can, and do, market the books to the extent that I can, I have no control over, nor any input into, what marketing the publisher does, if any.  Nor do authors have any input or control over what the publisher's vendors do, or don't do, as the case may be.

Addendum, 19 Sept: I checked again today, and the Amazon page for the book has been updated with the proper book cover image.

Taking a quick look through a copy of the Investigating Windows Systems book, I noted a few things that jumped out at me.  I did see a misspelled word or two, read a sentence here and there that seemed awkward and required a re-read (and maybe a re-write), and noticed an image or two that could have been bigger and more visible.  Would the book have looked a bit better if it had a bit bigger form factor?  Perhaps.  Then it would have been thinner.  However, my point is that I didn't have any input into that aspect of the book.

I'm also aware that several pages (pp. 1, 45, 73, 97) have something unusual at the bottom of the page.  Specifically, "Investigating Windows Systems. DOI: https://doi.org/10.1016/{random}", and then immediately below that, a copyright notice.  Yes, this does stand out like a sore thumb, and no, I have no idea why it's there.

If you purchased or received a copy of the book, I hope you find value in it.  As I've said before, I wanted to take a different approach with this book, and produce something new and I hope, useful.

Monday, September 17, 2018

IWS is out!

My latest book, Investigating Windows Systems (Amazon, Elsevier) is out, and it seems that some have already received their ordered copies.  Very cool.  For anyone who's ordered a copy, I thank you and I hope you find some value in it.

I've blogged about the book several times (beginning here) since I started writing it, and I wanted to take a moment, now that it's out, to maybe clear up what may be some misconceptions about the book, because this book isn't at all like any of my previous books.

My goal in writing the book was to demonstrate the analysis process, and provide the analysis decisions I made during that process.  I wanted to write a book like this, because as with my other books, I hadn't seen anything out there (blogs, books, etc.) that provided something similar.  When I've had time to reflect on and look back over my own analysis engagements, this is something that has interested and fascinated me.  It's also made its way into conversations, but has also been something that has proven difficult when engaging with others; that is, understanding what led a particular analyst down a particular investigative route, to choose a particular tool, or to pivot on a particular artifact or piece of data.

As such, this book does not cover things like the basic usage of the mentioned or described tools, as these topics have been covered before, and anyone can look the usage up.  Also, the very basics of constructing a timeline are not addressed, as that topic has been covered extensively in other resources.

While writing the book, I used available images from several online sources (and with permission) as a backdrop against which to demonstrate the analysis process, as well as to illustrate the analysis decisions made during that process.

What the book is not is a walk-through of each CTF or forensic challenge employed.  That is to say, when engaging in analysis of a particular image, I do not simply walk through the posted challenge.  There's nothing wrong with the posted challenges at all, and most of the ones I've seen are quite good.  However, in two decades of performing DFIR work, I have yet to engage with a client that had 37 questions they wanted me to answer. I wanted to present the analysis based on (in my experience) as close to real world engagements as I could.

As I said, I used available images as the basis for the analysis I was performing.  I did this intentionally, as it provides an opportunity for the reader to follow along, or to try their own hand at analyzing the images.  The images range from Windows XP to Windows 7 and 10, and there's even a Windows 2008 image in there, as well. 

In addition, the tools used in the book are all free and open source tools.  The reason for this was two-fold; first, I wanted readers to see (as much as possible) and understand what was being done, so that when it came time to decide upon a commercial forensic suite to use, they could make better educated decisions.  Second, being just one person, I do not have access to commercial forensic suites.  The same goes for the images used; I do not have access to MSDN, nor other compromised images, and decided to make use (again, with permission) of what was available.

For anyone who purchased the book, thank you.  I hope you find value in it, enough so that you opt to write a review, or simply provide feedback.  Thanks.

Saturday, September 15, 2018

A lil Saturday morning computer programming

I've wanted to update lfle.pl for sometime, and with the rain this weekend, Saturday morning was the perfect time do so.  For those who may not be aware, lfle.pl is a script I have for extracting WinXP/2003 style Event Log records from unstructured data.  This means that it can be run against Event Log files, page files, unallocated space, and even memory dumps in order to extract these records.  When it finds a valid EVT record, it dumps the contents in TLN format, so that a timeline can be easily generated.

Okay, so the obvious elephant in the room...why bother updating this tool?  Well, in the summer of 2017, the world saw the NotPetya incident.  During this incident, one of the analysts on the team I was working with got several Windows XP and 2003 systems in for analysis. 

I downloaded the CFReDS hacking case image, and use FTK Imager to create a single, raw/dd-style image.  I then exported the unallocated space from the image file, using the following commands:

mmls -i raw -t dos g:\cfreds\image.001
blkls -i raw -f ntfs -A -o 63  g:\cfreds\image.001 > g:\cfreds\image_unalloc

Next, I ran lfle.pl against the resulting file:

lfle.pl -f g:\cfreds\image_unalloc

This command yielded no results.  Okay, next I exported the Event Log files from the image and ran lfle.pl against each one.  Forty records were found in the AppEvent.evt file, and 141 in the SysEvent.evt file.

Interestingly, I go no results running lfle.pl against the Security Event Log file, using the following command:

lfle.pl -f g:\cfreds\image\secevent.evt

The prompt simply returned.  Okay, so let's do some troubleshooting.  Using the "-s" switch to display statistics, I get the following results:

lfle.pl -f g:\cfreds\image\secevent.evt -s

Small records skipped         : 1
Large records skipped         :
Malformed records skipped:
Records retrieved                :

Okay, that's interesting. Only one "small" (i.e., less than 0x30 bytes) record was located.  Going with the "-d" switch to enable debugging output, I get the following:

lfle.pl -f g:\cfreds\image\secevent.evt -d

Magic number located at offset 0x4 with length of 48 bytes
0x00000000   30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00   0...LfLe........
0x00000001   30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00    0...0...........
0x00000002   00 00 01 00 00 00 00 00 80 3A 09 00 30 00 00 00    .........:..0...

My final step was to open the secevent.evt file in hex editor, and low and behold, I found that there was just one record visible in the file, the one illustrated above.  Following the record, there is the "cursor", which is 0x28 bytes, and does not contain the "LfLe" magic number.  After that, what remained of the file was all zeros.  So, that explains the results; it's not that the tool is "broken" or "doesn't work", but instead that there's nothing to display in the file.

Hibernation File
The image also contains a hibernation file, which I exported from the image.  Using Volatility 2.6, I checked which profile would work for the image:

vol -f g:\cfreds\image\hiberfil.sys imageinfo
*Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

I then converted the hibernation file to raw format:

vol -f g:\cfreds\image\hiberfil.sys --profile=WinXPSP2x86 imagecopy -O g:\cfreds\image\mem.raw

Finally, I ran lfle.pl against it, with all switches enabled:

lfle.pl -f g:\cfreds\image\mem.raw -d -s > g:\cfreds\image\mem_lfle_out.txt

With everything turned on and being collected in the output file, it's kind of messy, with valid records mixed in with debugging info, etc.  However, the statistics displayed at the end of the file tell us the story:

Small records skipped         : 22
Large records skipped         : 2
Malformed records skipped: 4
Records retrieved                : 95

So, 22 "small" records were skipped, 2 "large" (i.e., 0x1000 bytes or larger) were skipped, 4 malformed (size values that bracket the record were not identical) records were skipped, and a total of 95 valid records were retrieved.  Very nice.

Both the Perl script and the portable .exe version of the tool can be found on the GitHub repository.

Friday, September 14, 2018

Random Stuff

I decided to put this post together because some things just need to persist beyond the typical Twitter life cycle.  The focus here is free and open source tools that can be used on Windows to investigate/parse/enable analysis of Windows artifacts.  It's not my intention to take anything away from current repositories of such tools, such as the DFIRTraining site, but rather to bring these tools to the forefront again.

Windows 10 Oct 2018 update includes clipboard history and cloud sync

Ryan Kovar shared this resource regarding detailed properties in O365 audit logs

Maxim tweeted (on 4 Sept, I just saw it today) that yarp-carver had been run against the image from the LoneWolf scenario and recovered a good deal of Registry data.

Here's a great explanation of ShimCache data from the folks at Mandiant.

yarp tools - be sure to follow Maxim on Twitter (ex: tweet regarding yarp-carver)

Windows 10 Timeline
Matthew Seyer wrote up a nice article over on Medium regarding a tool that he wrote to parse the Windows 10 Timeline database (SQLite format).  In that article, he also referred to Eric Zimmerman's WxTCmd tool, which can be found here.

Anytime you're working with an SQLite database, be sure to incorporate Mari's SQLite deleted data parser (blog, Github)

Paper: A Forensic Exploration of the Microsoft Windows 10 Timeline

Windows 10 Notification Database
Yogesh's post - 2016
David Cowen's post - 2018
Malware Maloney's post on parsing the .wal file - 2018

Windows Event Logs
Tools for parsing Windows Event Log (*.evtx) files:
LogParser - MS's tool
parse_evtx.exe - KasperskyLab ForensicTools (x64)
Evtx2json - includes experimental support for EVTXtract output
EVTXtract - Willi Ballenthin's Python code (presentation)
EvtxParser - Andreas Schuster's Perl code (here's some more info on getting it installed)
EventCleaner - reportedly will allow you to remove EVTX records

I blogged about accessing VSCs recently (actually, I blogged about it twice...), and I wanted to include the information in this post.

Something to be clear about...the version of Arsenal's Image Mounter tool is the one from GitHub, NOT the one discussed here. Yes, one of the issues I ran into when seeking assistance in this endeavor was that there is more than one tool with same name, and that presented some challenges in communication.

My hope is that the version found on Github is updated to include the ability to mount raw/dd-style images via "Write-Temporary".

Here's a tweet about a presentation regarding recovering deleted VSCs using vss-carver.

DFIRTraining list of tools -

Parsing RDP Cache Files
remotecache.py -
bmc-tools.py -
Link to tools at DFIRTraining site

I'm more than happy to add to this list as new things come in.

Thursday, September 06, 2018

Accessing Volume Shadows, re-revisited

As a follow-on to my previous post, I wanted to provide a concise summary or overview of the processes for accessing VSCs.

First, a couple of important factors regarding this exercise:

The goal of this exercise was to identify and validate processes for accessing VSCs within acquired images, using free and open source tools on a Windows analysis system.

The source image file was from Digital Corpora's Lone Wolf scenario (downloaded *.e0x files, also converted to raw/dd).  Note that when using mmls.exe to view the partition table, the partition type is "gpt", not "dos".  This is part of the reason I wanted to use this image, to see if the tools used have any issues with different partition types.  The other reason for using this image is that it is (relatively) easily accessible by almost anyone, and anything I did can be validated using the image.


Arsenal Image Mounter (Mount through libewf)
  |__ ShadowExplorer (v0.9)

*After I posted this article, Eric Zimmerman pointed me to his VSCMount tool, which would be a great alternative to ShadowExplorer.  Note that if you're using VSCMount, you won't be able to access the VSCs via Windows Explorer, but Eric was able to use PowerShell to navigate the file system.  Similarly, I had no issues using a command prompt.  There simply appears to be an issue when trying to use Windows Explorer.

raw/dd #1
Arsenal Image Mounter (Mount raw image)
  |__ vssadmin
          |__ vss (X:\)
                |__ FTK Imager (add X:\ as logical drive evidence item)

raw/dd #2
  |__vshadowinfo/vshadowmount (requires Dokan 0.7.4)
         |__ access individual VSCs via FTK Imager (Image File)

raw/dd #3
Convert to *.e0x format, use *.e0x process (above)

I've been able to repeatedly replicate raw/dd processes #1 and #2 on several other images to which I have access.

Tuesday, September 04, 2018

Accessing Volume Shadows, Revisited

Almost 3 yrs ago, I published this blog post regarding accessing VSCs, via several different means.  I recently did some testing, revisiting the methods, and oddly enough, I couldn't get the several of them to work.  I posted to Twitter, but due to the nature of the medium, things started to get out of hand.  As such, I thought I'd post what I'd done, so that others could try the same methods, and see if maybe they could get the processes to work.

My analysis system is Windows 10; when I open a command prompt, I get "Microsoft Windows [Version 10.0.17134.228]".

I downloaded the *.e01 images files from the LoneWolf scenario that is available via the Digital Corpora site.  The image is of a physical Windows 10 system.  I then used FTK Imager to convert the split *.e0x images files into a unified raw/dd-style image, and I used that file (i.e., lonewolf_dd.001) in all of my testing.

Vhd Method
This method is defunct, in part because it no longer seems to work.

I did try vhdxtool, as well, but that didn't work at all...I'm not working with a .vhd file that needs to be converted to a .vhdx file, I'm using a raw/dd-style image.

This method requires Dokan 0.7.4 and pretty much follows along from the Libvshadow section of my previous post.  For this attempt, I used the extended libvshadow tools provided with vss_carver.py.

First, I used mmls (from the TSK tools) to determine the offset to the partition of interest:

mmls -i raw -t gpt g:\lonewolf\lonewolf_dd.001

From that, I saw:

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----     0000000000   0000002047   0000002048   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00       0000002048   0001023999   0001021952   Basic data partition
05:  01       0001024000   0001226751   0000202752   EFI system partition
06:  02       0001226752   0001259519   0000032768   Microsoft reserved partition
07:  03      0001259520   1000214527   0998955008   Basic data partition
08:  -----   1000214528   1000215216   0000000689   Unallocated

The partition we're interested in is the one in bold, and the offset is 1259520 sectors, or 644874240 bytes.  Using that information, I can run vshadowinfo (I don't have to, but I can):

vshadowinfo -o 644874240 g:\lonewolf\lonewolf_dd.001

From the output of the above command, I can see two VSCs, which is what I expected.  Now, for vshadowmount:

vshadowmount -o 644874240 g:\lonewolf\lonewolf_dd.001 x:\

After running this command, do not expect the command to exit...it won't, until you hit Control-C.  I minimized the command prompt (which was running with Admin privileges) and could see "VSS1" and "VSS2" in the X:\ volume via Windows Explorer.

Next, I opened FTK Imager, and added the X:\ volume as an logical drive evidence item, or I tried to.  I got an error dialog that said simply "Incorrect function. (1)". 

I then opened Autopsy 4.8.0, and tried to add the volume as a local disk data source to a case.  Unfortunately, unlike FTK Imager, Autopsy did not 'see' the X:\ volume.

Arsenal Image Mounter
I downloaded Arsenal Image Mounter, and used it to mount the image file.  When mounting, I chose the "Read Only" option (the "Write Temporary" option was grayed out, and reportedly not available for raw/dd-style images).  The image was mounted as "F:\", and I could easily browse the volume via Windows Explorer.

I had also downloaded ShadowExplorer 0.9, and when I opened it, it did not recognize the F:\ volume.  I could see C:\, D:\, and G:\ (ext HDD where the image was stored).

Vss Method
Finally, I tried vss.exe, mentioned in my previous post; however, I should note that Jimmy Weg seems to no longer maintain his "justaskweg" domain, or the site(s) referenced in my original blog post.  Further, the copy of vss.exe that I have has no identifying information (file version info), nor any syntax info.

I mounted the image via Arsenal Image Mounter (just like I did above), and got identifiers for both VSCs:

vssadmin list shadows /for=f:

I copied the ID for one of the VSCs to the clipboard, and then pasted it into the following command:

vss x: Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy47

The response I got back was:

Drive X:  ---> \Device\HarddiskVolumeShadowCopy47

Okay...that's a start.  I then opened FTK Imager and added the X:\ volume as a logical drive evidence item, and was easily able to traverse through the image, just as I normally would.

Of all of the methods tested, only vss.exe in conjunction with Arsenal Image Mounter was the one method that worked.

Addendum, 5 Sept
I've continued my testing, but before I kicked off the summary, I wanted to provide a link for vss.exe.  Thanks to Brian Maloney for tracking that down.

One thing that's been clear over the past day or so is that even providing clear documentation (above) as to what I did, and where I got the tools, there's been a significant disconnect with respect to those offering assistance.  It appears that the biggest one is that when we say "Arsenal Image Mounter", apparently, we're not all referring to the same thing.  I got a copy of Arsenal Image Mounter from Github, not from the from the main ArsenalRecon.com web site, and that appears to make a significant difference.  In particular, the option to mount a raw/dd image in "Write Temporary" mode is specifically NOT supported in this version of the tool.

So, to clarify, what I've been looking to do is get working processes for accessing VSCs within acquired images, using free and/or open source tools that run on Windows.

To get this version of Arsenal Image Mounter to work, I had to do a couple of things.  First, I had to download libewf.dll (My system is x64, so I used the DLLs from this location).  I then copied the libewf.dll from my Autopsy installation over to the same folder as the Arsenal Image Mount tool, overwriting the older version of libewf.dll (there was some speculation online that the older version of libewf.dll was causing problems).  Finally, I had to open the E01 files from the Lone Wolf scenario, rather than the raw/dd format image (I'd opened the E0x image files in FTK Imager and exported a raw/dd image, so I had both available).  Once I did that, I was able to use Shadow Explorer to successfully view and access the VSCs.

The process that appears to work for raw/dd images is to use the Arsenal Image Mounter to mount the image file in Read Only mode, and then use vssadmin (via an Admin-level command prompt) to list the VSCs, and then mount a VSC as X:\ (or whatever you choose) via vss.exe.  Once you've done that, you can open the now mounted VSC via FTK Imager,

I'm still trying to get vshadowmount to work, as well... I got the vshadowmount method working right after I published the updated post...essentially, once you run the vshadowmount command, you can access the individual VSCs via FTK Imager, by adding one of the VSCs as an image file evidence item, rather than logical drive.  That is, when adding an evidence item to FTK Imager (after running the vshadowmount command), you choose "Image File".  Boom.  Done.

Wednesday, August 22, 2018


Not all RegRipper plugins come from external sources; in fact, a good number of the plugins I've written start as something I've run across on the Internet, from various sources (most times Twitter).  Sometimes it's a blog post, other times it's a malware write-up, or it could be the result of a working a forensic challenge.

Based on Adam's post, I created a plugin (named wsh_settings.pl) that outputs the values of the Settings key, and includes an Analysis Tip that references the Remote value.

I also updated the clsid.pl plugin to incorporate looking for the TreatAs value. On a sample hive that I have from a Win7 SP1 system, I ran the following command:

rip -r d:\cases\test\software -p clsid | find "TreatAs"

I got a total of 9 hits, 7 of which were all for the same GUID (i.e., {F20DA720-C02F-11CE-927B-0800095AE340}), which appears to refer to packager.dll.

I also created a TLN output version of clsid.pl (named clsid_tln.pl) so that this information can be used to create timeline (in and of itself), or can be added to a timeline that incorporates other data sources.  I know from initial testing that under "normal" circumstances, the LastWrite times for the keys may be lumped together around the same time, but what we're looking for here is outliers, timeline entries that correspond with other suspicious activity, forming an artifact cluster.

I received an email from my publisher on 20 Aug 2018 telling me that Investigating Windows Systems had officially been published, and is available here through the publisher!  I'm not sure what that means with respect to the book actually being available or shipped (if you pre-ordered it) from Amazon; for me, it's a milestone, something I can mark off my list. That's #9 down (as in, nine books that I've authored), and I'm currently working on Practical Windows Investigations, which will is due out next year.

IWS is a bit of a departure from my previous books; instead of listing various artifacts that you could use in an investigation, and leaving it to the reader to figure out how to string them together, I used images available online to illustrate what an investigation might look like.  Using the images, I provide analysis goals that are more inline with what one might expect to see during a real world IR investigation.  I then walk through the analysis of the image (based on the stated goals), providing decision pivot points along the way.  However, these investigations are somewhat naturally limited...they aren't enterprise level, don't involve things like lateral movement, etc.  As such, these things aren't addressed, but I did try to cover as much as I could with what was available.

I have a GitHub repo for the book - it doesn't contain a great deal at the moment, just links to the images used, and in the folder for chapter 4, code that I wrote for that particular chapter.  I'm sure I'll be adding material over time, either based on requests or based on interesting things from my notes and folders for the book.

Practical Windows Investigations is going to swing the pendulum back a bit, so to speak, in that rather than just looking at artifacts, I'm focusing on different aspects of investigations and addressing what can be achieved when pursuing those avenues.  The book is currently spec'd at 12 chapters, and the list is not too different from what was listed in this post from March.

The current chapters are:

Core Concepts
How to analyze Windows Event Logs
How to get the most out of RegRipper
Malware Detection
How to determine data exfiltration
File (LNK, DOCX/DOC, PDF) Analysis
How to investigate lateral movement
How to investigate program execution
How to investigate user activity
How to correlate/associate a device with a user (USB, Bluetooth)
How to detect/analyze the use of anti-forensics
Making use of VSCs

As with my previous books, tools used for analysis will be free and open source tools; this is due to the fact that I simply do not have access to commercial tools.  This is a topic that is continually brought up during prospectus reviews, and the reviewers simply do not seem to understand. 

Saturday, August 18, 2018


Win10 Notification Database
Leave it to MS to make our jobs as DFIR analysts fun, all day, every day!  Actually, that is one of the things I've always found fascinating about analyzing Windows systems is that the version of Windows, more often than not, will predicate how far you're able to go with your analysis.

An interesting artifact that's available on Win10 systems is the notification database, which is where those pop up messages you receive on the desktop are stored.  Over the past couple of months, I've noticed that on my work computer, I get more of these messages, because it now ties into Outlook.  It turns out that this database is a SQLite database. Lots of folks in the community use various means to parse SQLite databases; one of the popular ways to do this is via Python, and subsequently, you can often find either samples via tutorials, or full-on scripts to parse these databases for you.

MalwareMaloney posted a very interesting article on parsing the write-ahead logging (.wal) file for the database.  Also, as David pointed out,

Anytime you're working with a SQLite database, you should consider taking a look at Mari's blog post on recovering deleted data.

Based on input from a user, I updated the sizes.pl plugin in a way that you may find useful; it now displays a brief sample of the data 'found' by the plugin (default is 48 bytes/characters).  So, instead of just finding a value of a certain size (or above) and telling you that it found it, the plugin now displays a portion of the data itself.  The method of display is based on the data type...if it's a string, it outputs a portion of the string, and if the data is binary, it outputs of hex dump of the pre-determined length.  That length, as well as the minimum data size, can be modified by opening the plugin in Notepad (or any other editor) and modifying the "$output_size" and "$min_size" values, respectively.

Here is some sample output from the plugin, run against a Software hive known to contain a malicious Powershell script:

sizes v.20180817
(All) Scans a hive file looking for binary value data of a min size (5000)

Key  : \4MX64uqR  Value: Dp8m09KD  Size: 7056 bytes
Data Sample (first 48 bytes) : aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAA...

From here, I'd definitely pivot on the key name ("4MX64uqR"), looking into a timeline, as well as searching other locations in the Registry (auto start locations??) and file system for references to the name.

Interestingly enough, while working on updating this plugin, I referred back to pg 34 of Windows Registry Forensics and for the table of value types.  Good thing I keep my copy handy for just this sort of emergency.  ;-)

Mari has an excellent example of how she has used this plugin in actual analysis here.

Speaking of books, Investigating Windows Systems is due out soon.  I'm really looking forward to this one, as it's a different approach all together from my previous books.  Rather than listing the various artifacts that are available on Windows systems, folks like Phill MooreDavid Cowen and Ali Al-Shemery graciously allowed me access to the images that they put together so that I could work through them.  The purpose of the book is to illustrate a way of stringing the various artifacts together in to a full-blown investigation, with analysis decisions called out and discussed along the way.

What I wanted to do with the book is present something more of a "real world" analysis approach.  Some of the images came with 30 or more questions that had to be answered as part of the challenge, and in my limited experience, that seemed a bit much.

The Github repo for the book has links to the images used, and for one chapter, has the code I used to complete a task.  Over time, I may add other bits and pieces of information, as well.

My submission for OSDFCon was accepted, so I'll be at the conference to talk about RegRipper, and how you can really get the most out of it.

Here is the list of speakers at the conference...I'm thinking that my speaker bio had something to do with me being selected.  ;-)

Friday, August 10, 2018

Gaps and Up-Hill Battles

I've been thinking about writing a RegRipper plugin that looks for settings that indicate certain functionality in Windows has been disabled, such as maintaining JumpLists, as well as MRUs in the Registry.

Hold on for a segue...

David Cowen recently requested input via his blog, regarding the use of anti-forensics tools seen in the wild.  A little more than two years ago, Kevin S. wrote this really awesome blog post regarding the evolution of the Samas/Samsam ransomware, and I know you're going to ask, "great, but what does this have to do with anti-forensics tools?"  Well, about half way down the post, you'll see where Kevin mentions that one of the early variants of Samas included a copy of sdelete in one of its resource sections.

As usual, Brett made some very poignant comments, in this case regarding seeing anti- or counter-forensics tools in the wild; specifically, just having the program on a system doesn't mean it was used, and with limited visibility, it's difficult to see how it was used.

Now, coming back around...

What constitutes counter-forensics efforts, particularly when it comes to user intent?  Do we really know the difference between user intent and operating system/application functionality?  Maybe more importantly, do we know that there is such a thing?

I've seen too many times where leaps (assumptions, speculation) have been made without first fully examining the available data, or even just looking a little bit closer.  Back in the days of XP, an issue I ran into was an empty Recycle Bin for a user, which might have been a bad thing, particularly following a legal hold.  So, an analyst would preview an image, find an empty Recycle Bin, and assume that the user had emptied it, following the legal hold announcement.  But wait...what was the NukeOnDelete setting?  Wait...the what?  Yes, with this functionality enabled, the user would delete a file as they normally would, but the file would not appear in the Recycle Bin. 

Other functionality that's similar to this includes, did the user clear the IE history, or was it the result of the regularly scheduled purge?  Did the user delete files and run defrag after a legal hold order, or was defrag run automatically by the OS?

Skipping ahead to modern times, what happens if you get a "violation of acceptable use policies" case, or a harassment case, or any other case where user activity is a (or the) central focus of your examination, and the user has no JumpLists.  Yes, the automatic JumpLists folder is empty.  Does that seem possible?  Or did the user suspect someone would be looking at their system, and purposely delete them?  Well, did you check if the tracking of JumpLists had been disabled via the Registry?

My point is that there is functionality within Windows to disable the recording and maintenance of various artifacts that analysts use to do their jobs.  This functionality can be enabled or disabled through the Registry.  As such, if an analyst does not find what they expect to find (i.e., files in the Recycle Bin, RecentDocs populated, etc.) then it's a good idea to check for the settings.

Oh, and yes, I did write the plugin, the current iteration of which is called disablemru.pl.  I'll keep adding to it as more information becomes available.

Friday, August 03, 2018

The Future of IR, pt I

I've been doing IR work for a while now, and I've had the great fortune of watching things grow over time.

When I started in the industry, there were no real training courses or programs available, and IR business models pretty much required (and still do) that a new analyst is out on the road as soon as they're hired.  I got started in the industry and developed some skills, had some training (initial EnCase training in '99), and when I got to a consulting position, I was extremely fortunate to have a boss who took an interest in mentoring me and providing guidance, which I greatly appreciate to this day.

However, I've seen this same issue with business models as recently as 2018.  New candidates for IR teams are interviewed, and once they're hired and go through the corporate on-boarding, there is little if any facility for training or supervising...the analysts are left to themselves.  Yes, they are provided with tools, software products, and report templates, but for the most part, that's it.  How are they communicating with clients?  Are they sending in regular updates?  If so, are those updates appropriate, and more importantly, are they technically correct?  Are the analysts maintaining case notes?

Over the years of doing IR work, I ran into the usual issues that most of us see...like trying to find physical systems in a data center by accessing the system remotely and opening the CD-ROM tray.  But two things kept popping into my mind; one was, I really wished that there was a way to get a broader view of what was happening during an incident.  Rather than the client sending me the systems that they thought were involved or the "key" systems, what if I could get a wider view of the incident?  This was very evident when there were indications on the systems I was examining that pointed to them being accessed from other systems, or accessing other systems, on the same infrastructure.

The other was that I was spending a lot of time looking at what was left behind after a process ran.  I hadn't seen BigFoot tromp across the field, because due to the nature of IR, all I had to look at were footprints that were several days old.  What if, instead of telling the client that there were gaps in the data available for analysis (because I'm not going to guess or speculate...) I actually had a recording of the process command lines?

During one particularly fascinating engagement, it turned out that the client had installed a monitoring program on two of the affected systems.  The program was one of those applications that parents use to monitor their kid's computers, and what the client provided was 3-frame-per-second videos of what went on.  As such, I just accessed the folder, found all of the frames with command prompts open, and could see exactly what the adversary typed in at the prompt.  I then went back and watched the videos to see what the adversary was doing via the browser, as well as via other GUI applications.

How useful are process command lines?  Right now, there're considerable artifacts on systems that give analysts a view into what programs were run on a system, but not how they were run.  For instance, during an engagement where we had established process creation monitoring across the enterprise, an alert was triggered on the use of rar.exe, which is very often as a means of staging files for exfiltration.  The alert was not for "rar.exe", as the file had been renamed, but was instead for command line options that had been used, and as such, we had the password used to encrypt the archives.  When we receive the image from the system and recovered the archives (they'd been deleted after exfil), we were able to open the archives and show the client exactly what was taken.

So, things have progressed quite a bit over the years, while some things remain the same.  While there have been significant in-roads made into establishing enterprise-wide visibility, the increase of device types (Windows, Mac, Linux, IoT, mobile, etc.) still requires us to have the ability to go out and get (or receive) individual devices or systems for collection and analysis; those skills will always be required.  As such, if the business model isn't changed in some meaningful way, we are going to continue to have instances where someone without the appropriate skill sets is sent out on their own.

The next step in the evolution of IR is MDR, which does more than just mash MSS and IR together.  What I mean by that is that the typical MSS functionality receives an alert, enriches it somehow, and sends the client a ticket (email, text, etc.).  This then requires that the client receive and understand the message, and figure out how they need to respond...or that they call someone to get them to respond.  While this is happening, the adversary is embedding themselves deeply within the infrastructure...in the words of Jesse Ventura from the original Predator movie, "...like an Alabama tick."

Okay, so what do you do?  Well, if you're going to have enterprise-wide visibility, how about adding enterprise-wide response and remediation?  If we're able to monitor process command lines, what if we could specify conditions that are known pretty universally to be "bad", and stop the processes?  For example, every day, hundreds of thousands of us log into our computers, open Outlook, check our email, and read attachments.  This is all normal.  What isn't normal is when that Word document that arrived as an email attachment "opens" a command prompt and downloads a file to the system (as a result of an embedded macro).  If it isn't normal and it isn't supposed to happen and we know it's bad, why not automatically block it?  Why not respond at software speeds, rather than waiting for the detection to get back to the SOC, for an analyst to review it, for the analyst to send a ticket, and for the client to receive the ticket, then open it, read it, and figure out what to do about it?  In that time, your infrastructure could be hit by a dedicated adversary, or by ransomware. 

If you stop the download from occurring, you prevent all sorts of bad follow-on things from happening, like having to report a "personal data breach", per GDPR. 

Of course, the next step would be to automatically isolate the system on the network.  Yes, I completely understand that if someone's trying to do work and they can't communicate off of their own system, it's going to hamper or even obviate their workflow.  But if that were the case, why did they say, "Yes, I think I will "enable content", thank you very much!", after the phishing training showed them why they shouldn't do that?  I get that it's a pain in the hind end, but which is worse...enterprise-wide ransomware that not only shuts everything down but requires you to report to GDPR, or one person having to have a new computer to get work done?

So, the overall point I'm trying to make here is that the future of IR is going to be to detect and respond faster.  Faster than we have been.  Get ahead of the adversary, get inside their OODA loop, and cycle through the decision process faster than they can respond.  I've seen this in action...the military has things called "immediate actions", which are actions that, when a condition is met, you respond immediately.  In the military, you train at these things until they're automatic muscle memory, so that when those things go occur (say, your rifle jams), you perform the actions immediately.  We can apply these sorts of things to the OODA loop by removing the need to make decisions under duress because we made them ahead of time; we made the decision regarding a specific action while we had the time to think about it, so that we didn't have to try to make the decision during an incident.

In order to detect and respond quicker, this is going to require a couple of things:
- Visibility
- Intelligence
- Planning

I'll be addressing these topics in future blog posts.

Notes, etc.

Case Notes
@mattnotmax recently posted a blog on "contemporaneous notes".

But wait...there's more.

I agree with what Matt said regarding notes.  1000%.

I've been on engagements where things have gone sideways.  In one instance, I was assigned by the PoC to work with a network engineer to get access to network device logs.  We walked through a high-level network diagram on a white board, and at every point, I was told by the network engineer that there were no logs available from that device, nor that one, and definitely not that one.  I took a picture with my cell phone of the white board to document my "findings" in that regard, and when I met with the PoC the following morning, he seemed bothered by the fact that I hadn't gotten anywhere the previous day.  He called in the network engineer, who then said that he'd never said that logs were not available.  I pulled up the photo of the white board on my laptop and walked through it.  By the time we got to the end of the engagement, I never did get any logs from any of the network devices.  However, I had documented my findings (written, as well as with the photo) and had a defensible position, not just for myself, but also for my boss to take up the chain, if the issue ended up going that far.

As a side note, I make it a practice that if I get the sense that something is fishy, or that an engagement could go sideways, I'll call my boss and inform my management chain first, so that they hear it from me.  Better that, than the first they hear of any issue is an angry call from a client.  This is where notes really help...IR engagements are highly stressful events for everyone involved, and having notes is going to help you when it comes to who said/did what, and when.

One of the questions Matt addresses in his blog post is the 'rules' of the notes; whenever I've been asked about this, the question has always been, "what's the standard?"  My response has always been pretty simple...reproduceability.  You need to write your notes to the point that 6 months or a year later, you (or more importantly, someone else) can take the notes and the data, and reproduce the results.

In fact, I have been asked the question about the "standard" so much over the years that it's become a high-fidelity indicator that notes will not be taken.  So far, every single time I've been asked about the "standard" to which notes should be taken, note have not been kept.

When I started with ISS in 2006, I was provided dongles for AccessData FTK, as well as for EnCase 4.22 and 6.19.  When I performed work, I noted which application I used right along with what I did...because that was important.  When we (our team) determined that one of the built-in functions for a commercial tool was not, in fact, finding all valid credit card numbers (kind of important for PFI work...), we worked with Lance Mueller to get our own function working, and made the use of the result script part of our standard operating (and repeatable) procedure.

Part of the PFI work at the time also included a search for hashes, file names, and a few other indicators.  Our notes had to have the date of the work, and our SOP required that just prior to running the searches for those indicators that we pull down the latest-and-greatest copies of the indicator lists.

Why was this important?  Well, if someone found something in the data (or on the original system) six or eight months later, we had clear and concise documentation as to what steps were taken when.  That way, if the analyst was on leave or on another engagement, a team lead or the director could easily answer the questions.  With some simple, clear, and concise notes, the team lead could say, "Yes, but that case was worked 8 months ago, and that indicator was only made available as part of last month's list."  Boom.  Done.  Next.

Another question that comes up is, what application should I use?  Well, I started with Notepad, because it was there.  I loved it.  When I received a laptop from a client and had to remove the hard drive for imaging, I could paste a link to the online instructions I followed, and I could download the instructions and keep them in a separate file, or print them out and keep them in a folder.  URL link or printed out, I had an "appendix" to my notes.  When I got to the point where I wanted to add photos to my notes, I simply used Write or Word.  Depending upon your requirements, you may not need anything schmancy or "high speed, low drag"...just what you've got available may work just fine.

If you're looking for something a little more refined when it comes to keeping notes, take a look at ForensicNotes.

Many of us say/talk about it...we keep notes because at some point in the future, someone's going to have questions.  I was in a role where we said that repeatedly...and then it happened.  Fully a year after working an engagement, questions came up.  Serious questions.  Through corporate counsel.  And guess what...there were no notes.  No one had any clue as to what happened, and by "no one", I'm only referring to those who actually worked the case.  Look, we say these things not because we're being silly or we're bored or we just want to be mean...we say them because they're significant, serious, and some of us have seen the damage that can occur to reputation of a company or an individual when notes aren't maintained.

Even with all of this being said, and even with Matt's blog post, there is no doubt in my mind that many DFIR folks are going to continue to say, "I don't want my notes to be discoverable, because a defense attorney would tear them/me apart on the stand."  According to Brett Shavers, that's going to happen anyway, with or without notes, so better to have the notes and be able to answer questions with confidence, or at least something more than, "I don't know".  The simple fact is that if you're not keeping case notes, you're doing yourself, your fellow analysts, and your client all a huge disservice.

Thursday, August 02, 2018

Some New Items

DFIR Skillz
Brett Shavers posted another great article in which he discussed a much-needed skill in DFIR, albeit one that isn't taught in any courses.  That is, communicating to others. If you really think about it, this is incredibly, critically, vitally important.  What good is it to have a good, great, or even the best threat intel or DFIR analyst, if they are unable to communicate with others and share their findings?  And I'm not talking about just the end results, but also being able to clearly articulate what led to those findings.  What is it that you're seeing, for example, that indicates that there's an adversary active in an environment, versus a bunch of persistence mechanisms kicking off when systems are booted?  Can you articulate your reasoning, and can you articulate where the gaps are, as well?

Something to keep in mind...there is a distinct difference between being not able to clearly delineate or share findings, and simply being unwilling to do so.

DFIR Skillz - Tech Skillz
A great way to develop technical analysis DFIR skills is to practice technical analysis DFIR skills.  There are a number of DFIR challenge images posted online and available for download that you can use to practice skills.

The CFReDS data leakage case provides a great opportunity to work with different types of data from a Windows 7 system, as well as from external devices.

The LoneWolf scenario at the DigitalCorpora site is pretty fascinating, as it allows you to practice using a number of tools, such as hindsight, Volatility, bulk_extractor, etc.  The scenario includes an image of a Win 10 laptop with a user profile that includes browser (Chrome, IE) history, a hibernation file, a memory dump, a page file, a swap file, etc.  This scenario and the accompanying data was produced by Thomas Moore, as his final project for one of Simson Garfinkel's courses at GMU.  The challenge in this scenario will be learning from the image, having not taken the course.

Ali Hadi, PhD, makes a number of datasets available for download.  I especially like challenge #1, as it's a great opportunity to try your hand at various analysis tasks, such as using Yara to detect webshells, etc.  There are also a couple of other really cool things you can do with the available data; many thanks to @binaryz0ne for providing the scenarios and the datasets.

These are just a few examples of what's available; perhaps the best way to really get the most from these scenarios is to work with a mentor.  I can see that many enthusiasts will download the images, maybe start down the road a bit, but not really get anywhere meaningful due to road blocks of some kind.  Having someone that you can bounce ideas off ("how does this analysis plan look?"), seek guidance from, etc., would be a great way to move beyond where you are now, and really expand your skill sets.

DFIRDudes (Hadar and Martin) have kicked off (here's the tweet announcing it) a new blog with an inaugural post on StartupInfo files.  This is a great idea, because as Brett had mentioned previously, there's a lot of great info that is peppered on to Twitter that really needs a much more permanent home someplace, one that's a bit roomier (and more persistent) than 280 characters.  The first sentence of the first post really sets the tone, and gives the blog a good push away from the dock.

If you're on the fence about starting a blog, check out Phill's post, because his answer is a resounding "yes".

Retail Breaches
HelpNetSecurity had a fascinating article recently that discusses a surge in retail breaches.  While this data is based on survey, I still find it fascinating that in 2018, more organizations haven't pursued the implementations of instrumentation and visibility into their infrastructures that would provide for early detection and response.  And yes, I do understand that the focus of the survey (and as a result, the data) is retailers, organizations that wouldn't necessarily have the budget for such things.

Perhaps the most telling part of the article is that, "Security spending is up but not aligning with risk."

RegRipper updates
I've received some great contributions to the repository over the past month or so; many, many thanks to those who've contributed plugins!

Thursday, July 05, 2018

LNK "Toolmarks"

LNK Artifacts and "Toolmarks"
I've discussed LNK files in this blog a number of times over the years, mostly focusing on the file format.  In one instance (from 5 years ago), the focus was on parsers, and specifically about determining devices that had been connected to the system, as when it comes to illicit images/videos, such things can determine the difference between "possession" and "production".  This sort of information can also be used to address such topics as data exfiltration.

Last year, I started looking at LNK files (here, and then shortly thereafter, here...) from a different perspective; that of LNK files being sent as email attachments, or somehow being delivered to a "victim".

So, what?  Why does this matter?  Most users of Windows systems are very familiar with LNK files, or "Windows shortcuts", as they pertain to user actions on a system, or software installations.  Both of these generally result in an LNK file being created.  And if you follow malware write-ups or threat intel blog posts, you'll very likely see mention of some malware variant or targeted adversary creating an LNK file in a user's StartUp folder as a means of remaining persistent on the system.  These LNK files are usually created on the compromised system, through the use of the local API, so other than their location, there's nothing too terribly interesting about them.

However, when an adversary sends a Windows shortcut file as an email attachment (or through some other mechanism) that LNK file contains information about their (the adversary's) system.  The folks at JPCERT/CC mentioned this about a year and half ago (the folks at NViso Labs said something similar, as well); if the LNK file was created (via the MS API) on the adversary's system, then it likely contains the NetBIOS name of the system, the MAC address, the volume serial number, and the code page number (although in the research I've done so far, I have yet to find an LNK file with the code page number populated).  While anyone of these values may be seen as trivial, all of them together can be employed to great effect by researchers. For example, using the NetBIOS name, MAC address, and VSN (such as illustrated in this blog post), I wrote a Yara rule that I deployed as a VirusTotal retro-hunt, in order to look for other examples; I ended up with several dozen responses in very short order.  An example of such a rule is the "shellphish" Yara rule illustrated in this blog post.  In the case of the "shellphish" rule, the LNK file that I initially looked at also included a SID in the Property Store Data Block, and including it in the retro-hunt served to minimize false positives (i.e., hits on files that contained the other byte sequences, but were not what I was looking for).

Using an LNK file parser available online, I parsed a LNK file with an embedded, base64-encoded Powershell command, and saw the following:

[Distributed Link Tracker Properties]
Version: 0
Droid volume identifier: 69426764-4841-414d-0000-000000000032
Droid file identifier: e09ff242-e6d1-9945-a75d-f512f84510dc
Birth droid volume identifier: 8e3691fc-e7be-bc11-6200-1fe2f6735632
Birth droid file identifier: e09ff242-e6d1-9945-a75d-f512f84510dc
MAC address: f5:12:f8:45:10:dc
UUID timestamp: 03/17/3700 (13:54:42.551) [UTC]
UUID sequence number: 10077
The file was moved to a new volume.

Okay, so, this is very different.  Usually, the "NetBIOS name" is 16 bytes, which is what my own parser looks for; however, in this case, what is the "machine ID" consumes a good bit more than 16 bytes, as illustrated in figure 1.

Fig 1: Hex dump from LNK file; Tracker Data Block

In this case, as you can see in figure 1, the "machine ID" is 31 bytes in size, with the first 24 bytes being "RAA6AFwAYQBhAC4AdgBiAHM", and the last 7 being all zeros.  As the size of the Tracker Data Block (4 bytes at 0xca3) remains consistent at 96 bytes, the larger-than-expected machine ID presents a parsing problem.  The "droids" start at offset 0xcd2, and are identical, so due to the larger machine ID, the Tracker Data Block itself "ends" part way through that section of data, at offset 0xd02.  This leaves the remaining 15 bytes of the final droid (which ends at 0xd11) unparsed...notice how the math works out?  The machine ID is 15 bytes larger than it should be, and as such, everything is "off" (per the MS file format documentation) by 15 bytes.

Normally, my parser returns output that appears as follows:

Machine ID            : admin-pc
New Droid ID Time     : Tue Sep 19 12:57:20 2017 UTC
New Droid ID Seq Num  : 11190
New Droid    Node ID  : 08:00:27:3a:ce:83
Birth Droid ID Time   : Tue Sep 19 12:57:20 2017 UTC
Birth Droid ID Seq Num: 11190
Birth Droid Node ID   : 08:00:27:3a:ce:83

The above output is from an LNK file that fully meets the file format specification.  During my research into some of these malicious LNK files, I added the ability to provide debugging information so that anomalies would be more apparent, rather than "hidden" behind the parsing process.

From the LNK file from which the hex dump in figure 1 was extracted, we can still extract and manually parse the droids; as the ObjectIDs are based on the UUID version 1 format (discussed in this blog post), we can use this information to our advantage in our research, extracting the node IDs (MAC addresses), etc.  Interestingly enough, though, the larger machine ID doesn't seem to have an effect on the command embedded within the LNK file; having sections of the file format that do not comply with the specification doesn't seem to affect the performance of the LNK file.

I began wondering if the larger machine ID field might be a "toolmark" of some kind, an artifact of whatever process or application that had been used to create the LNK file.  I also began looking at a range (I hesitate to qualify the range with "wide"...) of LNK files found online, particularly those that ran external commands (encoded Powershell commands, bitsadmin commands, etc.), as well as looking for tools, applications, or processes that would allow someone to create arbitrary, malicious LNK files.  At this point in time, I haven't yet found one that produces "toolmarks" similar to what's seen in figure 1.

The machine ID/NetBIOS name, user SID, VSN, and MAC address are all artifacts from the adversary's system that remain within the LNK file when it is sent to a target.  The folks at ProofPoint discussed one or two means of deploying LNK files, which could result in some very interesting artifacts.  I'm sure that if enough specifically-malicious LNK files were examined, we'd be able to pull out "toolmarks" from such things as specific applications/tools or processes used to create (or modify) the LNK files, or perhaps even identify misbehaving applications that create LNK files on non-Windows systems.

Friday, June 29, 2018


I just pushed three new plugins up to the RegRipper plugin repository, two written by Gabriele Zambelli (photos_win10.pl, msedge_win10.pl), and I wrote source_os.pl, to address the "When Windows Lies" issue that Mari brought up last year.

Addendum, 30 June: Pushed a new plugin from M. Godfrey, named "imgburn1.pl" to the repo this afternoon. Many thanks to Michael (and Gabriele) for writing and submitting plugins!

Addendum, 2 July: Thanks to input and test data from Mitch Impey, I was able to quickly update not only shellbags.pl and shellbags_tln.pl, but also comdlg32.pl.  Providing sample/test data makes troubleshooting and updating current plugins, or creating new ones, a much quicker and more efficient process.  Thanks, Mitch!

Addendum, 5 July: Many thinks to Micah Jones for sharing the dafupnp.pl plugin he wrote created!  This is a plugin that pulls information about media streaming devices from the System hive.  Thanks, Micah, for the great work and for sharing the plugin.  Also, based on the data that Micah shared, I updated the bthport.pl plugin, as well.

Also, I added bthport_tln.pl to the repository, as well.  This will help in performing timeline analysis for such things as data exfil via Bluetooth devices.

Addendum, 28 July: I committed two new plugins from Micah Jones to the repo this morning, thunderbirdinstalled.pl and mzthunderbird.pl.  Thanks, Micah!

Thursday, June 21, 2018

More about EDR/MDR

On the heels of my previous post on the topic, from my perspective, there still seems to be something of a misconception within the market as a whole as to the value of EDR/MDR. 

During conversations on the EDR/MDR topic, one of the questions we hear quite often is, "Do you detect X?", with "X" being some newly-identified virus or exploit.  I think that the reason we hear this question so often is that EDR/MDR is still somewhat new in the minds of the marketplace, and most organizations are still trying to visualize and really understand the concept, and how it applies to them.  The way we most often go about doing that sort of thing is by finding something we're familiar with, and start by building a comparison relationship there.  Unfortunately, starting with AV as the comparison doesn't really get us to where we need to be, in part because this is a whole new way of looking at things. 

And believe me, I do understand how difficult it is in today's marketplace to really understand what's out there.  A while back, I was in a sales presentation, and a sales rep was going through the slide pack they'd been provided by marketing; at one point, the client just came right out and said, "...yes, everyone says that, every other vendor we've spoken to has said the same exact thing.  How are you different?"  They were asking this question because they were trying to get beyond the initial fluff and down to, okay, how is this vendor's product better for us and our needs? Now, the folks we were talking to were actually very mature, in the sense that they had already identified their EDR needs, and actually had been working with an EDR product with a subset of their infrastructure, so they were essentially trying to make an apples-to-apples comparison of products.

As recently as last week, I was encouraged via a marketing email to sign up for a webinar, and one of the inducement statements in the corresponding blog post (linked in the email) was along the lines of, "...you should be detecting ransomware the moment it reaches out to the C2 server."

Hhhhmmm...but what if we could detect the issue before that point?  What if you could detect the initial behaviors that lead to a malware infection, and block the activity at that point, rather than waiting to try to detect the malware itself?  If we focused our efforts earlier in the attack cycle, we could impose greater pain on the attacker, raising the level of effort required on their part, and forcing them to change their tactics.

So what do I mean by this?  Every day, thousands (millions?) of employees log into their corporate computer systems, launch Outlook, and read their email.  Part of this may involve opening attachments, including MSWord documents and Excel spreadsheets.  As such, it's normal and expected to see a process tree that goes from the user logging in (Windows Explorer), to launching Outlook, and then Outlook includes whichever attachment is opened as a child process.  It looks something like this:


Now, when a user is sent a phishing email with a weaponized attachment, the user may be prompted to click the "Enable Content" button in MSWord in order to allow any embedded macros to run; once this happens, we generally see something like the command prompt (cmd.exe), or something else (PowerShell, etc.) running as a child process of MSWord.  This is ( a ) never a good thing, ( b ) easy to detect, and ( c ) equally trivial to block.  Here's what that might look like:

                        |__cmd.exe /c powershell.exe...

Here's a good example, shared by Phil Burdette some time ago, albeit without the Outlook component. 

The point is that this behavior can be detected and alerted on, and then action can be take at the point where winword.exe spawns a command shell as a subprocess.  As such, if we're blocking processes from executing at that point, then we're not even getting to the point where PowerShell or WScript or BITSAdmin or whatever is used to download the malicious stuff to the compromised system.  With the right instrumentation, you may also be able to isolate the system on the network after having blocked the malicious behavior.  That way, instead of sending someone a ticket telling them that they have to respond, and them getting it at some point in the future (even as much as a few minutes is enough for the adversary to burrow their way into your infrastructure), all access is immediately disabled.

This is where MDR solutions come into play.  With the right endpoint technology in place, an MDR not only monitors what's going on, but is able to take threat intelligence developed from monitoring their entire client base, and apply is across all monitored clients.  This means that every client benefits from what was gleaned and developed from any one client, and they benefit immediately.

What this ultimately leads to is much earlier detection of malicious activity, and a much quicker response to that activity, such that reporting is obviated.  After all, if you're able to detect and respond to an adversary much earlier in their attack cycle, and you're able to cycle through the OODA loop faster than the adversary, then you're able to prevent access to any "sensitive data".  If that sensitive data isn't accessed, then you don't have to report.  Also, you've got a record of activity that demonstrates that you were able to respond to, contain, and eradicate the adversary.

Monday, June 18, 2018


I've had a bunch of draft blog posts sitting around, and for some of them, particularly the really technical ones, I thought, "...ah, no one's gonna read this...", so I opted for another medium, or I simply deleted them.  However, I decided to throw a couple of them in together, into one post, just so I could complete my thoughts and get them out there, and do a bit of housekeeping with respect to my blog drafts.

Brett Shavers recently posted some interesting content on the topic of publishing in DFIR.  While DFIR doesn't necessary follow the "publish or perish" adage most often seen in academia, Brett does have some very good points.

To Brett's point about "lack of contributors", this is the reason why efforts like Into The Boxes project never really took off...you can't sustain a community-based project if folks within the community aren't willing to contribute.

By the way, I still have my inaugural hard copy of "Into The Boxes #1", knowing full well that one day it's going to be part of my DFIR museum, right alongside my MS-DOS install diskettes, my original Windows XP install CDs, and an AOL installation CD!

Something else that Brett mentioned in his post was "peer review".  Oddly enough, I've been engaged in a conversation with someone else in the DFIR community about this very topic, particularly as it applies to analysis findings.  In my experience, peer reviews within the community are spotty, at best.  We all know that team member that we can go to, because they'll turn around a 40 page report draft in 15 minutes, saying just that it "looks good."  And we also know that team member we can go to and rely on to catch stuff we may have missed.

Blog-a-Day Challenge
Speaking of publishing, it looks as if over the last couple of weeks a number of folks have decided to take the Zeltser Challenge, that is to post a blog a day for an entire year.  Not only has David Cowen picked it back up (he's done it before...), but others have joined the party, as well.  For example, Stacey has started The Knowledge Bean and decided to partake in the challenge. Tony at Archer Forensics has picked up the mantle, as well, and is off and running.

If anyone else in DFIR is doing something like this...blog-a-day, or even blog-a-week, let me know...I'd like to check it out.

Oh, and tying this back to the previous topic, something Tony mentioned in one of the blog posts:

I would solicit everyone to do that deeper dive research to further the field.

Agreed, 1000%. 

New Plugins
Well, let's see...what's new on the plugin front?  So, I recently received one updated plugin (lastloggedon.pl) and a new plugin (utorrent.pl) from Michael Godfrey (author information included in the plugins), and uploaded them to the repository.  I also added jumplistdata.pl, which is based on this finding from Costas K.  Finally, I created execpolicy.pl, a plugin to check the PowerShell ExecutionPolicy value, if it exists...some folks have said that adversaries have been observed modifying the Registry value to that they can bypass the execution policies in order to run their code, albeit not from the command line.

Not a new plugin, but I also updated the license for RegRipper to the MIT license, at the request of some folks at AWS.

Tool Usage
Mari published a blog article recently, which I thought was great...not just because Mari's great at sharing information in an easy-to-understand and repeatable manner, but more so due to how her post discussed tool usage.  There any number of DFIR sites out there, web sites and blogs alike, that are full of tool listings...here's this tool, and here's this tool.  Great.  It's like shop class, with all of the tools hanging on the peg board, on their specific hooks, over their specific silhouettes. 

The question folks should have is, great, but how can I best employ those tools to complete the goals of my investigation in a complete, thorough, accurate, and timely manner?

If you're looking for something to blog about...there you go.  There are potentially hundreds or thousands of blog posts based on just that single theme, that one topic.

Sunday, June 17, 2018

Coding in DFIR

A while back, I wrote a blog post where I discussed writing my own tools, and why I do it.  I have publicly shared the tools I've written, and I was asked to share my thoughts as to why I do it, and how it's "of value" to me, and more importantly, to my workflow.  I generally find it very helpful to have tools that fit into and support the workflow I'm using (i.e., timelines), and I also find it very valuable to be able to address issues with the tools (and others) as a result of the available data that's being parsed.

Something I've been interested in for quite some time is the metadata embedded in various file formats used on Windows systems, and this interest has cracked the shell a bit in more than a few cases, and given me just a peak inside of what may be going on when someone creates a file for malicious purposes.  I've not only been able to pull apart OLE format MS documents (MS Word .doc files), but also the OLE objects embedded inside the newer .docx format files.

One tool I like to use is Didier Stevens' oledump.py, in part because it provides a great deal of functionality, particularly where it will decompress VBA macros.  However, I will also use my own OLE parser, because it pulls some metadata that I tend to find very useful when developing a view into an adversary's activities.  Also, there is the potential for additional data to be extracted from areas that other tools simply do not address.

An example of simply metadata extraction came from the Mia Ash persona that Allison Wickoff (an excellent intel analyst at SecureWorks) unraveled.  I didn't have much at all to do with the amazing work that Allison did...all I did was look at the metadata associated with a document sent to the victims.  However, from that small piece of information came some pretty amazing insights.

Another, much older example of how metadata can be extracted and used comes from the Blair case.  That's all I'll say about that one.

Another file format that I've put some work into understanding and unraveling is the LNK file format, which MS has done a very good job of documenting.

There are a number of FOSS tools available for parsing the binary LNK file format that will display the various fields, but I noticed during some recent testing that there were files submitted to VirusTotal that had apparently "done their job" (i.e., been successfully used to infect systems), but the parsing tools failed at various points in dissecting the binary contents of the file.  Some tools that did all of their parsing and then displayed the various fields failed completely, and those that displayed the fields as they were parsed appeared to fail only at a certain point.  Understanding the file format allowed me to identify where the tools appeared to be failing, and in this way, I'm not simply going back to some who wrote a tool with, "..didn't work."  I know exactly what happened and why, and more importantly, can address it.  As a result of the work I did, I have also seen that some aspects of these file formats can be abused without degrading the base functionality offered via the format.

This is where coding in DFIR comes in...using a hex editor, I was able to see where and why the tools were having issues, and I could also see that there really wasn't anything that any of the tools could do about.  What I mean by that is, when parsing Extra Data Blocks within an LNK file (in particular, the TrackerDataBlock) what would be the "machine ID" or NetBIOS name of the system on which the LNK file was created extends beyond the bounds of the size value for that section.  Yes, the machine ID value is of variable length (per the specification) but it also represents the NetBIOS name of a Windows system, so there's an expectation (however inaccurate) that it won't extend beyond the maximum length of a NetBIOS name.

In some of the test cases I observed (files downloaded from VirusTotal using the "tag: lnk" search term), the machine ID field was several bytes longer than expected, pushing the total length of the TrackerDataBlock out beyond the identified length.  This causes all tools to fail, and begin reading the droids from the wrong location.  In other instances, what would be the machine ID is a string of hex characters that extends beyond the length of the TrackerDataBlock, with no apparent droid fields visible via a hex editor.

These are possibly modifications of some kind, or errors in the tool used to create the LNK files (for an example of such a tool, go here).  Either way, could these be considered 'tool marks' that could be used to track LNK files being deployed across campaigns?

Am I suggesting that everyone, every examiner needs to be proficient at coding and knowledgeable of file formats?  No, not at all.  In this blog post, I'm simply elaborating on a previous response, and illustrating how having an understanding of coding can be helpful.

Other examples of how coding in DFIR is useful include not just being able to automate significant portions of your workflow, but also being able to understand what an attacker may have been trying to achieve.  I've engaged in a number of IR engagements over the years where attackers have left batch files or Visual Basic scripts behind, and for the most part, they were easy to understand, and very useful.  However, every now and then, there would be a relatively un- or under-used command that required some research, or something "new".

Another example is decoding weaponized MSWord documents.  Not long ago, I unraveled a macro embedded in an MSWord document, and having some ability to code not only helped me do the unraveling, but also helped me see what was actually being done.  The macro had multiple layers of obfuscation, including base64 encoding, character encoding (i.e., using the character number from an ASCII table instead of the character itself, and decoding via chr()...), as well as a few other tricks.  At one point, there was even a base64-encoded string embedded within a script that was, itself, base64 encoded.

So, in summary, having some capability to code, at some level, is extremely valuable within the DFIR community...that, or knowing someone.  In fact, having someone (or a few someones) you can go to for assistance is just helpful all around.