Data Exfiltration

Similar to copied files, one of the questions that responders and analysts get from time to time is, how do I tell what data was copied off of a system, or exfiltrated from the network?

This is not an easy question to answer, and often depends upon a number of variables. To make things a bit simpler, let's look at a couple of scenarios:

1. You show up on-site, are handed a hard drive or an image, and asked to tell if data (either any data, or specific data) was copied off of the system.

In this case, as the responder/analyst, you've got a couple of options. First, try to determine what the customer envisions with respect to how the data may have been taken. Was it copied to a USB removable storage device? Was it accessed by a remote intruder (via a backdoor or bot), or perhaps sent off of the system by the user, via web-based email or FTP? All of these may give you clues on where to start looking for some kind of logs. In most cases, you may not find any. However, I've found indications of partial conversations and even attachments as part of web-based email. Also, when an incident has involved remote unauthorized shell-level access, I've found indications with Registry hive files of activity by the intruder accesses or searching for files.

You might also try to determine what other devices or monitoring applications may have logs available that might be of use. Firewall and router ACL logs, for instance, may give you indications of untoward outbound connections. In the absence of those logs, you could hope that someone captured some network traffic.

A note on logs: Some logs may include data about an outbound connection, to include the total number of packets transferred. While this might be an indicator that something may have been sent over the network connection, you will still be unable to determine what actual content was sent from simply the packet size alone. True, traffic analysis might give you an indication, particularly when combined with testing of malware (if malware was the root of the issue) in a virtual environment, but the fact of the matter is that knowing that three guys just ran by your house doesn't tell you the color of their shirts, or their names.

If the issue in question was thought to be associated with malware found on a system, running that malware in a virtual environment may provide indications of specific files or content that the malware was looking for, but this may not always be the case. Sometimes, malware (bots, for instance) won't be programmed to look for files or content themselves, but can be commanded to do so via the C&C server, and your analysis may be predicated on a particular time window, or having access to the Internet so that the malware you're testing can connect to the C&C server.

2. You arrive on-site after a worm infection has been eradicated, and asked to determine what, if any data had been exfiltrated from the network.

In this case, the systems in question may still be live, but the malware may have been eradicated. Under such circumstances, you're not going to have processes to look at - running processes maintain a list of handle objects, and you may be able to get an idea of the file handles that a process has open. However, beyond that, this is scenario leaves you in much the same position as scenario #1.

3. You arrive on-site, and there are systems that are infected still running, that haven't been taken off-line or cleaned, and are still generating network traffic. At this point, what data do you need to determine data exfiltration?

The best source of information for determining data exfiltration at this point is going to be network traffic captures. At this point, you can see the data itself, and using tools like Wireshark, reconstruct entire network conversations and see what data was transmitted, and from which system. You can then use words and phrases that appear to be unique to do keyword searches on the systems themselves for the actual content that was accessed.

Another good source (albeit not the best) of information will be from the hosts themselves. Using either live response tools such as handle.exe, or dumping the contents of physical memory and using Volatility to parse out the list of open file handles from each process, you will be able to see which files the process in question had open. This will give you yet another data point in determining not only data exfiltration, but also perhaps any targeted nature of malware.

To sum up, in an ideal world, when faced with the question of data exfiltration via the network, the responder should be looking for a live system with an active process, and network packet captures. For other incidents where the exfiltration mechanism isn't know, non-digital sources such as CCTV, etc., might prove to be valuable.

A word about preparedness - F-Response. Yep, that's it. Data leaving your network, particularly when you don't want it to, is a very bad thing. Determining the cause, what data is being taken, where it's going, etc. - all the important questions that need to be answered - are all questions that require a quick and accurate response to answer. Even the fastest incident responders will take time to arrive on-site, whereas if you have F-Response Enterprise Edition already installed, the response time is reduced to however long it takes a responder to log in and access the central appliance. The advantage of tools like F-Response are a faster, greener response that doesn't replace having someone come on-site, but instead augments it. This all assumes, of course, that you're response plan isn't to run AV scans, delete stuff, take systems off-line, and then call someone...

F-Response: Imaging RAIDs

Matt Shannon posted an excellent article to his blog this morning called Singing in the RAID...it's a must read, folks. Take a look.

One thing that Matt quite correctly points out is that sometimes live acquisition (acquiring an image of system while the system is running) is your only option. There are times when a customer will tell you that the system you need to image can't be taken down, so removing the drives, imaging each, and rebuilding the array is not an option. Of course, there are other issues, such as SAS drives, boot-from-SAN systems, etc., that can all put a responder in the position to have to acquire the system in a live condition. This can be done by running acquisition tools such as FTK Imager from a CD or USB removable device, or the circumstances may permit or require you to use F-Response with its built-in write-blocking capability to access the system and perform the live acquisition (imaging done with the acquisition tool of your choice).

Another advantage of using F-Response is that it obviates the need for expensive enterprise licenses.

DFRWS2008

I have to say...I'm not an avid conference goer/crasher, but I have been to a few security conferences, starting with Usenix back on '00, and including BlackHat, DefCon (presented at DefCon 9), GMU/RCFG, etc. That said, by far, DFRWS is the best conference I've ever attended! Based on content, program structure, and attendees, this was hands-down THE best conference I've ever attended! The only reservation I have in saying that is that the OMFW was a workshop, but I would like to see it somehow either expanded in its own right, or included in the DFRWS conference.

Location, Venue - The conference location was great, and in this case, easy to get to as it was relatively close to my location, and to the airport. The facilities were great, and there were plenty of places to eat locally...although the food provided at the conference was really pretty good. Interestingly enough, when Cory and I checked in on Sunday, Oticon (anime conference) was just finishing up, so there were all these kids dressed up as anime cartoon characters...which was actually pretty funny. Cory posited that DFRWS was the second nerdiest conference in town, and I think he was right! Perhaps this was sort of the unintended entertainment for the computer nerds...

Speakers - The speakers were excellent all around, and the technical committee deserves a round of applause for being able to select the papers that were presented from the range of of submissions. Of course, there were a couple of papers I was particularly interested in, such as Tim Morgan's paper on recovering deleted data from within Registry hive files. Also, the first keynote address by SA Ryan Moore, on network traffic analysis of compromised POS systems was interesting...to hear that the USSS is involved in PCI-type engagements and to what degree.

Networking - One of the best things about conferences like this is that it draws folks from within the community that you hear about or hear from online, but don't actually get to meet face-to-face...until the conference. For example, I don't live too far from Richard of TaoSecurity, but we never cross paths, and got to chat for a few minutes at the conference. The same is true for folks like Moyix, Andreas, AAron, Brian, Eoghan, Michael and many others. In some cases, I've been under the impression that some folks were like unicorns...there were emails and blogs with their names on them, but few would admit to sightings, particularly while sober...and yet, there they were! Another great benefit of the conference was for folks like Tim and JT to meet up...they'd each been working on the same thing (ie, deleted keys within Registry hive files) and neither knew that the other was working away! Having them collaborate can only be a good thing!

Forensics Rodeo - The Forensics Rodeo on Tues evening was a great time. I didn't participate, per se, although Cory did. I mostly wanted to watch and see how others go about their analysis when given materials/data, so I took notes and yelled out the instructions and questions to be answered across the table. In this case, each team was given a Windows memory dump and an image of a thumb drive, and a set of questions. Our team won...which is to say that Dr. Michael Cohen won, using Volatility and PyFlag, and the rest of us within the ECR (military acronym meaning the "effective casualty radius") won through proximity.

If I had one criticism about this event, it would be the fact that the Wharf Rat, the venue for the reception on Monday evening, as out of the one beer that I went there to try! The waitress said that the menu on the web site isn't kept up-to-date...for shame! How dare you play tricks on an old man!

Open Memory Forensics Workshop

This is the first time this workshop has been put on, but I have to say that it was a rousing success right off the starting blocks! An excellent format, excellent schedule, and excellent speakers. More importantly for me, there was a great deal of information and discussion that was either immediately practical, or would lead to something practical and useful in a hands-on manner within a relative short period.

A couple of the big-brain take-away thoughts that came out of this 1/2 day workshop were:

There seemed to be agreement amongst the assembled panel (as well as the attendees) that open-source is the way to go with tools like memory parsing tools. Open-source allows for verification of your findings and how various items were found, transparency, as well as extensibility.

When performing memory acquisition and analysis (parsing, really), what are the essential or pertinent objects/items/elements? What parts of, say, an EPROCESS structure are absolutely essential for determining if you're looking at an actual EPROCESS structure?

The subject of anti-forensics came up as well, and a thought was that if the bad guys know about what the good guys are doing, and know what important elements have been identified simply by looking at the open-source code, then they can easily come up with ways to combat those tools and techniques, and obfuscate what they're doing. This has in part to do with the discussion of essential/critical structure elements. For example, many of the tools that do a brute-force linear scan through a memory dump looking for EPROCESS structures look for specific elements of the structure itself in order to identify, as close as possible, a legitimate structure. Someone could obfuscate what they're doing by discovering which of those elements they can modify in order to avoid detection. Without identifying these critical elements...elements that cannot change without crashing the system...then this relatively new area of memory analysis is more open to anti-forensic and obfuscation techniques. However, Jesse pointed out something very important...a preponderance of anti-forensics and obfuscation (i.e., the over-abundance or relative lack of artifacts that an examiner would expect to see) activity should be a clear indicator to the examiner that something is amiss.

Also, Jesse used the term "tool marks" in his presentation...from what I saw, it sounded like "artifacts" to me, albeit specific to a particular "tool". This can be an important tool (I need to discuss this interesting topic w/ Jesse some more...) in that it can be a very useful data reduction tool to assist the examiner in identifying unusual things. For instance, something that came out of the DFRWS2008 Forensic Rodeo was that an unusual string in memory may indicate the use of TrueCrypt.

Overall, the quality of the presentations and speakers, as well as the panels, made for an excellent workshop! My hat's off to AAron and everyone else who put their time and effort into this event! It was great to finally meet folks like Moyix, Andreas, and have a chance to listen to their thoughts, and thank them. I hope to see this workshop again next year!

File Associations

Now and again, I'll see posts in the lists asking questions about files based on the names and/or the extensions of the files. If the name is unique, sometimes an analyst can find out quite a bit about the file by doing a Google search. This should not be considered the be-all and end-all, however...too many folks have tottered down the wrong path based on what they've found in this manner.

[digression=momentary]I can't tell you how many times I've walked into an engagement where the other party's entire "analysis" consisted solely of performing a Google search![/digression]

So let's say that you find several files on a Windows system with a particular extension that you, as an examiner, don't recognize. Sure, many of us recognize ".doc" and ".txt", and right off-hand, we know what programs these files are associated with. In some cases, these programs (most often MSWord and Notepad, respectively) are used to create files with these extensions, and we know from experience that when we receive one of these files and double-click it, the operating system will automatically open the file using a specific application. How does Windows know how to do this?

This information is maintained in...wait for it...wait for it....that's right, the Registry!! Through normal usage on a system, a user might interact with these areas of the Registry through a context menu (specifically, "Open With..."), and an uber-user might actually use ftype and assoc at the command line. However, if you're only got an image of a system, how would you very quickly attempt to determine which application was associated with a particular file extension?

So, let's say that we want to determine the file association for the ".doc" extension. We can start on a live system by typing the following command:

C:\>assoc .doc
.doc=Word.Document.8

Okay, that's pretty straightforward. The same command works for PDFs, etc. In order to find out what application specifically is used to open the file when the user double-clicks it, we can use this command:

C:\>ftype AcroExch.Document
AcroExch.Document="C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe" "%1"

Pretty neat, eh? Okay, great. So how do we find this in an image of a system? You can start by going to the following key:

HKLM\Software\Classes

Beneath this key, there are a LOT of subkeys, and most of the first ones that you will see are the file extensions. Scroll down to ".doc", and you'll see that the value named "(Default)" within the key contains the name that was saw above when we ran the "assoc" command. In some cases, the extensions won't have a great deal of information (subkeys and values) but in others (as with ".doc"), you'll see a number of entries. Now, using "Word.Document.8", keep scrolling down beneath the Classes key, all the way down until you find that name. Once you find the Registry key with that name, you then want to find the "shell\open\command" subkey, and within that subkey, the "(Default)" value. So, at this point, the full Registry path that we should be at is:

HKLM\Software\Classes\Word.Document.8\shell\open\command

The "(Default)" value within this subkey will give you the path to and command line for the application used to open the files with the extension we started with.

Pretty cool stuff, eh?

Oh, and don't forget to check the NTUSER.DAT files, as well, for the same paths.

Addendum: I created a Software hive plugin for RegRipper, but it can take a while to run, so I'd recommend running it with rip.exe instead. Want to know the default web browser on the system? Check the entries for HTTP and HTTPS. Also, I created a RegRipper plugin for the FileExts key in the NTUSER.DAT file.

Upcoming Events

It seems that one of my partners-in-crime and I will be attending a couple of events together this year...stay tuned for some good times!

OMFW - Open Memory Forensics Workshop, 10 Aug 2008, Baltimore - AAron's putting on a great workshop on the subject, which is pretty cool, considering he's one of the guys who's creating the absolute bleeding edge in this area. There are some big names, not only in this field, but in the field of forensic analysis, who will be attending. So, bring your cameras and dollar bills, and see if you can get guys like Mike...excuse me, Dr. Michael...Cohen to sign various body parts! ;-) Be sure to say hi to Jesse, too!

DFRWS - Digital Forensics Research Workshopt, 11/13 Aug 2008, Baltimore - DFRWS is always a great conference, or so I've been told. This will be my first (hopefully not my last) time attending this conference, and the lineup of speakers and presentations is very impressive. I'm particularly looking forward to presentations regarding Registry analysis, such as Tim Morgan's Recovering Deleted Data from the Windows Registry.

Don't forget to drop by the Wharf Rat for the reception on Monday, and enjoy a little hot monkey love!

SANS Forensic Summit - 13/14 Oct 2008, Las Vegas - Rob Lee is really making 2008 the year for forensic conferences with this one! There is already an awesome list of speakers, which makes me wonder why I'm speaking! ;-) Hey, if you can't find something interesting to listen to, come watch me mutter my way through something about the Windows Registry! This summit is turning out to be less of a speaker's conference, and more of a practitioner's workshop...some of the topics that are going to be addressed are along the lines of what works and what doesn't, from the folks who are doing the do!

These are THE MUST ATTEND events for 2008...for no other reason than the fact that The Cory Altheide will be there! Hey, that's why I'm going!

MRT

The SANS Internet Storm Center had an interesting post the other day about the MS Malicious Software Removal Tool (aka, MRT). What I took away from the post is that KB 891716 says that whenever MRT is run, the "Version" value is updated with a new GUID. This information can be compared to the list of GUIDs from that same KB article, and correlated against the MRT.log file itself. KB 890830 contains a list of malicious software that MRT is intended to protect against.

From a forensic analysis perspective, this provides some good information with respect to malware that may or may not be on the system.

I put together a quick RegRipper plugin to address this key, and when run via rip.exe, the output looks as follows:

C:\Perl\forensics\rr>rip -r d:\cases\lenovo\software -p mrt

Launching MRT v.20080804
Key Path: Microsoft\RemovalTools\MRT
LastWrite Time Wed Jan 9 22:28:00 2008 (UTC)
Version: 330FCFD4-F1AA-41D3-B2DC-127E699EEF7D

Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT was last run. According to the KB article, each time MRT is run, a new GUID is written to the Version value.

If you check KB 891716 for the above listed GUID, you'll see that it corresponds to Jan 2008, which correlates to the LastWrite time for the key itself. By checking the chart in the KB, you can see the malware that the system is supposed to be protected against.

Notice I've added an "Analysis Tip" to this plugin. I've also included some additional information in the header to the plugin itself, which is simply a text-based file that can be opened in any editor...much like Nessus plugins.

ProDiscover 5 is out!

Technology Pathways announced today that ProDiscover 5.0 is now available! Updates include:

- Added the ability to investigate, extract, and report on Microsoft client email formats including Outlook and Outlook Express.
- Added the ability to read and add E01 (Expert Witness) formatted images.
- Added UNICODE support and localization for Japanese and Chinese character sets.
- Improved Microsoft Vista support for remote agent and client.
- Improved overall file I/O and Hashing performance.
- Fixed issue with random crash during content searches of specifically formatted images.
- Fixed long path issue effecting extraction of very long path items of interest from images.

If you're not a licensed user of ProDiscover, you can try out the Free Basic Version.

I've enjoyed using ProDiscover IR for a number of years now, to the point of using FTK Imager to convert EnCase .E0x files to dd format (which, apparently, I would no longer need to do) in order to open the case in ProDiscover. PD uses Perl as its scripting language, which for me, really rocks! The interface for PD 5 hasn't seen any radical changes, which is good...firing it up for the first time, I saw a lot of the familiar settings, with some additions of new ones, particularly the Email Viewer.

The Question of "whodunnit?"

One of the questions that comes up from time to time during an examination is "whodunnit?" Take an examination involving, let's say...illicit images. The accused claims that they didn't do it, so the question becomes, who did? Sometimes the answer might be that someone else sat at the keyboard of the computer and performed the actions that lead to the images being on the system, and in other cases, the answer might be that the images were the result of a remote attacker/hacker or malware. The latter is sometimes referred to as the Trojan Horse Defense, or malware defense. In 2003, this guy used the malware defense and was acquitted of breaking into gov't computer systems...his claim was that someone had hacked his system and then launched the attack. From the article:

A forensic examination of Mr Caffrey's PC had found no trace of a hidden program with the instructions for the attack.

And yet, he was still acquitted. Since then, this has been a concern to many a forensic examiner and law enforcement officer...what happens if the accused makes that claim? How can a forensic examination corroborate that claim, or disprove it all together?

First, let me say that there is no 100% certainty in every examination that any or all of these techniques are going to work. There are certain things that computer forensic analysis will not reveal...one of them being things that simply are not there (ie, an analyst cannot find CCNs or artifacts of an intrusion if there simply are none to be found). However, what I'd like to discuss is some of the finer points of technical forensic analysis that can provide a good deal of information, such that the proper authorities (counsel, jury, etc.) have a better foundation on which to base their decision.

One of the areas of incident response that we're moving into fairly rapidly now...this area has been picking up steam a good bit lately since its introduction in 2005...is the collection and analysis of physical memory. In just about a week, the OMFW will occur and there will be a good number of folks presenting on and discussing this topic. There are a number of tools available now that will allow a responder to dump the contents of physical memory from a Windows system (XP, as well as Vista), and then analyze that dump...locate running processes, network connections, etc. In addition, PTFinder (Andreas appears to be attending OMFW) may still allow the examiner to identify exited processes (lsproc does this for Windows 2000 and can be ported to other versions of Windows)...procL from ScanIT appears to do something similar. A number of other articles provide information on retrieving image files, Registry keys, and even Event Log records from a physical memory dump. Further, a recent print issue of Linux Pro Magazine has an article on pg. 30 entitled Foremost and Scalpel: Restoring deleted files, in which the authors state, "Foremost and Scalpel ignore the filesystem and can even restore data from RAM dumps and swap files."

Within the realm of computer forensic analysis, there are a number of areas of a Windows system in which artifacts indicating user activity may be found. These go beyond the traditional examination of browser history artifacts, etc., and can provide indications of user activity, as well as historical indications of when the user was logged into the system. Windows Event Log and Registry analysis are two of these areas, along with the overall correlation of artifacts from different parts of the system...the more artifacts that the examiner is able to pull together, the more complete a picture that can be developed.

For example, for a backdoor to be useful to an intruder, it has to remain persistent (see Jesse Kornblum's paper, Exploiting the Rootkit Paradox with Windows Memory Analysis) across reboots. There are only so many ways this can occur, with persistent stores being primarily within the Registry and the file system. Using tools such as RegRipper, the persistence mechanisms with the system and user Registry hive files can be displayed, and the file system persistence mechanisms can be viewed, as well, for any indications of suspicious entries.

The Windows Registry holds a wealth of information about software applications installed on the system. Some of this information differentiates between those apps run by the user, and those run automatically by the system. In addition, the applications themselves have traces and artifacts...antivirus applications generally maintain configuration information in addition to log files. The Windows firewall installed on XP and above maintains it's configuration information in the Registry. Many GUI applications...to include image and movie viewing apps...maintain lists of files that have been opened and viewed by those applications.

Knowing where to look and what to look for can give the analyst the ability to paint a very detailed picture of what occurred on the system. Windows XP is something of a fickle lover, as it will provide the knowledgeable examiner with a wealth of information, while at the same time using it's own inherent anti-forensic techniques to deprive more traditional examiners of those artifacts on which they traditionally rely. Remember Harlan's Corollary to the First Law of Computer Forensics?

The great thing about all this is that while it may appear to be magical, requiring knowledge beyond the reach of all but a few individuals...that's simply not the case at all. All of this can be incorporated into the examiner's forensic analysis process and methodology.

So, the question isn't, was there or was there a Trojan or backdoor on the system what was responsible for this activity...it's now, do you want to answer the Trojan Defense before you walk into the interview room with the defendant and their attorney?

Resources:
Ex Forensis post

Copying Files

Every now and again, I see the question of "where does Windows keep logs of files copied to a thumb drive, or CD/DVD?" Recently, I saw that question posted to several lists, as well as emailed directly to my inbox. ;-) As such, I thought it would be a good idea to address that issue here, and maybe get comments back from others with respect to how they might address this kind of situation.

In general, Windows does not maintain a record or log of files that are copied. Whether you use the command line "copy", or use drag-n-drop, there simply isn't a record on Windows systems that show, "on this date, user X copied this file from here to here". Using something like WMI, someone could surely write a file system monitor that looked for and correlated file accesses to file creations...but that might be complicated, as you would need to also alert on removable storage devices being attached to the system and then include those within your monitoring scheme. However, this model wouldn't take into account instances in which a user opened a file in, say, MS Word, and then chose "Save As..." from the File menu and saved the file to another location.

If you have images of both pieces of media that you're interested in (ie, the hard drive, and the external storage media), you can use information from this MS KB article to gain some insight into the copy direction...if a copy operation did, in fact, occur. However, you may find a Windows shortcut/.lnk file in the acquired image of the hard drive, and a reference in the Registry to the thumb drive having been attached to the system in question. But what does this tell you? It may indicate that the user had accessed the document on the removable storage device, but it doesn't necessarily provide an indication of a copy operation.

Okay, so what if you find files...say, Word documents...with the same name on both pieces of media? Again, refer back to the previous MS KB article with respect to analyzing the MAC times of the file found in both images. I would also highly recommend hashing the files within each image (MD5, as well as perhaps also using ssdeep), as well as recording their sizes. If the files are the type that are known to contain metadata (Office or PDF docs, image files, etc.), extract and record that, as well.

The Future of IR

Many readers like to hear what others think is "the future" of something...what changes are coming down the road, how a certain segment of society or "community" will/should react to those changes, etc. Based on some of my own experiences, I thought I'd focus not so much on where I think things are going in the world of incident response (IR) and computer forensic (CF) analysis, but more on where IMHO I think things should be going.

For the most part, many of the changes that affect what we do as incident/first responders and forensic analysts are driven by outside forces. For example, storage media continues to increase in capacity, as well as complexity. Not only is the storage media itself (hard drives, thumb drives, etc.) increasing in capacity, but so is the complexity of how these are used (ie, multi-terabyte NASs and SANs, boot-from-SAN servers, etc.). Add to that increased sources (iPods, cell phones...let's not even discuss cell phones and PDAs...) of data (I'm refraining from the use of the term "evidence", but in many cases, it's synonymous with 'data'), as well as changes in operating systems and applications themselves, and the level of complexity is quickly surging out of control.

Our world is changing...so what do we do about it? Well, for one, we can adapt and change how we do things in order to keep up, with the goal being to try to get one step ahead of the "bad guys". Rather than looking only at an acquired image of the physical drive, start conducting more live response and going into memory for data. Folks like ManTech and Volatility Systems make this sort of thing possible.

As incident responders, our needs are changing...sometimes even when we're not aware that they are. Folks like Matt Shannon have recognized this, and as a result have produced tools such as F-Response. Matt has separated the presentation and collection phase of IR/CF from the analysis phase, making even collection of data vendor-agnostic. What this means is that using F-Response, you end up with a drive icon on your forensic platform that you can then acquire, read-only, regardless of what you've got on the other end (RAID, SCSI, SAS, etc.). You can then use any tool to acquire your image, and any forensic analysis application to perform your analysis.

The thing is, Matt comes from the managed forensic services world...which is something that itself should be growing as corporate IT goes green. With the corporate IT perimeter continuing to disappear and cybercrime increasing, there is a growing need for quicker response times - that is, less time between discovery of an incident (or breach) and someone actually taking action to address it. Many organizations do not seem to be interested in training their own staff to perform first response and containment, so there needs to be a way to get data collected and analyzed and initiate response activities in a timely, efficient, and correct manner. Managed security monitoring services aid greatly in the detection (and prevention) of incidents, and managed forensic/IR services using tools such as F-Response (Enterprise Edition) would greatly decrease response time. However, managed forensic services require a great deal of trust between the customer and vendor, and that trust takes time to develop.

IMHO, innovations such as F-Response and the Volatility Systems tools are not taking us to the cutting edge of IR capabilities...rather, the people behind these innovations are creating the absolute bleeding edge of incident response.

We need to take a look at what we do and how we do it, examining and adapting our procedures and processes, based on what makes sense to us...not what makes sense to an application vendor.

Imaging Devices in the Registry

I ran across an interesting blog this morning that had to do with Windows image acquisition devices, and where files are stored. These devices aren't write-blockers (what most forensic analysts may think when they hear "image acquisition") but instead digital cameras, like the MS LifeCam. The post mentions a GUID that is part of the directory path, and a search at the MS site reveals the following:

Identifier:	GUID_DEVINTERFACE_IMAGE
Class GUID:	{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

As a corporate consultant, I don't do a great deal of work with illicit images...however, this post does show what kind of information about image capture/acquisition devices (aka, cameras) is resident within a system image, and in particular within the Registry. The question then becomes, what other information is available?

While this specific post may apply more appropriately to law enforcement (i.e., illicit images), I can see how our team might get a call from a corporate customer regarding issues like someone taking pictures of other employees without their consent, etc. So this is great information to keep in mind.

Note that this does not apply to digital cameras that someone hooks up to their system via a USB cable and copies pictures from the camera memory device. Such devices are treated by Windows as removable storage...what we're talking about here is devices controlled via WIA in order to capture images/pictures, such as web cams.

Addendum: Apparently, some still image devices will be added to the Registry, even if they are only connected via USB and images copied off of them.

And yes, Virginia...there is a plugin! Rip.exe output looks like:

C:\Perl\forensics\rr>rip -r d:\cases\system -p imagedev
Launching imagedev v.20080730
imagedev
ControlSet001\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

Still Image Capture Devices
hp photosmart 320

Resources:
How the Windows Image Acquisition Service Stores Images from a USB Camera in Preview
Registry Entries for Still Image Devices

BRAP Forensics

Sometimes I have to marvel at the little pearls (as opposed to Perl!!) I find through sites like eEvidence...Christina's diligence in ensuring that there is always new information added to the site really makes it worthwhile to stop by at least once a month and see what's new.

One of the items I really enjoyed was Hal Berghel's article on BRAP Forensics. In this article, Hal talks about some of the nice little bits of debris or (in his words) "guano" left behind by browsers and applications, as well as OLE file (MS Word) metadata and Recycle Bin/INFO2 file analysis. Hal also mentions Registry analysis, particularly of the NTUSER.DAT file. For the most part, Hal refers to these tidbits in negative terms but for forensic analysts working on an examination, these tidbits can be priceless. I've used many of these techniques...sometimes in combination...to extract some extremely useful information from an examination.

Resources
Mandiant's WebHistorian

Challenges

As I sit here behind my keyboard, looking at my desktop, I have a couple of items on my plate...things to do...some short-term, some long-term.

One short-term item I keep in mind is, how can I do what I do better? What were some of the challenges I had to overcome on a recent (or several recent) engagement? How could I prepare myself better in the future? This usually results in an update to my own personal IR toolkit, either through a tool (something I've downloaded, or something I've written), or a methodology/process.

One long-term item is preparing to update Windows Forensic Analysis for its second edition. Lots of opportunity there...with tools like RegRipper, a lot of the smaller scripts just go away, and their functionality gets incorporated into a plugin of some kind.

When thinking about these things and actually beginning work on any/all of them, I find myself thinking, what challenges do others face? I'm a consultant by day, and a forensics nerd by...well, all the time. I do primarily corporate work, but I know that folks who hold FTE (full-time employment) positions within organizations doing what I do have a different set of challenges that they face. Throw LE into the mix, and you can see that based on the direction from which you approach IR/CF, and how you're involved in either (or both), you're going to have a different perspective, and a different set of challenges.

What are your challenges? Are they technical? Political?

RegRipper Plugin

Jason has written the first RegRipper plugin (pagingfile.pl) that I'm aware of to be written by someone other than me! The plugin returns the location of the pagefile for Windows systems.

Great job, Jason! If you want to post the plugin for public consumption or include it in the distro, let me know. And thanks for taking that first step!

ShutdownCount

I was tooling around the Internet last night and ran across the "Forensics from the sausage factory" blog...and to be honest, my first thought was, "Oh, snap!"...it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff...

Anyway, I did find some pretty interesting posts, like this one. Like a fish, I'm easily distracted by shiny objects...in this case, anything that has to do with forensic analysis and the Registry. This post mentioned the following value:

HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount

Interesting. According to the post, this maintains a count of how many times the system was shut down. Most of the information regarding this value that I've been able to find via Google has to do with CastleCops and spyware scans...not sure why. I did find some info at MS on this, but it has to do with a Watchdog timer for video display drivers.

Any thoughts?

Any other keys/values of interest? If so, it's usually helpful to state why the key/value is of interest to forensic examiners (or incident responders).

Yes, I created a plugin for this value. ;-)

Deleted Keys in the Registry

Have you ever thought, what happens when keys are deleted from the Registry? Yeah, me, too. Where do they go? Well, as it turns out, they appear to hang around, in Registry hive file "unallocated space".

A bit ago, Jolanta Thomassen asked me to help with ideas (and be her sponsor) for her master's thesis, and I threw out Registry "slack" or unallocated space recovery...which she picked up and started running with right away. So far, she's done a great job of locating "deleted" Registry cells, the most interesting (to forensic examiners) of which are cells representing Registry keys, as keys have pointers to their parent keys (so that you can reassemble the full path of the key), timestamps (aka, LastWrite time), as well as pointers to their values. All of these maybe useful to a forensic examiner.

Not only that, but she's writing her code in Perl! This makes it easy for me to understand, add print() statements to (ie, "poor man's debugger"), and modify. For example, I've borrowed her search code, and added in my own code for parsing the key cells, etc., so that I can better see and understand what's going on. In some ways, it's not too different from looking for processes in a memory dump using a brute force approach...you read in values, and make decisions about the type of cell you've found based on those values.

Okay, so I've focused on Registry keys, as I tend to think that they are the most useful to a forensic analyst, for the reasons stated above. By themselves, Registry values found in hive file "unallocated" space may not be entirely useful...without any time-based information, or anything else to reference to (ie, like a key), they're about as useful as finding some text in the pagefile or file slack.

Addendum: Got some code working (finally!) to track backwards through the hive file once a "deleted" key has been found, and attempts to reassemble the full path name of the key. Jolanta already has this working, but I wanted to give it a shot. Below is an excerpt from my code outupt (still with debug info showing):

0x0008e474 456
Software\Microsoft\Windows\CurrentVersion\Explorer
\MountPoints2\{2490fb13-f08b-11d8-958e-806d6172696f}\
Shell
LastWrite = Mon Sep 26 23:37:22 2005
Subkeys = 0
Values = 1
Ofs_LF = 0xffffffff

0x0008e4e4 344
Software\Microsoft\Windows\CurrentVersion\Explorer\
MountPoints2\{2490fb13-f08b-11d8-958e-806d6172696f}\
Shell\AutoRun
LastWrite = Mon Sep 26 23:37:22 2005
Subkeys = 0
Values = 1
Ofs_LF = 0xffffffff

0x0008e32c 784
Software\Microsoft\Windows\CurrentVersion\Explorer\
CD Burning\Current Media
LastWrite = Mon Sep 26 23:34:10 2005
Subkeys = 0
Values = 6
Ofs_LF = 0xffffffff

Notice with the first two keys above, the second is a subkey of the first, yet actual data from the first key's structure states that there are no subkeys available. Interestingly, names, LastWrite times and links to values are retained when a key is deleted, but links to subkeys are not.

Another interesting artifact retained in deleted Registry keys can be seen in the output of one of the code samples Jolanta sent me:

$$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\
Explorer\CD Burning\Current Media
Last modified: Mon Sep 26 23:34:10 2005
-->REG_BINARY; TotalBytes; 00 88 10 00 00 00 00 00;
-->REG_BINARY; FreeBytes; 00 00 00 00 00 00 00 00;
-->REG_DWORD; Media Type; 2;
-->REG_DWORD; UDF; 1;
-->REG_SZ; Disc Label; PDServer25;
-->REG_DWORD; Set; 1;

Interesting...it looks as if on 26 Sept 2005, someone burned a CD with the label "PDServer25". This demonstrates some pretty interesting potential for time-based information that may be useful to a forensic examiner.

Forensic Analysis Applications

As a forensic nerd, I'm familiar with...either directly or indirectly...a number of tools. Like most folks, I try not to be specific to a single tool, but rather understand what I need to do, and then select the appropriate tool for the job. I've used EnCase (going back as far as v.3), FTK, ProDiscover, and recently I've had an opportunity to work with X-Ways Forensics. I have access to SMART and MacForensicsLab, although I can't admit to having used either to a great extent. I've also seen PyFlag in action, and at one point (several years ago) I even installed TSK/Autopsy on a Dell Inspiron 5150 laptop running Windows.

Before I go any further, let me say that I'm separating data collection from data analysis. If anyone's read my books, you'll know what I'm talking about. When discussing functionality in a forensic analysis application, I'm not going to be discussing the applications ability to acquire data (ie, an image)...only to present it. A great example of this is Matt Shannon's F-Response...Matt has focused solely on allowing incident responders to collect data in a vendor-agnostic manner, allowing them to use any tool they want to acquire an image from a live system.

That being said, all of these tools are just that...tools...and each has it's own strengths and weaknesses. I won't go into detail on that here, because to be honest, at some point, these things really start to become a matter of perspective. By that, I mean that I do certain kinds of analysis...intrusions, breaches, suspicious activity, etc...and I don't do other kings of work (ie, CP). Some tools are great for certain types of analysis and the folks who use them know how to navigate the application to perform those functions really well. Each forensic analysis application provides the user with a layer of abstraction of the data, as well. While the examiner may see the hex data that corresponds to the contents of the image being analyzed, she may also see things like the volume identifier, drive letter, file structure, and icons representing files and directories...all of which are abstraction layers that present and represent the data to her.

However, I don't feel that I'm completely limited by these forensic analysis applications. In many cases, I may have a need that I can fulfill by either using another tool, or by creating my own tools. For example, I do a considerable amount of Registry analysis when analyzing a Windows system. As such, Registry Viewers similar in function to RegEdit don't offer me a great deal of functionality. This is why I wrote RegRipper...and it's also the reason I've written other tools (like the ones on the DVD that ship with my book).

Working with these applications, I've found that in many ways, they're all vastly different...different in the capabilities they provide, and especially different in how you would go about getting them to perform a certain function and then display the results. Most applications abstract packages of data as 'cases' and that's great...each has their own way of requesting and storing the case-specific (examiner, date, etc.) information. Then try just adding an image file to the case...I think you can see where I'm going with this.

The issue I see facing us, as a community of forensic examiners, is that we're making our own jobs harder through complexity. I say "our" because as (heavy) users of forensic analysis applications, we should take it upon ourselves to provide input and feedback to the developers of the forensic analysis applications. We're facing the same issues we always see...storage media is increasing in capacity, data (aka, "evidence") can now be found in more sources and formats (cell phones/PDAs, physical memory/RAM, email .PST/.NSF files, etc.), and the forensic analysis applications themselves are adding to the complexity itself. There's more and more available data to analyze and it appears to me (via my own experience as well as viewing public and vendor lists/forums) that the design of forensic analysis applications is adding to the overall complexity, making it harder to get to the data presentation and reduction that is so important.

My thought is this...a forensic analysis application needs a core set of functionality and capabilities. Beyond that, additional functionality can be added through plugins or modules, as well as scripting capability via an extensive and usable API. A forensic analysis application should be a data presentation application...actual "analysis" needs to be done by the examiner or analyst themselves.

Core Functionality
- Stability - 'nuff said!
- Simplicity - again, this is all relative
- Be able to open/add/import standard and the most popular image file formats
- Be able to recognize and present a wide range of file systems
- Searches (grep/regex, keyword, filename) across all files, including inside files such as archives (zip, bz2, rar, etc.)
- File type/signature analysis
- File Carving
- Timeline creation
- Ownership/permission searches
- Hash creation/comparison
- Image viewing (aka, "Gallery View")
- Segregation of data between 'cases'
- Extensibility (via scripting API, and separate plugins)

This is just my list of core capabilities for forensic analysis apps, and shouldn't be construed as being comprehensive. Like I said before, there are going to be examiners who heavily rely on the Gallery View available in most forensic analysis apps for what they do...and there are going to be examiners (like me) who will start an examination by opening the 'case' and extracting certain files for detailed analysis. It's all a matter of what you do, and your personal preference.

Being a forensics nerd, I do understand economics. I do understand why some forensic analysis apps are designed the way they are...there is money to be made through providing training and support by making your application proprietary. There are forensic applications available and in extensive use for which the training is more about how to navigate the GUI rather than actually do productive work.

Don't get me wrong here...all I'm saying is that IMHO, I'm seeing certain aspects of what we do, and how we do it, as a "community", and I'm thinking...wow, can't this be easier and more straightforward? Shouldn't it be possible to get an analysis application that is stable, presents the data in a straightforward manner, and allows me to perform certain data reduction functions easily and accurately? Instead, why are we faced with applications whose interfaces become more complex and less easy to navigate between major releases, and at the same time loose or break major core, underlying functionality at the same time? And why are we charged thousands of dollars more for this new version? What's the focus here?

My goal here is neither to make forensic analysis so easy that a caveman could do it, nor to make so difficult that only a very select (genetic mutations) few could do it. I simply think that we've gone so far afield with the development of these applications that we've lost sight of what's actually necessary. I'd love to see a forensic analysis application that for one price comes with a core set of functionality (see above) for one price, and is simple and stable, and can be extended via a simple scripting API. Beyond that, include an a la carte menu of plugins or modules that will NOT increase the complexity of the application but instead simply add to its capabilities. For example, say an application that presents the file system within the image in an Explorer-style interface, and then a plugin that will allow the examiner to add .PST files to the case, open them in a similar style interface, and also allow the contents (including attachments) to be viewed, searched, etc...all without crashing the main app.

...or am I just completely out of my mind here?

Process-to-port Mapping

During first responder activities, be they simple troubleshooting or incident response related, one of the important pieces of information that can really provide some insight into the behavior and status of a system is process-to-port mapping.

Why is this information important? Well, it really depends on what you're looking for, but if your initial indicator or notification of a potential security incident is "unusual traffic" originating from a system, then you'd want to know what process was generating that traffic...right? After all, there are a couple of truths you need to keep in mind when troubleshooting or performing IR activities. One is that network traffic never spontaneously emanates from a system without a cause...there's always some process involved. Another is that nothing happens on a system without some code executing as part of a thread/process.

Okay, moving on...

With NT, getting process-to-port mapping information wasn't easy. You had to use a tool like fport to get the information. The same was true for Windows 2000, and it was really cool that as of XP, netstat.exe had the '-o' switch added so that you could get the network connections with the associated PID all on one line (this is great for scripting! =) )

Many folks may not be aware that there was an update to Windows 2000 that added the '-o' capability to netstat.exe on that platform. If you've got Windows 2000 systems, this is a great update to add, so that (as an admin) you have the capability to get the information you need.

Another tool you can use to get this information during IR activities is tcpvcon. I prefer this tool because it can be included in a batch file (reducing overhead), and the output can be sent to .csv format, which is great for parsing with Perl scripts.

Analysis Tip: One of the things you might run across during an engagement is working with admins who are network-centric...or being one of those network-centric admins. For example, you may get some indication of an issue from traffic captures, or IDS/IPS/firewall notifications or logs. In such cases, you very often have a couple of pieces of information available to you, one of them being the source IP of the traffic, which you would likely use to locate the system from which the traffic originated (assuming that it wasn't spoofed). But guess what? You will very likely also have the source port for the traffic...and this will information (if you don't ignore it) may assist you in identifying the process from which the network traffic had been generated. Something as simple as "netstat -ano | find " may be all you need to do to find the process that generated the traffic.

How is this important? Well, one more than one occasion, incident responders such as myself have encountered those who've said, "...we saw some unusual traffic, found the system, and scanned it with [insert AV product name], and found a virus." In such cases, there may be no correlation whatsoever between the traffic and whatever the AV product found (could've been a DLL or a Registry key...) - this is "incident response by assumption/speculation", which is about as bad as "security through obscurity".

Analysis Question

Didier Stevens recently posted a Python script that will create a .VBS script with an embedded executable. This kind of reminds me of the stories about MIT in the late '60's, when the freshmen would try to crash the server, and the admins wrote the "servercrash" script...to sort of remove the mystery and ability to claim bragging rights from the whole mess.

Didier's script presents an interesting opportunity...what would you look for if you were analyzing a system and trying to determine if something like this had been used? Any thoughts? Grab the Python script, maybe install ActivePython, and see what you come up with...

Most Wished For...

Grabbed this image off of Amazon this morning..."Windows Forensic Analysis" is the #1 Most Wished For book in the Computers & Internet -> Security & Encryption -> Forensics category. Very cool! Just the other day, it was listed as #2...I'm sure it fluctuates back and forth. Even so, it's way cool!

A couple of other books you should be looking out for are Unix and Linux Forensic Analysis, but Chris Pogue, Cory Altheide, and Todd Haverkos, and Malware Forensics, with Eoghan Casey listed as one of the authors. Both books are on their way out, and definitely worth the wait!

Determing the OS version from an image

I was perusing the ForensicWiki list of recently added pages this evening and ran across an interesting page/placeholder titled, Determining OS version from an evidence image. The section on Windows systems was...well...empty. I had blogged on this a bit ago, but thought that I'd add a couple of things that might be of help...

From the image, locate the Windows (or WinNT)\system32\config directory, and extract the Software file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).

To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.

In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.

Hope that helps...

Memory Collection and Analysis, part II

Based on my last post, I wanted to throw some quick tests together and see how things worked out...here's the results of what I found...

So, first off, I wanted to run ManTech's mdd...or memdd.exe, as it were. That worked out very well...ended up with a nice output file after running memdd.exe (renamed to mdd.exe) version 1.1:

06/17/2008 10:51 AM 23,520 mdd.exe 06/17/2008 10:56 AM 3,210,854,400 test.dmp

Next, I ran winen.exe, the tool available from GSI, as part of the EnCase 6.11 install (yes, I am a "dongled", licensed user). As I was running this on a Windows XP SP2 system with 2.99GB of RAM (4GB on the board) and used the defaults in the configuration file (except for where I was required to make an entry), I ended up with a total of five .E0x files. I then opened the .EO1 file as an evidence item in FTK Imager Lite v2.5.1 and, as expected, Imager did not recognize the file system. However, Imager appears to have read the EWF header info just fine, because it recognized what I had entered into the config file.

So I then chose Create Disk Image from Imager's File menu item, and chose Image File from the Select Source dialog. During the process of selecting options, I chose to have Imager output the image in 2000MB files (as opposed to the default 640MB file sizes used by winen). This resulted in two image files (winen.001 and .002), which I then cat'd together using the type command on Windows into a single file (winen.bin):

06/17/2008 01:18 PM 2,097,152,000 winen.001
06/17/2008 01:19 PM 1,113,702,400 winen.002
06/17/2008 01:42 PM 3,210,854,400 winen.bin

Notice that the file size for the final winen.bin file is the same as the test.dmp file created using mdd. Very cool.

Now...what to do with it? Well, that's where Volatility 1.1.1 comes in...I grabbed ActivePython, installed it, and was up and running with Volatility 1.1.1 in no time! I was able to view the process list, run the 'dlllist' command to get modules and the command line for each process, etc...all very cool stuff. Volatility worked very well on both memory dumps...not just the winen/FTK one, but the mdd RAM dump, as well.

So what's next? Well, I'd like to see about digging a bit deeper into the dumps, including:

- As Moyix discussed, enumerating Registry hives (or just keys and values) from memory
- Run Andreas's PTFinder against the memory dump and develop graphs of the processes using Richard McQuown's PTFinderFE
- Attempt to do file carving via scalpel

Anything else? What's in your wallet? =)

Take aways from this...it's likely that like linen, winen.exe will show up on IR tools distros...but you're not restricted to using EnCase to perform analysis of the memory dumps produced by such tools. Using free tools, you can convert the .E0x files to a dd-style format, and then use other freely available tools to parse through the memory dumps.

Addendum: Got this from someone who ran kern.pl on a memory dump from XP SP3 recently...

File Description : NT Kernel & System
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Internal Name : ntkrnlmp.exe
Original File Name :
Product Name : Microsoft(R) Windows(R) Operating System
Product Version : 5.1.2600.5512

Pretty sweet, eh?

If you're using winen.exe to collect the contents of RAM and you're also using EnCase, you might want to check out these EnScripts from TK_Lane that will pull process information from the .EOx files. I haven't tried them yet, but thanks, TK, for providing them!

Memory Collection and Analysis

As a follow-on to my previous post regarding OMFW, there have been some developments in the area of memory dumping and parsing (ie, collection and analysis) that have occurred over the past couple of months.

Lance Mueller posted on the new standalone memory dumping tool that is part of EnCase 6.11. Interesting tool as it apparently dumps the contents of physical memory from Windows (Windows 2000 through Vista) to an EnCase .E0x file format, for inclusion in a case. According to the documentation, there's functionality to extract that memory dump from the .E0x file format to something usable by HBGary's Responder product. Note: Initial testing indicates that FTK Imager will successfully convert the resulting .E0x files to a dd-style format for use with other tools.

Jesse Kornblum referred mdd to me. This one looks promising...captures memory from Windows versions through Vista and 2008. Jesse posted some clarifications about this tool on his blog. As it stands, this appears to be the first free tool to dump RAM from Windows 2000 through 2008, inclusive, in a dd-style format. Note: Updated version 1.1 was released on 17 June.

So available tools for collecting the contents of physical memory are becoming more available. From an analysis standpoint, I really think that you want to keep your eyes on the guys over at Volatility Systems, though.

Addendum: win32dd is available from Matthieu Suiche. I just found out about this so I haven't had an opportunity to try it...but I am looking forward to adding it to the list of tools to test!

Andreas blogs on the new tools...great stuff, very comprehensive view of where this all stands at the moment.

NTFS Alternate Data Streams

NTFS Alternate Data Streams (ADSs) have been around since the dawn of...well...NTFS. Windows OSs ship with plenty of tools to create (and execute) ADSs, but the cool thing is that until Vista came along, there were not tools provided with the Windows operating systems that allowed you to see arbitrary ADSs that had been added to your system.

Caveat: There are some tools that do allow you to see specific ADSs, but those are only in very specific instances. Even Windows systems themselves make use of some specific ADSs, as well.

And, yes, you heard me right...from NT up through Windows XP and 2003, someone could create arbitrary ADSs on your system, using tools on the system...but there are no tools that ship as part of the OS that allow you (as an admin) to find and/or view these ADSs. On Vista, you can use dir /R to view arbitrary ADSs.

An interesting kicker is that ADS can not only be attached to files, but directory listings, as well, using the same command line syntax, with a slight alteration...

D:\>type c:\windows\system32\calc.exe > d:\ads\:calc.exe

Running tools such as LADS (from Frank Heyne, see below) we see that the ADS is indeed attached to the directory listing. We can launch this executable using the same syntax as was used to create it:

D:\>start d:\ads:calc.exe

Pretty sweet, huh? This is how tlist.exe sees it:

2640 ads:calc.exe Calculator Command Line: "d:\ads:calc.exe"

You see pretty much the same thing in Task Manager, as well.

This topic is covered in both of my books...Windows Forensics and Incident Recovery and Windows Forensic Analysis. From these resources, you can see that ADSs can be used to "hide" files and data, but also be used as a repository for executables, as well as scripts.

Resources
My original paper, The Dark Side of NTFS
Frank Heyne's LADS
SoftCorp scSTREAMS
Rootkit that uses ADSs
WindowsIR on ADSs

Portable Devices on Vista

Rob Lee shared an interesting tidbit of Vista Registry goodness with me recently...basically, the Vista Registry maintains some historical data on the drive letters that had been assigned to portable devices. Sweet!

The key in question is:
HKLM\Software\Microsoft\Windows Portable Devices\Devices

The subkeys beneath this key contain the device names...and the FriendlyName value contains the drive letter.

Rob discovered this as a part of the Computer Forensics SANS course as part of the section on Application Forensics where he and the class were examining U3 device footprints on a VISTA machine. (rlee@sans.org for contact info)

Very cool, Rob, and thanks for sharing!

And yes, I've already written a plugin for RegRipper...I KNEW you were going to ask that! =)
The output looks like:

Device : DISK&VEN_APPLE&PROD_IPOD&REV_1.62
LastWrite : Fri Sep 21 01:42:42 2007 (UTC)
SN : 000A270018A0E610&0
Drive : IPOD (F:)

Device : DISK&VEN_BEST_BUY&PROD_GEEK_SQUAD_U3&REV_6.15
LastWrite : Thu Feb 7 13:26:19 2008 (UTC)
SN : 0C90195032E36889&0
Drive : GEEKSQUAD (F:)

Device : DISK&VEN_CASIO&PROD_DIGITAL_CAMERA&REV_1.00
LastWrite : Sat Dec 15 01:17:56 2007 (UTC)
SN : 6&14BB4B7C&0
Drive : Removable Disk (F:)

RegRipper Plugin Updates

Pretty much everyone is aware by now that the full version of RegRipper is available on SF.net. I made a couple of minor updates to some of the plugins the other day (so you won't find these in the currently available distribution) that I wanted to mention briefly...

First, I updated the winnt_cv plugin so that the InstallDate value is converted to a readable time stamp, such as:

InstallDate : Fri Aug 31 15:21:10 2007 (UTC)

Much better than just spewing the DWORD data to the output, don't'cha think?

Second, after using RegRipper on some actual engagements recently, I decided that I wanted a plugin that would display information about the services in a shorter format so that its easier to read. The services plugin displays the following about services and drivers:

Name = SNMPTRAP
Display = @%SystemRoot%\system32\snmptrap.exe,-3
ImagePath = %SystemRoot%\System32\snmptrap.exe
Type = Own_Process
Start = Manual
Group =

The svc plugin (get it...shorter name, shorter format for the output??) displays the following about services:

Thu Nov 2 12:53:48 2006Z
Appinfo (%SystemRoot%\system32\svchost.exe -k netsvcs) [LocalSystem]

Thu Nov 2 12:53:38 2006Z
SessionEnv (%SystemRoot%\System32\svchost.exe -k netsvcs) [localSystem]

Thu Nov 2 12:53:22 2006Z
TrkWks (%SystemRoot%\System32\svchost.exe -k LocalSystem NetworkRestricted) [LocalSystem]

Thu Nov 2 12:53:11 2006Z
Dhcp (%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted) [NT Authority\LocalService]

The svc plugin grabs much of the same information as the services plugin, but presents it in a shorter format, so that it's much easier to read at a glance. In addition, svc also grabs the ObjectName value (if available), which indicates the account that the service runs under.

For analysis purposes, I generally try to look for services and drivers that have a LastWrite time around the reported date of the incident, as this has indicated the use of keystroke loggers and kernel-mode rootkits.

What's also really sweet about this is that, as always, the plugins work great with rip.exe...check out the batch files that were included in the most recent distribution of RegRipper.

Two other items that are yet to be completed (currently in progress) with regards to RegRipper are:

1. Extraction of time-based data in a common format, for correlation with other sources of time-based data, and then display of that data using Timeline or some other visualization tool.

2. Development of a separate, standalone copy of rip.exe (to start, anyway) that will not only run a plugin or plugins file against a hive, but also against the appropriate hive files in XP System Restore Points (all automatically).

Thoughts? Just more RegRipper goodness...no hive files were harmed in the making of these tools or of this post...

Some UpComing Events

There are some interesting events coming up this summer (and beyond) that I wanted to point out to folks...

DFRWS is this summer (11-13 Aug), but the Open Memory Forensics Workshop (OMFW) will be held just prior (info here, update here). OMFW looks like a great opportunity...it's a half-day event, but looking at the list of speakers and panelists...wow! If you haven't already, grab books off of your bookshelf (I *know* most of you recognize author names...) and get your copies signed! OMFW is brought to you by the letters M and S, and these guys.

If anything, this really shows how the interest in analysis of physical memory is really picking up. More than anything, I'd have to say that the interest is really been driven by the guys over at Volatile Systems, along with a host of other names. There is a great deal of extremely valuable information available in physical memory (RAM), and these guys are leading the way in showing us what's there, and providing tools for getting at it and making it available, but more importantly, useful to analysts.

As a side note, if you look around the community/industry, there is a big piece that's missing right now...collection. That's right...there are open source and commercial tools (from Mandiant and HBGary...and HBGary is apparently partnering with GSI) that provide the ability to parse, comb through and analyze a physical memory dump, but very few that provide the ability to extract the contents of RAM from Windows 2003 SP1 and above (e.g., Vista, Win2K8) systems. I even received an email from a friend at MS yesterday asking me if I knew of any such tools. One would naturally assume that we'd eventually see such a tool from MS/SysInternals. One way to go about changing this...buy more F-Response!

Note: Paraben is having an Innovations Conference in Utah in Nov, 2008. They also let you vote for a company or product that you feel is most innovative for 2008...I voted for F-Response.

Okay, back on track...what was I talking about? Oh, yeah...

Looking at the program for DFRWS 2008...yet another impressive line-up. I'm hoping to go...working for a large corporate (think "glacial") entity (think Borg cube), these requests are always in limbo. However, I'm very interested in Timothy Morgan's talk, as well as a couple of others. It also looks as if some of the speakers from OMFW are going to be on deck for DFRWS, as well. Maybe a good opportunity to ply familiar faces and famous names with some of the locally brewed beverages.

Interestingly enough, the local RCFG conference (which overlaps with DFRWS this year) has been cancelled. That's too bad...this conference is held on the GMU campus and for the most part is a nice, smaller conference. However, with the right leadership, it has the potential to really be a premier conference...not just for local LE, but in general. In fact, an interesting thought would be that since some folks are going to be in the area anyway, talking about the same topic...

Also, in Jan 2009, there is the DoD CyberCrime Conference...Jesse mentioned the CfP here. It's too early to list the speakers, but I had an opportunity to visit the conference in 2007 and it was a good one...lots of attendees, lots of events, lots of really great speakers.

Job Openings

Okay, I'm going to take a slight divergence from the normal content of this blog to reach out to all of you, my loyal readers...according to Google Analytics, both of you. =D

Anyway, as you may or may not know, by day I am an incident analyst for the IBM ISS Emergency Response Services (ERS) team...and we're looking to expand. By that I mean add qualified members to our team. And not just here in the US, but also in Australia, AsiaPac, Japan, and EMEA.

So you're probably wondering what we do...good question. In short, we respond to incidents on an emergency basis. The basic idea is that we get a call, from a current (or soon-to-be) customer and we triage the incident and deploy the necessary assets. Each team member has a jump kit of equipment, both hardware and software (plus our tools of our own choosing), and we arrive on-site to assist the customer in resolving the incident, through incident management, data collection and analysis, and pretty much whatever else we need to do. In many cases, we collect data and return to the lab to perform analysis.

We also do Visa PCI forensic audits, as well. In addition, we have subscription customers that we service, as well, with on-site visits, training, CSIRP development, mock incidents, etc.

Of course, there's all the other stuff that goes along with this kind of work...report writing, keeping track of expenses and billable hours. I guess a lot of that is to be expected, but I thought I'd mention it anyway.

So what we're looking for is someone with experience in incident response (beyond just running an AV scanner, or just wiping the drive...), volatile data collection and analysis, forensic acquisition and analysis, documentation and justification of activities, reporting, and customer interface. All of these things are important in what we do.

If you think that this is something you'd be interested in, please feel free to send me a copy of your resume here or here.

Finally, this is NOT a sub-contractor opportunity...this is a full-time employment position.