Friday, April 30, 2010

F-Response & Some Mo Stuffz

I know I've mentioned this already, but this one is worth repeating...Matt's up to v3.09.07, which includes support for access to physical memory on x64 systems, and a COM scripting object for Windows systems.

I have to say, back when Chris opted to add Perl as the scripting language for ProDiscover, I was really excited, and released a number of ProScripts for use. Matt's really big on showing how easy it is to use F-Response (Matt is incredibly responsive and has released Mission Guides), and has released a number of samples that demo the ability to script tasks with F-Response EE through VBScript, Python, and yes...Perl! My favorite part of his demos is where he has the comment, "Do Work". ;-)

Last year, Matt released the FEMC, taking the use of F-Response EE to an entirely new level, and with the release of the scripting object, he's done it again. Imagine being able to provide a list of systems (and the necessary credentials) to a script, and sitting back to allow it to run; reach out to each system, perform some sort of RegRipper-like queries of the system, look for (and possibly copy) some files...and then you come back from doing other work to view a log file.

I've done some work, with Matt's help, to get a Perl version of his script working against a Windows system, just to kind of get familiar with working with some of the functions his COM object exposes. I have VMWare Workstation and a couple of Windows VMs available, and the biggest issues I ran into were having the firewall running (turn it off for testing), and an issue with connecting to remote shares, even default ones...I found the answer here. I made the change described just so that I could map a share as a means for testing, and then found out by flipping the setting from "Classic" back to "Guest Only" that an untrapped error would be thrown. Once I had the F-Response License Manager running on my analysis system and the adjustment made on my target testing system, the script ran just fine and returned the expected status.

The script I wrote, with Matt's help, runs through the process of connecting to and installing F-Response, running it, enumerating targets and then uninstalling F-Response. The output of the script looks like:

Status for Avail, not installed
Status for Installed, stopped

Status for Installed, started
Status for Avail, not installed

I should note that in order to get pmem as a target, I had to open FEMC and check the appropriate box in the Host Configuration dialog.

As you can see, the script cycled through the various states with respect to the target system, from the system being available with no F-Response installed, to installing and viewing targets, to removing F-Response. With this, I can now completely automate accessing and checking systems across an enterprise; connect to systems, log into the appropriate target (vol-c, for example), and as Matt says in his sample scripts, "do work". Add in a little RegRipper action, maybe checking for files, etc.

Awesome stuff, Matt! For more awesome stuff, including a video and Mission Guide for the COM scripting object, check out the F-Response blog posts!

Awesome Sauce Addendum: The script can now access/mount the volume from the remote system, then uses some WMI and Perl hash magic to get the mounted drive letter on the local system, and then determines if Windows\system32 can be found. Pretty awesome sauce!

Didier has updated his PDFiD code recently to detect and disarm the "/Launch" functionality. Didier mentions that this is becoming more prevalent, something important for analysts to note. When performing root cause analysis, we need to understand what's possible with respect to initial infection vectors. Many times, the questions that first responders need to answer (or assist in answering) include how did this get on the system, and what can we do to prevent it in the future? Many times, the actual malware is really the secondary or tertiary download, after the initial infection through some sort of phishing attack.

Over on the Offensive Computing blog, I saw that JoeDoc, a novel runtime analysis system for detecting exploits in documents like pdf and doc, has been released in beta. Check it out...JoeDoc currently supports the PDF format.

If you're trying to determine if there's malware in Flash or Javascript files, you might want to check out wepawet.

In the first edition of the ITB, Don wrote an article on potential issues when using an Internet-connected system to view files in FTK Imager. John McCash posted to the SANS Forensic Blog recently regarding a similar topic, one that was covered at ThotCon recently.

Okay, so what's the issue here? Well, perhaps rather than making artifacts difficult to find, an intruder could put out a very obviously interesting artifact in hopes that the analyst will view it, resulting in the infection of or damage to the analysis system.

Also check out iSEC's Breaking Forensic Software paper...

Friday, April 23, 2010

Links...and whatnot

There seems to be a theme to this post...something along the lines of accessing data through alternate means or sources...and whatnot...

Blog Update
- Mounting EWF files on Windows
Over in the Win4n6 Yahoo group, a question was posted recently regarding mounting multiple (in this case, around 70) .E0x files, and most of the answers involved using the SANS SIFT v2.0 Workstation. This is a good solution; I had posted a bit ago regarding mounting EWF (Expert Witness Format, or EnCase) files on Windows, and Bradley Schatz provided an update, removing the use of the Visual Studio runtime files and using only freely available tools, all on Windows.

Speaking of freeware tools, if you're using ImDisk, be sure to get the updated version, available as of March of this year. There have been some updates to allow for better functionality on Windows 7, etc.

Also, FTK Imager (as well as the Lite version) are up to version 2.9.

...Taking Things A Step Further...
If you've got segmented image files, as with multiple .E0x or raw/dd format .00x files, and you want to get file system metadata for inclusion in a timeline, you have a number of options available to you using freely available tools on Windows.

For the raw/dd format files, one option is to use the 'type' command to reassemble the image segments into a full image file, redirecting the output to a new file and making sure the segments are listed in order. Another option...whether you've got a VMWare .vmdk file, or an image composed of multiple EWF or raw/dd to open the image in FTK Imager. Once the image is open and you can see the file system, you can (a) re-acquire the image to a single, raw/dd format image file, or (b) export a directory listing.
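As an added example (this is not from the original post, nor from any of the tools named here), the reassembly step in Python, doing the two things a bare 'type' redirect does not do for you: ordering the segments numerically and refusing to continue if one is missing, and hashing the reassembled image as it is written so the hash can go straight into your notes. The .001/.002/... segment naming is an assumption; adjust SEGMENT_RE if your tool numbers segments differently.

```python
import glob
import hashlib
import re

# Split raw/dd segments are assumed to be named image.001, image.002, ... (3+ digit suffix)
SEGMENT_RE = re.compile(r"\.(\d{3,})$")


def ordered_segments(first_segment):
    """Return every segment of a split image in numeric order, failing on gaps.

    A shell glob would happily skip a missing image.007 and silently hand you a
    corrupt image, so the sequence is checked before a single byte is copied.
    """
    base = SEGMENT_RE.sub("", first_segment)
    found = {}
    for path in glob.glob(glob.escape(base) + ".*"):
        m = SEGMENT_RE.search(path)
        if m:
            found[int(m.group(1))] = path
    if not found:
        raise FileNotFoundError("no numbered segments found for %s" % base)
    numbers = sorted(found)
    expected = list(range(numbers[0], numbers[0] + len(numbers)))
    if numbers != expected:
        missing = sorted(set(expected) - set(numbers))
        raise ValueError("segment gap: missing segment number(s) %s" % missing)
    return [found[n] for n in numbers]


def reassemble(first_segment, output_path, chunk=1 << 20):
    """Concatenate the segments into output_path.

    Returns (bytes_written, md5_hex) for the whole reassembled image; the hash is
    computed on the fly so the image is read exactly once.
    """
    digest = hashlib.md5()
    total = 0
    with open(output_path, "wb") as out:
        for seg in ordered_segments(first_segment):
            with open(seg, "rb") as f:
                for buf in iter(lambda: f.read(chunk), b""):
                    out.write(buf)
                    digest.update(buf)
                    total += len(buf)
    return total, digest.hexdigest()


if __name__ == "__main__":
    import sys
    size, md5 = reassemble(sys.argv[1], sys.argv[2])
    print("%d bytes written, MD5 %s" % (size, md5))
```

Usage is `python reassemble.py image.001 image.dd`; compare the printed MD5 against the one your acquisition tool recorded for the whole image before you mount or parse the result.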

You can also use FTK Imager to export file system metadata from live systems, but this can be a manual process, as you have to add the physical drive via the GUI, etc. This process may be a bit more than you need. To meet the needs of a live IR script, I created a CLI tool called mt.exe (short for MACTimes) that is a compiled Perl script. Mt.exe will get the MAC times of files in a directory, can recurse through subdirectories, and will also get MD5 hashes for the files (it gets the MAC times before computing a hash, since reading a file to hash it can update its last access time), and has the option to output everything in TSK v3.x bodyfile format. I plan to use this to get file listings for specific directories, in order to optimize response and augment follow-on analysis.
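To show what a tool like that has to get right, here is an added Python example (my own, not mt.exe and not from the original post) that produces TSK v3.x bodyfile records for a directory tree. The order of operations is the point: stat first, hash second, so the hash read cannot disturb the last access time you just recorded. The bodyfile field layout (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime) is TSK's; the handling of creation time per platform is an assumption documented in the comments.

```python
import hashlib
import os
import stat


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large files are never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def bodyfile_record(path, with_hash=True):
    """One TSK 3.x bodyfile record for path.

    Layout: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
    Times are integer seconds since the Unix epoch, 0 where the platform does
    not expose a value.
    """
    st = os.lstat(path)  # timestamps FIRST: opening/reading the file may bump atime
    if os.name == "nt":
        # On Windows, Python reports the creation time in st_ctime; the MFT entry
        # modified time is not exposed through os.stat, so it is left as 0.
        crtime, ctime = int(st.st_ctime), 0
    else:
        crtime, ctime = int(getattr(st, "st_birthtime", 0)), int(st.st_ctime)
    md5 = "0"
    if with_hash and stat.S_ISREG(st.st_mode):
        try:
            md5 = md5_of(path)  # content read comes last, after the times are captured
        except OSError:
            md5 = "0"           # locked/unreadable file: keep the record, drop the hash
    fields = (md5, path, st.st_ino, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
              st.st_size, int(st.st_atime), int(st.st_mtime), ctime, crtime)
    return "|".join(str(f) for f in fields)


def bodyfile(root, recurse=True, with_hash=True):
    """Bodyfile records for everything under root (directories included)."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            records.append(bodyfile_record(os.path.join(dirpath, name), with_hash))
        if not recurse:
            break
    return records


if __name__ == "__main__":
    import sys
    for rec in bodyfile(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rec)
```

Redirect the output to a file and feed it to mactime (`mactime -b body.txt -d`) alongside the bodyfile from your image; the records line up because the format is the same.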

Into The Shadows
Lee Whitfield posted his SANS EU Forensics Summit presentation, Into The Shadows, for your listening/viewing pleasure. In the presentation, Lee presents what he refers to as "the fourth way" to analyze Volume Shadow Copies. Watching the video, it appears that Lee is deciphering the actual files created by the Volume Shadow Copy service, and using that information to extract meaningful data.

You should also be able to work with Volume Shadow Copies as we discussed earlier, but like Lee says (and was mentioned by Troy Larson), if you're going to image the entire VSC, you're going to need to have additional space available. However, what if you were to mount the VSC in question and only extract selected files? Sure, this would require knowledge of what you were attempting to achieve and how you'd go about doing it, but you wouldn't require the additional space, and you would still have the VSC available to be mounted later, if need be.
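The "mount it and take only what you need" approach, as an added example (mine, not from the original post or from Lee's or Troy's material). On a live Vista/Windows 7 system, `vssadmin list shadows` enumerates the shadow copies, `mklink /d` exposes one of them as a directory, and robocopy pulls out just the files you want (here the Registry hives, so RegRipper can be run against them) with their timestamps intact; no extra space for a second image is needed. The vssadmin output below is a constructed sample in the format I have seen from that command, and the user profile path is an assumption.

```python
import re
from collections import namedtuple

ShadowCopy = namedtuple("ShadowCopy", "device original created")

# Constructed sample of 'vssadmin list shadows' output (not captured from a real host).
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 4/19/2010 9:02:11 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: win7-vm
         Service Machine: win7-vm
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {12121212-3434-5656-7878-909090909090}
   Contained 1 shadow copies at creation time: 4/21/2010 7:45:03 AM
      Shadow Copy ID: {abababab-cdcd-efef-0101-232323232323}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: win7-vm
"""


def parse_vssadmin(text):
    """Pull (device path, original volume, creation time) for each shadow copy."""
    copies, created, original = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line)
        if m:
            created = m.group(1).strip()
            continue
        m = re.match(r"Original Volume: (.+)$", line)
        if m:
            original = m.group(1).strip()
            continue
        m = re.match(r"Shadow Copy Volume: (.+)$", line)
        if m:
            copies.append(ShadowCopy(m.group(1).strip(), original, created))
    return copies


def extraction_commands(copy, mount_point, dest, wanted):
    """cmd.exe lines: expose one VSC as a directory symlink, copy only the listed
    files (data, attributes, timestamps) out of it, then remove the link.

    wanted maps a directory relative to the volume root to the file names wanted
    from it. The trailing backslash on the device path is required by mklink.
    """
    cmds = ['mklink /d "%s" "%s\\"' % (mount_point, copy.device)]
    for subdir, files in wanted.items():
        cmds.append('robocopy "%s\\%s" "%s\\%s" %s /COPY:DAT /R:0 /W:0'
                    % (mount_point, subdir, dest, subdir, " ".join(files)))
    cmds.append('rmdir "%s"' % mount_point)  # removes the symlink, not the VSC
    return cmds


# Hives for RegRipper; the user name in the profile path is an assumption.
DEFAULT_WANTED = {
    r"Windows\System32\config": ["SYSTEM", "SOFTWARE", "SAM", "SECURITY"],
    r"Users\analyst": ["NTUSER.DAT"],
}


def extract_from_all_shadows(dest_root, wanted=DEFAULT_WANTED):
    """Live use only (elevated prompt on Windows): run vssadmin, then the commands."""
    import subprocess
    out = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    for i, copy in enumerate(parse_vssadmin(out), 1):
        for cmd in extraction_commands(copy, r"C:\vsc%d" % i, r"%s\vsc%d" % (dest_root, i), wanted):
            print(cmd)
            subprocess.run(cmd, shell=True)  # robocopy returns non-zero codes on success, so no check


if __name__ == "__main__":
    for c in parse_vssadmin(SAMPLE_VSSADMIN):
        print(c.created, c.device)
```

Record the creation time of each shadow copy next to the files you pulled from it; that is the time the snapshot of those hives was taken, which is what gives them meaning in a timeline.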

EVTX Parsing
SANS has postponed the Forensics Summit in London due to the Krakatoa-like volcanic eruption that has been obscuring the airspace over Europe. As such, Andreas has posted his slides regarding Vista (and above) Event Log format. Very cool stuff, and very useful.

Finally, Christa pointed me to an interesting article at CSOOnline about how fraud is no longer considered by banks and financial institutions to be just a cost of doing business. Very interesting, and it demonstrates how incident preparation, detection, and response are becoming more visible as business processes.

From that article, I found a link to another article, this one discussing the basics of incident detection, response and forensics with Richard Bejtlich. Very much well worth the read...

Wednesday, April 14, 2010

More Links

RegRipper in Use
Simon posted to the Praetorian Prefect blog recently regarding WinPE. In his post, Simon described installing and using RegRipper from the Windows Forensic Environment (WinFE). Very cool! RegRipper (well, specifically ripXP) was designed for XP System Restore Point analysis, and RegRipper itself has been used via F-Response, and on an analysis system to extract Registry data from mounted Volume Shadow Copies.

Speaking of WinFE, Matt posted recently on creating a WinFE bootable CD with F-Response pre-installed! Matt shows you how to use Troy's WinFE instructions to quickly make the installation F-Response ready! Along with the Linux bootable CDs Matt's put together, it looks like he's building out a pretty complete set.

XP Mode Issues
I found this on Securabit, how the installation and use of XP Mode in Windows 7 exposes the system to XP OS vulnerabilities, as well as vulnerabilities to applications run through XP Mode. This is going to be a bit more of an issue, now that MS has removed that hardware virtualization requirement for XP Mode to run, making it accessible to everyone. Core Security Technologies announced a VPC hypervisor memory protection bug...wait, is that bad?

Well, I like to look at this stuff from an IR/DF perspective. Right now, we've got enough issues trying to identify the initial infection vector...and now we've got to deal with it in two operating systems! I've installed XP Mode, and during the installation, the XP VM gets these little icons for the C: and D: drives in my host...hey, wait a sec! So XP can "see" my Windows 7 that bad?

Installing and using Windows 7 isn't bad in and of itself...it's really no different from when we moved from Windows 2000 to XP. New challenges and issues were introduced, and the IT community, as well as those of us in the IR/DF community, learned to cope. In this case, IT admins need to remain even more vigilant because now we're adding old issues in with the new...don't think that we've closed the hole by installing Windows 7, only to be running a legacy app...with its inherent vulnerabilities...through XP Mode.

Volume Shadow Copies
Found this excellent post over on the Forensics from the Sausage Factory blog, detailing mounting a Volume Shadow Copy with EnCase and using RoboCopy to grab files. Rob Lee has posted on creating timelines from Volume Shadow Copies, and accessing VSCs has been addressed several times (here, and here). With Vista and now Windows 7 systems becoming more pervasive (a friend of mine in LE has already had to deal with a Windows 7 system), accessing Volume Shadow Copies is going to become more and more of an issue...and by that I mean requirement and necessity. So it's good that the information is out there...

MFT Analysis
Rob Lee posted to the SANS Forensic Blog regarding Windows 7 MFT Entry Timestamp Properties. This is a very interesting approach, because there's been some discussion in other forums, including the Win4n6 Yahoo group, around using information from the MFT to create or augment a timeline. For example, using most tools to get file system metadata, you'll get the entries from the $STANDARD_INFORMATION (SIA) attribute, but the information in the $FILE_NAME (FNA) attribute can also be valuable, particularly if the creation dates are different.

When tools are used to alter file time stamps, you'll notice the differences in the SIA and FNA time values, as Lance pointed out. Brian also mentions this like three times in one of the chapters of his File System Forensic Analysis book. So, knowing how various actions can affect file system time stamps can be extremely important to creating or adding context to a timeline, as well as to the overall analysis.
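An added example (my own code, not from Rob's, Lance's or Brian's work) of putting the SIA/FNA comparison to use. Given MFT entries with both sets of timestamps (what tools that parse the $MFT directly give you; the sample entries below are constructed, and the second file name is made up), it flags two of the patterns that timestamp-altering tools leave behind: $STANDARD_INFORMATION times that fall before the $FILE_NAME times, and SI times that land exactly on whole seconds, which happens when a tool sets them from a source with one-second resolution. Neither is proof by itself: whole-second times also come from files copied off FAT media or pulled out of archives, and the FN times are refreshed when a file is renamed or moved, so treat the output as "look here first".

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Four NTFS timestamps as FILETIME values (100-ns ticks since 1601-01-01 UTC)
Times = namedtuple("Times", "created modified mft_modified accessed")
Entry = namedtuple("Entry", "name si fn")   # si = $STANDARD_INFORMATION, fn = $FILE_NAME

_EPOCH_1601 = datetime(1601, 1, 1)
_TICKS_PER_SECOND = 10_000_000


def filetime(dt, ticks=0):
    """FILETIME for a naive UTC datetime, plus extra 100-ns ticks for the sub-second part."""
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10 + ticks


def to_datetime(ft):
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def check_entry(entry):
    """Reasons this entry's timestamps deserve a closer look (empty list = nothing odd)."""
    flags = []
    if entry.si.created < entry.fn.created:
        flags.append("SI creation time is earlier than FN creation time")
    if entry.si.modified < entry.fn.modified:
        flags.append("SI modification time is earlier than FN modification time")
    # Only the three times SetFileTime() can set are checked; the MFT-modified time
    # is maintained by NTFS itself and normally keeps its sub-second part.
    settable = (entry.si.created, entry.si.modified, entry.si.accessed)
    if all(t % _TICKS_PER_SECOND == 0 for t in settable):
        flags.append("SI created/modified/accessed all fall on whole seconds")
    return flags


def report(entries):
    """Map entry name -> flags for every entry that raised at least one."""
    return {e.name: check_entry(e) for e in entries if check_entry(e)}


def _t(y, mo, d, h, mi, s, ticks=0):
    return filetime(datetime(y, mo, d, h, mi, s), ticks)


# Constructed sample: one ordinary system file, one file with backdated SI times.
_ok_created = _t(2009, 7, 14, 1, 14, 31, 3456789)
_ok_written = _t(2009, 7, 14, 1, 39, 52, 1234567)
_bad_fn = _t(2010, 4, 10, 13, 2, 45, 5000000)
SAMPLE = [
    Entry(r"Windows\System32\svchost.exe",
          Times(_ok_created, _ok_written, _ok_written, _ok_created),
          Times(_ok_created, _ok_created, _ok_created, _ok_created)),
    Entry(r"Windows\System32\wmiserv.dll",   # made-up name
          Times(_t(2005, 1, 1, 0, 0, 0), _t(2005, 1, 1, 0, 0, 0), _bad_fn, _t(2005, 1, 1, 0, 0, 0)),
          Times(_bad_fn, _bad_fn, _bad_fn, _bad_fn)),
]

if __name__ == "__main__":
    for name, flags in report(SAMPLE).items():
        print(name)
        for f in flags:
            print("   ", f)
```

When an entry is flagged, the FN creation time is usually the better candidate for "when did this file really appear" in the timeline, and the SI times become a finding in their own right.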

The Future
Rob's efforts in this area got me to long will it be before forensic analysts sit down at their workstation to begin analysis, and have a Kindle or an iPad or similar device right there with them, to assist them with their analysis workflow? Given the complexity and variety of devices and operating systems, it would stand to reason that an organization would have a workflow with supporting information (docs like what Rob's putting together, etc.), possibly even online in one location. The analyst would access the online (internally, of course) app and enter their information and begin their case, and they would be presented with workflow, processes and supporting information. In fact, something like that could also provide for case management, as well as case notes and collaboration, and even ease reporting.

Is the workflow important? I'd suggest that yes, it is...wholeheartedly. I've seen a number of folks stumble over what they were looking for and spend a lot of time doing things that really didn't get them any closer to their goals...if they had goals and understood them! This would not obviate the need for training, of course, particularly in basic skills, but having some kind of Wiki-ish framework with a workflow template for an analyst to follow would definitely be beneficial...that is, aside from its CSI coolness (I still yell, "Lt Dan!" at the TV whenever Gary Sinise comes on screen in CSI:NY).

Sunday, April 11, 2010

Links...and whatnot

Security Ripcord
Don posted recently on his experiences attending Rob Lee's SANS SEC 508 course. Don has some very interesting insights, so take a look. Read what he says carefully, and think about it before reacting based on your initial impression. Don's an experienced responder that I have the honor of knowing, and the pleasure of having worked with...he's "been there and done that", likely in more ways than you can imagine. Many times when we read something from someone else, we'll apply the words to our own personal context, rather than the context of the when you read what Don's said, take a few minutes to think about what he's saying.

One example is Don's statement regarding the court room vs. the data center. To be honest, I think he's absolutely right. For far too long, what could possibly go on in the court room has been a primary driver for response, when that shouldn't be the case. I've seen far too many times where someone has said, "I won't do live response until it's accepted by the courts." Okay, fine.

Another one that I see a lot is the statement, "...a competent defense counsel could ask this question and spread doubt in the mind of the jury." Ugh. Really. I saw on a list recently where someone made that statement with respect to using MD5 hashes to validate data integrity, and how a defense attorney could bring up "MD5 rainbow tables". Again...ugh. There are more issues with this than I want to go into here, but the point is that you cannot let what you think might happen in court deter you from doing what you can, and what's right.

DFI Newsletter
I subscribe to the DFI Newsletter, and I found a couple of interesting items in the one I received on Fri, 9 April. Specifically, one of my blog posts appears in the In The Blogs section. Okay, that was pretty cool!

Also, there was a link to an FCW article by Ben Bain regarding how Bill Bratton "said local police departments have been behind the curve for most of their history in tackling computer-related crime and cybersecurity" and that "it's a resource issue."

I know a couple of folks who have assisted local LE in their area, and that seems to be something of a beneficial relationship, particularly for LE.

File System Tunneling
Okay, this is a new one on me...I ran across this concept on a list recently, and thought I'd look into it a bit. In short, it seems that there's long been functionality built into the Windows file systems (NTFS as well as FAT) that allows, under specific conditions and for a short period of time (default is 15 seconds), for file metadata (specifically, the file creation time) to be reused. If a file with a specific name is deleted, and then another file with the same name is created in that directory within those 15 seconds, the first file's creation time is carried over to the new file; the same thing happens when a file is renamed and a new file is then created under the old name. This exists for compatibility with old applications that "save" by writing a temp file and renaming it over the original, and is the reason such a file keeps its original creation date. Fortunately (note the sarcasm...), this functionality can be extended or disabled: the MaximumTunnelEntries and MaximumTunnelEntryAgeInSeconds values under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem control it, and setting MaximumTunnelEntries to 0 turns it off. Checking those values in the System hive is worth a plugin, since they tell you whether the creation times on a system can be trusted in this respect.

Okay, so what does this mean to forensic analysts? Under most conditions, probably not a lot. But this is definitely something to be aware of and understand. I mean, under normal circumstances, time stamps are hard enough to keep up with...add into that tunneling, anti-forensics, and the fact that on Vista and above, updating of last access times is disabled.

More than anything else, this really illustrates how important it is, when considering potential issues or asking questions about systems, to identify things like the OS, the version (i.e., XP vs. Win7), the file system, etc.

MS KB 172190
MS KB 299648
Daniel Schneller's thoughts
Old New Thing blog post
MSDN: File Times

The eEvidence what's new site was updated a bit ago. Christina is always able to find some very interesting resources, so take some time to browse through what's there. Sometimes there's case studies, sometimes some really academic stuff, but there's always something interesting.

Matthieu has released the MoonSol Windows Memory Toolkit, with a free community edition. Check it out.

Tuesday, April 06, 2010

WFA 2/e Amazon Ranking!

Good news, all...and thanks to @Syngress for tweeting this this morning! Windows Forensic Analysis 2/e is still ranked #1 on Amazon in the Forensics and Windows Security categories! Very cool, and thanks to everyone who has their copy, for purchasing the book.

Looking today, I noticed that Amazon also has a Kindle version priced out...very cool. I don't have a Kindle, but I hope that anyone who does and has a copy of WFA on it finds it just as useful as a paperback edition, if not more so.

Again, thanks to everyone who has purchased a copy of WFA!

Monday, April 05, 2010

ITB 0x1 is out!

Don has posted the new ITB, issue 0x1!

This issue has an article on plist files, and a write-up on Don's review of the Super Drivelock. Also, Chris has provided some insights into PCI data breach investigations and Richard Harmon's release of his poorcase tool.

Shoutz to Don for putting the work into putting this together! It's a lot of work getting articles, and getting them together. This is a community-based newsletter, and NEEDS input from the community! So, if there's something you'd like to write about, or something you'd like to see discussed, drop Don a line.

Also, Bret and Ovie released their latest podcast this weekend...great job, guys!

Friday, April 02, 2010

New stuff

The first ever Sleuth Kit and Open Source Digital Forensics Conference is coming up in June, 2010, and I'll be one of the speakers, joining Brian Carrier, Jamie Butler, Dario Forte, Rob Joyce and Simson Garfinkel. I'll be talking about creating timelines using TSK and other open source tools.

Timelines and Last Access Times

Many examiners make use of file last access times during an examination, to some degree. Most examiners are also aware that MS has a Registry value called NtfsDisableLastAccessUpdate (under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem) which can be used to disable updating of last access times on files, and that it's enabled (i.e., set to 1) by default beginning with Windows Vista. However, that doesn't mean that these values are never changed...take a look at the links that follow, and consider doing some testing of your own.

Windows XP - explanation of fsutil, including disablelastaccess behavior
DigFor explanation - when 'disabled' doesn't entirely mean disabled
MS KB 299648 - Description of NTFS date and time stamps
Jones Dykstra and Assoc. article

Over on the SANS ISC blog, Pedro Bueno posted a link to some tools he uses and wanted to share with others. There's some interesting tools there, one of which is WinAPIOverride32. If you're doing malware analysis, these look like some very interesting and useful tools.

If you're doing any sort of malware analysis and encounter obfuscated JavaScript, check out JSUnpack.

GrandStream Dream Updates
Claus is back to posting again, and has a heavy version available. Rather than re-hashing what Claus has posted here, I'd recommend that you take a look...trying to summarize what he's done simply won't do it justice. Yes, Claus has pulled together links from other blogs, but sometimes it's good to see a bunch of like posts grouped together.

One of the things that Claus mentioned that I hadn't seen before is StreamArmor, a tool for locating NTFS alternate data streams, that goes beyond your normal "here's an ADS" approach. StreamArmor looks for malicious streams, skipping over "normal" streams so as not to overwhelm the analyst. This has benefits...if you're familiar with how ADSs work. I can see something like this being used when an acquired image is mounted (SmartMount, ImDisk, P2 eXplorer, etc.) and scanned with AV/anti-spyware tools...just hit it with StreamArmor while it's mounted.

Didier Stevens has been posting a lot lately on proof-of-concepts for getting malware on systems by embedding it into PDF documents. If you didn't already have a reason to search TIF and email attachment directories for PDF documents, then reading through his posts should make you realize why you need to make it part of your analysis process.
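Tying the two PDF items in this post together (Didier's /Launch proof-of-concepts here, and the PDFiD update to detect and disarm /Launch mentioned above), here is an added triage example. It is my own code, not PDFiD and not anything from Didier's posts, and it works the way a name-based scanner has to: PDF name tokens can be written with #xx hex escapes (/L#61unch is /Launch to a reader), so the scanner decodes names before matching, and the disarm step swaps the case of the token in place, which keeps the byte length (so the xref table still lines up) while leaving a name the reader will not recognise, since PDF names are case-sensitive. The sample document is constructed and inert; scan_tree() is there for walking an exported Temporary Internet Files or attachment directory, sniffing for the %PDF header because cached copies do not always carry the extension.

```python
import os
import re
from collections import Counter

# Names worth counting in triage: /Launch runs an external program, /OpenAction and
# /AA fire an action without a click, the rest carry script or embedded content.
WATCH = ("Launch", "OpenAction", "AA", "JS", "JavaScript",
         "EmbeddedFile", "RichMedia", "AcroForm", "ObjStm")

# A PDF name token: '/' followed by anything up to whitespace or a delimiter
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def decode_name(raw):
    """Resolve #xx escapes so /L#61unch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def scan(data):
    """Count watched names; also list occurrences that used escapes to hide the name."""
    counts, obfuscated = Counter(), []
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1)).decode("latin-1")
        if name in WATCH:
            counts[name] += 1
            if b"#" in m.group(1):
                obfuscated.append((m.start(), m.group(0).decode("latin-1")))
    return counts, obfuscated


def disarm(data, names=("Launch", "OpenAction", "AA")):
    """Swap the case of the chosen name tokens. Same length, same offsets, but the
    reader no longer sees /Launch or /OpenAction (names are case-sensitive)."""
    def fix(m):
        if decode_name(m.group(1)).decode("latin-1") in names:
            return b"/" + m.group(1).swapcase()
        return m.group(0)
    return NAME_RE.sub(fix, data)


def scan_tree(root):
    """Triage every file under root that starts like a PDF, whatever its extension."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if b"%PDF" not in data[:1024]:
                continue
            counts, obf = scan(data)
            if counts:
                results[path] = (counts, obf)
    return results


# Constructed, inert sample: the catalog's /OpenAction points at a launch action
# whose name is hex-escaped; nothing here is ever written out or opened by a reader.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /L#61unch /F (calc.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    counts, obf = scan(SAMPLE_PDF)
    print(dict(counts), obf)
    print(disarm(SAMPLE_PDF).decode("latin-1"))
```

A count of one /Launch in a document that also has an /OpenAction is exactly the combination Didier's proof-of-concepts use, and it is a quick filter to run over every PDF in the user's cache before anything gets opened on an analysis system.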

Thought of the Day

I've been working on writing my latest book and got to a section of the first chapter where I talk about analysis and what that means. As I was writing, it occurred to me that there are some basic concepts that some analysts take for granted, and others simply do not understand. Keeping these concepts in mind can help us a great deal with our exams.

Locard's Exchange Principle
Edmund Locard was a French scientist in the early part of the 20th century who originated the principle that when two objects come into contact, material is transferred between them. This is as true in the digital realm as it is in the physical world. When malware reaches out to find other systems to infect or to contact a CnC server, there is information about these connections on the system. When an intruder accesses a system, there is information about the system their connection is coming from as well as information about their activities on the compromised system. In many cases, the information may have degraded depending on how much time has passed since the event, but it will have been there.

Least Frequency of Occurrence
I credit Pete Silberman of Mandiant with this phrase, not because he was the first to use it (some searches indicated pretty quickly that it is used in other fields), but because his use of it was the first time I heard it applied in a profound manner to the IR community. At the SANS Forensic Summit in 2009, Pete used this to describe the occurrence of malware on systems, and looking back over other exams I'd performed, it occurred to me that the same thing is true for intrusions.

The concept is amazing in its simplicity...given normal system activity, malware and intrusions occur least frequently on that system. Say, malware is installed as a Windows service set to launch at system startup as part of the SvcHost've got one file (a DLL on the drive), a few keys/values in the System hive, and one in the Software hive.

Okay, so the practical application of this is that we're NOT looking for massive toolsets being loaded onto the system. Listing all of the files on the system and sorting by creation date (in the absence of modification of time stamps) is more likely to show you OS and application updates than it is when the malware was installed. The same sort of thing applies to an intrusion.
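The practical side of "least frequency of occurrence", as an added example (mine, not from Pete's talk or the original post): when you have service listings from a number of systems, stack them and look at what appears on the fewest hosts. The service data below is constructed (the odd-one-out DLL is made up), and is shaped like what you would get by running a RegRipper services plugin against each host's System hive and flattening the output. Normalizing the image path matters, since %SystemRoot% and C:\Windows spellings of the same binary should stack together; a service that uses a well-known name but loads its DLL from an unusual path is exactly what should float to the top.

```python
from collections import defaultdict, namedtuple

Service = namedtuple("Service", "host name image")

# Constructed listings from five hosts (not real data). Every host runs Dnscache and
# wuauserv; ws03 has an extra service and ws05's Dnscache loads from the wrong place.
SAMPLE = [
    Service("ws01", "Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    Service("ws01", "wuauserv", r"%SystemRoot%\System32\wuaueng.dll"),
    Service("ws02", "Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    Service("ws02", "wuauserv", r"C:\Windows\System32\wuaueng.dll"),
    Service("ws03", "Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    Service("ws03", "wuauserv", r"%SystemRoot%\System32\wuaueng.dll"),
    Service("ws03", "wmiserv", r"C:\Windows\System32\wmiserv.dll"),      # made-up name
    Service("ws04", "Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    Service("ws04", "wuauserv", r"%SystemRoot%\System32\wuaueng.dll"),
    Service("ws05", "Dnscache", r"C:\Windows\Temp\dnsrslvr.dll"),         # legit name, odd path
    Service("ws05", "wuauserv", r"%SystemRoot%\System32\wuaueng.dll"),
]


def normalize(path):
    """Fold case and the common spellings of the system root so one binary stacks once."""
    p = path.strip().strip('"').lower()
    for prefix in ("%systemroot%", "c:\\windows"):
        if p.startswith(prefix):
            return "<sysroot>" + p[len(prefix):]
    return p


def stack(services):
    """(service name, normalized image) -> set of hosts where that pair was seen."""
    seen = defaultdict(set)
    for s in services:
        seen[(s.name.lower(), normalize(s.image))].add(s.host)
    return seen


def least_frequent(services, max_hosts=1):
    """Pairs present on max_hosts or fewer hosts, rarest first."""
    seen = stack(services)
    rare = [(key, sorted(hosts)) for key, hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda kv: (len(kv[1]), kv[0]))


if __name__ == "__main__":
    total = len({s.host for s in SAMPLE})
    for (name, image), hosts in least_frequent(SAMPLE):
        print("%-10s %-40s %d/%d host(s): %s" % (name, image, len(hosts), total, ", ".join(hosts)))
```

The same stacking works for any artifact you can collect per host in a consistent form: Run key entries, scheduled tasks, loaded drivers, prefetch file names. The noise (OS and application updates) is what every host has in common, and it drops out on its own.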

In short, goals are the beginning and the end of your exam. What are you looking for, what questions are you trying to answer? Your exam goals drive your analysis approach and what tools you need to use...and it should never be the other way around. Tools should never drive your analysis.