Friday, October 14, 2011


Carbon Black
I recently gave a presentation at ETCSS, during which we discussed the need for incident preparedness in order to improve the effect of incident response efforts.  In that presentation, I mentioned and described Carbon Black (Cb), as well as how it can be used in other ways besides IR.

While I was traveling to the venue, Cb Enterprise was released.  Folks, if you don't know what Carbon Black is, you really should take a look at it.  If you use computers in any capacity beyond simply sitting at a keyboard at your house...if you're a dentist's office, hospital, law firm, or a national/global need to take a good hard look at Cb.  Cb is a small, light-weight sensor that monitors execution on a system...remember Jesse Kornblum's Rootkit Paradox paper?  The paradox of rootkits is that they want to hide, but they must run...the same is true with any malware.  Cb monitors program execution on Windows systems.  The guys at Cb have some great examples of how they've tracked down a three-stage browser drive-by infection in minutes, where it may have taken an examiner doing just disk forensics days to locate the issue.

If you have and use computers, or you have customers who do, you should really take a hard look at Cb and consider deploying it.  Seriously...check out the site, give the Kyrus Tech guys a call, and take a good hard look at what Cb can do for you.  I honestly believe that Cb is a game changer, and the Kyrus Tech guys have demonstrated that it is, indeed, a game changer, but not just for IR work.

Jamie Levy has posted documentation and plugins for her OMFW talk (from last July) regarding extracting timeline data from a memory dump using the Volatility framework.  This is a great set of plugins for a great memory analysis framework, folks.  What's really cool is that with a little bit of programming effort,  you can modify the output format of the plugins to meet your needs, as well.  A greatbighuge THANKS to Jamie for providing these plugins, and for the entire Volatility team/community for a great memory analysis framework.

Exploit Artifacts
Speaking of timelines...Corey has posted yet another analysis of exploit artifacts, this one regarding a signed Java applet. This is a great project that Corey works on, and a fantastic service that he's providing.  Using available tools (i.e., MetaSploit), he compromises a system, and then uses available tools and techniques (i.e., timeline analysis) to demonstrate what the artifacts of the exploit "look like" from the perspective if disk analysis.  Corey's write-up is clear and concise, and to be honest, this is what your case notes and reports should look like...not exactly, of course, but there are lot of folks that use the "...I don't know what standard to write to..." as an excuse to not do anything.  Look at what Corey's done here...don't you think that there's enough information to replicate what he did?  Does that work as a standard?

Also, take a look at the technique Corey used for investigating this issue...rather than posting a question online, he took steps to investigate the issue himself.  Rather than starting with an acquired image and a question (as is often the case during an exam), he started with just a question, and set out to determine an answer.  Information like this can be extremely valuable, particular when it comes to determining things such as the initial infection vector of malware or a bad guy, and a good deal of what he's provided can be added to an exam checklist or a plugin for a forensic scanner.  I know that I'm going to continue to look for these artifacts...a greatbighuge THANKS to Corey, not just for doing this sort of work, but posting his results, as well.

DFF 1.2 is available for download.  Take a look at this for a list of the updates; check out batch mode.  Sorry, I don't have more to write...I just haven't had a chance to dig into it yet.

One of the things I see a great deal of, whether it's browsing the lists or reading questions that appear in my inbox, is that when asking questions regarding forensic analysis, many of us still aren't providing any indication of the operating system that we're analyzing.  Whether its an application question (P2P, FrostWire, a question about MFT entries, etc.), many of us are still asking the questions without identifying the OS, and if it's Windows, the version.

Is this important at all?  I would suggest that yes, it is.  The other presentation I gave at ETCSS (see the Carbon Black entry above) was titled What's new in Windows 7: An analyst's perspective.  During this presentation, we discussed a number of differences, specifically between Windows XP and Win7, but also between Vista and Win7.  Believe it or not, the version of Windows does matter...for example, Windows 2003 and 2008 do not, by default, perform application prefetching (although they can be configured to do so).  With Windows XP, the searches a user executed from the desktop were recorded in the ACMru key; with Vista, the searches were NOT recorded in a Registry key (they were/are maintained in a file); with Windows 7, the search terms are maintained in the WordWheelQuery key.

Still not convinced?  Try analyzing a Windows 7 memory dump with Volatility, but don't use the Windows 7 profile.  

So, it you're asking a question that has to do with file access times, then the version of Windows is very important...because as of Vista, by default, updating of last access times on files is disabled.  This functionality can be controlled by a Registry value, which means that this functionality can also be disabled on Windows XP systems.

I also see a number of questions referring to various applications, many of which are specific to P2P applications.  Different applications behave saying, "I'm doing a P2P investigation" doesn't really provide much information if you're looking for assistance.  I mean, who's going to write an encyclopedic if/then loop with all of the possibilities?  Not only is the particular application important, but so is the version...for the same reasons that the OS version is important.  I've dealt with older versions of applications, and what those applications do, or are capable of doing, can be very important to an investigation...that is, unless you're planning to fill in the gaps in your investigation with speculation.

In short, if you've got a question about something, be sure to provide relevant background information regarding what you're looking can go a long way toward helping someone answer that question and provide you with assistance.

I've started a new page for my blog, listing the FOSS forensic tools that I find, come across, get pointed to, and use.  It's a start...I have a good deal of catching up to do.  I've started listing the tools, and provided some descriptions...I'll be updating the tools and descriptions as time goes on.  This is mostly a place for me to post tools and frameworks so that I don't have to keep going back and searching through my blog for something, but feel free to stop by and take a look, or email me a tool that you like to use, or site with several tools.

One final thing...and this is for Mr. Anonymous, who likes to leave comments to some of my blog posts...I get no benefit, monetarily or otherwise, for my comments or endorsement of Volatility, nor for DFF...or any other tool (FOSS or otherwise) for that matter.  I know that in the past, you've stated that you "...want to make sure that it is done with the right intentions".  Although you've never explicitly stated what those intentions are, I just wanted to be up front and clear...I have used these tools, and I see others discovering great benefit from them, as such, I think that it's a great idea to endorse them as widely as possible, so that others don't just see the web site, but also see how they can benefit from using these tools.  I hope that helps.


Girl, Unallocated said...

Just wanted to say thank you for all the information you put out into the community, whether it is tools you create, insights you have gained, or highlighting other's tools that may help examiners. The information you provide (of your own good will!) is invaluable to many, many people in the field. Thank you!

H. Carvey said...

Thanks for the comment! I'm just glad that someone finds this stuff useful!

Okay, you're one... ;-)

Phil Hagen said...

Great info, Harlan - thanks. Don't sweat MrAnon and company... Haters gonna hate.

Corey Harrell said...

It's unforunate that people try to put a negative spin on why others share information. If someone is sharing something they find helpful then who is to judge why they decided to share. The focus should be on the information that is being passed along and if it is helpful to the person receiving it. Alot of the things you provided (posts, tools, answers to questions, etc) have helped me so thank you for what you do.

> Information like this can be extremely valuable, particular when it comes to determining things such as the initial infection vector of malware or a bad guy

I've seen and hear comments from others about how it's difficult (if not impossible) and time consuming to determine how malware ended up on the system. A few years ago I even asked a question about how to determine where the malware on a system came from and the response I got was pretty much most of the time you can't figure it out. I've found alot of value in documenting the attack vector artifacts since it helps me better understand the data I'm seeing (and not seeing). It has consistently enabled me to locate the most likely method the malware used to infect a system in a short amount of time. This is contray to the comments I've heard and all it takes is a better understanding about the artifacts left on a system. Unforunately, there are so many artifacts not publically documented which would be helpful in knowing how to approach an examination.

clint said...

I installed Carbon Black on my laptop after you mentioned it last time. I like that you don't even notice its there. The web site repository can be pretty slow at times when running queries but other than that, it works well. I may even try out the enterprise version but I sort of want to wait for the registry and network connection information to get added first.

H. Carvey said...


I've seen and hear comments from others about how it's difficult (if not impossible) and time consuming to determine how malware ended up on the system.

Sometimes, that may seem to be the case...but I've found timelines to be extremely helpful in this. Unfortunately, I simply don't think that there are many analysts out there who actually create least, not the way some of us do.

Anonymous said...

Carbon Black to me seems to be just a monitoring service from the net. You can accomplish the same type results and also control who has this resulting information with setting up your own monitoring and having the results remain within your control and on your servers.

One of the most popular and flexible monitoring systems is Nagios. You can learn more about it at :

Two other Open Source/Freeware tools are - PRTG and Network Monitor II (desktop display), and you can learn more at :

You will notice other systems mentioned in the Wikipedia too. To me you still have to put in the effort to make Carbon Black setup for your own needs. So why not just keep the information on you own system.

This need is more of a Net or Systems Admin tools and need. Just my 2 cents on this recommendation.

Corey Harrell said...

> but I've found timelines to be extremely helpful in this

I picked up on your response a little late. I gradually learned the power of timelines in this area. In one instance it helped me identified the initial infection vector even after someone "cleaned" (deleted everything helpful) from the system. The timeline showed activty explaining what happened. Without it I don't think I would have been successful.

H. Carvey said...

I used timelines to identify DLL search order hijacking, as well as a number of other issues. I've found this analysis technique particularly helpful when traditional tools and techniques, including AV, were not as fruitful.

At this point, I still don't understand why more analysts aren't putting in the effort to dig into this technique...the "cost" of learning it is far outweighed by the benefits...