Andrew Case, developer of Registry Decoder, recently posted regarding using reglookup for Registry analysis. There are a number of links in Andrew's post to some of Tim Morgan's papers regarding such topics as looking for deleted Registry keys, so be sure to take a look.
PFIC 2011
I had an opportunity to meet a lot of great folks in Park City, many of whom I had only known about via their online presence. One of those is fellow DFIR'er and fellow former Marine Corey Harrell. Corey's one of those impressive folks that you want to reach out to and find in the community; rather than just sitting quietly, or just clicking "+1" or "Like", Corey goes out and does stuff, a good deal of which he's posted to his blog.
Corey posted his PFIC 2011 Review to his blog recently (Girl, Unallocated posted her thoughts and experiences, as well)...this is great stuff, for a couple of reasons. First, some conferences, like PFIC, have a number of good topics and speakers, often during the same time slot. As such, you may not be able to get to all of the presentations that you'd like to, and having someone post their "take-aways" from the presentation you missed is a good way to get a bit of insight beyond simply downloading the slide pack. Taking that a step further, not everyone can attend conferences, so this gives folks who couldn't attend an opportunity to peek behind the curtain and see what's going on. Finally, this gets the word out about next year's conference, as well, and may get someone over the hump of whether to attend or not.
DoD CyberCrime
Speaking of presentations, I got word recently that my DoD CyberCrime Conference presentation on timeline analysis is scheduled for 25 Jan 2012, from 8:30-10:20am. The last (and first) time I attended DC3 was in 2007, and unfortunately, within less than an hour of finishing my presentation, I was on an incident call, and off the next day to another major city. Ah...such was the life of an emergency responder.
My timeline analysis presentation (an example of a previous presentation can be found here) is a bit different from most of those that I find available online, in part because I don't focus on using the SANS SIFT Workstation. That's not to say that SIFT isn't a great resource...because it is. Rob's done a great job of assembling a range of open source tools, and getting them all set up and ready to use. However, the approach I tend to take is to start by attempting to engage the audience and discussing with them the reasons why we'd want to do timeline analysis in the first place, discussing concepts such as context and increased relative confidence in the data. Understanding these concepts can often be what gets folks to see the value of creating a timeline, when "...because this guy said so..." just isn't enough. From there, we walk through using the tools, and demonstrate how timelines can be used as part of your analysis process...keeping in mind that like any other tool, this is just a tool and needs to be used accordingly. Creating a timeline when it doesn't make sense to do so simply...well...doesn't make sense.
Anyway, I'm really looking forward to this opportunity, and hopefully seeing a bunch of really good presentations, as well. Looking at the conference agenda as it is so far, it looks like there's a couple of good social events, as well, which will lead to some great networking.
MMPC Updates
The Microsoft Malware Protection Center (MMPC) recently posted regarding some new MSRT definitions, including Win32/Cridex, another bit of malware that steals online banking credentials. Cridex uses the user's Run key for persistence, and apparently stores data in the Default value of the HKCU\Software\Microsoft\Windows Media Center\
Duqu
Although I haven't had an opportunity to analyze a system infected with Duqu, as always, I remain interested in what's out there, particularly from a host-based perspective. I ran across a set of open source tools for detecting Duqu files (readme here). There's also the Symantec write-up on Duqu, which is very interesting, as it defines the Duqu "load point", which is a driver loaded as a Windows service, specifically HKLM\SYSTEM\CurrentControlSet\Services\JmiNET3. Apparently, configuration information is maintained in the FILTER subkey beneath this key.
Interestingly, the load point is described as "JmiNET7.sys", but the Symantec paper goes on to say that the service name is "JmiNET3".
The Symantec paper goes on to describe the loading techniques for the payload loader, and method 3 involves a section within a DLL called ".zdata".
Finally, the Diagnostics section of the paper includes another Registry key that is supposed to indicate an infected system; specifically, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\”CFID”.
Anyone interested in learning more about Duqu should take a look at the Symantec paper, as well as anything else that's out there. There seem to be some interesting (and possibly unique) indicators that you can use to scan your infrastructure for infected systems; per the Symantec paper, part of the Duqu threat involves infostealers.
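As an added example for this page (not code from Symantec's paper or from any of the tools linked above), the check below parses a .reg-style export and reports the Registry indicators described here: the JmiNET3 service key, its FILTER subkey, and a value under Zones\4 named either CFID (as printed in the Symantec paper) or CF1D (as later corrected), since both spellings circulate. The sample export is constructed; Registry paths are compared case-insensitively, and an offline SYSTEM hive would show ControlSet001 rather than CurrentControlSet.

```python
import re

# Constructed .reg-style export used as sample input; not data from a real system.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3]
"ImagePath"="system32\\drivers\\jminet7.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER]
"A"=hex:00,11,22

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CF1D"=hex:aa,bb
"1001"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")        # [HKEY_...\path] header line
VALUE_RE = re.compile(r'^"([^"]+)"=')     # "ValueName"=... data line


def parse_reg(text):
    """Return {key_path_lower: set(value_names_lower)} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # Registry paths are case-insensitive
            keys.setdefault(current, set())
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].add(m.group(1).lower())
    return keys


def check_duqu_indicators(text):
    """Return descriptions of the Duqu Registry indicators found in a .reg export."""
    keys = parse_reg(text)
    hits = []
    svc = r"hkey_local_machine\system\currentcontrolset\services\jminet3"
    if svc in keys:
        hits.append("service key JmiNET3 present")
    if svc + r"\filter" in keys:
        hits.append("FILTER subkey under JmiNET3 present")
    zone4 = (r"hkey_local_machine\software\microsoft\windows\currentversion"
             r"\internet settings\zones\4")
    for name in ("cfid", "cf1d"):          # both spellings appear in public reporting
        if name in keys.get(zone4, set()):
            hits.append("Zones\\4 value %s present" % name.upper())
    return hits
```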
Tool Updates
There've been some updates to the SysInternals tools recently, in particular to AutoRuns (new v 11.1), including some new autostart locations. Check them out.
Andreas has updated his Evtx Parser tool (written in Perl), as well.
ImDisk was recently updated to version 1.5.2.
I updated my maclookup.pl WiFi geolocation script to macl.pl. The previous version of the script used Skyhook to perform lookups, in an attempt to translate a WiFi WAP MAC address (found in the Windows Registry) to a lat/long pair. I found out recently that this stopped working, so I sought out...and found...a way to update the script.
Reading
The e-Evidence.info what's new site was updated recently, and as always, there's lots of great reading material. This presentation on using open source tools for digital forensic analysis spends a good couple of slides demonstrating how to use RegRipper. David Hull has a timeline presentation available that discusses the use of SIFT v2.0 to create super timelines.
Thanks for the post Harlan. The Tool Updates section is particularly useful for me, as it is sometimes easy to fall behind on the latest news and releases; and I LOVE testing out new functionality of new releases! There is also a new version of FTK Imager available on Access Data's site as of Nov 14, 2011. http://accessdata.com/support/adownloads#FTKImager
Appreciate your comments about people like Corey Harrell (and yourself), who does stuff. The community gets better when more people take time to contribute and share what they know.
I'll be at DoD CyberCrime and your talk description has my interest piqued. I like the sounds of your approach of trying to engage the audience in a discussion. I hope folks are talkative, that always makes it more interesting and fun.
David,
I have to agree, but contributing can take so many different forms. I'd love to just see more people asking questions...as someone who's written tools, I know that I don't have all the answers. If I can better understand someone else's needs, maybe I can make the tools better.
However, more often than not, what happens is that someone downloads a tool, runs it incorrectly, decides it doesn't work, and doesn't say anything to anyone. I recently saw someone post to a forum about SANS SIFT...so my first question was, "...did you go to Rob Lee and ask him the question?" The answer was "no", which I do not understand.
My point is that not everyone can DO something, in the sense that Corey does stuff. However, something as simple as asking a question or just letting someone know what your needs are is still contributing to the overall community.
WRT my DC3 presentation, I hope to see you there! It's gonna be good!
Thanks for the compliments about my efforts; the feedback means a lot. Just the other day I was talking to my wife about how much I've benefited by trying to help others. I'm better at DFIR as a direct result of my willingness to share information, whether it's through blogging, security groups, forums, or asking questions.
I just wish everyone understood that sharing information not only makes others better but it helps to improve yourself at the same time.
Harlan,
I went through your timeline presentation and used the tools to generate the timeline. Question to you: Is the generated timeline in UTC format?
Thanks for sharing. Till now I was using SIFT and Log2Timeline, but found your method and the steps useful as I can run it on a Windows workstation.
Thanks,
Lakshmi N
Lakshmi,
I went through your timeline presentation and used the tools to generate the timeline. Question to you: Is the generated timeline in UTC format?
In the timeline presentation, slide 18 has a bullet that states, "Time (normalized to Unix epoch time, UTC)".
HTH
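As an added illustration of what "normalized to Unix epoch time, UTC" means in practice (example code written for this page, not Harlan's tools): Registry key LastWrite times are 64-bit FILETIME values, counted in 100-ns ticks since 1601-01-01 and already in UTC, so normalizing them is arithmetic with no local-time conversion. The pipe-delimited output line is a constructed format, and the sample FILETIME is constructed to correspond to 2011-11-14 00:00:00 UTC.

```python
from datetime import datetime, timezone

# Ticks (100 ns) between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_100NS = 116444736000000000
TICKS_PER_SECOND = 10_000_000

# Constructed sample: FILETIME for 2011-11-14 00:00:00 UTC.
SAMPLE_FILETIME = 129657024000000000


def filetime_to_epoch(filetime: int) -> int:
    """Convert a 64-bit Windows FILETIME to whole seconds since the Unix epoch (UTC)."""
    if filetime < EPOCH_DIFF_100NS:
        raise ValueError("FILETIME predates the Unix epoch; cannot normalize")
    return (filetime - EPOCH_DIFF_100NS) // TICKS_PER_SECOND


def epoch_to_utc_string(epoch: int) -> str:
    """Render a normalized epoch value as a human-readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timeline_line(filetime: int, source: str, host: str, user: str, desc: str) -> str:
    """Build one event in a constructed pipe-delimited layout: epoch|source|host|user|description.

    Every event carries the same UTC epoch scale, which is what lets events from the
    Registry, file system and Event Log be sorted together on one timeline.
    """
    return "|".join([str(filetime_to_epoch(filetime)), source, host, user, desc])


if __name__ == "__main__":
    line = timeline_line(SAMPLE_FILETIME, "REG", "host1", "-",
                         "LastWrite HKLM/SYSTEM/ControlSet001/Services/example")
    print(line)
    print(epoch_to_utc_string(int(line.split("|")[0])))
```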
Thanks Harlan.
The Symantec report has a small error with the location of the registry key showing Duqu infection. Instead of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"CFID", it should be CF1D at the end.
Source: https://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter