Comments on Windows Incident Response: In The News

H. Carvey (2009-11-12 15:35 -05:00):

Jimmy,

"Would it follow, then, that it's almost always the API or the function of some library or the like that does something and not the app?"

No, that's not a blanket statement you can use. It's apparently the case...but only in these cases, as far as I know.

For instance, when a PE file is launched, if you "watch" it with ProcMon, you'll see the Image File Execution Options Registry key checked. This isn't a function of the PE file itself...this is a function of how the OS manages the launching of the PE file. However, with MRU lists, those are, in most cases, a function of the app...how/if they're written, how they're maintained, etc.

"Perhaps too many cases are founded on evidence that lends itself to the trojan defense."

I think that the first instances of the use of the defense were more of "..this stuff is so technical, they'll never prove otherwise.."; now, it might be more of a gamble on how good the examiners for both sides are.

The interesting thing about your statement, though, is that there is evidence that may lend itself very well to the Trojan Defense...but at the same time, there's other information available that can lend a greater level of context and granularity to that evidence.

Jimmy_Weg (2009-11-12 15:13 -05:00):

"Understood...but on a system with, say, 20,000 images, how many does one actually have to categorize?"

20,000 images are nothing! I probably can view that many thumbs and categorize them properly in about an hour. I've had a case with one million, but that's another story :-). It's really not a matter of "how many are enough?" Regardless of the fact that one or five can be an offense, the idea, after all, is to protect children. We send all c-p to NCMEC for the database and stopping short, in any but an extreme case, is unacceptable. We can, however, provide the images to the case agent or an analyst for review.

The EID feature is an add-on that is not free unless you buy an extended subscription. I find that disappointing in an expensive tool. A similar feature comes with XWF. That said, I rarely use it; I can't take a chance of missing anything, and these tools are imperfect.

"First, those TIF subfolders aren't created by IE, they're created by the use of the WinInet APIs, which IE uses."

You got me here, so please forgive my ignorance of the subject. Would it follow, then, that it's almost always the API or the function of some library or the like that does something and not the app? Of course, absent any indication of infection, it's a matter of what's in the folders and how it got there. Perhaps too many cases are founded on evidence that lends itself to the trojan defense.

JM (2009-11-11 11:51 -05:00):

Bingo. Using procexp, I see the wininet.dll file loaded by the email client, and see the system calls via procmon.

Another successful day of learning. :-)

JM (2009-11-11 11:28 -05:00):

Using IEHV from NirSoft, I was reviewing the history files and found *a lot* of local file browsing in the user temp folders, the contents of which were all emails (and the temp folder resembled the name of the email client itself, "xpgrpwise", along with the internal email domain and post office of the user).

I confess that I committed a cardinal sin and didn't really pursue it much further, simply assuming, er, "concluding" that the local client was using the "IE engine" to render HTML email. (In my defense, I was really just testing the iehv tool and had no investigation that would require verification at the time. Still, I should've run it to ground.)

Now it seems more logical that the client was probably just using the WinInet APIs. And this time I will at least attempt to verify that. :-)

H. Carvey (2009-11-11 11:03 -05:00):

JM...interesting. Can you elaborate?

JM (2009-11-11 10:23 -05:00):

I have also seen where HTML email from the desktop client ends up in the TIF directory. That really confused me the first time I saw it.

Forensics (2009-11-11 07:33 -05:00):

Well, for one "customer" (in the UK) it is 10000 images, so it takes a while.

H. Carvey (2009-11-11 07:28 -05:00):

Understood...but on a system with, say, 20,000 images, how many does one actually have to categorize? Would it be enough to meet the federal statute? Or how about just 100? Would the time be better spent figuring out whether or not a Trojan really did it, or tying the images to a specific user account?

Forensics (2009-11-11 07:19 -05:00):

The locating of issues is easy enough; the actual grading, e.g. categorisation of pornographic material from pictures of trees/cars/houses etc., is a very time-intensive process, one which unfortunately takes far too much of an investigator's time, especially when you consider the volume of cases involving indecent pornography.