Monday, August 13, 2018

Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

Hello Reader,
            This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners have been awarded, it's your turn to give the challenge a try.

The first image password is 'tacoproblems'
The second and third image passwords are gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

Sunday, August 12, 2018

Daily Blog #450: Sunday Funday 8/12/18

Hello Reader,
Defcon is over and with it our CTF. For this week's challenge, let's look at some browser forensics artifacts that could be helpful to you when I open up the forensic CTF to the public tomorrow.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/17/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file-sharing site? Please include all of the locations available, not just the URL history.

Saturday, August 11, 2018

Daily Blog #449: Solution Saturday

Hello Reader,
Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if anti-forensics tools have been executed.


The Winning Answer:

The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution.

Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges), it is important to be broad in the areas you look, as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally, in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself.

Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled element, process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP, etc)
WSL (If WSL is in use then this opens a whole other kettle of fish: .bash_history, evidence of tool installation etc.)
Evidence of process artifacts in RAM
Command history in RAM

MacOSX
knowledgeC.db database (application usage data)
.bash_history (if tools were used or executed from the command line)
FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bash_history in RAM
Evidence of process artifacts in RAM

Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable “ZZZ” files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such telltale sign is recoverable files with random filenames and high-entropy content consistent with being overwritten with pseudo-random data; entropy analysis of recovered deleted files can highlight these.

Evidence of research/download/installation
Proving the intent of a user can also be useful, whether or not evidence of the use of anti-forensic tools is actually identified. Evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview etc.) can help. Additionally, evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.

Windows
Registry artifacts (installed applications, application specific entries etc)

OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents

Both
The disk… (Look for executables for anti-forensics tools on disk e.g. ‘Program Files’ Directories, ‘Applications’ directories, ‘Downloads’ directories) 
Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))
Proxy/ web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)

Wildcard
You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be “undetectable”. Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but the evidence of the existence of a now-deleted VM, coupled with the note, made compelling reading in court.
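The winning answer above mentions entropy analysis of recovered files as a way to spot remains of a pseudo-random overwrite. The following is an added example (mine, not part of the winning answer or the blog) that scores every file in a directory of carved or recovered files by Shannon entropy and flags random-looking filenames; the 7.5 bits/byte threshold, the filename heuristic and the sample files are my own assumptions, constructed for the demonstration.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter

# Assumed thresholds, not from the original post: uniform bytes approach 8.0 bits/byte.
HIGH_ENTROPY_BITS = 7.5
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")  # assumed heuristic for "random" names


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_random_name(filename: str) -> bool:
    """True for a long alphanumeric stem with no separators, e.g. 'Xk9v2Qp7Lm4Z.dat'."""
    return RANDOM_STEM.match(os.path.splitext(filename)[0]) is not None


def scan_recovered(directory: str, threshold: float = HIGH_ENTROPY_BITS) -> list:
    """Score each regular file in a directory of carved/recovered files."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            ent = shannon_entropy(fh.read())
        # flagged: content consistent with a pseudo-random overwrite by a wiping tool
        results.append({"name": name, "entropy": round(ent, 3),
                        "random_name": looks_random_name(name), "flagged": ent >= threshold})
    return results


def build_sample_dir() -> str:
    """Constructed sample set: a text report, a zero-filled blob, and a random-named
    file of seeded pseudo-random bytes standing in for a wiped file's remains."""
    d = tempfile.mkdtemp(prefix="recovered_")
    rng = random.Random(20180811)
    samples = {"report_q3.txt": b"Quarterly numbers look fine, nothing to report.\n" * 60,
               "notes.bin": bytes(2048),
               "Xk9v2Qp7Lm4Z.dat": bytes(rng.getrandbits(8) for _ in range(4096))}
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d
```

Running `scan_recovered(build_sample_dir())` flags only the random-named, random-content file; on real carved output, compressed or encrypted files will also score high, so the flag is a triage pointer rather than proof of wiping.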

---

Daily Blog #448: Defcon DFIR CTF update

Hello Reader,
      Another late post after a long day in Vegas. We launched the CTF today and already have a fight for the top 3 spots. As more people get the evidence I'm expecting it to get really interesting.

We initially planned to do a live stream today but spent most of the day finishing the last questions so I expect we will do the stream tomorrow instead.

For those who want to watch the scoreboard go to
https://defcon2018.ctfd.io/scoreboard

To follow along, the contest ends tomorrow night! There is a long time for everything to change by then.

As before once the event is over we will make the images public and everyone can play, just without prizes.

Friday, August 10, 2018

Daily Blog #447: Defcon 2018 Forensic CTF

Hello Reader,
Just a reminder that the CTF starts tomorrow afternoon. If you are in Vegas and have not signed up yet, here is the link:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055?ref=estw

Prizes:
1st. DFIR NetWars Continuous for a year from SANS and a Lego minifig
2nd. Magnet prize-loaded backpack, Lego minifig and a license for Forensic Email Collector
3rd. BlackBag prize pack

It's not too late to sign up, get ready!

Thursday, August 9, 2018

Daily Blog #446: Sparse image blues

Hello Reader,
     A quick one before I fall asleep after a long day of CTF prep and Vegas fun. If you are using the F-Response imager to capture a full disk, be aware that it seems to default to a sparse image format and leaves out shadow copies.

However, imaging the same F-Response-mounted disk with another tool will capture the full disk.

Wednesday, August 8, 2018

Daily Blog #445: F-Response and the Cloud

Hello Reader,
           Today I'm sharing a lesson I learned from acquiring systems in the cloud from another cloud-hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects.

I was quite confused. I checked the network and realized my RDP session was active the entire time and hadn't timed out. I restarted the F-Response service and kept a ping running; when the F-Response agent timed out, I noticed the ping never lost a packet.

So I reached out to the excellent support staff (aka Matt Shannon) at F-Response and explained my problem, and they quickly reached back out (after 5PM!) and offered a suggestion: check your clock skew.

This isn't something I had run into before, so I went and made sure my clocks were the same, and now it's happily imaging away.

So hopefully this helps someone in the future: if your F-Response subject keeps timing out, check to make sure that the license server and the subject are set to the same time!