Tuesday, July 17, 2018

Daily Blog #424: The registry key so nice they named it twice, computername computername

Hello Reader,
               I enjoy teaching forensics as students always ask questions to make you figure out things you just take for granted. A good example of this was last month while in Amsterdam I had a student ask, hey why is the computername registry key in the System registry (located under System\\Control\ComputernName\CompuerName) under a registry key named computername. 

I've always made jokes about this key, see post title above, but never really took the time to understand why it was setup this way. A couple of google searches and some in class testing later I had my answer.

It turns out that when you change the name of your Windows computer in the control panel that a new key is added to the base computername key. This new key called ActiveComputerName contains the old name of the computer prior to you changing it while the new name you have given the computer is now stored in the ComputerName key.

Here is the ComputerName key after renaming the computer

Here is the old name of the computer, located in the ActiveComputerName key

Here is the new name of the computer in the ComputerName key

On reboot the activecomputername key is deleted and the new ComputerName key is kept.

So there you go, there is in fact a reason and a function for the duplication in the computername registry key. Every key, every decision has a story and understanding how it works and why will only make you a better examiner. 

Sunday, July 15, 2018

Daily Blog #423: Sunday Funday 7/15/18

Hello Reader,
          Windows 10 keeps on changing and with it new features come along that we care about and old features we were excited about disappear. Let's see if you can solve this missing artifacts mystery in this weeks Sunday Funday.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 7/20/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtfu
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Cortana used to have a database that kept track of location information and other relevant DFIR data. As of a year ago the database has changed and the location data is nowhere to be found. For this weeks challenge please answer the following questions:
1. Where does Cortana keep it's data now
2. What data does Cortana retain now 
3. Is there any location history left from Cortana

Daily Blog #422 Solution Saturday 7/14/18

Hello Reader,
         Things are always changing in forensics and especially forensic analysis of cloud hosted systems. This weeks challenge involved Office 365 audit logs and while the contest was going this week Microsoft announced welcome changes that will be rolled out that will change both the question and this weeks answer. So congratulations to this weeks winner Adam Harrison .

The Challenge:
Explain in a compromise of a Office365 account what you could review in the following circumstances.

Scenario a: only default logging in a E3 plan

Scenario b: Full mailbox auditing turned on

You are attempting in both scenarios to understand the scope of the attackers access 

The Winning Answer from Adam Harrison:

The first point to note is that a compromise of Office 365 (while commonly referred to as Business Email Compromise (BEC)) is not necessarily limited to email accounts. Depending on how an organisation employs Office 365 they may host a wealth of information besides just email and attachments in O365, much of which could be valuable to an attacker. In the case of the in-scope E3 plan, each compromised user account could potentially expose:

Exchange — Email messages, attachments and Calendars (Mailbox size up to 100GB)
OneDrive — 1TB per user, unless increased by admins to up to 25TB.
SharePoint — Whatever sites that user has access to.
Skype — Messages, call and video call history data
Microsoft Teams — Messages, call and video call history data as well as data within integrated apps.
Yammer — Whatever it is people actually do on Yammer. Are you prepared for a full compromise of your organisation's memes, reaction gifs and cat pictures?

All of that before you concern yourself with the likelihood of credential reuse, passwords which may be stored within O365 (Within documents and emails) for other services, delegated access to other mailboxes and MDM functionality.

Specifically answering the two questions:

Scenario a: only default logging in a E3 plan

Below is a non-comprehensive list of evidence sources which may be available to an examiner to assist in understanding the scale/scope of an O365 compromise:

  • Unified Audit Log, via Audit Log Search in the Security & Compliance Centre and accessible using Search-UnifiedAuditLog' cmdlet. This will need to be enabled if not already enabled and will provide retrospective visibility if enabled after the fact.
  • Mailbox Content
  • Read Tracking 
  • Message Tracking Logs
  • Mailbox Rule information
  • Proxy Logs/ DNS Logs/ Endpoint AV Logs / SIEM
  • Office 365 Management Activity API
  • Azure Active Directory reports and Reporting Audit API (With Azure AD P1/P2)

Scenario b: Full mailbox auditing turned on

By default, Auditing is not enabled, nor are the more granular Mailbox Auditing and SharePoint Site Collection Audit options. However, if we assume that 'audit log search' has been enabled as well as the optional logging associated with enabling 'mailbox auditing' and that audit has been configured for all SharePoint site collections then the following additional evidence sources become available.

  • Unified Audit Log - but now with more detailed events recorded as a result of enabling 'mailbox auditing'. The 'Search-MailboxAuditLog' will now also be available.
  • SharePoint Audit log reports

It should be noted that simply enabling mailbox audit logging for all mailboxes is not enough to capture all useful events. By default, only the 'UpdateFolderPermissions' action is logged with additional events requiring configuration, these include Create, HardDelete, MailboxLogin, Move, MoveToDeletedltems, SoftDelete and Update events.

SharePoint audit logging is pretty granular and, in my experience, rarely enabled. However, if correctly configured a record of user actions including document access, modification and deletion actions can be generated.

These evidence sources, their usefulness and some suggested methodologies to leverage them are outlined in my recent blog post.

Friday, July 13, 2018

Daily Blog #421: Magical DFIR Beasts and where to find them

Hello Reader,
                  Good news, the Unicorn maybe dead but it turns out all of the issues that it raised is causing a major change from the Office 365 team. You can read the official announcement here: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171 but here is the TLDR:

1. Mailbox auditing will now be turned on in full mode by default for all commercial tenants
2. If you already have mailbox auditing turned on it will continue to be on
3. They are going to add more audit flags to provide more granular access

This is great news and it should be on by default across your potential investigations by the end of year, but you could always just try to talk people into turning it on now!

Thursday, July 12, 2018

Daily Blog #420: 2018 Unofficial Defcon CTF Update

Hello Reader,
           In the first 24 hours we've already had 39 signups for the CTF, last year we had 125 and I've expanded the initial amount to 200 to start with. I wanted to provide an update because we are going to cap this to keep it manageable and I expect that we are going to hit our max again this year.

Why do I expect to hit the max? Well if you consider there are over 10,000 people at Defcon then 200 is only .02% of the total population. We think there are more DFIR and DFIR interested people at Defcon than most of us realize and our hope is to build the interest into a community there to bring people into out world that may not realize we exist.

Make sure to sign up here:

Tuesday, July 10, 2018

Daily Blog #419: Unofficial Defcon DFIR CTF 2018

Hello Reader,
            Matt and I are working on creating the evidence you will be examining for next months Unofficial Defcon DFIR CTF! This post is here to let you know that:

1. We plan to do it again this year
2. We will be distributing the files electronically this year, no in person transfer needed
3. Signups will happen through CTFd I'll be posting the link closer to Defcon
4. If you or your company wants to supply a prize we open to working with you on that. Last year we did it in partnership with SANS who provided DFIR Netwars Continuous to the winners
5. This years scenario is set to be much more involved than last years, if everything we are planning works out
6. We are still planning on restricting this to people who are in Las Vegas for the event. Why? So we can get everyone who qualifies together at the end

We had a lot of fun last year and we look forward to meeting new talented examiners this year.

You can sign up here:

Matt and I will be doing a live stream during the event to provide some commentary on how it's going. This is something we wanted to do after the Magnet CTF and it should be fun.

Monday, July 9, 2018

Daily Blog #418: Exploring Extended MAPI part 19

Hello Reader,
         Since my last test that showed that the Extended MAPI data wasn't be updated when I modified a message in OWA in my local outlook client I've been testing ways to get this updated data.

First I tried to download my mailbox, but apparently I need to get a working EWS url first. So I'll try that again tomorrow.

Second I went into the compliance center and searched for and found my test message I've been experimenting with. In doing this I downloaded the original message in EML format (the only option given) and I still did not find the updated extended MAPI data as seen below:

Here the Last Modification time got set to when I downloaded the message from Compliance Center and the original submission time exists. But I have no Last Verb time or code showing this message was replied too.

Third I emailed myself the message in OWA as an attachment by drag and dropping the message into a new email, this actually put the message as a MSG attached to the email message. Once I accessed this within Outlook in my local system I was able to see the expected data:

Here you can see that we finally have the expected Last Verb time showing when the message was replied to and when it was replied to. The Last Modification has been updated to reflect when I sent the message to myself as an attachment.

So I now need to download the mailbox fresh and then look into my local outlook account to see if this data has finally been updated.