Wednesday, September 19, 2018

Daily Blog #483: Typed Paths Amnesia

Hello Reader,
               I'm going to update this post with a video when I get to my hotel room tonight and do a Test Kitchen. I wanted to take a moment to talk about the TypedPaths registry key in Windows. TypedPaths, if you are not familiar with it, records the last 25 paths you manually typed into the File Explorer address bar, seen highlighted below:



If you have ever tested this registry key (located under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths) you may have been confused that entries didn't show up in the key when you typed paths into the address bar, even though they still showed up in the drop-down within the GUI.


You have to close the File Explorer window for the entries you see within the GUI to be committed to the registry key.

When I showed this in class some time ago a student asked a very smart question: 'well, what happens if you have two File Explorer windows open?' So we did the test, and as it turns out something very interesting happens.

Both File Explorer windows start with a copy of the registry key loaded into memory and display the same entries. As you type new paths into each window, each shows its own version of the list without any knowledge of the other window.

When you close the first File Explorer window the registry key gets updated with the contents of that window's TypedPaths list. However, when you close the second window it overwrites the key without re-reading it first, meaning you lose any unique entries typed into the first window: the second window simply writes the contents of its own in-memory list to the registry.

So TypedPaths works, but like every other artifact it has limitations. Make sure you know what those limitations are!

Tuesday, September 18, 2018

Daily Blog #482: Teaching in Dubai!

Hello Reader,
             Are you in the Middle East and have a passion for DFIR? I'll be teaching SANS FOR500 Windows Forensics this November in Dubai! If you are interested you can learn more here:

https://www.sans.org/event/gulf-region-2018

For those of you in the United States after my SANS world tour of 2018 I'm scheduled to teach back home twice so far in 2019. Once in January at the CTI Summit:

https://www.sans.org/event/cyber-threat-intelligence-summit-2019

And lastly at Security West in May:
https://www.sans.org/event/security-west-2019


I hope to see you at one of these events!

Monday, September 17, 2018

Daily Blog #481: Event Logs for VHDs

Hello Reader,
                I was going back through default event logs when I ran across an event log for VHD actions that is described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx" that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten, but it is something I thought would be useful in the future so I decided to document it here. Here is an example of a VHD being attached to my Windows 10 system.


Sunday, September 16, 2018

Daily Blog #480: Sunday Funday 9/16/18

Hello Reader,
          I'm going to change things around for this week's challenge: let's put the focus back on research and less on coding, and see how you do.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On Windows 7 test and document how you can get ObjectIDs to:
1. Populate
2. Change
3. Get preserved

Good luck!

Saturday, September 15, 2018

Daily Blog #479: Solution Saturday 9/15/18

Hello Reader,
       This week I didn't get any working entries for the challenge, meaning I'll just put up the code to do it on Monday. Otherwise make sure to try and submit next week; your hesitation might have cost you $100!

Friday, September 14, 2018

Daily Blog #478: Github repository for the Test Kitchen

Hello Reader,
        I went ahead and added a GitHub repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:

https://github.com/dlcowen/TestKitchen/blob/master/ObjectIDScannerV1

This script requires that you have installed:
Python 3.6 or newer
pytsk3


And you can follow this repository to get all the scripts I show on future episodes of the Test Kitchen:
https://github.com/dlcowen/TestKitchen

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Thursday, September 13, 2018

Daily Blog #477: Forensic Lunch Test Kitchen 9/13/18 ObjectID Decoded and timestamps tested

Hello Reader,
        Our Forensic Lunch Test Kitchen series continues! Tonight we decoded the ObjectID values into their timestamps, clock sequences, versions, variants and MAC addresses to try to understand more about what the values mean.

We found that:

  • As Maxim Suhanov (https://twitter.com/errno_fail) stated, the time values used to construct the ObjectID UUIDs are cached, meaning that the decoded timestamp does not indicate when the ObjectID was created; the timestamps increment by milliseconds between ObjectID creations within the same boot
  • The seed of the cached timestamp is the system boot time, so at every reboot the cached time that serves as the earliest possible ObjectID time updates to the boot time recorded in the System event log
  • The sequence number does appear to increment overall, but this needs further testing
  • The $Volume ObjectID attribute is actually the VolumeID referenced by the ObjectID index
You can watch it here:

Daily Blog #476: Forensic Lunch Test Kitchen 9/12/18 ObjectID Default Behavior

Hello Reader,
         Another night, another Test Kitchen! Tonight I tried to remove my observation bias from the past episodes by modifying the code from my Automating DFIR with Pytsk series to extract the $OBJECT_ID attributes from files and directories in the MFT. To do this I wrote and troubleshot a script in Python 3 (which I'm trying to force myself to convert to) that recurses through a live volume and prints out every ObjectID that exists.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from when the file was created
  • Some user directories have ObjectIDs
  • Some installed programs carry the MAC addresses of their developers' systems
  • Some Windows system32 executables have ObjectIDs, and in Windows 7 they have the original MAC addresses
Watch the video below to learn more:
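To make the decoding from the #477 Test Kitchen above concrete, and to show what the #476 scanner actually has to pull apart once it has the raw attribute bytes, here is an added example in Python (not code from the post or from the TestKitchen repository). An NTFS ObjectID is a version-1 UUID stored in Microsoft's mixed-endian GUID layout, so Python's uuid module can split it into timestamp, clock sequence, version, variant and node (MAC) fields; the $OBJECT_ID attribute itself is either 16 bytes (ObjectId only) or 64 bytes (ObjectId, BirthVolumeId, BirthObjectId, DomainId). The sample bytes, the MAC 00:0c:29:ab:cd:ef and the 2018-09-13 timestamp are constructed for this example, not taken from any real system.

```python
"""Decode NTFS ObjectIDs (version-1 UUIDs) and $OBJECT_ID attribute contents.

Added example, not code from the original post or the TestKitchen repository.
The sample values below are constructed for illustration.
"""
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# UUID v1 timestamps count 100 ns intervals since the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


@dataclass
class DecodedObjectId:
    guid: str               # canonical text form, as fsutil objectid query prints it
    version: int            # 1 for the time-based UUIDs NTFS uses
    variant: str            # "specified in RFC 4122" for a normal ObjectID
    timestamp: Optional[datetime]  # cached per boot: a lower bound, not creation time
    clock_seq: int          # 14-bit clock sequence
    node: str               # 48-bit node, normally the MAC of the primary NIC
    node_is_random: bool    # multicast bit set => random node ID, not a real MAC


def decode_objectid(raw: bytes) -> DecodedObjectId:
    """Decode the 16 on-disk bytes of an ObjectID GUID.

    NTFS stores the GUID with Data1/Data2/Data3 little-endian and Data4 as-is,
    which is exactly the layout uuid.UUID(bytes_le=...) expects.
    """
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    u = uuid.UUID(bytes_le=raw)
    # RFC 4122 section 4.5: a generator with no MAC sets the multicast bit of the node,
    # which is one explanation for "invalid" MAC addresses seen in ObjectIDs.
    node_is_random = bool((u.node >> 40) & 0x01)
    node = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # u.time is the 60-bit 100 ns counter; only meaningful for version 1.
    ts = UUID_EPOCH + timedelta(microseconds=u.time // 10) if u.version == 1 else None
    return DecodedObjectId(str(u), u.version, u.variant, ts, u.clock_seq, node, node_is_random)


def parse_object_id_attribute(data: bytes) -> Dict[str, Optional[DecodedObjectId]]:
    """Split the content of an NTFS $OBJECT_ID attribute (type 0x40).

    16 bytes: ObjectId only. 64 bytes: ObjectId, BirthVolumeId, BirthObjectId,
    DomainId. An all-zero GUID (typical for DomainId) is reported as None.
    """
    names = ("object_id", "birth_volume_id", "birth_object_id", "domain_id")
    if len(data) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID length {len(data)}")
    out: Dict[str, Optional[DecodedObjectId]] = {}
    for i, name in enumerate(names[: len(data) // 16]):
        chunk = data[i * 16:(i + 1) * 16]
        out[name] = None if chunk == bytes(16) else decode_objectid(chunk)
    return out


# Constructed sample: fields chosen by hand (2018-09-13 00:00:00 UTC, clock
# sequence 0x2345, node 00:0c:29:ab:cd:ef), written in on-disk byte order.
SAMPLE_OBJECT_ID = bytes.fromhex("008010f5e7b6e811a345000c29abcdef")
# Constructed BirthVolumeId: same node, slightly earlier cached timestamp.
SAMPLE_BIRTH_VOLUME_ID = bytes.fromhex("0000ffe0e7b6e811a345000c29abcdef")
# Constructed 64-byte attribute: BirthObjectId equals ObjectId (file never moved
# between volumes), DomainId all zero.
SAMPLE_ATTRIBUTE = SAMPLE_OBJECT_ID + SAMPLE_BIRTH_VOLUME_ID + SAMPLE_OBJECT_ID + bytes(16)


if __name__ == "__main__":
    for name, value in parse_object_id_attribute(SAMPLE_ATTRIBUTE).items():
        print(name, value)
```

The timestamp field is the cached per-boot value the post describes, so treat it as "not before boot, not before the previous ObjectID" rather than as a creation time; the node field is the more durable pivot, since it follows a file that is copied with its ObjectID to another volume.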

Tuesday, September 11, 2018

Daily Blog #475: Forensic Lunch Test Kitchen 9/11/18 ObjectIDs

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface, as described in Harry Parsonage's paper (http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf)
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set on one system does not update the ObjectID when the same file is opened from the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below:

Monday, September 10, 2018

Daily Blog #474: Application Experience Program Telemetry

Hello Reader,
         I had another examiner, who will go nameless unless they choose to be named, ask what program execution and persistence artifacts appear to be unique to Windows Server 2008 vs Windows 7. I thought about this for a while and it boiled down to differences in default event logging, with Windows Server typically having many more default events and logging sources enabled than the desktop OS.

As I was going through the event logs on one of my own Server 2008 R2 systems I noticed that my telemetry logs appeared to be much more thorough than the same version of my own desktop telemetry logs.

The log in question is the evtx file Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx. Inside this event log, which Cylance touched on back in 2013 (https://threatvector.cylance.com/en_us/home/Uncommon-Event-Log-Analysis-for-Incident-Response-and-Forensic-Investigations.html), is a series of EventID 500 entries that record each executable that required a compatibility fix. An example message follows:

Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.

I like this event log because:

  1. It only gets populated when application compatibility is invoked, which much malware written to run across multiple Windows versions triggers
  2. Because it doesn't get overwhelmed with events, my server's copy of this log goes back 3 years
  3. It is unlikely to be cleared, as attackers focus on the Security event log
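To turn those EventID 500 entries into something you can sweep across a server, here is an added example in Python (not the author's code). It parses the rendered message text, as exported by Event Viewer or an evtx parser, into the executable path, the fix name(s), the GUID and the flags, and then pulls out the executables that were shimmed from user-writable locations. The message layout is assumed from the single example quoted above, the user-writable path markers are this example's own choice, and of the three sample messages only the first is from the post; the other two, and their GUIDs, are constructed.

```python
"""Parse EventID 500 "Compatibility fix applied" messages from
Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.

Added example, not the author's code. Works on the rendered message text;
the first sample message is the one quoted in the post, the other two are
constructed with made-up GUIDs. The message layout and the user-writable
path markers are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed layout, taken from the message quoted in the post:
#   Compatibility fix applied to <path>.
#   Fix information: <fix name(s)>, {<GUID>}, 0x<flags>.
_MSG_RE = re.compile(
    r"Compatibility fix applied to (?P<path>.+?)\.\s*"
    r"Fix information:\s*(?P<fixes>[^{]*?),\s*\{(?P<guid>[0-9A-Fa-f-]{36})\},\s*"
    r"0x(?P<flags>[0-9A-Fa-f]+)\.",
    re.DOTALL,
)

# Assumption: path fragments marking locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class CompatFixEvent:
    path: str          # as logged; may be in 8.3 short form (SERVIC~2, NETWOR~1)
    fixes: List[str]   # shim name(s), e.g. ["RunAsInvoker"]
    guid: str          # GUID printed after the fix names, lower-cased
    flags: int         # trailing hex value as an int


def parse_telemetry_message(message: str) -> Optional[CompatFixEvent]:
    """Return the parsed event, or None if the text is not an EventID 500 message."""
    m = _MSG_RE.search(message)
    if m is None:
        return None
    fixes = [f.strip() for f in m.group("fixes").split(",") if f.strip()]
    return CompatFixEvent(m.group("path"), fixes, m.group("guid").lower(),
                          int(m.group("flags"), 16))


def parse_all(messages: Iterable[str]) -> List[CompatFixEvent]:
    """Parse a batch of rendered messages, skipping anything that does not match."""
    return [e for e in (parse_telemetry_message(m) for m in messages) if e is not None]


def flag_user_writable(events: List[CompatFixEvent]) -> List[CompatFixEvent]:
    """Shimmed executables under Temp, AppData, etc. deserve a second look.

    This is a triage list, not a verdict: the post's own example (MpSigStub.exe
    under a service account's Temp directory) lands here too.
    """
    return [e for e in events if any(mk in e.path.lower() for mk in USER_WRITABLE_MARKERS)]


SAMPLE_MESSAGES = [
    # Quoted from the post.
    r"Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe."
    "\nFix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.",
    # Constructed for this example.
    r"Compatibility fix applied to C:\Users\alice\AppData\Local\Temp\setup_helper.exe."
    "\nFix information: RunAsInvoker, {aaaaaaaa-0000-4000-8000-000000000001}, 0x40102.",
    # Constructed for this example.
    r"Compatibility fix applied to C:\Program Files\ExampleVendor\legacy_tool.exe."
    "\nFix information: DisableThemes, {aaaaaaaa-0000-4000-8000-000000000002}, 0x40102.",
    "Unrelated message text",
]


if __name__ == "__main__":
    for event in flag_user_writable(parse_all(SAMPLE_MESSAGES)):
        print(event.path, event.fixes, hex(event.flags))
```

Because the log is small and long-lived, the useful workflow is to diff the set of shimmed paths against a known baseline for the host; a path that has never been shimmed before, in a directory the user can write to, is what you chase first.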

I am going to do some testing and run some different attacker tools on Windows Server tomorrow night and see which leave entries in these event logs. 

Sunday, September 9, 2018

Daily Blog #473: Sunday Funday 9/9/18

Hello Reader,
           Another week passes and I'm full of ideas of things I want to test, program and try. After Phill Moore's program that recursively calls fsutil to determine ObjectIDs, I thought maybe a smaller-scale challenge would help us all move forward on this path. So this week we are doing another Python programming challenge, but with a possibly smaller scope.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a program in Python to parse the $O stream found at \$Extend\$ObjId:$O on any NTFS drive with Windows running.

Good luck!

Saturday, September 8, 2018

Daily Blog #472: Solution Saturday 9/8/18

Hello Reader,
      I didn't mean for there to be a week without a solution or a challenge, but Labor Day weekend was way too much fun to stop and blog. So here is a late submission by Phill Moore which answered the last challenge posted, on listing ObjectIDs.

Now Phill took an interesting approach: he iterates through the file system running fsutil by calling out to the command line. You can find his solution here:
https://github.com/randomaccess3/SundayFunday/tree/master/ListObjectIDs

In the coming days, as I get my development environment ready for a broadcast, I plan to do a more direct parse using dfvfs. Let's see how it goes!

Thursday, September 6, 2018

Daily Blog #471: Gearing up for more dfvfs programming

Hello Reader,
        In my attempt to get a Windows VM up and running as a test development environment for doing some tutorials on 64-bit Python 3.6 and dfvfs, I ran into an interesting challenge I thought I would document here to help you, and myself in the future when I forget I figured this out.

If you are installing a library like pytsk that requires some Visual Studio runtime DLLs to be installed, then you'll get an interesting error like

"python can't find installed module"

when attempting to import the module. I hit this when I was using the Windows Python 3.6 install from python.org. I attempted different versions of Python 3.6, only in the end to discover that the real issue was the missing DLL. So instead just install the ActiveState version of Python 3.6 and it will install the DLLs needed to get the libraries working.

Looking forward to documenting more as the week goes on!

Wednesday, September 5, 2018

Daily Blog #470: Unforseen impact of our work

Hello Reader,
                Today I'm reflecting on something that hasn't happened to me in the 19 years I've been doing digital forensics. A defendant in a civil lawsuit committed suicide and I was the expert for the plaintiff. I've seen a lot of people whose choices have left them in different positions of distress but this is the first time I've had one who went as far as to end their lives because of it.

So take a second to remember that the data you are analyzing belongs to a person, and sometimes they have more problems than you know about.

Tuesday, September 4, 2018

Daily Blog #469: Book Highlight Learning Python for Forensics

Hello Reader,
            If you've read some of the older blog series you know that I'm a big proponent of getting new and old examiners programming. In my Automating DFIR series I focused on people who already knew Python and wanted to learn how to interact with forensic images in their scripting, but it didn't help those examiners who didn't have a good place to start with programming in the first place.

I've started reading Learning Python for Forensics and the Python Digital Forensics Cookbook to see what Preston Miller and Chapin Bryce had to say. So far I think they've done an excellent job getting new programmers up to speed with useful scripts that will help to automate their workflow.

You should go check it out here:
https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230


Thursday, August 30, 2018

Daily Blog #468: Jessica Hyde on Rally Security

Hello Reader,
       If you want to understand how people outside of our DFIR space see and understand us, even with a technical infosec background, check out Jessica Hyde's appearance on Rally Security. It was a great reminder of seeing something we are all so deep in from the outside. I think putting yourself into others perspectives helps you explain things and educate others on what we do.

You can watch it here:
https://www.twitch.tv/videos/303079856

Wednesday, August 29, 2018

Daily Blog #467: Forensic Lunch Test Kitchen 8/29/18

Hello Reader,
        I've had a string of Test Kitchens this week all revolving around ObjectIDs. Today I extend and test Ken Pryor's testing in his blog (https://digiforensics.blogspot.com/2018/08/life-update-little-object-id-research.html) regarding how ObjectIDs are retained on copy and paste versus cut and paste between two NTFS volumes. I did my testing in Windows 7 and validated what Ken had found in his post.

In addition we did some testing with:

  • ObjectIDs and FAT file systems
  • Do directories get ObjectIDs in Windows 7?
  • Does Privazer or CCleaner get rid of ObjectIDs?
  • Why do we care about ObjectIDs so much?

You can watch the broadcast here:

Tuesday, August 28, 2018

Daily Blog #466: Forensic Lunch Test Kitchen 8/28/18

Hello Reader,
            Another Test Kitchen has been recorded. If you want to catch these live I can't promise any particular broadcast time, as I do these when I have time, but if you subscribe to my YouTube channel (https://www.youtube.com/user/LearnForensics) you will get notifications whenever I do go live.

This Test Kitchen I did more experimentation with the creation of ObjectIDs when saving files from browsers to the Downloads directory with surprising results! It turns out that:

  • Saving a text file in Chrome to the Downloads directory will create an ObjectID and a LNK file even without opening the file
  • Saving a text file in Firefox to the Downloads directory will create a LNK file but will not populate the ObjectID attribute
  • Saving executable files in both browsers will create Zone.Identifier alternate data streams, as Phill Moore researched prior, but will not create ObjectIDs or LNK files

Want to see and learn more? Watch the video below:

Monday, August 27, 2018

Daily Blog #465: Coming to London

Hello Reader,
        In the UK or Europe? In three weeks, on September 17, 2018, I'll be teaching SANS FOR500 Windows Forensics with Lee Whitfield. If you've read the blog, played the CTFs, done the challenges and watched the Forensic Lunch, it's time to come fill in the gaps. In class Lee and I will be going beyond the books to explain how and why things work and what you can rely on.

Interested?
You can find out more here:
https://www.sans.org/event/london-september-2018/course/windows-forensic-analysis

Sunday, August 26, 2018

Daily Blog #464: Sunday Funday 8/26/18

Hello Reader,
    I've been looking into ObjectIDs quite a bit lately so why not open up the fun to all of you and let's see what a crowdsourced effort can produce. This week will see the intersection of programming and analysis in what should be a good learning challenge for many of you.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/31/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a python script that can determine which files on a Windows 10 system have ObjectIDs. 

Daily Blog #463: Solution Saturday 8/25/18

Hello Reader,
      This week's submissions missed the mark: I got some about LNK file security vulnerabilities but none addressing the limitations on how they are created. So that sounds like a good topic for future Test Kitchens, and a new challenge tomorrow.

Saturday, August 25, 2018

Daily Blog #462: ObjectIDs and intrusion triage

Hello Reader,
         I was thinking more about yesterday's Test Kitchen in regards to ObjectID creation on Windows 10. To summarize the point: if a file gets created in the GUI in Windows 10 it creates a shell item (LNK, jumplist, recent doc, etc.) and also gets an ObjectID. It occurred to me that, just as we have trained examiners to look for Zone.Identifier streams for evidence of downloaded files, we could use the absence of an ObjectID on a Windows 10 file to find those files that were either not created within the GUI or were created in one of the special exclusion directories (Outlook temp, internet temp, etc.).

With this in mind, in an intrusion scenario we could quickly triage by eliminating all the files the user created through the GUI, then eliminating the system files through hash comparison, leaving us with a much smaller set of files whose hashes aren't known and which were not created by the user. This, along with a comparison against the execution artifacts, could lead to some pretty fast triage for possible malicious executables.

I'm going to see next week about writing a Python script to do this; expect a Sunday Funday challenge related to it.
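The triage filter described above, as an added example in Python (not the author's script): drop files that carry an ObjectID (user-created through the GUI), drop files whose hash is known good, skip the exclusion directories, and put whatever is left that also shows up in execution artifacts at the top of the list. The file records and the known-good hash set are constructed inline; the exclusion markers and the executable extension list are this example's assumptions standing in for the post's "special exclusion directories", not a complete or authoritative list.

```python
"""Triage filter: files with no ObjectID whose hash is not known good.

Added example, not the author's script. File records, hashes and the
known-good set are constructed for illustration. The exclusion markers and
extension list are assumptions, not an authoritative list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    object_id: Optional[bytes]  # raw $OBJECT_ID value, or None when the attribute is absent
    executed: bool = False      # seen in an execution artifact (Prefetch, Amcache, etc.)


# Assumption: directories where Windows creates files without ObjectIDs.
EXCLUDED_DIR_MARKERS: Tuple[str, ...] = (
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
    "\\appdata\\local\\microsoft\\windows\\temporary internet files\\",
)
# Assumption: extensions to look at first when hunting for executables.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ps1", ".bat", ".vbs", ".js")


def triage(records: Iterable[FileRecord], known_good: Set[str],
           exclusions: Tuple[str, ...] = EXCLUDED_DIR_MARKERS,
           executables_only: bool = True) -> List[FileRecord]:
    """Return the unknown, non-user-created files, executed ones first."""
    known = {h.lower() for h in known_good}
    candidates = []
    for rec in records:
        path = rec.path.lower()
        if rec.object_id is not None:
            continue  # created or opened through the GUI: attributable to a user
        if rec.sha256.lower() in known:
            continue  # known system or vendor file
        if any(marker in path for marker in exclusions):
            continue  # legitimately lacks an ObjectID; review separately
        if executables_only and not path.endswith(EXECUTABLE_EXTENSIONS):
            continue
        candidates.append(rec)
    return sorted(candidates, key=lambda r: (not r.executed, r.path.lower()))


# Constructed sample records; the hashes are placeholders, not real digests.
SAMPLE_RECORDS = [
    FileRecord("C:\\Users\\alice\\Documents\\budget.xlsx", "aa" * 32, b"\x01" * 16),
    FileRecord("C:\\Windows\\System32\\kernel32.dll", "bb" * 32, None),
    FileRecord("C:\\Windows\\Temp\\svchosts.exe", "cc" * 32, None, executed=True),
    FileRecord("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\ABCD1234\\page[1].htm",
               "dd" * 32, None),
    FileRecord("C:\\ProgramData\\Vendor\\helper.dll", "ee" * 32, None),
    FileRecord("C:\\Users\\alice\\Downloads\\notes.txt", "ff" * 32, None),
]
KNOWN_GOOD = {"bb" * 32}  # constructed: stands in for an NSRL-style hash set


if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS, KNOWN_GOOD):
        print("executed" if rec.executed else "dormant ", rec.path)
```

The ordering is the point: an unknown-hash executable with no ObjectID that also appears in Prefetch or Amcache is the first thing to open, and the dormant ones come next. Anything under the exclusion directories is not discarded, it is just reviewed with different expectations.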

Friday, August 24, 2018

Daily Blog #461: Forensic Lunch Test Kitchen 8/23/18

Hello Reader,
               Another day, another Test Kitchen! Sometimes it's easier just to stream a test out to YouTube rather than document and screenshot all of the steps, so I did that again tonight. This evening I decided to test whether ObjectIDs would be created for files that were created but not opened on Windows 7 and Windows 10.

If you wanted to watch one of these live, make sure to subscribe to the Youtube channel and receive notifications for random dings of forensic testing.

You can watch the video here:

Wednesday, August 22, 2018

Daily Blog #460: Test Kitchen 8/22/18

Hello Reader,
           If you were a subscriber to my YouTube channel you would have seen a notification that I was live tonight. Tonight I decided to do a Test Kitchen broadcast to test the behavior of jumplists in Windows 7 vs Windows 10 to see if any of the new jumplist behavior we have observed in Windows 10 was actually there all along.

If you watch the below video you can see me test whether or not Jumplist entries got created for:

  • Creating a file
  • Creating a directory
  • Opening a directory
  • Opening a file
  • Copy and pasting a directory
  • Renaming a directory
As well as some LNK file testing at the end to see how LNK files were created for opening a file in different directories.

Watch the video below!



Tuesday, August 21, 2018

Daily Blog #459: Building a testing lab on a budget

Hello Reader,
       I know many of you have work or home labs where you test things, research things and overall use different virtual environments. What many people don't know, though, is that you can get hold of almost all of the VMware software you need, like:

  • VMware Workstation
  • VMware Fusion
  • vCenter
  • vSphere ESXi Enterprise
  • vSAN
For $200 you can join the VMUG (VMware User Group) Advantage program, which gets you access to the EVALExperience, which in turn gets you 365 days of licensing for the above VMware software and much more. This has let me really accelerate some of my testing at a much lower cost, and I'm looking forward to using the clustered ESXi license as well as vSAN to set up larger research environments.


You'll have to set up an account at VMUG and usually wait a day to get the login to the OnTheHub store that contains the eval software. After that you have a year of much easier research ahead of you.

Good Luck!

Monday, August 20, 2018

Daily Blog #458: Object IDs

Hello Reader,
        In Hideaki Ihara's blog post on the port139 blog, he talks about a subsystem that has been around for quite some time, the Distributed Link Tracking System, which allowed LNK files and other shell item structures to survive a file being renamed or moved, prior to the inclusion of MFT reference numbers in Windows 7. This means that there are now at least two methods within a LNK file that allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki is pointing out that when a file is opened and a shell item is created for it, an Object ID should be created for it as an attribute. While I agree this is true, I would also look for the creation of the LNK file itself and then for which jumplist got updated to determine what application opened the file. Especially since not every file opened will get an Object ID, as stated in the limitations section of the Microsoft documentation.

In summary, an Object ID won't be set even if a file is opened when:

  1. The file is being opened from a removable drive
  2. The file is being opened from a FAT drive
  3. The file is being opened from a newly formatted NTFS volume and the system hasn't rebooted
  4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't rebooted
I think we should do more testing with this, but in all the above scenarios the shell item system would still record these accesses and the USN journal would show the LNK files and jumplists being updated. I like where Hideaki is going; I just want to make sure people are aware of what's possible.

Sunday, August 19, 2018

Daily Blog #457: Sunday Funday 8/19/18

Hello Reader,
Microsoft is always introducing subtle changes in Windows; sometimes they were there all along but we just didn't notice. Let's see what you can determine in this week's LNK file challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/24/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
As of Windows 10, possibly earlier!, windows will only keep 20 lnk files for a single extension. What other limitations of the lnk file system can you find?

Saturday, August 18, 2018

Daily Blog #456: Solution Saturday 8/16/18

Hello Reader,
           This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week but I would encourage anyone reading this to give these challenges a try and submit an answer. You can only benefit from the research and possibly the win!


The Challenge:
For Edge, Chrome and Firefox where could you find evidence of what was uploaded to a file sharing site. Please include all of the locations available, not just the url history


The Winning Answer:
Lodrina Cherne @hexplates


Here are some general methods to investigate upload activity in browsers:

RESEARCH! Besides searching your favorite forensic blogs, browsers and web applications may have developer documentation online.

In the past I’ve used Yahoo! Mail developer docs to better understand webmail artifacts. APIs and handles are sometimes documented for third party developers, use this to your advantage!

Here’s a snippet from the Yahoo Developer Network related to uploading:


This snippet is an example specifically related to advertiser data upload – so if I was interested in this artifact, one search term might be
              “status”: “completed”

Here’s an example related to Google Drive upload:



My search term for Google Drive uploads might be
              uploadTime=

Mozilla (FireFox) has a good collection of APIs, here are some upload related ones we might see:
What the MDN web docs tell us is that bytes and file path + name are properties used in “UploadData”. There’s also browser compatibility information – so this may apply with Chrome or FireFox on Android? Pretty cool!

These events may leave some of the above keywords on disk – but even more important than the keywords, we know that there is some kind of marker that the upload has started, that it’s completed successfully, etc. We know this data is being recorded somewhere, even temporarily, so it’s worth digging for this type of data on disk!

TEST! For different web applications, what is the expected behavior? Are there keywords that appear on screen or a string in the site URL?

Here’s one example using the Dropbox browser interface with Chrome. I am dragging and dropping a file from my system into Dropbox. Note the on screen prompt “upload to the folder”.


While the file is uploading, we see “Uploading Additional Forensic Resources.docx” at the bottom of the screen.


When the upload is complete, the status changes to “Uploaded Additional Forensic Resources.docx”


Potential search terms for Dropbox upload so far are
              upload to the folder
              Uploading [filename of interest]
              Uploaded [filename of interest]

These search terms could be run in your forensic tool across browser artifacts like history and cache. Using a forensic suite for your first pass search can be useful to look across different locations and filetypes. Are you searching inside SQLite databases? Decompressing FireFox session history? Not every suite will do this for you though they will be more efficient than searching each database or cache folder by itself on your first pass!

Besides browser artifacts, you could run these keywords across other areas of the drive like unallocated space and the pagefile/hibernation file.

Another test could be uploading a file with a unique name to a filesharing site, then search your browser data for that filename.


Daily Blog #455: Perfect Score in the Defcon DFIR CTF

Hello Reader,
       This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before we move onto the next project.

As a reminder the CTF is located here:
https://defcon2018.ctfd.io/

And you can download the images here:
http://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

Thanks everyone for playing and hopefully you will learn something from the experience! Next time we will up the difficulty. 

Thursday, August 16, 2018

Daily Blog #454: SQLite Write Ahead Logs and Python

Hello Reader,
           If you haven't already done so check out this blog post from Malware Maloney:
https://malwaremaloney.blogspot.com/2018/08/windows-10-notification-wal-database.html

In it the author not only shows how to create a new query for pulling messages from the database, he also extended a SQLite Python library to correctly decode the write-ahead log of the SQLite database that stores the notifications, meaning you can recover more deleted messages.

Give it a read and in a future post let's take that and write a script around it.

Wednesday, August 15, 2018

Daily Blog #453: Winners of the Unofficial Defcon DFIR CTF

Hello Reader,
        I realized that while I posted this on Twitter I did not share it on the blog, which is the more permanent record of things. First, this year's Defcon DFIR CTF was sponsored by:

SANS - Donating 1st prize access to DFIR NetWars Continuous for a year and Lego minifigs. Also, if you were in the Blue Team Village at just the right time, we brought out SANS t-shirts, polos, keychains and posters that quickly disappeared.

Magnet Forensics - Donating a really cool backpack that contained a license of AXIOM, a Magnet water bottle, a Magnet external cell phone battery and a cool Magnet pen.

BlackBag Forensics - Donating a license of BlackLight and a really cool insulated drink cup (like a Yeti or RTIC but with a very nicely done BlackBag logo).

MetaSpike - Who donated a license of Forensic Email Collector, which will go to whoever gets the first perfect score in the Defcon DFIR CTF!

  • 1st Place went to Hadar Yudovich @hadar0x

Tuesday, August 14, 2018

Daily Blog #452: Dealing with deleted shadow copies

Hello Reader,
       For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten leading to strange results.

Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.


Check it out below!

http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf

Monday, August 13, 2018

Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

Hello Reader,
            This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it's your turn to give the challenge a try.

The first image password is 'tacoproblems'
The second and third image password is gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

Sunday, August 12, 2018

Daily Blog #450: Sunday Funday 8/12/18

Hello Reader,
Defcon is over and with it our CTF. For this week's challenge let's look at some browser forensics artifacts that could be helpful to you when I open the forensic CTF up to the public tomorrow.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/17/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file sharing site? Please include all of the locations available, not just the URL history.

Saturday, August 11, 2018

Daily Blog #449: Solution Saturday

Hello Reader,
Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 


The Winning Answer:

The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution. 

Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges) it is important to be broad in the areas you look as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself. 

Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled element, process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP, etc)
WSL (If WSL is in use then this opens a whole other kettle of fish, .bash_history, evidence of tool installation etc.)
Evidence of process artifacts in RAM
Command history in RAM

MacOSX
knowledgeC.db database (application usage data)
.bash_history (if tools used or executed from command line)
FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bash_history in RAM
Evidence of process artifacts in RAM

Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable “ZZZ” files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such telltale sign is recoverable files with random filenames and high entropy content consistent with being overwritten with pseudo random data; entropy analysis of recovered deleted files can highlight these. 

Evidence of research/download/installation
Proving the intent of a user can also be useful, whether or not evidence of the use of anti-forensic tools is actually identified. Evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview etc.) and evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.

Windows
Registry artifacts (installed applications, application specific entries etc)

OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents

Both
The disk… (Look for executables for anti-forensics tools on disk e.g. ‘Program Files’ Directories, ‘Applications’ directories, ‘Downloads’ directories) 
Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))
Proxy/ web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)

Wildcard
You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be “undetectable”. Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but the evidence of the existence of a now deleted VM, coupled with the note, made compelling reading in court.
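The entropy analysis Adam mentions for recovered files, and the “ZZZ” name pattern he attributes to CCleaner, worked through in Python. This is an added example, not Adam's or the blog's code; the magic-number list and the sample files are constructed for the demonstration, and the 7.9 bits-per-byte threshold is a choice, not a standard. The caveat it builds in: compressed or encrypted containers (zip-based Office documents, JPEGs, PDFs) are high-entropy by design, so a high score only becomes interesting when the bytes carry no recognisable container signature, or when the signature does not match what the name promises.

```python
"""Added example (not the blog's or Adam Harrison's code): entropy triage of
recovered deleted files, plus the 'ZZZ' name pattern the answer attributes to
CCleaner. All sample data below is constructed in this file."""
import math
import os
import re
from collections import Counter

# Formats that are legitimately high-entropy (compressed or already encrypted).
# A signature check keeps them out of the 'possibly wiped' bucket.
# Magic numbers only; this list is illustrative, not exhaustive.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Name pattern described in the winning answer for CCleaner's wiped files.
ZZZ_NAME = re.compile(r"^Z{3,}(\.Z+)?$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_signature(data: bytes):
    """Return a label for a known container magic at offset zero, else None."""
    for magic, label in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def triage_recovered_file(name: str, data: bytes, threshold: float = 7.9) -> dict:
    """Classify one recovered file. 'possibly_overwritten' means near-uniform
    bytes with no recognised compressed/encrypted container signature."""
    ent = shannon_entropy(data)
    sig = identify_signature(data)
    if ZZZ_NAME.match(os.path.basename(name)):
        verdict = "ccleaner_style_name"
    elif ent >= threshold and sig is None:
        verdict = "possibly_overwritten"
    elif ent >= threshold:
        verdict = f"high_entropy_{sig}"
    else:
        verdict = "normal"
    return {"name": name, "entropy": round(ent, 3), "signature": sig, "verdict": verdict}


def sample_recovered_files() -> dict:
    """Constructed inputs standing in for files carved from unallocated space."""
    return {
        # An .xlsx should start with 'PK'; uniform random bytes instead is the
        # footprint of a pseudo-random overwrite.
        "budget.xlsx": os.urandom(65536),
        "notes.txt": b"Quarterly notes: revenue up, costs flat.\n" * 200,
        # JPEG magic followed by random data, as real compressed image data looks.
        "photo.jpg": b"\xff\xd8\xff\xe0" + os.urandom(65536),
        "ZZZZZZZZ.ZZZ": b"\x00" * 4096,
    }


def triage_all(files: dict) -> list:
    return [triage_recovered_file(n, d) for n, d in files.items()]


if __name__ == "__main__":
    for r in triage_all(sample_recovered_files()):
        print(f"{r['name']:<14} entropy={r['entropy']:.3f} sig={r['signature']} -> {r['verdict']}")
```

Run it over carved or recovered files from an image's unallocated space; what you want to isolate are files whose names or extensions promise structured content but whose bytes are uniformly random from offset zero, which is what a pseudo-random overwrite leaves behind. A zero-fill overwrite scores 0.0 instead, so low entropy on a file that should have content is just as worth a look.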

---

Daily Blog #448: Defcon DFIR CTF update

Hello Reader,
      Another late post after a long day in Vegas. We launched the ctf today and already have a fight for the top 3 spots. As more people get the evidence I'm expecting it to get really interesting.

We initially planned to do a live stream today but spent most of the day finishing the last questions so I expect we will do the stream tomorrow instead.

For those who want to watch the scoreboard go to
https://defcon2018.ctfd.io/scoreboard

To follow along, the contest ends tomorrow night! There is a long time for everything to change by then.

As before once the event is over we will make the images public and everyone can play, just without prizes.

Friday, August 10, 2018

Daily Blog #447: Defcon 2018 Forensic CTF

Hello Reader,
Just a reminder that the ctf starts tomorrow afternoon. If you are in Vegas and have not signed up yet here is the link:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055?ref=estw

Prizes:
1st. DFIR Netwars Continuous for a year from SANS and a Lego minifig
2nd. Magnet prize loaded backpack, Lego minifig and license of Forensic Email Collector
3rd. Blackbag prize pack

It's not too late to sign up, get ready!

Thursday, August 9, 2018

Daily Blog #446: Sparse image blues

Hello Reader,
     A quick one before I fall asleep after a long day of CTF prep and Vegas fun. If you are using the F-Response imager to capture a full disk, be aware that it seems to default to a sparse image format and leaves out shadow copies.

However, imaging the same F-Response mounted image with another tool will capture the full disk.

Wednesday, August 8, 2018

Daily Blog #445: F-Response and the Cloud

Hello Reader,
           Today I'm sharing a lesson I learned from acquiring systems in the cloud from another cloud hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects.

I was quite confused; I checked the network and realized my RDP session was active the entire time and hadn't timed out. I restarted the F-Response service and kept a ping running, and when the F-Response agent timed out I noticed the ping never lost a packet.

So I reached out to the excellent support staff (aka Matt Shannon) at F-Response and explained my problem and they quickly reached out (after 5PM!) and offered a suggestion, check your clock skew.

This isn't something I had run into before and so I went and made sure my clocks were the same and now it's happily imaging away.

So hopefully this helps someone in the future: if your F-Response subject keeps timing out, check to make sure that the license server and the subject are set to the same time!

Sunday, August 5, 2018

Daily Blog #444: Sunday Funday 8/5/18

Hello Reader,
           Thank you for all of the responses in the blog comments, on Twitter and on LinkedIn to my question regarding Anti Forensics tools used in the wild. It was great to expand everyone's knowledge of what tools to look for and make a list of those I need to test to see what traces each of them leaves behind. With that in mind let's see how you handle this week's Anti Forensics themed challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/10/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 

Saturday, August 4, 2018

Daily Blog #443: Solution Saturday 8/4/18

Hello Reader,
           Another week where Adam Harrison has again dominated the entries. For those of you thinking about trying out next week's contest, don't be deterred. You too can be a winner with just some basic effort and some good documentation skills!

The Challenge:
Windows 10 keeps changing, and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a scheduled task to delete plug and play devices that hadn't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document which versions of Windows 10 have the task enabled and whether it survives being upgraded. 

The Winning Answer:
https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html?spref=tw

Great job Adam! Come back tomorrow for a new challenge!

Friday, August 3, 2018

Daily Blog #442: Anti Forensic Tools in the wild

Hello Reader,
       Today I have a question for you. In my work I've encountered tools that my suspects have used to clean or wipe their system. However I'm wondering what others are out there that I haven't seen yet. So here is my list


  • CCleaner
  • Evidence Eliminator
  • System Soap
  • PC Optimizer Pro
  • BCWipe
  • Eraser
  • Sdelete

What additional wipers or anti forensics tools have you come across? Let me know in the comments below or in a tweet/LinkedIn comment.

Thanks!

Thursday, August 2, 2018

Daily Blog #441: Changes in Windows 10

Hello Reader,
           One of the problems we are having recently in Windows 10 forensics is that what would previously have been identified with a major service pack version or a new version of Windows is now being shipped as a feature release. These releases are changing the behaviors we rely on in forensics, and we are going to have to start referring not just to Windows 10 but to the build of Windows 10. This isn't going to stop in the near future, as Microsoft says that they plan to just iterate Windows 10 for the foreseeable future.

If you look at some of Adam Harrison's recent blogs you'll notice he has multiple major versions of Windows 10 running within different VMs. I think this kind of setup will be necessary going forward, and we are going to have to do more regression testing of artifacts both old and new to understand the new normal.

I'll be following this up with what the major releases are so we can start building a common vernacular in describing Windows 10. For now just be aware that just because it's Windows 10 does not mean that any previous Windows 10 research still applies without testing. 

Wednesday, August 1, 2018

Daily Blog #440: Windows 10 Notifications Database

Hello Reader,
       I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Khatri's blog post about it here. I was reviewing a file list produced by an opposing party in a litigation we are working on and suddenly saw a directory full of notification images and got curious again.

Since Yogesh first blogged about it the location of the Notification data has changed and it is now located here:
\Users\<username>\AppData\Local\Microsoft\Windows\Notifications

Pictures pushed to the system and displayed in start menu tiles or notifications are stored here:
\Users\<username>\AppData\Local\Microsoft\Windows\Notifications\wpnidm

And the database is now a SQLite database named wpndatabase.db, which you can open up with any SQLite tool. I am using Navicat for SQLite because it's one of my favorites.

When I found the database I went looking to see which table contained the data I would think is interesting and found a table named Notification. Here is the schema:


There are a few fields here you should pay attention to. The first is the HandlerId, which tells you which program created the notification; you find the associated program name in the NotificationHandler table.


The second field is Payload, the actual content of the notification. Looking through it to see if there was anything interesting, I found all the notifications Outlook had popped up as new emails arrived. Here is an example:



Placeholder image
Caesars Total Rewards
Win big in August with the play by TR app! Download now!
<http://click.email.caesars-marketing.com/open.aspx?>
Download and log in to be rewarded.         View this email with images. <http://view.email.caesar...

Within the text tags you can see the contents of the new mail notification I received from Outlook.

 The last fields to look at are ExpiryTime and ArrivalTime, which record when the notification was received (ArrivalTime) and when it will be deleted from the database (ExpiryTime). Both are 64-bit Windows FILETIME values (100-nanosecond intervals since 1601-01-01 UTC) stored as decimal integers; if you convert one to hex you can decode it with the Windows FileTime big-endian option in DCode, or do the conversion arithmetically.
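A worked example of reading those fields, added here and not part of the original post: it builds an in-memory SQLite database with the shape of wpndatabase.db, joins Notification to NotificationHandler on HandlerId, pulls the text elements out of the toast XML payload and converts both FILETIME columns. The Outlook handler name, the toast XML and the timestamps are constructed for the demonstration, and the column and join-key names (Id, HandlerId, Payload, ArrivalTime, ExpiryTime, RecordId, PrimaryId) are assumptions to verify against your own copy of the database before pointing the query at it.

```python
"""Added example (my code, not the blog's): pull toast notifications from a
wpndatabase.db-shaped SQLite database, joining Notification to
NotificationHandler and decoding the FILETIME stamps. The sample database is
constructed in memory; column names are assumptions to check against a real copy."""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
    The database stores the 64-bit value as a decimal integer, so in code there
    is no hex or byte-order step; it is plain arithmetic."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def payload_text(payload) -> list:
    """Return the contents of the <text> elements of a toast XML payload, in
    order. Payload is a BLOB in the real database, so accept bytes or str; if
    the payload is not XML at all, hand it back untouched for manual review."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return [payload]
    return [(el.text or "").strip() for el in root.iter("text")]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for wpndatabase.db: one Outlook handler, one toast."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER,
            Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
    """)
    toast = (b'<toast><visual><binding template="ToastGeneric">'
             b'<image placement="appLogoOverride" src="wpnidm/1b2c3d4e.png"/>'
             b'<text>Caesars Total Rewards</text>'
             b'<text>Win big in August with the play by TR app! Download now!</text>'
             b'<text>Download and log in to be rewarded.</text>'
             b'</binding></visual></toast>')
    arrival = 131775552000000000                      # 2018-08-01 00:00:00 UTC
    expiry = arrival + 3 * 24 * 3600 * 10_000_000     # three days later
    conn.execute("INSERT INTO NotificationHandler VALUES (?, ?)",
                 (7, "Microsoft.Office.OUTLOOK.EXE.15"))   # constructed AUMID
    conn.execute("INSERT INTO Notification VALUES (?, ?, ?, ?, ?)",
                 (1, 7, toast, arrival, expiry))
    conn.commit()
    return conn


def extract_notifications(conn) -> list:
    """Join each notification to its handler and decode payload and times."""
    rows = conn.execute("""
        SELECT n.Id, h.PrimaryId, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification n
        LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId
        ORDER BY n.ArrivalTime""").fetchall()
    out = []
    for nid, handler, payload, arrival, expiry in rows:
        out.append({
            "id": nid,
            "handler": handler,
            "arrival": filetime_to_datetime(arrival).isoformat(),
            "expiry": filetime_to_datetime(expiry).isoformat(),
            "text": payload_text(payload),
        })
    return out


if __name__ == "__main__":
    for row in extract_notifications(build_sample_db()):
        print(row["arrival"], row["handler"], " | ".join(row["text"]))
```

Against a real database, replace build_sample_db() with sqlite3.connect() on a copy of wpndatabase.db; if a -wal file sits beside it, copy that too, since recently written rows may only exist in the write-ahead log until a checkpoint. Rows whose ExpiryTime has passed may already be gone from the live table, which is the point at which carving freed SQLite pages becomes the next step.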
 

So there you go: we can recover the sender, subject and first lines of an email from the notification database even if the email has otherwise been purged from the system. I am going to look further into this to see if there are any other notifications of interest.

Tuesday, July 31, 2018

Daily Blog #439: Jumplist maximum storage

Hello Reader,
          There is some interesting testing going on with shell item storage. The quirks of LNK file naming and storage by extension are surprising and need more testing before they are documented. Something that has been tested, though, is how many items a jumplist will store.

When Eric Zimmerman was first writing Jumplist Explorer we were discussing what the maximum number of entries stored in a single jumplist could be. So we wrote some quick automation and found that a single jumplist will store approximately 2,000 items before it purges the oldest item. I suspect the hard limit is 2048 (a power of 2), but in our testing it was when we reached 2,000 that older items began being deleted from the structure.

Now this does not mean the older entries are lost: the jumplist is a compound file, and the streams are just marked as deleted and available to be recovered until a new entry gets written over them. In fact Jumplist Explorer can recover deleted entries and mark them as such. Tomorrow I'll see if I can get screenshots of this happening and show the internal record numbers. 

Monday, July 30, 2018

Daily Blog #438: Validating the Windows 10 Copy Paste artifact

Hello Reader,
         If you don't read the port139 blog, you should! In the most recent post on the port139 blog, translated from Japanese to English, the author validated the Windows 10 copy paste artifacts I wrote about earlier this month. You can read about it here:

http://port139.hatenablog.com/entry/2018/07/29/211630

I really liked reading this as it allowed me to see how another examiner approached the artifact and provided another examiner validating the artifact.

So if you were looking for something to write about, pick an artifact and test it!

Sunday, July 29, 2018

Daily Blog #437: Sunday Funday 7/29/18

Hello Reader,
           Another week, another challenge. If you are reading this, don't feel your answer needs to be perfect to submit. You never know when everyone else got too busy to try. Give the challenge a try; even if you don't win $100 you still won new knowledge.



The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/3/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge:
Windows 10 keeps changing, and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a scheduled task to delete plug and play devices that hadn't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document which versions of Windows 10 have the task enabled and whether it survives being upgraded. 

Daily Blog #436: Solution Saturday 7/28/18

Hello Reader,
             Jet lag got me and I fell asleep before posting this earlier, but I'll take advantage of this random wake up time to post the winning answer. This week I thought I didn't have any submissions, but after a 16 hour plane ride I had missed the fact that I did have quite a complete answer from Adam Harrison. Luckily I did get some more last minute submissions after reaching out, but in the end Adam wins again.

The Challenge:
On a Windows 10 system, what are the different ways you could determine what timezones a user was in prior to whatever timezone is currently stored in the registry?


The Winning Answer from Adam Harrison:
Posted on his blog here.

Adam did submit a document as well but the blog post is more up to date.

Great job Adam! Look for another post in the daylight hours with this weeks challenge.


Friday, July 27, 2018

Daily Blog #435: Forensic Lunch 7/27/18

Hello Reader,
           Greetings from my flight from Abu Dhabi to Dallas, Texas. We had a Forensic Lunch today with just Matt and I talking about Bitlocker, the Defcon DFIR CTF and making future challenges and test images, with the possibility of live streaming us watching machines get compromised. Unfortunately I was doing this from a hotel, so the stream got disconnected midway through and it's in two parts.

Here is the first part:
https://www.youtube.com/watch?v=0uHUF7AXVHg

here is the second:
https://www.youtube.com/watch?v=x3Grhz5f6TU

Normally I would embed the videos but the inflight wifi is blocking Youtube and my VPN isn't working. In good news though in 14 more hours I'll be back in Texas and able to get back to a regular schedule.

Hope you enjoy!

Thursday, July 26, 2018

Daily Blog #434: Bitlocker Experiments Part 5

Hello Reader,
             As I was looking at the FVE metadata header and decoding the output I realized two things.

1. There is more here than I previously understood, I didn't appreciate the layering of keys that existed.

You can read more about how this works here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-key-management-faq. As a TL;DR, there are three layers of protection. The documentation goes from the disk up, but let's go the opposite way, the way a user interfaces with Bitlocker.

The protector you have picked (TPM, password, PIN, etc.) is used on successful authentication to decrypt something called the Volume Master Key, or VMK. As I go through the metadata header I can see the attributes marking the VMKs that exist.

The VMK, once decrypted, is in turn used to decrypt the Full Volume Encryption Key, or FVEK, which is what actually encrypts the data on your storage volume. So when the protectors are disabled the data itself is not decrypted; instead the VMK is left reachable without any secret (a clear key is written into the volume metadata and the VMK is wrapped under it), which exposes the FVEK and with it the raw data. This is how protection can be 'paused' or 'suspended' for a Windows update without decrypting the drive. Very clever, and it explained the huge difference within the blocks.

I was expecting to see one key change or a key exposed; instead the rest of the block that was changing was actually the contents being decrypted, allowing any system that has the ability to support this mode to access it.

This explains why some software packages that access Bitlocker volumes fail to do so without a password/PIN/recovery key: they were not programmed to check whether the decrypting keys were left decrypted by a previous command or action.

When I get back in my lab next week I am going to see how I can get Windows Update to trigger this removal of protections for me, as I think this will likely allow for the imaging of a drive that is technically encrypted but that anything understanding the format can decrypt. I am going to focus on the scenario of a system I don't have credentials for, as if I did I could just log in and have manage-bde provide me the recovery key I needed.

This also means that for those doing onsite acquisitions, if you don't want to rely on extracting the key from memory, you can have manage-bde give you the recovery key prior to imaging (from an elevated prompt, manage-bde -protectors -get C: lists the protectors on the C: volume, including the numerical recovery password) and be able to access the drive in your lab.
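To make the layering concrete, here is an added model in Python (my own illustration, not BitLocker's implementation and not the parser this post is working toward) of protector -> VMK -> FVEK -> data, of what suspending protection does to it, and of the two reader behaviors described above: one that looks for a clear key and one that does not. The cipher, the password stretching and the metadata layout are stand-ins chosen so the block runs on the standard library; the real ones are AES-based and are documented in libbde and dislocker.

```python
"""Added illustration (not BitLocker code, not the blog author's parser) of the
key hierarchy: protector -> VMK -> FVEK -> volume data, and what 'suspending'
protection does to it. Real BitLocker wraps keys with AES-CCM, encrypts data
with AES-XTS/CBC and lays FVE metadata out differently; here a keyed stream
cipher built from HMAC-SHA256 in counter mode, with an HMAC tag so a wrong key
is detected, stands in for AES."""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Toy PRF-in-counter-mode cipher (stand-in for AES). Same call decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(key, plaintext):
    """Encrypt-then-MAC; the dict plays the role of one FVE key entry."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(key, blob):
    """Verify the tag first so a wrong key fails loudly instead of yielding noise."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key: tag mismatch")
    return _keystream_xor(key, blob["nonce"], blob["ct"])


def _password_key(password, salt):
    # Stand-in for BitLocker's password stretching (which is not PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_volume(password, data):
    """Encrypt data under a fresh FVEK, wrap the FVEK under a fresh VMK, and
    wrap the VMK under a single password protector."""
    fvek, vmk, salt = os.urandom(32), os.urandom(32), os.urandom(16)
    return {
        "protectors": [{"type": "password", "salt": salt,
                        "vmk_blob": wrap(_password_key(password, salt), vmk)}],
        "fvek_blob": wrap(vmk, fvek),
        "data": wrap(fvek, data),
    }


def recover_vmk(volume, password=None):
    """A BitLocker-aware reader: try a clear-key protector first (no secret
    needed), then the password protector if a password was supplied."""
    for p in volume["protectors"]:
        if p["type"] == "clear_key":
            return unwrap(p["key"], p["vmk_blob"])
    if password is not None:
        for p in volume["protectors"]:
            if p["type"] == "password":
                return unwrap(_password_key(password, p["salt"]), p["vmk_blob"])
    raise PermissionError("no usable protector for the supplied credentials")


def naive_recover_vmk(volume, password=None):
    """The failure mode in the post: a reader that only knows password
    protectors and never looks for a clear key, so it always demands a secret."""
    if password is None:
        raise PermissionError("password required")
    for p in volume["protectors"]:
        if p["type"] == "password":
            return unwrap(_password_key(password, p["salt"]), p["vmk_blob"])
    raise PermissionError("no password protector")


def suspend_protection(volume, password):
    """Model of 'manage-bde -protectors -disable': the running system, which
    already holds the VMK, adds a clear-key protector whose wrapping key is
    written into the metadata itself. Data stays encrypted under the FVEK, but
    anything that parses the metadata can now reach the VMK with no secret."""
    vmk = recover_vmk(volume, password)
    clear_key = os.urandom(32)
    volume["protectors"].append({"type": "clear_key", "key": clear_key,
                                 "vmk_blob": wrap(clear_key, vmk)})


def resume_protection(volume):
    """Model of 'manage-bde -protectors -enable': drop the clear key again."""
    volume["protectors"] = [p for p in volume["protectors"] if p["type"] != "clear_key"]


def read_volume(volume, vmk):
    fvek = unwrap(vmk, volume["fvek_blob"])
    return unwrap(fvek, volume["data"])


if __name__ == "__main__":
    vol = create_volume("correct horse battery staple", b"NTFS volume bytes go here")
    suspend_protection(vol, "correct horse battery staple")
    print(read_volume(vol, recover_vmk(vol)))   # no credential needed while suspended
```

The acquisition consequence is in the last two functions: while suspended, read_volume succeeds through recover_vmk with no password, yet the data blob on disk is still ciphertext, which is exactly the state a tool using naive_recover_vmk misreports as "locked".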

2. I need to write what I'm doing manually into a Python script to really do this effectively. I could make an 010 template, but it would seem that a Python script to parse these fields would lead to better long-term results and testing.

This is likely going to start next week as well as tomorrow is a Forensic Lunch day and then I'll be reviewing the Sunday Funday submissions on the 16 hour flight home.

Thanks for reading this far and frankly for reading this at all. Forcing myself to research, test and document things every day is already making me feel more engaged again and clearing out old lingering questions I never made time to answer. I would hope others have already discovered most of this (Jesse Kornblum and Joachim Metz have documented these things in their work), but I find a lot of value in doing it yourself if you really want to understand what's possible.