Tuesday, September 18, 2018

Daily Blog #482: Teaching in Dubai!

Hello Reader,
             Are you in the Middle East and have a passion for DFIR? I'll be teaching SANS FOR500 Windows Forensics this November in Dubai! If you are interested you can learn more here:


For those of you in the United States, after my SANS world tour of 2018 I'm scheduled to teach back home twice so far in 2019. Once in January at the CTI Summit:


And lastly at Security West in May:

I hope to see you at one of these events!

Monday, September 17, 2018

Daily Blog #481: Event Logs for VHDs

Hello Reader,
               I was going back through default event logs when I ran across an event log for VHD actions that was described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx" that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten, but it was something I thought would be useful for the future, so I decided to document it here. Here is an example of a VHD being attached to my Windows 10 system.

Sunday, September 16, 2018

Daily Blog #480: Sunday Funday 9/16/18

Hello Reader,
          I'm going to change things around for this week's challenge; let's put things back to research and less about coding and see how you do.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
On Windows 7 test and document how you can get ObjectIDs to:
1. Populate
2. Change
3. Get preserved

Good luck!

Saturday, September 15, 2018

Daily Blog #479: Solution Saturday 9/15/18

Hello Reader,
       This week I didn't get any working entries for the challenge, meaning I'll just put up the code to do it on Monday. Otherwise make sure to try and submit next week; your hesitation might have cost you $100!

Friday, September 14, 2018

Daily Blog #478: Github repository for the Test Kitchen

Hello Reader,
        I went ahead and added a Github repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:


This script requires that you have installed:
Python 3.6 or newer

And you can follow this repository to get all future scripts I show on future episodes of the Test Kitchen:

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Thursday, September 13, 2018

Daily Blog #477: Forensic Lunch Test Kitchen 9/13/18 ObjectID Decoded and timestamps tested

Hello Reader,
        Our Forensic Lunch Test Kitchen series continues! Tonight we decoded the ObjectID values into their timestamp, sequence, version, variant and MAC address to try to understand more about what the values mean.

We found that:

  • As Maxim Suhanov (https://twitter.com/errno_fail) stated, the time values used to construct the ObjectID UUIDs are cached. This means that the decoded timestamp does not indicate when the ObjectID was created, and the timestamps will increment by milliseconds between ObjectID creations in the same boot
  • That the seed of the cached timestamp is the system boot time, so at every reboot the cached time that serves as the earliest possible ObjectID time will update to the boot time as recorded in the system event logs
  • That the sequence number does appear to increment overall but this needs further testing
  • That the $Volume ObjectID attribute is actually the VolumeID referenced by the ObjectID index
You can watch it here:

Daily Blog #476: Forensic Lunch Test Kitchen 9/12/18 ObjectID Default Behavior

Hello Reader,
         Another night, another test kitchen! Tonight I try to remove my observation bias from the past episodes by modifying the code in my Automating DFIR with Pytsk series to extract ObjectID attributes from files and directories in the MFT. To do this I wrote and troubleshot a script in Python 3, which I'm trying to force myself to convert to, that recurses through a live volume and prints out all the ObjectIDs that exist.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from the file creation
  • Some user directories have ObjectIDs
  • Some installed programs have MAC addresses from their original developers
  • Some Windows system32 executables have ObjectIDs and in Windows 7 have the original MAC addresses
Watch the video below to learn more:

Tuesday, September 11, 2018

Daily Blog #475: Forensic Lunch Test Kitchen 9/11/18 ObjectIDs

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface as described in Harry Parsonage's paper (http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf)
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set on one system does not update the ObjectID when the same file is opened on the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below:
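A decoder for the ObjectID fields covered in this post and in the Test Kitchen 9/13/18 post above (timestamp prefix, clock sequence, version, variant and MAC address suffix), added here as an example; it is not code from the original posts or from the Test Kitchen repository. It assumes the ObjectID is supplied as the 16 raw on-disk bytes in GUID byte order (the order fsutil displays), and the `encode_objectid` helper, `milliseconds_between` and the sample values are constructed for illustration rather than taken from a real volume.

```python
import datetime
import uuid

# UUID version 1 time stamps count 100 ns ticks since 1582-10-15 00:00:00 UTC
# (RFC 4122 section 4.1.4); that clock is what the ObjectID prefix carries.
GREGORIAN_EPOCH = datetime.datetime(1582, 10, 15, tzinfo=datetime.timezone.utc)

VARIANT_NAMES = {
    uuid.RESERVED_NCS: "NCS",
    uuid.RFC_4122: "RFC 4122",
    uuid.RESERVED_MICROSOFT: "Microsoft",
    uuid.RESERVED_FUTURE: "reserved",
}


def decode_objectid(raw: bytes) -> dict:
    """Split a 16-byte on-disk NTFS ObjectID into its UUID v1 fields.

    On disk (and in fsutil output) the first three fields are little-endian,
    which is the byte order uuid.UUID(bytes_le=...) expects.
    """
    if len(raw) != 16:
        raise ValueError("an ObjectID is exactly 16 bytes")
    u = uuid.UUID(bytes_le=raw)
    # The node is the trailing 6 bytes; render it like a MAC address.
    node = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    result = {
        "guid": str(u),
        "variant": VARIANT_NAMES[u.variant],
        "version": u.version,      # None unless the variant is RFC 4122
        "clock_seq": u.clock_seq,
        "node": node,
        "timestamp": None,
        "node_is_random": None,
    }
    if u.version == 1:
        # u.time is the 60-bit tick count; datetime only resolves microseconds.
        # Per the post, treat this as the cached, boot-seeded clock value, not
        # the moment the ObjectID was assigned.
        result["timestamp"] = GREGORIAN_EPOCH + datetime.timedelta(microseconds=u.time // 10)
        # RFC 4122 section 4.5: a node with the multicast bit set was generated
        # randomly, so it is not the address of a real interface.
        result["node_is_random"] = bool((u.node >> 40) & 0x01)
    return result


def encode_objectid(timestamp: datetime.datetime, clock_seq: int, mac: str) -> bytes:
    """Build on-disk ObjectID bytes from explicit fields (constructed test helper, not a Windows API)."""
    delta = timestamp - GREGORIAN_EPOCH  # timestamp must be timezone-aware
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    node = int(mac.replace(":", ""), 16)
    fields = (
        ticks & 0xFFFFFFFF,                      # time_low
        (ticks >> 32) & 0xFFFF,                  # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),    # time_hi_and_version, version 1
        ((clock_seq >> 8) & 0x3F) | 0x80,        # clock_seq_hi_and_reserved, RFC 4122 variant
        clock_seq & 0xFF,                        # clock_seq_low
        node,
    )
    return uuid.UUID(fields=fields).bytes_le


def milliseconds_between(raw_a: bytes, raw_b: bytes) -> float:
    """Spacing of two ObjectID clocks in ms, to check the 'increments by milliseconds within a boot' observation."""
    ticks_a = uuid.UUID(bytes_le=raw_a).time
    ticks_b = uuid.UUID(bytes_le=raw_b).time
    return (ticks_b - ticks_a) / 10_000  # 100 ns ticks to milliseconds


if __name__ == "__main__":
    # Constructed sample: a version 1 ObjectID with an invented node address.
    sample = encode_objectid(
        datetime.datetime(2018, 9, 13, 19, 30, 0, 250000, tzinfo=datetime.timezone.utc),
        0x0ABC, "00:11:22:33:44:55")
    for key, value in decode_objectid(sample).items():
        print(f"{key:15} {value}")
```

Two fields are worth reading with the posts' caveats in mind: the timestamp is the cached clock seeded at boot, so it is a lower bound on when the ObjectID was set rather than the exact moment, and `node_is_random` is the RFC 4122 check that explains the "invalid MAC addresses" seen on some system files in the 9/12/18 episode.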

Monday, September 10, 2018

Daily Blog #474: Application Experience Program Telemetry

Hello Reader,
         I had another examiner, who will go nameless unless they choose to be named, ask what program execution and persistence artifacts appear to be unique to Windows Server 2008 vs Windows 7. I thought about this for a while and it boiled down to differences in default event logging, with Windows Server typically having many more default events and logging sources on than the desktop OS.

As I was going through the event logs on one of my own Server 2008 R2 systems I noticed that my telemetry logs appeared to be much more thorough than the same version of my own desktop telemetry logs.

The logs in question are located in the evtx file Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx. Inside of this event log, which was touched on back in 2013 by Cylance (https://threatvector.cylance.com/en_us/home/Uncommon-Event-Log-Analysis-for-Incident-Response-and-Forensic-Investigations.html), is a series of EventID 500 entries that record each of the executables that required a compatibility fix. An example message follows:

Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.

I like this event log because:

  1. It only gets populated when application compatibility is invoked, which most cross-written malware does
  2. Because it doesn't get overwhelmed with events, my server event log goes back 3 years
  3. It is unlikely to be cleared, as attackers are focused on the security event log

I am going to do some testing and run some different attacker tools on Windows Server tomorrow night and see which leave entries in these event logs. 
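A parser for the EventID 500 message format quoted above, with a simple triage filter run over sample messages, added here as an example and not code from the original post. It assumes the message text has already been exported from the evtx (for instance to a text or CSV dump); the first sample reproduces the post's entry, and the remaining samples, the zero GUIDs and the `USER_WRITABLE_HINTS` path fragments are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message text of an EventID 500 entry from
# Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.
EVENT_500 = re.compile(
    r"Compatibility fix applied to (?P<path>.+?)\.\s*"
    r"Fix information: (?P<fix>[^,]+), (?P<guid>\{[0-9A-Fa-f-]{36}\}), (?P<flags>0x[0-9A-Fa-f]+)\.",
    re.DOTALL,
)

# Path fragments a normal user can write to. Shimmed executables that ran from
# here deserve a second look, but legitimate updaters (the post's MpSigStub.exe
# entry) land here too, so this is a triage filter, not a verdict.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\", "\\downloads\\")


@dataclass
class CompatEvent:
    path: str
    fix: str
    fix_guid: str
    flags: int


def parse_event_500(message: str) -> Optional[CompatEvent]:
    """Return the structured fields of one EventID 500 message, or None if it does not match."""
    m = EVENT_500.search(message)
    if not m:
        return None
    return CompatEvent(
        path=m.group("path"),
        fix=m.group("fix").strip(),
        fix_guid=m.group("guid").lower(),
        flags=int(m.group("flags"), 16),
    )


def from_user_writable_path(path: str) -> bool:
    """True when the executable path contains one of the user-writable hints."""
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def triage(messages: Iterable[str]) -> List[CompatEvent]:
    """Parse every message and keep the shimmed executables that ran from user-writable locations."""
    events = [e for e in (parse_event_500(m) for m in messages) if e is not None]
    return [e for e in events if from_user_writable_path(e.path)]


# Constructed sample messages. The first reproduces the entry quoted in the
# post; the others are invented for illustration (placeholder zero GUIDs).
SAMPLE_MESSAGES = [
    "Compatibility fix applied to C:\\Windows\\SERVIC~2\\NETWOR~1\\AppData\\Local\\Temp\\"
    "{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\\MpSigStub.exe.\n"
    "Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.",
    "Compatibility fix applied to C:\\Program Files\\ExampleVendor\\setup.exe.\n"
    "Fix information: RunAsInvoker, {00000000-0000-0000-0000-000000000000}, 0x40102.",
    "Compatibility fix applied to C:\\Users\\analyst\\Downloads\\invoice_viewer.exe.\n"
    "Fix information: RunAsInvoker, {00000000-0000-0000-0000-000000000000}, 0x40102.",
    "Some unrelated event text that should be ignored.",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_MESSAGES):
        print(f"{event.fix:15} {event.flags:#x}  {event.path}")
```

Because this log is small and long-lived, as the post notes, running the whole thing through `triage` is cheap; the useful follow-up is to compare the flagged paths against other execution artifacts for the same host rather than treating a user-writable path alone as malicious.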

Sunday, September 9, 2018

Daily Blog #473: Sunday Funday 9/9/18

Hello Reader,
           Another week passes and I'm full of ideas of things I want to test, program and try. After Phill Moore's program to recursively call fsutil to determine ObjectIDs I thought maybe a smaller scale challenge would help us all move forward in this path. So this week we are doing another Python programming challenge but with possibly a smaller scope.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
Write a program in Python to parse the $O ADS stream found at \$Extend\$ObjId:$O on any NTFS drive with Windows running.

Good luck!

Saturday, September 8, 2018

Daily Blog #472: Solution Saturday 9/8/18

Hello Reader,
      I didn't mean for there to be a week without a solution or a challenge, but Labor Day weekend was way too much fun to stop and blog. So here is a late submission by Phill Moore which answered the last challenge posted on listing ObjectIDs.

Now Phill took an interesting approach: he iterates through the file system running fsutil by calling out to the command line. You can find his solution here:

In the coming days, as I get my development environment ready for a broadcast, I plan to do a more direct parse using DFVFS. Let's see how it goes!

Thursday, September 6, 2018

Daily Blog #471: Gearing up for more dfvfs programming

Hello Reader,
        In my attempt to get a Windows VM up and running as a test development environment for doing some tutorials on 64 bit Python 3.6 and DFVFS, I ran into an interesting challenge that I thought I would document here to help you, and myself in the future when I forget I figured this out.

If you are installing a library like PYTSK that requires some Visual Studio runtime DLLs to be installed then you'll get an interesting error like

"python can't find installed module"

when attempting to import the module. I hit this when I was using the Windows Python 3.6 install from python.org. I attempted different versions of Python 3.6, only in the end to discover that the real issue was the missing DLL. So instead just install the ActiveState version of Python 3.6 and it will install the needed DLLs to get the libraries working.

Looking forward to documenting more as the week goes on!

Wednesday, September 5, 2018

Daily Blog #470: Unforeseen impact of our work

Hello Reader,
                Today I'm reflecting on something that hasn't happened to me in the 19 years I've been doing digital forensics. A defendant in a civil lawsuit committed suicide and I was the expert for the plaintiff. I've seen a lot of people whose choices have left them in different positions of distress, but this is the first time I've had one who went as far as to end their life because of it.

So take a second to remember that the data you are analyzing belongs to a person, and sometimes they have more problems than you know about.

Tuesday, September 4, 2018

Daily Blog #469: Book Highlight Learning Python for Forensics

Hello Reader,
            If you've read some of the older blog series you know that I'm a big proponent of getting new and old examiners programming. In my Automating DFIR series I focused on people who already knew Python and wanted to learn how to interact with forensic images in their scripting, but it didn't help those examiners who didn't have a good place to start with programming in the first place.

I've started reading Learning Python for Forensics and the Python Digital Forensics Cookbook to see what Preston Miller and Chapin Bryce had to say. So far I think they've done an excellent job getting new programmers up to speed with useful scripts that will help to automate their workflow.

You should go check it out here: