Daily Blog #191: Let's talk about MTP Part 1

Hello Reader,
         If you read last week's Saturday Reading you would have seen a series of very interesting articles by Nicole Ibrahim about MTP device entries in the Shellbags artifact. Many of you may be wondering, well, why do I care about MTP? Most of you may think MTP is still relegated to cheap MP3/video players and digital cameras. Times have changed, and in order to get a few things under control with storage space for applications and files the Android devs have moved away from Mass Storage drivers and to MTP, as stated below:

ICS supports USB Mass Storage (UMS). The Galaxy Nexus does not. This is the same scenario as Honeycomb, as for instance HC supports USB Mass Storage while Xoom does not.

If a given device has a removable SD card it will support USB Mass Storage. If it has only built-in storage (like Xoom and Galaxy Nexus) it will (usually) support only MTP and PTP.

It isn't physically possible to support UMS on devices that don't have a dedicated partition for storage (like a removable SD card, or a separate partition like Nexus S.) This is because UMS is a block-level protocol that gives the host PC direct access to the physical blocks on the storage, so that Android cannot have it mounted at the same time.
With the unified storage model we introduced in Honeycomb, we share your full 32GB (or 16GB or whatever) between app data and media data. That is, no more staring sadly at your 5GB free on Nexus S when your internal app data partition has filled up -- it's all one big happy volume.

However the cost is that Android can no longer ever yield up the storage for the host PC to molest directly over USB. Instead we use MTP. On Windows (which the majority of users use), it has built-in MTP support in Explorer that makes it look exactly like a disk. On Linux and Mac it's sadly not as easy, but I have confidence that we'll see some work to make this better.
On the whole it's a much better experience on the phone.
-- Dan Morrill http://www.reddit.com/r/Android/comments/mg14z/whoa_whoa_ics_doesnt_support_usb_mass_storage/c30q93p

You should start understanding MTP by reading Nicole's blog series starting here http://nicoleibrahim.com/part-2-usb-device-research-msc-vs-ptp-vs-mtp/ and then the Wikipedia entry on MTP and ending with AndroidCentral.com's write up on the move to MTP as the new default.

So MTP used to be interesting from a cheap storage device forensics view, and now it is interesting from a "hey, what did they do with that Android 3.0+ device that they plugged into this system" view. With Android controlling 84% of the market (at the last time I read an article about it) and more devices moving to 3.0 or greater, this is something you need to pay attention to and understand.

This week we will go through:
1. What artifacts do and don't exist for MTP devices that you can rely on
2. What accesses to MTP devices look like from shellbags and other sources
3. A placeholder for odd things we find along the way



Daily Blog #190: Sunday Funday 12/29/13 Winner!

Hello Reader,
           This week's Sunday Funday must have struck a chord out there, as I got many great submissions. Picking a winner when there are multiple great answers is hard, and I had to ask for a second opinion from the lab to come to an agreement; they were that good this week. With that said, this week's winner is an anonymous submission whose answer shows a depth of experience that I appreciated. They answered the question well and provided some great gotchas to make note of. If you are doing mobile forensics you should read this one and check out the links provided in it.

The Challenge:

You are faced with an Android device where full physical imaging isn't supported by your mobile forensics software provider. What steps would you take to accomplish the following:
1. Locate a safe rooting mechanism
2. Test the rooting mechanism
3. Image the device
4. Manually extract the sms database
5. Parse and export to xls the sms database

The Winning Answer:

Anonymous



Remove the SIM and SD Cards and exploit separately.  The SD Card may be encrypted but in my experience very few users enable this.
Place the handset into Airplane Mode and switch off WiFi and BlueTooth.

Attempt to image the device using an off the shelf tool such as the Cellebrite UFED or XRY.  We will usually attempt to exploit the device logically initially and then either take a physical image or a file system dump depending on what is supported and whether the device has full device encryption enabled.
If the device won't image using our standard tools we will then move on to other methods.  This may be JTAG if the device is supported by the RIFF box and we have permission from the customer to take the device apart or more likely will involve rooting the device.
The best source of information for all things android is the XDA Developers Forums www.xda-developers.com.  The forums can be searched for a specific device and then the various rooting options explored.
Rather than use the rooting exploit on the handset being investigated I would first attempt to root another handset of the same model.  We are lucky enough to have access to a good library of devices but if this was not the case I would attempt to purchase one, ideally of the same make, model and network as that being investigated.  I would then root the purchased handset in order to make sure the process does not unduly affect the data on the device.  Only once this has been proved would I use the rooting exploit on the target device.
Once the device is rooted I would ensure that USB Debugging and Stay Awake options are enabled in the developers area of the settings.  The developer area is not always immediately visible but can usually be made to appear by clicking around seven times on the Build Number in the About Phone section of the options.
Insert a large SD card into the device, boot it up and connect the handset to a machine with the Android SDK installed.  The Santoku VM, downloadable from santoku-linux.com, is a good choice.
The command adb devices will show one device connected if all is working correctly.
Type adb shell in order to gain a linux shell onto the rooted device.
Type the following commands in the shell:
su
mkdir /sdcard/forensics
cp /data/data/com.android.providers.telephony/databases/mmssms.* /sdcard/forensics (this will copy the files required for the SMS investigation.  Use * in order to copy the Write Ahead Log files as well as the main sqlite database).
mount (this will show a list of the devices mounted on the various directories of the file system.  We are usually interested in the /data directory).


dd if={BlockDevice} of=/sdcard/forensics/data.dd (where {BlockDevice} is the device identified above.  On my sample phone this was /dev/block/mmcblk0p26.)
Ctrl-C (this will exit back to the main PC shell.)

Then use the command adb pull /sdcard/forensics . to pull the image and extracted SMS database back to the investigators machine.  Or alternatively just pull the SD Card and connect it using a normal card reader to access the files.


In order to process the SMS databases I would use the epilog tool from CCL forensics as this is the only tool I know of which accurately recovers all the deleted data from SQLITE databases which use a Write Ahead Log.  It comes with a number of signature files and these include those for dealing with the android SMS database.  Epilog allows for exporting to Excel as well as various other formats.
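As an added example that is not part of the winning answer, the Python below covers steps 4 and 5 on constructed data: it builds a WAL-mode mmssms.db with one message that exists only in the -wal file, shows that a pull of mmssms.db alone loses that message while mmssms.* keeps it, and exports the parsed sms table in a form Excel opens. The sms columns and type codes are a subset of the real Android telephony schema; the rows, numbers and paths are made up.

```python
import csv
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone

# Message type codes of the Android telephony provider's sms table
# (the Telephony.Sms.MESSAGE_TYPE_* constants in AOSP).
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}

# Constructed sample rows: (thread_id, address, date in ms since the epoch, type, body).
CHECKPOINTED_ROWS = [
    (1, "+15550100", 1387843200000, 1, "meet at 3?"),
    (1, "+15550100", 1387843260000, 2, "ok, see you there"),
]
# Committed after the last checkpoint, so on the handset it lives only in mmssms.db-wal.
WAL_ONLY_ROW = (2, "+15550199", 1387929600000, 1, "did you get the files?")

INSERT = "INSERT INTO sms (thread_id, address, date, type, body) VALUES (?, ?, ?, ?, ?)"


def build_sample_pull(pull_dir):
    """Create a WAL-mode mmssms.db the way a live handset leaves it and copy both
    mmssms.db and mmssms.db-wal into pull_dir, standing in for 'adb pull'."""
    src = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    con = sqlite3.connect(src)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, "
                "address TEXT, date INTEGER, type INTEGER, body TEXT)")
    con.executemany(INSERT, CHECKPOINTED_ROWS)
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # flush those two rows into the main file
    con.execute(INSERT, WAL_ONLY_ROW)
    con.commit()                                      # this one stays in the WAL
    # Copy while the connection is still open: closing the last connection would
    # checkpoint and delete the WAL, which is not the state a seized phone is in.
    os.makedirs(pull_dir)
    db_copy = os.path.join(pull_dir, "mmssms.db")
    shutil.copyfile(src, db_copy)
    shutil.copyfile(src + "-wal", db_copy + "-wal")
    con.close()
    return db_copy


def read_sms(db_path):
    """Parse the sms table of a pulled mmssms.db into dicts with decoded type and UTC
    time. SQLite reads a -wal file sitting beside db_path and, on close, checkpoints
    it into the main file, so run this on a working copy and keep the pulled
    originals (and their hashes) untouched."""
    con = sqlite3.connect(db_path)
    con.row_factory = sqlite3.Row
    rows = []
    for r in con.execute("SELECT _id, thread_id, address, date, type, body "
                         "FROM sms ORDER BY date"):
        rows.append({
            "_id": r["_id"],
            "thread_id": r["thread_id"],
            "address": r["address"],
            "date_utc": datetime.fromtimestamp(r["date"] / 1000, tz=timezone.utc).isoformat(),
            "type": SMS_TYPES.get(r["type"], "unknown(%s)" % r["type"]),
            "body": r["body"],
        })
    con.close()
    return rows


def export_csv(rows, csv_path):
    """Write the parsed rows as CSV, which Excel opens directly (true .xlsx output
    needs a third-party library). Returns the number of rows written."""
    fields = ["_id", "thread_id", "address", "date_utc", "type", "body"]
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def demo(base_dir=None):
    """Parse the same pull twice: once with only mmssms.db copied (the mistake the
    answer warns about) and once with the -wal file beside it."""
    base_dir = base_dir or tempfile.mkdtemp()
    pulled = build_sample_pull(os.path.join(base_dir, "pull"))
    # Take the lone copy before anything opens the pair, since opening the pair
    # merges the WAL into mmssms.db.
    lone = os.path.join(base_dir, "mmssms_only.db")
    shutil.copyfile(pulled, lone)
    without_wal = read_sms(lone)
    with_wal = read_sms(pulled)
    export_csv(with_wal, os.path.join(base_dir, "sms.csv"))
    return {"without_wal": without_wal, "with_wal": with_wal}


if __name__ == "__main__":
    result = demo()
    print("rows without -wal: %d, with -wal: %d"
          % (len(result["without_wal"]), len(result["with_wal"])))
```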

Updated with Pictures!

Daily Blog #189: Sunday Funday 12/29/13

Hello Reader,
       This week I thought I would focus on something we have to deal with in the lab occasionally. I've mentioned our process in past Forensic Lunches, but I'm interested to see what you do to solve these issues. With new mobile phones coming out constantly and Android being the most common, I thought it would be worth your time to answer this Sunday's challenge.

The Prize:



The Rules:
  1. You must post your answer before Monday 12/30/13 2PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You are faced with an Android device where full physical imaging isn't supported by your mobile forensics software provider. What steps would you take to accomplish the following:
1. Locate a safe rooting mechanism
2. Test the rooting mechanism
3. Image the device
4. Manually extract the sms database
5. Parse and export to xls the sms database

Daily Blog #188: Saturday Reading 12/28/13

Hello Reader,
      It's Saturday! Time for links to make you think while your kids are still fascinated with their Christmas toys. Get some coffee, it's time for some reading!

1. We had an interesting experiment this Friday on the forensic lunch, http://www.youtube.com/watch?v=4kntixnk0lI. We did what I call an OpenChat where anyone could join the video chat room, I'll leave the judgement of success or failure to you.

2.  Yogesh Khatri has a new Windows 8 related blog up, http://www.swiftforensics.com/2013/12/device-lastremovaldate-lastarrivaldate.html. This time he's focusing on the conditions that set the fields relating to when a removable device was last plugged in and when it was last removed. I've seen some discussion regarding this new artifact before but not the conditional table that Yogesh has made.

3. Lee Whitfield has posted the solution to the forensic challenge in the last issue of 4:Mag, http://forensic4cast.com/2013/12/4mag-challenge-solution/. Forensic challenges are fun and help you to improve your skills! I would recommend trying it on your own and seeing if you can solve it.

4. Nicole Ibrahim, whom you may have seen on a past Forensic Lunch, has written up more of her research into different USB attached devices and protocols: http://nicoleibrahim.com/part-4-usb-device-research-usb-first-insert-results/. It's very thorough and worth a serious read and consideration.

Daily Blog #187: Forensic Lunch 12/27/13

Hello Reader,
     Today's Forensic Lunch was a bit of a holiday experiment. I opened up the video chat room link to anyone who wanted to join, to see what kind of conversation we would have. In the end we had an interesting chat, but I was hoping more of you would take me up on my offer.

Did you like this idea? Would you want to do this again? Let me know in the comments.


Daily Blog #186: ANJP v3 Beta Release Announcement

Hello Reader,
         I'm happy to announce a pretty big milestone for us in the G-C labs: ANJP v3 Beta! If you've been watching the Forensic Lunch you know about the new features and capabilities we've been adding as we work our way to a commercial tool release to go alongside our free parser. We think that this beta release is a pretty significant step forward towards that goal.

What's new in V3?
  • We've ported the GUI from win32 to WX which means once we figure out the details we'll have GUI compiled versions of ANJP for Mac and Linux alongside windows.
  • Rather than just dump out text files, which it still can do, you can now export directly to Excel xlsx files
  • The GUI has been extended beyond just "select files and process" to include a report viewing option that will allow you to:
    • View, search and export the MFT
    • View, search and export the USNJrnl
    • View, search and export the $logfile
    • View transactional based events such as file creation, deletion and renames 
    • View change based events such as timestamp changes, what was burned to CD and more
  • We've developed an XML-based rules engine that we've populated with some sample rules. The rules engine is still under development to expose all the underlying options within the MFT/USN/$LogFile, but it's very functional right now.
  • You can now specify your own rules or IOCs and the parser will show you what matches.
  • Adding rules will not require you to reparse the data!
  • Full Unicode Support
  • Fixes for weird one off journals we've been sent (Thanks for those who've done so!)

What's left to do?
  • Finish the development of the rules engine for MFT and USN operations
  • Fully document the rules creation process and parameters
  • Full image access with a Perl port of libtsk
 If you want to sign up for this beta go here:
https://docs.google.com/forms/d/1GzOMe-QHtB12ZnI4ZTjLA06DJP6ZScXngO42ZDGIpR0/viewform

 If you want to start testing our perl-tsk port go here:
https://github.com/wsdookadr/Tsk-XS

Our plan is to take the module once completed to CPAN so the DFIR perl developers of the world can come back into equal footing with our python brethren.

Also, tomorrow we are having an open Forensic Lunch where anyone can join the video chat room and talk about 2013 and the year to come in DFIR. I hope you'll join me:
https://plus.google.com/u/0/b/105962155502598586194/events/cf6g55kk25m08pm8afb7ct1mb9k

Daily Blog #185: Merry Christmas

Hello Reader,
            Merry Christmas to those of you who celebrate it. As I did with Thanksgiving, I smoked a meal for my family and I thought I would share it with you as well. Tomorrow we'll get back to forensics.

HECFBlog Smoked Prime Rib

Step 1. The night before you plan to cook, get a 'standing rib roast', which is the butcher's term for a prime rib roast.
Step 2. Mix some spice (salt/pepper or Montreal steak seasoning, whatever you prefer) with Worcestershire sauce.
Step 3. Put olive oil on the roast to help the spice mix you plan to use stick.
Step 4. Rub the mixture all over the roast, cover it and place it in the fridge overnight, as seen below:

Step 5. Get your smoker fired up and get the temperature to 225; I use a Weber Smokey Mountain.
Step 6. Get the prime rib onto the smoker and plan on about 3-4 hours of cooking time, until the interior of the middle of the roast reaches 135.
Step 7. Take the prime rib off the smoker and onto a direct-heat grill, or if you are using a grill converted into a smoker, place the roast over the direct heat. You are looking to sear the meat, and this should take just a couple of minutes per side.
Step 8. Remove from the heat and enjoy!

There you go, and let's get back into the normal flow of things tomorrow.

Friday we are going to have a special holiday Forensic Lunch where anyone can join the video chat as long as slots are open!

Daily Blog #184: Artifacts from alternative file system drivers on NTFS Part 5

Hello Reader,
       In this series we've explored the POSIX namespace, how the ntfs-3g driver uses it, which default system files use it and the Win32 API's interaction with it. Today let's focus on what additional artifacts exist solely within the MFT that, in combination with the POSIX namespace, let us identify with certainty that a non-native NTFS driver wrote to the disk.

To build a unique signature that reflects the actions ntfs-3g takes when writing to an NTFS volume we need to examine three fields within an MFT file record. If you want to see this in a more interactive fashion, watch last week's Forensic Lunch where we walked through it.

1. Namespace
The namespace is one of four values and determines the encoding of the filename stored there. As discussed previously, a file written by ntfs-3g will be in the POSIX namespace (filename namespace 0). On its own, though, this does not identify an ntfs-3g-written file, as we've seen in this series.

2. LSN
The LSN, or $LogFile Sequence Number, references the most recent change to this record stored within the $LogFile. A native Windows system writing to NTFS has full support for the $LogFile and will populate this field to reflect the record entry made. The ntfs-3g driver only updates the restart area and does not populate the $LogFile; because of this the LSN value will be 0 for all ntfs-3g-written files. If you are looking at a pre-Vista system, then the LSN and namespace are the only two correlation points you have to identify ntfs-3g-written files.

3. USN
The USN, or Update Sequence Number, references the entries written into $UsnJrnl:$J. We've talked about the USN many times on this blog and hopefully you are familiar with its basic functionality by now. In our testing we expected this value to be set to 0, just like the LSN, but instead a 64-bit value is assigned. We are still examining the source to determine how the number is generated, but the values do seem to increase and can be duplicated. The USN values used are outside the range of any valid USN journal that we've seen. The USN is also the offset into the USN journal where that last change was recorded.

So there we go.
If you are looking at a Windows 2000/XP/2003 system, then the namespace and LSN are your points of analysis to determine if a file was written using the ntfs-3g driver.

If you are looking at a Windows Vista/7/2008 system, then the namespace, LSN and USN fields together will determine if a file was written using the ntfs-3g driver.

We haven't tested Windows 8 yet, but we will, and we'll write a post once we have done so and worked out what the value used in the USN field means.
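As an added example (my own code, not ANJP's or mft2csv's), the Python below reads the three fields above out of a raw 1024-byte MFT FILE record, applying the update sequence fixups first, and scores the record with the Windows 2000/XP/2003 and Vista/7/2008 rules. The records it checks are constructed test data, and the $UsnJrnl range it takes is an assumed value that you would read from the real journal.

```python
import struct

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}
RECORD_SIZE, SECTOR = 1024, 512
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF


def apply_fixups(rec):
    """Undo the update sequence array: NTFS overwrites the last two bytes of every
    sector with the sequence value and keeps the real bytes in the array."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    seq = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != seq:
            raise ValueError("fixup mismatch at sector %d" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    """Extract the three correlation fields from one 1024-byte FILE record: the
    $LogFile LSN from the record header, the USN from $STANDARD_INFORMATION and the
    namespace byte of every $FILE_NAME attribute."""
    rec = apply_fixups(rec)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    info = {"lsn": struct.unpack_from("<Q", rec, 8)[0], "usn": None, "names": []}
    off = struct.unpack_from("<H", rec, 0x14)[0]
    used = struct.unpack_from("<I", rec, 0x18)[0]
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                          # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION and clen >= 72:
                info["usn"] = struct.unpack_from("<Q", body, 64)[0]  # 72-byte body, USN at +64
            elif atype == FILE_NAME:
                nlen, ns = body[64], body[65]
                name = body[66:66 + 2 * nlen].decode("utf-16-le")
                info["names"].append((name, NAMESPACES.get(ns, "unknown")))
        off += alen
    return info


def ntfs3g_indicators(info, os_family, journal_usn_range=None):
    """Score a parsed record against the post's rules. os_family is "xp" (2000/XP/2003:
    namespace + LSN) or "vista+" (namespace + LSN + USN). journal_usn_range is the
    assumed (lowest, highest) USN actually present in $UsnJrnl:$J, used to spot USN
    values outside the journal. Returns (matched indicators, all points matched)."""
    hits = []
    if any(ns == "POSIX" for _, ns in info["names"]):
        hits.append("POSIX namespace")
    if info["lsn"] == 0:
        hits.append("LSN is 0")
    expected = 2
    if os_family != "xp" and journal_usn_range is not None:
        expected = 3
        lo, hi = journal_usn_range
        if info["usn"] is not None and not lo <= info["usn"] <= hi:
            hits.append("USN outside $UsnJrnl range")
    return hits, len(hits) == expected


def _resident_attr(atype, body):
    """Wrap body in a resident attribute header, padded to an 8-byte boundary."""
    total = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + b"\0" * (total - 0x18 - len(body))


def build_record(lsn, usn, namespace, name, record_no=100):
    """Constructed test data: a FILE record carrying the given LSN, USN and a single
    $FILE_NAME in `namespace`, timestamps zeroed, with fixups applied as on disk."""
    si = b"\0" * 64 + struct.pack("<Q", usn)
    fn = b"\0" * 64 + bytes([len(name), namespace]) + name.encode("utf-16-le")
    attrs = _resident_attr(STANDARD_INFORMATION, si) + _resident_attr(FILE_NAME, fn)
    attrs += struct.pack("<I", END_MARKER) + b"\0" * 4
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, lsn, 1, 1,
                                first_attr, 1, first_attr + len(attrs), RECORD_SIZE, 0, 3,
                                0, record_no))
    rec += b"\0" * (first_attr - len(rec)) + attrs
    rec += b"\0" * (RECORD_SIZE - len(rec))
    seq = b"\x34\x12"                                  # this record's update sequence value
    rec[usa_off:usa_off + 2] = seq
    for i in range(1, usa_count):                      # stash real sector-end bytes, write seq
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = seq
    return bytes(rec)
```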

Daily Blog #183: Sunday Funday 12/22/13 Winner!

Hello Reader,
      This week an anonymous submitter has won the day, and a 4TB external hard drive. It's important to keep track of what changes, especially when it comes to OSes that we may not be dealing with daily yet. This week's answer does a good job of showing some of what's changed, but there is more that you should be aware of. Your greatest challenge in dealing with Windows 8 is just getting all your regular tools to run! With all this said, here is this week's winning answer!

The Challenge:
1. Explain the artifacts for execution you can find on windows xp and windows 8
2. For those artifacts that are in the same location for both, explain what differences exist


The Winning Answer:

Program Execution: following are some of the well-known artifacts one may find on Windows XP/7/8 systems along with relevant distinctions across the Windows versions:

Application Compatibility Cache: used to determine issues relating to application compatibility with executables; can use to track executables by file name, size, last modified time and last update time (only in WinXP)
WinXP --> SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\
Win7/8 --> SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\

Jump Lists: unique to versions of Windows 7 and greater, allows users to quickly access frequent/recent selections; can determine first/last time of execution of an application
Win7/8 --> C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Prefetch: Used by Microsoft Windows for preloading code pages of often-used applications; can use to tell if an application has been executed on a system (uses a calculated hash of the directory from where the application was run); may not necessarily be enabled on all systems as there are discrepancies across Windows versions.
WinXP/Vista/7/8 --> C:\Windows\Prefetch

Last Visited MRU: Logs specific executable called by an application for opening files documented in the OpenSaveMRU key; also tracks directory location for the last file accessed by an application.
WinXP --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7/8 --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU

RunMRU Start (Run): logs usage of Start -> Run sequence for loading executables
WinXP/7/8 --> NTUSER.dat\Software\Microsoft\Windows\Current Version\Explorer\RunMRU

UserAssist: Tracks GUI-based applications that are launched from the user's desktop in the launcher on Windows systems
WinXP/7/8 --> NTUSER.dat\Software\Microsoft\Windows\Current Version\Explorer\UserAssist\{GUID}\Count
Where GUID can be one of the following:
XP --> 75048700 (Active Desktop)
Win7/8
        --> CEBFF5CD (.EXE file execution)
        --> F4E57C4B (Shortcut file execution)
        --> 6D809377 (ProgramFilesX64)
        --> 7C5A40EF (ProgramFilesX86)
        --> 1AC14E77 (System)
        --> D65231B0 (SystemX86)
        --> B4BFCC3A (Desktop)
        --> FDD39AD0 (Documents)
        --> 374DE290 (Downloads)
        --> 0762D272 (User Profiles)

In addition, one can review Windows Event logs for service related information.
Services Events: log of services that were started/stopped; can also identify services that start on boot (ultimately determine file/executable associated with service); requires reviewing event logs; following are relevant event IDs:
7034 --> service crashed unexpectedly
7035 --> Service sent a Start/Stop command
7036 --> Service started/stopped
7040 --> Start type changed

Daily Blog #182: Sunday Funday 12/22/13

Hello Reader,
        Continuing my attempt to make the Forensic Lunch more relevant for those of you who are hoping to get a leg up on Sunday Fundays, I am going to theme this week's challenge on Windows 8 again. You can watch this week's episode here: http://www.youtube.com/watch?v=PZBjams_abg

The Prize:

  • A 4TB External Seagate Goflex drive

The Rules:
  1. You must post your answer before Monday 12/23/13 5PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
This week on the forensic lunch you heard Rob Lee talk about the challenges of using the same tools and techniques between Windows XP and Windows 8. For this challenge:

1. Explain the artifacts for execution you can find on windows xp and windows 8
2. For those artifacts that are in the same location for both, explain what differences exist

Daily Blog #181: Saturday Reading 12/21/13

Hello Reader,
        It's Saturday! I'm going to be spending the day using my smoker and reading Windows Internals Part 1 while my kids play. For you, though, I have more links to make you think as we get into this week's Saturday Reading.

1. Forensic Lunch is always #1 on my list! This week we had Rob Lee, @robtlee http://computer-forensics.sans.org/, talking about the new SANS FOR 408 class and the interesting journey into Windows 8 forensics. This included some really interesting discussions of artifacts being created across synced devices! Mari DeGrazia, @maridegrazia http://az4n6.blogspot.com/, talked about her research into Google Analytics cookies. This included a demo of her tool and its output. It allows you to recover so much more information if you're trying to discover not only whether a website was visited but at what times and to what extent. Lastly, Matthew and I talked about detecting files being created by alternative NTFS drivers, such as ntfs-3g, using artifacts within the $MFT only!

Watch it here: http://www.youtube.com/watch?v=PZBjams_abg

2. Kevin Stokes from my lab put up a series of two articles on Dropbox analysis using the journals. Part 1 is here http://metadatum.me/2013/12/15/dropbox-ntfs-journal-artifacts/ and Part 2 is here http://metadatum.me/2013/12/18/dropbox-ntfs-journal-artifacts-part-2/. This is an interesting low-level look at how Dropbox interacts with the file system when creating, uploading and deleting files.

3. Harlan has two blogs up this week. The first is a pretty large update post that covers topics from windows 8 artifacts to shellbags to shell items research updates and links. You should read it here http://windowsir.blogspot.com/2013/12/updates.html. The second post http://windowsir.blogspot.com/2013/12/shellbags.html goes into why testing and understanding our artifacts is so important.

4. Yogesh Khatri has an update to his Amcache research, http://www.swiftforensics.com/2013/12/amcachehve-part-2.html. If you are going to be looking at a Windows 8 system in the near future you need to read this.

5. Frank McClain has a fun two-parter up on his blog about a piece of malware he tracked down and examined. Part 1 goes into the initial detection here http://forensicaliente.blogspot.com/2013/12/whats-hash-got-to-do-with-it.html and Part 2 goes into his analysis of what it was doing http://forensicaliente.blogspot.com/2013/12/whats-hash-got-to-do-with-it-part-2.html.

6. Andrew DiMino's blog, Semper Securus, has a nice walkthrough showing his analysis of an attack on his honeypot and what the attacker set up. It's a nice read walking through a Linux compromise, which you don't see much of. Also it involves Perl, so I had to link it: http://sempersecurus.blogspot.com/2013/12/a-forensic-overview-of-linux-perlbot.html

7. On the sysforensics blog there is a nice write-up on creating an 'NSRL server' http://sysforensics.org/2013/12/build-your-own-nsrl-server.html. NSRL stands for National Software Reference Library and is an invaluable resource for eliminating files by hash when they are known to be part of the operating system or an application install set. The more non-user-generated data you can eliminate, the better you can focus on what's important. More importantly, you can now download the NSRL hash sets instead of waiting for DVDs in the mail!

8. Over on the Handler Diaries there is a neat post walking through how to extract a process from memory and analyze it with Volatility to understand what it's up to: http://blog.handlerdiaries.com/?p=205. The point of the post is to help you understand a program's capabilities, execution and output so you can determine what to do next.

That's all for this week, make sure to come back tomorrow for Sunday Funday!

Daily Blog #180: Forensic Lunch 12/20/13

Hello Reader,
        It's Friday and that means we had another Forensic Lunch! This week we had:
Rob Lee, @robtlee http://computer-forensics.sans.org/, talking about the new SANS FOR 408 class and the interesting journey into Windows 8 forensics. This included some really interesting discussions of artifacts being created across synced devices!
Mari DeGrazia, @maridegrazia http://az4n6.blogspot.com/, talking about her research into Google Analytics cookies. This included a demo of her tool and its output. It allows you to recover so much more information if you're trying to discover not only whether a website was visited but at what times and to what extent.
Matthew and I talked about detecting files being created from alternative NTFS drivers, such as ntfs-3g, using artifacts within the $MFT only!

Try to make time to tune in live every Friday at Noon CST so you can ask your questions!


Daily Blog #179: Artifacts from alternative file system drivers on NTFS Part 3

Hello Reader,
          In the two prior posts in this series we've examined the characteristics of a POSIX file name made by the Linux ntfs-3g driver and the POSIX file names we should expect to see in a normal Windows system. Today we are going to focus on the Win32 APIs that allow file creation, to see which would allow a POSIX file name to be created in the first place.

There are three main functions exposed by the Win32 API for file creation:

1. CreateFile. This is the main function for opening and creating a file on disk or for accessing a device such as COM1 or a physical drive. CreateFile supports POSIX naming conventions when the FILE_FLAG_POSIX_SEMANTICS flag is passed in the optional dwFlagsAndAttributes parameter at creation time. What is interesting is that setting this flag does not actually create a POSIX-namespace file name attribute.

2. The second function appears to be related to Windows Store based Windows 8 apps that operate within sandboxed environments. There is no stated POSIX support, which is interesting. This means I need to test to see which Win8 default files are POSIX.

3. CreateFileTransacted supports the same options as CreateFile, including POSIX semantics, but creates a transactional NTFS stream that the file resides in until the transaction is committed. We are doing research into Transactional NTFS and plan to write more about this later. It is interesting to note that its documentation begins with a warning about the possible deprecation of this functionality in the future.
 
So in my current testing I cannot find a Win32 API that creates a POSIX filespace filename attribute. Here is my Perl code for calling into the Win32 API and CreateFile:
 
#!/usr/bin/perl -w
use strict;
use Win32API::File qw( :ALL );

# Create a new file on H: with FILE_FLAG_POSIX_SEMANTICS set, then check the
# namespace of its $FILE_NAME attribute in the MFT afterwards.
my $hDisk = Win32API::File::CreateFile( "//./H:/\$PosixTesTingAgain", GENERIC_ALL(),
      FILE_SHARE_READ()|FILE_SHARE_WRITE(), [], CREATE_NEW(), FILE_FLAG_POSIX_SEMANTICS(), [] )
      or die "CreateFile failed: " . fileLastError();
CloseHandle( $hDisk );
      
I've tried this with a couple of variations on file name conventions to force a POSIX-only compatible name, but then it just fails. I'm not done yet, though, and will continue trying to find a function that will allow this namespace to be attributed within Windows.
 
Why? It's important to understand what's possible so we can determine if a user program could ever create a POSIX file name. If it can't, that is a great evidence point in supporting whether a file was created by the Linux ntfs-3g driver or by Windows.

Daily Blog #178: Artifacts from alternative file system drivers on NTFS Part 2

Hello Reader,
           Yesterday we went through the Linux ntfs-3g driver's interaction with the MFT in NTFS. If you haven't read that you should, as it explains why POSIX filespaces are the focus of today's post. Today I am going to compare the MFT of my system and of a test system to see how many POSIX file names are created by default, so we can determine a set of rules to ascertain when a file was created by the Linux ntfs-3g driver.

I parsed my MFT using mft2csv, as we just added filespace name support to v3 of ANJP, which we are polishing up for this month's beta release. I like mft2csv and think it's an easy tool to use when you just care about high-detail MFT parsing. My system drive has 628,480 MFT records; it's been in active use for over a year with the current install. Of those 628,480 have POSIX filespace records. So having a POSIX namespace in your filename alone does not indicate that the ntfs-3g driver was used in creating a file. What's interesting here is that these POSIX filenames break down into some basic categories:

1. System files/directories like \boot and it's directories, $Recycle.bin and $Extend
2. Applications from OEMs like cygwin and hp
3. Shared libraries from visual studio, microsoft common libs and other programs
4. FTK Job work queues
5. The entire QT SDK
6. Windows directories and files
7. The user profile directories for default and public

Why is that interesting? Not a single file that I, or a program at my direction, made in the last year has a POSIX filespace name stored under my profile. I want to test this on a non-OEM Windows install to see if the same number of POSIX filespace file names are created when you install from MS media directly.

So taking the logic one step forward, based on my limited sample set so far, there should not be a user-created file originally made by the native NTFS driver using standard Win32 system calls that results in a POSIX filespace file name. I am going to take this a step further tomorrow by finding which Win32 calls can create POSIX filespace named files and testing this same theory against my virtual machines.

Daily Blog #177: Artifacts from alternative file system drivers on NTFS Part 1

Hello Reader,
        Often when I talk to security professionals a kind of game arises where they try to come up with a scenario in which they can perform an action on a system that we cannot detect in our analysis. Often these question sessions lead to the idea that the hypothetical attacker will simply mount his NTFS drive in Linux and perform his bad actions there to get around Windows logging and artifacts. I've talked before about the Linux driver's lack of support for the $LogFile and $UsnJrnl leading to a lack of artifacts that can be correlated, but we can now actually go one further.

The inherent limitation when basing the detection of a past event on the journals ($logfile and $USNJrnl) is that they have a finite lifetime before being overwritten. While the shadow copies will retain them for a period of time, they will eventually expire and be overwritten as well. This finite lifespan and further research into MFT internals (and a very nice tweet from Willi Ballenthin) led me to an interesting documentation page from the ntfs-3g project: http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/concepts/filename_namespace.html that lists all the available NTFS namespaces for FILENAME attributes.

This then led to the mount.ntfs-3g man page, http://linux.die.net/man/8/mount.ntfs-3g, which has the following statement:
"Windows Filename Compatibility
NTFS supports several filename namespaces: DOS, Win32 and POSIX. While the ntfs-3g driver handles all of them, it always creates new files in the POSIX namespace for maximum portability and interoperability reasons. This means that filenames are case sensitive and all characters are allowed except '/' and '\0'. This is perfectly legal on Windows, though some application may get confused. The option windows_names may be used to apply Windows restrictions to new file names."
So I grabbed the CFReDS project deletion file testing image 11, which you can download here http://www.cfreds.nist.gov/dfr-images/dfr-11-ntfs.dd.bz2, and ran it through mft2csv, which I know actually identifies which namespace a filename is set to. From prior testing with the $logfile and confirmation from NIST I knew that the files in this test were created in Linux and then deleted in Windows. This is what mft2csv sees from those files:


Tomorrow we'll talk about what other default files are created as POSIX by Windows, to prevent false positives, and end this series Thursday talking about how a user-created file could be POSIX.
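Both this post and the MFT categorisation above rest on reading the namespace byte of each $FILE_NAME attribute, which is what mft2csv reports. The Python below is an added example, not mft2csv's or the blog's own code: it applies the record fixups, walks the attributes, reports each name's namespace, and flags records carrying only POSIX names, the pattern the ntfs-3g driver leaves. The record it parses is constructed in-line by build_record for testing; the offsets follow the standard NTFS FILE record and $FILE_NAME layouts.

```python
import struct

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}  # byte 0x41 of $FILE_NAME

def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence array so the record body can be parsed."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):                    # one entry per 512-byte sector
        if buf[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch: torn or non-MFT record")
        buf[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def file_names(rec: bytes):
    """Return [(name, namespace)] for every resident $FILE_NAME (type 0x30)."""
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    rec, out = apply_fixups(rec), []
    off = struct.unpack_from("<H", rec, 0x14)[0]   # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:        # end-of-attributes marker
            break
        if atype == 0x30 and rec[off + 8] == 0:     # $FILE_NAME, resident
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nlen, ns = rec[c + 0x40], rec[c + 0x41]
            name = rec[c + 0x42:c + 0x42 + 2 * nlen].decode("utf-16-le")
            out.append((name, NAMESPACES.get(ns, f"unknown({ns})")))
        off += alen
    return out

def posix_only(rec: bytes) -> bool:
    """True when every name on the record is POSIX: what ntfs-3g leaves behind."""
    names = file_names(rec)
    return bool(names) and all(ns == "POSIX" for _, ns in names)

def build_record(names) -> bytes:
    """Constructed 1024-byte MFT record for testing (not from a real disk)."""
    attrs = b""
    for name, ns in names:
        body = bytes(0x40) + bytes([len(name), ns]) + name.encode("utf-16-le")
        body += bytes(-len(body) % 8)               # attributes are 8-byte aligned
        attrs += struct.pack("<IIBBHHHIHBB", 0x30, 0x18 + len(body), 0, 0, 0,
                             0, 0, len(body), 0x18, 1, 0) + body
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<HH12xH", rec, 4, 0x30, 3, 0x38)   # USA at 0x30, attrs at 0x38
    rec[0x30:0x36] = b"\x01\x00\xaa\xaa\xbb\xbb"        # USN 1 + saved sector tails
    rec[0x38:0x3C + len(attrs)] = attrs + b"\xff\xff\xff\xff"
    rec[510:512] = rec[1022:1024] = b"\x01\x00"          # tails replaced by the USN
    return bytes(rec)
```

A Windows-created file normally carries a Win32 name (plus a DOS short name), while a file written through ntfs-3g carries a single POSIX name, which is the distinction posix_only tests.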

Daily Blog #176: Sunday Funday 12/15/13 Winner!

Hello Reader,
               The challenge has once again been defeated! This week I had a tough time picking a winner as we had several good submissions. In order to pick a winner I went back to the rules and judged based on which answer was the most complete in its scope, but not necessarily in the depth. I had several longer submissions that went into great detail on how they found one method for these LNKs to websites being created, but only one submitter provided four examples. Congratulations go out to Ryan Tracey, you can congratulate him yourself if you go to the SANS DFIR Summit like he is now!

The Challenge:
You are analyzing a Windows 8.1 system and run across a lnk file in the suspect's recent directory. The lnk file points to a website but the suspect has denied accessing it. Analyze the lnk files and explain how a lnk file to a website will be created in a user's recent folder in Windows 8.1.

Download the LNKs here:
https://drive.google.com/file/d/0B_mjsPB8uKOAU2cwZUM4aEpQV2c/edit?usp=sharing

The Winning Answer:
Ryan Tracey


I have very little experience with Windows 8, so I'm basing this answer off a test I ran in a Windows 8.1 VM. During my testing, I came across several scenarios where a lnk file to a website was generated.

1. Access the website through the Run Dialog.

2. Access the website through the Windows search charm.

3. Accessing the website from a lnk file (e.g. shortcut to http://192.168.1.1 from router configuration CD).

4. Accessing the website from a link in an application (e.g. Skype or Facebook).

After reviewing the list of targets from the files you provided, I think it's likely that there are additional scenarios in which a lnk file to a website will be created in a user's recent folder.

Daily Blog #175: Sunday Funday 12/15/13

Hello Reader,
         It's Sunday and time for the gauntlet to be thrown down to those who are willing to sacrifice part of their day for a worthy prize. This week, if you watched the Forensic Lunch, you heard Yogesh Khatri talk about Windows 8 forensics, and I'm going to focus this week's challenge on Windows 8. In this challenge you will need to download and analyze some data, so I'm going to give you more time than usual.

The Prize:



The Rules:
  1. You must post your answer before Monday 12/16/13 1PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You are analyzing a Windows 8.1 system and run across a lnk file in the suspect's recent directory. The lnk file points to a website but the suspect has denied accessing it. Analyze the lnk files and explain how a lnk file to a website will be created in a user's recent folder in Windows 8.1.

Download the LNKs here:
https://drive.google.com/file/d/0B_mjsPB8uKOAU2cwZUM4aEpQV2c/edit?usp=sharing

Daily Blog #174: Saturday Reading 12/14/13

Hello Reader,
              It's Saturday! Time for another set of links to make you think. The ice is melting in Dallas and I'm looking forward to a cold winter so I'll have an excuse to stay inside and read.

1. We had a great Forensic Lunch this week! We had Yogesh Khatri talking about his Windows 8 registry forensics research, Dan Pullega talking about his extensive research into Windows Shellbags, David Dym talking about his new tool MetaDiver, and Matthew and myself talking about v3 of ANJP and demoing the auto detection of CD burning. You can watch it here: https://www.youtube.com/watch?v=XNui5Rrz7-s

2. Willi Ballenthin has put up his slides on MFT analysis for responders, http://www.williballenthin.com/blog/2013/12/13/mft-analysis-presentation/. I like Willi's work a lot, so you should know it's full of good material.

3. Over on the hexacorn blog there is a cool bit of analysis written up on detecting what libraries were loaded by a Visual Basic application, http://www.hexacorn.com/blog/2013/12/11/some-forensic-artifacts-are-just-like-this-sometimes-visual-often-basic-and-on-occassion-iconic/. This is great for those of you doing IR, as VB apps are in the toolkit of most of the bad guys out there.

4. There is a new article up on Forensic Focus regarding recovering purged records from Skype databases and SQLite, http://articles.forensicfocus.com/2013/11/26/extracting-evidence-from-destroyed-skype-logs-and-cleared-sqlite-databases/. How cool is that? The author uses a number of tools to test which can carve SQLite records from unallocated space to recover Skype history. Great reading.

5. What's that? Two articles on the hexacorn blog in one week? It must be close to Christmas time. This post focuses on a really cool topic: using the names of unused DLLs to load into memory with valid processes. The basic idea is that there are some DLLs that no longer exist but will still be loaded if you place a DLL with the same name in the right directory. Give it a read: http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

6. Dealing with a UEFI system and want to boot from Linux? Read this http://ilostmynotes.blogspot.com/2013/12/windows-8-and-ubuntu-1304-with.html and see what his solution was. If you can get it working it can get your Linux boot CDs working again.

7. This wasn't put up this week but I thought after meeting Carlos that I should make sure more people are aware of it. Carlos has a great blog up on how to boot from a write blocked drive in Linux with an overlay file for changes using all FOSS software, http://www.epyxforensics.com/node/50. Before his post I only knew of commercial solutions so this is great stuff.

8. Jimmy Weg has a good blog up if you're trying to boot a suspect's Win8 image up in a VM and don't know his password, http://justaskweg.com/?p=1434. Following Jimmy's methods will get a working password re-added to the account and you logged in.

9. Jack has a new blog up on the Handler Diaries, which is a blog I like to read but need to put into my Feedly so I see his newest posts: http://blog.handlerdiaries.com/?p=177. In this post Jack goes into his approach for hunting evil and taking a proactive approach to finding unknown malware.

That's all for this week, make sure to come back for tomorrow's Windows 8.1 themed Sunday Funday!