February 2014


Hello Reader,
          Today's Forensic Lunch was great and really focused on IR and static malware analysis. If you are interested in either of those topics, boy do we have a great show for you. This week we had:

Jack Crook, @jackcr, talking about his work in IR, how he got started, his forensic challenges and his work in building a local DFIR community. You can read his blog here, http://blog.handlerdiaries.com/, and learn more about his community efforts in Virginia.

Marc Ochsenmeier, @ochsenmeier, giving us the history of his tool PeStudio, an overview of how it works and the future of the tool. His website is http://winitor.com/, where you can download PeStudio for yourself, as it's free for non-commercial use!


Hello Reader,
I thought it would be a good idea to post the video that I asked Kevin Stokes in our lab to make, showing how to actually write the Multiboot Image to a thumb drive. While you could use a variety of methods, we've found ImageUSB from PassMark to be a reliable tool for it.
I'm planning on having more videos made and uploaded to the YouTube channel to help understand and explain some of the more difficult topics we go over.

You can download ImageUSB from PassMark here: http://www.osforensics.com/tools/write-usb-images.html

Watch the video below:

Hello Reader,
         Last week we talked about how to build WinFE to put on our Multiboot Thumbdrive. Now let's walk through a step-by-step guide to building WinFE Lite, in case you are tight on space or on a system with very few resources.



This is a visual guide to complement Colin Ramsden's guidance on building Windows FE Lite. This is another great, lightweight tool to have around, especially if you're not comfortable with the Linux environment when booting a device for imaging.

Get the Prerequisites:
1.       Windows 7 computer with 20 GB or more of free space.
a.       Disable User Account Control (optional).
b.      32-bit is recommended for supporting older architecture. 64-bit can be used, just be consistent during the build. These instructions and links are for 32-bit.
c.       I installed a fresh copy of Windows 7 Ultimate SP1 for this demonstration.
2.       Download the Microsoft Windows Automated Installation Kit (WAIK) ISO: http://www.microsoft.com/en-us/download/confirmation.aspx?id=5753
3.       Use your favorite ISO mounter or burn the WAIK ISO to disc. Virtual CloneDrive works: http://static.slysoft.com/SetupVirtualCloneDrive.exe
4.       Windows 7 x86 ISO or disc
a.       Ultimate or Enterprise
5.       Windows XP Professional SP3 x86 ISO or disc (optional)
6.       Explorer++ (it becomes the WinFE Lite shell; the build renames it to Explorer.exe)
7.       7-Zip (used to open the ISOs, install.wim and the Boot Camp installer)
8.       Programmers Notepad: http://pnotepad.googlecode.com/files/pn2342350_multilang.exe
a.       Optional, though as Colin notes, you can edit the build to suit your needs.
9.       HFS+ drivers: support.apple.com/downloads/DL1443/en_US/BootCamp_3.3.exe
a.       Optional, but they add support for HFS+ volumes.
b.      Might as well include them: leaving them out means editing the batch file, on top of losing HFS+ support.
10.   Download the WinFE Lite Full Package, which contains the rest of what you need, including the write protect script: http://www.ramsdens.org.uk/repository/fullpackage/FE_Lite.zip

Now we Begin:
1.       Install WAIK from the ISO or burned disc, to the default directory:

This is the KB3AIK_EN (WAIK install file) mounted via Virtual CloneDrive.

Simply select Windows AIK Setup to begin installation.

2.       Install Explorer++ and 7-Zip.
3.       Extract files from the Windows 7 and (optionally) Windows XP install discs or ISOs.
a.       To keep things organized, create four folders to sort the files you will need. Per Colin's example, create a "Repository" folder, then within this folder create "Drivers", "Windows7Files" and "WindowsXPFiles".

b.      Use 7-zip to access the Windows 7 Installation ISO or to access the Disc for Windows 7.

c.       Navigate to “Sources”

d.      Then find “install.wim” within the directory.

e.      Double clicking “install.wim” inside 7-Zip will open the file to reveal its contents.

f.        Export the largest folder that appears to the Windows7Files folder created in step 3a. In this case, folder 5.
g.       Optional: use 7-Zip to access the Windows XP installation ISO or disc. Go into the I386 folder and export the following files to the WindowsXPFiles folder; they add some extra features. Colin suggests this list. Each .EX_/.DL_ entry is a compressed file, so double-click it in 7-Zip to reveal the executable inside.
        i.      CALC.EX_ (calc.exe)
        ii.     MAG_HOOK.DL_ (mag_hook.dll)
        iii.    MAGNIFY.EX_ (magnify.exe)
        iv.     MSPAINT.EX_ (mspaint.exe)
        v.      MSSWCH.DL_ (msswch.dll)
        vi.     MSTSC.EX_ (mstsc.exe)
        vii.    MSTSCAX.DL_ (mstscax.dll)
        viii.   OSK.EX_ (osk.exe)


h.      Optional: use 7-Zip to extract the drivers for HFS+ support from the "BootCamp_3.3.exe" file downloaded in step 9 of the prerequisites. Right-click the file and select "Open Inside", then double-click entries in this order:
        i.      .rsrc
        ii.     0
        iii.    MSP_RESOURCE
        iv.     UPDATE32
        v.      PCW_CAB_BootCamp
There are two files here to extract, "AppleHFS.sys" and "AppleMNT.sys". Place them in the "Drivers" folder created in step 3a.

4.       Extract the WinFE full package from step 10 of the prerequisites to the location of your choice. I chose simply under the C: drive. Do not alter the names of the files and directories extracted from the package, as the batch script we will be using depends on them.

Let’s Build it:
Here is a little information about the folders in the extracted FE_Lite directory:
ISO: where the built ISO will be output.
X: user files can be added to this folder and its sub-directories.
Other folders: used in the build process.

Where to copy files:

\X\Windows\System32
    ExplorerFrame.dll    (from \Repository\Windows7Files\5\Windows\System32)
    calc.exe             (from \Repository\WindowsXPFiles)
    mag_hook.dll         (from \Repository\WindowsXPFiles)
    magnify.exe          (from \Repository\WindowsXPFiles)
    mspaint.exe          (from \Repository\WindowsXPFiles)
    msswch.dll           (from \Repository\WindowsXPFiles)
    mstsc.exe            (from \Repository\WindowsXPFiles)
    mstscax.dll          (from \Repository\WindowsXPFiles)
    osk.exe              (from \Repository\WindowsXPFiles)
    Explorer.exe         (Explorer++, downloaded earlier, renamed to Explorer.exe)

This is how the "\X\Windows\System32" directory should look now (assuming you show extensions, of course). Updates to WProtect.exe (used for write protection and mounting) can be added to this folder prior to a rebuild. You can also change the wallpaper for the build by including a BMP file of your choice named "winpe.bmp".

\X\Windows\System32\Drivers
    AppleHFS.sys         (from \Repository\Drivers)
    AppleMNT.sys         (from \Repository\Drivers)

Press the button!
Open a command prompt and run the MakeFELite.bat file.  There will be a lot of information scrolling on the screen as it goes through the batch file.  Then it will be done.


You can copy the resulting image to a CD or thumb drive, or just load it into a VM to check it out. Either way you get a command prompt to play around in. Add other tools and rebuild to your heart's desire.
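As an added example (not part of Colin Ramsden's FE_Lite package or of this post), here is a Python script that carries out the copy table above and pre-flight checks the staging before you run MakeFELite.bat. It assumes the Repository layout from step 3a (Windows7Files\5, WindowsXPFiles, Drivers), the FE_Lite folder from step 4 and the path to the Explorer++ binary, all passed on the command line; the script name and those paths are assumptions. Without arguments it runs against a constructed fake tree in a temporary directory with AppleMNT.sys deliberately left out, because leaving the HFS+ drivers out without editing the batch file is the one caveat the guide gives.

```python
"""Stage and pre-flight check the WinFE Lite payload before running MakeFELite.bat.

Added example, not part of Colin Ramsden's FE_Lite package or the original post.
Assumed layout: the Repository folder from step 3a (Windows7Files/5, WindowsXPFiles,
Drivers), the FE_Lite folder from step 4, and the Explorer++ binary downloaded earlier.
"""
import shutil
import sys
import tempfile
from pathlib import Path

WIN7_FILES = ["ExplorerFrame.dll"]                  # from Windows7Files\5\Windows\System32
XP_FILES = ["calc.exe", "mag_hook.dll", "magnify.exe", "mspaint.exe",
            "msswch.dll", "mstsc.exe", "mstscax.dll", "osk.exe"]  # from WindowsXPFiles
HFS_DRIVERS = ["AppleHFS.sys", "AppleMNT.sys"]      # from Drivers, into System32\Drivers
# Items the guide says may be dropped into System32 before a rebuild; reported, not required.
EXTRAS = ["WProtect.exe", "winpe.bmp"]


def sys32(fe_root: Path) -> Path:
    return fe_root / "X" / "Windows" / "System32"


def plan(repo: Path, fe_root: Path, explorerpp: Path) -> list:
    """(source, destination) pairs for every file the guide copies."""
    dst = sys32(fe_root)
    win7 = repo / "Windows7Files" / "5" / "Windows" / "System32"
    pairs = [(win7 / n, dst / n) for n in WIN7_FILES]
    pairs += [(repo / "WindowsXPFiles" / n, dst / n) for n in XP_FILES]
    pairs += [(repo / "Drivers" / n, dst / "Drivers" / n) for n in HFS_DRIVERS]
    # Explorer++ is renamed to Explorer.exe so the FE_Lite build picks it up as the shell.
    pairs.append((explorerpp, dst / "Explorer.exe"))
    return pairs


def stage(repo: Path, fe_root: Path, explorerpp: Path) -> list:
    """Copy everything in plan(); return the names of sources that were not found."""
    missing = []
    for src, dst in plan(repo, fe_root, explorerpp):
        if not src.is_file():
            missing.append(src.name)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    return missing


def preflight(fe_root: Path, require_hfs: bool = True) -> dict:
    """Report what MakeFELite.bat will find. The HFS+ drivers count as required unless
    you also edited the batch file to drop them (the caveat the guide gives)."""
    s = sys32(fe_root)
    required = WIN7_FILES + XP_FILES + ["Explorer.exe"]
    missing = [n for n in required if not (s / n).is_file()]
    if require_hfs:
        missing += [n for n in HFS_DRIVERS if not (s / "Drivers" / n).is_file()]
    if not (fe_root / "MakeFELite.bat").is_file():
        missing.append("MakeFELite.bat")
    return {"missing": missing, "extras": [n for n in EXTRAS if (s / n).is_file()]}


def demo() -> dict:
    """Constructed fixture: a fake Repository/FE_Lite tree (placeholder bytes, no real
    Windows files) with AppleMNT.sys left out, to show how a forgotten driver is reported."""
    root = Path(tempfile.mkdtemp())
    repo, fe, epp = root / "Repository", root / "FE_Lite", root / "Explorer++.exe"
    win7 = repo / "Windows7Files" / "5" / "Windows" / "System32"
    win7.mkdir(parents=True)
    (win7 / "ExplorerFrame.dll").write_bytes(b"MZ")
    (repo / "WindowsXPFiles").mkdir()
    for n in XP_FILES:
        (repo / "WindowsXPFiles" / n).write_bytes(b"MZ")
    (repo / "Drivers").mkdir()
    (repo / "Drivers" / "AppleHFS.sys").write_bytes(b"MZ")   # AppleMNT.sys deliberately absent
    epp.write_bytes(b"MZ")
    fe.mkdir()
    (fe / "MakeFELite.bat").write_text("rem placeholder\n")
    return {"stage_missing": stage(repo, fe, epp),
            "preflight": preflight(fe),
            "preflight_no_hfs": preflight(fe, require_hfs=False)}


if __name__ == "__main__":
    if len(sys.argv) == 4:  # e.g. stage_felite.py C:\Repository C:\FE_Lite C:\Tools\Explorer++.exe
        repo, fe, epp = (Path(p) for p in sys.argv[1:4])
        print("missing sources:", stage(repo, fe, epp))
        print(preflight(fe))
    else:
        print(demo())
```

On the build machine, run it with the three paths before pressing the button; an empty "missing" list means the System32 and Drivers folders match the copy table and MakeFELite.bat is where the script expects it. Pass require_hfs=False to preflight() only if you have also removed the driver lines from the batch file.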

Hello Reader,
          Judging by the responses I received, there is a need for further explanation of how indexers deal with unallocated space. I've posted the winning answer from Darren Windham, but I'm also going to reach out to Jon Stewart to see if he'd be willing to write up his answer. Things are not as simple as they are presented to you once you begin your searching! That said, here is this week's winning answer.



The Challenge:
You have 10 GB of unallocated space from a drive that you need to index and search. Explain how an indexing program handles unstructured data for tokenizing, and what other technologies must be used to handle encoded data.

The Winning Answer:
Darren Windham


When parsing an unstructured set of data you must first locate tokens or some indicators that an artifact of interest may be present. In a forensic examination this could be a keyword expression, a URL, an email address, a header for a file to recover, or other encoded data. Once these tokens have been located they can be indexed and examined in further detail to determine if they are in fact relevant to your investigation. One tool to automate some of this is bulk_extractor by Simson Garfinkel. Since it does not parse the file system it can parse multiple parts of the disk in parallel depending on the number of processor cores available, and it also detects compressed/encoded data and searches it recursively. No matter the tool or the search engine used to parse the unstructured data, you still have to have some idea of what you are looking for and the best methods to find the kind and type of artifacts you are looking for or expect to find. In those cases where you don't get the expected results, a different tool or search pattern may be needed to put some order to the data.
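To make the two halves of the challenge concrete, here is an added Python example; it is not code from bulk_extractor, Lightgrep or Darren's answer, and every address, URL and container in its sample buffer is constructed for the demo. With no file system to lean on, it treats the bytes as one stream: pattern scanners pull e-mail addresses and URLs out of ASCII text, UTF-16LE runs are decoded and rescanned, and gzip, zlib and base64 containers are decoded and fed back into the same tokenizer, so each hit carries the chain of decodings that exposed it. That recursion into encoded data is the part of the answer that is easy to state and easy to get wrong.

```python
"""Toy tokenizer and inverted index for raw unallocated space.

Added example; not code from bulk_extractor, Lightgrep or the original post.
The sample buffer and everything in it are constructed for the demo.
"""
import base64
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Optional

EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
URL = re.compile(rb"https?://[A-Za-z0-9./?=&_%:#-]+")
SCANNERS = (("email", EMAIL), ("url", URL))
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")           # printable UTF-16LE text
# A base64 run: at least 8 full quads plus an optional final padded quad.
BASE64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
CONTAINERS = (("gzip", re.compile(rb"\x1f\x8b\x08"), 31),            # gzip member, wbits=16+15
              ("zlib", re.compile(rb"\x78[\x01\x5e\x9c\xda]"), 15))  # zlib header, wbits=15


@dataclass(frozen=True)
class Hit:
    kind: str     # "email" or "url"
    value: str
    offset: int   # byte offset inside the buffer the token was read from
    path: str     # decoding chain, e.g. "raw", "raw/utf16", "raw/gzip@1234"


def _inflate(data: bytes, wbits: int) -> Optional[bytes]:
    """Inflate one stream starting at data[0]. A decompressobj stops at the end of
    the stream (slack after it lands in unused_data) and keeps partial output if the
    stream is truncated, which is the normal state of things in unallocated space."""
    try:
        out = zlib.decompressobj(wbits=wbits).decompress(data)
    except zlib.error:
        return None
    return out or None


def tokenize(buf: bytes, path: str = "raw", depth: int = 0, max_depth: int = 3) -> list:
    hits = []
    for kind, rx in SCANNERS:                              # (1) ASCII text
        for m in rx.finditer(buf):
            hits.append(Hit(kind, m.group().decode("ascii"), m.start(), path))
    for m in UTF16_RUN.finditer(buf):                      # (2) UTF-16LE text, invisible to (1)
        text = m.group().decode("utf-16-le").encode("ascii")
        for kind, rx in SCANNERS:
            for sm in rx.finditer(text):
                hits.append(Hit(kind, sm.group().decode("ascii"),
                                m.start() + 2 * sm.start(), f"{path}/utf16"))
    if depth >= max_depth:                                 # bound recursion on nested containers
        return hits
    for name, magic, wbits in CONTAINERS:                  # (3a) compressed streams
        for m in magic.finditer(buf):
            inner = _inflate(buf[m.start():], wbits)
            if inner:
                hits += tokenize(inner, f"{path}/{name}@{m.start()}", depth + 1, max_depth)
    for m in BASE64_RUN.finditer(buf):                     # (3b) base64 text
        try:
            inner = base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue
        hits += tokenize(inner, f"{path}/base64@{m.start()}", depth + 1, max_depth)
    return hits


def build_index(hits: list) -> dict:
    """Inverted index: normalised token -> every place it was seen (the 'index' step)."""
    index = {}
    for h in hits:
        index.setdefault(f"{h.kind}:{h.value.lower()}", []).append(h)
    return index


def sample_unallocated() -> bytes:
    """Constructed stand-in for a slice of unallocated space; not real evidence."""
    plain = b"  from: alice@example.com  subject: q1 numbers\r\n"
    utf16 = "http://example.org/notes".encode("utf-16-le")
    gz = gzip.compress(b"cached page by bob@example.net, deflated before deletion")
    zl = zlib.compress(b"dave@example.com inside a zlib stream such as a PNG or docx part")
    b64 = base64.b64encode(b"MIME part for carol@example.org that survived as base64 text")
    filler = b"\x00" * 300
    return filler + plain + filler + utf16 + filler + gz + filler + zl + filler + b64 + filler


if __name__ == "__main__":
    found = tokenize(sample_unallocated())
    for key, where in sorted(build_index(found).items()):
        print(key, [(h.offset, h.path) for h in where])
```

A real engine adds many more decoders (MIME, Office and other zip containers, hibernation files), searches a proper index rather than a dict, and has to handle tokens that straddle the block boundaries it reads in parallel; a detached base64 run is also only recoverable to quad boundaries, which is why the regex carries the optional padded tail.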

Hello Reader,
        If you watched the Forensic Lunch this week you heard Jon Stewart talk about Lightgrep. Indexing and searching can be a vital piece of our investigations, and understanding how that technology works is important. In that regard, let's see how you fare with this week's challenge!

The Prize:
A 32GB USB3 Kanguru thumb drive with write protection, loaded with our Multiboot Image




The Rules:
  1. You must post your answer before Monday 2/24/14 2AM CST (UTC-6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You have 10 GB of unallocated space from a drive that you need to index and search. Explain how an indexing program handles unstructured data for tokenizing, and what other technologies must be used to handle encoded data.

Hello Reader,
              Hope you had a great week, but now the week is over. It's Saturday! It's time for more links to make you think in this week's Saturday Reading.

1. We had a fascinating Forensic Lunch today with two people whose expertise is in fields I know much less about, which always fascinates me:

Lenny Zeltser, @lennyzeltser , talking about his career in reverse engineering and the challenges of moving his analysis platform to Windows 8. Here are the links he discussed:

Books mentioned:
Malware Analyst's Cookbook: http://www.malwarecookbook.com
Practical Malware Analysis: http://practicalmalwareanalysis.com/
Jon Stewart, @codeslack, talking about his career and his work on Lightgrep.
You can grab a copy of the Lightgrep engine source here: http://www.lightboxtechnologies.com/lightgrep-engine/
You can grab bulk_extractor v1.4 with Lightgrep built in here: http://digitalcorpora.org/downloads/bulk_extractor/
You can buy a copy of Lightgrep that works with EnCase and other tools here: http://www.lightboxtechnologies.com/lightgrep/

 2. The Hexacorn blog has part 8 of its autorun series up, http://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/, this one covering how to turn users into your persistence mechanism through jump lists. Very cool.

3. Jason Hale has a new blog post up documenting additional MRUs in Office 2013, http://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html. More MRUs is always a good thing!

4. Lenny Zeltser has a new post up on the SANS DFIR blog discussing OllyDbg v2, http://digital-forensics.sans.org/blog/2014/02/20/ollydbg-version-2-for-malware-analysis, and its current state of feature completeness.

5. Harlan has a new blog post up, http://windowsir.blogspot.com/2014/02/more-tracking-user-activity-via-registry.html, discussing how to identify additional files accessed in Office 2013 on a per-user basis, with timestamps and the last position for each document.

Did I miss something? Did you post a blog I missed? Let me know in the comments or email me dcowen@g-cpartners.com and let me know!

Hello Reader,
           We had a fascinating Forensic Lunch today with:

Lenny Zeltser, @lennyzeltser , talking about his career in reverse engineering and the challenges of moving his analysis platform to Windows 8. Here are the links he discussed:

Books mentioned:
Malware Analyst's Cookbook: http://www.malwarecookbook.com
Practical Malware Analysis: http://practicalmalwareanalysis.com/

Jon Stewart, @codeslack, talking about his career and his work on Lightgrep.
You can grab a copy of the Lightgrep engine source here: http://www.lightboxtechnologies.com/lightgrep-engine/
You can grab bulk_extractor v1.4 with Lightgrep built in here: http://digitalcorpora.org/downloads/bulk_extractor/
You can buy a copy of Lightgrep that works with EnCase and other tools here: http://www.lightboxtechnologies.com/lightgrep/