Friday, February 28, 2014

Daily Blog #250: Forensic Lunch 2/28/14

Hello Reader!,
          Today's Forensic Lunch was great and really focused on IR and static malware analysis. If you are interested in either of those topics, boy do we have a great show for you. This week we had:

Jack Crook, @jackcr, talking about his work in IR, how he got started, his forensic challenges and his work in building local DFIR community. You can read his blog here, http://blog.handlerdiaries.com/, and learn more about his community efforts in Virginia.

Marc Ochsenmeier, @ochsenmeier, giving us the history of his tool PeStudio and an overview of how it works as well as the future of the tool.  His website is http://winitor.com/ where you can download PeStudio for yourself as its free for non-commercial use!


Posted by David Cowen at 1:15 PM 0 comments Links to this post
Labels:

Thursday, February 27, 2014

Daily Blog #249: How to write the Multiboot USB Image to a thumbdrive

Hello Reader,
            I thought it would be a good idea to post up the video that I asked Kevin Stokes in our lab to make showing how to actually write the Multiboot Image to a thumbdrive. While you could just use a variety of methods, we've found ImageUSB from PassMark to be a reliable tool for it.
I'm planning on having more videos made to be uploaded to the Youtube channel to help understand and explain some of the more difficult topics we go over.

You can download ImageUSB from PassMark here: http://www.osforensics.com/tools/write-usb-images.html

Watch the video below:

Posted by David Cowen at 2:16 PM 0 comments Links to this post
Labels:

Wednesday, February 26, 2014

Daily Blog #248: Adding the WinFE Image to the Multiboot Thumdrive Image (Video)

Hello Reader,
       We've gone through now how to build the WinFE and WinFE Lite images for use in the Multiboot Thumbdrive. What we haven't covered is how to then add that image (or any other bootable image) to our multiboot thumbdrive. So I asked Kevin Stokes in our lab to make a video walking you through this.


Posted by David Cowen at 12:33 AM 0 comments Links to this post
Labels: , ,

Tuesday, February 25, 2014

Daly Blog #247: How to Build WinFE Lite for the USB Multiboot Image

Hello Reader,
         Last week we talked about how to build WinFE to put on our Multiboot Thumbdrive. Now let's show a step by step guide to building WinFE light in case you are tight on space or on a system with very little resources.



This is a visual guide to compliment Colin Ramsden’s guidance on building Windows FE Lite.  This is another great, light-weight tool to have around, especially if you’re not comfortable with the Linux environment when booting a device for imaging.

Get the Prerequisites:
11.       Windows 7 computer with 20 GB or more free space.
a.       Disable User Account Control (optional)
b.      32-bit is recommended for supporting older architecture.  64-bit can be used, just be consistent during the build.  These instructions and links will be for 32-bit.
c.       I installed a fresh, new copy of Windows 7 Ultimate SP 1 for this demonstration.
22.       Download Microsoft Windows Automated Installation Kit (WAIK) ISO http://www.microsoft.com/en-us/download/confirmation.aspx?id=5753
33.       Use your favorite ISO mounter or burn the WAIK ISO to disc.  http://static.slysoft.com/SetupVirtualCloneDrive.exe
44.       Windows 7 x86 ISO or Disc
a.       Ultimate or Enterprise
55.       Windows XP Professional SP3 x86 ISO or Disc (Optional)
66.       Explorer++ -- http://explorerplusplus.com/software/explorer++_1.3.5_x86.zip
77.       7-Zip -- http://downloads.sourceforge.net/sevenzip/7z920.exe
88.       Programmers Notepad -- http://pnotepad.googlecode.com/files/pn2342350_multilang.exe
a.       Optional, though as Colin notes, you can edit the build to suit your needs.
99.       HFS+ Drivers -- support.apple.com/downloads/DL1443/en_US/BootCamp_3.3.exe
a.       Optional.  However this is can add support for HFS+ volumes.
b.      Might as well include them.  Leaving them out requires editing the batch file.  Aside from not having HFS+ support.
110.   Download the WinFE Lite Full Package – Contains the rest of what you need.  Including the write protect script.  http://www.ramsdens.org.uk/repository/fullpackage/FE_Lite.zip

Now we Begin:
11.       Install WAIK from the ISO or burned Disc, to the default directory:

This is the KB3AIK_EN (WAIK install file) mounted via Virtual CloneDrive.


Simply select Windows AIK Setup to begin installation.






22.       Install Explorer++ and 7-Zip.
33.       Extract files from Windows 7 and XP (Optional) install Discs or ISO
a.       To keep things organized, create four folders to sort the files you will need.  Per Colin’s example, create a “Repository” folder, then within this folder create “Drivers”, “Windows7Files”, “WindowsXPFiles”

b.      Use 7-zip to access the Windows 7 Installation ISO or to access the Disc for Windows 7.

c.       Navigate to “Sources”

d.      Then find “install.wim” within the directory.

e.      Double clicking “install.wim” inside 7-Zip will open the file to reveal its contents.

f.        Export out the largest folder that appears, to the Window7Files folder created in step 3a.  In this case, folder 5.
g.       Optional – Use 7-Zip to access the Windows XP installation ISO or Disc.  Go into the I386 folder and export files, to the WindowsXPFiles folder, that can add some extra features.  Colin suggests the following list, just double click to find the executable.
                                                               i.      CALC.EX_ (calc.exe)
                                                             ii.      MAG_HOOK.DL_ (mag_hook.dll)
                                                            iii.      MAGNIFY.EX_ (magnify.exe)
                                                           iv.      MSPAINT.EX_ (mspaint.exe)
                                                             v.      MSSWCH.DL_ (msswch.dll)
                                                           vi.      MSTSC.EX_ (mstsc.exe)
                                                          vii.      MSTSCAX.DL_ (mstscax.dll)
                                                        viii.      OSK.EX_ (osk.exe)


h.      Optional – Use 7-Zip to extract drivers for HFS+ support by navigating to the “BootCamp_3.3.exe” file downloaded from step 9 of the prerequisites.  Right-click on the file and select “Open Inside”.  Now double-click entries in this order:

                                                               i.      .rsrc
                                                             ii.      0
                                                            iii.      MSP_RESOURCE
                                                           iv.      UPDATE32
                                                             v.      PCW_CAB_BootCamp
There are two files here to extract.  “AppleHFS.sys” and “AppleMNT.sys” Place these in the “Drivers” created in Step 3a.

44.       Extract the WinFE full package from step 10 in the prerequisites to the location of your choice.  I choose simply under the C: drive.  Do not alter the names of the files and directories extracted from the package, as they are needed for the batch script we will be using.

Let’s Build it:
Here is a little information about the folders from the extracted FE_Lite directory.
ISO – This is where our built ISO will be output. 
X – User files can be added to this folder and sub-directories
Other folders – used in the build process
Where to copy files:
\X\Windows\System32
ExplorerFrame.dll            (From \Repository\Windows7Files\5\Windows\System32)
calc.exe                                                (From \Repository\WindowsXPFiles)
mag_hook.dll                    (From \Repository\WindowsXPFiles)
magnify.exe                       (From \Repository\WindowsXPFiles)
mspaint.exe                       (From \Repository\WindowsXPFiles)
msswch.dll                          (From \Repository\WindowsXPFiles)
mstsc.exe                           (From \Repository\WindowsXPFiles)
mstscax.dll                          (From \Repository\WindowsXPFiles)
osk.exe                                (From \Repository\WindowsXPFiles)
Explorer.exe                      (Renamed from Explorer++ which was downloaded earlier)

 


This is how the “\X\Windows\System32” directory should look now (assuming you show extensions, of course).  Updates to WProtect.exe (used for Write Protection and mounting) can be added to this folder prior to a rebuild.  Also you can adjust the wallpaper for the build by including a BMP file of choice named “winpe.bmp”
\X\Windows\System32\Drivers

         
      
AppleHFS.sys
                AppleMNT.sys

Press the button!
Open a command prompt and run the MakeFELite.bat file.  There will be a lot of information scrolling on the screen as it goes through the batch file.  Then it will be done.


You can copy the resulting image to a CD or thumbdrive, or just load it into a VM to check it out.  But this will give you a command prompt to play around in.  Add other tools and rebuild to you hearts desire.

Posted by David Cowen at 1:04 PM 0 comments Links to this post
Labels: ,

Monday, February 24, 2014

Daily Blog #246: Sunday Funday 2/23/14 Winner!

Hello Reader,
          It appears by what I received that there is a need for further explanation of how Indexers deal with unallocated space. I've posted the winning answer from Darren Windham but I'm also going to reach out to Jon Stewart to see if he'd be willing to write up his answer. Things are not as simple as they are presented to you once you begin your searching! That said, here is this weeks winning answer.



The Challenge:
You have a 10gbs of unallocated space from a drive that you need to index and search. Explain how an indexing program handles unstructured data for tokenizing and what other technologies must be used to handle encoded data.

The Winning Answer:
Darren Windham


When parsing an unstructured set of data you must first locate tokens or some indicators that an artifact of interest may be present. In a forensic examination this could be a keyword expression, a url, an email address, a header for a file to recover, or other encoded data.  Once these tokens have been located they can be indexed and examined in further detail to determine if they are in fact relevant to your investigation.  One tool to automate some of this is bulk_extractor by Simson Garfinkel.  Since it does not parse the file system it can parse multiple parts of the disk in parallel depending on the number of processor cores available and it also detects compressed/encoded data and searches it recursively.  No matter the tool or the search engine used to parse the unstructured data you still have to have some idea on what you are looking for and the best methods to find the kind and type of artifacts you are looking for or expect to find.  In those cases you don't get the expected results a different tool or search pattern may be needed to put some order to the data.
Posted by David Cowen at 10:47 AM 0 comments Links to this post
Labels: ,

Saturday, February 22, 2014

Daily Blog #245: Sunday Funday 2/23/14

Hello Reader,
        If you watched the forensic lunch this week you heard Jon Stewart talk about Lightgrep. Indexing and searching can be a vital piece in our investigations and understanding how that technology works is important. In that regard let's see how you fare with this weeks challenge!

The Prize:
A 32GB USB3 Kangaruu thumbdrive w/ write protection loaded with our Multiboot Image




The Rules:
  1. You must post your answer before Monday 2/24/14 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
You have a 10gbs of unallocated space from a drive that you need to index and search. Explain how an indexing program handles unstructured data for tokenizing and what other technologies must be used to handle encoded data.
Posted by David Cowen at 9:45 PM 0 comments Links to this post
Labels: ,

Daily Blog #244: Saturday Reading 2/22/14

Hello Reader,
              Hope you had a great week, but now the week is over. It's Saturday! It's time for more links to make you think in this weeks, Saturday Reading.

1. We had a Forensic Lunch with two people whose expertise is in fields I know much less about which always fascinates me. We had a fascinating Forensic Lunch today with:

Lenny Zeltser, @lennyzeltser , talking about his career in reverse engineering and the challenges of moving his analysis platform to Windows 8. Here are the links he discussed:

Dealing with ASLR on Windows 8.1: http://digital-forensics.sans.org/blog/2014/02/17/malware-analysis-and-aslr-on-windows-8-1
setdllcharacteristics: http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/
CFF Explorer: http://www.ntcore.com/exsuite.php
Scylla for process dumping: http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/
Books mentioned:
Malware Analyst's Cookbook: http://www.malwarecookbook.com
Practical Malware Analysis: http://practicalmalwareanalysis.com/
You can take a class with Lenny here:  https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques
Jon Stewart, @codeslack, talking about his career and his work on Lightgrep.
You can grab a copy of the lightgrep engine source here:http://www.lightboxtechnologies.com/lightgrep-engine/
You can grab a copy of  v1.4 with lightgrep built in here: http://digitalcorpora.org/downloads/bulk_extractor/
You can buy a copy of lightgrep that works with Encase and other tools here:http://www.lightboxtechnologies.com/lightgrep/

 2. Hexacorn blog has part 8 in their autorun series up, http://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/, this one covering how to get users to be your persistence mechanism through jumplists. Very cool.

3. Jason Hale has a new blog post up documenting addtional MRU's in office 2013, http://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html, more MRUs is always a good thing!

4. Lenny Zeltser has a new blog post up on the SANS DFIR blog discussing Ollydbg v2, http://digital-forensics.sans.org/blog/2014/02/20/ollydbg-version-2-for-malware-analysis, and its current state of feature completeness.

5. Harlan has a new blog up discussing how to identify, http://windowsir.blogspot.com/2014/02/more-tracking-user-activity-via-registry.html, additional files being accessed in Office 2013 on a per user basis with timestamps and last position for each document.

Did I miss something? Did you post a blog I missed? Let me know in the comments or email me dcowen@g-cpartners.com and let me know!
Posted by David Cowen at 12:26 AM 0 comments Links to this post
Labels:

Friday, February 21, 2014

Daily Blog #243: Forensic Lunch 2/21/14

Hello Reader,
           We had a fascinating Forensic Lunch today with:

Lenny Zeltser, @lennyzeltser , talking about his career in reverse engineering and the challenges of moving his analysis platform to Windows 8. Here are the links he discussed:



Dealing with ASLR on Windows 8.1: http://digital-forensics.sans.org/blog/2014/02/17/malware-analysis-and-aslr-on-windows-8-1

setdllcharacteristics: http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

CFF Explorer: http://www.ntcore.com/exsuite.php

Scylla for process dumping: http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

Books mentioned:

Malware Analyst's Cookbook: http://www.malwarecookbook.com

Practical Malware Analysis: http://practicalmalwareanalysis.com/


You can take a class with Lenny here:  https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques


Jon Stewart, @codeslack, talking about his career and his work on Lightgrep.
You can grab a copy of the lightgrep engine source here:http://www.lightboxtechnologies.com/lightgrep-engine/
You can grab a copy of  v1.4 with lightgrep built in here: http://digitalcorpora.org/downloads/bulk_extractor/
You can buy a copy of lightgrep that works with Encase and other tools here:http://www.lightboxtechnologies.com/lightgrep/





Posted by David Cowen at 6:56 PM 0 comments Links to this post
Labels:
Subscribe to: Posts (Atom)