Daily Blog #343: Sunday Funday 6/1/14

Hello Reader,
     We have now officially entered the last month of my year of blogging, let's make sure we end it well. It's Sunday and that means it's time for another challenge you can spend your day on but let's change the rules a bit to give you a bit more time to do so while still allowing me to declare a winner, and write a blog post about it, on Monday. If you watched the Forensic Lunch on Friday you heard Lee Whitfield talk about the current Trucrypt conspiracy. Let's test your malware analysis skills in this weeks challenge.

The Prize(s):
A guest post on the blog to raise your visibility
A $250 Amazon Gift Certificate, emailed to you anywhere in the world
A $250 Newegg Gift Certificate, emailed to you anywhere in the world

The Rules:
  1. You must post your answer before Monday 6/2/14 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Download the latest release of Truecrypt here: http://sourceforge.net/projects/truecrypt/files/TrueCrypt/TrueCrypt-7.2.exe/download and perform an analysis of the binaries to determine what besides decrypting files it is doing.

Daily Blog #342 Saturday Reading 5/31/14

Hello Reader,
       It's Saturday! Another week of forensics has passed us by and its time reflect on facts hard fought and mysteries left to solve. It's time for more links to make you think in this weeks Saturday Reading.

1. We had a fun Forensic Lunch this week with:
You can watch it here: https://www.youtube.com/watch?v=4ZWP9ZZ71bk

2. Over on the Apple Examiner blog here is a new writeup on making a portable OSX triage workstation, if you are a OSX user its a good read http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/PFW/PFW.html

3. The volatility blog has been updated with a large set of information, including updates on their book and the announcement of their yearly plugin contest. Get involved and win a prize! http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html

4. On the Digital Forensic Tips blog there is a writeup on how to deal with Trucrypt in your investigations, its a good summary and worth a read http://digitalforensicstips.com/2014/05/some-basic-options-when-dealing-with-truecrypt-aka-finally-a-forensics-post/

5. On the hexacorn blog Adam has a write up about a new malware variant that is targeting Windows Sidebar gadgets, http://www.hexacorn.com/blog/2014/05/24/upatres-gadgetry/

6. Brian Moran has a new blog up in his series on artifacts of Bluetooth data exfil, read part 4 here http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_29.html

7. The papers presented at DFWRS EU 2014 are up and I'm looking forward to reading new research, http://dfrws.org/2014eu/program.shtml, you might seem some blog posts pop up on the most interesting to me

8. Glen Edwards, Jr and Ian Ahl of fireye put up their slides from Bsides NOLA called 'Mo' Memory No Problems' https://speakerdeck.com/hiddenillusion/mo-memory-no-problem

9. The Open Security Research blog has been updated with a how to guide to remote memory acquisition in Linux, very cool http://blog.opensecurityresearch.com/2014/05/acquiring-linux-memory-from-server-far.html

10. J Michel has posted a step by step walk through of a journey into chip off, something I'm very interested in http://blog.j-michel.org/post/86992432269/from-nand-chip-to-files

Daily Blog #341: Forensic Lunch 5/30/14

Hello Reader,
            We had a great forensic lunch today with some good conversation and great viewer participation. Our guests this week were:

Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware.
Lee Whitefield, @lee_whitfield, talking about the current Trucrypt conspiracy theories and what may have happened

For those listening here are our conference recommendations:
Large conference: CEIC
Mid size but vendor sponsored: PFIC
Mid size but independent : HTCIA
Small and very technical: SANS DFIR Summit and OSDFCon

You can watch the show below:

Daily Blog #340: The leap from beta to final, Triforce updates

Hello Reader,
          If you are still running a Triforce beta, I would highly suggest you move over to the production version. We've fixed a lot of bugs and added lots of features. It's your choice free or paid, of course think the paid version is well worth the money! Curious as to what all is waiting for you? Here is an update:

You can grab a copy of the free or paid version at https://www.gettriforce.com

Report Filtering (Please read user manual for more information)

Exporting and importing filters

Unexpected crashes using filtering options
Added filtering logic

Additional Unicode Support

Filter with Unicode Strings

Export to Unicode File Name


Signature Corrections
User can create a file list to search the MFT (Paid Version Only)


Various GUI bugs
Report Record Count in Report View

Also to those users who've moved over the paid version we have our first signature update going out to you tonight!

Daily Blog #339: A short product recommendation

Hello Reader,
     If you are like me then searching, de-duplicating and producing email for review is one of the banes of your existence. You would think that such fundamental task would have been solved in the mainline tools we use but all of their limitations turn the process of producing email into a bit of a nightmare. I've used a series of tools in the past to accomplish this with varied success:
Transend Forensic Migrator (which is good for all sorts of things)
FTK (which in recent versions has become less reliable in exporting and processing email, much less deduplicating)
Paraben Email Examiner

None of which made the process as easy or simple as Sherpa Soft's Discovery Attender did for me today. Now I've heard from many friends over the years that I should get a copy of this software as many people where doing in house basic ediscovery with it, but I didn't try it out. I finally broke down and got a copy and let me tell you, its what it claims to be.

I was able to search 34 archives of email, it supports ost and psts, search emails and attachments, deduplicate and produce to PST all within a couple hours. I'll wait to see what pitfalls lie in wait for me but for now, very happy with this product and can recommend it as a solution for others trying to solve this problem.

Grab a copy here, http://www.sherpasoftware.com/microsoft-exchange-products/discovery-attender.shtml , for those that are wondering I didn't get as much as a discount for this post. I paid full price and tested it prior to even thinking about writing. Right now I'm downloading a fresh Windows 7 vm and Kali Linux so I can write up the credential stealing series.

Daily Blog #338: Triforce ANJP Free Edition

Hello Reader,
    I think its important to keep promises whenever you can. If you remember when we first started talking about the Triforce products we stated we always wanted to keep a free version available. Today we announce that free version to all of you. While in a perfect world you would get a license of our awesome commercial product, we don't want to withhold good evidence from anyone. The free version of Triforce ANJP will fully parse out the $MFT, $Logfile and USNJrnl to text and sqlite databases just like the commercial version. The only difference comes in its ability to use signatures, both provided by us and ones you create yourself, and advanced reporting.

You can download your own free for life copy here: https://www.gettriforce.com/product/anjp-free/

We are here to support you in your investigations and make sure you always have the best evidence we can help you get. You will see that the license states not for commercial use, which we think is fair for those of you using our tools to generate a profit from your services.

Moving forward we will strive to make the core of the parser the same as the commercial version so the free version will stay up to date and hopefully bug free.

Daily Blog #337: Sunday Funday Winner 5/25/14

A solemn memorial day reader,
     I guess you are all enjoying the three day weekend as I received no entries to this weeks contest. So I will donate this license to the first armed forces veteran who emails me with proof of service, your choice which proof, today. Email it to dcowen@g-cpartners.com.

After I finish the current series I'm working on, what credentials can attackers steal via what remote access methods, I will write a series on the USN and $logfile artifacts.

Daily Blog #336: Sunday Funday 5/25/14

Hello Reader,
      It's Sunday and time for another forensic challenge to see what you know and to share what you know with the community. With the official launch of our first product, Triforce ANJP, it's time to see how well you understand the research and artifacts we've been discussing for the last two years!

The Prize:
A license of Triforce ANJP, a $599 value

The Rules:
  1. You must post your answer before Monday 5/26/14 10AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
List all of the facts and a description of them you can determine from the $logfile and $USNJrnl that you cannot from any other artifact. 

Daily Blog #335: Saturday Reading 5/24/14

Hello Reader,
       It's Saturday and after a long two weeks in Las Vegas it was back to the lab with expert reports and declarations waiting for me to write. If you are like me and recovering your work load its time to keep up with the latest research to see how you can keep ahead of whats coming next. Time for more links to make you think in this weeks Saturday Reading.

0. We launched the Triforce ANJP! Go check it out and buy a copy at http://www.gettriforce.com

1. The Forensic Lunch this week was live from CEIC, with a total of three shows! You can watch them here:

Day 1: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-331-forensic-lunch-live-from.html
Day 2: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-332-forensic-lunch-live-from.html

2. Brian Moran has been very, very busy this week. Not only sending in a guest post to my blog but posting 4 blog posts of his own.

The first is a write up all about advanced analysis of the ZeroAccess rootkit and updates to his Windows response toolkit, http://brimorlabs.blogspot.com/2014/05/zeroaccess-windows-command-line-code.html

The next post is a three part series about data exfiltration using BlueTooth and the analysis to detect it
Part 1: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say.html
Part 2: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_22.html
Part 3: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_23.html

3. Sharon Nelson has a new blog post up covering a case involving a network engineer who decided to take down his old employer on the way out, http://ridethelightning.senseient.com/2014/05/network-engineer-sentenced-to-four-years-for-destroying-company-data.html. Read this to keep your office space dreams at bay.

4. Harlan has a new post up all about self publishing your next book. If you are considering writing a book please read Harlan's blog and carefully and understand the level of effort involved. Once you've done so carefully consider your next steps and what route to market you want to take:

5. Adam from Hexacorn is back with part 12 of the beyond the run key series, this week with a focus on Rover autostart mechanism http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

6. Ryan over at Obsidian Forensics has a new blog up talking about the process of porting his previously perl tool Hindsight to python http://www.obsidianforensics.com/blog/python-version-of-hindsight-released/

7. Version 5 of REMnux has been released, a handy reverse engineering distribution gets better http://blog.zeltser.com/post/86508269224/remnux-v5-release-for-malware-analysts

8. A new release candidate for Plaso is out, Kristinn and team are asking that everyone test and report any bugs they find get a copy here: https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.1.0/RC1

Daily Blog #334: More on Encrypted iPhone backups

Hello Reader,
       Today we have a guest post from Brian Moran. Brian saw our Sunday Funday challenge based on Hal's recent testing for the SANS OSX Forensics class and generously followed up with some knowledge of his own! Check this out, very cool stuff.

I am sure you guys already know this, but there is something I wanted to add to your Sunday Funday challenge about encrypted iOS backups and the absolute joy that I personally find every time that I come across a system with encypted backups :) 

When iOS encrypts the data in the keychain, which stores passwords for the system and applications, it uses a unique key to that iOS device (if memory serves, the length of that key is 64bits, and the password is AES256 encrypted using that key. I might be wrong on the key length and encryption mechanism, but I believe that is correct). 

iPhone Keychain Backups
In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.

However, when a user choose to encrypt their backups, the data in the keychain in the iOS backup is no longer encrypted with that key, it is instead encrypted with the user's iOS backup password. So, by utilizing a tool like elcomsoft's Phone Password Breaker (shoutout to Vladimir Katalov) you can load the encrypted iOS backups into the EPPB tool and attempt to break the password for the backups. Once you (hopefully) recover this password, on top of getting ALL the data from the backups, you now also have passwords saved in the keychain for things like email, wifi connections, applications passwords, etc.

I believe the intent of this was to allow a more seamless integration into restoring your iOS device from an encrypted backup (I honestly have no idea why you would take a potentially strong(er) password (device specific) and change it to a potentially weak(er) (user supplied) password, but hey, that is what makes Apple devices so fun to forensicate!) So just be sure that if you choose to encrypt your iOS backups that you use really strong passwords, otherwise, the potential is there to get even MORE data from an encrypted iOS backup than a non-encrypted iOS backup :)

Daily Blog #333: Announcing the official launch of Triforce ANJP!

Hello Reader,
       Thanks to everyone who came out to our launch party at CEIC last night, I had a great time meeting all of you and I hope you had a great time as well. I am very happy to announce that the beta for Triforce ANJP (Advanced NTFS Journal Parser) is over and we are officially making it available for sale.

Go to the Triforce website here: https://www.gettriforce.com

With the arrival of the official commercial version I'm happy to say we've also released:
  • An official Users Manual 
  • Youtube videos explaining the main functions and features of the tool
  • Youtube videos explaining how to use the tool
  • Official support via email and phone
  • All located here https://www.gettriforce.com/support/
 We offered a discount code for $100 off the list price of $599 at the conference but I thought I shouldn't limit that offer to just those who could make it to CEIC. So I thought other than our beta users (who received an ever better discount code) you our regular blog readers also deserved a discount. So for the next 7 days you can use discount code TFBLOG499 and get the Triforce for just $499! To our beta users please know that we will have to turn off the beta discount at some point and I'll be emailing you when we determine what that time frame is.

That $499 gets you a perpetual license that you can activate on two systems of your choice and a year of free signature updates. After the 1st year we will charge $199 a year for signature updates and new versions. We have a lot of features planned to be added over the year as we turn the Triforce into what we imagine it can be and when they do get added the price will likely go up. New features coming in the next few months:

  • New signatures monthly
  • Forensic image access, no more exporting artifacts
  • Better reporting
  • More database support, extending beyond sqlite to mysql, postgres and more
  • Full MFT rule support
  • Auto license activation
So if you've enjoyed this year of blogging, the forensic lunch, our projects (like the multi boot thumbdrive), research and tools please consider supporting us with a purchase of a Triforce license. I think you'll be happy you did when you see what it can do for your investigations!

Daily Blog #332: Forensic Lunch live from CEIC day 2!

Hello Reader,
       We got to do another broadcast live from CEIC and its been really fun to do. Being able to walk around and just grab people and bring them on the air to you has been great and hopefully good for you as well! The goal in all of these live broadcasts is to bring some of the most interesting things going on here to you at home.

Today we had:

Daily Blog #331: Forensic Lunch Live From CEIC Day 1!

Hello Reader,
       I'm have a lot of fun at CEIC and today we got to do two broadcasts from the conference.

Mid day broadcast:
We had in order of appearance:

  • Suzanne Widup, @suzannewidup, talking about her talk at CEIC on the DBIR and her new book 
  • Ken Mizota, @kenm_encase, the product manager for Encase investigation products talking about whats new v7 and the upcoming v8 
  • David Dym, @dave873, talking about his talk on SQLite forensics

End of day wrap up:
We had in order of appearance:

  • Jake Williams, @malwarejake talking  about the conference, his classes and his talks at CEIC
  • Jad Saliba, @jadatmagnet, talking about whats new in IEF, upcoming training classes and certifications!
  • Sarah Edwards, @iamevltwin, talking about her talks at CEIC and her research into OSX

Daily Blog #330: Sunday Funday 5/18/14 Winner!

Hello Reader,
   Another Sunday Funday come and gone and I am now only 35 blog posts away from my year! This week I am happy to reveal our winning answer as I believe the answer really presents the itself in a well organized fashion that will help many people get a handle on the killchain as it is.

The Challenge:
Explain the 'Kill Chain' we specific DFIR examples of artifacts you would look for and remediation steps for each part of the process.

The Winning Answer:

The cyber kill chain was first coined by Lockheed Martin’s Eric Hutchins, Michael Cloppert, and Rohan Amin in 2011. Their paper, “Intelligence-Drive Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” has a wonderfully long title, and is an informative look into cyber threats. More information on this paper can be found in the ‘Further Information’ section, located at the bottom of this submission.
When examining where digital forensics and the cyber kill chain intersect, it’s important to understand each step of the kill chain and the forensic artifacts that may be applicable. Let’s take a walk through the kill chain, some relevant DFIR artifacts, and potential remediation/prevention steps:
1)    Reconnaissance
a.    Step Overview
The first step of the cyber kill chain highlights the research that an adversary may perform either to identify a potential target, or on a specific, pre-selected target. In either matter, reconnaissance may involve profiling an organization’s web presence, searching for employees and pertinent details, and/or gaining insight into other technologies an organization may use.
b.    DFIR Artifacts
·         Network logs would be artifacts of interest here, including firewall and web logs. Other outward-facing (aka DMZ) device logs would be useful as well. Data analytics can assist analysts in identifying suspicious traffic, such as scanning activity or connections from questionable locations. Correlations over time can help determine what is the “hum of the Internet” vs what may be repeated attempts to profile a network.
·         The identification of reconnaissance is also going to depend on the attacker’s objectives or capabilities. If employees are too open about their personal details on LinkedIn/Facebook/Twitter/FourSquare, an adversary may be able to profile an entire C-Suite without ever pinging an organization’s IP block.
c.    Remediation/Prevention Steps
·         Firewall ACLs can be utilized to block traffic from unwanted locations, or reaching sensitive areas.
·         To address reconnaissance using social networking sites, employee training can go a long way to help preventing too much information being released.
2)    Weaponize
a.    Step Overview
The second step of the cyber kill chain is an action of the attacker to take a payload, such as a Trojan or backdoor, and craft it into “weapon form”. By weapon form, the attacker needs a method with which to deliver the payload. These methods may include malicious document files, such as PDFs or MS Office documents, or malicious web sites set to execute code upon page loads.
b.    DFIR Artifacts
·   Artifacts of interest from step 2 would be the weaponized payloads that may be left on a compromised host. Artifacts of this type may include malicious PDFs, Office documents, compressed files, or actual executables delivered via step 3’s mechanism. Granted, Step 3 will be required to get these artifacts on the machine, but once on there, may provide a wealth of information. These artifacts will be utilized in subsequent steps as well.
c.    Remediation/Prevention Steps
·   As step 2 covers the weaponizing of a payload, remediation would be best efforts to prevent the execution of said weapon. This is more in line with step 4.
·   In an effort to catch weaponized malware, NIDS or NIPS tools may be used.

3)    Deliver
a.    Step Overview: While step 2 focused on the weaponization of a payload, step 3 is the actual delivery of said weapon. Methods of delivery may include an email with an attachment from step 2, a maliciously crafted website, or a strategically placed USB drive.
b.    DFIR Artifacts
·         The artifacts an analyst might be interested in from Step 3 will be dependent on the method of delivery. For a spear phishing email, analysts will want to analyze the email messages, including headers, attachments, source, etc. For malicious websites, collecting internet history artifacts, including cached HTML files, scripts, cookies, etc. will be important. If the delivery mechanism is something physical, such as a USB drive with AutoRun malware, then forensically preserving the drive becomes an artifact itself.
c.    Remediation/Prevention Steps
·         Employee training is a valuable step in preventing delivery of malware. While this is a pipe dream for some organizations, educating employees to be cautious of emails containing suspicious attachments or originating from unknown sources. Users should also be cautious when browsing the web, although sometimes even mainstream sites can be hit with vulnerabilities
·         Depending on the delivery vector, there are a multitude of technologies that can help. Endpoint USB protection can help prevent executables from running, and/or disabling Windows features such as AutoRun.
·         Email traffic monitoring, either via inline malware detection or endpoint detection, may help to find malicious files within emails. Also, these tools may be used to
·         Utilizing web proxies may help prevent users from visiting malicious sites. Proxies that ingest data sources like trusted sites and blacklisted IPs are a step closer to prevention.
4)    Exploit
a.    Step Overview: Steps 2 and 3 weaponized and delivered malicious code: Step 4 is the exploitation that allows the malicious code to run. If the delivery mechanism was a PDF, the exploitation may be a vulnerability that allows for JavaScript files to be run and subsequently download a Trojan.
b.    DFIR Artifacts
·         Artifacts of forensic interest for step 4 are going to be similar to step 2 and 3, and will involve the actual weaponized payload itself. Whether it’s a Java, Windows, Internet Explorer, Office, or Adobe exploit (to name some amongst many, many others), performing analysis on the malware may help determine information about the specific exploit(s) used.
·         Step 4 is also where an analyst may want to begin looking at system artifacts. While step 4 does not yet cover a full installation of the malware, system artifacts may yield information such as time of infection or steps that the user took to get infected (unknowingly, we hope). A timeline using a wide range of Windows artifacts (MFT, registry, internet histories, etc.) would be able to identify the time when the email arrived or USB drive was plugged in, and actions that occurred within the seconds (or milliseconds) afterwards.
·         Specific browser artifacts, including pages visited and/or downloads, may also yield information about the exploit.
·         The Windows registry hives (system, sam, software, security, ntuser, and usrclass files) may also provide unique information, such as data on removable drives, recent executables/files.
·         Link (lnk) and prefetch files may provide more information about executables around the time of exploit.
·         A forensic analyst may also, at this point, find themselves accessing logs on various servers – again, dependent on the method of delivery. Web-based exploits would have valuable information in web logs, proxy logs, and/or firewall logs. If the delivery method was email, the analyst may want to pull email information from the central mail server(s) to trace the source of the delivery.
c.    Remediation/Prevention Steps
·         A myriad of steps can help prevent against weapons successfully exploiting on a target host. Keeping software up to date, for example, is important given the number of vulnerabilities that exist in third-party software tools or document…readers.
·         Utilizing host-based intrusion detection and prevention tools, such as HIDS, HIPS, and/or anti-virus can help to protect against exploitation. These tools will also help remediate Step 5, which is the installation of the malware. Note that keeping these endpoint solutions up to date is also extremely important – anti-virus is only as useful as the signatures it knows!
5)    Install
a.    Step Overview: Step 5 focuses on the installation of the weapon from Step 2 via the exploit in Step 4.
b.    DFIR Artifacts
·         Now that the weaponized payload has been installed on the host, the file(s) discussed in steps 2-4 will now certainly be of importance. The analyst should try to capture any remnants of the malware, including executables and other dropped files. Sandboxing or reversing the malware can help analysts determine other artifacts to look for, as well as begin crafting countermeasures for Step 6.
·         More so than step 4, system- and disk-level artifacts are going to be valuable at this point in time.
o   The MFT can help paint when the malware was installed, and other artifacts that may have been Modified/Accessed/Changed/Born. The USN journal will also yield information about changes made to the volume.
o   Windows Event Logs may provide information about the install, and any Windows events that may have been triggered.
o   The components of the Windows registry are going to provide information about application install, keys created/changed/deleted, and persistence mechanisms. UserAssist, ShimCache, and MRU may also be valuable here, although not all will be affected by every malware.
o   Similar to Step 4, link and prefetch files may yield information about the executable(s) run to support the installation.
o   File (file://) entries in the index.dat will also provide local and remote file access.
·         A memory capture of an infected host may yield more information about the malware. Of course, it’s difficult to trigger a memory capture as soon as malware is installed on a host, however there is valuable data in the memory of an infected host.
c.    Remediation/Prevention Steps
·         By this point in time, the malware has successfully been executed on a host and has successfully “passed through” the intended exploit. HIDS/HIPS may be useful in prevention/detection, allowing the malware to get as far as attempting to install on the disk or make registry changes before it’s blocked.
·         If the malware is known, anti-virus software may succeed in stopping the infection at this point. It’s also possible that the malware went undetected up to this point, but a dropped executable or DLL file triggered a Quarantine.
·         Application whitelisting may also be useful at this level, preventing untrusted executables from running.
6)    Command and Control (C2)
a.    Step Overview: Perhaps the sign that many DFIR analysts are familiar with, Step 6 focuses on the beaconing of a compromised host to a C2 server. Once Steps 1-5 have been executed, the host is now likely compromised, and relays back to its C2 infrastructure for next steps.
b.    DFIR Artifacts
·         Artifacts from Step 5 are still going to be useful in this stage, especially if a host is actively beaconing the source of that beaconing has yet to be identified. Finding what is causing the beaconing should be a top priority.
·         If identified, the source of the beaconing should be captured and analyzed. Malware may have multiple C2 servers embedded and MD5 hash values may allude to other intel.
c.    Remediation/Prevention Steps
·         As with other steps, NIDS/NIPS solutions installed in an environment may be able to alert and detect or prevent against suspicious traffic. Other steps in the kill chain may have been successful thus far, however NIDS/NIPS may prevent C2 communications from reaching outbound.
·         If intel is gathered about C2 domains/IPs, firewall ACLs can be put into place to prevent outbound or inbound communication.
7)    Act on Objectives
a.    Step Overview
The final step of the cyber kill chain identifies that once an attacker has gained a foothold into an organization, their true objectives come to light. If an attacker compromised the laptop of a CFO, and the original target was next quarter’s financials, then this step represents the exfiltration of said data. Another type of objective may have been to infiltrate an entry point, and then move laterally throughout a network.
b.    DFIR Artifacts
·         Step 7 is not a fun place to be in the cyber kill chain, however from a forensic analyst’s point of view, it is sometimes the most fruitful. It may also be the most common. A large majority of artifacts discussed in previous steps can be useful at this step. Of course, understanding the motives of the attackers will denote how useful each one will be.
·         If the attacker was hoping to compromise an initial host and move throughout an environment, lateral movement artifacts will be useful at this step. This may include:
o   Remote Desktop Protocol (RDP) history
o   Windows Event Logs to identify failed/successful logins, logon types (remote, local, etc.), and other events
o   Windows Registry Hives to check for new Windows user accounts, user activity. Shellbags may also highlight lateral movement.
·         If the attacker was seeking to exfiltrate data, then a forensic analyst will want to look for evidence of files being removed from the system, or creation of new compressed files.
o   Newly-created, and oddly named compressed files such as RARs or ZIPs may differ from user behavior and resemble attacker exfiltration.
o   MFT entries may show new compressed files created
o   Prefetch and/or LNK files may show compression tools being utilized
·         An analyst will also want to again consult network logs available to detect outbound information. Network device logs may allude to exfiltration IPs/hosts, or even provide bytes out to determine how much data left the environment.
c.    Remediation/Prevention Steps
·         Again, remediation/prevention is going to depend on the attacker’s objectives. An unprotected system in a poorly-maintained environment is going to leak data without detection. That being said, maintaining proper network intrusion prevention/detection, host-based intrusion prevention/detection, anti-virus, and a responsive DFIR team will be useful.
·         More specifically, to block outbound communications, firewall ACLs can again be utilized to block communication.
·         User access controls and permissions can be useful in preventing damaging lateral movement.
Note that the preceding is, by no means, an exhaustive list. To pretend that infosec is the same as it was five minutes ago is a dream, and analysts should be prepared to be nimble. There is no single “do it all” tool that offers “push button” forensics and information security. But the right tools, when combined in the right environment, and with the right people, can go a long way in helping an organization keep its data where it should be.
Further Information:

Daily Blog #329: Sunday Funday 5/18/14

Hello Reader,
       It's Sunday Funday time again! Time to put your forensic mental muscle to the test in this weeks challenge. If you watched the Forensic Lunch on Friday you heard Lee Reiber describe how their cybersecurity product can address the 'kill chain', let's see how well you understand this well used term.

The Prize:
A $200 Amazon Gift Card

The Rules:
  1. You must post your answer before Monday 5/19/14 10AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Explain the 'Kill Chain' we specific DFIR examples of artifacts you would look for and remediation steps for each part of the process. 

Daily Blog #328: Saturday Reading 5/17/14

Hello Reader,
         It's the weekend between ADUC and CEIC. If you are a conference warrior like me this is your chance to take a breath and catch up the world. Get ready for more links to make you think before another week of good talks and knowledge on this weeks Saturday Reading.

1.  If it's #1 on the list its the Forensic Lunch, this week live from ADUC! This week we had:
  • Lee Reiber, @celldet, talking about what is new at AccessData, the conference, his product MPE+, FTK, insight and all the rest. It was fun getting to talk to him in person where I could ask hi, questions without a filter and we can get some good facts.
  • Matt came on and we talked about new features in our upcoming release of Triforce ANJP! Showing how to find evidence of exploitation of an XP system with metasploit via the netapi exploit.
  • Sheryl Falk, @sheryfalk, Pierre Lidome and I talking about our panel that I posted the slides to yesterday. Most importantly going over the most important things we said but didn't write down in the slides.
I hope you liked it and get ready for next week when we will be broadcasting live from CEIC and bringing the best information there to you at home.  You can watch the video here:

2. Harlan has a new blog up this week with updates and links, http://windowsir.blogspot.com/2014/05/updates.html. Most interesting to me was updates to Regripper!

3. The Forensic 4Cast award voting has been extended another week, read about it here: https://forensic4cast.com/2014/05/awards-update-deadline-change/. If you haven't done so already please vote (I'm up for two awards!) and help those who help you! Vote here: https://forensic4cast.com/forensic-4cast-awards/

4. Corey Harrell has a new blog post up all about what artifacts are left over from an exploit, http://journeyintoir.blogspot.com/2014/05/cve-2013-0074-3896-silverlight-exploit.html. These are always fun to read and can usually lead to you thinking of new sources of artifacts to look for.

5. Brett Shavers has a new blog post up announcing the arrival of training videos on WinFE, http://winfe.wordpress.com/2014/05/10/coming-soon-online-winfe-training-program/. I think WinFE is great and look forward to seeing these.

6. Going to be at CEIC? Make sure to signup for our TriForce party Wednesday night from 6-8pm or our TriForce classes! It's all free so go here and get a ticket: http://www.eventbrite.com/e/triforce-training-sessions-and-launch-party-during-ceic-conference-tickets-11533471925

That's all for this week, see you tomorrow for another Sunday Funday challenge!

Daily Blog #327: Forensic Lunch schedule for next week at CEIC

Hello Reader,
         As I mentioned in yesterdays Forensic Lunch we will be doing the show live at CEIC next week! Not only will be doing it live, we will be doing it multiple days!

Schedule live from the show floor:
Tuesday 5/21/14 2:00pm CST (RSVP and video here) Interview with Ken Mizota, Suzanne Widup and more!
Tuesday 5/20/14 6:00pm CST (RSVP and video here) Daily Wrapup
Wednesday 5/21/14 6:00pm CST (RSVP and video here)Daily Wrapup

We will be bringing on guests from Guidance and the best speakers we can round up from the day. The goal here is to bring those of you who can't make it to CEIC the best information that's being given here!

If you are at CEIC and either want to watch the show live or talk to us about your DFIR world we will be to the left of the entrance to the exhibit hall. Guidance has been very supportive of our efforts and is setting up a table with mics and all so we can all have some forensic fun.

Daily Blog #326: Forensic Lunch 5/15/14

Hello Reader,
            This week we had a special Forensic Lunch on a Thursday instead of a Friday since the conference here at ADUC (AccessData User's Conference) ends tomorrow. I think we had a great show this week, it was live from the conference where I am speaking at. I hope to do more of these in the future to help you virtually extend your travel and training budgets.

This week we had:
Lee Reiber, @celldet, talking about what is new at AccessData, the conference, his product MPE+, FTK, insight and all the rest. It was fun getting to talk to him in person where I could ask hi, questions without a filter and we can get some good facts.

Matt came on and we talked about new features in our upcoming release of Triforce ANJP! Showing how to find evidence of exploitation of an XP system with metasploit via the netapi exploit.

Sheryl Falk, @sheryfalk, Pierre Lidome and I talking about our panel that I posted the slides to yesterday. Most importantly going over the most important things we said but didn't write down in the slides.

I hope you liked it and get ready for next week when we will be broadcasting live from CEIC and bringing the best information there to you at home.

Daily Blog #325: IP Theft Panel at ADUC 2014

Hello Reader,
            We had a fun panel today on IP Theft at ADUC, AccessData Users Conference. Thanks to those of you who came out. Here are the slides from today's talk:


It was fun to meet those of you who identified yourselves as blog readers/forensic lunch watchers! If you ever see me please do come up and say hi! It's nice to know there are real people attached to the visitor counts I watch to see who is reading this. It's very motivating to meet all of you and hear your experiences and perspectives as we all work to get better at DFIR work.

Today's panel covered IP Theft from three perspectives:
In house forensics - Pierre Lidome, Schlumberger
Outside Counsel - Sheryl Falk, Winston & Strawn
Outside Expert - Me!

I hope you get some good information from this presentation, I really felt like we talked about some issues that don't get discussed a lot outside of teams of people like us who have learned how to work together well.

Daily Blog #324: Voltatility GUI by Andrew Nind

Hello Reader,
            One of my favorite things about this year of blogging is how many of you I've now been in contact with. I find DFIR work to be fascinating and I love to meet those who share my passion and start their own projects. One such person doing so is Andrew Nind who is developing a GUI in C# for Volatility as a way to teach himself C#.

You can download the project here:

Give the Volatility GUI Plugin Manager a try and give some feedback to Andrew, its what those of us who put out projects are always looking for. I for one look forward to using this in my work as I think it will help those like me who use Volatility but not on a daily basis. I usually have to go back to the help screen and look up plugin names and options each time I run it so this will help speed my work up when memory forensics is required.