
Super Sunday Funday Forensic Challenge - Update 4

Current Contest

Eight people have made it to Level 4 out of the more than 100 who are playing, and only one has passed it and moved on to Level 5. Level 5 remains unsolved! The contest ends tomorrow, 9/16/14, so don't give up!

If you have questions, I am planning to be in #dfir on irc.freenode.net on 9/11, 9/12, 9/15 and 9/16. Get an IRC client and come ask them. I may be on during the evenings and weekends, but no guarantee. Other players are in the channel, though, and you are welcome to talk amongst yourselves.

For those of you not playing, or looking for a break, here is some more good information.

Learn Windows Forensics from me!

I'll be co-teaching SANS FOR408 with Rob Lee in Ft. Lauderdale, FL at DFIRCon East, Nov 3rd-8th 2014. If you want to spend a week learning everything you can about Windows forensics, with nights spent going deeper into the artifacts and structures if you want, I can't wait to meet you. As a bonus, SANS has put out a $400 coupon for the event; go here to claim it.

Solutions to the past contest

Something I have not posted, though I've been promising it, is the set of answers to the last five-stage challenge. Let's continue that now.

Stage 4 Question:
Hello Forensicator,
     Welcome to Stage 4, where the typing gloves come off and we get to see who has it in them to get to Stage 5.
The Challenge:
You’ve worked with law enforcement to track down the source of the IP address you found in the memory dump connecting to the Internet. They traced it to a ZTE Avail running Android 4.2. This was a prepaid phone left in a coffee shop; it was triangulated and found still powered on, hidden behind a trash can. Local police believe that the attacker must have used the wireless access point (hotspot) functionality of the phone to route to the Internet. They have surveillance video but need to know the make of the laptop used and the time in order to identify the suspect.
1.       How can you determine if the phone was on during the time of the attack?
2.       How can you determine the Google account associated with the phone?
3.       How can you determine which MAC and IP address were associated with the wireless AP feature?
4.       How can you determine which type of computer connected to the wireless AP?
The Winning Answer:

1.       How can you determine if the phone was on during the time of the attack?
This depends on the time that has elapsed between the attack and the time we tracked down the phone. If the phone had been on continuously since the time of the attack, you could run the “uptime” command through ADB debugging or check the kernel log (dmesg.log) to see if the events in it still covered the time of the attack.

If the phone had been turned off since the attack, it is best to fall back on filesystem timelining. I could create a timeline of activity in X-Ways from all the SQL databases and various logs, checking for activity, connections, wireless activity, and the log for WiFi connections that we address later in this Stage, to determine from their internal timestamps whether there was activity and what was happening.
I would start by checking for messages and calls being sent and received during that time frame, and then move on to checking the web browsing activity on the phone during the time of the attack. Between file system timestamps, internal timestamps in databases for user activity, and parsing through various logs with Unix timestamps, this should be able to be established solidly.

Before relying on your timeline you will want to check the time settings of the phone at “data/property”.  

2.       How can you determine the Google account associated with the phone?
“data/system/sync/accounts.xml” should contain the Google account that is associated with the phone. There are other places where this information can be found, though. At “data/system/users/accounts.db” there is a file that contains all accounts that require authentication. The Gmail address should be there as well if the user makes use of it for other activities.
At path “data/com.google.android.gm/shared_prefs/gmail.xml” there should be a file with the Gmail account name.

3.       How can you determine which MAC and IP address were associated with the wireless AP feature?
Various config files at paths just under “data/misc” contain files relating to Bluetooth, WiFi and other access that will have the MAC addresses of devices that connected to it. In particular, at path “data/misc/dhcp” there would be information for what IP address the phone had from the wireless access point it was connected to. Since the computer is tethered to the phone for the connection, the phone will be the router for it and the most public IP address for the computer. The wireless access point the phone was connected to would need to be checked for the public IP address out to the Internet.

The computer will have been given a DHCP lease for a local 192.168.x.x IP address on the phone that would be stored at “data/data/com.googlecode.android.wifi.tether/var/dnsmasq.leases”. The “dnsmasq.leases” file may be stored at a different path if the user had some other type of tethering application. On the phone I examined, it had the file at the specified path. That file will contain the IP address given to the computer by the phone, the MAC of the computer, and a Unix timestamp for the lease (another indicator of whether it was on at the time of the attack!).
4.       How can you determine which type of computer connected to the wireless AP?
If this question is simply asking to be able to tell if the computer is an Apple or a PC, you can check the MAC address from "dnsmasq.leases" against a database such as “http://www.wireshark.org/tools/oui-lookup.html” to determine the vendor for the NIC. Apple produces their own NIC cards and will be the manufacturer. Marvell or something else will be the vendor for PCs.

If this question wants to know the EXACT type of computer, this is a little sticky and I honestly need a test Android to tether a computer to for testing. I did notice that at “misc/wifi/wpa_supplicant.conf” there are multiple device names for connections on an Android dump I got access to for answering this question. It contained the make and model number of other devices, but without a phone to test on I cannot be certain if it is a phone that was connected to or from as a hotspot. Since I didn't see any information for WAPs like home routers, I really feel this is a file that shows information for devices that have connected to my phone as a hotspot, though.

The only answer I needed:

I really needed to see that the answer showed an understanding of how the WiFi hotspot assigned IP addresses, where they would be stored and how they could be correlated. Beyond that, I wanted to see an understanding of how Android writes its logs, outside of the normal Android backup data, and the idea of MAC-to-vendor lookups.
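To make the correlation the winning answer describes concrete (the dnsmasq.leases record, the lease timestamp as an "was it on" indicator, and the MAC-to-vendor lookup), here is an added example that is not part of the original post or the contest submission. It parses a constructed dnsmasq.leases sample in the field order dnsmasq writes (expiry epoch, MAC, IP, hostname, client-id), works out which clients held a lease that overlapped an attack window, and tags each with its NIC vendor from a small constructed OUI table. Assumptions are marked in the code: the one-hour lease time (dnsmasq's default; the tethering app's arguments on the actual handset should be checked), the plausibility threshold used to reject relative lease lengths written by a broken-RTC build of dnsmasq, and the three OUI prefixes in the table, which should be confirmed against the IEEE registry or the Wireshark lookup before being relied on.

```python
"""Correlate an Android hotspot's dnsmasq.leases with an attack window and an OUI table.

Added example, not part of the original blog post or the winning answer. All sample
data below is constructed for demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: the tethering dnsmasq used dnsmasq's default one-hour lease time, so a
# lease was granted no earlier than (expiry - 3600). Confirm this against the
# tethering app's dnsmasq command line on the handset being examined.
DEFAULT_LEASE_SECONDS = 3600

# A dnsmasq built with HAVE_BROKEN_RTC writes the remaining lease length instead of
# an expiry epoch. Assumed threshold (about 1 Jan 2001): nothing below it is a
# plausible absolute expiry time for a handset seized in 2014.
MIN_PLAUSIBLE_EPOCH = 978_307_200

# Constructed, abbreviated OUI table (first three octets -> vendor). Verify every
# prefix against the IEEE registry or the Wireshark OUI lookup before relying on it.
OUI_VENDORS = {
    "00:03:93": "Apple, Inc.",
    "a4:5e:60": "Apple, Inc.",
    "00:50:43": "Marvell Semiconductor, Inc.",
}

# Constructed sample of data/data/com.googlecode.android.wifi.tether/var/dnsmasq.leases.
# dnsmasq field order: <expiry epoch> <MAC> <IP> <hostname> <client-id>.
# The last line imitates a truncated fragment such as a carved copy might contain.
SAMPLE_LEASES = """\
1410440400 a4:5e:60:11:22:33 192.168.43.12 Johns-MacBook-Pro 01:a4:5e:60:11:22:33
1410444000 00:50:43:aa:bb:cc 192.168.43.37 DESKTOP-PC 01:00:50:43:aa:bb:cc
1410447600 00:03:93
"""


@dataclass(frozen=True)
class Lease:
    expires: int       # Unix epoch (UTC) at which the lease expires
    mac: str           # normalized lower-case colon form
    ip: str
    hostname: str
    client_id: str

    @property
    def granted(self) -> int:
        """Earliest time the lease could have been issued under DEFAULT_LEASE_SECONDS."""
        return self.expires - DEFAULT_LEASE_SECONDS

    def active_during(self, start: int, end: int) -> bool:
        """True if [granted, expires] overlaps the window [start, end]."""
        return self.granted <= end and self.expires >= start


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return colon form."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vendor_for(mac: str) -> str:
    """OUI (first 24 bits) lookup; 'unknown' when the prefix is not in the table."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown")


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq.leases, skipping incomplete lines and relative (non-epoch) times."""
    leases: list[Lease] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # truncated/carved fragment or not a lease record
        expires = int(fields[0])
        if expires < MIN_PLAUSIBLE_EPOCH:
            continue  # relative lease length from a broken-RTC build, not an expiry
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue
        client_id = fields[4] if len(fields) > 4 else ""
        leases.append(Lease(expires, mac, fields[2], fields[3], client_id))
    return leases


def iso_utc(epoch: int) -> str:
    """Lease epochs are UTC whatever the handset's timezone setting says."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def clients_during(text: str, start: int, end: int) -> list[dict]:
    """Leases overlapping the attack window [start, end] (UTC epochs), tagged with vendor."""
    return [
        {
            "mac": lease.mac,
            "ip": lease.ip,
            "hostname": lease.hostname,
            "vendor": vendor_for(lease.mac),
            "granted_after": iso_utc(lease.granted),
            "expires": iso_utc(lease.expires),
        }
        for lease in parse_leases(text)
        if lease.active_during(start, end)
    ]


if __name__ == "__main__":
    # Constructed attack window: 2014-09-11 12:30 to 12:45 UTC. Convert the surveillance
    # footage's local times to UTC before comparing; do not shift the lease epochs.
    for hit in clients_during(SAMPLE_LEASES, 1410438600, 1410439500):
        print(hit)
```

Only the first lease (expiring 13:00 UTC, so issued no earlier than 12:00 under the one-hour assumption) overlaps the 12:30 to 12:45 window, and its OUI resolves to Apple; the second lease was not issued until around 13:00 and drops out. If the handset's clock was wrong, as the answer's "data/property" check is meant to catch, every epoch in the file is off by the same amount, so correct the window rather than the records.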
