Saturday, December 15, 2018

Daily Blog #568: Solution Saturday 12/15/18

Hello Reader,
This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull off a win by one project. Congratulations to Phill Moore (and his baby) for this week's win!



The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

The Winning Answer:

dfVFS, or Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system
objects, for which it uses several back-ends that provide the actual
implementation of the various storage media types, volume systems and file
systems.


Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso documentation
A DFVFS backed viewer project with a WxPython GUI for viewing file systems and file system metadata. Forensic Lunch about it

Allows you to extract a file from forensic images, virtual disks, raw images and live disks, including from volume shadows. Blog posts:
An open source tool set built on dfVFS. Blog post about it

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types including office, registry, PST, image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.
Blog post about it

A tool for when you have a bunch of documents to figure out. Gransk is an open source tool that aims to be a Swiss army knife of document processing and analysis. Its primary objective is to quickly provide users with insight to their documents during investigations. It includes a processing engine written in Python and a web interface. Under the hood it uses Apache Tika for content extraction, Elasticsearch for data indexing, and dfVFS to unpack disk images.

A Python implementation of VMPOP (Virtual Machine POPulation) framework. dfVFS is used to enable for Data Extraction features

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

This program automatically finds provenance related to a file on an image
I’m not exactly sure what that means.

Technically doesn’t use DFVFS, but a long time ago Dave put out a Sunday Funday challenge to automate the installation so I wrote this script. It may not work any more, it worked at the time.

Friday, December 14, 2018

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader,
         It's the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you'll enjoy it!

You can read Eric's Blog here:http://www.afodblog.com/
You can follow Eric on twitter here: https://twitter.com/ericjhuber
You can learn more about the NW3C here: https://www.nw3c.org/

Watch the video below:

Thursday, December 13, 2018

Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18

Hello Reader,
         This was another test kitchen where we mainly got some Python code to work, and in the end were able to print all of the file names out of the file name attributes for every file referenced in the Syscache hive Object key. This isn't done though, as next week I need to add the sequence numbers to the checks to make sure I'm looking at the right file.

So next week we will be able to start making some observations about what exactly Syscache is actually tracking.

You can watch me use Eric Zimmerman's new Syscache plugin and write python code to parse the filename attribute here:

Wednesday, December 12, 2018

Daily Blog #565: Seeing Double (access dates)

Hello Reader,
         Got some medicine today so hopefully I'll be able to stop coughing tomorrow. In the meantime I'd like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here:

https://twitter.com/errno_fail/status/1073012513187479553


Maxim found that Windows is keeping two last access dates, one on the disk and one in memory, for a single file if Last Access dates are enabled. In the Python script below you can see he can actually read the contents of both versions of the timestamp:


#!/usr/bin/env python3

import os
from time import sleep

FILE_PATH = 'ts.txt'

def get_atime_1():
    # Last access time as reported by stat() on the file itself
    result = os.stat(FILE_PATH, follow_symlinks=False)
    return result.st_atime

def get_atime_2():
    # Last access time as reported while enumerating the parent directory
    for entry in os.scandir('.'):
        if entry.name.lower() == FILE_PATH.lower():
            return entry.stat().st_atime
    return None  # file not present in the directory listing

#print('Starting up...')
#sleep(15)
print(get_atime_1(), get_atime_2())

https://gist.github.com/msuhanov/74fd3c795883e0491277e6e27f2434e3

That to me is fascinating, it looks like one entry is coming from the stat of the file itself while the other is coming from the directory index. This is going to become more testing material in the near future. 

Tuesday, December 11, 2018

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader,
      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor.

You can check it out here:
https://github.com/Silv3rHorn/ArtifactExtractor

What Silv3rHorn has done is create a dfVFS script that will extract, from any supported image source (which is a lot), all of the artifacts specified in the logical volume and the shadow copies.

Check it out and let me know what you think! I'll be using it in future test kitchens to give it a go.

Monday, December 10, 2018

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader,
         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found:

  • Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve
  • Programs executed from a temp directory made on the Desktop were being recorded in the Syscache.hve
  • There are some Sysinternals programs that are not being captured at all, these may not need any shimming

You can watch the video here:

Sunday, December 9, 2018

Daily Blog #562: Sunday Funday 12/9/18

Hello Reader,
        We've had a lot of different kinds of challenges to attract different people within the community to participate. This week I'm changing the challenge up again to open up who can participate this week in a test of your google and basic code reading skills.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

Saturday, December 8, 2018

Daily Blog #561: Solution Saturday 12/8/18

Hello Reader,
       Another challenge where a new victor has emerged! One of the great things about these weekly challenges is that they give people within the larger community a chance to show what they've got. This week Zach Stanford has made his mark with his winning submission.

The Challenge:


Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called

The Winning Answer:
https://medium.com/@z89127866x/battle-of-the-shims-60fdae38264e

Come back tomorrow for the next week's challenge!

Daily Blog #560: Forensic Lunch 12/7/18

Hello Reader,
        This week we had a Forensic Lunch with Eric Zimmerman! We talked about

You can watch the video here:

Thursday, December 6, 2018

Daily Blog #559: Forensic Lunch Test Kitchen 12/6/18

Hello Reader,
  Tonight we tested the new NTFSDisableLastAccessUpdate registry key in Windows 10 1803. Here's what we learned:

  • We learned that reading double negatives can be hard; it turns out my system did have last access dates on (value of 2), as Maxim Suhanov stated, since my system drive was <= 128gb in size
  • We learned that drives larger than 128gb in size (my host system) have last access dates off (value of 3)
  • We learned that changing the value from 2 to 3 will be reversed on reboot as system managed really does mean system managed. 
  • We learned that changing the value from 2 to 1 will remain 1 on reboot meaning user managed will not be overruled by the system on reboot.
  • We learned that we will have to double check every system now because as of Windows 10 1803 we may have updated last access dates again!
You can watch the video here:

Wednesday, December 5, 2018

Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18

Hello Reader,
     Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and Recentcache.bcf files, you can read his write up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

From our testing tonight here is what we learned:

  • The syscache hive has three indexes
    • The ObjectID key (no relation to $objid) which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
    • The FileID key which is indexed off of the sequence and entry number of the file being executed
    • The Objectlru which appears to connect the two
  • The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
  • The ObjectID keys contain the MFT reference number of the executable being checked
  • The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
  • The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so 
  • The syscache hive is a Windows 7 feature (haven't tested windows vista) and does not exist in the same location at least in Windows 10
  • The key write time appears to be the time of first check for the current hash, we will change the hash of a known executable to test this behavior tomorrow night
You can watch the video here:
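An added example (written here, not code from the test kitchen) for the sequence-number check the 12/13 post says still needs adding: it splits the 64-bit MFT reference stored in an ObjectID key into entry and sequence number and looks the file name up in a constructed MFT table, flagging references whose record has been reused since the reference was written. The Syscache value layout is not on the page and is not modelled; only the reference numbers are.

```python
from typing import Dict, Iterable, NamedTuple, Optional

ENTRY_MASK = (1 << 48) - 1  # low 48 bits of an NTFS file reference


class MftReference(NamedTuple):
    entry: int     # MFT record number
    sequence: int  # reuse counter of that record


def split_mft_reference(ref: int) -> MftReference:
    """Split a 64-bit NTFS file reference into entry and sequence number."""
    if not 0 <= ref < (1 << 64):
        raise ValueError(f"not a 64-bit file reference: {ref:#x}")
    return MftReference(ref & ENTRY_MASK, ref >> 48)


def join_mft_reference(entry: int, sequence: int) -> int:
    """Inverse of split_mft_reference."""
    if not 0 <= entry <= ENTRY_MASK or not 0 <= sequence <= 0xFFFF:
        raise ValueError("entry or sequence number out of range")
    return (sequence << 48) | entry


class MftRecord(NamedTuple):
    entry: int
    sequence: int
    name: str  # name from the record's $FILE_NAME attribute


class Resolution(NamedTuple):
    name: Optional[str]
    status: str  # "match", "stale" (record reused since the reference was written) or "missing"


def resolve_reference(ref: int, mft: Iterable[MftRecord]) -> Resolution:
    """Look up a file reference in an MFT table, insisting on a sequence match.

    Matching on the entry number alone returns whatever file currently
    occupies the record, which is the wrong file once the record was reused.
    """
    target = split_mft_reference(ref)
    for rec in mft:
        if rec.entry == target.entry:
            if rec.sequence == target.sequence:
                return Resolution(rec.name, "match")
            return Resolution(rec.name, "stale")
    return Resolution(None, "missing")


def resolve_all(refs: Dict[str, int], mft: Iterable[MftRecord]) -> Dict[str, Resolution]:
    records = list(mft)
    return {key: resolve_reference(ref, records) for key, ref in refs.items()}


# Constructed sample MFT table (not from a real image). Record 1234 has been
# reused once, so its current sequence number is 6.
SAMPLE_MFT = [
    MftRecord(1234, 6, "newtool.exe"),
    MftRecord(2048, 1, "procmon.exe"),
    MftRecord(4096, 3, "rbcmd.exe"),
]

# Constructed references keyed by a placeholder for the SHA1 an ObjectID key holds.
SAMPLE_REFERENCES = {
    "sha1-placeholder-a": join_mft_reference(2048, 1),  # still the same file
    "sha1-placeholder-b": join_mft_reference(1234, 5),  # written before record 1234 was reused
    "sha1-placeholder-c": join_mft_reference(9999, 1),  # record not in this table
}

if __name__ == "__main__":
    for key, res in resolve_all(SAMPLE_REFERENCES, SAMPLE_MFT).items():
        print(f"{key}: {res.status:7s} {res.name}")
```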

Tuesday, December 4, 2018

Daily Blog #557: Changes in the NtfsDisableLastAccessUpdate key

Update 12/6/18: It turns out that my test system had a system volume smaller than 128gb in size meaning the last access dates were enabled (setting 2). According to @errno_fail (Maxim Suhanov) if my system drive was larger than 128gb then the last access dates would be disabled (setting 3).

Want to know more? Watch this video: https://www.youtube.com/watch?v=yHG6MEH99Z0

Hello Reader,
        It looks like as of at least Windows 10 1803 a new change has come to an old registry key. The NtfsDisableLastAccessUpdate key found in 'SYSTEM\CurrentControlSet\Control\FileSystem' is no longer just a true/false 1/0 value. It now has four possible values stating how the access dates in NTFS were enabled or disabled.

Looking at my laptop's registry I can see the following value is currently set:

which leads to the question of... what does 80000002 mean? Luckily fsutil will translate the current value for us:


So the 8 appears to be some kind of upper bit masking while the 2 is the value set letting us know that NTFS Access updates are currently disabled by system policy.

Checking the set behavior command in fsutil shows us all the possible documented options:

As you can see we've moved from two possible states (on/off, true/false, 0/1) to four. The system is now tracking whether the user or the system has enabled or disabled last access dates in NTFS.

Why? I have no idea currently but it certainly does add more context to the decision. So all of you who have tools that interpret this value will need to update your tools!
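As an added example (written here, not code from the post), a decoder a tool author could drop in for the new four-state value: it masks off the high bit the post observes in 0x80000002 and maps the low bits to the four states fsutil documents, following the 12/6 update above (2 = system managed, enabled; 3 = system managed, disabled). The .reg export it parses is constructed.

```python
import re
from typing import NamedTuple

REG_KEY = r"SYSTEM\CurrentControlSet\Control\FileSystem"
VALUE_NAME = "NtfsDisableLastAccessUpdate"

# High bit present in the 0x80000002 seen in the post; masked off before the
# state is interpreted. Its meaning is not documented on the page.
HIGH_BIT = 0x80000000
STATE_MASK = 0x7FFFFFFF

# Low-bit states as listed by "fsutil behavior set disablelastaccess" on
# Windows 10 1803 and later. 0 and 1 keep the meaning the old boolean key had.
STATES = {
    0: ("User Managed", True),
    1: ("User Managed", False),
    2: ("System Managed", True),
    3: ("System Managed", False),
}


class LastAccessPolicy(NamedTuple):
    raw: int
    managed_by: str
    updates_enabled: bool
    high_bit_set: bool


def is_known_value(raw: int) -> bool:
    """True if raw is a DWORD whose low bits are one of the four documented states."""
    return 0 <= raw <= 0xFFFFFFFF and (raw & STATE_MASK) in STATES


def decode_last_access(raw: int) -> LastAccessPolicy:
    if not is_known_value(raw):
        raise ValueError(f"unrecognised {VALUE_NAME} value {raw:#010x}")
    managed_by, enabled = STATES[raw & STATE_MASK]
    return LastAccessPolicy(raw, managed_by, enabled, bool(raw & HIGH_BIT))


def describe(policy: LastAccessPolicy) -> str:
    state = "Enabled" if policy.updates_enabled else "Disabled"
    flag = " (high bit 0x80000000 set)" if policy.high_bit_set else ""
    return (f"{VALUE_NAME} = {policy.raw:#010x}: {policy.managed_by}, "
            f"Last Access Time Updates {state}{flag}")


# Matches the value line in a .reg export of the FileSystem key
_REG_VALUE = re.compile(r'^"' + VALUE_NAME + r'"=dword:([0-9a-fA-F]{1,8})\s*$',
                        re.MULTILINE)


def value_from_reg_export(text: str) -> int:
    match = _REG_VALUE.search(text)
    if match is None:
        raise ValueError(f"{VALUE_NAME} not found in export")
    return int(match.group(1), 16)


# Constructed .reg export (not from a real system) carrying the value the post observed
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:80000002
"""

if __name__ == "__main__":
    print(describe(decode_last_access(value_from_reg_export(SAMPLE_REG_EXPORT))))
```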



Daily Blog #556: NCCDC Red Team Call for Volunteers

Hello Reader,
         It's coming around to CCDC competition time for much of the United States, and some schools are already in invitationals. This is the yearly call for volunteers for the NCCDC red team. If you have the following to bring to the table:


  • Custom malware
  • Custom command and control 
  • An active Github repository 
  • The ability to lay low and persist with an active defender
If so, email your CV to volunteer@nccdc.org. Spots are limited each year for volunteers and we hope to hear from you.

Sunday, December 2, 2018

Daily Blog #555: Sunday Funday 12/2/18

Hello Reader,
             We've had some great research coming out by working together. This week's challenge is less about trying something new, and more about trying to understand more about what we already know.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/7/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called

Saturday, December 1, 2018

Daily Blog #554: Solution Saturday 12/1/18

Hello Reader,
        This week we have a clear winner with Maxim Suhanov not only answering the question but finding a new artifact and writing a proof of concept extractor for it in the process!

The Challenge:
On a Windows 7 system, how long does it take for a new GUI executable to appear in the Amcache? What can you do, if anything, to force the executable to appear in the Amcache hive?

The Winning Answer:
Maxim Suhanov (@errno_fail)

Friday, November 30, 2018

Daily Blog #553: Forensic Lunch 11/30/18

Hello Reader,
         We had a forensic lunch today! It was just Matt and I as all of our scheduled guests had to reschedule but we made the most of our time. Thanks for those of you who tuned in live and expect Forensic Lunch to return in December on:


December 7th, 2018 at Noon CST
December 14th, 2018 at Noon CST

Matt and I talked about:

I'm behind on podcast uploads again, I'll get that fixed. 

You can watch the video here:

Thursday, November 29, 2018

Daily Blog #512: Forensic Lunch Test Kitchen 11/29/18

Hello Reader,
       Tonight we tested out Maxim Suhanov's YARP library and his provided script to extract and decompress the LZNT1 compressed keys in the CIT\System key we talked about last night.

Here is what we learned:

  • YARP is a great python registry library, clearly I'm just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the ntfs drive to decompress data
  • The CIT\System key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CIT\System key and the recentfilecache.bcf
  • The CIT\System key refers to the recentfilecache.bcf file
  • The CIT\System key contained calls to rundll with parameters

You can watch the video here:

Wednesday, November 28, 2018

Daily Blog #552: Forensic Lunch Test Kitchen 11/28/18

Hello Reader,
       Tonight we had a test kitchen with ups and downs as some things worked and others didn't. Here's what we learned:


  • All of the lznt1 libraries we tried to decompress the system binary registry entries Maxim Suhanov found failed
  • YARP has support for the lznt1 format used in the registry, I've downloaded it and we will use it tomorrow
  • The Windows 7 Amcache can be manually updated by running the scheduled task, but otherwise will not be updated until the scheduled task runs
  • The last write date of the key in the Amcache in Windows 7 has nothing to do with execution time, it's just when the scheduled task ran
  • Like Windows 10 the Windows 7 Amcache will scan any executable on the desktop and insert it into the Amcache even if it wasn't executed
More tomorrow night!

Here is the video:

Tuesday, November 27, 2018

Daily Blog #551: Forensic Lunch Test Kitchen 11/27/18

Hello Reader,
       Tonight we reached another conclusion on our road to understanding of the Amcache hive.
Here is what we learned:

  • As Maxim Suhanov pointed out on twitter, for Windows 7 there is a scheduled task called 'Microsoft Compatibility Appraiser' that runs every night and updates the Amcache
  • On Windows 10 that same task exists but the Amcache is updated after GUI executions 
  • Non executed programs in the Desktop, at least, are added when the scheduled task runs
  • If a program is modified and its hash changed, the new entry will be updated when the scheduled task runs again, not when the program is executed
  • There is a registry key in the SOFTWARE hive that Maxim found that appears to contain compressed appcompat data in Windows 7; in Windows 10 I found no entries
Tomorrow night we check what Windows 7 is doing, validating what Maxim has found and what we have found in Windows 10.

You can watch the video here:

Monday, November 26, 2018

Daily Blog #550: Forensic Lunch Test Kitchen 11/26/18

Hello Reader,
           Tonight we continued our shimcache testing and here is what we found out tonight:

  • Confirmed again that shimcache will record any executable viewable within the GUI
  • Shimcache will update the record if the executable is modified and then executed
  • Amcache does not immediately update an entry if an executable is modified and executed
  • Sysmon did not get added to the Amcache even though it has some type of GUI window (message box appearing) but this was not the standard win32 gui message box
  • Amcache added the executable we left on the desktop on Friday but did not execute; the entry was written at 5am UTC Saturday, and the process event log showed the writer was a background task manager.
  • Sysmon was installed to see if we can get more detail on the process that is updating Amcache

We are now going to let the system update the registry overnight and see what changes it makes with the executable we left in the desktop and the downloads directory. 

You can watch the video here:

Sunday, November 25, 2018

Daily Blog #549: Sunday Funday 11/25/18

Hello Reader,
        Another week of research and discovery is behind us. Let's push your own knowledge with this week's challenge!

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/30/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Windows 7 system, how long does it take for a new GUI executable to appear in the Amcache? What can you do, if anything, to force the executable to appear in the Amcache hive?

Daily Blog #548: Solution Saturday 11/25/18

Hello Reader,
          Looks like the holiday week took up most people's time, as I didn't have any qualifying answers this week. Come back tomorrow for next week's challenge!

Friday, November 23, 2018

Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18

Hello Reader,
            Tonight we had a short late night broadcast as I am enjoying the four day weekend that is Thanksgiving here in the United States. However just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:

  • The desktop executable rbcmd.exe that I didn't execute but did extract was added to the Amcache 24 hours after the last video aired
  • The Amcache hive transaction logs do contain all of the most recent GUI executables executed, with a 10 second delay. For 10 seconds after execution there is a buffer likely in memory where the changes are pending
  • If you parse the Amcache hive without the transaction logs you will miss the most recently executed GUI programs
  • Programs run from the command line are not found in the transaction logs immediately after execution
  • Programs not executed in the GUI but executed from the command line in directories other than the desktop have not shown up in the Amcache
You can watch the video here:

Thursday, November 22, 2018

Daily Blog #546: Thanksgiving post 2018

Hello Reader,
         When I did the previous year of blogging my wife suggested I post recipes which I did on Holidays. This year I did a sous vide turkey following the recipe in this video:


https://www.youtube.com/watch?v=x03Ug4biX-I

I did one thing different though, I cooked the turkey breasts to 145 rather than 130 and it made a huge difference. Last year I cooked it to 130 as suggested and the meat while safe to eat was pink and made everyone worried, finding itself in the broiler to bring it to temp.

145 was the perfect temp and led to a very good product that I then broiled the skin to give it the roasted appearance people expect.

Tomorrow back to the normal schedule!

Wednesday, November 21, 2018

Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18

Hello Reader,
         Tonight we continued looking into Amcache and Shimcache in their parts of the application compatibility cache system. Here is what we learned:

  • Command line executions, without GUIs, are not immediately tracked in Amcache but are in Shimcache after two days 
  • Command line executions, with GUIs, are tracked in Amcache after a shutdown, need to check the transaction logs next time to see if we can get them without reboot/shutdown
  • Command line programs executed from the GUI are tracked in the Amcache
  • The process creation events I turned on in the local security policy are not catching user processes, need to check on why
  • Amcache does contain command line programs I never executed, but the dates are 3 days after the extraction

So we need to let the system keep running and see if some automatic sweep will cause the other command line executables to be tracked. 

You can watch the video here:

Tuesday, November 20, 2018

Daily Blog #544: Forensic Lunch Test Kitchen 11/20/18

Hello Reader,
          Tonight we continued our journey into the shimcache and amcache. Here is what we learned:

  • The extracted executable file from the command line that was not executed was still not present in the shimcache
  • Simply viewing the directory in the GUI that the extracted but not executed executable was in was enough to get it added to the shimcache
  • No new entries from the downloads directories were present in the Amcache

Tomorrow night we will see if the Amcache needed even more time, suggesting it's a scheduled task

You can watch the video here:

Monday, November 19, 2018

Daily Blog #543: Forensic Lunch Test Kitchen 11/19/18

Hello Reader,
     Tonight we continue to go down further into the application compatibility cache and its associated artifacts. Thanks to tonight's BFFs (Best forensic friends) Phill Moore, Jessica Hyde and Mike Cary for participating in the testing! Here is what we learned:

  • Approximately 6 hours or so after the tests were done on 11/16/18 in the prior video (https://www.hecfblog.com/2018/11/daily-blog-540-forensic-lunch-test.html) the entries we expected to show up in the Amcache were written to the registry 
  • In addition to the programs we executed being delayed in their writes, we also had more programs we extracted in the GUI but did not execute show up in Amcache
  • The timestamp of the key here did not reflect when the program executed but rather when it was added to the Amcache hive! We are setting up more testing to determine what the triggers are for Amcache updating
  • Extracting an executable from a zip file in the command line did not result in a Shimcache or Amcache entry being made, as suggested by Mike Cary on twitter. 
  • Executing an executable from the command line did get an entry in the shimcache on shutdown and reboot
  • We had an inconsistent result in the amcache on execution where once it appeared after shutdown and another time it didn't
  • We have enabled process creation event logging and the VM will run overnight to see when and what hopefully is updating the Amcache

You can watch the video here:

Sunday, November 18, 2018

Daily Blog #542: Sunday Funday 11/18/18

Hello Reader,
         We've had some great submissions the last couple of weeks and I'm hoping to keep that trend up this week! Following on from this week's topics, let's see how well you can work your forensic tool for registry analysis.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/23/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What keys and or files are created/modified when you:
1. First plug in a USB 3.0 drive using the storport driver
2. The last time you plug in a USB 3.0 drive using the storport driver

Saturday, November 17, 2018

Daily Blog #541: Solution Saturday 11/17/18

Hello Reader,
          This week a new champion emerges and enters the winners circle. Congratulations to Oleg Skulkin who grabbed a win this week with his testing! Make sure to come back tomorrow to see next week's challenge for your chance at $100!

The Challenge:
We've tested what happens for copies to NTFS drives. Now let's change it up. What changes occur to files when you copy and paste, as well as cut and paste, to a FAT32 drive?

The Winning Answer:
Oleg Skulkin

I created 6 files, 1 DOCX, 1 TXT, 1 JPG on an NTFS volume for copying, and 1 DOCX, 1 TXT, 1 JPG for cutting and pasting. I used Windows 10 both for copying and cutting, and a freshly formatted FAT32 flash drive.

I created two folders on the flash drive – “copy - paste” and “cut - paste”. I copied and pasted first three files to “copy - paste”, and next three files to “cut - paste”. Then I imaged the flash drive with FTK Imager (4.1.1.1) and used Autopsy (4.9.0) to examine the image.

Here are the results:


The DOCX file saved its Modified timestamp, lost time for Accessed, and its Created timestamp changed. Despite the fact I used UTC as the timezone in Autopsy, the timestamps were shown in UTC +3. 

The same results were observed for the TXT file: 


And for the JPG file:

As for cutting and pasting, the DOCX file saved its Modified and Created timestamps, but lost time for Accessed timestamp (again, timestamps are in UTC +3):

The same happened with the TXT file:

And with the JPG file:

Results

Copy – paste:
  Modified    Accessed    Created
  Unchanged   Changed     Changed

Cut – paste:
  Modified    Accessed    Created
  Unchanged   Changed     Unchanged
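An added example (not part of Oleg's answer) showing why the Accessed timestamp lost its time on FAT32: a decoder for the timestamp fields of a 32-byte FAT directory entry, where last access is stored as a date only, write time has 2-second granularity and creation time gets an extra 10 ms field. The directory entry it decodes is constructed by a helper in the block from full-resolution source timestamps.

```python
import struct
from datetime import date, datetime, time, timedelta
from typing import NamedTuple, Tuple


class FatTimestamps(NamedTuple):
    created: datetime   # date + time, 10 ms resolution
    accessed: date      # date only: FAT has no last-access time field
    modified: datetime  # date + time, 2 s resolution


def decode_fat_date(raw: int) -> date:
    # bits 15-9: years since 1980, 8-5: month, 4-0: day
    return date(1980 + ((raw >> 9) & 0x7F), (raw >> 5) & 0x0F, raw & 0x1F)


def decode_fat_time(raw: int, tenths: int = 0) -> time:
    # bits 15-11: hour, 10-5: minute, 4-0: seconds / 2
    # tenths (creation time only): 0..199 extra units of 10 ms
    if not 0 <= tenths <= 199:
        raise ValueError("tenths field out of range")
    hour, minute, two_sec = (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, raw & 0x1F
    base = datetime(2000, 1, 1, hour, minute, two_sec * 2)
    return (base + timedelta(milliseconds=tenths * 10)).time()


def encode_fat_date(d: date) -> int:
    if not 1980 <= d.year <= 2107:
        raise ValueError("year outside FAT range")
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_fat_time(t: time) -> Tuple[int, int]:
    # Returns (time_field, tenths); the odd second and sub-second part go into tenths
    field = (t.hour << 11) | (t.minute << 5) | (t.second // 2)
    tenths = (t.second % 2) * 100 + t.microsecond // 10000
    return field, tenths


def decode_directory_entry(entry: bytes) -> FatTimestamps:
    # 32-byte short-name directory entry; offsets from the FAT specification:
    # 13 CrtTimeTenth, 14 CrtTime, 16 CrtDate, 18 LstAccDate, 22 WrtTime, 24 WrtDate
    if len(entry) != 32:
        raise ValueError("directory entry must be 32 bytes")
    crt_time, crt_date, acc_date = struct.unpack_from("<HHH", entry, 14)
    wrt_time, wrt_date = struct.unpack_from("<HH", entry, 22)
    return FatTimestamps(
        created=datetime.combine(decode_fat_date(crt_date),
                                 decode_fat_time(crt_time, entry[13])),
        accessed=decode_fat_date(acc_date),
        modified=datetime.combine(decode_fat_date(wrt_date), decode_fat_time(wrt_time)),
    )


def build_directory_entry(name: bytes, created: datetime, accessed: datetime,
                          modified: datetime, size: int = 0) -> bytes:
    # Constructed helper storing timestamps the way the on-disk format allows:
    # 'accessed' keeps only its date, 'modified' is rounded down to 2 s.
    entry = bytearray(32)
    entry[0:11] = name.ljust(11, b" ")[:11]
    entry[11] = 0x20  # ATTR_ARCHIVE
    crt_field, tenths = encode_fat_time(created.time())
    entry[13] = tenths
    struct.pack_into("<HHH", entry, 14, crt_field, encode_fat_date(created.date()),
                     encode_fat_date(accessed.date()))
    wrt_field, _ = encode_fat_time(modified.time())  # sub-2 s part is discarded
    struct.pack_into("<HH", entry, 22, wrt_field, encode_fat_date(modified.date()))
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)


# Constructed sample: full-resolution source timestamps as an NTFS volume would hold them
SAMPLE_ENTRY = build_directory_entry(
    b"REPORT  DOC",
    created=datetime(2018, 11, 17, 14, 3, 27, 340000),
    accessed=datetime(2018, 11, 17, 14, 5, 9),
    modified=datetime(2018, 11, 10, 9, 15, 31, 800000),
)

if __name__ == "__main__":
    ts = decode_directory_entry(SAMPLE_ENTRY)
    print("Created: ", ts.created.isoformat())
    print("Accessed:", ts.accessed.isoformat(), "(date only)")
    print("Modified:", ts.modified.isoformat())
```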