Daily Blog #583: Sunday Funday 12/30/18 - Syscache.hve File Challenge

Hello Reader,
      This will be the first Sunday Funday for 2019 since when the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like.

The Prize:

$100 Amazon Giftcard

The Rules:

1. You must post your answer before Friday 1/4/19 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful
6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:

What processes update the Syscache.hve file on Windows Server 2008 R2?

Also Read: Daily Blog #582

Read More

Daily Blog #582: Solution Saturday 12/29/18 - Syscache Server 2008 R2 Challenge

Hello Reader,
         Well no winner this week, I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start.

The Challenge:

On server 2008 r2 how would the following be seen in the syscache and what was logged:

1. Powershell empire agent

2. Meterpeter

3. Mimikatz

The winning answer:

None! I'll make sure to cover this in the test kitchen

Also Read: Daily Blog #581

Read More

Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Hello Reader,
         Tonight we booted up a server 2012 VM which is in line with Windows 8.1 looking to see if we could find a syscache hive with and without applocker configured. So far no such luck but we will keep trying.

If you want to watch the video you can do so here:

Also Read: Applocker and Windows 10

Read More

Daily Blog #580: Applocker and Windows 10

Hello Reader,
          Didn't get started until very late tonight so I didn't do a broadcast, tomorrow though we will for sure. Instead I decided to see if I could get Applocker going on Windows 10 Enterprise since I already have a VM running it. I turned Applocker into audit only mode, made default rules and executed programs and ...

Nothing

So far I haven't had any entries in the event logs or a syscache hive generated, so tomorrow on the stream we will attempt to make this work again and also try this on Sever 2012, 2016 and 2019.

Also Read:  The meaning of Syscache.hve

Read More

Daily Blog #579: The meaning of Syscache.hve

Hello Reader,
     One of the things I've often repeated the last couple of test kitchens in regards to the Syscache hive is why does it exist. In earlier googling I thought based on its locations in slide presentations that it might be involved in the volume shadow copy system, something Maxim Suhanov does not agree with. This left the question though, what does it relate to?

Well reader long time BFF (Best Forensic Friend) Dr. Vico Marziale at blackbag may have found a pretty huge clue. In his googling, which I must say found things I did not even when searching keywords that existed in the document, found a pdf from Legato/EMC networker release notes form July of 2010.

Within these release notes the backup software states:
"The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2 are skipped during backup 

The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2, located in the %systemdrive%\system volume information folder, will be skipped during backup. These hive files are used for maintaining extended data for executable files on the system, such as SRP (Software Restriction Policies) and AppLocker. Microsoft recommends not restoring these files. These files are created from derived data and will be rebuilt over time"

Source: https://nsrd.info/blog/wp-content/uploads/2010/07/NW753_Release.pdf

So the reason this registry hive was placed in the System Volume Information folder could be that the contents of this special folder are not included in shadow copies. Also Windows Applocker was introduced in Windows 7 (https://en.wikipedia.org/wiki/AppLocker) which coincides with creation of the Syscache hive and was available in Windows Server 2008 R2:(https://blogs.technet.microsoft.com/askperf/2009/10/19/windows-7-windows-server-2008-r2-applocker/)

The included scope of Applocker includes Exes, DLL's and Scripts:

"AppLocker currently supports the following file extensions:

• Executables (.exe, .com)
• Dlls (.ocx, .dll)
• Scripts (.vbs, .js, .ps1, .cmd, .bat)
• Windows Installers (.msi, .mst, .msp)
• Packaged app installers (.appx)"

Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain

Note that the above link is for Windows 10, in Windows 7 we have not yet seen powershell scripts get logged. 

So this does appear to be the closest thing we've found to a explanation of why Syscache contains the data that it does. Now we need to find out what happened to the hive in later versions of Windows and what else we can infer from its association. 

Tomorrow I plan to return to the test kitchen, just having to much fun over the holidays to do one in time tonight. 

Also Read: Daily Blog #578

Read More

Daily Blog #578: Merry Christmas 12/25/18

Hello Reader,
        At every major holiday I post a recipe on my wife's advice. She said you would at some point want to read something not technical. So since it's Christmas I thought I would share one of the recipes I've been making for my family and friends.

For a number of years I made Nigella Lawson's Aromatic ham:
https://www.foodnetwork.com/recipes/nigella-lawson/aromatic-spiced-ham-recipe-2015116

If you enjoy ham I do recommend it as its fun to make, I like things that involve alot of steps when cooking, and the final product is quite the table centerpiece. These past few years I've been making the prime rib I posted back in 2013 which you can read here:
https://www.hecfblog.com/2013/12/daily-blog-185-merry-christmas.html

In either case, no matter what religion you follow or not I wish a happy holiday season to you and yours as we prepare to enter what may be a very uncertain new year.

Also Read: Daily Blog #577

Read More

Daily Blog #577: Christmas Eve 12/24/18

Good evening reader,
We are all tucked in and hoping that DFIR santa is bringing us new artifacts for Christmas. Tomorrow I'll likwly be posting a recipe but I wanted to wish you good tidings and a happy new year!

Also Read: Daily Blog #576

Read More

Daily Blog #576: Sunday Funday 12/23/18 - Syscache Challenge On Server 2008 R2

Hello Reader,
    Let's finish the year right. The last challenge of 2018 needs to be special.

The Prize:

$100 Amazon Giftcard

The Rules:

1. You must post your answer before Friday 12/28/18 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful
6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:

On server 2008 r2 how would the following be seen in the syscache and what was logged:

1. Powershell empire agent

2. Meterpeter

3. Mimikatz

Also Read: Daily Blog #575

Read More

Daily Blog #575: Solution Saturday 12/22/18 - DFVFS Challenge Solution

Hello Reader,
I always love introducing new winners to the community and this week I get my wish. Please congratulate Bastien Lardy with his winning Python DFVFS submission!

The Challenge:

Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 

The winning answer:

This is a python2 (I had issue with python3 and mediator...) script that reads an input disk image and searches (based on full path or regex filters), extracts or computes hash. If shadow copies exist, it will prompt a message whether to process those or not.

https://github.com/blardy/dfvfs_extractor

Also Read: Daily Blog #574

Read More

Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve

Hello Reader,
        Today we had another Forensic Lunch! This week we had:

• Alissa Torres, (@sibertor) talking all about the changes for FOR526 as a 6 day bootcamp of memory forensic goodness, with daily Netwars challenges! You can find out more and sign up here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/memory-forensics-in-depth
• Alissa and I also talked about the CTI Summit which is happening the two days prior to the courses you can find out more about it here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/summit-agenda
• BTW I'm also teaching FOR500 at the CTI Summit, my only east coast teach of the year: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/windows-forensic-analysis
• Dr. Joe Sylve (@jtsylve) talked about his work in producing both a pooled storage implementation for TSK (The Sleuth Kit) as well as APFS
• We talked about how APFS works compared to other file systems and Dr. Sylve did some demos showing how the tsk tools have been extended to work with APFS snapshots and encryption!
• You can get the current patch for TSK here: https://github.com/blackbagtech/sleuthkit-APFS/ which hopefully will get rolled into the next release of TSK

What a great show! You can watch the video here:

Also Read: Daily Blog #573 

Read More

Daily Blog #573: Forensic Lunch Test Kitchen 12/20/18 Syscache and Server 2008 R2

Hello Reader,
       Tonight after finding out from you that the Syscache.hve exists on Server 2008 R2 we switched OS's in our testing and focused on Syscahe on Server 2008 R2 and away from Windows 7 for now. Here is what we learned:

• The Syscache hive exists on an unpatched Server 2008 R2 SP1 system
• The syscache hive exists even without Amcache coming into existence
• The syscache hive on server 2008 r2 is catching executables just like Windows 7
• The syscache hive on server 2008 r2 is committing changes to the registry hive within seconds of the execution
• The syscache hive on server 2008 r2 includes executions from the Desktop, unlike Windows 7
• The syscache hive on server 2008 r2 does not appear to be catching bat files like Windows 7 but does catch and executables the bat file calls

More testing to be done! Tune in tomorrow for the Forensic Lunch and next week for more testing!

You can watch the video here:

Also Read: Daily Blog #572 

Read More

Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python

Hello Reader,
      Tonight we wrote some python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned:

• That pytsk does not have an attribute for parent reference number, so we had to extract it from the file name attribute
• That analyzemft has a great set of example code to pull your unpack's from if you are looking to write your own attribute parser
• That when I grouped my syscache entries by programID I only had 60+ entries which seems more like just what has been executed on this lightly used VM
• That there is no entry of any program run directly from my Desktop

You can get the code here: https://github.com/dlcowen/TestKitchen/blob/master/PrintFileNamesByEntry.py

You can watch the video here:

Also Read: Daily Blog #571 

Read More

Daily Blog #571: Forensic Lunch Test Kitchen 12/18/18 Syscache

Hello Reader,
        Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned:

• Bat files are recorded in the Syscache hives when executed
• Bat files and other executables run from the Desktop are not recorded in the Syscache
• Powershell files (ps1) are not caught in the Syscache hive
• Deleting a file did not eliminate it from the Syscache hive 
• Installing a program recorded its installer, but the program did not prepopulate an entry in the Syscache hive
• Creating a bat file did not pre-populate it in the Syscache hive

You can watch the video here:

Also Read: Daily Blog #570 

Read More

Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader,
       Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned:

• The syscache hive seems to record atleast exe, dll, bat and cmd files executed
• The syscache hive like the Amcache hive will store which program by sha1 hash the executable is associated with
• If there is no associated executable (no MSI installer) it will use the sha1 hash 'da39a3ee5e6b4b0d3255bfef95601890afd80709' which is the empty hash. Meaning like the Amcache it is storing information about executables not associated with any MSI installed program
• It appears, this needs more testing, that it may record more related executables than the Amcache does when a program is installed/executed

Still much more testing to be done to really make sure we understand what we are really seeing. To  be tested:

1. Installing a program but not executing it, will it appear
2. Adding full path support to the python script to understand where the associated files are being pulled from
3. Checking to see if powershell scripts get logged
4. Looking to see if deletions of programs/executables change the hive
5. Testing again to see if programs run from the desktop are include

You can watch the video here:

Also Read: Daily Blog #569 

Read More

Daily Blog #569: Sunday Funday 12/16/18 - DFVFS Python Script Challenge

Hello Reader,
             Last week I got you searching for DFVFS, this weeks let's see you program in DFVFS! We've done a lot of different challenges for the Sunday Funday series so why not continue to mix it up and see what you've learned.

Need some code examples? Look at yesterdays winning answer:
https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html



The Prize:

$100 Amazon Giftcard

The Rules:

1. You must post your answer before Friday 12/21/18 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful
6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:

Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 

https://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

Also Read: Daily Blog #568

Read More

Daily Blog #568: Solution Saturday 12/15/18 - DFVFS Challenge Winner Announcement

Hello Reader,
This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull of a win by one project. Congratulations to Phill Moore (and his baby) for this weeks win!

The Challenge:

Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

The Winning Answer:

@phillmoore

DFVFS

dfVFS, or Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system
objects, for which it uses several back-ends that provide the actual
implementation of the various storage media types, volume systems and file
systems.

Log2timeline/Plaso

Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso documentation

Pancake Viewer

A DFVFS backed viewer project with a WxPython GUI for viewing file systems and file system metadata. Forensic Lunch about it

DFVFSWizard

Allows you to extract a file from forensic images, virtual disks, raw images and live disks, including from volume shadows. Blog posts:

Daily Blog #367: Automating DFIR with dfVFS part 1

Daily Blog #372: Automating DFIR with dfVFS part 2

Daily Blog #373: Automating DFIR with dfVFS part 3

Daily Blog #374: Automating DFIR with dfVFS part 4

VFtools

An open source tool set built on dfVFS. Blog post about it

Efetch

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types including office, registry, PST, image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.

Blog post about it

Gransk - Document processing for investigations

A tool for when you have a bunch of documents to figure out of. Gransk is an open source tool that aims to be a Swiss army knife of document processing and analysis. Its primary objective is to quikly provide users with insight to their documents during investigations. It includes a processing engine written in Python and a web interface. Under the hood it uses Apache Tika for content extraction, Elasticsearch for data indexing, and dfVFS to unpack disk images.

Introduction to Gransk (YouTube)

pyvmpop

A Python implementation of VMPOP (Virtual Machine POPulation) framework. dfVFS is used to enable for Data Extraction features

ArtifactExtractor

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

AutoProvWindows

This program automatically finds provenance related to a file on an image

I’m not exactly sure what that means.

InstallDFVFS

Technically doesn’t use DFVFS, but a long time ago Dave put out a Sunday Funday challenge to automate the installation so I wrote this script. It may not work any more, it worked at the time.

Also Read: Daily Blog #567

Read More