June 2018


Hello Reader,
      Another contest has completed, and changing the time frame of the contest seems to have benefited all of us. It benefits the people playing, as they get more time to complete their answer; it benefits me, as I get to ask more in-depth questions; and it benefits you, the reader, as you get even more information!

The Challenge:
ExFAT is documented to have a timezone field recording which timezone a timestamp was populated with. However, most tools just treat it as FAT and ignore it. For this challenge, document for each of the following operating systems how it populates ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierra
Ubuntu Linux 16.04 

This week's winning answer, from Paul Bryant, Senior Lecturer at Wellington Institute of Technology (WelTec), can be downloaded here, as there is no way I can embed it into the post:
https://www.dropbox.com/s/h8omup03bxoblkp/exfat_os_dir_entries.pdf?dl=0

Enjoy and great work Paul!

Hello Reader,
            Another Friday where I'm not able to get a forensic test kitchen done due to my travel and teaching schedule, but next week should be better!

Instead, let's continue our Outlook attachment testing. In the prior post I tested a PNG file. Let's test a Microsoft Excel document now, to see how a file with a metadata structure Outlook would recognize affects our testing.

First, here is the metadata on the file on the disk:

Here are the Extended MAPI properties of the attachment when I sent the message a minute after creating the file.



As you can see, the last modification time is being preserved again, but the creation time is actually being set to the message creation time, as seen in the delivery time below.


I then made sure it wasn't just a rounding issue by sending the same attachment the next day,


which shows that the creation time is being set to the date the message was sent and the modification time of the file is being preserved.


Saving the attachment back to the disk gives the following dates:



As we can see, the creation time is being set to when the message was sent and the modification time is being reapplied. The access date appears to be updated, but really that's just the real creation time before Microsoft Outlook rolled back the date.

More to come as we test other formats!

Hello reader,
        In yesterday's post I showed how saving an attachment applied the modification date that was stored within the attachment's Extended MAPI properties. I was wondering how, from a file system perspective, you could tell the actual date the file was saved to the disk, and as it turns out the filename ($FILE_NAME) attribute metadata has the dates the attachment was actually saved to the disk, as seen below:


This was a PNG file; in the upcoming posts I'll be trying other file types to see if Outlook shows any different behaviors.

Hello Reader,
           In my prior post I was looking at the file system metadata stored, based on Arman's blog post. In this post I wanted to see if something had changed with how Outlook assigns creation times when saving a file. In the past I had found that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system, and in this post I am looking to see if that has changed.

I haven't tested a regular file before when looking to see what dates got applied, and when I saved the attachment to my disk I was surprised to see the following:

The creation time was set to the time the message was received and matched the PR_CREATION_TIME I saw in the prior post. But the modification time was reapplied from the data that was saved in the attachment's Extended MAPI property! Notice that the access time is set to today, even though access times have been disabled since Windows 10. This is because the access time is being set to the actual time of creation, and then the other two dates have been rolled back by Outlook.

This is very interesting to me and I plan on testing this with some more file types this week and next.

Hello Reader,
           For today's post I want to share some testing I've been doing of Arman Gungor's research into Extended MAPI data. Arman has agreed to come on the Forensic Lunch next month and talk about his work, and in this post I'd like to focus on some research he's done on how some file system timestamps are preserved from the sender's system when a file is attached in Outlook.

First you can read Arman's post here:
https://www.meridiandiscovery.com/articles/email-attachment-timestamps-forensics-outlook/

I emailed myself one of the pictures from Saturday's solution post and then examined the Extended MAPI data of the attachment with OutlookSpy to see if I could confirm what Arman found.

Here are the file system timestamps on my system for pic10.png:

Looking at the Extended MAPI for the attachment, I found the following. For the creation time I have the creation time of the message rather than that of the file attachment. The time displayed is in UTC, and I'm currently in UTC+10.

Looking at the modification time, though, we do find the correct file system time:

Adding 10 hours gives 6/24/18 at 6:14 PM.

This is fascinating to me, as I thought all file system metadata was stripped away when a file was attached. I am going to do more testing with Outlook attachments and the dates applied to see how this changes my prior results.
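To turn the four Outlook posts above (the Excel test, the $FILE_NAME observation, the rolled-back $STANDARD_INFORMATION dates and the Extended MAPI finding) into a repeatable check, here is an added example that is not the author's code: it takes MFT and MAPI FILETIME values and reports whether a saved attachment shows the pattern described (modification time from the attachment's MAPI modification property, creation time from PR_CREATION_TIME, $SI access equal to $FN creation) and what the real write time was. The PR_LAST_MODIFICATION_TIME property name, the tolerance and the sample timestamps are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC), the format of MFT timestamps
    and of MAPI PT_SYSTIME properties, to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used here only to build the constructed samples."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def check_outlook_save(si, fn, mapi, tolerance=timedelta(seconds=2)):
    """si: $STANDARD_INFORMATION FILETIMEs ('created', 'modified', 'accessed');
    fn: $FILE_NAME FILETIMEs ('created'); mapi: the attachment's PR_CREATION_TIME and
    PR_LAST_MODIFICATION_TIME as FILETIMEs (assumed property name). Returns which parts
    of the observed Outlook save pattern hold and the time the file was really written."""
    si_c, si_m, si_a = (filetime_to_dt(si[k]) for k in ("created", "modified", "accessed"))
    fn_c = filetime_to_dt(fn["created"])
    mapi_c = filetime_to_dt(mapi["PR_CREATION_TIME"])
    mapi_m = filetime_to_dt(mapi["PR_LAST_MODIFICATION_TIME"])

    def close(a, b):
        return abs(a - b) <= tolerance

    findings = {
        # sender's file modification time re-applied from the MAPI property
        "modified_from_mapi": close(si_m, mapi_m),
        # creation time is the message's creation time, not the file's
        "created_from_mapi": close(si_c, mapi_c),
        # $SI creation was rolled back to before the file existed on this disk
        "created_before_fn_created": si_c < fn_c - tolerance,
        # $SI access time is left at the real write time, matching $FN creation
        "accessed_equals_real_save": close(si_a, fn_c),
    }
    findings["outlook_save_pattern"] = all(findings.values())
    findings["actual_save_time"] = fn_c
    return findings

# Constructed sample mirroring the posts above: file last modified on the sender's machine
# 2018-06-24 08:14 UTC, message created 2018-06-25 01:00 UTC, attachment saved to disk
# 2018-06-26 03:30 UTC.
_MOD = dt_to_filetime(datetime(2018, 6, 24, 8, 14, tzinfo=timezone.utc))
_MSG = dt_to_filetime(datetime(2018, 6, 25, 1, 0, tzinfo=timezone.utc))
_SAVE = dt_to_filetime(datetime(2018, 6, 26, 3, 30, tzinfo=timezone.utc))
OUTLOOK_SAVED_SI = {"created": _MSG, "modified": _MOD, "accessed": _SAVE}
OUTLOOK_SAVED_FN = {"created": _SAVE}
ATTACHMENT_MAPI = {"PR_CREATION_TIME": _MSG, "PR_LAST_MODIFICATION_TIME": _MOD}
# A file written normally at the same moment: all $SI dates equal $FN creation.
NORMAL_SAVED_SI = {"created": _SAVE, "modified": _SAVE, "accessed": _SAVE}
```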

Hello Reader,
          In this post I want to follow up on an earlier post questioning what is left behind, Extended MAPI wise, in a forwarded message that would allow an examiner to know more about the original message. Well, it's appropriate that this is Daily Blog 404, because within the Extended MAPI I did not find any of the original dates contained in a property.

I still need to decode the conversation index, though, and I'll be working on that tomorrow, as well as putting all of the logic into Python code to automate this process.

Hello Reader,
             Thanks to your great submissions last week, I had a really tough time picking a winner. In the end the community as a whole has benefited from your research. You will have five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it; you are allowed to update your submission if you find new information.

ExFAT has been on my mind lately. Let's talk about documentation, expectation and reality in this week's file system forensics challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 6/29/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge:
ExFAT is documented to have a timezone field recording which timezone a timestamp was populated with. However, most tools just treat it as FAT and ignore it. For this challenge, document for each of the following operating systems how it populates ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierra
Ubuntu Linux 16.04
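As an added example, not part of this challenge post, the solution post above, or Paul's answer, here is a parser for the timestamp fields of an exFAT File Directory Entry as laid out in Microsoft's published exFAT specification. It shows, side by side, the naive local time a FAT-only tool displays and the UTC value recovered from the UtcOffset byte that such tools ignore. The sample entry is constructed; its +10:00 offset mirrors the UTC+10 system used in the Outlook posts on this page.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets in a 32-byte exFAT File Directory Entry (EntryType 0x85), per the published exFAT spec:
# (packed timestamp, 10 ms increment byte or None, UtcOffset byte) for each timestamp.
TS_FIELDS = {"created": (8, 20, 22), "modified": (12, 21, 23), "accessed": (16, None, 24)}

def decode_dos_timestamp(ts, tenms=0):
    """Unpack the FAT-style packed date/time (2-second resolution) and add the 10 ms increment."""
    seconds = (ts & 0x1F) * 2
    minute = (ts >> 5) & 0x3F
    hour = (ts >> 11) & 0x1F
    day = (ts >> 16) & 0x1F
    month = (ts >> 21) & 0x0F
    year = 1980 + ((ts >> 25) & 0x7F)
    return datetime(year, month, day, hour, minute, seconds) + timedelta(milliseconds=10 * tenms)

def encode_dos_timestamp(dt):
    """Inverse of decode_dos_timestamp; used here only to build the constructed sample entry."""
    return ((dt.year - 1980) << 25 | dt.month << 21 | dt.day << 16
            | dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def decode_utc_offset(b):
    """UtcOffset byte: bit 7 = OffsetValid, bits 0-6 = signed 15-minute units (-16:00 .. +15:45)."""
    if not b & 0x80:
        return None                          # writer recorded no timezone for this timestamp
    raw = b & 0x7F
    if raw & 0x40:                           # sign-extend the 7-bit two's-complement value
        raw -= 0x80
    return timezone(timedelta(minutes=15 * raw))

def parse_file_entry(entry):
    """Per timestamp: the naive local time a FAT-only tool shows, and the UTC value if an offset is valid."""
    if len(entry) != 32 or entry[0] != 0x85:
        raise ValueError("not an exFAT file directory entry")
    out = {}
    for name, (ts_off, ms_off, tz_off) in TS_FIELDS.items():
        packed = struct.unpack_from("<I", entry, ts_off)[0]
        local = decode_dos_timestamp(packed, entry[ms_off] if ms_off is not None else 0)
        tz = decode_utc_offset(entry[tz_off])
        out[name] = {
            "as_fat_tool_shows": local,
            "offset_valid": tz is not None,
            "utc": local.replace(tzinfo=tz).astimezone(timezone.utc) if tz else None,
        }
    return out

# Constructed sample: file written at 18:14 local on a UTC+10 system (offset byte 0x80 | 40, +500 ms
# on create); the access timestamp carries no valid offset, as a driver treating exFAT as plain FAT leaves it.
SAMPLE_ENTRY = bytearray(32)
SAMPLE_ENTRY[0] = 0x85
struct.pack_into("<I", SAMPLE_ENTRY, 8, encode_dos_timestamp(datetime(2018, 6, 24, 18, 14, 0)))
struct.pack_into("<I", SAMPLE_ENTRY, 12, encode_dos_timestamp(datetime(2018, 6, 24, 18, 14, 0)))
struct.pack_into("<I", SAMPLE_ENTRY, 16, encode_dos_timestamp(datetime(2018, 6, 25, 9, 0, 0)))
SAMPLE_ENTRY[20] = 50
SAMPLE_ENTRY[22] = SAMPLE_ENTRY[23] = 0x80 | 40
SAMPLE_ENTRY[24] = 0x00
```

Comparing the `as_fat_tool_shows` and `utc` values for the same entry across the four operating systems in the challenge is exactly the discrepancy the challenge asks you to document.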

Hello Reader,
             This week was really tough, as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because, much like the other submissions that made it to the final round of consideration, he listed which apps he tested that created Zone.Identifiers and what different data points they contained. But Phil took it one step further: he not only tested the application, he tested the behavior, such as saving different file types in IE or different modes of operation like InPrivate Browsing. Lastly, Phil added in a bonus OSX artifact to boot.

Here was the challenge:
Zone.Identifier alternate data streams have been around for a while; please answer the following questions.
1. What version of Windows introduced zone.identifier?
2. What data is contained within a zone.identifier?
3. What sets the zone.identifier?
4. What conditions cause them to be created?
5. What are the limitations of zone.identifier?

So here is this week's winning entry from Phil Moore.


1. What version of Windows introduced zone.identifier
Windows XP SP2



2. What data is contained within a zone.identifier
“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”
(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)

This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones




Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings:
 
In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.

Independently of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/)




Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.



Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.



What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.

3. What sets the zone.identifier
As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.

“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85) )

The domains that have been stored can be located here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.

Adding items to these keys can be done through Internet Options:
The Internet Options can be accessed through Windows Settings or Internet Explorer.


As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.

Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID.

4. What conditions cause them to be created
“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)

Forensic Wiki indicates that ZoneID’s were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.

I performed a majority of my testing on Win10; there’s plenty more to do however.

Task                                                     ZoneID?                           ADS Contents
-------------------------------------------------------  --------------------------------  ----------------------------------------------------
Save picture (IE)                                        No
Save ZIP (IE)                                            Yes                               ZoneID
Save file (Chrome, Chrome-based browser)                 Yes                               ZoneID, RefererURL, HostURL
Save file (Firefox)                                      Yes                               ZoneID
Save file (Edge)                                         Yes                               ZoneID, LastWriterPackageFamilyName (Application name)
File saved out of Outlook (o365 desktop)*                Yes                               ZoneID
File saved out of Mail “Trusted Microsoft Store” app*    Yes                               ZoneID
File saved out of Skype “Trusted Microsoft Store” app    Yes                               ZoneID
Skype (Classic) App                                      Yes                               ZoneID
Wget under Windows Subsystem for Linux                   No
Powershell                                               No
FTP.exe (inbuilt)                                        No
Tor Browser Bundle (Firefox)                             Yes                               ZoneID
Private Browsing (IE - Zip)                              Yes                               ZoneID
Private Browsing (Firefox - Zip)                         Yes                               ZoneID
Private Browsing (Chrome - Zip)                          Yes                               ZoneID, RefererURL, HostURL
Private Browsing (IE - Zip)                              Untested - download kept failing
Save a webpage to the desktop from a link (Chrome)       Yes                               ZoneID, RefererURL, HostURL
Save current page***                                     No
Telegram (Windows)                                       No
Sync with Mega                                           No
Sync with Dropbox                                        No**
Sync with OneDrive                                       No


* Apparently you can also drag and drop files from emails and these won’t be given the ZoneID; however, this wasn’t tested.

** Dropbox does create ADS’s for the files, but not a ZoneID.

*** Indication of originating URL identified in the saved HTML code.

On Windows 7 I observed ZoneIDs from saving files out of webpages, however no additional data was located.
I did not have a Windows 8/8.1 system to test.

Internet Explorer doesn’t always create ZoneIDs, for example saving a picture did not create a ZoneID. All other browsers did however for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.

5. What are the limitations of zone.identifier
“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)

Didier Stevens wrote a post about propagation of ZoneIDs from ISO containers.
For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).
(Reference: https://blog.didierstevens.com/2017/07/18/iso-files-with-zone-identifier/).


Addendum:

MacOS NTFS Drives
If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.


Program Execution:
On Win8 if a program is executed and SmartScreen is displayed, if the user bypasses SmartScreen to execute the application then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4”, which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.

This is another execution artefact however.
(Reference: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/)

Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect the “Always ask before opening this file” then the ZoneID will be removed.

Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.


Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADS’s.
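As an added example, not part of Phil's entry or of the original post, here is a parser for the Zone.Identifier stream contents listed in the testing table above. It maps ZoneId to the URL security zone it denotes and uses the combination of keys present to suggest the writer family, which is what the table lets an examiner infer. The key spellings ZoneId, ReferrerUrl, HostUrl, LastWriterPackageFamilyName and AppZoneId, the writer heuristic and the sample streams (with a placeholder package family name) are this example's assumptions.

```python
import configparser

# URL security zone values, as held in the registry Zones key quoted above.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Parse the INI-style stream body; returns None when no [ZoneTransfer] section exists."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                      # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = dict(cp["ZoneTransfer"])
    zone = sec.get("ZoneId", "")
    info = {
        "keys": sorted(sec),
        "zone_id": int(zone) if zone.isdigit() else None,
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
        "last_writer": sec.get("LastWriterPackageFamilyName"),
        "app_zone_id": sec.get("AppZoneId"),  # SmartScreen-bypass marker from the addendum
    }
    info["zone_name"] = ZONE_NAMES.get(info["zone_id"], "unknown")
    info["likely_writer"] = guess_writer(info)
    return info

def guess_writer(info):
    """Heuristic mapping of key combinations to the writer families in the table; not proof."""
    if info["last_writer"]:
        return "Edge or packaged app: " + info["last_writer"]
    if info["referrer"] or info["host"]:
        return "Chromium-based browser (ReferrerUrl/HostUrl present)"
    if info["zone_id"] is not None:
        return "ZoneId only: IE, Firefox, Outlook, Skype or similar"
    return "unknown"

def read_zone_identifier(path):
    """On NTFS the stream is opened as '<path>:Zone.Identifier'; None if absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8-sig") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed sample streams in the layouts from the table (placeholder package family name).
CHROME_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/downloads/\r\n"
                 "HostUrl=https://cdn.example.invalid/tool.zip\r\n")
EDGE_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "LastWriterPackageFamilyName=ExamplePublisher.ExampleApp_placeholder\r\n")
RESTRICTED_SAMPLE = "[ZoneTransfer]\r\nZoneId=4\r\n"
```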
