Hacking Exposed Computer Forensics Blog

Hello Reader,
          There is some interesting testing going on with shell item storage. The quirks of lnk files naming and storage by extension is surprising and needs more testing before its documented. Something that has been tested though is how many items a jumplist will store.

When Eric Zimmerman was first writing Jumplist Explorer we were discussing what the maximum amount of entries stored in a single jumplist could be. So we wrote some quick automation and found that a single jumplist will store approximately 2,000 items before it purges the oldest item. I suspect the hard limit is 2048 (power of 2) but in our testing it was when we reached 2,000 that older items began being deleted from the structure.

Now this does not mean the older entries are lost, the jumplist is a compound file system and the streams are just marked as deleted and available to be recovered until a new entry gets written over it. In fact Jumplist Explorer can recover deleted entries and mark them as such. Tomorrow I'll see if I can get screenshots of this happening and show the internal record numbers. 

Hello Reader,
         If you don't read the port139 blog, you should! On the most recent post the port139 blog, translated from Japanese to English, validated the Windows 10 copy paste artifacts I wrote about earlier this month. You can read about it here:

http://port139.hatenablog.com/entry/2018/07/29/211630

I really liked reading this as it allowed me to see how another examiner approached the artifact and provided another examiner validating the artifact.

So if you were looking for something to write about, pick an artifact and test it!

Hello Reader,
           Another week, another challenge. If you are reading this don't feel your answer needs to perfect to submit. You never know when everyone else got to busy to try. Give the challenge a try, even if you don't win $100 you still won new knowledge.



The Prize:
$100 Amazon Giftcard

The Rules:




The Challenge:
Windows 10 keep changing and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and play devices that haven't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document what versions of Windows 10 has the task enabled and if it survives being upgraded. 

Hello Reader,
             Jet Lag got me and I fell asleep before posting this earlier, but I'll take advantage of this random wake up time to post the winning answer. This week I thought I didn't have any submissions but missed the fact after a 16 hour plane ride that I did have quite a complete answer from Adam Harrison. Luckily I did get some more last minute submissions after reaching out but in the end Adam wins again.

The Challenge:
On a Windows 10 system what are the different ways you could determine what timezones a user was in prior to the whatever timezone is stored in the registry?


The Winning Answer from Adam Harrison:
Posted on his blog here.

Adam did submit a document as well but the blog post is more up to date.

Great job Adam! Look for another post in the daylight hours with this weeks challenge.

Hello Reader,
           Greetings from my flight from Abu Dhabi to Dallas, Texas. We had a Forensic Lunch today with just Matt and I talking about Bitlocker, the Defcon DFIR CTF and making future challenges and test images with the possibility of live streaming us watching machines get compromised. Unfortunately I was doing this from a hotel so the stream got disconnect midway through so its in two parts.

Here is the first part:
https://www.youtube.com/watch?v=0uHUF7AXVHg

here is the second:
https://www.youtube.com/watch?v=x3Grhz5f6TU

Normally I would embed the videos but the inflight wifi is blocking Youtube and my VPN isn't working. In good news though in 14 more hours I'll be back in Texas and able to get back to a regular schedule.

Hope you enjoy!

Hello Reader,
             As I was looking at the FVE metadata header and decoding the output I realized two things.

1. There is more here than I previously understood, I didn't appreciate the layering of keys that existed.

You can read more about how this works here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-key-management-faq as a TLDR though there are three layers of protection that are provided. The documentation goes from the disk and up but let's go the opposite way, the way a user interfaces with Bitlocker.

The protector you have picked (TPM, Password, Pin, etc..) will be used on successful authentication to decrypt something called the Volume Master Key or VMK. As I am going through the metadata header I can see the attributes marking the VMKs that exist.

The VMK in turn once decrypted is then used to decrypt the Full Volume Encryption Key or FVEK which is what actually encrypted the data on your storage volume.  So when the protectors are disabled what is happening is that the VMK key is being decrypted, allowing the FVEK and with it the raw data to be accessed. This is how encryption can be 'paused' or 'suspended' for a windows update without decrypting the drive. Very clever and it explained the huge difference within the blocks.

I was expecting to see one key change or a key exposed, instead the rest of the block that was chaning was actually the contents being decrypted allowing any system that has the ability to support this mode to access it.

This explains why some software packages that access Bitlocker volumes fail to do so without a password/pin/recovery tool as they were not programmed to check if the decrypting keys were left decrypted based on a previous command or action.

When I get back in my lab next week I am going to see how I can get Windows Update to trigger this removal of protections for me as I think this will likely allow for the imaging of a drive that is technically encrypted but allows anything that understands it to decrypt it. I am going to focus this on the scenario of a system I don't have credentials for as if I did I could just log in and get manage-bde to provide me the recovery-key I needed.

This also means for those doing onsite acquisitions if you don't want to rely on extracting the key from memory you could just get manage-bde to get you the recovery key prior to imaging and be able to access the drive in your lab.

2. I need to write what I'm doing manually into a Python script to really do this effectively. I could make an 010 template but it would seem that a Python script to parse these fields would lead to better long term results and testing.

This is likely going to start next week as well as tomorrow is a Forensic Lunch day and then I'll be reviewing the Sunday Funday submissions on the 16 hour flight home.

Thanks for reading this far and frankly for reading this at all. Forcing myself to research, test and document things everyday is already making me feel more engaged again and clearing out old lingering questions I never made time to answer. I would hope others have already discovered most of this (Jesse Kornblum and Joachim Metz have documented these things in their work) but I find a lot of value in doing it yourself if you really want to understand whats possible.

Hello Reader,
               I've now extracted the FVE Metadata block from a vhd encrypted with bitlocker while bitlocker is active and is protecting the VHD with a password and after I turned off protection. I was expecting to find the clearkey attribute set on the volume master key as described in the libbde documentation. Instead the protection was the same but it appears as though the decryption keys were left unprotected.

I removed the bitlocker protection using the following command
manage-bde -protectors -disable d:


I then checked the status of the bitlocker volume wit the following command
manage-bde -status d:


The protectors are still place and the recovery key has not changed:


However, comparing the same metadata block before and after removing protection shows that alot of changes occurred in the metadata block:


I'm still breaking out all the values that changed to understand them all better but this different than what I expected. Let's see what tomorrows testing brings.

Hello Reader,
                I was reading the libbde specification again and noticed I was missing something in the screenshots I posted yesterday. Yesterday I stated the hostname of the computer that encrypted the drive was present as well as the date it was encrypted. What is being stored between those two values though is the name of the volume being encrypted.

So in the first example:


After the Desktop hostname you can see the Unicode string bitlocker test. This was the name of the vhd I created and formatted NTFS for this test.

In the case that there is no volume label present, as was the example with my Bitlocker ToGo example, the drive letter it was assigned at the time of encryption will be stored as seen below:

In the above screenshot after the SANS-FOR600 string and before the 7/23/2018 string you can see F:. F: was the drive letter assigned to this volume prior to its encryption with bitlocker and the volume had no name given at the time of format.

So in total from an encrypted bitlocker disk so far we can determine:
1. The Hostname that encrypted it
2. The volume label or drive letter assigned ( if there is no volume label present) when it was encrypted
3. The date if was encrypted
4. In prior research we found we find the key identifiers of the recovery keys

Why is this useful? We can match this up in the case of external drives not only with the systems that encrypted them but also to the artifacts that show what was being accessed from these drives. In addition if you needed to look up a recovery key you could so with the hostname even if the identifier doesn't help you. Lastly you can determine when something was encrypted as it might correspond to a time when your suspect became aware of an investigation. 

Hello Reader,
             I'm continuing my Bitlocker experiments while here in Abu Dhabi until I return home this weekend to do more MAPI testing of OWA changes. After my last post and experiment I got some help from a friend and reread the Bitlocker specification from libbde here. In my prior Bitlocker work I don't think I appreciated what information the FVE metadata blocks were providing me.

Within the Bitlocker encrypted volume (without providing any keys, just the raw encrypted data) there are three metadata blocks that i'm looking into and that Metz has documented. Looking at the first one I see the following entry on a new vhd that I created, attached and bitlocker encrypted.



If you look closely starting at 3100078 you will see the start of a Unicode string that says Desktop-IVOIVRB this hostname of the machine I did the bitlocker encryption with followed by the date I encrypted the volume.

I thought this was very interesting! We can determine the name of the machine that encrypted the volume and when it was encrypted, but this was a fixed vhd. So I decided to use my SANS instruction laptop to encrypt a flash drive with Bitlocker ToGo to see if there was any difference.


Looking here starting at Offset 2800078 you can see the beginning of the Unicode string SANS-FOR600 which is the name of my instructor laptop and the date I encrypted the drive.

So Bitlocker of Bitlocker ToGo both will tell you the hostname of the system that encrypted the volume and the date it was encrypted! Faxcinating! More to come as I begin to tweak the properties of these drives with manage-bde and see what comes to light. 

Hello Reader,
             Another week already? Time for another challenge to keep your wheels turning and your research skills sharp. This week let's talk about time zones and Windows. With Windows 10 automatically changing your timezone by default based on your location its going to be come more important to know not only where but when someone was at a particular point in time.


The Prize:
$100 Amazon Giftcard

The Rules:




The Challenge:
On a Windows 10 system what are the different ways you could determine what timezones a user was in prior to the whatever timezone is stored in the registry?

Hello Reader,
            Another week, another challenge. It came down to the wire, that I extended, but we have an answer and a winner. This week's winner Justin Boncaldo sent in the only entry, many others were talking but didn't submit! So remember that submitting is half way to winning when tomorrow's challenge gets posted!



The Challenge:
Cortana used to have a database that kept track of location information and other relevant DFIR data. As of a year ago the database has changed and the location data is nowhere to be found. For this weeks challenge please answer the following questions:
1. Where does Cortana keep it's data now
2. What data does Cortana retain now 
3. Is there any location history left from Cortana

The Winning Answer from Justin Boncaldo:

As you know, Microsoft's Cortana used to store forensically valuable information within

 - 'CortanaCoreDb.dat' [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/localstate/ESEDatabase_CortanaCoreInstance] and

 - 'IndexedDB.dat' [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/appdata/indexed DB/]. 

1. It appears that the majority of Cortana's data is now stored in the cloud, and then requested on a necessary basis. By keeping most of a user's data on their own servers, Microsoft helps strengthen user security, allows seamless transition between devices, and allows for data to be utilized faster.

2. Although the two databases still exist on the system, not user data appears to be stored there anymore. Cortana currently mostly stores numerous json files and visual assets locally; necessary for the use of the application and a functional connection to be built with the servers. However, I was able to find two locations with potentially useful information. The first being "Local Recorder" at path  [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/Localstate/LocalRecorder/Speech/SavedAudio]   . This appears to contain locally stored instances of the audio recordings that Cortana takes. WAV audio files are saved using the shortname naming convention, and will automatically delete themselves from the system over time. Audio playback has not been successful for me yet, because these files are displayed with a filesize of 0 Kb. I have yet to compare this creation timestamp to that of a Cortana activation instance.  The second piece of data is WIFI data located at: [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/Localstate/signals/collection/Wifi]. This file stores the network SSID that the device was connected to at the time of voice commands. Unfortunately, this information is also deleted after some time and more testing needs to be done with this.

3. I believe these two locations could both hold valuable information to support other location data. Although they are not directly connected the user to a specific location on the earth, they might be showing that the user was using Cortana's voice commands at a specific time, and that they were connected to a specific network connection at that time too. Again, this is not direct data -and is apparently extremely volatile. More testing will be done to observe more actions of Cortana.  

 

Hello Reader,
            We had a great Forensic Lunch today with our guest Arman Gungor (@armangungor) from metaspike.com, talking about his research posted on the meridian discovery blog (like this one https://www.meridiandiscovery.com/articles/email-attachment-timestamps-forensics-outlook/ ) and his work on Forensic Email Collector. Matt and I also talked about the upcoming Defcon CTF and our planned live streams from Defcon providing commentary.

The video got split into two due to broadcasting software issues so here is the first video with Arman:

And here is the second video with Matt and I talking about the CTF


There will be another Forensic Lunch next Friday 7/27/18, looking forward to seeing you then!

Hello Reader,
          In a prior Sunday Funday regarding Bitlocker drives and Windows upgrades I extended my ask a bit too far in what I put into the challenge and justifiably received no submissions. I haven't stopped looking into the question though of how does Windows temporarily disable Bitlocker to allow the machine to boot for an upgrade and how can we as examiners take advantage of it.

In my research into this I've learned about the 'clearkey' which I've heard of before. The 'clearkey' means that the key to decrypt the bitlocker volume is left in plaintext within the volume. This allows for the bitlocker volume to be present and allows the user to in the future, if they so choose, to protect the volume with a password and recovery key. It appears as though some Surface computers come with this mode on when shipped.

However that did not answer my question about upgrades, as the drive isn't being re-encrypted in the upgrade process. It turns out there is an option to temporarily set an existing image into 'clearkey' mode. To do this you would execute the following command in an administrative command prompt

manage-bde -protectors -disable c:

Here is a screenshot of it successfully running

Checking the status of the drive with the command

manage-bde -status

I see the following


 Notice it has left the protection off for 1 reboot by default, just enough for an update to complete.

I'm going to encrypt a vhd next week and do some testing to see how the tools recognize this. When I'm back in the office in a week (still in Abu Dhabi!) I'll let one my machines upgrade and see if 'cleartext' mode is in fact enabled on my Bitlocker drives allowing me to decrypt them!

Hello Reader,
              I've talked about this in the Forensic Lunch and I think showed it once in a Test Kitchen but I don't think I've written about it in the blog. After reading the ongoing discussion on Twitter about the need to document beyond tweets and videos, you should read Brett Shavers post here , led me to understand that I need to put it in the blog as well to make it more accessible long term. In my mind I've already shown and shared this but I can't expect that everyone has watched and memorized the 100+ episodes of the Forensic Lunch.

So new as of at least Windows 10 (this needs to be tested on Windows 7 and Windows 8) there is a now a jumplist that is capturing the full path of every directory that is copy and pasted. For those of you doing external device investigations that means we have a data source that will show us what data our suspects have been copying and pasting onto external drives ... but only if what they are copying and pasting is a directory. Individual files being copy and pasted does not appear to be tracked, just directories.

You will want to look into the Jumplist with Appid f01b4d95cf55d32a and within it you find an entry for every directory that has been pasted. You will not get the source location but rather the destination which in my mind is more useful. The MRU date associated and the creation time of the directory will show you when as well.  

Hello Reader,
             I'm currently teaching in Abu Dhabi and hanging out with my family at night which means I'm not investing the time to do the next level of MAPI testing I need to do. Instead after the warm reception yesterdays post received I thought I would follow it up with a new series I will add to over time called ' How I Use It'.

Often times we talk about artifacts and evidence sources and how to interpret them, in fact there are so many that most people often forget what they know about them. What we don't often talk about is how we as examiners use that data within their casework to make conclusions or points.

So in this first post in this series of how I use different artifacts I want to talk about the Userassist key. This isn't a new key, it's been around since I first saw it in 2002 and wrote about it in the first Hacking Exposed Computer Forensics book in 2004 but people seem to overlook its usefulness.

Userassist records those programs that a user has executed from the GUI, that I would hope is well known at this point. I've posted about it once in 2013 (http://www.hecfblog.com/2013/08/daily-blog-45-understanding-artifacts.html) and even earlierin 2009 (http://www.hecfblog.com/2009/03/what-did-they-take-when-they-left-part_25.html) both times I didn't really go into detail of what I use it for.

So here are my main analysis points from reviewing this artifacts:

1. What kinds of programs is my suspect executing?

It's difficult to judge the technical proficiency of a suspect from the statements of the people who knew them as their frame of reference in judging their technical abilities is usually focused around how well they use Excel or Outlook. So rather than letting their statements of their abilities to be 'master hackers'  I like to see what kinds of GUI programs they've been executing.

Is it just Office, Outlook and IE?  Or are they loading regedit, going into the command prompt and looking into different system mmc's.  The difference in what they are executing helps me judge the types of artifacts I should expect to find and how closely I need to inspect the dates and artifacts the system is showing me.

In addition I can look for evidence of encryption tools (Veracrypt/Truecrypt), wipers (eraser/bcwipe) and even anti forensics tools (Ccleaner, everyone's favorite). All from one helpful key that will even tell me how many times they've executed it.

2. How far back does the Userassist go? Is it complete?

The Userassist key starts populating data when your first profile is first created and you've logged in for the first time. That means that the history of programs within the key should go back as far as the user profile creation. If there is a gap, especially if it is a large gap, you could be seeing evidence of anti forensics. Start looking for what happened immediately before the gap began to see what could have cleared the data.

Also remember that deleted registry keys, just like deleted files, are not gone just because we delete them. So make sure to use a tool that will show you any potential deleted userassist keys or values. tools like Registry Explorer, YARU and others can expose this data to you while exploring the keys.

3. What email clients is my suspect using?

I'm often looking for my suspects email archives. Rather than guessing what Email client they are using (yes some people don't use Outlook) I can just go to the Userassist key to find out. Unless you have a very interesting suspect using a command line based email reader (pine in windows subsystem for linux?)  the rest are GUI based and should be recorded. If I find no email clients I need to look for what web mail services my suspect is using in their browser history.

4. What web browsers is my suspect using?

Lastly in my normal inspection of the Userassist I'm looking to understand what web browsers by suspect is using. It is not uncommon now for a suspect to be using 2, 3 or even 4 different web browsers on their system during one day. So I use this as a sanity check to make sure:

1. I'm looking for history from all of those browsers, its easy to miss one and focus on the others
2.  I need to make sure my forensic tools support the browser being used, I'm looking at you Maxthon, as its easy to miss a whole browser history cache because you didn't realize the limits of your tool.

So that's the first 4 questions I would answer when reviewing this key and I review this key early in my investigation along with other basic artifacts (execution history, file access and device usage) to start understanding what to expect from this system.

Hello Reader,
               I enjoy teaching forensics as students always ask questions to make you figure out things you just take for granted. A good example of this was last month while in Amsterdam I had a student ask, hey why is the computername registry key in the System registry (located under System\\Control\ComputernName\CompuerName) under a registry key named computername. 

I've always made jokes about this key, see post title above, but never really took the time to understand why it was setup this way. A couple of google searches and some in class testing later I had my answer.

It turns out that when you change the name of your Windows computer in the control panel that a new key is added to the base computername key. This new key called ActiveComputerName contains the old name of the computer prior to you changing it while the new name you have given the computer is now stored in the ComputerName key.

Here is the ComputerName key after renaming the computer



Here is the old name of the computer, located in the ActiveComputerName key

Here is the new name of the computer in the ComputerName key



On reboot the activecomputername key is deleted and the new ComputerName key is kept.

So there you go, there is in fact a reason and a function for the duplication in the computername registry key. Every key, every decision has a story and understanding how it works and why will only make you a better examiner. 

Hello Reader,
          Windows 10 keeps on changing and with it new features come along that we care about and old features we were excited about disappear. Let's see if you can solve this missing artifacts mystery in this weeks Sunday Funday.


The Prize:
$100 Amazon Giftcard

The Rules:




The Challenge:
Cortana used to have a database that kept track of location information and other relevant DFIR data. As of a year ago the database has changed and the location data is nowhere to be found. For this weeks challenge please answer the following questions:
1. Where does Cortana keep it's data now
2. What data does Cortana retain now 
3. Is there any location history left from Cortana

Hello Reader,
         Things are always changing in forensics and especially forensic analysis of cloud hosted systems. This weeks challenge involved Office 365 audit logs and while the contest was going this week Microsoft announced welcome changes that will be rolled out that will change both the question and this weeks answer. So congratulations to this weeks winner Adam Harrison .



The Challenge:
Explain in a compromise of a Office365 account what you could review in the following circumstances.

Scenario a: only default logging in a E3 plan

Scenario b: Full mailbox auditing turned on

You are attempting in both scenarios to understand the scope of the attackers access 





The Winning Answer from Adam Harrison:

• Unified Audit Log, via Audit Log Search in the Security & Compliance Centre and accessible using Search-UnifiedAuditLog' cmdlet. This will need to be enabled if not already enabled and will provide retrospective visibility if enabled after the fact.
• Mailbox Content
• Read Tracking 
• Message Tracking Logs
• Mailbox Rule information
• Proxy Logs/ DNS Logs/ Endpoint AV Logs / SIEM
• Office 365 Management Activity API
• Azure Active Directory reports and Reporting Audit API (With Azure AD P1/P2)

• Unified Audit Log - but now with more detailed events recorded as a result of enabling 'mailbox auditing'. The 'Search-MailboxAuditLog' will now also be available.
• SharePoint Audit log reports

Hello Reader,
                  Good news, the Unicorn maybe dead but it turns out all of the issues that it raised is causing a major change from the Office 365 team. You can read the official announcement here: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171 but here is the TLDR:

1. Mailbox auditing will now be turned on in full mode by default for all commercial tenants
2. If you already have mailbox auditing turned on it will continue to be on
3. They are going to add more audit flags to provide more granular access

This is great news and it should be on by default across your potential investigations by the end of year, but you could always just try to talk people into turning it on now!

Hello Reader,
           In the first 24 hours we've already had 39 signups for the CTF, last year we had 125 and I've expanded the initial amount to 200 to start with. I wanted to provide an update because we are going to cap this to keep it manageable and I expect that we are going to hit our max again this year.

Why do I expect to hit the max? Well if you consider there are over 10,000 people at Defcon then 200 is only .02% of the total population. We think there are more DFIR and DFIR interested people at Defcon than most of us realize and our hope is to build the interest into a community there to bring people into out world that may not realize we exist.

Make sure to sign up here:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055

Hello Reader,
            Matt and I are working on creating the evidence you will be examining for next months Unofficial Defcon DFIR CTF! This post is here to let you know that:

1. We plan to do it again this year
2. We will be distributing the files electronically this year, no in person transfer needed
3. Signups will happen through CTFd I'll be posting the link closer to Defcon
4. If you or your company wants to supply a prize we open to working with you on that. Last year we did it in partnership with SANS who provided DFIR Netwars Continuous to the winners
5. This years scenario is set to be much more involved than last years, if everything we are planning works out
6. We are still planning on restricting this to people who are in Las Vegas for the event. Why? So we can get everyone who qualifies together at the end

We had a lot of fun last year and we look forward to meeting new talented examiners this year.

You can sign up here:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055

Matt and I will be doing a live stream during the event to provide some commentary on how it's going. This is something we wanted to do after the Magnet CTF and it should be fun.

Hello Reader,
         Since my last test that showed that the Extended MAPI data wasn't be updated when I modified a message in OWA in my local outlook client I've been testing ways to get this updated data.

First I tried to download my mailbox, but apparently I need to get a working EWS url first. So I'll try that again tomorrow.

Second I went into the compliance center and searched for and found my test message I've been experimenting with. In doing this I downloaded the original message in EML format (the only option given) and I still did not find the updated extended MAPI data as seen below:


Here the Last Modification time got set to when I downloaded the message from Compliance Center and the original submission time exists. But I have no Last Verb time or code showing this message was replied too.

Third I emailed myself the message in OWA as an attachment by drag and dropping the message into a new email, this actually put the message as a MSG attached to the email message. Once I accessed this within Outlook in my local system I was able to see the expected data:



Here you can see that we finally have the expected Last Verb time showing when the message was replied to and when it was replied to. The Last Modification has been updated to reflect when I sent the message to myself as an attachment.


So I now need to download the mailbox fresh and then look into my local outlook account to see if this data has finally been updated.