Hacking Exposed Computer Forensics Blog

Hello Reader,
       If you want to understand how people outside of our DFIR space see and understand us, even with a technical infosec background, check out Jessica Hyde's appearance on Rally Security. It was a great reminder of seeing something we are all so deep in from the outside. I think putting yourself into others perspectives helps you explain things and educate others on what we do.

You can watch it here:
https://www.twitch.tv/videos/303079856

Hello Reader,
            Another Test Kitchen has been recorded. If you want to catch these live I can't promise any particular broadcast time as I do these when I have time, but if you subscribe to my Youtube channel (https://www.youtube.com/user/LearnForensics) you will get notifications whenever I do go live.

This Test Kitchen I did more experimentation with the creation of ObjectIDs when saving files from browsers to the Downloads directory with surprising results! It turns out that:

• Saving a text file in Chrome to the downloads directory will create an ObjectID and a LNK file even without opening the file
• Saving a text file in Firefox to the Downloads directory will create a LNK file but will not populate the ObjectID attribute. 
• Saving executable files in both browsers will create Zone.Identifier alternative data streams as Phill Moore researched prior but will not create ObjectIDs or LNK files. 

Hello Reader,
        In the UK or Europe? In three weeks on September 17, 2018 I'll be teaching SANS FOR500 Windows Forensics with Lee Whitfield. If you've read the blog, played the ctfs, done the challenges and watched the forensic lunch its time to come fill in the gaps. In class Lee and I will be going beyond the books to explain how and why things work and what you can rely on.

Interested?
You can find out more here:
https://www.sans.org/event/london-september-2018/course/windows-forensic-analysis

Hello Reader,
    I've been looking into ObjectIDs quite a bit lately so why not open up the fun to all of you and let's see what a crowdsourced effort can produce. This week will see the intersection of programming and analysis in what should be a good learning challenge for many of you.


The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
      This weeks submissions missed the mark, I got some submissions about lnk file security vulnerabilities but none addressing limitations on how they are created. So sounds like good topics for future test kitchens and a new challenge tomorrow.

Hello Reader,
         I was thinking more about yesterdays test kitchen in regards to ObjectID creation on Windows 10. To summarize the point if a file gets created in the GUI in Windows 10 it creates a shell item (lnk, jumplist, recent doc, etc...) as well as gets an ObjectID. It occurred to me that just as we have trained examiners to look for Zone.Identifiers for evidence of files downloaded we could use the absence of a ObjectID on a Windows 10 file to find those files that were either not created within the GUI or created in one of the special exclusion directories (outlook temp, internet temp, etc..).

With this in mind we could quickly triage through and in an intrusion scenario eliminate all the files that a user created through the GUI, then eliminate the system files through hash comparison leaving us with just a smaller set of files whose hashes aren't known and were not created by the user. This along with a comparison of the execution artifacts could lead to some pretty fast triage for possible malicious executables.

I'm going to see next week about writing a python script to do this, expect a sunday funday challenge related to this. 

Hello Reader,
       I know many of you have work or home labs where you do test things, research things and overall use different virtual environments. What many people don't know though is that you can get a hold of almost all of the VMware software you need like:

• VMWare Workstation
• VMWare Fusion
• VCenter
• VSphere ESXi Enterprise
• VSan

Hello Reader,
        In Hideaki Ihara's blog post on the port139 blog,  he talks about a subsystem that has been around for quite some time the Distributed Link Tracking System which allowed for lnk files and other shell item structures to survive a file being renamed or moved prior to the inclusion of the MFT Reference numbers in Windows 7. This means that there are at least two methods within a LNK file now that will allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki is pointing our that when a file is opened and a shell item is created for it that an Object ID should be created for it as an attribute. While I agree this is true I would also look for the creation of the LNK file itself and then what jumplist got updated to determine what application opened the file. Especially since not every file opened will get an Object ID as stated in the limitations section of the Microsoft documentation.

In summary a Object ID won't be set even if a file is opened when:

1. The file is being opened from a removable drive 
2. The file is being opened from a FAT drive
3. The file is being opened from a newly formatted NTFS volume and it the system hasn't rebooted
4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't been rebooted

Hello Reader,
Microsoft is also introducing subtle changes in Windows, sometimes they were always there but we just didn't notice. Lets see what you can determine in this weeks lnk file challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
           This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week but I would encourage anyone reading this to give these challenges a try and submit an answer. You can only benefit from the research and possibly the win!


The Challenge:
For Edge, Chrome and Firefox where could you find evidence of what was uploaded to a file sharing site. Please include all of the locations available, not just the url history


The Winning Answer:
Lodrina Cherne @hexplates

Hello Reader,
       This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before we move onto the next project.

As a reminder the CTF is located here:
https://defcon2018.ctfd.io/

And you can download the images here:
http://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

Thanks everyone for playing and hopefully you will learn something from the experience! Next time we will up the difficulty. 

Hello Reader,
           If you haven't already done so check out this blog post from Malware Maloney:
https://malwaremaloney.blogspot.com/2018/08/windows-10-notification-wal-database.html

In it not only does author show how to create a new query for pulling messages from the database he also extended a SQLite python library to correctly decode the write ahead log of the SQLite database that stores the notifications. Meaning you can recover more deleted messages.

Give it a read and in a future post let's take that and write a script around it.

Hello Reader,
        I realized that while I posted this on twitter I did not share this on the blog which is the more permanent record of things. First this years Defcon DFIR CTF was sponsored by:


SANS - Donating 1st prize access to DFIR Netwars Continuous for a year and lego minifigs
Also if you were in the blue team village at just the right time we brought out SANS tshirts, polos, keychains and posters that quickly disappeared.





 Magnet Forensics - Donating a really cool backpack that contained a license of AXIOM, a magnet water bottle, magnet external cell phone battery and a cool magnet pen.










 Blackbag Forensics - Donating a license of Blacklight and a really cool insulated drink cup (like a yeti or rtic but with a very nicely done blackbag logo)







 MetaSpike - Who donated a license of Forensic Email Collector which will go to whoever gets the first perfect score in the Defcon DFIR CTF!

• 1st Place went to Hadar Yudovich @hadar0x

• 2nd Place went to Phill Moore @Phillmoore

• 3rd Place was a tie between Jessica Hyde @b1n2h3x and Jan Wichanski @JanWichanski

Hello Reader,
       For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten leading to strange results.

Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.


Check it out below!

http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf

Hello Reader,
            This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it's your turn to give the challenge a try.

The first image password is 'tacoproblems'
The second and third image password is gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

Hello Reader,
Defcon is over and with it our CTF. For this weeks challenge lets look at some browser forensics artifacts that could be helpful to you when I open up the forensic ctf to the public tomorrow.         


The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
Another week , another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.




The Winning Answer:

Hello Reader,
      Another late post after a long day in Vegas. We launched the ctf today and already have a fight for the top 3 spots. As more people get the evidence I'm expecting it to get really interesting.

We initially planned to do a live stream today but spent most of the day finishing the last questions so I expect we will do the stream tomorrow instead.

For those who want to watch the scoreboard go to
https://defcon2018.ctfd.io/scoreboard

To follow along, the contest ends tomorrow nighy! There is a long time for everything to change by then.

As before once the event is over we will make the images public and everyone can play, just without prizes.

Hello Reader,
Just a reminder that the ctf starts tomorrow afternoon. If you are in Vegas and have not signed up yet here is the link:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055?ref=estw

Prizes:
1st. DFIR Netwars Continuous for a year from SANS and. Lego mini fig
2nd. Magnet prize loaded backpack, Lego mini fig and license of forensic email collector
3rd. Blackbag prize pack

It's not too late to sign up, get ready!

Hello Reader,
     A quick one before I fall asleep after a long day of ctf prep and Vegas fun. If you are using the fresponse imager to capture a full disk be aware that it seems to default to a sparse image format and leaves out shadow copies.

However imaging the same fresponse mounted image with another tool will capture the full disk.

Hello Reader,
           Today I'm sharing a lesson I learned from acquiring systems in the cloud from another cloud hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects.

I was quite confused, I checked the network and realized my RDP session was active the entire time and hadn't timed out. I restarted the F-Response service and kept a ping running, when the F-Response agent timed out I noticed the ping never lost a packet.

So I reached out to the excellent support staff (aka Matt Shannon) at F-Response and explained my problem and they quickly reached out (after 5PM!) and offered a suggestion, check your clock skew.

This isn't something I had run into before and so I went and made sure my clocks were the same and now it's happily imaging away.

So hopefully this helps someone in the future, if you F-Response subject keeps timing out check to make sure that the license server and the subject are set to the same time!

Hello Reader,
           Thank you for all of the responses in the blog comments, on twitter and on LinkedIn to my question regarding Anti Forensics tools used in the wild. It was great to expand everyone's knowledge of what tools to look for and make a list of those I need to test to see what traces each of them leaves behind. With that in mind let's see how you handle this weeks Anti Forensics themed challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
           Another week where Adam Harrison has again dominated the entries. For those of you thinking about trying out next weeks contest don't be deterred. You too can be a winner with just some basic effort and some good documentation skills!

The Challenge:
Windows 10 keep changing and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and play devices that haven't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document what versions of Windows 10 has the task enabled and if it survives being upgraded. 

The Winning Answer:
https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html?spref=tw

Great job Adam! Come back tomorrow for a new challenge!

Hello Reader,
       Today I have a question for you. In my work I've encountered tools that my suspects have used to clean or wipe their system. However I'm wondering what others are out there that I haven't seen yet. So here is my list

• CCleaner
• Evidence Eliminator
• System Soap
• PC Optimizer Pro
• BCWipe
• Eraser
• Sdelete

Hello Reader,
           One of the problems we are having recently in Windows 10 forensics is that what would previously be identified with a major service pack version or a new version of Windows is now being marked as a feature release. These releases are changing the behaviors we rely on in forensics and we are going to have to start referring not just to Windows 10 but the build of Windows 10. This isn't going to stop in the near future as Microsoft says that they plan to just iterate Windows 10 for the foreseeable future.

If you look at some of Adam Harrison's recent blogs you'll notice he has multiple major versions of Windows 10 running within different VMs. I think this kind of setup will be necessary going forward and we are going to have do more regression testing of artifacts both old and new to understand the new normal.

I'll be following this up with what the major releases are so we can start building a common vernacular in describing Windows 10. For now just be aware that just because its Windows 10 does not mean that any previous Windows 10 research still applies without testing. 

Hello Reader,
       I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Kahtri blog post about it here. I was reviewing a file list produced by an opposing party in a litigation we are working and suddenly saw a directory full of notification images and got curious again.

Since Yogesh first blogged about it the location of the Notification data has changed and it is now located here:
\Users\\AppData\Local\Microsoft\Windows\Notifications

Pictures pushed to the system and displayed in start menu tiles or notifications are stored here:
\Users\\AppData\Local\Microsoft\Windows\Notifications\wpnidm

And the database is now a SQLite database named wpndatabase.db which you can open up with any SQLite tool. I am using Navicat for SQLite because its one of my favorites.

When I did I found the database I went looking to see which table contained the data that I would think is interesting and found a table named Notification, here is the schema:


There are three fields here you should pay attention to the first is the HandlerID which will tell you which program created the notification, you find the name associated in the NotificationHandler table.


The second field is the Payload field, this is the actual contents of the Notification, I was looking through here to see if there was something interesting and found all the Notifications that Outlook had been popping up as I was getting new emails. Here is an example:




Caesars Total Rewards
Win big in August with the play by TR app! Download now!
<http://click.email.caesars-marketing.com/open.aspx?>
Download and log in to be rewarded.         View this email with images. <http://view.email.caesar...