Daily Blog #493: Sunday Funday 9/30/18

Hello Reader,
       If you watched the Forensic Lunch Test Kitchen this week you would have seen I was using Sysmon to monitor registry changes. Let's see what you would do in this week's monitoring challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 10/5/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
How would you monitor/record changes to registry keys? What could you do to get more data?

Daily Blog #492: Solution Saturday 9/30/18

Hello Reader,
           This week Phill Moore of thisweekin4n6 has clinched the win with a registry ripper plugin to expose and parse the edit flags in the challenge. Make sure to check out his code below and do your own testing as I do mine!

The Challenge:
The Edit Flags key controls which extensions get LNK files. Please test on the Windows OS of your choice how the different flags affect Explorer's behavior and which extensions by default show these behaviors.


The Winning Answer:
A submitted registry ripper plugin 

Daily Blog #491: Test Kitchen 9/27/18 Sequential ObjectID Testing

Hello Reader,
        We had a short broadcast this evening to test and show how the timestamps within the ObjectIDs were being set and incremented.

We learned that:

  1. Files extracted en masse may have the same object ID timestamp
  2. Files created by the user should have incrementing object ID timestamps

I've uploaded the new script (ObjectIDScannerV2) to the TestKitchen Github:
https://github.com/dlcowen/TestKitchen/tree/master


Watch it here:

Daily Blog #490: The end of enfuse/ceic

Hello Reader,
Just in case you're not on Twitter, there is confirmation that the conference by the company formerly known as Guidance Software is no more. Our industry's biggest conference (that I'm aware of) is being rolled up into the larger OpenText conference.

The future should be interesting to see what comes in its place and how people accept it.

Daily Blog #489: Do you IR your pentest labs?

Hello Reader,
           Lately I've been experimenting with https://hackinthebox.eu but not for the normal reasons. I've always enjoyed the technical aspects of pentesting, and very rarely enjoyed the reporting or politics of remediation, which explains why I've done the National Collegiate Cyber Defense Competition for so long. With the Hack in the Box challenges though I'm not just practicing interesting techniques with a longer time frame than I normally get, I'm also getting to do some log and artifact review once I've compromised the system to see what data is being logged.

If there is one thing that most researchers would agree on, it is that getting good test data is hard work. With the large number of vulnerable systems set up in interesting ways I'm looking forward to sharing more of what I'm seeing. While some of the systems have logging turned off during the initial attack, once you get access there are no restrictions on changing the machine configuration to start logging the data.

To make things easier I've got a dedicated lab paid for where I'll be doing controlled testing, and in the future I plan to transition the same access to the public systems to do live-streamed attack detection with Matt.

Always more things to try, test and do! Let me know if you are doing something similar. 

Daily Blog #488: Tool Highlight Mac APT

Hello Reader,
            I'm sure a lot of you follow Yogesh Khatri's research but I wanted to take this post to point out that his macOS Artifact Parsing Tool (mac_apt) continues to be updated. It not only supports parsing full disk image formats (E01, DD, DMG) but it now supports APFS.

Combined with the only support for Spotlight indexes outside of BlackLight, you have a pretty amazing free and open source tool with a plugin framework you could be contributing to if you do OSX investigations.

Want to learn more?
Go Here: https://github.com/ydkhatri/mac_apt

Daily Blog #487: Sunday Funday 9/23/18

Hello Reader,
       Let's try this again. We had some great weeks of Sunday Funday answers so I'm looking for another week of great submissions from motivated examiners.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/28/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
The Edit Flags key controls which extensions get LNK files. Please test on the Windows OS of your choice how the different flags affect Explorer's behavior and which extensions by default show these behaviors.


Daily Blog #486: Solution Saturday 9/22/18

Hello Reader,
        I was hoping a testing challenge would bring in more responses but we go another week without a winning entry. I'll be trying something different with tomorrow's Sunday Funday.

Daily Blog #485: Forensic Lunch Test Kitchen 9/21/18

Hello Reader,
         Continuing on from last night's test kitchen I've had another broadcast today trying to monitor the changes to the registry with Sysmon. What I saw in Sysmon showed me the key was being created each time Explorer exits and then the values of the url keys were set; however, it did not ever show the key being deleted. So we did some exploration into the TxR regtrans files and the LOG1/LOG2 transactional registry files in an attempt to find the changing keys. We may have found references to the keys but now we need more tools to decode the transactional logs, so we will continue another night.
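The Sysmon side of this test can be worked through offline. The block below is an added example, not code from the blog or from the TestKitchen repository: it takes Sysmon registry events (Event ID 12 for key create/delete, 13 for value set, 14 for rename) that were exported as XML, keeps only those whose TargetObject lies under the TypedPaths key, and prints a short timeline of which process touched which value. The hostname, SID, PID, times and paths in the embedded sample export are constructed; the field names follow Sysmon's registry event schema, and the fourth record is on an unrelated key to show the filter working.

```python
# Added example (not code from the blog or the Test Kitchen repo): filter Sysmon
# registry events (Event ID 12 = key create/delete, 13 = value set, 14 = rename)
# exported as XML down to activity on the TypedPaths key and build a timeline.
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
REGISTRY_EVENT_IDS = {12, 13, 14}
TYPED_PATHS_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Constructed sample export (hostname, SID, PID and times are made up). The
# <Data Name="..."> fields follow Sysmon's registry event schema; the fourth
# record is on an unrelated key and must be filtered out.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>LAB-WIN10</Computer></System>
  <EventData>
    <Data Name="EventType">CreateKey</Data>
    <Data Name="UtcTime">2018-09-21 01:02:03.120</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>LAB-WIN10</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2018-09-21 01:02:03.121</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1</Data>
    <Data Name="Details">C:\Users\dave\Desktop</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>LAB-WIN10</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2018-09-21 01:02:03.122</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url2</Data>
    <Data Name="Details">\\fileserver\share</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>LAB-WIN10</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2018-09-21 01:02:03.500</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx</Data>
    <Data Name="Details">Binary Data</Data>
  </EventData>
</Event>
</Events>"""


def _event_data(event):
    """Collect the <Data Name="..."> children of EventData into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def registry_events(xml_text, key_suffix=TYPED_PATHS_SUFFIX):
    """Return Sysmon registry events whose TargetObject lies under key_suffix, oldest first."""
    hits = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in REGISTRY_EVENT_IDS:
            continue
        data = _event_data(ev)
        target = data.get("TargetObject", "")
        if key_suffix.lower() not in target.lower():
            continue
        hits.append({
            "time": data.get("UtcTime"),
            "event_id": event_id,
            "type": data.get("EventType"),   # CreateKey / DeleteKey / SetValue / RenameKey ...
            "image": data.get("Image"),
            "pid": int(data.get("ProcessId", "0")),
            "target": target,
            "details": data.get("Details"),  # only present for SetValue (ID 13)
        })
    return sorted(hits, key=lambda h: h["time"])


def timeline(hits):
    """Render one line per event: time, process, action and the key or value touched."""
    lines = []
    for h in hits:
        what = h["target"].rsplit("\\", 1)[-1]
        detail = f" = {h['details']}" if h["event_id"] == 13 else ""
        lines.append(f"{h['time']}  {h['image']}[{h['pid']}]  {h['type']:9s} {what}{detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(registry_events(SAMPLE_XML))))
```

A real export (for example `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`) emits a sequence of `<Event>` elements without an enclosing root, so wrap it in `<Events>...</Events>` before parsing. A key deletion, if Sysmon ever records one, would arrive as Event ID 12 with EventType DeleteKey and would show up on the same timeline.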

You can watch the video here:

Daily Blog #484: Forensic Lunch Test Kitchen 9/20/18

Hello Reader,
         I ran out of time to get a video up for yesterday's blog post but I wanted to make sure I got this done and uploaded. So I did a test kitchen tonight focusing on what triggers the writing of the TypedPaths registry key I wrote about yesterday and how it overwrites itself in the event of two File Explorer windows being open.

Watch it here:

Daily Blog #483: Typed Paths Amnesia

Hello Reader,
               I'm going to update this post with a video when I get to my hotel room tonight and do a test kitchen. I wanted to take a moment to talk about the Typed Paths registry key in Windows. Typed Paths, if you are not familiar, records the last 25 directories you manually typed into the File Explorer path bar, seen highlighted below:



If you ever tested this registry key (located under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths) you might have been confused that entries didn't show up in the key when you typed paths into the path bar above, but they still showed up in the drop-down within the GUI.


You have to close the file explorer window for the entries you see within the GUI to be committed to the registry key.

When I showed this in class some time ago I had a student who asked a very smart question: 'well, what happens if you have two File Explorer windows open?' So we did the test and as it turns out something very interesting happens.

Both File Explorer windows will start with a copy of the registry key loaded in their process memory and display the same entries. As you type new paths into each window, each will show its own version of the list without any knowledge of the other File Explorer process.

When you close the first File Explorer window the registry key will get updated with the contents of that process's Typed Paths. However, when you close the second it will overwrite the key without checking its contents, meaning you will lose any unique entries typed into the first window, as it will just write the contents of its process memory to the registry.

So TypedPaths works, but like every other artifact it has limitations. Make sure you know what those limitations are!
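One way to verify the overwrite in your own test kitchen is to export the key after each window closes and diff the two exports. The block below is an added example, not code from the blog: it parses two `reg export` snapshots of TypedPaths into ordered lists and reports which paths the second window's commit erased. The two snapshots are constructed; they assume url1 is the most recently typed path, that both windows started from a key holding only C:\Windows\System32, that window A typed two paths and window B typed one.

```python
# Added example (not the blog's code): parse two `reg export` snapshots of the
# TypedPaths key, taken after each Explorer window closes, and report which
# paths the second window's overwrite erased.
import re

TYPED_PATHS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"
VALUE_LINE = re.compile(r'^"(url\d+)"="(.*)"$')

# Constructed snapshots. Assumed layout: url1 is the most recently typed path.
# Both windows started from a key holding only C:\Windows\System32; window A
# typed two paths, window B typed one UNC path.
SNAPSHOT_AFTER_A = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="D:\\evidence\\case42"
"url2"="C:\\Users\\dave\\Desktop"
"url3"="C:\\Windows\\System32"
"""

SNAPSHOT_AFTER_B = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="\\\\fileserver\\share"
"url2"="C:\\Windows\\System32"
"""


def parse_typed_paths_export(reg_text):
    """Return the url1..urlN values of a .reg export of TypedPaths, ordered by number."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # only read values that sit under the TypedPaths key itself
            in_key = line.strip("[]").lower() == TYPED_PATHS_KEY.lower()
            continue
        m = VALUE_LINE.match(line) if in_key else None
        if m:
            name, escaped = m.groups()
            # .reg files escape backslashes and double quotes with a backslash
            values[int(name[3:])] = re.sub(r"\\(.)", r"\1", escaped)
    return [values[n] for n in sorted(values)]


def overwritten_entries(after_first_close, after_second_close):
    """Paths committed by the first window that the second window's commit removed."""
    return [p for p in after_first_close if p not in after_second_close]


if __name__ == "__main__":
    a = parse_typed_paths_export(SNAPSHOT_AFTER_A)
    b = parse_typed_paths_export(SNAPSHOT_AFTER_B)
    print("after window A closed:", a)
    print("after window B closed:", b)
    print("lost by the overwrite:", overwritten_entries(a, b))
```

Real `reg export` output is UTF-16 with a BOM, so read the file with `encoding="utf-16"` before handing the text to the parser.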

Daily Blog #482: Teaching in Dubai!

Hello Reader,
             Are you in the Middle East and have a passion for DFIR? I'll be teaching SANS FOR500 Windows Forensics this November in Dubai! If you are interested you can learn more here:

https://www.sans.org/event/gulf-region-2018

For those of you in the United States after my SANS world tour of 2018 I'm scheduled to teach back home twice so far in 2019. Once in January at the CTI Summit:

https://www.sans.org/event/cyber-threat-intelligence-summit-2019

And lastly at Security West in May:
https://www.sans.org/event/security-west-2019


I hope to see you at one of these events!

Daily Blog #481: Event Logs for VHDs

Hello Reader,
               I was going back through default event logs when I ran across an event log for VHD actions that was described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx" that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten, but it was something I thought would be useful for the future so I decided to document it here. Here is an example of a VHD being attached to my Windows 10 system.


Daily Blog #480: Sunday Funday 9/16/18

Hello Reader,
          I'm going to change things around for this week's challenge. Let's put things back to research and less about coding and see how you do.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On Windows 7 test and document how you can get ObjectIDs to:
1. Populate
2. Change
3. Get preserved

Good luck!

Daily Blog #479: Solution Saturday 9/15/18

Hello Reader,
       This week I didn't get any working entries for the challenge, meaning I'll just put up the code to do it on Monday. Otherwise make sure to try and submit next week; your hesitation might have cost you $100!

Daily Blog #478: Github repository for the Test Kitchen

Hello Reader,
        I went ahead and added a Github repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:

https://github.com/dlcowen/TestKitchen/blob/master/ObjectIDScannerV1

This script requires that you have installed:
Python 3.6 or newer
pytsk3


And you can follow this repository to get all future scripts I show on future episodes of the Test Kitchen:
https://github.com/dlcowen/TestKitchen

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Daily Blog #477: Forensic Lunch Test Kitchen 9/13/18 ObjectID Decoded and timestamps tested

Hello Reader,
        Our Forensic Lunch Test Kitchen series continues! Tonight we decoded the ObjectID values into their timestamps, sequences, versions, variant and MAC addresses to try to understand more about what the values mean.

We found that:

  • As Maxim Suhanov (https://twitter.com/errno_fail) stated, the time values used to construct the ObjectID UUIDs are cached, meaning that the decoded timestamp does not indicate when the ObjectID was created and the timestamps will increment by milliseconds between ObjectID creations in the same boot
  • That the seed of the cached timestamp is the system boot time, so at every reboot the cached time that serves as the earliest possible ObjectID time will update to the boot time as recorded in the system event logs
  • That the sequence number does appear to increment overall but this needs further testing
  • That the $Volume ObjectID attribute is actually the VolumeID referenced by the ObjectID index
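The decoding itself is a standard version-1 GUID decode, so it can be checked without a live volume. The block below is an added example, not the ObjectIDScanner script from the TestKitchen repository: it takes the 16-byte $OBJECT_ID value and splits it into the timestamp, clock sequence, version, variant and node (MAC address), converts the timestamp to UTC, and measures the millisecond gap between two IDs so the cached-clock behaviour described above can be checked. It assumes the attribute stores the GUID in Windows little-endian field order (the first three fields byte-swapped), which is what `uuid.UUID(bytes_le=...)` expects. The two ObjectIDs are constructed, not taken from a real volume; the second one has the multicast bit set in its node, the RFC 4122 marker for a randomly generated node rather than a real MAC, which is one thing to check when an ObjectID shows an MAC address that looks invalid.

```python
# Added example (not the Test Kitchen script): decode a 16-byte NTFS ObjectID
# (the $OBJECT_ID attribute value, a version-1 GUID stored in Windows
# little-endian field order) into its timestamp, clock sequence, version,
# variant and node (MAC address), and compare two IDs from the same boot.
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns intervals between the GUID epoch (1582-10-15) and the Unix epoch
GUID_TO_UNIX_EPOCH_100NS = 0x01B21DD213814000

# Constructed ObjectIDs (not from a real volume): both carry the timestamp
# 2018-09-13 00:00:00 UTC, the second one 5 ms later; the second also has a
# node with the multicast bit set, i.e. a random node instead of a real MAC.
OBJECT_ID_A = bytes.fromhex("008010F5E7B6E8118ABC000C29ABCDEF")
OBJECT_ID_B = bytes.fromhex("504311F5E7B6E8118ABC0123456789AB")


def decode_object_id(raw16):
    """Decode an ObjectID; the timestamp is only meaningful for version-1 GUIDs."""
    if len(raw16) != 16:
        raise ValueError("ObjectID must be exactly 16 bytes")
    guid = uuid.UUID(bytes_le=raw16)          # undo the little-endian field order
    node = guid.node
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    info = {
        "guid": str(guid),
        "version": guid.version,
        "variant": guid.variant,
        "clock_seq": guid.clock_seq,
        "mac": mac,
        # RFC 4122 4.5: the multicast bit of the node is set when no IEEE 802
        # address was available and a random node was used instead
        "mac_is_random": bool((node >> 40) & 0x01),
        "timestamp": None,
    }
    if guid.version == 1:
        # guid.time is the 60-bit count of 100 ns intervals since 1582-10-15
        unix_100ns = guid.time - GUID_TO_UNIX_EPOCH_100NS
        info["timestamp"] = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
            microseconds=unix_100ns // 10
        )
    return info


def object_id_delta_ms(raw_a, raw_b):
    """Milliseconds between the timestamps of two ObjectIDs (b minus a)."""
    return (uuid.UUID(bytes_le=raw_b).time - uuid.UUID(bytes_le=raw_a).time) / 10_000


if __name__ == "__main__":
    for raw in (OBJECT_ID_A, OBJECT_ID_B):
        print(decode_object_id(raw))
    print("delta ms:", object_id_delta_ms(OBJECT_ID_A, OBJECT_ID_B))
```

The bytes `fsutil objectid query <file>` prints, or the 16 bytes of the $OBJECT_ID attribute read out of the MFT, can be fed to `decode_object_id` unchanged.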
You can watch it here:

Daily Blog #476: Forensic Lunch Test Kitchen 9/12/18 ObjectID Default Behavior

Hello Reader,
         Another night, another test kitchen! Tonight I try to remove my observation bias from the past episodes by modifying the code in my Automating DFIR with Pytsk series to extract ObjectID attributes from files and directories in the MFT. To do this I wrote and troubleshot a Python 3 script (the version I'm trying to force myself to convert to) that recurses through a live volume and prints out all the Object IDs that exist.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from the file creation
  • Some user directories have ObjectIDs
  • Some installed programs have MAC addresses from their original developers
  • Some Windows system32 executables have ObjectIDs and in Windows 7 have the original MAC addresses
Watch the video below to learn more:

Daily Blog #475: Forensic Lunch Test Kitchen 9/11/18 ObjectIDs

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface as described in Harry Parsonage's paper (http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf)
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set on one system does not update the ObjectID when the same file is opened on the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below:

Daily Blog #474: Application Experience Program Telemetry

Hello Reader,
         I had another examiner, who will go nameless unless they choose to be named, ask what program execution and persistence artifacts appear to be unique to Windows Server 2008 vs Windows 7. I thought about this for a while and it boiled down to differences in default event logging, with Windows Server typically having many more default events and logging sources on than the desktop OS.

As I was going through the event logs on one of my own Server 2008 R2 systems I noticed that my telemetry logs appeared to be much more thorough than the same version of my own desktop telemetry logs.

The logs in question are located in the evtx file Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx. Inside of this event log, which was touched on back in 2013 by Cylance (https://threatvector.cylance.com/en_us/home/Uncommon-Event-Log-Analysis-for-Incident-Response-and-Forensic-Investigations.html), is a series of EventID 500 entries that record each of the executables that required a compatibility fix. An example message follows:

Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.

I like this event log because:

  1. It only gets populated when application compatibility is invoked, which most cross written malware does
  2. Because it doesn't get overwhelmed with events my server event log goes back 3 years
  3. Unlikely to be cleared as attackers are focused on the security event log
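The message text shown above has a fixed shape, so it is easy to pull apart in bulk. The block below is an added example, not the blog's code: it parses the Event ID 500 message (as rendered by a tool that expands the message template, for example the Message property from Get-WinEvent) into the executable path, the shim applied, the shim database GUID and the flags, and then orders the results so executables running from user-writable locations come first, which is a triage heuristic rather than a verdict. The first sample message is the one from the post; the other two are constructed, with made-up paths and an all-zero placeholder in place of a real database GUID.

```python
# Added example (not the blog's code): parse the Event ID 500 message text from
# Microsoft-Windows-Application-Experience/Program-Telemetry into the
# executable, the shim applied, its database GUID and the flags, then triage
# the results by where the executable ran from.
import re

MESSAGE_RE = re.compile(
    r"Compatibility fix applied to (?P<path>.+?)\.\s*"
    r"Fix information:\s*(?P<fixes>.+?),\s*(?P<guid>\{[0-9A-Fa-f-]{36}\}),\s*(?P<flags>0x[0-9A-Fa-f]+)\.?",
    re.S,
)

# Path fragments that point at locations a normal user account can write to.
# This is a triage heuristic, not a verdict: the first sample below is a
# benign Defender update stub that happens to run from a Temp directory.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\downloads\\", "\\programdata\\")

# Sample messages: the first is the one shown in the post; the other two are
# constructed (made-up paths and an all-zero placeholder database GUID).
SAMPLE_MESSAGES = [
    "Compatibility fix applied to C:\\Windows\\SERVIC~2\\NETWOR~1\\AppData\\Local\\Temp\\"
    "{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\\MpSigStub.exe.\n"
    "Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.",
    "Compatibility fix applied to C:\\Users\\dave\\Downloads\\setup_tool.exe.\n"
    "Fix information: ElevateCreateProcess, {00000000-0000-0000-0000-000000000000}, 0x40102.",
    "Compatibility fix applied to C:\\Program Files\\ExampleVendor\\legacy_app.exe.\n"
    "Fix information: RunAsInvoker, {00000000-0000-0000-0000-000000000000}, 0x40102.",
]


def parse_telemetry_message(message):
    """Return path/fixes/guid/flags from an Event ID 500 message, or None if it does not match."""
    m = MESSAGE_RE.search(message)
    if not m:
        return None
    path = m["path"]
    return {
        "path": path,
        "fixes": [f.strip() for f in m["fixes"].split(",")],
        "guid": m["guid"].lower(),
        "flags": int(m["flags"], 16),
        "user_writable": any(hint in path.lower() for hint in USER_WRITABLE_HINTS),
    }


def triage(messages):
    """Parse every message and list the user-writable-location hits first, then by path."""
    parsed = [p for p in map(parse_telemetry_message, messages) if p]
    return sorted(parsed, key=lambda p: (not p["user_writable"], p["path"].lower()))


if __name__ == "__main__":
    for entry in triage(SAMPLE_MESSAGES):
        flag = "CHECK" if entry["user_writable"] else "     "
        print(f"{flag} {entry['path']}  {','.join(entry['fixes'])}  {entry['flags']:#x}")
```

Because the log is small and long-lived, running every Event ID 500 message through `triage` gives a quick first cut of which shimmed executables ran from places a user could write to; what the flags value encodes is not documented in the post, so it is kept as an integer for comparison only.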

I am going to do some testing and run some different attacker tools on Windows Server tomorrow night and see which leave entries in these event logs. 

Daily Blog #473: Sunday Funday 9/9/18

Hello Reader,
           Another week passes and I'm full of ideas of things I want to test, program and try. After Phill Moore's program to recursively call fsutil to determine ObjectIDs I thought maybe a smaller scale challenge would help us all move forward in this path. So this week we are doing another Python programming challenge but with possibly a smaller scope.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 9/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
Write a program in Python to parse the $O ADS stream found at \$Extend\$ObjId:$O on any NTFS drive with Windows running.

Good luck!

Daily Blog #472: Solution Saturday 9/8/18

Hello Reader,
      I didn't mean for there to be a week without a solution or a challenge but Labor Day weekend was way too much fun to stop and blog. So here is a late submission by Phill Moore which answered the last challenge posted on listing ObjectIDs.

Now Phill took an interesting approach: he iterates through the file system running fsutil by calling out to the command line. You can find his solution here:
https://github.com/randomaccess3/SundayFunday/tree/master/ListObjectIDs

In the coming days as I get my development environment ready for a broadcast I plan to do a more direct parse using DFVFS. Let's see how it goes!

Daily Blog #471: Gearing up for more dfvfs programming

Hello Reader,
        In my attempt to get a Windows VM up and running as a test development environment for doing some tutorials on 64-bit Python 3.6 and DFVFS I ran into an interesting challenge that I thought I would document here to help you, and myself in the future when I forget I figured this out.

If you are installing a library like PYTSK that requires some Visual Studio runtime DLLs to be installed then you'll get an interesting error like

"python can't find installed module"

when attempting to import the module. I hit this when I was using the Windows Python 3.6 install from python.org. I attempted different versions of Python 3.6 only in the end to discover that the real issue was the missing DLL. So instead just install the ActiveState version of Python 3.6 and it will install the needed DLLs to get the libraries working.

Looking forward to documenting more as the week goes on!

Daily Blog #470: Unforeseen impact of our work

Hello Reader,
                Today I'm reflecting on something that hasn't happened to me in the 19 years I've been doing digital forensics. A defendant in a civil lawsuit committed suicide and I was the expert for the plaintiff. I've seen a lot of people whose choices have left them in different positions of distress but this is the first time I've had one who went as far as to end their lives because of it.

So take a second to remember that the data you are analyzing belongs to a person and sometimes they have more problems than you know about.

Daily Blog #469: Book Highlight Learning Python for Forensics

Hello Reader,
            If you've read some of the older blog series you know that I'm a big proponent of getting new and old examiners programming. In my Automating DFIR series I focused on people who already knew Python and wanted to learn how to interact with forensic images in their scripting, but it didn't help those examiners who didn't have a good place to start with programming in the first place.

I've started reading Learning Python for Forensics and the Python Digital Forensics Cookbook to see what Preston Miller and Chapin Bryce had to say. So far I think they've done an excellent job getting new programmers up to speed with useful scripts that will help to automate their workflow.

You should go check it out here:
https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230