September 2018


Hello Reader,
If you watched the Forensic Lunch Test Kitchen this week you would have seen I was using Sysmon to monitor registry changes. Let's see what you would do in this week's monitoring challenge.

The Prize:
$100 Amazon Gift Card

The Rules:

  1. You must post your answer before Friday 10/5/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
How would you monitor/record changes to registry keys? What could you do to get more data?

Hello Reader,
This week Phill Moore of thisweekin4n6 has clinched the win with a registry ripper plugin that exposes and parses the edit flags from the challenge. Make sure to check out his code below and do your own testing as I do mine!

The Challenge:
The Edit Flags key controls which extensions get LNK files. Please test, on the Windows OS of your choice, how the different flags affect Explorer's behavior and which extensions show these behaviors by default.


The Winning Answer:
A submitted registry ripper plugin 

Hello Reader,
        We had a short broadcast this evening to test and show how the timestamps within the ObjectIDs were being set and incremented.

We learned that:

  1. Files extracted en masse may have the same object ID timestamp
  2. Files created by the user should have incrementing object ID timestamps

I've uploaded the new script (ObjectIDScannerV2) to the TestKitchen Github:
https://github.com/dlcowen/TestKitchen/tree/master


Watch it here:

Hello Reader,
Lately I've been experimenting with https://hackinthebox.eu but not for the normal reasons. I've always enjoyed the technical aspects of pentesting, and very rarely enjoyed the reporting or politics of remediation, which explains why I've done the National Collegiate Cyber Defense Competition for so long. With the Hack in the Box challenges, though, I'm not just practicing interesting techniques with a longer time frame than I normally get; I'm also getting to do some log and artifact review once I've compromised the system to see what data is being logged.

If there is one thing most researchers would agree on, it is that getting good test data is hard work. With the large number of vulnerable systems set up in interesting ways, I'm looking forward to sharing more of what I'm seeing. While some of the systems have logging turned off during the initial attack, once you get access there are no restrictions on changing the machine configuration to start logging the data.

To make things easier I've got a dedicated lab paid for in which I'll be doing controlled testing, and in the future I plan to transition the same access to the public systems to do live streamed attack detection with Matt.

Always more things to try, test and do! Let me know if you are doing something similar. 

Hello Reader,
I'm sure a lot of you follow Yogesh Khatri's research, but I wanted to take this post to point out that his MAC Artifact Parsing Tool (MAC APT) continues to be updated. It not only supports parsing full disk image formats (E01, DD, DMG), it now supports APFS as well.

Combine that with the only support for Spotlight indexes outside of BlackLight and you have a pretty amazing open source and free tool with a plugin framework you could be contributing to if you do OSX investigations.

Want to learn more?
Go Here: https://github.com/ydkhatri/mac_apt

Hello Reader,
       Let's try this again. We had some great weeks of Sunday Funday answers so I'm looking for another week of great submissions from motivated examiners.

The Prize:
$100 Amazon Gift Card

The Rules:

  1. You must post your answer before Friday 9/28/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
The Edit Flags key controls which extensions get LNK files. Please test, on the Windows OS of your choice, how the different flags affect Explorer's behavior and which extensions show these behaviors by default.


Hello Reader,
Continuing on from last night's test kitchen, I've had another broadcast today trying to monitor the changes to the registry with Sysmon. What I saw in Sysmon showed me the key being created each time Explorer exits and the url values then being set; however, it never showed the key being deleted. So we did some exploration into the TxR regtrans files and the LOG1/LOG2 transactional registry files in an attempt to find the changing keys. We may have found references to the keys, but now we need more tools to decode the transactional logs, so we will continue another night.

You can watch the video here:

Hello Reader,
I ran out of time to get a video up for yesterday's blog post, but I wanted to make sure I got this done and uploaded. So I did a test kitchen tonight focusing on what triggers the writing of the TypedPaths registry key I wrote about yesterday and how it overwrites itself when two File Explorer windows are open.

Watch it here:

Hello Reader,
I'm going to update this post with a video when I get to my hotel room tonight and do a test kitchen. I wanted to take a moment to talk about the Typed Paths registry key in Windows. Typed Paths, if you are not familiar with it, records the last 25 directories you manually typed into the File Explorer path bar, seen highlighted below:



If you have ever tested this registry key (located under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths) you might have been confused that entries didn't show up in the key when you typed paths into the path bar above, even though they still showed up in the drop down within the GUI.


You have to close the File Explorer window for the entries you see within the GUI to be committed to the registry key.

When I showed this in class some time ago I had a student who asked a very smart question: 'well, what happens if you have two file explorer windows open?' So we did the test and, as it turns out, something very interesting happens.

Both File Explorer windows will start with a copy of the registry key loaded in their process memory and display the same entries. As you type new paths into each window, each will show its own version of the list without any knowledge of the other File Explorer process.

When you close the first File Explorer window, the registry key will get updated with the contents of that process's Typed Paths. However, when you close the second, it will overwrite the key without checking the key's current contents, meaning you will lose any unique entries typed into the first window, as it will just write the contents of its own process memory to the registry.

So TypedPaths works, but like every other artifact it has limitations. Make sure you know what those limitations are!

Hello Reader,
Are you in the Middle East and have a passion for DFIR? I'll be teaching SANS FOR500 Windows Forensics this November in Dubai! If you are interested you can learn more here:

https://www.sans.org/event/gulf-region-2018

For those of you in the United States, after my SANS world tour of 2018 I'm scheduled to teach back home twice so far in 2019. First in January at the CTI Summit:

https://www.sans.org/event/cyber-threat-intelligence-summit-2019

And lastly at Security West in May:
https://www.sans.org/event/security-west-2019


I hope to see you at one of these events!

Hello Reader,
I was going back through default event logs when I ran across an event log for VHD actions that was described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx" that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten, but it was something I thought would be useful in the future, so I decided to document it here. Here is an example of a VHD being attached to my Windows 10 system.


Hello Reader,
I'm going to change things around for this week's challenge: let's put things back to research and less about coding and see how you do.


The Prize:
$100 Amazon Gift Card

The Rules:

  1. You must post your answer before Friday 9/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On Windows 7 test and document how you can get ObjectIDs to:
1. Populate
2. Change
3. Get preserved

Good luck!

Hello Reader,
        I went ahead and added a Github repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:

https://github.com/dlcowen/TestKitchen/blob/master/ObjectIDScannerV1

This script requires that you have installed:
Python 3.6 or newer
pytsk3


And you can follow this repository to get all the scripts I show on future episodes of the Test Kitchen:
https://github.com/dlcowen/TestKitchen

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Hello Reader,
Our Forensic Lunch Test Kitchen series continues! Tonight we decoded the Object ID values into their timestamp, sequence, version, variant and MAC address to try to understand more about what the values mean.

We found that:

  • As Maxim Suhanov (https://twitter.com/errno_fail) stated, the time values used to construct the ObjectID UUIDs are cached, meaning that the decoded timestamp does not indicate when the ObjectID was created and the timestamps will increment by milliseconds between ObjectID creations in the same boot
  • The seed of the cached timestamp is the system boot time, so at every reboot the cached time that serves as the earliest possible ObjectID time will update to the boot time as recorded in the system event logs
  • That the sequence number does appear to increment overall but this needs further testing
  • That the $Volume ObjectID attribute is actually the VolumeID referenced by the ObjectID index
You can watch it here:

Hello Reader,
Another night, another test kitchen! Tonight I try to remove my observation bias from the past episodes by modifying the code in my Automating DFIR with Pytsk series to extract ObjectID attributes from files and directories in the MFT. To do this I wrote and troubleshot a script in Python 3 (which I'm trying to force myself to convert to) that recurses through a live volume and prints out all the Object IDs that exist.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from the file creation
  • Some user directories have ObjectIDs
  • Some installed programs have MAC addresses from their original developers' systems
  • Some Windows system32 executables have ObjectIDs and in Windows 7 have the original MAC addresses
Watch the video below to learn more:

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface as described in Harry Parsonage's paper (http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf)
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set on one system does not update the ObjectID when the same file is opened on the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below:
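As an added example (not code from the blog or from the Test Kitchen scripts) covering the three ObjectID posts above, here is a Python 3 decoder that splits the 16 on-disk bytes of an NTFS $OBJECT_ID into the UUID v1 timestamp, clock sequence, version, variant and node (MAC address) fields, and applies the RFC 4122 multicast-bit check that separates a real NIC address from a randomly generated node. It assumes the bytes are in Windows GUID (mixed-endian) order as stored in the MFT; the boot time, sequence and MAC values in the samples are constructed, not taken from a real system.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# UUID v1 timestamps count 100 ns intervals since 1582-10-15 (Gregorian reform).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


@dataclass
class ObjectIdInfo:
    guid: str             # canonical text form of the UUID
    version: int          # 1 for the time-based UUIDs NTFS assigns
    variant: str          # layout variant string from the uuid module
    timestamp: datetime   # boot-seeded cached clock, NOT the true creation time
    sequence: int         # 14-bit clock sequence
    node: str             # last 6 bytes rendered as a MAC address
    node_is_random: bool  # multicast bit set => not a real NIC address (RFC 4122 4.5)


def decode_objectid(raw: bytes) -> ObjectIdInfo:
    """Decode the 16 on-disk bytes of an NTFS $OBJECT_ID (Windows GUID byte order)."""
    if len(raw) != 16:
        raise ValueError("ObjectID must be exactly 16 bytes")
    # bytes_le tells the uuid module the first three fields are little-endian,
    # which is how Windows lays out a GUID on disk.
    u = uuid.UUID(bytes_le=raw)
    # u.time is the 60-bit count of 100 ns intervals; datetime only holds microseconds.
    ts = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    node_bytes = u.node.to_bytes(6, "big")
    return ObjectIdInfo(
        guid=str(u),
        version=u.version,
        variant=u.variant,
        timestamp=ts,
        sequence=u.clock_seq,
        node=":".join(f"{b:02x}" for b in node_bytes),
        node_is_random=bool(node_bytes[0] & 0x01),
    )


def build_objectid(when: datetime, sequence: int, node: int) -> bytes:
    """Build a UUID v1 GUID in on-disk byte order (used here only for constructed samples)."""
    t = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    fields = (
        t & 0xFFFFFFFF,                    # time_low
        (t >> 32) & 0xFFFF,                # time_mid
        ((t >> 48) & 0x0FFF) | 0x1000,     # time_hi_and_version, version nibble = 1
        0x80 | ((sequence >> 8) & 0x3F),   # clock_seq_hi_and_reserved, RFC 4122 variant bits
        sequence & 0xFF,                   # clock_seq_low
        node,                              # 48-bit node field
    )
    return uuid.UUID(fields=fields).bytes_le


# Constructed samples: a boot-seeded time, one "real" NIC node and one random node
# (first octet 0x0d has the multicast bit set, as a random node per RFC 4122 does).
SAMPLE_BOOT_TIME = datetime(2018, 9, 13, 12, 0, 0, 123456, tzinfo=timezone.utc)
SAMPLE_REAL_NIC = build_objectid(SAMPLE_BOOT_TIME, 0x1ABC, 0x00155D010203)
SAMPLE_RANDOM_NODE = build_objectid(SAMPLE_BOOT_TIME + timedelta(milliseconds=4),
                                    0x1ABC, 0x0D0C0B0A0908)

if __name__ == "__main__":
    for raw in (SAMPLE_REAL_NIC, SAMPLE_RANDOM_NODE):
        print(decode_objectid(raw))
```

Because the clock is cached and reseeded at boot, compare the decoded timestamp against the boot time in the System event log rather than treating it as a file creation time.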

Hello Reader,
I had another examiner, who will go nameless unless they choose to be named, ask what program execution and persistence artifacts appear to be unique to Windows Server 2008 vs Windows 7. I thought about this for a while and it boiled down to differences in default event logging, with Windows Server typically having many more default events and logging sources on than the desktop OS.

As I was going through the event logs on one of my own Server 2008 R2 systems I noticed that my telemetry logs appeared to be much more thorough than the same version of my own desktop telemetry logs.

The logs in question are located in the evtx file Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx. Inside this event log, which was touched on back in 2013 by Cylance (https://threatvector.cylance.com/en_us/home/Uncommon-Event-Log-Analysis-for-Incident-Response-and-Forensic-Investigations.html), is a series of EventID 500 entries that record each of the executables that required a compatibility fix; an example message follows:

Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.

I like this event log because:

  1. It only gets populated when application compatibility is invoked, which most cross-written malware does
  2. Because it doesn't get overwhelmed with events, my server event log goes back 3 years
  3. It is unlikely to be cleared, as attackers focus on the Security event log

I am going to do some testing and run some different attacker tools on Windows Server tomorrow night and see which leave entries in these event logs. 
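As an added example (not code from the blog or from the Cylance post), a small Python 3 triage routine that parses EventID 500 messages in the format quoted above and flags executables that were shimmed from user-writable directories. The first sample message is the one from the post; the other two, their GUIDs and the list of directories treated as suspicious are constructed assumptions for this demo.

```python
import re
from typing import List, NamedTuple

# Constructed sample messages. The first is the post's own example; the other
# two (and their all-zero GUIDs) are made up to exercise the parser.
SAMPLE_MESSAGES = [
    r"""Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.""",
    r"""Compatibility fix applied to C:\Users\Public\update.exe.
Fix information: RunAsInvoker, {00000000-0000-0000-0000-000000000001}, 0x40102.
Fix information: ElevateCreateProcess, {00000000-0000-0000-0000-000000000002}, 0x40102.""",
    r"""Compatibility fix applied to C:\Program Files\Vendor\setup.exe.
Fix information: RunAsAdmin, {00000000-0000-0000-0000-000000000003}, 0x40102.""",
]

# One header line per event, followed by one or more "Fix information" lines.
HEADER_RE = re.compile(r"^Compatibility fix applied to (?P<path>.+?)\.?\s*$", re.M)
FIX_RE = re.compile(
    r"^Fix information: (?P<fix>[^,]+), (?P<guid>\{[0-9A-Fa-f-]+\}), (?P<flags>0x[0-9A-Fa-f]+)\.?\s*$",
    re.M,
)

# Assumed set of user-writable locations worth a second look (lower-case substrings).
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


class TelemetryEvent(NamedTuple):
    path: str
    fixes: List[str]
    flags: List[str]
    user_writable: bool


def is_user_writable_path(path: str) -> bool:
    """True when the executable lives under a directory an unprivileged user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in SUSPECT_DIRS)


def parse_event(message: str) -> TelemetryEvent:
    """Extract the shimmed executable and every compatibility fix from one EventID 500 message."""
    head = HEADER_RE.search(message)
    if head is None:
        raise ValueError("not an Application-Experience EventID 500 message")
    fixes = FIX_RE.findall(message)  # list of (fix, guid, flags) tuples
    path = head["path"]
    return TelemetryEvent(
        path=path,
        fixes=[f[0] for f in fixes],
        flags=[f[2] for f in fixes],
        user_writable=is_user_writable_path(path),
    )


def triage(messages: List[str]) -> List[TelemetryEvent]:
    """Parse every message and return the events, flagged ones first."""
    events = [parse_event(m) for m in messages]
    return sorted(events, key=lambda e: not e.user_writable)


if __name__ == "__main__":
    for ev in triage(SAMPLE_MESSAGES):
        marker = "REVIEW" if ev.user_writable else "ok    "
        print(f"{marker} {ev.path}  fixes={ev.fixes}")
```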

Hello Reader,
Another week passes and I'm full of ideas of things I want to test, program and try. After Phill Moore's program to recursively call fsutil to determine ObjectIDs, I thought maybe a smaller scale challenge would help us all move forward on this path. So this week we are doing another Python programming challenge, but with a possibly smaller scope.


The Prize:
$100 Amazon Gift Card

The Rules:

  1. You must post your answer before Friday 9/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a program in Python to parse the $O ADS stream found at \$Extend\$ObjId:$O on any NTFS drive with Windows running.

Good luck!

Hello Reader,
I didn't mean for there to be a week without a solution or a challenge, but Labor Day weekend was way too much fun to stop and blog. So here is a late submission by Phill Moore which answered the last challenge posted, on listing ObjectIDs.

Now Phill took an interesting approach: he iterates through the file system running fsutil by calling out to the command line. You can find his solution here:
https://github.com/randomaccess3/SundayFunday/tree/master/ListObjectIDs

In the coming days, as I get my development environment ready for a broadcast, I plan to do a more direct parse using DFVFS. Let's see how it goes!

Hello Reader,
In my attempt to get a Windows VM up and running as a test development environment for doing some tutorials on 64 bit Python 3.6 and DFVFS, I ran into an interesting challenge. I thought I would document it here to help you, and myself in the future when I forget I figured this out.

If you are installing a library like PYTSK that requires some Visual Studio runtime DLLs to be installed, you'll get an interesting error like

"python can't find installed module"

when attempting to import the module. I hit this when I was using the Windows Python 3.6 install from python.org. I attempted different versions of Python 3.6, only in the end to discover that the real issue was the missing DLL. So instead just install the ActiveState version of Python 3.6 and it will install the needed DLLs to get the libraries working.

Looking forward to documenting more as the week goes on!

Hello Reader,
Today I'm reflecting on something that hasn't happened to me in the 19 years I've been doing digital forensics. A defendant in a civil lawsuit committed suicide, and I was the expert for the plaintiff. I've seen a lot of people whose choices have left them in different positions of distress, but this is the first time I've had one who went as far as to end their life because of it.

So take a second to remember that the data you are analyzing belongs to a person, and sometimes they have more problems than you know about.

Hello Reader,
If you've read some of the older blog series you know that I'm a big proponent of getting new and old examiners programming. In my Automating DFIR series I focused on people who already knew Python and wanted to learn how to interact with forensic images in their scripting, but it didn't help those examiners who didn't have a good place to start with programming in the first place.

I've started reading Learning Python for Forensics and the Python Digital Forensics Cookbook to see what Preston Miller and Chapin Bryce had to say. So far I think they've done an excellent job getting new programmers up to speed with useful scripts that will help to automate their workflow.

You should go check it out here:
https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230

