Hacking Exposed Computer Forensics Blog

Hello Reader,
       If you watched the forensic lunch test kitchen this week you would have seen I was using Sysmon to monitor registry changes. Let's see what you would do in this weeks monitoring challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
           This week Phill Moore of thisweekin4n6 has clinched the win with a registry ripper plugin to expose and parse the edit flags in the challenge. Make sure to check out his code below and do your own testing as I do mine!

Hello Reader,
Just in case your not on Twitter, there is confirmation that the conference by the company fornallf known as guidance software is no more. Our industries biggest conference (that I'm aware of) is being rolled up into the larger opentext conference.

The future should be interesting to see what comes in it's place and how people accept itm

Hello Reader,
           Lately I've been experimenting with https://hackinthebox.eu but not for the normal reasons. I've always enjoyed the technical aspects of pentesting, and very rarely enjoyed the reporting or politics of remediation, which explains why I've done the national collegiate cyber defense competition for so long. With the hack in the box challenges though I'm not just practicing interesting techniques with a longer time frame then I normally get, I'm also getting to do some log and artifact review once I've compromised the system to see what data is being logged.

If there is one thing that most researchers would agree with is that getting good test data is hard work. With the large number of vulnerable systems setup in interesting ways I'm looking forward to sharing more of what I'm seeing. While some of the systems have logging turned off during the initial attack, once you get access there are no restrictions one changing the machine configuration to start logging the data.

To make things easier I've got a dedicated lab paid for that I'll be doing controlled testing and then in the future plan to transition the same access to the public systems to do live streamed attack detection with Matt in the future.

Always more things to try, test and do! Let me know if you are doing something similar. 

Hello Reader,
            I'm sure a lot of you follow Yogesh Kahtri's research but I wanted to take this post to point our that his MAC Artifact Parsing Tool (MAC APT) continues to be updated.  It not only supports parsing full disk image formats (E01, DD, DMG) but it now support APFS.

Combined with the only support for Spotlight indexes outside of Blacklight and you have a pretty amazing open source and free tool that has a plugin framework you could be contributing to if you do OSX investigations.

Want to learn more?
Go Here: https://github.com/ydkhatri/mac_apt

Hello Reader,
       Let's try this again. We had some great weeks of Sunday Funday answers so I'm looking for another week of great submissions from motivated examiners.

The Prize:
$100 Amazon Giftca

The Rules:

Hello Reader,
        I was hoping a testing challenge would bring in more responses but we go another week without a winning entry. I'll be trying something different with tomorrow's Sunday funday. 

Hello Reader,
               I'm going to update this post with a video when I get to my hotel room tonight and do a test kitchen. I wanted to take a moment to talk about the Typed Paths registry key in Windows. Typed Paths if you are not familiar records the last 25 directories you manually typed into the file explorer path bar seen highlighted below:



If you ever tested this registry key (located under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths) you might have been confused that entries didn't show up in the key when you typed paths into path bar above, but they still showed up in the drop down within the GUI.


You have to close the file explorer window for the entries you see within the GUI to be committed to the registry key.

When I showed this in class some time ago I had a student who asked a very smart question, they asked 'well, what happens if you have two file explorer windows open'. So we did the test and as it turns out something very interesting happens.

Both file explorer windows will start with a copy of the registry key loaded in its process memory and display the same entries. As you type in new paths into each window each will show their own version of the list without any knowledge of the other file explorer process.

When you close the first file explorer window the registry key will get updated with the contents of that processes Typed Paths. However, when you close the second it will overwrite the key without checking its contents meaning you will lose any unique entries typed into the first window as it will just write to the registry the contents of its process memory.

So TypedPaths works, but like every other artifact it has limitations. Make sure you know what those limitations are!

Hello Reader,
             Are you in the middle east and have a passion for DFIR? I'll be teaching SANS FOR500 Windows Forensics this November in Dubai! if you are interested you can learn more here:

https://www.sans.org/event/gulf-region-2018

For those of you in the United States after my SANS world tour of 2018 I'm scheduled to teach back home twice so far in 2019. Once in January at the CTI Summit:

https://www.sans.org/event/cyber-threat-intelligence-summit-2019

And lastly at Security West in May:
https://www.sans.org/event/security-west-2019


I hope to see you at one of these events!

Hello Reader,
               I was going back through default event logs when I ran across an event log for VHD actions that was described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx"n that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten but it was something I thought would be useful for the future so I decided to document it here.  Here is an example of a VHD being attached to my Windows 10 system.

Hello Reader,
          I'm going to change things around for this weeks challenge, lets put things back to research and less about coding and see how you do. 


The Prize:
$100 Amazon Giftca

The Rules:

Hello Reader,
       This week I didn't get any working entries for the challenge, meaning I'll just put up the code to do it on Monday. Otherwise make sure to try and submit nextbweek your hesitation might have cost you $100!

Hello Reader,
        I went ahead and added a Github repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:

https://github.com/dlcowen/TestKitchen/blob/master/ObjectIDScannerV1

This scripts requires that you have installed:
Python 3.6 or newer
pytsk3


And you can follow this repository to get all future scripts I show on future episodes of the Test Kitchen:
https://github.com/dlcowen/TestKitchen

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Hello Reader,
         I had another examiner, who will go nameless unless they choose to be named, ask what program execution and persistence artifacts appear to be unique to Windows Server 2008 vs Windows 7. I thought about this for awhile and it boiled down to differences in default event logging with Windows Server typically having many more default events and logging sources on than the desktop OS.

As I was going through the event logs on one of my own Server 2008 R2 systems I noticed that my telemetry logs appeared to be much more thorough then the same version of my own Desktop telemetry logs.

The logs in questions are located int he evtx file Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx. Inside of this event log which was touched on back in 2013 by Cylance (https://threatvector.cylance.com/en_us/home/Uncommon-Event-Log-Analysis-for-Incident-Response-and-Forensic-Investigations.html) is a series of EventID 500 entries that record each of the executables that required compatibility an example message follows:

Compatibility fix applied to C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{5F4D076C-A8C6-4442-9BB4-54AC9B81EE6E}\MpSigStub.exe.
Fix information: RunAsInvoker, {1c2d58c3-dcd2-41e3-bd0b-25f05028c655}, 0x40102.

I like this event log because:

1. It only gets populated when application compatibility is invoked, which most cross written malware does
2. Because it doesn't get overwhelmed with events my server event log goes back 3 years
3. Unlikely to be cleared as attackers are focused on the security event log

Hello Reader,
           Another week passes and I'm full of ideas of things I want to test, program and try. After Phill Moore's program to recursively call fsutil to determine ObjectIDs I thought maybe a smaller scale challenge would help us all move forward in this path. So this week we are doing another Python programming challenge but with possibly a smaller scope.


The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
      I didn't mean for there to be a week without a solution or a challenge but labor day weekend was way to much fun to stop and blog. So here is a late submission by Phill Moore which answered the last challenge posted on listing ObjectIDs.

Now Phill took an interesting approach, he iterates through the file system running fsutil by calling out to the command line you can find his solution here:
https://github.com/randomaccess3/SundayFunday/tree/master/ListObjectIDs

In the coming days as I get my development environment ready for a broadcast I plan to do a more direct parse using  DFVFS. Let's see how it goes!

Hello Reader,
        In my attempt to get a Windows VM up and running as a test development environment for doing some tutorials on 64 bit Python 3.6 and DFVFS I ran into an interesting challenge I thought I would document here to help you and myself in the future when I forget I figured this out.

If you are installing a library like PYTSK that requires some Visual Studio runtime DLLs to be installed then you'll get an interesting error like

"python can't find installed module"

when attempting to import the module. I hit this when I was using the windows python 3.6 install from python.org. I attempted different versions of Python 3.6 only in the end to discover that the real issue was the missing DLL. So instead just install the activestate version of Python 3.6 and it will install the needed DLLs to get the libraries working.

Looking forward to documenting more as the week goes on!

Hello Reader,
                Today I'm reflecting on something that hasn't happened to me in the 19 years I've been doing digital forensics. A defendant in a civil lawsuit committed suicide and I was the expert for the plaintiff. I've seen a lot of people whose choices have left them in different positions of distress but this is the first time I've had one who went as far as to end their lives because of it.

So take a second to remember that the data you are analyzing belongs to a person and sometimes they have more problems then you know about. 

Hello Reader,
            If you've read some of the older blog series you know that I'm a big proponent of getting new and old examiners programming. In my Automating DFIR series I focused on people who already knew Python and wanted to learn how to interact with forensic images in their scripting, but it didn't help those examiners who didn't have a good place to start with programming in the first place.

I've started reading Learning Python for Forensics and the Python Digital Forensics Cookbook to see what Preston Miller and Chapin Bryce had to say. So far I think they've done an excellent job getting new programmers up to speed with useful scripts that will help to automate their workflow.

You should go check it out here:
https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230