Hacking Exposed Computer Forensics Blog

Hello Reader,
               This another post that I'm making in the hopes that someone who is searching for this will find it and get their answer.

Do you have VMs running in AWS?
Do you have Amazon GuardDuty running?
Did you just get an alert that claimed your VM is originating an external connection to an external IP on a weird port (such as source port 80 and destination port 80)?

Well as it turns out, it may be a false positive. It appears with all the VPC logs being fed through GuardDuty that there is an issue detecting the difference between inbound and outbound traffic currently. This may lead to an alert like the one described above being triggered of someone were to just portscan you with a source port of 80.

Why would someone portscan with a source port of 80? To get around simple firewalls who allow traffic to flow on port 80 but not other ports.

So if you just got this alert and you are madly triaging the system and not finding any evidence of compromise ... contact AWS it may be a false positive. 

Hello Reader,
               I was working a case recently where an ex-employee was believed to have retained a companies data. They informed me that they found evidence the ex-employee had downloaded their Google mail, calendar and drive but couldn't at the time explain how they knew that. So like any investigator would/should I requested and received access to their Google Suite administrator account so I could download the associated logs.

What struck me as odd was in all of the logging I reviewed I couldn't find any that showed this user had done some kind of mass download or even mass access. Confused we went back to the company asking to speak to the person who first noticed this event. When we did she was able to inform us that she hadn't looked at the logs, rather she looked through the ex-employees email account.

Downloading the email account we found as she did an email from Google stating that the ex-employee had taken advantage of the Google TakeOut feature. The email stated as she said that it exported his Calendar, Email and Google Drive to an archive he could download from Google.

Luckily we asked and confirmed this but it did strike us as odd that the companies own GSuite logs wouldn't reflect this! So Reader I would ask you to comment below, have you seen this? Is there  alog we were missing? Or if the ex-employee had deleted that email would no one have been the wiser that he absconded with all of his company data? So far we've found no evidence other than the one email!

Hello Reader,
            Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we get a copy of the new Elcomsoft IOS toolkit it was Kevin who went to work to test it out and understand what it was capable of. Kevin was nice enough to write up a quick guide to walk you through the process of doing this yourself!

1. Using the Safari mobile browser…
• (May work in other browsers? But Safari should exist on phone.)
2. Go to https://ignition.fun, get the app.
• Select the packages icon (circled in Blue).

• This will bring up the App categories available.
• Select Jailbreaks (also circled in Blue).

• Select the “rootlessJB” from Jake James (again, in blue).

• “GET” the app (In Red!), to continue

• Select “Install”, to download and install on the phone.

• You will now have the “rootlessJB” app installed
• But wait!  No need to select it yet.

• We need to work on our trust issues…

3. Trust Issues
• Go to Settings > General > Device Management
• Select the Khodal Enterprise app

• Select Trust Khodal Enterprise

• Select “Trust” once more.

• Once Trusted, the screen will look like the following (Allowing you to Delete the App, but don’t)

4. Jailbreak it!
• Open the rootless JB app, make sure to turn off “iSuperUS” and “Tweaks” (slide left)
• No need to add these for an acquisition.

• Select “Jailbreak” (the button with be greyed out for a moment).

• A message will appear at the bottom when it is successful.  (In testing, this took less than a minute each time)

5. iOS Toolkit Time!
• Select “F” to perform a File System acquisition.

• Give the tar file a name, default is “user.tar”

• Provide the SSH password …  (Hint! It’s “alpine”)

• Get another cup of coffee, while it downloads.

Hello Reader,
        If you haven't already heard Elcomsoft had updated their IOS Forensic Toolkit recently, you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it out and what we found is that:
A. It does not ship with any rootless jailbreaks
B. It does not automate the process of installing rootless jailbreaks
C. It does not do a physical image of the device

What it does do though is provide you a list of tested Jailbreaks (rooted and rootless) that you can install on an iOS device. Once the jailbreak is installed you can then use the Elcomsoft iOS Forensic Toolkit to decrypt the keycahin and most importantly get a full file system dump. We've tested this on an iPhone running IOS 12 and I can confirm that all the hidden and system directories we missed were included.

This includes not only FSEvents data but also the KnowledgeC databases that Sarah Edwards has been blogging about. We attached the same rootless jailbroken phone to Celebrite and it did not detect the presence of the jailbreak and so did not allow for a full filesystem dump.

While I'm sure this will be fixed in the never ending mobile forensics arm race in the near future its a point towards Elcomsoft this round.

Though I do have to wonder, if we could just dump a tar of the phones contents after applying the jailbreak ourselves without using Elcomsoft at all. This will be tomorrows testing along with a write up this week of our process for doing so.

Hello Reader,
            Last weeks challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or Mobile in our daily DFIR endeavors don't let you Mac skills fall to the wayside when you most need them... in the event of an incident. So this week let's make go back to the Mac for another challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
         Back in July of 2018 Crowdstrike wrote a very interesting post all about Core Analytics a service that runs by default on OSX that tracks aggregate daily data about executables run on the system for a month. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/

I've noticed that most of the writeups that I've seen about OSX artifacts don't list Core Analytics which seems strange to me. Outside of KnowledgeC there isn't many other execution artifacts that I'm aware of on OSX. So in checking Mojave on a couple of systems I can report that Core Analytics is still alive and kicking in one of two directories.

Hello Reader,
           I know many of you are looking to get a better understanding of many of the fundamentals of DFIR. In most of my daily writing I focus on new things that I'm researching or find interesting but I don't typically take the time to cover the basics. Luckily Mathias Fuchs has started a video series called DFIR in 120 seconds to try to create consumable chunks of DFIR knowledge which good illustrations and explanations. While the videos will sometimes creep over 120 seconds they are always concise and explain key concepts in quick order.

Go check it out here: https://www.cyberfox.blog/dfir-in-120-seconds/

Hello Reader,
            While I didn't have any winners for last week's Sunday Funday I did want to draw your attention to the answers that were already present, from 8 years ago. Lance Mueller who wrote/writes the ForensicKB blog did his own Deep Freeze testing 8 years ago. Jessica Hyde reminded me of this while I was doing my own testing and it appears that Lance went even farther than I did in my first couple of tests.

So if you were looking for the answers to how Deep Freeze is writing data and discarding it between reboots I would suggest brushing up on Lance's research below:

http://www.forensickb.com/2010/10/forensic-analysis-of-frozen-hard-drive.html

Hello Reader,
         Let's reevaluate challenges again. Last week I either asked for too much or went to Niche so let's open it up again. The point of these challenges is to get you the larger DFIR community to get involved in your own research and testing so you can surprise yourself and help others in their work. So with that, here is this week's challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
             I was wondering 6 months ago what would make miss a day of blogging, it turns out the answer is moving! So now that things are settling down I should be back on schedule. Speaking of things that were missed, this weeks contest had no qualifying submissions that I saw. So tune in for this weeks Sunday Funday and your chance to take a $100 amazon giftcard for some DFIR research.

Hello Reader,
             I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly, you get a High Alert that a golden ticket was in use ... take a deep breath and examine the facts.

First this alert is generated because the kerberos ticket it reported had a time to live larger than group policy for them. This does not mean that this is proof that a ticket is being used right now so take a step away from the fire the missiles button and examine the facts.

Second check the account being used, if the account being used is the Machine account (the computer name with a $ at the end) and not a user then this could be a 'silver ticket' attack or just a system who clock is out of sync.

Third check to see what hosts this ticket is accessing and what the actual time to live is. When I make golden tickets in an attack simulation I give them very long lives (months to years) so I can keep using them going forward. If the ticket is only a couple hours greater than the policy (which it should tell you the policy time) take two steps away from the button.

Fourth check to see (especially if this is between domain controllers) if the machine account being used belongs to a DC being brought online and syncing for the first time. In which case this is probably a false positive.

Now if none of these things match your reported scenario go find out what accounts were effected, where the accesses came from and how long that ticket has to live and start triaging! You might have a real intrusion going on!

Hello Reader
             Keeping up with all of the materials that the community makes based on the work you the reader does in Sunday Funday challenges really makes it all worth it. Let's keep this amazing streaming going with this weeks DeepFreeze challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
             This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg's testing all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near future to find more about what Oleg was seeing!




What are all the methods of execution you can find that are not recorded in the Amcache hive?

The Winning Answer:
Oleg Skulkin
https://cyberforensicator.com/2019/02/06/amcache-forensics-populated-or-not/

Hello Reader,
            I wanted to make a quick post about ADFS (Active Directory Federated Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, office 365) then you should be looking for an additional key value that has been around since the original 'Microsoft Account' in Windows 8.

They key value 'InternetUserName' will store the full account name with domain that the user authenticated with. A true local account will not have this value, only those accounts who are being authenticated against cloud hosted domains should contain it. In combination with a 0 logon count this can be used to determine not only that the user was not a local account but the full account name associated. 

Hello Reader,
              With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it I think it's time that I close down the 2018 site. You can access it for the month of February here:

https://magnetctf.ctfd.io/

Why shut it dowh?
Well CTFd charges me $100 a month for the hosting and I user registrations have stopped adding and we new/better challenges coming so I'd rather use that money for this years CTF!

So if you haven't tried last years Magnet CTF this is your chance, I will be ending it 3/1/19.

Hello Reader,
             A quick reminder that the 2019 SANS DFIR Summit call for presentations is open!

https://www.sans.org/event/digital-forensics-summit-2019/call-for-presentations

Happening in Austin, Texas on July 25-26, 2019 the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event everywhere as usually there is some new tool or research shown here that we can use immediately in our lab.

Also, if selected, not only do you get a free ticket to go to the summit... you also get a free ticket for a friend!

Hello Reader,
          I registered today for the Magnet User Summit (https://magnetusersummit.com/schedule)  and noticed that the CTF that Matt and I are hosting with Magnet and specifically in cahoots with Jessica Hyde is now full!

If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn't make it I'm going to reach out to magnet to see what we can do to allow people onsite to play virtually on their own systems.

Matt, Jessica and I are working on something special and fun that is meant to be almost fully solved in the 3 hour period allotted and I can't wait for you guys to see what we have in store for you!

Hello Reader,
           2019 is becoming a pretty great year for responses to these challenges. It's always tough to weight different answers to find the one that is 'most complete' and I appreciate all the hard work all of you put into it. Even if you don't submit an answer and just work on the challenge I think everyone who is playing is winning. Let's continue this streak by building on Blanche Lagny's Amcache research!



The Prize:
$100 Amazon Giftcard

The Rules:

Hello Reader,
        I had some great submissions this week as people really got into shellbags research. This week Kevin Pagano managed to edge out a win with the extra work he did in showing the differences in how the data was recorded with different preferences in sorting and other features. The biggest thing that I took away from this is that we can tell the difference between a directory didn't have access to and interacted with one that they did have access to.

Next we did to determine a difference on just clicking on a directory versus opening it.

The Challenge:
Within a single shellbags entry answer the following:
1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view)
2. What is the default view if they don't change anything?
3. If a user attempts to access the system volume information directory and a shellbag entry gets created (it should deny them access) what directory viewing settings are left behind

The Winning Answer:
Kevin Pagano
https://www.stark4n6.com/2019/02/shellbags-folder-views-and-windows.html