Home Archives for February 2019

Daily Blog #634: AWS GuardDuty False Positives

AWS GuardDuty false positives - Hacking Exposed Blog by David Cowen

Hello Reader,
This another post that I'm making in the hopes that someone who is searching for this will find it and get their answer.

Do you have VMs running in AWS?
Do you have Amazon GuardDuty running?
Did you just get an alert that claimed your VM is originating an external connection to an external IP on a weird port (such as source port 80 and destination port 80)?

Well as it turns out, it may be a false positive. It appears with all the VPC logs being fed through GuardDuty that there is an issue detecting the difference between inbound and outbound traffic currently. This may lead to an alert like the one described above being triggered of someone were to just portscan you with a source port of 80.

Why would someone portscan with a source port of 80? To get around simple firewalls who allow traffic to flow on port 80 but not other ports.

So if you just got this alert and you are madly triaging the system and not finding any evidence of compromise ... contact AWS it may be a false positive.

Also Read: Daily Blog #632

Elcomsoft 5.0 & rootlessJB by Kevin Stokes (02.25.2019) This process was done on a device running iOS 12.1. It is part of Elcomsoft’s tested jailbreaks listed in their documentation for iOS Toolkit 5.0.

Hello Reader,

Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we get a copy of the new Elcomsoft IOS toolkit it was Kevin who went to work to test it out and understand what it was capable of. Kevin was nice enough to write up a quick guide to walk you through the process of doing this yourself!

Elcomsoft 5.0 & rootlessJB by Kevin Stokes (02.25.2019)

This process was done on a device running iOS 12.1.

It is part of Elcomsoft’s tested jailbreaks listed in their documentation for iOS Toolkit 5.0.

*NOTE: As always, for a forensic acquisition, document your steps and interactions.

1. Using the Safari mobile browser…

(May work in other browsers? But Safari should exist on phone.)

2. Go to https://ignition.fun, get the app.

3. Select the packages icon (circled in Blue).

Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1 - Hacking Exposed by David Cowen

4. This will bring up the App categories available.

5. Select Jailbreaks (also circled in Blue).

6. Select the “rootlessJB” from Jake James (again, in blue).

7. “GET” the app (In Red!), to continue

8. Select “Install”, to download and install on the phone.

9. You will now have the “rootlessJB” app installed

10. But wait! No need to select it yet.

11. We need to work on our trust issues…

12. Trust Issues

13. Go to Settings > General > Device Management

14. Select the Khodal Enterprise app

15. Select Trust Khodal Enterprise

16. Select “Trust” once more.

17. Once Trusted, the screen will look like the following (Allowing you to Delete the App, but don’t)

18. Jailbreak it!

19. Open the rootless JB app, make sure to turn off “iSuperUS” and “Tweaks” (slide left)

20. No need to add these for an acquisition.

21. Select “Jailbreak” (the button with be greyed out for a moment).

22. A message will appear at the bottom when it is successful. (In testing, this took less than a minute each time)

23. iOS Toolkit Time!

24. Select “F” to perform a File System acquisition.

25. Give the tar file a name, default is “user.tar”

26. Provide the SSH password … (Hint! It’s “alpine”)

27. Get another cup of coffee, while it downloads.

Also Read: Elcomsoft IOS Toolkit and IOS 12

Elcomsoft IOS Toolkit and IOS 12 Explained by David Cowen - Hacking Exposed Computer Forensic Blog

Hello Reader,
If you haven't already heard Elcomsoft had updated their IOS Forensic Toolkit recently, you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it out and what we found is that:
A. It does not ship with any rootless jailbreaks
B. It does not automate the process of installing rootless jailbreaks
C. It does not do a physical image of the device

What it does do though is provide you a list of tested Jailbreaks (rooted and rootless) that you can install on an iOS device. Once the jailbreak is installed you can then use the Elcomsoft iOS Forensic Toolkit to decrypt the keycahin and most importantly get a full file system dump. We've tested this on an iPhone running IOS 12 and I can confirm that all the hidden and system directories we missed were included.

This includes not only FSEvents data but also the KnowledgeC databases that Sarah Edwards has been blogging about. We attached the same rootless jailbroken phone to Celebrite and it did not detect the presence of the jailbreak and so did not allow for a full filesystem dump.

While I'm sure this will be fixed in the never ending mobile forensics arm race in the near future its a point towards Elcomsoft this round.

Though I do have to wonder, if we could just dump a tar of the phones contents after applying the jailbreak ourselves without using Elcomsoft at all. This will be tomorrows testing along with a write up this week of our process for doing so.

Also Read: Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1

OSX Mojave Challenge by David Cowen - Hacking Exposed Computer Forensic Blog

Hello Reader,
Last weeks challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or Mobile in our daily DFIR endeavors don't let you Mac skills fall to the wayside when you most need them... in the event of an incident. So this week let's make go back to the Mac for another challenge.

The Prize:

$100 Amazon Giftcard

The Rules:

You must post your answer before Friday 3/1/19 7PM CST (GMT -5)
The most complete answer wins
You are allowed to edit your answer after posting
If two answers are too similar for one to win, the one with the earlier posting time wins
Be specific and be thoughtful
Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:

On OSX Mojave list all of the Plists that would record a file being interacted with.

Also Read: Elcomsoft IOS Toolkit and IOS 12

Coreanalytics Update by David Cowen - Hacking Exposed Blog

Hello Reader,
Back in July of 2018 Crowdstrike wrote a very interesting post all about Core Analytics a service that runs by default on OSX that tracks aggregate daily data about executables run on the system for a month. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/

I've noticed that most of the writeups that I've seen about OSX artifacts don't list Core Analytics which seems strange to me. Outside of KnowledgeC there isn't many other execution artifacts that I'm aware of on OSX. So in checking Mojave on a couple of systems I can report that Core Analytics is still alive and kicking in one of two directories.

If the user when setting up their Mac opted to send data to Apple then the month worth of data will be found under:
/Library/Logs/DiagnosticReports/Retired

If the user opted out of sending data to Apple the data will be found under:

/Library/Logs/DiagnosticReports/

Otherwise all the data is in place and Crowdstrike's script still works.

Why shut it down?

Well CTFd charges me $100 a month for the hosting and I user registrations have stopped adding and we new/better challenges coming so I'd rather use that money for this years CTF!

So if you haven't tried last years Magnet CTF this is your chance, I will be ending it 3/1/19.