Daily Blog #701: Magnet Virtual Summit CTF 2020 Results


Hello Reader,
         If you watched the live commentary, boy were you in for a treat! So much so that I deleted the video afterwards. No reason to let that hot mess live on forever.

What will live on forever, though, are the winners of the CTF!


Congratulations to Evangelos, aka theAtropos4n6, for winning 1st place! We will hopefully see you on the Forensic Lunch Friday!

In second place was Oleg Skulkin, aka 0x136, with the long-time CTF feud between evandrix of Singapore and Adam Harris, aka harrisonamj, going to evandrix this time for the 3rd place finish.


Daily Blog #700: New version of Plaso




Hello Reader,
          Ryan Benson's #130 Daily DFIR tweet mentioned something I think is interesting:


He pointed out that there is a new version of Plaso out, which by itself is good news, but what's interesting is that it has now switched to libfsntfs for NTFS parsing.

Why is that interesting?

Every previous version of Plaso, and every dfVFS-backed tool, relied on The Sleuth Kit's (TSK) native NTFS support. libfsntfs is Joachim Metz's own NTFS library, written to handle all of the edge-case NTFS conditions he found, to parse faster, and to extend what is possible, for example with support for case-sensitive entries, which in NTFS is interesting all by itself.

I think we should have a look at this library Wednesday. Why not tomorrow? Tomorrow is when we do Magnet Virtual CTF commentary live on YouTube!



Daily Blog #699: Sunday Funday 5/10/20 - Auditd Challenge


Hello Reader,

       We've bounced from Windows to OSX and around the cloud. What we haven't done, though, is venture into the deep waters of Linux forensics. Today let's help out our fellow examiners who are in the trenches, with few landmarks to lead their way in the Linux forensics wasteland, with this week's challenge focused on Auditd.


The Prize:

$100 Amazon Giftcard
An appearance on the following week's Forensic Lunch!

The Rules:

  1. You must post your answer before Friday 5/15/20 7PM CDT (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:

On a Linux system with Auditd enabled, answer the following questions:

1. What new data sources does Auditd create?

2. What tools support the data?

3. What can an examiner determine from Auditd?

4. How long is the data retained for?

Daily Blog #698: Solution Saturday 5/9/20 - Updating a Previous Challenge on KnowledgeC


Hello Reader,
         It was a week of returning champs coming to see who could win, and this week that was Oleg Skulkin, who did some solid work updating a previous challenge on KnowledgeC. So congrats Oleg, another win for the board!

The Challenge:
KnowledgeC on iOS is a jam-packed knowledge resource, but on OSX it seems to be less used.
1. What does each table in the KnowledgeC database correspond to, activity-wise?
2. What data is logged in each table?
3. What data is not logged?
4. Is there a similar data source that would fill in the gaps?

The Winning Answer:
Oleg Skulkin


Know Your KnowledgeC

I'm using macOS devices quite often, for example to read blogs and for general web surfing, but I don't look at them from a forensic perspective quite often, so Sunday Funday gives me a good opportunity to do it.

KnowledgeC. This is a quite well-known source of forensic artifacts; many forensic tools even extract relevant data from it automatically (e.g. Magnet AXIOM; Plaso also has a parser for it, mac_knowledgec).

Regarding research, Sarah Edwards proved that KnowledgeC is power (https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage). Also, we already had a Sunday Funday on this topic, but focusing on macOS Mojave, and Tun Naung (https://twitter.com/tunnaunglin) won it (https://www.hecfblog.com/2019/03/daily-blog-642-solution-saturday-3919.html).

But now we already have macOS Catalina (10.15), so it’s high time to look at the data source again.

In fact, there are two knowledge databases on macOS: system and user context. The first is located under /private/var/db/CoreDuet/Knowledge, the second – under /Users/username/Library/Application Support/Knowledge.

Let's start with the first one, the system context database. It was obtained from a macOS image presented at the recent Champlain CTF.
There are 16 tables in the database:



System context database tables
Most of the tables are empty. The most interesting things start from the ZOBJECT table. The ZSTREAMNAME column contains information about the data streams. In the database I'm looking at there are several streams:


  • com.apple.spotlightviewer.events
  • /safari/history
  • /media/nowPlaying
  • /display/isBacklit
  • /app/inFocus
  • /app/activity
  • /activity/level/feedback
  • /activity/level
The ZVALUESTRING column contains additional information. For example, for /app/inFocus it shows the application used, for /safari/history the URL. That's not all: for Safari-related activity and /media/nowPlaying there is additional metadata in the ZSTRUCTUREDMETADATA table, and the corresponding ID can be found in the column with the same name. For example, for Safari history it will store the webpage's title in the Z_DKSAFARIHISTORYMETADATAKEY__TITLE column:



Of course, we shouldn't forget about the timestamps: there are three columns in the ZOBJECT table, ZSTARTDATE, ZENDDATE and ZCREATIONDATE, all containing timestamps in Mac Absolute Time format.

It’s time for an SQL query!


Let’s move on to the user context database. I got this one from our iMac. It’s used very often, so there should be a lot of data in the database.

The tables are the same, we have 16 of them. Let's look inside the ZOBJECT table. Here are the streams available in ZSTREAMNAME:


  • /portrait/topic
  • /portrait/entity
  • /notification/usage
  • /knowledge-sync-deletion-bookmark/
  • /knowledge-sync-addition-window/
  • /display/isBacklit
  • /app/usage
  • /app/intents

First of all, we have some information about database synchronization. That means it may contain not only information about this iMac, but also synced data, for example from an iPhone. There's a table called ZSYNCPEER that includes some information about these devices:



There's another useful table, ZSOURCE. Here we can find whether it was a WhatsApp message, a phone call or an SMS. It can also help us understand some uncommon data types. For example, we can see that /portrait/topic refers to Pinterest, /portrait/entity to Safari.

Let's look inside ZSTRUCTUREDMETADATA, especially at the Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION column. Here we can see some BLOBs. Let's export one of them; it can be done, for example, with DB Browser for SQLite. In fact, it's a binary plist. But that's not all, there is another plist inside! It's inside NS.data. In my case it was a WhatsApp message, and I could get not only the phone number (it's also available in Z_DKINTENTMETADATAKEY__DERIVEDINTENTIDENTIFIER), but also the contact's name. The same can be done with phone calls: we can recover the phone number. Unfortunately, we can't recover the message body.

Again, we can gather a lot of information about the usage of applications from the /app/usage stream:



Let’s write an SQL query to gather this information:



As you can see, the first record is from April 4, 2020, and today is May 3, 2020, so the database stores data for only 30 days.

So, what other similar data sources are available? For example, another interesting database is located under /private/var/db/CoreDuet/People. It’s interaction.db. There are 11 tables inside:



If we look inside ZINTERACTIONS and ZCONTACTS, we can gather some information about calls the user made. Again, it seems the data is written to the database as part of the synchronization process, and of course it'll contain different datasets; it'll depend on the device.
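The screenshots of Oleg's SQL queries did not survive, so here is an added example (my code, not part of Oleg's answer) that reconstructs the approach he describes: join ZOBJECT to ZSTRUCTUREDMETADATA through the ZSTRUCTUREDMETADATA column, convert the Mac Absolute Time columns (seconds since 2001-01-01 UTC) to UTC, and unwrap the plist-inside-NS.data blob from Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION. It runs against a constructed in-memory stand-in for knowledgeC.db, so the table layout, the sample rows and the nested-plist shape are simplifications (a real blob is an NSKeyedArchiver plist, where NS.data sits inside the $objects array) and are assumptions, not captured data.

```python
"""Reconstructed knowledgeC.db query on a constructed stand-in database."""
import datetime as dt
import plistlib
import sqlite3

# Mac Absolute Time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)


def mac_absolute_to_utc(seconds):
    return MAC_EPOCH + dt.timedelta(seconds=seconds)


def utc_to_mac_absolute(when):
    return (when - MAC_EPOCH).total_seconds()


def build_sample_db():
    """Constructed stand-in for knowledgeC.db (sample rows, not a real capture)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZSTRUCTUREDMETADATA (
            Z_PK INTEGER PRIMARY KEY,
            Z_DKSAFARIHISTORYMETADATAKEY__TITLE TEXT,
            Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB);
        CREATE TABLE ZOBJECT (
            Z_PK INTEGER PRIMARY KEY,
            ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
            ZSTARTDATE REAL, ZENDDATE REAL, ZCREATIONDATE REAL,
            ZSTRUCTUREDMETADATA INTEGER);
    """)
    # Simplified nested plist: outer binary plist whose NS.data member is
    # itself a binary plist carrying the contact details (assumed layout).
    inner = plistlib.dumps({"phoneNumber": "+15550100", "displayName": "Example Contact"},
                           fmt=plistlib.FMT_BINARY)
    outer = plistlib.dumps({"NS.data": inner}, fmt=plistlib.FMT_BINARY)
    t0 = utc_to_mac_absolute(dt.datetime(2020, 5, 3, 14, 0, tzinfo=dt.timezone.utc))
    con.executemany("INSERT INTO ZSTRUCTUREDMETADATA VALUES (?,?,?)", [
        (1, "Example Domain", None),
        (2, None, outer),
    ])
    con.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?,?,?)", [
        (1, "/safari/history", "https://example.com/", t0, t0, t0, 1),
        (2, "/app/inFocus", "com.apple.Safari", t0 - 60, t0 + 120, t0 + 120, None),
        (3, "/app/intents", "net.whatsapp.WhatsApp", t0 + 300, t0 + 301, t0 + 301, 2),
    ])
    con.commit()
    return con


# The join Oleg describes: ZOBJECT.ZSTRUCTUREDMETADATA holds the Z_PK of the
# matching ZSTRUCTUREDMETADATA row (LEFT JOIN keeps streams without metadata).
QUERY = """
SELECT o.ZSTREAMNAME, o.ZVALUESTRING, o.ZSTARTDATE, o.ZENDDATE,
       m.Z_DKSAFARIHISTORYMETADATAKEY__TITLE,
       m.Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION
FROM ZOBJECT o
LEFT JOIN ZSTRUCTUREDMETADATA m ON m.Z_PK = o.ZSTRUCTUREDMETADATA
ORDER BY o.ZSTARTDATE
"""


def unwrap_interaction(blob):
    """Decode the outer plist, then the plist nested inside its NS.data member."""
    if blob is None:
        return None
    outer = plistlib.loads(blob)
    return plistlib.loads(outer["NS.data"])


def timeline(con):
    """Run QUERY and return rows with UTC timestamps and decoded metadata."""
    rows = []
    for stream, value, start, end, title, blob in con.execute(QUERY):
        rows.append({
            "stream": stream,
            "value": value,
            "start": mac_absolute_to_utc(start).isoformat(),
            "end": mac_absolute_to_utc(end).isoformat(),
            "title": title,
            "interaction": unwrap_interaction(blob),
        })
    return rows


if __name__ == "__main__":
    for row in timeline(build_sample_db()):
        print(row)
```

To use it against a real copy, replace build_sample_db() with sqlite3.connect() on an exported knowledgeC.db (work on a copy, never the live file) and keep the query; the timestamp conversion and the nested-plist unwrapping are the parts that do not change.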

Daily Blog #697: Forensic Lunch 5/8/20 - Jack Farley, Josh Brunty, Kevin Pagano, Tom Pace, Jim Arnold



Hello Reader,
        Another week of crisis times means another weekly Forensic Lunch!

This week on the Forensic Lunch we had:


You can watch it here:
https://youtu.be/fPzSm-hofA0

Daily Blog #696: Free Autopsy Training


Hello Reader,
       I know right now not everyone is heads down in DFIR investigations like we are. I know that we are fortunate to retain our jobs and keep doing the work we love. So for those of you who know individuals looking to transition into DFIR, or those already in it who want to grow their skills but currently have $0 budget to do it, I have some good news.

The fine folks over at Basis Technology, who fund things like The Sleuth Kit, Autopsy and OSDFCon, have made their very successful Autopsy training class free!

This is an 8-hour on-demand course that normally costs $495! However, you only have one more week left to claim it, as they set a date of 5/15/20 to end this amazing deal.

So if you or someone you know has the time and want to get skilled up, what are you waiting for?
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

Daily Blog #695: Magnet Virtual Summit CTF Live Commentary!




Hello Reader,
      If you're going to play the Magnet Virtual CTF, or just want to watch as others do, then join:

  • Brian Moran - Famous social media influencer and well known campaign manager 
  • Matthew Seyer - Master of rabbits, maker of beards and eater of tacos
  • Myself
as we provide live commentary, digging deep into the questions, contestants and scores as we watch things heat up! Hopefully this will be a successful experiment!

So tune in if you're playing to see how your competitors are doing, or just tune in to see how it's going and ask questions to see how you would do!

You can watch live 5/12 at 4:30PM CDT (GMT -5) here:

Daily Blog #694: AZCopy and SAS Tokens


Hello Reader,
     If you read #DFIR Twitter daily (I mean, who doesn't?), then you likely saw this post by Jordan Barth:



Let me explain what Jordan's talking about and why you should care if you're doing DFIR in Azure.

Full disclosure: Jordan is a fellow KPMGer and he knows his Azure.

So first, AZCopy is a utility created by Microsoft for moving data to or from Azure. You can read more about it here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Second, SAS URLs or SAS tokens (Shared Access Signature tokens) allow you to provide access to a resource with a single URL rather than providing login credentials. This lets you take, say, a compromised VHD and provide read-only access to it even if:
1. You're not in the same subscription/tenant
2. You're not in the same organization
3. You don't have an account in that tenant

Just like in Google Docs, where you can provide an 'edit' or 'view' link to others without adding them to your account, you can do the same with Azure resources. This lets you quickly give, say, an IR tenant read-only access to your production tenant without tipping off an attacker that anything has happened or starting up new instances in the compromised environment. Keep in mind that the SAS URL is itself a bearer credential: anyone holding it has whatever access it grants until it expires, so mint it with read-only permissions and a short expiry, and share it over a channel the attacker cannot see.

What Jordan is talking about, though, is not the security and convenience of AZCopy with SAS tokens, but rather the speed you get when you use the Azure API rather than the browser. I'm sure this is even faster within Azure itself when making copies.
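As an added example (my code, not Jordan's or Microsoft's), here is the pre-flight check I would run on a SAS URL before handing it to an IR team, together with the az CLI invocation that mints a read-only, HTTPS-only, user-delegation SAS and the azcopy command that consumes it. The SAS query parameters it inspects (sp, se, spr, sig) are the documented Shared Access Signature fields; the storage account, container, blob name and the signature value in the sample URLs are constructed placeholders, and the 24-hour maximum lifetime is a policy choice of mine, not an Azure default.

```python
"""Pre-flight checks for a SAS URL used to share a VHD with an IR tenant."""
import datetime as dt
from urllib.parse import parse_qs, urlsplit

# Fixed "now" so the sample URLs below evaluate the same way every run.
REFERENCE_NOW = dt.datetime(2020, 5, 12, 12, 0, tzinfo=dt.timezone.utc)

# Constructed sample URLs (placeholder account, blob and signature).
GOOD_SAS_URL = ("https://evidence.blob.core.windows.net/disks/compromised.vhd"
                "?sp=r&st=2020-05-12T11:00Z&se=2020-05-12T23:00Z&spr=https"
                "&sv=2019-12-12&sr=b&sig=PLACEHOLDER")
BAD_SAS_URL = ("https://evidence.blob.core.windows.net/disks/compromised.vhd"
               "?sp=rwd&se=2020-06-12T23:00Z&sv=2019-12-12&sr=b&sig=PLACEHOLDER")


def check_sas_url(url, now=None, max_hours=24):
    """Return a list of problems; an empty list means the SAS is acceptable to share."""
    now = now or dt.datetime.now(dt.timezone.utc)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https":
        problems.append("URL is not https")
    if "sig" not in query:
        problems.append("no signature (sig) present")
    perms = set(query.get("sp", ""))
    if not perms:
        problems.append("no permissions (sp) present")
    elif perms - {"r", "l"}:
        # Anything beyond read/list lets the holder alter or destroy evidence.
        extra = "".join(sorted(perms - {"r", "l"}))
        problems.append(f"permissions beyond read/list: {extra}")
    if query.get("spr") != "https":
        # When spr is absent, both http and https are accepted for the token.
        problems.append("spr does not restrict the token to https")
    expiry_text = query.get("se")
    if expiry_text is None:
        problems.append("no expiry (se) present")
    else:
        expiry = dt.datetime.fromisoformat(expiry_text.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("SAS already expired")
        elif expiry - now > dt.timedelta(hours=max_hours):
            problems.append(f"expiry more than {max_hours}h away")
    return problems


def generate_sas_argv(account, container, blob, expiry):
    """az CLI argv that mints a read-only, HTTPS-only user-delegation SAS as a full URI."""
    return ["az", "storage", "blob", "generate-sas",
            "--account-name", account, "--container-name", container, "--name", blob,
            "--permissions", "r", "--expiry", expiry.strftime("%Y-%m-%dT%H:%MZ"),
            "--https-only", "--auth-mode", "login", "--as-user", "--full-uri",
            "--output", "tsv"]


def azcopy_download_argv(sas_url, destination):
    """AzCopy argv that pulls the blob; the SAS in the URL replaces any login."""
    return ["azcopy", "copy", sas_url, destination, "--check-md5", "FailIfDifferent"]


if __name__ == "__main__":
    for url in (GOOD_SAS_URL, BAD_SAS_URL):
        print(url.split("?")[1], "->", check_sas_url(url, now=REFERENCE_NOW) or "OK")
    print(" ".join(generate_sas_argv("evidence", "disks", "compromised.vhd",
                                     REFERENCE_NOW + dt.timedelta(hours=12))))
    print(" ".join(azcopy_download_argv(GOOD_SAS_URL, "/cases/2020-05/compromised.vhd")))
```

The check is deliberately strict: a token with write or delete permission, no https restriction, or a month-long expiry is rejected outright, because once the URL leaves your tenant you cannot take it back short of rotating the key or revoking the user delegation key it was signed with.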

So make sure you know your cloud environment, and start getting things in place to let you test and simulate incidents before you need them!


Daily Blog #693: Patent Powered

Daily Blog #692: Sunday Funday 5/3/20 - KnowledgeC on iOS Challenge


Hello Reader,
              Another week of fun and challenges! I'm really enjoying seeing all of you get into this, and I hope I find more time this week myself to do more testing. Let's face it, most of us are still at home, so why not turn some of your downtime into DFIR research time? This week we move over to MacOS aka OSX.

The Prize:

$100 Amazon Giftcard
An appearance on the following week's Forensic Lunch!

The Rules:

  1. You must post your answer before Friday 5/9/20 7PM CDT (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
KnowledgeC on iOS is a jam-packed knowledge resource, but on OSX it seems to be less used.
1. What does each table in the KnowledgeC database correspond to, activity-wise?
2. What data is logged in each table?
3. What data is not logged?
4. Is there a similar data source that would fill in the gaps?

Daily Blog #691: Solution Saturday 5/2/20 - Magnet DFIR CTF Winner


Hello Reader,
       This week a previous winner stepped up to the challenge. Not only have they won a Sunday Funday before, but they are also a Magnet DFIR CTF winner! This week Kevin Pagano stepped up and brought in the win with a good bit of research!

The Question:
Windows Timeline is an amazing source of user data; however, like all things, it has limitations. Answer the following questions:
1. How long after an action is taken is it committed to the Windows Timeline database?
2. What process and/or service creates the events?
3. What call do developers need to make to support it?
4. What is excluded?
5. When do events get removed?

The Winning Answer:
Kevin Pagano 


Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:

1. How long before an action is taken before it is committed to the Windows Timeline database

Almost instantly it seems, when running KAPE to test parsing the DB file, it actually wrote the kape.exe as the latest interaction.

2. What process and/or service creates the events

SVCHOST populates events into the ActivitiesCache database files. We can see a bunch of locks/unlocks through ProcMon:



3. What call do developers need to make to support it
Microsoft breaks this down in pretty good detail:


It uses the UserActivity API class object pulling in ActivityID, ActivationUri, and DisplayText as the minimum set. They also show all the code that is needed to add activities and adaptive cards to the Timeline. I am in no way a developer so this is all Greek to me.

4. What is excluded?

Applications that have activities that don't support using the API above won't be included in the GUI, but they are still written to the DB file.

5. When do events get removed?  
From Microsoft's site, items will be stored for up to 30 days (https://support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline), after which I assume they are deleted out of the database. There may be potential events you can recover from SQL slack. The user can also remove items as they see fit, but they might not be purged until the Expiration Time is up for each entry.

Parsing using Eric Zimmerman's WxTCmd, we can see this is true.
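As an added example (my code, not Kevin's answer and not WxTCmd), here is a check for the retention behaviour the answer describes: each row of the ActivitiesCache.db Activity table carries its own ExpirationTime, so an examiner can measure the retention window per row and spot rows whose expiry has passed but which are still present. It runs on a constructed in-memory stand-in; the column names (Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime, ExpirationTime), the Unix-epoch timestamps and the JSON shape of AppId follow published Timeline research but are assumptions here, and the ActivityType values in the sample rows are placeholders with no meaning attached.

```python
"""Retention check over an ActivitiesCache.db-style Activity table (constructed data)."""
import datetime as dt
import json
import sqlite3

DAY = 86400
# Fixed "now" so the sample rows evaluate the same way every run.
SAMPLE_NOW = dt.datetime(2020, 5, 2, tzinfo=dt.timezone.utc)


def build_sample_db(now):
    """Constructed stand-in for the Activity table; times are Unix epoch seconds."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE Activity (
        Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INTEGER,
        StartTime INTEGER, EndTime INTEGER, LastModifiedTime INTEGER,
        ExpirationTime INTEGER)""")
    n = int(now.timestamp())
    app = json.dumps([{"application": "kape.exe", "platform": "x_exe_path"}])
    rows = [
        # id, AppId, type, start, end, modified, expiration (start + 30 days)
        (b"\x01" * 16, app, 5, n - 2 * DAY, n - 2 * DAY + 60, n - 2 * DAY + 60, n + 28 * DAY),
        # Expired five days ago but never purged: the case Kevin's answer anticipates.
        (b"\x02" * 16, app, 5, n - 35 * DAY, n - 35 * DAY + 30, n - 35 * DAY + 30, n - 5 * DAY),
        (b"\x03" * 16, app, 6, n - 10 * DAY, n - 10 * DAY + 5, n - 10 * DAY + 5, n + 20 * DAY),
    ]
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", rows)
    con.commit()
    return con


def retention_report(con, now):
    """Per-row retention window and whether the row outlived its own ExpirationTime."""
    n = int(now.timestamp())
    report = []
    query = ("SELECT Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime, "
             "ExpirationTime FROM Activity ORDER BY StartTime")
    for row_id, app_id, _atype, start, _end, _modified, expiration in con.execute(query):
        report.append({
            "id": row_id.hex(),
            "app": json.loads(app_id)[0]["application"],
            "start": dt.datetime.fromtimestamp(start, dt.timezone.utc).isoformat(),
            "expires": dt.datetime.fromtimestamp(expiration, dt.timezone.utc).isoformat(),
            "retention_days": round((expiration - start) / DAY),
            "expired_still_present": expiration < n,
        })
    return report


if __name__ == "__main__":
    for entry in retention_report(build_sample_db(SAMPLE_NOW), SAMPLE_NOW):
        print(entry)
```

On a real ActivitiesCache.db, swap build_sample_db() for sqlite3.connect() on a copy of the file; rows flagged expired_still_present are the ones worth documenting, since their presence shows the purge had not yet run at acquisition time.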





Daily Blog #690: Forensic Lunch 5/1/20 - Oleg Skulkin (FeatureUsage), Brian Marks (Office 365), Lee Whitfield (Forensic 4Cast Nominations)



Hello Reader,
      This week the Forensic Lunch went into overtime! We went a full 25 minutes over the usual hour because we had so much to talk about. On this week's show:



You can watch the video here:
 https://youtu.be/g-CajSYPzYY