
Daily Blog #211: Sunday Funday 1/19/14 Winner!


Hello Reader,
           Another Sunday Funday come and gone, and more great information for everyone to benefit from. I liked this answer because it went into depth on the differences between versions of the OS and directly spoke to the questions being asked. I've been doing my own research into this issue that I'll be blogging about after the MTP series is finally completed, but this week's Anonymous winning answer best responded to the challenge posed.

The Challenge:
Since Windows XP we've been able to create a registry key that will treat USB devices as read only. Answer any or all of the following questions to show how well you understand that functionality:

1. How does the write blocking become effective between XP, Vista and 7? What steps need to take place between applying the registry key and the write protection coming into effect?
2. What Windows subsystem is enforcing the write protection?
3. What happens to USB devices already plugged in when the write protection is enabled?
4. Can anything bypass the write protection offered by this registry key?
5. Does this registry key protect MTP USB devices?
6. Why does this registry key not protect non-USB devices?

The Winning Answer:
Anonymous

1. How does the write blocking become effective between XP, Vista and 7? What steps need to take place between applying the registry key and the write protection coming into effect?
In Windows XP and later a user can add/modify the registry value “WriteProtect” found in HKLM\System\CurrentControlSet\Control\StorageDevicePolicies to enable write blocking for USB devices.
The StorageDevicePolicies key may not exist by default and must be added by an administrator. If the value is set to “00000001” then all newly connected USB drives will be write blocked.
In the test that I performed on Windows 7 the effect was immediate; however, according to an article on Howtogeek.com (1), on Windows XP a restart is required when the key is initially added.
1. http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/ - Note that the reg files provided are mixed up and the “EnableUSBWrite” file sets the key to 00000000.
2. What Windows subsystem is enforcing the write protection?
Unsure.
The Plug-and-Play manager receives notification that a drive has been connected and then queries a number of keys in the SYSTEM hive. I imagine that it looks for the StorageDevicePolicies key if it exists and acts accordingly.
2. Windows Registry Forensics, Carvey, p 110.
3. What happens to USB devices already plugged in when the write protection is enabled?
If a USB device is currently connected when the registry key is changed it will remain writeable until it is removed and reconnected.
4. Can anything bypass the write protection offered by this registry key?
Yes, using a hex editor will bypass this kind of write protection (but not a physical write blocker).
5. Does this registry key protect MTP USB Devices?
No.
I performed a quick test using my Nexus 5 and saw that it mounted as a portable device. I then successfully copied a file onto the device even though write protection was enabled.
6. Why does this registry key not protect non-USB devices?
Unsure.
I imagine it has something to do with the way that Windows checks the registry key before it mounts USB drives but not before it mounts hard drives or portable devices.
It is possible to write protect hard disks using diskpart.
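As an added example (not part of the original post or the winning answer), here is a PowerShell audit script that reads and sets the WriteProtect value described above and then lists what the policy does and does not reach: USB disks attached right now, which keep their current state until reconnected, and portable (MTP) devices, which the key never covers. It assumes an elevated session on Windows 7 or later; Win32_DiskDrive and Win32_PnPEntity are standard WMI classes, and the GUID used is the standard device setup class for Windows Portable Devices.

```powershell
# Added example: audit/set the StorageDevicePolicies\WriteProtect value.
# Assumes an elevated PowerShell session. Get-WmiObject is used rather than the
# Storage module so the script also runs on Windows 7 / PowerShell 2.0.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns Enabled / Disabled / ValueMissing / KeyMissing so an audit can act on each case.
    # The key does not exist by default, so "missing" is the normal state on a fresh install.
    if (-not (Test-Path $policyKey)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $policyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    if ($item.WriteProtect -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    # Create the key if absent, then write the REG_DWORD: 1 = block writes, 0 = allow writes.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'WriteProtect' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Get-AttachedUsbStorage {
    # USB mass-storage disks present right now. Per answer 3 they keep whatever state
    # they were mounted with until unplugged and reconnected, so list them on every change.
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Index, Model, PNPDeviceID
}

function Get-AttachedPortableDevices {
    # Windows Portable Devices (MTP/PTP phones, cameras). Per answer 5 these are not
    # mounted as disks and StorageDevicePolicies does not apply to them at all.
    # {eec5ad98-8080-425f-922a-dabf3de3f69a} is the WPD device setup class GUID.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq '{eec5ad98-8080-425f-922a-dabf3de3f69a}' } |
        Select-Object Name, PNPDeviceID
}

# Audit run: show the policy state, then what the policy does and does not reach.
"WriteProtect policy: $(Get-UsbWriteProtect)"
"USB disks attached now (unaffected until reconnected):"
Get-AttachedUsbStorage | Format-Table -AutoSize
"Portable (MTP) devices attached now (never covered by this key):"
Get-AttachedPortableDevices | Format-Table -AutoSize
```

Run `Set-UsbWriteProtect -Enabled $true` to turn the policy on, then re-run the audit and reconnect any USB disk it listed so the new state takes effect.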


Also Read: Daily Blog #210  

Daily Blog #210: Sunday Funday 1/19/14 - Windows XP Registry Key Challenge


Hello Reader,
       If you watched the lunch this week you heard Sarah Edwards discuss her OSX class and a great conversation with Craig Ball regarding his work as a special master and other topics. One of the things Craig and I discussed was the need for passion and deep knowledge in forensics, so I thought I'd let this week's challenge give you a chance to show your deep knowledge.

The Prize:
The Rules:
  1. You must post your answer before Monday 1/20/14 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
Since Windows XP we've been able to create a registry key that will treat USB devices as read only. Answer any or all of the following questions to show how well you understand that functionality:

1. How does the write blocking become effective between XP, Vista and 7? What steps need to take place between applying the registry key and the write protection coming into effect?
2. What Windows subsystem is enforcing the write protection?
3. What happens to USB devices already plugged in when the write protection is enabled?
4. Can anything bypass the write protection offered by this registry key?
5. Does this registry key protect MTP USB devices?
6. Why does this registry key not protect non-USB devices?

Also Read: Daily Blog #209

Daily Blog #209 Saturday Reading 1/18/14

Saturday Reading  by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
     The DFIR world has been busy this week! I have so many links for you to look at that it might take you into Sunday! So put on a full pot of coffee, because it's time for links to make you think on this week's Saturday Reading.

1. Did you know we do a live Google On Air Hangout every Friday called the Forensic Lunch? We do! This week our guests were:
Sarah Edwards talking about her OSX Forensics class for SANS; sign up for the beta here: http://computer-forensics.sans.org/blog/2014/01/14/introducing-mac-forensics-the-new-sans-dfir-course-in-beta-starting-in-april-2014

Craig Ball talking about his work as a Special Master within the Civil Courts and his perspectives on DFIR, you can read more from Craig at his website: http://craigball.com/

Matthew and I talking about the v3 Beta, the NCCDC Red Team intern position opening for CCDC alumni and more.

2. The Volatility team is always coming up with new and cool tools. This week's post is no exception; click the link to read how to recover TrueCrypt keys from memory! http://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html

3. This post on the securosis blog, https://securosis.com/blog/cloud-forensics-101, is a great primer for those of you having to do an examination on an AWS (Amazon Web Service) virtual instance.

4. Corey has really been doing some seriously good posts lately, and this post about tying together all the sources of program execution is no exception; read it here: http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html


5. I mentioned this post in the Forensic Lunch and I'll probably write about it again next week. The team that runs the National Collegiate Cyber Defense Competition has put together an 'intern seat' on my red team at nationals, open to alumni of the CCDC games. If you qualify, go here to find out how to apply and join Team Hillarious (two L's because we are extra funny): http://www.nationalccdc.org/blog/do-you-want-to-be-the-1st-red-team-intern/

6. I tend not to talk about malware and IR much, as this is a digital forensics blog for the most part, but I don't think any of us aren't fascinated by the Target breach. Brian Krebs has two great articles up looking into what he's uncovered: Part 1 is here http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/ and Part 2 is here http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/

7. To follow up on Brian Krebs' post on the Target breach, here is the Volatility team's write-up on the POS malware and the technique of RAM scraping: http://volatility-labs.blogspot.com/2014/01/comparing-dexter-and-blackpos-target.html

8. Willi Ballenthin has released three tools this week; you should go get all of them... right now: http://www.williballenthin.com/blog/2014/01/16/tool-release-fuse-mft/
http://www.williballenthin.com/blog/2014/01/15/tool-release-list-mft/
http://www.williballenthin.com/blog/2014/01/13/tool-release-get-file-info/

9. If you have to talk to lawyers regularly in your work you may have been asked how many boxes of paper X data would represent. Craig Ball has a new post up where he examines the issues in answering this question: http://ballinyourcourt.wordpress.com/2014/01/15/revisiting-how-many-documents-in-a-gigabyte/

10. Jesse Kornblum has a quick post up pointing to a new capability on hashsets.com to search the NSRL online; that's seriously cool. http://jessekornblum.livejournal.com/295268.html
 
11. I do a lot of examinations of MS Office documents, so when I see a blog post regarding new findings in them I pay attention. Check out this post on Jason Hale's blog to learn about some new artifacts in MS Excel 2013: http://dfstream.blogspot.com/2014/01/ms-excel-2013-last-saved-location.html

12. Harlan has a new post up this week discussing the gap, or disconnect, between those doing IR and those reverse engineering the malware that responders find. In it he argues for the integration of these two distinct roles, or at least communication between them, to allow both parties to do their jobs better. http://windowsir.blogspot.com/2014/01/malware-re-ir-disconnect.html

That's all for this week, keep up the great work out there! Make sure to come back tomorrow for a chance to win a write-protectable USB 3 flash drive on Sunday Funday!

Also Read: Daily Blog #208 

Daily Blog #208: Forensic Lunch 1/17/14 - Discussion with Sarah Edwards, Craig Ball, and Matthew

Forensic Lunch by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,

This week we had another great Forensic Lunch. We had:

Sarah Edwards talking about her OSX Forensics class for SANS; sign up for the beta here: http://computer-forensics.sans.org/blog/2014/01/14/introducing-mac-forensics-the-new-sans-dfir-course-in-beta-starting-in-april-2014

Craig Ball talking about his work as a Special Master within the Civil Courts and his perspectives on DFIR, you can read more from Craig at his website: http://craigball.com/

Matthew and I talking about the v3 Beta, the NCCDC Red Team intern position opening for CCDC alumni and more.

CCDC Alumni can apply for the red team intern slot here: http://www.nationalccdc.org/blog/do-you-want-to-be-the-1st-red-team-intern/

Also Read: Daily Blog #207

Daily Blog #207: SWGDE new best practices published

SWGDE new best practices published

Hello Reader,
            If you've followed the blog for a while you know that I am a member and a supporter of the efforts of the Scientific Working Group on Digital Evidence (SWGDE). We just finished up our meeting for the quarter and two documents have left public comment status:

This document provides tech notes on the examination of OS X systems:

https://www.swgde.org/documents/Released%20For%20Public%20Comment/2013-09-14%20SWGDE%20Mac%20OS%20X%20Tech%20Notes%20V1V1

This document makes examiners aware of potential issues with UEFI in imaging:

https://www.swgde.org/documents/Released%20For%20Public%20Comment/2013-09-14%20SWGDE%20UEFI%20Effect%20on%20Digital%20Imaging%20V1

and moved into official public documents.

One document that should be released for public comment in the next few weeks is a best practices for dealing with skimming devices. When it's up for review I'll link it so you can join in on the public comment period with any concerns or suggestions you have.

I like SWGDE because they are working hard to put out good best practices, training guidelines, and guidance to those of us in the field. SWGDE has put out a lot of great information, which you can see here: https://www.swgde.org/documents/Current%20Documents

For those of you like me who are in the private sector, you should know that SWGDE now allows us full membership. If you want your input and ideas to be included in future SWGDE documents you should consider filling out a guest request:

https://www.swgde.org/documents/Application%20and%20Nomination%20Forms/Guest%20Invitation%20Letter%20Request%20(pdf)

and coming to a meeting to see if it's for you.

Also Read: Daily Blog #206

Daily Blog #206: Download our Multi Boot USB Drive

Download our Multi Boot USB Drive - David Cowen HECF Blog


Hello Reader,
        Many of you have expressed interest in our project to create a thumbdrive that can boot multiple live distributions and also have a live response toolkit partition. In fact yesterday's blog showing how to create your own has been one of the more popular posts this year. I thought I would follow that up with a link to download the thumbdrive image we've already made, so you can use ours if you don't want to make your own. You can download it here:

Update 1/23/14: Google Drive was shutting down the link due to excess traffic from the size and number of concurrent downloads. Here is a new link from Mega, which is claiming to give me 46TB of bandwidth.

https://mega.co.nz/#!3pIUQbzL!aM9VOSTWYNCoSb64TZZfQjOHML9vBZqT4tyctkegV3o


Things to know:
1. This thumbdrive image when restored is not write protected. If you want write protection against whatever nastiness is on the live system you plug it into, get a thumb drive that has a write protect switch. The Kanguru SS3 http://www.amazon.com/Kanguru-Flash-Physical-Protect-switch/dp/B008OGNM8E/ref=sr_1_1?ie=UTF8&qid=1389798136&sr=8-1&keywords=kanguru+ss3 is the drive we are testing with and having good success with.

2. We removed Kali Linux from the image until we understand the licensing issues of some of the bundled software. We've emailed them asking for clarification and if we are free to redistribute their ISO in our image I'll update the link.

3. The live response partition is fat32, and contains directories for osx/linux/windows natively compiled tools.

4. We are not responsible for any issues that arise in the use of this; it is not a commercial or supported product. If you have questions you are welcome to send them to info@g-cpartners.com, but understand that this is just a fun side project for us right now that we thought others would find useful.

Have an ISO or tool you think should be included? Please leave a comment below and we'll see if it will work!

Daily Blog #205: How to make your own Multi Boot Thumbdrive

How to make your own Multi Boot Thumbdrive

Hello Reader,
          If you watched the Forensic Lunch last week you would have seen us demonstrate a multi boot USB key we've made. While we work out any potential licensing or permission we need to receive before we distribute someone's work, I thought it would be helpful to explain how we did it so you can do it as well. So here is what Kevin Stokes in our lab wrote up:

In this walk-through, I’ll show you how to create a multi-boot USB drive to carry lots of great DFIR tools, or whatever else you want.

We started with a USB 3.0 32GB thumb drive. They are very cheap nowadays. You can use a smaller drive; we actually still have a lot of extra space, but that does leave plenty of room for add-ons later.

To keep the tool compatible with older systems, we used FAT32 and added several Linux distros to cover many situations and configurations. Some of the distros will boot on USB 3 and some will not; however, they will all boot from USB 2. Here are the distros we are using:
  • SIFT 2.14
  • Kali Linux
  • Paladin 5
  • Raptor 3


These will give a lot of compatibility with multiple systems and many tools for multiple situations. Paladin and Raptor will even boot on Mac systems. Feel free to add your favorite!

To make this tool even more versatile, we added a second FAT32 partition for any other tools we wanted to have available, such as tools for Windows systems like the SysInternals Suite and FTK Imager Lite, among many others.

You can partition it with whatever tool you find that will partition removable drives. I chose EaseUS Partition Master Free Edition, which has been pretty easy. It is recommended that you make all your partitions Primary, however, as apparently Windows will only look at the first Primary partition on a removable drive. We can use another program called RMPrepUSB to switch the order of the active partitions (Ctrl-O) so we can manipulate each partition individually. RMPrepUSB will do many of the other steps we need, too; however, I found the other tools more intuitive, though I did not find another tool that would swap the order of the partitions, which we will need.

Once you have the thumb drive partitioned how you like, use XBoot to create the multi-boot partition.  When you add the ISO file to XBoot, select “ISO files which support Live-media-path kernel parameter”. 


Then add as many distros as you would like, in this manner. Once you have all your distros added, you can select “Create USB”, and a pop-up will appear to select the USB drive (make sure you get the right one!). The Syslinux bootloader is recommended for FAT32. Select “OK”, and it will begin to create your bootable partition and add the distros you selected. Be sure to test this out! You can use QEMU to test.

It’s not difficult to edit the menu; just grab a text editor and make adjustments to the right .cfg files. For the image, I merely edited the default xboot.jpg image. It’s a fun way to further customize your toolkit. Add some extra information to assist you in choosing the right tool for the job. For example, so far in my testing only Paladin and Raptor would boot on a Mac Mini here in the lab, so I added that information to save time and trouble later.

To add tools to the second partition, use the RMPrepUSB tool (option Ctrl-O) to switch the partition that Windows is showing you.


At this point you have access to the non-boot partition; just add whatever you would like. There are many portable apps available. I’d recommend, considering the forensic use of this device, that you create a separate folder for any programs that require installation, or just leave them out.

To keep the drive bootable and to always have access to the non-boot partition in Windows, make sure once you have finalized your customizations that you have the non-boot partition set as the first Primary partition. That way Windows will always find it. The computer will still see the boot partition when you’re booting from the thumbdrive, assuming you have the BIOS set up right.


Also Read: Daily Blog #206 - Download our Multi Boot USB Drive

Daily Blog #204: Sunday Funday 1/12/14 Winner!



Hello Reader,
          I thought this week's challenge would have gotten more of you to write in with your best stories. Instead I received just one submission that was willing to tell a story, and in return he just won a $1495 ticket to the SANS DFIR Summit. Take this as a lesson: if your answer or response isn't in your mind the greatest thing ever ... it may be enough to win! I'll take care of filling in the details you missed in later blog entries.

The Challenge:
Write up your most challenging DFIR case, how you overcame the obstacles, and the outcome. I'll take the best cases based on our opinion and open it up for voting to all of you to pick the winner. Any kind of DFIR case is valid here; there are no boundaries on what makes something a good case. We will be judging your case with the following criteria to determine the cases to vote on:
1. Technical Challenges faced
2. Novel solutions
3. Result of your work
4. Interesting scenario
The Winning Answer:

This was one of my first DFIR experiences, so I learned a lot from it, and it gave me my first taste of and desire to get into IR and forensics.

I was working as an NT Server administrator for a dot com back in the late 90s/00s. The security team for the company was contacted by a three letter agency: our IP addresses had been seen as part of another case they were working on, which led them to believe we had a compromised host. The IP address given to us was of course the one and only email server for the entire company. We had a dedicated security team but they were all Linux guys and we were using NT4 and Exchange 5.5 for email. Being the lone Windows admin meant the investigation fell upon me. I was told to make sure the investigation was in-depth, as if it wasn’t then there was a chance the three letter government agency may come in and seize the equipment.

First the technical challenges faced:


This was a long time ago and DFIR is not what it is today; the tools, documentation, etc. were not what they are today, so one of the first challenges was having to make it up as I went along. Since it was a mail/web server it obviously had several paths of entry. First I went and logged directly into the server from the console and began looking at running processes and other active sessions on the system. I ended up finding Serv-U FTP had been installed and had a user list with accounts that were all using leetspeak. Luckily the ports being used for Serv-U FTP were blocked at the firewall, so it had only been installed but wasn’t able to be accessed. As part of the investigation I also ran into a folder that was flagged as hidden, and no matter what I did to change permissions I could not access it.

Novel solution:


After trying several methods to access it I dug out an old copy of a DOS-based file/folder viewer. It somehow was able to ignore permissions, flags, etc. and allowed access to it. Within the folder I was able to find a clear text log file: msgina.dll had been replaced, and any accounts that had logged directly into the console had been logged with their password in clear text! This was both good and bad, as it was the first time I had seen my own account and the domain admin account in a clear text keylog file. This of course led to more efforts, and we had to force password changes on every account, service, etc.

Results of the work:


Since the server was obviously compromised the end result was the decision to wipe and rebuild the server. Of course this was all decided on a Friday afternoon, and it was my task to now figure out how to wipe the OS, rebuild it, retain all the MS Exchange databases, and have it all back clean and working by Monday morning to minimize the impact to the company. Given this scenario I made my first and only call to Microsoft to get exact, detailed directions from them on the process of rebuilding an Exchange server while retaining all the mail databases. Just to ensure I could successfully do this, I took the process and verified I could complete it using other hardware before I completely wiped the lone corporate mail server. After a very late night on Friday I had success, and came back in the next day to repeat the process on the real server. In the end the agency didn’t come take away our mail server, I got to learn more about IR and Exchange, and I ended up finding an interest in the security side of IT. So to whoever it was all those many years ago, thanks for helping me find the desire and interest in having a career in DFIR.

TL;DR: Bad guys own company mail server, server admin thrown into DFIR and decides to make a career of it.


Also Read: Daily Blog #203