Friday, October 8, 2010

"Perl's" of Wisdom

I spent the afternoon prepping a laptop to take with me when I work cases on the road. If you've read some of my earlier posts you know that I really like open source tools.

RegRipper, The Sleuth Kit, UnxUtils, F-Response (not open source but worth every penny) and ImDisk are just a few of the indispensable tools that I think you should be using if you're serious about forensics. This is not to say that you have to jump off the deep end and run everything from a Linux box. I'm not afraid to admit that I like to use Windows on my laptops. I'm not even afraid to admit that I like Windows XP.

Here's what I don't like:

I don't like switching back and forth between machines to accomplish basic tasks, even if it's just popping open a VM and minimizing it again. Lame, hate it, I want to be able to do everything from one machine. Why? I guess I'm just lazy and stuff. I don't want to bring 4 laptops with me to work a case. But I do want to be able to solve it while I'm on site.

So here we go. If you want to crack off a timeline while those disks are imaging, I only know one way: F-Response and Perl scripts. F-Response lets you deploy a tiny little client to each workstation, terminal, server or whatever it is you want to image, and suck all that data down to a single point. This is infinitely easier than attaching a hard drive to every machine in an environment, and it gets better.

The added bonus of F-Response is that it offers up a live, read-only environment to play with while that painfully slow image is running.

It really is this easy:
Load up F-response listener 
Deploy client to nearly any OS in existence
Push start
Run your favorite imaging client (I like FTK lite)
Image hard drives from a single point on the listener.

Here's the bonus. On the same machine that functions as the F-Response listener, you have a mapped drive to the same physical disks that you are imaging. They show up as regular mapped drives! E:, F:, G:, all read-only and there for you to get your forensics on.

Want a sneak peek at your timeline? Bam! Point fls at one of those mapped drives (E: here; the quotes around the mount prefix have to go, since cmd.exe would pass them through literally, and -r is what makes it walk the whole tree):
fls -r -m C:\ -f ntfs \\.\E: > bodyfile

Want to do a little password crack-a-lackin? Done! Use Ftk-Lite and extract that SAM hive.
Drop those hashes into Ophcrack and watch those default passwords appear before your very eyes.

This is not to say it's all a cakewalk. Thanks to Harlan there are some awesome perl scripts floating around the internet that will help you. Forcing these scripts to work on a Windows box can be a chore. Trust me, I just spent half my day proving it.

Case in point:  
This is Harlan's superfly, TNT Perl script that shreds all of the registry hives (including NTUSER.dat) and spits them out in standard bodyfile format. (Go back a few months and see my post on super timelines for how to use it.)
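Because fls -m and Harlan's script write the same pipe-delimited bodyfile format, one consumer works for both outputs. The following is an added example of mine, not code from the post, from Harlan or from The Sleuth Kit: it parses TSK 3.x bodyfile lines and folds each row's four timestamps into mactime-style "macb" events. The two input lines are constructed for the example (one file-system entry as fls -m would write it, one registry-key entry in the style of a Perl regtime script, which fills only mtime with the key's LastWrite time and leaves the rest at 0).

```python
"""Parse TSK 3.x bodyfile lines and fold them into a mactime-style timeline.

Bodyfile field order (fls -m, regtime-style Perl scripts and friends all emit this):
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
"""
import datetime

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample input (not real case data): a file-system line and a
# registry-key line that only carries the key's LastWrite time in the mtime slot.
SAMPLE_BODYFILE = """\
0|C:/WINDOWS/system32/drivers/etc/hosts|1234-128-3|r/rrwxrwxrwx|0|0|734|1283200000|1283199000|1283199000|1283199000
0|[HKLM] SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|0|0|0|0|0|0|1283199000|0|0
"""


def parse_bodyfile(text):
    """Return one dict per bodyfile line; blank lines and '#' comments are skipped."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(parts)))
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Collapse each row's timestamps into (epoch, 'macb' flags, name) events.

    Flags that land on the same second for the same name are merged into one
    event, which is what mactime does when it prints 'm.cb' style lines.
    """
    flags_at = {}
    for row in rows:
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if row[key] == 0:          # 0 means "no such timestamp" in TSK output
                continue
            flags_at.setdefault((row[key], row["name"]), set()).add(flag)
    timeline = []
    for (ts, name), flags in sorted(flags_at.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, name))
    return timeline


def format_timeline(timeline):
    """Render events as 'YYYY-MM-DD HH:MM:SS macb name' lines, in UTC."""
    out = []
    for ts, macb, name in timeline:
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
        out.append("%s %s %s" % (when.strftime("%Y-%m-%d %H:%M:%S"), macb, name))
    return out


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

Run it as-is and the registry key's LastWrite lines up on the same second as the file's modification, which is exactly the kind of correlation a super timeline is for; feed it a real bodyfile by swapping SAMPLE_BODYFILE for the file's contents.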

The only two places I know of to get it from are Harlan's email and the SIFT workstation. I didn't want to bug my mentor's mentor too much so I chose the SIFT download. 1.5 GB later I had all the contents of /usr/local/src/windows-perl saved to my desktop.

Easy, right? Install ActivePerl from the website and go?



No biggie, I'm missing a perl dependency right?  BONK!
There's something wrong with the script? BONK!
Something got screwed up when I copied it over from Linux? BONK!
My Perl environment is not the polished marble that Harlan's is? Well, maybe.... BONK!

WTH is going on here? Thought 1 turns out to be correct. This is a dependency issue. Even after you've been through your environment 10 times and all your dependencies look sweet, the file is in the right path and you've contacted the developer because you've ruled out everything else (sorry Harlan, I owe you expensive scotch when we finally meet). It's really very clear in all of its Perly non-clarity. It can't locate Parse/ and this is clearly a misplaced file in a directory path, right? Not exactly.

Try this.
From the command line type "ppm" for the Perl Package Manager, go to View and check "All packages". Glory, Glory, Hallelujah. There's a package called Parse-Win32Registry. Right click and install that bad boy.

Now when you try that mystical command it coughs up a perfect bodyfile.

Coders are a bubble off; I'm telling you.

Next trick:  Path variables.

The command "dir" sucks; "ls" does not.

ls, grep, cat, and a whole host of others are available in the UnxUtils package. Go download it and install it, and while you're on the web grab strings and grep.

Once you've got all these ported apps installed you don't want to cd into a specific directory to use them right?  You want to be able to use the command like you're the one in control.

Editing your $PATH is the answer.

Right-click My Computer and go to Properties, then "Advanced", then "Environment Variables".

Highlight "PATH" and click edit.  Use a semicolon as a separator and add the full system path to your sexy new executables.

Pretty soon your path can look like mine:

C:\Python26\Scripts;C:\Python26\;C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin;C:\Tools\UnxUtils\usr\local\wbin;C:\Program Files\GnuWin32\bin;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin

And my $PATH is dead sexy.
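A PATH that long is worth auditing, because the search order decides which copy of a tool actually runs (UnxUtils and GnuWin32 both ship a grep, for example) and a stale or duplicated entry is easy to miss by eye. The following is an added example of mine, not code from the post: it splits a Windows PATH string, expands %VAR% references, reports duplicate and missing entries, and resolves a program name the way cmd.exe's left-to-right search would. It uses the post's own PATH as sample input; the directory listing it consults is a constructed stand-in so the script runs offline, and you can drop back to the real os.path.isdir and os.listdir on the machine itself.

```python
"""Audit a Windows PATH string: duplicate entries, missing directories, and which
copy of a tool cmd.exe would actually run (first match wins, left to right)."""
import os

# The PATH from the post, verbatim, used as sample input.
EXAMPLE_PATH = (r"C:\Python26\Scripts;C:\Python26\;C:\Perl\site\bin;C:\Perl\bin;"
                r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;"
                r"C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin;"
                r"C:\Tools\UnxUtils\usr\local\wbin;C:\Program Files\GnuWin32\bin;"
                r"C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin")

# Constructed stand-in for the real disk (directory -> files in it) so the audit
# runs anywhere; replace with os.path.isdir / os.listdir on the actual laptop.
FAKE_FS = {
    r"C:\WINDOWS\system32": ["cmd.exe", "find.exe"],
    r"C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin": ["fls.exe", "mactime.exe"],
    r"C:\Tools\UnxUtils\usr\local\wbin": ["ls.exe", "grep.exe", "cat.exe"],
    r"C:\Program Files\GnuWin32\bin": ["grep.exe", "strings.exe"],
}


def normalize(entry):
    """Windows paths are case-insensitive and a trailing backslash is not significant."""
    return entry.rstrip("\\").lower()


def fake_isdir(path):
    return normalize(path) in {normalize(d) for d in FAKE_FS}


def fake_listdir(path):
    for d, names in FAKE_FS.items():
        if normalize(d) == normalize(path):
            return names
    return []


def split_path(path_string, env=None):
    """Split on ';', drop empty pieces and expand %VAR% references from env."""
    entries = []
    for raw in path_string.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        for var, value in (env or {}).items():
            entry = entry.replace("%" + var + "%", value)
        entries.append(entry)
    return entries


def audit_path(path_string, env=None, isdir=os.path.isdir):
    """Return (entries, duplicates, missing).

    duplicates: later copies of an entry already seen earlier in the PATH
    missing:    entries that do not exist as directories
    """
    entries = split_path(path_string, env)
    seen, duplicates, missing = set(), [], []
    for entry in entries:
        key = normalize(entry)
        if key in seen:
            duplicates.append(entry)
        seen.add(key)
        if not isdir(entry):
            missing.append(entry)
    return entries, duplicates, missing


def which(exe, entries, listdir=os.listdir):
    """First PATH entry holding exe (case-insensitive): the copy cmd.exe would run."""
    for entry in entries:
        try:
            names = listdir(entry)
        except OSError:          # a PATH entry that does not exist is simply skipped
            continue
        if exe.lower() in (n.lower() for n in names):
            return entry
    return None


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\WINDOWS"}
    entries, dups, missing = audit_path(EXAMPLE_PATH, env, isdir=fake_isdir)
    print("duplicates:", dups)
    print("missing:   ", missing)
    for tool in ("fls.exe", "grep.exe", "strings.exe"):
        print("%-12s -> %s" % (tool, which(tool, entries, fake_listdir)))
```

Against the post's PATH the audit flags the second sleuthkit bin entry as a duplicate and shows that "grep" resolves to the UnxUtils copy rather than the GnuWin32 one, simply because UnxUtils comes first; reorder the entries if you want the other build.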

Saturday, October 2, 2010

Best. Job. Ever.

So, I promised exciting news last post and then it dawned on me that it's only exciting to my family and I. Sorry for the letdown.

I started my new job on Monday the 27th. Not just any old new job, but a job with Trustwave's SpiderLabs. If you don't know who or what SpiderLabs is, start with the company webpage, then look at all the DEFCON talks, whitepapers, blogs and everything else these guys are responsible for. They are the top Incident Response and Computer Forensics team in the country (my opinion of course) and I am absolutely stoked about joining them.

How on earth did I land a job with Trustwave?

For starters I have a lot of very relevant experience. I can walk into a server closet and discern what goes to what and why within a few minutes. This is important when every case situation is a total unknown.

I also went out of my way on my own dime to go to DEFCON and meet prospective employers. I shook a lot of hands, bought some drinks and asked some good questions. (see: networking)

I got certified earlier this year(see my earlier posts on studying for the GCFA) and started a forensics division at my former employer, business was just starting to build up when I got this offer.

Lastly, I may be the single luckiest person I know!  Timing, luck and a personal relationship with one of their senior consultants all came together at just the right time and led to job interviews. The rest is now history.

So what's a new guy learn on his first 2 cases?

1) People are still making the same simple mistakes when it comes to System Administration and auditing. Plain and simple. If you open RDP, PCAnywhere or VNC up to the internet and leave a weak, default or blank password, consider yourself pwned!

2) Hackers are getting better and better at disguising malware as valid processes. I can't go into a lot of detail here but plain sight is still the best hiding place of all.

3) P.O.S. integrators are screwing their customers! This is not to say that there are not some good integrators out there, but seriously, you cannot just drop these systems into place and pay absolutely no attention to the basic security fundamentals. When you do, you wind up costing your customers tens and possibly hundreds of thousands of dollars in investigations and fines.  Buck up! Put in a Netgear Prosafe for $85 and change those default passwords......or don't, I guess it's job security.

Thanks for following along.


Thursday, September 9, 2010

A little more love for DEFCON 18

DEFCON featured a number of talks about the Zeus trojan and for good reason. I think it's the most sophisticated mass-use malware ever written.  It can keylog, hoard your credit card numbers and even join you to a global botnet. Fun stuff huh?

Its currently known variants are Zbot, PRG, Wsnpoem, Gorhax and Kneber.

It can be very difficult to detect and remove because, every time you infect a machine, the signature changes. It's mass customization for malware! The full package comes with a PHP and SQL command-and-control web center for managing your unruly botnet, as well as software for generating your very own custom malware. How much would you pay for this crystal-clear wonder? $4999? $3999? Nope, it can be yours for the low, low price of $500-$700 on the software black market. (It should be noted that the latest version may cost you a few thousand.)

So why do we care as forensic analysts?  

There are a couple pieces here:

1. It steals credentials and credit card data. Steal enough credit card data and the Feds will be hunting for you. This may lead to a forensic analysis of a host and Zeus is being found in the wild at credit card breaches. (I have it from an excellent source....)

2. Most commercial antivirus scanners will not detect or remove Zeus from an infected machine. These scanners are signature based (for the most part) and as I said before "every time you infect a machine, the signature changes".  

So now what? 

Forensic tools to the rescue!  

There are a number of ways to detect Zeus using a fairly common suite of forensic tools. I am not going to rehash someone else's work here. Kevin Stevens and Don Jackson have a fantastic write-up on Zeus and its variants at the SecureWorks website.

There is also a forensic breakdown of infected keys and tool usage here. Really nice job, Tyler. Most of this paper is based on results from memory analysis using Volatility.

And what blog would be complete without mentioning RegRipper? There is a third-party plugin called userinit that was written to find "urlzone" trojans. As a side effect it parses the same Winlogon Userinit value (in the SOFTWARE hive) that the sdra64 binary attaches itself to.
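The reason that plugin catches sdra64 is worth seeing in code: Winlogon runs every comma-separated program named in the Userinit value at logon, and the infection simply appends its own executable after the stock userinit.exe. The following is an added example of mine, not the RegRipper plugin and not code from the post: it pulls the Userinit value out of a .reg export of the Winlogon key and reports anything other than the expected %SystemRoot%\system32\userinit.exe, including the case where the stock entry has been replaced outright. The .reg text is constructed for the example and the system root is assumed to be C:\WINDOWS.

```python
"""Flag unexpected entries in the Winlogon Userinit value (SOFTWARE hive).

Winlogon executes each comma-separated entry at logon, so an extra path here
is a persistence mechanism; the only entry that belongs is userinit.exe.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export of an infected Winlogon key (sample, not real case data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
'''


def parse_userinit(value):
    """Split the value on commas; Windows ignores the empty piece after the trailing comma."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (stock userinit.exe present?, list of every other entry).

    Comparison is case-insensitive because Windows paths are.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    entries = parse_userinit(value)
    present = any(e.lower() == expected for e in entries)
    extras = [e for e in entries if e.lower() != expected]
    return present, extras


def userinit_from_reg_export(reg_text):
    """Find the Userinit value inside the Winlogon key of a .reg export.

    .reg files double every backslash inside string values, so they are
    collapsed back to single backslashes before returning.
    """
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON_KEY.lower()
        elif in_key:
            m = re.match(r'"Userinit"="(.*)"$', line)
            if m:
                return m.group(1).replace("\\\\", "\\")
    return None


if __name__ == "__main__":
    value = userinit_from_reg_export(SAMPLE_REG)
    present, extras = check_userinit(value)
    print("Userinit:", value)
    print("stock userinit.exe present:", present)
    for e in extras:
        print("UNEXPECTED logon program:", e)
```

On a live box the same check can be pointed at the output of reg export for that key; on an image, at the value a hive parser such as RegRipper hands back. Either way, anything in the extras list deserves a look.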

That's it for me. I'm spending a lot of time studying for the CISSP exam.

Exciting news next post......

Good Luck.

Thursday, August 12, 2010


I went to DEFCON 18 (Barely Legal) 2 weeks ago. It was a great con and I can't wait for next year. The sheer brainpower on display in that hotel was impressive.

I saw some great presentations on everything from forensic methodology to custom malware, met some feds, and watched ReL1K pwn him some Windows 7 boxes with powershell (seriously nice work on the Social Engineering Toolkit).

I even got to see Hope Dworaczyk (Playmate of the Year) get awarded "Best Reason To Get Malware" by the guys from Barracuda labs.  Friggin' sweet!

If you've never been, GO!  It's an educational experience to say the least. Seriously, who knew you could get a mohawk to stand up over two feet tall?

There are some very cool things on the horizon for the internet:

Dan Kaminsky demo'd DNSSEC. Finally, a way to actually prove that an email, website or any other electronic communication actually came from who it said it did! Dan is a stinkin' genius by the way. I look forward to his next project, whatever it is.

Anybody heard about this whole "smart grid" thing? It's going to suck. Every single "smart" device out there is going to be a hacker's dream. One guy put up a presentation called "iBurglar". It's a web script that will parse the power usage data that people post on Twitter, Facebook, etc. It will turn around and produce a calendar of the best times to rob that person. Dude was not a burglar, he was just trying to make a point about how dumb it is to put that kind of personal information out there. It worked! Smart grid + dumb people = problems.

There were several talks about SCADA systems and their importance in the future of cyberwarfare. SCADA systems are web-enabled controls for our public infrastructure that can be tampered with to create "weapons of mass distraction". I doubt that they could ever be used to do any catastrophic damage, but they could be used to throw the general public into a tizzy.

Spiderlabs says "All your droid are belong to us"  Thanks for letting me think that my droid was secure for the first 6 weeks I had it anyway......jerks.

More on DEFCON next week.

Did you know that the Zeus trojan has a web command center and a GUI for creating new versions? Ridiculously easy to own your own botnet!

Sunday, July 18, 2010


I haven't posted in a while so I asked my 6 year old boy what he thought I should write about.

"Ghosts!" was his immediate and emphatic answer. I don't know how to explain to him that my blog is about digital forensics and related topics, so here I am writing about ghosts. A ghost, as I understand it, is a physical manifestation of a person's soul after their body has died. I myself have never witnessed said manifestations, but I have had some pretty damn weird stuff happen to me in one of my homes and in the cave I worked at when I was a teenager. For the record, ghosts don't exist.

Neither do entry-level jobs for forensic analysts without a bachelor's degree.

I may have more luck looking for a forensics job if I ever decide to leave Montana. That's not a decision I ever want to have to make. Simply put, this place rocks!  So what's a guy do to try to make himself more marketable?  Certification and Education are a good place to start.

I have been studying for the CISSP exam for the last several weeks and plan to take the exam in September. CISSP also counts for  several credits towards a Bachelor's degree in Information Assurance and Security.


I Hated (yes, capital H) high school but I tried to go to community college right afterward, anyway.  I wound up feeling like it was just an even more miserable extension of the former so I withdrew (dropped out) midway through my second semester and joined the Navy.  I got lots of training in the Navy that I actually enjoyed, like math, science, electronics, computers, etc. After I got out, I took some Microsoft courses and took all the MCSE tests. I enjoyed those classes as well. Now I have 12 years of experience and a fistful of certificates from formal training as well as the GCFA cert and my MCSE.

It's time to go back and rectify the whole "dropped out" thing. I'm looking at a couple of the online colleges and gearing up to knock out a degree as fast as I can. I look at the curriculum and it causes me pain to have to take "Windows Server Networking" since I could likely teach the course.  But it has to be done. I'm no longer running into job postings that state "or equivalent experience".

Wish me luck.
I'll need it to stay awake for "Introduction to Unix"

P.S. I'm going to get back to some more technical posts in the near future.  I have a few system images to run through and post about.

Monday, June 7, 2010

CDAC Cybersecurity: Incident Handling and Response

So, what's a guy with lots of computer skillz and a shiny new GCFA certificate do for fun? He goes to FEMA Cybersecurity training! I know you're all jealous, admit it.

These classes are free if you can catch one in your area, but I can honestly say that I didn't learn anything new in this class. It did reinforce a lot of prior learned techniques and I got another certificate for my "I Love Me" wall.

Here it is in a nutshell:
Day 1:
We covered the basics of Network Security. Access Control, Physical Security and Biometrics, Social Engineering.

Risk Assessment and Business Continuity Planning, Information Classifications, Privileges and Auditing.

Lab on setting Password complexity and length. (Yah, pretty weak stuff)

Device Hardening, Firewalls, Secure Protocols.

Lab on Packet capture and Network Monitoring. (not bad, but not in-depth enough to teach what you're actually looking at. I already know the how-to's)

Tuesday, May 25, 2010

Training, conferences and contacts. Oh My!

Professional development: The process of increasing the professional capabilities of one's self by attending training or meetings of like-minded professionals who are willing to share information and techniques.

This week I'm attending a FEMA course called "Cybersecurity: Incident Handling and Response".  So far it has been review but it looks promising for the next 3 days.  It is a free course if one is in your area but seating is limited. I recommend checking it out. I'll provide a full review after the course is over.

If you've been following the blog you know that I am a major proponent of professional networking. It's a great way to meet people that you may be able to employ or gain employment from, there are also lots of people that just know a lot about security, forensics, hacking, etc. that are willing to share ideas and tips.  I had no idea that there was already a group of these people that meet regularly here in Helena and have for some time.  2 hours into class and I had an invite to the local DEFCON group. First Friday of the month at the best sandwich shop in town? Done.  It simply can't hurt to get yourself known inside local circles.

Speaking of DEFCON, I'll be attending in Las Vegas this year. It will be the first time I've ever attended any kind of hacking conference and I'm pretty stoked to check it out.

Thursday, May 6, 2010

Baby Steps

Getting into digital forensics is a tough job.  Writing about it regularly is even tougher.  Since passing the exam, I have been working on a marketing package to pass out around town, had meetings with my bosses trying to convince them that "Yah. Really. We can charge $225/hr and up for these services", landed my first official retainer fee, set up a proposal for e-discovery work and performed my regular myriad of break-fix, server upgrade and auditing work. I've also helped produce an outline for a book idea with my good friend and forensic-y mentor Chris and sent in a column idea to Into the Boxes. It's been a bit of a whirlwind, but never you mind. I live to serve.

I was contacted by a civil defense lawyer about the feasibility of admitting all the content of a Yahoo user group into court.  I mulled it over a bit and tried out a few techniques I've learned over the years for dumping websites, did a little proof-of-concept and turned in an estimate for work. This could turn into a significant amount of work sorting, searching and carving usable info for the defense.  I accomplished my proof of concept using a combination of freebie web tools and some yellow-belt linux kung-fu.  If I land it and wind up doing all the work I'll be sure to post a more in depth analysis.

I updated my resume, wrote a Curriculum Vitae, created a sheet of services my company can offer and turned it all over to our technical writers and marketing people. I hope I don't get a pile of useless mush with pretty colors back. 

Tuesday, April 20, 2010

It can be done!

91.3% Well above the passing grade.  It feels good to earn a certification like GCFA. Especially when there are only ~2000 in the entire world. 

So what's next?

I've been in study mode for several months so I've decided to just keep on going and start studying for the CISSP exam.  I was studying for the exam about 3 years ago when I changed jobs. At the time there was no need for me to carry a certification like that and my company wasn't really interested so I dropped it. I wish I had just forged ahead alone and done it.  At any rate, I still have the "All-in-One" CISSP study guide and I'll be ready for the test in a few more months.

I'm also going to start working my local contacts for some forensics work and push towards "Expert Witness" status. It will be a big deal to get a few cases on my Curriculum Vitae and be able to help out some of the area lawyers with cases involving computers, media and any other digital devices.  Mobile forensics seems like a niche worth exploring although I can't imagine a lot of steady work coming from it.

I was invited to contribute to "Into the Boxes" which is pretty exciting.  I would love to contribute but I'm having a hard time coming up with a topic that won't make me seem like the village idiot compared to the rest of the guys writing for it. I'm open to suggestions on that front.

Chris has started a new blog series on command line vs. GUI tools. I may play devil's advocate just for fun. We'll see what he posts later in the week.

Keep studying, keep practicing, I'm still here to help.


Tuesday, April 6, 2010

Studying for the GCFA certification: Part 2

Last post I gave you some books to read, let's move on to web resources.


The forensics community is not very large but many of the people in it are more than happy to share the latest developments in hardware, software and techniques. If you search Google for "computer forensics blogs" you come up with a fairly long list of related blogs. Some of them are geared towards hardware reviews and others towards tool usage. Many are by the same people that wrote the books I mentioned last post. My best advice is to follow a couple that suit you and follow the cross-links from each blog.

For example: My blog has a link to "The Digital Standard" written by Chris Pogue, his blog is linked to "Windows Incident Response" written by Harlan Carvey, his blog is linked to the official SANS blog and so on, and so forth.  These guys write regular posts about installations, incidents, tool suites and plain old opinion.  There are more than a few tasty informational nuggets on their sites. After you take a practice test or two, you'll start to find discussions related directly to best practices and tool usage that you will likely see on the test.

Friday, April 2, 2010

Studying for the GCFA certification: Part 1

I'm scheduled to take the GCFA certification test on April 13th. I have been studying non-stop since right after the New Year. (Call it a resolution if you'd like.) I took a practice test last week and scored 86%. I was pretty happy with that score considering I'm learning it under self-study.

Before you take any of the SANS practice tests you are required to sign a legal notice regarding divulging any test questions and their ethics standards. (See: have some or look for a new field.) If you landed on this post hoping for a brain dump or a list of the hard test questions, move along, there is nothing to see here.

If you're looking for an overall view of the type of materials you need to study and the background that computer forensics requires, stick around, I may be able to help.

Sunday, March 28, 2010

Malware Case : Concluded

Let me preface this entry by stating that I did NOT follow all of the standard procedures that you would for a real case. I used this situation in an attempt to hone my skills and test my own capability to solve a case like this on a live machine. I did not produce a chain of custody, I did not interview staff members, I didn't take very good notes or record all my commands.

After I captured a full image of the hard drive using ftk-lite, I went ahead and used the installed antivirus solution and Malwarebytes Anti-Malware to scan and clean the original hard drive.

The first step of my investigation was to mount my USB disk with the acquired images (read-only) on my Ubuntu workstation. I then mounted the image file itself to a folder I created and shared via Samba. Then I mapped a drive to the Samba share from my Windows XP workstation. This allows me to run scans and poke around the image as if it were a regular old network share, very slick if you have Windows forensic tools that you like to use. I knew I was looking at a malware incident so I fired off MBAM and scanned the read-only file system. Malwarebytes' default action is to report only, and it produces a very simple log file when the scan is complete.

Friday, March 19, 2010

Malware case: Day 1

Here's the case:

A customer of mine called today because they suspect they have a virus or other malware. I picked up the machine and am capturing an image with FTK-Imager-lite as we speak. I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was. I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.

Case background:

Customer complaint of popups and slow overall performance on March 18th 2010.
Collected PC in a powered down state from the customer site March 19th at 0945
Extracted hard drive at 1200 March 19th.
Mounted Read-Only on my Ubuntu workstation at 1205 and began imaging with FTK-lite from a WinXP VM at 1212, raw image format, dumping to Fantom 1 TB USB drive formatted NTFS, clean wiped using dd.
Estimated image completion time is ~12 hours.

Infected machine specs:
HP DX2300/XP Pro SP3/Trend Micro Antivirus/1GB RAM/Core2 Duo/160GB Sata HD

Once imaging is complete I will boot up the machine and capture RAM using memoryze for later analysis.

Any and all suggestions are welcome.

More to follow....

Thursday, March 18, 2010

When is it too early to specialize?

Incident Response, Crime Lab, Expert Witness for Defense, Private Consulting.

These are all very real career possibilities. The question is "When is it too early to choose a speciality?". Considering my small town life, my path will most likely be all of the above. No one is doing Incident response here, the DOJ and State sporadically contract out forensics work, most lawyers have a hard time interpreting the reports they receive from the crime lab and I'm already a consultant. All of it sounds good as experience on a resume, but do I run the risk of never becoming particularly good at any one of these things?

Companies aren't exactly clamouring for entry-level forensic analysts who work from home.

I guess we'll just have to see.

Tuesday, March 16, 2010

The start of a journey.

I'm a few short weeks from taking (and hopefully passing) the GCFA exam. I have been reading and studying everything I can get my hands on for more than 3 months to try to scratch the surface of the Computer Forensics field. I'm fortunate to know a handful of people already working as incident responders and investigators who have been willing to send me reading lists, blog links, old reports and class notes to study and review. Even with all of this it's difficult to know how to prepare for an exam encompassing such a broad field.

I'm already torn between the excitement of catching a hacker in the act or helping put away a creep that desperately deserves it, and the sheer boredom that is cyber-terrorism law and file allocation tables. I'm also torn by who I see working in the field. There seems to be a huge divide between those who innovate, experiment and further the possibilities and those who are happy pointing and clicking their way to a paycheck. I'd like to think that with a few years of experience under my belt I won't want a push-button forensics job. There is way too much to explore in a field that is just now coming into its own.

For now, I'm the new guy.

Wish me luck.