Friday, October 8, 2010

"Perl's" of Wisdom

I spent the afternoon prepping up a laptop to take with me when I work cases on the road. If you've read some of my earlier posts you know that I really like open source tools.

Regripper, The Sleuth Kit, UnxUtils, F-Response (not open source but worth every penny) and Imdisk are just a few of the indispensable tools that I think you should be using if you're serious about forensics. This is not to say that you have to jump off the deep end and run everything from a Linux box. I'm not afraid to admit that I like to use Windows on my laptops. I'm not even afraid to admit that I like Windows XP.

Here's what I don't like:

I don't like switching back and forth between machines to accomplish basic tasks, even if it's just popping open a VM and minimizing it again. Lame, hate it, I want to be able to do everything from one machine. Why? I guess I'm just lazy and stuff. I don't want to bring 4 laptops with me to work a case. But I do want to be able to solve it while I'm on site.

So here we go. If you want to crack off a timeline while those disks are imaging, I only know one way: F-response and Perl scripts. F-response lets you deploy a tiny little client to each workstation, terminal, server or whatever it is you want to image, and suck all that data down to a single point. This is infinitely easier than attaching a hard drive to every machine in an environment, and it gets better.

The extra added bonus to F-response is that it offers up a live, read-only, environment to play with while that painfully slow image is running. 

It really is this easy:
Load up F-response listener 
Deploy client to nearly any OS in existence
Push start
Run your favorite imaging client (I like FTK lite)
Image hard drives from a single point on the listener.

Here's the bonus.  On the same machine that functions as the F-response listener, you have a mapped drive to the same physical disks that you are imaging. They show up as a regular mapped drive! E:, F:, G:  all read-only and there for you to get your forensics on.

Want a sneak peek at your timeline? Bam!
fls -m 'C:\' -f ntfs \\.\: > bodyfile

Want to do a little password crack-a-lackin? Done! Use Ftk-Lite and extract that SAM hive.
Drop those hashes into Ophcrack and watch those default passwords appear before your very eyes.

This is not to say it's all a cakewalk. Thanks to Harlan there are some awesome perl scripts floating around the internet that will help you. Forcing these scripts to work on a Windows box can be a chore. Trust me, I just spent half my day proving it.

Case in point: regtime.pl
This is Harlan's superfly, TNT perl script that shreds all of the registry hives (including NTUSER.dat) and spits them out in standard bodyfile format. (Go back a few months and see my post on super timelines for how to use it.)

The only 2 places I know of to get regtime.pl from are Harlan's email and the SIFT workstation. I didn't want to bug my mentor's mentor too much so I chose the SIFT download. 1.5 GB later I had all the contents of /usr/local/src/windows-perl saved to my desktop.

Easy right? Install active-Perl from the website and go? 

Wrong.

BONK!

No biggie, I'm missing a perl dependency right? BONK!
There's something wrong with the script? BONK!
Something got screwed up when I copied it over from Linux? BONK!
My Perl environment is not the polished marble that Harlan's is? Well, maybe.... BONK!

WTH is going on here? Thought 1 turns out to be correct. This is a dependency issue. Even after you've been through your environment 10 times and all your dependencies look sweet, there's the Win32Registry.pm file in the right path, and you've contacted the developer because you've ruled out everything else (sorry Harlan, I owe you expensive scotch when we finally meet). The error is really very clear in all of its Perly non-clarity: it can't locate Parse/Win32Registry.pm, and this is clearly a misplaced file in a directory path right? Not exactly.

Try this.
From the command line type "ppm" for the Perl Package Manager, go to View and check "All packages". Glory, Glory, Hallelujah. There's a package called Parse-Win32Registry. Right click and install that bad boy.

Now when you try that mystical regtime.pl command it coughs up a perfect bodyfile.
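To show what a regtime-style script actually does with Parse::Win32Registry once the package is installed, here's a stripped-down walker. This is an added example written for this post, not Harlan's regtime.pl; the script name regtime_lite.pl, its -m/-r switches and the choice of putting each key's LastWrite time in the mtime column are my own assumptions.

```perl
#!/usr/bin/perl
# regtime_lite.pl (hypothetical name, added example; not Harlan Carvey's regtime.pl)
# Walks a registry hive with Parse::Win32Registry and emits one bodyfile line per key,
# using the key's LastWrite time as mtime, so the output can be sorted with mactime.
use strict;
use warnings;
use Parse::Win32Registry;

# Usage: perl regtime_lite.pl -m HKLM/SOFTWARE -r E:\Windows\System32\config\SOFTWARE >> bodyfile
my %opt = (prefix => '', hive => undef);
while (my $arg = shift @ARGV) {
    if    ($arg eq '-m') { $opt{prefix} = shift @ARGV; }
    elsif ($arg eq '-r') { $opt{hive}   = shift @ARGV; }
}
die "Usage: $0 [-m PREFIX] -r HIVEFILE\n" unless defined $opt{hive};

# If the module is missing you get the "Can't locate Parse/Win32Registry.pm" error
# from the post; install Parse-Win32Registry through ppm before running this.
my $registry = Parse::Win32Registry->new($opt{hive})
    or die "Could not open $opt{hive} as a registry hive\n";
my $root = $registry->get_root_key
    or die "No root key found in $opt{hive}\n";

walk($root, $opt{prefix});

sub walk {
    my ($key, $prefix) = @_;
    my $ts = $key->get_timestamp;           # LastWrite time as Unix epoch seconds, or undef
    $ts = 0 unless defined $ts;             # mactime treats 0 as "no timestamp"
    my $path = $key->get_path;              # e.g. "$$$PROTO.HIV\Microsoft\Windows"
    $path =~ s/[|\r\n]//g;                  # '|' is the bodyfile field separator
    # TSK 3.x bodyfile fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    print join('|', 0, "$prefix/$path", 0, 0, 0, 0, 0, 0, $ts, 0, 0), "\n";
    walk($_, $prefix) for $key->get_list_of_subkeys;
}
```

Feed the result to mactime alongside the fls bodyfile and the registry key writes line up with the filesystem activity.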

Coders are a bubble off; I'm telling you.

Next trick:  Path variables.

The command "dir" sucks, "ls" does not

ls, grep, cat, and a whole host of others are available in the UnxUtils package. Go download it and install it, and while you're on the web grab strings and grep.

Once you've got all these ported apps installed you don't want to cd into a specific directory to use them right?  You want to be able to use the command like you're the one in control.

Editing your $PATH is the answer.

Right-click My Computer and go to Properties, then "Advanced", then "Environment Variables".

Highlight "PATH" and click Edit. Use a semicolon as a separator and add the full system path to your sexy new executables.

Pretty soon your path can look like mine:

C:\Python26\Scripts;C:\Python26\;C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin;C:\Tools\UnxUtils\usr\local\wbin;C:\Program Files\GnuWin32\bin;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin

And my $PATH is dead sexy.

Saturday, October 2, 2010

Best. Job. Ever.

So, I promised exciting news last post and then it dawned on me that it's only exciting to my family and me. Sorry for the letdown.

I started my new job on Monday the 27th. Not just any old new job, but a job with Trustwave's SpiderLabs. If you don't know who or what SpiderLabs is, start with the company webpage, then look at all the DEFCON talks, whitepapers, blogs and everything else these guys are responsible for. They are the top Incident Response and Computer Forensics team in the country (my opinion of course) and I am absolutely stoked about joining them.

How on earth did I land a job with Trustwave?

For starters I have a lot of very relevant experience. I can walk into a server closet and discern what goes to what and why within a few minutes. This is important when every case situation is a total unknown.

I also went out of my way on my own dime to go to DEFCON and meet prospective employers. I shook a lot of hands, bought some drinks and asked some good questions. (see: networking)

I got certified earlier this year (see my earlier posts on studying for the GCFA) and started a forensics division at my former employer; business was just starting to build up when I got this offer.

Lastly, I may be the single luckiest person I know! Timing, luck and a personal relationship with one of their senior consultants all came together at just the right time and led to job interviews. The rest is now history.

So what does a new guy learn on his first 2 cases?

1) People are still making the same simple mistakes when it comes to System Administration and auditing. Plain and simple. If you open RDP, PCAnywhere or VNC up to the internet and leave a weak, default or blank password, consider yourself pwned!

2) Hackers are getting better and better at disguising malware as valid processes. I can't go into a lot of detail here but plain sight is still the best hiding place of all.

3) P.O.S. integrators are screwing their customers! This is not to say that there are not some good integrators out there, but seriously, you cannot just drop these systems into place and pay absolutely no attention to the basic security fundamentals. When you do, you wind up costing your customers tens and possibly hundreds of thousands of dollars in investigations and fines. Buck up! Put in a Netgear Prosafe for $85 and change those default passwords......or don't, I guess it's job security.

Thanks for following along.

Grayson