<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7734053691306644784</id><updated>2012-01-13T01:23:01.133-07:00</updated><category term='forensic reports'/><category term='Zeus/Zbot forensics'/><category term='The Cyber Jungle'/><category term='expert witness'/><category term='SANS practice test'/><category term='DEFCON'/><category term='entry level computer forensics'/><category term='DEFCON 18'/><category term='GCFA Study guide'/><category term='FEMA Incident Handling'/><title type='text'>An Eye on Forensics</title><subtitle type='html'>The continuing journey as a Computer Forensic Analyst.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>19</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-8277229838512964701</id><published>2011-10-15T19:20:00.002-06:00</published><updated>2011-10-15T19:21:17.770-06:00</updated><title type='text'>MAC(b) Daddy at SecTor</title><content type='html'>I'm proud to announce that I was invited to deliver I'm your MAC(b) Daddy at SecTor 2011 as well as take part in a full day of training for the Royal Canadian Mounted Police.&amp;nbsp; If you haven't heard about SecTor,&lt;a href="http://sector.ca/"&gt; read here&lt;/a&gt;.&amp;nbsp; It's Canada's largest security conference and is described as "The Canadian DEFCON"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I feel honored to have my talk accepted and I'm looking forward to meeting new peeps.&lt;br /&gt;&lt;br /&gt;Hope to see you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-8277229838512964701?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/8277229838512964701/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2011/10/macb-daddy-at-sector.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8277229838512964701'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8277229838512964701'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2011/10/macb-daddy-at-sector.html' title='MAC(b) Daddy at SecTor'/><author><name>Grayson 
Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-4882040184459737427</id><published>2011-08-16T12:03:00.000-06:00</published><updated>2011-08-16T12:03:11.901-06:00</updated><title type='text'>I'm your MAC(b) Daddy at DEFCON 19</title><content type='html'>             &lt;style&gt;&lt;!-- /* Font Definitions */@font-face	{font-family:"ＭＳ 明朝";	panose-1:0 0 0 0 0 0 0 0 0 0;	mso-font-charset:128;	mso-generic-font-family:roman;	mso-font-format:other;	mso-font-pitch:fixed;	mso-font-signature:1 134676480 16 0 131072 0;}@font-face	{font-family:"ＭＳ 明朝";	panose-1:0 0 0 0 0 0 0 0 0 0;	mso-font-charset:128;	mso-generic-font-family:roman;	mso-font-format:other;	mso-font-pitch:fixed;	mso-font-signature:1 134676480 16 0 131072 0;}@font-face	{font-family:Cambria;	panose-1:2 4 5 3 5 4 6 3 2 4;	mso-font-charset:0;	mso-generic-font-family:auto;	mso-font-pitch:variable;	mso-font-signature:-536870145 1073743103 0 0 415 0;} /* Style Definitions */p.MsoNormal, li.MsoNormal, div.MsoNormal	{mso-style-unhide:no;	mso-style-qformat:yes;	mso-style-parent:"";	margin:0in;	margin-bottom:.0001pt;	mso-pagination:widow-orphan;	font-size:12.0pt;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph	{mso-style-priority:34;	mso-style-unhide:no;	mso-style-qformat:yes;	margin-top:0in;	margin-right:0in;	
margin-bottom:0in;	margin-left:.5in;	margin-bottom:.0001pt;	mso-add-space:auto;	mso-pagination:widow-orphan;	font-size:12.0pt;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst	{mso-style-priority:34;	mso-style-unhide:no;	mso-style-qformat:yes;	mso-style-type:export-only;	margin-top:0in;	margin-right:0in;	margin-bottom:0in;	margin-left:.5in;	margin-bottom:.0001pt;	mso-add-space:auto;	mso-pagination:widow-orphan;	font-size:12.0pt;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle	{mso-style-priority:34;	mso-style-unhide:no;	mso-style-qformat:yes;	mso-style-type:export-only;	margin-top:0in;	margin-right:0in;	margin-bottom:0in;	margin-left:.5in;	margin-bottom:.0001pt;	mso-add-space:auto;	mso-pagination:widow-orphan;	font-size:12.0pt;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast	{mso-style-priority:34;	mso-style-unhide:no;	mso-style-qformat:yes;	mso-style-type:export-only;	margin-top:0in;	margin-right:0in;	
margin-bottom:0in;	margin-left:.5in;	margin-bottom:.0001pt;	mso-add-space:auto;	mso-pagination:widow-orphan;	font-size:12.0pt;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}.MsoChpDefault	{mso-style-type:export-only;	mso-default-props:yes;	font-family:Cambria;	mso-ascii-font-family:Cambria;	mso-ascii-theme-font:minor-latin;	mso-fareast-font-family:"ＭＳ 明朝";	mso-fareast-theme-font:minor-fareast;	mso-hansi-font-family:Cambria;	mso-hansi-theme-font:minor-latin;	mso-bidi-font-family:"Times New Roman";	mso-bidi-theme-font:minor-bidi;}@page WordSection1	{size:8.5in 11.0in;	margin:1.0in 1.25in 1.0in 1.25in;	mso-header-margin:.5in;	mso-footer-margin:.5in;	mso-paper-source:0;}div.WordSection1	{page:WordSection1;} /* List Definitions */@list l0	{mso-list-id:1548564533;	mso-list-type:hybrid;	mso-list-template-ids:812687304 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}@list l0:level1	{mso-level-text:"%1\)";	mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level2	{mso-level-number-format:alpha-lower;	mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level3	{mso-level-number-format:roman-lower;	mso-level-tab-stop:none;	mso-level-number-position:right;	text-indent:-9.0pt;}@list l0:level4	{mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level5	{mso-level-number-format:alpha-lower;	mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level6	{mso-level-number-format:roman-lower;	mso-level-tab-stop:none;	mso-level-number-position:right;	text-indent:-9.0pt;}@list l0:level7	
{mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level8	{mso-level-number-format:alpha-lower;	mso-level-tab-stop:none;	mso-level-number-position:left;	text-indent:-.25in;}@list l0:level9	{mso-level-number-format:roman-lower;	mso-level-tab-stop:none;	mso-level-number-position:right;	text-indent:-9.0pt;}ol	{margin-bottom:0in;}ul	{margin-bottom:0in;}--&gt;&lt;/style&gt;     &lt;br /&gt;&lt;div class="MsoNormal"&gt;It's hard for me to believe that I haven't updated this blog sine March 26th. The last 5 months may have been the busiest of my entire life.&amp;nbsp; Three members of my team(including me) worked a nationwide breach on over 80 locations all using the same Point of Sale software.&amp;nbsp; I also submitted to, and was accepted for two conferences. DEFCON 19 and SecTOR in Toronto.&amp;nbsp; I have been working diligiently to make sure my presentation slides were clear and up to date and to make sure I was ready to get up there and speak in front of hundreds of people. 
I'm making excuses for myself here, the better thing is probably just to get on with it.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;For a little background on Timestomping and why attackers are doing it, see Chris's post &lt;a href="http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html"&gt;"Timestomping is for Suckers".&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I presented a talk on Supertimelines and identifying anti-forensics at DEFCON this year.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Aside from some minor issues trying to pull off a live demo, the talk went pretty well.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;I had the unceremonious duty of sharing a time slot with Dan Kaminsky so I’m very happy that I managed to fill 2/3 of the room.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;I’ve already started receiving a number of questions, links to others research and a number of other queries related to MAC(b) Daddy.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Keep them coming, I’m more than happy to help out where I can.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I am presenting MAC(b) Daddy again at SECTor in October. 
Once that conference is over I will post the full content here on my blog.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The first communication I received was a link to a &lt;a href="http://securitybraindump.blogspot.com/2010/04/tampering-with-master-file-table.html"&gt;blog &lt;/a&gt;that was exploring different Timestomping methods using the Windows Powershell and the timestomp utility I mentioned in my talk.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;There is some great research and concise info about manipulating timestamps.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;The link was sent to me as a “Hey, this guy was able to modify the $MFT, and you said that couldn’t be done”&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Well, sort of. What I’m saying is that the $File_Name attribute can’t be modified by anything known, the blog above proves my point. Manipulation of the $Standard_Info attribute is, dare I say, easy?, at this point.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;The second set of attributes in the $MFT is still untouched by timestomp, powershell, perl scripts….anything.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;By comparing the two you can see the changes made to the system by these measures.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Directly after the talk I was approached by two Chinese gentleman that had a number of questions about trying to modify the $MFT with a kernel mode driver. I asked, “Why, what are you working on?” They replied with a smile and said “nothing”.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;This is DEFCON after all.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;This is certainly an interesting project but one that would require extreme caution. 
Modifying the $MFT on the fly could be extremely detrimental to a system. Move the file table entries by one block and you just turned your system into a brick.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Not to mention that you would gave to query a protected file, make the change, leave the sequence number undisturbed and release the $MFT before the system itself tried to write to it again. Past experience suggests that you have 10 – 15 milliseconds to perform these actions.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Third, and maybe the most fulfilling for me, I was contacted by another forensicator who is working on a homegrown utility for parsing the $MFT and auto-comparing the entries for time anomalies.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;This functionality is included in the latest version of Log2Timeline as well. I have not used this particular module yet but I plan to in the next couple of weeks. His questions related to some anomalies in a number of the core OS files (like ntldr).&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;I am by no means an expert here, but the way I understand the anomalies in these files follows:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;One of the only ways to actually pull off any “manipulation” of the $F_N attribute is to create a file on a second volume (D:\), modify the $S_I timestamps, and then move that file to the main volume (C:\).&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;In this case the M attribute of $F_N will match the M attribute of the moved file.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;The same does not hold true for the B attribute, which creates a whole other anomaly in of itself.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;When we are talking about these core OS files, I think there are two things going on here. 
&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;span style="mso-bidi-font-family: Cambria; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: Cambria; mso-fareast-theme-font: minor-latin;"&gt;&lt;span style="mso-list: Ignore;"&gt;1)&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;The system isn’t a system yet, it has not gotten to the point where the system time has been determined. This is the same reason that you see registry entries in a supertimeline start in 1969 and 1970. The system has no baseline to set those registry write times to and the possibility exists for the same issue with the $MFT.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;span style="mso-bidi-font-family: Cambria; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: Cambria; mso-fareast-theme-font: minor-latin;"&gt;&lt;span style="mso-list: Ignore;"&gt;2)&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;These files are not being created out of thin air, they are being moved from another volume (The install CD/DVD) and some of the timestamps from when this code was written is being maintained.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I promised the crowd to start updating my blog more frequently in support of MAC(b) Daddy. 
So here I am, a man of my word.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;More as the questions and comments flow in.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-4882040184459737427?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/4882040184459737427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2011/08/im-your-macb-daddy-at-defcon-19.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4882040184459737427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4882040184459737427'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2011/08/im-your-macb-daddy-at-defcon-19.html' title='I&apos;m your MAC(b) Daddy at DEFCON 19'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-4546361184726607244</id><published>2011-03-26T17:25:00.000-06:00</published><updated>2011-03-26T17:25:41.956-06:00</updated><title type='text'>Windows Registry Forensics-Review</title><content 
type='html'>I read Harlan Carvey's &lt;a href="http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808"&gt;"Windows Registry Forensics" &lt;/a&gt;on a flight to Florida last week so I thought I'd write up a little review.&lt;br /&gt;&lt;br /&gt;If you haven't already read "Windows Forensic Analysis" I highly recommend you do so.&lt;br /&gt;&lt;br /&gt;First of all I have a tremendous amount of respect for someone who is willing to put their thoughts to paper when it comes to digital forensics. It's a very difficult topic because things are always evolving. It also takes a tremendous amount of time to write a book,&amp;nbsp; I'm trying to help a buddy with just a few chapters in a book he started and it's extremely difficult.&lt;br /&gt;&lt;br /&gt;I will admit that I was expecting a little more book when I first purchased it, the registry is such a large piece of the Windows OS that I really thought the book would be encyclopedic. That being said, I was not disappointed&amp;nbsp; by the content.&lt;br /&gt;&lt;br /&gt;The book is layed out in 4 chapters: Analysis, Tools, Case Studies:System and Case Studies: User tracking.&lt;br /&gt;&lt;br /&gt;The Analysis chapter covers the binary structure of the registry as well as it's main purpose to the operating system and to the users. A considerable amount of this section was review for me (ten years of sysadmin work) but I've never read anything that tears down into the physical on-disk structure of the registry at the lowest level. Harlan obviously spent some time in this section tearing the registry down to it's nuts and bolts.&lt;br /&gt;&lt;br /&gt;The tools chapter: If you don't read Harlan's blog or keep up with who is doing what in the industry you'll be expecting him to spend 50 pages talking about EnCase. Instead he uses the chapter to talk about a myriad of other tools which are just as useful if not more so than EnCase. 
He spends a fair amount of time explaining his own Perl tool "Regripper" and how it came to be as well as encouraging readers to develop their own plugins for regripper. I personally use regripper on every case I work so I know how useful it is and have spent a fair amount of time trying to figure out how it odes what it does. The book helped explain a little bit of the "behind the curtain" thought process that went into it's design.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Case Studies: System. Here's where the book starts to really pick up. 72 pages of nuts and bolts and "Here's why I've spent the last 150 pages explaining all this crap to you."&amp;nbsp; I read this section twice.&amp;nbsp;  The registry contains so much information about the state of a given system that it is imperative a good investigator knows what they are looking at, what is normal, and why. After reading Harlan's case studies I have a better understanding of the pieces I already knew about and some insight into other chunks of the registry that have never caught my eye. Excellent chapter.&lt;br /&gt;&lt;br /&gt;Case Studies: Tracking user activity.&amp;nbsp; The most useful chapter in the book! I am familiar with registry artifacts found during an investigation. For the most part I know how to use those artifacts to forward or disprove a theory. Even with that knowledge this section caught me off guard with how little I really know. Especially good was the dissection of all the areas of the registry that can be used for malware persistence and the write up on "shellbags". I have run across these artifacts a dozen or more times in my supertimelines but never payed them all that much attention, I knew that they represented user activity of some kind, but it didn't seem related to any type of malicious activity. 
Now I know that I was correct in my assumption but I also know that those shellbags are definitive proof of an interactive session.&lt;br /&gt;&lt;br /&gt;All in all, I enjoyed reading the book. Harlan keeps it personable while maintaining an air of technicality. So many books like this are so dry that they can't be read for more than 15 minutes. Not so in this case. I have absolutely no regrets on the purchase price and just like "Windows Forensic Analysis" I will be referring to this book for years to come and I'm glad I have it as a resource.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-4546361184726607244?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/4546361184726607244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2011/03/windows-registry-forensics-review.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4546361184726607244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4546361184726607244'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2011/03/windows-registry-forensics-review.html' title='Windows Registry Forensics-Review'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-1201895119403669722</id><published>2011-02-27T17:02:00.000-07:00</published><updated>2011-02-27T17:02:09.175-07:00</updated><title type='text'>PCAnywhere or "Here Hacker, Hacker"</title><content type='html'>Let me start by apologizing to anyone that was enjoying fresh, regular content from my blog. I haven't written a new post in several months&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp;I am not without reason. Starting a new job and getting used to the way things are done on a new team is time consuming and can require a lot of focus. &amp;nbsp;A wise man once said: "If you don't know what you're doing, do it neatly" &amp;nbsp;It doesn't fit entirely, but the learning curve has been steep, and my first few cases were worked through slowly, carefully and methodically.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is not to say that my next cases will be worked any less carefully, but I've found you develop a rhythm in an investigation and you have to let the evidence lead you down the path to the answer.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Case in point:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have already had a number of POS breach cases where PCAnywhere was the point of intrusion. I will focus on 2 for the purpose of this blog. &amp;nbsp;These 2 cases were similar in&amp;nbsp;that&amp;nbsp;they were both running the same type of POS software and it was set up by the same integrator.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;PCAnywhere is a 2 part remote administration utility that has been around for a number of years. I don't know exactly when it came out but I remember running into it as a system administrator at least 7 years ago. 
It has gone through a number of version upgrades over the years and the latest stable version is v 12.5. &amp;nbsp;The 2 parts are the client, which is usually used by the remote administrator to make a connection to a remote PC or server for maintenance. The second part is the listener which (obviously) resides on the client machine that is to be remotely managed. Here's a list of the versions and the port usage (by version) from &lt;a href="http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/1998122810210812"&gt;Symantec:&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have used numerous pieces of PCAnywhere evidence in my cases.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first is the connection logs. By default they are located in %SystemRoot%\Program Files\PCAnywhere and have a .pl9 extension. These logs are extremely configurable in the software itself. &amp;nbsp;They are easily viewed by using a registered copy of PCAnywhere or by downloading a trial from Symantec. These logs could contain anything from a basic timestamp and a connection attempt ,to full Windows Event Logging and verbose connection details to include connecting IP, user id info, files transferred, etc. For a full list of logging options, see this &lt;a href="http://service1.symantec.com/SUPPORT/on-technology.nsf/docid/1999111908391012"&gt;site&lt;/a&gt;. &amp;nbsp;Obviously&amp;nbsp;these logs are very useful to an investigation. Unfortunately, &amp;nbsp;they are rarely verbose and in many cases I have found that logging is not even enabled.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have a problem with this. ADMINISTRATORS: IF YOU ARE GOING TO OPEN A GAPING HOLE INTO YOUR CLIENT"S ENVIRONMENT, AT LEAST HAVE THE DECENCY TO PUT IN A STRONG PASSWORD AND SWITCH ON THE LOGS! &amp;nbsp;Yer killin' me. 
You're also costing your clients tens of thousands of dollars.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There are also a number of vulnerabilities related to the older versions of PCAnywhere. Search the CERT website to read further on them all. &amp;nbsp;&lt;a href="http://www.us-cert.gov/index.html"&gt;US-CERT Site.&lt;/a&gt;&amp;nbsp;&amp;nbsp;One of these older vulnerabilities allowed you to pass the listener a message that says your login type is "0" Which allows you to log in with full admin credentials using a null username and password. That's Kwality there.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A bit more in depth is a file that I have found extremely useful that you probably don't know about. When you log in using the graphical interface a file called aw.swp is generated. This file is a cachefile that is created to speed up Windows operation. &amp;nbsp;It is used &lt;u&gt;every time &lt;/u&gt;you use the remote desktop via PCAnywhere. This leaves a nice trail of birth, modified and access times in the system timeline. I even found evidence of&amp;nbsp;card-holder&amp;nbsp;data being moved in the aw.swp file. My assumption is that the built-in PCAnywhere file transfer button was used to move a file containing captured data. No one at Symantec ever contacted me back on this issue. &amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Nothing ground-breaking here. It just goes to show that some of the most common applications leave behind some very definitive evidence. Sometimes you just have to dig around a little bit for an explanation of why.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm putting the finishing touches on a presentation for this years round of conferences. It's called "I'm your MAC(b) Daddy" and focuses on using super timelines to solve breach cases. I will post it here if I don't get accepted. 
I also have a post on generating timelines for filesystems that are not supported by fls and mactime.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;New updates soon. Thanks for stopping by.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-1201895119403669722?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/1201895119403669722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2011/02/pcanywhere-or-here-hacker-hacker.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/1201895119403669722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/1201895119403669722'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2011/02/pcanywhere-or-here-hacker-hacker.html' title='PCAnywhere or &quot;Here Hacker, Hacker&quot;'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-2587109807535459997</id><published>2010-10-08T22:18:00.003-06:00</published><updated>2010-11-06T09:41:36.371-06:00</updated><title type='text'>"Perl's" of Wisdom</title><content type='html'>I spent the afternoon prepping up a laptop to take with me 
when I work cases on the road. If you've read some of &amp;nbsp;my earlier posts you know that I really like open source tools. &lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://regripper.net/"&gt;Regripper&lt;/a&gt;,&lt;a href="http://www.sleuthkit.org/"&gt; The Sleuth Kit&lt;/a&gt;,&lt;a href="http://unxutils.sourceforge.net/"&gt; UnxUtils&lt;/a&gt;, &lt;a href="http://www.f-response.com/"&gt;F-Response&lt;/a&gt;(not open source but worth every penny) and&lt;a href="http://www.ltr-data.se/opencode.html#ImDisk"&gt; Imdisk&lt;/a&gt; are just a few of the indispensable tools that I think you should be using if you're serious about forensics. This is not to say that you have to jump off the deep end and run everything from a linux box.&amp;nbsp;I'm not afraid to admit that I like to use Windows on my laptops. I'm not even afraid to admit that I like Windows XP. &amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Here's what I don't like:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I don't like switching back and forth between machines to accomplish basic tasks, even if it's just popping open a VM and minimizing it again. Lame, hate it, I want &amp;nbsp;to be able to do everything from one machine. Why? I guess I'm just lazy and stuff. I don't want to bring 4 laptops with me to work a case. But I do want to be able to solve it while I'm on site.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So here we go, &amp;nbsp;If you want to crack off a timeline while those disks are imaging, I only know one way. F-repsonse and &amp;nbsp;Perl scripts. &amp;nbsp;F-response lets you deploy a tiny little client to each workstation, terminal, server or whatever it is you want to image, and suck all that data down to a single point. 
This is infinitely easier than attaching a hard drive to every machine in an environment, and it gets better.&lt;br /&gt;&lt;br /&gt;The extra added bonus to F-response is that it offers up a live, read-only, environment to play with while that painfully slow image is running.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It really is this easy:&lt;/div&gt;&lt;div&gt;Load up F-response listener&amp;nbsp;&lt;/div&gt;&lt;div&gt;Deploy client to nearly any OS in existence&lt;/div&gt;&lt;div&gt;Push start&lt;/div&gt;&lt;div&gt;Run your favorite imaging client (I like FTK lite)&lt;/div&gt;&lt;div&gt;Image hard drives from a single point on the listener.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Here's the bonus. &amp;nbsp;On the same machine that functions as the F-response listener, you have a mapped drive to the same physical disks that you are imaging. They show up as a&amp;nbsp;regular&amp;nbsp;mapped drive! E:, F:, G: &amp;nbsp;all read-only and there for you to get your forensics on.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Want a sneak peak at your timeline? Bam!&amp;nbsp;&lt;/div&gt;&lt;div&gt;fls -m 'C:\' -f ntfs \\.\&lt;f-response mount="" point=""&gt;: &amp;gt; bodyfile&lt;/f-response&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Want to do a little password crack-a-lackin? Done! Use Ftk-Lite and extract that SAM hive.&lt;/div&gt;&lt;div&gt;Drop those hashes into Ophcrack and watch those default passwords appear before your very eyes.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is not to say it's all a cakewalk. Thanks to Harlan there are some awesome perl scripts floating around the internet that will help you. Forcing these scripts to work on a Windows box can be a chore. 
Trust me, I just spent half my day proving it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Case in point: regtime.pl &amp;nbsp;&lt;/div&gt;&lt;div&gt;This is Harlan's superfly, TNT perl script that shreds all of the registry hives(including NTUSER.dat) &amp;nbsp;and spits them out in standard bodyfile format. &amp;nbsp;(go back a few months and see my &lt;a href="http://eyeonforensics.blogspot.com/2010/03/malware-case-concluded.html"&gt;post&lt;/a&gt; on super timelines for use)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp;The only 2 places I know of to get regtime.pl from are Harlan's email and the SIFT workstation. I didn't want to bug my mentor's mentor too much so I chose the &lt;a href="https://computer-forensics2.sans.org/community/siftkit/"&gt;SIFT download&lt;/a&gt;. 1.5 GB's later I had all the contents of /usr/local/src/windows-perl saved to my desktop.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Easy right? Install active-Perl from the&lt;a href="http://www.activestate.com/activeperl"&gt; website&lt;/a&gt; and go?&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Wrong.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_fhLCLrxJpi8/TK_lYWHSlHI/AAAAAAAAABc/-TJa-Vv4IOI/s1600/cmd1.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="89" src="http://1.bp.blogspot.com/_fhLCLrxJpi8/TK_lYWHSlHI/AAAAAAAAABc/-TJa-Vv4IOI/s320/cmd1.gif" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;BONK!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;No biggie, I'm missing a perl dependency right? &amp;nbsp;BONK! 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;There's something wrong with the script? BONK!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;Something got screwed up when I copied it over from Linux? BONK!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;My Perl environment is not the polished marble that Harlan's is? &amp;nbsp;Well, maybe.... &amp;nbsp; BONK!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;WTH is going on here? Thought 1 turns out to be correct. This is a dependency issue. Even after you've been through your environment 10 times and all your dependencies look sweet, there's the registry.pm file in the right path and &amp;nbsp;you've contacted the developer because you've ruled out everything else. (sorry Harlan, I owe you &amp;nbsp;expensive scotch when we finally meet). &amp;nbsp;It's really very clear in all of it's perly non-clarity. &amp;nbsp; It can't locate Parse/Win32Registry.pm and this is &lt;u&gt;clearly&lt;/u&gt; a misplaced file in a directory path right? 
&amp;nbsp;Not exactly.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;Try this.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;From the command line type "ppm" for the perl package manager, go to view and check "all packages". &amp;nbsp;Glory, Glory,&amp;nbsp;Hallelujah. &amp;nbsp;There's a package called Parse-Win32Registry. Right click and install that bad boy.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;a href="http://3.bp.blogspot.com/_fhLCLrxJpi8/TK_olTfq9BI/AAAAAAAAABg/yvZzWy7DJD4/s1600/ppm.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="168" src="http://3.bp.blogspot.com/_fhLCLrxJpi8/TK_olTfq9BI/AAAAAAAAABg/yvZzWy7DJD4/s320/ppm.gif" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; 
line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;Now when you try that mystical regtime.pl command it coughs up a perfect bodyfile.&lt;br /&gt;&lt;br /&gt;Coders are a bubble off; I'm telling you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next trick: &amp;nbsp;Path variables.&lt;br /&gt;&lt;br /&gt;The command "dir" sucks, "ls" does not&lt;br /&gt;&lt;br /&gt;ls, grep, cat, and a whole host of others are available in the unxutils package. Go downlaod it and install it and while you're on the web grab strings and grep.&lt;br /&gt;&lt;br /&gt;Once you've got all these ported apps installed you don't want to cd into a specific directory to use them right? &amp;nbsp;You want to be able to use the command like you're the one in control.&lt;br /&gt;&lt;br /&gt;Editing your $PATH is the answer.&lt;br /&gt;&lt;br /&gt;Right click &amp;nbsp;my computer and go to properties--go to "advanced"--"environment&amp;nbsp;variables"&lt;br /&gt;&lt;br /&gt;Highlight "PATH" and click edit. 
&amp;nbsp;Use a semicolon as a&amp;nbsp;separator&amp;nbsp;and add the full system path to your sexy new executables.&lt;br /&gt;&lt;br /&gt;Pretty soon your path can look like mine:&lt;br /&gt;&lt;br /&gt;C:\Python26\Scripts;C:\Python26\;C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin;C:\Tools\UnxUtils\usr\local\wbin;C:\Program Files\GnuWin32\bin;C:\Tools\sleuthkit-win32-3.1.3\sleuthkit-win32-3.1.3\bin&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And my $PATH is dead sexy.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-2587109807535459997?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/2587109807535459997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/10/perls-of-wisdom.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/2587109807535459997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/2587109807535459997'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/10/perls-of-wisdom.html' title='&quot;Perl&apos;s&quot; of Wisdom'/><author><name>Grayson 
Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_fhLCLrxJpi8/TK_lYWHSlHI/AAAAAAAAABc/-TJa-Vv4IOI/s72-c/cmd1.gif' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-7700388638217774928</id><published>2010-10-02T14:29:00.000-06:00</published><updated>2010-10-02T14:29:24.997-06:00</updated><title type='text'>Best. Job. Ever.</title><content type='html'>So, I promised exciting news last post and then it dawned on me that it's only exciting to my family and me. Sorry for the letdown.&lt;br /&gt;&lt;br /&gt;I started my new job on Monday the 27th. Not just any old new job, but a job with Trustwave's Spiderlabs. If you don't know who or what Spiderlabs are, start with the&amp;nbsp;company&amp;nbsp;&lt;a href="https://www.trustwave.com/spiderLabs.php"&gt;webpage&lt;/a&gt;, then look at all the DEFCON talks, &lt;a href="https://www.trustwave.com/spiderLabs-papers.php"&gt;whitepapers&lt;/a&gt;, blogs and&amp;nbsp;&lt;a href="https://www.trustwave.com/spiderLabs-advisories.php"&gt;everything&amp;nbsp;else&lt;/a&gt; these guys are responsible for. &amp;nbsp;They are the top Incident&amp;nbsp;Response&amp;nbsp;and Computer Forensics team in the country (my opinion of course) and I am absolutely stoked about joining them.&lt;br /&gt;&lt;br /&gt;How on earth did I land a job with Trustwave?&lt;br /&gt;&lt;br /&gt;For starters I have a lot of very relevant experience. I can walk into a server closet and discern what goes to what and why within a few minutes. 
This is important when every case situation is a total unknown.&lt;br /&gt;&lt;br /&gt;I also went out of my way on my own dime to go to DEFCON and meet prospective employers. I shook a lot of hands, bought some drinks and asked some good questions. (see: networking)&lt;br /&gt;&lt;br /&gt;I got certified earlier this year(see my earlier posts on studying for the GCFA) and started a forensics division at my former employer, business was just starting to build up when I got this offer.&lt;br /&gt;&lt;br /&gt;Lastly, I may be the single luckiest person I know! &amp;nbsp;Timing, luck and a personal relationship with one of their senior consultants all came together at just the right time and led to job interviews. The rest is now history.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So what's a new guy learn on his first 2 cases?&lt;br /&gt;&lt;br /&gt;1) People are still making the same simple mistakes when it comes to System Administration and auditing. Plain and simple. If you open RDP, PCAnywhere or VNC up to the internet and leave a weak, default or blank password, consider yourself pwned!&lt;br /&gt;&lt;br /&gt;2) Hackers are getting better and better at disguising malware as valid processes. I can't go into a lot of detail here but plain sight is still the best hiding place of all.&lt;br /&gt;&lt;br /&gt;3) P.O.S. integrators are screwing their customers! This is not to say that there are not some good integrators out there, but seriously, you cannot just drop these systems into place and pay absolutely no attention to the basic security fundamentals. When you do, you wind up costing your customers tens and possibly hundreds of thousands of dollars in investigations and fines. &amp;nbsp;Buck up! 
Put in a Netgear Prosafe for $85 and change those default passwords......or don't, I guess it's job security.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thanks for following along.&lt;br /&gt;&lt;br /&gt;Grayson&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-7700388638217774928?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/7700388638217774928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/10/best-job-ever.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/7700388638217774928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/7700388638217774928'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/10/best-job-ever.html' title='Best. Job. 
Ever.'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-4334014536185756774</id><published>2010-09-09T20:32:00.000-06:00</published><updated>2010-09-09T20:32:32.007-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DEFCON'/><category scheme='http://www.blogger.com/atom/ns#' term='Zeus/Zbot forensics'/><title type='text'>A little more love for DEFCON 18</title><content type='html'>&lt;span style="font-family: inherit;"&gt;DEFCON featured&amp;nbsp;a number of talks about the Zeus trojan and for good reason. I think it's the most sophisticated mass-use malware ever written.&amp;nbsp;&amp;nbsp;It can keylog, hoard your credit card numbers and even join you to a global botnet. 
Fun stuff huh?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;It's current known variants are&amp;nbsp;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;Zbot&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;,&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;PRG&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;,&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;Wsnpoem&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;,&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;Gorhax&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&amp;nbsp;and&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;Kneber. &amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;b&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;It can be very difficult to detect and remove because, every time you infect a machine, the signature changes. It's mass customization for malware! &amp;nbsp;The full package comes with a command and control php and sql webcenter for managing your unruly botnet as well as software for generating your very own custom malware. How much would you pay for this crystal-clear wonder? $4999? $3999? &amp;nbsp;Nope it can be yours for the low,low price of $500-$700 on the software black-market. 
(It should be noted that the latest version may cost you a few thousand).&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;So why do we care as forensic analysts? &amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;There are a couple pieces here:&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;1. It steals credentials and credit card data. Steal enough credit card data and the Feds will be hunting for you. This may lead to a forensic analysis of a host and Zeus is being found in the wild at credit card breaches. (I have it from an excellent source....)&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;2. Most commercial antivirus scanners will not detect or remove Zeus from an infected machine. These scanners are signature based (for the most part) and as I said before "&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;every time you infect a machine, the signature changes". 
&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;So now what?&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-family: inherit; line-height: 19px;"&gt;Forensic tools to the rescue!&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span style="font-family: inherit;"&gt;There are a number of ways to detect Zeus using a fairly common suite of forensic tools. I am not going to rehash someone elses work here. Kevin Stevens and Don Jackson have a fantastic write up on Zeus and its variants at the &lt;/span&gt;&lt;a href="http://www.secureworks.com/research/threats/zeus/?threat=zeus"&gt;&lt;span style="font-family: inherit;"&gt;SecureWorks website&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family: inherit;"&gt;.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span style="font-family: inherit;"&gt;There is also a forensic breakdown of infected keys and tool usage &lt;/span&gt;&lt;a href="http://webcache.googleusercontent.com/search?q=cache:pczy2OBes_oJ:www.honeynet.org/files/Tyler_Hudak_Forensic_Challenge_2010_-_Challenge_3_-_Submission.odt+regripper+zeus&amp;amp;cd=2&amp;amp;hl=en&amp;amp;ct=clnk&amp;amp;gl=us"&gt;&lt;span style="font-family: inherit;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family: inherit;"&gt;.&amp;nbsp; Really nice job Tyler. 
Most of this paper is based on results from memory analysis using volatility.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;And what blog would be complete without mentioning regripper?&amp;nbsp; There is a third-party plugin called userinit that was written to find "urlzone" trojans. As a side effect it parses the same hive that the sdra64 binary attaches itself to (userinit). &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;That's it for me. I'm spending a lot of time studying for the CISSP exam.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;Exciting news next post......&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: inherit;"&gt;Good Luck.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-4334014536185756774?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/4334014536185756774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/09/little-more-love-for-defcon-18.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4334014536185756774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4334014536185756774'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/09/little-more-love-for-defcon-18.html' title='A little more love for DEFCON 18'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-9209771485264693398</id><published>2010-08-12T20:36:00.001-06:00</published><updated>2010-08-12T20:45:48.204-06:00</updated><title type='text'>DEFCON 18</title><content type='html'>I went to DEFCON 18 (Barely Legal) 2 weeks ago. It was a great con and I can't wait for next year. The sheer brainpower on display in that hotel was impressive.&lt;br /&gt;&lt;br /&gt;I saw some great presentations on everything from forensic methodology to custom malware, met some feds, and watched &lt;a href="http://www.secmaniac.com/"&gt;ReL1K&lt;/a&gt; pwn him some Windows 7 boxes with powershell (seriously nice work on the Social Engineering Toolkit).&lt;br /&gt;&lt;br /&gt;I even got to see &lt;a href="http://www.google.com/imgres?imgurl=http://img3806.imagevenue.com/images/loc504/01921_Hope_Dworaczyk_bikini_122_504lo_122_504lo.JPG&amp;amp;imgrefurl=http://www.digitalvinyl.dk/category/gadgets-stuff/&amp;amp;h=976&amp;amp;w=650&amp;amp;sz=381&amp;amp;tbnid=GbYof_z8Nwb7MM:&amp;amp;tbnh=149&amp;amp;tbnw=99&amp;amp;prev=/images%3Fq%3Dhope%2Bdworaczyk&amp;amp;hl=en&amp;amp;usg=__6T-xqnZYw9qGukDm8Fq3zkW7boI=&amp;amp;sa=X&amp;amp;ei=-qRkTKjhJ4v0tgO44fDyCA&amp;amp;ved=0CCkQ9QEwCA"&gt;Hope Dworaczyk&lt;/a&gt; (Playmate of the Year) get awarded "Best Reason To Get Malware" by the guys from Barracuda labs. &amp;nbsp;Friggin' sweet!&lt;br /&gt;&lt;br /&gt;If you've never been, GO! &amp;nbsp;It's an educational experience to say the least. Seriously, who knew you could get a mohawk to stand up over two feet tall?&lt;br /&gt;&lt;br /&gt;There are some very cool things on the horizon for the internet:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Dan_Kaminsky"&gt;Dan Kaminsky&lt;/a&gt; demo'd&amp;nbsp;&lt;a href="http://www.dnssec.net/"&gt; DNSSEC&lt;/a&gt;. 
Finally, a way to actually prove that an email, website or any other electronic communication actually came from whom it said it did! &amp;nbsp;Dan is a stinkin' genius by the way. I look forward to his next project, whatever it is.&lt;br /&gt;&lt;br /&gt;Anybody heard about this whole "smart grid" thing? It's going to suck. Every single "smart" device out there is going to be a hacker's dream. &amp;nbsp;One guy put up a presentation called "iBurglar". It's a webscript that will parse the power usage data that people post on twitter, facebook, etc... It will turn around and produce a calendar of the best times to rob that person. Dude was not a burglar, he was just trying to make a point about how dumb it is to put that kind of personal information out there. &amp;nbsp;It worked! Smart grid + dumb people = problems.&lt;br /&gt;&lt;br /&gt;There were several talks about SCADA systems and their importance in the future of cyberwarfare. SCADA systems are web-enabled controls for our public infrastructure that can be tampered with to create "weapons of mass distraction". &amp;nbsp;I doubt that they could ever be used to do any catastrophic damage, but they could be used to throw the general public into a tizzy.&lt;br /&gt;&lt;br /&gt;Spiderlabs says "&lt;a href="http://androidspin.com/tag/spider-labs/"&gt;All your droid are belong to us&lt;/a&gt;" &amp;nbsp;Thanks for letting me think that my droid was secure for the first 6 weeks I had it anyway......jerks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;More on DEFCON next week.&lt;br /&gt;&lt;br /&gt;Did you know that the Zeus trojan has a web command center and a GUI for creating new versions? 
Ridiculously easy to own your own botnet!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-9209771485264693398?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/9209771485264693398/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/08/defcon-18.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/9209771485264693398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/9209771485264693398'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/08/defcon-18.html' title='DEFCON 18'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-8282360072299649084</id><published>2010-07-18T15:36:00.002-06:00</published><updated>2010-07-18T16:12:55.204-06:00</updated><title type='text'>Ghosts!</title><content type='html'>I haven't posted in a while so I asked my 6 year old boy what he thought I should write about.&lt;br /&gt;&lt;br /&gt;&amp;nbsp;"Ghosts!" was his immediate and emphatic answer. &amp;nbsp;I don't know how to explain to him that my blog is about digital forensics and related topics, so here I am writing about ghosts. &amp;nbsp; A ghost , as I understand it, is a physical manifestation of a person's soul after their body has died. 
I myself have never witnessed said manifestations, but I have had some pretty damn&amp;nbsp;weird&amp;nbsp;stuff happen to me in one of my homes and in the cave I worked at when I was a teenager. For the record, ghosts don't exist.&lt;br /&gt;&lt;br /&gt;Neither&amp;nbsp;do entry-level jobs for forensic analysts without a bachelor's degree.&lt;br /&gt;&lt;br /&gt;I may have more luck looking for a forensics job if I ever decide to leave Montana. That's not a decision I ever want to have to make. Simply put, this place rocks! &amp;nbsp;So what's a guy do to try to make himself more marketable? &amp;nbsp;Certification and Education are a good place to start.&lt;br /&gt;&lt;br /&gt;I have been studying for the CISSP exam for the last several weeks and plan to take the exam in September. CISSP also counts for &amp;nbsp;several credits towards a Bachelor's degree in Information Assurance and Security.&lt;br /&gt;&lt;br /&gt;Bonus!&lt;br /&gt;&lt;br /&gt;I Hated (yes, capital H) high school but I tried to go to community college right afterward, anyway. &amp;nbsp;I wound up feeling like it was just an even more miserable&amp;nbsp;extension&amp;nbsp;of the former so I withdrew (dropped out) midway through my second semester and joined the&lt;a href="http://www.navy.mil/navydata/aircraft/fa18/f18comp.gif"&gt; Navy&lt;/a&gt;. &amp;nbsp;I got lots of training in the Navy&amp;nbsp;that&amp;nbsp;I actually enjoyed, like math, science, electronics, computers, etc. After I got out, I took some Microsoft courses and took all the MCSE tests. I enjoyed those classes as well. Now I have 12 years of experience and a fistful of&amp;nbsp;certificates&amp;nbsp;from formal training as well as the GCFA cert and my MCSE. &lt;br /&gt;&lt;br /&gt;It's time to go back and rectify the whole "dropped out" thing. I'm looking at a couple of the online colleges and gearing up to knock out a degree as fast as I can. 
I look at the curriculum and it causes me pain to have to take "Windows Server Networking" since I could likely teach the course. &amp;nbsp;But it has to be done. I'm no longer running into job postings that state "or equivalent experience".&lt;br /&gt;&lt;br /&gt;Wish me luck.&lt;br /&gt;I'll need it to stay awake for "Introduction to Unix"&lt;br /&gt;&lt;br /&gt;P.S. I'm going to get back to some more technical posts in the near future. &amp;nbsp;I have a few system images to run through and post about.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-8282360072299649084?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/8282360072299649084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/07/ghosts.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8282360072299649084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8282360072299649084'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/07/ghosts.html' title='Ghosts!'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-5097623329727383188</id><published>2010-06-07T22:39:00.001-06:00</published><updated>2010-06-08T13:50:12.230-06:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='FEMA Incident Handling'/><category scheme='http://www.blogger.com/atom/ns#' term='The Cyber Jungle'/><category scheme='http://www.blogger.com/atom/ns#' term='DEFCON 18'/><title type='text'>CDAC Cybersecurity: Incident Handling and Response</title><content type='html'>So, what's a guy with lots of computer skillz and a shiny new GCFA certificate do for fun? He goes to FEMA Cybersecurity training! I know you're all jealous, admit it.&lt;br /&gt;&lt;br /&gt;These classes are free if you can catch one in your area, but I can honestly say that I didn't learn anything new in this class. It did reinforce a lot of prior learned techniques and I got another certificate for my "I Love Me" wall.&lt;br /&gt;&lt;br /&gt;Here it is in a nutshell:&lt;br /&gt;Day 1:&lt;br /&gt;We covered the basics of Network Security. Access Control, Physical Security and Biometrics, Social Engineering.&lt;br /&gt;&lt;br /&gt;Risk Assessment and Business Continuity Planning, Information Classifications, Privileges and Auditing.&lt;br /&gt;&lt;br /&gt;Lab on setting Password complexity and length. (Yah, pretty weak stuff)&lt;br /&gt;&lt;br /&gt;Device Hardening, Firewalls, Secure Protocols.&lt;br /&gt;&lt;br /&gt;Lab on Packet capture and Network Monitoring. (not bad, but not in-depth enough to teach what you're actually looking at. I already know the how-to's)&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Day 2:&lt;br /&gt;Incident response planning and the steps to Incident Response including legal aspects, policy and procedures.&amp;nbsp; We also touched on Gramm-Leach-Bliley, HIPAA, FERPA and the Computer Fraud and Abuse Act. (I could have used this section for the GCFA exam)&lt;br /&gt;&lt;br /&gt;ISP legal procedures and requests for retention, some outdated threat statistics, Labs on setting up event and IIS logging, Malware types. 
Attack types including Man in the middle, DoS, DDoS, Spoofing.&lt;br /&gt;&lt;br /&gt;Lab on password cracking. This would have been a lot more fun if I hadn't already ripped the SAM hive off of most of the laptops in the classroom and cracked all the passwords before lunchtime :) (I couldn't help it, I was bored)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Day 3:&lt;br /&gt;&lt;br /&gt;Handling an Incident. Here we started going into the significance of the attack: Public utilities, CC theft, etc...&amp;nbsp; and then went on to discuss monitoring of a live breach, IDS systems and monitoring them, Snort for Windows, Honeypots and Honeynets.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Evidence handling was next. The ex-cop and I were the only ones that had any idea what chain of custody was or why it was important. Evidence handling and preservation, volatile data gathering. (I was actually impressed that they covered this at all, traditional forensics is image, image, image. Sort through it all later)&lt;br /&gt;&lt;br /&gt;Forensic tools and their use: This section could have gone on for days, I was thankful they just breezed over a handful of the common (and free) tools.&lt;br /&gt;&lt;br /&gt;Day 4:&lt;br /&gt;&lt;br /&gt;Handling an Incident and&amp;nbsp;Follow-up.&lt;br /&gt;Short-term handling techniques depending on the type of threat. &amp;nbsp;i.e. virus, worm,&amp;nbsp;Trojan, DoS, site defacement.&lt;br /&gt;&lt;br /&gt;Responding&amp;nbsp;to intruder access. Change passwords, limit&amp;nbsp;network&amp;nbsp;access, system examination for extra open ports, research possible access methods.&lt;br /&gt;&lt;br /&gt;Lab on setting account lockout policy.&lt;br /&gt;&lt;br /&gt;Checksums and known-good lists.&lt;br /&gt;&lt;br /&gt;Responding to internal breach. IeView, Cache audit, email examiner. (again, useful but pretty low level stuff)&lt;br /&gt;&lt;br /&gt;&amp;nbsp;System logs, IDS logs, syslog, &amp;nbsp;using sawmill and log parser to provide search mechanism. 
( I like grep...)&lt;br /&gt;&lt;br /&gt;Tracking intruder source. Traceroute, Nslookup, dig, whois. Using Sam Spade&lt;br /&gt;&lt;br /&gt;Day 5:&lt;br /&gt;&lt;br /&gt;Practical Labs.&lt;br /&gt;&lt;br /&gt;Scenario 1 You are contacted by the CIO of a power company who suspects one of his techs has been trying to access a central control server. Examine his workstation to see if his suspicions are founded.&lt;br /&gt;(This one was kind of fun, the&amp;nbsp;workstation&amp;nbsp;is loaded with password&amp;nbsp;cracking&amp;nbsp;utilities, dameware remote control, IE &amp;nbsp;shortcuts and visits to hacking websites and some recoverable emails of guidance from a more experienced hacker.)&lt;br /&gt;&lt;br /&gt;Scenario 2. Move on to the server referred to in scenario 1. (I missed one piece on this one. One of the first things I did was run a netstat against it and I failed to notice that port 23 was listening. &amp;nbsp;I was in the right place and Windows Server 2003 doesn't usually listen for telnet traffic. Duhhh. I did catch a number of other things that were out of place like a user profile folder for a non-existent user that contained the dameware listener and a handful of nefarious scripts.)&lt;br /&gt;&lt;br /&gt;Scenario 3: Network technician calls you because he can't get into his Windows 2000 server anymore and is afraid it's a security breach. &amp;nbsp;(boot off of recovery disk and reset the admin password, basic virus scan reveals a couple of trojan backdoors. System is 5 years behind on security patches...kinda boring)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All in all, I think it would be a good class to get your feet wet. If you're already certified in anything security there won't be anything new for you. However, this class is a prerequisite to become a FEMA/CDAC Cyberterrorism First Responder (CFR). 
I'm hoping they roll through next year so I can take the course and earn that certification.&lt;br /&gt;&lt;br /&gt;I did meet a number of security people from my local area and got an invite to the 2600 group here in Helena. I exchanged some business cards and had a generally relaxing week away from the office. &amp;nbsp;The instructor was very good and the course materials were good. Overall I give it a C+ mainly because it lacked any real depth.&lt;br /&gt;&lt;br /&gt;By the Way my buddy Chris was interviewed for "The Cyber Jungle" Radio show, you can check out the podcast &lt;a href="http://www.thecyberjungle.com/listen.php#streamPortion"&gt;here&lt;/a&gt;. Fast forward to the 58:00 minute mark of episode 141 for his interview. &amp;nbsp;Congratulations to Chris as well for getting his "Sniper Forensics" presentation accepted at&lt;a href="http://www.defcon.org/html/defcon-18/dc-18-speakers.html"&gt; DEFCON 18&lt;/a&gt; in Vegas. &lt;br /&gt;&lt;br /&gt;Now if he could only get me onto the Spiderlabs team............&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-5097623329727383188?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/5097623329727383188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/06/cdac-cybersecurity-incident-handling.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/5097623329727383188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/5097623329727383188'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/06/cdac-cybersecurity-incident-handling.html' title='CDAC 
Cybersecurity: Incident Handling and Response'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-4396781480106547583</id><published>2010-05-25T15:14:00.001-06:00</published><updated>2010-05-25T15:15:18.613-06:00</updated><title type='text'>Training, conferences and contacts. Oh My!</title><content type='html'>Professional development:&amp;nbsp;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;The process of increasing the professional capabilities of one's self by attending training or meetings of like-minded professionals who are willing to share information and techniques.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;This week I'm attending a FEMA course called "&lt;a href="http://www.cyberterrorismcenter.org/ihr.html"&gt;Cybersecurity: Incident Handling and Response&lt;/a&gt;". &amp;nbsp;So far it has been review but it looks promising for the next 3 days. &amp;nbsp;It is a free course if one is in your area but seating is limited. I&amp;nbsp;recommend&amp;nbsp;checking it out. 
I'll provide a full review after the course is over.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;If you've&amp;nbsp;been&amp;nbsp;following the blog you know that I am a major&amp;nbsp;proponent&amp;nbsp;of professional&amp;nbsp;networking. It's a great way to meet people that you may be able to employ or gain employment from, there are also lots of people that just know a lot about security, forensics, hacking, etc. that are willing to share ideas and tips. &amp;nbsp;I had no idea that there was already a group of these people that meet regularly here in Helena and have for some time. &amp;nbsp;2 hours into class and I had an invite to the local &lt;a href="http://dc406.com/"&gt;DEFCON group&lt;/a&gt;. First&amp;nbsp;Friday&amp;nbsp;of the month at the best&amp;nbsp;sandwich&amp;nbsp;shop in town? Done. &amp;nbsp;It simply can't hurt to get yourself known inside local circles.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small;"&gt;Speaking of DEFCON, I'll be attending in Las Vegas this year. 
It will be the first time I've ever attended any kind of hacking conference and I'm pretty stoked to check it out.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-4396781480106547583?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/4396781480106547583/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/05/training-conferences-and-contacts-oh-my.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4396781480106547583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/4396781480106547583'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/05/training-conferences-and-contacts-oh-my.html' title='Training, conferences and contacts. 
Oh My!'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-8814365001901452804</id><published>2010-05-06T20:47:00.002-06:00</published><updated>2010-05-06T22:14:13.192-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='expert witness'/><category scheme='http://www.blogger.com/atom/ns#' term='entry level computer forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='forensic reports'/><title type='text'>Baby Steps</title><content type='html'>Getting into digital forensics is a tough job. &amp;nbsp;Writing about it regularly is even tougher. &amp;nbsp;Since passing the exam, I have been working on a marketing package to pass out around town, had meetings with my bosses trying to convince them that "Yah. Really. We can charge $225/hr and up for these services", landed my first official retainer fee, set up a proposal for e-discovery work and performed my regular myriad of break-fix, server upgrade and auditing work. I've also helped produce an outline for a book idea with my good friend and forensic-y mentor Chris and sent in a column idea to &lt;a href="http://intotheboxes.wordpress.com/"&gt;Into the Boxes&lt;/a&gt;. It's been a bit of a whirlwind, but never you mind. I live to serve.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I was contacted by a civil defense lawyer about the feasibility of admitting all the content of a Yahoo user group into court. &amp;nbsp;I mulled it over a bit and tried out a few techniques I've learned over the years for dumping websites, did a little proof-of-concept and turned in an estimate for work. 
This could turn into a significant amount of work sorting, searching and carving usable info for the defense. &amp;nbsp;I accomplished my proof of concept using a combination of freebie web tools and some yellow-belt linux kung-fu. &amp;nbsp;If I land it and wind up doing all the work I'll be sure to post a more in-depth analysis.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I updated my resume, wrote a&amp;nbsp;&lt;a href="http://www.ehow.com/how_15747_write-curriculum-vitae.html"&gt;Curriculum&amp;nbsp;Vitae&lt;/a&gt;, created a sheet of services my company can offer and turned it all over to our technical writers and marketing people. I hope I don't get a pile of useless mush with pretty colors back.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;I have a friend and client here in Montana who is a &lt;a href="http://www.morethings.com/fan/saturday_night_live/jon_lovitz/jon_lovitz-devil-snl-44.jpg"&gt;defense lawyer&lt;/a&gt;, he just happens to be working a Federal CP case. &amp;nbsp;He&amp;nbsp;received&amp;nbsp;a copy of the crime lab report from the DOJ and was noticeably frustrated by its content. Technically it's a solid report, but it is not well written or organized and it is not written in terms that are easily understandable to anyone but another forensic analyst. &amp;nbsp;No worries, I'm officially on the case. My first retainer fee and official work: Translate a DOJ crime lab report into something a lawyer can read. I know, I know (insert lawyer joke here)&amp;nbsp;&lt;insert here="" joke="" lawyer=""&gt;. &amp;nbsp;I'm thankful to have somebody that trusts me enough to give me a first break and help me attain expert witness status. My hope is that it will progress a bit further and I will actually get to produce my own report on the evidence at some point. 
The current report does not contain any timeline analysis, registry analysis, browser history, or many other components that I would consider crucial. &amp;nbsp;Surprising to say the least, the report was written by an acknowledged pioneer in the forensics field. &amp;nbsp;Who knew?&lt;/insert&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The book. &lt;a href="http://thedigitalstandard.blogspot.com/"&gt;Chris&lt;/a&gt; is the author of &amp;nbsp;"&lt;a href="http://www.amazon.com/UNIX-Linux-Forensic-Analysis-Toolkit/dp/1597492698/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1273200210&amp;amp;sr=1-1"&gt;Unix and Linux Forensic Analysis&lt;/a&gt;". He met with his old publisher a few weeks back and they asked him to consider a few projects they had in mind. One of them was right up my alley and he asked me to co-author with him. &amp;nbsp;Needless to say, I accepted. I believe my answer was "You bet your ass!" &amp;nbsp;This is going to be a very cool project and I think a very good book. &amp;nbsp;I will not be divulging any content but if all goes well, this blog will continue on in support of the book.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I emailed ITB with a column idea where I would field questions that people have asked me about forensics in general. &amp;nbsp;I don't have any god-like technical forensic powers, but I have a different perspective on the field that most of the contributors have lost. You don't get to be a recognized expert in a field without being where I am at some point. It's really the best thing I could come up with, I don't have much of a pool to draw from. &amp;nbsp;E-mail them and ask them to do an "Ask Grayson" column. 
I think it would be fun.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If anybody missed it, Eric Huber who writes "&lt;a href="http://ericjhuber.blogspot.com/"&gt;A Fistful of Dongles&lt;/a&gt;" wrote a &lt;a href="http://ericjhuber.blogspot.com/2010/04/ballad-of-grayson-lenik.html"&gt;blog post&lt;/a&gt; about my blog posts! Well, it was less about me and more about experienced guys getting out there and sharing their knowledge, but I appreciate the plug nonetheless. I hope to actually meet some of the people I correspond with someday. Thanks Eric.&amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Keep plugging away, hard work will always be rewarded in the end.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;G&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-8814365001901452804?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/8814365001901452804/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/05/baby-steps.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8814365001901452804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8814365001901452804'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/05/baby-steps.html' title='Baby 
Steps'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-3318190049516622988</id><published>2010-04-20T21:38:00.000-06:00</published><updated>2010-04-20T21:38:25.616-06:00</updated><title type='text'>It can be done!</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;91.3% Well above the passing grade. &amp;nbsp;It feels good to earn a certification like &lt;a href="http://www.giac.org/certified_professionals/listing/gcfa.php"&gt;GCFA&lt;/a&gt;. Especially when there are only ~2000 in the entire world.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;So what's next?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;I've been in study mode for several months so I've decided to just keep on going and start studying for the &lt;a href="http://www.isc2.org/cissp/default.aspx"&gt;CISSP&lt;/a&gt; exam. 
&amp;nbsp;I was studying for the exam about 3 years ago when I changed jobs. At the time there was no need for me to carry a certification like that and my company wasn't really interested so I dropped it. I wish I had just forged ahead alone and done it. &amp;nbsp;At any rate, I still have the "All-in-One" &lt;a href="http://www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178"&gt;CISSP study guide&lt;/a&gt; and I'll be ready for the test in a few more months.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;I'm also going to start working my local contacts for some forensics work and push towards "Expert Witness" status. It will be a big deal to get a few cases on my Curriculum Vitae and be able to help out some of the area lawyers with cases involving computers, media and any other digital devices. &amp;nbsp;Mobile forensics seems like a niche worth exploring although I can't imagine a lot of steady work coming from it.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;I was invited to contribute to&lt;a href="http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/"&gt; "Into the Boxes"&lt;/a&gt; which is pretty exciting. &amp;nbsp;I would love to contribute but I'm having a hard time coming up with a topic that won't make me seem like the village idiot compared to the rest of the guys writing for it. 
I'm open to suggestions on that front.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;Chris has started a new &lt;a href="http://thedigitalstandard.blogspot.com/2010/04/command-line-goodness-part-1.html"&gt;blog series&lt;/a&gt; on command line vs. GUI tools. I may play devils advocate just for fun. We'll see what he posts later in the week.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;Keep studying, keep practicing, I'm still here to help.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;Grayson&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 
small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-3318190049516622988?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/3318190049516622988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/it-can-be-done.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/3318190049516622988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/3318190049516622988'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/it-can-be-done.html' title='It can be done!'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-3926665971110946512</id><published>2010-04-06T19:27:00.001-06:00</published><updated>2010-04-09T17:08:30.993-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='entry level computer forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='GCFA Study guide'/><category scheme='http://www.blogger.com/atom/ns#' term='SANS practice test'/><title type='text'>Studying for the GCFA certification: Part 2</title><content type='html'>&lt;a href="http://eyeonforensics.blogspot.com/2010/04/studying-for-gcfa-certification-part-1.html"&gt;Last post&lt;/a&gt; I gave you some books to read, let's move on to web resources.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Blogs&lt;/b&gt;:&lt;br /&gt;&lt;br /&gt;The forensics community is not very large but many of the people in it are more than happy to share the latest developments in hardware, software and techniques. If you search Google &amp;nbsp;for "computer forensics blogs" you come up with a fairly &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=computer+forensics+blogs&amp;amp;aq=f&amp;amp;aqi=g1&amp;amp;aql=&amp;amp;oq=&amp;amp;gs_rfai="&gt;long list&lt;/a&gt; of related blogs. Some of them are&amp;nbsp; geared towards hardware reviews and others towards tool usage. 
Many are by the same people that wrote the books I mentioned last post.&amp;nbsp; My best advice is to follow a couple that suit you and follow the cross-links from each blog.&lt;br /&gt;&lt;br /&gt;For example: My blog has a link to "&lt;a href="http://thedigitalstandard.blogspot.com/"&gt;The Digital Standard&lt;/a&gt;" written by Chris Pogue, his blog is linked to "&lt;a href="http://windowsir.blogspot.com/"&gt;Windows Incident Response&lt;/a&gt;" written by Harlan Carvey, his blog is linked to the official&lt;a href="http://blogs.sans.org/computer-forensics/"&gt; SANS blog&lt;/a&gt; and so on, and so forth.&amp;nbsp; These guys write regular posts about installations, incidents, tool suites and plain old opinion.&amp;nbsp; There are more than a few tasty informational nuggets on their sites. After you take a practice test or two, you'll start to find discussions related directly to best practices and tool usage that you will likely see on the test.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More related blogs:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.forensickb.com/"&gt;ForensicKB&lt;/a&gt;&lt;br /&gt;&lt;a href="http://hackingexposedcomputerforensicsblog.blogspot.com/"&gt;Hacking Exposed&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.cutawaysecurity.com/blog/"&gt;Security Ripcord&lt;/a&gt;&lt;br /&gt;&lt;a href="http://itauditsecurity.wordpress.com/"&gt;IT Audit Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By the way, those of us writing the blogs like to know that you're out there.&amp;nbsp; Do us a favor and click on the "follow" link or leave the occasional comment.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Go out and play.&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Many of the tools and suites have trial periods or outright free software that you can download, install and test out.&amp;nbsp; Go get as many of the tools as you can store, install them and take them for a test spin. 
For instance, one of my practice images had Skype installed. After searching for ASCII strings and looking at them with a hex editor, I wondered if there was anything out there to help me crack the default .dbb storage files.&amp;nbsp; A quick Google search landed me on Belkasoft's &lt;a href="http://belkasoft.com/bsa/en/Skype_Analyzer.asp"&gt;Skype analyzer&lt;/a&gt;.&amp;nbsp; Free trial, $50&amp;nbsp;for the fully licensed version. Perfect!&amp;nbsp; By the way, if you're using Skype to talk about anything you wouldn't want others to see....STOP!&lt;br /&gt;&lt;br /&gt;The new version of the&lt;a href="https://computer-forensics2.sans.org/community/siftkit/"&gt; SIFT workstation&lt;/a&gt; is available. Go get yourself a portal account and download it. Version 2.0 comes with a PDF user guide chock full of forensicy goodness. &lt;br /&gt;&lt;br /&gt;Take a look at the GCFA Gold certified list. These guys had to write papers to get gold certified and most of their &lt;a href="http://computer-forensics.sans.org/community/whitepapers.php"&gt;papers&lt;/a&gt; are out there for public review.&lt;br /&gt;&lt;br /&gt;The leading incident response and forensics companies publish whitepapers regularly.&amp;nbsp; Go download them, read them, highlight them.&amp;nbsp; The exam is open book, open notes.&lt;br /&gt;&lt;br /&gt;I found a gem called "&lt;a href="http://www.markosworld.com/forensics/cmarko-tskintro.pdf"&gt;Introduction to The Sleuth Kit&lt;/a&gt;".&amp;nbsp; It's got everything from the history of TSK, to command line switches and sample outputs.&amp;nbsp; It's going with me on exam day.&lt;br /&gt;&lt;br /&gt;Write out your own study guide. I took notes as I was reading and interviewing people and compiled them into a document. When I took my first practice test I realized that there were several holes, so I added pages. My study guide is about 50 pages long now. 
(No, I will not sell you a copy) The process of re-typing things I know are important reinforces them in my head and makes for a great test reference.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Take your time, take the practice tests, ask me questions if you'd like.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I may be the new guy, but I'm here to help.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-3926665971110946512?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/3926665971110946512/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/studying-for-gcfa-certification-part-2.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/3926665971110946512'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/3926665971110946512'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/studying-for-gcfa-certification-part-2.html' title='Studying for the GCFA certification: Part 2'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-1627113792798793092</id><published>2010-04-02T10:27:00.004-06:00</published><updated>2010-04-02T14:27:16.788-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='entry level computer forensics'/><category 
scheme='http://www.blogger.com/atom/ns#' term='GCFA Study guide'/><category scheme='http://www.blogger.com/atom/ns#' term='SANS practice test'/><title type='text'>Studying for the GCFA certification: Part 1</title><content type='html'>I'm scheduled to take the GCFA certification test on April 13th. I have been studying non-stop since right after the New Year.(Call it a resolution if you'd like) &amp;nbsp;I took a practice test last week and scored 86%. I was pretty happy with that score considering I'm learning it under self-study.&lt;br /&gt;&lt;br /&gt;Before you take any of the &lt;a href="http://www.sans.org/"&gt;SANS&lt;/a&gt; practice tests you are required to sign a legal notice regarding divulging any test questions and their ethics standards.(see: have some or look for a new field) &amp;nbsp;If you landed on this post hoping for a brain dump or a list of the hard test questions, move along, there is nothing to see here.&lt;br /&gt;&lt;br /&gt;If you're looking for an overall view of the type of materials you need to study and the background that computer forensics requires, stick around, I may be able to help.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Me: &amp;nbsp;I'm 37, I've been playing around with computers since I was 11 or 12. My first was a &lt;a href="http://gambit.mit.edu/updates/ti-994a.jpg"&gt;TI-99/4A&lt;/a&gt; hooked up to a black and white TV. It came with some really cool "programs" that would let you draw a giant with a flashing pixel for a hand. It was the coolest thing I had ever seen. &amp;nbsp;That may have been the last coding I ever did. I did join the Navy on a 6 year hitch to get into some advanced electronics training. &amp;nbsp;Aviation&amp;nbsp;Electronics Technician (AT) "A" and "C" schools taught me everything from positive and negative to "hole flow" theory and NPN doping. 
&amp;nbsp;I got out after 7 years and more or less (I did a little &lt;a href="http://www.jamesonwhiskey.com/age_verification.aspx"&gt;drinking&lt;/a&gt; to celebrate my newfound freedom. I'm told I had fun) started my MCSE certification immediately. I went through the NT 4.0 (yes, that's a Microsoft operating system) MCSE courses at University of Phoenix in 1999 and 2000 and passed all my cert tests in 2000. &amp;nbsp;I've been working as a Sysadmin or consultant ever since. I've worked at&amp;nbsp;everything&amp;nbsp;from one of the largest data centers in the world (at the time), to private customers that were literally a one woman show. From junior help desk ticket guy to tech lead of a 20 person team. I started a consulting business in Phoenix focused on secure networking and then moved to Montana and continued consulting, auditing, etc... for a company here.&lt;br /&gt;&lt;br /&gt;So, "blah, blah, blah, you've been around computers for awhile" right? Well yah! That's sort of my point. Don't expect to just go out and get a&amp;nbsp;certification&amp;nbsp;like this and expect great things to start happening. &amp;nbsp;You need to have a breadth of experience with hardware, software, client relations, project management and technical writing to stand a chance.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;For what it's worth, here are my recommendations:&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;1) If you can swing it, suck it up and pay for the SANS training. &lt;a href="http://www.sans.org/security-training/computer-forensic-investigations-incident-response-4182-tid"&gt;SEC:508&lt;/a&gt; looks like an awesome class. The instructors are friggin' rocket scientists and the list of materials that come with the course look great. &amp;nbsp;I can't come up with the $$, if I could I'd be there in a heartbeat.&lt;br /&gt;&lt;br /&gt;2) Read everything you can get your hands on. Here's a starter list:&lt;br /&gt;&lt;br /&gt;File System Forensic Analysis, Brian Carrier. 
&amp;nbsp;Carrier wrote most of TSK. I'm pretty sure this dude dreams in binary. This is NOT an exciting book, but it is an absolute must read and, more importantly, a book you need to understand.&lt;br /&gt;&lt;br /&gt;Windows Forensic Analysis, Harlan Carvey. &amp;nbsp;He wrote most of the PERL tools used for parsing timelines, logs, registries, etc.. I'm not just pimping his book because he reads my blog. (thanks Harlan) There are gobs of great info in this book backed up by years of experience. Again, you can't just read it, you need to understand it. The test I took required you to apply tools and technique to a specific situation to come up with the correct answer.&lt;br /&gt;&lt;br /&gt;UNIX and Linux Forensic Analysis, Chris Pogue. &amp;nbsp;Chris teaches the SEC:508 course with Rob Lee and is heading up a movement called "Sniper Forensics" inside the community. His book deals with the same techniques as Harlan's on the UNIX platform. Don't think for a second that you won't run into *NIX boxes as an investigator, especially if you get into the server arena. If your goal is to be a crime lab guy 98 out of 100 cases are going to be Windows boxes but you don't want to have to pay me to handle those 2 Ubuntu machines. I plan to be expensive.&lt;br /&gt;&lt;br /&gt;Incident Response and Computer Forensics, Mandia, Prosise and Pepe. &amp;nbsp; Kevin Mandia is the primary here. I mentioned one of his tools in an earlier blog, he has a very&amp;nbsp;successful&amp;nbsp;software/incident response &lt;a href="http://www.mandiant.com/"&gt;company&lt;/a&gt; to his name among other things. This is a great book regarding the actual process of performing an investigation as well as many of the legal&amp;nbsp;precedents. Read and understand this book.&lt;br /&gt;&lt;br /&gt;3) Go out and network. I live in a small town and have a long list of customers. I also co-organize a large charity event and I'm a volunteer firefighter. I know lots of people. 
&amp;nbsp;I just picked up the phone and called the local DOJ crime lab. A week later I sat down with the lead computer crimes investigator for the State of Montana for an hour and a half. &amp;nbsp;I also called around until I found the most&amp;nbsp;knowledgeable&amp;nbsp;computer crimes defense attorney in town. He gave me an hour of his time to talk about the Wiretap Act and Pen/Trace. &amp;nbsp;These 2 interviews allowed me to correctly answer at least 6 questions.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Next post: blogs, websites, and Introduction to The Sleuth Kit&lt;/b&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-1627113792798793092?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/1627113792798793092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/studying-for-gcfa-certification-part-1.html#comment-form' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/1627113792798793092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/1627113792798793092'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/04/studying-for-gcfa-certification-part-1.html' title='Studying for the GCFA certification: Part 1'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-9068519054751247388</id><published>2010-03-28T20:29:00.007-06:00</published><updated>2010-03-30T20:39:10.710-06:00</updated><title type='text'>Malware Case : Concluded</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;Let me preface this entry by stating that I did NOT follow all of the standard procedures that you would for a real case. I used this situation in an attempt to hone my skills and test my own capability to solve a case like this on a live machine.  I did not produce a chain of custody, I did not interview staff members, I didn't take very good notes or record all my commands.&lt;br /&gt;&lt;br /&gt;After I captured a full image of the hard drive using &lt;a href="http://www.accessdata.com/downloads.html"&gt;ftk-lite&lt;/a&gt;, I went ahead and used the installed antivirus solution and &lt;a href="http://www.malwarebytes.org/"&gt;Malwarebytes Anti-Malware&lt;/a&gt; to scan and clean the original hard drive.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;The first step of my&amp;nbsp;investigation&amp;nbsp;was to mount my USB disk with the acquired images (read-only) on my Ubuntu workstation. &amp;nbsp;I then mounted the image file itself to a folder I created and shared via Samba. Then I mapped a drive to the Samba share from my Windows XP workstation. &amp;nbsp;This allows me to run scans and poke around the image as if it were a regular old network share, very slick if you have Windows forensic tools that you like to use. 
I knew I was looking at a malware incident so I fired off MBAM and scanned the read-only file system. Malwarebytes' default action is to report only and it produces a very simple log file when the scan is complete.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_fhLCLrxJpi8/S6_kX7nNi3I/AAAAAAAAAAw/Us6BY6oho3Q/s1600/mbamlog.jpg" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/_fhLCLrxJpi8/S6_kX7nNi3I/AAAAAAAAAAw/Us6BY6oho3Q/s320/mbamlog.jpg" width="238" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The antivirus picked up the .exe's and .dll's but none of the compromised registry entries. (One of the reasons I like to use a number of different scanners.)&lt;br /&gt;I recorded the names of the files and started processing my image further:&lt;br /&gt;&lt;br /&gt;My "evidence" drive is already connected read-only to my laptop, so my next step is to attach a drive where I can dump all of my processed data; in my case I have a Rosewill USB to multi-interface &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16812119152&amp;amp;cm_re=rosewill_usb_adapter-_-12-119-152-_-Product"&gt;adapter&lt;/a&gt;. I connected a freshly wiped (dd if=/dev/zero of=/dev/sd&lt;i&gt;x &lt;/i&gt;bs=512)&amp;nbsp;500 GB IDE drive for this purpose.&lt;br /&gt;&lt;br /&gt;I'm not here to start fights but you can pay thousands of dollars for a software suite that will do everything for you at the push of a button (see: anybody can do this), I use&lt;a href="http://www.sleuthkit.org/"&gt; The Sleuth Kit&lt;/a&gt; instead. It's um......free, and stuff. 
All those super expensive tool suites? Yup, based on the tools in TSK. Learn it, use it, rely on it, it's the goods. &amp;nbsp;You can even pull down &lt;a href="http://www.sleuthkit.org/autopsy/"&gt;Autopsy&lt;/a&gt; while you're at it, turning TSK into one hell of a nice toolset. I recommend getting to know TSK for a little while and manually processing a case or two, you will learn a lot about what each of the commands produces and really the basics of why forensics is what it is. After you do, you will realize why Autopsy is so nice. It logs all those really, really fun commands for you and lets you put in case notes and all sorts of other fun stuff. &amp;nbsp;On to the processing....&lt;br /&gt;&lt;br /&gt;I used autopsy to open a case and added my raw image file, I also verified the MD5 checksum that FTK-Lite produced for me during the imaging process. Once the image was imported (many hours later) I did some cursory searches for the file names I recorded earlier (see: dirty word list). I found a directory under "Program Files" called "SelectRebates". The recorded creation time was November 7, 2009 @ 13:41. &amp;nbsp;This is almost too easy....&lt;br /&gt;&lt;br /&gt;Now I have a pretty good idea when this adware was installed, so on to creating a timeline.&lt;br /&gt;&lt;br /&gt;The command fls is used to create a single file containing all the file and directory names and their MACtimes. It has a ton of useful switches for doing things like setting timezone, adjusting clock skew, image type and a myriad of other things. I don't&amp;nbsp;recommend&amp;nbsp;trying to look at this file raw after it's been created, it's a garbled mess that doesn't help you do anything. Instead continue on turning all that junk into a usable timeline. &lt;br /&gt;&lt;br /&gt;The command mactime is used to parse all that raw data and turn it into something human-readable. 
It too has a ton of different switches, the important one for me in this case was the ability to capture a short time frame instead of looking at this system from build date to when I imaged it. I set a time frame of Nov. 6th to Nov. 8th. Here's what I got in return:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_fhLCLrxJpi8/S7AEhxMrJ8I/AAAAAAAAAA4/YIKwf-L7low/s1600/nov-timeline.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_fhLCLrxJpi8/S7AEhxMrJ8I/AAAAAAAAAA4/YIKwf-L7low/s320/nov-timeline.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Looks like somebody was doing a little surfing right before the install......&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;A timeline is not the place to be looking at web history, try &lt;a href="http://www.softpedia.com/get/Security/Security-Related/Web-Historian.shtml"&gt;Web Historian&lt;/a&gt; instead. &amp;nbsp;Mandiant has lots of other tools worth checking out as well. 
&amp;nbsp;Web Historian spits out an excel file that is easily sorted and viewed:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;a href="http://3.bp.blogspot.com/_fhLCLrxJpi8/S7AHMF7AVKI/AAAAAAAAABA/kwntBN0jKpI/s1600/web-historian.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_fhLCLrxJpi8/S7AHMF7AVKI/AAAAAAAAABA/kwntBN0jKpI/s320/web-historian.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Doing a little online coupon-clipping were we? Sounds pretty safe huh? My mom clips coupons.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Immediately after visiting :&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;td class="xl65" height="15" style="height: 11.25pt; width: 529pt;" width="705"&gt;http://discounts.shopathome.com/discounts_and_coupons/default-brand.aspx?refer=76418&amp;amp;src=SEPDSE&amp;amp;s_kwcid=TC-13775-292306429512-S-43445474512&lt;br /&gt;&lt;br /&gt;The adware install begins in the timeline.&lt;br /&gt;&lt;br /&gt;Seems like we've got it nailed down now, but I'm not quite satisfied. &amp;nbsp;I've been reading some blogs about &lt;a href="http://windowsir.blogspot.com/2010/03/timeline-creation-and-analysis.html"&gt;timelines&lt;/a&gt; and &lt;a href="http://thedigitalstandard.blogspot.com/2010/03/timeline-analysis-part-2-registry.html"&gt;supertimelines&lt;/a&gt; lately and I figure this case fits the bill. 
&lt;br /&gt;&lt;br /&gt;You'll have to read Chris's blog for the ins and outs of using regtime.pl to parse the registry and add it to your file system timeline. &amp;nbsp;It just flat works and it blows away a standard file system timeline. Add the ability to parse some other system logs like event logs or Dr. Watson logs, system restore points, etc... and you can really start to nail down an event.&lt;br /&gt;&lt;br /&gt;In the screenshot below you can not only see the installer finishing up creating its file paths, but you can also see it adding itself to the run line and even adding its own uninstaller. (Very friendly for software that generates 5 or 6 popups every minute.) This is really useful information and pretty darn easy to add in to your standard timeline; Chris talks about some software in development (timescanner) that will grab a bunch of different logs and dump them into this format. Good stuff.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_fhLCLrxJpi8/S7AORjCfoMI/AAAAAAAAABI/ax_JtBU5pAM/s1600/supertime.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_fhLCLrxJpi8/S7AORjCfoMI/AAAAAAAAABI/ax_JtBU5pAM/s320/supertime.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So we've found our adware, &amp;nbsp;we've generated a timeline and a super-timeline, and we've used it to nail down the website responsible and the user logged in at the time of the infection. 
&amp;nbsp;Aside from the mountain of paperwork if it were the real deal.....case closed.&lt;/td&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;We could have gone in deeper to system restore points, prefetch and memory analysis. If this were a nasty trojan or a paid gig I would definitely go further. &amp;nbsp;In this case I'm pretty satisfied.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Not too shabby for a new guy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-9068519054751247388?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/9068519054751247388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/malware-case-concluded.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/9068519054751247388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/9068519054751247388'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/malware-case-concluded.html' title='Malware Case : Concluded'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_fhLCLrxJpi8/S6_kX7nNi3I/AAAAAAAAAAw/Us6BY6oho3Q/s72-c/mbamlog.jpg' height='72' 
width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-6469698192243513518</id><published>2010-03-19T15:35:00.000-06:00</published><updated>2010-03-19T15:58:18.340-06:00</updated><title type='text'>Malware case: Day 1</title><content type='html'>Here's the case:&lt;br /&gt;&lt;br /&gt;A customer of mine called today because they suspect they have a virus or other malware.  I picked up the machine and am capturing an image with FTK-Imager-lite as we speak.  I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was.  I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.&lt;br /&gt;&lt;br /&gt;Case background:  &lt;br /&gt;&lt;br /&gt;Customer complaint of popups and slow overall performance on March 18th 2010.&lt;br /&gt;Collected PC in a powered down state from the customer site March 19th at 0945&lt;br /&gt;Extracted hard drive at 1200 March 19th.&lt;br /&gt;Mounted Read-Only on my Ubuntu workstation at 1205 and began imaging with FTK-lite from a WinXP VM at 1212, raw image format, dumping to Fantom 1 TB USB drive formatted NTFS, clean wiped using dd. 
&lt;br /&gt;Estimated image completion time is ~12 hours.&lt;br /&gt;&lt;br /&gt;Infected machine specs:&lt;br /&gt;HP DX2300/XP Pro SP3/Trend Micro Antivirus/1GB RAM/Core2 Duo/160GB Sata HD&lt;br /&gt;&lt;br /&gt;Once imaging is complete I will boot up the machine and capture RAM using memoryze for later analysis.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Any and all suggestions are welcome.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;More to follow....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-6469698192243513518?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/6469698192243513518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/malware-case-day-1.html#comment-form' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/6469698192243513518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/6469698192243513518'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/malware-case-day-1.html' title='Malware case: Day 1'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-8223037339705683476</id><published>2010-03-18T15:23:00.000-06:00</published><updated>2010-03-18T15:46:51.373-06:00</updated><title type='text'>When is it too early to 
specialize?</title><content type='html'>Incident Response, Crime Lab, Expert Witness for Defense, Private Consulting.&lt;br /&gt;&lt;br /&gt;These are all very real career possibilities. The question is "When is it too early to choose a speciality?".  Considering my small town life, my path will most likely be all of the above.  No one is doing Incident response here, the DOJ and State sporadically contract out forensics work, most lawyers have a hard time interpreting the reports they receive from the crime lab and I'm already a consultant.  All of it sounds good as experience on a resume, but do I run the risk of never becoming particularly good at any one of these things?&lt;br /&gt;&lt;br /&gt;Companies aren't exactly clamouring for entry-level forensic analysts who work from home.&lt;br /&gt;&lt;br /&gt;I guess we'll just have to see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-8223037339705683476?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/8223037339705683476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/when-is-it-too-early-to-specialize.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8223037339705683476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/8223037339705683476'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/when-is-it-too-early-to-specialize.html' title='When is it too early to specialize?'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7734053691306644784.post-857261025766869918</id><published>2010-03-16T19:41:00.000-06:00</published><updated>2010-03-16T20:21:48.578-06:00</updated><title type='text'>The start of a journey.</title><content type='html'>&lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;mso-bidi-font-family:&amp;quot;Times New Roman&amp;quot;;color:black"&gt;I'm a few short weeks from taking (and hopefully passing) the &lt;a href="http://www.giac.org/certifications/security/gcfa.php"&gt;GCFA&lt;/a&gt; exam.  I have been reading and studying everything I can get my hands on for more than 3 months to try to scratch the surface of the Computer Forensics field.  I'm fortunate to know a handful of people already working as incident responders and investigators who have been willing to send me reading lists, blog links, old reports and class notes to study and review. 
Even with all of this it's difficult to know how to prepare for an exam encompassing such a broad field.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;&lt;o:p&gt; &lt;span class="Apple-style-span" style="font-family: Georgia, serif; "&gt; I'm already torn between the excitement of catching a hacker in the act or helping put away a creep that desperately deserves it,  and the sheer boredom that is cyber-terrorism law and file allocation tables.  I'm also torn by who I see working in the field. &lt;span style="mso-spacerun:yes"&gt; &lt;/span&gt;There seems to be a huge divide between those who innovate, experiment and further the possibilities and those who are happy pointing and clicking their way to a paycheck. I'd like to think that with a few years of experience under my belt I won't want a push-button forensics job. 
There is way too much to explore in a field that is &lt;span style="mso-spacerun:yes"&gt; &lt;/span&gt;just now coming into its own.&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-family: Georgia, serif; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-family: Georgia, serif; "&gt;For now, I'm the new guy.  &lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-family: Georgia, serif; "&gt;Wish me luck.&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7734053691306644784-857261025766869918?l=eyeonforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eyeonforensics.blogspot.com/feeds/857261025766869918/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/start-of-journey.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7734053691306644784/posts/default/857261025766869918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7734053691306644784/posts/default/857261025766869918'/><link rel='alternate' type='text/html' href='http://eyeonforensics.blogspot.com/2010/03/start-of-journey.html' title='The start of a journey.'/><author><name>Grayson Lenik</name><uri>http://www.blogger.com/profile/15457122858920457681</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_fhLCLrxJpi8/S6EKDh-DrtI/AAAAAAAAAAM/sHFxRMl-W2M/S220/n1188875461_224623_5008.jpg'/></author><thr:total>4</thr:total></entry></feed>
