Case Notes

OK...so, if you are not using Case Notes (CN) by QCC Information Security, I have to ask, "why not?"

If you answered, "What's Case Notes?", let me splain.

Case Notes is an awesome tool for taking notes during your investigations. Unlike simply using Notepad or Word Pad, Case Notes timestamps your entries, allows you to password protect your notes file, has customizable tabs, and keeps creates an audit log of your activity.

Once you download and install CN (either 32 or 64 bit version) you are prompted to set up your preferences...like this...


As you can see, I can set up to 10 fields of metadata such as my name, my agency, the case type etc...very handy. Then you can customize up to four (4) additional tabs for specific notes. The main space for notes is a tab called, "Case Notes" and cannot be changed. You will also have a tab labeled, "Audit Log" which also cannot be changed. So if you use all four like I did, you will have a total of six tabs.

I use my tabs to keep track of evidence items...systems, hostnames, IP addresses, etc, Dirty Words (keywords)...stuff I run across that I want to search for on my image(s), Questions that need to be answered and the subsequent answers, and my Investigation plan...what am I trying to accomplish, and why.

So, once you are all set up, your screen will look like this...



Now that we have covered the tool, let's cover the concept.

Harlan and I were talking this morning and we were wondering why so many investigators don't create an investigation plan. I mean, it seems like a no brainer doesn't it. What are you looking for? What have you been hired to do? What is the overall purpose of the investigation? That would be the first thing you should write down.

Next, you can break the investigation into smaller, more manageable chunks that feed into the overall investigation plan. This is where you would use the Alexiou principle...

1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does the data tell you?

Here is an example...

1. I want to know if the admin user account was used to launch malware.exe
2. I need the ntuser.dat file for the admin user
3. I am going to parse the MUICache and UserAssist Keys with Reg Ripper
4. The data from the UserAssist key indicates that malware.exe was launched by the admin user

This is pretty basic example, but it illustrates my point. You can ask yourself questions and answer them...inputting both into your case notes. Once you have your questions answered, you can update your investigation plan with HOW that information is relevant to the case.

For example, in this case what would the fact that malware.exe was launched locally by admin. Well, for one, I now know that the intruder had admin access. I also know that because the data appeared in the UserAssist key, that they had an interactive session with the shell. So what does that mean? Well, that means they had to login from somewhere, right? So now, I just generated some additional questions that need to be answered...so in my case notes, I would update my investigation plan and my To be answered sections.

1. How did the intruder gain admin access? I need to crack the passwords from the NTLM hashes and see what they are. I also need to parse the SAM hive to determine if the passwords were recently changed, and get the last login times for users in the admin group. If the passwords for admin users were changed recently, I need to get the passwords before the change. I can check to see if the system was taking restore points (or shadow volume copies) and extract the SAM and SYSTEM hives from the date immediately prior to the change. Then I can crack the NTLM hashes and get the passwords before the change occurred.

2. When did they gain access? I can tell this by looking at my timeline (which is one the FIRST things you need to create) and check the first appearance of malware.exe. That should give me a great place to start looking for remote access. I can then look for remote access attempts in the Security event logs. Does the customer have a VPN? Does it log? What about remote management tools? Which ones are in use (RDP, pcAnywhere, VNC, etc)? Are they open to the external internet? Do they log?

All of this from JUST answering a single question! Then as you progress through you case, if you take good notes you will make report writing MUCH MUCH easier! Also, since cases are getting more and more complex, and like me, you may be working more than one case at a time, good notes will keep you from trying to remember what you were doing three days ago and what you were thinking that made you do whatever it was that you were doing? Finally, should you get pulled off the case for any reason (or you just need help) good notes will help your fellow investigators know what you were doing, what you were thinking, and where you were headed.

So, back to my original question...if you are not using Case Notes...why? It's free. It's a great tool that has some really nice options. And taking good notes will help you keep your thoughts organized, and write your final report.

Lesson learned...TAKE GOOD NOTES!!!!!! I will give a dollar to anyone who can give me a good reason for not taking notes during a case. I am going to bet dollars to doughnuts that nobody is going to have any reason compelling enough for me to part with my GWs.

Happy hunting...and remember...TAKE GOOD NOTES!!!!

CyberJungle Interview

Tomorrow morning, I am going to be interviewed by Ira Victor for the radio show, The Cyber Jungle. He is going to be asking me about Sniper Forensics...what it is, what it means to investigators, and how using it can help you!

Listen in if you get the chance!

SANS What Works 2010

I will be delivering Sniper Forensics at the SANS What Works conference in DC on July 8th and 9th. Last year's conference was awesome, so I'm sure this year's will be even better. If you have some money budgeted for a conference this year, and can only pick one, this would be the one to attend!

Crack-a-Lacka

OK…so you may have heard that’s it pretty easy to crack SAM hives using tools like Cain & Able or Ophcrack, but, you have never done it before, you don’t know where to start looking, and you feel like a dolt. No worries my friend, I am here to help.

First, download Cain from Oxid.it, and Ophcrack from Sourceforge. These files WILL be identified as malware by your AV software, so make sure you drop them into a good tools directory that is not being monitored. Creating an exception for specific files and folders is a function most (if not all) current AV releases can do, and should be done if you are working in the incident response/forensics industry since you will likely have a slew of tools that would make most AV engines freak out.

Once you have your tools downloaded, use FTK lite and extract your local SAM and SYSTEM hives. While Cain will dump your NTLM hashes from you local system, I want to show you how to do this as if you were working on an actual case. I think it goes without saying that you would NEVER install Cain or Ophcrack onto a customer system...but there...I just said it now didn't I?

OK…so as you can see below, I have FTK Lite fired up, I have navigated to C:\Windows\system32\config, and I have highlighted my SAM and SYSTEM hives.

Next, I simply right click, and select “Export Files”. I drop them into a specific folder on my desktop, and I am ready to roll…go ahead and close FTK Lite at this point.

Next open Cain, go to tools, and select “Syskey Decoder”…like this…

From here, you will get a popup that looks like this…click on the tripe dots and navigate to where you dropped the system hive you just copied with FTK Lite.

Once you click on the system hive, that little window under where it says, “Boot Key (HEX) will be populated with a long string of numbers and letters. Copy that to your clipboard as you will need it in the next step.

Now, select the “Cracker” tab, and click on the big blue plus sign that sits right beneath the “Tools” menu tab. Then navigate to the SAM hive you just copied using FTK Lite, and paste in the Syskey that you just copied to your clipboard…should look like this…

When you click “Next”, Cain will dump the NTLM hashes from the SAM hive. Your table will now be loaded with whatever user accounts are on that machine, along with the NTLM hashes.

Next, highlight whichever users you want to crack, right click, and select export. Save them to the same place you dropped your hives (for ease of use), and close Cain.

Now open Ophcrack. My .lc out put file, when I open it with Textpad, looks like this…

cepogue:"":"":E4C3436DDD1F625CEBB15F4C062DCC55:EC85B8E81AE28777453327655700B6AE

I am interested in this part only…

E4C3436DDD1F625CEBB15F4C062DCC55:EC85B8E81AE28777453327655700B6AE

THAT is the NTLM hash for the user account cepogue.

On Ophcrack, click “Load”, then “Sinlge Hash” and paste the NTLM hash you want to crack in the little window like so…

Click OK. Now simply highlight, and click “Crack”. In less than a minute, my password was cracked!

Blamo! Pretty slick huh (Yes…I changed my password for the purpose of this example)!

Now, notice that I have two little green dots at the bottom of my screen. Those indicate that I have The “XP Free Fast”, and “XP Free Small” tables loaded. These are free (as indicated by the name) and can be downloaded from the web. You can also purchase larger tabs, or create custom tabs for specific tables (like Rainbow tables, or tables you have created with a word permuter).

I pretty much do this on every case. It’s quick, and gives me a great insight into the security posture of my customer. If like the admin password is “password”, or the “sqldevadmin” password is “sqldevadmin”, I know I they were likely wide open at the time of the incident. If I can crack the passwords in under five minutes, so can the bad guys.

Also, don’t let the customer fool you and say, “oh…our passwords have ALWAYS been strong!”. Parse the SAM hive with Harlan’s RegRipper and look at the “PWD Reset Date” under that username. If it’s a recent date, A) Obviously they’ve changed it, and B) You can always go to the _system_volume_information and extract the previous SAM hive (provided the system is taking restore points or shadow volume copies. ) Then simply extract the previous SAM hive, and repeat the same steps outlined above. Once you get the previous password you can be all…dood…”You changed you password on THIS date (as evidenced by the SAM hive), and your previous password was THIS..as I was able to extract it from the previous SAM hive that I extracted from the restore point from the day before you changed the password…SUCKA!”

Happy Hunting!