The Digital Standard

Manipulating WFP and Residual IOCs

2011-12-06T10:38:00.003-06:00

I just posted on the SpiderLabs Anterior blog about manipulating WFP and what IOC that would leave behind. Check it out!

Pauldotcom Inverview

2011-11-18T07:19:00.002-06:00

If you missed my interview on Pauldotcom last night, you can still watch it on their website.

Interview on Pauldotcom

2011-11-16T10:34:00.004-06:00

Sweet! I will be on Pauldotcom tomorrow night talking about Sniper Forensics! Check it!

Context, Context, Context

2011-11-15T14:20:00.003-06:00

Check out the SpiderLabs blog, "Anterior" for the latest Sniper Forensics post.

SecTor 2011 Huge Success

2011-10-20T08:42:00.002-05:00

I am back from Toronto, and once again Brian Bourne, Renu Bourne, Bruce Cowper and the rest of the SecTor folks out on one of the best security conferences anywhere in the world.

A special thanks to Melanie Wallis for handling the logistics for all of the speakers!

If you have not been to SecTor in the past, you are seriously missing out. The talks get better year after year, and the crowd continues to grow. This year Brian said they had over 1100 attendees, which is fastasic!

Also, Grayson Lenik, Jibran Ilyas, and I conducted a one day Forensics training seminar that went beautifully, and was very well recived.

Great job again to everyone at Black Arts LTD for making SecTor 2011 a huge success!

The Great Northern Invasion

2011-10-10T18:24:00.004-05:00

So I am heading to Canada twice this month to speak at two different security conferences.

On October 17th, I am presenting a day of Law Enforcement training in Toronto at SecTor followed on the 18th by the debut of Sniper Foreniscs v3.0: Hunt.

Then, on October 25th, I am speaking at SecureTech Canada where I am sitting on a panel discussing Cyber Extortion and Protecting Critical Data.

I am really looking forward to a pile of poutine...and maybe a Keith's!

If anyone is going to SecTor, I will be at Joe Bidali's right across the street from the hotel on most nights. See you there eh!

Log2Timeline Intall Guide

2011-09-21T16:15:00.001-05:00

Some folks have indicated that they cannot find this. According to Kristinn, it's in the "Install" documentation.

+ ---------------------------------------------------------------------------------------------------------------------
+ WINDOWS
+ ---------------------------------------------------------------------------------------------------------------------
This has been tested on a Windows XP sp3 machine (32 bit), and Win7 64 bit machine.

Download and install ActiveState Perl
Open command prompt and run the following commands (install dependencies):

ppm install datetime
ppm install win32::api
ppm install date::manip
ppm install xml::libxml
ppm install carp::assert
ppm install digest::crc
ppm install data::hexify
ppm install image::exiftool
ppm install file::mork
ppm install datetime::format::strptime
ppm install parse::win32registry
ppm install html::scrubber

Download the latest source code for log2timeline
Download two additional libraries:

"http://search.cpan.org/CPAN/authors/id/B/BD/BDFOY/Mac-PropertyList-1.33.tar.gz"
"http://search.cpan.org/CPAN/authors/id/S/SI/SIXTEASE/XML-Entities-1.0000.tar.gz"

Uncompress

Inside the XML-Entities:
Copy the content of the lib/XML folder to c:/perl/lib/XML/

Inside the Mac-Propertylist:
Create the directory c:/perl/lib/Mac
Copy the content of the lib/* to c:/perl/lib/Mac

Inside the log2timeline directory
Delete the file lib/Log2t/input/pcap.pm
Copy the content of the lib/Parse/* to c:/perl/lib/Parse/
Copy the content of the folder lib/Log2t to c:/perl/lib/Log2t/*
Copy lib/Log2Timeline.pm to c:/perl/lib/
Copy log2timeline to c:/perl/bin/log2timeline.pl
Copy l2t_process to c:/perl/bin/l2t_process.pl
Copy timescanner to c:/perl/bin/timescanner.pl

Test and hope the best... ;)

CyberSpeak Interview Available!

2011-08-29T06:50:00.002-05:00

My interview on CyberSpeak is now available.

Thanks to Ovie Carroll and George Starcher for taking the time to interview me! I hope your ratings don't drop too much =).

CyberSpeak Interview

2011-08-16T19:01:00.004-05:00

I just finished an interview with Ovie Carroll on CyberSpeak! It should be posted in about two weeks! Give it a listen!

Talked about Sniper Forensics and how it rocks the hizzie!

Investigation Plans

2011-08-12T07:35:00.003-05:00

I presented Sniper Forensics at two different conferences this past week and I am honestly, still alarmed by the number of investigators that still don't create an investigation plan at the beginning of a case. So, to sound like a broken record...If you are currently working cases, and NOT creating an investigation plan..START.

Here is what I do...

First, I open Case Notes and open my custom tab that I have labeled, "Investigation Plan".

Second, I sit back and think about what it is that I have been asked to do. This will obviously change from case to case, agency to agency, and person to person, but the general goal should be the same. You have been asked to identify something for some reason. You are not conducting the investigation for the sake of the investigation itself.

Once I have my overall goal, I write it down in my Case Notes..."I have been asked to confirm blah.

Third, I brainstorm on the "stuff" I will likely need to accomplish my goal. Will I need logs, will I need to interview customer (victim) employees, will I need timeline data, registry data...whatever.

Fourth, I use my tab that I have labeled, "Questions", and I ask myself questions that based on the data I just brainstormed, should help me to accomplish my overall goal. Throughout the investigation, I answer my questions. These answers will either terminate my line of thinking in that area and provide me with a new theory, or support my theory, enabling me to continue down the same path.

Following this brief but very useful exercise will give clarity to my investigation as well as provide success indicators so that I know I have found what I am looking for! Without a clear idea of what you have been asked to do, an investigator can easily become lost in the, "Fog of Forensics" and his case can grind to a stand still.

If you are using Investigation Plans...Good on you! If you are not...start...I promise you will see significant and immediate benefits!

Now...that pretty much concludes

How Do I Get There From Here?

2011-07-18T19:43:00.003-05:00

I have had several people ask me lately, "How do I get there from here"? Not referring to the Country song by Deana Carter, but referring to how to get a job as a forensic investigator/incident responder. So, after thinking about it, here are some ideas that I outlined that help me get to where I am today. Hopefully, you will find them helpful as well.
First of all, you need a good attitude. You need to leave your ego or any overinflated sense of superiority at the door. Some of the absolute BEST people in this industry...guys like Harlan Carvey, Rob Lee, Ovie Carroll, Cory Altheide, Hal Pomeranz, Chad Tilbury, Lenny Seltzer, Jesse Kornblum, Colin Sheppard, Chris Hague, Jibran Ilyas, Grayson Lenik and Eric Huber all share a common trait...Humility. I bet if you asked any one of them if they were good at what they do, you would likely get some variant of the response, "I sure try, but there is always so much to learn!"

They know they do not know everything, and work hard keep current on emerging concepts and technologies . I have met them all, and there is absolutely NO pretense in any of these industry giants. Also, they are passionate about their work, and love what they do. They are the best because they work the hardest. Period.

You also need to be flexible. The slogan of this industry is "semper gumby" - always flexible. You need to be able to adapt to constantly changing situations, emerging evidence, difficult customers, challenging time tables, and extensive travel. Don't be too rigid, or get frustrated when things either change unexpectedly, or don't turn out as planned.
And Travel...loooooots of travel. As an example, I am writing this in the airport during week three of a seven week travel spree. You will travel...a LOT...so get used to it.

Second, you have to be wired for this kind of work. By, "wired", I mean you just have to "get" technology. You have to have a knack for computers beyond the skills and abilities of what would commonly be referred to as a "normal" end user. You cannot be scared by the command line, Linux, Mater Boot Records, Master File Tables, the Windows Registry, the OSI model, Perl, Ruby, and/or Python (just to name a few). You need to be able to read, comprehend, and figure stuff out. You should know what you are looking at, why, and be able to explain it to anyone. In short, you need to be either inherently smart, or prepared to work really hard (I fall into the latter category - not the smartest dood in the room, but I think I work as hard as, or harder than just about anyone). In my opinion, having a concrete foundational knowledge is essential for the job, and is really the difference maker between someone who is OK at the job, and someone who is really good. So never stop learning!

Remember, knowing how to use a tool (any tool) no more makes you an investigator, than knowing how to use MS Word makes you Stephen King. It's a tool that does something...NOTHING more. It's the expert set of eyes on the screen and the expert fingers on the keyboard that make up the expert.

Third, you need a desire to find the truth. The evidence is there (usually), and it's up to you to find it, and interpret it properly. Also, there is a famous quotes by Dr. Carl Sagan who stated, "The absence of evidence is not the evidence of absence". Remember, it is the job of the investigator to identify and properly interpret the evidence.

These are the precepts you should hang your "hat" on. Find the truth. Dig it out of every registry hive, file system, unallocated cluster, slack space, and network capture you can find.
Along those lines, Harlan and I were recently having a discussion over breakfast about context. The basic results were that many investigators will jump to conclusions based on a single data point without building appropriate context around that data point. Why is it there? What does it mean? Am I drawing conclusions based on theory or fact? Are there other data points that all indicate the same "thing" took place. For us, best practice is to identify at least three data points that all point in the same direction. This will give the investigator confidence in what they found (that it is indeed accurate), and give weighting to the evidence.

This is something I touch on in Sniper Forensics. NEVER EVER form your opinion about what happened and try to make the data fit your theory. Let the data formulate your theory, and allow your investigation to flow with the evidence. You may change directions numerous times. Doing so doesn't mean you are wrong, or a bad investigator. It means you know enough to allow the evidence to guide the investigation. It's a complex, fluid combination of art and science, and if it were easy, everybody would do it and be good at it.

OK...so now that we have covered some of the basics regarding attitude, and some philosophical essentials, let's talk about education. You need it. Personally, I am not a huge fan of the forensic degree programs currently be taught at many universities. From what I have seen, they teach tool use, and maybe a little theory. Which is good, but not something that is going to equip an investigator for a successful career in the field. I would LOVE to see them teach the history of forensic science, logic, investigative methodology, technical writing, research methodologies, public speaking, conflict resolution, and systems administration. These are the key proponents of a solid investigator...not knowing how to use a tool! If you have the opportunity to take any class that covers these topics, I would HIGHLY recommend doing so. You would be amazed if I told you how relevant my Pre-Socratic Philosophy class is to my job! Or how much better my reports are after taking a technical writing course. The independent research I have done on expert witness testimony has made me better prepared to speak on the stand. Taking a class that certifies you in how to use a certain tool...ya...not gonna teach you ANY of those things...I'm juuuuuuuuuuuust sayin...

In my opinion, if you are looking into a degree program, take something that is going to teach you what "normal" looks like. Get a general IT degree that is well rounded with courses in Windows, Linux, networking, midrange, and emerging technologies. You can learn the tools later, knowing the basics will serve you far better in the field.

I am a fan of technical certifications...sort of. I have several, and I feel like I got something out of studying for, taking, and passing the requisite examinations. I think the subject matter is relatively small (compared to the larger IT world), focused, and can help to contribute to your subject matter expertise in a specific area.

Now, I am only partially a fan of certifications for a couple of reasons. I know several people who have multiple certifications, and are crummy investigators. Alternatively, I know several people who have few or no technical certifications, who are fantastic investigators. Again, those little letters after your name don't make you a good investigator. They mean you paid some money, sat in a class, and passed an exam. Nothing more. If you have multiple certs...good for you...don't get a big head about it. If you don't have any...don't let it discourage you. They are what they are...indicators that you took a class and passed a test.

Don't get me wrong, from a business perspective, technical certifications go a long way in establishing you as a subject matter expert (some contracts I have worked on even required them). Also, they can show prospective employers that you are serious about your trade, and have taken steps to set yourself apart from other applicants. But don't ever think that just because you have a cert and someone else doesn't that you are "better" than they are. It's simply not the case...ever...and it's just going to make you look like a jerk. I recommend taking the approach that you love the trade and want to learn as much as you can about it. You are fortunate enough to have the resources necessary to attend the class and take the exam. It was a great experience, and you feel that you have benefitted from the knowledge you gained. BUT, you realize that the forensics/IR world is a big place with a LOT to learn, and you are eager to be engaged in any way you can (recognize your efforts without breaking your arm patting yourself on the back...good skill to have). If you are good at what you do, your actions will speak far louder than any certifications ever could.

Next, know that you are going to have to interact with customers....a lot. You are going to have to explain some very technical concepts to non-technical people - not stupid, just not technical. You are going to have to deal with angry lawyers, crying business owners, demands, fear, and uncertainty. Basically, every new case, is everyone's worst day. You need to become skilled in situational analysis, leadership, public speaking, and incident management. You will have to learn how to walk the line (a very fine line sometimes) between confidence and arrogance. This is a difficult concept to learn, and honestly after studying it in both my undergrad and graduate degree programs, at Warrant Officer Candidate School, and reading books about it...it's something you are going to have to experience to get good at. At least by doing to research on it, you can better prepare yourself, and decrease the time it's going to take you to become proficient.

I also recommend reading Dale Carnegie's, How to Win Friends and Influence People at least once per year. Take good notes, and use them. It has a wealth of information and has been THE standard for interpersonal business relationships for almost 100 years. Also, realize that at the end of your contract is a person...a human being. This is their business, or their company...their livelihood. This is how they put a roof over their head, food on their table, and their kids through school. Be cognizant of that, and empathetic to their situation.

Finally, I will share some personal details about how I broke into the industry. When I was a sysadmin I got bored. You can only makes things work so well, and know how to troubleshoot so much, before it becomes mundane. That was the case with me...I was a Solaris and Windows admin at a decently sized IT shop and I was pretty good. My systems ran well, I could troubleshoot quickly and efficiently...and I was bored to tears. So, I searched internally for openings doing something different and I came across a posting for the Ethical Hacking Team. I had all of the required skills (networking, Linux, Windows), no different than any of the other applicants. But, what I had that they did not was raw desire. I wanted this job more than anything. I read anything I could get my hands on that dealt with the subject, spent my own money setting up a makeshift lab to play with tools, and perform experiments. I ooozed enthusiasm. I ended up getting the job. After I was hired, I asked my new manager what was it about me that ended up landing me the job? She told me something I have never forgotten to this day...

"Chris, I can teach you how to use the tools. The other folks on the team can teach you how to go after certain targets, what to look for, and how to run exploits. What I can't teach is enthusiasm. I know that you will be one of my best pentesters in a year simply because you want to be. I firmly believe you wanted the job more than anyone else."

So, while being passionate may not land you the job, it will set you apart from other applicants. Read, research, study, conduct experiments. Learn something new every day. Learn how to use open source tools (which is like 99% of what I use). Learn about forensic theory, investigative methodology, and logic. Learn how to write reports, how to deal with difficult situations and difficult people, and how to LISTEN! Most of all, love the work!

I hope you find this information helpful. If you have any specific questions, please feel free to email me at any time. I am always willing to help!

Happy Hunting!

Log2Timeline and Super Timelilnes

2011-07-15T17:23:00.002-05:00

With the recent release of Kristinn Gudjonsson's Log2Timeline v.60, oddly named, "The Killer Dwarf" (Ya...you had to be there), generating Super timelines has now become easier than ever. However, before we get into the technical specifics of exactly HOW this is done, let's cover the two divergent theories about timelines.

For the purposes of this post, I will refer to the two groups as the Hogs and the Budgies. Yes...I know I am terrible at naming things, but after you hear my rationale behind these names, you will at least know my thought process. First of all, both sides agree that timelines should be made. In fact, I am not entirely sure how I ever conducted an investigation without making a timeline, and I am even less sure about how anyone currently conducting investigations can think they are doing a comprehensive job without timelines! The separation in philosophies comes from exactly what data elements to include in the timeline.

Hogs want to include everything...file system data, event logs, registry last write times, application logs...whatever you have, throw it in there. The theory is, I am not entire sure what I will need, or what I really want to see so just show me everything and I will decide later.

Budgies are the exact opposite...they want to see a much smaller data sample. Presumably, they know precisely what is that they want, and only want to see that data.

I categorize myself as a Flying Pig, because what I want to look at changes from case to case. Sometimes, I only need data from the active file system, while other times, I want to maybe see the event logs, and just the system hive last write times.

I think it's OK to be a Flying Pig, and in my opinion, a good marriage of including just the right data elements into your timeline. If you are new to making forensic timelines, my recommendation is to be a Hog. Gather all of the data you can and throw it into your super timeline. Hopefully, as you get more and more familiar with what data provides value to your investigations, you will get better at determining which elements to include. The fact that you are doing timelines at all, sadly puts you in a very small (yet hopefully growing) number of investigators...so keep it up, however you choose to do it.

Now, on to the technical goodness!

Getting Log2Timeline to run properly in Windows was a bit of a challenge. I worked with Kristinn for about a month tweaking perl modules until we finally got a final product that worked properly.

To start with, go to www.log2timeline.net and download the latest version, and the Windows install guide. Once you have the files, unpack them into your tools directory and follow the install guide. I am not going to say much more about that here, other than I KNOW for a fact that it works...since I am the one that wrote it =). So if you follow it step by step, you should not have any problems.

What makes the newest release of Log2Timeline really powerful is the addition of the recurse option. This means that you can throw all of the data you want added to your timeline into a single directory, and use Log2Timeline to recurse through that directory and add any applicable files to the timeline.

Arguably just as important and powerful of a change is the addition of file carving functionality with plugin grouping (much like Harlan Carvey uses in Reg Ripper).

For example...let's say you acquire volatile data from a Windows XP System. You have the event logs, the registry hives, a couple of ntuser.dat files, and the Master File Table. You can chunk (yes...that is an Oklahoma term) them all into a single directory and use the following command syntax.

c:\>tools\log2timeline> perl c:\tools\log2timeline\log2timeline.pl -m "keyword" -z CST6CDT -r vol -f winxip -w c:\cases\\timeline\supertimline.csv

Let's take a look at these options one by one.

The -m option allows you to put in a keyword. Normally, I use the hostname and the drive letter...for example...cpbeefcake_win7_c:\. This can be anything that will allow you to quickly and easily distinguish one timeline from another.

The -z option allows you to set the timezone for the timeline. This step cannot, and should not be skipped. While I live in the central timezone, I work cases in multiple other timezones. By default, if you don't specify Log2Timeline will use the timezone of the localhost. Now, if the case you are working is say in Pacific Standard Time, and your timeline gets generated in Eastern Standard Time, your timeline will be off by as many as four hours! That is a HUGE margin of error, and will no doubt mess with the accuracy of your findings.

The -r option, we talked about briefly, but it is used to recurse through a directory. Log2timeline uses file carving to identify the header of all of the files in the directory. Once it obtains that data, it compares the headers to the known headers for the various plugin types. If the header is recognize, it will automatically load the appropriate plugin, and parse the chronological data from the file and put it into the timeline (pretty sweet!).

The -f option identifies the file type. This can either be the specific file type (if you are only parsing a single file) or a set of plugins if you are parsing the files from a specific operating system. In my example, I used the "winxp" plugin, which automatically loads all of the plugins needed for a Windows XP system.

The -w is the write option. This tells the tool where to write the output file...pretty basic. By default, the tool writes the output in CSV format. DO NOT append the .csv file extension to the output file. I am not sure why this hoarks up the output file, but it does. For some reason, the column headers are left off file and the l2tprocess will fail. I need to get with Kristinn on this.

If done correctly, your column headers should look like this...

c:\tools\test>strings 1

date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra

Now, if you want to, you can append like the contents of the Master File Table, or a timeline you created with Mactime to your initial output file. Again, since Log2timeline outputs into CSV format by default, you would need to append the final output from mactime, and not a bodyfile generated from FLS.

After you have your super file the way you want it, with all of the data you want it in, you will need to make sure the file is in chronological order, since Log2Timeline will simply add the data to the super file in sequential order (in the order it was read, or appended).

To do this, use the following command...

c:\tools\log2timeline>perl l2t_process -b super > supertimeline

The l2tprocess will chronologically arrange the data from the super file into the correct order, with the first entry at the top, and the last entry at the bottom. Pretty nice!

Another great feature is the ability to use the MFT in the supertimeline! Check it...

date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$SI [MACB] time,-,-,/$MFT,/$MFT,2,/$MFT,0, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/$MFT,/$MFT,2,/$MFT,0, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$SI [MACB] time,-,-,/$MFTMirr,/$MFTMirr,2,/$MFTMirr,1, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/$MFTMirr,/$MFTMirr,2,/$MFTMirr,1, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$SI [MACB] time,-,-,/$LogFile,/$LogFile,2,/$LogFile,2, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/$LogFile,/$LogFile,2,/$LogFile,2, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$SI [MACB] time,-,-,/$Volume,/$Volume,2,/$Volume,3, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/$Volume,/$Volume,2,/$Volume,3, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$SI [MACB] time,-,-,/$AttrDef,/$AttrDef,2,/$AttrDef,4, ,Log2t::input::mft,-

02/26/2009,20:51:34,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/$AttrDef,/$AttrDef,2,/$AttrDef,4, ,Log2t::input::mft,-

You see the $SI and $FN in column eight? That's right baby! Timestomping has NEVER been easier to detect! You will see...plan as day...when the chronological data has been manipulated since they $SI and FN attributes will be different! Provided you search by keyword, they will appear literally right on top of each other! Very nice addition!

I almost wish it were harder than that to create super timelines, but it's really not. Kristinn has done a fantastic job on the latest release of Log2Timeline. There numerous other options the tool can use, and for the sake of brevity (not to mention the fact that you can read) I have not covered all potential option combinations. My advice is to take some time and play with the tool. Get to know how it works, what the output looks like, and what commands you think are the most relevant for the timelines you are creating.

Serious props to Kristinn for making this extremely useful and powerful tool free to the forensic community. He has done an outstanding job, and honestly, like Harlan's Reg Ripper, and Mandiant's Memoryze, this is a game changer.

Happy Hunting!

Sniper Forensic Part V: Finding Evil Part II

2011-07-07T16:36:00.003-05:00

Check it out on the SpiderLabs Anterior Blog!

MBR Analysis

2011-07-06T19:38:00.002-05:00

A few weeks ago, Harlan touched on the concept of analyzing the Master Boot Record (MBR or $BOOT) for signs of malware infestation. That got me to thinking, "what would that really look like"? So, I tested it and thought I would share my results.

To recap Harlan's post, basically the MBR contains the partition tables for a Windows system. On a typical NTFS host , the offset for the primary partition table that contains the operating system is 0x63. This may vary based on the type of system or the configuration, but generally speaking, this is pretty consistent. An easy way to check an image for the offset values is the The Sleuth Kit's tool, "mmls". By running mmls against an image, you will see the offset values for the partition tables.

Now, how malware comes into play here, is very interesting, and very clever. Let's take a "typical" Winodws NTFS system and assume that the OS partition is located where we would expect to see it, at offset 0x63. But what if there was a partition table set at offset 0x62? Would you even recognize it, or if you did, would you even care? It's not offset 0x63 right, and when you mount offset 0x63 you see the NTFS file system...plain as day...so no harm no foul, right? Wrong, and here's why.

The malware creates a partition table at offset 0x62 and copies the MBR, with a jump statement. The OS boots and see the MBR in offset 0x62 FIRST. It reads the data and if malware is present executes it. It then follows the jump command to offset 0x63, the NFTS file system is recognized, and normal the normal boot process resumes. When the malware runs on the infected system, the traces are NOT in the primary file system, because they are stored in another partition table! Pretty slick!

After some digging around, I found a pretty nice perl script called, MBRparser by Gary Kessler. It's easy to use and shows you exactly what you would need to see when looking for MBR infections. In the screenshot below, I used Gary's tool to parse the MBR from my local Windows 7 Dell laptop.

As you can see, since I have a typical NFTS file system, my first partition table is set to 0x63, exactly what I would expect to see. What I would NOT expect to see, is a entry prior to offset 0x63. If I exported the MBR (again, $BOOT) from a target system and parsed it with MBRparser, and I saw a partition table prior to 0x63, I would immediately become suspicious.

Now, don't think that every time you have a partition table before the NTFS file system that you have MBR malware. There are systems that intentionally put partitions with vendor tools, or other data there intentionally. So, "Don't Panic"...at least not yet. If you see something there before the NTFS file system you can either mount it with a tool like ImDisk, or FTK Imager, or you can extract the data using The Sleuth Kit's, "blkls". Then you can see the data and decide for yourself if it's just benign vendor stuff, or if it's, malware.

The real takeaway here is to actually start looking. By adding this step to your malware detection methodology, you will increase your chances to catch an infection of this nature. And, since you were likely not doing this in the first place, you have made yourself an exponentially better investigator.

Speaking at GFIRST

2011-06-30T07:50:00.003-05:00

I will be delivering a special version of the Sniper Forensics presentation at the GFIRST National Conference this year! I'm sure it will be a fantastic event, and I am really looking forward to it!

If anybody is going to be there, I would love to be able to meet you in person! Just let me know!

SANS What Works Summit HUGE success...again...

2011-06-09T14:37:00.002-05:00

Once again, Rob Lee and the folks at SANS put on THE conference to attend in the IR/Forensic space! I would like to extend my personal thanks to Rob, the staff at SANS, and all of those in attendance. You all are what continually make this conference such a rousing success year after year.

The presenters just keep getting better year after year (although Harlan Carvey was sorely missed)! Kristinn Gudjonsson slayed it with the new and drastically improved version of Log2Timeline, Hal Pomeranz stunned us with the evolution of the EXT4 filesystem and the massive proliferation that is looming on the horizon, and..as always...Cory Altheide showed once again why he is the Cloud Master!

I don't want to fail to mention the other talks by Sean Morressy whose Katana Lantern product is a MUST HAVE for any agency doing Apple device forensics! Andrew Hay also did a "bang up job" - no pun intended - on his five points talk...very very good stuff!

If I left anyone out, forgive me! I am just touching on the talks that really stuck with me, but all of the content was exceptional this year.

I have said it before, and I will say it again...if you can only attend ONE IR/Forensics conference next year GO TO THIS ONE!!!!

SANS What Works in Incident Response Today!

2011-06-06T07:36:00.003-05:00

I will be presenting Sniper Forensics v2.0 at the SANS Summit tomorrow. Hope to see you there!

GFIRST: Sniper Forensics

2011-05-05T11:46:00.001-05:00

Sweet! Sniper Forensics has been accepted at GFIRST!

Sniper Forensics Part IV: "Finding Evil"

2011-03-25T11:26:00.002-05:00

Posted on the SpiderLabs Anterior blog. Check it!

SANS What Works Summit 2011

2011-03-10T15:50:00.003-06:00

I was just informed by Rob Lee that Sniper Forensics 2.0: Target Acquisition has been selected for this year's SANS What Works in Incident Response Summit in Austin Texas! Sweet! See you there!

Time Stomping is for Suckers

2011-02-23T16:17:00.004-06:00

OK...So I have been seeing this more lately, so I feel like it's time to post about it again.

Chronological data about the files on a Windows system are stored in something called the Master File Table or $MFT. This is the place that the operating system and various GUI utilities (Insert Forensic GUI Utility of choice) pulls timeline, or MACB times. As a refresher, MACB stands for:

M - Modified
A - Accessed
C - Created
B - Birth

Now...there are two places in the MFT that store this chronological data. One is the $Standard_Information ($S_I) attribute, and the other is the $File_Name ($F_N) attribute. So now you are asking yourself, why are there two places that store this data, and why do I care...well...I will tell you...

The data is stored in two different places because they are accessed by two different parts of the system (loosely). The $S_I is accessed by the OS, various applications, and the user. So, it is able to be modified or stomped. THEREBY " fooling ANY and ALL forensic utilities. ALL OF THEM...since they all pull the chronological data from the $S_I. So, if a file has been modified, and you sort in your little GUI column sorter, the malicious file(s) that has (have) been stomped will be sort in like 2008, 1969, or whatever date the attacker decided to give it.

Sucks to be you right? Wrong! Sucks to be a crappy tool...not a smart investigator!

Here is why...

While the $S_I attribute is able to be modified by the OS and stuff, the $F_N attribute is not. So what does that mean? It means you can use this hand-dandy little perl script called, "mft.pl"from none other than the illustrious Harlan Carvey to parse the MFT and just pull out the $S_I and $F_N attributes (Which incidentally, Harlan was nice enough to post on Google Code...THANK YOU HARLAN). Then, when you compare the two values, you can see right away if the MACB times have been modified!

Here is the syntax to use mft.pl..

C:\tools>Perl mft.pl $MFT_from_suspect_system > ripped_mft.txt

Now if you cat or strings that file, it will look like a bunch of nonsense, so here is what I suggest:

C:\tools> strings ripped_mft.txt | grep -A 6 -B 6 -i filename_you_are_looking_for

This will give you the six (6) lines both before and after the hit in the MFT. The MACB times on the top are from the $S_I attribute, while the ones on the bottom (as indicated by the little "FN" are from the $F_N attribute.

So, if the top does not match the bottom, you have a file that has had its MACB times modified by something. Then you can indicate that, and show that the times on the bottom are the correct ones. Use those in your case timelines.

So you see, Time Stomping is for suckers! You can fool a tool, but you CAN'T fool an investigator.

Well...I guess technically you CAN, but it would have to be an investigator who is relying on the tool to solve his case for him and not his brain. In which case, I would refer to that person as more of a click monkey than an actual Investigator...but I digress...

Happy Hunting!

Named Top 25 Blog!

2011-02-23T15:43:00.003-06:00

I was just informed that TheDigitalStandard was named one of the top 25 Forensics blogs! Nice!

This distinction comes from http://www.criminaljusticedegreeschools.com/top-forensics-blogs/.

Thank you! Notice a couple of other names in the computer forensics world? Namely Harlan and Grayson...great work fellas!

Sniper Forensics Part 3

2011-02-21T12:04:00.001-06:00

Now posted on SpiderLabs Anterior!

Dumpy Goodness

2011-02-17T11:43:00.006-06:00

OK...I know the title sounds a bit wonky, but I really think a lot of you are going to find this post interesting and useful.

So...in my quest to be ever more efficient in my volatile data acquisition I stumbled upon (thanks to Harlan and Troy) a tool that is resident to Windows systems that has proved to be extremely helpful. It's called reg.exe, and it's pretty freaking sweet.

Normally, when extracting volatile data from a Windows system, I would dump RAM, run my volatile collection script, then fire up FTK Imager (usually in conjunction with F-Response if against a live system) and manually extract the registry hives and ntuser.dat files. I thought this was pretty efficient, but it always bothered me that I could not script the process. I mean, how quick and easy would it be if my data collection script dumped RAM, gather volatile data, extracted the registry hives and ntuser.dat files, AND...for good measure...ripped them for me with RegRipper!

That would not only save me time, but it'd be freaking sweet...so I set my mind to figuring this problem out. After a couple of days of poking around and trial and error, I got it to work! So, here's how...

reg.exe is resident to all Windows releases that I have in my lab (2000, XP, 7, Vista, Server 2003, and Server 2008), but just to be safe, I copied it from my lab XP system to the same directory with all of my tools. Then, when I scripted it into my batch file, it looks like this...

@ECHO Dumping Registry Hives
@ECHO Dumping SAM Hive
@reg save HKLM\SAM %DST%\%NAME%\vol\%NAME%_SAM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SAM_Hive > %DST%\%NAME%\vol\%NAME%_SAM_Hive.md5

@ECHO Dumping SYSTEM Hive
@reg save HKLM\SYSTEM %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive.md5

@ECHO Dumping SECURITY Hive
@reg save HKLM\SECURITY %DST%\%NAME%\vol\%NAME%_SECURITY_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SECURITY_Hive > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive.md5

@ECHO Dumping SOFTWARE Hive
@reg save HKLM\SOFTWARE %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive.md5

@DELAY.EXE %DELAY%

@ECHO Ripping SAM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SAM_Hive -f sam > %DST%\%NAME%\vol\%NAME%_SAM_Hive_ripped.txt

@ECHO Ripping SYSTEM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive -f system > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive_ripped.txt

@ECHO Ripping Software Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive -f sam > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive_ripped.txt

@ECHO Ripping SECURITY Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SECURITY_Hive -f sam > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive_ripped.txt

Nice huh! So now, you can add this little snippet to your own volatile collection script. For more on reg.exe, you can also just run, "reg /?"...

C:\tools>reg /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved

REG Operation [Parameter List]

Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

0 - Succussful
1 - Failed

For help on a specific operation type:

REG Operation /?

Examples:

REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?

As you can see from my script, I used reg save...

C:\tools>reg save /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved

REG SAVE KeyName FileName

KeyName ROOTKEY\SubKey
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to save. If no path is specified, the
file is created in the current folder of the calling process

Examples:

REG SAVE HKLM\Software\MyCo\MyApp AppBkUp.hiv
Saves the hive MyApp to the file AppBkUp.hiv in the current folder

***Remember...I am running this against a LIVE system! As far as I know, without either using reg.exe or something like FTK Imager, you cannot access the registry hives from a live system.***

Now, you would pretty much repeat the same process for ntuser.dat files, only instead of entering the hive information, you would use HKU (instead of HKLM) followed by a backslash and the SID of the specific user. Here is what the syntax looks like for the admin account on my XP box...

c:\tools>reg save hku\S-1-5-21-746137067-1547161642-839522115-500 outputfile.dat

Now, this may be "old new" to some of you, but I will tell you that for me...and I have been doing this for about seven years now...I had not heard of or used reg.exe until this week. AND, I have never seen it scripted before as part of a volatile collection script. It's not to say that it hasn't been done already, just that I have not seen it.

So...now, you can easily write a batch file that will dump RAM, grab volatile data, copy the registry hives and parse them, and copy ntuser.dat files and parse them. Total time saver!

Enjoy!

Happy Hunting!

Windows Registry Forensics Released!

2011-02-14T08:50:00.003-06:00

I received my copy of Harlan Carvey's, "Windows Registry Forensics" over the weekend and I am really excited to start reading it!

The registry is a GOLD MINE of forensic artifacts that can really put some teeth in your investigations. If you do not have this book yet, BUY IT!!! Harlan has not disappointed yet with any of his published works, and I don't expect this will be any different.

Look for a book review from me in the coming weeks. But seriously, if you are doing forensic investigations on Windows systems, and you don't yet have a copy of this book, you are really missing something. You have NO IDEA how useful this information can be!

Sniper Forensics Part 2 Posted

2011-01-21T09:17:00.003-06:00

I have posted part two of Sniper Forensics to the SpiderLabs Anterior blog.

Check it out! Great stuff! (or at least I think so)

SpiderLabs Anterior - Sniper Forensics

2011-01-19T13:01:00.004-06:00

Sniper Forensics: Part 1

I have recently blogged about the Sniper Forensics methodology at the SpiderLabs Anterior blog...which is THE official blog of the Trustwave SpiderLabs. Check it out!

Sniper Forensics Videos!

2010-11-16T08:26:00.002-06:00

The kind folks at SecTor just posted the videos from SecTor 2010! ALSO, there is a link there for the videos from 2009.

If you have not had a chance to see either of the Sniper Forensics talks, now is your chance to download the videos or the slide decks!

Sniper Forensics 2.0 Tools, Links, and Commands

2010-10-27T07:26:00.003-05:00

OK...so I figured that there would be a lot of questions about the tools I use and the command syntax that I covered in SF2. There is obviously a LOT I was not able to cover due to time constraints, so if anyone has any specific questions about which tools do what, how to use them, and how to interpret the output, please let me know and I will create a FAQ blog post.

Thank you for attending my talk! I hope you get out of it as much I put into it!

Happy Hunting!

Tools
====
F-Response (http://www.f-response.com/)
Memoryze (http://www.mandiant.com/products/free_software/memoryze/)
Audit Viewer ( http://www.mandiant.com/products/free_software/mandiant_audit_viewer/)
UnxUtils (http://sourceforge.net/projects/unxutils/)
Grep (http://gnuwin32.sourceforge.net/packages/grep.htm)
TextPad (http://www.textpad.com/download/)
Case Notes (http://www.qccis.com/forensic-tools)
The Sleuth Kit (http://www.sleuthkit.org/sleuthkit/download.php)
Log2Timeline (http://log2timeline.net/)
SIFT Workstation (https://computer-forensics2.sans.org/community/siftkit/)
AnalyzeMFT (http://www.integriography.com/)
RegRipper (http://regripper.net/?page_id=150)
RipXP (http://regripper.net/?page_id=150)
FTK Imater 3.0 (http://www.accessdata.com/downloads.html)

Syntax
=====
Use these commands to rip registry hives.
C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\SAM –f SAM > c:\cases\ripped\systemY_sam_ripped.txt

C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\system –f System> c:\cases\ripped\systemY_system_ripped.txt

C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\ntuser.dat –f ntuser> c:\cases\ripped\systemY_ntuser.dat.userX_ripped.txt

Use these commands to create a bodyfile and timeline. If you want a more detailed explanation of how to generate timelines, read my blog posts about timeline creation.

C:\tools\TSK\fls –m ‘C:/’ –f ntfs –r \\.\F: > c:\cases\customerX\timelines\systemY_bodyfile

Perl C:\tools\TSK\mactime.pl –d –b C:\cases\customerX\timelines\systemY_bodyfile\systemY_timeline.csv

You can add logs to your bodyfile with Log2Timeline
C:\>Perl C:\Perl\bin\Log2timeline –t >> c:\cases\customerX\timelines\systemY_bodyfile
You can hives and NTUSER.dat files to your bodyfile with regtime
C:\>Perl C:\tools\bin\regtime.pl –m HKLM/system –r c:\cases\customerX\hives\system >> \c:\cases\customerX\timelines\systemY_bodyfile

Search for suspect keywords
C:\cases\customerX\ripped>strings *.txt | grep –i
C:\cases\customerX\timeline>strings *.csv | grep –i

Search for suspect timeframe
C:\cases\customerX\ripped>strings *.txt | grep –i
C:\cases\customerX\timeline>strings *.csv | grep –i

Know how to stack your searches! CRITICAL!!!

Grep –i | grep –i
Grep –i | grep –i | grep –i
Grep –o
Gawk “{print $#}”
Cut –d -f#

Search for suspected date, all files “born” on that date.

C:\cases\customerX\timeline>strings_hostname_timeline.csv | grep -i "may 26 2010" | grep "..b,r"

SecTor 2010 - Debuting SF2

2010-10-24T17:42:00.005-05:00

I will be debuting the second version of Sniper Forensics, titled, "Target Acquisition" at SecTor in Toronto, Ontario, Canada on October 27th. It's a great conference and I couldn't be more excited!

Here are some quotes about what others are saying about SF2!

“As environments continue to grow in size and complexity, incident response teams entrenched in the “image everything” methodology will find themselves not able to understand the situation as fast as the threat is evolving within a target environment. Adopting the Sniper Forensics Methodology, will decrease the cost of the investigations while providing results many times faster over traditional approaches when applied to modern environments.”

- Nicholas Percoco
Senior Vice President, Trustwave SpiderLabs

=============================

“If you have a specific goal, you are much more likely to achieve it. Knowing what you want out of an investigation, before you start, will help you know when you're finished.”

- Jesse Kornblum
Computer Forensics Research Guru, Kyrus Technology

=============================

"Using F-Response as part of the "Sniper Forensics" model is the perfect logical extension of our original mission. Get answers, not just information."

- Matt Shannon
Founder, F-Response

=============================

“'Sniper Forensics: Target Acquisition' walks up to an analyst and slaps him right in the face! Here are targeted tools and techniques, straight from successful field ops, that every analyst needs to know! Once you've defined your target, go grab the data you need, and optimize your time and resources to get the job done!”

- Harlan Carvey
Vice President of Advanced Technical Projects, Terremark Worldwide
Author of “Windows Forensic Analysis 2nd Edition”
Author of the Blog, “WindowsIR.blogspot.com”

The “Not So” Perfect Keylogger

2010-10-23T13:54:00.004-05:00

I have seen a number of cases lately in which the method of data aggregation on Point of Sale Terminals was the use of Blazing Tools Perfect Keylogger. This is a commercial tool that is used to track the computer use of individuals within a family or a company. This blog is not about the legality or ethics of this tool, but rather about the technical specifics when looking for this tool during a compromise.

Below, is a timeline excerpt from a case I was working recently in which I saw Perfecet Keylogger running natively (ie…under the default naming convention). It should be noted, that the means of infiltration in 99% of these cases in an open remote administration port and default administrative passwords. This gave the intruders an easy path onto the target systems, and the credentials necessary to install the malware.

Pay special attention if you will, to the file names besides bpk.exe, specifically the letters after the “k” in “bpk”.

F:\timelines>strings _timeline.csv | grep -i bpk
Fri Aug 21 2009 02:42:56,499712,m..b,r/rrwxrwxrwx,0,0,13919-128-3,'C:/'/WINDOWS/system32/bpk.exe
Fri Aug 21 2009 02:42:56,19456,m..b,r/rrwxrwxrwx,0,0,13920-128-3,'C:/'/WINDOWS/system32/bpkr.exe
Fri Aug 21 2009 02:42:56,19968,m..b,r/rrwxrwxrwx,0,0,13922-128-3,'C:/'/WINDOWS/system32/bpkhk.dll
Fri Sep 04 2009 01:12:50,188895,ma.b,r/rrwxrwxrwx,0,0,14008-128-3,'C:/'/WINDOWS/security/bpk.chm
Mon Oct 19 2009 07:02:03,623,ma.b,r/rrwxrwxrwx,0,0,13996-128-1,'C:/'/WINDOWS/system32/bpk.dat
Sat Aug 21 2010 02:43:06,22586,...b,r/rrwxrwxrwx,0,0,13923-128-4,'C:/'/WINDOWS/Prefetch/BPK.EXE-06BA93D1.pf

As you can see, some of the key file names associated with Perfect Keylogger are: bpk.exe, bpkr.exe, bpkhk.dll, bpk.dat, and the configuration file not listed in the first timeline excerpt, pk.bin. These files are normally found in the C:\Windows\System32 directory, but can really run from any custom location, as indicated by the second timeline excerpt. When it’s seen in a RAM dump, it looks like this:

Below is a second example, in which the naming convention has been changed to confuse the would be investigator. Look at the letters after the “t” in “wuault.exe”. Do they look familiar? They should!

F:\timelines>strings timeline.csv | grep -i wuault
Fri Sep 04 2009 01:34:51,438272,m..b,r/rrwxrwxrwx,0,0,14055-128-3,'C:/'/WINDOWS/security/wuault.exe
Fri Sep 04 2009 01:34:51,24576,m..b,r/rrwxrwxrwx,0,0,14056-128-3,'C:/'/WINDOWS/security/wuaulthk.dll
Fri Sep 04 2009 01:34:51,40960,m..b,r/rrwxrwxrwx,0,0,14059-128-3,'C:/'/WINDOWS/security/wuaultwb.dll
Fri Sep 04 2009 01:34:51,215040,m..b,r/rrwxrwxrwx,0,0,14060-128-3,'C:/'/WINDOWS/security/wuaulti.dll
Fri Sep 04 2009 01:34:51,7680,m..b,r/rrwxrwxrwx,0,0,14061-128-3,'C:/'/WINDOWS/security/wuaultr.exe
Sat Sep 04 2010 05:44:06,16674,...b,r/rrwxrwxrwx,0,0,13976-128-4,'C:/'/WINDOWS/Prefetch/WUAULT.EXE-0E3FBF35.pf

When captured in a RAM dump, it looks like this:

Notice that the path is C:\windows\security. Also of note, look at the timeline above…see the “birth” date in my timeline? It says “Fri Aug 21 2009 02:42:56”, but the first prefetch file shows a timestamp of, “Sat Aug 21 2010 02:43:06”. About 10 seconds later…exactly one year later? What’s up with that? Well…let me tell you, but first, let’s quickly go over the Master File Table ($MFT), specifically the Standard_Information ($S_I), and File_Name ($F_N) attributes.
REAL basically, we all know that the $MFT holds information about the files on the disk. Well, one of those attributes, the $S_I, is accessible by the operating system (OS) and the user. So, what…that means that they can be changed, accessed, and yes…stomped. BUT, the $F_N attribute is not touched by anything except the kernel. So what does that mean? It means no modifications by the OS or the user…ie…no stomping.

So, Harlan sent me a Perl script he wrote which goes through the $MFT and extracts and parses the $S_I and $F_N attributes. So with our friend bpk.exe, it would look like this:

13919 FILE 14 1 0x38 4 1
0x0010 96 0 0x0000
0x0000
M: Fri Aug 21 07:42:56 2009 Z
A: Tue Oct 19 16:24:13 2010 Z
C: Tue Oct 19 16:12:26 2010 Z
B: Fri Aug 21 07:42:56 2009 Z ← This is the “modified” birth date of the file on the system.
0x0030 104 0 0x0000
0x0000
FN: bpk.exe Parent Ref: 847 Parent Seq: 1
M: Sat Aug 21 07:42:56 2010 Z
A: Sat Aug 21 07:42:56 2010 Z
C: Sat Aug 21 07:42:56 2010 Z
B: Sat Aug 21 07:42:56 2010 Z ← This is the actual “birth” date of the file on the system.
0x0080 88 1 0x0000
0x0000

And…it matches our Prefetch file, which further supports our finding that the timestamps have been modified. So be wary…if you come across Perfect Keylogger in a case, it will be offset by one year – I have seen this to be true in every Perfect Keylogger case I have worked, and it seems to be done as part of the install script. Now, while I have seen the binaries and associated dlls renamed, I have not seen the dump file (bpk.dat) or the configuration file (pk.bin) renamed. After downloading a trial version of Perfect Keylogger, I can see that you can change the output file, and path, so it’s possible…but like I said…just never seen it. I’m not certain the same can be said for the configuration file. I have tried several times unsuccessfully, so I think it may be hard coded into the program.

So if you try to open the bpk.dat, and the pk.bin they appear to be encrypted. Or are they? Through the efforts of the SpiderLabs Research Team, we found that they are NOT really encrypted, but rather encoded with a single xor key, 0xAA. So, when you use a simple xor script, against either one, you may get something that looks like this (since this was from a real case, I have modified the output, but the methods and the output format looks the same):

PK Password: "y0uv3b33np0wn3d"
License Name: "www.hacked.ws"
License: "PGTDFADBEPRCHGB"
Email Enabled?: true
SMTP Server: "10.10.10.10"
SMTP Port: 25
SMTP Username: "user"
SMTP Password: "p@ssw0rd"
Email Address: "p0wn3d@hackmemail.com"
FTP Enabled?: false
Hotkey Hex: keycode=0xdc modifier=0x07
Key-combo: SHIFT + CTRL + ALT + 6

So, this is great! You have the attacker’s email, the server he was using, his username and password! Better yet, you have the key-combo which is used to bring the Keylogger out of hidden mode. If the attacker wanted to use FTP instead of SMTP, you would see the same type of login information as you do for the SMTP example provided above. If you know that it’s running, but you don’t see the icon in the bottom of the screen, it’s in hidden mode. Simply use this key combination, and BAM, the icon will suddenly appear! Then, simply enter in the “PK Password” and you have access to the admin console of the keylogger! This configuration file will give you access to the time intervals in which the dump file is emailed or FTP’d. Pretty slick eh!

Now, it also uses the same xor to encode the dump file! So if you run the same xor script, you may see something that looks like this:

F:\ >cat bpk.dat.out
06-09-2010 03:22
wuault.exe
BlazingTools Perfect Keylogger: Options
[Password captured: p@ssw0rd]
15
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:53
Explorer.EXE
Run
cmd
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:54
cmd.exe
C:\WINDOWS\system32\cmd.exe
d:
dir
mkdir images
cd im
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:56
cmd.exe
C:\WINDOWS\system32\cmd.exe
mkdir vol

Nice! Note that if you don’t have any scripting-fu (Perl, Ruby, Python, etc) you can simply install the trial version of Perfect Keylogger in a vmimage, and use the “view the log” option to see the decoded versions of the logs.

Additionally, the only registry entries I have seen for Perfect Keylogger are in the UserAssist key of an ntuser.dat file, showing initial execution, and in the RUN key of the SOFTWARE hive, showing that it’s set to start up at reboot.

NTUSER.DAT – UserAssist Key
=========================
UEME_RUNPATH:C:\Documents and Settings\\Desktop\i_bpk2007.exe (3) ← Indicates execution of the installation binary.

Software Hive
=========
Software\Microsoft\Windows\CurrentVersion\Run
C:\P15xx\DisableWriteCache.exe -s all
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
C:\WINDOWS\System32\bpk.exe ← Indicates that the keylogger will start each time the system boots.

So, if you are working on a case and you expect that you may have Perfect Keylogger, here are the key indicators of compromise:

Presence of:
• pk.bin, or bpk.dat (configuration or dump files)
• bpk.exe, wuault.exe, wuauclt.exe (running from the incorrect directory)
• binary and dlls timestopmed (check the $MFT)
• Entries in the ntuser.dat and SOFTWARE hives
• Active process running RAM with the same ending letters (as seen in the timeline example)

You can decode the configuration file and dump files with a simple xor, 0xAA key. Alternatively, you can use the demo version of the keylogger itself to open the dump file.

Good luck, and happy hunting!

Call for quotes

2010-10-12T10:03:00.002-05:00

I will be delivering Sniper Forensics v2.0 - Target Acquisition at SecTor this month in Toronto, Canada. To add some down home flavor to the preso, I would like to issue a "call for quotes" to anyone who uses the Sniper Forensics methodology. I will use between 5 and 10 quotes depending on your responses...so...I may not use any! But please, if you have heard my talk or read about it, and use the SF methodology, please let me know what you think!

Thanks!

Court Approved?

2010-08-27T08:13:00.003-05:00

I continue to hear this phrase mentioned by fellow forensicators in email lists and at conferences, so I thought I would, once again, help to dispel the myth.

THERE IS NO SUCH THING AS COURT APPROVED TOOLS.

Saying that one tool is court approved and another is not, is like saying you can take crime scene photos with a Nikon, but not a Kodak. It's just silly, and it's a myth perpetuated by those who seek to benefit from the existence of such a rumor.

Now, there ARE tools that have been used in court cases, which may be more familiar to attorneys and/or judges. This does NOT make them court approved, it simply means that they have been used before...nothing more. Pay careful attention to what I am writing here...simply using a tool...any tool...DOES NOT make your findings any more relevant, valid, or indisputable then if you had used any other tool to come to the same conclusions. The data is simply the data.

Your job as a forensic investigator is to produce forensically sound results. This too is a term that is often used incorrectly or as a buzz word. Forensically sound means that if given the same set of data, any other investigator, using any other tool, would come to the same conclusion.

Now really think about what this means. Let's say you have been asked to identify a date range for files in a specific directory. If given the same image, 10 different people, using 10 different tools, should come to the exact same results...EnCase, FTK, TSK, MFL, Perl scripts, Python, whatever...the conclusion should be the same because the means by which you would extract that data is the same.

The implications of a conclusion being forensically sound invalidate the entire premise of something being court approved. How can one tool that comes to the same conclusion as another tool be approved while the other is not? They DO the same THING. While the GUI may change, or the vendor - open source code versus proprietary - Linux versus Windows...it doesn't matter. The data is the data.

Surgery!

2010-08-05T09:01:00.002-05:00

In case you haven't noticed, I have not posted anything in awhile. That is due to the fact that last week during Black Hat, DEF CON, BSIDES week, my wife ended up in the Emergency Room, and surgery.

She is OK now, an at home recovering, but obviously my focus had to shift from forensics to my family. Once she is back on her feet and feeling better, I will be back to my usual forensic-y goodness.

I also want to give a HUGE thanks to all of you from BSIDES and SANS for sending me your thoughts and prayers. I also want to issue s public apology to the folks at The Next HOPE conference and DEF CON for having to miss my speaking engagements. You have my most sincere apologies, and hope you realize that my absence was a significant medical issue.

Thanks again!

SANS What Works 2010 - HUGE Success

2010-07-11T20:38:00.002-05:00

This past week, I had the great privilege of attending and speaking at the SANS What Works in Incident Response Summit in Washington, DC.

The Conference once again had some of the best speakers in the world of incident response and forensics including, Major Carol Newell of the Broken Arrow, OK Police Department, Rob Lee, Harlan Carvey, Jesse Kornblum, Troy Larson, Kris Harms, and Robert Shullich.

This is the second year for the conference, and I think that without question, the conference continues to improve. In a field as dynamic and fluid as Incident Response and Computer Forensics, investigators really need to keep current with not only their skill sets, but with emerging technologies, theories, and methodologies. This only makes sense, since the "bad guys" we are all trying to catch, are undoubtedly doing the same thing! This is crux of the summit, and the true value add for the attendees...you get to hear and see what is ACTUALLY working from some of the best minds in the industry.

The major focus this year was on the new challenges we face with the arrival of Windows 7, which is very different than XP, and Vista. There are new registry entries, gobs of new event logs, and a new file system layout. All in all, it going to mean countless hours of research by investigators to be efficient and effective at performing comprehensive forensic investigations.

The other big takeaway from the conference is the involvement with corporate investigators with law enforcement agencies...something I am a HUGE advocate of! Look for a LOT MORE of this to come, but the gist is this...LE agencies do not use police for forensic pathology, or for forensic dentistry, or forensic arson investigations. Why would they? For this, they would use doctors, dentists, and fireman. Why? Because they are subject matter experts in those fields. Why then, when it comes to computer forensic (arguably one of the most difficult of the forensic sciences - based on the vast array of digital media current in use by the "average" person) do LEs want to keep these types of investigations in house? Why not treat cases involving digital media, the same way they would any other case involving a forensic scientist, and seek the assistance of subject matter experts? This is the direction we want to start moving.

If you are an investigator, and want to start helping in LE cases, here are a few tips from Major Newell:

1. Certifications...get them! They look great on the stand, and will help you with the vetting process by the PD and as an expert witness.

2. Be presentable. You don't have to be a cover model by any stretch...but you ARE going to be representing the PD or the DA's office. Dress accordingly!

3. Letters of recommendation. Get these from any law enforcement agency, public official, military officer, or business executive you can. ALSO...get them from fellow investigators...IE...if Rob Lee, Harlan Carvey, and say...Jesse Kornblum say...hey...this guy is legit, then chances are that is going to carry a lot of weight with any respective PD.

4. Be an effective communicator. We deal with some of the most technical information in the IT world...and when on the stand, we may have to explain some of that highly technical information to a jury of our "peers"...which according to most PDs, is about as educated as the average 7th grader. So, know your audience...talk TO them, but never DOWN to them. Save the $5 words for the lawyers...remember the KISS pronciple on the stand.

ALSO...there is something I call the, "Your Mom" principle. If you can get your mom to understand (or some non-technical person provide your mom is either not around, or is in fact an IT engineer as well), then you should be good to go. Remeber, the goal is to convey the "story" of what happened...without spin...to the jury, not impress them with how smart you are.

Again, Kudos to Rob Lee and the SANS Institute for putting on yet another fantastic conferece. I said this last year, and I will say it again...if you only have the funding for one conference per year, THIS IS THE ONE to attend. There are more expert speakers, more potential to make great contacts, and more opportunity to learn at THIS conference, than any other confernce I have attended or spoken at! Great job ROB!!!

B-SIDESLV 2010

2010-06-21T17:29:00.002-05:00

Freaking Sweet! Sniper Foreniscs got picked up for the B-SIDES Security Conference in Las Vegas on July 28th and 29th...right before DEFCON! If you are going to be town for DEFCON, check it out!!!

Going to be at the 2810 Vegas Estate...Not too shabby!

Timeline Spikes

2010-06-21T08:59:00.004-05:00

I was playing with the output from The Sleuth Kit's FLS (great tool for making timelines) timelines this morning, and I was thinking about file system activity. Would a spike in activity mean something? Would a reduction in activity mean something? Could these deviances from "normal" activity be easily identified? If they were identified, could you determine the root cause more quickly?

Well...here are the commands to parse your timelines to show you exactly that...

To see file system activity represented numerically:

Strings timeline.csv | grep –i | grep –i | gawk “{print $3}” | sort | uniq –c

This command will show you the days of that month, sorted numerically, with a count of the number of hits on that day to the left. This will show both spikes and lulls as well as letting you get a feel for what “normal” file system activity looks like.

You can also see which files were created on a certain date:

Strings timeline.csv | grep –i , | grep –i | grep –i “...b,r”

This command will show you all of the files “birthed” on that month. You can also drill down to the day by adding a grep for the specific day...which is actually easier since the format in the timeline is a contiguous . Or you can pull out a specific directory by adding the path to the end of the command...like this:

Strings .csv | grep –i | grep –i | grep –i “...b,r” | grep –i system32

One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations, and download activity) is that it occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories. So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information becmore more clear by simply looking at the numerical count for activity on a specific date?

I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!

DEFCON 18 - Sniper Forensics

2010-06-03T06:28:00.002-05:00

Freaking Sweet! I just found out this morning that Sniper Forensics was picked up for DEFCON 18!

Case Notes

2010-05-28T11:13:00.004-05:00

OK...so, if you are not using Case Notes (CN) by QCC Information Security, I have to ask, "why not?"

If you answered, "What's Case Notes?", let me splain.

Case Notes is an awesome tool for taking notes during your investigations. Unlike simply using Notepad or Word Pad, Case Notes timestamps your entries, allows you to password protect your notes file, has customizable tabs, and keeps creates an audit log of your activity.

Once you download and install CN (either 32 or 64 bit version) you are prompted to set up your preferences...like this...

As you can see, I can set up to 10 fields of metadata such as my name, my agency, the case type etc...very handy. Then you can customize up to four (4) additional tabs for specific notes. The main space for notes is a tab called, "Case Notes" and cannot be changed. You will also have a tab labeled, "Audit Log" which also cannot be changed. So if you use all four like I did, you will have a total of six tabs.

I use my tabs to keep track of evidence items...systems, hostnames, IP addresses, etc, Dirty Words (keywords)...stuff I run across that I want to search for on my image(s), Questions that need to be answered and the subsequent answers, and my Investigation plan...what am I trying to accomplish, and why.

So, once you are all set up, your screen will look like this...

Now that we have covered the tool, let's cover the concept.

Harlan and I were talking this morning and we were wondering why so many investigators don't create an investigation plan. I mean, it seems like a no brainer doesn't it. What are you looking for? What have you been hired to do? What is the overall purpose of the investigation? That would be the first thing you should write down.

Next, you can break the investigation into smaller, more manageable chunks that feed into the overall investigation plan. This is where you would use the Alexiou principle...

1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does the data tell you?

Here is an example...

1. I want to know if the admin user account was used to launch malware.exe
2. I need the ntuser.dat file for the admin user
3. I am going to parse the MUICache and UserAssist Keys with Reg Ripper
4. The data from the UserAssist key indicates that malware.exe was launched by the admin user

This is pretty basic example, but it illustrates my point. You can ask yourself questions and answer them...inputting both into your case notes. Once you have your questions answered, you can update your investigation plan with HOW that information is relevant to the case.

For example, in this case what would the fact that malware.exe was launched locally by admin. Well, for one, I now know that the intruder had admin access. I also know that because the data appeared in the UserAssist key, that they had an interactive session with the shell. So what does that mean? Well, that means they had to login from somewhere, right? So now, I just generated some additional questions that need to be answered...so in my case notes, I would update my investigation plan and my To be answered sections.

1. How did the intruder gain admin access? I need to crack the passwords from the NTLM hashes and see what they are. I also need to parse the SAM hive to determine if the passwords were recently changed, and get the last login times for users in the admin group. If the passwords for admin users were changed recently, I need to get the passwords before the change. I can check to see if the system was taking restore points (or shadow volume copies) and extract the SAM and SYSTEM hives from the date immediately prior to the change. Then I can crack the NTLM hashes and get the passwords before the change occurred.

2. When did they gain access? I can tell this by looking at my timeline (which is one the FIRST things you need to create) and check the first appearance of malware.exe. That should give me a great place to start looking for remote access. I can then look for remote access attempts in the Security event logs. Does the customer have a VPN? Does it log? What about remote management tools? Which ones are in use (RDP, pcAnywhere, VNC, etc)? Are they open to the external internet? Do they log?

All of this from JUST answering a single question! Then as you progress through you case, if you take good notes you will make report writing MUCH MUCH easier! Also, since cases are getting more and more complex, and like me, you may be working more than one case at a time, good notes will keep you from trying to remember what you were doing three days ago and what you were thinking that made you do whatever it was that you were doing? Finally, should you get pulled off the case for any reason (or you just need help) good notes will help your fellow investigators know what you were doing, what you were thinking, and where you were headed.

So, back to my original question...if you are not using Case Notes...why? It's free. It's a great tool that has some really nice options. And taking good notes will help you keep your thoughts organized, and write your final report.

Lesson learned...TAKE GOOD NOTES!!!!!! I will give a dollar to anyone who can give me a good reason for not taking notes during a case. I am going to bet dollars to doughnuts that nobody is going to have any reason compelling enough for me to part with my GWs.

Happy hunting...and remember...TAKE GOOD NOTES!!!!

CyberJungle Interview

2010-05-26T14:16:00.002-05:00

Tomorrow morning, I am going to be interviewed by Ira Victor for the radio show, The Cyber Jungle. He is going to be asking me about Sniper Forensics...what it is, what it means to investigators, and how using it can help you!

Listen in if you get the chance!

SANS What Works 2010

2010-05-25T10:10:00.003-05:00

I will be delivering Sniper Forensics at the SANS What Works conference in DC on July 8th and 9th. Last year's conference was awesome, so I'm sure this year's will be even better. If you have some money budgeted for a conference this year, and can only pick one, this would be the one to attend!

Crack-a-Lacka

2010-05-24T14:10:00.006-05:00

OK…so you may have heard that’s it pretty easy to crack SAM hives using tools like Cain & Able or Ophcrack, but, you have never done it before, you don’t know where to start looking, and you feel like a dolt. No worries my friend, I am here to help.

First, download Cain from Oxid.it, and Ophcrack from Sourceforge. These files WILL be identified as malware by your AV software, so make sure you drop them into a good tools directory that is not being monitored. Creating an exception for specific files and folders is a function most (if not all) current AV releases can do, and should be done if you are working in the incident response/forensics industry since you will likely have a slew of tools that would make most AV engines freak out.

Once you have your tools downloaded, use FTK lite and extract your local SAM and SYSTEM hives. While Cain will dump your NTLM hashes from you local system, I want to show you how to do this as if you were working on an actual case. I think it goes without saying that you would NEVER install Cain or Ophcrack onto a customer system...but there...I just said it now didn't I?

OK…so as you can see below, I have FTK Lite fired up, I have navigated to C:\Windows\system32\config, and I have highlighted my SAM and SYSTEM hives.

Next, I simply right click, and select “Export Files”. I drop them into a specific folder on my desktop, and I am ready to roll…go ahead and close FTK Lite at this point.

Next open Cain, go to tools, and select “Syskey Decoder”…like this…

From here, you will get a popup that looks like this…click on the tripe dots and navigate to where you dropped the system hive you just copied with FTK Lite.

Once you click on the system hive, that little window under where it says, “Boot Key (HEX) will be populated with a long string of numbers and letters. Copy that to your clipboard as you will need it in the next step.

Now, select the “Cracker” tab, and click on the big blue plus sign that sits right beneath the “Tools” menu tab. Then navigate to the SAM hive you just copied using FTK Lite, and paste in the Syskey that you just copied to your clipboard…should look like this…

When you click “Next”, Cain will dump the NTLM hashes from the SAM hive. Your table will now be loaded with whatever user accounts are on that machine, along with the NTLM hashes.

Next, highlight whichever users you want to crack, right click, and select export. Save them to the same place you dropped your hives (for ease of use), and close Cain.

Now open Ophcrack. My .lc out put file, when I open it with Textpad, looks like this…

cepogue:"":"":E4C3436DDD1F625CEBB15F4C062DCC55:EC85B8E81AE28777453327655700B6AE

I am interested in this part only…

E4C3436DDD1F625CEBB15F4C062DCC55:EC85B8E81AE28777453327655700B6AE

THAT is the NTLM hash for the user account cepogue.

On Ophcrack, click “Load”, then “Sinlge Hash” and paste the NTLM hash you want to crack in the little window like so…

Click OK. Now simply highlight, and click “Crack”. In less than a minute, my password was cracked!

Blamo! Pretty slick huh (Yes…I changed my password for the purpose of this example)!

Now, notice that I have two little green dots at the bottom of my screen. Those indicate that I have The “XP Free Fast”, and “XP Free Small” tables loaded. These are free (as indicated by the name) and can be downloaded from the web. You can also purchase larger tabs, or create custom tabs for specific tables (like Rainbow tables, or tables you have created with a word permuter).

I pretty much do this on every case. It’s quick, and gives me a great insight into the security posture of my customer. If like the admin password is “password”, or the “sqldevadmin” password is “sqldevadmin”, I know I they were likely wide open at the time of the incident. If I can crack the passwords in under five minutes, so can the bad guys.

Also, don’t let the customer fool you and say, “oh…our passwords have ALWAYS been strong!”. Parse the SAM hive with Harlan’s RegRipper and look at the “PWD Reset Date” under that username. If it’s a recent date, A) Obviously they’ve changed it, and B) You can always go to the _system_volume_information and extract the previous SAM hive (provided the system is taking restore points or shadow volume copies. ) Then simply extract the previous SAM hive, and repeat the same steps outlined above. Once you get the previous password you can be all…dood…”You changed you password on THIS date (as evidenced by the SAM hive), and your previous password was THIS..as I was able to extract it from the previous SAM hive that I extracted from the restore point from the day before you changed the password…SUCKA!”

Happy Hunting!