I continue to hear this phrase mentioned by fellow forensicators in email lists and at conferences, so I thought I would, once again, help to dispel the myth.
THERE IS NO SUCH THING AS COURT APPROVED TOOLS.
Saying that one tool is court approved and another is not, is like saying you can take crime scene photos with a Nikon, but not a Kodak. It's just silly, and it's a myth perpetuated by those who seek to benefit from the existence of such a rumor.
Now, there ARE tools that have been used in court cases, which may be more familiar to attorneys and/or judges. This does NOT make them court approved, it simply means that they have been used before...nothing more. Pay careful attention to what I am writing here...simply using a tool...any tool...DOES NOT make your findings any more relevant, valid, or indisputable then if you had used any other tool to come to the same conclusions. The data is simply the data.
Your job as a forensic investigator is to produce forensically sound results. This too is a term that is often used incorrectly or as a buzz word. Forensically sound means that if given the same set of data, any other investigator, using any other tool, would come to the same conclusion.
Now really think about what this means. Let's say you have been asked to identify a date range for files in a specific directory. If given the same image, 10 different people, using 10 different tools, should come to the exact same results...EnCase, FTK, TSK, MFL, Perl scripts, Python, whatever...the conclusion should be the same because the means by which you would extract that data is the same.
The implications of a conclusion being forensically sound invalidate the entire premise of something being court approved. How can one tool that comes to the same conclusion as another tool be approved while the other is not? They DO the same THING. While the GUI may change, or the vendor - open source code versus proprietary - Linux versus Windows...it doesn't matter. The data is the data.
Friday, August 27, 2010
Thursday, August 5, 2010
Surgery!
In case you haven't noticed, I have not posted anything in awhile. That is due to the fact that last week during Black Hat, DEF CON, BSIDES week, my wife ended up in the Emergency Room, and surgery.
She is OK now, an at home recovering, but obviously my focus had to shift from forensics to my family. Once she is back on her feet and feeling better, I will be back to my usual forensic-y goodness.
I also want to give a HUGE thanks to all of you from BSIDES and SANS for sending me your thoughts and prayers. I also want to issue s public apology to the folks at The Next HOPE conference and DEF CON for having to miss my speaking engagements. You have my most sincere apologies, and hope you realize that my absence was a significant medical issue.
Thanks again!
She is OK now, an at home recovering, but obviously my focus had to shift from forensics to my family. Once she is back on her feet and feeling better, I will be back to my usual forensic-y goodness.
I also want to give a HUGE thanks to all of you from BSIDES and SANS for sending me your thoughts and prayers. I also want to issue s public apology to the folks at The Next HOPE conference and DEF CON for having to miss my speaking engagements. You have my most sincere apologies, and hope you realize that my absence was a significant medical issue.
Thanks again!
Sunday, July 11, 2010
SANS What Works 2010 - HUGE Success
This past week, I had the great privilege of attending and speaking at the SANS What Works in Incident Response Summit in Washington, DC.
The Conference once again had some of the best speakers in the world of incident response and forensics including, Major Carol Newell of the Broken Arrow, OK Police Department, Rob Lee, Harlan Carvey, Jesse Kornblum, Troy Larson, Kris Harms, and Robert Shullich.
This is the second year for the conference, and I think that without question, the conference continues to improve. In a field as dynamic and fluid as Incident Response and Computer Forensics, investigators really need to keep current with not only their skill sets, but with emerging technologies, theories, and methodologies. This only makes sense, since the "bad guys" we are all trying to catch, are undoubtedly doing the same thing! This is crux of the summit, and the true value add for the attendees...you get to hear and see what is ACTUALLY working from some of the best minds in the industry.
The major focus this year was on the new challenges we face with the arrival of Windows 7, which is very different than XP, and Vista. There are new registry entries, gobs of new event logs, and a new file system layout. All in all, it going to mean countless hours of research by investigators to be efficient and effective at performing comprehensive forensic investigations.
The other big takeaway from the conference is the involvement with corporate investigators with law enforcement agencies...something I am a HUGE advocate of! Look for a LOT MORE of this to come, but the gist is this...LE agencies do not use police for forensic pathology, or for forensic dentistry, or forensic arson investigations. Why would they? For this, they would use doctors, dentists, and fireman. Why? Because they are subject matter experts in those fields. Why then, when it comes to computer forensic (arguably one of the most difficult of the forensic sciences - based on the vast array of digital media current in use by the "average" person) do LEs want to keep these types of investigations in house? Why not treat cases involving digital media, the same way they would any other case involving a forensic scientist, and seek the assistance of subject matter experts? This is the direction we want to start moving.
If you are an investigator, and want to start helping in LE cases, here are a few tips from Major Newell:
1. Certifications...get them! They look great on the stand, and will help you with the vetting process by the PD and as an expert witness.
2. Be presentable. You don't have to be a cover model by any stretch...but you ARE going to be representing the PD or the DA's office. Dress accordingly!
3. Letters of recommendation. Get these from any law enforcement agency, public official, military officer, or business executive you can. ALSO...get them from fellow investigators...IE...if Rob Lee, Harlan Carvey, and say...Jesse Kornblum say...hey...this guy is legit, then chances are that is going to carry a lot of weight with any respective PD.
4. Be an effective communicator. We deal with some of the most technical information in the IT world...and when on the stand, we may have to explain some of that highly technical information to a jury of our "peers"...which according to most PDs, is about as educated as the average 7th grader. So, know your audience...talk TO them, but never DOWN to them. Save the $5 words for the lawyers...remember the KISS pronciple on the stand.
ALSO...there is something I call the, "Your Mom" principle. If you can get your mom to understand (or some non-technical person provide your mom is either not around, or is in fact an IT engineer as well), then you should be good to go. Remeber, the goal is to convey the "story" of what happened...without spin...to the jury, not impress them with how smart you are.
Again, Kudos to Rob Lee and the SANS Institute for putting on yet another fantastic conferece. I said this last year, and I will say it again...if you only have the funding for one conference per year, THIS IS THE ONE to attend. There are more expert speakers, more potential to make great contacts, and more opportunity to learn at THIS conference, than any other confernce I have attended or spoken at! Great job ROB!!!
The Conference once again had some of the best speakers in the world of incident response and forensics including, Major Carol Newell of the Broken Arrow, OK Police Department, Rob Lee, Harlan Carvey, Jesse Kornblum, Troy Larson, Kris Harms, and Robert Shullich.
This is the second year for the conference, and I think that without question, the conference continues to improve. In a field as dynamic and fluid as Incident Response and Computer Forensics, investigators really need to keep current with not only their skill sets, but with emerging technologies, theories, and methodologies. This only makes sense, since the "bad guys" we are all trying to catch, are undoubtedly doing the same thing! This is crux of the summit, and the true value add for the attendees...you get to hear and see what is ACTUALLY working from some of the best minds in the industry.
The major focus this year was on the new challenges we face with the arrival of Windows 7, which is very different than XP, and Vista. There are new registry entries, gobs of new event logs, and a new file system layout. All in all, it going to mean countless hours of research by investigators to be efficient and effective at performing comprehensive forensic investigations.
The other big takeaway from the conference is the involvement with corporate investigators with law enforcement agencies...something I am a HUGE advocate of! Look for a LOT MORE of this to come, but the gist is this...LE agencies do not use police for forensic pathology, or for forensic dentistry, or forensic arson investigations. Why would they? For this, they would use doctors, dentists, and fireman. Why? Because they are subject matter experts in those fields. Why then, when it comes to computer forensic (arguably one of the most difficult of the forensic sciences - based on the vast array of digital media current in use by the "average" person) do LEs want to keep these types of investigations in house? Why not treat cases involving digital media, the same way they would any other case involving a forensic scientist, and seek the assistance of subject matter experts? This is the direction we want to start moving.
If you are an investigator, and want to start helping in LE cases, here are a few tips from Major Newell:
1. Certifications...get them! They look great on the stand, and will help you with the vetting process by the PD and as an expert witness.
2. Be presentable. You don't have to be a cover model by any stretch...but you ARE going to be representing the PD or the DA's office. Dress accordingly!
3. Letters of recommendation. Get these from any law enforcement agency, public official, military officer, or business executive you can. ALSO...get them from fellow investigators...IE...if Rob Lee, Harlan Carvey, and say...Jesse Kornblum say...hey...this guy is legit, then chances are that is going to carry a lot of weight with any respective PD.
4. Be an effective communicator. We deal with some of the most technical information in the IT world...and when on the stand, we may have to explain some of that highly technical information to a jury of our "peers"...which according to most PDs, is about as educated as the average 7th grader. So, know your audience...talk TO them, but never DOWN to them. Save the $5 words for the lawyers...remember the KISS pronciple on the stand.
ALSO...there is something I call the, "Your Mom" principle. If you can get your mom to understand (or some non-technical person provide your mom is either not around, or is in fact an IT engineer as well), then you should be good to go. Remeber, the goal is to convey the "story" of what happened...without spin...to the jury, not impress them with how smart you are.
Again, Kudos to Rob Lee and the SANS Institute for putting on yet another fantastic conferece. I said this last year, and I will say it again...if you only have the funding for one conference per year, THIS IS THE ONE to attend. There are more expert speakers, more potential to make great contacts, and more opportunity to learn at THIS conference, than any other confernce I have attended or spoken at! Great job ROB!!!
Monday, June 21, 2010
B-SIDESLV 2010
Freaking Sweet! Sniper Foreniscs got picked up for the B-SIDES Security Conference in Las Vegas on July 28th and 29th...right before DEFCON! If you are going to be town for DEFCON, check it out!!!
Going to be at the 2810 Vegas Estate...Not too shabby!
Going to be at the 2810 Vegas Estate...Not too shabby!
Timeline Spikes
I was playing with the output from The Sleuth Kit's FLS (great tool for making timelines) timelines this morning, and I was thinking about file system activity. Would a spike in activity mean something? Would a reduction in activity mean something? Could these deviances from "normal" activity be easily identified? If they were identified, could you determine the root cause more quickly?
Well...here are the commands to parse your timelines to show you exactly that...
To see file system activity represented numerically:
Strings timeline.csv | grep –i | grep –i | gawk “{print $3}” | sort | uniq –c
This command will show you the days of that month, sorted numerically, with a count of the number of hits on that day to the left. This will show both spikes and lulls as well as letting you get a feel for what “normal” file system activity looks like.
You can also see which files were created on a certain date:
Strings timeline.csv | grep –i , | grep –i | grep –i “...b,r”
This command will show you all of the files “birthed” on that month. You can also drill down to the day by adding a grep for the specific day...which is actually easier since the format in the timeline is a contiguous. Or you can pull out a specific directory by adding the path to the end of the command...like this:
Strings.csv | grep –i | grep –i | grep –i “...b,r” | grep –i system32
One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations, and download activity) is that it occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories. So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information becmore more clear by simply looking at the numerical count for activity on a specific date?
I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!
Well...here are the commands to parse your timelines to show you exactly that...
To see file system activity represented numerically:
Strings timeline
This command will show you the days of that month, sorted numerically, with a count of the number of hits on that day to the left. This will show both spikes and lulls as well as letting you get a feel for what “normal” file system activity looks like.
You can also see which files were created on a certain date:
Strings timeline
This command will show you all of the files “birthed” on that month. You can also drill down to the day by adding a grep for the specific day...which is actually easier since the format in the timeline is a contiguous
Strings
One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations, and download activity) is that it occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories. So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information becmore more clear by simply looking at the numerical count for activity on a specific date?
I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!
Thursday, June 3, 2010
DEFCON 18 - Sniper Forensics
Freaking Sweet! I just found out this morning that Sniper Forensics was picked up for DEFCON 18!
Friday, May 28, 2010
Case Notes
OK...so, if you are not using Case Notes (CN) by QCC Information Security, I have to ask, "why not?"
If you answered, "What's Case Notes?", let me splain.
Case Notes is an awesome tool for taking notes during your investigations. Unlike simply using Notepad or Word Pad, Case Notes timestamps your entries, allows you to password protect your notes file, has customizable tabs, and keeps creates an audit log of your activity.
Once you download and install CN (either 32 or 64 bit version) you are prompted to set up your preferences...like this...
As you can see, I can set up to 10 fields of metadata such as my name, my agency, the case type etc...very handy. Then you can customize up to four (4) additional tabs for specific notes. The main space for notes is a tab called, "Case Notes" and cannot be changed. You will also have a tab labeled, "Audit Log" which also cannot be changed. So if you use all four like I did, you will have a total of six tabs.
I use my tabs to keep track of evidence items...systems, hostnames, IP addresses, etc, Dirty Words (keywords)...stuff I run across that I want to search for on my image(s), Questions that need to be answered and the subsequent answers, and my Investigation plan...what am I trying to accomplish, and why.
So, once you are all set up, your screen will look like this...
Now that we have covered the tool, let's cover the concept.
Harlan and I were talking this morning and we were wondering why so many investigators don't create an investigation plan. I mean, it seems like a no brainer doesn't it. What are you looking for? What have you been hired to do? What is the overall purpose of the investigation? That would be the first thing you should write down.
Next, you can break the investigation into smaller, more manageable chunks that feed into the overall investigation plan. This is where you would use the Alexiou principle...
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does the data tell you?
Here is an example...
1. I want to know if the admin user account was used to launch malware.exe
2. I need the ntuser.dat file for the admin user
3. I am going to parse the MUICache and UserAssist Keys with Reg Ripper
4. The data from the UserAssist key indicates that malware.exe was launched by the admin user
This is pretty basic example, but it illustrates my point. You can ask yourself questions and answer them...inputting both into your case notes. Once you have your questions answered, you can update your investigation plan with HOW that information is relevant to the case.
For example, in this case what would the fact that malware.exe was launched locally by admin. Well, for one, I now know that the intruder had admin access. I also know that because the data appeared in the UserAssist key, that they had an interactive session with the shell. So what does that mean? Well, that means they had to login from somewhere, right? So now, I just generated some additional questions that need to be answered...so in my case notes, I would update my investigation plan and my To be answered sections.
1. How did the intruder gain admin access? I need to crack the passwords from the NTLM hashes and see what they are. I also need to parse the SAM hive to determine if the passwords were recently changed, and get the last login times for users in the admin group. If the passwords for admin users were changed recently, I need to get the passwords before the change. I can check to see if the system was taking restore points (or shadow volume copies) and extract the SAM and SYSTEM hives from the date immediately prior to the change. Then I can crack the NTLM hashes and get the passwords before the change occurred.
2. When did they gain access? I can tell this by looking at my timeline (which is one the FIRST things you need to create) and check the first appearance of malware.exe. That should give me a great place to start looking for remote access. I can then look for remote access attempts in the Security event logs. Does the customer have a VPN? Does it log? What about remote management tools? Which ones are in use (RDP, pcAnywhere, VNC, etc)? Are they open to the external internet? Do they log?
All of this from JUST answering a single question! Then as you progress through you case, if you take good notes you will make report writing MUCH MUCH easier! Also, since cases are getting more and more complex, and like me, you may be working more than one case at a time, good notes will keep you from trying to remember what you were doing three days ago and what you were thinking that made you do whatever it was that you were doing? Finally, should you get pulled off the case for any reason (or you just need help) good notes will help your fellow investigators know what you were doing, what you were thinking, and where you were headed.
So, back to my original question...if you are not using Case Notes...why? It's free. It's a great tool that has some really nice options. And taking good notes will help you keep your thoughts organized, and write your final report.
Lesson learned...TAKE GOOD NOTES!!!!!! I will give a dollar to anyone who can give me a good reason for not taking notes during a case. I am going to bet dollars to doughnuts that nobody is going to have any reason compelling enough for me to part with my GWs.
Happy hunting...and remember...TAKE GOOD NOTES!!!!
If you answered, "What's Case Notes?", let me splain.
Case Notes is an awesome tool for taking notes during your investigations. Unlike simply using Notepad or Word Pad, Case Notes timestamps your entries, allows you to password protect your notes file, has customizable tabs, and keeps creates an audit log of your activity.
Once you download and install CN (either 32 or 64 bit version) you are prompted to set up your preferences...like this...
As you can see, I can set up to 10 fields of metadata such as my name, my agency, the case type etc...very handy. Then you can customize up to four (4) additional tabs for specific notes. The main space for notes is a tab called, "Case Notes" and cannot be changed. You will also have a tab labeled, "Audit Log" which also cannot be changed. So if you use all four like I did, you will have a total of six tabs.
I use my tabs to keep track of evidence items...systems, hostnames, IP addresses, etc, Dirty Words (keywords)...stuff I run across that I want to search for on my image(s), Questions that need to be answered and the subsequent answers, and my Investigation plan...what am I trying to accomplish, and why.
So, once you are all set up, your screen will look like this...
Now that we have covered the tool, let's cover the concept.
Harlan and I were talking this morning and we were wondering why so many investigators don't create an investigation plan. I mean, it seems like a no brainer doesn't it. What are you looking for? What have you been hired to do? What is the overall purpose of the investigation? That would be the first thing you should write down.
Next, you can break the investigation into smaller, more manageable chunks that feed into the overall investigation plan. This is where you would use the Alexiou principle...
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does the data tell you?
Here is an example...
1. I want to know if the admin user account was used to launch malware.exe
2. I need the ntuser.dat file for the admin user
3. I am going to parse the MUICache and UserAssist Keys with Reg Ripper
4. The data from the UserAssist key indicates that malware.exe was launched by the admin user
This is pretty basic example, but it illustrates my point. You can ask yourself questions and answer them...inputting both into your case notes. Once you have your questions answered, you can update your investigation plan with HOW that information is relevant to the case.
For example, in this case what would the fact that malware.exe was launched locally by admin. Well, for one, I now know that the intruder had admin access. I also know that because the data appeared in the UserAssist key, that they had an interactive session with the shell. So what does that mean? Well, that means they had to login from somewhere, right? So now, I just generated some additional questions that need to be answered...so in my case notes, I would update my investigation plan and my To be answered sections.
1. How did the intruder gain admin access? I need to crack the passwords from the NTLM hashes and see what they are. I also need to parse the SAM hive to determine if the passwords were recently changed, and get the last login times for users in the admin group. If the passwords for admin users were changed recently, I need to get the passwords before the change. I can check to see if the system was taking restore points (or shadow volume copies) and extract the SAM and SYSTEM hives from the date immediately prior to the change. Then I can crack the NTLM hashes and get the passwords before the change occurred.
2. When did they gain access? I can tell this by looking at my timeline (which is one the FIRST things you need to create) and check the first appearance of malware.exe. That should give me a great place to start looking for remote access. I can then look for remote access attempts in the Security event logs. Does the customer have a VPN? Does it log? What about remote management tools? Which ones are in use (RDP, pcAnywhere, VNC, etc)? Are they open to the external internet? Do they log?
All of this from JUST answering a single question! Then as you progress through you case, if you take good notes you will make report writing MUCH MUCH easier! Also, since cases are getting more and more complex, and like me, you may be working more than one case at a time, good notes will keep you from trying to remember what you were doing three days ago and what you were thinking that made you do whatever it was that you were doing? Finally, should you get pulled off the case for any reason (or you just need help) good notes will help your fellow investigators know what you were doing, what you were thinking, and where you were headed.
So, back to my original question...if you are not using Case Notes...why? It's free. It's a great tool that has some really nice options. And taking good notes will help you keep your thoughts organized, and write your final report.
Lesson learned...TAKE GOOD NOTES!!!!!! I will give a dollar to anyone who can give me a good reason for not taking notes during a case. I am going to bet dollars to doughnuts that nobody is going to have any reason compelling enough for me to part with my GWs.
Happy hunting...and remember...TAKE GOOD NOTES!!!!
Subscribe to:
Posts (Atom)