<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3509971484596275244</id><updated>2011-12-22T02:20:29.535-08:00</updated><category term='$MFT'/><category term='edd'/><category term='MFTRipper'/><category term='jobs'/><category term='snapshots'/><category term='command and control'/><category term='EE'/><category term='NFTS'/><category term='malware'/><category term='EnCase Enterprise'/><category term='encase'/><category term='Prefetch'/><category term='training'/><category term='Analysis'/><category term='enscript'/><category term='forensic'/><title type='text'>EDD and Forensics</title><subtitle type='html'>Forensicating Notes</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-9179497660547671303</id><published>2011-02-14T14:17:00.001-08:00</published><updated>2011-02-14T14:24:20.125-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='forensic'/><title type='text'>Good Forensics, RE, Pen Testing, Network RE Training at Hole in the Wall Prices</title><content type='html'>If your budget for training is tight this year you might want to check out a training event I will be helping out with this year called Tracer FIRE III. The link for the site is below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://csr.lanl.gov/tf/"&gt; http://csr.lanl.gov/tf/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I will be co-teaching the forensics class and the other instructors are experts in their area as well. 
The class I will be teaching is focused on live intrusion forensics so you can leave your write blockers at home.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-9179497660547671303?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/9179497660547671303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=9179497660547671303' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/9179497660547671303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/9179497660547671303'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2011/02/good-forensics-re-pen-testing-network.html' title='Good Forensics, RE, Pen Testing, Network RE Training at Hole in the Wall Prices'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-1367315366711836313</id><published>2010-10-18T18:45:00.000-07:00</published><updated>2010-10-18T18:56:14.070-07:00</updated><title type='text'>Forensic Crash Dump Analysis</title><content type='html'>I attended and spoke at Mandiant's MIRCon last week. It was a really good conference, not even counting that it was free. 
I have uploaded my slides from my talk and they can be downloaded here:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://sites.google.com/site/tietjenk/ForensicCrashDumpAnalysis.pdf"&gt;Forensic Crash Dump Analysis&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I probably skipped over a lot of the details and did not leave people enough time to write down all the good registry and windbg tidbits. I am looking forward to the conference next year. I am working on getting the MIR scripts and shell scripts released; they will be posted on this blog when they are.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-1367315366711836313?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/1367315366711836313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=1367315366711836313' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1367315366711836313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1367315366711836313'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2010/10/forensic-crash-dump-analysis.html' title='Forensic Crash Dump Analysis'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-2715041644188791063</id><published>2010-08-16T08:09:00.000-07:00</published><updated>2010-08-16T08:38:02.255-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='command and control'/><category scheme='http://www.blogger.com/atom/ns#' term='jobs'/><title type='text'>Good Malware Blogs and Job Posting</title><content type='html'>I just got done with my morning blog roll reading and wanted to link to a couple of good entries. The first was by Zynamics talking about creating better malware signatures:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.zynamics.com/2010/08/13/privatesigs/"&gt;http://blog.zynamics.com/2010/08/13/privatesigs/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It specifically talks about creating signatures with their product VxClass. If you have not had a chance to use or see this product I suggest you do. The second blog entry worth re-posting was one from Nick Harbour at Mandiant. His post talks about finding command and control functions in malware, specifically focusing on the COM point of view; here is a link to the post:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.mandiant.com/archives/1396"&gt;http://blog.mandiant.com/archives/1396&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Finally I would like to advertise a couple of positions that are open at my current work place. My team is looking for forensicators, incident responders, red teamers and malware analysts. 
If you are interested in the job apply at the link below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hr.lanl.gov/JobListing/SingleJobAd.aspx?JobNumber=217724"&gt;http://www.hr.lanl.gov/JobListing/SingleJobAd.aspx?JobNumber=217724&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-2715041644188791063?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/2715041644188791063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=2715041644188791063' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/2715041644188791063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/2715041644188791063'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2010/08/good-malware-blogs-and-job-posting.html' title='Good Malware Blogs and Job Posting'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-8547562513168332132</id><published>2010-08-10T21:54:00.000-07:00</published><updated>2010-08-12T13:38:55.649-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enscript'/><category scheme='http://www.blogger.com/atom/ns#' term='NFTS'/><category scheme='http://www.blogger.com/atom/ns#' term='$MFT'/><category scheme='http://www.blogger.com/atom/ns#' term='MFTRipper'/><title type='text'>$MFT Parsing EnScript</title><content type='html'>&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ilrBSvfiJ4g/TGDPg715bII/AAAAAAAAAn0/iKjJma51nqU/s1600/MFT.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 214px; height: 86px;" src="http://3.bp.blogspot.com/_ilrBSvfiJ4g/TGDPg715bII/AAAAAAAAAn0/iKjJma51nqU/s320/MFT.png" alt="" id="BLOGGER_PHOTO_ID_5503626909373262978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There is a considerable amount of forensic goodness in the $MFT on NTFS partitioned disks. What is a $MFT? Well, the $MFT is the master file table on NTFS partitions, a kind of database that keeps track of all the files on the partition, including each file's location and metadata about the file. I am not going to delve into the depths of the NTFS format because it has already been explained in numerous books like File System Forensics by Brian Carrier. What I am going to do is quickly summarize the "goodness" available in the $MFT and how you can extract this data with an EnScript I have authored.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;The $MFT&lt;/span&gt; contains an entry for every file and directory on a partition, including itself. Important metadata within a $MFT record are the name of the file, the inode number, the standard information attribute, the file name attributes and the data attribute. The size of a $MFT record is 1024 bytes. Below is an example of a $MFT record:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ilrBSvfiJ4g/TGDQxzMGYJI/AAAAAAAAAn8/BgQQE1ygqZ0/s1600/Header.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 182px; height: 320px;" src="http://4.bp.blogspot.com/_ilrBSvfiJ4g/TGDQxzMGYJI/AAAAAAAAAn8/BgQQE1ygqZ0/s320/Header.png" alt="" id="BLOGGER_PHOTO_ID_5503628298619871378" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The header of a $MFT record is "FILE0". 
A $MFT record entry can contain the contents of a file if the size of the file fits into the space allotted for the data attribute. Below is a $MFT record broken down into what I think are its important parts.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ilrBSvfiJ4g/TGDTGI1RgaI/AAAAAAAAAoU/6ATU021T_4U/s1600/brokendown.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 502px; height: 171px;" src="http://4.bp.blogspot.com/_ilrBSvfiJ4g/TGDTGI1RgaI/AAAAAAAAAoU/6ATU021T_4U/s400/brokendown.jpg" alt="" id="BLOGGER_PHOTO_ID_5503630847050351010" border="0" /&gt;&lt;/a&gt;The standard information attribute (SIA) contains the file times most people are used to seeing on the file system, such as created, last written, last accessed and last modified. These times can also be easily changed by an attacker, the "&lt;span style="font-style: italic;"&gt;worst&lt;/span&gt;" forensic problem ever, until now, because now you will know about the file information attribute (FIA). The FIA stores dates associated with the file's name and parent directory. These dates cannot be altered using Windows API calls the way the SIA dates can. The metadata kept in the file information attribute consists of the file name creation date, file name modified date, file name last written and file name last accessed. Comparing the SIA to the FIA can detect the &lt;span style="font-style: italic;"&gt;dreaded&lt;/span&gt; timestomping, but be aware of how often this happens on systems that were not compromised or purposely altered, so stick to time windows when doing this type of analysis. 
To find all these times you are going to have to parse them by hand... wait, no you don't, there's a script for that below:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://sites.google.com/site/tietjenk/MFTParser.EnScript"&gt;MFTParser.EnScript&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The EnScript I created, inspired by Keith Gould, will parse the important information mentioned above for you and provide you with a tab separated text file you can open up in Excel or parse with your favorite awk command. Don't worry, I am not forgetting about the $MFT slack section mentioned above in the important parts; I will go over it in the next post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-8547562513168332132?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/8547562513168332132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=8547562513168332132' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8547562513168332132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8547562513168332132'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2010/08/mft-parsing-enscript.html' title='$MFT Parsing EnScript'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ilrBSvfiJ4g/TGDPg715bII/AAAAAAAAAn0/iKjJma51nqU/s72-c/MFT.png' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-3284199761351196958</id><published>2010-06-30T06:32:00.000-07:00</published><updated>2010-06-30T06:56:40.534-07:00</updated><title type='text'>Page Files</title><content type='html'>I have not posted in a long time... it seems to be a bit of a pattern, but I should be posting more in the next couple of months with some new EnScripts. Before those posts, though, I wanted to point people to a great blog post on why acquiring page files at the same time as memory is a more complex problem than you would think.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.mandiant.com/archives/1102"&gt;http://blog.mandiant.com/archives/1102&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Enjoy&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-3284199761351196958?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/3284199761351196958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=3284199761351196958' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/3284199761351196958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/3284199761351196958'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2010/06/page-files.html' title='Page Files'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-1213337638023564032</id><published>2009-07-19T18:37:00.000-07:00</published><updated>2009-07-19T19:22:27.275-07:00</updated><title type='text'>HP MediaSmart and Apple Support</title><content type='html'>This post is off topic but I thought it would be interesting to a large audience. I have had an HP MediaSmart 470 home server for about a year. I have enjoyed it as a file server for my home network and have been able to stream music and video to my PS3 seamlessly from it. It also serves as a nice print sharing server as well. I have been able to easily upgrade the RAM on the system from 512MB to 2GB and easily add a few TB to its storage capacity. I have not used the other features of it such as photo sharing or page hosting. One feature I had not used at all was the system backup feature. Most of my home systems are Apples so I never had the need for a Windows backup feature. About six months after I bought my HP MediaSmart, HP announced that their new MediaSmarts would support Apple Time Machine backups. I was excited but disappointed with this new feature because I had just bought mine and wondered if I should go get a new one just to have the Time Machine backup feature. I could not justify this purchase, so I searched the forums and the web for backward-compatibility support for my MediaSmart for about three months, to no avail. About a week ago I stumbled across the MediaSmart support page and noticed a link to the download of the MediaSmart client support for OS X. 
The software for the client can be downloaded below, followed by the installation instruction link.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=dv-70577-1&amp;lc=en&amp;dlc=en&amp;cc=us&amp;product=3548164&amp;os=1005&amp;lang=en"&gt;OS X Client&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01752039&amp;lc=en&amp;dlc=en&amp;cc=us&amp;product=3548164&amp;lang=en#"&gt;Installation Instructions&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Installing this client is pretty straightforward. By default, with the older HP MediaSmart server, the Time Machine backup feature won't work. It will complain about not having a "MAC" folder on the server. This is easily fixed by creating a "MAC" folder in the root share folder of the MediaSmart server. The folder layout should look like the figure below:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ilrBSvfiJ4g/SmPP1NME38I/AAAAAAAAAlk/E3jxoVLCAsQ/s1600-h/macmediasmart.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 162px;" src="http://2.bp.blogspot.com/_ilrBSvfiJ4g/SmPP1NME38I/AAAAAAAAAlk/E3jxoVLCAsQ/s320/macmediasmart.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5360356494481350594" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Once this folder is created you can open up the Time Machine preferences on your Mac and back up to the HP MediaSmart Server. I have two Mac systems backing up to the MediaSmart and it has worked well so far. 
I would recommend the HP MediaSmart to anyone looking for a fileshare, printshare, or backup solution for their home network.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-1213337638023564032?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/1213337638023564032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=1213337638023564032' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1213337638023564032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1213337638023564032'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2009/07/hp-mediasmart-and-apple-support.html' title='HP MediaSmart and Apple Support'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ilrBSvfiJ4g/SmPP1NME38I/AAAAAAAAAlk/E3jxoVLCAsQ/s72-c/macmediasmart.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-4057244123102650961</id><published>2009-01-23T05:40:00.000-08:00</published><updated>2009-02-03T15:01:03.153-08:00</updated><title type='text'>Cool Tools and DoD Cybercrime Conference</title><content type='html'>For the past two weeks I have been doing web application assessments.  During this process I have had to try different tools to get the job done. 
During the trial and error process I came across some really cool tools; they are probably not new, but they are new to me. The first is Charles proxy. This proxy is great for doing binary web application assessments, allowing you to easily view the binary data being passed. A screen shot of Charles in action is below in Figure 1. &lt;br /&gt;&lt;br /&gt;You can get the Charles proxy &lt;a href="http://www.charlesproxy.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Since I was looking at Flash applications I needed to analyze the SWF file. While searching for a decent decompiler I found FileInsight by Secure Computing. Get FileInsight &lt;a href="http://www.webwasher.de/download/fileinsight/"&gt;here&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;This tool is great. It is a hex editor with collaborative reverse engineering in mind. Besides being a hex editor it allows you to do a number of actions I found to be useful:&lt;br /&gt;&lt;br /&gt;-Breaks out the PE header.&lt;br /&gt;-Understands OLE2 structures.&lt;br /&gt;-Ability to decode using multiple.&lt;br /&gt;-Bookmark capability.&lt;br /&gt;-Plug-ins for strings and an anomaly chart.&lt;br /&gt;&lt;br /&gt;This will be replacing my other free and paid-for hex editors; it is great because it is free. It also appears to have a scripting capability that should come in handy.&lt;br /&gt;&lt;br /&gt;On another note, I spoke at the Defense Cyber Crime Conference last week. I addressed forensic issues on the Advanced Persistent Threat (APT). The talk is titled "Complex APT Forensics: Answering the Difficult Questions". 
You can get the slides and the custom Template and EnScripts from the following link:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/APTM-unitionPack.zip"&gt;APT M-unition Pack&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-4057244123102650961?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/4057244123102650961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=4057244123102650961' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4057244123102650961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4057244123102650961'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2009/01/cool-tools-and-dod-cybercrime.html' title='Cool Tools and DoD Cybercrime Conference'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-4847228801887480402</id><published>2009-01-03T16:01:00.000-08:00</published><updated>2009-01-08T17:19:21.728-08:00</updated><title type='text'>Extract OLE Objects with OLExtract</title><content type='html'>Recently I was challenged to see if I could extract files from Microsoft Office documents without a file header or footer. The files being put into the Microsoft documents were text files, configuration files and source code files. 
I do not know why these files were being put into Office documents, except maybe to hide the files. The files were not obfuscated in the documents and could be extracted manually. Extracting these files manually works for a small set of these documents, but for a large set manual extraction was not feasible. These documents were located on EnCase images, which made extracting them with an EnScript easier for me. The files in the Office documents were kept as OLE objects. To view OLE objects in an Office document within EnCase you can right-click on the document and select "View File Structure". This action is shown in Figure 1 below.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ilrBSvfiJ4g/SWak_FAA6hI/AAAAAAAAAkE/j9KDxMPsgpQ/s1600-h/fig1.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 210px;" src="http://1.bp.blogspot.com/_ilrBSvfiJ4g/SWak_FAA6hI/AAAAAAAAAkE/j9KDxMPsgpQ/s320/fig1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5289096215974177298" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 1 - Viewing Office Document "File Structure".&lt;br /&gt;&lt;br /&gt;This also becomes a manual process, viewing each document and then seeing what OLE objects are located in the document. EnCase recently came out with a way to automate the "View File Structure" process. The automated process is done with the File Mounter EnScript. This EnScript allows you to view the embedded file structure of many files such as Thumbs.db, zip archives, and Office documents (YES). 
Executing the process to automatically mount these types of files looks like Figure 2 below.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ilrBSvfiJ4g/SWalN7KeGII/AAAAAAAAAkM/zNP9RapArRw/s1600-h/fig2.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 293px; height: 320px;" src="http://2.bp.blogspot.com/_ilrBSvfiJ4g/SWalN7KeGII/AAAAAAAAAkM/zNP9RapArRw/s320/fig2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5289096471031715970" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 2 - Mounting Office Documents with File Mounter EnScript.&lt;br /&gt;&lt;br /&gt;Once all the Office documents have been mounted you can extract all the OLE objects that are non-picture files with my OLExtract EnScript. Get it below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/OLExtract.EnScript"&gt;OLExtract&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This EnScript looks for all the OLENative entries in the mounted documents and then extracts them to your EnCase default export folder. The EnScript separates each extracted file according to the document it was extracted from, and files with the same name are given an incremented suffix. The results of the execution of OLExtract will look similar to Figure 3 below.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ilrBSvfiJ4g/SWalfyZwhlI/AAAAAAAAAkU/98mzEdPLfls/s1600-h/OLE3.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_ilrBSvfiJ4g/SWalfyZwhlI/AAAAAAAAAkU/98mzEdPLfls/s320/OLE3.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5289096777917564498" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 3 - Results of OLExtract&lt;br /&gt;&lt;br /&gt;OLExtract will ignore JPEGs stored as OLE objects because they are stored differently than other types of files stored in the document. 
You can extract jpegs easily from Office documents using file carving.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-4847228801887480402?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/4847228801887480402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=4847228801887480402' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4847228801887480402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4847228801887480402'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2009/01/extract-ole-objects-with-olextract.html' title='Extract OLE Objects with OLExtract'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ilrBSvfiJ4g/SWak_FAA6hI/AAAAAAAAAkE/j9KDxMPsgpQ/s72-c/fig1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-7952671033963863210</id><published>2008-12-20T15:00:00.000-08:00</published><updated>2008-12-20T15:30:36.415-08:00</updated><title type='text'>MemScript</title><content type='html'>Just wanted to cross post about a blog I recently posted on MANDIANT's blog site.  I will not go into the details and let you read it but the topic is about MemScript. MemScript is an EnScript that integrates EnCase, Memoryze and Audit Viewer.  
Check out the post here.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.mandiant.com/archives/80"&gt;MemScript Blog at M-unition&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It has been almost a year since my last post, but I hope to keep it more up to date if my work schedule allows for it. While out and about I noticed some bugs in my current EnScripts, which I have fixed. The first deals with the Prefetch Analysis EnScript. If the file executed did not have an extension of .exe, the bookmark showing the location of the executable would be mangled. This bug is now fixed. You can get the updated version below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/PrefetchFolderAnalysis.EnScript"&gt;Prefetch Folder Analysis&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I am hoping to clean up some of the EnScripts I made for actual work use and get them out during the holidays. For convenience's sake I have also attached the MemScript to this post; get it below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/MemScript.EnScript"&gt;MemScript&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3509971484596275244-7952671033963863210?l=eddandforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/7952671033963863210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=7952671033963863210' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/7952671033963863210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/7952671033963863210'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/12/memscript.html' 
title='MemScript'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-8274742702414070994</id><published>2008-04-18T12:15:00.000-07:00</published><updated>2008-04-18T12:28:15.613-07:00</updated><title type='text'>Windows Memory Analysis</title><content type='html'>Recently I got the chance to use EnCase Enterprise's ability to acquire physical memory over the network. This is a great feature, and it is nice to see that Guidance is starting to catch up with other products that already offered this feature, namely Mandiant's Intelligent Response and Technology Pathways' ProDiscover. I had made an EnScript last summer to parse these memory dumps for current and exited processes from XP machines, and I have finally got the OK to release it to the public. This EnScript will take a physical memory dump, whether it was made with either of the aforementioned products or with good old dd, and make bookmarks of the process data. The bookmarks will list the process id, parent process id, process start time, and process end time. If the process has exited it will display an (X) by the bookmark folder name. I based the XP version on the DFRWS memory image, and I created a Win2K EnScript before the XP one, so it is listed here too just in case there are still 2K users out there. The XP EnScript has the option to export the results to an Excel file. 
I will be trying to add more capability to this EnScript in the future, so stay tuned and give me feedback on what you would like to see added to it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/WinXPRamAnalysisv0.1.1.EnScript"&gt;Windows Memory Analysis (XP)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/Win2kRAMAnalysis.EnScript"&gt;Windows Memory Analysis (2K)&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/8274742702414070994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=8274742702414070994' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8274742702414070994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8274742702414070994'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/04/windows-memory-analysis.html' title='Windows Memory Analysis'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-8172879952633848391</id><published>2008-04-09T18:55:00.000-07:00</published><updated>2008-04-09T19:12:43.085-07:00</updated><title type='text'>Luhn Algorithm EnScript</title><content type='html'>After seeing a long list of posts in the forums on the credit card finder module, I wanted to post an EnScript I made up for some recent cases with 
an overwhelming number of credit card hits from the EnCase credit card finder module. For those of you that do not know what this algorithm is, I would explain it here, but it is already on Wikipedia so look there. This EnScript reduces the number of credit card number hits dramatically, from tens of thousands to hundreds. The basics of this EnScript are that it looks at the search hits already created by the module and then creates bookmarks of the valid credit card numbers. Quick note: you have to have the search hits you want analyzed blue-checked. Have fun.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/CreditCardHitAnalysis.EnScript"&gt;Credit Hit Analysis&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/8172879952633848391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=8172879952633848391' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8172879952633848391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8172879952633848391'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/04/luhn-algorithm-enscript.html' title='Luhn Algorithm EnScript'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-6349974384890349083</id><published>2008-04-08T20:49:00.000-07:00</published><updated>2008-04-09T18:54:25.277-07:00</updated><title type='text'>PEvil Carver</title><content type='html'>Alright, it has been a while, but here is an EnScript I talked about before in some forums. I have gotten some more questions about it, so I am going to post it to let everyone have access to it. &lt;br /&gt;&lt;br /&gt;So you might ask "What is the PEvil Carver EnScript"? Hopefully what this EnScript will do for you is find that evil program that is on your machine but that you just cannot find through traditional forensic analysis, i.e. anti-forensic techniques are preventing you from finding it. This script takes an intelligent approach to finding PE type files (.dll, .exe, .ocx, to name a few) in unallocated clusters (but you can search other unstructured data types) and does not just look for the "MZ" signature. This intelligent approach starts with finding that good old "MZ" signature but goes further to find the "PE" signature that follows it at a variable offset specified in the Image_Dos_Header. If these two signatures are present this script will start bookmarking and carving the PE file based on the data that is stored within the PE file structure. It will also look on the local system for files that already have the same hash and will not export a carved file that is already present on the local system, to cut down on false hits. The PE files are exported to an EnCase LEF file that can be added to a case, mounted with VFS, and then scanned with AV or other malware-finding tools such as Mandiant's Red Curtain. The bookmarks also contain a plethora of data on the PE file itself. It parses out the Image_DOS_Header, Image_Optional_Header, Image_File_Header, and each section's Image_Section_Header. 
Looking at the data within these headers can help you identify whether the PE file found is evil or not; the data here is much like what PEiD shows. The hash and size of the file are also included in the bookmarks, and a search can be done on the size or hash of the PE file to see if it is evil or not based on previously known indicators. Another feature is that you can limit the size of the PE files to be exported: in initial testing PE files of significant size (1-2GB) were found in unallocated space, and traditionally evil PE files are probably not of that size and want to keep a low profile, so limiting the size of the exported files will produce better results. Some recent tests done with this EnScript show that you can extract full PEs from memory dumps that match NSRL hashes, and files carved from unstructured data have been identified as known evil programs by Red Curtain and AV. Here is the EnScript, enjoy it and please as always give feedback. 
Thanks to Nick Harbour for the suggestion to make this script, and just as a side note, I will always provide the source code to show how these EnScripts work; it is important for all forensic professionals to know what the tools they use do, and not just point and click and get answers but know how they got those answers.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/PEvilCarver.EnScript"&gt;PEvil Carver&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/6349974384890349083/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=6349974384890349083' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/6349974384890349083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/6349974384890349083'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/04/pevil-carver.html' title='PEvil Carver'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-4642167430696265465</id><published>2008-03-25T15:43:00.000-07:00</published><updated>2008-03-25T15:55:23.348-07:00</updated><title type='text'>Prefetch Fix posted</title><content type='html'>So I have gotten a few comments on the output that the prefetch EnScript gives for the location of the executable: it gave the location as a bunch of 
numbers instead of text. Sorry, a coding laziness problem. I have fixed this now; I previously selected the wrong bookmark type for the report output (it was for a number and not text), so this should be fixed with this version. There were also comments on the date and time that are reported. I am working on this bug, as I think it has to do with the early daylight saving time change and how that is represented in EnCase; I have not had time to pin this down yet. I will also be working on getting the data exported to Excel. Thanks for the comments on the blog and within the forums. The link previously posted will point you to the new prefetch EnScript, and so should this one.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/PrefetchFolderAnalysis.EnScript"&gt;Prefetch Folder Analysis&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/4642167430696265465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=4642167430696265465' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4642167430696265465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/4642167430696265465'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/03/prefetch-fix-posted.html' title='Prefetch Fix posted'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-8374735662743131483</id><published>2008-02-22T05:29:00.001-08:00</published><updated>2008-02-22T05:52:55.493-08:00</updated><title type='text'>MSG is Good, No Bad, EnScript Anyways</title><content type='html'>I know, I know, &lt;a href="http://ralphlosey.wordpress.com/2007/12/01/msg-is-bad-for-you-update-and-expansion-of-a-prior-blog-on-email-metadata/"&gt;MSG is bad for you&lt;/a&gt;, but I thought that I would post this EnScript for the EDD forensicators out there. I made this up real quick for a case where exporting the MSG files from the EnCase interface was producing indiscernible files. All the exported MSG files are named with the email message subject, and if there is a repeated subject it will get renamed to subject(1), subject(2), etc. It is hard to tell which MSG is which this way, so having a date related to the message gives more info, and keeping the Outlook folder structure would be nice too. So what this EnScript will do is export the MSG, name the MSG with the subject and created date, and keep the Outlook PST folder structure for you. MSG is bad, but sometimes you have to give your client what they want. 
Get the EnScript below, and again, comments and suggestions please on any of my EnScripts.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/MSGExport.EnScript"&gt;MSG Export&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/8374735662743131483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=8374735662743131483' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8374735662743131483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/8374735662743131483'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/02/msg-is-good-no-bad-enscript-anyways.html' title='MSG is Good, No Bad, EnScript Anyways'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-1663738249225548517</id><published>2008-02-20T10:22:00.000-08:00</published><updated>2008-02-20T11:05:49.597-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enscript'/><category scheme='http://www.blogger.com/atom/ns#' term='Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Prefetch'/><category scheme='http://www.blogger.com/atom/ns#' term='encase'/><title type='text'>Prefetch Folder Analysis</title><content type='html'>I have received some feedback from the EnCase 
forums on posting my Prefetch Folder Analysis EnScript, and I thought this would be a good place to do it and make it available to everyone. Before I get started I just wanted to give credit to &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan Carvey&lt;/a&gt; and his book &lt;a href="http://www.syngress.com/catalog/?pid=4230"&gt;Windows Forensic Analysis&lt;/a&gt;; this script is based on one of his Perl scripts in that book. &lt;br /&gt;&lt;br /&gt;For those of you that have not read the book or don't have an idea of what prefetching is: prefetching is Windows' way of saving load times for programs that are used often. The .pf files located in the Prefetch folder are cached portions of .exe files. This folder holds up to 128, sometimes more, .pf files, and they all can be analyzed with this script. Each .pf file holds the hard page faults of the .exe along with metadata about where the executable is located and how many times the .exe has been launched. There may be multiple .pf files for .exe files with the same name in the directory, such as rundll.exe-[characters].pf or even notepad.exe-[characters].pf, each having a different set of seemingly random characters after the .exe-. These characters are not random; they are produced from the file path where the .exe is located, so if one notepad.exe is run from system32 and another from windows it will generate two different .pf files. Evil will more than likely show up in this folder, and you will be able to locate where it is being run from by looking at these files, or by running this script. &lt;br /&gt;&lt;br /&gt;So the big question is: how do I use this EnScript, and why should I download it? Well, it will show you all the information talked about above, specifically:&lt;br /&gt;&lt;br /&gt;Location of the .exe&lt;br /&gt;Number of times the .exe has run&lt;br /&gt;Last time the .exe ran&lt;br /&gt;&lt;br /&gt;The other data that you can correlate with this is the time that the file was created. 
Knowing when the .pf file was created and when the .exe last ran will give you a date range for how long the .exe has been on the machine, great for malware (evil) or any case where the user is not supposed to be running programs outside the enterprise's gold build. You can also use data from the UserAssist registry keys to see who ran the program, because the .pf files do not give attribution to who ran the program, but that area could be compared to the .pf files to provide this. The EnScript can be downloaded below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/PrefetchFolderAnalysis.EnScript"&gt;Prefetch Folder Analysis&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/1663738249225548517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=1663738249225548517' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1663738249225548517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1663738249225548517'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/02/prefetch-folder-analysis.html' title='Prefetch Folder Analysis'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-287370525177206544</id><published>2008-02-12T19:01:00.000-08:00</published><updated>2008-02-14T15:03:12.172-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enscript'/><category scheme='http://www.blogger.com/atom/ns#' term='snapshots'/><category scheme='http://www.blogger.com/atom/ns#' term='EnCase Enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='EE'/><title type='text'>Volatile Data Preservation</title><content type='html'>Ok, it has been a while since I started this blog, but I do not think anyone was reading it or will for a while, so here is my first meaningful post; I hope to be on a more regular schedule from now on.&lt;br /&gt;&lt;br /&gt;One thing that I have noticed is that the collection and preservation of volatile data is not as well documented or talked about when discussing evidence, and most of the focus is on hard drive collection and preservation. This probably has to do with the fact that the collection of volatile data is more related to network intrusion incidents than to prosecutions of criminal acts. This data should be treated the same way as the traditional collection of the hard drive, making sure that the evidence has a chain of custody and cannot be tampered with; more on this can be read &lt;a href="http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf"&gt;here&lt;/a&gt;. The Snapshot does a good job of interacting with the target machine as little as possible, but preservation of the evidence that is collected is just as important as not interacting with the target machine. One area lacking in the preservation of the collected evidence that I, as well as others, have observed is EnCase Enterprise's inability to preserve its "Snapshots". 
I have not been able to figure out how to get the data to export from the report view, and many have tried this with no luck either. At one point they had a Snapshot database feature that was once available and that is supposed to come back sometime with a new release, maybe 6.99; hopefully it will come back soon (it's been almost a year since they promised it would be back).&lt;br /&gt;&lt;br /&gt;In the meantime I thought I could make something for the preservation of this evidence. This EnScript will take a Snapshot from the case and produce either an HTML view of the Snapshot or an XLS workbook. The workbook is easier to use for analysis (AutoFilter will be your friend), and the HTML view is good for reporting purposes. Please give me comments on what could be done to make it better or more usable. Download it below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tietjenk.googlepages.com/SnapshotReport.EnScript"&gt;Snapshot Report Generator&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/287370525177206544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=287370525177206544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/287370525177206544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/287370525177206544'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/02/volatile-data-preservation.html' title='Volatile Data Preservation'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3509971484596275244.post-1754379137622669774</id><published>2008-01-02T06:38:00.000-08:00</published><updated>2008-01-02T06:41:23.098-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='edd'/><title type='text'>Start of a new year, new blog</title><content type='html'>This year I wanted to start documenting some of the stuff that I am doing at work and at home so that I can refer back to it later.  I decided to do it in a blog format so that others can learn from what I did well and what I did not do so well.</content><link rel='replies' type='application/atom+xml' href='http://eddandforensics.blogspot.com/feeds/1754379137622669774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3509971484596275244&amp;postID=1754379137622669774' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1754379137622669774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3509971484596275244/posts/default/1754379137622669774'/><link rel='alternate' type='text/html' href='http://eddandforensics.blogspot.com/2008/01/start-of-new-year-new-blog.html' title='Start of a new year, new blog'/><author><name>tk_lane</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
