<div style="margin-bottom: 0in;"><span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">It's a Groovy Kind of Risk</span></b></span></div>
<div style="margin-bottom: 0in;"><span style="font-family: Arial, sans-serif;">Forensicaliente - because digital forensics is 'hot'. Tips, tricks, problems, solutions, testing, and other 'cool' things from my forensic journey... By Little Mac (http://www.blogger.com/profile/16829704053692764714), 2014-09-07.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;"><br />This
year at the <a href="http://www.sans.org/event/dfir-summit-2014" target="_blank">SANS DFIR Summit in Austin, TX</a> I had the distinct honor
and pleasure of presenting a talk entitled <i>To Silo, or Not to Silo:
That is the Question</i>. The PDF of the slides is available <a href="https://digital-forensics.sans.org/summit-archives/dfir14/To_Silo_or_Not_to_Silo_Frank_McClain.pdf" target="_blank">here (direct download)</a>.
All the other awesome presentations are up there as well, so make
time to <a href="http://digital-forensics.sans.org/community/summits" target="_blank">check them out</a> if you haven't already. </span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Shortly
after the Summit, I promised someone somewhere (or told, or maybe just
suggested) that I would post the notes, or at least more details,
about the talk. After all, we all know how entertaining it is to
look at the slides of a presentation. Wow, great stuff, right? I
think there are supposed to be videos of the talks somewhere or
other, but if there was a post about it, I missed it, and mine might
not've been taped anyway, and well, who knows. So basically, the
point of this is to flesh out that presentation in a meaningful way for
those who are readers of the word rather than hearers (and obviously,
not everyone could - or even wanted to - be there). That said, my
intent here is not to recreate the presentation (although I might steal
a slide or two), but rather to build on it, and present the topic in a
slightly (well, maybe more than slightly) different format. As an
aside, you might be wondering what took me so long to get this done.
Well, just like a nice single-malt scotch, some things <a href="http://www.masterofmalt.com/whiskies/oban-1996-bottled-2011-distillers-edition-single-malt-whisky/" target="_blank">must age to perfection</a>, and not leave the cask for bottling until they're just
right.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">A little
background first, to help set the stage, and fair warning - this may
be a bit long, and I may break it up into multiple posts (or I may
not). Also, this is a blog post, not a white paper or news article,
so it will be more "conversational" in nature. Hopefully,
you will find it worth your while to soldier on through it. The
genesis for the talk actually came from last year's Summit, with Alex
Bond's <a href="https://www.youtube.com/watch?v=ZuAFsceBttA" target="_blank">lightning talk</a> about combining host and network indicators. This made a lot of sense
to me, and I thought it could be a full talk; plus, it falls in line
with what I spend a lot of my time doing for a living. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">First Things</span></b></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Starting
off, my focus was on the need to broaden our horizons from an
evidence perspective; if we only look at host images, or RAM, or
firewall logs, or netflow, or (the list goes on...), and we don't
consider other sources, we're selling ourselves short. There are a
couple of difficulties with this type of approach, and I think it bears
calling them out now: </span>
</div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">1. Not
all evidence types are always available. This could be because they
don't exist, or because you're not provided access to them.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">2. Not
all analysts/investigators/whatever you want to call them have
in-depth knowledge, skills, and abilities with all evidence types.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Both
those things are limiting factors, and so I started building from the
standpoints of:</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">1.
Dealing with the evidence you have, and expanding where you can.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">2. Know
how to deal with the evidence types available to you, and how to
expand those.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">3. If
you can't/don't/won't then you're selling yourself and your client
(internal or external) short.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">To me,
these things all related to siloing oneself, and so I came up with
the title I did, way back last year (had to have the title before I
could submit the talk in the first place). I mention that mainly
because Jack Crook has a <a href="http://blog.handlerdiaries.com/?p=613" target="_blank">great blog post</a> very similarly named, and
touching on some of the same concepts, from May of this year. Read it, it's good, as is the
norm for his blog. Just know that these were both conceived
independent of one another; it must be a "great minds think
alike" sort of thing, if I may in any way lay claim to that
adage.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">However,
as I delved more into the topic at hand, I added another piece,
which I feel it all really boils down to, and which, if we ignore it, can
REALLY be siloing ourselves. It's one that business people can
relate to (which is very important for us in our line of work), and
which really guides our decision-making processes in Information
Security as a whole. You haven't guessed yet? Well, it's risk.
That's right - risk. Virtually all of the decisions we make in the
course of DFIR work are based on, or informed by, risk. The
"problem" is, we don't tend to see it that way, and that's
odd to me, because in InfoSec we talk about it all the time (it's how
we relate "bad things" to the business, get money for
projects, tell people no, tell people yes, get hated/loved/ice water
dumped on, so on and so forth). To be honest, I'm guilty of that as
well - I could easily quantify various "needs" in that
respect, but it really wasn't until I started working on the
presentation, that I started seeing the correlation to the topic of
risk. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Is risk
really such an odd topic for us? I honestly don't think so; it's
just that we don't think of it in those terms. We'll take something
really simple - would you close your eyes and attempt to walk across
a busy intersection? Most likely not, but why? Because it's
"stupid" or "idiotic" or a "good way to get
killed"? Doesn't it really boil down to a risk decision,
though? The risk of getting mowed down by a speeding motorist in a
2000-lb vehicle is greater than the reward of saying you crossed the
intersection with your eyes closed. It's not that it's "stupid,"
it's just too risky for most people.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">All the Things</span></b></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">So let's
start to put it in the context of DFIR, and the scope of my Summit
talk. In the presentation, I started off with a slide showing some
different broad sources of evidence: Systems, Network, Cloud,
Mobile; with the "Internet of Things" we may need to start
adding in things like Appliances and Locks as well. Anyway, within
those broad categories or families, there are subsets of types of
evidence, such as:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLG9y64FFfx7dbWDJX4NhjFhI5mXwOAvzEmReLhQ6brhg6uS3UbvM8JC_XpYem4lV2nQUElvknoMDCE-gcRiHIw9QfLU20Uj2px79DwlNFB-uDVI-3Cnn_e4c2G4hHqyxnarJz4b4_tgF/s1600/Types_of_Evidence.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLG9y64FFfx7dbWDJX4NhjFhI5mXwOAvzEmReLhQ6brhg6uS3UbvM8JC_XpYem4lV2nQUElvknoMDCE-gcRiHIw9QfLU20Uj2px79DwlNFB-uDVI-3Cnn_e4c2G4hHqyxnarJz4b4_tgF/s1600/Types_of_Evidence.png" height="380" width="640" /></a></div>
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Now,
obviously there are many more than that, and some (such as Reverse
Engineering/RE) aren't exactly evidence per se - but the idea was to
start to get the audience thinking about the things they do during a
given investigation (which may vary considerably, depending on the
type, scope, and sensitivity of the matter at hand). I'm pretty sure
that there are folks who don't regularly touch all, or even most, of
just these few. With that in mind, do you know these and more in
great detail? If you were handed one at random, would you know what
to do with it? Would it make you uncomfortable? What if you were
asked where to find it during an investigation? You don't have to
answer out loud - again, the point is to get us all thinking. If you
think of each of these (or other) types/sources/etc of evidence as
languages, wouldn't you want to be fluent? Don't you think it would
be valuable? That's the first point.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">In the
preso, I illustrated this point - that of Knowledge, Skills, and
Abilities (KSAs) - by taking everyone back to their days of
role-playing games (I realize for some this might still be reality).
Not modern MMORPGs, but old-school things like A/D&D, with
character sheets, a bag full of dice, a DM (Dungeon Master, not
direct message) and a bunch of chips and salsa. Yes, I know, for
some there were probably "other" substances involved, but
this is a family show, okay? Anyway, back in those simpler times, I
always wanted to be more than just one character class during an
adventure, especially if there were only a handful in the game (kind
of like most DFIR teams); with only one of a few types, if someone
got hurt, killed, or otherwise taken out of action, it was a disaster
(in InfoSec terms, a single point of failure). I mean, if your thief
got caught and killed while picking a pocket, who was there to open
locks or detect traps for the group? But, if you had a fighter/thief as
well, then you have at least somewhat of a backup plan (again in
InfoSec terms, a Disaster Recovery and Business Continuity/DRBC plan,
and not just a single point of failure). So it's one thing to know
one thing very well, but it brings more value and broadens the overall
potential of the group (or DFIR team) if you have folks with a
broader skill set, such as a dual-class human or multi-class
non-human. In this context, we're talking about people who can take
apart a packet capture, reverse-engineer a binary, parse a memory
dump, and so forth - they're not stuck with just one thing. This was
the point that Jack raised in his blog post, and he draws it out very
well.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Shelly
Giesbrecht did a presentation at the Summit this year about building
an awesome SOC, <a href="http://digital-forensics.sans.org/summit-archives/dfir14/10_Ways_to_Make_Your_SOC_More_Awesome_Shelly_Giesbrecht.pdf" target="_blank">available here (direct PDF download)</a>.
In a SOC, it's pretty common to have each member focused on a single
monitoring task - firewall, IDS/IPS, DLP, AV, etc, and while that can
provide a level of expertise in that area like <a href="http://en.wikipedia.org/wiki/Elminster" target="_blank">Elminster</a> does magic,
it doesn't produce a very well-rounded individual (can the AV person
fill in for the pcap?). As Shelly mentioned in her talk, the counter
to that is to try to expand the knowledge base, but at the expense of
actual abilities - we become jacks of all trades, but masters of
none. This goes directly counter to what the greatest swordsman in
all of history (no, not Yoda - <a href="http://en.wikipedia.org/wiki/Miyamoto_Musashi" target="_blank">Miyamoto Musashi</a>) wrote in his <a href="http://www.amazon.com/Book-Five-Rings-Miyamoto-Musashi/dp/1935785974/ref=sr_1_4?s=books&ie=UTF8&qid=1410136753&sr=1-4&keywords=book+of+five+rings" target="_blank">Book of Five Rings</a> - that in order to truly be a master of one thing (such as
swordsmanship), you had to become a master of all things (poetry, tea
ceremony, carpentry, penmanship). Troy Larson, in his keynote
address at the Summit (<a href="http://digital-forensics.sans.org/summit-archives/dfir14/Don%27t_Let_Your_Tools_Make_You_Look_Bad_Troy_Larson.pdf" target="_blank">direct PDF download</a>),
brought up the concept of using the whole pig. And if you don't know
about the whole pig, you can't use the whole pig, which is this
point. But, if you don't have the whole pig, or don't look at parts
of the pig, then you're missing out. And that's the second point.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">A
Puzzling Equation</span></b></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Alex's
lightning talk brought up the topic of using multiple sources of
evidence - specifically host-based and network-based data - to better
understand an attack. Yes, that's right - he was using more than one
part of the pig (Troy would be proud, I'm sure). But as we saw
earlier, there are more sources than just host/systems and network,
and a multitude of evidence types within those, and that's where it
starts to get a little more complicated, at least for some (and in
some cases). The reason I say that is that I know people who for
whatever reason, during an investigation focus on a single type of
evidence or analysis, even when they have the skills to expand on it.
For instance, they may just look at network logs, or a disk image,
or volatile data. Each of these things can bring incredible value to
an investigation, but individually, they're limited; if you don't
expand your viewpoint, you're missing the bigger picture. I'll flesh
that out with a puzzle illustration. We've probably all put together
at least one puzzle in our lifetime, and even if it's not a normal
occurrence for us, we understand the basic concepts (if not, wikiHow
lays them out in a very <a href="http://www.wikihow.com/Put-Together-a-Hard-Puzzle" target="_blank">simple format here</a>).</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Imagine
you've been handed a pile of puzzle pieces, perhaps it looks
something like this:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKHfR_1Knvaf12jSfISUF3NH3sCCbkmCOEXNU6aKgy-9uHR8KOzQZaiZlGFONYRQ5QRhjIUu4mh4zjHxJd0BE3C2Hpq2PyvVKM2EU5NSigRJvk8QXpSwTV6af6pNP-CWGxPOAlEV32CI0/s1600/puzzle_pieces_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKHfR_1Knvaf12jSfISUF3NH3sCCbkmCOEXNU6aKgy-9uHR8KOzQZaiZlGFONYRQ5QRhjIUu4mh4zjHxJd0BE3C2Hpq2PyvVKM2EU5NSigRJvk8QXpSwTV6af6pNP-CWGxPOAlEV32CI0/s1600/puzzle_pieces_1.png" height="465" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;"> (Source: http://opentreeoflife.files.wordpress.com/2012/10/puzzle2.jpg) </span></span></div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">In other
words, you have no idea how many pieces there are (or are supposed to
be), nor what it should show when it's all put together. In case
it's not perfectly clear, this puzzle is the investigation (whether
it's internal/corporate, external/consulting, law enforcement,
military, digital forensics, or incident response). The end goal is
being able to deliver a concise, detailed report of findings that
will properly inform the necessary parties of the facts (and in some
cases, opinions) of what happened in a given scenario. If we take a
bunch of the pieces out and put them in another box somewhere, not
using them, that's probably not going to help us put it all together
(so if you ignore RAM, or disk, or network...). If we follow the
wikiHow article and start framing in the puzzle, then start taking
guesses as to what it represents (or what happened during the
commission of a crime, etc), then we're missing the bigger picture.
Get it? Picture? The puzzle makes a picture - see what I did there?
Heh heh heh. ;-) </span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">I mean,
this probably includes sea life, but we don't know for sure what is
represented, and certainly can't answer any detailed questions about
it...</span></div>
<div style="margin-bottom: 0in;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrqdp0Aek9CCATl_OEen5BHXa2pqhsUo2tVX41h0zhJlB_PffNMbEb3gFPgZf3T2bTzvWwyZ_JwCGuapxDorIKLFW5eBLS2uHgzwj5-E3bcu191jZC40fSKrWaIMFQ6uDxpEeORe4kM5aM/s1600/partial_puzzle_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrqdp0Aek9CCATl_OEen5BHXa2pqhsUo2tVX41h0zhJlB_PffNMbEb3gFPgZf3T2bTzvWwyZ_JwCGuapxDorIKLFW5eBLS2uHgzwj5-E3bcu191jZC40fSKrWaIMFQ6uDxpEeORe4kM5aM/s1600/partial_puzzle_5.png" height="539" width="640" /></a></div>
</div>
<div style="margin-bottom: 0in; text-align: center;">
<span style="font-family: Arial, sans-serif; font-size: xx-small;">(Source:
http://www.pbase.com/image/9884347)</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">What if
we start to fill more pieces in? When can we start to (or best)
answer questions? Here:</span></div>
<div style="margin-bottom: 0in;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjXVjrYKeCZ0D4PJ2rn1-447NalAQwO1AXfl_F4x5XVdEVkEx49rTYgKpAbjyZxHSmu7BaskYxaGcs2l8o1jiVsFNZcODAQcy5teBJxjZUl5h9gYO5VrUU6B05q-3rmlbnnirRF43rmPJ3/s1600/partial_puzzle_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjXVjrYKeCZ0D4PJ2rn1-447NalAQwO1AXfl_F4x5XVdEVkEx49rTYgKpAbjyZxHSmu7BaskYxaGcs2l8o1jiVsFNZcODAQcy5teBJxjZUl5h9gYO5VrUU6B05q-3rmlbnnirRF43rmPJ3/s1600/partial_puzzle_2.png" height="640" width="595" /></a></div>
</div>
<div style="margin-bottom: 0in; text-align: center;">
<span style="font-family: Arial, sans-serif; font-size: xx-small;">(Source:
http://piccola77.blogspot.com/2010_05_01_archive.html)</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Here:</span></div>
<div style="margin-bottom: 0in;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8JGt5-zJ5AnLe1DYR3N43UqRVi0M5eltD1OmYqHYRNEskvAQaCuoz7EhgRqq_v7weHYkLfWJUW6EExhE-1thlWU6vLQnHa9hSNIHwiViJD_Lw4_-oHeVcBxwC1us12ndDb47wN2FxmruY/s1600/partial_puzzle_7b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8JGt5-zJ5AnLe1DYR3N43UqRVi0M5eltD1OmYqHYRNEskvAQaCuoz7EhgRqq_v7weHYkLfWJUW6EExhE-1thlWU6vLQnHa9hSNIHwiViJD_Lw4_-oHeVcBxwC1us12ndDb47wN2FxmruY/s1600/partial_puzzle_7b.png" height="640" width="465" /></a></div>
</div>
<div style="margin-bottom: 0in; text-align: center;">
<span style="font-family: Arial, sans-serif; font-size: xx-small;">(Source:
http://3.bp.blogspot.com/-wviPW6QWJiA/U_fTcSUKoUI/AAAAAAAAZjg/KLTKLJYSnQs/s1600/Lightning%2BStriking%2BTree%2B2%2B-%2B1000%2BEurographics.jpg)</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">or here:</span></div>
<div style="margin-bottom: 0in;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdEiROXOISLQJ-Os0nO_RU_z1iri3R0awKxlyU809IDnqtUChHffcKwc3RWRcJnyGBFPkHhbRFFWSE6KHPoJW884Wbthj9s-WbDdaj-JWklaBrycI7gXpnGKC8Oa7gy4AXKKRsrk8S4MPC/s1600/partial_puzzle_4b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdEiROXOISLQJ-Os0nO_RU_z1iri3R0awKxlyU809IDnqtUChHffcKwc3RWRcJnyGBFPkHhbRFFWSE6KHPoJW884Wbthj9s-WbDdaj-JWklaBrycI7gXpnGKC8Oa7gy4AXKKRsrk8S4MPC/s1600/partial_puzzle_4b.png" height="329" width="640" /></a></div>
</div>
<div style="margin-bottom: 0in; text-align: center;">
<span style="font-family: Arial, sans-serif; font-size: xx-small;">(Source:
http://moralesfoto.blogspot.com/2011_11_01_archive.html)</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Pretty
clearly the last one gives us the best chance of answering the most
questions, but we could still miss some critical ones, because there
are substantial blank areas. Sure, it appears to be foliage that's
displayed in the background, but is it the real thing, or a
reflection off the water? Is it made up of trees, bushes, or a
combination? Is there any additional wildlife? What about predators?
Imagine you're sitting down across from a group of attorneys (maybe
friendly, maybe not), and those gaps are due to evidence not analyzed
in the course of your investigation? Ouch...</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Now,
there are multiple facets to every investigation, and within each as
well. There are differences between eDiscovery (loosely connected to
what we do), digital forensics, and incident response, and those can
probably all be argued to the nth degree and until the cows come
home. I get all that, and am taking those things into account; I'm
trying to paint a broader picture here, and get everyone to think about associated
risk. In the end, it really is about risk, and I'll
get to that. For now, let's list out a few scenarios that challenge
the "all the pieces" approach.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<ol>
<li><span style="font-family: Arial, sans-serif;">There
isn't enough time to gather all available evidence types. This is
probably most prevalent for IR cases, where time is of the essence,
you only have two people to image 500 systems that all have 500GB
hard drives, and executives/legal/PR/law enforcement need answers -
fast.</span></li>
<li><span style="font-family: Arial, sans-serif;">There aren't enough resources to gather all available evidence types.
Again, very common in IR cases, where you have small teams,
responsibilities are divided up, and KSAs may be lacking. We talked
about that before.</span></li>
<li><span style="font-family: Arial, sans-serif;">All
evidence is not made available to you. This factors in across the
board, and comes into play in pretty much every investigative role
(corporate, consulting, LE, etc). This could be because:</span>
<ul>
<li><span style="font-family: Arial, sans-serif;">The business/client/suspect is trying to hide things from you.</span></li>
<li><span style="font-family: Arial, sans-serif;">The people/groups in charge of the evidence are resistant/can't be
bothered/etc (I've had CIOs refuse to give me access to systems
because it was "too sensitive" and we ended up not
gathering certain potential evidence).</span></li>
<li><span style="font-family: Arial, sans-serif;">The evidence simply doesn't exist (systems/platforms don't exist,
policies purge logs w/o central storage, power was shut down, it was
intentionally destroyed, etc). </span></li>
</ul>
</li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">Risky Business</span></b></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">This is
where we get to that part that didn't really dawn on me until I was
well into building the presentation. Initially, the presentation was
going to walk the audience through various investigative scenarios,
to show how it was important to know how to handle different types
and sources of evidence, and how without doing so, you could be
missing the bigger picture (or the finer details within the picture,
such as Mari DeGrazia's talk on <a href="http://digital-forensics.sans.org/summit-archives/dfir14/Supersize_Your_Internet_Timeline_with_Google_Analytic_Artifacts_Mari_DeGrazia.pdf" target="_blank">Google Analytics cookies - direct PDF download</a>). I still accomplished that, but also added in the new element, that of risk. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">I can
see it in your eyes, some of you are confused about what this has to
do with risk. <a href="http://en.wikipedia.org/wiki/Risk" target="_blank">Wikipedia explains risk in part as</a> "...the
potential of losing something of value, weighed against the potential
to gain something of value."
It's a very familiar concept in financial circles, especially with
regard to the return on investment (ROI) of a particular financial
transaction. As such, it's very commonplace in businesses
(especially mature ones), along with executives and business leaders.
Information Security uses risk management as a means (among other
things) to help quantify and show value to the business, especially
preemptively or proactively, to help avoid increased costs from a
negative occurrence (such as a breach) down the road. Businesses
understand that, because they can recognize the cost associated with
a breach, with damage to brand, lawsuits, expenses to clean up, and
so forth. Okay, great, that makes perfect sense - but how does it
apply to an after-the-fact situation in DFIR? Well, remember our two
main points to which the risk pertains? Lack of knowledge, Lack of
Evidence. I'll give some examples under each, for how risk ties in
(please be warned - these won't be exhaustive).</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Lack of
knowledge/skills/abilities - personnel lacking a broad base of
expertise in dealing with multiple types of evidence or
investigations spanning computers, networks, cloud-based offerings,
mobile technologies, etc.</span></div>
<ol>
<li><span style="font-family: Arial, sans-serif;">Requires additional/new internal or external (consulting) staffing
resources, which cost money.</span></li>
<li><span style="font-family: Arial, sans-serif;">Takes longer to complete
investigations, which costs additional money, directly and indirectly
(fines and fees, for instance).</span></li>
<li><span style="font-family: Arial, sans-serif;">May
result in inaccurate findings/reports/testimony, and could result in
sanctions, fees, fines, settlements, etc.</span></li>
<li><span style="font-family: Arial, sans-serif;">Loss
of personnel who seek other positions to get the training/experience
they know they need. </span></li>
<li><span style="font-family: Arial, sans-serif;">Inability to spot incidents in the first place, leading to additional
exposure and associated costs.</span></li>
<li><span style="font-family: Arial, sans-serif;">Training staff to achieve higher levels of expertise in new areas
costs money.</span></li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">These
are pretty straightforward, no-brainer sort of things, right? I
think we can all see the importance of being a well-rounded
investigator; it makes us more valuable to our employer, and helps us
do our jobs more effectively. Win-win scenario. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Lack of
evidence - whether evidence is missing/doesn't exist, inaccessible or
not provided, or simply overlooked/ignored.</span></div>
<ol>
<li><span style="font-family: Arial, sans-serif;">Inability to answer questions for which the answers can only be found
in the "missing" evidence; can result in additional costs:</span>
<ul>
<li><span style="font-family: Arial, sans-serif;">Having to go back after the fact and attempt to recover other
evidence types (paying more consultants, for example).</span></li>
<li><span style="font-family: Arial, sans-serif;">Potential sanctions, fines, fees due to failure in fiduciary duties,
legal responsibilities, and regulatory requirements.</span></li>
<li><span style="font-family: Arial, sans-serif;">Loss of personal income due to loss of job.</span></li>
</ul>
</li>
<li><span style="font-family: Arial, sans-serif;">Potential charges of spoliation, depending on scenario, and
associated sanctions, fines, settlements.</span></li>
<li><span style="font-family: Arial, sans-serif;">Loss
of business due to lack of appropriate response, brand damage, court
costs/legal fees, etc (everyone out of a job). May seem drastic, but
smaller businesses may not be able to bear the costs associated with
a significant breach, and when part of those costs stem from
inappropriate response...</span></li>
<li><span style="font-family: Arial, sans-serif;">May
take significant time and money to collect and examine all
potential/available evidence; the cost of doing so may be more than
the cost of not doing so.</span></li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">The
whole "lack of evidence" area is where I tend to see the
most resistance within our field, so I'll try to counter the most
common objection. I'm not saying that if we don't collect and
analyze every single possible source and type of evidence on every
single investigation of any type, that we're not doing our jobs.
What I'm saying is that to the extent it is feasible and reasonable
to do so, we need to collect and analyze the available and pertinent
evidence in the most expedient manner, based on the informed risk appetite of
the business. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">There, I
think that should start to set the stage for the next piece of the
conversation. Neither a lack of knowledge nor a lack of evidence is
necessarily a "bad" thing in itself. What is a "bad" thing is to
take certain courses of action without engaging the proper
stakeholders in a risk conversation, so that they can make an
informed decision on how doing one thing or another may negatively
(or positively) impact the business. That's what risk management is
all about, and now that we've seen that our actions can introduce new
risk to the business, we need to start engaging the business on that
level. A big piece of the puzzle here is that we, the DFIR
contingent, are not really the ones to determine whether or not
we only need to collect a certain type of evidence, or whether the
lack of a certain type of evidence has a significant negative impact
on an investigation. That's up to the business, and it's our job to
inform them of the risks involved, so that they can weigh them accordingly in the
context of the overall goals and needs of the business (to which we
are likely not privy). </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">For
example, in an IR scenario, we may not think it makes a lot of sense
to image a bunch of system hard drives, due to the time it takes. We
inform the business of the time and level of effort we estimate to be
involved, and the impact of that distracting us from doing other
things that may have more immediate relevance (such as dumping and analyzing RAM, or looking at pcaps from network
monitoring). The business (executives, legal, etc) on their side,
are aware of potential legal issues surrounding the situation, and
know that if system-based evidence (of a non-volatile nature) is not
preserved in a defensible fashion, the company could be tied up in
legal battles for years. They determine that the cost/impact (aka,
"risk") of ongoing legal battles is greater than the
cost/impact (aka, "risk") of imaging the drives, so they
provide the instruction to us. If we hadn't broached the subject and
had a risk-based conversation with the appropriate stakeholders, we
might have chosen based on our perspective, and incurred significant
costs for the business and ourselves down the road. </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">So, am I
saying we shouldn't make intelligent decisions ourselves? Should we
do nothing until someone makes a choice for us? Please don't
misunderstand me; by no means should we do nothing. But what we do
should be tempered by the scenario we're in, and the inherent risk
(to ourselves and others), juxtaposed against the risk appetite of
those who are paying us. After all, let's be honest - if a business is
made to look bad or incur significant cost (whether through an
incident response scenario, or some other investigation or legal
action), most likely a "heads will roll" situation will
arise. Professionally, it's our job to help ensure the business is
well-informed, prepared, and protected from something like this
happening; personally, it's our job to make sure it isn't our heads
on the chopping block (C-levels may just move to another home, but if
those who do the work get "branded" it may not be quite as
easy). If you do a pentest engagement, what's the first thing you
get? Your "get out of jail free" card, or a properly
scoped and signed statement of work, which authorizes you to do the
things you need in order to accomplish the mission. Think of what
I'm saying from that angle: by making DFIR another risk topic,
you're protecting yourself, your immediate boss/management, and the
company/employer. There are other benefits as well - expectations
are properly set, you have clear-cut direction, and can hopefully
operate at peak efficiency. This keeps everyone happy (a very key
point) and reduces cost; you gain visibility and insight into company
needs and strategy, and are positioned to receive greater
appreciation from the business (which can obviously be beneficial in
a number of ways). </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;"><b><span style="font-family: Arial, sans-serif;">Last Things</span></b></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Now that
we've wrapped up the risk association aspect, and everyone agrees with me
100%, we can frame the two original areas of conversation - lack
of KSAs and lack of evidence. I think the first is a given, but the
second is the gray area for most folks. I've had numerous
conversations around this concept, online and in person, and so far
the puzzle analogy seems the easiest to digest. If you're putting
together a 1000-piece puzzle without the box or picture of the
completed puzzle (isn't that pretty much EVERY investigation you've
ever done?), no matter how much you *<b><i>think</i></b>* you know what it is, you
don't truly know until it's done. Attorneys and business
management/executives want answers, and those can't be halfway
formed, because they're making costly and potentially career-limiting
decisions based upon what we say. So if you're only 25% done with
the puzzle, you can't answer all the questions. If you limit
yourself to 25% of the puzzle (or available evidence), or you're
limited to that amount by other parties, you're limited in the information you can
provide. If you're stuck with the 25% (as by forces outside your control), then you do the best you can, and
inform the business - they might be able to apply pressure to get
you access to more evidence (but if they don't know, they can't help
you). </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Let's
look at the flip side of that briefly. If you're in an investigation
(of whatever type), and there are 500 systems with 500 GB, 5400 RPM
hard drives and only USB 2 connections; 10 TB of pcaps, 4 TB of logs
from network appliances and systems, 20 servers spread across the
country with 4 TB of local storage each and 400 TB combined network
storage (where evidence might be), total RAM of 4 TB (plus pagefile
and hiberfil), 2 people to get the work done and 1 week to do it,
you're probably not going to be very successful. You'd really need
near-unlimited resources and time, which just isn't the reality for
any of us. But the reality also is that in this imaginary scenario,
even with substantial resources, we'd still need to inform the
business of the associated risks, so that they could help establish
the true requirements, guidelines and timelines, and ultimately help us help
them (note: it is sometimes necessary for us to guide the business through this process, to help them understand the point we're trying to get to). It really doesn't matter whether we're internal or external -
our jobs put us in partnership with the business (unless the business
wants us to lie or fabricate the truth, which becomes a completely
different discussion that I won't get into here). </span>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">The goal
is to make the best use of available evidence, time, and resources,
to help the business answer the questions they need to address. If
we have the necessary KSAs, and help the business understand the
risks associated with the scope of an investigation, we can reach the
end goal in a much more efficient manner than if we just work in a
silo. I'd love to talk more; if you have any
questions/comments/concerns, comment here or hit me up on <a href="https://twitter.com/littlemac042" target="_blank">twitter</a>. Until then...</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Arial, sans-serif;">Think
risk, and carry on.</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
Little Mac (http://www.blogger.com/profile/16829704053692764714), 2014-05-17: Sweet Child o' LSASS<div>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: medium;"><span style="color: black; display: inline ! important; float: none; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Recently, I was channeling my inner rock star, and thought I'd share a finding regarding "normal" occurrences. You're probably all familiar with LSASS.exe, the "Local Security Authentication Subsystem Server" process, and you might also <i>know</i> that it doesn't have any children. Poor thing; children are truly a gift (and a challenge, but that's a different topic). Anyhow, as noted in the <a href="http://digital-forensics.sans.org/blog/2014/03/26/finding-evil-on-windows-systems-sans-dfir-poster-release" rel="nofollow" target="_blank">SANS DFIR "Find Evil" poster</a>, if LSASS spawns a child process, it bears looking into - and that's exactly what I was doing. </span></span></span><br />
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Given that I think it's important to be as proactive as possible with regard to incident response, I am always looking for ways to spot potential problems. Now, the SANS poster showcases things to watch for when doing memory analysis, but if you're parsing all executable activity in real time and storing that data in a way it can be queried at will (kind of like Sysinternals procmon on steroids), then why not apply the same principle and see what can be found? Yes, yes, I'm talking about <a href="https://www.bit9.com/" rel="nofollow" target="_blank">CarbonBlack (now part of Bit9)</a>, which is (in my opinion) an awesome endpoint monitoring platform. However, while this post will make use of that technology, don't think of it as being <i>about</i> Cb, but rather about the hunt, what's found, and how that informs the bigger picture (and may change some of what's considered "normal"). Keep in mind there are other tools that can help accomplish the same goal, and as noted, memory analysis (with tools like <a href="https://code.google.com/p/volatility/" rel="nofollow" target="_blank">Volatility</a>, <a href="https://code.google.com/p/rekall/" rel="nofollow" target="_blank">Rekall</a>, and <a href="https://www.mandiant.com/resources/download/redline" rel="nofollow" target="_blank">Mandiant Redline</a>) is at the forefront - so don't get hung up on the tool; it's the <i>investigator</i> that makes the difference in the long run. </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">With that, I'd like to tell you a story about the hunt for spawn of LSASS, and how it started with a simple little query, as shown below; basically, any process for which LSASS.exe showed up as the parent...</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRtDGWD3WcPCo4LyCXTS2CvnxAoc1MzMHBO0K9Td4aE-JdY7SAZNKzTq56M3WjcQRoO6uAqAtZTFqq_yU5RZXTwYlvHtJR1V2ByiO72mOgvzVftJ6-QI8Dww1ZjIFKNCSfOp5LDZqmbnBI/s1600/parent_proc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRtDGWD3WcPCo4LyCXTS2CvnxAoc1MzMHBO0K9Td4aE-JdY7SAZNKzTq56M3WjcQRoO6uAqAtZTFqq_yU5RZXTwYlvHtJR1V2ByiO72mOgvzVftJ6-QI8Dww1ZjIFKNCSfOp5LDZqmbnBI/s1600/parent_proc.png" /></a></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNjgZgroomVkiP4W1s-7lhyphenhyphenNRQaBxzv5GYvILuAAVJXP0QNU2g-jHWGrQrexRveXHQHX2UOkNPhicgMMT7Me9voSFfHSZzRg7p-2eQSFBYfYZO5TTDHnTBumt1xm1cJ1N5MBNypuM0dxyw/s1600/proc_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNjgZgroomVkiP4W1s-7lhyphenhyphenNRQaBxzv5GYvILuAAVJXP0QNU2g-jHWGrQrexRveXHQHX2UOkNPhicgMMT7Me9voSFfHSZzRg7p-2eQSFBYfYZO5TTDHnTBumt1xm1cJ1N5MBNypuM0dxyw/s1600/proc_search.png" height="235" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Right away we see that there's one sweet child o' lsass, on 37 endpoints, with two different hashes showing up. Okay, so two different binaries or versions, then. Let's keep digging, starting with a listing of the search results.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaM_N54xKvHavF9FZulIcErwOLouaKqiqfxarSTqHvjeyOvXLMnUAz3hQiqmtDwYwsJS_V5T39Vff3Dv7XPdCpOVk6BkxN2PY580qqFcqEHs1qR5I0FCOr1WwhBOn9G_V3rmEj_jQjPFDM/s1600/proc_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaM_N54xKvHavF9FZulIcErwOLouaKqiqfxarSTqHvjeyOvXLMnUAz3hQiqmtDwYwsJS_V5T39Vff3Dv7XPdCpOVk6BkxN2PY580qqFcqEHs1qR5I0FCOr1WwhBOn9G_V3rmEj_jQjPFDM/s1600/proc_results.png" height="464" width="640" /></a></span></div>
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">A couple of things stand out; namely that each process is associated with six (6) filemods (such as create/modify/delete a file) and two (2) netconns (could be browsing to a website, IP address, hostname), while the related activities for registry (regmods) and other processes/binaries (modloads) are similar in count but not identical. If you're the type (and I am) that likes to review data offline to filter, sort, search, and so on, you can download a CSV that looks a little something like what's below. If you have oddball md5 values, abnormal paths, or process names that stand out, it's sometimes easier to focus in on them that way (at least for me). With this, the "start" value is the time the current instance of the process ran, and "last_update" is the most recent time it actually did something as it applies to the query at hand.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmgSnuY9kuQfx1NAOQ7pLQSsJJDkT1gb7AXVkmn8jxTGAvR94lYysIq_Kk51foSuZ3Unjg9gQHKnGT_G1eKpGOm6npQq1aJZDDe-xA95oZ0mkHKzRfvQLgqT3oUwr_6UIwMqQ2G0IbVi02/s1600/efsui_search_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmgSnuY9kuQfx1NAOQ7pLQSsJJDkT1gb7AXVkmn8jxTGAvR94lYysIq_Kk51foSuZ3Unjg9gQHKnGT_G1eKpGOm6npQq1aJZDDe-xA95oZ0mkHKzRfvQLgqT3oUwr_6UIwMqQ2G0IbVi02/s1600/efsui_search_results.png" height="60" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">I mentioned oddball md5 values, right? And we know we have two different ones at play here, and 37 total processes, so what's the breakdown? Funny you should ask (well, I asked, but it was kind of rhetorical anyway - just work with me...)</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyxhmMys3oik5DMknNwXsqTUOR_pn_TBHSZiQdN9F3FSKhyphenhyphen5XGVhYnLjnCIRPd8MoTFXPGRs8El5ddycoQCc_AcB0TFc0_iYsi3joyv3ozmeigzSBX3xJ4bzqCtady0r8dZTV7yvX7_XUI/s1600/efsui_search_results2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyxhmMys3oik5DMknNwXsqTUOR_pn_TBHSZiQdN9F3FSKhyphenhyphen5XGVhYnLjnCIRPd8MoTFXPGRs8El5ddycoQCc_AcB0TFc0_iYsi3joyv3ozmeigzSBX3xJ4bzqCtady0r8dZTV7yvX7_XUI/s1600/efsui_search_results2.png" height="640" width="280" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">So apparently two out of the 37 are the "f17e" hashes, with the remainder being "bcb8." And yes, that can be identified using the GUI, but I like to see things with my own two eyes and plus this is an offline record in case I ever need it. No abnormal paths were noted.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Anyway, since there's consistency with filemods and netconns, that's a good place to start looking, but first, I'd like to know a little more - high level - about these processes. From a tool standpoint, Cb has a "preview" feature, and so to take a peek at the different binaries involved here (remember, two different hash values)...</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPFvqLtjLsB4VzUdG8TgOoAsGvOF2ty1N9u30J0CLX3p3_XXX3cO8gCgQViSBLxoXDIIWvRA9acrwYEylqbBNjbI5U9Pj53ILc5sOq5KEdDlqAaQn-gOoPn4RdXRal6Rt86CPOdFPLuiH/s1600/bcb8_binary_preview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPFvqLtjLsB4VzUdG8TgOoAsGvOF2ty1N9u30J0CLX3p3_XXX3cO8gCgQViSBLxoXDIIWvRA9acrwYEylqbBNjbI5U9Pj53ILc5sOq5KEdDlqAaQn-gOoPn4RdXRal6Rt86CPOdFPLuiH/s1600/bcb8_binary_preview.png" height="290" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjejNmMOeMkTgvsIMpPtxorfZLHnQk0-pmKvJMiqVGdTeiNNbqnJ4vBHSSswv_Hen6BwWoXBYslclRDLJHh9N55Wc4cHwlnA8ryK1QX5wuuRfNyW21BlXYQLCfyyv_2yCnDoTFALm28h6X/s1600/f17e_binary_preview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjejNmMOeMkTgvsIMpPtxorfZLHnQk0-pmKvJMiqVGdTeiNNbqnJ4vBHSSswv_Hen6BwWoXBYslclRDLJHh9N55Wc4cHwlnA8ryK1QX5wuuRfNyW21BlXYQLCfyyv_2yCnDoTFALm28h6X/s1600/f17e_binary_preview.png" height="294" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">First we had "Mr. Popularity," the "bcb8" version, followed up by the indomitable "f17e." In either case, the command line parameters are the same: "/efs /enroll /setkey." If you haven't already, you're probably running out and searching teh intarwebs for this executable, EFS, and whatever else might give some insight, since it appears to be from Microsoft (R) and might be legit (but you never know, right?). If that's what you're doing, no worries, I was in the same boat. I even reached out to the SANS DFIR email list to see if anyone else had encountered this, since we all <i>know</i> that "normal" means LSASS doesn't have kids. No children. Nada. Zip. Zilch. <a href="http://cemarins.blogspot.com/" rel="nofollow" target="_blank">Carlos Marins</a> pointed me to the following MS document (link is direct download) <a href="http://download.microsoft.com/download/9/8/2/98207DD4-7D2C-4EF6-9A9F-149C179D053E/CommercialOSSecFunReqsPublicV2Mar09.docx">http://download.microsoft.com/download/9/8/2/98207DD4-7D2C-4EF6-9A9F-149C179D053E/CommercialOSSecFunReqsPublicV2Mar09.docx</a>, which was very helpful in understanding some of the things I would subsequently find. <a href="http://thedigitalstandard.blogspot.com/" rel="nofollow" target="_blank">Chris Pogue</a> asked a few questions and reminded me about checking the hash with <a href="https://fileadvisor.bit9.com/Services/search.aspx" rel="nofollow" target="_blank">Bit9 File Advisor</a>. </span></div>
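To make the offline CSV review described above repeatable, here is an added Python example (not code from this post or from Carbon Black) that loads a process-search export like the one discussed, produces the per-md5 host breakdown, and flags rows that deviate from the population on path, hash vetting, command line, or filemod/netconn counts. The column names, hostnames, hashes and sample rows are constructed assumptions; a real export's headers will differ.

```python
"""Triage of a process-search CSV export for children of lsass.exe.

Added example; the CSV schema below is an assumption modelled on the fields
the post walks through (host, process name, path, md5, parent, command line,
start, last_update, filemod/netconn counts), not Carbon Black's actual format.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: five endpoints, three md5 values, one row with a
# path outside the Windows system directory and one with a different command
# line and netconn count. Hashes and hostnames are made up.
SAMPLE_CSV = """hostname,process_name,path,md5,parent_name,cmdline,start,last_update,filemod_count,netconn_count
ws01,child.exe,c:\\windows\\system32\\child.exe,bcb8aaaaaaaaaaaaaaaaaaaaaaaaaaaa,lsass.exe,child.exe /efs /enroll /setkey,2014-05-01T08:00:00,2014-05-01T08:00:03,6,2
ws02,child.exe,c:\\windows\\system32\\child.exe,bcb8aaaaaaaaaaaaaaaaaaaaaaaaaaaa,lsass.exe,child.exe /efs /enroll /setkey,2014-05-01T08:05:00,2014-05-01T08:05:02,6,2
ws03,child.exe,c:\\windows\\system32\\child.exe,f17ebbbbbbbbbbbbbbbbbbbbbbbbbbbb,lsass.exe,child.exe /efs /enroll /setkey,2014-05-02T09:00:00,2014-05-02T09:00:04,6,2
ws04,child.exe,c:\\users\\bob\\appdata\\local\\temp\\child.exe,0000cccccccccccccccccccccccccccc,lsass.exe,child.exe /efs /enroll /setkey,2014-05-03T10:00:00,2014-05-03T10:00:01,6,2
ws05,child.exe,c:\\windows\\system32\\child.exe,bcb8aaaaaaaaaaaaaaaaaaaaaaaaaaaa,lsass.exe,child.exe /efs /enroll,2014-05-03T11:00:00,2014-05-03T11:20:00,6,9
"""

# Directories where a Microsoft system binary spawned by LSASS is expected to live.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def load_records(csv_text):
    """Parse the export into a list of dicts, converting count columns to int."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["filemod_count"] = int(row["filemod_count"])
        row["netconn_count"] = int(row["netconn_count"])
        records.append(row)
    return records


def hash_breakdown(records):
    """md5 -> sorted hostnames: the per-hash breakdown the post derives by hand."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["md5"]].add(r["hostname"])
    return {md5: sorted(h) for md5, h in hosts.items()}


def majority(values):
    """Most common value in an iterable; treated as the population's 'normal'."""
    return Counter(values).most_common(1)[0][0]


def flag_anomalies(records, expected_dirs=EXPECTED_DIRS, vetted_md5=()):
    """Return (hostname, reason) pairs for rows that deviate from the population.

    Checks mirror the manual review in the post: path outside the expected
    directories, an md5 not yet vetted out of band (VirusTotal / File Advisor),
    a command line different from the majority, and filemod/netconn counts
    different from the majority.
    """
    baseline_cmd = majority(r["cmdline"] for r in records)
    baseline_filemods = majority(r["filemod_count"] for r in records)
    baseline_netconns = majority(r["netconn_count"] for r in records)
    flags = []
    for r in records:
        host = r["hostname"]
        directory = r["path"].lower().rsplit("\\", 1)[0] + "\\"
        if not directory.startswith(expected_dirs):
            flags.append((host, "unexpected path: " + r["path"]))
        if vetted_md5 and r["md5"] not in vetted_md5:
            flags.append((host, "unvetted md5: " + r["md5"]))
        if r["cmdline"] != baseline_cmd:
            flags.append((host, "command line differs from majority: " + r["cmdline"]))
        if (r["filemod_count"], r["netconn_count"]) != (baseline_filemods, baseline_netconns):
            flags.append((host, "filemod/netconn counts %d/%d differ from majority %d/%d"
                          % (r["filemod_count"], r["netconn_count"],
                             baseline_filemods, baseline_netconns)))
    return flags


def main():
    records = load_records(SAMPLE_CSV)
    print("%d LSASS child processes on %d hosts" %
          (len(records), len({r["hostname"] for r in records})))
    for md5, hosts in sorted(hash_breakdown(records).items()):
        print("  %s: %d host(s) %s" % (md5, len(hosts), ", ".join(hosts)))
    # The two hashes that were checked against VirusTotal/File Advisor (constructed).
    vetted = {"bcb8aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "f17ebbbbbbbbbbbbbbbbbbbbbbbbbbbb"}
    for host, reason in flag_anomalies(records, vetted_md5=vetted):
        print("  FLAG %s: %s" % (host, reason))


if __name__ == "__main__":
    main()
```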
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Speaking (er, well, writing) of hash, we'll go ahead and knock that out. <a href="https://www.virustotal.com/" rel="nofollow" target="_blank">VirusTotal</a> and File Advisor both came up clean:</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FkCqcj5qWnI1fOtYfYyeuxPVUsDQ1YFTekrsVZ4kTiwAng_RrDnFyoxLZBKwQ76b0Xov6lyfOJlZ__g4xOkLQD-BVpl_2ITFVzb5rk9Aagbyrbuwu4bUu0StnAIkyUjgK8XwRiFIACrE/s1600/bcb8_vt_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FkCqcj5qWnI1fOtYfYyeuxPVUsDQ1YFTekrsVZ4kTiwAng_RrDnFyoxLZBKwQ76b0Xov6lyfOJlZ__g4xOkLQD-BVpl_2ITFVzb5rk9Aagbyrbuwu4bUu0StnAIkyUjgK8XwRiFIACrE/s1600/bcb8_vt_results.png" height="640" width="524" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihpn_hPmZ1tNn7dNj91PM3n8T8Lka4QBv0nfHKkAmRGrGThViali_xx3R9m0Wuw8_vbBsME3IpGJThAmcESfK7YGI6_ErPqxqsvz8bItfcxdLzvlvUoiC4wxnkzdS1KL0_kumTeB_ZgvV6/s1600/bcb8_bit9_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihpn_hPmZ1tNn7dNj91PM3n8T8Lka4QBv0nfHKkAmRGrGThViali_xx3R9m0Wuw8_vbBsME3IpGJThAmcESfK7YGI6_ErPqxqsvz8bItfcxdLzvlvUoiC4wxnkzdS1KL0_kumTeB_ZgvV6/s1600/bcb8_bit9_results.png" height="570" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFjAwOIRomswidk6u9-wu8vuiW0rNSKRA1an5tjrYCPoBsEwC5eSm39XhdMdON3B6U-wQirBekndd5xEriTObfr4xJJs42N32lEe8Z5KXZcRgUyvkp5rkumROGluRCRECjcL_2d1h3IZ9W/s1600/f17e_vt_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFjAwOIRomswidk6u9-wu8vuiW0rNSKRA1an5tjrYCPoBsEwC5eSm39XhdMdON3B6U-wQirBekndd5xEriTObfr4xJJs42N32lEe8Z5KXZcRgUyvkp5rkumROGluRCRECjcL_2d1h3IZ9W/s1600/f17e_vt_results.png" height="640" width="578" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhchKnaBzEtDSa7o96vcW9Ug-xlTg7mTjOXgTFTA0ss_P-ZbIvUlFjQINTWKm_X4EP15tMuzbXIVT8ecQ7-lYCXmldhssPJudt6j4JW0HqRb60LfBhX3xFJQpIv56nwXAQFsEGOMu_oX8_0/s1600/f17e_bit9_results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhchKnaBzEtDSa7o96vcW9Ug-xlTg7mTjOXgTFTA0ss_P-ZbIvUlFjQINTWKm_X4EP15tMuzbXIVT8ecQ7-lYCXmldhssPJudt6j4JW0HqRb60LfBhX3xFJQpIv56nwXAQFsEGOMu_oX8_0/s1600/f17e_bit9_results.png" height="476" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Alright, now back to the fun stuff - filemods and netconns for this sweet child o' lsass. Oh, first - this'll be quick, I promise - we can take a look at more details about the two binaries in question (as binaries, not as the named processes).</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEDNbyLok6kW5CAtf51GIOqpl5TXhdW6Ly2U7REni0nW_hDWbkrjTzDZsb-h5gC1Nm4ev9E0vhh_GULNeihVN6bvo60cqGBcBjMgDHucob8OQTALqDu1FFkHbkW7zMeCejCnvbciMU_S-x/s1600/bcb8_binary_view2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEDNbyLok6kW5CAtf51GIOqpl5TXhdW6Ly2U7REni0nW_hDWbkrjTzDZsb-h5gC1Nm4ev9E0vhh_GULNeihVN6bvo60cqGBcBjMgDHucob8OQTALqDu1FFkHbkW7zMeCejCnvbciMU_S-x/s1600/bcb8_binary_view2.png" height="334" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNStEjtDYl3rk-1DH5aMaG5w4cHzovwKtq4b37jqt65yBoC99AR6tlmOYcaslX4T_qIF0aQyspOYjC1UPFfvnRUpA-HxLFIF1KT461MqFa0B-8JljSKWkG6msN9OARleQIbIsT46qS__RU/s1600/f17e_binary_view2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNStEjtDYl3rk-1DH5aMaG5w4cHzovwKtq4b37jqt65yBoC99AR6tlmOYcaslX4T_qIF0aQyspOYjC1UPFfvnRUpA-HxLFIF1KT461MqFa0B-8JljSKWkG6msN9OARleQIbIsT46qS__RU/s1600/f17e_binary_view2.png" height="348" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Along with a few more details, this view shows how many times that particular binary has been seen executing, without any time or other filtering (such as by parent process). Also, using the aptly-labeled "Download" button, I can extract a copy of the raw binary for additional analysis, reverse engineering, and so forth, offline. More on that later; as I said, this would be quick. Now, back to the rest!</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Here's a quick look at each of the processes for analysis:</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCVSBRTjT8pexBzZeOuf6olYgr28gPokaWQpl7XJlhQgBCLCqXaiz8xMmsPUCXvhXbAczqbn0MHHnG464TNHDaX-cx2mweIKBNdMBufFyZULqVZ0LzHJwGJoTRcx-UikiJZPVtXSsfTUaH/s1600/efsui_bcb8_analysis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCVSBRTjT8pexBzZeOuf6olYgr28gPokaWQpl7XJlhQgBCLCqXaiz8xMmsPUCXvhXbAczqbn0MHHnG464TNHDaX-cx2mweIKBNdMBufFyZULqVZ0LzHJwGJoTRcx-UikiJZPVtXSsfTUaH/s1600/efsui_bcb8_analysis.png" height="256" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">You can see that the relationship between wininit.exe and lsass.exe is as expected; it's just that the latter spawns efsui.exe as a process (which of course we already knew by this time). We see the command-line parameters again, and the fact that it's signed by MS. What's new here is that the username (obfuscated) is the domain account of the actual end-user; it's not SYSTEM or another non-human account (actually, it's in the binary preview window as well, but I really just wanted to call it out here, rather than there). Also, pay attention to the "Export events to CSV" button in the top right (more on that later as well). And, more of the same from the other version of the process...</span></div>
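<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">As an added example (not code from the original post, and not Carbon Black's data model or API), here is how the "lsass.exe shouldn't have children" expectation can be checked against a process snapshot instead of eyeballed. The Proc record and the SAMPLE rows are constructed; the efsui.exe row mirrors what's described above (wininit.exe as the parent of lsass.exe, efsui.exe signed by Microsoft and running as the end user's domain account), and the unsigned updater.exe row is there only so the check has something to contrast it with. The output is a list of observations per child for the analyst to weigh, not a verdict.</span></div>

```python
"""Flag child processes of lsass.exe in a process snapshot.

Added example, not code from the original post or from Carbon Black.
The Proc record and every row in SAMPLE are constructed for illustration;
the efsui.exe row mirrors what the post describes (wininit.exe ->
lsass.exe -> efsui.exe, signed by Microsoft, running as the end user's
domain account). Nothing here is the sensor's real data model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    signer: Optional[str]  # publisher from the Authenticode cert, None if unsigned
    user: str


SYSTEM32 = r"c:\windows\system32" + "\\"

# Constructed snapshot (not real telemetry). The last row is an unsigned
# binary in a user-writable directory, included only to show what the
# check reports for a child that does not look like efsui.exe.
SAMPLE: List[Proc] = [
    Proc(4, 0, "System", "", None, r"NT AUTHORITY\SYSTEM"),
    Proc(400, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", "Microsoft Windows", r"NT AUTHORITY\SYSTEM"),
    Proc(520, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe", "Microsoft Windows", r"NT AUTHORITY\SYSTEM"),
    Proc(560, 400, "services.exe", r"C:\Windows\System32\services.exe", "Microsoft Windows", r"NT AUTHORITY\SYSTEM"),
    Proc(3120, 520, "efsui.exe", r"C:\Windows\System32\efsui.exe", "Microsoft Windows", r"CORP\jdoe"),
    Proc(3300, 520, "updater.exe", r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", None, r"CORP\jdoe"),
]


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def lsass_lineage_ok(procs: List[Proc]) -> bool:
    """True when every lsass.exe is a direct child of wininit.exe (the expected lineage)."""
    table = by_pid(procs)
    lsass = [p for p in procs if p.name.lower() == "lsass.exe"]
    if not lsass:
        return False
    return all(
        table.get(p.ppid) is not None and table[p.ppid].name.lower() == "wininit.exe"
        for p in lsass
    )


def assess_child(child: Proc) -> List[str]:
    """Observations about one child of lsass.exe. An empty list means the child is a
    signed Microsoft binary in System32 running under a service account."""
    notes: List[str] = []
    if child.signer is None:
        notes.append("unsigned")
    elif not child.signer.lower().startswith("microsoft"):
        notes.append(f"signed by {child.signer!r}, not Microsoft")
    if not child.path.lower().startswith(SYSTEM32):
        notes.append("image is not in System32")
    if not child.user.upper().startswith("NT AUTHORITY\\"):
        # Not inherently bad: the post's efsui.exe runs as the end user. Worth noting.
        notes.append(f"runs as {child.user}, an interactive user rather than a service account")
    return notes


def lsass_children(procs: List[Proc]) -> List[Tuple[Proc, List[str]]]:
    """Every process whose parent is lsass.exe, paired with its observations."""
    lsass_pids = {p.pid for p in procs if p.name.lower() == "lsass.exe"}
    return [(p, assess_child(p)) for p in procs if p.ppid in lsass_pids]


if __name__ == "__main__":
    print("lsass lineage as expected:", lsass_lineage_ok(SAMPLE))
    for child, notes in lsass_children(SAMPLE):
        print(f"lsass child {child.name} (pid {child.pid}): {'; '.join(notes) or 'no deviations'}")
```

<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Run as-is, the efsui.exe child comes back with a single observation (it runs as the user, not SYSTEM), which is exactly the detail called out above and the one that needs explaining rather than alarming; the constructed updater.exe row collects three. Same parent, very different follow-up.</span></div>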
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTQh3nfqnBYDZIO8FuF2w2c3E-UMwAt3kmi_FmSm_NvZEItYn-NGDOMBVx94h2OZRSLzV68Hm0SLAHKfWH1RbDC7H864lioBrf6SW9wiM-85Q_Dqbm8P8Sk0Cy1kCiNDyuIWurXlkmqP-B/s1600/efsui_f17e_analysis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTQh3nfqnBYDZIO8FuF2w2c3E-UMwAt3kmi_FmSm_NvZEItYn-NGDOMBVx94h2OZRSLzV68Hm0SLAHKfWH1RbDC7H864lioBrf6SW9wiM-85Q_Dqbm8P8Sk0Cy1kCiNDyuIWurXlkmqP-B/s1600/efsui_f17e_analysis.png" height="258" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">We were going to look into filemods and netconns if I recall correctly (and of course I do), so don't stop now...</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">You can't see the whole screen above, but just underneath the process map, there are some "facets" to speed up queries/drills/searches based on different criteria (of course, we're going to look at filemods and netconns - aren't you just tired of hearing about how we're "going" to do that?). </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEq9S8S4sQLX5ipIRNQUib_ZRE-AQ3rAOk3_XIYVTFg9g97-B9BUM9IKverSJ2FYvwx10F2i_0hHRSPiBwZ2HEa7dGzL7auZbZmj8znRf5hbhfZvxatg0AGSA_XgPhCoL9K6RORD8eSd5E/s1600/efsui_facets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEq9S8S4sQLX5ipIRNQUib_ZRE-AQ3rAOk3_XIYVTFg9g97-B9BUM9IKverSJ2FYvwx10F2i_0hHRSPiBwZ2HEa7dGzL7auZbZmj8znRf5hbhfZvxatg0AGSA_XgPhCoL9K6RORD8eSd5E/s1600/efsui_facets.png" height="150" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Clicking on filemods highlights some other areas within that category of activity, and also focuses our results on just those. Thus, we can see that the actions are broken down equally between creation and first write, and that only three directories were utilized, all within the user profile under AppData\Roaming (clicking on any of those would highlight only those pieces of information, thus narrowing the search further). Next up are the event details.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWOn_iWqGiWbslZi-CSbgNAGQQsdkVpkR4qYq2C9CrDVxPXrEKhYejuOYsPQiwh2T2Lp_tW73tY06G-zAy-cOajBa3C1gvvfzfZ7JL7_Q4ILE26aklYc_gk-KnnfjTAi-W6GxlzQMgjfnq/s1600/efsui_filemod_facet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWOn_iWqGiWbslZi-CSbgNAGQQsdkVpkR4qYq2C9CrDVxPXrEKhYejuOYsPQiwh2T2Lp_tW73tY06G-zAy-cOajBa3C1gvvfzfZ7JL7_Q4ILE26aklYc_gk-KnnfjTAi-W6GxlzQMgjfnq/s1600/efsui_filemod_facet.png" height="116" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiVbBm9elRjZfFyqXt0fYNqx0HDRZuYKqrpx3yz5_vWlre4YFa7mVQW2nY8yOosT25Wh5iYOhPpzNwN3z8XRN-tWgfOx9kQs0rM18cNxdeM8Wa78ugJfyHXNM8sX1PCxo6iTTALRFgC81f/s1600/efsui_filemods_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiVbBm9elRjZfFyqXt0fYNqx0HDRZuYKqrpx3yz5_vWlre4YFa7mVQW2nY8yOosT25Wh5iYOhPpzNwN3z8XRN-tWgfOx9kQs0rM18cNxdeM8Wa78ugJfyHXNM8sX1PCxo6iTTALRFgC81f/s1600/efsui_filemods_2.png" height="172" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Here, in timeline fashion, we get to see file creation and first write (if there were any file deletes, we would see those too), along with some details associated with each. The expanding arrow (as shown on the top entry) shows frequency information (singular in this instance because of the nature of the path), and the "Search" link (in blue) will take us to those results (for instance, if there were multiple systems instead of just one, we'd get to see what those all were). The "Search" box at the top right of the event list lets us find any search string in the results (such as username, filename, part of the path, etc.), if we had something we wanted to jump to quickly (or even just check whether it was present). What's of interest here are the paths involved, which start to make sense in light of the MS document I mentioned earlier (the same goes for regmods, but I'm not going to go into those for the sake of brevity).</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Clicking on filemod in the facets again clears that drill, and we can switch over to netconns.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZff2tWB0cJdRAWpsGE7AdthuGDl04v6GdKjoF-r77B25ejW5jStjZF31hnaJlG2mgOLK-zMJaRgwdgc-RWSkqK1xaCxcivMW1vsBiy40cAN67UuEDb3JZqTMdQ-gAt2Balym-VMLR7Ufx/s1600/efsui_netconn_detail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZff2tWB0cJdRAWpsGE7AdthuGDl04v6GdKjoF-r77B25ejW5jStjZF31hnaJlG2mgOLK-zMJaRgwdgc-RWSkqK1xaCxcivMW1vsBiy40cAN67UuEDb3JZqTMdQ-gAt2Balym-VMLR7Ufx/s1600/efsui_netconn_detail.png" height="130" width="640" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Basically, the two netconns were pointing to domain controllers, and as can be seen from the frequency information, those DCs are quite common from a connectivity perspective (as one would expect, being DCs). The interesting thing here is the ports involved, which make it look like LDAP is in play. </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Okay, we're getting down to the wrap-up stage (thanks for sticking with me this far, I know it's been a lengthy post/novella at this point). What it appears we have are known, signed, MS executables associated with the Encrypting File System (EFS) for transparent file encryption, reaching out as the logged-in user to domain controllers for authentication, using LDAP. But is that really truly what's going on? Do we know enough to say that at this point? Are there any additional checks we could do, ways to validate/verify this theory? </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">What about looking at other activity on the system for suspicious processes, network communications, or known malware? Any evidence to suggest that EFSUI.exe had been injected with other code after it started running? What about packet captures for these LDAP connections - are they really normal authentication for the process? Any corroborating logs from firewalls, the DCs, etc? Is EFS used in the environment, or is the user known to do so specifically? What about the binaries involved - does reverse engineering (RE) indicate any oddities or abnormalities? </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Do you remember that there is the ability to extract a binary for offline analysis? So RE is definitely a possibility. Firewall and DC event logs should be reasonable to expect (although not necessarily a given). Packet captures from the time of the event (in the past) would require some dedicated NSM for streaming pcaps, but would be a really good way to help determine what's going on inside those netconns. And we can certainly dig into the more detailed process and binary analysis on the hosts in question. That "Export events to CSV" button I mentioned earlier? Gives output like this, with a CSV for each "type" of activity, and will also include child processes if available (there weren't any for efsui):</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjipXv_46BuKDuxHYEZ8nALWvVnQfyL8aMAEXBKD8ulwDZcY4A23j3ecyhRooZswoRQTiu8sMVuTH1natoKdjbwXy2pFZfpC8cY7x_Is4o0LngSiEAqw92pcx5Rk1wRFP80KNR2oXiMhbrB/s1600/efsui_analysis_export.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjipXv_46BuKDuxHYEZ8nALWvVnQfyL8aMAEXBKD8ulwDZcY4A23j3ecyhRooZswoRQTiu8sMVuTH1natoKdjbwXy2pFZfpC8cY7x_Is4o0LngSiEAqw92pcx5Rk1wRFP80KNR2oXiMhbrB/s1600/efsui_analysis_export.png" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Note: The "Summary" text file gives some info about the process or binary being analyzed (name, hash, path, etc).</span></div>
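<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">The filemod and netconn facets walked through above (action type and directory for filemods, destination and port for netconns) can be reproduced offline against those CSV exports, which is handy once the data leaves the console. This is an added example, not code from the original post or from Carbon Black: the CSV column layout, the paths, SID, addresses and domain names are all constructed, and the port-to-service table is the standard LDAP port assignment, not something taken from the post.</span></div>

```python
"""Offline facet drill over exported filemod and netconn CSVs.

Added example, not code from the original post or from Carbon Black.
The two CSV layouts and every row in them are constructed for
illustration (the shape the post describes: creates and first writes
split evenly across three directories under AppData\\Roaming, and two
connections to domain controllers on an LDAP port). They are not the
sensor's real export format or real telemetry.
"""
import csv
import io
import ntpath
from collections import Counter
from typing import Dict, Iterable, List

# Constructed filemod export. The SID, hashes and container name are placeholders.
FILEMODS_CSV = r"""timestamp,action,path
2014-06-01T14:02:11Z,create,C:\Users\jdoe\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0123456789ABCDEF
2014-06-01T14:02:11Z,first write,C:\Users\jdoe\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0123456789ABCDEF
2014-06-01T14:02:11Z,create,C:\Users\jdoe\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\FEDCBA9876543210
2014-06-01T14:02:11Z,first write,C:\Users\jdoe\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\FEDCBA9876543210
2014-06-01T14:02:12Z,create,C:\Users\jdoe\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1111111111-2222222222-3333333333-1001\placeholder_key_container
2014-06-01T14:02:12Z,first write,C:\Users\jdoe\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1111111111-2222222222-3333333333-1001\placeholder_key_container
"""

# Constructed netconn export (private addresses, example domain names).
NETCONNS_CSV = r"""timestamp,remote_ip,remote_port,protocol,direction,domain
2014-06-01T14:02:12Z,10.0.0.10,389,tcp,outbound,dc01.corp.example
2014-06-01T14:02:12Z,10.0.0.11,389,tcp,outbound,dc02.corp.example
"""

# Well-known Active Directory LDAP ports (standard assignments, not from the post).
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "LDAP-GC", 3269: "LDAPS-GC"}


def load_rows(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def facet_filemods(rows: List[dict]) -> Dict[str, Counter]:
    """Counts by action and by containing directory, like the console's filemod facets."""
    return {
        "actions": Counter(r["action"] for r in rows),
        "directories": Counter(ntpath.dirname(r["path"]) for r in rows),
    }


def outside_roaming(directories: Iterable[str], profile_root: str) -> List[str]:
    """Directories that fall outside the profile's AppData/Roaming; the post expects none."""
    roam = ntpath.join(profile_root, "AppData", "Roaming").lower() + "\\"
    return sorted(d for d in directories if not (d.lower() + "\\").startswith(roam))


def facet_netconns(rows: List[dict]) -> Dict[str, Counter]:
    """Counts by destination and by service name inferred from the remote port."""
    dests = Counter((r["domain"], r["remote_ip"], int(r["remote_port"])) for r in rows)
    services = Counter(
        LDAP_PORTS.get(int(r["remote_port"]), f"{r['protocol']}/{r['remote_port']}") for r in rows
    )
    return {"destinations": dests, "services": services}


if __name__ == "__main__":
    fm = facet_filemods(load_rows(FILEMODS_CSV))
    print("filemod actions:", dict(fm["actions"]))
    for d, n in fm["directories"].items():
        print(f"  {n} x {d}")
    print("outside AppData\\Roaming:", outside_roaming(fm["directories"], r"C:\Users\jdoe"))
    nc = facet_netconns(load_rows(NETCONNS_CSV))
    print("netconn services:", dict(nc["services"]))
    for (dom, ip, port), n in nc["destinations"].items():
        print(f"  {n} x {dom} ({ip}:{port})")
```

<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">The "outside_roaming" check is the part worth keeping around: the console showed three directories all under AppData\Roaming, and a script that asserts that boundary will tell you the moment an export for another host or another day doesn't fit the pattern. The service map only labels ports; whether the traffic on them is really LDAP authentication is the packet-capture question raised below.</span></div>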
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">These spreadsheets provide a veritable plethora of information about the process or binary being analyzed. Don't know if you noticed, but there was a section on the analysis page referencing "Alliance Feeds" - this provides info about matches to VirusTotal, known bad domains, and other "intel" related to activity that might be full of evil. Rather than a specific process to search for, you could also start with a given endpoint/host, any of these threat feeds, or some custom query for known indicators (based on firewall, IPS, or other threat "intel" you have). Anyway, all that to say that if you wanted to correlate the activity from EFSUI.exe as a child process of LSASS.exe to any other activity, to help determine whether this is benign or the most evil thing on the planet, there's a lot you can do. And again, not just with CarbonBlack - you can set up a packet capture for a period of time (host, router, switch, firewall, etc.), perform memory analysis, targeted triage (such as popularized by <a href="http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html" rel="nofollow" target="_blank">Harlan Carvey</a>, <a href="http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html" rel="nofollow" target="_blank">Corey Harrell</a>, and <a href="http://blog.spiderlabs.com/.services/blog/6a0133f264aa62970b013488d08a70970c/search?filter.q=sniper+forensics" rel="nofollow" target="_blank">Chris Pogue</a> to name a few key folks), or even (gasp!) a full disk image with timeline and analysis galore! </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Maybe the information here is enough to make a determination and speak authoritatively about what happened, and whether there are any unremediated or ongoing risks. However, it's really ultimately about those risks, and as investigators we may not be the decision-makers (in fact, most likely are not). We can inform the decision-makers of our findings and recommendations, but we also have to be honest and explain what options are available, what those options would provide (and at what cost), and what potential risks could be incurred (and the probability thereof) by not pursuing the aforementioned options. Want to know more on this subject? Come to my talk at the SANS DFIR Summit in June - <i>To Silo, or Not to Silo: That is the Question</i>. More info is available about the <a href="http://dfir.to/1iGJSj7" rel="nofollow" target="_blank">Summit here.</a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Thanks again for "listening" to my tale about the sweet child o' lsass, and remember ... you may <i>know</i> that lsass doesn't have any child processes, but if you don't verify or validate that, you might just reach the wrong conclusions, and that probably wouldn't be good in a "real life" scenario. </span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Happy Hunting!</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;">
</span>Little Mac http://www.blogger.com/profile/16829704053692764714 noreply@blogger.com 0 tag:blogger.com,1999:blog-5905877434106273050.post-7212752997798102708 2014-05-10T18:34:00.002-05:00 2014-05-10T18:46:39.126-05:00 Did You Know? ... or ... What Is Normal?<div>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">We all know that in Windows, explorer.exe (the user shell and graphical file system interface) is the parent process of applications the user launches from the desktop, Start menu or taskbar, such as Internet Explorer (iexplore.exe). That's normal; we all know it, and it looks a little something like this:</span><br />
<br />
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghb6IHMTZqww3Wt5VxKGlLfKfcKsy3G45Zj3FRqVEiV_gBq9gYz4pXILC6hQQnlsRXI6_2meDv3hdOnWGOO4B9h0lGOxSibmGCdYeZ76VTAR9nqjg0iTclxlsaeZO2QCGRir8-Lnj8Wal/s1600/iexplore_ph1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghb6IHMTZqww3Wt5VxKGlLfKfcKsy3G45Zj3FRqVEiV_gBq9gYz4pXILC6hQQnlsRXI6_2meDv3hdOnWGOO4B9h0lGOxSibmGCdYeZ76VTAR9nqjg0iTclxlsaeZO2QCGRir8-Lnj8Wal/s1600/iexplore_ph1.png" height="182" width="320" /></a></div>
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
That's great and all, but did you know that's not always the case, at least in the matter of iexplore.exe? Sure, of course you did. Maybe you haven't thought about it before, but you <i>do</i> know.</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
What happens when you're on a 64-bit system, and launch the 64-bit version of Internet Explorer? Did you note the drop-down arrow next to it in the screenshot? Well, that looks a little something like this:</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
First, there's the "parent" iexplore.exe (pay no attention to the changing PIDs, please); its path is "Program Files." Then there's the "child" iexplore.exe, whose path is "Program Files (x86)," which tells you the child is a 32-bit process and, therefore, that the parent is 64-bit. That is the default layout of IE on 64-bit Windows: a 64-bit frame process with 32-bit tab processes under it (with Enhanced Protected Mode enabled in IE10/IE11 the tab processes can run 64-bit as well, so the path is a strong hint rather than an iron rule). So, a "new" "normal," then?</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FBM2NoVQxr9z-0I5F-voPvOTIhhfW_rMLbuZKQNENWOyvuja5nI1n_jKF0mB3QcRDwGVg8zsybqqYVGl5ZEXlhf8WBlpecMeCAomo_D_LPJdzW_w66DRIh44MElWxZpHJEwgdfN6mtep/s1600/iexplore_ph2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FBM2NoVQxr9z-0I5F-voPvOTIhhfW_rMLbuZKQNENWOyvuja5nI1n_jKF0mB3QcRDwGVg8zsybqqYVGl5ZEXlhf8WBlpecMeCAomo_D_LPJdzW_w66DRIh44MElWxZpHJEwgdfN6mtep/s1600/iexplore_ph2.png" height="145" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCpIRO0qNBDf5Nd4f-qpV1EY3hI3wTJiO8DeGwqa5H5DzEj_blQ7bnmgmK3qJ9EuvUj1Hfid0dHDqqlZ3HdjmFpj5y6jbaZucZzIRinja0XYL0B5cHnzbgc9jzslr10FTw0gned3eYM-TR/s1600/iexplore_ph3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCpIRO0qNBDf5Nd4f-qpV1EY3hI3wTJiO8DeGwqa5H5DzEj_blQ7bnmgmK3qJ9EuvUj1Hfid0dHDqqlZ3HdjmFpj5y6jbaZucZzIRinja0XYL0B5cHnzbgc9jzslr10FTw0gned3eYM-TR/s1600/iexplore_ph3.png" height="188" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
And of course you realize that if IE is the default browser and isn't already running when you click a link in an email client (such as Outlook), then Outlook, rather than Explorer, will be the parent of IE. Another normal. You <i>get</i> it. Here's how that pans out:</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggfNw1XXP7SfVunvs_iegudVmtWcOihc-40EKhzNOQe5BedFrX-cKFJI1eg3U7S3EYIJdw1Jxtx_EmVE6CSa7uKUCPXUQlsfZFV8qcBTj2wcvk-q7LTJkHaHdcg_8G4I5_zo-R8zZ08aL_/s1600/iexplore_3b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggfNw1XXP7SfVunvs_iegudVmtWcOihc-40EKhzNOQe5BedFrX-cKFJI1eg3U7S3EYIJdw1Jxtx_EmVE6CSa7uKUCPXUQlsfZFV8qcBTj2wcvk-q7LTJkHaHdcg_8G4I5_zo-R8zZ08aL_/s1600/iexplore_3b.png" height="128" width="640" /></a></div>
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
So, the user clicks a link in email (outlook.exe), which then spawns the browser (iexplore.exe), just as I noted above. What's cool here is that the command-line parameters (on the right in the screenshot) show where the user was being taken; that URL is worth recording, because it is what the user was actually sent to, whatever the link text in the message said. Good stuff.</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
So anyway, the other day I thought I'd do some digging into all the times that Explorer is NOT the parent of IE; partly I wanted to challenge my knowledge, but also to see if I had an opportunity to find any evil, or to build query filters that would help separate the signal from the noise for evil in the future. I ran some queries to find all instances of IE in my environment where Explorer was NOT the parent process. There are actually quite a few; you might be surprised. The predominant parents were iexplore.exe, svchost.exe, and outlook.exe. Okay, we've already discussed the first and last of those, but the middle? Do what?</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
First, let's revisit the first one, because this is not the same as above; this is a 32-bit iexplore.exe spawning another 32-bit iexplore.exe (frame process and tab process), at its tabular best:</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyjmVveujeMPxHm2vcmE8IsnxCHW53ZWL7Vrl_Io9H1eCW_8iUJtRrS9W5ds-OlpXtPs1qhBNwy5XLZgvIs8al8PePOA_SzIuEiTwJ73baVYkf_6gEZ49OoXWSGXEl2Z9rRQaq-0tvtYRt/s1600/iexplore_1b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyjmVveujeMPxHm2vcmE8IsnxCHW53ZWL7Vrl_Io9H1eCW_8iUJtRrS9W5ds-OlpXtPs1qhBNwy5XLZgvIs8al8PePOA_SzIuEiTwJ73baVYkf_6gEZ49OoXWSGXEl2Z9rRQaq-0tvtYRt/s1600/iexplore_1b.png" height="198" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Parent process is on the left, child on the right. Then on the right in the middle, you have the SCODEF and CREDAT references, which indicate an IE tab process. SCODEF carries the PID of the frame process that owns the tab, i.e. the parent. If you look back up at the ProcessHacker screenshots above, you'll see the parent IE is PID 7760; this is referenced by SCODEF for the child process. That also gives you a check rather than an assumption: a child iexplore.exe whose SCODEF value does not match its actual parent PID (allowing for a parent that has since exited and a PID that has been reused) deserves a second look. And it's not just me, covered in Cheetos (R) dust, making this stuff up. Here's a reference (granted, for IE8) from <a href="http://blogs.msdn.com/b/askie/archive/2009/03/20/how-to-i-determine-which-ie-tabs-go-to-which-iexplore-exe-process-when-using-internet-explorer-8.aspx" rel="nofollow" target="_blank">MSDN Blogs</a>.</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
SVCHOST! SVCHOST! WE WANT SVCHOST! </div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Yes, yes, I promised you svchost.exe as a parent to IE. Now, let's pause for a second and remind ourselves what is <i>normal</i> for svchost.exe, too. While there may be multiple instances of svchost.exe running at any one time, the parent should always be services.exe. That's <i>normal</i>, and we all know it. Okay, remember that. There is a scenario, which if you've spent some time reviewing the <a href="http://digital-forensics.sans.org/blog/2014/03/26/finding-evil-on-windows-systems-sans-dfir-poster-release" rel="nofollow" target="_blank">SANS DFIR Find Evil poster</a> you are aware of, wherein IE is started with the "-embedding" command-line switch. That switch is what COM passes when it launches an application as an out-of-process server (something automating IE through COM, for instance), and the launch is performed by the DCOM launcher service, which lives in an svchost.exe; in this instance, the parent won't be explorer.exe. Looks like this:</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLIphxz2BeDkrcJk8THpf3PW6GydQL1CGvru6gludSt_LNxgOlonSjOZkA5zwX_tjH2aBv5H-NZ_qeBdCwEPtIDA1vs4J8OEzTbCRrwGLwTYrYTUv_8_N1lKtP7bVkXvWtRzAzhgxm02ns/s1600/iexplore_5b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLIphxz2BeDkrcJk8THpf3PW6GydQL1CGvru6gludSt_LNxgOlonSjOZkA5zwX_tjH2aBv5H-NZ_qeBdCwEPtIDA1vs4J8OEzTbCRrwGLwTYrYTUv_8_N1lKtP7bVkXvWtRzAzhgxm02ns/s1600/iexplore_5b.png" height="158" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
That -embedding switch is over on the right, and as you see on the left, the parent is svchost.exe. One caveat: anything can be started with "-embedding" on its command line, so the switch by itself doesn't make a launch legitimate; which svchost.exe instance (which service group) is the parent is the more telling detail. Done, right? No, not quite yet. Take a peek at what's next...</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd5jQISJ7HZZhTttwMmrvbb78-bbsG4y8jbJS2hyphenhyphengVD6mwdfQyhzHszRx9MhXkw_GxD8eaMOXpdTYZUZAvBqhj-i4vQ66BiZI2sW3Ispx6MmvCX08lMt7D-rzDgBxaWbJZH36Y1xo2T64F/s1600/rpcnet_1b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd5jQISJ7HZZhTttwMmrvbb78-bbsG4y8jbJS2hyphenhyphengVD6mwdfQyhzHszRx9MhXkw_GxD8eaMOXpdTYZUZAvBqhj-i4vQ66BiZI2sW3Ispx6MmvCX08lMt7D-rzDgBxaWbJZH36Y1xo2T64F/s1600/rpcnet_1b.png" height="232" width="640" /></a></div>
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
What we're looking at here is just a wee bit different. This isn't so much about IE, although that comes into play too, but more to the point of svchost.exe and its parent. If you see a parent other than services.exe, you may start getting concerned about malware. Then you see rpcnet.exe, which sounds legit (ish), but still isn't normal, and you're probably more concerned about malware, since malware often uses names similar to legit names so as to look "normal." In addition, this rpcnet.exe is <i>signed</i>, and we all know that signed code is used to get past antivirus, HIPS, and other products that trust a valid signature; a signature tells you who signed the file, not whether it is benign. So, is this malware? </div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Well, opinions might vary, and it certainly behaves like malware. However, it is - in this instance - normal and legit. It's actually associated with embedded tracking software to help deal with stolen computer assets. Of course, while I might "know" that, someone could be trying to get one over on me by masquerading their malware as a process I'd expect to see, so how could I further verify that? If you know anything about this tracking software, it's not designed to be "normal" and is difficult to validate - it really truly does operate very much like malware. So I'd most likely have to turn to other sources of evidence (the binary's signer and hash, the service entry that starts it, and possibly even packet captures) to see where it was going and how it was communicating. If you want to know more about why validating your findings, from multiple types and sources of evidence, matters, come to my talk (<i>To Silo, or Not to Silo: That is the Question</i>) at the <a href="http://dfir.to/Frank-Summit14" rel="nofollow" target="_blank">SANS DFIR Summit in Austin this June</a>. </div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Anyway, the SANS DFIR Find Evil poster talks about knowing what "abnormal" is, but in order to know that, you have to know what "normal" is. Old story, but that's the same way people are trained to spot counterfeit money: learn what "good" money looks like, so you can spot what's not. When it comes to normal with computers, and especially in enterprises, there are "global" norms and "environmental" norms. The globals are things like the 32-bit spawn from the 64-bit parent IE, the SCODEF references for child tabs (which include the home page, by the way), and Outlook links spawning instances of IE to reach the websites. Environmentals aren't out to save the computer, but they are things like tracking software sitting in between services.exe and svchost.exe. If you know what those are for your world, you'll be much better off when it comes to finding evil, and separating the signal from the noise.</div>
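<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
As an added example (not code from this post or from any tool it mentions), the Python below turns the global norms above into checks that can be run over a process list: explorer.exe or outlook.exe as the parent of iexplore.exe, an iexplore.exe parent only when the child's SCODEF value matches the actual parent PID, an svchost.exe parent only with -Embedding on the command line, and services.exe as the parent of svchost.exe. Environmental norms go in a separate allowlist and are surfaced as notes rather than silenced. The rpcnet.exe allowlist entry, the sample process list, and every PID in it other than the frame process 7760 from the screenshots are assumptions constructed for the example; on a live host the same four fields come from Win32_Process (ProcessId, ParentProcessId, Name, CommandLine) or from EDR process telemetry.</div>

```python
"""Triage iexplore.exe and svchost.exe by parent process.

Added example for this post (not the author's code). It encodes the
"global" norms described in the post (explorer/outlook parents, frame-to-tab
SCODEF pairing, svchost with -Embedding, services.exe as svchost's parent)
plus an "environmental" allowlist, and runs them over a constructed
process list shaped like the post's screenshots.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str      # image name as reported, e.g. "iexplore.exe"
    cmdline: str   # full command line as reported by the EDR / WMI query


# Global norms: expected on any Windows box.
IE_GLOBAL_PARENTS = {"explorer.exe", "outlook.exe"}
SVCHOST_GLOBAL_PARENT = "services.exe"

# Environmental norms: only true for a particular environment. This entry
# is an assumption for the example (the asset-tracking agent from the post);
# keep such entries short and re-verify them out of band.
SVCHOST_ENV_PARENTS = {"rpcnet.exe"}

SCODEF_RE = re.compile(r"\bSCODEF:(\d+)", re.IGNORECASE)
EMBEDDING_RE = re.compile(r"(?:^|\s)-embedding(?:\s|$)", re.IGNORECASE)


def check_iexplore(child: Proc, parent: Optional[Proc]) -> Optional[str]:
    """Return None when the pair matches a known-normal shape, else a reason."""
    if parent is None:
        return "parent not found (exited, or PID reused): cannot validate"
    pname = parent.name.lower()
    if pname in IE_GLOBAL_PARENTS:
        return None
    if pname == "iexplore.exe":
        # Frame -> tab: SCODEF must name the actual parent PID.
        m = SCODEF_RE.search(child.cmdline)
        if m is None:
            return "iexplore.exe parent but no SCODEF on the child command line"
        if int(m.group(1)) != parent.pid:
            return f"SCODEF:{m.group(1)} does not match parent PID {parent.pid}"
        return None
    if pname == "svchost.exe":
        # COM activation launches IE with -Embedding from the DCOM launcher svchost.
        if EMBEDDING_RE.search(child.cmdline):
            return None
        return "svchost.exe parent without -Embedding"
    return f"unexpected parent {pname}"


def check_svchost(child: Proc, parent: Optional[Proc]) -> Optional[str]:
    """Return None for services.exe, a note for allowlisted parents, else a reason."""
    if parent is None:
        return "parent not found (exited, or PID reused): cannot validate"
    pname = parent.name.lower()
    if pname == SVCHOST_GLOBAL_PARENT:
        return None
    if pname in SVCHOST_ENV_PARENTS:
        # Allowed here, but surfaced: environmental norms deserve periodic re-verification.
        return f"note: environmental norm, parent {pname} (verify the binary out of band)"
    return f"unexpected parent {pname}"


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Run the checks over a process list; returns (pid, name, reason) findings."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)   # None if the parent is gone or the PID was reused
        if name == "iexplore.exe":
            reason = check_iexplore(p, parent)
        elif name == "svchost.exe":
            reason = check_svchost(p, parent)
        else:
            continue
        if reason is not None:
            findings.append((p.pid, name, reason))
    return findings


# Constructed sample, not real telemetry; the frame PID 7760 follows the post's
# screenshots, everything else is invented for the example.
SAMPLE = [
    Proc(500, 450, "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(800, 500, "svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    Proc(1234, 1100, "explorer.exe", r"C:\Windows\Explorer.EXE"),
    Proc(7760, 1234, "iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    Proc(7832, 7760, "iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:7760 CREDAT:71937'),
    Proc(3000, 1234, "outlook.exe", r'"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"'),
    Proc(3100, 3000, "iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://example.com/'),
    Proc(4200, 800, "iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding'),
    Proc(600, 500, "rpcnet.exe", r"C:\Windows\system32\rpcnet.exe"),
    Proc(610, 600, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    # Two invented anomalies so the checks have something to catch:
    Proc(9000, 7760, "iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1111 CREDAT:5'),
    Proc(9100, 1234, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"{pid:>6} {name:<14} {reason}")
```

<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Run as a script it reports three lines: the svchost.exe under rpcnet.exe as a note, the tab process whose SCODEF names a PID other than its real parent, and the svchost.exe hanging off explorer.exe. Everything that matches a global norm stays quiet, which is the point: the rules only describe what is normal, and anything that fails to match is handed to a human rather than labelled evil by the script. A missing parent is reported too, because a parent that has exited (or a reused PID) means the relationship cannot be validated from this snapshot alone.</div>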
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Happy Hunting!</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<br /></div>
</div>
Little Mac http://www.blogger.com/profile/16829704053692764714 noreply@blogger.com 2 tag:blogger.com,1999:blog-5905877434106273050.post-8192057160959092666 2014-03-15T19:38:00.003-05:00 2014-03-16T12:01:34.278-05:00 Presenting DFIR, Shakespeare Style - DFIR Summit 2014<br />
I have been given the opportunity to speak at the SANS DFIR Summit in Austin this year, on a topic that I think is very important. That is, whether there is value in focusing on one discipline within the DFIR realm - not only from a skillset perspective, but also during investigations.<br />
<br />
You can read more about the Summit on the <a href="http://dfir.to/1iGJSj7">SANS website</a>, but here's a quick overview of my talk (titled <i><b>To Silo, or Not to Silo: That is The Question</b></i>): <br />
<br />
Have you ever heard someone say they do network forensics and don't need a host computer to know what happened (or vice versa)? Or an incident handler analyzing RAM make a comment about disk imaging being unnecessary and outdated? Unfortunately, these types of mindsets are problematic because they are limiting - to the investigator, to the evidence, and to our profession.<br />
<br />
These limitations show themselves through incomplete analysis and inaccurate conclusions. If the limitation is real, tangible – for instance if firewall logs are the only available evidence – then we make the most of what we have. Otherwise, incident response should be based on all of the information available to us as investigators – firewall logs, packet captures, system alerts, RAM, filesystems, malicious executables, and so forth. If these are available, but are ignored or overlooked, analysts are missing out on potentially valuable information. When that happens, the conclusions drawn and recommendations made will be incomplete or just plain wrong. In the words of Hamlet, "Ay, there's the rub."<br />
<br />
In this presentation, the audience will be taken through several different real-world scenarios dealing with potentially infected systems, where pieces of evidence are available from some of our "competing" disciplines. Background on each system will be given, to include how it showed up on the radar as potentially compromised; again, this stresses the point that we don't know what happened until we examine all of the available evidence. With each system, different types of evidence or DFIR disciplines are available to help with analysis; these examples will show how each - by itself - falls short in painting the full picture of what happened, and will illustrate our inability to draw concrete conclusions without all the pieces of the puzzle. Without being exhaustive, this presentation will demonstrate the importance of having knowledge, skills, and abilities in multiple DFIR disciplines, and how looking for additional evidence sources can help us perform more accurate analysis and reach more accurate conclusions. <br />
<br />
<i><span style="font-size: x-small;">PS: SANS has a $1000 discount when using the code "SUMMIT" - this is available from March 17th - March 31st. <a href="http://dfir.to/1iGJSj7">More info available here.</a></span></i><br />
<br />
Little Mac (http://www.blogger.com/profile/16829704053692764714)<br />
<br />
Check Your Hash at the Door (published 2013-12-23T23:27:00.001-06:00, updated 2013-12-23T23:29:04.200-06:00)<br />
<br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">A friend recently asked if I would post about using md5deep; he was trying to figure out how to use it to compare against the NSRL hash library and was having some difficulties. Well, maybe it's stretching to say he asked if I would. He asked for some help in figuring it out, and at the end of it all, I offered to post some stuff; he said it might be useful. So if I put a PR spin on it, I was specifically asked, because of my great and wondrous knowledge. How's that? :)</span><br />
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span>
<br />
<div>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Oh, and if you're wondering at my use of the term "<i>friend</i>," you can always substitute "<i>person who pretends not to hate me as much as others do</i>" if that makes you feel better. I know some of you don't think it's possible that I actually have friends, so I feel I have to give you a way out...</span></span><br />
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Anyhow, to be honest, I've not ever used md5deep for that specific purpose. I've always used something like FTK or EnCase. I know, I know, don't be hatin'. I do a lot with command line tools, and prefer them in many - if not most - cases, but there are some instances where (<u>completely dependent on the scenario</u>), a GUI is just easier and/or the better option. And for what I've done with the NSRL hash libraries, those tools were what was called for (there was more than just deNISTing at hand). </span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">That said, the way I've used md5deep should still accommodate comparing against the NSRL hashes, with just a little bit of tweaking. I've always used it to compare and verify files being copied from various data sources (typically network shares), when using a copy application that couldn't do so. So in that scenario, it works out something like this:</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">We want recursion, possibly a progress/status indicator, and an output file that can be used as the input file for hash comparison.</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Hash the source like:</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="color: blue;"><i>user> md5deep -re "g:\loose_PST_files" > f:\psthash.txt</i></span></span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Hash the destination (and compare to hash of source):</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="color: blue;"><i>user> md5deep -renx f:\psthash.txt "f:\loose_PST_files" > f:\psterrorhash.txt</i></span></span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">This breaks down as follows:</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> -r = recursion</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> -e = progress/status</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> -n = displays known hashes from the input file that did not match any file hashed</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> -x = negative hash matching; reports files not in the input file </span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> g: is the mapped or local source drive</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> f: is the destination drive</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Order for source is: &lt;cmd&gt; &lt;flags&gt; &lt;src&gt; &gt; &lt;log&gt; # the flags have to be combined together (i.e., -re) or it errors. It automatically outputs to stdout, so we have to redirect to a log file; this gives hash value and filename only (other formats cannot be read properly for use as an input file).</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br clear="none" /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Order for destination is: &lt;cmd&gt; &lt;flags&gt; &lt;logfile&gt; &lt;dst&gt; &gt; &lt;errorlog&gt; # the log file from the source step immediately follows the flags as the first argument; it is read and compared against the hashes of the destination. Any errors in the comparison (whether a file is there but shouldn't be, or isn't there but should be) are written to the error log. The size of the error log should be 0 KB when all is done, and (obviously) empty - thus showing there were no errors/mismatches. </span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">These were notes I made in the past, and I think they were most recently updated with version 3.4. The tool is now on 4.3, so I don't know if the following has changed, but ... as noted above, the md5deep comparison (input) file had to have hash value and filename only, or it could not be properly read. I couldn't find anything in the documentation to say one way or the other, but it's possible that the NSRL lists might be problematic, even though md5deep is only looking at the hash and not the filename/location. I did have occasion recently to verify the integrity of some evidence migrated to new storage, and ran md5deep in the manner above; it worked great. The only thing I'll note is that if you do want the progress indicator, it <b>WILL</b> slow down the process; use with discretion. <i>You have been warned</i>.</span></div>
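The same two-step verification (hash the source, then negative-match the destination against the list, with unmatched known hashes reported as well) written out in Python, as an added example that is neither md5deep's code nor the post's own: the source share and its copy are constructed in a temporary directory, with one file corrupted in transit and one never copied, and the list parser accepts only the two-field "hash  filename" format the notes above call for, so an unconverted NSRL CSV row is rejected rather than silently mis-read.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def md5_file(path: Path) -> str:
    """Stream the file so large PSTs do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> List[str]:
    """Recursive hashing (the -r step). Each line is '<hash>  <path>',
    the plain two-field layout the comparison step expects."""
    return [f"{md5_file(p)}  {p}" for p in sorted(root.rglob("*")) if p.is_file()]


def parse_hash_list(lines: Iterable[str]) -> Dict[str, str]:
    """Read a known-hash list keyed by hash. Only the first field is used for
    matching; anything that is not a bare 32-hex-digit MD5 there (for example
    a quoted NSRL CSV column) is rejected instead of being compared."""
    known: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a 'hash  filename' line: {line!r}")
        known[digest] = parts[1] if len(parts) > 1 else ""
    return known


def verify_copy(known_lines: Iterable[str], dest: Path) -> Tuple[List[str], List[str]]:
    """Negative matching (-x) plus the unmatched-known report (-n).

    Returns (destination files whose hash is not in the list,
             list entries whose hash no destination file produced).
    Both empty corresponds to the 0 KB error log described above. Matching
    is by hash only, so a renamed or moved copy still verifies.
    """
    known = parse_hash_list(known_lines)
    seen = set()
    unexpected: List[str] = []
    for p in sorted(dest.rglob("*")):
        if p.is_file():
            d = md5_file(p)
            if d in known:
                seen.add(d)
            else:
                unexpected.append(str(p))
    missing = [known[d] for d in known if d not in seen]
    return unexpected, missing


def build_sample() -> Tuple[Path, Path]:
    """Constructed data: a source share and a copy with one file corrupted in
    transit and one file that never made it across."""
    base = Path(tempfile.mkdtemp(prefix="md5deep_demo_"))
    src, dst = base / "loose_PST_files", base / "copy"
    (src / "user1").mkdir(parents=True)
    (dst / "user1").mkdir(parents=True)
    files = {"user1/a.pst": b"mail A", "user1/b.pst": b"mail B", "c.pst": b"mail C"}
    for rel, data in files.items():
        (src / rel).write_bytes(data)
    (dst / "user1/a.pst").write_bytes(files["user1/a.pst"])  # good copy
    (dst / "user1/b.pst").write_bytes(b"mail B truncated")   # corrupted in transit
    # c.pst is deliberately not copied
    return src, dst


def demo() -> Tuple[List[str], List[str]]:
    src, dst = build_sample()
    hash_list = hash_tree(src)          # step 1: md5deep -re <src> > psthash.txt
    return verify_copy(hash_list, dst)  # step 2: md5deep -renx psthash.txt <dst>


if __name__ == "__main__":
    unexpected, missing = demo()
    print("in destination but not in hash list:", unexpected)
    print("in hash list but not found in destination:", missing)
```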
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">There were a couple of posts related to using NSRLSrvr and NSRLLookup that showed up on the radar. The first I passed along, and the second my friend found on his own; apparently it was helpful. I don't know the first author, but Patrick puts out some good stuff on Sysforensics. If you don't keep tabs on his blog, you should. So without further ado, here they are, and they should work just fine for using md5deep to compare against NSRL.</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="http://blog.jameswebb.me/2013/05/setting-up-forensic-hash-server-using.html">http://blog.jameswebb.me/2013/05/setting-up-forensic-hash-server-using.html</a></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="http://sysforensics.org/2013/12/build-your-own-nsrl-server.html">http://sysforensics.org/2013/12/build-your-own-nsrl-server.html</a></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">And this wouldn't be complete if I didn't mention the NSRLookup service from Kyrus Tech:</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="http://www.kyrus-tech.com/nsrlookup-service-beta/">http://www.kyrus-tech.com/nsrlookup-service-beta/</a></span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Which I first saw mentioned last year on Jesse Kornblum's site:</span><br />
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span>
<a href="http://jessekornblum.livejournal.com/278435.html?nojs=1"><span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">http://jessekornblum.livejournal.com/278435.html?nojs=1</span></a><br />
<br /></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Have fun and happy hunting (or, uh, happy hashing)!</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
</div>
<span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: black; display: inline !important; float: none; font-family: Tahoma; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span>
Little Mac http://www.blogger.com/profile/16829704053692764714 noreply@blogger.com 0 tag:blogger.com,1999:blog-5905877434106273050.post-6977107628856059366 2013-12-16T23:15:00.003-06:00 2013-12-16T23:48:25.544-06:00 What's Hash Got To Do With It? (Part 2)<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-left: 1em; margin-right: 1em; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<br />
<div>
</div>
<div>
<span style="font-family: inherit;"><span style="font-size: medium;"><span style="color: black; display: inline ! important; float: none; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Just a quick follow-up to yesterday's post, as promised. I decided to do it as a new post rather than an edit/update, figuring it would be easier to track this way. Not much to it, just a little more info to round things out.</span></span></span><br />
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">First, I got my hands on the infected PC today, pulled the hard drive, and extracted some files. I wasn't able to get RAM, but I do have hiberfil and pagefile to work with, along with the user profile and registry hives, but that's not the point here. (I will note, however, that unless I can find evidence of the malware's activities in hiberfil or pagefile, I'm still - to an extent - surmising how it spawned msiexec.exe in the first place.) I found three separate executables under the user profile, as created by msiexec.exe. I copied them off into a separate directory and used md5deep to hash the files, so that I could look for them on VT or Malwr.com as well (there, now this is a post about md5deep too!). Here's what I ended up with (my own formatting):</span><br />
<br /></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><span style="color: blue;"><b>26e57bde90b43cf6dae6fd5731954c61</b></span> | <b><span style="color: red;"><i>msevaxlgn.exe</i></span></b></span><br />
<span style="font-family: inherit;"><span style="color: blue;"><b>26e57bde90b43cf6dae6fd5731954c61</b></span> | <span style="color: red;"><b><i>mssuhin.exe</i></b></span></span><br />
<span style="font-family: inherit;"><b><span style="color: blue;">26e57bde90b43cf6dae6fd5731954c61</span></b> | <b><span style="color: red;"><i>msyaam.exe</i></span></b></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Did you notice that? All hashed the same. Okay, maybe that's expected, or not too unexpected at least. But did anyone note the hash value from yesterday, for the initial executable (from inside the zip)? Well, in case not, here it is again (in the same format):</span><br />
<br /></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><span style="color: blue;"><b>26e57bde90b43cf6dae6fd5731954c61</b></span> | <span style="color: red;"><b><i>order_jd4320480293.exe</i></b></span></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><i><br /></i></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">See that? Yes, that's right - another md5 match, and I doubt it's due to collisions. :-) So basically, the original malware spawns msiexec.exe, which creates one or more new executables that are identical to the original (except for the name); the original is deleted, and the show goes on. I don't know about you, but that's not what I commonly see from malware.</span></div>
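An added example (my code, not the post's or md5deep's) of the sweep described above: hash every file under a directory md5deep-style, group the ones that share a digest, and match them against a known-bad list. The directory contents are constructed stand-ins for the three renamed copies; the known-bad digest is the one quoted in these posts, and since Part 1 quotes it in upper case and Part 2 in lower case, the comparison normalises case.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# The MD5 quoted in the post for order_jd4320480293.exe and its three renamed
# copies. Part 1 printed it in upper case and Part 2 in lower case, so every
# comparison below normalises case first.
KNOWN_BAD = {"26E57BDE90B43CF6DAE6FD5731954C61"}


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large inputs (hiberfil, pagefile) fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Hash every regular file under root; returns {md5: [paths relative to root]}."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                groups[md5_file(full)].append(os.path.relpath(full, root))
    return dict(groups)


def duplicates(groups):
    """Digests shared by more than one file: the 'all hashed the same' case."""
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def known_bad_hits(groups, known=KNOWN_BAD):
    """Files whose digest is on the known-bad list (case-insensitive match)."""
    wanted = {k.lower() for k in known}
    return {h: sorted(p) for h, p in groups.items() if h.lower() in wanted}


def build_sample_tree():
    """Constructed stand-in for the user profile: three renamed copies of one
    payload plus an unrelated file. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    payload = b"constructed sample payload, byte-identical across copies\n"
    for name in ("msevaxlgn.exe", "mssuhin.exe", "msyaam.exe"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"unrelated file\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    groups = sweep(root)
    for digest, paths in groups.items():      # md5deep-style "hash  path" lines
        for p in paths:
            print(f"{digest}  {p}")
    print("shared digests:", duplicates(groups))
    print("known-bad hits:", known_bad_hits(groups))
```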
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Now for a few more tidbits...</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">A little header info from a network capture:</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">POST <b><span style="color: #b45f06;">/se/gate.php</span></b> HTTP/1.1<br />
Cache-Control: no-cache<br />
Connection: close<br />
Pragma: no-cache<br />
Content-Type: application/x-www-form-urlencoded<br />
User-Agent: <span style="color: #b45f06;"><b>Mozilla/4.0</b></span><br />
Content-Length: 74<br />
Host: <span style="color: #b45f06;"><b>finley.su</b></span></span></div>
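An added example (my code, not the post's) that turns the header block above into a detection rule: it parses a raw HTTP request head and scores it for the traits visible in that capture (a POST to a gate.php path, a bare "Mozilla/4.0" User-Agent with no platform tokens, no-cache headers on a POST, and a Host on one of the two TLDs the posts mention). The captured request is transcribed from the post; the benign request, the weights and the threshold are my own assumptions.

```python
import re

# Traits taken from the capture in the post; the weights are my assumption.
GATE_PATH = re.compile(r"/gate\.php$", re.IGNORECASE)
BARE_LEGACY_UA = re.compile(r"^Mozilla/4\.0\s*$")   # no platform or engine tokens
WATCH_TLDS = {"su", "ru"}   # the two TLDs the posts mention; a weak signal on its own
THRESHOLD = 2               # assumed: two or more traits is worth a look

# Transcribed from the header block in the post, plus a constructed benign
# request for contrast.
CAPTURED = (
    "POST /se/gate.php HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Length: 74\r\n"
    "Host: finley.su\r\n"
    "\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def score_request(raw):
    """Return (score, reasons): one point per trait of the post's C2 POST that matches."""
    method, target, h = parse_request(raw)
    path = target.split("?", 1)[0]          # ignore any query string
    reasons = []
    if method == "POST" and GATE_PATH.search(path):
        reasons.append("POST to a gate.php endpoint")
    if BARE_LEGACY_UA.match(h.get("user-agent", "")):
        reasons.append("bare 'Mozilla/4.0' User-Agent")
    if (method == "POST" and h.get("cache-control", "").lower() == "no-cache"
            and h.get("pragma", "").lower() == "no-cache"):
        reasons.append("POST with Cache-Control and Pragma no-cache")
    host = h.get("host", "").split(":", 1)[0].lower()
    tld = host.rsplit(".", 1)[-1]
    if tld in WATCH_TLDS:
        reasons.append(f"Host on watched TLD .{tld}")
    return len(reasons), reasons


def is_suspicious(raw, threshold=THRESHOLD):
    """True when enough traits line up to justify pulling the full session."""
    return score_request(raw)[0] >= threshold


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("benign", BENIGN)):
        score, why = score_request(raw)
        print(f"{label}: score={score} suspicious={is_suspicious(raw)} {why}")
```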
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">IP Addresses, as seen by the C2 blocking device:</span><br />
<br /></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho8CcqYlUWGDlijYY99sdXUzh_7LVPj2VTOuCSuyO0HXFhMz-wEZ_BcQH9QGMUXE8e_TiukkxZb-WzhK4j6XWkFuQSONIWyBP1RbqgZya1EhsNVV2IuXgkGCtcq4uR60ecx6fv2eptrwnz/s1600/Target_IPs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho8CcqYlUWGDlijYY99sdXUzh_7LVPj2VTOuCSuyO0HXFhMz-wEZ_BcQH9QGMUXE8e_TiukkxZb-WzhK4j6XWkFuQSONIWyBP1RbqgZya1EhsNVV2IuXgkGCtcq4uR60ecx6fv2eptrwnz/s1600/Target_IPs.png" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Now, I mentioned before that there was a .ru TLD involved, and here that is:</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZAbRN83EL8ak7S97uRADDRVXsuZCZuCM6BwcDWKYZy0X75EZ4AnGnzPCr608W5n6lQ-d0G5_-3l5V8L5-FvUmRzo2HHwjiFUV5ELhej-HXAMXApVVichi3Sx0ogF-r9g2PGgM88HRaxa4/s1600/RU_TLD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZAbRN83EL8ak7S97uRADDRVXsuZCZuCM6BwcDWKYZy0X75EZ4AnGnzPCr608W5n6lQ-d0G5_-3l5V8L5-FvUmRzo2HHwjiFUV5ELhej-HXAMXApVVichi3Sx0ogF-r9g2PGgM88HRaxa4/s1600/RU_TLD.png" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Haven't looked at that traffic yet, and it never made it to the device that blocked the C2 traffic, as it had already been blocked for other reasons. And of course, until I examine the pcaps, I won't know what that traffic was (still might not - since it was blocked, it will be a one-sided conversation).</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Last of all, a screenshot of the offending email (note some inconsistencies outlined in red):</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH5gyxQsM2mQMYlxna4zNbN6l0y4JPCVCKnMeWmy0PN8X4BcvkrbKXhk9np6BP-8ouSV_iVfxXj0nrHZR7_oJX1C0pwV5e-wEEhyyGfHTBGOU4RGu_l68Sx_b4_RWSeFL1Pc1kblewE1Cj/s1600/BackDoor2m2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH5gyxQsM2mQMYlxna4zNbN6l0y4JPCVCKnMeWmy0PN8X4BcvkrbKXhk9np6BP-8ouSV_iVfxXj0nrHZR7_oJX1C0pwV5e-wEEhyyGfHTBGOU4RGu_l68Sx_b4_RWSeFL1Pc1kblewE1Cj/s1600/BackDoor2m2.png" height="321" width="400" /></a></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">SupportAmazon<b><span style="color: #e30000;">yu</span></b>? AmazonStore<b><span style="color: red;">Idecoa</span></b>? I could get it with "Amazon," but what's with the other stuff? And the order numbers don't match up anywhere. And finally, it says, "<span style="color: purple;"><b>Well</b></span> let ..." rather than "<span style="color: purple;"><b>We'll</b></span> let ..."</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Well, I guess you can't patch users! At least not without regression testing first. ;-)</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">I think that's it for now; if I do come up with anything else that looks interesting or useful, I'll post another update. Aside from that, I told a friend I'd post about some specific uses for md5deep; we'll see how that works out, but hopefully it will be coming soon.</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;">Happy Hunting!</span></div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;">
</span>Little Mac http://www.blogger.com/profile/16829704053692764714 noreply@blogger.com 0 tag:blogger.com,1999:blog-5905877434106273050.post-3948900824437158767 2013-12-15T23:11:00.000-06:00 2013-12-16T23:22:41.201-06:00 What's Hash Got To Do With It?<div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: black; display: inline ! important; float: none; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Well, because that's how we're going to kick off this little story. Without further ado, here ya go: <b>26E57BDE90B43CF6DAE6FD5731954C61</b></span></span></span><br />
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Before we go too far into that, however, I need to take a step back. It's been a long time since my last post. Too long indeed (my job makes it difficult, to say the least), so let's not dwell on that, shall we? With that out of the way, I'll give just a quick back story on the above-referenced md5 hash value. Last week, on Wednesday and Thursday, I came across this malicious gem. Well, I <u><i>think</i></u> it was the same both times. From a network perspective, it was behaving the same - reaching out to the same C2 channels, attempting to post the same type of encrypted data (based on format, appearance of cipher-text, etc.). However, as it turns out, there wasn't an appropriate endpoint sensor on the first box from which to pull back more relevant info.</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">That fact is important as we go on - that unless you have evidence across different DFIR disciplines (host and network, with all their subsets), you really can't say for certain what is occurring. You can postulate, and may very well be correct, but without RAM, RE, timeline and other host data, and various points of NSM (network security monitoring) such as FW logs, IDS/IPS, netflow, you're left at least somewhat in the dark. Anyhow, from a network perspective, these two appeared to be the same, and fortunately there was an endpoint sensor on the second box; I got to have some fun, and thought I'd share.</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">As it turns out, the infections originated not from some stealthy drive-by or infected website, but via an executable inside a zip file sent along with an "Amazon" email to personal email accounts. In the case of the second one, the user had received two previous ones that were ignored and deleted; the third was just too much and curiosity won out. User opens zip file. Oops #1. User double-clicks executable. Oops #2. At that point it's all over but the tears, and the malware has its fun. The positive side was that - finally - I got to have some fun too!</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Now, I didn't know all that at first. All I knew was that C2 traffic to <span style="color: blue;"><b><i>finley.su</i></b></span> had been blocked. That was the same domain as the previous day, so my interest was piqued. The system that blocked it didn't have any info about the malware; it just knew that the traffic was bad, so that was no help. I went into my sensor logs from that box, and found the application reaching out to<i> <span style="color: blue;">finley.su</span></i> was <span style="color: red;"><b><i>msiexec.exe</i></b></span>, from the <span style="color: #b45f06;"><b>c:\windows\system32</b></span> directory. Ooh, now that's not right. The parent process for <span style="color: red;"><i>msiexec.exe</i><b> </b></span>was <span style="color: red;"><b><i>order_jd4320480293.exe</i></b></span>. Now that's not good either. And it was running from inside a zip under the user's temp directory, with a parent of <span style="color: red;"><b><i>explorer.exe</i></b></span>. Alright, that's not unexpected, especially at this point.</span></span></div>
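An added example (my code, not the post's or any sensor's) of the ancestry check that paragraph describes: walk endpoint process-creation records up the parent chain and flag a system binary such as msiexec.exe when something in its ancestry was launched out of the user's temp directory. The records, field names, user name and the Temp1_order.zip folder are constructed to mirror the chain in the post; the temp-directory marker is an assumption about the path layout.

```python
import ntpath

# Where a zip the user double-clicked gets unpacked: a folder under the
# profile's temp directory. The marker is an assumption about the path layout.
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"
WATCHED_IMAGES = {"msiexec.exe"}

# Constructed process-creation records mirroring the chain in the post
# (explorer.exe -> executable inside a zip under temp -> msiexec.exe), plus a
# normal service-launched msiexec.exe for contrast. Field names are my own.
PROCS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\jdoe\AppData\Local\Temp\Temp1_order.zip\order_jd4320480293.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\services.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe"},
]


def ancestry(procs, pid):
    """Return the image paths from the root ancestor down to pid (inclusive)."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard against ppid cycles / pid reuse
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def flag_processes(procs):
    """Flag watched system binaries whose ancestry passes through the user temp directory."""
    hits = []
    for p in procs:
        name = ntpath.basename(p["image"]).lower()
        if name not in WATCHED_IMAGES:
            continue
        chain = ancestry(procs, p["pid"])
        # Look at the ancestors only (chain[:-1]); the watched binary itself lives in System32.
        from_temp = [img for img in chain[:-1] if USER_TEMP_MARKER in img.lower()]
        if from_temp:
            hits.append({"pid": p["pid"], "image": p["image"],
                         "launched_via": from_temp, "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in flag_processes(PROCS):
        print(f"pid {hit['pid']}: {hit['image']}")
        print("  ancestry:", " -> ".join(hit["chain"]))
```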
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">I was able to pull a copy of the binary for <b><span style="color: red;"><i>order_jd4320480293.exe</i></span></b> that the sensor had pushed to my analysis server, and saw that it had 9 hits by hash on Virus Total, so I went to check that out. There were indeed 9 engines that detected it; one from the 11th, and eight from the 12th. Most had generic names as yet; the most relevant one appeared to be from McAfee, which had it as a ZBot variant. Searching on that led me to Malwr.com, where the binary had apparently been uploaded and analyzed already. As a side note, the next morning VT had 14 detections, and it is now up to 23 (What's funny is that some of the vendors I submitted a sample to now say they detected it back then. Hmm, really?). Since there's some RE-type info on VT and Malwr, I won't try to go into that; I'll give you some reference links so you can go enjoy that. I will, however, give a quick rundown of what I saw. I will probably come back and add some IP addresses for the <span style="color: blue;"><b><i>finley.su</i></b></span> domain, as well as a .ru TLD I saw from the endpoint, so watch for an update.</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">So here's the quick high-level rundown:</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">* User downloads zip from <b><u><span style="color: purple;"><i>fake Amazon email</i></span></u></b>, opens, and runs <span style="color: red;"><b><i>order_jd4320480293.exe</i></b></span></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">* Malware executes, and <span style="color: red;"><i>order_jd4320480293.exe</i></span> spawns (loads) <span style="color: red;"><b><i>msiexec.exe</i></b></span> from <span style="color: #b45f06;"><i>c:\windows\system32</i></span> as a child process </span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">* Child process <i><span style="color: red;">msiexec.exe</span></i> creates a new executable under the user profile, named for example <span style="color: red;"><b><i>msyaam.exe</i></b></span> (one system) or <span style="color: red;"><b><i>msevaxlgn.exe</i></b></span> (another system)</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">* Child process<i> <span style="color: red;">msiexec.exe</span></i> adds a runkey for the new executable, in the user hive, under <span style="color: #b45f06;"><b><i>Software\Microsoft\WindowsNT\Current Version\Load</i></b></span></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">* Child process <span style="color: red;"><i>msiexec.exe</i> </span>deletes original executable, <span style="color: red;"><i>order_jd4320480293.exe</i></span></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Along in there somewhere, <span style="color: red;"><i>msiexec.exe</i></span> packages up some data (probably credentials), encrypts, and tries to ship it out to remote servers. Unsuccessfully. Defense in depth... ;-)</span></span></div>
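<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">The chain above (an executable run out of a zip in the user's temp directory spawning <i>msiexec.exe</i>, which drops a new .exe under the profile, writes the user-hive Load autostart value, deletes its own parent, and beacons out) is exactly the kind of thing endpoint sensor logs let you correlate. The script below is an added example, not code from this post or from any sensor product: it runs a handful of such rules over a set of constructed events that mirror this write-up. The event field names (<i>type</i>, <i>pid</i>, <i>ppid</i>, <i>image</i>, and so on) are assumptions for a hypothetical sensor, the drop path and PIDs are made up, and the "expected parents" set is a starting point to tune per environment. The full registry path used is the documented location of the Load value, <i>Software\Microsoft\Windows NT\CurrentVersion\Windows</i>, which the rundown above abbreviates.</span></span></div>

```python
"""
Correlate endpoint sensor events into findings for the infection chain
described in the post. All events below are CONSTRUCTED sample data; field
names are assumptions for a hypothetical sensor, not any vendor's schema.
"""

# Parents from which msiexec.exe is normally launched (assumption: tune per environment).
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe", "svchost.exe"}

# Path fragments where the parent of msiexec.exe should not normally live.
STAGING_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")

# Documented user-hive autostart: key ...\Windows NT\CurrentVersion\Windows, value "Load".
LOAD_ASEP = "software\\microsoft\\windows nt\\currentversion\\windows\\load"

# Network indicator quoted in the post.
KNOWN_BAD_DOMAINS = {"finley.su"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (pid, rule, detail) findings for the given event stream."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    findings = []
    for ev in events:
        kind = ev["type"]
        actor = procs.get(ev["pid"])
        actor_name = basename(actor["image"]) if actor else "<unknown>"

        if kind == "process_create" and basename(ev["image"]) == "msiexec.exe":
            parent = procs.get(ev["ppid"])
            pname = basename(parent["image"]) if parent else "<unknown>"
            if pname not in EXPECTED_MSIEXEC_PARENTS:
                findings.append((ev["pid"], "msiexec_unexpected_parent", pname))
            if parent and any(m in parent["image"].lower() for m in STAGING_DIR_MARKERS):
                findings.append((ev["pid"], "msiexec_parent_in_staging_dir", parent["image"]))

        elif kind == "file_create":
            path = ev["path"].lower()
            # msiexec.exe writing a new .exe under a user profile is the drop step.
            if actor_name == "msiexec.exe" and path.endswith(".exe") and "\\users\\" in path:
                findings.append((ev["pid"], "msiexec_dropped_exe_in_profile", ev["path"]))

        elif kind == "registry_set":
            full = (ev["key"] + "\\" + ev["value"]).lower()
            if full.endswith(LOAD_ASEP):
                findings.append((ev["pid"], "load_asep_written", ev["data"]))

        elif kind == "file_delete":
            # A child removing its own parent's image is the self-cleanup step.
            parent = procs.get(actor["ppid"]) if actor else None
            if parent and parent["image"].lower() == ev["path"].lower():
                findings.append((ev["pid"], "child_deleted_parent_image", ev["path"]))

        elif kind == "net_connect":
            if actor_name == "msiexec.exe":
                findings.append((ev["pid"], "msiexec_outbound", ev["dest"]))
            if ev["dest"].lower() in KNOWN_BAD_DOMAINS:
                findings.append((ev["pid"], "known_bad_domain", ev["dest"]))
    return findings


def summarize(findings):
    """Group findings by pid -> sorted list of distinct rule names."""
    by_pid = {}
    for pid, rule, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed events mirroring the post's narrative (paths and PIDs are invented).
TEMP_ZIP = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_order.zip\\order_jd4320480293.exe"
DROPPED = "C:\\Users\\jdoe\\AppData\\Roaming\\Msyaam\\msyaam.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process_create", "pid": 2468, "ppid": 1000, "image": TEMP_ZIP},
    {"type": "process_create", "pid": 2480, "ppid": 2468, "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"type": "file_create", "pid": 2480, "path": DROPPED},
    {"type": "registry_set", "pid": 2480, "value": "Load", "data": DROPPED,
     "key": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"},
    {"type": "file_delete", "pid": 2480, "path": TEMP_ZIP},
    {"type": "net_connect", "pid": 2480, "dest": "finley.su", "dport": 80},
    # Benign baseline: an MSI install brokered by the Windows Installer service.
    {"type": "process_create", "pid": 700, "ppid": 1, "image": "C:\\Windows\\System32\\services.exe"},
    {"type": "process_create", "pid": 3100, "ppid": 700, "image": "C:\\Windows\\System32\\msiexec.exe"},
]

if __name__ == "__main__":
    for pid, rules in summarize(analyze(SAMPLE_EVENTS)).items():
        print(pid, ", ".join(rules))
```

<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Run stand-alone it reports only the malicious <i>msiexec.exe</i> (pid 2480) with all seven rules, while the service-launched install produces nothing. In practice, any single rule here is noisy on its own (msiexec can legitimately fetch packages over the network, and explorer-launched installs are normal); the value is in several of them firing against one process within a short window, which is what the sensor data in this case showed.</span></span></div>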
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Well, that's it for now. Given the info available elsewhere about this malware, I probably won't post anything about its actions on the system, unless I see a very different approach take place. But I will look to post some IPs and perhaps some other tidbits that might be helpful from an IOC perspective. Other than that, here are some links:</span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Virus Total: <a href="https://www.virustotal.com/en/file/00fb48cae855a1321e9edcd2b0d9a4935dc7954f0221030a3b01dbdfe0332a44/analysis/">https://www.virustotal.com/en/file/00fb48cae855a1321e9edcd2b0d9a4935dc7954f0221030a3b01dbdfe0332a44/analysis/</a> </span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Malwr: <a href="https://malwr.com/analysis/MDU2ODNhYzA1MmIzNGZiYTkxNmQ5OWJmNGM0OWFiNGU/#static">https://malwr.com/analysis/MDU2ODNhYzA1MmIzNGZiYTkxNmQ5OWJmNGM0OWFiNGU/#static</a></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Sophos: <a href="http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~PWSZbot-X/detailed-analysis.aspx">http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~PWSZbot-X/detailed-analysis.aspx</a></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Happy Hunting!</span></span></div>
</div>
Little Mac, http://www.blogger.com/profile/16829704053692764714<br />
<br />
<b>Getting Your Feet Wet / Joining the Conversation</b> (2013-03-03)<br />
<br />
Well, I've been "working" on this post for quite some time now, and just haven't ever wrapped it up. Bah. To show how long I've been "working" on it, I came up with the idea before Richard Bejtlich posted on the Mandiant blog about InfoSec <a href="https://www.mandiant.com/blog/raising-public-profile-information-security-professional/">career building</a> and before Chris Pogue posted about his <a href="http://thedigitalstandard.blogspot.com/2012/12/a-changing-of-guard.html">job change</a> (and where he hinted at the possibility of a "Sniper Forensics" book - bring it, Chris!), or <a href="http://thedigitalstandard.blogspot.com/2012/12/how-do-i-get-there-from-here-part-2.html">about careers</a> (his 2nd post on this topic).<br /><br />Part of this comes from a comment that Hal Pomeranz made a while back. He said (general paraphrase) that there's no better use for social media than to help others. In context, he was talking about InfoSec jobs. Hal's a guy that I highly respect, and since I've witnessed - first hand - his willingness to put his money where his mouth is (so to speak) in this area, I take it to heart. By the way, he has an excellent series on working for yourself over on his <a href="http://righteousit.wordpress.com/">blog</a> (keyword: consulting).<br /><br />A number of great folks have posted career-focused info, including those above, and it's more recently entered my radar as I'm in more of a position to help others. I don't have the "street cred" they do, but I wanted to offer up a few things I've put together. 
As I moved late last year into managing our InfoSec group, as well as heading up the IR team, I've had the opportunity to mentor a couple of newcomers to our field, and I put this together in part for them, to give them some additional resources. I strongly agree with what others have said, that putting yourself out there is important - blogging, tweeting, mailing lists - just talking and sharing with others. I won't go into that in any depth, as I think it's been very well-covered elsewhere; I'll just re-emphasize that it's important. I've seen it myself, where potential employers check out blogs, activity on email lists, and so on; it definitely makes a difference, because hiring someone in this field revolves around having confidence that they KNOW what they're doing, and can DO the work.<br /><br />So with that said, if you're new to InfoSec (security, forensics, incident response, auditing, etc) here are some resources that can help you start to get more comfortable and plugged into the community. And it IS a community, more so than many other fields I've seen. 
<br /><br /><b>Mailing lists:</b><br /><a href="https://lists.cymru.com/mailman/listinfo/ians_dragon_newsbytes">Dragon News Bytes</a><br /><a href="http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom">PaulDotCom</a><br /><a href="http://tech.groups.yahoo.com/group/win4n6/">Win4n6</a><br /><br /><b>Websites:</b><br /><a href="http://writeblocked.org/">DFIR Online</a> - this is an excellent resource, and also hosts the monthly "DFIR Online" <br /><a href="http://pauldotcom.com/">PaulDotCom</a> - yes, it's showing up again :-)<br /><a href="http://securityfocus.com/">SecurityFocus</a><br /><a href="http://darknet.org.uk/">Darknet</a><br /><a href="http://blog.commandlinekungfu.com/">CommandLineKungFu</a> – this is just awesome and hilarious too<br /><a href="http://holisticinfosec.org/">HolisticInfoSec</a> - Russ has some great tool writeups<br /><a href="http://krebsonsecurity.com/">KrebsOnSecurity</a> - Great resource on cybercrime<br /><a href="http://team-cymru.org/">Team Cymru</a><br /><a href="http://us-cert.gov/">US Cert</a><br /><a href="http://sans.org/reading_room">SANS Reading Room</a><br /><a href="http://isc.sans.edu/">Internet Storm Center</a><br /><a href="http://jessekornblum.livejournal.com/">Jesse Kornblum</a><br /><a href="http://blog.zeltser.com/">Lenny Zeltser</a><br /><a href="http://computer-forensics.sans.org/blog">SANS Computer Forensics</a><br /><a href="http://forensicartifacts.com/">ForensicArtifacts</a><br /><a href="http://ericjhuber.com/">A Fistful of Dongles</a> <br /><a href="http://hackingexposedcomputerforensicsblog.blogspot.com/">Hacking Exposed</a><br /><br /><b>Books:</b><br /><a href="http://www.amazon.com/Basics-Information-Security-Understanding-Fundamentals/dp/1597496537/ref=sr_1_1?s=books&ie=UTF8&qid=1345042177&sr=1-1&keywords=information+security">The Basics of Information Security</a><br /><a 
href="http://www.amazon.com/Hackers-Beware-Ultimate-Network-Security/dp/0735710090/ref=sr_1_1?s=books&ie=UTF8&qid=1345042291&sr=1-1&keywords=hackers+beware">Hackers Beware</a> – older, but very good info<br /><a href="http://www.amazon.com/Network-Security-Bible-Eric-Cole/dp/0470502495/ref=sr_1_1?s=books&ie=UTF8&qid=1345042319&sr=1-1&keywords=network+security+bible">Network Security Bible</a> – another one by Dr. Eric Cole <br /><a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867">DFWOST</a><br /><a href="http://www.amazon.com/Hacking-Exposed-Computer-Forensics-Second/dp/0071626778/ref=sr_1_1?s=books&ie=UTF8&qid=1346895143&sr=1-1&keywords=hacking+exposed+computer+forensics">Hacking Exposed</a> - any of the "Hacking Exposed" series <br /><a href="http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=sr_1_2?s=books&ie=UTF8&qid=1346895767&sr=1-2&keywords=windows+forensic+analysis+toolkit">WFAT</a> - any of Harlan Carvey's books<br />
<a href="http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669">Practical Packet Analysis</a><br />
<a href="http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579">Violent Python</a><br />I’ve found great deals on books at Half-Price Books, which can make a big difference. Some of the older ones, you might be able to find at the library as well.<br /><br /><b>Twitter:</b><br />I really recommend you get on twitter if you’re not. Have a profile that’s focused on what you’re interested in, and follow people in that field. It can be a great source of information, as well as connections when you need to know something. Here are just a few folks that may be good to start with:<br /><a href="https://twitter.com/johullrich">Johannes Ullrich</a><br /><a href="https://twitter.com/joswr1ght">Josh Wright</a> <br /><a href="https://twitter.com/lspitzner">Lance Spitzner</a> <br /><a href="https://twitter.com/holisticinfosec">Russ McRee</a> <br /><a href="https://twitter.com/McGrewSecurity">Wesley McGrew</a><br /><a href="https://twitter.com/dougburks">Doug Burks</a> <br /><a href="https://twitter.com/ChristiaanBeek">Christiaan Beek</a><br /><a href="https://twitter.com/drericcole">Eric Cole</a> <br /><a href="https://twitter.com/briankrebs">Brian Krebs</a><br /><a href="https://twitter.com/mikecloppert">Mike Cloppert</a> <br /><a href="https://twitter.com/taosecurity">Richard Bejtlich</a><br /><a href="https://twitter.com/HECFBlog">David Cowen</a> <br /><a href="https://twitter.com/DidierStevens">Didier Stevens</a> <br /><a href="https://twitter.com/lennyzeltser">Lenny Zeltser</a><br /><a href="https://twitter.com/hal_pomeranz">Hal Pomeranz</a><br /><a href="https://twitter.com/chadtilbury">Chad Tilbury</a><br /><a href="https://twitter.com/sansforensics">SANS Forensics</a><br /><a href="https://twitter.com/robtlee">Rob Lee</a><br /><a href="https://twitter.com/attrc">Andrew Case</a><br />See who they're talking to, and start branching out with who you follow. Don't be afraid to join a conversation, ask questions, and share your experiences. 
There are also quite a few active DFIR types on Google+, and there have been some good conversations happen there (at more than 140 characters a pop), as well as some hangouts.<br /><br />Hope you find it helpful.<br />
<br />
PS: I have been advised by Counsel to at least mention that this list of
resources is by no means exhaustive, nor intended to be. In addition,
they are in no particular order, nor intended to be any sort of status
qualifier, and I'm not getting paid in any way for these references (aka, name dropping). They are just some of the resources I find helpful, and wanted to share. If you, your site, your book, or your list are not mentioned, that doesn't mean I don't follow, read, etc (see the whole "not exhaustive list" piece). There are several hundred folks I follow on twitter, over a hundred blogs, dozens of books, and websites galore where I gather info while on this journey. Quite simply, too many to mention. Thanks to you all for being available and sharing with the community!<br />
<br />
Little Mac, http://www.blogger.com/profile/16829704053692764714<br />
<br />
<b>SANS DFIR Summit 2012 - Thoughts & Links</b> (2012-07-01, updated 2015-12-06)<br />
<br />
Well, this past week we wrapped up the SANS 2012 DFIR Summit in Austin, TX. I think it's safe to say that a great time was had by all. What was truly incredible was the time so many of us got to spend together in the week leading up to the Summit, while going through the wonderful training that SANS made available.<br />
<br />
I got to see some people I haven't seen in a year (or more), as well as meet some in person that I've only known online. And for the first time, I got to experience one of <a href="https://twitter.com/keydet89">Harlan Carvey's</a> presentations in person. I'm not sure everyone's brains were awake enough quite yet for his keynote on day 2 of the Summit, but it really was a great talk, and he made some great points about things to consider when performing registry analysis on Win7.<br />
<br />
Anyway, back to the point of all this. I started out the Summit by eating at Stubbs BBQ with a dozen or so folks on my first day there, Wednesday the 20th. Among these were <a href="https://twitter.com/cdtdelta">Tom Yarrish</a>, <a href="https://twitter.com/forensication">J. Michael Roberts</a> and his wife <a href="https://twitter.com/sweetelement">Jennifer</a>, <a href="https://twitter.com/mikepilkington">Mike Pilkington</a>, <a href="https://twitter.com/scoobdawg">Jeremy Berger</a>, and <a href="https://twitter.com/ultradeus">Alejandro Perez</a>. I recommended the serrano cheese spinach from having eaten at Stubbs once before, and it seemed to go over very well, which was good (I think everyone at my table ordered it); it could have gone so wrong. ;D<br />
<br />
As it turned out, my time there closed out the same way; a very large group of us went to Stubbs for dinner on the last day of the Summit, and we had more good food and good times, with the likes of <a href="https://twitter.com/cindymurph">Cindy Murphy</a>, <a href="https://rednogn/">Jen Krueger Favour</a>, <a href="https://twitter.com/el_killerdwarf">Kristinn Gudjonsson</a>, and <a href="https://twitter.com/nerdiosity">Shelly Giesbrecht</a>. I was scheduled to stay overnight and leave Thursday morning, but went ahead and left early to get back home and deal with the hail damage we sustained right before Summit. That's a whole story in itself!<br />
<br />
In between, we had a great opening keynote by Cindy Murphy, where she didn't talk about DFIR at all. What?! Might sound strange, but she did a great job, and we got to see <a href="https://twitter.com/lee_whitfield">Lee Whitfield</a> with a parasol on an elephant. No photo editing/alteration was involved, of course; that's just how Lee rolls...<br />
<br />
<a href="https://twitter.com/sibertor">Alissa Torres</a> (Stay Outside Your Lane), <a href="https://twitter.com/hammjd">Jeff Hamm</a> (Carve Records Not Files), <a href="https://twitter.com/cpbeefcake">Chris Pogue</a> (Sniper Forensics v3), and <a href="https://twitter.com/hal_pomeranz">Hal Pomeranz</a> (TrueCrypt Artifacts and Analysis) gave just a few of the awesome presentations I attended. Having two tracks made choosing difficult at times, unfortunately. :( In addition, <a href="https://phenrycissp/">Paul Henry</a> did a SANS at Nite presentation on setting up a VMWare server on Mac Minis, and we had an awesome time at the SANS 360 Lightning Talks. This was followed by an after-hours event sponsored by <a href="http://21ct.com/">21CT</a>. 21CT, <a href="http://accessdata.com/">AccessData</a>, <a href="http://visiblerisk.com/">VisibleRisk</a>, <a href="http://jadsoftware.com/">JADsoftware</a>, and <a href="http://cellebrite.com/">Cellebrite</a> all had a vendor presence at the Summit.<br />
<br />
Also, <a href="https://twitter.com/sansforensics">SANS</a> posted on twitter that all the presentations are available <a href="http://computer-forensics.sans.org/community/summits">here</a>.<br />
<br />
I had the incredible honor of speaking at this year's Summit, and was able to close out the event by speaking at the end of the 2nd day. Hopefully I "brought it!" My talk was titled "Exfiltration Forensics in the Age of the Cloud" and was based on the idea of looking into host-side artifacts created by the client applications of cloud-based sync/backup services - namely Dropbox, SpiderOak, TeamDrive, ADrive, Carbonite and Mozy. The Dropbox portion updated my work from last year, and the others expanded on that base. The idea was to show the risk that these services bring to a business (both internal and external), the types of artifacts that these applications introduce to a system, and what might be left behind after an uninstall.<br />
<br />
I had a "cheatsheet" type of handout at my talk, which gave an overview of these artifacts. I'm making that available online, along with a couple other spreadsheets, and a PDF of my presentation. For the preso, I've included the notes along with the slides, so that there's a little more context for the bare bones of the slides. Below is a download link to the 7zip archive. It is encrypted, so please contact me for the passphrase. I apologize for the inconvenience, but the reason is two-fold. One, it gives me some idea who's interested in my research, and two (more importantly), it helps protect against the unscrupulous web scrapers that repost others' content as their own (which I've had happen before, unfortunately).<br />
<br />
As a final note, I will be posting some of this over at <a href="http://forensicartifacts.com/">ForensicArtifacts</a> as a general resource for the larger community. If you haven't been to ForensicArtifacts, you should check it out - it's a great community-driven site that hosts various artifacts and IOCs, and is a wonderful way to contribute without having to create an entire blog post. <br />
<br />
Filename: Cloud_Forensics_Research_Public.7z<br />
Download: <a href="https://www.box.com/s/a5b5c5b2f11f86f24c91">https://www.box.com/s/a5b5c5b2f11f86f24c91</a><br />
Hash: a95ff597d1508db810df3a48a3313a4e (md5), cd703fc9c60d599d53f2a9758cc49770c57ed069 (sha1)<br />
<br />
PS: Since it's been several years, and much of the info has lost some usefulness (and just simplify, since people are still asking), here is the pass: gcs^6k-'mhRy{dzC=)">+fVvtA!2*P<br />
<br />
Little Mac, http://www.blogger.com/profile/16829704053692764714<br />
<br />
<b>SANS DFIRSummit 2012 - Austin TX</b> (2012-05-11)<br />
<br />
The <a href="http://www.sans.org/forensics-incident-response-summit-2012/"><b>SANS #DFIRSummit</b></a> in June is almost here, and those of us who are involved have been asked to share a little bit about what's going on. First, I'll give you the pertinent (aka, dull and boring) info, then move on to the juicy stuff.<br />
<br />
Who: SANS (throwing the party)<br />
What: 5th Annual Forensics and Incident Response Summit (aka, #DFIRSummit)<br />
When: Tuesday, 26 June and Wednesday, 27 June, 2012 (ie, next month)<br />
Where: <a href="http://www.omnihotels.com/findahotel/austindowntown.aspx"><b>Omni Hotel Downtown Austin</b></a><br />
Why: Because it's a great event - networking, learning, good times (aka, DFIR "heaven on earth")<br />
How: A lot of work by SANS, some generous sponsors, and incredible speakers (just can't be beat)<br />
<br />
There's another "who" and that's the speakers. Detailed <a href="http://www.sans.org/forensics-incident-response-summit-2012/bios.pdf"><b>bios</b></a>, and <a href="http://www.sans.org/forensics-incident-response-summit-2012/agenda.pdf"><b>event schedule</b></a> are on the website, but here's a quick breakdown:<br />
Keynotes by Detective Cindy Murphy, Madison Police Department and Harlan Carvey, Chief Forensics Scientist at Applied Security, Inc. Probably everyone knows Harlan from his books, and because of RegRipper, so he won't need much in the way of introduction. Cindy may not be as well known, so if her name doesn't ring a bell, <a href="http://www.linkedin.com/in/detectivecindymurphy"><b>look her up</b></a> - she's heavily involved in <a href="http://www.cdfs.org/"><b>CDFS</b></a>, and has done some incredible pioneering work in the field of digital forensics.<br />
<br />
The speakers over two days, in two separate tracks (last year there was only one track) are:<br />
- Windows 8 Forensic Artifacts - Kenneth Johnson<br />
- Analysis and Correlation of Macintosh Logs – Sarah Edwards<br />
- Practical Use of Cryptographic Hashes in Forensic Investigations - Pär Österberg Medina<br />
- Reasons Not to “Stay in Your Lane” as a Digital Forensics Examiner – Alissa Torres<br />
- Digital Forensics for IaaS Cloud Computing – Josiah Dykstra<br />
- Carve for Records (Not Files) – Jeff Hamm<br />
- Android Memory Acquisition and Analysis with DMD and Volatility – Joe Sylve<br />
- Sniper Forensics v3: Hunt – Christopher Pogue<br />
- Decade of Aggression – Christopher Witter<br />
- Passwords are Everywhere – Hal Pomeranz<br />
- Recovering Digital Evidence in a Cloud Computing Paradigm – Jad Saliba<br />
- Anti-Incident Response – Nick Harbour<br />
- Automating File Analysis - Pär Österberg Medina<br />
- Mac Memory Analysis with Volatility – Andrew Case<br />
- Digital Dumpster Diving – Lee Reiber<br />
- When Macs Get Hacked - Sarah Edwards<br />
- Evidence is Data: Your Secret Advantage – Jon Stewart<br />
- Taking Registry Analysis to the Next Level – Elizabeth Schweinsberg<br />
- Tales from the Crypt: TrueCrypt Analysis - Hal Pomeranz<br />
- Security Cameras: The Corporate DFIR Tool of the Future – Mike Viscuso<br />
- Exfiltration Forensics in the Age of The Cloud – Frank McClain<br />
<br />
But wait, there's more! Looks like <a href="http://www.21ct.com/"><b>21CT</b></a> is sponsoring several events, including some spectacular after-hours venues; there are lunch & learns (reduces per diem expenses for the budget-conscious), a breakfast, <a href="http://www.forensic4cast.com/2012/04/meet-the-2012-nominees/"><b>Forensic4Cast Awards</b></a>, and <a href="http://www.sans.org/sans-2012/special.php"><b>SANS360</b></a> (a little over half-way down the page, just before the "NetWars" section). SANS360 is a lightning talk event, where each speaker has just 6 minutes (360 seconds) to present their topic. In that line-up we have: Andrew Case, Kenneth Johnson, Cindy Murphy, Harlan Carvey, Hal Pomeranz, Kristinn Gudjonsson (extra points if you can pronounce his name properly), Corey Harrell, Melia Kelley, Tim Ray, Alissa Torres, and David Nides.<br />
<br />
Now back in the speakers list, you might have noticed a familiar name (they saved the best for last), and I thought I'd give you all a little overview of what my talk is about. As you all probably know, I spent a lot of time last year researching the footprint of Dropbox, the popular file-sync service. This came out as a multi-part kind of thing, with some initial research posted on the <a href="http://computer-forensics.sans.org/blog"><b>SANS blog</b></a>, a more detailed article published on <a href="http://forensicfocus.com/"><b>ForensicFocus</b></a>, a post or two here, and some artifacts over on <a href="http://forensicartifacts.com/"><b>ForensicArtifacts</b></a>. <a href="http://forensicaliente.blogspot.com/2011/07/dropbox-forensics-follow-up.html"><b>Links to all of those are here</b></a>. I'd been thinking about that for a while, because I had used that service myself, and saw how easily it could be abused - especially in smaller organizations - for people to steal data. We're used to folks using thumb drives or webmail to get docs out, but what if they just kept them in a directory on their computer, and that directory was sync'd to the cloud and possibly other computers (or mobile devices) outside of the company's control?<br />
<br />
Last summer I moved out of the consulting realm and into a corporate investigative setting. Thinking about how attackers exfiltrate data got me to thinking that these types of services could potentially be exploited that way as well as used by insiders. And smaller orgs don't tend to have all the fancy monitoring and locked-down systems/networks that larger ones might (data loss prevention, application layer firewalls, deep packet inspection, reverse proxies with blocked websites, yada yada yada). So if users have local admin rights, and nothing on the network is stopping certain types of traffic, then what's to stop them from using things like Dropbox, Carbonite, and so on?<br />
<br />
So anyway, I started over with Dropbox (applications change over time, right?) (Note: Yes, it did change), and have added several others. I wanted to give forensicators an idea of what kinds of artifacts to look for on these types of applications. The preso won't be as detailed as my prior Dropbox work (I might be talking for two days if that were the case!), and I'm not delving into things like prefetch, jump lists, user assist, and so on. I think those are areas we all know to look; I wanted to give a starting point specific to some of these apps, and hopefully get everyone's minds churning.<br />
<br />
At a high level, I'll be touching on things like:<br />
- File locations/application signature<br />
- Files of note (databases, logs, etc)<br />
- Residue after uninstall (files, folders, etc)<br />
- Network connections<br />
- Traffic signature (from packet capture)<br />
<br />
I'm really looking forward to this event, and not just because I'm a speaker. I think it'll be an awesome time, and a great opportunity to get out and mix it up with the community at large. There's no other event quite like this!<br />
<br />
If you haven't registered yet, but are going to, please feel free (read: be encouraged to do so) to use the discount code "<b>PrimeLending10</b>" to save 10% off the registration fee. SANS has given each speaker a discount code to share, this year, and that one's mine (obviously, right?). And yes, I get a "li'l somethin'" if enough people use it. :)<br />
<br />
I think that's about it. Like I said, I'm looking forward to it, and I hope to see many of you there!<br />
<br />
Happy Forensicating!<br />
<br />
Little Mac<br />
<br />
<b>A Few Worthwhile Updates</b> (2012-04-03)<br />
<br />
Okay, so I just need to post a couple (or maybe a few) quick updates. These are important, at least to me. :)<br />
<br />
First up is ... wait for it ... wait for it ...<br />
<br />
<b><a href="http://www.forensic4cast.com/2012/04/meet-the-2012-nominees/">Forensic4cast Awards!</a></b> There are some great folks in here, all very well-deserving. I'm not about to tell you who to vote for, as political discussions can be touchy. Oh wait, this isn't politics, so I guess I'll go ahead and get dirty. ;)<br />
<br />
Not really, except to say, vote for log2timeline in the "Computer Forensic Software Tool of the Year" section. L2T's a great tool that I use on a regular basis, probably every case I work. Hands down, it's just awesome!<br />
<br />
If for whatever reason (maybe you don't like perl) you can't bring yourself to vote for L2T, then there's another offering I can support. That's Registry Decoder, in the same category. RD is another great utility (in python, for you perl-haters) that can do for the Windows registry what L2T does for the file-system - parses the heck out of it! This bad boy is also proving extremely useful to me.<br />
<br />
Yes, it's true, I'm in a quandary, a conflict, a conundrum. Now, where's my lucky coin? <br />
<br />
Now that I'm all neurotic about the choices to be made, I'll move on to the next part. Oh, but first ... <b><a href="http://www.forensic4cast.com/forensic-4cast-awards/">GO VOTE!</a></b><br />
<br />
My next topic is <b><a href="http://forensicartifacts.com/">ForensicArtifacts</a></b>. This is a community-driven site that has a very catchy name: <b><a href="http://forensicartifacts.com/">ForensicArtifacts.com</a></b>. What, you've never heard of it?! Well, shame on me if I haven't mentioned it before. ;-( <br />
<br />
Taken from the <b><a href="http://forensicartifacts.com/about/">About page</a></b>, here's a description of the site:<br />
<br />
"<i>ForensicArtifacts.com was built to become a repository for useful information forensic examiners may need to reference during the course of their analysis. Requests for artifacts of system files, programs, and malware are very common to see on computer forensic mailing lists and forums. This site strives to take the place of those requests and become a one-stop shop when it comes to forensic artifacts.<br />
<br />
This site was designed for the digital forensic community, but it also relies on the community to become stronger. Please consider submitting any artifacts you have documented that may be of use to other examiners. As an added incentive, Rob Lee and SANS have graciously offered up a SANS Lethal Forensicator Coin for anyone submitting six or more artifacts or IOCs in any given year. For more details on this, please read here</i>."<br />
<br />
This is important, because we need more community involvement. A site like this only benefits the community if the community uses it. And if you're using it, you should be contributing to it. I don't want to sound all legalistic, but you should contribute. This doesn't just mean to send in artifacts; you can post links, follow <b><a href="http://twitter.com/#!/4n6artifacts">@4n6artifacts</a></b> on twitter and retweet, and recently we've even talked about having a "suggestions box" so people can submit ideas for artifacts, and anyone who's interested (and has time) can do some research to share with the community. <br />
<br />
When it boils down to the crux of the biscuit (just mixing up various metaphors), ForensicArtifacts needs you! Only you can provide artifacts. It's low pressure, no time-table, do it as you can, just write it up and submit in the <b><a href="http://forensicartifacts.com/submit/">easy-to-follow form</a></b>. It doesn't get much better than that! Basically, if you've found something in your work or research, even if it's perhaps incomplete, submit it. <br />
<br />
We need your artifacts. We need your IOCs. And by "we" I mean the community as a whole, not just this site. When we all share the fruits of our labors, we all benefit. Pitch in! Recycle your artifacts and IOCs; it's good for the environment, and you get to make a difference!<br />
<br />
Thanks!<br />
<br />
Little Mac<br />
<br />
<b>I'm Goin' to Disneyland - Again!</b> (2012-03-12)<br />
<br />
<b>Or ...</b> What a year, what a year!<br />
<br />
Not really Disneyland, but rather <a href="http://www.sans.org/forensics-incident-response-summit-2012/"><font color="red"><b>SANS DFIR Summit 2012</b></font></a> in Austin, TX. But let me back up and explain a wee bit first.<br />
<br />
Last year this time I was working along at a small forensic consultancy as a senior analyst. I was able to get approval to attend FOR563 (Mobile Device Forensics) at the SANS Summit in Austin, but wouldn't be able to attend the Summit itself. Bummer, but the training was more valuable for the business in the long run. Anyway, in May that job disappeared on me, as such things happen on occasion. More bummer.<br />
<br />
The DFIR community came around me with support, job opportunities, and in fact a way was made for me to attend the Summit directly (<a href="http://forensicaliente.blogspot.com/2011/06/im-goin-to-disneyland.html">which I blogged about last year</a>). No bummer there! I was able to meet a lot of great folks, see old friends, make new ones, network, and have a great time. I got a lot out of the event, and now I get to give back.<br />
<br />
So in the interim, I've landed a corporate gig, which vastly increases my time at home with family, scheduling consistency, and so on. I have a good boss and it's a great gig all the way around.<br />
<br />
But, to get around to the "giving back" part... I have been blessed with the opportunity to share the fruits of my research at the Summit this year, as I've been accepted as a speaker there. It's an incredible honor, and obviously very exciting! For those who might be concerned, I have no intention of making use of the term, "APT," unless I need to throw people off. :D<br />
<br />
So here's the other thing. If you sign up at the link provided above, and use the discount code below, you'll get 10% off the Summit registration fee. No joke, it's for real! Act now, SANS expects this event to sell out quickly!<br />
<br />
Discount Code: PrimeLending10<br />
<br />
Hope to see you there!<br />
<br />
PS: Just a quick update regarding the 10% discount. SANS is offering this through the speakers. They did not explain *why* in any great detail, although it seems obvious to me they want to increase attendance and think this will help. And perhaps whoever gets the most signups using their code, will be given a Ferrari. Or a SANS-branded thumb drive. Really, I'd like the Ferrari. ;)<br />
<br />
Little Mac<br />
<br />
<b>The Case for ... Investigating</b> (2012-02-13)<br />
<br />
<a href="http://twitter.com/lee_whitfield">Lee Whitfield</a> <a href="http://www.digitaldiscoveryesi.com/Blog/Why%20Out-Source%20Computer%20Forensics?/"><font color="red">posted on his corporate blog</font></a> earlier today about reasons not to bring cyber investigations for litigation (specifically forensics and eDiscovery) in-house, in response to this <a href="http://www.bankinfosecurity.com/articles.php?art_id=4348">article making a case for the opposite</a>. I replied on twitter, and was promptly lambasted by <a href="http://twitter.com/kylemaxwell">Kyle Maxwell</a> for not blogging about it instead. You know how it is, twitter just doesn't provide a good platform for detailed response, and Kyle seemed to feel that sending several tweets was inappropriate. If it went any further, I think he would've called me old and feeble. Again. :( So here's my detailed post.<br />
<br />
I think (hope) that my perspective is somewhat unique, as I have been on both sides of the fence - in consulting and corporate roles. I've spent a lot of time scoping these types of matters, talked with GCs, OCs, IT, InfoSec, and eDiscovery folks. Full disclosure, I worked for several years at the consulting firm where Lee now works (although I've never had the pleasure of working with him), and in my current corporate position I'm responsible for building out the in-house programs. Lee's company focuses on reducing datasets so that eDiscovery costs are lower. That service is nowhere near the eDisco costs, but it ain't free either. ;) I was brought on where I am now specifically because they wanted the internal capabilities, having dealt with the difficulties of not having that kind of expertise in-house, and the tremendous cost of paying outside consultants and vendors.<br />
<br />
In the original article, which was based primarily on an interview with <a href="http://www.govinfosecurity.com/interviews.php?interviewID=1336"><font color="red">Greg Thompson</font></a> of Scotiabank, the essence of Thompson's argument is that it's totally worth it. He stated that they can easily spend $2000/day with an external vendor, compared to internal costs of $800/day. That's a pretty obvious ROI. My guess is that they're talking about an all-in-one vendor that collects, processes, and produces the data, with reductions coming only from deduping and deNISTing, and that probably occurs only after loading in the eDisco software. <br />
<br />
Lee has a three-point rebuttal that centers on: Cost, Impartiality, and Skill set (not Skil saw, that's very different). Lee's company is not an eDisco processor, they're a forensic shop whose bread and butter is large-scale collection and data reduction for litigation. No, I'm not selling them, but as I said, I used to work there, so I'm very familiar. Because of the culling process they employ, data sets can be significantly reduced compared to what was collected, with associated lowering of eDiscovery processing costs. <br />
<br />
My basic response to Lee was, "It depends." Trying to expound on that in twitter is pretty much fail, so I'll attempt to do so here. Basically, you've got a "party line" on either side. No, I'm not talking about the old phone system where you could pick up your home receiver and hear your neighbors' conversation. I'm talking about the territorial/turf war approach. In general terms. The consultants say if you're not out-sourcing, you're not doing it right and risk sanctions. The corporate folks say that they don't need somebody coming in "administering" their network and charging money for something they can do just fine. From my experience on both sides of the fence, here's how I think it breaks down.<br />
<br />
Cost: <br />
In a nutshell, Lee points to the salary of the kind of experienced expertise you'll need, software/hardware, training, and certifications. That's true, it's not cheap to get that kind of personnel. There are a couple of things here, though, that I think bear more discussion. As with any such position (even in consulting), it's probably not a dedicated role, so the actual percentage of salary that applies to the forensics/eDisco work is not anywhere close to the six figures Lee mentions. Anyone in IT (much less InfoSec) is going to require ongoing training and certifications, and any employer that places value on professional development will support that anyway. So that only leaves us with hardware/software, which up front may be a sizable outlay, but will pay for itself very rapidly. How so? Well, a single case with 30 or more custodians could quickly cost over $100K. If you have one or more of those per year, your internal programs are covered. ROI's easy there.<br />
<br />
Impartiality:<br />
This may - in my opinion - be the best argument, up to a point. The corporation is paying the internal resource's paycheck, so those individuals have to support the corporate position, right? Not a bad assumption, but the same can apply to a consultant firm - they're paid by some organization to act in support of that org; if they don't give "good" results, they're out, right? So that knife cuts both ways, I think. But to the original point, I think it comes down to ethics of the investigator, just as with any case; we have an ethical, professional, and moral responsibility to do what is right, no matter what. Since the core of our work is based on facts in evidence, this shouldn't be an issue (at least not theoretically, but again, that cuts both ways). I think in most cases, an internal investigation is acceptable; there may be times that is different, and those should be addressed accordingly. The company - and its investigators - need to be able to determine when it may not be appropriate for the investigation to be handled internally. I know Kyle has mentioned having to deal with that where he works.<br />
<br />
Skill set:<br />
I'm a little confused on this one, to be honest. Lee says that most in-house investigators come from security or investigative backgrounds, discusses that network forensics has little to do with host forensics or eDiscovery, then goes on to say that while having "IT" staff involved, they shouldn't necessarily collect data themselves, as that could stomp on its evidential value. Okay, that's a long sentence, and a paraphrase of several combined. My confusion comes in from his starting out talking about computer security, network security, investigation background, and network forensics, then pointing out that IT staff aren't trained to know about file system changes, timestamps, and so on (all the yummy metadata stuff that forensics thrives on). I don't disagree with the latter, but I don't see the correlation with the former. The former is more the Incident Response (IR) type, it seems, and in my experience those folks are rather well versed and cognizant of maintaining evidence integrity (such as all that yummy metadata) and chain of custody. Pure IT folks - sysadmins and such - not so much; that's not to place blame, it's just not their area of expertise.<br />
<br />
So here's my summary:<br />
If your company is under regular litigation - large or small - and perhaps if you have regular threats to your intellectual property (thinking internal threats here, not external), it may well be a wise move to look at developing in-house capabilities. You need to really take some time to determine your internal needs and requirements, and remember these matters are about more than just email (systems, network, database, etc), and you must have a good grasp on your environment variables. You need to determine how much of the process you want internal - you may still want to outsource final production and hosting, for instance. Make sure you get the right expertise, and be aware that there will be an up-front cost (ongoing costs for software, hardware, training and certifications are minor in comparison). But the savings can be significant, and it is possible to come out ahead, if you compare against the money you would have been spending with outside vendors. ROI, the language of C-levels... :) Bottom line is, be informed, and make intelligent choices - don't just take action based on what either "side" is telling you.<br />
<br />
I do think it may not be the best decision to try to convert your IT staff. In years of dealing with IT departments, and knowing how those personnel tend to think/approach these matters, your up front difficulties and costs are much higher, and you have a much steeper "learning curve," if you will. It pays to get someone who already knows how to do the work, has solid experience, and I would even add, has provided expert testimony in court. That is the bottom line for this field, whether one - and one's work - stands up well in court. But do be careful, as not all consultants are suited for corporate life; it's a different style of work, and you need someone for the long-term, not short-term, or your ROI decreases. You also don't want a "push button" forensics person, but someone who truly understands what's going on behind the scenes; they're going to be able to provide better development and support for your internal programs.<br />
<br />
Let's face it folks, litigation isn't going away, nor is electronically stored information (ESI). Thus, ESI will have to be produced in litigation, and in comes eDiscovery. Orgs large or small feel the sting of the associated costs (which seem to be rather unreasonable at times), and - just being realistic - people are going to look for ways to bring it in-house. Sometimes that's just not feasible, and in those cases I think it's important to look for help in pre-culling to reduce costs. But for many organizations, having an internal program makes perfect sense and is not a mistake - when approached carefully and done right. <br />
<br />
Okay, I think that's about it. No tech stuff this time, sorry to disappoint those who might've hoped otherwise.<br />
<br />
Little Mac<br />
<br />
<b>Forensic4cast 2012 - Kristinn Gudjonsson & log2timeline</b> (2012-01-18)<br />
<br />
Okay, folks, it's that time of year again. Yes, it's time for the <a href="http://www.forensic4cast.com/2012/01/forensic-4cast-awards-2012-nominations-are-open/">Forensic4cast awards</a>. <a href="http://www.ericjhuber.com/2012/01/kristinn-gudjonsson-and-log2timeline-in.html">Eric Huber beat me to it</a>, which could cost me my <a href="http://forensicaliente.blogspot.com/2011/05/forensic4cast-awards-voting.html">fanboy status</a>. However, I gave a link to the Awards, so maybe that'll help. :)<br />
<br />
Anyway, here's the point: Nominate Kristinn Gudjonsson and log2timeline. For what, though? Well, I'm with Eric on this - <a href="https://twitter.com/#!/el_killerdwarf">Kristinn</a> for Examiner of the Year, and <a href="http://log2timeline.net/">l2t</a> for Forensic Software of the Year. The software wasn't initially developed this year, we all know that, but it has been under constant development, and I think that counts. Anyway, he didn't get the recognition he deserves last year (IMO), so let's get all the l2t fans together and get him in there!<br />
<br />
First thing is to nominate, then remember to vote! Be sure to nominate and vote for others as well. There are several categories, so have at 'em. Best Organization (<a href="http://www.cdfs.org">CDFS</a>), Best Blog [cough]<i>this one</i>[/cough], Best Article [cough]<i>Dropbox Forensics</i>[/cough], and so on. Jokes aside, I think the CDFS has a good chance to make a difference in our field, and its leaders have been working very hard to do just that. Be a part, get involved, and also - nominate and vote!<br />
<br />
That's all for now.<br />
<br />
Update - Just to add another worthwhile one into the mix, even though it is (gasp, aargh) in the same category... <a href="http://www.digitalforensicssolutions.com/registrydecoder/">RegistryDecoder</a> by <a href="https://twitter.com/#!/attrc">Andrew Case</a> and <a href="http://www.linkedin.com/in/lodovicomarziale">Lodovico Marziale</a> at <a href="http://www.digitalforensicssolutions.com/">Digital Forensic Solutions</a>. I've used RegDecoder, and I like it. Easy to use, very useful, does a great job automating registry parsing from an image, multiple extracted files, mounted image set, etc. It will even run against a live system, although I haven't used it that way. You can do keyword searches, build a timeline, and much more. So that should go for Forensic Software of the Year as well. I hate to have to suggest a competitor to l2t, but RD's very good as well. And, competition makes us all better, right?<br />
<br />
PS: While you're at it, go vote for RegDecoder on <a href="http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html">Toolsmith</a>, open until 31 Jan 2012!<br />
<br />
Little Mac<br />
<br />
<b>PDF Metadata Extraction - Multiple Files</b> (2011-12-06)<br />
<br />
This is going to be just a quick, short post (hey, don't laugh - it *can* happen!) with something I wanted to pass along to all my fearless readers. <br />
<br />
Here's the scenario: I was stuck in Windows, and had a virtual ton of PDF files from which I needed to extract metadata. No fancy commercial tools such as EnCase were at my disposal to automate the task for me, so I turned to pdfinfo. For those who are not familiar with it, pdfinfo is part of <a href="http://www.foolabs.com/xpdf/">xpdf</a>, an open source PDF viewer utility. PDF file metadata (author, title, revision, etc) is primarily stored in a couple of different places within a PDF - the Info Dictionary, and/or the XMP (eXtensible Metadata Platform) stream. pdfinfo (which is a free utility, by the way) will extract this metadata from within a PDF file. It's a command-line utility, which is fine by me.<br />
<br />
I had already located and exported the PDF files in question out to a single directory for parsing, and I was hoping it'd be as quick and easy as pointing pdfinfo to that directory and redirecting output to a file of my choosing. Alas, that was not to be; the tool is designed to be run like <br />
<code><br />
pdfinfo.exe file.pdf<br />
</code><br />
which writes to STDOUT (or can be redirected to a text file, for instance). I tried it against a single file, and that worked fine. I tried to use my limited Windows CLI knowledge to get it to feed the PDFs to pdfinfo, with no joy. If I had been in Linux, I would've been more comfortable creating a loop to go through the files and feed a variable (i.e., the file) to pdfinfo. I messed around with looping in Windows a bit, but - another piece of the scenario - time was limited (of course!). In the process of trying to work out the loops, I looked at some posts on <a href="http://blog.commandlinekungfu.com/">Commandline Kung Fu</a> and other similar (well, similar, but less awesome, no doubt) sites. I may have had some syntax error or other minor issue that caused trouble, but I couldn't ever seem to get a loop to work, and just didn't have time to keep at it.<br />
<br />
So here's my solution: I ran a quick file list for that directory, and used that in a spreadsheet to build out one line per PDF file, to parse that file's metadata and output to a plain text file (it's amazing what a little =concatenate, find/replace, and merge functions can do). I copied that over to notepad++ and saved it as a batch (cmd) file. Then I just fired off the batch file, let it run through and give me the metadata I was looking for. Not pretty, not the way that the Masters over at Commandline Kung Fu would have done it, but it got the job done. Here's an example, sanitized for public consumption.<br />
<br />
<code><br />
pdfinfo.exe "t:\output\xyz001_pdf_export\United 01.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Carpet 02.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Tree 03.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Interview 04.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Local 05.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\TipTop 06.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Safety 07.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Teleport 08.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Sharp 09.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
pdfinfo.exe "t:\output\xyz001_pdf_export\Water 10.pdf" >> t:\output\xyz001_pdf_export\pdf_metadata.txt<br />
</code><br />
<br />
So there it is, a short post (perhaps my first?). Hopefully it's helpful to someone else who needs to extract metadata from PDF files.<br />
<br />
-----------------------------------<br />
<br />
Just a quick update. In discussions last night on twitter, I mentioned that I thought <a href="http://www.sno.phy.queensu.ca/~phil/exiftool/">Phil Harvey's exiftool</a> would process PDFs for metadata. Rob Lee confirmed this, and called exiftool "the bomb-diggity." :) I said I would test it to compare against pdfinfo.<br />
<br />
The two applications provide similar information; certainly the core info is the same (such as creation dates, permissions, author). pdfinfo provides information above and beyond exiftool, though, such as encryption, page size (actual dimensions), tags, and form. Before you go thinking that pdfinfo is the way to go, I'll say that I find exiftool's output easier to read; each file entry is clearly separated, and the layout/format is nice (to me). BTW, pdfinfo also reports the filename based on the internal "Title." This can be confusing if the two don't match up. Exiftool reports the filename as seen by the filesystem/user, and the Title per the metadata.<br />
<br />
Exiftool also gets you past the need to do any scripting, loops, etc. That's because you can run it like this:<br />
<br />
<code><br />
"exiftool(-k).exe" -P t:\output\exports\desktop_pdf_export\*.pdf >> t:\output\exports\desktop_pdf_export\pdf_metadata_3.txt<br />
</code><br />
<br />
And it's much faster. So while I still think pdfinfo is a great tool, I'm leaning toward Rob Lee's "bomb-diggity" direction on exiftool. ;) If I'd thought of that for PDFs, I'd probably never have seen pdfinfo, so it's a good thing I got to try both out. I think both are good, both are useful, and I'd use both again, certainly for cross-validation.<br />
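The per-file loop that the spreadsheet-built batch file stood in for, done in Python instead. This is an added example, not code from the post or from xpdf/exiftool: it walks a directory of PDFs, reads each file's Info dictionary directly (no pdfinfo.exe needed), and keeps the file-system name beside the internal Title so the mismatch noted above is visible. The PDFs it builds for the demo are constructed samples; it does not read XMP streams or Info dictionaries packed into compressed object streams (use pdfinfo or exiftool for those).<br />

```python
"""Batch PDF Info-dictionary extraction for a directory of files.

Added example, not code from the original post or from xpdf/exiftool.
Handles only uncompressed Info dictionaries; no XMP, no object streams.
"""
import os
import re
import tempfile
from typing import Dict, List

# Reference to the Info dictionary, e.g. "/Info 12 0 R". The last one in the
# file wins, because incremental updates append a newer trailer at the end.
_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# "/Key value" where value is a literal string, a hex string or a name.
_ENTRY = re.compile(
    rb"/([^\s/\[\]<>()]+)\s*"
    rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>|/[^\s/\[\]<>()]+)"
)


def _decode_text(raw: bytes) -> str:
    """Decode a PDF text string (literal '(...)' or hex '<...>') to str."""
    if raw.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", raw[1:-1])
        if len(hexdigits) % 2:          # PDF lets a final odd digit imply a 0
            hexdigits += b"0"
        data = bytes.fromhex(hexdigits.decode("ascii"))
    else:
        # Literal string: undo the escapes for the three common specials.
        # Nested unescaped parentheses are legal in PDF but not handled here.
        data = re.sub(rb"\\([()\\])", rb"\1", raw[1:-1])
    if data.startswith(b"\xfe\xff"):     # UTF-16BE with byte-order mark
        return data[2:].decode("utf-16-be", errors="replace")
    return data.decode("latin-1")       # PDFDocEncoding is close to Latin-1


def parse_info_dict(pdf: bytes) -> Dict[str, str]:
    """Return the Info dictionary of one PDF as {key: value}, or {} if none."""
    refs = _INFO_REF.findall(pdf)
    if not refs:
        return {}
    num, gen = refs[-1]
    # "N G obj ... endobj"; the lookbehind stops "2 0 obj" matching "12 0 obj".
    bodies = re.findall(
        rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj",
        pdf, re.DOTALL,
    )
    if not bodies:
        return {}
    info: Dict[str, str] = {}
    for key, value in _ENTRY.findall(bodies[-1]):   # latest revision wins
        name = key.decode("latin-1")
        if value.startswith(b"/"):                  # name object, e.g. /True
            info[name] = value[1:].decode("latin-1")
        else:
            info[name] = _decode_text(value)
    return info


def extract_directory(directory: str) -> List[Dict[str, str]]:
    """One record per *.pdf in the directory: the loop the .cmd file replaced.

    FileName is what the file system shows; Title is whatever the document's
    own metadata says, so the two can be compared side by side.
    """
    records: List[Dict[str, str]] = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".pdf"):
            continue
        with open(os.path.join(directory, name), "rb") as handle:
            info = parse_info_dict(handle.read())
        record = {"FileName": name}
        record.update(info)
        records.append(record)
    return records


def build_sample_pdf(title: str, author: str) -> bytes:
    """Build a minimal PDF skeleton with an Info dictionary (constructed sample)."""
    title_hex = (b"\xfe\xff" + title.encode("utf-16-be")).hex().encode("ascii")
    author_lit = author.encode("latin-1")
    for special in (b"\\", b"(", b")"):            # backslash first
        author_lit = author_lit.replace(special, b"\\" + special)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog >> endobj\n"
        b"2 0 obj\n<< /Title <" + title_hex + b"> /Author (" + author_lit + b")\n"
        b"/Producer /Hypothetical-Writer /CreationDate (D:20111206204600-06'00') >>\n"
        b"endobj\n"
        b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
    )


def demo() -> List[Dict[str, str]]:
    """Write two constructed PDFs plus a non-PDF to a temp dir and parse them."""
    with tempfile.TemporaryDirectory() as directory:
        samples = {
            "United 01.pdf": ("Quarterly Report", "Little Mac"),
            "Carpet 02.pdf": ("Carpet 02", "Someone (Else)"),
        }
        for name, (title, author) in samples.items():
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(build_sample_pdf(title, author))
        with open(os.path.join(directory, "notes.txt"), "wb") as handle:
            handle.write(b"not a pdf")
        return extract_directory(directory)


if __name__ == "__main__":
    for record in demo():
        # Mirrors pdfinfo's layout: one "Key: value" line per entry, blank line between files.
        print("\n".join(f"{k}: {v}" for k, v in record.items()) + "\n")
```

Point extract_directory at the export folder and redirect the output to a text file to get the same consolidated listing the batch file produced.<br />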
<br />
So there's the quick update. Enjoy!<br />
<br />
Little Mac<br />
<br />
<b>BSidesDFW Follow-up</b> (2011-11-07)<br />
<br />
BSidesDFW_2011 - My Thoughts<br />
Saturday, November 5th. <br />
Check out the website - <a href="http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011">speakers, planners, sponsoring vendors, etc.</a><br />
<br />
I arrived late to the fun as my daughter had a soccer game early in the morning; I deemed it a good idea to go to that first, so that delayed my start. Then poor choice of routes, road construction (thus the reference to route choice) and heavy traffic on side roads (see road construction), further delayed me, and I pulled up to the Microsoft Technology Center in the wonderful mood that traffic/road issues helps me to find when I'm trying to get somewhere. Yes, folks, that's sarcasm. Drives me nuts, truth be told.<br />
<br />
Anyway, I'm an adult, and it's not anyone's fault, so I pulled myself together and went in. I was greeted warmly at the front desk, and situated with my raffle ticket, drink tickets for the after party, and given my APT (Advanced Persistent Texans) t-shirt. Shortly thereafter I had the opportunity to meet <a href="http://www.twitter.com/diami03">Michelle Klinger</a>, the main organizer, and everyone else involved in putting the event together. Great bunch of folks.<br />
<br />
Since I was running late, I missed Lodovico Marziale's talk on Registry Decoder. That was a major bummer. I really wanted to learn more about it, and ways to use it, straight from the folks that made it. But I wiped away my tears, and headed upstairs to <a href="http://www.twitter.com/hackerhurricane">Michael Gough's</a> talk on "The BIG ONE!!!"<br />
<br />
This was an interesting talk, to put it simply. <a href="http://www.hackerhurricane.com">Michael</a> made some very salient points about needing a PLAN, needing to educate top-level management on their role, and train them on what happens in a breach (both good and bad). A big emphasis should be placed on not pointing the finger or - even worse - getting rid of InfoSec personnel when a breach occurs. It's typically seen that InfoSec is to blame for the breach, where in reality it truly is a shared responsibility by different parts of the business. It's important - for a number of reasons - to give the InfoSec team the time and resources to address and remediate the issue. Far too often, we're blamed, and key personnel are removed (aka, fired/terminated/expunged/beheaded - ok, maybe not that last one); this really doesn't help and in fact causes more problems (such as voluntary departures by additional people, public sabotage, and other ongoing problems not directly related). <br />
<br />
Another key takeaway was the need for a PLAN (I'm thinking flow charts and everything, maybe even swimlanes! ;)) As Michael described it, if X happens, we will do Y; he related this to plans at a former employer, back when Slammer hit. They actually shut down their internet connection on a Thursday, and didn't enable it again until Monday. That was the plan, and they did it. It cost them a ton of money, but saved the company 3 tons of money (interpretive paraphrase, but you get the point); some people didn't believe they would do it, and gave flack when they did, but in the long run it was worth it.<br />
<br />
That was right before lunch, so once I made it through the food line (mmm, BBQ OR mmm, pizza) - hey, as a side note, the fine folks running the event had gotten hooked up with some local beer from McKinney, so anyone interested was able to have a tasty brew as well - I went looking for faces I might know. Sure enough, I saw <a href="http://www.twitter.com/kylemaxwell">Kyle Maxwell</a>. He introduced me to a friend of his, <a href="http://www.twitter.com/chgath">Chris Gathright</a>. After a good lunch, there was a raffle drawing, and prizes were given (just not to me).<br />
<br />
Kyle and I hung out and talked until <a href="http://www.digitalforensicssolutions.com/">Andrew Case's</a> talk on Data Exfiltration. I had to decide between <a href="http://www.twitter.com/attrc">Andrew's</a> talk and Branden Williams' talk on the Anatomy of an Advanced Attack; Andrew's won out. Kyle and I were the only DFIR types in there, and Kyle had been the only one in Lodovico's presentation, but we expected that. For me, most of what Andrew brought up was just a review of information, as it was on host-based forensics (I was hoping for some network exfiltration after a breach, but it wasn't based on that). <br />
<br />
However, he did some very cool stuff that I've not done before. He used scalpel to index the image, looking for a "header" of a website URL, and identify disk offsets. He then used Sleuth Kit tools to map those disk offsets back to the file system, to find which files they fell in; turns out, pagefile had numerous hits on Gmail indices. So, he DD'd out sections of the pagefile, and ran scalpel against those with a custom file signature; this allowed him to successfully carve out multiple emails that were of interest and relevance. He also used Restore Points to help map out USB history; since he had RPs containing setupapi.log and registry files, he was able to pull usage history on almost a per-use basis, to show how many times several devices were used, and when. Now that's cool! Plus he mentioned a "setupapi extractor tool" that I need to find; I've always gone through setupapi.log with Notepad++, which worked quite well, but I'm always up for some new tool to make my job easier.<br />
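As an added illustration of that carve-and-map step (my example, not Andrew's tooling and not scalpel itself), here's the same idea in Python: run a custom header/footer signature over a slice dd'd out of the pagefile, report each hit with its absolute image offset, and turn an offset into the partition-relative block number that Sleuth Kit's ifind takes before ffind names the file. The slice, its image offset and the email-style signature are all constructed for the demo.<br />

```python
"""Scalpel-style carving of a dd'd slice with a custom header/footer signature,
then mapping a hit back to a file system block for Sleuth Kit.

Added example for this post; it is not Andrew Case's tooling and not scalpel
itself. The pagefile slice and its image offset are constructed.
"""
import re

# Constructed stand-in for a section dd'd out of pagefile.sys: two
# email-like fragments with junk around them.
SLICE = (b"\x00" * 32
         + b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 numbers\r\n\r\n"
         + b"Attached are the draft figures.\r\n.\r\n"
         + b"\xff" * 40
         + b"From: mallory@example.net\r\nTo: bob@example.com\r\nSubject: re: figures\r\n\r\n"
         + b"Send them to my personal address.\r\n.\r\n"
         + b"\x00" * 16)
SLICE_IMAGE_OFFSET = 0x7A30000          # constructed: where the slice starts in the image

# Same idea expressed as a scalpel.conf line (ext, case-sensitive, max size, header, footer):
#   eml  y  4096  From:\x20  \r\n.\r\n
SIGNATURE = {"header": b"From: ", "footer": b"\r\n.\r\n", "max_size": 4096}
SUBJECT_RE = re.compile(rb"^Subject: ([^\r\n]*)", re.M)


def carve(buf, header, footer, max_size):
    """Return (offset, data) for every header..footer window no larger than
    max_size. Scanning resumes after a completed hit, so a 'From:' inside a
    message body does not start a second, overlapping hit. A header with no
    footer within max_size is skipped here so only complete items come back."""
    hits, pos = [], 0
    while (start := buf.find(header, pos)) >= 0:
        end = buf.find(footer, start + len(header), min(len(buf), start + max_size))
        if end < 0:
            pos = start + len(header)
            continue
        end += len(footer)
        hits.append((start, buf[start:end]))
        pos = end
    return hits


def image_offset_to_block(image_offset, partition_start_sector, block_size, sector_size=512):
    """Absolute image offset -> partition-relative block number, which is what
    `ifind -d` takes (then `ffind` turns the inode into a path)."""
    part_start = partition_start_sector * sector_size
    if image_offset < part_start:
        raise ValueError("offset is before the partition start")
    return (image_offset - part_start) // block_size


def carve_slice(buf=SLICE, base=SLICE_IMAGE_OFFSET, sig=SIGNATURE):
    """Carve one slice and report each hit with its absolute image offset."""
    out = []
    for rel, data in carve(buf, sig["header"], sig["footer"], sig["max_size"]):
        m = SUBJECT_RE.search(data)
        out.append({"image_offset": base + rel, "size": len(data),
                    "subject": m.group(1).decode(errors="replace") if m else None})
    return out


if __name__ == "__main__":
    for h in carve_slice():
        blk = image_offset_to_block(h["image_offset"], partition_start_sector=63, block_size=4096)
        print(f"0x{h['image_offset']:x} (fs block {blk}) {h['size']} bytes subject={h['subject']!r}")
```

The partition start sector and block size are whatever mmls and fsstat report for the image you're working; the point of keeping the footer and max size tight is that pagefile data is noisy, and a loose signature gives you a pile of half-messages.<br />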
<br />
I wasn't sure which talk to attend next, but I was in the Track 1 room, and Michael Gough had another talk scheduled there, about Hacking a CardKey system; <a href="http://www.cybersecurityguy.com">Ian Robertson</a> was part of this as well. Sounded interesting, so I stuck around (Kyle went to sit in on the lightning talks); I'm glad I did, as it was interesting, scary, and informative. So as the story goes, "Peggy" (you know, from the commercials) was poking around on the internet and found some open ports (that didn't seem like they should be open), and was able to connect to them using protocols that didn't seem like they should be allowed. Hmmm. "Peggy" was interested, and so set about finding out what was going on. Turns out, these were on cardkey systems, and they were infinitely pwnable. In the course of the research, "Peggy" and friends were able to build a mobile app that would unlock these systems (or the doors/gates they secured) at will. Ouch. "Peggy" reported the findings to the appropriate parties, and fortunately did not end up in jail. Whew! <br />
<br />
By working with vendors, "Peggy" and friends have been able to help get some changes made that will at least provide the option of AES encryption. Just a side note, never assume you know who's at these things, or that they're one type of people/experience - I was surprised when someone asked what AES was, and why they didn't just use an encrypted password that couldn't be broken; the questioner seemed to have some other very technical knowledge, but it was apparently in a different area than I expected. Anyway, the crux of the biscuit is that these systems are STILL very vulnerable, and if you have any, make darn sure they're not reachable from the internet, and upgrade the ethernet module so that AES is an option (then make sure to actually enable and configure it; an option that's available but switched off protects nothing). There are still concerns, but at least that's a big help. By the way, I wasn't in on it, but Michael gave a lightning talk about Yubikey usage, and was giving away some free upgrades to LastPass Premium in the cardkey talk. A lot of folks also received Yubikeys, as <a href="http://www.yubico.com">Yubico</a> was a sponsor. <a href="http://www.lastpass.com">LastPass</a> and Yubikey is a good combo.<br />
<br />
The keynote was by <a href="http://www.mckeay.net/">Martin McKeay</a>, giving a thought-provoking talk on fundamental flaws in Information Security. This wasn't a technical talk, which he stated up front. It was still very good, though. Don't want that to sound wrong, with the "though" in there. I think folks kind of expect to get down into the nitty gritty at these conferences, and <a href="http://www.twitter.com/mckeay">Martin</a> acknowledged that. So I'll put it this way - technical or not, it was a good talk. <br />
<br />
My key takeaway was that, as an industry (with a career path) we're very young; only 23 years old. Firefighters, which we're often compared to (and Martin did as well), have centuries of experience, science, and testing behind them. Granted, their knowledge is changing, but they have a strong foundation and a long history. By and large, they KNOW what a fire will do. However, our landscape is changing on an almost-daily basis, our forefathers/frontrunners discovered and made stuff up on the fly, and we're largely continuing in that vein. We need to KNOW infosec, and if what we're doing works. We lack solid metrics, statistics, and facts. Martin pointed to the Verizon Data Breach reports as the best we, as an industry, have, but they really present a small cross-section of what's happened. Same for the Verizon PCI report. I feel kind of like Number 5, saying, "Need more input." <br />
<br />
There was an after-party, but I did not stay for that. For whatever reason, I was really feeling tired (maybe being in a Microsoft building all day...), and it being a weekend, spending time with my family is important to me, so I headed to the house. I enjoyed the event, I think it was well-done, fun, great speakers, good swag, and best of all - free. I'm definitely looking forward to next year's.Little Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com0tag:blogger.com,1999:blog-5905877434106273050.post-66219371389821741452011-10-09T15:10:00.001-05:002011-10-09T20:48:32.565-05:00Artifacts Created by Nmap/ZenmapThe scenario is that I knew a particular system had run an Nmap scan against another particular system, using the Zenmap GUI (and was manually terminated before completion). I know, I know, why wasn't CLI used? Well, it just wasn't, and that's not really part of the problem. The problem was that after the fact, there was a need to correlate the scan against certain event log entries on the target, as it appeared that perhaps the scan had not shut down properly, and continued running in the background.<br />
<br />
So how to do it? Does Nmap/Zenmap create any logs or other artifacts on the source system, which remain afterwards? So I put on my forensicator hat, gloved up (technical term for putting your protective gloves on), then announced, "I'm goin' in!" For testing, I ran Zenmap versions 4.6 (because I had it) and 5.1 (which was the current version in question) on XP Pro and Win7 Pro, both 32-bit, both fully patched. I ran scans both from the GUI and CLI (yes, I went ahead and tested that too, as I thought it would be good to know, although not pertinent to the current scenario). The ultimate prize was to be able to show what scan ran when, for how long, against what target (specifically the scan that was terminated early).<br />
<br />
I'll also state that I wasn't trying to prove that Nmap/Zenmap was run, so I didn't look to prefetch, user assist, or other similar artifacts. I was trying to prove what was done when the application did run, more so than if it had been run or by whom. Think of a scenario where it might be legitimate for a user to use the application as part of their normal duties, and the question is whether they did something with it they should not have done. "What" and "When" became more important questions than "Who," "How" or "Why."<br />
<br />
I'd love to be able to say that I reached the goal, but I'm afraid that's not the case. I found good stuff, but nothing directly showing the terminated scan. Ultimately I did find evidence of that scan in pagefile, but nothing that gave specific time frames, or the options used. What was useful was that I saw the NSE (Nmap Scripting Engine) info, which showed some details about the scan; some of these were particulars that were useful to me (some of this was similar to some of the data from temp files that you'll read about later). So in a round-about way I accomplished the mission, just not in the neat, clear-cut way I had hoped for. But even in that respect, all was not lost...<br />
<br />
Results of testing were inconsistent. But wait, I thought you said all was not lost?! Right, it's not. Results were inconsistent, but there is stuff to look for, and I can provide some direction on that, so in case you need to know about Nmap/Zenmap artifacts, you'll have something to work with ahead of time. So, inconsistent results, what does that mean? It means that on either OS, with either version of Zenmap, some things were logged, some artifacts were created, and sometimes they weren't. That's what I mean by inconsistent. Seems like it meets the definition of the word to me. Anyhow, artifacts <b>are</b> created, and I will expand on that, so you'll know the kinds of things to look for.<br />
<br />
Basically, there were three areas containing artifacts; two under the user profile, and one in the program directory. <disclaimer>Keep in mind that sometimes some of these were present, and sometimes they were not; sometimes they had data and sometimes they did not. I'm just going to explain what I saw, when it was there to see, YMMV.</disclaimer> Note: I did not see any of these artifacts when running Nmap from CLI; only when using the Zenmap GUI front-end. Due to the otherwise inconsistent results, I don't know that CLI doesn't create some of these artifacts as well (such as the temp files you'll read about), just that in my testing, I did not see it occur.<br />
<br />
In c:\program files\nmap\zenmap\ a file was created when a scan was saved. This had the same user-selected name as the saved scan, with the extension USR. So if the scan saved was "test" then the subsequent file would be "test.usr." If you find one of these, you can bet the user saved a scan; this file should be identical to that. It is an XML file whose root element is nmaprun; the scan's command line, target, start time (both as a Unix epoch value in "start" and as the host's local clock in "startstr") and the raw Nmap output are all stored as attributes of that element, and they look something like this:<br />
<br />
<code><br />
nmaprun profile="nmap -v %s" scanner="nmap" hint="" scan_name="" args="nmap -v xxx.xxx.xxx.2" profile_name="Regular Scan" startstr="October 1, 2011 - 16:54" options="Verbose" start="1317506087" nmap_output=" Starting Nmap 4.60 ( http://insecure.org ) at 2011-10-01 16:54 Central Daylight Time Initiating ARP Ping Scan at 16:54 Scanning xxx.xxx.xxx.2 [1 port] Completed ARP Ping Scan at 16:54, 0.48s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 16:54 Completed Parallel DNS resolution of 1 host. at 16:54, 0.00s elapsed Initiating SYN Stealth Scan at 16:54 Scanning System (xxx.xxx.xxx.2) [1715 ports] Completed SYN Stealth Scan at 16:55, 39.01s elapsed (1715 total ports) Host System (xxx.xxx.xxx.2) appears to be up ... good. All 1715 scanned ports on System (xxx.xxx.xxx.xxx) are filtered MAC Address: xx:xx:xx:xx:xx:xx (make) Read data files from: C:\Program Files\Nmap Nmap done: 1 IP address (1 host up) scanned in 39.847 seconds Raw packets sent: 3431 (150.962KB) | Rcvd: 1 (42B) " version="4.60" target="xxx.xxx.xxx.2" annotation="" description=""<br />
</code><br />
<br />
There was also a "zenmap.exe.log" file under Program Files, but it was not helpful for this purpose. It appears to be an error entry related to the application itself, not relating to activity. This might be helpful to show that Zenmap was run at some point, if that was a goal, but not for showing what scan was run or when.<br />
<br />
In %User%\.zenmap (hidden folder) there are primarily three files of interest: recent_scans.txt, target_list.txt and zenmap.db. Recent_scans.txt is a list of saved scans (or perhaps the .USR instance, it's inconclusive at this point); all it has is a list of files with their paths. Target_list.txt is a list of all target IP addresses, separated by semicolons; it has no other information, not even an associated date. Zenmap.db is the fun one; it's a SQLite database that contains a history of what scans were run - type of scan, target IP, XML output (ie, basic scan detail) and time. In my case, the killed scan was not in there, but others were. <br />
<br />
%User%\%Local%\Temp holds another potential treasure trove of evidence. I found temporary files (with no extension) at this level. Some contained no data, some contained only a small amount, and others looked like this (at the start):<br />
<br />
<code><br />
Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5<br />
<br />
Starting Nmap 4.60 ( http://insecure.org ) at 2011-10-01 16:34 Central Daylight Time<br />
--------------- Timing report ---------------<br />
hostgroups: min 1, max 100000<br />
rtt-timeouts: init 500, min 100, max 1250<br />
max-scan-delay: TCP 10, UDP 1000<br />
parallelism: min 0, max 0<br />
max-retries: 6, host-timeout: 0<br />
---------------------------------------------<br />
Initiating ARP Ping Scan at 16:34<br />
Scanning xxx.xxx.xxx.1 [1 port]<br />
Packet capture filter (device eth1): arp and ether dst host 00:11:25:D1:04:E0<br />
SENT (1.3820s) ARP who-has xxx.xxx.xxx.1 tell xxx.xxx.xxx.2<br />
RCVD (1.3820s) ARP reply xxx.xxx.xxx.1 is-at xx:xx:xx:xx:xx:xx<br />
Completed ARP Ping Scan at 16:34, 0.80s elapsed (1 total hosts)<br />
Initiating SYN Stealth Scan at 16:34<br />
Scanning xxx.xxx.xxx.1 [1715 ports]<br />
Packet capture filter (device eth1): dst host xxx.xxx.xxx.2 and (icmp or (tcp and (src host xxx.xxx.xxx.1)))<br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:25 S ttl=40 id=15841 iplen=44 seq=237510861 win.14 <mss 1460><br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:554 S ttl=55 id=24142 iplen=44 seq=237510861 win=4096 <mss 1460><br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:3389 S ttl=47 id=2030 iplen=44 seq=237510861 win=4096 <mss 1460><br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:389 S ttl=51 id=32698 iplen=44 seq=237510861 win=4096 <mss 1460><br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:256 S ttl=46 id=12578 iplen=44 seq=237510861 win=3072 <mss 1460><br />
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:113 S ttl=54 id=21527 iplen=44 seq=237510861 win=3072 <mss 1460><br />
</code><br />
<br />
Basically this is a detailed breakdown of the scan, really the veritable motherlode, as it shows the time of the scan, each target port, protocol, scan times, and so on. Note the two kinds of timestamps in there: the "Starting Nmap ... at" line and the per-phase times are the scanning host's local clock (with the zone name spelled out), while the "SENT (1.3920s)" values are seconds elapsed since Nmap started, so each probe only lands on your timeline once you anchor it to that start line. Very good stuff, when present. The temporary files that had only a little content basically mirrored the type of content in the USR files, so if you don't have one, you might have the other and still have some insight into the scan. Note: All these temp filenames were 9 characters in length, and started with "tmp."<br />
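Here is an added example (mine, not Zenmap's code and not from the original testing) that pulls the timeline-relevant pieces out of the two text formats above: the nmaprun attributes from a .usr/saved-scan file, and the start line, phase lines and SENT lines from one of the temp files. The samples inside it are constructed from the redacted excerpts in this post (IPs left as xxx.xxx.xxx.N; the first SENT line of the excerpt is omitted because its window value didn't survive). The thing to carry away is that "start" in the XML is a Unix epoch (UTC), while "startstr" and every time in the temp file are the scanning host's local clock.<br />

```python
"""Pull scan details out of the Zenmap artifacts described above.

Added example for this post, not part of Zenmap or the original write-up.
The XML and temp-file samples below are constructed from the redacted
excerpts in the post (target IPs left as xxx.xxx.xxx.N).
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed .usr content: the nmaprun root element with the attributes the post lists.
USR_SAMPLE = """<nmaprun profile="nmap -v %s" scanner="nmap" hint="" scan_name=""
  args="nmap -v xxx.xxx.xxx.2" profile_name="Regular Scan"
  startstr="October 1, 2011 - 16:54" options="Verbose" start="1317506087"
  nmap_output="Starting Nmap 4.60 ( http://insecure.org ) at 2011-10-01 16:54 Central Daylight Time"
  version="4.60" target="xxx.xxx.xxx.2" annotation="" description=""/>"""

# Constructed temp-file content, trimmed from the post's excerpt.
TMP_SAMPLE = """Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5

Starting Nmap 4.60 ( http://insecure.org ) at 2011-10-01 16:34 Central Daylight Time
Initiating ARP Ping Scan at 16:34
Scanning xxx.xxx.xxx.1 [1 port]
Completed ARP Ping Scan at 16:34, 0.80s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 16:34
Scanning xxx.xxx.xxx.1 [1715 ports]
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:554 S ttl=55 id=24142 iplen=44 seq=237510861 win=4096 <mss 1460>
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:3389 S ttl=47 id=2030 iplen=44 seq=237510861 win=4096 <mss 1460>
SENT (1.3920s) TCP xxx.xxx.xxx.2:49151 > xxx.xxx.xxx.1:389 S ttl=51 id=32698 iplen=44 seq=237510861 win=4096 <mss 1460>
"""

START_RE = re.compile(r"^Starting Nmap (?P<ver>\S+) .* at (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<tz>.+)$", re.M)
INITIATING_RE = re.compile(r"^Initiating (?P<kind>.+?) at \d{2}:\d{2}$", re.M)
COMPLETED_RE = re.compile(r"^Completed (?P<kind>.+?) at \d{2}:\d{2}, (?P<sec>[\d.]+)s elapsed", re.M)
SENT_RE = re.compile(r"^SENT \((?P<t>[\d.]+)s\) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+)")


def parse_usr(xml_text):
    """Scan parameters from a saved-scan (.usr) file. `start` is a Unix epoch,
    i.e. UTC; `startstr` is the scanning host's local clock, so the two only
    line up once you know the host's timezone (CDT in the sample)."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"not an nmaprun document: {root.tag!r}")
    a = root.attrib
    return {"args": a.get("args"), "target": a.get("target"),
            "profile": a.get("profile_name"), "nmap_version": a.get("version"),
            "start_utc": datetime.fromtimestamp(int(a["start"]), tz=timezone.utc),
            "startstr_local": a.get("startstr")}


def parse_tmp(text):
    """Scan timeline and per-probe targets from a %Temp%\\tmp* file.
    SENT times are seconds since Nmap started, not wall-clock values."""
    m = START_RE.search(text)
    info = {"nmap_version": m["ver"] if m else None,
            "started_local": m["when"] if m else None,
            "tz": m["tz"] if m else None,
            "phases": [p["kind"] for p in INITIATING_RE.finditer(text)],
            "elapsed": {c["kind"]: float(c["sec"]) for c in COMPLETED_RE.finditer(text)},
            "source": None, "targets": set(), "probes": []}
    for line in text.splitlines():
        s = SENT_RE.match(line)
        if s:
            info["source"] = f'{s["src"]}:{s["sport"]}'
            info["targets"].add(s["dst"])
            info["probes"].append((s["proto"], int(s["dport"]), float(s["t"])))
    return info


if __name__ == "__main__":
    u = parse_usr(USR_SAMPLE)
    print(f'saved scan: {u["args"]} started {u["start_utc"]} (host clock: {u["startstr_local"]})')
    t = parse_tmp(TMP_SAMPLE)
    print(f'temp file: nmap {t["nmap_version"]} at {t["started_local"]} {t["tz"]}, '
          f'{t["source"]} -> {sorted(t["targets"])}, {len(t["probes"])} probes, phases {t["phases"]}')
```

To use it on a real case, read the .usr and tmp files in place of the two samples; the same epoch-versus-local caution applies to any timestamp you pull out of zenmap.db.<br />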
<br />
And a slightly tangential question posed on Twitter was how to identify a scan from packets. That's probably already documented, but since I was in testing mode, I looked into that myself as well. Fairly simple, right - just start Wireshark, run an Nmap scan, and review the results. Turns out that across multiple types of scans run, there are 60-byte packets, and all have the following content: 00 0d 60 da b4 e7 00 11 25 d1 04 e0 08 00 45 00. Obviously, that's not all the content, but that is what I saw as consistent across all packets captured. A word on what those bytes actually are, though, because it decides how far you can generalize: the first six are the destination MAC, the next six the source MAC (00:11:25:D1:04:E0, the scanning host's NIC, which also shows up in the capture filter in the temp file above), 08 00 is the EtherType for IPv4, and 45 00 is the start of the IPv4 header (version 4, 20-byte header, no TOS bits). So that prefix is identical for every IPv4 packet between those two hosts, scan or not, and it won't pick out Nmap on another network. The 60-byte size is more telling: each probe is a 44-byte IP packet (the "iplen=44" in the SENT lines: 20-byte IP header plus a 24-byte TCP header carrying only an MSS option), which with the 14-byte Ethernet header comes to 58 bytes, padded out to the 60-byte Ethernet minimum. That's characteristic of bare SYN probes, but still not unique to Nmap. The details in the SENT lines make the better fingerprint: one source port for every probe in the run (49151 in the sample), the same sequence number on every probe to a host, and a TTL and window size that change from probe to probe. So there you go.<br />
<br />
I think that's about it for this post. Hopefully if you're doing an investigation wherein the use of Nmap/Zenmap is key, this will help get you started. As always, happy forensicating!Little Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com0tag:blogger.com,1999:blog-5905877434106273050.post-38687017503578559202011-09-05T21:32:00.000-05:002011-09-05T21:32:51.618-05:00Keep Track of File Acquisition with ProcMonThis post was inspired by Lenny Zeltser's <a href="http://blog.zeltser.com/post/9730962625/process-hacker-an-alternative-to-process-explorer">recent blogs</a> about using <a href="http://www.nirsoft.net/">NirSoft Utilities</a> in <a href="http://blog.zeltser.com/post/9610150595/processactivitymonitor-and-regfromapp">malware analysis.</a><br />
<br />
Have I said that guy rocks? If not, let it be said. He rocks.<br />
<br />
In having to do acquisition of loose native files across clients' LANs and WANs, you come across some difficulties, and slow networks. And large files, like 18GB NSFs that you find out you're pulling across the WAN from Arizona to Michigan. What? Yeah, no one realized that a guy in Michigan had his NSF in Arizona. No wonder he was complaining about email being slow... :) Anyway, aside from that, I've come across lots of situations where a file copy seems to be hung, but you don't want to kill it and try to start over in case it's actually still doing something. The things you want to know in those scenarios are:<br />
* Has the Source already been copied to the Destination<br />
* Has the Source already been hashed<br />
* Has the Destination already been hashed<br />
* Is the process still running/active<br />
* How much longer is it going to take<br />
<br />
Even if you could safely preview your destination without risking changing timestamps or otherwise messing something up, it would still show the full file size, regardless of how much has been written, so that's no good. And for the hashing bit, how could you really tell?<br />
<br />
Some applications will provide status/progress updates. For instance, <a href="http://www.pinpointlabs.com/sc2.html">Pinpoint Labs' Safecopy</a> will show progress, and even provide an indication of where you are in the process, but it can't tell you if it's still working or not. <a href="http://www.xxcopy.com/xcpymain.htm">PixeLabs' XXCopy</a> can provide a progress bar (and used with <a href="http://md5deep.sourceforge.net/">Jesse Kornblum's md5deep</a> for hashing, which can also provide a progress report), <a href="http://www.dmares.com/maresware/html/upcopy.htm">Dan Mares' upcopy</a> (my personal favorite) provides periodic updates, but none of these (or <a href="http://technet.microsoft.com/en-us/library/cc733145%28WS.10%29.aspx">robocopy</a>, <a href="http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/33971726-eeb7-4452-bebf-02ed6518743e/">RichCopy</a>, etc) are able to tell you what you're actually dealing with. Enter <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645">SysInternals' Process Monitor</a>, aka procmon.<br />
<br />
You have to know how your tool operates, but if you do, procmon can be extremely helpful for discerning if you're still good to go, where you are in the process, and how much longer you can anticipate it taking (you'll have to do your own math). For my example I'm using upcopy, and copying several 10GB files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">upcopy command<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3XEfQl2FWtIwUHvyaOVrqPd_KmPyM6Necg97iiUtu_XnajQ34-MYqSBg7OMnc0gXFw7pMzlCVTXCA1_JNem42MitFTon5-owfAt82stlMzfz705lX6u4-aEeMXr_6l8D8HawfF9uo1L9/s1600/copy1b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="42" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3XEfQl2FWtIwUHvyaOVrqPd_KmPyM6Necg97iiUtu_XnajQ34-MYqSBg7OMnc0gXFw7pMzlCVTXCA1_JNem42MitFTon5-owfAt82stlMzfz705lX6u4-aEeMXr_6l8D8HawfF9uo1L9/s320/copy1b.png" /></a></div><br />
Upcopy works by reading and writing the source to the destination. It then hashes the source, followed by the destination. At that point, it's done. Most apps work in pretty much the same way, but you have to know yours in order to make the best use of procmon.<br />
<br />
Naturally, there will be a lot of activity in procmon, so we have to find our executable and set a filter to show only that. Click the binocular icon or CTRL-F to open the search feature. You can also just scroll down to find the exe you're looking for, as the search feature will give you every instance of it, which could give you results from antivirus scanning it, HIPS checking it, the parent process, etc. Might take longer than it's worth that way! If you're not sure of the actual EXE name, find it first in <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653">SysInternals' Process Explorer</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">Process Explorer<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DpeAGd6ZM-tZ97JiJR507dXTt48L7RoGcKaS-tybbZymc2MGIlZDnRXNkkVfc9_TUYgryUax1qsTLFIohuCmnD7pjCIe9tst0YJzsEyEZC-p1ue756OHBf7UrWf0eIKMtqJt-TG5oAFM/s1600/copy3b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="320" width="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DpeAGd6ZM-tZ97JiJR507dXTt48L7RoGcKaS-tybbZymc2MGIlZDnRXNkkVfc9_TUYgryUax1qsTLFIohuCmnD7pjCIe9tst0YJzsEyEZC-p1ue756OHBf7UrWf0eIKMtqJt-TG5oAFM/s320/copy3b.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;">procmon, "find"<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCwXM-PCRXmxtlg4kBDpxfeM85KqnfGqJ8l5M68Ep962JtcjKmgg7Jd932jKEzjrVL9PJtVwJmFCRwhfhRvcVv0DDZ_4sXU4tIsILI2DibBumyDD4UXTW9kZUsiRUWM4uLUJr9xDKr1AqZ/s1600/copy2b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="40" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCwXM-PCRXmxtlg4kBDpxfeM85KqnfGqJ8l5M68Ep962JtcjKmgg7Jd932jKEzjrVL9PJtVwJmFCRwhfhRvcVv0DDZ_4sXU4tIsILI2DibBumyDD4UXTW9kZUsiRUWM4uLUJr9xDKr1AqZ/s320/copy2b.png" /></a></div><br />
Once you locate your executable, right-click and select "include..."<br />
<br />
<div class="separator" style="clear: both; text-align: center;">procmon, "include exe"<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGmd4nJS_uCTxQPaEIz13IDzCzc2NGoNgU3Zg6_D9JR_gfRPnqXuyoMjvLkY4ccrw4ecC_jY1lvescGMd7U3GGl6oi-fn-13pxMLMJFtLPUmfS0Dhj-kW2coYhUgsx6bYA9kOKvfuAhyphenhyphenEe/s1600/copy4b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="231" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGmd4nJS_uCTxQPaEIz13IDzCzc2NGoNgU3Zg6_D9JR_gfRPnqXuyoMjvLkY4ccrw4ecC_jY1lvescGMd7U3GGl6oi-fn-13pxMLMJFtLPUmfS0Dhj-kW2coYhUgsx6bYA9kOKvfuAhyphenhyphenEe/s320/copy4b.png" /></a></div><br />
By default, procmon shows the most recent activity at the bottom, so you'll need to scroll down. I don't tend to change the configuration, sorting, etc. once it's running, as it does use resources. Be aware and judicious in your choices.<br />
<br />
The first set of screenshots here show the copy process, from source (F:) to destination (V:) (yes, I'm actually going local <b>to</b> network, the opposite of what we'd typically be doing in a collection; I needed to back up some files to my NAS anyway). You can see the "Offset" in the far right column increasing; this correlates to the file-size, and is one piece in checking progress.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">copy progress<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj87tW4BWpQ-LEVN_COlP8OhFD6o3G0cv3Am_xybrS6xdMunY9-s_prINro_I1XzWNzX-dMHGeH9dwOoyihYAsTtHRT-zv0WkEAOigYHjaNwljdCrziIwZKMJWzlmbzHW0ajGliCjb5LlDv/s1600/copy5b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="41" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj87tW4BWpQ-LEVN_COlP8OhFD6o3G0cv3Am_xybrS6xdMunY9-s_prINro_I1XzWNzX-dMHGeH9dwOoyihYAsTtHRT-zv0WkEAOigYHjaNwljdCrziIwZKMJWzlmbzHW0ajGliCjb5LlDv/s320/copy5b.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;">more copy progress<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH4Oh15rgdToBn3xCITi30sluqxUPE5-Xm_xx9ehL3kllPgwCmXEo1qrTV3fBgb7ziN2LjA2b2KaYSj3QFMvjYVWyzU2gpzbBnc7fEYRkO2ZnAWJ0MVZYDA2IdGbIPI0D6uMnDDiTi6ZvR/s1600/copy7b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="35" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH4Oh15rgdToBn3xCITi30sluqxUPE5-Xm_xx9ehL3kllPgwCmXEo1qrTV3fBgb7ziN2LjA2b2KaYSj3QFMvjYVWyzU2gpzbBnc7fEYRkO2ZnAWJ0MVZYDA2IdGbIPI0D6uMnDDiTi6ZvR/s320/copy7b.png" /></a></div><br />
Once the copy process is complete, you'll see the activity in the next screenshot. Note the "ReadFile," "END OF FILE" and the "Offset" showing the total file size in bytes (yep it's a 10GB file), followed by the file being closed on source and destination. Then the hashing of the source will commence.<br />
<div class="separator" style="clear: both; text-align: center;">copy complete<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXxjAYQotipHHD_y22by3Rp2PSDXVRIlw9xIjXcLSZpjxCkTJfoDnzNc_TGpDczzyEe_cKS-4U5YV9iVd0ZAg23RQEGcQrXRXaNSJSgh3l-w4z8dnMJpZIMr3kniqZ3IQy2EsqDwV1k3NK/s1600/copy8b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="89" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXxjAYQotipHHD_y22by3Rp2PSDXVRIlw9xIjXcLSZpjxCkTJfoDnzNc_TGpDczzyEe_cKS-4U5YV9iVd0ZAg23RQEGcQrXRXaNSJSgh3l-w4z8dnMJpZIMr3kniqZ3IQy2EsqDwV1k3NK/s320/copy8b.png" /></a></div><br />
You can follow the progress through hashing the same way. All the entries will show "ReadFile" action on the source, and you can keep tabs via the "Offset" value increasing. Note that by doing some math here (change in size over time passed), you can determine an approximate timeframe for completion of that portion.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">hashing source<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwndu-Jm-saEyxuhatTNPNz2rgYzEpVsuLFoFt1CZ_fxtKsO3U49KLQZ-D-OmrZrmVfvH7ciAZSIbsdMqwvRHx0IMnelq5RbSEZiFa1QTaif5_8Oh79rVvcYHd6XhMxM153BQjPcBOHCgw/s1600/copy6b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="46" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwndu-Jm-saEyxuhatTNPNz2rgYzEpVsuLFoFt1CZ_fxtKsO3U49KLQZ-D-OmrZrmVfvH7ciAZSIbsdMqwvRHx0IMnelq5RbSEZiFa1QTaif5_8Oh79rVvcYHd6XhMxM153BQjPcBOHCgw/s320/copy6b.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;">more hashing source<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHX275qpHJ9ijx7lu8tkIkkKAWzxBtpsw_Wgb4g0vhgr6_SAtzroLx2rhKV4rgWgf3wWZCRTgk0o3Hjhp5eWpkAA0CXmgyVjIhMQkk1z_w9xbhF3H3mbrjbPw_z51-2Ze1ZE_W9bGyK51/s1600/copy9b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="32" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHX275qpHJ9ijx7lu8tkIkkKAWzxBtpsw_Wgb4g0vhgr6_SAtzroLx2rhKV4rgWgf3wWZCRTgk0o3Hjhp5eWpkAA0CXmgyVjIhMQkk1z_w9xbhF3H3mbrjbPw_z51-2Ze1ZE_W9bGyK51/s320/copy9b.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;">and yet more hashing source<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRVUIlRlcdtiEximcBVatPcD0huJ9PpTSmcd1rbU0EBnnmWVBMETVQ10uhwQIbuULiJ2xMGTJiAcljtGQo2oP-bolMGiT3Haal1Dn2-yQ9CrpUct8VRgdPO0eBXRgK8QI69bkBq_lM6kv_/s1600/copy10b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="39" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRVUIlRlcdtiEximcBVatPcD0huJ9PpTSmcd1rbU0EBnnmWVBMETVQ10uhwQIbuULiJ2xMGTJiAcljtGQo2oP-bolMGiT3Haal1Dn2-yQ9CrpUct8VRgdPO0eBXRgK8QI69bkBq_lM6kv_/s320/copy10b.png" /></a></div><br />
Once it's finished hashing the source, you'll see the following. Just as before, note the "ReadFile," "END OF FILE" and the "Offset" showing the total file size, followed by the file being Closed. Then the process repeats for the destination.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">source hash complete<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioFyld4H61_tmPyTvs96TqENC2XPgCFug2S4L5Dl5nZv0Xx3CDCERzoIC_occ2d_86iLdgZtTlObS2uaCa2VFxQEqGdJ143oBvc94u-pOEXyejJ63r2mOU8O-1EZkpx5w8fDdyQfqKzAYx/s1600/copy11b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="56" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioFyld4H61_tmPyTvs96TqENC2XPgCFug2S4L5Dl5nZv0Xx3CDCERzoIC_occ2d_86iLdgZtTlObS2uaCa2VFxQEqGdJ143oBvc94u-pOEXyejJ63r2mOU8O-1EZkpx5w8fDdyQfqKzAYx/s320/copy11b.png" /></a></div><br />
Here's the destination hashing in progress; same as for the source, only the location is changed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">hashing destination<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMk8Pdo4j3PMLxIs863QJ1F6xRLa398WvFEnm_QApAXIPpWf7e6RDoI0kStlQ7ibwMv6rqUWyPzuWXBEpuEIRcOlMfC0xqy5EMRDd0hJxIAjix4ODB8B3Az882gxOUUNmGjGFDBrcL0D6a/s1600/copy12b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="55" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMk8Pdo4j3PMLxIs863QJ1F6xRLa398WvFEnm_QApAXIPpWf7e6RDoI0kStlQ7ibwMv6rqUWyPzuWXBEpuEIRcOlMfC0xqy5EMRDd0hJxIAjix4ODB8B3Az882gxOUUNmGjGFDBrcL0D6a/s320/copy12b.png" /></a></div><br />
And, just as before, when the destination is finished hashing, you'll see it clearly in the activity in procmon. There's one other item to note here, though, and that is the logfile activity for the hash data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">destination hash complete<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitlCxQHJxMgL7QHa49e0dxyAUKQ3xVdRs9w-WcNuRL91C5Pd4_WUstztZgwjarCv_2Om-ifrMxk6pmZWi-PJOgWOXImwqDIV6-PAg_kZ3kSGOfcJRO89g7RkMr8tdtu-BKB15EH9wZfo55/s1600/copy13b.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="30" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitlCxQHJxMgL7QHa49e0dxyAUKQ3xVdRs9w-WcNuRL91C5Pd4_WUstztZgwjarCv_2Om-ifrMxk6pmZWi-PJOgWOXImwqDIV6-PAg_kZ3kSGOfcJRO89g7RkMr8tdtu-BKB15EH9wZfo55/s320/copy13b.png" /></a></div><br />
Lather, rinse, repeat, and that's about it. Do be aware that running procmon can consume system resources you might otherwise need: by default it keeps the captured events in virtual memory, so a long capture grows large. Turning on Filter > Drop Filtered Events keeps it from storing everything your filter hides, and File > Backing Files lets you log to a file on disk instead. That's one of the reasons I like upcopy; it's no resource hog at all. And it's freakin' fast. I know Dan Mares thinks people don't use CLI anymore, but I beg to differ! <br />
<br />
No great revelation of forensic truth here, just a little something to keep you in the know on what's happening with a file copy. Could also be applied to other processes where data is being written out and taking a long time, or when you need to more accurately calculate time estimates for the same (for some reason those application/system progress reports don't seem to be very accurate). I've found it useful; I hope others do as well.<br />
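If you'd rather not do the math by hand, here's an added example (mine, not part of procmon or upcopy) that reads a procmon CSV export (File > Save..., CSV format) of the filtered events, works out which pass upcopy is in, and estimates how long the current pass has left. It assumes the export's column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and that Detail carries "Offset: n, Length: n"; the rows inside it are constructed and thinned to a handful of samples standing in for the thousands procmon would show, and upcopy's pass order (copy, hash source, hash destination) is taken from the description above.<br />

```python
"""Turn a Process Monitor CSV export into 'which pass is it on, and when will it finish'.

Added example for this post; it is not procmon's or upcopy's code. It assumes
the column layout of procmon's File > Save... CSV export (Time of Day,
Process Name, PID, Operation, Path, Result, Detail) with Detail carrying
"Offset: n, Length: n", and upcopy's read/write, hash source, hash
destination order as the post describes it. The rows are constructed and
thinned out to a few samples of what would be thousands of lines.
"""
import csv
import io
import re

SRC = r"F:\evidence\mail.nsf"           # constructed paths
DST = r"V:\collection\mail.nsf"
GIB = 1024 ** 3
SIZE = 10 * GIB                          # the 10 GB file from the screenshots


def _row(t, op, path, result, offset, length=1048576):
    return (f'"{t}","upcopy.exe","4120","{op}","{path}","{result}",'
            f'"Offset: {offset:,}, Length: {length:,}"')


PROCMON_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    _row("10:00:00.0000000", "ReadFile", SRC, "SUCCESS", 0),
    _row("10:00:00.0100000", "WriteFile", DST, "SUCCESS", 0),
    _row("10:05:00.0000000", "ReadFile", SRC, "SUCCESS", 3 * GIB),
    _row("10:05:00.0100000", "WriteFile", DST, "SUCCESS", 3 * GIB),
    _row("10:10:00.0000000", "ReadFile", SRC, "SUCCESS", 6 * GIB),
    _row("10:10:00.0100000", "WriteFile", DST, "SUCCESS", 6 * GIB),
    _row("10:16:40.0000000", "ReadFile", SRC, "END OF FILE", SIZE, 0),   # copy pass done
    _row("10:17:00.0000000", "ReadFile", SRC, "SUCCESS", 0),              # source hash begins
    _row("10:22:00.0000000", "ReadFile", SRC, "SUCCESS", 5 * GIB),
])

OFFSET_RE = re.compile(r"Offset:\s*([\d,]+)")
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def time_of_day_seconds(tod):
    """'HH:MM:SS.fffffff', optionally with AM/PM (locale dependent), to seconds.
    procmon writes seven fractional digits, which strptime's %f cannot take."""
    tod = tod.strip()
    ampm = tod[-2:].upper() if tod[-2:].upper() in ("AM", "PM") else None
    if ampm:
        tod = tod[:-2].strip()
    h, m, s = tod.split(":")
    hour = (int(h) % 12 + (12 if ampm == "PM" else 0)) if ampm else int(h)
    return hour * 3600 + int(m) * 60 + float(s)


def parse_events(text, process="upcopy.exe"):
    """Keep only the process's ReadFile/WriteFile rows, with numeric offsets."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["Process Name"] != process or r["Operation"] not in ("ReadFile", "WriteFile"):
            continue
        off, ln = OFFSET_RE.search(r["Detail"]), LENGTH_RE.search(r["Detail"])
        if not off:
            continue
        events.append({"t": time_of_day_seconds(r["Time of Day"]), "op": r["Operation"],
                       "path": r["Path"], "result": r["Result"],
                       "offset": int(off.group(1).replace(",", "")),
                       "length": int(ln.group(1).replace(",", "")) if ln else 0})
    return events


def eta(events, path, total):
    """Throughput from the first and last successful I/O on `path`, and time left."""
    pts = [(e["t"], e["offset"] + e["length"]) for e in events
           if e["path"] == path and e["result"] == "SUCCESS"]
    if len(pts) < 2:
        return None
    (t0, b0), (t1, b1) = pts[0], pts[-1]
    if t1 <= t0 or b1 <= b0:
        return None
    rate = (b1 - b0) / (t1 - t0)
    return {"done": b1 / total, "bytes_per_s": rate, "eta_s": (total - b1) / rate}


def status(events, src=SRC, dst=DST, total=SIZE):
    """Which pass the tool is in. Each END OF FILE ends one pass over a file; in
    upcopy's order pass 0 is the copy, 1 the source hash, 2 the destination hash."""
    ends = [i for i, e in enumerate(events) if e["result"] == "END OF FILE"]
    seg = events[ends[-1] + 1:] if ends else events
    if not seg:
        phase, path = "between passes", None
    elif any(e["op"] == "WriteFile" and e["path"] == dst for e in seg):
        phase, path = "copying", dst
    elif any(e["path"] == src for e in seg):
        phase, path = "hashing source", src
    elif any(e["path"] == dst for e in seg):
        phase, path = "hashing destination", dst
    else:
        phase, path = "unknown", None
    return {"passes_done": len(ends), "phase": phase,
            "progress": eta(seg, path, total) if path else None}


if __name__ == "__main__":
    ev = parse_events(PROCMON_CSV)
    print(status(ev[:6]))   # still copying
    print(status(ev))       # hashing the source
```

The rate is taken from the first and last sample in the current pass, so export after the pass has been running a few minutes, and expect the destination hash to run at network speed rather than disk speed when the destination is the NAS.<br />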
<br />
Happy forensicating!Little Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com2tag:blogger.com,1999:blog-5905877434106273050.post-75215577135924017322011-09-03T16:00:00.000-05:002011-09-03T16:00:21.982-05:00Would You Bet Your Life On It? Or Your Company?It has been said that Information Security is Risk Management, and I agree with that. For any given situation, you have to identify vulnerabilities, threats (ie, "risk"), determine ways to mitigate these, and assign some value to that final level of risk. If that value is gauged to be acceptable to the organization (even if it's your family) then you move forward. But this isn't (or shouldn't be) limited just to Information Security groups - as I mentioned above, the same principle applies at home, on the road, and should also be in the minds of those not actively engaged in InfoSec positions. We live in a time and place in which threats abound, and Information Security is also not about saying "No" to everything; it's about figuring out how to say "Yes" where it's appropriate, and figuring out ways to reduce the risk (this also applies at home, on the road, with our kids, etc).<br />
<br />
To keep this from being a totally pensive piece, I'm going to bring it back into the context of the work we do daily. As many of you are aware, a few months ago I experienced an abrupt change in job status, while working in digital forensics consulting. I'm still in a bit of a limbo situation (no, not dancing), but am working a contract gig doing information security. While there are business types that are defined as more at risk of cyber attacks due to industry, I think it should be obvious to everyone by this point that we're ALL under attack. I hear people say things like, "Well, we've never been breached, why do you think it would happen to us?" To that I respond, "You've never been breached? How do you know? Can you prove it?" I personally refer back to <a href="http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat">Dmitri Alperovitch's</a> statement when talking about Shady Rat that in general he divides companies up as those that know they've been breached, and those that don't yet know.<br />
<br />
So what's my point? Well, I'm getting there, albeit a little slowly. My point is that I think people today should have a general awareness of security risks, and that this should occur organically (i.e., without having to be told). Even granting that mainstream media doesn't talk about APT, and only mentions the smallest percentage of places that are breached and lose control of their data, the info that <b>does</b> get out there should be sufficient. And yet, time and again, people <a href="http://www.nbcdfw.com/news/local/Woman-Fake-iPad-Seller-Ran-Me-Over-128844008.html">buy cardboard iPads and MacBooks</a> from criminals in gas station parking lots, fall prey to <a href="http://www.fbi.gov/scams-safety/fraud">Nigerian email scams</a>, and even follow <a href="http://garwarner.blogspot.com/2011/08/fake-irs-emails-continue-to-spread-gov.html">fake IRS emails</a> that install malware. But, even if common folk aren't hip to the threat, those in the IT industry will be, right? After all, they've all had to clean up after someone, and they follow "geek" news, not just mainstream, so they at least will get the fact that there are very real threats out there. Sadly, no.<br />
<br />
I was at a presentation recently where a guy who's been working in InfoSec for 20 years told a story about his wife opening one of those IRS emails and following the link. She even put in her social security number when prompted. Then she complained of her computer acting strangely, and told him what happened. He "cleaned" the system by running a scan with an off-the-shelf antivirus/antimalware product, and went on, embarrassed that his wife had fallen prey to a scam. His opinion was that the situation was remediated. Really? You ran an AV scan and that's it? Did you analyze RAM, check network traffic, credit report activity, or do any investigation at all? Nope, just ran an AV scan and called it a day. Wow.<br />
<br />
And recently at work, an internal server that allows certain users to perform certain tasks returned odd results for one user. It was on a Monday morning, and the results for that one user all appeared to be in Chinese. Do what? Yep, and just for that one user. We approached the admin about the situation, and as it turns out, on Thursday afternoon of the prior week the admin for that server had installed some new patch rollups. Patch rollups, not fruit rollups. He felt it was probably related to the patches, as opposed to a compromise. Ok, sounds reasonable, but we still needed to play it safe. We pulled volatile data from the machine and started going through that while the admin investigated the patch scenario. We were quickly informed that the patches were to blame; the admin uninstalled and reinstalled them (along with a few more), and said everything was good to go (yes, I realize evidence could've just been stomped on). And indeed, it appeared to be fine, and the explanation made sense. But we asked some followup questions nonetheless, and were greeted with the following response (not an exact quote): "I understand you think you're doing your job, but it was the patches, and it's been fixed. I have a lot of things to do, and don't have time to continue wasting on something that's been resolved." Wow, really? Our boss got involved, and there were some additional conversations...<br />
<br />
My question when we received that response was, "Sure, it looks like that's what happened, but can you prove it 100%? Would you bet your life on it? Would you bet the company on it?" Because in essence that's what you're doing by turning and walking the other way, and if you're not willing to bet it all, it's probably the wrong answer. No root cause analysis; with all the companies falling victim to basic compromises and allowed to bleed data for who knows how long, you're willing, as an intelligent IT admin, to say that a system which was serving up Chinese characters is good to go because of a patch? That seems like a bit of a blind risk. It would have taken so little time to go through our followup questions and answer them, and that would have shed great light on the situation and given us all more peace of mind. I guess I shouldn't be surprised, though. And even if I become so jaded that I'm no longer surprised, I think I still get to be disappointed. ;)<br />
<br />
Do I have a solution? I wish I did, but I don't. I understand that education is paramount, but I think it takes more than that. I think it takes an awareness and understanding that there is a clear and present <s>danger</s> (er, threat), and a desire to be part of the solution, rather than part of the problem. And that's what I think is lacking - the desire. The IT guy should already have the knowledge, and the InfoSec guy should have the knowledge. And those are just two examples; I could also talk about the IR guy who has no problem - doesn't even give it a second thought - connecting his laptop up to public wireless. Do we just get complacent and lazy as humans? Or is it that some of us aren't driven and determined to make a difference, and are just trying to get by until it's time to go? <br />
<br />
Well, I think that's about all I have. I do want to take a moment to say that there are a lot of folks out there who are driven and determined to make a difference. Just take a look at the blogs I read, for a very small selection. I don't really do the #FF thing on twitter, but I'll give a shout out to <a href="http://blog.zeltser.com/">Lenny Zeltser</a> as I find his blog extremely practical and helpful. I don't think a post goes by that I don't get something very useful out of it. Thanks for sharing!<br />
<br />
For those in the US, have a wonderful Labor Day weekend! For everyone else, get back to work! :) And since our attackers don't honor holiday weekends, be alert; we obviously need more good lerts! :DLittle Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com0tag:blogger.com,1999:blog-5905877434106273050.post-51918334028326714502011-08-13T21:18:00.000-05:002011-08-13T21:18:00.892-05:00Is Scottish Fiddle like Digital Forensics?A while back on a job interview, I was asked what I enjoy/how I spend my time besides digital forensics. I of course explained that I play Scottish fiddle and go mountain biking. The guy interviewing me commented that a lot of people in DFIR play music. Now, I'd not heard that before, and I have kind of wondered if it's really that prevalent, and why it might be. Is there something about DF that attracts musicians, or vice versa? And what about Hal Pomeranz's predilection for dancing? ;) Then recently I thought of a different question - is there a similarity between Scottish fiddle (since that's my music) and digital forensics?<br />
<br />
First a little background. I hate to break it to anyone who might think there's a trend, but I'm not a musician, or at least not what I would call one. Other than a little bit of exposure to playing piano as a young child, and playing the recorder in elementary school, I've never played any musical instrument. I certainly wouldn't call either of those experiences the makings of a musician, that's for sure! I wasn't even in band in school; I had some friends there, if that counts for anything, but I got my geek card from the fact that I had a computer. Yep, a Commodore Vic20, and all mine. ;)<br />
<br />
I grew up listening to bagpipe music, and really enjoyed it. I thought it would be neat to learn how to play, but knew that pipes are expensive, and extremely difficult to play. As an adult listening to more traditional music, I realized that fiddle also played a prominent role, and in some cases sounded a lot like the pipes. A friend encouraged me to try to learn, as it seemed a less daunting task. What I came to find out is that no decent instrument is inexpensive, and the fiddle is also a very challenging instrument; it is generally considered to take years to learn to play well.<br />
<br />
I'm going to take a little side trip here, and refer everyone over to Chris Pogue's blog post, <a href="http://thedigitalstandard.blogspot.com/2011/07/how-do-i-get-there-from-here.html">How Do I Get There From Here.</a> I enjoy Chris's blog, and really enjoyed his Sniper Forensics talk at the SANS Summit this year. Something he wrote in this one really resonated, and I thought about it a lot with the question already at hand. He wrote about needing to "get" forensics in order to excel at this work, and about having the drive to succeed. He said the following in regard to his experience breaking in to the field: "I had all of the required skills (networking, Linux, Windows), no different than any of the other applicants. But, what I had that they did not was raw desire. I wanted this job more than anything. I read anything I could get my hands on that dealt with the subject, spent my own money setting up a makeshift lab to play with tools, and perform experiments." He ended up getting the job because of these characteristics.<br />
<br />
I can draw some lines between playing a musical instrument and digital forensics. You have to take care of your instrument, keep it clean, in good shape/working order, and so on - that's akin to updating your systems, firmware, laying down new baseline images, configuring software, etc. A good musician also stays in practice, playing every day. They learn new songs, new techniques, and explore their music. Concert musicians certainly warm up (not just musically, but physically as well) before a big performance. So too, we forensicators need to stay in practice, learn new things, and focus our minds (our warmup) before (and during) an investigation. The quality of your instrument (equipment) matters, but a good musician can play a cheap instrument and make it sing. The real power does not rest in the tools you use, but in the skill with which you use whatever instrument you have - starting with your mind. At the core I think they're both a Discipline, and they're both Fun. D+F. DF. Get it? Okay, okay, so I'm a geek. :D<br />
<br />
Now to take it a little further and get more specific. Scottish fiddle is not like classical violin. The instruments are the same (yes, a violin and a fiddle are the same thing), but it's the language of playing that's different. Language? Yes, absolutely. Every style of fiddle music - Bluegrass, Old Time, Cajun, Appalachian, Irish, Scottish, Galician - has its own figures of speech, idioms, and nuances of bowing patterns, fingerings, as well as rhythms and tempos. Most of it relates to a dance (Hal, that's your cue). And it is a challenging instrument. It's what's known as a "vocal" instrument because it follows the human vocal range, and there are no frets or keys to guide the player to stay in tune. The player has to be able to hear very closely the changes in pitch, feel the movement of the song and subtle intonations of the music. To do this well, I posit that you have to <b>live</b> it, <b>breathe</b> it, <b>sleep</b> it. If you don't "get" the music, you won't be able to play it well. You'll just be playing the notes; you might be in tune, you might be on time, and you might even have some feeling in it. But you won't really be playing Scottish fiddle, because you don't really understand the language (things like burl, Scots snap, back-bowing). Ever heard a Texan who learned Spanish in high school try to talk? Ay, caramba. Que lastima, pobrecito. Yeah, it's usually pretty bad.<br />
<br />
At age 28 with no prior musical background, I took up the task of learning to play Scottish fiddle. I found a guy who enjoyed (generically) Celtic fiddle, and understood the language enough to point me in the right direction while teaching me the foundations of it. I learned what I needed in order to be able to teach myself more. I took lessons for about a year and practiced an average of 6 hours per day for more than a year. I listened to Scottish music all the time until it oozed out of my pores. I started out with a cheap Chinese instrument that wouldn't stay in tune, eventually working up to a decent German one. By the way, I took after mountain biking the same way (on my department store 50-lb bike, again working up to a 26-lb aluminum hardtail), never letting any trail or obstacle daunt me. Before long I was leaving chain-ring scars on 10" logs, doing downhill nose-wheelies around hairpin turns, and climbing root-covered switchbacks without dabbing. And yes a bunch of times I wiped out hard, broke my bike, and limped home battered, bloody, and bruised. But satisfied, and happy. When you really want something, and you work hard to achieve a goal, it truly feels wonderful. It's not the tool that makes this possible, it's you.<br />
<br />
So what does this mean to forensics? Well, I think it takes a whole lot of determination, guts, and sticktoitiveness (probably not a real word, but you get the point). Like Chris said, you've got to really want it, and make it your life. After some years in IT taking care of small networks and their systems (and users), I really didn't want that any more. In dealing with malware, I'd learned about the registry, prefetch, MRUs, pagefile, hiberfil, RAM, and artifacts like ntuser.dat and user assist keys. I'd worked on hardening systems as a part of protecting the network, performed rudimentary pentesting and security auditing, trying to make sure I'd done my job. I got irritated with XP's shenanigans when it decided I'd changed too much hardware and could no longer be allowed to log on to my machine (even in Safe Mode), so in addition to reinstalling fresh I started dual-booting into Linux. Ha, take that, Windows! That stuff was the fun part, not the rest of the day to day grind. Then I found forensics, and that really piqued my interest! I was graced with the opportunity to come on as a contractor with a forensics consulting firm to help on the back-end with a large security gig. Like Chris, I devoted myself to learning everything I could about digital forensics. I couldn't afford the good books, so I had to roll drunks at forensic conferences and get their swag (signed books, course material, etc). Just kidding! Really, I went through used bookstores regularly, constantly checking for anything vaguely relevant. I asked questions, practiced, tested, applied whatever knowledge or new technique I found, and just soaked it in. After I was hired on as a permanent employee, I didn't stop, but kept living, learning, and doing more. I've been able to attend some great training, gain a few certifications, and even buy some brand-new books. Side note - if you want to try to roll folks at a forensics conference to get their swag, beware. There's something called the #___smash (name redacted to protect the innocent)! You've been warned.<br />
<br />
I've met a lot of really good IT folks, who express an interest in DF, but not enough to go after it. Not to mention when you say something about the registry, they respond with things like, "Sure, but what good is that really going to do?" or just look at you blankly. It takes more than just being "good with computers" to do well in this field. I've used myself as an example because that's the only one I have at hand, but don't think for a second that I'm saying I've "arrived." Not a chance. For everything I've learned, all I know is that I only know enough to know that I don't know the full extent of what I don't know. I consider myself blessed to have "found" digital forensics, to have had people who were willing to take a chance on me, and that we have such a wonderful community of folks who share their knowledge freely; people who break new ground daily and give back every chance they get. Folks everyone knows, like Rob Lee, Harlan Carvey and Chris Pogue. Others such as Kristin Gudjonnson (What, not mention the creator of <a href="http://log2timeline.net">log2timeline</a>? I might lose my fanboy status!), <a href="http://digiforensics.blogspot.com/">Ken Pryor</a>, and <a href="http://www.wegcomputerforensics.com/">Jimmy Weg</a>. These are just a few of the many wonderful people that make up our great community. Kudos to you all!<br />
<br />
So how is SF like DF? They are both challenging and difficult to learn. Learning and excelling at these crafts takes a lot of determination, drive, patience, and understanding (not necessarily book-learning, but a gut-level perspective). Like Chris pointed out, you have to really want it - I really think this is key. You can never stop practicing and learning (and you'll probably never want to). If you do you'll lose your edge. Finally, they're both incredibly rewarding on a personal level. Nothing like it in the world! There is still the larger question about whether there's some connection between musicians and forensicators. I'm interested to hear others' thoughts on the matter.<br />
<br />
I think that's about it. Thanks for reading, and happy forensicating!Little Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com2tag:blogger.com,1999:blog-5905877434106273050.post-3306140012532388102011-07-10T12:29:00.000-05:002011-07-10T12:29:12.798-05:00Encrypted Container File Recovery<b>Scenario:</b><br />
During a technical interview, I was told definitively, categorically, unequivocally that it was impossible to recover deleted files from within an encrypted container, even if you possess the key. Windows was the OS of choice, and he insisted that he knew from personal experience as they use encrypted containers. He stated that all the file data would be garbled due to the encryption, so it didn't matter if you recovered it or not; the content would not be readable. File wiping was not part of the equation (I asked). This did not sit quite right with me, but I was in the middle of an interview and did not already know the answer, as I had not ever encountered that type of situation. I expressed surprise that that would be the case, but left it at that. <br />
<br />
<b>My thoughts:</b><br />
Pondering it over on the way home, more and more it just didn't make sense to me. The files themselves are not individually encrypted; the container is. To access the files the container has to be mounted, and once mounted the OS sees an ordinary plaintext volume. A delete happens on that plaintext volume, so the deleted file should still exist there, in readable form, until it is overwritten; encryption only comes into play when those sectors are written back to the host disk. If the container itself is deleted, that's a different matter (although recovering the container file is feasible), and reading the host disk without the key yields nothing but ciphertext. All you should have to do is mount the encrypted container, and search within it for the file, which would still exist until overwritten. <br />
<br />
I determined to test my theory as soon as possible. Of course, that took a little longer than I initially wanted, as I was “side-tracked” by continuing Dropbox research. However, I outlined a plan, and recently sat down to work through it. Initially, I thought of looking to the host file system, as the OS would provide access to the files through the encrypted container. As I continued the thought process and began testing, I realized this would not be exactly true. <br />
<br />
The host OS's file system (i.e., its MFT) would not reference these files, as they only exist inside the container. The container has its own file system (and its own MFT), which is where the files' metadata lives (and possibly the files themselves, if they are small enough to be resident). Then of course there's unallocated space inside the container. The host OS could potentially have residue in places like the pagefile or memory, but that should be it.<br />
<br />
Now, I don't know what type of encryption they use, but I'm thinking in the end, an encrypted container is going to work the same, regardless of flavor. If I'm wrong, well, then the following is true at least for <a href="http://www.truecrypt.org/">Truecrypt 7.0a</a>. I approached this research from the standpoint that the files would have been created directly in the container, rather than on the host file system and subsequently moved into the container. Had it been the other way around, there could be artifacts or residue left on the host. I also assumed a fixed container size; with dynamic, the process might end up being a bit more complex. <br />
<br />
<b>The process:</b><br />
The basic idea I had was to create some files inside an encrypted container. Confirm methodically that they existed there, and confirm they weren't on the host file system. Then remove/delete them from the container, try to identify their remains, and attempt recovery. So here's the basic outline of my steps and actions; I've tried to retain some order to it and hope it makes sense:<br />
<br />
1. Create a 500MB TrueCrypt container. <br />
<br />
As a side note, I did this inside Dropbox and had no difficulty; some people have had trouble, and I think it might be related to creating a dynamic container, rather than fixed-size. <br />
<br />
2. Create four (4) text files inside the container, filling with specific text from Altheide & Carvey's excellent <a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867">Digital Forensics With Open Source Tools</a>, since I had just read that.<br />
<br />
3. Confirm files' association to host file system<br />
a. Without mounting the container, extracted host system MFT using <a href="http://accessdata.com/">FTK Imager</a>, mounted with <a href="http://www.sandersonforensics.com/content.asp?page=4">Sanderson Forensics MFTView</a>, exported to XLS & TXT, and searched for filenames. None present, as anticipated.<br />
b. With container mounted, extracted host system MFT, mounted, exported and searched. Still nothing.<br />
<br />
4. Confirm files' association to container file system<br />
a. With container mounted, extracted logical drive's MFT (ie, for the container), exported, and searched. Files were identified, as anticipated. <br />
b. As these files were small enough to be resident in the MFT, all content is visible.<br />
<br />
5. Move all 4 files out to a new location outside of the container (not securely). Obviously, the container is mounted.<br />
a. Extract logical drive's MFT, mount with MFTView, locate resident files. <br />
b. Viewing the hex/text of the entry in MFTView, was able to recover all 4 files to matching hash value. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5h-aIhGU8iDcsAFZ5MePOjvYCUOXiWwZD9AqWAhJvppFvXQ-bWesQBV7waqgxvR0y4uBZedXEYw-rvoLETJ5MzcIdeUZwgeETWBpt6pTyWxzdhcn-sZLiV8HCX6Cj-tZRXp2gZYIfVLS/s1600/recovered_hash.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="270" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5h-aIhGU8iDcsAFZ5MePOjvYCUOXiWwZD9AqWAhJvppFvXQ-bWesQBV7waqgxvR0y4uBZedXEYw-rvoLETJ5MzcIdeUZwgeETWBpt6pTyWxzdhcn-sZLiV8HCX6Cj-tZRXp2gZYIfVLS/s320/recovered_hash.png" /></a></div><br />
6. What about larger files not contained in the MFT?<br />
a. Copy entries.log file (4.23KB) - a Dropbox artifact – into container. <br />
b. MFT contains entry but no contents for non-resident file.<br />
<br />
7. Delete files (no wiping) from within mounted container and attempt recovery.<br />
a. Mount logical file system in FTKi. <br />
b. INFO2 file contains list of files. <br />
c. Export "Dt1" etc files w/FTKi, hashes match original. <br />
d. Exported MFT and mount in MFTView. Files are resident at “root” of MFT and in Recycler; fully recoverable from both locations.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKV98Fu-pYHopuaqJJjJduAdPvr7jB3LAbmLljm6LTOZIn9K_1cpaACJmn89NAJFEb3hQhjL-InDxNyemQIsvcOfY-i6OvtWekBM8uTcbbmLZAg1qCboO-YudRA9K0stV9KUGrH7anH-sg/s1600/recycler_hash.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="320" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKV98Fu-pYHopuaqJJjJduAdPvr7jB3LAbmLljm6LTOZIn9K_1cpaACJmn89NAJFEb3hQhjL-InDxNyemQIsvcOfY-i6OvtWekBM8uTcbbmLZAg1qCboO-YudRA9K0stV9KUGrH7anH-sg/s320/recycler_hash.png" /></a></div><br />
As a side note, sometimes MFTView seemed to have difficulty displaying the file contents correctly, and thus the extraction of that data to recover the file would result in a hash not matching. This did not occur all the time, and was observed to happen whether the file was live or deleted. Obviously, the file contents weren't actually stored that way, so it was some programmatic issue. I don't know whether MFTView is a current application or not, as I don't see it listed on the website any longer. I have not (yet) contacted Sanderson Forensics about it, as I don't think it matters for the purpose of this research. An example is below (first with issue, then normal):<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaEBhT8fco2MwjhyphenhyphenzfoK3XGhRQbiR7tPV_3lVFw_rp_Y4uUeMMnDJnWQ75Kh8G6rmrbPxE-a9zU0kI5DlAkwES3kwyIbqP2r2jYNZZXjK3MYZLAi7159D91sT-cDV5tm9ClIcKwzogsKk/s1600/format1.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="36" width="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaEBhT8fco2MwjhyphenhyphenzfoK3XGhRQbiR7tPV_3lVFw_rp_Y4uUeMMnDJnWQ75Kh8G6rmrbPxE-a9zU0kI5DlAkwES3kwyIbqP2r2jYNZZXjK3MYZLAi7159D91sT-cDV5tm9ClIcKwzogsKk/s320/format1.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpsmdX1L8gsUYcM4BujE3GEIrrvjPGIWjA9em-KDMSR8iL8uZxCQcoHMpZJCIqqkhwLqjo9JpRQMZRn8J3PpCdgpVZs5vM04Njxe9vzqbzrAXFVur9TT6x0lMl2Tjg-LawNvGdfyrlW10/s1600/format2.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="34" width="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpsmdX1L8gsUYcM4BujE3GEIrrvjPGIWjA9em-KDMSR8iL8uZxCQcoHMpZJCIqqkhwLqjo9JpRQMZRn8J3PpCdgpVZs5vM04Njxe9vzqbzrAXFVur9TT6x0lMl2Tjg-LawNvGdfyrlW10/s320/format2.png" /></a></div><br />
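Rather than depend on a viewer's rendering of the record, the same thing steps 4 through 7 did by hand can be done directly against the exported $MFT. The following Python is an added example, not part of the original post and not code from MFTView, FTK Imager or any other tool named here: it undoes the update-sequence fixups, reads the $FILE_NAME and unnamed $DATA attributes of each 1 KiB record, flags records whose in-use bit is clear, and returns resident content for deleted files. So that it runs offline, the three records at the bottom are constructed by a small builder; the file names, their contents and the 4331-byte size of the non-resident "entries.log" are made up, and the builder assumes 4 KiB clusters.

```python
"""Walk an exported NTFS $MFT: undo fixups, read $FILE_NAME and the unnamed
$DATA attribute, flag deleted records, hand back resident content.
Added example; records at the bottom are constructed, not read from a volume."""
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE = 0x01

def _apply_fixups(rec: bytes) -> bytes:
    """Put back the two bytes per sector that the update sequence number displaced."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if out[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn record or not an MFT record")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(rec: bytes):
    """Return {name, in_use, resident, size, data}, or None if not a record."""
    if rec[:4] != b"FILE":
        return None
    rec = _apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    e = {"name": None, "in_use": bool(flags & FLAG_IN_USE),
         "resident": None, "size": None, "data": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            e["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and name_len == 0:   # unnamed $DATA = main stream
            if non_resident:                         # content is out in clusters
                e["resident"], e["size"] = False, struct.unpack_from("<Q", rec, off + 0x30)[0]
            else:                                    # content sits in the record itself
                clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                e["resident"], e["size"] = True, clen
                e["data"] = rec[off + coff:off + coff + clen]
        off += alen
    return e

def walk_mft(mft: bytes):
    """Yield one dict per 1 KiB record, with its record number."""
    for n in range(len(mft) // RECORD_SIZE):
        e = parse_record(mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if e is not None:
            e["record"] = n
            yield e

def recover_deleted_resident(mft: bytes) -> dict:
    """name -> content for records whose in-use bit is clear but whose resident
    $DATA has not been overwritten: the situation steps 5 and 7 observe."""
    return {e["name"]: e["data"] for e in walk_mft(mft)
            if not e["in_use"] and e["resident"] and e["data"] is not None}

# --- constructed records so the walker runs offline; this builder is not NTFS code ---
def _resident_attr(atype: int, content: bytes) -> bytes:
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0)
    return hdr + content + bytes(total - 0x18 - len(content))

def _nonresident_data_attr(real_size: int) -> bytes:
    alloc = (real_size + 4095) & ~4095                # 4 KiB clusters assumed
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 0x48, 1, 0, 0x40, 0, 0,
                      0, alloc // 4096 - 1, 0x40, 0, 0, alloc, real_size, real_size)
    return hdr + bytes(8)                             # empty data-run list

def build_record(name: str, data, in_use: bool, nonres_size: int = 0) -> bytes:
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 1                 # name length, Win32 namespace
    attrs = _resident_attr(ATTR_FILE_NAME, bytes(fn))
    attrs += (_resident_attr(ATTR_DATA, data) if data is not None
              else _nonresident_data_attr(nonres_size))
    attrs += b"\xff\xff\xff\xff" + bytes(4)           # end-of-attributes marker
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", usa_off, usa_count, 0, 1, 1,
                     first_attr, FLAG_IN_USE if in_use else 0,
                     first_attr + len(attrs), RECORD_SIZE)
    rec[first_attr:first_attr + len(attrs)] = attrs
    rec[usa_off:usa_off + 2] = b"\x01\x00"            # USN, then apply the fixups
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

LIVE_TXT = b"Altheide & Carvey, chapter 1 excerpt (constructed sample)\n"
DELETED_TXT = b"deleted from the mounted container, never overwritten (constructed)\n"
SAMPLE_MFT = (build_record("live.txt", LIVE_TXT, in_use=True) +
              build_record("deleted.txt", DELETED_TXT, in_use=False) +
              build_record("entries.log", None, in_use=False, nonres_size=4331))
```

Feed walk_mft the bytes of a $MFT exported from the mounted container (the logical drive, not the host). Records that come back with resident False are the entries.log case: the MFT only knows the size, and the content has to come from the container's clusters, which is where steps 9 through 11 go looking.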
Now back to the process...<br />
<br />
8. Search host filesystem for files (pagefile, RAM)<br />
a. Copied files back into container, reboot (this flushes my pagefile), open each file<br />
b. Used FTKi, exported host system pagefile.sys and RAM<br />
c. Ran <a href="http://technet.microsoft.com/en-us/sysinternals/bb545021">Sysinternals strings</a> (5-character minimum) and output to text files. <br />
d. Loaded & searched in notepad++. Found all 4 test files' contents, plus large portions of entries.log.<br />
<br />
Cut away from the outline for a moment. I re-deleted the files, imaged the logical FS and mounted in <a href="http://www.techpathways.com/DesktopDefault.aspx">ProDiscover Basic</a> to search for the files. Found them as they existed in Recycler, to be expected. I purged Recycler by drilling down, selecting all files and deleting again. Keyword searches in Unallocated space weren't turning up the files, and it finally dawned on me that it was because the files were resident in the MFT, so as long as the entries existed there, they wouldn't show up in Unallocated. I needed larger files across the board. So I copied back in the entries.log file, along with a DOC, XLS, and PDF. Deleted (the PDF was too large and was “permanently deleted”) and re-imaged.<br />
<br />
9. Load image, search for files (using ProDiscover)<br />
a. Content search: DOC, XLS, and TXT were in Recycler. PDF was in "Deleted" (too big for Recycler). INFO2 listed filenames. The .~Lock file for the DOC was also in Deleted. <br />
b. Cluster search: Two hits on "SIFT" that appear to be related to a PDF file, and contain the filename.<br />
<br />
10. Dig a little further (using ProDiscover)<br />
a. Emptied Recycler (drilled down, selected all files and rt-click delete)<br />
b. Re-imaged w/FTKi, reloaded, and Content search. All files found in "Deleted."<br />
c. Searched Clusters, same PDF hit, found TXT file, possibly DOC/XLS (since binary).<br />
<br />
11. Final push<br />
a. Carved image with <a href="http://www.cgsecurity.org/">photorec</a>, using default settings. <br />
b. 4 files were recovered: the PDF, TXT, DOC, and XLS. All except the text file hash-match the originals. The TXT file came back at roughly half its size, which is the expected limit of carving: a carver bounds a file by header and footer signatures, and plain text has neither, so getting any of it back this way is pretty incredible anyway.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuw6ofFTiQS5Bu1P2qL-v19iRYdX7XqQKstJBIcjIAy0zT19VIpujEL_L44adVmtVHHGIHmDrAJ5qa8ND17qQvONGEJGgN6mGzIdbht3RANzGNBr2mgnorVzvb48VrESp3Am0nNBnMhECO/s1600/carved_hash.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="182" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuw6ofFTiQS5Bu1P2qL-v19iRYdX7XqQKstJBIcjIAy0zT19VIpujEL_L44adVmtVHHGIHmDrAJ5qa8ND17qQvONGEJGgN6mGzIdbht3RANzGNBr2mgnorVzvb48VrESp3Am0nNBnMhECO/s320/carved_hash.png" /></a></div><br />
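Step 11 is signature carving, and the screenshot's hash comparison is how the result was judged. As an added illustration (not the post's own process and not photorec's code), here is the core of that technique over a constructed "unallocated space" buffer, together with the keyword search used in steps 9b and 10c and the hash check. The PDF, the text fragment, the filler and the file name "report.pdf" are all made up; the point it demonstrates is why a PDF carves back to a matching hash while plain text, which has no header or footer, can only be found by keyword.

```python
"""Signature carving over raw unallocated space, with the hash check that tells
a full recovery from a fragment. Added example; the buffer below is constructed."""
import hashlib
import re

# header, footer, and how far past a header to look for its footer. Formats with
# no fixed header (plain text) cannot be carved this way, only found by keyword.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 10 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
}

def carve(buf: bytes, kind: str) -> list:
    """Every header..footer span of one type, scanned left to right."""
    header, footer, limit = SIGNATURES[kind]
    found, pos = [], 0
    while (start := buf.find(header, pos)) >= 0:
        end = buf.find(footer, start + len(header), start + limit)
        if end < 0:                         # orphan header: step past it
            pos = start + len(header)
            continue
        end += len(footer)
        found.append(buf[start:end])
        pos = end
    return found

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def carve_and_verify(buf: bytes, kind: str, known: dict) -> dict:
    """digest -> original file name for each carved object, None if nothing in
    the known set matches (a partial or altered carve, like the TXT in step 11)."""
    return {sha1(obj): known.get(sha1(obj)) for obj in carve(buf, kind)}

def keyword_hits(buf: bytes, keyword: bytes) -> list:
    """Offsets of a keyword: the cluster-search fallback for signature-less data."""
    return [m.start() for m in re.finditer(re.escape(keyword), buf)]

# constructed 'original' file, deleted text, and an unallocated-space buffer
ORIGINAL_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF")
DELETED_TXT = b"SIFT Workstation notes, chapter 1 excerpt (constructed)\n"
UNALLOCATED = (bytes(4096) + DELETED_TXT + bytes(500) + ORIGINAL_PDF +
               bytes(3000) + b"%PDF-1.7\n" + bytes(1024))   # trailing orphan header
KNOWN = {sha1(ORIGINAL_PDF): "report.pdf"}
```

The orphan header at the end of the buffer is the everyday failure mode: a header whose footer was overwritten, or that belongs to a file that never had one. A real run would stream a container image in chunks rather than hold it in memory, and, as the half-size TXT showed, anything without a signature has to be pulled by keyword and bounded by hand.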
<b>Summary:</b><br />
This was a fun little exercise, and I think I can categorically, definitively, unequivocally state that it absolutely is possible to recover deleted files from within an encrypted container when you have the key to the container. Obviously, there are variables. Everything here was done through the mounted volume; the same sectors read from the host disk outside that view are ciphertext, so without the key none of this applies. If the container size is dynamic, for instance, this could impact things, but I think the odds are still fairly good, and the process is essentially the same. The amount of time that has passed, as with any investigation, is important, but with close proximity it may even be possible to find the files' content (if previously viewed) in the pagefile or RAM.<br />
<br />
But the core is that it is possible to recover. Knowing the content and the filenames, I was able to easily recover deleted and purged (but not wiped) files from within an encrypted container. I was also able to carve the files without any use of filenames, contents, or type by an automated process. The process could be done more manually by using Sleuthkit or other utilities. Anyway, it can be done, and that's that.Little Machttp://www.blogger.com/profile/16829704053692764714noreply@blogger.com0tag:blogger.com,1999:blog-5905877434106273050.post-4355358584012550432011-07-06T19:36:00.002-05:002011-07-07T14:14:51.830-05:00Dropbox Forensics Follow-UpSeveral months ago I started on a quest to research locally-created artifacts related to the use of Dropbox on Windows systems. This took several months of work as time allowed, in order to complete the outline I was following. This culminated in a blog post on <a href="http://computer-forensics.sans.org/blog/2011/06/17/digital-forensics-rain-drop-keeps-falling-on-my-box">SANS</a>, a more complete article hosted on <a href="http://www.forensicfocus.com/dropbox-forensics">Forensic Focus</a>, and a summary of artifacts on <a href="http://forensicartifacts.com/2011/07/dropbox-config-files-windows/">Forensic Artifacts</a>. However, that's not all I have to offer on the subject. Yes, folks, for a limited time only, when you buy all three you get a fourth for free! That's a $19.95 value, included at no extra cost! (shipping & handling not included; residents of the UK must pay VAT - I know, it sucks)<br />
<br />
At the end of the article (hosted on Forensic Focus), I wrapped up with some outstanding items, or possible other things to research. I have spent some more time going over some (only some, not all) of those; this follow-up post will cover my additional research:<br />
1. Does unlinking (local or web) change the registry? <br />
2. What impact does uninstallation have on the registry?<br />
3. What are the various “hash” values; what do they signify?<br />
4. Do the IP addresses vary with geographic area?<br />
5. What data is transferred across the unencrypted connection?<br />
6. Do the SQLite databases contain deleted entries, and how can those be parsed?<br />
7. Are file/system IDs or encoded info stored in the databases, 'entries.log' or elsewhere?<br />
<br />
1. Instead of doing ProcMon or RegMon by Sysinternals, I ran <a href="http://sourceforge.net/projects/regshot/">regshot 1.8.2</a> to create snapshots before & after each unlinking. Initially I kept getting BSOD'd every time it would scan the registry, but switching systems eliminated that issue. Ultimately there were no obvious registry changes related to the unlinking (local or web).<br />
<br />
2. I used regshot before & after the uninstallation as well, and quickly identified 49 deleted entries (truncated here; complete on Forensic Artifacts):<br />
<code><br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\: "{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2\: "{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath: "C:\Documents and Settings\username\Application Data\Dropbox\bin"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString: ""C:\Documents and Settings\username\Application Data\Dropbox\bin\Uninstall.exe""<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\: "DropboxExt"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\: "DropboxExt"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\: "DropboxExt"<br />
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\: "DropboxExt"<br />
</code><br />
I've x'd out some of the SIDs to (hopefully) make it easier to focus, and because I didn't want to post the full SIDs on the internet. I left the first segment for some of the SIDs since that part makes a noticeable, incremental change.<br />
<br />
3. There is actually a correlation between "hash" values in the various config files. It should be noted that Dropbox hashes the files in 4MB chunks, and stores the hashes the same way (base64 encoded). Thus, there may be multiple hash values for a single file (but only when it's larger than 4MB). Here's where I've followed the trail of hash:<br />
filecache.db block hash field<br />
entries.log 5th section is hash <br />
sigstore.db stores hash (and size in bytes)<br />
<br />
4. I know that some application updates will reach out to different servers based on geographic location, and I wondered if this was the same for Dropbox. Using NirSoft CurrPorts, it was easy to gather the active connections here in Texas. I had reason to take a trip to California, so I did the same thing there. Finally, I established a VPN connection to another country and checked the connections that way as well.<br />
<br />
There were some minor variations between the locations for IP addresses, although host names remained largely the same. The one thing that did not change in any of these was the IP and host name for the sole HTTP (unencrypted to port 80) connection.<br />
<br />
5. So then there's the question of this single unencrypted connection. I had not previously examined the content of this traffic, but I have now, using <a href="http://netwitness.com/products-services/investigator-freeware">Netwitness Investigator</a> to isolate the connection stream of interest and export it for posterity and further review.<br />
<br />
It's basically a "Hello, here I am" and "Let's keep the connection going" type of conversation. Of course, it's in clear text. My only concern is that it transmits the namespace ID (from config.db, root_ns), and possibly that of shared directories as well (there's a second entry that follows the namespace format, but I haven't been able to confirm that yet). With some of the Dropbox-related security issues that have recently come to the surface, I'm a little concerned about this data being transmitted in the clear, especially when I don't know for sure if it can be exploited (and since the IP address and host name are always the same).<br />
<br />
6. Deleted entries within the SQLite database files can indeed be recovered. I suspected as much, but I'm not a DB (or SQLite) guru. Historically I've relied on others to develop a tool I can use for this purpose, and I've stuck to my guns in this instance. CCL-Forensics has a product designed for this purpose, called <a href="http://www.ccl-forensics.com/Software/epilog-from-ccl-forensics.html">epilog</a>; while it's a commercial product, there is a 7-day trial available.<br />
<br />
I must say, it works quite nicely. I removed some files from my Dropbox folder just for this test (relocated to another directory), and then downloaded (have to register, but no sales personnel have contacted me yet), installed, and ran epilog. They have some videos on YouTube, but I found the info I needed in their Help file. There are some different methods to recover deleted entries, but I simply focused on the "Free Page Analysis" which parses the link list or freelist within the database. It very definitely did what I needed it to do.<br />
<br />
Edit: I intended to note that to export report-type info from Epilog you basically have the option of going to an XML file, which may not be directly what you need. For me, I wanted to look at the data in a spreadsheet. Most methods to convert XML to CSV revolve around going through a couple of steps (i.e., XSLT); I found <a href="http://sourceforge.net/projects/xslicer/">XSlicer</a> to be very helpful.<br />
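As an added example (not the post's code, and not epilog's implementation), the following Python does the same kind of free page analysis on a SQLite file: it reads the freelist pointer and count from the file header, walks the trunk chain, and carves printable strings from the freed pages; it builds its own constructed sample database to run against. It assumes a rollback-journal database (no WAL) with secure_delete off, so freed pages keep their old row content.<br />

```python
"""Added example (not the post's code, not epilog's implementation): walk a
SQLite file's freelist and carve printable strings from the free pages, where
rows deleted with secure_delete off linger. Assumes a rollback-journal file (no
WAL): trunk pointer at offset 32, freelist page count at offset 36, 1-based pages."""
import os
import re
import sqlite3
import struct
import tempfile

def read_header(raw):
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # 1 encodes 65536
    first_trunk, free_count = struct.unpack(">II", raw[32:40])
    return page_size, first_trunk, free_count

def get_page(raw, page_size, number):
    return raw[(number - 1) * page_size:number * page_size]

def freelist_pages(raw):
    """Follow the trunk chain; a trunk holds: next trunk, leaf count, leaves."""
    page_size, trunk, _ = read_header(raw)
    trunks, leaves = [], []
    while trunk:
        trunks.append(trunk)
        body = get_page(raw, page_size, trunk)
        next_trunk, n = struct.unpack(">II", body[:8])
        leaves.extend(struct.unpack(">%dI" % n, body[8:8 + 4 * n]))
        trunk = next_trunk
    return trunks, leaves

def carve_free_pages(raw, min_len=8):
    """Printable runs from leaf free pages (trunk pages lose their first bytes)."""
    page_size, _, _ = read_header(raw)
    return [m.decode("ascii") for n in freelist_pages(raw)[1]
            for m in re.findall(rb"[ -~]{%d,}" % min_len, get_page(raw, page_size, n))]

def demo():
    """Constructed sample: rows inserted, deleted, then carved from the freelist."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")    # keep freed pages in the file
    con.execute("PRAGMA secure_delete=OFF")   # do not zero freed pages
    con.execute("CREATE TABLE file_journal(path TEXT, blockhash TEXT)")
    con.executemany("INSERT INTO file_journal VALUES (?, ?)",
                    [("/Photos/deleted_%04d.jpg" % i, "h%04d" % i) for i in range(2000)])
    con.commit()
    con.execute("DELETE FROM file_journal")  # freed pages join the freelist
    con.commit()
    con.close()
    raw = open(path, "rb").read()
    _, _, free_count = read_header(raw)
    trunks, leaves = freelist_pages(raw)
    return {"free_count": free_count, "trunks": trunks, "leaves": leaves,
            "strings": carve_free_pages(raw)}
```

The header count covers trunk and leaf pages together, so comparing it with the walked chain is a quick sanity check that the freelist is intact before trusting the carved strings.<br />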
<br />
7. And yes, other encoded data does exist within different config files. Dropbox makes use of base64 encoding, and one of the key places is the "entries.log" file located within the ".dropbox.cache" directory inside the user's Dropbox folder. (This set of artifacts is discussed in more detail in the Forensic Focus article.) By cross-referencing with the various parsed database files, I was able to decipher the entries.log (pipe-delimited) file:<br />
1st section is filename (as it exists in .dropbox.cache directory)<br />
2nd section is root_ns/path <br />
3rd section is unix epoch timestamp<br />
4th section is size (bytes)<br />
In addition, the 2nd row of the host.db file is the user's Dropbox path.<br />
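As an added example (not code from the post or from Dropbox), the following Python computes the per-4MB block hashes described under item 3 for a recovered file and parses entries.log lines in the layout worked out under item 7, so the two can be cross-referenced. It assumes SHA-256 as the block digest (the post names only the chunk size and the base64 storage), and the namespace, epochs and names in the sample log are constructed.<br />

```python
"""Added example, not the post's own code: compute Dropbox-style 4 MB block
hashes for a recovered file and cross-reference them with records parsed from
constructed entries.log-style lines (cache name|root_ns/path|epoch|size|hash).
Assumption: the block digest is SHA-256; the post names only the 4 MB chunking
and the base64 storage."""
import base64
import hashlib
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024  # Dropbox hashes files in 4 MB chunks


def block_hashes(data, block_size=BLOCK_SIZE):
    """One base64 digest per chunk, so a file larger than block_size maps
    to several hash values and a smaller one to exactly one."""
    out = []
    for off in range(0, len(data), block_size):
        digest = hashlib.sha256(data[off:off + block_size]).digest()
        out.append(base64.b64encode(digest).decode("ascii"))
    return out


def parse_entries_log(text):
    """Decode pipe-delimited lines in the layout the post worked out."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ns_path, epoch, size, digest = line.split("|", 4)
        ns, _, path = ns_path.partition("/")
        records.append({"cache_name": name, "root_ns": ns, "path": path,
                        "mtime": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                        "size": int(size), "hash": digest.strip()})
    return records


def match_records(records, hashes):
    """Records whose stored hash equals any computed block hash."""
    wanted = set(hashes)
    return [r for r in records if r["hash"] in wanted]


def demo():
    # Constructed 5 MB file: two chunks, hence two block hashes.
    data = b"A" * BLOCK_SIZE + b"B" * (1024 * 1024)
    hashes = block_hashes(data)
    # Constructed entries.log content; namespace, epochs and names are made up.
    log = ("f0a1b2c3|1234567/Photos/big.bin|1309998000|%d|%s\n"
           "d4e5f6a7|1234567/Docs/other.txt|1309998100|11|PLACEHOLDER-HASH\n"
           % (len(data), hashes[0]))
    return hashes, match_records(parse_entries_log(log), hashes)
```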
<br />
So that pretty much wraps things up. I did not do any research into alternate file transfer methods (I think Dropship has addressed that rather well), but I did note that if you share a file (Public folder) you can get the link to that file; that link can be transferred via email, IM, etc, and the file downloaded by whomever has the link.<br />
<br />
Some other resources:<br />
I've already mentioned epilog, which I think has great potential.<br />
<br />
There's also Dropbox Reader by <a href="http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader">ATC-NY</a>; it's a set of Python scripts to parse the SQLite files (they pull from the Dropship project). In addition to something like a <a href="http://sqlitebrowser.sourceforge.net/">SQLite Browser</a>, this can be very helpful to gather and cross-reference information.<br />
<br />
Derek Newton has done some good research, hosted on his blog.<br />
<a href="http://dereknewton.com/2011/04/forensic-artifacts-dropbox/">Forensic Artifacts</a><br />
<a href="http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/">Security Issues</a><br />
<br />
Great paper on cloud security (with focus on Dropbox) by <a href="http://sba-research.org">SBA-Research</a>; the actual download is <a href="http://www.sba-research.org/wp-content/uploads/publications/dropboxUSENIX2011.pdf">here</a>.<br />
<br />
I've mentioned the Dropship project a couple times, but it has been "officially" shut down. Research determined that it was possible to "share" files without using the Public folder, thus potentially facilitating illegal file-sharing. Although Dropship is no longer developed (by the originator) other forks can be found.<br />
<br />
I think that's about it, folks. Unless something else comes up to pique my interest (I'm open to suggestions), I think I'm about done with Dropbox research for now. It's been a lot of fun going through this process, and I've learned a lot, which is also good. Hopefully this will all prove useful - to myself and others - in our forensicating efforts.<br />
<br />
<b>Forensicator: A Definition</b> (2011-06-29)<br />
Lee Whitfield recently requested definitions for "forensicator" on twitter, as he wanted to submit to Webster's dictionary. It got me to thinking about how to define the word (yes, I enjoy thinking), so here's my stab at it (in something similar to Webster's format):<br />
<br />
<b>forensicator</b><br />
fo-ren-si-ca-tor | <i>adj</i> | \fə-ˈren-zi-kā-tər\<br />
<br />
<b>Definition of FORENSICATOR</b><br />
1 :Individual who understands and enjoys the employment of advanced techniques in the investigation or analysis of artifacts contained within digital media (computers, networks, smartphones, removable/portable storage, etc)<br />
2 :Individual professionally or personally engaged to perform the actions described above<br />
3 :Compliment typically given by one such individual to another<br />
<br />
- fo-ren-si-ca-ting | <i>verb</i><br />
<br />
<b>Origin of FORENSICATOR</b><br />
Coined by BJ Lachner and popularized on the Cyberspeak podcast. <br />
Source: http://computer-forensics.sans.org/community/lethal-forensicator<br />
_________________________________________<br />
<br />
Well, that's my contribution. Just a little fun on a Wednesday morning.<br />
<br />
<b>Dropbox Forensics Article Hosted</b> (2011-06-27)<br />
I would consider the short writeup about Dropbox posted on the <a href="http://computer-forensics.sans.org/blog/2011/06/17/digital-forensics-rain-drop-keeps-falling-on-my-box">SANS Forensic blog</a> to be a great success. There was considerable feedback, as well as a number of folks commenting on twitter. I'm glad there was interest and that it was found to be useful; mission accomplished there.<br />
<br />
For anyone interested in the full article, it is now on <a href="http://www.forensicfocus.com/dropbox-forensics">Forensic Focus</a>. Many thanks to Jamie Morris for providing hosting - not just for my research, but for all the others out there as well.<br />
<br />
Hope you enjoy it, let me know what you think.<br />
<br />
<b>DFWOST Book Review</b> (2011-06-18)<br />
Okay, so I promised a book review and here it is. Don't expect more of these, please. They might happen, but that's not my focus. I'm doing this one simply because I wanted to, and I guarantee there will be no forthcoming schedule of reviews, nor of any paradigm shift in this blog.<br />
<br />
So the book is <a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867/ref=sr_1_1?ie=UTF8&s=books&qid=1308421221&sr=1-1"><i>Digital Forensics With Open Source Tools</i></a> by Cory Altheide and Harlan Carvey. I met Cory at the Summit, and he is - as they say - a pretty cool cat when it comes to forensicating. And he is the sole reason that Hal Pomeranz works with Mandiant (at least according to Rob Lee). ;)<br />
<br />
Unlike Eric Huber (see his review on Amazon), I did not receive a free copy of the book to review, nor did I win one for getting Cory a Monster drink, or get any other "gimme" version of the book. I got it the good old fashioned way - I bought it. So I'm doing my part to contribute to the financial wherewithal of the authors. :)<br />
<br />
Rob Lee made a point at Summit that the name of the FOR408 course was changed from "Computer Forensic Essentials" to "Computer Forensic Investigations - Windows In-Depth" because the former seemed to be driving folks away. They were apparently concerned that it was "basics" and thus not as valuable. Never mind that (IMO) we need to be constantly reminded of the "basics." As an example of the importance of "basics," the US Army retests soldiers every year in some core competencies including marksmanship and certain tasks that are critical to battlefield survival. Why? Because you have to be ready, you have to remember, and there's no room for error. Mistakes will still happen but the goal is to minimize those as much as humanly possible. I think forensics are very much the same. <br />
<br />
Anyway, the point of all that is that I think this book is very easily one of the "Essentials" of computer forensics. Don't get me wrong, there are a lot of other good books out there, and this is by no means a pure beginner's book. However, for someone with some basic understanding, some exposure to the field (in other words, someone who wants to be a forensicator and is doing their due diligence), this is a very good introduction to some of the deeper concepts we deal with. It's also a good refresher. I will admit, I was familiar with most of the topics in this book, but then I have Brian Carrier's masterpiece on file systems, I've been through SANS courses and so on. I will also admit that I learned new things, got some very good tips, and some great ideas from this book.<br />
<br />
Here's what I think makes this book so valuable:<br />
1. It walks you through the process of building your own investigative platform in both Windows and Linux, including which "behind the scenes" type of things you need for applications and processes to run smoothly.<br />
2. It doesn't just focus on Windows analysis. It has multiple Operating Systems, File Systems, and ways to get at the data. If you want dedicated Windows analysis, look no further than Harlan's books (well, there are other good ones there, too, so don't take it literally - but you can't go wrong with his for sure).<br />
3. It exposes you to some of the deeper concepts of these systems - inodes and journaling in EXT3, MFT and registry with NTFS, plists and user artifacts in OS X, and browser items of interest across the board.<br />
4. It demonstrates the use of some specific tools - all open source, of course - in various platforms, and explains some of the pros and cons thereof.<br />
5. [fanboy]It has a section on log2timeline. Enough said.[/fanboy] ;)<br />
<br />
The authors have carefully limited the scope, not trying to stray too far afield, not digging too deep. I think they did a great job. If you're a newcomer to forensics, it will open your eyes and make you think. It will get you started in new directions and challenge your horizons. If you're a veteran forensicator - even if you know every single thing in this book - it makes an excellent refresher, stirring you up by way of reminder, so that you can remember in greater detail the things you forget because you do them every day, as well as the things you don't.<br />
<br />
I think that about sums it up. It's a good read, and well worth it. If you're a fast reader and don't linger long on the examples I think you can wrap it up in a few short hours. If you take longer, stop to smell the roses and whatnot, it'll take a few longer hours, maybe even a couple days. I suggest you take the time, bookmark, highlight, etc to make sure you get the most out of it. Again, it's worth it.