Wednesday, June 29, 2011

Forensicator: A Definition

Lee Whitfield recently requested definitions for "forensicator" on twitter, as he wanted to submit to Webster's dictionary. It got me to thinking about how to define the word (yes, I enjoy thinking), so here's my stab at it (in something similar to Webster's format):

fo-ren-si-ca-tor | adj | \fə-ˈren-zi-kā-tər\

Definition of FORENSICATOR
1 :Individual who understands and enjoys the employment of advanced techniques in the investigation or analysis of artifacts contained within digital media (computers, networks, smartphones, removable/portable storage, etc)
2 :Individual professionally or personally engaged to perform the actions described above
3 :Compliment typically given by one such individual to another

- fo-ren-si-ca-ting | verb

Coined by BJ Lachner and popularized on the Cyberspeak podcast.

Well, that's my contribution. Just a little fun on a Wednesday morning.

Monday, June 27, 2011

Dropbox Forensics Article Hosted

I would consider the short writeup about Dropbox posted on the SANS Forensic blog to be a great success. There was considerable feedback, as well as a number of folks commenting on twitter. I'm glad there was interest and that it was found to be useful; mission accomplished there.

For anyone interested in the full article, it is now on Forensic Focus. Many thanks to Jamie Morris for providing hosting - not just for my research, but for all the others out there as well.

Hope you enjoy it, let me know what you think.

Saturday, June 18, 2011

DFWOST Book Review

Okay, so I promised a book review and here it is. Don't expect more of these, please. They might happen, but that's not my focus. I'm doing this one simply because I wanted to, and I guarantee there will be no forthcoming schedule of reviews, nor of any paradigm shift in this blog.

So the book is Digital Forensics With Open Source Tools by Cory Altheide and Harlan Carvey. I met Cory at the Summit, and he is - as they say - a pretty cool cat when it comes to forensicating. And he is the sole reason that Hal Pomeranz works with Mandiant (at least according to Rob Lee). ;)

Unlike Eric Huber (see his review on Amazon), I did not receive a free copy of the book to review, I didn't win for getting Cory a Monster drink, or any other "gimme" version of the book. I got it the good old fashioned way - I bought it. So I'm doing my part to contribute to the financial wherewithal of the authors. :)

Rob Lee made a point at Summit that the name of the FOR408 course was changed from "Computer Forensic Essentials" to "Computer Forensic Investigations - Windows In-Depth" because the former seemed to be driving folks away. They were apparently concerned that it was "basics" and thus not as valuable. Never mind that (IMO) we need to be constantly reminded of the "basics." As an example of the importance of "basics" the US Army retests soldiers every year in some core competencies including marksmanship and certain tasks that are critical to battlefield survival. Why? Because you have to be ready, you have to remember, and there's no room for error. Mistakes will still happen but the goal is to minimize those as much as humanly possible. I think forensics are very much the same.

Anyway, the point of all that is that I think this book is very easily one of the "Essentials" of computer forensics. Don't get me wrong, there are a lot of other good books out there, and this is by no means a pure beginner's book. However, for someone with some basic understanding, some exposure to the field (in other words, someone who wants to be a forensicator and is doing their due diligence), this is a very good introduction to some of the deeper concepts we deal with. It's also a good refresher. I will admit, I was familiar with most of the topics in this book, but then I have Brian Carrier's masterpiece on file systems, I've been through SANS courses and so on. I will also admit that I learned new things, got some very good tips, and some great ideas from this book.

Here's what I think makes this book so valuable:
1. It walks you through the process of building your own investigative platform in both Windows and Linux, including which "behind the scenes" type of things you need for applications and processes to run smoothly.
2. It doesn't just focus on Windows analysis. It has multiple Operating Systems, File Systems, and ways to get at the data. If you want dedicated Windows analysis, look no further than Harlan's books (well, there are other good ones there, too, so don't take it literally - but you can't go wrong with his for sure).
3. It exposes you to some of the deeper concepts of these systems - inodes and journaling in EXT3, MFT and registry with NTFS, plists and user artifacts in OS X, and browser items of interest across the board.
4. It demonstrates the use of some specific tools - all open source, of course - in various platforms, and explains some of the pros and cons thereof.
5. [fanboy]It has a section on log2timeline. Enough said.[/fanboy] ;)

The authors have carefully limited the scope, not trying to stray too far afield, not digging too deep. I think they did a great job. If you're a newcomer to forensics, it will open your eyes and make you think. It will get you started in new directions and challenge your horizons. If you're a veteran forensicator - even if you know every single thing in this book - it makes an excellent refresher, stirring you up by way of reminder, so that you can remember in greater detail the things you forget because you do them every day, as well as the things you don't.

I think that about sums it up. It's a good read, and well worth it. If you're a fast reader and don't linger long on the examples I think you can wrap it up in a few short hours. If you take longer, stop to smell the roses and whatnot, it'll take a few longer hours, maybe even a couple days. I suggest you take the time, bookmark, highlight, etc to make sure you get the most out of it. Again, it's worth it.

Friday, June 17, 2011

Dropbox Writeup Posted on SANS Blog

The "short" Dropbox writeup I mentioned previously is now posted on the SANS Forensic Blog.

Before too long - hopefully - the full article should be up on Forensic Focus. At the end of that one I listed several things I thought were outstanding in regards to artifacts. I've been working on those, and before too long - hopefully - will be posting those here.

I'm also just wrapping up reading Cory Altheide's book and am going to post a "review" of that as well. Not really into writing reviews, but I think it's worth it.

Friday, June 10, 2011

#DFIRSummit - Afterthoughts, Part 3

Who would've thought it would take 3 posts to summarize the Summit in Austin? Not me. I did the first one because I needed (personally) to start the process; I knew then that the main body would require some dedicated space (it could probably have been broken up into 2 posts just for that piece of it). But there remains something very important to cover - the "thank you" section.

First and foremost, many thanks to SANS and their hard-working people for putting on the event. Obvious thanks go to Rob Lee as the host, but he wasn't the only there. There were people doing registration, audio-visuals, and presentation facilitators. Everyone did a great job, so thanks to all the SANS team!

In addition, there were vendors who helped make things happen. AccessData, Netwitness, and Fortinet all had a presence there (Infogressive was in the program, but I don't recall seeing a booth; conversely, Fortinet was not listed, but was there nonetheless). Netwitness sponsored a lunch & learn, and AccessData sponsored an evening reception.

All of the panelists and presenters also deserve thanks, for giving their time and efforts to be there and participate; I know all the preparations for that take a lot of time and mental effort. Some of them came not just from other States, but all over the world (Iceland, Canada, Nebraska... ;) ).

And last but not least, all the attendees deserve thanks. They took time out of their lives, work, etc to be there. I'm sure it wasn't a burden for anyone, but some of them came a very long way (Spain, Canada, Germany, etc) to be there.

Without everyone listed above, there would be no event. Many thanks to all of you!

I think this is the last post on the subject...


Thursday, June 9, 2011

#DFIRSummit - Afterthoughts, Part 2

Okay, so now we're on to the "real" content. First let me start off by addressing something I overlooked last night. Congratulations go to Eric Huber and his AFoD blog for winning the Forensic 4cast award for "Best Digital Forensic Blog." I know Eric did not anticipate winning, but he did, and deserves it! I must also say that I was sadly disappointed that log2timeline did not win the "Best Computer Forensic Software" category. I'm not the only one; there was a lot of discussion to that effect at the Summit. It seems that Guidance Software had an active internal campaign that paid off more than anything we did for Kristinn. General consensus from the Summit seems to be that l2t was the winner anyway. That's right!

I'm basically going to run through each presentation in order and give a couple tidbits. Any more than that and I'll be here all night! So without further ado...

Day 1

Andrew Hay - 5 Point Palm Exploding Heart Technique for Forensics
This was supposed to be Mike Cloppert's slot, but he was tied up (not literally).
The 5 Points:
Host/Platform forensics
Network forensics
Data Reduction
The overall idea is that you need to try to combine or integrate the various segments into one for more effective/comprehensive investigations, since host-based can no longer really be the primary focus.

Chris Pogue - Sniper Forensics 2.0
DF is constantly changing. We have to be agile & adapt
DF is the most challenging forensics discipline because of the changes
The software tools you use in an investigation don't matter - your brain is your best tool.
You have to have a plan - this is *key* (and your steps should be consistent)
CLI is your friend. Yay, Chris! :)

Sean Morrissey - iOS Forensics
I have used Lantern and tend to prefer it over Mobilyze. However, I really would have liked more info about "iOS Forensics" (ie, important artifacts and how to use them) than a presentation about Lantern.
Putting an iPhone in airplane mode does not disable WiFi. So if you are acquiring one, remove the SIM, put in AM, disable WiFi & bluetooth, and use a Faraday bag if need be.
To recover/carve deleted entries from SQLite db, look for "de-referenced" items.

NetWitness Lunch&Learn (I think the presenter was Michael Sconzo, from their CIRT)
It was technical, not a sales pitch, and very much about results of network investigation for malware, as opposed to what NetWitness can do.
The main idea was to know what "good" or "benign" http sessions look like so you can quickly recognize anomalies. I think he actually mentioned something about reading RFC 2616; I don't remember anything after that point... Just kidding; it was very informative.

Hal Pomeranz - EXT3 File Recovery via Indirect Blocks
What can I say - you give Hal a command line, a hex editer, a Linux file system, and he just starts dancing!
File-carving assumes 100% contiguous data...
Indirect block pointers are not nulled out when a file is deleted (unlike direct pointers).
When decoded, they will point to the next block #.
Hal has some tools to automate the process of recovery, rather than manually follow the indirect pointers; it basically runs on top of TSK and calls those utilities as it needs:
frib (file recovery indirect blocks) - this works if you know where the file started, and can progress forward from there.
fib (find indirect block) - finds indirect block (by signature, within the block grouping you're targeting), then counts back 12 blocks to what should be the start of the file.
He has a whitepaper and the tools on Mandiant's blog

RMO's were handed out by Rob Lee, to:
David Kovar - for AnalyzeMFT
Bamm Vischer - for sguil
Congratulations, guys!

Terry Maguire - IR Process & Smart Phones
As these phones become more common in the enterprise, we have to know how to handle them.
**Note: both android and iOS use a lot of SQLite db files.
-sqlite browser (sourceforge) is good, but no deleted entries will show
-epilog by CCL Forensics is designed to show deleted entries (not free, commercial product)
Android must be rooted to get access to any real information. This requires modifying the phone, if if you use something z4root that can be undone with the click of a button.
In order to get volatile data from iPhone, it will have to be jailbroken.
Blackberry cannot be imaged like other devices; removing & imaging chips might be possible. Blackberry file system can be mounted either through desktop manager or javaloader, but be careful; it's easy to destroy data! Blackberry Messenger SMS are not contained in IPD files; they can only be collected from mounted file system.
ABC Amber Blackberry Converter is now Backup Blackberry Explore by Elcomsoft.

Mike Cloppert - Distinguishing IR from Computer Network Defense
He's in Andrew Hay's original slot.
APT & such are much more advanced than the traditional IR models developed a decade ago:
Highly aware (situational awareness)
Lots of tools
There may be multiple adversaries/attack vectors simultaneously or near-simultaneously.
Campaigns (by adversaries) may span several years.
The conventional IR model is based on the presumption of a successful compromise. If it's an "imminent threat" the model doesn't fit. The model is reactive, not proactive. Needs to be more proactive.
Have a monthly overview of reporting to help determine where to focus preventive efforts.

Day 2

Kristinn Gudjonsson - log2timeline
version 0.60 - the "killer dwarf" release - now works on Windows; instructions on how to install in docs/install (Chris Pogue created/tested documentation).
Rewritten engine, work is done on back-end.
It is more object-oriented, and has preprocessing modules.
With the front-end not doing processing, you can easily build your own, for integration into your own processes, customize default action, etc.
It now has a Skype parser. It includes code from regripper and regtime to automatically pull in all the registry data. And (drumroll, please) David Kovar's AnalyzeMFT has been imported as well, to parse the MFT. Of course, that means it had to go from python to perl, but we won't get into that.

Mike Pilkington - Protecting Privileged Domain Accounts during Live Response!
Mission: remote access to WinXP (SP2) workstation (no patches) for analysis/triage
You don't want attackers who may be present to capture privileged credentials.
Do not use any type of interactive logon as this will cause a password hash to be stored locally. Running psexec creates a vulnerability for delegate-level access token theft. Don't set IR accounts as admin accounts; put them into different groupings and give those elevated privileges only as needed.

Panel: Professional Development in Digital Forensics and Incident Response
Lenny Zeltser, Richard Bejtlich, Ken Dunham, Joe Garcia, Bamm Visscher
Everyone had pre-formatted questions they spoke about, then it was open to questions from the audience. I will touch on one, for Richard: How do I build a computer incident response team? I thought the absolute key to it was his statement that you have to keep the groups tightly-knit and give the analysts what they need to do their jobs - training, equipment, etc. The best part was that he said you have to protect them fiercely. That's leadership! He had a blog post about this recently; it's obviously important to him.

Lee Whitfield - Digital Forensics and Flux Capacitors
Looking at reasons/ways people try to get out of trouble with their computers
Focus: Time/system clock alteration (as an excuse)
Top places to check at start of investigation
system event logs (except on XP, where it's not as important)
LNK files
Restore Points
Who is @gingerlover_17 Lee? ;)

Hal Pomeranz - EXT4: Bit by Bit
Changes in EXT4
48-bit address space
Uses extents instead of indirect block chains
64-bit nanoseconde resolution timestamps
File creation time timestamp (born, or b-time)
Backwards compatibility design goal
Inodes expanded to 256 (from 128)
Most of offsets listed in carrier's book still apply to ext4
Hal dove right in with his hex editor, heads exploded, Hal danced, twitter was on fire, etc. It was a very good presentation!

Panel: Forensics in the New Cloud Frontier
Andrew Hay, Cory Altheide, Joe Garcia, Robert Lee, Ed Skoudis
The questions were sprung on the panelists w/o preparation. Wow.
Here's my take: The cloud is here. It's not leaving. You need to know what kind of alerts your cloud provides (to indicate compromise/issue, like gmail's alerts to different locations accessing your account). Distributed processing is going to be key to future analysis (think multi-GB log files). Make sure your cloud provides you with auditing capabilities, as logs are going to be the target of your analysis. Look at the kind of data you've needed from recent incidents, and see if you can get that from your cloud.
Then it was opened up to the audience's questions, including:

#dfirsummit Q for panel: Would you get a 4Cast award for staying within a reasonable budget while proactively responding using sniper forensics, five point palm methodology and log2timeline to analyze a mobile device running ext4 whose clock was reset using false domain credentials through the cloud?

Does that question not totally sum it up?

Oh, there was one more panel, the vendor panel. I had to leave right before that, so that's where my summary falls short. However, I think the last question for the previous panel is the best place to end...


Wednesday, June 8, 2011

#DFIRSummit - Afterthoughts, Part 1

I think this tweet by David Kovar sums it up the best:

The only thing that was left out was #corn, but that's another story altogether! I was involved with corn, but I don't think it's my story to tell...

The background on the above tweet was that we had a break after Hal Pomeranz gave a VERY in-depth talk about EXT4, and brains were melting. And he was dancing. Twitter was on fire. Next up was a panel about "the cloud." A group of us on break decided we needed to submit a question that somehow encompassed every topic brought up over the course of the Summit. David Kovar tweeted it and turned in his question card; Andrew Hay read it as the last question, and Cory Altheide autographed his book.

Overall, the Summit was great. The speakers were awesome, it was a great group of folks, and dare I say, a good time was had by all.

I arrived Monday afternoon, and went to the reception. When that was over, we all went to Shiner's with Rob Lee; there was a good group in attendance. And of course, I got to meet Kristinn, which is good for my "fanboy" status ;). For those who think forensicators need to be short, overweight, or bald (as declared by Chris Pogue), well he's none of those. Of course, neither am I. This was my first time to go to something like the Summit, and after a couple introductions from Hal, we were all chatting like old friends. About corn. Very cool. I guess that's what happens when a bunch of crazy geeks get together; our minds are so similar that it's just natural to have a great time!

My wife's comment to me tonight when I got back and was sharing some stuff: "It's like you've died and gone to geek heaven!" She gets me; she so gets me...

Tuesday evening there was an after party at Buffalo Billiards and everyone got to hang out for more good times and conversation. Lest you all think it was nothing more than a big party with drinks galore, there were speakers, presentations, panels, etc. And corn. And that was all very good stuff. Naturally, props go to Kristinn (@killer_dwarf?) for a great presentation about l2t, and everything that tool can now do! However - hope this doesn't damage my status - my favorite was Chris Pogue's talk on "Sniper Forensics." I really enjoyed it, thought it was a great topic and material (and he's a good speaker).

That's it for now, as it's rather late, and I've got a technical webcam check tomorrow morning for a video conference interview tomorrow afternoon. I actually had to leave Summit a little early to head back home and do my own webcam check first in preparation. Tomorrow I will write up a post on my thoughts about the presentations.


Friday, June 3, 2011

Dropbox Forensic Artifact Analysis

In amongst my job-search duties, I've been able to take some time to complete a research project I started months ago but never finished due to work schedule, time constraints, etc. I pondered trying to get it posted to SANS Reading Room, but I'd have to completely rework it to get it comply with their formatting guidelines. I've sent it off to Forensic Focus to see if they'll post it for me.

Anyway, it's about forensic goodies that can be gleaned from the installation and use of Dropbox for file synchronization. I've got pictures and everything...

I've also submitted a "short" post to the SANS blog; hopefully that will be up soon (when it does, I'll post the link here). It's a "brief" summary of some of the stuff I found. I keep enclosing in quotes because when writing it (I even used different words/sentences/paragraphs than the whole writeup) on my system, it came out to nearly 6 pages. Of course there's margins, graphics, and such, but it's still pretty long, I think. There's just sooo much information!

Anyway, hopefully that will be useful and interesting to the forensics community.


I'm Goin' to Disneyland!

Well, actually, to SANS What Works in Forensics and Incident Response Summit 2011 (in Austin). It's absolutely incredible, and I feel incredibly blessed to be able to attend.

Obviously, there's the whole job layoff scenario, and the search continues. Good news there is that I'm short-listed with a number of places, so we seem to be getting closer. I was slated with my former employer to attend training (but not the conference itself) at Summit, and of course that went away with the job. I heard that CEIC was a great networking opportunity, and I wished that somehow there was a way I could go to the Summit, especially since I'm so geographically close. Not just for the networking opportunities, but to meet some folks that I knew would be there; including Kristinn Gudjonsson, who will be presenting on log2timeline.

When lo and behold this week a way was made! Completely out of the blue, I was provided with an opportunity to attend wherein I would not have to pay the entry fee. I shall not mention names lest anyone be embarrassed (or not want to be publicly recognized), but you know who you are. Thank you.