My Road to Digital Forensics Excellence

Archive for May, 2009

CEIC Day 3 – The Lectures

Posted by Paul Bobby on May 20, 2009

Hands on techniques to go from Forensic Examiner to eDiscovery Practitioner

No course description, considered a basic class

The idea behind this class was to address the change in mindset required when executing an eDiscovery task. In the 4n6 world we concern ourselves with unallocated, file carving, imaging the entire drive and recreating behavior. For eDiscovery, throw all of that out of the window. Your focus is on those files that are readily accessible to the user – and yes, this may even exclude files still in the recycle bin.
It’s not really all that difficult to imagine my role during a discovery request – I create criteria, connect to all workstations specified and pull files from some period in time until the present. Then perform the culling (i.e. conditions and filtering) against the collected data, produce my LEFs, and deliver to counsel.
Effort needs to go into the creation of a pre-discovery questionnaire – this leads to a search plus criteria protocol which should be signed by counsel and becomes your get-out-of-jail-free card.
One reveal from the presenter, EnCase will feature a new indexing engine (at least that was alluded to), specifically to allow LexisNexis type index searches – the implication that the search engine will be changed was also made.
Again, this session turned into a lecture – no ‘hands-on’ whatsoever.

Scripting Network Forensics – Featuring Powershell, Log Parser, Perl, Sysinternals

Again no course description

Let me start by saying – if you think the title implies the use of tools to conduct network forensics, you would be wrong. Network Forensics is the analysis of network traffic to determine activity. This particular session considered network forensics as analysis conducted against a target workstation ‘over the network’. Who QAs these session titles?

Powershell – quite a bit of time spent on this tool. This tool needs to get more use. Apparently everything is treated as a ‘hard drive’, the registry, WMI, network connections, and the drives. What’s cool? Powershell can be executed against drives mounted using PDE or Mount Image Pro (or some other tool). I tested this during class – and yes it works: to an extent.
Log Parser – this tool really needs better exposure. I’ve taken note to spend some serious time with this tool and to start using it more often against event logs and restore point registries.

Using VMWare Toolbox – Tools to conduct investigation

Again no course description

The presenter was all giddy about MojoPac. I’ll have to give it a shot. If you haven’t, the idea is that your data and programs can exist on a thumb drive, while the execution of that application makes use of the already installed Windows OS. The website also documents the artifacts left behind through usage of MojoPac – very cool.
Various other products were highlighted to enable virtual analysis – VMware, VirtualPC, VirtualBox, LiveView, Altiris, and EasyVMX for creating VMs for use in VMPlayer.
3 slides later the 105 minute lab ran out of information. Yes, I was disappointed. These presenters need to stop naming lectures labs and to actually start making a lab.

Timeline Analysis

This lab will look at the challenges of timeline analysis and some of the key techniques for working around them

Timeline analysis has picked up recently on the interwebs, although as an analysis technique for a malware compromise it has been standard for some time. Determine when something happened, and what happened when, timeline analysis helps to identify the initial infection vector, the filesystem modifications that ensue (registry too), and, heaven forbid, data exfiltration or when the computer was under control by the bad guy.

Today’s session focused on the FNA and SIA timestamps, their differences and how they can be affected by timestomp. Unfortunate – timeline analysis can be conducted by a larger group of people than those who know how to manually parse an MFT record and the instructor missed an opportunity to affect future investigations for good.
Couple of things I took note of for future testing and blogging: what can change the Last Accessed, and conduct various timestomp experiments and identify the FNA and SIA timestamp changes when files are then moved/copied to the same/different NTFS volume under XP/Vista.
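
As an added illustration (not from the session or the original post): a minimal Python parser that pulls the $STANDARD_INFORMATION and $FILE_NAME timestamps (the SIA and FNA above) out of an MFT FILE record and flags two common timestomp indicators. The sample records are constructed, and update-sequence fixups are skipped on the assumption that both attributes sit in the record's first sector.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, end marker

def filetime(dt):  # datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def resident_attr(atype, content):  # 24-byte resident header + 8-byte-aligned content
    content += b"\x00" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHH", atype, 24 + len(content),
                       0, 0, 0, 0, 0, len(content), 24, 0) + content

def build_record(si_times, fn_times, name="a.exe"):
    """Constructed sample FILE record (hypothetical file name, no fixup array)."""
    si = struct.pack("<4Q", *map(filetime, si_times)) + b"\x00" * 16
    fn = (struct.pack("<5Q", 5, *map(filetime, fn_times)) + b"\x00" * 24
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    hdr = bytearray(b"FILE" + b"\x00" * 0x34)
    struct.pack_into("<H", hdr, 20, 0x38)  # offset of the first attribute
    return bytes(hdr) + resident_attr(SI, si) + resident_attr(FN, fn) + struct.pack("<I", END)

def parse_times(record):
    """Return {type: (created, modified, mft_changed, accessed)} as raw FILETIMEs."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 20)[0], {}
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0:
            break
        if atype in (SI, FN) and record[off + 8] == 0:  # resident attributes only
            body = off + struct.unpack_from("<H", record, off + 20)[0]
            skip = 8 if atype == FN else 0  # $FN content starts with the parent reference
            out.setdefault(atype, struct.unpack_from("<4Q", record, body + skip))
        off += alen
    return out

def stomp_indicators(record):
    """Heuristics only: a hit is a lead to corroborate, not proof of tampering."""
    t, hits = parse_times(record), []
    if t[SI][0] < t[FN][0]:
        hits.append("$SI created predates $FN created")
    if any(v % 10_000_000 == 0 for v in t[SI]):
        hits.append("$SI timestamp has zero sub-second precision")
    return hits

_t = datetime(2009, 5, 1, 12, 30, 15, 123456, tzinfo=timezone.utc)
CLEAN = build_record([_t] * 4, [_t] * 4)
STOMPED = build_record([datetime(2004, 8, 4, 12, tzinfo=timezone.utc)] * 4, [_t] * 4)
```

Moving or copying a file can also leave the two attribute sets out of step, so hits from `stomp_indicators` need the kind of move/copy baseline testing noted above before drawing conclusions.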

Lose the geek speak: Creating client friendly forensic reports

A brilliant examination’s value is nil if a client can’t understand the findings.

Unfortunately, the presenter got sick and the presentation and materials weren’t made available to his co-worker who stepped in – ugh. This session had some potential, especially at the end of the day, for some humor. I mean after all, let’s throw up some snippets of either actual reports, or just badly written ones. Get people laughing and make your point.
Produce snippets of good report versions to drive the point home. Kleiman produced an interesting report of his rebuttal to defense expert – the defense report was not poorly written per se, just incorrect in the assumptions. So while the analysis of this report and Kleiman’s rebuttal was interesting, it didn’t follow the spirit of the session which was to look at effective report writing (whether you are correct or not 🙂 )

And with that, the day is done. I was planning on attending the Enscript Birds of a Feather session, but I saw most of the Enscript guys I know getting on the shuttle to head to Citywalk. So I went to see Star Trek.

Awesome 😉


Posted in State of Affairs

CEIC Day 2 – The Lectures

Posted by Paul Bobby on May 19, 2009

Overcoming the Trojan Virus Defense

“A Trojan virus downloaded those files without my client’s knowledge or approval”. This session will discuss some of the aspects of this defense … techniques to combat these claims.

In the Corporate world of investigations, this particular defense does not come up often – in fact the employee almost always confesses. One time ‘it came up’, and the approach I took essentially mirrored that which was presented today. From that investigation onwards I have always conducted a malware analysis of the machine under exam, to provide the investigator (HR, Ethics) with proactive knowledge in the event the employee attempts to use this defense.
The best comment made during this session was by one member of the audience, paraphrased “If the malware defense is likely, do your best to prove it. If you cannot prove it, then the only thing left must be deliberate action on the part of the end user”. Kind of like a forensics Occam’s Razor.

Cool, Custom, Out of the Ordinary Uses of EnCase

No session description in the official program, sounds like a filler to me. There is a similar session entitled Encase Tips and Tricks, but I decided against this – I’ve plenty of tricks to share myself. And besides, cool uses of Encase sounds … well, cool.
This session was, unfortunately, epic fail. To me, using Encase in an out of the ordinary way would be to use it to discover plagiarism, solving world hunger or keeping track of my iTunes collection across my home network. Instead, the session became a tips and tricks class. We discussed VFS, PDE, software write blocking, snapshot to DB functionality, conditions, and the all-time favorite, The File Mounter Enscript. I tell ya, that thing is going to be on Howie’s gravestone.
Still, I learnt a couple of cool tricks I hadn’t known about, for example you can Bookmark conditions so that you don’t have to recreate them (they can be ‘run’ from the bookmarks display also). Secondly, reconstructing the contents of a web page in Records is now improved in that EnCase attempts to find the necessary graphics within the parsed cache. Furthermore the Doc view can be highlighted and then bookmarked as an Image, retaining those highlights. Nice.

Building a Mega-eDiscovery Infrastructure

Take an up close look at a company’s quest for eDiscovery and capacity plan for 55,000 employees.

Interesting discussion on how Liberty Mutual addressed their eDiscovery needs by choosing the Guidance Software product, and how their unique network configuration was dealt with. It appears that they use Guidance against the workstation population, but for servers and other devices with enormous $MFT files that need to be pre-parsed, they handle it differently. Robocopy was mentioned as the tool used to connect to a UNC and make a local copy of data prior to applying the eDiscovery product.
One thing I learnt (since my eDiscovery involvement is purely academic at this point) is that non-searchable data, such as PDF and TIFF are handled through OCR. The searches are then conducted against the OCR data.

Digital Forensics – Vista SP1 & Windows 2008

..evidentiary items either unique to Vista and Windows 2008, or much changed from previous versions of Windows

Pretty good round-up of all the artifacts you expect to find when conducting a review of a Vista SP1 system or a Windows Server 2008 system. According to the presenter, both are equivalent in that they are running ‘the same engine’.
Learnt something about BitLocker. If BitLocker is disabled, the drive is not decrypted, but the key to the volume is written to the hard drive ‘in the clear’. Therefore if you put this drive in another Vista system, you can see the contents of the drive just fine. Wow. By the way, the $MFTMirror data run points to the cluster containing this key (whether in the clear or not).
Something else, LNK files and NTFS reparse points (symbolic links, hard links and junctions) are different in that the former is considered a shell extension to explorer.exe and the latter is a feature of the filesystem.
Finally, the pagefile can be encrypted – not enabled by default however. The key is auto-generated at powerup, and lost when shutdown. Therefore the pagefile becomes an encrypted blob using a one-time password. Interesting.
Unfortunately this presentation was also ‘not as intended’, and the lab not set up correctly. This is the third one for me that suffered clerical cockups. Can’t people get things together?
The saddest thing about this session was when the audience were asked the question “who has done an investigation of a Vista system”. I think 2 people raised their hands. Just goes to show – XP really is the OS of choice still.
Oh by the way, Leonard Nimoy rocked.

Posted in State of Affairs

CEIC Day 2 – The Loot Edition

Posted by Paul Bobby on May 19, 2009

So the staple of most conferences: the exhibit hall. A place to get as much loot as possible while trying to avoid all the awkward conversations in which you pretend to be interested in their product. Yep welcome to the technical equivalent of the free food tasting at the grocery store.

Guidance provided the best – as I’d hoped. USB Hub, a t-shirt, and some cool, sticky decal thing to put on my laptop. Guidance today announced their latest product, EnCase Portable. Designed to be booted from a USB thumb drive and to provide some rudimentary collection capability. A typical scenario would be the parole officer requiring a quick search and grab from a parolee’s computer. The last freebie provided was a DVD containing one of the Encase On Demand training offerings – Facebook Chat Investigations.

CelleBrite gave out a 2gig thumb drive – nice form factor. And no malware! CelleBrite (UfedSystem) were promoting their UFED or Universal Forensic Extraction Device for cell phones.

Wiebetech gave us a Mr. Tool Molex cable remover – kinda nifty. I hope they let me get on a plane with it. Wiebetech were promoting their entire product line – always very impressive. My favorite of course was getting to play with the HotPlug device – complete with Mouse Jiggler!

Paraben had a good presence – unfortunately at the back corner in bronze sponsor location. Combined with the WetStone product offerings, their crammed booth was full of paper product sheet giveaways. They were also advertising PFIC – Paraben’s Forensic Innovations Conference. Has anyone ever been to this?

Posted in State of Affairs

CEIC Day 1

Posted by Paul Bobby on May 17, 2009

Forensic Tracking of USB Devices

This session will provide methodologies for forensic investigation of USB attached storage devices

This lab walked the student through USB, USBSTOR, MountPoints and MountPoints2, and how XP, Vista and Windows 7 each track the use of USB devices within the Registry. Of specific interest was the analysis of Last Written values and the conclusions that can be drawn from each one.

Not a bad class – but unfortunately it went a long way to show that a USB device was inserted, and when; but not much into the analysis of how it was used, and the often-asked “what files did the terminated employee take”.

Two things I learned however:

    The Last Written timestamp of the iSerial key value pair is only updated after reboot. In other words, if I insert a thumb drive four times during the same session, the Last Written will NOT change. If I reboot and insert the USB thumb drive, the Last Written does update. I’ll be testing this myself.
    The presenter indicated that a LNK file to the VOLUME on the inserted USB device is always created when the USB device is inserted. Regardless of the presence of LNK files showing activity, there is always a LNK file to the volume itself – owned by the user. Another indicator of attribution. I’ll be testing this also.

Malware Reloaded

Last year, we hacked away at simple web based malware (Ed: javascript drivebys). This year we will do a refresher of those techniques and tools, as well as cover some more advanced …. and focus on newer attack vectors.

Unfortunately the advanced and newer attack vectors were considered XSS, XSRF, click-jacking (kinda new), SQL injection and flash-actionscript/pdf-javascript (kinda new); so these aren’t exactly new nor advanced. Still it was a good presentation that focused on a custom designed website deliberately created to be bad at input validation and vulnerable to SQL injection. Furthermore, the demonstration of the request forgery was also good.
A suggested improvement to the presentation would have been a 4n6 examination to identify file system and log artifacts to corroborate the suspected attack.

Posted in Forensics, General Research