My Road to Digital Forensics Excellence

Archive for July, 2009

Forensic research projects

Posted by Paul Bobby on July 23, 2009

I have been maintaining a list of digital forensics related research projects, from small to large. The purpose is as a source of inspiration for quick hit enscripts, analyses of artifacts and processes etc. I decided to share my current version of the list hoping it inspires readers to find opportunities to become notable in the world of digital forensics.

File Erasers

From simple deletes to commercial file system cleaners, review the tools available to hide a users’ computer tracks. For each product determine the method of cleaning, artifacts left behind, indicators of usage etc. Compare the usage of these tools in high-security mode versus panic-mode.

Internet Accelerators

Modern browser functions, plugins to browsers and independent tools provide efficiency upgrades to the Internet surfing process. These tools complicate the answer to the following question: “How responsible am I for the Internet History on my computer”?

Memory Analysis

This has been a hot topic for a while now. Some research areas:

Sweep Enterprise

Encase Enterprise specific – contains an ability to run a triage process against your Corporation, in the form of a Compromise Assessment Module. Document a process for triage using this function. There is little information for this powerful feature out there. I’ve posted a thorough and repeatable test for this module here; there is an issue currently, and I’ve received a temp fix.

Forensic Visualization

There is a lot of discussion regarding the presentation and visualization of data for various analyses. More research is needed concerning the use of visualization in forensic analysis. Timeline analysis comes to mind. Mandiants’ Log Analysis tool is another.

Windows Steadystate

This will require a significant reverse engineering effort. Windows Steadystate is gaining some headway, I have blogged about it a few times. I’ve run in to a roadblock concerning the Steadystate Cache file, and the ability to extract forensic evidence from this file.

WBEM and PCHealth

Determine if there is any 4n6 benefit to deadbox analysis of the WBEM and PCHealth data stores. Regarding system32\wbem, can WMI queries be made against the data store? Parsed out? Any benefit to doing so?

Some new timestamp sources for timeline analysis:

  • (in wbem tree). Search for <LastWriteDate>200######, and sort by hit text
  • Search Collected*.xml in the windows\pchealth tree

Exculpatory versus Inculpatory

There are a huge number of forensic artifacts and indicators discovered during an investigation. From Internet History to Antivirus hits, from file system timestamps to email creation, determine the following:

  • Inculpatory characteristics: what about the artifact proves the allegation?
  • Exculpatory characteristics: what about the artifact disproves the allegation?

Temporal Analysis

In conjunction with the above forensic visualization, this research topic will apply some intelligence to the automated visualization process. The idea is to give each item in your timeline listing a weight. For example, a single Last Written value in the registry might have more weight than 500 Last Written Values all within seconds of each other.

Malware compromise often results in a few timeline artifacts, such as a handful of registry changes, file system changes, and that’s it. This kind of block of change should stand out…

Posted in State of Affairs | Tagged: | Leave a Comment »


Posted by Paul Bobby on July 10, 2009

The solution involves basic algebra.

The crackme essentially performs two functions: one against the userid and one against the serial number. If the results of these functions match, then we have a winner.

Function against Userid

  • (c3+c6) * (c3+uc)

Function against Serial Number

  • ((c3*c3)+(c1*c3))+c2


  • ((c3*c3)+(c1*c3))+c2 = (c3+c6) * (c3+uc)
  • c3^2 + c1.c3 + c2 = c3^2 + c3.uc +c3.c6 + c6.uc
  • Divide by c3^2
  • c1.c3 + c2 = c3(uc+c6) + c6.uc
  • c1 = uc + c6
  • c2 = c6 * uc

Now that’s something we can handle pretty easily since we know how to calculate the uc and c6 complex numbers using just the Userid.

Posted in Reverse Engineering | Leave a Comment »

crackme analysis

Posted by Paul Bobby on July 10, 2009

I’ve finished my analysis of the crackme I’ve been talking about for the last couple of posts.  The userid-to-serial manipulation is accomplished using Complex numbers.

The crackme is split in to three parts:

  1. Userid manipulation
  2. Serial Code manipulation
  3. Complex number arithmetic against the manipulated Serial Code and manipulated Userid

Userid Manipulation is in four parts

  1. Sum the ordinal values of each character in the userid – this value is used in a complex number (c6.real)
  2. The imaginery part of this complex number is (c6.real-1)*3
  3. Iterate through the userid as follows
    1. EAX=0x12345678
    2. for x in userid:
      1. eax = eax XOR x
      2. rotate EAX left 5 times
  4. Create a complex number out of two parts of the processed userid
    1. userid_complex.real = (EAX / 31337) AND 0xFFF
    2. userid_complex.imag = EAX % 31337

The following Python code accomplishes the UserID Manipulation:

   1: #

   2: #Process the raw Userid in four steps

   3: #

   4: #userid munge part1

   5: userid2 = 0;

   6: for x in userid:

   7:     userid2 += ord(x);

   8: userid_munge1 = userid2


  10: #userid munge part2

  11: userid2 = (userid2-1) * 3;

  12: userid_munge2 = userid2


  14: #Userid munge part3

  15: EAX = 0x12345678

  16: useridList = []

  17: for x in userid:

  18:     useridList.append(ord(x))

  19: useridList.append(0)

  20: for EDX in useridList:

  21:     EAX = EAX ^ EDX #XOR EAX,EDX

  22:     for y in range(5): #ROL EAX,5

  23:         EAX *= 2

  24:         if EAX > 0xffffffff:

  25:             EAX -= 0x100000000

  26:             EAX += 1


  28: #Userid munge part4

  29: #Divide EAX by 0x7a69, or 31337 base10 🙂

  30: EDX = EAX % 0x7a69 #EDX contains remainder from a DIV

  31: EAX = EAX / 0x7a69

  32: EAX = EAX & 0xfff

Serial Code Manipulation

The crackme reads in a serial code, 36bytes in length. The code is manipulated by
  1. Bytes 9,18,27,36 are reset to 0
  2. Each byte in the serial number is converted
    1. ord(byte) – 0x30
    2. shift the result left 4 times
   1: def processRawSerial(rawSerial):

   2:     EAX = 0

   3:     for x in rawSerial:

   4:         y = ord(x) - 0x30

   5:         if y > 0x0A:

   6:             y = y - 7

   7:         EAX = EAX * 16 #SHL EAX, 4

   8:         if EAX > 0xffffffff:

   9:             EAX = EAX & 0xFFFFFFFF

  10:         EAX = EAX | y

  11:     return EAX

This function is used to produce four parts of the serial number: serial1 through serial4

Complex Numbers against the Serial Code and Userid

Python has builtin support for Complex numbers, making the following calculations very easy. Isn’t it interesting that I had a harder time coding Rotates and Shifts than I did complex arithmetic.

A series of complex number calculations are performed using the Serial Code. A series of complex number calculations are performed using the Userid. The outcome should be equal if you are using a valid Serial Code. Here are both processes.

  1. c3_real = 0
  2. c3_imag = 0x4e21
  3. c1 = (serial1+1J*serial2)
  4. c2 = (serial3+1J*serial4)
  5. c6 = (userid_munge1+1J*userid_munge2)
  6. uc = (userid1+1J*userid2)
  7. Loop:
    1. add 3 to c3_real
    2. subtract 2 from c3_imag
    3. c3 = (c3_real+1J*c3_imag)
    4. # Compute the serial number complex arithmetic
    5. sc1 = c3 * c3
    6. sc2 = c1 * c3
    7. c4 = sc1 + sc2
    8. c4 = c4 + c2
    9. # Compute the userid complex arithmetic
    10. sc1 = c3 + c6
    11. sc2 = c3 + uc
    12. c5 = sc1 * sc2
    13. if c5 != c4 then exit #wrong serial
    14. repeat the loop 6666 times

And that’s it. What follows will be the keygen.

Posted in Reverse Engineering | Tagged: , | Leave a Comment »

crash on take-off

Posted by Paul Bobby on July 8, 2009

Boy was I ever wrong about ROL. lol

As I started coding a python routine, I quickly found that I had completely overthought the process. What an idgit.

Here’s the python code:

1: EAX = 0x12345678
2: useridList = []
3: for x in userid:
4:  useridList.append(ord(x))
5:  useridList.append(0)
6: for EDX in useridList:
8:  for y in range(5): #ROL EAX,5
9:    EAX *= 2
10:   if (EAX > 0xffffffff):
11:     EAX -= 0x100000000
12:     EAX += 1
14: print hex(EAX)

A ROL 1 simply multiples the contents of the register by 2. Yeah I kinda knew that, ROL EAX, 5 is 2^5, or multiply by 32. The trick is, if the EAX overflows (i.e. > 0xFFFFFFFF or 4,294,967,295) THEN drop the leading byte, and add it to the end.


Posted in Reverse Engineering | Leave a Comment »