My Road to Digital Forensics Excellence

Archive for May, 2012

CEIC2012 Part 2

Posted by Paul Bobby on May 24, 2012

One of the best things about conferences is the social aspect, meeting people you only know online and getting reacquainted with those you’ve met previously. Spent some time chatting with Simon Key about the developer program, James Habben my enscript instructor. Finally met Geoff Black and Jon Stewart (you do have your Lightgrep beta right?) (btw Jon, hopefully I catch you before the conference is over). Met plenty of names from Guidance (hey Joshua), folks who recognize my name from blogging (howdy Sgt Doug Collins), and names associated with vendors, such as Blackbag, Clearwell etc.

Session 3: Anti-anti Forensics. So ever encountered CCleaner usage or other system wipers/cleaners? Of course you have. This presentation focused on ‘what was executed’ and ‘when was it executed?’ The hardest bit, of course, is “what was deleted?” David Cowen (Hacking Exposed: Computer Forensics) has done some original research with the $LogFile. We’ve seen MFT records, INDX files and LNK files carved from the $LogFile, but those 4k record pages can contain much more. One part of the research he was willing to share is a portion of the record file that shows the before and after filename when a file gets renamed (a typical function in system cleaners). There’s apparently plenty more research, but he’s hoping to present at Blackhat this year – watch his blog for more details. (He’ll post two tools called Splitter and SectionSearch.)

Session 4: What’s new in Windows Forensics? Presented by John Marsh. A couple of things I didn’t know and need to research more fully. Microsoft Virtual Disks – never really played with them, but for testing purposes they look really cool. The transaction log, $TxF – anyone know if this has been parsed or the file structure documented anywhere? The ‘Virtual Store’ folder – if 32-bit apps are executed by non-admins, or 64-bit apps are executed that aren’t coded to ‘play well’, then their writes get redirected to a ‘virtual store’ folder structure, separate from the Program Files area. There’s also a ‘virtual store’ registry area – this is stored in the UsrClass.dat registry file, not in NTUser.dat. Something else I didn’t know. Gotta start looking there in general, and for testing purposes to see what gets written.

Session 5: Timelines with Encase. Sgt Doug Collins, RCMP. Good presentation, and he called out my blog and a post on the Windows Reliability Monitor. Doug has created an enscript to parse temporal data sources and feed them to a MySQL database he runs in a custom Linux VM. He’s included deduplication checks and a spreadsheet with a database query front end. Cool stuff. One source of temporal data I’d not considered before is Google Analytics cookies (almost every page uses them) – there are several timestamps in there associated with when the site was first visited, last visited etc. He also mentioned Google Chrome and how Chrome indexes every page you visit, storing that data locally – at least that’s “how I heard him”. I need to test that – but if that’s the case, good lord, that’s quite the treasure.
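As an added example (not part of the original post, and not Doug’s enscript), here is how those Google Analytics cookie timestamps can be pulled into timeline rows. It assumes the classic ga.js `__utma` layout of six dot-separated fields: domain hash, visitor id, first visit, previous visit, current visit (all epoch seconds) and session count. The cookie value is constructed for the example, and the `consistent` check flags a cookie whose visit times run backwards, which is worth knowing before a row lands in a timeline.

```python
from datetime import datetime, timezone

# Constructed sample cookie value (not taken from any real system).
# Classic ga.js __utma: domainhash.visitorid.first.previous.current.sessions
SAMPLE_COOKIES = {
    "__utma": "173272373.1234567890.1335830400.1337126400.1337644800.5",
}


def parse_utma(value):
    """Split a __utma cookie into its fields, converting epoch seconds to UTC datetimes."""
    parts = value.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected __utma layout: %r" % value)
    domain_hash, visitor_id, first, previous, current, sessions = parts
    first_ts, prev_ts, cur_ts = (
        datetime.fromtimestamp(int(s), tz=timezone.utc) for s in (first, previous, current)
    )
    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,
        "first_visit": first_ts,
        "previous_visit": prev_ts,
        "current_visit": cur_ts,
        "session_count": int(sessions),
        # Visit times should never go backwards; a violation means the value is
        # corrupt, tampered with, or not really a __utma cookie.
        "consistent": first_ts <= prev_ts <= cur_ts,
    }


def timeline_events(site, utma_value):
    """Emit (timestamp, source, description) rows, oldest first, for a timeline table."""
    fields = parse_utma(utma_value)
    events = [
        (fields["first_visit"], "__utma",
         "%s first visit (visitor %s)" % (site, fields["visitor_id"])),
        (fields["previous_visit"], "__utma", "%s previous visit" % site),
        (fields["current_visit"], "__utma",
         "%s most recent visit (session #%d)" % (site, fields["session_count"])),
    ]
    if not fields["consistent"]:
        events.append((fields["current_visit"], "__utma",
                       "%s WARNING: visit timestamps out of order" % site))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, source, what in timeline_events("example.com", SAMPLE_COOKIES["__utma"]):
        print(when.isoformat(), source, what)
```

The site name is whatever the cookie’s host field says in the browser’s cookie store; the `__utmb` and `__utmz` cookies carry further session and referrer timestamps in the same epoch-seconds style and can be handled the same way.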

Session 6: MMA Forensics Challenge. This is the session you live for – an opportunity to flex your 4n6 muscle and take on a class of forensicators. The challenge, contrived obviously, included memory analysis, dead box analysis, pcap analysis and timeline analysis. Points were awarded based on answers to five groups of questions, and prizes for the first to solve each group. I won one of the groups, and took away the prized parrot 🙂 Yes, there were signed copies of various 4n6 books to be won, but heck, that parrot spoke to me 🙂 Pieces of forensic8 (droll).


Posted in State of Affairs

My CEIC2012 Experience

Posted by Paul Bobby on May 23, 2012

Let me begin with the obligatory “I haven’t written in a while eh?”

Now that that is over with, and with some encouragement to continue posting, here we go.

I’m attending CEIC 2012 in Las Vegas, and with only two sessions left it’s time to post my thoughts on the conference. Two keynotes to attend, the first being the CEO of Guidance Software. His presentation focused on where we came from in the forensic world, through the 2000s, and a brief look into the future. It was also used to introduce the Guidance Software App Store, to arrive in the Fall. This can only be a good thing. Forensics, hardware, techniques and everything else electronic is evolving at such a fast rate that any one company cannot keep up with it all – coders have been writing enscripts for a while now, myself included, and no doubt we will continue to provide free enscripts to the community. But allow a developer to be compensated for his/her work and you create a way for coders to spend serious time developing some significant scripts and plugins for Encase. Take a look at the Volume Shadow Copy problem – I’ve been waiting ages for Guidance to incorporate native support into Encase; others have developed tools, so the solution is well understood, but while it likely appears on a future feature list, it is not a priority. An enterprising developer can take up the challenge and probably find many a shop willing to pay $s for it.

The second keynote came from General Richard Myers, retired chairman of the Joint Chiefs of Staff. While he retired from service in 2005, his points of view were definitely valid, and offered clarity to the incident problem we are dealing with today. In his summary of the Top 5 threats for today, Cyber Incidents was classified as number two. He also addressed the PRC, classifying them as highly aggressive when it comes to using cyberspace to gain intellectual property. He stressed, however, that these incidents would not directly lead to military conflict; rather, the persistence of the threat undermines whatever headway is being made via diplomacy, and an unintended conflict may occur because of this tension, for example in another space, such as the South China Sea.

Okay, session time, number 1: Manual Web Page Reconstruction. This was a 90 minute lab session, the purpose of which was to teach an approach to reassembling a web page from the artifacts present on the computer. Unfortunately we didn’t start the lab work until 70 minutes into the presentation; this alone was enough to rate the session as disappointing. However, one of the things I always gain from sessions is questions that require some research to find the answer. Here’s the problem that I thought about during this session: if you see files called “1.jpg”, “1[1].jpg” and “1[2].jpg” in Temporary Internet Files – do you know what that means? That’s not the real question though. What I need to figure out is whether the web browsing mechanism (we’ll take Internet Explorer for example) is smart enough to know which of these JPGs to pull from the cache.

Let me state it this way: using IE, a user visits website1, website2 and website3. They all have a file called “1.jpg” that is loaded during the page render. The browser stores these JPGs in the cache, but the JPGs are completely different; only their filenames are the same. When the user visits one of the sites again, say website2, and the image is loaded from the cache, is the correct one displayed? No idea, will have to test.

Session 2: Hunting for Unfriendly Easter Eggs. Two presenters from Deloitte walking us through “Cloppert’s Kill Chain” and modifying it slightly to be a Kill Chain Life Cycle (btw this kill chain is to be credited to Amin and Hutchins as well). The life cycle modifies the chain slightly by making the initial exploit/C2/exfil phase an external phase, that is to say the first penetration into the network, followed by a cycle of internal phases that may repeat as often as is needed while the attacker modifies the chain with new exploits/recon/C2 etc. The second part of the presentation built on the existing “indicators of compromise” proposed by Mandiant, with case studies of real incidents that led to 300+ IOCs for each stage in the chain. Good stuff.

More to come

Posted in State of Affairs