Category Archives: Incident Response

Helix 3 Pro: First Impressions

0
Posted by jarocki on November 20, 2009 – 11:16 am
Filed under Computer Forensics, Evidence Acquisition, Evidence Analysis, Incident Response, Linux IR, Memory Analysis, Registry Analysis, Windows IR

I have used several versions of Helix over the recent years.  I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download.  Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and purchased my forum membership.  Here are the first things I noticed:

  • Some of the highlights…
    • The forum allows access to the Helix 3 software the member applies a registration token.
    • After adding the token, I was able to download not only Helix 3 Pro, but also Helix 3, and contributed tools.
    • Helix 3 Pro is really nothing like the 1.8 and 1.9 versions that came before it.  Although it still provides a bootable live CD as well as executables that can be run in Windows in Linux, the interfaces for all the modes of use have been made more consistent and seamless.  Also, a Mac OS X set of tools have been added.
    • The Helix 3 Pro CD also provides a set of cell phone forensics tools (that I will cover in a follow-on posting).
    • One of e-fense’s goals with the Helix 3 release was to provide a forensics tool that did not touch the host computer in any way.  I have not tried to verify this yet, although I intend to do so soon.
  • And the lowlights…
    • On my Dell D630 laptop (and few other systems), the boot process generated a number of errors and — in some cases — would not detect a graphical interface mode correctly, leaving me with an unusable Helix environment.
    • The majority of the tools that made previous versions of Helix useful are just completely gone.  This is apparently done so that the Helix Pro 3 image can be trusted.  I spoke to a sales representative at e-fense who told me that several customers were using Helix 3 Pro in environments where open source software of questionable origins is, well, frowned upon.
    • Static binaries formerly found on the Helix 1.x CDs are now separate downloads.  They are still available through the Helix forums.

This is the first in a series of blog postings I plan to publish on Helix 3 Pro.  Please post comments if there are specific tools or features of the LiveCD you would like me to cover.

John Jarocki, GCFA Silver #2161, is an Information Security Analyst specializing in intrusion detection, forensics, and malware analysis. He also holds GCIA, GCIH, GCFW and GSEC certifications and is the Treasurer of NM InfraGard.  John recently co-authored a controversial paper on using LiveCDs to mitigate online banking risks.

How to Disrupt a Botnet

2
Posted by Lenny Zeltser on November 8, 2009 – 7:58 pm
Filed under Incident Response, Malware Analysis, Network Forensics, Reporting, Reverse Engineering

The following note is inspired by the steps the folks at FireEye Malware Intelligence Lab took to disable the Mega-d/Ozdok bot network. People often wonder what it takes to shut down a botnet. Here are the key steps, which apply to “traditional” botnets, which don’t rely heavily on peer-to-peer protocols for their command and control (C&C) implementation; the number of hosts and domains that such botnets use can be sufficiently small that a group or an individual can disrupt the botnet by getting these IPs or domain names shut down.

Note that attempting to interfere with operations of a profitable botnet can be dangerous, as your actions may cause attackers to retaliate. Therefore, consider these steps as informational thoughts, rather than an encouragement to follow FireEye’s footsteps.

  1. Obtain a copy of the bot through forensic analysis of a compromised system. It helps to get hands on several instances of the malicious program, in case multiple variants possess meaningful behavioral differences.
  2. Understand the bot’s command and control mechanism. How does the attacker control the botnet? Reverse-engineer the malicious program to understand the C&C protocol and to get a sense for the commands the botnet understands. You may find a way to authenticate to the botnet and, posing as the attacker, commandeer it. (Warning: As Andre posted in the comments, “Logging on to network that is not your own, and issuing commands to take it over could potentially be considered illegal access.”)
  3. Identify which systems, if taken off line, could disrupt the botnet. To accomplish this, look for weaknesses in the command and control implementation, such as the reliance on a small set of servers to distribute commands or weakness in the C&C servers’ IP or domain names generation algorithm. (You may recall how researchers at UC-Santa Barbara gained control over an instance of the Torpig botnet.)
  4. Contact ISPs hosting suspected C&C servers. In your correspondence with them, present documentation that supports your claim that the systems they are hosting are being misused. Be specific about which IPs violate the ISP’s policy by acting maliciously and should be disabled.
  5. Contact registrars of C&C domains. In your correspondence with them, present documentation that supports your claim that the domains they are hosting are being misused.  Be specific about which domains violate the registrar’s policy by being used for malicious purposes and should be disabled.
  6. Consider registering unused domains that the botnet’s C&C mechanism may attempt to use later. This can be expensive, depending on the number of domain names associated with the botnet’s C&C implementation.

Botnets come in different shapes, sizes, and flavors. The steps above don’t apply to all of them, but they should give you a sense for how defenders can take action against traditional botnets. For an example of these steps in the context of a specific botnet, see the “Smashing the Mega-d/Ozdok botnet in 24 hours” write-up by FireEye.

Have you taken steps to disrupt a botnet? Share your thoughts and experiences in the comments below.

– Lenny

Lenny Zeltser teaches the Reverse-Engineering Malware course at SANS Institute. You can find him on Twitter as @lennyzeltser.

3 Lists for Investigating Malware Incidents

Comments Off
Posted by Lenny Zeltser on November 7, 2009 – 4:24 am
Filed under Incident Response, Malware Analysis, Network Forensics, Reverse Engineering, Windows IR

When investigating an incident that involves malicious software, it helps to understand the context of the infection before starting to reverse the malware specimen. Some of the ways to accomplish this involves:

  • Examining the websites that may be associated with the incident, often because they are suspected in hosting exploits that acted as the infection vector
  • Obtaining reputational data about IP addresses of systems involved in the incident, often because they are suspected of hosting malicious files that were dropped on the system, or acting as the command and control server for the attacker
  • Looking up IP addresses associated with the infected organization in blocklists, to determine whether additional systems may have been performing malicious activities and may have gotten compromised
  • Performing automated behavioral analysis of malware involved in the incident, to get a general sense for its characteristics to plan subsequent manual reverse-engineering tasks

Each of the following pages lists 10 or so freely-available on-line tools for helping to perform the tasks outlined above:

What other on-line tools help understand the context of the infection? Tell us in comments below.

– Lenny

Lenny Zeltser teaches the Reverse-Engineering Malware course at SANS Institute. You can find him on Twitter as @lennyzeltser.

Security Intelligence: Attacking the Kill Chain

Comments Off
Posted by mikecloppert on October 14, 2009 – 12:00 pm
Filed under Incident Response

Coming in much later than I’d hoped, this is the second installment in a series of four discussing security intelligence principles in computer network defense.  If you missed the introduction (parts 1 and 2), I highly recommend you read it before this article, as it sets the stage and vernacular for intelligence-driven response necessary to follow what will be discussed throughout the series.  Once again, and as often is the case, the knowledge conveyed herein is that of my associates and I, learned through many man-years attending the School of Hard Knocks (TM?), and the credit belongs to all of those involved in the evolution of this material.

In this segment, we will introduce the attack progression (aka “kill chain”) and briefly descibe its intersection with indicators.  The next segment will go into more detail about how to use the attack progression model for more effective analysis and defense, including a few contrived examples based on real attacks.

On Indicators

Just like you or I, adversaries have various computer resources at their disposal.  They have favorite computers, applications, techniques, websites, etc.  It is these fundamentally human tendencies and technical limitations that we exploit by collecting information on our adversaries.  No person acts truly random, and no person has truly infinite resources at their disposal.  Thus, it behooves us in CND to record, track, and group information on our sophisticated adversaries to develop profiles.  With these profiles, we can draw inferences, and with those inferences, we can be more adaptive and effectively defend our data.  After all, that’s what intelligence-driven response is all about: defending data that sophisticated adversaries want.  It’s not about the computers.  It’s not about the networks.  It’s about the data.  We have it, and they want it.

Indicators can be classified a number of ways.  Over the years, I and my colleagues have wrestled with the most effective way to break them down.  Currently, I am of the mind that indicators fall into one of three types: atomic, computed, and behavioral (or TTP’s)

Atomic indicators are pieces of data that are indicators of adversary activity on their own.  Examples include IP addresses, email addresses, a static string in a Covert Command-and-control (C2) channel, or fully-qualified domain names (FQDN’s).  Atomic indicators can be problematic, as they may or may not exclusively represent activity by an adversary.  For instance, an IP address from whence an attack is launched could very likely be an otherwise-legitimate site.  Atomic indicators often need vetting through analysis of available historical data to determine whether they exclusively represent hostile intent.

Computed indicators are those which are, well, computed.  The most common amongst these indicators are hashes of malicious files, but can also include specific data in decoded custom C2 protocols, etc.  Your more complicated IDS signatures may fall into this category.

Behavioral indicators are those which combine other indicators – including other behaviors – to form a profile.  Here is an example: ‘Bad guy 1 likes to use IP addresses in West Hackistan to relay email through East Hackistan and target our sales folks with trojaned word documents that discuss our upcoming benefits enrollment, which drops backdoors that communicate to A.B.C.D.’  Here we see a combination of computed indicators (Geolocation of IP addresses, MS Word attachments determined by magic number, base64 encoded in email attachments) , behaviors (targets sales force), and atomic indicators (A.B.C.D C2).  To borrow some parlance, these are also referred to as Tactics, Techniques, and Procedures (TTP’s).  Already you can probably see where we’re going with intelligence-driven response… what if we can detect, or at least investigate, behavior that matches that which I describe above?

One likes to think of indicators as conceptually straightforward, but the truth is that proper classification and storage has been elusive.  I’ll  save the intricacies of indicator difficulties for a later discussion.

Adversary Behavior

The behavioral aspect of indicators deserves its own section.  Indeed, most of what we discuss in this installment centers on understanding behavior.  The best way to behaviorally describe an adversary is by how he or she does his job – after all, this is the only discoverable part for an organization that is strictly CND (some of our friends in the USG likely have better ways of understanding adversaries).  That “job” is compromising data, and therefore we describe our attacker in terms of the anatomy of their attacks.

Ideally, if we could attach a human being to each and every observed activity on our network and hosts, we could easily identify our attackers, and respond appropriately every time.  At this point in history, that sort of capability passes beyond ‘pipe dream’ into ‘ludicrous.’   However mad this goal is, it provides a target for our analysis: we need to push our detection “closer” to the adversary.  If all we know is the forged email address an adversary tends to use in delivering hostile email, assuming this is uniquely linked to malicious behavior, we have a mutable and temporal indicator upon which to detect.  Sure, we can easily discover when it’s used in the future, and we are obliged to do so as part of our due diligence.  The problem is this can be changed at any time, on a whim.  If, however, the adversary has found an open mail relay that no one else uses, then we have found an indicator “closer” to the adversary.  It’s much more difficult (though, in the scheme of things, still somewhat easy) to find a new open mail relay to use than it is to change the forged sending address.  Thus, we have pushed our detection “closer” to the adversary.  Atomic, computed, and behavioral indicators can describe more or less mutable/temporal indicators in a hierarchy.  We as analysts seek the most static of all indicators, at the top of this list, but often must settle for indicators further from the adversary until those key elements reveal themselves.  The figure below shows some common indicators of an attack, and where we’ve seen them fall in terms of proximity to the adversary, variability, and inversely mutability and temporality.

indicator_mutability

Fig 1: Indicator Hierarchy

That this analysis begins with the adversary and then dovetails into defense makes it very much a security intelligence technique as we’ve defined the term.  Following a sophisticated actor over time is analogous to watching someone’s shadow.  Many factors influence what you see, such as the time of day, angle of sun, etc.  After you account for these variables, you begin to notice nuances in how the person moves, observations that make the shadow distinct from others.  Eventually, you know so much about how the person moves that you can pick them out of a crowd of shadows.  However, you never know for sure if you’re looking at the same person.  At that point, for our purposes, it doesn’t matter.  If it looks like a duck, and sounds like a duck… it hacks like a duck.  Whether the same person (or even group) is truly at the other end of behavior every time is immaterial if the profile you build facilitates predicting future activity and detecting it.

Attack Progression, aka the “Kill Chain”

We have found that the phases of an attack can be described by 6 sequential stages.  Once again loosely borrowing vernacular, the phases of an operation can be described as a “kill chain.”  The importance here is not that this is a linear flow – some phases may occur in parallel, and the order of earlier phases can be interchanged – but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed.

attack_progression_basic

Fig. 2: The Attack Progression

Reconnaissance

The reconnaissance phase is straightforward.  However, in security intelligence, often times this is manifested not in portscans, system enumeration, or the like.  It is the data equivalent: browsing websites, pulling down PDF’s, learning the internal structure of the target organization.  A few years ago I never would’ve believed that people went to this level of effort to target an organization, but after witnessing it happen, I can say with confidence that it does.  The problem with activity in this phase is that it is often indistinguishable from normal activity.  There are precious few cases where one can collect information here and find associated behavior in the delivery phase matching an adversary’s behavioral profile with high confidence and a low false positive rate.  These cases are truly gems – when they can be identified, they link what is often two normal-looking events in a way that greatly enhances detection.

Weaponization

The weaponization phase may or may not happen after reconnaissance; it is placed here merely for convenience.  This is the one phase that the victim doesn’t see happen, but can very much detect.  Weaponizaiton is the act of placing malicious payload into a delivery vehicle.  It’s the difference in how a Soviet warhead is wired to the detonator versus how a US warhead is wired in.  For us, it is the technique used to obfuscate shellcode, the way an executable is packed into a trojaned document, etc.  Detection of this is not always possible, nor is it always predictable, but when it can be done it is a highly effective technique.  Only by reverse engineering of delivered payloads is an understanding of an adversary’s weaponization achieved.  This is distinctly separate and often persistent across the subsequent stages.

Delivery

Delivery is rather straightforward.  Whether it is an HTTP request containing SQL injection code or an email with a hyperlink to a compromised website, this is the critical phase where the payload is delivered to its target.  I heard a term just the other day that I really like: “warheads on foreheads” (courtesy US Army).

Compromise / Exploit

The compromise phase will possibly have elements of a software vulnerability, a human vulnerability aka “social engineering,” or a hardware vulnerability.  While the latter are quite rare by comparison, I include hardware vulnerabilities for the sake of completeness.

The compromise of the target may itself be multi-phase, or more straightforward.  As a result, we sometimes have the tendency to pull apart this phase into separate sub-phases, or peel out “Compromise” and “Exploit” as wholly separate.  For simplicity’s sake, we’ll keep this as a single phase.  A single-phase exploit results in the compromised host behaving according to the attacker’s wishes directly as a result of the successful execution of the delivered payload.  For example, if an attacker coaxes a user into running an EXE attachment to an email which contained the desired backdoor code.  A multi-phase exploit typically will involve delivery of shellcode whose sole function is to pull down and execute more capable code upon execution.  Shellcode often needs to be portable for a variety of reasons, necessitating such an approach.  We have seen other cases where, possibly through sheer laziness, adversaries end up delivering exploits whose downloaders download other downloaders before finally installing the desired code.  As you can imagine, the more phases involved, the lower an adversary’s probability for success.

This is the pivotal phase of the attack.  If this phase completes successfully, what we as security analysts have classically called “incident response” is initiated: code is present on a machine that should not be there.  However, as will be discussed later, the notion of “incident response” is so different in intelligence-driven response (and the classic model so inapplicable) that we have started to move away from using the term altogether.  The better term for security intelligence is “compromise response,” as it removes ambiguity from the term “incident.”

C2

The command-and-control phase of the attack represents the period after which adversaries leverage the exploit of a system.  A compromise does not necessarily mean C2, just as C2 doesn’t necessarily mean exfiltration.  In fact, we will discuss how this can be exploited in CND, but recognize that successful communications back to the adversary often must be made before any potential for impact to data can be realized.  This can be prevented intentionally by identifying C2 in unsuccessful past attacks by the same adversary resulting in network mitigations, or fortuitously when adversaries drop malware that is somehow incompatible with your network infrastructure, to give but two examples.

In addition to the phone call going through, someone has to be present at the other end to receive it.  Your adversaries take time off, too… but not all of them.  In fact, a few groups have been observed to be so responsive that it suggests a mature organization with shifts and procedures behind the attack more refined than that of many incident response organizations.

We will also lump lateral movement with compromised credentials, file system enumeration, and additional tool dropping by adversaries broadly into this phase of the attack.  While an argument can be made that situational awareness of the compromised environment is technically “exfiltration,” the intention of the next phase is somewhat different.

Exfiltration

The exfiltration phase is conceptually very simple: this is when the data, which has been the ultimate target all along, is taken.  Previously I mentioned that gathering information about the environment of the compromised machine doesn’t fall into the exfiltration phase.  The reason for this is that such data is being gathered to serve but one purpose, either immediately or longer-term: facilitate gathering of sensitive information.  The source code for the new O/S.  The new widget that cost billions to develop.  Access to the credit cards, or PII.

Analytical Approach

As we analyze attacks, we begin to see that different indicators map to the phases above.  While an adversary may attempt to use the exploit du jour to compromise target systems, the backdoor (C2) may be the same as past attacks by the same actor.  Different proxy IP addresses may be used to relay an attack, but the weaponization may not change between them.  These immutable, or infrequently-changing properties of attacks by an adversary make up his/her/their behavioral profile as we discussed in moving detection closer to the adversary.  It’s capturing, knowing, and detecting this modus operandi that facilitates our discovery of other attacks by the same adversary, even if many other aspects of the attack change.

This need for the accumulation of indicators for detection means that analysis of unsuccessful attacks is important, to the extent that the attack is believed to be related to an APT adversary.  A detection of malware in email by perimeter anti-virus, for instance, is only the beginning when the weaponization is one commonly used by a persistent adversary.  The backdoor that would have been dropped may contain a new C2 location, or even a whole new backdoor altogether.  Learning this detail, and adjusting sensors accordingly, can permit future detection when that tool or infrastructure is reused, even if detection at the attack phase fails.  Discovery of new indicators also means historical searches may reveal past undetected attacks, possibly more successful than the latest one.

Analysis of attacks quickly becomes complicated, and will be further explored in future entries culminating with a new model for incident response.

The Indicator Lifecycle

As a derivative (literary, not mathematical) of the analysis of attack progression, we have the indicator lifecycle.  The indicator lifecycle is cyclical, with the discovery of known indicators begetting the revelation of new ones.  This lifecycle further emphasizes why the analysis of attacks that never progress past the compromise phase are important.

indicator_lifecycle

Fig. 3: The Indicator Lifecycle State Diagram

Analysis // Revelation

The revelation of indicators comes from many places – internal investigations, intelligence passed on by partners, etc.  This represents the moment that an indicator is revealed to be significant and related to a known-hostile actor.

Search & Tune // Maturation

This is the point where the correct way to leverage the indicator is identified.  Sensors are updated, signatures written, detection tools put in the correct place, development of a new tool makes observation of the indicator possible, etc.

Discovery // Utility

This is the point at which the indicator’s potential is realized: when hostile activity at some point of the kill chain is detected thanks to knowledge of the indicator and correct tuning of detection devices, or data mining/trend analysis revealing a behavioral indicator, for example.  And of course, this detection and the subsequent analysis likely reveals more indicators.  Lather, rinse, repeat.

In the next section, I will walk through a few examples and illustrate how following the attack progression forward and backward leads to a complete picture of the attack, as well as how attacks can be represented graphically.  Following that will be our new model of network defense which brings all of these ideas together.  You can expect amplifying entries thereafter to further enhance detection using security intelligence principles, starting with user modeling.

Michael is a senior member of Lockheed Martin’s Computer Incident Response Team.  He has lectured for various audiences including SANS, IEEE, and the annual DC3 CyberCrime Convention, and teaches an introductory class on cryptography.  His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering, has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others, and is a professional member of ACM and IEEE.

Reverse Enginnering Java

Comments Off
Posted by craigswright on September 28, 2009 – 2:16 pm
Filed under Computer Forensics, Incident Response, Malware Analysis, Reverse Engineering

You have just come across a site compromise. You believe that the client was impacted due to a malicious java .class file on a rogue website that they visited. The class file is compiled, what can you do?

Luckily, java class files are simple to reverse engineer. In fact, using just the native JDK, the process could not be much simpler (the setting of classpath and ensuring that your java JDK is configured correctly is critical).

At the simplest, the process would be to use the command:

  • javac -c classfile

The ‘-c’ option is used to specify that you want to decompile the java bytecode.

The term ‘classfile’ is where you specify the file that you are seeking to decode.

When reversing java based malware, the chances are that the code will have been obscured. This means that the stages above are not the totality of accessing the code. Compression and cryptors are some of the methods deployed. This will add a layer of obsfucation to the code.

For instance, a compressed class file could be called by the code you have decoded. This initial layer of code would hence form a shell that makes the code that actually did the damage harder to analyse. On top of this, a few simple techniques (such as using Unicode to hide strings) can be deployed.

You may not get a native java file, but at least you have the constructors and variables used and this gets you a long way into understanding the code.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he is helping to launch a Masters degree in digital forensics. He is engaged in his second doctorate, a PhD on the quantification of information system risk at CSU.

Windows Scheduler (at job) Forensics

7
Posted by johnmccash on September 16, 2009 – 12:20 pm
Filed under Computer Forensics, Evidence Analysis, Incident Response, Windows IR

This information may be useful to people responding to compromise incidents involving Windows. Typically these days, when a job is scheduled for execution later, possibly every day, week, or month, it’s done via a GUI tool or ‘schtasks‘. However , you can still use the original command line ‘at‘ tool. This utility also allows such jobs to be scheduled over the network if admin credentials are possessed, which makes it quite useful to an attacker for post exploitation activities. When cleaning up after something like this, it’s useful to know a bit about what it does under the hood, including the formats of the associated .job file, and the structure and location of associated log entries.

A scheduled job created by the At command

Figure 1: A scheduled job created by the At command

When the job is scheduled using the ‘at’ command, a file is created under the Windows\Tasks folder. This file has a .job extension, is named At#.job (jobs not scheduled by the ‘at’ command will have arbitrary names), and its format is described on msdn. If the job is not set up for repeat execution(weekly, monthly, etc.) then the file is deleted after the job is run. In some cases I’ve been able to extract the data portion from unallocated space by searching for a characteristic comment string that the ‘at’ command (I haven’t been able to create a search keyword that will find generic .job files that weren’t created by ‘at’), at least in Windows XP, places on all .job files that it creates, “Created by NetScheduleJobAdd.”. Note that this string is in Unicode, and is null-terminated. The 16 bits immediately following the two nulls at the end of this unicode string contain the length (little-endian) of the User Data section in bytes, and they are followed by that section (if the length is non-zero). After this section comes the reserved data size ( another 16 bit little endian value in bytes), followed by the reserved data section. Then there’s a 16 bit trigger count, which contains the size of the array of triggers that follows. According to the MS documentation, this value is supposed to be the number of bytes in the array, but as it’s one in all the examples I’ve personally seen, I think it’s really supposed to be the number of triggers defined. The trigger value starts with a 2-byte size, which should be 0×30 (little-endian, of course, which means 3000). Then there’s a 2-byte reserved field, followed by three more 2-byte little-endian values specifying the year, month, and day when the job is scheduled to execute first. Next come three more 2-byte values which would specify end year, month, & day for repeating jobs, and finally two more two byte values, for the start hour and start minute. There are other fields in the structure, but these are the important ones. (While there’s a field specifying the job’s author, in all examples I’ve seen from the At command, it’s set to “System”.)

Hex dump of the At1.job shown above

Figure 2. Hex dump of the At1.job shown above

When a scheduled job is actually executed (not when it’s scheduled), a log entry is written to the scheduler’s log file. The name of this file is defined by the registry key HKLM\Software\Microsoft\SchedulingAgent, but it defaults to SchedLgU.txt. On WinXP, this file is located in the Windows folder, but on Vista, they’ve moved it to Windows\Tasks. The log entry format looks something like the following (in unicode):

“At#.job” (filename.exe)

Started #/##/2009 #:##:## PM

“At#.job” (filename.exe)

Finished #/##/2009 #:##:## PM

Note that the numbers aren’t padded with leading zeros, and that the above lines are two separate 2-line log entries. It’s possible that other entries could fall in between the Start and Finish for a given job. Also, these entries are written for any scheduled job, regardless of whether it was created by ‘at’ or one of the other scheduler utilities. Of course if it was created by something other than ‘at’, the .job file will probably have a different name.

As always, please feel free to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.

USB Key Analysis vs. USB Drive Enclosure Analysis

2
Posted by robtlee on September 9, 2009 – 7:31 am
Filed under USB Device Analysis, Windows IR

Computer Forensic Guide To Profiling USB Drive Enclosures on Win7, Vista, and XP

There has been much talk about USB Device Forensic Analysis. Many assume that analyzing a USB Key will be the same as analyzing a USB Drive Enclosure (e.g. USB Key Analysis = USB Drive Enclosure analysis).  This is inaccurate.

External

USB Drive Enclosure

ThumbDrive

USB Key/Thumbdrive

The fundamentals of examining a USB Key and a USB Drive Enclosure are similar, but have some unique properties that require a different set of guidelines to account for the differences.  I have created a new guide that you can download at the bottom of this post that will step you through how to forensicate USB Drive Enclosures for XP, VISTA, and Win7.

The fundamentals of the USB examinations are the same with a couple of key exceptions.

1. There will not be a ParentPrefixID created for these devices.

2. You cannot figure out the device GUID by searching for the Serial Number in the SYSTEM\MountedDevices Key.

MBR Disk Signatures

The information that is needed is the MBR Disk Signature that is located in the MBR, it is a 4-byte value.  I have not had the chance to test this with a GPT table, but according to the fifth edition of Windows Internals, it is supposed to use the GUID instead of the Disk itself.

How does this work? First, written in the MBR at decimal offset 440 will be the MBR Disk Signature.  These signatures are kept in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices for connecting disk partitions and drive letters. This 4-byte value is written to the disk.  If the disk does not have a MBR Disk Signature, windows will create one for it.

Example 1:

Here is the first example:

MBR Disk Identity Found At Decimal Offset 440

MBR Disk Signature Found At Decimal Offset 440

Finding the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices we will locate the signature in one of the drive letters and GUID found there:

SystemConfiguration

HKEY_LOCAL_MACHINESYSTEMMountedDevices

Once we have located the key, we can find the MBR Disk Signature in the MountedDevices Key:

MBR Disk Identity Found in Registry

MBR Disk Signature Found in Registry

You can see the value is 5e 82 A0 EC.  However, you might be wondering what the 8 bytes of information that immediately follows it.  Those bytes (00 00 10 00 00 00 00 00) is the byte offset of the location of the beginning of the partition.  If you convert to little endian and covert to decimal the value stored in those 8 bytes = 1048576 bytes.  If you divide by the sector size (512 bytes), the value would be sector address 2048.  If you look in the MBR above, you can see that the first partition begins at sector address (00 08 00 00 = sector 2048).  The last 8 bytes of the signature stored in the registry key point to the byte offset of the start of the partition itself after you convert the bytes into the sector address.

Why is this?  Simple.  If you have a drive enclosure or a disk drive with two or more partitions, the MBR Disk Signature will be the same.  Therefore, the last 8 bytes are needed to tell one partition apart from the other at the operating system.  In some cases, you will have two partitions that have the exact same MBR Disk Signature, but are two different partitions from the same drive.

Here is another example:

MountedDevices

Same MBR Disk Signature: Two Partitions Example

In the above example, we can see the MBR Signature is a2 ee b2 28.  We can see one partition is located at byte offset (00 00 10 00 00 00 00 00 = 1048576)  1048576/512 = Sector 2048.  In the second one, we can see the second partition located at byte offset (00 00 50 06 00 00 00 00 = 105906176 bytes) 105906176 bytes/512 bytes = Sector address 206848.

Example 2:

Here is the MBR Disk Identity found at decimal offset 440 in another drive enclosure:

FTS2

MBR Disk Signature Found At Decimal Offset 440

The MBR Disk Signature is 42 AE 74 5C.  We can also see that this is an NTFS Partition (0×07) and the begginning of the partition starts at sector address (3f 00 00 00 or Sector 63).  If we convert that to a byte offset, we multiple 63*512 bytes = 32256 which would be (00 7e 00 00 00 00 00 00) for the 8 byte partition beginning.

So for the partition located in this disk image we should find a disk signature and partition beginning noted by the following: 42 AE 74 5C 00 7E 00 00 00 00 00 00

We will now look in the HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices and compare the values there:

Reg2

As you can see above, we found it.  The key is identifying the MBR Disk Signature and if needed, we can identify the specific partition by looking at the 8 bytes following it.

USB Drive Enclosure Examination Guide

Because of this new information, I have updated the USB Forensic Guide to account for this information and created a new guide that will follow this process in XP, VISTA, and Win7.

The USB Drive Enclosure guide can be found here:

USB Drive Enclosure Guide

USB Drive Enclosure Guide

If you find any errors in the guide, please let me know.  rlee@sans.org

Some caveats.  1.  If you do not have the disk drive or enclosure when you begin forensication, I am still figuring out a way to map the GUID to the drive without knowing the MBR Disk Signature.  If you have any thoughts on how to solve this challenge, please let me know.  I am still looking for another way to figure out how to do that without having the drive handy. 2.  This guide assumes there is a single partition.  If you have more than one patition, you will need to figure out the specific starting sector, convert it to byte offset in 8 byte little endian format to find the specifc device in the MountedDevices key.

Forensicate Away!

This material was created as a part of SEC408: Computer Forensic EssentialsSANS Security 408: Computer Forensic Essentials focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

__________________________________________________________________________

Rob Lee is a Director  for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute. In his spare time, he is now pondering creating additional guides for eSATA and Firewire Devices.

Updated: Computer Forensic Guide To Profiling USB Thumbdrives on Win7, Vista, and XP

Comments Off
Posted by robtlee on September 9, 2009 – 5:21 am
Filed under Computer Forensics, USB Device Analysis, Windows IR

Several times over the past year it has come up in a discussion about the key differences between examining USB Key/Thumbdrives on XP, VISTA, and Windows 7.  We did an initial post several weeks ago, but found some new information and have updated our guides as a result.  Thanks to SANS Digital Forensic Instructor Colin Cree for the wonderful feedback.

As a part of the SEC408: Computer Forensic Essentials course, we have an extensive section on residue left by USB Devices.  I am providing a single guides to help you answer the key USB Key/Thumbdrive questions for your case covering XP, VISTA, and Win7.

ThumbDrive

How would you examine these keys?  We recommend Access Data’s Registry Viewer and Regripper.  Even though you can get access to the data, there is not a tool that has this process automated yet.  The guides will help you step through the keys/values in addition to the files you will need to correctly parse the data.

USB Device Forensics for Windows XP:  DOWNLOAD

XP USB Key Guide

USB Device Forensics for Windows VISTA/WIN7: DOWNLOAD

VISTA USB Key Guide

__________________________________________________________________________

Rob Lee is a Director  for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.

Network Forensics Puzzle Contest!

5
Posted by jhamcorp on August 19, 2009 – 12:20 pm
Filed under Computer Forensics, Incident Response, Network Forensics

By Jonathan Ham

*Prizewinner to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

SEC558_4_245x90

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

  1. What is the name of Ann’s IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

Here is your evidence file:
http://jhamcorp.com/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to contest@jhamcorp.com. The deadline is 9/10/09. Good luck!!


If you want to learn more about collecting and analyzing network evidence, check out Sec558: Network Forensics. “No harddrive? No problem!”

Jonathan Ham is an independent security consultant and a SANS Certified Instructor, who teaches forensics and other tracks. When he goes to sleep at night, he counts packets as they leap through firewalls.

Fingerprinting Systems with Firewall Logs

Comments Off
Posted by jhamcorp on August 6, 2009 – 6:13 am
Filed under Computer Forensics, Incident Response, Network Forensics

By Jonathan Ham

How can you investigate a computer that isn’t there any more?

A lot has been written about methods for “fingerprinting” systems with active scanning methods (eg. nmap). These of course require that the system be actively reachable, and that you don’t mind totally giving away your position with a very noisy scan (sort of like shooting a shotgun directly at a suspect to see if you can get him to look at you, in hopes that you’ll catch a glimpse of his face).

A lot has also been written about more covert ways of achieving the same goal, based on packets surreptitiously captured from the host of interest (a la p0f). This is certainly very cool, and can be inordinately useful…if you happen to have packet captures from the host of interest, or can begin to get them. (Either you were capturing its packets to begin with, or it’s still around to get packets from.)

But what if the system is long gone, never to return? Or what if you’re lucky enough to see it again, but for technological/logistical/legal reasons you can’t grab its packets? As we see in Sec558, all hope is not lost…

While most firewalls report only sparse information about the packets that they see (and perhaps reject), many of them at least include such information as the Time To Live (TTL) field. What a lot of forensic analysts don’t realize is that different operating systems choose different initial values for the TTL field. For example, current versions of Linux start with 64, and Windows with 128. So if you see a packet logged by a firewall with a TTL of 61, it’s a pretty good guess that it came from a Linux system 3 hops from the firewall. Of course it could be a Windows system 67 hops away, but which is more likely?

TTLs can be, and sometimes are, crafted. But when dealing with the 99% of packets whose headers aren’t crafted, this works like a charm. You can also correlate TTLs with other aspects of the network traffic logged by a firewall, such as source and destination port numbers, IP ID sequences, and such.

Here are three lines from an iptables firewall log. Can you guess what OS the client is running?  How about the manufacturer?

Mar 24 12:13:13 192.168.1.10 kernel: [  915.256256] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC=192.168.1.170 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61495 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 24 12:13:14 192.168.1.10 kernel: [  916.006952] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC=192.168.1.170 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61496 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 24 12:13:14 192.168.1.10 kernel: [  916.764653] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC=192.168.1.170 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61497 PROTO=UDP SPT=137 DPT=137 LEN=76


Solutions:

With a TTL of 128, this is probably a Windows system 0 hops away (meaning it has not traversed a router, so it is on the local segment). This is further supported by the UDP port 137 (NETBIOS) traffic, which is very common for Windows systems. The sequential IP IDs tend to corroborate this as well.

Based on the first three bytes of the MAC address (”00:21:70″), it’s probably a Dell. :-)


If you want to learn more about collecting and analyzing network evidence, check out Sec558: Network Forensics.
“No harddrive? No problem!”


Jonathan Ham is an independent security consultant and a SANS Certified Instructor, who teaches forensics and other tracks. When he goes to sleep at night, he counts packets as they leap through firewalls.