Investigate and fight cyberattacks with SIFT Workstation


Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything one needs to conduct any in-depth forensic investigation or response investigation.

Capture9The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static so whenever there were updates, users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, if there is an Ubuntu subsystem running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that allows for much more functionality, is much more stable, and is comprised of specific tools such as the Package Manager. This time the package supports rolling updates, and uses SALT, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third-parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

Shortcuts for Understanding Malicious Scripts

You are being exposed to malicious scripts in one form or another every day, whether it be in email, malicious documents, or malicious websites. Many malicious scripts at first glance appear to be impossible to understand. However, with a few tips and some simple utility scripts, you can deobfuscate them in just a few minutes.

Capture3SANS Instructor Evan Dygert conducted a webcast on October 3rd, 2018. This webcast teaches you how to cut through the obfuscation techniques the script authors use and not spend a lot of time doing it. Evan also demonstrates how to quickly deobfuscate a variety of malicious scripts.

The samples of the scripts he provided during the webcast can be downloaded here: Please note the password for the folder is: “infected”



Capture4We hope that the techniques presented in this webcast help you to begin deobfuscating potentially malicious JavaScript.  This topic is explored in depth in the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course.  This class offers an excellent opportunity to understand the unique and insightful perspective that malware analysis can bring to your investigations.




New CheatSheets you might be interested in:

Tips for Reverse-Engineering Malicious Code – This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. Download Here

REMnux Usage Tips for Malware Analysis on Linux – This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution Download Here

Cheat Sheet for Analyzing Malicious Documents – This cheat sheet presents tips for analyzing and reverse-engineering malware. It outlines the steps for performing behavioral and code-level analysis of malicious software. Download Here

Malware Analysis and Reverse-Engineering Cheat Sheet – This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat (PDF) files Download Here


For opportunities to take the FOR610 course, consider upcoming runs and modalities: 

US & International live training : Live events offered throughout the US, EMEA & APAC regions.

 DFIR Summits :  Two days of industry expert talks plus DFIR training events

Simulcast :   Live events from anywhere in the world.

OnDemand  : Learn at your own pace, anytime, anywhere.








DFIR Resources: Digital Forensic Blog | Twitter | Facebook | Google+ | Community Listservice | DFIR Newsletter

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!

summit video pic

To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us text2985celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

Acquiring a Memory Dump from Fleeting Malware


The acquisition of process memory during behavioural analysis of malware can provide quick and detailed insight. Examples of where it can be really useful include packed malware, which may be in a more accessible state while running, and malware, which receives live configuration updates from the internet and stores them in memory. Unfortunately the execution of some samples can be transient and the processes will be long gone before the analyst has a chance to fire up ProcDump. A while back, HBGary released a nifty tool called Flypaper, which prevented a process from closing down, allowing more time for the memory to be grabbed, but unfortunately the tool is now difficult to find and awkward to use. I’ve spent some time considering a suitable alternative that would work on the latest versions of Windows.

A little known feature…

During my research I found an article detailing a little known feature in Windows entitled ‘Monitoring Silent Process Exit‘.

TL;DR – You can configure Windows to automatically generate a memory dump when a process with a specified name exits.

So what this means for us is, even though the malware finishes running very quickly, we can obtain a full memory dump and extract what we need from it at our leisure.

This feature is designed as part of the Windows debugging portfolio, but we can use it as a tool in our belt. The easiest way to configure is by using a Microsoft tool named gflags.exe, which is easy to download and use. The screenshot below shows the configuration that I’ve had success with. You provide the name of the executable you’re interested in keeping an eye on (it doesn’t matter from where the process is run). In addition you have the option to choose what kind of memory dump you want generating, Custom Dump Type 2 represents MiniDumpWithFullMemory, which I found to give the most comprehensive output. There are plenty of other options that can be found on MSDN. Then you just need to run the process and wait for it to finish.


Testing the concept

To test the concept I wrote a tiny program, shown below, designed to load a string to memory and have the process exit very quickly – certainly before we would have a change to pull the string from live memory.

int main()
char secretString[] = “This is a secret string!”;
return 0;

I compiled, executed and the mini dump appeared in the appropriate folder. A quick check with BinText showed the secret string that had been stored in memory.


This is all instigated through a small number of registry entries, details of which are listed in the Microsoft article on the subject, and could easily be implemented into a sandbox or endpoint security setup to gather clues about what has occurred. I’ve found this to be a neat alternative to Flypaper without having to go to the trouble of writing a hook for the ExitProcess function.

Happy analysing!

-Adam (Twitter: @CyberKramer)




This is going to be a series of blog posts due to the limited amount of free time I have to allocate to the proper research and writing of an all-inclusive blog post on iOS 11. More work is needed to make sure nothing drastic is missing or different and to dive deeper into the artifacts that others have reported to me as currently being unsupported by tools.

From what I have seen thus far, I am relieved that iOS 11 artifacts look very similar to iOS 10. This is good news for forensicators who see iOS devices and have adapted to the challenges that iOS 10 brought. Prior to writing this, I was referred to a blog post on iOS 11,that was an interesting read (thanks Mike). I suggest you also check it out as it pinpoints what is new in iOS 11 in regards to features:

Understanding what the OS is capable of doing helps us determine what we need to look for from a forensic standpoint. From what I have seen so far, the major artifact paths have not changed for iOS 11. Key artifacts for normal phone usage appear to be in the same locations:
– Contacts- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
– Calls-/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
– SMS – /private/var/mobile/Library/sms.db
– Maps – /private/var/mobile/Applications/ – Still missing? Refer to my blog post from Dec.

When I test an update to a smartphone OS, I normally start with basic user activity (create a new contact, place some calls, send messages, ask for directions, etc.) and then I dump my phone and see what the tools can do. For this test, I created both encrypted and unencrypted iTunes backups, used PA Methods 1 and 2 and did a logical extraction with Oxygen Detective. What I found is that not all tools parsed the data in the same manner, which is to be expected. (I also plan to test more methods and tools as time allows and for my FOR585 course updates.)
To get this post done in a timely manner, I found one item that has always been parsed and jumped out as “missing” or not completely supported.


iMessages and SMS in iOS 11 were the first items that jumped out as “something is off…” and I was right. I sent test messages and could not locate them in the tools as easily as I have done in the past. I normally sort by date, because I know when I send something. Up until this release of iOS, we could rely on our tools to parse the sms.db and parse it well. The tools consistently parsed the message, to/from, timestamps, attachments and even deleted messages from this database. Things have changed with iOS11 and it doesn’t seem that our tools have caught up yet, at least not to the same level they were parsing older iOS versions.

One of the most frustrating things I find is that the tools need access to different dumps in order to parse the data (as correctly as it could for this version). For example, Oxygen didn’t provide access to the sms.db for manual parsing, nor did it parse it for examination when the tools was provided and iTunes backup. This had nothing to do with encryption, because the passcode was known and was provided. UFED isn’t the same as PA Method 1 and 2 (you have heard this from me before), but it’s confusing because most don’t know the difference. This is what it looked like when I imported the iOS 11 backup into Oxygen. Believe me, there are more than 3 SMS/iMessages on my iPhone.


However, I when I dumped my iPhone logically using Oxygen Detective, it parsed the SMS and provided access to the sms.db. When I say “parsed” the sms.db, I am not referring to timestamp issues at all, those will be addressed in a bit. Here is what my device looked like when I dumped it and parsed it in Oxygen.


Spot the differences in the messages? Yep, you now see 48,853 more! Crazy… all because the data was extracted a different way. I also tested adding in the PA, Method 1 image and those message numbers were different, but the sms.db was available and parsed. You really have to dump these devices in different ways to get the data!

Bottom line – add the sms.db to something you need to manually examine for iOS 11 to ensure your tool is grabbing everything and parsing it. The rest of this blog is going to focus on just that – parsing the sms.db in regards to changes found in iOS 11.

Let’s take a look at what is the same (comparing iOS 11 to iOS 10):
• SMS and iMessages are still stored in the sms.db
• Multiple tables in this database are required for parsing/joining the messages correctly
What is different (comparing iOS 11 to iOS 10):
• Additional tables appear to be used?
• The timestamp is different for iOS 11 – SOMETIMES!

Here is what I found (so far). The tools are hit or miss. Some tools are parsing the data, but storing the messages in a different location, others are parsing the message content, but not the timestamp… you catch my drift… What I recommend? Go straight to the database and take a look to make sure the tool(s) you rely on are not missing or misinterpreting the messages (wait… didn’t I just say that – YES, I did.)
The timestamp fields for the sms.db are all over the place now. What I am seeing is that the length of the Mac Absolute value varies between two formats and both of these formats can be stored in the same column. This is why the tools are struggling to parse these dates. Additionally, the tables in the sms.db differ in how they are storing the timestamp. So, if your tool is parsing it correctly, excellent – but still take a look at the tables.
Here are some examples of what this mess looks like. The column below is from the chat table in the sms.db. Notice how it has the traditional Mac Absolute value (number of seconds since 01/01/2001), while others are a 18 digit Mac Absolute values and some are 0 (sent messages).


Additionally, I was seeing some that were 19 digits that were not appended with 00s at the end. The “conv start date” on the left column is from the messages table in sms.db and this timestamp has not changed. As expected, your tools handle this one nicely. The table on the right column is from the chat_message_join table, and this caused a little havoc as well due to the variety of timestamps in the column. Converting this wasn’t fun! Thanks Lee for your help here. You, my friend, ROCK!


When I first ran my SQL query, I noticed this one pesky date that wasn’t converting. This is because it was the timestamp highlighted above and I needed to beef up my query to handle this. If you see a date that looks like the one below, something is up and you aren’t asking for the data to be rendered correctly. The query below will handle this for you.


Don’t believe me that this causes issues yet, take a look at how it looked in one tool.


The dates and times are not parsed correctly. I found that the dates and times appear to be consistent when the tools are parsing the 9 digit Mac Absolute timestamps from specific tables. Otherwise, expect to have to do this yourself. Here is where it was correct, but this wasn’t the case for all of my messages sent using iOS 11.


If you need a sanity check, I always like to use the Epoch Converter that I got for free from BlackBag to make sure I am not losing my mind when dealing with these timestamps. Below, you can see it was parsing it correctly (Cocoa/Webkit Date). Also, I love that it gives you both localtime and UTC.


This leads me to the good news -below is the query that will handle this for you. This query is a beast and “should” parse all sms and iMessages from the sms.db REGARDLESS of the iOS version, but only columns that I deemed interesting. (Note that I state should, because this has only been run across a few databases and you should report any issues back to me so they can be fixed.) Take this query and copy and paste it into your tool of choice. Here, I used the DB Browser for SQLite because it’s free. I limited some columns to the ones I care about the most, so you should make sure this query isn’t missing any columns that may be relevant to your investigation.

chat.chat_identifier AS “Other Party”,
datetime( + 978307200,’unixepoch’,’localtime’) AS “conv start date”,
case when LENGTH(chat_message_join.message_date)=18 then
when LENGTH(chat_message_join.message_date)=9 then
datetime(chat_message_join.message_date +978307200,’unixepoch’,’localtime’)
else ‘N/A’
END AS “conversation start date”,
datetime(message.date_read + 978307200,’unixepoch’,’localtime’) AS “date read”,
message.is_read AS “1=Incoming, 0=Outgoing”,
case when LENGTH(chat.last_read_message_timestamp)=18 then
when LENGTH(chat.last_read_message_timestamp)=9 then
datetime(chat.last_read_message_timestamp +978307200,’unixepoch’,’localtime’)
else ‘N/A’
END AS “last date read”,
left join chat_message_join on chat_message_join.message_id=message.ROWID
left join chat on chat.ROWID=chat_message_join.chat_id
left join attachment on attachment.ROWID=chat_message_join.chat_id
order by message.date_read desc

Here is a snippet of what this beauty looks like. (Note: this screenshot was taken prior to me joining attachments – aka MMS).


I always stress that you cannot rely on the tools to be perfect. They are great and they get us to a certain point, but then you have to be ready to roll up your sleeves and dive in.
What’s next – applications, the image/video files that apparently aren’t parsing correctly, interesting databases and plists new to iOS 11 and the pesky maps. That one is still driving me crazy! Stay tuned for more iOS 11 blogs and an upcoming one on Android 7 and 8.
Thanks to Lee, Tony, Mike and Sarah for keeping me sane, sending reference material, testing stuff and helping me sort these timestamps out. Like parenting, sometimes forensicating “takes a village” too.

Uncovering Targeted Web-Based Malware Through Shapeshifting

Targeted Web-Based Malware?

Malware authors are frequently observed leveraging server side scripting on their infrastructure to evade detection and better target their attacks. This includes both exploit kits and servers hosting secondary stage payloads, all of which can easily be set up to alter their responses based on the footprint of the visitor. This could include geolocation of the IP address visiting the site if the attacker is targeting users from a particular country or region, or perhaps user-agent if they are only focused on certain browsers or operating systems. Without access to the source code leveraged on the server, it is difficult to detect whether it would alter its behaviour if you were visiting from a different device or location, and therefore malware analysts may find themselves declaring a link benign, or that the payload server is down, when in fact, it is only presenting that way to the analyst in question.

Got an example?

An example of this can be seen in the Malwarebytes blog on Magnitude exploit kit which details that  “…users are inspected at a ‘gate’ that decides whether or not they should be allowed to proceed to Magnitude EK. This gate, which has been nicknamed ‘Magnigate’ by Proofpoint, performs additional checks on the visitor’s IP address and user-agent to determine their geolocation, Internet Service Provider, Operating System and browser information…”

Hmm, so what can I do?

There is of course a balance here, even if you have access to VPN software, which allows you to select the country you want to appear from, it would be extremely time consuming and cumbersome to iterate through all of the available countries, each time using different browsers and painstakingly looking to identify whether there was any variation in the responses.

To aid in this task, I have written a new tool which automates this whole process and may be useful during malware analysis if you suspect the server is hiding something from you.

It works as follows –

  1. Loads a list of countries and user-agents that you want to appear from
  2. Leverages a proxy listing website’s API to obtain various country proxies
  3. Verifies that the proxies are working, and that the geolocation is per requirements
  4. Connects to the server using the proxy and iterates through all of the user-agents requesting the site multiple times
  5. Identifies any results which are different from the control value and highlights to the analyst


I’ve uploaded a number of test documents to my webserver, which you are welcome to use for your testing: &

Both of these do the same thing – they wait until they observe someone connecting from a Chinese IP address with an iPhone user-agent before presenting the main content. The first URL will return a result in all other circumstances stating “Go away”, and the second will return a 404 error unless the conditions are met.


The screenshot below shows the script iterating through various user-agents whilst connected to a Chinese proxy. In each case we can see the result was a 404 until the iPhone user-agent was sent, after which the script presented a ‘diff’ style output on what was different about this case.


Great! Where can I get it?

The script was written in Python (v3.x) and is available from Github here.

Please feel free to use / fork / enhance / provide feedback.


Happy analysing!

-Adam (Twitter: @CyberKramer)


Rapid Provisioning of a Malware Analysis Environment

The preparation of a malware analysis environment can often be a lengthy and repetitive process. I am not referring to setting up a virtual machine which contains all of your tools, but rather recognising that each sample you analyse may have very specific environmental requirements before it is willing to execute fully. For example, it may require a certain number of files to be present in the My Documents directory, or may check for a specific registry key.

If we consider how many analysts around the world were looking at the same major threats in 2016, it seems rather silly for each of them to have to manually setup their environments as required by the sample. One solution may be sharing of VMs, but this comes with issues such as operating system licensing and the shear size of the package to be exchanged, which got me thinking, there’s got to be an easier way.

Accordingly, I have been developing an open source tool ‘rapid_env’ (as in, ‘rapid environment’) which allows for the instant, template based provisioning of a Windows environment. This can include elements such as files, registry keys, processes and mutex, all of which can alter the way that many of the current threats behave.

[View C++ Source Code]
[Download Binary]
Continue reading Rapid Provisioning of a Malware Analysis Environment

Digital Forensics – Automotive Infotainment and Telematics Systems

 Paul A. Henry – Senior Sans Instructor –



Powerful Features

There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 – Source), including but not limited to:

  • Digital radio
  • Satellite (GPS) navigation
  • Bluetooth connectivity (the vehicle has its own phone number that SMS messages can be sent to and some systems will even read your SMS text messages to you)
  • Audio player – on CD, MP3, USB or Bluetooth
  • Internet access (Hotspot) – enables web browsing for multiple passengers via an in-built Wi-Fi connection, and can also provide real-time traffic updates for GPS navigation systems
  • Satellite TV tuners – for passengers or for everyone as long as the car is parked
  • Cameras – an array of cameras literally showing a bird’s-eye view of the car, making maneuvering in tight spaces even easier then ever before
  • Screen mirroring – wirelessly connect mobile devices to the automobile and mirror its user interface on the car’s larger touchscreen


Figure 1

As automotive infotainment and telematics systems evolve and become more powerful, the value of the historical data they contain from an evidence perspective grows as well.

Automotive Infotainment and Telematics Systems Are Not Crash Data Recorders

 It is important to understand that automotive infotainment and telematics systems are not the same as crash data recorders (CDR), or event data recorders (EDR). In a CDR, safety sensor data such as brake position, speed, steering wheel position and airbag deployment is recorded at high frequency but only for a matter of seconds leading up to a crash. In an automotive infotainment and telematics system data is collected from primarily non-safety related components (i.e. speed and coordinates from GPS at a lower frequency but for a substantially longer time period). Hence while CDR systems can determine a point of impact an automotive infotainment and telematics system can perhaps show the longer term driving habits of the vehicle’s driver.

Abundant Information but Difficult to Get To

 While there is an abundance of available information, vendors of automotive infotainment and telematics systems have not made them easy to acquire. The forensic product vendor Berla ( use various methods to extract the data. To get to the data, one must use Berla’s iVe kit, which is composed of iVe software and hardware components for accessing numerous systems from various automakers (i.e. Ford, GM, FCA, BMW, Toyota, and Volkswagen to name a few). For some systems it is as simple as plugging a USB or on-board diagnostics (OBD-II) cable from the iVe kit into a system running the iVe desktop application and walking through the on-screen steps for performing an acquisition. For some other supported systems, an iVe device interface board (DIB) from the kit is attached to the infotainment/telematics module’s PCB as outlined in the in-app instructions. The DIB is then connected to a computer running the iVe application, as well as the kit’s power supply (for certain modules). Depending on the particular type of system being acquired, iVe will offer the option for either a physical image, logical image, or both. For certain modules, one must also remove the protective solder mask from certain pads on the module’s PCB prior to connecting the DIB, though a scratch pen is included in the iVe kit, and instructions with photos showing the specific pads to scratch are included in the application.

It’s the Wild Wild West All Over Again

It is also important to note that a CDR has a definitive government requirement (CFR-2011-title49-vol6-part563) that defines not only what data is to be stored but also the format in which that data is stored. In contrast, infotainment and telematics system vendors are all over the map regarding what data is stored and how and where it is stored. Furthermore, specifically what data is stored can vary from one vehicle model to another, even when the same system appears present in two different vehicles. This requires the forensic tool developer to have a deep understanding of the data structure for each vendor’s product as well as for each car model in order to be effective. It reminds the author of the early days of mobile device forensics.

The following is a broad example of available data types for iVe-supported systems. Any given manufacturer’s system will have a select subset based on features present for that particular system. The data stored may also vary based on the vehicle’s use, actions of the occupant(s), which features were used, etc. The types of data stored can also change when a given manufacture updates the firmware of a system.

To see if a particular vehicle is supported, and what information may be available on the system, use the iVe supported vehicle lookup on Berla’s website. The lookup is also included in the iVe application itself.

Vehicle / System Information

  • Serial Number
  • Part Number
  • Original VIN Number
  • Build Number

Installed Application Data

  • Weather
  • Traffic
  • Facebook
  • Twitter

Connected Devices

  • Phones
  • Media Players
  • USB Drives
  • SD Cards
  • Wireless Access Points

Navigation Data

  • Tracklogs and Trackpoints
  • Saved Locations
  • Previous Destinations
  • Active and Inactive Routes

Device Information

  • Device IDs
  • Calls
  • Contacts
  • SMS
  • Audio
  • Video
  • Images
  • Access Point Information


  • Doors Opening/Closing
  • Lights On/Off
  • Bluetooth Connections
  • Wi-Fi Connections
  • USB Connections
  • System Reboots
  • GPS Time Syncs
  • Odometer Readings
  • Gear Indications


Oh My! Guess What I Found on eBay?


Figure 2

An eBay seller was parting out a wrecked 2015 Silverado pickup truck (Figure 2) including its infotainment system, an NG 2.0 HMI module (Figure 3, 4, 5).


Figure 3


Figure 4


Figure 5

Primary Components in the NG 2.0 HMI

  • Micron Technology N2M400JDB341A Flash – eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC – Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module – Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM – DDR3-1333, 4Gb, 1.5V- (Qty: 2)
  • Epson AP-6110LR Inertial Sensor – 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • Spansion S29GL512S100DHA02 Flash – NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller – 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer – FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive


Lets acquire some data

Preparation for acquisition (Figure 6) involves scratching insulating material away from specific PCB pads, as specifically outlined in iVe’s instructions, to permit connectivity with the PC board traces. The fiberglass scratch pen has strands that tend to come apart during the removal process, so gloves and safety glasses are highly recommended. The iVe DIB is then connected to the PCB. Proper alignment of the DIB pins on the PCB is critical.



Figure 6


The PCB is powered with the variable power supply (Figure 7) that is included in the iVe kit. It is important to ensure the voltage is adjusted to 12V prior to connecting the leads to the PCB power connector.


Figure 7


The iVe application includes an acquisition wizard to walk the user through each step for setting up the acquisition.

The iVe DIB is connected to the computer running iVe, and power is applied. After successfully testing the hardware connections by clicking the ‘Detect’ and ‘Test’ buttons (Figure 8) in the software, the acquisition can be started. For the HMI module, iVe allows for a logical image to be acquired.


Figure 8

Once extraction has completed, analysis can be performed, and reports can be generated. iVe’s data export functionality supports .csv, tab-delimited, and .kml for GPS data, and reports can be exported in HTML or PDF format.


Below is some of the data collected by iVe for the HMI device in this test.

Attached Devices (Figure 9)


Figure 9

SMS Messages (Figure 10)


Figure 10

Call Logs (Figure 11)


Figure 11

Contacts (Figure 12)contacts

Figure 12

Device Events (Figure 13)


Figure 13

Voice Recordings (Figure 14)


Figure 14

Carved Files (Figure 15)


Figure 15

Music (Figure 16)


Figure 16

Summary of HMI Device

  • No crash data but good data to establish habits and patterns of the driver
  • Examples of available historical data included
    • Calls
    • SMS
    • Some GPS Information
    • Media (i.e. Music)
    • Connected Devices
    • More Can Possibly Be Parsed from Recovered DB Files


Another Visit to eBay

We already imaged an NG HMI so this time I was looking for an OnStar Gen 9 device to analyze (Figure 17).


Figure 17

Primary Components of OnStar Gen 9

  • Micron Technology N2M400JDB341A Flash – eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC – Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module – Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM – DDR3-1333, 4Gb, 1.5V- (2)
  • Epson AP-6110LR Inertial Sensor – 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • 6-Layer – FR4, Lead-Free
  • Spansion S29GL512S100DHA02 Flash – NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller – 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer – FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive


Lets acquire some data

As with the previous acquisition, the iVe DIB is attached to the PCB and the computer running iVe. The variable power supply is tested to ensure it is set at 12V before connecting it to the PCB power connector. The step-by-step acquisition wizard in the iVe software is followed to begin the data extraction (Figure 18). iVe allows for a physical extraction on the OnStar Gen 9.


Figure 18


Below is some of the data collected by iVe for the OnStar Gen 9 device.

Attached Devices (Figure 19)


Figure 19

SMS Messages (Figure 20)


Figure 20

Call Logs (Figure 21)


Figure 21

Contacts (Figure 22)


Figure 22

Locations (Figure 23)


Figure 23

Power Events (Figure 24)


Figure 24

GPS Tracking (over 5000 entries in one-second intervals – Figure 25)


Figure 25


Summary of OnStar Gen 9 Device

  • No crash data but good data to establish habits and patterns of the driver
  • Tons of historical data
  • Calls
  • Tons of GPS information including over 5000 tracking entries in one-second intervals detailing speed, distance and GPS coordinates
  • Connected devices
  • More can possibly be parsed from recovered DB files


In Closing

  • No crash data but tons of historical data that can potentially show details of driver’s habits prior to a crash
  • Your “mileage may vary” as to exactly what can be recovered, partially depending on how the vehicle was used and what features and actions the occupant(s) employed
  • Big difference between HMI and OnStar devices as far as available data goes, though that is by design, as the latter is intended primarily for telematics functions rather than infotainment
  • Also data recoverable may depend on specific implementation for a given car model
  • There is no clearly defined data standard for vehicle infotainment and telematics systems
  • Very much like the early days of mobile device forensics
  • Crash forensics using Bosch does use the US government standard CFR-2011-title49-vol6-part563 – more on that later in a future blog post
  • Though the above tests covered only GM systems, iVe supports numerous makes, including Ford, GM, FCA, BMW, Toyota, and Volkswagen
  • Support for more and more vehicle makes and models is constantly being added to iVe
  • Using the supported vehicle lookup on will help determine whether a specific vehicle is currently supported in iVe




Call for Presentations Now Open!


dfirsummit 2017Submit your proposal here:
Deadline: January 16th at 5pm CT


The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Check out some of the DFIR Summit 2016 talks:


We are looking for Digital Forensics and Incident Response Presentations that focus on:

  • DFIR and Media Exploitation case studies hat solve a unique problem
  • New Forensic or analysis tools and techniques
  • Discussions of new artifacts related to smartphones, Windows, and Mac platforms
  • Focusing on improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New, fast forensic techniques that can extract and analyze data rapidly
  • Focus on Enterprise or scalable forensics that can analyze hundreds of systems instead of one at a time


Malware Can Hide, But It Must Run


Article originally posted in
Author: Alissa Torres

It’s October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price.
Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
Although Microsoft is not expected to reach its Windows 10 rollout goal of one billion devices in the next two years, their glossiest OS to date currently makes up 22% of desktop systems according to netmarketshare.com1. By this time, as a forensic examiner, you have either encountered a Windows 10 system as the subject of an investigation or will in the near future. Significant changes introduced with Windows 10 (and actually with each new subsequent update) have required some “re-education” to learn what the “new normal” is.

Let’s jump in and check out the differences that Windows 10 has brought to the world of forensics by examining some key changes in the process list. In performing memory analysis, an investigator must understand the normal parent-child hierarchical relationships of native Windows processes. This is the essence of “know normal, find evil” and allows for effective and efficient analysis. Most of you have used the Edge browser which was released with Windows 10 in Summer 2015. Whereas Internet Explorer is typically launched by explorer.exe (run by default as the user’s initial process), Edge is spawned by the Runtime Broker process, which has a parent process of svchost (a system process). Edge runs as a Universal Windows Platform (UWP) application, one of the many Windows apps built to run on multiple types of devices. Runtime Broker manages permissions for Windows apps. This hierarchical process relationship deviates from one of the traditional analysis techniques we have relied on in past versions of Windows: System processes will have a parent/grandparent of the SYSTEM process and normal user processes, like browsers, will have parent lineage to explorer.exe. The screenshot below shows the hierarchical structures of a Win10 RTM system Build 10240 using Process Hacker tool.

Figure 1. Typical Hierarchy of Internet Explorer Process

Figure 2. Hierarchical Structure of Microsoft Edge and SearchUI Processes

Other new additions to the Windows process list are SearchUI.exe, the Search and Cortana application and ShellExperienceHost.exe, the Start menu and Desktop UI handler, . As Windows apps, they are both spawned from the same Runtime Broker process as Edge. In this screenshot above, the SearchUI and ShellExperienceHost processes are in gray, indicative of suspended processes. Only one Windows app is in the foreground at a time, those that are out of focus are suspended and swapped out, with process data being compressed and written to the swapfile.sys in the file system2.

Prepare for Internet connections to automatically be spawned by some of these new Win10 processes. OneDrive (formerly known as SkyDrive) has a connection to port 80 outbound and SearchUI (Cortana) creates outbound network connections as well when the user accesses the Start Menu. An example of network activity from the SearchUI process is shown below.

Figure 3. SearchUI.exe Network Connections

The memory data compression behavior first seen in Windows apps on Windows 8 has been implemented on a wider scale in Windows 10. Now when the memory manager detects “memory pressure”, meaning there is limited availability for data to be written to physical memory, data is compressed and written to the page file.3 Why is this relevant to the forensic examiner? Analysis of page file data can yield fruit, uncovering trace artifacts that indicate the malware at one point resided on the system. Remember that the contents of the page file was once in physical memory. This data, though highly fragmented, is great for string searches and yara signature scans. With the implementation of Windows 10 memory compression, a new obstacle exists for such analysis.

If you have done investigations involving nefarious command line activity, it is useful to know that the cmd.exe process now spawns its own conhost.exe process as of Windows 8. This is notable because in previous Windows versions, conhost is spawned by the csrss.exe process. I am always leery of a command shell running on an endpoint, particularly one to which a web browser has a handle.

It is often difficult to discern what version of Windows 10 your target system was running at the time memory was acquired. Two significant updates have been pushed since Windows 10 initial release, Threshold 2 in November 2015 and the Anniversary edition in July 2015. Shown below is imageinfo plugin output from Rekall Memory Forensic Framework (1.5.3 Furka)3 detailing the Build Version. With so many different features added between Windows versions as well as significant changes rolled out in updates, having a tool that uses the publicly available Windows symbols, like Rekall, is key. When profiles have to be created in order to support new versions of Windows as seen in analysis tools, there is lag time. Rekall automatically detects the Windows version and uses the hosted profile from its repository by default.

Pic 4

Xbox runs on Windows 10 now and you may be among those celebrating that you can now stream console games to your computer. But how does this effect our forensic findings? Expect to see Xbox gaming services present even if they are not being used. Since malware commonly instantiates new services or hijacks existing ones as a method of persistence, again, it is good to know what normal looks like.


Hopefully a recap on how things have changed in recent versions of Windows will speed your analysis as you work to unravel the story of what evil happened on a system. Happy hunting!

SANS FOR526: Memory Forensics In-Depth course provides you with the advanced skills you need to understand the newest Windows OS changes and find the evidence that might be left in the crime scene otherwise.  Learn these critical skills and master the advanced investigative methods to find evidence in volatile memory with course author Alissa Torres at SANS Security East 2017