Wednesday, December 24, 2008

Monday, December 22, 2008

Using RegRipper

Ever wonder how to use RegRipper for analysis? After all, the tool pulls data from Registry hive files, and while there is a considerable amount of data reduction, what do you do with the data you get?

Let's look at an example. Say that you've got an issue going on with some systems, and you (a) acquire an image of a system, (b) use FTK Imager to get copies of just the Registry hive files from a live system, or (c) connect to the system via F-Response...at that point, you run RegRipper, or just rip.exe with one of the plugins to extract information from the Services key in the System hive file. If you happen to see Ndisprot listed as a service, you may have found a Trojan.Flush.M infection.

*Note: Trojan.Flush.M is apparently also known as "DNSChanger", and this blog post refers to some excellent resources for checking your network for rogue DHCP servers, including MS's own dhcploc utility.

Also, RegRipper can be used to check for the existence of patches and updates, such as KB958644, which addresses the Server service vulnerability from MS08-067.

Check out the RegRipper.net forums for some new plugins uploaded by Don Weber.

How do you use RegRipper?

Saturday, December 20, 2008

Some Good Reading...

I wanted to post some interesting items I've run across and read recently...

Brian Krebs wrote an excellent article that appeared on the cover of Popular Mechanics entitled "When Hackers Attack". Page 2 of the article discusses data trafficking, which is very timely as Brian has also blogged on that topic recently.

Brett Shavers has a PDF document up called Virtual Machine Forensic Analysis, which is another excellent read and full of valuable information whether you're analyzing a virtual machine for intrusion or compromise, or as part of a malware analysis process.

For a wider range of reading, Christina's updated the eEvidence site recently; she's always posted links to some very valuable articles, presentations, and other resources.

Perl Module Updated!

Just in time from Christmas, James MacFarlane has give us some Perly goodness! James has updated Parse::Win32Registry to version 0.41! The update appears to be to get key classnames, and is demonstrated in an additional script that James has provided as part of the distro.

James has done a fantastic job with this module, making so much of what I and others do possible with respect to forensic analysis. For example, just last night, a friend of mine sent me three RegRipper plugins that he's going to be posting on RegRipper.net. While I can't say that RegRipper would not have been possible without James' module, I can definitely say that it wouldn't be in the state its in now without it.

Thanks, James!

Thursday, December 18, 2008

RegRipper

RegRipper made the SANS Forensics blog today in a post by John McCash about Windows viewers. Pretty cool stuff! John has deployed RegRipper (actually, rip) in a manner that I hadn't even considered when I wrote it...by launching rip as a viewer via EnCase. Very cool!

How're YOU using RegRipper? Have a plugin you'd like to share? Have a plugin you'd like to see? If you don't feel that your programming skills are up to the job, then all I've ever asked for is a concise description of what you're looking for, and a sample hive file. For stuff like the ShellBags keys or encrypted data, I'll need some formatting or decryption information.

Addendum: Don Weber posted three new RegRipper plugins to the RegRipper.net forums...

Less blogging, more writing

There's likely a noticeable slow-down in posts to this blog, and that will continue, as I'm working on the second edition of Windows Forensic Analysis right now.

2/e is expanding on the first edition by not only updating/adding information to the existing chapters, but also adding two additional chapters; Tying It All Together, as well as one that presents more freely available tools.

2/e should be available around May or June 2009, and thanks, but I already have a tech editor. ;-)

Saturday, December 06, 2008

Windows Hibernation files

Matthieu has made his Exploiting Windows Hibernation File presentation available...for anyone interested at all in Windows memory analysis, his presentation is well worth a look. Matthieu is the first person that I'm aware of to come up with a means of exploiting or taking advantage of the hibernation file as a viable source of data, and is a contributor to the Volatility framework. Other presentations and demos can be found here.

Issues with AV

I noticed Hogfly's been blogging lately about issues with AV, here and here. It's some good stuff, and I think bears repeating...AV is NOT a silver bullet, and I think most of us are really very well aware of that.

A while back, I commented about an issue presented by AV company write-ups providing incorrect information; in this case, identifying a Registry entry that was created not directly by the malware itself, but by the shell as a result of how the malware was launched on the system. Given the level of technical ability of many malware analysts, you'd think it would be an easy catch.

Well, I ran across this one at the MS Malware Protection Center Encyclopedia this morning - malware identified as Win32/Autorun.GR, and yet the write up (as of this morning) gives no indication of any sort of autorun capability, via a Registry setting or otherwise. Ag;ain, as of this morning (6 Dec), the description simply states that the malware writes itself to the root of all available drives; however, there's no description or discussion whatsoever of why this malware is referred to as "autorun". Yeah, yeah, I know that the Technical Details state that additional info is pending analysis, but if you're gonna call it "autorun", shouldn't there be a reason for that? After all, if the files are just written to the root of the drive without any other means of initiation, wouldn't that then be something like "Win32/Usersgottaclickme.GR"??

On the other hand, VirusList has a good write up on AutoRun.ah which pretty clearly states where the autorun capability comes from. At least from this write up, you can pretty clearly see the steps you need to take to prevent this malware from affecting your infrastructure.

The more information you can get, the better prepared you can be to address the threat. I know that on the surface, to many, the issue of viruses and malware seems pretty pedestrian, but to be honest, there are a number of organizations out there that get pretty badly hung up by viruses (not even worms) and other similar issues.

Friday, December 05, 2008

Honor Thy Settings

Some of us have been working with the Sality virus lately, which reportedly propagates by writing an autorun.inf file and an executable file to the root of all volumes or drives found on the infected system. If the user workstation maps to a file share, for example, the virus process writes the files to the volume, and anyone else that then connects to that share also gets infected. The same has been shown to be true for removable storage, such as USB thumb or flash drives.

So when working with analysts and customers, most of us tend to recommend disabling autorun capability all together, or perhaps for specific drives. Usually this is good advice, but only if it works. MS recently published this KB article which basically states that previous advice didn't work, and you need to install an update AND set another Registry value (ie, HonorAutorunSetting) for the functionality that you set to actually work.

Is this really such an important issue? Well, given stuff like this, and this...perhaps. Update your systems, and recommend that your friends and customers do the same. Even Symantec has picked this up.

Sunday, November 30, 2008

Changing the Face of IR

Major corporations handle our sensitive data...referred to as PII, PHI, PCI. Sometimes, they don't do such a great job of securing and protecting that data. The Dept of Veterans Affairs. TJX. World Bank. IMF. The list goes on. Data breaches happen...there's no question about that. If they didn't, guys and gals like me would be out of jobs.

Historically, the stimulus for change with respect to infosec (particularly with respect to IR) has been external to organizations. An attack or major breach stimulates some change, but its not long lived...once the panic wears off, executive management fails to see ROI from the resources that were suddenly (re: knee-jerk reaction) invested. According to Richard Bejtlich and others, there is no ROI from security...not directly anyway.

Legislation and regulation...with consequences...has a more lasting effect. Visa's PCI defines "compliance", which while not being what most of would consider "security", is at least a step in right direction. There are other regulatory/oversight bodies that provide their own guidelines...NCUA, HIPAA, etc. Section 748.2 of the NCUA Regulations provides guidance on "response programs". The PCI DSS (paragraph 12.9) provides compliance standards for an incident response plan.

Every organization with employees has a payroll process. Why? Well, without it, employees wouldn't get paid, and we all know that the CEO has to get paid, right? And oh, yeah...if you don't pay your employees, they don't come to work...you know where this one is heading. Many organizations have disaster recovery and business continuity plans, backup systems, etc. But why do some organizations not have computer security incident response plans, even when some regulatory body tells them that they need to have one?

Regulatory body definitions of "sensitive data" aside, what about corporations that loose intellectual property (IP)? Did you read this 12 Nov article in USAToday (additional commentary on the story at TaoSecurity)? Many organizations subsist primarily on their IP...remember Ira Winkler's Corporate Espionage?

The Verizon Business Security group put together some interesting statistics in their 2008 Data Breach Investigations Report; for example:

83% of attacks were not "highly difficult" (re: low-hanging fruit)
85% of attacks were opportunistic (re: "hey, look...someone left their keys in their car...")
87% of attacks could have been avoided with reasonable security controls
66% of breaches involved data the victim did not know was on the system

Perhaps one of the most interesting and revealing statistics was that reportedly 75% of breaches were not discovered by the victim. What this means is that data from within those organizations network infrastructure was compromised and exposed, and the breached organization had no idea until someone told them.

So, if its not enough that some regulatory oversight body requires you to have an incident response plan, how about the inevitability of an incident occurring? What's it gonna take for organizations to plan for an incident occurring, rather than reacting (poorly) after one has occurred? Oddly enough, any change in this regard with have nothing whatsoever to do with the victim "doing the right thing", and has everything to do with legislation and regulatory oversight.

Monday, November 24, 2008

IR Preparedness

As a responder, I often hear two reasons for folks calling for help after a breach has occurred (aside from the rather obvious one, that is) - the caller either wants to be sure that they're performing "due diligence", or they're interested in bringing in a disinterested third party to have a look at things.

Every now and then when I get a chance to sit back and reflect, something strikes me. Most often those things were right there in front of me all along, and I just never noticed them. Things like these reasons that people give me.

Take for example the reason of "due diligence". It occurs to me that if someone were really interested in performing due diligence, they would've called me before the incident occurred, to ensure that they were prepared to handle an incident. Closing the barn door and shutting the stall doors after the horse has left is not "due diligence".

What about the "disinterested third party"? If you call a consulting company to come help you contain and recover from an incident, the fact that you're paying them obviates the "disinterested" part of the description, doesn't it?

Many times, folks at an organization looking for assistance after an incident has been detected will say that they want an outside firm to handle the examination in case the issue ends up going to court. But what's the real difference between the victim organization performing the investigation and an outside firm doing so? The outside firm most often has a documented process, or at the very least documents what they did in their report.

The primary reason that consulting companies are called when an incident occurs is that the organization was simply unprepared for an incident. Regardless of legislative or regulatory requirements, they're simply unprepared.

This is not to say that when an incident occurs, you should not call someone for assistance. Rather, I'm reiterating my response from the SANS Forensic Summit panel when Rob Lee asked the panel members about response time to a call...my response was that the best time to call someone for help is before an incident occurs. At the very least, you can protect your organization by demonstrating due diligence.

Costs of not being prepared
Fines - legislative/regulatory oversight often comes with some kind of fine
Notification - writing and mailing letters is going to cost time and money
Charges - 20,000 Visa credit card numbers are exposed...who's going to pay for the cost of reissuing all of those credit cards? You get three guesses, and none of the answers are "Visa" or "the card holder". And two of your guesses don't count.
Suits - Civil suits have been brought against organizations as a result of a breach; just defending yourself is expensive

Something very important to remember about regulatory requirements is that in many cases, unless you're able to definitively identify the data that was exposed, you may have to notify on ALL data that could potentially have been exposed. So, if the database containing 6 million records was compromised, and you were not prepared for an incident, and you think that only 23,000 records were exposed...but you don't know for sure...guess how many people you're going to have to notify? You get three guesses, and the first two don't count.

Benefits of Incident Preparedness
Compliance - with legislative and regulatory requirements
Lower overall cost - the upfront cost of doing nothing is...nothing; in the long run, however, costs mount.
Confidence - from your Board of Directors and the consumer (b/c you're demonstrating "due diligence")

As long as we use IT assets to conduct business, and as long a people are part of the process, there will always be a need for incident response. Incidents are always going to occur, without question. The difference today (and tomorrow) is if you're going to be prepared for an incident...or not.

Thursday, November 20, 2008

Yet another way to use RegRipper

The other day, John McCash sent me an email that said the following (posted with permission):

I figured out how to make Encase switch the current working directory for the viewer and like it. The command line "/c cd /d D:\regripper&rip -r [file] -f all&pause", using "C:\WINDOWS\system32\cmd.exe" as the application path, works just dandy in the file viewer configuration.

What John's done is launch rip.exe as an EnCase file viewer. Now, I'm not sure why you'd want to use "D:\regripper&rip", and to be honest, I usually don't use file viewers in EnCase, but hey, John, if that works for you, more power to ya! Git 'er done! ;-)

Saturday, November 15, 2008

New Code Posted

I posted JT's deleted.zip code to the RegRipper site this morning...go to Downloads, click on RegRipper, and you'll see the zipped archive listed there. The forums are down at the moment so I'll post the simplest usage her...simply unzip the archive into a directory and use the command line:

C:\tools>deleted.pl path_to_hive_file

It's that easy.

Addendum: No, this is NOT a RegRipper plugin...this is JT's code which is completely separate from RegRipper.

Thursday, November 13, 2008

Rootkit Detection For Free

During an engagement not long ago, the customer's IT staff had collected bits of the suspect network traffic, and then using the source IP address from the capture, located the system in question and ran "netstat -ano" on the system to prove that the traffic really did originate from that system. Task Manager and tasklist.exe also showed the process with the PID seen in the netstat output.

What does this have to do with rootkits? Well, for one...it proves that they didn't have one! I can't tell you the number of times someone's said to me, "I didn't see anything suspicious, so it must be a rootkit." Yeah, and if I turn my face toward the monitor and close my eyes, and don't see any unusual processes (or anything else for that matter), does that mean that there must be a rootkit on the system?

Well, all I can say is that the simplicity of that finding made it all the more awesome...

Wednesday, November 12, 2008

More Deleted Keys Goodness!

I was performing some analysis recently, and ran across some real analysis goodness.

First off, I was using my usual tools to parse and analyze Windows Event Logs, and was getting a warning that some of the logs were corrupted. First, the auditpol RegRipper plugin made it clear what was being audited and logged on the system I was analyzing, and then the evtrpt tool was providing me with statistics about the total number of event records, frequency of event IDs and sources, and the date range of all event records. All of this information can give an analyst considerable insight into the content of the Event Logs before I even open them. At that point, I used a modified version of evt2xls to parse the Event Logs into Excel spreadsheet format, and then performed my analysis. Note: EventID.net is an excellent resource to have handy when doing this sort of analysis, and well worth the annual subscription fee.

So, in the Security Event Log on one system, I saw that a user account had been used to create, modify (i.e., add that account to the Local Adminstrators group), and then delete that user account. Of course, the account had been deleted, but I found no other indications that the account had even existed (user profile, etc.), not even in the SAM Registry hive file. So I pulled out JT's code and ran it against the hive file, and presto! There was the deleted key, extracted from unallocated space within the hive file, and I two source of time data with which I could correlate the events.

In another Security Event Log, from another system, I could see where a user account was accessing the Service Control Manager on a system repeatedly, starting and stopping the PSExeSVC service. However, the System hive file from that host showed no indications of the service...until I ran JT's code on it! Again, I had timestamped data from the Event Log that I could then correlate with the LastWrite time from the deleted Registry key.

I have to say that JT did a great job with her code, which she put together as part of her master's thesis from the University of Liverpool. At her request, I will be posting her code to RegRipper.net, and including it in and along with the second edition of Windows Forensic Analysis.

While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometime by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used, said that it worked like a champ!

All in all, this is very cool, truly awesome stuff! While this sort of thing doesn't solve every problem, it does add an entirely new capability to the analyst's toolkit, providing answers to new (and in some cases, as yet unasked) questions!

Friday, October 31, 2008

Random Updates

I've been on the road a bit lately, and as such don't really have much info for a single post, but I have a couple of small tidbits that fit nicely when mashed into a single post...

I caught Hogfly's Beware the Key post...in it, he points to this KB article about correcting the "disable Autorun" capability in the Registry. By default, removable storage devices do not (and should not) have autorun capabilities enabled, but preventative measures pushed out via GPOs if necessary are a good thing. Why? Check out this article from India (here from Wired) about an iPod being used to steal data. The usbstor2 plugin for RegRipper was designed just for this type of incident; to help you consolidate data from multiple systems in one place for correlation and analysis. In an infrastructure with dispersed systems, F-Response Enterprise Edition would be extremely useful...I mean, "da bomb-shizzle".

If you do any incident response work at all, you should probably take a look at Didier Stevens' pdf-parser.py Python code. He made this code available from his blog post on analyzing a malicious PDF file. This can be used to narrow down the attack vector for an intrusion or malware on the system.

I've posted about free tools before (here, as well), and one that I wanted to add was a free, open-source AV scanner called MoonAV. If you're looking for other free tools, I'd suggest staying up on the NirSoft Blog, just like Claus. There are a number of very, very useful freeware utilities at NirSoft and more coming soon.

With respect to open-source AV, there are some other interesting, older links over at the OpenAntiVirus project page, as well.

Christine updated the e-Evidence site today! This is the closest thing to a monthly digital forensics e-zine available! Be sure to bookmark this site and check it out regularly.

Thursday, October 23, 2008

Bridging the Gap

I work for a large corporation that includes a vulnerability research organization. This organization is responsible for discovering vulnerabilities to operating systems, applications, etc. When they discover a vulnerability and develop a successful exploit, that information goes into the protection mechanisms produced by another part of the company, which are monitored by yet another part of the company. What this ultimately means is that attacks using those techniques are monitored or stopped before the systems themselves are compromised.

So I always think its cool when someone from a monitoring organization reveals some information about an attack that they've seen, such as this post from Symantec. I think its interesting to see this sort of thing, not only to see what an attack "looks like", but also to see if my analysis process includes the ability to find this sort of thing. As an analyst, I've been able to determine that yes, your system was compromised, Mrs. Jones, but when it comes down to it, how would I go about determining how it was compromised? There are a number of browser-borne attacks out there that are possible...how do you narrow down which one was used (if the initial compromise was via the browser?)?

In this particular case, the exploit involves overwriting a file opened by the MS Help and Support Center, so a quick way to check to see if this was the case is to use the following command (either on a live system, or on a system mounted with SmartMount):

C:\>dir /tw windows\pchealth\helpctr\system\sysinfo

Also, point #4 in the blog post states that the MS Help and Support Center Viewer handles "hcp://" links... to see the file association, check the Registry (in the following key) to see that:

HKEY_CLASSES_ROOT\HCP\shell\open\command

You should see something like this in the "(Default)" value:

%SystemRoot%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe -FromHCP -url "%1"

What posts like this allow us to do is to bridge the gap between vulnerability and exploit, and incident response and forensic analysis.

Another such example can be seen at the MS Malware Protection Center, particularly with this post about Win32\Rustock. Looking at the write-up, you're probably wondering how you'd go about using this information...the malware comes in three components, all encrypted, packed with ApLib, and oh, yeah...its polymorphic. Nice! However, as Jesse pointed out in his rootkit paradox paper, these things usually have a persistence mechanism, and in this case, a driver is installed. Even if it's not given the same name, RegRipper can be used to parse through the System hive file using the "services2" plugin, listing the installed services and device drivers, sorted by the key LastWrite times. If you don't want to acquire an image of the system, you can extract the System hive from a running system using FTK Imager, or show how cool you are by using F-Response.

One interesting piece that I pulled out of the write-up was that early versions of the malware apparently "...used alternative streams to store the installer...", but this technique was dropped. What they're referring to here is NTFS alternate data streams. Leave it to the folks at MS to use "polymorphic terminology" (MS has referred to these as "multiple", "alternate", and "alternative", as well as simply called them "data streams") to describe something so simple.

Wednesday, October 22, 2008

What do you need as a responder?

Many times when working with customers or talking with folks who interface with incident responders (or are incident responders), the topic of what information is pertinent to a responder comes up. When receiving calls from customers, many times the people who make the call and interface with the consultants are not themselves responders (or in some cases, even technical people), and instead represent their company from a business or legal/compliance perspective. This can often lead to misunderstandings due to differing perspectives, which ultimately leads to a lack of (accurate) information. However, this isn't restricted only to non-technical people...sometimes having the sysadmins on the call can lead to the same sort of thing, which is, again, largely due to perspective.

So...what do responders need to know when you call, or what information do your responders need access to?

Well, the first thing that an incident responder is going to need to know is your goals, or what you hope to achieve from the response activities.

In an ideal world, there are four basic sources of technical data that responders will be looking to...network traffic captures, network device log data (ie, firewalls, routers w/ ACLs, etc.), and host-based volatile (memory) and non-volatile (system image) data. There may be instances when all of this information is available, and there may be times when portions of this data is available...however, in many cases, for those unprepared for an incident, very little if any of this is available to a responder. The amount of information available to the responder is going to play a direct role in how completely the responder is going to be able to help you achieve your goals.

I once received a call from someone who needed help with a laptop. Apparently, the laptop had been infected with malware, and the immediate response was to take the laptop off of the network, wipe the hard drive, and install an updated version of the operating system. The caller wanted to know if I could tell them what the malware was, and what (if any) data had been taken. Seriously.

Some questions you're likely to be asked when you call someone to perform incident response include (but are not limited to):

- What type of incident are you experiencing? How would you characterize the incident?
- Do any of the affected systems contain "sensitive data" (per PCI, HIPAA, etc.)?
- How many systems are involved? What are their status? What are their hard drive types, configurations, and capacities (SAN/NAS, RAID 5 with a total of 100GB, mirrored, single 1TB drive, boot-from-SAN)?
- What actions have you taken already (and be honest...running an AV scan and deleting files isn't "nothing")?
- What data have you already collected, if any?
- Do you have a logical network diagram, particularly of the affected systems?

Lots of questions...do you have the answers?

Tuesday, October 21, 2008

New Tools

Thought I'd take a page from Claus's book and update everyone as to some new tools that are available...

First, over on the Volatility Tumbleblog, there's mention of two new Volatility plugins that Jesse Kornblum developed for use with Volatility. Also on the same blog is a link to a tool to search memory dumps for GMail artifacts. Both look like exceptional utilities.

Speaking of Claus, be sure to check out the updated browser analysis tools over at NirSoft. Claus is also the one who pointed out that AutoRuns has been updated. Thanks! AutoRuns a great tool to use in IR, and to keep up to date on autostart locations.

Brian Carrier updated the TSK tools to v3.0, which includes the Windows versions of the tools. I've updated my own regtime.pl script to produce output similar to that of fls, so that the output of the script can be appended to the output of fls, and parsed with mactime to produce a timeline of file (and now Registry) activity on a system. At this time, only the path and mtime fields are populated for Registry keys, as the LastWrite time is analogous to the last modification times for files. With the currently available tools, deleted keys can be added to the list. I'll need to update the plugins to have RegRipper and rip produce the same output, which would be more targeted (and perhaps more valuable) than dumping all of the keys.

Monday, October 20, 2008

'Zines

For a while now, I've been asking others about what they thought about a forensics/IR magazine...a 'zine (print or electronic) dedicated to IR/CF topics. Most of the responses I've received have been mixed...some good, not many disagreements, but also not a great deal of interest in providing content. Okay, okay...maybe that was too much to ask, but I just have to wonder if there's any interest at all.

Usually the first thing folks say is that the subject is too niche...but have you been to the bookstores lately? There are multiple magazines on tattoos and skin art, antique doll collecting...you name it. If a lot of these subjects/topics aren't "niche", I don't know what topics would be.

Other 'zines that cater to the techie-nerd crowd include Hackin9, Make, (IN)Secure, and Linux Sysadmin Magazine. Even a recent issue of Linux Pro Magazine had a couple of articles aimed at incident response...while not overly technical or "forensic-y", they were useful and an interesting read. Most such articles seem to be aimed at system administrators, with the goal of introducing them to the topic, rather than immediately taking a deep dive into the subject matter.

Content - A 'zine such as this could have all sorts of great content, if some of the emails and blogs I've seen have been any indication. There are folks out there with lots of great ideas. Of course, the "usual suspects" would be included...hardware/software reviews, maybe even book reviews, etc. Sections or articles could be specific to Linux, AS/400, Windows, MacOSX, cellphones/PDAs, etc. The stuff that goes into a 'zine like this could be limitless...challenges, reader emails, ads for conferences and products, new tools or techniques, new versions of software, etc.

Audience - who would this type of media be aimed at? State, local, and federal law enforcement, college (grad/undergrad) students in computer forensics tracks, corporate responders, consultants, even hobbyists. Pretty much anyone who does or is interested in this kind of work, regardless of from which perspective (host- or network-based).

I have no idea what it takes to start something like this from the ground up...and I'm not even going to assume that it's something I can do myself. I would be very interested in contributing...heck, anyway to get CPE points, right?...and trying to get others to contribute, as well. Right now, there is the Digital Investigation Journal, and I would like to be part of attempting to make this a more hands-on journal, and less academic in nature. I have no experience planning something like this, and besides, like most of you, I already have a day job. What I would be interested in doing is perhaps assisting someone who already has the infrastructure available, and working with others to plan out an agenda or content list a year out. One way to go about this might be to email the editor-in-chief of DIJ, expressing an interest in either creating content for the journal, or simply send in your thoughts. Also, I've asked Monika of the Hackin9 staff if this is something that they'd be interested in producing...if you like the idea, and are willing to subscribe or even contribute (dude...CPE points!!!), email her and tell her so!

Saturday, October 18, 2008

Summit Takeaways

I recently received an email from the organizers of the SANS Forensic Summit and was asked to provide my biggest takeaways from the summit, and I wanted to post what I came up with, to see if others are seeing the same sorts of things...so, here's what I provided:

I would say that the key take-away for me is that speed is essential, but should not be sacrificed for accuracy. Incident responders need to respond quickly in order to identify, classify, and as appropriate, contain an incident. In part, this puts the onus on the organizations...even if they have consultants on retainer, it will still take time for them to arrive, and then they are slowed down even further having to get up to speed and learn the environment. Consultants can assist an organization in developing a tier 1 response, training them in triage, diagnosis, preview, containment, etc., even across an enterprise. I would also say that tools such as F-Response are paramount to this sort of activity, as well. Once the initial training is complete, the consultants can respond as tier 2 or 3 responders, assisting as necessary, but knowing that the necessary data has been collected.

It's clear that state (via PII notification laws) and federal legislation, as well as regulatory oversight (PCI, HIPAA, etc.), play a huge role in incident response. In fact, these are the primary drivers to IR at this point. Think about it...if a company was not required to notify someone when a breach of sensitive data occurred, would they?

To that end, there needs to be a much more immediate response...calling a consulting firm to come on-site to assist after the incident has occurred and been detected is a fantastic idea, but one of two things are going to happen; you're either going to continue "bleeding" data while you're waiting, or you're going to stomp all over the data and destroy the indicators (aka, "evidence") that those consultants will be looking for in order to answer the questions that need to be answered.

Okay, brief digression here...what questions will need to be answered? There are essentially three questions that need to be answered in the face of a breach of sensitive data...(a) was a system compromised, (b) did the system contain sensitive data, and (c) was that sensitive data exposed or compromised as a result of the breach? In order to determine (c), in most cases, you need to minimize "temporal proximity" (thanks, AAron, for that very Star Trek-y term!!)...that is, you need to detect the breach and collect data as close to the time of the breach as possible.

Rather than fall victim to a breach and not get the answers you need (by "you", perhaps a more appropriate way of saying it would be "your legal counsel or compliance officer"), why not get someone in ahead of time, before an incident occurs, to work with you in setting up a response plan, and training your staff in a timely, accurate response?

I've said before that tools like F-Response and Volatility (the combination of the two being referred to as Voltage) have changed the face of incident response. Having these tools available to you allow you to quickly collect and analyze memory in order to triage and categorize incidents. Too many times I've been asked to come on-site only to find out that prior to the call, the customer had already turned systems off and taken them offline. These tools will help you collect more data than every before, reduce that "temporal proximity", and at the very least have data available for tier 2 incident responders to process and analyze.

Thoughts?

Wednesday, October 15, 2008

SANS Forensic Summit

The SANS Forensic Summit, a first-of-its-kind event for incident responders and forensic analysts, is over and I have to give a hearty and whole-hearted thanks to Rob Lee for chairing the event and bringing everyone...consultants, practitioners, and yes, even vendors...into such a unique forum. The combination panel and presentation format provided a great opportunity for attendees to interact with speakers in ways other than just listening to their presentations.

Speaking of which, there were a number of exceptional presentations throughout the two days. Rob talked about using TSK's fls and ils to generate file system timelines, which led me to think that it wouldn't be too great a stretch to add the same sort of capability to RegRipper, and have the Registry data included in the timeline information. The guys from Verizon gave a great presentation on their incident statistics, and the Mandiant presentation illustrated some interesting artifacts from a real-world examination.

One prevalent theme throughout the summit was that there was a lot of folks "calling the baby ugly". As humorous as that may sound, that was the euphemism for being up-front and letting folks know, yes, we have a problem. At least one of the issues identified that both Richard Bejtlich and I (and others) seemed to agree on was that the need to protect data is no longer the driver for incident response...if it ever truly was. Currently, legislation (state notification laws) and regulatory oversight (PCI, HIPAA, etc.) are the drivers for incident response.

Also, a common thread from the consultants to the admins in the audience seemed to be, help us help you. At one point during a panel, Rob Lee asked something along the lines of, how soon should someone who's been breached call for help, and my response was "before it happens." Seriously. Get someone on-site before you have find a breach, and have them look at your response plan and capabilities, and help you bring them in line with what's needed for your business. Think of the first folks to deal with a breach or some other incident as EMTs and folks like me as doctors and surgeons...if you find someone who needs help, are you going to stand around and watch the guy die, or do you want to know what you can do to (at the very least) contain the issue until you can someone with a greater skillset on-site to assist?

All in all, it was a great event, very beneficial to attendees and speakers alike. Rob did a great job pulling together talent such as Richard Bejtlich of GE and TaoSecurity fame, AAron Walters, Mike Poor and Tom Liston of InGuardians, Lance Mueller, Eoghan Casey, Bret Padres and Ovie Carroll, as well as Kris Harms, Wendi Rafferty and Ken Bradley from Mandiant, and Monty McDougal. Jennifer Kolde was there representing the FBI, as was Matt Shannon...F-Response is and was a huge hit. I was talking with a couple of folks who attended the summit and when the topic of F-Response came up, you could see the light come on in their eyes as they realized the potential that could be realized through a product like this.

It was also great to be able to talk with folks like Jeff Caplan, and (me being really bad with names) Doug and the guy from Ford.

One of the big take-aways that I got from the summit is the fact that folks like the speakers (consultants, in most cases) and attendees (admins, etc.) face a lot of the same problems with respect to incident response...namely, how to preview and triage systems, and how to do so in an enterprise environment.

I'm hoping to be invited to and be able to attend the next SANS Forensic Summit, in July 2009!

See what others thought:
AAron
Matt from F-Response

Tuesday, October 07, 2008

RegRipper Plugin Generator

Jason Koppe, whom I met at DFRWS (Jason, Cory and I "helped" close out the tab at the reception at the Wharf Rat on Monday evening...you're welcome, Brian! ;-) ) has written a RegRipper plugin generator! Check it out!

Basically, what Jason has done is come up with a good overall plan to encapsulate my vision for the plugins themselves. I've found it difficult to really come up with a discernible pattern, due to the variations in the plugins...all start at a root key, and then some look for subkeys, some for specific values, some for all values, etc. Look at the UserAssist key plugin (no, seriously...open it up in an editor)...not only are the values extracted, but they need to be ROT-13 "decrypted". The USBStor2 plugin parses and correlates information from multiple keys.

Regardless of the eccentricities of my brain and perspective, Jason's done a great job of putting together a basic RegRipper plugin generator. While there are a number of dependencies to the GTk+ UI code that James used for regview.pl, it looks like Jason has made yet another excellent argument for installing them!

Great job, Jason!

Question: Besides PlainSight, where else is RegRipper being used?

Monday, October 06, 2008

New Registry Analysis Tools

As I mentioned earlier, James Macfarlane has released an update to his Parse::Win32Registry Perl module. In order to install the module, I simply downloaded the .tar.gz file, extracted everything, and copied the contents of the lib directory in the tarball to my C:\Perl\site\lib directory. Yep, that's it.

James have been nice enough to include a number of useful utilities to demonstrate the new capabilities of his modules...some of those new utilities are:

- regstats.pl - gives you statistics about a file, such as the number of keys and values, with an option to show the number of different value types
- regtimeline.pl - prints a timeline of all Registry key LastWrite times
- regexport.pl - exports the Registry hive file (or part of it) as a .reg file

One of the most interesting tools James included with his updates is regscan.pl, which parses through a Registry hive file, identifying different cells. However, instead of following the various links between cells, regscan.pl simply parses through the binary hive file one cell at a time. Running the script produces some interesting output:

0x38cd48 1 nk $$$PROTO.HIV\ControlSet003\Control\Nls\MUILanguage\RCV2\
umaxu40.dll [2004-08-23T21:24:25Z]
0x38cda8 1 vk 0 (REG_BINARY) = 00 00 28 0a 01 00 05 00
0x38cdc8 1 ..
0x38cdd8 1 vk 1 (REG_BINARY) = ab c4 e9 4c d8 fd a5 7c de 59 ff 05 93 9e 87 ba 02
0a e6 17 27 02 f9 a3 42 27 95 a0 61 0e 66 fd

Pretty cool, eh? Probably not...doesn't look very useful, does it? Well, see that "1" following the offset? That tells you whether the key or value is "in use"; that is, is it in allocated or unallocated space within the hive file? Sound interesting? Check it out...running the following command:

C:\Perl>regscan.pl d:\cases\system | find "0 nk"

...showed me a list of all of the Registry keys found to NOT be in use in the hive file! Basically, what this script and command line are showing me are a list of deleted keys in the hive file. Here's an excerpt of the output:

0x1ef020 0 nk (Invalid Parent Key)\04 [2004-08-18T00:39:36Z]
0x1f0020 0 nk (Invalid Parent Key)\Security [2004-08-18T00:32:16Z]
0x1f2020 0 nk $$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_DCOMLAUNCH
\0000\Services\SCardDrv [2004-08-23T21:34:10Z]

Notice that the first two keys don't have their full paths traced all the way back to the root key, but the last one does.

Pretty neat stuff, eh? I'm considering including the use of regscan.pl in my SANS Forensic Summit presentation demos, but I'm not sure if the usefulness of this type of information will really be apparent...what do you think?

Bluetooth in the Registry

Does anyone out there have Registry hive files available from a system that they've used (or know has been used) to complete Bluetooth pairings?

I'd like to see about writing some RegRipper plugins to assist with the analysis of situations is which this is important.

If someone wants to loan me a laptop and some Bluetooth devices, so that I can do the testing and analysis myself, I will happily return the equipment when I'm done with it (yeah, I know....that didn't work with the USB stuff, or when folks wanted info on Firewire devices, either - hopefully my luck will change).

Saturday, October 04, 2008

Hackin9 Registry Analysis Article

I received word this past week that an article I had written on Registry Analysis would be appearing in an upcoming issue of Hackin9 magazine. I wrote this article a bit ago, and it covers some basics, and includes an image/picture from an older version of RegRipper, but I hope that they'll ask me back, and I'll be able to write something a bit more up-to-date and get it out in print sooner.

SANS Forensic Summit

As the SANS Forensic Summit draws nigh, I've been preparing the demos for my presentation, Secrets of Registry Analysis Revealed. In addition to this presentation, I'll will also be participating in some panels. I've seen the current program, and there's even a panel on volatile data, which I think is very topical and very much needed. Also, Richard Bejtlich will be giving the keynote speech on the second day.

Part of my presentation will include demos (yes, Rob told me I can't just talk the whole time...) of RegRipper and rip.exe (CLI version of RegRipper), as well as a new tool I call ripXP. Before I say anything else about this, I have to say that ripXP was an idea that Rob had several months ago...he told me something like, "hey, wouldn't it be cool if you wrote a tool like RegRipper, only it would also run the plugin against the hive files in the XP Restore Points?" So, in my copious amounts of free time (HTML really needs a sarcasm or smart-@$$ tag), I put together ripXP.

Okay, so what IS ripXP? RipXP is similar to rip.exe, in that it is a CLI tool and that it uses the same plugins as RegRipper and rip.exe. You give ripXP (as command line arguments) the hive file, the directory where the Restore Points reside (more on that later), and a plugin to run. Once you have all this, ripXP will then:

-> Access the hive file and guess what kind (SAM, System, NTUSER.DAT, Software, or Security) hive file it is (if it's an NTUSER.DAT file, it will attempt to retrieve the user's SID

-> Compare the type of hive file to the hive file that the plugin was written for; that is, if you pass it a System hive file, it won't let you run a plugin meant for an NTUSER.DAT file (just like rip.exe, ripXP includes the "-l" option so you can list all available plugins)

-> Run the plugin against the hive file you selected

-> Access the System Restore RP directories, and run the plugin against the appropriate hive

All this happens automatically, and the output goes to STDOUT, so all you have to do is redirect the output to a file.

Oh, yeah...when ripXP accesses an RP directory, it also displays the Description, Type, and Creation Date of the Restore Point.

Okay, so besides being totally, AWESOMELY, AMAZINGLY cool...so what? Well, for the demos, I'm using Lance Mueller's practical images, so the number of RP directories is limited. However, in a real examination, a tool like this would allow you to see a historical progression of data. I've used only a couple of the plugins in my testing thus far, such as userassist, acmru, and a couple of others. But look at the MountedDevices key, or any of the MRU listings in the NTUSER.DAT file...this would allow you to see a historical progression over time of how the data changed.

Also, consider a Restore Point created one day, and then the following day, some data within that key was deleted by the user. Those historical artifacts would still exist in the hive files in the Restore Points, and would not only be accessible, but would also be visible sequentially.

Finally, like rip.exe, ripXP can be deployed within a batch file, and you could even create/use a Perl script to create that batch file, based on a standard methodology. Oh, yeah...the RP directories. So, you have an image...raw dd, split raw dd, EWF, whatever. What I did was open the image file in FTK Imager and export the RP directories to another location; in my case, D:\test\XP1. Then, because I wanted to use them easily and repeatedly, I burned them to CD, so I now access them as E:\XP1\RP1, RP2, RP3, etc. What I need to do is test them for use with SmartMount, and other tools like it. Yes, this will make the command line a bit longer, but it should work just fine. (Addendum: Testing using a mounted image is complete and extremely successful!)

Anyway, this will be one of my demos. If you're going to be at the Summit, be sure to stop by when we talk about Registry analysis.

Tuesday, September 30, 2008

Rootkit Detection

I received a comment to an older post from James (thanks, James!) yesterday who pointed me toward a very interesting article on Rootkit.com by Diablo. Diablo's article describes using the Windows CSRSS process as a built-in rootkit detection facility, and even provides some proof-of-concept code.

This is definitely worth a look, at least to get an understanding of the technique that Diablo is proposing. I've used RootkitRevealer and GMER as my primary tools for attempting to detect the use of rootkits on live systems, usually following some forensic analysis of the acquired image (feel free to ask me about this technique - but don't be afraid to share yours, as well).

Resources
How many csrss.exe process should be running in vista?
MS07-021
Default Processes in Windows 2000

Monday, September 29, 2008

Updates - 29 Sept

Some new items have popped up on the IR radar over the past week or so...

CyberSpeak podcast with an interview of Kevin Mandia. Kevin talks about his experiences with volatile data collection and analysis in recent incident response engagements. Much of what Kevin talked about with respect to what he's seeing...fewer attempts to obfuscate malcode, use of SQL injection, etc...that seem to be pretty common in the commercial incident response space. Kevin also talks about MIR, and a free memory acquisition/analysis tool from Mandiant called FreeAgent. Yes, I'm going to be checking that out when I get the time (work keeps me tres busy...)

Christina updated the E-Evidence site recently. Check out the RCMP Incident Responder's guide and the shoot-out between live response and memory analysis...excellent stuff. Definitely well worth the read.

Brian Kaplan has finally been able to release his Key Extraction proof-of-concept tool, which he addresses in his Master's Thesis (good job, Brian!!). Since I won't do Brian any justice at all attempting to describe the tool, It highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from volatile memory to facilitate the analysis of encrypted media in a forensically sound manner. If you're using mdd.exe, win32dd.exe, or any other memory dumping tool, I would definitely include a copy of Brian's tool in your toolkit. (Note: Don't forget Jesse's blog post on BitLocker!)

There have been some updates to the Forensics Wiki recently involving browser forensics and network forensics. On the browser forensics side of things, Historian has been updated to include Google Chrome. The ForensicWiki is an excellent resource, and you should consider consulting and adding to it. As with any other resource, you should take the information available with a grain of salt, but to be honest, when I've needed to use it, it's been invaluable.

James McFarlane has updated the Win32::ParseRegistry module to version 0.40 and included a number of useful tools. James has left regdump.pl and regfind.pl, and added regexport.pl (dump the Registry in RegEdit 5.0 format), regscan.pl, and regview.pl (GTK+ - based Registry viewer). Thanks, James!

This wasn't so recent, but definitely worth mentioning...Moyix has been busy, and a bit ago posted on using Windows messages (from the message queue) as a resource in forensic analysis. He's got an excellent point...if you're using Volatility at all (or even thinking about using it), you should definitely take a look at his modules and be sure that you've got them added to your installation. There's no telling what artifacts you'll find laying around from the message queue.

Tuesday, September 23, 2008

RegRipper forums

RegRipper.net now has forums! Not only has Brett provided a facility for easy distribution of plugins, but he's also set up a place for folks to share their thoughts on the use of RegRipper and rip.exe.

Thanks, Brett!

Monday, September 22, 2008

Updates regarding Analysis

There's always something new on the analysis front, isn't there? It seems that I'll go away on a gig for a week or simply not pay attention to what's happening in the community, and BAM! It gets kicked up a notch!

First off, Moyix posted an excellent explanation of how the Windows message queue can be used as a forensic resource during analysis of a memory dump. Reading through the post, it's clear that while this analysis technique might not always work and provide relevant information, we all know that there are enough "buggy" apps out there that it's worth using the Volatility plugin that Moyix wrote to pull this data and have a look. The Windows message queue can hold messages that haven't been processed by the system, giving the examiner a clue as to the activity on the system at one point. The messages are associated with threads, which can be associated with a process, tying that information to an executable image file and a user.

Also, at the end of the post, Moyix mentions the possibility of getting a screen capture from a memory dump!

Excellent work, Moyix...keep it up! Also, reader...keep an eye on Moyix's blog for new plugins to add to Volatility, and expand your capabilities.

From Moyix's blog, I linked on over to the SysInternals Forums to read about a proof-of-concept tool called CrsWalker, from Diablo. This is a very interesting read...even though further down the thread, it's clear that the method of detection used by the tool is/can be circumvented, it's very interesting to see the thought process that Diablo used to develop his code. I don't think it would be a bad idea at all to get a copy of this and run it along with other tools, such as GMER or AV scanning apps.

Saturday, September 13, 2008

PlainSight

I received word from the author today of a new open-source tool that's available called PlainSight. Eoin says that the tool is part of master's program, and at this point, the tool is somewhat proof-of-concept, but looking at the tool demos, it looks as if it has a bit of promise.

The main web page describes the tool this way:

PlainSight is a versatile computer forensics environment that allows inexperienced forensic pactitioners perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

PlainSight incorporates other open-source tools (RegRipper, Volatility, etc.) to create a framework for examining disk and memory images, or local disks.

Eoin says that he plans to add the following:

- Better browser support (FF3, Opera, chrome),
- Some sort of e-mail viewer,
- Integrate in moreRegRipper plugins,
- Better support for other operating systems (currently supports Windows 98/2000/XP/Vista)

I've downloaded the ISO and would like to take a look at this as soon as I get a chance. It appears that this runs in a Linux/Knoppix environment, so perhaps some suggests might be to create a Windows version. After all, the description of the tool says it's for allowing inexperienced examiners to perform some tasks...so why not provide the capability in an environment that the examiner may be more familiar with.

Even so, at first glance, this is looks like it's the kind of thinking and effort that is needed in this community, and is definitely a step in the right direction.

Mounting Images w/ SmartMount

Lately, I've been doing some work that's required me to mount images as read-only file systems. Some of the images have been dd-format images of drives, some have been EWF/EnCase .E0x files. Instead of using WinVDK or Mount Image Pro, however, I've been using SmartMount from ASRData. I can mount the drive image, regardless of the format, and test tools such as RegRipper/rip.exe to see how they behave (and they behave very well!)

Ever since I started using SmartMount (in beta, now in eval mode), I've used it primarily to mount images as read-only file systems on Windows...nothing spectacular, just mount the image, do some testing, and unmount the images. My first impression was that it was smoother and quicker than Mount Image Pro. Reviewing the web page for SmartMount, I see that Andy's got a number of features that are to be standard for both the Windows and Linux versions of SmartMount. When SmartMount goes final, we can expect to see a more-fully featured toolset than what's available out there now.

One thing I would like to see is a freeware version for Windows with a limited feature set...say, mount .vmdk, .E0x, and dd-format images as read-only drive letters on your system. None of the fancy stuff, like the layering of write protection and overlay files, etc. Free, or lower cost, so that its easily available to a wide range of folks. The reason for this, in part, is so that the usefulness of this capability can be fully recognized.

Thursday, September 11, 2008

PyFlag for Windows

Dr. Michael Cohen, the creator of PyFlag, has released a version of his forensic analysis tool for Windows! While more of an experimental tool or framework, PyFlag is provides an analyst with significant capabilities for analyzing disk images (EWF or raw formats), packet captures/pcap files, and log files.

PyFlag has also incorporated the Volatility Framework for memory dump analysis, as well. In fact, to see this capability in action, check out this DFRWS 2008 Forensic Challenge submission, from Michael, A. Walters, and D. J. Collett. If you're thinking about using PyFlag, be sure to read through the PDF to pick up some of the nuances and interesting features of PyFlag.

There are number of images available on the web, but Michael also provides some here. There are others (here, and here), so there's no shortage of stuff to use as test data to get the feel for WinPyFlag.

Be sure to thoroughly read the list of dependencies that apply to PyFlag for Windows (WinPyFlag??) and follow the prerequisites closely. If you do, you shouldn't have any trouble setting PyFlag up and getting running.

Wednesday, September 10, 2008

RegRipper.net?

What's that? RegRipper.net? Yes, that's right...RegRipper has its own web site now! Many thanks to Brett Shavers for taking the lead on setting this up. This mechanism is so much easier than using SF.net, particularly when all that needs to be posted is a small plugin.

The site provides some basic background info on RegRipper as well as a download site for the latest version and plugins.

So, check it out...this is going to be THE resource for RegRipper from here on out...

Addendum: I mentioned earlier that someone got rip.pl running on Linux...the Linux version of rip.pl is posted in a message in the Win4n6 Yahoo Group.

Wednesday, September 03, 2008

New Stuff From SANS

Rob Lee let me know that the SANS Computer Forensics and e-Discovery with Rob Lee site is up, and looking around, it's pretty interesting. If you go to the Community section, there's a blog, links to other resources, but perhaps the most interesting is the Downloads section. This is where you find the SANS Investigative Forensic Toolkit (SIFT) workstation VMWare appliance.

I downloaded SIFT and got it up and running in VMWare Workstation (you can use VMPlayer) in no time. From there, I was able to map my host XP system to the available shares that Rob had already set up (i.e., "hack" and "images").

The VMWare appliance also comes with PTK from DFLabs already set up and ready to run. Rob also provided a neat little "cheat sheet" that you can download and keep nearby and handy when you're logged into and working in the appliance.

I know that this isn't specifically about Windows IR or forensics, but it does allow you to easily use the Linux (in this case, Fedora) platform to perform some modicum of analysis.

Don't forget about the SANS Forensic Summit in Oct, in Vegas!

Sunday, August 31, 2008

Fun Stuff

While attending DFRWS 2008, I also attended the Forensic Rodeo. I say "attended" because I originally had no intention of participating, as I had wanted to watch what others did with the data and the process they used to approach their analysis. It was very interesting to watch the team at my table, and the forensic rodeo was actually somewhat realistic.

Want to give it a shot yourself? The files for the forensic rodeo have been posted here.

I'd be interested to hear your approach, and the tools you used.

Saturday, August 30, 2008

RegRipper News and Mentions

I'm never really sure who's using RegRipper and how they're using it, or how they'd like to use it. However, getting input or feedback from the folks using it inevitably leads to making RegRipper a better tool.

James E. Martin mentioned RegRipper in his Detection of Data Hiding in Computer Forensics presentation. In the presentation, Mr. Martin demonstrated the use of RegRipper to extract USB device information from a System hive file.

I was recently discussing the issue of presenting USB data from multiple systems in an easy-to-view and -manage manner using RegRipper with another examiner. RR is a GUI tool that parses one file at a time...however, rip.exe comes along with it (another user recently contacted me and informed me that he made a couple of minor modifications and now runs rip.pl on Linux) and is a command line interface (CLI) tool that is easy to automate via a batch file. In order to provide something useful to the examiner, I opened up the usbstor.pl plugin, and within minutes made some minor modifications so that the output was .csv format. I then added the code from the mountdev.pl plugin to map USB removeable storage devices to a drive letter, if the information is available. Finally, I added the code from the compname.pl plugin to extract the name of the system from the System hive file...if you're running this across multiple hive files, you will need a way to differentiate the various systems in your output.

So, the resulting plugin, which took all of maybe 30 minutes to create, tweak and test can be run via rip.exe like so:

C:\Perl\forensics\rr>rip -r d:\cases\system -p usbstor2

The output for this System hive file looks like:

PETER,Disk&Ven_&Prod_USB_DISK&Rev_1.13,0738015025AC&0,
1127776426,USB DISK USB Device,
7&2713a8a1&0,\DosDevices\E:


So, the output is:

- System name
- Device class ID
- Serial Number
- LastWrite time from the unique ID key, 'normalized' to Unix time
- The "FriendlyName" value from the unique ID key
- The ParentIdPrefix value, if available
- The DosDevice listed in the MountedDevices key, if the ParentIdPrefix value exists

So, to run this against multiple System hive files, simply create a batch file that contains lines that look like this:

C:\Perl\forensics\rr>rip -r System -p usbstor2 >> usbstor.csv

Once you run this, the usbstor.csv file can be opened in Excel and you can quickly and easily determine devices that were connected to multiple systems, etc.

This just shows you how easy-to-use and flexible this tool set is. To see even more, don't miss the SANS Forensic Summit, where I'll be discussing Registry analysis and demonstrating these tools, as well as something else very special!

Wednesday, August 27, 2008

The Need for Speed

The recent Best Western issue illustrates an important point, which was mentioned in many of the posted articles on this issue...

Compliance != Security

In the face of compromises or any other potential/verified breach, a quick response is essential. You don't know if you have sensitive data (PCI, PHI, PII, etc.) leaving your network, and your first, most immediate and natural reaction (i.e., disconnecting systems) will likely expose you to more risk than the incident itself. Wait...what? Well, here's the deal, kids...if a system has sensitive data on it, and was subject to a compromise (intrusion, malware infection, etc.), and you cannot explicitly prove that the sensitive data was not compromised, you may (depending upon the legal or regulatory requirements for the data) be required to notify, regardless.

So...better to know than to not know...right?

What you need to do is quickly collect the following items:
  1. Pertinent network (i.e., firewall, etc.) logs
  2. Network packet capture(s)
  3. Full or partial contents of physical memory
  4. An image acquired from the affected system
Of course, this assumes a great deal...that you have a CSIRP in place, that you've already identified systems that store/process sensitive data, and that you've got the tools and training to collect any of this data. Some of it is fairly trivial...collecting firewall logs may simply be as easy as a call to your NOC. Collecting packet captures is as simple as having a Windows laptop with Wireshark installed, or Linux laptop. Tools for dumping the contents of RAM have recently taken a surge forward, and acquiring an image from a live system (can't shut that server down??) is as straightforward as getting a copy of FTK Imager.

Remember to DOCUMENT everything you do! The rule of thumb is, if you didn't document it, you didn't do it.

What other tools are available? In the case of Best Western, as well as any other organization with remote systems (located in distant data centers or storefronts), something like F-Response may prove to be extremely valuable! If you're not sure about F-Response and don't believe the testimonials, give the Beta Program a try. With the Enterprise Edition of F-Response already deployed (or simply pushed out remotely as needed), getting the data you need is amazingly straightforward!

So why do all this? Why go through all this trouble? Because you will likely have to answer the question, was sensitive data leaving my network? The fact of the matter is that you're not going to be able to answer that question with nothing more than a hard drive image, and the single biggest impediment to doing the right thing (as opposed to something) in a case like this is time...when you don't have the tools, training or support from executive management, the only reaction left is to unplug systems and hope for the best.

Unfortunately, where will that leave you? It'll leave you having to answer the question, why weren't you prepared? Would rather have to face that question, or actually be prepared?

If you want to learn what it takes to be prepared, come on by the SANS Forensic Summit and learn about this subject from the guys and gals who do it for a living!

Resources
CSO Online - Data Breach Notification Laws, State by State
SC Magazine - Data Breach Blog

Sunday, August 24, 2008

The Demented Musings of an Incident Responder

I respond, therefore I am. H. Carvey, 2008

I thought I'd jot down some of the things I see from time to time in the field...

In some network infrastructures, there's no need to use rootkits or other obfuscation methods.

In fact, these attempts to hide an intruder's activity may actually get the intruder noticed...incorrectly programmed or implemented rootkits lead to BSODs, which get you noticed. Look at some of the SQL injection attacks...not the ones you saw in the news, but the ones you didn't see...well, okay...if you didn't see them, then you can't look at them. I get it. Anyway, the other SQL injection attacks would punch completely through into the interior network infrastructure, and the intruder would be on systems with privileges above Administrator. From there, they'd punch out of the infrastructure to get their tools...via TFTP, FTP (the ftp.exe client on Windows systems is CLI and allows you to use scripts of commands), their own wget.exe, etc. From there, the intruder would use their tools to extend their reach...create user accounts, etc...and many times go unnoticed.

However...while we are on the subject of rootkits...I was reading a post over on the Volatility Tumblr blog, and came across this interesting bit of analysis of the Storm bot from TippingPoint's Digital Vaccine Labs (DVL). Apparently, the rootkit capabilities of this malware were "copied" (their word, not mine) from existing code. The point of this is that some issues with rootkits are being solved by using existing, proven code. Symantec has a post on the Storm bot, showing that it doesn't just blow up on a system.

Many times, an organization's initial response exposes them to greater risk than the incident itself, simply by making it impossible to answer the necessary questions.

Perhaps more so than anything else, state notification laws (CA SB-1386, AB-1298, etc.) and compliance standards set forth by regulatory bodies ('nuff said!) are changing the face of incident response. What I mean by that is that rather than just cleaning systems (running AV, deleting files and accounts, or simply wiping and reinstalling the system) is no longer an option, because now we need to know if (a) there was "sensitive data" on the system, and then (b) if the malware or compromise led to the exposure of that data.

What this leads us to is that the folks closest to the systems...helpdesk, IT admins, etc...need to be trained in proper response techniques and activities. They need to have the knowledge and the tools in place in order to react quickly...like an EMT. For example, rather than pulling a system offline and wiping it, obtain a physical memory dump, disconnect the system from the network, obtain an image, and then wipe the system. Properly control, preserve, and maintain custody of the data so that forensic analysts can do their thing. This process is somewhat over-simplified, I know, but it's something that can be used as a basis for getting those important questions answered. Add to that network traffic captures and any available device logs, and you've pretty much got most of what incident responders such as myself are looking for when we are asked to respond.

Saturday, August 23, 2008

Browser Artifact Analysis

There are a number of times where an analyst would need to know a bit about a user's web browsing activities in order to determine what was happening on a system; was the user in violation of acceptable use policies, or did the user go someplace that ended up getting the system infected, etc? Sometimes this is how systems initially get infected.

There are two excellent articles from Jones and Belani (published on SecurityFocus here and here) that, while a little more than 3 yrs old, are excellent sources of information and a great way to begin understanding what is available via browser forensics, and how to go about collecting information.

One of the things I tend to do when setting up an examination is to open the image in a ProDiscover project, and populate the Internet History Viewer. With PDIR v5.0, this is smoother than with previous versions, and it gives me a quick overview of the browser activity on the system. However, you don't need commercial tools to do this kind of analysis...there are tools out there that you can use either against live systems, or by mounting an image as a read-only file system.

At this point, what you look for is totally up to you. Many times when performing analysis, I have a timeframe in mind, based on information I received from the customer about the date and time of the incident. Other times, I may start with Registry analysis and have some key LastWrite times to work with. In several examinations, I had user profile creation dates, so I used that as my search criteria...locate anything useful that occurred prior to the profile creation date (which, by the way, I correlated with data extracted from the SAM file using RegRipper!!).

Don't forget this little tidbit about web history located for the Default User from Rob "van" Hensing's blog. I used to see this in the SQL injection exams, where the intruder would dump wget.exe on a system, and then use that to pull down his other tools. Wget.exe would use the WinInet APIs to do its work, which would end up as "browser history"...and because the intruder was running as System-level privileges, the history would end up in the Default User account. More recently, I've seen write-ups for malware that use a "hidden" IE window...running at System privileges will leave these same artifacts.

Tools and Resources:
Mork file format
mork.pl - Perl script for parsing the Mork file format
NirSoft.net browser tools
Mandiant WebHistorian
FoxAnalysis - FireFox 3 browser artifact analysis
CacheBack 2.0 - Internet browser cache and history analysis (commercial)
FireFox Forensics (F3) - Forensic artifact analysis tool for FireFox
Historian - Converts browser history files to .csv...also does LNK and INFO2 files
OperaCacheView - Thanks for the link, Claus!