Invisible Man

Blade™ v1.9 Released - AFF® Support, Hiberfile.sys Conversion and New Evaluation Version

2012-02-17T20:18:00.000+08:00

This release of Blade™ brings a number of fixes and some great new features. This is the first release of Blade™ to have evaluation capabilities which allow the user to test and evaluate our software for 30 days. When Blade™ is installed on a workstation for the first time (and a valid USB dongle licence is not inserted) the software will function in evaluation mode.

The following list contains a summary of the new features:

Support for Advanced Forensic Format (AFF®)
Hiberfil.sys converter - supports XP, Vista, Windows 7 32 and 64bit
Accurate hiberfil.sys memory mapping, not just Xpress block decompression
Hiberfil.sys slack recovery
Codepage setting for enhanced multi-language support
SQLite database recovery
30 Day evaluation version of Blade™ Professional
New recovery profile parameters for more advanced and accurate data recovery
Support for Logicube Forensic Dossier®
Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

轉自 http://blog.digital-detective.co.uk/2012/02/blade-v19-released-aff-support.html

Downloads and Full Release Information

電腦鑑識與鑑識會計

2012-02-14T20:33:00.000+08:00

轉自 law

筆者算是國內比較早接觸電腦鑑識(數位鑑識)這個領域，大約在91年間就開始閱讀相關文獻，但是那時候很少資料，連英美國家的電腦鑑識書籍，也非常少，而且概念非常混亂。(那時候差不多是網路剛興起及網路泡沫時代)

為了讓資訊科技發達的我國，也不會與電腦鑑識這個時代潮流脫節，經過努力整理當時各國的書籍與文獻，曾經於93年間出版過一本「電腦鑑識與企業安全」，但是當時這個領域太冷門，出版社後來好像也不知去向，這本書也絕版了。(希望不會是因為本書)

但無論如何，也成就了亞洲應該是第一本有關電腦鑑識的書籍。雖然從現在的角度來看，這本書的內容頗為粗淺，但畢竟是一個小小里程碑......

過了幾年，實務上有了長足的發展，政府部門也在95年間成立了第一座實驗室，又建立了第二座里程碑。

筆者沒有再深入學習進階的電腦鑑識，開始再開發更冷門的數位證據領域，也在98年間寫了一本「圖解數位證據」的著作，將法院判決中的錯誤見解，在清楚又簡單的編排架構下呈現出來。當然這個領域還是很冷門，所以銷售情況依舊慘澹。

不過這類型的書籍本來就不是以銷售為目的。經過幾年，感覺這個領域一直在冰箱中，冷到不行。在此冷到不行的同時，筆者也在100年6月完成了法律博士的學位，主題也就是「數位證據」。

99年間個人資料保護法的通過，電腦鑑識的領域突然熱門了起來。也許是電腦鑑識可以幫助瞭解資料外洩的原因，可以作為企業免責的證明，再加上個人資料保護法的賠償金額過高，迄今每一場相關的研討會都是滿場，其中也幾乎都有一場是有關電腦鑑識的議題。

本來筆者並未有意踏入個人資料這一個領域。

為什麼呢？

理由很簡單，電腦鑑識並非僅與個人資料有關係，電腦鑑識應該是與每個領域都有關聯性，因為每個領域都有可能涉及到數位證據，電腦鑑識就是一種嚴謹的採證與分析數位證據的程序。

但是筆者聽過許多講座之後，發現許多主講者也許是為了資訊產品的行銷，講偏了電腦鑑識的真正意涵，搞得好像個人資料保護法的立法目的，是為了相關資訊產業能賣出產品。

所以，近來筆者開始公告將整合個人資料保護法與電腦鑑識領域，從非商業產品推銷的角度，將正確的知識推廣給想聽的朋友。

目前也在短短的兩個月不到的期間講了六場，全省超過千人聽過，更利用自己的休閒時間，三個月內已經完成「圖解個人資料保護法」的著作，就等101年年中施行細則的通過，即可出版，相信屆時可以作為有需要朋友的參考。

最近有某研究所的教授徵詢筆者意見，希望能在其「鑑識會計」的課程中，向研究生解說一下電腦鑑識的概念。如上圖，電腦鑑識確實為鑑識會計領域中的一小部份，透過電腦鑑識的方式，找到企業營運的問題與弊病，如同前面所述，每個領域都有可能涉及到數位證據。

鑑識會計在100年高考三級中，也首次成為考題，看來繞著電腦鑑識領域打轉的議題，也將會愈來愈多。

WhatsApp Xtract

2012-02-12T20:32:00.000+08:00

I don't want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here . Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db .

This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries.

轉自 http://blog.digital-forensics.it/2011/12/whatsapp-xtract.html

What WhatsApp doesn't tell you...

2012-02-11T20:29:00.000+08:00

It is the 'top' app in the mobile world, almost immediately followed the ' give me your mobile number ' request comes the following question ' Do you have WhatsApp? '. Clearly this application is changing the concept of free SMS messaging.

Alberto warned about insecurity issues in how WhatsApp transmits data in plain text and what this means in shared environments.

Today we have to talk about the inside, the way in which WhatsApp stores and manages its data. Looking from within the file structure of the application we have two files called msgstore.db and wa.db (locations vary, of course, between Android and iPhone). These files are in SQLite format.

Once we import these files with a tool to browse inside their content (eg SQLite Manager), here comes the first surprise: none of the information contained is encrypted . Contacts are stored in wa.db and EVERY sent messages are in msgstore.db .

Wait a sec, did I say EVERY? Absolutely, every sent and received messages are there. And why "EVERY" is in uppercase?, simply because although theoretically WhatsApp give us the opportunity through its graphical interface to delete conversations, the reality is that they still remain in the database ad infinitum.

And the issue is even more fun if we sent or received messages at a time which GPS was enabled, because WhatsApp also stores coordinates in msgstore.db

In the case of Android there are even more important things stored that might be of interest to a forensic investigator - or maybe a jealous boyfriend/girlfriend. Apparently WhatsApp is configured by default with a very 'verbose' level of logging and store, within the directory / files / Logs, files with this appearance:

# pwd

/data/data/com.whatsapp/files/Logs

# ls

whatsapp-2011-06-06.1.log.gz whatsapp-2011-06-09.1.log.gz

whatsapp-2011-06-07.1.log.gz whatsapp.log

whatsapp-2011-06-08.1.log.gz

In these files are recorded every XMPP transactions made by the application with a very high verbose (debug) level, with the timestamp of when it receives or sends a message (among other things).

011-06-09 00:47:21.799 xmpp/reader/read/message 346XXXXXXX@s.whatsapp.net 1307XXXXXX-30 0 false false

These files are easily "parseable" to extract the ratio of mobile numbers which has maintained some kind of conversation with us. I created a small script that parses the file and pulls out this list of numbers:

  import re
 import sys


 logfile = sys.argv[1]
 logdata = open(logfile,"r")
 dump = logdata.readlines()

 numerosin = []
 numerosout = []

 for line in dump:

        m = re.search('(?<=xmpp/reader/read/message )\d+', line)

       if m:

                if not numerosin.count(m.group(0)):

                        numerosin.append(m.group(0))


        m = re.search('(?<=xmpp/writer/write/message/receipt )\d+', line)

        if m:

                if not numerosout.count(m.group(0)):

                        numerosout.append(m.group(0))

 print "Messages received from\n"
 print "\n".join(numerosin)
 print "\nMessages sent to\n"
 print "\n".join(numerosout)

Executing the script, it will ouput the information as follows:

$ python whatsnumbers.py whatsapp-2011-06-08.1.log

Messages received form

34611111111

34622222222

Messages sent to

34611111111

34622222222

轉自 http://www.securitybydefault.com/2011/06/what-whatsapp-doesnt-tell-you.html

Interesting Malware in Email Attempt - URL Scanner Links

2012-02-09T20:57:00.000+08:00

Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used to send some malware-linking spam emails to users in their contact list.

Yesterday our family email account was on the receiving end of someone -- possibly -- who fell victim to an email account hack as our email address was amongst several others included together receiving the email. I say possibly as none of us recognized the sender’s email address and it wasn’t in any of our address books. Possibly our along with the other’s email addresses had been harvested somehow and this was a fake spamming account. The “show-as” name was definitely non-standard and used some letters that related to that in the subject line.

It was pretty evident to me this was probably a dangerous site to go to, but being curiously-minded, I couldn’t pass up the chance to do some detective work.

The email originated from a yahoo mail account.

The Subject line was baited “ACH Transfer Canceled…” and the display name in the email address contained the letters “NACHA.”

ACH is meant to refer to the “Automated Clearing House” which handled financial transactions in the US overseen by the NACHA. To most Americans, I’m betting these acronyms mean very little and they would be more taken with a sudden urge to grab some NACHOES instead. Maybe Europeans would be a little more anxious emails purporting to come from ACH and NACHA. I digress.

First thing I looked at was the message header. Lots of goodies there. We can follow the bounce between the yahoo mail sender to our ISP’s email servers. Times/dates of transmission.

Since this was a Yahoo mail account, it appears the header may actually contain the IP address of the the location the mail account was logged into from. This is the first time I have seen this so I need to do more research. The IP associated with this particular email is located in France.

The website IP Address Locator has lots of good tools for locating IP addresses as well as a feature that allows a copy/paste/analyze of email headers.

The content of the email was very thin, a single line with all the text ran together. There is a URL link markup there, however it misses getting all the characters. Hmm.

Toggling between the different modes of viewing email content in Thunderbird reveals odd results. If I look at it in original html mode I see a single line of text with an hyperlink in the middle.

If I view it in simple html most of the text is the same but a few characters are different.

If I view it in plain text, there is nothing showing.

Hovering over the hyperlink displayed shows a URL shortner link. Hmm. Set that aside for a moment.

So I back and look at the full header view again and find this in the message body:

Content-Type: text/html; charset=ISO-8859-5
Content-Transfer-Encoding: base64

Ah! So I copy/paste that large text block that follow that into this base64 online encoder / decoder and get a binary file to download!

(More regarding content encoding methods here Content-Transfer-Encoding - MSDN, here The Content-Transfer-Encoding Header Field via freesoft.org and here Decoding Internet Attachments - A Tutorial by Michael Santovec.)

Opening that binary file in Notepad++ reveals the html code with the same actual URL embedded.

Guessing here they are using base64 coding for the content to try to get around email scanners.

OK, so let’s check out that URL.

Turns out it is using Google’s own URL shortning service: Google URL Shortener. More info here. Google URL shortener - Web Search Help

Turns out this is a pretty cool choice from both sides of the security fence. By appending the URL with “.info” at the end of a Goog.le shortened URL we can find out the stats from Goo.gl URL shortener (Google Groups)

This is good from an attacker standpoint as they can easily monitor their success rate on the nibbles of this hook and any “hits” to the actual URL. Researchers can get info as well by monitoring the same info and how fast/long the “click-through” may happen.

Neat isn’t it?

Now that I’ve got the actual long URL that this points to, we can start tossing the URL at some on-line link analysis/scanner tools.

VirusTotal shows both TrendMicro and SCUMWARE.org report the long URL as a Malware/Malicious site.

Quttera reports it as serving up a suspicious javascript content via HTML page code.

Anubis: Analyzing Unknown Binaries provided a deeper review of the URL by capturing Windows system events in a virutal sandbox system. It accesses the Windows registry, mucks with some keys, created a cookie, reads the autoexec.bat file, mods some files and maps dll’s to memory and appears to try to download more stuff. The report is available in HTML, XML, PDF, and TXT formats. Also, they offer a traffic.pcap file to download so you can examine the network traffic generated and perform any NFA you want to do. This site/tool rocks from a depth of information standpoint.

urlQuery gives some more report feedback when it is sandboxed. Lots of Java script stuff. Another strong URL analysis reporting site.

Trying it a few more times changing the browser type/java version/flash version gets different results and the URL serving code reflects all kinds of different IP’s each time so that long URL seems to be hosted at a dynamic IP host allowing it to bounce around (serving up HTTP redirects) and serve up the malware code depending on platform from all over the place making it harder to track down the source.

urlQuery actually identified the network traffic code as being detected as Blackhole exploit kit v1.2 HTTP GET request. Another clue.

I tossed the pcap file I got from Anubis into NETRESEC NetworkMiner. Nothing very interesting but my Microsoft Security Essentials alerted when the HTML page was reassembled by NetworkMiner and quarantined the file. It identified the page code as being Exploit:JS/Blacole.AR. (MS’s way of saying “blackhole” I suppose…)

Here are a series of links regarding these kinds of email spam threats in general as well as Blackhole info in particular as it relates with email spam campaigns, if you are curious.

Prevalent Exploit Kits Updated with a New Java Exploit - M86 Security Labs Blog
An analysis of the ACH spam campaign - M86 Security Labs Blog
Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit - M86 Security Labs Blog
“Steve Jobs Alive!” Spam Campaign Leads To Exploit Page - M86 Security Labs Blog
All Posts tagged Malicious Spam - M86 Security Labs Blog
Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face - IT Secure Site more on a related Blackhole email spam attempt.
Blackhole exploits kit attack growing - Zscaler Research
Exploit Kit in my Morning Email (BlackHole Exploit Kit . . . Maybe) - ReverSecurity

I doubt this is the last our email inbox will see of these things, but the whole process has been quite fun to follow.

I’ve decided to leave out links/images of the actual email and the header-code/URL (short/long) but have passed it along to a number of security-spam websites in case it is of use.

A long time ago I had a list of URL-testing sites to feed a URL into to see if they were safe or not. Most seem to have gone away, however the following forums had a number of new ones worth bookmarking. Hat tip to “PROROOTECT” for the legwork!

Free Online On-demand URL Security Scanners - MalwareTips forum
FREE ONLINE SECURITY SCANS For Suspicious URL Link - Sysinternals Forums

Here is a combined and cleaned up list based on the collective work there from PROROOTECT in both places and at least one or two I’m tossing in and a few from those lists I removed that seem dead/redirected incorrectly. PROROOTECT does make a great point that the effectiveness of these vary, so a “bad” URL in one may come back as “clean” in another. So it’s best to run your URL through multiple sources.

Note, these are URL/web-page scanners. They are a bit different than on-line file-scanners/sandboxes used to analyze malware samples. Though a few seem to come pretty darn close with the depth of their reports/analysis.

Not “necessarily” ordered in order of usefulness.

IP Address Locator - Track IP, Search IP, Find IP, Trace IP Lookup, What Is My IP Address Location
TrueURL - decode short URLs
Decode Short URL Decoder - cekPR.com - decode short URLs
TinyURL.com - preview a TinyURL
LongURL - decode short URLs
Untiny - decode short URLs
base64 online encoder / decoder - decode base 64 code in emails
Quttera - FREE Online Heuristic URL Scanner
Anubis - Analyzing Unknown Binaries
vURL Online - Quickly and safely dissect malicious or suspect websites
HTTP Web-Sniffer 1.0.37 - view HTTP request/response headers
Wepawet - analyzes URLs for javascript/PDF or Flash exploits.
Finjan URL Analysis - URL analysis
VirusTotal - Free Online Virus, Malware and URL Scanner
UrlVir.com - URL scanner using domain, IP or MD5 hash value. Hosted by NoVirusThanks
SURBL Blacklist lookup - check database for known websites that have appeared in unsolicited (spam) emails. More on the program here: SURBL
URLVoid.com BETA - scan website for malware, threats and other bad things.
URL & Link Scanner - Scan URLs for malicious code - URLVoid.com BETA to scan URL with multiple AV engines.
WAVE - Web Accessibility Evaluation Tool - may not tell you if a site is “malicious” but provides a visual report on the site as well as any funky coding going on.
Comodo Site Inspector - scan page to see if it generates malicious activity or hosts malware.
Website Security Check - Unmask Parasites. Scans site for evidence of exploit code.
Norton Safe Web, from Symantec - is a site safe?
Dr.Web - is a site safe?
Trend Micro Site Safety Center - is a site safe?
AVG LinkScanner Online- is a site safe?
F-Secure Browsing Protection Portal - Can you trust a site?
AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone - Can you trust a site? (Aussie edition)
Online Link Scan - Virus, Trojan, Adware and Malware Scanner using a variety of scanning engines.
PhishTank - site to report suspicious/phishing URL sites.
Check page for sh*t - resources including a URL check in Google spyware checker.

PROROOTECT’s suggestion to use an online URL screenshotting service to capture the displayed URL safely is some good outside the box thinking. Kinda a “look-before-you-leap” thing if all the above items pass OK.

Shotbot - Screenshot Bot | Ascreen Generator - generates jpeg thumbnails of public websites.
IE NetRenderer - Browser Compatibility Check - I like this one in that you can pick your browser version from a selection. If the URL/page responds differently based on your browser, then this might show it.
thumbalizr - thumb your webpages
url2png - website screenshot service
loads.in - webpage load screenshots in multiple browser with option to pick from from over 50 locations worldwide
ShrinkTheWeb - website screenshot service
Browsershots - supports/mimics so many different browser types and OS’s and allows defining Javascript/java/flash versions that it’s just plain coolly obscene!

Fun trip if it wasn’t so serious…

--Claus V.

Update: I meant to add this in to the original post but got sidetracked. A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done! I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:

University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.

轉自 http://grandstreamdreams.blogspot.com/2012/01/interesting-malware-in-email-attempt.html

Ripping Volume Shadow Copies – Introduction

2012-02-07T20:55:00.000+08:00

Windows XP is the operating system I mostly encounter during my digital forensic work. Over the past year I’ve been seeing more and more systems running Windows 7. 2011 brought with it my first few cases where the corporate systems I examined (at my day job) were all running Windows 7. There was even a more drastic change for the home users I assisted with cleaning malware infections because towards the end of the year all my cases involved Windows 7 systems. I foresee Windows XP slowly becoming a relic as the corporate environments I face start upgrading the clients on their networks to Windows 7. One artifact that will be encountered more frequently in Windows 7 is Volume Shadow Copies (VSCs). VSCs can be a potential gold mine but for them to be useful one must know how to access and parse the data inside them. The Ripping Volume Shadow Copies series is discussing another approach on how to examine VSCs and the data they contain.

What Are Volume Shadow Copies

VSCs are not new to Windows 7 and have actually been around since Windows Server 2003. Others in the DFIR community have published a wealth of information on what VSCs are, their forensic significance, and approaches to examine them. I’m only providing a quick explanation since Troy Larson’s presentation slides provide an excellent overview about what VSCs are as well as Lee Whitfield’s Into the Shadows blog post. Basically, the Volume Shadow Copy Service (VSS) can backup data on a Windows system. VSS monitors a volume for any changes to the data stored on it and will create backups only containing those changes. These backups are referred to as a shadow copies. According to Microsoft, the following activities will create shadow copies on Windows 7 and Vista systems:
        - Manually (Vista & 7)
        - Every 24 Hours (Vista)
        - Every 7 Days (7)
        - Before a Windows Update (Vista & 7)
        - Unsigned Driver Installation (Vista & 7)
        - A program that calls the Snapshot API (Vista & 7)

Importance of VSCs

The data inside VSCs may have a significant impact on an examination for a couple of reasons. The obvious benefit is the ability to recover files that may have been deleted or encrypted on the system. This ringed true for me on the few cases involving corporate systems; if it wasn’t for VSCs then I wouldn’t have been able to recover the data of interest. The second and possibly even more significant is the ability to see how systems and/or files evolved over time. I briefly touched on this in the post Ripping Volume Shadow Copies Sneak Peek. I mentioned how parsing the configuration information helped me know what file types to search for based on the installed software. Another example was how the user account information helped me verify a user account existed on the system and narrow down the timeframe when it was deleted. A system’s configuration information is just the beginning; documents, user activity, and programs launched are all great candidates to see how they changed over time.

To illustrate I’ll use a document as an example. When a document is located on a system without VSCs - for the most part - the only data that can be viewed in the document is what is currently there. Previous data inside the document might be able to be recovered from copies of the document or temporary files but won’t completely show how the document changed over time. To see how the document evolved would require trying to recover it at different points in time from system backups (if they were available). Now take that same document located on a system with VSCs. The document can be recovered from every VSC and each one can be examined to see its data. The data will only be what was inside the document when each VSC was created but it could cover a time period of weeks to months. Examining each document from the VSCs will shed light on how the document evolved. Another possibility is the potential to recover data that was in the document at some point in the past but isn't in the document that was located on the system. If system backups were available then they could provide additional information since more copies of the document could be obtained at other points in time.

Accessing VSCs

The Ripping Volume Shadow Copies approach works against mounted volumes. This means a forensic image or hard drive has to be mounted to a Windows system (Vista or 7) in order for the VSCs in the target volume to be ripped. There are different ways to see a hard drive or image’s VSCs and I highlighted some options:
        - Mount the hard drive by installing it inside a workstation (option will alter data on the hard drive)
        - Mount the hard drive by using an external hard drive enclosure (option will alter data on the hard drive)
        - Mount the hard drive by using a hardware writeblocker
        - Mount the forensic image using Harlan Carvey’s method documented here, here, and the slide deck referenced here
        - Mount the forensic image using Guidance Software’s Encase with the PDE module (option is well documented in the QCCIS white paper Reliably recovering evidential data from Volume Shadow Copies)

Regardless of the option used to mount the hard drive or image, the Windows vssadmin command or Shadow Explorer program can show what if VSCs are available for a given mounted volume. The pictures below show the Shadow Explorer program and vssadmin command displaying the some VSCs for the mounted volume with drive letter C.

Shadow Explorer Displaying C Volume VSCs

VSSAdmin Displaying C Volume VSCs

Picking VSCs to examine is dependent on the examination goals and what data is needed to accomplish those goals. However, time will be a major consideration. Does the examination need to review an event, document, or user activity for specific times or for all available times on a computer? Answering that question will help determine if certain VSCs covering specific times are picked or if every available VSCs should be examined. Once the VSCs are selected then they can be examined to extract the information of interest.

Another Approach to Examine VSCs

Before discussing another approach to examining VSCs it’s appropriate to reflect on the approaches practitioners are currently using. The first approach is to forensically image each VSC and then examine the data inside each image. Troy’s slide deck referenced earlier has a slide showing how to image a VSC and Richard Drinkwater's Volume Shadow Copy Forensics post from a few years ago shows imaging VSCs as well. The second popular approach doesn’t use imaging since it copies data from each VSC followed by examining that data. The QCCIS white paper referenced earlier outlines this approach using the robocopy program as well as Richard Drinkwater in his posts here and here. Both approaches are feasible for examining VSCs but another approach is to examine the data directly inside VSCs bypassing the need for imaging and copying. The Ripping VSCs approach examines data directly inside VSCs and the two different methods to implement the approach are: Practitioner Method and Developer Method.

Ripping VSCs: Practitioner Method

The Practitioner Method uses ones existing tools to parse data inside VSCs. This means someone doesn’t have to learn a new tool or learn a programming language to write their own tools. All that’s required is for the tool to be command line and the practitioner willingness to execute the tool multiple times against the same data. The picture below shows how the Practitioner Method works.

Practitioner Method Process

Troy Larson demonstrated how a symbolic link can be used to provide access to VSCs. The mklink command can create a symbolic link to a VSC which then provides access to the data stored in the VSC. The Practitioner Method uses the access provided by the symbolic link to execute one’s tools directly against the data. The picture above illustrates a tool executing against the data inside Volume Shadow Copy 19 by traversing through a symbolic link. One could quickly determine the differences between VSCs, parse registry keys in VSCs, examine the same document at different points in time, or track a user’s activity to see what files were accessed. Examining VSCs can become tedious when one has to run the same command against multiple symbolic links to VSCs; this is especially true when dealing with 10, 20, or 30 VSCs. A more efficient and faster way is to use batch scripting to automate the process. Only a basic understanding about batch scripting (need to know how a For loop works) can create powerful tools to examine VSCs. In future posts I’ll cover how simple batch scripts can be leverage to rip data from any VSCs within seconds.

Ripping VSCs: Developer Method

I’ve been using the Practitioner Method for some time now against VSCs on live systems and forensic images. The method has enabled me to see data in different ways which was vital for some of my work involving Windows 7 systems. Recently I figured out a more efficient way to examine data inside VSCs. The Developer Method can examine data inside VSCs directly which bypasses the need to go through a symbolic link. The picture below shows how the Developer Method works.

Developer Method Process

The Developer Method programmatically accesses the data directly inside of VSCs. The majority of existing tools cannot do this natively so one must modify existing tools or develop their own. I used the Perl programming language to demonstrate that the Developer Method for ripping VSCs is possible. I created simple Perl scripts to read files inside a VSC and I modified Harlan’s lslnk.pl to parse Windows shortcut files inside a VSC. Unlike the Practitioner Method, at the time of this post I have not extensively tested the Developer Method. I’m not only discussing the Developer Method for completeness when explaining the Ripping VSCs approach but my hope is by releasing my research early it can help spur the development of DFIR tools for examining VSCs.

What’s Up Next?

Volume Shadow Copies have been a gold mine for me on the couple corporate cases where they were available. The VSCs enabled me to successfully process the cases and that experience is what pushed me towards a different approach to examining VSCs. This approach was to parse the data while it is still stored inside the VSCs. I’m not the only DFIR practitioner looking at examining VSCs in this manner. Stacey Edwards shared in her post Volume Shadow Copies and LogParser how she runs the program logparser against VSCs by traversing through a symbolic link. Rob Lee shared his work on Shadow Timelines where he creates timelines and lists deleted files in VSCs by executing the Sleuthkit directly against VSCs. Accessing VSCs’ data directly can reduce examination time while enabling a DFIR practitioner to see data temporally. Ripping Volume Shadow Copies is a six part series and the remaining five posts will explain the Practitioner and Developer methods in-depth.
        Part 1: Ripping Volume Shadow Copies - Introduction
        Part 2: Ripping VSCs - Practitioner Method
        Part 3: Ripping VSCs - Practitioner Examples
        Part 4: Ripping VSCs - Developer Method
        Part 5: Ripping VSCs - Developer Example
        Part 6: Examing VSCs with GUI Tools

轉自 http://journeyintoir.blogspot.com/2012/01/ripping-volume-shadow-copies.html

base64 Encode / Decode

2012-02-04T20:31:00.001+08:00

http://webnet77.com/cgi-bin/helpers/base-64.pl

Internet Explorer RecoveryStore(Travelog) 解析工具

2012-02-03T20:26:00.000+08:00

RecoverRS

Based on the research in to Internet Explorer’s Automatic Crash Recovery files, two command line applications were created; RipRS and ParseRS; collectively known as RecoverRS. Detailed information regarding the operation of these two applications is available in Appendix C, the RecoverRS manual.

RipRS is designed to extract ACR files from a raw disk image using known decimal offsets. A list of known offsets can be obtained by using the search string discussed in the above section titled ‘Finding Compound Files in Unallocated Space’ using programs such as EnCase or FTK. Using these known offsets, RipRS uses the methodology discussed in the above section titled ‘Carving Compound Files in Unallocated Space’ to determine the compound file’s size. RipRS then searches the compound file for the string ‘0B00252A-8D48-4D0B-7B79887F2B96’, a GUID that is unique to ACR files. If RipRS determines that the compound file is in fact an ACR file, it searches the ACR file for strings unique to either recovery store files or tab data files to determine which type the file it. Once RipRS has determined the ACR file type, the file is written to the output directory specified by the user using the naming convention RecoveryStore.{offset}.dat or {offset}.dat for recovery store files and tab data files respectively.

ParseRS is designed to extract browsing information from ACR files; either those found on the system or those carved from unallocated space by RipRS. As mentioned previously, if ACR files are carved from unallocated space, information linking the tab data files with their respective recovery store files and some date/time information will be lost.

Download RecoverRS

Download RecoverRS Manual

轉自 http://www.jtmoran.com/tools/default.html

解析Internet Explorer RecoveryStore(Travelog)

2012-02-01T20:19:00.000+08:00

Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity

This artifact has attracted my attention of late as I have seen some very useful information here in a few recent cases. Here you find not only browsed urls but webpage details like title (sometimes content) and timestamps. Even data from encrypted pages (https) are stored here in plaintext, which by default IE does not save in internet cache. I have even seen email and facebook passwords here on occasion!

What is RecoveryStore and why is it present?

IE 8 and 9 have a tab recovery feature by virtue of which you can restore all your tabbed browsing sessions if IE crashes, or when you close IE and chose to save tabs on exit (so that they may be reopened automatically when IE is started next time).

With IE8, Microsoft also introduced the concept of a ‘Travelog’. This is a mechanism to track urls (and associated parameters) that are fetched from a page when AJAX is used. AJAX is a technology which enables dynamic refreshes of small portions of a page without reloading the whole page. It was popularized by gmail and subsequently most webpages use it today. With AJAX, your main page url does not change, however the page contents change when your click around in the page (accessing data from other urls), this creates problems as you cannot use the browser back button to go back one click. To solve this problem (with back and forward buttons), the travelog is used to track AJAX urls. Read up more about it on MDSN here.

So where is this cached information?

The RecoveryStore can be found under /Application Data on an XP machine and under /AppData/Local on a Vista or Windows 7 machine under subfolder Microsoft/Internet Explorer/Recovery

Location of RecoveryStore files on a Windows 7 Machine

Two folders are present by default, Active and LastActive. Sometimes a couple of other folders are seen, High and Low. All folders contain similar data, a few files with .dat as their name and a single RecoveryStore..dat file per folder. GUIDs are in the standard format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

Analysis of RecoveryStore files Part I

All files are in the Microsoft OLE structured storage container format. When opened with a suitable viewer (many freeware available for this, if you use encase, use ‘view file structure’ to mount), you find many streams (files) within it.

There is a single RecoveryStore..dat file which represents the recovery store preserving tab order and some other information. It references the other .dat files.

RecoveryStore..dat

This file contains 3 or more streams in it. If more than one session (instances of IE) are running, then more streams will be present.

Stream Name	Description
\|KjjaqfajN2c0uzgv1l4qy5nfWe	Contains some guids
FrameList	List of DWORDs, function unknown
TSxx	Contains guids of Tabs in Session x (ie,if TS1 then tabs in session 1)

RecoveryStore..dat file viewed in an OLE object viewer
The FrameList stream is shown above

in the filename

The GUID is actually a UUID (version 1), which is comprised of a FILETIME like timestamp and the machine MAC address. The details of this scheme can be referenced from RFC 4122 (http://www.ietf.org/rfc/rfc4122.txt).

The timestamp is the first 60 bits of the UUID, and this represents the number of 100 second nanosecond intervals since 15 October 1582. Note the only major difference from Microsoft FILETIME values used everywhere else in windows is the starting date which is 01 January 1601 for FILETIME.

This time is going to be the tab/recoverystore created time and can be used to cross check the timestamp on disk for forensic validation. These UUIDs are also found in the ‘|KjjaqfajN2c0uzgv1l4qy5nfWe’ stream in RecoveryStore..dat

Example: {FD1F46CF-E6AB-11E0-9FAC-001CC0CD46AA}.dat

From this UUID, we can extract the timestamp as 01E0E6ABFD1F46CF which decodes to 09/24/2011 12:51:58 UTC.

The last 6 bytes is the MAC address on the machine (00 1C C0 CD 46 AA), it can be from any of the network interfaces on the machine.

Timestamp Easy Conversion Process

(http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf)

An easy way of converting the timestamp without messing too much with the math behind it is to subtract the time period between 15 October 1582 and 1 January 1601 and then using a FILETIME decoder program (like DCODE) to do the rest. For the above example, we subtract 146BF33E42C000 (the excess time period) from the original value to get 1CC7AB8BEDC86CF which is decoded as 09/24/2011 12:51:58 UTC.

.dat files

Each file represents a tab in the browser. Inside each file are 3 or more streams.

Stream Name	Description
\|KjjaqfajN2c0uzgv1l4qy5nfWe	Contains some guids and last URL of tab
Travelog	List of DWORDs representing each Travelog entry
TLxx	Travelog stream (TL0, TL1, …)

'|KjjaqfajN2c0uzgv1l4qy5nfWe' stream inside a .dat file shown above

Travelog Stream

This stream has a complex binary format which stores many items. The base URL, referrer url and page title are always present. Page content, some timestamps and ajax parameters are optionally present.

I have been studying the format of the Travelog and will shortly publish it as Part II of this blog entry.

Update: An encase script is now available for download here to parse out travelog info.

轉自 http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html

Free Wipies

2012-01-29T20:50:00.001+08:00

New Year’s Eve is almost upon us. Figured I close out 2011 with one final post.
Out of a recent TinyApps.org post on drive wiping I followed a white-rabbit and ended up on this Disk Wiping with dcfldd at the Anti-Forensics blog.
I’m always on the lookout for tips and techniques when it comes to secure-wiping drives and the post was full of great info regarding use of the dcfldd tool.
When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience.
The first is Microsoft Windows DISKPART command “Clean all” which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.”
The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out most all drives I encounter.
The second one I love is the CLI tool “wipe.exe” as found in the Forensic Acquisition Utilities set by George M. Garner.
The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped.
I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool HxD to scan through the post-wiped drive to ensure it all come up clean; Frhed - Free hex editor is another nice alternative.
I also keep a collection of secure file-wipe tools handy as well. These are useful for when I have a personal document with sensitive info that is no longer needed, or at work where I have successfully recovered a customer’s data from a seriously crashed drive and the files were successfully restored; don’t need to keep those around on the workbench PC.
EraserDrop Portable - PortableApps.com is an easy to use and easy-to-configure tool I find useful to manage large volumes of files/folders needing secure deletion. It is based on Eraser.
Eraser Portable - PortableApps.com - Portable software for USB, portable and cloud drives is the portable version of that tool. It is very flexible and powerful, though the interface and job/task “scheduling” might be off-putting to less advanced users. Besides handing wiping of files/folders, it also can wipe free-space on a drive.
WipeFile over at Gaijin is a simple and basic file-wipe tool with lots of options. Just launch, set your wipe-preferences, and drag-n-drop your files for wiping. See the related Gaijin tool WipeDisk as well.
File Shredder is a “new-to-me” secure-wipe tool. It is quite small and consists of two files; the main exe and a dll helper. The interface is nice and it also includes wiping of free-space.
ultrashredder is even smaller. Basically just drag-n-drop. While you can set the number of over-writes, you can’t set the pattern.
DPWipe 1.1 by Dirk Paehl is similar to Ultrashredder in the GUI layout, however it does allow selection of the wipe method.
Blowfish Advanced CS. This is an oldie-but-a-goodie which was the very first secure wipe (file and freespace) tool I started using back in my Win98 days. It probably has been passed on by other tools here but I still keep it around for fond-memories.
SDelete is Microsoft Sysinternal’s CLI tool to wipe files as well as zero-out free-space. I like it particularly well for that second task.
Disk Redactor also handles wiping of all free space on a drive very nicely with a helpful GUI interface.
These are all specialized secure-wipe tools and are pretty easy and convenient to use; a few even have options to integrate into the Windows context-menu shell. However if you frequently use an alternative Windows file manager (like I prefer to do), there are more than one which include a hand-dandy “secure-file-wipe” option baked right in!
FreeCommander remains my #1 all-time favorite “multi-pass” tool for Windows file management. it includes a secure wipe action that performs a multi-step wipe of the selected item(s). You can set how many passes you want that routine to run.
Explorer++ also includes a “destroy” option (1 or 3-pass choice) to secure delete selected files/folders.
A43 likewise includes a basic secure-destroy option.
NexusFile has a “shred and delete” feature.
My Commander reminds me in many ways of FreeCommander, and it does have a secure delete action.
Happy New Year!

轉自 http://grandstreamdreams.blogspot.com/2011/12/free-wipies.html

Make a dual-boot WinPE CD

2012-01-28T20:49:00.000+08:00

I’ve been in the workshop for the past several days hammering out a new WinPE product for our technical field-support team.
You may recall from the GSD post WinPE Building and PGP Support Links Updated that I have previously built a highly-customized PGP WDE injected WinPE boot CD to allow our team to manually off-line boot, then authenticate into a PGP v9.x encrypted hard-drive.
Now we are rolling out systems encrypting with PGP Desktop 10.x. Unfortunately the v10 isn’t backwards-compatible in supporting the v9 encrypted systems.
So I cleared off the workbench and using the techniques I have previously outlined here, built a new customized WinPE boot disk that supports PGP-WDE 10.x.
Only there was one problem; we currently now have a mixed PGP-WDE environment where some systems are running PGP Desktop v9.x and others are running v10.x.
I started to plan just having the techs carry both WinPE boot disks with them. But that seemed silly. The WIM files were both very small. Too bad I couldn’t include both BOOT.WIM files on the same CD as the rest of the CD structure was identical.
Or could I…..?
I knew a suggestion Brett had made earlier that with some BCD file editing on a customized WinPE booting USB stick, that I could multi-boot different WinPE BOOT.WIM. We outlined that process in this GSD WinPE Multi-boot a Bootable USB Storage device post. I can tell you it works like a charm.
But surely that doesn’t work for WinPE CDs. That’s crazy talk. Right?
Nope. Works fine.
David over at the “ITC Guy’s Doodles” blog has it all laid out, simple as can be (with screen-shots):

Creating WinPE multi-boot - ICT guy's doodles

David and I are assuming here you already have the WAIK installed and are long-past the steps regarding building a customized WinPE build or two. If not, check out these GSD posts first for some background if needed:

Custom Win PE Boot Disk Building: Step Four – Pulling it all together – GSD blog.
Custom WinPE Building: Post-Script and PE 3.0 - GSD blog.
QuickPost: Bootable USB Stick – GSD blog.
USB Tricks for Vista and Windows 7 – GSD blog.
Sexy USB Boots (Win PE style) – GSD blog.
WinPE and DISM/PEimg to boost Scratch Space (Ram Disk) – GSD blog.

Once you’ve done that and have your primary WinPE folder structure set as well as your custom BOOT.WIM files ready you basically do this:

Launch your WAIK Deployment Tools Command Prompt (in Windows 7 I chose to run it elevated as Administrator).
Change directories to your WinPE building folder (in my case it was C:\winpe_x86 yours may differ adjust recipe accordingly for your WinPE baking altitude).
Copy into the c:\winpe_x86\ISO\sources folder the BOOT.WIM files you want to include. Note they will need to be named different things. Your first/default booting wim can remain “boot.wim” to keep things easy, but the 2nd (and each additional one if so desired) should be named something more descriptive.
Next you will need to edit the BCD file for the booting build which is located in C:\winpe_x86\ISO\boot location.
Follow David’s steps to make a copy of the default boot entry item to a new second one with a different boot guid. Then you need to “fix” some of the copied sub-items to associate with the new guid value.
Finally, you can rename the default boot item description to something more meaningful.

Use oscdimg to build the ISO file and when you boot it, you should now see your different boot image options appear on the boot selection menu!
Sweet!
I’m not aware of any limitations to the number of different bootable wim files you can have. I suppose that’s mostly limited to the size of your CD/DVD media (if not USB-booting) as well as the size of the custom WIM files themselves.
So for me, I now have one physical bootable CD with two distinct WinPE boot choices…one for PGP v9 and one for PGP v10 support. Locked and loaded now baby!
In theory, if you weren’t really comfortable with all this CLI work, you could use one of two GUI based tools to edit the \winpe_x86\ISO\boot\BCD file.
EasyBCD 2.1.2 - NeoSmart Technologies supports WinPE BCD files. There is also a EasyBCD 2.2 Beta Build that may have additional support. Check out the forum as well as this Multiboot WinPE CD - How to specify .WIM forum post for some tips.
In fact, somewhere between eating lunch, listening to a football game, and trying to pay attention to a holiday story Lavie was telling me while I was following David’s steps, my own “descriptions” work for the BCD file got mixed up a bit and I wasn’t getting the custom boot descriptions to appear as desired.
I was able to quickly and easily use the Visual BCD Editor - Windows 7/Vista to clean up the mess I made and get it all put right. So if you knew what you were doing, you could do it all from the GUI with this tool rather than the CLI.
Anyway, thanks to Bret for his original tip and for David for the game-walkthrough for making a multi-boot WinPE CD.

轉自 http://grandstreamdreams.blogspot.com/2012/01/make-dual-boot-winpe-cd.html

Wipies -- Addendum

2012-01-27T20:38:00.000+08:00

You may recall that both GSD posts on secure wiping -- Free Wipies and Wipies - Part II (Full Coverage Cleaning) -- were both inspired by a blog post by the TinyApps.Org blogger.

Last night I received a kind message from this dear friend pulling my attention back to the deeper issue raised in that post, and while this isn’t a completely unknown issue, it is one that can be easily overlooked by the best of sysadmins in our zeal to “secure wipe the darn thing” and get on with our other daily grinds.

The TinyApps how-to post ATA Secure Erase (SE) and hdparm shares an added benefit for those who dare to tread that hard-drive wiping technique through the “enhanced secure erase” option.

(Very) Basically the issue comes down to this: hard drives may have bad sectors that have been found and so marked as well as additional “host protected area (HPA)s” both of which can be skipped by many “block-erase” wiping tools and utilities. The end result is the possibility of recoverable data left behind in these areas if a standard block-erase method is used.

Host protected area - Wikipedia, the free encyclopedia
Device configuration overlay - Wikipedia, the free encyclopedia

So even though you are diligently laying down your randomized data and/or zeros to all the (accessible) sectors of the drive, the drive itself may be actually hiding physical sectors from your software that will not get overwritten no matter how hard you try.

As TinyApps linked for me in the communication, even the almighty Darik's Boot And Nuke clearly says in its FAQ that it must be used with knowledge to address some of these issues:

Does DBAN wipe remapped sectors? - Darik's Boot And Nuke

Does DBAN wipe remapped sectors?
Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.

Does DBAN wipe the Host Protected Area ("HPA")? - Darik's Boot And Nuke

Does DBAN wipe the Host Protected Area ("HPA")?
No.
Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.
Why not now and why not by default?
Some vendors are using the HPA instead of providing rescue media.
Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations.
DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.

That’s not to say this information makes DBAN (or any of the others like it) a bad or faulty tool, just one with some limitations (like most all other block-erase wipe tools) that must be fully understood before deciding if its methods are sufficient for the use at hand.

For example, there are forensic drive access/capture tools that can detect these areas and ensure the investigator is able to respond to them. That’s great news for the good guys and a warning that bad-guys can also take advantage of this as well: HPA/DCO Detection - WiebeTech Forensic Docks

Here (again) are links to two posts about the HPA/remapped sector issue with drive wiping well worth the read:

Securely erase hard drives - ultraparanoid
Can God Create a Rock So Heavy Even He Can’t Lift It? - ultraparanoid

I suppose one good place to start is pre-inspecting your drive before you get wiping to better understand what you are dealing with.

There are a few Windows-based tools that I am aware of that can let you look at either/both HPA area(s) as well as DCO info (if they exist). In most cases, these do require specialized booting of the system either directly with a true DOS disk or a Linux tool to access the drive correctly.

MHDD - HDDGuru
HDAT2/CBL Hard Disk Repair Utility - Lubomir Cabla
TestDisk 6.12 Release - CGSecurity

So, that brings us back to using a combo of tools and methods to wipe both check for the presence of HPA/DCO and address/remove them first before using a block-erase wipe tool or to learn some new techniques for an “all-in-one” wipe method to get it all.

For “modern” hard disk drives that support this feature the “enhanced secure erase” method may be the only option short of extreme physical destruction (with prejudice and malice aforethought) of the drive to ensure all data is irrevocably cleared from the drive.

TinyApps “how-to” post is a great starting point at using a Linux Live CD to accomplish the process and what is happening :

ATA Secure Erase (SE) and hdparm - TinyApps blog
More background here at ATA Secure Erase - ata Wiki
SSD Secure Erase with proper ATA command - mackonsti blog
CMRR - Secure Erase tool - over at the Center for Magnetic Recording Research (CMRR) is another option, though a read through of many comments and other posts suggests this tool may have some performance issues…or not.
Guide How to use HDDErase - OCZ Forum
The Parted Magic LiveCD- I have learned - includes an ERASE tool which does support the “enhanced secure erase” protocol if the drive at hand does as well. It takes care of a lot of the CLI work that might off-put casual wipers. How To Secure Erase Corsair SSDs With Parted Magic -- Corsair Blog. I’ve used Parted Magic quite a lot in the past but never for secure wiping and never realized it had this option.
GParted can do this as well, though it doesn’t seem to have the “wizard” for hdparm that Parted Magic does: Use GParted to secure erase SSD - GSKILL TECH FORUM.
Note: As TinyApps points out in his post, in-fact any Linux distro that includes hdparm at a version of 9.31 or greater would work; the lower versions have a 2-hour timeout which can leave the remaining portion of the disk unwiped.
Guide Secure Erase for Windows - OCZ Forum
Guide Secure Erase From Within Linux For Windows Users - OCZ Forum
Guide How to Restore SSD performance WITHOUT using HDDErase - OCZ Forum

It is my understanding that Windows port of hdparm may work as well that is found in Cygwin. I’ve seen some forum posts discuss that some versions (the later ones) are better than earlier ones.

The Win32/Cygwin version of 'hdparm' will tell you if you have HIPM or DIPM capabilities. - Aaron Tiensivu's Blog

Christian Franke has also provided a native Win32 tool version if you just need it without Cygwin.

Index of /hdparm - via Christian Franke

So to sum up from my perspective,

If you want to keep the OEM HPA area intact (maybe you have a Dell system with diagnostics loaded there) and plan to recycle the drive/system in your organization, then a simple whole-disk block-erase of the drive may be sufficient. Updating the DCO information probably isn’t necessary and may help -- in fact -- preserve the previously found “bad sectors” info if it is present.
If you plan on giving the drive/system away then you should strongly consider attempting the “enhanced secure erase” method first to see if your drive supports it. If not, then you may have to settle for either a whole-disk block-erase wipe and hope for the best (that there is no sensitive data in any HPA/DCO areas (if present) or use one of many reliable, complete, irrevocable, physically destructive methods.

Hopefully I have covered this sufficiently for you to Google on from here.

If not, as always your comments are welcome and appreciated.

And if anyone knows of any additional Windows/DOS/*Nix tools that can handle “enhanced secure erase” wiping of a modern drive, please leave a tip in the comments.

轉自

REMnux: A Linux Distribution for Reverse-Engineering Malware

2012-01-27T20:30:00.000+08:00

REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux incorporates a number of tools for analyzing malicious software that runs on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. The toolkit includes programs for analyzing malicious documents, such PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.

Originally released in 2010, REMnux has been updated to version 3 in December 2011.

What REMnux Is Not

REMnux does not aim to include all malware analysis tools in existence, and omits the utilities designed to work on Windows. If you are looking for a more full-featured Linux distribution that supports a wider range of digital forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 has values of the latest files are:

VMware virtual appliance archive: remnux-3.0-public-vm.rar (MD5 hash 4264b43aae783578ce00fdd7a5aaee64).
ISO image of a Live CD: remnux-3.0-public-live-cd.iso (MD5 hash 30cc52beed10de5c3e31a2a1d9ffdba8).

Getting Started With REMnux

Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux. Below are some notes to help you get started with becoming comfortable in REMnux.

To get a sense for the tools installed, configured and tested on REMnux and how to use them for malware analysis, take a look at the REMnux Usage Tips cheat sheet.

Using the REMnux Virtual Appliance

Prior to using REMnux as a VMware virtual appliance, you need to download a VMware product, such as VMware Player, VMware Workstation and VMware Fusion. If using VMware ESX server, you can use the VMware vCenter Converter tool to convert the virtual appliance to the ESX format.

Then, download the REMnux VMware virtual appliance rar file. Extract the file's contents into a dedicated directory using a tool such as "unrar". Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual appliance should start up within your VMware product.

The REMnux virtual appliance is configured to use the "host only" network, isolating the REMnux instance from the physical network. To connect REMnux to the network, for instance, to provide it with Internet access, change the settings of the virtual appliance to the appropriate network, such as "NAT". Then reboot REMnux or issue the "renew-dhcp" command.

If using VMware, you can optionally install VMware Tools in REMnux to automatically adjust the screen size.

You can other virtualization software, such as VirtualBox, which is able to import VMware virtual machine images. If using VirtualBox you may need to convert the VMware virtual appliance to the VirtualBox format. Alternatively, you can create a new virtual machine using VirtualBox and point it to the hard drive file (.vmdk) that's part of the REMnux virtual appliance.

Malware Analysis Tools Set Up On REMnux

Analyze Flash malware: SWFTtools, flasm, flare, RABCDAsm and xxxswf.py

Interacting with IRC bots: IRC server (Inspire IRCd) and client (epic5)

Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp , NetCat, NetworkMiner, ngrep, pdnstool and tcpdump

Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder and Jsunpackn

Explore and interact with web malware: Firefox Tamper Data and User Agent Switcher extensions, TinyHTTPd, Burp Suite Free Edition, Stunnel, Tor , Jsunpackn and torsocks.

Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu's sctest

Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD, xortools.py, ClamAV, ssdeep, md5deep, pescanner and Pyew

Analyze malicious documents: Didier Steven's PDF tools, Origami framework, PDF X-RAY Lite, Peepdf, Jsunpackn, pdftk, pyOLEScanner.py and Hachoir

Decompile Java programs: Jad, JD-gui

Perform memory forensics: Volatility Framework with malware, timeliner and other modules, AESKeyFinder and RSAKeyFinder.

Handle miscellaneous tasks: unzip, unrar, strings, feh image viewer, SciTE text editor, OpenSSH server, findaes, Xpdf PDF viewer, VBinDiff file comparison/viewer, FreeMind.

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me by email or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux.

Articles About REMnux

ISSA Journal published an article by Russ McRee on using REMnux with malware analysis (PDF). Its examples include the activation of INetSim, and the use of PDF analysis tools.
LWC.net published an article by Koen Vervloesem that showcases some REMnux capabilities. Its examples include the use of SWF and PDF analysis tools.
Christiaan Beek described how to use JSunpack-n, installed on REMnux, to analyze a malicious PDF file.
Dennis Fisher outlined the capabilities of the original REMnux release and the v3 update.
Erik Hjelmvik illustrated the use of NetworkMiner on REMnux.
Michael Kassner discussed the purpose of REMnux and outlined some of the tools installed on it.

轉自 http://www.browserunblocker.com/browse.php?u=Oi8vemVsdHNlci5jb20vcmVtbnV4Lw%3D%3D&b=29

The Password is…

2012-01-25T20:27:00.000+08:00

Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly began getting phone calls from concerned friends as well as strange “undeliverable” email notices.

Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so. Some folks had told them their own security apps had alerted when they tried to follow the link in the email.

It was pretty apparent to the couple that “something” was amiss with their PC but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately which they did, then arranged for a house-call the following day.

I already had a clue on what probably occurred, but went though my full checklist of items as I assessed the system. No rouge processes, no unexpected auto-start items. Additional security scans came through with flying colors.

Then I turned my attention to their email account. This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.

Last account activity - Gmail Help
Check if Your Gmail Account is Hacked with Activity Monitor - MakeUseOf
Yahoo! Enables Monitoring of Login Activity for Better Account Protection - YDN Blog

What we did have is one overlooked original email in the “Sent” folder showing a mail time of 8:15 PM Wed night. Neither of the couple reported being logged in on the system (or the email) at that time so it seemed fairly certain that is when the event occurred.

I mailed that to myself to look into the URL more later.

They use IE 9 and the system was fully patched. Flash and Java were outdated, but not too bad.

Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack on their account, quickly they had composed at least one email containing a single URL to everyone in their address book. I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had occurred.

For the really curious, here is a link to the urlQuery (free online URL scanner) findings from that particular URL I found: urlQuery scan result. Turns out that particular link leads to a compromised (?) website serving up fake AV scanner malware via some JavaScript code. That is why some recipients of the email were likely getting alerts when they visited the site. Sneaky.

Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.

Hacked! - The Atlantic - James Fallows has a fantastic cautionary tale about the loss of an email account to a hack-attack.
How Can I Find Out Why My Email Account Just Spammed My Friends and Family? - Lifehacker post has some tips on trying to get a handle on the aftermath cleanup.

This couple -- it turns out -- had been using a very weak password so it fell probably pretty fast.

Turns out weak passwords remain a common plague.

ISC Diary | Analysis of the Stratfor Password List is another clear warning of this danger.

Steve Ragan posted a simply amazing Report: Analysis of the Stratfor Password List which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easy these fall. See also: Researchers find many weak Stratfor passwords -Naked Security.

A brief Sony password analysis - Troy Hunt’s Blog

Your Top 20 Most Common Passwords - Tom’s Hardware

And just over the weekend there was this: Zappos customer info is breached. Change your password now! [Updated] - TechBlog via Chron.com

What is one to do? This maybe?

xkcd: Password Strength (see also xkcd: Password Reuse)

If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the Password Security Scanner freeware tool by NirSoft.

Some highly recommended online locations to check your current password strength against are:

Password Checker: Using Strong Passwords - Microsoft Security
How Secure Is My Password? - website
Password Strength Checker - The Password Meter
Test Your Password - website
Strength Test - Rumkin.com

Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.

Ten Things To Do to Secure an Important Person's Computer (or even Ashton's or a Kardashian's) - Scott Hanselman
Ultra High Security Password Generator - GRC
Password Haystacks: How Well Hidden is Your Needle? - GRC
Flexible One-Time Password MetaSystem - GRC
Password Advice - Bruce Schneier’s Schneier on Security blog
Secure Passwords Keep You Safer - Wired Security Matters post

From SophosLabs via YouTube

And just today, Lifehacker released a super-cool mega-graphic on password selection

Use This Infographic to Pick a Good, Strong Password - Lifehacker

Troy Hunt did a series of great, in-depth posts on password selection and science that are must-reads. I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.

The science of password selection - Troy Hunt’s Blog
I’m sorry, but were you actually trying to remember your comical passwords? - Troy Hunt’s Blog
Bad passwords are not fun and good entropy is always important: demystifying security fallacies - Troy Hunt’s Blog
The 3 reasons you’re forced into creating weak passwords - Troy Hunt’s Blog
Who’s who of bad password practices – banks, airlines and more - Troy Hunt’s Blog
The only secure password is the one you can’t remember - Troy Hunt’s Blog

Those last two points are my takeways, that nothing is more frustrating that internal application or external website password policies that are weak by design and force me to use a short password. And that the best password is one so damn complex there is no way I can remember it, even under duress.

I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)

How do I come up with one? I use two tools, a portable password manager application that stores the passwords in an encrypted container and a utility to generate randomized gobbly-gook passwords. In fact, many of the first item include the second item as a built in feature.

I linked to some of the GRC random password generators earlier but these other free portable password generation tools are great:

Password Guru - CEZEO Software generates complex and secure passwords with rule filters for length and special characters.
Password Generator - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.
Password GeneratorXP - I’ve been using an ealier version of this app for a very long time. Latest version is 1.5 updated in December 2011. Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and supports special symbols. Super app.
PWGen - Open-Source Password Generator for Windows using AES and SHA-2 crytography methods. Can support passwords with up to a crazy 20,000 length, can be fed a wordlist includes file if you prefer, can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. The included manual file is great reading regarding password security in general and not just the program operation itself.
PassworG - Free password generator software - pretty simple to use but strong password generator that might be easier for some folks to use.

So how do you manage these complex passwords?

KeePass Password Safe (or) KeePass Password Safe Portable is my personal preference. It has a ton of features, is free and portable, and has a lot of options for organizing the stored records. It is the cat’s meow.
Password Safe is a similar password keeper that comes highly recommended. The interface might be just a bit more easy for some folks to take to as opposed to KeePass.
Era Password manager is a nice password keeper tool again a bit simpler in interface but powerful under the hood if you go looking deeper.
Password Corral by Cygnus Productions is pretty nice.
Password Gorilla - See this Using Password Gorilla page for an overview.

Pick at least one tool from each category and learn to use them, then use them always.

And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? What if I loose it?”

I suppose you could create a TrueCrypt encrypted file, then put the encrypted KeePass data base inside it…

Just be sure you select a different crazy complex random password for each of them.

And put them in another password manager for safekeeping in case you forget.

轉自 http://grandstreamdreams.blogspot.com/2012/01/password-is.html

It’s a USB Thing

2012-01-24T20:24:00.001+08:00

I was working on a USB project recently and needed to capture an image of a USB device for restoration.

That got me reviewing my pile of USB tools and looking for updates. Found some and a bunch of new-to-me freeware USB tools.

Here you go.

USB Image Tool - alex’s coding playground - updated to v 1.58 with some nice fixes.

ImageUSB - Write an image to multiple USB Flash Drives - PassMark Software - great standalone tool to make/push images of USB flash drive devices. Hard to go wrong with this one!

USB Disk Ejector - Quick And Easy Software - This is a “cutsie” app but seems much easer to me to use than hunting in the system tray for the Windows USB device ejection method. Definitely makes it easier to identify the correct device when there are more than one connected and I’m rushing.

Dev Eject - Stop right now and add this one to your utility pile. Seriously. A co-worker has been having problems ejecting USB HDD devices from his XP system and turned to me to figure things out. He didn’t think he had any open calls to the device running and OpenedFilesView didn’t report any clues either. I turned to Dev Eject and immediately found the culprit: Symantec AV seemed to be doing a file-scan (slowly) when he was ejecting the device. More info in this AddictiveTips post: Identify Processes Hindering Removable Media Ejection With Dev Eject.

Use command line to safely remove USB drives by Mike Williams at BetaNews has a lot of clever tips.

Want lots of freeware USB tools? Serious, low level USB tools? CLI USB tools (and then some)?

Uwe Sieber’s got you covered! Drive Tools for Windows

RemoveDrive V2.2 - Safe removal of drives
RestartSrDev - restarts "Safely Removed" devices which have the "Code 21" problem code
EjectMedia V2.2 - ejects a media from a drive
ReMount - reassigning mounpoints (change drive letters)
ListDosDevices
USB-WriteCache V0.1
USB Drive Letter Manager - USBDLM (Note: USBDLM is Freeware for private and educational (schools, colleges, universities) use only.)

HotSwap! - Kazuyuki Nakayama - gives more friendly interface than the “Safely Remove Hardware” icon in the system tray does.

USBLogView - NirSoft tool to record all USB devices plugged into a system and logs to a file.

USBDeview v2.00 - NirSoft tool to list all USB devices plugged into a system as well as all USB devices previously used (with details).

RMPrepUSB - Tool to partition and format USB drive and make it bootable. Free for private use only. If you know what you are doing, this tool isn’t needed but it goes a long way to helping noobies and the author has a large number of tutorials as well. More here: RMPrepUSB – Amazing USB Formatting Tool! - post from AgniPulse,RMPrepUSB : Install Windows on USB, Speed up USB and do more with it via The Windows Club and RMPrepUSB: Create Bootable Windows/Linux USB, Test R/W Speed & More post via AddictiveTips.

How To Create Customizable Multiboot System Rescue Disk - AddictiveTips post on using SARDU builder to make a multiboot USB tool.

轉自 http://grandstreamdreams.blogspot.com/2012/01/its-usb-thing.html

Digital Image\Video Resources

2012-01-23T20:22:00.000+08:00

Little bro recently made a Christmas contribution to the “Claus-needs-a-new-hobby” campaign.
While a portion of it does involve me staying up much later each night now (like I needed that bad-habit) reading George R. R. Martin's “Game of Thrones” series on my Kindle, the most recent focus is the coming addition of a Canon PowerShot S95 to my photography tools.
For the longest time I have been seriously looking at the newer digital rangefinder class of cameras and the Olympus PEN E-P1 (Amazon link) fell into my price-point. I’ve yearned for this one for some time, however this particular model has been updated several times (more $$) and the Canon PowerShot S95 (Amazon link) was in the same range (price-wise). Though it also has a newer version, this one just seemed to have many more features (do I really need 1080p video when the S95’s 720p only video may never get used either?).
In the end it was the collection of Flickr: Canon PowerShot S95 group photos that sold me on it along with the smaller (pocket/backpack) format over the E-P1. It came down to me being honest with myself. I can’t take good pictures and improve my technique if I don’t carry the camera with me almost all times to take pictures to begin with…and the S95 is much more pocketable (and less imposing when in use) than the E-P1 or my Canon Rebel XT DSLR. So, photography links on the sidebar have been amended to remove the PEN and add the S95.
Hope to share some pics from it soon.
So, that leads us into these great digital imaging tools I’ve found recently (or have been updated).
Microsoft Research Image Composite Editor (ICE) - This remains my favorite image-stitching tool. Can also handle video stitching techniques: Microsoft ICE update–video to panorama, lens vignette, improved blending - HD View
Hugin - Panorama photo stitcher - This is a new-to-me project. It looks a lot more sophisticated that ICE so I’m looking forward to trying it out as well. It has a lot of control.
Scarab Darkroom - Beta version is free. From the page “Scarab Darkroom is a digital camera raw file converter/photo editor that supports most raw format capable cameras from Canon, Nikon, Olympus, Panasonic, Pentax, Samsung, and Sony. It is fast, easy to use, and produces excellent results. Development is still at the beta version stage.” My S95 has Raw+JPEG shooting format…. More here at AddictiveTips: Edit And Convert RAW Images To JPG With Scarab Darkroom
It’s been a while since I last posted a roundup of freeware video editing tools: grand stream dreams: Video-Editing Resource Roundup
Here are some new links: Top 3 free video editing software for Windows 7 via The Windows Club links to Avidemux, VirtualDub, and VideoSpin.
What amazes me is that the pro-class Lightworks Open Source Project (free!) for video editing never seems to come up. It is incredible. Is it too complicated? I’m looking forward to shooting some 720p video to experiment with the application.

轉自 http://grandstreamdreams.blogspot.com/2012/01/digital-imagevideo-resources.html

Utility Updates

2012-01-22T20:19:00.001+08:00

Quick linkfest running down some old tools updated and new tools discovered.

Autoruns v11.21: This update to Autoruns fixes a number of minor bugs, including one that could result in a crash when certain scheduled tasks are configured. Microsoft Sysinternals.

Process Explorer v15.12: This update to Process Explorer makes the search dialog asynchronous and reports the types of found items. It also fixes several bugs, including showing a small font when run after an older version, a bug in the restart-process functionality, working set columns not showing data, and again shows information about service processes when run from an unprivileged user account. Microsoft Sysinternals.

Strings v2.42: This Strings release fixes a bug that would result in a crash when the –n or -b options are specified without a file name. Microsoft Sysinternals.

Mark’s Blog: Case of the Installer Service Error: Follow along with Mark in another of his popular ‘Case of the Unexplained’ troubleshooting examples where he retraces the steps of a network administrator that used Process Monitor to figure out why the Windows Intune installer failed on one of his systems and goes on to fix the problem.

Mark’s Blog: The Case of My Mom’s Broken Microsoft Security Essentials Installation: Mark goes deep with the Sysinternals tools to fix a corrupt installation of MSE on his mom’s PC over the holidays.

CSVed 2.2.1 - Now at 2.2.1 version. See also NirSoft’s CSVFileView

CCleaner v3.14 - Piriform - System cleaner

Recuva v1.42 - Piriform - File recovery tool

Speccy v1.14 - Piriform - System information collector

CCEnhancer - v 2.5 - SingularLabs - plugin for CCleaner adding support for over 500 additional aps.

JavaRa - v 1.16 - SingularLabs - not updated but great tool to remove old/redundant versions of JRE. Now under development is JavaRa 2.0 alpha build which includes updating, removal and some additional bells-n-whistles.

Wecode.biz: Alternative Flash Player Auto-Updater - interesting tool to help update Adobe Flash Player. The latest builds of Flash Player do have an auto-updating feature baked in but it doesn’t (to me) seem to fire off and find newer builds as quickly as I would like to see. This is an alternative that might work good on friends and family PC’s.

ISC Diary | Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit -Why keeping Flash updated is important…as if we didn’t need a reminder.

Crystal Dew World - lots of updates here including CrystalDiskInfo and CrystalDiskMark

WinCrashReport - Displays a report about crashed Windows application - New NirSoft tool. See also this post by Nir Softer himself : New crash reporting utility for Windows

PST Viewer - Free tool to open and view content of PST files without Ms Outlook - Kernel Data Recovery. See also this review: Gave up Microsoft Outlook but need your PST file? There's an app for that - BetaNews. I like this tool in that when I recently had to carve the PST files off a nuked HDD to recover an end-users PST files, I got a ton of them. Rather than mounting each one to a working Outlook client profile, I just fired up this tool to inspect them with the user to find out which ones we wanted to attach and which ones were duplicates. Saved a boat-load of time. Could be good for incident responders as well.

Highlighter v1.1.3 Released - Mandiant M-unition blog notice. Download link

Download Batch Compiler - SourceForge - You need to install on a system (not portable) but still could be a great resource for building more complex batch files. See more info here at AddictiveTips: Batch Compiler: Create Batch Scripts & Convert Them To EXE Format

Splashtop Remote Desktop - interesting new tool for remote connection management. See this Splashtop Is A Better Alternative To Windows RDP at Windows7hacker blog.

Windows Live Writer Backup - Codeplex project page - See this Windows Live Writer Backup post at Windows7hacker blog.

轉自

File and Folder Linkfest

2012-01-21T20:20:00.000+08:00

As we continue the dig-out over here at the Valca link farm we now must turn attention to file and folder management tools.

Track Folder Changes - CodePlex project page - really clever tool still in development that shows (real-time) as files/folders are being changes for a specific folder/directory to be monitored. Nice GUI. More information at Track Folder Changes in Real Time Windows7hacker post and Track changes to folders with Track Folder Changes post at freewaregenius.

SearchMyFiles - NirSoft - Soo love this tool! It’s one of my must-haves for file-finding.

Everything Search Engine - Love this one too. Wicked fast but does it by building its own index database. Doesn’t search within files; just file/folder names.

UltraSearch - Freeware for Ultra-Fast File Search - JamSoftware - A bit like Everything but doesn’t build an index database rather relies on the MFT. Comes with a portable version.

Locate32 Web Site - Another nice free Windows file indexing application.

eXpress FreshFiles Finder - Super-great tool to quickly find the “freshest” files on a system.

FileProcessor - really powerful tool to find files as well as perform a number of actions on those found files. More info via AddictiveTips: FileProcessor: Set Filters, Search & Perform Batch Actions On Files

SpaceSniffer - Love it to visualize space usage on drives.

GetFolderSize - Interesting tool for scanning file/folder size usage on drives. Different GUI but pretty cool! Spotted via GetFoldersize to Determine the Size of Folders on Your Hard Drive - Windows7hacker.

FolderSize - Jan Horns tiny but quick app for folder size reporting.

NoVirusThanks Freeware tools - interesting tools (free and commercial) for Windows system monitoring. Good overview on them here: NoVirusThanks releases four handy system monitoring tools as freeware -Softwarecrew.

TestDisk - CGSecurity - Now at Version 6.13 for file/disk recovery.

ODIN - Open Disk Imager for Windows - interesting GUI/CLI based tool for drive backup and imaging. More info via AddictiveTips: Backup, Restore And Verify Disk Images With ODIN.

Hardwipe | File & Drive Wiper - GSD has had a number of posts already regarding file/drive wiping but this new-to-me tool is worth mentioning here. More info via AddictiveiIps: Easily Wipe & Clean Files, Folders And Hard Drives With Hardwipe.

Forensic Riddle #5 – Answer - Hexacorn Blog has been posting a series of great puzzlers this one leads us to this clever Microsoft resource: Naming Files, Paths, and Namespaces.

TakeOwnershipEx - WinAero - GUI tool that allows you to get full access to files and folders. More info via AddictiveTips: Take Ownership Of Files And Folders In Windows 8.

NTFS Permissions Tools 最新进展 (ver 1.0.0.45078 RC1 (2011-06-14)) - Site is Chinese but AddictiveTips has the lowdown on usage here: Allocate NTFS Permissions Easily With NTFS Permissions Tool.

Kickass Undelete - Browse /Kickass Undelete 1.2 beta - SourceForge.net - I really like this tool for file recovery. It’s not a all-in-one recovery tool, but is another great utility to keep on your response toolbelt.

WinAero: Librarian - powerful libraries manager for Windows 7. Slick interface and easy tool to use.

BExplorer (Better Explorer) - CodePlex - I want to like this project very much. I’m not feeling the love of the existing Windows 7 explorer menu-bar and this would go a long way to making it more powerful to use. However I’ve also had stability/installation issues on both Win7 x32/x64 systems so while it is on my “watch-list” it isn’t yet installed on my system.

FreeCommander - This alternative dual-pane Windows file manager remains top-of-the-heap on my systems. It is required usage here at GSD. I’ve still not found a better alternative though many come close. The developer is hard at work on a new version and the betas look very slick and powerful. Whenever the final public release of that one comes out.

My Commander - The interface on this one looks remarkably similar to FreeCommander. It comes in both 32bit and 64 bit flavors. It is quite nice and would probably be a close runner-up.

NexusFile: File Manager for Windows - This is one with GUI attitude. Want a nice “dark” look? This is it.

Explorer++ - I like this one as a USB stick alternative. Constantly updated and in both x32/x64 flavors it is a single EXE file which makes it nicely portable.

A43 - this was my original love in alternative WIndows file managers. It remains alive in development and has a lot of handy plugins in a format that others don’t seem to offer. Check it out.

EXIF/meta-data Linkage

2012-01-20T20:18:00.000+08:00

Been sitting on these for a while (sigh).

Metability Software is building a really cool and powerful tool to work with and explore EXIF data in images. FileMind Professional. It has a really nice tabbed main workspace and supports importing/exporting and reporting of EXIF data. I’m using the current (free) Beta Software version and it rocks.
They also offer a cool little freeware app FileMind QuickFix which can strip out sensitive EXIF data before posting photo files to the web. Check it out.
PhotoME - Exif, IPTC & ICC Metadata Editor is another free tool which can be used to show/display meta-data of image files. It is exceptionally well-rounded and has been around for a long time. Hat-tip to AddictiveTips for their post which led me to it: PhotoMe Lets You View, Analyze and Edit Image EXIF & IPTC Metadata
BatchPurifier LITE - Free Metadata Removal Tool - Another free tool to remove meta-data from files in batch. See a review at AddictiveTips: Batch Remove Image/JPEG Metadata With BatchPurifier Lite
AutoJpegTrunk (Google Translated) - very simple freeware tool/wrapper for ExifTool by Phil Harvey to clean meta-data. Again spotted at AddictiveTips: AutoJpegTrunk: ExifTool-Based Utility To Batch Remove Image Meta Data
ExifTool by Phil Harvey - freeware awesomeness for the core tool of all things meta-data handling.
Need more? see these Additional Resources on Phil Harvey’s page.
Vinetto : a forensics tool to examine Thumbs.db files
Vinetto - A Thumbs DB Parser/Viewer - Computer Forensics/E-Discovery Tips/Tricks and Information blog - includes info to get it running on Win32 as well as a built Win32 copy of Mark McKinnon’s work.

Why do we care about meta-data (examining and/or purging)?

Well for starters “dere’s gold in dem dere hills!”

Stealing GPS Data from Images in Pentests - Security Aegis
Strip your Images, not Yourself- Metability Software blog
What the Situation Room REALLY Shows…- Metability Software blog
Know Your Files - Metability Software blog
Beyond Data about Data: The Litigator's Guide to Metadata [PDF] 2005 - found via e-evidence.info
What's a Little Metadata Mining Between Colleagues [PDF] 2006 - Jessica M. Walker found via e-evidence.info
Mobile Phones: Digital Photo Metadata [PDF Poster] 2007 - found via e-evidence.info. Note link to the “Carvey_gmu2005.zip” file is broken so either it got moved or dropped. Maybe Harlan can repost or share the updated link? I’d love to see it.
GMU2005 presentations [Zipped PP Presentations] August 2005 -Harlan Carvey - Topics: The Windows Event Log file format; Tracking USB storage devices across Windows systems; File/document metadata.
Windows Incident Response: Updates - Quoting Keydet89 from the linked post:

“Did you map all of the USB removable storage devices that had been connected to the system? You don't need to have the management software installed to copy images and videos (hint, hint) off of a phone...just connect it via a USB cable and copy the images (which will likely have some very useful EXIF data available).”

In addition, there are a number of freeware (and $-$$$$) image viewers/tools that also include meta-data handling embedded in them. This post is focused on meta-data specific tools. I’ll post linkage on some of the other applications that are more in this later class soon.

轉自 http://grandstreamdreams.blogspot.com/2012/01/exifmeta-data-linkage.html

Active Directory Linkfest

2012-01-19T20:12:00.000+08:00

I’m working hard at getting up to speed on the whole Microsoft Active Directory thing.

Until lately, I’ve not had either the need nor the opportunity to get heavily involved in supporting customers in a full-blow AD environment. Sure, there are some basic “foundational" things I’ve been able to pick up and use, but now we are moving forward into a brave new world and I gotta kick up my expertise a bit. I’ve already purchased and am working through this excellent Active Directory: Designing, Deploying, and Running Active Directory, Fourth Edition (Amazon.com link) book to get the ball rolling.

So expect a few more AD-related posts around here…at least on the front end they will be more resource linking related as I fill out my virtual bookshelf.

Group Policy for Beginners - Microsoft Download Center - Great MS Word file to introduce basic Group Policy concepts.
Introduction to Active Directory - Learnthat.com - Nice heavily illustrated tutorial on Active Directory basics.
Active Directory Search Results - Microsoft Download Center. Lots and lots of documents, tools and tips.
Microsoft Events (Beta) - Amazing Microsoft site chock-full of awesome webcasts, podcasts, and virtual training sessions. All categorized, searchable, and level-rated Note the only “gotcha” is that the site seems to be driven by Silverlight and is very Internet Explorer dependent. Don’t hop to these pages in another browser unless it contains an IE-engine rendering engine.
Active Directory Related Pages - Microsoft Events - honed down to just AD items. I’ve got a lot of work here. For example, there is this Migrating from Novell NetWare to Windows Server 2003 you can eventually find which includes the full lab as well as a PDF guide. Cool!
Free Active Directory Virtual Labs - The Life of Brian
Download: Remote Server Administration Tools for Windows 7 with SP1 - Microsoft Download Center - Download Details
Download: Group Policy Documentation Survival Guide - Microsoft Download Center - Download Details

The 4sysops - For Windows Administrators website hosted by Michael Pietroforte is my go-to source for the best of tools and tips related to Windows system administration. It is full of great information and resources related to Active Directory items!

Active Directory - 4sysops - Link roundup of ALL AD-tagged posts at 4sysops
Free Active Directory Tools - 4sysops - Link roundup of ALL (free) AD-related tools featured on 4sysops
FREE: Active Directory Telephone Book - 4sysops - free tool to create an organizational phone-book based on AD information. Knowledge is power!
FREE: Active Directory Topology Diagrammer - 4sysops - New feature/tool supported by Visio 2003 or higher.
FREE: SysAdmin Anywhere – Active Directory Management - 4sysops - really slick interface on this tool to manage users in AD.
FREE: AD Info – User friendly Active Directory reporting tool - 4sysops - full featured tool that has lots of pre-built queries for reporting.
FREE: Account Lockout Tools – View lockout status and unlock account - 4sysops - Feature post on a component from Microsoft’s Account Lockout and Management Tools. Sweet.
FREE: AD Tidy – Identify last logged on user and computer accounts - 4sysops - “It can be used to identify when user/computer accounts last logged on to the network and can tidy up these accounts in various different ways.”
FREE: Active Directory Explorer – Active Directory Viewer - 4sysops - Review and reminder of the must-have Microsoft Sysinternals AD Explorer utility. Power to the people!
How to disable USB drive use in an Active Directory domain - 4sysops - Just in case you need to…
Troubleshoot slow logon – Part 1: Profile size - 4sysops - Great troubleshooting guide on login issues.
Troubleshoot slow logon – Part 2: The 3-headed monster- 4sysops - Great troubleshooting guide on login issues continued.
Change the local administrator password on multiple computers with PowerShell - 4sysops - Who doesn’t have to deal with this monster from time to time.

Expect more AD-related resource posts moving forward.

If you have any great and free AD-related tools, tips and resources please share in the comments!

Cheers!

轉自 http://grandstreamdreams.blogspot.com/2012/01/active-directory-linkfest.html

Dual Purpose Volatile Data Collection Script

2012-01-13T21:50:00.000+08:00

When responding to a potential security incident a capability is needed to quickly triage the system to see what's going on. Is a rogue process running on the system, whose currently logged onto the system, what other systems are trying to connect over the network, or how do I document the actions I took on the system. These are valid questions during incident response whether the response is for an actual event or a simulation. One area to examine to get answers is the systems' volatile data. Automating the collection of volatile data can save valuable time which in turn helps analysts examine the data faster in order to get answers. This post briefly describes (and releases) the Tr3Secure volatile data collection script I wrote.

Tr3Secure needed a toolset for responding to systems during attack simulations and one of the tools had to quickly collect volatile data on a system (I previously discussed what Tr3Secure is here). However, the volatile data collection tool had to provide dual functions. First and foremost it had to properly preserve and acquire data from live systems. The toolset is initially being used in a training environment but the tools and processes we are learning need to be able to translate over to actual security incidents. What good is mastering a collection tool that can’t be used during live incident response activities? The second required function was the tool had to help with training people on examining volatile data. Tr3Secure members come from different information security backgrounds so not every member will be knowledgeable about volatile data. Collecting data is one thing but people will eventually need to know how to understand what the data means. The DFIR community has a few volatile data collection scripts but none of the scripts I found provided the dual functionality for practical and training usage. So I went ahead and wrote a script to meet our needs.

Practical Usage

These were some considerations taken into account to ensure the script is scalable to meet the needs for volatile data collection during actual incident response activities.
Flexibility

Different responses will have different requirements on where to store the volatile data that’s collected. At times the data may be stored on the same drive where the DFIR toolset is located while at other times the data may be stored to a different drive. I took this into consideration and the volatile data collection script allows for the output data to be stored on a drive of choice. If someone prefers to run their tools from a CD-ROM while someone else works with a large USB removable drive then the script can be used by the both of them.
Organize Output

Troy Larson posted a few lines of code from his collection script to the Win4n6 sometime ago. One thing I noticed about his script was that he organized the output data based on a case number. I incorporated his idea into my script; a case number needs to be entered when the script is run on a system. A case folder enables data collected from numerous systems to be stored in the same folder (folder is named Data-Case#). In addition to organizing data into a case folder, the actual volatile data is stored in a sub-folder named after the system the data came from (system's computer name is used to name the folder). To prevent overwriting data by running the script multiple times on the same system I incorporated a timestamp into the folder name (two digit month, day, year, hour, and minute). Appending a timestamp to the folder name means the script can execute against the same system numerous times and all of the volatile data is stored in separate folders. Lastly, the data collected from the system is stored in separate sub-folders for easier access. The screenshot below shows the data collected for Case Number 100 from the system OWNING-U on 01/01/2012 at 15:46.

Documentation

Automating data collection means that documentation can be automated as well. The script documents everything in a collection log. Each case has one collection log so regardless if data is collected from one or ten systems an analyst will only have to worry about reviewing one log.

The following information is documented both to the screen for an analyst to see and a collection log file: case number, examiner name, target system, user account used to collect data, drives for tools and data storage, time skew, and program execution. The script prompts the analyst for the case number, their name, and the drive to store data on. This information is automatically stored in the collection log so the analyst doesn’t have to worry about maintaining documentation elsewhere. In addition, the script prompts the analyst for the current date and time which is used to record the time difference between the system and the actual time. Every program executed by the script is recorded in the collection log along with a timestamp of when the program executed. This will make it easier to account for artifacts left on a system if the system is examined after the script is executed. The screenshot below shows the part of the collection log for the data collected from the system OWNING-U.

Preservation

RFC 3227’s Order of Volatility outlines that evidence should be collected starting with the most volatile then proceeding to the less volatile. The script takes into account the order of volatility during data collection. When all data is selected for collection, the memory is first imaged then volatile data is collected followed by collecting non-volatile data. The volatile data collected is: process information, network information, logged on users, open files, clipboard, and then system information. The non-volatile data collected is installed software, security settings, configured users/groups, system's devices, auto-runs locations, and applied group policies. Another item the script incorporated from Troy Larson’s comment in the Win4n6 group is preserving the prefetch files before volatile data is collected. I never thought about this before I read his comment but it makes sense. Volatile data gets collected by executing numerous programs on a system and these actions can overwrite the existing prefetch files with new information or files. Preserving the prefetch files upfront ensures analysts will have access to most of the prefetch files that were on the system before the collection occurred (four prefetch files may be overwritten before the script preserves them). The script uses robocopy to copy the prefetch files so the file system metadata (timestamps, NTFS permissions, and file ownership) is collected along with the files themselves. The screenshot below shows the preserved files for system OWNING-U.

Tools Executed

The readme file accompanying the script outlines the various programs used to collect data. The programs include built-in Windows commands and third party utilities. The screenshot below shows the tools folder where the third party utilities are stored.

I’m not going to discuss every program but I at least wanted to highlight a few. Windows diskpart command allows for disks, partitions, and volumes to be managed through the command line. The script leverages diskpart to make it easy for an analyst to see what drives and volumes are attached to a system. Hopefully, the analyst won’t need to open up Windows explorer to see what the removable media drive mappings are since the script displays the information automatically as shown below. Note, to make diskpart work a text file needs to be created in the tools folder named diskpart_commands.txt and the file needs to contain these two commands on separate lines: list disk and list volume.

Mandiant’s Memoryze is used to obtain a forensic image of the system’s memory. Memoryze supports a wide range of Windows operating systems which makes the script more versatile for dumping RAM. The key reason the script uses Memoryze is because it’s the only free memory imaging program I found that allows an image to be stored in a folder of your choice. Most programs will place the memory image in the same folder where the command line is opened. This wouldn’t work because the image would be dropped in the folder where the script is located instead of the drive the analyst wants. Memoryze uses an xml configuration file to image RAM so I borrowed a few lines of code from the MemoryDD.bat batch file to create the xml file for the script. Note, the script only needs the memoryze.exe; to obtain the exe install Memoryze on a computer then just copy memoryze.exe to the Tools folder.

PXServer’s Winaudit program obtains the configuration information from a system and I first became acquainted with the program during my time performing vulnerability assessments. The script uses Winaudit to collect some non-volatile data including the installed software, configured users/groups, and computer devices. Winaudit is capable of collecting a lot more information so it wouldn’t be that hard to incorporate the additional information by modifying the script.

Training Usage

These were the two items put into the script to assist with training members on performing incident response system triage.
Ordered Output Reports

The script collects a wealth of information about a system and this may be overwhelming to analysts new to examining volatile data. For example, the script produces six different reports about the processes running on a system. A common question when faced with so many reports is how should they be reviewed. The script’s output reports have numbers which is the suggested order for them to be reviewed. This provides a little assistance to analysts until they develop their own process for examining the data. The screenshots below shows the process reports in the output folder and those reports opened in Notepad ++.

Understanding Tool Functionality and Volatile Data

The script needs to help people better understand what the collected data means about the system where it came from. Two great references for collecting, examining, and understanding volatile data are Windows Forensic Analysis, 2nd edition and Malware Forensics: Investigating and Analyzing Malicious Code. I used both books when researching and selecting the script’s tools to collect volatile data. What better ways to help someone better understand the tools or data then by directing them to references that explain it? I placed comments in the script containing the page number where a specific tool is discussed and the data explained in both books. The screenshot below shows the portion of the script that collects process information and the references are highlighted in red.

Releasing the Tr3Secure Volatile Data Collection Script

There are very few things I do forensically that I think are cool; this script happens to be one of them. There are not many tools or scripts that work as intended while at the same time provide training. People who have more knowledge about volatile data can hit the ground running with the script investigating systems. The script automates imaging memory image, collecting volatile/non-volatile data, and documenting every action taken on the system. People with less knowledge can leverage the tool to learn how to investigate systems. The script collects data then the ordered output and references in the comments can be used to interpret the data. Talk about killing two birds with one stone.

The following is the location to the zip file containing the script and the readme file <zip download link is here>. Please be advised, a few programs the script uses require administrative rights to run properly.

轉自 http://journeyintoir.blogspot.com/2012/01/dual-purpose-volatile-data-collection.html

找出 Linux 是否有隱藏的 Process 與 Port - unhide

2012-01-11T21:29:00.000+08:00

很多 rootkits 用了一些隱藏技巧，用 netstat 也找不出來，這個時候可以用 chkrootkit 這類工具掃瞄，另外還可以用 Unhide 搜索是否有不尋常的 process 及 port。
Unhide 是一個輕巧的安全工具，可以找出 rootkit 所開啟的 process 或 TCP/UDP ports，除了 Unix 版本外，它還有 Windows 版本。

如果是使用 Redhat，可以到 pkgs.org 下載相應版本的 rpm 檔案裝。
在 Debian / Ubuntu 則較簡單，用 apt-get 安裝就好了。

# apt-get install unhide

至於使用上也是很簡單，一般上以下幾個指令就會搜索系統內隱藏的 process 及 ports:

# unhide-posix proc
# unhide-posix sys
# unhide-tcp

轉自 http://www.hkcode.com/linux-bsd-notes/615

Jump List Analysis

2012-01-09T21:53:00.000+08:00

I've recently spoke with a couple of analysts I know, and during the course of these conversations, I was somewhat taken aback by how little seems to be known or available with respect to Jump Lists. Jump Lists are artifacts that are new to Windows 7 (...not new as of Vista...), and are also available in Windows 8. This apparent lack of attention to Jump Lists is most likely due to the fact that many analysts simply haven't encountered Windows 7 systems, or that Jump Lists haven't played a significant role in their examinations. I would suggest, however, that any examination that includes analysis of user activity on a system will likely see some significant benefit from understanding and analyzing Jump Lists.

I thought what I'd try do is consolidate some information on Jump Lists and analysis techniques in one location, rather than having it spread out all over. I should also note that I have a section on Jump Lists in the upcoming book, Windows Forensic Analysis 3/e, but keep in mind that one of the things about writing books is that once you're done, you have more time to conduct research...which means that the information in the book may not be nearly as comprehensive as what has been developed since I wrote that section.

In order to develop a better understanding of these artifacts, I wrote some code to parse these files. This code consists of two Perl modules, one for parsing the basic structure of the *.automaticDestinations-ms Jump List files, and the other to parse LNK streams. These modules not only provide a great deal of flexibility with respect to what data is parsed and how it can be displayed (TLN format, CSV, table, dumped into a SQLite database, etc.), but also the depth to which the data parsing can be performed.

Jump List Analysis

Jump Lists are located within the user profile, and come in two flavors; automatic and custom Jump Lists. The automatic Jump Lists (*.automaticDestinations-ms files located in %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations) are created automatically by the shell as the user engages with the system (launching applications, accessing files, etc.). These files follow the MS-CFB compound file binary format, and each of the numbered streams within the file follows the MS-SHLLINK (i.e., LNK) binary format.

The custom Jump Lists (*.customDestinations-ms files located in %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations) are created when a user "pins" an item (see this video for an example of how to pin an item). The *.customDestinations-ms files are apparently just a series of LNK format streams appended to each other.

Each of the Jump List file names starts with a long string of characters that is the application ID, or "AppID", that identifies the specific application (and in some cases, version) used to access specific files or resources. There is a list of AppIDs on the ForensicsWiki, as well as one on the ForensicArtifacts site.

From an analysis perspective, the existence of automatic Jump Lists is an indication of user activity on the system, and in particular interaction via the shell (Windows Explorer being the default shell). This interaction can be via the keyboard/console, or via RDP. Jump Lists have been found to persist after an application has been deleted, and can therefore provide an indication of the use of a particular application (and version of that application), well after the user has removed it from the system. Jump Lists can also provide indications of access to specific files and resources (removable devices, network shares).

Further, the binary structure of the automatic Jump Lists provides access to additional time stamp information. For example, the structures for the compound binary file directory entries contain fields for creation and modification times for the storage object; while writing and testing code for parsing Jump Lists, I have only seen the creation dates populated.

Digging Deeper: LNK Analysis
Within the automatic Jump List files, all but one of the streams (i.e., the DestList stream) are comprised of LNK streams. That's right...the various numbered streams are comprised of binary streams following the MS-SHLLINK binary format. As such, you can either use something like MiTeC's SSV to view and extract the individual streams, and then use an LNK viewer to view the contents of each stream, or you can use Mark Woan's JumpLister to view and extract the contents of each stream (including the DestList stream). The numbered streams do not have specific MAC times associated with them (beyond time stamps embedded in MS-CFB format structures), but they do contain MAC time stamps associated with the target file.

Most any analyst who has done LNK file analysis is aware of the wealth of information contained in these files/streams. My own testing has shown that various applications populate these streams with different contents. One thing that's of interest...particularly since it was pointed out in Harry Parsonage's The Meaning of LIFE paper...is that some LNK streams (I say "some" because I haven't seen all possible variations of Jump Lists yet, only a few...) contain ExtraData (defined in the binary specfication), including a TrackerDataBlock. This structure contains a machineID (name of the system), as well as two "Droids", each of which consists a VolumeID GUID and a version 1 UUID (ObjectID). These structures are used by the Link Tracking Service; the first applies to the new volume (where the target file resides now), and the second applies to the birth volume (where the target file was when the LNK stream was created). As demonstrated in Harry's paper, this information can be used to determine if a file was moved or copied; however, this analysis is dependent upon the LNK stream being created prior to the action taking place. The code that I wrote extracts and parses these values into their components, so that checks can be written to automatically determine if the target file was moved or copied.

There's something specific that I wanted to point out here that has to do with LNK and Jump List analysis. The format specification for the ObjectID found in the TrackerDataBlock is based on UUID version 1, defined in RFC 4122. Parsing the second half of the "droid" should provide a node identifier in the last 6 bytes of stream. Most analysts simply seem to think that this is the MAC address (or a MAC address) for the system on which the target file was found. However, there is nothing that I've found thus far that states emphatically that it MUST be the MAC address; rather, all of the resources I've found indicate that this value can be a MAC address. Given that a system's MAC address is not stored in the Registry by default, analysis of an acquired image makes this value difficult to verify. As such, I think that it's very important to point out that while this value can be a MAC address, there is nothing to specifically and emphatically state that it must be a MAC address.

DestList Stream
The DestList stream is found only in the automatic Jump Lists, and does not follow the MS-SHLLINK binary format (go here to see the publicly documented structure of this stream). Thanks to testing performed by Jimmy Weg, it appears that not only is the DestList stream a most-recently-used/most-frequently-used (MRU/MFU) list, but some applications (such as Windows Media Player) appear to be moving their MRU lists to Jump Lists, rather than continuing to use the Registry. As such, the DestList streams can be a very valuable component of timeline analysis.

What this means is that the DestList stream can be parsed to see when a file was most recently accessed. Unlike Prefetch files, Jump Lists do not appear (at this point) to contain a counter of how many times a particular file (MSWord document, AVI movie file, etc.) was accessed or viewed, but you may be able to determine previous times that a file was accessed by parsing the appropriate Jump List file found in Volume Shadow Copies.

Summary
Organizations are moving away from Windows XP and performing enterprise-wide rollouts of Windows 7. More and more, analysts will encounter Windows 7 (and before too long, Windows 8) systems, and need to be aware of the new artifacts available for analysis. Jump Lists can hold a wealth of information, and understanding these artifacts can provide the analyst with a great deal of clarity and context.

Resources
ForensicsWiki: Jump Lists
Jump List Analysis pt. I, II, III
DestList stream structure documented
Harry Parsonage's The Meaning of LIFE paper - a MUST READ for anyone conducting LNK analysis
RFC 4122 - UUID description; sec 4.1.2 describes the structure format found in Harry's paper; section 4.1.6 describes how the Node field is populated
Perl UUID::Tiny module - Excellent source of information for parsing version 1 UUIDs

轉自 http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

How to Use Advanced Google Search Techniques to Resolve your Investigations

2012-01-07T20:22:00.000+08:00

If you’re like me, you probably use Google many times a day. But, chances are, unless you are a technology geek, you probably still use Google in its simplest form. If your current use of Google is limited to typing a few words in, and changing your query until you find what you’re looking for, then I’m here to tell you that there’s a better way – and it’s not hard to learn. On the other hand, if you are a technology geek, and can use Google like the best of them already, then I suggest you bookmark this article of Google search tips. You’ll then have the tips on hand when you are ready to pull your hair out in frustration when watching a neophyte repeatedly type in basic queries in a desperate attempt to find something.
The following Google tips are based on my own experience and things that I actually find useful. The list is by no means comprehensive. But, I assure you that by learning and using the 12 tips below, you’ll rank up there with the best of the Google experts out there. I’ve kept the descriptions of the search tips intentionally terse as you’re likely to grasp most of these simply by looking at the example from Google anyways.

12 Expert Google Search Tips

Explicit Phrase:
Lets say you are looking for content about internet marketing. Instead of just typing Bill Clinton into the Google search box, you will likely be better off searching explicitly for the phrase. To do this, simply enclose the search phrase within double quotes.

Example: "Bill Clinton"

Exclude Words:
Lets say you want to search for content about a certain phone number, but you want to exclude any results that contain the term eBay. To do this, simply use the "-" sign in front of the word you want to exclude.

Example Search: 555-1212 -eBay

Site Specific Search:
Often, you want to search a specific website for content that matches a certain phrase. Even if the site doesn’t support a built-in search feature, you can use Google to search the site for your term. Simply use the "site:somesite.com" modifier. This will allow you to search the entire site for the given search term.

Example: "ipod 32gb touch" site:www.craigslist.org
Example: "Brittany Spears" site:www.facebook.com

Similar Words and Synonyms:
Let’s say you want to include a word in your search, but want to include results that contain similar words or synonyms. To do this, use the "~" in front of the word.

Example: "Apple Ipad 32gb" ~Ipod 32 gb

Specific Document Types:
If you’re looking to find results that are of a specific type, you can use the modifier "filetype:". For example, you might want to find only PowerPoint presentations related to internet marketing.

Example: "internet marketing" filetype:ppt

This OR That:
By default, when you do a search, Google will include all the terms specified in the search. If you are looking for any one of one or more terms to match, then you can use the OR operator. (Note: The OR has to be capitalized).

Example: internet marketing OR advertising

Phone Listing:
Let’s say someone calls you on your mobile number and you don’t know who it is. If all you have is a phone number, you can look it up on Google using the phonebook feature.

Example: phonebook:617-555-1212 (note: the provided number does not work – you’ll have to use a real number to get any results).

Area Code Lookup:
If all you need to do is to look-up the area code for a phone number, just enter the 3-digit area code and Google will tell you where it’s from.

Example: 617

Numeric Ranges:
This is a rarely used, but highly useful tip. Let’s say you want to find results that contain any of a range of numbers. You can do this by using the X..Y modifier (in case this is hard to read, what’s between the X and Y are two periods.) This type of search is useful for years (as shown below), prices, or anywhere where you want to provide a series of numbers.

Example: president 1940..1950

Stock (Ticker Symbol):
Just enter a valid ticker symbol as your search term and Google will give you the current financials and a quick thumb-nail chart for the stock.

Example: GOOG

Calculator:
The next time you need to do a quick calculation, instead of bringing up the Calculator applet, you can just type your expression in to Google.

Example: 48512 * 1.02

Word Definitions:
If you need to quickly look up the definition of a word or phrase, simply use the "define:" command.

Example: define:plethora
Hope this list of Google search tips proves useful in your future Google searches. If there are any of your favorite Google expert power tips that I’ve missed, please feel free to share them in the comments. If you would like to learn more about using this powerful tool you can check out the Social Networking Investigations Webinar at the McAfee Institute.

轉自 http://www.mcafeenetwork.com/forum/topics/how-to-use-advanced-google-search-techniques-to-resolve-your-inve

Ripping Volume Shadow Copies Sneak Peek

2012-01-06T21:47:00.000+08:00

I was hesitant to do a sneak peak about a different approach to examine Volume Shadow Copies (VSCs). I personally don’t like sneak peeks and would rather wait to see the finished product. I think it’s along the lines of starting a movie then stopping it after 15 minutes and being forced to finish watching months later. If I don’t like sneak peeks then why am I putting others through it? I previously mentioned how I wanted to spend my furlough days by putting together some posts about another approach to examining VSCs. Well last week was my furlough week and my family wrote a new version to the carol The Twelve Days of Christmas. Four out of town trips, three sick kids, two family emergencies, and one blogger quarantined to his room. Needless to say I had to spend my time focused on my family. I won’t have time to write the VSCs blog posts until next month so I at least wanted to show one example on how I use this method.

There are times when I get a system that has been altered and one change is removing financial software from the system. This is pretty important because if I’m trying to locate financial data then I need to know what software is on the system so I know what kind of files to look for. There is a chance some file types might initially be missed if I’m not aware a certain program was installed at some point in the past. Different registry keys can help determine what programs were installed or executed but you can get a more complete picture about a system by looking at those same registry keys at different points in time. Performing registry analysis in this manner has allowed me to quickly identify uninstalled financial applications which reduced the time needed to find the data. Anyone who has used Harlan’s RipXP understands the value in seeing registry keys at different points in time. I used the same concept with one exception: numerous registry keys can be queried at the same time when dealing with VSCs.

The system I used for this demonstration was a live Windows 7 Ultimate 32 bit system. In the past I also used it against Windows 7 and Vista. forensic images

Obtaining General Operating System Information

I discussed previously one initial examination step is to get a better understanding about the system I’m facing. I use a batch script with Regripper to obtain a wealth of information about how the system was configured when it was last powered on. The configuration information is from only one point in time but if the system has VSCs then that means the same information can be obtained from different points in time. Seeing the same configuration information enables you to see how the system changed slightly over time including what software was installed or uninstalled. To do this I made some modifications to the general operating system batch script which lets me run it against VSCs I have access to.

I’m not going to discuss accessing VSCs in this post. For information on how to access VSCs I’d check out Harlan’s Even More Stuff post since he provides a link to his slide deck he gave to the online DFIR meet-up on the topic. My Windows 7 system had 19 VSCs and for the demonstration I only used the following:
        - ShadowCopy19 12/13/2011 6:13:35 PM
        - ShadowCopy16 12/01/2011 8:08:50 AM
        - ShadowCopy3 11/28/2011 11:19:40 AM
        - ShadowCopy1 8/26/2011 12:15:34 PM

The screen shot below shows the main menu to the vsc-parser (most selections have sub menus). To review the system to identify software of interest I’m interested in selection 2: “Obtain General Operating System Information from Volume Shadow Copies”.

The selection will immediately execute my Regripper batch file against every VSC I have access to. The picture below shows the script running against my four VSCs. I highlighted the samparse and uninstall plug-ins that executed.

The output from the script is nicely organized into different folders based on what the information is.

I’m interested in the software on the system which means I need the reports in the software-information folder. A report was created for each VSC I had access to (notice how the file name contains the VSC number it came from).

Now at this point I can review the reports and notice the slight differences between each VSCs. I tend to look at the most recent VSC then work my way to the oldest VSC. It makes it easier to see how the system slightly changed over time from the forensic image I examined first.

On a case I used this technique and it helped me to identify a financial application that was removed from the system. In the end it saved some a lot of time because this was one of my initial steps and I knew right off the bat I was looking for specific file types. Some may be wondering why I decided to highlight the samparse plug-in as well. At another time the same technique helped me verify a user account existed on the system and narrow down the timeframe when it was removed from the system.

I showed an example running Regripper against registry hives stored in VSCs on a live Windows 7 system. However, the approach is not only limited to registry hives or Regripper since you can pretty much parse any data stored in a VSC.

轉自 http://journeyintoir.blogspot.com/2011/12/ripping-volume-shadow-copies-sneak-peek.html

Android邏輯數據手動提取和分析

2012-01-04T22:41:00.000+08:00

Android邏輯數據手動提取和分析

1. SMS、MMS相關信息的手動提取

首先，通過鏡像或者具備ROOT權限的程序將以下文件夾完整提取：

以下分別對各個目錄進行解釋：

App_parts:

手機中收發的彩信附件，如圖片：

該文件是以附件添加/收到的時間命名的，時間戳採用毫秒換算，由於不熟悉C語言，只能用Excel做一個換算式：

文件解析為圖片：

Databases

該文件夾下包含兩個文件：

分別包含手機APN信息：

手機短信、彩信中包含的所有號碼信息（推薦號碼/典型號碼）：

以保存（已發送/已接收）的彩信結構：

快速回覆短信：

全部短信內容：

提取出的數據經時間戳轉化後與原信息無異。

2. 通訊錄手動提取和解析

手機中設置同步的Gmail帳戶：

最近500條通話記錄：

所有聯繫人：

所有事件（如聯繫人生日）保存信息：

聯繫人分組：

所有聯繫人對應Gmail服務器的同步地址：

從以上分析可以看出，Android系統的邏輯數據與應用程序一樣，存儲結構都比較簡單，且基本不採用加密，取證人員掌握簡單的取證技術均可實現手動提取和分析。

作者後期還將繼續針對Android和iOS等智能手機系統的取證進行深入探究，歡迎各位從事計算機取證工作的朋友及時批評指正，共同探討學習。

轉自 http://www.cnblogs.com/ysun/archive/2011/08/12/2136766.html

EnCase v7 簡介

2012-01-02T22:39:00.001+08:00

Guidance 將於今年年底之前發佈EnCase v7，今日拿到了v7測試版本，下面對新功能進行簡要介紹並截圖說明。
（Version 7.0.20.13）

新用戶界面

EnCase v7相對於傳統的v5、v6界面有了較大改變，一改以往的四格和多級Tab界面，而採用了單頁面多窗口的「瀏覽器式」風格，估計會讓很多v6用戶感到極不適應。

新建案例窗口，案例信息採用模板方式，調查人員可根據自己需要定製案例信息模板

主界面窗口

添加證據界面，新版本將Neutrino整合，可直接添加智能手機，這也是v7的一大新功能。

Entries部分，之前的多級標籤式結構已經變為單級標籤+前後頁面導航

新功能和改進

1. 新的案例信息界面（見上節）
2. 關聯Hash Library：新的散列庫功能允許用戶指定一個Primary和一個Secondary散列庫，方便在調查時使用多個散列集以及針對特定案件指定特定散列集。
3. 添加案例部分，界面進行了較大改進，把原來的Source樹形結構+Sessions、物理內存、進程內存三個複選框改為了嚮導式選擇，並提供DCO支持。
4. 獲取：新的證據文件界面如下，如需對加載驅動器進行獲取，則需要進行Evidence Process，這也是v7的一個新功能，將簽名校驗、哈希計算等整合在「案例處理器」中（案例處理器後述），個人認為這是EnCase 「FTK化」的標誌之一

Evidence Processor

獲取選項，可以看到新的證據文件格式Ex01

5. 新證據文件格式Ex01：Guidance秉承了他們只要更新版本就會有大改動的「優良傳統」，此次推出了Ex01格式，官方解釋是由於E01已不能夠滿足新版本EnCase的需求，且v7很多功能都需要新的證據文件格式配合（如Indexing），新的Ex01較E01的主要改變在於，內部數據塊全部加密，加密方式為AES，同時，原有的壓縮選項由三項改為兩項「啟用」和「禁用」，證據文件散列自校驗支持MD5、SHA-1以及MD5+SHA-1。
6. 證據文件處理器：Evidence Processor，新功能，整合了Recover Folders、文件簽名分析、查找加密文件（與Passware合作）、散列分析、展開符合文件、查找電子郵件、查找互聯網信息、關鍵字搜索（值得一提的新功能，不需建立全局關鍵詞或者案例關鍵詞，直接輸入關鍵詞便可進行查找，便於初期分析）、索引（值得一提，全新的索引引擎，可以添加Noise File，並且支持在殘留區和未分配空間索引，Guidance開發經理號稱這個是他們自己開發的一項與眾不同的技術）。
需注意的是，v7的Evidence Processor是支持多線程處理的。

Evidence Processor 中的索引選項

7. 智能手機支持：雖說相對於Oxygen和Paraben還具有一定差距，但畢竟EnCase不是Cell Phone Forensic軟件，所以能提供這樣的功能客觀地說已經比較難得，不過這部分在最終發佈時可能還會採取單獨的模塊銷售。

智能手機報告生成器，可自動對添加的手機證據文件生成報告，值得一提的是，可以把手機（或GPS）當中的地理位置信息或包含地理位置信息的圖片直接生成為kmz, 可使用Google Earth直接打開查看，非常方便

Tag，"FTK化"的又一典型標誌

8. 報告
在v7中，報告功能得到了極大增強，用戶可以定製自己的模板，Guidance甚至允許用戶直接使用代碼編輯報告模板（相似於html代碼，使用非常簡單）

報告模板代碼編輯頁面

可隨時預覽的報告

9. 打包，v7允許用戶將案例、證據文件、Primary&Secondary Cache打包保存或轉移，（//這應該是EnCase轉向網絡調查方向的一個標誌），可供用戶選擇的有副本、存檔和自定義模式。

另外，v7中，EnScript語言也進行了一些改動，在此不再贅述。
總之，EnCase v7功能上的改動很大，後續使用感受擇日再發。

轉自 http://www.cnblogs.com/ysun/archive/2011/05/23/2054580.html

使用Winacq製作磁碟映像檔

2011-12-31T22:38:00.000+08:00

EnCase從6.16版本開始，提供了命令行工具Winacq用於獲取E01鏡像文件，並且，該命令可以支持處理器多核、多線程獲取。Winacq命令使用參數如下：

-p 證據文件路徑
-m 證據文件名稱
-c 案例名稱
-e 調查員姓名
-r 證據編號
-d 壓縮方式（0=不壓縮，1=最快，2=最好，默認為0）
-n 備註
-s 最大文件大小（設置分隔大小，最小1MB，最大1048576MB，默認640MB）
-b 塊大小（默認64，最小1，最大1024）
-f 配置文件
-t 計算MD5值（默認true，可選true和false）
-l 計算SHA-1值（設置同上）
-wrk 設置工作線程數（默認10，最小1，最大20）
-rdr 設置讀取線程數（默認5，最小1，最大5）
-hsh 使用獨立線程計算散列
-dev 需獲取的物理磁盤的編號
-cdrom 指定獲取光驅
-vol 需獲取的卷標
-h 幫助信息

轉自 http://www.cnblogs.com/ysun/archive/2010/05/31/1748297.html

vdi與vmdk/vhd/raw之間的轉換

2011-12-30T20:46:00.000+08:00

Virtual Disk Conversion
VirtualBox uses VDI files for primary hdd image. After you export the VM it will become a VMDK. I f you want to convert it back to VDI, or just want to convert image type you can do it with the following command:
Syntax:

#VBoxManage.exe internalcommands converthd -srcformat FORMAT1 -dstformat FORMAT2 SRCFILE DSTFILE

Example:

v:\VM\HD>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands co
nverthd -srcformat VMDK -dstformat VDI V:\VM\HD\W2003_Ent_R2_SP2.vmdk v:\VM\HD\W
2003_Ent_R2_SP2_DC.vdi

轉自 http://www.cnblogs.com/ysun/archive/2011/10/11/2206737.html

iOS 4 (iPhone/iPad/iPod Touch) 密碼破解

2011-12-29T20:44:00.000+08:00

蘋果iOS 4中，文件系統是加密的，且用戶可以通過設置鎖屏密碼來保護自己的iOS設備
不知道有沒有手機取證調查人員記得，在iOS 3中，可以通過刪除keychain和springboard兩個文件來實現清空密碼，但在iOS 4中，這個方法無效，只會導致所有賬戶保存設置丟失。
那麼，手機取證調查人員如何才能繞過或者破解iOS 4設備的密碼呢？
CelleBrite近期推出了Physical Analyzer 2.2.1版本，該版本新增了針對iOS 4設備的密碼破解功能

可以完整恢復iPhone 4、iPad等iOS 4設備（含4.3.3、4.3.4和4.3.5）的密碼，並能夠對1G系統區和用戶數據區進行完整img鏡像
其他不再贅述，上圖。

轉自 http://www.cnblogs.com/ysun/archive/2011/09/02/2163884.html

SQLite資料庫取證工具

2011-12-28T20:40:00.000+08:00

由於目前大部分智能手機數據存儲都採用SQLite數據庫，所以SQlite數據庫的恢復成了是否能夠恢復被刪除數據的關鍵。
目前針對SQLite數據庫，國內尚無成熟的解決方案，更沒有專用的取證工具；而國外目前有兩款專門用於SQLite數據庫取證的工具： Epilog 和 SQLite Forensic Reporter

Epilog
這款軟件從界面上看很強大，據其官方演示（有興趣的可以Youtube搜關鍵詞epilog），該軟件可進行SQLite結構解析、日誌恢復和完整數據結構恢復。

SQLite Forensic Reporter
該軟件號稱目前最專業的SQLite取證軟件，主要功能：

文件頭識別和恢復
自動化表結構分析
多種編碼內置解析

兩款軟件，前者可以在網上找到試用版，後者需要郵件向作者申請試用，有興趣的朋友可以自行嘗試。

轉自 http://www.cnblogs.com/ysun/archive/2011/09/01/2162287.html

Mena Step Innovative Solutions | Magic Berry IPD Parser

2011-12-27T20:37:00.000+08:00

Download Magicberry ver 3.1.0 NOW

MagicBerry is the blackberry IPD reader that can read and extract the following database from the mobile IPD backup file:

SMS Messages, Phone Call Logs, Address Book, Service Book, Tasks, memos, Calendar and export them.

The project is under continual development and currently the release is on Beta testing.

轉自

Elcomsoft iOS Forensic Toolkit

2011-12-25T20:35:00.000+08:00

Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic analysis of encrypted user data stored in certain iPhone/iPad/iPod devices running any version of iOS. Elcomsoft iOS Forensic Toolkit allows eligible customers acquiring bit-to-bit images of devices’ file systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. Access to most information is provided in real-time.

轉自 http://www.elcomsoft.com/eift.html

和亞桑傑通聯　美大兵證實洩密維解

2011-12-23T21:32:00.000+08:00

法新社馬里蘭州米德堡20日電：美國大兵曼寧（Bradley Manning）遭控向維基解密（WikiLeaks）網站洩密。軍方調查人員今天首次端出直接連結曼寧和維解創辦人亞桑傑（Julian Assange）的證據。

調查人員出庭作證時表示，曼寧電腦硬碟裡發現亞桑傑的聯絡資訊。曼寧案庭訊將決定他是否需至軍事法庭受審。

數位鑑識專家也表示發現曼寧和另1名網路帳號為「亞桑傑」的電腦使用者交談證據。

庭訊在馬里蘭州米德堡（Fort Meade）基地舉行，目前已進入第4天。今天的證詞是截至目前政府在建立曼寧和此案關聯上，所拿最具說服力的證據。此案也是美國史上最重大情資外洩案之一。

美軍電腦犯罪調查小組（CCIU）的約聘人員強生（Mark Johnson）表示，曼寧電腦硬碟裡有亞桑傑的聯絡資料。

軍方檢察官展示硬碟檔案1則訊息的螢幕快照，當中顯示：「你可以直接連絡我們在冰島的調查編輯－354 862 3481－24小時都可－找亞桑傑。」

調查人員也指出，他們回復曼寧和1名為「亞桑傑」的電腦使用者之間的交談紀錄，當中在討論維基解密。

轉自 http://www.cdnews.com.tw/cdnews_site/docDetail.jsp?coluid=109&docid=101766046

BlackBerry Backup Extractor: extract and convert IPD BlackBerry backups

2011-12-23T20:34:00.000+08:00

We're working on a rescue tool for missing BlackBerry data. If you have lost or broken your BlackBerry, our software can automatically extract the contacts, emails, saved emails, memos, call history, calendar, SMS messages, tasks and other data from your BB's IPD backup file. This BlackBerry IPD reader is free.

When run, the application will extract all sent and received email messages cached on the device into a "Messages" folder. Saved messages will go into a "Saved Email Messages" folder. Other BlackBerry content will go into "Content Store".

Screenshot of the Blackberry converter

You can read more about our Blackberry converter.

Free BlackBerry IPD reader download

You can download the BlackBerry IPD Backup extractor here.

轉自 http://www.reincubate.com/labs/blackberry-backup-extractor-extract-and-convert-ipd-blackberry/

iPhone Backup Extractor

2011-12-22T20:30:00.001+08:00

Recover lost iPhone contacts, calendar events, photos, SMS messages, notes, location data and more.

轉自 http://www.iphonebackupextractor.com/

BlackBerry Desktop Software

2011-12-21T20:28:00.001+08:00

Manage the link between your computer and your BlackBerry device

BlackBerry® Desktop Software for PC coordinates the link between your smartphone, tablet, email accounts, calendars and more. With BlackBerry Desktop Software 6.0, managing this link is even easier.

轉自http://us.blackberry.com/apps-software/desktop/

Elcomsoft Blackberry Backup Explorer

2011-12-20T20:26:00.001+08:00

Explore Information Stored in BlackBerry Backups

Extract essential information stored in BlackBerry backups. Elcomsoft Blackberry Backup Explorer allows forensic specialists investigating the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software.

轉自 http://www.elcomsoft.com/ebbe.html

IOC Editor

2011-12-19T20:44:00.000+08:00

MANDIANT IOC Editor is a free editor for Indicators of Compromise (IOCs). IOCs are XML documents that help incident responders capture diverse information about threats including attributes of malicious files, characteristics of registry changes, artifacts in memory, and so on. IOCe provides an interface into managing data within these IOCs including:

Manipulating the logical structures that define the IOC
Applying meta-information to IOCs including detailed descriptions or arbitrary labels
Converting IOCs into XPath filters
Managing lists of "Terms" that are used within IOCs

轉自 https://blog.mandiant.com/archives/2050?utm_source=rss&utm_medium=rss&utm_campaign=redline-openioc-build-effective-indicators

Lantern Lite

2011-12-16T20:42:00.001+08:00

Katana Forensics, Inc. The creators of the leading iOS Forensic analysis software”Lantern” has created a free imager for iOS Devices. Katana believes that imaging should be free. Analysis is where critical thinking is accomplished. Imaging shouldn’t also be only in the domain of just one sector of forensics, but should also be available to all to include the Security sector that needs to analyze mobile devices more and more.

Lantern Lite!!! The first Mac based GUI iOS Imager that is completely free. This site is dedicated to those that perform digital forensics. This application is intended to be free and not meant for those corporations that don’t innovate. The code released here is all GPL. Any use, part or in whole by a proprietary program must therefore release their code as well.

What will Lantern Lite do?

Fully automated
Automated device identification
Brute force a simple passcode
Image a device
decrypt an image
Decrypt the keychain (later versions)

What devices will Lantern Lite Support?

iPhone 3GS
iPhone 4 (GSM & CDMA)
iPod Touch 4G
iPod Touch 3G
iPad 1G

What version of iOS will be supported?

iOS 4
iOS 5

Will there be any improvements to Lantern Lite?

Since this is an open source application, the community can add changes
Future developments will include, iOS 3 support

轉自 http://lanternlite.org/lantern-lite

Windows 8 Forensic Overview

2011-12-11T16:09:00.000+08:00

I finally submitted my term paper for my Forensics class, While there are some things to be said for waiting until the last minute, my problem was as I delved into the four points I wanted to cover, I found Windows 8 exhibiting some interesting behavior, I also noticed that some of the things I thought would change, did not.

I will be making my paper available for download soon, but I need to clean up a few things, and will let you know when you can grab it. Meanwhile, here is a few things that I want to pass on.

When I initially started this paper I took a dive into Windows Registry I was at a loss with what to look for. I posted questions onto Twitter with some guidance of where to look. Eventually I stumbled across the Registry Key called TypedURLsTime, trying to decipher the value contained in the data field I posted to Twitter the information I was looking at. Harlan Carvey explained that this data is filetime data; I came to rely on the experience of Harlan and others as I asked questions, I am grateful for their experience and willingness to answer my questions and be patient with me. Harlan, went as far to help as sending me a copy of his Windows Registry Forensics book, this is an incredible resource for anyone interested in looking at and understanding the registry.

Building off what I learned from Harlan's book Windows Registry Forensics I was able to confirm that the primary registry hives, SAM, System, Security, Software, NTUser and UsrClass all were retained within Windows 8. I returned to the Registry Keys for the typedURLs and TypedURLsTime and did some more digging around. Here are the keys below for reference, as you can see URL10 is in both locations, one showing the location visited and the other the filetime that is was accessed.

Through some more analysis of the registry I came across the following keys, which appear to be related to the Immersive Browser that Microsoft is pushing in Windows 8. I attempted to test the typedurls-immersive-browser key, but this feature was not accessible in this build.

While listening to Wade Wegner presentation at the 2011 Build conference, Microsoft touted the ability to allow applications and user to save data to the cloud. With the option of using your Windows Live ID as your user name to facilitate this idea I decided to look a little more regarding this. I found the following while digging into the directory structure of a Live user:

C:\Users\USERID\AppData\Local\Microsoft\Windows\Live\Roaming\2d5b1639895c2556\CloudSync

Within this directory there were numerous files with the SDF file type, some of the files are named the same as the immersive browser keys in the previous images. I decided to look further into the registry to see if I could find any reference to the CloudSync option and I came across the following:

It appears that the Immersive Browser and CloudSync Registry keys will need to be analyzed further. I am planning on looking into them more over the next few weeks, will update blog with the information.

When I was typing out this blog I had I was going to delve deeper into Jump Lists, but they appear to be similar to the Windows 7 area, and felt that my research could be utilized in a different approach. It does not appear that Metro Applications keep a jump list; instead they keep their information in the respective program folder within AppData. I noticed this behavior while utilizing the PicStream Metro App. Digging into the file path I found the following folder structure:

Within each of those sub directories there was a regular file and a file slack for each image I viewed through Picstream application. Further research should define the naming convention of the INetCache sub directories.

Within the Windows 8 Operating system, they have introduced file history backup which changes the way that backups were previously used. In previous versions of windows, backups could only be maintained and restored using the default system. Within windows 8 this solution is more robust and allows backups to be stored both on removable media and remote network shares. By default this will backup folders such as Music, Documents, Videos, Contacts and Favorites.

There are a few artifacts that are established when file history is turned on, this includes File History folder, Registry Value, and Windows Events. The file history folder can be found at C:\Users\USERID\AppData\Local\Microsoft\Windows\FileHistory within this folder there is a configuration folder and a data folder. The data folder is a temporary staging directory for the files that are to be backed up. The Configuration folder contains at least 2 files, they are an EDB file named Catalog#.edb and a XML file names Config#. These files are created both Locally and on the drive being used as backup. As of this writing I have not be able to explore the EDB file. The Config file on the other hand offers the following information:

If the File History option has been turned on there is also a registry key that is created, this key is only found on users that have turned on this feature. The Registry key can be found at:

HKU\Software\Microsoft\Windows\CurrentVersion\FileHistory

Within this directory there is a key named ProtectedUpToTime that shows the last time this process backed up the files. This value can be deciphered utilizing a 64 Bit Hex Value - Big Endian values. The DCode application can handle this.

There is also another area in the HKLM registry that may provide more information and keys of importance, this is t. This is the FHSVC which is the File History Service and can be found here:

HKLM\System\Controlset001\Services\fhsvc.

Keys in the FHSVC folder

Keys in the Config files

Another area worth looking at in gathering File History information is within the System Events. The following Event Sources provide us with auditing information related to the File History:

FileHistory-Catalog
FileHistory-ConfigManager
FileHistory-Core
FileHistory-Engine
FileHistory-EventListener
FileHistory-Service

The final features of Windows 8 that I am going to cover in this blog are the Refresh and Recovery options. The Recovery feature will bring your windows to a factory state, similar to re-installing the operating system, the refresh feature acts like a restore point, but will clean everything needed for the OS to run, leaving individual files, and applications from the Microsoft store untouched, deleting any other 3rd party application.

When looking at a refreshed image of the windows operating system within AccessData FTK Imager, there are three items that are quickly noticed. These are two partitions and an unpartitioned space.

Partition 1 is a 350MB partition that contains the information needed to boot up the operating system. There are a few interesting files that can be found in this partition that can provide some more clues about what has happened on with the operating system and if the device has been recovered or refreshed. When comparing this partition against machines that have had the refresh/recover option ran against them and those that have not we can see some differences in files.

The screen shot on the left is from a machine that has not been refreshed or restored, while the one on the right has been refreshed. From my analysis of this partition from a refreshed or recovered is there will be more unallocated spaces in a recovered machine. On all images there is a folder called Recovery in the System32 folder, within this directory there is a file called ReAgent.xml, this file is used to recover or refresh.

On a Refreshed/Recovered machine there is a new folder named Log under the recovery folder. In that folder is a file called Reload.XML. The Reload.xml is an updated ReAgent.xml file; it will also have a different timestamp from the ReAgent. This folder and file will give a good idea if the machine has been refreshed or restored. Out of the 24 lines in these xml files, the only line different is:

For a non-refreshed or recovered system the state and status would both be 0.

Partition 2 is the main system partition that is mapped to the C: Drive. This partition also allows us to know if the machine was refreshed or restored. A restored machine will have a lot of unallocated spaces of various sizes that can still be data carved against. The directories and files shown between a Restored and a Non-Restored machine will be similar, but against a refreshed machine there will be two new Directories that contain data. These folders are the $SysReset and Windows.old, as can be seen below.

Within these folders we can still access the previous data that was on the drive, this data still remains in its file structure under the Windows.Old folder. Within the $SysReset there are two directories that contain what appears to be potential useful information. Within the Logs folder there are three files that will provide some usable data. The SystemResetPlatform.log and the setupact.log provides details of what was changed, the MigLog.xml will contain the Users that were retained and their current mappings. This can be beneficial after a reset a user account is deleted. There two files located in the Framework/Migration/Preserve that also may provide evidence at a later date, they seem to deal with the Microsoft Store, and since this feature is currently not available I am unable to investigate.

Over the next few months I will research more artifacts that might be left behind in Windows 8, and the behaviors that the new operating system brings with it. As more features are unlocked there is potential for more locations that must be analyzed to find the big picture.

轉自 http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html

Back to Basics, CD and DVD basic forensics

2011-12-09T20:07:00.000+08:00

At G-C (my company) we try to have an internal training topic for about 30 minutes to an hour every day (that I'm in the office). Often times we will go over case studies of recently solved cases but other times we get back to basics because you can't assume everyone knows everything you do. One class we recently did was on CD/DVD forensics and since it was received well I thought I should do a similar thing here on the blog. I admit I was watching the barefoot contessa's 'back to basics' show before i wrote this so the title is most likely influenced by delicious food.

I think a lot of people have forgotten about DVDs and CDs as important forensic evidence with the widespread use of cheap reusable USB storage (commercially introduced in December 2000 (Thanks wikipedia!)), but back when I got started (1999) it was very much 'a thing'. There are four important things we can determine forensically from a CD/DVD.

1. The volume name of the CD (always)
2. When it was burned (always)
3. What software made the CD (sometimes)
4. The previous burns (always)
and some easter eggs.

1. The volume name of the CD
All of the CDs I reviewed start with a ISO9660 session on the disk which began at an offset of 8000. You can see in the screenshot below that standard identifier has been set as 'CD001' which is the default for most burners when a ISO9660 session is selected. However what we care about is right after that the name of the CD is ' Oct 28 11 09:33'.

You may think, why do I care about this, this is the volume name that I can see in any tool? Well if you have a multi session disk the volume name will be set to the current session, this may be the only way you have to determine the labels of the prior sessions. We will talk more about sessions in 4.

2. When it was burned
Near the end of the ISO9660 session block are four time stamps, I've always seen them set to the same time. This is the time the CD/DVD was created.

Let's break the timestamp down to a more readable form:

2011102808333500è
2011102808333500è
2011102808333500è
2011102808333500è

As you can see each of them terminates with ascii character è which is hex E8. Breaking down an individual entry we can see that the time is:
2011 10 28 08 33 3500
So October 28, 2011 at 8:33:35am is when the CD was burned, notice this is one hour off of the CD label time. Note that this time is only as accurate as the system clock that burned the CD/DVD.

3. What burned it
Depending on what software burned the CD/DVD many of them will also place the name and version of the software in the reserved space of the ISO9660 session start. In our example we can see that the name of the software that burned it is 'PRASSI2.1.374'.

Doing some quick searches for 'Prassi cd burning software' reveals that this is Primo Prassi version 2.1.374 a now defunct company whose software was bundled with some CD/DVD burners.
Why do we care? If you are trying to prove that a CD/DVD was burned on a particular system matching the software name and version to what was installed on the system can be one indicator that you can use.

4. The previous burns
If you are inspecting a rewritable CD/DVD and it has had more than one write burned to it, then each of the writes are still available. There are multiple layers of burnable media within a rewritable disk and when inserted into a CD/DVD ROM your computer will only show the most recent session. When you image the CD/DVD using a tool like FTK Imager all the prior sessions will be viewable. This is why determining the name of the session may be important as we detailed in 1.

5. Easter Eggs
Sometimes you'll find something unexpected. The ISO9660 specification does not state what can't exist within the reserved space of the session start and systems don't parse for unused areas. For instance within MSDN DVDs you'll be Microsoft's name, address and phone number. What is contained within the session start beyond what we've described here will also depend on what the burning software programmer decided to place within it.

That's it, I hope this shined some light on a possibly forgotten set of facts. Let me know what you think, your comments help to motivate me to keep posting in between baby bottles.

轉自 http://hackingexposedcomputerforensicsblog.blogspot.com/2011/12/back-to-basics-cd-and-dvd-basic.html

Malware Detection Checklist

2011-12-07T21:17:00.000+08:00

Malware Detection Checklist
The following is a sample checklist that you can use as part of your malware detection process. All of the tasks listed in this checklist are taken from chapter 6, “Malware Detection”, of Windows Forensic Analysis 3/e. Please feel free to use this checklist, or modify it to suite your needs.

	Task	Findings/Notes
	Check for installed AV
	Review available Logs (MRT, Defender, McAfee, Application Event Logs, etc.)
	Scan mounted image with AV
	Scan for packed files
	Digital Signatures (Sigcheck.exe)
	WFP Check (wfpchck.pl)
	ADS check (lads.exe)
	PE file “compile time check”
	MBR check (mbr.pl)
	Registry Analysis – autostart & artifact locations, modifications to firewall settings, etc. (RegRipper)
	Registry Analysis – System hive, enum\Root\Legacy_* subkeys (RegRipper)
	Check for web activity/history in LocalService/Default User profiles
	Check System Event Log; Event ID 7035 with user SID
	Check Scheduled Tasks, Scheduled Task Log (SchedLgU.txt)
	User %Temp% dir: PE files, with .exe or .tmp extensions; Java .jar files/JavaFX key, updates to jusched.log, etc.)
	MFT checks (mft.pl)

Invisible Man

Blade™ v1.9 Released - AFF® Support, Hiberfile.sys Conversion and New Evaluation Version

Downloads and Full Release Information

Downloads and Full Release Information

Downloads and Full Release Information

電腦鑑識與鑑識會計

WhatsApp Xtract

What WhatsApp doesn't tell you...

Interesting Malware in Email Attempt - URL Scanner Links

Ripping Volume Shadow Copies – Introduction

base64 Encode / Decode

Internet Explorer RecoveryStore(Travelog) 解析工具

RecoverRS

解析Internet Explorer RecoveryStore(Travelog)

Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity

Free Wipies

Make a dual-boot WinPE CD

Wipies -- Addendum

REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux: A Linux Distribution for Reverse-Engineering Malware

About REMnux

What REMnux Is Not

Downloading REMnux

Getting Started With REMnux

Using the REMnux Virtual Appliance

Malware Analysis Tools Set Up On REMnux

Questions on and Improvements to REMnux

Articles About REMnux

The Password is…

It’s a USB Thing

Digital Image\Video Resources

Utility Updates

File and Folder Linkfest

EXIF/meta-data Linkage

Active Directory Linkfest

Dual Purpose Volatile Data Collection Script

找出 Linux 是否有隱藏的 Process 與 Port - unhide

Jump List Analysis

How to Use Advanced Google Search Techniques to Resolve your Investigations

Ripping Volume Shadow Copies Sneak Peek

Android邏輯數據手動提取和分析

Android邏輯數據手動提取和分析

1. SMS、MMS相關信息的手動提取

2. 通訊錄手動提取和解析

EnCase v7 簡介

新用戶界面

EnCase v7相對於傳統的v5、v6界面有了較大改變，一改以往的四格和多級Tab界面，而採用了單頁面多窗口的「瀏覽器式」風格，估計會讓很多v6用戶感到極不適應。

新建案例窗口，案例信息採用模板方式，調查人員可根據自己需要定製案例信息模板

主界面窗口

添加證據界面，新版本將Neutrino整合，可直接添加智能手機，這也是v7的一大新功能。

Entries部分，之前的多級標籤式結構已經變為單級標籤+前後頁面導航

新功能和改進

Evidence Processor

獲取選項，可以看到新的證據文件格式Ex01

Evidence Processor 中的索引選項

智能手機報告生成器，可自動對添加的手機證據文件生成報告，值得一提的是，可以把手機（或GPS）當中的地理位置信息或包含地理位置信息的圖片直接生成為kmz, 可使用Google Earth直接打開查看，非常方便

Tag，"FTK化"的又一典型標誌

報告模板代碼編輯頁面

可隨時預覽的報告

使用Winacq製作磁碟映像檔

vdi與vmdk/vhd/raw之間的轉換

iOS 4 (iPhone/iPad/iPod Touch) 密碼破解

SQLite資料庫取證工具

Mena Step Innovative Solutions | Magic Berry IPD Parser

Download Magicberry ver 3.1.0 NOW

Elcomsoft iOS Forensic Toolkit

Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

和亞桑傑通聯 美大兵證實洩密維解

BlackBerry Backup Extractor: extract and convert IPD BlackBerry backups

Screenshot of the Blackberry converter

Free BlackBerry IPD reader download

iPhone Backup Extractor

BlackBerry Desktop Software

Manage the link between your computer and your BlackBerry device

BlackBerry® Desktop Software for PC coordinates the link between your smartphone, tablet, email accounts, calendars and more. With BlackBerry Desktop Software 6.0, managing this link is even easier.

轉自http://us.blackberry.com/apps-software/desktop/

Elcomsoft Blackberry Backup Explorer

Explore Information Stored in BlackBerry Backups

IOC Editor

Lantern Lite

和亞桑傑通聯　美大兵證實洩密維解