Category Archives: Digital Forensics

BlackLight Forensics Software

BlackBag BlackLight

I had no idea just how tightly BlackLight would grab onto my attention and then keep its hold. Yet, here I am. While I’ve heard positive feedback from people in the information security community regarding BlackBag’s forensic software products, I have not had the opportunity to use one of their products on my own. Thus, I was thrilled to review BlackBag’s BlackLight product.

For those who are not familiar, BlackBag’s BlackLight is a piece of comprehensive forensics analysis software that supports all major platforms, including Windows, Android, iPhone, iPad, and Mac. In addition to analysis, it can logically acquire Android and iPhone/iPad devices. You can also run the software on both Windows and Mac OS X.

In this particular review, I used the latest version of BlackLight (2016 release 3). I decided to use it on Mac. The main reason I chose Mac was that most of analysis that I have performed thus far has been with the traditional Windows Forensic Recovery of Evidence Device (FRED) and I figured this would be a great opportunity to try something different.

Installing BlackLight on Mac was a breeze. I simply downloaded the installation file from BlackBag’s website and entered the license key upon initial file execution. The single installation file took care of all of the dependencies needed for the software, which I was glad to see.

BlackLight Actionable Intel

BlackLight Actionable Intel

Here were the configurations for my Mac: MacBook Pro running Sierra OS version 10.12.2. The hardware included Intel Core i7 with 2.5 GHz with 16GB memory and a standard hard disk drive.

With review, I wanted to make a use-case in which I would perform basic processing and analysis of a traditional disk image using BlackLight running on Mac. Without any real experience with BlackLight, I focused on usability and intuitiveness.

Processing

For this review, used a 15GB physical image of Windows XP SP3 E01 Disk. I processed this image through BlackLight with all of the ingestion options available in the software and to my surprise, it took under 10 minutes to complete.

What was even more impressive was that it had very little performance impact on my system. In fact, as the image was being processed in the background, I continued to perform normal operations such as browsing the web and using Open Office software with no problem. Continue reading at forensicfocus.com by clicking here!

Advertisements
Tagged , ,

Advanced Forensic Toolkit (FTK) Course Review

For a few years, I had been using Access Data’s FTK (Forensic Toolkit) software without any formal training. I had managed to work my way through the fundamentals on my own, but I always sensed that there was much on which I was missing out.

emailvisualization

FTK  Email Analysis Visualization

It was only after I recently attended the Advance FTK class offered by AccessData (Syntricate) that I realized the enormity of what had been right under my nose the whole time.

You can read my complete review of this course at Forensic Focus or by clicking here.

Tagged ,

Forensic Timeline with Autopsy and More

The process of timeline creation is extremely critical in forensic because it provides you with a holistic view of the system in question and gets you one step closer to answering those key questions. There are multiple ways that you can create a system’s timeline. However, the one I recently came to know is Autopsy’s Timeline Analysis module and here is my first experience with it.

Autopsy can be downloaded from here. The installation is simple – no dongle required!

Welcome Screen

Welcome Screen

To test the timeline module, I used one of my test windows 7 machines. And to create some activity, I browsed the known-bad-URLs and downloaded some potentially malicious files. Also, installed AVG AntiVirus Free edition as  a basic detection mechanism. However, to my surprise, AVG was able to detect and block most of the executables that I tried to run.

AVG DetectionsSince, I had to run some executable to create the lab, so instead of making exceptions in AVG – I decided to uninstall it. I figured it would be interesting to see how the evidence of software uninstall will be presented.

I went back and ran the following three executables: sydzcr22.exe, b.exe, b01.exe. 

In addition, I added total of two new accounts on this machine. First one (admin01) I created using the windows “Manage Accounts” interface and the second (admin02) via command prompt. Both accounts have administrative privileges.

Account Management

Lastly, I made a logcial image of the target system and created a new case in Autopsy. Here is a guide on how to create a case and add evidence in autopsy.

This is how the output after the initial processing is completed looks like:

Initial Processing

As you will notice from the screenshot above, a lot of the common places that you would want to look in an image are readily available in a nice, organized manner. The first thing I did was perform keyword searches for the three executables that I ran earlier (sydzcr22.exe, b.exe, b01.exe) just to confirm their presents.  

Keyword Search

The keyword search was pretty fast and it found all the three exe files that I had browsed and installed. In the screen shot we can see the exes’ browsed URL, date, and the location on the disk where that piece of evidence is locatedindex.dat. I searched the Temporary Internet Files but was only able to find one B01.exe but not others; not sure why.

 B01The second thing I wanted to look for is the installation of the AVG antivirus and then the removal. Lets see what we find.

The first place I looked at was the “Installed Programs” menu option:

Installed Programs

I do not see any instance of AVG here. But regardless, I guess this is a handy feature to have quick access to in order to see the installed applications at the time the image was acquired. I see the AVG2015 folder under Program Data directory but not much more:

AVG2015 Directory Folder

So with this, now we get to the reason why we started this project – timeline! The process for generating a timeline is pretty simple. You go to Tools and the Timeline. You see a status bar and at least for my image (120G) it took  around 2-3 minutes and I had my timeline opened in the second window:

 Generating TimelineTimeline Window

Graph Legend

Graph Legend

As you will notice in the second screenshot above, there are some anomalies in the time range. You can easily modify the scope by using the the scale on the top left, the start and end (not shown in the screenshot) options towards the middle of the screen as well as using the graph itself to zoom into the date of interest. From all of these options, the one that I liked the most is right clicking on the time range of your interest and select the “Zoom into Time Range” options. In my option this is faster and easier then messing with the scales:

Zoom into Time Range

As you continue to zoom in you will get to the month timeframe where you can see which date of the month had what amount of events:

Zoom In To MonthLastly, when you zoom into one specific day of the month you can see the events by the hour:

Zoom In To TimeSo getting back to finding AVG activity, I first see the web activity

AVG Web Download

In the screenshot above, please take a note of the “Text Filter” option; which comes handy in narrowing down results. In fact, if you don’t narrow down the results the system will not be able to display the events and instead will give the following message:

5000Max

However, it seems like if you change the “Visualization Mode” from “Count” to “Details” you are able to overcome the above limitation. However, the output is in a different format:

Details Visualization Mode

Notice above that when you hover over any of the events, you receive the option for further details by the symbols of “+” and “-“. However, after spending sometime going through the information presented above, I did not get close to finding answers to the original questions. This is not to say that information here is not valuable, it just did not come handy in answering our particular questions.

So my next step was to extract windows event logs from the image and review them. And pretty quickly we find the following entries:

AVG Installation Completed Successfully

AVG Installation Completed Successfully


AVG Installation Successful Without Errors

AVG Installation Successful Without Errors

Similarly, we find log entries for removal:

AVG Successful Removal Without Errors

AVG Successful Removal Without Errors


AVG Removal Completed Successfully

AVG Removal Completed Successfully

With the information presented from our target system’s event logs we are now able to see both the successful installation and later the removal of the AVG anti-virus software. It would have been nice to see some of the event log information in our timeline.

On a side note, while looking through application logs, I found two application crash events; one for our b.exe and the second for sydzcr22.exe – both of which we attempted to install from the browser earlier in the lab.

b.exe Application Crash

b.exe Application Crash

The last question that we wanted to answer was the evidence of account creation for admin01 and admin02. Both of which we created earlier – one using Windows Account Management interface and the second via command prompt. Here is the windows log event for the first one:

Admin01 Account Here is the evidence for the second account creation:

Admin02 Account

Based on the above to account creation logs, we cannot tell which account was created via windows interface vs command prompt. The only difference that we see is that one account has its password set (which is the account we created through command prompt and had to give it a password but without this knowledge we cannot tell the difference). Also the account created from command prompt (admin02) does not have the “Display Name” set; maybe this could be an identifier.

On a separate note, if we go back to our timeline and see the events around the time frame of the above windows events we see the following activity.

Admin01 Created

Admin02 Created

If you look at that first entry, it refer to the following default account display picture:

Account Picture

Around the same time we see security logs getting updated:

Security Log

This is all the information that I can pick out from our timeline that I think is there to indicate creation of an account. However, what’s interesting is that in our timeline we do not see any entry to command prompt – which we used to create the second account and if there was an entry for it, it could be used as another hint.

Anyway, at this point I was not sure how to go about getting user account artifacts so I reached out to the people of DFIR community via Twitter and as always got wonderful feedback. One of the suggestions was to perform shellbag analysis. This was a great suggestion however, this was not going to work in our situation. The reason being, shellbag analysis requires two artifacts for each account: ntuser.dat and usrclass.dat. These two artifacts are created the first time the user interactively logs on at the computer; establishing a user account on the computer does not create a profile for that user. In our case, we did not login using either of the (admino1, admin02) accounts after we created them, hence there aren’t any profile files like there are for our main (dfir) account:

ntuserSome of the other suggestions included examining memory of the target system (which we did not acquire) and reviewing windows command line history (which is not saved by default on the disk running Win7-32 but again could have pulled from memory).

So the last thing I wanted to check out before closing out this lab was do a quick comparison with traditional log2timeline. So I ran l2t against the same disk image and here is the outcome of our supertimeline:

SuperTimeLine

There is a lot that is going on here but the key things to look at is when the two accounts are created and what happens around them. The first account (admin01 – created via GUI) is underlined in red and the second account (admin02 – created via cmd) is underlined in blue. The section marked in green shows the launch of command prompt. It is obvious that the first account was created right after the creation of few security event logs however, the second account was created right after the launch of windows command prompt (there is some delay in seconds but that was due to me confirming the cmdline syntax before executing).

The last thing I want to point out from our supertimeline – which correlates with our earlier finding during manual review of event logs and is the small section in the screenshot above highlighted in yellow. You will notice that for the first account, admin01 there is an account name right next to the SAM ID of the same name. However, for the second account we just see the SAM ID but no account name.

This concludes my exploration with Autopsy and its timeline feature. The goal here was not to simply go through the different menu options of this powerful tool but rather run it against a made up scenario. And even the scenario itself is something that I made up as I went along in the process; so to be honest, I am not sure how some of the other (even commercial) tools would handle this scenario. In the end, the whole post became another CDR entry where we almost went through all the three stages to an extent. Anyway, it took me sometime to gather all the screenshots and do this write up from the time when I actually did the lab; so I am sure numerous updates have been made to the tool since then. Overall, I am very pleased with the tool and the capabilities that it provides; hard to believe its free! When I did the lab, the timeline feature was fairly a new addition to the tool but we can sure except some awesome updates to it. Definitely an awesome, powerful and fast tool to have in your toolbox – check it out!

Acknowledgements for responding to the original Twitter question:

—-

(Here is the update on user account creation analysis done by @b!n@ry – Great job!; instead of looking for usrclass.dat for the new accounts created, you would look into the account you suspect created those two new accounts! Ref: 1 and 2. Also the net.exe and net1.exe prefetch files proved to be extremely valuable). #NoteToSelf! :)

Tagged , ,

Physical Drive Image With Plugable USB Hub

The other day I was trying to image a physical 250GB desktop hard drive using FTK Imager but I continued to get the following error under status: Failed: The specified network name is no longer available. This was the first time that I received this error so first I was not sure what caused it. Here was my setup:

The error was little random in that it would fail at different places – anywhere between 2% – 13%. My first thought was that the docking station was bad; so I took out my WiebeTech write-blocker and attempted to image the drive again. But I received the same error at 6%. At this point I knew that the docking station was fine and that the problem had to be with either the FTK Imager software, Windows Server 2012 (my first time using Server 2012 during imagining) or the USB hub. I decided to start with the hub; I unplugged the docking station from the hub and connected it directly to the server’s USB port – skipping the hub completely. I started FTK Imager and began the imagining process – and to my surprise the imaging completed without any errors!

From the 7 ports provided by the hub, only one port was being utilized (connected only to the docking station) eliminating the possibility of overwhelmed hub. In fact, the hub worked fine when I copied large operating system .iso files from an external hard drive to the server. So, I am not sure where the problem is within the hub but in this situation I was unable to image a relatively small hard drive due to this hub.

Tagged

Support For Your Anti-Virus

Few months ago I published two blogs around having additional layers of security for your home computers. You can read them here: part 1 and part 2. The goal of those two blogs were to first bring awareness – using my personal experience around how we simply cannot rely on anti-virus software to protect our personal computers. And second to demonstrate how effective some free browser extensions are in reducing unwanted and potentially malicious programs from downloading in the background without much of our knowledge or interaction.

This blog is not exactly a continuation of the other two but it is definitely related. While in the previous posts I focused on free extensions, however in this post I want to talk about an application that is though not free but definitely worth looking into.

The EXE Radar Pro application from NoVirusThanks group (besides this particular software this group has bunch of free and extremely useful online utilities that I have been using for sometime and you should check those out too!). As far as the EXE Radar Pro goes – it is for $19.99 with the option to try free for 30 days. They do a pretty straight forward job explaining what the software does so I won’t waste time repeating what is already there. Instead I will briefly explain my experience with this software; both the pros and cons.

First the pros: the software is easy to install and seems to get to work immediately. There isn’t a lot of configuration or overly complicated interface that you need to worry about; it simply sits in your windows tray and all of the management is done by selecting the tray icon. Some of the more specific features that I like about this software is that I think this is the closest that you can get to an enterprise level endpoint monitoring software for such a low price. The software pretty much tracks all the running system processes, the associated parent process and monitors as new processes start. You also have to ability to tag  processes to either a blacklist or a whitelist based on what you think should be allowed or blocked. The software does prompt you when it thinks a suspicious/unknown process is trying to run. I believe some of the basic checks that it does to determine a good from a bad process it by simply checking if the process itself is digitally signed and if the process is making any specific/unusual command arguments. If fact it presents all this information on the prompt dialog:

EXE Radar Pro - Prompt Alert

 

From the dialog above you can simply choose to allow, block or use the drop down arrow to add the process to either the white/black list.  While the above dialog box is well designed and self explanatory – I also experienced some annoying cons with this dialog. For example, when you are prompted with the dialog box you do not have the option to ignore it. You can move it around the screen to get it out of the way but you have to make the decision to either allow/block. In addition, until you make your selection – you will not be able to execute another process. For example, when the above prompt came up on my screen and I wanted to take the screenshot using the Microsoft built-in snipping tool – I was not able to because the snipping application would not execute until I made my selection on the dialog box (I was able to do it using the keyboard print screen key).

Second major con that I experienced is that on each boot of the system there would a half-dozen prompts that I had to go through before the system would be fully up and functional. I understand that there is some learning that is involved in the beginning for the software but even after two weeks and several whitelistings I would still receive numerous prompt during startup. And as you can imagine, when you are trying to get something done quickly – these prompt becoming irritating. In fact, one of the applications that EXE Radar Pro did not like in particular was Splunk. Well before I downloaded EXE Radar Pro – I had the Splunk Free installed on the computer to do basic log analysis. But when I installed EXE Radar Pro – I would constantly get prompts. Eventually, I became irritated and ended up uninstalling Splunk from the system. In fact, even during the uninstall process of Splunk, I had to hit Allow at least 8 times before the uninstall process completed.

Overall, EXE Radar Pro is a good software for personal use because it provides that additional layer of protection and control around what runs in your system. I would say that while the interface is simple and self explanatory – an average user may not appreciate the frequency of the prompts, the technical  details and the decision making that would be required. On the other hand, if you like have such visibility and control of your system then for $19.99 you cannot go wrong with this software!

 

Tagged

Finding Known Evil With Nessus – Part 2

This post is a continuation of my earlier post about finding known bad process with Nessus vulnerability scans. In this post I will share my experience after I finished running my first scan using this new scan policy.

Unlike the regular vulnerability scans, the duration for this scan was much less. The reason for this was because the scan policy consisted of only selected plugins. However, even with only selected plugins, the scan results were very comprehensive.

First, the scan result show the MD5 hash of the suspicious process. Now you can take this MD5 hash and search sites like VirusTotal but on the scan results page you will find a direct link to a Tenable website that will provide additional information about the suspicious process. This information is similar to what you would find on VirusTotal but with little less information. In my case I still searched VirusTotal for more detailed information.

Second, the scan result show the path of where the suspicious process in located on the target system. Obviously, this is great because now you don’t have to search the system and locate the executable in question. But what’s even better is that the scan results even show all the instances of that suspicious process that the scan found. For example, in my test scan the same suspicious process was located under numerous user profiles.

With the above information in hand, you can quickly develop you indicators of compromise (IOCs) and begin your investigation. My initial step was to review all the processes on my target machine and identity the process ID (PID) of the executable that the scanner identified. From here you can look at all the network connections related to this process, the system handles, any additional sub-processes, etc.

Overall, I am satisfied with what I have seen so far. I think that it is great that Tenable has incorporated these checks because in my option it makes perfect sense to check for known bad stuff during the time that you have already allocated for vulnerability scans. However, I would recommend that you separate your suspicious process and vulnerability data because do you not want to alarm the system owners without properly doing your own investigation. The easiest way to do this is by creating two different repositories and then drafting different reports/dashboards from each of those repositories.

My final comment is that if you have Nessus (I used SecurityCenter); please try to run this scan with the new scan policy. You can find the link to download this scan policy in my first post. Let me know what you guys think!

Tagged , ,

Finding Known Evil With Nessus

When is comes to performing vulnerability assessments, Nessus is by far the industry leader.  Nessus is known as “world’s best vulnerability management tool” and I think the reason for this is because of the continuous research the Nessus team does around new vulnerabilities and push them out to their customers in a timely manner. If you are not families with Nessus here is a very high level overview – Nessus uses “plugins” which simply put are scripts that run on the target hosts to see if it meets the criteria for a certain vulnerability. And as new plugins get pushed to customers the old plugins also get updated daily.

I have been using Nessus for sometime now and I have been very pleased with their level of commitment and excellent support. And recently as I was going through their blogs, I came across an interesting post regarding finding malware through Nessus scans. I found this interesting for two reason: first because I had not tried this before and second because as a security professional its better if you find evil in your environment before it gets reported to you.

The process for running malware scan is same as running the normal vulnerability scan. You just need to make sure that you select the appropriate plugins in your scan policy and use credentials that have administrative privileges on the target system. The following blog post lists the default plugin you can use to get started with malware scans – a sample scan policy is available for you to download which you can simply upload in your scanner and run the scan. This blog post also contains links to other related posts that talk about additional plugins that you can enable in your scan policy.

I have not had the chance to run this scan however, I plan to give this a try this coming week using the sample scan policy. I will write a follow up post to share my experience.

Tagged , ,

VMware and Digital Forensic Process

Recently, I have started performing digital forensics on virtual images and wanted to briefly share the process that I am following and the challenges that I am facing:

The Process:

  • Originally, the machines in the environment are virtualized via VMware ESX.
  • To take the forensic image at a given point, the virtual machine is suspended and copied to a forensic workstation.
  • Following the second step, retains the memory in the vmem file and allows for memory analysis.
  • The suspended machines is resumed on the forensic workstation via VMware Workstation.

The Challenge:

  • Usually, the machine coming from the ESX has large resource allocations that are not available on the forensic workstation. For example, the machine in ESX can be allocated 12GB of RAM and 4 processors – however, this cannot be met with what is available on the forensic workstation. This results in machine being non-responsive when resumed on the VMware Workstation.
  • When you are able to resume the machine in VMware Workstation you are not able to transfer any tools over without first installing the VMmware tools – sometimes this requires a restart.
  • If the machine was originally part of a domain and the machine was suspended without someone already logged-in; you do not have a way to get into the system other than resetting the password via some live disk. The other option is to retrieve password from the memory.
  • If the machine itself does not have enough disk space for you to save output from all your tools then you have to enable Folder Sharing feature on the VMworktation.

These are some of my immediate experience from performing forensic on virtual images. The reason for this post is to get feedback from the forensic community on how I can improve my process and make sure I minimize the changes made to the evidence.

Tagged , , ,