All posts by cderk

A Different Perspective to Instagram

While browsing Instagram this afternoon it came to me how great Instagram really can be. Over the past several months I’ve found myself using Instagram to search for and review personal things like #braidhairstyles and #browneyes #makeup for days I’m feeling confident, #mealprep and #30dayfitness #challenge for new “get fit” goal ideas with a friend, @reillysribcage for when I am curious about a new food joint in town and can quickly see their food looks amazing 👌🏼 I use it to check out car parts, and can research how different mods may look on my Mustang before I take the leap and purchase.

From finding products and real-person reviews, to seeing if a business is open before a snow storm, Instagram is a place where businesses and ideas and creativity are promoted. It’s a place to quickly and easily find pictures of things for those visual learners who can’t quite interpret the whole picture through words. It’s a place to find tutorials, and hear how things sound. What a place looks like on any given day.

For those who think that people post too much to social media, or the Internet in general, I appreciate those who do (for more than just the obvious social media investigation side of me). I almost want to see it as people providing back to the “community” what people of those interests might want to see. Through proper tagging, people searching for those tags can see what goes on behind the scenes for so many different things. The images aren’t pulled off business or personal websites that may or may not have anything to do with what you’re searching for, but come from the experiences and perspectives of the people who share them on Instagram. It’s easier for the general population to spin up an Instagram account than it is to create a website. More people do it. I personally have two Instagram accounts for two different branches of interests, but only one website. Being someone who has always wanted a decent app that allows you to take a picture of something and be able to “Google” it accurately, I thank Instagram for being a popular and easy way for everyone to participate in further tagging the Internet, and the world.

Filtering with Process Monitor

For anyone performing dynamic (live) analysis of malware, an essential tool to have at hand is Windows Sysinternals’ Process Monitor. So why is this a must for malware analysis? The website describes the tool best:

“Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity”

It monitors as much or as little activity as you want. It can be used as a very detailed timeline for malware execution, or set to display the activity associated with a targeted process. Plus, all of the output can be exported to a file for later viewing, which makes life pretty simple.

With that being said, the output from Process Monitor can be a bit overwhelming (to say the least) if you don’t know how to use it. Hundreds of events can occur per second, and letting malware run for 10-15 minutes will produce hundreds of thousands of logged events. Thankfully, Process Monitor has a range of filters that can include or exclude data from the output.

Filters to Include:

  • WriteFile/CreateFile: These operations are recommended when doing malware analysis. They include events that write and create files, although, I have a few comments about this (I will mention it in the IRP_MJ_CREATE portion)
  • Process Create/Process Start: These operations will include processes that are created and started during execution
  • RegCreateKey/RegDeleteKey: These operations will include registry keys that are created and/or deleted by a process
  • RegSetInfoKey: This operation (in association with RegCreateKey) is where the values for the registry keys get set (Autorun keys will be created, then the value can be found here to see what malicious process it points to)
  • TCPConnect/TCPReceive: These operations will include any TCP connections that malware may try to start while it’s running
  • Load Image: This operation will show what DLLs are loaded during malware execution

Filters to Exclude:

  • Procmon.exe/Procmon64.exe: These will exclude any events related to Process Monitor
  • Profiling: This is an automatic filter built into Process Monitor. Keeping this excluded takes out a lot of unnecessary noise in the logs.
  • Add filters to exclude any monitoring tools or AV running

Additional Filtering Tips:

  • Go to Tools > Process tree to see the processes that stem from the execution. To filter on these, right-click the parent process and select “Add Process and Children to Include Filter”
  • Filter by Operation contains WriteFile
  • Filter by Path contains <malicious executable> to see where it gets saved
  • Filter by Path contains “\Run” to see any registry edits to the numerous AutoRun keys

With these filters, most of the unwanted noise is taken away, and events related to malware are pinpointed. The best part about this is that even though events are filtered, if/when you go to export, you have an option to export ALL events, not just the filtered ones. After analysis (after logging is turned off), filtering by process name or PID is helpful for narrowing down what a malicious executable does. There’s also the option of highlighting certain events/processes to help point them out.

All-in-all, Process Monitor is a powerfully overwhelming tool unless you know how to utilize it for all it’s worth. It takes a good amount of time, practice, and experience to narrow down exactly what you want to get out of the logs (it took me about 6 months), but using these filters is a good start for dynamically analyzing malware.
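
Because an export can contain ALL events, the same include/exclude lists can be re-applied offline to a Process Monitor CSV export. The script below is an added example, not part of the original post: it assumes the default export columns (Process Name, Operation, Path) and runs over constructed sample rows.

```python
import csv
import io

# Operations from the "Filters to Include" list. Names are compared with
# spaces removed and case folded, so an export's "TCP Connect" matches.
INCLUDE_OPS = {
    "writefile", "createfile", "processcreate", "processstart",
    "regcreatekey", "regdeletekey", "regsetinfokey",
    "tcpconnect", "tcpreceive", "loadimage",
}
# Processes from the "Filters to Exclude" list; add monitoring tools and AV here.
EXCLUDE_PROCS = {"procmon.exe", "procmon64.exe"}


def norm(operation):
    return operation.replace(" ", "").lower()


def filter_events(rows, process_names=None, path_contains=None):
    """Return rows passing the include/exclude lists, optionally narrowed
    to given process names and/or a case-insensitive path substring."""
    wanted = {p.lower() for p in process_names} if process_names else None
    kept = []
    for row in rows:
        proc = row["Process Name"].lower()
        if proc in EXCLUDE_PROCS or norm(row["Operation"]) not in INCLUDE_OPS:
            continue
        if wanted is not None and proc not in wanted:
            continue
        if path_contains and path_contains.lower() not in row["Path"].lower():
            continue
        kept.append(row)
    return kept


def autorun_events(rows):
    """Registry events whose path contains \\Run (the AutoRun tip)."""
    return [r for r in filter_events(rows, path_contains="\\Run")
            if norm(r["Operation"]).startswith("reg")]


def load_export(fileobj):
    # For a real export: open(path, newline="", encoding="utf-8-sig")
    return list(csv.DictReader(fileobj))


# Constructed sample rows in the shape of a Process Monitor CSV export.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01 PM","Procmon64.exe","900","WriteFile","C:\Temp\capture.pml","SUCCESS",""
"1:00:02 PM","sample.exe","1234","Process Start","","SUCCESS","Parent PID: 800"
"1:00:02 PM","sample.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\Setting","SUCCESS",""
"1:00:03 PM","sample.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS",""
"1:00:03 PM","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS",""
"1:00:04 PM","sample.exe","1234","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"1:00:04 PM","sample.exe","1234","RegSetInfoKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"1:00:05 PM","sample.exe","1234","TCP Connect","lab-pc:49200 -> 203.0.113.10:80","SUCCESS",""
"1:00:06 PM","svchost.exe","700","Load Image","C:\Windows\System32\example.dll","SUCCESS",""
"1:00:07 PM","explorer.exe","600","Process Profiling","","SUCCESS",""
'''


def sample_rows():
    return load_export(io.StringIO(SAMPLE))


if __name__ == "__main__":
    for r in filter_events(sample_rows(), process_names=["sample.exe"]):
        print(r["Operation"], r["Path"], sep="\t")
```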

Mac Forensic Artifacts

Below is a list of forensic artifacts for Mac devices, categorized by file location.

*This is a running list of notes gathered based on experience investigating devices. This is very much an incomplete collection of artifacts*

Epoch Time = seconds since 1/1/1970

Mac Epoch Time = seconds since 1/1/2001

Difference = 978307200 seconds

mac time + 978307200 = epoch time

  • ~/System/Library/CoreServices/
    • SystemVersion.plist
      • ProductVersion: Operating System version.
        • 10.10.x  = Yosemite
        • 10.9.x = Mavericks
        • 10.8.x = Mountain Lion
        • 10.7.x = Lion
        • 10.6.x = Snow Leopard
  •  ~/Users/user/Library/Preferences
    • com.apple.finder.plist
      • FXDesktopVolumePositions – list of volume names
      • FXRecentFolders – string name for 10 most recent folders
    • com.apple.recentitems.plist
      • RecentApplications: CustomListItems contains 10 most recent applications
        • Application names
      • RecentDocuments: CustomListItems contains 10 most recent Documents
        • File names
      • RecentServers: CustomListItems contains 10 most recent connected servers
        • Server names
    • com.apple.sidebarlists.plist
      • FavoriteItems: Shares/Folders/Drives listed in “Favorites” in Finder
        • Names of items
      • FinderProjects: Tag colors
        • Red, Orange, Yellow, Green, Blue, Purple, Gray, Work, Home, Important
      • SystemItems > VolumesList: Mounted volumes
        • Volume names
    • com.apple.Safari.plist
      • DownloadsPath: Default location of downloaded files
      • HomePage: Default homepage settings
      • LastOSVersionSafariWasLaunchedOn: Version number
      • RecentSearchedStrings: recent strings searched in Address Bar
      • SuccessfulLaunchTimestamp: Last time Safari was launched successfully in Epoch time
  • ~/Users/user/Library/Safari
    • Browsing History
      • History.plist (10.9 and below)
      • History.db (10.10 and later)
        • Opened in a SQLite browser
        • History_items: Each URL visited, domain, and its associated ID #
        • History_Visits: Mac Epoch time associated with history_item ID #
          • Need to associate history_item ID number in this table with the entry in History_items table to determine timestamps of visits
  • ~/.fseventsd
    • File system events daemon
    • System process that is responsible for handling changes to the file system
    • Writes file system event log files and monitors file system changes
    • /.fseventsd is a staging or buffer area
    • http://techblog.willshouse.com/2011/05/05/what-is-fseventsd/
  • ~/private/var/log
    • system.log
      • Logs all kernel related messages
      • Archives to compressed folders – .bz2 extensions
      • Old system log archived 12:30am local time if machine is left on at that time
      • Not comprehensive log
    • fsck_hfs.log
      • Shows disks/partitions mounted (no volume names)
      • Timestamps available (not Epoch in Plist Editor Pro)
      • i.e. /dev/rdisk3s2
    • hdiejectd.log
      • Limited eject notices for drives
      • can tie disks/partitions to volume names, but not for all instances
      • Timestamps available
  • ~/Library/Logs
    • DiskUtility.log
      • Individual user records for Disk Utility
      • Does not show every mount
      • Times of drives erased/renamed etc. in Disk Utility
      • Occasionally shows Volume names if logging the drive being renamed
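
The History.db note above (matching each History_Visits row to its History_items entry, then converting Mac Epoch time) can be done in one query. This is an added example, not part of the original notes: the database is a constructed in-memory stand-in, and the column names (id, url, history_item, visit_time) are assumptions to confirm against the evidence file.

```python
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (UTC)


def mac_to_utc(mac_seconds):
    """Mac epoch time (seconds since 2001-01-01) -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(float(mac_seconds) + MAC_EPOCH_OFFSET,
                                  tz=timezone.utc)


def build_sample_db():
    """Constructed in-memory stand-in for History.db (only the columns used here)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY,
                                     history_item INTEGER, visit_time REAL);
        INSERT INTO history_items VALUES (1, 'https://example.com/'),
                                         (2, 'https://example.org/login');
        INSERT INTO history_visits VALUES (10, 1, 450000000.0),
                                          (11, 2, 450000060.0),
                                          (12, 1, 450003600.0);
    """)
    return con


def visit_timeline(con):
    """Join each visit to its URL and convert the visit time to UTC."""
    query = """
        SELECT v.visit_time, i.id, i.url
        FROM history_visits AS v
        JOIN history_items AS i ON i.id = v.history_item
        ORDER BY v.visit_time
    """
    return [(mac_to_utc(t), item_id, url)
            for t, item_id, url in con.execute(query)]


if __name__ == "__main__":
    # For a real case, open a working copy read-only instead:
    #   sqlite3.connect("file:History.db?mode=ro", uri=True)
    for when, item_id, url in visit_timeline(build_sample_db()):
        print(when.isoformat(), item_id, url)
```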

Bit Rap

As a stress relief, a coworker of mine and I created our own parody to “99 Problems” by Jay-Z. Enjoy.

If you’re having parity problems I feel bad for you son
I got 99 problems but a bit aint one
PING ME
 
I’ve got the right controls, on the host patrol
Those that wanna make sure my ports are closed
Bad critics find those “honeypot holes”
I’m from the web, stupid, what type of ACKs are those
I’ll throw stuff at you like my zapatos
You’ll celebrate the minute you’re DDOS’n those
I’m like “f*** APT you can kiss my whole a**hole”
If you don’t like my proxy you can just fast forward
Got beef with UDP If I don’t hear, they slow
They don’t send my data, well I don’t give a sh*t SO
You cracks can kiss my missing ACKs
Maybe I’ll acknowledge your packets for cash…hackers
I don’t know what you install me  as
Or understand the intelligence that Kazy has
I went from rags to riches like a 0 to 1
I’ve got 99 problems but a bit aint one
PING ME
 
The year is 1974 the unix epoch plus four
in my voip system the encoding… ULAW
I’ve got binary 10 choices ya’ll rate limit some or
Push all the packets with the pedal to the floor
Now I aint trying to see no bandwith chase with AT&T
plus I gotta few routers I can fight the case
So I, talk to the provider after putting them on hold 
and I heard “son do you know what we’re blocking you for?”
“Cuz I’m young and I’m torrenting an album by All Time Low?
“Do I look like I sniff your packets sir, I don’t know”
“Am I getting a cease and desist or should I get some mo’”
“Well you was pulling down 5MB when you were only provisioned for 4
Username and password, now tell me what they are
Are you TORing your IP I know alotta you are”
“I aint stopping sh*t all my downloads legit”
“Well do you mind if I look around your drive a little bit?”
“Well my true crypt is intact and my executables are packed
and I know my rights, you’d be violating the computer abuse act”
“Well we don’t want that, you some kind of blogger or something?
Or somebody always writing about important somethings?”
“I ain’t got a wordpress but I know a little bit
enough that I’d go public with this shit”
“We’ll see how much you say when the FBI comes”
I’ve got 99 problems and now the feds are one
FIN

Gone Phishin’

No, not the band. And yes, I did spell it right. I’m talking about phishing emails. I’m sure everyone’s come across at least one. Phishing emails are the type that use social engineering to try and get users to reveal personal information, such as usernames, passwords, credit card numbers, social security numbers, and other information. Releasing this information allows the bad guy to use that information against you, by means of logging into your accounts, using your credit card information to make transactions, or maybe even stealing your identity.

Identifying Phishing Emails

There are numerous factors that can help identify phishing emails: a sense of urgency, a suspicious link, poor branding, unknown senders, and generalized references to the intended recipient(s). Let’s look at the sample below.

[Image: sample phishing email]

1. Unknown Sender: Let’s first look at the “From” message header. It looks like this email is from Fidelity, but the email address associated with it has nothing to do with the company it is supposedly being sent from. Nonetheless, the email address in general is someone who is unknown. This causes suspicion.

*Occasionally, phishing emails will be “spoofed.” This means that it looks like it was sent from a sender whom you know, although it was actually sent from the bad guy to trick you into trusting the email because it appears to come from someone you know.

2. Sense of Urgency: Did you see the subject? “Alert! Urgent Action Required” Phishing emails want you to feel like you have to respond right now, and that it is a higher priority. Many times, phishing sites will only be up for a day, maybe even a few hours. By making the user feel like it’s important, the user is more likely to comply sooner rather than later.

3. Generalization: Normally, legitimate emails sent to a user will include the recipients name, whether it’s in the form of “Hey Corrie!” from a friend, or even “Dear Corrie” (or something along those lines).  Phishing emails are usually sent to numerous people all at once, making it difficult to personalize the email. Be suspicious of emails that are not addressed to you personally, but addressed to a general customer, user, or group of people.

4. The Link: At first glance, the link looks legitimate, right? Look closer. Fidelity is spelt with an e instead of an i after the F. Fidelity.com would be the legitimate site, but the link to fedelity.com is definitely suspicious. In this circumstance, the link is clearly presented within the email, making it easier for the user to know where they are heading when they click the link. Although, many phishing emails will have hyperlinks saying “CLICK HERE”  in blue, underlined font, for example, and when the user clicks the button they are led to a site. Hovering your mouse over that hyperlink will display a pop-up revealing where the hyperlink is actually going, as opposed to where it looks like it might lead.

5. Poor Branding: Phishing emails pretending to be sent from a company or other entity often have poor branding. Legitimate emails may have logos, contact information, or other unique identifiers to validate their emails. Phishing emails oftentimes won’t contain that type of branding.

Another thing to note — phishing emails may also contain attachments asking you to reply to the email with your contact information because you suddenly inherited $1,000,000 from a far distant relative in Nigeria. If a suspicious email has any attachments, don’t open them.

Stay tuned for how to deal with phishing emails

Mac OS X Internet History

As most forensicators would agree, index.dat files are an extremely valuable Windows artifact to an investigation. These files store all sorts of internet browsing history from Internet Explorer, as well as where a user browsed to within directories on the device using Windows Explorer. Even after clearing the internet history, emptying your cache, and removing cookies in Internet Explorer, the logs of where a user surfed on the internet remains stored within the file.

Even though Windows operating systems are still the most prevalent, what is the equivalent to Mac operating systems, which are quickly becoming just as popular? The sad revelation (in my mind) is that there is no exact equivalent of an index.dat file on a Mac. For Safari, internet browsing history is stored in a plist (property list file which stores application information) within the system library. This plist is located at:

/username/Library/Safari/History.plist

*One commonality between index.dat files and history.plist is that they are both stored locally under the user’s profile

To view plist files, I use a program called PlistEditor Pro which is a standalone version of the tool that is integrated with the Xcode 4 developer application. 

Once Xcode 4 is installed, navigating to the history.plist file and double-clicking it will automatically open the file in the PlistEditor. Under “WebHistoryDates” will be each entry in the browser history.

The history.plist files are read in chronological order from the bottom to the top, meaning that the top entry (Item 0) is the most recently visited website.

Expanding each item in the history will show its contents

As you can see, the browsing history is displayed. Although, by default the LastVisitedDate is displayed as a string. This can be changed by clicking “String” next to the value and selecting “Date”.

By doing this for the logs, the timestamps will be converted into date/time format.
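
The same string-to-date conversion can be scripted for every WebHistoryDates entry at once. This is an added example, not part of the original post: the plist is a constructed sample, and the per-entry key names (an empty key for the URL, lastVisitedDate, title, visitCount) are assumptions to confirm against the file being examined.

```python
import plistlib
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (UTC)

# Constructed sample. Item 0 is the most recent visit, as described above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>https://example.org/news</string>
      <key>title</key><string>Example News</string>
      <key>lastVisitedDate</key><string>386900000.0</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
    <dict>
      <key></key><string>https://example.com/</string>
      <key>lastVisitedDate</key><string>386813600.0</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
    <dict>
      <key></key><string>https://example.net/broken</string>
      <key>lastVisitedDate</key><string>not-a-number</string>
    </dict>
  </array>
</dict>
</plist>"""


def parse_history(data):
    """Return (utc_datetime_or_None, url, title, visit_count) per entry,
    in file order. plistlib.loads accepts XML and binary plists alike."""
    entries = []
    for item in plistlib.loads(data).get("WebHistoryDates", []):
        try:
            when = datetime.fromtimestamp(
                float(item["lastVisitedDate"]) + MAC_EPOCH_OFFSET,
                tz=timezone.utc)
        except (KeyError, ValueError):
            # Keep the entry: a missing or malformed timestamp is worth noting.
            when = None
        entries.append((when, item.get("", ""), item.get("title", ""),
                        item.get("visitCount", 0)))
    return entries


if __name__ == "__main__":
    for when, url, title, count in parse_history(SAMPLE_PLIST):
        stamp = when.isoformat() if when else "(unparsed timestamp)"
        print(stamp, count, url, title, sep="\t")
```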

Although, one flaw (forensically speaking) of this plist file is that unlike the index.dat files, the history.plist file gets cleared when the browsing history is cleared from Safari. Because of this, a lot of valuable data can become lost. When a user is in Safari and goes to History > Clear History (which is the easy way to clear browsing history) there are still some artifacts left behind that investigators can use to determine other sites that were browsed before history was cleared. One of these artifacts is the Cache.

The first method is to carve deleted browsing history from unallocated space. More details on this methodology can be found on Richard Drinkwater’s blog.

Cached entries are located at /username/Library/Caches/com.apple.Safari where there is a Cache.db (SQL Database file) and a folder called “Webpage Previews”. The Webpage Previews folder will contain snapshots of webpages that were previewed even before the browser history was cleared.

Opening the cache.db file is a bit different. A program I like best for opening these on a Mac is called File Juicer which will parse this database file and display its contents, including a range of image files, html files, javascripts, and text files

In my opinion, analyzing the web browsing history on a Mac operating system can be much more work intensive than analyzing an index.dat file, seeing as an investigator has to look in multiple places on a Mac device to find the same information that can be found in the index.dat. Learning forensics on a Windows device, I was surprised when I found out that deleted browsing history is not kept on the device normally. On the other hand, when I mentioned this topic to a coworker, he was surprised that Windows actually kept that information.

If anyone has any further guidance or comments, please feel free to post. Mac analysis is extremely new to me, but what I’ve found so far is extremely interesting

Mandiant’s APT1 Report – Real or Fake?

Anyone in the malware/forensic/security industry has probably heard about the report released by Mandiant titled  APT1: Exposing One of China’s Cyber Espionage Units. This paper (which is incredible by the way) outlines several years of research on APT1, including their attack methods, targets, and general goals. It was only a matter of time before Mandiant’s report was a target for a new attack.

Now, we are seeing spear phishing emails taking advantage of the widespread, highly intriguing news. What a better way to attack those who are interested in the topic, right? The emails identified appear to be someone (particularly from the media) recommending the report to the user, and even attaching the document for their convenience (file names such as Mandiant.pdf and Mandiant_APT1_Report.pdf). Unfortunately, the report attached is not the actual report (gotcha!) but is a malicious pdf. When a user opens this pdf, the malicious code embedded exploits the recent Adobe vulnerability (CVE-2013-0641) in order for malicious actors to execute remote code on a system. In the end, the PDF drops malware. The type of malware installed depends on the version of the malicious PDF, and is classified differently by each security vendor, but either way it’s not good.

Moral of the Story

1. Do not open email attachments titled Mandiant.pdf or Mandiant_APT1_Report.pdf, or any other variation

2. Do not trust email attachments, period. Always verify the attachment is legitimate, even from a trusted sender (emails can easily be spoofed, and the amount of phishing emails these days can lead to many compromised IDs)

3. Update your Adobe software ASAP. CVE-2013-0641 is now patched with their most recent update.

4. Always keep your Anti-Virus updated (even you Mac users!). I’ve been working with SUPERAntiSpyware lately, and it’s done a wonderful job at detecting most of these recent infections.

5. Always hover. If there’s a link within the email, hover your mouse over the link before clicking it. The email may show that the link goes to www.goodsite.com, but hovering your mouse may reveal that it actually leads to www.badsite.com.

6. If you want to read the real report from Mandiant, I have linked the report within my paragraph above. If you do download any reports, check the MD5 hashes that Mandiant provided for it:

Mandiant_APT1_Report.pdf

MD5: 936FEB234F60CFBF6916BA61FBAB2781

SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip

MD5: FD103F16BBBB28162C23BE3A47371AA9

SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154

References: Symantec’s Blog Post

Calling all expertise

Being a good student, I have learned that while a tool is designed to automate a portion of an analysis, it’s always good to have a general understanding as to how the tool is able to accomplish this. One feature of FTK that has me questioning is the fact that given a pst, the tool is able to determine which emails were read vs. which were unread. One thing I cannot find solid research on is how FTK is able to parse this information. A friend has conducted experiments around this by viewing an unread message, a read message, and a message marked as unread forensically. There are slight differences in the hex, but what does that mean?

Is there a bit somewhere in the message headers that determines this? (True/False?)

Is it a hidden setting in message headers?

Is it determined based on timestamps? (Modified/Accessed dates)

Is there a way to forensically distinguish between a message that was truly unread, or that was “mark as unread”?

 

If anyone has any resources or ideas, please let me know. I’d love to learn about it.

 

HTCIA Conference Recap

I know it’s been almost a month since the HTCIA Conference that was hosted in Hershey, PA, but life’s been busy lately. Anyways, to cut to the chase…

The HTCIA Conference was absolutely incredible. Great people, great food, great knowledge, and LOTS of chocolate!

I flew into Harrisburg Airport Sunday night, and stayed at a hotel across the street from the Hershey Lodge (where the conference was held).

Sunday night I decided to wander over to the lodge to find where I had to go to avoid confusion the following morning. Wandering the halls of the hotel, I ran into the second VP of the association, who gave me a tour of the location. He showed me where to register, where to get lab tickets, and where the lectures were generally going to be held. Either way, I say thank you to him, because he saved me a lot of stress.

So I know that I posted the lectures and labs that I signed up for (that I planned on attending), but some of those changed. They opened up additional labs as a first-come-first-serve, so I was able to attend a couple more labs in replacement for lectures.

Lectures & Labs & Notes — if you can decipher my notes, bonus points for you.

Monday’s Schedule:

  • Lecture: Solid State Drives – A true game changer in computer forensics!
  • Lab: iOS Forensics in a BYOD World
  • Lab: Network Forensics – The Final Frontier (Until the Next One)

 

Tuesday’s Schedule:

  • Lecture: Finding Evidence in a Brave New World
  • Lab: Cerberus – Malware Triage and Analysis without the Sandbox
  • Lecture: Forensic Analysis of Malware and Intrusion Artifacts
  • Lecture: Best Practices to Smartphone Forensics

Wednesday’s Schedule:

  • Lecture: Challenges in Analyzing Full Communication Information from Mobile Devices
  • Lab: HB Gary Memory Analysis

Overall it was a great experience. Learned a lot of cool stuff that I was able to bring back to the table at home base, and got some pretty neat swag!