Cya at the HTCIA Conference

Getting ready and packing up! Headed off to Hershey PA for the International HTCIA Conference! Here’s my schedule:

LEC – Sept 17 – Cocoa 1 – 2: LECTURE – Solid State Drives — a true Game Changer in computer forensics! (1.5 hours) – Monday 10:30 AM

LAB – Sept 17 – Crystal A – 3: LAB – iOS Forensics in a BYOD World (1.5 hours) – Monday 1:30 PM
LEC – Sept 17 – Cocoa 3 – 4: LECTURE – Emerging Threats; is Technology the Problem or the Solution? (1.5 hours) – Monday 3:30 PM

LEC – Sept 18 – Cocoa 1 – 1: LECTURE – Finding the Evidence in a Brave New World (1.5 hours) – Tuesday 08:30 AM
LAB – Sept 18 – Cocoa 4 – 2: LAB – Cerberus: Malware Triage and Analysis without the Sandbox (1.5 hours) – Tuesday 10:30 AM
LEC – Sept 18 – Cocoa 3 – 3: LECTURE – Forensic Analysis of Malware and Intrusion Artifacts (1.5 hours) – Tuesday 1:30 PM
LEC – Sept 18 – Cocoa 1 – 4: LECTURE – Best Practices to SmartPhone Forensics (1.5 hours) – Tuesday 3:30 PM

LEC – Sept 19 – Cocoa Suite Terrace -1: LECTURE – Challenges in Analyzing Full Communication Information from Mobile Devices (1.5 hours) – Wednesday 08:30 AM
LEC – Sept 19 – Cocoa 2 – 2: LECTURE – Wireless Security: Attack, Penetration & Defense (1.5 hours) – Wednesday 10:30 AM
LEC – Sept 19 – Cocoa Suite Terrace – 3: LECTURE – Investigating Internet-related digital artifacts (1.5 hours) – Wednesday 1:30 PM
LAB – Sept 19 – Cocoa 6 – 4: LAB – HB Gary Memory Analysis Lab – (BYOL) (1.5 hours) – Wednesday 3:30 PM

I’ll be updating with cool stuff I learned =)

MoVP

Volatility (in chemistry) — the property of changing readily from a solid to a vapor
Volatility (in finance) — a measure of price variation over time
Volatility (in technology field) — when memory loses its contents when the device is turned off
Volatility (in computer forensics) — an open source set of forensic tools used to extract artifacts from memory used for incident response and malware analysis
Volatility (in Corrie’s world) — being easily excited and excitable…about the next 4 weeks

This month, Volatility (the forensic kind) is starting the Month of Volatility Plugins (MoVP) where they are releasing new plug-ins every day in anticipation for the new release of Volatility 2.2. According to the blog, “Each plugin will describe a brand new capability exclusive to Volatility that deals with analyzing Windows or Linux RAM dumps for malware infections or compromises.”

Sound pretty neat. They’ve only released three new plugins, and already it looks pretty neat. Take a look!

http://volatility-labs.blogspot.com/2012/09/month-of-volatility-plugins-movp.html

Google Antivirus?

VirusTotal just announced today that they have been bought out by Google. HIP HIP HOORAY!

I personally am super excited to see what comes from the service from here on out. For those of you who might not know, virustotal.com is a wonderful site to start out analyzing malware. You can upload a malicious file or URL and it will do a quick analysis of the content, providing information on the hash values, exports and imports, metadata and more, while scanning it against 42 of the leading security vendors to determine what it gets detected as, if anything. Now that it is owned by Google, I see so much more potential for the service. Funding is everything now-a-days, and we all know Google basically owns everyone and everything. More funding can bring more (and better quality) services, better tools and more reliable data now that they have Google’s resources at hand.

What I told a coworker today was that VirusTotal is like my shy best friend I go to for advice before I take action. Google is like that friend I can’t get rid of, so I use them for what they can give me. Now that these two have meshed, my friend group just became stronger.

This is so exciting and I’m anxious to see what becomes of Virus Total in the future. Who knows…maybe Google will be coming out with their own AntiVirus one day in the near future.

Check out the blog post by VirusTotal to see what they have planned:
http://blog.virustotal.com/2012/09/an-update-from-virustotal.html

Malicious PDF Triage

Today was the first time I was able to analyze malicious PDFs. I previously knew nothing about how to treat these potential infections, but learned the tactics through research.

Malicious PDFs usually spread through spam emails, depending on uneducated users to open the PDF attachment. The PDFs will generally execute malicious code when opened, exploiting a vulnerability in an outdated version of Adobe Reader or Java to open a backdoor into the system. From there, the infection will call home every so often, waiting for instructions by an attacker.

Therefore, handling these files are a bit different than playing around with a malicious executable or dll. Standard static analysis tools (like PE Explorer, PEiD) do not support PDF files. Uploading the file to VirusTotal also showed no results. Everything I previously had known about static analysis did not apply in this case. Fortunately, there are a series of free tools out there that will help identify what kind of PDF you’re looking at. Disclaimer: Tools used by Didier Stevens can be found here

I started off by using a tool called PDFiD by Didier Stevens. This tool is really helpful in determining the strings within a PDF. It’s a python script, so it has to be run in command line (Python also needs to be installed). In command prompt, navigating to the directory where the script is stored, running “pdfid.py filename.pdf” will give you the output (for Mac python is pre-installed, so the command would be “python pdfid.py filename.pdf“)

The output will look similar to what you see above — the object string on the left and the number of instances it’s found on the right. The objects/strings to pay attention to are boxed in red. The /Page string tells you how many pages the PDF is. *Most malicious PDFs are only one page in length* The /JS and /JavaScript strings will tell you if there’s JavaScript embedded. *In this case, it’s 0, but if there is an instance of JavaScript, this is a red flag and requires further investigation* The /AA and /OpenAction functions are equally as important, because an instance of this would allow the JavaScript within the PDF to execute without user interaction.

Now, lets say there was an instance of JavaScript embedded with the PDF. How do we pull this out? Fortunately, Didier Stevens also has another python tool called PDF-Parser, which will pull apart the objects that make up a PDF file and display them (I would suggest having the output save to a text file for easier viewing. The results can be a bit overwhelming, but if you know what you’re looking for, a simple Control+F in the text file for /JavaScript will make life easier) Running the command “pdf-parser.py filename.pdf > filename.txt” will do this for you. You will then be able to determine what the JavaScript does, and how that relates to the opening of the PDF file.

A tool I found later down the road called PDFScope will combine the functionalities of pdfid and pdf-parser into one GUI that separates results by tabbed functions. It’s pretty nifty and easy to use to quickly get everything you want to know into one place.
Another interesting tool is part of the PDF Toolkit (Pdftk). Using the switch data_dump with the tool will pull all the metadata for the file.

 

The timestamps are represented as yyyymmddhhmmss (so in this case, the file was created on 7/24/2012 at 00:28:27 [12:28:27am]) The PDFID’s are MD5 hash values for the information within the metadata to help identify the data. Also, in this case the Title is different than the Filename — something to keep in mind.

In the case I dealt with today, there was no fun JavaScript or other red flags of a malicious document. The only off-setting qualities was that it was one page in length, and was discovered in a series of spam emails. In this case, this was just a phishing email. It basically said that so-and-so’s email was pulled in an international drawing, the ONLY won $2,000,000, and to claim the prize you needed to send all this information (including copies of passport and license) to a guy in Belgium (he clearly stated he’s in Belgium…email actually came from the Netherlands).

Even though the file was “boring”..it was still a great day learning about all this!

AccessData’s MPE+ Potential

Eventually we will be getting AccessData’s Mobile Phone Examiner Plus as part of our forensic toolset in the lab. I’m not a huge AccessData product user (even though I just got re-certified as an AccessData Certified Examiner today) so I know basically next to nothing about the product. I participated in a Webex that AD presented on the tool, and I surprised myself when I realized I’m excited to use it.

The difference between EnCase’s Smartphone Module and AD’s MPE+ is that EnCase supports phones based by operating system, whereas AD supports media by manufacturer and model of the phone. My first intention is that EnCase would be a better solution because there are zillions of smartphones, with new ones being released every week. How can MPE+ keep up with all the new technologies? Theoretically, EnCase would be able to support a wider range of mobile devices since it parses information based on a handful of operating systems (which usually update less frequently) as opposed to trying to support thousands of phones being released. Although, there were plenty of things I learned in the Webex that caught my eye and made me all giddy inside:

  1. It supports 3,500+ phones. With some afterthought, our company only uses a certain few types of phones, so worrying about support with over 3 thousand options is behind me.
  2. It supports phones running Android, Windows Mobile, iOS, Symbian, and Blackberry (as well as SIM cards, and blackberry/iOS backup files)
  3. There is a TABLET version, which has the software installed so you can do mobile phone analysis in the field — COOL!
  4. There is an auto-update prompt at startup if there are any new releases. This might run into a problem at our lab because our forensic machines are not connected to any network, so updates will have to be checked and installed frequently.
  5. When you add a phone, it shows a picture of the manufacturer and model you selected. I like this as a verification that I selected the correct phone I’m trying to analyze.
  6. Once a phone is added, the acquisition can be exported as an AD1 image if I decide to analyze the contents in FTK.
  7. If a phone is jailbroken (iOS) or rooted (Android) MPE+ is able to take a PHYSICAL image of the device (something EnCase is not able to do…they only support logical acquisition)
  8. MPE+ supports a whole slew of image formats — E01, DD, AD1, etc. This is awesome if lets say I image a phone using EnCase or the Oxygen Suite, I can throw it into MPE+ and examine the contents using the parsing tools that’s built in
  9. It has the ability to play videos within the interface — as opposed to opening an external application like Windows Media Player
  10. It allows you to data carve within the folders and files
  11. It parses by OS for folders that hold valuable information, even protected data files, and will pull all of the information out and display it into a spreadsheet-esque report for easy viewing
  12. It will (unofficially) support hard drive images, like Mac for example. You add the image to the MPE+ case as if it was iOS, then use the tools to extract data
  13. Password protected device? MEH! It has brute-force password cracking options built-in.
  14. Android has what is called as “Forensic Files” which allows you to see the protected user data that wouldn’t normally be seen on the phone (like Google contacts, for example)
  15. It has Android support for multiple partitions. Aka, you can see every partition that’s created on the device (which is normally hidden)
All-in-all, I’m super excited to get this tool in the lab. I was a bit weary at first, but this thing seems PRETTY nifty! =D

EnCase 7: Smartphone Frustrations

We recently upgraded to EnCase 7, and now with smart devices becoming a hot commodity in the business, there’s a need for smartphone analysis. Now, I haven’t done much with smartphones when it comes to acquiring them (anything I have done has been infrequently on a Celebrite) so playing around with version 7’s new smartphone functionality has been, a bit challenging.
My first fight was with iOS. Understandably, I needed to install iTunes on the forensic machine so that the device would be able to talk with the Windows machine. I got that. That was fine. I first tried an iPad. Everything worked great — it acquired, I was able to pull information, and EnCase was able to put it in a report format for me. Awesome. I next played with an iPhone (which had the same iOS version, settings, apps, etc., mind you) and ran into all sorts of difficulties. I entered the passcode for the iPhone to unlock it (just as I had done with the iPad) but the contents seemed to be encrypted. I was able to read the names of the files, but the contents were all jibber-jabble. As I said before, the settings were all the same on the iPhone as they were on the iPad, and the backups weren’t encrypted, so what’s the problem? Why would the iPad read perfectly fine, but the iPhone not? Mysteries Mysteries…
Today I tried acquiring a Blackberry. Once again, I got nowhere significant. EnCase was able to detect it, but wouldn’t acquire it. After research, I found that I also needed to install a program and/or driver for Blackberry, since Device Manager recognized it, but I wasn’t able to access it. The driver I needed was included in a Windows Update (which I cannot perform because our forensic machines are not connected to any network) so further research continued. A few forums mentioned installing Blackberry Desktop to help the computer talk with the Blackberry, but ran into issues installing that, with error after error during the install (“The installation files cannot be validated. Please verify the installer package and try again.”). Websense blocked a few websites which Google displayed having an answer for these errors, so at the time I dropped the project. Now, I might have a solution to the digital signature problem with the Blackberry which I will try tomorrow.
My experience with the EnCase smartphone suite was not an easy task. Maybe it’s because I’m inexperienced (I just got my first smartphone a couple weeks ago) or because EnCase’s tool isn’t all that great. I’m going to look into and play around with Oxygen Forensic Suite to look at their mobile forensic solution, in anticipation for AccessData’s Mobile Phone Examiner Plus software to be installed and tested.

Hello World

Well, here’s my first blog post! Welcome to SecuriTree, my blog on malware and forensics topics. I picked the name as a play on words (“Security” for those who might not get that) to discuss different branches of security I deal with on a daily basis, or am unsure of, or just generally interested in.

Things you can expect to see on here:
  • My experiences
  • My findings
  • News articles
  • General nerd topics
I always encourage comments, especially advice. I’m new to all of this “forensics” stuff, and appreciate any input anyone has!