Keeping with the GSD Theme this weekend…
Hang on, I’ve tried to group these a bit but it is still a ride all over the place.
The Windows Forensic Environment blog has some WinFE Teaser Screenshots showing some of Colin Ramsden’s custom WinFE build work. Very sexy stuff! I can’t wait! And for the CLI-challenged crowd, working with DiskPart in WinFE might take a moment to get used to. Luckily Brett Shavers has some easy tips in his DiskPart article as well as a cross link provided to his exhaustive The (Nearly) Perfect Boot CD (PDF) document.
For the past two weeks I’ve been working on a special project recovering lost files from a 1 TB drive (well, recovering them from a cloned copy of the original drive). Although I already had my tools and methodology down before beginning, I did some research in the process to make sure there weren’t any tips and tricks that could enhance my response work. Here are some links that I found resourceful to save. I may or may not be able to share details on this project sometime in the future.
- Recovering deleted files with a Ubuntu CD – Ubuntucat
- Data Recovery forum – Ubuntu Rescue Remix
- DataRecovery - Community Ubuntu Documentation
REMnux: A Linux Distribution for Reverse-Engineering Malware is another pretty cool LiveCD ISO and/or VMWare image.
Finally, the off-line bootable Offline NT Password & Registry Editor for Windows systems has been updated to 100627 at the end of June 2010 by Petter Nordahl-Hagen. Supports NT/2k/XP/Vista/Win7.
Computer Forensics - Windows Search forensics – by Joachim Metz is a great review on “Analyzing the Windows (Desktop) Search Extensible Storage Engine database”
Quickpost: Preventing the /Launch Action “cmd.exe” Bypass and Quickpost: No Escape From PDF by Didier Stevens get into PDF security issues.
Harlan Carvey’s Windows Incident Response: Links post touches on Didier’s work and then goes deeper on infection vector sources. Also spotted in that post is that ShadowExplorer is at version 0.7. This Manual page should give you an overview.
Lots of goodies in this Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More SANS Forensic Blog post including the Orion Live CD (read the paper PDF first), and an assortment of free tools (link lists) provided by Forensic Control.
We are now doing regular network traffic monitoring, so all things Wireshark and forensic packet analysis are top on my read/watch list. Such as this video of Hansang Bae’s presentation with Wireshark regarding his responsibility for Packet Capture Infrastructure at Citi.
The H Security has an incident summary by Frank Boldewin CSI:Internet - The image of death based on deconstruction of an email containing a suspicious PowerPoint presentation. Great detail and chock-full of tips for incident responders to take note of. See also his previous incident story Alarm at the pizza service.
Frank’s website, reconstructer.org, contains even more incident responder goodies.
- his blog page includes a link to this A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day - zynamics.com blog post.
- his Code I’ve done includes his OfficeMalScanner forensic tool to scan MS Office files for malcode and other signature items, as well as extract them to disk. See his New advances in Ms Office malware analysis (PDF) for details of it in action.
Nir Sofer’s been busy with a post on Recover L2TP,PPTP,PPPOE,DNS password from the router Web interface as well as updates to SniffPass Password Sniffer and SmartSniff.
Autoruns and Dead Computer Forensics at the SANS Forensic and Incident Response blog details added features (and limitations) of the latest version of Microsoft Sysinternals Autoruns tool; the ability to load and analyze the autorun items from an offline system. While not perfect it is a large step forward. In addition, I found that it now loads saved autorun session files (*.ARN) much more cleanly than before.
Help Net Security had a tip to Casper Secure Drive Backup 2.0, a commercial ($) solution for complete system backup of PGP-WDE drives while still in their encrypted state. This is one of the headaches of WDE. I work with PGP-WDE systems almost daily, and performing incident response and system support to them is a headache. Sure you can make a backup of your system/data, but unless you capture a sector-based disk image of the whole system for restoration, or off-load the system backup in some “unencrypted” manner, and then re-encrypt that backup data, your back-up version might circumvent the whole point of having WDE in the first place. Anyway, this is a pretty cool featured solution and the only one specifically for PGP-WDE that I have come across. A free 30-day trial version is provided by the company. So from both a drive imaging/cloning and PGP-WDE perspective, I’m intrigued.
cqure.net contains quite a collection of scripts/tools by Patrik Karlsson, primarily for vulnerability and penetration testing. I came across this while looking for a tool to extract my home TightVNC 2.0.2 passwords (which I stupidly set without writing down!). Alas even Nir’s VNCPassView wasn’t able to handle the new version. So I just uninstalled TVNC from my couple of systems, then reinstalled and set new passwords, writing them down this time.
WinTaylor 2.0 is out! via the CAINE forensic LiveCD folks. WinTaylor is a Windows-based auto-launching interface for a collection of utilities for incident response, system auditing, and forensics work. There are a few distros like this: boot the system with the LiveCD side, or auto-run the CD in a running Windows system and use these tools.
The Sleuth Kit (TSK) & Autopsy: Open Source Digital Investigation Tools – yes, probably anyone and everyone who cares knows that TSK is now updated to 3.1.3 at the start of July 2010.
- Opinion: The unspoken truth about managing geeks – Computerworld’s J.Ello – must read for all IT workers and managers.
- How To Respond To An Unexpected Security Event – Presentation by Lenny Zeltser that is very detailed. Harlan voiced his enthusiasm on the content as well.
As you may or may not know, Google has been offering https:// based encrypted search support now via https://www.google.com. However, that did cause some issues for users doing regular Google site searches when network administrators blocked the https:// based Google location. So now it has been moved to https://encrypted.google.com. I mention this mostly as traffic monitoring might turn up some indication of these sessions but without the details normally expected to be found from google.com based search traffic. This Official Google Enterprise Blog: An update on encrypted web search in schools post gets into some of the details as do these posts:
- Google Secure Search – Google Operating System blog
- Google’s encrypted search casts shadow on web analytics • The Register
- Side-Channel Attacks on Encrypted Web Traffic -- Schneier on Security
- Website Auto-complete Leaks Data Even Over Encrypted Link -- Darknet
- A few thoughts on SSL Search – Matt Cutts
- Peeking at Google's Secure Search Beta Traffic – Laura Chappell
- Google's Secure Search Not So Secure? – Laura Chappell
- Watch OUCH! Google over SSL - Cached Link Issue – Video [12:48] – Laura Chappell’s WireSharkBook “Coffee…and a Quickie” page
- Watch Analyzing Google HTTP/HTTPS Traffic – Video [10:35] – Laura Chappell’s WireSharkBook “Coffee…and a Quickie” page
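To make the monitoring point above concrete, here is an added example (not code from the original post or from any of the linked authors) that walks a web-proxy log and separates plaintext Google searches, where the query is visible, from HTTPS sessions to encrypted.google.com or www.google.com:443, where only the host is visible. The log lines are constructed in an assumed Squid-like layout (epoch, client, method, URL); adapt the parser to your own proxy format.

```python
"""Classify Google search sessions seen in a web-proxy log by whether
the query string is visible (plain HTTP) or hidden inside a TLS tunnel
(CONNECT to encrypted.google.com / www.google.com:443)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: epoch timestamp, client IP, method, URL.
SAMPLE_LOG = """\
1278000001.123 10.0.0.5 GET http://www.google.com/search?q=log2timeline&hl=en
1278000007.456 10.0.0.5 CONNECT encrypted.google.com:443
1278000012.789 10.0.0.9 CONNECT www.google.com:443
1278000020.001 10.0.0.9 GET http://www.example.com/index.html
"""

GOOGLE_SEARCH_HOSTS = {"www.google.com", "encrypted.google.com"}

def classify(line):
    """Return (client, kind, query) or None when the line is not a Google search.
    kind is 'plaintext' (query visible) or 'encrypted' (query not visible)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    _ts, client, method, url = parts[:4]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
        if host in GOOGLE_SEARCH_HOSTS:
            # TLS tunnel: the proxy sees only the host, never the search terms.
            return (client, "encrypted", None)
        return None
    u = urlsplit(url)
    if u.hostname in GOOGLE_SEARCH_HOSTS and u.path == "/search":
        q = parse_qs(u.query).get("q", [None])[0]
        return (client, "plaintext", q)
    return None

def summarize(log_text):
    """Per client: the visible queries and a count of encrypted search sessions."""
    summary = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        client, kind, query = hit
        entry = summary.setdefault(client, {"plaintext": [], "encrypted": 0})
        if kind == "plaintext":
            entry["plaintext"].append(query)
        else:
            entry["encrypted"] += 1
    return summary
```

Running summarize(SAMPLE_LOG) shows 10.0.0.5 with one visible query and one encrypted session, and 10.0.0.9 with only an encrypted session; DNS or TLS SNI logs would give you the same host-level signal, nothing more.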
For forensic packet capture reassembly, NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer is a favorite tool and I see it was updated to version 0.92 back at the end of May 2010. I’ve had stability issues on my XP/Win7 systems for some reason with it; the packet capture assembly bombs out when loading PCAP files. I’ve not tried 0.92 yet and had to go all the way back to v 0.88 or 0.89 for a stable build for some reason. Don’t forget about NetWitness Investigator Software (also free) and Xplico - Internet Traffic Decoder, updated to version 0.5.8 in late June 2010. You can find it now on many LiveCDs, but they also now offer a VirtualBox image for it as well. Cool!
Finally, this Digital Forensics Case Leads: Ann’s Aurora Edition at the SANS Forensic and Incident Response blog ended up being a real time-sink for me!
Somehow from that post I tripped over all the following links chasing the white rabbit.
- log2timeline Version 0.50 Released - IR and forensic talk blog
- Timeline Analysis 101 - IR and forensic talk blog
- Mastering_the_super_timeline_log2timeline_style – (PDF)
- The Digital Standard: Timeline Analysis Part 4 : Timescanner – The Digital Standard blog
- Ex-Tip – “a proof-of-concept project to demonstrate the utility of a portable, extensible forensic timeline framework written in Perl." by Mike Cloppert
- System Combo Timeline – Security Ripcord – Utility.
Looks like it is one of many tools that use Python. I’m seeing it pretty often, so I wonder if it would be worth my while to get some foundational knowledge and experience in working with it on Windows systems?
- life is short - you need Python!: Run Python program in windows ...
- 3. Using Python on Windows — Python v2.7 documentation
- Beginner's Guide
- Audio/Visual Talks
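As an added example of the kind of job the timeline tools linked above do, and of why Python is a fit for it, this script merges artefacts with three different timestamp conventions into one UTC-sorted super timeline. It is not code from log2timeline, Timescanner, Ex-Tip or any other tool named here; the records are constructed, and the assumed conventions are file-system times reported in a UTC-4 local zone, event-log times in UTC, and proxy times as epoch seconds.

```python
"""Normalise timestamps from several artefact sources to UTC and emit
one sorted timeline. Getting the zone of each source right is the whole
game: mixing local and UTC values silently reorders events."""
from datetime import datetime, timezone, timedelta

# Assumed: file-system records were exported in local time (UTC-4).
LOCAL = timezone(timedelta(hours=-4))

# Constructed inputs.
FS_RECORDS = [  # (local time, path)
    ("2010-07-10 09:15:02", "C:\\Users\\bob\\Downloads\\invoice.pdf"),
    ("2010-07-10 09:15:20", "C:\\Windows\\Temp\\svc.exe"),
]
EVENTLOG = [  # (UTC time, event id, message)
    ("2010-07-10 13:15:30", 7045, "A service was installed in the system."),
]
PROXY = [  # (epoch seconds, client, url)
    (1278767690, "10.0.0.5", "http://www.example.com/invoice.pdf"),
]

def parse_local(s):
    """Local-zone wall-clock string -> aware datetime in LOCAL."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL)

def parse_utc(s):
    """UTC wall-clock string -> aware datetime in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def build_timeline(fs=FS_RECORDS, evt=EVENTLOG, proxy=PROXY):
    """Return [(utc_iso, source, description)] sorted by time."""
    rows = []
    for ts, path in fs:
        rows.append((parse_local(ts).astimezone(timezone.utc), "FS", "M.. " + path))
    for ts, eid, msg in evt:
        rows.append((parse_utc(ts), "EVT", "EventID %d: %s" % (eid, msg)))
    for epoch, client, url in proxy:
        rows.append((datetime.fromtimestamp(epoch, timezone.utc), "PROXY",
                     "%s GET %s" % (client, url)))
    rows.sort(key=lambda r: r[0])
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), src, desc) for t, src, desc in rows]
```

With the constructed data the proxy download (13:14:50Z) lands before the PDF write, the dropped executable and the service-install event; read the same file-system times as UTC by mistake and they would sort four hours earlier, before the download that produced them.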