Brett's Blog

Just some ramblings.

What is this thing "privacy" you speak of?

I luckily missed being born into the Internet generation. Facebook creeped me out with the amount of information demanded to create an account. It took me all of 1 minute to create an account, 5 minutes to decide to delete it, and then two hours to figure out how. That was years ago and I still receive email reminders from Facebook to re-join, with all my information still in the deleted account, as if I never deleted it. If you ever wondered what Mark Zuckerberg thought of Facebook users, you may want to take a look: http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5

Perhaps a decade of working undercover has made me ultra-paranoid about personal information. When I was doing UC work, I had little concern about sitting in an illegal business, having dinner with an organized crime figure and having one of his goons run me through Google, because there was no Google when I first started. That changed before I left the narc world, and an undercover friend of mine was identified with Internet searches (while he was in the midst of a group of bad guys). If I was still doing undercover work, I'd no longer be doing undercover work. Thanks Google...

I can imagine that being born into the Internet age means never knowing what privacy is, nor having any concern about it at all. Kids are literally texting in grade school, Facebooking in middle school, and blogging by high school. Every generation now willfully gives up every aspect of their lives on social media and to buy some gadget online.

So when I see that the majority of people couldn't care less about the most intimate and private details of their lives, it gives me pause. If you don't think your Internet searches and web browsing are intimate, take a look at your web history and tell me that you don't have some secrets in what you look at that you wouldn't want anyone else to know about you. Health, wealth, and interests. How much more intimate can you get?

Despair at the Number of Americans Who Choose Security over Liberty, Privacy (Reason blog, 31 Dec 2015): "According to a new, frustrating poll, a majority of Americans in both the major parties appears to support warrantless government surveillance of Am ..."

 

I’m not sure if people just don’t care that the government watches and logs their Internet activity, or if they just don’t know that they have a right to be secure in their homes, papers, and possessions. Either way, the result is the same. Privacy no more, and like the arrow flown, you can’t get the data back.

I can say that there are government organizations that actually take issue with privacy, one for example: Public Libraries. I’ve had criminal investigations where I needed information about a library patron for serious felonies. Not only were librarians willing to throw down with me rather than give it to me, but I was promptly kicked out and told to get a warrant (which I did every time). The library in the county where I live takes privacy seriously (KCLS). No security cameras anywhere. Not inside the library. Not in the parking lots. Nothing recorded. Patrons can use Tor if they bring it on a CD or flash drive to plug into public use computers. The WiFi is free, no login required, no tracking of the users.

For this, I say libraries may be the last bastion of personal privacy protection, but then again, I have no idea how many national security letters have been handed out to librarians.

Certainly the day is close where privacy no longer exists in any manner. Already, if you ever applied for a security clearance, foreign governments have your application and probably your fingerprints too.

China says OPM breach was the work of criminal hackers (Engadget, 3 Dec 2015): "China says the massive security breaches at the US Office of Personnel Management (OPM) that exposed the personal information of more than 21.5 million US government employees, con ..."

I can say with experience, the Internet is great for investigators. Finding suspects has never been easier. In fact, finding an entire life history of a suspect takes on a whole new meaning with Facebook and every other type of social networking account. Heck, they list their associates too. How much easier can it get? Criminals are people too, and they put as much personal information online as everyone else. Take the Dark Web as one example. The Silk Road creator took massive steps to hide his identity, but an IRS agent identified him with Google searches...

The Tax Sleuth Who Took Down a Drug Lord (New York Times, 25 Dec 2015): "It was Mr. Alford's supervisors at the I.R.S. who assigned him in February 2013 to a D.E.A. task force working the Silk Road case. The Strike Force, as it was known, had so far had l ..."

My only concern with personal privacy evaporating like dry ice in the summer is that criminals also have an easier time of finding enough personal information to do damage to anyone, whether as ID theft, stalking, or worse.  It's bad enough that there are several levels of government agencies tracking everyone (including you), and that the criminals are using the same methods, but we also have the foreign governments doing it too.

Probably the best thing that can happen to the Internet is that it breaks...but then again, how will students find answers to their homework if they can't access Wikipedia? Can you imagine telling your kids to go to the library? The horror!


The best part of writing a book is finishing the book.

I chose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not be entirely what you would expect if you think it is a manual for hiding yourself on the Internet. Being from Syngress, it is a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotics detective was an anonymous complaint of a large, indoor marijuana grow operation. Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow. I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time. He gave consent and we found hundreds of marijuana plants growing in the house. The point of this story is that on a table near the front door was a book on how to grow marijuana, opened to the page that said “when the cops come to your door for consent, say NO!”. He had the book that advised against it and did it anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book in the form of early reviews, suggestions, recommendations, and co-authoring. Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:


RegRipper

The short story-if you want RegRipper, get it from GitHub (don't download it from anywhere else)

http://github.com/keydet89

What is RegRipper?

RegRipper was created and is maintained by Harlan Carvey. RegRipper, written in Perl, is the fastest, easiest, and best tool for Registry analysis in forensic examinations. RegRipper has been downloaded over 5000 times and is used by examiners everywhere.

How can you make it better?

If you want RegRipper to be better, you can help by first sending in registry hives with specific information of what you need RegRipper to do with that hive to Harlan Carvey.  Is it a P2P application of interest?  Or USB devices? Or…?

What RegRipper is not
RegRipper is not a Registry Viewer. An examiner would not open a Registry hive file in RegRipper to “look around”.

Further, RegRipper is NOT intended for use with live hive files.  Hive files need to be extracted from a case (or from a live system using FTK Imager…), or accessible via a tool such as Mount Image Pro or F-Response.

RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to open specific Registry hive files and extract specific keys, values, and data, and does so by bypassing the Win32API.

How does RegRipper work?
RegRipper uses James McFarlane’s Parse::Win32Registry module to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis.  This tool is specifically intended for Windows 2000, XP, and 2003 hive files (there has been limited testing on Vista/Win2K8 hive files…everything has worked fine so far…).

How do I use RegRipper?
Simply launch rr.exe.  Also, please be sure to read the RegRipper documentation.

Do I have to install anything to use the RegRipper?
Nope, not a thing. RegRipper ships as an EXE file, able to run on Windows systems. All you need to do is extract the EXE and DLL into the same directory. The source file (rr.pl) is also included, as are the plugins.

Further, RegRipper doesn’t make any changes to your analysis system…no Registry entries are made, nor are any files installed in odd, out-of-the-way locations.

HC

—————————————————————

RipXP

Installing
RipXP uses all of the same plugins available with RegRipper, so simply extract the files in this archive into the same directory with RegRipper (rr.exe) and rip (rip.exe).

Running
1. Using your tool-of-choice (I use FTK Imager), open the image and extract the hive files you’re interested in from the system32\config directory, as well as from user profile(s), into a directory (i.e., D:\cases\case001\xp\config).

2. Using that same tool, within the image navigate to the directory where the Restore Point directories are located (usually C:\System Volume Information\{GUID}\). Extract all of the RP* directories into a directory on your analysis system (i.e., D:\cases\case001\xp\restore).

3. To see the options used by RipXP, simply type:
C:\ripXP>ripxp

RipXP allows you to run one plugin across a designated hive file, and all corresponding hive files in the Restore Point directories.

C:\ripXP>ripxp -r d:\case\config\ntuser.dat -d d:\case\restore -p userassist

——————————————————————————

RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of its activity in the same directory as the output file, using the same file name but with the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed at a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of its activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts now have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

The use and function of RegRipper is discussed in great detail in the book, Windows Registry Forensics.

How do I..

…install RegRipper?

Go to the download site for RegRipper and get the archive that contains the most recent version of RegRipper (in this case, rrv2.5.zip). Extract the archive into a directory on your system, such as “C:\rr”.

Next get the latest plugin archive, based on the date of the archive, and extract everything in the archive into “C:\rr\plugins”.

That’s it…you’re done. Either launch rr.exe (the GUI) or run rip.exe (CLI) from the command prompt.

…get a list of all plugins?

This is actually pretty straight-forward. To list all of the plugins in the \plugins folder, simply open a command prompt, navigate to the folder where you installed RegRipper, and type:

rip -l

Another way to see what plugins are available is to launch the Plugin Browser (pb.exe), and navigate through the list of plugins, one at a time. In order to get a .csv listing of the available plugins, use this command:

rip -l -c > plugins.csv

You can then open the resulting file in Excel.

In order to get just a listing of plugins available for a particular hive file (in this case, the Software hive), type:

rip -l -c | find ",Software" /i

Does RegRipper do…?

Perhaps one of the biggest misconceptions regarding the RegRipper plugins is whether or not it does specific things; that is, does it check for specific values, parse specific data, or enumerate the contents of specific keys? This isn’t the right question to ask.

From the beginning, RegRipper plugins have been created and updated based on needs. Some needs are relatively easy to meet, due to the availability of data; most Windows systems have a ‘Run’ key. Other plugins have been created/modified due to unique circumstances based on analysis; finding something new or unusual during an examination will very often result in a new plugin, or an update to an existing plugin.

Of those currently writing plugins, it appears that few have encountered systems on which the P2P application Ares has been installed and used. As such, the ares.pl plugin may be somewhat limited and not meet the complete needs of a specific examiner working on a specific case.

In short, the power of RegRipper is in the plugins, and for this to be a truly powerful tool, it depends on examiners sharing their needs and data before hand, rather than asking, “Does it do…?” after the fact.

If you have any suggestions, recommendations, or questions about RegRipper, just ask Harlan.  Don't be afraid. Don't post all over the Internet that RegRipper doesn't do what you thought it would or is defective.  Ask Harlan. http://windowsir.blogspot.com

ASEPs

Auto-Start Extensibility Points (ASEPs) checked by RegRipper's plug-ins

Run Keys

Software Hive Run keys

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

o soft_run plugin

NTUSER.DAT Hive Run keys

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

o Run and Load values

o user_run plugin

System Services

• HKLM\System\CurrentControlSet\Services

o services plugin (list services by last write times)

o svcdll plugin (list services with ServiceDLL values)

o svc plugin (list services and drivers by last write times)

o svc_plus plugin (short format with warnings for type mismatches)

o svc2 plugin (csv output)

• Legacy registry keys located at HKLM\System\CurrentControlSet\Enum\Root

o legacy plugin

Software Registry Hive ASEPs

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

o winlogon plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls and init_dlls plugins

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls plugin

• HKLM\SOFTWARE\Microsoft\SchedulingAgent

o schedagent plugin

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

o shellext plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

o svchost plugin

System Registry Hive ASEPs

• HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

o appcertdlls plugin

• HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

o securityproviders plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

o lsa_packages plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\Session Manager\CWDIllegalInDllSearch

o dllsearch plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\SafeBoot

o safeboot plugin

NTUSER.DAT Registry Hive ASEPs

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon_u plugin

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

o load plugin

• HKCU\Software\Microsoft\Command Processor\Autorun

o cmdproc plugin

UsrClass.dat Registry Hive ASEPs

• HKCU\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell_u plugin

This section presents and discusses a list of artifact categories, as they relate to the RegRipper tools and plugins. As they are defined or described (see below), each of these categories applies specifically to artifacts found within the Windows Registry.

Many of the available Registry artifacts persist beyond file and program deletion, providing indications of system or user activity that occurred in the past.

Many artifacts can and may fall within multiple categories. For example, the File Access category by extension indicates Program Execution.

Multiple categories of artifacts can be used in analysis through the use of an analysis matrix.

Categories are identified within plugins as part of the configuration hash (%config) provided as part of the plugin. The use of categories in this manner does not obviate the use of profiles within RegRipper; instead, it enhances that capability.

Note: This should be considered to be a living document, subject to update and modification.

Category Definitions

What follows are some of the categories that have been identified, along with descriptions of each of the categories.

Where applicable, examples of available RegRipper plugins are provided.

OS Info

Basic OS information, such as version, installation date, install source path, time zone information, etc.

Example plugins: winver.pl, compname.pl

User Account Info

Basic user account information.

Example plugins: samparse.pl, profilelist.pl

Network Configuration

Artifacts associated with the network configuration of the system.

Example plugins: compname.pl, networklist.pl

AutoStart

Registry artifacts associated with the autostart of applications and programs (those programs/applications that are launched with no interaction from the user or system).

This category can overlap with and include some of the same artifacts as those from the Program Execution category.

Example plugins: services.pl, legacy.pl

Program Execution

Artifacts that relate to or indicate that programs were executed.

Example plugins: appcompatcache.pl, direct.pl, sysinternals.pl, muicache.pl, userassist.pl

Installed Programs

Installed Programs artifacts differ from Program Execution artifacts, in that many applications/programs are installed on a Windows system via a setup.exe file, or via an MSI file. As such, the program itself has artifacts in the Software hive, and then user-specific artifacts "live" in the user's NTUSER.DAT hive.

An example of this includes Adobe Reader; the Software hive will contain information about the system-wide application configuration, while the NTUSER.DAT hives will indicate not only which user(s) launched the application, but also maintain an MRU list of files that the user accessed.

Note: A program or application can be installed, but may not have been executed.

Example plugins: apppaths.pl

Storage Information

This category pertains to the usage of or access to storage media, including (but not limited to) USB devices, network shares, "cloud" storage, etc.

Example plugins:

Log Info

This category pertains to artifacts related to the configuration of log files on the system, which can include Windows Event Logs, as well as application specific logs.

Example plugins:

Malware

This category pertains to artifacts that specifically provide indications of malware infection or activity. It differs from the AutoStart category in that legitimate applications also make use of AutoStart locations. In many instances the AutoStart or Program Execution categories are used to extract general information (i.e., contents of the Run key, etc.) for the analyst to review, while plugins in the Malware category look for specific artifacts tied to particular malware samples or malware families.

Examples of malware-specific artifacts include:

  • Variants of Zeus have been known to add "sdra64.exe" to the UserInit Registry value
  • OSVersion

Example plugins: osversion.pl, zeus.pl

File Access

This category pertains to files that a user has accessed, which is most often through the use of a specific application. As such, artifacts within this category will indicate Program Execution (or usage), but the purpose of this category is to provide indications of files that a user specifically had access to, via downloading, or through creation or modification.

Example plugins: recentdocs.pl, trustrecords.pl

Communications

This category can be a subset of the Installed Programs and Program Execution categories, and is specific to programs/applications intended for off-system communications. While the Program Execution category may be used to look for indications of the use of ftp.exe or chat programs, this category is intended for communication application-specific artifacts.

Example plugins:

Analysis Matrix

The above listed categories can be used in an analysis matrix; several categories of artifacts may be used in specific types of analysis activities.

The following table is a notional analysis matrix, and is intended to serve as a starting point for both discussion and analysis:

                     Malware Detection   Data Exfil   Unauth Use   Illicit Images
  Program Execution         X                                            X
  Malware                   X                                            X
  File Access                                 X                          X
  Storage Info                                X                          X
  Comms                     X                 X


Tool Architecture

RegRipper is actually a suite of tools that all rely on a core set of functionality.

Helper Functions

The main user interface (UI) tools for RegRipper (i.e., the RegRipper GUI and the rip CLI tool) provide a number of functions to the plugins. These functions are kept in a separate .pl file and are loaded by the UI code with Perl's require (which pulls the code in at run-time). This allows for the following:

  • The one set of code is available to the UI tools in a uniform manner.
  • The helper function code can be updated and made available without requiring the tools themselves to be completely recompiled.
  • The code is completely transparent; anyone can open the helper files and see what the code is doing.

Note: In order to make the code portable and usable by the widest range of users, any modules required to use the helper functions (i.e., Time::Local) will be compiled into the UI.

Time

This section is about how time is treated on Windows systems, as well as the various time formats found on Windows systems.

Formats

Time is recorded in a number of formats on Windows systems. Even though MS maintains a page that discusses time formats, there are other formats available, as well.

Unix Time

Unix epoch time - yes, there are time values recorded on Windows systems in the 32-bit Unix epoch time format, which is the number of seconds since midnight UTC, 1 Jan 1970.

This time format has a granularity of 1 second.

This time format is found in Windows XP/2003 Event Log records, as well as some Registry value data.

To convert this time format to something readable, use the built-in gmtime() function.

DOSDateTime

DOSDateTime - Date and time format encoded in two 16-bit values. Used as part of the shell item format specification, described by Joachim Metz. Shell item ID lists appear in the Shell\BagMRU Registry values, as well as part of the MS-SHLLINK binary format for Windows shortcut files.

This time format has a granularity of 2 seconds.

Python code for translating the DOSDateTime values into something readable can be found as part of the libforensics package.

Perl code (note: the commented-out epoch conversion requires the Time::Local module):

# Decode a DOSDateTime (two 16-bit words) into "YYYY-MM-DD HH:MM:SS".
#   $date: bits 0-4 day, bits 5-8 month, bits 9-15 year - 1980
#   $time: bits 0-4 seconds/2, bits 5-10 minutes, bits 11-15 hours
# Returns 0 when either word is zero (value not set).
use Time::Local qw(timegm);   # only needed for the commented-out epoch conversion

sub convertDOSDate {
  my $date = shift;
  my $time = shift;
  return 0 if ($date == 0 || $time == 0);

  my $sec = ($time & 0x1f) * 2;          # stored in 2-second units
  my $min = ($time & 0x7e0) >> 5;
  my $hr  = ($time & 0xf800) >> 11;
  my $day = ($date & 0x1f);
  my $mon = ($date & 0x1e0) >> 5;
  my $yr  = (($date & 0xfe00) >> 9) + 1980;
  return sprintf("%04d-%02d-%02d %02d:%02d:%02d", $yr, $mon, $day, $hr, $min, $sec);
# To return a Unix epoch value instead (timegm() takes a 0-based month):
# return timegm($sec, $min, $hr, $day, ($mon - 1), $yr);
}

UUID

UUID - Windows systems maintain volume GUIDs, particularly those associated with volumes beneath the MountedDevices and MountPoints2 keys, in UUIDv1 format. Part of this format specification includes a 60-bit time value, which indicates the number of 100-nanosecond intervals since 15 Oct 1582 (this date is described in the RFC as the date of Gregorian reform to the Christian calendar).

This time format has a granularity of 100 nanoseconds.

Note: This format also includes a "node" value, which for several of the volume GUIDs is a MAC address that was available on the Windows system at the time that the GUID was generated.

FILETIME

FILETIME - A 64-bit time value representing the number of 100-nanosecond intervals since midnight UTC, 1 Jan 1601, usually stored as two little-endian DWORDs (low then high). Used pervasively throughout Windows systems, and can be found in:

  • $STANDARD_INFORMATION and $FILE_NAME attributes within MFT records
  • Registry key LastWrite times (in the key header)
  • Registry value data

This time format has a granularity of 100 nanoseconds.

Perl code for translating a FILETIME object into a Unix epoch time (borrowed from Andreas Schuster):

#-------------------------------------------------------------
# getTime()
# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
# to gmtime() or localtime()
#-------------------------------------------------------------
sub getTime($$) {
  my $lo = shift;
  my $hi = shift;
  my $t;

  if ($lo == 0 && $hi == 0) {
    $t = 0;
  } else {
    $lo -= 0xd53e8000;
    $hi -= 0x019db1de;
    $t = int($hi*429.4967296 + $lo/1e7);
  };
  $t = 0 if ($t < 0);
  return $t;
}
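An added Python equivalent (not Andreas Schuster's code or RegRipper's) that keeps the full precision the Perl version throws away with int(), and does not clamp pre-1970 values to zero, since MFT and Registry timestamps can legitimately or maliciously sit before 1970. The function names and the sample value are constructed for illustration:

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME of 1970-01-01T00:00:00Z, 0x019DB1DED53E8000: the value the Perl
# getTime() above subtracts as two DWORDs (0x019db1de, 0xd53e8000).
FILETIME_UNIX_EPOCH = 116444736000000000


def filetime_from_dwords(low, high):
    """Join the dwLowDateTime / dwHighDateTime pair into one 64-bit count."""
    return (high << 32) | low


def filetime_from_bytes(buf, offset=0):
    """Read a FILETIME stored little-endian, as in $STANDARD_INFORMATION,
    $FILE_NAME and Registry key headers."""
    return struct.unpack_from("<Q", buf, offset)[0]


def filetime_to_datetime(ft):
    """Aware UTC datetime with microsecond precision (the last 100-ns digit is
    ft % 10 if you need it). Zero means 'not set' and returns None; values
    before 1970 are returned as-is rather than clamped."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_unix(ft):
    """Seconds since the Unix epoch as a float; negative before 1970."""
    return (ft - FILETIME_UNIX_EPOCH) / 10_000_000


# Constructed sample, not from a real MFT: 2012-01-01T00:00:00Z as stored on disk
SAMPLE_FILETIME_LE = (129698496000000000).to_bytes(8, "little")

if __name__ == "__main__":
    ft = filetime_from_bytes(SAMPLE_FILETIME_LE)
    print(ft, filetime_to_datetime(ft), filetime_to_unix(ft))
```

For timeline work, compare FILETIMEs as integers rather than as converted seconds: $STANDARD_INFORMATION times that have been "stomped" by a tool that writes whole seconds show up as values with all seven trailing digits zero, a detail that is lost once the value has been rounded to a Unix time.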

SYSTEMTIME

SYSTEMTIME - 128-bit (16-byte) format made up of eight 16-bit values: year, month, day of week, day, hour, minute, second, and milliseconds. According to MS, "The time is either in coordinated universal time (UTC) or local time, depending on the function that is being called." This time format is used in a number of artifacts on Windows systems, including (but not limited to) XP Scheduled Task/.job files, as well as value data beneath the Vista/Win7 NetworkList key (within the Software hive).

It is important to note that this value can be stored in the Registry in either UTC or localtime format. Beneath the NetworkList key, for example, the value is stored in localtime format.

This time format has a granularity of 1 millisecond.

Example Perl code to parse this date format appears as follows:

sub parseDate128 {
  my $date = $_[0];        # 16 bytes of SYSTEMTIME data
  my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
                "Aug","Sep","Oct","Nov","Dec");
  my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
  # eight little-endian 16-bit values, in the order Windows defines them
  my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
  $hr = "0".$hr if ($hr < 10);
  $min = "0".$min if ($min < 10);
  $sec = "0".$sec if ($sec < 10);
  my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
  return $str;
}
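An added Python example (not from the page or from RegRipper) that parses a SYSTEMTIME, checks the redundant day-of-week field against the date, and shows the local-to-UTC step the NetworkList caveat above requires. The function names, the sample bytes and the use of ActiveTimeBias from the TimeZoneInformation key as the offset source are assumptions made for the example:

```python
import struct
from datetime import datetime, timedelta, timezone

# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
SYSTEMTIME_LAYOUT = "<8H"


def parse_systemtime(buf, offset=0):
    """Decode 16 bytes of SYSTEMTIME into (naive datetime, day_of_week_consistent).

    The result is naive on purpose: the structure does not say whether it
    holds UTC or local time, that depends on where it was found.
    """
    year, month, dow, day, hour, minute, second, ms = struct.unpack_from(
        SYSTEMTIME_LAYOUT, buf, offset)
    stamp = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek (Sunday = 0) is derivable from the date. Windows fills it in
    # itself, so a value that disagrees with the date points at corruption,
    # a mis-parsed offset, or a hand-crafted timestamp.
    dow_ok = dow == (stamp.weekday() + 1) % 7
    return stamp, dow_ok


def systemtime_local_to_utc(local_stamp, active_time_bias_minutes):
    """Convert a local-time SYSTEMTIME (e.g. NetworkList data) to aware UTC.

    ActiveTimeBias is stored in minutes with UTC = local + bias, so Pacific
    Standard Time is +480.
    """
    return (local_stamp + timedelta(minutes=active_time_bias_minutes)).replace(
        tzinfo=timezone.utc)


# Constructed sample (not from a real hive): 2012-01-01 (a Sunday) 11:33:44.500
SAMPLE_SYSTEMTIME = bytes.fromhex("dc070100000001000b0021002c00f401")

if __name__ == "__main__":
    stamp, ok = parse_systemtime(SAMPLE_SYSTEMTIME)
    print(stamp, ok, systemtime_local_to_utc(stamp, 480))
```

The bias must come from the system being examined, not the analysis workstation, and if the system used daylight saving time the correct bias depends on the date of the timestamp, not the bias in effect when the hive was acquired.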

Strings

Strings - Date and time values may be stored in Registry value data in string format; i.e., "2011-06-07" or "1/2/2011". This is often found in Registry values written by specific applications.

To convert data stored in this format to a Unix epoch time, parse the strings and use the Time::Local module to convert the information.

File System Tunneling

MS KB172190 describes file system tunneling: for a short window after a file is deleted or renamed (15 seconds by default), a file created in the same directory with the same name inherits the original file's creation time (and short name). A file whose creation time predates the program that wrote it may therefore be a tunneling artifact rather than timestamp manipulation, which can have a significant impact on your analysis.

Links

MS KB299648: Description of NTFS date and time stamps

MS: File Times

MS KB188768: Working with the FILETIME structure

MS: SYSTEMTIME structure

MS: DosDateTimetoFileTime function

Software Sleuthing: DateTime formats and conversions

Old New Thing Blog: DateTime formats and conversions

Shellbags

MS KB 813711 describes what actions cause data to be added to the Shell Bags values.

The structure of shell items is very important to understand, as these structures are used in multiple locations on Windows systems, not just in the Shell BagMRU subkeys within the Registry. For example, the structures are used in the shell item ID list section in Windows shortcut LNK files, as well as within the LNK streams in .automaticDestinations-ms Jump List files on Windows 7. These structures are also used within the data of values beneath the OpenSavePidlMRU keys within the Windows 7 NTUSER.DAT hives (full path is "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU").

As such, being able to recognize and parse these structures is essential to being able to fully understand the data that you're looking at, and what it's telling you.

GUIDs

The Variable type (type == 0x00) data structures can contain a variety of information, in various formats. One of the data structures, in particular, can be seen (when viewed in hex) to contain "1SPS" in several places. This is a serialized property store: each section consists of a 4-byte size, the "1SPS" signature, a 16-byte GUID (the property set's format ID, stored with its first three fields little-endian) and then the property values, with a zero size marking the end of the list. If the data is broken up using "1SPS" as a separator (i.e., via Perl's split() function), the first 16 bytes of each section are therefore that GUID.

One GUID in particular appears as follows:

{B725F130-47EF-101A-A5F1-02608C9EEBAC} - Ref: Schema (Windows)

This GUID applies to both desktop and Metro-style (Win8) apps. It is the fmtid half of a PROPERTYKEY (the structure older shell headers call SHCOLUMNID): the GUID identifies the property set, and each value inside the section carries a 4-byte property ID that selects the property within that set. The contents of the subsection of data that begins with this GUID can be further parsed using a distinct set of rules.
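An added Python example (not from the page, from RegRipper or from any of the tools linked below) that walks the property store by its size field instead of splitting on "1SPS", so a property value that happens to contain those four bytes cannot produce a bogus section, and prints each format GUID the way the Windows documentation does. The function names are assumptions; the sample blob is constructed around the GUID quoted above with a dummy 8-byte payload:

```python
import struct
import uuid


def guid_to_text(raw16):
    """Format an on-disk GUID (first three fields little-endian) as {XXXXXXXX-...}."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw16)).upper()


def walk_property_stores(data):
    """Yield (format_id, serialized_property_values) for each storage.

    Each storage: UINT32 total size, 4-byte version "1SPS", 16-byte format
    GUID, then the serialized property values; a size of 0 ends the list.
    """
    pos = 0
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        if size == 0:                                   # terminator
            break
        if size < 24 or pos + size > len(data):
            raise ValueError(f"bad storage size {size} at offset {pos}")
        if data[pos + 4:pos + 8] != b"1SPS":
            raise ValueError(f"missing 1SPS marker at offset {pos + 4}")
        yield guid_to_text(data[pos + 8:pos + 24]), data[pos + 24:pos + size]
        pos += size


def property_store_guids(data):
    """Just the format GUIDs, in the order the storages appear."""
    return [fmt for fmt, _ in walk_property_stores(data)]


# Constructed sample: one storage with the {B725F130-...} format ID and
# 8 placeholder payload bytes, followed by the terminating zero size.
SAMPLE_PROPERTY_STORE = (
    struct.pack("<I", 4 + 4 + 16 + 8) + b"1SPS"
    + uuid.UUID("{B725F130-47EF-101A-A5F1-02608C9EEBAC}").bytes_le
    + b"\x00" * 8
    + struct.pack("<I", 0)
)

if __name__ == "__main__":
    for fmt, payload in walk_property_stores(SAMPLE_PROPERTY_STORE):
        print(fmt, payload.hex())
```

On well-formed data the size-driven walk and the split() approach yield the same GUIDs; the walk additionally tells you exactly where each section's property values end, which is what you need before applying the per-GUID parsing rules.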

References

MS: Canonical Names of Control Panel Items

MS: Known Folder GUIDs

MS: KnownFolderID

Links

Joachim Metz's Windows Shell Item format specification paper (PDF)

ShellBagMRU.py, part of Registry Decoder (written by Kevin Moore)

Willi Ballenthin's Windows Shellbag Forensics

Alerts

The purpose of adding alerts (or an alerting function, via alertMsg()) is to provide a facility for identifying items of interest (from previous analyses) within the vast wealth of data available within a Windows system, and in particular the Registry. This allows an analyst to identify "low-hanging fruit" that may be of value to an examination.

This page will serve as a facility for collaboration amongst the admins of this site, to add, revise, and hone the information alerted on within various plugins.

Plugins

Many plugins provide path information that can be searched via grep() for specific indicators of suspicious or malicious activity:

  • appcompatcache.pl
  • userassist.pl
  • service.pl - also, added Beth S.'s checks from svc_plus.pl to the services.pl plugin

Note: To avoid issues with case sensitivity, process the path through the lc() function first, and then grep for the lower-case string of interest.

Paths

Below are some paths to check for:

  • Recycle
  • GlobalRoot
  • System Volume Information
  • App + Data (gets "Application Data", and "AppData")
  • Temp
  • ADSs - split() the path, check the final element for a colon

Example Code:

my @vals = ("Recycle","GLOBALROOT","System Volume Information","Temp",
  "Application Data","AppData");

# lower-case both sides once, and quote the indicator with \Q..\E so that
# any regex metacharacters in it are matched literally
my $path = lc($_);
foreach my $v (@vals) {
  my $lcv = lc($v);
  ::alertMsg("ALERT: ".$v." found in path: ".$_) if ($path =~ /\Q$lcv\E/);
}

Example ADS Check:

my @vals = split(/\\/,$_);

my $int = scalar(@vals) - 1;

::alertMsg("ALERT: Possible ADS found: ".$_) if (grep(/:/,$vals[$int]));
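The same two checks in Python, run over a handful of constructed paths, as an added example that is not RegRipper plugin code. The fragment list is the one above; the function names and the sample paths are made up for illustration, and the ADS check adds the drive-letter guard the split()-based Perl relies on by only ever looking at the last element:

```python
import re

# Path fragments the plugins alert on; compared case-insensitively. Note that
# substring matching means "Temp" also hits "Template" and similar names.
SUSPICIOUS_FRAGMENTS = ("Recycle", "GLOBALROOT", "System Volume Information",
                        "Temp", "Application Data", "AppData")


def looks_like_ads(path):
    """True when the final path element carries a stream name (file:stream).

    Only the last element is examined, so the drive-letter colon ("C:") and
    device prefixes such as "\\?\" or "\Device\HarddiskVolume1" do not count.
    """
    last = path.rstrip("\\").split("\\")[-1]
    if re.fullmatch(r"[A-Za-z]:", last):      # a bare drive letter is not a stream
        return False
    return ":" in last


def path_alerts(path):
    """Return the alert strings a plugin would emit for one path value."""
    alerts = []
    lowered = path.lower()
    for frag in SUSPICIOUS_FRAGMENTS:
        if frag.lower() in lowered:
            alerts.append(f"ALERT: {frag} found in path: {path}")
    if looks_like_ads(path):
        alerts.append(f"ALERT: Possible ADS found: {path}")
    return alerts


def scan(paths):
    """Run the checks over an iterable of paths, e.g. every AppCompatCache entry."""
    result = {}
    for p in paths:
        hits = path_alerts(p)
        if hits:
            result[p] = hits
    return result


# Constructed sample paths, not taken from a real AppCompatCache
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\AppData\Local\Temp\update.exe",
    r"C:\$Recycle.Bin\S-1-5-21-1\$RXYZ.exe",
    r"C:\Windows\Temp\svc.dll:payload.exe",
    r"\\?\GLOBALROOT\Device\HarddiskVolume1\Windows\Temp\a.exe",
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_PATHS).items():
        print("\n".join(hits))
```

These are "low-hanging fruit" indicators, not verdicts: a legitimate installer running from Temp will alert too, so the value is in having the hits surfaced for review rather than in treating a hit as malicious on its own.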

Other Checks

  • appinitdlls.pl - generate an alert if the value is NOT blank
  • imagefile.pl - generate an alert if a Debugger value is found
  • attachmgr.pl - generate an alert based on MS KB 883260
  • winlogon.pl - generate several alerts; UserInit value with multiple entries, 'TaskMan', 'System', 'load' or 'run' values found, etc.

Checking for Encryption

  • MountedDevices key - check value data for "TrueCryptVolume"; access to a TrueCrypt volume often results in a volume GUID within the MountedDevices key that includes "TrueCryptVolumeN" in the data (with N being a volume letter)

Massive Government Surveillance - Not a new thing

I'm close to wrapping up my latest book, Hiding Behind the Keyboard. One of the more interesting things I found while researching the electronic surveillance chapter is a historical note of massive electronic surveillance...way back in the early 1890s.

Considering that government surveillance is one of the hottest topics today, no doubt brought into the spotlight by Edward Snowden, I found this one historical bit of surveillance in New York to be a reminder that electronic surveillance has been around much longer than what the average person may know.

Before getting into the New York Police massive surveillance story, you should know that wiretapping has been around as long as communicating electronically has existed. For example, as soon as the telegraph was used, telegraph communications were intercepted. During the Civil War, "wire tapper" was an actual job in the war to intercept telegraphs! But that's not what I mean in regards to mass government surveillance. The New York Police Department's history with wiretaps is what I found to be really interesting, even more interesting than the NSA surveillance disclosures.

In short, back in the late 1800s, New York made wiretapping a felony but the NYPD believed they were above this law. They tapped people at whim and without warrants, including tapping Catholic priests.

In fact, the NYPD quickly discovered that they could tap into any phone line of the New York Telephone Company, at any time, to listen to any person on the line. They even tapped into hotels to listen to any hotel guest.

Obviously, this free-wheeling phone tapping ended after the Supreme Court decided that the Fourth Amendment protected "intangibles" such as communications, when it was previously believed that only "tangibles" were protected against unreasonable search and seizure. However, the NYPD experience shows that when given unfettered access to monitoring and surveillance, government can go too far, with good or bad intentions.

The solution to prevent going too far is simple. Get a warrant. Smart government employees know that a warrant protects the people and the employee's career. Anyone who says warrants are difficult, impossible, or too burdensome simply has not written an affidavit for a warrant or just doesn't have the probable cause in the first place (or may be lazy....). Warrants are easy to write if you have probable cause. In fact, some warrants don't even need to be written for approval, as a recorded phone call to a judge can get you a telephonic warrant approved in less than half an hour or faster.

For those against any government surveillance, such as wiretaps or pen registers, as long as there is a warrant, there really isn't any problem. The Constitution and the state or federal laws that approve wiretaps require that the searches not be unreasonable or unnecessary (meaning, there must be cause). Technically, it is almost as easy as flipping a switch, but practically, it takes an investigation to develop probable cause that a crime exists in the first place. No crime = no probable cause = no warrant.

As a disclaimer to my personal experiences, I have initiated and supported dozens of wiretaps, pen registers, trap and traces, hidden cameras, GPS installations, body wires, and bugs during my time in criminal investigations. I've had probable cause every single time, so much so, that PC dripped out of my investigation binders. And with that, I'm not a fan of unfettered, massive government surveillance without cause...


Libraries and the Tor Browser

A few weeks ago, I was asked by a librarian for my opinion on library patrons using Tor in public libraries. My initial reaction, based upon having done more than a few cybercrime cases, is that Tor in public libraries is a bad idea. How can law enforcement track criminals who use library computers when the Tor browser is being used?  And libraries are government entities! Tax dollars would be spent helping criminals commit crimes on the Internet and remain anonymous. By all means, NO! Don’t do it!

From a law enforcement perspective (which I have not lost since my days in law enforcement), the Tor browser makes it practically impossible to identify the user in cybercrime investigations for 99% of cyber detectives, and this is a major problem for investigators. The remaining 1% of cyber analysts have access to supercomputers and virtually unlimited budgets that are beyond the scope and reach of the regular police detective. Since the Tor network is so effective in providing anonymity to Internet users and police are practically powerless against it, why support it since criminals are using it?

About a half second later, my opinion changed.

The public library protects freedoms more than most people will ever know (except for librarians…they know about freedom protections). Sure, police protect freedoms by protecting Constitutions (state and federal versions) but law enforcement has a dilemma. On one hand, they swear to protect freedoms and on the other, the freedoms restrict their ability to protect.  Using the First Amendment as an example;

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Taking the freedom of speech as an example, people have a right to express themselves and that not only includes speaking, but also reading, and communicating (assembly) with other people. Libraries provide access to information and support intellectual freedom.  And of course, people abuse freedoms and commit crimes, such as harassment where free speech goes too far and intrudes on someone else’s rights. Maybe it's easier to protect speech by getting rid of it? Nope. That doesn't work...

Many (all?) public libraries today in the United States provide Internet access with WiFi and public terminals. Complete freedom to browse the Internet and communicate with people around the world certainly meets freedom of speech criteria. You can't get much more supportive in providing access to information than that. As a government entity, the public library supports the First Amendment more than any other entity.

Here comes Tor.

Without getting into too much detail about “Tor” (The Onion Router: http://www.torproject.org), let’s just say that Tor can be looked at simply as an Internet browser that hides the Internet Protocol (IP) address of the computer user. That means that a computer user can be practically anonymous online when using the Tor browser.  The Internet history cannot be tracked, the physical location of the user cannot be tracked, and users can feel secure that they have privacy online without interference from government or other persons.

Internet privacy is important. Not only is government tracking of Internet users invasive, but so is corporate intrusions into personal privacy. Every person has different tastes, likes, interests, and beliefs. The founding principle of privacy is…privacy. Tor provides that privacy when it is used appropriately.

Running the Tor browser is simple enough since it is just an Internet browser (basically anyway). For a library to support Tor use, IT staff just need to download the browser to the public computers and put the icon on the desktop.  That’s all there is to it to give library patrons access to Internet privacy.

During a recent conversation with a librarian, I was told that the library (in the Seattle area) does not monitor, track, record, or even look at patron Internet history and usage. After explaining that the library certainly has the technology to do so, by default in their network system, and that every patron's Internet history can be viewed, tracked, recorded, logged, and be required to be produced to law enforcement by court order, the conversation changed quite a bit. Obviously, if a crime has been committed and a search warrant is obtained, providing any information to investigate and prosecute criminals is a good thing for society as a whole. The drawback is Internet history being logged or viewed for all patrons, in any manner, for general purpose or for later historical analysis. That negates privacy and goes against the intellectual freedoms for which the public library stands.

With Tor, patrons can generally be assured their Internet use is private (barring screen capture software, keyloggers, compromised systems, etc…). This is a good thing for patrons to have as a choice. Tor is not perfect and has drawbacks to the ‘normal’ Internet browsers, but for the most part, if privacy is a concern, the Tor browser relieves the concerns.

As an investigative point, if a criminal wants to remain anonymous and use Tor to commit crimes, the library probably isn’t the best place to do it. Although most libraries do not have video surveillance cameras, some do.  There are libraries (the East Baton Rouge Parish Library as one example) that hire police officers as security! For a criminal to use a library computer to commit a crime may make it easier to get caught.

Tor relays: it's Tor, but a slightly different topic. One of the reasons Tor is effective is that when using the Tor browser, the user's traffic is routed through volunteer-run computers ("Tor relays") around the world.

http://www.torproject.org 

Anyone can volunteer to be a Tor exit relay, where Internet traffic running through the Tor network will ‘exit’ from your system. By being a volunteer, you help world-wide Internet anonymity by providing a Tor exit relay. For the most part, nothing bad happens, but occasionally, the Internet traffic leaving your relay could be criminal in some aspect, such as child pornography. You won’t see it, nor have anything to do with it, but your IP address will be tied to it since your relay is the last relay to receive/send it.

Not that this makes you a criminal, or that you facilitated a crime any more than if you sold a Ford that was used in a bank robbery as a getaway car, but it can happen. Today, law enforcement is more aware that Tor exit relays are not the source of crime, and the person running the relay is not the criminal they are looking for.

https://www.propublica.org/article/library-support-anonymous-internet-browsing-effort-stops-after-dhs-email

So it was strange to find an article where law enforcement pressured a library to not volunteer as a Tor relay. Tor relays exist world-wide. There are literally thousands of relays, everywhere. Shutting down every relay is virtually impossible. So why push libraries to not volunteer when it is the public library standing for the freedoms in the first place?

As a business consideration, my opinion on public libraries operating Tor exit relays depends upon the cost required to set up and maintain them, since public libraries are funded by the public with taxes. Other than that, if the public supports it and libraries can do it, why not? A public library can do little more for intellectual freedom than not only providing use of the Tor browser, but also operating a Tor relay.

Restricting or eliminating use of the Tor network would be like shutting down Toyota dealerships because the Toyota Camry is used for bank robbery getaway cars.

For the investigators worried about rampant crime in the library because of Tor...you can still catch the cybercriminals. And for libraries worried that they will facilitate crime, don't worry about that either. By default, Tor users can't choose their exit relay; the Tor client builds the circuit. It won't be like cybercriminals will be able to pick a library Tor exit relay and commit crimes. I give an entire chapter on beating Tor in my next book, at least as much as Tor can be beaten.

Teaching Digital Forensics at the University of Washington

Several years ago, I taught in the UW Digital Forensics Continuing Education program before taking a break. Now I'm back at it. A new course with new material, including mobile device forensics. A change in the program is that the course is offered online as well (not on demand; the classroom will be broadcast in real time).

A continual theme in the program is case development.  From the smallest piece of evidence through gathering more evidence, broad analysis to specific targeting focus, to search warrants, and putting an entire case together; that is the goal of the course.

My primary purpose is teaching how to do an actual digital forensic case as I firmly believe that a certification without competence is not useful in the least bit.

A potpourri of software is used throughout the program to show that there are many ways to get to the answer using different tools.  In fact, the tool is not the focus as much as running a case is.  Using software tools gets the information you need to further your case development through case closure.

Consider registering for the course; it'll be lots of work, but lots of fun to work cases along the way.

http://www.pce.uw.edu/certificates/digital-forensics.html


A little update coming for Mini-WinFE

The developer of Mini-WinFE will be adding a script that will install EnCase Forensic Imager into Mini-WinFE. Misty is a little busy right now, but in a few weeks, it should be a reality. So, you'll have another imaging tool option in WinFE that is freely available to use.

You'll notice that WinFE hasn't had much of any updates for some time, and when the updates do happen, they are little tweaks if much else. That is because there isn't too much more that can be added to WinFE. It's quick and easy to build, easy to use, and fills a niche when and where needed.

If you haven't built a WinFE yet...why not? To date, there have been over 8,000 downloads of Mini-WinFE alone, not counting thousands of downloads of Winbuilder to build WinFEs, and thousands of builds using the command line.

Lastly, since WinFE is rarely updated, I've imported the free WordPress blog into mine for simplicity of keeping up with WinFE updates and posts. To keep up with WinFE updates, follow me on Twitter.

Tor is perfect! (except for the user....)

I have been spending so much time with the Tor browser over the past months that I have forgotten just how seamlessly it uses a complex network of global servers and encryption to provide a near perfect level of online anonymity. The Tor browser is so effective in providing near 100% anonymity that, if not for one little flaw, it would be perfect, and I found that flaw.

The flaw is the user. Yes, every physical device and software application has the same flaw, but with Tor, it is a flaw that can completely negate using Tor for anonymity with misuse. Something as simple as a user not updating the Tor browser when prompted in bold print is enough to break anonymity. The Tor browser can only do so much to warn users to update the browser...

On one hand, criminals using the Tor browser who are lazy, too busy, or not accepting the danger of using outdated Tor browsers run the risk of getting busted.  On the other hand, legitimate users, such as those living under oppressive governments, can be discovered and imprisoned (or worse!) for exercising speech online.  Both situations generally require the user to be the weak link.

FBI Uses Spyware to Catch Tor-Based Child Pornography Suspect - Softpedia News (via Google News, Thu, 01 Oct 2015): "If you were wondering, the Flash plugin comes turned off by default in all Tor Web browsers. For this particular reason, if you ever read a tutorial on how to pr..."

I have been known to have the superpower of being able to break steel balls while locked in a rubber room, so trying to break Tor seemed possible. With more than a few personal tests, I found Tor works well. Reading through dozens of white papers written by computer scientists (waaaayyyy smarter than me) only confirmed that Tor works...very well. It is just the user, either by using outdated Tor browser bundles or through other user-created accidents, who is easily led to their front door. In my current book, Hiding Behind the Keyboard, I have written a chapter solely dedicated to the Tor browser and included some methods where investigators can force a user error to identify criminals. In short, for investigators it is a game of chance when Tor is involved in an investigation.

Writing about Tor is a bit touchy. Generally, individual countries create and enforce laws for that country. Some countries allow near unfettered freedom of speech and others less so. Some countries go to extreme measures to identify and punish anyone speaking out against their government or government officials. Technically, the methods to uncover Tor users in both types of countries are the same. Some countries go so far as to shut down the entire Internet to prevent any use at all by its citizens. The touchy part is that the methods to go after criminals are the same methods used to go after legitimate users (whistleblowers, activists, etc...).

China tightens noose on Internet as anti-censorship tools suddenly shutter - Washington Times (via Google News, Wed, 26 Aug 2015): "Censorship circumvention tools designed to bypass Internet restrictions are again under attack in China as software meant to let users around th..."

Which brings me to the many news articles and NSA/Snowden leaks about Tor. Nearly all are based on exploiting the user and not Tor. Sure, high-tech spyware has been used to infect Tor browsers to uncover IP addresses and such, but the only reason this has been working is because the user has failed to use the most current version of Tor. And much like a house of cards will fall with one card pulled out, an entire criminal organization using Tor to commit crimes will fall when one thing (the user) is exploited through user errors or forced errors.

Tor is not perfect, and certainly not best for all Internet use, but it has its place when needed. As one example, whistleblowers have a legitimate need for anonymity to report violations. Another would be anyone using a public computer (library, hotel, etc...) who would not like the Internet provider to see everything they are doing online, not for criminal activity, but for simple personal privacy.

For forensic analysts, the biggest takeaway I can give is that if you are not looking for Tor use in your cases, you may be missing LOTS of evidence. Think back to the last time you even searched for Tor remnants in an analysis. How about the last time you even thought about looking for Tor in an examination? Or better yet, have you ever even considered it? Examiners who conduct an "Internet Analysis" of a computer system are not being complete without searching for remnants of the Tor browser. The mere existence of the Tor browser can affect your analysis conclusions.

In two investigative/forensic books I have been working on, Tor is a factor for analysts, but it is not the only factor. Tor is but one part of any person's overall communication strategy. Rarely is communication based on a single method; instead it includes many types of communication methods used in conjunction with each other. A cell phone text message can be a reply to an e-mail sent through Tor, which was a reply to a face-to-face contact. When uncovering covert communications, the goal is to find all the methods in order to put the entire communication thread together, without missing pieces. If you have not been looking at Tor, most likely you have missing pieces.


I had a blast presenting for ICAC at Microsoft

I gave two presentations today at the NW ICAC conference hosted by Microsoft in Redmond, Washington, on the same topic in two parts. I met some great folks in the field doing some really awesome work to protect children. Plus, I got to see some people that I have not seen in a long time. All the sponsors set up a great conference with Microsoft providing the venue. I was only there for the first day and I'm sure the next two days will be just as beneficial to attendees.

The first presentation (Part 1) was a broad overview of my first book, Placing the Suspect Behind the Keyboard. My primary goal was to give a ton of investigative tips in hopes that at least one will be able to save investigators hours (or weeks or months) of labor in their cases. I flew through the material like a firefighter putting out a house fire to make sure enough tips were given to fit as many investigators' needs in their specific cases. Definitely covered a lot of ground in a short amount of time. Reading my book covers a lot more, but this was fun.

The second presentation (Part 2) was a brief intro to one chapter in my upcoming third book, Hiding Behind the Keyboard. Probably the best tips came from how to identify Tor users along with how to explain Tor to the layperson, which is sometimes one of the hardest things to do in a courtroom setting. Both Part 1 and Part 2 presentations are independent of each other, but the information is complementary, just like both books are.

 If you are in law enforcement and would like a copy of both presentations, you can download them here for the next month or so before I update the presentations:

 

Placing the Suspect Behind the Keyboard-ICAC.  

Send me a message after you download the file and I'll e-mail you the password (the slidedeck will be available for short time).


Book Review: Windows Forensic Analysis Toolkit, 4th Edition

I've been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I'll get to my personal interest later in this review. Also, Harlan has a post on updated book contents here: http://regripper.wordpress.com/2014/04/14/regripper-download-2/

Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…

The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more. Every topic detailed in all the chapters is relevant to everyone that touches a Windows system to examine. The difference between Harlan's books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistakes (or will make mistakes, or have made mistakes but just don't know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.

The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software.   Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.

Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.

Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences. Those topics are my personal favorites.

Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know?

I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) get rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.

The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners who share information. That is why we see the same names popping up online and at conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information. (Nudge... nudge... feel free to share... no one will bite you.)

That is one of Harlan’s premises to keep going, and he reiterates it in the book, on his blog, and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share. To share is to take a risk of being wrong and embarrassed. Worse still is the fear of being wrong and getting attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.

Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.

The best personal example I can give to prove this point is with WinFE (http://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I was making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry-accepted tool. This happened only because those that used WinFE shared the knowledge of how to use it and when to use it. Imagine if we did that with every “new” effective method or tool.

The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.

My only negative words on WFA/4 are... maybe X-Ways Forensics could have been put in it... but that's what we have the XWF Guide for.

My suggestion on WFA/4... buy the book. You will not regret it. My other favorite books are here: http://winfe.wordpress.com/books/.
