I have been spending so much time with the Tor browser over the past months that I have forgotten just how seamlessly it uses a complex network of global servers, and encryption to provide a near perfect level of online anonymity. The Tor browser is extremely effective in providing near 100% anonymity that if not for one little flaw, it would be perfect, and I found that flaw.
The flaw is the user. Yes, every physical device and software application has the same flaw, but with Tor, it is a flaw that can completely negate using Tor for anonymity with misuse. Something as simple as a user not updating the Tor browser when prompted in bold print is enough to break anonymity. The Tor browser can only do so much to warn users to update the browser...
On one hand, criminals using the Tor browser who are lazy, too busy, or not accepting the danger of using outdated Tor browsers run the risk of getting busted. On the other hand, legitimate users, such as those living under oppressive governments, can be discovered and imprisoned (or worse!) for exercising speech online. Both situations generally require the user to be the weak link.
http://news.google.com Thu, 01 Oct 2015 02:46:49 GMT
Softpedia NewsFBI Uses Spyware to Catch Tor-Based Child Pornography If you were wondering, the Flash plugin comes turned off by default in all Tor Web browsers. For this particular reason, if you ever read a tutorial on how to pr ...
I have been known to have the superpower of being able to break steel balls while locked in a rubber room, so trying to break Tor seemed possible. With more than a few personal tests, I found Tor works well. Reading through dozens of white papers written by computer scientists (waaaayyyy smarter than me) only confirmed that Tor works...very well. It is just the user, either by using outdated Tor browser bundles or other user-created accidents that are easily led to their front door. In my current book, Hiding Behind the Keyboard, I have written a chapter solely dedicated to the Tor browser and included some methods where investigators can force a user error to identify criminals. In short, for investigators it is a game of chance when Tor is involved in an investigation.
Writing about Tor is a bit touchy. Generally, individual countries create and enforce laws for that country. Some countries allow near unfettered freedom of speech and others less so. Some countries go to extreme measures to identify and punish anyone speaking out against their government or government officials. Technically, the methods to uncover Tor users in both types of countries are the same. Some countries go so far as to shut down the entire Internet to prevent any use at all by its citizens. The touchy part is that the methods to go after criminals are the same methods used to go after legimiate users (whistleblowers, activists, etc...).
http://news.google.com Wed, 26 Aug 2015 20:29:28 GMT
Washington TimesChina tightens noose on Internet as anti-censorship tools suddenly shutter. Censorship circumvention tools designed to bypass Internet restrictions are again under attack in China as software meant to let users around th ...
Which brings me to the many news articles and NSA/Snowden leaks about Tor. Nearly all are based on exploiting the user and not Tor. Sure, high-tech spyware has been used to infect Tor browsers to uncover IP addresses and such, but the only reason this has been working is because the user has failed to use the most current version of Tor. And much like a house of cards will fall with one card pulled out, an entire criminal organization using Tor to commit crimes will fall when one thing (the user) is exploited through user errors or forced errors.
Tor is not perfect, and certainly not best for all Internet use, but it has its place when needed. As one example, whistleblowers have a legitimate need for anonymity to report violations. Another would be anyone using a public computer (library, hotel, etc...) and would like the Internet provider see everything they are doing online, not for criminal activity, but simple personal privacy.
For forensic analysts, the biggest takeaway I can give is that if you are not looking for Tor use in your cases, you may be missing LOTS of evidence. Think back to the last time you even searched for Tor remnants in an analysis. How about the last time you even thought about looking for Tor in an examination. Or better yet, have you ever even considered it? Examiners who conduct an "Internet Analysis" of a computer system is not being complete without including searching for remnants of the Tor browser. The mere existence of the Tor browser can affect your analysis conclusions.
In two investigative/forensic books I have been working, Tor is a factor for analysts, but it is not the only factor. Tor is but one part of any person's overall communication strategy. Rare is communication based on a single method, but instead included many types of communication methods used in conjunction with other. A cell phone text message can be a reply to an e-mail sent through Tor which was a reply to a face-to-face contact. When uncovering covert communications, the goal is to find all the methods in order to put the entire communication threat together, without missing pieces. If you have not been looking at Tor, most likely, you have missing pieces.
If you are in law enforcement and would like a copy of both presentations, you can download them here for the next month or so before I update the presentations:
Send me a message after you download the file and I'll e-mail you the password (the slidedeck will be available for short time).
I’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review. Also, Harlan has a post on updated book contents here: http://regripper.wordpress.com/2014/04/14/regripper-download-2/
Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…
The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more. Every topic detailed in all the chapters, is relevant to everyone that touches a Windows system to examine. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistake (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.
The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software. Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.
Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.
Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences. Those topics are my personal favorites.
Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know.
I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) gets rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.
The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners that share information. That is why we see the same names popping up online and conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information. (nudge..nudge...feel free to share...no one will bite you).
That is one of Harlan’s premises to keep going and he reiterates it in the book and his blog and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share. To share is to take a risk of being wrong and embarrassed. Worse still is the fear to be wrong and get attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.
Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.
The best personal example I can give to prove this point is with WinFE (http://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I was making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry accepted tool. This happened only because those that used WinFE, shared the knowledge of how to use and when to use it. Imagine if we did that with every “new” effective method or tool.
The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.
My only negative words on WFA/4 is…maybe X-Ways Forensics could have been put in it...but that's what we have the XWF Guide for..
My suggestion on WFA/4…buy the book. You will not regret it. My other favorite books are here http://winfe.wordpress.com/books/.
I will be publishing an X-Ways Forensics Online Training Course on June 30, 2014. The course is based off the X-Ways Practitioner's Guide, the X-Ways manual, and a decade of experience using X-Ways...it is not the official X-Ways training course, but it also does not come with the price tag of the official course. From Monday, the X-Ways course will be $195 but I will publish a discount code good for two weeks (through July 14) for 25% off.
I'll send out a reminder on June 30 through twitter and the XWF blog, so follow the blog or twitter account to catch the discount code.
The manner in which I made the X-Ways course is so that you can follow along with XWF in learning how to work a case with X-Ways Forensics. The course describes the options and buttons in XWF, but also shows how to simply work a case. There are literally so many features in X-Ways, that without training, you will be missing about 50% of what you should be doing. I found that even the most current version of the X-Ways manual does not list features in XWF...lots of information to keep up with, tons of features to consider, easy to miss something that you should not miss for such a powerful forensic tool.
If you want to be notified of the coupon code, be sure to follow the X-Ways blog at http://xwaysforensics.wordpress.com/ or the twitter account at https://twitter.com/XWaysGuide.
I also have just released an online course on the Windows Forensic Environment (WinFE). I have videos of most build methods, tips and tricks, pro's and con's, and aspects of WinFE that you may find important. I also included every bit of downloadable swag in the course too (batch files, wallpaper, scripts, etc...).
All in all, this is probably the best source of WinFE you will find. I encourage you to share it and use it, after all, this is a free tool and this course is free. If anyone has suggestions on making the course better, let me know and I can try to squeeze in some improvements.
[caption id="attachment_1231" align="aligncenter" width="700"] http://courses.dfironlinetraining.com/windows-forensic-environment
I was right. This is cool.
Using Autopsy on WinFE Lite worked as expected; however, I wanted to test it with a WinBuilder build of WinFE to address limitations found on WinFE Lite (notably, the inability to view videos or inside zip files).
In short, the WinBuilder build allowed viewing of videos and accessing zip files with Autopsy. There were a few other customizations that I made for appearance and ease of use that you may find helpful in presenting training on WinFE (if you do that) or in creating your own WinFE for onsite preview/triage.
Basically, with Autopsy, any first responder or parole supervisor can triage/preview an evidence machine, onsite, without cost of software or hardware. You just need a CD, DVD, or USB with WinFE and Autopsy. For the first responders who are not forensic examiners, a WinFE boot disc/USB can be made with Autopsy clearly presented on the desktop and start menu. I would suggest that other forensic tools be included in the event they may be needed by a forensic analyst. An example would be a first responder finding evidence on a machine during a triage/preview and the machine needs to be imaged. Either the first responder can image the machine or preferably, a trained person should be called to image the machine. Having the apps pre-installed eliminates the need to reboot the machine to another build of WinFE, or plugging in additional drives with programs, and so forth.
In order to get you in gear with the potential of a completely free WinFE and software (you need a license for Windows to build it…but otherwise, it’s all free), I’ve posted the steps below. Before you ask for help with WinBuilder, go to www.reboot.pro and read the help forums. There is as much documentation you need for directions on how to download and run WinBuilder along with as many scripts (added features) as you could ever need.
1) Download Autopsy and install to your workstation.
2) Download Winbuilder
3) Download the WinFE write protection script (place in the WinBuilder tweaks folder)
4) Build your WinFE
Download and install Autopsy to your workstation. http://sleuthkit.org/autopsy/
Download the WinFE write protect script. http://winfe.wordpress.com
Place the write protect script (WP.script) in the Tweaks folder of WinBuilder
Run WinBuilder. Read my previous write up on how to do this to save time in trying to figure it out. I’ve already spent more than a few hours which you don’t have to go through. Be prepared, you will have errors and builds that don’t work. But once you get it right and see how it works, you will have a tool which will provide invaluable use for years. Trust me on this; you will not regret spending the time. The only regret you will ever have is waiting to try it out.
Update November 14, 2014
Unfortunately there are so few updates nowadays to WinFE, that this blog is woefully neglected...on a positive note, since WinFE practically needs no updates, there is hardly a need to keep up on WinFE once you have mastered building it.
The best and most current source of all-things-WinFE is from a free online course at http://courses.dfironlinetraining.com/windows-forensic-environment so other than taking the course, this blog will not have additional information building WinFE.
The course includes downloads and links to downloads to build every publicly known version and build type of WinFE, from the basic WinFE, WinFE Lite, WTE WinFE, Mini-WinFE, and WinBuilder WinFE.
The WinFE wordpress blog will be used only for sporadic WinFE updates and related information since WinFE has practically reached the best it can be at current software standards (Windows 8). The only posts that may be original from here on out would be case examples, but that quickly grows old (I booted a machine to WinFE and imaged it...). A few instances are very neat, like imaging a Surface Pro, and for those interesting cases, I'll post them as I come across them or am sent information about them.
At its foundation, WinFE is a strong forensic OS platform, built on the latest Windows operating system, which can run most types of forensic software. That's about it. Simple, but amazingly effective at a forensic boot platform. Since it is so very simple, the updates to the WinFE blog become less and less. Therefore, the free webinar course covers everything you need to learn about WinFE along with every download needed, plus tips on building, using, and testifying to the use of WinFE.
After you view the course and build a few WinFEs, you'll see that WinFE is only a forensic boot OS. But you will also see that because it is a Windows boot OS, you can do so many things with it that you can not do with a Linux forensic OS or with a hardware writeblocker. That is the beauty of WinFE. Simple. Ingenious. Hard to improve upon (at this point...).
You have my permission to use the WinFE course and its materials in a manner that benefits WinFE at no cost. That means you can use information from the course to teach WinFE at conferences or any training session. WinFE is free (technically, you need a Windows OS license...but otherwise its free), and I've made the course free as well. When teaching or writing about WinFE related to the source and you choose to attribute to the source, that's nice of you, but not necessary if you don't want.
Take a run at the WinFE course. Watch all the videos or only the videos of interest. They are broken down by build types and how-to videos. The most important benefit you can get out of the course (other than learning how to build/use WInFE) is getting some formalized training in front of you about WinFE. It's one thing to spend hours (days?) figuring out something but quite another when you can get the meat-and-potatoes of what you need to know in the shortest period of time. I'd reckon that even if you attend a presentation on WinFE, you will get so much more out of the online course that you won't regret the time spent.
I've also said a few times, that once you build and use a WinFE, you will regret not having done so years earlier. Don't forget, WinFE has been around since 2008...it works even better now than back then.
Hashbrown program 64 bit version only http://1drv.ms/1tLsNnG updated October 10 2014
Cool WInFE work done by Jeffrey A. Cunningham, Sr Digital Forensic Examiner, US Army (ChiefCham), on imaging a Surface Pro using a bootable UEFI WinFE. It is certainly neat to see this type of testing and research done on ANY forensic tool where the results can be shared with everyone.
Image a Surface Pro using bootable UEFI WINFE
Every now and then, I get email from readers who have difficulties, and some areas come up more often. I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests. Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.
A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8. Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disk grows. If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old. There’s a sample screenshot in the above post. Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:
X-Ways Forensics users will receive the answer to the clue without having to guess. The GPT partitioning style with the four partitions, including the MS reserved partition, mean that you have a UEFI system. The FAT32 partition likely holds your EFI boot data:
The first reminder is that we usually must edit the registry and at least one user’s password to boot into Windows 8. Since the beginning of my blog, I described how to build your VM by selecting the option for a SCSI disk in VMware.
That option required an edit to the registry to enable the LSI SCSI service to start on boot:
After mounting our VM, we loaded the target’s System hive into our own registry. We navigated to the proper control set’s Services key and then to the LSI_SCSI subkey. There, we edited the Start value’s data to 0x00, as above.
Well, what happens if you find a System hive that looks like this:
As you can see, there is no LSI_SCSI key. If you find this to be the case, you have a couple of choices. You can start over and select the LSI Logic SAS option as in the Virtual Machine Wizard screenshot above that displays the controller types. Then, edit the registry by setting the first LSI_SAS controller’s Start value data to 0x00. A quicker alternative is to edit the mounted registry hive and your VMX file by replacing the highlighted line the next screenshot with the one that follows. Of course, if you examine the target registry in your forensic tools you can determine the configuration before you even consider building a VM.
Replace the above parameter with this one:
Please don’t forget to insert the firmware = “efi” parameter that I described in earlier posts! If you edit the VMX and your VM hangs, reboot into the Boot Manager, which you usually can access by pressing F2 a few times during the boot process. There, just select the virtual VMware Virtual SCSI disk and hit Enter.
Back here, I described the Windows 8 feature that allows users to log on to their systems with MS Account credentials. This feature allows both local and online logon. The required password strength makes a hash attack a little more difficult. However, the most important thing to remember is that, to gain access to the system, a password is required. You cannot “blank” the password using tools like the Linux-based boot CD or NTPwedit. You must change the password. Although some tools ostensibly allow you to change the password, I’ve found that they fail in that regard. I still know of only one tool (commercial, but cheap) that works: Reset Windows Password (RWP), which is available at http://www.passcape.com/reset_windows_password and produced by Passcape Software. I described its use and a UEFI workaround process here.
The workaround arose from the need to edit the password on a UEFI/GPT MS Account system with a tool on a bootable ISO/CD. In hindsight, I should have suggested a quicker approach, which I will describe here. As seen in one of the above screenshots, we edited our VMX file to enable the EFI firmware. Passcape’s RWP is not yet available for use on a bootable UEFI, USB device. So, if you use RWP or any tool on a bootable ISO, you need to re-edit your VMX as follows:
Once you re-edit the VMX file, you can boot to a non-EFI medium. Just remember to change it back to EFI thereafter, or you system will not boot to Windows (“operating system not found” message). I’ll add that RWP also allows you to invoke regedit and several other utilities directly from within the application.
This is another topic that folks bring up occasionally. If we mount a shadow volume directly from an image or from an image that we boot in VMware, we’ll find that the shadow volume, itself, contains a System Volume Information (SVI) folder that contains shadow volumes. Let’s say that we mount a shadow volume that was created on October 1, 2014, and was the earliest shadow volume in our target system. When we look in the SVI folder of that mounted shadow volume, we may find a shadow volume that was created on September 1, 2014. Now, it seems logical to assume that we can mount the latter shadow volume and go back in time even further, perhaps to the date when the system first was used. We can’t. I’ve tried a few approaches, including running vssadmin against the mapped shadow volume and attempting to boot the mapped shadow volume. Neither method worked. I wasn’t able to boot a shadow volume, even by reconstructing a physical disk with that volume. I also ran this theory by one of the world’s leading Windows forensics experts, Troy Larson, who, not surprisingly, thought about this concept long before I did. In short, Troy suspected that the shadow volume files and other data within a mounted shadow volume were incomplete and could not be reliably processed by the system. Remember that shadow volumes really are “difference” files that depend on one another, and inconsistencies in any of them can affect their functionality.
NOTE: I’d like to direct readers to the comment posted by Joachim Metz. He’s done a great job of documenting shadow volumes and provided a link to a paper that he published. His comment and paper may provide the precise answer.
For those who want to play around with UEFI, VMware has preview edition available that affords some undocumented (buggy) enhancements, so be careful if you give it a shot. That’s all for now.
The recent release of USB malware, in which any USB device is suspect of being infected after plugging into an unknown-if-clean machine, makes a problem for bootable USB devices in forensic collection. Some of the very scary claims to the USB malware are (http://news.discovery.com/tech/gear-and-gadgets/warning-usb-malware-code-unleashed-141006.htm):
That is bad stuff for a forensic bootable USB device. I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable. Problem solved.
Building a WinFE is still very very very very easy. Using the Mini-WinFE build, I just timed creating a WinFE DVD is less than 6 minutes. That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process. If you haven't yet built a WinFE, the process is almost completely automated. Just point Winbuilder to your Windows 7/8 source and press go. Less than 5 minutes later, you have a forensically sound, bootable ISO/CD/DVD/or USB.
Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device. But...if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices. And for those pesky drives that won't come out, WinFE may be a good solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machines.
New version of X-Tension
-adds the functionality to create a picture/video library.
-adds the ability to extract pictures or movies that are type status of 'not confirmed'
(this was added as there are so many variations of avi formats, that even some valid working movies were not 'confirmed')
If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files
This is the same as version 3.5.12.k except adds the function to create a CETS manifest XML needed for those using CETS.
Arnold will post information for CETS users regarding changes needed to properly use the X-Tension.
C4All X-Tension CETS compatible version 3.5.13.a
For use with CETS:
1. This will provide a generic "CETS Media Manifest.xml" file
2. This generic file will not include the digital signature InvestigationID, ManifestID, or CategorizationID. However, the CategorizationID can be added manually.
3. With the CETS Media Uploader you can "re-sign" the manifest file if you use "adminmode" of the CETS Media Uploader.
To enter into Admin Mode:
1. Right Click on "CETSMediaUploader.exe"
2. Select: Sent To, Desktop (create shortcut)
3. Locate the shortcut on your desktop
4. Right Click on the shortcut and select : Properties
5. In the Target Field append to the end of the line(after the closing "): -adminmode
6. Double click the edited Short Cut
When you launch the CETS Media Uploader in Admin Mode you will a new button to "Sign Manifest" file.
Clicking on the button will bring up a dialogue window to manually select a user and the related investigation.
Keep in mind, that you must manually cut and paste your Categorization settings into the XML file.
Canadian Police Centre for
Missing and Exploited Children.
Neat to see WinFE being taught everywhere, as in, everywhere by many. Wish I could have been there for this presentation (mostly because I'd have to be in Australia to see it...).