The 2 Worst Games to Play in #infosec

The “Hot Potato” Game

The goal of the Hot Potato Game is to simply pass off responsibility to the next person as soon as you can before something bad happens.  When the responsibility lands in your lap again, you pass it to someone else as soon as you can.  Eventually, someone gets caught holding the hot potato and they lose (and you win!!).  A similar version of this game is the “Musical Chairs” game or the “Kicking the Can Down the Road” game.  By the way, it sucks to lose this game.

I have seen this game played in both the government and the private sector.  Any long-time government employee can point to dozens of managers who are experts at this game.   I believe there are so many experts because it is rare for a government employee to actually suffer when losing this game, which only encourages more people to play and gain experience in tossing the hot potato to the next guy at the table.

In the private sector, losing this game is an entirely different matter, especially when PII or PHI has been stolen.  When that happens, fingers get pointed awfully quick and the government comes in with a hammer to smash as many thumbs as they can find.  Did I mention that losing this game sucks?

The “Are We There Yet” Game

The "Are We There Yet" game is another popular game played in both the public and private sector.  This particular game is also known as the “We’ll Cross that Bridge When We Come to It” game.   In this game, you know bad things are coming one day, and you accept that being worry-free today is worth the stress of dealing with an incident tomorrow, because we all know that tomorrow never comes.

I have actually seen budgets with anticipated expenses planned for incidents that could be avoided with preparation and less money.  I guess some organizations believe that if they don’t spend money now on preparation (defense), they may not need it for remediation after a breach, so it may make a better business decision.  This game is also known as “Craps”.

When I consult for corporations and government entities, I always advise to not play these games (in a professional manner rather than saying 'don't play these games').  Fortunately, I find that many organizations are spending money now to prepare rather than hope for the best.  The organizations that want to prepare are doing really good, taking advice, and in some cases, going beyond what is required.  In technical terms, I call this a great job.

I have gotten to the point that when I hear a client choose to play either of these games, I don’t laugh out loud anymore, especially when I hear verbatim, “We’ll cross that bridge when we come to it”.   When I hear that, I usually leave a half dozen business cards…

Hopefully you aren’t forced to play in these games and that when you say that you need money and time to prepare for unexpected breaches, you get it.  This same thing applies to internal employee matters too.  Any organization that haphazardly gives out electronic devices without any controls to employees….is an organization playing the hot potato game.  I tend to believe that with so many attacks, so many breaches, and so many organizations frozen with Ransomware, organizations start to take notice.  It's kind of like everyone in your neighborhood getting burglarized.  You can choose to either hope your house is not burglarized or you can install an alarm, lock your doors and windows, and prepare just in case.


The 2 Fastest and Least Expensive Ways to Learn X-Ways Forensics

***4/18/2017***

***UPDATE ON THE PROMO***

This is all you need to know: The X-Ways Forensics Practitioner's Guide online course is still available at only $119 instead of the regular tuition of $599 until April 19.

If you missed the promo for 80% with a FREE copy of the X-Ways Forensics Practitioner's Guide book, you still have time to get 80% off the online course without a free copy of the book.  This is still a great deal off the 12-hour, $599 course at only $119.  There will never be a discount this steep again for this course, so get it while you can, because the time to register is running out.

 

   


 

-------------------------------------------------

My advice to X-Ways Forensics users is to stop thinking you can figure it out by yourself, even if you have been using X-Ways Forensics for any length of time.  There are simply far too many nuances and hidden features that you are missing every time you try to figure it out or use on cases.  If you really want to get down and dirty to learn X-Ways Forensics fast and cheap, here is the ONLY way to do it.

  1. Buy the book (list price is $59.95)
  2. Take the online class (regular price is $599.00)

But, wouldn't you rather want to learn how to use X-Ways Forensics saving even more money?  If so, you want to sign up right now because right now is the biggest discount for the course while getting the most swag! Get up to 80% off the price PLUS a FREE copy of the book and if you act fast enough, be invited to even more FREE training.  Free book offer has expired.

If you register within the next 7 days (April 19), you can get the X-Ways Forensics Practitioner’s Guide online course at 50% off for only $299.  80% off for only $119.

**UPDATE  4/16/2017**

The promo is almost over for the free book...  

 

If you do not receive your 80% promo link via Twitter DM, email me and I'll email it to you.

How about even more!  The first 20 registrations will be invited to a live, 2-hr online X-Ways Forensics course with me to demonstrate using X-Ways Forensics as a triage tool and for electronic discovery (this includes using the latest build of the Windows Forensic Environment – WinFE).  These first 25 registrations still receive over 12 hours of the online X-Ways Forensics Practitioner's course and a FREE COPY of the book!   The first 20 just filled up the live course, but the promo for up to 80% plus a FREE book is still good.

The course has never been discounted this deep, so this is the best time to take advantage of learning how you can exploit X-Ways Forensics to its fullest potential, learning from your computer, on your own time, at the lowest price.  

Since 2014, more than 2,000 students have registered and taken my online courses with 24/7 access.  

“It has helped shed lights on things I have missed in the past.”  -student

“I got to say I’m enjoying the videos.” – student

Don't miss the boat!  80% off 12 hours of X-Ways Forensics Practitioner's Guide training plus a FREE COPY of the X-Ways Forensics Practitioner's Guide.  ONLY $119 for the regular $599 tuition with a free copy of the book!

http://bit.ly/xwfpromo80 expired

 

*For outside the USA, only a Kindle version is available as part of this promotion.  Registrations within the USA can choose between print or Kindle.


FREEZE! Busted by the Fridge. The ways that tech influences writing fiction, making movies, and busting criminals.

One interesting investigation I had was that of a murder-for-hire in one city in which the suspect used a Google search to find the victim’s home address in another city.  Simple enough crime to plan.  Google the name, find the address, do the hit.  Except in this particular case, although the suspect Googled the correct name, there were two people with the same name in the same city and he picked the wrong one.  I called this case my “Sarah Connor” case.

Fortunately, we intercepted the hit before it happened and prevented a random murder on the wrong person (as well as preventing the murder of the ‘right’ person).  In a basic sense, the suspect used the technology of one of the most advanced computer systems in the world (Google….) to attempt a murder only to choose the wrong name in a Google search hit.  This type of criminal incompetence and carelessness is commonplace.  It is also the way that most get caught. 

On the other end of the spectrum, we have Hollywood’s version of high tech crime fighting.  Minority Report with Tom Cruise showed us that not only can crimes be solved with technology, but that crimes can also be prevented with technology.  As for the technology used in the movie, it could have only been more accurate had a predictive analysis computer system been used in place of the fortune-telling humans (“Precogs”) in a big bathtub.

In a turn-key surveillance system, no person is anonymous.  Whether it is a private business or government agency, no one is immune from potentially being watched, tracked, or reported.  Private businesses use facial recognition for both improving customer service by detecting your mood through facial expressions as well as preventing crime.

“…faces of individuals caught on camera are converted into a biometric template and cross-referenced with a database for a possible match with past shoplifters or known criminals.” https://www.theguardian.com/cities/2016/mar/03/revealed-facial-recognition-software-infiltrating-cities-saks-toronto  

Criminals who try to avoid using technology are severely limited on the type of crimes they can commit.  That’s a good thing.  A drug dealer without a cell phone is like a taxi cab driver without a taxi.  It is part of the business and can be tracked, traced, monitored, intercepted, and forensically examined.  Technology is a natural and required part of any criminal’s operations.  Criminals not using technology are ineffective as criminals, for the most part.

Criminals who try to avoid surveillance technology in public, such as license plate readers and facial recognition are also extremely limited in the crimes they can commit since they would have to remain in their homes to commit crimes outside of public surveillance methods.  Even then, committing a crime in a home is not without the risk of being monitored, either by a government agency, a private corporation, or an electronic device plugged into an outlet.  If you own a Vizio television, consider yourself tracked, hacked, and sold to the highest bidder. http://www.theverge.com/2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings

From Amazon’s Echo to an Internet-connected fridge, data is collected as it happens, and stored either locally on the device or on a remote server (or both).  Depending on how ‘smart’ a home is, every drop of water usage can be tracked, every door opening logged, and every person entering and leaving the home gets recorded.  This does not even include cell phone use that is tracked within the home by providers.  And the computer use!  The things we do on the computer leave traces not only on the hard drive, but also on the servers we touch with every www typed.  Criminals in their home are no more protected from being discovered than on the street.  This is a good thing.

As to the significance of some of these high tech smart home devices, consider that water usage can give inferences as to what was done in a home, such as cleaning up a crime scene…

 

https://arstechnica.com/tech-policy/2016/12/police-ask-alexa-did-you-witness-a-murder/ 

During all the years of being a detective, I did trash runs.  Lots and lots of trash runs.  I hated the trash runs until I found good evidence.  Garbage smells really bad, especially during the summer.  Digging through garbage bags in a dumpster in the middle of a hot day can make the toughest person gag or puke.  But you can get some really good information on the criminals you seek. Did I mention it can smell really bad?

That is one of the reasons I really enjoyed moving into digital forensics.  Digging through the garbage of data on a hard drive is a lot easier on the nose than digging through a dumpster.  Plus, the information you get is sometimes a lot better than what you can find in a garbage can.  There are exceptions…you won’t find the murder weapon in a folder on the C:/ drive of a hard drive unless the murder weapon was a computer program. 

You would think that with the amount of technology available and already in place that police would be able to uncover more crimes, find more criminals, and be more effective.  When a smart home can email the home owner a photo of someone ringing the doorbell, newer cars come with pre-installed GPS tracking systems, and a fridge can record a live stream of residents in the kitchen, the ease of finding evidence should be easier…right?

Not quite.

That brings us to the biggest hurdle to crime fighting: incompetency and laziness.  Government agencies are not immune to the same human fallacies found elsewhere. There are hard workers in government just as there are hard workers in the private sector.  Same holds true for laziness and incompetence, which criminals take advantage of.

In any case where electronic devices are not being seized for examination, evidence is intentionally being left behind.  I am not referring to the electronic devices that are difficult to find, like a camouflaged USB device hidden within a teddy bear. I’m talking about the cell phone sitting on the car seat of the suspect arrested for burglary.  Yes. I’ve seen it happen.  Part of the reason is that unless lead is flying, most criminal cases and dispatched calls are boring to the responding officer.  As an example, with a residential burglary, the suspect is usually gone and the victim is lucky if the officer even tries to recover prints from the scene.  Stolen car?  Oh well. Fill out the report and call your insurance company.

I have been out of police work for about 10 years and I had hoped this lack of urgency in police work had changed.  But apparently not.  I recently helped someone with their stolen purse from a gym.  I got the call first instead of 911, but that’s another story.  Anyway, I showed up to give some guidance and eventually the district officers arrived.  Even after being told that video cameras faced the parking lot, and that the suspect/s went inside another victim’s car, the officers said, “The cameras probably didn’t get it”. The manager of the gym even offered up the video and said the cameras face the victim’s car... but the officers left without even asking to see the video.  After telling the officers that the suspect/s just used the stolen credit cards in a store less than 5 miles away and that the store surely must have cameras, one of the officers said, “We can’t get much from a store’s security cameras.  You just need to call your bank to cancel your cards.” End result: File a report.  Call the banks. Get a replacement driver’s license.  Yes.  This still happens.  And criminals thrive on it.

The irony with a lack of seizing electronic evidence is that for most of the forensic examiners in law enforcement, they love to dig and dig and dig and dig through data to find the smoking gun.  It is the lifeblood of what they do.  If only the devices were seized and given to them.  Case in point:  I was called to examine a laptop of a missing teenager, six months after she was reported missing.   The detective simply did not put any reliance on a laptop, which the teenager was religiously using for social media, as a source of important evidence.  The teen’s body was later found buried less than 5 miles from the police department where this detective drank coffee at his desk, with the laptop sitting downstairs in evidence for months.  I would have loved to examine that laptop ON THE SAME DAY the teen was reported missing.  It was virtually useless by the time I got it.

Seeing that tech should make it easier for police work, it should make it easier for writers of fiction.  It doesn’t.  I read (and write) a lot.  Technology can ruin good fiction.  No longer can a fictional criminal live his or her life under the radar.   Even the good guys can’t avoid ‘the radar’.   The Jack Reacher series should have been set in the 80s, because there is no way that Jack Reacher can roam the country without ever ringing some bells in surveillance tracking technology and live only with the technology of a single ATM card.  I was lucky that my undercover work was before the Internet really took off.  Backstopping an ID today requires way more than it did when I was undercover.

Writing fiction set in today requires knowing technology, because any scene that should have technology but doesn’t simply makes that scene unbelievable.  Same with Hollywood. Seriously.  It gets harder and harder to watch a movie that intends to be realistic without realistically using technology.   Show me a movie where no one is texting anywhere in a scene and I’ll show you a movie where technology is selectively ignored for the sake of simplicity at the cost of plausibility.

I can hear it now.  Police work is hard.  It’s not easy to get search warrants.  Not every department has a forensic unit.  We are too busy to solve crimes.  We are short-staffed. We don’t get enough training.  Blah blah blah.  I’ve heard it before and proved it can be done time and time again.  I have always believed that 10% of law enforcement do 90% of the work while 90% of law enforcement try to pawn off the remaining 10% of the work (while fighting over taking credit for it).  If just another 10% of law enforcement suddenly got a sense of urgency to require high tech investigations be a part of every crime scene, we’d reduce crime stats in half and solve twice as many crimes.

Now if only I can find a book or movie that doesn’t pretend technology doesn’t exist..

 


Want to know how to break into DF/IR?

I see the digital forensics training market reaching a saturation point in some aspects.  Most, if not all, forensic software companies provide training, govt agencies provide internal training, individuals provide training, every college looking for a new revenue stream is adding forensic programs for training, and a new forensics book comes out every few weeks or so.  Add that to those who can teach themselves and you have a DF/IR training market that is fat.  By the way, if you can teach yourself forensics by gobbling up every crumb you can find, you will have a long career in this field. 

There have been a lot of blog posts, articles, forums, and opinions posted online about how to break into the field of DF/IR.  Here are a few decent links, and of course, a Google search will find dozens more. You will see by the dates that it has been years of the same question being asked...

https://digital-forensics.sans.org/blog/2010/08/20/getting-started-digital-forensics-what-takes/ 
http://www.techrepublic.com/blog/it-security/breaking-into-the-digital-forensics-field-melia-kelleys-path/
https://www.reddit.com/r/computerforensics/comments/1o2s5x/looking_to_get_into_computer_forensics/
http://www.techexams.net/forums/jobs-degrees/99839-looking-enter-into-digital-forensics-field-need-advice.html
http://smarterforensics.com/2016/08/so-you-want-to-break-into-the-field-of-digital-forensics/
https://www.thebalance.com/how-to-become-a-digital-forensic-examiner-974633
https://articles.forensicfocus.com/2011/10/07/advice-for-digital-forensics-job-seekers/

The common theme is asking, "How do I get into digital forensics?" when the better questions to ask are, "Which college program will work best for me?", "Which disciplines in DF/IR should I focus on?", "Which programming languages are relevant?", "Which software should I learn?", "What are hiring managers looking for?".  

You won’t usually find this topic constantly being brought up in other career fields. For example, if someone wants to become a doctor, there isn’t much to the answer other than, “go to a medical school.”  If someone wants to become a lawyer, the answer is typically, “go to a law school.”

To become a digital forensics analyst, there isn’t an answer like “go to a digital forensics school” because there are more than a few ways to get into the field depending upon your individual and unique situation.  On top of that, simply getting a degree in digital forensics doesn’t automatically make you qualified.  Many forensic analysts fell into the job while working another job, like a police detective who suddenly has to do computer-related crime cases, takes lots of training, and works major cases.  The rest have to fight to get into the job or to at least get through the door.

My brief opinion on getting into the field is that a new person needs one or more (sometimes all) of these:

  • Certs and/or degrees
    • Helps check the boxes on the job application
    • Shows that you sat in a chair and passed tests
    • Shows that you paid lots of money (or may have lots of student loans)
    • Shows that you can complete a system of training/learning
    • Implies you should know what the paper says you should know
  • Experience in a close-enough-related-job
    • Shows that you have been doing the job, or close-enough-related-job
    • Implies that you have competence, since you were being paid
  • Competence
    • Hardest way to get in without something else (experience and/or education)
    • Difficult to get past the application if blindly applying to jobs if you can’t check the required boxes
    • Have to prove yourself beforehand (write a software program, discover something useful for the field, etc...)
    • Nothing is implied, because you need proof of competence.

Each of these requires time.  If you want to get into a good digital forensics job within a year, and the only thing you have ever done is read a blog about forensics, then consider that it might not happen as quick as you would like.  If you don’t want to spend any money (on tuition, tools, books, training courses), then you must be able to learn open source forensics…and teach yourself.  Lastly, you need capability.  Not everyone can or wants to spend the time and money to become competent.  You have to put in your dues to get the potential rewards.  If you don't work on being able to do the job, simply wanting to do it is not going to be enough.  A lot of people want to be a cyber hero, but not a lot of people want to sacrifice for what it takes to get there.

A brief note about the exceptions and exceptional people: I have met some exceptions to the rules of getting through the DF/IR door. I am referring to those who are mostly self-taught and have no education to speak of (insofar as a technical education).  If you are one of those, then you go through the back door.  You just need to find someone to show you where the back door is.  If you are an exception, that means that you can be given a desk and computer and from Day One, you can do magic.  If you are not an exception, you will be knocking on the front door.

So, to be able to at least submit an application, get qualified enough to check the boxes.  One of the things I have never understood is that some (many?) jobs require a bachelor’s degree in virtually anything in order to apply for a job that clearly does not require a college education.  If that is the kind of job you want, which is a considerable number of federal jobs, get the degree or you will not even be able to check the one box that is required to apply, no matter your experience (for exceptions, refer to the previous note). 

On picking a training path, be choosy because it’s not only money you are spending. It is also your time.  I started a college program once, only to quit because I could have taught it since the ‘professor’ never ever never even imaged a hard drive, nor did a forensic exam ever.  It was clearly a new revenue stream for the college.  I’ve taken a few private courses that had the effect of me trying to forget what I learned because so much of it was incorrect or out-of-date.  I’ve been "taught" how to testify in court by someone who never testified in court…or tried a case…or ever practiced law.  Conversely, I have taken some outstanding training, college courses, and attended superb conferences that made all the difference in the world.  The trick is sorting through which is which.  Those are the questions to ask.

Disclaimer: I am but a lowly forensic guy, not the end-all-be-all or know-it-all (I learn something every day).  These are just my opinions.  I have hired and fired employees, passed and failed students, taught and been taught forensics.  But like everyone, experiences, perceptions, education, and opinions vary.


Reminder for the last discount for the X-Ways Forensics Practitioner’s Guide Online and On demand course.

If you were thinking of doing it, this is the best time since the $599 online course will only be at a discount of 60% for less than two weeks (until Dec 31, 2016) for only $235.  PLUS, registering before December 31, 2016 gets you a print copy of the book, the X-Ways Forensics Practitioner’s Guide shipped to you. Unfortunately, the book is only included for US/Canada registrants since shipping a book outside the USA or Canada costs more than the book.  Shipping to some countries costs more than the entire X-Ways online course costs.  I’m happy to ship a copy, but the shipping fees must be added.  Best bet is to order a book online that delivers locally without extreme duty fees.

Register with the 60% discount using this URL: 

Just a few notes on the online XWF course based on emails I have received:

Time limit:  You have a year to view the course as often as you want.

Software: Not included.  You don’t need it for the course, but I think you’ll want to have a license.  If you want to know how XWF compares to other tools, you can get 12 hours of instruction showing how it works and much of what it can do.  Once you start using XWF, you’ll begin to see that it can do a lot more than what the manual or any course can teach. 

About forensics: The online course doesn’t teach forensics, except to demonstrate features of XWF.  Don't expect to learn 'what is the registry' in this course.  It's all about X-Ways Forensics, to get you up and running right away.

Competence: If you go through this course (and you have a foundation of digital forensics knowledge), you’ll have enough knowledge to use XWF on a real case.

Students: If your school uses XWF, you’ll be much better off learning XWF online away from class to get the full benefit of using XWF.   School programs can only teach so much with software in courses where they must teach everything.

The book:  Through Dec 31, 2016 the X-Ways Forensics Practitioner’s Guide book (print copy) is included with your tuition (USA/Canada shipping only).   There is no other book on X-Ways Forensics available.  The next edition may not be for another year or two.  Get your copy as part of the course.  The cost savings of a book + 12 hours of X-Ways Forensics training at $235 is the best deal you can find anywhere.

Course updates: The course may be updated throughout the year when XWF has enough smaller updates to add up to a new course or updated lessons.  You get that as part of your registration.  Revisit the course throughout the year, anytime you want, from anywhere online.

XWF as a primary or other forensic tool:  If you currently use or plan to use XWF in your work, get some training.  Either this course or a course from X-Ways AG, or somewhere.  XWF is not a tool for self-learning when you need it for casework tomorrow.  Especially for a primary tool, get some training.  This course gives you the information to use it either as your primary tool or secondary tool.

If you have any questions, hit me up :)


The most important tool in DFIR that you must have...

One of the workstations I have ranks up there in the clouds insofar as hardware.  You name it, this machine has it.  Lots of it.  Crammed into a huge case with lots of lights and liquid cooling hosing.  I call it the “Monster”.  No matter what I throw at it, it chews it up, spits it out, and smiles asking for more.  Seriously.  It’s a dream machine of a forensic workstation.

One thing about it however is that no matter how fast it is, or how cool it looks, it doesn’t really do forensics.  You see, I have this other little computer (laptop).  It’s really really small and light.  No CD/DVD drive, one USB port, and stuffed with high-speed hardware, but not that you can stuff that much in such a small laptop.  I call this one my “Little Baby”.

When I go somewhere, I take my Little Baby.  It does everything I need for the most part.  I would not want to try to index a terabyte or more, or try to do any serious processing with it.   However, this Little Baby does forensics work.  I've done forensic work in the offices of lawyers, in front of judges, and in court.  Each time using my Little Baby (I have a few, but they are all my Little Babies).  

I mean this in the manner that it’s not the machine (such as my Monster or Little Baby), but the examiner, that does the forensic work.  If you forego “processing” and “indexing”, the forensic machine comparisons in speed become irrelevant and everything comes down to the examiner.  I mean everything.  The best examiner can use X-Ways or Encase or FTK or any open source forensic tool on practically ANY computer when it comes down to deep-diving into electronic evidence.  The machine allows the examiner to use a software to access the media.  That’s it.  A million gigs of RAM won’t let you examine the registry any faster than 4GB will.  Your eyes and the stuff between your ears will get the job done.

When I teach forensics, one of the things I try to get across is that it is the person that gets the job done.  Flashing lights are cool on a computer, but if the examiner doesn’t know how (or where) to find evidence on a hard drive, then the flashing lights are not going to help.  If the examiner does not have critical thinking skills to investigate (or now commonly being described as "hunting") threats or evidence, then the tools are useless.

Don’t get me wrong. I like fast machines.  I need fast machines for some work.  But that work isn’t typically “forensics” but rather automated processes like imaging, or indexing, or some specific processing or decryption. That type of work requires computing power to get done.  Once that part is done, it comes down to fingers, eyes, and brain to do the real work.

I’m not advocating to not have a Monster machine or two, but I am advocating to rely on your brain, not the machine, to do the analysis.

BUT.  There is always an exception to forensic machines.  If you choose to have a RAM-sucking, space-eating, and overly-hungry-system-resource software as your primary forensic software, you are going to need a Monster machine to run it.  And if you expect to take that resource-intensive software outside the lab for use, you’ll need a 15-pound laptop along with a small RAID box to bring along so you can use it.

Be able to do anything you need to do with anything you have at hand at anytime needed. I've been around a lot of people with a lot of excuses ("I can't do this without my particular workstation or my particular software or etc...").  The world of DFIR is similar to the military. Make do with what you got.  Excuses not accepted.

I’m sure Picasso could paint a masterpiece using peanut butter and jelly.   An effective digital forensics analyst could do worse than being able to run a forensic application on a little bitty laptop if she knows what she is doing.  The most important tool in DFIR work?  That's your brain.  Think critically.  Link inferences.  About hardware and software?  Those are just things to let your brain connect to the evidence.  

In short, become a Picasso of forensics.  


Learn by drawing out the experiences of others

I have taught digital forensics at the University of Washington (on and off) for the better part of a decade.  I have also been a guest speaker at several universities for longer than that.  One thing that I learned from the continuing education courses is that most of the students are already working adults with many already working in the IT industry, and I take advantage of their experience by incorporating it into the classroom.

For example, I have had attorneys (prosecutors, public defenders, and civil attorneys), police officers, federal agents, software developers (some were founding members of commonly used software), and a few ‘white hat’ hackers in my courses.  Students who did not fit in any of those categories sat right next to them.
 

Can you imagine what you can learn being a student sitting next to the developer of a major Microsoft program for 10 weeks? Or next to a federal agent who was involved in well-known national security investigations?  Or a homicide detective of a large police department?

That was the benefit to the students: being able to absorb information from fellow students with years, if not decades, of experience.  On the first day of every course, I stress this to the students.  Take advantage of the 10-minute breaks, not by checking your email, but by talking.  Those 10-minute breaks produce more relevant information than can be gained from a Google search, because you can talk to the people who have done it, do it every day, and want to share.  Rather than 'read' about a case, speak directly with someone who does those cases.

As for me, you better believe I took advantage of the students with experience, all for the betterment of the courses and myself.  In my prior law enforcement career as a city cop, I was a detective who worked undercover and was assigned to state, local, and federal task forces, and I also investigated cyber-related crimes that spanned the planet.  I also investigated multi-national organized crime groups (drug trafficking organizations, gun trafficking, outlaw motorcycle gangs, street gangs, human trafficking, counterfeit goods, etc…), terrorist cells in the United States, along with a few other crimes that took me across several states.

I give my brief background not to brag, but to show that even with my experience, I gained something from every class from nearly every person and I asked for it directly.  When I found that I had a software developer from a major software company in class, who worked on a program that I use daily…I used him for discussions in class on incorporating that program into forensic analysis reporting and visualization.  Every student in the course may not have recognized the value of speaking with someone instrumental in that one program, but we all learned new ways to use something in forensics that we would not have learned otherwise.  

Courses with law enforcement and attorneys as students also created a great amount of material and discussion based on how they do different aspects of the same job, in their different positions, titles, and agencies.  Hearing from a federal public defender talk about how forensics fits in with her work alongside a prosecutor talking about the same information but applied differently really gives the entire room a wide spectrum of knowledge.  Throwing in the investigator perspective rounds it all out. 

Granted, I’m only talking about continuing education programs.  I’ve taken and spoken at a few college degree programs where the students are students and not yet even in the workforce.  That type of class is an entirely different animal where the instructor had better know what she is talking about.  And yes, I’ve taken courses where a professor had never connected a write-blocker to a hard drive, ever…not in real life or in the classroom…never testified…never created a forensic image…yet teaches the students to do this by reading a book.  That is not the case with most schools, but certainly a few.  

In the course I teach at the University of Washington (I will call it “my” course…), I give students maximum hands-on, maximum time on the keyboard, maximum time working with the tools and maximum real-life information so that they are not only near-competent to competent, but marketable.  I call my course, “Brett’s Digital Forensics Bootcamp” (without the yelling). I don’t like wasting time and I want to teach a course that I wish I could have taken when first starting out.  That means getting your hands on data as much as possible.

One last point about continuing education programs (for higher education courses)

A conversation I had last week about DFIR certifications ended with me talking about continuing education and college degrees as perhaps a better route over certifications for certain people.  For anyone already in the IT field, I find a continuing education certification from a major university to be ‘better’ than a vendor certification, or if not better, certainly worthwhile.  I say ‘better’ in the sense that most people in IT already have some certs on their resume.  They may not be digital forensics certs, but technology-related certs nonetheless.  Certs also expire, or are discontinued because a business goes out of business or decides to create a new cert.  A continuing education cert from the University of Name Your College doesn’t expire, has more clout (or is that now called klout?) through regional accreditation, and is most times considered graduate-level instruction.

Another benefit of a continuing education course is that since the courses are not vendor specific, the whole gamut of tools can be explored along with the SPECIFICS OF THE JOB.  Vendor courses focus so much on the sale and function of their tool, little time is left to the other aspects of the job that are just as important, if not more important.  I’ve taken well over a dozen vendor courses and I cannot remember any of the courses teaching forensics, other than what their tool does for forensics.

Not knowing how to collect, analyze, and present defensible evidence effectively makes the examiner ineffective and incompetent, and can ruin a case.  Especially when someone has not been taught "what is evidence", finding the elusive evidence is near impossible if you don't know what it is.  Even police officers must know the elements of a crime in order to know what a crime looks like.

Yes, you must know how software works, but you also must know the job.  It’s like driving.  You may know how to drive a car, but if you don’t know the rules of the road, you will end up getting ticketed or worse.


Jimmy Weg's blog archive

Most people in the DF field know or know of Jimmy Weg.  His blog was one of the most popular in the community, but like anyone, Jimmy has retired and will be retiring his blog.  

However, he has offered the blog to be used by anyone until the domain expires.  I know that one DF association (IACIS) will be archiving the blog for its members and Jimmy graciously has allowed me to archive it as well for anyone to use as reference.

Over the next weeks or so, I will be adding each of Jimmy's posts onto my blog, with Jimmy as the author.  You will be able to find all his blog posts on my blog, but under the JustAskWeg category (http://brettshavers.cc/index.php/brettsblog/categories/justaskweg).  Some of the posts are old, as in 2 years which can be old in the tech world, but the information from those posts, especially those concerning virtualization should be relevant for more years to come.  Jimmy's blog is one of those blogs that are valuable to many folks working in the DF field, and it is my pleasure to host his blog while it is still useful. Thanks to Jimmy!

About Jimmy Weg


Ye ol’ Windows FE

Not to get into the long history of WinFE, but rather focus on the course I created about 2 years ago…it’s time for an update to the course.  There have been almost 5,000 people that signed up for the online WinFE course since 2014.  WinFE has been taught everywhere since its inception, from colleges to federal forensic courses to everything in between.  

Technology changes and with that, WinFE needs to be updated along with a second related topic to be included in the course.  In the next few weeks, I am updating the WinFE course and adding Linux distros to the mix (only the most current Linux forensic distros, not the outdated and non-maintained systems).  The new course is tentatively titled,

"Bootable Forensic Operating Systems"

or something to that effect, covering both Windows and Linux forensic boot systems.

The intention of this new course is the same as the previous course: Give forensic analysts additional options in collection, preview/triage, and analysis.

On a side note, I have had about a dozen or so emails about WinFE telling me that:

  1. You have to use a write-blocker

  2. You can’t trust bootable media to be forensically sound

  3. No one does it this way anymore

  4. Today’s computers don’t allow booting to external media

Each time, I have said, “You’re right.  Feel free to use what you want.”  I really don’t see a need to argue with anyone set in his or her ways in the DFIR field.  My opinion is simply that if something works, use it.  If something doesn’t work, don’t use it.  This applies to WinFE, a Linux forensic boot disc, or a write blocker as much as it applies to X-Ways, EnCase, or FTK.

Seriously, if WinFE works for you in a given situation, and you have a choice, feel free to use it.  It’s been battle-proven more than enough.  Same with the Linux distros. If you like it, and it works, and it fits your needs, why not use it?

With that, I still believe forensically sound bootable media has its place in the forensic world.  The upcoming course will talk all about it, including building a WinFE and perhaps even putting together your own Linux distro.


X-Ways Forensics Sucks….

…only with decryption, and even at that, it does everything else superbly.

I probably caught your attention if you are an X-Ways Forensics user.  The only thing that sucks about X-Ways Forensics is that it doesn’t do encryption.  By “doing encryption”, I mean that it doesn’t decrypt encrypted files or systems.  Besides that one aspect of forensic work, X-Ways Forensics rules.

**UPDATED X-WAYS FORENSICS PRACTITIONER’S GUIDE ONLINE COURSE**

I completely updated and extended an online course based on my book, the “X-Ways Forensics Practitioner’s Guide”.  It has taken some time to create a course that has 95% of what you need to use X-Ways Forensics without being an overly long instruction of the software.  The remaining 5% changes every week or so with new features and updates added by X-Ways.  This course covers X-Ways Forensics up to version 19, but know that X-Ways will be adding new features every week that aren’t included in this course yet.  After enough ‘little’ features and improvements have been added, more content to the course will be added as well.

Here is the gist of this post

Register before November 8, 2016 to get both 50% off tuition and a printed copy of the X-Ways Forensics Practitioner’s Guide.  Use this link for the discount: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course?pc=blog

Personal anecdote: While sitting in BCERT at FLETC years ago, I brought my trusty X-Ways Forensics v13 to class.  FLETC issued FTK and Encase as the forensic suites during this time, and also issued a license for WinHex. The WinHex instruction was probably 30 minutes long.

I had already been using X-Ways Forensics and the FLETC instructors allowed me to use my license alongside their issued tools.  With a FLETC provided image that was given to every student in the course, X-Ways data carved hundreds of pornography pictures from my image while both FTK and Encase did not.  The instructors thought I had been surfing porn in class until I carved from someone else’s image.  Encase and FTK, for some reason, did not carve up the pictures that X-Ways did.  In about 5 minutes after seeing that X-Ways carved up porn that other tools missed, every image was collected from class by the instructors….

I emailed Stefan Fleischmann of X-Ways during lunch to let him know that his X-Ways Forensics program works pretty good.

My personal experience with X-Ways Forensics started because I was curious about a ‘new’ forensic program based off of WinHex. I only tried X-Ways Forensics because (1) it was cheaper than anything else, (2) it looked kinda cool, and (3) it got deep into the actual files like a hex editor.  However, I tried to figure it out and the best way to do that was to host a course.  The only reason I gave X-Ways Forensics a chance was because X-Ways agreed to give a training course in Seattle if I would arrange it, their first course ever.  After seeing how X-Ways worked in that one course, I was hooked, and I have used X-Ways Forensics as my primary forensic tool for well over a decade.

I have met many examiners who have tried to use X-Ways Forensics and have nearly always gone back to their other tools, like Encase or FTK.  Mostly, I see this to be because of fear of change and lack of information to use X-Ways Forensics.  There were no books about X-Ways Forensics.  The manual was (is) clearly lacking in giving instruction in using X-Ways, the courses were (are) expensive and not typically where you’d like them to be.  Compared to Encase, as one example, books on using Encase have been around for some time, Encase has been taught in government forensic courses for well over a decade, and courses have been planted everywhere around the world for so long that it seems strange to not have a course local to you every year or so.  Plus, the other tools throw parties, like huge beer fests poolside in Vegas or somewhere neat.  X-Ways? No parties.  No beer fests.  It’s all down and dirty with hex, which is just the way I like it.

The manner in which this online course works is similar to the book that Eric Zimmerman and I wrote on X-Ways Forensics.  We wrote, and titled, the book for practitioners.  The manual is not for practitioners.  Do not start reading the manual hoping to find the ‘how to use X-Ways’.  Do read the X-Ways Forensics Practitioner’s Guide to find out.  Unfortunately, books and manuals simply do not fill the remaining gap of instruction and demonstration.  Short videos on Youtube won’t do it either.  You need a course to learn what you need to learn as fast as you can learn it in order for you to be able to use it right away.

If you cannot attend the official X-Ways Forensics course due to time/money, or maybe you want a refresher to the course you took five years ago, or maybe you are in a forensic course in college that uses X-Ways, this online course is the least expensive you can find (the only one currently in the world) that fills that need.

I can promise that after you complete the course, you will have a different perspective of X-Ways.  You most likely will use X-Ways Forensics as a secondary or validation tool.  Many of you will move completely over to X-Ways Forensics and turn your other tools into secondary tools.  Some of you will turn your entire lab into an X-Ways Forensics lab that uses the “other tools” as validation.

One thing the online course does not do is teach forensics.  You might learn a little something since the course uses publicly available forensic images and gives suggestions on workflows (based on case types, such as picture intensive or user document intensive cases), but don’t expect this course to teach everything about forensics.  For that, you need to take a digital forensics course to show what a “lnk” file is, or how to examine the registry.  The X-Ways Forensics Practitioner’s Guide course teaches you how to plug the X-Ways Forensics dongle into your machine and push all the buttons you need to push to get what you are looking for.  That’s more than half the battle for any forensic software: what button do I push to get forensic artifact “x”, “y” and “z”?

Watch the introductory video (free) to get a handle on why you should take this course.  Whether you have been using X-Ways Forensics for more than a day, are new to X-Ways Forensics, or are thinking about trying it out, this course is the fastest, least expensive, and easiest method to learn. Bar none.

 

Recent Comments
Brett Shavers
Sorry, but the promo expired.
Saturday, 02 September 2017 16:04

Virtual Machines, like anything else in technology, can be used for bad

Virtual machines have always been one of the neatest aspects in computer technology.  My first exposure to a virtual machine was in a digital forensics course I took at FLETC and I knew that this would be the coolest thing ever.  The coolness factor of being able to run one operating system (the virtual machine or VM) inside another operating system (the host) has not grown old for me, especially because of the forensic and security implications that exist more so today than on that day of first exposure.

It has been 10 years since I wrote the first of two papers on virtualization and forensics: first, “vmware as a forensic tool”, and subsequently, “Virtual Forensics: A Discussion of Virtual Machines Related to Forensic Analysis”.  Some of the information is outdated, but most of the information and certainly the concepts are still in play today.  I recommend looking at these two papers to get started on thinking about VMs as they relate to your cases.

Skip forward some years after those first papers; I began to find VM use occurring more often on forensic cases in civil litigation matters.  In the majority of the cases, the VMs I found were not used to facilitate any malicious activity, but did result in longer examination time of each hard drive with VMs.  In one of my cases, a single hard drive contained over 50 (yes, FIFTY) virtual machines and each VM had multiple snapshots and practically all were being used with malicious intent.  After that case, I made sure to include virtual machine investigative information in two books I wrote (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard) to make sure investigators consider VMs as a source of evidence.

There was a time when computer users, including criminals using computers, were oblivious to the amount of evidence a forensic analysis can recover.  Those days are virtually gone since most anyone with a computer knows, for the most part, that a ‘deleted’ file can be recovered.  In addition, with Hollywood producing movies and TV shows showing forensic analysis of computers, common criminal knowledge now includes knowing that electronic evidence is created on computers and that forensics recovers it.  Every push of a button, click of a mouse, and click of a link litters the system with evidence.  The litter (creation/modification/access/deletion of files) is everywhere in the system, spread out among various locations from the registry to free space to system files, and most can be attributed to a user’s activity.  Getting rid of every bit of the electronic litter is practically impossible, even as certain amounts can be wiped securely.

However, with a VM, all of that electronic litter, aka evidence, is kept within one file that stores the virtual machine.  The user need only wipe that one file to destroy all the electronic litter and evidence that was created during the malicious activity.   The only evidence able to be found will be on the host, and usually that will just show a VM had been started.  The malicious activity/user activity…gone.    Going a step further, a VM booted to a Linux bootable OS (even to an .iso file), will have no evidence saved in the VM to begin with.

I am not discounting other important evidence, such as network logs, captured traffic, or the evidence that can be recovered on the host machine.  That is all good evidence too, but when the actual user activity is contained in a single file that can be wiped securely, digital forensics gets harder if not downright impossible.
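Since the host is where the remaining evidence lives, one practical first step is to inventory every VM artifact on the host volume.  The following is an added example, not code from the original post: a Python sketch that walks a mounted image or directory and identifies virtual disks by file signature rather than by extension, so a disk renamed to look like a picture still shows up.  The function names and the sample tree are hypothetical and constructed for illustration, and the signature list goes beyond what the post itself describes.

```python
import os
import tempfile

# (offset, magic bytes, label). A negative offset is measured from the end of the file.
SIGNATURES = [
    (0, b"KDMV", "VMware sparse extent (VMDK)"),
    (0, b"# Disk DescriptorFile", "VMware disk descriptor (VMDK)"),
    (0, b"vhdxfile", "Hyper-V VHDX"),
    (0, b"conectix", "VHD (dynamic, header copy)"),
    (-512, b"conectix", "VHD (footer)"),
    (64, b"\x7f\x10\xda\xbe", "VirtualBox VDI"),
    (0, b"QFI\xfb", "QEMU QCOW2"),
]

# Extensions a virtual disk is normally expected to carry.
DISK_EXTS = {".vmdk", ".vhd", ".vhdx", ".vdi", ".qcow2", ".avhd", ".avhdx"}

# Configuration, snapshot and state files that show a VM existed and was used.
STATE_EXTS = {
    ".vmx": "VMware configuration",
    ".vmsd": "VMware snapshot metadata",
    ".vmsn": "VMware snapshot state",
    ".vmss": "VMware suspended state",
    ".vmem": "VMware memory file",
    ".vbox": "VirtualBox configuration",
    ".sav": "VirtualBox saved state",
    ".vmcx": "Hyper-V configuration",
}


def identify_disk(path):
    """Return a format label if the content matches a virtual-disk signature, else None."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        for offset, magic, label in SIGNATURES:
            pos = offset if offset >= 0 else size + offset
            if pos < 0 or pos + len(magic) > size:
                continue  # file too small to hold this signature
            fh.seek(pos)
            if fh.read(len(magic)) == magic:
                return label
    return None


def inventory(root):
    """Walk root and list VM artifacts; 'mismatch' marks disks hiding behind another extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                label = identify_disk(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if label:
                findings.append({"path": path, "kind": label,
                                 "mismatch": ext not in DISK_EXTS})
            elif ext in STATE_EXTS:
                findings.append({"path": path, "kind": STATE_EXTS[ext],
                                 "mismatch": False})
            elif ext in DISK_EXTS:
                # Flat/raw extents carry no header, so only the name gives them away.
                findings.append({"path": path, "mismatch": False,
                                 "kind": "disk extension, no known signature"})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample data: one VM folder plus a VDI disk renamed to .jpg."""
    vdi = (b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
           + b"\x7f\x10\xda\xbe" + bytes(444))
    files = {
        "VMs/win10/win10.vmdk": b"KDMV" + bytes(508),
        "VMs/win10/win10-000001.vmdk": b"# Disk DescriptorFile\nversion=1\n",
        "VMs/win10/win10.vmx": b'displayName = "win10"\n',
        "VMs/win10/win10-Snapshot1.vmsn": b"constructed snapshot state",
        "Documents/holiday.jpg": vdi,
        "Documents/notes.txt": b"meeting notes",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for f in inventory(root):
            flag = "  <-- content/extension mismatch" if f["mismatch"] else ""
            print(f"{os.path.relpath(f['path'], root):35} {f['kind']}{flag}")
```

Run it against a read-only mount of the image, never the original media.  A sweep like this only finds files that still exist; a wiped VM leaves the host-side traces the post mentions, which need separate examination.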

A recent article I read on malicious use of VMs goes one step further.  In the article (https://www.secureworks.com/blog/virtual-machines-used-to-hide-activity), an attempt to remotely start a VM inside a compromised system failed only because the compromised system was also a VM.  Considering that scenario, a hacker starting a VM on a compromised machine can effectively hide nearly all activity within that VM by subsequently wiping it after the hacker is finished.  Incident response just got harder.

Not only are virtual machines used to facilitate criminal activity, but can also be used as a tool to compromise systems.  One creative example of malicious VM use can be read here: https://www.helpnetsecurity.com/2016/08/18/compromising-linux-virtual-machines/  where virtual machines in the cloud can be used to attack another virtual machine if hosted on the same server.  Now that is clever.

Virtual machines are here to stay for all the good uses they provide, which also means they are here for all the bad uses too.  In the world of cyber-cop vs cyber-criminal, every day is another day where each side tries to out-MacGyver the other side with something new, unique, and sometimes pretty cool.

 

 

 

 


Mini-WinFE and XWF

Due to a dozen tragedies, a half dozen fires popping up, and twice as many projects due at the same time, I’ve been way late in updating an X-Ways Forensics course along with updating the WinFE.  But now, the X-Ways course is about done and will be uploaded as soon as the finishing touches are complete.  The new course includes a whole lot more than originally made and is updated to the current version of X-Ways (everyone currently registered will receive an email when the course has been published, at no cost to current registrants).

The WinFE online course will be deprecated and replaced with a longer “Forensic Boot CD Course” that includes Linux forensic CDs along with some updated WinFE information.  The goal of this course is to completely cover just about every aspect of using a forensic boot OS (CD/DVD/USB), with examples of the most currently updated Linux forensic CDs.  There are plenty of outdated distros to avoid and those are not described in the course.

Until the Forensic Boot CD Course is uploaded, you can download the Mini-WinFE builder from this link: http://brettshavers.cc/files/Mini-WinFE.2014.07.03.zip  as currently, the reboot.pro download link for Mini-WinFE is broken.  I have sent the developer a message to repair it.


Compiling Identity in Cyber Investigations

Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather that recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important as an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved, sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

The Complete Identity

A physical identity (aka biometric identity) and digital identity comprise the complete identity of a person.  Biometric features of a person, such as fingerprints and eye color, are bound to the physical identity and typically permanent to the person depending on the feature.  Although eye color can be temporarily changed with color contacts and hair can be temporarily dyed to a different color, the majority of physical features cannot be changed without drastic injury or surgery.

Internet users create digital trails of use and subsequently (and without intention) create digital personas based on their unique computer use.  The normal, everyday use of the Internet creates a digital identity that is based on Internet surfing habits (the Websites visited), communications made online through forums, chats, e-mails, blog posts and comments, and through the accounts created for online services to include online shopping.

Compiling the digital identity and physical identity may seem like an obvious and easy task, but assembling the identities is not so simple.  In an ideal case, a suspect has a single physical identity and a single digital identity, but in reality, a person may have multiple physical personas tied to a single physical identity and multiple digital personas.  Some personas may be intentional while others unintentional.  For example, a criminal wanting to travel in a name other than his true name may create or purchase a fake driver’s license. As he goes about using the fake or stolen driver’s license, he creates a persona under the false name.  Although this persona is not truly a ‘physical’ identity, as it is not biometrically tied to a physical body, it is part of his physical identity as he uses the false name as if it were his true name. 

One example of a digital identity is the accumulation of normal Internet and computer use.  A person’s computer use is generally a reflection of that person’s personality, desires, and intentions.  The unique activity of one device is typically replicated across devices under that person’s control.  For instance, given a new computer, a user will configure it by personal preference by arranging icons, colors, sounds, and folder structure to save.  When the user has an additional computer, both computers will have a very similar order of computer activity when used over time and will even look the same, such as the placement of desktop icons and wallpaper choice.  Configurations of the computers will likely be similar, if not exact for some items, and Internet use will most certainly mirror each other by bookmarks and frequently visited Websites.  Merely comparing the type of computer use and configuration between two or more devices can give an indication that the same person used all of the devices. 
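The comparison described above can be made repeatable.  The following is an added example, not from the original post: a Python sketch that scores how closely the usage and configuration of several devices resemble each other.  The device profiles, field names, and weights are all constructed assumptions, and a high score is only an indication that the same person used both devices, not proof.

```python
from itertools import combinations
from urllib.parse import urlsplit

# Assumed weights: browsing habits count more than cosmetic settings.
WEIGHTS = {"bookmarks": 0.4, "frequent_sites": 0.4,
           "desktop_icons": 0.1, "wallpaper": 0.1}


def host(url):
    """Reduce a bookmark URL to its hostname so http/https and paths do not matter."""
    name = urlsplit(url).hostname or ""
    return name[4:] if name.startswith("www.") else name


def jaccard(a, b):
    """Share of items the two sets have in common (0.0 = nothing, 1.0 = identical)."""
    a, b = set(a), set(b)
    if not a and not b:
        return 0.0  # two empty lists say nothing about a shared user
    return len(a & b) / len(a | b)


def profile_similarity(p, q):
    """Return (weighted score, per-artifact scores) for two device profiles."""
    per = {
        "bookmarks": jaccard(map(host, p["bookmarks"]), map(host, q["bookmarks"])),
        "frequent_sites": jaccard(p["frequent_sites"], q["frequent_sites"]),
        "desktop_icons": jaccard(p["desktop_icons"], q["desktop_icons"]),
        "wallpaper": 1.0 if p["wallpaper_hash"] == q["wallpaper_hash"] else 0.0,
    }
    return sum(WEIGHTS[k] * per[k] for k in WEIGHTS), per


def rank_device_pairs(devices):
    """Score every pair of devices, most similar first."""
    rows = []
    for a, b in combinations(sorted(devices), 2):
        score, per = profile_similarity(devices[a], devices[b])
        rows.append((a, b, score, per))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample profiles, as they might be extracted from three seized devices.
DEVICES = {
    "laptop_A": {
        "bookmarks": ["https://www.example-forum.test/board",
                      "https://mail.example.test/inbox",
                      "https://news.example.test/"],
        "frequent_sites": ["example-forum.test", "mail.example.test", "shop.example.test"],
        "desktop_icons": ["X-Ways", "Tor Browser", "Notes"],
        "wallpaper_hash": "aaa",
    },
    "desktop_B": {
        "bookmarks": ["http://example-forum.test/",
                      "https://mail.example.test/",
                      "https://bank.example.test/"],
        "frequent_sites": ["example-forum.test", "mail.example.test", "shop.example.test"],
        "desktop_icons": ["Tor Browser", "Notes", "Games"],
        "wallpaper_hash": "aaa",
    },
    "tablet_C": {
        "bookmarks": ["https://recipes.example.test/"],
        "frequent_sites": ["recipes.example.test", "news.example.test"],
        "desktop_icons": ["Notes"],
        "wallpaper_hash": "ccc",
    },
}

if __name__ == "__main__":
    for a, b, score, per in rank_device_pairs(DEVICES):
        print(f"{a} <-> {b}: {score:.2f}  {per}")
```

The per-artifact scores are returned alongside the total so a report can show which similarities drove the result.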

Adding to the complexity of finding both digital and physical identity of a suspect is that of multiple aspects of both types of identity.  A person leading a double life may have two spouses and two jobs with one being a false identity.  This person is physically tied to both identities, even if the false identity contains no true information.   Leading a double life is an extreme example of a fake physical identity, and examples that are more common include using a fake ID to make consumer purchases, or using fake names to register at hotels.  The depth of a fake physical identity depends upon the person’s intention and resources. Types of physical identifiers are seen in the following figure.

Digital identities, being far easier to create, generally mean that any one person can have multiple, or even hundreds, of fake digital identities.  A harassment suspect may have dozens of online identities that he uses to harass a single victim or victims through repeated e-mails from different e-mail accounts created to appear as different people.  In any investigation, treat each digital identity as its own identity that will be tied to a physical person at some point in the investigation.  Each identity gives information about a person based on the fake identity, whether the only information is the username of an e-mail or a completely falsified social networking account.

An example of having multiple digital identities is that of one fake identity used to create specific online accounts and a different fake identity used to create other specific online accounts.  In this manner, a person is simply trying to distance himself from something (such as registering for a pornographic Website) by using a fake digital identity while using a different fake identity to distance himself from other aspects of his online life.  An investigator who can identify the fake accounts adds to the case by showing the intentionally hidden aspects of a personality, motive, or intention of the real person based on the real person’s actions under the fake digital identities.  A pedophile whose physical identity has no ties to pedophilia may appear innocent until fake digital personas are found and tied to his physical identity.

Of note is that each person has a true physical identity and a true digital identity.  Typically, the true digital identity shows the real information, such as a real name, and is easily tied to the physical person.  However, every identity and persona (real and fake, digital and physical) should be compiled together to show the complete identity of a person.  False information is just as important as the true information to build a complete picture of a suspect.

A great example of tying a physical identity to a false persona is in the Silk Road case where the creator of Silk Road (Ross Ulbricht) used his public e-mail/forum account on the open Internet to market the Silk Road.  One simple post eventually tied his legitimate physical identity to a secret, false, and criminal persona on the Dark Web site, the Silk Road.

Identifying the digital identity becomes easier as Big Data continues to grow exponentially through massive data collection by government and corporations.  Social media sites contribute to identifying digital identities as the connectivity between sites exists through single usernames, using the same e-mail address across online accounts, and algorithms created to ‘find’ friends based on relationships and Internet use.  The digital identity is the sum of all electronic information of a person.  Corporations have been compiling digital identities of consumers in order to focus on advertising efforts.  Investigators should focus on compiling digital identities of suspects to determine motive and opportunity.

Any investigation benefits by compiling the complete identity of suspects.  Whether the identities contain true information about a suspect is not as relevant as tying the identities and personas to a person. Motives and intentions are clearer with a complete picture of a person in both the physical and digital worlds. 

Now that you know the ‘why’, become competent in the ‘how’ in each investigation with thorough research to find the connection between each identity in order to place your suspect at the keyboard.  Digital forensic skills are necessary and important, but solid cases usually need some old fashioned, gumshoe detective work too.


The Secret to Becoming More-Than-Competent in Your Job


I was part of an interesting and productive online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking and forensics to how to catch hackers, with a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes, and none of it would help a criminal get away with a crime.

The one thing I wanted to stress is that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught by the very techniques they know.  The proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable about not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession books on how not to get caught.   The most diligent criminal can be identified and arrested through simple mistakes, and sometimes through the sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime?”  I learned a lot after hundreds of bookings.  I learned so much that when I made it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

The point of all this is that talking to “the other side” is not a terrible idea.  Working on the law enforcement side, I promise that if you have a conversation with a criminal defense expert, you will learn something to help win YOUR case.  If you talk to a hacker, you will learn something to help figure out YOUR cases.  The best part, like I said, nothing you give will make a criminal’s job easier.  In fact, anything you say will only make them worry and make more mistakes.

If you are more-than-competent, you can do your job like a magician.   My first undercover case was buying a gram of meth from a cold phone call to a guy I didn’t even have a name for.  As soon as we met, I recognized the meth dealer as someone I had arrested a half dozen times when I was in patrol.   Luckily for me, he didn’t recognize me and believed my UC role.  Arrested, booked, and convicted.  This was a career criminal with dozens of arrests who had probably met more cops than I ever had at that time.  Still, he was arrested, by me, because I was more-than-competent in my job.  Digital forensics work is no different.

Talk to everyone and share.  I promise you will get more than you give.  And there is no shame in learning that you don't know it all, because none of us do.


Behind the Keyboard - Enfuse 2016 Presentation download

I had the amazing honor of speaking before a full room at Enfuse this week.  This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well.  Kudos to the poolside event coordinator.  Those who know my forensic tool choices also know that I do not use Encase as my primary forensic tool.  However, I have a license for v7 and have used Encase since v4 (with sporadic breaks of use and licensing).

This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard).  I say “snippet” because one hour is not nearly enough time to talk about the investigative tips in the books.  I was able to give a few good tips that I hope someone will be able to take to the bank and boost case work.   I could spend weeks talking about investigative methods of not only finding suspects that are using computers to facilitate crimes, but also placing them at a specific device with both forensic analysis and traditional investigative techniques.

After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slidedeck for them and others who may want to see high-level notes from the Powerpoint slides.  However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases.  I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well.   Nonetheless, the meat and potatoes of the presentation is in the below PDF.

  

 

A few thoughts on digital forensic skill development and giving away investigative secrets

Forensic examiners/analysts generally follow the same path in skill development, with some exceptions of course.  For most of us, the tools are just plain neat and we initially focus on the tools.  High tech software and using the type of hardware that you cannot find at Frys turns work into play.  We dive into the box, swim around in it for days, weeks, or even months, and then we pull out every artifact we can to write a report of what happened ‘in the box’.  Writing a report usually means pushing the "Create Report" button. I suggest that every examiner go through this stage quickly and move forward.  Get it out of your system as soon as you can. There is more to digital forensics than the toys, I mean, tools.

Digital forensics investigators must investigate, unless your job is solely looking at data because someone else is investigating the case.  This is where leaving the stage of ‘playing with high-tech toys’ turns the new forensic examiner into a real digital forensics crime fighter.  When an examiner can integrate data recovered from ‘the box’ with information collected from ‘outside the box’, using any tool and investigative method available, we have a competent and effective digital forensics investigator, not just a tool user.

I have always believed that a good digital forensics investigator can practically use any software, as long as the software can do the job, without relying on the software to do the complete job.  Pushing a button to find evidence, then pushing another to print a report does not a forensic analysis make.  Just as Picasso could paint a masterpiece only using an old paintbrush and watercolors, a good forensic examiner can make a great case with only using a hex editor and gumshoe detective mindset.  The high-tech tools should be used to make the work easier and faster without becoming a crutch.

And that was the inspiration of why I wrote Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard, boiled down in two simple intentions:

1) To push forensic examiners out of the high-tech toy reliance into becoming a well-rounded, effective, efficient, and competent investigator.

2) As a reminder to the former investigator-turned-forensic-analyst to get back into the investigative mindset.

If you are currently in the ‘gotta-have-the-most-expensive-tools-on-the-planet’ stage while at the same time not working outside the CPU, don’t fret. It happens to most everyone, and not just in the digital forensics field.  When I was a young Marine, I went to the local army surplus store and base PX to buy every cool tool I could think of that would help me in the field.  I had so many ‘tools’ that my ALICE pack looked like a Christmas tree dangling five years' worth of trinkets from New Orleans’ Mardi Gras parades.  After one trip to the field, I realized how much money I had wasted on unnecessary gear (if you could actually call some of those things I bought "gear"...) and focused on using only the things that work and making things work for me.  Digital forensics work is no different.  Consider yourself DFIR SEALTeam 6 once you can work a case using ANY computer and ANY tool.

Giving away trade secrets?

There is a long-standing problem in the digital forensics world: Sharing, or rather, lack of sharing.  Yes, experts and practitioners share their work, but many do not.  I completely understand why.  When you share your ideas and research to the public, there is a fear that the bad guys will see it and use it for their benefit.  The fear is that once the methods are known to the criminal world, the methods become ineffective.

In short, that thinking is incorrect.

First off, cybercriminals and criminals, in general, share information with each other.  They share the methods when they work together to commit crimes, they share it online,  and they share it during their stays in the big house.  Still, they get caught.  Still, they make mistakes. Still, the methods work against them.  I have even arrested drug dealers when they had in their possession, books on 'how not to get caught dealing drugs'.  Cybercrime is no different.  An entire website can be written on how to get away with crime on the Internet and read by every cybercriminal, and yet, they can still be identified, found, and arrested.  

Second, lack of sharing only hurts us all. If you were to find a better way to find evidence, but keep it to yourself, the entire community stagnates.  But when shared, we push ourselves ahead in skills.  Do not be afraid that the bad guys will get away with crimes if they know how you catch them.  Just as watching a Youtube video on Marine Corps boot camp does not make boot camp any easier, criminals knowing how we place them behind a keyboard does not negate the process that can place a suspect behind a keyboard.  In fact, the more they know, the greater the chance they will slip up more than once, out of sheer fear of how easily enough investigative resources can be put toward finding a criminal, which no amount of preparation can counter.

Reviewing a tech book technically makes you a peer reviewer…

    If you have been in the digital forensics world for more than a day, then you know about peer reviews of analysis reports.  If you have ‘only’ been doing IR work where forensics isn't the main point (as in taking evidence collection all the way to court), then you may not be reading reports of opposing experts.  Anyway, the opposing expert peer review is one of the scariest reviews of all since the reader, who is again the opposing expert, tries to find holes in your work.  The peer review is so effective at pushing examiners toward doing a good job that I think it prevents errors by the examiner more than it helps opposing experts find them.  Peer reviews take different shapes depending on where they are done (review of a book draft, review of a report, etc...) but in general, a peer review is checking the accuracy of the written words.

    Academia has always been under the constant worry of peer reviews.  One professor's journal may be peer reviewed by dozens of other professors in the same field, with the end result being seen by the public, whether good or bad. Peer reviews are scary, not for the sake that you made a mistake, but that maybe you could have missed something important that someone else points out to you.

    If you read a tech book and write a review of it (formally in an essay/journal, or informally on social media), consider yourself a peer reviewer of tech writings.  That which you say, based on what you read, is a peer review of that material.  Think about that for a second.  If you are in the field of the book you are reviewing, you practically are tech reviewing that book for accuracy (so make sure you are correct!).  That is a good thing for you as it boosts your experience in the field.  Always be the expert on the stand who can say, “I’ve read x number of forensic books and have given x number peer reviews on social media, Amazon, essays, etc….”.  If for nothing else, this shows more than that you just read books.  You read for accuracy and give public review of your findings. Nice.

    There is some stress in writing a peer review because you have to be correct in your claims.  Sure, maybe some things in the book could have been done a different way, but was it the wrong way?  The manner in which you come across in a peer review is important too.  Crass and rude really doesn't make you look great on the stand if you slam a book or paper.  You can get the point across just as well by being professional.

    Writing books takes no back seat to peer review stress, especially when it comes to technical books.  Not only does the grammar get combed by reviewers, but the actual technical details get sliced and diced.  Was the information correct? Was it current and up-to-date?  Is there any other information that negates what was written in the book?

    So, to get any positive reviews makes for a good day.  Not for the sake of ego, but for the sake of having done it right so others can benefit from the information.  Writing is certainly not about making money as  much as it is putting yourself out there to share what you have learned at the risk of having your work examined under a microscope by an unhappy camper.

    Which brings me to my latest reviews for Hiding Behind the Keyboard.  This is my third tech book (more to come in both nonfiction and fiction) and with each book, I have always looked cautiously at the Amazon book reviews.  Not that I have written anything inaccurate, inappropriate, or misleading, but that I just want to have written something useful on a topic that I wish existed when I started out in the digital forensics field.  My best analogy of what it is like to write a book is to walk outside to your mailbox nude and then check Facebook to see what people say about you…then do it again.  At least I don't have a Facebook account...

    So far, the reviews for my latest book show that I did a good job (my gratitude to the reviewers).

And that brings me to another point of this post. 

    One of the social media reviewers is actually in a case study in the book.  Higinio Ochoa read and reviewed my book in a Tweet (as seen below).   

 

    You will have to check the Internet to get Hig’s story, or read it in my book…  Suffice it to say he was a hacker who was caught, and then ended up as one of the case studies in my book.  Positive reviews from forensic experts are great, but so are reviews from former hackers that can double-validate the work.  Like I said, it takes a lot of guts to write a book and almost as much guts to peer review it in public.  That’s what we are doing when we write a review of a tech book.  We are all peer reviewers.

 


Bio-hacked humans and digital forensic issues...


If you thought The Grudge was the scariest thing you’ve seen on screen, you must not have watched Showtime’s ‘The Dark Net’ yet.  In short, the series shows how humans are procreating less and merging digitally into technology with bio-hacks. That makes for a bad combination on a few different levels.

Without getting into non-technical issues (such as moral, ethical, or legal), I have a technical question: How the heck are we going to do a forensic analysis of a bio-hacked…human?

Before the human race ends up looking like robots, we are already in the era of implanting electronic data devices in our bodies.  Check out http://dangerousthings.com to find how you too can jab an injection device into your hand and shoot an RFID under your skin…all by doing it yourself. As for me, I don't think I'll be joining in that movement anytime soon.

RFID (http://en.wikipedia.org/wiki/Radio-frequency_identification) tags store data. Data such as medical, financial, personal, or any type of information can be stored on an RFID tag, although the amount is quite limited currently (2-10 kilobytes?).  That's not much data, but depending on the content, it may be more than enough to cause a war or bankrupt a company.

But even at that low amount of storage, it can raise suspicions of theft of intellectual property, trade secrets, or national security information.  Imagine the use of implanted RFID chips by criminals, terrorists, and corporate spies to exfiltrate and transport sensitive data.  Just when you thought MicroSD cards presented a threat because of their small size, the RFID is an even bigger problem.  We can find a USB since we can see it. RFID chips implanted under the skin…not so easy.


Now back to my first question of how we will be doing forensic analysis on a bio-hacked human. When the time arrives where humans are embedded with multiple types of technology and devices, where and how do we start the data acquisition process?   Depending on how much technology is embedded, where it is embedded, and what it is connected to, forensic imaging takes on a whole new world.  

And what if the person (or man-machine cyborg…) doesn’t want to be forensically analyzed? 


Maybe for imaging software, we can try Robocopy (looks like the software is already here….).

http://sourceforge.net/projects/robocoprobocopy/

Tech Talk Can Get You Lost in Lingo


    Every career and academic field has its own “lingo” to the extent that a conversation buried deep in lingo sounds like a foreign language. I have experienced military lingo, law enforcement lingo, and technical lingo in my life to the point that I practically dream in acronyms, speak with words not recognized by Webster’s Dictionary, and instantly recognize the glazed-over look when speaking to a non-native lingo listener.

    The reasons for individualized lingo range from the coolness factor, such as “oh dark thirty” to express time as ‘really damn early’, to efficiency, such as using “HMMWV” instead of saying “High Mobility Multi-purpose Wheeled Vehicle”.  Many acronyms are spoken as words, which has the added effect of the listener not having a clue what you are talking about.  For example, “I’m going to pick up a hum-v” means “I’m going to pick up a high mobility multipurpose wheeled vehicle”. Even in law enforcement, the acronyms can irritate the most patient listener if they are not in the club.


                There are two situations where lingo can get you killed, or at least make you feel like you are getting killed. One is in court. The other in your writing.

    Getting killed in court by lingo as a witness is painful. In fact, I’ve seen witnesses get physically ill as if the roach coach burrito eaten at lunch has suddenly reached its final destination in all its glory. Getting beat up on the stand by an attorney or judge is so unpleasant that time actually slows to a stop and you wonder why you even got up that morning. Using lingo on the stand can give you a bad case of ‘why did I say that?’ when being cross examined.

                I talk about lingo today, because I recently experienced one of the best cases of using lingo in all the wrong ways in a federal district court.  I gave my testimony first as the defense expert in a class action lawsuit, and spoke as simply as I could to make sure the judge understood what I intended to say. Then the opposing expert was called. One of the attorneys asked her a question, she answered, but her answer was not only complicated, it was complex, full of lingo, and I even felt a sway of arrogance. I barely understood what she said and took notes to make sure I got correct what she said.

    Then the beating started. The judge asked her to repeat her answer. She did. Then the judge asked her the same question by rephrasing it and asked for a better explanation. The expert answered again but it sounded even more complex. After three more tries with increasing tension and the judge telling the witness that she did not understand the answer, the judge turned to me at the back of the courtroom and said, “Can you tell me what she is trying to say?”

                That is when I knew this cross country trip for court was worth the trip. I translated the opposing expert’s answer, the judge understood it, and the opposing expert said I was correct.  Boom. Lingo killed that day, but luckily it didn’t kill me.

                The other place where lingo can kill is in writing. I’ve written more police reports and affidavits for search warrants than I could ever count and the one thing I learned is to keep lingo out unless it is pertinent, relevant, and understandable. Jurors don’t get lingo and much of what they hear in the movies is incorrect or misused. Judges don’t like it either.  Don’t be the only person in the room that understands what you are saying…

In fiction books where computer technology is a key element or theme, using lingo without explanation is like using a foreign language to frustrate a reader. I say this because I just read an unnamed book where I had to really slow down my reading in order to understand what was being described. I don’t like reading slow...which means I won’t finish reading it if I don’t have to.

It is one thing to use a technical term in a sentence, but there comes a point where, when the majority of words in a sentence are acronyms and “words” not found in a dictionary, the reader becomes lost and frustrated. That’s not good. It’s not good for reports, testimony, or fiction writing. Nonfiction technical writing is a little different since, generally, the reader of technical writing is a technical person.  For those types of writing, give the definition once and move on since the audience is a technical one. In the other types, even though you give the definition once, the reader/listener is going to forget by the time the uncommon word or acronym is used again. So be sparse with the lingo unless it really matters, or it is used so often that your reader won’t be frustrated trying to figure out what it means.

I’ve given a few talks on putting ‘cybercrime’ into writing for fiction authors who are not computer experts.  Some of the talk is showing what forensics looks like (hint: it’s not like what you see in James Bond…) as well as how to use technical terms without turning off the reader or sounding like you don’t know what you are talking about. For me, when I read, I just want to read without having to say to myself, “Excuse me, that’s not how Tor works…”.

Remember, lingo kills.


The best part of writing a book is finishing the book.


I chose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not be completely what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book with early reviews, suggestions, recommendations, and co-authoring.  Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:


RegRipper

The short story: if you want RegRipper, get it from GitHub (don't download it from anywhere else)

http://github.com/keydet89

 

What is RegRipper?

RegRipper was created and maintained by Harlan Carvey.  RegRipper, written in Perl, is the fastest, easiest, and best tool for registry analysis in forensics examinations.  RegRipper has been downloaded over 5000 times and used by examiners everywhere.

How can you make it better?

If you want RegRipper to be better, you can help by first sending in registry hives with specific information of what you need RegRipper to do with that hive to Harlan Carvey.  Is it a P2P application of interest?  Or USB devices? Or…?

What is the RegRipper?
RegRipper is *not*…it’s not a Registry Viewer.  An examiner would not open a Registry hive file in RegRipper to “look around”.

Further, RegRipper is NOT intended for use with live hive files.  Hive files need to be extracted from a case (or from a live system using FTK Imager…), or accessible via a tool such as Mount Image Pro or F-Response.

RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API.

How does RegRipper work?
RegRipper uses James McFarlane’s Parse::Win32Registry module to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis.  This tool is specifically intended for Windows 2000, XP, and 2003 hive files (there has been limited testing on Vista/Win2K8 hive files…everything has worked fine so far…).

How do I use RegRipper?
Simply launch rr.exe.  Also, please be sure to read the RegRipper documentation.

Do I have to install anything to use the RegRipper?
Nope, not a thing.  RegRipper ships as an EXE file, able to run on Windows systems.  All you need to do is extract the EXE and DLL in the same directory. The source file (rr.pl) is also included, as are the plugins.

Further, RegRipper doesn’t make any changes to your analysis system…no Registry entries are made, nor are any files installed in odd, out-of-the-way locations.

HC

—————————————————————

RipXP

Installing
RipXP uses all of the same plugins available with RegRipper, so simply extract the files in this archive into the same directory with RegRipper (rr.exe) and rip (rip.exe).

Running
1. Using your tool-of-choice (I use FTK Imager), open the image and extract the hive files you’re interested in from the system32\config directory, as well as from user profile(s), into a directory (ie, D:\cases\case001\xp\config).

2. Using that same tool, within the image navigate to the directory where the Restore Point directories are located (usually C:\System Volume Information\{GUID}\). Extract all of the RP* directories into a directory on your analysis system (ie, D:\cases\case001\xp\restore).

3. To see the options used by RipXP, simply type:
C:\ripXP>ripxp

RipXP allows you to run one plugin across a designated hive file, and all corresponding hive files in the Restore Point directories.

C:\ripXP>ripxp -r d:\case\config\ntuser.dat -d d:\case\restore -p userassist
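
The LastWrite retrieval and translation described under "How does RegRipper work?", and RipXP's idea of looking at the same hive across Restore Point copies, sketched in Python as an added example (it is not RegRipper's code, which is Perl built on Parse::Win32Registry). Field offsets follow the publicly documented regf layout; the two sample hives, their timestamps and their labels are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # hive bins (and all cell offsets) start after the base block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020   # nk flag: key name is stored as ASCII, not UTF-16LE


def filetime_to_utc(filetime):
    """Translate a FILETIME (100 ns ticks since 1601-01-01 UTC) into a datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def base_block_checksum(hive):
    """XOR-32 of the first 508 bytes of the base block, as stored at offset 508."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", bytes(hive[:508])):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def read_root_key(hive):
    """Parse the root key node straight from the hive bytes, no Windows API involved."""
    if len(hive) < BASE_BLOCK_SIZE or hive[:4] != b"regf":
        raise ValueError("missing regf signature: not a registry hive")
    if struct.unpack_from("<I", hive, 508)[0] != base_block_checksum(hive):
        raise ValueError("base block checksum mismatch: damaged or altered header")
    root_offset = struct.unpack_from("<I", hive, 36)[0]
    cell = BASE_BLOCK_SIZE + root_offset
    if struct.unpack_from("<i", hive, cell)[0] >= 0:
        raise ValueError("root cell is marked unallocated")
    nk = cell + 4                                    # record follows the 4-byte cell size
    if hive[nk:nk + 2] != b"nk":
        raise ValueError("root cell does not hold a key node")
    flags, last_write = struct.unpack_from("<HQ", hive, nk + 2)
    subkeys = struct.unpack_from("<I", hive, nk + 20)[0]
    values = struct.unpack_from("<I", hive, nk + 36)[0]
    name_len = struct.unpack_from("<H", hive, nk + 72)[0]
    raw_name = bytes(hive[nk + 76:nk + 76 + name_len])
    name = raw_name.decode("latin-1" if flags & KEY_COMP_NAME else "utf-16-le")
    return {"name": name, "last_write": filetime_to_utc(last_write),
            "subkeys": subkeys, "values": values}


def lastwrite_timeline(hive_copies):
    """Root-key LastWrite for each copy of a hive, oldest first."""
    rows = [(read_root_key(data)["last_write"], label)
            for label, data in hive_copies.items()]
    return sorted(rows)


def build_sample_hive(last_write_filetime, name=b"ROOT"):
    """Constructed test data: a one-bin hive holding only a root key node.
    Only the fields that read_root_key() looks at are populated."""
    nk = bytearray(76) + name
    nk[0:2] = b"nk"
    struct.pack_into("<HQ", nk, 2, 0x0024, last_write_filetime)  # hive entry + ASCII name
    struct.pack_into("<H", nk, 72, len(name))
    cell_size = (4 + len(nk) + 7) & ~7               # cells are 8-byte aligned
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)        # bin offset, bin size
    struct.pack_into("<i", hbin, 32, -cell_size)     # negative size = allocated cell
    hbin[36:36 + len(nk)] = nk
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 4, 1, 1)           # matching sequence numbers
    struct.pack_into("<II", base, 20, 1, 3)          # format version 1.3
    struct.pack_into("<II", base, 36, 32, 4096)      # root cell offset, hive bins size
    struct.pack_into("<I", base, 508, base_block_checksum(base))
    return bytes(base + hbin)


if __name__ == "__main__":
    # Constructed FILETIMEs: 2016-05-26 and 2016-05-25, both 00:00:00 UTC.
    copies = {
        "current hive": build_sample_hive(131086944000000000),
        "restore point copy": build_sample_hive(131086080000000000),
    }
    for when, label in lastwrite_timeline(copies):
        print(when.isoformat(), label)
```

The checksum test rejects a hive whose header was damaged or edited before any offset in it is trusted, which is the kind of check a parser that reads raw hive files needs in place of what the operating system would otherwise do.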

——————————————————————————

RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of its activity in the same directory as the output file, using the same file name but with the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed at a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of its activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts now have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

The use and function of RegRipper is discussed in great detail in the book, Windows Registry Forensics.

How do I..

…install RegRipper?

Go to the download site for RegRipper and get the archive that contains the most recent version of RegRipper (in this case, rrv2.5.zip). Extract the archive into a directory on your system, such as “C:\rr”.

Next get the latest plugin archive, based on the date of the archive, and extract everything in the archive into “C:\rr\plugins”.

That’s it…you’re done. Either launch rr.exe (the GUI) or run rip.exe (CLI) from the command prompt.

…get a list of all plugins?

This is actually pretty straight-forward. To list all of the plugins in the \plugins folder, simply open a command prompt, navigate to the folder where you installed RegRipper, and type:

rip -l

Another way to see what plugins are available is to launch the Plugin Browser (pb.exe), and navigate through the list of plugins, one at a time. In order to get a .csv listing of the available plugins, use this command:

rip -l -c > plugins.csv

You can then open the resulting file in Excel.

In order to get just a listing of plugins available for a particular hive file (in this case, the Software hive), type:

rip -l -c | find ",Software" /i

Does RegRipper do…?

Perhaps one of the biggest misconceptions regarding the RegRipper plugins is whether or not it does specific things; that is, does it check for specific values, parse specific data, or enumerate the contents of specific keys? This isn’t the right question to ask.

From the beginning, RegRipper plugins have been created and updated based on needs. Some needs are relatively easy to meet, due to the availability of data; most Windows systems have a ‘Run’ key. Other plugins have been created/modified due to unique circumstances based on analysis; finding something new or unusual during an examination will very often result in a new plugin, or an update to an existing plugin.

Of those currently writing plugins, it appears that few have encountered systems on which the P2P application Ares has been installed and used. As such, the ares.pl plugin may be somewhat limited and not meet the complete needs of a specific examiner working on a specific case.

In short, the power of RegRipper is in the plugins, and for this to be a truly powerful tool, it depends on examiners sharing their needs and data beforehand, rather than asking, “Does it do…?” after the fact.

If you have any suggestions, recommendations, or questions about RegRipper, just ask Harlan.  Don't be afraid. Don't post all over the Internet that RegRipper doesn't do what you thought it would or is defective.  Ask Harlan. http://windowsir.blogspot.com


ASEPs

Auto-Start Extensibility Points (ASEPs) checked by RegRipper's plug-ins

Details

Run Keys

Software Hive Run keys

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

• HKLM\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• soft_run plugin

NTUSER.DAT Hive Run keys

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

o Run and Load values

• user_run plugin

System Services

• HKLM\System\CurrentControlSet\Services

o services plugin (list services by last write times)

o svcdll plugin (list services with ServiceDLL values)

o svc plugin (list services and drivers by last write times)

o svc_plus plugin (short format with warnings for type mismatches)

o svc2 plugin (csv output)

• Legacy registry keys located at HKLM\System\CurrentControlSet\Enum\Root

o legacy plugin

Software Registry Hive ASEPs

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

o winlogon plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls and init_dlls plugins

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls plugin

• HKLM\SOFTWARE\Microsoft\SchedulingAgent

o schedagent plugin

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

o shellext plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

o svchost plugin

System Registry Hive ASEPs

• HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

o appcertdlls plugin

• HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

o securityproviders plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

o lsa_packages plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\Session Manager\CWDIllegalInDllSearch

o dllsearch plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\SafeBoot

o safeboot plugin

NTUSER.DAT Registry Hive ASEPs

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon_u plugin

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

o load plugin

• HKCU\Software\Microsoft\Command Processor\Autorun

o cmdproc plugin

UsrClass.dat Registry Hive ASEPs

• HKCU\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell_u plugin

This section presents and discusses a list of artifact categories, as they relate to the RegRipper tools and plugins. As they are defined or described (see below), each of these categories applies specifically to artifacts found within the Windows Registry.

Many of the available Registry artifacts persist beyond file and program deletion, providing indications of system or user activity that occurred in the past.

Many artifacts can and may fall within multiple categories. For example, the File Access category by extension indicates Program Execution.

Multiple categories of artifacts can be used in analysis through the use of an analysis matrix.

Categories are identified within plugins as part of the configuration hash (%config) provided as part of the plugin. The use of categories in this manner does not obviate the use of profiles within RegRipper; instead, it enhances that capability.

Note: This should be considered to be a living document, subject to update and modification.

Category Definitions

What follows are some of the categories that have been identified, along with descriptions of each of the categories.

Where applicable, examples of available RegRipper plugins are provided.

OS Info

Basic OS information, such as version, installation date, install source path, time zone information, etc.

Example plugins: winver.pl, compname.pl

User Account Info

Basic user account information.

Example plugins: samparse.pl, profilelist.pl

Network Configuration

Artifacts associated with the network configuration of the system.

Example plugins: compname.pl, networklist.pl

AutoStart

Registry artifacts associated with the autostart of applications and programs (those programs/applications that are launched with no interaction from the user or system).

This category can overlap with and include some of the same artifacts as those from the Program Execution category.

Example plugins: services.pl, legacy.pl

Program Execution

Artifacts that relate to or indicate that programs were executed.

Example plugins: appcompatcache.pl, direct.pl, sysinternals.pl, muicache.pl, userassist.pl

Installed Programs

Installed Programs artifacts differ from Program Execution artifacts, in that many applications/programs are installed on a Windows system via a setup.exe file, or via an MSI file. As such, the program itself has artifacts in the Software hive, and then user-specific artifacts "live" in the user's NTUSER.DAT hive.

An example of this includes Adobe Reader; the Software hive will contain information about the system-wide application configuration, while the NTUSER.DAT hives will indicate not only which user(s) launched the application, but also maintain an MRU list of files that the user accessed.

Note: A program or application can be installed, but may not have been executed.

Example plugins: apppaths.pl

Storage Information

This category pertains to the usage of or access to storage media, including (but not limited to) USB devices, network shares, "cloud" storage, etc.

Example plugins:

Log Info

This category pertains to artifacts related to the configuration of log files on the system, which can include Windows Event Logs, as well as application specific logs.

Example plugins:

Malware

This category pertains to artifacts that specifically provide indications of malware infection or activity. This category differs from the AutoStart category, in that legitimate applications can make use of AutoStart artifacts. In many instances, the AutoStart or Program Execution categories can be used to extract general information (i.e., contents of the Run key, etc.) that the analyst can review, while plugins in the Malware category can be used to look for specific artifacts related to specific malware samples or malware families.

Examples of malware-specific artifacts include:

  • Variants of Zeus have been known to add "sdra64.exe" to the UserInit Registry value
  • OSVersion

Example plugins: osversion.pl, zeus.pl

File Access

This category pertains to files that a user has accessed, which is most often through the use of a specific application. As such, artifacts within this category will indicate Program Execution (or usage), but the purpose of this category is to provide indications of files that a user specifically had access to, via downloading, or through creation or modification.

Example plugins: recentdocs.pl, trustrecords.pl

Communications

This category can be a subset of the Installed Programs and Program Execution categories, and is specific to programs/applications intended for off-system communications. While the Program Execution category may be used to look for indications of the use of ftp.exe or chat programs, this category is intended for communication application-specific artifacts.

Example plugins:

Analysis Matrix

The above listed categories can be used in an analysis matrix; several categories of artifacts may be used in specific types of analysis activities.

The following table is a notional analysis matrix, and is intended to serve as a starting point for both discussion and analysis:

                  | Malware Detection | Data Exfil | Unauth Use | Illicit Images
Program Execution | X                 |            |            | X
Malware           | X                 |            |            | X
File Access       |                   | X          |            | X
Storage Info      |                   | X          |            | X
Comms             | X                 | X          |            |

 

Tool Architecture  

RegRipper is actually a suite of tools that all rely on a core set of functionality.

Helper Functions

The main user interface (UI) tools for RegRipper (ie, the RegRipper GUI and the rip CLI tools) provide a number of functions to the plugins. These functions are included in a separate .pl file, and are accessed by the UI code via the require pragma (allows the code to be loaded at run-time). This allows for the following:

  • The one set of code is available to the UI tools in a uniform manner.
  • The helper function code can be updated and made available without requiring the tools themselves to be completely recompiled.
  • The code is completely transparent; anyone can open the helper files and see what the code is doing.

Note: In order to make the code portable and usable by the widest range of users, any modules required to use the helper functions (ie, Time::Local) will be compiled into the UI.

Time

This section is about how time is treated on Windows systems, as well as the various time formats found on Windows systems.

Formats

Time is recorded in a number of formats on Windows systems. Even though MS maintains a page that discusses time formats, there are other formats available, as well.

Unix Time

Unix epoch time - yes, there are time values recorded on Windows systems in the 32-bit Unix epoch time format, which is the number of seconds since midnight UTC, 1 Jan 1970.

This time format has a granularity of 1 second.

This time format is found in Windows XP/2003 Event Log records, as well as some Registry value data.

To convert this time format to something readable, use the built-in gmtime() function.

DOSDateTime

DOSDateTime - Date and time format encoded in two 16-bit values. Used as part of the shell item format specification, described by Joachim Metz. Shell item ID lists appear in the Shell\BagsMRU Registry values, as well as part of the MS-SHLLINK binary format for Windows shortcut files.

This time format has a granularity of 2 seconds.

Python code for translating the DOSDateTime values into something readable can be found as part of the libforensics package.

Perl code (note: requires the Time::Local module to translate to a Unix epoch time):

sub convertDOSDate {
  my $date = shift;
  my $time = shift;
  if ($date == 0x00 || $time == 0x00){
    return 0;
  }
  else {
    my $sec = ($time & 0x1f) * 2;
    $sec = "0".$sec if (length($sec) == 1);
    my $min = ($time & 0x7e0) >> 5;
    $min = "0".$min if (length($min) == 1);
    my $hr  = ($time & 0xF800) >> 11;
    $hr = "0".$hr if (length($hr) == 1);
    my $day = ($date & 0x1f);
    $day = "0".$day if (length($day) == 1);
    my $mon = ($date & 0x1e0) >> 5;
    $mon = "0".$mon if (length($mon) == 1);
    my $yr  = (($date & 0xfe00) >> 9) + 1980;
    return "$yr-$mon-$day $hr:$min:$sec";
#   return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));
  }
}

UUID

UUID - Windows systems maintain volume GUIDs, particularly those associated with volumes beneath the MountedDevices and MountPoints2 keys, in UUIDv1 format. Part of this format specification includes a 60-bit time value, which indicates the number of 100-nanosecond intervals since 15 Oct 1582 (this date is described in the RFC as the date of Gregorian reform to the Christian calendar).

This time format has a granularity of 100 nanoseconds.

Note: This format also includes a "node" value, which for several of the volume GUIDs is a MAC address that was available on the Windows system at the time that the GUID was generated.
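The UUIDv1 layout described above, worked through as an added Python example (not RegRipper code, which is Perl): it extracts the 60-bit time and the node from a volume GUID given either as text or as the 16 raw bytes in Windows byte order. The function names and both sample GUIDs are constructed for illustration.

```python
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# UUIDv1 timestamps count 100-nanosecond intervals from this date (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample values, not taken from any real system.
SAMPLE_V1 = r"\??\Volume{5e2a1f40-90f1-11e0-8c3b-001122334455}"
SAMPLE_V4 = "{f47ac10b-58cc-4372-a567-0e02b2c3d479}"

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_guid_bytes(raw):
    """Decode a 16-byte GUID in Windows byte order (first three fields
    little-endian) and pull out the UUIDv1 time and node when present."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes, got %d" % len(raw))
    time_low, time_mid, time_hi_ver = struct.unpack("<IHH", raw[:8])
    node = raw[10:]
    info = {
        "guid": "{%s}" % uuid.UUID(bytes_le=raw),
        "version": time_hi_ver >> 12,
        "ticks": None,
        "timestamp": None,
        "node": None,
        "node_is_random": None,
    }
    if info["version"] != 1:
        return info  # only version 1 embeds a time and a node
    # 60-bit count: 12 bits of time_hi, 16 of time_mid, 32 of time_low
    ticks = ((time_hi_ver & 0x0FFF) << 48) | (time_mid << 32) | time_low
    info["ticks"] = ticks
    # datetime resolves microseconds, so the last 100 ns digit is dropped
    info["timestamp"] = GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)
    info["node"] = ":".join("%02x" % b for b in node)
    # RFC 4122 section 4.5: a node that is not a real IEEE 802 address
    # has the multicast bit (lowest bit of the first octet) set
    info["node_is_random"] = bool(node[0] & 0x01)
    return info


def parse_guid_string(text):
    """Find the GUID inside a key or value name and decode it."""
    match = GUID_RE.search(text)
    if match is None:
        raise ValueError("no GUID found in %r" % text)
    return parse_guid_bytes(uuid.UUID(match.group(0)).bytes_le)


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4):
        print(parse_guid_string(sample))
```

A GUID whose version is not 1 comes back with no timestamp or node, so neither should be reported for it.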

FILETIME

FILETIME - A 64-bit time value representing the number of 100-nanosecond intervals since midnight UTC, 1 Jan 1601. Used pervasively throughout Windows systems, and can be found:

  • $STANDARD_INFORMATION and $FILE_NAME attributes within MFT records
  • Registry key properties
  • Registry value data

This time format has a granularity of 100 nanoseconds.

Perl code for translating a FILETIME object into a Unix epoch time (borrowed from Andreas Schuster):

#-------------------------------------------------------------
# getTime()
# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
# to gmtime() or localtime()
#-------------------------------------------------------------
sub getTime($$) {
  my $lo = shift;
  my $hi = shift;
  my $t;

  if ($lo == 0 && $hi == 0) {
    $t = 0;
  } else {
    $lo -= 0xd53e8000;
    $hi -= 0x019db1de;
    $t = int($hi*429.4967296 + $lo/1e7);
  };
  $t = 0 if ($t < 0);
  return $t;
}

SYSTEMTIME

SYSTEMTIME - 128-bit format, and according to MS, "The time is either in coordinated universal time (UTC) or local time, depending on the function that is being called." This time format is used in a number of artifacts on Windows systems, including (but not limited to) in XP Scheduled Task/.job files, as well as in value data beneath the Vista/Win7 NetworkList key (within the Software hive).

It is important to note that this value can be stored in the Registry in either UTC or localtime format. Beneath the NetworkList key, for example, the value is stored in localtime format.

This time format has a granularity of 1 millisecond.

Example Perl code to parse this date format appears as follows:

sub parseDate128 {
  my $date = $_[0];
  my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
                      "Aug","Sep","Oct","Nov","Dec");
  my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
  my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
  $hr = "0".$hr if ($hr < 10);
  $min = "0".$min if ($min < 10);
  $sec = "0".$sec if ($sec < 10);
  my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
  return $str;
}

Strings

Strings - Date and time values may be stored in Registry value data in string format; ie, "2011-06-07" or "1/2/2011". This is often found in Registry values in specific applications.

To convert data stored in this format to a Unix epoch time, parse the strings and use the Time::Local module to convert the information.

File System Tunneling

MS KB172190 describes file system tunneling, which can have a significant impact on your analysis.

Links

MS KB299648: Description of NTFS date and time stamps

MS: File Times

MS KB188768: Working with the FILETIME structure

MS: SYSTEMTIME structure

MS: DosDateTimetoFileTime function

Software Sleuthing: DateTime formats and conversions

Old New Thing Blog: DateTime formats and conversions

Shellbags

MS KB 813711 describes what actions cause data to be added to the Shell Bags values.

The structure of shell items is very important to understand, as these structures are used in multiple locations on Windows systems, not just in the Shell BagMRU subkeys within the Registry. For example, the structures are used in the shell item ID list section in Windows shortcut LNK files, as well as within the LNK streams in .automaticDestinations-ms Jump List files on Windows 7. These structures are also used within the data of values beneath the OpenSavePidlMRU keys within the Windows 7 NTUSER.DAT hives (full path is "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU").

As such, being able to recognize and parse these structures is essential to being able to fully understand the data that you're looking at, and what it's telling you.

GUIDs

The Variable type (type == 0x00) data structures can contain a variety of information, in various formats. One of the data structures, in particular, can be seen (when viewed in hex) to contain "1SPS" in several places. If the data is broken up, using "1SPS" as a separator (ie, via Perl's split() function), the first 16 bytes of each section appears to be a GUID.

One GUID in particular appears as follows:

{B725F130-47EF-101A-A5F1-02608C9EEBAC} - Ref: Schema (Windows)

Apparently, this GUID applies to both desktop and Metro-style (Win8) apps, and is referred to as both a SHCOLUMNID and a PROPERTYKEY structure. The contents of the subsection of data that begins with this GUID can be further parsed using a distinct set of rules.

References

MS: Canonical Names of Control Panel Items

MS: Known Folder GUIDs

MS: KnownFolderID

Links

Joachim Metz's Windows Shell Item format specification paper (PDF)

ShellBagMRU.py, part of Registry Decoder (written by Kevin Moore)

Willi Ballenthin's Windows Shellbag Forensics

Alerts

The purpose of adding alerts (or an alerting function, via alertMsg()) is to provide a facility for identifying items of interest (from previous analyses) within the vast wealth of data available within a Windows system, and in particular the Registry. This allows an analyst to identify "low-hanging fruit" that may be of value to an examination.

This page will serve as a facility for collaboration amongst the admins of this site, to add, revise, and hone the information alerted on within various plugins.

Plugins

Many plugins provide path information that can be searched via grep() for specific indicators of suspicious or malicious activity:

  • appcompatcache.pl
  • userassist.pl
  • service.pl - also, added Beth S.'s checks from svc_plus.pl to the services.pl plugin

Note: To avoid issues with case sensitivity, process the path through the lc() function first, and then grep for the lower-case string of interest.

Paths

Below are some paths to check for:

  • Recycle
  • GlobalRoot
  • System Volume Information
  • App + Data (gets "Application Data", and "AppData")
  • Temp
  • ADSs - split() the path, check the final element for a colon

Example Code:

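my @vals = ("Recycle","GLOBALROOT","System Volume Information", "Temp",
  "Application Data","AppData");

# $_ holds the path being checked; compare in lower case on both sides
my $path = lc($_);
foreach my $v (@vals) {
  my $lcv = lc($v);
  ::alertMsg("ALERT: ".$v." found in path: ".$_) if (grep(/\Q$lcv\E/,$path));
}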

Example ADS Check:

my @vals = split(/\\/,$_);

my $int = scalar(@vals) - 1;

::alertMsg("ALERT: Possible ADS found: ".$_) if (grep(/:/,$vals[$int]));

Other Checks

 

  • appinitdlls.pl - generate an alert if the value is NOT blank
  • imagefile.pl - generate an alert if a Debugger value is found
  • attachmgr.pl - generate an alert based on MS KB 883260
  • winlogon.pl - generate several alerts; UserInit value with multiple entries, 'TaskMan', 'System', 'load' or 'run' values found, etc.

Checking for Encryption

 

  • MountedDevices key - check value data for "TrueCryptVolume"; access to a TrueCrypt volume often results in a volume GUID within the MountedDevices key that includes "TrueCryptVolumeN" in the data (with N being a volume letter)
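The checks listed under Other Checks and Checking for Encryption, sketched as an added Python example (not RegRipper plugin code, which is Perl). The dictionary layout, the run_checks() name and the sample values are assumptions constructed for illustration; a real plugin reads these keys from the hive file.

```python
WINLOGON = r"Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"Microsoft\Windows NT\CurrentVersion\Windows"
IFEO = r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
MOUNTED = "MountedDevices"

# Constructed samples: {key path: {value name: data}}.
SAMPLE = {
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,"
                           r"C:\WINDOWS\system32\sdra64.exe,"},
    WINDOWS: {"AppInit_DLLs": ""},
    IFEO + r"\example.exe": {"Debugger": r"C:\Temp\dbg.exe"},
    MOUNTED: {r"\DosDevices\C:": bytes.fromhex("a1b2c3d40000100000000000"),
              r"\DosDevices\T:": b"TrueCryptVolumeT"},
}
CLEAN = {
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    WINDOWS: {"AppInit_DLLs": ""},
    IFEO + r"\example.exe": {"GlobalFlag": "0x0"},
    MOUNTED: {r"\DosDevices\C:": bytes.fromhex("a1b2c3d40000100000000000")},
}


def fold(keys):
    """Registry key and value names are case-insensitive; fold both."""
    return {k.lower(): {n.lower(): d for n, d in vals.items()}
            for k, vals in keys.items()}


def run_checks(keys):
    """Return one alert string per finding, in a fixed order."""
    k = fold(keys)
    alerts = []

    # appinitdlls.pl: alert if the value is NOT blank
    appinit = k.get(WINDOWS.lower(), {}).get("appinit_dlls", "")
    if appinit.strip():
        alerts.append("ALERT: AppInit_DLLs is not blank: " + appinit)

    # imagefile.pl: alert if a Debugger value is found beneath any subkey
    prefix = IFEO.lower() + "\\"
    for path, vals in sorted(k.items()):
        if path.startswith(prefix) and "debugger" in vals:
            alerts.append("ALERT: Debugger value for %s: %s"
                          % (path[len(prefix):], vals["debugger"]))

    # winlogon.pl: Userinit with multiple entries (the value normally ends
    # in a comma, so empty fields are dropped before counting)
    winlogon = k.get(WINLOGON.lower(), {})
    entries = [e.strip() for e in winlogon.get("userinit", "").split(",")
               if e.strip()]
    if len(entries) > 1:
        alerts.append("ALERT: Userinit has multiple entries: "
                      + ", ".join(entries))
    # Assumption: Taskman/System are alerted on only when they hold data
    for name in ("taskman", "system"):
        if winlogon.get(name, "").strip():
            alerts.append("ALERT: Winlogon %s value found: %s"
                          % (name, winlogon[name]))

    # MountedDevices: look for "TrueCryptVolume" in the binary value data.
    # Assumption: both ASCII and UTF-16LE encodings are checked.
    marker = "TrueCryptVolume"
    for name, data in sorted(k.get(MOUNTED.lower(), {}).items()):
        if marker.encode("ascii") in data or marker.encode("utf-16-le") in data:
            alerts.append("ALERT: TrueCrypt volume in MountedDevices: " + name)
    return alerts


if __name__ == "__main__":
    print("\n".join(run_checks(SAMPLE)))
```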