Wednesday, November 25, 2009

You just gotta think outside the box...the logical box that is!

I recently ran across an article published by well-knowned security researcher Joanna Rutkowska. She prepared a very detailed article on a new attacked she calls the "Evil Maid Attack" - named after a possible "vector of attack." An attack can be launched by an infected USB thumbdrive (full .img image available on the site), which is inserted into a powered-down laptop. The laptop is booted to the USB drive, and after 1-2 minutes, the hard drive is infected with the "Evil Maid Attack." The next time the owner boots his laptop and enters his encryption password, it is captured for retrieval. The attacker simply boots the laptop a second time, again with the infected USB thumbdrive, and the password is displayed.

A full explanation for how this attack works is on her website. (hint...first 63sectors of Physical drive, locates TrueCrypt loader, launches attack to hook the TrueCrypt function that asks for the password.....)

When the image is run against anti-malware programs, the following results were obtained:
VirusTotal 1/41 (Sophos)
Jotti's 1/21 (Sophos)

Like I have to think outside of the "logical box".

Friday, November 13, 2009

Internet Evidence Finder - new release and more

Jad from JadSoftware has released v3.0 of Internet Evidence Finder. While the program has now made the move to commercial, I doubt you'll find another tools that is as effective at parsing out artifacts as does this program. The pricing ranges from $29.99 for a single licence, to $129.99 for an unlimited site licence. In the field of forensics, we pay more for add-ons.

I'm not sure where Jad finds the time, but he has added several more features. Included in the 10 new features are Limewire® ver 5.3.6 Search History, Limewire.props files, IE8 InPrivate/Recovery URLs, Yahoo!® Messenger Group Chat, Yahoo!® Webmail email, Hotmail® Webmail email, AOL® Instant Messenger chat logs, Messenger Plus!® chat logs, MySpace® chat, Bebo® chat. He includes an index.htm page to index the some the searches and made several tweaks to the existing searches. The program is FREE for Law Enforcement use (thanks Jad!).

On top of that, he has created another program called Facebook JPG finder (v1.0.0). The program will search for images, and provide details about the date/times of the file, MD5, location, and possible ID/Profile name. He qualifies the program by indicating that the user must realize that the program locates the photo and cannot guarantee the photos are from Facebook.

Oh yeah...those in Law Enforcement and may be looking for an "Incident Response/Live Analysis" scripted tool, head on over to . They have been kind enough to post the law enforcement version of DriveProphet for free use. I realize that those who consider themselves "masters" of all, this program (an in fact Cofee) can be defined as scripted tools that simply automate the use of other freely available tools. You know WHAT...we aren't all as gifted as others....we occasionally need formatted and trusted tools which we are confident will do the job, in a prompt and efficient time, and punch out a nicely formatted report for our investigations. Maybe it's just me, but I simply cannot recall the commands and switches for 20-50 commands, which I like to run during incident response. FWIW....

Wednesday, November 4, 2009

Raptor - another solid tool updated...

The folks over at Forward Discovery, Inc have updated their Intel-based Mac forensic boot-cd Raptor. You will find two versions of the product, one aimed at the Intel-based processor, and the other for the PPC (beta). I personally have used the Intel-based CD and found it to work flawlessly. Although Apple has been kind enough to make the hard drives in the recent MacBook Pro more accessible, the older versions are very difficult to disassemble; particularly if you may be required to image a device in a "time-sensitive" situation (and perhaps without others knowing ....).

Raptor can image in DD, EnCase .E01, DMG or even clone to a destination drive, which can be formatted FAT32, NTFS, EXT3 or HFS+. And for those who prefer to create a pristine, original image and a lab image to analyze, you can create two simultaneous images at the same time.

I haven't had an opportunity to use the PPC version, except for testing it on a few lab models. I recall having to play with the boot options to get the disk to boot properly.

That being said, I'm very anxious to get this image burn and "take 'er for a rip." This IS a tool you should have in your toolkit. From what I've seen in the forensic community, the staff at Forward Discovery are great to deal with as well.

I'll keep you updated.........

Thursday, October 29, 2009

FTK 3.01 and IEF

I realize that there are many who are still sore over the troubles with v2.0 of FTK. But I've been using v3.01 (x64) for a few weeks now, and I'm quite impressed. While there are a few of the nagging issues that continue to annoy me (lack of ability to use "sweeping bookmarks"), the product seems to have integrated several other features that make up for these other small annoyances. First of all, it's MUCH faster. Remember trying to sort a column in v1.8x - no more! The time to sort a column, remove checkmarks, load images.... everything seems to move much faster. I like the integration of Registry reporting, indexed search results and the flexible reporting options. The carving and sorting of files into various categories is impressive. If only you could find a way to make it easier for an investigator to go through thousands of HTML pages in search for emails, banking artifacts, etc!

Admittedly, I installed FTK onto a new clean machine but colleagues in our office have upgraded from v2.0x and are also seeing similar advantages.

My suggestion to Accessdata - more research and whitepapers ie: Vista Registry, more information on using FTK for Mac analysis, etc.

Overall, very impressed by these significant upgrades and improvements.

Also, take a look at Jad's site. He's been busy working on his program, Internet Evidence Finder and has made some significant improvements - now up to v2.07. A quick poll at our last office meeting - over 1/2 of our investigators are using his product. Keep it coming Jad- much appreciated!

Caine v1.0

I see that CAINE has released v1.0 today - from it's previous 0.5 release. From an initial view, it appears that many of the included programs have been updated. Overall, it has a nice selection of tools, including those used for both acquisition and analysis (Sleuthkit 3.01, MDD, Autopsy 2.21, Winen, Win32DD and probably about another 50 tools). Clear instructions on how to create a bootable USB drive as well.

The mounting policy claimed by the program states that it is the "same as Helix" and when the user clicks on a drive, it will mount as read-only. If the user mounts in terminal, it will mount "rw" by default unless the necessary "ro" commands are included.

Not sure how you feel about these all-inclusive tool sets, but like SIFT, it's nice to have all the necessary tools in a bootable CD or VM. Reboot and your workspace is clear.

Downloading v1.0 right now......let's take it for a spin!

Monday, October 12, 2009

NirLauncher package

NirSoft tools has introduced a new "front-end tool" allowing approx 100 of their tools to be run from a GUI console. The tool, named NirLauncher, can be run from a directory created on a USB thumbdrive. The tool qualifies if the program can be run on a 32 and/or 64 bit system and allows you to integrate SysInternals tools into the program. At this time, they warn against using the product in "Run as Administrator" mode in Vista and Windows7 until a bug has been fixed. Nice addition to a fantastic tool set! Be sure to read the comments on his blog for additional tips and reviews from readers.

Sunday, October 11, 2009

Live Forensics just got a little easier....

Matthieu Suiche has released his latest version of his imaging tool "win32dd" (v. 1.3 final). Up until now, I've been using FastDump Pro and Winen as my imaging tools, largely because of the robustness and wide range of OS's, >4GB and 32vs64 bit platform support. With the release of Matthieu's latest tools (which I see has been under beta testing), you can be assured that this tool will also be making it to my list of memory acquisition tools. All this and MD5, SHA1 and SHA256 support.

What I find intriguing about this new product is the fact that you have the option of generating a "blue screen" or send a system into hibernation.

Matthieu has a great slide presentation titled "Challenges of Windows physical memory acquisition and exploitation". The presentation was given at Shakacon2009.

With the enhanced abilities of these tools, I'm interested in finding solutions to faster acquisition times using USB drives. Any comments? (ie: Thumbdrives with fast i/o times, external USB 2.5" drive, SSD, how about a SD card with 30MB/Sec transfer speed?) With larger and larger acquisitions, the time at scene is becoming an issue.

Wednesday, September 9, 2009

LiveDetector - H11 Digital Forensics

I spent some time testing LiveDetector from H11 Digital Forensics. The program(s) can be run from a CD however, I chose to run it from a USB thumbdrive to allow the output files/report to be exported.

When I first looked at the tool, I noticed that is uses Mantech Memory DD to capture RAM. Although this product captures a nice variety of 32-bit Windows OS's, it is "governed" by a 4GB RAM maximum and I read nothing about it working for 64-bit machines. The GUI is very easy to understand but does not allow for configuration of process (to run). The tool allows you to "Collect Volatile Data" (including or excluding RAM) and "Collect Nonvolatile Data".

Data is exported to a directory defined during the initial screen which allows you to enter case "tombstone" information. Reporting is actually quite nice. Sharp HTML reports with links to report generated by the individually-run apps. The apps are almost exclusively Nirsoft apps.

Overall, the program ran very nice. I'm not sure if the program is at the level that I could recommend it for "forensic" or "incident response" but perhaps for non-evidentiary type data collection. Two other suggestions: consider a more robust RAM acquisition tool and allow a greater degree of configurability ie: allowing user to chose which tools/features to run. .... now that Win32dd has been renamed Windd and supports 64-bit systems. Thanks Matthieu!!
Price: free

Wednesday, September 2, 2009

Accessdata Imager Lite and RAM

Accessdata has recently released it's lite version of Imager, which now has the ability to image RAM - Imager v2.6.1. The full install version came out a while back, but recently they update their lite version. Haven't had an opportunity to test it beyond 32-bit XP, but the free all-in-one product is appealing. Only tools you'll need is forensically clean USB Thumbdrive. Give yourself some room to spare and consider imaging the RAM to the thumbdrive. I'm waiting for information on the memory footprint. Updates like this certainly add polish to v2.2.1 of it's full FTK product which I've recently added to my arsenal. Take my word - it's now worth the upgrade from v1.8.
Next.....speed. I'm really thinking that my new Digital Media card - SanDisk Extreme III -(30MB/Sec) may allow faster acquisition. Certainly faster than my cheap $9 thumbdrive. Time to dig out the benchmark software.

Monday, August 31, 2009

"Click" kiddies

I was doing an assessment today and thought to myself....outside of using our traditional commercial forensic software, what steps has this employee taken to the "why" and "how" the software does what it does.

Have we become too reliant on software that does "what it is supposed to do" or are you routinely validating the software to ensure it's accuracy? It seems to me that the course materials being taught in the SANS Forensic tracks do just that - teach us how to use more of a "grassroot type" forensics whereby we are able to better validate our results.

My conclusion - we need a little bit of both. The commercial software is polished and quite frankly, I don't know if we could keep up without it. That being said, as a Forensic Analyst I believe it is important for us to "question the obvious", "test our theories" and quite frankly, do what we can to disprove our assumptions. Back to basics - when we can answer the 5 "W's" and "how", perhaps we can truly be confident of the integrity of our results.

Saturday, August 29, 2009

Internet Evidence Finder - IEF

Trying a tool from JadSoftware which can be run against a physical drive, or a logically mounted drive (PDE, Mount Image Pro) or a single file (such as a imaged memory, pagefile or hyberfil). Tool now extracts:
  • Facebook Chat
  • Yahoo Messenger Chat
  • Live Messenger Chat
  • GoogleChat
  • Yahoo Mail Chat
  • Facebook Page Fragments
  • Limewire Search History
  • GMail fragments

Output is placed into folders that are created for each type of evidence being searched for. From initial testing, it appears to work quite nice and has even pulled chat that EnCase EnScripts have missed. The program references the physical sector where the chat/fragments, etc are located allowing for a manual verification.

v2.0.1 now released. Price: Free.

Update August 31st, 2009
And v2.0.2 was released today to correct the accuracy of a LimeWire Keyword Search.