Web shells epitomize the hacking tenet of hiding in plain sight.  In a previous post, we showed how a web shell can hide as a single file among thousands on a web server, or as a single line of code in an otherwise legitimate page on a site. The best web shells are not detected by anti-virus and can defeat vulnerability scanners by gating their functionality behind a secret cookie or HTTP header value, so a scanner that requests the page never sees anything malicious. Identifying the presence of a web shell can be difficult, but there are effective and repeatable ways to find them in your network. Today we will cover log review, concentrating on the following techniques:

  • SQL injection identification
  • Directory enumeration
  • Statistical web log analysis
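
The three techniques run over a handful of access-log lines, as an added example that is not part of the original post. The log lines are constructed (Apache/nginx combined format), the SQL injection signature list is illustrative rather than complete, and the thresholds (ten 404s inside sixty seconds, a URI seen from at most two client IPs with at least half of its hits being POSTs) are assumptions chosen for this toy data set, not values from the post:

```python
"""Hunt for web shell activity in web server access logs using three log-review
techniques: SQL injection signatures, directory-enumeration bursts and a
statistical look for rarely visited, POST-heavy URIs.  Added example; the log
lines below are constructed, not taken from a real server."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample traffic in Apache/nginx "combined" format.
_LEGIT = [
    '203.0.113.5 - - [10/Dec/2013:09:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2013:09:12:03 -0500] "GET /about.php HTTP/1.1" 200 3400 "http://www.example.com/index.php" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Dec/2013:09:20:15 -0500] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/index.php" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2013:09:21:02 -0500] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/index.php" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Dec/2013:09:22:48 -0500] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/index.php" "Mozilla/5.0"',
]
_ATTACKER = [
    # A URL-encoded SQL injection probe, then a planted shell being driven over POST.
    '198.51.100.7 - - [10/Dec/2013:09:15:10 -0500] "GET /products.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2013:10:02:11 -0500] "POST /images/.cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2013:10:05:30 -0500] "POST /images/.cache.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
]
# Twelve 404s in twelve seconds: the attacker guessing directory names.
_ENUM = [
    f'198.51.100.7 - - [10/Dec/2013:09:15:{40 + i:02d} -0500] "GET /{name}/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"'
    for i, name in enumerate(["admin", "backup", "old", "test", "tmp", "upload",
                              "db", "phpmyadmin", "cgi-bin", "console", "shell", "cmd"])
]
SAMPLE_LOG = "\n".join(_LEGIT + _ATTACKER + _ENUM) + "\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Illustrative SQLi signatures only; a production list is longer and tuned to the application.
SQLI_RE = re.compile(
    r"(\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'|\bsleep\s*\(|"
    r"\bbenchmark\s*\(|information_schema|\bxp_cmdshell\b|;\s*drop\b|--\s*$)", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        # Decode twice so %2527-style double encoding does not slip past the signatures.
        e["decoded_uri"] = unquote_plus(unquote_plus(e["uri"]))
        entries.append(e)
    return entries


def find_sqli(entries):
    """Technique 1: requests whose decoded URI carries a SQL injection signature."""
    return [e for e in entries if SQLI_RE.search(e["decoded_uri"])]


def find_dir_enum(entries, window_s=60, threshold=10):
    """Technique 2: source IPs producing >= threshold 404s inside any window_s-second window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def rare_uris(entries, max_ips=2, min_post_ratio=0.5):
    """Technique 3: URIs hit by very few client IPs and driven mostly by POST.
    A shell is normally visited only by its operator and receives commands by POST;
    a real login form is also POST-heavy but sees many different clients."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "ips": set()})
    for e in entries:
        s = stats[e["uri"]]
        s["hits"] += 1
        s["ips"].add(e["ip"])
        s["posts"] += int(e["method"] == "POST")
    return {uri: {"hits": s["hits"], "unique_ips": len(s["ips"]), "post_ratio": s["posts"] / s["hits"]}
            for uri, s in stats.items()
            if len(s["ips"]) <= max_ips and s["posts"] / s["hits"] >= min_post_ratio}


def hunt(text):
    entries = parse_log(text)
    return {"sqli": find_sqli(entries), "dir_enum": find_dir_enum(entries), "rare_uris": rare_uris(entries)}


if __name__ == "__main__":
    for technique, result in hunt(SAMPLE_LOG).items():
        print(technique, [e["decoded_uri"] for e in result] if isinstance(result, list) else result)
```

On real logs the statistical pass is the one that needs a baseline: run `rare_uris` over weeks of traffic rather than a day, and treat "few unique clients, mostly POST, no referer" as a lead to pull the file and inspect it, not as a verdict.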

Continue Reading…

It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable resources defending themselves as each new embarrassing revelation becomes public. The trickle-down effect of this is even touching the small niche of digital forensics. Personal privacy has been central to the Snowden debate, and users today are more educated than ever about how their information is stored and transmitted. Web services companies are taking notice, and we have already seen some very useful artifacts disappear. I expect the trend to continue and would like to share a few examples.

Google Chrome

On October 1, 2013, version 30 of Google Chrome was released. Absent in this release was one of the most distinctive browser artifacts available: History Index files. Prior to version 30, Chrome not only stored browser history, cache and cookies but also kept a full-text index of the content of each visited page. Since page content changes over time, this was a wonderful forensic artifact for proving what a page contained at the moment the user viewed it. Chrome version 30 not only stopped recording this information, it also deleted any existing History Index files from the user's profile.


Figure 1: The Chrome c2body field previously held a full text index of visited pages.
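
How an examiner used this artifact, as an added example with constructed data rather than anything from the original post or from Chrome itself. The table layout is an assumption made for illustration: an FTS3 virtual table `pages` with `url`, `title` and `body` columns (whose shadow table `pages_content` exposes them as `c0url`, `c1title` and `c2body`, the field shown in Figure 1) and an `info` table keyed by document id that holds the visit time in Chrome's microseconds-since-1601 format. The two sample visits to the same URL with different page text show why the index mattered:

```python
"""Querying a stand-in for a Chrome History Index database of the kind removed in
Chrome 30.  Added example with constructed data; the FTS3 'pages' table, the
pages_content shadow table (c0url/c1title/c2body) and the 'info' table holding the
visit time are an assumed layout used for illustration."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome timestamps are microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer division keeps full microsecond precision (a float would not above 2**53).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Constructed visits: the same URL seen twice with different page content.
SAMPLE_VISITS = [
    (1, "http://www.example.com/news/", "Example News",
     "Board approves merger with Contoso pending regulatory review",
     datetime(2013, 9, 14, 15, 22, 7, tzinfo=timezone.utc)),
    (2, "http://www.example.com/news/", "Example News",
     "Merger talks with Contoso have ended; no deal was reached",
     datetime(2013, 9, 20, 9, 5, 41, tzinfo=timezone.utc)),
    (3, "http://www.example.org/faq", "FAQ", "How to reset your password",
     datetime(2013, 9, 21, 11, 0, 0, tzinfo=timezone.utc)),
]


def build_sample_index():
    """Create an in-memory stand-in for a monthly 'History Index' file (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE VIRTUAL TABLE pages USING fts3(url, title, body)")
    db.execute("CREATE TABLE info(time INTEGER NOT NULL)")
    for docid, url, title, body, visited in SAMPLE_VISITS:
        db.execute("INSERT INTO pages(docid, url, title, body) VALUES (?, ?, ?, ?)",
                   (docid, url, title, body))
        db.execute("INSERT INTO info(rowid, time) VALUES (?, ?)",
                   (docid, datetime_to_webkit(visited)))
    db.commit()
    return db


def search_index(db, query):
    """Full-text search across indexed page bodies, oldest visit first."""
    rows = db.execute(
        "SELECT pages.url, pages.title, pages.body, info.time FROM pages "
        "JOIN info ON info.rowid = pages.docid WHERE pages MATCH ? ORDER BY info.time",
        (query,)).fetchall()
    return [(url, title, webkit_to_datetime(t), body) for url, title, body, t in rows]


def page_versions(db, url):
    """Every indexed body for one URL, oldest first, read from the c2body shadow column."""
    rows = db.execute(
        "SELECT info.time, pages_content.c2body FROM pages_content "
        "JOIN info ON info.rowid = pages_content.docid WHERE pages_content.c0url = ? "
        "ORDER BY info.time", (url,)).fetchall()
    return [(webkit_to_datetime(t), body) for t, body in rows]


if __name__ == "__main__":
    db = build_sample_index()
    for when, body in page_versions(db, "http://www.example.com/news/"):
        print(when.isoformat(), body)
```

Against a real pre-version-30 profile the same two queries run over the `History Index YYYY-MM` files on disk instead of an in-memory database; the point is that the indexed body, keyed to the visit time, records what the page said when it was viewed, which the History database alone cannot show.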

Continue Reading…

Ouch! Security Awareness

The December 2013 issue of OUCH! is out, and I am pleased to be this month’s guest editor.  The SANS Securing the Human team is impressive and it is always a pleasure to work with professionals with such diverse security backgrounds.  If you aren’t familiar with OUCH!, it is a free Creative Commons resource intended to supplement user awareness training.  OUCH! is translated into over 20 languages by a team of incredible volunteers.  Pass it along to any loved ones getting a tablet computer this holiday season!

Malware Analysis Quant Research Project

Tom from the c-APT-ure blog recently pointed me to the Malware Analysis Quant Research Project spearheaded by Securosis.  The goal of the project is to develop a malware analysis model, complete with specific processes and metrics.  The published white paper is 53 pages.  Every organization has a malware problem, and rapid identification and scoping is a big step towards allocating precious security resources to important events like attacks from determined adversaries rather than commodity worms and malware.  The open nature of the model allows existing infrastructure within your organization to be readily integrated, shifting the focus towards identification and measurement of any process gaps. Those of you routinely hammered by ROI questions will applaud the focus on actionable metrics aimed at cost quantification.

Cyber Espionage

Continue Reading…

Oct 16


The Forensics From the Sausage Factory blog details a different technique for EXIF data carving here.

Oct 7

SANS recently posted a webcast I recorded on memory forensics.  While the presentation is from early 2012, the concepts are solid and this deck was eventually expanded to the full day of memory forensics training present in the updated Forensics 508 course.

Despite being written in 2006, Chris Ries’ paper Inside Windows Rootkits is still surprisingly relevant.  About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard).  Few resources have explained rootkit internals so simply.  As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:


Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links:

http://www.scribd.com/doc/74418240/Chris-Ries-Inside-Windows-Rootkits

http://thehackademy.net/madchat/vxdevl/library/Inside%20Windows%20Rootkits.pdf


With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface.  This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.

You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):

Continue Reading…