Archives For Computer Forensics

It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable resources defending themselves as each new embarrassing revelation becomes public. The trickle-down effect of this is even touching the small niche of digital forensics. Personal privacy has been central to the Snowden debate, and users today are more educated than ever about how their information is stored and transmitted. Web services companies are taking notice, and we have already seen some very useful artifacts disappear. I expect the trend to continue and would like to share a few examples.

Google Chrome

On October 1, 2013, version 30 of Google Chrome was released. Absent in this release was one of the most unique browser artifacts available: History Index files. Prior to version 30, Chrome not only stored browser history, cache and cookies but also recorded a full text index of each visited page. Since page content can change, this was a wonderful forensic artifact for proving what existed on a given page when a user viewed it. Chrome version 30 not only stopped recording this information, it also deleted any existing History Index files from the user’s profile.

Google Chrome Index c2body

Figure 1: The Chrome c2body field previously held a full text index of visited pages.

Continue Reading…

Oct 16

 

The Forensics From the Sausage Factory blog details a different technique for EXIF data carving here.

Oct 7

SANS recently posted a webcast I recorded on memory forensics.  While the presentation is from early 2012, the concepts are solid and this deck was eventually expanded to the full day of memory forensics training present in the updated Forensics 508 course.

Jun 11

The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features.  It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes).  From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:

  • Firewall changes made for unauthorized software (firewall.cpl)
  • User account additions / modifications (nusrmgr.cpl)
  • Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
  • System time changes (timedate.cpl)
  • Interaction with third-party security software applets

While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time.  Context provided by other artifacts may provide further information.  As an example, imagine you were reviewing control panel usage on a system and came across Figure 1.

Brutus Password Cracker

Figure 1: Sample Userassist Output

Context is critical, and, while access to the Windows Security Center might not normally be particularly interesting, the fact that it was accessed immediately following the execution of a known (router) password cracking tool might make all the difference.

Continue Reading…

With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.

I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”

Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link].   Thank you to all that took part in the experiment.  Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here].

Survey Results

In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed.  Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three.   I think many of us could have guessed that big players like Symantec and Sophos would be near the top, but I was surprised to see products like BestCrypt and SecureDoc pull ahead of Credant Technologies (now owned by Dell).

EDD Survey Results

Figure 1: EDD Survey Results

Continue Reading…

Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it.  Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments.  I have used it for everything from remote imaging to fast forensic triage to live memory analysis.  F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit.   The product is so good, I really wouldn’t blame them for just sitting back and counting their money.  Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value.  Their latest additions are new “Connector” tools: Database, Cloud, and Email.

Continue Reading…

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

Mastering Windows Network Forensics and InvestigationThe book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts. Continue Reading…