Archives For Tool Review

The third release of the free CrowdResponse incident response collection tool is now available!  This time around we are including plugins facilitating collection of Windows registry data.  Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the new additions.

New Plugins

@RegDump [-ds]

RegDump recursively extracts Windows registry key and value data.

-d  Nested output format
-s  Recursive dump
<reg key> Registry key to start dump from

Valid registry hive names are: HKLM, HKCU, HKCR, HKU, and HKAU (a pseudo key representing all users).

@RegFile [-scmh]

RegFile searches for registry string values (REG_SZ and REG_EXPAND_SZ) and identifies file path data.  If the file exists on disk, file information, hash, and digital signature details are recorded.

CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.

Running YARA Scans

YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of strings tied together by a Boolean condition. It facilitates searching with text, hex, Unicode, wildcards, case-insensitivity, and regular expressions. Combining these options allows construction of complicated tests to limit false positives. As an example, consider this YARA rule:


Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development.  Thank you to all that took part in the experiment.  Magnet Forensics announced today that Encrypted Disk Detector version 2 is available.

Survey Results

In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed.  Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three.   I think many of us could have guessed that big players like Symantec and Sophos would be near the top, but I was surprised to see products like BestCrypt and SecureDoc pull ahead of Credant Technologies (now owned by Dell).


Figure 1: EDD Survey Results


Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it.  Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments.  I have used it for everything from remote imaging to fast forensic triage to live memory analysis.  F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit.   The product is so good, I really wouldn’t blame them for just sitting back and counting their money.  Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value.  Their latest additions are new “Connector” tools: Database, Cloud, and Email.


Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss.  If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine.  Establishing an acquisition process is important, and a critical part of that process should be checking for the presence of full disk and volume-based encryption.  Disk encryption is more prevalent than many believe; I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter.  If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.

The inherent challenge is determining whether an encrypted disk or volume exists.  From the perspective of the operating system, data on a mounted volume is available in unencrypted form; a separate abstraction layer encrypts write operations and decrypts data on read.  Thus, when encountering a live system, investigators are often left with ad hoc tests to try to make a determination.  They can look for telltale installed software or particular icons present on the system, but there are few reliable ways to get a confident answer as to whether encryption is present.

[Screenshots: TrueCrypt in the taskbar; BitLocker is installed]

See any evidence of encryption products?


OUCH! Security Awareness Newsletter

I recently had the opportunity to collaborate with the SANS Institute Securing the Human team as a guest editor for their OUCH! Security Awareness Newsletter.  It was a rewarding experience working with such a competent and professional team.  The theme of the September 2012 newsletter is “Hacked: Now What?”.  While I am more used to writing technical articles, topics in OUCH! are written at a higher level and oriented towards the average computer user.  It was fun to collaborate on topics relevant to this audience.  The goal of the newsletter is to serve as a free resource that organizations of any size can use to increase the security awareness of their employees.  Looking back through the archives, I think it consistently achieves this goal.


A year after release, the Malware Analyst’s Cookbook continues to elicit uniformly high praise from the security community.  It is one of those rare books that only come around once every few years.  The breadth of information covered is staggering, and it makes an excellent reference to return to as your skills develop.  If I could make one recommendation, I would encourage readers to not wait to read the last four chapters of the book.

The last quarter of the book covers memory forensic analysis, and it is the definitive resource currently available on the subject (either online or in print).

Tweet from Chad Tilbury (@chadtilbury): $I30 (NTFS INDEX Attribute) parser from @ http://t.co/sShGNgE <- Awesome!

I have been using F-Response Tactical lately and wanted to share some of my thoughts.  When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases.  I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms.  These tools are largely agent-based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis.  F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3, covered in this previous post.  F-Response Tactical takes a different approach.  It uses a paired set of dongles instead of agents.  While limiting for some applications (such as geographically remote acquisition), it makes up for this by being dead simple to use.  To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network.  The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject.  Once connected, you have full access to all physical disks, volumes, and memory on the Subject system.  Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points.  These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.

Live Response Applications


I recently attended a presentation by Phil Hagen named “SQL Ginsu” and it reminded me of just how important SQL can be for data reduction.  I previously wrote a How-To on Log Parser and recently saw a great article on using Log Parser to assist with reviewing the massive amounts of data we can pull from Windows 7 Volume Shadow Copies.  It all led me to remember the Microsoft Log Parser Toolkit book sitting on my shelf and my intention to write a book review.  In short, I found the book to be very informative and relevant.  It should be required reading for any incident responder or forensic analyst.  The review follows.

From my five-star Amazon book review:

My only regret with this book is that I didn’t read it much earlier in my career.  Log Parser is a must have tool for every forensics professional and incident responder.  Imagine having the ability to take almost any chunk of data and quickly search it using SQL-based grammar.  Given the sheer amount of data the average security professional must analyze, Log Parser is perhaps even more relevant today than it was ten years ago.  Gabriele Giuseppini is the creator of Log Parser and he and his co-authors do a superb job of teaching the tool and demonstrating its often overwhelming feature set.  What could be a very dry manual turns out to be very engaging through copious use of real-world examples that can be used immediately to jump start your investigations.  A model for how technical books should be approached.