Packers are most commonly used for compression, code obfuscation, and malware anti-reversing.  While not always malicious, packers are often a clue to look a little deeper into a particular binary.  Ange Albertini did a marvelous job of representing the (known) universe of executable packers in this infographic.

Universe of Executable Packers

[Click to enlarge]

The full PDF file can be found here.

Device acquisition may not be the sexiest phase of digital forensics, but it has the most number of pitfalls and can result in catastrophic loss.  If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine.  Establishing an acquisition process is important, and a critical part of your process should be checking for the presence of full disk and volume-based encryption.   Disk encryption is more prevalent than many believe –I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter.  If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.

The inherent challenge is how to determine if an encrypted disk or volume exists.  From the perspective of the operating system, data on a mounted volume is available in unencrypted form.  A separate abstraction layer takes care of encrypting write operations and decrypting data for read operations.   Thus  when encountering a live system, investigators are often left with ad-hoc tests to try and make a determination.   They can look for telltale installed software, or particular icons present on the system, but there are few reliable ways to get a confident answer whether encryption does or does not exist.

Truecrypt in Taskbar

Bitlocker is Installed

See any evidence of encryption products?

Continue Reading…

OUCH! Security Awareness Newsletter

I recently had the opportunity to collaborate with the SANS Institute Securing the Human team as a guest editor for their OUCH! Security Awareness Newsletter.  It was a rewarding experience working with such a competent and professional team.  The theme of the September 2012 newsletter is “Hacked: Now What?”.  While I am more used to writing technical articles, topics in OUCH! are written at a higher level and  oriented towards the average computer user.  It was fun to collaborate on topics relevant to this audience.  The goal of the newsletter is to serve as a free resource that organizations of any size can use to increase the security awareness of their employees.  Looking back through the archives, I think it consistently achieves this goal.

Continue Reading…

New anti-forensics tool SetRegTime can change Registry last write times. | http://t.co/atWsf4sE via @
@chadtilbury
Chad Tilbury

 

Harlan Carvey discusses the ramifications of Windows Registry anti-forensics on his blog:  http://windowsir.blogspot.com/2012/08/setregtime.html.

You can find SetRegTime here: http://code.google.com/p/mft2csv/wiki/SetRegTime

Collusion for Chrome Graph

While doing some browser forensics research, I stumbled upon a Chrome extension named Collusion for Chrome.     This extension provides a visual representation of the tracking information shared with third party sites during web browsing .  While the notion of browser tracking is hardly surprising these days, Collusion provides some of the most compelling evidence I have seen for the “Do Not Track” movement.

As an example, the image above shows my browser activity during a brief period.   I selected a specific node corresponding to Wired.com and you can see the vast number of external connections a visit to Wired spawns.  Information about the various contacted sites can be identified using the following key:

  • Blue nodes:  Sites previously visited by the user
  • Gray nodes:  Third party sites receiving browser data (never visited by user)
  • Red nodes:  Known aggregators of tracking information (the slash indicates the site was blocked by Collusion)

Continue Reading…

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

Mastering Windows Network Forensics and InvestigationThe book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts. Continue Reading…

Excellent intro to Windows Internals: Windows Exploratory Surgery with Process Hacker | http://t.co/2B4mFYuf #DFIR
@chadtilbury
Chad Tilbury

History of Encryption Continue Reading…

Excellent guide to Windows 8 forensic artifacts. Nice work @! http://t.co/pY0l3IlE
@chadtilbury
Chad Tilbury

 

UPDATE:  A new version of the Windows 8 Forensic Guide can be found here:  http://propellerheadforensics.com/

One of the fun things I have been working on is the huge revision of the SANS Forensics 508: Advanced Forensics and Incident Response material.  Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses.  The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hactivism, client-side attacks, and crimeware.  Digital forensic investigations have never been more in demand.  However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner.  Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals.  I estimate that at least 60-70% of the course and nearly every exercise  is new within the last year.  My specific part in the course is writing the new memory forensics day.  My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys.  Memory forensics is now a mature discipline and we have a wonderful array of  tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits.   Memory analysis is a game changing skill and we spend a significant part of the new 508 course learning and incorporating the results of that analysis into the broader forensic process.

Continue Reading…