Announcing: Forensic Mania 2019

I’ve long been wanting to publish comparisons between some of the big commercial Digital Forensic tools. After recently playing around with triage ideas with the MUS2018 CTF image compiled by Dave and Matt, I thought now is as good a time as any.


Meet Jack

As we dig in, allow me to introduce you to hypothetical Jack. (Don’t worry, Jack is not a real person, but a photo generated by some funky algorithms on https://thispersondoesnotexist.com)

Jack would like to start his own Digital Forensic and Incident Response company in sunny South Africa. We’ll refer to this hypothetical company as DFIRJack Inc. DFIRJack Inc will focus on Windows Forensics for now. Following some Googling, Jack has come to a shortlist of commercial Digital Forensic tools that he wants to put through some tests. This is to aid him in making a final decision on where he should spend his hard earned cash.


The Tools

  • Access Data FTK v7.0.0 (Date Released: Nov 2018)
  • BlackBag BlackLight v2018 R4 (Date Released: Dec 2018)
  • Magnet Forensics Axiom v2.9 (Date Released: Jan 2019)
  • Opentext EnCase v8.08 (Date Released: Nov 2018)

Side note 1_ Jack always thought that Blacklight was predominantly a Mac forensics tool, but after seeing posts on Twitter by one of their new training guys punting it’s Windows Forensic capabilities, he thought it can’t hurt to give it a shot.

Side note 2_ In the midst of writing this, Magnet released Axiom v2.10. By the time that I hit publish on this post, v2.11 will most likely be uploading for release. I’ll stick with version v2.9 for now. If you work for Magnet and want to persuade me with some swag to use v2.10 in this series going forward (or whatever version you’re going to be on next week Tuesday), send me a DM to negotiate.


The Cost

Jack’s research has brought him to the conclusion that a single user license (the standard license for computer analysis, no cloud or mobile extras) will cost more or less the same for either FTK, Axiom or EnCase. Interestingly enough, he can buy two BlackLight licenses for the price of one of the other three.

After making some South African market related comparisons, Jack realized that he can either buy one of the aforementioned licenses (two in the case of BlackLight), or a secondhand 1992 Toyota Land Cruiser GX with 350,000km on the clock.

This is the GX:

Jack has long dreamt of buying a GX and taking the fam to the Central Kalahari Game Reserve (CKGR) in Botswana on an overland expedition. But that’ll have to wait, as it looks like he’ll be spending that money on a license dongle. What will it be? A GX or pure forensic joy? (Jack did find it odd that the only place where he can buy the licenses for these tools were from the same companies that he’ll be competing against with DFIRJack Inc. Kind of like the Bulls only being allowed to buy their Rugby kit from the Stormers.)


The Plan

In order for Jack to decide which license dongle will take the place of his GX, he opted to put these tools through some head-to-head tests.


We’ll call it Forensic Mania



Forensic Mania will run for an undefined number of rounds or blog posts. (Undefined, yes, but most likely until I loose interest and move on to a new blog idea…)


Series 1

For the first series, we’ll use the MUS2018 CTF image of Max Powers to run the tests. Why this image?

  1. The forensic image is publicly available (here)
  2. There are write ups available online of the answers, so you can run and verify your answers (here and here)
  3. It’s small enough (50GB) to throw the kitchen sink at it, and all the tools should be able to swim.
  4. It’s a Windows 10 image. Windows 10 was released in July 2015 and brought lots of new forensic artifacts with it. Almost four years later, I’d expect that the big forensic tools should be able to exploit this.
  5. It’s my blog, so I make the rules. Get off my lawn.

Bias alert: The forensic image was created for a CTF set to run specifically at MUS2018. Did Matt & Dave design the CTF image to benefit Axiom? Maybe. But we’ll try and be as objective as possible.

Following this series, I’m planning to run similar style tests against more real world images to see how the tools hold up.


Whats next?

Episode 1 – Processing is coming soon…


What can you do?

You can vote! <Voting has now closed>

Check back soon…



Calculating the Cost: Triaging with Axiom and EnCase

https://www.worldwildlife.org/magazine/issues/winter-2017/articles/brandon-davis-uses-improved-tracking-collars-to-keep-african-painted-dogs-roaming-free

Having seen Eric Zimmerman’s release of Kape (Or Kale as Ovie Carol calls it) I thought it could be insightful to play around with the Triage idea some more.

Basic premise for this post was this:

For an Incident Response type case, how much answers can you get to by just grabbing and analyzing selective data (triage) versus full disk images.

With remote acquisition, acquiring only a few GB’s of data instead of full images can, in some cases, make a difference of a few hours – depending on network speed. The same calculation applies when it comes to processing the data.


To run this exercise, I dusted off the evidence files from the 2018 Vegas Magnet User Summit CTF. I managed to win the live CTF on the day, but didn’t get a full score. Oleg Skulkin and Igor Mikhaylov however did a write-up of the full CTF that we’re going to use.

You can check out their write-ups here:

https://cyberforensicator.com/2018/06/28/magnet-user-summit-ctf-anti-forensics/
https://cyberforensicator.com/2018/07/01/magnet-user-summit-ctf-exfiltration/
https://cyberforensicator.com/2018/06/29/magnet-user-summit-ctf-misc/
https://cyberforensicator.com/2018/07/01/magnet-user-summit-ctf-intrusion/

For this test, I created a quick and dirty condition in EnCase that only targets specific data. Things like Registry files, Event logs, Browser Artifacts, File System Artifacts etc. A good place to start with a Triage list is to have a look at the Sans Windows Forensics “Evidence Of…” poster for areas of interest.

A condition in EnCase is basically a fancy filter, allowing you to filter for files with specific names, paths, sizes etc. Not that it matters, but I named my condition Wildehond, which is the Afrikaans name for Wild Dog or Painted Wolf. Wild dogs are known to devour their prey while it’s still alive, and that’s what we’re trying to do here… (You can Youtube it at your own risk).

Running my Wildehond condition in EnCase on the Max Powers hard drive image, resulted in 2,279 files totaling 2.5GB. The mock image of Max Powers, the victim in the CTF, was originally 50GB. After running the condition I created a Logical Evidence File of the filtered triage files.


So, the question is, can you get a full score for the CTF from processing and analyzing 5% of the data?

Let’s try.

First off, I processed the ‘full’ image in Axiom v2.9:

And selected all available artifacts to be included:

Processing ran for around 45 minutes, with another 15 minutes to build connections. That’s a round 60 minutes.

The processing resulted in about 727,000 artifacts:


Next up, I used the exact same processing settings on the 2.5GB Triage image I created with EnCase and Wildehond.

Processing took 13 minutes, with another minute to complete the connections. A cool 14 minutes in total. This left us with around 290,000 artifacts for analysis:

So yes, as expected, there is a large difference (45 minutes) in processing 2.5GB in stead of 50GB. (This difference will be a lot bigger between a real world 500GB drive and a 2.5GB triage set)

But this doesn’t mean anything if we can get to the answers, so lets go.


After running the processing, I did a side-by-side comparison between the two sets of data, and worked through the CTF questions on each side.

All of the questions were answerable on the full image processed with Axiom 2.9, except for three questions relating to the $MFT, where a tool like Eric Zimmerman’s MFTEcmd would do the trick.

This is how the two images did in providing answers:

So, with the Triage set of 2.5GB, we could answer 23 of the 28 Questions (82%… which is more than what I got for C++ at University).

However, real world incidents can differ quite a bit from question and answer style exercises, especially if you don’t know what exactly you are looking for.


For the 5 questions that could not be answered from the Triage set, below is the reasons why:

Wiped file names:

Strangely enough, the UsnJrnl did not parse in my Triage image.

From the full image:

However, nothing from my Triage system.

I confirmed that the file was present in my image:

So, to troubleshoot, I used Joachim Schicht’s UsnJrnl2Csv to try and parse the UsnJrnl that was in my Triage image.

And… It liked my UsnJrnl exported from the Triage image:

So… for some odd reason Axiom doesn’t recognize the $UsrnJrnl•$J file when contained in my Triage LX01 image. Will do some more trouble-shooting to figure out why this is the case.

Browser to download Dropbox:

From the full image, the answer was quite clear: Maxthon

Yes, my Triage image contains lots of artifacts referencing Maxthon and Dropbox separately, but no immediate obvious link that Maxthon was used to download Dropbox. The main reason for this is that I did not capture Maxthon web histories (i.e. mxundo.dat) in my Triage image.

Email data:

The last two questions where my Triage image came up short related to Email. As no email was targeted with my Triage, this was to be expected.



So, there you have it. In this case, you could do a pretty good job at getting a handle on a your case by only using Triage data.

Will full disk imaging and analysis not provide you with better context? Yes, perhaps… but with the likely trade-offs in Triaging, it’s worth exploring it first.

Jakkals – Feb ’19 _Episode 2_

– InfoSec stories scavenged for you from across the internet –


Three new stories this week:

  1. Two Nigerians Visit Kuala Lumpur (and Hack 20 US Universities)
  2. Phishing for iPhones (Breaking into iCloud-Locked phones)
  3. A Bad Week At Eskom (Malware, data leakage and a breakup)


1_ Two Nigerians Visit Kuala Lumpur

Back in 2014, two Nigerian chaps (sorry folks, you’re not helping the stigma) were living with expired Visas in Kuala Lumpur.

Instead of using their new found freedom to enjoy the sights of say, the Petronas Twin Towers, they launched phishing campaigns. These campaigns were targeted at employees at 140 educational institutes across the United States. Once usernames and passwords were obtained via their phishing emails, Olayinka and Damilola acquainted themselves with the financial systems of said institutes.

Their end game was to change the banking details of employees in order to reroute salary payments to accounts they (or their more unscrupulous friends) controlled. These phishing attacks were successful at 20 schools; however, when Georgia Tech personnel didn’t get their Thanksgiving paychecks, they caught wind of what was going on and called the Feds.

After some proper investigation and cooperation with the Malaysian authorities, Olayinka and Damilola was given silver arm bracelets and extradited to the US to face trial. Olayinka got six years behind bars, with Damilola receiving three.

In addition to their prison sentences, the judge also ordered them to pay restitution of $56,175.44 each (about ₦20,358,214). Back in Lagos, this can buy them around 76,000 heads of lettuce, each.

Read the FBI reports here:
https://www.fbi.gov/news/stories/cyber-thieves-sentenced-for-hacking-scheme-targeting-universities-020419
https://www.justice.gov/usao-ndga/pr/jury-convicts-cybercriminal-hacking-universities
https://www.justice.gov/usao-ndga/pr/jury-convicts-cybercriminal-hacking-universities


2_ Phishing for iPhones

Joseph Cox and Jason Koebler over at Motherboard wrote a detailed piece titled: “How Hackers and Scammers Break into iCloud-Locked iPhones“. In this piece they delved into the world of thugs stealing iPhones and what goes into getting them unlocked.

If you are planning to not read their article, at least know this:

If your iPhone / iPad is stolen, the thug typically can’t do anything with it unless they have your unlock code or iCloud password. (Read the full piece to see why I say ‘typically’). This means they can’t factory reset it to sell it on.

However, there is a fairly good chance that the thieve might target you with phishing or other social engineering attacks. Reason: To get you to give up your device lock code or your iCloud account details.

And if you’re thinking: ‘Ah, first world problems, won’t affect us down South’ Think again… same attacks have been running here for the last few years already.

Read the full piece over at Motherboard:
https://motherboard.vice.com/en_us/article/8xyq8v/how-to-unlock-icloud-stolen-iphone


3_ A Bad Week At Eskom

Eskom, our local (South African) electricity provider is having an interesting week.

First, a guy on Twitter claimed to have found an online database of Eskom that’s exposing customer details. Following attempts to responsibly disclose this, he voiced his concerns in a tweet. However, Eskom has come back stating that the database he identified is not theirs, but they are investigating if the data is…

Second, another guy on Twitter claimed to have identified an Eskom computer which was infected by a RAT. It does not seem like this is a critical system (i.e. SCADA stuff) but rather a computer of a Tannie that shops for Bernina sewing supplies at Makro (based on her desktop icons). But, nether the less, still not where you want to be.

Finally, our President just announced that Eskom is being split into three separate entities (generation, transmission and distribution). This is in an attempt to prevent the corruption ridding entity from dragging the entire country’s economy down the pooper. Not that it has anything to do with points one and two, but now you know.

And lastly… I’ll leave you with some wise electricity related words:

If you can’t fix it with a hammer, it’s an electrical fault.


Top 7 Bangs For Your Security Bucks

Marcus J Carey and Jennifer Jin recently published Tribe of Hackers – Cybersecurity Advice from the Best Hackers in the World.

Inspired by Timothy Ferriss’ book Tribe of Mentors, Marcus compiled a list of the fourteen most common questions he gets asked about cybersecurity. These questions were then posed to seventy notable InfoSec practitioners, with their responses recorded across more than four hundred pages in Tribe of Hackers.

Question number two caught my eye:

What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

Assuming the 70 has seen some stuff over the years, I thought this would be good advice to follow for most companies. I was also interested to see if there would be any commonalities between the answers, so I read through the seventy responses and compiled a Top 7 list of common responses.

Again, go get the book, the proceeds are going to charity after all.

So, here we go:

The Top 7 Bang-For-Your-Buck Actions To Improve Your Security Posture.

For each of the Top 7 Bang-For-Your-Buck responses, I’ve quoted some comments from the answers. However, read the book for the full responses and more in-depth reasoning.

Number 7_ Conduct Risk and Threat Assessments (4 mentions)
“Once an organization identifies and quantifies risks and the assets associated with their key function(s), it becomes inherently easier to identify potential causes of a critically impactful incident.” – Lesley Carhart

Number 6_ Hire Good People (6 mentions)
“Hire good people. You will never spend money on something more effective within this domain than talented people.” – Ben Donnelly

Number 5_ Asset Management (7 mentions)
“You can’t protect it if you can’t find it” – Cheryl Biswas

Number 4_ Least Privilege | Limit Administrative Access (8 mentions)
“Get users out of the local administrators group” – Jake Williams

Number 3_ Do The Basics (9 mentions)
There’s a lot of talk about the basics. If the basics were easy, everybody would be doing them. But I think they’re still worth calling out, even though they are difficult.” – Wendy Nather

Number 2_ Security Culture (11 mentions)
“Culture change impacts behavior, incentive models, accountability, and transparency — and myriad other critical enablers that help to mature and improve cybersecurity programs. Until organizational culture — comprised of values and behaviors—is substantially reformed, cybersecurity
failures will continue to abound.”
– Ben Tomhave

Number 1_ Security Awareness Training (14 mentions)
“I have gotten the best return on investment from security awareness training.” – Brad Schaufenbuel
“Invest in educating employees. Awareness goes a long way in a world where lying and “social engineering” are the key to most doors.” – Edward Prevost

And now you know.

Jakkals – Feb ’19 _Episode 1_

– InfoSec stories scavenged for you from across the internet –


Your three stories for this week are:

  1. How to Stuff a Chicken (Dailymotion Gets Attacked)
  2. Old Ladies Making Payments (Mikko on Payment System Segregation)
  3. Cyber Attacks In Real Life (Great Awareness Video from Hiscox)


1_ How To Stuff A Chicken

(Dailymotion suffers a credential stuffing attack)

If you are on the market for some roast chicken tips, here are a few great ones from Jamie: https://www.youtube.com/watch?v=bJeUb8ToRIw

Back to today’s actual program: Credential Stuffing Attacks.

The online video streaming site Dailymotion (which is a treasure trove for bootlegging MasterChef Australia episodes) was recently the target of a Credential Stuffing Attack. According to their website, Dailymotion attracts “300 million users from around the world, who watch 3.5 billion videos on its player each month.

Dailymotion published the following alert on January 25th 2019:

The attack consists in “guessing” the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

Credential Stuffing attacks aren’t anything new. In October 2018, the American Cloud Services Provider, Akamai, published a report on Credential Stuffing attacks. They recorded around 8.35 billion credential stuffing attempts world wide between May and June 2018, with the US and Russia being the main attack sources.

The report further notes:

“These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods. They use lists of usernames and passwords gathered from the breaches you hear about nearly every day on the news. They’re also one of the main reasons you should be using a password manager to create unique and random strings for your passwords. Yes, remembering that “*.77H8hi9~8&” is your password is difficult, but having your login at the bank compromised is a much bigger hassle.”

There you go, don’t reuse passwords!


2_ Old Ladies and Payment Systems

(I’m not going to write too much about this one)

Mikko Hypponen from the Finnish Cyber Security company, F-Secure, did a keynote at BSides London in June 2018. During his talk ‘State of the Net’, he addressed the common issue of securing computer systems used for financial payments. However, he was not talking about securing servers and things making up advanced payment systems. He was rather talking referring to the laptops and desktops used by employees who make the actual payments that keep your business running.

And… he makes a very valid point:
Don’t use the same computer that you use for things like Facebook, Twitter, Email and Instagram for your business’ online banking system. Rather use a designated and segregated computer to load and process your payments. This simple step will go a long way in ensuring that the computers used for payments remain secure.

Have a look at the talk here:



3_ Cyber Attacks In Real Life

UK company Hiscox has made a clever video illustrating how a cyber attack would look if it happened in real life.

They show three attack scenarios:
• IP Theft: Robbing companies of their ideas and inventions.
• Phishing: Fraudulently pretending to be someone else.
• Denial of Service: Flooding the target with traffic triggering a crash.

I think this is quite effective in order to create awareness for espcially small businesses, without the usual FUD (Fear, Uncertainty and Doubt) used by lots of security vendors.

Have a look: