#ForensicMania S01E02 – MISC

Well, hello and welcome to the second episode for Season 1 of #ForensicMania.

Today we are looking at answering the ‘Misc’ section of questions from the 2018 MUS CTF, putting our four tools head-to-head with some analysis work.

Why are we doing this? To give you, the reader, a view on how different commercial tools compare with digital forensic analysis.

To recap, in Episode 1 – Processing we processed our evidence file with the four tools, after which the scoring looked as follows: Axiom took a narrow lead with 10 coins, while Blacklight was chomping at its heels with 9. In third place was EnCase with 7 coins and bringing up the rear of the pack was FTK with 5.

Sidenote_ Check out Craft Beer Forensicator @kevinpagano3 (https://www.stark4n6.com/2019/02/ctf-review-magnet-user-summit-2018-part.html) who did a writeup of the CTF with free tools.

Scoring

“How will the scoring work this round” I hear the masses scream from the districts. For the ‘Misc’ section, we have 2 coins up for grabs for each question, that is, if the tool gets to the correct answer with an acceptable amount of effort, 2 coins are awarded. However, if the tool hides the answer under a rock, but you can still get to it, or if the answer is only halfway there, only 1 coin will be awarded. Finally, 0 coins for wrong answers.

This means we have a total of 22 coins up for grabs in this round.

So… will Axiom keep its narrow lead or trip over its connections? Does Blacklight know how to spell Shimcache? Can EnCase parse web histories? And FTK, will it fly, or just try to sell me Quin-C instead?

So many questions, so little time. Let’s dig in!


Question 1

Timezone: What is the system’s timezone set to?

Correct Answer: Mountain Standard Time


AXIOM

Axiom parses this key as an Operating System artifact:

Coins: 2


Blacklight

Under Blacklight’s “System” section, open the registry sections and it shows you the “TimeZoneInformation” registry key:

Coins: 2


EnCase

Following processing, EnCase has a ‘Case Analyzer’ option which provides various reports about artifacts identified. One of these shows the Time Zone:

Coins: 2


FTK

Navigate to the System hive in the folder structure, right-click to open with Registry Viewer, hit the ‘Common Areas’ toggle, and Bob’s your uncle:

However, this is an obvious artifact that could be shown more easily to the investigator in the ‘System Information’ tab, rather than having to open the hive in Registry Viewer first.

Coins: 1


Question 2

File Sequence Number: What is the MFT file sequence number for the Python27\python.exe file? [This is not the MFT entry number]

Correct Answer: 1


AXIOM

Axiom does not parse MFT file sequence numbers.

Coins: 0


BlackLight

Blacklight shows the correct value in the “Data Structure” view for the file:

Coins: 2


EnCase

EnCase doesn’t parse the $MFT. However, if you’ve attended EnCase training at some stage, you would probably have received an EnScript (“NTFS Single MFT Record & Attributes”) that will do this for you. Unfortunately, as this isn’t included as stock with EnCase, it doesn’t exist for most users (and it’s also not available in the Guidance App store).

Coins: 0


FTK

FTK doesn’t parse MFT file sequence numbers.

Coins: 0


Question 3

FileName Lookup: What is the name of the file that has MFT entry of 86280?

Correct Answer: $USNJrnl.


AXIOM

In the ‘File System’ view, you can filter on ‘MFT record number’ to get to the desired file:

Coins: 2


Blacklight

Blacklight allows you to filter all files based on “File System ID”, which is the MFT Record Number:

Coins: 2


EnCase

EnCase shows the ‘MFT record number’ in the columns under the label ‘File Identifier’. So just show all files, and sort according to the ‘File Identifier’ to get to the answer:

Coins: 2


FTK

You can get to this quite easily by listing all entries and sorting according to MFT Record Number in the columns.

Coins: 2


Question 4

FileTimestamp: What is the Standard Information Attribute’s Access timestamp of the Windows\Prefetch\CMD.EXE-89305D47.pf file? [UTC in YYYY-MM-DD hh:mm:ss format]

Correct Answer: 2018-04-26 15:48:40


The Access timestamp from the Standard Information Attribute is what is displayed by our tools. Check out more info about Standard Information Attributes here:

https://cyberforensicator.com/2018/03/25/windows-10-time-rules/
https://www.andreafortuna.org/cybersecurity/macb-times-in-windows-forensic-analysis/


AXIOM

Coins: 2


Blacklight

Coins: 2


EnCase

Coins: 2


FTK

Coins: 2
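Questions 2 to 4 all come down to fields in a single MFT FILE record: the sequence number and entry number in the record header, and the four $STANDARD_INFORMATION timestamps. As an added example (not code from the post or from any of the four tools), here is a small Python parser for the NTFS 3.1 record layout; it applies the update sequence fixups before reading anything, then returns the entry number, the sequence number, the 64-bit file reference the two combine into, the $SI times and the $FILE_NAME names. The record it parses is constructed by the block itself (entry 12345, sequence 3, name CMD.EXE-89305D47.pf, SI access time 2018-04-26 15:48:40); those values are assumptions for the demo, not read from the CTF image.

```python
"""Parse an NTFS MFT FILE record by hand: entry number, sequence number, the 64-bit file
reference built from them, $STANDARD_INFORMATION times and $FILE_NAME names.
Added example; the record below is constructed here, not taken from the CTF image."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(raw, sector_size=512):
    """Undo the update sequence array: on disk the last two bytes of each sector hold the
    update sequence number and the real bytes sit in the array. A mismatch means the
    record was torn by an interrupted write, so refuse to parse it."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(raw):
    """NTFS 3.1 header (Windows XP and later): the entry number is stored at 0x2C."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    seq, _links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    entry = struct.unpack_from("<I", rec, 0x2C)[0]
    info = {
        "entry": entry,                           # MFT entry (record) number
        "sequence": seq,                          # bumped each time the entry is reused
        "file_reference": (seq << 48) | entry,    # how $FILE_NAME, $LogFile and $UsnJrnl refer to it
        "in_use": bool(flags & 0x1),
        "is_directory": bool(flags & 0x2),
        "names": [],
    }
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                     # resident: the body lives inside the record
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + csize]
            if atype == ATTR_STANDARD_INFORMATION:
                created, modified, mft_modified, accessed = struct.unpack_from("<4Q", body, 0)
                info["si_times"] = {"created": filetime_to_datetime(created),
                                    "modified": filetime_to_datetime(modified),
                                    "mft_modified": filetime_to_datetime(mft_modified),
                                    "accessed": filetime_to_datetime(accessed)}
            elif atype == ATTR_FILE_NAME:
                name_len = body[0x40]             # length in UTF-16 code units
                info["names"].append(body[0x42:0x42 + 2 * name_len].decode("utf-16-le"))
        off += alen
    return info


def build_record(entry, seq, name, times, lsn=0):
    """Construct a minimal in-use record with resident $SI and $FN (sample data only)."""
    def resident(atype, body):
        padded = body + b"\0" * (-len(body) % 8)
        header = struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 0, 0, 0,
                             len(body), 24, 0, 0)
        return header + padded

    ft = [datetime_to_filetime(t) for t in times]            # created, modified, mft_modified, accessed
    si = struct.pack("<4QIIII", *ft, 0x20, 0, 0, 0)           # 48-byte $SI: times, ARCHIVE attribute, ...
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, *ft, 0, 0, 0x20, 0, len(name), 1)  # parent = root (entry 5)
    fn += name.encode("utf-16-le")
    attrs = resident(ATTR_STANDARD_INFORMATION, si) + resident(ATTR_FILE_NAME, fn)
    attrs += struct.pack("<I", ATTR_END)

    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HHQ", rec, 0x04, 0x30, 3, lsn)        # USA at 0x30 (USN + one word per sector), LSN
    struct.pack_into("<HHHH", rec, 0x10, seq, 1, 0x38, 0x1)  # sequence, hard links, first attribute, in-use
    struct.pack_into("<II", rec, 0x18, 0x38 + len(attrs), 1024)
    struct.pack_into("<I", rec, 0x2C, entry)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i, end in enumerate((512, 1024), start=1):            # stamp the USN at each sector end
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


ACCESSED = datetime(2018, 4, 26, 15, 48, 40, tzinfo=timezone.utc)
SAMPLE_TIMES = (datetime(2018, 4, 11, 9, 0, 0, tzinfo=timezone.utc),) * 3 + (ACCESSED,)
SAMPLE_RECORD = build_record(entry=12345, seq=3, name="CMD.EXE-89305D47.pf", times=SAMPLE_TIMES)

if __name__ == "__main__":
    parsed = parse_mft_record(SAMPLE_RECORD)
    print("entry %d  sequence %d  names %s" % (parsed["entry"], parsed["sequence"], parsed["names"]))
    print("SI accessed (UTC):", parsed["si_times"]["accessed"].strftime("%Y-%m-%d %H:%M:%S"))
```

On a real $MFT, slice the file into 1024-byte records and feed each one to parse_mft_record. The sequence number is what separates the current python.exe from an earlier file that happened to reuse the same entry, which is why Question 2 stresses that it is not the entry number; a $LogFile or $UsnJrnl reference that carries a different sequence number than the live record points at that earlier occupant.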


Question 5

VSN-C: What is the C: volume’s serial number?

Correct Answer: 6C19-1B65


AXIOM

Shown nicely in the File System Information artifact

Coins: 2


Blacklight

So… Blacklight shows the Volume Serial Number for a specific volume in the “Details” section under “Disk View”. However, it shows the value in Big Endian (which you can then convert to Little Endian with another tool):

So, only halfway there.

Coins: 1
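The ‘halfway there’ in the Blacklight entry is a byte-order problem: the serial number is stored little-endian in the boot sector like every other multi-byte field there, and Windows prints the 32-bit value most-significant byte first as XXXX-XXXX, so a tool that prints the stored bytes in order shows 651B-196C for a volume Windows calls 6C19-1B65. The block below is an added example (not from the post or from Blacklight) that converts between the two forms and gives the four bytes to look for in a hex view of the boot sector; the sample values are the answer above.

```python
"""Volume serial number byte order: on-disk little-endian bytes versus the XXXX-XXXX form
Windows displays. Added example; the values used are the Q5 answer, not read from an image."""


def vsn_from_le_bytes(raw):
    """4 bytes in on-disk (little-endian) order -> Windows display form XXXX-XXXX."""
    if len(raw) != 4:
        raise ValueError("volume serial number is 4 bytes")
    value = int.from_bytes(raw, "little")
    return "%04X-%04X" % (value >> 16, value & 0xFFFF)


def vsn_to_le_bytes(display):
    """Windows display form -> the 4 bytes you would look for in a hex view of the boot sector."""
    return int(display.replace("-", ""), 16).to_bytes(4, "little")


def vsn_from_raw_byte_order(display):
    """A tool that prints the stored bytes in order shows e.g. 651B-196C; reorder it."""
    return vsn_from_le_bytes(bytes.fromhex(display.replace("-", "")))


if __name__ == "__main__":
    print(vsn_from_le_bytes(b"\x65\x1b\x19\x6c"))     # bytes as stored on disk
    print(vsn_from_raw_byte_order("651B-196C"))       # what a raw-order display looks like
    print(vsn_to_le_bytes("6C19-1B65").hex(" "))      # bytes to search for in a hex editor
```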


EnCase

When the volume is selected in the Tree view, it shows the volume serial for you:

Coins: 2


FTK

Head over to the file structure and navigate to the OS volume, and click on Properties:

Coins: 2


Question 6

YouTube Search: What term was searched in YouTube on 3/28/2018?

Correct Answer: “simpsons max power”.


AXIOM

Looking at ‘Web Related’ artifacts and applying a date filter for March 28th 2018 gets you the answer:

Coins: 2


Blacklight

Hop on over to the “Internet” tab, and you’ll get the answer:

Coins: 2


EnCase

EnCase seems to be the tool that you hope the opposing party used when reviewing your client’s web histories, because there’s no way a sane person will enjoy using this for analysing internet artifacts.

I did a separate write-up about EnCase’s inability to parse Firefox histories correctly: https://www.dfir.co.za/2019/03/09/encase-you-were-hoping-to-parse-firefox/
After lodging a support ticket with OpenText, it’s been confirmed that EnCase currently can’t parse Firefox internet histories. Apparently, the upcoming release of v8.09 will have proper support.

Coins: A shocking 0


FTK

Head over to the “Internet/Chat” tab, sort by time and you get the Youtube search on the date:

Coins: 2


Question 7

Sleuthkit + PowerShell: Max Powers was playing with ways he could extract files using Sleuthkit and PowerShell. What was the exact command he used in attempting to extract the SRUM database?

Correct Answer: $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat


For me, there are two ways of approaching this one:

  1. Find the “ConsoleHost_history.txt” file which contains the PowerShell command history, and search in the file for “SRUDB.dat”.
  2. Search the entire case for “SRUDB.dat”, which will lead you to the “ConsoleHost_history.txt” file.

For this question we’ll go with door number 2, as I didn’t (and don’t) necessarily know this path or filename off by heart.


AXIOM

Searching for “SRUDB.dat” shows the “ConsoleHost_history.txt” log listed as a Document artifact:

Coins: 2


Blacklight

Blacklight does not have an index search function, only live searches. I ran a live search for ‘srudb.dat’, which took a few minutes to get to the PowerShell log with the ifind command in it.

Coins: 2


EnCase

Searching for “srudb.dat” in the indexed search provided a hit for the ConsoleHost_history.txt file, showing the ifind command.

Coins: 2


FTK

Search for “SRUDB.dat” in the FTK index search, which will get you a bunch of hits, one of which is the “ConsoleHost_history.txt” file showing the command used.

Coins: 2


Question 8

Administrator Logon Count: How many times did Administrator logon to the system?

Correct Answer: 2018-04-11.


AXIOM

The ‘User Accounts’ artifact shows this for the Administrator account:

Coins: 2


Blacklight

Blacklight’s ‘Actionable Intel’ section gives you the Logon Count for each local user account:

Coins: 2


EnCase

EnCase’s ‘System Info Parser’ artifact does provide info about the local user accounts; however, there’s nothing about logon count:

You can view the SAM hive’s structure from within EnCase, but again, they want you to work for it. In order to get this value in EnCase, you need to go to offset 66-67 of the F value of the user’s subkey:

This then translates to the integer value of 14.

Again, a simple artifact that should be shown to the user in a much simpler way. I’m giving EnCase a 0 for this one, as having to highlight offsets of the F value is just not ideal.

Coins: 0
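The manual step EnCase forces here, reading two bytes at offset 66-67 of the F value, is easy to script, and scripting it also pulls out the neighbouring fields (RID, last logon, account flags) that sit in the same blob. The block below is an added example, not code from the post or from EnCase; the F value it decodes is constructed in the block with logon count 14 and RID 500, which are sample values, and the offsets are the standard SAM F layout rather than anything taken from the CTF image.

```python
"""Decode the F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID>\\F) to get the
logon count the post reads out of offsets 66-67 by hand. Added example; the F value is
constructed here, not copied from the CTF image."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACB_DISABLED = 0x0001      # account control bits (ACB_*) stored at 0x38
ACB_PWNOTREQ = 0x0004
ACB_NORMAL = 0x0010


def filetime_to_datetime(ft):
    """FILETIME ticks -> UTC datetime; 0 and the 0x7FFF... sentinel both mean 'never'."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_sam_f(f):
    """Offsets (all little-endian): 0x08 last logon, 0x18 password last set,
    0x20 account expires, 0x28 last failed logon (FILETIMEs); 0x30 RID;
    0x38 ACB flags; 0x40 failed logon count; 0x42 logon count."""
    if len(f) < 0x44:
        raise ValueError("F value too short (%d bytes)" % len(f))
    last_logon, = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", f, 0x18)
    account_expires, = struct.unpack_from("<Q", f, 0x20)
    last_failed, = struct.unpack_from("<Q", f, 0x28)
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    failed_count, logon_count = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(last_logon),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(account_expires),
        "last_failed_logon": filetime_to_datetime(last_failed),
        "disabled": bool(acb & ACB_DISABLED),
        "password_not_required": bool(acb & ACB_PWNOTREQ),
        "failed_logon_count": failed_count,
        "logon_count": logon_count,   # same as f[66] | (f[67] << 8), the manual read in the post
    }


def build_sample_f(rid, logon_count, last_logon, acb=ACB_NORMAL):
    """Constructed F value with the fields above populated (sample data only)."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(last_logon - timedelta(days=30)))
    struct.pack_into("<Q", f, 0x20, 0x7FFFFFFFFFFFFFFF)   # never expires
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<HH", f, 0x40, 1, logon_count)
    return bytes(f)


SAMPLE_F = build_sample_f(rid=500, logon_count=14,
                          last_logon=datetime(2018, 4, 26, 15, 2, 11, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_sam_f(SAMPLE_F).items():
        print("%-22s %s" % (key, value))
```

The F value is the binary blob under the user’s RID subkey (the RID in hex, e.g. 000001F4 for the built-in Administrator); the matching V value holds the username and other strings. Export F from a registry viewer and pass the bytes to parse_sam_f to get the same number the post derives by highlighting offsets.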


FTK

FTK does have a ‘SAM Users’ section in their ‘System Information’ tab, but this only shows you SIDs and User Names. So, find the SAM in the tree structure. This will then show the content in a readable way in the ‘Natural’ view pane, without having to open it with Registry Viewer:

Coins: 2


Question 9

Install Q: What day was the Go programming language installed on? [Answer format: YYYY-MM-DD]

Correct Answer: 2018-04-11


AXIOM

This is recorded in the ‘Installed Programs’ artifact

Coins: 2


Blacklight

Blacklight did not list the Go Programming Language under its Application artifact:

However, you can find it under the “Uninstall” registry key with the built-in registry viewer:

Coins: 1


EnCase

EnCase lists installed software under: Artifacts > System Info Parser > Software.

However, Go was not listed by EnCase:

By manually traversing the SOFTWARE hive in EnCase, I got to the Uninstall key for Atom (based on what the other tools showed), but for the life of me I couldn’t figure out how to get actual data to be shown in EnCase for this key:

Coins: 0


FTK

The System Information tab shows this quite easily:

Coins: 2


Question 10

Who Installed Atom?: Which user installed Atom? [Answer is the complete SID not the username]

Correct Answer: “S-1-5-21-2801897208-1878083585-4182000528-1002”


For this question, I’m looking for proof that the Atom installer, AtomSetup_x64.exe, was downloaded (Chrome Web History) and that the file was executed by the user (Windows OS Artefact).


AXIOM

After searching for “Atom” in Axiom, you can get to the install file “AtomSetup-x64.exe”. In the connections view, it shows the installer being downloaded by the ‘maxpowers’ account in Chrome and then executed by the same account via the Shimcache:

In addition to the above, there is also a SRUM Application Resource Usage entry linking the installer to the profile.

To get the SID for the profile, head over to the ‘User Accounts’ tab which shows the SID for ‘maxpowers’:

Coins: 2


Blacklight

Blacklight recorded the installer being downloaded by the profile ‘maxpowers’ in Chrome:

You can then link the SID to the profile via the registry viewer:

However, there was no artifact recording AtomSetup-x64.exe being executed.

Coins: 1


EnCase

I could not get to the downloading of the AtomSetup-x64.exe in its Chrome histories, nor any artefacts showing the execution of AtomSetup-x64.exe by ‘maxpowers’.

Coins: 0


FTK

The ‘Internet/Chat’ tab in FTK shows the ‘maxpowers’ profile downloading the setup file:

However, FTK did not have any artefacts showing the file was executed by the user profile.

The ‘SAM Users’ section then shows you SIDs mapped to usernames.

Coins: 1


Question 11

Deletion in LogFile: The $LogFile shows at LogFile Sequence Number [LSN] 4433927454 a file is deleted. What is the name of the file that was deleted?

Correct Answer: 7z.dll


AXIOM

Axiom parses the $LogFile entries, so you can search for 4433927454, which will take you to the 7z.dll entry in the ‘$LogFile Analysis’ artifact.

Coins: 2


Blacklight

Blacklight did ‘parse’ the $LogFile, but not properly:

Coins: 0


EnCase

EnCase also ‘parsed’ the $LogFile, but doesn’t show LSN numbers:

Coins: 0


FTK

FTK doesn’t parse the $LogFile.

Coins: 0



And that’s it!

Scoreboard:

After a gruelling round, let’s have a look at the scoreboard for Episode 2:

Well, there you have it: Congratulations to Axiom for taking pole position once again. Taking second is BlackLight, with FTK following close behind in third.


Episode 3 coming soon!

EnCase you were hoping to parse Firefox

[Update 2019-03-10] I’ve added the version numbers of Axiom, Encase and FTK used. Also added details about EnCase Firefox support update coming in next release.

So, last night, after watching the Forensic Dinner (yeah yeah it’s the Forensic Lunch, but hello time zones) I was busy with some testing for #ForensicMania.

Dealing with a simple question ‘What was searched for in Youtube on xx date’, I came to a bit of a speed bump in EnCase. In short, I couldn’t get to the answer in EnCase for Youtube web histories viewed in Firefox. It was late, so I wasn’t sure if I was to blame, or EnCase. With this, I stopped with the #ForensicMania stuff and thought, let’s do some targeted testing.

The next morning (today), I decided to do a quick and simple test:

  • Conduct a few searches in Chrome and Firefox
  • Parse the web histories with Axiom, EnCase and FTK
  • Compare the results

I fired up Chrome and Firefox, and made sure they were up to date:


With last night’s Forensic Lunch still fresh in my mind, I Googled the following between 11:00 and 12:00 on 2019-03-09.

The same searches were done with Chrome first, and then with Firefox.

Google search: Is lee whitfield brittish?
Result opened: “https://www.sans.org/instructors/lee-whitfield”

Google search: How do you spell british?
Result opened: “https://en.oxforddictionaries.com/spelling/british-and-spelling”

Google search: Where did Matt get the cool blue sunglasses?
Result opened: https://www.menshealth.com/style/a26133544/matthew-mcconaughey-blue-colored-sunglasses/

Google search: Why is no one having lunch on the Forensic Lunch?
Result opened: https://www.youtube.com/user/LearnForensics/videos

YouTube search: “drummer at the wrong gig”
Video played: https://www.youtube.com/watch?v=ItZyaOlrb7E

And then played this one from the Up Next bar:
https://www.youtube.com/watch?v=RvatDKpc0SU

Google search: Can you nominate yourself in the Forensic 4Cast awards?
Result opened: https://www.magnetforensics.com/blog/nominate-magnet-forensics-years-forensic-4cast-awards/


Following this, I created a logical image of the Chrome and Firefox histories on my laptop with EnCase. The total size for the histories was 3GB. (Yes, lots of historic stuff included there as well).

So the testing is pretty straightforward: can I get to the above listed searches and web histories in Axiom, FTK and EnCase? Let’s see:


Axiom (v2.10)

Parsing the logical image in Axiom gave us the following for ‘Web related’ artifacts:

Chrome

Firefox

Result: Great Success


FTK (v7.0)

Same thing, processed the image and got the following from the ‘Internet’ tab:

Chrome

Firefox

Again: Great Success


Now, let’s fire up the ‘2019 SC Magazine Winner‘ for ‘Best Computer Forensic Solution‘…

EnCase (v8.08):

After processing the image with EnCase, we hobble on over to the ‘Artifact’ tab and open the ‘Internet Records’ section.

First up, Chrome histories:

Great, it works as expected.

Next up, Firefox (The browser with 840,689,200 active users in the past 365 days)

And this is where we ran into trouble: EnCase was able to parse Firefox Cookies and some cache files, but for the life of me I couldn’t get to any actual browsing histories.

I suspect that, as it’s shown on the processing window, EnCase only supports Firefox up until v51.0.0. The current Firefox version is v65.

Firefox version 51.0.0 was released to channel users on January 24th 2017. That is the same month when Ed Sheeran released his single “Shape of You”. (And now you can’t unsee the singing dentist guy covering the song)

What I’m trying to say is that Firefox v51 is old.

I’ve logged a query with OpenText about this and will update this post if and when I get feedback. (Really hoping this is something I’m doing wrong, but we’ll see.)

[Update 2019-03-10: EnCase v8.09, set for release in April, is said to have updated Firefox support]
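When a tool cannot parse a browser’s history, the database itself is still there to query. As an added example (not from the post, and not how any of the three tools do it), the Python below reads Chrome’s History and Firefox’s places.sqlite with sqlite3, converts each store’s own epoch (WebKit microseconds since 1601 for Chrome, PRTime microseconds since 1970 for Firefox), and pulls search terms out of Google and YouTube result URLs for a given day. Both databases are built in memory with constructed rows (a few of the searches listed above, with invented timestamps), so the schemas contain only the handful of columns actually used, not the full Chrome or Firefox schema.

```python
"""Pull search terms straight out of Chrome and Firefox history databases with sqlite3,
so a tool's parser is not the only way to answer 'what was searched on date X'.
Added example; both databases are built in memory here with constructed rows."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome/WebKit time base
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Firefox PRTime base
SEARCH_PARAMS = {"www.youtube.com": "search_query", "www.google.com": "q", "www.google.co.za": "q"}


def chrome_time(webkit_us):
    """Chrome visits.visit_time: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=webkit_us)


def firefox_time(prtime_us):
    """Firefox moz_historyvisits.visit_date: microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=prtime_us)


def search_term(url):
    """(host, term) when the URL is a results page of a site we know, else None."""
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.netloc)
    values = parse_qs(parts.query).get(param) if param else None
    return (parts.netloc, values[0]) if values else None


def chrome_visits(conn):
    rows = conn.execute("SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url")
    return [(chrome_time(t), url) for t, url in rows]


def firefox_visits(conn):
    rows = conn.execute("SELECT v.visit_date, p.url FROM moz_historyvisits v "
                        "JOIN moz_places p ON p.id = v.place_id")
    return [(firefox_time(t), url) for t, url in rows]


def searches_on(visits, day):
    """Search terms visited on 'day' (YYYY-MM-DD, UTC), oldest first."""
    hits = []
    for when, url in sorted(visits):
        found = search_term(url)
        if found and when.strftime("%Y-%m-%d") == day:
            hits.append((when.strftime("%Y-%m-%d %H:%M:%S"), found[0], found[1]))
    return hits


def _ts(y, mo, d, h, mi, s):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def _us(when, epoch):
    return (when - epoch) // timedelta(microseconds=1)


def make_chrome_db():
    """Constructed subset of Chrome's History schema with sample visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);""")
    rows = [(1, "https://www.youtube.com/results?search_query=simpsons+max+power", _ts(2018, 3, 28, 19, 12, 5)),
            (2, "https://www.youtube.com/watch?v=EXAMPLE0000", _ts(2018, 3, 28, 19, 12, 40)),
            (3, "https://www.google.com/search?q=max+power", _ts(2018, 3, 29, 8, 3, 17))]
    for uid, url, when in rows:
        conn.execute("INSERT INTO urls VALUES (?, ?, '', 1, ?)", (uid, url, _us(when, EPOCH_1601)))
        conn.execute("INSERT INTO visits VALUES (?, ?, ?, 0, 0)", (uid, uid, _us(when, EPOCH_1601)))
    return conn


def make_firefox_db():
    """Constructed subset of Firefox's places.sqlite schema with sample visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);""")
    rows = [(1, "https://www.google.com/search?q=How+do+you+spell+british%3F", _ts(2019, 3, 9, 11, 20, 33)),
            (2, "https://en.oxforddictionaries.com/spelling/british-and-spelling", _ts(2019, 3, 9, 11, 21, 2)),
            (3, "https://www.youtube.com/results?search_query=drummer+at+the+wrong+gig", _ts(2019, 3, 9, 11, 31, 7))]
    for pid, url, when in rows:
        conn.execute("INSERT INTO moz_places VALUES (?, ?, '', 1, ?)", (pid, url, _us(when, EPOCH_1970)))
        conn.execute("INSERT INTO moz_historyvisits VALUES (?, 0, ?, ?, 1)", (pid, pid, _us(when, EPOCH_1970)))
    return conn


if __name__ == "__main__":
    print("Chrome  2018-03-28:", searches_on(chrome_visits(make_chrome_db()), "2018-03-28"))
    print("Firefox 2019-03-09:", searches_on(firefox_visits(make_firefox_db()), "2019-03-09"))
```

Against a real profile, replace the in-memory connections with sqlite3.connect on a copy of the History or places.sqlite file (copy it first: the live database is locked while the browser runs, and a WAL file may hold visits not yet checkpointed into the main file). The same JOIN is what a tool’s Firefox parser does internally, so running it by hand is a quick way to check whether missing results are a tool limitation or an empty database.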


What’s the point of this post?

  1. Test stuff. If something doesn’t look right, test it.
  2. You don’t need test images to test your tools. If you have a laptop or a mobile phone, then you have test data.
  3. Don’t assume stuff. If my results above are correct, there’s a good chance you could have missed crucial Firefox data if you were only relying on EnCase.
  4. If I’m wrong, then at least I’ll hopefully know pretty soon how to get EnCase to parse Firefox histories correctly… and someone else might learn something too.

#ForensicMania S01E01 – Processing

Welcome to Forensic Mania 2019 – Episode 1. If you’re new to #ForensicMania, catch the full lowdown here.


To recap, we are testing the latest versions of four of the big commercial forensic tools against the MUS2018 CTF image.

Side note_ Following my intro post, promises were made by certain Magnet folk (you can run but you can’t Hyde). So I reprocessed with the newly released version of Axiom, v2.10. If said promises aren’t kept, we might need to roll back to version 1.0.9 just for fun.


EPISODE 1

Today we’ll be running through processing the MUS forensic image with the four tools.


Analysis Workstation Details

For these tests, we will be using a Dell workstation, with the following specs:

  • Intel Xeon Gold 6136 CPU.
  • 128GB RAM.
  • Windows 10 Pro.
  • OS Drive: 2.5″ AData SSD.
  • Case directories and the MUS2018 image file were located on separate Samsung M.2 SSDs.

How does the scoring work

The scoring for this section kept the adjudication committee deadlocked in meetings for weeks, grappling with the question: “How do you score forensic tools on processing, in a fair manner?”. After a few heated arguments, the committee realised that this was not the NIST Computer Forensics Tool Testing Program, but a blog. With that pressure off, they created a very simple scoring metric.

First, to get everyone on the same page, consider the following: Say MasterChef Australia is having a pressure test, where each of the Top 25 need to bake a lemon meringue tart. Best tart wins an immunity pin.

Being the first contestant to separate your egg yolks from the whites is pretty cool, might even get some applause from the gantry. But, the proof will always be in the pudding, which is when you start whisking your whites for the meringue. If you did a messy job during the separation, you ain’t going to see firm glossy peaks forming, no matter how hard you whisk.

This then is typically where Maggie Beer and George come walking over to your bench and drop a comment like “a good meringue is hard to beat“.
You get the point.


The Scoring System

In this round, the tools will be judged in two categories, each with 5 points up for grabs. These two categories are:

1_ Processing Progress Indication. We’ll be looking at how well the tool does at providing accurate and useful feedback during processing. “Does it matter?” you may ask… Well, it is the year of our Lord 2019. I can track the Uber Eats guy on my phone until he gets to my door. Similarly, I expect a forensic tool to at least provide some progress indication, other than just “go away, I’m still busy”.

2_ Time to Completion. Yes, the big one. Pretty straightforward: how long did it take to complete the processing task?

Points will be awarded in the form of limited edition (and much coveted across the industry) #ForensicMania challenge coins:

Side note_ I initially planned on putting a bunch more categories in adjudicating the processing phase (things like how customizable are the processing options, ease of use, can it make waffles etc) but it got a bit too complex and subjective. These tools have fairly different approaches to processing data, so let’s leave the nitpicking for next week when we start analyzing data.

This means there is a total of 10 points up for grabs in Episode 1.


Setting up processing

In order to keep these posts within a reasonable readable length, I’m not going to delve into each granular step that was followed. For each tool, I’ve provided the main points of what was selected in processing, as well as accompanying screenshots.


Axiom

  • Full Searches on partitions, Unpartitioned space search on the unpartitioned space of the drive.
  • Keyword Search Types: Artifacts. Note: Axiom does not have the functionality to do a full text index of the entire drive’s contents, but only indexes known artifacts.
  • Searching of archives and mobile backups.
  • Hashing (MD5 and SHA1). Limited to files smaller than 500MB.
  • Enabled processing of the default custom file types.
  • All computer artifacts were selected
[Screenshot gallery: 6 images of the Axiom processing options. Author: Jaco Swanepoel]

BlackLight

  • File Signature Analysis
  • Picture Analysis
  • Video Analysis
  • Hashing (MD5 and SHA1)
  • File Carving: All available file types were selected
  • Advanced Options: All available options were selected (see screenshots)
[Screenshot gallery: 4 images of the BlackLight add-evidence options]

EnCase

  • File Signature Analysis
  • Thumbnail Creation
  • Hash Analysis (MD5 & SHA1)
  • Expand Compound Files
  • Find Email
  • Find Internet Artifacts
  • Index text and Metadata
  • Modules:
  • System Info Parser (All artifacts)
  • File Carver (All predefined file types, Only in Unallocated and Slack)
  • Windows Event Log Parser
  • Windows Artifact Parser (Including Search Unallocated)
[Screenshot gallery: 9 images of the EnCase processing options]

FTK

For FTK, I used their built-in ‘Forensics’ processing profile, but tweaked it a bit.

  • Hashing (MD5 & SHA1)
  • Expand all available compound file types
  • Flag Bad Extensions
  • Search Text Index
  • Thumbnails for Graphics
  • Data Carving (Carving for all available file types)
  • Process Internet Browser History for Visualization
  • Generate System Information
[Screenshot gallery: 3 images of the FTK processing options]

To give each tool a fair chance, the MUS image was processed twice with each.


Results: Processing Progress Indication.

Here are the results for each tool’s ability to provide the user with adequate feedback regarding what is being processed:

Axiom

Axiom’s processing window is quite easy to make sense of. It shows which evidence source is currently processing (partition specific), as well as which ‘search definition’ it’s currently on. During the testing, the percentage progress indicators also seemed to be reliable.

In the category of “Processing Progress Indication”, the adjudication committee scored Axiom: 5 out of 5.


BlackLight

BlackLight also has a great granular processing feedback window. For each partition, it shows what it’s busy with processing as well as progress indicators. These were deemed reliable with the tests.

In the category of “Processing Progress Indication”, the adjudication committee scored Blacklight: 5 out of 5


EnCase


EnCase’s processing window seems a bit all over the show. More like something you’ll look at for diagnostic info, not processing progress. It was a bit difficult to gauge what it was actually busy with. It does have a progress indicator showing a ‘percentage complete’ value, however, this was quite unreliable. When processing the MUS image, it hit 99% complete quite quickly and then continued processing for another hour at 99%, before completing. This happened with both tests. I again processed the same image on a different workstation and got similar results.

In the category of “Processing Progress Indication”, the adjudication committee scored EnCase: 3 out of 5.


FTK

FTK’s processing window is quite straightforward. Perhaps too much so. It does have an overall progress bar, although not entirely accurate, and shows which evidence item (e01) it’s currently processing. However, because you have no idea what it’s actually busy with processing, it remains a waiting game to see how many files it discovers, processes and indexes. And once you think it’s done, you get a surprise with a couple of hours of “Database Optimization”.

In the category of “Processing Progress Indication”, the adjudication committee scored FTK: 3 out of 5.



Results: Time To Completion.

These are pretty straightforward. How long did it take to process the MUS image with the above noted processing settings?

Axiom

Axiom took 52 minutes and 31 seconds to process the MUS image. Following this, the ‘building connections’ process took another 17 minutes and 25 seconds.

This gave Axiom a total of 1 hour, 9 minutes and 56 seconds.


BlackLight

BlackLight took 1 hour flat to process the image. Following this, the option was available to carve the Pagefile for various file types. This added another 14 minutes and 30 seconds.

This gave BlackLight a total of 1 hour, 14 minutes and 30 seconds.



EnCase

EnCase took 1 hour, 23 minutes and 25 seconds.

No additional processing required, all jobs were completed in one go.


FTK

FTK took 59 minutes and 9 seconds to process and index the image. That’s faster than all the others… But, before you celebrate: Following the processing, FTK kicked off a “Database Optimization” process. This took another 2 hours and 17 minutes! Although it’s enabled by default, you can switch off this process in FTK’s database settings. However, according to the FTK Knowledge Base, “Database maintenance is required to prevent poor performance and can provide recovery options in case of failures.” Seems like it’s something you rather want to run on your case.

This gave FTK a total of 3 hours, 12 minutes and 9 seconds.


Let’s dish out some coins:

For winning the time challenge, Axiom gets 5/5

Not too much separated BlackBag and EnCase from Axiom; both get 4/5

And, bringing up the rear, taking almost 3 times as long as the others, FTK with 2/5


Before we look at the totals for this week, here is the result of the poll from last week:

Pretty much in line with what we saw this week…

Here’s your scoreboard after S01E01 of #ForensicMania


What’s Next?

Tune in next week to see if Axiom can keep its narrow lead, whether BlackLight knows what to do with a Windows image and if FTK can pick itself up by its dongles. We’ll start with analyzing the MUS image, so stay tuned for all the drama, first and only on The Swanepoel Method.

Side note_ It is still early days. Don’t go burning (or buying) any dongles after this post alone. The proof will be in the analysis capabilities of these tools, so check back next week.

Announcing: Forensic Mania 2019

I’ve long been wanting to publish comparisons between some of the big commercial Digital Forensic tools. After recently playing around with triage ideas with the MUS2018 CTF image compiled by Dave and Matt, I thought now is as good a time as any.


Meet Jack

As we dig in, allow me to introduce you to hypothetical Jack. (Don’t worry, Jack is not a real person, but a photo generated by some funky algorithms on https://thispersondoesnotexist.com)

Jack would like to start his own Digital Forensic and Incident Response company in sunny South Africa. We’ll refer to this hypothetical company as DFIRJack Inc. DFIRJack Inc will focus on Windows Forensics for now. Following some Googling, Jack has come to a shortlist of commercial Digital Forensic tools that he wants to put through some tests. This is to aid him in making a final decision on where he should spend his hard earned cash.


The Tools

  • Access Data FTK v7.0.0 (Date Released: Nov 2018)
  • BlackBag BlackLight v2018 R4 (Date Released: Dec 2018)
  • Magnet Forensics Axiom v2.9 (Date Released: Jan 2019)
  • Opentext EnCase v8.08 (Date Released: Nov 2018)

Side note 1_ Jack always thought that Blacklight was predominantly a Mac forensics tool, but after seeing posts on Twitter by one of their new training guys punting its Windows Forensic capabilities, he thought it can’t hurt to give it a shot.

Side note 2_ In the midst of writing this, Magnet released Axiom v2.10. By the time that I hit publish on this post, v2.11 will most likely be uploading for release. I’ll stick with version v2.9 for now. If you work for Magnet and want to persuade me with some swag to use v2.10 in this series going forward (or whatever version you’re going to be on next week Tuesday), send me a DM to negotiate.


The Cost

Jack’s research has brought him to the conclusion that a single user license (the standard license for computer analysis, no cloud or mobile extras) will cost more or less the same for either FTK, Axiom or EnCase. Interestingly enough, he can buy two BlackLight licenses for the price of one of the other three.

After making some South African market related comparisons, Jack realized that he can either buy one of the aforementioned licenses (two in the case of BlackLight), or a secondhand 1992 Toyota Land Cruiser GX with 350,000km on the clock.

This is the GX:

Jack has long dreamt of buying a GX and taking the fam to the Central Kalahari Game Reserve (CKGR) in Botswana on an overland expedition. But that’ll have to wait, as it looks like he’ll be spending that money on a license dongle. What will it be? A GX or pure forensic joy? (Jack did find it odd that the only place where he can buy the licenses for these tools were from the same companies that he’ll be competing against with DFIRJack Inc. Kind of like the Bulls only being allowed to buy their Rugby kit from the Stormers.)


The Plan

In order for Jack to decide which license dongle will take the place of his GX, he opted to put these tools through some head-to-head tests.


We’ll call it Forensic Mania



Forensic Mania will run for an undefined number of rounds or blog posts. (Undefined, yes, but most likely until I lose interest and move on to a new blog idea…)


Series 1

For the first series, we’ll use the MUS2018 CTF image of Max Powers to run the tests. Why this image?

  1. The forensic image is publicly available (here)
  2. There are write ups available online of the answers, so you can run and verify your answers (here and here)
  3. It’s small enough (50GB) to throw the kitchen sink at it, and all the tools should be able to swim.
  4. It’s a Windows 10 image. Windows 10 was released in July 2015 and brought lots of new forensic artifacts with it. Almost four years later, I’d expect that the big forensic tools should be able to exploit this.
  5. It’s my blog, so I make the rules. Get off my lawn.

Bias alert: The forensic image was created for a CTF set to run specifically at MUS2018. Did Matt & Dave design the CTF image to benefit Axiom? Maybe. But we’ll try and be as objective as possible.

Following this series, I’m planning to run similar style tests against more real world images to see how the tools hold up.


What’s next?

Episode 1 – Processing is coming soon…


What can you do?

You can vote! <Voting has now closed>

Check back soon…



Calculating the Cost: Triaging with Axiom and EnCase


Having seen Eric Zimmerman’s release of Kape (Or Kale as Ovie Carol calls it) I thought it could be insightful to play around with the Triage idea some more.

Basic premise for this post was this:

For an Incident Response type case, how many answers can you get to by just grabbing and analyzing selective data (triage) versus full disk images?

With remote acquisition, acquiring only a few GB of data instead of full images can, in some cases, make a difference of a few hours, depending on network speed. The same calculation applies when it comes to processing the data.


To run this exercise, I dusted off the evidence files from the 2018 Vegas Magnet User Summit CTF. I managed to win the live CTF on the day, but didn’t get a full score. Oleg Skulkin and Igor Mikhaylov however did a write-up of the full CTF that we’re going to use.

You can check out their write-ups here:

https://cyberforensicator.com/2018/06/28/magnet-user-summit-ctf-anti-forensics/
https://cyberforensicator.com/2018/07/01/magnet-user-summit-ctf-exfiltration/
https://cyberforensicator.com/2018/06/29/magnet-user-summit-ctf-misc/
https://cyberforensicator.com/2018/07/01/magnet-user-summit-ctf-intrusion/

For this test, I created a quick and dirty condition in EnCase that only targets specific data: things like Registry files, Event logs, Browser Artifacts, File System Artifacts etc. A good place to start with a Triage list is to have a look at the SANS Windows Forensics “Evidence Of…” poster for areas of interest.

A condition in EnCase is basically a fancy filter, allowing you to filter for files with specific names, paths, sizes etc. Not that it matters, but I named my condition Wildehond, which is the Afrikaans name for Wild Dog or Painted Wolf. Wild dogs are known to devour their prey while it’s still alive, and that’s what we’re trying to do here… (You can Youtube it at your own risk).

Running my Wildehond condition in EnCase on the Max Powers hard drive image, resulted in 2,279 files totaling 2.5GB. The mock image of Max Powers, the victim in the CTF, was originally 50GB. After running the condition I created a Logical Evidence File of the filtered triage files.
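The Wildehond condition itself isn’t shown above, and EnCase conditions are stored in EnCase’s own format. As an added example (not the author’s condition and not EnCase code), the script below applies the same idea in Python to a mounted volume or exported file tree: keep only files whose volume-relative path matches a triage list (registry hives, event logs, file system metadata, browser histories) and report what fraction of the volume that selection covers. The pattern list is an assumption for illustration, and the sample “volume” it walks is constructed in a temporary directory so the script runs offline.

```python
"""Triage file selector in the spirit of an EnCase condition.

Added example; not the author's Wildehond condition and not EnCase's
condition format. Walks a directory tree standing in for a mounted or
exported volume, keeps files whose volume-relative path matches a
triage pattern, and reports how much of the volume was selected.
"""
import fnmatch
import os
import tempfile

# Volume-relative, case-insensitive fnmatch patterns (assumed list).
# Categories mirror the areas the post names; fnmatch's '*' also crosses
# directory separators, which is convenient for 'users/*/...'.
# NTFS alternate data streams such as $Extend/$UsnJrnl:$J are exposed by
# forensic tools but not by a plain directory walk; listed for completeness.
TRIAGE_PATTERNS = {
    "registry": [
        "windows/system32/config/sam",
        "windows/system32/config/system",
        "windows/system32/config/software",
        "windows/system32/config/security",
        "users/*/ntuser.dat",
        "users/*/appdata/local/microsoft/windows/usrclass.dat",
    ],
    "eventlog": ["windows/system32/winevt/logs/*.evtx"],
    "filesystem": ["$mft", "$logfile", "$extend/$usnjrnl:$j"],
    "browser": [
        "users/*/appdata/local/google/chrome/user data/default/history",
        "users/*/appdata/roaming/mozilla/firefox/profiles/*/places.sqlite",
    ],
}


def classify(rel_path):
    """Return the triage category for a volume-relative path, or None."""
    norm = rel_path.replace("\\", "/").lower()
    for category, patterns in TRIAGE_PATTERNS.items():
        for pattern in patterns:
            if fnmatch.fnmatchcase(norm, pattern):
                return category
    return None


def run_triage(volume_root):
    """Select triage files under volume_root.

    Returns selected files (path -> category), their count and byte size,
    the total byte size of the volume, and the percentage selected.
    """
    selected, selected_bytes, total_bytes = {}, 0, 0
    for dirpath, _dirs, files in os.walk(volume_root):
        for name in files:
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            total_bytes += size
            rel = os.path.relpath(full, volume_root).replace("\\", "/")
            category = classify(rel)
            if category:
                selected[rel] = category
                selected_bytes += size
    pct = (100.0 * selected_bytes / total_bytes) if total_bytes else 0.0
    return {"selected": selected, "count": len(selected),
            "selected_bytes": selected_bytes, "total_bytes": total_bytes,
            "percent": pct}


def build_sample_volume():
    """Constructed throw-away tree mimicking a Windows volume (offline demo)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    layout = {  # relative path -> size in bytes (all constructed)
        "Windows/System32/config/SYSTEM": 8192,
        "Windows/System32/config/SOFTWARE": 16384,
        "Windows/System32/winevt/Logs/Security.evtx": 4096,
        "Users/Max/NTUSER.DAT": 2048,
        "Users/Max/AppData/Local/Google/Chrome/User Data/Default/History": 1024,
        "Users/Max/Pictures/holiday.jpg": 60000,   # not triage material
        "Windows/System32/kernel32.dll": 90000,    # not triage material
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    result = run_triage(build_sample_volume())
    for path, cat in sorted(result["selected"].items()):
        print(f"{cat:10s} {path}")
    print(f"{result['count']} files, {result['selected_bytes']} of "
          f"{result['total_bytes']} bytes ({result['percent']:.1f}%)")
```

Point the script at a real mount point to get the equivalent of the “2,279 files totaling 2.5GB” figure for your own triage list; the selection ratio is what tells you whether a remote pull of only those files is worth it before a full image.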


So, the question is, can you get a full score for the CTF from processing and analyzing 5% of the data?

Let’s try.

First off, I processed the ‘full’ image in Axiom v2.9:

And selected all available artifacts to be included:

Processing ran for around 45 minutes, with another 15 minutes to build connections. That’s a round 60 minutes.

The processing resulted in about 727,000 artifacts:


Next up, I used the exact same processing settings on the 2.5GB Triage image I created with EnCase and Wildehond.

Processing took 13 minutes, with another minute to complete the connections. A cool 14 minutes in total. This left us with around 290,000 artifacts for analysis:

So yes, as expected, there is a large difference (45 minutes) in processing 2.5GB instead of 50GB. (This difference will be a lot bigger between a real world 500GB drive and a 2.5GB triage set.)

But this doesn’t mean anything unless we can still get to the answers, so let’s go.


After running the processing, I did a side-by-side comparison between the two sets of data, and worked through the CTF questions on each side.

All of the questions were answerable on the full image processed with Axiom 2.9, except for three questions relating to the $MFT, where a tool like Eric Zimmerman’s MFTEcmd would do the trick.

This is how the two images did in providing answers:

So, with the Triage set of 2.5GB, we could answer 23 of the 28 Questions (82%… which is more than what I got for C++ at University).

However, real world incidents can differ quite a bit from question and answer style exercises, especially if you don’t know what exactly you are looking for.


For the 5 questions that could not be answered from the Triage set, below are the reasons why:

Wiped file names:

Strangely enough, the UsnJrnl did not parse in my Triage image.

From the full image:

However, nothing from my Triage system.

I confirmed that the file was present in my image:

So, to troubleshoot, I used Joachim Schicht’s UsnJrnl2Csv to try and parse the UsnJrnl that was in my Triage image.

And… It liked my UsnJrnl exported from the Triage image:

So… for some odd reason Axiom doesn’t recognize the $UsnJrnl•$J file when contained in my Triage LX01 image. Will do some more troubleshooting to figure out why this is the case.
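To show what UsnJrnl2Csv is recovering here, and why the journal matters for the “wiped file names” question, below is an added example (not the author’s code and not UsnJrnl2Csv) that parses USN_RECORD_V2 structures the way the $J stream stores them. The journal fragment it parses is constructed inline: a file is created, renamed to a throw-away name and then deleted, which is the trace a file wiper leaves even after the original name is gone from the file system.

```python
"""Minimal $UsnJrnl:$J (USN_RECORD_V2) parser.

Added example; not the author's code and not UsnJrnl2Csv. Reads the
fixed 60-byte record header, pulls the UTF-16LE name at FileNameOffset
and advances by RecordLength (records are 8-byte aligned). The journal
fragment below is constructed, not taken from the CTF image.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 header, little-endian, 60 bytes before the file name:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HDR = struct.Struct("<IHHQQQQIIIIHH")

REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100ns ticks since 1601-01-01 UTC) -> datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def reason_names(reason):
    return [n for bit, n in sorted(REASON_FLAGS.items()) if reason & bit]


def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 in data, skipping zeroed padding."""
    off = 0
    while off + _HDR.size <= len(data):
        (rec_len, major, _minor, frn, parent, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if rec_len == 0:           # sparse or zero-filled region
            off += 8
            continue
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(data):
            raise ValueError(f"bad record at offset {off}")
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn,
               "frn": frn & 0xFFFFFFFFFFFF,        # MFT entry, sequence stripped
               "parent": parent & 0xFFFFFFFFFFFF,
               "time": filetime_to_dt(ts), "reason": reason_names(reason),
               "attrs": attrs, "name": name}
        off += rec_len


def name_history(records):
    """MFT entry -> ordered list of names the journal saw for that entry."""
    hist = {}
    for r in records:
        names = hist.setdefault(r["frn"], [])
        if not names or names[-1] != r["name"]:
            names.append(r["name"])
    return hist


def build_record(usn, frn, parent, ts, reason, name):
    """Pack one USN_RECORD_V2 (used only to construct the sample journal)."""
    enc = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(enc) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, ts, reason,
                    0, 0, 0x20, len(enc), _HDR.size)
    return hdr + enc + b"\0" * (rec_len - _HDR.size - len(enc))


def constructed_journal():
    """Constructed $J fragment: create, rename old/new, delete, then padding."""
    t0 = 131672000000000000                 # FILETIME in April 2018
    frn, parent = 0x0001000000000045, 0x0001000000000005
    return b"".join([
        build_record(0x1000, frn, parent, t0, 0x100, "secret.docx"),
        build_record(0x1050, frn, parent, t0 + 10_000_000, 0x1000 | 0x80000000, "secret.docx"),
        build_record(0x10A0, frn, parent, t0 + 10_000_000, 0x2000 | 0x80000000, "zzzz.tmp"),
        build_record(0x10F0, frn, parent, t0 + 20_000_000, 0x200 | 0x80000000, "zzzz.tmp"),
    ]) + b"\0" * 64


if __name__ == "__main__":
    recs = list(parse_usn_records(constructed_journal()))
    for r in recs:
        print(r["time"].isoformat(), r["frn"], r["name"], "+".join(r["reason"]))
    print(name_history(recs))
```

Against a real $J exported from an image, read the stream in chunks and hand each chunk to `parse_usn_records` (the large sparse run at the start of the stream is exactly what the zero-skip branch handles); the `name_history` output is the piece that answers a “what was the original name of the wiped file” question.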

Browser to download Dropbox:

From the full image, the answer was quite clear: Maxthon

Yes, my Triage image contains lots of artifacts referencing Maxthon and Dropbox separately, but no immediate obvious link that Maxthon was used to download Dropbox. The main reason for this is that I did not capture Maxthon web histories (i.e. mxundo.dat) in my Triage image.

Email data:

The last two questions where my Triage image came up short related to Email. As no email was targeted with my Triage, this was to be expected.



So, there you have it. In this case, you could do a pretty good job at getting a handle on your case by only using Triage data.

Will full disk imaging and analysis not provide you with better context? Yes, perhaps… but with the likely trade-offs in Triaging, it’s worth exploring it first.

Jakkals – Feb ’19 _Episode 2_

– InfoSec stories scavenged for you from across the internet –


Three new stories this week:

  1. Two Nigerians Visit Kuala Lumpur (and Hack 20 US Universities)
  2. Phishing for iPhones (Breaking into iCloud-Locked phones)
  3. A Bad Week At Eskom (Malware, data leakage and a breakup)


1_ Two Nigerians Visit Kuala Lumpur

Back in 2014, two Nigerian chaps (sorry folks, you’re not helping the stigma) were living with expired Visas in Kuala Lumpur.

Instead of using their newfound freedom to enjoy the sights of say, the Petronas Twin Towers, they launched phishing campaigns. These campaigns were targeted at employees at 140 educational institutes across the United States. Once usernames and passwords were obtained via their phishing emails, Olayinka and Damilola acquainted themselves with the financial systems of said institutes.

Their end game was to change the banking details of employees in order to reroute salary payments to accounts they (or their more unscrupulous friends) controlled. These phishing attacks were successful at 20 schools; however, when Georgia Tech personnel didn’t get their Thanksgiving paychecks, they caught wind of what was going on and called the Feds.

After some proper investigation and cooperation with the Malaysian authorities, Olayinka and Damilola were given silver arm bracelets and extradited to the US to face trial. Olayinka got six years behind bars, with Damilola receiving three.

In addition to their prison sentences, the judge also ordered them to pay restitution of $56,175.44 each (about ₦20,358,214). Back in Lagos, this can buy them around 76,000 heads of lettuce, each.

Read the FBI reports here:
https://www.fbi.gov/news/stories/cyber-thieves-sentenced-for-hacking-scheme-targeting-universities-020419
https://www.justice.gov/usao-ndga/pr/jury-convicts-cybercriminal-hacking-universities


2_ Phishing for iPhones

Joseph Cox and Jason Koebler over at Motherboard wrote a detailed piece titled: “How Hackers and Scammers Break into iCloud-Locked iPhones“. In this piece they delved into the world of thugs stealing iPhones and what goes into getting them unlocked.

If you are planning to not read their article, at least know this:

If your iPhone / iPad is stolen, the thug typically can’t do anything with it unless they have your unlock code or iCloud password. (Read the full piece to see why I say ‘typically’). This means they can’t factory reset it to sell it on.

However, there is a fairly good chance that the thief might target you with phishing or other social engineering attacks. Reason: to get you to give up your device lock code or your iCloud account details.

And if you’re thinking: ‘Ah, first world problems, won’t affect us down South’ Think again… same attacks have been running here for the last few years already.

Read the full piece over at Motherboard:
https://motherboard.vice.com/en_us/article/8xyq8v/how-to-unlock-icloud-stolen-iphone


3_ A Bad Week At Eskom

Eskom, our local (South African) electricity provider is having an interesting week.

First, a guy on Twitter claimed to have found an online database of Eskom that’s exposing customer details. Following attempts to responsibly disclose this, he voiced his concerns in a tweet. However, Eskom has come back stating that the database he identified is not theirs, but they are investigating if the data is…

Second, another guy on Twitter claimed to have identified an Eskom computer which was infected by a RAT. It does not seem like this is a critical system (i.e. SCADA stuff) but rather a computer of a Tannie that shops for Bernina sewing supplies at Makro (based on her desktop icons). But, nevertheless, still not where you want to be.

Finally, our President just announced that Eskom is being split into three separate entities (generation, transmission and distribution). This is in an attempt to prevent the corruption-ridden entity from dragging the entire country’s economy down the pooper. Not that it has anything to do with points one and two, but now you know.

And lastly… I’ll leave you with some wise electricity related words:

If you can’t fix it with a hammer, it’s an electrical fault.


Top 7 Bangs For Your Security Bucks

Marcus J Carey and Jennifer Jin recently published Tribe of Hackers – Cybersecurity Advice from the Best Hackers in the World.

Inspired by Timothy Ferriss’ book Tribe of Mentors, Marcus compiled a list of the fourteen most common questions he gets asked about cybersecurity. These questions were then posed to seventy notable InfoSec practitioners, with their responses recorded across more than four hundred pages in Tribe of Hackers.

Question number two caught my eye:

What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

Assuming the 70 have seen some stuff over the years, I thought this would be good advice to follow for most companies. I was also interested to see if there would be any commonalities between the answers, so I read through the seventy responses and compiled a Top 7 list of common responses.

Again, go get the book, the proceeds are going to charity after all.

So, here we go:

The Top 7 Bang-For-Your-Buck Actions To Improve Your Security Posture.

For each of the Top 7 Bang-For-Your-Buck responses, I’ve quoted some comments from the answers. However, read the book for the full responses and more in-depth reasoning.

Number 7_ Conduct Risk and Threat Assessments (4 mentions)
“Once an organization identifies and quantifies risks and the assets associated with their key function(s), it becomes inherently easier to identify potential causes of a critically impactful incident.” – Lesley Carhart

Number 6_ Hire Good People (6 mentions)
“Hire good people. You will never spend money on something more effective within this domain than talented people.” – Ben Donnelly

Number 5_ Asset Management (7 mentions)
“You can’t protect it if you can’t find it” – Cheryl Biswas

Number 4_ Least Privilege | Limit Administrative Access (8 mentions)
“Get users out of the local administrators group” – Jake Williams

Number 3_ Do The Basics (9 mentions)
“There’s a lot of talk about the basics. If the basics were easy, everybody would be doing them. But I think they’re still worth calling out, even though they are difficult.” – Wendy Nather

Number 2_ Security Culture (11 mentions)
“Culture change impacts behavior, incentive models, accountability, and transparency — and myriad other critical enablers that help to mature and improve cybersecurity programs. Until organizational culture — comprised of values and behaviors — is substantially reformed, cybersecurity failures will continue to abound.” – Ben Tomhave

Number 1_ Security Awareness Training (14 mentions)
“I have gotten the best return on investment from security awareness training.” – Brad Schaufenbuel
“Invest in educating employees. Awareness goes a long way in a world where lying and “social engineering” are the key to most doors.” – Edward Prevost

And now you know.

Jakkals – Feb ’19 _Episode 1_

– InfoSec stories scavenged for you from across the internet –


Your three stories for this week are:

  1. How to Stuff a Chicken (Dailymotion Gets Attacked)
  2. Old Ladies Making Payments (Mikko on Payment System Segregation)
  3. Cyber Attacks In Real Life (Great Awareness Video from Hiscox)


1_ How To Stuff A Chicken

(Dailymotion suffers a credential stuffing attack)

If you are on the market for some roast chicken tips, here are a few great ones from Jamie: https://www.youtube.com/watch?v=bJeUb8ToRIw

Back to today’s actual program: Credential Stuffing Attacks.

The online video streaming site Dailymotion (which is a treasure trove for bootlegging MasterChef Australia episodes) was recently the target of a Credential Stuffing Attack. According to their website, Dailymotion attracts “300 million users from around the world, who watch 3.5 billion videos on its player each month.”

Dailymotion published the following alert on January 25th 2019:

The attack consists in “guessing” the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

Credential Stuffing attacks aren’t anything new. In October 2018, the American Cloud Services Provider, Akamai, published a report on Credential Stuffing attacks. They recorded around 8.35 billion credential stuffing attempts worldwide between May and June 2018, with the US and Russia being the main attack sources.

The report further notes:

“These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods. They use lists of usernames and passwords gathered from the breaches you hear about nearly every day on the news. They’re also one of the main reasons you should be using a password manager to create unique and random strings for your passwords. Yes, remembering that “*.77H8hi9~8&” is your password is difficult, but having your login at the bank compromised is a much bigger hassle.”

There you go, don’t reuse passwords!
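The Dailymotion alert describes the attacker side; for the defender, the useful property of a stuffing run is that it looks nothing like a normal brute force. One source tries many different usernames, each only once or twice, with a high failure rate, because the list came from someone else’s breach. Below is an added example (not Dailymotion’s or Akamai’s code) of that detection logic run over a few constructed login log lines; the log format and the thresholds are assumptions for illustration.

```python
"""Credential-stuffing detector over login logs.

Added example; not Dailymotion's or Akamai's code. Groups login attempts
per source IP in a sliding window and flags sources that touch many
distinct usernames with a high failure ratio. A brute force against a
single account (many attempts, one username) is deliberately NOT flagged
by this rule so the two patterns can be handled separately.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines; assumed format "<ISO time> <source ip> <user> <result>".
SAMPLE_LOG = """\
2019-01-25T10:00:01 203.0.113.7 alice FAIL
2019-01-25T10:00:02 203.0.113.7 bob FAIL
2019-01-25T10:00:02 203.0.113.7 carol FAIL
2019-01-25T10:00:03 203.0.113.7 dave OK
2019-01-25T10:00:03 203.0.113.7 erin FAIL
2019-01-25T10:00:04 203.0.113.7 frank FAIL
2019-01-25T10:00:04 203.0.113.7 grace FAIL
2019-01-25T10:00:05 203.0.113.7 heidi FAIL
2019-01-25T10:00:10 198.51.100.20 alice FAIL
2019-01-25T10:00:15 198.51.100.20 alice FAIL
2019-01-25T10:00:20 198.51.100.20 alice OK
2019-01-25T10:30:00 192.0.2.9 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(lines, window_s=60, min_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for sources whose attempts inside any window_s
    second window involve at least min_users distinct usernames with a
    failure ratio of at least min_fail_ratio. 'hits' lists usernames that
    succeeded from a flagged source: the accounts to reset first."""
    per_ip = defaultdict(deque)
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        q = per_ip[ip]
        q.append((ts, user, ok))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                      # drop attempts outside the window
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users), "attempts": len(q),
                           "failures": fails,
                           "hits": sorted({u for _, u, o in q if o})}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

On the constructed input only 203.0.113.7 is flagged, and its one success (“dave”) is the account that needs a password reset and a look at what happened in that session; 198.51.100.20 hammers a single username and belongs to an account lockout rule instead.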


2_ Old Ladies and Payment Systems

(I’m not going to write too much about this one)

Mikko Hypponen from the Finnish Cyber Security company, F-Secure, did a keynote at BSides London in June 2018. During his talk ‘State of the Net’, he addressed the common issue of securing computer systems used for financial payments. However, he was not talking about securing servers and things making up advanced payment systems. He was rather referring to the laptops and desktops used by employees who make the actual payments that keep your business running.

And… he makes a very valid point:
Don’t use the same computer that you use for things like Facebook, Twitter, Email and Instagram for your business’ online banking system. Rather use a designated and segregated computer to load and process your payments. This simple step will go a long way in ensuring that the computers used for payments remain secure.

Have a look at the talk here:



3_ Cyber Attacks In Real Life

UK company Hiscox has made a clever video illustrating how a cyber attack would look if it happened in real life.

They show three attack scenarios:
• IP Theft: Robbing companies of their ideas and inventions.
• Phishing: Fraudulently pretending to be someone else.
• Denial of Service: Flooding the target with traffic triggering a crash.

I think this is quite effective in order to create awareness for especially small businesses, without the usual FUD (Fear, Uncertainty and Doubt) used by lots of security vendors.

Have a look:

Jakkals – 2019_01_25

– InfoSec stories scavenged for you from across the internet –


Three stories this week (again):

  • DDoS-ing a Country (Guy who took Liberia offline is jailed)
  • Lazarus at the Waterhole (Company breached in nifty attack)
  • Incoming! (Hijacked camera sends false ‘Incoming Missile’ warning)


1_ DDoS-ing a Country

(Guy who used the Mirai botnet against Liberia gets jail time in the UK)

In 2016, researchers detected one of the largest publicly recorded Distributed Denial of Service (DDoS) attacks. The attack made use of hijacked webcams that were part of the Mirai botnet and generated traffic of up to 500 Gbps. This traffic was directed at the internet infrastructure of the West African nation of Liberia. See the 2016 article from Threatpost detailing the attack.

Fast forward three years and one Daniel Kaye has been sentenced to 32 months in the slammer for this DDoS attack. Turns out an employee of the Liberian telecoms company Cellcom (now rebranded as Orange Liberia) hired Mr Kaye to launch the attack on their competitor, Lonestar Cell MTN. Not only did it successfully disrupt Lonestar’s network, it also took down the entire country’s internet!

After the Liberian attacks, Mr Kaye attempted to take control of some of Deutsche Telekom’s routers for more attacks, but this ended up taking about 900,000 routers offline. A week later he again fumbled and inadvertently took down 100,000 UK based routers from three separate ISPs. In the end this was what got the fuzz to hunt him down.

Turns out your actions were not O-Kaye, Daniel.

Links:
https://www.zdnet.com/article/hacker-bestbuy-sentenced-to-prison-for-operating-mirai-ddos-botnet/
https://www.bbc.com/news/uk-46840461


2_ Finding Lazarus at the Watering Hole

(For a quirky video about an ‘actual’ watering hole, check this)

Attackers, allegedly linked to North Korea’s Lazarus group, have been fingered for an attack on a Chilean networking company. This company, Redbanc, is basically responsible for all of Chile’s ATM networks.

What makes this attack notable is the method in which Redbanc was compromised – a watering hole attack. Attackers put an advertisement up on LinkedIn, to which a Redbanc employee responded. This then led to a phony Skype interview with a Spanish speaking ‘recruiter’. During the ‘interview’ the employee was tricked into downloading what appeared to be an application form. The application form however turned out to be malware which subsequently infected his work computer.

Luckily the introduced malware was picked up by Redbanc before too much snooping could be done on their network…

Links:
https://nakedsecurity.sophos.com/2019/01/21/attackers-used-a-linkedin-job-ad-and-skype-call-to-breach-banks-defences/
https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/


3_ Incoming!

(Hijacked Nest camera sends false ‘Incoming Missile’ warnings)

Laura was cooking up a storm in her California kitchen, when the loud noise of an emergency broadcast interrupted the bubbling sounds from her simmering chicken broth:

You have three hours to evacuate! North Korea has launched a missile attack on the United States. Move!

Ok, she was probably not making a chicken broth, but you get the idea. Needless to say, panic ensued after the family heard the announcement, thinking it came from their television. It turned out that an attacker managed to hack into their internet connected (IoT) Nest Security Camera and play the fake alert. Luckily, sanity prevailed after an excruciating 30 minutes of trying to figure out which of your favorite cast iron frying pans to take along in the evacuation.

Reminds me of the saying: “The S in IoT stands for Security”.

Links:
https://www.csoonline.com/article/3335637/security/hijacked-nest-camera-blares-warning-about-north-korean-missiles-headed-to-us.html
https://nakedsecurity.sophos.com/2019/01/23/hijacked-nest-cam-broadcasts-bogus-warning-about-incoming-missiles/

Jakkals – 2019_01_20

– InfoSec stories scavenged for you from across the internet –


Three stories this week:

  • Hackwurst (The German Hack)
  • Un DoS Tres (Guy who dossed a Children’s Hospital sentenced)
  • Collection #1 (The Massive 773million record data breach)


1_ Hackwurst

(Hackwurst is a play on Bockwurst, which is what the Germans came up with to counter boerewors. You might also now be wondering what’s the difference between Bockwurst, Knockwurst and Bratwurst. The answer is waiting for you here: https://www.epicurious.com/archive/holidays/oktoberfest/germansausagesbruceaidells)

A 20-year-old German man managed to obtain and publish a bunch of personal information of, among others, the Chancellor of Germany, Angela Dorothea Merkel, as well as the German head of state.

If, at this point, you are confused that Merkel is not the German head of state, welcome to the party. Here’s a video of the inauguration of the German President, Frank-Walter Steinmeier: https://www.youtube.com/watch?v=6UsXzwke6OE.

But we digress…

The suspect, who still lives with his parents, claimed to have acted alone when police arrested him earlier this month. The reason for his actions was attributed to anger at “public statements made by politicians, journalists and public figures”. It is unclear how he obtained the leaked information, but it is said to include contact information, credit card details, banking and financial details as well as ID cards and private chats.

Links:
http://
https://


2_ Un DoS Tres

(Guy who dossed a Children’s Hospital sentenced)

First things first: If the title of this one made you think of the 1995 Ricky Martin song… here’s the music video for your pleasure: https://www.youtube.com/watch?v=vCEvCXuglqo (and the chap in this story’s name is Martin… Coincidence??)

In 2013, Martin Gottesfeld came to hear about the ‘medical’ child custody case of Justina Pelletier. She was being treated at Boston Children’s Hospital at the time. Taking her fight upon himself, Martin posted a video online claiming to be part of the Anonymous hacking group. He followed this by doxing personal information from people involved in her treatment and then launched a Distributed Denial of Service (DDoS) attack on the Boston Children’s Hospital. The DDoS knocked their internet facing systems offline for two weeks. Fearing arrest by the FBI, Martin and his wife bought a speedboat and fled for Cuba.

Unfortunately for the Gottesfelds, their boat broke down in rough seas and they were forced to send out a distress signal… only to be rescued by a Disney Cruise Liner of all things. In the end, he was arrested and sentenced to 10 years in prison for his efforts.

Links:

https://hotforsecurity.bitdefender.com/blog/the-ddos-attacker-rescued-by-a-disney-cruise-ship-is-sentenced-to-over-10-years-in-prison-20730.html
https://www.rollingstone.com/culture/culture-features/the-hacker-who-cared-too-much-196425


3_ Collection #1

(The massive 773million record data breach)

By this time, you would most probably have heard or read about this one, as it is widely reported on. But, before you start running down corridors screaming ‘the end is nigh!‘, read this first.

This isn’t a new single breach. To quote Troy Hunt, who runs Have I Been Pwned: the leaked data set is “made up of many different individual data breaches from literally thousands of different sources.”

Brian Krebs also notes that this is old data and offers the following advice relating to the ‘breach’:

“If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).”

Links:
http://
https://