DON’T CLICK THAT LINK (Unless it’s us)

Don’t do it!

A common piece of advice we often give to users is:

Do not click any links in unexpected emails.

Good advice. Let’s put it to the test:

The South African Revenue Service (SARS) brand is notorious for being used in Phishing attacks, trying to trick users into divulging banking or other personal information.

See some of the samples here: (Yes, I know it’s a link…)

SARS also shares warnings about things to look out for in phishing mails:

  • “Members of the public are randomly emailed with false “spoofed” emails made to look as if these emails were sent from SARS, but are in fact fraudulent emails aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details.”
  • “Importantly, SARS will not send you any hyperlinks to other websites – even those of banks.”

Good advice. However, the following happened:


Is it a Phish?

Yesterday, I received an email message with subject “Please rate your SARS experience”. Now, if you’re a law-abiding citizen of the Republic, you’ll know that your online eFiling deadline was 31 October 2018. So emails like these could be expected, but could also be phishing:

In this instance, Gmail is kind enough to show us that the email did not originate from SARS, but came in via bounce.mkt2356[.]com:

South African Revenue Service (SARS) via 

And they are asking me to click on a link, which is bad. So let’s investigate further…


The Post Office

For this analogy, we’ll run with the idea that I have a letter that I’d like to send to the friendly people at Eskom to enquire about their power generating capability, as we are having Stage 2 load shedding today.

I decide to drop my well worded letter off at the big red metal post box at the Hatfield Post Office in Pretoria, South Africa.

Upon receiving my letter, the Post Office adds something called an email header to it. An email header keeps track of (among others) all those stamps added to your envelope as it travels past different post offices and mail sorting stations on its way to the friendly folks at Eskom.


Message IDs

One of the many fields contained in the email header is called the Message-ID. This field can help us in our quest to determine where the email originated from. This is in essence the name and serial number of the post box at Hatfield Post Office, as well as a uniquely created tracking number for my letter.

Our SARS email had the following Message-ID:

Message-ID: <>

Normally, you’d expect the portion after the “@” sign to denote a legitimate domain. For example, emails sent from Gmail will have something like this for a Message-ID:

Message-ID: <>

However, in our case rbg13.atlis1 isn’t a valid domain, which is odd for an email received from SARS.


Received Fields

Next, let’s look at the “Received” field. This field records all the email servers which handle an email on its way to its destination.

For our letter we sent to Eskom, the Received fields will look something like this (simplified, I know):

Received: by Hatfield Post Office from Some Guy; 29 Nov 2018 13:15

Received: by Tshwane Distribution Center from Hatfield Post Office; 29 Nov 2018 16:00

Received: by Midrand Distribution Center from Tshwane Distribution Center; 30 Nov 2018 09:00

Received: by Midrand Post Office from Midrand Distribution Center; 30 Nov 2018 12:15

Received: by Eskom Offices from Midrand Post Office; 30 Nov 2018 16:15

In our case, the Received fields show the SARS email traveled the following path to my Gmail account:

1. mail6613.grapevine.mkt7212[.]com

Yes, that shows a pretty short path. Basically one hop from the mkt7212[.]com server to Gmail’s server.
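As an added example (not part of the original post), here is a small POSIX shell script that does the two checks above on a constructed header block: it pulls the host out of the Message-ID, compares it with the From: domain, and prints the Received chain in delivery order. The sample headers and their .example domains are made up; rbg13.atlis1 is the Message-ID host quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): pull the Message-ID host and the Received
# chain out of a raw header block and check them against the claimed From: domain.

# Constructed sample header block modelled on the SARS survey mail in the post.
# The domains are made up (.example); rbg13.atlis1 is the Message-ID host the post quotes.
SAMPLE_HEADERS='Received: by mx.gmail.example with SMTP id q7; Thu, 29 Nov 2018 14:01:00 +0200
Received: from mail6613.grapevine.mkt7212.example by mx.gmail.example; Thu, 29 Nov 2018 14:00:59 +0200
Received: from webapp01.mkt7212.example by mail6613.grapevine.mkt7212.example; Thu, 29 Nov 2018 14:00:58 +0200
From: South African Revenue Service (SARS) <survey@sars.example>
Message-ID: <20181129140058.12345@rbg13.atlis1>
Subject: Please rate your SARS experience'

# Host part of the Message-ID: text after the last "@", with the closing ">" removed.
message_id_host() {
    printf '%s\n' "$1" | awk -F'@' '/^Message-ID:/ { sub(/>.*/, "", $NF); print $NF; exit }'
}

# Domain of the From: address, found the same way.
from_domain() {
    printf '%s\n' "$1" | awk -F'@' '/^From:/ { sub(/>.*/, "", $NF); print $NF; exit }'
}

# Each relay prepends its own Received: line, so the topmost line is the last hop.
# Print the "from" host of every hop, reversed into delivery order (origin first).
received_path() {
    printf '%s\n' "$1" \
      | awk '/^Received: from / { sub(/^Received: from /, ""); sub(/ .*/, ""); print }' \
      | sed '1!G;h;$!d'
}

# "ok" when the Message-ID host is the From: domain or a subdomain of it, otherwise
# "review": not proof of phishing (the post's mail was a legitimate marketing relay),
# but a reason to look at the Received chain and the link targets before clicking.
message_id_check() {
    mid=$(message_id_host "$1")
    frm=$(from_domain "$1")
    case "$mid" in
        "$frm"|*."$frm") echo ok ;;
        *) echo review ;;
    esac
}

printf 'From domain:     %s\n' "$(from_domain "$SAMPLE_HEADERS")"
printf 'Message-ID host: %s (%s)\n' "$(message_id_host "$SAMPLE_HEADERS")" "$(message_id_check "$SAMPLE_HEADERS")"
printf 'Path:\n'
received_path "$SAMPLE_HEADERS" | sed 's/^/  -> /'
```

To run it on a real message, save the raw headers (Gmail's "Show original") to a file and pass `"$(cat headers.txt)"` in place of `"$SAMPLE_HEADERS"`.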


The Link

Next up is the link in the email (the reason I wrote this whole thing).

If you scroll up and look at the screenshot again, you’ll see that the email contains a “Survey Link” to click and complete.

This link in the email shows that it’s for:


(I’ve changed the URL a bit as it’s most likely unique to each address the mail was sent to)

But mkt2356[.]com isn’t SARS. Let’s take a look where you’ll end up if you clicked it:

So, clicking that link for http://links.mkt2356[.]com would actually get you to the legitimate SARS website https://tools.sars[.]

However, to make things worse, mkt2356[.]com has a Certificate Name Mismatch error, which will cause lots of security products to warn you before visiting the site:

And here’s what it looks like when you eventually end at the actual SARS website:

So, it turns out that the MKTxxx domains are owned by IBM’s Watson Campaign Automation digital marketing solution.

So What??

Ok, so at this point you are asking the following: “Come on dude, it’s just SARS using a marketing company to send out emails with unique links so that they can track who actually clicks it, after which it takes you to the actual SARS page, so no need for all these screenshots and stuff, so get off your horse and enjoy your load shedding.”

Well, my point is this:

This is not helpful.

We can’t be telling people “DON’T CLICK ON ANYTHING! JUST DON’T” and then send them crappy survey emails with links we want them to click. So the message becomes:


*Unless we send you stuff via a third party, so then please go ahead and click it, even if it was set up crappy, don’t worry, it’s fine, trust us.


That, my friend, is confusing.

Security Awareness – One Password To Rule ‘em All

This is part 2 of our look into the life of Frik and his daughter Marietjie. (Catch part 1 here)

During August 2018, Frik’s plumbing business went through a bit of a slump. Business was slow, the clients he had were increasingly difficult and drains didn’t clog as they used to.

In order to unclog Frik’s business (pardon the pun) Marietjie had an idea: “Why not up your social media presence?”

At this stage, Marietjie was the family social media expert: dishing out advice on creating WhatsApp stories, doing live video streaming via Facebook and even helping Gran with applying Snapchat stickers. Frik decided to give it a shot, after all, nothing to lose, right? Facebook, Instagram, Snapchat, WhatsApp, YouTube, you name it and Plumber Frik had a profile. Marietjie also convinced him to change his online profiles from ‘Plumber Frik’ to ‘Plombier Frik’.

“It will appeal to a more sophisticated clientele,” she said.

Pretty soon Plombier Frik was the most followed plumber on Social Media in all of the East Rand. Doing live Facebook broadcasts while unclogging shower traps, creating how-to videos on setting your geyser thermostat and Instagramming before and after photos when replacing burst galvanized pipes. However, keeping track of all his social media profiles was a bit of a mission. Luckily, he had developed a nifty approach…

One password to rule them all, One password to find them, One password to bring them all, and in the darkness bind them.

Ok, to be honest, Frik has only watched the first half of the first LOTR movie (never mind having read the books). So this quote is a bit out of place for Frik, but please, humor me:

One fateful evening, Frik went through his list of social media accounts. One by one he changed each password to GeeVirFriknDruk007. (The equivalent of “Give Frik a Hug 007” for our English-speaking listeners). Each account Frik changed was like a step closer to Mordor. The password started to burn him, he just had to use it again. And again. And again. By 1:30am that evening, Frik had changed everything, including his Gmail account password to GeeVirFriknDruk007.

“Lekker man, lekker” Frik said to himself.

As Frik’s social media following increased, so did the fan mail. Ladies from Prieska to Pretoria were sending him email, asking about his thick Afrikaans accent, where he grew up, what size wrench was his favorite and every now and again the odd question about re-enamelling old baths.

The fan mail started to take up a lot of Frik’s free time, but he wasn’t going to disappoint his newly acquired fan base. He still remembers the rejection he felt as a young man in 1996 when Neil Tovey didn’t respond to the letter he wrote him after Bafana Bafana’s African Cup of Nations victory. No, he’ll respond to each and every email. After a while, Frik established a nice rhythm. Monday to Thursday nights after dinner, he’ll settle into his favourite lazy chair in the living room, put on some sweet tunes from Albert Frost and respond.

Late one evening, just as Frik was wrapping up his last few fan mail responses, he received an email:

“Dear Frik,

We are importers of only the highest quality copper pipe bends.

For your perusal, we’ve attached our latest price list to this email.

Looking forward to doing business with you.

Kind regards,

Mr G Ollum.”

“Ah, this should be interesting,” Frik thought to himself. “I wonder if they’ll beat the prices of Frodo’s Plumbing Supplies around the corner?”

The email had a single attachment: ‘Price List.html’

Clicking on the attachment opened Internet Explorer. Next loaded a Google Docs page.

“Marietjie!” Frik yelled.

“Ja dad, what’s wrong?” she replied.

“What’s Google Docs?”

“It’s a thing from Google where you can create and edit documents in the cloud. Why?”

“A supplier sent me a price list on Google Docs. Is it safe?”

“Yes, don’t worry.”

“Ok, it’s asking me to log in or register.”

“Just use your Gmail account to log in”

After Frik enters his Gmail username and password, the page seems to load, but only comes back to a Gmail login page.

Frik tries again, this time the page loads and redirects back to Google.

“Marietjie, it’s not working!”

“Ok dad, can I check tomorrow?”

“Ja, ok” Frik closes his laptop and stands up from his lazy chair. As the closing theme of tonight’s NCIS: Los Angeles episode plays in the background, he meanders off to bed.

The next morning, just before the crack of dawn, a strange thing started to happen. While Frik was happily snoring away, his social media accounts underwent an evolution of sorts.

Instead of being all about plumbing, they were now showing pictures advertising Ray Ban sunglasses at 90% discount!

“Amazing!” Frik thought to himself later in the day as he stared at a pair of Ray Ban Aviators for only R199 shown on his Instagram page. There was one issue however, Frik could not log in to any of his accounts anymore. Nothing wanted to work: Facebook, Instagram, Pinterest and Twitter. That’s odd, he thought. Alas, let’s reset the passwords for the lot.

As he went through the “Forgot my Password” option on each website, he waited with great anticipation for the familiar “ding” his phone makes when a new email arrives. However, this time Frik was only met with deafening silence. As he opened his Gmail app on his phone, he was greeted with a login screen. “Odd” he thought. Entering his username and password however changed “Odd” to “Oh no“. He could now not log into his email either.

What happened?

Frik got Phished. Properly phished. The email that he thought he received from a supplier was in fact a phishing email. An email from an attacker pretending to be a supplier. This message was specially crafted to convince Frik to open the attached Price List.html file. Once opened, it loaded a fake Google Docs page instead of an actual price list. Again, this was just a ruse to trick him into entering his Google username and password. Once entered, his username and password were sent to the attacker without him realising.

Following a careful study of his email communications by the attacker, they were able to get access to his social media accounts. “How?” You might ask. Well, in this case they only had to use his email address and password, of course! Frik had the same username and password for each account. Basically the same key for every lock he had. As such, stealing one key provided access to all the locks.


Enter Two Factor Authentication (2FA)

Phishing is a problem, yes. However, two factor authentication (2FA) may have prevented this. 2FA is the tech that uses two ways of authenticating you when you sign on. Typically, this translates to you using a username and password combination to log in, as well as entering an additional passcode sent to your mobile phone.

Had this been enabled, the attacker wouldn’t have had the ability to log in to any of Frik’s accounts, even though they had his user name and password. This is because the 2FA passcodes would have been sent to his mobile phone, leaving the attacker high and dry.

“But how do I enable this magic?” I hear you ask. Below is a list of common platforms with their how-to guides on enabling 2FA:

And lastly, password reuse is bad. Don’t do it, just don’t. Use a password manager that allows you to securely store passwords for your accounts. This will enable you to generate secure, unique passwords for each place you log on. A good free one you can have a look at is LastPass.

Security Awareness – Meet Frik and Marietjie.

October is National Cyber Security Awareness Month (NCSAM). Although NCSAM is a United States initiative promoting Cyber Security Awareness during the month of October, the rest of the world usually jumps on the bandwagon as well. So, it’s becoming more like International Cyber Security Awareness Month.

During the month of October, large volumes of (usually) very valuable information are published regarding information security awareness. This month, I shall join the fray with a couple of stories promoting Security Awareness. Let’s go.


Frik and Marietjie:

Meet Frik. Or rather, allow me to be more descriptive, meet Frik the plumber. Frik is your typical East Rand plumber. A good guy at heart, not too fond of technology, unless you’re referring to Showmax (but he’s starting to adapt). In the last couple of years, Frik’s business has grown tremendously and he has had to enroll the services of his eldest daughter, Marietjie, to assist with the admin side of things. Frik is able to do miracles with copper pipe, a shifting spanner and some soldering wire, but generating invoices and keeping track of payments isn’t his strong suit. This brings us to Marietjie, who has always been the tech savvy one in the family. Some of her friends would call her a tech guru, due to her being one of a select few in their close circle with the ability to type with two hands. She uses a newly bought desktop to generate invoices, pay Frik’s suppliers and verify electronic payments made by his clients.

Marietjie is however easily distracted, disappearing down Instagram rabbit holes for hours at a time. When it’s not Instagram, she keeps up with happenings on Facebook, Twitter & News24. Don’t forget the daily musings of her personal diary on Evernote. This is all done from her Android phone.

At this stage, everyone is probably asking: Marietjie, did you install an antivirus application on the desktop?

Answer: “Oh cool, a new season of Greys Anatomy. Still can’t believe they let McDreamy die… Oh, you asked about antivirus. Yes of course, the thing came pre-installed with some antivirus thing. Don’t worry.”

Every now and again, Marietjie skims by an article on Twitter about some sort of hacker thing. “Hackers gonna hack” she ponders as she scrolls away. On Tuesday, midway between one of her regular afternoon Showmax binges, an email notification pops up on the desktop. With one eye on the computer screen and the other on the latest episode of Grey’s, she swiftly deduces it’s some supplier sending an invoice.

“A new invoice has been generated, please click <<here>> to view.” the email reads.

Click goes the mouse.

Marietjie pauses abruptly. “What just happened? What’s going on?? Meredith just said the patient’s tumor is inoperable, and now the red head army ginger guy is pushing him to the theater for emergency life saving surgery?“.

Meanwhile on the computer: “Error 500 – The page you are looking for cannot be displayed”.

That’s odd she thinks, I thought Meredith knew how to interpret brain scans? How could she make such a mistake?

F5 (refresh), still the invoice isn’t loading. She taps F5 a couple more times. “Well, if they really want us to pay, they need to sort out their system. Anyway, I’ll deal with it later.” Whilst Marietjie starts to meaninglessly scroll through Pinterest posts about dog blanket ideas for her new Yorkshire Terrier puppy, the desktop’s processor begins churning away.

The ‘broken’ link she so ferociously clicked on in the email wasn’t broken. It was purposely showing her a fake error message, whilst in the background executing a browser exploit. Basically this malicious link she clicked, unknown to her, led to all sorts of nasty files being downloaded and executed on the system. This desktop Marietjie is using for invoicing, online banking and email communication with Frik’s clients, is now infected with a Remote Access Trojan, a RAT. As a new episode of Grey’s starts, the RAT begins to secretly communicate back to its master via the internet. This includes daily updates of what Marietjie is doing on the computer, where she logs in and who she emails. It even takes screenshots of those Google searches for “does Yorkshire Terriers like perfume?” and “why did they call him Mc Dreamy?”.

But wait. Remember earlier when we asked Marietjie about antivirus and she so confidently replied between Mc Dreamy comments that it came with the computer? Taking a closer look reveals that there was indeed an antivirus application which came preinstalled with the desktop. What our dear Marietjie failed to notice was, that this was only a 30-day trial. After the initial 30 days passed, the protection stopped working. In essence, her antivirus last protected the desktop while Mc Dreamy was still alive and in love with Meredith.

This brief look into Marietjie’s life highlighted two important concepts:

  1. Be careful of what you click on. Bad guys make use of email messages to trick you into compromising your security. This can be in the form of an attachment, which masquerades as a document but in actual fact is packed full of bad things. Another method, as in Marietjie’s case, is a link included in an email message which when clicked, goes to a bad website to download more bad stuff to your computer. There are a lot more sly tricks attackers may use to compromise your system, but these examples will do for now.
  2. Install and check up on your antivirus application. Remember: “if it ain’t running it ain’t protectin’ “. You get the point. It also needs to be regularly updated. Using an outdated antivirus is like a police officer looking for criminals in 2018, with a Most Wanted list from 1980.

#Cryptojacking – A ‘Not Too Technical’ Story

Bitcoin, blockchain, bitcoin mining, mining bitcoin on the blockchain, using the blockchain to mine bitcoin in order to buy Ethereum so that you can in turn buy stuff on the dark web. Yeah, that doesn’t make a lot of sense. Now, add another word to the already confusing list of cryptocurrency terms: #Cryptojacking.

Side note: The term Cryptojacking is not to be confused with malware families like CryptoShuffler or ComboJack. These are geared towards stealing actual bitcoin.

Cryptojacking however is when a victim’s computing resources are hijacked and used to mine cryptocurrency. On a basic level, this means that the targeted computer’s processor and GPU are used by an attacker to process the complex algorithms as part of cryptocurrency transactions. The resulting reward (coins) from the mining is then received by the attacker.

Currently, there are two flavours of Cryptojacking:

  1. Via the browser. When a user visits a website that has a cryptomining script enabled, the processing power available from the user’s computer is used, via the browser, to mine cryptocurrency. Mining scripts are often added to compromised websites where mining takes place without a user’s knowledge or consent. The malicious mining ceases once the browser tab for the infected website is closed.
  2. Via malware infections. Cryptojacking malware running on an infected computer will allow for continuous mining. An example of this is the Powerghost miner.

Cryptojacking is in essence the digital equivalent of someone breaking into your tool shed at night and, instead of stealing your stuff, they use your tools:

Creating amazing wood furniture, those projects you see on Pinterest where a guy with a leather tool belt takes old wood pallets and creates the most amazing chest of drawers within 22 minutes, flat.

Is Cryptojacking an issue that deserves priority?

This is a legitimate question, seeing that ‘no one is getting hurt‘.

Let’s continue with our tool shed analogy: You now suspect that someone is making use of your tools at night. Do you interrupt your hard earned sleep and hold a stake out to catch the bugger? Or should you rather focus on the real criminals that might actually steal your stuff?

Although our miscreant is bringing along his own upcycled pallets, he is still using your machinery. Say he does it once or twice a month, that ain’t bad you think. But, unfortunately, he does not have the woodworking finesse of Nick Offerman, and for all you know, he’s doing it every night. Using your electricity, breaking your drill bits, leaving the wood glue bottle open and not to mention the wear and tear of your machinery. Some nights he even lets your mitre saw run for 8 hours straight, allowing it to overheat and damage the motor.

This guy is now pretty much spending 12 hours a night, 7 nights a week in your tool shed, which also gives him time to look around the yard. One night during a smoke break, he sees that kitchen window with the broken latch you’ve been meaning to fix for the last 4 Saturdays. Miscreant ponders to himself: “A cup of coffee would sure be nice…

As you wake up the next morning, you realise that our miscreant was in your kitchen and used your last batch of Legado Guatemalan Finca El Rincon single origin coffee beans to create the smoothest of cappuccinos in your newly Italian imported Rocket Espresso machine.

As you sip on a stale cup of instant coffee (which you think to yourself tastes more like a cardboard box than pure exhilarating caffeine), you decide that this was the last straw… It is time for action. That afternoon, you swing by the local hardware store and buy a new window latch and a proper hardened steel padlock for the shed. “That’ll keep ‘em out” you think to yourself as you lock the shed and smile at the newly fixed kitchen window latch.

The next morning, as you awake from a restful sleep, you stroll down to the kitchen, already planning an amazing breakfast for the missus (eggs benedict with a chili hollandaise sauce and streaky bacon).

“This is going to be the best…. WORST BREAKFAST EVER!!”.

It’s gone. Everything is gone. Your fridge with the eggs and streaky bacon, gone. Your vegetable rack with the fresh chilies, gone. Your Rocket Espresso machine… GONE. As the horror of what could only have happened during the night dawns upon you, your eye catches a glimpse of the open patch of lawn where your tool shed once stood. FREAKIN GONE. How the dangit did someone steal a tool shed and MY ENTIRE KITCHEN?

During the next few hours as policemen walk up and down the yard looking for clues, it dawns upon you. The woodworking miscreant had other skills as well. He wasn’t only a Pinterest level craftsman, but also a master thief (he was able to carry away your entire kitchen without you waking up), a pretty decent truck driver (reversing a flatbed truck down your driveway and lifting your tool shed takes some work) and a meticulous planner. During the past week of night time craftsmanship, the miscreant cloned your house keys and your gate remotes. This allowed him to open the front gate with a remote, reverse the truck in and unlock the kitchen door after loading the shed.

Fairly dramatic, yes, but the take home remains:

Cryptojackers aren’t just a nuisance. In the recent case of the Rakhni Miner, upon successful infection, the malware makes the decision if it wants to encrypt your data (Ransomware) or if it is going to use your resources to mine cryptocurrency.

If there are Cryptojackers running around in your environment, it should be a red flag that there are some definite weaknesses that need to be addressed within your environment.


For further reading on cryptojacking, have a look at the following articles:

Detecting Time Changes with L2T (Ain’t Nobody Got Time For That)

Every good blog post about time issues in forensics needs a theme song.

Today’s theme song is Ain’t nobody got time for that from the local band Rubber Duc:

Having a theme song, and more importantly, embedding the Youtube video for said theme song in your blog post, serves the following two purposes:

  1. It keeps the reader here for 3 minutes and 18 seconds (when viewing it embedded on this page), which will make me and my post analytics think that they actually spent time reading through the entire article.
  2. Gets a song stuck in the reader’s head, ideal for when you go back to writing that report you’ve been putting off all week.

Now that we got that out of the way, let’s get down to the business of the day:

Identifying Time changes in Windows Event Logs with L2T:

As you’d recall from my previous post, the aim of this series is to play around with quick things you can do at the beginning of an investigation, while for example, waiting for processing to complete. Specifically, those ‘nice to know’ things that take only a couple of minutes to check…

Time changes on a system can make a simple investigation quite complex very quickly. A common sample case is where a user backdates a system before deleting / creating files.

The following steps should be enough to give you a quick view of user initiated time changes on a system. Remember, this is only to get a high level view, just enough to let you know you need to dig deeper.

Let’s start:

Step 1

First off, we start with processing only the Security and System event logs with Log2Timeline, followed by psort-ing it using the l2tcsv output format. The reason for having a look at the Security and System event logs is that Time change events are recorded in both. Often, the Security event log is quite busy, so chances are that historical events will get overwritten a lot quicker than those in the System event log. My current Security event log has 30,000 entries, with System only sitting at 10,000.

Step 2

Now that we have an output file (in my case SecSysEvt.l2t.csv) which contains the L2T output from the Security.evtx and System.evtx, we can start Grepping.

We’ll do this in two sections:

  1. Dealing with time change events in the Security Event log (this post).
  2. Dealing with time change events from the System event log (next post)

Security Event log

When a time change occurs on a Windows 7 and later system, Event Id 4616 fires. See more about this event at Ultimate Windows Security.

So let’s get grepping:

grep Security\.evtx SecSysEvt.l2t.csv

This gives us the events in our L2T output which came from our Security.evtx file (ignoring events from the System.evtx for now). In my case I have 27,884 Security.evtx events.

Next, we want to narrow it down to only Event ID 4616. The following should do the trick:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616"

After this, we clear out some unwanted 4616 events. In this case we are excluding events that were not caused by user action. Remember, we want to know if a user was messing around with the system time.

To accomplish this, we exclude events containing LOCAL SERVICE as well as S-1-5-18:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18"

Our output is now ready for us to only extract the columns we want. To do this we make use of awk. First up, we output only the xml section of the L2T output:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}'

This gives us something like:

L2T xml Output

We now use awk to only give us the columns we are currently interested in. For this scenario, I’m only looking for the following columns:

  • Event ID
  • User SID Responsible for the change
  • User Profile Name
  • Computer Name
  • The process responsible for the change

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}' | awk -F'[<,>]' '{print $9 "\t" $57 "\t" $61 "\t" $65 "\t" $85 }'

Using this, we get the following output:

Awk Columns

All that’s left now is some sorting and unique-ing:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}' | awk -F'[<,>]' '{print $9 "\t" $57 "\t" $61 "\t" $65 "\t" $85 }' | sort | uniq -c | sort -n -r

This gives us the following:

For this event log, there were 8 time changes, resulting from user actions. 6 by SystemSettingsAdminFlows.exe and 2 by dllhost.exe.

From what I can see on my Win10 test system, SystemSettingsAdminFlows.exe is responsible for making system time changes when a user made use of the “Adjust Date\Time” option from the taskbar. I’m doing some more testing with regards to when dllhost.exe fires on Windows 10. So far I haven’t been able to replicate it…

Remember, this is just a pointer or a flag that gets raised to let you know that it might be useful to have a deeper look at time change events on a system.

Lastly, this grep should work on Windows 7 Security event logs as well (Haven’t tested it on Win8). I ran it on a couple of test Win7 systems, and it was good enough to show a specific application installed by a user was making regular time adjustments across these systems.
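As an added example that is not from the original post, here is the same 4616 triage in POSIX shell, but picking the XML fields by their Data Name rather than by awk column number (the $9, $57 … positions shift as soon as the event XML gains or loses an element). The l2tcsv lines it runs on are constructed and shortened, and the user, SIDs and computer name are made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Security.evtx 4616 events from an
# l2tcsv file by named XML fields (<Data Name="...">) instead of by awk column position.

# Constructed, shortened l2tcsv line: $1 source evtx, $2 EventID, $3 SID, $4 user, $5 process.
# Real plaso output has more columns; the grep/awk steps only depend on the file name
# and on the "xml_string: " tail of the description column.
mk_line() {
    printf '11/29/2018,13:15:00,UTC,..B.,EVT,WinEVTX,Content Modification Time,-,WIN10-TEST,'
    printf '[%s / 0x0000] xml_string: <Event><System><EventID>%s</EventID><Computer>WIN10-TEST</Computer></System>' "$2" "$2"
    printf '<EventData><Data Name="SubjectUserSid">%s</Data><Data Name="SubjectUserName">%s</Data>' "$3" "$4"
    printf '<Data Name="ProcessName">%s</Data></EventData></Event>,2,C:/evidence/%s,-,-,-\n' "$5" "$1"
}

# Made-up events: three by a user, two by service accounts, one non-4616, one from the wrong log.
sample_l2t() {
    mk_line Security.evtx 4616 S-1-5-21-1-2-3-1001 frik 'C:\Windows\System32\SystemSettingsAdminFlows.exe'
    mk_line Security.evtx 4616 S-1-5-21-1-2-3-1001 frik 'C:\Windows\System32\SystemSettingsAdminFlows.exe'
    mk_line Security.evtx 4616 S-1-5-21-1-2-3-1001 frik 'C:\Windows\System32\dllhost.exe'
    mk_line Security.evtx 4616 S-1-5-19 'LOCAL SERVICE' 'C:\Windows\System32\svchost.exe'  # service account
    mk_line Security.evtx 4616 S-1-5-18 'WIN10-TEST$' 'C:\Windows\System32\svchost.exe'     # SYSTEM
    mk_line Security.evtx 4624 S-1-5-21-1-2-3-1001 frik '-'                                 # not a time change
    mk_line System.evtx 4616 S-1-5-21-1-2-3-1001 frik 'C:\Windows\System32\dllhost.exe'     # System log, handled separately
}

# Value of one <Data Name="$1"> element from each XML line on stdin (nothing if absent).
data_field() {
    sed -n "s/.*<Data Name=\"$1\">\([^<]*\)<\/Data>.*/\1/p"
}

# Security.evtx 4616 events minus LOCAL SERVICE and SYSTEM (S-1-5-18), as one
# tab-separated "SID user computer process" line per event, counted and sorted.
user_time_changes() {
    grep 'Security\.evtx' | grep 'EventID>4616' \
      | grep -v -e 'SubjectUserName">LOCAL SERVICE<' -e 'SubjectUserSid">S-1-5-18<' \
      | awk -F'xml_string: ' '{ print $2 }' \
      | while IFS= read -r xml; do
            printf '%s\t%s\t%s\t%s\n' \
              "$(printf '%s\n' "$xml" | data_field SubjectUserSid)" \
              "$(printf '%s\n' "$xml" | data_field SubjectUserName)" \
              "$(printf '%s\n' "$xml" | sed -n 's/.*<Computer>\([^<]*\)<\/Computer>.*/\1/p')" \
              "$(printf '%s\n' "$xml" | data_field ProcessName)"
        done \
      | sort | uniq -c | sort -n -r
}

# Number of user-initiated time changes left after the same filtering.
user_time_change_total() {
    grep 'Security\.evtx' | grep 'EventID>4616' \
      | grep -c -v -e 'SubjectUserName">LOCAL SERVICE<' -e 'SubjectUserSid">S-1-5-18<'
}

printf 'User-initiated time changes: %s\n' "$(sample_l2t | user_time_change_total)"
sample_l2t | user_time_changes
```

On a real psort output, run `user_time_changes < SecSysEvt.l2t.csv`.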

Next time, we’ll look at time change events in the System event log.

Finding Failed Logon Attempts With Log2Timeline While You’re Searching For Your FTK Dongle

I have recently been thinking through ideas for some quick and dirty initial processes one can do at the start of an investigation.

This would typically be whilst you’re doing one of the following:

  1. Waiting on full disk (including VSS) log2timeline processing to complete.
  2. Waiting on Axiom to run the ‘build connections’ module because you forgot to enable the option prior to the initial processing phase.
  3. Waiting on EnCase 8.07 to finish processing, although it’s been sitting at 100% for the last 2 hours.
  4. Trying to figure out where you last saw your FTK dongle.

This brings us to a New Blog Series:

The aim of this post (and hopefully this series) is to play around with things you can do at the beginning of an investigation, while for example, waiting for processing to complete. Specifically things that could be of value to know at the beginning of an investigation.


And, that brings us to today’s post:

Finding failed logon events.

Identifying failed logon events in the Security event log of a system could mean a couple of things:

  1. Someone is attempting to brute force an account.
  2. <add a list of more possible reasons here>

The above extensive list provides good reason why it could be of value to have a quick squiz through a system’s Security Event logs for failed logon attempts.

As such, I wanted to know the following relating to failed logon events:

  • How many (if any) failed logon attempts were recorded in the system’s security event log.
  • Which accounts had the most failed logon attempts, as well as the logon types.
  • What were the top failed source IP addresses recorded.
  • What date(s) did the most failed logon attempts occur on.

Side note: The sample data I used for this post came from the image provided by Dave and Matt (The Forensic Lunch) as part of the MUS CTF. More about the MUS CTF and the image, check here.

To answer these questions, here’s one quick and dirty way:

Step 1:

Process the Security event log with Log2Timeline (this took just over a minute to process 33,000 events from Security.evtx):

$ log2timeline.py mus.sec.evtx.l2t securityevt/

Log2Timeline Output


Step 2:

Run psort across the output using the l2tcsv format (this took 30 seconds to run):

$ psort.py -o l2tcsv -w mus.sec.evtx.csv mus.sec.evtx.l2t

Psort Output


Step 3: Grep & Awk

This is where the fun starts. Because the output from running log2timeline / psort on a Security event log is expected to have the same structure each time, the same commands should work. (I tested this with Security event logs from Server 2012, Windows 7 and Windows 10 and it seems to work on all the different outputs.)

This may appear ugly, but it works.

Grep & Awk Output

Total Failed Logons: grep "EventID>4625" mus.sec.evtx.csv | wc -l

Top Failed Accounts: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"TargetUserName\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Failed Logon Types: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"LogonType\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Failed IP Address Origins:
grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"IpAddress\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Dates With Failed Logons: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"TimeCreated SystemTime=\"" '{print $2}' | awk -F"T" '{print $1}' | sort | uniq -c | sort -n -r | head


And the end result:


We can now see that there were 612 failed Type 3 logon attempts, all on May 5th 2018. It also shows us that the Administrator account was most often attempted to log in with, as well as the top IP addresses where the logon attempts came from.

All this in less than 5 minutes.
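The same four tallies in a single pass, as an added example that is not from the original post or from plaso: it takes the XML after "xml_string: " in each l2tcsv line, matches the EventID exactly rather than as a substring, and counts TargetUserName, LogonType, IpAddress and the TimeCreated date. The CSV lines are constructed and abbreviated (real psort output carries more columns before the description), and the "-" that 4625 records for local logons is counted as its own source, just as the awk pipeline does.

```python
import re
from collections import Counter

# Constructed, abbreviated l2tcsv lines (not real psort output from the MUS image):
# psort places the event's XML after "xml_string: " in the description column.
SAMPLE_CSV = """\
05/05/2018,10:01:02,UTC,....,EVT,WinEVTX,-,-,WS01,xml_string: <Event><System><EventID>4625</EventID><TimeCreated SystemTime="2018-05-05T10:01:02.000000Z"/></System><EventData><Data Name="TargetUserName">Administrator</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
05/05/2018,10:01:03,UTC,....,EVT,WinEVTX,-,-,WS01,xml_string: <Event><System><EventID>4625</EventID><TimeCreated SystemTime="2018-05-05T10:01:03.000000Z"/></System><EventData><Data Name="TargetUserName">Administrator</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
05/06/2018,02:15:00,UTC,....,EVT,WinEVTX,-,-,WS01,xml_string: <Event><System><EventID>4625</EventID><TimeCreated SystemTime="2018-05-06T02:15:00.000000Z"/></System><EventData><Data Name="TargetUserName">backup</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
05/06/2018,08:00:00,UTC,....,EVT,WinEVTX,-,-,WS01,xml_string: <Event><System><EventID>4624</EventID><TimeCreated SystemTime="2018-05-06T08:00:00.000000Z"/></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>
"""

# EventID may carry attributes (e.g. Qualifiers="...") in real EVTX XML.
EVENT_ID_RE = re.compile(r"<EventID[^>]*>(\d+)</EventID>")
SYSTEM_TIME_RE = re.compile(r'SystemTime="(\d{4}-\d{2}-\d{2})T')

def data_field(xml, name):
    """Return the text of <Data Name="name">...</Data>, or None if absent."""
    m = re.search(r'Name="%s">([^<]*)<' % re.escape(name), xml)
    return m.group(1) if m else None

def failed_logon_summary(csv_text, top=10):
    """Tally 4625 events the way the grep/awk pipeline does, in one pass."""
    accounts, logon_types, sources, dates = Counter(), Counter(), Counter(), Counter()
    total = 0
    for line in csv_text.splitlines():
        if "xml_string: " not in line:
            continue
        xml = line.split("xml_string: ", 1)[1]
        m = EVENT_ID_RE.search(xml)
        if not m or m.group(1) != "4625":   # exact ID match, not a substring test
            continue
        total += 1
        accounts[data_field(xml, "TargetUserName") or "?"] += 1
        logon_types[data_field(xml, "LogonType") or "?"] += 1
        sources[data_field(xml, "IpAddress") or "?"] += 1   # "-" for local logons
        t = SYSTEM_TIME_RE.search(xml)
        dates[t.group(1) if t else "?"] += 1
    return {
        "total": total,
        "accounts": accounts.most_common(top),
        "logon_types": logon_types.most_common(top),
        "sources": sources.most_common(top),
        "dates": dates.most_common(top),
    }

if __name__ == "__main__":
    for key, value in failed_logon_summary(SAMPLE_CSV).items():
        print(key, value)
```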

Highway To The Danger Zone.Identifier

Phill Moore recently did a write-up on some pretty cool changes made to the data being recorded within the Zone.Identifier Alternate Data Streams (ADS) for downloaded files.

Have a read here:

Now, if you’re not going to read Phill’s blog and just opened this article because of your innate love for Tom Cruise and bad Top Gun puns, shame on you.

Son, before your ego starts writing checks your body can’t cash, let’s at least assume we all agree on the following:

A Zone.Identifier ADS is an extra piece of information stored with downloaded files. It helps Windows determine whether a file should be trusted or not. For example, an executable file downloaded from the internet will be treated with the necessary suspicion based on the zone it came from (i.e. the Internet).

Phill’s testing has highlighted two additional fields that are being stored within the Zone.Identifier:

  • HostUrl
  • ReferrerUrl

This is a great source of information as it can assist in determining where (URL) a downloaded file originated from.

A bit of Googling revealed the following response to a Bugzilla report by a Windows Defender ATP team member regarding the addition of these fields in Windows 10:

This feature was added in Windows 10 release 1703 (build 15063).
The HostUrl and ReferrerUrl are set by Microsoft Edge and Google 
Edge also sets a HostIpAddress field.

It is used for protection purposes.
Specifically, Microsoft’s Windows Defender Advanced Threat 
Protection exposes this info to the SOC, who can then identify where 
attacks came from, which other downloads might be related, and 
respond/block accordingly.
I don't know which other products/tools use this feature.

(from the Windows Defender Advanced Threat Protection team)

I haven’t seen the HostIpAddress field before, so I decided to run similar tests with three browsers, identical to those used by Phill:

    • Firefox 60.0.2 (64-bit)
    • Chrome Version 67.0.3396.87 (Official Build) (64-bit)
    • Microsoft Edge 42.17134.1.0

For my tests, I downloaded the file with each browser from the following URL:




Firefox behaved as expected with no additional fields added to the Zone.Identifier:

Firefox Zone.Identifier


Chrome added the ReferrerUrl and HostUrl as follows:

Chrome Zone.Identifier


In my case, Edge also added the ReferrerUrl and HostUrl:

Edge Zone.Identifier

This is interesting, as it differs from Phill’s testing. I will compare notes to see if there’s a specific reason for this.


Archives, Zone.Identifiers & ReferrerUrls

Now, if you’re one of those analysts who won’t be happy unless you’re going Mach 2 with your hair on fire, you’ll like this:

If you use the built-in Windows “Extract All” option to extract the downloaded archives, you get a Zone.Identifier for each extracted file:

Zone.Identifiers in Extracted Files

Note: when testing the same by extracting the archive with 7-Zip, it did not create Zone.Identifiers for the extracted files.

In addition to the zones, the Zone.Identifier now records the path of the parent archive where the extracted files originated from in the ReferrerUrl field:

Zone.Identifier in Extracted File Showing Parent

Not only are you now able to determine from which URL a downloaded file originated, you may also be able to track an extracted file back to its original archive.


Copying files to an external hard drive

“But Maverick” you interject, “what happens when the files are copied to an external hard drive?”

“Fear not Goose, the lovely thing about Zone.Identifiers are that they travel oh so well.”

Copying the downloaded zip to an NTFS formatted external hard drive still kept the Zone.Identifier intact:

Zip Zone.Identifier on External HDD


The same was found for the Zone.Identifiers for the extracted files:

Zip Zone.Identifier for Extract Files on External HDD


Till next time…

Update [2018-06-19]

Welcome to Next Time.

Thanks to Paul Bryant (see comments below the post) we have more ‘clarity’ on when Edge will add a HostIPAddress field to downloaded files.

Saving the file with Edge:

The following DOES NOT store a HostIPAddress:
1. Clicking on a file link to directly download the file.
2. Right-Clicking on a file link > Save Target As > And directly click save without changing the path.

The following stores a HostIPAddress:
1. Right-Clicking on a file link > Save Target As > Changing the target directory and saving the file.
2. Right-Clicking on a file link > Save Target As > Changing the target directory to something else, and then changing the target dir back to the original default folder.

Here is a sample of a Zone.Identifier containing a HostIpAddress for a file downloaded with Edge, where the target directory was changed a couple of times and then changed back to the Downloads dir:

So now, calculate how many users are on Windows 10, use Edge as their browser, and are “Right-Clicking, Save Target Assing, Change Dirring” when they save data.

That’s how often you’ll see the HostIPAddress field in a Zone.Identifier (that I know of).

Seems to be an Edge case, if you pardon the pun.
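An added example, not from Phill’s or this post’s testing, that parses the [ZoneTransfer] block shown in the screenshots above and groups extracted files back to their parent archive by ReferrerUrl, also carrying the HostIpAddress field from the Edge update. The sample streams are constructed; read_zone_identifier only works on NTFS, where the stream is opened as "<file>:Zone.Identifier".

```python
import configparser
from collections import defaultdict

# URL security zone numbers as stored in ZoneId (3 = Internet is what downloads get).
ZONE_NAMES = {"0": "Local machine", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}

def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream ([ZoneTransfer] INI block) into a dict.
    Returns None when there is no [ZoneTransfer] section. Keys keep their case,
    so HostUrl / ReferrerUrl / HostIpAddress appear exactly as written."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:          # e.g. no section header at all
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    rec = dict(cp["ZoneTransfer"])
    rec["ZoneName"] = ZONE_NAMES.get(rec.get("ZoneId"), "Unknown")
    return rec

def read_zone_identifier(path):
    """Read the ADS from a file on NTFS (Windows only); None if it is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def group_by_referrer(records):
    """Map each ReferrerUrl (download page, or the parent archive path for files
    extracted with 'Extract All') to the files that carry it."""
    parents = defaultdict(list)
    for name, rec in records.items():
        if rec and rec.get("ReferrerUrl"):
            parents[rec["ReferrerUrl"]].append(name)
    return dict(parents)

# Constructed sample streams (not captured from the author's tests).
DL = "C:\\Users\\u\\Downloads\\"
SAMPLES = {
    DL + "tools.zip": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/downloads/\r\n"
                      "HostUrl=https://example.invalid/files/tools.zip\r\n",
    DL + "tools\\readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=" + DL + "tools.zip\r\n",
    DL + "tools\\run.exe": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=" + DL + "tools.zip\r\n",
    DL + "edge.zip": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                     "HostUrl=https://example.invalid/edge.zip\r\nHostIpAddress=203.0.113.10\r\n",
}

if __name__ == "__main__":
    parsed = {p: parse_zone_identifier(s) for p, s in SAMPLES.items()}
    for parent, files in group_by_referrer(parsed).items():
        print(parent, "->", files)
```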

Parsing APFS with Axiom before the thing from Lost eats you

During the latter part of 2017, Apple introduced its APFS file system, which is being rolled out with macOS High Sierra.

The following section was taken from an Apple support article:

When you install macOS High Sierra on the Mac volume of a solid-state drive (SSD) or other all-flash storage device, that volume is automatically converted to APFS. Fusion Drives, traditional hard disk drives (HDDs), and non-Mac volumes aren’t converted. You can’t opt out of the transition to APFS.

Although there are a couple of articles floating around which show ways to ‘opt out’ of APFS, it is still likely that 99% of High Sierra systems with solid-state drives you’re going to come across will be running APFS.

Now, picture this scenario:

You are stuck on an island with a forensic image of an APFS volume and a toolbox full of your favorite commercial forensic tools. Contained in the APFS volume is a backup of an iPhone 6s which contains a WhatsApp message with the instructions on how to make one mean coconut Mojito. You need to access said message in order to make the Mojito before sunset. Should you fail, you’ll be forced to do manual USB device history analysis for 26 Windows 7 internet café PCs, after which you may or may not get eaten by that thing that was eating people in Lost.

So, your options:

  • Blackbag’s BlackLight — Yes, it works.
  • Autopsy — No support as of version 4.7.
  • AccessData FTK — No support as of version 6.4. Their online tech support noted that APFS support is planned for future releases, however no eta yet.
  • Magnet Forensics Axiom — No support as of version Jad Saliba mentioned at the Magnet User Summit in Las Vegas (May 2018) that they’re currently working on it, but no eta yet.
  • OpenText EnCase — Officially: Yes, Unofficially: Sort of. Although EnCase announced APFS support in version 8.07, I’ve dealt with two separate Macs where EnCase is refusing to parse the APFS volumes. I’ve put one of the images through a few tests. The image happily parses with Blackbag’s BlackLight and mounts with both Paragon’s APFS mounter and Simon Gander’s APFS-Fuse library. OpenText tech support is currently looking into this.
  • X-Ways — No support in version 19.6, however, according to this tweet from Eric it should be coming soon:


Plan A: Blackbag

After your confidence grows while scrolling through the heaps of tweets about Blackbag being ‘the only end-to-end solution for APFS’, you realize that your 30 day trial license has just expired… As you were about to accept your fate and Google “sans usb profiling cheat sheet”, you find two articles from Mari Degrazia on mounting APFS images:

As the daylight starts to fade and you try and remember how many episodes of Lost you actually watched before losing interest, you devise a new plan:


Plan B: Quick and dirty way to process APFS with Axiom and friends.

I was specifically looking for a way to get my APFS image parsed with Axiom.

The following approaches did not work:

Experiment 1:

Mount E01 with Arsenal Image Mounter > Mount resulting APFS partition with Paragon’s ‘APFS for Windows’ > Add files & folders in Axiom.

Result: It processed, but for some files Axiom wasn’t properly linking back to the actual source files to display their content. Not sure whose fault it is, but most likely something to do with the mounting of a mounted image.


Experiment 2:

Mount E01 with Arsenal Image Mounter > Mount APFS partition with Paragon’s ‘APFS for Windows’ > Create AD Image with FTK Imager > Process AD Image with Axiom.

Result: It processed, but again had issues with displaying actual content for some of the files processed. During the creation of the AD Image, FTK Imager encountered a large volume of files it claimed couldn’t be added to the logical image, again likely due to the various mountings.


Experiment 3:

Mount E01 in SIFT with ewfmount (libewf) > mount APFS partition with APFS-fuse > Create a tar of mounted data > Process tar with Axiom

Result: Again got a similar result where Axiom processed the data, but didn’t display actual content for some files.


At this stage most island-stricken forensicators would have given up and resigned themselves to a life of USBSTORs and Volume GUIDs. But luckily, you’re not most forensicators and you try one more way:

Experiment 4:

  1. Mount E01 in SIFT with ewfmount (libewf)
  2. Mount APFS partition with APFS-fuse
  3. Create an empty DD image, create a volume on it and copy the mounted APFS data to the new DD image. For a step by step walk-through of basically creating a DD image from files and folders, check out Andy Joyce’s 2009 post:
  4. Process DD image with Axiom.
  5. Success and Mojitos.

Axiom was happy to process the DD, as well as the iPhone backup which was contained on the APFS volume in one go.

And yes, copying the mounted data to a DD container will update the creation dates of the files. If this makes you feel uneasy, remember, you also just used an ‘experimental’ driver to mount an APFS volume.

At least the thing from Lost didn’t eat you… #winning