Category Archives: #security

Updates, Malware Analysis Links, Meltdown, & Spectre

Readers,

My apologies for not posting more often. I’ve been busy with my studies (and occasionally reading and writing off-site). There have been so many new forensics blogs, mailing lists, and infosec communities recently that I’ve been content with reading instead of writing my own posts. Bad habit, I know! I’ve also taken part in a number of security CTF and infosec challenges. I said that I’d be covering past challenges and their solutions in greater depth in my DC3 post and that’s still a plan for the future (if time permits).

I’ve also been toying with the idea of setting up an up-to-date CTF challenge section on site since I have enough content from past CTFs and challenge organizers. We’ll see. I did make a challenge to de-anonymize target onion sites, the solution to which would be in discoverable data about the target web server. But I’ve been told that this might come across as hostile and not helpful for learning purposes, so I’ll probably just end up with standard jeopardy-style questions. Other options include the obligatory stegano in images, sound files, whole forensic images of disks with flags for various forensic artifacts, etc. Since security challenges are time consuming to create, it’ll have to wait a little longer. As always, feel free to subscribe to the blog for future updates.

I’ve also been looking for quality reverse engineering malware resources. I’m still new to that arena but what follows is a list of some really helpful sites, webinars, and books for learning to disassemble programs and study malware both from a static and dynamic perspective. I realize many readers here already do malware analysis, but this is intended for others looking to get into it. Some of the sources are older but all of them are worth checking out. Regretfully I can’t go through every examiner’s quality blog here, but check the site for more links! I’m also happy to read, study, and add any sites or research if submitted.

Malware Resources

Blogs, Articles, Webcasts, & General Papers

Introduction to Malware Analysis by Lenny Zeltser (Webcast), 12/6/2016.
Note: Webcasts, webinars, white papers, blog entries, conferences; I’ve seen a lot of Lenny Zeltser’s work and I’m a big follower, so I often link to it.

Malware Analysis: An Introduction (GIAC Gold Paper) by Distler. 12/14/2007.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. 3/14/2015.

Malware Analysis Essentials Using REMnux w/ Lenny Zeltser (Webcast), SANS Institute, 4/17/2014.

4 Cheat Sheets for Malware Analysis by Lenny Zeltser, SANS Blog, 9/13/2017.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. 9/7/2017.

Thoughts on Malware, Digital Forensics, and Data Breaches by Hal Pomeranz, SANS Blog, 1/18/2012.

CyberBit’s 5 Open Source Malware Tools You Should Have in Your Arsenal

Projects To Watch/Tools to Know:

FLARE VM – The Windows malware platform by FireEye, a company known for its malware analysis and incident response know-how. 1/16/2018 Update: This tool is really outstanding. The packages can be imported into any VM, preferably a freshly rolled evaluation copy of Windows 10, since you can just keep restoring it if you max out the 90-day eval. FLARE includes many tools for file analysis out of the box, such as hex editors, debuggers, disassemblers, text editors, PE tools, process hacks, packet analyzers, alternate data stream manipulation tools, and more (official list on GitHub). Package installation is made simple with Chocolatey. My own custom box includes essentials I downloaded such as OWASP ZSC for Python shellcode generation, Yara, stegano detection tools, audio editors, and more. It’s definitely not an exaggeration to say that you can make this into the best security platform available on Windows.

REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Kali Linux – I use Kali a lot so I highly recommend it. It’s an extremely well maintained distro, adding your own packages as needed is simple and usually everything just works (thanks to all the modules and dependencies pre-rolled into Kali). There are some great tutorials for pentesting and forensics on Udemy and through Offensive Security. Adding malware tools is easy.

SIFT Workstation – I’ve used multiple versions of SIFT from Linux to Windows 7 and 10. I highly recommend it for forensics work. It does have more timeline tools than Kali (although you can add packages to Kali as you see fit). SIFT VM + Kali VM = ideal. I have heard great things about BlackArch for penetration testing but have yet to try it (I do have fond memories of Archlinux and Archbang, so it’s on my to-do list).

Yara Analysis Tool – industry leading tool in signature and behavioral rule-set matching for malware.

Cuckoo Sandbox – Sandboxing tool for malware. If you’re just using VMware, be careful of VM escape vulnerabilities, bogging down resources, etc.

IDA & IDA Pro – Ideal for static analysis. Disassembler for every major operating system. I’ll be honest, my assembly skills are weak, but this is one tool worth sticking with. There’s even a great No Starch book on IDA to help you out! (IDA Pro Book, 2nd Edition by Chris Eagle — fair warning, the assembly sections are pretty light and assume you know what you’re doing, so I’d suggest supplementing it with another resource to familiarize yourself with the subject prior to diving into IDA. One good (and free) course is the x86 class by Open Security.)

OllyDbg – The Gray Hat Hacking books use OllyDbg a lot.

Immunity Debugger

Automatic Malware Analysis and Sandbox Services by Lenny Zeltser

Classes:

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration w/ Xeno Kovah (Open Security Training)

Introduction To Reverse Engineering Software by Matt Briggs & Frank Poz (Open Security Training)

Reverse Engineering Malware by Matt Briggs & Frank Poz (Open Security Training)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Jake Williams (SANS Institute)
Note: I haven’t had a chance to take this class but it’s pretty much the de facto malware analysis class in digital forensics.

Again, there are many courses and tutorials available through Lynda, Udemy, and YouTube. Here… hold up. There we go (had to do it!).

Technical References:

Tech refs can be expensive but these are totally worth it if you’re committed to learning the subject matter (or, like me, you’re equally committed to making a visually impressive security bookshelf /modestyfail). Most well-maintained, high traffic libraries should have some of them. Sure, there are plenty of online sources with similar information but these texts are definitely helpful.

Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Hartstein, Richard, Ligh, and Adair. 2010.
Note: It’s the bible of malware analysis. It was one of the first larger works to tackle malware head-on. While it isn’t as technically in-depth for complicated tasks (I found that GHH was more technical for some things), it’s a must have. As someone new to malware analysis, I can honestly say it’s readable and worth checking out.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz. 2015.
Note: One of my all time favorites. Black Hat-style techniques are explored using Python code and popular modules. There’s something for everyone here. (I often use BHP or GHH – mentioned below – as a springboard for Python projects, so I can also recommend getting physical copies as opposed to eBook versions.)

Gray Hat Hacking, 2nd Edition & 3rd Edition by Harper, Harris, Ness, Eagle, Lenkey, Williams. 2008 & 2011 respectively.
Note: When I first picked up the 2nd edition from the library I had no idea what IDA Pro was and wanted more on pentesting. I immediately dismissed GHH as something I wouldn’t use. In retrospect, GHH is an awesome guide to DLLs, handles, processes, reverse engineering, and malware analysis.

Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense by Hassan & Hijazi. 2017.
Note: This book should just be called “How to Win at CTF Every Time.” While it doesn’t explore malware in-depth, it does talk about various forms of data hiding and data manipulation (ADSs, stegano, etc). Since malware utilizes different methods of remaining hidden, DHTIWO is a great guide for developing critical thinking skills. This and File System Forensic Analysis by Brian Carrier are so easy to use as regular resources in forensics.

Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers & Security Engineers by T.J. O’Connor. 2013.
Note: I used to really love this book prior to finding BHP and the Gray Hat books. It has drone hacking and Twitter OSINT hacks, what’s not to love? The code is hit or miss but it has some good ideas for Python coders. It does also contain a section on Virus detection. I prefer Justin Seitz’s work, but respectful nod to TJO’s great resource.

Miscellaneous Resources:

Mitre’s CVE Page (Security Bug/Exploit Lookup)
Yara Official Documentation
Yara Definitions & Rulesets
Offensive Security’s Exploit-DB (Exploit Lookup & Sample Code)

Also check the links to other blogs around the site as there are a fair amount that cover malware research.

Meltdown & Spectre Links

Meltdown Paper | Spectre Paper | FAQs: https://meltdownattack.com/#faq-fix

You know that feeling when you’re lurking darknet forums or Inj3ct0r for information on new malware and you’re like, “what a liar, that’s not a revolutionary 0day exploit, that’s yet another buffer overflow exploit!” This is a fair bit more serious.

Thanks to Jann Horn and the analysts at Google Project Zero, two dangerous new vulnerabilities were discovered. Spectre – which leverages a processor’s speculative execution to pull data from memory to an attacker via side channels* – and Meltdown – which uses out-of-order code execution on processors to leak sensitive information across any form of virtualized environment or through any form of protected memory space. Unfortunately, fears are that they’re so deeply embedded in modern processor architecture that they’re nearly impossible to temporarily patch without crippling current infrastructure. They aren’t entirely software issues that can be patched easily: speculative execution speeds up computing performance drastically, and Spectre potentially affects many different types of processors. I’ve tried to include some useful links here for understanding the severity of Meltdown and Spectre.

* Yes, Spectre sounds like the coolest thing since poptarts. So much for professionalism.

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (FireEye), 1/5/2018.

Researchers Discover Two Major Flaws in the World’s Computers by Cade Metz and Nicole Perlroth (New York Times), 1/3/2018.

The Complete List Of CPUs Affected By Meltdown / Spectre by Dr. Adrian Wong, 1/8/2018.

In response to worries of Spectre being able to extract passwords from application password managers and vaults, Dashlane’s Eitan Katz wrote an article on the state of Dashlane and what Meltdown and Spectre do. Check it out here: Meltdown and Spectre: What you Need to Know to Stay Safe by Eitan Katz (Dashlane), 1/5/2018.

It’s not every day you see patches that cause entire Linux communities to freak out. If you’re an Ubuntu user, be sure to check out this article regarding Ubuntu 16.04’s patch: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers by Catalin Cimpanu, 1/10/2018. The patch in question only applied to Meltdown. The problem was fixed with subsequent updates after the article was released.

Be sure to check out the CVEs below for more technical information about each of the exploits. The links contain a lot of critical information such as sample source code that you can attempt to run in a virtual environment. Note that your mileage may vary in VMs; some have reported BSoDs and unhelpful crashes when attempting to execute the exploits.

Spectre CVEs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Top Articles & WordPress Session Hijacking

The blog has successfully been migrated to the new self-hosted WordPress (forensicsblog.org), simple name, same great flavor! We’ve got a double feature for you this evening. First, is a list of some of the articles generating the most views on here (thank you for reading!), followed by some WordPress Session Hijacking resources.

Also, please take the time to visit some of the great forensics resources along the right side of the blog. I’ve tried to keep the list to (in my mind) the most interesting blogs/bloggers in information security. They all have great content and research worth reading.

Top Articles on fork()

  • “Research: GPS Device Analysis” — research on the manual forensic examination of a Garmin Nüvi 1490. Piece includes a comprehensive breakdown of the GPX file structure, how it’s used to store trackpoint data and information on GPS metadata.
  • “Thoughts on viaExtract (Demo)” — discusses the viaExtract utility designed by viaForensics for the analysis of Android devices. Highlights artifact extraction with AFLogical and viaExtract case reports. Also discusses the Santoku Linux distribution for mobile forensics.
  • “Updates to GPS Utility (Timestamp Features)” — TrackerCat’s latest post to date: adds timestamp extraction of trackpoint data within GPX files to CSV file format. Also includes the ability to recursively export GPX files from a user-specified path and displays embedded file metadata time.

There are a lot more interesting posts here so be sure and scroll down or use the Monthly Archives menu on the side panel. You can also use the site-wide search for topics such as “encryption” or “OpenPGP.”

WordPress Session Hijacking

Since I’ve been tinkering with this blog, I’ve noticed that WordPress is still vulnerable to session cookie hijacking. This is a topic that WordPress or plugin developers should address in much greater detail since many use WP as a site-wide CMS. This section is to share some links on the subject and increase awareness of it.

To those that may not know, session hijacking is when an attacker copies authenticated session cookies from an authorized user and uses them as their own. This is done by first monitoring unencrypted network traffic and then modifying the appropriate cookie and sending it back to the server. HTTP or poorly implemented HTTPS are most at risk. There’s nothing new about this and it’s extremely simple to execute.

These sources can be invaluable for understanding and mitigating the risk:

There are too many MITM tools to list. I’ve included the Fern link to demonstrate how such attacks can be carried out over a wireless network. The following tools are for either modifying HTTP headers or crafting clone cookies:

Almost every new installation of WP.org I’ve seen is susceptible to this attack. WordPress recommends using HTTPS. If you don’t have SSL enabled on your site or haven’t set up HTTPS properly, your site could be at risk. Other forms of risk mitigation include:

  • Use a trustworthy VPN when logging into a WordPress site to prevent eavesdropping. If using a mobile device or laptop to access your blog, a VPN is the simplest way to ensure your safety on a public hotspot.
  • The Safer Cookies Plugin by Janis Elsts which restricts an IP address to one session at a time, solving half the problem for blog owners. It would have been nice to see this as an option in out-of-the-box WordPress. It’s almost ludicrous that WP doesn’t come with a feature like this (even Facebook allows for terminating multiple simultaneous sessions).
  • Deploy WP security suites and WP firewall plugins such as Cloudflare Threat Management, Wordfence, Better WP Security or Bulletproof Security. Firewalls don’t protect against session hijacking directly but help by adding IP-based controls such as blacklisting and whitelisting single IPs or addresses within a specific range. They may slow down the site’s loading speed but they’re worth it.
  • WordPress login control plugins are extremely useful to setup on your blog. There’s Login Lockdown and Lockdown WP Admin. The first provides excellent rules for login expiration and maximum login attempts before an account is locked down. The second offers the ability to hide the WP admin page from individuals that aren’t logged in. It also has the option of making logins use basic HTTP authentication (but without SSL, that isn’t as secure as it sounds).
  • Sandboxing. If an attacker does gain a foothold by accessing an account, make sure it isn’t your admin account (if you’re using your WP admin account to log in regularly, you shouldn’t be doing it from an open wifi network beyond your control). Also make sure your account’s user directory and all files within it are safe (this is critical if you’re using WP plugins that allow you access to modify files without having to FTP/SFTP in).

WordPress has yet to come up with a fix for this type of attack as it’s considered “low priority.” This is probably due to the fact that this attack isn’t direct, it’s passive and requires being in a position to capture network data. The problem is that WordPress isn’t necessarily responsible; HTTP is not secure and website owners should be aware of this threat.

Hope you found the resources above interesting. Thanks for reading!

TrackerCat: GPX-to-KML Active Log Mapping Tool

To supplement my GPS research, I created a simple tool for the extraction of Active Log data from GPX files. This tool will transform GPS device data files into Keyhole Markup Language (KML) files for easy mapping (GPX to KML). The output can easily be opened in programs like Google Earth. This tool will provide analysts with a better understanding of data contained within GPXs and their Active Logs. The KMLs are complete with timestamps and trackpoint coordinates.

Prior to TrackerCat – and without the use of expensive utilities – analysts had to manually re-save exported GPX files as KMLs in mapping programs. TrackerCat automates the transformation process while striving to preserve as much forensic data as possible.

While the tool is really just a simple XML-to-XML XSLT transform script (that parses the appropriate formats), you can join the project to improve its functionality! You can use the project’s GitHub to show off your own GPS device forensics scripts. Also be sure to check out the PowerPoint here.

See TrackerCat’s reader-friendly GitHub landing page, or go right to the project’s GitHub.

Metadata Extraction of GPX Files

To briefly supplement my GPS Device Analysis research, the GPX file itself should have interesting metadata qualities that can help you decide its relevance to your case. For example, I was able to pull the following data out of my GPX file using ExifTool by Phil Harvey:

Gpx Metadata Link Href : http://www.garmin.com
Gpx Metadata Link Text : Garmin International
Gpx Metadata Time : 2013:03:03 19:38:00Z
Gpx Trk Name : ACTIVE LOG: 03 MAR 2013 14:11
Gpx Trk Trkseg Trkpt Lat : 11.111111
Gpx Trk Trkseg Trkpt Lon : -11.111111
Gpx Trk Trkseg Trkpt Ele : 143.85
Gpx Trk Trkseg Trkpt Time : 2013:03:03 19:35:50Z
Gpx Trk Trkseg Trkpt Extensions Track Point Extension Speed: 8.24
Gpx Trk Trkseg Trkpt Extensions Track Point Extension Course: 292.24

This provides yet another quick way of determining whether the GPX’s last Active Log corresponds with your working timeline.
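The GPX-to-KML transformation TrackerCat performs and the trackpoint metadata listed above, as an added Python example (not TrackerCat’s own code, which is an XSLT script): it parses a constructed GPX sample modelled on the ExifTool output, writes a KML with a TimeStamp per trackpoint so the Active Log can be replayed on a map, and checks the log against a case timeline window. The namespace URIs are the public GPX 1.1 and Garmin TrackPointExtension schemas; all coordinates and times in the sample are constructed.

```python
"""Parse a Garmin-style GPX Active Log and emit a KML track with timestamps.

Added example, not TrackerCat's own code. SAMPLE_GPX is constructed to mirror
the ExifTool output in the post; the namespace URIs are the public GPX 1.1 and
Garmin TrackPointExtension schemas."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
TPX_NS = "http://www.garmin.com/xmlschemas/TrackPointExtension/v1"
KML_NS = "http://www.opengis.net/kml/2.2"
NS = {"gpx": GPX_NS, "tpx": TPX_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: one Active Log with two trackpoints (dummy coordinates).
SAMPLE_GPX = f"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="nuvi 1490" xmlns="{GPX_NS}" xmlns:gpxtpx="{TPX_NS}">
  <metadata>
    <link href="http://www.garmin.com"><text>Garmin International</text></link>
    <time>2013-03-03T19:38:00Z</time>
  </metadata>
  <trk>
    <name>ACTIVE LOG: 03 MAR 2013 14:11</name>
    <trkseg>
      <trkpt lat="11.111111" lon="-11.111111">
        <ele>143.85</ele><time>2013-03-03T19:35:50Z</time>
        <extensions><gpxtpx:TrackPointExtension>
          <gpxtpx:speed>8.24</gpxtpx:speed><gpxtpx:course>292.24</gpxtpx:course>
        </gpxtpx:TrackPointExtension></extensions>
      </trkpt>
      <trkpt lat="11.112222" lon="-11.112222">
        <ele>144.1</ele><time>2013-03-03T19:36:05Z</time>
      </trkpt>
    </trkseg>
  </trk>
</gpx>
"""

def parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_gpx(xml_text):
    """Return the metadata time plus every track's name and trackpoints."""
    root = ET.fromstring(xml_text)
    meta = root.findtext("gpx:metadata/gpx:time", namespaces=NS)
    tracks = []
    for trk in root.findall("gpx:trk", NS):
        points = []
        for pt in trk.findall("gpx:trkseg/gpx:trkpt", NS):
            ext = "gpx:extensions/tpx:TrackPointExtension/tpx:"
            speed = pt.findtext(ext + "speed", namespaces=NS)
            course = pt.findtext(ext + "course", namespaces=NS)
            points.append({
                "lat": float(pt.get("lat")), "lon": float(pt.get("lon")),
                "ele": float(pt.findtext("gpx:ele", default="0", namespaces=NS)),
                "time": parse_time(pt.findtext("gpx:time", namespaces=NS)),
                "speed": float(speed) if speed else None,   # Garmin extension, optional
                "course": float(course) if course else None})
        tracks.append({"name": trk.findtext("gpx:name", namespaces=NS), "points": points})
    return {"metadata_time": parse_time(meta) if meta else None, "tracks": tracks}

def k(tag):
    return "{%s}%s" % (KML_NS, tag)

def gpx_to_kml(parsed):
    """One Placemark per trackpoint, each with a KML TimeStamp so Google Earth
    can play the Active Log back on its time slider."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(k("kml"))
    doc = ET.SubElement(kml, k("Document"))
    for trk in parsed["tracks"]:
        folder = ET.SubElement(doc, k("Folder"))
        ET.SubElement(folder, k("name")).text = trk["name"]
        for i, pt in enumerate(trk["points"]):
            pm = ET.SubElement(folder, k("Placemark"))
            ET.SubElement(pm, k("name")).text = "trkpt %d" % i
            ET.SubElement(ET.SubElement(pm, k("TimeStamp")), k("when")).text = pt["time"].strftime(TIME_FMT)
            ET.SubElement(pm, k("description")).text = "speed=%s course=%s" % (pt["speed"], pt["course"])
            # KML orders coordinates lon,lat,ele (the reverse of the GPX attributes)
            ET.SubElement(ET.SubElement(pm, k("Point")), k("coordinates")).text = \
                "%s,%s,%s" % (pt["lon"], pt["lat"], pt["ele"])
    return ET.tostring(kml, encoding="unicode")

def active_log_window(parsed):
    """(first fix, last fix) across all tracks, for comparison with a case timeline."""
    times = [pt["time"] for trk in parsed["tracks"] for pt in trk["points"]]
    return (min(times), max(times)) if times else None

def overlaps_timeline(parsed, start, end):
    """True if any recorded fix falls inside the investigator's [start, end] window."""
    window = active_log_window(parsed)
    return window is not None and window[0] <= end and window[1] >= start
```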

Research: GPS Device Analysis

After much work, I’ve released my research covering the analysis of a Garmin Nuvi 1490 GPS device.

There’s not a lot of accurate information out there on GPS forensics. What you typically find is that some sites have information on only a select number of GPS devices, and that information is extremely shallow at best. The other end of the equation is companies selling their services. Seeing the need for a clear, free and open forensic report, I conducted the research and published it on my site free of charge.

This paper is meant to aid in providing meaningful analysis for one of the most popular Garmin devices. This particular model was sold heavily through the U.S. wholesaler Costco a few years ago and has been a GPS of choice for many casual users since then. It also uses the industry-adopted GPX file standard to store Track data, which is of significant importance to GPS forensics.

Such skills are absolutely essential whether you work for law enforcement, military or in the private sector. I hope that my small contribution can help. Expect more research papers in the future.

Please click here for the research paper: Research: GPS Device Analysis

Thoughts on viaExtract (Demo)

I recently had the opportunity to try the viaForensics viaExtract VM utility. viaExtract is essentially a framework in which many different advanced analysis features can be utilized (and automated). Based on Ubuntu, the VM utility is easy to setup and even easier to operate.

Although I’m not terribly advanced in mobile forensics (more of a hobby at the moment), I’ve used Santoku and acquired Android data through AFLogical OSE. The law enforcement/government-only AFLogical proper is offered through viaExtract and enables the reporting and harvesting of many different types of data, including:

* Device Information
* Browser History including Searches & Bookmarks
* An in-depth call log
* In-depth contact information acquisition
* Thumbnailed photos each including their own hash
* Application installations
And more…

Much like using AFLogical OSE within Santoku, the analyst can easily deploy the ADB daemon onto the device and have the workstation connect to it so long as the Android device is set into debugging mode and the VM properly passes through the USB connection. The daemon essentially allows you to execute commands on the device and is packaged with the SDK (in case you haven’t had the pleasure of using ADB in the past). As with all viaForensics tools, there’s no digging around the Android SDK for ADB to manually deploy it. But in viaExtract there’s the added benefit of automated deployment of AFLogical OSE on the smartphone. In fact, the data collection process is fully automated and shouldn’t require the analyst to actually touch the mobile device at all.

Along those lines you don’t actually have to pull the acquired reports from the device’s SD card. All of that is also automated. But should you want to push any additional tools to the device, you can do so with the command line (via adb push).

Case management is one of viaExtract’s most important features. You can manage your entire case using viaExtract and include multiple devices for inspection.

Whereas in Santoku the reports output in CSV, viaExtract allows you to compile PDF-reports based on HTML reports it acquires. The feature is as simple as selecting the PDF option on the toolbar.

But what other advanced features does viaExtract have? While I can’t access them within the demo version, the tool offers the analyst the following additional options:

* Gesture Key Code (if used to lock a device)
* Image Storage Device (SD)
* Unlock Screen (Thomas Cannon mentioned in his Defcon speech how 4 digit pins are extremely easy to crack whereas using complex passphrases may not be as simple)
* Sleuth Kit Timeline exporting (allows for use in generating super timelines)
* Encryption Brute Force (makes use of file headers and footers akin to the bruteforce_stdcrypto Python script in Santoku, but fully automated and makes use of the viaExtract GUI)

Despite being limited to basic data acquisition with the demo version, I can already tell how valuable this tool can be when conducting forensic examinations. Automation, case management and advanced mobile forensic features rolled all into one easy-to-use package marks viaExtract as a good product for law enforcement personnel.

On AFLogical OSE and SD Card Limitations

While it’s beyond the scope of this post, when using AFLogical OSE in Santoku reports are saved to the device’s SD card and must be copied to the analyst’s workstation via the command line. But devices like the Razr Maxx HD only allow for pictures and video to be transferred to the SD card (this limit seems to coincide with the release of MTP with Jelly Bean). This limitation is imposed on many newer devices running Android 4.2+. Upon some research into the matter, I believe this limitation does not restrict AFLogical OSE reports from being saved to the card.

Santoku aside – and more to the point of using viaExtract with AFLogical-proper – vE worked flawlessly as advertised and automatically extracted the needed data for me, reporting on it with ease.

Type of device used: Unrooted Motorola Razr Maxx HD and a rooted Motorola Razr.

Note: I do not work for viaForensics, I was simply interested in this tool and decided to test it. The reason for the blog post is to help others make the decision to try it if they’re looking for a valuable android forensics tool.

Resources

viaExtract: https://viaforensics.com/products/viaextract/
AFLogical & AFL OSE: https://viaforensics.com/resources/tools/android-forensics-tool/
Santoku Linux: https://santoku-linux.com/

ADS Links

I’ve been doing a lot of research into encrypting data into alternate data streams (what, I was bored one night!). Instead of boring you with more of the same (this topic has been covered extensively by others), I’d like to share some links with you.

One of the best sources I’ve read regarding ADS is Harlan Carvey’s Windows Forensic Analysis 2E. It was my first real exposure to the wonderful world of alternate data streams and file/folder/executable piggy-backing. (Rob Lee mentioned alternate data streams in SANS FOR408, which piqued my interest.)

The Gabro Blog entry on ADS is extremely insightful as well, although it does say that an ADS has different encryption attributes than its parent. That’s somewhat misleading as you can’t actually EFS-encrypt an ADS at all (trust me, I’ve tried via cipher /E /A and it isn’t… nor does it make too much sense logically). Of course you can encrypt content with something like GPG and then “push” the content into something else with type.

Additional Resources

Quinn Shamblin’s “Alternate Data Streams Overview” (SANS Blog)
Harlan Carvey’s Blog entry on ADS entitled, “NTFS Alternate Data Streams

Mandiant APT1 Report & New IOCs

I’m a little late writing about this but, as many people now know, U.S. security and forensics firm Mandiant has released critical information in regards to the Chinese state sponsored group known as APT1. As a student of digital forensics I find this kind of stuff very interesting. I’ve been having some great discussions on various forums with fellow (usually more experienced) security buffs in the field with regard to the 60-page report so I thought I’d reshare the links.

APT1: Exposing One of China’s Cyber Espionage Units (Mandiant Intelligence Center)

IOCs w/ hashes as part of Mandiant’s OpenIOC Project; Digital Appendix & Indicators

So be sure to add those IOCs to a Redline collector and get scanning!

Google Map Tiles: Forensics & IEF

I stumbled upon something neat I thought I’d share with you all while playing around with a demo of Internet Evidence Finder by Magnet Forensics. It is essentially using a memory image to determine where an individual may have been based on his/her geolocation queries, crowd sourced GPS check-ins (using Google Maps), etc. by analyzing Google Map tiles. Although IEF is well known in the forensics community, I was impressed when using it for the first time.

I allowed IEF to carve web browser artifacts, chat sessions and Google map tile artifacts from a memory image (acquired via FTKi). I then had IEF map the coordinates from the tile file names and plot them across a world map (it is as simple as hitting “World Map” in the Report Viewer). You can also use Magnet’s free standalone GMTI (Google Maps Tile Investigator) to plot specified coordinates if you’ve pulled the artifacts using another method.

Although this is a known feature of the software, I found it incredibly impressive and very useful. That you can do this directly from a memory image – with the same amount of success as from a hard drive image – is pretty cool.

Using that information you can get a general sense of where an individual was by what map information he or she searched for using Google Maps.


You can begin to develop a hypothesis as to the location’s significance when you compare this information to other known facts within your investigation. Knowing this information can help you weigh the importance of a cluster of plots and determine whether they are significant.

Instructions and more information on Google Map tile forensics is available in a great post by Magnet on their blog: http://www.magnetforensics.com/investigating-google-maps-how-the-tiles-tell-all/

For more information on Magnet’s IEF see: http://www.magnetforensics.com/products/internet-evidence-finder/

Information on the standalone (free) GMTI can be found at this address: http://www.magnetforensics.com/google-maps-tile-investigator/

In NTFS Secure Erase Leaves Remains

I was wondering whether or not drive wiping tools in Windows actually performed as expected by wiping all previously securely deleted content from a mechanical hard drive’s unallocated space. I was also curious to know what information could be gleaned from a wiped drive as to the files that were wiped and if such a find was worthwhile. My tool of choice for the exercise was CCleaner’s free space wiper.

For those that don’t know, wiping is essentially instructing a program to flip bits so that the data’s pattern is permanently unrecoverable. 1 would become a 0 and a 0 would become a 1. Ideally one good pass is all that’s needed to perform this operation, but tools rarely do so efficiently. The DoD is known for using a 7 pass method in order to be safe, erring on the side of caution. Relying on statistics, pioneer of the Gutmann Method, Peter Gutmann, opted for a 35 pass wipe, which is widely regarded as overkill. Which method is best? There’s no way to be certain. Different erase tools perform differently and some secure erase programs fail to “scramble” data in the appropriate fashion.

For my desires to wipe the data from the hard drive I decided on being cautious but not outright paranoid (most of the files I deleted to do this exercise were junk anyhow). I opted for the standard 7 pass method. Regardless of what type of pattern wipe you choose – or what wiping program you use – the results below will be the same.

I found that while alternate data streams and unallocated space on the drive were essentially wiped clean, file names were recoverable in the $I30 allocation index in sub-folders on the drive. How was this possible if the $MFT also didn’t indicate that data?

I’m relatively new to forensics and didn’t have a clue at first but with proper research I figured it out. All credit belongs to those that came before me. A blog post that explained it was entitled, “NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files” by Chad Tilbury, a SANS Institute Instructor.

If you’re interested in learning more please check out that post. Essentially I learned that in forensics we can find wiped content by viewing the NTFS Index Allocation File, $I30, still located in NTFS allocated space (FYI, I triaged the drive by examining it in FTKi). (Also if the file was ever EFS encrypted, an $EFS file may also be present in the folder in which it resided. One of the many reasons the cipher command warns the user to encrypt an entire folder instead of contents within a folder.)

While I was unable to actually recover the files, I was able to glean the names of the files that I previously erased. Knowing that the index was in a particular sub-folder would also show a forensic investigator where the data was actually stored. But what is even more interesting is that Tilbury’s article states that MAC times can also be gleaned from an $I30. Plus, knowing the file types of securely erased data may lend a hand to advanced data carving. Very cool. It truly makes the index a trove of useful information in an investigation.
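To show concretely what survives in an $I30 record after a file is wiped, here is an added Python example (not code from Tilbury’s article or from this blog). It constructs a 4 KiB INDX record with one live entry and one stale entry left in slack, applies the update sequence fixups, walks the live entries and then carves the slack for FILE_NAME entries, recovering the name, MFT record number, size and MAC times. The record layout is the public NTFS on-disk format; the file names, MFT numbers and timestamps are constructed sample data.

```python
"""Recover file names and MAC times from an NTFS $I30 INDX record, including
entries that a delete left behind in the record's slack space. Added example,
not code from the cited article; the sample record is constructed below, and
the offsets follow the public NTFS on-disk layout of index records."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_HDR = 0x10   # index entry header that precedes the FILE_NAME attribute
FN_FIXED = 0x42    # FILE_NAME attribute bytes that precede the UTF-16LE name
FLAG_LAST = 0x02   # entry flag: end-of-list marker (carries no FILE_NAME)
SAMPLE_TIME = datetime(2013, 3, 3, 19, 35, 50, tzinfo=timezone.utc)  # constructed

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10

def align8(n):
    return (n + 7) & ~7

def apply_fixups(rec):
    """Undo the update sequence array: restore the last 2 bytes of each 512-byte sector."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_entry(buf, off):
    """Parse one index entry at off; return (dict, length) or None if implausible."""
    if off + ENTRY_HDR > len(buf):
        return None
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, off)
    if flags & FLAG_LAST:
        return {"last": True}, entry_len
    fn = off + ENTRY_HDR
    if fn_len < FN_FIXED or fn + fn_len > len(buf) or entry_len != align8(ENTRY_HDR + fn_len):
        return None
    _parent, crt, mod, _mftmod, acc = struct.unpack_from("<QQQQQ", buf, fn)
    _alloc, real, _fl, _rp, name_len, ns = struct.unpack_from("<QQIIBB", buf, fn + 0x28)
    if name_len == 0 or ns > 3 or fn_len != FN_FIXED + 2 * name_len:
        return None
    name = buf[fn + FN_FIXED:fn + FN_FIXED + 2 * name_len].decode("utf-16-le", "replace")
    if any(ord(c) < 0x20 or c in '\\/:*?"<>|' for c in name):
        return None   # not a legal NTFS name: reject the candidate
    return {"last": False, "name": name, "mft": mft_ref & 0xFFFFFFFFFFFF, "size": real,
            "created": filetime_to_dt(crt), "modified": filetime_to_dt(mod),
            "accessed": filetime_to_dt(acc)}, entry_len

def parse_i30(rec):
    """Return (live entries, entries carved from slack) for one INDX record."""
    rec = apply_fixups(rec)
    ent_off, ent_size, alloc_size = struct.unpack_from("<III", rec, 0x18)
    off, end, active, slack = 0x18 + ent_off, 0x18 + ent_size, [], []
    while off < end:                        # the live B-tree node, up to its end marker
        r = parse_entry(rec, off)
        if r is None or r[0]["last"]:
            off += r[1] if r else 0
            break
        active.append(r[0]); off += r[1]
    while off + ENTRY_HDR + FN_FIXED <= 0x18 + alloc_size:   # 8-byte-aligned slack scan
        r = parse_entry(rec, off)
        if r and not r[0]["last"]:
            slack.append(r[0]); off += r[1]
        else:
            off += 8
    return active, slack

def build_entry(mft_no, name, when, size):
    """Construct a FILE_NAME index entry (sample data; parent = root dir, MFT 5)."""
    ft, enc = dt_to_filetime(when), name.encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft, ft, ft, ft, align8(size), size,
                     0x20, 0, len(name), 1) + enc
    entry_len = align8(ENTRY_HDR + len(fn))
    return (struct.pack("<QHHI", mft_no | (1 << 48), entry_len, len(fn), 0) + fn).ljust(entry_len, b"\0")

def build_record(active_entries, slack_entries, record_size=4096):
    """Construct a 4 KiB INDX record with live entries plus stale ones in slack."""
    usa_off, usa_count = 0x28, 1 + record_size // 512
    first = align8(usa_off + 2 * usa_count)
    body = b"".join(active_entries) + struct.pack("<QHHI", 0, ENTRY_HDR, 0, FLAG_LAST)
    rec = bytearray(record_size)
    rec[0:4] = b"INDX"
    struct.pack_into("<HHQQ", rec, 4, usa_off, usa_count, 0, 0)
    struct.pack_into("<III", rec, 0x18, first - 0x18, first - 0x18 + len(body), record_size - 0x18)
    rec[first:first + len(body)] = body
    pos = align8(first + len(body) + 24)    # stale entries sit past the live end marker
    for e in slack_entries:
        rec[pos:pos + len(e)] = e; pos += len(e)
    rec[usa_off:usa_off + 2] = b"\x01\x00"  # update sequence number
    for i in range(1, usa_count):           # save each sector's tail, overwrite with USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)

def demo():
    """Build the sample record: report.gpx is live, secret.docx only survives in slack."""
    rec = build_record([build_entry(70, "report.gpx", SAMPLE_TIME, 1234)],
                       [build_entry(71, "secret.docx", SAMPLE_TIME, 99)])
    return parse_i30(rec)
```

On a real volume the same parser is pointed at each $I30:$INDEX_ALLOCATION record of the folder of interest after applying the fixups, which is exactly where the names of wiped files reappear.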

As a student currently enrolled in forensics classes, my goal was to see if secure erasing completely removed “all traces” of said evidence on a Windows system. I was shocked to learn that it does not (yeah, I’m a “noob” with some things – this information has been out for a while – but I’m not afraid to admit that I’m learning). But for more in-depth information on parsing through the index or extracting more information from the file system please see the links below.

Apparently there are lots of remains left behind that indicate a drive has been wiped (the launching of the executable itself, obviously, but also of the content). If you’re interested in the topic I highly recommend researching it more thoroughly.

Obviously there are ways of getting rid of data in a more effective manner. Wiping the entire disk from outside of Windows is preferable, though manufacturer-style wipes are always the best. After my recent class I’ve been toying around with hdparm against SATA drives that accept the SE (ATA Secure Erase) commands and found this method to be best. Of course you could use dc3dd/dcfldd’s pattern filling function as well.

File Wiping/Free Space Wiping Methods Used

Files were securely erased with Eraser using a 7 pass wipe, and then a Free Space Wipe was performed on the same drive in CCleaner (7 pass).

Sources

Tilbury, Chad. “NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files.” SANS Blog. September 20, 2011.

I first read about the blog post on the Wilders Security Forums after doing a Google search for $I30.