Tag Archives: dc3

Updates, Malware Analysis Links, Meltdown, & Spectre

Readers,

My apologies for not posting more often. I’ve been busy with my studies (and occasionally reading and writing off-site). There have been so many new forensics blogs, mailing lists, and infosec communities recently that I’ve been content with reading instead of writing my own posts. Bad habit, I know! I’ve also taken part in a number of security CTF and infosec challenges. I said that I’d be covering past challenges and their solutions in greater depth in my DC3 post and that’s still a plan for the future (if time permits).

I’ve also been toying with the idea of setting up an up-to-date CTF challenge section on site since I have enough content from past CTFs and challenge organizers. We’ll see. I did make a challenge to de-anonymize target onion sites, the solution to which would be in discoverable data about the target web server. But I’ve been told that this might come across as hostile and not helpful for learning purposes, so I’ll probably just end up with standard jeopardy-style questions. Other options include the obligatory stegano in images, sound files, whole forensic images of disks with flags for various forensic artifacts, etc. Since security challenges are time consuming to create, it’ll have to wait a little longer. As always, feel free to subscribe to the blog for future updates.

I’ve also been looking for quality reverse engineering malware resources. I’m still new to that arena but what follows is a list of some really helpful sites, webinars, and books for learning to disassemble programs and study malware both from a static and dynamic perspective. I realize many readers here already do malware analysis, but this is intended for others looking to get into it. Some of the sources are older but all of them are worth checking out. Regretfully I can’t go through every examiner’s quality blog here, but check the site for more links! I’m also happy to read, study, and add any sites or research if submitted.

Malware Resources

Blogs, Articles, Webcasts, & General Papers

Introduction to Malware Analysis by Lenny Zeltser (Webcast), 12/6/2016.
Note – Webcasts, webinars, white papers, blog entries, conferences: I’ve seen a lot of Lenny Zeltser’s work and I’m a big follower, so I often link to his work.

Malware Analysis: An Introduction (GIAC Gold Paper) by Distler. 12/14/2007.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. 3/14/2015.

Malware Analysis Essentials Using REMnux w/ Lenny Zeltser (Webcast), SANS Institute, 4/17/2014.

4 Cheat Sheets for Malware Analysis by Lenny Zeltser, SANS Blog, 9/13/2017.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. 9/7/2017.

Thoughts on Malware, Digital Forensics, and Data Breaches by Hal Pomeranz, SANS Blog, 1/18/2012.

CyberBit’s 5 Open Source Malware Tools You Should Have in Your Arsenal

Projects To Watch/Tools to Know:

FLARE VM – The Windows malware platform by FireEye, a company known for their malware analysis and incident response know-how. 1/16/2018 Update: This tool is really outstanding. The packages can be imported into any VM, preferably newly rolled evaluation copies of Windows 10 VM, since you can just keep restoring back if you max the 90 day eval. Flare includes many tools for file analysis out-of-the-box such as hex editors, debuggers, disassemblers, text editors, PE tools, process hacks, packet analyzers, alternate data stream manipulation tools, and more (official list on Github). Package installation is made simple with Chocolatey. My own custom box includes essentials I downloaded such as OWASP ZSC for Python shellcode generation, Yara, stegano detection tools, audio editors, and more. Definitely not an exaggeration to say that you can make this into the best security platform available on Windows.

REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Kali Linux – I use Kali a lot so I highly recommend it. It’s an extremely well maintained distro, adding your own packages as needed is simple and usually everything just works (thanks to all the modules and dependencies pre-rolled into Kali). There are some great tutorials for pentesting and forensics on Udemy and through Offensive Security. Adding malware tools is easy.

SIFT Workstation – I’ve used multiple versions of SIFT from Linux to Windows 7 and 10. I highly recommend it for forensics work. It does have more timeline tools than Kali (although you can add packages to Kali as you see fit). SIFT VM + Kali VM = ideal. I have heard great things about BlackArch for penetration testing but have yet to try it (I do have fond memories of Archlinux and Archbang, so it’s on my to-do list).

Yara Analysis Tool – industry leading tool in signature and behavioral rule-set matching for malware.

Cuckoo Sandbox – Sandboxing tool for malware. If you’re just using VMware, be careful of VM escape vulnerabilities, bogging down resources, etc.

IDA & IDA Pro – Ideal for static analysis. Disassembler for every major operating system. I’ll be honest, my assembly skills are weak, but this is one tool worth sticking with. There’s even a great No Starch book on IDA to help you out! (IDA Pro Book, 2nd Edition by Chris Eagle — fair warning, the assembly sections are pretty light and assume you know what you’re doing, so I’d suggest supplementing it with another resource to familiarize yourself with the subject prior to diving into IDA. One good (and free) course is the x86 class by Open Security.)

OllyDbg – The Gray Hat Hacking books use OllyDbg a lot.

Immunity Debugger

Automatic Malware Analysis and Sandbox Services by Lenny Zeltser

Classes:

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration w/ Xeno Kovah (Open Security Training)

Introduction To Reverse Engineering Software by Matt Briggs & Frank Poz (Open Security Training)

Reverse Engineering Malware by Matt Briggs & Frank Poz (Open Security Training)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Jake Williams (SANS Institute)
Note – I haven’t had a chance to take this class but it’s pretty much the de facto malware analysis class in digital forensics.

Again, there are many courses and tutorials available through Lynda, Udemy, and YouTube. Here… hold up. There we go (had to do it!).

Technical References:

Tech refs can be expensive but these are totally worth it if you’re committed to learning the subject matter (or, like me, you’re equally committed to making a visually impressive security bookshelf /modestyfail). Most well-maintained, high traffic libraries should have some of them. Sure, there are plenty of online sources with similar information but these texts are definitely helpful.

Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Hartstein, Richard, Ligh, and Adair. 2010.
Note: It’s the bible of malware analysis. It was one of the first larger works to tackle malware head-on. While it isn’t as technically in-depth for complicated tasks (I found that GHH was more technical for some things), it’s a must have. As someone new to malware analysis, I can honestly say it’s readable and worth checking out.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz. 2015.
Note: One of my all time favorites. Black Hat-style techniques are explored using Python code and popular modules. There’s something for everyone here. (I often use BHP or GHH – mentioned below – as a springboard for Python projects, so I can also recommend getting physical copies as opposed to eBook versions.)

Gray Hat Hacking, 2nd Edition & 3rd Edition by Harper, Harris, Ness, Eagle, Lenkey, Williams. 2008 & 2011 respectively.
Note: When I first picked up the 2nd edition from the library I had no idea what IDA Pro was and wanted more on pentesting, so I immediately dismissed GHH as something I wouldn’t use. In retrospect, GHH is an awesome guide to DLLs, handles, processes, reverse engineering, and malware analysis.

Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense by Hassan & Hijazi. 2017.
Note: This book should just be called “How to Win at CTF Every Time.” While it doesn’t explore malware in-depth, it does talk about various forms of data hiding and data manipulation (ADSs, stegano, etc). Since malware utilizes different methods of remaining hidden, DHTIWO is a great guide for developing critical thinking skills. This and File System Forensic Analysis by Brian Carrier are so easy to use as regular resources in forensics.

Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers & Security Engineers by T.J. O’Connor. 2013.
Note: I used to really love this book prior to finding BHP and the Gray Hat books. It has drone hacking and Twitter OSINT hacks, what’s not to love? The code is hit or miss but it has some good ideas for Python coders. It does also contain a section on Virus detection. I prefer Justin Seitz’s work, but respectful nod to TJO’s great resource.

Miscellaneous Resources:

Mitre’s CVE Page (Security Bug/Exploit Lookup)
Yara Official Documentation
Yara Definitions & Rulesets
Offensive Security’s Exploit-DB (Exploit Lookup & Sample Code)

Also check the links to other blogs around the site as there are a fair amount that cover malware research.

Meltdown & Spectre Links

Meltdown Paper | Spectre Paper | FAQs: https://meltdownattack.com/#faq-fix

You know that feeling when you’re lurking darknet forums or Inj3ct0r for information on new malware and you’re like, “what a liar, that’s not a revolutionary 0day exploit, that’s yet another buffer overflow exploit!” This is a fair bit more serious.

Thanks to Jann Horn and the analysts at Google Project Zero, two new dangerous exploits were discovered: Spectre – which leverages a processor’s speculative execution to pull data from memory to an attacker via side channels* – and Meltdown – which uses out-of-order code execution on processors to leak sensitive information across any form of virtualized environment or through any form of protected memory space. Unfortunately, the fear is that they’re so deeply embedded in modern processor architecture that they’re nearly impossible to patch, even temporarily, without crippling current infrastructure; they aren’t purely software issues that can be patched easily. Dynamic execution speeds up computing performance drastically, and Spectre potentially affects a great many different types of processors. I’ve tried to include some useful links here for understanding the severity of Meltdown and Spectre.

* Yes, Spectre sounds like the coolest thing since poptarts. So much for professionalism.

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (FireEye), 1/5/2018.

Researchers Discover Two Major Flaws in the World’s Computers by Cade Metz and Nicole Perlroth (New York Times), 1/3/2018.

The Complete List Of CPUs Affected By Meltdown / Spectre by Dr. Adrian Wong, 1/8/2018.

In response to worries of Spectre being able to extract passwords from application password managers and vaults, Dashlane’s Eitan Katz wrote an article on the state of Dashlane and what Meltdown and Spectre do. Check it out here: Meltdown and Spectre: What you Need to Know to Stay Safe by Eitan Katz (Dashlane), 1/5/2018.

It’s not every day you see patches that cause entire Linux communities to freak out. If you’re an Ubuntu user, be sure to check out this article regarding Ubuntu 16.04’s patch: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers by Catalin Cimpanu, 1/10/2018. The patch in question only applied to Meltdown. The problem was fixed with subsequent updates after the article was released.

Be sure to check out the CVEs below for more technical information about each of the exploits. The links contain a lot of critical information, such as sample source code that you can attempt to run in a virtual environment. Note that your mileage may vary in VMs; some have reported BSoDs and unhelpful crashes when attempting to execute the exploits.

Spectre CVEs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

DC3 Challenge & VSC Analysis on Linux

I recently had to analyze a Windows 7 system’s Volume Shadow Copies (VSCs) that were stored on a Virtual Machine Disk (VMDK) as part of an advanced-level DC3 challenge exercise. While there are a few great resources out there regarding forensics and VSCs, most of these methods use Windows workstations or commercial tools for conducting an examination.

More often than not I’ve found the aforementioned methods limiting, their success either hit-or-miss. I’ve been looking for open source alternatives for VSC analysis that work on my Linux workstations.

While reading the Malware Analyst’s Cookbook section entitled “[w]orking With Virtualbox Disk and Memory Images,” I decided to convert the VMDK the DC3 provided to VHD using VBoxManage. Harlan Carvey’s post entitled, “How to Mount and Access VSCs” also helped me understand VHDs and how they were used in forensics. But for some reason I couldn’t mount my VHD properly in Windows using his approach. After re-converting the VHD to every major image file type, I decided to go with a libvshadow approach that tackled both the VMDK conversion and provided the ability to analyze the evidence on my Ubuntu box.

Knowing I needed to convert the VMDK provided into some kind of usable format, I set out to find the best guide to mounting VSCs. EpyxForensics has a terrific guide to this entitled “Mounting Shadow Volumes in Linux Ubuntu 12.04” (see “Resources” below).

Using the EpyxForensics approach, I was able to both mount the virtual disk and extract the data I needed in a fast and efficient way. I’ve tweaked some of those methods below to suit my needs for the challenge and I’m more than pleased with the results. Although you – the reader – may not be using VMDKs, using libvshadow to analyze VSCs is extremely beneficial and worth trying.

What follows is an account of my experiences with the 2013 DC3 Forensics Challenge as well as my methodology on the Volume Shadow Copy exercise.

Why Shadow Copy Analysis?

Without re-quoting every single resource on the topic I’ve read, VSCs provide a great way for examiners to see a system up to the time of a snapshot. This snapshot is a sort of time machine that can be crucial in understanding the intricacies of user activity on the system.

Volume Shadow Copy analysis is also an interesting avenue if other anti-forensics techniques were used. Smart criminals can cover their tracks by wiping Prefetch, using encryption, scripting tools to sanitize registry keys, using timestomp to control timestamps, performing drive wipes, tampering with MFT records, or taking other anti-forensics measures.

Snapshot and backup examination techniques are often left out by forensics suites. All too often developers of such suites are left playing “catch up” when adding new features to their tools. But criminals are people too; sometimes the convenience of having a backup outweighs the desire to hide data. Enter VSCs.

An example could be a snapshot that was created after the installation of a new program. The user may not be aware that a VSC is being created to begin with. Once created, the snapshot may contain unencrypted copies of files that were later encrypted. Other artifacts important to your case may also reside within the copies.

It goes without saying that I found this DC3 VSC exercise to be extremely rewarding. While I can’t give actual exercise questions or case files, I’ve tried to outline the steps I used below.

Installing VBoxManage & Sleuthkit 4.0.2

On Ubuntu I was able to install the required tools automatically with APT:

For Sleuthkit you can: sudo apt-get install sleuthkit

For VBoxManage you’ll need Oracle VM Virtualbox:

sudo apt-get install virtualbox

Linux: VMDK to RAW

To convert a VMDK to a RAW/dd image you can:

VBoxManage clonehd vdisk.vmdk newvdisk.dd --format RAW

A percentage indicator keeps you informed of the conversion’s progress.

Windows: VMDK to RAW (QEMU)

The alternative to the linux method in Windows is to use the QEMU Windows Binaries. Due to a lot of misinformation on the subject, I’ve included the method used for performing the conversion on Windows below.

With QEMU installed on Windows, open a cmd shell and navigate to your QEMU folder (or skip that step if it’s in your PATH). We can use qemu-img to convert the VMDK to the desired format:

qemu-img convert -f vmdk shadows.vmdk shadows.raw

Determining Offset of Partition

Calculating an offset is fairly straightforward if you’ve used linux for forensics in the past. First see the partitions and their starting locations with:

mmls newvdisk.dd

Multiply the starting sector by the sector size (usually 512; mmls reports this when you run the command). The resulting number is what we use to target the NTFS partition on the image. This is important if the image represents a whole physical disk or a multi-partitioned system. In my case, it simply represented one partition on which the critical files resided. My working offset was 65536, so the subsequent mount looks like:

sudo mount -t ntfs -o ro,offset=65536 shadows.dd /mnt/evidence

Take a peek inside with:

cd /mnt/evidence/System\ Volume\ Information/; ls -la

For those who don’t know the format of VSCs, check the MSDN article here. We see the identifying GUID and unique set IDs. This is a great way of gauging where to focus your efforts.

libvshadow by Joachim Metz is an excellent tool for conducting a deeper analysis of shadow copies. We’ll set up the tool’s requirements and set it up from its latest source below.

libvshadow

Install the requirements:

sudo apt-get install libfuse-dev

Download libvshadow’s latest source, unpack it, then run configure and make install.

To get basic information about the VSCs, we can use vshadowinfo with the following syntax:

vshadowinfo -o [offset] [image]

The order in which the stores are listed is also useful: the top store is the furthest back in time and the bottom store is the most recent (self-explanatory, but you probably know that I enjoy being long-winded online). The listing also helped me answer a number of temporal questions in the exercise. This information can be correlated with your case’s timeline, so examining the output is critical.

The output looks like:

vshadowinfo 20131003
Volume Shadow Snapshot information:
Number of stores:   4

Store: 1

Identifier         : e132d30a-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : f24f1ec4-e556-473f-b8dd-3417944d613d
Creation time      : Jun 22, 2011 17:26:18.953125000 UTC
Shadow copy ID     : 4db4b198-10bf-412a-8168-82aab3ad66e5
Volume size        : 2144337920 bytes
Attribute flags    : 0x0042000d

Store: 2

Identifier         : e132d310-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : 7d330a7f-eaaa-47e6-a7ae-ec586cb60705
Creation time      : Jun 22, 2011 18:11:35.484375000 UTC
Shadow copy ID     : a3de8297-e174-4cc6-af1e-14b97b228b91
Volume size        : 2144337920 bytes
Attribute flags    : 0x0042000d

Store: 3

Identifier         : e132d31d-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : ca46eac5-70eb-4c53-a21a-b6a6b66ba245
Creation time      : Jun 22, 2011 18:15:52.140625000 UTC
Shadow copy ID     : 94d3e514-62db-4dd2-89e1-7ff3810bb861
Volume size        : 2144337920 bytes
Attribute flags    : 0x0042000d

Store: 4

Identifier         : e132d322-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : 31f43d93-881f-43b2-bd40-86133cba47d7
Creation time      : Jun 22, 2011 18:19:45.484375000 UTC
Shadow copy ID     : 2740b68b-cdb2-4c13-a535-f2f6f1ecb352
Volume size        : 2144337920 bytes
Attribute flags    : 0x0042000d

But what if you need access to the actual data within the shadow copy? The EpyxForensics post told me about a great utility in libvshadow, vshadowmount. This awesome feature allows you to select which VSCs to mount with traditional linux mountings. It does this by allowing you to mount the partition by offset on the image and mount each store individually (the latter is the amazing part).

sudo vshadowmount -o 65536 shadows.dd /mnt/vssvolume

To mount each store individually (if you know what time frame you are working with), you can:

sudo mkdir /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1

There were 4 VSCs to mount in the exercise (as seen in /mnt/vssvolume). To mount them you could also create a bash or Python script to do it for you automatically. I ran the commands by hand for each store. Tedious but I like having control over what’s going on. The not-so-simplified version looks like this:

sudo mkdir /mnt/vss1 /mnt/vss2 /mnt/vss3 /mnt/vss4; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss2 /mnt/vss2; sudo mount -o ro /mnt/vssvolume/vss3 /mnt/vss3; sudo mount -o ro /mnt/vssvolume/vss4 /mnt/vss4
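As an added example (not the post’s own script), here are the offset calculation from the mmls step and the per-store mounting loop above written as shell functions. The mmls table is constructed to match the post’s 65536-byte offset, and the mount helper takes an optional command prefix so it can be dry-run with echo instead of sudo.

```shell
#!/bin/sh
# Added example: derive the NTFS partition offset from mmls output and mount
# every vssN store that vshadowmount exposes. Not the blog's own script.

# Constructed mmls output in the layout `mmls newvdisk.dd` prints. The NTFS
# partition starts at sector 128, so 128 * 512 = 65536, the post's offset.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000127   0000000128   Unallocated
002:  000:000   0000000128   0000004188287   0000004188160   NTFS / exFAT (0x07)'

# Read mmls output on stdin and print the byte offset of the first NTFS
# partition (start sector * sector size). Check the table by hand if the
# image has several NTFS partitions, e.g. a System Reserved volume.
ntfs_offset() {
    awk '
        /Units are in/ { sub(/-byte.*/, "", $4); sector = $4 }
        /NTFS/ && !found { printf "%d\n", $3 * sector; found = 1 }
    '
}

# Mount each store exposed by vshadowmount under $1 read-only beneath $2,
# as /mnt/vss1 ... /mnt/vssN in the post. $3 is the command prefix for the
# privileged steps: sudo by default, or echo to dry-run without root.
mount_stores() {
    vssdir=$1; dest=$2; run=${3:-sudo}
    for store in "$vssdir"/vss*; do
        if [ ! -e "$store" ]; then
            echo "no vss stores found in $vssdir" >&2
            return 1
        fi
        n=${store##*/vss}
        $run mkdir -p "$dest/vss$n" || return 1
        $run mount -o ro "$store" "$dest/vss$n" || return 1
    done
}

# Worked check against the constructed table; prints 65536.
printf '%s\n' "$SAMPLE_MMLS" | ntfs_offset

# Against a real image (needs sleuthkit, libvshadow and root):
#   offset=$(mmls newvdisk.dd | ntfs_offset)
#   sudo vshadowmount -o "$offset" newvdisk.dd /mnt/vssvolume
#   mount_stores /mnt/vssvolume /mnt
```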

If you want to find a particular file that’s pertinent to your case, you can do that with the find command (find /mnt/vss1 -name '[file]*', with the pattern quoted so the shell doesn’t expand it first). You can also view the shadow copies from your desktop environment’s built-in file manager as you can with any mounted device in Linux (this helps with viewing thumbnails of JPGs captured in the shadow copy).

Another good find trick is to use the -mtime -[days] option to find files that were modified within a certain number of days in the past. Or use your favorite regular expression against the mounting to find specific pieces of information.

Since the primary questions dealt with timestamps, I set up Phil Harvey’s ExifTool and ran it against the desired files within the copies. Obviously you can also use this tool to acquire metadata timestamps residing within the files themselves (as is the case with artifacts like LNK files).

Shadow Explorer

The only tool I really don’t like using is Shadow Explorer for Windows. It may be a fine tool for general VSC work but I don’t see it as useful in forensics. This is a personal opinion and I know many great examiners that use it regularly. I certainly mean no disrespect to the tool’s author. I’d try it if you are limited to working on a Windows forensics workstation but much prefer using a Linux-oriented approach.

My main reason for disliking Shadow Explorer is that it doesn’t seem to work with virtual mountings (FTKi mountings set to physical or logical, ImDisk, Winmount, etc.). The author recommends enabling system protection on devices so that they appear in Shadow Explorer, but this isn’t an option as far as I’m concerned.

Closing Remarks

The solution above worked for me and fulfilled my needs on the challenge but this approach isn’t the only approach. I’ve created a list of VSC references below in hopes of helping others find a solution they’re comfortable with. Feel free to submit your own site or article by emailing me at adam [at] forensicsblog.org — I’ll add it to the list.

Lastly, I should note that the methods I’ve described above are not new or earth-shattering; libvshadow is used by other examiners. It’s simply new to me, and now it’s also my method of choice.

DC3 Challenge Exercises Completed

The forensics challenge was hosted by the DoD Cyber Crime Center (DC3) and was a terrific experience for me considering I’m relatively new to forensics (the challenges are similar to online jeopardy-style CTFs). While there will be other challenges, this will likely be the DC3’s last. This is really unfortunate news: nothing reinforces infosec skills like challenges and competitions. I have yet to see a forensics-specific competition that has as much scope and depth as the DC3 Forensics Challenge.

I got into the challenge during its last month by running solo and without a boost from the missed bonus rounds. Despite these setbacks, I did manage to get in the Grand Champion category with pretty good standing in both the Overall Civilian and the U.S. Overall categories. I’m proud of this, I did much better than I thought I would. While it doesn’t make me an authority on digital forensics (I’m not), I’d be glad to write about other exercises attempted.

Special thanks to the DoD Cybercrime Center (DC3) and the Air Force Office of Special Investigations (AFOSI) for hosting such a cool event for civilians and military personnel alike. I’m in no way affiliated with and/or endorsed by AFOSI or DC3.

Resources

There are a lot of good resources out there regarding Volume Shadow Copies, many of which are written for examiners by examiners. Anyone interested in VSS or VSC analysis should definitely check them out:

“Mounting Shadow Volumes in Linux Ubuntu 12.04” by EpyxForensics.

“Ripping Volume Shadow Copies – Introduction,” Journey Into Incident Response (blog) by Corey Harrell – note: his entire VSC series is really terrific.

“Shadow Timelines and Other VolumeShadowCopy Digital Forensics Techniques with Sleuthkit on Windows,” SANS Computer Forensics Blog by Rob Lee.

“Accessing Volume Shadow Copies,” by Harlan Carvey.

“Mount shadow volumes on disk images,” forensicswiki.org (site lists various methods).

“Into the Shadows,” forensic4cast, by Lee Whitfield.

libvshadow’s Project Page: http://code.google.com/p/libvshadow/

“How Volume Shadow Copy Service Works,” TechNet (Microsoft).

“Volume Shadow Copy Service,” MSDN on VSS and how it works.

“Volume Shadow Copy System Restore” (VSS FAQs) by Tomasz P. Szynalski.

“Volume Shadow Copy Forensics.. cannot see the wood for the trees?” by Richard Drinkwater, FFTSF blog.

“Examining Volume Shadow Copies – The Easy Way!” by Simon Key, Digital Forensics Today (EnCase/Guidance Software) – note: this piece is very interesting and helps explain what’s going on behind the scenes when snapshots are taken. It also discusses the EnCase PDE approach to analyzing them.