Tag Archives: forensics

Updates, Malware Analysis Links, Meltdown, & Spectre

Readers,

My apologies for not posting more often. I’ve been busy with my studies (and occasionally reading and writing off-site). There’s been so many new forensics blogs, mailing lists, and infosec communities recently that I’ve been content with reading instead of writing my own posts. Bad habit, I know! I’ve also taken part in a number of security CTF and infosec challenges. I said that I’d be covering past challenges and their solutions in greater depth in my DC3 post and that’s still a plan for the future (if time permits).

I’ve also been toying with the idea of setting up an up-to-date CTF challenge section on site since I have enough content from past CTFs and challenge organizers. We’ll see. I did make a challenge to de-anonymize target onion sites, the solution to which would be in discoverable data about the target web server. But I’ve been told that this might come across as hostile and not helpful for learning purposes, so I’ll probably just end up with standard jeopardy-style questions. Other options include the obligatory stegano in images, sound files, whole forensic images of disks with flags for various forensic artifacts, etc. Since security challenges are time consuming to create, it’ll have to wait a little longer. As always, feel free to subscribe to the blog for future updates.

I’ve also been looking for quality reverse engineering malware resources. I’m still new to that arena but what follows is a list of some really helpful sites, webinars, and books for learning to disassemble programs and study malware both from a static and dynamic perspective. I realize many readers here already do malware analysis, but this is intended for others looking to get into it. Some of the sources are older but all of them are worth checking out. Regretfully I can’t go through every examiner’s quality blog here, but check the site for more links! I’m also happy to read, study, and add any sites or research if submitted.

Malware Resources

Blogs, Articles, Webcasts, & General Papers

Introduction to Malware Analysis by Lenny Zeltser (Webcast), 12/6/2016.
Note – Webcasts, webinars, white papers, blog entries, conferences, I’ve seen a lot of Lenny Zeltser’s work and I’m a big follower. So I often link to his work.

Malware Analysis: An Introduction (GIAC Gold Paper) by Distler. 12/14/2007.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. 3/14/2015.

Malware Analysis Essentials Using REMnux w/ Lenny Zeltser (Webcast), SANS Institute, 4/17/2014.

4 Cheet Sheets for Malware Analysis by Lenny Zeltser, SANS Blog, 9/13/2017.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. 9/7/2017.

Thoughts on Malware, Digital Forensics, and Data Breaches by Hal Pomeranz, SANS Blog, 1/18/2012.

CyberBit’s 5 Open Source Malware Tools You Should Have in Your Arsenal

Projects To Watch/Tools to Know:

FLARE VM – The Windows malware platform by FireEye, a company known for their malware analysis and incident response know-how. 1/16/2018 Update: This tool is really outstanding. The packages can be imported into any VM, preferably newly rolled evaluation copies of Windows 10 VM, since you can just keep restoring back if you max the 90 day eval. Flare includes many tools for file analysis out-of-the-box such as hex editors, debuggers, disassemblers, text editors, PE tools, process hacks, packet analyzers, alternate data stream manipulation tools, and more (official list on Github). Package installation is made simple with Chocolatey. My own custom box includes essentials I downloaded such as OWASP ZSC for Python shellcode generation, Yara, stegano detection tools, audio editors, and more. Definitely not an exaggeration to say that you can make this into the best security platform available on Windows.

REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Kali Linux – I use Kali a lot so I highly recommend it. It’s an extremely well maintained distro, adding your own packages as needed is simple and usually everything just works (thanks to all the modules and dependencies pre-rolled into Kali). There are some great tutorials for pentesting and forensics on Udemy and through Offensive Security. Adding malware tools is easy.

SIFT Workstation – I’ve used multiple versions of SIFT from Linux to Windows 7 and 10. I highly recommend it for forensics work. It does have more timeline tools than Kali (although you can add packages to Kali as you see fit). SIFT VM + Kali VM = ideal. I have heard great things about BlackArch for penetration testing but have yet to try it (I do have fond memories of Archlinux and Archbang, so it’s on my to-do list).

Yara Analysis Tool – industry leading tool in signature and behavioral rule-set matching for malware.

Cuckoo Sandbox – Sandboxing tool for malware. If you’re just using VMware, be careful of VM escape vulnerabilities, bogging down resources, etc.

IDA & IDA Pro – Ideal for static analysis. Disassembler for every major operating system. I’ll be honest, my assembly skills are weak, but this is one tool worth sticking with. There’s even a great No Starch book on IDA to help you out! (IDA Pro Book, 2nd Edition by Chris Eagle — fair warning, the assembly sections are pretty light and assume you know what you’re doing, so I’d suggest supplementing it with another resource to familiarize yourself with the subject prior to diving into IDA. One good (and free) course is the x86 class by Open Security.)

OllyDbg – The Gray Hat Hacking books use OllyDbg a lot.

Immunity Debugger

Automatic Malware Analysis and Sandbox Services by Lenny Zeltser

Classes:

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration w/ Xeno Kovah (Open Security Training)

Introduction To Reverse Engineering Software by Matt Briggs & Frank Poz (Open Security Training)

Reverse Engineering Malware by Matt Brigs & Frank Poz (Open Security Training)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Jake Williams (SANS Institute)
Note- I haven’t had a chance to take this class but it’s pretty much the de-facto malware analysis class in digital forensics.

Again, there are many courses and tutorials available through Lynda, Udemy, and YouTube. Here… hold up. There we go (had to do it!).

Technical References:

Tech refs can be expensive but these are totally worth it if you’re committed to learning the subject matter (or, like me, you’re equally committed to making a visually impressive security bookshelf /modestyfail). Most well-maintained, high traffic libraries should have some of them. Sure, there are plenty of online sources with similar information but these texts are definitely helpful.

Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Hartstein, Richard, Ligh, and Adair. 2010.
Note: It’s the bible of malware analysis. It was one of the first larger-works to tackle malware head-on. While it isn’t as technically in-depth for complicated tasks (I found that GHH was more technical for some things), it’s a must have. New to malware analysis, I can honestly say it’s readable and worth checking out.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz. 2015.
Note: One of my all time favorites. Black Hat-style techniques are explored using Python code and popular modules. There’s something for everyone here. (I often use BHP or GHH – mentioned below – as a springboard for Python projects, so I can also recommend getting physical copies as opposed to eBook versions.)

Gray Hat Hacking, 2nd Edition & 3rd Edition by Harper, Harris, Ness, Eagle, Lenkey, Williams. 2008 & 2011 respectively.
Note: When I first picked up the 2nd edition from the library I had no idea what IDA Pro was and wanted more on pentesting. Immediately dismissing GHH something I wouldn’t use. In retrospect, GHH is an awesome guide to DLLs, handles, processes, reverse engineering, and malware analysis.

Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense by Hassan & Hijazi. 2017.
Note: This book should just be called “How to Win at CTF Every Time.” While it doesn’t explore malware in-depth, it does talk about various forms of data hiding and data manipulation (ADSs, stegano, etc). Since malware utilizes different methods of remaining hidden, DHTIWO is a great guide for developing critical thinking skills. This and File System Forensic Analysis by Brian Carrier are so easy to use as regular resources in forensics.

Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers & Security Engineers. TJ. O’Connor. 2013.
Note: I used to really love this book prior to finding BHP and the Gray Hat books. It has drone hacking and Twitter OSINT hacks, what’s not to love? The code is hit or miss but it has some good ideas for Python coders. It does also contain a section on Virus detection. I prefer Justin Seitz’s work, but respectful nod to TJO’s great resource.

Miscellaneous Resources:

Mitre’s CVE Page (Security Bug/Exploit Lookup)
Yara Official Documentation
Yara Definitions & Rulesets
Offensive Security’s Exploit-DB (Exploit Lookup & Sample Code)

Also check the links to other blogs around the site as there are a fair amount that cover malware research.

Meltdown & Spectre Links

Meltdown Paper | Spectre Paper | FAQs: https://meltdownattack.com/#faq-fix

You know that feeling when you’re lurking darknet forums or Inj3ct0r for information on new malware and you’re like, “what a liar, that’s not a revolutionary 0day exploit, that’s yet another buffer overflow exploit!” This is a fair bit more serious.

Thanks to Jann Horn and the analysts at Google Project Zero, two new dangerous exploits were discovered. Spectre – which leverages a processor’s speculative execution to pull data from memory to an attacker via side channels* – and Meltdown – which uses out-of-order code execution on processors to leak sensitive information across any form of virtualized environment or through any form of protected memory space. Unfortunately, fears are that they’re so deeply embedded in modern processor architecture that they’re nearly impossible to temporarily patch without crippling current infrastructure. They aren’t entirely software issues that can be patched easily. Dynamic execution speeds up computing performance drastically while Spectre potentially effects so many different types of processors. I’ve tried to include some useful links here for understanding the severity of Meltdown and Spectre.

* Yes, Spectre sounds like the coolest thing since poptarts. So much for professionalism.

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (FireEye), 1/5/2018.

Researchers Discover Two Major Flaws in the World’s Computers by Cade Metz and Nicole Perlroth (New York Times), 1/3/2018.

The Complete List Of CPUs Affected By Meltdown / Spectre by Dr. Adrian Wong, 1/8/2018.

In response to worries of Spectre being able to extract passwords from application password managers and vaults, Dashlane’s Eitan Katz wrote an article on the state of Dashlane and what Meltdown and Spectre do. Check it out here: Meltdown and Spectre: What you Need to Know to Stay Safe by Eitan Katz (Dashlane), 1/5/2018.

It’s not every day you see patches that cause entire Linux communities to freak out. If you’re an Ubuntu user, be sure to check out this article regarding Ubuntu 16.04’s patch: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers by Catalin Cimpanu, 1/10/2018. The patch in question only applied to Meltdown. The problem was fixed with subsequent updates after the article was released.

Be sure to check out the CVEs below for more technical information about each of the exploits. The links contain a lot of critical information such as sample source code that you can attempt to run in a virtual environment. Note that your mileage may vary in VMs, some have reported BSoDs and not useful crashes when attempting to execute the exploits.

Spectre CVEs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Android USB Device Support

While reading Android Forensics by AH and setting up the SDK on my Ubuntu box, I noticed the udev rules needed an update. Makes sense considering there’s been many new vendors since the book was published.

I’ve compiled an up-to-date ruleset that uses the standard format and includes comments indicating each vendor. While not a terribly new contribution, I’ve decided to post the rules here to allow android devs and examiners the opportunity to use them with little effort.

Copy & paste it:

# 51-android-rules should be placed in /etc/udev/rules.d (chmod 664 or a+r)
# Official Guide & Vendor IDs: http://developer.android.com/tools/device.html#Acer
SUBSYTEM==”USB”, SYSFS{idVendor}==”502″, MODE=”0666″
#ASUS
SUBSYTEM==”USB”, SYSFS{idVendor}==”0b05″, MODE=”0666″
#Dell
SUBSYTEM==”USB”, SYSFS{idVendor}==”413c”, MODE=”0666″
#Foxconn
SUBSYTEM==”USB”, SYSFS{idVendor}==”0489″, MODE=”0666″
#Fujitsu
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Fujitsu Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Garmin-Asus
SUBSYTEM==”USB”, SYSFS{idVendor}==”091e”, MODE=”0666″
#Google
SUBSYTEM==”USB”, SYSFS{idVendor}==”18d1″, MODE=”0666″
#Haier
SUBSYTEM==”USB”, SYSFS{idVendor}==”501E”, MODE=”0666″
#Hisense
SUBSYTEM==”USB”, SYSFS{idVendor}==”109b”, MODE=”0666″
#HTC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0bb4″, MODE=”0666″
#Huawei
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d1″, MODE=”0666″
#K-Touch
SUBSYTEM==”USB”, SYSFS{idVendor}==”24e3″, MODE=”0666″
#KT Tech
SUBSYTEM==”USB”, SYSFS{idVendor}==”2116″, MODE=”0666″
#Kyocera
SUBSYTEM==”USB”, SYSFS{idVendor}==”0482″, MODE=”0666″
#Lenovo
SUBSYTEM==”USB”, SYSFS{idVendor}==”17ef”, MODE=”0666″
#LG
SUBSYTEM==”USB”, SYSFS{idVendor}==”1004″, MODE=”0666″
#Motorola
SUBSYTEM==”USB”, SYSFS{idVendor}==”22b8″, MODE=”0666″
#MTK
SUBSYTEM==”USB”, SYSFS{idVendor}==”0e8d”, MODE=”0666″
#NEC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0409″, MODE=”0666″
#Nook
SUBSYTEM==”USB”, SYSFS{idVendor}==”2080″, MODE=”0666″
#Nvidia
SUBSYTEM==”USB”, SYSFS{idVendor}==”0955″, MODE=”0666″
#OTGV
SUBSYTEM==”USB”, SYSFS{idVendor}==”2257″, MODE=”0666″
#Pantech
SUBSYTEM==”USB”, SYSFS{idVendor}==”10a9″, MODE=”0666″
#Pegatron
SUBSYTEM==”USB”, SYSFS{idVendor}==”1d4d”, MODE=”0666″
#Philips
SUBSYTEM==”USB”, SYSFS{idVendor}==”0471″, MODE=”0666″
#PMC-Sierra
SUBSYTEM==”USB”, SYSFS{idVendor}==”04da”, MODE=”0666″
#Qualcomm
SUBSYTEM==”USB”, SYSFS{idVendor}==”05c6″, MODE=”0666″
#SK Telesys
SUBSYTEM==”USB”, SYSFS{idVendor}==”1f53″, MODE=”0666″
#Samsung
SUBSYTEM==”USB”, SYSFS{idVendor}==”04e8″, MODE=”0666″
#Sharp
SUBSYTEM==”USB”, SYSFS{idVendor}==”04dd”, MODE=”0666″
#Sony
SUBSYTEM==”USB”, SYSFS{idVendor}==”054c”, MODE=”0666″
#Sony Ericsson
SUBSYTEM==”USB”, SYSFS{idVendor}==”0fce”, MODE=”0666″
#Teleepoch
SUBSYTEM==”USB”, SYSFS{idVendor}==”2340″, MODE=”0666″
#Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”0930″, MODE=”0666″
#ZTE
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d2″, MODE=”0666″

Or you can download it from my Sourceforge @ https://sourceforge.net/projects/forensicscripts/files/android/

Edit: Do you see android running on a device that works but somehow isn’t officially mentioned in the SDK docs? Feel free to grab the vid and comment with it (to get the vid you can connect the device and run a simple dmesg | usb.)

Google Map Tiles: Forensics & IEF

I stumbled upon something neat I thought I’d share with you all while playing around with a demo of Internet Evidence Finder by Magnet Forensics. It is essentially using a memory image to determine where an individual may have been based on his/her geolocation queries, crowd sourced GPS check-ins (using Google Maps), etc. by analyzing Google Map tiles.  Obviously, although IEF is known in the forensics community, I was impressed when using it for the first time.

I allowed IEF to carve web browser artifacts, chat sessions and Google map tile artifacts from a memory image (acquired via FTKi). Then had IEF map the coordinates from the tile file names and plot them across a world map (it is as simple as hitting “World Map” in the Report Viewer). You can also use Magnet’s free standalone GMTI (Google Maps Tile Investigator) to plot specified coordinates if you’ve pulled the artifacts using another method.

Although this is a known feature of the software, I found it incredibly impressive very useful. That you can do this directly from a memory image –  with the same amount of success as from a hard drive image – is pretty cool.

Using that information you can get a general sense of where an individual was by what map information he or she searched for using Google Maps.

memorytriangulation

You can begin to develop a hypothesis as to the location’s significance when you compare this information to other known facts within your investigation. Knowing this information can help you weigh the importance of a cluster of plots and determine whether they are significant.

Instructions and more information on Google Map tile forensics is available in a great post by Magnet on their blog: http://www.magnetforensics.com/investigating-google-maps-how-the-tiles-tell-all/

For more information on Magnet’s IEF see: http://www.magnetforensics.com/products/internet-evidence-finder/

Information on the standalone (free) GMTI can be found at this address: http://www.magnetforensics.com/google-maps-tile-investigator/

Links- Ophcrack for Windows Password Extraction

With forensics in mind, there’s literally a ton of ways to gain access to Windows. From clear text password exploits that dump the password in plaintext to your screen to bootable CDs that reset the Windows password outright (just search Google for “Windows Password Recovery” to see what I mean). This post isn’t meant to cover all password recovery bases, just briefly explain why reset tools may not be forensically sound and provide some links that may be of value to you if you need a good tool (my current favorite method is utilizing tool known as Ophcrack).

For those that don’t know, 0phcrack is a free but powerful utility that makes use of rainbow tables to crack NT HASH and LM passwords. It utilizes a method known as Time-Memory Tradeoff (discussed earlier on the blog). The best tables that support different types of characters for use in password extraction (and for different OS types) can be rather large. Cracking passwords can also be time consuming.

Distributions like the now-defunct free version of e-fense’s Helix 3 (no longer supported in favor of a paid pro version), and DEFT Linux, made/makes use of 0phcrack and provided access to basic rainbow tables for this purpose. If you don’t have Helix or 0phcrack as part of your forensic tool-set, you should. If you are interested in expanding your tables and have access to a large enough medium, feel free to check FreeRainBowTables.com to get more tables generated using distributed computing methods). The basic tables can also be found on 0phcrack’s Sourceforge and are suitable for basic use, but they also have paid tables as well.

0phcrack can be used during the analysis of a target’s SAM and SYSTEM Hivehive. It can be run as an executable from within Windows or in a bootable environment. Such information could provide forensically invaluable in accessing EFS-protected files on the system. From what I know, using methods like chntpw in Backtrack do reset Windows passwords but do then make accessing EFS encrypted files impossible.

Check this video created and posted by TechnologyCrazy to see how to setup 0phcrack (completely unaffiliated with this site).

As I always state, this site does not condone illegal activity. Link posts are links to pre-existing content (I’m actually considering making my own informational videos at some point when I have the time. Maybe even a step-by-step guide).

For links to computer security related tools or resources, feel free to check this Neuralhub post.

If you have access to any related instructional video please post it in the comments! If they are any good (and they are publicly accessible), I’ll share them.

Edit: This post is fairly old and I’ve used some really great programs since then. Here are some further notes to help you decide which encryption auditing tool you should use and when:

Ophcrack Project Homepage

This tool is good for LM and NT hash; quick and easy SAM hive cracking which is ideal if you don’t happen to have a license for PRTK but do for FTK and wish to crack EFS; uses rainbow tables for speed (pre-calculated hashes), for brute force see l0phtcrack below.

l0phtcrack Password Auditor

Offers excellent brute force, support for rainbow tables and dictionary attacks. Some that are coming from PRTK may note l0phtcrack seems to be missing PRTK’s biographical dictionary attack… one of my favorite tools. But that’s not necessarily true: you can accomplish this by loading biographical information in by creating your own dictionaries. Also one of the coolest features of l0phtcrack is the network sniffer which pulls password hashes transmitted across a network… but fair warning: it doesn’t always work, if in doubt, read the documentation).

** Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.

AccessData’s PRTK

One of my all time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries straight off the bat. Also nothing beats the simple and straight forward interface. I’m a huge fan of the biographical dictionary attack in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, things like directory listings, FTK dtIndex’d results, etc. can all be imported to speed up attacks).  I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.

Interesting side note regarding EFS cracking if you have a license to FTK but not to PRTK:

If you are running FTK4+, you can first crack the Windows user password in Ophcrack (SAM & SYSTEM hives) and then, after selecting the EFS encrypted file, allow FTK to decrypt it with the password you’ve discovered. FTK also includes allows you to list multiple passwords if you’re unsure of which it may be. If PRTK is installed on the same system, it’ll use PRTK in the background and decrypt the file. Of course, as an ACE, I advocate getting a license to PRTK if you can, but thankfully PRTK can be used for this at the back-end with little trouble.

Link/Article – Memory Forensics & Encrypted Data Extraction

I’d like to post a link to a very neat paper I found which discusses the ability analyze RAM in hopes of targeting encrypted drives, volumes, files or folders (cited below). A forensic investigator can recover encryption keys and even acquire passphrases with no hash cracking needed. Once a key and/or passphrase is obtained, any encrypted medium on the hard drive using the same credentials may be compromised.

Brian Kaplan’s RAM is Key – Extracting Disk Encryption Keys From Volatile Memory, Carnegie Mellon University (May 2007).

The paper is somewhat dated as it was released in 2007. But what’s cool about it is that such analysis wasn’t as common then as it is now (live acquisition was frowned upon). While it doesn’t highlight anything new (and, indeed, shows its age at times), the paper does make for some interesting reading.

While I’m still relatively new to forensics and currently studying DFIR, I figured that this paper may be of interest to some (I found it interesting from a historical aspect). Plus this article is a good way of introducing more forensic posts to the blog.

Feel free to share similar (or more timely) articles using the comments field below!

Related Tools

Volatility by Volatile Systems

Memoryze/AuditViewer & Redline by Mandiant

Finding Encrypted Drives/Volumes on Hard Drive

EDD and, I hear, TCHunt are both excellent tools. I’ve only played around with EDD but I plan on exploring other forms of encrypted drive/volume discovery and decryption in the future.