Monday, June 23, 2014

Daily Blog #365: The year of blogging complete and the stage 1 question

Hello Reader,
        Thank you to those of you who have kept up for the last 365 days. It has been both challenging and rewarding to force myself to keep looking, researching, documenting and sharing what I know with all of you. I hope you found some benefit in the last year, but I have received enough personal satisfaction and knowledge to make it worthwhile regardless. I highly recommend anyone else out there who wants to push themselves forward in their understanding of all things DFIR to give the Zeltser challenge a shot.

Now for what you all came here for, the 1st stage challenge in the 5 stage Sunday Funday challenge for a free vLive class from SANS.

  • Email me your answers at dcowen@g-cpartners.com

  • The contest will run until July 6th

  • To get the 2nd stage you must successfully email me the answer to the 1st.


Stage 1 Question:
You are dealing with an attacker who has used the Volume Shadow Service to create a new copy of the volume and then exported the Active Directory database from it, a common tactic and one we use at NCCDC. If they cleared the Security logs after doing this, how could you recover where they logged in from?

FAQ:
1. Keep the answer to the server; there are no firewall logs or SIEM accessible here. The 1st stage is testing your knowledge of Windows Server 2008.
2. The attack happened a week ago.
3. Keep re-reading the question if you haven't picked up the clue.

Sunday, June 22, 2014

Daily Blog #364: Sunday Funday 6/22/14

Hello Reader,
 

The Prize:
A free vLive DFIR class from SANS, a prize worth $5,000. You can choose from the following:

The Rules Have Changed!:


  1. This will be a multi-stage contest lasting two weeks
  2. Final answers must be in by July 6th
  3. 6/23/14: the first question will be posted
  4. New questions will be given to those who answer the first question correctly
  5. You can start the contest at any point leading up to July 6th; there is no penalty for starting late
  6. All submissions must be sent to dcowen@g-cpartners.com, do not post answers in the comments
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge: Will be announced tomorrow. The year of blogging ends tomorrow, as do the restrictions I have in having to get up daily content for you. So let's change things up! Tomorrow on Daily Blog #365 the first question will be given. Your goal is to answer this question via email to me at dcowen@g-cpartners.com. On receiving a correct answer you will be notified that you have entered stage 2 and that another question will be sent to you. There are 5 stages and the player who makes it the farthest with the most correct answers will win!

Make sure to watch the Forensic Lunch to get clues and good luck!

Saturday, June 21, 2014

Daily Blog #363: Saturday Reading 6/21/14

Hello Reader,
         It's Saturday! I don't know about you but it's been a long week. While we both finish tracking down those miscreants we've been hunting this week, here are some links to make you think while Volatility runs in this week's Saturday Reading!

1. We had a great Forensic Lunch this week. We had (in order of appearance):

  • Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has two presentations he has done on the subject so I hope to talk him into a guest blog about it, if he does not put up his own blog first.
  • Detective Cindy Murphy, with the Madison, Wisconsin, police, talking all about Mobile Forensics and her journey in DFIR.
For those who watched, the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch it here:  https://www.youtube.com/watch?feature=player_embedded&list=UUZ7mQV3j4GNX-LU1IKPVQZg&v=bI9T2-bnbM0

2. AppleExaminer has updated the OS X and iOS focus lists, cheat sheets of where to look for artifacts. Get them here: http://www.appleexaminer.com/files/b79f4470195d89b9d6a6ec0e4f8799fa-68.html

3. Craig Ball has a new post up, and his perspective as a special master is always interesting. This week he is talking about an issue he is facing where he's trying to understand someone's motive for inflating their fees: http://ballinyourcourt.wordpress.com/2014/06/19/unconscionable/

4. Corey Harrell has posted a review of Harlan's updated WFA: http://journeyintoir.blogspot.com/2014/06/review-of-windows-forensic-analysis-4th.html

5. Matthew, my partner in lunch, posted a new entry to his new blog, talking all about additional fields stored within the prefetch files that reveal file record numbers and sequence numbers: http://forensicmatt.blogspot.com/2014/06/possible-new-field-identified-in.html

That's all for this week!

Friday, June 20, 2014

Daily Blog #362: Forensic Lunch 6/20/14

Hello Reader,
          We had a great Forensic Lunch today. We had (in order of appearance):

  • Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has two presentations he has done on the subject so I hope to talk him into a guest blog about it, if he does not put up his own blog first.
  • Detective Cindy Murphy, with the Madison, Wisconsin, police, talking all about Mobile Forensics and her journey in DFIR.
For those who watched, the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch the lunch below:

Thursday, June 19, 2014

Daily Blog #361: SCCM and IR

Hello Reader,
           You may not often combine the ideas of SCCM (System Center Configuration Manager) and Incident Response, but you should. I wanted to pass along something that I've used as a recurring script to track users to computers and, in IR situations, to find possibly compromised systems if the attacker is doing interactive logins.

Step 1. Ask the SCCM admin for read-only access to the back end SCCM database. This is important: the SCCM MS SQL database, not the SCCM front end.

Step 2. Get an MS SQL client. I like Navicat for SQL Server, http://www.navicat.com/products/navicat-for-sqlserver, which has a free trial.

Step 3. Access the database and find the computer table. I've seen it named 'v_GS_COMPUTER_SYSTEM' and 'COMPUTER_SYSTEM_HIST'; look for something similar.

Step 4. Run the following query:

SELECT Name0 FROM COMPUTER_SYSTEM_TABLE_YOU_FOUND WHERE UserName0 = '<DOMAIN\compromised_account>'

(Replace COMPUTER_SYSTEM_TABLE_YOU_FOUND with the table or view you found in Step 3, and the quoted placeholder with the compromised account as SCCM records it, in DOMAIN\user form.)

What will come back is a list of all the systems that recorded the compromised account as the last account to have logged in. This will obviously change quickly once the next user logs in, but it can bring back a lot of intelligence as to where an active attacker has been hitting.
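The same lookup as a reusable script, added here as an example and not part of the original post or of SCCM itself. It uses an in-memory SQLite database with constructed rows as a stand-in for the SCCM MS SQL back end; the column names Name0 and UserName0 and the view names come from the post, while the allowlist of table names, the case-folded comparison and the multi-account sweep are my additions. Against a real server you would swap the sqlite3 connection for a pyodbc or similar connection with the read-only account from Step 1.

```python
import sqlite3

# Constructed sample rows shaped like SCCM's v_GS_COMPUTER_SYSTEM view:
# Name0 is the computer name, UserName0 the last logged-on user as captured
# by hardware inventory (DOMAIN\user). Not real inventory data.
SAMPLE_INVENTORY = [
    ("WS-FIN-01", r"CORP\jsmith"),
    ("WS-FIN-02", r"CORP\svc_backup"),
    ("WS-HR-07", r"CORP\SVC_BACKUP"),     # same account, different case
    ("SRV-FILE-03", r"CORP\svc_backup"),
    ("WS-IT-11", r"CORP\admin2"),
    ("WS-ENG-04", None),                  # no logon recorded yet
]

# The table names the post mentions. The table name is interpolated as an
# identifier, so it is restricted to this allowlist rather than taken from input.
ALLOWED_TABLES = {"v_GS_COMPUTER_SYSTEM", "COMPUTER_SYSTEM_HIST"}


def load_sample_db():
    """Build an in-memory SQLite stand-in for the SCCM database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE v_GS_COMPUTER_SYSTEM ("
        "ResourceID INTEGER PRIMARY KEY, Name0 TEXT NOT NULL, UserName0 TEXT)"
    )
    conn.executemany(
        "INSERT INTO v_GS_COMPUTER_SYSTEM (Name0, UserName0) VALUES (?, ?)",
        SAMPLE_INVENTORY,
    )
    conn.commit()
    return conn


def systems_last_used_by(conn, account, table="v_GS_COMPUTER_SYSTEM"):
    """Return the sorted computer names whose last logged-on user is `account`.

    The account name is bound as a query parameter, never formatted into the
    SQL string. The comparison is case-folded because Windows account names are
    case-insensitive: SQL Server's default collation already behaves that way,
    SQLite does not.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table!r}")
    sql = f"SELECT Name0 FROM {table} WHERE UPPER(UserName0) = UPPER(?) ORDER BY Name0"
    return [row[0] for row in conn.execute(sql, (account,))]


def sweep_accounts(conn, accounts, table="v_GS_COMPUTER_SYSTEM"):
    """Map each account of interest to the systems it was last seen on, so the
    whole list of compromised accounts from an incident is checked in one pass."""
    return {acct: systems_last_used_by(conn, acct, table) for acct in accounts}


if __name__ == "__main__":
    db = load_sample_db()
    for acct, hosts in sweep_accounts(db, [r"CORP\svc_backup", r"CORP\nobody"]).items():
        print(f"{acct}: {', '.join(hosts) or '(no systems)'}")
```

Run it on a schedule and diff the output between runs: because UserName0 is overwritten by the next interactive logon, the value of this query comes from catching the attacker's account on a system before a legitimate user replaces it.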

Wednesday, June 18, 2014

Daily Blog #360: NIST Mobile Forensics Workshop streaming live today

Hello Reader,
             As I type this I'm listening to the live webcast from the NIST Mobile Forensics workshop. There are some great speakers lined up and they are streaming all the presentations live, no registration required, to the world. So if you want to hear about some great mobile forensics research and state of the industry make sure to tune in.

You can read more about the event here:
http://www.nist.gov/forensics/mobile_forensics2.cfm

You can watch it live here:
http://www.nist.gov/forensics/nist-mobile-forensics-webcast.cfm

Tuesday, June 17, 2014

Daily Blog #359: Carving USN Records

Hello Reader,
           Today I want to talk about something I find very exciting. You know how much we enjoy USN Journals, but as with all the best artifacts, it's limited in scope as to the amount of time the journal goes back. We previously found joy in the fact that USN Journals are included in the Volume Shadow Copies, meaning we could recover much more data about what happened in the past, but now we can get even more!

I was under the misconception in the past that the USN Journal, like the $LogFile, was a circular log, meaning the data at the beginning of the journal would be overwritten when the space allocated ran out. This belief, though, did not line up with what we saw in the journal itself: we just kept seeing blocks of 0's assigned and no overwritten records. After talking to Troy Larson I now understand that this behavior is due to the fact that the journal is not circular; rather, pages are allocated and deallocated as the journal grows.

Why is this exciting? It means that old records are not overwritten, just deallocated and left hanging out in the unallocated space of the partition. That means we can carve for these records and recover much more USN Journal data. USN Journal data is especially useful when carved because a record contains everything you need to know within itself (timestamp, file reference number, filename, etc.); nothing missing before or after a record detracts from the value of carving even a single record.

Currently I know X-Ways Forensics supports carving these entries, and we will be coming out with carving signatures for you to use as well. This is great news and will lead to even more great evidence! As we move forward with the commercial version of the Triforce you should expect to see this carving functionality built in as well.
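To make the carving idea concrete, here is an added example of my own, not the post's or the Triforce's carving signature, that walks a buffer of "unallocated space" looking for USN_RECORD_V2 structures and keeps only those that pass structural and plausibility checks. The record layout (60-byte fixed header, UTF-16LE name, length rounded up to 8 bytes) and the reason flag values are the documented Windows ones; the sample buffer, the file names, the timestamp window and the decoy header are constructed for the demonstration. Because every record is self-describing, the carver needs no surrounding context, which is exactly the property the post relies on.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset. The UTF-16LE file name follows at FileNameOffset.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
HEADER_LEN = HEADER.size  # 60
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


# Plausibility window for the timestamp field (constructed bounds; narrow them to
# the case's time frame to cut false positives further).
TS_MIN_FT = datetime_to_filetime(datetime(1995, 1, 1, tzinfo=timezone.utc))
TS_MAX_FT = datetime_to_filetime(datetime(2035, 1, 1, tzinfo=timezone.utc))
BAD_NAME_CHARS = set('\\/:*?"<>|')  # never legal in an NTFS file name

REASON_FLAGS = {  # documented USN_REASON_* values
    0x00000001: "USN_REASON_DATA_OVERWRITE", 0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000004: "USN_REASON_DATA_TRUNCATION", 0x00000100: "USN_REASON_FILE_CREATE",
    0x00000200: "USN_REASON_FILE_DELETE", 0x00001000: "USN_REASON_RENAME_OLD_NAME",
    0x00002000: "USN_REASON_RENAME_NEW_NAME", 0x00008000: "USN_REASON_BASIC_INFO_CHANGE",
    0x80000000: "USN_REASON_CLOSE",
}


def parse_record(buf, off):
    """Return a dict for a valid USN_RECORD_V2 starting at buf[off], else None."""
    if off + HEADER_LEN > len(buf):
        return None
    (rec_len, major, minor, frn, parent_frn, usn, ts, reason, _source,
     _sec_id, attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
    if major != 2 or minor != 0 or name_off != HEADER_LEN:
        return None
    if name_len == 0 or name_len % 2 or name_len > 510:  # at most 255 UTF-16 units
        return None
    if rec_len != ((HEADER_LEN + name_len + 7) & ~7) or off + rec_len > len(buf):
        return None
    if not TS_MIN_FT <= ts <= TS_MAX_FT:
        return None
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
    if any(ord(c) < 0x20 or c in BAD_NAME_CHARS for c in name):
        return None
    return {"offset": off, "record_length": rec_len, "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "file_ref": frn & 0xFFFFFFFFFFFF, "file_seq": frn >> 48,
            "parent_ref": parent_frn & 0xFFFFFFFFFFFF, "reason": reason,
            "reason_names": [n for b, n in REASON_FLAGS.items() if reason & b],
            "attributes": attrs, "filename": name}


def carve_usn_records(buf, step=8):
    """Scan buf for USN_RECORD_V2 structures. Records are 8-byte aligned inside
    the journal, so an 8-byte stride suffices on cluster-aligned input."""
    found, off = [], 0
    while off + HEADER_LEN <= len(buf):
        rec = parse_record(buf, off)
        if rec:
            found.append(rec)
            off += rec["record_length"]
        else:
            off += step
    return found


def build_record(name, usn, ts, reason, frn, parent_frn, attrs=0x20):
    """Pack a USN_RECORD_V2; used only to construct the sample buffer below."""
    nb = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(nb) + 7) & ~7
    rec = HEADER.pack(rec_len, 2, 0, frn, parent_frn, usn, datetime_to_filetime(ts),
                      reason, 0, 0, attrs, len(nb), HEADER_LEN) + nb
    return rec + b"\x00" * (rec_len - len(rec))


def build_sample_unallocated():
    """Constructed stand-in for unallocated space: zero fill from deallocated
    pages, two genuine records, and a decoy whose version field matches but
    whose other fields are nonsense (it must be rejected)."""
    t = datetime(2014, 6, 10, 14, 3, 27, tzinfo=timezone.utc)
    r1 = build_record("payroll.xlsx", 0x1000, t, 0x80000100, (7 << 48) | 48211, (1 << 48) | 5)
    r2 = build_record("staging_export.zip", 0x1040, t + timedelta(seconds=41),
                      0x80000002, (3 << 48) | 48212, (1 << 48) | 5)
    decoy = struct.pack("<IHH", 64, 2, 0) + b"\xff" * 56
    return b"\x00" * 512 + r1 + b"\x00" * 120 + decoy + b"\x00" * 8 + r2 + b"\x00" * 256


if __name__ == "__main__":
    for r in carve_usn_records(build_sample_unallocated()):
        print(f"@{r['offset']:<6} usn={r['usn']:#x} {r['timestamp']:%Y-%m-%d %H:%M:%S} "
              f"frn={r['file_ref']}/{r['file_seq']} {r['filename']} {'|'.join(r['reason_names'])}")
```

On a real image you would feed carve_usn_records the unallocated clusters (or the whole partition, in chunks) and then join the carved file reference numbers back to the $MFT to rebuild full paths; the checks in parse_record are what keep the hit list honest, and tightening the timestamp window to the incident's time frame is the cheapest way to cut false positives further.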