Tuesday, August 5, 2014

Triforce at Blackhat Arsenal

Hello Reader,
          It's been a bit, I know; I've enjoyed my brief time off from blogging, which coincided with a lot of work! I am heading to Blackhat today and I am excited to say that I will be at Blackhat Arsenal on Wednesday 8/6/14 showing Triforce ANJP Commercial edition from 10:00am-12:30am. If you are going to be there I hope you come by and say hi, if nothing else. We are working on a lot of new features that I'll be demoing, such as:

  • Support for Carved USN Journal Entries
  • Support for forensic images
  • Support for journals over 400 GB in size
  • Faster processing
  • More signatures!
For current license holders, we will be sending you this version this month as we finish our internal testing!

Want to know more? Click here to see our listing for Arsenal: https://www.blackhat.com/us-14/arsenal.html#Cowen

Click here to learn more about Triforce ANJP: https://www.gettriforce.com/product/triforce-anjp/

Monday, June 23, 2014

Daily Blog #365: The year of blogging complete and the stage 1 question

Hello Reader,
        Thank you to those of you who have kept up for the last 365 days; it has been both challenging and rewarding to force myself to keep looking, researching, documenting and sharing what I know with all of you. I hope you found some benefit in the last year, but I have received enough personal satisfaction and knowledge to make it worthwhile regardless. I highly recommend that anyone else out there who wants to push themselves forward in their understanding of all things DFIR give the Zeltser challenge a shot.

Now for what you all came here for: the 1st stage challenge in the 5 stage Sunday Funday challenge for a free vLive class from SANS.

  • Email me your answers at dcowen@g-cpartners.com

  • The contest will run until July 6th

  • To get the 2nd stage you must successfully email me the answer to the 1st.


Stage 1 Question:
You are dealing with an attacker who has used the volume shadow service to create a new copy of the volume and then exported the Active Directory database from it, a common tactic and one we use at NCCDC. If they cleared the security logs after doing this, how could you recover where they logged in from?

FAQ:
1. Keep the answer to the server: no firewall logs or SIEM are accessible here. The 1st stage is testing your knowledge of Windows Server 2008.
2. The attack happened a week ago.
3. Keep re-reading the question if you haven't picked up the clue.

Sunday, June 22, 2014

Daily Blog #364: Sunday Funday 6/22/14

Hello Reader,
The Prize:
A free vLive DFIR class from SANS, a prize worth $5,000. You can choose from the following:

The Rules Have Changed!:

  1. This will be a multi stage contest lasting two weeks
  2. Final answers must be in by July 6th
  3. The first question will be posted 6/23/14
  4. New questions will be given to those who answer the first question correctly
  5. You can start the contest at any point leading up to July 6th; there is no penalty for starting late
  6. All submissions must be sent to dcowen@g-cpartners.com; do not post answers in the comments
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge: Will be announced tomorrow. The year of blogging ends tomorrow, as does the restriction of having to put up daily content for you. So let's change things up! Tomorrow on Daily Blog #365 the first question will be given. Your goal is to answer this question via email to me at dcowen@g-cpartners.com. On receiving a correct answer you will be notified that you have entered stage 2 and another question will be sent to you. There are 5 stages, and the player who makes it the farthest with the most correct answers will win!

Make sure to watch the Forensic Lunch to get clues and good luck!

Saturday, June 21, 2014

Daily Blog #363: Saturday Reading 6/21/14

Hello Reader,
         It's Saturday! I don't know about you, but it's been a long week. While we both finish tracking down those miscreants we've been hunting this week, here are some links to make you think while Volatility runs, in this week's Saturday Reading!

1. We had a great Forensic Lunch this week. We had (in order of appearance):

  • Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has given two presentations on the subject, so I hope to talk him into a guest blog about it if he does not put up his own blog first.
  • Detective Cindy Murphy, with the Madison, Wisconsin police, talking all about Mobile Forensics and her journey in DFIR.
For those who watched, the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch it here: https://www.youtube.com/watch?feature=player_embedded&list=UUZ7mQV3j4GNX-LU1IKPVQZg&v=bI9T2-bnbM0

2. AppleExaminer has updated the OS X and iOS focus lists, cheat sheets of where to look for artifacts. Get them here: http://www.appleexaminer.com/files/b79f4470195d89b9d6a6ec0e4f8799fa-68.html

3. Craig Ball has a new post up, and his perspective as a special master is always interesting. This week he is talking about an issue he is facing where he's trying to understand someone's motive for inflating their fees: http://ballinyourcourt.wordpress.com/2014/06/19/unconscionable/

4. Corey Harrell has posted a review of Harlan's updated WFA: http://journeyintoir.blogspot.com/2014/06/review-of-windows-forensic-analysis-4th.html

5. Matthew, my partner in lunch, posted a new entry to his new blog, talking all about additional fields stored within the prefetch files that reveal file record numbers and sequence numbers: http://forensicmatt.blogspot.com/2014/06/possible-new-field-identified-in.html

That's all for this week!

Friday, June 20, 2014

Daily Blog #362: Forensic Lunch 6/20/14

Hello Reader,
          We had a great Forensic Lunch today. We had (in order of appearance):

  • Blazer Catzen, of Catzen Forensics, talking all about File System Tunneling in an extensive piece of research that goes beyond the STDINFO and into the File Name attributes and Object IDs. Blazer has given two presentations on the subject, so I hope to talk him into a guest blog about it if he does not put up his own blog first.
  • Detective Cindy Murphy, with the Madison, Wisconsin police, talking all about Mobile Forensics and her journey in DFIR.
For those who watched, the link to the SANS Work Study program is here:
https://www.sans.org/work-study

You can watch the lunch below:

Thursday, June 19, 2014

Daily Blog #361: SCCM and IR

Hello Reader,
           You may not often combine the ideas of SCCM (System Center Configuration Manager) and Incident Response, but you should. I wanted to pass along something that I've used as a recurring script to track users to computers and, in IR situations, to find possibly compromised systems when the attacker is doing interactive logins.

Step 1. Ask the SCCM admin for read only access to the back end SCCM database. This is important: the SCCM MS SQL database, not the SCCM front end.

Step 2. Get a MS SQL client. I like Navicat for SQL Server, http://www.navicat.com/products/navicat-for-sqlserver, which has a free trial.

Step 3. Access the database and find the computer table. I've seen it named 'v_GS_COMPUTER_SYSTEM' and 'COMPUTER_SYSTEM_HIST'; look for something similar.

Step 4. Run the following query:

SELECT Name0 FROM COMPUTER_SYSTEM_TABLE_YOU_FOUND WHERE UserName0 = '<compromised account, e.g. DOMAIN\user>';

What will come back is a list of all the systems that recorded the compromised account as the last account to have logged in. This will obviously change quickly once the next user logs in, but it can still bring back a lot of intelligence as to where an active attacker has been hitting.
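Because the current inventory only keeps the most recent logon per machine, the history view is where the earlier hits survive. The following T-SQL is an added example, not part of the original post; it assumes the standard SCCM hardware inventory views v_GS_COMPUTER_SYSTEM (current) and v_HS_COMPUTER_SYSTEM (history) exist with Name0, UserName0 and TimeStamp columns, and the account name is a placeholder. Verify the view names in your own database first, as Step 3 says.

```sql
-- Added example (not from the original post). Assumes the v_GS_COMPUTER_SYSTEM and
-- v_HS_COMPUTER_SYSTEM views with Name0, UserName0 and TimeStamp columns exist.
DECLARE @account nvarchar(256) = N'CORP\compromised.user';  -- placeholder account
DECLARE @since   datetime      = DATEADD(day, -14, GETDATE());  -- lookback window

-- Current inventory: machines whose most recent recorded logon is the account.
SELECT cs.Name0     AS ComputerName,
       cs.UserName0 AS LastLoggedOnUser,
       cs.TimeStamp AS InventoryTime,
       'current'    AS Source
FROM   v_GS_COMPUTER_SYSTEM AS cs
WHERE  cs.UserName0 = @account

UNION ALL

-- Inventory history: machines where another user has since logged on, so the
-- account no longer shows in the current view but did at an earlier inventory.
SELECT hs.Name0,
       hs.UserName0,
       hs.TimeStamp,
       'history'
FROM   v_HS_COMPUTER_SYSTEM AS hs
WHERE  hs.UserName0 = @account
  AND  hs.TimeStamp >= @since

ORDER BY InventoryTime DESC;
```

Each row is a machine and the inventory time at which the account was the last interactive logon there, so the result is a timeline of hosts to pull logs from rather than just a snapshot.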

Wednesday, June 18, 2014

Daily Blog #360: NIST Mobile Forensics Workshop streaming live today

Hello Reader,
             As I type this I'm listening to the live webcast from the NIST Mobile Forensics workshop. There are some great speakers lined up and they are streaming all the presentations live to the world, no registration required. So if you want to hear about some great mobile forensics research and the state of the industry, make sure to tune in.

You can read more about the event here:
http://www.nist.gov/forensics/mobile_forensics2.cfm

You can watch it live here:
http://www.nist.gov/forensics/nist-mobile-forensics-webcast.cfm