2013

• Officially opened the beta for the Advanced NTFS Journal Parser
• Launched the beta for the Advanced HFS+ Journal Parser
• Presented at CEIC, SANS DFIR Summit, HTCIA Austin, Bsides DFW, TexasLawyer Technology Summit, The Masters Conference and PFIC
• Launched another successful campaign at NCCDC 2013
• Start the blog a day challenge and now 1/2 done
• Started our official intern program
• Opened an office in Silicon Valley
• Starting learning python
• Put out a new book
• Got a smoker, smoked lots of things
• Started the forensic lunch
• Got to meet the future DFIR rockstars at Champlain
• Continued to learn and discover new forensic artifacts
• Got to meet lots of great DFIR peers out there and geek out about research and analysis
• Started the Encyclopedia Forensica
• Won a 4Cast Award for Best DFIR Article!

2014 

• Release a commercial version of ANJP as well as maintain the free version
• Launch the beta of our Plist parser
• Get perl-TSK integration finished and open sourced onto CPAN
• Finish the third edition of Hacking Exposed: Computer Forensics
• Write two SANS classes along with my great co-authors
• Hopefully present at CEIC, ADUC, PFIC, HTCIA, SANS DFIR Summit and Bsides
• Get our new intern up to speed
• Teach SANS 408
• Finish the blog a day challenge, and then see what I want to do after
• Continue to work on the Encyclopedia Forensica
• Be a good dad
• Get more of you to get on the Forensic Lunch
• Get even better prizes for Sunday Fundays 
• Unleash a new campaign of fun at NCCDC 2014
• Book a cruise
• Learn more python 
• Finish the Windows Internals books
• Do more research!

System Registry

DeviceClasses

SYSTEM\ControlSet001\Control\DeviceClasses\{6ac27878-a6fa-4155-ba85-f98f491d4f33}\##?#WpdBusEnumRoot#UMB#2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#

DISK&VEN_LINUX&PROD_FILE-CD_GADGET&REV_0000#P752A15&0##{6ac27878-a6fa-4155-ba85-f98f491d4f33}

• Last write time 1/2/14 22:31:30 UTC

 SYSTEM\ControlSet001\Control\DeviceClasses\{6ac27878-a6fa-4155-ba85-f98f491d4f33}\##?#USB#VID_19D2&PID_0307#P752A15#{6ac27878-a6fa-4155-ba85-f98f491d4f33}

• Last write time 1/2/14 22:31:39 UTC

Enum\USB

SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0307\P752A15\Device Parameters
 "%SystemRoot%\system32\wpdshext.dll,-701"

"WpdMtpDriver"

NTUSER.DAT 

Explorer

"MSWPDShellNamespaceHandler"

• Sean Conover from Sony Online Entertainment talking about his work doing memory analysis and forensics to stop game cheats. Follow him at https://twitter.com/seanconover
• Nicole Ibrahim, now from G-C Partners, talking about her research into USB storage drivers including MSC, MTP and PTP. You can read Nicole's Blog here: http://nicoleibrahim.com/

• Lee Whitefield, from Digital Discovery, talking about the forensic 4cast awards which are now available for 2014 nominations! You can nominate someone here: http://forensic4cast.com/2014/01/4cast-awards-2014-nominations 

• A RiffBox, http://www.riffbox.org/, a JTAG box for full physical imaging of many mobile phones

Your suspect was identified with a Samsung Galaxy S3 device attached to his work computer on the day of his departure. On a Windows 7 system what would you do to determine the following:
1. When the phone was first and last connected
2. What was being accessed from the phone
3. If data had been copied to the phone
4. The contents of files accessed from the phone

I can actually look at my information from Saturday.  On January 1, I did a factory restore on my laptop.  It’s so nice to have a clean computer!  I connected my phone for charging in the afternoon.

1. When the phone was first and last connected

First Time Connected:  Utilizing Nicole Ibrahim’s research on USB devices, I learned that the follow registry keys would have information regarding times that they were created upon device insertion.   However, it may be possible that some of these are added by default and are actually related to potential events or actions that could take place at some time on the device.  I’ll show an example below, but verifying against the Setupapi.dev.log would be more conclusive of the first insertion time.

SYSTEM\CurrentControlSet\Control\DeviceClasses\

SYSTEM\CurrentControlSet\Control\Class\

This Snapshot of the SetupApi.dev.log shows more conclusive evidence of an MTP device being inserted at the time of interest.  You can see the VID & PID match the entries in DeviceClasses above.

>>>  [Device Install (Hardware initiated) - USB\VID_04E8&PID_6860\8d638616]

>>>  Section start 2014/01/04 14:39:33.433

     ump: Creating Install Process: DrvInst.exe 14:39:33.438

     ndv: Retrieving device info...

     ndv: Setting device parameters...

     ndv: Searching Driver Store and Device Path...

     dvi: {Build Driver List} 14:39:33.462

     dvi:      Searching for hardware ID(s):

     dvi:           usb\vid_04e8&pid_6860&rev_0400

     dvi:           usb\vid_04e8&pid_6860

     dvi:      Searching for compatible ID(s):

     dvi:           usb\ms_comp_mtp

     dvi:           usb\class_06&subclass_01&prot_01

     dvi:           usb\class_06&subclass_01

     dvi:           usb\class_06

     cpy:      Policy is set to make all digital signatures equal.

     dvi:      Enumerating INFs from path list 'C:\windows\inf'

     inf:      Opened PNF: 'C:\windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\wpdmtp.inf' ([strings.0409])

     dvi:      Created Driver Node:

     dvi:           HardwareID   - USB\MS_COMP_MTP

     dvi:           InfName      - C:\windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\wpdmtp.inf

     dvi:           DevDesc      - MTP USB Device

     dvi:           DrvDesc      - MTP USB Device

     dvi:           Provider     - Microsoft

     dvi:           Mfg          - (Standard MTP Device)

     dvi:           ModelsSec    - Generic.NTamd64

     dvi:           InstallSec   - MTP

     dvi:           ActualSec    - MTP.NT

     dvi:           Rank         - 0x00ff2000

     dvi:           Signer       - Microsoft Windows

     dvi:           Signer Score - INBOX

     dvi:           DrvDate      - 06/21/2006

     dvi:           Version      - 6.1.7600.16385

     dvi:      Created Driver Node:

     dvi:           HardwareID   - USB\Class_06&SubClass_01&Prot_01

     dvi:           InfName      - C:\windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\wpdmtp.inf

     dvi:           DevDesc      - MTP USB Device

     dvi:           DrvDesc      - MTP USB Device

     dvi:           Provider     - Microsoft

     dvi:           Mfg          - (Standard MTP Device)

     dvi:           ModelsSec    - Generic.NTamd64

     dvi:           InstallSec   - MTP

     dvi:           ActualSec    - MTP.NT

     dvi:           Rank         - 0x00ff2001

     dvi:           Signer       - Microsoft Windows

     dvi:           Signer Score - INBOX

     dvi:           DrvDate      - 06/21/2006

     dvi:           Version      - 6.1.7600.16385

     inf:      Searched 1 potential matches in published INF directory

     inf:      Searched 35 INFs in directory: 'C:\windows\inf'

Last Time Connected:  The last time connected was more difficult to determine, however after reviewing more entries, this was the latest time I discovered for this device.  This was near the time I removed the device from the computer and plugged it into the wall for charging.  I’m not aware of what actions created this entry, as I was unable to get this time to update with connection testing today.  The registry entries I’m using for this portion of the report, by the way, were all saved prior to any testing.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\...

Device Name – Software Hive

I did find out that the Microsoft\Windows Portable Devices\Devices\USB#...  key updates when the Device Name changes on my Samsung Galaxy S4.

Here, the first entry shows the device name I had set up (I had performed a factory reset on my phone after a troublesome software update so I changed the name after having connected my phone an earlier time).  I was curious why this time was different from the install times, as Nicole mentioned this key is created initially at the time of the first device install.  I changed the Device Name to TEST (SGH-M919), then rechecked the key and the time value was again changed to the time that I plugged in the phone.

2. What was being accessed from the phone?

Looking over the ShellBag entries from the UsrClass.dat.  These are the folders I created for testing.  The folders name “AllReadyOnDevice”, were created on the microSD card, then the card was placed into the phone to be accessed.  The “CopiedFromComputer” folder was created on my computer, then copied to the microSD card, while it was being access from the phone.  These entries are from when I accessed each folder while they were on the phone.

Background:

Problem:

mount: block device /dev/sdb2 is write-protected, mounting read-only

Solution:

• A ticket to the SANS DFIR Summit 2014 in Austin, Tx worth $1,495

 Write your most challenging DFIR case and how you overcame the obstacles and the outcome. I'll take the top best cases based on our opinion and open it up for voting to all of you to pick the winner. Any kind of DFIR case is valid here, there are no boundaries on what makes something a good case. We will be judging your case with the following criteria to determine those cases to vote for:
1. Technical Challenges faced
2. Novel solutions
3. Result of your work
4. Interesting scenario

 

This was one of my first DFIR experiences so I learned a lot from this and got me my first taste and want to get into IR and forensics.

I was working as a NT Server administrator for a dot com back in the late 90s/00s.  The security team for the company was contacted by a three letter agency that our IP addresses had been seen in part of another case they were working on led them to believe we had a compromised host.  The IP address given to us was of course the one and only email server for the entire company.  We had a dedicated security team but they were all linux guys and we were using NT4 and Exchange 5.5 for email.  Being the lone windows admin meant the investigation fell upon me.  I was told that to make sure the investigation was in-depth as if it wasn’t then there was a chance the three letter government agency may come in and seize the equipment.

First the technical challenges faced:

This was a long time ago and DFIR is not what it is today so the tools, documentation, etc was not what it is today so one of the first challenges was having to make it up as I went along.  Since it was a mail/web server it obviously had several paths of entry.  First I went and logged directly into the server from the console and began looking at running processes and other active sessions on the system.  I ended up finding Serv-U FTP had been installed and had a user list with accounts that were all using leetspeak.  Luckily the ports being used for Serv-U FTP was blocked at the firewall so it had only been installed but wasn’t able to be accessed.  As part of the investigation I also ran into some a folder that were flagged as hidden and no matter what I did to change permissions I could not access it.  

Novel solution:

After trying several methods to access it I dug out an old copy of dos based file/folder viewer.  It somehow was able to ignore permissions, flags, etc and allowed access to it.  Within the folder I was able to find a clear text log file from where msgina.dll had been replaced and any accounts that had logged directly into the console had been logged with their password in clear text! This was both good and bad as it was the first time I had seen my own account and the domain admin account in a clear text keylog file.  This of course led to more efforts and had to force password changes on every account, service, etc.

Results of the work:

Since the server was obviously compromised the end result was the decision to wipe and rebuild the server.  Of course this was all decided on a Friday afternoon and it was my task to now figure out how to wipe the OS, rebuild it, and retain all the MS Exchange databases and have it all back clean and working by Monday morning to minimize the impact to the company.  Given this scenario I made my first and only call to Microsoft to get exact detailed directions from them on the process of rebuilding an Exchange server but retaining all the mail databases.  So just to ensure I could successfully do this I took the process and verified I could successfully complete it using other hardware before I completely wiped the lone corporate mail server.  After a very late night on Friday I had success and came back in the next day and had to repeat the process on the real server.  In the end the agency didn’t come take away our mail server, I got to learn more about IR and Exchange, and I ended up finding an interest in the security side of IT.  So to whoever it was all those many years ago thanks for helping me find the desire and interest in having a career in DFIR.

TLDR; Bad guys own company mail server, server admin thrown into DIFR and decides to make a career of it.

In this walk-through, I’ll show you how to create a multi-boot USB drive to carry lots of great DFIR tools, or whatever else you want.

We started with a USB 3.0 32GB thumb drive.  They are very cheap now-a-days.  You can use a smaller drive.  We actually still have a lot of extra space, but that does leave plenty of room for add-ons later.

To keep the tool compatible with older systems, we used FAT32 and added several distros of linux to cover many situations and configurations.  Some of the distros will boot on USB 3 and some will not, however, they will all boot from USB 2.  Here are the distros we are using:

• SIFT 2.14
• Kali Linux
• Paladin 5
• Raptor 3

These will give a lot of compatibility with multiple systems and many tools for multiple situations.  Paladin and Raptor will even boot on MAC systems.   Feel free to add your favorite!

To make this tool even more versatile, we will add a second FAT32 partition for any other tools we wanted to have available.  Such as tools for Windows systems like the SysInternals Suite, FTK Imager Lite, among many others.

You can partition it with whatever tool you find that will partition removable drives.  I chose EaseUS Partition Master Free Edition, which has been pretty easy.  It is recommended that you make all your partitions Primary, however.  As apparently Windows will only look at the first Primary partition on a removable drive.  We can use another program called RMPrepUSB to switch the order of the active partitions (Ctrl-O) so we can manipulate each partition individually.  RMPrepUSB will do many of the other steps we need, too.  However, I found the other tools more intuitive.  Though I did not find another tool that would swap the order of the partitions, which we will need.

Once you have the thumb drive partitioned how you like, use XBoot to create the multi-boot partition.  When you add the ISO file to XBoot, select “ISO files which support Live-media-path kernel parameter”. 

Then add as many distros as you would like, in this manner.  Once you have all your distros added, you can select “Create USB”, a pop-up will appear to select the USB drive (make sure you get the right one!).  Syslinux bootloader is recommended for FAT32.  Select “OK”, then it will begin to create your bootable partition and add the distros you selected.  Be sure to test this out!  You can use the QEMU to test.

It’s not difficult to edit the menu, just grab a text editor and make adjustments to the right .cfg files.   For the image, I merely edited the default xboot.jpg image.  It’s a fun way to further customize your toolkit.   Add some extra information to assist you in choosing the right tool for the job.  For example, so far in my testing only Paladin and Raptor would boot on a MacMini here in the lab.  So I added information to save time and trouble later.

To add tools to the second partition, use RMPrepUSB tool (option Ctrl-O), to switch the partition that windows is showing you.

At this point, you have access to the non-boot partition, then just add whatever you would like.  There are many portable apps available.  I’d recommend, considering forensic use of this device, that you create a separate folder for any programs that require installation or just leave them out.

To keep the drive bootable and to always have access to the non-boot partition in Windows, make sure once you have finalized your customizations that you have the non-boot partition set as the first Primary partition.  That way Windows will always find it.  The computer will still see the boot partition when you’re booting from the thumbdrive, assuming you have the bios setup right.

• A 128GB USB3 Kangu SS3 Thumbdrive with a write protect switch, preloaded with our multiboot image

 1. How does the write blocking become effective between XP, Vista and 7? What steps between applying the registry key and the write protection coming into effect need to take place.

In Windows XP and later a user can add/modify the registry value “WriteProtect” found in HKLM\System\CurrentControlSet\Control\StorageDevicePolicies to enable write blocking for USB devices.

The StorageDevicePolicies key may not exist by default and must be added by an administrator. If the value is set to “00000001” then all newly connected USB drives will be write blocked.

In the test that I performed on Windows 7 the effect was immediate, however according to an article on Howtogeek.com (1), on Windows XP; a restart is required when the key is initially added.

1. http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/- Not that the reg files provided are mixed up and the “EnableUSBWrite” sets the key to 00000000.

2. What windows subsystem is enforcing the write protection?
Unsure.

The Plug-and-Play manager receives notification that a drive has been connected and then queries a number of keys in the SYSTEM hive. I imagine that it looks for the StorageDevicePolicies key if it exists and acts accordingly.

2. Windows Registry Forensics, Carvey, p 110.

3. What happens to USB devices already plugged in when the write protection?
If a USB device is currently connected when the registry key is changed it will remain writeable until it is removed and reconnected.

4. Can anything bypass the write protection offered by this registry key?
Yes, using a hex editor will bypass this kind of write protection (but not a physical write blocker).

3. http://lowcostwin4n6.blogspot.com.au/2011/06/testing-my-software-write-blocker.html

5. Does this registry key protect MTP USB Devices?
No.

I performed a quick test using my Nexus 5 and saw that it mounted as a portable device. I then successfully copied a file onto the device even though write protection was enabled.

6.  Why does this registry key not protect non USB Devices?

Unsure.

I imagine it has something to do with the way that Windows checked the registry key before it mounts USB drives but not before it mounts hard drives or portable devices.

It is possible to write protect hard disks using diskpart

http://pario.no/2011/05/23/clear-read-only-flag-on-disk-in-windows-7-using-diskpart/