
Daily Blog #402: Solution Saturday 6/23/18

Hello Reader,
             This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because, much like the other submissions that made it to the final round of consideration, he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil took it one step further: he not only tested the applications, he tested the behavior, such as saving different file types in IE or different modes of operation like InPrivate Browsing. Lastly, Phil added a bonus OSX artifact to boot.

Here was the challenge:
The Challenge:
Zone.Identifier alternate data streams have been around for a while; please answer the following questions.
1. What version of Windows introduced Zone.Identifier?
2. What data is contained within a Zone.Identifier?
3. What sets the Zone.Identifier?
4. What conditions cause them to be created?
5. What are the limitations of Zone.Identifier?

So here is this week's winning entry from Phil Moore.


1. What version of Windows introduced Zone.Identifier?
Windows XP SP2



2. What data is contained within a Zone.Identifier?
“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”
(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)

This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones




Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings:
 
In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.

Independently of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/).




Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.



Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.



What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.

3. What sets the Zone.Identifier?
As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.

“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85))

The domains that have been stored can be located here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.

Adding items to these keys can be done through Internet Options:
The Internet Options can be accessed through Windows Settings or Internet Explorer.


As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.

Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID.

4. What conditions cause them to be created?
“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)

Forensic Wiki indicates that ZoneID’s were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.

I performed a majority of my testing on Win10; there’s plenty more to do however.
Task                                                    | ZoneID?                          | ADS Contents
--------------------------------------------------------|----------------------------------|------------------------------------------------
Save picture (IE)                                       | No                               |
Save ZIP (IE)                                           | Yes                              | ZoneID
Save file (Chrome, Chrome-based browser)                | Yes                              | ZoneID, RefererURL, HostURL
Save file (Firefox)                                     | Yes                              | ZoneID
Save file (Edge)                                        | Yes                              | ZoneID, LastWriterPackageFamilyName (Application name)
File saved out of Outlook (o365 desktop)*               | Yes                              | ZoneID
File saved out of Mail “Trusted Microsoft Store” app*   | Yes                              | ZoneID
File saved out of Skype “Trusted Microsoft Store” app   | Yes                              | ZoneID
Skype (Classic) App                                     | Yes                              | ZoneID
Wget under Windows Subsystem for Linux                  | No                               |
Powershell                                              | No                               |
FTP.exe (inbuilt)                                       | No                               |
Tor Browser Bundle (Firefox)                            | Yes                              | ZoneID
Private Browsing (IE - Zip)                             | Yes                              | ZoneID
Private Browsing (Firefox - Zip)                        | Yes                              | ZoneID
Private Browsing (Chrome - Zip)                         | Yes                              | ZoneID, RefererURL, HostURL
Private Browsing (IE - Zip)                             | Untested - download kept failing |
Save a webpage to the desktop from a link (Chrome)      | Yes                              | ZoneID, RefererURL, HostURL
Save current page***                                    | No                               |
Telegram (Windows)                                      | No                               |
Sync with Mega                                          | No                               |
Sync with Dropbox                                       | No**                             |
Sync with OneDrive                                      | No                               |


* Apparently you can also drag and drop files from emails and these won't be given the ZoneID; however, this wasn’t tested.

** Dropbox does create ADS’s for the files, but not a ZoneID.

*** Indication of originating URL identified in the saved HTML code.

On Windows 7 I observed ZoneIDs from saving files out of webpages, however no additional data was located.
I did not have a Windows 8/8.1 system to test.

Internet Explorer doesn’t always create ZoneIDs, for example saving a picture did not create a ZoneID. All other browsers did however for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.

5. What are the limitations of Zone.Identifier?
“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)

Didier Stevens wrote a post about propagation of ZoneIDs from ISO containers.
For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).
(Reference: https://blog.didierstevens.com/2017/07/18/iso-files-with-zone-identifier/).


Addendum:

MacOS NTFS Drives
If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.


Program Execution:
On Win8, if a program is executed and SmartScreen is displayed, and the user bypasses SmartScreen to execute the application, then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4”, which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.

This is another execution artefact however.
(Reference: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/)

Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect the “Always ask before opening this file” then the ZoneID will be removed.

Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.


Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADS’s.
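The stream contents Phil catalogues above are plain INI text, so they can be parsed directly. The following is an added example written for this page, not code from Phil or from the blog: it parses a Zone.Identifier stream into the zone number and name, the referrer and host URLs (Chrome writes the key as ReferrerUrl), Edge's LastWriterPackageFamilyName and the AppZoneId SmartScreen marker, and reads the stream from a file on NTFS; the three sample streams are constructed.

```python
from urllib.parse import urlsplit

# URL security zone numbers as stored in the ZoneId value; the Zones registry
# key referenced above uses the same numbering.
URL_ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def _to_int(value):
    """ZoneId/AppZoneId are small decimal integers; anything else counts as absent."""
    return int(value) if value is not None and value.strip().isdigit() else None


def parse_zone_identifier(stream_text):
    """Parse the text of a Zone.Identifier stream (INI-style, one [ZoneTransfer] section).

    Returns the fields a triage script cares about plus the raw key/value pairs,
    so vendor-specific keys such as Edge's LastWriterPackageFamilyName are kept.
    """
    section = None
    fields = {}
    for raw_line in stream_text.lstrip("\ufeff").splitlines():
        line = raw_line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # URLs may contain '=' themselves
        fields[key.strip()] = value.strip()
    if section is None:
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")

    lower = {k.lower(): v for k, v in fields.items()}
    zone_id = _to_int(lower.get("zoneid"))
    host_url = lower.get("hosturl")
    # Chrome writes the key as ReferrerUrl; the table above spells it RefererURL,
    # so both spellings are accepted.
    referrer_url = lower.get("referrerurl") or lower.get("refererurl")
    return {
        "zone_id": zone_id,
        "zone_name": URL_ZONES.get(zone_id),
        # AppZoneId is the SmartScreen-bypass marker described in the addendum above.
        "app_zone_id": _to_int(lower.get("appzoneid")),
        "referrer_url": referrer_url,
        "host_url": host_url,
        "host": urlsplit(host_url).hostname if host_url else None,
        "last_writer": lower.get("lastwriterpackagefamilyname"),
        "raw": fields,
    }


def read_zone_identifier(path):
    """Read and parse the stream of a file on NTFS (Windows only); None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None


# Constructed sample streams matching the shapes reported in the table above.
CHROME_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/downloads/\r\n"
                 "HostUrl=https://cdn.example.com/files/tool.zip?id=42\r\n")
EDGE_SAMPLE = ("[ZoneTransfer]\r\n"
               "LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe\r\n"
               "ZoneId=3\r\n")
SMARTSCREEN_BYPASS_SAMPLE = "[ZoneTransfer]\r\nAppZoneId=4\r\n"

if __name__ == "__main__":
    for name, text in (("chrome", CHROME_SAMPLE), ("edge", EDGE_SAMPLE),
                       ("smartscreen", SMARTSCREEN_BYPASS_SAMPLE)):
        print(name, parse_zone_identifier(text))
```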

Daily Blog #403: Sunday Funday 6/24/18

Hello Reader,
             Thanks to your great submissions last week I had a really tough time picking a winner. In the end the community as a whole has benefited from your research. You will have five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it; you are allowed to update your submission if you find new information.

ExFAT has been on my mind lately. Let's talk about documentation, expectation and reality in this week's file system forensics challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 6/29/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge:
ExFAT is documented to have a timezone field that records which timezone a timestamp was populated with. However, most tools just see it as FAT and ignore it. For this challenge, document for each of the following operating systems how it populates ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierra
Ubuntu Linux 16.04
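For readers working the challenge, here is an added example (not part of the challenge or of any submission) that decodes the three timestamps of an exFAT File Directory Entry, showing both the naive FAT-style reading and the value normalised to UTC from the UtcOffset byte that most tools ignore; the directory entry bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Byte offsets inside the 32-byte exFAT File Directory Entry (EntryType 0x85):
#   8 CreateTimestamp      12 LastModifiedTimestamp      16 LastAccessedTimestamp  (u32 each)
#  20 Create10msIncrement  21 LastModified10msIncrement  (u8; there is no access increment)
#  22 CreateUtcOffset      23 LastModifiedUtcOffset      24 LastAccessedUtcOffset  (u8 each)
_TIME_FIELDS = struct.Struct("<IIIBBBBB")


def decode_dos_timestamp(ts, inc10ms=0):
    """Decode the FAT-style packed timestamp exactly as a FAT tool would: naive local time."""
    two_seconds = ts & 0x1F
    minute = (ts >> 5) & 0x3F
    hour = (ts >> 11) & 0x1F
    day = (ts >> 16) & 0x1F
    month = (ts >> 21) & 0x0F
    year = 1980 + ((ts >> 25) & 0x7F)
    base = datetime(year, month, day, hour, minute, two_seconds * 2)
    return base + timedelta(milliseconds=10 * inc10ms)  # 0..199, adds up to 1.99 s


def decode_utc_offset(raw):
    """UtcOffset byte: bit 7 = OffsetValid, bits 0-6 = signed 15-minute increments.

    Returns the offset in minutes, or None when the writer did not record one
    (the case the challenge is probing for per operating system).
    """
    if not raw & 0x80:
        return None
    off = raw & 0x7F
    if off & 0x40:  # sign-extend the 7-bit two's-complement value
        off -= 0x80
    return 15 * off


def _describe(ts, inc10ms, raw_offset):
    local = decode_dos_timestamp(ts, inc10ms)
    minutes = decode_utc_offset(raw_offset)
    if minutes is None:
        return {"local": local.isoformat(), "utc_offset_minutes": None, "utc": None}
    aware = local.replace(tzinfo=timezone(timedelta(minutes=minutes)))
    return {"local": local.isoformat(),
            "utc_offset_minutes": minutes,
            "utc": aware.astimezone(timezone.utc).isoformat()}


def parse_file_entry(entry):
    """Return created/modified/accessed, each with the FAT-style local reading and,
    when the UtcOffset byte is valid, the normalised UTC value."""
    if len(entry) != 32 or entry[0] != 0x85:
        raise ValueError("not a 32-byte exFAT File Directory Entry")
    c, m, a, c10, m10, c_off, m_off, a_off = _TIME_FIELDS.unpack_from(entry, 8)
    return {"created": _describe(c, c10, c_off),
            "modified": _describe(m, m10, m_off),
            "accessed": _describe(a, 0, a_off)}


# Constructed entry: created 2018-06-24 18:14:20 at UTC+10 (0xA8); modified
# 18:15:01.50 with a negative offset, UTC-5 (0xEC), to exercise sign extension;
# accessed 2018-06-25 09:30:00 with the OffsetValid bit clear (0x00).
SAMPLE_ENTRY = bytes.fromhex(
    "85 02 00 00 20 00 00 00"  # type, secondary count, checksum, attributes, reserved
    "CA 91 D8 4C"              # CreateTimestamp       (0x4CD891CA)
    "E0 91 D8 4C"              # LastModifiedTimestamp (0x4CD891E0)
    "C0 4B D9 4C"              # LastAccessedTimestamp (0x4CD94BC0)
    "00 96"                    # Create10ms = 0, LastModified10ms = 150 (1.5 s)
    "A8 EC 00"                 # UtcOffset bytes: +10:00, -05:00, not recorded
    "00 00 00 00 00 00 00"     # reserved
)

if __name__ == "__main__":
    for name, ts in parse_file_entry(SAMPLE_ENTRY).items():
        print(f"{name:8s} FAT-style local {ts['local']}  "
              f"offset {ts['utc_offset_minutes']}  UTC {ts['utc']}")
```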

Daily Blog #404: Exploring Extended Mapi Part 11

Hello Reader,
          In this post I want to follow up on an earlier post questioning what, Extended MAPI wise, was left behind in a forwarded message that would allow an examiner to know more about the message. Well, it's appropriate that this is Daily Blog 404 because within the Extended MAPI I did not find any of the original dates contained in a property.

I still need to decode the conversation index though and I'll be working on that tomorrow as well as putting all of the logic into python code to automate this process.

Daily Blog #405: Exploring Extended MAPI Part 12

Hello Reader,
           For today's post I want to share some testing I've been doing of Arman Gungor's research into Extended MAPI data. Arman has agreed to come on the Forensic Lunch next month and talk about his work, and in this post I'd like to focus on some research he's done on how some file system timestamps are preserved from the sender's system when a file is attached in Outlook.

First you can read Arman's post here:
https://www.meridiandiscovery.com/articles/email-attachment-timestamps-forensics-outlook/

I emailed myself one of the pictures from Saturday's solution post and then examined the Extended MAPI data of the attachment with Outlook spy to see if I could confirm what Arman found.

Here are the file system timestamps on my system for pic10.png:

Looking at the Extended MAPI for the attachment I found the following. For the creation time I have the creation time of the message rather than the file attachment. The time displayed is in UTC, and I'm currently in UTC+10.

Looking at the Modification time though we do find the correct file system time:

Which, plus 10 hours, is 6/24/18 at 6:14 PM.

This is fascinating to me as I thought all file system metadata was stripped away when a file was attached. I am going to do more testing with Outlook attachments and the dates applied to see how this changes my prior results.

Daily Blog #406: Exploring Extended MAPI Part 13

Hello Reader,
           In my prior post I was looking at the file system metadata stored based on Arman's blog post. In this post I wanted to see if something had changed with how Outlook was assigning creation times on saving a file. In the past I had found that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system, and in this post I am looking to see if that has changed.

I haven't tested a regular file before to see what dates get applied, and when I saved the attachment to my disk I was surprised to see the following:

The creation time was set to the time the message was received and matched the PR_CREATION_TIME I saw in the prior post. But the Modification time was reapplied from the data that was saved in the attachment's Extended MAPI property! Notice that the Access time is set to today even though access times have been disabled since Windows 10. This is because the access time is being set to the actual time of creation, and then the other two dates have been rolled back by Outlook.

This is very interesting to me and I plan on testing this with some more file types this week and next.





Daily Blog #407: Exploring Extended MAPI Part 14

Hello reader,
        In yesterday's post I showed how saving an attachment applied the modification date that was stored within the attachment's Extended MAPI properties. I was wondering how, from a filesystem perspective, you could tell the actual date the file was saved to the disk. As it turns out, the filename attribute metadata has the dates the attachment was actually saved to the disk, as seen below:


This is a PNG file. In the upcoming posts I'll be trying other file types to see if Outlook shows any different behaviors.

Daily Blog #408: Exploring Extended MAPI Part 15

Hello Reader,
            Another Friday where I'm not able to get a forensic test kitchen done due to my travel and teaching schedule but next week should be better!

Instead, let's continue our Outlook attachment testing. In the prior post I tested a PNG file; let's test a Microsoft Excel document now to see how a file with a metadata structure Outlook would understand affects our testing.

First, here is the metadata on the file on the disk:





Here are the Extended MAPI properties of the attachment when I sent the message a minute after creating the file:



As you can see the last modification time is being preserved again but the creation time is actually being set to the message creation time as seen in the delivery time below.


I then made sure it wasn't just a rounding issue by sending the same attachment the next day,


which shows that the creation time is being set to the date the message was sent and the modification time of the file is being preserved.


Saving the attachment back to the disk gives the following dates:



As we can see the creation time is being set to when the message was sent and the modification time is being reapplied. The Access date appears to be updated but really that's just the real creation time before Microsoft Outlook rolled back the date.

More to come as we test other formats!

Daily Blog #409: Solution Saturday 6/30/18

Hello Reader,
      Another contest has completed and changing the time frame of the contest seems to have benefited all of us. It benefits the people playing as they get more time to complete their answer, it benefits me as I get to ask more in depth questions and it benefits you the reader as you get even more information!

The Challenge:
ExFAT is documented to have a timezone field that records which timezone a timestamp was populated with. However, most tools just see it as FAT and ignore it. For this challenge, document for each of the following operating systems how it populates ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierra
Ubuntu Linux 16.04

This week's winning answer from Paul Bryant, Senior Lecturer at Wellington Institute of Technology (WelTec), can be downloaded here, as there is no way I can embed this into the post:
https://www.dropbox.com/s/h8omup03bxoblkp/exfat_os_dir_entries.pdf?dl=0

Enjoy and great work Paul!

Daily Blog #410: Sunday Funday 7/1/18

Hello Reader,
             Another great week of reading your submissions. I'm loving how the extra time is really letting people push the 'most complete answer' portion of the rules. Every week I'm hard pressed to decide who should win, but there is always one thing within the answer that pushes it over the top and makes it a winner. Last week it was not just testing the time zones set but how the dates themselves are set for accuracy on a per operating system basis. Let's see what happens this week!


I taught a great FOR500 class in Canberra this week and when I teach I always get a new question that needs an answer. So here is this week's bitlocker based Sunday Funday.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 6/29/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge:
A computer without a TPM, running Windows 10 with a BitLocker-encrypted drive, is being upgraded. When it reboots in the upgrade process it does not prompt for the BitLocker password, and it appears as though during the upgrade process the system is not protected. Your challenge is to determine what level of access an examiner has during the upgrade process on a Windows 10 system that is BitLocker encrypted during the reboot.

1. Can you access the contents of the disk?
2. Can you boot to alternative media while it boots?
3. Can you access the drive if you prevent the reboot process from completing?
4. What is the mechanism that Windows is using to do this?
5. Can you force an update without logging in or while it is locked?
6. Can you reboot for an upgrade without logging in?

Daily Blog #411: Exploring Extended MAPI Part 16

Hello Reader,
                 I decided to test a Microsoft Word attachment this time to see if the results would be any different. In the end the results were the same, but I need to do one more test tomorrow to see whether it makes any difference if the internal metadata differs from the file system metadata.

Here is the original file metadata:


This is the Extended MAPI properties of the attachment


Again the creation time is being set to when the message was sent. This is different from Arman's testing, so I'm trying to see what I'm doing differently. I'll know for sure when he comes on the Forensic Lunch this month.

Here is the resulting metadata of the saved file:

More testing to come!

Daily Blog #412: The importance of blogging... daily

Hello Reader,
          I'm up in the air on my way to Bangkok, Thailand at the moment. I was planning on doing some attachment testing by changing file system timestamps but leaving the internal metadata timestamps in place to see what happens. BTW Emirates Wifi is good enough for googling and blog posting. However I've also been reading, or trying to read, what other people have been writing as well and I thought I'd reference what I've been seeing.

If you've seen Brett Shavers' most recent post, he made the point that of all of the quick publishing methods available to the examiner/researcher/enthusiast, the blog is still the longest-lived form of documentation we could make. I agree with Brett on this as I regularly google blog posts, including my own, to find details of things I've seen in the past. I find that googling a blog is much more reliable than trying to find a tweet or a Slack message.

If you have been following my cohorts in the Zeltser challenge (knowledgebean and archerforensics) you would see that both are putting out content they think is relevant and helpful based on their own interests. Between the three of us we've covered iOS backups, getting into DFIR and my own journey into Extended MAPI (again). What I want to point out here is that each one of us is focusing on what we think is interesting; if you the reader agree, you'll follow... if you don't, it's OK, there are other blogs out there for you.

What's important to me, as the person who is finding time to write a blog post every day even when traveling around the world and losing days (it's a good thing I number these!), is that doing this pushes me to keep researching and publishing. While I appreciate everyone who reads this, in the end I do the blog and the work within it because it makes me stay curious about DFIR. Every time I find or validate an artifact or technique I'm pushing myself to stay current and relevant.

If you noticed, prior to daily blogging my posts were sparse and few and far between. In that time I didn't stop working on cases, far from it. Instead what happened was that I made it OK not to focus on anything that wasn't case work. Not forcing myself to look at new things means eventually I won't be prepared for the case that needs those answers, or to answer a question one of you or a student has. That is what pushes me: trying to know as much as possible and staying on the edge of what's possible.

That, I believe, is the real point of the Zeltser challenge, and it's why what really inspired me to do it in the first place was Lenny's comment when I first heard about it. After doing it for 16 months in a row (Lenny holds the record btw, maybe this time I'll go for two years) I mentioned he must feel some relief. Instead he looked at me and said 'Actually, I miss it'. At the time I didn't fully understand what he meant, but after doing my own year and then taking a multi-year break in between, I get it. Pushing yourself to research SOMETHING, write SOMETHING, think about SOMETHING every day makes you better no matter what that SOMETHING is.

So what I would say to my compatriots in the daily blog challenge is this: the point isn't writing a blog every day. The point is to never stop pushing yourself, because no matter who you are and how long or short you've been in DFIR, we all have more to learn and things are always changing. So if you missed a day, SO WHAT! No one is keeping score; instead we are all hoping you keep going so we can keep learning from each other. If you are thinking about doing it, just go for it. Even if you just write one or more posts and stop, you still did more than 99% of the people out there, and someday someone is going to be helped by what you wrote.

So reader, remember this. Just by reading this, we are friends. You share a common passion for finding the unknown in our field. Whether your interests lie in memory, malware, reverse engineering, mobile, Windows, OSX, Linux or even car forensics, we share a need to solve the unknown and answer the questions that need answering.

Want to know what you can do to help? Leave a comment, like a tweet, say hello in person to anyone you read. Everyone thinks that we must be overwhelmed with messages and don't want to be bothered but the truth is most of the time I'm just looking at a glowing screen writing to who I assume is reading this by view count hoping that it helps someone today or in the future.

Tomorrow, back to technical posts. But today I thought it was important to just reaffirm what others are saying. Write now. Write often. Never stop learning.

Daily Blog #413: Exploring Extended MAPI part 17

Hello Reader,
            With all the talk about the Office 365 API I thought it might be worth testing how actions taken through OWA (Outlook Web Access) in Office 365 modify my locally synced Outlook OST. This is important as there are many situations where the victim and the attacker are accessing the same mailbox in different forms, and knowing what to expect when you do your analysis is important.

So the first thing I did today was to mark an item unread in OWA and then I sync'd my Outlook folders and saw the message go unread. After which I pulled up the Extended MAPI data within Outlook Spy and well, it didn't go as I expected.

When I looked at the last modification I found this:

Which is showing that even though the message was marked unread and read again, the last modification time didn't change from the original time. In fact, going through all the dates I didn't find any updates made at all.

I think next I need to retrieve the message directly to test it again but tomorrow I'll be doing more Outlook testing.

Daily Blog #414: Exploring Extended MAPI part 18

Hello Reader,
         I'm in the BKK airport heading to Phuket today in my continued adventures. Got here nice and early, so now I'm at the gate writing a blog post! After my last post I'm very curious now about what other actions I take in OWA will affect my already downloaded Outlook mail. So to get a baseline I'm doing something that I think will for sure modify the message on both sides: I'm replying to the message.

In my initial testing, replying to a message in OWA for a message I sent through Outlook connected to the same account, I brought up the original message and inspected the Extended MAPI to find there was No Change!

Meaning that the message wasn't marked as replied to, and within Outlook it didn't recognize the conversation thread within the message. Something very interesting is happening.

I'm going to attempt to restart Outlook and see if I can get it to resync everything, but this certainly changes how I'm going to have to approach these investigations. I need to start pulling the data from Exchange directly to see if doing that will update the metadata.

Daily Blog #415: The Death of a Unicorn

Hello Reader,
      If you followed the original Crowdstrike post or the follow-on post from LMG Security calling the Activities API a 'unicorn' of sorts, then I'm sorry to say the technique now appears to no longer be functional. It's been a long time since I've seen the DFIR community be this obsessed with a single artifact, but either Microsoft is closing this for good or is going to replace this with maybe default mailbox audit logging in the future.

To be clear, this isn't the first or only evidence source that a company has retained as a secret. I'm not in the business of airing companies' internal choices, but I will point this out to put this in a larger context. DFIR is made up of two niche industries, Digital Forensics and Incident Response. There are differences between these two fields of work, and while they may rely on each other to function, those on the DF side need to document their new research in reports and disclose them to allow another party to verify and respond to their work. There are normally two or more experts from different companies working on every case.

Compare this to the very competitive Incident Response world where a company can get a substantial competitive advantage by finding a new evidence source. If one IR company can tell a client they can find evidence another can't they might win more business while if a DF expert tells a client they can find evidence no one else can it might not be admissible unless they can explain how to do it to the other side. There are many IR companies right now sitting on undisclosed evidence sources and threat intelligence sources. They will continue to do so until they are required not to.


The point? In this case the public disclosure of an evidence source has ended its use by all parties. Whether this was because
  • it wasn't supposed to be used for these purposes,
  • too many people began taxing the use of the API,
  • the powers that be at Microsoft were worried about people misinterpreting the results of the API, or
  • a large company simply did not enjoy being called unethical because people were using an API that was documented but had a use most within the company were not aware of,
we won't know unless they come out publicly and state it, which seems highly unlikely. What we do know is that they have responded in one way we can all see, and that is by turning off the source of all the controversy in the first place.

If I was arguing to disclose a secret evidence source within my company I'm pretty sure I just lost that argument to those who worry it would stop working after disclosure.

Daily Blog #416: Solution Saturday 7/7/18

Hello Reader,
            Looks like I went a little too far with this week's challenge; I'll make sure that next week's is more in line with the level of effort people are willing to spend in a week.

The Challenge:
A computer without a TPM, running Windows 10 with a BitLocker-encrypted drive, is being upgraded. When it reboots in the upgrade process it does not prompt for the BitLocker password, and it appears as though during the upgrade process the system is not protected. Your challenge is to determine what level of access an examiner has during the upgrade process on a Windows 10 system that is BitLocker encrypted during the reboot.

1. Can you access the contents of the disk?
2. Can you boot to alternative media while it boots?
3. Can you access the drive if you prevent the reboot process from completing?
4. What is the mechanism that Windows is using to do this?
5. Can you force an update without logging in or while it is locked?
6. Can you reboot for an upgrade without logging in?

The winning answer:
Phil Moore


Since Adam's going with "I dunno, probably" I figured I'd do the same:

A computer without a TPM, running Windows 10 with a BitLocker-encrypted drive, is being upgraded. When it reboots in the upgrade process it does not prompt for the BitLocker password, and it appears as though during the upgrade process the system is not protected. Your challenge is to determine what level of access an examiner has during the upgrade process on a Windows 10 system that is BitLocker encrypted during the reboot.

1. Can you access the contents of the disk?
Sounds like it's still in a decrypted state; probably even stores the key somewhere during the reboot process

2. Can you boot to alternative media while it boots? 
Maybe

3. Can you access the drive if you prevent the reboot process from completing?
I'm guessing it'll be re-encrypted once it loses power. 
Would probably be able to get the key out of memory

4. What is the mechanism that Windows is using to do this?
Not sure

5. Can you force an update without logging in or while it is locked?
Don't know, highly doubt it

6. Can you reboot for an upgrade without logging in?
Doubt it

But yes I think this challenge was a little bit more hands on than the previous.
Although you could do it in a VM I suppose
 

Daily Blog #417: Sunday Funday 7/8/18

Hello Reader,
          The Unicorn is dead, so it's time to move on with the resources that we have for an investigation. So let's see what you can do with this week's Office365 focused challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 7/13/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post



The Challenge:
Explain what you could review in a compromise of an Office365 account in the following circumstances.

Scenario a: only default logging in a E3 plan

Scenario b: Full mailbox auditing turned on

You are attempting in both scenarios to understand the scope of the attacker's access.

Daily Blog #418: Exploring Extended MAPI part 19

Hello Reader,
         Since my last test showed that the Extended MAPI data wasn't being updated in my local Outlook client when I modified a message in OWA, I've been testing ways to get this updated data.

First I tried to download my mailbox, but apparently I need to get a working EWS url first. So I'll try that again tomorrow.

Second I went into the compliance center and searched for and found my test message I've been experimenting with. In doing this I downloaded the original message in EML format (the only option given) and I still did not find the updated extended MAPI data as seen below:


Here the Last Modification time got set to when I downloaded the message from the Compliance Center, and the original submission time exists. But I have no Last Verb time or code showing this message was replied to.

Third, I emailed myself the message in OWA as an attachment by dragging and dropping the message into a new email; this actually attached the message as an MSG to the email message. Once I accessed this within Outlook on my local system I was able to see the expected data:



Here you can see that we finally have the expected Last Verb time showing when the message was replied to. The Last Modification has been updated to reflect when I sent the message to myself as an attachment.


So I now need to download the mailbox fresh and then look into my local Outlook account to see if this data has finally been updated.
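To make the comparison above concrete, here is an added example (my code, not the author's, and not part of any Microsoft tool) that reads the four properties discussed in this post, Client Submit Time, Last Modification Time, Last Verb Executed and Last Verb Execution Time, out of a message property stream and reports whether a reply was recorded. It assumes the fixed-length entry layout of the MSG top-level property stream as I understand it from MS-OXMSG (a 32-byte header followed by 16-byte entries: 4-byte tag, 4-byte flags, 8-byte value) and the documented verb codes from MS-OXOMSG; both sample streams are constructed inline to mirror the two exports described above, one without the verb data and one with it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Standard MAPI property tags: (property id << 16) | property type.
PT_LONG = 0x0003
PT_SYSTIME = 0x0040
PR_CLIENT_SUBMIT_TIME = (0x0039 << 16) | PT_SYSTIME
PR_LAST_MODIFICATION_TIME = (0x3008 << 16) | PT_SYSTIME
PR_LAST_VERB_EXECUTED = (0x1081 << 16) | PT_LONG
PR_LAST_VERB_EXECUTION_TIME = (0x1082 << 16) | PT_SYSTIME

# Verb codes documented for PidTagLastVerbExecuted in MS-OXOMSG.
LAST_VERB_CODES = {102: "ReplyToSender", 103: "ReplyToAll", 104: "Forward"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TOP_LEVEL_HEADER_LEN = 32  # assumption: top-level property stream header size per MS-OXMSG


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: the microsecond count exceeds float precision for modern dates.
    d = dt - FILETIME_EPOCH
    micros = (d.days * 86400 + d.seconds) * 10**6 + d.microseconds
    return micros * 10


def parse_fixed_properties(stream: bytes) -> dict:
    """Return {tag: raw 8-byte value} for each fixed-length entry after the header."""
    props = {}
    body = stream[TOP_LEVEL_HEADER_LEN:]
    for off in range(0, len(body) - len(body) % 16, 16):
        tag, _flags = struct.unpack_from("<II", body, off)
        props[tag] = body[off + 8:off + 16]
    return props


def summarize_message(stream: bytes) -> dict:
    """Extract the forensic timestamps and the last verb; flag whether a reply was recorded."""
    props = parse_fixed_properties(stream)
    out = {}
    for name, tag in (("client_submit_time", PR_CLIENT_SUBMIT_TIME),
                      ("last_modification_time", PR_LAST_MODIFICATION_TIME),
                      ("last_verb_execution_time", PR_LAST_VERB_EXECUTION_TIME)):
        raw = props.get(tag)
        out[name] = filetime_to_datetime(struct.unpack("<Q", raw)[0]) if raw else None
    raw = props.get(PR_LAST_VERB_EXECUTED)
    if raw:
        code = struct.unpack("<I", raw[:4])[0]
        out["last_verb"] = LAST_VERB_CODES.get(code, f"unknown({code})")
    else:
        out["last_verb"] = None
    out["reply_recorded"] = out["last_verb"] is not None and out["last_verb_execution_time"] is not None
    return out


def build_stream(entries) -> bytes:
    """Construct a top-level property stream from (tag, value) pairs (constructed test data)."""
    data = bytearray(TOP_LEVEL_HEADER_LEN)
    for tag, value in entries:
        ptype = tag & 0xFFFF
        if ptype == PT_SYSTIME:
            raw = struct.pack("<Q", datetime_to_filetime(value))
        elif ptype == PT_LONG:
            raw = struct.pack("<I", value) + b"\x00" * 4
        else:
            raise ValueError("only fixed-length PT_LONG/PT_SYSTIME entries are handled")
        data += struct.pack("<II", tag, 0x6) + raw  # flags 0x6: readable | writable
    return bytes(data)


# Constructed samples mirroring the two exports in the post (dates are made up).
SUBMIT = datetime(2018, 7, 1, 14, 0, tzinfo=timezone.utc)
REPLIED = datetime(2018, 7, 3, 16, 45, tzinfo=timezone.utc)
EXPORTED = datetime(2018, 7, 5, 9, 30, tzinfo=timezone.utc)

COMPLIANCE_EXPORT = build_stream([(PR_CLIENT_SUBMIT_TIME, SUBMIT),
                                  (PR_LAST_MODIFICATION_TIME, EXPORTED)])
FORWARDED_MSG = build_stream([(PR_CLIENT_SUBMIT_TIME, SUBMIT),
                              (PR_LAST_MODIFICATION_TIME, EXPORTED),
                              (PR_LAST_VERB_EXECUTED, 102),
                              (PR_LAST_VERB_EXECUTION_TIME, REPLIED)])

if __name__ == "__main__":
    for label, stream in (("compliance export", COMPLIANCE_EXPORT), ("forwarded MSG", FORWARDED_MSG)):
        print(label, summarize_message(stream))
```

Run stand-alone it prints one summary per sample; the first has `reply_recorded` False because neither verb property is present, the second reports `ReplyToSender` with the reply time, which is exactly the difference the two screenshots above illustrate.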

Daily Blog #419: Unofficial Defcon DFIR CTF 2018

Hello Reader,
            Matt and I are working on creating the evidence you will be examining for next month's Unofficial Defcon DFIR CTF! This post is here to let you know that:

1. We plan to do it again this year
2. We will be distributing the files electronically this year; no in-person transfer needed
3. Signups will happen through CTFd; I'll be posting the link closer to Defcon
4. If you or your company wants to supply a prize we are open to working with you on that. Last year we did it in partnership with SANS, who provided DFIR Netwars Continuous to the winners
5. This year's scenario is set to be much more involved than last year's, if everything we are planning works out
6. We are still planning on restricting this to people who are in Las Vegas for the event. Why? So we can get everyone who qualifies together at the end

We had a lot of fun last year and we look forward to meeting new talented examiners this year.

You can sign up here:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055

Matt and I will be doing a live stream during the event to provide some commentary on how it's going. This is something we wanted to do after the Magnet CTF and it should be fun.

Daily Blog #420: 2018 Unofficial Defcon CTF Update

Hello Reader,
           In the first 24 hours we've already had 39 signups for the CTF; last year we had 125, and I've expanded the initial amount to 200 to start with. I wanted to provide an update because we are going to cap this to keep it manageable, and I expect that we are going to hit our max again this year.

Why do I expect to hit the max? Well, if you consider there are over 10,000 people at Defcon, then 200 is only .02% of the total population. We think there are more DFIR and DFIR-interested people at Defcon than most of us realize, and our hope is to build that interest into a community there, bringing people into our world who may not realize we exist.

Make sure to sign up here:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055

Daily Blog #421: Magical DFIR Beasts and where to find them

Hello Reader,
                  Good news: the Unicorn may be dead, but it turns out all of the issues that it raised are causing a major change from the Office 365 team. You can read the official announcement here: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171 but here is the TLDR:

1. Mailbox auditing will now be turned on in full mode by default for all commercial tenants
2. If you already have mailbox auditing turned on it will continue to be on
3. They are going to add more audit flags to provide more granular access

This is great news, and it should be on by default across your potential investigations by the end of the year, but you could always just try to talk people into turning it on now!