<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6447283518071683105</id><updated>2011-12-15T15:11:40.808-05:00</updated><category term='WinFE'/><category term='CCE'/><category term='digital forensic science'/><category term='tpm'/><category term='digital walkthrough'/><category term='Honeynet'/><category term='Vista'/><category term='podcast'/><category term='tools'/><category term='causality'/><category term='PII'/><category term='criminology'/><category term='arch-nemesis'/><category term='apple'/><category term='registry'/><category term='VirtualBox'/><category term='Depth of Penetration'/><category term='malware'/><category term='methodology'/><category term='ontology'/><category term='bitlocker'/><category term='human dimension'/><category term='corroboration'/><category term='investigation'/><category term='mass casualty incident'/><category term='evidence'/><category term='procedures'/><category term='encryption'/><category term='applications'/><category term='devices'/><category term='tales from the field'/><category term='sector inspector'/><category term='NBAD'/><category term='Operations'/><category term='peer review'/><category term='live response'/><category term='Honeypot'/><category term='conficker'/><category term='triage'/><category term='Ethics'/><category term='regripper'/><category term='first responder'/><category term='criminalistics'/><category term='Reviews'/><category term='OODA'/><category term='Network forensics'/><category term='reflections'/><category term='Daubert'/><category term='personal'/><category term='playbook'/><category term='law enforcement'/><category term='teeny tap'/><category 
term='FTK'/><category term='impact analysis'/><category term='Teams'/><category term='games'/><category term='reasonable belief'/><category term='Lessons Learned'/><category term='responder pro'/><category term='Memory acquisition'/><category term='botnet'/><category term='APT'/><category term='crime scene'/><category term='certification'/><category term='google_tools'/><category term='mac'/><category term='impact'/><category term='Incident Response'/><category term='memory analysis'/><category term='antiforensics'/><category term='pen testing'/><category term='gateway malware theory'/><category term='modeling'/><category term='Uncategorized'/><category term='Training'/><category term='Routine Activity Theory'/><category term='F-Response'/><category term='Techno Security'/><title type='text'>Forensic Incident Response</title><subtitle type='html'>This blog was created to support some of the work I'm doing and to contribute to the forensic community.  I'll be blogging about the science of forensics, incident response, methodologies, relating real world investigations to digital ones and some other tidbits.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default?start-index=101&amp;max-results=100'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>181</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8358313359439728131</id><published>2011-04-14T23:27:00.003-04:00</published><updated>2011-04-14T23:38:15.041-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>On the sophistication of attacks</title><content type='html'>&lt;div&gt;If they appear unsophisticated, you will believe that they are not capable of more.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you believe that is all they are capable of, you will assume they are not dangerous.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you don't see them as dangerous, your arrogance will cause you to look down on them.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In your arrogance, you will underestimate them.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you underestimate them, then you have already lost.
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You have been losing for 20 years, and you didn't even know it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8358313359439728131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8358313359439728131&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8358313359439728131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8358313359439728131'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2011/04/on-sophistication-of-attacks.html' title='On the sophistication of attacks'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5199072637360995053</id><published>2010-12-28T01:58:00.003-05:00</published><updated>2010-12-28T12:53:29.113-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Uncategorized'/><title type='text'>Late night thoughts</title><content type='html'>&lt;div&gt;&lt;ul&gt;&lt;li&gt;We're in an OE we created and don't control.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Cyber is the new Urban and the adversary is the insurgent.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The adversary looks like the populace, sounds like them, lives in their midst, and hides his activities among the normal and legitimate activities of the populace.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Regular tactics don't work against irregular adversaries.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Know your doctrine, study the adversary's. &lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;If someone punches you in the face, you're in a fight. &lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;If you stand still you will continue getting punched in the face.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Espionage is a peacetime effort to us.  To them, it's used as an opening salvo to position the pieces to control the center.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;There is a lot of room for deception in the modern computing environment.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;A mix of unorthodox and orthodox strategies is the only way to succeed.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Know and understand the needs, capabilities, tactics, tools and methodologies of the adversary.  This is asymmetry.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Predictive capability can only come from studying history, yours and theirs.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The use of malware, viruses, worms and other destructive software is encouraged, and condoned.  
This is killing with a borrowed knife.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;If I were in a different country, I would be expected to use my computer as a weapon.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Siegfried Line was overrun through cunning and persistence.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Maginot Line was flanked.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;A hardened structure can only protect you from that which it is hardened against.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Siege warfare mentality no longer applies, yet it is practiced.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;A stationary target will always succumb to cunning and persistence, if it remains stationary.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Counteroffensives launched from stationary positions will hardly be effective.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;You must move as quickly as the adversary.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Your culture has shaped your entire life.  Study a different culture and adapt.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;When a country only wants to buy two of your products, it's so they can reverse-engineer and copy them.  Russia learned this the hard way.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Farewell Dossier event occurred nearly 30 years ago.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Master your own perception before manipulating the adversary's.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;If the adversary is hungry,
he can be easily manipulated.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Learn to build snowmobiles.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The world is non-linear. Think in conceptual spirals.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;True intelligence is the result of synthesis.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Once a target, always a target.  Once a target, always a victim. Once a victim, always a victim.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5199072637360995053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5199072637360995053&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5199072637360995053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5199072637360995053'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/12/late-night-thoughts.html' title='Late night thoughts'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7169044258236179874</id><published>2010-05-06T10:44:00.001-04:00</published><updated>2010-05-06T14:54:34.178-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>checkmate</title><content type='html'>After reading the &lt;a href="http://www.nybooks.com/articles/archives/2010/feb/11/the-chess-master-and-the-computer/?page=1"&gt;review&lt;/a&gt; by Kasparov of Chess Metaphors, I began thinking of a few completely unrelated subjects.&lt;br /&gt;&lt;br /&gt;On chess,&lt;br /&gt;&lt;br /&gt;In the great game of chess, outright domination is not the goal - unless you outclass your opponent so badly that they have no chance of winning. Winning at chess is a mental game. The game is won through feints, sacrifices, and outsmarting your opponent through the use of strategy and tactics depending on the state of the board. It requires an immense number of calculations per second to be able to assess not only the current situation, but the results of the move you are about to make, and your opponent's response. Not simply in the action-&gt;result mode of thinking, but in the symbiotic relationship that occurs when two grandmasters are locked in a titanic battle of the mind.&lt;br /&gt;&lt;br /&gt;Plays are not made, they are developed. This is a guiding principle. No chess move is made for the sake of making the move. A chess move is made to develop a play that may not occur unless 15 other moves take place. This development comes in the form of moving pieces to positions on the board where they will have a greater overall impact in the middle and endgame.&lt;br /&gt;&lt;br /&gt;Yet another guiding principle is that of controlling the center. Controlling the center refers to the squares in the center of the board. 
Controlling these squares, directly or through pieces with direct access to them from afar, can have a huge impact on the success of your game. Unsurprisingly, controlling the center influences your opponent's maneuvers, cramps the available space on the board, and may ultimately provide openings for attack if and when your opponent makes a mistake due to your positional influence.&lt;br /&gt;&lt;br /&gt;Paraphrased from the article: It used to be that becoming a chess expert would take years of study and practice. With the advent of computers and chess software, the game has changed in that young children are attaining a very high status in the field. What we now see in the game of chess is that the computer has leveled the playing field. In 2005, a "freestyle" tournament took place where competitors were allowed to use computers, and the winners were not grandmasters. They were amateurs using three computers at the same time. It was their skill in manipulating the computers that allowed them to win. He summarizes this nicely with the following: &lt;span style="font-style: italic;"&gt;"Weak human + machine + &lt;span style="font-weight: bold;"&gt;better process&lt;/span&gt; was superior to a strong computer alone and, more remarkably, superior to a strong human + machine + inferior process." &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Better process wins.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Kasparov also discusses his experiences in using computers when he battled Topalov in a heads-up competition.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"[..]With that taken care of for us, we could concentrate on strategic planning instead of spending so much time on calculations. 
&lt;span style="font-weight: bold;"&gt;Human creativity&lt;/span&gt; was even more paramount under these conditions.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;Kasparov's tactical advantages were nullified by the computer and its ability to perform more calculations. Here he suggests that the ability of humans to think on their feet, to adapt to unfolding situations, the ability to innovate is what allows the human-computer combination to prevail.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"[..]&lt;span style="font-weight: bold;"&gt;Correctly evaluating&lt;/span&gt; a small handful of moves is far more important in human chess, and human decision-making in general, than the systematically deeper and deeper search for better moves—the number of moves “seen ahead”—that computers rely on."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Again, here he suggests that our ability to make the correct decision when faced with evaluating a small set of moves is a vital component to our decision making processes. All in all, Kasparov's review of the book is quite possibly just as fascinating as the book itself.&lt;br /&gt;&lt;br /&gt;And now I leave Kasparov and the world of chess for a world of six legged pests known as ants.&lt;br /&gt;&lt;br /&gt;Where I reside, it's getting warm again. When it gets warm in the house, I open up my windows at night to allow cold air in and warm air out. Unfortunately, this permits bugs to enter my residence. Ants are a fascinating little creature. They are full of a complex set of communication and societal roles and responsibilities.  One day this past week I saw one of the forager ants making its way through my hallway.  As you might be aware, when foragers are out exploring, they mark a path for others to follow.  So as it was making its way through my house it was leaving invisible breadcrumbs for other foragers to follow.  
I quickly squashed the ant and went on my merry way, before it could continue to forage and perhaps find a food source.  How could I know if it had already found a food source?  How could I know if it wasn't already on its way back to the food source?  How could I know it wasn't leading a more serious infiltration?  Was it alone?  I couldn't answer these questions; I squished it without bothering.  I had work to do and no time to bother with ants.  Working my way through the house... I spotted another ant.  I squashed that one too, its carapace crunching beneath my shoe!  I was victorious, two ants detected and killed in a few minutes.  I was the defender of my home and I'd be damned if some ants were going to infiltrate my home!&lt;br /&gt;&lt;br /&gt;Of course, having some experience with ants, I knew full well that by the time I'd spotted those two, I had already been infiltrated.  Over the next few days I spotted and squashed several more of the foragers, knowing there would be more.  You see, ants are clever little creatures and the foragers may penetrate the house via different means and locations; they may work together or individually, but their goal is a common one.  Identify a food source, communicate it back to the colony, and begin exfiltrating in an effort to keep the colony healthy, strong and growing, and continue foraging.  Based on my experiences I had prepared for the inevitable infiltrators' success.  I had ant traps at my disposal and a plan to take care of them.  The thing to remember about ants is that they need to forage to find food sources worthy of taking back to the colony.  I, as owner of the residence, know where the food sources are, how the food moves throughout my house, how frequently the trash goes out, what windows were open, and, based on other experiences, what other ways the ants might be getting in.  
Of course there are ways into the house that I have not yet identified.  Ants are tiny little things and are very adept at crawling through the smallest of spaces!  My battle with them persists, though I've deployed bait, traps and other active defensive measures.  Here, take my poisoned food back to the colony, feed it to your queen and larvae.&lt;br /&gt;&lt;br /&gt;So what does all of this have to do with anything? I'm not talking about chess and ants.  I'm talking about the APT.&lt;br /&gt;&lt;br /&gt;As it relates to chess, the APT are much like an advanced player thinking several moves ahead.  Their process is well thought out.  They have developed tactics to not only attack but defend their positions once they've made a move, as part of a larger strategy to gain and keep access for extended periods of time.  They may use complex moves to attempt to outsmart the opposition, or they may use simple moves to lull us into a sense of overconfidence about the state of the board.  They have a definitive offensive advantage.  They can penetrate defenses pretty easily.  They may have studied our culture to learn our biases and use them against us. They may use this to convince you that you can't stop them, you can only hope to contain them.  They may be amateurs in some cases, but their ability to manipulate computers and follow a strong process creates situations where they can win just about every game they play.  Their tactics may not be all that different from those of an ant.  It can take an awful lot of effort to defend the home front against the infiltrators.  If, like me, you find yourself too busy trying to take care of business by defending against them, you will have already lost, and eventually you may not have a business to attend to.  Your product may no longer be yours.  Your food will be exfiltrated, and you will continue to suffer infiltrations all season long.  
A good plan and a strong process for defending what's yours are in order.  This is why things like IPB (Intelligence Preparation of the Battlefield) exist: to support decision making and allow your boss to apply appropriate resources to defend the enterprise at critical paths when and how he/she chooses.  Nobody should know your environment better than you.  If you don't know your own environment, stop and take the time to learn about it; otherwise your environment is not yours.  Learn what defenses and resources are available and how to apply each one ahead of time.  This is not something you want to learn about while under fire.  Given the situation at hand, decide which measures to apply.  Developing templates may or may not be the way to go.  They can aid you greatly by removing a lot of the judgment calls, and by identifying available resources so you don't have to think about it.  I know that in my current environment they have helped greatly, particularly around phishing attacks.  Defending against advanced intruders takes an advanced defense, effective manipulation of the systems under your control, and human creativity.  Remember, it takes People, Ideas, and Hardware.  The bad guys work in shifts around the clock to attack you. 
Are you working nearly as hard to defend?</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7169044258236179874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7169044258236179874&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7169044258236179874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7169044258236179874'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/05/checkmate.html' title='checkmate'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2329818418024294143</id><published>2010-03-18T08:57:00.042-04:00</published><updated>2010-03-20T08:35:28.276-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>The Tiger and the Ghost</title><content type='html'>Companies like Mandiant have placed themselves in the lead of the counter-APT fight in a lot of people's eyes.  I respect this, and they certainly have teams with great skill and experience.  They have done a great job of stirring up a lot of discussion, and have caused a lot of debate.  
An unfortunate side effect of this is that a lot of people have put on their firefighter hats, and are chasing ghosts.  No, not ghosts that pop out of closets and say "boo!".  I mean ghosts as in invisible warriors.  Unfortunately, this effect is precisely what is expected, and possibly even wanted, by our enemies.&lt;br /&gt;&lt;br /&gt;A quick word about Mandiant's claims about our adversaries' tactics.  They are spot on.&lt;br /&gt;&lt;br /&gt;Yes, this post is about the APT.  However, it is not about their specific tactical assaults.  I would submit that though this is important, the most important aspect of countering the APT is understanding him.  I've asked before if it really matters how new this threat is.  I still contend it does not.  Walking that path is wasted effort.  It's time to step up our game to understand the enemy.&lt;br /&gt;&lt;br /&gt;For several years there have been warnings and warning signs that this adversary was up to something.  Several allied countries were penetrated by the ghosts.  The U.S. was hit hard during this time as well.  While all of this is going on, officials are disavowing and claiming no knowledge of these attacks.  Meanwhile, the military general standing behind said official is trying hard to keep his lip from curling into a tiger's smile.&lt;br /&gt;&lt;br /&gt;Stratagem 1:&lt;br /&gt;Deceive the heaven to cross the sea.&lt;br /&gt;&lt;br /&gt;For years, we have invited the tiger in for dinner.  And why not? He knocked at the door and asked nicely.  Only he didn't outright kill us.  He learned about us, in the open, and with our invitation.  It was accomplished through foreign exchange studies, open trade agreements, imports &amp;amp; exports, business mergers, the legal system, and watching us fight in Kosovo, Iraq, and Afghanistan. They watched us unleash our strike packages, and watched others defend against them.  This was done until he felt he could learn no more.  
He took all he learned and used it for further study.&lt;br /&gt;&lt;br /&gt;Stratagem 3:&lt;br /&gt;Kill with a borrowed knife.&lt;br /&gt;&lt;br /&gt;Our enemy is no doubt using the works of others to strengthen himself while wearing us down.  If your army is not strong enough for attack, let the works of others weaken the enemy.  They let our industries get worn down by the daily barrage of malware infections, lesser intrusions, and perhaps some more skilled adversaries.  While all of this is going on, they conserve strength.&lt;br /&gt;&lt;br /&gt;Stratagem 4:&lt;br /&gt;Wait at ease for the enemy.&lt;br /&gt;&lt;br /&gt;Our networks are under constant barrages by lesser opponents, or skilled opponents using simple techniques and tactics to wear down defenses and tie down huge numbers of defenders.  Exhaust his will to fight before the real fight comes.  This enemy clearly practices this strategy.  These ghosts do not step up their game until they have to; they do not reveal the full breadth and depth of their plans until we match them.&lt;br /&gt;&lt;br /&gt;What does our enemy want?&lt;br /&gt;To establish the links between political, economic and military installations. To exploit ways to control &amp;amp; disable our ability to maintain C2 or C4I. To identify key systems and perform what Mr. Tim Thomas calls "acupuncture warfare" with precision strikes.  The adversary is aiming to close market gaps and gain the information advantage.  This allows him to control and predict our responses and behaviors.  Based on the study of "three-three", this adversary focuses on obtaining, transmitting, handling, and protecting information.  He defends himself while controlling our actions, or attempting to control our actions, with the incursions we are seeing.  
He seeks to level the playing field through the use of information.&lt;br /&gt;&lt;br /&gt;Too much reliance on technology to do the work has led us to a situation where many don't know how to begin fighting this adversary.  He has been honing his skills in this space for nearly two decades.  If you don't know yourself, you will lose.  That is, what are your key systems, what relationships do you have with other organizations, and who maintains these relationships?  What are your true capabilities?  Do they match your requirements?  These are just some of the questions that need to be answered.&lt;br /&gt;&lt;br /&gt;This has nothing to do with what technology you can buy.  This has everything to do with how you think, how your boss thinks, how their boss thinks and so on, and how your enemy thinks. If you're just joining, welcome to the fight.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2329818418024294143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2329818418024294143&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2329818418024294143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2329818418024294143'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/03/tiger-and-ghost.html' title='The Tiger and the Ghost'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-446138721332955913</id><published>2010-03-04T19:28:00.002-05:00</published><updated>2010-03-04T19:29:28.829-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='live response'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='responder pro'/><title type='text'>Triage of Agent.BTZ</title><content type='html'>&lt;div&gt;I'm a huge proponent of triage incident response. So much so that I developed procedures based on the idea that gathering a little information from key data points early can lead to an accurate assessment of the situation without having to conduct laborious processes such as creating a full disk image all the time. Triage saves time and effort. The purpose of triage is not to conduct a full analysis.  The purpose is to 1) sort and prioritize and 2) gather enough information to decide whether or not to continue an investigation.  It also maximizes the effectiveness of analysts, systems, and tools. Tools like F-Response make triage possible. Tools like Responder Pro from HBGary make triage possible. Speaking of Responder Pro...&lt;br /&gt;&lt;br /&gt;I recently upgraded my copy of Responder 1.5 to Responder 2. I've got some great things to say about this product, but I'll save that for another post. I ran an analysis some time ago in 1.5 against a dangerous little piece of malware that got quite a bit of press in 2008. The malware in question is Trojan.Agent.BTZ. This little gem is what ransacked the military and the Pentagon. 
Vendors like to call it Autorun malware, as that's really how it works, but it's of course more than what a vendor will tell you.&lt;br /&gt;&lt;br /&gt;Generally speaking, I was looking for a piece of malware that infects removable media, phones home, gives remote control and downloads other malware. I arrived on scene a short while after the alert and, after talking to the admin, decided to plug in my USB key, knowing full well what would probably happen to it. USB key defenses aside, I ran FastDump Pro and grabbed an .hpak memory dump.&lt;br /&gt;&lt;br /&gt;So now I had a memory dump, and I grabbed a disk image from the computer. In this case I decided to take the drive because I would use this later in a lab scenario for training. Triage requirements aside, this was a good case to capture for later use.&lt;br /&gt;&lt;br /&gt;Let's analyze it quickly with 2.0 eh?&lt;br /&gt;&lt;br /&gt;*note: I've already done this in 1.5; I'm just re-doing it in 2.0, and in the middle of this I experienced a licensing hiccup*&lt;br /&gt;&lt;br /&gt;My standard technique for beginning memory analysis in Responder is as follows:&lt;br /&gt;1) Evaluate the DDNA listing.&lt;br /&gt;&lt;br /&gt;DDNA, while not perfect, can be used to quickly hone in on oddities and badness. It helps identify WHAT is on the box, WHAT it might be, and HOW it might be working. Add a cross reference listing to the modules running on the box for more detailed information. DDNA is a boon to any analyst looking to conduct rapid analysis.&lt;br /&gt;&lt;br /&gt;Here's what the DDNA output looked like for BTZ. Focusing on the left hand side, we don't see a whole lot that sticks out. 
A sea of Orange really...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/S3bpPGH5VtI/AAAAAAAAAUs/V-RDK34YLDo/s1600-h/responder2_btz_project_DDNA.png"&gt;&lt;img style="text-align: center; margin: 0px auto 10px; width: 400px; display: block; height: 308px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5437790045647492818" alt="" src="http://2.bp.blogspot.com/_sisOS0kCuPo/S3bpPGH5VtI/AAAAAAAAAUs/V-RDK34YLDo/s400/responder2_btz_project_DDNA.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;2) Evaluate Network connections. This helps me answer two questions. WHAT is talking, and to WHOM?  I tend to go for Network connections before Processes as network connections often identify the process I need to investigate.  For all intents and purposes, 2 and 3 are interchangeable.&lt;br /&gt;&lt;br /&gt;3) Evaluate Process lists.&lt;br /&gt;Typically I evaluate processes in a number of ways. I'll look for processes that don't belong, those with odd names, those that are 'hidden', all svchost processes since they are a huge target for process and DLL injection attacks, those processes that are "red flags" such as ones executing from the wrong directory or with incorrect paths, and processes that don't normally exist.&lt;br /&gt;&lt;br /&gt;4) Open file handles and Registry keys.&lt;br /&gt;This should be fairly obvious as to the why.  It allows me to find out what process has what file handles and reg keys open.&lt;br /&gt;&lt;br /&gt;5) Use a DNS blacklist or keyword list. There are great blacklists out there, plus I have a few extras. This immediately helps with data reduction in some cases. It can also assist in zeroing in on the malware.  
This is great for casting a drag net on a network to look for other infections.&lt;br /&gt;&lt;br /&gt;6) Other poking - looking for clues that might tip me off to the true nature of the infection or compromise.&lt;br /&gt;&lt;br /&gt;This usually does the trick for the overwhelming majority of malware cases I look at. Granted there are more difficult ones, but with malware being as templated as it is..this tends to work.&lt;br /&gt;So now let's work through this for real...&lt;br /&gt;&lt;br /&gt;DDNA in this case didn't appear to be helpful, or was it? Looking at the listing, there's a wide variety of suspicious looking processes and modules. That's not really that helpful by all appearances. Let's add a little intelligence to this analysis by pulling up the module listing next to the DDNA listing for processes. This is what that looks like:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/S3byi18WdCI/AAAAAAAAAU0/-Qn0mZ3iUwk/s1600-h/responder2_btz_project_DDNA_with_modules.png"&gt;&lt;img style="text-align: center; margin: 0px auto 10px; width: 400px; display: block; height: 308px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5437800280506135586" alt="" src="http://2.bp.blogspot.com/_sisOS0kCuPo/S3byi18WdCI/AAAAAAAAAU0/-Qn0mZ3iUwk/s400/responder2_btz_project_DDNA_with_modules.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So, now we have even more orange...GREAT you might be thinking sarcastically..but what do we see if we look closely? Like a simple equation, we can now rule out the common processes and modules that we have a possible explanation for, and I've highlighted something that looks REALLY suspicious..a process loading a module out of the user's profile. As I said, DDNA is not perfect, but what it does is raise the interesting stuff to the top by severity and color coding. 
This is automated analysis, and while it has limits, when we add human intelligence to the analysis process we get an immediate bead on the target.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/S3bzjUSl-sI/AAAAAAAAAU8/SO3kv01xfgs/s1600-h/responder2_btz_project_DDNA_with_modules_highlighted.png"&gt;&lt;img style="text-align: center; margin: 0px auto 10px; width: 400px; display: block; height: 308px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5437801388164119234" alt="" src="http://3.bp.blogspot.com/_sisOS0kCuPo/S3bzjUSl-sI/AAAAAAAAAU8/SO3kv01xfgs/s400/responder2_btz_project_DDNA_with_modules_highlighted.png" border="0" /&gt;&lt;/a&gt;So what are the key indicators?&lt;br /&gt;&lt;br /&gt;* The .dll&lt;br /&gt;* rundll32.exe is calling a .dll out of the user profile&lt;br /&gt;* The file path for the .dll.&lt;br /&gt;&lt;br /&gt;Yeah that's pretty odd isn't it? What traits does it have?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/S3b0uzIJkaI/AAAAAAAAAVE/TMsvJNyBw3k/s1600-h/responder2_btz_project_DDNA_rtn_traits.png"&gt;&lt;img style="text-align: center; margin: 0px auto 10px; width: 400px; display: block; height: 308px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5437802684932002210" alt="" src="http://1.bp.blogspot.com/_sisOS0kCuPo/S3b0uzIJkaI/AAAAAAAAAVE/TMsvJNyBw3k/s400/responder2_btz_project_DDNA_rtn_traits.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Nothing sticks out a whole lot, but there are some good clues in there.&lt;br /&gt;&lt;br /&gt;So now I've found something odd and definitely worth looking into a bit further. This happens to be the jackpot, but let's keep evaluating.&lt;br /&gt;&lt;br /&gt;How about the DNS blacklist for connections to known bad domains?&lt;br /&gt;&lt;br /&gt;The list of hits was far too many to show here. 
The matches numbered upwards of 336 bad domains. That's too many domains to be helpful but it's definitely a sign that the computer was talking to a lot of known bad actors.&lt;br /&gt;&lt;br /&gt;And Network Connections?&lt;br /&gt;&lt;br /&gt;The network cable in this incident was unplugged when I arrived. No joy for active connections.&lt;br /&gt;&lt;br /&gt;And the process listing?&lt;br /&gt;&lt;br /&gt;There's one above the rest that sticks out:&lt;br /&gt;C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\ctuser\Application Data\HELP\system32\rtn.dll"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;That just about settles it for me. rtn.dll does not belong. Let's go ahead and process it. I always start by right clicking and taking a look at the strings. This allows me to drill right in to what I am interested in.&lt;br /&gt;&lt;br /&gt;Immediate strings of interest:&lt;br /&gt;C:\DOCUME~1\ctuser\LOCALS~1\Temp&lt;br /&gt;C:\DOCUME~1\ctuser\LOCALS~1\Temp&lt;br /&gt;C:\DOCUME~1\ctuser\LOCALS~1\Temp\&lt;br /&gt;C:\DOCUME~1\ctuser\LOCALS~1\Temp\~DFD.tmp&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\Help&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\Help&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\\system32\&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\\system32\mswmpdat.tlb&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\\system32\wmcache.nld&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\system32&lt;br /&gt;C:\Documents and Settings\ctuser\Application Data\HELP\system32\rtn.dll&lt;br /&gt;&lt;br /&gt;Yep, this tells us a little about the files the malware is using. Point of interest here is that the malware created a directory structure for the user the malware was run under, and one of the few directories it could write to was in the profile as the user had no elevated privileges. 
Many people still think that restricting Administrator rights is a means of stopping the execution of modern malware. Those people couldn't be more wrong, but I digress...&lt;br /&gt;&lt;br /&gt;Right now we don't know specifically what the files are, but we will soon...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How about this?&lt;br /&gt;1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;My that's odd isn't it? And it's referenced in three different memory locations. So just what is that string? The following code should give you a big hint.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/S3dm0443kII/AAAAAAAAAVM/xdonNR72LWg/s1600-h/xor_with_key.png"&gt;&lt;img style="text-align: center; margin: 0px auto 10px; width: 400px; display: block; height: 235px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5437928133883302018" alt="" src="http://4.bp.blogspot.com/_sisOS0kCuPo/S3dm0443kII/AAAAAAAAAVM/xdonNR72LWg/s400/xor_with_key.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;If you can't tell, that's an XOR key and function. We can use that bit of information later when we want to do deeper analysis. As we learn from later analysis, this XOR key is used to encode data written to log files by the malware.&lt;br /&gt;&lt;br /&gt;When I did this analysis for real I completed the analysis and decoded the log files kept by the malware, and conducted a more thorough disk based analysis.  The purpose of this posting is to illustrate a quick analysis method that pays off with the extraction of the XOR key used to encode the log files created by the malware.  In all, doing it this way takes about 15 minutes to get actionable intelligence.  Think about it.  In just a few minutes we've gathered:&lt;br /&gt;&lt;br /&gt;* Filenames on a filesystem.  
Pass that information off to your Windows admins, and they can search desktops for the files.&lt;br /&gt;* The XOR key to decrypt any discovered log files&lt;br /&gt;* There's more to be seen in the memory dump that allows us to create a snort signature if need be (of course one already exists at present).&lt;br /&gt;* The malware does not require administrative privileges to execute or maintain persistence.&lt;br /&gt;&lt;br /&gt;I realize this post is a bit incomplete..hopefully I'll get back to a continuation piece.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-446138721332955913?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/446138721332955913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=446138721332955913&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/446138721332955913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/446138721332955913'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/03/triage-of-agentbtz.html' title='Triage of Agent.BTZ'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/S3bpPGH5VtI/AAAAAAAAAUs/V-RDK34YLDo/s72-c/responder2_btz_project_DDNA.png' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2196223219389868275</id><published>2010-02-24T10:06:00.005-05:00</published><updated>2010-02-24T10:48:11.488-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='F-Response'/><category scheme='http://www.blogger.com/atom/ns#' term='live response'/><title type='text'>TACTICAL trial by fire</title><content type='html'>Last week, I received a phone call to perform a sensitive acquisition for Law Enforcement.  A tragedy really, but out of it arises a short story of success with modern forensics tools.&lt;br /&gt;&lt;br /&gt;When I arrived on scene I was briefed and went to search for the requisite equipment to perform the acquisition.  As it turned out, the entire stock of wiped drives was gone.  A 500GB drive was located, but it needed to be wiped.  Wiping a 500GB drive takes up to a few hours, so that was no good.  I did have some clean space on an acquisition RAID device though.  Given the sensitivities of the operation I had to do this quickly, efficiently, and right the first time.  The margin for error was slim as there was information on the desktop that couldn't be lost.&lt;br /&gt;&lt;br /&gt;I went for the Ace up the sleeve.  I had up to this point only used it in testing, but I went for a tool I knew I could trust.  The tool was none other than &lt;a href="http://www.f-response.com/index.php?option=com_content&amp;amp;view=article&amp;amp;id=199:f-response-tactical&amp;amp;catid=36:software"&gt;F-response TACTICAL&lt;/a&gt;.  Yeah that's right, I went for live imaging in a Law Enforcement case.  There are still plenty of those doubters and naysayers out there, so let me be clear.  The time to adapt has passed; the need to preserve evidence when lives are at stake is paramount.  It's time you adopt modern techniques.  There is no such thing as forensic purity in any forensic discipline when you've got volatile evidence.  
That's a myth created by those that have never worked in the field. &lt;br /&gt;&lt;br /&gt;Photos taken, and requisite documentation completed, I plugged the victim system into a local switch I had for this purpose. I then proceeded to insert the subject dongle into the subject computer. I quickly popped the examiner dongle into my station attached to the acquisition RAID.  Configuration, always quick, included physical memory.  Then I simply clicked on "auto connect" on the examiner console.  Just like that, the disk and memory objects I needed were exposed.  Firing up FTK imager, I made the acquisitions I needed.  The case proceeded as many do, with hurried phone calls and stress like no normal incident can create.  The evidence was secured for examination and the subject laptop was turned over. &lt;br /&gt;&lt;br /&gt;I'm an Incident Responder, and a Forensic Examiner.  I need tools I can rely on, tools that work in the clutch, tools that don't break the bank, tools to use when life and limb are at stake.  For me, that's &lt;a href="http://www.f-response.com"&gt;F-response&lt;/a&gt;.  A very big thanks to Matt Shannon and the folks at F-response.  
I'm not sure how the field got along without you and you've made technology available that makes a real difference.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2196223219389868275?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2196223219389868275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2196223219389868275&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2196223219389868275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2196223219389868275'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/02/tactical-trial-by-fire.html' title='TACTICAL trial by fire'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2012834020325973329</id><published>2010-02-06T12:46:00.003-05:00</published><updated>2010-02-06T13:53:50.361-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>We just don't get it</title><content type='html'>Given all the talk about APT lately I'm still shocked.  Shocked that there are those out there on the 'good guy' side that can do nothing but criticize.  
One recent discussion that's been heavily debated is one of how "new" Advanced Persistent Threats are.  My question to everyone out there:&lt;br /&gt;&lt;br /&gt;"Does it really matter?"&lt;br /&gt;&lt;br /&gt;Every day these enemy combatants are lifting data.  Lifting data from organizations they're not supposed to be lifting data from.  These data are then being used against us to gain political, economic and military advantages.  I've watched the data pass through systems for months and it turns my stomach to think that it's being done with such ease.  Especially considering where the data is from.  That these attacks occur is nothing new.  That these attacks are taking place on such a broad scope is entirely new.  That the enemy elements are moving against so many targets at the same time and in such different industries is alarming. &lt;br /&gt;&lt;br /&gt;For years I've investigated cybercrime and done malware analysis and intrusion investigations.  I can say with relative ease that while the tactics used in these attacks are not necessarily new, there is a certain 'newness' to this type of enemy.  The majority of cybercrime that occurs today is automated.  Malware has reached a point of templatization such that these toolkits are sold so others can perpetrate more crimes.  While certain high profile attacks are definitely not automated and require a crew of clever individuals, many cybercrime incidents are automated. &lt;br /&gt;&lt;br /&gt;These attacks are not very automated.  Like a skilled tradesman, they reduce overhead by automating simple things.  When the enemy gains access to your networks, reads your email, browses the internet on your computer, pretends to be you to garner more information from your colleagues, ignores your bank statements but takes schematics, ignores your customer credit card database, but steals your organization's futures documents and pilfers from your R&amp;amp;D group, there's a difference.  
When the same group penetrates military systems and networks there's a difference.  The difference is due to the global scale, the difference is in our ability to remain a competitive nation.  The difference is in our military's ability to remain effective.  The difference is that this is not just about money. &lt;br /&gt;&lt;br /&gt;Regarding their malware:&lt;br /&gt;Is it any wonder that the malware used by this enemy shares a common trait with other malware?  There are a finite number of methods to accomplish a goal in a given programming language.  Is there a reason not to re-use code if it works?  Is it any wonder we can look at multiple samples of malware and draw comparisons?  Give a fool a katana and he'll cut off his nose.  Give a Samurai a katana and he'll cut you in half before you can blink your eyes.  Malware is a tool of the enemy, not the enemy himself.  The right malware in the hands of a skilled opponent is a force multiplier for a real threat, while malware in the hands of a lesser opponent is a nuisance.  This enemy is more than their malware. &lt;br /&gt;&lt;br /&gt;There is no data breach notification when this enemy penetrates a network and steals data.  The notification comes when we have another financial crisis and a foreign government is bailing us out.  The notification comes when we have another gas shortage like in the '70s.  The notification comes when power grids fail.  The notification comes when more of our commerce is outsourced and jobs are lost.  The notification comes when our companies are being bought by foreign companies because they can no longer compete.  The notification comes when our military cannot protect our interests.  This problem is bigger than the security industry.  This problem is bigger than IT.  The security and IT industries are impotent in this situation.  This problem will take governments to solve. &lt;br /&gt;&lt;br /&gt;The people that call it hype have not seen this enemy work.  
They have not seen the contents of the stolen files.  The businesses that have recently started doing "Anti-APT audits" are missing the point and trying to capitalize on the situation to further their own business. &lt;br /&gt;&lt;br /&gt;What should matter is how successful they have been.  What should matter is defending ourselves.  What should matter is how and where we share this information. What should matter is taking this information to those with the ability to do something about it.  What should matter is taking the fight to the enemy.  &lt;br /&gt;&lt;br /&gt;So I ask again, does it matter if this threat is new?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2012834020325973329?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2012834020325973329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2012834020325973329&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2012834020325973329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2012834020325973329'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/02/we-just-dont-get-it.html' title='We just don&apos;t get it'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8470479453593753746</id><published>2010-02-04T14:12:00.002-05:00</published><updated>2010-02-05T07:56:41.326-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>The APT is on your webserver</title><content type='html'>&lt;div&gt;One of the key ways APT gets in to your network is through human exploitation. Duh. We are the weakest link and in my experience it's usually those with some form of fiscal responsibility (re: business offices) that are the weakest. The APT also uses remote exploitation as a weapon. If there's a vulnerable system out there, they find it, exploit it and set up shop. This is done quickly, and often before public exploits are available and before the related vulnerability is being widely scanned for.&lt;br /&gt;&lt;br /&gt;However, they, at least in my experience, are limited. They seem to limit themselves to Windows systems.  I've not yet seen (not that it hasn't happened, but I've not seen it) a Unix system compromised by the APT.  If you have, chime in at any time.  So far, they've all been Windows systems. This is understandable and predictable.  One place I've seen the APT establish a presence is on a web server. Yes, the APT is on your web server. 
In my experience this has been for C2.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;Common traits of an APT web server compromise that I've seen:&lt;br /&gt;&lt;br /&gt;System traits:&lt;br /&gt;Windows Server 2003&lt;br /&gt;IIS 6&lt;br /&gt;&lt;br /&gt;Management traits:&lt;br /&gt;Often poorly managed - the system may be a development system, or one that is in the process of being decommissioned.&lt;br /&gt;Administrator is the most commonly used account for management.&lt;br /&gt;Security logging and auditing are weak, and logs are not offloaded or rolled over periodically.&lt;br /&gt;RDP is available&lt;br /&gt;&lt;br /&gt;Compromise traits:&lt;br /&gt;They modify forward DNS lookups for their domains to point to your system.&lt;br /&gt;They don't really attempt to hide their presence.&lt;br /&gt;They create files and host them on your webserver.&lt;br /&gt;Excessive use of the Administrator account, often during non-business hours.&lt;br /&gt;Server may begin proxying traffic to/from China.&lt;br /&gt;A pattern change of many-to-one relationships, meaning your server will begin seeing requests from many hosts that it normally never receives traffic from, and requests are for files and pages that didn't exist prior to the incident.  This is often a behavioral pattern anomaly.&lt;br /&gt;&lt;br /&gt;Anomalies:&lt;br /&gt;Logs on the server will likely indicate the presence of new files in the form of excessive requests to which your server will likely respond with a 404. That is of course, until your server goes active and DNS propagation occurs.&lt;br /&gt;&lt;br /&gt;Your webserver may begin to initiate outbound connections to remote systems that it is not cleared to communicate with and may begin acting as a proxy.&lt;br /&gt;&lt;br /&gt;The administrator account is being used to browse the web from the web server. 
This should be a no-no in any environment and is therefore an anomalous event.&lt;br /&gt;&lt;br /&gt;Your webserver may resolve to a domain that is not yours.&lt;br /&gt;&lt;br /&gt;As mentioned above, you'll note a behavioral change in who is talking to your server and for what.&lt;br /&gt;&lt;br /&gt;Detection:&lt;/div&gt;*note these are not "special techniques".  This is standard tradecraft.*&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;Cull your logs for:&lt;div&gt;Many hits from different IPs to the same page returning a 404.  This is not uncommon on today's webservers, but if you exclude commonly searched for vulnerabilities you can easily do data reduction.  This can easily be done with Logparser.  A good but old article is &lt;a href="http://www.securityfocus.com/infocus/1712"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Administrator logins to your webserver from IP addresses that have no business connecting to your server.  &lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;Administrative RDP sessions from external sources.  Again a no-no..but if you've got it open, they'll use it.&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;Inventory your webservers and do DNS lookups (forward and reverse) on them using external DNS servers.  
If they're resolving odd domains then you've got something to look for.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8470479453593753746?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8470479453593753746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8470479453593753746&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8470479453593753746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8470479453593753746'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/02/apt-is-on-your-webserver.html' title='The APT is on your webserver'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8469381846007647074</id><published>2010-02-03T13:46:00.000-05:00</published><updated>2010-02-03T13:46:41.791-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>M-trends reaction</title><content type='html'>&lt;div&gt;**FTC disclaimer (re: middle finger) I'm not affiliated with Mandiant.  I know folks at Mandiant only by name recognition and perhaps a few blog comment exchanges, or mailing list/forums posts. I, like you, have read the M-trends report. 
I do not have access to anything other than M-trends, a few M-unition blog posts from Mandiant and random interweb babble on the subject. I would love to have a discussion with the folks over at Mandiant but I do not see that happening any time soon.&lt;br /&gt;FTC disclaimer**&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now that the obligatory disclaimer is out of the way..When reports like this come out it's interesting what happens. The reactions range all over the map. We, the good guys, are too busy sizing each other up, calling each other ignorant, pretending to know what we don't and holding on too tight to really discuss the issues.  What I find most interesting is how apparently everyone is an APT expert all of a sudden, with 15 years of experience battling them, and yet for all of this experience and worldly knowledge, none of it has been shared beyond the contents of this report.  Sure, it's discussed privately, in secrecy and behind closed doors, but there is an entire industry that plays a part in this, and I'd estimate that perhaps 10% of it knows what's going on.&lt;br /&gt;&lt;br /&gt;I looked at the M-trends report and thought wow, this is a good explanation of what happens and how. This is good information for folks up the ladder to have. This report is what security folks have been talking about for years, what we're all actually so paranoid about.  Mandiant does a great job of presenting the scope of the issue and provides a good explanation. However, there is little to no information at the tactical level and no information related to actually countering the APT in an organization. I understand this..it's a report and they don't want the Chinese (oh don't act so surprised) to know just how 'on to them' the good guys really are. Mandiant also wants to continue to make money doing consulting work and selling premium services such as "counter-APT" investigations and whatnot. I understand this and do not begrudge them.  
They apparently do a great job and I'm sure their services are well worth it.&lt;br /&gt;&lt;br /&gt;When vague reports like this get released, very few people attempt to validate the findings. Even fewer have the data to do so.  As it so happens I've got a bit of data that's APT related.  Well, maybe more than a bit, and in short order I will be sharing some of my own findings.  Counter-APT operations are not simply after the fact.  The reason they seem to be solely after the fact is due to the cost of defending an enterprise, the lack of awareness and poor governance in organizations.  I do not want to make an APT "splash".  I do want to unveil a bit of the mystery behind the Advanced and Persistent part of the APT.  As I've said before, they are human, they are fallible, they are an anomaly, they are more than their malware, and they can be detected.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8469381846007647074?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8469381846007647074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8469381846007647074&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8469381846007647074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8469381846007647074'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/02/m-trends-reaction.html' title='M-trends reaction'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8293996805776380587</id><published>2010-02-03T13:39:00.002-05:00</published><updated>2010-02-03T13:45:43.188-05:00</updated><title type='text'>Back for another year.</title><content type='html'>Yeah I've been quiet..really quiet.  I've got a lot of ground to make up.  I've got products to write reviews about, important issues to discuss, things to say and share.  Welcome 2010, it's February already and it's time to catch up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8293996805776380587?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8293996805776380587/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8293996805776380587&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8293996805776380587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8293996805776380587'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2010/02/back-for-another-year.html' title='Back for another year.'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4551620428370301942</id><published>2009-11-16T13:00:00.000-05:00</published><updated>2009-11-16T18:14:55.330-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>APT..still an anomaly</title><content type='html'>Time for a little more on the APT.&lt;br /&gt;&lt;br /&gt;Well first, let's call a spade a spade: it's the state-sponsored recon, intrusion and theft of key industrial, financial, and military assets. There, now that we're no longer jumping at shadows because of this "new threat" we can discuss a method of detecting the APT. We've established that these adversaries are intelligent, efficient and worthy enemies, but here's the thing: they are an anomaly. In a well-managed environment, even one that contains tens of thousands of hosts, they stick out. Even in a moderately well-managed environment, they are still an anomaly. So, you're asking, how does one detect them?&lt;br /&gt;&lt;br /&gt;1) Use Anomaly Detection.&lt;br /&gt;&lt;br /&gt;Suppose for a moment that you're monitoring at the perimeter, or even the core of your network. You don't typically allow Remote Desktop Connections from the outside world but your organization has made allowances in particular places. OK, great, so now you've got an attack vector. How are you monitoring it?&lt;br /&gt;&lt;br /&gt;How about the following:&lt;br /&gt;Administrative (or any other) RDP sessions from China&lt;br /&gt;New services being installed&lt;br /&gt;Network behavioral changes&lt;br /&gt;&lt;br /&gt;How would you determine this, you might be asking? Well, let's evaluate how we can detect them.&lt;br /&gt;&lt;br /&gt;1) The endpoint itself&lt;br /&gt;Perform simple checks against service listings.  
For instance, services that don't belong, like one called MCupdate (McAfee Update) on a system running Symantec Antivirus.&lt;br /&gt;&lt;br /&gt;Or services calling a DLL that is named incorrectly in the 'Path to executable' field.&lt;br /&gt;&lt;br /&gt;Look for executables in places where they don't belong, such as:&lt;br /&gt;C:\Windows\System32\Config&lt;br /&gt;&lt;br /&gt;or having fuzzy hashes similar to the following:&lt;br /&gt;768:xRhzolZP75giNs7WPaLr1JWa304IvwghoPTrH2oI:zhzol8iWWPkrDWa3vCw9TCo&lt;br /&gt;&lt;br /&gt;384:MUYJfQuuOZ2XYiUj/S0AL6hImJbiGwSeulswOezXzFdlIWO+RbBzqTqoMefZx966:EoVOZ2c/1S6xwS/dzDFpRbErx9b&lt;br /&gt;&lt;br /&gt;6144:U1cKrvLpMm6Yo9VtJNcUTqoFDf4OUOsrhnte38uyLdQn528Igf0qSI8N5yhFa0y4:KbvujF97J+atUvr3pLdQn52XgMNAFa0p&lt;br /&gt;&lt;br /&gt;Did &lt;a href="http://thedigitalstandard.blogspot.com/"&gt;someone&lt;/a&gt; say fuzzy hashing was cool?  Yeah, it's very cool. Thanks, &lt;a href="http://jessekornblum.livejournal.com/"&gt;Jesse&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;2) The network, through an IDS or NBAD looking for the following type of traffic:&lt;br /&gt;&lt;br /&gt;Administrative RDP connections:&lt;br /&gt;&lt;br /&gt;alert tcp $EXTERNAL_NET any -&gt; $HOME_NET 3389 (msg:"POLICY RDP attempted Administrator connection request"; flow:to_server,established; content:"|E0|"; depth:1; offset:5; content:"mstshash"; distance:0; nocase;&lt;br /&gt;pcre:"/mstshash\s*\x3d\s*Administr/smi"; reference:bugtraq,14259;&lt;br /&gt;reference:cve,2005-1218; reference:url,www.microsoft.com/technet/security/bulletin/MS05-041.mspx; classtype:misc-activity; sid:4060; rev:3;)&lt;br /&gt;&lt;br /&gt;3) Anomalous traffic:&lt;br /&gt;Traffic that doesn't belong on certain ports:&lt;br /&gt;For instance, non-HTTPS traffic on port 443 or non-DNS traffic on port 53.&lt;br /&gt;&lt;br /&gt;Example:  the string [SERVER] doesn't belong anywhere on port 443.&lt;br /&gt;&lt;br /&gt;4) Behavioral changes in the system.&lt;br /&gt;&lt;br /&gt;If the system never 
listens on port 443, and all of a sudden it begins communicating with China on port 443, that's an anomaly.&lt;br /&gt;&lt;br /&gt;If the system never visits defense contractors or manufacturers, and all of a sudden it begins doing so, that's an anomaly.&lt;br /&gt;&lt;br /&gt;If a webserver typically receives 10,000 visits per day during business hours and all of a sudden it's receiving 30,000 and there was no product release or new project etc., that's an anomaly.&lt;br /&gt;&lt;br /&gt;You can then add time, rates, and frequencies into the algorithm to tune the detection.&lt;br /&gt;&lt;br /&gt;Some other food for thought.  Don't rely upon your antivirus products to protect you.  The intruders' code is changed regularly and will not be detected.&lt;br /&gt;&lt;br /&gt;And finally, these guys are good.  Very good.  But they are human, and while they cover their tracks well and hide well, they are fallible.  They are creatures of habit, they can be profiled, they do things to blend in to the best of their ability by using built-in tools along with their own, but they can be found.  
They are an anomaly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4551620428370301942?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4551620428370301942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4551620428370301942&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4551620428370301942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4551620428370301942'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/11/aptstill-anomaly.html' title='APT..still an anomaly'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5881172391222632075</id><published>2009-11-10T22:17:00.006-05:00</published><updated>2009-11-10T23:03:56.061-05:00</updated><title type='text'>SPILLED COFFEE...who cares?</title><content type='html'>So COFFEE got leaked..is anyone surprised?&lt;br /&gt;&lt;br /&gt;I liken this story to the fact that radar detectors exist to evade speed traps.  The truth of the matter is, when you speed you're bound to get caught regardless of your knowledge of radar or laser guns and regardless of the fact that your detector is beeping.  
Typically by the time your detector is beeping loudly enough for you to pay attention you're already painted and are in the process of being pulled over.  Many people are so convinced that COFFEE is this panacea of LE forensics capabilities that the leaking of it will spell doom and disaster for Law Enforcement everywhere.  Boy will they be surprised when they learn what it's made of.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;"But they'll detect it and subvert it"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Maybe they will, maybe they won't.  Does it really make a difference?  This is part of the game.  The tool was widely released, why is this leak a shock?  If the computer is the only source of evidence in a case, then you don't have that strong of a case to begin with.  Even so, police raids and seizures are not exactly broadcast to the suspect.  COFFEE is a meta-tool anyway, or a tool made up of tools, just like every other live toolkit.  COFFEE is not magic.  It's a script.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;"But now that they know what it does they can prevent it from being useful"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Funny, the same was said of just about every forensics tool out there.  The good guys have a toolset, just as the bad guys do.  
Who can use their tools more effectively?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;"But but but...the sky is falling!"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;No, Chicken Little, the sky is not falling...it's just another acorn.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5881172391222632075?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5881172391222632075/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5881172391222632075&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5881172391222632075'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5881172391222632075'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/11/spilled-coffeewho-cares.html' title='SPILLED COFFEE...who cares?'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3344924182165037641</id><published>2009-11-10T21:21:00.005-05:00</published><updated>2009-11-10T22:16:40.792-05:00</updated><title type='text'>Why limited privileges don't matter</title><content type='html'>One day, financial administrative officer Jane Q. received an email from the bank.  It read "Dear valued customer, we need to validate your account due to a system upgrade.  
Please click the following link[..]"  Jane, not wanting to lose access to the account, clicked the link and got infected with ZeuS.  Unknown to Jane, her stored IE passwords were immediately offloaded.  Later that day when she went to do her daily "close of business" process there were some additional fields on the affiliate banking website her company partnered with.  "Hmm, must be that upgrade they did," she thought to herself.  She happily entered the requested information.  The next day, Jane opened up the same site but there was a problem.  The account was missing $400,000!  It was discovered that Jane's credentials were compromised, the account was drained and the money went to 3 dozen accounts all over the world.&lt;br /&gt;How could this have happened?  Jane only had &lt;span style="font-style: italic;"&gt;user&lt;/span&gt; level privileges.&lt;br /&gt;&lt;br /&gt;For years, the common thought has been to follow the Principle of Least Privilege, which is to say, don't give people more rights than they need to do their job, or in a Windows-centric world, no administrative access.&lt;br /&gt;&lt;br /&gt;What if the job requires access to the company finances, and the position is authorized to transfer funds?  Limiting the privilege of the user on the operating system is of no consequence.  When sensitive data is accessed by authorized users, it becomes exposed to processes designed to steal it, running with the privileges of the authorized user.  Simple concept, right?  This concept has been overlooked for years because it didn't matter.  For years, restricted rights meant no compromise of consequence.  
Those days are gone.&lt;br /&gt;&lt;br /&gt;It used to be that malware wouldn't run unless it was originally executed with administrative or higher level privileges.  If executed with limited privileges, it would execute and run until the computer rebooted, but it could not establish a persistence mechanism and did not have access to key parts of the operating system. &lt;br /&gt;&lt;br /&gt;Modern malware, as many are aware, no longer requires administrative privileges to execute, communicate and establish persistence.  The "bad guys" figured out that we, the "good guys", started restricting admin rights.  Big shocker, right?  They figured out how to use Windows environment variables and stopped hard coding %systemdir%.  They figured out that those rights weren't required to achieve their objective.  Accounts were decoupled from the system and re-coupled with the data those accounts have access to.  If your goal is data theft, then full access to the system isn't required.  Access to the account that has access to the data is all you need.  I refer back to Marc Weber Tobias..."The key does not unlock the lock, it actuates the mechanism which unlocks the lock".&lt;br /&gt;&lt;br /&gt;These days the only benefit to restricting privileges is to limit the scope of the damage caused by a compromise.  Limiting privileges does not prevent compromise.  
It's still a good practice, but the myth that limiting privileges will prevent compromise has been &lt;a href="http://dsc.discovery.com/fansites/mythbusters/mythbusters.html"&gt;BUSTED&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3344924182165037641?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3344924182165037641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3344924182165037641&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3344924182165037641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3344924182165037641'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/11/why-limited-privileges-dont-matter.html' title='Why limited privileges don&apos;t matter'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8814123292616781991</id><published>2009-08-24T17:49:00.004-04:00</published><updated>2009-08-26T15:25:43.584-04:00</updated><title type='text'>New tools on the horizon</title><content type='html'>Been busy again but here's a brief update..&lt;br /&gt;&lt;br /&gt;Recently I read about the upcoming release of Accessdata FTK 3.0.  Yikes! 3.0 so soon?  
If you ask me it looks like Accessdata wants to get away from the 2.0 brand name and on to something that may have appeal to most people.&lt;br /&gt;&lt;br /&gt;Why am I excited by 3.0?  It's really quite simple.  3.0 allows you to have 4 workers for the same price as the one worker that was available in 2.x.  Hopefully the processing speed is infinitely faster, assuming they did it right.  With 2TB drives being available I don't really see another way for the common examiner to keep up, especially when you have to do full indexes, hashing, carving and so on.  Here's to hoping that 3.0 lives up to the marketing slicks...and for Accessdata's sake let's hope it does.&lt;br /&gt;&lt;br /&gt;What else is coming?  The Image Masster Solo-4.  Now this device looks appealing to me as it meets my current requirement set for a hardware imaging device.  It supports encryption of the image on the fly using ICS drive cypher.  It can send the image over the network through a 1 GB interface.  It runs a Windows XP OS?  That has me a little worried (imagine the imaging device getting compromised by a network worm if used in a hostile network environment) but to be honest I don't know enough about it just yet.  The device will be around $2500 according to the rep I spoke to.&lt;br /&gt;&lt;br /&gt;HBGary expanded Responder Pro to include some very interesting tools like REcon, and C# scripting capabilities.  FastDump Pro also got a bit of a facelift to include Process Probing via the -probe switch.  Basically you take a process and force all of its paged out memory back into physical memory for analysis.  
More on these developments soon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8814123292616781991?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8814123292616781991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8814123292616781991&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8814123292616781991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8814123292616781991'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/08/new-tools-on-horizon.html' title='New tools on the horizon'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5081487836569613560</id><published>2009-07-31T12:36:00.000-04:00</published><updated>2009-07-31T15:37:19.855-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reasonable belief'/><category scheme='http://www.blogger.com/atom/ns#' term='Depth of Penetration'/><title type='text'>Reasonable Belief - Depth of Penetration</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SnMwcDG50qI/AAAAAAAAAUA/rjoRh8LScuA/s1600-h/Depth+of+Penetration+v.1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: 
pointer; width: 400px; height: 235px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SnMwcDG50qI/AAAAAAAAAUA/rjoRh8LScuA/s400/Depth+of+Penetration+v.1.png" alt="" id="BLOGGER_PHOTO_ID_5364684839557124770" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;span style="font-style: italic;"&gt;This is a v.1 figure.  Comments, suggestions welcome.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Back in March I began with a high level overview of reasonable belief as it applies to intrusions and notification.  I'd like to take a little time to examine the Depth of Penetration as it applies to reasonable belief to see where I end up.&lt;br /&gt;&lt;br /&gt;First some criteria.&lt;br /&gt;&lt;br /&gt;Depth of Penetration can be simply defined as: The scope of access to resources gained by an intruder.&lt;br /&gt;&lt;br /&gt;Major questions to answer:&lt;br /&gt;&lt;br /&gt;What account(s) were compromised?&lt;br /&gt;What level of privilege does the account have?&lt;br /&gt;What systems were accessed during the Window of Risk?&lt;br /&gt;What data is the account authorized to access?&lt;br /&gt;What data are at risk?&lt;br /&gt;&lt;br /&gt;We also collect system meta-information. This includes:&lt;br /&gt;Who has administrative rights&lt;br /&gt;Who has access to it&lt;br /&gt;What role the system holds in the organization&lt;br /&gt;Where the system is accessible from&lt;br /&gt;What IP address it uses&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Discussion:&lt;br /&gt;The objective in establishing depth of penetration is to determine what the intruder compromised, had access to, and the level of privilege obtained.&lt;br /&gt;&lt;br /&gt;When a system or network is penetrated by an attacker, an account is involved, even if the account is an anonymous or guest account.  If the account is used by an attacker, it is considered compromised.  This account will be authorized to access specific resources within a network or system. 
The intruder will therefore have credentials to access systems and data.&lt;br /&gt;&lt;br /&gt;Can a domain or local system account be compromised, and not have resource accounts compromised?  Yes.  Let's say my local system gets hacked into and my domain login is compromised.  I also have accounts on an ftp server, a web server, a database server, and email.  When my domain account is compromised, it does not mean that the other accounts were compromised.  If my domain account is compromised, we need to establish the authentication and authorization methods used on each of the resource systems.  If the AAA is integrated with the domain, then the attacker will potentially have carte blanche access to all of the resources and data that I have access to.  If AAA is not domain integrated, then an investigation into each of the resources I have access to is required to determine the veracity of the claim that other accounts/resources and data are at risk.  This establishes scope.&lt;br /&gt;&lt;br /&gt;Suppose a keylogger were installed on my machine.  Does that mean that all of my resource accounts were compromised?  Again, that's not necessarily true.  We can assume the worst and say that everything I have access to is compromised because there was a keylogger on the system.  We can also go the route of saying that whatever is in the keylog file is what was compromised.  Which is correct?  In reality, neither is true and neither is wrong.  The only way to truly determine the correct path here is to examine the keylogger and its logging mechanisms.  Does it write to a buffer and mail it out?  Does it log to a file?  Is the file encrypted?  Can you decrypt it?  This also puts too much emphasis on the keylogger.  An examination of other artifacts is required to validate any conclusions drawn from a keylogger examination.&lt;br /&gt;&lt;br /&gt;In a third scenario, let's say a system is compromised and a packet sniffer is installed.  
The depth of the penetration can be difficult to establish in this scenario because many organizations do not log internal network traffic.  We must determine what data travelled to/from the system, or was sniffable by the system.&lt;br /&gt;&lt;br /&gt;In a fourth example, consider that I am a user working from a desktop machine.  I have no privileges beyond an authenticated and valid user account.  I am, in other words, a "regular user".  I visit a website and contract a malware infection.  This malware provides remote control over my system, and does not require administrative privileges.  The system is now "botted".  The person, assuming there is one, at the other end of the connection now has access to whatever I have access to, and may be able to escalate privileges.  In this scenario we need to determine if the attacker escalated privilege, and to what degree.  In addition we must examine what actions I took while infected: what intranet sites were visited, what systems did I log in to or access?  What data did I work with or access during the compromise window?  What data did my account have access to?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;These examples are slight digressions from the singular topic of Depth of Penetration, but they are important to establishing the actual depth of the penetration.&lt;br /&gt;&lt;br /&gt;How does Depth of Penetration actually inform reasonable belief?&lt;br /&gt;Remember that Reasonable Belief is what a layperson believes given similar circumstances.  When there is no hard evidence to confirm or refute the data loss, a decision maker is more likely to believe that data is at risk and/or compromised if the intruder gained access to a resource with the authorization to read the data stored therein. In the eyes of the layperson, access often equals acquisition.  When an attacker gains elevated privileges on a system containing sensitive data, a layperson will inherently lean towards a reasonable belief that the data was acquired. 
Conversely, a layperson will be less likely to believe data was acquired if elevated privileges were not obtained, even if the compromised account had direct access to sensitive data.  In addition, a layperson tends to think less is at risk when a compromise affects one system than they do of a critical or multiple system compromise.  These beliefs are commonly strengthened if the examination lacks depth and does not provide a more plausible explanation.&lt;br /&gt;&lt;br /&gt;To be effective, this portion of the examination must be able to show in enough detail: the accounts used by the intruder; which systems were compromised or used by the intruder; what level of privilege each account had on each system accessed by the intruder; whether the account was able to access and/or acquire the data from each system; and what data was present.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5081487836569613560?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5081487836569613560/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5081487836569613560&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5081487836569613560'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5081487836569613560'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/reasonable-belief-depth-of-penetration.html' title='Reasonable Belief - Depth of Penetration'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SnMwcDG50qI/AAAAAAAAAUA/rjoRh8LScuA/s72-c/Depth+of+Penetration+v.1.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5250955550746608279</id><published>2009-07-28T12:30:00.002-04:00</published><updated>2009-07-28T12:33:18.818-04:00</updated><title type='text'>Don't worry it's just cybercrime</title><content type='html'>In countries with corrupt politicians (That's all of them, isn't it?), corrupt authorities, corrupt businesses, criminals reign supreme.  Throw off years of oppressive government and what do you have?  You have Ph.D.s in engineering, computer science, economics, and yes...rocket science sitting around wondering what to do with themselves.  The weight has been lifted and now there's nothing to do with a fantastic education, so they apply their skills where they're needed.  They do anything and everything to survive and ultimately thrive.  In a country with no authority figures that can't be bribed and businesses looking to establish themselves there are two primary motivating factors; Money and Power, Power and Money.  In countries full of people with nothing to lose, these two factors become the keystones of &lt;a href="http://en.wikipedia.org/wiki/File:Maslow%27s_hierarchy_of_needs.svg"&gt;Maslow&lt;/a&gt;'s hierarchy.&lt;br /&gt;&lt;br /&gt;Survival mode;  The purpose of survival mode is to "get yours" at whatever the cost.  You do what it takes to get a loaf of bread, to secure your family, to protect yourself and those you care about.  The now abandoned Ph.D.s have a new purpose and it's money.  Money and Power, Power and Money...Money=Power.  
Those without money and power will always be subject to those that have it, especially in transition economies with weak governments.  These enterprising individuals have been swept up into the world of organized crime and they're loving it.  What's not to love?  The money, the power, the women, the cars, the lifestyle?  It's easy to love it when it's going well.  That's right...all the hallmarks of modern organized crime exist and it's going well, very well.  If they can keep the cash flowing, they can continue to pay off authorities, and the businesses are clamoring all over each other for their piece of the pie and they're willing to do whatever it takes as well.&lt;br /&gt;&lt;br /&gt;Organized crime has existed for centuries and it's just recently branched into the digital realm.  Why should anyone be surprised by this?  It's a target-rich environment, the risks are low, the rewards are high, and internationally there is nothing stopping you.  There are whole new rackets, and re-invented rackets that are applied.  Intimidation, fake lotteries, scams, protection, extortion, trafficking, controlling and influencing industries (Gas &amp;amp; Oil, construction)...sounds familiar, doesn't it?  This is nothing new, they've just adapted.   Let's say that again...this is nothing new, they've just &lt;span style="font-style: italic;"&gt;adapted&lt;/span&gt;.  Since the dawn of crime, there's been a fight against it.  That's right, this fight has been fought before but many pieces had to fall into place for that fight to truly take place.  The following components are missing from this new fight.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Government&lt;/li&gt;&lt;/ul&gt;The governments in many of these countries are simply too afraid and corrupt to stand up and establish laws that punish criminals and criminal organizations. 
They do not participate in the international creation and adoption of laws designed to combat this new type of crime.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Law Enforcement&lt;/li&gt;&lt;/ul&gt;Law enforcement is in the same boat as government.  Law enforcement would be fighting itself if it decided to take a stand.  Former secret police and officers joined the rank and file of organized crime when the wall came down.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Populace&lt;/li&gt;&lt;/ul&gt;The populace, as it is in many cases, is the key.  If people decided to care, they could force their government to establish laws, which in turn would give law enforcement something to enforce.  Unfortunately, the populace has been beaten down, abused and lacks trust in its government.  It hasn't gotten bad enough for them to want to truly do something.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Security researchers, security companies, all are saying "Oh my god cybercrime is this terrible thing and it's huge!"  We read headlines detailing hundreds of thousands of identities being stolen, of large sums of money being lifted from bank accounts, of thousands of credentials being compromised.  Meanwhile the rest of the world just keeps on ticking, moving forward like nothing is happening.&lt;br /&gt;&lt;br /&gt;One has to ask...do they care?  There are no bombs, no known murders associated with cybercrime gangs (at least I don't know of any...if you do, tell me).  Cybercrime has been relegated to the realm of "nuisance" crime, right next to harassment and stalking.  Computers are still seen as magic, and cybercrime is seen as smoke, mirrors and illusion.  It's not a personal crime, and the pain is temporary for most, and not all that painful compared to a personal crime.  Ask a cop to investigate cybercrime and expect to get asked which murder shouldn't be investigated so your cybercrime can be.&lt;br /&gt;And then there's the lack of understanding.  Identity theft is a paper crime.  
Your identity gets stolen and you get a letter in the mail saying "There is no evidence to suggest...." or "We don't believe...[]..but here's some credit monitoring just in case."  That's it...poof, it's gone like vapor.  Whether it's apathy, lack of understanding, or lack of pain and suffering, the crime is never fully understood or cared about.  In reality, the company that wrote the letter has no idea, and they hope that your identity doesn't get stolen, and it's not because they actually care about you; they care about the price of their stock, their shareholders, their brand.&lt;br /&gt;&lt;br /&gt;This lawless world of crime without punishment will soon result in what it has always resulted in...vigilante or shadow organizations and "private security" companies stepping up for hire to take the fight to the enemy.  They will exploit the lack of policy and enforcement for gain.&lt;br /&gt;&lt;br /&gt;Some time ago I met with a few FBI agents and when they said they wanted to help in any way they could I kept thinking to myself...You want to help?  Put tac teams in Odessa, Kiev, Little Odessa and start arresting or shooting.  Find a way to make these ventures risky, costly and unappealing.  The new breed of criminal is not nearly as secretive as those from the older mold.  So exploit their egos.  Poison the money sources, do something other than build a case against people you can't prosecute.  Infiltrate, manipulate, lie, cheat and steal to get into their organizations and take them down and for crying out loud...assign a cybercrime investigator to work with "informants".  This isn't a fight against cybercrime, it's a fight against organized crime. Treat it like a vapor crime and it will be so in the eyes of politicians, law enforcement and the populace.  
Treat it like organized and personal crime and people will notice.&lt;br /&gt;&lt;br /&gt;When news articles about cybercrime come out, they are gone in a flash and given cute names like "April Fools worm".  Did you know that TJX arrests &lt;a href="http://www.scmagazineus.com/Authorities-hope-arrest-of-Ukraine-man-leads-to-TJX-orchestrator/article/35297/"&gt;happened&lt;/a&gt;?  Significant or not, they did. To be frank, they only got low-rung members and affiliates of the ring. How many major news outlets covered it?  I can't think of a single one.  Instead, cybercrime gets the "on hold treatment".  It's like being on hold and hearing that voice say "Don't worry, it's just cybercrime"... "your business is important to us, please stay on the line".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5250955550746608279?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5250955550746608279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5250955550746608279&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5250955550746608279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5250955550746608279'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/dont-worry-its-just-cybercrime.html' title='Don&apos;t worry it&apos;s just cybercrime'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2457742050255500524</id><published>2009-07-27T13:23:00.004-04:00</published><updated>2009-07-27T13:40:55.941-04:00</updated><title type='text'>Thanks John</title><content type='html'>This afternoon &lt;a href="http://isfce.com/cert_body.htm"&gt;John Mellon&lt;/a&gt; announced his retirement from the &lt;a href="http://www.isfce.com/"&gt;ISFCE&lt;/a&gt;.  As a member for a few years now and as an active CCE, I take my hat off to you John.  You've done an awful lot for this profession, the ISFCE and the CCE community and we all owe you a debt of gratitude for your time, countless efforts and devotion to making the industry, the ISFCE and the CCE what it is today.  Enjoy your well deserved retirement.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2457742050255500524?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2457742050255500524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2457742050255500524&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2457742050255500524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2457742050255500524'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/thanks-john.html' title='Thanks John'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5259904216763409323</id><published>2009-07-23T16:30:00.000-04:00</published><updated>2009-07-23T16:30:06.553-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lessons Learned'/><title type='text'>Lessons learned - a menagerie</title><content type='html'>While writing up a paper the other night I got inspired to share some things...some lessons learned from incidents over the past year.  Here's to hoping this helps or entertains.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Communication needs to be accurate and timely&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When your IRT is in the middle of a widespread incident and you need to notify the organization at large, the information must be accurate.  Tech support - your boots on the ground - needs accurate information to take remediation steps at the micro level.  This information must also be communicated in a timely manner.  At least two communications need to go out within the first 24 hours: one to alert the organization, and a second to provide a status update.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;SITREPS are valuable&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When you or your IRT are dealing with an incident it is vital to provide Situation Reports or SITREPS to your client and management.  The frequency and depth of these SITREPS can be determined by the scope and severity of the incident.&lt;br /&gt;A simple chart like this helps:&lt;br /&gt;Tier 1 Incident - SITREP ea. 1-4 hrs.&lt;br /&gt;Tier 2 Incident - SITREP ea. 8 hrs.&lt;br /&gt;Tier 3 Incident - SITREP ea. 
24 hours.&lt;br /&gt;&lt;br /&gt;SITREPS should contain the following information:&lt;br /&gt;Who is doing What, Where they are doing it, When it will be done.&lt;br /&gt;Assessment of the situation&lt;br /&gt;Updates on old news&lt;br /&gt;Updates on new news&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Partnerships work well in a distributed environment&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When you are the incident manager and you do not have full authority over a distributed environment, you must partner with the people in charge of the distributed environment.  This is the &lt;span style="font-weight: bold;"&gt;only&lt;/span&gt; way to be successful in a crisis situation.  The incident must become everyone's problem, with the seriousness communicated effectively.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Tech support and end users are like eyewitnesses&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;70% of what they tell you will be incomplete, misinformed or just plain wrong.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;There will always be information that would have been helpful yesterday&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Incidents do not always go perfectly.  You will never have the full picture when you need it.  Gather what information you can, assess the collected information, and make a decision.  Adaptability is one of the key traits of a good incident responder.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Stop trying to prevent the last incident and focus on the next incident&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Oftentimes after a significant incident an organization will enter a tailspin trying to solve the last incident.  Numerous resources will be poured into making sure 'it never happens again'.  The reality of the matter is that it will happen again, just not in the same way.  This is why incident follow-up is important.  
After an incident, you do need to address the Root Cause but you need to look forward to the next incident and begin preparation. As a former coach once said "don't stand there and admire the ball after you shoot, keep moving"&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;In 30 years of computing the security industry has never solved a problem&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Every time I go out on a call I am reminded of this nasty little truth.  The security industry has never solved a problem.  Imagine taking an exam with 8 non-trivial proofs.  You are expected to complete them in 30 minutes.  This is an almost impossible task.  My money is on an incomplete exam and mistakes in the proofs you have attempted. Due to the constant evolution in the technology world, problems never get solved and history repeats itself frequently.  It is because of this that Incident Responders should keep current, and pay attention to history.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Don't be afraid to say you don't know&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This one is tough for a lot of people to digest.  People seem to want the wrong answer instead of a non-committal one.  There is nothing wrong with not knowing everything.  Better to not know and find out, than to appear to know and show yourself to be wrong later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Due Diligence is not the same as Investigation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you are approached by a client and they engage you to perform a task to do their due diligence, it is not the same as investigating a matter to search for the truth.  Those that want due diligence are simply looking to CYA.  
Those that truly want an investigation will be in search of root cause, impact, and conclusion.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Routine Investigations only exist in news articles&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Every investigation this past year has been different.  The only thing routine about an investigation is the tools and process used.  Nothing takes 5 minutes, and getting to point B is never a straight line.  Commit your tools and process to memory and train yourself and your team.  This way, when the investigation changes course you can adapt easily.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Establish working relationships with key vendors you rely on, and customers that rely on you&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Incident response is a two-way street.  If you have a product that your organization relies on to conduct operations, ensure you have a strong working relationship with its vendor. Meet with all vendors at least once per year, if not more. This pays off for both sides and keeps both sides informed of needs and opportunities.  In a time of need, you will want that vendor on the phone assisting you with their product.  Likewise, if you are serving a client, you want to have a good relationship. Visit your clients when there is not a crisis.  This lowers stress and fosters trust and respect.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Don't hold on too tight and remember to breathe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When functioning at a high operational tempo for extended periods of time, you will experience burnout. As a result, efficiency and productivity decrease drastically.  Know yourself well enough to know when it's time to decompress and give yourself some breathing room.  If you manage a team, take your team out for drinks and laughs once in a while, send people to training, give them comp time.  
Do anything and everything to keep yourself and your team operating at peak performance levels.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Incident detection should not overwhelm analysis capabilities&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When you are drafting budgets or you seek funding for projects that involve incident detection, you should try to remember that incidents require resources to respond to and ultimately analyze data.  When detection overwhelms your ability to analyze incidents you experience backlogs and rash decision making.  Remember that an analysis takes approximately 20-40 hours on average and a good analysis can not be rushed.  Keep analysis requirements in mind any time you are looking to improve your detection.  Great, you detected an incident, can you respond to it and analyze it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5259904216763409323?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5259904216763409323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5259904216763409323&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5259904216763409323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5259904216763409323'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/lessons-learned-menagerie.html' title='Lessons learned - a menagerie'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5977809678084967888</id><published>2009-07-20T13:48:00.007-04:00</published><updated>2009-07-20T16:42:52.408-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FTK'/><title type='text'>The FTK 2 dilemma</title><content type='html'>So you're using FTK 2.x...Does the separate database server buy you anything?  This is the question I've been asking myself for about a week now.  After having good success with FTK 2 on a standalone system I moved to a split-box configuration.  Per the recommendations &lt;a href="http://www.accessdata.com/downloads/media/AD_FTK_2-1_SystemSpecGuide_11-18-08.pdf"&gt;here&lt;/a&gt;, I put my more powerful system in place as the Oracle database server.&lt;br /&gt;&lt;br /&gt;In addition I threw a quad-core processor with 8GB of RAM and a handful of new SATA 2 drives into a second system.  It's not a brand new system but it meets the specs for an FTK 2 worker system.&lt;br /&gt;&lt;br /&gt;As it turns out, and in my humble opinion, the documentation appears to be misguided for a two-box configuration.  Here are a few thoughts.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;FTK 2 worker:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The worker is truly the worker.  Splitting the configuration puts the majority of the load on the worker machine.  The database system simply shuffles records across the network and handles queries.&lt;/li&gt;&lt;li&gt;The worker requires a lot of resources - especially while processing a case.  While processing a case, the CPU/memory/disk combination kept the worker box pegged, while the database server was sleeping.  Pictures coming soon.&lt;/li&gt;&lt;li&gt;The worker system not only does the heavy lifting, it also needs to manage the GUI.  
Try processing evidence and moving around the GUI...you'll see what I mean.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Database Server:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The database server is mostly idle until you load it up with data and need to 'work' the case.  Even then, it doesn't require a lot of resources.  It needs to fulfill queries, and this isn't a transaction-level Oracle server.  It does a lot of reading at one time and a lot of writing at one time.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The database server only needs to meet the specs of the worker machine.  It does not need to be more powerful than the worker, as the worker machine is doing the heavy lifting.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The database server requires disk and memory.  CPU is nice to have but it doesn't need to be dual quad cores when you only have one worker.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;If doing a two-box configuration, here are my &lt;span style="font-weight: bold;"&gt;worker&lt;/span&gt; recommendations:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CPU&lt;/span&gt; - Quad-core or dual quad-core CPU.  The 9400+ series for Core 2 Quad, or if you've got the money for a new system, go with the i7.  If you've really got some cash...go quad-core Xeon.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;RAM&lt;/span&gt; - At least 2GB of memory for each CPU core; 4GB/core if you can afford it.  Trust me, don't skimp on the RAM.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DISK&lt;/span&gt; - This is broken down into categories.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;OS: A RAID 1 works nicely here.  &lt;/li&gt;&lt;li&gt;Index drives: At least a 4-drive RAID 0.  This is where your indexes will be stored.  These drives need to be the fastest available.  300GB WD VelociRaptors should do the trick.  However, remember your storage requirements.  Expect indexing to use 1/5th of the total evidence set, e.g., 1TB evidence = approx. 
250GB indexing space.&lt;/li&gt;&lt;li&gt;Image drives: When you load a case you want to put your images on locally attached storage.  I'd go with at least a 2-drive RAID 0.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Controller&lt;/span&gt; - Is it me, or is Adaptec the only RAID controller manufacturer that seems to be making good controllers anymore?&lt;br /&gt;The Adaptec 5805 (internal) or the 5085 (external) seems to be the best controller out there for the price.&lt;br /&gt;&lt;br /&gt;And here are my &lt;span style="font-weight: bold;"&gt;Oracle server&lt;/span&gt; recommendations:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CPU&lt;/span&gt; - A single quad-core CPU.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;RAM&lt;/span&gt; - 2GB/core.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DISK&lt;/span&gt; -&lt;br /&gt;&lt;ul&gt;&lt;li&gt;OS: Use a RAID 1 here.&lt;/li&gt;&lt;li&gt;This is a database server.  The question you need to ask yourself is: Do I want redundancy?  If yes, go with at least a 4-drive RAID 10, if not more.  If no, go with a 4+ drive RAID 0.  Remember your space requirements.  Expect to use 10% of the size of the evidence for database storage in each case, in addition to the minimum 6GB.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Controller&lt;/span&gt; - Adaptec 5405 or better.&lt;br /&gt;&lt;br /&gt;And if you combine the two systems into one, here are my recommendations:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CPU&lt;/span&gt; - Dual quad-core Xeon&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;RAM&lt;/span&gt; - 4GB/core&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DISK&lt;/span&gt; - Face it, you don't have enough space internally; even the &lt;a href="http://www.coolermaster.com/products/product.php?act=detail&amp;amp;id=2584"&gt;Cosmos&lt;/a&gt; can be tight on space (best case ever).  Get an external disk array.  
Addonics has some very interesting cage configuration options &lt;a href="http://addonics.com/products/raid_system/rack_overview.asp"&gt;here&lt;/a&gt;.  Others have done the homework to spec out their own arrays, saving $$. You'll want multilane eSATA or SAS drives.  As with any I/O-intensive operation...you need spindles to spread the load.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;OS:  RAID 1 still works here.&lt;/li&gt;&lt;li&gt;Indexing&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Database&lt;/li&gt;&lt;li&gt;Images&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Controller&lt;/span&gt; - the Adaptec 5085 gives the required connections to do an external SAS or SATA array.  Get the battery backup.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And don't forget the backups.  Backup servers/devices don't need to be high powered, they need to be reliable.  Get a RAID 5 NAS or a bunch of disks in older hardware.&lt;br /&gt;&lt;br /&gt;Now that hardware is out of the way, let's look at the real dilemma.&lt;br /&gt;&lt;br /&gt;Does a separate database server provide any utility when you have two computers?  My answer is no, it doesn't.  An average case these days will be fully processed (indexed, hashed, KFF, duplicates, etc.) in about 24 hours.  I haven't seen any benefit in moving to two systems...it still takes 24 hours or more.  There are major drawbacks to a two-box configuration as well.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;FTK 2 has been so heavily &lt;span style="font-weight: bold;"&gt;over-engineered&lt;/span&gt; that all you gain is network and agent complexity.  The worker loses connectivity even on a dedicated link.  How does it recover from this?  Does it recover everything completely?&lt;/li&gt;&lt;li&gt;Backups on a two-box system require their own whitepaper.  
If a GUI product requires a separate paper for backing something up when the single-system backup is straightforward, there are too many variables.&lt;/li&gt;&lt;li&gt;You now have to maintain two operating systems, two sets of hardware, twice the expense and twice as many failure modes.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;My conclusion:  A two-box configuration makes no sense in FTK 2 as long as you only have one worker.  If multiple workers were processing the case, or if the database server contributed to the processing, it might make sense, but as of FTK 2.2.1 it makes no sense whatsoever and provides no benefit.  As I was writing this, AccessData appears to have released a &lt;a href="http://accessdata.com/downloads/media/FTK_Performance_Testing.pdf"&gt;paper&lt;/a&gt; on performance statistics.  &lt;span style="font-style: italic; font-weight: bold;"&gt;Interesting how they don't even mention a two-box configuration in it and some of the nuances are left out of the document.&lt;/span&gt;  FTK 1.x is memory intensive.  FTK 2 is &lt;span style="font-weight: bold;"&gt;resource&lt;/span&gt; intensive. To run FTK 2 optimally, you need to have about $10,000 (hardware + licensing).  Don't have the money? Don't bother.  
I'll be moving the GUI and database server when I get my other system back into production.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Addendum Pictures:&lt;br /&gt;&lt;br /&gt;The worker while processing a case&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SmTWHy9tMGI/AAAAAAAAATw/7yaGvb6BMGs/s1600-h/ftkworker2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 320px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SmTWHy9tMGI/AAAAAAAAATw/7yaGvb6BMGs/s400/ftkworker2.jpg" alt="" id="BLOGGER_PHOTO_ID_5360644885905748066" border="0" /&gt;&lt;/a&gt;And the database server at the same time&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SmTWTz_2CmI/AAAAAAAAAT4/rToVB4wlTLw/s1600-h/ftkdatabase1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 334px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SmTWTz_2CmI/AAAAAAAAAT4/rToVB4wlTLw/s400/ftkdatabase1.jpg" alt="" id="BLOGGER_PHOTO_ID_5360645092341582434" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5977809678084967888?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5977809678084967888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5977809678084967888&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5977809678084967888'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5977809678084967888'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/ftk-2-dilemma.html' title='The FTK 2 dilemma'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SmTWHy9tMGI/AAAAAAAAATw/7yaGvb6BMGs/s72-c/ftkworker2.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-573818513098170994</id><published>2009-07-16T16:56:00.007-04:00</published><updated>2009-07-16T20:01:39.953-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='methodology'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title type='text'>Drive encryption</title><content type='html'>Target drive encryption is not a standard practice...the question is...should it be?&lt;br /&gt;&lt;br /&gt;First, some assumptions.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The source drive is not encrypted&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Now let's evaluate some scenarios.&lt;br /&gt;&lt;br /&gt;1) You're an intrusion examiner.  You are investigating PII data theft and the computer you happen to be imaging for the case contains 200,000 SSNs.  You're imaging the data that's handled by the custodian and the PII of 200,000 individuals nationwide.  This now legally makes you the custodian of the data.  Your image isn't encrypted...there's only 1 tool I know of that encrypts the images. If the target drive gets stolen, say goodnight to your livelihood. 
Errors and Omissions insurance won't cover the cost of notification, credit monitoring and lawsuits.&lt;br /&gt;&lt;br /&gt;Should you encrypt the drive?&lt;br /&gt;&lt;br /&gt;2) You're a forensic examiner.  You are investigating an IP theft case.  You image a drive from a laptop. The data on the drive is considered to be worth millions to the company.  You are now in possession of this very important data that belongs to someone else.&lt;br /&gt;&lt;br /&gt;Should you encrypt the drive?&lt;br /&gt;&lt;br /&gt;Asset theft is a pretty common occurrence, and thefts tend to be opportunistic.  Backup tapes, hard drives, laptops, USB keys, BlackBerrys...all have been stolen/lost.&lt;br /&gt;&lt;br /&gt;As forensic examiners we are the custodians for a lot of other people's stuff.  We compile images of a lot of private information and store them in an unencrypted format.  The questions in my mind are: does chain of custody trump the need for full-disk or image encryption?  Should target drives/images be encrypted as an industry standard?&lt;br /&gt;&lt;br /&gt;What do you think?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-573818513098170994?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/573818513098170994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=573818513098170994&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/573818513098170994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/573818513098170994'/><link rel='alternate' type='text/html' 
href='http://forensicir.blogspot.com/2009/07/drive-encryption.html' title='Drive encryption'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8042178145236695401</id><published>2009-07-13T15:40:00.000-04:00</published><updated>2009-07-13T15:42:02.721-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway malware theory'/><title type='text'>If an identity gets stolen on the internet</title><content type='html'>Does anyone notice?&lt;br /&gt;How about when 1000 identities get stolen? What about 2000? What about 50,000?&lt;br /&gt;&lt;br /&gt;While doing a "routine investigation" of a &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99&amp;amp;tabid=2"&gt;Qakbot&lt;/a&gt; infection I discovered a dropzone for the malware.  I say 'a' and not 'the' because the DZ was a configuration option and it could be updated at any time.  The DZ I found was full of thousands of keylog files and other data uploaded from infected systems. This information was promptly sent to some contacts in the FBI.&lt;br /&gt;&lt;br /&gt;What I begin to wonder is...did any one of these people actually know their identity was at risk or in fact actually stolen?  How many of the companies whose users were infected actually knew about the real risk this malware infection posed to their organization?  How many FTP servers were abused as a result of this infection, how many webservers were compromised? 
How many sensitive intranet systems were exposed?&lt;br /&gt;&lt;br /&gt;Qakbot, like many current threats, was short-lived, with longer-lasting effects.  It was a sortie if you will, a quick blitz to get out, infect thousands of systems, capture as much information as possible and send it back to the people behind it to sell, or use in other attacks.&lt;br /&gt;&lt;br /&gt;This type of blitz happens daily.  For every Conficker worm there are thousands of malware samples that do just as much damage as the media-friendly worms using guerrilla-style tactics, and it is these smaller samples that eat away at individuals and organizations.  Certainly there are large breaches that cause massive damages in one fell swoop, but it is more common to see smaller infections get ignored, and they therefore create more of a problem in the long term. It is unfortunate when organizations don't take these small infections seriously.  How many malware infections made the media in the past year that weren't Conficker or another major media-frenzy-type worm and caused serious damage?&lt;br /&gt;Like this &lt;a href="http://www.theregister.co.uk/2009/07/10/nhs_malware/"&gt;one&lt;/a&gt; (or 8000), or this &lt;a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218102149"&gt;one&lt;/a&gt;, or this &lt;a href="http://www.scmagazineus.com/Militarys-ban-of-USB-thumb-drives-highlights-security-risks/article/121326/"&gt;one&lt;/a&gt;...hopefully you get the point.&lt;br /&gt;&lt;br /&gt;Many organizations don't discover these simple compromises for weeks or months, and when they do, it's likely because their antivirus product updated definitions (which are largely ignored) or a third party identified the compromise.  Do a quick evaluation of your customers and your own internal organization and look at the malware infections that have taken place over the past 6 months.  How many affected individuals reset their passwords?  
Did any of the systems get "cleaned" and not get rebuilt?  How many of those individuals had access to company web or FTP servers?  How many of those people are in your Business Service Centers or administrative offices?  How many of those people work with sensitive data on a daily basis?  How many take their laptops home and let little Johnny play on it?&lt;br /&gt;&lt;br /&gt;OR&lt;br /&gt;&lt;br /&gt;Suppose the following:&lt;br /&gt;John Q Public works for your organization...let's call it Booze Brothers Inc.  John works in the HR department.  John is on vacation and logs in to a public kiosk in the business office at the hotel that happens to be infected with Qakbot to do the following five things:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Visit Amazon to see when that special gift for his daughter will arrive at home&lt;/li&gt;&lt;li&gt;Check his bank account because he was waiting on a reimbursement&lt;/li&gt;&lt;li&gt;Check his personal email account to see how things are going at home&lt;/li&gt;&lt;li&gt;Log in to Twitter to tell everyone how he's doing&lt;/li&gt;&lt;li&gt;Log in to Facebook to update his page&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Based on some &lt;a href="http://www.cs.ucsb.edu/%7Eseclab/projects/torpig/torpig.pdf"&gt;statistics&lt;/a&gt; it is likely that John Q Public just exposed your organization, because he uses the same password for one of the five sites above as he does at your organization.  The lines between personal identity and work identity are blurred because of this password synchronization, which is a common practice.  His information gets sent to the DZ and later it is culled and re-used, sold or traded.  
It may be 24 hours, it may be a week, but you'll likely see John Q's account used in an attack against your organization - maybe phishing, maybe used to upload JavaScript to a webserver, or maybe just a brute-force attack.&lt;br /&gt;&lt;br /&gt;Identities fall each day to the malware infections that plague us, though recall I don't believe in simple malware infections due to the &lt;a href="http://forensicir.blogspot.com/2009/03/gateway-malware-theory.html"&gt;gateway malware theory&lt;/a&gt;.  As always, if you haven't done so in the past year, it's probably time to revisit your IR plan to address this sort of stuff.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8042178145236695401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8042178145236695401&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8042178145236695401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8042178145236695401'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/if-identity-gets-stolen-on-internet.html' title='If an identity gets stolen on the internet'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5696852837273578226</id><published>2009-07-11T23:08:00.008-04:00</published><updated>2009-07-12T00:28:11.683-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='APT'/><title type='text'>Real world APT</title><content type='html'>In a break from the traditional topics I tend to discuss here, I wanted to spend a little time on APT since there's been a surge in discussion around it.  There's been some buzz over APT, or Advanced Persistent Threat, in the past few days.  Like Richard &lt;a href="http://taosecurity.blogspot.com/2009/07/you-down-with-apt.html"&gt;noted&lt;/a&gt;, very few people know what it is or have experience with it.  Not only that, those that have been exposed to it don't talk about it for various reasons.  Here's my experience with it in a very simplified post.&lt;br /&gt;&lt;br /&gt;Their behaviors:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;They tend to work from 9-5, suggesting they are professionals and this is their job&lt;/li&gt;&lt;li&gt;They are methodical in their work and it is not random&lt;/li&gt;&lt;li&gt;They target defense manufacturers, military and government personnel&lt;br /&gt;&lt;/li&gt;&lt;li&gt;They make use of compromised SSL certificates&lt;/li&gt;&lt;li&gt;They make use of compromised credentials to gain access to military and government email and documents&lt;br /&gt;&lt;/li&gt;&lt;li&gt;They compromise systems in traditional ways, but they fly in under the radar and are precise in their compromises&lt;br /&gt;&lt;/li&gt;&lt;li&gt;They use customized tools&lt;/li&gt;&lt;li&gt;They leverage tools available on the compromised systems&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Like any attacker, they make mistakes.  
I won't share those here considering the public nature of a blog, but suffice it to say that the trail is evident.&lt;br /&gt;&lt;br /&gt;Most people are intent on finding the bad guys and removing the threat from their organization.  This is great and all...but this is also where counter-intelligence plays a role.  Passive monitoring can pay off if you don't rush to shut them down.  They do not make half-assed attempts at compromising assets and they make good use of their time on a compromised asset.  Rapid detection, analysis and decision making must follow suit.&lt;br /&gt;&lt;br /&gt;Digital Forensics and Incident Response techniques play an important role in monitoring their activities.&lt;br /&gt;&lt;br /&gt;How can you combat them?  I use what I've been calling the holy trinity of Digital Forensics.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Memory dumps&lt;/li&gt;&lt;/ul&gt;Memory dumps can be used to extract encryption keys, not to mention a lot of other interesting stuff. &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Disk images&lt;/li&gt;&lt;/ul&gt;Disk images should be obvious.  There's a lot of information to be gathered here.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Emergency NSM&lt;/li&gt;&lt;/ul&gt;NSM (Network Security Monitoring) is absolutely vital.  Deploy a dedicated monitoring system in a passive capacity and capture everything they do.  Using the keys extracted from memory, you can decrypt the network traffic.&lt;br /&gt;&lt;br /&gt;In the words of others, these guys are "top shelf".  They are professional reconnaissance teams, they slip in under the radar, they do not waste time, and they have one goal in mind: to collect information.  
There are ways to identify them and watch them, but you must move as quickly as they do, and you and your organization need to be as committed as they are.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5696852837273578226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5696852837273578226&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5696852837273578226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5696852837273578226'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/real-world-apt.html' title='Real world APT'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4695897257725946151</id><published>2009-07-02T13:32:00.017-04:00</published><updated>2009-07-02T14:54:35.045-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='mac'/><title type='text'>Unsung tools - Raptor Forensics</title><content type='html'>Every so often you come across tools that get very little press.  
One such tool, in my humble opinion, is the &lt;a href="http://www.raptorforensics.com/Raptor_by_Forward_Discovery/Raptor_Download.html"&gt;Raptor Forensics bootable CD&lt;/a&gt; from the fine folks at &lt;a href="http://forwarddiscovery.com/"&gt;Forward Discovery&lt;/a&gt;.  In short, this CD needs to be in your toolkit if it isn't already.&lt;br /&gt;&lt;br /&gt;One of the most popular questions I see is "How do I acquire a MacBook Air?".  While I'll try to address that question specifically, I want to widen the scope because it applies to any Mac system that needs to be imaged.&lt;br /&gt;&lt;br /&gt;When dealing with a MacBook Air your options are somewhat limited.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;There's no FireWire&lt;/li&gt;&lt;li&gt;There's no network card (unless you use the USB port)&lt;/li&gt;&lt;/ul&gt;What's an investigator to do?&lt;br /&gt;&lt;br /&gt;Well, obviously, if the box is on you can use &lt;a href="http://www.f-response.com/index.php?option=com_content&amp;amp;task=view&amp;amp;id=90&amp;amp;Itemid=9"&gt;F-Response&lt;/a&gt; to acquire it rather quickly.  You can only do this, however, if you have the proper credentials.&lt;br /&gt;&lt;br /&gt;What if you're going in clandestinely?  What if the system is handed to you and it's off?  
This is where the Raptor Forensics bootable CD comes in.&lt;br /&gt;&lt;br /&gt;Burn the ISO.&lt;br /&gt;Attach a powered USB hub to the MacBook Air.&lt;br /&gt;Attach a USB target drive formatted however you see fit (though you can do this within Raptor).&lt;br /&gt;Attach a USB CD drive.&lt;br /&gt;Insert the CD.&lt;br /&gt;Boot the Mac while holding down 'c'.&lt;br /&gt;The environment will boot.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz8u7bpi-I/AAAAAAAAASw/nHus-E_KtUE/s1600-h/boot.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 362px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz8u7bpi-I/AAAAAAAAASw/nHus-E_KtUE/s400/boot.png" alt="" id="BLOGGER_PHOTO_ID_5353931940194520034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;After the system boots, click on the Raptor Toolbox.  When it opens you'll see the following.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_sisOS0kCuPo/Skz9A5zT_xI/AAAAAAAAAS4/6_561vnvA7k/s1600-h/toolbox1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 283px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/Skz9A5zT_xI/AAAAAAAAAS4/6_561vnvA7k/s400/toolbox1.png" alt="" id="BLOGGER_PHOTO_ID_5353932248994545426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This is where my biggest problem with the tool originates.  The workflow from left to right is all out of whack.  In order to acquire an image, you need to mount the target drive.  In order to mount the target drive it needs to be formatted.  In order to be formatted it should be wiped.  
Now, you've probably already done this, but in my opinion, and in terms of workflow in this toolkit, it should be changed.&lt;br /&gt;&lt;br /&gt;That said, let's format and mount a target drive.  First, click the 'format' tab.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_sisOS0kCuPo/Skz-JlXflhI/AAAAAAAAATQ/zAcrWG2Ir8M/s1600-h/format.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 153px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/Skz-JlXflhI/AAAAAAAAATQ/zAcrWG2Ir8M/s400/format.png" alt="" id="BLOGGER_PHOTO_ID_5353933497639605778" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Next, click the 'mount' tab and select your target device.  You'll want it to be read/write.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz9zFKgcLI/AAAAAAAAATA/rDQnlSP2PIc/s1600-h/mount_targetdrive.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 114px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz9zFKgcLI/AAAAAAAAATA/rDQnlSP2PIc/s400/mount_targetdrive.png" alt="" id="BLOGGER_PHOTO_ID_5353933111038079154" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Great!  Now that it's formatted and mounted, let's acquire something!&lt;br /&gt;&lt;br /&gt;In this case I'm imaging a USB key, but it works just fine for the MacBook Air and other Macs.  Since everything is point and click, it's a pretty straightforward process.  
Just select the source, target and name, make sure you select 'verify', and then Start.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_sisOS0kCuPo/Skz-wrcLSXI/AAAAAAAAATY/Eik3BK3gWW0/s1600-h/acquire.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 275px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/Skz-wrcLSXI/AAAAAAAAATY/Eik3BK3gWW0/s400/acquire.png" alt="" id="BLOGGER_PHOTO_ID_5353934169284757874" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;An imaging window will appear, as well as a verification window (which looks the same) when the time comes.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz_TS_PVQI/AAAAAAAAATg/vaODIAtSyDA/s1600-h/imaging.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 35px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/Skz_TS_PVQI/AAAAAAAAATg/vaODIAtSyDA/s400/imaging.png" alt="" id="BLOGGER_PHOTO_ID_5353934764016358658" border="0" /&gt;&lt;/a&gt;Once acquisition and verification complete, you'll see a nice log window appear that shows the acquisition command line and hashes.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_sisOS0kCuPo/Skz_7zKbD6I/AAAAAAAAATo/tUdKwF9wptA/s1600-h/logfile.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 283px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/Skz_7zKbD6I/AAAAAAAAATo/tUdKwF9wptA/s400/logfile.png" alt="" id="BLOGGER_PHOTO_ID_5353935459847966626" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;And it's just that simple.  Hopefully this helps those in need.  
Raptor Forensics is a great utility to include in your kit and there are 239 reasons it's better than &lt;a href="http://www.e-fense.com/store/index.php?main_page=product_info&amp;amp;cPath=1&amp;amp;products_id=2"&gt;Helix&lt;/a&gt; for this purpose.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4695897257725946151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4695897257725946151&amp;isPopup=true' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4695897257725946151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4695897257725946151'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/07/unsung-tools-raptor-forensics.html' title='Unsung tools - Raptor Forensics'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/Skz8u7bpi-I/AAAAAAAAASw/nHus-E_KtUE/s72-c/boot.png' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-865582686468209989</id><published>2009-06-20T20:23:00.016-04:00</published><updated>2009-06-21T16:29:50.176-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='procedures'/><category 
scheme='http://www.blogger.com/atom/ns#' term='methodology'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>What do you seek?</title><content type='html'>If you work in this field long enough you will come across a situation where you need to justify your methodology.  You will be asked to show why you need to look at all of the data points you look at.  It's par for the course.  When I get asked to do this I respond simply by asking the following question in return.&lt;br /&gt;&lt;br /&gt;Do you seek an answer or do you seek the truth?&lt;br /&gt;&lt;br /&gt;This question tends to make the doubter pause.  When you are staring a potentially damaging case in the face, do you seek an answer or do you seek the truth?  More importantly, do the decision makers seek an answer or the truth? &lt;br /&gt;&lt;br /&gt;There is a school of thought out there that says if any file containing sensitive data is accessed after the system is compromised, then analysis should stop right there, a line should be drawn, and anything accessed after the compromise date should be notified upon.  I talked about it back in December when discussing &lt;a href="http://forensicir.blogspot.com/2008/12/footprints-in-snow.html"&gt;footprints in the snow&lt;/a&gt;.  Think on that for a moment.  If a system in your organization is compromised and you run an antivirus scan and trample on access times, it means you're done, you're notifying, and you're going to have a lot to answer for when your customers get a hold of you.  You will not have given the case its due diligence.&lt;br /&gt;&lt;br /&gt;In just a second you'll see a graph that I generated.  It shows file system activity based on a &lt;a href="http://sleuthkit.org/"&gt;mactime&lt;/a&gt; summary file.  Take a few moments to analyze the graph. *I did have to truncate the data set.  
There were hundreds of thousands of files touched on 5/12*&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_sisOS0kCuPo/Sj2nYLPQaQI/AAAAAAAAASg/7veJdxZlMdI/s1600-h/Filesystemactivity.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 190px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/Sj2nYLPQaQI/AAAAAAAAASg/7veJdxZlMdI/s400/Filesystemactivity.png" alt="" id="BLOGGER_PHOTO_ID_5349615966161496322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Does it tell you anything?  Imagine the system were compromised on 5/5/09.  There are a few things that should stand out almost immediately, such as the dramatic increase in file system activity beginning on 5/11 and continuing through 5/12.  Or, more simply, that there is a story to be told here. &lt;br /&gt;&lt;br /&gt;Do you seek an answer or the truth?&lt;br /&gt;&lt;br /&gt;A person in search of an answer is going to get a response of "ZOMG the attacker stole a lot of data and you're notifying on every single file contained on the system that contains PII data".  If you seek an answer you are not interested in the story that needs to be told, you are not interested in any of the details of the case.  You want simply to put the matter to rest, get it behind you and move on to the next case that will be decided by the uninformed.&lt;br /&gt;&lt;br /&gt;A truth seeker will ask what happened on 5/11 and 5/12.  A truth seeker will interview key individuals, a truth seeker will evaluate the log files present on the system and many other data points to determine what the cause was.  
A truth seeker will want to hear the story based on your expert opinion, which you reached by examining all sources of data.&lt;br /&gt;&lt;br /&gt;A truth seeker will take interest upon hearing that the system administrator not only scanned the hard drive for malware, but copied hundreds of thousands of files from the drive.  A truth seeker will want to see the keystroke log files.  A truth seeker will thank you for decrypting the configuration file and output used by the attacker to determine intent and risk.  A truth seeker will ask you to look at network logs and a variety of other sources of data to reach a conclusion and render an opinion. &lt;br /&gt;&lt;br /&gt;So, the next time someone questions your methodology, ask them if they want an answer or the truth.  If all they want is an answer, more power to them; ignorance is bliss after all, but there is always a story to be told.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/865582686468209989/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=865582686468209989&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/865582686468209989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/865582686468209989'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/what-do-you-seek.html' title='What do you seek?'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_sisOS0kCuPo/Sj2nYLPQaQI/AAAAAAAAASg/7veJdxZlMdI/s72-c/Filesystemactivity.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7436352288711978318</id><published>2009-06-20T13:36:00.000-04:00</published><updated>2009-06-21T13:36:33.354-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Reviews'/><title type='text'>Windows Forensic Analysis 2E - a review</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_sisOS0kCuPo/Sj5u4Ru0-fI/AAAAAAAAASo/T1Ilkm0Jm2A/s1600-h/41e45BUGbxL._SL500_AA240_.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 240px; height: 240px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/Sj5u4Ru0-fI/AAAAAAAAASo/T1Ilkm0Jm2A/s320/41e45BUGbxL._SL500_AA240_.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5349835320474270194" /&gt;&lt;/a&gt;&lt;br /&gt;In ancient times, when philosophers and scientists gathered to discuss and debate important topics, people would travel for weeks and months to arrive, just to hear the debates.  To listen to the great minds of the time, to learn from them, and on occasion ask questions.  In 2009 that trend continues, though in a different fashion.&lt;br /&gt;&lt;br /&gt;In the case of Windows Forensic Analysis we are fortunate enough to have Harlan Carvey.  He has a deep well of knowledge to pull from and he continues to pull buckets of information out of the well to keep us all well hydrated.  I was honored to read this book, and it's my privilege to write a review.  It's the least I could do.&lt;br /&gt;&lt;br /&gt;It's a text book, it's a field manual, it's reference material.  
This is &lt;a href="http://www.amazon.com/gp/product/1597494224/ref=pd_lpo_k2_dp_sr_1?pf_rd_p=304485901&amp;amp;pf_rd_s=lpo-top-stripe-1&amp;amp;pf_rd_t=201&amp;amp;pf_rd_i=159749156X&amp;amp;pf_rd_m=ATVPDKIKX0DER&amp;amp;pf_rd_r=1MZTPSW71ZJBV9JQHT2N"&gt;Windows Forensic Analysis Second Edition&lt;/a&gt; and it's the best damn book on the planet for Windows Forensics.   I thought I liked the first edition and then I read the second.&lt;br /&gt;&lt;br /&gt;It's been updated to be sure, but it's also been expanded.  There's current information contained in the over 400 pages of content.  There are case studies, there are details you won't find elsewhere. &lt;br /&gt;&lt;br /&gt;Want to know how to dump memory and collect volatile data?  It's in the book.&lt;br /&gt;Can't recall which tool has certain limitations or what the tool can do?  It's in the book.&lt;br /&gt;Want to know how to analyze volatile data?  It's in the book.&lt;br /&gt;Want to learn how the registry works?  It's in the book.&lt;br /&gt;Want to know how to do Windows Forensic Analysis?  Read this book.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I've watched the forums and mailing lists since the first edition of the book was released two years ago.  Time after time I read the questions being asked and went to the book.  In an overwhelming majority of cases, the answer was there.  To those of you that asked these questions, do yourself a favor.  Go to the bookstore, or online store, and buy the book, read it, highlight it, dog-ear pages for reference.  Make use of the knowledge that has been shared; your clients deserve it. 
&lt;br /&gt;&lt;br /&gt;In ancient times, people would travel for weeks or months to listen and learn from the greats...all you have to do is spend a little money and open the book.</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7436352288711978318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7436352288711978318&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7436352288711978318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7436352288711978318'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/windows-forensic-analysis-2e-review.html' title='Windows Forensic Analysis 2E - a review'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/Sj5u4Ru0-fI/AAAAAAAAASo/T1Ilkm0Jm2A/s72-c/41e45BUGbxL._SL500_AA240_.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7673897643443824951</id><published>2009-06-18T23:01:00.008-04:00</published><updated>2009-06-18T23:52:18.085-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='triage'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident 
Response'/><title type='text'>The need for speed</title><content type='html'>When it comes to incident response we are still struggling to close the gap.  It's been mentioned here before, and in other places.  When a compromise occurs, how quickly do you get to analyze the compromise? Hours, days?  Sometimes even weeks!&lt;br /&gt;&lt;br /&gt;And when you do get your hands on a system what are you left with?  A lot of trampled data points and an incomplete data set.  And what kind of time frame are we talking about to conduct the analysis, just to make a cut as to whether or not it passes the "who cares" test?  Consider the time it takes to acquire and process an image in FTK or Encase.  This is commonly referred to as machine time, and it's not uncommon to have too many systems locked up in machine time while the analyst waits for the case to process.  And then of course you have the report writing part of the process.  All told this takes an average of 20-40 hours per case, often more.  That amounts to two bottlenecks in the process.&lt;br /&gt;&lt;br /&gt;The two primary bottlenecks are&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The time it takes to get to the point where analysis data points are collected, processed and analyzed.  A lot of time is wasted while the analyst waits for "machine time" to complete.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The time it takes to generate a report.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;This is the traditional model and its inefficiencies.  
If this doesn't make sense, perhaps the picture below will help.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SjsFxIIx4MI/AAAAAAAAASQ/UvzJiVr1aqE/s1600-h/traditional.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 340px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SjsFxIIx4MI/AAAAAAAAASQ/UvzJiVr1aqE/s400/traditional.png" alt="" id="BLOGGER_PHOTO_ID_5348875323988631746" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So now let's look at a model that involves a triage phase.&lt;br /&gt;&lt;br /&gt;By including a triage process that collects primary analysis data points while the system is live, we gain efficiency by working in parallel.  Collection of primary data points can be largely automated.  The analyst can then focus on analysis of the collected data points while the traditional acquisition and case processing takes place.  Essentially, changing the model puts all available resources, human time and machine time, to use at the same time. &lt;br /&gt;&lt;br /&gt;The benefits of this model are&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Not always having to acquire a disk image.  If the "who cares" test isn't passed with the data points that are collected early, then you can easily move on.&lt;/li&gt;&lt;li&gt;This is a one-to-many relationship.  
An analyst can quickly collect data points from several systems and conduct triage analysis instead of waiting for a linear acquisition process to progress.&lt;/li&gt;&lt;li&gt;It uses all available resources at the same time instead of waiting on one component to complete.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Here is another illustration.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/SjsJBeWy9XI/AAAAAAAAASY/AiUDYdVVYqg/s1600-h/triage.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 398px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/SjsJBeWy9XI/AAAAAAAAASY/AiUDYdVVYqg/s400/triage.png" alt="" id="BLOGGER_PHOTO_ID_5348878903365793138" border="0" /&gt;&lt;/a&gt;Again...it's not like this is built around F-response or anything.  I'm not saying..I'm just saying.&lt;br /&gt;&lt;br /&gt;What are your thoughts?  
I *am* looking for feedback.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7673897643443824951?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7673897643443824951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7673897643443824951&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7673897643443824951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7673897643443824951'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/need-for-speed.html' title='The need for speed'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SjsFxIIx4MI/AAAAAAAAASQ/UvzJiVr1aqE/s72-c/traditional.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4717293719269936120</id><published>2009-06-17T22:30:00.004-04:00</published><updated>2009-06-17T22:57:07.989-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Active Directory Snapshots</title><content type='html'>With Vista, Microsoft finally made proper use of Volume Shadow Copy and the Volume Shadow Copy Service.  A lot of great work was done to help others use this during analysis.  
Server 2008 continues this model but applies it to Active Directory. Sounds cool, eh?&lt;br /&gt;&lt;br /&gt;First off, let me say that this is well known to sysadmins, but I'm fairly certain it's not well known in this part of the industry.  I've not seen it discussed on any list or forum I pay attention to, at least.&lt;br /&gt;&lt;br /&gt;For background - Read these pages &lt;a href="http://technet.microsoft.com/en-us/library/cc753609%28WS.10%29.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://www.petri.co.il/working-active-directory-snapshots-windows-server-2008.htm"&gt;here&lt;/a&gt;...I'll wait.&lt;br /&gt;&lt;br /&gt;And now, go read this page &lt;a href="http://www.petri.co.il/mounting-vhd-files-with-vhdmount.htm"&gt;here&lt;/a&gt;....I'll wait for you again.&lt;br /&gt;&lt;br /&gt;So, now that you've read about creating Active Directory Snapshots and how to mount a VHD file in Windows, let's discuss it.&lt;br /&gt;&lt;br /&gt;When performing incident response in an Active Directory environment, you're most likely going to want to look at a domain controller, especially if the domain controller is compromised, or there is something funky happening in the directory itself.  Any self-respecting sysadmin is going to have a regular system state backup of the domain controller.  This is done so restores can occur if objects are inadvertently deleted, and also as a good practice.  In Server 2008, this backup is stored as a .VHD file.  
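That backup is valuable to a responder precisely because it allows a point-in-time answer to "what changed": a copy of the directory from before the incident diffed against a snapshot taken after it. The following is an added example, not code from this post and not Sysinternals AD Explorer (which performs the same comparison in its GUI). It compares two directory exports object by object and attribute by attribute, then pushes new objects and changes to access-relevant attributes to the top of the list. It assumes both copies of the directory have already been read over LDAP into plain dictionaries keyed by distinguishedName; that export step is not shown, and BEFORE, AFTER, their DNs and attribute values are constructed for illustration.

```python
"""Point-in-time diff of two Active Directory exports (added example).

Assumes both copies of the directory (the mounted backup and the snapshot
taken after the compromise was suspected) were exported over LDAP into
distinguishedName -> {attribute: value or list of values}. The sample
objects at the bottom are constructed.
"""
from typing import Dict, List, Set, Tuple, Union

Attrs = Dict[str, Union[str, List[str]]]
Snapshot = Dict[str, Attrs]
Change = Tuple[str, str, str, Tuple[tuple, tuple]]  # kind, dn, attr, (removed, added)

# Attributes an intruder typically touches to gain or keep access; changes to
# these are reported before anything else.
HIGH_VALUE = {"member", "useraccountcontrol", "admincount", "primarygroupid",
              "serviceprincipalname", "scriptpath", "msds-allowedtodelegateto"}


def _norm(attrs: Attrs) -> Dict[str, Set[str]]:
    """Lower-case attribute names and treat every value as a set, so that
    multi-valued attributes such as member compare order-independently."""
    out: Dict[str, Set[str]] = {}
    for name, value in attrs.items():
        values = value if isinstance(value, (list, tuple, set)) else [value]
        out[name.lower()] = set(str(v) for v in values)
    return out


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """One record per added object, removed object, or changed attribute."""
    changes: List[Change] = []
    for dn in sorted(set(before) | set(after), key=str.lower):
        old_obj, new_obj = before.get(dn), after.get(dn)
        if old_obj is None:
            changes.append(("added", dn, "*", ((), tuple(sorted(_norm(new_obj))))))
        elif new_obj is None:
            changes.append(("removed", dn, "*", (tuple(sorted(_norm(old_obj))), ())))
        else:
            old, new = _norm(old_obj), _norm(new_obj)
            for attr in sorted(set(old) | set(new)):
                o, n = old.get(attr, set()), new.get(attr, set())
                if o != n:
                    changes.append(("changed", dn, attr,
                                    (tuple(sorted(o - n)), tuple(sorted(n - o)))))
    return changes


def prioritize(changes: List[Change]) -> List[Change]:
    """New objects first, then high-value attribute changes, then the rest.
    sorted() is stable, so DN order is preserved within each rank."""
    def rank(c: Change) -> int:
        kind, _, attr, _ = c
        if kind == "added":
            return 0
        return 1 if attr in HIGH_VALUE else 2
    return sorted(changes, key=rank)


# Constructed sample: "before" from the mounted backup, "after" from a
# snapshot taken once the compromise was suspected.
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
JS = "CN=jsmith,CN=Users,DC=corp,DC=example"
SVC = "CN=svc_backup,CN=Users,DC=corp,DC=example"
AUD = "CN=AUDITLOG01,CN=Computers,DC=corp,DC=example"

BEFORE: Snapshot = {
    DA:  {"member": ["CN=Administrator,CN=Users,DC=corp,DC=example"], "adminCount": "1"},
    JS:  {"userAccountControl": "512", "servicePrincipalName": []},
    AUD: {"operatingSystem": "Windows Server 2008"},
}
AFTER: Snapshot = {
    DA:  {"member": ["CN=Administrator,CN=Users,DC=corp,DC=example", SVC], "adminCount": "1"},
    JS:  {"userAccountControl": "66048", "servicePrincipalName": []},  # DONT_EXPIRE_PASSWD set
    SVC: {"userAccountControl": "66048", "adminCount": "1"},           # new account
}


def report(before: Snapshot = BEFORE, after: Snapshot = AFTER) -> List[Change]:
    return prioritize(diff_snapshots(before, after))


if __name__ == "__main__":
    for kind, dn, attr, (gone, came) in report():
        print(f"{kind:8} {dn}\n         {attr}: -{list(gone)} +{list(came)}")
```

On the constructed data the report leads with the new svc_backup account, then its addition to Domain Admins and the userAccountControl change on jsmith, and ends with the computer object that disappeared. The same ordering makes a real diff readable when the two exports differ in hundreds of routine attributes such as lastLogon.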
In a response scenario involving AD, we want to maintain our methodology of not modifying the system any more than we have to, so we don't want to work on a live copy of Active Directory; we want to work from a snapshot of it.&lt;br /&gt;Here's a pseudo scenario.&lt;br /&gt;&lt;br /&gt;A compromise is believed to have occurred in Active Directory.&lt;br /&gt;Logging was disabled by the attacker on the domain controller, or the attacker covered his tracks in the logs.&lt;br /&gt;You have been tasked with figuring out what was changed.&lt;br /&gt;You have a recent system state backup.&lt;br /&gt;You mount the system state backup and recover the AD core files (ntds.dit and its log files) from it.&lt;br /&gt;You create an Active Directory Snapshot of the current state with ntdsutil and mount it, which gives you a second, read-only copy of ntds.dit without touching the live database.&lt;br /&gt;You expose each copy on its own LDAP port with dsamain (the Database Mounting Tool), because AD Explorer reads a directory over LDAP rather than opening an ntds.dit file directly.&lt;br /&gt;You load up Sysinternals &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx"&gt;Active Directory Explorer&lt;/a&gt;, take an AD Explorer snapshot of each mounted copy, and diff the two with its Compare function.&lt;br /&gt;You now have a smaller dataset to work with and you have a point-in-time diff of "what changed".&lt;br /&gt;&lt;br /&gt;I'll be putting this together in a more formal manner, but I wanted to throw this out there for anyone that deals in Active Directory compromises, especially with Server 2008 domain controllers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4717293719269936120?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4717293719269936120/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4717293719269936120&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4717293719269936120'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4717293719269936120'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/active-directory-snapshots.html' title='Active Directory Snapshots'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1445628596380390946</id><published>2009-06-17T15:28:00.009-04:00</published><updated>2009-06-17T15:54:20.764-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Memory acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='first responder'/><title type='text'>Memory Acquisition for First Responders</title><content type='html'>Not long ago I sat down with a group of First Responders to discuss triage of security incidents.  I discussed leaving the network connection up so I could remotely access the drive and physical memory.  Their response is one that I expect many to have come across.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"If we leave the system up, even if we tell the user to not use the computer, the minute we walk away, the computer will be used."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That was kind of interesting to me considering what's at stake but I completely understood their point of view.  Too many organizations can't trust their users.  So then I thought hmmm....well memory acquisition has come so far so fast that I can simply teach tech staff at any level to collect physical memory.  
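Whatever tool the responder is handed, the one step that cannot be skipped is recording the hash of the image the moment it is written, so that the copy an examiner later works from can be proven to be the one collected. The following is an added example, not part of the original post and not ManTech code. It assumes the acquisition tool has already written memorydump.img into the case directory (E:\00000 in the write-up that follows) and that the responder has copied the MD5 the tool printed; the manifest file name, the function names and the 3-byte sample image in self_check() are the example's own.

```python
"""Hash a first-responder memory image and keep a manifest beside it
(added example; not from the original post, not part of ManTech's mdd).

Assumes the acquisition tool has already written memorydump.img into the
case directory. The functions stream the image through the hashers, write a
JSON manifest next to it, and re-verify the image later against the manifest
and against the MD5 the tool itself printed.
"""
import hashlib
import json
import os
import platform
import tempfile
import time


def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Stream the file through every hasher; an image can be several GB, so
    it is never read into memory in one piece."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, case_id, collector):
    """Record who collected what, when, on which host, and its digests."""
    manifest = {
        "case": case_id,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "host": platform.node(),
        **hash_file(image_path),
    }
    manifest_path = image_path + ".manifest.json"   # hypothetical naming convention
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def verify_manifest(image_path, manifest_path=None, tool_md5=None):
    """Re-hash the image and compare it with the manifest; optionally also
    with the MD5 the acquisition tool printed. Returns (ok, problems)."""
    manifest_path = manifest_path or image_path + ".manifest.json"
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    problems = []
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        problems.append("size mismatch")
    digests = hash_file(image_path)
    for name in ("md5", "sha256"):
        if digests[name] != manifest[name]:
            problems.append(f"{name} mismatch")
    if tool_md5 is not None and tool_md5.lower() != manifest["md5"]:
        problems.append("tool-reported md5 does not match manifest")
    return (not problems, problems)


def self_check():
    """Round trip on a constructed 3-byte 'image' (b'abc'): hash with a tiny
    chunk size to cross a chunk boundary, verify, then alter the file and
    verify again."""
    with tempfile.TemporaryDirectory() as case_dir:
        img = os.path.join(case_dir, "memorydump.img")
        with open(img, "wb") as fh:
            fh.write(b"abc")                       # constructed, not a real dump
        digests = hash_file(img, chunk=2)
        write_manifest(img, "00000", "first responder")
        ok, _ = verify_manifest(img, tool_md5=digests["md5"].upper())
        with open(img, "ab") as fh:
            fh.write(b"\x00")                     # simulate a truncated or altered copy
        tampered_ok, problems = verify_manifest(img)
    return {"md5": digests["md5"], "sha256": digests["sha256"],
            "ok": ok, "tampered_ok": tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(self_check())
```

The tool's own MD5 is what the responder writes into memorydump.md5; the manifest adds SHA-256, size, time and host so that a later mismatch can be narrowed to a bad copy rather than a bad acquisition.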
With targeted training and proper documentation it's a fairly straightforward process to follow on contained systems.&lt;br /&gt;&lt;br /&gt;Here's a sample from a doc I drafted detailing use of mdd from ManTech.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;"&gt;ManTech DD (MDD)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Limitations:&lt;/span&gt;&lt;br /&gt;Less than 4GB memory&lt;br /&gt;32 bit Windows Operating System&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Installation&lt;/span&gt;&lt;br /&gt;Download mdd from &lt;a href="http://www.mantech.com/msma/mdd.asp"&gt;Mantech&lt;/a&gt;&lt;br /&gt;You can download the standalone executable (recommended) or a .zip file.&lt;br /&gt;Copy the file(s) to a directory on your USB key&lt;br /&gt;Rename the mdd executable to mdd.exe&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Usage&lt;/span&gt;&lt;br /&gt;Log in to the compromised system&lt;br /&gt;Insert USB drive&lt;br /&gt;Create a directory for the incident on the USB key or SMB share (the destination needs free space at least equal to the system's physical RAM, and must never be the system's own disk)&lt;br /&gt;Open the trusted command prompt for the operating system&lt;br /&gt;Change directories to where mdd is installed&lt;br /&gt;Execute mdd&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Command line&lt;/span&gt;&lt;br /&gt;E:\IR\mdd&gt;mdd.exe -o E:\00000\memorydump.img&lt;br /&gt;&lt;br /&gt;Where 00000 is the case number you've been given.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Notes&lt;/span&gt;&lt;br /&gt;Mdd computes and prints an MD5 hash of the memory dump it wrote.  It’s important to capture this information.  You can take a screenshot of the window using Ctrl+Alt+Print Screen or copy/paste from within the command line to a text file.  Both forms of output are acceptable.  Save this file as memorydump.md5&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Training first responders to do a memory acquisition is much easier these days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1445628596380390946?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1445628596380390946/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1445628596380390946&amp;isPopup=true' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1445628596380390946'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1445628596380390946'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/memory-acquisition-for-first-responders.html' title='Memory Acquisition for First 
Responders'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4637995539783105942</id><published>2009-06-17T14:52:00.010-04:00</published><updated>2009-06-17T16:04:45.625-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='triage'/><category scheme='http://www.blogger.com/atom/ns#' term='F-Response'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='mass casualty incident'/><title type='text'>START methodology</title><content type='html'>&lt;a href="http://en.wikipedia.org/wiki/Triage"&gt;START&lt;/a&gt; is a methodology applied to Mass Casualty Incidents or triage centers and frequently it is applied to battlefield medicine.  START stands for Simple Triage and Rapid Treatment.  I will focus primarily on Mass Casualty Incidents and triage centers.  This methodology has a direct tie to &lt;a href="http://forensicir.blogspot.com/2009/01/golden-hour.html"&gt;The Golden Hour&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It is my humble opinion that START can be applied easily to Computer Security Incidents, those of both the mass casualty and triage center variety. In a Mass Casualty Incident you are typically confronted by several potential issues ranging from sensitivity of data to criticality of the resource and the threat posed by the compromise.  These casualties come from all sides of the organization.  
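The Stage 1 step labelled "FLS &amp; MACTIME" in the adapted methodology means running fls against the live (or F-Response-mounted) disk and turning the body file it writes into a timeline, which is what lets the responder establish a time of compromise without waiting for a full image. The block below is an added example, neither code from this post nor The Sleuth Kit's own mactime. It assumes the TSK 3.x body format produced by `fls -r -m C: <image>`, and SAMPLE_BODY, with its file names, inodes and epoch times, is constructed for illustration; the pivot time of 1244929800 is likewise made up.

```python
"""mactime-style timeline from an fls body file, cut down to the window
around a suspected compromise time (added example, not TSK's mactime).

Body format (TSK 3.x), one line per file system entry:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Times are epoch seconds; 0 means the timestamp is not present.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from typing import List

Event = namedtuple("Event", "time macb mode uid gid size inode name")

# Constructed sample: names, inodes and times are made up.
SAMPLE_BODY = """\
0|C:/WINDOWS/system32/svchost.exe|12345|r/rrwxrwxrwx|0|0|14336|1244900000|1218000000|1218000000|1218000000
0|C:/WINDOWS/system32/dropped.dll|67890|r/rrwxrwxrwx|0|0|165376|1244929800|1244929800|1244929800|1244929800
0|C:/WINDOWS/Prefetch/RUNDLL32.EXE-00000000.pf|67891|r/rrwxrwxrwx|0|0|23456|1244929860|1244929860|1244929860|1244929810
0|C:/Documents and Settings/jsmith/My Documents/budget.xls|22222|r/rrwxrwxrwx|0|0|51200|1244800000|1240000000|1240000000|1239000000
"""


def parse_body(text: str) -> List[Event]:
    """One Event per (entry, distinct timestamp). The macb column marks which
    of mtime/atime/ctime/crtime fired at that instant, as mactime prints it."""
    events = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {raw!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        stamps = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
        by_time = {}
        for letter, ts in stamps.items():
            if ts:                                   # 0 = timestamp not present
                by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            events.append(Event(datetime.fromtimestamp(ts, timezone.utc), macb,
                                mode, uid, gid, int(size), inode, name))
    return sorted(events, key=lambda e: (e.time, e.name))


def triage_window(text: str, pivot_epoch: int,
                  before: timedelta = timedelta(minutes=30),
                  after: timedelta = timedelta(hours=2)) -> List[Event]:
    """Events from shortly before the suspected compromise until a while
    after it: the slice an analyst reads first."""
    pivot = datetime.fromtimestamp(pivot_epoch, timezone.utc)
    return [e for e in parse_body(text) if pivot - before <= e.time <= pivot + after]


def render(events: List[Event]) -> List[str]:
    """Columns in mactime's order: date, size, MACB, mode, uid, gid, inode, name."""
    return [f"{e.time:%a %b %d %Y %H:%M:%S} {e.size:>9} {e.macb} {e.mode} "
            f"{e.uid:>4} {e.gid:>4} {e.inode:>7} {e.name}" for e in events]


if __name__ == "__main__":
    # 1244929800 is the constructed time of compromise (2009-06-13 21:50 UTC)
    print("\n".join(render(triage_window(SAMPLE_BODY, 1244929800))))
```

On the sample, the window shows the dropped DLL with all four timestamps at the pivot (a freshly created file) followed ten seconds later by the creation and then the update of a rundll32 prefetch entry, while svchost.exe and the user's spreadsheet fall outside the window and stay out of the analyst's way until Stage 2.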
The same holds true when you have an influx of dissimilar incidents and you need to prioritize them - think the ER at a major hospital on a warm Friday or Saturday night.&lt;br /&gt;&lt;br /&gt;That said, I humbly present my adapted START methodology.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/Sjk9K7wyLAI/AAAAAAAAASA/vrFWFRcf3oU/s1600-h/triagecolors.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 235px; height: 361px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/Sjk9K7wyLAI/AAAAAAAAASA/vrFWFRcf3oU/s400/triagecolors.png" alt="" id="BLOGGER_PHOTO_ID_5348373290529467394" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Stage 1 Triage&lt;/span&gt;&lt;br /&gt;Stage 1 triage is completed on a live system.  This stage requires a network connection.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conduct Rapid Triage&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Collect Volatile Data&lt;/li&gt;&lt;li&gt;PII search of non-system-created directories&lt;/li&gt;&lt;li&gt;Limited malware scan&lt;/li&gt;&lt;li&gt;FLS &amp;amp; MACTIME&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conduct Rapid Assessment&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Preliminary memory analysis&lt;/li&gt;&lt;li&gt;Review PII tool logs&lt;/li&gt;&lt;li&gt;Review antimalware logs&lt;/li&gt;&lt;li&gt;Review FLS &amp;amp; MACtime logs&lt;/li&gt;&lt;li&gt;Establish Time of Compromise&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Influential factors in Stage 1 &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt; MADtime&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;ul&gt;&lt;li&gt;MAD time is the Maximum Allowable Downtime: how long an organization can withstand the loss of a resource.  Or, more to the point, the time it takes for someone to get pissed off (MAD).&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Initial Threat assessment&lt;/span&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Is it known&lt;/li&gt;&lt;li&gt;Identify any knowns&lt;/li&gt;&lt;li&gt;Is it attacking other systems&lt;/li&gt;&lt;li&gt;Is it spreading&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Initial Risk assessment&lt;/span&gt;&lt;ul&gt;&lt;li&gt;Sensitive Data presence&lt;/li&gt;&lt;li&gt;System Profile&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;"&gt;Stage 2 Triage&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Stage 2 triage is completed on a disk image, either after Stage 1 has been completed or in place of Stage 1 when a physical drive is delivered or acquired from an unpowered system.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conduct Rapid Triage&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;PII search of the disk image&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Data point collection&lt;/li&gt;&lt;/ul&gt;&lt;ol&gt;&lt;li&gt;Network Logs&lt;/li&gt;&lt;li&gt;Prefetch&lt;/li&gt;&lt;li&gt;Registry&lt;/li&gt;&lt;li&gt;Browser History&lt;/li&gt;&lt;li&gt;MACtime data&lt;/li&gt;&lt;li&gt;Malware scan&lt;/li&gt;&lt;li&gt;Event Logs&lt;/li&gt;&lt;li&gt;Application Logs&lt;/li&gt;&lt;/ol&gt;Log the case and turn it over for analysis.  The combination of the above data points is more than enough to get an examiner started.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This sure looks like a case for &lt;a href="http://www.f-response.com/"&gt;F-response&lt;/a&gt;, especially if you combine Stage 1 and Stage 2 triage...I'm not saying I built this around it or anything...I'm just saying.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4637995539783105942?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4637995539783105942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4637995539783105942&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4637995539783105942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4637995539783105942'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/start-methodology.html' title='START 
methodology'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_sisOS0kCuPo/Sjk9K7wyLAI/AAAAAAAAASA/vrFWFRcf3oU/s72-c/triagecolors.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-6144973195635329673</id><published>2009-06-17T13:21:00.012-04:00</published><updated>2009-06-17T15:52:06.357-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='conficker'/><category scheme='http://www.blogger.com/atom/ns#' term='responder pro'/><title type='text'>Responder Pro use case</title><content type='html'>And then Conficker woke up...&lt;br /&gt;&lt;br /&gt;It was April 10th and there was a bad moon rising.  Three systems (one laptop, two desktops) woke up, updated and began attacking the network infrastructure at a customer site.  Within minutes, hundreds of accounts were locked out.  Within hours, all were locked out.  After the initial screams for help and DoS complaints I got onsite, got the interview out of the way and was off to do the field work.&lt;br /&gt;&lt;br /&gt;After collecting memory dumps - using FastDump Pro - I went back to the office of the local system administrator and fired up my Mac and my XP virtual machine with Responder Pro installed.&lt;br /&gt;&lt;br /&gt;After running the memory dumps through Responder Pro I did a quick analysis and compare and contrast.  The questions I had to answer immediately were "HOW the hell did this happen?" 
and "HOW do we prevent it from happening again?"&lt;br /&gt;&lt;br /&gt;I won't bore you with gritty details.&lt;br /&gt;&lt;br /&gt;To answer the first question of "HOW the hell did this happen?"  let's take a look.  Two desktop systems and one laptop.  I had my suspicions but me being me..I had to know.  Using DDNA I quickly identified the injected svchost.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/Sjkw90Bv1mI/AAAAAAAAARY/OlNbQlz-xeU/s1600-h/conficker_responderpro.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 326px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/Sjkw90Bv1mI/AAAAAAAAARY/OlNbQlz-xeU/s400/conficker_responderpro.jpg" alt="" id="BLOGGER_PHOTO_ID_5348359870975301218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Next I quickly viewed the strings of the binary.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/SjkxaURc6BI/AAAAAAAAARg/D3-jKy5WjvM/s1600-h/conficker_responderpro_memorymod.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 300px; height: 400px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/SjkxaURc6BI/AAAAAAAAARg/D3-jKy5WjvM/s400/conficker_responderpro_memorymod.jpg" alt="" id="BLOGGER_PHOTO_ID_5348360360667441170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Note the telltale signature of the HTTP string http://%s/search?q=%d.  
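Spotting a format string like http://%s/search?q=%d in a dump is a strings problem, and on Windows the string may sit in memory as UTF-16LE, which an ASCII-only strings pass misses entirely. The block below is an added example, not Responder Pro and not code from this post: it pulls both ASCII and UTF-16LE runs out of a buffer with their offsets and matches them against a list of indicators. SAMPLE_DUMP is a constructed byte buffer rather than a real memory capture, and the function names are the example's own; a hit is a lead to corroborate (the post does so with the process's Internet history), not proof on its own.

```python
"""Extract printable strings (ASCII and UTF-16LE) from a memory image and
match them against known indicators (added example, not Responder Pro).
"""
import re
from collections import namedtuple
from typing import Iterable, List

Hit = namedtuple("Hit", "offset encoding text")

MIN_LEN = 6   # shorter runs are overwhelmingly noise in a memory image


def extract_strings(buf: bytes, min_len: int = MIN_LEN) -> List[Hit]:
    """Every ASCII or UTF-16LE run of at least min_len printable characters,
    tagged with the byte offset it starts at, ordered by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(buf)]
    hits += [Hit(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(buf)]
    return sorted(hits, key=lambda h: h.offset)


def find_indicators(buf: bytes, indicators: Iterable[str],
                    min_len: int = MIN_LEN) -> List[Hit]:
    """Strings that contain any of the indicators, in either encoding."""
    wanted = list(indicators)
    return [h for h in extract_strings(buf, min_len)
            if any(ind in h.text for ind in wanted)]


# Constructed buffer, not a real capture: an ASCII copy of the Conficker
# format string, an unrelated import name, and a UTF-16LE copy of the same
# string, separated by non-printable bytes.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00"                                        # too short to count
    + b"http://%s/search?q=%d\x00"                               # ASCII copy at offset 6
    + b"\x7f\x03\x05"
    + b"GetProcAddress\x00"                                      # ASCII at offset 31
    + b"\x90\x90"
    + "http://%s/search?q=%d".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE copy at offset 48
    + b"\xff\xfe\x12"
)

CONFICKER_INDICATORS = ["http://%s/search?q=%d"]   # the string quoted in the post


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_DUMP, CONFICKER_INDICATORS):
        print(f"0x{hit.offset:08x} {hit.encoding:10} {hit.text}")
```

Run against a real image the same two regexes are all that is needed; the offsets are what let you go back to the dump and establish which process the string belongs to.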
That's confirmation of Conficker.&lt;br /&gt;&lt;br /&gt;And for the coup de grace I looked at the Internet History.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/SjkzPqcb0XI/AAAAAAAAAR4/vYnSIPhwAkY/s1600-h/Conficker_responderpro_url.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 143px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/SjkzPqcb0XI/AAAAAAAAAR4/vYnSIPhwAkY/s400/Conficker_responderpro_url.png" alt="" id="BLOGGER_PHOTO_ID_5348362376663781746" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;That was easy.  HOW the hell did this happen?  The laptop user who had been out of the office for a while returned, plugged in and nailed two unpatched systems, and instructed them to download a copy from the laptop on port 4555.   All told it was 15 minutes to Root Cause Analysis.  That's what I like to call Rapid Assessment.&lt;br /&gt;&lt;br /&gt;HOW the hell do we keep this from happening again?  
Well that's an exercise I leave to you..needless to say NAC has gained traction at this customer site.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-6144973195635329673?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/6144973195635329673/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=6144973195635329673&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6144973195635329673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6144973195635329673'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/responder-pro-use-case.html' title='Responder Pro use case'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/Sjkw90Bv1mI/AAAAAAAAARY/OlNbQlz-xeU/s72-c/conficker_responderpro.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4222301179082089864</id><published>2009-06-16T13:30:00.002-04:00</published><updated>2009-06-17T15:51:33.171-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='human dimension'/><category scheme='http://www.blogger.com/atom/ns#' term='Training'/><title type='text'>The human dimension</title><content type='html'>I've been on a rather large engagement for 
the past few weeks and as a part of it I was co-opted to provide some education to "the end user".  I know what you're saying and you're probably right.  End user training doesn't work.   Unfortunately it's part of the process and no amount of technology can solve the human factor.&lt;br /&gt;&lt;br /&gt;Let me begin with a personal opinion on malware infections, especially those that are based on browser hijack, drive by downloads, and all other web based exploitation of end user systems.&lt;br /&gt;&lt;br /&gt;"In the majority of browser based, malware related incidents, systems get compromised because the person using the computer, unless it is their job to browse the web outside of corporate resources, is not working at the time of infection".&lt;br /&gt;&lt;br /&gt;So then, let's explore the human dimension when it comes to these cases.  As Microsoft mentioned recently, the fastest growing threat right now is Rogue Antivirus.  The question is why?  Why is it so successful?  How have so many people been duped by it?  The answer is not as clear unfortunately but I do have some thoughts on the issue.&lt;br /&gt;&lt;br /&gt;First there's the economics of it all.  These guys can do this cheaply and they are making a small fortune doing it.  Second, there is no deterrent.  Third and more importantly, there is the human dimension of it.  
Since item 1 and 2 are something that won't be solved easily, let's evaluate the human side of the equation.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What's in play during a rogue antivirus malware incident?&lt;br /&gt;&lt;br /&gt;1) A user is browsing the web.&lt;br /&gt;2) The user is assaulted with popups.&lt;br /&gt;3) The popups take advantage of common flaws in human computer interaction.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;We are more and more stimulated by visuals than we are by written words.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;We click before we think and read the message in front of us.&lt;/li&gt;&lt;li&gt;The depth of knowledge of computers has drastically decreased as the technology has become more a part of our life.  Therefore what is being presented is not understood.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Anything that is perceived to "get in the way" will be ignored, avoided, and subverted.&lt;/li&gt;&lt;li&gt;A panic situation is created and the user reaches an emotional state by appearing to lose control of the system.&lt;/li&gt;&lt;li&gt;A familiar setting (My Computer window) is presented in an altered state, with signs of alarm, further contributing to the panic and emotion.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The system is exerting authority over the user by claiming in no uncertain terms that something is wrong with the system.&lt;/li&gt;&lt;li&gt;What happens on a computer has not been translated to the physical world.  
The fear factor doesn't exist.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;4) An executable is presented as the solution.&lt;br /&gt;5) Then, salvation is presented to the user in the form of rogue antivirus products.&lt;br /&gt;6) After this, the credit card limit is reached quickly.&lt;br /&gt;&lt;br /&gt;With that background in hand, why don't we look at the average user and the common pitfalls when trying to train them, and at why delivering technical training to non-technical people fails more often than it succeeds.&lt;br /&gt;&lt;br /&gt;Why it fails more often than not:&lt;br /&gt;&lt;br /&gt;1) We're boring the audience.&lt;br /&gt;2) Technical jargon doesn't work.&lt;br /&gt;3) What we're saying lacks relevance.&lt;br /&gt;4) The average person comprehends at a 6th-8th grade level.  We tend to assume people are smarter than they actually are, certainly in terms of computer use.&lt;br /&gt;5) People tend to have two types of actions burned into the brain: humor &amp;amp; trauma.  Presentations tend to be dry and dull, and they lack interaction as well as either humor or trauma.&lt;br /&gt;6) There is no relationship made to the real world; analogies aren't as digestible as they need to be to have an impact.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;More on this subject later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4222301179082089864?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4222301179082089864/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4222301179082089864&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4222301179082089864'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4222301179082089864'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/human-dimension.html' title='The human dimension'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7918324787344768969</id><published>2009-06-15T21:43:00.012-04:00</published><updated>2009-06-17T20:45:53.915-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reflections'/><title type='text'>Too close to the problem</title><content type='html'>This is probably the 20th time I've sat down in an attempt to complete a blog post in the past month or two.  With that many "draft" posts I finally realized what the problem has been.  I've been too close to the problem of forensics and incident response to write.  The past few months have been a period of escalating action and reaction.  An arms race if ever there was one.  I feel comfortable saying that I've seen more cases in the past few months than many people see all year long.  I do not say this in a gloating fashion or as an indication of anything other than it's been hell.  I have been too involved in many cases, cases I never wanted to but secretly hoped to see, those full of intrigue and shadowy figures that I may never get the opportunity to meet face to face, so I must battle them from afar, armed only with my knowledge of his behavior and his tools, cases involving life and death and various other types.  I have had talks with various government agencies of late, and had more run-ins with local and state law enforcement than I can recall having in the past 5 years combined. 
I have been too deeply entrenched in a backlog of cases to see beyond a tactical level.&lt;br /&gt;&lt;br /&gt;I guess you could say this is the fog of war.  I am too close to the problem, and my writing and this blog have suffered.  During this time I took an old adage into account, and that adage is "You can't learn anything when you're talking".  Needless to say I've learned a lot in two long months.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7918324787344768969?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7918324787344768969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7918324787344768969&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7918324787344768969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7918324787344768969'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/06/too-close-to-problem.html' title='Too close to the problem'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1723855700609778611</id><published>2009-05-05T16:45:00.002-04:00</published><updated>2009-05-05T16:47:35.964-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway malware theory'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>The malware question</title><content type='html'>Not long ago I asked myself a simple question.&lt;br /&gt;&lt;br /&gt;How does an organization deal with malware when it comes to incident response and investigation?&lt;br /&gt;&lt;br /&gt;The answer turned out to be quite complex and vague in nature.  My answer?  It depends.&lt;br /&gt;&lt;br /&gt;So I started thinking... well, what does it depend on?&lt;br /&gt;&lt;br /&gt;I came up with the following list (with a little commentary):&lt;br /&gt;&lt;br /&gt;What is it?  Is it known or unknown?  This is tricky because even the known (according to vendor definition) holds a lot of unknowns.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;In an ever-increasing trend, even malware that has definitions is poorly defined.  These are what I've been calling "undocumented features".  An antivirus vendor will commonly provide only a partial technical analysis to its customers.  This leaves us in a state of having a definition, but only one that provides enough information to classify something as malicious.&lt;/span&gt;  &lt;span style="font-style: italic;"&gt;Your organization must evaluate what requires analysis and to what depth.  In the past year or so, definitions have become generic and generally useless in helping you determine the true capabilities of malware.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What is it capable of?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;As above, malware capabilities must be learned before determining the risk to the organization.  At present, I no longer believe in 'simple' malware.  Each day I find the Gateway Malware Theory to be true.  Capabilities tend to fly under the radar of many tools.  In many organizations, if malware is detected, the threat is considered contained, even though this has been shown to be untrue.  
Containment is just the beginning.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;What privileges does it require?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;In several cases, malware that executes with user-level privileges operates in a crippled manner.  Likewise, there is malware that requires only user-level privileges to pose a risk.  Many types of malware will lose their ability to establish a persistence mechanism when executed without elevated privileges.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;What privileges did it have at the time of infection?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;As above, if the malware executed with administrative rights, then regardless of its capabilities, it has all the access it requires to completely overtake a system.  It can download additional malware, and that malware adds more risk.  Additionally, depending on its intended purpose, it will have full access to the data on the system.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;How does it communicate?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This is important for a few reasons, not the least of which is encryption.  If the malware communicates in an encrypted manner with a controller, then there may be almost no way to determine the contents of any transfer.  This communication channel can help dictate the type of response to the infection.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;Is it designed to search for or steal data?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Malware designed to search for or steal data obviously poses a greater risk to an organization than malware that is not designed for that purpose.  The type of data that malware is intended to steal presents another twist.  Take an Infostealer variant.  On one hand, it may be designed to steal credit card and bank account information.  
Another Infostealer variant may be designed to go after World of Warcraft information.  It's all in the details.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Is data of a sensitive nature present or processed on the infected system?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This is important.  If sensitive data is not present on, processed on, or accessible from the infected system, then what is the real risk?  Maybe credential theft?&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Does the user or system have access to other systems processing or storing sensitive data?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;If the user that was logged in during the infection has access to sensitive data, or sensitive data is accessible from the system, then there is an inherently higher risk to the organization.  If sensitive data is passed through the system, it's at risk.  Simple enough.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Does the malware pose a risk to the individual user's data or the organization's data?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Using the Infostealer variant from above&lt;/span&gt;, &lt;span style="font-style: italic;"&gt;if the malware is designed to steal things like Amazon and eBay payment information versus, say, executing a weaponized version of an SSN identification tool, then the risk to the organization is likely lower, unless of course the organization deals with Amazon or eBay.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;How long was the malware on the affected system, how was it detected, and what actions were taken to remove the threat?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This one is kind of important.  Many times I end up looking through antivirus log files and find that prior to the detection of the malware by the antivirus product (usually within the same 24-hour period), the antivirus definitions on the system were updated.  What does this imply?  
It implies that the system was likely infected for longer than 24 hours.  Was the malware caught before execution (auto-protect mechanisms), or was it caught during a routine manual or scheduled scan?  Again, the details make a difference.  The delta from Time of Compromise to Time of Containment contributes to the Window of Risk.  In addition, if the antivirus product did not fully remove the threat (some products will log certain types of threats rather than actually stop them), then there is still a problem.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Being able to answer these questions will allow you to make a stronger argument when presenting a case to a decision-making body.  &lt;/span&gt;&lt;span&gt;This applies directly to the &lt;a href="http://forensicir.blogspot.com/2009/03/reasonable-belief.html"&gt;Reasonable Belief Criteria&lt;/a&gt;.&lt;/span&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1723855700609778611?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1723855700609778611/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1723855700609778611&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1723855700609778611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1723855700609778611'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/05/malware-question.html' title='The malware question'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1353654827448770079</id><published>2009-04-08T10:18:00.009-04:00</published><updated>2009-04-08T23:41:27.983-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway malware theory'/><title type='text'>DNS poisoning - visually</title><content type='html'>Notice anything wrong with this picture?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/Sdy1o3KUv_I/AAAAAAAAARA/YtoT70MhLMY/s1600-h/poison_browsing2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 300px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/Sdy1o3KUv_I/AAAAAAAAARA/YtoT70MhLMY/s400/poison_browsing2.png" alt="" id="BLOGGER_PHOTO_ID_5322328573251731442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The real question is, would one of the hundreds of millions of internet users notice anything wrong with this picture, or would they just think that an online pharmacy was hawking their crap (I mean advertising) on amazon.com?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Let's take a packet-level look at this, shall we?&lt;br /&gt;192.168.30.128 is my host that's infected with Tidserv.G.&lt;br /&gt;&lt;br /&gt;I opened Internet Explorer here. &lt;br /&gt;22:26:00.658521 IP 192.168.30.128.1025 &gt; 85.255.112.229.53: 59534+ A? ie.search.msn.com. 
(35)&lt;br /&gt;22:26:00.692644 IP 85.255.112.229.53 &gt; 192.168.30.128.1025: 59534 1/0/0 A &lt;span style="font-weight: bold;"&gt;194.126.101.166&lt;/span&gt; (51)&lt;br /&gt;&lt;br /&gt;Look at the supposed A record.  Who is that?  *Hint* it's not msn.&lt;br /&gt;&lt;br /&gt;inetnum:      194.126.101.0 - 194.126.101.255&lt;br /&gt;netname:      EE-ESTPAK&lt;br /&gt;descr:        backbone and servers&lt;br /&gt;descr:        Sole 14&lt;br /&gt;descr:        Tallinn&lt;br /&gt;descr:        Estpak Data/Estonian Telephone Co&lt;br /&gt;country:      EE&lt;br /&gt;admin-c:      ET332-RIPE&lt;br /&gt;tech-c:       ET332-RIPE&lt;br /&gt;rev-srv:      dns.estpak.ee&lt;br /&gt;rev-srv:      dns2.estpak.ee&lt;br /&gt;status:       ASSIGNED PA&lt;br /&gt;mnt-by:       ESTPAK-MNT&lt;br /&gt;source:       RIPE # Filtered&lt;br /&gt;&lt;br /&gt;Maybe that's why this happened to a previously working IE instance when I tried to do a 'live' search?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/Sd0-6R43sAI/AAAAAAAAARQ/0cCicJNxWiU/s1600-h/poisoned_search.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 300px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/Sd0-6R43sAI/AAAAAAAAARQ/0cCicJNxWiU/s400/poisoned_search.png" alt="" id="BLOGGER_PHOTO_ID_5322479505577062402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What about other domains?&lt;br /&gt;&lt;br /&gt;22:28:39.238470 IP 192.168.30.128.1038 &gt; 85.255.112.229.53: 15535+ A? www.googleadservices.com. (42&lt;br /&gt;)&lt;br /&gt;22:28:40.225710 IP 192.168.30.128.1038 &gt; 85.255.112.140.53: 15535+ A? www.googleadservices.com. 
(42)&lt;br /&gt;22:28:40.249730 IP 85.255.112.140.53 &gt; 192.168.30.128.1038: 15535* 1/0/0 A &lt;span style="font-weight:bold;"&gt;67.210.14.103&lt;/span&gt; (58)&lt;br /&gt;22:28:40.297489 IP 192.168.30.128.1038 &gt; 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)&lt;br /&gt;22:28:40.321746 IP 85.255.112.140.53 &gt; 192.168.30.128.1038: 47016 1/0/0 A &lt;span style="font-weight:bold;"&gt;67.210.14.81&lt;/span&gt; (52)&lt;br /&gt;22:28:41.477518 IP 192.168.30.128.1038 &gt; 85.255.112.140.53: 8873+ A? info-feed.com. (31)&lt;br /&gt;22:28:41.502943 IP 85.255.112.140.53 &gt; 192.168.30.128.1038: 8873 1/0/0 A &lt;span style="font-weight:bold;"&gt;67.210.14.81&lt;/span&gt; (47)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here's a first-hand look at what happens when DNS is poisoned.  No mic on my workstation, so you'll just have to watch.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ayLTakPW9VE&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ayLTakPW9VE&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1353654827448770079?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1353654827448770079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1353654827448770079&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1353654827448770079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1353654827448770079'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/04/dns-poisoning-visually.html' title='DNS poisoning - visually'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/Sdy1o3KUv_I/AAAAAAAAARA/YtoT70MhLMY/s72-c/poison_browsing2.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-6514764581856219013</id><published>2009-04-06T20:32:00.010-04:00</published><updated>2009-04-06T22:07:15.783-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>Digital DNA</title><content type='html'>You may or may not have heard of it yet, but HBGary has added an exciting new feature to their Responder Pro product called Digital DNA.  I'm still in the process of learning more about it but I'll try to summarize it.&lt;br /&gt;&lt;br /&gt;Malware has components that constitute its existence.  Much like a person, these components are traits that are inherited upon creation.  In the malware sense, traits are inherited through programming behaviors that, generally speaking, can't be avoided if you wish to achieve a specific goal.  Keyloggers, rootkits, droppers, process injection and so on all have modes of operation that can be identified.  Not in the sense of a traditional signature but more in the sense of a behavioral signature.  
The individual characteristics don't matter as much here.&lt;br /&gt;&lt;br /&gt;Generally speaking, a specific piece of malware has several traits that make it malicious and define its individual behaviors.  These class characteristics, when applied to the individual malware specimen, become a series of individual characteristics, or a DNA chain.  This DNA chain can then be used to identify the software as malicious in nature.&lt;br /&gt;&lt;br /&gt;So let me clarify before continuing.&lt;br /&gt;&lt;br /&gt;A piece of malware is installed on a computer.  It&lt;br /&gt;a) opens a backdoor&lt;br /&gt;b) hides processes&lt;br /&gt;c) injects itself into a running process&lt;br /&gt;d) speaks HTTP&lt;br /&gt;e) logs keystrokes&lt;br /&gt;&lt;br /&gt;These are all class characteristics of malware.  They are non-specific in nature, yet they are indicative of malicious behaviors.  Taken individually, they are innocuous.  Taken together, they are a problem.  Taken together, they form a DNA chain that can be used to identify potentially malicious processes on your computer.  
You can take my word for it, or check out these screen shots of it.&lt;br /&gt;&lt;br /&gt;The following image was taken from malware that is identified by 11/39 on &lt;a href="http://www.virustotal.com/analisis/d5ea2a25e77f20a2773abe56b66a7dfd"&gt;Virustotal&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SdqlG63HUYI/AAAAAAAAAQg/Sm0yC7l4Cdc/s1600-h/ddna_2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 312px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SdqlG63HUYI/AAAAAAAAAQg/Sm0yC7l4Cdc/s400/ddna_2.png" alt="" id="BLOGGER_PHOTO_ID_5321747447989883266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And here's what an &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99&amp;tabid=2"&gt;Infostealer &lt;/a&gt;looks like&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/Sdqt86cf8tI/AAAAAAAAAQo/SIu04h6xZOM/s1600-h/ddna_3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 312px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/Sdqt86cf8tI/AAAAAAAAAQo/SIu04h6xZOM/s400/ddna_3.png" alt="" id="BLOGGER_PHOTO_ID_5321757171684209362" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And it's then simple to go from that to this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/Sdq0ICGst-I/AAAAAAAAAQw/Qam6ZTxc30U/s1600-h/ddna_4.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 312px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/Sdq0ICGst-I/AAAAAAAAAQw/Qam6ZTxc30U/s400/ddna_4.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5321763959788582882" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and then this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/Sdq01BM_7RI/AAAAAAAAAQ4/dnfUXysgbX0/s1600-h/filesystem.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 319px; height: 400px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/Sdq01BM_7RI/AAAAAAAAAQ4/dnfUXysgbX0/s400/filesystem.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5321764732640685330" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Malware identification and analysis just got that much easier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-6514764581856219013?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/6514764581856219013/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=6514764581856219013&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6514764581856219013'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6514764581856219013'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/04/digital-dna.html' title='Digital DNA'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/_sisOS0kCuPo/SdqlG63HUYI/AAAAAAAAAQg/Sm0yC7l4Cdc/s72-c/ddna_2.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1807973094479331918</id><published>2009-04-03T14:00:00.001-04:00</published><updated>2009-04-04T18:11:15.460-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway malware theory'/><title type='text'>DNS poisoning - What is it good for?</title><content type='html'>&lt;span style="font-style: italic;"&gt;This really should be two posts, but sometimes thoughts just flow.  Pay close attention to the end of the post. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In a recent post I showed a little bit about Tidserv.G and made it available for analysis.  One of the fun features of this and other malware like it is that it poisons DNS.  The biggest question to date is "Why?"  The second question is "What are they doing?"  Throughout this post there will be threat intelligence for you.&lt;br /&gt;&lt;br /&gt;For background on the problem, start here:&lt;br /&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html"&gt;Security Fix&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm going to attempt to explain it a little further.  Brian Krebs says in his article that "[...]&lt;span style="font-style: italic;"&gt;But the authors of DNSChanger appear to have instead chosen a more low-key approach: Machines infected with DNSChanger will seem to only merely have a small subset of their Web searches hijacked."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Granted, his article is now a few months old.  
So, what's new?&lt;br /&gt;&lt;br /&gt;First, let me explain what this variant actually does.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1) It gets downloaded as a fake codec from the RBN marketing and advertising department in Latvia, hosted &lt;a href="http://blog.fireeye.com/research/2009/02/bad-actors-part-2-zlkon.html"&gt;here&lt;/a&gt;.  One could reasonably state that if you're downloading fake codecs, you're watching videos you shouldn't be.  Remember that &lt;a href="http://forensicir.blogspot.com/2009/01/internet-is-for-porn.html"&gt;The internet is for porn&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;2) It proceeds to poison the DNS configuration of the local host, pointing DNS to the Ukraine-hosted servers described &lt;a href="http://blog.fireeye.com/research/2009/02/bad-actors-part-3-internet-pathcernel.html"&gt;here&lt;/a&gt;.  So if you were to check the DNS configuration of the infected host, you'd see 85.255.xxx.xxx for the nameservers.  This host then immediately sends an HTTP POST to 94.247.2.107 with the string 'POST /cgi-bin/generator'.  This is the check-in to let the bad guys know they've got another poisoner out there in the wild.&lt;br /&gt;&lt;br /&gt;Now here's something the vendors don't tell you.&lt;br /&gt;It also sends out two more HTTP POSTs to the same host, in the form of:&lt;br /&gt;POST /adc.php to 94.247.2.107&lt;br /&gt;POST /clk.php to 94.247.2.107&lt;br /&gt;&lt;br /&gt;The adc.php POST uses HTTP/1.0, whereas the clk.php POST uses HTTP/1.1.  The user-agent string for both is: Mozilla/4.0 Compatible; MSIE 6.0; Windows NT 5.1; SV1;&lt;br /&gt;&lt;br /&gt;3) It then begins a routine to snoop DHCP requests and provide DHCP addresses to hosts in the local broadcast domain.  You'll likely see some gratuitous ARPing on the subnet when this occurs.  It commonly fails to provide the real IP address to the requesting host, so you'll see IP hopping occur on the network.  
In addition, any DHCP leases handed out by this system will provide DNS addresses of:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;64.86.133.51 (primary)&lt;/li&gt;&lt;li&gt;63.243.173.162 (secondary)&lt;/li&gt;&lt;/ul&gt;These IPs are actually hosts in Canada.&lt;br /&gt;&lt;br /&gt;So, if you see IPs in a subnet making DNS queries to Canada, look for the host sending DNS queries to the Ukraine and you'll find the poisoner.  The leases last for one hour (not sure I understand why they chose an hour, unless they're building up their backend and want the poisoned hosts to get different nameservers more frequently).&lt;br /&gt;&lt;br /&gt;Seems rather straightforward, right?&lt;br /&gt;&lt;br /&gt;So, once DNS is poisoned, what happens?&lt;br /&gt;&lt;br /&gt;Here's where things get interesting.&lt;br /&gt;&lt;br /&gt;Let's say you're browsing the tubes and you visit amazon.com.  Amazon, just like many other sites, will show advertisements on the side and top of the page.  These ads tend to be served by doubleclick.net.  In the case of Tidserv, ads are not served by doubleclick; they are served by Internet Path/Cernel.  But that's not all.  
They are also redirecting googleadservices, so any site using googleadservices will also have ads served by this group.&lt;br /&gt;&lt;br /&gt;Some of the domains embedded in the binary:&lt;br /&gt;search.yahoo.com&lt;br /&gt;search.aol.com&lt;br /&gt;search.live.com&lt;br /&gt;search.msn.com&lt;br /&gt;search.icq.com&lt;br /&gt;wzus1.ask.com&lt;br /&gt;wikimedia&lt;br /&gt;opselect.com&lt;br /&gt;o.aolcdn.com&lt;br /&gt;rds.yahoo&lt;br /&gt;revsci.net&lt;br /&gt;microsoft&lt;br /&gt;hotmail&lt;br /&gt;digitalcity&lt;br /&gt;atwola&lt;br /&gt;atdmt&lt;br /&gt;amazon.com&lt;br /&gt;altavista.com&lt;br /&gt;alltheweb.com&lt;br /&gt;wikipedia.com&lt;br /&gt;youtube.com&lt;br /&gt;yimg.com&lt;br /&gt;&lt;br /&gt;There's even a typo:  saerch.aol&lt;br /&gt;&lt;br /&gt;So to clarify: if you're infected and browsing the web, and you visit these sites or search engines, expect to see fake ads that will generate revenue for the criminals living in Eastern Europe.&lt;br /&gt;&lt;br /&gt;Here's one more thing your antivirus vendor &lt;span style="font-weight: bold;"&gt;isn't telling you&lt;/span&gt;:&lt;br /&gt;The worm spreads by copying itself to all drive letters available on the compromised computer, including removable drives and mapped network shares[...].&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What it really does:&lt;/span&gt;&lt;br /&gt;It spreads through mapped drives, spreads by brute-forcing network shares, and also brute-forces network devices.&lt;br /&gt;&lt;br /&gt;What's the remote IP, you ask?  Why, it's 93.188.166.4&lt;br /&gt;Where is it, you ask?&lt;br /&gt;&lt;br /&gt;Non-authoritative answer:&lt;br /&gt;4.166.188.93.in-addr.arpa    name = 93.188.166.4.static.ukrtelegroup.com.ua.&lt;br /&gt;&lt;br /&gt;Yeah, that's the Ukraine.&lt;br /&gt;&lt;br /&gt;Check exemplar18 yourself.  
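The two DNS-poisoning posts describe one detection idea from two angles: the tcpdump capture in "DNS poisoning - visually" shows the infected host sending its queries to 85.255.112.229 and 85.255.112.140 instead of its normal resolver, and the rogue DHCP behaviour described in this post means neighbours on the same broadcast domain start querying 64.86.133.51 and 63.243.173.162. The Python script below is an added example, not code from the original posts or from any vendor tool. It parses tcpdump-style DNS query lines, labels each client by the resolver it talks to, and separates the host that is itself poisoned (the one talking to 85.255.x.x, i.e. the poisoner on the subnet) from hosts that merely accepted one of its DHCP leases. The first three capture lines are quoted from the earlier post; the remaining capture lines, the 192.168.30.2 "expected resolver" address and the 192.168.30.140/141/150 client addresses are constructed placeholders.

```python
"""Label DNS clients in a tcpdump capture by the resolver they query.

Added example (not from the original posts). Resolver addresses come from
the posts: 85.255.0.0/16 is what the Tidserv-infected host is reconfigured
to use directly; 64.86.133.51 and 63.243.173.162 are the nameservers its
rogue DHCP leases hand to neighbours. The expected resolver is an assumed
placeholder for the organisation's real one.
"""
import ipaddress
import re
from collections import defaultdict

# Resolver address classes. Only the first two lists come from the posts.
POISONER_RESOLVERS = [ipaddress.ip_network("85.255.0.0/16")]
ROGUE_LEASE_RESOLVERS = [ipaddress.ip_network("63.243.173.162/32"),
                         ipaddress.ip_network("64.86.133.51/32")]
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.30.2/32")]  # assumed

# Matches a "tcpdump -n" DNS *query* line, e.g.
#   22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
# Responses go to the client's ephemeral port, not port 53, so they do not match.
QUERY_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP "            # 1: timestamp
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > "        # 2: client ip, 3: client port
    r"(\d+\.\d+\.\d+\.\d+)\.53: "            # 4: resolver ip
    r"(\d+)\+ ([A-Z]+)\? (\S+) \((\d+)\)$"   # 5: id, 6: qtype, 7: qname, 8: length
)

# Constructed sample capture. The first three lines are quoted from the
# "DNS poisoning - visually" post; the rest are made up for this example.
SAMPLE_CAPTURE = """\
22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
22:26:00.692644 IP 85.255.112.229.53 > 192.168.30.128.1025: 59534 1/0/0 A 194.126.101.166 (51)
22:28:40.297489 IP 192.168.30.128.1038 > 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)
22:31:12.004411 IP 192.168.30.140.1101 > 64.86.133.51.53: 20331+ A? www.amazon.com. (32)
22:31:15.120332 IP 192.168.30.141.1042 > 63.243.173.162.53: 7712+ A? js.doubleclick.net. (36)
22:31:20.550001 IP 192.168.30.150.2000 > 192.168.30.2.53: 4412+ A? intranet.example. (34)
"""


def parse_queries(lines):
    """Yield (client, resolver, qname) for every line that is a DNS query."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(4), m.group(7)


def classify_resolver(addr):
    """Return which class of resolver a client is talking to."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in POISONER_RESOLVERS):
        return "poisoner"      # the host's own DNS settings were rewritten
    if any(ip in net for net in ROGUE_LEASE_RESOLVERS):
        return "rogue-lease"   # the host took a DHCP lease from the poisoner
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unknown"


def triage(lines):
    """Map each client IP to the resolver labels, resolver IPs and names seen for it."""
    report = defaultdict(lambda: {"labels": set(), "resolvers": set(), "qnames": set()})
    for client, resolver, qname in parse_queries(lines):
        entry = report[client]
        entry["resolvers"].add(resolver)
        entry["labels"].add(classify_resolver(resolver))
        entry["qnames"].add(qname)
    return dict(report)


def find_poisoner(report):
    """Hosts querying 85.255.x.x directly: the infected machine(s) to pull first."""
    return sorted(ip for ip, e in report.items() if "poisoner" in e["labels"])


def find_rogue_lease_victims(report):
    """Hosts on the broadcast domain that accepted the poisoner's DHCP lease."""
    return sorted(ip for ip, e in report.items() if "rogue-lease" in e["labels"])


if __name__ == "__main__":
    rep = triage(SAMPLE_CAPTURE.splitlines())
    print("likely poisoner:", find_poisoner(rep))
    print("hosts on rogue leases:", find_rogue_lease_victims(rep))
```

The resolver lists are the only part tied to this particular campaign; the labels are what a responder acts on. A "poisoner" host is the one to isolate first, because as long as it is on the subnet it keeps answering DHCP; "rogue-lease" hosts only need a fresh lease from the real DHCP server once it is gone, which matches the one-hour lease time noted above.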
Here's the strings dump from the .tmp file:&lt;br /&gt;&lt;br /&gt;This was extracted through HBGary Responder Pro.&lt;br /&gt;&lt;br /&gt;&lt;br
/&gt;tempo-447187.tmp    0x00003680    none:admin                                                 &lt;br /&gt;tempo-447187.tmp    0x00004A84    ntdll.dll                                                  &lt;br /&gt;tempo-447187.tmp    0x00003674    operator:                                                  &lt;br /&gt;tempo-447187.tmp    0x0000365C    operator:$chwarzepumpe                                     &lt;br /&gt;tempo-447187.tmp    0x00003B1C    OPERATOR:COGNOS                                            &lt;br /&gt;tempo-447187.tmp    0x00003B0C    OPERATOR:DISC                                              &lt;br /&gt;tempo-447187.tmp    0x00003648    operator:operator                                          &lt;br /&gt;tempo-447187.tmp    0x00003AF8    OPERATOR:SUPPORT                                           &lt;br /&gt;tempo-447187.tmp    0x00003AE8    OPERATOR:SYS                                               &lt;br /&gt;tempo-447187.tmp    0x00003AD8    OPERATOR:SYSTEM                                            &lt;br /&gt;tempo-447187.tmp    0x00003638    patrol:patrol                                              &lt;br /&gt;tempo-447187.tmp    0x00003ACC    PCUSER:SYS                                                 &lt;br /&gt;tempo-447187.tmp    0x00003628    piranha:piranha                                            &lt;br /&gt;tempo-447187.tmp    0x0000361C    piranha:q                                                  &lt;br /&gt;tempo-447187.tmp    0x00003AB0    Polycom:456                                                &lt;br /&gt;tempo-447187.tmp    0x00003AA0    Polycom:SpIp                                               &lt;br /&gt;tempo-447187.tmp    0x00003ABC    PRODDTA:PRODDTA                                            &lt;br /&gt;tempo-447187.tmp    0x00003614    public:                                                    &lt;br /&gt;tempo-447187.tmp    0x00003604    public:public                                              &lt;br 
/&gt;tempo-447187.tmp    0x00005000    r=%s&amp;amp;f=%s&amp;amp;p=%s&amp;amp;u=%s&amp;amp;i=%s&amp;amp;g=%d                              &lt;br /&gt;tempo-447187.tmp    0x000035F4    radware:radware                                            &lt;br /&gt;tempo-447187.tmp    0x000035DC    readonly:lucenttech2                                       &lt;br /&gt;tempo-447187.tmp    0x000035C4    readwrite:lucenttech1                                      &lt;br /&gt;tempo-447187.tmp    0x000035AC    replicator:replicator                                      &lt;br /&gt;tempo-447187.tmp    0x0000A0D0    RKCFG_AGGRESSIVE_SPEED: buffer size %d is too small        &lt;br /&gt;tempo-447187.tmp    0x00003A8C    RMUser1:password                                           &lt;br /&gt;tempo-447187.tmp    0x000035A4    ro:ro                                                      &lt;br /&gt;tempo-447187.tmp    0x00004644    root:                                                      &lt;br /&gt;tempo-447187.tmp    0x00003A78    Root:                                                      &lt;br /&gt;tempo-447187.tmp    0x00003598    root:0P3N                                                  &lt;br /&gt;tempo-447187.tmp    0x0000358C    root:1234                                                  &lt;br /&gt;tempo-447187.tmp    0x00003580    root:12345                                                 &lt;br /&gt;tempo-447187.tmp    0x00003570    root:3ep5w2u                                               &lt;br /&gt;tempo-447187.tmp    0x00003548    root:admin                                                 &lt;br /&gt;tempo-447187.tmp    0x00003538    root:admin_1                                               &lt;br /&gt;tempo-447187.tmp    0x0000352C    root:ascend                                                &lt;br /&gt;tempo-447187.tmp    0x00003520    root:attack                                                &lt;br /&gt;tempo-447187.tmp    0x00003510    root:blender                   
                            &lt;br /&gt;tempo-447187.tmp    0x00003504    root:calvin                                                &lt;br /&gt;tempo-447187.tmp    0x000034F4    root:changeme                                              &lt;br /&gt;tempo-447187.tmp    0x00003564    root:Cisco                                                 &lt;br /&gt;tempo-447187.tmp    0x000034E8    root:davox                                                 &lt;br /&gt;tempo-447187.tmp    0x000034D8    root:default                                               &lt;br /&gt;tempo-447187.tmp    0x000034C8    root:fivranne                                              &lt;br /&gt;tempo-447187.tmp    0x000034B8    root:iDirect                                               &lt;br /&gt;tempo-447187.tmp    0x00003554    root:Mau'dib                                               &lt;br /&gt;tempo-447187.tmp    0x000034AC    root:pass                                                  &lt;br /&gt;tempo-447187.tmp    0x0000349C    root:password                                              &lt;br /&gt;tempo-447187.tmp    0x00003490    root:root                                                  &lt;br /&gt;tempo-447187.tmp    0x00003480    root:tslinux                                               &lt;br /&gt;tempo-447187.tmp    0x00003A80    RSBCMON:SYS                                                &lt;br /&gt;tempo-447187.tmp    0x00003478    rw:rw                                                      &lt;br /&gt;tempo-447187.tmp    0x00003470    rwa:rwa                                                    &lt;br /&gt;tempo-447187.tmp    0x00003458    scmadmin:scmchangeme                                       &lt;br /&gt;tempo-447187.tmp    0x0000344C    scout:scout                                                &lt;br /&gt;tempo-447187.tmp    0x00003438    security:security                                          &lt;br /&gt;tempo-447187.tmp    0x00003A28    Service:5678                        
                       &lt;br /&gt;tempo-447187.tmp    0x00003428    service:smile                                              &lt;br /&gt;tempo-447187.tmp    0x0000A124    SeShutdownPrivilege                                        &lt;br /&gt;tempo-447187.tmp    0x0000472C    setgroup                                                   &lt;br /&gt;tempo-447187.tmp    0x00004738    settempgroup                                               &lt;br /&gt;tempo-447187.tmp    0x00003418    setup:changeme                                             &lt;br /&gt;tempo-447187.tmp    0x0000340C    setup:setup                                                &lt;br /&gt;tempo-447187.tmp    0x0000A1FC    SetupDiCreateDeviceInfoList                                &lt;br /&gt;tempo-447187.tmp    0x00004A3A    SHGetValueA                                                &lt;br /&gt;tempo-447187.tmp    0x00004A46    SHLWAPI.dll                                                &lt;br /&gt;tempo-447187.tmp    0x00004724    sleep                                                      &lt;br /&gt;tempo-447187.tmp    0x00004ACA    Sleep                                                      &lt;br /&gt;tempo-447187.tmp    0x0000A3F0    SleepEx                                                    &lt;br /&gt;tempo-447187.tmp    0x000033FC    smc:smcadmin                                               &lt;br /&gt;tempo-447187.tmp    0x00003A64    SPOOLMAN:HPOFFICE                                          &lt;br /&gt;tempo-447187.tmp    0x00004A6A    sprintf                                                    &lt;br /&gt;tempo-447187.tmp    0x00003A5C    SSA:SSA                                                    &lt;br /&gt;tempo-447187.tmp    0x0000A174    STATUS_DUPLICATE_OBJECTID                                  &lt;br /&gt;tempo-447187.tmp    0x0000A0A4    STATUS_KEY_DELETED                                         &lt;br /&gt;tempo-447187.tmp    0x000033E4    storwatch:specialist                     
                  &lt;br /&gt;tempo-447187.tmp    0x000033CC    stratacom:stratauser                                       &lt;br /&gt;tempo-447187.tmp    0x00004A74    strncmp                                                    &lt;br /&gt;tempo-447187.tmp    0x000033BC    super.super:                                               &lt;br /&gt;tempo-447187.tmp    0x000033A8    super.super:master                                         &lt;br /&gt;tempo-447187.tmp    0x00003398    super:5777364                                              &lt;br /&gt;tempo-447187.tmp    0x0000338C    super:super                                                &lt;br /&gt;tempo-447187.tmp    0x00003378    superadmin:secret                                          &lt;br /&gt;tempo-447187.tmp    0x00003364    superman:21241036                                          &lt;br /&gt;tempo-447187.tmp    0x00003354    superman:talent                                            &lt;br /&gt;tempo-447187.tmp    0x00003344    superuser:admin                                            &lt;br /&gt;tempo-447187.tmp    0x00003338    supervisor:                                                &lt;br /&gt;tempo-447187.tmp    0x00003324    supervisor:PlsChgMe                                        &lt;br /&gt;tempo-447187.tmp    0x0000330C    supervisor:supervisor                                      &lt;br /&gt;tempo-447187.tmp    0x000032FC    support:h179350                                            &lt;br /&gt;tempo-447187.tmp    0x000032EC    support:support                                            &lt;br /&gt;tempo-447187.tmp    0x000032E0    sys:uplink                                                 &lt;br /&gt;tempo-447187.tmp    0x00003A4C    SYSADM:sysadm                                              &lt;br /&gt;tempo-447187.tmp    0x000032D0    sysadmin:PASS                                              &lt;br /&gt;tempo-447187.tmp    0x000032BC    sysadmin:password                             
             &lt;br /&gt;tempo-447187.tmp    0x00003A38    SYSDBA:masterkey                                           &lt;br /&gt;tempo-447187.tmp    0x00003284    system:password                                            &lt;br /&gt;tempo-447187.tmp    0x000032B0    system:sys                                                 &lt;br /&gt;tempo-447187.tmp    0x00003270    teacher:password                                           &lt;br /&gt;tempo-447187.tmp    0x00003260    telecom:telecom                                            &lt;br /&gt;tempo-447187.tmp    0x0000324C    tellabs:tellabs#1                                          &lt;br /&gt;tempo-447187.tmp    0x0000323C    temp1:password                                             &lt;br /&gt;tempo-447187.tmp    0x00004B06    TerminateThread                                            &lt;br /&gt;tempo-447187.tmp    0x0000A224    The mirrored volume creation setup failed                  &lt;br /&gt;tempo-447187.tmp    0x0000322C    tiara:tiaranet                                             &lt;br /&gt;tempo-447187.tmp    0x0000321C    tiger:tiger123                                             &lt;br /&gt;tempo-447187.tmp    0x00003A14    TMAR#HWMT8007079:                                          &lt;br /&gt;tempo-447187.tmp    0x00004A60    tolower                                                    &lt;br /&gt;tempo-447187.tmp    0x00003208    topicalt:password                                          &lt;br /&gt;tempo-447187.tmp    0x000031F4    topicnorm:password                                         &lt;br /&gt;tempo-447187.tmp    0x000031E0    topicres:password                                          &lt;br /&gt;tempo-447187.tmp    0x0000A0B8    UpstreamQamAllowed %d                                      &lt;br /&gt;tempo-447187.tmp    0x00003154    user:                                                      &lt;br /&gt;tempo-447187.tmp    0x00003144    user:password                                      
        &lt;br /&gt;tempo-447187.tmp    0x000031D0    user:tivonpw                                               &lt;br /&gt;tempo-447187.tmp    0x00003138    user:user                                                  &lt;br /&gt;tempo-447187.tmp    0x0000A524    USER32.dll                                                 &lt;br /&gt;tempo-447187.tmp    0x00003A04    USERID:PASSW0RD                                            &lt;br /&gt;tempo-447187.tmp    0x000031C4    vcr:NetVCR                                                 &lt;br /&gt;tempo-447187.tmp    0x0000A058    VESA DMT                                                   &lt;br /&gt;tempo-447187.tmp    0x0000A426    VirtualAlloc                                               &lt;br /&gt;tempo-447187.tmp    0x000031B4    vt100:public                                               &lt;br /&gt;tempo-447187.tmp    0x000031A4    webadmin:1234                                              &lt;br /&gt;tempo-447187.tmp    0x00003190    webadmin:webadmin                                          &lt;br /&gt;tempo-447187.tmp    0x0000317C    websecadm:changeme                                         &lt;br /&gt;tempo-447187.tmp    0x0000499C    WININET.dll                                                &lt;br /&gt;tempo-447187.tmp    0x00003170    wlse:wlsedb                                                &lt;br /&gt;tempo-447187.tmp    0x000039F8    WP:HPOFFICE                                                &lt;br /&gt;tempo-447187.tmp    0x0000315C    wradmin:trancell                                           &lt;br /&gt;tempo-447187.tmp    0x00004908    WS2_32.dll                                                 &lt;br /&gt;tempo-447187.tmp    0x00003130    xd:xd                                                      &lt;br /&gt;tempo-447187.tmp    0x000041C8    zxc:cascade      &lt;br /&gt;&lt;br /&gt;I'll probably have more to say about this soon.&lt;br /&gt;&lt;br /&gt;Addendum 1:&lt;br /&gt;The brute forcing 
functionality is through remote control over HTTP.&lt;br /&gt;&lt;br /&gt;Addendum 2:&lt;br /&gt;Virustotal detection is poor at 2/40.&lt;br /&gt;&lt;br /&gt;Addendum 3:&lt;br /&gt;The .tmp file is a new variant of the Zlob trojan.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1807973094479331918?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1807973094479331918/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1807973094479331918&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1807973094479331918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1807973094479331918'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/04/dns-poisoning-what-is-it-good-for.html' title='DNS poisoning - What is it good for?'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5401767008128948490</id><published>2009-04-01T23:49:00.001-04:00</published><updated>2009-04-01T23:54:20.649-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>Responder Pro - A review</title><content type='html'>Here's a short 
disclaimer before I get into this.&lt;br /&gt;*I'm not paid by nor affiliated with HBGary.  This is an honest review of their product(s).*&lt;br /&gt;&lt;br /&gt;A short while ago I received a demo copy of &lt;a href="http://hbgary.com/"&gt;HBGary&lt;/a&gt;'s &lt;a href="http://hbgary.com/responder_pro.html"&gt;Responder Pro&lt;/a&gt; product. A big thanks goes out to Rich and the HBGary team for letting me demo their tools. My demo period has now expired, so I wanted to share my experience.&lt;br /&gt;&lt;br /&gt;During my demo I used Responder Pro almost exclusively to analyze malware and perform memory analysis.  There's a bit of a learning curve with the product, mainly in getting used to the layout of the GUI, which was at first a senseless morass of windows and tabs.  After I adapted my thinking and used the tool a few times, the GUI made some sense.&lt;br /&gt;&lt;br /&gt;Once I got acclimated to the GUI, memory analysis couldn't have been any easier.  The GUI is pretty powerful and allows for a quick examination of the 'big win' components of memory - processes, modules, open files, open registry keys, network connections.  Identifying process and DLL injection was in a word 'simple' once I figured out how the tool laid out the process and module information.  Image (executable) extraction is simple - a right click does the trick. &lt;br /&gt;&lt;br /&gt;A warning, though.  If you're using antivirus products on the system you use this tool on, be prepared to redo your analysis or make exceptions for files and folders.  More than once I was frustrated by having Symantec Endpoint Protection delete the extracted binary, leaving Responder in a state of confusion and unable to complete an analysis.  I have many v.2 case files due to this.&lt;br /&gt;&lt;br /&gt;The automated malware analysis of the memory dump was a huge timesaver.
Based on a file called baserules.txt, a memory dump will be analyzed for processes and modules that are exhibiting potentially malicious behaviors.  If you highlight a module, it will be selected for a deeper-dive analysis.  Did I mention it's a time saver?  Analyzing module after module in a process can be tedious work.  Having the information presented to you allows you to quickly weed out what looks normal from the abnormal.&lt;br /&gt;&lt;br /&gt;My one nit about the automated analysis was the transition from 1.3 to 1.4.  Version 1.4 had far too many rules commented out, and while this led to fewer false positives, it greatly contributed to more manual work because it missed a lot of things.&lt;br /&gt;&lt;br /&gt;During my demo period HBGary updated Responder Pro from version 1.3 to version 1.4.  The transition added interesting capabilities such as pulling out URLs from the memory dump as well as passwords.  Harlan &lt;a href="http://windowsir.blogspot.com/2009/03/memory-analysis-for-real.html"&gt;discussed&lt;/a&gt; this a bit while looking at one of my memory snapshot project images.&lt;br /&gt;&lt;br /&gt;Memory analysis-wise, Responder is right up there for commercial tools.  I'd pretty much say it's the best around for the price point ($1000 for Field Edition).  It also integrates with EnCase, which is nice for a lot of people.&lt;br /&gt;&lt;br /&gt;And then there's the graphing for malware analysis.  One of my colleagues summed it up accurately by calling it very 'seductive'.  Now, graphing has been around a while for malware analysis.  There's a difference, though, when it comes to using Responder.  The difference is you don't have to screw around with the reindeer games that various packers use.  When you're analyzing a memory dump of malware, you're seeing the unpacked malware, and it makes for a very straightforward analysis.  In more than one case I was able to do analysis in about an hour or so on something that would have otherwise taken a few hours.
The ability to pull out a subroutine, analyze it graphically, and have the code available as well is a fantastic feature.  Or, if you want to, you can begin by performing an analysis of a process and looking at the strings.  Then just pull the string you're interested in into the working canvas, and begin analysis on something that looks like it's of direct interest to you.  That's what I was doing &lt;a href="http://2.bp.blogspot.com/_sisOS0kCuPo/ScrfdYmEQLI/AAAAAAAAAQY/NT9mfVXuf5k/s1600-h/tidserv.jpg"&gt;here&lt;/a&gt;.  The bookmarking and layering made it almost Photoshop-esque.  I only had to look at what was of interest, and I could go back to it later.  While analyzing virut.CF the bookmarking feature was very handy, especially when I discovered some Passthru driver configuration files intact while doing a graphical analysis.  I won't get into the differences between IDA Pro and Responder Pro for analysis, but I will say that I had a much faster time of doing analysis in Responder than in IDA, and I think the reason was using a memory dump rather than static binary analysis.&lt;br /&gt;&lt;br /&gt;So that's enough talking about why I like the product.   Case study-wise, I used Responder Pro to look at several poorly classified malware types during my demo.  In the field I use Responder Pro to analyze several USB-related malware variants that my other vendors called "downloader" or "trojan horse" or "SillyFDC".   In a wave of compromises I didn't want any other tool for analysis.  I reached for Responder Pro when I needed to do an analysis to determine scope and the REAL risk to data.  I reached for Responder Pro when I needed to determine the capabilities of a few very nasty pieces of malware.  Why?  Because I needed accurate, actionable intel fast.&lt;br /&gt;&lt;br /&gt;Just this evening I wanted to do an analysis of an InfoStealer variant I discovered in the wild.  The tool I went for?  Responder Pro.
As I said though, my demo expired and I felt a bit lost.  Gone was the quick analysis.  Gone was the interface.  I still have Volatility and Memoryze and they certainly have their strengths but I had gotten very used to using Responder.  I still have the old tried and true tools around but it's a bit of a disappointment to go back to them.&lt;br /&gt;&lt;br /&gt;The biggest issue I have is unfortunately not technical at all.  It's price - which is currently the biggest concern for us.  For $9000 I could license my entire team with IDA pro and train them all in Memoryze and Volatility.&lt;br /&gt;&lt;br /&gt;Do I recommend the Responder family of products?&lt;br /&gt;&lt;br /&gt;Absolutely.  The products have a lot of strengths including time saving techniques and easy analysis and presentation of otherwise complex data sources.  For many people in the industry Responder Field Edition is more than appropriate. &lt;br /&gt;&lt;br /&gt;Responder Pro is an entirely different beast and to be frank I feel a little naked right now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5401767008128948490?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5401767008128948490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5401767008128948490&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5401767008128948490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5401767008128948490'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/04/responder-pro-review.html' title='Responder Pro - A 
review'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1437166899929384196</id><published>2009-03-25T21:36:00.006-04:00</published><updated>2009-03-25T22:43:53.363-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>Quickpost - new malware</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/ScrfdYmEQLI/AAAAAAAAAQY/NT9mfVXuf5k/s1600-h/tidserv.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 312px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/ScrfdYmEQLI/AAAAAAAAAQY/NT9mfVXuf5k/s400/tidserv.jpg" alt="" id="BLOGGER_PHOTO_ID_5317308005975605426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;New malware uploaded this evening. It's been causing problems everywhere.&lt;br /&gt;&lt;br /&gt;Symantec Calls this &lt;a href="http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-032211-2952-99"&gt;TidServ.G&lt;/a&gt; - It poisons DHCP and DNS and redirects DNS to the Ukraine.  This is the latest in DNS/DHCP poisoning malware.&lt;br /&gt;&lt;br /&gt;I call it &lt;a href="https://cid-5694a755c9c6a175.skydrive.live.com/browse.aspx/Public/exemplar18"&gt;exemplar18&lt;/a&gt; ;)&lt;br /&gt;&lt;br /&gt;A quick word about the graphic (being a graphical person)..&lt;br /&gt;&lt;br /&gt;The screenshot above is from &lt;a href="http://www.hbgary.com/"&gt;HBGary&lt;/a&gt;'s Responder Pro looking at the memory dump.  Note the loop on the left hand side?  
That's an awesome representation of an 'if' loop that is checking if the host is running security software (anti malware).  The malware will kill that software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1437166899929384196?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1437166899929384196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1437166899929384196&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1437166899929384196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1437166899929384196'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/quickpost-new-malware.html' title='Quickpost - new malware'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/ScrfdYmEQLI/AAAAAAAAAQY/NT9mfVXuf5k/s72-c/tidserv.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3892558770918845077</id><published>2009-03-22T22:44:00.000-04:00</published><updated>2009-03-22T22:45:07.004-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway malware theory'/><title type='text'>Gateway Malware Theory</title><content 
type='html'&gt;Over time I've started developing a simple theory I'm calling the Gateway Malware Theory. Stated simply, "Simple malware leads to more complex malware, and there is no such thing as simple malware".&lt;br /&gt;&lt;br /&gt;In more detail...&lt;br /&gt;&lt;br /&gt;In the early days of malware we had single-purpose, single-focus malware that spread through a single mechanism.  These days, even the simple malware is multi-vectored, multi-staged and downloads other, more nefarious malware.  Take Vundo, for instance.&lt;br /&gt;&lt;br /&gt;Vundo is, in other words, a downloader.  Once it makes its way onto a system it tends to download rogue programs or 'scareware'.  On occasion I've seen it download hupigon or some other nasty program. It also infects DLLs, exhausts system resources, downloads other malware and so on.
According to &lt;a href="http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;Fireeye&lt;/span&gt;&lt;/a&gt;, it's now downloading copies of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;Randsom&lt;/span&gt; and encrypting user documents.&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;Vundo&lt;/span&gt; is "simple &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;malware&lt;/span&gt;", yet it can take a mere infection from nuisance, to a fully compromised system that poses a real risk.   It's what I'm calling Gateway &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;Malware&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;This leads to the Gateway &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;Malware&lt;/span&gt; Theory, which goes something like this....&lt;br /&gt;&lt;br /&gt;Simple &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;malware&lt;/span&gt; infections, if not dealt with quickly, will inevitably lead to the download and installation of poorly detected &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;malware&lt;/span&gt; that poses a real and true risk to organizations. The focus of any investigation of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;malware&lt;/span&gt; should be less focused on the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;malware&lt;/span&gt; and more focused on the data that is contained on, or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;accesible&lt;/span&gt; from the infected system.  Therefore the first step in the investigation of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;malware&lt;/span&gt; should be data centric. 
If the contents of a system are unknown, then the risk, regardless of the presence of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;malware&lt;/span&gt;, can not be known or determined.  As such, the presence of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;malware&lt;/span&gt; is &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;irrelevent&lt;/span&gt; unless the contents of the system are known, and one must know what level of access the infected system, or user of the system has to sensitive data.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As I said I'm developing this theory still, and it's incomplete but take a look at some of the memory dumps I'm making public through my Memory snapshot project if you think you disagree.  Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3892558770918845077?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3892558770918845077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3892558770918845077&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3892558770918845077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3892558770918845077'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/gateway-malware-theory.html' title='Gateway Malware Theory'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8562469587254402933</id><published>2009-03-21T12:09:00.005-04:00</published><updated>2009-03-22T22:16:25.594-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>Malware project updates</title><content type='html'>As I mentioned in the addendum to the last post, I had a flaw in the method I was using.&lt;br /&gt;&lt;br /&gt;The flaw was twofold: memory page trimming in VMware, and I wasn't allowing the malware to execute fully.  I've fixed this, and as a result you'll see some fairly dramatic changes in the contents of the memory snapshots.&lt;br /&gt;&lt;br /&gt;I've uploaded a few snapshots today including:&lt;br /&gt;&lt;br /&gt;Ackantta&lt;br /&gt;Koobface&lt;br /&gt;Infostealer&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and I also reloaded the exemplar4 snapshot, which is an IRCbot with a few twists ;)&lt;br /&gt;&lt;br /&gt;I'll be adding a Mebroot and Randsom variant soon.  I've added a link to the blog for accessing my SkyDrive.  Expect regular updates.  
If you've got specific malware you want to see in memory, email me.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Updates:&lt;br /&gt;&lt;br /&gt;I've now uploaded 10 samples including: Waledac, Mebroot, and more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8562469587254402933?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8562469587254402933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8562469587254402933&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8562469587254402933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8562469587254402933'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/malware-project-updates.html' title='Malware project updates'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2931554711426810198</id><published>2009-03-19T00:18:00.009-04:00</published><updated>2009-03-21T08:22:35.438-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>Memory snapshot Project Part II</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_sisOS0kCuPo/ScHRyQ7E-_I/AAAAAAAAAQQ/QN0fifziQ0Y/s1600-h/IMG_2252+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 300px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/ScHRyQ7E-_I/AAAAAAAAAQQ/QN0fifziQ0Y/s400/IMG_2252+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5314759696740318194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;It appears that the memory snapshot idea has been well received, so I'm in the process of uploading more snapshots to my SkyDrive.  I think I've got a decent format now.&lt;br /&gt;&lt;br /&gt;Under my public folder you'll see a series of exemplarX files, where X is a number.&lt;br /&gt;&lt;br /&gt;Within each directory you can expect to find the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;about.txt&lt;/span&gt; - This identifies the malware and provides an MD5.  The binary is uploaded at offensivecomputing.net.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;virustotal_&amp;lt;malwarename&amp;gt;.pdf&lt;/span&gt; - This is a .pdf file containing VirusTotal results for the binary.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Exemplar segments&lt;/span&gt; - I decided on a more universal method of compression (tar.gz) and I've split the segments using the Linux split command.  These segments will need to be concatenated.  This can be done in Linux by using the cat command.  
In Windows, it's a copy command.&lt;br /&gt;&lt;br /&gt;On Linux:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;cat exemplar5.tar.gz.* &gt; exemplar5.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;On Windows:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;copy /b exemplar5.tar.gz.* exemplar5.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Simply extract the .vmem from the .tar.gz file and off you go.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;hashes.txt&lt;/span&gt; - This is a list of MD5 hashes of all segmented files, the .vmem file, the .pdf, and the about.txt file.&lt;br /&gt;&lt;br /&gt;This seems like a fairly decent model to follow, though I'm open to suggestions.&lt;br /&gt;&lt;br /&gt;I've posted a few more images and I'm in the process of creating several more.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;One thing to keep in mind is that while I try to validate the execution of the malware in a virtual setting, I am fallible.  If you think there's no trace of the malware in the memory dump, let me know.&lt;br /&gt;&lt;br /&gt;Happy malware hunting.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3/21/09 addendum&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A quick update.&lt;br /&gt;&lt;br /&gt;I realized a flaw in my methodology. I didn't give the malware enough time to fully execute, so I'm re-doing the exemplars. 
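The reassembly steps above, scripted as an added example (this is not code from the original post): it joins the exemplarN.tar.gz.* segments exactly as the cat command does, but also verifies the segments against hashes.txt before extracting, and verifies the extracted .vmem afterwards, so a truncated or altered download never reaches the analysis tools. It assumes hashes.txt is in md5sum's "hash  filename" format, which the post does not state.

```shell
#!/bin/sh
# Added example, not code from the original post: it automates the
# reassembly described above (cat the exemplarN.tar.gz.* segments into one
# archive) and adds the check an examiner wants before analysis, comparing
# the segments and the extracted .vmem against hashes.txt.
# Assumption: hashes.txt is in md5sum's "hash  filename" format.

# Join the split segments into one archive. split names its pieces so that
# shell glob (lexical) order is the original order.
reassemble() {
    archive="$1"                      # e.g. exemplar5.tar.gz
    cat "$archive".* > "$archive"
}

# Check only the segment entries of hashes.txt (the lines whose file name
# starts with the archive name followed by a dot), so a truncated or
# altered download is caught before anything is extracted.
# md5sum -c - reads the checksum list from stdin; --status keeps it quiet.
verify_segments() {
    archive="$1"
    grep -F "$archive." hashes.txt | md5sum --status -c -
}

# Check every entry in hashes.txt; after extraction that includes the .vmem.
verify_all() {
    md5sum --status -c hashes.txt
}

# Extract the archive and print the name of the .vmem it contained.
extract_vmem() {
    archive="$1"
    tar xzf "$archive" || return 1
    tar tzf "$archive" | grep '\.vmem$' | head -n 1
}

# Full procedure: reassemble, verify segments, extract, verify everything.
# Prints the .vmem name on success; returns 1 on any hash mismatch.
prepare_exemplar() {
    archive="$1"
    reassemble "$archive" || return 1
    if ! verify_segments "$archive"; then
        echo "segment hash mismatch for $archive"
        return 1
    fi
    vmem=$(extract_vmem "$archive") || return 1
    if ! verify_all; then
        echo "post-extraction hash mismatch (check $vmem)"
        return 1
    fi
    echo "$vmem"
}
```

Run it from the exemplar directory as prepare_exemplar exemplar5.tar.gz; the memory image is only handed over when both hash checks pass.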
&lt;br /&gt;&lt;br /&gt;If you downloaded exemplar4 already, I invite you to download it again.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2931554711426810198?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2931554711426810198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2931554711426810198&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2931554711426810198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2931554711426810198'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/memory-snapshot-project-part-ii.html' title='Memory snapshot Project Part II'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_sisOS0kCuPo/ScHRyQ7E-_I/AAAAAAAAAQQ/QN0fifziQ0Y/s72-c/IMG_2252+copy.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8245481462133438052</id><published>2009-03-17T23:08:00.007-04:00</published><updated>2009-03-17T23:54:07.375-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='memory analysis'/><title type='text'>A memory snapshot project</title><content type='html'>Some time ago, I got really tired of seeing lame attempts at proving the value of memory dumps by 
vendors showing that you could find "hxdef" strings in memory dumps.  Today, I'd like to announce a fledgling personal project of mine.  I don't yet have a name for it and it's in the very early stages, but it goes something like this...&lt;br /&gt;&lt;br /&gt;I see a lot of malware and I know there are a lot of people that don't.  I also know that people want to do memory analysis but the only real source of samples is from DFRWS from 4 years ago.  Here's what I'm doing...&lt;br /&gt;&lt;br /&gt;I take 'in the wild' malware, load it up in a virtual machine, suspend the virtual machine and extract the .vmem file.  I then upload the .vmem file and make it available to you, my faceless readers and the world at large.  This isn't one of those "contests" where I challenge you to analyze a memory dump.  Rather, I am providing memory dumps of 'in the wild' malware being run in a controlled environment.  Maybe this will help developers build better tools, maybe this will educate examiners, maybe this will build incident response IQ, maybe this will give students something to work with, or maybe I'll just waste some cycles providing this stuff. Time will tell.&lt;br /&gt;&lt;br /&gt;This post is more or less a test to see if the public can access my &lt;a href="http://skydrive.live.com/"&gt;SkyDrive&lt;/a&gt; to download the memory snapshots.  Up until now, I've had issues sharing files with others.  Hopefully SkyDrive helps with this issue.&lt;br /&gt;&lt;br /&gt;My first snapshot is &lt;a href="http://cid-5694a755c9c6a175.skydrive.live.com/home.aspx"&gt;&lt;span style="text-decoration: underline;"&gt;here&lt;/span&gt;&lt;/a&gt;.  The file is a split .AD1 file created with FTK Imager 2.5.5.  You'll need to combine the segments and extract the contents.  It's incredibly easy with FTK Imager.  The file contained within is a 7-Zip-compressed memory image.  Simply uncompress and have fun.  
All I ask at this point is that you let me know if you have issues, and maybe let me know if you find it valuable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8245481462133438052?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8245481462133438052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8245481462133438052&amp;isPopup=true' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8245481462133438052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8245481462133438052'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/memory-snapshot-project.html' title='A memory snapshot project'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8432248559881644250</id><published>2009-03-15T22:22:00.007-04:00</published><updated>2009-03-15T23:59:51.263-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Disaster averted</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/Sb3Ayp-kWVI/AAAAAAAAAP4/h9t07RrQsfg/s1600-h/Wiring1.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 
172px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/Sb3Ayp-kWVI/AAAAAAAAAP4/h9t07RrQsfg/s400/Wiring1.JPG" alt="" id="BLOGGER_PHOTO_ID_5313615111861328210" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's a rare day when I have truly exciting things happen.  Tonight, of course, was the exception.  A few months ago I had a hot water heater installed by so-called "professionals"...you know, the factory-trained kind.  I use a night-rate unit that controls when the heater is active.  This evening, when the unit turned on, all was well, or so I thought.  When I went to the basement to look at something, I noticed an acrid chemical smell of something metallic and plastic burning.  Having had "some" experience in this arena, I could tell that it was an electrical fire.  If you've never smelled an electrical fire, there's nothing else like it.  The smell of the metal wire and the plastic shielding produces a smell and taste that doesn't leave your mouth or nostrils any time soon.  Anyways, I had to locate the smell.  The problem with electrical fires, when you're in a room full of electrical wiring, is trying to locate exactly where the smell is coming from.  For this, unless you have a "hot spot" detector, you usually have to rely on the tried-and-true sniff test.&lt;br /&gt;&lt;br /&gt;So, there I was sniffing around my basement like a bloodhound trying to locate the source.  Finally I reached the hot water heater.  When you find the source, boy...you find the source.  Getting that close to the source of an electrical fire creates a bit of a gag factor, but it's temporary.  Needless to say, I turned off the breaker and called the fire department.  The problem was contained, but I wanted to make sure there were no hot spots growing in the conduit.&lt;br /&gt;&lt;br /&gt;Not wanting to lose the opportunity to learn, I tried to pay attention to every detail - you know, that whole "study the methods used by others" idea that I mention quite a bit.  
The Captain was the first on the scene.  I showed him where the fire was and got out of his way.  He surveyed the area, asked me a few questions and previewed the hot water heater - meaning he did a sniff test too.  When the rig arrived, I went out to let them in, and I showed them where to go.  They checked the area with the hot spot detector and validated my findings, then proceeded to tear apart the wiring to determine the scope of the damage.  You've already seen the wiring from inside the water heater.  Here's the wiring from inside the conduit.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/Sb3E_XFhBCI/AAAAAAAAAQA/FwM-HMqJXYo/s1600-h/wiring2.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 333px; height: 400px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/Sb3E_XFhBCI/AAAAAAAAAQA/FwM-HMqJXYo/s400/wiring2.JPG" alt="" id="BLOGGER_PHOTO_ID_5313619728175006754" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Suffice it to say the wiring is just destroyed.  The root cause was a short within the wire nut, caused by poor installation. That smoldering lump of plastic in the first picture is what used to be the wire nut. Anyways, all is well and the aftermath begins tomorrow.&lt;br /&gt;&lt;br /&gt;Naturally, this post isn't about the fire in my hot water heater tonight.  It's about incident response and a few of the things that contribute to, and separate, a good outcome from a bad outcome.&lt;br /&gt;&lt;br /&gt;1) Knowing the environment you're dealing with.  In this case, this was my house.  I knew what I had done today that could have created the situation, I knew where each electrical item was in my basement, I knew my wiring panel, and had it labeled.&lt;br /&gt;&lt;br /&gt;In the digital world, this is the same as knowing your organization.  
You need to know where your assets are, what the assets are, how they are connected, and you should have an up-to-date topology diagram.&lt;br /&gt;&lt;br /&gt;2) Experience and awareness.  I've dealt with electrical fires before and knew what the smell was.  I knew that a fire was nothing I was qualified to deal with, so I called the professionals without poking around more than was necessary.  I also knew that once I described the problem, answered questions and showed them the location of the fire, I should get out of their way and let them work.&lt;br /&gt;&lt;br /&gt;In the digital world, if you're the first responder or discover the incident, and you can't solve the problem yourself and you have someone on the way, don't meddle with the system; when the IRT arrives, show them where to go, answer their questions and get out of the way.  Hovering when an IRT is working does not help the situation.  If your assistance is required, you'll be asked to help.&lt;br /&gt;&lt;br /&gt;3) Factory-trained professionals don't always do the right thing, and they cut corners.  As the firefighters worked, they were talking to one another, discussing their findings and theorizing about the root cause.  The root cause was the people that installed my hot water heater.&lt;br /&gt;&lt;br /&gt;In the digital world, consultants are well paid but don't always do the right thing.  I've dealt with many cases where the root cause was the consultant's poor choices during installation.  Dropping firewalls, poor password security, etc.  When entering an engagement with a consultant, be sure that you know what you're getting.&lt;br /&gt;&lt;br /&gt;These are just a few of the things that you should be aware of in the world of incident response.  
The biggest lessons of the night for anyone out there who has an Incident Response Team at their disposal are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;If you are unsure, call the trained people who do know, before you do anything.&lt;/li&gt;&lt;li&gt;There's no shame in admitting you don't know everything and can't solve the problem.&lt;/li&gt;&lt;li&gt;If you know something is out of the ordinary, call quickly.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;A safe evening to all.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8432248559881644250?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8432248559881644250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8432248559881644250&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8432248559881644250'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8432248559881644250'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/disaster-averted.html' title='Disaster averted'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_sisOS0kCuPo/Sb3Ayp-kWVI/AAAAAAAAAP4/h9t07RrQsfg/s72-c/Wiring1.JPG' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7679870326328463867</id><published>2009-03-15T12:13:00.001-04:00</published><updated>2009-03-15T14:52:47.998-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reasonable belief'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>reasonable belief</title><content type='html'>Just about every state now has a law that addresses data breaches and notification thereof.  One thing they pretty much fail to do though is provide criteria for establishing reasonable belief.  Well, what is it you might be asking?&lt;br /&gt;&lt;br /&gt;Troy Larson provided the following to me for a definition:  "As a legal standard, reasonable belief is defined as what an average person in similar circumstances might believe."&lt;br /&gt;&lt;br /&gt;Ok, so that's easy enough.  What would a layperson believe if presented with the circumstances.  As it pertains to data loss investigations, we are never able to present our findings to an "objective" jury.  Instead, we present our findings to a subjective group of individuals that have a stake in the data loss process.  Sometimes you will be lucky enough to find yourself presenting your findings to a group or person with high ethical and moral standards who wants to do the 'right thing'(TM).  If you are lucky enough to find yourself in front of a decision making group, what do you present?  Of course, you present your findings in a factual manner, without attempting to inject bias or opinion (unless asked to render one).  The role of decision maker is not ours afterall.  However, we must take great care to not poison or influence the decision making process.  Our analysis must be thorough and complete.  It should not be based on assumption or speculation of "what if" or "they could have".  
That is not our role.  Our role is to present what we found, and if something we expected to find, is not found, then we may have reason to suspect something is wrong.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So we must ask ourselves this question - Given normal circumstances, what would a layperson base their decision on?  How is reasonable belief actually established?&lt;br /&gt;&lt;br /&gt;I'm attempting to answer this very question.  To do so, I pored over numerous reports and analyses and their resulting decisions.  I did some other research and came up with the following areas that I think influence how a person develops a reasonable belief when weighing the decision to notify as a result of a data loss investigation.&lt;br /&gt;&lt;span style="font-style:italic;"&gt;*note these are high level and not intended to be 100% complete.  The idea is to highlight areas of influence* &lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;MAC times&lt;/span&gt; – Access times post compromise date, not explained by business processes or applications, not attested to by a user, not explained by registry analysis.  No sign of MAC time tampering.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Depth/Breadth of penetration&lt;/span&gt; - System/root/administrative level access obtained on a system or obtained on multiple systems having access to sensitive data. Attacker had access to files or databases containing sensitive data. Stolen credentials used to log in to business systems and user account has access to sensitive data.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;System&lt;/span&gt; - Log files suggest data was acquired. Registry analysis shows signs of searching for, or looking through files, opening files containing sensitive data, USB history shows signs of unrecognized devices being used. Internet history shows attacker activity indicating data exfiltration.  
In other words, this is the typical forensic analysis of a system.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Attack Profile&lt;/span&gt; - Targeted attacks, spear phish against specific group or individuals having access to sensitive data. Attack directed at a singular and specific target containing sensitive data.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Detection&lt;/span&gt; - I've discussed time previously so I won't cover it, but I will summarize it by saying that when the window of time from time of compromise to time of containment is longer than 3 months, the decision maker tends to be influenced by this fact.  The same applies if the window is very small, say 24 hours.  The speed with which an incident is detected is a large factor for the decision maker.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Network&lt;/span&gt; - Flows/packet captures suggest that data traveling to external entities involved in the incident contained sensitive information. Encrypted traffic flows to/from attack related IP addresses that can not be explained by configuration file.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Malware&lt;/span&gt; - Sophistication of malware suggests the ability to log keystrokes, sniff network traffic, modify timestamps, search for and/or steal data. Malware related artifacts show sensitive data being accessed.  Malware is designed for theft of sensitive data.&lt;br /&gt;&lt;br /&gt;Of course there will be corner cases where companies *SHOULD* automatically notify as in the case of a stolen or lost laptop/tape/hard drive, and data is unenecrypted.  
This is a huge topic so I'll be discussing it again...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7679870326328463867?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7679870326328463867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7679870326328463867&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7679870326328463867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7679870326328463867'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/reasonable-belief.html' title='reasonable belief'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8144087452950730265</id><published>2009-03-15T08:52:00.000-04:00</published><updated>2009-03-15T08:52:01.833-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='mass casualty incident'/><title type='text'>Outbreak!</title><content type='html'>I have briefly mentioned Mass Casualty Incidents in the past. It's time to delve in to this a little and see where we end up.  
I'll likely spread this out over a few posts.&lt;br /&gt;&lt;br /&gt;One of the most widespread diseases in existence is malaria.  There's an estimated 200 to 300 million cases worldwide each year.  2-3 million of those result in death.  There is currently no vaccine.&lt;br /&gt;&lt;br /&gt;Let's focus on malaria for the time being.  Malaria is primarily spread through female mosquitos that pass a parasite to the victim.  That is to say a mosquito attaches itself to a victim, and injects saliva in to the wound to keep blood from clotting and the blood flowing.  There are areas of the world where mosquitos are highly prevalent, and these are also places of high infection rates.&lt;br /&gt;&lt;br /&gt;Wait a second.  Let's summarize.  An infectious disease, spread worldwide, causes death, and there is no vaccine, only treatment?&lt;br /&gt;&lt;br /&gt;Sounds a bit like a malware infection, or rather a malware outbreak doesn't it?  What if I were to tell you this is like the USB malware infections that spread all over, and caused the military to take a draconian approach of banning USB keys?&lt;br /&gt;&lt;br /&gt;I say this quite a bit but the best way to master your field is to study the methods used in other fields.  For an outbreak of this nature I refer to treating and preventing of malaria.&lt;br /&gt;&lt;br /&gt;Think about it.  Infected USB media is exactly like a mosquito, they contain a parasite and infect computers by injecting the executable referenced in their autorun files.&lt;br /&gt;&lt;br /&gt;Let me spell this out for you.  When you're faced with a transient population in the tens of thousands and a computer population of twice that number, and you have malware that spreads from one population to another, what do you do?  That is to say you've got mobile people with infected USB keys and systems that are either infected or about to be infected.&lt;br /&gt;&lt;br /&gt;Think malaria.  
Kill the mosquitoes, inoculate and protect the uninfected, treat the infected.  Unfortunately this is a problem.  Ever tried to track down thousands of USB keys?  How do you get hold of the USB keys?  How do you kill the infection on their USB keys?&lt;br /&gt;&lt;br /&gt;The answer is obvious.  You can't track them down.  So, let's focus on the second and third problems.  The solution, as is often the case, presented itself.&lt;br /&gt;&lt;br /&gt;In a highly distributed and decentralized environment (as many large organizations are), what needs to occur?  Coordination, communication, information.  This is step 1.  Without this, everything else fails.&lt;br /&gt;&lt;br /&gt;Consider calling an emergency gathering of key staff to establish the process and procedure for dealing with the threat.  Once the scope of the threat is conveyed, the action plan is established and off you go.  Instructions and ideas get shared and the uninfected population is already in the process of being further protected by local IT staff.&lt;br /&gt;&lt;br /&gt;What about the infected and the unknown?&lt;br /&gt;&lt;br /&gt;In the digital world, you can't kill USB keys by spraying them with repellent and other chemicals, and you can't compel tens of thousands of people to turn over their USB keys.  But you can establish a triage center for the people in possession of them, and ask them to bring them in.  There are two problems with this approach.&lt;br /&gt;&lt;br /&gt;1) Scope of population. There is of course a realization that not all USB keys will be accounted for, but through the coordination of efforts to inoculate and protect the uninfected while treating the infected, an intersection occurs, whereby both populations get protected and treated.&lt;br /&gt;&lt;br /&gt;2) Laziness.  People will not go out of their way to get a flu shot, and they will not go out of their way to get their USB key checked.  
So, do what the medical field does: establish triage centers in multiple, high-traffic areas.  &lt;br /&gt;&lt;br /&gt;So just what is a triage center for USB keys?  It consists of uninfectable systems (Mac and/or Linux systems) and scripts to detect infected USB keys.  Simply have an individual insert their USB stick and within seconds you know if you've got an infection.  Then you inoculate the USB stick and make changes to attempt to prevent a recurring infection.  In addition, you provide the person with the equivalent of a flyer that has detailed instructions to follow to inoculate and prevent infection of their computer.&lt;br /&gt;&lt;br /&gt;But wait... what's missing here? Knowledge of the threat.  In the midst of all of this, signature development needs to occur and threat assessments must continue.  This is all about continuous information gathering.  Samples need to be gathered and analyzed to determine the types and functionality of the malware.  A line must be drawn that differentiates high-value assets from the assets of little to no value.  
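As an added example (not from the original post), here is the kind of "script to detect infected USB keys" a Mac/Linux triage station could run: it assumes the key is already mounted (ideally read-only and noexec) at a path you pass in, parses the autorun.inf the way a worm-padded file needs to be parsed, and reports every key that would launch something on an autorun-enabled Windows host. The sample autorun.inf, file names and volume layout are constructed for the demo.

```python
# Added example: autorun.inf triage for a mounted USB volume (not the post's own code).
import os
import re
import tempfile
from dataclasses import dataclass, field

# [autorun] keys that launch a program when the media is inserted or opened.
RUN_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

@dataclass
class AutorunReport:
    inf_path: str
    present: bool
    commands: list = field(default_factory=list)  # (key, value) pairs that launch something
    findings: list = field(default_factory=list)  # one line per reason for concern

    @property
    def suspicious(self):
        # Any launch key on removable media is treated as an infection indicator.
        return bool(self.commands)

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.
    Parsed by hand because worms often pad the file with junk that configparser rejects."""
    pairs, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def launched_target(value):
    """First token of a command value with quotes stripped: 'x.exe /s' -> 'x.exe'."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def triage_volume(mount_point):
    """Inspect one mounted volume; returns an AutorunReport."""
    inf_path = os.path.join(mount_point, "autorun.inf")
    report = AutorunReport(inf_path=inf_path, present=os.path.isfile(inf_path))
    if not report.present:
        return report
    with open(inf_path, "r", encoding="latin-1", errors="replace") as fh:
        pairs = parse_autorun(fh.read())
    for key, value in pairs:
        if key in RUN_KEYS or SHELL_COMMAND_RE.match(key):
            report.commands.append((key, value))
    for key, value in report.commands:
        target = launched_target(value)
        local = os.path.join(mount_point, target.replace("\\", os.sep))
        if not os.path.exists(local):
            report.findings.append(f"{key} launches {target}, which is not on the volume")
        elif target.lower().endswith(EXEC_EXTS):
            report.findings.append(f"{key} launches executable {target} from removable media")
        else:
            report.findings.append(f"{key} launches {target}")
    return report

# Constructed sample autorun.inf, padded with a junk line the way infected keys often are.
SAMPLE_AUTORUN = "\n".join([
    "[autorun]",
    "x9f2kq",
    "open=RECYCLER\\updater.exe",
    "icon=%SystemRoot%\\system32\\shell32.dll,4",
    "shell\\explore\\command=RECYCLER\\updater.exe",
    "shellexecute=setup.exe",
    "[other]",
    "open=ignored.exe",
])

def run_demo():
    """Build a throwaway volume layout with the sample file and triage it."""
    with tempfile.TemporaryDirectory() as vol:
        os.mkdir(os.path.join(vol, "RECYCLER"))
        open(os.path.join(vol, "RECYCLER", "updater.exe"), "wb").close()  # placeholder binary
        with open(os.path.join(vol, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return triage_volume(vol)

if __name__ == "__main__":
    r = run_demo()
    print("suspicious" if r.suspicious else "clean", r.findings)
```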
This is where further triage takes place.&lt;br /&gt;&lt;br /&gt;More on this later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8144087452950730265?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8144087452950730265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8144087452950730265&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8144087452950730265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8144087452950730265'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/outbreak.html' title='Outbreak!'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4252719394972290565</id><published>2009-03-11T23:25:00.009-04:00</published><updated>2009-03-12T09:55:21.894-04:00</updated><title type='text'>The F-bomb</title><content type='html'>I'm in one of those moods this evening and I recently saw something that just makes me laugh and cry all at once.  This is to be considered not safe for work as I'll probably let loose the F-bomb a few times.&lt;br /&gt;&lt;br /&gt;I'm pointing the finger directly at Guidance Software and their classy representatives who see fit to trash their competition.  
Quid Pro Quo Guidance.&lt;br /&gt;&lt;br /&gt;To begin...Guidance is feeling the pressure of a small company breathing down their backs.  This product is being mentioned left and right in Guidance's own forums.  At one point, Guidance saw fit to blacklist all use of the name of the product.  Is that fear?  Afraid someone will catch on to your fleecing of the industry?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;First they begin by insulting the rest of the industry by saying that this "inferior tool" appeals to novice investigators.  As someone with many years of investigative experience I heartily disagree.  Maybe your internal investigators should take a few more classes, because the last time I checked, you use your own "superior" tools internally and when asked to produce documents you are magically unable to.  I'm fairly certain that even a "novice" could find those files.  I'm also fairly certain that a novice knows they're not supposed to store customer credit card information.  &lt;br /&gt;&lt;br /&gt;How about this "inferior product" appeals to the rest of the world because it costs a fraction of what FIM and EE cost.  More on that later.  How about it appeals to the rest of the world because it works?  How about it appeals to the rest of the world because it's simple?  How about it appeals to the rest of the world because it meets our needs?  A wise man once said "buy the cheapest product that meets your needs".  Guess what Guidance, your products are too expensive.  In these trying economic times, people don't have millions to invest in EE or tens of thousands to invest in FIM when this "inferior product" does just fine.&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;There are claims that this "inferior product" is not court validated.  Well Guidance, what does that mean?  Court validation is not something whereby someone waves a magic wand and stamps a product as "court validated".  
Validation comes through the process of presenting a case in front of a judge and withstanding scrutiny from the opposition.  "Court validation" is merely a forensic buzzword, just as "forensically sound" is.  DNA is court validated, is it questioned?  You betcha! As is blood evidence, and fingerprints.  Guidance says "our products have been vetted through court and industry peer review".  Is that why I see your customers bitching and moaning about how EnCase (all flavors) keeps crashing on them?  Let's discuss error rates hmmmm?  I don't recall seeing anything in Digital Investigation or other scientific journals showing industry peer review.&lt;br /&gt;&lt;br /&gt;Acquiring data using a new transfer method.  Guidance claims this "inferior product" uses an untested acquisition and transfer method.  Guidance, are you saying that EnCase acquisition is untested?  I thought you said it was court validated?  After all, your tool is what's being used to do the acquisition.  Are you also saying that an industry standard protocol is untested for data acquisition and transfer?  My god, stop the presses and contact all of your SAN manufacturers that use iSCSI.  Your data is not to be trusted when crossing the wire using that protocol!  I guess I better comment on those RFCs.  Why, in their message, they even mention AccessData Enterprise as being unproven.  Let's not leave anyone out here.  Did Guidance forget all the issues they had with their agent?  Apparently so.&lt;br /&gt;&lt;br /&gt;They go on to mention that there are no granular permissions used by this "inferior tool".  Tell me something, if I have the dongle and the dongle needs to be plugged in to my machine, and I set a username and password of my choosing, what more do I need?&lt;br /&gt;&lt;br /&gt;No auditing.  My god stop the presses again.  Windows stopped auditing events.  This "inferior tool" provides no auditing.  1) That's easily fixed.  2) It's not required.  
The process is documented by the investigator.  Don't you teach that in your own classes?  Let's see... I have a read only connection to a target.  Better audit that.  Oh wait, that's already done either by the operating system or the tool itself.  And besides, do you mean to tell us that EnCase doesn't provide an audit log of actions taken?  tsk tsk.&lt;br /&gt;&lt;br /&gt;No end node processing.  Uhm...do I care about this when all I need to do is acquire an image?  Do I care about this when I need to examine an intrusion?  That your product does this client side...how about impact analysis?&lt;br /&gt;&lt;br /&gt;Limited Volatile Data capabilities.  Uh-oh... here it comes... what are you talking about on this point?  Do you even know?  Volatility can't identify hidden processes or injected DLLs or better yet NIC information (what do you mean here anyways, that I can't determine what NIC is in the machine?)?  I better let Aaron Walters know!  Better yet I better let Mandiant know that their product can't do these things.  Finally they get to the point.  Ahh... Snapshot can do all this and better yet it makes it easy!  Not to mention that EE can dump the memory space for a single process! I can't do that with other tools?  Guess I better stop doing it with Volatility.  That capability can be yours through Guidance for $$$$$$$$$$$$$$$$$$$$$$$ &lt;Oops out of memory&gt;. Guess we're all screwed in the memory analysis field.  Let's not mention that they're attacking a beta product.  Is that fear I smell again?&lt;br /&gt;&lt;br /&gt;No Solaris, Mac, Linux, AIX, Novell.  Hey I have an idea, why not throw in Plan 9 while you're at it?  Newsflash!  It supports Mac and Linux. I should know... I did an awful lot of testing on both. Guess that takes care of about 95% of the market.  Time to check those sources before you start a smear campaign.  &lt;br /&gt;&lt;br /&gt;No encryption during transfer.  
This is true, but let me say right off, that IPsec is built into Windows, and works just fine.&lt;br /&gt;&lt;br /&gt;No compression.  I've acquired terabytes and never had an issue caused by lack of compression.  Try again.&lt;br /&gt;&lt;br /&gt;64bit examiners.  This entire section is based on supposition.  Using terms such as (un)likely and "not yet developed" is something that should never be said.  Are you on the development team?  Are you in the private meetings?  If you have no facts to back up your claim, keep your mouth shut.  &lt;br /&gt;&lt;br /&gt;Limited Stealth capabilities.  Guidance can install a better trojan. There's a point in your favor.  Hold on to that for dear life.  Why not use that in your marketing?&lt;br /&gt;&lt;br /&gt;Invasive compared to servlet.  The "inferior tool" is not passive.  That's right, it doesn't sit there disabled until I want to enable it.  They say it requires copying it to the end node.  Guess I better shred my CDs that I run it from, and better burn my USB keys that I run it from too.  They say it disturbs the endpoint more than the servlet which uses about 1MB of space.  Oh I get it, it overwrites disk space.  Now we're talking bits and bytes consumed by agents. Here's a hint, check your facts.  This "inferior tool" uses less space than your agent. In addition, if any agent is part of a standard build process then it doesn't alter anything.  Deploying an agent in a triage situation is what's called "acceptable", just like inserting an IV is acceptable if the patient needs it.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Agent deployment is manual and doesn't scale.  Newsflash! Check out the videos.  Management of the agent is manual they say..but it's installed as a service on a remote system.  Stop the presses!  Microsoft has no way of managing services remotely.  Better get Redmond on the phone!&lt;br /&gt;&lt;br /&gt;A user cannot ask the service to perform a task and receive feedback.  Hmmm, let's see.  
I tell a service to start and open a connection.  Did it connect?  I'd call that feedback.&lt;br /&gt;&lt;br /&gt;No throttling of the service.  No service management in windows?  EnCase can set low, medium and high priorities for processes?  I can't say I understand the point they're trying to make with this argument.  &lt;br /&gt;&lt;br /&gt;Ah yes... the enterprise sweep enscript.  psst... let me clue you in... who says I need your script to search my own mapped drives?  Guess a for loop stopped being useful.  And another powerful utility is the database snapshot utility!  pssst... guess what... I can have a look at the database using native tools.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And now we get to my favorite part.  Money.  EnCase FIM costs approximately what?  $15k to start?  &lt;br /&gt;&lt;br /&gt;What can I get with $15k?&lt;br /&gt;AccessData FTK or X-Ways&lt;br /&gt;Two Cisco ASAs&lt;br /&gt;The "inferior tool"&lt;br /&gt;&lt;br /&gt;and I've still got $5k.  I can ship an ASA to a client, preconfigured to create a tunnel back to my shop and voila, encryption solved.  Not to mention I've got $5k in my pocket.  With that extra $5k, I can even deploy a dedicated system in the remote location.&lt;br /&gt;&lt;br /&gt;Now let's discuss EnCase Enterprise.  Average cost of an EnCase Enterprise deployment?  Well over the 6 figure mark just to start!  A real deployment is in the millions.  There are a few corporations that will spend this kind of money.  If that's what they need, then so be it.  They've got the budget for it.  For the rest of the world, there's no way anyone is going to buy it.  I refer to the wise man for this.  "Buy the cheapest that meets your needs".  So I think to myself, what can I buy for $250,000?  I can buy myself an awful lot of hardware that provides all the infrastructure needed.  I can even purchase dedicated lines to those "important clients".  I can buy an entire development team to build me a product.  
Point is I can build a bigger, better, more robust forensic capability by NOT using your product for the same amount of money, or less.  And that's a low end EnCase Enterprise deployment. &lt;br /&gt;&lt;br /&gt;A few litigious words come to mind after reading the message from Guidance but that's not for me to worry about.  What concerns me most, is that this message is from the "world leader in digital investigations".  Time to change that slogan to "The biggest douche bags in the forensics industry"TM.   Honestly, is this who we want representing the industry?  Is this the kind of stuff that should be tolerated?  I don't mind and in fact I fully support an honest competition, but when you start this game, it's bad for everyone.  This is an outright smear campaign by Guidance and there are too many false statements to count; unfortunately, given the history of Guidance, I'm somehow not surprised.  I am, like I said in the beginning, amused by this as well.  Guidance is actually showing fear.  Only those who are afraid lash out.  Guidance has lashed out at a number of vendors in the industry with this message.  
It's truly sad when they have to resort to this.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Harlan has &lt;a href="http://windowsir.blogspot.com/2009/03/bashing-competitionfail.html"&gt;picked up&lt;/a&gt; on this story as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4252719394972290565?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4252719394972290565/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4252719394972290565&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4252719394972290565'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4252719394972290565'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/f-bomb.html' title='The F-bomb'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3884202551760997699</id><published>2009-03-09T23:18:00.008-04:00</published><updated>2009-03-09T23:57:14.709-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><title type='text'>Flypaper</title><content type='html'>Years ago I played football and I can recall the day when my coach grabbed me before the game and gave me a pair of receiver gloves.  
He said "Here, now your hands are like flypaper."  If you've never worn receiver gloves before, I can tell you they have a sticky substance on the palms and fingers when the gloves are new.  Not a ton, but enough to make them tacky...like flypaper.  &lt;br /&gt;&lt;br /&gt;While testing &lt;a href="http://www.hbgary.com"&gt;HBGary&lt;/a&gt;'s Responder Pro product, Rich Cummings turned me on to a secondary product in their lineup.  It's called &lt;a href="http://www.hbgary.com/download_flypaper.html"&gt;flypaper&lt;/a&gt;.  It's currently a free download and I've got to tell you it's been a great experience using it.  The process is simple.&lt;br /&gt;&lt;br /&gt;Load a virtual machine from a snapshot.&lt;br /&gt;Run flypaper.&lt;br /&gt;Execute the malware or binary of your choice.&lt;br /&gt;Suspend the virtual machine.&lt;br /&gt;Examine the .vmem file.&lt;br /&gt;Unpause the virtual machine.&lt;br /&gt;Stop flypaper. &lt;br /&gt;Extract the flypaper log file - which happens to log changes to the system.  (You could extract the file from the .vmdk if you were inclined of course.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A quick look at how simple the flypaper interface is:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/SbXjkLM5pAI/AAAAAAAAAPw/rHEuAycCauM/s1600-h/flypaper.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 233px; height: 315px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/SbXjkLM5pAI/AAAAAAAAAPw/rHEuAycCauM/s320/flypaper.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5311401546175063042" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You're probably saying... uhh, I do that anyway.  Ahh, but flypaper allows you to have great control over what can happen.  For instance, you can block all network traffic to and from the virtual machine.  You can also prevent processes from exiting.  Why is this important?  
Well, friends, have you ever tried to reverse engineer something that's packed with Themida or Armadillo?   These are two of the most advanced packers out there and they are pretty useless when flypaper is involved.  How about a multistage packed binary? When a program executes and loads into memory, it's unpacked.  Flypaper keeps it that way and allows you, the examiner, an opportunity to look at a completely naked version of the malware.  How's that for a time saver?  How about that's flippin sweet?  Is it 100% effective? No, it's not, but it gives us a chance to examine malware without a lot of the pains involved with reverse engineering packed malware.  And if you were to do the memory dumping with FastDump or FD pro, you could get a copy of the page file for complete analysis of memory.  With Responder and Responder pro in the mix and the ability to analyze the pagefile and memory dump, HBGary is building an impressive suite.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3884202551760997699?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3884202551760997699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3884202551760997699&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3884202551760997699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3884202551760997699'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/flypaper.html' 
title='Flypaper'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_sisOS0kCuPo/SbXjkLM5pAI/AAAAAAAAAPw/rHEuAycCauM/s72-c/flypaper.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5819385093274198050</id><published>2009-03-09T22:37:00.005-04:00</published><updated>2009-03-09T23:56:46.603-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Why your antivirus can't tell you anything useful.</title><content type='html'>I wrote about your antivirus being unable to tell you anything &lt;a href="http://forensicir.blogspot.com/2008/11/what-your-antivirus-isnt-telling-you.html"&gt;here&lt;/a&gt; and &lt;a href="http://forensicir.blogspot.com/2008/12/what-your-antivirus-isnt-telling-you.html"&gt;here&lt;/a&gt;.  I want to take a quick minute to tell you why your antivirus product can't tell you the things you want to know.  Or how about you hear the AV industry tell you why they can't tell you anything?  The following two quotes are from an AV vendor.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;"The most effective detection nowadays is either generic (detection of whole families and sub-families), proactive (heuristics, sandboxing, emulation etc), or hybrid.”&lt;br /&gt;&lt;br /&gt;“In the 90s, a good heuristic scanner could claim to detect something like 70-80% of new malware: clearly, that's no longer the case.“&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That sort of explains some things I think.  
The primary detection method is generic, followed by a proactive and hybrid detection model.  In short, antivirus products can't do what they claim to - which is protect your system from malware infections.  And when they do detect malware, they are unable to tell you a whole lot about it since the method of detection is nonspecific.  &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan&lt;/a&gt;'s been on a rampage lately discussing how antivirus vendors are unable to provide adequate information to Incident Responders and I tend to think this explains the source of the problem.  &lt;br /&gt;&lt;br /&gt;Given that AV vendors are admitting they can't do the same thing they used to, I tend to think it's past time organizations move beyond antivirus products and into new markets.  Antivirus products are now marginalized and they can't keep up with the malware onslaught.  I don't say this to be pessimistic, but I do tend to think it's true.  The battle is not being lost, it already is lost. Relying on antivirus products alone is simple negligence.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5819385093274198050?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5819385093274198050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5819385093274198050&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5819385093274198050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5819385093274198050'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/why-your-antivirus-cant-tell-you.html' 
title='Why your antivirus can&apos;t tell you anything useful.'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-4456563831553013883</id><published>2009-03-09T20:21:00.001-04:00</published><updated>2009-03-09T23:55:02.595-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Who dropped their pants?</title><content type='html'>I am developing a new reality game show for intrusion analysts and investigators. I'm calling it&lt;br /&gt;"WHO DROPPED THEIR PANTS?"&lt;br /&gt;&lt;br /&gt;There are several ways systems get compromised, but more often than not it's due to a misconfiguration or sloppy management of controls.  I constantly refer back to something Charl van der Walt of &lt;a href="http://www.sensepost.com/"&gt;SensePost&lt;/a&gt; said a few years ago about sysadmins being able to screw up only once.  That has stayed true.  I've analyzed countless incidents where the root cause was determined to be gross misconfiguration leading to compromise.  The vendor could come in and instruct the sysadmin to disable the host firewall to make a specific piece of software able to function.  A sysadmin could tire of testing and rush a system into production before it was ready.  A list of passwords could be stored in the root of the drive in cleartext.  You get the idea.  Someone is dropping the pants on a system right now in your organization in order to get something to work.  Why, for many people what's the first troubleshooting step when there's a firewall involved?  Disable the firewall of course.  Well, did they turn it back on?  
My most favorite line in the past has been "That system is a Mac running OS X, are you sure it's compromised?"... this being a question I receive from clients when I alert them that something is amiss.&lt;br /&gt;&lt;br /&gt;The first thing I want to know is why in this day and age are people still being given absolute control over a system when their job is to manage only one functional role held by the system?  Take a database server for instance.  Does the DBA need full admin rights over the operating system, or do they need limited or no rights to the operating system, and full rights over the database they are responsible for?  When the untrained has more access than required and they are knowledgeable enough to inadvertently do damage, the organization is begging for trouble.  Unfortunately this is an all too common occurrence in the IT field.  Hence the name of my new game "WHO DROPPED THEIR PANTS?"  So for us as responders what do we do?  &lt;br /&gt;&lt;br /&gt;Well, you want to find out who has access to a system and what rights they have.  Then you want to find out when they were logged in to the system and whether they were logged in at or around the time of compromise.  In addition, is the proper logging in place to determine their actions at the time of compromise?  
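As an added example (not from the original post), the three questions above can be worked through in code once the account list, logon sessions and audit policy have been collected from the system: which accounts were active around the compromise time, whether their group memberships exceed what their job role needs, and whether the audit policy in place could reconstruct what they did. The role-to-group baseline, the accounts, sessions, compromise time and audit policy below are all constructed for the demo.

```python
# Added example: correlate rights, logon sessions and audit policy around a compromise time.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ADMIN_GROUPS = frozenset({"Administrators", "Domain Admins"})

# Assumed least-privilege baseline: the local groups each job role actually needs.
ROLE_NEEDS = {
    "dba": frozenset({"SQL Operators"}),
    "webadmin": frozenset({"IIS_IUSRS"}),
    "sysadmin": frozenset({"Administrators"}),
}

# Audit categories needed to reconstruct an interactive user's actions after the fact.
NEEDED_AUDIT = ("logon_events", "process_creation", "object_access")

@dataclass(frozen=True)
class Account:
    name: str
    role: str
    groups: frozenset

@dataclass(frozen=True)
class Session:
    user: str
    logon: datetime
    logoff: Optional[datetime]   # None: still logged on when evidence was collected
    source: str                  # console, rdp, service ...

def excess_groups(account):
    """Groups an account holds beyond what its role needs (per the assumed baseline)."""
    return account.groups.difference(ROLE_NEEDS.get(account.role, frozenset()))

def overlaps(session, start, end):
    """True if the session was active at any point within [start, end]."""
    logoff = session.logoff if session.logoff is not None else end
    return end >= session.logon and logoff >= start

def logging_gaps(audit_policy):
    """Needed audit categories that are missing, given {category: enabled} as collected."""
    return [c for c in NEEDED_AUDIT if not audit_policy.get(c, False)]

def who_dropped_their_pants(accounts, sessions, audit_policy, compromise_time,
                            window=timedelta(hours=2)):
    """For every account active around the compromise: its rights, whether they exceed
    its role, and whether its actions can be reconstructed from the audit policy."""
    start, end = compromise_time - window, compromise_time + window
    by_name = {a.name: a for a in accounts}
    gaps = logging_gaps(audit_policy)
    results = []
    for s in sessions:
        if not overlaps(s, start, end):
            continue
        acct = by_name.get(s.user)
        if acct is None:
            # A session for an account missing from the collected account list is itself a finding.
            results.append({"user": s.user, "source": s.source, "privileged": None,
                            "excess": None, "reconstructible": not gaps})
            continue
        results.append({
            "user": acct.name,
            "source": s.source,
            "privileged": bool(acct.groups.intersection(ADMIN_GROUPS)),
            "excess": sorted(excess_groups(acct)),
            "reconstructible": not gaps,
        })
    # Privileged, over-entitled accounts first: the likeliest place a control was switched off.
    results.sort(key=lambda r: (r["privileged"] is not True, not r["excess"], r["user"]))
    return results

# Constructed sample evidence.
T0 = datetime(2009, 3, 9, 20, 0)   # assumed compromise time from the intrusion timeline
ACCOUNTS = [
    Account("dba_joe", "dba", frozenset({"SQL Operators", "Administrators"})),  # more than the role needs
    Account("web_amy", "webadmin", frozenset({"IIS_IUSRS"})),
    Account("ops_sam", "sysadmin", frozenset({"Administrators"})),
]
SESSIONS = [
    Session("dba_joe", T0 - timedelta(hours=1), None, "rdp"),                  # still logged on
    Session("web_amy", T0 - timedelta(hours=6), T0 - timedelta(hours=5), "rdp"),
    Session("ops_sam", T0 + timedelta(minutes=30), T0 + timedelta(hours=1), "console"),
    Session("svc_backup", T0 - timedelta(days=1), None, "service"),            # not in the account list
]
AUDIT = {"logon_events": True, "process_creation": False}   # object_access not collected at all

if __name__ == "__main__":
    for r in who_dropped_their_pants(ACCOUNTS, SESSIONS, AUDIT, T0):
        print(r)
```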
These are just a few things to keep in mind when determining "WHO DROPPED THEIR PANTS?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-4456563831553013883?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/4456563831553013883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=4456563831553013883&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4456563831553013883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/4456563831553013883'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/who-dropped-their-pants.html' title='Who dropped their pants?'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7048899375037405617</id><published>2009-03-07T20:21:00.003-05:00</published><updated>2009-03-09T23:54:36.996-04:00</updated><title type='text'>A long month</title><content type='html'>February was, in a word, 'brutal'.  Time has been very short, leaving me with just a few hours of sleep each night.  It was such a long month that I can't yet recall all that happened; it just hasn't processed.  The engagements were long and arduous, arguably some of the most interesting to date, full of new challenges.  
I'm hoping to find some time to finish a few posts and add new ones.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7048899375037405617?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7048899375037405617/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7048899375037405617&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7048899375037405617'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7048899375037405617'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/03/long-month.html' title='A long month'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-490178052902657385</id><published>2009-02-08T07:50:00.005-05:00</published><updated>2009-02-08T11:12:56.405-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='podcast'/><title type='text'>Support Talk Forensics</title><content type='html'>There's a new podcast/online radio show by Larry Daniel called &lt;a href="http://www.blogtalkradio.com/TalkForensics"&gt;Talk Forensics&lt;/a&gt;.  I'm really looking forward to this since Larry is bringing real forensics experts in to discuss forensics.  It's every Sunday at 4 pm Eastern, starting today when Larry talks with a cadaver and trailing dog expert.  
Apparently Larry needs at least 500 downloads to extend his show. Larry's blog, if you didn't know is over at &lt;a href="http://exforensis.blogspot.com"&gt;exforensis&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-490178052902657385?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/490178052902657385/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=490178052902657385&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/490178052902657385'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/490178052902657385'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/02/support-talk-forensics.html' title='Support Talk Forensics'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-136134348853666399</id><published>2009-02-05T00:19:00.002-05:00</published><updated>2009-02-20T09:57:57.110-05:00</updated><title type='text'>Graphical representation of concepts</title><content type='html'>Recent discussions led me to do a little homework and reading in the past few days.  These discussions were more or less along the lines of how to make an impact when presenting data of interest to decision makers.  As you all should know by now I am a very visually oriented person.  
If a graphic can help make sense of a difficult-to-explain subject, then use the graphics.&lt;br /&gt;&lt;br /&gt;To date, the best presentation I've seen that included graphics was given by &lt;a href="http://www.amazon.com/Malware-Forensics-Investigating-Analyzing-Malicious/dp/159749268X"&gt;James Aquilina&lt;/a&gt; at TechnoSecurity 2008.  His use of animated characters to present concepts was just brilliant.  I wish I had been able to ask him a few questions after the presentation.&lt;br /&gt;&lt;br /&gt;Anyways, I had to present to a group of decision makers some time ago about the Master Boot Record Rootkit and how it worked.  I fought for hours trying to figure out what would make sense.  How could I describe an MBR rootkit in simple terms?  I determined there was simply no easy way to describe its complexity and have them understand.  So, why try?  If I would only confuse them by talking about it, why not have a graphic or two that would get my point across and make sense to them?&lt;br /&gt;&lt;br /&gt;I simply developed the following:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SYpakdN2V6I/AAAAAAAAAPQ/3Sezb2ncuhs/s1600-h/Slide07.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 150px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SYpakdN2V6I/AAAAAAAAAPQ/3Sezb2ncuhs/s200/Slide07.jpg" alt="" id="BLOGGER_PHOTO_ID_5299147493919315874" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SYpbQtzp2DI/AAAAAAAAAPg/8waOjGlHRmw/s1600-h/Slide08.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 150px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SYpbQtzp2DI/AAAAAAAAAPg/8waOjGlHRmw/s200/Slide08.jpg" alt="" id="BLOGGER_PHOTO_ID_5299148254287091762" border="0" /&gt;&lt;/a&gt;
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;We of the technical breed need to realize something, and need to realize it fast.  If you're going to work in this field, you need to make people understand difficult subjects.  If you can maintain technical accuracy and make a lay person understand you, then you've succeeded.  In this case, using the graphics removed the need to describe the ins and outs of sectors and MBR code and JMP instructions and turned it into a discussion of "this malware is bad" after a simple explanation, and allowed the decision makers to focus on the meaningful stuff.&lt;br /&gt;&lt;br /&gt;Now let's discuss issues of time.  How do you use time in a presentation to the lay person?&lt;br /&gt;&lt;br /&gt;In many cases we may do this with a report that reads something like this:&lt;br /&gt;&lt;br /&gt;11/2/08 9:25 AM&lt;br /&gt;FTP service on server was modified.&lt;br /&gt;&lt;br /&gt;An FTP account with a weak password was created and the account was granted access from external hosts.&lt;br /&gt;&lt;br /&gt;11/8/08 9:22 PM&lt;br /&gt;System was remotely compromised by a brute force FTP attack.&lt;br /&gt;&lt;br /&gt;11/8/08-1/12/09&lt;br /&gt;FTP access was used for distribution of warez.&lt;br /&gt;&lt;br /&gt;1/20/09&lt;br /&gt;Sensitive data was downloaded from the server.&lt;br /&gt;&lt;br /&gt;2/4/09&lt;br /&gt;System Administrators discover the incident and respond by pulling the network cable, scanning the computer with antivirus, and deleting the files created by the attackers.&lt;br /&gt;&lt;br /&gt;2/5/09&lt;br /&gt;IRT responds and collects incident data.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Sure, this is simplified greatly, but it's a common method of using time.  Let me point something out if you didn't catch it.  There was a three-month gap in the incident, from the time of compromise to the time of containment.  
There was a two month period of time when the system was being used for warez distribution.  The brain must process that time lapse in a textual presentation.  Math must be done to calculate the temporal proximity.  *&lt;span style="font-weight: bold;"&gt;hint&lt;/span&gt;* people reading your report don't want to do math or think too hard.&lt;br /&gt;&lt;br /&gt;Now look at this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/SYpmj3d244I/AAAAAAAAAPo/inqVu9dunxk/s1600-h/example_timeline_blog.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 206px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/SYpmj3d244I/AAAAAAAAAPo/inqVu9dunxk/s320/example_timeline_blog.png" alt="" id="BLOGGER_PHOTO_ID_5299160677925446530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What are you drawn to?  The green?  The red?  That there is an apparently large gap between the two green items?  Now we're getting somewhere.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Harlan's &lt;a href="http://windowsir.blogspot.com/2009/02/timeline-analysis.html"&gt;concepts&lt;/a&gt; for using time are a great starting place for this.  As he says, and I agree, we identify a point or span of time where actions took place and present them using various elements.  I'm not *yet* using this graphical representation at a micro level where we present MAC times and small correlated events to tell the story.  I'm using this at a high level to tell the story of the events leading up to, and during the incident.  This is an abstracted view of an incident that can be used to explain incident events to the decision maker or lay person.  Think about a presentation you might have to give to a body responsible for deciding the fate of an organization.  This group might include C level execs and their underlings.  How would you present an incident to them?  
Is a report format appropriate?  Would your report even get read in enough detail?  My philosophy is to write your technical report as normal, but create an executive report with a graphic or two and a timeline that highlights important points in time.&lt;br /&gt;&lt;br /&gt;The goal should be to explain the incident, but keep it simple enough to keep their attention or call their attention to specific items of interest.  You can get as fancy as you like, as long as you don't lose the audience.  The following is a different way of looking at the same timeline.  *think timed presentation*. &lt;span style="font-style: italic;"&gt; I do apologize for the poor quality, the video did not render properly from the original to YouTube.&lt;/span&gt; &lt;span style="font-style: italic;"&gt;I'm working on a different render and hope to have it updated soon.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/PRhzV3wVRwQ&amp;amp;hl=en&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/PRhzV3wVRwQ&amp;amp;hl=en&amp;amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="344" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;There is definitely more work to be done with using time and timelines.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-136134348853666399?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/136134348853666399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=136134348853666399&amp;isPopup=true' title='4 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/136134348853666399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/136134348853666399'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/02/grahpical-representation-of-concepts.html' title='Graphical representation of concepts'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_sisOS0kCuPo/SYpakdN2V6I/AAAAAAAAAPQ/3Sezb2ncuhs/s72-c/Slide07.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-6373353330405812036</id><published>2009-01-30T14:20:00.000-05:00</published><updated>2009-01-30T14:20:18.815-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='digital forensic science'/><title type='text'>Say what?</title><content type='html'>So you've hired an expert.  They're supposed to be representing you as an 'expert' in a court of law.  Here are some things you never want to hear them say.  These are real statements.  
If anyone wonders why regulation of our field is a requirement, think about these quotes and what it means when a qualified expert makes them.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;"The EnCE is like a little badge of honor".&lt;br /&gt;&lt;br /&gt;"I took two five day courses, and no other formal training".&lt;br /&gt;&lt;br /&gt;"My analysis looked the other direction".&lt;br /&gt;&lt;br /&gt;"Most likely it's an issue related to our examination computer".&lt;br /&gt;&lt;br /&gt;"We have no procedure for chain of custody".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-6373353330405812036?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/6373353330405812036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=6373353330405812036&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6373353330405812036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6373353330405812036'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/say-what.html' title='Say what?'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-28544478905717769</id><published>2009-01-30T11:00:00.009-05:00</published><updated>2009-01-30T13:40:24.170-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='digital forensic science'/><title type='text'>Friday thoughts to expand on</title><content type='html'>I've been having some interesting discussions of late.  Instead of keeping these things 'close to the chest', I figured I'd throw out some thoughts and questions (some rhetorical) here.  This is more of a placeholder than anything, but if you have thoughts of your own please share them.&lt;br /&gt;&lt;br /&gt;Do particular sources of artifacts speak more loudly or carry more weight when they are reviewed by the trier of fact (think lay person in a decision-making role) in a case? &lt;br /&gt;&lt;br /&gt;Do more sources of artifacts automatically mean a stronger case, or must they agree to make a stronger case? Which ones matter and which ones have a "who cares" factor?&lt;br /&gt;&lt;br /&gt;Think preponderance of evidence.&lt;br /&gt;&lt;br /&gt;Reasonable belief is a game that can't be played in digital forensic science due to the circumstantial nature of digital evidence as it pertains to intrusions.  It's like working a murder case with no body and no weapon.  A clinical approach is required, and a clinical approach requires criteria, yet no criteria have been established in any state.&lt;br /&gt;&lt;br /&gt;If given SYSTEM or root-level privileges on a computer, could you, with your knowledge set, defeat your own ability to accurately analyze that same system?&lt;br /&gt;&lt;br /&gt;Does Access equal Acquired?  
Acquired is what the law looks for.&lt;br /&gt;&lt;br /&gt;With operating systems and applications being as over-engineered as they currently are, is there any possibility of anyone being able to show cause and effect?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-28544478905717769?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/28544478905717769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=28544478905717769&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/28544478905717769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/28544478905717769'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/friday-thoughts-to-expand-on.html' title='Friday thoughts to expand on'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-657715203106086801</id><published>2009-01-28T08:34:00.008-05:00</published><updated>2009-01-28T14:57:41.270-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='regripper'/><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='F-Response'/><category scheme='http://www.blogger.com/atom/ns#' term='registry'/><title type='text'>Using RegRipper</title><content 
type='html'>I have been doing oodles of analysis lately (6+TB since December!) and have been making heavy, heavy use of registry analysis in each case.  For this I've been using &lt;a href="http://regripper.net/"&gt;Regripper&lt;/a&gt;, so I figured I would dedicate at least one post to it and how I make use of it.  I also happen to be a firm believer that someone can tell a person to use something 1000 times, but until they actually see it in use or can see the utility in using it, they are less likely to follow your recommendation.  With that said, here are a few ways I use regripper.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1) Determine group membership.&lt;br /&gt;&lt;br /&gt;Like no other tool I've used to date, the samparse module has saved me hours of analysis time in determining who belonged to what group and what privileges they had.  Just this morning I saw some mailing list posts about determining why there was no user account listed for a particular account in the SAM on a Windows XP box.  The answer was rather simple: the account was a domain account. &lt;br /&gt;&lt;br /&gt;Here's an abridged example of what I'm talking about:&lt;br /&gt;&lt;br /&gt;User Information&lt;br /&gt;------------------------------------------------&lt;br /&gt;Username: Administrator [500]&lt;br /&gt;Username: Guest [501]&lt;br /&gt;Username: SUPPORT_388945a0 [1002]&lt;br /&gt;Username: SUPPORT_3f151ab9 [1003]&lt;br /&gt;Username: HelpAssistant [1004]&lt;br /&gt;Username: ASPNET [1006]&lt;br /&gt;&lt;br /&gt;Group membership information&lt;br /&gt;------------------------------------------------&lt;br /&gt;Group Name: Power Users [1]&lt;br /&gt;   Users: S-1-5-21-1461745249-492156796-3006755465-1119&lt;br /&gt;&lt;br /&gt;Group Name: Administrators [3]&lt;br /&gt;  Users: S-1-5-21-296978250-731684933-3931576523-500&lt;br /&gt;&lt;br /&gt;To explain, the top portion lists the local user accounts.  
Under the Group membership section we can see the Power Users group with a SID/RID combination that doesn't fit with the system.  How do I know this?  This is easily determined by examination of the Administrators group section of the file.  The Administrator account has the well-known SID S-1-5-N-500, that is, the machine SID followed by RID 500. As such, I now know the system SID and can say that the account in the Power Users group is NOT a local account. This can and *should* be correlated with the software hive analysis of the ProfileList key, whose values detail the user account and its SID.  When looking at the software hive, you can quickly determine the account name from the SID and the domain name in question.&lt;br /&gt;&lt;br /&gt;2) Determine services installed.&lt;br /&gt;&lt;br /&gt;Regripper has a great module to determine what services were on the system, sorted by last write time.  Comparing this to an exemplar list of Windows services allows you to a) do data reduction and b) determine what services may have been installed or leveraged by an intruder.&lt;br /&gt;&lt;br /&gt;3) Windows Firewall configuration.&lt;br /&gt;&lt;br /&gt;I once had an incident where an external consultant claimed the firewall was not disabled by them (which is what caused the incident); however, the firewall according to regripper was disabled, and other logs confirmed this, with all roads pointing to the consultants. &lt;br /&gt;&lt;br /&gt;4) Confirmation of devices in use on the system. 
&lt;br /&gt;&lt;br /&gt;There have been a number of times when I could say to a customer that had been infected with removable-media malware "You'll want to make sure you clean up these devices" or identify "rogue" devices that had been used on a system.&lt;br /&gt;&lt;br /&gt;5) Determine network configuration.&lt;br /&gt;&lt;br /&gt;In a world dominated by a lot of DHCP and a variety of network usage, determining the last known IP address used by the system is invaluable, especially when you need to plug the IP address into various network analysis utilities.  I use this (and other markers) to make sure I've got the system I'm supposed to have.&lt;br /&gt;&lt;br /&gt;6) Determine user activity.&lt;br /&gt;&lt;br /&gt;Naturally there are a bunch of good things here to look at, and every investigation includes a look here. &lt;br /&gt;&lt;br /&gt;In short, there are untold ways to use regripper for analysis. These are just a few small examples of how I've made use of the tool.  I don't really know how many people are using it, but there sure are a bunch of people who aren't, and that's just a shame.  It's a great tool that simplifies the process of registry analysis and, simply stated, it saves time.  As we all know, time is money and saving both is important to everyone involved in investigations.  Don't forget, as I showed in the video I posted some time ago, it can be run in concert with &lt;a href="http://www.f-response.com"&gt;F-response&lt;/a&gt; to look at an otherwise "locked" registry hive on a remote system, while it's live. 
&lt;br /&gt;&lt;br /&gt;There's much more I could say about using regripper but I imagine there will be plenty included in Windows Forensic Analysis &lt;a href="http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224"&gt;second edition&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-657715203106086801?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/657715203106086801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=657715203106086801&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/657715203106086801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/657715203106086801'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/using-regripper.html' title='Using RegRipper'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8638809218514198170</id><published>2009-01-10T11:46:00.005-05:00</published><updated>2009-01-10T22:50:20.293-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>The internet is for porn</title><content type='html'>It's a well known saying to be sure.  The internet is for porn.  
Perhaps the funniest depiction of this was a Chappelle Show &lt;a href="http://www.reallybored.net/videos/What-if-the-Internet-Was-a-Place-You-Could-Go-To"&gt;episode&lt;/a&gt;.  It's probably NSFW if you've never seen it, and it's absolutely hilarious, but it definitely raises a number of points that speak to the industry we work in.&lt;br /&gt;&lt;br /&gt;Here's a scenario for you...&lt;br /&gt;&lt;br /&gt;Joe the finance executive at a bank is browsing the web.  He visits a news site, and a link to a site that suggests adult conversations is flashing in the ad banner space.  Joe is happily married, yet he's curious, and temptation overrules logical thought.  He's acting completely right-brained.  Living in the moment for the moment, not thinking about the future.  He visits the "adult conversation" site and bam! he's assaulted with pictures and popups of all forms of pornography.  Now Joe's in a whole other world.  His basal instincts have taken over and what was supposed to be a quick check-in on the local news turned into a trip down porn lane.  A few clicks later and an install of Flash Player, and he's merrily watching some streaming porn on his laptop at work.&lt;br /&gt;&lt;br /&gt;Joe is happy, Joe is enjoying himself.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You, sitting in your position of overwatch, looking for strange and outlandish network behavior, notice Joe's computer doing something like this:&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,27289,72.213.167.190,FSA,80,909,573,11,6,0,0,TCP,POST / HTTP/1.1..Host: iexujguw.com..Content-Length: 116..Connection: close.....,HTTP/1.1 200 OK..Server: nginx/0.5.33..Date: Fri. 05 June 2008 16:20:27 GMT.&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,42583,212.55.163.216,FSA,80,784,687,10,6,0,0,TCP,POST /4D3D07E3ABDFC3C5/qxUX4xETUFYBWqc0kaWCzvoCcAQCYSNwZgcyFiBAByC73XXm0CcAYgVSB,HTTP/1.1 200 OK..Server: nginx/0.5.35..Date: Fri. 
05 June 2008 16:40:16 GMT.&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,16197,212.55.163.216,FSA,80,848,1054,11,7,0,0,TCP,POST /4D3D07E3ABDFC3C5/qxUX4xETUFYBWqc0kaWCzvoCcAQCYSNwZgcyFiBAByC73XXm0CcAYgVSB,HTTP/1.1 200 OK..Server: nginx/0.5.35..Date: Fri. 05 June 2008 17:00:17 GMT.&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,3884,66.102.1.101,FSPA,80,1334,12549,13,14,0,0,TCP,POST /safebrowsing/downloads?client=navclient-auto-ffox&amp;amp;appver=3.0.5&amp;amp;pver=2.2&amp;amp;wr,HTTP/1.1 200 OK..Content-Type: application/vnd.google.safebrowsing-update..Date:,,1010,,&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,4124,66.102.1.100,FSPA,80,1322,12549,13,14,0,0,TCP,POST /safebrowsing/downloads?client=navclient-auto-ffox&amp;amp;appver=3.0.5&amp;amp;pver=2.2&amp;amp;wr,HTTP/1.1 200 OK..Content-Type: application/vnd.google.safebrowsing-update..Date:,,1010,,&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,59619,212.55.163.216,FSA,80,784,687,10,6,0,0,TCP,POST /4D3D07E3ABDFC3C5/qxUX4xETUFYBWqc0kaWCzvoCcAQCYSNwZgcyFiBAByC73XXm0CcAYgVSB,HTTP/1.1 200 OK..Server: nginx/0.5.35..Date: Fri. 05 June 2008 17:20:18 GMT.&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,51889,212.55.163.216,FSA,80,784,687,10,6,0,0,TCP,POST /4D3D07E3ABDFC3C5/qxUX4xETUFYBWqc0kaWCzvoCcAQCYSNwZgcyFiBAByC73XXm0CcAYgVSB,HTTP/1.1 200 OK..Server: nginx/0.5.35..Date: Fri. 05 June 2008 17:40:18 GMT.&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,4392,66.102.1.101,FSPA,80,1438,12549,13,14,0,0,TCP,POST /safebrowsing/downloads?client=navclient-auto-ffox&amp;amp;appver=3.0.5&amp;amp;pver=2.2&amp;amp;wr,HTTP/1.1 200 OK..Content-Type: application/vnd.google.safebrowsing-update..Date:,,1010,,&lt;br /&gt;&lt;br /&gt;111.222.33.44,FSPA,58415,212.55.163.216,FSA,80,784,687,10,6,0,0,TCP,POST /4D3D07E3ABDFC3C5/qxUX4xETUFYBWqc0kaWCzvoCcAQCYSNwZgcyFiBAByC73XXm0CcAYgVSB,HTTP/1.1 200 OK..Server: nginx/0.5.35..Date: Fri. 
05 June 2008 18:00:20 GMT.&lt;br /&gt;&lt;br /&gt;Joe has managed to visit one of the countless porn sites that is actually owned and/or operated by a sub-group in organized crime, or hosts malicious Flash or other malware.&lt;br /&gt;&lt;br /&gt;Joe, in his quest for local news, and following his temptations, has opened up the organization to a whole new world of risk.&lt;br /&gt;&lt;br /&gt;Joe is compromised.&lt;br /&gt;&lt;br /&gt;Not only is he compromised, but he's managed to get a copy of &lt;a href="http://www.rsa.com/blog/blog_entry.aspx?id=1378"&gt;Sinowal&lt;/a&gt; loaded onto his computer.  Joe, being the finance director at the bank, has access to all of the financial information of all of the bank's customers, and he uses this access to run reports.  Joe is now responsible for exposing the records of all of the customers of the bank.&lt;br /&gt;&lt;br /&gt;OK, enough about Joe.&lt;br /&gt;&lt;br /&gt;What I find interesting about all this is how, in a matter of a few seconds, one can go from a nice clean site to an awful bodega of porn in a matter of a few clicks.  Like six degrees of separation, the internet appears to be '6 clicks to porn', as in from any site you can end up at a porn site in 6 clicks.  It's like walking down a street in a major city: from block to block, you can go from the best part of the city to the worst and most dangerous.  I don't know many people that would willingly walk down a dark, dank avenue known to have muggers and other dangerous people. Yet people do it daily on the internet. Most users don't seem to put the two together.  For some reason it's as if people still believe that computers are in a separate reality and whatever happens on a computer does not have the ability to affect real people or their lives.&lt;br /&gt;&lt;br /&gt;If the saying that computers are deterministic is to be believed, then it can easily be stated that computers don't do bad things.  
People using computers doing stupid things leads to computers doing bad or stupid things.&lt;br /&gt;&lt;br /&gt;That said, in the case of Joe, do you think he should be punished or should you simply investigate the computer intrusion?  Do your intrusion investigations lead to investigation of the people using the computer?  Is Joe the Witness, the Perpetrator, or the Victim? What's your decision making process?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There is a bit of intel to be gained from this post.  Sinowal has definite characteristics on the network.  In my experiences they are as follows:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Always communicates with nginx webservers, acting as proxies.&lt;/li&gt;&lt;li&gt;Uses a 20 minute timer, and will skew on occasion but not by much. &lt;/li&gt;&lt;li&gt;Uses a static HTTP POST with 16 hex characters followed by a trailing slash.&lt;/li&gt;&lt;li&gt;Uses a domain generation routine much like &lt;a href="http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html"&gt;Srizbi&lt;/a&gt; and will do an HTTP POST to / at that domain name.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8638809218514198170?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8638809218514198170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8638809218514198170&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8638809218514198170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8638809218514198170'/><link rel='alternate' 
type='text/html' href='http://forensicir.blogspot.com/2009/01/internet-is-for-porn.html' title='The internet is for porn'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7715388946146849818</id><published>2009-01-04T12:37:00.003-05:00</published><updated>2009-01-04T12:58:31.448-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='digital forensic science'/><title type='text'>A call to arms</title><content type='html'>Well, not really to arms in that we should be brandishing weapons.  Rather, we should be brandishing our legal arms and need to stand up for ourselves and protect our industry and our right to perform our duties.  Nothing in 2008 illustrated this more than the Private Investigator laws that popped up in many states.  The legislators are perhaps the worst informed about how our industry actually works.  Conversely, they have been lobbied the hardest by those who wish to force their wills upon us and our industry.  In some states, forensic analysts and small business owners stood up for themselves and managed to have laws drawn up appropriately.  However, in many other states we stood idle while the laws that affect us were drawn up around us.  We still have no governing body for digital forensics.  We are still an industry born out of Information Technology rather than science.  Yes, steps are being taken to get us included in scientific forensic organizations, but this is not enough.  We need to get more involved in the decisions that affect us the most. For example, physical memory analysis has been huge since its true inception in 2005.  We need to decide how we want this type of analysis to be used in a legal setting.  
There will likely come a time when legal matters can be decided on the basis of memory analysis.  Many people were taken by surprise when the PI laws seemingly materialized from thin air, yet they had been in process for quite some time already. &lt;br /&gt;&lt;br /&gt;We need to be prepared as an industry.  We need to stand up for our industry.  We need to improve our industry.  We need to pay attention to the legislation that affects our ability to perform our duties.  Digital Forensics must become Digital Forensic Science.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7715388946146849818?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7715388946146849818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7715388946146849818&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7715388946146849818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7715388946146849818'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/call-to-arms.html' title='A call to arms'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1379085833429899933</id><published>2009-01-03T20:03:00.025-05:00</published><updated>2009-01-05T20:54:02.121-05:00</updated><title type='text'>The golden 
hour</title><content type='html'>I briefly mentioned the &lt;a href="http://en.wikipedia.org/wiki/Golden_hour_%28medicine%29"&gt;golden hour&lt;/a&gt; in a &lt;a href="http://forensicir.blogspot.com/2008/12/footprints-in-snow.html"&gt;recent&lt;/a&gt; post.  Matt beat me to the punch in his &lt;a href="http://www.f-response.com/index.php?option=com_content&amp;amp;task=view&amp;amp;id=100&amp;amp;Itemid=9"&gt;post&lt;/a&gt;, but I wanted to spend a little time on the golden hour.   In my opinion, the golden hour exists in two places for incidents and incident response.&lt;br /&gt;&lt;br /&gt;1) The time between the time of compromise and time of containment&lt;br /&gt;2) The time between the time of containment and the point in time where response truly begins&lt;br /&gt;&lt;br /&gt;This post will focus on the second frame of time.&lt;br /&gt;&lt;br /&gt;The golden hour is a medical term generally reserved for a period of time that is most critical for a patient in need of care.  The idea is that if the proper care can be given within this golden hour, the chances the patient will survive increase dramatically.  This isn't necessarily a hard period of 60 minutes, rather it can be seen as a principle of providing high quality care as rapidly as possible.&lt;br /&gt;&lt;br /&gt;I like to think of it as a guiding principle for Incident Response.&lt;br /&gt;&lt;br /&gt;You see, I think it applies to Incident Response in a way that I don't think many people pay attention to.  Of all the people I have been in contact with, there is one that really gets it (actually he preaches it as well) and I can't count the times &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan&lt;/a&gt; has said something to the effect of "incident responders are like EMTs".  EMTs play a huge role in the success of the golden hour.  They are responsible for providing immediate care and transport of the patient.  
The symbol of the EMT is known as the &lt;a href="http://www.ems.gov/vgn-ext-templating/ems/sol/pages/DesignOrigin.htm"&gt;&lt;span style="text-decoration: underline;"&gt;star of life&lt;/span&gt;&lt;/a&gt;.  It's a symbol many have seen but I wonder how many people understand the meaning behind each point and the symbol in general.&lt;br /&gt;&lt;br /&gt;I won't attempt to reiterate the details of the symbol and its humble beginnings, and under no circumstance would I attempt to in any way take anything away from the folks that wear the symbol by doing a direct comparison between EMS work and Incident Response.  I know several people that wear or have worn that symbol and simply stated, they save lives. We work with bits and bytes and there is no comparison.&lt;br /&gt;&lt;br /&gt;That said, as I have said before, the best way to master our own field is to study the methods used in other fields.  So here goes.&lt;br /&gt;&lt;br /&gt;The 6 points of the 'star of life' each represent a specific portion of the role EMS plays.  
They are as follows:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;Detection &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;Reporting   &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;Response &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;On Scene Care &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;Care in Transit &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt;Transfer to Definitive Care &lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;  This is where our 'golden hour' begins to take shape.&lt;br /&gt;&lt;br /&gt;If we can do the following, our OODA loops close quicker, our response is more effective and who knows..we might be able to get closer to the truth.  Our goals are (or should be):&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;  &lt;span style="font-weight: bold;"&gt;Early Detection&lt;/span&gt;&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;  Early Reporting&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;  Rapid Response&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;  Good on scene practices&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;Care in transit&lt;br /&gt;&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;  Solid Forensic analysis&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Early detection I think I covered already.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Early Reporting&lt;/span&gt;&lt;br /&gt;The reason this is here is twofold.  We want our clients and customers to file reports with us as early as possible.  
In addition, we need to be able to provide our reports to the proper people in a timely manner and communicate as often and as appropriately as possible.  The worst decisions are made when the decision maker is uninformed.  It is our duty to inform the decision maker as early as possible provided we have something substantial to share.&lt;br /&gt;&lt;br /&gt;Take the following into consideration regarding reporting:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Provide your clients with a standard reporting template.  This template should be updated regularly to ensure it allows the client to provide you with enough information to respond properly&lt;/li&gt;&lt;li&gt;Provide multiple intake options such as Web, phone, paper&lt;/li&gt;&lt;li&gt;Use a standardized report template&lt;/li&gt;&lt;li&gt;Notify the proper people within your organization within 24 hours of an incident occurring&lt;/li&gt;&lt;li&gt;Get in touch with the client as soon as possible to establish expectations&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;span style="font-weight: bold;"&gt;Rapid Response&lt;/span&gt;&lt;br /&gt;This is where Matt's post filled in a gap for me.  Rapid Response is essential to effective response.  It is for this reason that a mandatory response time should be established.  Every minute that passes after an incident occurs without a response is a minute that you've given to the intruder. Unfortunately responding to an incident takes time.  Typically there's a huge gap whereby the intruder can do any number of things to the system.&lt;br /&gt;&lt;br /&gt;Getting on scene physically or remotely as quickly as possible is tough.  I've had incidents where I had to get to no fewer than 5 physical locations.  There are others who have geographical concerns.  This is where &lt;a href="http://www.f-response.com/"&gt;F-response&lt;/a&gt; closes the gap and allows us to respond rapidly.  Think about it.  What is in the standard toolbox of a technician that might respond to a compromised system?  
Antivirus programs, file deletion, backup/restore software, hijackthis (or similar), netstat, task manager and other similar diagnostic tools.  These tools are known to stomp all over the things we tend to care about.  By the time we get on scene a technician will likely have touched the computer.  Again, this is where F-response can play a role.  I'd love to get F-response into the hands of every technician out there.  Why F-response over something like Encase Enterprise you might ask?  Simple.&lt;br /&gt;&lt;br /&gt;1) EE is expensive.  Think of what else you could do with that money that would beef up your response.&lt;br /&gt;2) F-response is inexpensive.  This is the most appropriately priced tool in the industry.&lt;br /&gt;3) It's simple.  I can give a client a CD and tell them to simply pop it in a drive, and I can begin to analyze a system.  I can teach them how to use the product in about 5 minutes.&lt;br /&gt;4) It's tool agnostic.  It provides the ability to use any of your other tools to do analysis.  You aren't locked into Encase or FTK or X-ways, you can use all three if you want to.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Putting a tool this simple in the hands of technicians would allow for an even more granular tier of response whereby the technician could gain access to a system in a protected manner and they could then perform basic triage functions.  Antivirus scans could be run safely to identify any malware the AV product is capable of detecting.  The rebuilding process could begin on another physical computer while you either travel or prepare to respond remotely.  Either way what I think we tend to miss most often is setting the expectation for the technician or first responder.  What do you want them to do, and what do you not want them to do?  
I can't count the times I've heard techs say "Sure you can have the disk for imaging but I need to get some files off first", or "I copied the files I could find and zipped them up, then I deleted the files.  I thought I was doing the right thing".  From their perspective I can understand that, however that's not what we want them to do.  In order to create a granular response capability whereby the technician or local sysadmin can assist, what do you need?&lt;br /&gt;&lt;br /&gt;1) Training&lt;br /&gt;2) Usable Procedures - think basic flowchart&lt;br /&gt;3) Simple tools that work&lt;br /&gt;&lt;br /&gt;In addition to tools like F-response, live response procedures must exist and they must be followed.  If your team members are going out in the field, and they are dealing with systems that are still on when they arrive, they need to know how to conduct a live response.  Where resources are spread thin, you can provide a rapid response capability by creating tiers of response.  Not all incidents require a full incident response team traveling on site.  Some incidents are minor or can be triaged by local staff before you can arrive.&lt;br /&gt;&lt;br /&gt;Rapid response is founded on early and accurate reporting.  Imagine getting on scene and not having the proper equipment.  That would be a disaster.  We need to be informed before we respond.  You should be able to define for someone what you need to know.&lt;br /&gt;&lt;br /&gt;When you are on site in a response situation, you should be able to make decisions when you need to.  
There are times when you should follow the playbook and there are times when you should throw out the playbook because the playbook doesn't cover the situation at hand and you need to make a solid tactical decision.&lt;br /&gt;&lt;br /&gt;Some things to consider about rapid response:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Geographic separation&lt;/li&gt;&lt;li&gt;Resource availability and tiered response&lt;/li&gt;&lt;li&gt;Training of response staff&lt;/li&gt;&lt;li&gt;Training of first responders&lt;/li&gt;&lt;li&gt;Tools that enhance or provide rapid response capability&lt;/li&gt;&lt;li&gt;Knowledge of a diverse set of operating systems&lt;/li&gt;&lt;li&gt;Established protocols&lt;/li&gt;&lt;li&gt;Response team is cleared to make decisions&lt;/li&gt;&lt;li&gt;Response team should be properly informed&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Good on scene practices&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Once we arrive on scene we need to know what we're doing and we need to be able to do it well.  Getting on scene and screwing something up is unacceptable.  The right person needs to be available for the response and the right people need to be available from the organization you're serving.  It does us no good to have the web guy when we need the database guy.  So what helps when you're on scene?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Establish protocols for common scenarios&lt;/li&gt;&lt;li&gt;Ensure your tools are updated and work as expected&lt;/li&gt;&lt;li&gt;Be thorough&lt;/li&gt;&lt;li&gt;Be flexible&lt;/li&gt;&lt;li&gt;Have the right people available&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Care in transit&lt;/span&gt;&lt;br /&gt;This for incident responders is relatively simple.  Not only must we travel safely, but if we have taken a disk or a disk image we need to transport it safely.  Carrying a bare disk around is not something I enjoy seeing.  
Drives should be packaged carefully as should systems that are seized.  If a drive dies in our possession we are held responsible.  So what must we do?&lt;br /&gt;&lt;br /&gt;We need to prevent tampering, static and shock from affecting a drive we've seized.  These are the principles of device and drive seizure yet they are not always taken into account.  I use a combination of drive cases and anti-static bags for this purpose.&lt;br /&gt;Take the following into consideration for care in transit:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Safety&lt;/li&gt;&lt;li&gt;Shock&lt;/li&gt;&lt;li&gt;Static&lt;/li&gt;&lt;li&gt;Tampering&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Solid Forensic analysis&lt;/span&gt;&lt;br /&gt;Finally we need to provide solid forensic analysis.  Once the drive or image has arrived in our various evidence lockers and we are ready to perform an analysis, it must be thorough, complete, accurate and precise.  The use of "I believe" or "perhaps" in our conclusions is nothing more than self reassurance and these statements tend to falter in the face of scrutiny.  We must be careful in our analysis and in our presentation of data.  I will not spend too much time on this as it tends to be a subject worthy of other future discussions.  Forensic analysis is the final destination for Incident Response.&lt;br /&gt;&lt;br /&gt;Our goal is to reach this stage as rapidly and as effectively as possible.  Our clients count on it.  It is our duty as incident responders to provide proper response in the golden hour.  
Have any thoughts to add?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1379085833429899933?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1379085833429899933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1379085833429899933&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1379085833429899933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1379085833429899933'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/golden-hour.html' title='The golden hour'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-440857140585562670</id><published>2009-01-01T11:07:00.006-05:00</published><updated>2009-02-04T09:28:14.034-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lessons Learned'/><category scheme='http://www.blogger.com/atom/ns#' term='tales from the field'/><title type='text'>Tales from the field - the degausser</title><content type='html'>Until recently I had never seen nor used a degausser.  Sure I'd read about them, heard folks talk about them, but never had the fun of using one or seeing one in use.  The solution of choice had been to ship the drives out for shredding. 
With the economy being what it is we invested in a degausser that looks something like this&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_sisOS0kCuPo/SYml7--qsvI/AAAAAAAAAPI/AD1CiREFPvY/s1600-h/per8000.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 177px; height: 143px;" src="http://1.bp.blogspot.com/_sisOS0kCuPo/SYml7--qsvI/AAAAAAAAAPI/AD1CiREFPvY/s320/per8000.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5298948886514807538" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Like anyone else that gets a new toy we were excited to test this thing out.  We had a few spare hard drives ready for destruction and wanted to see if degaussing even worked.  The instructions were simple: put a drive in the tray, put the gloves on, and step on the pedal.  Swirl the tray around in the provided circles for 10 seconds per side, and voila you'll have a cooked drive.&lt;br /&gt;&lt;br /&gt;Sounded simple enough....&lt;br /&gt;&lt;br /&gt;First we tried a 2.5" drive.  BBBBBRRRRRRRRRRMMMMMMMMMMMMM...the degausser sounded off as it did its dirty work.  Flip the drive over and BBBBBRRRRRRRRRRMMMMMMMMMMMMM...We pulled the drive off.  Yep, it was toasty alright and it was accompanied by the smell of hot metal.   I took the drive back to my workstation after it had cooled off a bit.  I wanted to see what had happened and wanted to see if the drive was still usable.&lt;br /&gt;&lt;br /&gt;I plugged it into my trusty writeblocker and turned on the writeblocker.  The familiar whirring of the platters was quickly accompanied by a shocked "HOLY @$*%"  coming out of my mouth.  I could read the drive just fine.  Not only was the drive intact, the filesystem was consistent and boy could I read the files.  
I quickly called over my teammates and we all looked at the drive contents as if we'd never seen a directory before.&lt;br /&gt;&lt;br /&gt;Quickly I ran down the hall accompanied by another round of BBBBBRRRRRRRRRRMMMMMMMMMMMMM as the degausser chewed up another drive.  This time it was a 3.5".  I walked into the room as the tray rattled around on top of the degausser.   Not long after I entered the room was I walking back down the hall with two very hot hard drives in hand.  I couldn't wait to see these not work.&lt;br /&gt;I plugged in one drive and wouldn't you know it, I could read that one too. In disbelief I tried the other one.  Yep I could read that one too.  I pulled the drive from the write blocker and tried to format it.  That actually did not work.  Ok, so I could read the drive but could not write to it.  That's reassuring but I care about someone being able to read it.&lt;br /&gt;&lt;br /&gt;It was as if I'd been punched in the face.  It was then that I recalled what the gentleman at &lt;a href="http://www.edrsolutions.com/default.asp"&gt;EDR&lt;/a&gt; said when I was talking to him at Techno Security.  He said "The problem with degaussers is that yeah sure, it's been marked as degaussed, but that's all you've got.  Someone else saying they ran that drive through a degausser.  What guarantee do you have that the drive is useless?"&lt;br /&gt;&lt;br /&gt;Apparently I had no guarantee that the degausser works.  If we couldn't get it to work properly, how would the people at the location actually housing this thing be able to ensure the drives were rendered useless?  Promptly the vendor was contacted.  They suggested we try to rotate the drive on another axis in addition to laying the drive flat.  Willing to give it another try we turned the drive on its side and rotated it for the prescribed time.  This time when I plugged in the drive, I could not read it.  This was reassuring.  
Each successive time we tried a drive I was unable to read it.&lt;br /&gt;&lt;br /&gt;This certainly reinforced the need to test all new equipment regardless of what its purpose is.  It also reinforces the need to periodically verify the equipment to ensure it's still working and you can trust it.  Degaussing a drive is an interesting experience.  I know that I for one would rather see a drive physically shredded, ground or smelted than degaussed.  At least that way I can guarantee the drive is useless.&lt;br /&gt;&lt;br /&gt;Have any degaussing stories?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-440857140585562670?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/440857140585562670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=440857140585562670&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/440857140585562670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/440857140585562670'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/tales-from-field-degausser.html' title='Tales from the field - the degausser'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_sisOS0kCuPo/SYml7--qsvI/AAAAAAAAAPI/AD1CiREFPvY/s72-c/per8000.gif' height='72' width='72'/><thr:total>3</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-923234772590804567</id><published>2009-01-01T09:31:00.001-05:00</published><updated>2009-01-01T09:36:56.838-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>sticking out</title><content type='html'>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVw6Br4WHSI/AAAAAAAAANc/tkL7n9bylmk/s1600-h/IMG_2245+copy.JPG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVw6Br4WHSI/AAAAAAAAANc/tkL7n9bylmk/s320/IMG_2245+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5286163863259454754" border="0" /&gt;&lt;/a&gt;Commonly, when an intrusion occurs, an attacker will leave behind various types of detritus. Oftentimes this is in the form of malware or a toolkit. In a recent compromise the attacker downloaded and left 80 MB of tools behind! This is admittedly not par for the course. Typically I'll see about 5-10 MB of detritus per incident. Identifying these files and classifying them is increasingly difficult. Consider the picture I've placed here. In a world where all items are of approximately the same color, this ball sticks out like an eyesore against the backdrop. How about in a filesystem where good files are known, an unknown file will stick out. Ah...if only that utopia existed. It can, if you invest in whitelisting a common build, but for most people out there that's just not reality.  
Unfortunately not only is identifying malware difficult, but what do you do with something you suspect of being malicious?&lt;br /&gt;&lt;br /&gt;Suppose you are a technician checking out a system that you suspect has been compromised.  You check with your antivirus program and fail to detect anything strange.  However, you notice something looks out of place.  You could submit the malware to your antivirus vendor of choice, but depending on your licensing you may not get a response for 4-8 hours.  Imagine malware living in your intranet for 4-8 hours because your vendor is slow.  Believe me when I say that makes for a long day if you've never had to do it.&lt;br /&gt;&lt;br /&gt;You could also bypass your vendor, get results quickly, develop a solution and roll it out in the time the vendor is working on a new definition.  How would you do this?&lt;br /&gt;&lt;br /&gt;As far as identification goes, what options are available? There are of course the more well known websites for submission. These sites have been mentioned and used by many for a long time now:&lt;br /&gt;&lt;a href="http://www.virustotal.com/"&gt;Virustotal&lt;/a&gt;&lt;br /&gt;&lt;a href="http://anubis.iseclab.org/?action=home"&gt;Anubis&lt;/a&gt;&lt;br /&gt;&lt;a href="http://cwsandbox.org/"&gt;CWSandbox&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.norman.com/microsites/nsic/Submit/en-us"&gt;Norman&lt;/a&gt;&lt;br /&gt;&lt;a href="http://virusscan.jotti.org/"&gt;Jotti&lt;/a&gt;&lt;br /&gt;&lt;a href="http://fileadvisor.bit9.com/services/search.aspx"&gt;Bit9&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's all well and good. I use these sites with some regularity, and the results have been good to date. There are some other options that you may or may not be aware of when you want to determine the badness(TM) of a file. Many of us are familiar with NSRL and other hashing projects and we should all be familiar with hashes and hashing files. 
Our tools do this for us automagically when we process an image, and if not, it's easy enough to generate a hashlist of the files in an image.&lt;br /&gt;&lt;br /&gt;Suppose for a second that you have a list of files and their hashes, such as one generated by FTK Imager's directory listing capability. Suppose you want to take this list and look for possible malware. You could spend an obscene amount of money on a particular tool that matches hashes, or you could try some of these options:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.virustotal.com/buscaHash.html"&gt;Virus total hash matching&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.offensivecomputing.net/"&gt;Offensivecomputing hash search&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.team-cymru.org/Services/MHR/"&gt;Team Cymru malware hash registry&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And what about web based malware such as Javascript or Flash?&lt;br /&gt;&lt;br /&gt;You could try these tools and sites:&lt;br /&gt;&lt;a href="http://wepawet.iseclab.org/"&gt;Iseclabs Wepawet&lt;/a&gt; (The people behind Anubis)&lt;br /&gt;&lt;a href="http://malzilla.sourceforge.net/"&gt;Malzilla&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For a little fun let's take a test drive of the Cymru malware hash registry.&lt;br /&gt;&lt;br /&gt;First I'll hash some files(90% of which are malware):&lt;br /&gt;loki:~ hogfly$ md5 *.exe&lt;br /&gt;MD5 (724L1_setup_e.exe) = 848c95260d147543eff2e2c15acb58f1&lt;br /&gt;MD5 (BR165652.exe) = d77d96af740af6805abcb2c572a758ce&lt;br /&gt;MD5 (BR165680.exe) = 31c1d83de1db1aa5a806434d81183d79&lt;br /&gt;MD5 (DNC-P-Ver.2.7.0.0.exe) = 518bcc3a6633dec8ceae3e0f02b4df60&lt;br /&gt;MD5 (NATEON.exe) = af3c4884f690c48c115c8d9c55998141&lt;br /&gt;MD5 (NVC.exe) = ee862735812241719960f2e069d99680&lt;br /&gt;MD5 (abo.exe) = d2e23dbcbdd9a580b7897add524e4b09&lt;br /&gt;MD5 (autorun.exe) = 3240c08878c7491b85b79c97db5c9204&lt;br /&gt;MD5 (comrepl.exe) = 1d696a5dc70caa34d116344f50854d7f&lt;br /&gt;MD5 (comrereg.exe) = 
3619935460ddcb79f1ec9cc5710befc3&lt;br /&gt;MD5 (dw8.exe) = f6da944f7c1ec3f0f8e6d673d9e9ff71&lt;br /&gt;MD5 (envsetup.exe) = a1f8a82aad23a6b44cc92ee2eb1a10ef&lt;br /&gt;MD5 (ff.exe) = 8a1b427981eecf67c60370b599c87dc6&lt;br /&gt;MD5 (file.exe) = 107961dbceea53f729474b43c04302d4&lt;br /&gt;MD5 (flvspeed.exe) = 45ce6d98337e4dba3e87d34adaf6d366&lt;br /&gt;MD5 (hails.exe) = 5ebfe73e4fe237654a6bc07ed1712e7a&lt;br /&gt;MD5 (hails2.exe) = 649d11e8d5676f0cee5c2a4a17f7e1a8&lt;br /&gt;MD5 (index.exe) = 10980f4df2060b86a72eb5e533102980&lt;br /&gt;MD5 (l07.exe) = 072ebc79aa1ff532c0d95f9a1ce4a395&lt;br /&gt;MD5 (mfsl.exe) = 8fe25f71cbda9202995d74686eb5473e&lt;br /&gt;MD5 (msdtc32.exe) = 205ca7ed3e6d8ae218c7fde2c50149f9&lt;br /&gt;MD5 (net.exe) = c9c9a40e8a72907228e6a1bc9b5728ac&lt;br /&gt;MD5 (net1.exe) = b8b857f3b5d8a8ef043fcf80120d0248&lt;br /&gt;MD5 (omg.exe) = 654eef6ff6dbe666c1d9fd1f6049d525&lt;br /&gt;MD5 (palzbn32.exe) = 28f02d257002221d367c0b43202c7a21&lt;br /&gt;MD5 (pinyin.exe) = f9cbef1d67230b3845782b6fa11b976a&lt;br /&gt;MD5 (rsscanner.exe) = a5953f3447a851f665702dd9afa63005&lt;br /&gt;MD5 (scan.exe) = 29e20a4a5df73afee7acb3194f244b8e&lt;br /&gt;MD5 (scann32.exe) = e464fb612104cc1da12c4d501cebe8df&lt;br /&gt;MD5 (sss.exe) = 846790691b6f9717b9a1bf68e0bcd6e5&lt;br /&gt;&lt;br /&gt;loki:~ hogfly$ whois -h hash.cymru.com 649d11e8d5676f0cee5c2a4a17f7e1a8&lt;br /&gt;649d11e8d5676f0cee5c2a4a17f7e1a8 1224720131 31&lt;br /&gt;&lt;br /&gt;loki:~ hogfly$ dig +short 649d11e8d5676f0cee5c2a4a17f7e1a8.malware.hash.cymru.com TXT&lt;br /&gt;"1224720131 31"&lt;br /&gt;&lt;br /&gt;loki:~ hogfly$ whois -h hash.cymru.com e464fb612104cc1da12c4d501cebe8df&lt;br /&gt;e464fb612104cc1da12c4d501cebe8df 1221755478 25&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So what do we have here? Two separate methods of doing a malware lookup (this is all explained on their site by the way).   We simply feed them a hash and get back a unix datetime and the detection percentage of the malware.  
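&lt;br /&gt;&lt;br /&gt;Both replies above carry the same two fields, so a small parser is enough to turn a batch of lookups into a per-file report. What follows is an added example, not code from this post or from Team Cymru: it parses the BSD-style md5 listing and the whois and dig replies exactly as they appear above, builds the DNS query name the dig command used, and joins the results per file. It never touches the network; the live lookup stays with the two commands shown. The sample listing and the two replies are copied from the post; the assumption that an unknown hash comes back without the two numeric fields (treated here as "no record") is mine, as is the miss constructed for net.exe, whose lookup the post does not show.&lt;br /&gt;&lt;pre&gt;
```python
"""Parse md5(1) output and Team Cymru Malware Hash Registry (MHR) replies.

Added example, not code from the blog post or from Team Cymru. It runs
offline on text already shown in the post: the "md5 *.exe" listing and the
"whois -h hash.cymru.com" / "dig ... TXT" replies. The live lookup itself is
left to those two commands; nothing here touches the network.
"""
import re
from datetime import datetime, timezone

# Zone used by the DNS interface, as in the post's dig command.
MHR_DNS_ZONE = "malware.hash.cymru.com"

# Sample input: three lines copied from the post's md5 listing.
MD5_LISTING = """\
MD5 (hails2.exe) = 649d11e8d5676f0cee5c2a4a17f7e1a8
MD5 (scann32.exe) = e464fb612104cc1da12c4d501cebe8df
MD5 (net.exe) = c9c9a40e8a72907228e6a1bc9b5728ac
"""

# Sample replies: the whois and dig answers shown in the post for two hashes,
# plus an ASSUMED miss for net.exe (the post does not show its lookup; the
# "NO_DATA" shape is my assumption about what a miss looks like).
WHOIS_REPLY = "649d11e8d5676f0cee5c2a4a17f7e1a8 1224720131 31"
DIG_TXT_REPLY = '"1224720131 31"'
SAMPLE_REPLIES = {
    "649d11e8d5676f0cee5c2a4a17f7e1a8": WHOIS_REPLY,
    "e464fb612104cc1da12c4d501cebe8df": "e464fb612104cc1da12c4d501cebe8df 1221755478 25",
    "c9c9a40e8a72907228e6a1bc9b5728ac": "c9c9a40e8a72907228e6a1bc9b5728ac NO_DATA",
}

# BSD md5(1) line: MD5 (name) = 32 hex digits
MD5_LINE = re.compile(r"^MD5 \(([^)]+)\) = ([0-9a-fA-F]{32})$")


def parse_md5_listing(text):
    """Map each file name in md5(1) output to its lowercase MD5 hex digest."""
    hashes = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            hashes[m.group(1)] = m.group(2).lower()
    return hashes


def mhr_dns_name(md5_hex):
    """Query name for the DNS interface: the hash as a label under the MHR zone."""
    return f"{md5_hex.lower()}.{MHR_DNS_ZONE}"


def parse_mhr_reply(reply):
    """Turn one MHR reply into (first_seen_utc, detection_percent), or None.

    whois answers "hash timestamp percent"; dig answers the TXT record
    '"timestamp percent"'. Both carry a unix timestamp (when the registry
    first saw the hash) and the AV detection percentage. Anything without
    the two numeric fields is treated as no record for that hash.
    """
    fields = reply.strip().strip('"').split()
    if len(fields) == 3:            # whois form: drop the echoed hash
        fields = fields[1:]
    if len(fields) != 2 or not all(f.isdigit() for f in fields):
        return None
    first_seen = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
    return first_seen, int(fields[1])


def triage(listing, replies):
    """Join a md5 listing with per-hash replies; files with no record map to None."""
    report = {}
    for name, md5_hex in parse_md5_listing(listing).items():
        hit = parse_mhr_reply(replies.get(md5_hex, ""))
        if hit is None:
            report[name] = None
        else:
            first_seen, percent = hit
            report[name] = (first_seen.strftime("%Y-%m-%d %H:%M:%S UTC"), percent)
    return report


if __name__ == "__main__":
    digests = parse_md5_listing(MD5_LISTING)
    for name, result in triage(MD5_LISTING, SAMPLE_REPLIES).items():
        print(name, mhr_dns_name(digests[name]), result)
```
&lt;/pre&gt;Treating the quoted TXT answer and the bare whois answer as equivalent, and anything without two numeric fields as a miss, are the choices made here. Decoded, the two timestamps in the post put the first sighting of hails2.exe at 2008-10-23 and of scann32.exe at 2008-09-18 (UTC), which is the kind of context a bare epoch value hides.&lt;br /&gt;&lt;br /&gt;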
The detection percentage is a bit behind the curve and not all that accurate, but I would argue that it doesn't matter that much considering it's in their database and registered as malware.  That doesn't mean I wouldn't like to see those numbers updated more frequently though.  Cymru does support sending a large list of files via netcat for comparison, and I suspect that will be the most useful method of analysis for many out there. &lt;br /&gt;&lt;br /&gt;For more active detection..If you've got about $25k I would strongly suggest you invest in a product called &lt;a href="http://www.fireeye.com"&gt;FireEye&lt;/a&gt;.  I recently completed a demo of their product and all I can say is wow.  I was most impressed.  If you don't have the money for that you may want to try &lt;a href="http://www.bothunter.net/"&gt;bothunter&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here's to hoping you can identify and prosecute the investigation of suspicious files a little faster this year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-923234772590804567?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/923234772590804567/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=923234772590804567&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/923234772590804567'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/923234772590804567'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2009/01/sticking-out.html' title='sticking 
out'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SVw6Br4WHSI/AAAAAAAAANc/tkL7n9bylmk/s72-c/IMG_2245+copy.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2621517398497768593</id><published>2008-12-30T16:06:00.031-05:00</published><updated>2008-12-31T14:08:49.822-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='methodology'/><category scheme='http://www.blogger.com/atom/ns#' term='mac'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>Footprints in the snow</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVqNodhFb_I/AAAAAAAAAMk/i0mXQjNE-Js/s1600-h/IMG_2222+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 250px; height: 320px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVqNodhFb_I/AAAAAAAAAMk/i0mXQjNE-Js/s320/IMG_2222+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285692838930378738" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;A computer intrusion takes approximately 60 seconds (usually far less) from initial entry to setting up a back door with administrative access. If not detected within the &lt;a href="http://en.wikipedia.org/wiki/Golden_hour_%28medicine%29"&gt;golden hour&lt;/a&gt;, it tends to be about a month or more before someone notices they've been breached. Imagine you've been called to a crime scene involving a theft.  The footprints above are representative of the footprints left by the suspect. 
&lt;br /&gt;&lt;br /&gt;By the time we arrive on scene a lot has happened that affects our ability to accurately investigate the scene.  Forces and factors are at play. Time... it is the constant factor, the one force multiplier that can confound an investigation above all else.  You see, time is not a force in and of itself.  It is a constant (as far as those of us who are not full-time philosophers are concerned) that never changes.  Consider the footprints in the photo above.  All things being equal, if the weather did not vary from today's weather and the temperature did not change, the snow would not melt; there would be no rain, no wind or other elements that would otherwise alter the footprints in the snow.  However, as we are aware (again, for those of us who are not full-time philosophers), though time is a constant, the weather and other elements are not constant; they vary.  It could be 60 degrees tomorrow, it could rain, or it could snow. Someone could ski over the footprints, someone could shovel them away... you get the idea.&lt;br /&gt;&lt;br /&gt;Regarding digital investigations, time is what allows systems (antivirus scans or scheduled defragmentation, for instance) to impact artifacts left by an intruder; it is what allows the attacker more of an opportunity to find your PII data and cover their tracks.  It is what allows the user to modify their files and the system.  It is what allows untrained technicians the ability to delete files left by the attacker.&lt;br /&gt;&lt;br /&gt;In short, time is what permits other forces to have an effect on the persistence of data.  We must be careful in this thinking, so let me restate that it &lt;span style="font-weight: bold;"&gt;permits&lt;/span&gt; other forces to have an effect.  
It does not guarantee that a change will occur that will impact our ability to investigate the intrusion.   So how do we use time in an investigation?&lt;br /&gt;&lt;br /&gt;First we must accurately identify the time of intrusion.  Once the intrusion is contained, we have what is called temporal proximity, or the duration of time between two separate points in time.  Our evaluation of artifacts takes place within this time frame.  This is fairly well known; however, I have seen this evaluation of artifacts squandered by those who suggest that the only evaluation that needs to take place is that of time itself.  In practice what I have seen are those that simply evaluate MAC times.  The evaluation is simple: any file containing PII data with an access time that postdates the time of compromise is considered to be notifiable.  This is a safe play and I congratulate those that feel morally and socially responsible enough to notify so easily; however, it is a knee-jerk reaction and indicates laziness.  Look at this photo here, of the same location taken a day after the initial footprints were made.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/SVueFXXbqII/AAAAAAAAAMs/PEc3Hq_ARGc/s1600-h/IMG_2256+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/SVueFXXbqII/AAAAAAAAAMs/PEc3Hq_ARGc/s320/IMG_2256+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285992402658240642" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;What has happened to the footprints in the snow?&lt;br /&gt;&lt;br /&gt;Time moving forward allowed the night's snow to cover the footprints.  Are the footprints still present, or has the overnight period completely confounded the investigation?  
Would you be prone to suggesting that simply because there is fresh snow, the footprint is destroyed?  Take a closer look.  You can still see the faint outlines of footprints.  Applying even the slightest amount of investigative elbow grease, what do we see?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVufZpO_RkI/AAAAAAAAAM0/lYCk6UqLeL0/s1600-h/IMG_2262+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVufZpO_RkI/AAAAAAAAAM0/lYCk6UqLeL0/s320/IMG_2262+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285993850563675714" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Hmmm... an impression of a foot, or footprint, is easily visible.  Now, we can easily expose the obscured tracks within a certain amount of time, though after enough time passes the footprints will be indistinguishable from the surrounding area. As time passes, identifying and accurately explaining the source of the original footprints becomes more difficult.   It is because of this that speed is of the essence.  We must close the gap between time of compromise and time of containment.&lt;br /&gt;&lt;br /&gt;As seen below I have exposed the tracks, but what else do you see?&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVugPG8FldI/AAAAAAAAAM8/D0BgCoNHVFc/s1600-h/IMG_2264+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVugPG8FldI/AAAAAAAAAM8/D0BgCoNHVFc/s320/IMG_2264+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285994769070527954" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;That's right, you see additional footprints.  
How were they made, who made them and when? Were they made by another person, the intruder, me, or some other unknown force? Each footprint must now be analyzed individually.  Had we cast the footprints after documenting the scene, and taken the casts for immediate analysis, our investigation would be more complete and accurate.  Now we will have a slightly more difficult time, but it can still be done. However, we must be able to explain the changes that occurred in the time that elapsed since the original footprints were made.&lt;br /&gt;&lt;br /&gt;You may be starting to see how time can confound the investigation of the original footprints.  As time continues forward, the first responder and investigator must be even more careful to preserve the original.  This is why documentation and a sound approach, especially when dealing with volatile data, are critical.&lt;br /&gt;&lt;br /&gt;And if time continues, then what?  Will time allow more environmental forces to influence the ability to accurately investigate?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SVuhDVipytI/AAAAAAAAANE/woRoxlumpgk/s1600-h/IMG_2266+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 296px; height: 320px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SVuhDVipytI/AAAAAAAAANE/woRoxlumpgk/s320/IMG_2266+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285995666343578322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;We can still see the rough outline of a footprint here, even though the snow is in the process of melting.  Time has once again allowed another force to alter the original.  Eventually, our ability to see the footprint disappears.  
After more time passed, the footprint looks like this.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVuj7jjT-KI/AAAAAAAAANM/w7qwPzlLFO0/s1600-h/IMG_2268+copy.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVuj7jjT-KI/AAAAAAAAANM/w7qwPzlLFO0/s320/IMG_2268+copy.JPG" alt="" id="BLOGGER_PHOTO_ID_5285998831200368802" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Wait.  We can no longer accurately establish the location of the footprint.  Now, in this case I simulated about 4 months of time, and it is around this point that our ability to accurately investigate an actively used system in an intrusion becomes nearly nil.   &lt;br /&gt;&lt;br /&gt;Okay... enough meatspace.&lt;br /&gt;&lt;br /&gt;Remember I said that time is what permits other forces to have an effect on the data.  This applies greatly to MAC times.  An antivirus scan could take place after the time of compromise that updates MAC times, or a user could have accessed those files containing PII data.  Simply put, any force capable of modifying timestamps post-compromise could have updated the timestamp.  Given this, MAC times provide us with nothing other than a point in time, a measurement if you will. &lt;br /&gt;&lt;br /&gt;Secondly, time needs to be evaluated as a point or points when change occurs.  Our role is to explain the cause of the change.  When discussing digital forensics, systems should be evaluated as a world of events running in a steady mechanism of before and after, of cause and effect.  
When an intrusion has finally been contained and the analysis is underway, we must evaluate the changes that took place during that window.  Was a key file accessed?  Who accessed it?  Can we explain the access? Did the intruder gain administrative access?  Did they have access to files containing PII data?  Did they have access to other systems?  Did they use that access?  Did they install a backdoor?  Did they enumerate your other systems?  Did they attempt to cover their tracks?  Is malware present?  What are its capabilities?  These are just some of the evaluations that must take place during the investigation. &lt;br /&gt;&lt;br /&gt;Finally, when a change occurs at a specific time, there will be several plausible explanations for the change.  This is where we must apply a scientific method of testing the most plausible explanation for the change.  We can reduce the noise.&lt;br /&gt;&lt;br /&gt;For example:&lt;br /&gt;FACT:&lt;br /&gt;A file had an access time updated during the time an attacker was operating on a computer. &lt;br /&gt;&lt;br /&gt;BACKGROUND:&lt;br /&gt;Q: Under what conditions is an access time updated?&lt;br /&gt;&lt;br /&gt;A: An access time is updated when a file is opened for reading, specifically a file's attributes.&lt;br /&gt;&lt;br /&gt;Q: Does a file access time being updated indicate execution?&lt;br /&gt;&lt;br /&gt;A: NO.  It simply indicates that the file's attributes were accessed.&lt;br /&gt;&lt;br /&gt;Example: the 'touch' command would update an access time, as would an A/V scan and many other utilities. 
&lt;br /&gt;&lt;br /&gt;Conclusion:  There are many plausible explanations for a file's access time being modified.&lt;br /&gt;&lt;br /&gt;Our job:  Determine what is most plausible and present your conclusions with supporting documentation.&lt;br /&gt;&lt;br /&gt;Assuming a Windows XP system:&lt;br /&gt;In the case of an executable being executed under normal circumstances, what artifacts could we expect to find?&lt;br /&gt;1) A prefetch file would be created&lt;br /&gt;2) Depending upon the method of execution, we could expect to find artifacts in the registry.&lt;br /&gt;3) Memory analysis would show that it had been executed&lt;br /&gt;4) Other sources yet to be discovered or mentioned.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Variables (factors and forces): &lt;br /&gt;1) Intruder privileges - with full administrative privileges, the attacker effectively has their hand on the clock's dial and can do what they please.&lt;br /&gt;2) System operation - antivirus scans, backups and other scheduled tasks that have the potential to alter an access time.&lt;br /&gt;3) User activity - a user logged in to the system at the time could have done something to update the access time.&lt;br /&gt;4) Intruder activity - the attacker used ftp.exe or had a tool capable of modifying timestamps on the system.&lt;br /&gt;5) Unknown possibility - something that hasn't been thought of or discovered that has the possibility to modify access times.&lt;br /&gt;&lt;br /&gt;So, let's start processing this:&lt;br /&gt;&lt;br /&gt;What we know:&lt;br /&gt;- An antivirus scan was being run when the file access time was updated.&lt;br /&gt;- The sysadmin confirmed this.&lt;br /&gt;- There are no 
artifacts present in the registry suggesting execution.&lt;br /&gt;&lt;br /&gt;Given the data presented, what do you believe? More importantly, what would someone else, a lay person (read: decision maker) in particular, be likely to believe?&lt;br /&gt;That an access time had been updated by:&lt;br /&gt;A) a normal system operation (A/V scan)&lt;br /&gt;B) the attacker having executed the file and exfiltrated data.&lt;br /&gt;&lt;br /&gt;Are these the only possibilities? No, they are not. However, absent any data to refute that A is the most likely answer, what would someone be likely to believe?&lt;br /&gt;&lt;br /&gt;For B to be the more likely answer in this case, what must be present?&lt;br /&gt;1) Network or other logs during the time of compromise suggesting ftp connections.&lt;br /&gt;2) Artifacts suggesting execution of ftp.exe&lt;br /&gt;&lt;br /&gt;Let me summarize:&lt;br /&gt;&lt;br /&gt;1) Speed is of the essence.  The gap in temporal proximity must be closed.  
Others have said this (notably Aaron Walters and Harlan Carvey)&lt;br /&gt;2) Time is a force multiplier that allows other forces to impact artifacts.&lt;br /&gt;3) Intrusions must be analyzed in terms of changes that take place between t1 and t2.&lt;br /&gt;4) Strict MAC time analysis is lazy and inaccurate, and should be a last-resort investigative method.&lt;br /&gt;5) Changes of probative value should be examined in depth, and plausible explanations should be presented along with an opinion and documentation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2621517398497768593?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2621517398497768593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2621517398497768593&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2621517398497768593'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2621517398497768593'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/footprints-in-snow.html' title='Footprints in the snow'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SVqNodhFb_I/AAAAAAAAAMk/i0mXQjNE-Js/s72-c/IMG_2222+copy.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5309637292057661096</id><published>2008-12-29T20:19:00.004-05:00</published><updated>2008-12-29T21:00:09.091-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><category scheme='http://www.blogger.com/atom/ns#' term='applications'/><title type='text'>A quick analysis helper</title><content type='html'>&lt;p&gt;I commonly analyze systems that run Symantec Antivirus Corporate Edition.  A common question we have to answer is regarding the last date a scan was run and the date of the definition files.  I did some quick research and came up with the following.  May it also help others in the same situation.&lt;br /&gt;&lt;/p&gt;  &lt;p&gt;The registry keeps track of Symantec definition dates in:&lt;br /&gt;HKLM\Software\Symantec\SharedDefs&lt;/p&gt;  &lt;p&gt;DEFWATCH_10 is the value; its data contains the path to the definitions, and the last path component encodes the definition date and revision.&lt;/p&gt;  &lt;p&gt;EX:&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: arial;"&gt;DEFWATCH_10 REG_SZ C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080902.016&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Definition date: 20080902, revision 16. 
&lt;br /&gt;&lt;/p&gt;    &lt;p&gt;Log files are located in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\Logs&lt;/p&gt;  &lt;p&gt;The key to the logfile is &lt;a href="http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002111911231448"&gt;here&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Log files are named by date as follows:  mmddyyyy.Log&lt;/p&gt;  &lt;p&gt;Pulling out relevant information can be accomplished in many ways. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;One simple way is by doing the following:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;[root (Logs)]# awk -F, '{print $5" "$6" "$7" "$8" "$35}' 09102008.Log&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;This returns the following information:&lt;/p&gt;        &lt;p&gt;Computer name, user logged in, name of the malware identified, file location of the malware, IP address of the system&lt;br /&gt;&lt;/p&gt;&lt;p&gt;A scan start looks like this:&lt;/p&gt;&lt;p&gt;260A1C0B2618,3,2,9,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1227890305,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-B41DC042A2DC},,(IP)-0.0.0.0,,WORKGROUP,00:0C:29:E6:8C:72,10.1.6.6000,,,,,,,,,,,,,,,,0,,,,D98B90D03&lt;/p&gt;&lt;p&gt;The key to interpretation is fields 1-3.  In this case it's 3,2,9, which indicates a realtime scan started.  A realtime scan is obviously different from a manual scan in that a realtime scan is initiated by the system and a manual scan is initiated by the user.  
A manual scan looks like this:&lt;/p&gt;&lt;p&gt;260B1D142927,3,2,1,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1230601302,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-B41DC042A2DC},,(IP)-0.0.0.0,,WORKGROUP,00:0C:29:E6:8C:72,10.1.6.6000,,,,,,,,,,,,,,,,0,,,,D98B90D03&lt;/p&gt;&lt;p&gt;The key again is fields 1-3, which in this case are 3,2,1.  This is a clear indicator that a manual scan was started by Administrator.  When someone says "I didn't run an antivirus scan", you now have a quick way to determine whether or not they are telling the truth. &lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5309637292057661096?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5309637292057661096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5309637292057661096&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5309637292057661096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5309637292057661096'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/quick-analysis-helper.html' title='A quick analysis helper'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1110823895957121982</id><published>2008-12-29T12:43:00.015-05:00</published><updated>2008-12-29T15:33:53.128-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>The witness, the perpetrator and the victim Part I</title><content type='html'>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SVkMe9ikd_I/AAAAAAAAALU/U0M__lQ7HcE/s1600-h/20081227_162201820.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SVkMe9ikd_I/AAAAAAAAALU/U0M__lQ7HcE/s320/20081227_162201820.png" alt="" id="BLOGGER_PHOTO_ID_5285269363751155698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;When we investigate a system compromise we are often left with only one portion of the cause-&gt;effect equation.  It's up to us to take what we are presented with, and reconstruct a crime scene in order to determine what happened and oftentimes determine whether or not PII data was acquired.&lt;br /&gt;&lt;br /&gt;Using your imagination, try picturing the following scenario:&lt;br /&gt;You arrive at a crime scene at a jewelry store and are led to a body lying on the floor in a pool of blood.  There is a broken lamp on a table, a large dent in the painted wall at about the 5'6" mark near the victim, and a hole farther down on the wall at about the two-foot height mark.   There's blood spatter on the wall, floor and ceiling.  Bloody footprints surround the victim and lead away from the victim out the back door of the store.  
The jewelry cases are smashed and there's blood on some of the glass.  The victim is wearing a blue sweater and grey pants, is female, weighs 120lbs and is 5'6" tall.&lt;br /&gt;&lt;br /&gt;So what you have is an apparent homicide with many traditional sources of evidence in play.  How would you begin to investigate this scenario?&lt;br /&gt;&lt;br /&gt;Now imagine the following.  You are led to the scene of a computer intrusion at a local bank.  You arrive at the office of a credit card manager and see the following:&lt;br /&gt;&lt;br /&gt;A black Dell OptiPlex 755 sits under a desk and a 19" monitor resides on the tabletop. An external hard drive is plugged in to the computer and resides on the tabletop, and you note a USB key plugged in to the USB hub on the monitor. A small HP MFC unit is plugged in and rests on a small table next to the desk.  Some papers litter the desk along with a tabletop calendar, a Rolodex, a phone and a BlackBerry.  The computer is on, and has Microsoft Outlook 2003 open on the desktop along with Excel, Internet Explorer and one of the bank's internal applications for credit card management.&lt;br /&gt;&lt;br /&gt;This is pretty typical.  So, how do you begin your investigation?  What's the major difference between the two scenarios?&lt;br /&gt;&lt;br /&gt;In scenario 1, you appear to have no one to interview.  You must examine the deceased, review tapes, interview acquaintances and so on.&lt;br /&gt;&lt;br /&gt;In scenario 2, you have a person to interview.  
The credit card manager was obviously using the computer and someone decided to call you for one reason or another.  You must be able to determine if they are the witness to the intrusion, the perpetrator or the victim.  Or if they are all three!&lt;br /&gt;&lt;br /&gt;Suppose in scenario 2 you conduct your interview before you touch the computer (which I always recommend).  What questions do you ask?  Questioning a person can be seen as a bit of an arcane art form.  The goal is to get the interviewee to be forthcoming with responses. Many people get embarrassed easily and get defensive, especially if they know they did something they probably shouldn't have.  We want them to be calm and accepting of us and our questions.   So, set some ground rules with your own team first.  A few helpful rules of interviewing could be:&lt;br /&gt;&lt;br /&gt;1) Never accuse.&lt;br /&gt;2) Keep your cool.  Emotions play a larger role in system compromises than people believe.&lt;br /&gt;3) Be aware of your body language.  You must always be aware that your face, posture and hands play a huge role in gaining the trust of the interviewee.&lt;br /&gt;4) Ask leading questions.&lt;br /&gt;5) Listen.  You can't learn anything if you're talking.&lt;br /&gt;6) Be nice.&lt;br /&gt;7) Get them talking and keep them talking until you have enough information to proceed appropriately.&lt;br /&gt;&lt;br /&gt;With the information I provided in scenario 2, you have no way of knowing what has happened yet; however, I am willing to bet you have already made some assumptions and perhaps even made some hypotheses.  
This is a natural occurrence in the brain and it's not a bad thing, unless you fail to view every angle because you develop tunnel vision.&lt;br /&gt;&lt;br /&gt;Assuming the credit card manager told you the following, how would you proceed?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;They arrived at 7:45am&lt;/li&gt;&lt;li&gt;They opened Outlook to check email, and read some mail&lt;/li&gt;&lt;li&gt;They opened an Excel attachment containing this month's stats&lt;br /&gt;&lt;/li&gt;&lt;li&gt;They plugged in their BlackBerry to sync it&lt;/li&gt;&lt;li&gt;They plugged in their USB key to copy files they were working on at home&lt;/li&gt;&lt;li&gt;They opened IE and visited yahoo.com and started researching colleges for their teenage daughter who is looking at schools.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1110823895957121982?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1110823895957121982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1110823895957121982&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1110823895957121982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1110823895957121982'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/witness-perpetrator-and-victim-part-i.html' title='The witness, the perpetrator and the victim Part
I'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SVkMe9ikd_I/AAAAAAAAALU/U0M__lQ7HcE/s72-c/20081227_162201820.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5668663068640953263</id><published>2008-12-29T12:31:00.002-05:00</published><updated>2008-12-29T12:38:55.871-05:00</updated><title type='text'>Books to buy</title><content type='html'>I'm ordering the following books this holiday season.  What's on your list?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Windows Forensic Analysis Second Edition by Harlan Carvey&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;              This book was awesome the first time around and now there's even more of it.  &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;SQL Server Forensic Analysis by Kevvie Fowler&lt;/li&gt;&lt;/ul&gt;&lt;div style="text-align: justify;"&gt;             &lt;span style="font-style: italic;"&gt; If you haven't heard of Kevvie or read his paper you're missing something special.          
&lt;br /&gt;Kevvie's book is probably my most anticipated book for this year other than WFA.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Oracle Forensics using Quisix by David Litchfield&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;An Oracle forensics book by Litchfield... need I say more?&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5668663068640953263?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5668663068640953263/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5668663068640953263&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5668663068640953263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5668663068640953263'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/books-to-buy.html' title='Books to buy'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3616989001383170979</id><published>2008-12-04T17:31:00.003-05:00</published><updated>2008-12-04T17:40:19.833-05:00</updated><title type='text'>What your antivirus isn't telling you part II</title><content type='html'>If my last post on this subject wasn't clear, here's an illustration:&lt;br /&gt;&lt;br /&gt;
12/2/08 - The Hallmark/Coke/McDonald's postcard/promotions/coupon malware was being sent via email.&lt;br /&gt;&lt;br /&gt;12/2/08 - Malware was submitted at 3:30pm.&lt;br /&gt;&lt;br /&gt;12/2/08 - At 6:15pm the malware was classified as downloader by Symantec.&lt;br /&gt;&lt;br /&gt;The definition of downloader?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Downloader connects to the Internet and downloads other Trojan horses or components.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What does that malware actually do?&lt;br /&gt;&lt;br /&gt;It spreads in multiple ways:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Reads your address books and emails the malware&lt;/li&gt;&lt;li&gt;Copies itself to USB media&lt;/li&gt;&lt;/ul&gt;It also:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Is a keylogger&lt;/li&gt;&lt;li&gt;Opens a backdoor&lt;/li&gt;&lt;li&gt;Phones home over port 80&lt;/li&gt;&lt;li&gt;Injects itself into explorer.exe&lt;/li&gt;&lt;/ul&gt;12/3/08&lt;br /&gt;&lt;br /&gt;For 24 hours this was detected as "downloader" yet it is clearly more than that.  
In fact it was given its own name of W32.ackantta@mm.&lt;br /&gt;&lt;br /&gt;24 hours is enough time to do a good amount of damage, depending on where this thing is installed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3616989001383170979?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3616989001383170979/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3616989001383170979&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3616989001383170979'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3616989001383170979'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/what-your-antivirus-isnt-telling-you.html' title='What your antivirus isn&apos;t telling you part II'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7123408830419563114</id><published>2008-12-01T12:21:00.002-05:00</published><updated>2008-12-01T12:39:49.290-05:00</updated><title type='text'>Let the class action suit begin</title><content type='html'>It's about time.  BNY Mellon is now facing a class action lawsuit for "losing" a box of unencrypted backup tapes containing PII data for millions of people.  
The &lt;a href="http://breachblog.com/2008/11/25/bnyupdate.aspx"&gt;breachblog&lt;/a&gt; has information on this ridiculous incident.  I sincerely hope that BNY Mellon gets nailed on this one.  Their actions - negligent, fraudulent, reckless, wrongful, and unlawful - are something I just don't get.  I'm sure there are a whole host of "reasons" (re: excuses) for this.&lt;br /&gt;&lt;br /&gt;The 62-page class action complaint can be found &lt;a href="http://chimicles.com/assets/BNYMellon%20SecurityBreach%20AmendedComplaint.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you received a notice from BNY Mellon, check your credit reports and contact the law office listed at the breachblog link above.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7123408830419563114?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7123408830419563114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7123408830419563114&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7123408830419563114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7123408830419563114'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/12/let-class-action-suit-begin.html' title='Let the class action suit begin'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-5765948157746739671</id><published>2008-11-26T07:43:00.008-05:00</published><updated>2008-11-26T22:45:11.421-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><title type='text'>Redemption</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SS1IWMUrDEI/AAAAAAAAAHs/kxLA4BOWlJs/s1600-h/ftk.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 315px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SS1IWMUrDEI/AAAAAAAAAHs/kxLA4BOWlJs/s320/ftk.jpg" alt="" id="BLOGGER_PHOTO_ID_5272950284822973506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Though I missed the true beta period, I downloaded and installed the pre-release version of FTK 2.1 last night.  FTK 2.0 left us all in a state of shock.  Many questions and accusations flew around various industry forums and mailing lists.  Prices went up, quality went down, and we were wanting what we paid for.  A lot of faith was lost in Accessdata and their ability to provide a solid product moving forward.&lt;br /&gt;&lt;br /&gt;Don't throw away your dongles quite yet.  2.1 is the product 2.0 was supposed to be.&lt;br /&gt;&lt;br /&gt;Compared to 2.0, the installation of 2.1 was a breeze.  The only missing link was that I needed to reboot to get KFF installed.&lt;br /&gt;&lt;br /&gt;Some remarkable improvements I noticed are:&lt;br /&gt;&lt;br /&gt;Speed - moving between tabs is as it should be.  Processing is much, much faster.&lt;br /&gt;&lt;br /&gt;Resource usage - Obviously with a 64-bit install FTK will use as many resources as can be thrown at it.  I like this.  
I have a good machine, with plenty of resources, and before I moved to 64-bit I always watched in horror as my resources just didn't get used.&lt;br /&gt;&lt;br /&gt;Here's a shot of FTK just beginning to process an image:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_sisOS0kCuPo/SS1LGd0a-kI/AAAAAAAAAH0/cVn8UYB1-GQ/s1600-h/task_manager.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 267px;" src="http://3.bp.blogspot.com/_sisOS0kCuPo/SS1LGd0a-kI/AAAAAAAAAH0/cVn8UYB1-GQ/s320/task_manager.jpg" alt="" id="BLOGGER_PHOTO_ID_5272953313176517186" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here it is 10 minutes into processing:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SS1LtNyAUmI/AAAAAAAAAH8/3IFwerQL3B4/s1600-h/task2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 267px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SS1LtNyAUmI/AAAAAAAAAH8/3IFwerQL3B4/s320/task2.jpg" alt="" id="BLOGGER_PHOTO_ID_5272953978886312546" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Usability - Wow, when you click on a tab, you open that tab immediately, even while processing a case.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_sisOS0kCuPo/SS1O7aGP4OI/AAAAAAAAAIE/FnJaTO-yEpM/s1600-h/screenshot.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 256px;" src="http://4.bp.blogspot.com/_sisOS0kCuPo/SS1O7aGP4OI/AAAAAAAAAIE/FnJaTO-yEpM/s320/screenshot.jpg" alt="" id="BLOGGER_PHOTO_ID_5272957521245495522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Does it still require a huge amount of resources?  Why yes, yes it does.  
My test rig has the following specs:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;8GB ECC 667 RAM&lt;/li&gt;&lt;li&gt;Dual Xeon 2.66GHz quad-core processors&lt;/li&gt;&lt;li&gt;System drive is a RAID-0 on two 146GB SAS drives&lt;/li&gt;&lt;li&gt;Database drive is a 3*500GB SATA RAID-0&lt;/li&gt;&lt;/ul&gt;All in all I have to hand it to Accessdata.  After all the tongue lashing they took when 2.0 was released, they listened to their customers, licked their wounds, went back to the drawing board and worked to remedy the problems.  I won't say just yet that all of the problems have been fixed.  I just installed the product last night, and I'm still processing cases, but this is what I wanted to see - a solid product capable of living up to its marketing, and a product that gives me what I paid for.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Addendum&lt;/span&gt;:  An 80GB disk took about 6 hours to process and index.  I imagine if I had more disk available I could get it taken care of in under 4 hours.  Compared to FTK 1.7, which took 20 hours to process an image, I'm happy, very happy with the performance.  
Currently, I'm processing two more images of 100GB and 150GB in the same case.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-5765948157746739671?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/5765948157746739671/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=5765948157746739671&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5765948157746739671'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/5765948157746739671'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/11/redemption.html' title='Redemption'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_sisOS0kCuPo/SS1IWMUrDEI/AAAAAAAAAHs/kxLA4BOWlJs/s72-c/ftk.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-8985242773664867593</id><published>2008-11-23T16:45:00.008-05:00</published><updated>2008-11-26T09:51:16.872-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='investigation'/><title type='text'>What your antivirus isn't telling you</title><content type='html'>Ever look at your 
antivirus logs or the antivirus logs of a compromised computer and find something like SillyFDC or Trojan.horse?  These happen to be generic definitions provided by Symantec, but other vendors have generic detection signatures too.  Generic detection is a common method of dealing with malware.  While generic detection is generally fantastic, it's a big double-edged sword.&lt;br /&gt;&lt;br /&gt;Let me explain the two types of malware above.&lt;br /&gt;&lt;br /&gt;SillyFDC is a generic signature for removable media malware.&lt;br /&gt;&lt;br /&gt;Trojan.horse has the following caption: &lt;span style="font-style: italic;"&gt;Symantec antivirus programs use Trojan horse as a generic detection when detecting many individual but varied Trojan horse programs for which specific definitions have not been created.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So, using these signatures, we call things we don't have signatures for but that exhibit trojan-like properties a "trojan horse", and something that uses removable media as a spreading mechanism "SillyFDC".  Ok, no problem, right?&lt;br /&gt;&lt;br /&gt;It is in fact a problem.&lt;br /&gt;&lt;br /&gt;With antivirus now being the 40% solution against bots, it's likely to miss a recent variant of malware.  Additionally, when your clients or users discover a variant of these types of malware, how are they to know what to do?  It's been detected generically.  Symantec says that the malware is a low risk.  Is it really?  Again, how is an organization to know?  What about how long it takes for an infection to be detected?&lt;br /&gt;&lt;br /&gt;In a real world scenario, I first discovered a variant of removable media malware some 30 days before a definition was made available by Symantec.  This malware not only spread by removable media, but was a keystroke logger as well.  Once Symantec generated a definition for it, it was labeled as trojan.horse.&lt;br /&gt;&lt;br /&gt;Now, let's look at this from a sysadmin perspective.  
You run a managed antivirus environment and one day, after your server and clients grab the latest set of definitions, you get an alert for malware called trojan.horse.  "Great!" you say to yourself.  "My antivirus has done its job."  You move on about your day as if nothing happened; after all, your AV product detected and removed the threat.  You never bother to look at the file, or the timestamps of the file, and you certainly don't bother to investigate.  This is an all too common problem and scenario.&lt;br /&gt;&lt;br /&gt;What's my point?&lt;br /&gt;&lt;br /&gt;When an antivirus product fires an alert for a generic detection, it always bears investigation.  It stands to reason that when something is generically detected, it's much more serious than it appears.  Using Trojan.horse as the example, when no specific definition exists, it gets classified as trojan.horse so it can be detected and removed.  That's fine, but you have no idea what that malware is actually capable of.  An immediate threat assessment should take place, even if you simply submit the malware to an automated sandboxing web site.&lt;br /&gt;&lt;br /&gt;What should you look at?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;How long has the malware been on the system?&lt;/li&gt;&lt;li&gt;What capabilities does it have?&lt;/li&gt;&lt;li&gt;Has data been exfiltrated as a result of it?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Generic detection, while a good thing for the vendor, is a bad thing for the rest of us.  It's misleading and provides no information whatsoever.  Trojan.horse is a low threat level according to Symantec.  I can think of no small number of people that would consider a key logger a huge threat, especially one that was present on a system for 30 days before a definition was available.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Note: I'm not picking on Symantec.  This is an issue with all antivirus products.&lt;/span&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-8985242773664867593?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/8985242773664867593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=8985242773664867593&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8985242773664867593'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/8985242773664867593'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/11/what-your-antivirus-isnt-telling-you.html' title='What your antivirus isn&apos;t telling you'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-7007842699058515801</id><published>2008-11-04T08:22:00.002-05:00</published><updated>2008-11-04T08:25:36.858-05:00</updated><title type='text'>Double take</title><content type='html'>This is short.  
Very short.&lt;br /&gt;&lt;br /&gt;Accessdata offered to purchase Guidance Software's remaining stock.&lt;br /&gt;&lt;br /&gt;Read about it &lt;a href="http://accessdata.com/downloads/media/Acquisition_Press_Release.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The offer was rejected, but Guidance should now be aware that there are sharks in the water, and they smell blood.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-7007842699058515801?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/7007842699058515801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=7007842699058515801&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7007842699058515801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/7007842699058515801'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/11/double-take.html' title='Double take'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-6847230654496395201</id><published>2008-10-30T09:56:00.003-04:00</published><updated>2008-10-30T10:31:35.234-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lessons Learned'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Beware the 
key</title><content type='html'>USB keys are prevalent.  They are used heavily by many incident response teams and first responders.  They're less fragile than CDs, faster, and offer greater storage.&lt;br /&gt;&lt;br /&gt;They are also weapons of destruction and can quickly become victims of compromised systems.  It's been estimated that 10% of malware has the ability to infect removable media devices.  Recall if you will that &lt;a href="http://forensicir.blogspot.com/2008/10/old-is-new-tales-from-field.html"&gt;old is new&lt;/a&gt;.  When you respond to an incident, you'll want to take some precautions if you use USB devices.&lt;br /&gt;&lt;br /&gt;1) Make sure your devices are wiped and formatted after each case.  If your device is infected, your device becomes a weapon.&lt;br /&gt;&lt;br /&gt;2) Create a directory named Autorun.inf in the root of your devices.  This offers some protection against autorun malware, since the malware cannot create an Autorun.inf file where a directory of that name already exists.&lt;br /&gt;&lt;br /&gt;To protect your Windows workstations, if you haven't already, do the following things.&lt;br /&gt;&lt;br /&gt;Copy and paste this into a .reg file and merge it.  It maps Autorun.inf to a registry key that does not exist, so Windows ignores the contents of any Autorun.inf file:&lt;br /&gt;&lt;br /&gt;REGEDIT4&lt;br /&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]&lt;br /&gt;@="@SYS:DoesNotExist"&lt;br /&gt;&lt;br /&gt;Then follow the instructions here:&lt;br /&gt;&lt;a href="http://support.microsoft.com/kb/953252"&gt;http://support.microsoft.com/kb/953252&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-6847230654496395201?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/6847230654496395201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=6847230654496395201&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6847230654496395201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/6847230654496395201'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/10/beware-key.html' title='Beware the key'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1015356246182266022</id><published>2008-10-20T14:48:00.021-04:00</published><updated>2008-10-21T07:03:46.529-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='methodology'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='OODA'/><title type='text'>OODA at play</title><content type='html'>Imagine the following scenario:&lt;br /&gt;&lt;br /&gt;You've identified a system communicating with a botnet C&amp;amp;C over IRC.  This system happens to be one that should never be communicating via IRC.  It's a webserver.  It's running multiple vhosts and has multiple IP addresses.  The IRC connection is active.  You check in with the system administrator and inform him of the situation.  You discover that the webserver is merely serving public data.  It doesn't process or store sensitive information.  It's a good case for root cause analysis, eradication and rebuilding.&lt;br /&gt;&lt;br /&gt;The system administrator calls you back and says it looks like SSH binaries have been replaced on the system.  The administrator happens to be running cfengine and informs you that a large number of systems have had SSH binaries replaced. 
What was a run-of-the-mill investigation and analysis just blew up and turned into an incident for which there is no playbook.  Friends, this is a triage situation.&lt;br /&gt;&lt;br /&gt;Triage is less about solving the problem than it is about prioritizing systems and stopping the bleeding to buy time to properly assess the situation and react appropriately.  The problem with triage is business continuity.  Triage situations would be much easier if we could identify all of the affected systems, contain systems based on priority and threat, and move to more thorough response and analysis.  Unfortunately we can't do that.  The systems that need to be contained, more often than not, can't be contained because they are critical to operations, meaning they can't be shut down.&lt;br /&gt;&lt;br /&gt;Returning to the incident at hand: over 50 systems have had SSH binaries replaced.  At this point we need to triage the situation.  Were we dealing with human beings, this would be a mass casualty incident and a methodology called START would be applied to the situation.  When dealing with human beings in an MCI, the priority goes to the most critical patient that can't survive long without immediate treatment.  The job of the people performing triage is to assess only.  No care is provided except opening airways and tending to patients that are bleeding severely.  A good starting point is &lt;a href="http://www.cert-la.com/triage/start.htm"&gt;here&lt;/a&gt;.  People get classified into the following categories:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Dead&lt;/li&gt;&lt;li&gt;Immediate&lt;/li&gt;&lt;li&gt;Minor&lt;/li&gt;&lt;li&gt;Delayed&lt;/li&gt;&lt;/ul&gt;There's a lot that can be taken from this type of real triage in a mass casualty situation and applied to Incident Response when dealing with a lot of systems.&lt;br /&gt;&lt;br /&gt;What kind of systems do we typically come across?  Let's use the incident I mentioned above.  Assume 50 systems.  
Assume the attacker is actively attacking and compromising systems.  There are obvious limitations to physically visiting each system.  So what can we do?  Assess the situation from the network.  In a few easy steps we can triage the situation.  With 50 systems it's rare that you would find different attackers and different methodologies being used against you.  So, we make an assumptive hypothesis based on the following premise: cfengine detected SSH binary replacement on 50 systems, therefore the attack signature will be similar across systems.  In addition, we can assume that very few remote systems will be used in such an attack.  So what can be done to triage?&lt;br /&gt;&lt;br /&gt;We can quickly divide the systems into the following categories:&lt;br /&gt;&lt;br /&gt;4) Systems that can't be blocked at the perimeter&lt;br /&gt;3) Systems that can't be taken offline (network or power)&lt;br /&gt;2) Systems that can be blocked at the perimeter (internally critical systems)&lt;br /&gt;1) Systems that can be taken offline (network or power)&lt;br /&gt;&lt;br /&gt;Now you might be asking why priority 1 is a system that can be taken offline rather than the system that can't be taken offline.  The idea is simple.  If I can take it offline, then I should do so by whatever means are necessary.  If I can't take the system offline, the task of response is more advanced.  Assign the system administrators or other tech staff the role of identifying and containing the systems that can be quickly contained.  The idea being that if you are hemorrhaging from 50 holes, and can close 30 of them, then you've cut down the tedious work by 60%.  Get them under control and off of the immediate concern list.&lt;br /&gt;&lt;br /&gt;If I can block a host at the perimeter, then I should do so, quickly.  This is a solution that can work to directly cut off the attacker; however, with so many systems, there is no way to guarantee the effectiveness of this type of action.  
An indirect attack is still very possible.  Sometimes, though, you just have to make a decision and adapt.&lt;br /&gt;&lt;br /&gt;If I can't take a system offline, and I can't block it at the perimeter, then I need to respond quickly and carefully.  These are the business continuity cases that hamper triage and response.  So what can be done to triage them?  Remember, we're buying time, not solving the problem 100%.&lt;br /&gt;&lt;br /&gt;If we work based on our assumptive hypotheses, we can enable a perimeter block to stop the remote sites from being accessed by any of the compromised or soon-to-be-compromised systems.&lt;br /&gt;&lt;br /&gt;Have you noticed the OODA loops?&lt;br /&gt;&lt;br /&gt;As systems are being contained - via network blocks and physical containment - more compromised systems begin actively attacking.  Port scanning begins on internal hosts.  Initial triage, while containing 60% of systems, left an opening.  Once again, division of forces is key to success.  With two IR staff, one can work on active containment while the other works to gather more intelligence.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.f-response.com/"&gt;F-response&lt;/a&gt; is a fantastic intelligence gathering tool in this case.  Using it, a remote system can be analyzed in real time.  Connecting to a system and being able to identify the files created/modified/accessed during the attack lends itself to a more rapid action cycle.  Combined with traffic captures and live access to disk based data, we can break into the OODA loop of the attacker.  We can predict what the tools being used will be used for and what files get replaced.  We can predict what the attacker will do at each step and can develop a rapid active response to stop him before he begins.  With the situation unfolding and new information, further containing the systems that couldn't be taken offline or blocked at the perimeter becomes simple.  
With a tool like cfengine, a few commands can remove the active threat and we can continue working the problem.  &lt;br /&gt;&lt;br /&gt;As the situation is contained, a signature is developed and active monitoring is implemented to watch for other systems showing signs of intrusion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1015356246182266022?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1015356246182266022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1015356246182266022&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1015356246182266022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1015356246182266022'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/10/ooda-at-play.html' title='OODA at play'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3575777096731990796</id><published>2008-10-18T14:41:00.000-04:00</published><updated>2008-10-20T14:41:34.828-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='methodology'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='playbook'/><category scheme='http://www.blogger.com/atom/ns#' term='OODA'/><title 
type='text'>The clock is ticking</title><content type='html'>When an incident has been detected, or an event has been escalated to incident status, a timer starts.  The attacker is now inside your OODA loop.  Every minute wasted could mean money lost, identities stolen, or disrupted operations.  He or she controls, or has access to, something of yours and can disrupt your ability to determine the correct measures.  The speed and accuracy of your response will make all the difference. &lt;br /&gt;&lt;br /&gt;Regarding the OODA loop, there's one thing to remember.  The attacker has the initiative; we have to play catch up and outmaneuver.  In a non-automated attack scenario, an attacker has presumably done a reasonable amount of homework on the target host or target network.  In the majority of scenarios the attacker has been entrenched in a system for hours, days, weeks or even months before their presence is detected.  They are already two or more steps ahead of us.  As incident responders we are at an immediate disadvantage and we have many foes working against us.  Not just the intruder, but many times the local IT staff work against us, albeit unintentionally for the most part.&lt;br /&gt;&lt;br /&gt;So, how do we, as incident responders, react?  What must we do to be effective?&lt;br /&gt;&lt;br /&gt;Our response must be fast, accurate and appropriate.  What does our OODA loop look like? &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Observe&lt;/span&gt;:&lt;br /&gt;Confirm Incident - Are we certain we're dealing with an incident?&lt;br /&gt;&lt;br /&gt;Threat assessment - What's the threat doing?  Is it actively attacking or scouring systems for data?  What's the depth of the penetration?  What has local staff done already?&lt;br /&gt;&lt;br /&gt;Prior Reference - Have we seen this before? What happened then? What's different?&lt;br /&gt;&lt;br /&gt;Victim assessment - Is sensitive data present on the system?  
Where is sensitive data stored, and how is it processed?&lt;br /&gt;&lt;br /&gt;Business Continuity assessment - Can the system be shut down?  How long can the system be down?  If the system goes down, what is impacted?&lt;br /&gt;&lt;br /&gt;Defense mechanism assessment - What options do we have for containment?  How quickly can we enable them?  &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Orient&lt;/span&gt;:&lt;br /&gt;&lt;br /&gt;In this portion of the loop we take our various assessments and synthesize and analyze the results.  We must weigh them against each other, and they feed one another.  This is by far the most thought-intensive portion of the process.  We take in large amounts of data and must process them quickly, as time is of the essence.  &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Decide&lt;/span&gt;:&lt;br /&gt;&lt;br /&gt;Decisions need to be made.  In a recent incident this phase was done on a whiteboard with a co-worker.  We identified what we knew about the scope and gravity of the situation, and what options were available to us.  We then, on the best information available at the time, made a decision to do a specific set of things.  An evaluation takes place during the decision making, generally along the lines of "If I do X, what will happen?"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Act&lt;/span&gt;:&lt;br /&gt;At this point we act upon those decisions that make the most sense.  Not all decisions get acted upon, because not all decisions are appropriate.  Action feeds back into Observation and Orientation.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now, recall that this is a loop.  It's not a step-by-step protocol.  It's a thinking, living, breathing course of assessment, testing, action, reaction and adaptation.  We tend to do these things naturally. 
Assuming the intruder is in the system during a response, they will be working through their own OODA loop and will be attempting to subvert and disrupt yours.&lt;br /&gt;&lt;br /&gt;But wait.  What advantages do we have, or rather what advantages does your client have?&lt;br /&gt;The good news is that the battlefield is one of our choosing.  We know the landscape and have the opportunity to plan ahead.  This is a great place to inject an Incident Response Playbook.&lt;br /&gt;&lt;br /&gt;What is an IR playbook?  It's a set of protocols that educate responders - from the first responder to the tier 1 responder - and it allows the incident handler to make faster decisions and provides a control structure for handling the incident.  It allows everyone involved a chance to orient themselves to the landscape, thereby speeding up the defender's OODA loop.  In a playbook, many things can be decided ahead of time, and the answers to questions are already present.  For instance we can walk into an incident already knowing:&lt;br /&gt;&lt;br /&gt;1) Whether sensitive data is on the system, and how it gets processed and stored.&lt;br /&gt;2) What containment options are available.&lt;br /&gt;3) What the business continuity constraints are, since they can be assessed ahead of time.&lt;br /&gt;&lt;br /&gt;With a playbook we can short-circuit the initial OODA loop and improve our response accuracy and speed.  Of course we can't always rely upon a playbook.  There will be times when the playbook must be thrown out because it doesn't apply to the situation at hand.&lt;br /&gt;&lt;br /&gt;All the credit for OODA obviously belongs to &lt;a href="http://en.wikipedia.org/wiki/John_Boyd_(military_strategist)"&gt;John Boyd&lt;/a&gt;.  
A fantastic book is &lt;a href="http://www.amazon.com/Boyd-Fighter-Pilot-Who-Changed/dp/0316796883/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1224527318&amp;sr=8-1"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3575777096731990796?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3575777096731990796/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3575777096731990796&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3575777096731990796'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3575777096731990796'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/10/clock-is-ticking.html' title='The clock is ticking'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-1200034369905454865</id><published>2008-10-15T22:20:00.002-04:00</published><updated>2008-10-15T22:44:38.347-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='F-Response'/><category scheme='http://www.blogger.com/atom/ns#' term='methodology'/><title type='text'>Remotely examining a disk image</title><content type='html'>Recently I've been exploring new modes of operation.  One such mode is working on disk images remotely.  
This has become increasingly important as cases roll in constantly.  Disk-to-disk or disk-to-image imaging is great for small operations.  It's mandatory when working a criminal case.  A new mode of operation I'm exploring is image to SAN and analyze from SAN.  Imaging to SAN is a great way of operating if you can swallow the cost.  One of the best, and most cost-effective, tools on the market today is &lt;a href="http://www.f-response.com"&gt;F-response&lt;/a&gt;.  It's now cross platform.  As I've mentioned to Matt Shannon - It's mac-tested and mother approved.  I've used it several times in such cases.  It sure beats doing target disk mode, let me tell you.  Imaging is a pretty straightforward activity.  Imaging to a SAN is no different.  Where it gets interesting is analysis.  How do you do it?&lt;br /&gt;&lt;br /&gt;My current tests center around using multiple platforms.&lt;br /&gt;&lt;br /&gt;I have a Linux box that I have attached to the SAN.  It has access to my disk images that are stored there.&lt;br /&gt;&lt;br /&gt;I mount the disk image in a particular directory as follows:&lt;br /&gt;&lt;br /&gt;mount -t ntfs -o loop,offset=32256,ro,noatime,noexec,nosuid,nodev,show_sys_files,nls=utf8 image.dd /path/to/case&lt;br /&gt;&lt;br /&gt;This is a straightforward method of mounting a disk image for analysis in Linux.  The offset is the start of the partition in bytes: 32256 is 63 sectors x 512 bytes, the usual first-partition start on XP-era disks, so confirm it with mmls or fdisk -l before mounting.  offset= is a loop-device option, which is why loop is spelled out for older versions of mount, and show_sys_files and nls= belong to the kernel NTFS driver, hence -t ntfs.  Now, how to gain access to it from Windows, where the armory of analysis tools exists?&lt;br /&gt;&lt;br /&gt;I've been using &lt;a href="http://www.magnetk.com/sftpdrive/"&gt;sftpdrive&lt;/a&gt;.  I enter all the requisite login information and folder location and voila.  sftpdrive is really the Windows equivalent of the native Linux sshfs. After logging in I now have an SSH secure tunnel to a mounted disk image that is listed as a drive letter in Windows.  I can run any and all analysis tools I need to.  One caveat I've run into has been a timeout issue.  The fix to this has been to "always trust" the SSH key within sftpdrive.  
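The offset= value is the only number in that mount line that changes from image to image. As an added example (not code from the post, and independent of F-response or sftpdrive), the Python below takes Sleuth Kit mmls output, the usual way to confirm the partition start before mounting, and turns the chosen row into the byte offset and a read-only loop mount line. The mmls text is constructed in the layout mmls prints, not captured from a drive. Sector 63 gives the 32256 above; a thumb drive whose first volume starts at sector 32 gives 16384. On the sftpdrive caveat: pinning the analysis box's host key after checking its fingerprint is the safe form of "always trust".

```python
"""Compute the offset= value for mount from Sleuth Kit mmls output.

Added example; it is not part of the original post. The mmls text below is
constructed in the layout mmls prints (a DOS partition table with an NTFS
volume starting at sector 63), not output captured from a real drive.
"""
import re

SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0004196354   0004196292   NTFS (0x07)
03:  00:01   0004196355   0008401994   0004205640   Linux (0x83)
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, rows); rows keep mmls's own index so you can say 'row 02'."""
    m = UNITS.search(text)
    sector_size = int(m.group(1)) if m else 512
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            rows.append({
                "index": int(r.group(1)),
                "slot": r.group(2),
                "start": int(r.group(3)),
                "end": int(r.group(4)),
                "length": int(r.group(5)),
                "desc": r.group(6),
                # "-----" in the slot column marks table space or unallocated gaps
                "allocated": r.group(2) != "-----",
            })
    return sector_size, rows


def byte_offset(text, index):
    """Start of mmls row `index` in bytes, i.e. the value for mount -o offset=."""
    sector_size, rows = parse_mmls(text)
    for row in rows:
        if row["index"] == index:
            if not row["allocated"]:
                raise ValueError("row %02d is not an allocated volume: %s" % (index, row["desc"]))
            return row["start"] * sector_size
    raise ValueError("no mmls row %02d" % index)


def mount_command(image, text, index, mountpoint, fstype=None):
    """Build a read-only, loop-backed mount line like the one in the post."""
    opts = "loop,offset=%d,ro,noatime,noexec,nosuid,nodev" % byte_offset(text, index)
    type_flag = ("-t %s " % fstype) if fstype else ""
    return "mount %s-o %s %s %s" % (type_flag, opts, image, mountpoint)


if __name__ == "__main__":
    print(mount_command("image.dd", SAMPLE_MMLS, 2, "/path/to/case", "ntfs"))
```

Run `mmls image.dd` on the analysis box, paste the output into `parse_mmls`, and pick the row you want; the script refuses unallocated rows, which is the mistake that produces a "wrong fs type" error rather than a mounted volume.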
&lt;br /&gt;&lt;br /&gt;Do you image and analyze disk images from a SAN?  What methodology do you use if you use a non-traditional method?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-1200034369905454865?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/1200034369905454865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=1200034369905454865&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1200034369905454865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/1200034369905454865'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/10/remotely-examining-disk-image.html' title='Remotely examining a disk image'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2337874189659881693</id><published>2008-10-15T21:54:00.000-04:00</published><updated>2008-10-15T22:06:47.310-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><title type='text'>Old is new - Tales from the field</title><content type='html'>If we believe in certain truths such as "past is prologue" or "life is circular" or "security is cyclical" and "what was, is, and what is, will be again", then what we are 
seeing in the field is easily explained and indicates the cycle is starting all over again.  If I've confused you, then my job is done here.  &lt;br /&gt;&lt;br /&gt;No really, let me explain.  In the past two months I've seen compromises that take me back to the days of yore, when we had malware like Stoned floating around on the boot sectors of floppy disks.  I can recall one bit of malware a friend shared with me at the time that would play a "drip drip drip" sound as it deleted the contents of the system from underneath you. Why did these types of malware work?  Well, think about it.  Floppies were prevalent, and they were the primary storage medium of users.  In order to move data from computer to computer you put it on a floppy disk and carried it to the next system you needed to use. This was otherwise known as using a sneakernet.  &lt;br /&gt;&lt;br /&gt;Stepping forward, developers figured out how to largely prevent this type of infection from taking root in a system.  Soon we had BIOS boot-sector virus protection, we had antivirus scanning of removable media, and the threat changed.  This type of malware was removed from our forward-thinking minds.  Self-spreading worms were the threat of the day soon after and the world suffered.  We then moved on to the user being our weakest link.  Browser-based exploitation of systems is popular, phishing works and so on.  &lt;br /&gt;&lt;br /&gt;Apply brakes here.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In the past 30 days I've seen compromises that are based on MBR rootkits, and removable media.  I will not spend a lot of time detailing the intricacies of the malware, because others have done so really &lt;a href="http://www2.gmer.net/mbr/"&gt;well&lt;/a&gt;.  This was detected as... well, it wasn't detected by antivirus.  It couldn't be.  Because of the way the malware loads and runs, antivirus could not detect the malware on a live running system.  
Oddly enough, antispyware software identified the malware through the presence of registry keys.  &lt;a href="http://regripper.net/"&gt;RegRipper&lt;/a&gt; was able to assist in this identification.  Harlan, has the world said "thank you" yet?  Full detection could only occur by mounting the disk image I had.  In testing after the fact I was able to mount the disk remotely and detect the trojan using &lt;a href="http://www.f-response.com/"&gt;F-response&lt;/a&gt;.  This trojan, while using OLD concepts, uses new techniques.   Discovery of files in C:\Windows\Temp is what really got the blood boiling.  One contained a logfile of keystrokes entered in Internet Explorer.  Another was XOR'ed.  Thanks to Didier Stevens' fantastic tool &lt;a href="http://blog.didierstevens.com/programs/xorsearch/"&gt;XORsearch&lt;/a&gt; I was able to determine the key used (11 byte XOR using keyword "bank") and the file was un-XOR'ed.  A list of over 900 banks was uncovered.  The malware's intent was revealed and the case moved on.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next....&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Let's now discuss removable media malware.  This is floppy malware all over again.  Except this is 2008 and self-spreading worms are dead, right?  Well, not quite.  They've simply ducked under the external threat radar and they are using the internal threat agent - the user.  The class of malware is Worm.Autorun and the name says it all.  It functions by creating autorun.inf files on removable media and fixed drives and relies upon the user and Windows AutoRun functionality.  Once the malware makes its way onto a host, the real fun begins.&lt;br /&gt;&lt;br /&gt;The malware hooks into the registry and changes the Userinit value under &lt;br /&gt;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to point to a new userinit.exe that the malware creates on the system.  Why is this important?  
Under normal operation userinit.exe runs the logon scripts, re-establishes network connections and handles the other work that has to happen before explorer.exe runs, and it is userinit.exe that then starts the shell, so whatever the Userinit value names is executed at every interactive logon.  This replacement userinit.exe is a keystroke logger with a degree of shell integration, since it is loaded before, and injects into, explorer.exe.  It grabs window titles, the contents of balloon windows and everything else that exists in Explorer.  Comparing that value, and the Shell value next to it, against the default of %SystemRoot%\system32\userinit.exe is a quick triage step on any host the drive has been plugged into.  &lt;br /&gt;&lt;br /&gt;Attempt to remove or rename the autorun.inf from the infected system, and 2-10 seconds later a new one is created.  Upon attempted deletion you receive a dialog box asking if you're sure you want to delete it.  Guess what generates that dialog?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Lots of things are happening, and lots of cyclical security issues are reaching their return time, so it may be time to revisit old and forgotten response models, brush the dust off and update them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-2337874189659881693?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/2337874189659881693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=2337874189659881693&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2337874189659881693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/2337874189659881693'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/10/old-is-new-tales-from-field.html' title='Old is new - Tales from the
field'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-3048999135748847970</id><published>2008-09-16T14:01:00.009-04:00</published><updated>2008-09-20T23:18:32.346-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='devices'/><title type='text'>Drive Erazer</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wiebetech.com/fonts/thumb.php?h=170&amp;w=170&amp;pic=/images/products/Drive_eRazer_TM/1_Drive_eRazer.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px;" src="http://www.wiebetech.com/fonts/thumb.php?h=170&amp;w=170&amp;pic=/images/products/Drive_eRazer_TM/1_Drive_eRazer.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Historically I've always done disk wiping through &lt;a href="http://www.dban.org/"&gt;DBAN&lt;/a&gt;. It's free, and easy to use.  I have had a system capable of attaching plenty of drives and drive types for just this purpose.&lt;br /&gt;&lt;br /&gt;Recently though, our tech shop purchased a bunch of &lt;a href="http://www.wiebetech.com/products/Drive_eRazer.php"&gt;Wiebetech Drive Erazers&lt;/a&gt; because the thought was it's easier and sometimes faster to just plug a drive in and flip a switch.  Well, these devices fit that niche perfectly.  They ended up tossing one at me and asked me to verify their functionality.  &lt;br /&gt;&lt;br /&gt;They ordered the "Pro" model which can do ATA-6 secure wiping as well as writing a simple zero pattern to the disk.  
So I first wanted to test the basic wiping functionality.&lt;br /&gt;&lt;br /&gt;I hooked up a 13GB IDE drive and flipped the switch.&lt;br /&gt;&lt;br /&gt;About 10 minutes and an 'xxd' check later I had a disk full of zeroes that was verified.  Not bad.&lt;br /&gt;&lt;br /&gt;Next up an 80GB IDE drive.  No problems here either.  Approximately 40 minutes later I had a zeroed disk.&lt;br /&gt;&lt;br /&gt;As I write this I'm about 50 minutes into a 'secure wipe' of a 250GB SATA disk.  This device also detects and removes HPA and DCO on the device, which I really like.  I expect it to take a reasonable amount of time, around two hours or so.  Wiebetech states approximately 35MB/s wipe speed, which is respectable for the price tag and functionality.  So far this little device is as good as advertised.&lt;br /&gt;&lt;br /&gt;Procedurally I like devices like this, because a tech can easily attach a drive, flip the switch and go do something else while the device is working.  As much as I like DBAN for my own use, I think these little drive erazers are very handy to have around, and they're extremely portable (they fit in my palm), which only adds to the usability.&lt;br /&gt;&lt;br /&gt;Some dislikes:&lt;br /&gt;Counting blinks to determine error or time to completion.  It's a little like Morse code, but for the price tag it's not a showstopper.&lt;br /&gt;&lt;br /&gt;The jumper location in the device is all but unreachable unless you have fingers the size of paper clips.  A precision set of needle-nose pliers takes care of this though.&lt;br /&gt;&lt;br /&gt;The IDE ribbon should be a little bit longer.  At the current length, you need to bend it too far to keep the hard drive flat.&lt;br /&gt;&lt;br /&gt;Conclusion:&lt;br /&gt;I like the drive erazer.  For the $149 price tag on the Pro model I'd recommend it to people who don't want a computer dedicated to wiping disks, but a few more tests need to be completed before I "approve" it.&lt;br /&gt;&lt;br /&gt;
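An 'xxd' check looks at a few sectors; the check worth doing on a wipe is to read the whole drive and stop at the first non-zero byte. The Python below is an added example, not the post's own procedure and not anything from WiebeTech or DBAN. It reads a device or image in 4 MiB chunks, reports the first non-zero offset together with the throughput (which can be compared against the 35MB/s figure), and shows why sampling is not a substitute for a full read: the constructed sample file it builds has a single stray byte that a one-in-two sampling pass misses. Point verify_zeroed() at the whole device (/dev/sdX, not a partition) after the wipe, and check HPA and DCO separately with hdparm -N and hdparm --dco-identify, since a zeroed user area says nothing about sectors hidden behind them.

```python
"""Verify that a wiped drive really is all zeroes, rather than trusting the blink code.

Added example, not from the original post. It reads a block device or image in
large chunks and reports the first non-zero byte, if any. The sample files it
builds are constructed for the demonstration; point verify_zeroed() at
/dev/sdX (opened read-only) for a real drive.
"""
import os
import tempfile
import time


def verify_zeroed(path, chunk_size=4 * 1024 * 1024, sample_every=0):
    """Scan `path` and return first_nonzero (offset or None), bytes_checked,
    whether the scan was sampled, and throughput in MB/s.

    Reading the whole device is the only check that proves the wipe. If the
    drive is too large for that, sample_every=N reads one chunk in N and the
    result is explicitly marked as sampled, because it can miss a stray sector.
    """
    zero = b"\x00"
    first_nonzero = None
    checked = 0
    start = time.monotonic()
    with open(path, "rb") as f:
        n = 0
        while True:
            if sample_every and n % sample_every:
                f.seek(chunk_size, os.SEEK_CUR)   # skip this chunk when sampling
                n += 1
                continue
            chunk = f.read(chunk_size)
            if not chunk:
                break
            n += 1
            checked += len(chunk)
            stripped = chunk.lstrip(zero)      # empty when the chunk is all zeroes
            if stripped:
                chunk_start = f.tell() - len(chunk)
                first_nonzero = chunk_start + len(chunk) - len(stripped)
                break
    elapsed = max(time.monotonic() - start, 1e-9)
    return {
        "first_nonzero": first_nonzero,
        "bytes_checked": checked,
        "sampled": bool(sample_every),
        "mb_per_s": round(checked / elapsed / 1e6, 1),
    }


def make_sample(path, size, poison_at=None, poison=b"\x5a"):
    """Write a constructed test file: `size` zero bytes (sparse), optionally one
    stray byte at poison_at, standing in for a sector the wipe missed."""
    with open(path, "wb") as f:
        f.truncate(size)
        if poison_at is not None:
            f.seek(poison_at)
            f.write(poison)
    return path


def build_samples(directory=None, size=8 * 1024 * 1024, poison_at=5000003):
    """Create a clean and a poisoned sample image; returns (clean_path, dirty_path)."""
    directory = directory or tempfile.mkdtemp(prefix="wipecheck-")
    clean = make_sample(os.path.join(directory, "clean.img"), size)
    dirty = make_sample(os.path.join(directory, "dirty.img"), size, poison_at=poison_at)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = build_samples()
    print("clean  ", verify_zeroed(clean))
    print("dirty  ", verify_zeroed(dirty))
    print("sampled", verify_zeroed(dirty, sample_every=2))   # misses the stray byte
```

The stray byte sits in the second 4 MiB chunk, so the full scan reports offset 5000003 while the sampled scan, which skips every other chunk, reports a clean drive; that is the failure mode to keep in mind whenever a verification step is shortened to save time.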
I have a few small quibbles about design but none are major.  &lt;br /&gt;&lt;br /&gt;If you have thoughts about these devices or can recommend similar and similarly priced devices I'm all ears.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Addendum&lt;/span&gt;  The 250GB disk finished wiping in one hour and twenty-two minutes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6447283518071683105-3048999135748847970?l=forensicir.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://forensicir.blogspot.com/feeds/3048999135748847970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6447283518071683105&amp;postID=3048999135748847970&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3048999135748847970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447283518071683105/posts/default/3048999135748847970'/><link rel='alternate' type='text/html' href='http://forensicir.blogspot.com/2008/09/drive-erazer.html' title='Drive Erazer'/><author><name>hogfly</name><uri>http://www.blogger.com/profile/00741773109962883616</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6447283518071683105.post-2487575046437327363</id><published>2008-09-16T13:50:00.002-04:00</published><updated>2008-09-16T13:52:31.623-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' term='tales from the 
field'/><title type='text'>Tales from the field</title><content type='html'>Marc Weber Tobias used the phrase "The key does not unlock the lock, it actuates the mechanism which unlocks the lock" in his Medeco presentation at Techno Security.  I'm going to stretch this out to subversion of any system, which is what I think he was actually saying. In other words, don't think in a linear fashion when attempting to solve a problem, or "think outside the box".&lt;br /&gt;&lt;br /&gt;Basically what you think will compromise a system isn't what actually compromises the system.  When attackers attempt to break into systems, they have a number of options.  They can use brute force, the browser, email, exploits, etc. Many of these methods are direct, but attackers understand that the front door is not the only way into a system.  There are more ways in than one.  Once in a great while you come across a particularly interesting method of subversion or attack.&lt;br /&gt;&lt;br /&gt;Yesterday was one of those days.&lt;br /&gt;&lt;br /&gt;Something landed on my desk that I'd not actually seen in the wild.  I'll start at the beginning so this all makes some sense.&lt;br /&gt;&lt;br /&gt;At about 10:40am or so I was alerted to an anomaly.  Time for a phone call...&lt;br /&gt;&lt;br /&gt;ME: "Hi there, there's a possible compromise in your area of operation.  Could you check out IP address x.x.x.x?  It's connecting to the following IP address y.y.y.y"  &lt;br /&gt;&lt;br /&gt;SA: "Sure, I'll track it down and we'll take a look at it."&lt;br /&gt;&lt;br /&gt;I go off and worry about other bits and bytes and check back in a little bit.  No change, but then the phone rings.&lt;br /&gt;&lt;br /&gt;SA: "We've got the system offline, and we're going to rebuild it.  The user just returned from Botswana and it was a flash drive causing the infection. They were logging in as administrator.  Looks like they won't be doing that any more."&lt;br /&gt;&lt;br /&gt;ME: "Great! 
Go ahead and rebuild the system and I'll close out the case."&lt;br /&gt;&lt;br /&gt;About an hour passes and I'm off again looking at more bits and bytes and another alert fires.  Hmmm... same destination host, same destination port, different source IP.  I call up the same SA...&lt;br /&gt;&lt;br /&gt;ME:  "Hi, looks like you've got more problems.  A new IP is connecting to y.y.y.y"&lt;br /&gt;&lt;br /&gt;SA:  "Really?  What's the IP?"&lt;br /&gt;&lt;br /&gt;ME:  "z.z.z.z"&lt;br /&gt;&lt;br /&gt;SA:  "Oh crap. I told him not to plug that system in.  The tech took the system back to his bench to rebuild the system, he must have plugged it in."&lt;br /&gt;&lt;br /&gt;ME:  "Ah, ok.  Give me a call once you've confirmed that's the case."&lt;br /&gt;&lt;br /&gt;SA:  "Will do."&lt;br /&gt;&lt;br /&gt;The SA calls back and confirms the situation.  The system then disappears.&lt;br /&gt;&lt;br /&gt;About 45 minutes later another alert fires.  Same SA, different IP address.  By this point I'm getting frustrated... Phone call time.&lt;br /&gt;&lt;br /&gt;ME:  "Looks like yet another IP, showing the same signs of compromise."&lt;br /&gt;&lt;br /&gt;SA:  "What's the IP?"&lt;br /&gt;&lt;br /&gt;ME:  "q.q.q.q"&lt;br /&gt;&lt;br /&gt;SA:  "Ugh, that's the tech's system.  Hang on."&lt;br /&gt;&lt;br /&gt;SA talking in the background...&lt;br /&gt;&lt;br /&gt;SA: "He plugged the flash drive into his virtual machine, so that's what you were seeing."&lt;br /&gt;&lt;br /&gt;Now I'm curious.  &lt;br /&gt;&lt;br /&gt;ME:  "Hey, can you send me that USB key?"&lt;br /&gt;&lt;br /&gt;SA:  "Sure, I can even drop it off on my way home."&lt;br /&gt;&lt;br /&gt;ME:  "Great."&lt;br /&gt;&lt;br /&gt;To summarize, a user turned on his computer, plugged in a flash drive and his computer connected out to a remote host suspiciously.  The system was contained and taken back to a tech shop for rebuilding.  The tech plugged the system in and connected it to the network.  Another alert.  
The tech took the flash drive and plugged it into his system, where he had a virtual machine set up.  Once the flash drive was connected, his system started connecting to the remote host.&lt;br /&gt;&lt;br /&gt;Here's a look at the traffic:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_sisOS0kCuPo/SM8OYzMxBxI/AAAAAAAAAHE/8ott5itOrMU/s1600-h/traffic.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_sisOS0kCuPo/SM8OYzMxBxI/AAAAAAAAAHE/8ott5itOrMU/s400/traffic.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5246427910133319442" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The flash drive showed up as promised by the end of business.  Always eager to explore, I plugged the device into my booted Helix instance.  After copying it with dcfldd, I did what any reasonable person would do... I mounted it!&lt;br /&gt;&lt;br /&gt;root(sda1)]# &lt;span style="font-style:italic;"&gt;mmls usb.dd&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;DOS Partition Table&lt;br /&gt;Offset Sector: 0&lt;br /&gt;Units are in 512-byte sectors&lt;br /&gt;&lt;br /&gt;     Slot    Start        End          Length       Description&lt;br /&gt;00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)&lt;br /&gt;01:  -----   0000000001   0000000031   0000000031   Unallocated&lt;br /&gt;02:  00:00   0000000032   0000499711   0000499680   DOS FAT16 (0x06)&lt;br /&gt;03:  -----   0000499712   0000503807   0000004096   Unallocated&lt;br /&gt;&lt;br /&gt;root(sda1)]# &lt;span style="font-style:italic;"&gt;mkdir /tmp/case&lt;/span&gt;&lt;br /&gt;root(sda1)]# &lt;span style="font-style:italic;"&gt;mount -t vfat -o loop,offset=16384,ro,noexec,noatime,nosuid,nodev usb.dd /tmp/case&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The offset of 16384 is the FAT16 volume's start sector from the mmls output, 32, times 512 bytes; the loop option is what makes offset= meaningful.&lt;br /&gt;&lt;br /&gt;After running fls and mactime against the image I find the following, which just looks odd:&lt;br /&gt;&lt;br /&gt;Mon Aug 25
2008 00:00:00     4096 .a. d/d--x--x--x 0        0        508      /RECYCLER&lt;br /&gt;                             4096 .a. d/d--x--x--x 0        0        39049    /RECYCLER/S-1-5-21-1482476501-1644491937-682003330-1013&lt;br /&gt;Mon Aug 25 2008 11:44:52     4096 ..c d/d--x--x--x 0        0        508      /RECYCLER&lt;br /&gt;                               62 ..c -/-r-xr-xr-x 0        0        39174    /RECYCLER/S-1-5-21-1482476501-1644491937-682003330-1013/Desktop.ini&lt;br /&gt;                             4096 ..c d/d--x--x--x 0        0        39049    /RECYCLER/S-1-5-21-1482476501-1644491937-682003330-1013&lt;br /&gt;Mon Aug 25 2008 11:44:54     4096 m.. d/d--x--x--x 0        0        39049    /RECYCLER/S-1-5-21-1482476501-1644491937-682003330-1013&lt;br /&gt;                             4096 m.. d/d--x--x--x 0        0        508      /RECYCLER&lt;br /&gt;                              278 ..c -/---x--x--x 0        0        509      /autorun.inf&lt;br /&gt;                            79360 ..c -/---x--x--x 0        0        39175    /RECYCLER/S-1-5-21-1482476501-1644491937-682003330-1013/autorun.exe&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Wait a sec...populating a directory called RECYCLER, with an inf and an executable file?  Time to check out those files!&lt;br /&gt;&lt;br /&gt;root(case)]#cat Autorun.inf:&lt;br /&gt;[autorun]&lt;br /&gt;open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe&lt;br /&gt;icon=%SystemRoot%\system32\SHELL32.dll,4&lt;br /&gt;action=Open folder to view files&lt;br /&gt;shell\open=Open&lt;br /&gt;shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-6820
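As an added example (not code from either post, not RegRipper, and not the malware's own files), the Python below does the two triage steps these posts imply: it parses an autorun.inf the way AutoRun would read it and pulls out every path it would launch, flagging the signs seen above (an executable parked under RECYCLER in a SID-named directory, the "Open folder to view files" action text, a folder icon borrowed from shell32.dll), and it checks a Winlogon Userinit value for entries that are not the real userinit.exe. SAMPLE_AUTORUN is constructed on the pattern of the file above, with shell\explore keys added for generality; SAMPLE_BENIGN is a constructed vendor-CD autorun for contrast; the Userinit strings and the drivers\userinit.exe path are made up.

```python
"""Triage an autorun.inf from removable media and the Winlogon Userinit value.

Added example, not from the original posts. SAMPLE_AUTORUN is constructed on
the pattern of the autorun.inf found on the thumb drive (executable under
RECYCLER in a SID-named directory, folder icon borrowed from shell32.dll);
SAMPLE_BENIGN is a constructed vendor-CD style file for contrast.
"""
import re

SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
shell\explore=Explore
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
"""

SAMPLE_BENIGN = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

SID_DIR = re.compile(r"S-1-5-21(-\d+)+", re.IGNORECASE)
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Tolerant INI parse: {key: value} for the [autorun] section, keys lower-cased,
    skipping the comment and junk lines malware pads these files with."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values):
    """Every path AutoRun or the drive's shell context menu would execute."""
    targets = []
    for key, value in values.items():
        if key in ("open", "shellexecute") or SHELL_CMD.match(key):
            parts = value.split()
            targets.append(parts[0] if parts else value)
    return targets


def triage_autorun(text):
    """Return (targets, findings) for one autorun.inf; findings are heuristics."""
    values = parse_autorun(text)
    targets = launch_targets(values)
    findings = []
    for t in targets:
        low = t.lower()
        if "recycler" in low or "system volume information" in low:
            findings.append("launch target hidden in a system folder: " + t)
        if SID_DIR.search(t):
            findings.append("launch target in a SID-named directory: " + t)
    if "folder" in values.get("action", "").lower():
        findings.append("action text imitates the folder-open prompt: " + values["action"])
    if "shell32.dll" in values.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look like a folder")
    return targets, sorted(set(findings))


# Either spelling of the default is legitimate; anything else ran at logon.
EXPECTED_USERINIT = {r"%systemroot%\system32\userinit.exe", r"c:\windows\system32\userinit.exe"}


def check_userinit(value):
    """Split the comma-separated Winlogon Userinit value and return every entry
    that is not the real userinit.exe; a clean XP host returns []."""
    entries = [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e not in EXPECTED_USERINIT]


if __name__ == "__main__":
    for name, text in (("removable media", SAMPLE_AUTORUN), ("vendor cd", SAMPLE_BENIGN)):
        print(name, triage_autorun(text))
    print(check_userinit(r"C:\WINDOWS\system32\userinit.exe,"))
    # hypothetical dropped copy; the real path varies per sample
    print(check_userinit(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\userinit.exe,"))
```

Run `triage_autorun` over the autorun.inf from a mounted image and hash every launch target it returns; run `check_userinit` on the Userinit value pulled from the SOFTWARE hive of any host the drive touched, since the shell-replacement keylogger described in the earlier post lives there rather than on the drive.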
