Saturday, November 26, 2011

log2timeline-sift: Set it Up and Running....

I know sometimes getting things to work in Ubuntu is like trying to tell Fenton to stop chasing deer in Richmond Park. You keep trying and trying only to see it slowly slip from your grasp, all while amusing friends and random people you will never meet (just click the link, trust me you will giggle).

Fear not for Kristinn has created a very lovely installation guide for us all.

So me just saying to sudo apt-get install the log2timeline package was a bit weak sauce of me. You have to ADD the website containing the code to your sources list as well as add Kristinn's GPG key (GPG is the free implementation of OpenPGP, so think PGP). You can figure out what version of Linux you are using by running
$cat /etc/issue
Do a bit of apt-get update... THEN run the apt-get install and VOILA, dependencies and log2timeline installed! If you are feeling super nerdy and want to compile it yourself, feel free, but there are a decent number of dependencies. I always feel it's better to do less work, especially on a Saturday morning :)

Well so maybe I lied again... you also need sleuthkit installed on your machine. Luckily this can be done via
$sudo apt-get install sleuthkit
I also suggest looking at the sift.conf file which is located in /etc/log2timeline.

default sift.conf file.. I had to modify the location of the TSK binaries

Log2timeline makes guesses about where its additional dependencies live (I assume based on the SiFT workstation), so you may need to point log2timeline at the paths where those programs actually sit on your machine. This is done with good ol' find (which mmls will tell you the same thing):
Finding mmls on your system
My mmls command is located at '/usr/bin/mmls', so I modified sift.conf accordingly. You can also change your mount point as well as where output will be saved to; make sure you are root (or use sudo) when you open the file for editing! P.S. If you keep the default options you will have to create these directories yourself, remember this is geared for SiFT.....

It's always good to look at config files so you have a better idea of how the program works, its dependencies, and the additional variables you can utilize (says the girl who uses apt... I know I know)

So executing log2timeline-sift with no parameter gives you the help options. For a more detailed help page go to the man page.

Now when you give it the -i switch (if you omit the timezone it will grab it from the registry) it starts mmls so you can choose the partition you want to run the tool against.

choose the number... in this case 2
Based on this input it will mount the dd image for you. Then away it goes.... now is the time to click on the Fenton video or grab some coffee, this may take a while :)

Go baby go!
So about 1.5 hours later the tool has finished and now I have a pretty hefty (~250 MB) file. Now you can open this bad boy up in your spreadsheet program or simply use some grep action to search for the presence of a file.

This is a hard drive image taken after I opened a malicious PDF; the file name began with RR_11105, so let's do a quick grep of the timeline to see where this file shows up:
To be fair I ran this PDF multiple times on the OS, hence it being seen a few times... this is a snippet of the output; the green number is the line the search term was found on (the line number grep -n prints).
Once you know this, you can open up the file and go directly to the timeframe in question and see what other actions took place around that time. With this file encompassing so many different logs and artifacts on the hard drive, it is a pretty thorough timeline.

So, now one can ask, why do all of this setup when the SiFT workstation (which is free) has this all done for you? Sometimes you want this on your own Linux build, or you just don't have the time to download the 1.5 GB VM. My internet speeds at home can be quite atrocious, and there is something very depressing about waking up to some errors and a failed download. Or maybe you just want to peek a little under the hood and see what is there.... nothing wrong with that.

Don't be disheartened when a binary does not work right off the bat-- check the error, google the error, check the known bugs page, and see what others have to say about it. Chances are someone has had the same issue and already discovered the solution. Keep at it!

Thursday, November 24, 2011

log2timeline-sift: Proof HD analysis is still vital!

My tummy full of scrumptious turkey and my body slowly breaking down tryptophan (not to mention mildly sore feet from running the longest consecutively run road race in America) -- I decided I really should update the blog.

So I have been talking a lot about timeline creation. Using memory dumps can unearth a ton of information. I would be remiss however if I did not mention timeline analysis using the good ol hard drive.

Rob Lee has made the SuperTimeline famous, using log2timeline (from Kristinn Guðjónsson), RegRipper (Harlan Carvey), and a few other tools (including Brian Carrier's Sleuth Kit). In my old job I created a perl script which would automate as much as possible of the steps required to produce a timeline from a hard drive. I found out last week that all this work has been done for me-- earlier this year.

Kristinn created the log2timeline-sift application which automates the mounting, extraction, and program execution. You can see the PDF here. It picks the timezone from the one used on the hard drive (read from the registry settings). So now all you have to do is literally one command and voila-- and it attempts to grab all the NTUSER.DAT files for each user. It's... almost cheating :P

This comes standard with the new SiFT workstation, or you can easily install in linux with:
$sudo apt-get install log2timeline-sift-perl
The arguments passed on the command line depend on whether you have a whole disk image or just a partition image, and on whether you want to tweak some settings. Read the man page to get the low down, but the command is generally run as such:
$log2timeline-sift -z (TIMEZONE) (DD FILE)
So what does this grab you? A whole treasure trove of information, here are some artifacts which can be seen using supertimeline:
  • Modified, Accessed, Changed and Birth (MACB) times of all files on the system (C is the metadata change time, B the creation/birth time)
    • More information about MACB times by filesystem is here
  • Registry Keys 
  • Internet History for users
  • Prefetch Files
  • System Logs
  • Skype logs
  • UserAssist
  • (some) AV logs
  • Recycle Bin information
So, this is great if you have a timeframe in question or a known bad file: you can simply scroll to the questionable row in Excel (after a quick CTRL-F) and see A) what happened immediately before and B) what happened immediately after.

You can also search the file (read: grep or FINDSTR) to find the existence of a file/event. This is much quicker than trying to open large files in Excel or whatever spreadsheet program you use, and it lets you narrow your search before you do.
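As an added example (not code from either post, and not part of log2timeline), here is the grep-then-look-around step from this post and the November 26 one done in Python: parse the l2t_csv file, find the rows whose filename, short or desc columns mention a term, then print every event that falls within a few minutes of each hit. The 17-column l2t_csv header is the layout log2timeline writes; the rows, host name, user and paths are constructed for illustration.

```python
"""Pull the events around a hit in a log2timeline CSV (added example).

The rows below are constructed, not taken from a real image; only the column
layout (l2t_csv, 17 fields, MM/DD/YYYY dates) is the one log2timeline writes.
"""
import csv
import io
from datetime import datetime, timedelta

L2T_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
              "user", "host", "short", "desc", "version", "filename", "inode",
              "notes", "format", "extra"]

# Constructed sample rows (hypothetical host, user and paths), 17 columns each.
SAMPLE_ROWS = [
    ["11/10/2011", "14:01:05", "UTC", "MACB", "WEBHIST", "Firefox History", "URL visited",
     "jane", "HOST1", "http://example.test/RR_11105.pdf",
     "Visited http://example.test/RR_11105.pdf", "2",
     "C:/Users/jane/AppData/Roaming/Mozilla/places.sqlite", "0", "-", "firefox3", "-"],
    ["11/10/2011", "14:01:09", "UTC", "...B", "FILE", "NTFS $MFT", "Created", "-", "HOST1",
     "RR_11105.pdf", "C:/Users/jane/Downloads/RR_11105.pdf", "2",
     "C:/Users/jane/Downloads/RR_11105.pdf", "4821", "-", "mft", "-"],
    ["11/10/2011", "14:01:20", "UTC", "MACB", "PREFETCH", "Prefetch", "Last run", "-", "HOST1",
     "ACRORD32.EXE", "ACRORD32.EXE-1A2B3C4D.pf run 3 times", "2",
     "C:/Windows/Prefetch/ACRORD32.EXE-1A2B3C4D.pf", "5100", "-", "prefetch", "-"],
    ["11/10/2011", "14:01:41", "UTC", "...B", "FILE", "NTFS $MFT", "Created", "-", "HOST1",
     "svch0st.exe", "C:/Users/jane/AppData/Local/Temp/svch0st.exe", "2",
     "C:/Users/jane/AppData/Local/Temp/svch0st.exe", "4830", "-", "mft", "-"],
    ["11/10/2011", "16:30:00", "UTC", "M...", "FILE", "NTFS $MFT", "Modified", "-", "HOST1",
     "notes.txt", "C:/Users/jane/Documents/notes.txt", "2",
     "C:/Users/jane/Documents/notes.txt", "2201", "-", "mft", "-"],
]


def sample_csv_text():
    """Serialise the constructed rows exactly as an l2t_csv file would look."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(L2T_FIELDS)
    w.writerows(SAMPLE_ROWS)
    return buf.getvalue()


def load_timeline(text):
    """Parse l2t_csv text into dicts, adding a real datetime under 'ts', sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        events.append(row)
    events.sort(key=lambda e: e["ts"])
    return events


def find_hits(events, term):
    """Rows whose filename, short or desc mention the term (a case-insensitive grep)."""
    needle = term.lower()
    return [e for e in events
            if any(needle in e[col].lower() for col in ("filename", "short", "desc"))]


def events_around(events, hits, minutes=5):
    """Every event within +/- minutes of any hit, in time order, each listed once."""
    window = timedelta(minutes=minutes)
    return [e for e in events if any(abs(e["ts"] - h["ts"]) <= window for h in hits)]


def format_event(e):
    """One readable line per event: time, MACB flags, source, type, filename."""
    return "%s %s %-8s %-12s %s" % (e["ts"].isoformat(sep=" "), e["MACB"],
                                    e["source"], e["type"], e["filename"])


if __name__ == "__main__":
    # For a real run: tl = load_timeline(open("timeline.csv").read())
    tl = load_timeline(sample_csv_text())
    hits = find_hits(tl, "RR_11105")
    print("%d hit(s) for RR_11105" % len(hits))
    for e in events_around(tl, hits, minutes=2):
        print(("*" if e in hits else " "), format_event(e))
```

Run it directly and the four events that cluster around the two RR_11105 hits come out together (the download, the $MFT creation, the Acrobat prefetch and the dropped executable) while the unrelated edit two hours later is left out. On the real 250 MB file it is still a single pass over the CSV, so it costs about the same as grep but hands you the window rather than just the line number.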

Sweet. I found out a bit late (staying on top of everything is insane), however I definitely want to start using this in my forensic investigations. Now I know I said you can do something similar with a memory dump, but you won't always get that memory dump. Plus, well... you only grab what was in memory-- which granted is A LOT but it's not everything. AND if you have both you can find discrepancies and further build on your investigation. There is power in corroboration! 

I hope everyone had a wonderful Turkey Day and to all those attempting a Black Friday-- best of luck. I will be busy snoozing ^_^

Saturday, November 12, 2011

On The Road: But answer me these questions... one

So I am currently traveling for work but one of my colleagues emailed me about the following problem: getting different results for memory analysis based on the tool he used. He specifically mentioned volatility and Mandiant's Redline. Here is his email:

I've been scratching my head on this memory image because when I do a connscan and sockscan [using volatility], I noticed some WEIRD activity, specifically, high PIDs and one with a PID of 0 and their offsets are just "-------". These PIDs have strange IPs associated with them, some of which are "blacklisted" according to www.robtex.com. Also, when doing a sockscan, one of the strange listings doesn't have a Protocol, instead of TCP or UDP it just shows a hyphen "-". More importantly, these PIDs don't show up in pslist, psscan or psxview!!

Has anyone else run into this issue? I am assuming it is because each program parses memory a different way. For example, does Mandiant's tool show terminated connections when Volatility's connscan can do exactly that? I am not 100% sure-- so I ask the collective out there. And do not worry, you will not be thrown into a volcano or anything like that regardless of your answer :)
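One way to make the comparison in the email mechanical, as an added example rather than anything from Volatility, Redline or the original post: parse the connscan and pslist text output and list every connection whose PID pslist does not know about. connscan and sockscan carve structures out of physical memory instead of walking the live process list, so entries with a PID nobody owns are exactly the ones to check by hand. The sample output is constructed to look like Volatility 2.x column layout; the layout, offsets, addresses and PIDs are assumptions, not captures from a real image.

```python
"""Cross-check Volatility scanner hits against the process list (added example).

CONNSCAN_OUTPUT and PSLIST_OUTPUT are constructed, modelled on the text that
`vol.py connscan` and `vol.py pslist` print (the exact column layout is an
assumption). Any PID the scanner reports but pslist lacks is returned.
"""

# Constructed connscan-style output (addresses from documentation ranges)
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.1.5:1071          203.0.113.20:80           1116
0x02100e40 192.168.1.5:1080          198.51.100.9:443          4092
0x02200150 192.168.1.5:1093          198.51.100.9:443          0
"""

# Constructed pslist-style output
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                 4      0     57    327 1970-01-01 00:00:00
0x8225b4f8 winlogon.exe         568      4     23    500 2011-11-10 13:58:40
0x821f0da0 explorer.exe        1116   1064     17    392 2011-11-10 14:02:11
"""


def _data_lines(text):
    """Yield whitespace-split rows, skipping the header and separator lines."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("0x"):
            yield parts


def parse_connscan(text):
    """Return [(offset, local, remote, pid), ...] from connscan output."""
    return [(p[0], p[1], p[2], int(p[3])) for p in _data_lines(text)]


def parse_pslist(text):
    """Return {pid: process name} from pslist output.

    Relies on the image name having no spaces, which holds for the 16-byte
    ImageFileName Volatility prints here.
    """
    return {int(p[2]): p[1] for p in _data_lines(text)}


def orphan_connections(connscan_text, pslist_text):
    """Connections whose PID has no matching process in pslist."""
    procs = parse_pslist(pslist_text)
    return [c for c in parse_connscan(connscan_text) if c[3] not in procs]


if __name__ == "__main__":
    for off, local, remote, pid in orphan_connections(CONNSCAN_OUTPUT, PSLIST_OUTPUT):
        print("%s %s -> %s  pid %d is not in pslist" % (off, local, remote, pid))
```

Feed it the saved text output of the two plugins and you get the short list to chase: in the constructed sample that is the PID 4092 and PID 0 connections, while the explorer.exe one is accounted for. The same loop works against psscan output if you want the carved process list instead of the linked one.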

 

Sunday, November 06, 2011

Lazy Sunday Reading

Thinking about setting up your own lab at home and not sure what tools to use? It can be daunting with the plethora of tools out there, you could spend hours researching... well over at SecTools.org they listed the top 125 Network Security Tools which could be a good place to look.

One thing I am lacking in my VM environment is servers and domain controllers... which is sad because PaulDotCom blogged about grabbing hashes from a live DC via Volume Shadow Copies (VSC). VSCs seem to be a treasure trove of forensic information and a place for malware to lurk (see the video "Lurking in the Shadows" from Hack3rcon II). Both Rob Lee and Harlan Carvey have blogged about grabbing and parsing through the VSC.

Off to learn some PDF analysis, if you are looking to do your own analysis and need samples try contagio.
While I am waiting to hear back about some issues I have had with Volatility (when I try the printkey command it says it can't find the key, even when I did a hashdump and am staring at it) and with getting Yara to compile on Windows, I think I will post a video about PDF analysis with REMnux. I will also be trying out CamStudio more than likely.

Enjoy your Sunday... for us we have only 14 minutes left of it :) 

Friday, November 04, 2011

PDF Analysis

So a coworker turned me on to REMnux, a Linux build for reversing malware. It has a ton of good tools (including my fav Volatility) and has a few tools for PDF analysis. You can even set up INetSim to simulate the common internet services, point your victim box at it and see how the bad code acts. *HINT* It helps to configure your IP address right; 'almost' only counts in horseshoes and hand grenades....

I have not done much PDF analysis besides executing a file in a VM and watching it run... so I figure this may be a source for an upcoming video. I have been reading Didier Stevens' work on it and it's amazing how much you can learn about a file.... by simply looking at it. That sounds silly but most people are nervous attacking a file in this manner (I won't understand it/I am not a programmer/I need answers fast), when in reality with the tools at your disposal it can actually be a good quick n dirty for determining if a PDF is indeed malicious and what it potentially is doing, thus finding your vulnerability. Heck you may get SO good at it you may write your own tool! That is not to say that you will understand ALL PDFs that cross your path, but everyone is learning... so don't be afraid to ask questions!
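To make the "just look at it" point concrete, here is an added example (my code, not Didier Stevens' pdfid or anything shipped in REMnux) that does the first thing his tools do: count the names that matter in the raw bytes (/JavaScript, /OpenAction, /Launch and friends) after undoing the #xx hex escapes PDF allows inside names, which malware authors use to hide exactly those keywords from a naive grep. The tiny PDF is constructed for the example and the list of interesting names is my choice, not a standard.

```python
"""Quick PDF triage by keyword, in the style of pdfid (added example).

Works on raw bytes only: no PDF library, no object parsing, so it cannot be
derailed by a broken xref or a stream it does not understand. SAMPLE_PDF is
constructed for this example and is not a real malicious sample.
"""
import re

# Names worth counting in a first look (this list is a choice, not a standard)
INTERESTING = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/ObjStm", b"/URI", b"/RichMedia", b"/AcroForm"]

# A PDF name runs from '/' to the next whitespace or delimiter character
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# #xx inside a name encodes one byte, so /Open#41ction is /OpenAction
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a minimal PDF whose OpenAction name is hex-obfuscated
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def unescape_name(name):
    """Replace every #xx escape inside a PDF name with the byte it encodes."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_names(data):
    """Count every name token in the file after un-escaping.

    Slashes inside strings (URLs, paths) are counted too; pdfid has the same
    behaviour, and for triage a false positive is cheaper than a miss.
    """
    counts = {}
    for m in NAME_RE.finditer(data):
        n = unescape_name(m.group(0))
        counts[n] = counts.get(n, 0) + 1
    return counts


def triage(data, interesting=INTERESTING):
    """Return ({name: count} for the interesting names, number of obfuscated names)."""
    counts = count_names(data)
    obfuscated = sum(1 for m in NAME_RE.finditer(data) if b"#" in m.group(0))
    return {k.decode(): counts.get(k, 0) for k in interesting}, obfuscated


if __name__ == "__main__":
    # For a real file: data = open("suspect.pdf", "rb").read()
    report, obfuscated = triage(SAMPLE_PDF)
    for name, n in report.items():
        print("%-14s %d" % (name, n))
    print("hex-escaped names: %d" % obfuscated)
```

The counts alone tell you where to dig next: /OpenAction plus /JavaScript means something runs as soon as the document opens, and a non-zero count of hex-escaped names is itself a signal, since a legitimately produced PDF almost never needs to spell /OpenAction that way. Object 4 is where you would then go and pull the script out by hand or with pdf-parser.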

In other news:

I may do a video about YARA and show how versatile it can be when combined with Volatility. It will more than likely tie in with the on-going scenario.

I may even go old school and do a video about tcpdump. I personally have not used it in a long time and I have a feeling I will be using it more in work... so it's time for a refresher :)

Someone has suggested I try Camstudio for my recordings. I see no issue with this as its free. The next video will be made with that. Much thanks for the feedback!

Wednesday, November 02, 2011

Using Volatility: Suspicious Process

Wow guys, this video took a long time to finally make. As you can see I actually have two videos because the first one cut out on me. This was the 2nd take and man was it annoying to see I accidentally hit the 'PAUSE' button but kept cheerily talking to myself (I do this a lot anyway so it was par for the course). Never mind, here are both videos (the first one should be first).





Like I state in the videos, this is a learning process for me as well, so please offer any suggestions/comments. This was a pretty good run through a lot of the functionality in Volatility, and probably a bit overkill for what we were up against, but I just wanted to highlight how powerful and extremely useful memory dumps can really be.

Fun Things I Mentioned in the Videos:

HKLM\Enum Registry Keys Information
Fun Command-Line Kung-Fu to find Meterpreter
 VirusTotal: upload possibly malicious file/MD5 to determine what the AV guys think
Timeline Analysis: from the SANS website
Timeliner Plugin (and more!) for Volatility: from Gleeda
One of Harlan Carvey's (many) blogs about Timeline Analysis
An article about Sessions, Desktops, and WindowStations... oh my!

Additional Links for Memory Forensics: