Thursday, May 31, 2012

Timelines... Everywhere I look Timelines!

So if you have not updated to the latest SIFT (2.13) I highly recommend taking the plunge. EWF is fully supported in all its glory and the log2timeline cheatsheet on the Desktop is a sure-fire WIN for people who are not sure exactly what to do to create a timeline. I had an E01 file which was not cooperating on 2.11 (I know --WAY-- far behind) and on 2.13 it is merrily processing. Another good link I found for explaining the MACB timestamps for those who are still stuck on MAC is here.

Whilst agonizing in 2.11, I was able to do a timeline in Autopsy with no issues (although not as verbose as log2timeline). My good buddy Iz actually wrote a posting in Hakin9 Magazine on how to set about it. I do not use Autopsy very often, but I may start to now as it accepts E01s with no issues and pretty rapidly created a timeline for all three partitions for me (it does not show URL history or system file logs though, but it's a great place to start!).

Back down the rabbit hole I go!

Thursday, May 10, 2012

Scripting Continued

So at work I thought I had to fly very quickly somewhere to help fix something. I was thinking 'sheesh I don't have a script I can quickly run on a system to grab volatile data. Shame on me!' Also not knowing if I was going to an XP land or potentially a Win7 world, I decided to use SysInternals tools and DumpIt! in my script, as I can easily get their hashes, load them on a USB drive, and lug them with me.

My script wasn't horrible, but it wasn't super awesome either. It got the key aspects for live response, but that's it.

Then my buddy HiddenIllusion reminded me of Triage-IR, a tool written by Michael Ahrendt, and talked about in his blog Student of Security (aren't we all Michael). This tool pretty much blew mine out of the water. All you have to do is download the package, and be sure to add the SysInternalsSuite folder under 'Tools' and kablamo.

So what does this tool grab? Some highlights:
  • Memory (although when I ran it on Win7 it did not work... still troubleshooting)
  • Registry Hives
  • Network Connections (including net sessions and files)
  • Prefetch Files
  • Services
  • Processes
  • Jump Lists
He then takes every file created in the script and creates MD5 and SHA1 hashes of each. He also has an incident log showing each command that has been executed including date and time. Oh, and THEN he compresses everything via 7-zip.

Why reinvent the wheel when someone else has done it? :)

Now of course a potential downfall is you cannot modify this to add/remove tools and commands-- however it's a great script which works in many scenarios.
UPDATE: Michael let me know the source IS included, and it's in the AutoIT Script Language. Modify away!!

Does anyone have a script for volatile data collection they hold near and dear to their hearts? Let us know about it! The more versatile our arsenal-- the better we can combat threats.

Saturday, May 05, 2012

Second Verse: Same as the First (but in Windows)

Ahhh... Windows. Love it or hate it, the OS is here to stay. In my last post I talked about parsing a file in Linux to whittle it away to exactly what you need it to do. Let's face it, the linux command line totally rocks for that type of stuff. For Windows.... ehhhhhhh

Then Powershell came along and rocked it hard core! I still think it's not as intuitive as linux (I can see the hate mail now) but what I did in linux is easily doable in Windows too via the Powershell...
cat foo.txt | %{$_.split('/')[3]} > bar.txt
So in layman's terms, we are viewing our file (cat) and piping (|) it through the split function. The '$_' bit is an implicit variable, used a lot in the programming world for looping statements. Right now think of it as a variable holding one line of the file we are cat'ing; when we get to the next line, the variable changes to that line. If that's confusing check out this explanation. Anyways, from that variable we are calling the split function, using '/' again as our delimiter and requesting the 3rd field. I find it interesting that in linux it is the 4th field and in Windows the 3rd: cut numbers its fields from 1, while the array that split() hands back is indexed from 0, so [3] is really the same fourth piece of the line.

Cool now we got the domains saved to a file, lets try and get some IP's from them. From the command-line we can do it like so:
cat bar.txt | Foreach {ping -n 2 $_}
We are again using our implicit variable to make life easier for ourselves. This line is saying 'Go thru the file bar.txt and for each line in bar.txt ping the address 2 times (please).'

And for those who detest powershell and have not heard the word (where word eq cygwin) and demand to use the old command line -- Well we can do this for you too!
FOR /F "tokens=3 delims=/" %A IN (foo.txt) DO echo %A >> bar.txt
A bit messier but still doable... the FOR statement with the /F switch is used for dealing with files and directories. The option 'tokens' says which field to grab while 'delims' means delimiter (whoa). Because FOR /F treats a run of consecutive delimiters as a single one, the empty field after 'http:' is not counted, which is why the domain is token 3 here. We have a variable %A, give the name of the file we want to parse, then say what we want to DO with it.

We can use the FOR statement again to ping as well...

FOR /F %A IN (bar.txt) DO ping -n 2 %A >> results.txt
So there you have it! Parsing thru files in three different command lines... enjoy the weekend everyone!

P.S. One of the joys of scripting is that there are multiple ways to go about doing this... so if you have other ways please share! Also, if you would like to see some real Fu done on the command line... check out Command Line Kung Fu. Prepare to be humbled.

Thursday, May 03, 2012

Scripting - Making Life Easier

I was using INetSim (within REMNux) today to mimic internet services so I could fool my little malware to thinking it was connected to the real world. Anyways, the malware started looking for certain URLs, of course when INetSim dutifully returned with a page (but not the right one), it kept looking for other URLs. After 20 minutes I realized I would have a lot of IPs on my hands... scripting to the rescue!

So for those of you who use INetSim (or those who don't, we don't judge here), the output of the service log looks something like this:


OK, so first off, we need to figure out how we can narrow this file down to the date we want and the lines that only say 'Request URL'. This is where grep is your friend:
cat service.log | grep "\[2012-05-03" | grep "Request URL" > foo.txt
 Cool, that reduces some noise and leaves us with:

The google.com ones above were ones I did to test that INetSim was up and running, so I can edit those out in vi. The juicy bits start where the censored blocks are (sorry!)

So now what? Well let's see if we can get any IP addresses from the domain names. In linux world we can use the 'host' command. Here is a quick example of host in action (if you want to see the syntax available just enter 'host'):

Awesome, so if we want to get a list of IPs up we simply have to feed it all of the domains we have. Now just how many is that per chance? 'wc' with the 'l' switch is our friend!


O_o I don't know about you, but I don't want to manually feed those in! Plus we need to get rid of the extraneous info on each line, all we need is the domain. This is where the 'cut' command comes in:
cut -d/ -f4 foo.txt > bar.txt
So we are setting our delimiter to '/' because we do not need 'http://' for our lookups. The -f switch says what field (or column) we want to display. Looking at the 2nd screenshot and counting along, our domains lie in the 4th column. So now we should have each domain on its own line in the file 'bar.txt'. Ok onto the script!
#!/bin/bash
# Resolve every domain in bar.txt (one per line) with the host command
file=bar.txt
for i in $(cat "$file")
do
      host "$i"
done
Yes this can be done from the command line, but with a bit of tweaking this little bad boy can be used for all sorts of things! All that's left is to chmod the script to be executable and run. If you want you can output to a file rather than the screen, or even use tee and have your cake and eat it too!
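The same filter-cut-count-resolve pipeline from this post and from the PowerShell/cmd version above, written out in Python as an added example (this is not code from the post). It assumes the INetSim service.log layout shown in the screenshots (timestamp, pid, service, client, message); the sample lines and hostnames below are constructed, and it additionally copes with a :port after the hostname.

```python
import re
import socket
from collections import Counter

# Constructed sample of INetSim's service.log; the layout follows the post's
# screenshots but every entry here is made up.
SAMPLE_LOG = """\
[2012-05-03 10:00:00] [3041] [http 80/tcp 3067] [10.0.0.2:1061] connect
[2012-05-03 10:00:00] [3041] [http 80/tcp 3067] [10.0.0.2:1061] info: Request URL: http://www.google.com/
[2012-05-03 10:05:12] [3041] [http 80/tcp 3070] [10.0.0.2:1062] info: Request URL: http://update-check.example.net:8080/gate.php
[2012-05-03 10:05:13] [3041] [http 80/tcp 3071] [10.0.0.2:1063] info: Request URL: http://update-check.example.net/gate.php
[2012-05-02 23:59:59] [3041] [http 80/tcp 3001] [10.0.0.2:1010] info: Request URL: http://old.example.org/
"""

# Same filter as the post's two greps: the day in the leading timestamp, and "Request URL".
REQUEST_RE = re.compile(r"^\[(?P<day>\d{4}-\d{2}-\d{2}) [^\]]*\].*Request URL: (?P<url>\S+)")

def requested_domains(log_text: str, day: str) -> Counter:
    """Count how often each host was requested on `day` (the cut -d/ -f4 step,
    but tolerant of a :port suffix)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group("day") != day:
            continue
        host = m.group("url").split("/")[2]      # http://HOST[:port]/path -> HOST[:port]
        hits[host.split(":")[0]] += 1
    return hits

def resolve(domains, lookup=socket.gethostbyname) -> dict:
    """The `host $i` loop: map each domain to an address, or None when lookup fails.
    `lookup` is injectable so the resolution can be swapped or run offline."""
    out = {}
    for d in sorted(domains):
        try:
            out[d] = lookup(d)
        except OSError:
            out[d] = None
    return out

if __name__ == "__main__":
    counts = requested_domains(SAMPLE_LOG, "2012-05-03")
    print(f"{len(counts)} unique domains")        # the wc -l step
    for d, n in counts.most_common():
        print(f"{n:4d}  {d}")
```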
 
None of this is new, however it's simply another way of tackling the problem of too much data :)



Wednesday, May 02, 2012

Perusing the BlackBerry

Blackberries are all over the place... but you don't hear too much about analyzing them forensically (anyone have a good source?). I thought maybe it was time to crack into mine and see what I can find.

Most people know that Research in Motion (RIM) uses their own proprietary protocols. It has its own wireless modem which it uses to connect to the BellSouth Intelligent Wireless Network. It also has two transport options, AES and Triple DES. If you use the password keeper on your phone, that implements AES by default (which is more secure anyways).

Caveat! The BlackBerry is one of those 'always-on' devices... even turning it off does not power it down completely. So that means you could be imaging the device when suddenly data could be pushed to it, potentially overwriting some data (and altering your image, never good in court). This means you need to either turn off the radio so no pushing can be done to the device -OR- put it somewhere where it cannot receive a data push (a faraday bag or my flat). Even 'off'-- a queue (you can tell it was created by a commonwealth country) will form of data waiting to be pushed to the device... so when you power it back on, it is literally flooded with new data, overwriting evidence. If you are doing mobile forensics, buy faraday bags. Oh and chargers to ensure the phone doesn't die before you image it.

So I performed a simple DD of the device and let's see what I can find:


Why... HELLO MBR! How are you?! Well since you are an unpartitioned device, you are the Volume Boot Record. Yes it's the good ol' 512-byte record of Windows fame, it even has the 0x55 0xAA terminating values! From this we can see:
  • Running MSDOS 5.0?
  • FAT16 filesystem
  • Name of Blackberry (clever)
Well let's do a quick perusal of what the tree pane view has to offer us:

Nothing too overly exciting here... let's go thru the potentially interesting bits:
/app_world: These all have the .REM file association, this has to do with BlackBerry World
/camera: all of my photos from my phone. These are in EXIF data format and begin with the hex value 'FF D8' and end with 'FF D9'
BBThumbs.dat: This was in both my music and videos directories. This is pretty much a cache of the actual music/video itself, which means when the library is accessed it can call the cache if the hash matches rather than checking the library over and over. Each entry within the dat file starts with hex value '01 00' and ends with 'FF'
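Added example, not from the post: a small Python routine that checks the 55 AA signature and reads the OEM name, label and file-system string the post picked out of the first sector, then carves FF D8 ... FF D9 runs the way one would pull the camera JPEGs out of the dd image. The 'image' it parses is constructed in build_sample_image(), so the field values (MSDOS5.0, FAT16, the BlackBerry label) and the JPEG offsets are assumed, not taken from a real device.

```python
import struct

def build_sample_image() -> bytes:
    """Constructed stand-in for the dd image: a FAT16 volume boot record followed
    by filler and two small fake JPEGs. Values are assumed, not from a device."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x3C\x90"                  # jump over the BPB
    vbr[3:11] = b"MSDOS5.0"                     # OEM name the post saw
    struct.pack_into("<H", vbr, 11, 512)        # bytes per sector
    vbr[43:54] = b"BlackBerry "                 # 11-byte volume label
    vbr[54:62] = b"FAT16   "                    # 8-byte file-system type string
    vbr[510:512] = b"\x55\xAA"                  # boot signature
    filler = b"\x00" * 300
    jpeg1 = b"\xFF\xD8\xFF\xE0" + b"\x00" * 40 + b"\xFF\xD9"   # SOI ... EOI
    jpeg2 = b"\xFF\xD8\xFF\xE1" + b"\x01" * 24 + b"\xFF\xD9"
    return bytes(vbr) + filler + jpeg1 + filler + jpeg2 + filler

def parse_vbr(img: bytes) -> dict:
    """Read the fields the post identified in the first sector; refuse a sector
    that lacks the 55 AA signature at offset 510."""
    if len(img) < 512 or img[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA boot signature at offset 510")
    text = lambda chunk: chunk.decode("ascii", "replace").strip()
    return {
        "oem_name": text(img[3:11]),
        "bytes_per_sector": struct.unpack_from("<H", img, 11)[0],
        "volume_label": text(img[43:54]),
        "fs_type": text(img[54:62]),
    }

def carve_jpegs(img: bytes) -> list:
    """Header/footer carving: every FF D8 ... FF D9 run as (offset, length).
    A header with no later footer (truncated file) is skipped."""
    found, pos = [], 0
    while (start := img.find(b"\xFF\xD8", pos)) >= 0:
        end = img.find(b"\xFF\xD9", start + 2)
        if end < 0:
            break
        found.append((start, end + 2 - start))
        pos = end + 2
    return found

if __name__ == "__main__":
    image = build_sample_image()
    print(parse_vbr(image))
    for off, length in carve_jpegs(image):
        print(f"JPEG at offset {off} ({length} bytes)")
```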
 
/system/info.mkf: This file contains the password (hashed) if you have the SD card encrypted with the card password. This can be cracked (and potentially the phone password, if it's set to be the same) via a tool from Elcomsoft.

I have the weirdest musical selection!

The BlackBerry Web Browser
/system/appdata/rim/webstorage/net_rim_bb_browser_daemon: This looks to be the web browser. There are a lot of files with .db extensions, but they are actually REMF files (so can't be easily viewed). However in /database I see the https_mail.google.com_0 folder, so the user has a gmail account and has used it from the device. Checking out the local storage is a bit more fruitful in helping to determine browsing.

I enjoy securitybananas, beer, and long walks on the beach...
/tmp : full of 0 size files with the prefix 'SU.tmp'. They were created on 11/29/11... I feel that was around the day I accidentally wiped my phone, but don't remember....

Of course you can do the same things you can do on regular OSes: recover files, copy out files, hash files, run EnScripts... etc

Where are my text messages? Contacts? Or my phone call history? I assume stuck in one of those REMF files and in the SIM... perhaps if I get some mobile forensic software I may be able to produce more fruitful results. Apparently if I download the BlackBerry SDK I can grab the flash RAM?? Mobile forensics is such a fascinating field. Definitely more to research and if anyone has any tips please feel free!

Sources:
Scene of the CyberCrime (2nd Edition) Michael Cross
Wikipedia