
Forensics


Ubiquity Forensics - Your iCloud and You | SANS Institute
Webinar, Wednesday, September 09 at 7:00 AM EDT (11:00 UTC). Speaker: Sarah Edwards.

Overview: Ubiquity, or "Everything, Everywhere", is the term Apple uses to describe iCloud-related items and their availability across all devices. iCloud lets us have our data synced to every Mac, iPhone, iPad and PC, and accessible from a web browser. Much of this data gets cached on the devices themselves; this presentation explores the forensic artifacts related to that cached data.

Speaker bio: Sarah Edwards is an experienced digital forensic examiner who has worked with various federal law enforcement agencies.

Anders Orsten Flaglien.pdf

Investigating iOS Phone Images, File Dumps & Backups | Magnet Forensics
As of January 2013, Apple announced it had sold over 500 million iOS devices. While iOS appears to be the leading operating system for tablets worldwide, Android remains the leading operating system for mobile phones worldwide.

Regardless of the statistics, if you are an active forensic examiner, chances are very high that you will need to examine an iOS mobile device (if you haven't several times already). This article discusses some of the steps involved and the areas of interest when analyzing an iOS device for Internet-related activity.

Handset passcodes. Depending on the version of iOS, different passcode lengths and complexities are supported:

- A simple four-digit passcode
- A complex numeric passcode
- A complex alphanumeric passcode or passphrase

In many cases you will need the passcode in order to obtain a physical image or a file system dump.

Physical memory dump vs. file system dump vs. AFC file backup. The three acquisition types discussed are a physical memory image, a file system dump, and an AFC backup.

Windows XP: BH_US_11_ButlerMurdock_Physical_Memory_Forensics-Slides

SampleMemoryImages - volatility - Public Memory Images - An advanced memory forensics framework

Windows 8 File History Analysis
File History is a backup service introduced in Windows 8. It is off by default; to turn it on, the user has to select a backup location, either a network drive or external storage media, so the same disk cannot be used as the backup target. File History backs up the files in the Libraries, Desktop, Contacts and Favorites folders.

There is an option to exclude any folders that the user does not want backed up. Note that File History cannot back up folders synced with cloud storage services.

File History works by tracking the USN change journal. Each backed-up version is stored under the original file name with the backup timestamp appended, for example:

- MyABC (2013_10_03 03_37_37).doc
- MyABC (2013_11_03 04_55_20).doc

In this way it maintains a log of files along with their versions.

Case 1: the backup drive is available. If the external or network drive is available, File History copies the complete new version of each modified file to that drive, unlike a differential backup, which saves only the modified content.
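Because every version is a full copy named after the original file plus a timestamp, the backup drive alone is a timeline of what each document looked like and when. The following parser is an added example written for this page, not code from the File History article; it assumes the "Name (YYYY_MM_DD HH_MM_SS).ext" layout shown above, and the directory listing it runs over is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Windows 8 File History keeps every saved version of a file under its
# original name with the backup timestamp appended in parentheses, e.g.
#   MyABC (2013_10_03 03_37_37).doc
# The regex assumes that layout: base name, a space, then
# "(YYYY_MM_DD HH_MM_SS)" immediately before the (optional) extension.
VERSION_RE = re.compile(
    r"^(?P<base>.+?) \((?P<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2})\)(?P<ext>\.[^.]*)?$"
)


def parse_version_name(name):
    """Split a File History file name into (original name, timestamp).

    Returns None when the name carries no File History timestamp, so
    callers can separate versioned copies from other files on the drive.
    """
    m = VERSION_RE.match(name)
    if not m:
        return None
    original = m.group("base") + (m.group("ext") or "")
    ts = datetime.strptime(m.group("ts"), "%Y_%m_%d %H_%M_%S")
    return original, ts


def build_version_timeline(names):
    """Group File History names by original file, oldest version first.

    Returns {original_name: [(timestamp, stored_name), ...]}; names that
    do not match the versioning pattern are skipped.
    """
    timeline = defaultdict(list)
    for name in names:
        parsed = parse_version_name(name)
        if parsed is None:
            continue
        original, ts = parsed
        timeline[original].append((ts, name))
    for versions in timeline.values():
        versions.sort()
    return dict(timeline)


def _as_datetime(value):
    # Accept either datetime objects or ISO 8601 strings for convenience.
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def versions_between(timeline, original, start, end):
    """Versions of one file whose backup time falls inside [start, end].

    Answers "what did this document look like during the incident
    window" from the backup drive alone.
    """
    start, end = _as_datetime(start), _as_datetime(end)
    return [
        (ts, stored)
        for ts, stored in timeline.get(original, [])
        if start <= ts <= end
    ]


# Constructed sample directory listing (not from the original article).
SAMPLE_LISTING = [
    "MyABC (2013_10_03 03_37_37).doc",
    "MyABC (2013_11_03 04_55_20).doc",
    "MyABC (2013_10_20 12_00_00).doc",
    "budget (2013_10_05 09_15_00).xlsx",
    "notes.txt",                       # not a versioned copy; ignored
    "README (2013_10_05 09_15_00)",    # versioned file without extension
]

if __name__ == "__main__":
    tl = build_version_timeline(SAMPLE_LISTING)
    for original, versions in sorted(tl.items()):
        print(original)
        for ts, stored in versions:
            print("   ", ts.isoformat(), "<-", stored)
```

The timestamps are whatever File History wrote into the name; compare them against the system's time zone setting before lining them up with other artefacts.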

The cache folders get their names in sequence (the original article tabulates them in Table 1).

TeamViewer 8 | Forensic Artifacts
Author: Matt Nelson. Artifact or program version: 8.0.16447.
TeamViewer is a program that provides remote desktop software, remote control access, VPN capabilities, file transfers and more. It can be installed, run temporarily, or used as a portable application. One interesting capability is that it can determine whether the remote and local hosts are on the same network; if so it connects directly peer-to-peer rather than through the gateway servers. It is also proxy aware: you can configure it to connect through your network proxies or even a Tor proxy.

While there are important artifacts in the registry, a few files are particularly useful for reconstructing the details and sequence of events involving the software. The first file to look at on the local host is C:\Program Files (x86)\TeamViewer\Version8\TeamViewer8_Logfile.log, which holds a wealth of information. For example, a line such as

CMD_MEETING_AUTHENTICATION From=155xxx982 To=312xxx388 L=53

records the connecting TeamViewer ID ("From") and the ID it connected to ("To").

Live Linux forensics in a KVM based environment (part 1: memory)
Most of this post is based on an image that I created and will walk through; you can obtain it from the link in the original post. You will need to write it to a USB drive, preferably an 8 GB drive like the one I used in the talk. To write the image, issue: dd if=./4n6.img of=/dev/your_drive

Scenario: the network team has reported abnormal traffic to 172.20.20.114; please check out srv03 at 192.168.122.226.

Host system:
- OS: Ubuntu 12.04 server
- user: admin-user
- password: master

Compromised guest:
- OS: CentOS 6.4 64-bit
- disk configuration: 3-disk RAID5, LUKS encrypted
- LUKS passphrase: mi4n6mi4n6
- root password: master

I will try to write this in a way that parallels using the same techniques on a live virtual instance.

Note also that the libvirt domain I will be using is srv03.

Memory. One important piece of the incident response puzzle is a memory dump. The quick and dirty way is "virsh dump srv03" followed by the path of the output file.

Decoding malware SSL using Burp proxy
When performing dynamic analysis of malware you will occasionally encounter SSL being used for network communication, which prevents you from analyzing the content. Typically Wireshark is used to examine network traffic at the packet level. Wireshark has an SSL dissector that can decrypt SSL traffic if you provide the decryption keys; the technique is described in detail on the Wireshark wiki. However, I prefer to use an intercepting proxy for SSL analysis.

My proxy of choice is Burp Suite, but you can use other proxies such as Paros, WebScarab or Fiddler. I'll first give an example in which a particular malware specimen used SSL to communicate with Craigslist. With Burp acting as an intercepting proxy you can easily see the SSL traffic and get a good idea of what the malware is doing. The post then shows the Raw, HTML and rendered-page views of the server response.

Process Monitor Filters for Malware Analysis and Forensics
Process Monitor is a free tool from Microsoft that displays file system, registry, process and other activity on the system. It is invaluable for troubleshooting Windows problems as well as for malware forensics and analysis. The thoroughness of the tool is also a weakness: the amount of data captured by Process Monitor can easily overwhelm the analyst.

Filters for sifting through Process Monitor data. Finding meaningful events in Process Monitor's voluminous log is simpler with the tool's filtering capabilities, which let the analyst define conditions that determine whether a record is shown or hidden. You can define filters by pressing Ctrl+L in Process Monitor or through the Filter > Filter... menu option. The tool comes with several predefined filters that eliminate a small set of common Windows events, but even with the default filters there is usually too much noise in Process Monitor's log.
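The same column/relation/value/action rules can be applied offline to a saved capture, which is handy when a trace has to be re-examined with a different filter set or shared with someone who does not have the PML file. The script below is an added example for this page, not code from the article or from Sysinternals. It reads a Process Monitor CSV export (the default export columns are assumed), and the rows in it are constructed. The evaluation order it implements is an assumption about how Procmon combines its rules: an Exclude match always hides the row, Include rules on the same column are OR'd, and Include rules on different columns are AND'd.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save, CSV).
# The column set matches Procmon's default export; the rows are made up
# for this example and are not from the original article.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1001","Explorer.EXE","1324","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.2002","invoice.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2003","invoice.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.3004","invoice.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 86, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:01:02.4005","invoice.exe","4120","TCP Connect","lab-pc:49212 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:02.5006","Procmon.exe","2200","WriteFile","C:\\Users\\lab\\Desktop\\Logfile.PML","SUCCESS","Offset: 1,048,576, Length: 65,536"
"10:01:02.6007","svchost.exe","880","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DhcpNameServer","SUCCESS","Type: REG_SZ, Length: 24, Data: 192.168.1.1"
"""


def _matches(relation, field, value):
    # Procmon compares case-insensitively; do the same here.
    f, v = field.lower(), value.lower()
    if relation == "is":
        return f == v
    if relation == "contains":
        return v in f
    if relation == "begins with":
        return f.startswith(v)
    if relation == "ends with":
        return f.endswith(v)
    if relation == "excludes":
        return v not in f
    raise ValueError("unsupported relation: " + relation)


def apply_filters(rows, rules):
    """Return the rows that survive a Procmon-style filter list.

    rules: list of (column, relation, value, action) with action
    "Include" or "Exclude". Assumed semantics: an Exclude match always
    hides the row; Include rules on one column are OR'd; Include rules
    on different columns are AND'd.
    """
    excludes = [r for r in rules if r[3] == "Exclude"]
    includes = {}
    for col, rel, val, action in rules:
        if action == "Include":
            includes.setdefault(col, []).append((rel, val))
    kept = []
    for row in rows:
        if any(_matches(rel, row[col], val) for col, rel, val, _ in excludes):
            continue
        if all(any(_matches(rel, row[col], val) for rel, val in conds)
               for col, conds in includes.items()):
            kept.append(row)
    return kept


def load_procmon_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


# Like Procmon's own defaults, the first two rules drop the tool's activity
# and the System process; the rest narrow the view to the operations that
# matter most when triaging a suspicious binary.
MALWARE_TRIAGE_RULES = [
    ("Process Name", "is", "Procmon.exe", "Exclude"),
    ("Process Name", "is", "System", "Exclude"),
    ("Operation", "is", "WriteFile", "Include"),
    ("Operation", "is", "RegSetValue", "Include"),
    ("Operation", "begins with", "TCP", "Include"),
    ("Operation", "begins with", "Process", "Include"),
]

# A tighter hunt for persistence: any value written under a Run key.
RUN_KEY_RULES = [
    ("Operation", "is", "RegSetValue", "Include"),
    ("Path", "contains", "\\CurrentVersion\\Run\\", "Include"),
]


def triage(text, rules):
    """Filter a CSV export and return (process, operation, path) tuples."""
    rows = apply_filters(load_procmon_csv(text), rules)
    return [(r["Process Name"], r["Operation"], r["Path"]) for r in rows]


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV, MALWARE_TRIAGE_RULES):
        print(hit)
```

Run on the sample, the triage rules reduce seven events to the three that describe the dropped copy, the Run-key entry and the outbound connection; the Run-key rules isolate the single RegSetValue that establishes persistence.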

The post goes on to cover saving and organizing custom filters.

The Autopsy Forensic Browser v3.0.0 released
The Autopsy Forensic Browser is a graphical interface to The Sleuth Kit. Together they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Version 3.0 of Autopsy is a complete rewrite, and this page describes its features. Autopsy 3 was designed as a graphical platform for open source digital forensics tools. It is written in Java on the NetBeans Platform.

This approach lets Autopsy run on multiple platforms (Windows, OS X, Linux, etc.) and provides a modular framework that makes it easy to incorporate other open source forensics tools and build an end-to-end solution. Autopsy 3.0 is faster and easier to use than Autopsy 2.0.

New features:
- Uses Sleuth Kit 4.0.0
- Integrated plugin installer
- New options menu to globally access module options
- Custom ingest module loader and ingest module auto-discovery

Improvements:
- Updated ingest framework APIs
- Merged the main modules into Autopsy-Core and Autopsy-CoreLibs
- Build system improvements

Creating a VM from E01 Images
My first post described how to build a VMware VM from a single dd image. A few folks "just asked Weg" to demonstrate how to do that from E01 images. Note that it doesn't matter whether we start with a single or a segmented E01 image (or a single or split dd image). Why? Because we're going to build the VM from a physical disk, which is really a virtual disk mounted from the image. I'll mention again a tool named Virtual Forensic Computing (VFC), which can automatically build a VM from either a dd or an E01 image.

In case some of you don't mount images very often, the original post includes a video of the process (Mount E01). We're going to do things in somewhat the reverse order from building a VM from a dd image. First, note that VMware must be opened after you mount your image. VMware does not inherently allow snapshots of physical disks.

Released New Tool – Router Password Kracker

NSRL Downloads
In September 2013, several entries in RDS 2.41 were found to have incorrect hash values associated with their descriptive metadata; these lines have been corrected in RDS 2.42. The following entry in RDS 2.41 was found to have its file size incorrectly calculated and has been corrected in RDS 2.42:

"EF9D0AA866E736343C8E6978A4D7C3C40DC0CCEA","E24F3C4D34B73E86EFDD8B4DF2F5CB89","B2C91839","data2.cab",2105535626,8929,"XP SP2",""

Pending review, all entries in RDS 2.41 associated with product code 12798 have been removed:

12798,"Oracle eMail Server","5.2","1","696","English","E-mail"

RDS 2.43, January 2014: the full RDS release has become too large for distribution on four CD-ROMs.
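The two records above show the layout of the RDS text files: NSRLFile.txt rows are SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode, and NSRLProd.txt rows are ProductCode, ProductName, ProductVersion, OpSystemCode, MfgCode, Language, ApplicationType. The parser below is an added example for this page, not NIST's code; it reuses those two records and adds constructed rows (the product name for code 8929 and the extra files are made up). It also shows two things the release notes imply a practitioner should care about: dropping a withdrawn product code when loading, and treating a hash hit whose recorded size disagrees with the file on disk as something to look at rather than silently filter out.

```python
import csv
import io

# Constructed excerpts in the layout of the NSRL RDS text files. The two
# records quoted in the download notes are reused; every other line is
# made up for this example and is not a real RDS entry.
NSRLFILE_TXT = '''\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"EF9D0AA866E736343C8E6978A4D7C3C40DC0CCEA","E24F3C4D34B73E86EFDD8B4DF2F5CB89","B2C91839","data2.cab",2105535626,8929,"XP SP2",""
"0000000000000000000000000000000000000001","00000000000000000000000000000001","00000001","setup.exe",1024,8929,"XP SP2",""
"0000000000000000000000000000000000000002","00000000000000000000000000000002","00000002","mailsrv.dll",2048,12798,"1",""
'''

NSRLPROD_TXT = '''\
"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"
8929,"Example Product","1.0","XP SP2","1","English","Utility"
12798,"Oracle eMail Server","5.2","1","696","English","E-mail"
'''


def load_products(text):
    """Map ProductCode -> product record from NSRLProd.txt."""
    return {int(r["ProductCode"]): r for r in csv.DictReader(io.StringIO(text))}


def load_rds(text, withdrawn_products=()):
    """Index NSRLFile.txt by SHA-1 and by MD5 (both upper-cased).

    Records belonging to a withdrawn product code are skipped, mirroring
    the removal of product 12798 described in the release notes.
    """
    by_sha1, by_md5 = {}, {}
    for r in csv.DictReader(io.StringIO(text)):
        if int(r["ProductCode"]) in withdrawn_products:
            continue
        r["FileSize"] = int(r["FileSize"])
        by_sha1.setdefault(r["SHA-1"].upper(), []).append(r)
        by_md5.setdefault(r["MD5"].upper(), []).append(r)
    return by_sha1, by_md5


def classify(files, by_sha1, by_md5):
    """Hash-filter a list of (path, sha1, md5, size) tuples.

    Returns {path: status} where status is "known" (hash in RDS with a
    matching size), "size mismatch" (hash in RDS but the recorded size
    differs, the inconsistency the RDS 2.42 correction fixed), or
    "unknown". A size mismatch deserves a second look, not filtering.
    """
    result = {}
    for path, sha1, md5, size in files:
        hits = by_sha1.get(sha1.upper()) or by_md5.get(md5.upper()) or []
        if not hits:
            result[path] = "unknown"
        elif any(h["FileSize"] == size for h in hits):
            result[path] = "known"
        else:
            result[path] = "size mismatch"
    return result


def describe(record, products):
    """Human-readable provenance for one RDS record."""
    p = products.get(int(record["ProductCode"]))
    name = p["ProductName"] + " " + p["ProductVersion"] if p else "unlisted product"
    return "%s (%s, %s)" % (record["FileName"], name, record["OpSystemCode"])


if __name__ == "__main__":
    products = load_products(NSRLPROD_TXT)
    by_sha1, by_md5 = load_rds(NSRLFILE_TXT, withdrawn_products={12798})
    for sha1, recs in by_sha1.items():
        print(sha1, describe(recs[0], products))
```

For the real data set the dictionaries above would not fit comfortably in memory; the same logic works against a sorted hash list or a database, and the checks (withdrawn products, size agreement) stay the same.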

For users interested in processing a unified RDS set, a directory called RDS_Unified can be found on the DVD. The download page offers: a Combo DVD (a single 5.8 GB ISO containing all data), DVD signatures (SHA-1, MD5 and file size of the DVD image), a content description (list of the DVD contents), a product listing (3 MB text file), and EnCase and Hashkeeper formats.

Understand iOS backups; Decrypt iPhone backup with known password « SECURITYLEARN
iPhone forensics can be performed on the backups made by iTunes or directly on the live device. The previous article on iPhone forensics detailed the forensic techniques and the technical challenges involved in performing live device forensics.
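Before digging into the backup's contents it helps to know how iTunes names the files it copies: each device file is stored under the SHA-1 of "<Domain>-<path relative to that domain>", so the interesting databases can be located without walking the whole directory. This is an added example written for this page, not code from the SECURITYLEARN article; the naming rule is documented iTunes behaviour for backups of the era discussed (iOS 10 and later add a two-character subdirectory, which this code does not handle), and the artefact list is my own selection.

```python
import hashlib
import os

# In an iTunes backup of this era, every file taken from the device is
# stored flat in the backup directory under the SHA-1 of
# "<Domain>-<relative path>". This is the documented iTunes layout, not
# something taken from the article above. iOS 10+ backups add a
# subdirectory named after the first two hex characters (not handled here).


def backup_file_name(domain, relative_path):
    """Return the name iTunes gives to a device file inside the backup."""
    key = "%s-%s" % (domain, relative_path)
    return hashlib.sha1(key.encode("utf-8")).hexdigest()


# A small selection of artefacts and where they live on the device
# (domain, path). Labels are my own.
ARTEFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "addressbook": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "callhistory": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}


def locate_artefacts(backup_dir, artefacts=ARTEFACTS):
    """Map artefact label -> (expected backup path, present on disk?)."""
    found = {}
    for label, (domain, path) in artefacts.items():
        full = os.path.join(backup_dir, backup_file_name(domain, path))
        found[label] = (full, os.path.isfile(full))
    return found


def reverse_lookup(names, candidates=ARTEFACTS):
    """Given file names seen in a backup directory, label the ones we know."""
    table = {backup_file_name(d, p): label for label, (d, p) in candidates.items()}
    return {n: table[n] for n in names if n in table}


if __name__ == "__main__":
    for label, (domain, path) in ARTEFACTS.items():
        print(backup_file_name(domain, path), label, domain + "-" + path)
```

The Manifest.mbdb (or, later, Manifest.db) in the backup holds the authoritative domain/path mapping for every file; computing the hash is a quick way to go straight to a known artefact, and the reverse lookup is useful when all you have is a directory of opaque names.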

Forensic analysis on a live device reboots the phone and may alter the information stored on it. In critical cases, forensic examiners therefore rely on analyzing the logical iPhone backups acquired through iTunes. iTunes uses the AFC (Apple File Conduit) protocol to take the backup, and the backup process does not modify anything on the iPhone except the escrow key records. This article explains the technical procedure and the challenges involved in extracting data and artefacts from iPhone backups. Understanding the forensic techniques for iTunes backups is also useful when we get physical access to the suspect's computer rather than to the iPhone itself. Note: an iPhone 4 GSM model with iOS 5.0.1 is used for the demos.

iCloud Backup

Volatility: Advanced Memory Forensics

The OpenIOC Framework

Nsrlquery

_V4_1_Lessard_Kessler

Lime-forensics - LiME - Linux Memory Extractor

Jumplistforensics

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser

Examining the capabilities of malicious software lets your IT team better assess the nature of a security incident and may help prevent further infections. Here's how to set up a controlled malware analysis lab for free. A large number of computer intrusions involve some form of malicious software (malware) that finds its way onto the victim's workstation or onto a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system?

How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment. A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today's security incidents. The steps include allocating physical or virtual systems for the analysis lab (step 1) and installing behavioral analysis tools (step 3).

How to detect reverse_https backdoors
Saturday, 09 July 2011 17:42:00 (UTC/GMT)
According to Mandiant, 83% of all backdoors used by APT attackers are outgoing sessions to TCP port 80 or 443. The reason APT and other attackers use these two ports is primarily that most organizations allow outgoing connections on TCP 80 and 443. Many organizations try to counter this with web proxies, which can inspect HTTP traffic and block malicious behavior.

But TCP 443 cannot be inspected in this way, since SSL relies on end-to-end encryption. By end-to-end encryption I mean that the session must be encrypted all the way from the server to the client, without any SSL proxies or MITM devices that break the encryption between them. Inserting an SSL proxy would typically result in a certificate error in the client's web browser (unless the proxy's CA certificate has been deployed to the clients, which is what inspection products rely on). TCP 443 is therefore left untouched on most organizations' Internet connections.

#Tools - #Forensic email data analysis tool

DIGITS Forensics Software
DIGITS LLC was founded in 2006 to fill the need in the legal and corporate communities for highly skilled digital forensics, proactive cyber security services, corporate computer investigations, cyber security incident response and advisory services, eDiscovery and litigation support services, and general digital forensic consulting.

DIGITS LLC's officers have over 115 years of combined federal and state law enforcement experience and decades of experience as leaders in digital forensics and advanced technology investigations. Headquartered in Buffalo, New York, our core business is designed to help our clients take full advantage of today's information technologies while guarding against the ever-changing threats those very technologies pose. DIGITS LLC's Accident Reconstruction Unit is your go-to provider when your clients are involved in an accident, whether a pedestrian or vehicular collision.

Data Recovery

Forensic Linux Live CD issues

DarunGrim: A Patch Analysis and Binary Diffing Tool

Detecting_Data_Theft_Using_Stochastic_Forensics.pdf

OS X Lion Artifacts | Forensic Artifacts

SQL Server Forensic Analysis - Playing CSI with databases
You get a call from a colleague who thinks that his financial information system has been hacked. Of course this system uses a SQL Server database back-end.

In this session we'll uncover the basics of digital forensics: how to find out whether the system has been accessed by an intruder, what data was accessed, and whether anything was modified. We'll learn how to find evidence of what happened and how to create a report that can be served as evidence in a court of law. This is a recording of an event organized on February 28, 2011 by the Belgian SQLUG. Speaker: Tom Van Zele is a seasoned IT professional with more than 10 years of experience, first in large-scale Active Directory implementations, later moving on to SQL Server.

WireShnork - A Snort plugin for Wireshark | The Honeynet Project

Malware sites already capitalizing on announcement of Osama Bin Laden's death

VM Detection by In-The-Wild Malware