
Windows


Firefox Cache Format and Extraction « Forensic Focus – Articles. Introduction In the forensic lab where I work, we frequently investigate malware-infected workstations. As our user population started shifting from Internet Explorer to Firefox, we observed that one of our favorite forensic tools, Kristinn Gudjonsson’s log2timeline, wasn’t able to provide as much data for Firefox as it was for IE. The missing component was cache data; log2timeline was capable of parsing IE cache but not Firefox. In order to fix this deficit and contribute to log2timeline, I decided to write a log2timeline module for the Firefox cache. During the course of writing that module (ff_cache.pm – available in log2timeline 0.62), I researched how the Firefox cache works, wrote a tool to extract data from it (ff_cache_find), and learned traits of Firefox that have implications for forensic acquisition and analysis.

This paper describes the format and functionality of the Firefox cache in order to help forensic investigators understand how to make the most of Firefox evidence.

How to: Mount A USB Drive Read Only In Windows XP/Vista/7 | Motersho. There are times when it would be nice to mount a drive in Windows as read-only, to avoid accidentally overwriting data on that drive. After some Google searching, this is what I found. This will only work on Windows XP SP2 and later and Windows 7. I have not tested it on Vista although I assume that it will work.

Step 1: Open regedit.exe (Start > Run, type regedit.exe, click OK).
Step 2: Navigate to the following registry key, creating it if it is not present (it does not exist by default): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Step 3: Create a new DWORD value named WriteProtect and set it to 1.
Step 4: Now plug in your USB drive; you will not be able to write to the device.

Note that this is a software write block applied by Windows to USB mass-storage devices; for evidence acquisition it does not replace a hardware write blocker.

To make the drive writable again, change the WriteProtect DWORD to 0, then unplug and reconnect the device. A device that was already attached when the value changed keeps its previous state until it is reconnected.

Windows Forensic Analysis Toolkit, Third Edition: Advanced Analysis Techniques for Windows 7 (9781597497275): Harlan Carvey.

Esearchy - my new favorite OSINT script | Security Aegis.

Last 25 papers added to the Reading Room. ICS security: SANS needs your input on attacks and threats and how you're preventing and mitigating them in industrial control system environments. Share your experiences and enter to win a $400 Amazon gift card! More than 75,000 unique visitors read papers in the Reading Room every month, and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,650 original computer security white papers in 102 different categories.

Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation. STI Graduate Student Research by Jeremiah Hainly - March 15, 2017, in Automation, Incident Handling, Free and Open Source Software. Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). All papers are copyrighted.

Jessekornblum: Updating findaes. I have updated my findaes utility. This program searches for 128-, 192-, and 256-bit AES keys in input files. It was intended to search memory images for the keys used by programs like BitLocker and TrueCrypt, but can be used on any kind of data. The new version is much faster! For each key schedule found, the program displays the offset and the key itself, like this:

C:\> findaes file.vmem
Searching file.vmem
Found AES-128 key schedule at offset 0x23f20cc:
6f 98 76 7f 65 b0 6e a6 6d 6f 65 48 60 6f ad be
Found AES-128 key schedule at offset 0x23f2354:
93 8e 8b d3 9b 14 d6 a3 4d 30 83 fb 11 96 74 ee
Found AES-256 key schedule at offset 0x3fc93008:
c9 4d a2 7b e9 a0 76 18 67 18 a3 26 e4 33 08 1c 7f ed b0 b2 9c 9f 31 5c 51 03 bb 52 b8 01 2d 4e
Found AES-256 key schedule at offset 0x3fc944d4:
ea ef 70 ee 22 c4 a1 3a 21 cb 5e 53 ea 2e 98 c8 a6 21 ef 9e d6 d7 92 fb f9 70 b2 cc 94 64 f7 2e

It takes some work to use these keys to decrypt a protected volume.
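How that search works, as an added example written for this page in Python (it is not findaes itself and not Jesse Kornblum's code): an AES key schedule is recognizable in memory because every word after the first Nk is a fixed function of the word before it and the word Nk positions back (FIPS-197 section 5.2). Treating each offset as a candidate 16-, 24- or 32-byte key, expanding it and comparing the expansion with the bytes that follow finds schedules without knowing the key in advance, and a match 176 to 240 bytes long cannot be coincidence. A cheap test on the first derived word rejects almost every offset before a full expansion is done, which is the same kind of shortcut that makes findaes fast. The sample image, the embedded keys (the FIPS-197 Appendix A example keys) and their offsets are constructed for the example.

```python
"""Scan a memory image for expanded AES key schedules (the technique behind findaes)."""


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Compute the AES S-box (multiplicative inverse + affine map) instead of transcribing it."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gmul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in inv]


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _sub_word(w: bytes) -> bytes:
    return bytes(SBOX[b] for b in w)


def _next_word(prev: bytes, back: bytes, i: int, nk: int) -> bytes:
    """Compute w[i] from w[i-1] (prev) and w[i-nk] (back), FIPS-197 section 5.2."""
    t = prev
    if i % nk == 0:
        t = _sub_word(t[1:] + t[:1])                      # RotWord, then SubWord
        t = bytes([t[0] ^ RCON[i // nk - 1]]) + t[1:]     # xor Rcon into the first byte
    elif nk > 6 and i % nk == 4:
        t = _sub_word(t)                                  # extra SubWord for AES-256
    return bytes(a ^ b for a, b in zip(back, t))


def expand_key(key: bytes) -> bytes:
    """Return the full key schedule (176/208/240 bytes) for a 16/24/32-byte key."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    words = [key[4 * i:4 * i + 4] for i in range(nk)]
    total = 4 * (nk + 7)                                  # 4 * (Nr + 1) words, Nr = nk + 6
    for i in range(nk, total):
        words.append(_next_word(words[i - 1], words[i - nk], i, nk))
    return b"".join(words)


def find_aes_keys(image: bytes) -> list:
    """Return (offset, key) for every AES key schedule found in image, lowest offset first."""
    found = []
    for off in range(len(image)):
        for ks in (16, 24, 32):
            nk = ks // 4
            sched_len = 16 * (nk + 7)
            if off + sched_len > len(image):
                continue
            key = image[off:off + ks]
            # Quick reject: does the word right after the candidate key equal w[nk]?
            if image[off + ks:off + ks + 4] != _next_word(key[ks - 4:], key[:4], nk, nk):
                continue
            if image[off:off + sched_len] == expand_key(key):
                found.append((off, key))
    return found


# Constructed sample "memory image": deterministic filler with two schedules planted in it.
# The keys are the FIPS-197 Appendix A example keys, not keys recovered from a real image.
FIPS_KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS_KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                             "1f352c073b6108d72d9810a30914dff4")


def sample_image() -> bytes:
    img = bytearray((i * 37 + 11) & 0xFF for i in range(4096))
    img[0x100:0x100 + 176] = expand_key(FIPS_KEY_128)
    img[0x800:0x800 + 240] = expand_key(FIPS_KEY_256)
    return bytes(img)


if __name__ == "__main__":
    for off, key in find_aes_keys(sample_image()):
        print(f"Found AES-{len(key) * 8} key schedule at offset 0x{off:x}: {key.hex(' ')}")
```

The comparison assumes the schedule is laid out byte for byte as FIPS-197 writes it, which is how most implementations store an expanded key; an implementation that keeps round-key words as native little-endian 32-bit integers would need each 4-byte word byte-swapped before comparison. Finding the key is the easy part: as the post says, using it to decrypt a BitLocker or TrueCrypt volume still takes work, because you still have to determine which key you have found and how the volume format uses it.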

Protecting Privileged Domain Accounts: Safeguarding Password Hashes. Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so I set off on a journey to research attacks against domain credentials, and in particular, their implication for incident responders. I've presented on this topic a few times and now I will (finally) take the time to document my findings. This is the first article in what will be a multi-part series on this research.

I find this to be a fascinating topic and one which should be of interest to the entire IR community. That said, be forewarned that these articles will not be quick reads. So here we go! The Scenario: in order to assess and triage this potentially compromised machine, we need the ability to do several tasks. The article continues under The Requirements, Password Hashes and Test Setup.

Building the next generation file system for Windows: ReFS - Building Windows 8. We wanted to continue our dialog about data storage by talking about the next generation file system being introduced in Windows 8. Today, NTFS is the most widely used, advanced, and feature-rich file system in broad use. But when you're reimagining Windows, as we are for Windows 8, we don't rest on past successes, and so with Windows 8 we are also introducing a newly engineered file system. ReFS (which stands for Resilient File System) is built on the foundations of NTFS, so it maintains crucial compatibility while at the same time it has been architected and engineered for a new generation of storage technologies and scenarios.

In Windows 8, ReFS will be introduced only as part of Windows Server 8, which is the same approach we have used for each and every file system introduction. Of course, at the application level, ReFS-stored data will be accessible from clients just as NTFS data would be. In this blog post I'd like to talk about a new file system for Windows.

File structures.

Computer Forensics How-To: Microsoft Log Parser. As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love Microsoft Log Parser. Log Parser is often misunderstood and underestimated. It could possibly be the best forensic analysis tool ever devised.

Figure 1: Architecture Diagram from Log Parser Documentation

In my mind, two things have limited the use of Log Parser in the forensics community: the command-line requirement and the fear of SQL queries.

Log Parser GUI. Log Parser's command line isn't particularly onerous, but when staring at logs all day, I'm not afraid to admit that I prefer a GUI.

Figure 2: Saved Queries Organized by Log Parser Lizard

SQL Query Basics. The Internet is rife with excellent examples of Log Parser queries.

Figure 3: Log Parser Output Showing File Extension Counts from IIS
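As an added example (not from the article, and not Log Parser itself), the Python below does what the file-extension count in Figure 3 does, then the step a responder takes next: pulling every request for an extension the site has no business serving. The log excerpt is constructed for the example; its layout follows the IIS W3C extended format, where the #Fields directive names the columns and spaces inside values are replaced by '+', so a plain split on spaces is exact. The Log Parser query quoted in the comment is the conventional form of this grouping, written here from memory rather than copied from the article.

```python
"""File-extension counts from IIS W3C logs, and the drill-down that follows."""
from collections import Counter
import posixpath

# Constructed IIS 7.5 W3C extended log excerpt (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-07-21 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-07-21 00:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2011-07-21 00:00:02 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 3
2011-07-21 00:00:03 10.0.0.5 GET /scripts/site.js - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 2
2011-07-21 00:01:10 10.0.0.5 POST /uploads/cmd.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0 120
2011-07-21 00:01:11 10.0.0.5 GET /uploads/cmd.asp cmd=whoami 80 - 198.51.100.7 Mozilla/4.0 200 0 0 45
2011-07-21 00:02:00 10.0.0.5 GET /default.aspx - 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 12
2011-07-21 00:02:05 10.0.0.5 GET / - 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 9
"""


def parse_w3c(text: str):
    """Yield one dict per request. The #Fields directive names the columns and may
    appear again mid-file (IIS re-emits it when the log rolls or fields change)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue                       # #Software, #Version, #Date
        if fields is None:
            raise ValueError("data row before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or malformed row: skip, don't guess
        yield dict(zip(fields, values))


def _ext(uri_stem: str) -> str:
    return posixpath.splitext(uri_stem)[1].lstrip(".").lower() or "(none)"


def extension_counts(text: str) -> Counter:
    """Same grouping as the Log Parser query
    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS Ext, COUNT(*) AS Hits
    FROM ex*.log GROUP BY Ext ORDER BY Hits DESC   (run with -i:IISW3C)."""
    counts = Counter()
    for row in parse_w3c(text):
        counts[_ext(row["cs-uri-stem"])] += 1
    return counts


def unexpected_extensions(counts: Counter, expected: set) -> dict:
    """The hunting step: extensions served that the site is not supposed to have."""
    return {ext: n for ext, n in counts.items() if ext not in expected}


def requests_for_extension(text: str, ext: str) -> list:
    """Drill down on one extension: (time, client, method, uri-stem, query, status)."""
    return [(r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"])
            for r in parse_w3c(text) if _ext(r["cs-uri-stem"]) == ext]


if __name__ == "__main__":
    counts = extension_counts(SAMPLE_LOG)
    for ext, n in counts.most_common():      # the Figure 3 style table
        print(f"{ext:<8}{n}")
    for ext in unexpected_extensions(counts, {"aspx", "png", "js", "css", "(none)"}):
        for hit in requests_for_extension(SAMPLE_LOG, ext):
            print("unexpected:", *hit)
```

The allow-list of expected extensions is the part only the site owner can supply; on an ASP.NET-only site a classic .asp file receiving a POST and then a GET with a command in the query string, as in the constructed rows, is exactly the kind of outlier the count surfaces before anyone reads a single raw log line.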

36526 - Match a user profile to folders in HKEY_USERS. Summary: Instructions provided describe how to identify which key (shown as a folder in Registry Editor) under HKEY_USERS is associated with each user profile on the computer. The Security Identifier (SID) is a unique alphanumeric string assigned to an account when it is created (by the domain controller for domain accounts, by the local machine for local accounts) and used by Windows to identify that user. This procedure enables administrators to make modifications to specific user profiles located in HKEY_USERS, mimicking those found in HKEY_CURRENT_USER when that user is logged in.

Procedure:
1. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
2. Select each subkey individually and look at its ProfileImagePath value to identify the user profile associated with that subkey. In this example the subkey name is S-1-5-21-2060139532-2050374463-2073913816-1157.
3. Expand HKEY_USERS\<subkey>. In this example, HKEY_USERS\S-1-5-21-2060139532-2050374463-2073913816-1157.

Two points worth knowing when doing this: ProfileList lists every profile on the machine, whereas HKEY_USERS shows only the hives currently loaded (logged-on users, .DEFAULT and the service accounts S-1-5-18, S-1-5-19 and S-1-5-20), so a profile without a matching HKEY_USERS key simply is not logged on. And the <SID>_Classes key that accompanies each logged-on user is that user's UsrClass.dat hive (HKEY_CURRENT_USER\Software\Classes), not a separate profile.
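The same matching, as an added example in Python that is not part of the Esri article: it works from a reg export of the ProfileList key, so it can be run offline against an export taken from a suspect machine, decodes the REG_EXPAND_SZ values that .reg files store as hex(2) UTF-16LE with backslash line wrapping, classifies each SID the way an examiner reads it (well-known service account, built-in Administrator or Guest by RID, or an ordinary account), and reports whether that user's hive is loaded under HKEY_USERS. The export text and the list of HKEY_USERS subkeys are constructed for the example; the account SID is the one from the article.

```python
"""Match HKEY_USERS subkeys to user profiles from a `reg export` of ProfileList."""
import re

# Constructed export (as `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"`
# would write it), not taken from any real system. ProfileImagePath is REG_EXPAND_SZ, which
# .reg files store as hex(2): UTF-16LE bytes, wrapped with a trailing backslash.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
  76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6f,00,\
  6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,70,00,72,00,6f,00,\
  66,00,69,00,6c,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2060139532-2050374463-2073913816-1157]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,6a,00,\
  64,00,6f,00,65,00,00,00
"""

# Constructed list of HKEY_USERS subkeys as seen on the live system (not a real capture).
SAMPLE_HKU = [".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
              "S-1-5-21-2060139532-2050374463-2073913816-1157",
              "S-1-5-21-2060139532-2050374463-2073913816-1157_Classes"]

WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}


def decode_reg_value(raw: str) -> str:
    """Decode a .reg value body: "string" (REG_SZ) or hex(2):.. (REG_EXPAND_SZ, UTF-16LE)."""
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    raise ValueError(f"unsupported value encoding: {raw[:12]}")


def parse_profile_list(export: str) -> dict:
    """Return {SID: ProfileImagePath} from a reg export of the ProfileList key."""
    text = re.sub(r",\\\r?\n\s*", ",", export)       # rejoin backslash-wrapped hex lines
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.match(r"\[.*\\ProfileList\\(S-1-[-0-9]+)\]$", line)
            current = m.group(1) if m else None       # None for the ProfileList root itself
        elif current and line.startswith('"ProfileImagePath"='):
            profiles[current] = decode_reg_value(line.split("=", 1)[1])
    return profiles


def describe_sid(sid: str) -> str:
    """Classify a SID: well-known service account, built-in account by RID, or ordinary account."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if len(parts) >= 8 and parts[2] == "5" and parts[3] == "21":   # S-1-5-21-<3 subauths>-RID
        rid = int(parts[-1])
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        return f"account RID {rid} in domain/machine {'-'.join(parts[:-1])}"
    return "other"


def profile_report(export: str, hku_subkeys: list) -> list:
    """One row per profile: (SID, folder, who it is, whether its hive is loaded in HKEY_USERS)."""
    profiles = parse_profile_list(export)
    loaded = {k for k in hku_subkeys if not k.endswith("_Classes")}
    return [(sid, path, describe_sid(sid), sid in loaded) for sid, path in sorted(profiles.items())]


if __name__ == "__main__":
    for sid, path, who, loaded in profile_report(SAMPLE_EXPORT, SAMPLE_HKU):
        print(f"{sid}\n  {path}\n  {who}; hive loaded: {loaded}")
```

Against a live machine the same two inputs come from `reg export` and `reg query HKU`; against a dead disk, load the SOFTWARE hive from \Windows\System32\config with `reg load` and export from there, and treat the HKEY_USERS side as empty, since nothing is logged on to an offline image.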

Related Information.

Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials. This week's edition of Case Leads features a couple of tools for Windows, including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from "the Cloud." We've also included a TED talk on the history of malware, and we have an article on the role of technology in the recent Casey Anthony trial. Apple released Lion along with a change to the license which now allows the new OS to be virtualized. As always, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: Matthieu Suiche has made DumpIt available as a free download. Matthieu describes DumpIt as a fusion of win32dd and win64dd in one executable that does not require the user to respond to any prompts.

Good Reads: Mikko Hypponen recently gave a TED talk about fighting viruses and defending the net.

Digital Forensics Case Leads for 20110721 was compiled by Ray Strubinger.

De-mystifying Defrag: Identifying When the Windows Defragmenter Has Been Used for Anti-Forensics (Part 2 - Vista). In Part 1 of this post, we explored defragmenter usage in Windows XP, specifically trying to gain more information about user activity when we see the following in the Prefetch directory:

Figure 1: Defrag entries shown from the C:\Windows\Prefetch directory

Vista made many file system changes, modifying some of the XP artifacts we relied upon in Part 1 and adding some artifacts that can greatly simplify our investigation.

Importantly, Vista ships with a default scheduled task for a full volume defragmentation every Wednesday at 1:00 AM. This is in addition to the limited defrags conducted by the Prefetch / SuperFetch components. Thus we should expect to see even more defragmenter activity on a Vista machine, and a defrag run that lines up with that schedule is not by itself evidence of user action. Taking this into consideration, we will perform the same analysis that we did for Windows XP.

We will focus on the two primary methods by which a user can invoke the Windows Defragmenter tool, examining the following artifacts: Prefetch Entries; UserAssist Registry Key; File Timestamps; Event / Scheduler Logs.

Prefetch Entries

USB

Little Black Book of Windows Forensic Secrets. This is a page where I post little one-off hints and tips for performing forensic analysis of Windows systems. Expect this page to change over time, as items are added, removed, or simply managed a bit better. The Task Scheduler log file (SchedLgu.txt) can be used not only to show which scheduled tasks have run, but also when the system itself was running.

F-Response: TSK's fls can be run over F-Response using the following command line (F: being the drive letter Windows assigned to the remote physical disk):

fls -f ntfs -m C:/ -p -r \\.\F:

RDP Notes: default.rdp; Change RDP port number.

Files:
Download Manager - %UserProfile%\Application Data\Download Manager\DownloadManagerList.dmc
HTML Help - %UserProfile%\Application Data\Microsoft\HTML Help\hh.dat
Media Player - %UserProfile%\Local Settings\Application Data\Microsoft\Media Player\LastPlayed.wpl (last file played; XML Windows Media Player playlist format)

Understanding and Working in Protected Mode Internet Explorer. Marc Silbey, Peter Brundrett, Microsoft Corporation. January 2006, last updated February 2011. Applies to: Windows Internet Explorer 7 in Windows Vista and later. Summary: In Windows Vista, Internet Explorer 7 runs in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code.

This topic introduces Protected Mode, describes the Windows Vista features used to implement it, shows how to develop extensions that work with it, and provides guidelines for developing more secure applications. Contents: Understanding Protected Mode; Introducing Protected Mode.

Understanding Protected Mode. Protected Mode is an important step forward in security for Internet Explorer (IE); it helps protect users from attack by running an IE process with greatly restricted privileges on Windows Vista. The restriction is on what the process may write: under Vista's Mandatory Integrity Control the IE process runs at Low integrity, so it can write only to Low-integrity locations such as its own temporary folders, while reading the user's files is not blocked, which is why Protected Mode limits the damage an exploit can do rather than preventing the exploit itself.

Introducing Protected Mode

Registry