
Forensics


Ubiquity Forensics - Your iCloud and You - SANS Institute. Wednesday, September 09 at 7:00 AM EDT (11:00:00 UTC). Speaker: Sarah Edwards. Overview: Ubiquity, or "Everything, Everywhere": Apple uses this term to describe iCloud-related items and their availability across all devices. iCloud enables us to have our data synced with every Mac, iPhone, iPad and PC, as well as accessible with your handy web browser. Much of this data gets cached on your devices; this presentation will explore the forensic artifacts related to that cached data. Speaker Bio: Sarah Edwards is an experienced digital forensic examiner who has worked with various federal law enforcement agencies.

TeamViewer 8 | Forensic Artifacts. Author Name: Matt Nelson. Submission Title: TeamViewer 8. Artifact or Program Version: 8.0.16447. Artifact Description: TeamViewer is a program that provides remote desktop software, remote control access, VPN capabilities, file transfers, etc. It can be installed, run temporarily, or used as a portable application. One interesting capability is that it can determine whether the remote and local hosts are on the same network; if so, it will conduct P2P activity and connect directly rather than use gateway servers. It is also proxy aware: you can configure it to connect through your network proxies or even a Tor proxy.

While there are important artifacts in the registry, there are a few important files that can help decipher details and events that occurred with the software. #1 file on the local host: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer8_Logfile.log (a wealth of knowledge in this file). Example entry: "CMD_MEETING_AUTHENTICATION From=155xxx982 To=312xxx388 L=53" (the "ID" to "ID" connecting information).

Live Linux forensics in a KVM based environment (part 1: memory). Most of this blog will be based on an image that I created that I will be walking through. You can obtain this image. You will need to image this to a USB drive, preferably an 8 GB drive like the one I used in the talk. To write the image you just need to issue: dd if=./4n6.img of=/dev/your_drive

Scenario: the network team has mentioned they are seeing abnormal traffic to 172.20.20.114; please check out srv03 at 192.168.122.226.
Host system: OS = Ubuntu 12.04 server, user = admin-user, pass = master
Compromised guest: OS = CentOS 6.4 64-bit, HDD config = 3-disk RAID5, LUKS encrypted, LUKS passphrase = mi4n6mi4n6, root pass = master
I will try and write this in a way that will parallel using the techniques on a live virtual instance.

Second, note that the domain that I will be using is srv03.

Memory. One important piece of the incident response puzzle is a memory dump. The quick and dirty: you can dump using "virsh dump svr03".

Decoding malware SSL using Burp proxy. When performing dynamic analysis of malware, you will occasionally encounter SSL being utilized for network communication, thus preventing you from analyzing the content. Typically Wireshark is utilized to examine network traffic at the packet level. Wireshark has an SSL dissector that allows for the decryption of SSL traffic if you provide the decryption keys. This technique is described in detail on the Wireshark wiki. However, I prefer to use an intercepting proxy to attempt the SSL analysis. My proxy of choice is Burp Suite, but you can utilize other proxies such as Paros, WebScarab, or Fiddler. I'll first provide an example where a particular malware specimen was utilizing SSL to communicate with Craigslist.

However, when using Burp as an intercepting proxy, you can easily see the SSL traffic and get a pretty good idea of what the malware is doing. The following images show the Raw, HTML, and rendered page views of the server response.

Windows Timestamp Tampering. By Glenn P. Edwards Jr. From time to time someone will bring up the topic of Windows timestamp manipulation, and if it's not related to a piece of malware then it's generally about Timestomp or touch. These discussions usually contain the same repetitive information, most notably to check the timestamp values of the file (in NTFS everything, including directories, is considered a file) in the $MFT and see if anything stands out. This is usually done by looking at the $STANDARD_INFORMATION and $FILE_NAME attributes for each file. In regards to the $FN attribute, Brian Carrier states that "Windows does not typically update this set of temporal values like it does with those in the $STANDARD_INFORMATION attribute, and they frequently correspond to when the file was created, moved, or renamed" (page 318).

There have been previous write-ups regarding timestamp manipulation, and Rob Lee has also created some great charts outlining rules for timestamp changes. MACE timestamps explained:

Process Monitor Filters for Malware Analysis and Forensics. Process Monitor is a free tool from Microsoft that displays file system, registry, process, and other activities on the system. It's an invaluable tool for troubleshooting Windows problems as well as for malware forensics and analysis tasks. The thoroughness of the tool is also a weakness, as the amount of data captured by Process Monitor can easily overwhelm the analyst. Filters for Sifting Through Process Monitor Data: finding meaningful events in Process Monitor's voluminous log file is simpler using the tool's filtering capabilities, which allow the analyst to define conditions for determining whether records should be shown or hidden.

You can define the filters by pressing Ctrl+L in Process Monitor or through the Filter > Filter… menu option. As you can see, the tool comes with several pre-defined filters to eliminate a small set of common Windows events. Even with the default filters, there is usually too much noise in Process Monitor's log file. Saving and Organizing Custom Filters.

The Autopsy Forensic Browser v3.0.0 released. The Autopsy Forensic Browser is a graphical interface to The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Version 3.0 of Autopsy is a complete rewrite, and this page describes its features. Autopsy 3 has been designed to be a graphical platform for open source digital forensics tools. It was written in Java using the NetBeans Platform.

This approach allows Autopsy to run on multiple platforms (Windows, OS X, Linux, etc.) and have a modular framework that makes it easy to incorporate other open source forensics tools and create an end-to-end solution. Autopsy 3.0 is faster and easier to use than Autopsy 2.0.
New features:
- Using Sleuthkit 4.0.0
- Integrated plugin installer.
- New options menu to globally access module options.
- Added custom ingest module loader and ingest module auto-discovery.
Improvements:
- Updated ingest framework APIs.
- Merged the main modules into Autopsy-Core and Autopsy-CoreLibs.
- Build system improvements.

Creating a VM from E01 Images. My first post described how to build a VMware VM from a single dd image. A few folks "just asked Weg" to demonstrate how to do that from E01 images. Note that it doesn't matter whether we start with a single or segmented E01 image (or whether we use a single or split dd image).

Why? Because we're going to build a VM from a physical disk, which really is a virtual disk that was mounted from an image. I'll mention again a tool named Virtual Forensic Computing (VFC), which can automatically build a VM from either a dd or E01 image. In case some of you don't mount images very often, I'll provide a video on the process. Video: Mount E01.

We're going to do things in somewhat of a reverse order from where we built a VM from a dd image. First, note that VMware must be opened after you mount your image. VMware does not allow snapshots of physical disks inherently.

Released New Tool – Router Password Kracker.

NSRL Downloads. In September 2013 the following entries in RDS 2.41 were found to have incorrect hash values associated with their descriptive metadata. These lines have been corrected in RDS 2.42. The following entry in RDS 2.41 was found to have its file size incorrectly calculated and has been corrected in RDS 2.42:
"EF9D0AA866E736343C8E6978A4D7C3C40DC0CCEA","E24F3C4D34B73E86EFDD8B4DF2F5CB89","B2C91839","data2.cab",2105535626,8929,"XP SP2",""
Pending review, all entries in RDS 2.41 associated with the prodcode 12798 have been removed:
12798,"Oracle eMail Server","5.2","1","696","English","E-mail"
RDS 2.43, January 2014. The full RDS release has become too large for distribution on four CDROMs.

For users interested in processing a unified RDS set, a directory called RDS_Unified can be found on this DVD.
Combo DVD - A single 5.8 GB ISO containing all data
DVD signatures - SHA1, MD5, and filesize of the DVD image
Content Description - List of the DVD contents
Product listing - 3MB text file
Encase, Hashkeeper

Understand iOS backups; Decrypt iPhone backup with known password « SECURITYLEARN.

iPhone forensics can be performed on the backups made by iTunes or directly on the live device. The previous article on iPhone forensics detailed the forensic techniques and the technical challenges involved in performing live device forensics. Forensic analysis on a live device reboots the phone and may alter the information stored on the device. In critical cases, forensic examiners rely on analyzing the iPhone logical backups acquired through iTunes. iTunes uses the AFC (Apple File Connection) protocol to take the backup, and the backup process does not modify anything on the iPhone except the escrow key records.

This article explains the technical procedure and challenges involved in extracting data and artefacts from iPhone backups. Understanding the forensic techniques on iTunes backups is also useful in cases where we get physical access to the suspect's computer instead of the iPhone directly. Note: an iPhone 4 GSM model with iOS 5.0.1 is used for the demos. iCloud Backup:

Volatility: Advanced Memory Forensics.

The OpenIOC Framework.

Malware sites already capitalizing on announcement of Osama Bin Laden's Death. Update (025/02/11 9:40am EST): A before/after comparison of the photoshopped image used in the malicious post can be found here.

Within hours of the announcement of Osama Bin Laden's death, we are already seeing malicious sites emerge to capitalize on the news. One Spanish-language site displays a purported photo of a murdered Osama Bin Laden and includes a story about the US-led operation. Farther down the page, the reader is presented with a Flash Player window with a message indicating that the user must first update a VLC plugin (VLC being a popular media player) in order to view the video. When the user clicks on the link, they will download a file titled XvidSetup.exe. Sadly, there will be no shortage of scams taking advantage of this historic global news. - michael

VM Detection by In-The-Wild Malware.

A large number of security researchers use virtual machines when analyzing malware and/or setting up both active and passive honeynets. There are numerous reasons for this, including scalability, manageability, configuration and state snapshots, the ability to run diverse operating systems, etc. Malware that attempts to detect whether it's running in a virtual machine (and then changes its behavior accordingly to prevent analysis by security people) is not a subject of academic fancy. A recent search of VirusTotal showed they receive 1,000 unique samples a week with VM detection capabilities. (This search was performed by searching for known function import names from non-standard DLLs.) Personally, my first encounter with malware that behaved completely differently inside a virtual machine (from a real host) was approximately eight years ago.

VM detection does not apply just to the realm of APT-level malware.
(3) Examples where simple code samples could not be produced will not be considered here.