Friday, October 23, 2009

Although I quite like this blogging lark, you will notice from the total lack of activity in recent months that I’m not very good at it. The fact of the matter is that I’ve been extremely busy, which I guess in the current climate I should be thankful for. Computer forensics is a good career choice in a recession as, simply put, there are always bad people. In fact there is some evidence that white collar crime (and today that almost always involves computers) is on the rise as people worry about jobs, mortgages etc., and when an opportunity to pilfer away a quick buck is found, many will succumb.

I’m writing this on a train to the Midlands where I’m helping a bank improve its analysis of malware written specifically to target its customers. This too is on the rise, with phishing attacks commonplace. The problem with malware written specifically for a task is that the AV products often don’t have a signature for it and hence it remains fairly invisible even to the ‘heuristic’ scanners. To counter this it seems that the AV companies are lowering the bar: almost every time I write a script or compile a new piece of code, Kaspersky, AVG or McAfee screams that it’s a rootkit, a Trojan or something equally nasty.

If you download virtually any of the fabulously useful tools from Nirsoft (www.nirsoft.com), such as their password recovery, USB key parser or Wifi tools, then, wham, ‘It’s a virus!!’. No it’s not. The Cain and Abel password recovery tool recently started triggering an alert, Nessus fires an alert… what is going on? It feels at the moment that any software tool not in their database is automatically a Trojan come to steal your car, wallet and way of life.

Anyhow, rant aside, there has to be a better way of analysing malware and I think RAM is the answer. Nothing can hide in RAM; processes hidden from the OS can be uncovered in RAM. Many tools use a technique called list walking to discover the processes running in live RAM or in a RAM dump. However, manipulating the kernel’s process objects directly (DKOM) can unlink a process from that list, rendering it essentially invisible to the OS and to list-walking programs. Psscan2 in the Volatility suite overcomes this by scanning the dump file for process objects whether or not they are still linked to the others. Outputting this view in dot format and opening it in something like Graphviz provides a fantastic, clean view of the running processes and their threads. Simply invoke with:

python volatility psscan2 -d -f <memory.dd> > output.dot

Analysing the process start times, threads and parents, exe path and other variables provides a very ‘quick win’ when searching for malware of any type.
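The cross-view check described above, as an added example that is not code from the original post or from Volatility: compare a scan of process objects against the list-walk view, flag anything the linked list did not report, and emit the tree as dot with the suspect processes coloured. The process records are constructed sample data standing in for psscan2 and pslist output.

```python
"""Cross-view process check: scanned process objects vs the list-walk view.

Constructed sample data (not real psscan2/pslist output). A process present
in the scan but absent from the OS-linked list is what DKOM unlinking looks
like in a RAM dump; it still has a parent, threads and a start time.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    start: str    # process start time as reported in the dump
    threads: int

# Constructed sample: what a scan for process objects might return.
SCANNED = [
    Proc(4, 0, "System", "2009-10-23 07:59:58", 55),
    Proc(560, 4, "smss.exe", "2009-10-23 08:00:01", 3),
    Proc(620, 560, "winlogon.exe", "2009-10-23 08:00:04", 18),
    Proc(668, 620, "services.exe", "2009-10-23 08:00:05", 16),
    Proc(1380, 668, "svchost.exe", "2009-10-23 08:00:09", 20),
    Proc(2040, 1380, "svchst.exe", "2009-10-23 11:42:17", 2),  # constructed lookalike
]
# Constructed sample: the PIDs that list walking (the OS-linked list) reports.
LISTED = {4, 560, 620, 668, 1380}

def hidden_processes(scanned, listed):
    """Return scanned processes that list walking did not see (DKOM candidates)."""
    return [p for p in scanned if p.pid not in listed]

def to_dot(scanned, listed):
    """Render the parent->child tree as Graphviz dot; hidden processes in red."""
    pids = {p.pid for p in scanned}
    lines = ["digraph processes {", "  node [shape=box];"]
    for p in scanned:
        colour = "red" if p.pid not in listed else "black"
        label = f"{p.name}\\npid {p.pid}\\nstart {p.start}\\n{p.threads} threads"
        lines.append(f'  p{p.pid} [label="{label}" color={colour}];')
    for p in scanned:
        if p.ppid in pids:      # skip parents that are not in the dump (e.g. ppid 0)
            lines.append(f"  p{p.ppid} -> p{p.pid};")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    for p in hidden_processes(SCANNED, LISTED):
        print(f"hidden: {p.name} pid={p.pid} ppid={p.ppid} started {p.start}")
    print(to_dot(SCANNED, LISTED))
```

Pipe the output into `dot -Tpng -o processes.png` to get the graph view; the red node is where to start looking, with its parent, start time and thread count already on the label.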

This is a manual process and would be tricky to automate but very worthwhile to do if malware analysis is your business.

Few minutes til the train is due in so will speak later, hopefully sooner!

Thursday, July 9, 2009

ACPO and RAM Analysis course

It’s been a busy few weeks, which is why I haven’t had a chance to blog for a while. I had the opportunity to present at the ACPO Conference 2 weeks back, which is always a good event, with friends and colleagues from many different Forces and Agencies. It is normally a chance for a late night drink but exhaustion from the past few weeks’ activities had me in bed by 11pm each night.

My brother’s company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fense’s Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet history, RAM and other useful data is a very interesting addition to an officer’s arsenal. Discuss ☺.

The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening the backlogs that exist in most HiTech Crime units. Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise, not exclude, and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence, could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the ‘son’s’ or ‘lodger’s’ computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.

Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement, which I apologise for, but if you would like to come then you can find dates on the www.csitraining.co.uk website!

Friday, June 5, 2009

Imaging Windows 7 Live


I've been spending some time working with Matt Blackband today on issues surrounding imaging Windows 7 disks and RAM. I've got a copy of Windows 7 32-bit RC1 installed under VMware Fusion with 2 processors and 2 Gig of RAM allotted to it.

Before I start I just want to point out that although I have quite a bit to do with e-fense on a day to day basis including teaching the use of Helix 2.0, I do not make anything out of the new Helix Pro. This bit of research was just myself and Matt wanting to see whether it worked well under Windows 7 and compared to Helix 2.0. This is NOT an infomercial!

Although there has been a lot of talk about exFAT and its uses, Windows 7 installs with NTFS as default and installed very quickly indeed. There have been some concerns and questions over whether our current typical live forensic tools would be able to successfully run and acquire drives and RAM. As Helix is a personal favourite tool and one that I teach, I focused my attention on that.

I loaded the latest Beta 2 version of Helix Pro (should be released soon), which loaded quickly and successfully. Helix Pro saw the connected drives and partitions and also correctly reported the RAM size. Running the Helix RAM acquisition I was able to acquire 2 Gig of RAM, writing to a shared drive on the host Mac, in a little over 2 minutes, which is very good indeed. I was then able to successfully run Strings and Foremost to extract text data and carve files respectively. As expected Volatility refused to run, and we wait to see if a Vista/7 update is forthcoming.

Disk imaging also worked correctly as expected for making both a RAW and an Encase 6 image, also creating disk and imaging information and checksum PDFs.

One of my favourite aspects of Helix Pro is its lightning-fast volatile data acquisition. I was a little dubious that it would work under 7, but work it did, finishing in less than 20 secs and producing a 96 page report! Enjoy reading that!

Helix 2.0, the remaining free offering, as expected did not fare as well. The GUI fires up OK but you are unable to trigger a command shell from the GUI as no Windows 7 shell exists on the disk. However, browsing to /IR/Vista, opening a Vista cmd file directly and then running cmdenv did provide a usable shell which enabled me to run binaries on the disk.

System Information worked correctly reporting Owner, Network and Logical disks.

As expected the GUI would not image RAM or disks, although extracting MDD from /IR/RAM to a USB key and running it successfully imaged the RAM in a little under a minute to the local disk (not recommended in the real world :)).

After some down and dirty testing today it is good to see that Helix Pro is up to the task of working with 7, which I guess makes it a £200 tool worth having in your toolkit. Of course, it will be interesting to see the take up of 7 after the lack-lustre reaction to Vista, but I have to say, even as a hard and fast Mac user, it's not too bad. It installed very quickly and just worked out of the box. The interface is clean and simple and programs pop up nice and fast. Could this be a 'good' version of Windows? Time will tell. More research to be done.

Friday, April 24, 2009

Apple and Pears

I had a couple of chaps turn up for a meeting yesterday from a certain UK Law Enforcement Agency and, due to a crackingly sunny day, we were able to sit in a pub garden for a late and leisurely lunch. Anyway, that's not the point!

One of the chaps, Simon, pulled a little Netbook PC out of his bag and, lo and behold, it was running OSX. It was really impressive to see such a tiny machine, designed for Linux or Windows, running OSX very successfully in all its 'never crashing' glory. Being very small and light it's essentially a MacBook Air but about £1000 cheaper.

I guess because I'd never gone to look, I did not know that since Apple's move to Intel chipsets there has been a huge amount of effort in the hacking community (I use the word hacking in its proper sense) to get OSX successfully working on PC architecture. The Netbooks with their Intel Atom processors are, apparently, perfect.

Wired magazine wrote about it late last year (http://blog.wired.com/gadgets/2008/10/os-x-running-on.html) with similar results, although they noted that some elements such as Wifi and Sound fail to work on some Netbooks including the one they tried.

A very good list of Netbooks with the elements that work or do not can be found at http://gadgets.boingboing.net/2008/12/17/osx-netbook-compatib.html. It appears that the Dell Mini 9 is perfect and virtually anything can be made to work.

It is worth noting that although it is a great fun project, by loading OSX onto a 3rd party piece of hardware you are breaking the Apple licensing agreement. I really fancy getting a Dell Mini on order though :)

Friday, April 17, 2009

...and the Supercomputer gets even better!


Since the Supercomputer got fixed I've been doing some tinkering with quite staggering results. Elcomsoft have released a new version of their wireless cracking tool and you can now specify multiple dictionaries, which is very useful. In addition, ATI now have new drivers that improve the GPU acceleration, so I've got those downloaded and installed.

It then occurred to me that processing time would be taken up with the software figuring out all the permutations for each word in the dictionary, so I took a good 3 million word dictionary and ran it through the rules-based permutation generator that is part of John the Ripper:

john -w:dictionary.txt -rules -session:johnrestore.dat -stdout:63 > newdict.txt

This turned a 40 meg dictionary file into a 1.6 Gig monster with a staggering array of derivatives for each word. Feeding this into the cracker, I have now raised my cracking speed from around 18000 passwords a second to a mind-blowing 45000 per second, or 3.8 billion a day. Not too shabby!

To deal with purely numeric WPA passwords I've got a friend writing a bit of code to generate a dictionary with every permutation up to 10 billion, which is a nice long 11 digit password. Although we are looking at the best part of a week to run, I believe that it is worth the effort.

Crack on - if you pardon the pun!

Thursday, April 16, 2009

Exploiting the MSN protocol

This is a post where I am not going to say anything :) I'm not going to say what we have found, what we can do and how we do it, but let me explain the problem.

Many Police Agencies have an interest in where a particular Internet user may be located and, to achieve this, detecting their IP address and then asking the ISP for user information is a great way to do it. It is no secret that some Agencies monitor chat rooms and ingratiate themselves with known offenders on Instant Messaging (CEOPS invited the BBC in last year to discuss this). However, chat using something like Windows Live Messenger is proxied and anonymised at Microsoft, meaning a whole load of paperwork is needed to get the actual subject's IP.

Well that's the problem and Microsoft say that there is no way to circumvent this issue. If you are in this position and would like to discuss the 'problem', you know where to find me.