Friday, October 23, 2009

Although I quite like this blogging lark, you will notice from the total lack of activity in recent months that I’m not very good at it. Fact of the matter is that I’ve been extremely busy, which I guess in the current climate I should be thankful for. Computer Forensics is a good career choice in a recession as, simply put, there are always bad people. In fact there is some evidence that white collar crime (and today that almost always involves computers) is on the rise as people worry about jobs, mortgages etc and when an opportunity to pilfer away a quick buck is found, many will succumb.

I’m writing this on a train to the Midlands where I’m helping a Bank improve its analysis of Malware written specifically to target its customers. This too is on the rise with phishing attacks commonplace. The problem with Malware written specifically for a task is that the AV products often don’t have a signature for it and hence it renders itself fairly invisible even from the ‘Heuristic’ scanners. To counter this it seems that the AV companies are lowering the bar, almost every time I write a script or compile a new piece of code, Kaspersky or AVG or McAfee scream that its Root Ware, or a Trojan or something equally nasty.

If you download virtually any of the fabulously useful tools from Nirsoft (www.nirsoft.com) such as their password recovery, USB key parser or Wifi tool and, wham, ‘It’s a virus!!’. No it’s not. The Cain and Abel password recovery tool recently started triggering an alert, Nessus fires an alert… what is going on? It feels at the moment that any software tool not in their database is automatically a Trojan come to steal your car, wallet and way of life.

Anyhow, rant aside, there has to be a better way of analysing Malware and I think RAM is the answer. Nothing can hide in RAM: processes hidden from the OS can be uncovered in RAM. Many tools do a process called List Walking to discover processes running in live RAM or a RAM dump; however, DKOM (direct kernel object manipulation) can unlink a process object from the ‘flow’ and render it essentially invisible both to the OS and to list-walking programs. Psscan2 in the Volatility suite overcomes this by scanning the dump file for process objects whether or not they are connected to others. Outputting this view in dot format and opening it in something like Graphviz provides a fantastic, clean view of the running processes and their threads. Simply invoke by:-

python volatility psscan2 -d -f <memory_dump> > output.dot

Analysing the process start times, threads and parents, exe path and other variables provides a very ‘quick win’ when searching for malware of any type.

This is a manual process and would be tricky to automate but very worthwhile to do if malware analysis is your business.
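To make the list-walking versus scanning distinction concrete, here is an added toy example (not code from the original post or from the Volatility project): a constructed 1 KiB "memory dump" holding four invented 32-byte process records, one of which has been unlinked from the process list the way a DKOM rootkit would do it. A list walk follows the links and misses it; a psscan2-style signature scan finds every record and the result is rendered as a Graphviz DOT process tree. The 'Proc' tag, record layout and offsets are assumptions for the demo, not real _EPROCESS internals.

```python
import struct

TAG = b"Proc"
# Constructed 32-byte record: tag, pid, ppid, flink (offset of the next record, 0 = end), name
REC = struct.Struct("<4sIII16s")

def make_record(pid, ppid, flink, name):
    return REC.pack(TAG, pid, ppid, flink, name.encode().ljust(16, b"\0"))

def build_image():
    """Constructed 1 KiB 'memory dump'. The linked list is System -> explorer -> notepad;
    evil.exe is still in memory but unlinked, mimicking a DKOM-hidden process."""
    img = bytearray(1024)
    img[0x040:0x060] = make_record(4, 0, 0x100, "System")
    img[0x100:0x120] = make_record(1000, 4, 0x200, "explorer.exe")
    img[0x200:0x220] = make_record(1200, 1000, 0, "notepad.exe")
    img[0x300:0x320] = make_record(1337, 1000, 0, "evil.exe")  # nothing points here
    return bytes(img)

def parse(img, off):
    tag, pid, ppid, flink, name = REC.unpack_from(img, off)
    return pid, ppid, flink, name.rstrip(b"\0").decode()

def walk_list(img, head=0x040):
    """What the OS and list-walking tools see: follow flink pointers from the head."""
    found, off = [], head
    while off:
        pid, ppid, flink, name = parse(img, off)
        found.append((pid, ppid, name))
        off = flink
    return found

def scan_image(img):
    """What psscan-style scanning sees: every object with a plausible header,
    whether or not anything still links to it."""
    found = []
    for off in range(0, len(img) - REC.size + 1, 4):
        if img[off:off + 4] != TAG:
            continue
        pid, ppid, flink, name = parse(img, off)
        if pid == 0 or not name.isprintable():  # crude sanity check against false hits
            continue
        found.append((pid, ppid, name))
    return found

def hidden_processes(img):
    """Processes the scan finds that the list walk does not: the DKOM suspects."""
    return sorted(set(scan_image(img)) - set(walk_list(img)))

def to_dot(procs):
    """Parent -> child process tree in Graphviz DOT, in the spirit of psscan2 -d."""
    lines = ["digraph processes {"]
    for pid, ppid, name in procs:
        lines.append(f'  "{pid}" [label="{name}\\npid {pid}"];')
        if ppid:
            lines.append(f'  "{ppid}" -> "{pid}";')
    lines.append("}")
    return "\n".join(lines)
```

Running `hidden_processes(build_image())` reports evil.exe alone, and `to_dot(scan_image(build_image()))` gives a graph you can feed straight to dot.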

Few minutes til the train is due in so will speak later, hopefully sooner!

Thursday, July 9, 2009

ACPO and RAM Analysis course

It’s been a busy few weeks which is why I haven’t had a chance to blog for a while. I had the opportunity to present at the ACPO Conference 2 weeks back which is always a good event, with friends and colleagues from many different Forces and Agencies. It is normally a chance for a late night drink but exhaustion from the past few weeks’ activities had me in bed by 11pm each night.

My brother’s company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fense’s Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet History, RAM and other useful data is a very interesting addition to an officer’s arsenal. Discuss ☺.

The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening backlogs that exist in most HiTech Crime units. Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise, not exclude, and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence, could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the son’s or lodger’s computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.

Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement which I apologise for but if you would like to come then you can find dates on the www.csitraining.co.uk website!

Friday, June 5, 2009

Imaging Windows 7 Live


I've been spending some time working with Matt Blackband today on issues surrounding imaging Windows 7 disks and RAM. I've got a copy of Windows 7 32bit RC1 installed under VMware Fusion with 2 Processors and 2 Gig of RAM allotted to it.

Before I start I just want to point out that although I have quite a bit to do with e-fense on a day to day basis including teaching the use of Helix 2.0, I do not make anything out of the new Helix Pro. This bit of research was just myself and Matt wanting to see whether it worked well under Windows 7 and compared to Helix 2.0. This is NOT an infomercial!

Although there has been a lot of talk about exFAT and its uses, Windows 7 installs with NTFS as default and installed very quickly indeed. There have been some concerns and questions over whether our current typical live forensic tools would be able to successfully run and acquire drives and RAM. As Helix is a personal favourite tool and one that I teach, I focused my attention on that.

I loaded the latest Beta 2 version of Helix Pro (should be released soon) which loaded quickly and successfully. Helix Pro saw the connected drives and partitions and also correctly reported the RAM size. Running the Helix RAM acquisition I was able to acquire 2 Gig of RAM, writing to a shared drive on the host Mac in a little over 2 minutes, which is very good indeed. I was then able to successfully run Strings and Foremost to extract text data and carve files respectively. As expected Volatility refused to run and we wait to see if a Vista/7 update is forthcoming.

Disk imaging also worked correctly as expected for making both a RAW and an Encase 6 image, also creating disk and imaging information and checksum PDFs.

One of my favourite aspects of Helix Pro is its lightning-fast volatile data acquisition. I was a little dubious that it would work under 7, but work it did, finishing in less than 20 secs and producing a 96 page report! Enjoy reading that!

Helix 2.0, the remaining free offering, as expected, did not fare as well. The GUI fires up OK but you are unable to trigger a command shell from the GUI as no Windows 7 shell exists on the disk, however browsing to /IR/Vista, and opening a Vista cmd file directly and then running cmdenv, did provide a usable shell which enabled me to run binaries on the disk.

System Information worked correctly reporting Owner, Network and Logical disks.

As expected the GUI would not image RAM or Disks although extracting MDD from /IR/RAM to a USB key and running it, successfully imaged the RAM in a little under a minute to the local disk (not recommended in the real world :)).

After some down and dirty testing today it is good to see that Helix Pro is up to the task of working with 7, which I guess makes it a £200 tool worth having in your toolkit. Of course, it will be interesting to see the take up of 7 after the lack-lustre reaction to Vista, but I have to say, even as a hard and fast Mac user, it's not too bad. It installed very quickly and just worked out of the box. The interface is clean and simple and programs pop up nice and fast. Could this be a 'good' version of Windows? Time will tell. More research to be done.

Friday, April 24, 2009

Apple and Pears

I had a couple of chaps turn up for a meeting yesterday from a certain UK Law Enforcement Agency and due to a crackingly sunny day were able to sit in a pub garden for a late and leisurely lunch. Anyway, thats not the point!

One of the chaps, Simon, pulled a little Netbook PC out of his bag and lo and behold it was running OSX. It was really impressive to see such a tiny machine, designed for Linux or Windows, running OSX very successfully in all its 'never crashing' glory. Being very small and light it's essentially a MacBook Air but about £1000 cheaper.

I guess because I'd never gone to look, I did not know that since Apple's move to Intel chipsets there has been a huge amount of effort in the hacking community (I use the word hacking in its proper sense) to get OSX successfully working on PC architecture. The Netbooks with their Intel Atom processors are, apparently, perfect.

Wired magazine wrote about it late last year (http://blog.wired.com/gadgets/2008/10/os-x-running-on.html) with similar results, although they noted that some elements such as Wifi and Sound fail to work on some Netbooks including the one they tried.

A very good list of Netbooks with the elements that work or do not can be found at http://gadgets.boingboing.net/2008/12/17/osx-netbook-compatib.html. It appears that the Dell Mini 9 is perfect and virtually anything can be made to work.

It is worth noting that although a great fun project, by loading OSX onto a 3rd party piece of hardware you are breaking the Apple licensing agreement. I really fancy getting a Dell Mini on order though :)

Friday, April 17, 2009

...and the Supercomputer gets even better!


Since the Supercomputer got fixed I've been doing some tinkering with quite staggering results. Elcomsoft have released a new version of their Wireless Cracking tool and you can now specify multiple dictionaries which is very useful. In addition, ATI now have new drivers that improve the GPU acceleration so I've got those downloaded and installed.

It then occurred to me that processing time would be taken up with the software figuring out all the permutations for each word in the dictionary, so I took a good 3 million word dictionary and ran it through the permutation generator that is part of John the Ripper.

john -w:dictionary.txt -rules -session:johnrestore.dat -stdout:63 > newdict.txt

This turned a 40 meg dictionary file into a 1.6 Gig monster with a staggering array of derivatives for each word. Feeding this into the cracker I have now raised my cracking speed from around 18000 passwords a second to a mind-blowing 45000 per second, or 3.8 billion a day. Not too shabby!

To deal with purely numeric WPA passwords I've got a friend writing a bit of code to generate a dictionary with every permutation up to 10 billion, which is a nice long 11 digit password. Although we are looking at the best part of a week to run I believe that it is worth the effort.

Crack on - if you pardon the pun!

Thursday, April 16, 2009

Exploiting the MSN protocol

This is a post where I am not going to say anything :) I'm not going to say what we have found, what we can do and how we do it, but let me explain the problem.

Many Police Agencies have an interest in where a particular Internet user may be located and to achieve this, detecting their IP address and then asking the ISP for user information is a great way to do it. It is no secret that some Agencies monitor chat rooms and ingratiate themselves with known offenders on Instant Messaging (CEOPS invited the BBC in last year to discuss this); however, chat using something like Windows Live Messenger proxies and anonymizes at Microsoft, meaning a whole load of paperwork is needed to get the actual subject's IP.

Well that's the problem and Microsoft say that there is no way to circumvent this issue. If you are in this position and would like to discuss the 'problem', you know where to find me.

...and it breaks

In addition to my last post, after just a couple of days of password cracking my super-beasty computer packed in. It seems the 4 uber GPU units decided to up and die which is not helpful when everything is GPU accelerated. Engineers turned up and we are firing on all cylinders again.

Interestingly I am now getting the full 20,000 passwords per second cracking speed that I was expecting whereas before I was only getting a fraction of that, I think there was something wrong from the start. As I look to my left a cracking job for a Police Agency is running at 18,000 per second, not too shabby.

Tuesday, March 3, 2009

'Super' Computing!

It's been a big day! My supercomputer arrived in a rather large box, much to the obvious annoyance of the delivery man who had to drag the thing 30 yards as he couldn't get the van up the lane near the office.

Unwrapped and connected up to a suitably large screen the beasty purred into life and promptly crashed. No Apple technology here. Side off, found a couple of loose cards, tightened them up, reboot and we are away.

The machine is based on AMD motherboard technology with 2 uber ATI 4870X2 boards providing 800 parallel processing cores per board giving a total of 1600 processing cores. With the right software designed for GPU parallel processing it will chug along at 2.4 teraflops or 2.4 trillion floating point calculations per second.

The definition of a supercomputer is 1 trillion teraflops and the first one was built by Intel just 11 years ago; it took up 2000 sq ft of space. 11 years on I have a machine 2 1/2 times more powerful under my desk, the lights dim when I fire it up but you can't have everything!

I've bought it to carry out super fast password cracking, I can chew through 60,000 passwords per second or 5.1 billion per day which is some work rate especially when using intelligent varying dictionary based attacks. Instead of pure brute forcing which is all down to key space (password length * all possible combinations), an intelligent varying dictionary attack takes a word such as 'password' and attempts all likely variations such as :-

pa55word
pa55wOrd
6a55w0rd
password1
password123 etc etc

Using this process a 3 million word dictionary can quickly be turned into a 150 million word table or much more. When done 60,000 times per second you can try an awful lot of variations and the success rate becomes very high indeed. A completely, pattern free, randomized password/phrase will still require brute forcing and we will all probably retire before a guaranteed success.
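The expansion described here (and the John the Ripper rules run in the April post) is easy to see from the defender's side: given a wordlist and a small, constructed set of mangling rules in the spirit of pa55word / Password123, how many candidates does each word turn into, and is a proposed password reachable from the dictionary at all? This is an added example, not the post's software or JtR's rule engine; the substitution table and suffix list are assumptions chosen to mirror the examples above.

```python
import itertools

# Constructed substitution table and suffixes, mirroring the post's examples
# (pa55word, pa55wOrd, password1, password123). JtR's real rule language is far richer.
SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "b": "6"}
SUFFIXES = ["", "1", "12", "123", "!", "2009"]

def leet_variants(word):
    """Every combination of keeping or substituting each substitutable letter."""
    choices = [[c] + list(SUBS.get(c.lower(), "")) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def case_variants(word):
    yield word
    yield word.capitalize()
    yield word.upper()

def mangle(word):
    """The full candidate set derived from one dictionary word by these rules."""
    out = set()
    for w in case_variants(word):
        for v in leet_variants(w):
            for s in SUFFIXES:
                out.add(v + s)
    return out

def expansion_factor(words):
    """Average number of candidates the rules produce per dictionary word:
    the '3 million words become 150 million' effect in miniature."""
    return sum(len(mangle(w)) for w in words) / len(words)

def is_within_rules(password, words):
    """Password-policy check: return the base word if the candidate password is
    reachable from the wordlist by these rules, else None (i.e. brute force needed)."""
    for w in words:
        if password in mangle(w):
            return w
    return None
```

A password that `is_within_rules` maps back to a dictionary word falls inside the cheap, rule-driven part of the search the post describes, however many symbols it appears to contain.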

The new software I'm using focuses on WPA 4 way handshake attacks, you can check it out here. Other software allows the GPU accelerated attacks against Office files and loads of others.

My first job arrived from a Police Department yesterday so we shall see how it goes.

Wednesday, February 11, 2009

We're jamming

Again, I have been neglecting my blog and I apologise! Little one was in hospital for the first 2 weeks of the year and I've taken 3 weeks to catch up.

Continuing with the wireless attack theme I came across an interesting way (illegal) to force a deauth. As some of you will know, to get the 4-way handshake needed for WPA cracking you need to force a deauthentication of a client and pick up the transaction of packets as it reauthenticates. However, this is easier said than done and does not always work.

One way to ensure deauth is to employ a hardware wifi jammer. You can readily source from the Far East a jammer with 30+ft range which is sufficient to take out a house's wifi network whilst walking by. Now I am at pains to say that jamming a radio signal in the UK is illegal and I mention this only for my LE friends who may be able to get the appropriate clearances/warrant to achieve a deauth this way. Of course you would need an antenna faced on the property ready and running Kismet or Airodump to grab the packets as the reauth takes place. I wrote some great Linux Shell scripts to automate the process recently to achieve just this type of situation.

I won't publish where to purchase them, you can always get in touch.

You can also pick up a GSM jammer while you have your credit card out and next time you see in your rear view mirror the lorry driver chatting on the phone whilst passing the local primary school you could have the satisfaction of hitting the button and jamming his call. Oh if only it was legal!!