fifth.sentinel


SANS SIFT – Using SleuthKit June 10, 2009

Filed under: Uncategorized — 5thsentinel @ 10:40 am

In my last post, I used the regtime.pl and mactime tools to help determine the potential time a malware infection occurred. In this post, which is very similar to the previous post, I will follow the same steps, however this time I will use the Sleuthkit tools and mactime to analyse the file system changes to determine potential infection time. Normally, you would start with either the registry or the file system mactime, and then move to the alternative based on your findings. However, I thought it would be beneficial to show how the timeline generation and analysis is the same no matter which you start with.

This time using the SANS Forensics SIFT Workstation VM image, I will use the SleuthKit’s fls and ils commands to produce file system information that can be used by the mactime utility to produce a timeline.

After starting the SIFT workstation I mounted the suspect hard drive to a read-only mount point.

Using the command format of “fls -r -m C: <filepath> > /tmp/fls.log” the file system on the suspect drive was processed to retrieve any information on allocated or unallocated files in the file system.

The options used were:

-m           mactime output
-r           recursive
<filepath>   /dev/sdc1 – This is the device file for the partition being analysed

Using the command format of “ils -m <filepath> > /tmp/ils.log” the file system on the suspect drive was processed to retrieve any unallocated inodes on the partition being analysed.

The options used were:

-m           mactime output
<filepath>   /dev/sdc1 – This is the device file for the partition being analysed

Once I had the separate output files I then ran “cat” to join them all together. This was done by using the command:

cat <filename> >> /tmp/mactime-body

Then I ran the Sleuthkit mactime program across the mactime body file in 3 ways.

    1. mactime -b /tmp/mactime-body > /tmp/mactime-body.log
    2. mactime -b /tmp/mactime-body -d -m > /tmp/mactime-body.csv
    3. mactime -b /tmp/mactime-body -d -m 2009-01-01 > /tmp/mactime-body2009.csv

-b           the file to process, in mactime body format
-d           create a comma delimited file
-m           use numeric months and not named (i.e. 01 not Jan)
2009-01-01   print only timestamps after this date

The first one will give a full dump in standard Sleuthkit mactime default output. The second one will output a full mactime file in a comma delimited format where each line has its own timestamp. The last one is the same as the second except I am only outputting any information that changed after the 1st Jan 2009.

From there I copied the processed mactime files from the SIFT virtual workstation onto a machine with Excel 2007 on it. You really want to be using Office 2007 to get around the row limit in previous versions of Excel. The benefit of using Excel is that it can be quick and easy to sort, search and filter information that may be of interest in the mactime output files. For example, loading up the mactime-body2009.csv file I can do a find all on .exe files that are modified (including created and deleted) in the C:\Windows\system32 directory. The main reason any .exe should be modified here is if there is a Microsoft patch installed. However, since this directory is included normally in the execution search path, malware likes to be dropped in here to avoid execution issues.


Attached is a copy of the output of the find all command in Excel 2007. When reviewing the timeline we can locate the same time period that was determined in the previous blog as a point in time of interest.

 

SANS SIFT – Using regtime.pl June 7, 2009

Filed under: Uncategorized — 5thsentinel @ 8:16 am

The following is an overview of how I used the SANS Forensics SIFT Workstation VM image to investigate a laptop that was infected with malware. The goal of the investigation was to determine if possible how the machine got infected, and when it was infected. To this end I used the regtime.pl utility that is supplied with the image.

The regtime.pl utility will process the timestamps in each key of a registry HIVE and produce output that is compliant with the SleuthKit’s mactime format.

After starting the SIFT workstation I mounted the suspect hard drive to a read-only mount point. The regtime.pl utility can be found in the “/usr/local/src/windows-perl/” directory.

cd /usr/local/src/windows-perl/

Using the command format of “perl regtime.pl -m <HIVENAME> -r <filepath> > /tmp/regtime-<HIVENAME>” each HIVE on the suspect drive was processed with regtime.pl.

The options used were:

-m           mactime output
<HIVENAME>   HKLM/SAM
             HKLM/SECURITY
             HKLM/Software
             HKLM/SYSTEM
             HKLU
<filepath>   /<read-only mount path>/windows/system32/config/SECURITY
             /<read-only mount path>/windows/system32/config/system
             /<read-only mount path>/windows/system32/config/software
             /<read-only mount path>/Documents and Settings/<username>/NTUSER.DAT

Once I had the separate output files I then ran “cat” to join them all together. This was done by using the command:

cat <filename> >> /tmp/regtime-body

Then I ran the Sleuthkit mactime program across the mactime body file in 3 ways.

    1. mactime -b /tmp/regtime-body > /tmp/regtime-mactime
    2. mactime -b /tmp/regtime-body -d -m > /tmp/regtime-mactime.csv
    3. mactime -b /tmp/regtime-body -d -m 2009-01-01 > /tmp/regtime-mactime2009.csv

-b           the file to process, in mactime body format
-d           create a comma delimited file
-m           use numeric months and not named (i.e. 01 not Jan)
2009-01-01   print only timestamps after this date

The first one will give a full dump in standard Sleuthkit mactime default output. The second one will output a full mactime file in a comma delimited format where each line has its own timestamp. The last one is the same as the second except I am only outputting any information that changed after the 1st Jan 2009.

From there I copied the processed mactime files from the SIFT virtual workstation onto a machine with Excel 2007 on it. You really want to be using Office 2007 to get around the row limit in previous versions of Excel. The benefit of using Excel is that it can be quick and easy to sort, search and filter information that may be of interest in the mactime output files. For example, loading up the regtime-mactime2009.csv file I can do a find all on common registry keys that malware plays with.


Attached is a copy of the first item found in the registry and the items around it. When reviewing the timeline there is a 3 minute interval where a number of registry keys are modified, however there is no other activity for hours on either side of this activity. This would be a good indication that we may want to look at exactly what changes were made in the registry (if they still exist) to see if this was malware activity.

In the next blog post, I will use the same process using the Sleuthkit tools.
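
The Excel steps from this post and from the SleuthKit post above can also be scripted directly against the combined body file. The following is an added example, not code from the original posts or from the SIFT tools: it assumes the TSK 3.x body layout with registry last-write times in the mtime field, uses constructed sample lines, and the 180-second gap and two-hour quiet thresholds are illustrative choices.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

Event = namedtuple("Event", "ts kind name")
SINCE_2009 = 1230768000  # 2009-01-01 00:00:00 UTC

# Constructed sample lines, not real case data. Assumed layout (TSK 3.x body file):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Registry keys carry their last-write time in the mtime field (assumption).
SAMPLE_BODY = """\
0|C:/WINDOWS/system32/notepad.exe|1001|r/rrwxrwxrwx|0|0|69120|1243800000|1208174400|1208174400|1208174400
0|C:/WINDOWS/system32/sample_dropped.exe|4242|r/rrwxrwxrwx|0|0|45056|1243850100|1243850060|1243850060|1243850060
0|C:/WINDOWS/system32/tmp1A.exe (deleted)|4243|r/rrwxrwxrwx|0|0|0|1243850090|1243850090|1243850090|1243850090
0|C:/Documents and Settings/user/NTUSER.DAT|5000|r/rrwxrwxrwx|0|0|786432|1243900000|1243900000|1243760000|1200000000
0|HKLM/Software/Classes/.txt|0|0|0|0|0|0|1243760000|0|0
0|HKLM/Software/Microsoft/Windows/CurrentVersion/Run|0|0|0|0|0|0|1243850120|0|0
0|HKLM/SYSTEM/ControlSet001/Services/SharedAccess|0|0|0|0|0|0|1243850200|0|0
"""


def parse_body(text):
    """Expand each body line into one event per non-zero timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        # Split from the right so a '|' inside a file name cannot shift the fields.
        parts = line.rsplit("|", 9)
        if len(parts) != 10 or "|" not in parts[0]:
            continue  # not a body line
        name = parts[0].split("|", 1)[1]
        # a = accessed, m = modified, c = changed, b = born (created)
        for kind, raw in zip("amcb", parts[6:10]):
            if raw.isdigit() and int(raw) > 0:
                events.append(Event(int(raw), kind, name))
    return sorted(events)


def system32_exe_changes(events, since=SINCE_2009, prefix="c:/windows/system32/"):
    """.exe files under system32 modified or created on/after `since` (deleted ones included)."""
    hits = set()
    for ev in events:
        path = re.sub(r" \(deleted(-realloc)?\)$", "", ev.name).lower()
        if (ev.ts >= since and ev.kind in "mb"
                and path.startswith(prefix) and path.endswith(".exe")):
            hits.add((ev.ts, ev.name))
    return sorted(hits)


def isolated_bursts(events, max_gap=180, quiet=2 * 3600, min_names=3):
    """Clusters of activity with silence of at least `quiet` seconds on both sides.

    Consecutive events no more than `max_gap` seconds apart form one cluster.
    The start and end of the timeline are treated as quiet.
    """
    clusters = []
    for ev in events:  # events must already be sorted by time
        if clusters and ev.ts - clusters[-1][-1].ts <= max_gap:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    bursts = []
    for i, cl in enumerate(clusters):
        before = cl[0].ts - clusters[i - 1][-1].ts if i else quiet
        after = clusters[i + 1][0].ts - cl[-1].ts if i + 1 < len(clusters) else quiet
        # Count distinct names so one file's m/c/b stamps do not look like a burst.
        if before >= quiet and after >= quiet and len({e.name for e in cl}) >= min_names:
            bursts.append(cl)
    return bursts


def utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    timeline = parse_body(SAMPLE_BODY)
    print("system32 .exe modified or created since 2009-01-01:")
    for ts, name in system32_exe_changes(timeline):
        print(f"  {utc(ts)}  {name}")
    for burst in isolated_bursts(timeline):
        print(f"isolated burst {utc(burst[0].ts)} to {utc(burst[-1].ts)} UTC:")
        for ev in burst:
            print(f"  {utc(ev.ts)} {ev.kind} {ev.name}")
```

Feeding it the concatenation of /tmp/mactime-body and /tmp/regtime-body puts file system and registry activity in one timeline, so a burst that touches both stands out.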

 

AUSCert 2009 Wrap-Up May 22, 2009

Filed under: Uncategorized — 5thsentinel @ 10:17 pm

Sometimes it’s the small things that make a conference more enjoyable:-

  • Full-time vendor sponsored barista for good caffeine injections at any time – nice
  • Full-time vendor sponsored drinks fridge for your cold drink alternative – nice
  • Full-time vendor sponsored ice creams – nice
  • Vendor sponsored Wireless LAN – would have been handy if I wanted to use it

Sometimes it’s the big things that make a conference more memorable:-

  • Insane storm that hit on third day – impressive distraction
  • Decent lunch time food and seating – nice
  • Gala dinner, MC choice and entertainment (sans bonny and clive) – nice

It’s always good to be amused:-

  • Hotel staff running through vendor stand at an IT conference asking for electrical equipment to be powered off because of power failure in storm
  • Watching a TV entertainer as MC trying to control 8 security experts having a debate – and he probably thought it would be a boring, dry gig.
  • Gala event – 100s of men + one toilet block with 3 urinals

The other stuff:-

  • Networking was excellent
  • As with any conference, you have your mix of good and bad talks
  • Use of wireless voting tech was quick and painless. After all, who really fills in the paper surveys at the end of talks?
  • David Rice – finally got to see him talk – impressive, entertaining and thought provoking
  • Patrick Gray – nice talk on the social media. And kudos for not bowing to pressure for the opinion you wouldn’t give on one of the panel debate questions. It says a lot for your character and journalistic integrity. If anyone disagrees, would you trust Pat with off-the-record comments, or on-the-record comments to be kept in context, if he had given in to pressure so easily? It doesn’t really matter the reasons why he wouldn’t offer an opinion.
  • Peter Gutmann – to talk so fast, concisely and in-depth is impressive.

Will I be back in 2010? Hopefully.

 

Bootvis replacement for Vista May 12, 2009

In the past, when my frustration with the time it took to boot up my Windows XP laptop finally got the better of me, I would track down a copy of the old Microsoft Bootvis utility. This provides a nice graphical view of what is happening as a machine is booting. However like many things, a little bit of knowledge can be dangerous. Therefore, unless you really have a deep understanding of the Operating System’s architecture, there is a good chance that you will end up using such tools incorrectly. This is part of the reason, from what I have read, why Microsoft removed the support for the Bootvis utility. I will happily put myself in the category of “a little bit of knowledge” when it comes to the internal architecture of Microsoft’s kernel. However, because I recognise my limitations I am careful to use such tools to only find obvious potential problems.

The other day, the long boot time for my Vista laptop finally got to me and I went looking for a replacement for Bootvis that would work in Vista. I wanted to see if I could find any obvious culprits that were causing such a long boot up time. I came across the Microsoft Performance Analysis Tools (http://msdn.microsoft.com/en-us/performance/default.aspx). This is a much better set of tools than the old Bootvis utility, and the performance hooks are built into the Vista and Server 2008 operating systems. At its most basic, you can use the tools to provide you with a similar graphical display of boot performance to that which was provided by Bootvis.

In the end I found a problem hardware driver that wasn’t loading properly and was fixed with an update. The Logitech webcam services seem to have a known conflict with cygwin, so I disabled those (I don’t use the webcam all that much and I can always turn them back on when I need to), and applied an update of the VPN software. These were very obvious candidates to research for problems, or do basic testing on (e.g. disable and see if there is a boot time difference), when comparing them against the load times of the other drivers and services. Given the power of the tools, I am sure there is a wealth of information that can be gathered to find less obvious issues, but it would require me to find some time to really learn how to use these tools as they were intended. So I am happy to fix the obvious problems to provide just enough improvement to satisfy my boot time frustrations.

 

Inappropriate Content Visualization April 1, 2009

For those of you who came here hoping to see some visually inappropriate content I am sorry to disappoint you. What I am writing about today is a technique that I have developed over a number of internal Enterprise HR investigations that I supported involving the emailing of inappropriate material.

Historically when I have supported HR in their inappropriate content investigations (our company takes a strong stand on such unprofessional behaviour in the work place), I would produce for them a standard FTK (Forensic Tool Kit) HTML report. This would have each email (based on sender) bookmarked and the original email and attachments linked in the report. This was great from a detailed evidence point of view, however it did lack a lot of detail to give an overall view of the scope of the problem. The biggest issue was, there was no easy way (especially as the number of people involved grew) to show how each individual was linked in the email/forwarding behaviour with others within the company.

In the latter half of last year I started to work on providing HR with an overview of email communications between employees using a linking visualization technique that I had seen used in a vendor’s product. I have also seen a similar example in Raffael Marty’s book (http://secviz.org/content/applied-security-visualization), as shown in the Facebook application “Friend Wheel”.

The visualization technique involves mapping all the internal senders of inappropriate material around a circle, and then linking a sender and recipient by a line that crosses the inside of the circle. Arrow heads on the lines were used to represent who was sending the inappropriate email and each sender was represented by a different colour line. If the email had originated from external to the company, then a small line from the outside to the internal employee was used, and the colour was selected as if the recipient had sent the email (this would make it easier to see if employees were getting external emails and then forwarding them on). If during the analysis of an email, only one email was found after it had been forwarded a couple of times (with other sending details still forwarded), then an appropriate line would still be added based on who sent the email to whom during the chain of emails. This would allow me to show how emails were passed from one person to another, even if I didn’t have copies of the original emails from each of the senders’ mailboxes.

Mapping of Emails Sent


I manually mapped this out using Microsoft Visio, and also used the layering capability to give each sender their own Visio layer. This would allow me to later select just a single sender layer to provide HR with employee specific visualizations of their inappropriate email usage. Using the custom properties of each Visio line, some of the FTK data was recorded. This allowed for double checking all the linking later. The format I used was generally the title set as the mailbox where the specific email evidence was found, and the value set to the subject of the email and the date sent. This would give enough details to search the FTK evidence quickly to find the original evidence.

Emails From User 46



From User 28
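
The linking and layering rules described above can also be derived from the recovered forwarding chains before anything is drawn. This is an added example, not the Visio process or any tool used in the original post: the addresses, the `@corp.example` internal suffix and the record layout are all constructed for illustration.

```python
import math
from collections import defaultdict

INTERNAL_SUFFIX = "@corp.example"   # assumption: what counts as an internal mailbox
EXTERNAL = "EXTERNAL"               # stub drawn from outside the circle

# Constructed sample. Each record is one recovered email; `chain` lists the
# forwarding hops found in it, oldest first, as (sender, [recipients]).
SAMPLE_EMAILS = [
    {"subject": "FW: FW: joke", "chain": [
        ("friend@outside.example", ["user46@corp.example"]),
        ("user46@corp.example", ["user28@corp.example", "user12@corp.example"]),
        ("user28@corp.example", ["user07@corp.example"]),
    ]},
    # The same mail found at an earlier hop in another mailbox: adds no new lines.
    {"subject": "FW: joke", "chain": [
        ("friend@outside.example", ["user46@corp.example"]),
        ("user46@corp.example", ["user28@corp.example", "user12@corp.example"]),
    ]},
    {"subject": "clip", "chain": [("user28@corp.example", ["user46@corp.example"])]},
]


def build_edges(emails):
    """Return {(sender, recipient): layer}, one entry per distinct hop.

    Hops are taken from the whole forwarding chain, so a line is drawn even
    when the intermediate sender's own copy was never recovered.
    """
    edges = {}
    for mail in emails:
        for sender, recipients in mail["chain"]:
            internal_sender = sender.endswith(INTERNAL_SUFFIX)
            for rcpt in recipients:
                if not rcpt.endswith(INTERNAL_SUFFIX):
                    continue  # assumption: only internal recipients sit on the wheel
                src = sender if internal_sender else EXTERNAL
                # External mail takes the recipient's colour/layer, as in the post.
                edges[(src, rcpt)] = sender if internal_sender else rcpt
    return edges


def circle_layout(edges, radius=1.0):
    """Place every internal mailbox evenly around a circle."""
    nodes = sorted({n for pair in edges for n in pair if n != EXTERNAL})
    step = 2 * math.pi / len(nodes)
    return {n: (round(radius * math.cos(i * step), 6),
                round(radius * math.sin(i * step), 6))
            for i, n in enumerate(nodes)}


def layers(edges):
    """Group lines by sender layer, for per-employee views."""
    by_layer = defaultdict(list)
    for (src, dst), layer in sorted(edges.items()):
        by_layer[layer].append((src, dst))
    return dict(by_layer)


def hubs(edges):
    """Internal senders ranked by number of distinct internal recipients."""
    out = defaultdict(set)
    for src, dst in edges:
        if src != EXTERNAL:
            out[src].add(dst)
    return sorted(((len(v), k) for k, v in out.items()), reverse=True)


if __name__ == "__main__":
    e = build_edges(SAMPLE_EMAILS)
    for layer, lines in layers(e).items():
        print(layer, lines)
    print(circle_layout(e))
    print(hubs(e))
```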



Often during the investigations using FTK I would come across the same inappropriate content numerous times as being sent or received. If this was the case then I created a dedicated layer for such attachments. This allowed me to easily show how the specific inappropriate material entered the Enterprise, and how it got forwarded around to different employees.

Inappropriate Attachment Flow


Using this visualization technique has served to give HR greater confidence when interviewing employees based on their behaviour. They are able to structure the interview and counsel/discipline an employee knowing if they had only received inappropriate content once but had not deleted it, had received inappropriate material multiple times but may not have requested for such material to be sent to them, or were participating in forwarding such content around the Enterprise. The visualizations were also a good tool to show those employees who were “network hubs” the extent of what the investigation had found without needing to walk through a large pile of email evidence.

Since then I have also added an Excel chart to the individual senders’ diagrams to show the time period in which each email was sent. This was to overcome the problem with a natural assumption when first viewing a visualization that a lot of emails were sent by a person. It may instead have been the case that there had only been a couple of specific emails sent out to two different groups of people with the incidents being separated by months of time.

New Email Flow


Any improvements that can be suggested to help non-technical HR personnel understand investigation evidence would be greatly appreciated.

While I was drafting this blog I noticed Raffy tweet that he was playing with the MooWheel (http://www.unwieldy.net/projects/moowheel/) code to do similar wheel visualisations with network data (http://raffy.ch/moo/moowheel.html). This code could have the potential to embed a dynamic visualization for HR along with the FTK report. I have not had a chance to look at the MooWheel, but the potential at this stage does intrigue me.

Update 4th April 2009 I have uploaded the full size images to http://secviz.org

 

What is an Enterprise Ready eBook Reader March 12, 2009


The growing market of eBook readers has started to get my wallet itching. However being from “the land Down Under”, I am limited as to what I can buy directly. Or more importantly, what I can walk into a store and play with first before coughing up all the money and buying it online.


Even so, from an Enterprise perspective, which is what most of my e-reading would be for, I believe the most appropriate viewing format would be the full size A4 or 8″x11″ screen. As I would be viewing work related documents, I believe this size format would be better for reading PDFs, Word documents etc. Along those lines, I like the look of the I-Rex models, but the price does hurt.


Wearing my corporate hat, one thing that does worry me if I were to allow the use of eBook readers by others in the Enterprise, is how the company information stored on the readers is protected. The readers suffer the same data leakage risks as other mobile storage media (which includes laptop hard drives and USB sticks). Therefore, some level of encryption is needed. The question is, what is the most appropriate type of encryption? Especially as encryption is a CPU intensive operation, I am sure the eBook vendors are scared off at the potential impact of the battery life drain when encryption is thrown in the mix.


Maybe in this case, where one of the main goals and benefits of eBook readers is to have extremely long battery life, the answer is to look at file level encryption support. This way only those files that need to be protected are, while the rest (i.e. magazines, whitepapers, novels, manuals, technical books) are left unprotected.


And now we come to a common problem for the vendors and the Enterprise. How do we make the encryption process convenient enough that end users will make use of it? To that end, I think any such encryption should be designed to protect the majority of Enterprise information in an acceptable fashion, and leave the more sensitive information to utilise other solutions (i.e. full disk encryption on a laptop). When we talk about the majority of Enterprise information we are talking about classifications such as X-In-Confidence, where X can be Commercial, Security, HR, Legal or any other Enterprise body. To define it more clearly, I will make use of the definition from SRMBok (Security Risk Management Body of Knowledge) which is:


“Private, security or commercial information prepared with an expectation it may be shared with external parties with a legitimate need to know, subject to relevant restrictions.


If the information were released to the media or competitors organisation XYZ could expect: minimal damage to corporate interests, including reputation; minor potential for financial loss; minor embarrassment to the company or its business partners and minor detriment to employees or customers.”


A solution that may protect material that falls into this category, while maintaining ease of use, would be to introduce the fingerprint technology that you see on numerous laptops these days to authorize the decryption processes. If the fingerprint technology were combined with well designed eBook synchronization software, the protection process may become easy enough that people won’t avoid the “hassle” of having to encrypt sensitive information.


To protect sensitive information, the synchronization software needs to have a very simple way to encrypt data that is to be transferred. This may simply mean having a special “Protected” container for users to copy Enterprise information into. Given that encryption/decryption functions are CPU intensive, we don’t want to encrypt all files if there is no need. This should minimize the impact on battery usage/CPU to only when “Protected” files are decrypted and displayed.


A fingerprint scanner would be used to protect a random password key that is generated during the eBook reader initiation. Then “Protected” files can be encrypted as they are passed from the synchronization software to the eBook reader. If this method is followed, then the random key never needs to leave the eBook reader. This suggests that a tamper resistant/TPM like chip might be important to protect the key from general access if the reader is lost. As long as the person using the eBook reader has their fingerprint authorized, they will be able to display the protected Enterprise material.


Another option for encryption is for the eBook reader to pass the key securely to the synchronization software. This would allow the PC to encrypt the files on its faster CPU first before passing them to the eBook reader. However, once the key is removed from the eBook reader, it opens another source where the key may be found by an attacker to be able to view the eBook reader’s contents. But let’s be realistic, if someone is able to pull the encryption key from the computer’s eBook synchronization software, then it’s very likely that the attacker already has access to all the information stored on the eBook reader anyway.


Of note, Hoff also recently wrote about the same need for a password on the Amazon Kindle2 for Enterprise use.

 

More than just a fingerprint for authentication December 1, 2008

Filed under: Uncategorized — 5thsentinel @ 11:04 am

For those interested in a new spin on biometric authentication using the finger, you may want to have a look at VeinID from Hitachi. The marketing hype is certainly working on overdrive with impressive technical terms like “vascular pattern recognition” and LEDs that penetrate the body’s tissues with near infrared light which is sure to get some excited.

Not to take away from the technology, but reading the website (http://www.hitachi.co.jp/products/it/veinid/global/index.html) did make me chuckle. If you want to see Hitachi’s opinion on how this technology compares to other biometrics they provide a nice table at: http://www.hitachi.co.jp/products/it/veinid/global/introduction/comparison.html

While I am not sure how successful they will be with the USB reader due to its clunky design, I can appreciate the use of such a technology as an alternative biometric reader for physical access control. As it is unlikely that I will be rushing out to buy a USB reader to play with, I guess time will tell how successful Hitachi will be.

 

Is ERM a Better Investment for DLP in a Virtualised Future October 8, 2008

Filed under: Uncategorized — 5thsentinel @ 10:58 pm

Having a look at all the vendors out there doing virtualisation, it seems like the common strategy is to be able to offer central virtualised application (ala Citrix published apps style) or centrally deployed virtual PC images (ala thin client / Sun Ray style). Even Google is in on the act, however, following a different path of making the browser the OS and pushing the apps into the cloud.

I do have a question to all the security architects, or the organisational IT strategists. Do you like the idea of pursuing such a virtualisation strategy, and if so, are the security mitigations you are planning on deploying relevant in such an environment? Or more specifically, if you are planning on an organisation-wide rollout of a desktop DLP suite, will it be relevant if you are potentially heading back to a partial thin client model? When you make security strategies are you considering what the IT technology landscape may look like in 18 months? DLP may be a sensible solution today, but is it just a point in time solution? How long is it really going to take to roll out your DLP solution, compared to what you expected (you know, before reality gets in the way)? You may just be starting to get to the last of the DLP roll out (after probably being through a partial refresh of the product version and configuration) by the time your organisation starts heading down the virtual OS/apps/thin client path.

Maybe a better strategy, if you think you will be heading into the great virtualisation future, is to invest in education and culture change for the end users so that they start classifying (and shock, horror, taking ownership of) their electronic information. Purchase the right tools to make it easy for the end users to undertake the classification process and potentially pilot an ERM solution. Why? Because any classification of information is only going to make the push of virtualisation to the end points that much easier. There would be a good case to give thin clients/virtualised OS’s to those end users that deal with sensitive information (that has been classified, and because it’s been classified it is so much easier to justify) first. Once you have such a configuration, then you can consider if DLP products offer any additional benefits to plug left over information leakage risks.

I think it’s more logical to try to protect the information, at least at the individual file level by encryption, so that if the file leaks it is not a major concern.

 

PKI – Failure due to Utopian Practices October 7, 2008

Filed under: Uncategorized — 5thsentinel @ 9:35 pm

I have been considering in the back of my mind for a while now what the best approach would be to deploy an enterprise wide PKI infrastructure. You know the deal, everyone has read the theory. Build your root CA, have a root key signing party, then sign a child CA with the root and then go bury the root CA under 6 meters of concrete so no-one can ever touch it. Then use the secondary CA to sign other certificates or child CA’s in the enterprise. The theory all makes sense, but why has it been so hard for PKI to be successful in the enterprise? Maybe because the “required” policies and procedures are not rooted in the every day realities of IT operations in a business. Sure, there are very good reasons in any number of sensitive situations where the full gamut of best practice PKI policies should be followed, but let’s face it, for the average enterprise, who has time or the technically skilled resources in IT operations to support such a solution (or the risk profile to require it)?

If I want to implement some sort of technical security strategy, the last thing I want is to have to be supporting it personally for the next X number of years. It can be hard enough to embed a security culture into IT operations to ensure security is a consideration during break-fix/implementation decisions. Who is going to want to support a system that requires all these checks and balances, as well as potential documentation requirements which go directly against the nature of your normal techie? IT operations will resist supporting enterprise wide PKI’s because of the overheads and the aura of “black magic” in the technology.

So what’s the solution? As is the answer to a lot of problems, make it simpler. What is the risk you are trying to mitigate, or reduce by deploying an enterprise PKI? And what is the risk that you are living with today? Is the cost and the overhead of a best practice PKI really going to be cost justified? Why do you need an enterprise wide single PKI architecture at all? If you can use vendor PKI solutions that are internally built into various systems (i.e. email gateways, authentication servers, proxies…) why not just run them as separate PKI’s? Once it’s configured, it’s likely IT operations won’t even realise they are managing PKI’s within the solutions due to the vendor making the function transparent. Sometimes a small improvement is better than waiting for the perfect overall solution.

I think the key is to consider what you are already living with today. User authentication via passwords, unencrypted communications on the LAN (and maybe the WAN), clear text emails …. Yes, PKI can help in many ways, but let’s face it. For the average enterprise’s PKI requirements, if you are worried about protecting the root certificates, the “keys to the kingdom”, then you have lost already. Because while you spend your time protecting the keys to the kingdom, one of your users will likely leave the front gate open anyway. In a lot of cases, PKI should only be considered to be another way to treat opportunistic security threats (e.g. sniffing on the wire, password cracking …) and more consideration should be given to the operational impact of supporting such a system, and the real benefit to the business by having such functions available.

If you want a good reference book on PKI architectures I would recommend:
“Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure” by Russ Housley and Tim Polk. ISBN 0471397024

 

Why Internet Explorer (IE) Wins in the Enterprise September 25, 2008

Filed under: Uncategorized — 5thsentinel @ 10:11 am

In the last few weeks we have seen Google come out with Chrome. All the news surrounding this got me to thinking what this really means for browser management on the enterprise network. The answer unfortunately is probably not much. Let’s face it, which browser out there has tried to address enterprise management requirements in their solutions? While I do like my Firefox icon, from my initial thinking I am left with believing it is Internet Explorer. Tell me how the other browsers supply functionality for:

- Centrally controlled and scheduled updates
- Centrally deployable and enforceable policies for configuration options in the browser
- Deployment of internal CA root certificates (yes this may not be an IE function, but it is much easier because the browser uses the OS certificate store, and therefore the deployment and management functionality).
- Third party browser add on restrictions

While there may have been attempts in the community to address these issues (i.e. Firefox ADM for Firefox), why should an enterprise commit to such solutions if the commitment of the developer into the future is an unknown? Guys, AD is everywhere, or it has enough of a penetration that surely it’s worth the effort to try to build/support GPO enforcement options.

Now, we can look at it from a business model for the alternative models. Why should they care about the enterprise? The enterprise brings a whole heap of functionality requirements that the consumer space does not, and let’s face it, the consumer space is much more forgiving and much larger. However, with the push into the Web console/interface for enterprise systems, by not supporting enterprise requirements the alternative browser teams are giving up on the opportunities for enterprise to require the use of more non-proprietary frameworks from their third party software vendors (bring on the death of ActiveX).

The majority of people may have IE forced upon them during their work life, which is a considerable amount of time. Naturally they become trained/self-trained on the use of IE, so why would they go home and not use IE? It’s what they know, it’s what they are comfortable with. So you can argue that IE maintains its market penetration because it comes with the OS, but maybe the answer is not that simple. People are lazy and don’t like pain, so why would the general population even care about the alternative browsers? Those that have changed are those that appreciate certain features and functionality, and therefore have got past the personal pain/effort barrier.

Consider this thought: “Hey I have to use Firefox/Opera/Chrome/Safari at work and I like it so much better than IE. How do I install it at home”.

So browser developers, give us real enterprise browser alternatives, and we will train our end users in your solution, and maybe…. Just maybe, it may drive your consumer market adoption.