Thursday, December 29, 2016

DFIR Command Line Analysis - Moving from Bash to Powershell

Windows has become a more compelling platform for CLI enthusiasts with Powershell and the release of Windows 10. Add to that the recent controversial Apple hardware choices (no physical escape key, USB-C all the things!) and you have a number of power users and infosec professionals moving more work to Windows. Obviously we supplement with virtual machines regardless, but your base OS is generally where you want to do your heavy lifting.

One of the main use cases that has kept me on a *Nix platform is my time investment in learning the Bash terminal, sed/awk/grep/cut/wc/etc. This post is my first attempt to replicate common analysis workflows in Powershell. Please comment or reach out to me @securitymustard if you have better ways or anything to add.

For this post I'll create a CSV timeline from the evidence on my "Baud.. James Baud" exercise using Plaso. First I mounted the roger_image.ad1 image from the "Baud James Baud" forensics CTF using FTK imager. Make sure to select "File System / Read Only" when mounting to ensure any tools you want to run against the mounted image will work.

log2timeline.exe C:\Users\Username\Desktop\baud.plaso D:\
(D is the drive letter FTK Imager assigned to the mounted image.)

A logical next step is to run "pinfo.exe" from the Plaso toolkit to show what events were processed.

pinfo.exe C:\Users\Username\Desktop\baud.plaso

Finally to complete a CSV timeline we run "psort.exe" to create a CSV from the Plaso database in Eastern Standard Time.

psort.exe -o l2tcsv -z EST -w C:\Users\Username\Desktop\baud.csv C:\Users\Username\Desktop\baud.plaso

The end result is a CSV file containing ~320,000 rows. On a Linux or OSX box in Bash we'd easily verify exactly how many using "wc -l baud.csv". How do we do this in Powershell?

gc .\baud.csv | measure-object -Line

Returns a line count of 323365; subtracting the single header line gives 323364 rows.

In Bash we'd likely size up the data by viewing the first 10 rows with the head command. "head -n10 .\baud.csv". The equivalent command in Powershell would be:

gc .\baud.csv | select -first 10

Looking at the first line, we see that the 5th column is the "Source". In Bash we'd likely run "cut -d',' -f5 baud.csv | sort | uniq -c | sort -n" to see the distribution of the timeline. 

gc .\baud.csv | %{$_.split(',')[4]} | group-object -noelement

Our Powershell equivalent above shows the number of records for each source type. The next logical move is to start using grep to filter this list based upon what questions we're trying to answer. Unfortunately we don't have grep, but we do have "Select-String", which in this case will do just fine.
As far as questions we're trying to answer, let's focus on the malware that was run in the "Baud, James Baud" scenario (file information, execution, surrounding events). There was a file named "conneryhaters.hta", so "conneryhaters" is a good first search.

Select-String -pattern "conneryhaters" .\baud.csv

This quickly shows us the time that the user downloaded the file from "" and the file was written to "Users\RogerMoore\AppData\Local\Microsoft\Windows\INetCache\Low\IE\DT34KEU7\conneryhaters[1].hta". Looks like the user chose to "Run" rather than simply save.
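
To show the same triage in a language that handles l2tcsv quoting properly, here is an added example (mine, not from the post and not part of Plaso) that does the row count, the per-source distribution and the keyword search over a constructed four-row timeline in the l2tcsv layout. The header is the real l2tcsv header; the event rows, the ROGER-PC hostname, the Prefetch hash and the example.invalid URLs are made up. It also shows why the split(',')[4] trick above is safe for the source column but not for later columns, where Plaso quotes fields that contain commas.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in Plaso's l2tcsv layout. The header is the real l2tcsv
# header; the four event rows are made up for this example (they are not rows
# from the baud.csv timeline discussed in the post).
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
10/29/2016,22:05:47,EST,...B,WEBHIST,MSIE Cache File URL record,Content Modification Time,RogerMoore,ROGER-PC,"Location: http://example.invalid/login, visits 1","Location: http://example.invalid/login, visits 1",2,/Users/RogerMoore/AppData/Local/Microsoft/Windows/INetCache/index.dat,0,-,msiecf,-
10/29/2016,22:11:03,EST,...B,FILE,NTFS USN change,Creation Time,-,ROGER-PC,conneryhaters[1].hta,conneryhaters[1].hta,2,/Users/RogerMoore/AppData/Local/Microsoft/Windows/INetCache/Low/IE/DT34KEU7/conneryhaters[1].hta,9112,-,filestat,-
10/29/2016,22:11:05,EST,M...,LOG,Prefetch,Last Time Executed,-,ROGER-PC,MSHTA.EXE was run,MSHTA.EXE was run 1 time(s),2,/Windows/Prefetch/MSHTA.EXE-00000000.pf,9113,-,prefetch,-
10/29/2016,22:12:40,EST,...B,WEBHIST,Chrome History,Last Visited Time,RogerMoore,ROGER-PC,"https://www.google.com/search?q=sean+connery+is+a+fake, Google Search","https://www.google.com/search?q=sean+connery+is+a+fake, Google Search",2,/Users/RogerMoore/AppData/Local/Google/Chrome/User Data/Default/History,9114,-,sqlite/chrome,-
"""


def read_timeline(text):
    """Parse l2tcsv text into a list of dicts keyed by the header names.
    csv.DictReader honours quoting, so commas inside the short/desc fields
    do not shift later columns the way a plain split(',') would."""
    return list(csv.DictReader(io.StringIO(text)))


def row_count(rows):
    """Equivalent of `wc -l` / `Measure-Object -Line` minus the header line."""
    return len(rows)


def source_distribution(rows):
    """Equivalent of `cut -d, -f5 | sort | uniq -c` / `Group-Object` on 'source'."""
    return Counter(r["source"] for r in rows)


def search(rows, keyword):
    """Case-insensitive keyword search across every field (grep -i / Select-String)."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    return [r for r in rows if any(pattern.search(v) for v in r.values())]


def split_mismatches(text, column):
    """Count rows where the naive split(',')[index] from the post disagrees with
    a real CSV parser for `column`. Zero for 'source' (nothing before column 5
    is ever quoted) but non-zero once a quoted field precedes the column."""
    lines = text.splitlines()
    header = next(csv.reader([lines[0]]))
    index = header.index(column)
    mismatches = 0
    for line in lines[1:]:
        naive = line.split(",")[index]
        proper = next(csv.reader([line]))[index]
        if naive != proper:
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    events = read_timeline(SAMPLE_L2TCSV)
    print("rows:", row_count(events))
    for source, n in source_distribution(events).most_common():
        print(f"{n:>6} {source}")
    for hit in search(events, "conneryhaters"):
        print(hit["date"], hit["time"], hit["source"], hit["filename"])
    print("split(',') errors on 'source':", split_mismatches(SAMPLE_L2TCSV, "source"))
    print("split(',') errors on 'short': ", split_mismatches(SAMPLE_L2TCSV, "short"))
```

Point it at a real psort output with read_timeline(open("baud.csv", newline="").read()); the PowerShell equivalent of the csv module is Import-Csv, which is the command to reach for once you need any column past "source".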

Excellent Resources on moving from Bash to Powershell:

Monday, December 19, 2016

Forensic CTF: Baud.. James Baud ANSWERS

Here are the answers to the Forensic CTF. The main idea behind this scenario was to analyze a memory image that doesn't seem to work with any Volatility profile (it's 32 bit Windows 10 - who uses that?). Most of the answers can be retrieved through string searching, coreutils and pivoting off of each piece of data you get. Please send me feedback on Twitter @securitymustard. Thanks and Merry Christmas!

1. Whose computer is this evidence from? Roger Moore
2. Who is the other actor? Sean Connery
3. What email service are they using (include TLD)?
4. What makes this email service difficult to analyze? encryption
5. What is the email address of the user?
6. What email address does he correspond with?
7. What type of file is the payload? html application .hta
8. What is the first Google search the user made about the other individual? sean connery is a fake
9. What is the second Google search the user made about the other individual? sean connery scandal
10. What is the third Google search the user made about the other individual? compromising photo sean connery
11. What IP address was used by the attacker for C2?
12. What is the exact name of the payload? conneryhaters[1].hta or conneryhaters.hta
13. What is the first time the user logged into their email (MM/DD/YYYY H:MM:SS AM/PM)? 10/29/2016 10:05:47 PM
14. What is the mail server name used to send these messages?
15. What is the UTC time of the initial email (as stated in the email header)? October 30, 2016 2:11 AM
16. What is the email subject of the first threatening email sent by the user? 24 HOURS UNTIL THE WORLD KNOWS THE TRUTH
17. What insult does the other individual use in his response? rather cheeky fearlash bashtard

Saturday, November 5, 2016

Forensic CTF: Baud.. James Baud..

SCENARIO: You're on deck to investigate the high profile hack of a celebrity. Your client provided two screenshots of pop-up message boxes he saw on his system, after which he noticed several vital files were deleted from his system.

IR PROCEDURES: A junior analyst from your team accessed the user's system directly and used FTK Imager to take a memory capture as well as create a custom content image (user profile, hives, lnk files, etc). Unfortunately the analyst saved the data directly to the user's desktop before transferring to an external drive, but in this case it shouldn't make a difference in terms of necessary evidence or integrity.

Figure 1: Your client reports that he was hacked and threatened.

Figure 2: The client provided two screenshots that may indicate the perpetrator may have history with the client.

CTF Questions:

  1. Whose computer is this evidence from?
  2. Who is the other actor?
  3. What email service are they using (include TLD)?
  4. What makes this email service difficult to analyze?
  5. What is the email address of the user?
  6. What email address does he correspond with?
  7. What type of file is the payload?
  8. What is the first Google search the user made about the other individual?
  9. What is the second Google search the user made about the other individual?
  10. What is the third Google search the user made about the other individual?
  11. What IP address was used by the attacker for C2?
  12. What is the exact name of the payload?
  13. What is the first time the user logged into their email (MM/DD/YYYY H:MM:SS AM/PM)?
  14. What is the mail server name used to send these messages?
  15. What is the UTC time of the initial email (as stated in the email header)?
  16. What is the email subject of the first threatening email sent by the user?
  17. What insult does the other individual use in his response?

Friday, June 10, 2016

Forensic CTF - Bob's Chili Burgers Website Hacked

Link to Download E01 for Case

Setting the Scene:
You're a consultant who has been called in to conduct a forensic investigation for Bob's Chili Burgers LLC. Bob Barnascus, owner of the company, is disturbed by customer reports that their website was infecting customers with malware. The website was just debuted and within an hour customers sent complaints and legal threats. Bob and his executive leadership team of crack Chili experts have asked the below analytic questions to guide your analysis.

Figure 1: Bob's lengthily developed website captures the essence and substance of his well reputed business.

Mounting the Image on SIFT or Kali:
  1. Place the image in your /cases directory
  2. sudo su   # become root
  3. ewfmount /cases/BobsFamousChiliCase_Logical.E01 /mnt/ewf_mount1/ # Mount the E01 as a RAW in /mnt/ewf_mount1/
  4. mount -t ext4 -o ro,loop,noexec,noload /mnt/ewf_mount1/ewf1 /mnt/e01 # Mount the RAW in /mnt/e01; "noload" skips replaying the ext4 journal so the read-only mount of an unclean filesystem succeeds
For more info:

  1. Verify SHA1 Checksum of the image provided:
  2. Through what protocol was this system compromised? 
  3. What distribution and version is this system?
  4. What country is the attacker's IP address from? 
  5. What time was the attacker account created in UTC (XX:XX:XX format)?
  6. What port is the protocol used to compromise the system set on?
  7. How many different countries are represented by the IPs in the web server log?
  8. What date and time (directly copy/paste from log) did the attacker first log in?
  9. What is the IP that failed to log in directly before the attacker successfully logged in? 
  10. What day of the week does the attacker's cron job fire?
  11. What is the name of the user account the attacker made?
  12. The attacker set a password for the account that they made, what is it set to?
  13. The attacker changed the root password, what is it set to?
  14. What addition to the website is causing users to get redirected to malicious pages?
  15. What exploit kit is the link associated with?
  16. What is the sha256 hash of the first file the attacker added to /var/www/html?
  17. What is the ClamAV name for the second file the attacker added to /var/www/html?
  18. What file was exfiltrated?
  19. What command line tool did the attacker use to exfiltrate the file?
  20. BONUS: URL for the exfiltrated file?
I hope you enjoy this, it was fun making it!

Sunday, April 24, 2016

NIST Hacking Case Tutorial: Wrap up an Old-School Badguy by Happy Hour

Link to the case and evidence download

Link to lab setup post

I'm not looking to create a one-stop shop for homework answers; I'd rather use these cases to demonstrate a methodology to efficiently analyze a case. Thus we won't be answering all of the questions from the NIST site; we'll be setting objectives that support the case and using only the evidence and tools needed to answer them. Please read the details on the NIST site and download the evidence E01 image files.

Greg Schardt is suspected to be associated with this acquired laptop and to go by the alias "Mr. Evil", known to war-drive T-Mobile and Starbucks WiFi, intercepting network traffic and stealing user information.

Figure 1: The hacking tools in this case are so nostalgic, they are only relevant to a student in a CEH prep course (Burn!)

Our Basic Objectives:
  •  Document basic information on system (time zone, hostname, usernames etc)
    • Evidence Needed: Reg hives
    • Tools Needed: Registry Ripper (
  •  Find evidence of the real owner of this computer. Is this system tied to Greg Schardt / Is Schardt Mr. Evil?
    • Evidence Needed: Mounted image (for keyword search) and Reg hives
    • Tools Needed: Registry Ripper (, GoG (Good Ole' Grep)
  •  Find evidence of any hacking activity, tools and devices and tie them back to a user.
    • Evidence Needed: Reg hives, Prefetch, MFT
    • Tools Needed: Filesystem Timeline (fls, mft2csv, or log2timeline/plaso), Registry Ripper (
Given these objectives I've selected a handful of tools to process the evidence and answer our questions. No rabbit holes here (hopefully). Based upon this plan the only environment we should need to process the case is our SIFT Workstation VM.

Here's a link to my evidence and timeline spreadsheet I created throughout the below process if you want to follow along. I have the commands run and the output mapped back to the set objectives. I've found Google Docs to be a KEY tool for documenting cases especially if you're collaborating with multiple analysts. By mapping evidence back to objectives and documenting every significant command run, it's very easy to pick and choose the items that tell the story when writing the report.

1. Prework and Evidence Collection
  • Mount the image in the SIFT-Workstation (see link for more detail)
  • Ewfmount the E01 in SIFT. This will create a raw image of the drive in the mountpoint you select (replace with full path to your image if necessary): ewfmount 4Dell\ Latitude\ CPi.E01 /mnt/ewf/
  • Find the correct offset for mounting the NTFS partition: mmls /mnt/ewf/ewf1 - This disk has 512-byte sectors and the NTFS partition begins at sector 63, so "expr 63 \* 512" gives 32256: the NTFS partition starts at byte offset 32256.
  • Mount the raw image stored in "ewf1" read-only, with the ability to read Windows Alternate Data Streams, starting at the offset we determined previously: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=32256 /mnt/ewf/ewf1 /mnt/windows_mount
  • Create a case folder: mkdir /cases/nist
  • Assuming we mounted the E01 in /mnt/windows_mount/ run the following command to make a new folder and copy the registry hives to it: mkdir /cases/nist/reg && cp /mnt/windows_mount/WINDOWS/system32/config/*  /cases/nist/reg
  • find /mnt/windows_mount -iname "ntuser.dat" -exec cp -v --backup=numbered {} /cases/nist/reg/ \;     <-- the "-exec cp -v --backup=numbered {}" portion of this ensures we copy ALL of the ntuser.dat files into our reg folder (the same /cases/nist/reg folder created in the previous step) without one overwriting another.
  • Assuming we mounted the E01 in /mnt/windows_mount/ run the following command to make a new folder and copy the MFT to it: mkdir /cases/nist/mft && cp /mnt/windows_mount/\$MFT  /cases/nist/mft
  • Is there a hiberfil.sys file? If so let's copy it; this is a memory dump from a point in time: mkdir /cases/nist/hiberfil/ && cp /mnt/windows_mount/hiberfil.sys  /cases/nist/hiberfil/
Figure 2: The "mmls" tool from The Sleuth Kit is vital for finding the partition information used to mount a raw image.
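
As an added example (mine, not from the post and not part of The Sleuth Kit), here is a small parser for mmls output that does the offset arithmetic from the "find the correct offset" step and assembles the mount line from the step after it. The mmls text below is constructed with the geometry the post reports (512-byte sectors, NTFS starting at sector 63); the end and length values of the partition rows are invented. Unlike the single expr in the post it also copes with images that carry several mountable partitions.

```python
import re

# Constructed mmls output in The Sleuth Kit's layout. The sector size and
# the NTFS start sector are the values the post reports for this image;
# the end/length figures and the other rows are made up for this example.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000009327   0000009265   NTFS / exFAT (0x07)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# One partition-table row: index, slot, start, end, length, description.
ROW_RE = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$", re.M)


def parse_mmls(text):
    """Return (sector_size, [partition dicts]) parsed from mmls output."""
    m = UNITS_RE.search(text)
    if not m:
        raise ValueError("could not find sector size in mmls output")
    sector_size = int(m.group(1))
    parts = []
    for slot, start, end, length, desc in ROW_RE.findall(text):
        parts.append({
            "slot": slot,
            "start": int(start),
            "end": int(end),
            "length": int(length),
            "description": desc,
        })
    return sector_size, parts


def filesystem_partitions(parts):
    """Drop the partition-table meta entry and unallocated space; keep rows
    that can actually hold a filesystem."""
    return [p for p in parts if p["slot"] != "Meta" and p["description"] != "Unallocated"]


def byte_offset(sector_size, partition):
    """Same arithmetic as the post's `expr 63 \\* 512`."""
    return partition["start"] * sector_size


def mount_command(sector_size, partition, raw_image, mount_point):
    """Build the read-only loop mount used in the post, with the computed offset."""
    opts = (
        "ro,loop,show_sys_files,streams_interface=windows,"
        f"offset={byte_offset(sector_size, partition)}"
    )
    return f"mount -o {opts} {raw_image} {mount_point}"


if __name__ == "__main__":
    size, parts = parse_mmls(SAMPLE_MMLS)
    for p in filesystem_partitions(parts):
        print(p["description"], "-> offset", byte_offset(size, p))
        print(mount_command(size, p, "/mnt/ewf/ewf1", "/mnt/windows_mount"))
```

Feed it real output with parse_mmls(subprocess.run(["mmls", "/mnt/ewf/ewf1"], capture_output=True, text=True).stdout); the mount line is returned as a string rather than executed so you can read it before running it as root.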

2. Process registry hives
  • Many analysts (myself included) use more modules than they need in Reg Ripper, or resort to using another "kitchen sink" tool. Get used to running just the modules that you need. You can search the modules you need using: -l | grep "keyword"
  • In this case we need to use at least: compname (hostname), logonusertimezone (determine the timezone), appcompatcache (shimcache - evidence of execution), prefetch (to determine if prefetching is enabled), network (for system hive - look at adapters), network (for software hive - look at connected networks)
  • Run the Reg Ripper commands that you need to run using: -r <hive> -p <modulename>
  • Output of all the commands I ran in the Google Sheet
Figure 3: I wonder what the timezone for this system is... Oh wait, thanks Harlan Carvey :-)

3. Keyword Searching
  • Based upon the registry hive review - it's clear there are quite a few hacking tools that were installed in the vicinity of 8/27/2004 and adequate evidence that they were run. My main goal in keyword searching this image is to tie Greg Schardt to the "Mr. Evil" account.
  • The simplest keyword search against this image is just: grep -r -i -a "schardt" /mnt/windows_mount/ (-r recursive, -i case insensitive, -a don't ignore binary files), which will come back with several hits. A tool such as Autopsy (or a commercial forensic suite) can do a better keyword search, but this is free, fast and sufficient in this case.
  • Based upon the user's index.dat file there are several indications that Greg Schardt is in fact "Mr. Evil" and he's tied to the "" email address and accompanying "mrevil2000" Yahoo ID. Additionally - the "Look@Lan" software was downloaded by "Mr. Evil", and installed with "Greg Schardt" as the registered owner. Either Mr. Evil is Greg Schardt or someone is planting consistent misinformation.
Figure 4: Simple keyword search using Grep finds ties between "Mr. Evil" and "Greg Schardt" in index.dat file.
Figure 5: Keyword searching helped discover a configuration file linking "Mr. Evil" and "Greg Schardt".

4. Create and Analyze Basic Filesystem Timeline
  • Using legacy Log2timeline (or tool of your choice) to create a filesystem timeline: log2timeline -z US/Central -r -w /cases/nist/timeline.csv /cases/nist/mft/   (Note - we found the timezone for this host during registry analysis)
  • Open the CSV in LibreOffice OR simply use the CLI (Grep, Cut, Sort, Awk if you're so inclined, etc) to analyze the data.
  • Document the significant events in your timeline, evidence of creation of the significant files, evidence of execution (Prefetch creation and last modification times), evidence of installation (creation of installer files, Prefetch creation for installer), etc.  
5. Process and Analyze Memory Image
  • We found a hiberfil.sys file on this computer, which essentially means that hibernate is enabled. Our filesystem timeline showed us that this hiberfil was created on 8/19/2004 @ 6:04PM CST (before the hacking activity appears to have begun). This limits its utility, but it could still lead to new evidence and insights.
  • Use Volatility to convert the hiberfil to a raw memory dump: imagecopy -f hiberfil.sys -O winxp.img
  • Determine the Volatility profile to use with the "imageinfo" command: -f winxp.img imageinfo
  • Use the pslist command to determine what processes were running at the time: -f winxp.img --profile=WinXPSP2x86 pslist   <-- Interesting entries: mirc.exe (IRC client) and msmsgs.exe (instant messenger)
  • String searching is still a very valid method of finding certain types of evidence within a memory dump: strings winxp.img | grep -i "keyword". Additionally, you can use the YARA functionality in Volatility to search for strings and determine which process they originated from with this format: -f <image> --profile=<profile> yarascan --yara-rules="keyword"
  • The most valuable keyword search to run on memory is "://" because this generally catches URLs, UNC paths, all kinds of goodness
  • In this case this search identifies highly suspect IRC channel access that could indicate child exploitation activity by Mr. Evil. The text from the IRC channels is explicit - I won't post it here, however let it be known I'd stop examining and be on the phone with the local FBI field office if I encountered this @dayjob.
  • We can find some additional value by using the iehistory (gives us IE history as of 8/19 - could show something the user deleted), consoles (command line sessions from 8/19), connscan (network connections from 8/19), and mftparser (extract and analyze MFT from 8/19) commands. 

Figure 6: Network connections from the time the system was hibernated could prove useful.
Figure 7: You could use a command like the above to attempt to find passwords in memory (this one targeting the mirc.exe and msmsgs.exe processes). I have a YARA rule on my Github for this purpose
Figure 8: A simple string search can show IRC interactions in this case. This view shows every time "mrevilrulez" posted in IRC and the surrounding context.
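
The grep -a search in the keyword-searching section above and the strings | grep "://" search in this memory section share one blind spot: both see only ASCII, while Windows stores a great deal of text as UTF-16LE (strings needs -el to see it, and grep -a never will). Here is an added example, mine rather than the post's, that pulls printable runs in both encodings out of a byte blob and runs the case-insensitive keyword search and the "://" search over them, keeping the offset so a hit can be pivoted on with yarascan or a hex editor. The blob is constructed; its IRC line, owner string, UNC path and example.invalid URLs are made up.

```python
import re

# Constructed byte blob standing in for a slice of a memory image or a binary
# file on the mounted drive. It mixes ASCII text, UTF-16LE text (the form
# Windows keeps many strings in, which `strings` skips without -el) and junk.
# Every name, path and URL in it is made up for this example.
SAMPLE_BLOB = (
    b"\x00\x01\x02\x03"
    b"PRIVMSG #chan :hello from mrevilrulez\r\n"
    b"\xff\xfe\x00"
    + "http://www.example.invalid/downloads/lookatlan.exe".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + b"\\\\fileserver\\share\\loot.zip"
    + b"\x90" * 8
    + "Registered owner: Greg Schardt".encode("utf-16-le")
    + b"ftp://ftp.example.invalid/pub\x00"
)

MIN_LEN = 4  # same default minimum run length as `strings`


def extract_strings(blob, min_len=MIN_LEN):
    """Return (offset, encoding, text) tuples for every printable run, i.e.
    what `strings` finds plus what `strings -el` finds, sorted by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def keyword_hits(blob, keyword):
    """Case-insensitive keyword search across both encodings (grep -a -i equivalent)."""
    kw = keyword.lower()
    return [s for s in extract_strings(blob) if kw in s[2].lower()]


def url_like(blob):
    """The post's favourite memory search: anything with '://', plus UNC prefixes."""
    return [s for s in extract_strings(blob) if "://" in s[2] or s[2].startswith("\\\\")]


if __name__ == "__main__":
    for off, enc, text in keyword_hits(SAMPLE_BLOB, "schardt"):
        print(f"0x{off:08x} {enc:8} {text}")
    for off, enc, text in url_like(SAMPLE_BLOB):
        print(f"0x{off:08x} {enc:8} {text}")
```

On a real image read the file in chunks (or mmap it) rather than loading a multi-gigabyte dump at once, and note that a run that straddles a chunk boundary needs the chunks to overlap by at least min_len * 2 bytes to be found.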
Closing Thoughts:
There is even more one could do with this case, but in my opinion there is more than enough evidence in the Google Sheet to pick and choose through to make a very compelling, concise report that fulfills the objectives we set at the beginning of this post. I hope you picked up a few nuggets from this post, please do me a favor and leave any questions or recommendations in the comments.

Sunday, April 17, 2016

Incident Response Practice Exercise Walkthrough Series: Part 1 Initial Lab Setup

In my time in infosec I've had the privilege to work on awesome teams, projects and operational roles and gained skills that have served me well in my career. Though I'm not even close to a virtuoso or expert, I'd like to give something back to the community in the form of write-ups for commonly available forensic practice materials. In general I find that there is far more training material available for offensive security (CTFs, "boot2root" VMs, etc) than for DFIR. That said: Let's Go!

This is the first post in a series where we will walk through forensic practice materials. I will introduce process, tools, and try to show multiple ways to accomplish an objective. I know when I was getting started in this field I would use the practice images/memory dumps/pcaps/etc but not exercise an effective process (which can create bad habits), and as a result I didn't get the most out of the exercises.

Part 1: Create Free and Open Source VM Lab for Forensic Analysis

We will be using only free and/or open source tools in this series; the one non-free requirement will be a Windows license to be used in a VM (Win 10 Enterprise Trial here if needed).

This series will assume you have a Windows, Linux or Mac OSX laptop with at least 8GB of RAM, a processor from the last 5 years, and 100GB of free disk space. VMware Player, Fusion, or Workstation (depending on platform and licensing) needs to be installed. These exercises can also work just fine in VirtualBox, though additional configuration may be needed. I'll try to assume as little as possible about DFIR knowledge but I will assume basic OS and infosec knowledge.

VM 1: SIFT Workstation

SANS does an excellent job maintaining a Linux forensics environment free of charge; we would be downright ungrateful not to use this toolbox. Thanks SANS. This distribution is offered as a VMware image, or as a post-install script for Ubuntu 14.04. It's up to you which way you'd like to install SIFT.

Download link:
YouTube Series:
How to mount images:

This is a fairly complete DFIR toolset, in the same way that Kali Linux is a fairly complete offensive toolset. We will add another set of malware analysis tools from Lenny Zeltser's Remnux distribution with the following command:
wget --quiet -O - | sudo bash 
(Didn't your mother tell you not to pipe HTTP output to a root shell? She didn't? Ok, should be fine then :-)

Update the box:
sudo apt-get update && sudo apt-get upgrade
Take a "Fresh Install SIFT + Remnux" snapshot of this VM before proceeding.

VM 2: Windows Forensics 

A mentor once told me "if you're hacking/forensicating Windows, use Windows. If you're hacking/forensicating Linux, use Linux." and while I often use a *nix environment for everything I can, I think there is an element of truth to his sentiment. While performing many forensics tasks in SIFT is excellent, there are certain tasks that are simply better suited in a Windows environment. My personal ideal environment is my Macbook Pro host with Linux and Windows VM's for analysis.

Install and update a vanilla Windows 7 or 10 virtual machine. Don't install antivirus or other security tools that may stomp on our evidence. Update the system using Windows Update and take a clean "Fresh Install" snapshot of this box.

Unlike SIFT, we are going to need to download/install quite a few tools on this system to make it useful for DFIR. This is far from comprehensive, these are just the tools I can foresee us needing for the practice scenarios.

Forensics Tools:
Autopsy 4.0 - Forensics suite built on The Sleuth Kit (by Brian Carrier) with the addition of a nice GUI. This is the tool most similar to Encase or FTK suites that we'll be using in this series.
FTK Imager - This free tool from AccessData can be used to mount common image formats, create images, create filesystem timelines ("Directory Listing" feature), and even dump memory from a host.
RegRipper - Excellent Windows Registry analysis framework from Harlan Carvey. This tool dramatically simplifies our analysis of common registry artifacts.
Registry Explorer - Another Registry hive viewer from Eric Zimmerman. This is essentially a replacement for regedit that allows easy access to common evidence and the all important last write timestamps.
Shellbags Explorer -  Another from Eric Z. At its simplest: Shellbags are an artifact that allows us to enumerate what folders a user viewed in Windows Explorer. View more here on SANS blog.
MFT Parser - Redwolf Forensics free tool for processing, filtering and analyzing the master file table.
Bulk Extractor - Excellent simple tool that can scan any file(s) for significant artifacts and their frequency (image, pcap, memory dump, etc).
Volatility - Plugin based memory analysis framework. Many analysts are using the Rekall framework now, but I haven't switched. We will install both and I'll be exploring the strengths and weaknesses of both as we go.
Rekall Framework - Rekall was originally a fork from Volatility, which now likely has very little of the original code. The Google team has added many features, including remote live response for OSX when used in conjunction with GRR (very cool!)
Mandiant Redline - Mandiant's free incident response tool. This provides user configurable incident response scripts that can be run on a victim system the output can be analyzed in the Redline console. Some memory analysis operations are more convenient in this GUI than in the CLI tools.
Sysinternals Suite - Mark Russinovich rocks. Sysinternals is a must have on any Windows box and is vital for live response.
PEstudio - Malware analysis isn't the focus of this series, however PEstudio is a very simple to use all in one PE triage tool that will come in handy.

Network Tools:
Wireshark - Core pcap capture and analysis tool.
NetworkMiner - Useful tool for extracting files from a pcap and finding the significance of different objects in a pcap. Generally a good second view after Wireshark.

Notepad++ - General purpose excellent text editor. Replace with your choice if desired.
HxD - Hex editor. Replace with your choice if desired.
7zip - Swiss army knife compression tool.
Firefox + TamperData + Firebug + NoScript + uBlockOrigin + PrivacyBadger OR Chrome equivalent - Browser with security and analysis tools. Replace with your favored browser setup if desired.
Python - Sometimes it's best to just code our own tool.

Whew.. Now take a "All Tools Installed" snapshot of this VM!

Configuration Notes

  • SIFT Workstation creates /cases and /mnt shares which are exported via Samba by default with no security. Mount these shares in your Windows VM and your host OS to allow easy sharing of mounted images and case evidence between all systems.
  • Configure both VMs with a "NAT" network interface. This ensures that your (extremely open) SIFT workstation isn't exposed to the network while retaining internet and local host networking.

Next Post

In my next post we will be deep diving the classic NIST "Hacking Case", a cold case (around 10 years old!) criminal investigation with a Windows XP image. We'll be able to take that case further than the authors probably even knew was possible with modern tools! Stay tuned.