Sunday, April 24, 2016

NIST Hacking Case Tutorial: Wrap up an Old-School Badguy by Happy Hour

Link to the case and evidence download

Link to lab setup post

I'm not looking to create a one-stop shop for homework answers; I'd rather use these cases to demonstrate a methodology for efficiently analyzing a case. So we won't be answering all of the questions from the NIST site; we'll be setting objectives that support the case and using only the evidence and tools needed to answer them. Please read the details on the NIST site and download the E01 evidence image files.

Greg Schardt is suspected to be associated with this acquired laptop and to go by the alias "Mr. Evil", known to war-drive T-Mobile and Starbucks WiFi, intercepting network traffic and stealing user information.

Figure 1: The hacking tools in this case are so nostalgic, they are only relevant to a student in a CEH prep course (Burn!)

Our Basic Objectives:
  •  Document basic information on the system (time zone, hostname, usernames, etc.)
    • Evidence Needed: Reg hives
    • Tools Needed: Registry Ripper (
  •  Find evidence of the real owner of this computer. Is this system tied to Greg Schardt / Is Schardt Mr. Evil?
    • Evidence Needed: Mounted image (for keyword search) and Reg hives
    • Tools Needed: Registry Ripper (, GoG (Good Ole' Grep)
  •  Find evidence of any hacking activity, tools and devices and tie them back to a user.
    • Evidence Needed: Reg hives, Prefetch, MFT
    • Tools Needed: Filesystem Timeline (fls, mft2csv, or log2timeline/plaso), Registry Ripper (
Given these objectives I've selected a handful of tools to process the evidence and answer our questions. No rabbit holes here (hopefully). Based upon this plan the only environment we should need to process the case is our SIFT Workstation VM.

Here's a link to my evidence and timeline spreadsheet I created throughout the below process if you want to follow along. I have the commands run and the output mapped back to the set objectives. I've found Google Docs to be a KEY tool for documenting cases especially if you're collaborating with multiple analysts. By mapping evidence back to objectives and documenting every significant command run, it's very easy to pick and choose the items that tell the story when writing the report.

1. Prework and Evidence Collection
  • Mount the image in the SIFT-Workstation (see link for more detail)
  • Ewfmount the E01 in SIFT. This will create a raw image of the drive in the mountpoint you select (replace with full path to your image if necessary): ewfmount 4Dell\ Latitude\ CPi.E01 /mnt/ewf/
  • Find the correct offset for mounting the NTFS partition: mmls /mnt/ewf/ewf1 - This disk has 512-byte sectors and the NTFS partition begins at sector 63, so "expr 63 \* 512" gives 32256: the NTFS partition starts at byte 32256.
  • Mount the raw image exposed as "ewf1" read-only, with the ability to read Windows Alternate Data Streams, starting at the offset we determined previously: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=32256 /mnt/ewf/ewf1 /mnt/windows_mount
  • Create a case folder: mkdir /cases/nist
  • Assuming we mounted the E01 in /mnt/windows_mount/ run the following command to make a new folder and copy the registry hives to it: mkdir /cases/nist/reg && cp /mnt/windows_mount/WINDOWS/system32/config/*  /cases/nist/reg
  • Copy every ntuser.dat on the image into the same reg folder: find /mnt/windows_mount -iname "ntuser.dat" -exec cp -v --backup=numbered {} /cases/nist/reg/ \;     <-- the "-exec cp -v --backup=numbered {}" portion of this ensures we copy ALL of the ntuser.dat files into our reg folder instead of overwriting same-named copies.
  • Assuming we mounted the E01 in /mnt/windows_mount/ run the following command to make a new folder and copy the MFT to it: mkdir /cases/nist/mft && cp /mnt/windows_mount/\$MFT  /cases/nist/mft
  • Is there a hiberfil.sys file? If so, let's copy it; it is a snapshot of memory from a point in time: mkdir /cases/nist/hiberfil/ && cp /mnt/windows_mount/hiberfil.sys  /cases/nist/hiberfil/
Figure 2: The "mmls" tool from The Sleuth Kit is vital for finding the partition information used to mount a raw image.
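Reading the partition start out of mmls by eye is fine for one image, but it is also the step where a wrong offset silently mounts garbage. The following is an added example, not code from the original post: it parses a constructed mmls listing that carries the same values the post reports (512-byte sectors, NTFS starting at sector 63), refuses to return an offset if no partition matches the requested description, and builds the exact read-only mount command used above. The sample text, the `partition_offset` and `mount_command` names, and the `description` parameter are assumptions made for this example.

```python
"""Compute the byte offset of an NTFS partition from mmls output.

Added example (not from the original post).  The mmls text below is a
constructed sample that mirrors Sleuth Kit output for this image.
"""
import re
import shlex

# Constructed sample of what `mmls /mnt/ewf/ewf1` prints for this image:
# 512-byte sectors, NTFS partition starting at sector 63 (values from the post).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000009341   0000009279   NTFS (0x07)
"""


def sector_size(mmls_text):
    """Read the sector size from the 'Units are in N-byte sectors' line."""
    m = re.search(r"Units are in (\d+)-byte sectors", mmls_text)
    if not m:
        raise ValueError("mmls output has no 'Units are in' line")
    return int(m.group(1))


def partition_offset(mmls_text, description="NTFS"):
    """Return the byte offset of the first partition whose description
    contains `description` (case-insensitive).

    Raises instead of returning 0 when nothing matches, so a typo in the
    description cannot turn into a mount at byte 0 that looks like success.
    """
    size = sector_size(mmls_text)
    for line in mmls_text.splitlines():
        # slot, start, end, length, description
        m = re.match(r"\d+:\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)", line)
        if m and description.lower() in m.group(4).lower():
            return int(m.group(1)) * size
    raise ValueError(f"no partition matching {description!r}")


def mount_command(raw_image, mountpoint, offset):
    """Build the read-only loop mount with ADS access, exactly as in the post."""
    opts = f"ro,loop,show_sys_files,streams_interface=windows,offset={offset}"
    return f"mount -o {opts} {shlex.quote(raw_image)} {shlex.quote(mountpoint)}"


if __name__ == "__main__":
    off = partition_offset(SAMPLE_MMLS)
    print(off)  # 32256 for the sample above
    print(mount_command("/mnt/ewf/ewf1", "/mnt/windows_mount", off))
```

Pipe real mmls output into `partition_offset` (for example by reading `subprocess.check_output(["mmls", "/mnt/ewf/ewf1"])`) and the function does the multiplication the post does with expr; the command string it prints is what you paste into the SIFT shell.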

2. Process registry hives
  • Many analysts (myself included) use more modules than they need in Reg Ripper, or resort to using another "kitchen sink" tool. Get used to running just the modules that you need. You can search the modules you need using: -l | grep "keyword"
  • In this case we need to use at least: compname (hostname), logonusertimezone (determine the timezone), appcompatcache (shimcache - evidence of execution), prefetch (to determine if prefetching is enabled), network (for system hive - look at adapters), network (for software hive - look at connected networks)
  • Run the Reg Ripper commands that you need to run using: -r <hive> -p <modulename>
  • Output of all the commands I ran in the Google Sheet
Figure 3: I wonder what the timezone for this system is... Oh wait, thanks Harlan Carvey :-)

3. Keyword Searching
  • Based upon the registry hive review - it's clear there are quite a few hacking tools that were installed in the vicinity of 8/27/2004 and adequate evidence that they were run. My main goal in keyword searching this image is to tie Greg Schardt to the "Mr. Evil" account.
  • The simplest keyword search against this image is just: grep -r -i -a "schardt" /mnt/windows_mount/ (-r recursive, -i case insensitive, -a don't ignore binary files), which will come back with several hits. A tool such as Autopsy (or a commercial forensic suite) can do a better keyword search, but this is free, fast and sufficient in this case.
  • Based upon the user's index.dat file there are several indications that Greg Schardt is in fact "Mr. Evil" and he's tied to the "" email address and accompanying "mrevil2000" Yahoo ID. Additionally - the "Look@Lan" software was downloaded by "Mr. Evil", and installed with "Greg Schardt" as the registered owner. Either Mr. Evil is Greg Schardt or someone is planting consistent misinformation.
Figure 4: Simple keyword search using Grep finds ties between "Mr. Evil" and "Greg Schardt" in index.dat file.
Figure 5: Keyword searching helped discover a configuration file linking "Mr. Evil" and "Greg Schardt".

4. Create and Analyze Basic Filesystem Timeline
  • Using legacy Log2timeline (or tool of your choice) to create a filesystem timeline: log2timeline -z US/Central -r -w /cases/nist/timeline.csv /cases/nist/mft/   (Note - we found the timezone for this host during registry analysis)
  • Open the CSV in LibreOffice OR simply use the CLI (Grep, Cut, Sort, Awk if you're so inclined, etc) to analyze the data.
  • Document the significant events in your timeline, evidence of creation of the significant files, evidence of execution (Prefetch creation and last modification times), evidence of installation (creation of installer files, Prefetch creation for installer), etc.  
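The "grep, cut, sort" route works, but the questions the last step asks (when did a tool's files first appear, when did it first and last run) are easy to get wrong by hand because each file contributes several rows. The following is an added example, not code from the original post: it reads rows in the l2t_csv column layout that legacy log2timeline writes (the header line is that format; the data rows, tool name, prefetch hash and times are constructed, not the case's real timeline) and turns Prefetch creation (B, "born") and last-modified (M) times into first-run and last-run evidence, plus an earliest-creation lookup for installation evidence. The `prefetch_execution_evidence` and `first_seen` names are assumptions.

```python
"""Pull evidence of execution and installation out of a filesystem timeline.

Added example (not from the original post).  Rows are constructed in the
l2t_csv layout; in that layout the MACB column marks which timestamp the
row is: M = content modified, A = accessed, C = MFT entry changed,
B = born (created).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

L2T_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
              "short,desc,version,filename,inode,notes,format,extra")

# Constructed rows, already in US/Central as the post's -z flag produces.
# TOOL-A and the prefetch hash are invented placeholders.
SAMPLE_TIMELINE = L2T_HEADER + "\n" + "\n".join([
    "08/27/2004,15:14:02,US/Central,.A.B,FILE,NTFS $MFT,$SI [.A.B] time,-,-,"
    "/Program Files/TOOL-A/TOOL-A.exe,/Program Files/TOOL-A/TOOL-A.exe,2,"
    "/Program Files/TOOL-A/TOOL-A.exe,1201,-,mft,-",
    "08/27/2004,15:16:31,US/Central,...B,FILE,NTFS $MFT,$SI [...B] time,-,-,"
    "/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,2,"
    "/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,1202,-,mft,-",
    "08/28/2004,09:02:10,US/Central,M...,FILE,NTFS $MFT,$SI [M...] time,-,-,"
    "/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,2,"
    "/WINDOWS/Prefetch/TOOL-A.EXE-1A2B3C4D.pf,1202,-,mft,-",
    "08/19/2004,18:04:00,US/Central,...B,FILE,NTFS $MFT,$SI [...B] time,-,-,"
    "/hiberfil.sys,/hiberfil.sys,2,/hiberfil.sys,7,-,mft,-",
])


def _stamp(row):
    """Combine the date and time columns into a datetime."""
    return datetime.strptime(f'{row["date"]} {row["time"]}', "%m/%d/%Y %H:%M:%S")


def prefetch_execution_evidence(csv_text):
    """Return {prefetch path: {"first_run": datetime, "last_run": datetime}}.

    The .pf file is created on the first run and rewritten on later runs,
    so its B time is the first run and its M time the most recent run.
    """
    evidence = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["filename"]
        low = name.lower()
        if "/prefetch/" not in low or not low.endswith(".pf"):
            continue
        when = _stamp(row)
        if "B" in row["MACB"]:
            evidence[name]["first_run"] = when
        if "M" in row["MACB"]:
            evidence[name]["last_run"] = when
    return dict(evidence)


def first_seen(csv_text, path_substring):
    """Earliest creation (B) time of any path containing path_substring,
    e.g. when a tool's install folder first appeared; None if absent."""
    times = [_stamp(row) for row in csv.DictReader(io.StringIO(csv_text))
             if "B" in row["MACB"]
             and path_substring.lower() in row["filename"].lower()]
    return min(times) if times else None


if __name__ == "__main__":
    for path, runs in prefetch_execution_evidence(SAMPLE_TIMELINE).items():
        print(path, runs)
    print("TOOL-A installed:", first_seen(SAMPLE_TIMELINE, "/Program Files/TOOL-A"))
    print("hiberfil created:", first_seen(SAMPLE_TIMELINE, "hiberfil.sys"))
```

Point the two functions at the real /cases/nist/timeline.csv and the output maps directly onto the "evidence of execution" and "evidence of installation" rows in the case spreadsheet; a prefetch entry with a first run but no last run is worth a second look, since it usually means the M row was filtered out rather than that the tool ran once.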
5. Process and Analyze Memory Image
  • We found a hiberfil.sys file on this computer, which essentially means that hibernate is enabled. Our filesystem timeline showed us that this hiberfil was created on 8/19/2004 @ 6:04PM CST (before the hacking activity appears to have begun). This limits its utility, but it could still lead to new evidence and insights.
  • Use Volatility to convert the hiberfil to a raw memory dump: imagecopy -f hiberfil.sys -O winxp.img
  • Determine the Volatility profile to use with the "imageinfo" command: -f winxp.img imageinfo
  • Use the pslist command to determine what processes were running at the time: -f winxp.img --profile=WinXPSP2x86 pslist   <-- Interesting entries: mirc.exe (IRC client) and msmsgs.exe (instant messenger)
  • String searching is still a very valid method of finding certain types of evidence within a memory dump: strings winxp.img | grep -i "keyword". Additionally, you can use the YARA functionality in Volatility to search for strings and determine which process they originated from, with this format: -f <image> --profile=<profile> yarascan --yara-rules="keyword"
  • The most valuable keyword search to run on memory is "://" because this generally catches URLs, UNC paths, all kinds of goodness
  • In this case this search identifies highly suspect IRC channel access that could indicate child exploitation activity by Mr. Evil. The text from the IRC channels is explicit - I won't post it here, however let it be known I'd stop examining and be on the phone with the local FBI field office if I encountered this @dayjob.
  • We can find some additional value by using the iehistory (gives us IE history as of 8/19 - could show something the user deleted), consoles (command line sessions from 8/19), connscan (network connections from 8/19), and mftparser (extract and analyze MFT from 8/19) commands. 

Figure 6: Network connections from the time the system was hibernated could prove useful.
Figure 7: You could use a command like the above to attempt to find passwords in memory (this one targeting the mirc.exe and msmsgs.exe processes). I have a YARA rule on my Github for this purpose
Figure 8: A simple string search can show IRC interactions in this case. This view shows every time "mrevilrulez" posted in IRC and the surrounding context.
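Both the grep over the mounted image in section 3 and the strings-plus-grep and "://" sweeps over the memory dump above are the same operation: pull printable runs out of bytes, then filter them. The following is an added example, not code from the original post, serving both passages: a minimal `strings`-style extractor that also catches UTF-16LE text (common in Windows memory and registry data and missed by a plain ASCII `strings`), a case-insensitive keyword search, and the "://" and UNC locator sweep. The byte buffer, the owner name, host name and URL inside it, and the function names are constructed for this example.

```python
"""Keyword and "://" searching over raw bytes, the way `strings | grep` works.

Added example (not from the original post).  SAMPLE_IMAGE is a constructed
stand-in for a slice of a memory dump or a carved file; every name in it
is invented.
"""
import re

# Constructed sample: printable runs separated by binary filler, with one
# UTF-16LE string so the wide-character pass has something to find.
SAMPLE_IMAGE = (
    b"\x00\x01\x02" + b"Registered owner: Example Owner\x00" + b"\xff" * 8
    + b"http://example.invalid/download/tool.zip\x00" + b"\x90" * 5
    + "\\\\FILESERVER\\share\\loot".encode("ascii") + b"\x00\x00"
    + "ExampleOwner@example.invalid".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"  # too short to count as a string
)


def extract_strings(data, min_len=4):
    """Return sorted (offset, text) pairs for ASCII and UTF-16LE printable
    runs of at least min_len characters, like `strings -a` plus `-e l`."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(hits)


def search(data, keyword, ignore_case=True):
    """grep -i equivalent: strings containing keyword, with their offsets."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(re.escape(keyword), flags)
    return [(off, s) for off, s in extract_strings(data) if pattern.search(s)]


def find_locators(data):
    """The post's favourite sweep: anything with '://' (URLs) plus UNC paths."""
    return [(off, s) for off, s in extract_strings(data)
            if "://" in s or s.startswith("\\\\")]


if __name__ == "__main__":
    for off, s in search(SAMPLE_IMAGE, "owner"):
        print(f"{off:#010x}  {s}")
    print("locators:", [s for _, s in find_locators(SAMPLE_IMAGE)])
```

Reading a whole memory image into memory with `open(path, "rb").read()` is fine for an XP-era dump; for larger images iterate over overlapping chunks so a string spanning a chunk boundary is not lost. Keep the offsets: they are what lets you go back with a hex editor, or with Volatility's yarascan, to see which process the hit belongs to.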
Closing Thoughts:
There is even more one could do with this case, but in my opinion there is more than enough evidence in the Google Sheet to pick and choose through to make a very compelling, concise report that fulfills the objectives we set at the beginning of this post. I hope you picked up a few nuggets from this post, please do me a favor and leave any questions or recommendations in the comments.

Sunday, April 17, 2016

Incident Response Practice Exercise Walkthrough Series: Part 1 Initial Lab Setup

In my time in infosec I've had the privilege to work on awesome teams, projects and operational roles and gained skills that have served me well in my career. Though I'm not even close to a virtuoso or expert, I'd like to give something back to the community in the form of write-ups for commonly available forensic practice materials. In general I find that there is far more training material available for offensive security (CTFs, "boot2root" VMs, etc.) than for DFIR. That said: Let's Go!

This is the first post in a series where we will walk through forensic practice materials. I will introduce process, tools, and try to show multiple ways to accomplish an objective. I know when I was getting started in this field I would use the practice images/memory dumps/pcaps/etc but not exercise an effective process (which can create bad habits), and as a result I didn't get the most out of the exercises.

Part 1: Create Free and Open Source VM Lab for Forensic Analysis

We will be using only free and/or open source tools in this series; the one non-free requirement will be a Windows license to be used in a VM (Win 10 Enterprise Trial here if needed).

This series will assume you have a Windows, Linux or Mac OSX laptop with at least 8GB of RAM, a processor from the last 5 years, and 100GB of free disk space. VMware Player, Fusion, or Workstation (depending on platform and licensing) needs to be installed. These exercises can also work just fine in VirtualBox, though additional configuration may be needed. I'll try to assume as little as possible about DFIR knowledge but I will assume basic OS and infosec knowledge.

VM 1: SIFT Workstation

SANS does an excellent job maintaining a Linux forensics environment free of charge; we would be downright ungrateful not to use this toolbox. Thanks SANS. This distribution is offered as a VMware image, or as a post-install script for Ubuntu 14.04. It's up to you which way you'd like to install SIFT.

Download link:
YouTube Series:
How to mount images:

This is a fairly complete DFIR toolset, in the same way that Kali Linux is a fairly complete offensive toolset. We will add another set of malware analysis tools from Lenny Zeltser's Remnux distribution with the following command:
wget --quiet -O - | sudo bash 
(Didn't your mother tell you not to pipe HTTP output to a root shell? She didn't? Ok, should be fine then :-)

Update the box:
sudo apt-get update && sudo apt-get upgrade
Take a "Fresh Install SIFT + Remnux" snapshot of this VM before proceeding.

VM 2: Windows Forensics 

A mentor once told me "if you're hacking/forensicating Windows, use Windows. If you're hacking/forensicating Linux, use Linux." and while I often use a *nix environment for everything I can, I think there is an element of truth to his sentiment. While performing many forensics tasks in SIFT is excellent, there are certain tasks that are simply better suited to a Windows environment. My personal ideal environment is my Macbook Pro host with Linux and Windows VMs for analysis.

Install and update a vanilla Windows 7 or 10 virtual machine. Don't install antivirus or other security tools that may stomp on our evidence. Update the system using Windows Update and take a clean "Fresh Install" snapshot of this box.

Unlike SIFT, we are going to need to download/install quite a few tools on this system to make it useful for DFIR. This is far from comprehensive; these are just the tools I can foresee us needing for the practice scenarios.

Forensics Tools:
Autopsy 4.0 - Forensics suite built on The Sleuth Kit (by Brian Carrier) with the addition of a nice GUI. This is the tool most similar to Encase or FTK suites that we'll be using in this series.
FTK Imager - This free tool from AccessData can be used to mount common image formats, create images, create filesystem timelines ("Directory Listing" feature), and even dump memory from a host.
RegRipper - Excellent Windows Registry analysis framework from Harlan Carvey. This tool dramatically simplifies our analysis of common registry artifacts.
Registry Explorer - Another Registry hive viewer from Eric Zimmerman. This is essentially a replacement for regedit that allows easy access to common evidence and the all important last write timestamps.
Shellbags Explorer -  Another from Eric Z. At its simplest: Shellbags are an artifact that allows us to enumerate what folders a user viewed in Windows Explorer. View more here on SANS blog.
MFT Parser - Redwolf Forensics free tool for processing, filtering and analyzing the master file table.
Bulk Extractor - Excellent simple tool that can scan any file(s) for significant artifacts and their frequency (image, pcap, memory dump, etc).
Volatility - Plugin based memory analysis framework. Many analysts are using the Rekall framework now, but I haven't switched. We will install both and I'll be exploring the strengths and weaknesses of both as we go.
Rekall Framework - Rekall was originally a fork from Volatility, which now likely has very little of the original code. The Google team has added many features, including remote live response for OSX when used in conjunction with GRR (very cool!)
Mandiant Redline - Mandiant's free incident response tool. This provides user-configurable incident response scripts that can be run on a victim system, and the output can be analyzed in the Redline console. Some memory analysis operations are more convenient in this GUI than in the CLI tools.
Sysinternals Suite - Mark Russinovich rocks. Sysinternals is a must have on any Windows box and is vital for live response.
PEstudio - Malware analysis isn't the focus of this series, however PEstudio is a very simple to use all in one PE triage tool that will come in handy.

Network Tools:
Wireshark - Core pcap capture and analysis tool.
NetworkMiner - Useful tool for extracting files from a pcap and finding the significance of different objects in a pcap. Generally a good second view after Wireshark.

Notepad++ - General purpose excellent text editor. Replace with your choice if desired.
HxD - Hex editor. Replace with your choice if desired.
7zip - Swiss army knife compression tool.
Firefox + TamperData + Firebug + NoScript + uBlockOrigin + PrivacyBadger OR Chrome equivalent - Browser with security and analysis tools. Replace with your favored browser setup if desired.
Python - Sometimes it's best to just code our own tool.

Whew.. Now take an "All Tools Installed" snapshot of this VM!

Configuration Notes

  • SIFT Workstation creates /cases and /mnt shares which are exported via Samba by default with no security. Mount these shares in your Windows VM and your host OS to allow easy sharing of mounted images and case evidence between all systems.
  • Configure both VMs with a "NAT" network interface. This ensures that your (extremely open) SIFT workstation isn't exposed to the network while retaining internet and local host networking.

Next Post

In my next post we will be deep diving the classic NIST "Hacking Case", a cold case (around 10 years old!) criminal investigation with a Windows XP image. We'll be able to take that case further than the authors probably even knew was possible with modern tools! Stay tuned.