First, A Note on Windows Passwords ...
Thought I should include some relevant theory rather than dive striaght in as I have been doing ...
Jesper M. Johansson has written an excellent PowerPoint presentation on "Windows Passwords: Everything You Need To Know" here.
I'm not sure when it was written, but he also wrote a similar MS Technet article in 2005 here.
In both, he describes how Windows stores/uses passwords. There are 2 types of password hashes stored in Windows - the LanManager (LM) password hash and the more recent NT password hash.
The LM password is a holdover from the past and is still included for backward compatibility. It relies on padding, capitalising and splitting a password into 2 seperate 7 character parts. These parts are then used as (DES) encryption keys to encrypt a known constant. The two resultant encrypted outputs are then joined together to form the LM "hash". There are only 142 possible useable characters that can be entered by the user (of which only 68 appear on English keyboards) and the maximum number of password combinations is 6.8 x 10^12.
In contrast, the NT password hash uses the MD4 hash function on a Unicode (65 535 symbols) based password. If we limit ourselves to use the same character set/password length as LM, there are 4.6 x 10^25 combinations. Which is a LOT more combinations than LM! And once we allow ourselves to use anything from the full symbol list, the number of 14 character length password combinations increases to 2.7 x 10^67. Clearly, NT hashes are a lot more secure than LM hashes.
By using a password longer than 14 characters, Windows will not store the LM password hash (only the NT hash). You can also create/set a NoLMHash Registry value to stop LM hash storage.
I suspect if you want to login to an XP system on your desk, you will need the NT password. But if all you have is the LM password, you could start capitalising various combinations until you get a valid login. eg given a LM password of "NEON96" try Neon96, nEon96 etc.
Using SIFT ophcrack
So as promised, here's how to crack a Windows password using ophcrack on the SIFT Workstation.
1. Go here and download the XP Free Fast (703 Mb) zip file to SIFT (eg save to "/home/sansforensics").
2. Launch a new command terminal window and type "mkdir ~/ophcrack_tables" followed by "mkdir ~/ophcrack_tables/tables_xp_free_fast". Note: The "~/" is shorthand for your home directory ie "/home/sansforensics/". In this step, we are creating a directory structure to store our rainbow tables.
3. Type "mv ~/tables_xp_free_fast.zip ~/ophcrack_tables/tables_xp_free_fast/" to move the downloaded zip file to our new directory structure. This step assumes that you downloaded the zip file to "/home/sansforensics/".
4. Type "cd ~/ophcrack_tables/tables_xp_free_fast" followed by "unzip tables_xp_free_fast.zip" to extract the zip file to the "~/ophcrack_tables/tables_xp_free_fast/" directory.
5. Assuming you've already done step 6 from the previous Volatility post and have obtained the XP hash password file (in "~/xp-passwd"), type "ophcrack -d ~/ophcrack_tables/ -t tables_xp_free_fast,0,1,2,3 -n 4 -f ~/xp-passwd -l ophcrack-vol-op.txt" to load/use all 4 tables to crack the "xp-passwd" hash file and then store the results in the "ophcrack-vol-op.txt" file in the current directory.
The output at the command line will eventually look like:
0h 4m 11s; search (98%); tables: total 4, done 3, using 1; pwd found 4/7.
6. By typing "more ophcrack-vol-op.txt" we can see the actual results:
15 hashes have been found in /home/sansforensics/xp-passwd.
Opened 4 table(s) from /home/sansforensics/ophcrack_tables//tables_xp_free_fast,0,1,2,3.
0h 0m 0s; Found empty password for user Guest (NT hash #1)
0h 0m 0s; Found empty password for 2nd LM hash #4
0h 0m 0s; Found empty password for user Sarah (NT hash #6)
0h 0m 1s; Found password 6 for 2nd LM hash #0
0h 0m 53s; Found password NEON199 for 1st LM hash #0in table XP free fast #2 at column 4645.
0h 0m 53s; Found password Neon1996 for user Administrator (NT hash #0)
0h 0m 59s; Found password NEON96 for 1st LM hash #4in table XP free fast #1 at column 4368.
0h 0m 59s; Found password Neon96 for user phoenix (NT hash #4)
0h 1m 6s; Found password JVYMGP1 for 2nd LM hash #2in table XP free fast #0 at column 4037.
Results:
username / hash LM password NT password
Administrator NEON1996 Neon1996
Guest *** empty *** *** empty ***
HelpAssistant .......JVYMGP1 .......
SUPPORT_388945a0 *** empty *** .......
phoenix NEON96 Neon96
ASPNET .............. .......
Sarah *** empty *** *** empty ***
It looks like the NIST "HelpAssistant" password cracking attempt has failed - it might have special characters in it. You can also see it took A LOT less time than using John The Ripper (minutes vs hours) and that ophcrack provides the case-sensitive version of the passwords under "NT password" rather than the "LanManager" all caps version.
Just FYI, ophcrack also has a nice Windows GUI available for download from sourceforge but it will only be as good as the rainbow tables you give it.
So I think that about covers Windows Password cracking for now. Please feel free to suggest a new forensicatory area to investigate next.
The (Badly) Illustrated Musings of a Cheeky Forensics Monkey ...
Tuesday 27 December 2011
Using SIFT to Crack a Windows (XP) Password from a Forensic Image
In the previous post, we focused on retrieving Windows login passwords from a memory dump using Volatility.
But what happens if you don't have a memory dump / only have a forensic image of the hard drive?
Well, Rob Lee has kindly provided the tools in the SANS SIFT (V2.12) workstation and Irongeek has previously posted a how-to-guide. Additional information is also available in "Windows Registry Forensics" by Harlan Carvey (p 95) which describes other tools that can be used to crack Windows passwords (eg pwdump7, Cain, ophcrack).
For this exercise, we will be using the M57 Jean image (mounted as before) and seeing if we can extract any Windows passwords.
Windows (XP) uses a "bootkey" to encrypt the SAM password hashes so we need to determine this (using bkhive) first. We can then retrieve the unencrypted password hashes (using samdump2) and crack them using John The Ripper.
Note: With this knowledge comes great responsibility - seriously, please don't abuse it.
At a terminal command prompt:
1. Type "bkhive /mnt/m57jean/WINDOWS/system32/config/system saved-system-key.txt"
which should give the following output:
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 02d709efb8514a2fc7474b28a30e0180
The "saved-system-key.txt" file now contains the bootkey
2. Type "samdump2 /mnt/m57jean/WINDOWS/system32/config/SAM saved-system-key.txt > jean-passwords.txt" to extract the hashes and store them in "jean-passwords.txt".
The screen output looks something like:
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : SAM
And we can view the contents of "jean-passwords.txt" by typing "more jean-passwords.txt":
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3bdfc311d5a1fc504f78d8f541b1278:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b4bc4c178aa19d6a32960f64e16b6944:::
Kim:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Note: looking at the first hash group ("aad3b435b51404eeaad3b435b51404ee") for each login suggests that they all have the same password except for "HelpAssistant".
3. Type "john jean-passwords.txt" to brute force the password hashes. You might need to copy the "john.conf" to the local directory if you haven't already done this (see the previous post exercise's step 8).
The output should be something similar to:
Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
guesses: 0 time: 0:00:00:35 (3) c/s: 9522K trying: JD43877 - JD43804
guesses: 0 time: 0:00:01:36 (3) c/s: 12533K trying: MDLIDL - MDLA39
guesses: 0 time: 0:00:01:48 (3) c/s: 12610K trying: H2OUB1$ - H2OUGY!
guesses: 0 time: 0:00:13:20 (3) c/s: 15198K trying: EL3CFR9 - EL3CFSU
guesses: 0 time: 0:00:19:48 (3) c/s: 15325K trying: VWATIBN - VWATLA.
guesses: 0 time: 0:00:27:03 (3) c/s: 15364K trying: 4VA1RWW - 4VA1TA4
guesses: 0 time: 0:00:27:09 (3) c/s: 15367K trying: R318IP8 - R318I2T
guesses: 0 time: 0:00:37:19 (3) c/s: 15617K trying: 3LP7VNZ - 3LP7V40
2KPLRCM (HelpAssistant:2)
guesses: 1 time: 0:00:39:55 (3) c/s: 15300K trying: KMX1MP1 - KMX1MCS
guesses: 1 time: 0:00:48:17 (3) c/s: 14007K trying: GMEL-1D - GMEN315
guesses: 1 time: 0:01:00:39 (3) c/s: 12784K trying: IEH;G F - IEHKIQN
guesses: 1 time: 0:01:07:02 (3) c/s: 12274K trying: HX0RW8F - HX0RJE0
guesses: 1 time: 0:01:16:48 (3) c/s: 11733K trying: J SJF5Y - J SJFP5
guesses: 1 time: 0:01:26:37 (3) c/s: 11303K trying: LL*MKH0 - LL*MKT2
guesses: 1 time: 0:01:30:49 (3) c/s: 11166K trying: MKGU97X - MKGU90L
guesses: 1 time: 0:02:03:45 (3) c/s: 10335K trying: LT8HFGI - LT8HFMG
guesses: 1 time: 0:02:21:02 (3) c/s: 10011K trying: K_)LILG - K_)LLS&
guesses: 1 time: 0:02:22:42 (3) c/s: 9970K trying: ZW6RCD@ - ZW6RB5Z
and if you keep waiting .... eventually (several hours later on my VM)
LL@1WI8 (HelpAssistant:1)
4. Typing "john -show jean-passwords.txt" will show the results in full:
Administrator::500:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:LL@1WI82KPLRCM:1000:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0::1002:b4bc4c178aa19d6a32960f64e16b6944:::
Kim::1003:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean::1004:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison::1005:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah::1006:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon::1007:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha::1008:31d6cfe0d16ae931b73c59d7e0c089c0:::
11 password hashes cracked, 0 left
So we can conclude that there was only one set password ("LL@1WI82KPLRCM" for "HelpAssistant"). It appears that all other logins did not use a password - Oh The Horror!
We can then infer that access to the Windows system is/was effectively uncontrolled and anyone could have access. Thus planting some seeds of doubt when trying to attribute a user's activities.
A quicker password cracking method would be to use ophcrack (also provided on SIFT) and download the XP rainbow table(s). The rainbow table contains pre-calculated results to compare the hashes to so the process should run much quicker.
Looking at the ophcrack tables info page shows that we would need to use the XP Special (7.5 Gb) table to handle the special "@" character in the "HelpAssistant" password.
This table is not free so thats where I'll choose to end this exercise (cheap b@stard!). The smaller free tables only handle upper and lower case letters and numbers - no special characters. Just for completeness, I'll probably do a future post about ophcrack using the hashed SAM passwords from the Volatility post - none of those passwords use special characters.
But what happens if you don't have a memory dump / only have a forensic image of the hard drive?
Well, Rob Lee has kindly provided the tools in the SANS SIFT (V2.12) workstation and Irongeek has previously posted a how-to-guide. Additional information is also available in "Windows Registry Forensics" by Harlan Carvey (p 95) which describes other tools that can be used to crack Windows passwords (eg pwdump7, Cain, ophcrack).
For this exercise, we will be using the M57 Jean image (mounted as before) and seeing if we can extract any Windows passwords.
Windows (XP) uses a "bootkey" to encrypt the SAM password hashes so we need to determine this (using bkhive) first. We can then retrieve the unencrypted password hashes (using samdump2) and crack them using John The Ripper.
Note: With this knowledge comes great responsibility - seriously, please don't abuse it.
At a terminal command prompt:
1. Type "bkhive /mnt/m57jean/WINDOWS/system32/config/system saved-system-key.txt"
which should give the following output:
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 02d709efb8514a2fc7474b28a30e0180
The "saved-system-key.txt" file now contains the bootkey
2. Type "samdump2 /mnt/m57jean/WINDOWS/system32/config/SAM saved-system-key.txt > jean-passwords.txt" to extract the hashes and store them in "jean-passwords.txt".
The screen output looks something like:
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : SAM
And we can view the contents of "jean-passwords.txt" by typing "more jean-passwords.txt":
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3bdfc311d5a1fc504f78d8f541b1278:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b4bc4c178aa19d6a32960f64e16b6944:::
Kim:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Note: looking at the first hash group ("aad3b435b51404eeaad3b435b51404ee") for each login suggests that they all have the same password except for "HelpAssistant".
3. Type "john jean-passwords.txt" to brute force the password hashes. You might need to copy the "john.conf" to the local directory if you haven't already done this (see the previous post exercise's step 8).
The output should be something similar to:
Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
guesses: 0 time: 0:00:00:35 (3) c/s: 9522K trying: JD43877 - JD43804
guesses: 0 time: 0:00:01:36 (3) c/s: 12533K trying: MDLIDL - MDLA39
guesses: 0 time: 0:00:01:48 (3) c/s: 12610K trying: H2OUB1$ - H2OUGY!
guesses: 0 time: 0:00:13:20 (3) c/s: 15198K trying: EL3CFR9 - EL3CFSU
guesses: 0 time: 0:00:19:48 (3) c/s: 15325K trying: VWATIBN - VWATLA.
guesses: 0 time: 0:00:27:03 (3) c/s: 15364K trying: 4VA1RWW - 4VA1TA4
guesses: 0 time: 0:00:27:09 (3) c/s: 15367K trying: R318IP8 - R318I2T
guesses: 0 time: 0:00:37:19 (3) c/s: 15617K trying: 3LP7VNZ - 3LP7V40
2KPLRCM (HelpAssistant:2)
guesses: 1 time: 0:00:39:55 (3) c/s: 15300K trying: KMX1MP1 - KMX1MCS
guesses: 1 time: 0:00:48:17 (3) c/s: 14007K trying: GMEL-1D - GMEN315
guesses: 1 time: 0:01:00:39 (3) c/s: 12784K trying: IEH;G F - IEHKIQN
guesses: 1 time: 0:01:07:02 (3) c/s: 12274K trying: HX0RW8F - HX0RJE0
guesses: 1 time: 0:01:16:48 (3) c/s: 11733K trying: J SJF5Y - J SJFP5
guesses: 1 time: 0:01:26:37 (3) c/s: 11303K trying: LL*MKH0 - LL*MKT2
guesses: 1 time: 0:01:30:49 (3) c/s: 11166K trying: MKGU97X - MKGU90L
guesses: 1 time: 0:02:03:45 (3) c/s: 10335K trying: LT8HFGI - LT8HFMG
guesses: 1 time: 0:02:21:02 (3) c/s: 10011K trying: K_)LILG - K_)LLS&
guesses: 1 time: 0:02:22:42 (3) c/s: 9970K trying: ZW6RCD@ - ZW6RB5Z
and if you keep waiting .... eventually (several hours later on my VM)
LL@1WI8 (HelpAssistant:1)
4. Typing "john -show jean-passwords.txt" will show the results in full:
Administrator::500:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:LL@1WI82KPLRCM:1000:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0::1002:b4bc4c178aa19d6a32960f64e16b6944:::
Kim::1003:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean::1004:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison::1005:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah::1006:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon::1007:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha::1008:31d6cfe0d16ae931b73c59d7e0c089c0:::
11 password hashes cracked, 0 left
So we can conclude that there was only one set password ("LL@1WI82KPLRCM" for "HelpAssistant"). It appears that all other logins did not use a password - Oh The Horror!
We can then infer that access to the Windows system is/was effectively uncontrolled and anyone could have access. Thus planting some seeds of doubt when trying to attribute a user's activities.
A quicker password cracking method would be to use ophcrack (also provided on SIFT) and download the XP rainbow table(s). The rainbow table contains pre-calculated results to compare the hashes to so the process should run much quicker.
Looking at the ophcrack tables info page shows that we would need to use the XP Special (7.5 Gb) table to handle the special "@" character in the "HelpAssistant" password.
This table is not free so thats where I'll choose to end this exercise (cheap b@stard!). The smaller free tables only handle upper and lower case letters and numbers - no special characters. Just for completeness, I'll probably do a future post about ophcrack using the hashed SAM passwords from the Volatility post - none of those passwords use special characters.
Wednesday 14 December 2011
Using SIFT to Crack a Windows (XP) Password from a Memory Dump
Introduction:
Recently, I was thinking about writing a blog entry on Volatility but then found out that SketchyMoose has done an awesome job of covering it already (in a Windows environment). Thinking of my fellow SIFT-ians / SIFT-ers / SIFT-heads (what?!) - I figured I could still write an entry with a focus on using the SIFT VM to crack a Windows password *evil laugh*.
To give an example of a DFIR scenario, FTK Imager can be used to capture a live Windows memory image and then the SIFT VM can be used to determine the Windows password(s). Or the responder could always nicely ask the owner for the password ;)
For this scenario however, we will be using a Windows XP memory image supplied by NIST. It's not that I don't trust you all with the contents of my memory ... *sarcastic laugh*
Here are the resources I used:
- The SketchyMoose's Blog entry that inspired me (to copy it ;) :
http://sketchymoose.blogspot.com/2011/10/cracking-passwords-with-volatility-and.html
with some further demos:
http://sketchymoose.blogspot.com/2011/11/using-volatility-suspicious-process.html
- For the official Volatility Documentation (eg plugin usage with example outputs) see:
https://code.google.com/p/volatility/wiki/CommandReference
and for some brief notes about Volatility from the SANS Forensics 2009 - Memory Forensics and Registry Analysis Presentation by Brendan Dolan-Gavitt see:
http://www.slideshare.net/mooyix/sans-forensics-2009-memory-forensics-and-registry-analysis
- The official John The Ripper Documentation is available at:
http://www.openwall.com/john/doc/
with usage examples at:
http://www.openwall.com/john/doc/EXAMPLES.shtml
So what I'm now about to cover is specific to using Volatility (2.1a) and John The Ripper as provided on the SANS SIFT Virtual Machine V2.12.
Volatility can be used to analyse a variety of Windows memory images. The general usage syntax is:
vol.py plugin_name memory_image_name
where plugin_name can be things such as pslist (list of running processes), pstree (hierachical view of running processes), connections (live network connections), connscan (live and previous network connection artifacts), hivelist (Windows hive virtual addresses), hashdump (extracts hashes of domain credentials). For more plugins refer to the Volatility Documentation Wiki link mentioned previously.
Method:
Here are the steps I followed:
1. From the command prompt in the SIFT VM, type "sudo mkdir /cases/mem" to create a directory "/cases/mem"
2. Copy/Download "memory-images.rar" (~500 Mb) to "/cases/mem/" from NIST's CFReDS Project at http://www.cfreds.nist.gov/mem/Basic_Memory_Images.html
3. Type "sudo unrar e /cases/mem/memory-images.rar" to extract NIST images to "/cases/mem/"
4. Type "vol.py imageinfo -f /cases/mem/xp-laptop-2005-07-04-1430.img"
This should return an output something like:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/cases/mem/xp-laptop-2005-07-04-1430.img)
PAE type : No PAE
DTB : 0x39000
KDBG : 0x8054c060L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2005-07-04 18:30:32
Image local date and time : 2005-07-04 18:30:32
Number of Processors : 1
Image Type : Service Pack 2
5. We then use the "WINXPSP3x86" profile to search/parse thru the dump. Type "sudo vol.py --profile=WinXPSP3x86 hivelist -f /cases/mem/xp-laptop-2005-07-04-1430.img" so we can obtain the virtual addresses for the SAM and System hives. Note without the "sudo", I was getting some errors so I decided to play it safe. I also tried using it with "--profile=WinXPSP2x86" but got similar errors.
The resulting output will look something like:
Volatile Systems Volatility Framework 2.1_alpha
Virtual Physical Name
0xe2610b60 0x14a99b60 \Device\HarddiskVolume1\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578 0x17141578 \Device\HarddiskVolume1\Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008 0x0f12c008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888 0x0efc5888 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688 0x0e88e688 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60 0x0dff5b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60 0x0c748b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1a5a7e8 0x094bf7e8 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe165cb60 0x0c6ecb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a4f770 0x0948c770 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1559b38 0x02d64b38 [no name]
0xe1035b60 0x0283db60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02837008 [no name]
0x8068d73c 0x0068d73c [no name]
6. Now we can extract the hashed password list to a file (in the current directory) called "xp-passwd" by typing "vol.py --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe165cb60 -f /cases/mem/xp-laptop-2005-07-04-1430.img > xp-passwd"
Note: 0xe1035b60 = system hive virtual address, 0xe165cb60 = SAM hive virtual address which we obtained previously in step 5.
7. (Optional) If you type "cat xp-passwd" you should get something like:
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
8. For clarity, I am assuming that you will be running these commands from "/home/sansforensics". I had some initial problems launching John The Ripper from there - it was complaining that it couldn't open "john.ini" which contains the configuration info/rules. Consequently, I copied/renamed the John configuration file into "/home/sansforensics" using the command "cp /etc/john/john.conf ~/john.ini". This ensures that John's rules will be initialised properly when we proceed with the next step.
9. Type "john xp-passwd" and depending on your CPU, wait a while ... you should get something like this:
Loaded 10 password hashes with no different salts (LM DES [128/128 BS SSE2])
(Sarah)
(SUPPORT_388945a0)
(Guest)
6 (Administrator:2)
NEON96 (phoenix)
guesses: 5 time: 0:00:01:27 (3) c/s: 33842K trying: FG#NNJG - FG#NNNI
guesses: 5 time: 0:00:01:32 (3) c/s: 33771K trying: SWY1-4C - SWYEGAD
guesses: 5 time: 0:00:01:38 (3) c/s: 33981K trying: 0INHM1 - 0INIEK
guesses: 5 time: 0:00:03:35 (3) c/s: 35750K trying: KM51319 - KM5135E
NEON199 (Administrator:1)
guesses: 6 time: 0:00:16:35 (3) c/s: 30877K trying: 3S35/5# - 3S35/EA
guesses: 6 time: 0:00:17:49 (3) c/s: 30836K trying: 06OZJYB - 06OZJ4U
guesses: 6 time: 0:00:20:14 (3) c/s: 30332K trying: GM5BOM! - GM5BILI
guesses: 6 time: 0:00:20:19 (3) c/s: 30341K trying: HMO-F37 - HMO-FM.
guesses: 6 time: 0:00:40:15 (3) c/s: 30880K trying: EYGOMOA - EYGOP5U
guesses: 6 time: 0:00:52:16 (3) c/s: 30931K trying: W8W24EI - W8W24N6
JVYMGP1 (HelpAssistant:2)
guesses: 7 time: 0:01:22:17 (3) c/s: 28872K trying: V4VBN69 - V4VBN8F
guesses: 7 time: 0:01:23:37 (3) c/s: 28802K trying: UCBKWW0 - UCBKWG6
guesses: 7 time: 0:01:28:01 (3) c/s: 28419K trying: SGVRGO6 - SGVRGUV
guesses: 7 time: 0:01:38:31 (3) c/s: 28008K trying: #04CR3 - #04CM!
guesses: 7 time: 0:01:47:08 (3) c/s: 27758K trying: UFE'ACB - UFE'ABN
guesses: 7 time: 0:01:49:04 (3) c/s: 27620K trying: FXRG7D - FXRBOVW
guesses: 7 time: 0:02:02:48 (3) c/s: 27110K trying: DYCIAQD - DYCIIHK
guesses: 7 time: 0:06:31:50 (3) c/s: 24555K trying: )K6T-. - )K6T_F
guesses: 7 time: 0:06:32:15 (3) c/s: 24557K trying: )^Y3G_ - )^Y3TT
Session aborted
You can see where I ran out of patience with my single core Athlon64 CPU and aborted the session after approx 6.5 hours (by pressing CTRL-C). Your mileage will vary methinks - so feel free to let it run to completion. Whilst John is running, whenever the operator presses a key, a timestamped statistics message is printed to screen.
So from the output above, we now know the "Administrator" password is "NEON1996". John displays passwords in groups of 7 letters so we append the results of Administrator:2 (ie "6") to Administrator:1 (ie "NEON199"). In contrast, "phoenix" has the password "NEON96" - there is no second half to append / there is no numbered index associated. Also, "Sarah" / "SUPPORT_388945a0" / "Guest" do not appear to have a password set.
Also from the output above, we can theorise that "HelpAssistant" and "ASPNET" have passwords greater than 7 characters long (ie they each use 2 password hashes). John reports 10 loaded password hashes = 1 hash each for "Sarah" / "SUPPORT_388945a0" / "Guest "/ "phoenix" + 2 hashes for "Administrator" which implies 4 password hashes left between "HelpAssistant" and "ASPNET".
10. If we type "john -show xp-passwd" we will get a summary of the findings so far:
Administrator:NEON1996:500:ed88cccbc08d1c18bcded317112555f4:::
Guest::501:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:???????JVYMGP1:1000:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0::1002:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:NEON96:1003:53905140b80b6d8cbe1ab5953f7c1c51:::
Sarah::1006:31d6cfe0d16ae931b73c59d7e0c089c0:::
7 password hashes cracked, 3 left
Note: The second field is the password field eg for "Administrator", the password is "NEON1996". There are no passwords set for "Guest", "SUPPORT_388945a0" and/or "Sarah". I stopped John before it could calculate the passwords for "HelpAssistant" and "ASPNET".
The John results are stored in a file called "john.pot" and events are logged to "john.log". Both of these files are located in the directory where "john" was launched from (eg "/home/sansforensics"). So if we want to restart a cracking attempt from scratch, you can use "rm -f john.pot" before re-launching "john". Should "john" crash/be CTRL-C'd, there will be a "john.rec" recovery file generated so "john" can restart from its last calculation point (as opposed to from the beginning).
So thats about all I have to show you for now ... if you decide to try it out, I'd be interested to hear you comment on how long your processing time took. Go bananas !
Recently, I was thinking about writing a blog entry on Volatility but then found out that SketchyMoose has done an awesome job of covering it already (in a Windows environment). Thinking of my fellow SIFT-ians / SIFT-ers / SIFT-heads (what?!) - I figured I could still write an entry with a focus on using the SIFT VM to crack a Windows password *evil laugh*.
To give an example of a DFIR scenario, FTK Imager can be used to capture a live Windows memory image and then the SIFT VM can be used to determine the Windows password(s). Or the responder could always nicely ask the owner for the password ;)
For this scenario however, we will be using a Windows XP memory image supplied by NIST. It's not that I don't trust you all with the contents of my memory ... *sarcastic laugh*
Here are the resources I used:
- The SketchyMoose's Blog entry that inspired me (to copy it ;) :
http://sketchymoose.blogspot.com/2011/10/cracking-passwords-with-volatility-and.html
with some further demos:
http://sketchymoose.blogspot.com/2011/11/using-volatility-suspicious-process.html
- For the official Volatility Documentation (eg plugin usage with example outputs) see:
https://code.google.com/p/volatility/wiki/CommandReference
and for some brief notes about Volatility from the SANS Forensics 2009 - Memory Forensics and Registry Analysis Presentation by Brendan Dolan-Gavitt see:
http://www.slideshare.net/mooyix/sans-forensics-2009-memory-forensics-and-registry-analysis
- The official John The Ripper Documentation is available at:
http://www.openwall.com/john/doc/
with usage examples at:
http://www.openwall.com/john/doc/EXAMPLES.shtml
So what I'm now about to cover is specific to using Volatility (2.1a) and John The Ripper as provided on the SANS SIFT Virtual Machine V2.12.
Volatility can be used to analyse a variety of Windows memory images. The general usage syntax is:
vol.py plugin_name memory_image_name
where plugin_name can be things such as pslist (list of running processes), pstree (hierachical view of running processes), connections (live network connections), connscan (live and previous network connection artifacts), hivelist (Windows hive virtual addresses), hashdump (extracts hashes of domain credentials). For more plugins refer to the Volatility Documentation Wiki link mentioned previously.
Method:
Here are the steps I followed:
1. From the command prompt in the SIFT VM, type "sudo mkdir /cases/mem" to create a directory "/cases/mem"
2. Copy/Download "memory-images.rar" (~500 Mb) to "/cases/mem/" from NIST's CFReDS Project at http://www.cfreds.nist.gov/mem/Basic_Memory_Images.html
3. Type "sudo unrar e /cases/mem/memory-images.rar" to extract NIST images to "/cases/mem/"
4. Type "vol.py imageinfo -f /cases/mem/xp-laptop-2005-07-04-1430.img"
This should return an output something like:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/cases/mem/xp-laptop-2005-07-04-1430.img)
PAE type : No PAE
DTB : 0x39000
KDBG : 0x8054c060L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2005-07-04 18:30:32
Image local date and time : 2005-07-04 18:30:32
Number of Processors : 1
Image Type : Service Pack 2
5. We then use the "WINXPSP3x86" profile to search/parse thru the dump. Type "sudo vol.py --profile=WinXPSP3x86 hivelist -f /cases/mem/xp-laptop-2005-07-04-1430.img" so we can obtain the virtual addresses for the SAM and System hives. Note without the "sudo", I was getting some errors so I decided to play it safe. I also tried using it with "--profile=WinXPSP2x86" but got similar errors.
The resulting output will look something like:
Volatile Systems Volatility Framework 2.1_alpha
Virtual Physical Name
0xe2610b60 0x14a99b60 \Device\HarddiskVolume1\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578 0x17141578 \Device\HarddiskVolume1\Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008 0x0f12c008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888 0x0efc5888 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688 0x0e88e688 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60 0x0dff5b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60 0x0c748b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1a5a7e8 0x094bf7e8 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe165cb60 0x0c6ecb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a4f770 0x0948c770 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1559b38 0x02d64b38 [no name]
0xe1035b60 0x0283db60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02837008 [no name]
0x8068d73c 0x0068d73c [no name]
6. Now we can extract the hashed password list to a file (in the current directory) called "xp-passwd" by typing "vol.py --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe165cb60 -f /cases/mem/xp-laptop-2005-07-04-1430.img > xp-passwd"
Note: 0xe1035b60 = system hive virtual address, 0xe165cb60 = SAM hive virtual address which we obtained previously in step 5.
7. (Optional) If you type "cat xp-passwd" you should get something like:
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
8. For clarity, I am assuming that you will be running these commands from "/home/sansforensics". I had some initial problems launching John The Ripper from there - it was complaining that it couldn't open "john.ini" which contains the configuration info/rules. Consequently, I copied/renamed the John configuration file into "/home/sansforensics" using the command "cp /etc/john/john.conf ~/john.ini". This ensures that John's rules will be initialised properly when we proceed with the next step.
9. Type "john xp-passwd" and depending on your CPU, wait a while ... you should get something like this:
Loaded 10 password hashes with no different salts (LM DES [128/128 BS SSE2])
(Sarah)
(SUPPORT_388945a0)
(Guest)
6 (Administrator:2)
NEON96 (phoenix)
guesses: 5 time: 0:00:01:27 (3) c/s: 33842K trying: FG#NNJG - FG#NNNI
guesses: 5 time: 0:00:01:32 (3) c/s: 33771K trying: SWY1-4C - SWYEGAD
guesses: 5 time: 0:00:01:38 (3) c/s: 33981K trying: 0INHM1 - 0INIEK
guesses: 5 time: 0:00:03:35 (3) c/s: 35750K trying: KM51319 - KM5135E
NEON199 (Administrator:1)
guesses: 6 time: 0:00:16:35 (3) c/s: 30877K trying: 3S35/5# - 3S35/EA
guesses: 6 time: 0:00:17:49 (3) c/s: 30836K trying: 06OZJYB - 06OZJ4U
guesses: 6 time: 0:00:20:14 (3) c/s: 30332K trying: GM5BOM! - GM5BILI
guesses: 6 time: 0:00:20:19 (3) c/s: 30341K trying: HMO-F37 - HMO-FM.
guesses: 6 time: 0:00:40:15 (3) c/s: 30880K trying: EYGOMOA - EYGOP5U
guesses: 6 time: 0:00:52:16 (3) c/s: 30931K trying: W8W24EI - W8W24N6
JVYMGP1 (HelpAssistant:2)
guesses: 7 time: 0:01:22:17 (3) c/s: 28872K trying: V4VBN69 - V4VBN8F
guesses: 7 time: 0:01:23:37 (3) c/s: 28802K trying: UCBKWW0 - UCBKWG6
guesses: 7 time: 0:01:28:01 (3) c/s: 28419K trying: SGVRGO6 - SGVRGUV
guesses: 7 time: 0:01:38:31 (3) c/s: 28008K trying: #04CR3 - #04CM!
guesses: 7 time: 0:01:47:08 (3) c/s: 27758K trying: UFE'ACB - UFE'ABN
guesses: 7 time: 0:01:49:04 (3) c/s: 27620K trying: FXRG7D - FXRBOVW
guesses: 7 time: 0:02:02:48 (3) c/s: 27110K trying: DYCIAQD - DYCIIHK
guesses: 7 time: 0:06:31:50 (3) c/s: 24555K trying: )K6T-. - )K6T_F
guesses: 7 time: 0:06:32:15 (3) c/s: 24557K trying: )^Y3G_ - )^Y3TT
Session aborted
You can see where I ran out of patience with my single core Athlon64 CPU and aborted the session after approx 6.5 hours (by pressing CTRL-C). Your mileage will vary methinks - so feel free to let it run to completion. Whilst John is running, whenever the operator presses a key, a timestamped statistics message is printed to screen.
So from the output above, we now know the "Administrator" password is "NEON1996". John displays passwords in groups of 7 letters so we append the results of Administrator:2 (ie "6") to Administrator:1 (ie "NEON199"). In contrast, "phoenix" has the password "NEON96" - there is no second half to append / there is no numbered index associated. Also, "Sarah" / "SUPPORT_388945a0" / "Guest" do not appear to have a password set.
Also from the output above, we can theorise that "HelpAssistant" and "ASPNET" have passwords greater than 7 characters long (ie they each use 2 password hashes). John reports 10 loaded password hashes = 1 hash each for "Sarah" / "SUPPORT_388945a0" / "Guest "/ "phoenix" + 2 hashes for "Administrator" which implies 4 password hashes left between "HelpAssistant" and "ASPNET".
10. If we type "john -show xp-passwd" we will get a summary of the findings so far:
Administrator:NEON1996:500:ed88cccbc08d1c18bcded317112555f4:::
Guest::501:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:???????JVYMGP1:1000:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0::1002:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:NEON96:1003:53905140b80b6d8cbe1ab5953f7c1c51:::
Sarah::1006:31d6cfe0d16ae931b73c59d7e0c089c0:::
7 password hashes cracked, 3 left
Note: The second field is the password field eg for "Administrator", the password is "NEON1996". There are no passwords set for "Guest", "SUPPORT_388945a0" and/or "Sarah". I stopped John before it could calculate the passwords for "HelpAssistant" and "ASPNET".
The John results are stored in a file called "john.pot" and events are logged to "john.log". Both of these files are located in the directory where "john" was launched from (eg "/home/sansforensics"). So if we want to restart a cracking attempt from scratch, you can use "rm -f john.pot" before re-launching "john". Should "john" crash/be CTRL-C'd, there will be a "john.rec" recovery file generated so "john" can restart from its last calculation point (as opposed to from the beginning).
So thats about all I have to show you for now ... if you decide to try it out, I'd be interested to hear you comment on how long your processing time took. Go bananas !
Saturday 19 November 2011
Don't Let This Happen To YOU !
Here is list of interview questions compiled by Libby - my Computer Forensics study partner. I've added a few more towards the end. They were sourced from questions posted on websites and questions asked in interviews. Feel free to add more questions and/or any tips for answering in the Comments section.
From my limited (entry-level) interview experience, it seems that character related questions are just as, if not more important as the technical ones. Having an encyclopaedic technical knowledge is probably less important than showing that you can work effectively with others (ie the interviewers). Showing a willingness/capability to learn independently and communicate ideas is also important. I also think that while you should be on your best behaviour (so-to-speak), you should also be YOURSELF. The interviewers will find out one way or another if you are acting. Speaking of which, it can't hurt to get some background on the interviewers (eg read their LinkedIn page, their company profile). If you have something in common, you might like to mention it during the interview (in a completely non-stalker way of course!) so as to build a rapport/be more memorable.
- Describe the different file systems? FAT 12, FAT 16, FAT 32, NTFS
- Describe the Windows operating systems?
- What imaging tools and techniques are you familiar with?
- What is the basic command line syntax for dd or dcfldd? What are the differences between the two?
- Describe the steps to image a laptop with a bootable forensic cd?
- What are some options to write block a drive before imaging or previewing?
- What are two ways to do a network acquisition using Helix? List hardware and software required for each method.
- What is the bare minimum equipment needed to image a desktop?
- What is an MD5 checksum and how is it used in forensics?
- What are some other hashing algorithms besides MD5?
- What is a .ISO?
- What is a bit level image and how is that different from an ISO?
- What is the SAM file? Which operating system has it?
- What is data carving?
- What is live previewing of a system?
- How would you image a hard drive on a system that cannot be shut down?
- If a file is labeled .tar.gz what is it and why is it in .tar.gz format?
- Describe the chain of custody in detail?
- How would you be able to tell at the hex level that a file has been deleted in FAT 12?
- How would you go about imaging a network without taking it down?
- What is metadata? What is affected by it? What attributes does it represent?
- Why is it important to sanitize your analysis media?
- You have an IDE drive and it is not reading. Why is this?
- Describe the difference between wiping and formatting drives?
- How many timestamps are there in NTFS and what are they?
- Does the registry have any timestamps?
- What is the ntuser.dat file?
- What do the MRU keys tell you in the registry?
- What is a three way handshake in TCP/IP?
- How does TCP differ from UDP?
- What would I bring to the position?
- What are the steps when taking a computer from the home?
- What is the step by step procedure after receiving a hard drive which contains child pornography?
- Someone willingly brings their computer in for some minor offense. After imaging, it is returned to the person. During the examination child pornography is found, what do you do?
- What is slack space?
- What is unallocated space?
- What are bits, bytes, nibbles and clusters?
- What is the hex value for a deleted file or directory in FAT systems?
- What is the hex value for a directory?
- How to calculate disk capacity?
- What is volatile data?
- What happens when a disk is formatted?
- What is the numeric base system for hexadecimal, decimal, octal and binary?
- What motivates you?
- What are some challenges to computer forensics in the future?
- Tell us about a time you faced a (technical) challenge and how you overcame it?
- Give us an example of when you worked independently/within a team to meet a deadline?
- Have you ever communicated technical concepts to a non-technical audience?
- What brought you to this point in your career?
- What do you know about our industry? Our organisation?
- How can you help us? eg What skills do you have?
- What are your career plans for the next 3 and 5 years?
- What are your strengths/weaknesses?
- Do you have any other interests/hobbies?
And here are some questions candidates might like to ask the interviewers ...
- Where would I fit into the team? How big is the team? What is the experience level of the team?
- What is the technical environment like? What tools/storage/hardware do you use?
- What upcoming projects will I be involved in?
- How is training organised?
- What are the typical working hours/travel requirements?
And here are some websites chock full of forensicky advice goodness for the newbie ...
"What makes a good forensicator? or how to get a job in Digital Forensics..."
(*GRATUITOUS NAMEDROP* Written by Mike Wilkinson - one of my previous Lecturers :)
Corey Harrell blogs about entry into Computer Forensics
Harlan Carvey blogs about entry into Computer Forensics
ForensicFocus Job Seeking Advice by Joe Alonzo
Magazine Article on Digital Forensics in Australia
Eric Huber Interviews Detective Cindy Murphy (Law Enforcement)
M57.biz Practice Investigation (Pt 3 - Final)
RESULTS AND LEARNING OUTCOMES
Welcome to the M57 entry where I present what I learnt during this investigation. Due to its ongoing use, I have removed my results/analysis section. I have also removed any comments mentioning any tools/strategies.
Learning Outcomes:
I spent several days on this - the briefing PDF mentions spending "until lunch" using EnCase (LOL!).
This investigation took a lot longer than I estimated - part of it was learning about/setting up the tools, part of it was discovering Windows places of interest (eg Registry artefacts), part of it was the snoopy factor ("What has this user been up to?") and part of it was just repeating commands so I could document the results more comprehensively. I am still not 100% sure that someone from the company was NOT involved with the bogus email but I can't seem to find anything to support it.
In the future, I should pay more attention to documenting my progress as I investigate. I was using a old fashioned notebook and pen - maybe I should be using a text file / word document? It would certainly make capturing the command lines / paths much easier.
By learning on the fly/diving in and not having a set process to follow, I don't think I was maximising my efficiency either. Still, I guess you have to walk before you run etc.
Also, all details from the client brief should be confirmed/verified before starting - I spent quite some time searching for a .xlsx file as stated in the PDF brief only to find it was a .xls file.
Postscript:
'Nother practice scenario which might interest y'all (see, I can speak like a Southerner too!) is:
http://www.cfreds.nist.gov/dfrws/Rhino_Hunt.html
In this scenario, possessing more than 9 Rhino pictures has been declared illegal in New Orleans (those dirty Rhinos!). You've been tasked to find as much evidence as you can from 3 tcpdumps and a 256 Mb USB key dd image. This is good for gaining experience using the WireShark network analyser (also included on SANS SIFT) and "foremost". And they have kindly supplied the answers too!
Welcome to the M57 entry where I present what I learnt during this investigation. Due to its ongoing use, I have removed my results/analysis section. I have also removed any comments mentioning any tools/strategies.
Learning Outcomes:
I spent several days on this - the briefing PDF mentions spending "until lunch" using EnCase (LOL!).
This investigation took a lot longer than I estimated - part of it was learning about/setting up the tools, part of it was discovering Windows places of interest (eg Registry artefacts), part of it was the snoopy factor ("What has this user been up to?") and part of it was just repeating commands so I could document the results more comprehensively. I am still not 100% sure that someone from the company was NOT involved with the bogus email but I can't seem to find anything to support it.
In the future, I should pay more attention to documenting my progress as I investigate. I was using a old fashioned notebook and pen - maybe I should be using a text file / word document? It would certainly make capturing the command lines / paths much easier.
By learning on the fly/diving in and not having a set process to follow, I don't think I was maximising my efficiency either. Still, I guess you have to walk before you run etc.
Also, all details from the client brief should be confirmed/verified before starting - I spent quite some time searching for a .xlsx file as stated in the PDF brief only to find it was a .xls file.
Postscript:
'Nother practice scenario which might interest y'all (see, I can speak like a Southerner too!) is:
http://www.cfreds.nist.gov/dfrws/Rhino_Hunt.html
In this scenario, possessing more than 9 Rhino pictures has been declared illegal in New Orleans (those dirty Rhinos!). You've been tasked to find as much evidence as you can from 3 tcpdumps and a 256 Mb USB key dd image. This is good for gaining experience using the WireShark network analyser (also included on SANS SIFT) and "foremost". And they have kindly supplied the answers too!
Monday 14 November 2011
M57.biz Practice Investigation
INTRODUCTION AND SETUP
The first image my study partner ( http://computerforensicgraduate.wordpress.com/ ) and I decided on is located here:
http://digitalcorpora.org/corpora/scenarios/m57-jean
Its an investigation into how a spreadsheet was exfiltrated from a laptop. The laptop image is contained on 2 EnCase .E0 files (3 Gb total) which you can look at using a similar methodology to whats listed in "Digital Forensics with Open Source Tools" by Altheide & Carvey (the "Simon and Simon" of Computer Forensics, if I might be so bold / old).
Note: the case briefing pdf lists a different filename / filetype for the spreadsheet. I tried doing a "m57plan.xlsx" keyword search but didn't find it - using FTK Imager I found it as "m57plan.xls". Double-DOH! Live and learn ... take client briefings with a grain of salt?
We have both installed VMware Player 3 thru which we use the SANS SIFT Ubuntu virtual workstation (1.8 Gb download).
The SIFT workstation already contains several of the tools mentioned in Altheide & Carvey plus more. There's unallocated file carving, email extraction from PST files, RegRipper, FTK Imager just to name a few and all for FREE!
Be sure to download the VM "Distro version" ZIP file and not the bootable ISO image. SANS have set it up so you can unzip that file and then use VMWare Player 3 to open the "SIFT Workstation 2.1.vmx" file (via File, Open a New VM and then select the .vmx file). Keep the ZIP file after extracting it so that after each case you can delete the SIFT VM in VMWare player and start again fresh. Anyhow, once you've told VMWare Player where to find the .vmx file you just "play it" by double clicking on it. Everything should be automatic from then on and hopefully you get the login window.
Ubuntu will probably run a bit slower via VMware than if installed seperately but I found it OK using a circa 2003 single core Athlon64 with 2 Gb RAM running WinXP. And this way, I didn't need to spend time reformatting or dual booting the sucker and/or if I stuff up the SIFT, I can easily reset to a known good state. There's a pretty helpful forum at http://ubuntuforums.org/ if you have Ubuntu issues.
Tools Used:
VMWare Player 3.1.5 ( http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0 ) - you might have to sign up first (for free)
SANS SIFT Workstation ( http://computer-forensics.sans.org/community/downloads ) - requires a SANS login (free)
Forensic Corpora Jean Encase Image ( http://digitalcorpora.org/corpora/scenarios/m57-jean )
Aim:
To find out:
- When did Jean create this spreadsheet?
- How did it get from her computer?
- Who else from the company is involved?
Setup Method:
A. Install SANS SIFT Virtual machine under VMWare Player 3 (as described earlier).
B. Download/Copy Jean's Encase files (.E01 & .E02) to the SANS SIFT VM "/cases" directory.
I used Windows File Explorer to copy the 2 EnCase files to the "cases" folder on the SIFTWorkstation in the SANS workgroup but you could also download it directly to the SIFT using the SIFT Firefox browser.
C. Read-only Mount the Encase image such that we can see them from the Ubuntu OS
Tthis blog describes how to do it (more or less):
http://stephenventer.blogspot.com/2009/02/mount-ewf-e01-on-linux.html
The SIFT 2.1 VM has most of the software/tools mentioned in the blog already installed / configured.
And pp 20-22 of "Digital Forensics with Open Source Tools" (Altheide & Carvey) details a similar process.
But there is one complication - the SIFT VM doesn't seem to recognise the HPFS (High Performance File System) / NTFS filesystem of the given EnCase files. The blog example doesn't mention this as a problem but I couldn't follow the blog/book procedures without getting errors.
I ended up using the Ubuntu Synaptic Manager (from the System, Control Center, Synaptic Package Manager menu) to install the "ntfs-config" package/software and Ubuntu then recognised/mounted the image. Not 100% sure why, but it seems to work ...
The Synaptic Package Manager is a GUI for installing Ubuntu software packages. Its kinda like the App store for iPhones. However, unlike iPhones you can also download source code seperately and compile/build it on your Ubuntu system. eg if its not available in a package.
So here's the full procedure I ended up performing:
This article also has more information on read-only mounts for SIFT:
http://computer-forensics.sans.org/blog/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-evidence/
Some other potentially useful information:
Between steps 4-7 above, you can also use "fdisk -lu /mnt/ewf/nps-2008-jean" to show the filesystem type info (ie HPFS / NTFS).
If you need to unmount a directory, use "umount /mnt/m57jean" for example.
If you need to reset the loopback device, you can use the "losetup -d /dev/loop0" command.
If you restart the SIFT, it will lose all the mounting stuff and you'll have to do it all over. Can be helpful if you make a mistake and can't figure out how to recover.
You can also load up FTK Imager to preview the .E01 file directly from "/cases" but while you can browse the files thru FTK Imager, the other SIFT tools won't be able to read the EnCase format.
You can also browse the "/mnt/m57jean" folder using the Ubutu file explorer - just double click on one of the folders on the left hand side of the desktop and navigate to "/mnt/m57jean" (after completing steps 1-7).
I'll stop here and post my method(s) of investigation in the next post - just in case you want to figure out the next part yourself...
The first image my study partner ( http://computerforensicgraduate.wordpress.com/ ) and I decided on is located here:
http://digitalcorpora.org/corpora/scenarios/m57-jean
Its an investigation into how a spreadsheet was exfiltrated from a laptop. The laptop image is contained on 2 EnCase .E0 files (3 Gb total) which you can look at using a similar methodology to whats listed in "Digital Forensics with Open Source Tools" by Altheide & Carvey (the "Simon and Simon" of Computer Forensics, if I might be so bold / old).
Note: the case briefing pdf lists a different filename / filetype for the spreadsheet. I tried doing a "m57plan.xlsx" keyword search but didn't find it - using FTK Imager I found it as "m57plan.xls". Double-DOH! Live and learn ... take client briefings with a grain of salt?
We have both installed VMware Player 3 thru which we use the SANS SIFT Ubuntu virtual workstation (1.8 Gb download).
The SIFT workstation already contains several of the tools mentioned in Altheide & Carvey plus more. There's unallocated file carving, email extraction from PST files, RegRipper, FTK Imager just to name a few and all for FREE!
Be sure to download the VM "Distro version" ZIP file and not the bootable ISO image. SANS have set it up so you can unzip that file and then use VMWare Player 3 to open the "SIFT Workstation 2.1.vmx" file (via File, Open a New VM and then select the .vmx file). Keep the ZIP file after extracting it so that after each case you can delete the SIFT VM in VMWare player and start again fresh. Anyhow, once you've told VMWare Player where to find the .vmx file you just "play it" by double clicking on it. Everything should be automatic from then on and hopefully you get the login window.
Ubuntu will probably run a bit slower via VMware than if installed seperately but I found it OK using a circa 2003 single core Athlon64 with 2 Gb RAM running WinXP. And this way, I didn't need to spend time reformatting or dual booting the sucker and/or if I stuff up the SIFT, I can easily reset to a known good state. There's a pretty helpful forum at http://ubuntuforums.org/ if you have Ubuntu issues.
Tools Used:
VMWare Player 3.1.5 ( http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0 ) - you might have to sign up first (for free)
SANS SIFT Workstation ( http://computer-forensics.sans.org/community/downloads ) - requires a SANS login (free)
Forensic Corpora Jean Encase Image ( http://digitalcorpora.org/corpora/scenarios/m57-jean )
Aim:
To find out:
- When did Jean create this spreadsheet?
- How did it get from her computer?
- Who else from the company is involved?
Setup Method:
A. Install SANS SIFT Virtual machine under VMWare Player 3 (as described earlier).
B. Download/Copy Jean's Encase files (.E01 & .E02) to the SANS SIFT VM "/cases" directory.
I used Windows File Explorer to copy the 2 EnCase files to the "cases" folder on the SIFTWorkstation in the SANS workgroup but you could also download it directly to the SIFT using the SIFT Firefox browser.
C. Read-only Mount the Encase image such that we can see them from the Ubuntu OS
Tthis blog describes how to do it (more or less):
http://stephenventer.blogspot.com/2009/02/mount-ewf-e01-on-linux.html
The SIFT 2.1 VM has most of the software/tools mentioned in the blog already installed / configured.
And pp 20-22 of "Digital Forensics with Open Source Tools" (Altheide & Carvey) details a similar process.
But there is one complication - the SIFT VM doesn't seem to recognise the HPFS (High Performance File System) / NTFS filesystem of the given EnCase files. The blog example doesn't mention this as a problem but I couldn't follow the blog/book procedures without getting errors.
I ended up using the Ubuntu Synaptic Manager (from the System, Control Center, Synaptic Package Manager menu) to install the "ntfs-config" package/software and Ubuntu then recognised/mounted the image. Not 100% sure why, but it seems to work ...
The Synaptic Package Manager is a GUI for installing Ubuntu software packages. Its kinda like the App store for iPhones. However, unlike iPhones you can also download source code seperately and compile/build it on your Ubuntu system. eg if its not available in a package.
So here's the full procedure I ended up performing:
- Boot up SIFT VM and login as sansforensics (password is "forensics" ... shhh! )
- At a terminal window, use the command "sudo su -" to login as root so we can issue commands with the appropriate privileges i.e. make data accessible/mount stuff.
- Use the command "mount_ewf.py /cases/nps-2008-jean.E* /mnt/ewf/" to combine the two evidence files into a single Unix style image file called "/mnt/ewf/nps-2008-jean" (note: we use the "nps-2008-jean.E*" argument so it picks up all EnCase parts). Afterwards, there will also be a text file containing the MD5 hash as originally calculated by EnCase. You can then use the command "md5sum /mnt/ewf/nps-2008-jean" to calculate a local MD5 hash for comparison with EnCase but it took a few minutes on my VM.
- Install the "ntfs-config" package using the Synaptic Manager.
- Use "losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean" to map the image file to a loop device (ensuring you specify the offset 32256 so the loop device is mapped to the Filesystem and not the beginning of the disk image. Blog/book has more info).
- Use "mkdir /mnt/m57jean" to create a mountpoint directory that we can use later.
- Use "mount /dev/loop0 /mnt/m57jean/ -o loop,ro" so we can map the loop device to a read only directory.
- As a test, use "ls -al /mnt/m57jean" to list the contents of the filesystem. You should see your typical Windows XP folder structure eg Documents and Settings, Program Files etc.
This article also has more information on read-only mounts for SIFT:
http://computer-forensics.sans.org/blog/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-evidence/
Some other potentially useful information:
Between steps 4-7 above, you can also use "fdisk -lu /mnt/ewf/nps-2008-jean" to show the filesystem type info (ie HPFS / NTFS).
If you need to unmount a directory, use "umount /mnt/m57jean" for example.
If you need to reset the loopback device, you can use the "losetup -d /dev/loop0" command.
If you restart the SIFT, it will lose all the mounting stuff and you'll have to do it all over. Can be helpful if you make a mistake and can't figure out how to recover.
You can also load up FTK Imager to preview the .E01 file directly from "/cases" but while you can browse the files thru FTK Imager, the other SIFT tools won't be able to read the EnCase format.
You can also browse the "/mnt/m57jean" folder using the Ubutu file explorer - just double click on one of the folders on the left hand side of the desktop and navigate to "/mnt/m57jean" (after completing steps 1-7).
I'll stop here and post my method(s) of investigation in the next post - just in case you want to figure out the next part yourself...
Sunday 13 November 2011
Law Enforcement?
To be balanced and equally offend / amuse our Law Enforcement friends, here's a LE version ... I was thinking of having Cheeky4n6Monkey toting a nightstick and Ray Ban sunglasses but thought he'd look a little too mean / fierce.
For my next post, I reckon I should post some actual CF stuff. I'll give a summary of a couple of practice investigations using SANS SIFT. Hopefully, that might help other beginners save some time.
E-Disco(very)?
This idea came to me after coming across the shortened slang term for Electronic Discovery ... Admittedly, this is VERY loosely related to computer forensics - but wait, there's more to follow ...
Saturday 12 November 2011
So What Next?
So, what next? I'm kinda out of ideas for now ...
Any suggestions related to computer forensics and/or themes for future monkey mayhem are welcome at this time.
Just For Laughs
So this one was just for laughs. Nothing too forensicky about it. Like I said before, I have a weird (juvenile/disturbing/dirty) sense of humour ... Monkeys with lipstick on FTW!
It looks like a bit of rush job - drawing that monkey body took AGES. So by the time I got to the face, I don't think I kept it consistent with the earlier toons.
My Previous Career
So this is what I used to do for a career. Truth be told, I was OK at it - I could get by but I was not a guru. Not even close. Probably explains why I got so frustrated with it. That and the fickleness of GUI design.
Still, I figure it should help with all the scripting in Computer Forensics.
Dilbert was popular at my old workplace(s) - especially the Software Development themed ones. Who knows, maybe Cheeky4n6Monkey could find another "alternative career" ... But not yet with this clumsily drawn monkey anatomy!
Job Hunt
Like so many others, I have finished my formal University studies in Forensic Computing and have been trying to land that oh-so-elusive first Computer Forensics job. Something in law enforcement would be ideal but E-Discovery and/or Consulting has not been ruled out either. Beggars can't be choosers and all. This toon is just summing up my frustration at my current employment situation.
In the meantime, I have been doing some research - mainly using the SANS SIFT kit to work though some scenarios and reading up on whatever Computer Forensics material I can get my paws on.
First Post
So this is my first publishable attempt at humour. I was tempted to use Harlan Carvey's Windows Forensic Analysis for the book title but figured he might not share my sense of humour. Not many people do ;)
Welcome To The Jungle
Greetings fellow primates!
Cheek4n6Monkey just checking in here. I originally started drawing these pictures for a laugh and to pass the time away ... Its not like computer forensics peeps don't spend enough time in front of a computer screen already eh?
Anyway, from time to time, I may stumble my way through an ephiphany (for me) but I shall try to keep it light and entertaining. At some point, I may also try talking about some technical stuff - please feel free to correct/advise me.
Comments are always welcome and appreciated.
Yours in Bananas,
Cheeky4n6Monkey
Cheek4n6Monkey just checking in here. I originally started drawing these pictures for a laugh and to pass the time away ... Its not like computer forensics peeps don't spend enough time in front of a computer screen already eh?
Anyway, from time to time, I may stumble my way through an ephiphany (for me) but I shall try to keep it light and entertaining. At some point, I may also try talking about some technical stuff - please feel free to correct/advise me.
Comments are always welcome and appreciated.
Yours in Bananas,
Cheeky4n6Monkey
Subscribe to:
Posts (Atom)