Sunday, August 10, 2014

4n6time v.06 - minor update

I posted a new version of 4n6time for Windows only. Download link here:


Not many significant changes. Below is a short summary.
-Using latest plaso "release v.1.1.0" source code base dated early June. Also includes newer versions of the plaso dependencies dated as of early August. 
-Lots of bug fixes and minor GUI tweaks.
-Extended image support (consistent with plaso) for timeline creation. Note that file interaction is only supported with raw disk images atm.
-Enhanced timeline creation wizard (e.g. disk scanner implementation, parser selection gui, etc.)
-New window/pane to monitor plaso timeline creation process. 
-Lots of other little things, minor speed improvements, etc.

To be honest, I did not do as much testing this time around as for previous releases, so I encourage feedback, issues, questions, bugs, whatever; just let me know. I just didn't want to delay the release any further.

I'll also try to work with Kristinn when he gets some time to try to create a linux / SIFT 3.0 release!

Sunday, February 16, 2014

4n6time v.05 - anyone know how I get a tax write off on this???

I've been super busy and actually forgot to announce that I posted 4n6time v.05 a few months ago. So here it is, boys and girls. As always, none of this would be possible without the tools that create timeline data (e.g. log2timeline/plaso) and the help of MANY people.

Before I get into what's new, I would like to quickly reflect. 4n6time was introduced as a proof of concept application demo'ed at the 2011 SANS 360 Summit and has grown into a global user base. In 2013, 4n6time was nominated for the "tool of the year" award by forensic4cast (vote again this year!).

I remember joking that 4n6time would be free to everyone except LE. A lot of people laughed at that joke. However, in hindsight LE is one of my primary motivators to continue to invest personal time and expenses in this project.

Mid last year I received an e-mail stating 4n6time was used to help prosecute a murder case by presenting a complex set of data to a jury in a way they could understand. A few weeks later I received an email that 4n6time helped a family understand the facts leading up to a suicide. I get testimonial emails like this all the time from people.

Hearing feedback that Davnads potentially impacted someone's life is surreal. It really is. Now if only I could figure out how to get a tax write off on this??? Lol.

The general feedback I get is that 4n6time does not make evidence available that other tools do not. It just makes evidence more readily accessible, presents it in a way that is logical, and makes telling the story easy with a mouse. In fact I think the download counts from last year speak for themselves. Although I suspect Kristinn would argue that the logs all point to Davnads downloading his own tool ;-)


I guess the reason I am sharing this story is to encourage others to contribute to existing projects like plaso or to new projects. Everyone has to start somewhere and you never know where it will end up. I am also sharing this to thank people for the feedback. If it wasn't for the emails, challenge coins, patches and other swag I probably would have stopped investing in this project a long time ago.

Now let's take a look at what's under the hood in 4n6time, v.0.5...
  • Contains latest "release" of plaso v.1.1.0 and dependencies. 
  • More intuitive create timeline wizard with ability to enable parser(s) visually amongst other enhancements.
  • Ability to interact with all charts (e.g. click on source and update data grid view to only show source).
  • Mouse hover over "tool tips" on all major buttons.
  • Filter query preview (e.g. how many/types of results will be returned).
  • Filter pivoting in data grid view based on various time criteria.
  • Enhanced charting and reporting.
  • EVT ID look up / deeper VT integration.
  • More export to CSV options.
  • Every time data is added to database prompts for evidence number. Used to differentiate multiple data sources in timeline.
  • Advanced filtering.
  • Lots of GUI enhancements and better error handling.
  • Proof of concept MySQL back end - this adds a collaborative (server/client) review approach to timeline analysis. It also allows timelines to scale a lot more efficiently.

Note: There is a beta linux version (thanks to Kristinn Gudjonsson). This should be part of new SIFT 3.0. The OSX version has not been compiled yet. I'll try to get this done in the next few weeks.



Friday, September 13, 2013

EnCase via RDP (part 2)

As you probably already know, Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years ago, there are workarounds, but none are perfect. Even buying the NAS licensing server has limitations.

...I spent weeks trying to figure out a true solution. Then randomly, out of complete nowhere, a co-worker one day sends an email to our team saying "Hey, if you ever have this problem with EnCase and RDP .. just do this..." I was shocked, amazed, but more importantly it worked!

Before you get started:
  • Note this program requires Administrative Rights to run!
  • Caution: it requires the user to re-login to the RDP session (the user is not logged out)
  • Modified from http://community.spiceworks.com/how_to/show/873 and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely
  • I don't have time to support this but feel free to leave comments and I can see if my co-worker is interested in answering questions there.
Directions:

1. Copy the text below into a text file
2. If you have EnCase installed somewhere other than the default location, you’ll need to update the section starting at line 23.
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"

3. Save as "Start Encase.bat"
4. Just double click "Start Encase.bat" after connecting via RDP to the workstation.

Start Encase.bat:
@echo off

:: EnCase Starter from RDP Session
:: Author: ALG
:: DATE: 2013.03.06
:: Purpose: Fixes issue of EnCase starting in Acquisition Mode when executed from RDP Session
:: Caution: Requires User to Re-Login to RDP Session (user is not logged out)
:: Modified from http://community.spiceworks.com/how_to/show/873
:: and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely

:WinVersion
cls
echo ## Defining Windows Version
ver>"%temp%\ver.tmp"
find /i "6.0" "%temp%\ver.tmp">nul
if %ERRORLEVEL% EQU 0 goto ADMIN
find /i "6.1" "%temp%\ver.tmp">nul
if %ERRORLEVEL% EQU 0 goto ADMIN

:MENU1
title Choose EnCase Version to Start via RDP (Requires Reconnect to RDP Session)
:: EnCase Installations (Update to Install Location)
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"
cls
echo 1: EnCase V6 (32-Bit) [%encase_v6x32%]
echo 2: EnCase V6 (64-Bit) [%encase_v6x64%] 
echo 3: EnCase V7 (32-Bit) [%encase_v7x32%]
echo 4: EnCase V7 (64-Bit) [%encase_v7x64%]
echo ---------------------------------------
echo Type EnCase Version ID (above) or Full Path to EnCase.exe
echo Type R to refresh user list
echo Type Q to quit
echo.
set input=R
:: Prompt for Install
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
if /I %input% EQU 1 set input=%encase_v6x32%
if /I %input% EQU 2 set input=%encase_v6x64%
if /I %input% EQU 3 set input=%encase_v7x32%
if /I %input% EQU 4 set input=%encase_v7x64%
:: Use a dedicated variable; "set path=" would overwrite the PATH
:: environment variable that qwinsta and tscon below depend on.
set encase_exe=%input%
goto USERS

:USERS
title Users on Localhost
cls
qwinsta /server:localhost
echo.
echo Type Session ID of current RDP session
echo Type R to refresh user list
echo Type Q to quit
echo.
set input=R

:: Prompt for Session ID
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
set session=%input%
goto DISCON

:DISCON
title Disconnecting User
cls
:: Redirect the chosen RDP session to the physical console so EnCase
:: no longer sees itself running inside a remote session
tscon %session% /dest:console
echo Log off in process
echo.
goto STARTER

:STARTER
cls
START /b "" %encase_exe%
exit

:ADMIN
cls
cd %systemroot%\System32
if /I %CD% EQU %systemroot%\System32 goto MENU1
goto ERR1

:ERR1
title Error
cls
echo This program requires Administrative Rights to run!
echo.
pause
goto END

:END
exit


Thursday, July 25, 2013

New weapon, Emailtime!


I often rely on timelines to tell the story. However it’s imperative to understand how the story was constructed to do this effectively.

Thanks to tools like log2timeline and plaso it’s easy to create timelines! Like any tool, it’s helpful to understand how these work. I am not implying you need to start brogramming, but you should at least learn the capabilities of the tools. This primarily requires understanding what input modules or parsers are available (and how they are invoked). If you’re relying strictly on timelines for analysis, this knowledge should enable you to understand if the “entire story” is being told.

For instance, according to the timeline below, on March 4, 2012 at 00:28:17, a Windows Application (McAfee) Event Log entry was created. The description of this event states “The Scan was unable to scan password protected file 2011-W2.zip\\2011-W2.pdf. Scan engine version used is 5400.1158 DAT version 6498.0000.”

Looking at the context of this event I don’t see any notable activity that could be attributable to the source of this event log entry. However, taking a step back from this timeline example, knowing what I am NOT seeing could be equally as important as what is shown…

According to a 2012 Trend Micro report, Spear-Phishing Email: Most Favored APT Attack Bait, “91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.” Thus adding e-mail as a source in a timeline might be insightful.

As displayed below, seconds before the event log was created, an e-mail was received. This e-mail contained the attachment “2011-W2.zip”.

Now you probably want to know how e-mail magically appeared in the timeline above? At the SANS #DFIRSummit I introduced a new cmdline tool called Emailtime. The purpose of the tool is to create log2timeline CSV format timelines of PST files.

The tool was written in Python and is packaged as an EXE for distribution. It requires you to download the Developers version of Redemption as a dependency first. Oh, and run the Redemption installer as Administrator.

Special thanks to Steve Gibson (@stevegibson) the ninja for helping pull this tool together. Note the tool is super ALPHA/BETA/WHATEVER so use at your own risk. We look forward to bug reports and feedback. I already have a short list of “to do” items including adding time zone offset and MSG support but didn’t want it to hold back releasing any further.


The usage of the tool is pretty simple:

Usage:
emailtime.exe -p -e -H -F -S

Additionally, as shown in the examples below it has some neat filtering capabilities. This allows you to target e-mails of relevance quicker based on e-mails that contain keywords, attachments, and/or hyperlinks.

Examples:

Export all emails:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer"

Filter emails with hyperlinks only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink

Filter emails with hyperlinks and attachments only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink attachments

Filter emails containing string evil only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -S evil

Provided the output of Emailtime, a log2timeline CSV file, you can import it to a new 4n6time database for review (File > Create Database).  Alternatively, you can append it into an existing timeline database to overlay it with other timelines (File > Append Database).  
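The correlation the post walks through, an e-mail attachment arriving seconds before the McAfee event log entry, can be checked programmatically once e-mail is in the same log2timeline CSV as the other sources. The following is an added example, not Emailtime, 4n6time or plaso code; it assumes the 17-column l2t_csv layout with MM/DD/YYYY dates and UTC times, and the two rows are constructed sample data rather than real tool output.

```python
"""Added example: correlate EMAIL events with other sources in an l2t_csv timeline."""
import csv
import io
from datetime import datetime, timedelta

# Assumed l2t_csv header as written by log2timeline/plaso (17 columns).
L2T_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,short,"
              "desc,version,filename,inode,notes,format,extra")

# Constructed sample rows (not real tool output): an e-mail with the
# 2011-W2.zip attachment received eight seconds before the McAfee event
# log entry the post discusses.  Dates are MM/DD/YYYY, times are UTC.
SAMPLE_L2T_CSV = L2T_HEADER + "\n" + "\n".join([
    '03/04/2012,00:28:09,UTC,MACB,EMAIL,Outlook PST,Received,jdoe,mycomputer,'
    '"Subject: 2011 W2","From: payroll@example.invalid Subject: 2011 W2 '
    'Attachment: 2011-W2.zip",2,c:\\outlook.pst,0,-,emailtime,-',
    '03/04/2012,00:28:17,UTC,MACB,EVT,Application,Event Logged,-,mycomputer,'
    '"McAfee scan warning","The Scan was unable to scan password protected '
    'file 2011-W2.zip\\\\2011-W2.pdf. Scan engine version used is 5400.1158 '
    'DAT version 6498.0000.",2,C:\\Windows\\System32\\winevt\\Logs\\Application.evtx,'
    '0,-,winevt,-',
])


def load_l2t(text):
    """Parse l2t_csv text into dicts, adding a parsed 'timestamp' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def correlate(rows, keyword, window_seconds):
    """Pair each EMAIL event mentioning keyword with non-EMAIL events that
    mention it within window_seconds afterwards.  Returns a list of
    (email short description, other source, seconds between) tuples."""
    key = keyword.lower()
    window = timedelta(seconds=window_seconds)
    hits = []
    for mail in rows:
        if mail["source"] != "EMAIL" or key not in mail["desc"].lower():
            continue
        for other in rows:
            if other["source"] == "EMAIL" or key not in other["desc"].lower():
                continue
            delta = other["timestamp"] - mail["timestamp"]
            if timedelta(0) <= delta <= window:
                hits.append((mail["short"], other["source"],
                             int(delta.total_seconds())))
    return hits
```

Run against a real Emailtime export appended to a plaso l2t_csv file, the same function surfaces which e-mail preceded an AV or event log entry that mentions the attachment name.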



Wednesday, May 1, 2013

Melting snow, flash floods, and only a new 4n6time release ;-)


So wherever Kristinn Gudjonsson lives, there are apparently flowers, blossoming trees and a new plaso release. That must be really nice. In Chicago we still have melting snow, flash floods, and only a new 4n6time release ;-)

For anyone that saw me speak at the HTCIA conference in Minnesota a few weeks ago, you know I am VERY excited about the new version of 4n6time (and some other soon to be released tools to make your timelines epic!). Months of development and user feedback have been put into this release. There’s really too much to list about "what's new", so here are a few of my favorite improvements:
  • Updated plaso engine to version 1.0.1-1 (alpha) – As Kristinn pointed out the latest version of plaso has many new enhancements and features. Also included are 2 new parsers contributed by me (thank you Kristinn for the help), Symantec AV and Google Drive!
  • Control plaso with a mouse! – Create your timeline(s) using a simple yet comprehensive user wizard. Create a timeline from a disk image, mount point, directory, CSV file, or body file! Also take advantage of plaso’s amazing file filtering and pre-filtering capabilities.
  • Tabbing – Because one timeline is never enough you can now view and jump between multiple timelines (subsequent to filtering) in tabs within the data grid view.
  • VirusTotal integration – In addition to right clicking on an event and viewing it with an external file viewer, MD5 hashing it, or exporting it, you can now check to see if it’s a known file in the VirusTotal database (provided an internet connection).
  • Speed – The tool has more or less been completely refactored. It is 5x faster. This includes opening saved database files instantly (no more loading!).
  • GUI –  Enhanced User Interface, charting, filtering tricks, and reporting.
  • So much more!!!!
It was almost a year ago, at the SANS DFIR summit, when Rob Lee gave me the opportunity to introduce 4n6time (then “l2t_Review”) to the community. I only had 360 seconds to show off the hundreds of hours of personal time I spent learning and developing the initial proof of concept.


Almost a year later, I am overwhelmed by the response from the community. 4n6time has been nominated for the 2013 forensic4cast award for the “Computer Forensic Software of the Year” and there are hundreds of folks using the tool all over the world. This has made every minute working on the project all so worth it.


As always, this project would not be possible without the existence and contributions to timeline creation tools. Special thanks to Kristinn Gudjonsson, Joachim Metz and others for development on log2timeline and now Plaso. Also a special thanks to Eric Wong who has been assisting me with the development these days.


You can download the latest Windows version of 4n6time (0.4) on Google Code.  Note you do not need to request a new cert file if you are an existing user, you can simply transfer your old cert file over to the new version following the directions in the FAQ. The FAQ is also a useful place for other common questions and getting started information. If you are completely new to plaso and/or 4n6time you may also want to check out the article Kristinn and I co-authored in issue 15 of Digital Forensic Magazine.


As always happy to answer any questions and look forward to receiving feedback as development starts on the next release.


Thanks!!!


-David Nides (@DAVNADS)

Tuesday, January 8, 2013

My Windows 8 DFIR Reading List

Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop a comment and I'll add it to the list.

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

http://articles.forensicfocus.com/2012/12/09/windows-8-important-considerations-for-computer-forensics-and-electronic-discovery/

Windows 8 Forensics - A First Look (ForensicFocusVideos)

https://www.youtube.com/watch?v=uhCooEz9FQs

Forensic Artifact: Malware Analysis in Windows 8

http://resources.infosecinstitute.com/forensic-analysis-windows-8/

Windows 8 Forensics: USB Activity

http://www.infosecisland.com/blogview/22235-Windows-8-Forensics-USB-Activity.html

Champlain College Windows 8 Forensics 3 Part Series

http://computerforensics.champlain.edu/blog/windows-8-forensics

http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2

http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3

Windows 8 Forensics: Reset and Refresh Artifacts

http://cyberarms.wordpress.com/2012/08/30/windows-8-forensics-reset-and-refresh-artifacts/

Windows 8 Forensic Guide

http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf

Ken Johnson's Research

https://computer-forensics.sans.org/summit-archives/2012/windows-8-recovery-forensics-understanding-the-three-rs.pdf

http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html

http://randomthoughtsofforensics.blogspot.com/2012/06/windows-8-forensic-file-history.html

http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html