Forget The Beer I Will Take Wine

Wine is a program that lets Windows software run on other operating systems. This means Wine can be used to run Windows only forensic or malware analysis tools on the Sift workstation and REMnux. It’s so easy to get Wine up and running I wasn’t even sure if a blog post was needed. However, it never hurts to be informed. Here's a quick post on installing Wine and running Windows tools on Sift and REMnux.

Install Wine

The Sift v2 workstation and REMnux v2 both were built using Ubuntu Linux. The Wine website shows the different options for installing Wine on Ubuntu including using repositories, the GUI, or the command line. All of these options require the Sift and REMnux to have Internet access. I used the command line option since it only involved running the following commands:

          * sudo add-apt-repository ppa:ubuntu-wine/ppa
          * sudo apt-get update
          * sudo apt-get install wine1.3
               - Enter Yes to proceed with the installation

That’s right, just three commands to install Wine. The next few pictures show Wine being installed on the Sift workstation.

Running Windows Programs on the Sift and REMnux

Wine can be used to run standalone Windows programs or programs that require an installation process. I wanted Wine so I could run a few standalone Windows programs so this post won’t cover installing a program in Wine (the Wine website has information on this topic). To run a standalone Windows program the program needs to be launched with Wine. Most of the programs I’ve tested run without any issues but a couple programs required some tinkering. The pictures below show Windows programs running on the Sift and REMnux.

First up is Nirsoft’s IEHistoryView running on Sift.

Next is McAfee’s BinText running on REMnux.

Here is PEID running on REMnux.

As I mentioned before, not all of the Windows programs will run without any issues. For example, Digital Detective’s Dcode program fails to run because of a missing dll. This is shown below with the missing dll highlighted in the red box.

A quick search on a Windows system locates the msvbvm60.dll in the Windows\System32 folder (this search was done on a Windows XP system). To fix the missing dll error, just copy the msvbvm60.dll from a Windows system to Wine’s Windows\System32 folder as shown below.

Now here is the picture of Dcode running on the Sift. Some messages appear while Dcode runs so testing has to be done to make sure the program still converts all of the dates properly.

REMnux and Sift are great distributions since they come preconfigured with some of the tools I use. My main platform is Windows so REMnux and Sift save me a lot of time because I don’t have to setup my own Linux environments. At times I find myself switching between Windows and Linux to run certain tools. Wine gives me the option of bringing a few Windows tools over to the Linux so I won’t have to switch between the two operating systems as much.

Read More

Forensicator Readiness

I attended a lot of trainings as a communications technician in the Marines. There were formal trainings by outside parties, organized trainings by my unit, and formal education on my own to hone my troubleshooting skills. The goal of all of those trainings was to prepare me to perform my job regardless of the situation I might face. Even though I left the Marines, I carried over the same mentality to my career in information security especially for digital forensics. Using a mixture of formal education, paid training, and a lot of self training to ensure I'm capable of performing my job regardless of the situation I might encounter. However, outside of forensic challenges or forensic datasets I never had an organized way to approach self training until I wanted to learn about incident response investigations. This post will explain the approach I've been using but haven't documented until now.

Forensicator readiness is the method I've been using to help prepare myself to be able to investigate any situation regardless of the circumstances. If someone said "I need you to help figure out what caused this incident” I wanted to be able to hit the ground running. This is better than having to reply with "I'd like to help out but first I have to attend a training which by the way costs a few thousand dollars". I'm sharing my approach because I think it might be useful to others. Experienced analysts/examiners can use it to learn how to investigate new types of cases or students can use it to help prepare them for the common cases they might face. Forensicator readiness consists of the following six steps:

          * Pick a Scenario
          * Establish the Scenario’s Scope
          * Collect Digital Information
          * Examine Digital Information
          * Scenario Simulation
          * Identify Areas for Improvement

Ever since I read the Alexiou Principle (as described by Chris Pogue here and here) I've been using it in my cases. The principle has been helpful in planning out the investigation and keeping the investigation on track. I thought if it works for actual cases then it should work for simulations. Well, the principle does work in simulations so I use it in the forensicator readiness steps.

Pick a Scenario

There is always something to learn in digital forensics whether it’s a student studying the field in school or a forensicator who has been in the field for a number of years. It could be trying to understand how to investigate different types of cases, how to examine new data, or how to extract data from certain devices. The first step is to pick a scenario containing the item or situation of what is to be learned. The scenario could be based on the common types of cases processed in your organization or on a potential situation someone might need to investigate. A few scenario examples are: data leakage through USB device, sexual harassment involving company email, or a malware infected server.

Next a determination needs to be made to see if it’s possible to set up test systems to simulate the scenario. Research is completed in the collection, examination, and simulation steps and systems will be needed to run a few tests on. For example, I’d like to learn how to investigate a hacked database server. Unfortunately, I can’t use this scenario since I can’t simulate a SQL injection attack against a test database server. As a result, my focus is on the scenarios I can simulate in a test environment such as a malware infected system.

Having a scenario by itself isn’t enough because an end goal hasn’t been established; what is trying to be accomplished. This is where the first question of the Alexiou principle comes into play which is “what question are you trying to answer”. Identify a few potential questions to help guide the goal of the investigation. For example, the two potential questions of a suspected malware infected system I've been using are: is the system infected and how did the system become infected. The two questions identify what I’m trying to accomplish and helped guide my research in investigating a malware infected system.

Establish the Scenario’s Scope

The selected scenario has an end goal and can be replicated in a test environment. The next step is to determine the scope of the testing environment. Is the test environment going to be one computer or multiple computers? What operating systems are going to be on the computers? Are there going to be any networking devices such as routers, switches, or firewalls? Another consideration when determining the scope of the testing environment is what resources are available. Is there the necessary hardware and software to build the test environment? I'd like to be able to simulate a test environment of over 20 machines for my malware scenario but I can’t pull it off due to the lack of resources. I had to settle on just a few test systems and I’m still able to simulate my scenario. The above questions are only some of the things that have to be considered when scoping the test environment.

Setting up of the test environment during the next few steps may take some time. Despite the time required, one of the benefits of setting up your own environment is learning about the technology as you install and configure it. For example, if your scenario requires a web server running IIS (Windows Internet Information Service) then setting up IIS will provide a better understanding of what the default settings are and how it can be configured.

Collect Digital Information

At this point, the scenario has been identified, goals have been established, and the testing environment has been identified. The next step is to collect the digital information. The second question in the Alexiou principle states “what data do you need to answer that question”. The data sources in the test environment need to be evaluated to determine which ones can help you answer your question(s). The data sources could include hard drives, memory, logs, or captured network traffic.

Once the data sources of interest are identified then it’s time to research how these sources should be collected and what tools can be used. The amount of research required for this step will depend on the experience of the person conducting this exercise. In some instances, a person will already have a procedure in place for collecting the data sources and will have knowledge of the tools to use so additional research may not be necessary. On the other hand, the person may be facing a new data source(s) so there won’t be a procedure for the collection and the person won’t have knowledge about the tools to use. For example, in one of my scenarios I wanted to collect a hard drive and volatile data. I had experience with hard drives but collecting volatile data was new. I conducted research with the intention of modifying my collection procedures to include volatile data. The research involved reviewing RFC 3227, forensic books, blogs, and forums to determine what procedural steps were required to collect volatile data and what tools could be used to acquire volatile data from a system.

The new procedural steps and tools will need to be evaluated to determine if they work as intended. This evaluation will require a small test environment. Continuing with my volatile data example, I tested the procedural steps I researched and my list of tools to see which one best met my needs. I ran a few tests against Windows XP virtual machines by acquiring the volatile data from them. This not only allowed me to see if the steps were correct and what tool worked best but it also showed me what changes I had to make to the collection steps.

Examine Digital Information

At this point it's time to identify and extract the data required to answer the scenario questions. Continuing on with the Alexiou principle's second question “what data do you need to answer that question”; this question can further identify the data needed to answer the questions. The data sources have already been identified so the next part is to identify what information in those data sources can answer the questions. For example, in my scenario one of my data sources was volatile data so I had to figure out what information I needed from it. Some of the information was the running processes, established network connections, and loaded drivers. Once the exact information in the data sources is identified, the third Alexiou principle comes into play which is "how do you extract the data". Using the volatile data example, this would be determining how to extract the established network connections, loaded drivers, and running processes from the data.

As might be expected, research has to be conducted to decide what information in the data sources is needed to answer the questions and how that information can be extracted. The same types of references used in the collection step can be used such as blogs, forums, and forensic books.

Similar to the collection step, the new examination steps and tools need to be evaluated to see if they work as intended. The evaluation can use available forensic datasets or a small test environment. Forensic datasets can be used for testing different types of data sources and this is a faster option then setting up a test environment. The datasets available for testing the examination steps and tools for the volatile data example include: NIST CFReDS Project, Forensic Educational Datasets, Honeynet Challenges, or the memory images on the Forensic Incident Response blog. If there isn't an available dataset then a small test environment has to be set up. The fourth question of the Alexiou principle is "what does the data tell you". This question should be kept in mind during the evaluation because the purpose of the examination steps and tools are to extract information needed to answer the scenario questions. If the information doesn't help answer the question then additional research may have to be performed so the examination steps and tools can be adjusted.

Scenario Simulation

This step is where all of the hard work of researching and evaluating pays off. The scenario simulation is when the test environment is created and the scenario is simulated in that environment. The first scenario I've been working with is a computer infected with malware, and one of the ways I simulated this scenario was by visiting known malicious websites with a computer running vulnerable software. After the scenario is simulated then the next step is to treat the test environment like a real investigation. The data sources of interest get collected, and information is extracted from those sources to answer the scenario's questions.

Identify Areas for Improvement

Now that the dust has settled from investigating the scenario in a test environment; it's time to reflect back on what was done. The purpose of this step is to see if there is anything to improve upon. A few things for consideration are: did the tools perform as expected, were the procedures correct, what didn't work, and what can be done better. Something else to keep in mind during this reflection is to decide if any additional research has to be performed on any artifacts in order to get a better understanding about them. During my simulation, I didn't have a good understanding about the attack vector artifacts such as those left by exploits. I spent some time researching a few of these artifacts so I'd have a better understanding the next time I come across a similar artifact.

Summary

There isn’t a set time table to complete the forensicator readiness steps. It could take days, weeks, or months to complete. The time all depends on the scenario and how much of an understanding someone wants. People prepare for things differently and forensicator readiness is no different. If the steps can accomplish the end goal of preparing someone to investigate an incident regardless of the circumstances - like it did for me- then the process has served its purpose.

So when someone said to me "I need your help to figure out what caused this infection"; I was ready to rock and roll. I’ve been successful numerous times locating malware on systems and identifying the attack vector that put the malware on the systems. A few of the vectors were: a malicious email attachment, a drive-by download using a malicious PDF, and third party content pointing to a website hosting Windows help center and Java exploits. I don't think my success is a string of luck. It's due to my preparation for a situation I thought I would face sooner or later. It just so happened to be sooner than I was expecting.

Read More

Autoplay and Autorun Exploit Artifacts

Artifact Name

Autoplay & Autorun Exploit Artifacts

Attack Vector Category

Exploit

Description

Microsoft stated the main purpose of Autorun is "to provide a software response to hardware actions that you start on a computer". The software response is to start media or applications on a computer when a drive is mounted to the operating system. Prior to Windows XP, Windows only had the Autorun feature which would start items based on commands in the autorun.inf file located in the root of the drive.

With the release of Windows XP, a new feature called autoplay was included and this feature is enabled by default starting with XP SP2. Autoplay will review a mounted drive for content such as multimedia and will prompt the user to display the content using the appropriate application. Autoplay will start to examine a drive as soon as the drive is mounted and will parse an autorun.inf file if the is present.

The Autorun and Autoplay features have been leverage to automatically start malicious software. One example of this is the w32/Autorun.worm.g (McAfee’s detection). According to McAfee’s write-up, the worm spreads using an autorun.inf to automatically start the worm when the media (removable media or network shares) is connected to a computer.

Attack Description

1. Create an autorun.inf file with a command to launch the intended application.

2. Place the autorun.inf in the root of a drive that will be mounted such as removable media or a network share.

3. Place the application in a location where it can be executed.

4. Have the drive mounted on the target computer in order for the autorun.inf file to be parsed.

Exploits Tested

Two custom autorun.inf files, one file used the open command while the other file used the shellexecute command. A renamed Windows command prompt was the payload of both files.

The open command specifies the application to be started when a drive is mounted. The picture below shows the entire autorun.inf file with the open command.

The shellexecute command uses file association to determine what application is used to launch the file listed in the command. The picture below shows the entire autorun.inf file with the shellexecute command.

Target System Information

* Two Windows XP SP3 virtual machines using an administrative user account (one VM was used for each autorun.inf)

* Two Windows XP SP3 virtual machines using an administrative user account (one VM was used for each autorun.inf)

* Two Windows XP SP2 virtual machines using an administrative user account (one VM was used for each autorun.inf)

* Two Windows XP SP2 virtual machines using an administrative user account (one VM was used for each autorun.inf)

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Tested Software Versions

No difference between XP SP2 and XP SP3

Potential Artifacts

The potential artifacts include the changes in the operating system environment. The artifacts can be grouped in the following two categories:

        * Windows Parsing the Autorun.inf File
        * Registry Modification When Autoplay Window Closes

Note: The testing to locate the exploit artifacts involved using the Autoplay window in XP SP3 while in XP SP2 the removable media icon in My Computer was double clicked to launch the payload. There were minimal exploit artifacts as compared to the artifacts left by the delivery mechanism (removable media) and payload (Windows command prompt). The identified artifact  filenames and values are inside of brackets in order to distinguish what may be unique to the testing environment.

        * Windows Parsing the Autorun.inf File

Windows makes modifications under \Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}\ registry key of the user account that mounted the drive. The modifications are made based on the contents of the autorun.inf file. The picture below highlights the relationship between the commands in the autorun.inf file and the registry modifications.

           - Autorun.inf action command altered the data in MountPoints2\{GUID}\Shell\AutoRun\command\(Default). [data for the open command was E:\dmc-test.exe while data for the shellexecute command was C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dmc-test.exe]

           - Autorun.inf icon command altered the data in MountPoints2\{GUID}\_Autorun\DefaultIcon\(Default). [data was E:\dmc-test.exe,0]

           - Autorun.inf shell open command altered the data in MountPoints2\{GUID}\Shell\open\command\(Default). [data was E:\dmc-test.exe]

           - Autorun.inf shell explore command altered the data in MountPoints2\{GUID}\Shell\explore\command\(Default). [data was E:\dmc-test.exe]

           - Data in MountPoints2\{GUID}\Shell\Autoplay\DropTarget\CLSID was modified. [data was {f26a669a-bcbb-4e37-abf9-7325da15f931}]

        * Registry Modification When Autoplay Window Closes

           - The registry key MountPoints2\{GUID} was modified when the autoplay window closes (the window closes when the payload is executed).

Timeline View of Potential Artifacts

The image below show the above artifacts in a timeline of the registry (system, software, and ntuser.dat hives) from the Windows XP SP3 with an administrator user account (autorun.inf file with the open command). A few entries from the file system timeline were added.

References

   Autoplay Information

Microsoft support article on how to disable autorun http://support.microsoft.com/kb/967715

   Other information

Autorun.inf Wikipedia http://en.wikipedia.org/wiki/Autorun.inf

Autoplay Wikipedia http://en.wikipedia.org/wiki/AutoRun

McAfee W32/Autorun.worm.g AV write-up http://vil.nai.com/vil/content/v_142616.htm

Read More

CVE-2010-2883 (PDF Cooltype) Exploit Artifacts

Artifact Name

Exploit Artifacts for CVE-2010-2883 (PDF Cooltype) Vulnerability

Attack Vector Category

Exploit

Description

Vulnerability present in the Cooltype.dll affects Adobe Reader and Acrobat versions 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X systems. Exploitation allows remote attackers to execute arbitrary code or cause a denial of service.

Attack Description

This description was obtained using the Mitre and ISS X-Force Database references.

1. Create a PDF document with a “long field in a Smart Independent Glyphlets (SING) table in a TTF font".

2. Open the PDF document on the target system.

Exploits Tested

Metasploit v3.5 windows\fileformat\adobe_cooltype_sing

Target System Information

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (No PDF files were opened on system prior to test)

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using non-administrative user account (No PDF files were opened on system prior to test)

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (Non-malicious PDF file was opened on system prior to test)

Different Artifacts based on Administrator Rights

Yes, MFT entry for "Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" was modified when user account had administrative privileges.

Different Artifacts based on Tested Software Versions

Not tested

Potential Artifacts

The potential artifacts include the CVE 2010-2883 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

    * PDF Document Creation

    * References of the PDF Document Being Accessed

    * Indications of the Vulnerable Application Executing

note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

    * PDF Document Creation

note: the location of the PDF document will vary depending on the delivery mechanism involved

         - PDF document being created on the system in the timeframe of interest. [C:\msf-cooltype.pdf which VirusTotal confirmed as being the exploit]

    * References of the PDF Document Being Accessed

note: the artifacts may vary depending on the method used to access the document. For example, Windows Explorer will leave different artifacts as compared to a web browser involved in a drive-by download. The testing involved opening the document using Windows Explorer.

         - Web browser history with entries containing the PDF document. Entries may involve HTTP or file. [Internet Explorer entry file:///C:\msf-cooltype.pdf]

         - Link files of the PDF document being opened. [C:\Documents and Settings\Administrator\Recent\msf-cooltype.pdf.lnk]

        -User registry keys with values containing the PDF document. [HKCU-\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf. This key had the name of the PDF in the MRU]

    * Indications of the Vulnerable Application Executing

         - Prefetch files of the vulnerable application executing. [C:\WINDOWS\Prefetch\ACRORD32.EXE-3A1F13AE.pf and C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-242CE4AA.pf]

         - Registry modifications involving the vulnerable application. [modifications made to subkeys under HKCU-\Software\Adobe\Acrobat Reader\9.0\]

         - Folder activity involving the vulnerable application. [C:\Program Files\Adobe\Reader 9.0, C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0, or C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0]

         - Temp files being created. [C:\Documents and Settings\Administrator\Local Settings\Temp\A9R9E95.tmp. The file signature indicated it was a PDF.]

Timeline View of Potential Artifacts

The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system that had a non-malicious PDF file opened on the system prior to test. The timeline includes the relevant registry and Internet explorer history entires.

References

Vulnerability Information

     Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883

Other Information

     Metasploit Blog Post http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html

     Mila's Contagio Malware Dump David Leadbetter Post

     ISS X-Force Database http://xforce.iss.net/xforce/xfdb/61635

Read More