Don t Let Your Tools Make You Look Bad

Transcription

1 No Substitute for Knowledge Troy Larson TwC Network Security Analytics Microsoft Corp.

2 Tools: Necessary. But not a substitute for knowing. Consider a simple task...

3 Raw bits:

4 Bits to Bytes: Convert to hex (for ASCII/Unicode mapping): x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01 0x40 0x04 0x40+0x04 = 0x44

5 Bytes to Hex: 44 6F 6E C F F 6F 6C D 61 6B F E 6F E 74 2E 0D 0A

6

7 Hex to Text: Don t let your tools make you ignorant.

8 Tools necessary, but not everything.

9 Tools have bugs: Crashes Data is misinterpreted Data is wrong Data is missed

10 Tools have limitations. Works as designed, but not as represented. Works as intended and as represented, but incomplete.

11 Tools have myths: Court approved.

12 Tools shape your view of the reality. The identity that we ascribe to things is only a fictitious one, established by the mind, not a peculiar nature belonging to what we re talking about. -David Hume

13

14

15

16 0: kd>.reload /f Loading Kernel Symbols..*** ERROR: Symbol file could not be found. Defaulted to export symbols for kdcom.dll -...*** ERROR: Module load completed but symbols could not be loaded for iastor.sys...*** ERROR: Module load completed but symbols could not be loaded for PxHlpa64.sys...*** ERROR: Module load completed but symbols could not be loaded for stdflt.sys.*** ERROR: Module load completed but symbols could not be loaded for spldr.sys...*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys...*** ERROR: Module load completed but symbols could not be loaded for iesvc_.sys...*** ERROR: Module load completed but symbols could not be loaded for bcmwl664.sys...*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys...*** ERROR: Module load completed but symbols could not be loaded for SynTP.sys...*** ERROR: Module load completed but symbols could not be loaded for Acceler.sys

17

18 Critical Thinking: Accurate, complete, or evident What you need to know How do you know

19 Any tool can encourage analytical blinds spots CF E $ E x t e n d 00002D H 00002D ( $ I D D D E ` N 00002D50 0B B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì 00002D60 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì 00002D70 B1 47 AC 12 9C 51 CC ±G œqì 00002D & 00002D F A $ O b j I d 00002DA E ` N 00002DB0 0B B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì 00002DC0 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì 00002DD0 B1 47 AC 12 9C 51 CC ±G œqì 00002DE & 00002DF F F8 06 $ Q u o t a ø 00002E00 1A h R 00002E10 0B B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì 00002E20 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì 00002E30 B1 47 AC 12 9C 51 CC ±G œqì 00002E & 00002E $ R e p a r s

20 Proficiency with a forensics tool is not the same as proficiency in digital forensics. Even the best tool is limited by the investigator s understanding.

21 To prevent your tools from making you look bad, you must not rely on them to make you smart. Master the data, not just the tool.

22 Develop an understanding of forensics subject matters outside of [name of favorite forensics tool]. What evidence does an OS offer What evidence does a file format offer A file system The shell Memory

23 Learn to use the whole animal. Thank you Jesse Kornblum

24

25 ARM ReFS Boot Sector Malware Code Sets String Search Internet Linux MRU MFU UTF-8 ASCII CD ROM Office BIFFs FAT ExFAT NTFS Dates EVTX DOS Time Stamp TIF DOS < 3.1 VHDX Prefetch Shell Bags Info2 FAT Undelete Sectors Super Fetch User Assist NTFS DOS 6.1 VSC Windows 95 Registry Hard Drives Floppy Disk Jump Lists Open Office SSD TRIM USN:J Index.dat Unicode Tracks TxR TxF DOS > 3.1 EFS FAT32 X64 Junctions MAC Dates FAT16 VHD.LNK 32 Bit DOS Boot Disks Disk Imaging

26 MAC Dates TIF Don t Let Your Tools Make You Look Bad FAT Undelete FAT ASCII DOS Time Stamp FAT32 FAT16 Sectors EVTX UTF-8 Index.dat Tracks DOS < 3.1 DOS > 3.1 Linux DOS Bit Malware ExFAT Internet VSC VHD EFS SSD VHDX Info2 Registry Office BIFFs Windows 95 Floppy Disk Hard Drives NTFS Unicode Boot Sector X64 Disk Imaging Code Sets String Search DOS Boot Disks TxF Junctions Open Office USN:J.LNK MFU Prefetch TxR MRU User Assist Shell Bags ReFS Super Fetch Jump Lists ARM TRIM NTFS Dates CD ROM

27 Manageable parts: Features and components. PS> ForEach-Object Ask-AboutIt What does it do Is it evidence or can it impact investigation Is it stateful How does it work How can we read its data What does its data tell us

28 Learn about features and components what do they do

29 The critical question is it stateful Does the feature or component appear to store useful information E.g., browser tab and session recovery, link files, prefetch files, etc. Offset A B C D E F 0466E4000 1A F SCCA ð7 0466E4010 4E E 00 N E T S T A T. 0466E E X E 0466E E F 90 5A 5A ZZ 0466E B E4060 F DC FE 0B E ñ Ü' þ à3 0466E E DA D6 4D 9C 1C CF 01 D5 E9 C8 A6 D1 17 CF 01 ÚÖMœ Ï ÕéÈ Ñ Ï 0466E BE 9B CC 22 EA CE E8 58 F7 71 AE CE 01 G¾ Ì"êÎ èx q Î 0466E40A0 0C CE F4 44 6E AE CE B6 1F 6C AE CE 01 ÎôDn Î A l Î 0466E40B0 BC 34 4D C7 69 AE CE D 2F B2 22 AC CE 01 ¼4MÇi Î d /²" Î 0466E40C0 00 8C C Œ G Œ G 0466E40D ( 0466E40E E40F

30 Learn how features and components work.

31 Identity the important data structures and learn how to parse them.

32 What can a feature or component artifact tell us

33 Artifact focused research, studying, and thinking model: What Impact or interesting Proves Stateful Parse Works how

34 Model in action: What Large sectors hard drives: Windows 8 is the first OS with full support for both types of AF disks 512e and 4K Native. Does it matter to forensics Stateful

35 How does it work No cluster slack!

36 How does it work

37 Parse Will [forensics tool] work Not if it expects $MFT FRS size to be 1kb. Proves/Ramifications No cluster slack. Larger resident files. Probably more resident files. Problem for wiping tools Proves What Parse Impact or interest How Stateful

38 Model in action: What A new registry hive. Impact or why does it matter Stateful

39 Think through the model. How What Impact or interest Proves Stateful Parse Registry file parsers. Proves Executable file was there. Parse How

40 Sometimes it works backwards: Offset A B C D E F 1E029A0D C a i t 1E029A0D E E a g e n t. e x 1E029A0D e c f 0 H 1E029A0D E029A0DA E029A0DB p b 1E029A0DC B1 6A b 1'@±j 1E029A0DD0 D C 00 Ð 1E029A0DE S X 1E029A0DF0 E F 00 à p 1E029A0E X X 8 1E029A0E B E 45 4C 2E E $KERNEL.PURGE.ES 1E029A0E BCACHE 8 1E029A0E C A 8A CE *Š WVÎ 1E029A0E E029A0E D 85 0B 94 7E 75 CD 01 FF ] ~uí ÿ 1E029A0E A 00 h 1E029A0E $ T X F 1E029A0E80 5F _ D A T A c f 0 1E029A0E E029A0EA0 C A E È t` ~ 1E029A0EB

41 Sometimes it works backwards: Offset A B C D E F 0C07CED x U 0C07CEDA0 5A FB 1E Z û 0C07CEDB0 82 8B E0 82 1F D4 CE 01 D B3 8A 6E CF 01 à ÔÎ ÐH#³ŠnÏ 0C07CEDC0 5E 5E AA DB F3 6E CF B E0 82 1F D4 CE 01 ^^ªÛónÏ à ÔÎ 0C07CEDD0 00 A H H 0C07CEDE C E 00 W i n 0C07CEDF E H e x 6 4. e 4 0C07CEE D DD B e 1 ( 0C07CEE C07CEE20 D4 DD 73 4A E B D y!g9-0c07cee H 0C07CEE C07CEE A H 0C07CEE H H 0C07CEE A BE D Š 4¾0 Ð 0C07CEE V 0C07CEE C E h l à ˆ 0C07CEEA C W l 0C07CEEB0 6C C B E 45 4C 2E l G $KERNEL. 0C07CEEC E E PURGE.APPID.HASH 0C07CEED0 49 4E 46 4F INFO AID1 0C07CEEE A 75 7F :u H

42 One more thing: Learn to recognize important structures and strings on sight C FILE0 Offset A B C D E F E hbin B E vk 0 èb Offset A B C D E F D 5A FF FF MZ ÿÿ B D B D4 CE B PK Offset A B C D E F D0 CF 11 E0 A1 B1 1A E ÐÏ à ± á E FE FF > þÿ Offset A B C D E F FF D8 FF E A ÿøÿà JFIF

43 The most important forensics tool comes pre-installed, but unformatted.

44 Resources Microsoft: Trial versions on virtual hard drives. Windows Internals, now in 6 th Edition. MSDN. Open Specifications TechNet. SysInternals. Tools and information. A good hex editor.

45 Resources The Internet. Windows Incident Response, by Harlan Carvey. Journey Into Incident Response, Corey Harrell. Grand Stream Dreams, Claus Valca. M-unition, Mandiant. Sans Computer Forensics Blog. Research papers and forensics documentation. Old New Thing, Raymond Chen.

46 Go ahead and fire up your favorite forensics tool.