Don't Let Your Tools Make You Look Bad


No Substitute for Knowledge. Troy Larson, TwC Network Security Analytics, Microsoft Corp.

Tools: necessary, but not a substitute for knowing. Consider a simple task...

Raw bits: 0100010001101111011011101001001001110100 0010000001101100011001010111010000100000 0111100101101111011101010111001000100000 0111010001101111011011110110110001110011 0010000001101101011000010110101101100101 0010000001111001011011110111010100100000 0110100101100111011011100110111101110010 0110000101101110011101000010111000001101 0000101000100000001000000100010001101111

Bits to Bytes: 01000100 01101111 01101110 10010010 01110100 00100000

Convert to hex (for ASCII/Unicode mapping), one byte at a time:
  bit:         0    1    0    0    0    1    0    0
  place value: 0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01
  set bits:    0x40 + 0x04 = 0x44

Bytes to Hex: 44 6F 6E 92 74 20 6C 65 74 20 79 6F 75 72 20 74 6F 6F 6C 73 20 6D 61 6B 65 20 79 6F 75 20 69 67 6E 6F 72 61 6E 74 2E 0D 0A

Hex to Text: Don't let your tools make you ignorant.

(The fourth byte, 0x92, is not 7-bit ASCII: it is the Windows-1252 right single quotation mark. Decoded as ISO-8859-1 it is a C1 control code, and as UTF-8 it is an invalid byte. Which code page a tool assumes decides whether you see an apostrophe, a blank, or garbage.)
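As an added example (not from the slides), the same task in Python: pack the bit string into bytes, print the hex, and decode it, with the step a tool normally hides from you made explicit: byte 0x92 fails under ASCII and UTF-8 and only reads as an apostrophe under Windows-1252. The bit string is the one from the slide; everything else is the example's own.

```python
# Added example, not from the slides: the slide's "simple task" done in code, with the
# decoding step made explicit. The input is the bit string from the slide.
RAW_BITS = (
    "0100010001101111011011101001001001110100"
    "0010000001101100011001010111010000100000"
    "0111100101101111011101010111001000100000"
    "0111010001101111011011110110110001110011"
    "0010000001101101011000010110101101100101"
    "0010000001111001011011110111010100100000"
    "0110100101100111011011100110111101110010"
    "0110000101101110011101000010111000001101"
    "0000101000100000001000000100010001101111"
)


def bits_to_bytes(bits: str) -> bytes:
    """Pack a string of '0'/'1' characters into bytes, most significant bit first."""
    clean = "".join(bits.split())
    if len(clean) % 8 or set(clean) - {"0", "1"}:
        raise ValueError("input must be a whole number of 8-bit groups of 0/1")
    return bytes(int(clean[i:i + 8], 2) for i in range(0, len(clean), 8))


def bit_place_values(byte: int) -> list:
    """The slide's hex step: which place values 0x80..0x01 are set (0x44 -> [0x40, 0x04])."""
    return [1 << n for n in range(7, -1, -1) if byte >> n & 1]


def bytes_to_hex(data: bytes) -> str:
    return " ".join(f"{b:02X}" for b in data)


def decode_strict(data: bytes, codecs=("ascii", "utf-8", "cp1252")) -> dict:
    """Decode under each code page with errors='strict'. A failure is recorded rather than
    papered over with replacement characters: which byte broke, under which codec, is the
    point of the exercise."""
    out = {}
    for codec in codecs:
        try:
            out[codec] = data.decode(codec)
        except UnicodeDecodeError as exc:
            out[codec] = f"<undecodable: 0x{data[exc.start]:02X} at offset {exc.start}>"
    return out


if __name__ == "__main__":
    data = bits_to_bytes(RAW_BITS)
    print(bytes_to_hex(data))
    for codec, text in decode_strict(data).items():
        print(f"{codec:>7}: {text!r}")
```

Note that the slide's bit string runs 45 bytes: past the CR/LF it already carries the two spaces and "Do" of the next sentence, which the hex line above stops short of.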

Tools necessary, but not everything.

Tools have bugs:
  Crashes.
  Data is misinterpreted.
  Data is wrong.
  Data is missed.

Tools have limitations:
  Works as designed, but not as represented.
  Works as intended and as represented, but incomplete.

Tools have myths: "court approved." Courts rule on the admissibility of evidence and the reliability of an examiner's method in a particular case; no court issues a blanket approval of a tool, and a tool's output is only as good as the examiner who can explain it.

Tools shape your view of reality. "The identity that we ascribe to things is only a fictitious one, established by the mind, not a peculiar nature belonging to what we're talking about." - David Hume

Even the kernel debugger: with no symbols for third-party drivers it falls back to export symbols and tells you so. A tool that falls back silently is the one to worry about.

0: kd> .reload /f
Loading Kernel Symbols
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for kdcom.dll -
*** ERROR: Module load completed but symbols could not be loaded for iastor.sys
*** ERROR: Module load completed but symbols could not be loaded for PxHlpa64.sys
*** ERROR: Module load completed but symbols could not be loaded for stdflt.sys
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for iesvc_.sys
*** ERROR: Module load completed but symbols could not be loaded for bcmwl664.sys
*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
*** ERROR: Module load completed but symbols could not be loaded for SynTP.sys
*** ERROR: Module load completed but symbols could not be loaded for Acceler.sys

Critical thinking: Is it accurate, complete, or evident? What do you need to know? How do you know it?

Any tool can encourage analytical blind spots. The dump below is the $Extend directory's $INDEX_ROOT attribute (type 0x90, index name $I30): index entries for $ObjId, $Quota and $Reparse, each carrying the four $FILE_NAME timestamps as FILETIMEs (the repeated B1 47 AC 12 9C 51 CC 01). A tool's directory listing shows you three names; the raw bytes show you everything the tool decided not to decode.

00002CF0 07 03 24 00 45 00 78 00 74 00 65 00 6E 00 64 00 $ E x t e n d
00002D00 90 00 00 00 48 02 00 00 00 04 18 00 00 00 04 00 H
00002D10 28 02 00 00 20 00 00 00 24 00 49 00 33 00 30 00 ( $ I 3 0
00002D20 30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00 0
00002D30 10 00 00 00 18 02 00 00 18 02 00 00 00 00 00 00
00002D40 19 00 00 00 00 00 01 00 60 00 4E 00 00 00 00 00 ` N
00002D50 0B 00 00 00 00 00 0B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì
00002D60 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì
00002D70 B1 47 AC 12 9C 51 CC 01 00 00 00 00 00 00 00 00 ±G œqì
00002D80 00 00 00 00 00 00 00 00 26 00 00 20 00 00 00 00 &
00002D90 06 00 24 00 4F 00 62 00 6A 00 49 00 64 00 00 00 $ O b j I d
00002DA0 18 00 00 00 00 00 01 00 60 00 4E 00 00 00 00 00 ` N
00002DB0 0B 00 00 00 00 00 0B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì
00002DC0 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì
00002DD0 B1 47 AC 12 9C 51 CC 01 00 00 00 00 00 00 00 00 ±G œqì
00002DE0 00 00 00 00 00 00 00 00 26 00 00 20 00 00 00 00 &
00002DF0 06 00 24 00 51 00 75 00 6F 00 74 00 61 00 F8 06 $ Q u o t a ø
00002E00 1A 00 00 00 00 00 01 00 68 00 52 00 00 00 00 00 h R
00002E10 0B 00 00 00 00 00 0B 00 B1 47 AC 12 9C 51 CC 01 ±G œqì
00002E20 B1 47 AC 12 9C 51 CC 01 B1 47 AC 12 9C 51 CC 01 ±G œqì ±G œqì
00002E30 B1 47 AC 12 9C 51 CC 01 00 00 00 00 00 00 00 00 ±G œqì
00002E40 00 00 00 00 00 00 00 00 26 00 00 20 00 00 00 00 &
00002E50 08 00 24 00 52 00 65 00 70 00 61 00 72 00 73 00 $ R e p a r s

Proficiency with a forensics tool is not the same as proficiency in digital forensics. Even the best tool is limited by the investigator's understanding.

To prevent your tools from making you look bad, you must not rely on them to make you smart. Master the data, not just the tool.

Develop an understanding of forensics subject matter outside of [name of favorite forensics tool]:
  What evidence does an OS offer?
  What evidence does a file format offer?
  A file system?
  The shell?
  Memory?

Learn to use the whole animal. (Thank you, Jesse Kornblum.)

(Word cloud of subject areas: ARM, ReFS, Boot Sector, Malware, Code Sets, String Search, Internet, Linux, MRU, MFU, UTF-8, ASCII, CD ROM, Office BIFFs, FAT, ExFAT, NTFS Dates, EVTX, DOS Time Stamp, TIF, DOS < 3.1, VHDX, Prefetch, Shell Bags, Info2, FAT Undelete, Sectors, Super Fetch, User Assist, NTFS, DOS 6.1, VSC, Windows 95, Registry, Hard Drives, Floppy Disk, Jump Lists, Open Office, SSD TRIM, USN:J, Index.dat, Unicode, Tracks, TxR, TxF, DOS > 3.1, EFS, FAT32, X64, Junctions, MAC Dates, FAT16, VHD, .LNK, 32 Bit, DOS Boot Disks, Disk Imaging.)

Manageable parts: features and components.

PS> ForEach-Object Ask-AboutIt
  What does it do?
  Is it evidence, or can it impact the investigation?
  Is it stateful?
  How does it work?
  How can we read its data?
  What does its data tell us?

Learn about features and components: what do they do?

The critical question: is it stateful? Does the feature or component appear to store useful information? E.g., browser tab and session recovery, link files, prefetch files, etc.

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0466E4000 1A 00 00 00 53 43 43 41 11 00 00 00 F0 37 00 00 SCCA ð7
0466E4010 4E 00 45 00 54 00 53 00 54 00 41 00 54 00 2E 00 N E T S T A T .
0466E4020 45 00 58 00 45 00 00 00 00 00 00 00 00 00 00 00 E X E
0466E4030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0466E4040 00 00 00 00 00 00 00 00 00 00 00 00 8F 90 5A 5A ZZ
0466E4050 00 00 00 00 30 01 00 00 1B 00 00 00 90 04 00 00 0
0466E4060 F1 02 00 00 DC 27 00 00 FE 0B 00 00 E0 33 00 00 ñ Ü' þ à3
0466E4070 02 00 00 00 10 04 00 00 05 00 00 00 01 00 00 00
0466E4080 15 DA D6 4D 9C 1C CF 01 D5 E9 C8 A6 D1 17 CF 01 ÚÖMœ Ï ÕéÈ Ñ Ï
0466E4090 47 BE 9B CC 22 EA CE 01 85 E8 58 F7 71 AE CE 01 G¾ Ì"êÎ èx q Î
0466E40A0 0C CE F4 44 6E AE CE 01 97 41 B6 1F 6C AE CE 01 ÎôDn Î A l Î
0466E40B0 BC 34 4D C7 69 AE CE 01 64 9D 2F B2 22 AC CE 01 ¼4MÇi Î d /²" Î
0466E40C0 00 8C 86 47 00 00 00 00 00 8C 86 47 00 00 00 00 Œ G Œ G
0466E40D0 28 00 00 00 05 00 00 00 02 00 00 00 00 00 00 00 (
0466E40E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0466E40F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
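An added example, not from the slides, for the Parse step of the two structures shown above: the FILETIME repeated in the $Extend index entries (the B1 47 AC 12 9C 51 CC 01 run) and the version 26 (Windows 8) prefetch header for NETSTAT.EXE. The bytes are transcribed from the two dumps; the field offsets follow the publicly documented prefetch layout (as in libscca's format notes), and the version 17 and 23 offsets come from the same documentation even though only version 26 is exercised here.

```python
# Added example, not from the slides: decode FILETIMEs and a prefetch header by hand.
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw) -> datetime:
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = struct.unpack("<Q", raw)[0] if isinstance(raw, (bytes, bytearray)) else int(raw)
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


# The timestamp that appears four times in each $Extend index entry (slide dump above).
EXTEND_INDEX_FILETIME = bytes.fromhex("B1 47 AC 12 9C 51 CC 01")

# First 0x100 bytes of NETSTAT.EXE's prefetch file, transcribed from the slide dump.
PREFETCH_HEADER = bytes.fromhex(
    "1A 00 00 00 53 43 43 41 11 00 00 00 F0 37 00 00 "
    "4E 00 45 00 54 00 53 00 54 00 41 00 54 00 2E 00 "
    "45 00 58 00 45 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 8F 90 5A 5A "
    "00 00 00 00 30 01 00 00 1B 00 00 00 90 04 00 00 "
    "F1 02 00 00 DC 27 00 00 FE 0B 00 00 E0 33 00 00 "
    "02 00 00 00 10 04 00 00 05 00 00 00 01 00 00 00 "
    "15 DA D6 4D 9C 1C CF 01 D5 E9 C8 A6 D1 17 CF 01 "
    "47 BE 9B CC 22 EA CE 01 85 E8 58 F7 71 AE CE 01 "
    "0C CE F4 44 6E AE CE 01 97 41 B6 1F 6C AE CE 01 "
    "BC 34 4D C7 69 AE CE 01 64 9D 2F B2 22 AC CE 01 "
    "00 8C 86 47 00 00 00 00 00 8C 86 47 00 00 00 00 "
    "28 00 00 00 05 00 00 00 02 00 00 00 00 00 00 00 "
    + "00 " * 32
)

# (last-run times offset, number of FILETIMEs there, run-count offset) per format version.
PREFETCH_LAYOUTS = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}


def parse_prefetch_header(buf: bytes) -> dict:
    """Pull the fields an examiner cares about out of an uncompressed prefetch header."""
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", buf, 0)
    if signature != b"SCCA":
        # Windows 10 .pf files start with "MAM" and are LZXPRESS-Huffman compressed.
        raise ValueError("no SCCA signature: not a prefetch file, or still compressed")
    if version not in PREFETCH_LAYOUTS:
        raise ValueError(f"prefetch format version {version} not handled here")
    times_off, n_times, count_off = PREFETCH_LAYOUTS[version]
    exe_name = buf[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", buf, 0x4C)[0]
    volumes_off, _n_volumes, volumes_size = struct.unpack_from("<III", buf, 0x6C)
    raw_times = [buf[times_off + 8 * i:times_off + 8 * (i + 1)] for i in range(n_times)]
    return {
        "version": version,
        "file_size": file_size,
        "exe_name": exe_name,
        "hash": prefetch_hash,
        "pf_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        # Most recent first; unused slots are all zero and are dropped.
        "last_runs": [filetime_to_datetime(t) for t in raw_times if any(t)],
        "run_count": struct.unpack_from("<I", buf, count_off)[0],
        # Independent sanity check on the layout: the volume block ends where the file ends.
        "size_consistent": volumes_off + volumes_size == file_size,
    }


if __name__ == "__main__":
    print("$Extend entry timestamp:", filetime_to_datetime(EXTEND_INDEX_FILETIME))
    for key, value in parse_prefetch_header(PREFETCH_HEADER).items():
        print(f"{key:>16}: {value}")
```

The size check is the kind of cross-check worth keeping in any parser you write: it costs one addition and catches a wrong offset table before it produces confident nonsense.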

Learn how features and components work.

Identify the important data structures and learn how to parse them.

What can a feature or component artifact tell us?

Artifact-focused research, studying, and thinking model (diagram):
  What is it?
  Impact, or why is it interesting?
  Is it stateful?
  How does it work?
  Can we parse it?
  What does it prove?

Model in action: large-sector hard drives.

What: Windows 8 is the first OS with full support for both types of Advanced Format disks, 512e and 4K native.

Impact: does it matter to forensics? Stateful?

How does it work: on a 4K-native disk the sector is 4096 bytes, so with the default 4 KB cluster a cluster is a single sector. No cluster slack! There are no untouched sectors between the end of a file's data and the end of its last cluster; the only slack left is the zero-filled tail of the last written sector. The $MFT file record segment (FRS) grows from 1 KB to 4 KB as well, since a record cannot be smaller than a sector.

Parse: will [forensics tool] work? Not if it expects the $MFT FRS size to be 1 KB.

Proves/ramifications: no cluster slack; larger resident files; probably more resident files; a problem for wiping tools.
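An added example, not from the slides, of the Parse step for this case: read the cluster size and the MFT record size from the NTFS boot sector instead of assuming 1 KB, then compare the slack the same file leaves on a 512-byte-sector volume and on a 4K-native one. Both boot sectors are constructed here (only the BPB fields the parser reads are filled in); the field offsets are the documented NTFS BPB layout, and the value of 1 cluster in the 4Kn record-size field is an assumption, since any encoding that decodes to 4096 bytes serves the point.

```python
# Added example, not from the slides: NTFS geometry from the boot sector, and file slack
# on 512-byte-sector versus 4K-native volumes. Boot sectors are constructed, not captured.
import struct


def build_ntfs_boot_sector(bytes_per_sector: int, sectors_per_cluster: int,
                           frs_field: int, index_field: int = 0x01) -> bytes:
    """Constructed boot sector carrying only the BPB fields this example reads."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                        # jump instruction
    bs[3:11] = b"NTFS    "                           # OEM ID
    struct.pack_into("<HB", bs, 0x0B, bytes_per_sector, sectors_per_cluster)
    bs[0x15] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, 0x1000000)      # total sectors (arbitrary)
    struct.pack_into("<Q", bs, 0x30, 0xC0000)        # $MFT start cluster (arbitrary)
    struct.pack_into("<Q", bs, 0x38, 0x2)            # $MFTMirr start cluster (arbitrary)
    bs[0x40] = frs_field                             # clusters per file record segment
    bs[0x44] = index_field                           # clusters per index buffer
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def _size_from_field(field: int, cluster_size: int) -> int:
    # Positive: a count of clusters. Negative: the size is 2**abs(field) bytes, which is how
    # NTFS expresses a 1 KB record on a volume with 4 KB clusters (0xF6 = -10 -> 1024).
    return (1 << -field) if field < 0 else field * cluster_size


def parse_ntfs_geometry(bs: bytes) -> dict:
    """Read the numbers a parser must take from the volume rather than assume."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    cluster_size = bytes_per_sector * sectors_per_cluster
    frs_field = struct.unpack_from("<b", bs, 0x40)[0]        # signed byte, see above
    index_field = struct.unpack_from("<b", bs, 0x44)[0]
    mft_cluster = struct.unpack_from("<Q", bs, 0x30)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "mft_record_size": _size_from_field(frs_field, cluster_size),
        "index_record_size": _size_from_field(index_field, cluster_size),
        "mft_offset": mft_cluster * cluster_size,
    }


def file_slack(file_size: int, bytes_per_sector: int, cluster_size: int) -> dict:
    """Split the slack in a file's last cluster into the zero-filled tail of the last
    written sector and the whole sectors after it that NTFS never writes."""
    if file_size == 0:
        return {"sector_padding": 0, "untouched_sectors": 0, "untouched_bytes": 0}
    clusters = -(-file_size // cluster_size)                   # ceiling division
    used_in_last = file_size - (clusters - 1) * cluster_size
    sectors_written = -(-used_in_last // bytes_per_sector)
    untouched = cluster_size // bytes_per_sector - sectors_written
    return {
        "sector_padding": sectors_written * bytes_per_sector - used_in_last,
        "untouched_sectors": untouched,
        "untouched_bytes": untouched * bytes_per_sector,
    }


if __name__ == "__main__":
    for label, bs in (("512-byte sectors", build_ntfs_boot_sector(512, 8, 0xF6)),
                      ("4K native", build_ntfs_boot_sector(4096, 1, 0x01))):
        geo = parse_ntfs_geometry(bs)
        print(label, geo, file_slack(5000, geo["bytes_per_sector"], geo["cluster_size"]))
```

With a 4 KB cluster on both volumes, a 5000-byte file leaves six never-written 512-byte sectors behind on the first volume and none on the second; a carver that counts on cluster slack, or a wiper that only overwrites allocated clusters, behaves differently on the two even though the cluster size is identical.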

Model in action: a new registry hive.

What: a new registry hive. Impact, or why does it matter? Stateful?

Think through the model: How does it work? Parse: registry file parsers. Proves: an executable file was there.

Sometimes it works backwards: an unfamiliar string in the raw data sends you off to learn which feature wrote it. Here a file record carries an $EA attribute (type 0xE0) holding the name $KERNEL.PURGE.ESBCACHE and a $LOGGED_UTILITY_STREAM (type 0x100) named $TXF_DATA:

Offset     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
1E029A0D60 20 00 00 00 00 00 00 00 0C 03 61 00 69 00 74 00 a i t
1E029A0D70 61 00 67 00 65 00 6E 00 74 00 2E 00 65 00 78 00 a g e n t . e x
1E029A0D80 65 00 63 00 66 00 30 00 80 00 00 00 48 00 00 00 e c f 0 H
1E029A0D90 01 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00
1E029A0DA0 26 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 & @
1E029A0DB0 00 70 02 00 00 00 00 00 00 62 02 00 00 00 00 00 p b
1E029A0DC0 00 62 02 00 00 00 00 00 31 27 40 B1 6A 00 00 00 b 1'@±j
1E029A0DD0 D0 00 00 00 20 00 00 00 00 00 00 00 00 00 0C 00 Ð
1E029A0DE0 08 00 00 00 18 00 00 00 53 00 00 00 58 00 00 00 S X
1E029A0DF0 E0 00 00 00 70 00 00 00 00 00 00 00 00 00 0F 00 à p
1E029A0E00 58 00 00 00 18 00 00 00 58 00 00 00 00 16 38 00 X X 8
1E029A0E10 24 4B 45 52 4E 45 4C 2E 50 55 52 47 45 2E 45 53 $KERNEL.PURGE.ES
1E029A0E20 42 43 41 43 48 45 00 38 00 00 00 02 00 02 00 02 BCACHE 8
1E029A0E30 00 00 00 0C 00 00 00 80 2A 8A 89 57 56 CE 01 00 *Š WVÎ
1E029A0E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1E029A0E50 00 00 00 00 00 00 00 5D 85 0B 94 7E 75 CD 01 FF ] ~uí ÿ
1E029A0E60 00 01 00 00 68 00 00 00 00 09 18 00 00 00 0A 00 h
1E029A0E70 38 00 00 00 30 00 00 00 24 00 54 00 58 00 46 00 8 0 $ T X F
1E029A0E80 5F 00 44 00 41 00 54 00 41 00 63 00 66 00 30 00 _ D A T A c f 0
1E029A0E90 05 00 00 00 00 00 05 00 01 00 00 00 01 00 00 00
1E029A0EA0 C8 03 04 00 00 00 00 00 0A 74 60 00 7E 00 00 00 È t` ~
1E029A0EB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Sometimes it works backwards: again an $EA attribute (type 0xE0), this time carrying $KERNEL.PURGE.APPID.HASHINFO:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0C07CED90 30 00 00 00 78 00 00 00 00 00 00 00 00 00 55 00 0 x U
0C07CEDA0 5A 00 00 00 18 00 01 00 FB 1E 00 00 00 00 07 00 Z û
0C07CEDB0 82 8B E0 82 1F D4 CE 01 D0 48 23 B3 8A 6E CF 01 à ÔÎ ÐH#³ŠnÏ
0C07CEDC0 5E 5E AA DB F3 6E CF 01 82 8B E0 82 1F D4 CE 01 ^^ªÛónÏ à ÔÎ
0C07CEDD0 00 A0 48 00 00 00 00 00 00 94 48 00 00 00 00 00 H H
0C07CEDE0 20 00 04 00 00 00 00 00 0C 00 57 00 69 00 6E 00 W i n
0C07CEDF0 48 00 65 00 78 00 36 00 34 00 2E 00 65 00 34 00 H e x 6 4 . e 4
0C07CEE00 65 00 31 0D DD B5 02 00 40 00 00 00 28 00 00 00 e 1 ݵ @ (
0C07CEE10 00 00 00 00 00 00 05 00 10 00 00 00 18 00 00 00
0C07CEE20 D4 DD 73 4A 12 40 E3 11 82 79 00 1B 21 67 39 2D ÔÝsJ @ã y!g9-
0C07CEE30 80 00 00 00 48 00 00 00 01 00 00 00 00 00 01 00 H
0C07CEE40 00 00 00 00 00 00 00 00 89 04 00 00 00 00 00 00
0C07CEE50 40 00 00 00 00 00 00 00 00 A0 48 00 00 00 00 00 @ H
0C07CEE60 00 94 48 00 00 00 00 00 00 94 48 00 00 00 00 00 H H
0C07CEE70 32 8A 04 34 BE 30 00 00 D0 00 00 00 20 00 00 00 2Š 4¾0 Ð
0C07CEE80 00 00 00 00 00 00 56 00 08 00 00 00 18 00 00 00 V
0C07CEE90 68 00 00 00 6C 00 00 00 E0 00 00 00 88 00 00 00 h l à ˆ
0C07CEEA0 00 00 00 00 00 00 57 00 6C 00 00 00 18 00 00 00 W l
0C07CEEB0 6C 00 00 00 00 1C 47 00 24 4B 45 52 4E 45 4C 2E l G $KERNEL.
0C07CEEC0 50 55 52 47 45 2E 41 50 50 49 44 2E 48 41 53 48 PURGE.APPID.HASH
0C07CEED0 49 4E 46 4F 00 00 00 00 41 49 44 31 00 00 00 00 INFO AID1
0C07CEEE0 14 00 00 00 20 00 00 00 97 3A 75 7F 18 05 48 92 :u H

One more thing: learn to recognize important structures and strings on sight.

46 49 4C 45 30 00 03 00  FILE0
(NTFS MFT file record header; the 30 00 03 00 that follows is the update sequence array offset and count)

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000002000 68 62 69 6E 00 10 00 00 00 10 00 00 00 00 00 00 hbin
000002010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002020 20 00 00 00 76 6B 03 00 30 03 00 00 E8 42 00 00 vk 0 èb
(registry hive: an hbin block header, then a vk value-key cell)

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ ÿÿ
000000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @
000000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(MZ: DOS/PE executable header)

51 7D B8 02 44 D4 CE 01
(a little-endian FILETIME; the trailing CC 01, CE 01 and CF 01 pairs in the dumps above are the same thing, and once seen they are hard to miss)

50 4B 03 04 14 00 02 00  PK
(ZIP local file header; Office Open XML documents and other zip-based containers start this way)

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000000 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 ÐÏ à ± á
000000010 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 > þÿ
(OLE2 compound file, the legacy Office binary container)

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 ÿøÿà JFIF
(JPEG with a JFIF APP0 segment)
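An added example (not from the slides) of putting those signatures to work: a scanner that finds each one at any offset in a buffer and reads the one or two fields worth reading on sight (the FILE0 update-sequence count gives the record size, an MZ only counts if e_lfanew lands on a PE stamp, the OLE header carries its sector size). The buffer is constructed here from the slide's snippets, padded and deliberately unaligned, plus a decoy "MZ" with no PE header; the bytes the slide does not show (e_lfanew, the PE stamp, the ZIP method, the JFIF Y density) are assumptions added so those fields can be parsed.

```python
# Added example, not from the slides: a signature scanner over a constructed buffer.
import re
import struct


def _file_record(buf, off):
    # FILE0 is followed by the update sequence array offset and count; (count - 1) is
    # the number of sectors the record spans, so the count alone gives the record size.
    if off + 8 > len(buf):
        return None
    usa_offset, usa_count = struct.unpack_from("<HH", buf, off + 4)
    return {"usa_offset": usa_offset, "usa_count": usa_count,
            "record_size": (usa_count - 1) * 512}     # assumes 512-byte sectors


def _hbin(buf, off):
    if off + 12 > len(buf):
        return None
    offset, size = struct.unpack_from("<II", buf, off + 4)
    return {"hbin_offset": offset, "hbin_size": size}


def _mz(buf, off):
    # "MZ" on its own is two bytes of noise; demand that e_lfanew points at "PE\0\0".
    if off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 4 > len(buf) or buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    return {"e_lfanew": e_lfanew}


def _zip_local(buf, off):
    if off + 10 > len(buf):
        return None
    version, flags, method = struct.unpack_from("<HHH", buf, off + 4)
    return {"version_needed": version, "flags": flags, "method": method}


def _ole2(buf, off):
    if off + 0x20 > len(buf):
        return None
    minor, major, _byte_order, sector_shift = struct.unpack_from("<HHHH", buf, off + 0x18)
    return {"major": major, "minor": minor, "sector_size": 1 << sector_shift}


def _jfif(buf, off):
    if off + 18 > len(buf):
        return None
    major, minor, _units, xd, yd = struct.unpack_from(">BBBHH", buf, off + 11)
    return {"version": f"{major}.{minor:02d}", "density": (xd, yd)}


SIGNATURES = [
    ("NTFS FILE record",  rb"FILE0",                            _file_record),
    ("Registry hive bin", rb"hbin",                             _hbin),
    ("DOS/PE executable", rb"MZ",                               _mz),
    ("ZIP local header",  rb"PK\x03\x04",                       _zip_local),
    ("OLE2 compound doc", rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", _ole2),
    ("JPEG (JFIF)",       rb"\xFF\xD8\xFF\xE0..JFIF\x00",       _jfif),
]


def scan_signatures(buf: bytes) -> list:
    """Return (offset, name, fields) for every signature whose follow-up check passes."""
    hits = []
    for name, pattern, parse in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            fields = parse(buf, m.start())
            if fields is not None:
                hits.append((m.start(), name, fields))
    return sorted(hits, key=lambda h: h[0])


# Constructed buffer: the slide's snippets at unaligned offsets with filler between them.
_MZ = bytes.fromhex("4D5A90000300000004000000FFFF0000"
                    "B8000000000000004000000000000000"
                    "00000000000000000000000000000000") \
    + bytes(12) + struct.pack("<I", 0x40) + b"PE\x00\x00"        # e_lfanew and PE stamp assumed
SAMPLE = b"".join([
    b"\xAA" * 3,
    bytes.fromhex("46494C4530000300"),                            # FILE0, USA at 0x30, count 3
    b"\xAA" * 5,
    bytes.fromhex("6862696E0010000000100000") + bytes(20),       # hbin, offset/size 0x1000
    b"\xAA" * 3,
    _MZ,
    b"\xAA" * 2,
    bytes.fromhex("504B030414000200 0800"),                       # PK.., method 8 assumed
    bytes.fromhex("D0CF11E0A1B11AE1") + bytes(16) + bytes.fromhex("3E000300FEFF0900"),
    bytes.fromhex("FFD8FFE0 0010 4A46494600 0101 01 0048 0048"), # Y density assumed
    b"decoy MZ with no PE header",
])

if __name__ == "__main__":
    for off, name, fields in scan_signatures(SAMPLE):
        print(f"0x{off:04X} {name:<18} {fields}")
```

The FILE0 check is the one to remember from the large-sector discussion: a count of 3 means a 1 KB record, a count of 9 a 4 KB record on 512-byte sectors, and a parser can read that from the record itself instead of trusting a constant.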

The most important forensics tool comes pre-installed, but unformatted.

Resources
  Microsoft: trial versions on virtual hard drives.
  Windows Internals, now in its 6th edition.
  MSDN.
  Open Specifications: http://www.microsoft.com/openspecifications/
  TechNet.
  SysInternals: tools and information.
  A good hex editor.

Resources
  The Internet.
  Windows Incident Response, by Harlan Carvey: http://windowsir.blogspot.com/
  Journey Into Incident Response, Corey Harrell: http://journeyintoir.blogspot.com/
  Grand Stream Dreams, Claus Valca: http://grandstreamdreams.blogspot.com/
  M-unition, Mandiant: https://www.mandiant.com/blog/
  SANS Computer Forensics Blog: http://computer-forensics.sans.org/blog
  Research papers and forensics documentation: http://computer-forensics.sans.org/community/whitepapers
  The Old New Thing, Raymond Chen: http://blogs.msdn.com/b/oldnewthing/

Go ahead and fire up your favorite forensics tool.