If you are working in the Global Company environment, where you have multiple Domain Controller (Authentication) Server all around the world location. Please make sure all the DC timezone setting are set properly according to the location. In digital forensics world "Date & Time" is very critical and important!.
Beside that, if you have Central Log Management Server, please make sure it has the capability to translate the timezone captured to GMT time setting once it log in the server. This will make your life easy. Else you will need to translate the time manually when you want to trace the actual incident happen.
Domain Logon Event Log is the best place to trace where the subject have gone and your starting point for forensics case investigation.
Tuesday, November 29, 2011
Monday, November 14, 2011
Unified Extensible Firmware Interface - UEFI
According to the article below "UEFI" will be replacing BIOS by 2012/13. We just wait an see.
Q: What is UEFI?
A: UEFI (Unified Extensible Firmware Interface) will be a specification detailing an interface that helps hand off control of the system for the pre-boot environment (i.e.: after the system is powered on, but before the operating system starts) to an operating system, such as Windows* or Linux*. UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards.
URL: http://www.uefi.org/about/
This sure will give an impact to the Digital Forensics work in some way. More ways for data storage and malware/virus to hide. ;).
Goodbye BIOS, hello UEFI
"UEFI is a mini-operating system that sits on top of a computer's hardware and firmware. Instead of being stored in firmware, as is the BIOS, the UEFI code is stored in the /EFI/ directory in non-volatile memory. Thus, UEFI can be in NAND flash memory on the motherboard or it can reside on a hard drive, or even on a network share."
UEFI System control from Asus
Details: http://www.itworld.com/hardware/222791/goodbye-bios-hello-uefi?page=0,1Q: What is UEFI?
A: UEFI (Unified Extensible Firmware Interface) will be a specification detailing an interface that helps hand off control of the system for the pre-boot environment (i.e.: after the system is powered on, but before the operating system starts) to an operating system, such as Windows* or Linux*. UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards.
URL: http://www.uefi.org/about/
This sure will give an impact to the Digital Forensics work in some way. More ways for data storage and malware/virus to hide. ;).
Thursday, November 10, 2011
Investigate and Verify an SSL or code signing certificate
These day you can hear a lot of news regarding certificate compromise issues in the news as below link:
Malware Signed With a Governmental Signing Key
URL: http://www.f-secure.com/weblog/archives/00002269.html
Experts weigh in on Comodo SSL certificate fraud
URL: http://www.scmagazineus.com/experts-weigh-in-on-comodo-ssl-certificate-fraud/article/199109/
DigiNotar said attack is to blame for certificate compromise
URL: http://www.scmagazineus.com/diginotar-said-attack-is-to-blame-for-certificate-compromise/article/210891/
If you need to investigate or validate who is the owner of specific SSL Certificate, you can get the information from below link. It is an online search database for an SSL or code signing certificate provided by VeriSign Authentication Services. This is one of the provider. You can also Google around for more. ;)
URL: https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP
Malware Signed With a Governmental Signing Key
URL: http://www.f-secure.com/weblog/archives/00002269.html
Experts weigh in on Comodo SSL certificate fraud
URL: http://www.scmagazineus.com/experts-weigh-in-on-comodo-ssl-certificate-fraud/article/199109/
DigiNotar said attack is to blame for certificate compromise
URL: http://www.scmagazineus.com/diginotar-said-attack-is-to-blame-for-certificate-compromise/article/210891/
If you need to investigate or validate who is the owner of specific SSL Certificate, you can get the information from below link. It is an online search database for an SSL or code signing certificate provided by VeriSign Authentication Services. This is one of the provider. You can also Google around for more. ;)
URL: https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP
Monday, November 7, 2011
Recovering and identifing the owner of the NTUSER.DAT from a re-format Windows OS hard disk
Challenges:
Suspect manage to reformat the desktop machine before the raid.
Objective:
To recover and identify the owner of the "NTUSER.DAT" registry file from a re-format Windows OS hard disk.
Research:
Found one good mini-whitepaper from Andrew Case regarding "Recovering and Analyzing Deleted Registry Files" at http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html. I can use some of the steps to speed up my process.
I used Encase to do the data recovery process. Once the recovery process completed, I filter out the files and extract "NTUSER.DAT" files using "copy folder" feature. Now I have about 10 "NTUSER.DAT" files in their original folder structure ready to inspect. So, which one is the valid registry files?
Base on the mini-whitepaper, I can use "reglookup.exe" to validate the good registry files. Here the author used one-liner bash scripting, but I am on Windows platform now. Ok, here come some creative thinking to polish up my MS Dos batch scripting. I have created 2 batch files which is "Generate_File_Listing.bat" to list down the NTUSER.DAT files path and "Find_Valid_Registry_Hive.bat" to validate the registry files as below.
File Name: Generate_File_Listing.bat
@Echo Off
SetLocal EnableDelayedExpansion
Set N=
Set ReglookupOutputFolder="D:\CaseID\Registry_Analysis\reglookup-output\"
Set EvidenceFolder="D:\CaseID\Registry_Analysis\Evidence\"
For /R %EvidenceFolder% %%a in (*.DAT) DO (
Set /a N+=1
echo !N!-%%a >> %ReglookupOutputFolder%\List_of_NTUSER.DAT.txt
)
File Name: Find_Valid_Registry_Hive.bat
@Echo Off
SetLocal EnableDelayedExpansion
Set N=
Set ReglookupExe="C:\Tools\reglookup-win32-1.0.1\reglookup.exe"
Set ReglookupOutputFolder="D:\CaseID\Registry_Analysis\reglookup-output\"
Set EvidenceFolder="D:\CaseID\Registry_Analysis\Evidence\"
For /R %EvidenceFolder% %%a in (*.DAT) DO (
Set /a N+=1
%ReglookupExe% "%%a" > %ReglookupOutputFolder%\result-!N!.txt
)
Here is the result:
So now I know that I got only 2 "NTUSER.DAT" valid registry files to check. The rest of the files is not valid since the result file is 0 KB. Next I need to check who is the owner of the "NTUSER.DAT" file. Here I used another tool called "Windows Registry Recovery" from http://www.mitec.cz/wrr.html to get the user owner information. You also can read it from the RAW "NTUSER.DAT" files if you know the location of the information.
Suspect manage to reformat the desktop machine before the raid.
Objective:
To recover and identify the owner of the "NTUSER.DAT" registry file from a re-format Windows OS hard disk.
Research:
Found one good mini-whitepaper from Andrew Case regarding "Recovering and Analyzing Deleted Registry Files" at http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html. I can use some of the steps to speed up my process.
I used Encase to do the data recovery process. Once the recovery process completed, I filter out the files and extract "NTUSER.DAT" files using "copy folder" feature. Now I have about 10 "NTUSER.DAT" files in their original folder structure ready to inspect. So, which one is the valid registry files?
Base on the mini-whitepaper, I can use "reglookup.exe" to validate the good registry files. Here the author used one-liner bash scripting, but I am on Windows platform now. Ok, here come some creative thinking to polish up my MS Dos batch scripting. I have created 2 batch files which is "Generate_File_Listing.bat" to list down the NTUSER.DAT files path and "Find_Valid_Registry_Hive.bat" to validate the registry files as below.
File Name: Generate_File_Listing.bat
@Echo Off
SetLocal EnableDelayedExpansion
Set N=
Set ReglookupOutputFolder="D:\CaseID\Registry_Analysis\reglookup-output\"
Set EvidenceFolder="D:\CaseID\Registry_Analysis\Evidence\"
For /R %EvidenceFolder% %%a in (*.DAT) DO (
Set /a N+=1
echo !N!-%%a >> %ReglookupOutputFolder%\List_of_NTUSER.DAT.txt
)
File Name: Find_Valid_Registry_Hive.bat
@Echo Off
SetLocal EnableDelayedExpansion
Set N=
Set ReglookupExe="C:\Tools\reglookup-win32-1.0.1\reglookup.exe"
Set ReglookupOutputFolder="D:\CaseID\Registry_Analysis\reglookup-output\"
Set EvidenceFolder="D:\CaseID\Registry_Analysis\Evidence\"
For /R %EvidenceFolder% %%a in (*.DAT) DO (
Set /a N+=1
%ReglookupExe% "%%a" > %ReglookupOutputFolder%\result-!N!.txt
)
Here is the result:
Wednesday, November 2, 2011
Unlock the process that holding folder or file
Today I got one annoying error message given by Windows OS when I want to delete one folder name. The folder name is "." and it keep on giving me this error message "Cannot delete file: Cannot read from the source file or disk".
I try to use command prompt to delete it, changed permission, take owner ship of the folder and many more. However it still give me the same error message back.
Why I cannot delete this folder? I want to know is there any process holding this folder? My objective is simple to find the process that holding the folder. May be "Process Explorer" from Windows Sysinternals can help and after do some research I found that there is one nice free tool called "unlocker" from "Empty Loop" http://www.emptyloop.com/unlocker
Once you have installed the application, just go to the folder/file that you want to check and simply right click the folder/file and select "Unlocker" to display any process that holding the folder/file. Then you can unlock/kill the process that holding the folder/file.
After that I try again to delete the folder. Walaaaaaa..it work, I manage to delete the folder as normal again. ;)
-Other annoying error message given by Windows OS when you want to delete folder/file:
Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.
Subscribe to:
Posts (Atom)