NTFS Object IDs in EnCase

Over on the Hacking Exposed Computer Forensics blog, David Cowen has been posting up weekly challenges. I love that he is investing in the DFIR community (literally with $100 prizes).

He posted a challenge on September 9, 2018 for readers to develop a Python script to parse the NTFS $ObjId:$O alternate data stream. He apparently didn’t get any takers, since on September 15, 2018 he put up a short post stating exactly that.

Commercial Solution

I am all for Open Source and Free Software options in the DFIR community, and I also frequently contribute to that collection through my various GitHub repositories. I have also spent an insane amount of time working with EnCase in my years past, so I wanted to show how to view the data related to Dave’s challenge in a tool that some of you might have available.

Don’t blink!

Here are the steps to see the Object IDs that are assigned to files in EnCase v7+:

  1. Load your local preview or evidence file into the evidence tab
  2. Click on the evidence name to have EnCase start parsing the file system
  3. Find a file you know to have an Object ID
  4. Click the Attributes tab in the view pane

Here is what that looks like:

[Screenshot: encase-attr-objid]

You can also see that EnCase parses the GUID and displays the various components. Just expand the field, or hover the mouse over like this:

[Screenshot: encase-attr-objid-long]
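For readers who would rather see the components EnCase displays come out of a script, here is an added example (my own code, not part of the original post and not from EnCase or from Dave’s challenge entries) that decodes a 16-byte on-disk NTFS Object ID the way EnCase does. Windows stores GUIDs in mixed-endian form (the first three fields little-endian), and Windows generates Object IDs as version 1 (time-based) GUIDs, so a generation timestamp, clock sequence and node (usually a MAC address) can be recovered from them. The sample bytes are constructed for the demonstration: a version-1 GUID whose timestamp is exactly the Unix epoch. The 16- or 64-byte layout parsed by `parse_object_id_attribute` is the $OBJECT_ID attribute body (ObjectId, then the optional BirthVolumeId, BirthObjectId and DomainId).

```python
import json
import struct
import uuid
from datetime import datetime, timedelta

GUID_SIZE = 16

# Version-1 GUID timestamps count 100-nanosecond intervals since
# 1582-10-15 00:00:00 UTC (the start of the Gregorian calendar).
UUID_EPOCH = datetime(1582, 10, 15)


def guid_components(raw):
    """Break one 16-byte on-disk (mixed-endian) GUID into examiner-friendly pieces."""
    if len(raw) != GUID_SIZE:
        raise ValueError("GUID must be exactly 16 bytes, got %d" % len(raw))
    # bytes_le= tells the uuid module the first three fields are little-endian,
    # which is how Windows (and therefore NTFS) lays a GUID out on disk.
    g = uuid.UUID(bytes_le=raw)
    info = {"guid": str(g), "version": g.version}
    if g.version == 1:
        # Time-based GUID: the generating host's clock and node are recoverable.
        ts = UUID_EPOCH + timedelta(microseconds=g.time // 10)
        info["timestamp_utc"] = ts.strftime("%Y-%m-%d %H:%M:%S")
        info["clock_seq"] = g.clock_seq
        info["node"] = ":".join("%02x" % b for b in g.node.to_bytes(6, "big"))
    return info


def parse_object_id_attribute(data):
    """Parse a $OBJECT_ID attribute body: ObjectId plus optional birth GUIDs.

    The body is either 16 bytes (ObjectId only) or 64 bytes (ObjectId,
    BirthVolumeId, BirthObjectId, DomainId).  All-zero GUIDs are reported as None.
    """
    names = ("object_id", "birth_volume_id", "birth_object_id", "birth_domain_id")
    if len(data) not in (GUID_SIZE, 4 * GUID_SIZE):
        raise ValueError("expected 16 or 64 bytes, got %d" % len(data))
    result = {}
    for i, name in enumerate(names[: len(data) // GUID_SIZE]):
        chunk = data[i * GUID_SIZE:(i + 1) * GUID_SIZE]
        result[name] = None if chunk == b"\x00" * GUID_SIZE else guid_components(chunk)
    return result


# Constructed sample (not taken from a real volume): a version-1 GUID whose
# 60-bit timestamp equals the Unix epoch, clock sequence 0, node 00:00:00:00:00:01.
# struct "<IHH" packs the first three fields little-endian, as on disk.
SAMPLE_OBJECT_ID = struct.pack("<IHH", 0x13814000, 0x1DD2, 0x11B2) + bytes(
    [0x80, 0x00, 0, 0, 0, 0, 0, 1]
)
# Constructed birth volume GUID (a random-style version-4 value) for the 64-byte form.
SAMPLE_BIRTH_VOLUME = uuid.UUID("7b2a1c9e-5f3d-4a8b-9c1d-2e3f4a5b6c7d").bytes_le
SAMPLE_ATTRIBUTE = (
    SAMPLE_OBJECT_ID + SAMPLE_BIRTH_VOLUME + SAMPLE_OBJECT_ID + b"\x00" * GUID_SIZE
)


if __name__ == "__main__":
    print(json.dumps(parse_object_id_attribute(SAMPLE_ATTRIBUTE), indent=2))
```

The timestamp is the clock of whatever machine generated the GUID, so treat it as that host's notion of time rather than a trustworthy event time, and remember the node field can be a random value on hosts without a usable MAC address.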

This was just a short post for now. In the next one, I will show how to build a condition to narrow down the view to only those files having Object IDs assigned.

 

James Habben
@JamesHabben

Parsing CFBundleURLSchemes from MacOS Apps

Several days ago, Objective-See shared details about an attack vector used by advanced attackers to target MacOS users. If you haven’t read about it, I encourage you to do that now since this post really won’t make a lot of sense otherwise. It is a very creative way to gain remote execution.

Quick Review

  1. Applications on MacOS are distributed as ‘.app files’ and they are really just folders that MacOS displays as files.
  2. Application .app folders have a prescribed internal architecture since MacOS parses many of the files for functionality.
  3. Plists are settings files that can store many formats of name/value data pairs (somewhat similar to the registry in the Windows world).
  4. All the points from the Objective-See blog about the attack chain.

Defense Approach

There are all kinds of ways to attempt to control this type of attack. One area that came to my mind was using a packet capture device to parse downloaded files for the ‘info.plist’ file required for this attack. Not in this post though, maybe another post.

Forensic Approach

When analyzing computers for attacks, we rely on tools to do the monotonous work of pulling data from known locations. I found this attack interesting and decided to build one of these tools. It is standalone since I don’t know of any RegRipper-like tools for MacOS. Drop a comment if I am uninformed.

My approach is written in Python so it can be run on multiple OS platforms, and requires a MacOS drive to be mounted or files/folders to be copied to some drive. The script looks for ‘info.plist’ files inside a ‘content’ folder inside another folder ending in ‘.app’. Essentially ‘*.app/content/info.plist’, since there can be a whole lot more ‘info.plist’ files spread all over the place.

Once the proper plist file is located, it looks for a ‘CFBundleURLTypes’ value to ensure the application is attempting to register a URL handler. Then it looks for a ‘CFBundleURLSchemes’ value to get the handler prefix. An application can claim multiple URL handlers.

The default output is simple JSON data that is really more like CSV data, only hipper. Use pip to install pandas and give the script a ‘-g’, and you will get a grouped list of handler prefixes with a count of how many applications are registering each prefix.
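To make the approach above concrete, here is an added example that implements the same idea in plain Python. It is my own code, not the script linked from this post, and it has no pandas dependency: it walks a mounted drive or copied folder tree for Info.plist files that sit in a ‘Contents’ folder directly under a ‘.app’ folder (matched case-insensitively), pulls every CFBundleURLSchemes entry out of CFBundleURLTypes, emits one JSON row per scheme, and groups the rows so the rarely registered schemes surface first. The sample bundles it builds in a temporary directory are constructed for the demonstration and are not real software; one of them is a deliberately malformed plist so the failure path is visible.

```python
import json
import os
import plistlib
import sys
import tempfile
from collections import Counter


def find_info_plists(root):
    """Yield paths matching *.app/Contents/Info.plist, comparing names case-insensitively."""
    for dirpath, dirnames, _ in os.walk(root):
        if not os.path.basename(dirpath).lower().endswith(".app"):
            continue
        for d in dirnames:
            if d.lower() != "contents":
                continue
            contents = os.path.join(dirpath, d)
            for name in os.listdir(contents):
                path = os.path.join(contents, name)
                if name.lower() == "info.plist" and os.path.isfile(path):
                    yield path


def url_schemes_from_plist(plist_path):
    """Return one row per URL scheme the bundle asks MacOS to register."""
    app_name = os.path.basename(os.path.dirname(os.path.dirname(plist_path)))
    try:
        with open(plist_path, "rb") as fp:
            info = plistlib.load(fp)
    except Exception as exc:  # malformed or unreadable plist: record it, keep scanning
        return [{"app": app_name, "scheme": None, "error": str(exc), "plist": plist_path}]
    rows = []
    for url_type in info.get("CFBundleURLTypes") or []:
        if not isinstance(url_type, dict):
            continue
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            rows.append({
                "app": app_name,
                "bundle_id": info.get("CFBundleIdentifier", ""),
                "scheme": str(scheme).lower(),  # schemes are case-insensitive
                "plist": plist_path,
            })
    return rows


def scan(root):
    """All scheme rows (and error rows) found below root."""
    rows = []
    for plist_path in find_info_plists(root):
        rows.extend(url_schemes_from_plist(plist_path))
    return rows


def group_schemes(rows):
    """Count how many bundles register each scheme; the rarest come first."""
    counts = Counter(r["scheme"] for r in rows if r.get("scheme"))
    return dict(sorted(counts.items(), key=lambda kv: (kv[1], kv[0])))


def build_sample_tree(root):
    """Constructed sample bundles (not real software) so the example runs offline."""
    bundles = {
        "Applications/CorpChat.app/Contents/Info.plist": {
            "CFBundleIdentifier": "example.corpchat",
            "CFBundleURLTypes": [{"CFBundleURLName": "Chat links", "CFBundleURLSchemes": ["corpchat"]}],
        },
        "Applications/CorpChat Helper.app/Contents/Info.plist": {
            "CFBundleIdentifier": "example.corpchat.helper",
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["CorpChat"]}],
        },
        # lower-case folder names: still matched, as the scan is case-insensitive
        "Users/alice/Downloads/Updater.app/contents/info.plist": {
            "CFBundleIdentifier": "example.updater",
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["oddhandler"]}],
        },
        "Applications/Notes.app/Contents/Info.plist": {"CFBundleIdentifier": "example.notes"},
        "Library/Preferences/Info.plist": {"Ignored": True},  # not inside a .app: skipped
    }
    for rel, payload in bundles.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fp:
            plistlib.dump(payload, fp)
    broken = os.path.join(root, "Applications/Broken.app/Contents/Info.plist")
    os.makedirs(os.path.dirname(broken), exist_ok=True)
    with open(broken, "wb") as fp:
        fp.write(b"not a plist")


def demo():
    """Build the constructed tree, scan it, and return (rows, grouped counts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = scan(root)
    return rows, group_schemes(rows)


if __name__ == "__main__":
    # Usage: python list_url_schemes.py /Volumes/evidence   (or no argument for the demo)
    rows, counts = (lambda r: (r, group_schemes(r)))(scan(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for row in rows:
        print(json.dumps(row))
    print(json.dumps(counts, indent=2))
```

Stacking the grouped output across many endpoints is where the counts earn their keep: a scheme registered by one bundle in one user’s Downloads folder deserves a look before one that every corporate install registers.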

Enterprise Approach

I haven’t had a chance to test this yet, but theoretically this script would work as a sensor in Tanium to scan an enterprise at scale and identify all URL handlers that applications on endpoints attempt to register. The benefit of scanning at enterprise scale is the ability to stack these URL handlers across multiple endpoints and identify the less frequent handlers, which are more likely to be used for this type of attack.

Important Note

This python script parses the application files themselves and does not query MacOS for the live handlers currently registered. The linked blog post gives the command to do that.

 

Find the script here: https://github.com/JamesHabben/HelpfulPython/blob/master/list-mac-app-urls.py

Let me know if you see any modifications or improvements to make this more helpful.

James Habben
@JamesHabben

Show and Search for Owner ID in X-Ways

I previously wrote about the digital forensic artifact left behind by a user creating a file on a Windows computer with NTFS. I also showed how to display the owner ID and search for all files owned by that ID. In this post, I am showing how to accomplish the same tasks in X-Ways Forensics (XWF). It is a much shorter post because it is much easier to do.

Owner ID in Details

The first way to see the Owner ID in XWF is the Details tab in the bottom pane. Select a file and click on the Details tab. This view is pretty similar to EnCase, but it only works if you have the separate viewer component enabled.

[Screenshot: xwf-details-owner]

Owner ID in a Column

The next way is a nice addition that EnCase cannot do. You can turn on a column to show the owner name or ID while browsing around in the folders and files. Just open the dialog for columns and type in a width value. If you have accounts, such as domain users, that aren’t resolving, the column width will have to be a bit wider.

[Screenshot: xwf-col-setting]

Once you give it a number, you can manually adjust the width to best show the values you have in this case.

[Screenshot: xwf-col-view]

Filtering on Owner ID

Since XWF shows the values in the column format, it is easy to filter on specific values. Click on the funnel icon and you get this window.

[Screenshot: xwf-filter-box]

Set that User ID to the value you want, and do a recursive view of the file system. Boom!

 

James Habben
@JamesHabben

Show and Search for NTFS Owner in EnCase

Windows can be such a weird and wonderful thing, both at the same time. In a digital forensics sense, the artifacts left behind from user activity often give me delight. The same artifacts can often leave me scratching my head about why they exist in the first place. One of those features is the owner property in the NTFS file permissions.

User Activity

When a user creates a file, Windows typically records that user account as the named owner of that file in the NTFS permissions. Sometimes, it assigns a local user group (say Administrators) instead of a specific user, though I do not know the details of the conditions surrounding that difference. Not the point of this post anyway.

The steps to see the owner of a file will vary a bit depending on the version of Windows you are using. The artifact itself is not affected by the version.

In Windows 8, right click on the file and choose properties. At the top, switch from the general tab to the security tab. Then, click the advanced button at the bottom. A new window will show, and the owner is listed near the top.

[Screenshot: encase-owner-win-prop]

Showing in EnCase

Seeing the very same data in EnCase is fairly straightforward. Choose a file in the table pane. Then in the view (lower) pane, you will see a tab called Permissions. The view will switch and list one of the records as the owner.

[Screenshot: encase-owner-view]

Forensic Usefulness

As you might have noticed, the file system in the above image looks a lot like a CMS package on a web server. If you did, great eye! Web servers use a specific account to access and store content for the anonymous users that make requests. This user account is assigned permissions on the file system to prevent that anonymous user from going where they aren’t allowed.

Some web applications allow those anonymous users to upload files to be used by the web application or even submitted to the company for some purpose. Because the web server user account is used for these interactions, you will find that user account as the owner for any files that were uploaded through the web application.

In the event of a web server compromise, this web server user account is often the account through which attackers first interact with the computer. Attackers want to get their files into that file system to allow more control. These are called web shells and offer nearly identical functionality to the typical remote access tool category, only through a website interface.

What if we could get EnCase to display all files that are owned by this web server user account? I am glad you asked!

Filtering in EnCase

EnCase offers conditions and filters to limit the files shown on screen. Simply put, conditions are easier to create (point and click) while filters are harder (type EnScript code). I will show you the steps to create a condition that will show you only the files with the prompted value in the owner field. This can be done in EnCase v5 through v8, and the windows will look nearly identical.

First step, find the conditions tab and create a new one. I name mine “find sid as owner”, but you can call it whatever makes sense to you.

Next, we have to create a mini-filter before the condition can function. Go to the filters tab, then double click on the PermissionRoot option on the right. Name it “prm_sid2owner”.

Add a new term. Choose ID in the properties list, choose find in the operators list, leave the value box empty, and check the ‘prompt for value’ checkbox. Click ok.

Add another new term. Choose property in the properties list, choose matches in the operators list, type ‘owner’ in the value box. Click ok.

Now right click on the ‘main’ at the top of the tree and choose change logic. Click ok. You should see ‘prm_sid2owner’ listed on the left.

[Screenshot: encase-owner-filter-list]

Now, go back to the conditions and add a new term. At the bottom of the property list, you will find the mini-filter we just created.

[Screenshot: encase-owner-condition-list]

Now you can apply this to your case. You can supply a full SID value or a partial one. You can also give a list of SID values to search for if you are looking for multiple users.

 

Hope this helps! Reach out with any questions or comments.

James Habben
@JamesHabben

Show Your Timezone in X-Ways

I posted earlier about how to enable EnCase to show the timezone for all of the timestamps that it displays. I wanted to follow that up with a post on how that can be accomplished with X-Ways Forensics (XWF) as well.

Showing Your Timezone

This is a pretty simple one. Don’t do anything. The default setting already has the timezone offset displayed with times. Well, you have to do one small thing, and that is to expand the column. XWF has it displayed in a slightly greyed color and all you have to do is make the column wider to show it.

[Screenshot: xwf-time-display]

Setting Time Zones

I haven’t done extensive testing on this, but it seems that XWF is similar to EnCase in that it takes the timezone setting of the machine you are running on and uses it inside the case.

To change that setting, use the ‘Options’ menu and select ‘General Options’. In there, you will find a button at the bottom of the window for ‘Display Time zone…’. Click that.

[Screenshot: xwf-time-general]

Once you have that window open, choose your timezone and click OK and OK.

[Screenshot: xwf-time-timezone]

Edit: Jarle gave me a couple more ways to change the timezone.

You can set the timezone with a right click at the top of the case tree in the Case Data window on the left of the screen. Choose the ‘Properties…’ option.

[Screenshot: xwf-time-click]

On that window, you have two options. Set the timezone for the entire case (orange arrow), or unlock the option (pink arrow) to set the timezone for each evidence file or even for each partition of each evidence file.

[Screenshot: xwf-time-case]

If you check the box, then you do another right click > properties on each item you need to change the setting for and you will get this window.

[Screenshot: xwf-time-partition]

Thanks for reading!

James Habben
@JamesHabben

Show Your Timezone in EnCase

A question came up on my team about how to adjust time zones on evidence in EnCase. I figured I would put together a short post in case it might help others.

Setting Time Zones

When you start a case with EnCase, it grabs the timezone that is currently being used by the workstation you are running it on. All of the evidence that you bring into that case is assigned that same timezone.

You can apply a timezone change at a couple of levels. First, directly to an evidence file. Second, to multiple evidence files. In EnCase v6, you open a case directly into what’s called the ‘entries’ view. Entries is a generic name given to any object inside an evidence file such as files, folders, alternate data streams, NTFS meta files, partitions, etc., even including the evidence file itself. Starting in EnCase v7 (and carried into v8), you are dropped into the ‘evidence’ view and must interact with that list in order to enter the ‘entries’ view. Whatever version you are using, go into the entries view.

To set the timezone, decide if you want an evidence specific or global change. Then right click on the evidence name or the ‘entries’ item at the top of the tree. Towards the bottom find the ‘Device’ sub-menu, then choose the ‘Modify time zone settings…’ option.

[Screenshot: encase-tz-rc]

A small window will pop up to show the list of time zones that EnCase has available. If you are examining a computer that isn’t properly patched with the current Daylight Saving Time setting, you can force that.

[Screenshot: encase-tz-window]

Click OK, and the times showing in EnCase will all be adjusted without having to do anything further.

Showing Your Timezone

I encourage everyone reading this to turn on this setting, which tells EnCase to attach the timezone to every date that is displayed. Digital forensics requires us to be very accurate and specific, and this setting has saved me from reporting an incorrect time more than once. After changing it, your dates will look like these. I typically keep the columns narrow and only expanded the ‘Last Accessed’ field here to show the full value.

[Screenshot: encase-tz-dates]

To make this change, find the ‘Tools’ menu in the bar at the top, and choose ‘Options’. Then click on the ‘Date’ tab. Check the box at the top of that tab page.

[Screenshot: encase-tz-show]

Thanks for reading!

James Habben
@JamesHabben

Living with a Credit Freeze

Brian Krebs published an article “How I Learned to Stop Worrying and Embrace the Security Freeze” in 2015. I decided to embark on that journey as well, although my laziness caused the onset of that journey to be staggered longer than it should have. I have had freezes in place for quite a few years now, and I wanted to share my experiences for each of the major bureaus.

Creditors

First, I want to say that it is very surprising, even to this day, to see the staggering number of companies (that deal with pulling credit reports or scores) that have never heard of a credit freeze. There are so many places that want to run your credit, from as simple as getting electricity turned on and all the way to getting a home mortgage. I feel like I have been more of an educator to that industry than anyone else!

Some have heard of a freeze, and are very curious to ask questions about it. It feels almost like being a celebrity with questions like “what’s it like to have a freeze?” (no joke). Others have heard of it and straight up dismiss me because they claim to have no ability to handle the freeze except for me having to unfreeze and then refreeze when they are done. Many of them think it is so simple and free (it’s not), so they just expect you to take that on. One company straight up refused to work with me at all until there was no freeze on my credit.

Bureaus

The current situation has no standards on how these credit freezes should work. There are various state laws that define how much the bureaus can charge to place a freeze, but there is nothing in those laws to define the process. Each of the three major bureaus does things slightly differently.

In general, you visit the web portal for each bureau and supply enough personal information to identify yourself. Stuff that really wouldn’t be hard to assemble about a target victim for those inclined to that side of morals, but that’s another rambling for another day. After proving you know enough about yourself, you pay some amount of money to place the freeze. After that clears, you get a PIN code. Equifax gave me a 10-digit PIN, Experian gave me a 10-digit PIN, and TransUnion gave me a 6-digit PIN. These numbers have different uses depending on the bureau.

In general, I haven’t had problems with the companies knowing who they use to pull credit history. They are willing to discuss and work with me when I explain that I have a freeze and the reason for the freeze. Sometimes, they have to pass you off to a different person who is the one responsible for performing the task.

Experian

I want to start with this one because it is the one I have held a freeze with for the longest, and it seems to be the most popular credit bureau with the companies I have interfaced with.

For those companies that were willing to work with me, it has been the absolute smoothest of all three bureaus. I store the 10 digit PIN in my KeePass database, and I can give this number to the company looking to pull information about my credit history. Simple as that. Later, I can go onto the Experian web portal to change that PIN. The process is similar to when you first place the freeze in supplying enough personal information to identify yourself.

I had to unfreeze with Experian one time when a company absolutely refused to accept a PIN to process the transaction. It cost me something like $20 to schedule an unfreeze followed by a refreeze after so many days.

Equifax

I list this one next because it has been the next easiest to work with in pulling credit history. The PIN you get from them is only for use when interacting with the web portal, so supplying this PIN to a company seeking your credit info will come back with a refusal based on being a wrong number. In fact, the PIN you receive as a part of the freeze process is 10 digits, and the creditor company is prompted for only 4 digits – an obvious mismatch.

The code required by those companies has to be generated each time, but the best part is that Equifax doesn’t charge for creating these codes. The downside is that you need to log in to their web portal to generate them, so you have to be more prepared. You can create a global temporary lift for a time period or a temporary lift for a single company. When doing a temporary lift for a single company, the portal asks you for the name of the company seeking your credit, but funny enough they only allow you to type 9 characters in that box. It seems that the name is more of a note for reference later than a part of the validation. The other thing it asks you for is that 10-digit code you received when placing the freeze. At the end of that process, you get a link to open a PDF file that contains a 4-digit single-use code. Give that to the company running your credit and it will go through, even immediately, within minutes of generating that code.

TransUnion

I put this one last because I wasn’t able to figure out a way to have a temporary lift without having to pay some amount of money. I have had to login to the web portal to place a temporary lift. They charged me $10 and it didn’t matter if it was a global lift or a specific company lift.

Takeaway

I have lived with these credit freezes for many years, and they have allowed me to have a little more peace in light of the world I live in. They set a much higher wall in front of my metadata, and I can deal with the occasional hassle that I described above.

 

I hope this helps you. I encourage you to look at getting a credit freeze to protect yourself.

 

James Habben

@JamesHabben