NTFS Object IDs in EnCase – Part 3

In a previous post, I showed you how to make a condition to find all files in an NTFS volume that have Object IDs associated with them in NTFS. In this post, I will be showing you how to create a condition to search through the values of the Object IDs to filter on specific strings.

The condition I build below prompts for a value and removes every file whose Object ID contains that value from the filtered list. The goal is to let the examiner identify files that were created on computers with different MAC addresses.

In the image below, I found 229 files that have Object IDs but don’t have my VM’s MAC. The previous condition found 442 total files on this disk with Object IDs. Many Windows files were in the list, but the EnCase.exe file jumped out. MAC address of the engineer that executed the build process?

encase-objid-c2-result

Using EnCase Conditions to Search Inside Object IDs

Similar to the last condition, this requires the mini-filter feature inside the condition to dig inside the attributes for each file. Here is how to build that condition:

  1. Find the conditions pane in the bottom right corner and click on the ‘user’ folder. Use the ‘new’ option in the toolbar or mouse right click to open the condition dialog. I created a folder to organize a bit. EnCase throws an error if you try to create a new condition in the ‘default’ folder.
  2. Click on the ‘filters’ tab and then double click on the ‘AttributeValueRoot’ item in the list.
    encase-objid-c1-filters
  3. Five things to do in this window. We need to give this a unique name since it will show up in the property list later. I chose to use the FullPath property rather than a name-only check to reduce false positives. The path I used is based on what EnCase displays when viewing in the attributes tab of the details pane.
    1. Name mini-filter ‘zFindObjectId’
    2. Use ‘new’, choose ‘fullpath’, choose ‘find’, type ‘object identifiers\own id’ in the value
    3. Use ‘new’, choose ‘value’, choose ‘Find’, type ‘NOT value’, and check ‘prompt for value’
    4. Right click on ‘Value find [NOT value]’ and choose the ‘Not’ option
    5. Right click on the ‘Main’ item at the top of the tree and use ‘change logic’ to flip the ‘or’ to ‘and’
    6. Click ‘ok’
      encase-objid-c2-filter-terms
  4. Back on the main condition window, click on the conditions tab.
    1. Use the ‘new’ option
    2. Scroll to the bottom of the list and click on ‘zHasObjId’
    3. Click on ‘has a value’
    4. Click ‘ok’
      encase-objid-c2-term
  5. Name your condition and click ‘ok’
    encase-objid-c2-final

Let me know if you find other uses to search for using this condition. I would love to read about it.

James Habben
@JamesHabben

NTFS Object IDs in X-Ways

Another post in the series of using commercial tools to access Object IDs, only this time switching over to X-Ways Forensic (XWF). I don’t think that it is any secret that EnCase has been my primary forensic tool suite for a really long time, but I like to have options and XWF is one I have available. This will be a pretty short post and mini-series, however, because it doesn’t seem that XWF does much with Object IDs other than simply display them.

Using XWF to View Object IDs

Open up a preview on a disk, and browse to a file or folder that you know has an Object ID assigned to it. Click on the ‘Details’ tab in the bottom pane and scroll all the way down. If you don’t have the viewers properly set up, then you have to configure those first.

xwf-objid

Comparing XWF to EnCase

This section is the one that will bring the hater comments, but I will put it in anyway. Let me state here that I think XWF has a lot of great and unique features, many that EnCase doesn’t, and I like having it as an option for those times.

Let’s borrow the image from my previous EnCase post:

encase-attr-objid-long

The Object ID shows the same value. The parsed values match up as well (0x2bb==699). Always great to see validation across tools, not that this is a really hard problem.

The point that caught my attention was the missing ‘Birth’ IDs. EnCase shows three total values here, and I haven’t been able to locate either ‘Birth Volume ID’ or ‘Birth Object ID’ in XWF. Let me know if you know where these are located!

XWF Filtering on Object ID

One of the things I really like about XWF is the ability to add columns for many of the fields that we might want to quickly see and even filter on. When the column is available, it makes for extremely quick filtering by clicking on the funnel in the column header (much faster than creating a condition in EnCase). Unfortunately for us on this topic, there is no column available for the Object IDs.

xwf-objid-columns

XWF will show you the associated Object ID, but it doesn’t seem to give you the option to narrow down your file sets based on those having or not having Object IDs assigned. If you are following Dave’s quest, you know that these IDs get created as part of the link tracking system and there are numerous user actions that are associated with their existence. If you know the file you are looking for, then XWF will show you. If you are looking for any files that have the IDs, then you will have to use EnCase or one of the many open source options.

James Habben
@JamesHabben

NTFS Object IDs in EnCase – Part 2

I posted previously about how to view the Object ID values, stored by NTFS, using EnCase as a forensic tool. In this post, I will show you a method to identify the files in your case that have an Object ID assigned to them. You can follow this using EnCase v7 or v8.

Using EnCase Conditions to Find Object IDs

This method requires a user-built custom condition because EnCase doesn’t have any in the default set to search for these values. Because the Object IDs are shown in the attributes tab of EnCase, it makes for a slightly more advanced condition than the typical one. Here is how to build that condition:

  1. Find the conditions pane in the bottom right corner and click on the ‘user’ folder. Use the ‘new’ option in the toolbar or mouse right click to open the condition dialog. I created a folder to organize a bit. EnCase throws an error if you try to create a new condition in the ‘default’ folder.
  2. Click on the ‘filters’ tab and then double click on the ‘AttributeValueRoot’ item in the list.
    encase-objid-c1-filters
  3. Four things to do in this window. We need to give this a unique name since it will show up in the property list later. I chose to use the FullPath property rather than a name-only check to reduce false positives. The path I used is based on what EnCase displays when viewing in the attributes tab of the details pane.
    1. Name mini-filter ‘zHasObjId’
    2. Use ‘new’, choose ‘fullpath’, choose ‘find’, type ‘object identifiers\own id’ in the value
    3. Use ‘new’, choose ‘value’, choose ‘has a value’
    4. Right click on the ‘Main’ item at the top of the tree and use ‘change logic’ to flip the ‘or’ to ‘and’
    5. Click ‘ok’ to save it
      encase-objid-c1-filters-terms
  4. Back on the main condition window, click on the conditions tab.
    1. Use the ‘new’ option
    2. Scroll to the bottom of the list and click on ‘zHasObjId’
    3. Click on ‘has a value’
    4. Click ‘ok’
      encase-objid-c1-term
  5. Name your condition and click ‘ok’
    encase-objid-c1-final

It is ready to use now. This condition is doing an extra lookup for every file in your case and it causes the operation to take a bit longer. Be patient and it will finish. If you haven’t changed any settings with the view after running a condition, it will come back without the tree pane. I used the ‘ctrl+space’ shortcut to have EnCase blue-check everything in the view. As you can see, I have 442 out of 363,168 files on this disk with Object IDs associated in NTFS.

encase-objid-c1-result-table

You can change from the table-only view with an easy fix. Just use the drop down and select ‘tree-table’.

encase-objid-c1-change-view

Click on the attributes tab in the bottom pane, and you get the same view as before.

encase-objid-c1-result-detail

The next post will be another condition that will allow you to search for a partial or full Object ID value across the evidence in your case. Let me know if you have any questions or other thoughts on something to filter on.

James Habben
@JamesHabben

NTFS Object IDs in EnCase

Over on the Hacking Exposed Computer Forensics blog, David Cowen has been posting up weekly challenges. I love that he is investing in the DFIR community (literally with $100 prizes).

He posted a challenge on September 9, 2018 for readers to develop a python script to parse the NTFS $ObjId:$O alternate data stream. He apparently didn’t get any takers since on September 15, 2018 he put up a short post stating exactly that.

Commercial Solution

I am all for Open Source and Free Software options in the DFIR community, and I also frequently contribute to that collection through my various GitHub repositories. I have also spent an insane amount of time working with EnCase in my years past, so I wanted to show the way to view the data related to Dave’s challenge in a tool that some of you might have available.

Don’t blink!

Here are the steps to see the Object IDs that are assigned to files in EnCase v7+:

  1. Load your local preview or evidence file into the evidence tab
  2. Click on the evidence name to have EnCase start parsing the file system
  3. Find a file you know to have an Object ID
  4. Click the Attributes tab in the view pane

Here is what that looks like:

encase-attr-objid

You can also see that EnCase parses the GUID and displays the various components. Just expand the field, or hover the mouse over like this:

encase-attr-objid-long
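As an added example (not code from this post, from EnCase or from X-Ways), the following Python decodes the same components EnCase parses out of the GUID here (version-1 UUID timestamp, clock sequence and node/MAC) from a raw $OBJECT_ID attribute, and then applies the check the Part 3 condition above makes: keep only files that have an Object ID whose MAC is not the one supplied. It works on the decoded node rather than on the displayed string, which is what the EnCase condition searches. The sample records are constructed; the first GUID is the well-known RFC 4122 DNS namespace UUID, used because it is a real version-1 value with a known node, and the others are assembled from made-up fields.

```python
"""Decode an NTFS $OBJECT_ID attribute and filter files by the MAC embedded
in the Object ID.  Added example, not code from the original posts.
"""
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 timestamps count 100 ns intervals from this epoch
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

GUID_NAMES = ("object_id", "birth_volume_id", "birth_object_id", "domain_id")


def parse_object_id_attribute(raw: bytes) -> dict:
    """Split the raw $OBJECT_ID attribute (NTFS type 0x40) into its GUIDs.

    The attribute is 16 bytes (ObjectId alone) or 64 bytes (ObjectId,
    BirthVolumeId, BirthObjectId, DomainId).  Each GUID is stored in the
    Windows mixed-endian layout, which uuid.UUID(bytes_le=...) decodes.
    """
    if len(raw) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID length: {len(raw)}")
    return {
        name: uuid.UUID(bytes_le=raw[i * 16:(i + 1) * 16])
        for i, name in enumerate(GUID_NAMES[:len(raw) // 16])
    }


def decode_v1_components(u: uuid.UUID) -> dict:
    """Return the version-1 components a forensic tool parses out of a GUID."""
    if u.version != 1:
        # random (v4) or all-zero GUIDs carry no timestamp or MAC
        return {"version": u.version}
    node = u.node
    return {
        "version": 1,
        "timestamp": UUID_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "mac": ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8)),
        # RFC 4122: a randomised node sets the multicast bit of the first octet
        "mac_is_random": bool((node >> 40) & 0x01),
    }


def files_not_from_mac(records, mac: str) -> list:
    """Mirror the Part 3 condition: Object ID present AND its MAC is NOT `mac`.

    `records` is an iterable of (path, raw_attribute_or_None), the way a
    tool would hand each file to a condition.
    """
    mac = mac.lower()
    kept = []
    for path, raw in records:
        if raw is None:              # no $OBJECT_ID attribute: fails the Part 2 check
            continue
        oid = parse_object_id_attribute(raw)["object_id"]
        if decode_v1_components(oid).get("mac") != mac:
            kept.append(path)
    return kept


# Constructed sample data.  VM_GUID is the RFC 4122 DNS namespace UUID, a real
# v1 value whose node is 00:c0:4f:d4:30:c8; OTHER_GUID is built from made-up
# fields with node 00:11:22:33:44:55; ZERO_GUID stands in for an unset field.
VM_MAC = "00:c0:4f:d4:30:c8"
VM_GUID = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")
OTHER_GUID = uuid.UUID(fields=(0x12345678, 0x9ABC, 0x11D1, 0x80, 0x02, 0x001122334455))
ZERO_GUID = bytes(16)

SAMPLE_RECORDS = [
    ("C:\\Users\\vm\\Documents\\notes.txt",
     VM_GUID.bytes_le + VM_GUID.bytes_le + VM_GUID.bytes_le + ZERO_GUID),
    ("C:\\Tools\\EnCase.exe",
     OTHER_GUID.bytes_le + ZERO_GUID + OTHER_GUID.bytes_le + ZERO_GUID),
    ("C:\\Windows\\notepad.exe", None),        # no Object ID at all
]

if __name__ == "__main__":
    for path, raw in SAMPLE_RECORDS:
        if raw is None:
            continue
        for name, guid in parse_object_id_attribute(raw).items():
            print(path, name, guid, decode_v1_components(guid))
    print("not from", VM_MAC, "->", files_not_from_mac(SAMPLE_RECORDS, VM_MAC))
```

The `mac_is_random` flag is worth checking before treating a node as a NIC address: RFC 4122 says a generator that has no MAC available sets the multicast bit in the first octet, so such a value cannot be matched against a real adapter.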

This was just a short post for now. Next one, I will show how to build a condition to narrow down the view to only those files having Object IDs assigned.

James Habben
@JamesHabben

Parsing CFBundleURLSchemes from MacOS Apps

Several days ago, Objective-See shared details about an attack vector used by advanced attackers to target MacOS users. If you haven’t read about it, I encourage you to do that now since this post really won’t make a lot of sense otherwise. It is a very creative way to gain remote execution.

Quick Review

  1. Applications on MacOS are distributed as ‘.app files’ and they are really just folders that MacOS displays as files.
  2. Application .app folders have a prescribed internal architecture since MacOS parses many of the files for functionality.
  3. Plists are settings files that can store many formats of name-value data pairs (somewhat similar to the registry in the Windows world).
  4. All the points from the Objective-See blog about the attack chain.

Defense Approach

There are all kinds of ways to attempt to control this type of attack. One area that came to my mind was using a packet capture device to parse downloaded files for the ‘info.plist’ file required for this attack. Not in this post, though; maybe another post.

Forensic Approach

When analyzing computers for attacks, we rely on tools to do the monotonous work of pulling data from known locations. I found this attack interesting and decided to build one of these tools. It is standalone since I don’t know of any RegRipper-like tools for MacOS. Drop a comment if I am uninformed.

My approach is written in Python so it can be run on multiple OS platforms, and requires a MacOS drive to be mounted or files/folders to be copied to some drive. The script looks for ‘info.plist’ files inside a ‘content’ folder inside another folder ending in ‘.app’. Essentially ‘*.app/content/info.plist’, because there are a whole lot more ‘info.plist’ files spread all over the place.

Once the proper plist file is located, it looks for a ‘CFBundleURLTypes’ value to ensure the application is attempting to register a URL handler. Then it looks for a ‘CFBundleURLSchemes’ value to get the handler prefix. An application can claim multiple URL handlers.

The default output is simple JSON data that is really more like CSV data, only hipper. Use pip to install pandas and give it a ‘-g’, and you will get a grouped list of handler prefixes with a count of how many applications are registering that prefix.
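The following is an added example, not the author’s list-mac-app-urls.py, that reimplements the approach described above as a stand-alone script: it walks a mounted volume (or a copied folder tree) for ‘<name>.app/Contents/Info.plist’, matched case-insensitively so the lower-case names used in the post match as well, reads CFBundleURLTypes and the CFBundleURLSchemes inside each entry, and stacks the schemes with collections.Counter instead of pandas so the rare ones stand out. The sample bundles it writes into a temporary directory are constructed for the example; the bundle names and schemes are made up.

```python
"""Find URL schemes claimed by .app bundles under a mounted macOS volume.
Added example, not the author's script.
"""
import os
import plistlib
import tempfile
from collections import Counter


def find_app_info_plists(root):
    """Yield every Info.plist that sits directly in '<name>.app/Contents/'.

    Only that location is accepted, because Info.plist files also turn up in
    frameworks, plug-ins and resource folders.  Nested helper bundles inside a
    .app are still found because os.walk keeps descending.
    """
    for dirpath, dirnames, _ in os.walk(root):
        if not os.path.basename(dirpath).lower().endswith(".app"):
            continue
        for d in dirnames:
            if d.lower() != "contents":
                continue
            contents = os.path.join(dirpath, d)
            for f in os.listdir(contents):
                full = os.path.join(contents, f)
                if f.lower() == "info.plist" and os.path.isfile(full):
                    yield full


def url_schemes_from_plist(path):
    """Return the URL schemes an Info.plist claims, or [] if it claims none."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)          # handles XML and binary plists
    except Exception:                          # unreadable or malformed plist: report nothing
        return []
    schemes = []
    for url_type in plist.get("CFBundleURLTypes") or []:
        if not isinstance(url_type, dict):
            continue
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            if isinstance(scheme, str):
                schemes.append(scheme)
    return schemes


def scan(root):
    """Return a sorted list of (app bundle path, scheme) for everything under root."""
    results = []
    for plist_path in find_app_info_plists(root):
        app_path = os.path.dirname(os.path.dirname(plist_path))   # strip Contents/Info.plist
        for scheme in url_schemes_from_plist(plist_path):
            results.append((app_path, scheme))
    return sorted(results)


def group_by_scheme(results):
    """Count bundles per scheme; the low counts are the ones worth a look."""
    return Counter(scheme for _, scheme in results)


# Constructed sample volume: relative bundle path -> schemes it claims (None = no handler).
SAMPLE_BUNDLES = {
    "Applications/Safari.app": ["http", "https"],
    "Applications/Zoom.app": ["zoommtg"],
    "Applications/Zoom.app/Contents/Frameworks/ZoomHelper.app": ["zoommtg"],
    "Applications/Calculator.app": None,
    "Users/alice/Downloads/Unknown.app": ["x-unknown-helper"],
}


def build_sample_volume(root):
    """Write the constructed bundles under root as XML Info.plist files."""
    for rel, schemes in SAMPLE_BUNDLES.items():
        contents = os.path.join(root, *rel.split("/"), "Contents")
        os.makedirs(contents, exist_ok=True)
        info = {"CFBundleIdentifier": "example." + rel.split("/")[-1][:-4].lower()}
        if schemes:
            info["CFBundleURLTypes"] = [{"CFBundleURLName": "URL", "CFBundleURLSchemes": schemes}]
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)


def demo():
    """Scan the constructed volume; return ([(relative app path, scheme)], Counter)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        found = scan(tmp)
        relative = [(os.path.relpath(app, tmp).replace(os.sep, "/"), s) for app, s in found]
    return relative, group_by_scheme(found)


if __name__ == "__main__":
    found, counts = demo()
    for app, scheme in found:
        print(f"{scheme:18s} {app}")
    for scheme, n in counts.most_common():
        print(f"{n:3d} {scheme}")
```

Point `scan()` at the mount point of an evidence volume instead of the temporary directory to run it on real data; because it reads the bundle files rather than the launch services database, it reports what applications ask for, not what MacOS currently has registered.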

Enterprise Approach

I haven’t had a chance to test this yet, but theoretically this script would work as a sensor in Tanium to scan an enterprise at scale and identify all URL handlers that applications on endpoints attempt to register. The benefit of scanning at enterprise scale is the ability to stack these URL handlers across multiple endpoints and identify the less frequent handlers that are more likely to be used for this type of attack.

Important Note

This Python script parses the application files themselves and does not query MacOS for the live handlers currently registered. The linked blog post gives the command to do that.

Find the script here: https://github.com/JamesHabben/HelpfulPython/blob/master/list-mac-app-urls.py

Let me know if you see any modifications or improvements to make this more helpful.

James Habben
@JamesHabben