Show Your Timezone in X-Ways

I posted earlier about how to enable EnCase to show the timezone for all of the timestamps that it displays. I wanted to follow that up with a post on how that can be accomplished with X-Ways Forensic (XWF) as well.

Showing Your Timezone

This is a pretty simple one. Don’t do anything. The default setting already has the timezone offset displayed with times. Well, you have to do one small thing, and that is to expand the column. XWF has it displayed in a slightly greyed color and all you have to do is make the column wider to show it.

xwf-time-display

Setting Time Zones

I haven’t done extensive testing on this, but it seems that XWF is similar to EnCase in that it takes the timezone setting of the machine your are running on to use inside the case.

To change that setting, use the ‘Options’ menu and select ‘General Options’. In there, you will find a button at the button at the bottom of the window for ‘Display Time zone…’. Click that.

xwf-time-general

Once you have that window open, choose your timezone and click OK and OK.

xwf-time-timezone

Edit: Jarle gave me a couple more ways to change the timezone.

You can set the timezone with a right click at the top of the case tree in the Case Data window on the left of the screen. Choose the ‘Properties…’ option.

xwf-time-click

On that window, you have two options. Set the timezone for the entire case (orange arrow), or unlock the option (pink arrow) to set the timezone for each evidence file or even for each partition of each evidence file.

xwf-time-case

If you check the box, then you do another right click > properties on each item you need to change the setting for and you will get this window.

xwf-time-partition

Thanks for reading!

James Habben
@JamesHabben

Show Your Timezone in EnCase

A question came up on my team about how to adjust time zones on evidence in EnCase. I figured I would put together a short post in case it might help others.

Setting Time Zones

When you start a case with EnCase, it grabs the timezone that is currently being used by the workstation you are running it on. All of the evidence that you bring into that case is assigned that same timezone.

You can apply a timezone change at a couple levels. First, directly to an evidence file. Second, to multiple evidence files. In EnCase v6, you open a case directly to whats called the ‘entries’ view. Entries are a generic name given to refer to any object inside an evidence file such as files, folders, alternate data streams, NTFS meta files, partitions, etc. even including the evidence file itself. Starting in EnCase v7 (and carried into v8), you are dropped in the ‘evidence’ view and must interact with that list in order to enter the ‘entries’ view. Whatever version you are using, go into the entries view.

To set the timezone, decide if you want an evidence specific or global change. Then right click on the evidence name or the ‘entries’ item at the top of the tree. Towards the bottom find the ‘Device’ sub-menu, then choose the ‘Modify time zone settings…’ option.

encase-tz-rc

A small window will pop up to show the list of time zones that EnCase has available. If you are examining a computer that isn’t properly patched with the current Daylight Saving Time setting, you can force that.

encase-tz-window

Click OK, and the times showing in EnCase will all be adjusted without having to do anything further.

Showing Your Timezone

I encourage everyone reading this to update this setting. Digital forensics requires us to be very accurate and specific. It tells EnCase to attach the timezone setting to every date that is displayed. It has saved me from a situation of reporting an incorrect time more than once. After changing this setting, your dates will look like these. I typically keep the columns smaller and only expanded the ‘Last Accessed’ field to show the full value.

encase-tz-dates

To make this change, find the ‘Tools’ menu in the bar at the top, and choose the ‘options’ option. Then click on the ‘Date’ tab. Check the box at the top of that tab page.

encase-tz-show

Thanks for reading!

James Habben
@JamesHabben

Living with a Credit Freeze

Brian Krebs published an article “How I Learned to Stop Worrying and Embrace the Security Freeze” in 2015. I decided to embark on that journey as well, although my laziness caused the onset of that journey to be staggered longer than it should have. I have had freezes in place for quite a few years now, and I wanted to share my experiences for each of the major bureaus.

Creditors

First, I want to say that it is very surprising, even to this day, to see the staggering number of companies (that deal with pulling credit reports or scores) that have never heard of a credit freeze. There are so many places that want to run your credit, from as simple as getting electricity turned on and all the way to getting a home mortgage. I feel like I have been more of an educator to that industry than anyone else!

Some have heard of a freeze, and are very curious to ask questions about it. It feels almost like being a celebrity with questions like “what’s it like to have a freeze?” (no joke). Others have heard of it and straight up dismiss me because they claim to have no ability to handle the freeze except for me having to unfreeze and then refreeze when they are done. Many of them think it is so simple and free (it’s not), so they just expect you to take that on. One company straight up refused to work with me at all until there was no freeze on my credit.

Bureaus

The current situation has no standards on how these credit freezes should work. There are some various state laws that define how much the bureaus can charge to place a freeze, but there is nothing in those laws to define the process. Each of the three major bureaus does things slightly different.

In general, you visit the web portal for each bureau and supply enough personal information to identify yourself. Stuff that really wouldn’t be hard to assemble about a target victim for those inclined to that side of morals, but that’s another rambling for another day. After validating you know enough about someone yourself, you pay some amount of money to place the freeze. After that clears, you get a PIN code. Equifax gave me a 10 digit, Experian gave me a 10 digit, and TransUnion gave me a 6 digit. These numbers have different uses depending on the bureau.

In general, I haven’t had problems with the companies knowing who they use to pull credit history. They are willing to discuss and work with me when I explain that I have a freeze and the reason for the freeze. Sometimes, they have to pass you off to a different person who is the one responsible for performing the task.

Experian

I want to start with this one because it is the one I have held a freeze with for the longest, and it seems to be the most popular credit bureau with the companies I have interfaced with.

For those companies that were willing to work with me, it has been the absolute smoothest of all three bureaus. I store the 10 digit PIN in my KeePass database, and I can give this number to the company looking to pull information about my credit history. Simple as that. Later, I can go onto the Experian web portal to change that PIN. The process is similar to when you first place the freeze in supplying enough personal information to identify yourself.

I had to unfreeze with Experian one time when a company absolutely refused to accept a PIN to process the transaction. It cost me something like $20 to schedule an unfreeze followed by a refreeze after so many days.

Equifax

I list this one next because it has been the next easiest to work with in pulling credit history. The PIN you get from them is only to use when interacting with the web portal, so supplying this PIN to a company seeking your credit info will come back with a refusal based on being a wrong number. In fact, the PIN you receive as a part of the freeze process is a 10 digit, and the creditor company is prompted for only 4 digits – an obvious mismatch.

The code required by those companies has to be generated each time, but the best part is that Equifax doesn’t charge for creating these codes. The downside is that you need to login to their web portal to generate them, so you have to be more prepared. You can create a global temporary lift for a time period or a temporary lift for a single company. When doing a temporary lift for a single company, the portal asks you for the company name seeking your credit, but funny enough they only allow you to type 9 characters in that box. It seems that the name is more of a note for reference later than it is as a part of the validation. The other thing is asks you for is that 10 digit code you received when placing the freeze. At the end of that process, you get a link to open a PDF file that contains a 4 digit single use code. Give that to the company running your credit and it will go through, even immediately within minutes of generating that code.

TransUnion

I put this one last because I wasn’t able to figure out a way to have a temporary lift without having to pay some amount of money. I have had to login to the web portal to place a temporary lift. They charged me $10 and it didn’t matter if it was a global lift or a specific company lift.

Takeaway

I have lived with these credit freeze for many years, and it has allowed me to have a little more peace in light of the world I live in. It sets a much higher wall in front of my metadata and I can deal with the occasional hassle that I described above.

 

I hope this helps you. I encourage you to look at getting a credit freeze to protect yourself.

 

James Habben

@JamesHabben

Reputations and PCI Data Breaches

The natural human reaction to reading a company’s announcement about a Payment Card Industry (PCI) data breach is to declare a boycott against this company. How dare they be so nonchalant and careless with my handling our information? This reaction appears to be common when you read news articles about this very topic.

“87 percent would not (or were not very likely to) do business with a company that had faced a data breach”
http://www.nationalcybersecurityinstitute.org/general-public-interests/how-does-a-data-breach-affect-your-business-reputation/

The public fears a data breach because the majority of people out there have no idea what that actually means. I am sure all of you in this ‘cyber’ community get these questions constantly from friends and family about how these things can happen. I certainly do.

I am going to put myself out there though and make a fairly bold statement:

A PCI data breach is good for a company

The Priorities

I provide advisory and investigative consulting to companies from Fortune 1 to Fortune 5839827495, and there is a theme that I see from the top to the bottom. The companies that have experienced data breaches have stronger information security (InfoSec) programs as a result.

Almost every company I engage with asks me “How does my security team compare to other companies in my industry?” and this is the biggest problem. The business side of these companies are all about keeping up with or getting ahead of competitors in their field. If everyone across your industry jumps off a bridge, would you jump also?

The priorities of an InfoSec program should not be driven by others. This needs to be driven on internal needs and deficiencies. There are tons of ways to push this forward, however this isn’t the point of this post. The business side has a hard time allocating money to these priorities because most InfoSec program leads aren’t able to speak the right language.

The Breach

Enter the PCI data breach. This demands immediate attention that cannot be ignored by the business. It also spins up a lot of resources with enormous costs.

Some costs not always seen by an outsider to the breach investigation:

  • outside legal counsel / breach coach
  • public relations firm
  • PCI mandated investigation firm known as PCI Forensic Investigation or PFI
  • another firm hired under legal privilege
  • travel and accommodations for employees and contractors
  • software and hardware to support investigation
  • extra online storage costs to preserve data on-prem and cloud
  • extra instances of computers to offset loads
  • premiums for expedited services with vendors

These all typically happen before any public notification of the breach is made.

The Announcement

Once you read about a PCI data breach in news stories, there has been an army of people working on this breach. The InfoSec focused expertise involved can easily be 10x or 20x multiplier of the team that is normally employed for this role in calmer times.

The public thinks:
“Oh no, I am never shopping there again. I don’t want my data stolen.”

In reality, this is the safest that network has ever been. There are tons of people looking over every possible problem. The affected company is getting a massive overload of recommendations on how to improve. It will also be under heightened scrutiny by the public and any regulatory bodies they are involved with, namely PCI for one.

The Response

We have worked with customers on post breach projects that have taken a 5 year timeline down to as little as 6 month. Money comes raining down from the top. Many times, the PCI breach uncovers less than ideal practices in other aspects of the infrastructure as well.

Some go on to really make a huge difference:
https://corporate.target.com/article/2015/07/cyber-fusion-center

Of the causes for breaches that I have seen, almost zero of them were ultimately a surprise. It is usually a weakness as a part of some aspect where a project exists to address. The InfoSec teams working for these companies do well to identify the improvements that are needed. It has never been due to laziness or lack of knowledge.

Breaches are Good

Companies are collecting more and more data about us. I prefer seeing breaches of PCI data over even more personal data or intellectual property. Although it is a costly incident, the damage done can be fixed relatively well.

 

Let me know what you think of breaches.

James Habben
@JamesHabben

Evolve Version 1.6

evolve-logo

New features in #EvolveTool!

API Doc

The new part of this feature is the HTML to outline all the various URLs that can be used to interact with Evolve. They have mostly been there in the background already, although a couple of the URLs are new. These URLs give the ability to have Evolve work in a sort of headless mode. You can use any scripting language that can GET or POST. The return data is in JSON format.

evolve-api

Plugin Search

The plugin list for Volatility commands keeps growing thanks to the great support by the core dev team and all the gracious developers in the community. I’m sure the annual contest giving away money had no part in it either. Anyways, I figured it would be helpful to have the ability to run a quick search over the plugin list where you can type a part of what you are looking for. It doesn’t support any fancy matching though, and just puts wildcards in front and behind whatever you type. It searches while you type and you can use [ESC] or click the X to the right to quickly clear the box.

Try typing ‘dump’ and you will get a list of those plugins that Evolve doesn’t yet support:

evolve-plugin-search

Teaser: Volatility Command Line Options

Speaking of Volatility plugins that aren’t supported in Evolve, I was able to dig into the Volatility core and determine where those options are stored in Object Oriented (OO) data structures. You will see a couple new URLs listed in the API doc that take advantage of this new found knowledge.

The first is a list of all the default options that Volatility has. You can see those by running ‘vol.py -h’ in the shell, or accessing the API here:

evolve-options

The second builds on the above URL to get more specific options that any of the plugins are allowed to add into the list to accept during processing. You can display the full collection of options with the plugin specifics listed at the bottom with ‘vol.py dumpregistry -h’ or you can get only the specific options that each plugin adds by accessing this API:

evolve-options-plugin

Some Background

I originally took on the project of making Evolve to learn Python. I wanted to build something that required research and learning, and something that would make me stretch. I could have written this project in any language and just made calls to vol.py to get things running. I’ve seen many of these projects pop up over the years and they work great. I decided to fully integrate with Volatility to better learn Python and have more power and control over how I hand off processing jobs. That decision has caused some headaches, so I try to share the solutions when I can.

The challenge in here is that Volatility uses a library for parsing command line options that is built into Python. This setup works great for the scenario that Volatility is typically run, at a command prompt, where the user has to supply all those parameter names and values up front. It doesn’t make it so easy to fetch a list of the various options any of the plugins might want to take advantage of because those options aren’t built into OO to just get.

The plugins written for Volatility interface with optparse to add in the recognition for the short and long parameter designations. The optparse object is a member of Volatility’s ConfObject class, but not really integrated.

To get to the list of default options is pretty straight forward. You have to build a ConfObject anyways when integrating with Volatility, and the default options all come along as it is built.

To get the options that any of the plugins add on top of the default, you have to utilize the ConfObject again, but as a parameter when initiating the plugin of choice. The result is a full list of all the options that are now available, including those earlier found default options. You have to do the work of differentiating the newly added from the defaults. To prepare for doing this, I created a second ConfObject and pulled the new list in.

The next challenge is the structure of the options being held in the optparse object isn’t really straight forward. The items are not provided in a list, so you can’t do much with them as they sit. Fortunately they are iterable, so that allows for Python to use in as a collection in a for loop. You can see the debug view getting to one of these options here:

evolve-options-debug

I chose not to deal with all of those properties since I don’t think the Volatility plugins have that much ability to manipulate, but I will doing some further testing on this. If there are more properties that are needed in Evolve, they are fairly simple to add into the JSON return at this point.

After grabbing the handful of properties into a dictionary, I stuff that dictionary into a tuple. You can read more about the differences since I won’t go into that here. The tuple made it easier to work with, and I don’t have the need to change that object.

With a tuple of options from two ConfObjects, I could now determine which of those options were added by the provided plugin. Now I had to repeat that process for every plugin available in Volatility, and I am very thankful for loops and automation.

Check it out on GitHub.
https://github.com/JamesHabben/evolve

I hope you find these new features helpful, and the upcoming features exciting. Please reach out if you have any questions or feature suggestions for Evolve.

James Habben
@JamesHabben

Malicious USB Devices

I put together some slides over a year ago after working several cases involving suspicious USB devices. The slides cover some studies that threw USB devices on the ground, and a couple scenarios from the Verizon Data Breach Digest (shameless promo). There is a lot of significance in these links, and presenting these slides has shown me that this threat is very widely underappreciated.

We, and InfoSec and even more specifically as DFIR specialists, are not immune to an attack conducted through a USB device. Some of us hold a more traditional stance that the forensic workstation remains unconnected from any network connection, but this is an increasingly difficult stance to hold in more recent years. The source evidence drives are getting larger and larger, and this is forcing examiners to take advantage of network storage solutions. We are also seeing many tools with increasing reliance on network for collection and analysis through integrations with other products.

I worked with some others on my team to develop a forensic methodology that has been tried and true. It gives us the best chance of preserving any data that may exist on this USB device and protects our forensic infrastructure from any potential attack. I am putting this methodology in this blog post in an effort to get it out to a wider audience than the folks that have sat through one of my talks. You can see a video from BsidesSLC if you would like, or feel free to contact me and I would be very happy to head out somewhere to give the talk live.

The High Level Methodology

  • Collect image
  • Collect volatile data
  • Analyze file contents
  • Analyze volatile data
  • Collect firmware

The Methodology Steps

  1. Collect Image
    1. Physical machine
    2. Linux forensic boot cd
    3. Hardware USB write-blocker
    4. dd, dcfldd, linen, etc
  2. Collect Volatile Data
    1. Physical machine
    2. Windows OS – Small HDD, forensic wipe (0x00)
    3. Software USB write-blocker
    4. Collect before images: HDD & RAM
    5. Prep volatile collection tools & scripts
    6. Start PowerShell diff-pnp-devices.ps1*
    7. Insert USB, wait for a minute
    8. Finish diff-pnp-devices.ps1
    9. Finish volatile tools & scripts
    10. Collect image: HDD & RAM
  3. Analyze File Contents
    1. Automated AV scans
    2. IOC Searches
    3. File format specific tools
  4. Analyze Volatile Data
    1. Compare disk images
    2. Compare RAM images
    3. Review new devices from diff-pnp-devices.ps1
    4. Look for evil
  5. Collect Firmware
    1. Only needed if device has additional device
    2. Identify controller chip – ChipEasy
    3. Acquire correct tool to dump firmware
    4. Reverse engineer firmware

The PowerShell Tool

The script mentioned in this methodology is in my GitHub. It does a very simple thing.

https://gist.github.com/JamesHabben/

  1. Get a list of PnP devices
  2. Wait for user to continue after inserting USB
  3. Get another list of PnP devices
  4. Compare the two lists and print the differences

Takeaway

These USB devices can do a log of damage, and I continue to see a lot of very surprised faces during my talks. It is a real threat (Stuxnet!) and it needs to be accounted for in your incident response.

Here are the slides with a bit more information, and please reach out if you have questions.

James Habben
@JamesHabben

Skills and Knowledge for InfoSec

As a consultant for an incident response firm, the engagements we get are typically fairly fleshed out in terms of being a security or operational incident. Every once in a while, we have calls come in that seem very security focused when described by the customer contact but after arriving onsite they work out to be an operational incident. It can take a lot of experience to really take the problem down to its roots to even make an approach at root cause.

There have been a lot of discussions flying around about various skill levels required for InfoSec jobs. Along with that, many have expressed concerns about the job postings and the requirements that get listed, and I joined in a little while back. Others have made bold statements that InfoSec jobs shouldn’t be entry level jobs since the skills needed are gained through other roles. I am in the middle on that feeling. I have met some very smart people that seem to just ‘get it’ and do well in InfoSec without other prior experience, and I have also met people that have spent 20 years in IT that don’t understand some of the basic concepts. It really goes both ways.

Although I do not hold the opinion that InfoSec is not an entry level job, I do think there is a lot to learn that can be extremely beneficial to a role in InfoSec. I recently went out on an engagement that required an incredibly deep understanding of routing and switching concepts. I am not talking about having the magical skill of being able to calculate subnets in your head (although I was able to do that at one point in my past). I was facing one of those security vs operational incidents I mentioned above.

I spent a lot of time in a network admin role. I took over management of a medium sized business nationwide network. The network had previously been built (incorrectly) by a supposed networking expert. I spent a lot of time understanding what the problems were and addressed each of them as components to an overall problem. The result was a lot of positive comments from end users about the improved speed and reliability of the network. I ended up rebuilding about 90% of that network at another point later during a move from Frame Relay to MPLS. I spent time studying proper network design and function to make sure I was doing things correctly.

I mention this because the recent engagement I went out on involved a few components that at a glance could easily appear like very serious security issues. A proper understanding of networking principals, and along with that the OSI model, was absolutely essential. There were a ton of components that when viewed as a whole would lead down a ton of rabbit holes.

In Incident Response especially, we need to have the ability to view the problem as a whole, but also be able to break the problem down into the various smaller components. That is what an investigative / analytical mind does. Those components often times are not all contributing to the problem. They are often times a symptom or result of another problem. If you don’t have the knowledge to separate those components from the overall problem, then your incident is going to be much more difficult to resolve.

To those of you that are considered entry level:

  1. You can learn on the job, but you need to make sure that you take on a job that will give you that opportunity. Make sure that your role will be involved in technology across the board to get the exposure.
  2. Find a mentor that seems to be the right personality for you. That mentor can guide you to various topics that would be very beneficial to your career in InfoSec.
  3. Understand that there will be jobs that are requiring skills that you don’t posses. The postings don’t always reflect the true picture of what that company is willing to hire.
  4. Ask your mentor for help in applying. Ideally, that mentor will be well connected in the industry and would have already started to expose you to various people around the industry. If that hasn’t happened yet, there might be a reason for it (maybe you aren’t ready), or your mentor might not be supporting you as well as needed.
  5. Show your efforts in learning. Make sure that people understand the time you are putting into improving yourself. This doesn’t mean that you constantly brag about your self, but you can demonstrate your learning in many different ways.

InfoSec can be a tough place to work since we have to know a little about a lot. Embrace your curiosity.

James Habben
@JamesHabben