Show and Search for Owner ID in X-Ways

I previously wrote about the digital forensic artifact left behind when a user creates a file on a Windows computer with NTFS. I also showed how to display the owner ID and search for all files owned by that ID. In this post, I show how to accomplish the same tasks in X-Ways Forensics (XWF). It is a much shorter post because the tasks are much easier to do.

Owner ID in Details

The first way to see the Owner ID in XWF is in the Details tab of the bottom pane. Select a file and click on the Details tab. This view is pretty similar to EnCase, but it only works if you have the separate viewer component enabled.

xwf-details-owner

Owner ID in a Column

The next way is a nice addition that EnCase cannot match: you can turn on a column that shows the owner name or ID while browsing around in the folders and files. Just open the column dialog and type in a width value. If you have accounts, such as domain users, that aren’t resolving to a name, the column will have to be a bit wider.

xwf-col-setting

Once you give it a number, you can manually adjust the width to best show the values you have in this case.

xwf-col-view

Filtering on Owner ID

Since XWF shows the values in the column format, it is easy to filter on specific values. Click on the funnel icon and you get this window.

xwf-filter-box

Set that User ID to the value you want, and do a recursive view of the file system. Boom!


James Habben
@JamesHabben

Show Your Timezone in EnCase

A question came up on my team about how to adjust time zones on evidence in EnCase. I figured I would put together a short post in case it might help others.

Setting Time Zones

When you start a case with EnCase, it grabs the timezone that is currently being used by the workstation you are running it on. All of the evidence that you bring into that case is assigned that same timezone.

You can apply a timezone change at a couple of levels: first, directly to a single evidence file; second, to multiple evidence files at once. In EnCase v6, you open a case directly into what’s called the ‘Entries’ view. ‘Entries’ is the generic name for any object inside an evidence file, such as files, folders, alternate data streams, NTFS metadata files, partitions, and so on, including the evidence file itself. Starting in EnCase v7 (and carried into v8), you are dropped into the ‘Evidence’ view and must interact with that list in order to enter the ‘Entries’ view. Whichever version you are using, go into the Entries view.

To set the timezone, decide whether you want an evidence-specific or a global change. Then right-click on the evidence name (for one evidence file) or on the ‘Entries’ item at the top of the tree (for all of them). Towards the bottom of the menu, find the ‘Device’ sub-menu, then choose the ‘Modify time zone settings…’ option.

encase-tz-rc

A small window pops up showing the list of time zones that EnCase has available. If you are examining a computer that wasn’t properly patched with the current Daylight Saving Time rules, you can force the setting here.

encase-tz-window

Click OK, and the times showing in EnCase will all be adjusted without having to do anything further.

Showing Your Timezone

I encourage everyone reading this to enable this setting. Digital forensics requires us to be very accurate and specific, and this setting tells EnCase to attach the timezone to every date it displays. It has saved me from reporting an incorrect time more than once. After changing this setting, your dates will look like these. I typically keep the columns smaller and have only expanded the ‘Last Accessed’ field to show the full value.

encase-tz-dates

To make this change, find the ‘Tools’ menu in the bar at the top and choose ‘Options’. Then click on the ‘Date’ tab and check the box at the top of that tab page.

encase-tz-show
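To see why the setting matters, here is an added example (my own illustration, not EnCase code or anything from the original post) that decodes a constructed NTFS FILETIME and renders it under an examiner workstation zone and an evidence zone, with and without the zone suffix. It assumes Python’s zoneinfo database is present and uses a sample value chosen to fall between the US Eastern and US Pacific DST switchovers on the same morning.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# NTFS stores each timestamp as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# The time zone is only applied when a tool displays the value, which is why the
# EnCase case-level time zone setting changes what you see without touching the evidence.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample value (hypothetical, not from any real case): 2017-03-12 07:30:00 UTC,
# chosen because it sits between the US Eastern and US Pacific DST changes that day.
SAMPLE_FILETIME = 131337774000000000


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a raw FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_utc; the input must be timezone-aware."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def render(filetime: int, zone: str, show_zone: bool = True) -> str:
    """Render a timestamp the way an examiner's tool does: wall-clock time in the
    chosen zone, with the zone abbreviation appended when show_zone is set (the
    equivalent of the 'show timezone' option described in the post)."""
    local = filetime_to_utc(filetime).astimezone(ZoneInfo(zone))
    text = local.strftime("%m/%d/%y %I:%M:%S %p")
    return f"{text} {local.tzname()}" if show_zone else text


def compare_zones(filetime: int, workstation_zone: str, evidence_zone: str) -> dict:
    """Show the same instant under the examiner workstation's zone (EnCase's default)
    and under the zone the evidence machine actually used."""
    return {
        "utc": render(filetime, "UTC"),
        "workstation": render(filetime, workstation_zone),
        "evidence": render(filetime, evidence_zone),
    }


if __name__ == "__main__":
    for label, value in compare_zones(SAMPLE_FILETIME, "America/Los_Angeles", "America/New_York").items():
        print(f"{label:>12}: {value}")
    # Without the suffix, the renderings are just different-looking times with no hint why.
    print("  unlabelled:", render(SAMPLE_FILETIME, "America/Los_Angeles", show_zone=False))
```

The same instant lands on different calendar days in the two zones, and only one of them has already sprung forward; the appended abbreviation is what makes that visible in a report.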

Thanks for reading!

James Habben
@JamesHabben

Living with a Credit Freeze

Brian Krebs published an article, “How I Learned to Stop Worrying and Embrace the Security Freeze”, in 2015. I decided to embark on that journey as well, although my laziness delayed the start of that journey longer than it should have. I have had freezes in place for quite a few years now, and I wanted to share my experiences with each of the major bureaus.

Creditors

First, I want to say that it is very surprising, even to this day, to see the staggering number of companies that deal with pulling credit reports or scores and have never heard of a credit freeze. So many places want to run your credit, from something as simple as getting electricity turned on all the way to getting a home mortgage. I feel like I have been more of an educator to that industry than anyone else!

Some have heard of a freeze and are very curious to ask questions about it. It feels almost like being a celebrity, with questions like “what’s it like to have a freeze?” (no joke). Others have heard of it and straight up dismiss me because they claim to have no way to handle the freeze, other than me having to unfreeze and then refreeze when they are done. Many of them think it is simple and free (it’s not), so they just expect you to take that on. One company straight up refused to work with me at all until there was no freeze on my credit.

Bureaus

The current situation has no standard for how these credit freezes should work. Various state laws define how much the bureaus can charge to place a freeze, but nothing in those laws defines the process. Each of the three major bureaus does things slightly differently.

In general, you visit the web portal for each bureau and supply enough personal information to identify yourself. It is the kind of information that really wouldn’t be hard to assemble about a target victim for those inclined to that side of morals, but that’s a rambling for another day. After validating that you know enough about yourself, you pay some amount of money to place the freeze. After that clears, you get a PIN code. Equifax gave me a 10-digit PIN, Experian gave me a 10-digit PIN, and TransUnion gave me a 6-digit PIN. These numbers have different uses depending on the bureau.

In general, I haven’t had problems with companies that know which bureau they use to pull credit history. They are willing to discuss and work with me when I explain that I have a freeze and the reason for it. Sometimes they have to pass you off to a different person who is responsible for performing the task.

Experian

I want to start with this one because it is the one I have held a freeze with the longest, and it seems to be the most popular credit bureau among the companies I have interfaced with.

For those companies that were willing to work with me, it has been the absolute smoothest of all three bureaus. I store the 10-digit PIN in my KeePass database, and I can give this number to the company looking to pull my credit history. Simple as that. Later, I can go onto the Experian web portal to change that PIN. The process is similar to placing the freeze in the first place: supply enough personal information to identify yourself.

I had to unfreeze with Experian one time when a company absolutely refused to accept a PIN to process the transaction. It cost me something like $20 to schedule an unfreeze followed by a refreeze after a set number of days.

Equifax

I list this one next because it has been the next easiest to work with when pulling credit history. The PIN you get from them is only for use with the web portal, so supplying this PIN to a company seeking your credit info will come back with a refusal for being the wrong number. In fact, the PIN you receive as part of the freeze process is 10 digits, and the creditor company is prompted for only 4 digits – an obvious mismatch.

The code required by those companies has to be generated each time, but the best part is that Equifax doesn’t charge for creating these codes. The downside is that you need to log in to their web portal to generate them, so you have to be more prepared. You can create a global temporary lift for a time period or a temporary lift for a single company. When doing a temporary lift for a single company, the portal asks you for the name of the company seeking your credit, but funny enough they only allow you to type 9 characters in that box. It seems that the name is more of a note for reference later than part of the validation. The other thing it asks you for is that 10-digit code you received when placing the freeze. At the end of that process, you get a link to open a PDF file that contains a 4-digit single-use code. Give that to the company running your credit and it will go through, even within minutes of generating the code.

TransUnion

I put this one last because I wasn’t able to figure out a way to get a temporary lift without paying some amount of money. I have had to log in to the web portal to place a temporary lift. They charged me $10, and it didn’t matter whether it was a global lift or a specific-company lift.

Takeaway

I have lived with these credit freezes for many years, and it has allowed me a little more peace of mind in light of the world I live in. It sets a much higher wall in front of my metadata, and I can deal with the occasional hassle described above.


I hope this helps you. I encourage you to look at getting a credit freeze to protect yourself.


James Habben

@JamesHabben

Reputations and PCI Data Breaches

The natural human reaction to reading a company’s announcement about a Payment Card Industry (PCI) data breach is to declare a boycott against that company. How dare they be so nonchalant and careless in handling our information? This reaction appears to be common when you read news articles on this very topic.

“87 percent would not (or were not very likely to) do business with a company that had faced a data breach”
http://www.nationalcybersecurityinstitute.org/general-public-interests/how-does-a-data-breach-affect-your-business-reputation/

The public fears a data breach because the majority of people out there have no idea what it actually means. I am sure all of you in this ‘cyber’ community constantly get questions from friends and family about how these things can happen. I certainly do.

I am going to put myself out there though and make a fairly bold statement:

A PCI data breach is good for a company

The Priorities

I provide advisory and investigative consulting to companies from Fortune 1 to Fortune 5839827495, and there is a theme I see from the top to the bottom: the companies that have experienced data breaches have stronger information security (InfoSec) programs as a result.

Almost every company I engage with asks me, “How does my security team compare to other companies in my industry?” and this is the biggest problem. The business side of these companies is all about keeping up with or getting ahead of competitors in their field. If everyone across your industry jumped off a bridge, would you jump too?

The priorities of an InfoSec program should not be driven by others. They need to be driven by internal needs and deficiencies. There are tons of ways to push this forward, but that isn’t the point of this post. The business side has a hard time allocating money to these priorities because most InfoSec program leads aren’t able to speak the right language.

The Breach

Enter the PCI data breach. It demands immediate attention that the business cannot ignore. It also spins up a lot of resources at enormous cost.

Some costs that an outsider to the breach investigation doesn’t always see:

  • outside legal counsel / breach coach
  • public relations firm
  • PCI mandated investigation firm known as PCI Forensic Investigation or PFI
  • another firm hired under legal privilege
  • travel and accommodations for employees and contractors
  • software and hardware to support investigation
  • extra online storage costs to preserve data on-prem and cloud
  • extra instances of computers to offset loads
  • premiums for expedited services with vendors

These all typically happen before any public notification of the breach is made.

The Announcement

By the time you read about a PCI data breach in the news, an army of people has been working on it. The InfoSec expertise involved can easily be a 10x or 20x multiple of the team normally employed for this role in calmer times.

The public thinks:
“Oh no, I am never shopping there again. I don’t want my data stolen.”

In reality, this is the safest that network has ever been. There are tons of people looking over every possible problem. The affected company is getting a massive overload of recommendations on how to improve. It will also be under heightened scrutiny from the public and from any regulatory bodies it is involved with, namely PCI for one.

The Response

We have worked with customers on post-breach projects that took a 5-year timeline down to as little as 6 months. Money comes raining down from the top. Many times, the PCI breach uncovers less than ideal practices in other aspects of the infrastructure as well.

Some go on to really make a huge difference:
https://corporate.target.com/article/2015/07/cyber-fusion-center

Of the causes for breaches that I have seen, almost none were ultimately a surprise. It is usually a weakness in some area that a project already exists to address. The InfoSec teams working for these companies do well at identifying the improvements that are needed. It has never been due to laziness or lack of knowledge.

Breaches are Good

Companies are collecting more and more data about us. I prefer seeing breaches of PCI data over breaches of even more personal data or intellectual property. Although it is a costly incident, the damage done can be fixed relatively well.


Let me know what you think of breaches.

James Habben
@JamesHabben