Friday, May 8, 2020

ANAB - Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

Long title, great document:
https://anab.qualtraxcloud.com/ShowDocument.aspx?ID=6732

From the ANSI National Accreditation Board (ANAB), these are some great guiding principles for forensic work.

Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

1. Are independent, impartial, detached, and objective, approaching all examinations with due diligence and an open mind.

2. Conduct full and fair examinations. Conclusions are based on the evidence and reference material relevant to the evidence, not on extraneous information, political pressure, or other outside influences.

3. Are aware of their limitations and only render conclusions that are within their area of expertise and about matters which they have given formal consideration.

4. Honestly communicate with all parties (the investigator, prosecutor, defense, and other expert witnesses) about all information relating to their analyses, when communications are permitted by law and agency practice.

5. Report to the appropriate legal or administrative authorities unethical, illegal, or scientifically questionable conduct of other forensic employees or managers. Forensic management will take appropriate action if there is potential for, or there has been, a miscarriage of justice due to circumstances that have come to light, incompetent practice or malpractice.

6. Report conflicts between their ethical/professional responsibilities and applicable agency policy, law, regulation, or other legal authority, and attempt to resolve them.

7. Do not accept or participate in any case on a contingency fee basis or in which they have any other personal or financial conflict of interest or an appearance of such a conflict.

8. Are committed to career-long learning in the forensic disciplines which they practice and stay abreast of new equipment and techniques while guarding against the misuse of methods that have not been validated. Conclusions and opinions are based on generally accepted tests and procedures.

9. Are properly trained and determined to be competent through testing prior to undertaking the examination of the evidence.

10. Honestly, fairly and objectively administer and complete regularly scheduled:

  • relevant proficiency tests; 
  • comprehensive technical reviews of examiners’ work; 
  • verifications of conclusions. 

11. Give utmost care to the treatment of any samples or items of potential evidentiary value to avoid tampering, adulteration, loss or unnecessary consumption.

12. Use appropriate controls and standards when conducting examinations and analyses.

13. Accurately represent their education, training, experience, and area of expertise.

14. Present accurate and complete data in reports, testimony, publications and oral presentations.

15. Make and retain full, contemporaneous, clear and accurate records of all examinations and tests conducted, and conclusions drawn, in sufficient detail to allow meaningful review and assessment of the conclusions by an independent person competent in the field. Reports are prepared in which facts, opinions and interpretations are clearly distinguishable, and which clearly describe limitations on the methods, interpretations and opinions presented.

16. Do not alter reports or other records or withhold information from reports for strategic or tactical litigation advantage.

17. Support sound scientific techniques and practices and do not use their positions to pressure an examiner or technician to arrive at conclusions or results that are not supported by data.

18. Testify to results obtained and conclusions reached only when they have confidence that the opinions are based on good scientific principles and methods. Opinions are to be stated so as to be clear in their meaning. Wording should not be such that inferences may be drawn which are not valid, or that slant the opinion to a particular direction.

19. Attempt to qualify their responses while testifying when asked a question with the requirement that a simple “yes” or “no” answer be given, if answering “yes” or “no” would be misleading to the judge or the jury.



MacOS - Property List Files

Property list (".plist") files can contain data relevant to forensic examination of Apple computers and iOS devices.

Roughly analogous to how Windows stores configuration and settings in the registry, Apple devices store system and user settings in .plist files. These can show a user's preferences and how he/she uses an application.

Several plist files are created when a system or application is first run. Aside from configuration info, plist files can provide information on recent items and recently accessed files.

Some plists of potential interest are listed below. Many of them are stored in the binary plist format rather than XML, so they need a viewer that understands "bplist" (for example plutil -convert xml1 on a macOS box, or a parser such as Python's plistlib).
* (~) tilde means the currently logged-in user's folder (/Users/<username>).


  • Recent Apps in the Apple Dock 

~/Library/Preferences/com.apple.dock.plist


  • OS Version and Info

/System/Library/CoreServices/SystemVersion.plist 


  • Last Logged-in user

/Library/Preferences/com.apple.loginwindow.plist


  • Deleted Users

/Library/Preferences/com.apple.preferences.accounts.plist


  • User Interaction with Apple Finder

~/Library/Preferences/com.apple.finder.plist


  • Tracking volumes from the sidebarlist
~/Library/Preferences/com.apple.sidebarlists.plist


  • Shared files list and recent items
/Users/<username>/Library/Application Support/com.apple.sharedfilelist/


  • Recent Spotlight Searches
~/Library/Application Support/com.apple.spotlight.Shortcuts


  • Installed Updates
/Library/Receipts/InstallHistory.plist


  • Copies under the volume's UUID directory (<VolumeUID> is the UUID of the volume)

<VolumeUID>/System/Library/CoreServices/SystemVersion.plist

/<VolumeUID>/com.apple.installer/SystemVersion.plist

<VolumeUID>/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey


  • List of users who can sign in (unlock the volume) and their user information

<VolumeUID>/var/db/CryptoUserInfo.plist
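Most of the files listed above are binary plists, so they cannot simply be grepped. As an added example (this is not code from the post), the following Python uses the standard-library plistlib, which detects the XML and binary formats itself, to load a plist, flatten it into key paths for triage, and pull the two artifacts the list calls out: the Dock's recent apps and the last logged-in user. The Dock and loginwindow samples are constructed inline; the key names (recent-apps / tile-data / file-data / _CFURLString, lastUserName) follow the real files, but every value is made up. The CFAbsoluteTime helper is included because many plist timestamps count seconds from 2001-01-01 rather than from the Unix epoch.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# CFAbsoluteTime values (common in plists) count seconds from 2001-01-01 UTC,
# not from the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_datetime(seconds):
    """Convert a CFAbsoluteTime float to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def load_plist(blob):
    """Parse plist bytes; plistlib detects XML ('<?xml') vs binary ('bplist00') itself."""
    return plistlib.loads(blob)


def load_plist_file(path):
    """Read a plist from disk, e.g. ~/Library/Preferences/com.apple.dock.plist."""
    with open(path, "rb") as fh:
        return load_plist(fh.read())


def flatten(node, prefix=""):
    """Yield (key_path, leaf_value) for every leaf in a nested plist, so a whole
    file can be searched or diffed without knowing its layout in advance."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from flatten(val, f"{prefix}/{key}" if prefix else str(key))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from flatten(val, f"{prefix}[{idx}]")
    else:
        yield prefix, node


def recent_dock_apps(dock):
    """(label, url) for each entry in the Dock plist's recent-apps array."""
    out = []
    for tile in dock.get("recent-apps", []):
        tile_data = tile.get("tile-data", {})
        url = tile_data.get("file-data", {}).get("_CFURLString")
        out.append((tile_data.get("file-label"), url))
    return out


def last_logged_in_user(loginwindow):
    """lastUserName from com.apple.loginwindow.plist (None if the key is absent)."""
    return loginwindow.get("lastUserName")


# Constructed samples: key layout follows the real files, values are made up.
# The Dock sample is written as a binary plist to show the parser copes with bplist.
SAMPLE_DOCK = plistlib.dumps({
    "recent-apps": [
        {"tile-data": {"file-label": "Terminal",
                       "file-data": {"_CFURLString": "file:///Applications/Terminal.app/",
                                     "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                     "_CFURLStringType": 15}}},
    ],
}, fmt=plistlib.FMT_BINARY)

SAMPLE_LOGINWINDOW = plistlib.dumps({"lastUserName": "bryan", "lastUser": "loggedIn"})

if __name__ == "__main__":
    dock = load_plist(SAMPLE_DOCK)
    for key_path, value in flatten(dock):
        print(f"{key_path} = {value!r}")
    print("recent apps:", recent_dock_apps(dock))
    print("last user:", last_logged_in_user(load_plist(SAMPLE_LOGINWINDOW)))
    print("CFAbsoluteTime 0 ->", cocoa_to_datetime(0).isoformat())
```

On a real system, point load_plist_file at the paths above (from a mounted image or a live box); the flatten output is a convenient thing to dump to text and grep for file:// URLs and user names.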




Sunday, August 11, 2019

CyLR — Live Response Collection tool

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Windows exe found at:

https://github.com/orlikoski/CyLR/releases

and

https://github.com/orlikoski/CyLR


CyLR was first brought to my attention in the SANS "FOR500: Windows Forensic Analysis" course.
It is used for collection and artifact processing.

FOR ARTIFACT COLLECTION
By default this tool looks in:

Windows Default
  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\"REGISTRY HIVES"
    • %PROGRAMDATA%
    • %SystemDrive%\$Recycle.Bin
    • %SystemDrive%\$LogFile
    • %SystemDrive%\$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT and \AppData

*Among other locations; the Linux and macOS paths are listed on the GitHub page.





Simulating Collection on a Remote System

The diagram for this post (image not reproduced here) shows an admin remoting into a desktop, running CyLR, and sending the results to an SFTP server for retrieval.


1. SETTING UP THE SFTP SERVICE IN WINDOWS

Open the Start menu and type Apps.
Click Apps & features.
Under "Apps & features," click the Manage optional features link.
Click the Add a feature button.
Select the OpenSSH Server option and click Install.

The Windows OpenSSH server ships with the SFTP subsystem enabled in its default sshd_config, so nothing else is needed for CyLR's SFTP upload.


May need to start the service:

Control Panel > System and Security > Administrative Tools > Services
Start the "OpenSSH SSH Server" service.


May need to set up a firewall exception.
Allow incoming connections to the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only) as Administrator:
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new inbound rule for TCP port 22.


May need to generate a key pair:
In WinSCP, select Advanced settings > Authentication > Tools > Generate New Key Pair with PuTTYgen,
or use "ssh-keygen.exe" from OpenSSH-Win64.




2. CREATING A POWERSHELL SESSION TO THE REMOTE DESKTOP

$s = New-PSSession -ComputerName DESKTOP-REMOTE -Credential Win10

$s is the variable holding the PowerShell remoting session to the remote host, ideally created with admin credentials. This needs PowerShell remoting (WinRM) enabled on the target. Giving -Credential only a user name makes PowerShell prompt for the password.


(Credentials prompt, screenshot not reproduced here.)


3. COPYING CyLR to remote host in session with powershell:

Copy-Item -Path C:\Users\Win10\Desktop\CyLR_win-x64\CyLR.exe -Destination 'C:\' -ToSession $s

Using the previously created "$s" session to copy CyLR.exe to the C: drive of the target. -ToSession requires PowerShell 5.0 or later on the admin machine.


4. Enter session with powershell:

Enter-PSSession -Session $s

5. Run CyLR and point it to the SFTP server's IP address:

C:\CyLR.exe -u SFTP_Server -p password -s 192.168.28.128

-s points to the SFTP server; -u and -p are the SFTP account's username and password. *Not recommended to use "password" as the password. Also keep in mind that a password given on the command line can end up in PowerShell history and in process command-line auditing on the target.

RUNNING (screenshot of CyLR running, not reproduced here)

6. Verifying results on the SFTP server (screenshot not reproduced here)

RESULTS include (screenshot not reproduced here):

A zip archive of the collected artifacts, containing the NTUSER.DAT registry hive for each user.

In conclusion:
I think CyLR is a neat tool and can potentially be used by an IR shop to collect relevant artifacts. May try it on a Mac and/or Linux host and see what it retrieves.

Also looking to try out Eric Zimmerman's KAPE (Kroll Artifact Parser and Extractor) tool to simulate a remote collection.
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape


--Bryan

Referenced:

Sectechno. (2018, October 10). CyLR - Live Response Collection Tool. Retrieved from http://www.sectechno.com/cylr-live-response-collection-tool/

Orlikoski. (2019, March 18). Orlikoski/CyLR. Retrieved from https://github.com/orlikoski/CyLR









Thursday, July 11, 2019

Extracting Pcap from a Memory Image

Continuing from "https://www.datadigitally.com/2019/06/retrieving-memory-image-remotely.html",
where memory was captured remotely with the Windows Sysinternals tool psexec.exe and the memory capture tool dumpit.exe.

This post will test the network packet carving (net scanner) feature of the bulk_extractor tool against the previously created memory image "memdump.mem".

bulk_extractor can be found here: http://downloads.digitalcorpora.org/downloads/bulk_extractor/

The command that will be used is:

bulk_extractor64.exe -x all -e net -o test/ memdump.mem

This command uses "-x all" to disable all scanners and "-e net" to turn the net scanner back on, so only network carving runs.
The "-o test/" option names the directory to which the extracted network objects are written.

*As a note, network connections recovered from a memory image are a great way to see what the machine was connected to at the time of the capture.
Volatility's netscan plugin provides insightful data regarding network connections at the time of the capture, including source and destination IP addresses, ports, protocols, and process IDs (PIDs).

After running the above command, the output in the "test/" directory contains text files detailing network artifacts from the image, alongside a packets.pcap file holding the carved packets (screenshot not reproduced here).
This being a memory capture from a Windows 10 machine, and with the bulk extractor open source build being from a few years back, I tend to wonder if offsets and structure locations in memory have changed such that certain outputs of the net scanner may be affected.

However, we do get a pcap, and it can be viewed in Wireshark.
It is not the complete packet capture one would get from a network sensor, since only packets still resident in memory are carved, and the timestamps are off.
Can select from the wireshark menu
Statistics --> Conversations
This will show the IP addresses talking to each other, ports, and packet/byte counts.

We see a potential IP of interest:

64.207.134.54
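When there is no Wireshark at hand, or many carved pcaps to triage, the Conversations view can be reproduced with a few dozen lines of Python. The block below is an added example, not code from the post or from bulk_extractor: it parses a classic libpcap file (the format the net scanner writes; pcapng is deliberately rejected), decodes the Ethernet/IPv4/TCP/UDP headers, totals packets and bytes per endpoint pair, and lists the peers outside the local range as reputation-check candidates. The pcap it reads is constructed inline: three made-up frames whose timestamps are zero, because carved packets carry no trustworthy time. The remote address is the one from the post, but the traffic is invented; the "local" prefix 192.168. is an assumption for the example.

```python
import struct
from collections import defaultdict


def _ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed stand-in for bulk_extractor's packets.pcap: three carved frames
    in a little-endian classic pcap with link type 1 (Ethernet)."""
    frames = [
        _ipv4_tcp_frame("192.168.28.50", "64.207.134.54", 49512, 80, b"GET / HTTP/1.1\r\n"),
        _ipv4_tcp_frame("64.207.134.54", "192.168.28.50", 80, 49512, b"HTTP/1.1 200 OK\r\n"),
        _ipv4_tcp_frame("192.168.28.50", "192.168.28.1", 53412, 443),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        # ts_sec/ts_usec are zero: carved packets carry no trustworthy timestamp.
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield each packet's bytes from a classic pcap (either byte order)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    *_, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src_ip, sport, dst_ip, dport, proto, size) for IPv4 frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(frame[23], str(frame[23]))
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = None
    l4 = frame[14 + ihl:]
    if proto in ("tcp", "udp") and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, sport, dst, dport, proto, len(frame)


def conversations(data):
    """Aggregate packets/bytes per endpoint pair, like Wireshark's Statistics > Conversations."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in iter_frames(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue  # non-IPv4 or truncated carve; skip rather than abort
        src, sport, dst, dport, proto, size = decoded
        a, b = sorted([(src, sport), (dst, dport)], key=lambda e: (e[0], e[1] or 0))
        convs[(proto, a, b)]["packets"] += 1
        convs[(proto, a, b)]["bytes"] += size
    return dict(convs)


def external_peers(convs, local_prefix="192.168."):
    """IPs outside the local range: the candidates to check against reputation sources."""
    return sorted({ip for (_, a, b) in convs for ip, _ in (a, b) if not ip.startswith(local_prefix)})


if __name__ == "__main__":
    pcap = build_sample_pcap()
    for (proto, a, b), stats in conversations(pcap).items():
        print(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {stats['packets']} pkts  {stats['bytes']} bytes")
    print("external peers:", external_peers(conversations(pcap)))
```

To run it against the real output, replace build_sample_pcap() with the bytes of test/packets.pcap. Because carving pulls stale frames out of freed memory, a peer showing up here is a lead to cross-check with netscan's PID and connection-state data, not proof of an active connection at capture time.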




Checking the reputation of the IP address on VirusTotal, we see a communicating file reported:
https://www.virustotal.com/gui/ip-address/64.207.134.54/relations
With a high number of vendors flagging it as malicious:
And a description of the Emotet Trojan.
This is just a brief overview of a method to extract a pcap from a memory image with the bulk extractor tool. The goal is to extract possible network indicators from an image. As previously noted, the Volatility suite is a great option for memory analysis, but this may serve as a secondary method. Keep in mind that IP reputation changes over time and that shared hosting can taint an address, so treat a VirusTotal hit like this as a lead to confirm against the process and connection data, not as a conclusion on its own.

--Bryan



Reference:
SANS Internet Storm Center. (2016). Extracting pcap from memory. Retrieved from https://isc.sans.edu/forums/diary/Extracting pcap from memory/20639/












Sunday, June 30, 2019

Enable "Last Access" Time Updates

If you have been in the computer forensics field since the Windows XP days or before, then you probably already know that Windows had/has the ability to record, for every file and folder, a timestamp of when it was "last accessed", i.e. opened for reading or writing.

However...
For performance reasons, NTFS on Windows Vista and later does not update the last access time of files and folders by default (see the note on the Windows 10 1803 default below).

In one of his recent books, Investigating Windows Systems, Harlan Carvey mentions that:

"The version of Windows can impact our analysis...When files were accessed on Windows XP, the file system last accessed time was updated.  However, as of Windows Vista, this functionality was disabled by default, via a Registry value.
The value is named NtfsDisableLastAccessUpdate, and is found beneath the
HKLM\System\CurrentControlSet\Control\FileSystem key."


In his book, Mr. Carvey goes into detailed reasons for the importance of timestamps and timelines in intrusion cases. Following the above, he recounts a real-life case in which the last access timestamps helped lead him to a malicious DLL that had been loaded via search-order hijacking.

I just recently finished reading Investigating Windows Systems and do recommend it for those in the field of incident response, especially for sharpening the discipline that is walked through in the analysis process and in looking for key findings in Windows environments. It makes for a great read.
Carvey, H. (2018). Investigating Windows Systems. London: Academic Press, an imprint of Elsevier.


ENABLING LAST ACCESS UPDATES

*Looking at some documentation, it was noted that the default value of NtfsDisableLastAccessUpdate changed in Windows 10 version 1803 to dword:80000000, and in later versions it can end in 2 or 3 instead of all zeros.

Taken from the Forensixchange blog:
https://forensixchange.com/posts/19_04_22_win10_ntfs_time_rules/

"The NtfsDisableLastAccessUpdate registry key can be on the default value which is: dword:80000003. This value means: System Managed, the "Last Access" updates are disabled."




Below are 2 methods to change the value.
*NOTE: enabling last access updates may affect read/write performance on HDD and SSD drives. Make the change ahead of time on systems you administer; do not change it on a system under examination, since that alters the evidence.

1. Using the Windows Registry Editor, Regedit, to change the value below (screenshot not reproduced here).

This value is the default that disables Last Access updates. It can also end in "3", which is likewise a default that means disabled.
Setting the value to 0 ("User Managed, Last Access Time Updates Enabled" in fsutil's terms) enables Last Access updates for NTFS. Per the fsutil documentation, a value ending in "1" means "User Managed, Last Access Time Updates Disabled", so changing only the last digit to 1 does not enable them. After changing the registry value and rebooting, run fsutil behavior query disablelastaccess to confirm the effective setting.

Enabled by setting the value to 0 (screenshot not reproduced here).
2.  Another method is via an elevated admin command prompt (screenshot not reproduced here).

This disables the "disable" setting; a reboot is required for the change to take effect.
Lastly, if the policy to update last access times is in place, a neat PowerShell command can be used to recursively list file names and sort on last access time:

Get-ChildItem -Recurse . | Select-Object Name,LastAccessTime,PSParentPath | Sort-Object LastAccessTime

(gci, select and sort are the aliases the short form uses.) *This can be run from a target directory and redirected to a text file to sort and see recently accessed items. Note that NTFS may delay writing an updated last access time to disk by up to an hour after the access, so very recent activity may not show yet.

These are sample malware files that I had on a test VM, but this method can help in getting a sense of a timeline of last access.
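As an added example (not code from the post), the following Python does two things that go with the steps above: it decodes a NtfsDisableLastAccessUpdate DWORD using the meanings fsutil documents for the values 0 to 3, reporting the 0x80000000 bit from the post's quoted default separately, and it reproduces the Get-ChildItem timeline in a form that also runs against a mounted image on a non-Windows box. The command-prompt method in the post is presumably fsutil behavior set disablelastaccess 0 (an assumption; the post's screenshot is not reproduced), and fsutil behavior query disablelastaccess reports the effective setting the decoder mirrors. The directory tree in the demo is constructed with made-up file names and explicitly set access times; nothing in it is real malware.

```python
import os
from datetime import datetime, timezone


def decode_disable_last_access(value):
    """Decode the REG_DWORD NtfsDisableLastAccessUpdate found under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem.

    The low two bits carry the meanings fsutil documents:
      0 = User Managed, updates enabled     1 = User Managed, updates disabled
      2 = System Managed, updates enabled   3 = System Managed, updates disabled
    Bit 31 (0x80000000) is present in the Windows 10 1803+ default 0x80000003
    quoted in the post; it is reported separately here on the assumption that
    it is a flag and does not change the meaning of the low bits.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD value out of range")
    mode = value & 0x3
    return {
        "raw": f"0x{value:08x}",
        "system_managed": bool(mode & 0x2),
        "updates_enabled": not (mode & 0x1),
        "high_bit_set": bool(value & 0x80000000),
    }


def last_access_timeline(root, since=None):
    """Recursively list files under root, oldest last-access first.

    Equivalent of: gci -recurse . | select name,lastaccesstime,psparentpath | sort lastaccesstime
    `since` (an aware datetime) drops entries accessed before that moment.
    Returns (atime_utc, name, parent_dir) tuples.
    """
    rows = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or locked file; keep walking
            atime = datetime.fromtimestamp(st.st_atime, tz=timezone.utc)
            if since is not None and atime < since:
                continue
            rows.append((atime, name, dirpath))
    rows.sort(key=lambda r: r[0])
    return rows


def make_demo_tree(root):
    """Constructed sample: made-up file names with explicitly set access times
    (via os.utime) so the ordering is deterministic. Not real malware."""
    samples = {
        "sample_a.exe": datetime(2019, 6, 28, 9, 0, tzinfo=timezone.utc),
        os.path.join("sub", "dropper.dll"): datetime(2019, 6, 30, 14, 30, tzinfo=timezone.utc),
        "notes.txt": datetime(2019, 6, 29, 12, 0, tzinfo=timezone.utc),
    }
    for rel, atime in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample content\n")
        ts = atime.timestamp()
        os.utime(full, (ts, ts))  # (atime, mtime)
    return samples


if __name__ == "__main__":
    import tempfile
    for raw in (0x80000003, 0x80000000, 0, 1):
        print(decode_disable_last_access(raw))
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp)
        for atime, name, parent in last_access_timeline(tmp):
            print(atime.isoformat(), name, parent)
```

Running the timeline over a mounted image avoids the obvious pitfall of listing files on a live system: opening them from a forensic workstation would itself refresh the access times you are trying to read.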
--Bryan