Recent speech on eDiscovery in Australia now posted

October 16th, 2008

Back in August this year, I delivered the keynote speech at an Oracle-organised eDiscovery roadshow, which travelled to most of the capital cities in Australia.

I have packaged the audio of my speech and PowerPoint slides into a SlideCast, which can be viewed and listened to below.

For the entire event, including an mp3 containing both mine and the other speakers' speeches, Paul Ricketts of Oracle has blogged it over here.

Stealth deployment of F-Response Enterprise

September 29th, 2008

In the last couple of days I have taken a few moments to familiarise myself with F-Response. The tool has been getting a lot of buzz lately amongst the forensic community, as it allows read-only raw access to the drives of remote computers using one's regular forensic toolset. Think EnCase Enterprise at a lower price tag and with open tool access.

For the more technical reader, it does this by setting up an iSCSI target on the remote (target, or suspect's) computer.

The field kit and consultant editions of this tool require you to run a GUI agent on the target computer, which is not stealthy. The enterprise version of this tool, however, allows the agent to be run as a service.

Stealth Deployment
The supplied manual shows you how to install the enterprise agent using a combination of command line and GUI, but doesn't go so far as to instruct how to do this remotely, via only the command line. This post is to document how I achieved this.

I note here that these instructions apply to a Windows domain-based setup, with firewall rules on the workstations set to allow remote administration and file sharing from the investigation computer.

1. Open two windows command prompts. One is to be for work on the target machine and one on the investigation machine.

2. On the target machine command prompt, we first want to get a shell on the target computer, by using psexec, xcmd or similar. I am logging in here as a user with Administrator privileges:

C:\Documents and Settings\bschatz>"c:\Documents and Settings\bschatz\Desktop\tools\psexec.exe" -u VINCENTS\bschatz_admin \\192.168.20.195 cmd

PsExec v1.94 – Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals – www.sysinternals.com

Password:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

3. Then in the same window, we make a directory to hold the F-Response agent and its configuration file, and change into it.

C:\WINDOWS\system32>mkdir f-response

C:\WINDOWS\system32>cd f-response

C:\WINDOWS\system32\f-response>

4. On the investigator machine command prompt, we now want to copy the f-response agent and configuration file (f-response-ent.exe and NetUniKey.ini) over to the target machine, and into the directory we just created. Look out for escaping of quotes here:

C:\WINDOWS\system32>runas /user:VINCENTS\bschatz_admin "xcopy \"c:\Program Files (x86)\F-Response\F-Response Enterprise Edition\"\* \\192.168.20.195\c$\windows\system32\f-response\ /e /s /v /y /i"

5. Back in the target machine command prompt, we run the commands below in order: first install the F-Response agent as a service, then start the service, and finally, assuming that your client's firewall rules block connections to the F-Response iSCSI target, open the Windows Firewall on that port (TCP 3260):

C:\WINDOWS\system32\f-response>f-response-ent -c

C:\WINDOWS\system32\f-response>net start "F-Response Enterprise Service"
The F-Response Enterprise Service service is starting.
The F-Response Enterprise Service service was started successfully.

C:\WINDOWS\system32\f-response>netsh firewall set portopening protocol=TCP port=3260 name=iSCSI mode=ENABLE profile=DOMAIN
Ok.

6. At this point the regular F-Response connection from the investigator machine may be made.

When you are done
How to undo the above?

C:\WINDOWS\system32\f-response>netsh firewall delete portopening protocol=TCP port=3260
Ok.

C:\WINDOWS\system32\f-response>net stop "F-Response Enterprise Service"
The F-Response Enterprise Service service is stopping.
The F-Response Enterprise Service service was stopped successfully.

C:\WINDOWS\system32\f-response>f-response-ent -d

C:\WINDOWS\system32\f-response>del *.*

C:\WINDOWS\system32\f-response>cd ..

C:\WINDOWS\system32>rmdir f-response
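The deployment (steps 1 to 6) and the tear-down above, consolidated into one batch file that is run from the investigator machine. This is an added example and not the author's or F-Response's own script. It assumes that psexec.exe is on the PATH; that the account given has local administrator rights on the target; that the agent and NetUniKey.ini are in the directory the post's xcopy command copies from; and that once a `net use` to the target's IPC$ share (used here in place of the post's runas) has authenticated the session, the later psexec and xcopy commands reuse that SMB session instead of prompting again. The `-w` option to psexec sets the remote working directory so that f-response-ent.exe finds NetUniKey.ini, as it does when run from that directory in step 5. The script also appends a timestamped line to a log file for the case notes, which the manual steps above do not.

```batch
@echo off
REM Added example (not the post author's or F-Response's script): deploy, check
REM or remove the F-Response Enterprise agent on one target from the
REM investigator machine, logging each action with a timestamp for case notes.
REM Assumptions: psexec.exe is on the PATH, the account has local admin rights
REM on the target, and psexec/xcopy reuse the SMB session opened by net use.
setlocal
if "%~2"=="" goto usage

set "TARGET=%~1"
set "ACTION=%~2"
set "ADMINUSER=%~3"
if "%ADMINUSER%"=="" set "ADMINUSER=VINCENTS\bschatz_admin"
REM Agent and NetUniKey.ini come from the F-Response install directory (as in step 4).
set "SRC=c:\Program Files (x86)\F-Response\F-Response Enterprise Edition"
set "LOCALDIR=c:\windows\system32\f-response"
set "SHAREDIR=\\%TARGET%\c$\windows\system32\f-response"
set "SVC=F-Response Enterprise Service"
set "LOG=%~dp0f-response-%TARGET%.log"

if /i "%ACTION%"=="deploy" goto run
if /i "%ACTION%"=="status" goto run
if /i "%ACTION%"=="undo" goto run
goto usage

:run
REM Authenticate to the target once (prompts for the password); later commands reuse it.
net use \\%TARGET%\ipc$ /user:%ADMINUSER% || exit /b 1
>>"%LOG%" echo %DATE% %TIME% %ACTION% %TARGET% as %ADMINUSER%
goto %ACTION%

:deploy
REM Steps 3 to 5: staging directory, copy of agent and config, install and start
REM the service, then open TCP 3260 for the iSCSI target on the domain profile only.
psexec \\%TARGET% cmd /c mkdir "%LOCALDIR%" || goto fail
xcopy "%SRC%\*" "%SHAREDIR%\" /e /s /v /y /i || goto fail
psexec \\%TARGET% -w "%LOCALDIR%" "%LOCALDIR%\f-response-ent.exe" -c || goto fail
psexec \\%TARGET% net start "%SVC%" || goto fail
psexec \\%TARGET% netsh firewall set portopening protocol=TCP port=3260 name=iSCSI mode=ENABLE profile=DOMAIN || goto fail
>>"%LOG%" echo %DATE% %TIME% agent deployed, service started, TCP 3260 opened
goto done

:status
REM Check that the service is running and that the port opening is still present.
sc \\%TARGET% query "%SVC%"
psexec \\%TARGET% netsh firewall show portopening
goto done

:undo
REM The clean-up from the post, in the reverse order of the deployment.
psexec \\%TARGET% netsh firewall delete portopening protocol=TCP port=3260
psexec \\%TARGET% net stop "%SVC%"
psexec \\%TARGET% -w "%LOCALDIR%" "%LOCALDIR%\f-response-ent.exe" -d
psexec \\%TARGET% cmd /c rmdir /s /q "%LOCALDIR%"
>>"%LOG%" echo %DATE% %TIME% agent removed, TCP 3260 closed
goto done

:usage
echo usage: %~nx0 target-ip deploy^|status^|undo [domain\admin-user]
exit /b 1

:fail
>>"%LOG%" echo %DATE% %TIME% FAILED with errorlevel %ERRORLEVEL%
net use \\%TARGET%\ipc$ /delete >nul
exit /b 1

:done
net use \\%TARGET%\ipc$ /delete >nul
endlocal
```

Saved as, say, deploy-fresponse.cmd, it is run as `deploy-fresponse.cmd 192.168.20.195 deploy VINCENTS\bschatz_admin`; `status` shows the service state and the firewall port opening, and `undo` performs the clean-up in the reverse order of the deployment. Each run leaves a dated line in f-response-&lt;target&gt;.log beside the script.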

Ph.D. Thesis Published

December 5th, 2007

My Ph.D. thesis was accepted by my university a while ago, and as a result my thesis is now publicly available at the Australian Digital Thesis project. The citation for the thesis is reproduced below.

This thesis addresses problems related to the complexity and volume of evidence drawn from computers and other digital devices (so-called digital evidence) in policing and legal matters. The research identifies methods for increasing the efficiency and reliability of investigations employing digital evidence, by proposing automated methods of processing and documenting such information. The research examined at a fundamental level the role of representation in interpreting and analysing digital evidence, identifying where a formal approach to representing digital investigations and digital evidence reduces the complexity and volume problems. A formal approach was shown to be of benefit in automating the identification of situations of interest from correlated event records sourced from computer security and other disparate event logs. Additionally a formal approach was shown to facilitate granular sharing of evidence and extensible documentation of investigations. Finally, the research identified flaws in the fundamental assumptions in the interpretation of time-stamped evidence, and proposed a novel method of inferring the temporal behaviour of arbitrary computers.

Many thanks to my Ph.D. supervisory team: Adj. Prof. George Mohay, Dr. Andrew Clark, and Dr. Peter Best. Your support and encouragement have been instrumental in directing my research to this conclusion. Finally, thanks to my thesis examiners for their valued criticism and recommendations.

Computer Security Day – Brisbane 2007

November 29th, 2007

I will be giving a short half-hour talk titled "Recent developments in volatile memory forensics" at the Brisbane Computer Security Day on Friday 29th November, 2007. In this talk I will give an overview of where volatile memory forensics fits into the general practice of forensics, identify the benefits and limitations of the current toolset, and outline the current developments in the field. The subjects of other talks include PCI data security, Google hacking, and web application security.

This event has been organised by the Information Security Institute, the Australian Information Security Association and AUSCERT.

UPDATE: The slides of my talk can be found here.

E-Forensics 2008

August 3rd, 2007

The 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia (e-Forensics 2008) is being held in Adelaide, Australia from 21st – 24th January, 2008. The second call for papers is still open.

(via Andrew Clark)

5th Australian Digital Forensics Conference

August 3rd, 2007

The 5th Australian Digital Forensics Conference will be held from 3rd-4th December 2007 at Edith Cowan University, Perth, Western Australia.

The call for papers is open until 1st September.

ACM SIGOPS Operating Systems Review Special Issue on Computer Forensics

July 16th, 2007

I haven’t seen this announced widely. A special issue of the ACM SIGOPS Operating Systems Review, focusing on computer forensics, is currently accepting papers.

More details are here.

DFRWS 2007 Paper

June 5th, 2007

My paper “BodySnatcher: towards reliable volatile memory acquisition by software” has been accepted at the 2007 Digital Forensics Research Workshop (DFRWS) conference in August this year. The abstract is below:

Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel-level rootkits, anti-forensics, and the threat of subversion that they pose, threatens to undermine the reliability of such memory images, and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point-in-time atomic snapshots of the host OS volatile memory. Additionally, the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition-specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.

See you in Pittsburgh!

New tool – CERT/CMU Live View

August 16th, 2006

I am in Lafayette, Indiana this week at DFRWS2006. A gent from CERT was present and demonstrating an excellent tool called "Live View" which, from first impressions, appears to be a P2V GUI that automates running dd images in VMware. Its features appear to go far beyond what dd2vmdk does in some respects: you point it at an image, upon which it:
* generates a VMware vmdk
* generates a corresponding virtual machine definition
* fixes up the driver boot problem
* optionally lets one set the time to a different value
* automatically boots up the image in VMware

On the downside, it doesn't appear to handle disk images, just partition images. This introduces further complications such as having to specify the OS used, and the remapping of drive letters, which they do however handle. I am not convinced that their insistence on replacing the MBR is necessary either.

When I get back from DFRWS I will be testing if it does handle disk images, and if it does, how it copes with geometry problems and LDM.

tool – pasco2

August 2nd, 2006

I am off to the DFRWS 2006 conference in a week or so to present my paper “A correlation method for establishing provenance of timestamps in digital evidence”. In this paper I describe some research I have performed in characterising where the behaviour of computer clocks differs from the ideal.

A second theme of the paper is the identification of methods of correlating commonly found evidence to establish provenance of timestamps. In this case, I have been correlating Internet Explorer Cache and History files with Squid cache logs.

As a part of my work I reimplemented and extended a parsing tool for the IE cache and history index.dat files. This was due to finding bugs in the initial pasco tool (which was missing some error conditions from the read() system call). That, and I am more productive using Java.

The tool, which I have named pasco2 in honour of Keith Jones' earlier IE parser, pasco, can be found here: pasco2.