everyone, and welcome to the SANS special webcast titled, "DFIR Techniques Using the SIFT Workstation". I am Alex Bass with the SANS Institute and I will be moderating this webcast. Today's featured speaker is Rob Lee. He is the curriculum leader for Digital Forensics and Incident Response at the SANS Institute. Before I turn things over to Rob, the Q&A portion of this webcast will take place throughout the webcast. Please feel free to submit your questions at any point by using the chat window and we will answer them as they come in. Right now, I would like to hand over the mic to our first featured speaker, Rob Lee. Rob, would you like to take over?

- [Rob] Thanks Alex.
I really appreciate that. Hello, everyone. My name's Rob Lee. Alex did a really nice introduction for me online and I really appreciate that. Just looking through the participants here, I see a lot of old friends and a lot of new ones. So hello to everyone. Hi Jess Hamm and others that I'm seeing on the (mumbles) and a bunch of others. I'm just going through and just seeing a quick, Doug Barkes, and others. So glad you guys all could come out and hang out with me, discuss the SIFT workstation.

The SIFT workstation is a project that I started for the Forensics 508 class, probably about six years ago now, and it's really taken off in terms of a lot of different people requesting it. The kind of history of the SIFT workstation is that after about a few classes, I noticed a lot of the students would come back up to me after class, when we come back and take other classes at SANS, and say, "Hey, can I get the latest copy of it?" And we discussed it, it was probably about four years ago now, with the SANS Institute, about possibly putting it online and that, after some back and forth about the download size and bandwidth and everything else, the SANS Institute agreed to hosting it and I started converting the SIFT workstation, instead of being a classroom-only tool, into something that is particularly used by a lot of different individuals that are out there. And in doing so, I've actually gotten a lot of volunteers along the way to help me out with mutuals, casting it, and a bunch of other different capabilities in it.
Now this session is meant to basically help those who are not familiar with the SIFT workstation see some of the capabilities in the SIFT workstation. What it can do, what it can't do, why someone might want to add this as an augmentation tool to your current toolkit, and the future. I'll talk about the future a little bit later on as we're moving towards what I have now pet-named "SIFT 3G", which is a third generation of the SIFT workstation.

Before I begin, I just want to quickly point out that for those of you that are from the European side of the pond, we are gonna be at SANS Forensics Prague in 2012. This October, myself, Chad Tilbury, Lenny Zeltser, Jess Garcia are all gonna be teaching over there in Prague from the 7th through the 13th, and we're also doing a one-day mini-summit at the beginning of this where we're gonna be inviting speakers from around you to come join us to talk about digital forensics over in the European continent. So I'm really excited about that. I haven't been to Europe in quite a while and we've had a lot of requests over there to start expanding our forensics presence, so maybe we see a lot of Europeans come over to the US to take courses. Maybe we'll get some from the US to head over to Europe. And mini-vacations to go spend in Prague. It's a great city. And for those of you beer lovers out there, it's a great beer city, too.
So, the SIFT workstation of this presentation, as I said before, the aim of this, and what I hope to show you throughout this presentation, is a basic intro to the SIFT workstation. What it can do, what it can't do, and also talk about the future of it. SIFT workstation, I listed five for the overall Digital Forensics and Incident Response curriculum, but it also talks about where you can download the SIFT workstation from. If you look at the middle of the slide here on the left-hand side, there is a link.

Now the SIFT workstation is completely free. It's GPL. So anyone else out there can use it. And all the tools on it are either GPLed or have permissions from the authors to be able to distribute their tools and also that others can use it. We only ask, if you end up using it in another course, we've actually had a lot of universities start using the SIFT workstation, that you just credit the SANS Institute for the creation of it. That's the only thing that we request, is just giving us a nod for the product. That way the team that's currently working with the SIFT workstation and developing a future component of it will still get the recognition that they so deserve for keeping this thing up to date.

So there's actually two different SIFT workstations out there. There's a Windows 7 version, which you would receive if you come to our initial course, Forensics 408. And then if you come to any of the other classes, which includes our brand new Forensics 508 class, we're really stepping through some of the advanced capabilities built into the SIFT workstation. And here's the quick download location for this. Just download from computer-forensics.Sans.Org/dow.
The only requirement for the download, by the way, is that you have a portal registration address, and the main reason for that is to prevent it from too many people linking to it at once, and we can also help throttle bandwidth during major releases. We actually used to have an online portal and we actually ran into the problems of too many people trying to link to it at once and it ended up crashing the SANS servers, which was fairly bad at the time that it occurred.

And again, during this session, if anyone has any questions about the SIFT or if anyone wants to bring up anything, please do so in the question window, or also drop it into a hashtag on Twitter. I'll be glancing over there from time to time. If someone does ask a question through Twitter, if someone wants to repost it in the window below, that way I could probably see it a little bit easier, so if anyone's on Twitter and asks me a question there, either or, but if someone wants to drop it in, I'll try to be looking at Twitter every now and then, but at the same time, I'll be primarily focusing in on. There's a "404 Page Not Found". That's not good. Make sure you spelled it correctly. Maybe there is a 404 that they knew I was about to do this. If someone could've blocked that, no one could download it.

So the SIFT workstation,
the way I did this, usually discuss it with individuals, is think of it like FTK or EnCase, think of it as an application rather than a separate operating system. The way we have it currently developed is in two different forms of distribution.

The first distribution is in a virtual machine, and VMware is what we chose for this virtual machine, which you could utilize in VMware Player very easily without any restrictions. It's a (mumbles) tool that's out there. So the virtual machine, the reason why I like the virtual side, is that you could still give it a lot of memory, give it multiple processors, and, depending on your hard drive, it actually'll function quite easily, almost as fast as your entire computer, if you dedicate enough RAM and feed processors into it. Not hogging anything else on your host box.

Alternatively, we also distribute an .iso. And it's an install .iso. It's really not meant to be a bootable acquisition .iso. It's mainly that you'll take this .iso, you'll drop it into a workstation, boot into it, and the idea is that you would then install it as the dedicated SIFT workstation instead of having it run within a virtualization of VMware.
Also, for those of you who like any of the other virtualization products that are out there, you could also use the .iso to install a desktop OS on any of the other virtualization products that are out there. So, for those who are not happy that we only dedicate to VMware only, you would be able to take the .iso file that you download from computer-forensics.Sans.Org, and you will be able to install that in your secondary virtualization platform of your choice. The flexibility is definitely built into it.

So going back to the idea that it's more of a toolkit, but if it would function with FTK, the only downside is we don't have as much GUI stuff built into it that a lot of people are familiar with when you use FTK or EnCase or any other commercial tools. Most of this is a lot of smaller tools that are put together that include a much greater capability as a whole. And in some cases, we added a thing, a little bit more bleeding edge than a lot of other capabilities that are out there, mainly because it's a lot easier for us to get brand new code into it and do it with release, than a lot of the other commercial vendors are able to do. So we end up being a little bit more on the bleeding edge side than, you say, an FTK or EnCase product probably is. That comes with its downsides though.

Obviously, things need to go through more testing and evaluation and things end up conditionally having bugs in it. So you constantly need to be upgrading and looking at reviving the SIFT workstation for the latest versions. So in the end, our goal here is to create a portable forensics workstation for free that you could use for your investigations. And as I said before, think of it as EnCase or FTK.
But for free. For those of you just getting into digital forensics, it's a great capability to use as your first digital forensics processing platform, or for those veterans out there looking for something else to move it beyond what you're able to do with commercial tools, this ends up being a great capability overall. One thing I will note about the SIFT workstation is that even though I use the SIFT workstation almost exclusively in a lot of my investigations, I also tend to go back and use FTK and EnCase quite regularly. Depending on the case, especially if it's something that is, and that has a lot of data to crawl through, I might set it up on auto-forensicate from an FTK or EnCase platform so I could do quicker string searches, or I could want to do massive picture recovery on some things like that, email analysis, things that there's a lot of data to go through, instead of using the SIFT workstation.

Typically I'm using the SIFT workstation in situations where, in my mind, it's more like a scalpel. I just really need to dig deep for something, not something that I'm looking for doing a massive amount of processing for. Even though I have no people to use for the larger cases as well, I tend to use SIFT as more of the scalpel instead of the sledgehammer capabilities. Now, all of the analysis capabilities are built into the memory analysis in one location. We have memory analysis, timeline analysis, file system analysis, and a lot more. And I'll demonstrate some of those capabilities in the SIFT workstation right here.
When you initially install the SIFT workstation from the VMware side, the memory's currently pegged at one gigabyte and CPUs are one CPU. So from the start, if you want to increase the capabilities of the SIFT, you can increase the memory and increase the number of CPUs. Now to go ahead and take care of one question that I know a lot of you are gonna be having out there is, "Well, what about moving from the 32-bit architecture that you're currently on to a 64-bit architecture?" And we are planning to do that with SIFT 3G. So SIFT 3G, go ahead and write it down, in saying that it's gonna be, probably gonna be built on a 64-bit platform, and that will take care of a lot bigger, more processing and building more memory, and just overall a more pleasurable experience.

And I've gotten a lot of requests out there for the 64-bit side. So expect that the last couple versions of the 32-bit is what we'll see in the next few weeks, and then as we start switching over into 3G development, that is gonna be a 64-bit base architecture.

The login and password for the SIFT workstation is "sansforensics" and the password is "forensics". Obviously, if you're using this on your own systems, you wanna protect it. Definitely wanna change it. But from the start, it's pretty easy to figure out how to log in to the machine. You'll log in as a normal user and if you need to elevate your privileges to do something useful like mounting disk images, then all you need to do is just type "$ sudo su -". That will get you there.
Now your desktop, and I'll be switching over to a couple demos here in just a few minutes, your desktop when you initially log in will look like this. Actually I'm gonna go ahead and see if I can switch over because the new desktop has some pretty cool things I want to show you. Let's see if I can get it up and running here. (Clicking) Right. So here's the current desktop. And it'll take a second to reveal itself through the webcast connection here. But when you initially fire up the desktop, there are a lot of documents that are already existing that are sitting on the desktop of the SIFT workstation. And a lot of these are cheat sheets that I really, that a lot of others, including myself, have put together to aid individuals in working with the SIFT workstation.

So if you're brand new to it, you're really not sure how to do memory forensics, there is a dedicated memory forensics cheat sheet right here on the desktop. And this is tied to the Volatility tool set. There is a cheat sheet for timeline analysis as well that's also on the desktop. And there's a catalog/cheat sheet which is multiple pages for the overall SIFT workstation here.

Now for a complete listing of the tools that are currently embedded in the SIFT workstation, there's a single document here that, what I've tried to do here is link to the homepages of each one of the tools, so that if you do open up the tool description, and you wanna know specifically how to use one of the tools in here, you will be able to do so. So say for example, if we ended up having anything to do with the VMDK, we could do a search through the document here and see if there's any mention of that being the case inside the SIFT workstation. For example, there is a command "qemu" that will help us convert images to another format, such as raw to VMDK or VMDK to raw, and utilization of that command.
Then there's some blog articles here, potentially, that I linked to that also discuss it. So when you start looking at the overall output here, all we tried to do is list different capabilities that are within the SIFT workstation, and link to external blogs that also might discuss some of those capabilities that are out there. How do you get tools inside the SIFT workstation? A lot of these either I've discovered, or part of my team has discovered, or there are individuals out there that send me a link saying, "Hey, I'd really like you to include tool X as a part of the SIFT workstation." And if it's not GPLed at that point, typically I'll reach out to the author and ask them for permission to include it. And if the author's willing, then we'll also share it within the SIFT workstation.

So let me go back to my slides. In moving forward. Please ask any questions along the way here. So, the file system support. One of the great things about the SIFT workstation is it has a multitude of file system support already built into it. From being able to do Mac analysis with HFS, Solaris UFS, Linux EXT2/3 with upcoming support for EXT4, Windows FAT and NTFS, no XFS though. Hopefully that will be coming out shortly as well. And then for evidence image support, one of the things that you should probably do is take a look at the fact that we can work with E01 in the Expert Witness format, raw dd, and the new and open source Advanced Forensic Format, the AFF format that's out there.

About the new EnCase format, we do, we are not compatible with the new EnCase image format yet. It's still, but again, I'll see, I haven't encountered a lot of people using the older format at this point. So typically what will happen is one of the things that you'll wanna do is when you first gather your images, you wanna be able to mount them within the SIFT workstation and there's multiple different ways to do this. So when you're mounting a partition or volume, there is, you can mount a partition/volume, you can mount a physical disk, or you can mount any of the forensic image formats that are out there.
And when you mount them, typically what you will do is you'll mount 'em into a directory called the case, excuse me, the mnt directory. And I'll do a demo here to be able to show you that, being able to access and mount multiple disk image formats that are out there.

There is a question from Eugene. Question one. How to avoid imaging a lot of five-hundred-gigabyte drives, how can you just sit kind of (mumbles) forensics? One of the things that you can do with the SIFT workstation, which is actually not in this presentation, is that the SIFT workstation is 100% compatible with F-Response. And what I've been doing for sniper-like forensics is by using the F-Response dongles, to be able to mount the remote's hard drive within the SIFT workstation, and then perform memory analysis or timeline analysis from the remote system from afar. It was a very good point, 'cause it actually ties back into the mounting disk images. Then within the F-Response capabilities, you now have full capability of either mounting a remote Windows system or Linux box or a Mac machine into your SIFT workstation remotely at will without any problems whatsoever.

So that ends up being a really kinda cool capability that's out there. If you've ever seen F-Response, just go ahead and just type it in here. It is a bigger tool and I would recommend it if you haven't seen it before, and they do have a really cheap capability called F-Response Tactical, not cheap in terms of quality but cheap in terms of most people should be able to afford it, under four hundred dollars I think, to be able to get a remote capability at a basic level inside the SIFT workstation. From an enterprise level, being able to do multiple machines, multiple analysts to do multiple different workstations, we do have F-Response Enterprise, which again, for a commercial capability, it is one of the cheapest ones that are out there in order to be able to make this compatible. So that's what I usually recommend for the sniper-like forensics, using the SIFT workstation, without having to first image five hundred gigabytes and then work with the remote, work with a local disk image.
You can use everything we'll talk about here remotely and be able to see the hard drive as if you were across the wire. So F-Response is that capability. I don't know of anything else. If someone does have another capability out there, where you could do the same from remotes on the, from machine to machine for free, please let me know.

I do know Google Rapid Response (GRR) and some of the other capabilities out there are being developed, but I haven't seen anything else that's actually released yet. So I do know there's some people looking into it for an open source capability but I'm not sure if anything's been released. But there's a lot of things I haven't been exposed to, so if there's anyone out there that has any ideas on how to do a free solution for that, please let me know. So what I'm gonna do is just quickly switch back over to my desktop and I'm gonna show you several capabilities here.

From the basic side of how this SIFT workstation works. Now I do have some links at the end of this that will take you to documents that will discuss how to do the mounting and how to be able to get access to your disk images. First thing I'm gonna do is, I'm gonna get my privileges to admin level, root level privileges, and go back into my cases directory, where I'm going to be keeping most of my evidence. So in here, I actually have multiple different pieces of evidence.
I have a raw memory image. I have xp dblake. Standard NT (mumbles) and then in the Windows 7 32-bit nromanoff, a c-drive image, you go drive to here, I end up seeing (mumbles) Expert Witness format images. But before I go to that, what I'm gonna first do is show you how to mount the standard xp dblake, in this case it's a, can't type it, this image here is a, and I'll show you the size of it right now, is a raw image. Can get it to play the options. Here we go. 1.2 gigabytes inside, very small, and to mount this image within the SIFT workstation is fairly simple using the mount options. Again, it's in the cheat sheet, but there's also blog articles at the end of our notes here that will give it: read only, loop back, show_sys_files to be able to show all of our dollar sign files, which would be the C volume directory.

And you also give it a streams_interface=windows. The reason for the streams_interface=windows is now we can actually see alternate data streams and call it from the command line, like on Windows, using the colon. I'll point it at the xp dblake image and give it a mount point. In this case, my mount point's just gonna be /mnt/windows_mount/. I press return. I go into /mnt/windows_mount. I can now see all my files and folders. This equivalent type of tool that's out there is (mumbles) that will be able to get you to mount.

There are no restrictions on permissions, though. So if I get into System Volume Information, it doesn't say, "Hey, you can't do that," once you looked up from a lot of Windows machines that do free mount. Educamature also doesn't have that problem. But at least we can see all of the dollar sign files as normal through our disk image.
And so this gives us kind of a basic capability to get access to it. The other great thing is, from our Windows machine, if I go into my SIFT workstation, which I already have two shares set up, which is the cases folder and then the mnt folder for mounts, I go into the mount folder under windows_mount and I also will now be able to see all the files and folders from my Windows machine. So for anyone out there wanting to have a dual Windows and Linux environment, this provides you that capability and it's one of the things I tend to use quite frequently: I can use any tool on the same disk image to be able to parse it. PSE file on one end or BL2. I'd go to another box and be able to, on my Linux side, be able to use some of the Linux-only based tools that are there. So that's my first demo, to be able to just do a simple mount of a raw disk image.

And for my second demo, it's a little bit more complex, but I get first, unmount my Windows mount, and I forgot to, 'xcuse me, you have to make sure you're completely closed out of the, on all your windows, including the one I'm in right now, to be able to unmount the Windows mount site. So I currently don't have anything mounted there. Again, it's clear. It's empty. So now going, when you go back into my cases directory, and here what I'm gonna end up doing is going into my Windows 7 machine that I've imaged with FTK Imager where we see all of the, in this case, the standard Expert Witness file formats. And again, in the same blog article that's at the end of our notes here, what you'll see and what you'll want to be able to accomplish is to be able to mount any of these Expert Witness file format mounts into our disk image to be able to get access to it like it's a regular disk image.
A lot of forensicators out there both wound up doing, you just have to deal with image conversion from the one format to a raw format. You don't actually need to do that. All you have to do is use a command called mount_ewf.py. You'll point it at the first E01 image and the mount, it asks, mount, in this (mumbles), mount, Expert Witness file format, mount ewf. You'll get your prompt back, and I'll go into the Expert Witness location, and now, in here, if I do a long listing, this image for the win7 nromanoff-c-drive is my raw drive for the Expert Witness file format that we had pure for E01 and combined everything and uncompressed it, and it doesn't really convert it. All we're doing is just like I'm clicking on a .zip file and just combining everything and putting it together via memory. It's like putting a lens on that hard drive and you're looking through the lens, uncompressed, at the raw data. So at this point, once we have access to the raw image, same as before, we'll do a read only, loop back, show_sys_files, streams_interface, point at the raw drive and then we'll mount it at /mnt/windows_mount/.

And I'll cd, I'll cd and do the /mnt/windows_mount/. (Mumbles) Now I can see all the files and folders just like I saw them before, and from my host machine, I can now see into the SIFT workstation as normal. So we see here in the mount directory, I should now be able to see the Windows 7 directory, directories, in this case, from my Windows box, which include the Users directory, nromanoff, the username for that specific user. Alright, I do have a question, let me switch back to my normal slides here.
So the question is, for a chain of evidence, do you need special hardware to copy a disk or can you just copy an image to work from? Typically, what I recommend folks to do is, since the SIFT workstation has full capability to be a USB device or even you can connect it to a SAN, is that depending on where your evidence is currently located, if it's on removable media, such as an external drive, you would be able to plug the USB adapter into the SIFT workstation and work directly from that, or, and if you wanna use a write blocker on the original evidence, you'd be able to do that as well. If you're connecting to a SAN, all you have to do is an NFS mount, or if it's a UNC Windows share, you can use the mount command to be able to mount one of the remote shares on your (mumbles) area network.

So it really depends on where your evidence is at, and typically, it's just giving access to the SIFT to your data store that contains your evidence. One of the great things within the SIFT workstation, if you do have evidence that you are working with directly into it, and I learned this from my good friend, share my desktop again, my good friend Hal Pomeranz, is that, let's say for example you did copy your evidence into your case, and you wanted to make sure you didn't accidentally clown something up, which we always have a fear of, you can actually do a command called chattr, change attributes, and we do the +i option, which is the (mumbles) against our evidence, in this case xp_dblake.dd. And when you do so, at that point, that evidence, you cannot remove the evidence, change the evidence, without first removing the immutable bit.

So basically, it's another restriction you can actually set on your evidence to be able to do this. This capability, by the way, does not exist within Windows. There's a couple hacks you can do to get something like that on Windows, but Hal has a blog out there called "Command Line Kung-Fu" that specifically talks about the comparison between chattr +i and the same capability you have on Windows. And it is 10 times easier to do it within Unix to be able to protect evidence using the change attributes option.
So, it's one of the things that you would be able to keep track of. Alright, so going back to my presentation, so just (mumbles) able to mount the evidence ends up being one of the first things you wanna be able to do at the SIFT workstation. And then once everything's up and running, you wanna be able to access things from Windows shares. The Windows shares, again, you can either go to the IP address or just type in "\\SIFTWORKSTATION" if you're running this within a Windows host.

Pretty easy, pretty simple. It's already set up for you. And for anyone who's advanced users, all you have to do is go in (mumbles) with the new administrators on the appointee side to be able to change or add additional directories and to be able to share this out. Now, please know, this is an anonymous, no password needed share, so you obviously could password protect it, and those of you who work in a domain could actually set domain credentials to be able to access this as well.

But by default, it is shared out, so you locally could get access to it without having to put in a password, but those who wanna go a little bit further in configuration can do so through the Samba configuration. Alright, so, where are all the programs installed? They're all under /usr/local/src or /usr/local/bin. There's a variety of programs already installed, including The Sleuth Kit, Timeline Generation, Volatility are some of my favorites to be able to use within the SIFT workstation. There are some GUI programs that are out there.

DFLabs PTK is installed. Autopsy's installed. PyFLAG is installed and others out there for those who do appreciate the GUIs on the free side. So let's talk about, oh, here's where I thought, two double slides. Bad on me. But here's that slide that I basically have discussing where the blog article is on how to mount your images, and if you wanted to be able to see that link, you can come back here later. Click on it when you download the PDF in general. Alright.
So useful SIFT utilities that are out there. Now, about ones you sell on these, these are some of my favorite tools that are within the SIFT. That I was gonna talk to some folks about. There's RegRipper. For those of you who liked running RegRipper via the command line, you have rip.pl. That's built into it, plus all the latest RegRipper plugins in the /usr/local/src plugins directory. YARU, which is a registry analyzer, and deleted.pl will recover deleted registry keys. ExifTool is a very great tool. Very powerful tool. That you just run from the command line, you just point it at a file and it'll rip out all the EXIF data, and libpff, which is a mail examination tool; Joachim Metz created that tool. It's a really cool capability. Now within the SIFT workstation, to be able to RegRip, with the SIFT workstation, I don't like the GUI side because the GUI side, that's all I have to do, the script's easy to run.

So I have a lot of scripts when I'm pre-processing evidence that once I have them just mounted, I press 'go', it'll actually start ripping all the empty, all the registry hives across the system and dropping it into the cases folder. So you can actually have a script of all the commands built out. Just a simple bash script does this for you, that will basically recurse through directories looking for where (mumbles) about that, hives are. How you use it. It's still simple to run. You do rip.pl. You do -r at the <HIVEFILE> and questions that you wanna rip. Dash f is the hive type.

So this example I'll do here is going back to our desktop. So I have a mounted directory, so we'll go into Windows and we'll go into the Windows directory, System32, and go into the config directory, where we have a lot of our hive files that are sitting in here. So let's take our example, I wanna do rip.pl -r as my SAM hive, and make sure we have it, it's uppercase, 'cause capitalizations can matter. Dash f and we give it either sam, security, software, or system, and I'll pipe this to less, they'll be able to rip it out correctly.
And all this does is drop it
out to you my standard out via my command line
and gathers all the RegRipper information
from the SIFT workstation. And that's all the command does. You can do it
against any of 'em, or, in this case, what I
do is redirect it to my cases folder and I can
write this to you san.Text for later examination, even
from my Windows machine going in cases, I can
click on san.Text and course word wraps that, but at
least there's all your data. They'd be able to get
access to, probably, a running of that command.
So ripping from your registry is quite easy. Most people prefer the GUI side, but if you wanna do scriptability, and have things that do more cyber forensics, just a single command, rip everything that's in there, come back after lunch, and there's all your data. That's one way to potentially accomplish that. So RegRipper and the capability. Really nice capability that Harlan Carvey has created here, and a lot of people are now contributing to on the plugin side. So everyone, thank you for all the plugins that are out there that are continually being (mumbles) within the (mumbles) interface that Harlan Carvey has put together.

Another capability that's out there, it's kinda combined actually, is to be able to examine deleted registry keys. The first is deleted.pl.
You can point it at a hive file and it'll rip the deleted keys out. The second is a tool called YARU. And YARU is a GUI capability released by TZWorks, and again, let me go over to my demo to show you this one. Share back entire desktop.

To be able to see YARU, I'll just go to my forensics dropdown menu, and it's hidden in here. We'll do File and we'll just simply open a hive. The hive that we're gonna open up is sitting within my Windows mount. It's going to the Users directory and going to nromanoff, and we'll see the NTUSER.DAT hive here. Double-click on this. And what it will do is basically, it's like a registry viewer here where we'll see all of the different files, excuse me, keys and values that are within the registry here, and then at the bottom it will have both the (mumbles) space, plus any deleted keys that it has been able to find. This is where we end up finding if there's any deleted information in here, and where that is. And there's not a lot in this example, where we only have one key that is deleted, but if you actually go back and look at this slide that I have, this is what it looks like when someone uses a privacy cleaner across the system, where you see RecentDocs and the MRU lists that are cleared. And there's a bunch of different locations within the registry that are actually cleared, but again, the data's still recoverable fairly easily using a utility like YARU to be able to help us out.

Another great capability is libpff, written by Joachim Metz, and the source website that you see here. And one of the things I end up doing with this is extracting Outlook data from a mail store. It functions extremely quickly to be able to do this as well.
So what you see in the command here is pffexport -q, which is quiet mode, -f all, meaning it's gonna rip out HTML, RTF, and text for the default, -m all is going to say all, meaning allocated and recovered items, so you could actually just have it go through and pull out all of your deleted data and it's cleaning it, your Outlook PST file. So there's examples here that I'll have. I have a PST file for nromanoff, and go back into my Windows mount, or hers specifically. Users, nromanoff, AppData. I have to remember where it is. I think it's Local. Microsoft. Oops. (Singing) Outlook. (Mumbles) I always have to remember where it is. Maybe it's in Roaming. This is why we created that poster, by the way.

So I could always look this up and find it. Oh shoot. Okay, I can't find it right now, 'cause of this stupid demo. Oh. Hello? Did you lose me? Hello? Did you lose me? Just the app share, okay. Not sure what happened there. We can still hear me. So you heard me cussing there for a second, did you? (Laughing) Hold on. Let me look up the, I always have, I can't believe I have to do this. Every single time. I always forget the exact directories where things are. Okay. Two seconds as I'm looking this up. It goes to show, you can't remember everything, where everything's at, but I do know where to find it. Pretty quickly. Poster. There it is. Okay. Someone's gonna look it up probably faster than me on here. Oh, not seeing my demo screen. Oh, got it, got it, got it. Okay. So here you go. (Singing) (mumbles) Local, Microsoft, Outlook. Should be there. (Typing) So why didn't I find it? (Mumbles) Microsoft Outlook. Now, PST file. Am I in the wrong location? Well. Maybe there's no PST file on here. Thought there was. Okay, so if there's no PST file on here, then my bad. Really bad demo that I was going to do here. But, hmm. Okay. Well, no demo on that one. I thought there was one in that specific location, but I did not find my Outlook PST.
All this is going to do for you when you run it is basically create a top-level directory, and then it's going to export into subdirectories within your SIFT workstation all the different emails, handled by message header, that are out there. (Laughing) The interesting thing when I start looking at this is that for those of you wanting to use grep and find to be able to find specifics, it's really easy to use this capability that's out there. And it makes heads or tails of PST. And the attachments are automatically saved as a result, in the file listing. So you can actually go through there and do a grep, or find, in this case, for all PDFs that have been sent to this user, if you're looking for an (mumbles) case.

Other capabilities that are out there. The Volatility toolset is inside the SIFT workstation, and it's quite a capability. Now, of course, there's the question: Rob, did you get the (mumbles) Timeliner, or six, in the latest SIFT yet? We're working on it.
One of the things that we found for the Timeliner capability, and this is something that I've seen also that Jamie has said across the board is a challenge, is that we actually have to have the different versions of Volatility that are out there. And I'll show you the different versions that are actually inside the SIFT workstation. So we actually have three different versions of Volatility. We have the Volatility 2.0 stable release. This is the one that supposedly had Timeliner working in it okay, but there's still a bug in there. I'm still trying to troubleshoot that. This is the one where we have a stable release, which is the last hard release of Volatility. We have the SVN release for Volatility, which is the bleeding-edge version, and then we also have a Volatility fork, Volatility 2.0, that was forked by Jesse Kornblum for our new and upcoming Forensics 526 Memory Forensics class, which is going to be a five-day course dedicated to memory analysis. Our betas for that course, by the way, are upcoming later this summer, in August, and one in September, probably before we officially have the course out there, and some folks starting in December.

Now, as a result of the different versions of Volatility, we actually have vol.py, which is attached to the stable release, we have vol64, which is attached to the SVN release, and then you have volsans, which is a link attached to the Volatility SANS release. So the reason why we have multiple versions of Volatility is that things break between the different versions, and even the folks working on the different tools out there admit, and I learned this from Jamie, Jamie Levy, @gleeda, that the different releases end up, because of where they're at, end up basically, one thing actually might deprecate another. And so Timeliner is a good example of that, that we try to get Timeliner working in one but it might not work in the SVN release version. So that's one of the reasons for the multiple different variations that are out there. And so as a result, we just continue this trend, and we'll try to, in the next version of this, SIFT 2.14, I already know where the problem is in Timeliner and I'll basically refactor that in and get Timeliner working that next time. So, great question, Christopher McKeon.
But one of the things you'll start to see in our releases is the multiple versions of Volatility, mainly because I wanna keep the bleeding-edge version so that the latest, coolest stuff that's out there can be included, but I also do realize that some people definitely need the stable release for the hard versions as well. So great question with the Volatility tools that are there.

So going back to our notes, we actually have a six-step process for analyzing memory in SIFT. Step one, identify rogue processes. Step two, analyze process DLLs. Step three, review network artifacts. Step four, look for evidence of code injection. Step five, look for signs of a rootkit. And then step six, dump suspicious processes and drivers. I'm not gonna go through all the different steps here, how to do that, but if you actually go back to your cheat sheet that is on your SIFT workstation, take a look at your memory forensics cheat sheet and you'll notice that for these different steps, there's actually identify rogue processes listed, evidence of code injection, analyzing process DLLs, dump suspicious processes and drivers, reviewing network artifacts. The cheat sheet basically lists the command, how to run it, and so when you point it at your memory image, everything will work okay.

So the cheat sheet is what I usually point people to, and you don't have to worry about compiling Volatility on your own, but you do have to be familiar with the three versions of Volatility that will be on here. One's bleeding edge, one's a stable release, and one's the forked version for Forensics 526, Jesse Kornblum's new course. And that's just, again, multiple reasons why, but at the same time, it's a great tool. I highly recommend it for anyone that's doing memory forensics work that's out there. And again, the SIFT workstation has it already built, so you don't have to worry about building that on your own.

Alright, so moving forward. In addition, and this is basically how to use Volatility: you run Volatility against your image, run the plugin, and set it for your profile. I highly recommend always using the profile option, even if it'll probably work in some cases natively, but in some, like doing image copies, extracting hibernation data from a raw memory image, from a hibernation file, it makes it a lot easier to do so by setting your profile correctly. One of the ways that I make sure that everything's set up: there's a lot of environment variables that can be set up, not only for the profile but for your memory image location, and on your cheat sheet it also lists these. You export VOLATILITY_LOCATION for your memory image, and then you export VOLATILITY_PROFILE for your profile as well, so all you have to do is run vol.py, type the plugin, and it automatically will output the different capabilities of that parsing element, such as network connections or processes from Volatility within the SIFT. And here's just a cheat sheet that basically talks about that, and just a call-out from our slides in general.
Timeline analysis is built into the SIFT workstation. There's two capabilities that are built into the SIFT workstation. The first is file system focused, which is from the (mumbles) version, I'll call it fls. There's also the SuperTimeline version, the log2timeline version, which is to obtain everything, but this is also pretty much targeted at Windows only, where fls has more file systems and types that it's able to parse, including Apple, Solaris, Linux, and Windows, whereas log2timeline is almost primarily at this point focusing on Windows analysis and doesn't have as much capability beyond that; it's limited for Linux and Mac, but not near as much as what we have for Windows.

There's another question from Eugene. When you talk about log2timeline, how do you solve the timeline-sift now that it's on a second hard drive, not on an image, same five hundred gigabyte, one terabyte one, thanks so much. How do you use log2timeline on mounted hard drives, not on an imaged, maybe on, Eugene, are you basically asking how to use the command log2timeline-sift, or is it the second part of the command that you're trying to focus in on, which is, how do you do that against a very large hard drive? If you'll maybe clarify that question, potentially help me out. Okay, how do you do it against a very large hard disk drive? It's interesting you say that because, without imaging it, the same thing in F-Response, we'll be able to do it against a remote drive, and using log2timeline and pointing it at the /dev device, and then log2timeline-sift will do the attempted mount of it, just like you would from a standard hard drive.

There is a challenge with the much larger hard drives, not about data space, but if you have much, a lot of files that it needs to parse. I've actually encountered in some very rare circumstances where log2timeline will fail because too much is in memory. That's one of the reasons going over to just the 64-bit architecture might help out with log2timeline processing, so on a very, very massive amount of elements that it needs to parse, log2timeline I have noticed has had some issues with, so I usually have to do log2timeline against a targeted timeline, and manually piece some things together. And that's on some hard drives that also have a million artifacts to pull together. On an average Windows system, you're looking at between 70 and a hundred thousand different artifacts, whereas the Windows 7 install is like 30 thousand files by default. So some systems like databases and others where you have more file shares, where you potentially have up to a million different artifacts on it, I've seen log2timeline sometimes fail based off of some memory management stuff. I think that's what it is. And one of the individuals that I talked to said he fixed it by switching over to a 64-bit platform.
So, the SIFT timeline analysis procedure. This is what I usually run through with people: determine the timeline scope; narrow down your pivot points, your pivot point is basically what you are focusing on, your timeline of interest, potentially you know something, potentially happening, maybe you're looking for a file type, maybe you're looking for when this physical process started; determine the best process for your timeline creation, either automated or you do targeted; filter your timeline, which includes deduplication of multiple different timeline artifacts that are the same; and then finally, analyze the overall timeline. And of course you can use your Evidence Of cheat sheet and the poster to be able to help you out here.

There is a wonderful cheat sheet that was created by David Nides, and I'm not sure if he's on this presentation or not, just quickly looking, but David Nides from TTG put this together, and if you look at the slides here from start to finish, and this is also distributed within the SIFT workstation, it goes step one, download SIFT, step two, boot into it, step three, elevate your privileges, step four, connect your image to the SIFT, step five, mount it, so there's multiple different ways to step through here, and basically you create an overall process for creating a log2timeline output from your hard drive evidence. And if you wanted to, again, what I usually do if I'm trying to do this remotely, sniper forensics style, what I'll end up doing is using F-Response or another kind of capability like that.

Now for those of you looking for more in-depth resources for creating via the SIFT workstation, there is a ton of articles that I've written online and blogs that you'd be able to go reference that are associated with the SIFT workstation in general that you could go through, and I'm not the only one who's done this; SIS Forensics and others have also put things together as well using the SIFT workstation. So if you just put 'sift', the word 'sift' and 'forensics' and 'timeline', 'blog' for keywords into Google, I'm sure you're gonna run across multiple different blogs that will discuss this.

For data extraction, on the SIFT side of using data extraction, there's a great tool that's within the SIFT workstation, which is actually much faster than EnCase and FTK, called bulk_extractor. This is right now a new tool written by Simson Garfinkel and his team, and it runs four to eight times faster for data and string-based extraction than EnCase or FTK. One of the reasons why: it's multi-threaded. So those of you who have multi-core systems are gonna be really seeing a benefit here. It finds stuff that a lot of other tools miss.
It's gonna automatically detect and decompress ZIP string data, PDF extraction; if it discovers a hibernation file, it'll also be able to extract the data from the hibernation file. There's a ton of built-in scanners as a result in bulk_extractor as well. It'll automatically pull out email addresses, credit card info, AES encryption keys, prefetch file information, it'll decode BASE64 text, GPS and Garmin enabled JPEGs, domain names, phone numbers, and a lot more.

The easiest way to run bulk_extractor, by the way, if you go back to my system here, if you wanted to, there is a GUI, so for those of you who like GUIs, you can run this through a GUI and basically invoke it by just typing BEViewer, which stands for bulk extractor viewer. This brings up the overall viewer for bulk_extractor, very similar to if you've used any other GUI tool, but you can actually use Tools, Run bulk_extractor, and it'll, you can point it at an image file, which has E01, AFF, and raw image data parsing capabilities. You set the types of scanners that you want down the right-hand side; there's, you could use alert list files, you could find specific regex in a specific directory, but this does a really decent job of being able to extract string-based data. Even though it's so much faster than EnCase or FTK, it's still a tool that will take some time to run. It's not something that will be done in five minutes.

So when you set this up to run, make sure that you leave your workstation alone for about a good day or so, but it still runs much faster than what you'll be able to do from comparables on the commercial side that's out there. Another huge thing of this is it automatically produces histograms of certain datatypes: URLs, search terms, credit card numbers, telephone numbers, so you could actually build a profile; maybe the same telephone number is found in that disk image like eight hundred times. It'll list that same phone number, even if it's in an email or hibernation file and temporary internet file. And it makes it a lot easier to be able to do scanning and say, "Wow, that's a number that is quite common, more than any other number that we've seen here." Same thing for IP addresses, URLs, search terms, and a lot of other things that it will concatenate everything together and tell you how often that one string is actually found in the overall image. This tool, keep your eye on it, by the way; releases for this tool happen quite frequently, and Simson Garfinkel and his team are building new scanners routinely. Now that they have the base done, they're working on a lot more plugins that are building into the backend scanner for this. So it's quite an exciting capability that's out there.
And you could run this from the command line too, as well. Just run bulk_extractor, point it at the directory, and typically the way I'll use it is I'll point it at a regex file, a list of regular expressions within the file, using the -f option, and you point it at either your E01 image or your raw image and it'll be able to extract all of your data for you. One of the things I definitely recommend: make sure you enable the AES scanner, in case it's able to detect any AES keys through your images using the tool bulk_extractor overall. So bulk_extractor, huge capability that's in the SIFT workstation. Automatically compiled, ready to go out the door.

And then finally, The Sleuth Kit. Now The Sleuth Kit is a nice capability that is within the SIFT workstation; it's been there from the beginning; it has data layer, metadata layer, file name extraction-based tools. The cheat sheet on the desktop of your SIFT workstation is going to tie into this, and the great thing about it is it's gonna do a really good job at being able to parse either NTFS, FAT, Mac HFS, is what I mean, Solaris UFS or EXT2, EXT3 file system times. And I tend to use this especially when I'm doing scalpel-based forensics, where I'm looking for something very specific through my disk image, or doing verification of different capabilities that I'm not quite sure I trust, so I potentially go and use The Sleuth Kit to make sure I can look at the raw data fairly quickly.

So I do wanna do one extra demo here that is a new capability that's gonna be coming up in the next version of the SIFT workstation, and that is using a new tool written by Joachim Metz, called libvshadow. And what I'm gonna do is just show you how easy it is to compile new things in the SIFT workstation, so if you wanted to use this already, so this is a new tool that Joachim Metz released from the Google team, and to be able to compile something that's in the SIFT workstation is fairly simple. All you have to do is extract it, go into the directory, in this case the libvshadow directory, and what I'm gonna do in here is do a file listing. We'll see there is a configure, and a make; let's do make install, and what this will do is automatically just go ahead and configure this tool set within the SIFT workstation.
So if there is any other tool that's out there, and you wanted to add it to the SIFT workstation, all of your compilers, Perl, Python, are already built into this, so you can configure this and make it useful for you back inside.

So once this is done compiling, what I'm gonna do is remember that Windows 7 image that I have located in my cases directory, (typing) here, if I go into Windows 7 32-bit nromanoff-c-drive, I actually have a Windows 7 image that I'm gonna be, that has volume shadow copies enabled on it. So once this is finished compiling, what I'm gonna do is I'm gonna point it at this file here, so I can be able to get access to it. Now notice, in order to do this, the first thing I need to do is get raw access to that file. So I would need to do that mount_ewf.py, point it at that first image, in this case the .E01 file, and then point it at the /mnt/ewf/ directory. Now this has already been done for me, 'cause I did it earlier, and that's where my Windows 7 32-bit nromanoff-c-drive is currently located. So once this is all compiled, I should now be able to see that there's two tools that have been created: vshadowinfo, and vshadowmount.

So to be able to run this tool against that image, I'll do vshadowinfo against my Windows 7 nromanoff-c-drive. And when I press return here, it'll be specific. Gotta remember to do that. Alright. Now when I run it, what it's gonna do is go through there, and ldconfig basically reloads all the different libraries and shows my snapshots; there are currently one, two, three, four snapshots, and it talks about where those different snapshots are currently found. One on April 4th, March 31st, March 23rd, and back on March 15th. About one a week, approximately, for this disk image. So to be able to get access to these, what I'll end up doing is I'm gonna create a new directory called /mnt/shadow.

And from the /mnt/shadow directory, I'll do vshadowmount against my image, Windows 7 nromanoff-c-drive, and point it at my /mnt/shadow directory. I press return, let it crank through this, let it cook for a second, and now, cd'ing into the /mnt/shadow directory, I should now see the four mount points. Now what we have here is, instead of what we saw before, which is a single raw disk image, each one of these is actually a separate one. Notice our original image was 25 gigabytes; each one of these is a separate raw disk that we now have access to. So, to be able to mount these, all I have to do is make another directory, /mnt/shadow1, 2, 3, and all we need to do is mount -o ro,loop,show_sys_files, and I'll, say, point it at vss2, and I'll mount that at /mnt/shadow2. See, that's the one that I potentially have interest in examining, back to that point in time. I did a mount. Now I can see all the files and folders from that earlier point in time.

So what vshadowmount is, again, this capability could be in the next version, 2.14, that I'm gonna be releasing in just a week or two, or you could just download it now if you do a search online for libvshadow. You'd be able to download it from the Google Code site and also just follow along with what I did. But this also provides a good capability, seeing that I can't keep up to date consistently. It releases every week. But this does show you that you can get access to the different shadows or different tools that are downloaded, and in this case to be able to get access to different shadows that are potentially out there. So some really cool capabilities that are upcoming within the SIFT workstation that allow you to pretty much be able to handle any type of data that's out there. Really easy capability to get access to the raw data within each volume shadow copy that has been created within the disk images.
So there's a lot more things like this that are coming out in the future, and with the SIFT 3G folks, I am looking at trying to set up a dedicated update site, so for some tools like this and others, we can automatically have it pushed down to your current stations, so you don't have to upgrade your entire machine. You could just upgrade your current one that you're at. And so I'm talking to folks out there about how to do that with this current team that we have in place. So for those of you who are interested in helping out with the SIFT workstation, please send me a note at rlee@sans.org. Because I'm actually looking for additional folks to do testing, and also additional development that's out there, to be able to figure out the best way to be able to keep this capability up to date and free for some time to come.

So as we close out here, you basically should have a combined Unix/Windows forensics lab for analysis, cross-compatibility for Linux and Windows, all your tools configured, everything should be able to run out of the box: memory analysis, timeline analysis, string extraction, everything to do with your standard forensics tools. The only downside: it's a lot more typing than most people are usually familiar with. If you're interested in the SIFT workstation, really becoming a master of it, I highly recommend you coming and taking Forensics 508, which is, we are all SIFT. It's the only tool that we use in there. But we use the SIFT workstation, excuse me, Volatility, timelining capability. We show you bulk_extractor, we show you the libvshadow, and other types of capabilities and things you could do with the SIFT workstation. So you walk out of that class almost really being a master of utilizing the SIFT.

So, question: when using SIFT to store images to external media, which file system do you recommend for the destination drive? NTFS is wider access, but EXT3, EXT4 would seem to provide better performance. I've seen NTFS-3G (mumbles) while imaging drives. That is true. Typically what I recommend is a storage area network of some sort, and a lot of those end up being Linux-based. The great thing about EXT3, EXT4 based systems is that you also can do the chattr +i to be able to set, in that case, an immutable bit against your evidence, make sure that nothing could destroy your evidence. Also, I'm a big fan of Linux-based file systems and, towards your networks, usually there's an interface out there so everyone could easily mount them via the remote stores anyway. For anything I sent (mumbles), it's not a complete downside, but at the same time, it can be remote and NFS mount a storage area network that is NTFS-based as well. It's fairly easy to do, but the only downside is you really have to be on gigabit Ethernet to be able to get the throughput that you really need to make imaging examinations capable. Local-based machines, if you're downloading to a local hard drive, typically having an EXT3, EXT4 plugin for your Windows machine, that's all that's necessary in order to have all of your external media formatted that way. So I definitely recognize that NTFS ends up being somewhat of a more processing hog, but some of the newer capabilities that are out there definitely streamline that a little bit. So I would need to see an actual performance assessment to make a solid conclusion of one method over the other. So, it's a great question. If you're really concerned about it, I would go with the method that sits best with you. But I also try to push people to thinking about storage area networks a lot more for having people do evidence processing, so they're not constantly having to manage external media attached to your computer systems.

So here's my email, and questions at the end. rlee@sans.org. We'd be happy to answer any additional questions that are out there. Before we close out, any more questions? I don't see any more questions coming up. Just as a side note, we do have, just released this week, the SANS DFIR poster has been sent out attached to the Network Security 2012 catalog, so hopefully you all have received that. If not, I'm going to be posting a blog article later today that's going to have the PDF of the poster attached to it. So be on the lookout for the Digital Forensics and Incident Response poster, and also for those of you in the EU, who I truly hope that I'll see in forensics, and for those of you attending the summit here in the United States next week, I'm actually flying out to Austin tomorrow to start teaching Forensics 508 on day one on Wednesday of this week, so that's gonna be leading up to the summit, which is next week on the 26th and 27th of June in Austin, Texas. It's gonna be a great time, and I'm gonna have a lot of fun with, I think, a lot of you that I've seen on here who are gonna be attending that.

So, thank you. I appreciate your time. I hope to see you at an upcoming conference. If not, please keep in touch online, and I appreciate your attendance this afternoon.
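The hive-ripping script Rob describes earlier in the webcast (walk a mounted Windows volume, find the registry hives, run rip.pl -r HIVE -f TYPE on each, and drop the output into the cases folder), written out here as an added example; it is not the webcast's or the SIFT project's own script. The mount and cases paths, the output naming, and the dry-run switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the webcast or the SIFT project): batch RegRipper
# pre-processing over a mounted Windows volume. Assumes rip.pl is on PATH
# when run for real; "dry-run" only prints the commands it would execute.

# Map a hive file name to the rip.pl -f hive type; prints nothing for
# files that are not registry hives. Basename is lower-cased first, so
# SAM, Sam and sam all match (capitalization matters to rip.pl, not here).
hive_type() {
    name=$(basename "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        sam)          echo sam ;;
        security)     echo security ;;
        software)     echo software ;;
        system)       echo system ;;
        ntuser.dat)   echo ntuser ;;
        usrclass.dat) echo usrclass ;;
        *)            echo "" ;;
    esac
}

# rip_hives MOUNT_DIR CASES_DIR [dry-run]
# Recurse through MOUNT_DIR (e.g. /mnt/windows_mount), find every hive by
# name (System32/config hives plus each user's NTUSER.DAT / UsrClass.dat),
# and write one text file per hive into CASES_DIR. The output name keeps
# the relative path so two NTUSER.DAT files from different users do not
# overwrite each other (Users_nromanoff_NTUSER.DAT.txt, for instance).
rip_hives() {
    mount_dir=$1
    cases_dir=$2
    mode=${3:-run}
    mkdir -p "$cases_dir"
    find "$mount_dir" -type f \( -iname sam -o -iname security \
        -o -iname software -o -iname system \
        -o -iname ntuser.dat -o -iname usrclass.dat \) 2>/dev/null |
    while IFS= read -r hive; do
        type=$(hive_type "$hive")
        [ -n "$type" ] || continue
        rel=$(printf '%s' "${hive#"$mount_dir"/}" | tr '/ ' '__')
        out="$cases_dir/${rel}.txt"
        if [ "$mode" = "dry-run" ]; then
            printf 'rip.pl -r "%s" -f %s > "%s"\n' "$hive" "$type" "$out"
        else
            # Errors go beside the output so a bad hive does not stop the run.
            rip.pl -r "$hive" -f "$type" > "$out" 2>"$out.err"
        fi
    done
}
```

Run `rip_hives /mnt/windows_mount /cases/hives dry-run` first to review the command list, then drop the third argument to rip every hive in one pass.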