December 4, 2009

Inside Security News
insecnews
is about »
» MS COFEE for live comp. forensics

It is all about the COFEE that will keep you awake, or in this case ahead of the game. Microsoft's COFEE (Computer Online Forensic Evidence Extractor) [1] is out and about, making the rounds on the Internet underground (and overground, on "freedom of speech" sites). This is what happens when you try to keep something secret: everyone wants it.

I understand the motives to keep it hush-hush, but from what I hear the tool set is comprised of basic programs you can find on a Windows OS and from Microsoft online (the older Sysinternals tools, now part of Microsoft).

Will anti-forensics kick in and destroy your acquisition? Well, to be honest, if the tools are the ones you find on a Windows OS, then any rootkit installed on the machine will feed false data to any tool that talks to the OS anyway. Nothing new there! Once again this proves that conventional computer forensics will still be required to recover the information: a view obtained through the running OS has to be cross-checked against one that does not depend on it, such as a parse of a memory image.
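A concrete form of that cross-check, as an added example that is not part of the original post or of COFEE: parse the process list a Windows API query reported (here a constructed `tasklist /FO CSV` sample) and compare it by PID with an independent view from a memory-image process scan (also constructed). Anything the memory view holds that the API view never listed is a hidden-process candidate; the other two classes exist because the two captures are never taken at the same instant.

```python
"""Cross-view process check: API-reported process list vs. a memory-image scan.

Added example, not code from COFEE or from the original post.  A tool that asks
the running OS for its process list only sees what the kernel (or a rootkit
hooked into it) reports, so the check is to compare that view against one
obtained independently and flag every disagreement.  Both inputs below are
constructed sample data, not real captures.
"""
import csv
import io

# Constructed: output in the style of `tasklist /FO CSV` from the live box.
API_VIEW_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"System","4","Services","0","296 K"
"csrss.exe","512","Console","1","3,456 K"
"explorer.exe","1240","Console","1","21,844 K"
"notepad.exe","2204","Console","1","4,120 K"
"calc.exe","3010","Console","1","5,008 K"
"""

# Constructed: (pid, image name) pairs a memory-image process scan found a few
# minutes later.  PID 1804 is unlinked from the OS view; PID 3010 was reused.
MEMORY_VIEW = [
    (0, "System Idle Process"),
    (4, "System"),
    (512, "csrss.exe"),
    (1240, "explorer.exe"),
    (1804, "svch0st.exe"),
    (3010, "cmd.exe"),
]


def parse_api_view(text):
    """Parse tasklist-style CSV into {pid: image_name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def cross_view(api_view, memory_view):
    """Compare the two views by PID.

    hidden     - in memory but never reported by the API (rootkit candidate)
    vanished   - reported by the API but gone from memory (exited, or the
                 memory view is too old; capture skew, not proof of anything)
    mismatched - same PID, different image name (PID reuse between captures,
                 or a process masquerading under another name)
    """
    mem = dict(memory_view)
    hidden = sorted(pid for pid in mem if pid not in api_view)
    vanished = sorted(pid for pid in api_view if pid not in mem)
    mismatched = sorted(
        pid for pid in mem
        if pid in api_view and api_view[pid].lower() != mem[pid].lower()
    )
    return hidden, vanished, mismatched


def run_check(api_csv=API_VIEW_CSV, memory_view=MEMORY_VIEW):
    """Return the three finding classes with the names from each view attached."""
    api = parse_api_view(api_csv)
    hidden, vanished, mismatched = cross_view(api, memory_view)
    mem = dict(memory_view)
    return {
        "hidden": [(pid, mem[pid]) for pid in hidden],
        "vanished": [(pid, api[pid]) for pid in vanished],
        "mismatched": [(pid, api[pid], mem[pid]) for pid in mismatched],
    }


if __name__ == "__main__":
    for kind, items in run_check().items():
        print(kind, items)
```

Replace the two constructed inputs with the real tasklist output from the live box and the process list your memory-analysis tool recovers from the image. The vanished and mismatched sets mostly reflect the gap between the two captures, so record both capture times in the case log before drawing conclusions from them.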

What about the volatile information that is lost after a shutdown but has been captured by this tool set? That is why it is called volatile (it lives for a short period), and good luck piecing things together after imaging the drive. It will provide valuable information that you would not otherwise have, but how it will be proven in court is another matter altogether. It would not be a hard subject if everything were handed to you in a silver-platter report every time.

[1] - http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation%2C_Sep_2009

October 20, 2009

» AccessData Corp Youtube Channel

It seems that towards the end of the summer the AccessData Training Team started to post videos on YouTube of how to do certain things with FTK 3 ( http://www.youtube.com/profile?user=AccessDataCorp#g/u ).

Of interest:

FTK 3 Computer Forensics: Mac Analysis : http://www.youtube.com/watch?v=P2DCxtMqQyw
Showing the developments in support of Mac OS X files, the HFS+ format and extended attributes (very useful! see http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s). It also demonstrates where to find the Mac user's password shadow file and password hash, and then uses PRTK to attack the hash value. EXIF data for photos, etc. is now supported too.

FTK 3 Computer Forensics: Field Mode : http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel
Demonstrating on-the-fly analysis without doing the initial lengthy processing, at least when it is not needed.

Links used:

AccessData youtube channel - http://www.youtube.com/profile?user=AccessDataCorp#g/u

FTK 3 Computer Forensics: Mac Analysis - http://www.youtube.com/watch?v=P2DCxtMqQyw

FTK 3 Computer Forensics: Field Mode - http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel

FTK 3 Computer Forensics: Mac Analysis: Attributes B-tree @ 4m23s - http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s

May 5, 2009

» Infosec 2009

Infosec 2009 has come and gone. We met and networked with a lot of people and explained our research and projects to many of them. I can say it was a lot of fun overall. Certainly, standing and talking to people all day can be very tiring, especially over a period of three days. Don't forget the unpacking and packing! Finally we have some pictures to show.

We have Huw Read and Gareth Davies at stand K47 getting ready to welcome the visitors and any inquisitive minds.

Prof. Andrew Blyth at the stand making sure that all the lollies and apples are in order for handing out with a complimentary pen.

Iain Sutherland and Huw Read were on hand for any further questions.

The Information Security Research Group in a group photo with Phil Zimmerman at Infosec 2009.

Exactly opposite our stand was GData, who had a "Back to the Future"-style DeLorean on show.

October 7, 2008

» Google Chrome is here! ..any tips?!

Google Chrome, another Internet browser, has arrived to provide another alternative for surfing the web. We think it is great to have different options and new technologies introduced into this field. Making the project open source will surely help drive it into different areas in the future, but for now it is in beta. Let us look at some disadvantages associated with the browser's functionality. A valuable and helpful feature in the Google Chrome options is "Restore the pages that were last opened".

However, Google Chrome does not let you get rid of the last tab just before you exit the browser. In other words, hitting the close button in the tab area will exit the browser without actually closing that tab, which means the tab will open again when the browser is re-opened. This is the behaviour you would expect when you hit the close button on the browser window, not the one on the tab.

Furthermore, the "Clear Browsing Data" option will clear the browsing and download history, empty the cache, discard cookies and clear saved passwords, but it still will not get rid of that last tab left in your browser.

So, the only option you are left with, if you want to be on the safe side and keep "Restore the pages that were last opened" enabled, is to navigate manually to some other page (e.g., google.com), then run "Clear Browsing Data", and finally close the browser. From a more technical point of view, the browser has a behaviour that could be taken advantage of to confuse a user.

By creating a script that removes the files whose names start with the letter f from %userprofile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache, any web sites you have visited before will start coming up in a strange format (i.e., cached images are missing) and may be completely inaccessible. The only way to solve this is to perform a "Clear Browsing Data" in the browser. This solves the browsing problem, but it also gets rid of data that you did not actually want to delete from your cache.

Closing and re-opening the browser will not solve this problem either, as the caching mechanism does not check whether the cache files still exist.
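An added example, not code from the original post or from Google, of the check that makes the cache tampering described above visible to an examiner: take a manifest (path, size, SHA-256) of the profile's Cache folder and compare it with a later one. The folder it builds is a constructed stand-in that uses Chrome's file naming (`index`, `data_N` block files, `f_XXXXXX` separate-file entries) with made-up contents; point `snapshot()` at the real Cache path given above to use it on a live profile.

```python
"""Manifest-and-compare check for a Chrome profile Cache folder.

Added example, not code from the original post or from Google.  Deleting the
f_* entries leaves the index and data_* files in place, so the browser keeps
serving broken pages without noticing.  A manifest taken before and after
makes the removal (and any edit to the remaining files) explicit.  The folder
built by build_sample_cache() is a constructed stand-in, not a real profile.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(cache_dir):
    """Return {relative_path: (size, sha256)} for every file below cache_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            manifest[rel] = (os.path.getsize(path), sha256_file(path))
    return manifest


def compare(before, after):
    """Classify every path as removed, added or modified between two manifests."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"removed": removed, "added": added, "modified": modified}


def build_sample_cache(cache_dir):
    """Lay out the file names a Chrome cache folder uses, with constructed contents."""
    files = {
        "index": b"\x00" * 32,
        "data_0": b"A" * 64,
        "data_1": b"B" * 64,
        "f_000001": b"GIF89a constructed image body",
        "f_000002": b"\x89PNG constructed image body",
    }
    for name, body in files.items():
        with open(os.path.join(cache_dir, name), "wb") as fh:
            fh.write(body)


def delete_f_entries(cache_dir):
    """The tampering the post describes: drop every f_* file, leave index and data_* alone."""
    removed = []
    for name in sorted(os.listdir(cache_dir)):
        if name.startswith("f_"):
            os.remove(os.path.join(cache_dir, name))
            removed.append(name)
    return removed


def demo():
    """Baseline, tamper, re-snapshot; returns the diff an examiner would see."""
    with tempfile.TemporaryDirectory() as cache_dir:
        build_sample_cache(cache_dir)
        baseline = snapshot(cache_dir)
        delete_f_entries(cache_dir)
        with open(os.path.join(cache_dir, "index"), "ab") as fh:
            fh.write(b"\x01")  # constructed: the index was touched as well
        return compare(baseline, snapshot(cache_dir))


if __name__ == "__main__":
    print(demo())
```

Size and hash together are what matter here: a cache entry that is rewritten with the same length still shows up under `modified`, and a missing `f_*` file shows up under `removed` even though the `index` that references it is still present.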

*Thanks go to K.Xynos for his feedback on the article and for lightly editing it.

September 15, 2008

» Gargoyle Investigator Forensic Pro - Evaluation

I have just checked out an evaluation version of 'Gargoyle Investigator Forensic Pro Edition' by WetStone Technologies [1,2].

What does it do?
The product has several databases of hashes (like the Known File Filter (KFF), but for malicious software) covering well-known malicious programs and the files associated with each of them. Depending on how many of those files it finds, and their risk factor, it raises the confidence rating that the set of files making up the program exists on the system. This causes a number of problems, because some programs share DLLs and components with semi-legitimate programs (e.g., UPX), presenting the investigator with a few false positives. This is to be expected from such a product and people should not complain. The developers, on the other hand, could help with a bit of innovation by providing a filtering option. Nonetheless, with the current layout the investigator has to know about and go through each false positive to reach any good examples and conclusions.
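An added example, not WetStone's code or any real hash database, that models the matching described above and adds the filtering the post asks for. Each package has its own hash set with a risk weight per file, and confidence is the weighted fraction of the package's files found on the system. A hash that belongs to more than one package (a shared DLL, a packer such as UPX) has its weight split across those packages, and a package whose only hits are shared hashes is reported separately rather than flagged. File bodies, names, weights and the "scanned system" are all constructed sample values.

```python
"""Hash-set matching with per-package confidence and shared-hash filtering.

Added example, not WetStone's code or data.  Models the mechanism the post
describes (one hash database per malicious package, risk-weighted files,
confidence rising with the weighted fraction found) and adds a filter for
hashes shared between packages.  Everything below is constructed.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed file bodies standing in for real binaries.
BODIES = {
    "rat.exe": b"constructed remote-admin trojan body",
    "keylog.dll": b"constructed keylogger module",
    "upx.exe": b"constructed UPX packer, shared by several packages",
    "steal.exe": b"constructed credential stealer",
    "zlib.dll": b"constructed compression library",
}

# Constructed hash databases: package -> {sha256: (file name, risk weight)}.
DATABASES = {
    "RemoteAdminKit": {
        sha256_hex(BODIES["rat.exe"]): ("rat.exe", 1.0),
        sha256_hex(BODIES["keylog.dll"]): ("keylog.dll", 0.8),
        sha256_hex(BODIES["upx.exe"]): ("upx.exe", 0.3),
    },
    "UPX": {
        sha256_hex(BODIES["upx.exe"]): ("upx.exe", 1.0),
    },
    "StealerX": {
        sha256_hex(BODIES["steal.exe"]): ("steal.exe", 1.0),
        sha256_hex(BODIES["zlib.dll"]): ("zlib.dll", 0.2),
    },
}

# Constructed "scanned system": path -> file content.
SYSTEM_FILES = {
    r"C:\Temp\rat.exe": BODIES["rat.exe"],
    r"C:\Tools\upx.exe": BODIES["upx.exe"],
    r"C:\Windows\System32\zlib.dll": BODIES["zlib.dll"],
}


def package_count(databases):
    """How many packages each hash belongs to; more than one means shared."""
    counts = {}
    for entries in databases.values():
        for digest in entries:
            counts[digest] = counts.get(digest, 0) + 1
    return counts


def score_packages(databases, found_digests):
    """Weighted fraction of each package found, with shared hashes down-weighted."""
    counts = package_count(databases)
    results = {}
    for pkg, entries in databases.items():
        total = hit = 0.0
        unique_hits, shared_hits = [], []
        for digest, (fname, weight) in entries.items():
            w = weight / counts[digest]  # split a shared hash's weight across packages
            total += w
            if digest in found_digests:
                hit += w
                (shared_hits if counts[digest] > 1 else unique_hits).append(fname)
        results[pkg] = {
            "confidence": hit / total if total else 0.0,
            "unique_hits": unique_hits,
            "shared_hits": shared_hits,
        }
    return results


def scan(system_files, databases=DATABASES, threshold=0.5):
    """Hash every file, score each package, and separate real hits from shared-only ones."""
    found = {sha256_hex(body) for body in system_files.values()}
    results = score_packages(databases, found)
    flagged = sorted(p for p, r in results.items()
                     if r["confidence"] >= threshold and r["unique_hits"])
    shared_only = sorted(p for p, r in results.items()
                         if r["shared_hits"] and not r["unique_hits"])
    return {"results": results, "flagged": flagged, "shared_only": shared_only}


if __name__ == "__main__":
    out = scan(SYSTEM_FILES)
    for pkg, r in out["results"].items():
        print(f"{pkg:15s} confidence={r['confidence']:.2f} "
              f"unique={r['unique_hits']} shared={r['shared_hits']}")
    print("flagged:", out["flagged"], "shared-only:", out["shared_only"])
```

On the constructed system the trojan is flagged on the strength of its unique component, UPX is listed as shared-only because the only file it matched also belongs to another package, and the stealer stays below threshold because a common library on its own carries little weight.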

Conclusion
I think this program should only be used in conjunction with the other forensic tool sets and antivirus products an investigator is using. If the investigator wants to find out what tool set or set of malicious software has been installed on the scanned machine, then they should use it.

I will not go into any more detail about the product, as the basics can be found on the Internet and on WetStone's website [2].

Links Used:

[1] WetStone Technologies, Inc. - Gargoyle Investigator Forensic Pro Edition : https://www.wetstonetech.com/cgi/shop.cgi?view,2
[2] WetStone Technologies, Inc. - http://www.wetstonetech.com/