Sunday, December 23, 2018

The malware did it, I swear!

A couple of months back, someone posted on the Forensic Focus forums raising the possibility that a hacker or malware was responsible for some child abuse images found on a relative's computer.  I responded at some length, but I also wanted to post here to lay out some of my thoughts on this defense.  For some background, please see Chad Steel's excellent article.  The defense seems to have been mostly unsuccessful but it is raised occasionally and appears to have been successful in a couple of early cases.  I hope here to point out some reasons why the defense should be avoided (absent clear evidence that it actually happened) and to give some ideas for refuting it.

As laid out in Steel's article, the defense is based primarily on the fact that it is technically possible that a hacker could plant contraband images, or that some malware could distribute them.  And it is technically possible.  It's also wildly improbable. Here are the issues:

Wednesday, December 19, 2018

MD5 should not be used in forensics (or anywhere else)

A few days ago, I drafted (but had not yet published) a post about using MD5 for validating or authenticating evidence in digital forensics.  MD5 has had security problems for twenty years, but it's still been used in forensics, although the trend has been toward SHA-1 (which has some problems of its own) and SHA-2.

After drafting the post, I discovered that the Scientific Working Group on Digital Evidence has released a draft endorsing the use of MD5 and SHA-1.  I wrote in to share my concerns, but I also reached out to some cryptographers via Twitter.  Dr. Marc Stevens, a cryptographer known for his expertise in attacking MD5 and other hash functions, released a series of tweets that was even more critical of MD5 than I anticipated and that was incredibly damning for any forensic expert who continues to rely on MD5.

Friday, November 30, 2018

Analyzing infected documents

Occasionally, users ask me to take a look at a document (usually .docx or .pdf) that they are unsure of.  It might be that the sender is someone known to them but they weren't expecting a report or an invoice, or perhaps they don't know the sender but the message seems legitimate.  As a part of our security awareness campaigns, I have repeatedly encouraged them to ask.  I'm glad they do.

Other times, it comes to my attention that a user has, or might have, opened a malicious attachment.  In these cases also I need to find out what I'm dealing with.  Is the document malicious?  What does it do if you open it (and Enable Content)?  Does it actually execute code or just link to a phishing site?

My favorite tool for analyzing these documents is https://www.hybrid-analysis.com.  This site makes it very easy to figure out if a document is malicious, analyze its behavior, and identify potential indicators of compromise.  The following is a quick walk-though the highlights some of the information that is provided when you analyze a document on the site.

Sunday, September 2, 2018

What is a server?


I have a new post up on my company webpage.  I've been meaning to post this for a while.  After the DNC was hacked in 2016, there were questions (mostly by people chasing one conspiracy theory or another) that the FBI made a mistake by not taking the DNC's server.  Not only is taking the server not a typical practice (especially where the owner is a victim and not a perpetrator), it would be extraordinarily difficult.  This post breaks down what a server actually is.  For readers who are working in IT, there's probably nothing new to see here.  For readers coming from a non-technical background, I hope this will prove interesting and informative.

The gist of my post is that, at one time, many servers were basically souped-up desktop computers.  This is generally not the case anymore.  The resources that ultimately make up a server may span several physical devices and each of those devices may support dozens of servers.  It's a many-to-many relationship.  Check out the post:

What is a server?

If you need a computer or mobile forensics consultant, I'm available: Trace Digital Forensics, LLC.

Monday, January 8, 2018

Consulting: Trace Digital Forensics, LLC

I haven't blogged here much recently.  A couple of years back I started a digital forensics consulting firm, Trace Digital Forensics, and have been doing most of my blogging over there.  I'm going to try to get back to posting some security, crypto and IT related content here and will cross-post some of the forensics content.

If you need a digital forensics consultant, email me.  I can handle most cases involving Windows, Mac, Android and iOS. I'm also working on an arrangement to subcontract for audio and video specialty work. I am open to working either side of a case and am happy to evaluate reports from opposing experts and/or recommend lines of questioning. 

Thursday, January 4, 2018

Safari Plugin Forensics - com.apple.Safari.plist

I'm posting this later than promised but this is a slightly revised version of what I submitted for Guidance Software's forensic bug bounty on BugCrowd.

In OS X 10.9, Apple started tracking which sites were configured to play Flash video in the file /Users/[user]/Libary/Safari/PlugInOrigins.plist. I originally discovered this while working on a case where a user had been browsing adult websites at work. The user's browser history (if I'm remembering this correctly) did not have any entries showing his visits to these sites but there was an entry in PlugInOrigins.plist showing that he had enabled Flash for one of them.  I eventually found a lot of other material to support the accusation and the user admitted what he had been up to.
As of OS X 10.10, the PluginOrigins.plist file is no longer used. The setting is now saved in /Users/[user]/Library/Preferences/com.apple.Safari.plist. 
The file is stored in binary xml format and can be converted with the cmd "plutil -convert xml1 com.apple.Safari.plist". A sample portion of this file is below. There is an entry for each configured site showing whether Flash should play, not play, or ask the user. It also tracks the last visited date and time. This artifact can be used to show whether a computer/account was used to visit a particular site. For example, the artifact in the file below would demonstrate that the computer was used to visit the HBO Now service on August 1st at 5:57 AM GMT.
 <key>com.macromedia.Flash Player.plugin</key>
    <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>play.hbonow.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-08-01T05:57:45Z</date>
                <key>PlugInPageURL</key>
                <string>https://play.hbonow.com/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
This file also contains artifacts for other plugins such as SilverLight, e.g.:
<key>com.microsoft.SilverlightPlugin</key>
   <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>amazon.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-07-17T03:20:55Z</date>
                <key>PlugInPageURL</key>
                <string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
        </array>
Notice in this example that it shows the specific URL that was visited.


Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading  The Go Programming Language .   On page 141 of the...