Saturday, October 22, 2016

Presenting digital evidence

Testifying and/or writing a report such a critical part of a computer forensics experts job because even the greatest forensic expert's work is all for naught if the knowledge cannot get out of the expert's head. Without someway to convey the discoveries, to pass on the knowledge, there is no benefit from the work. Rather than a useful job, the expert is just carrying out their hobby: learning what they can for the sake of learning it. Testifying or producing a report is what makes that knowledge accessible to others.
Report writing is important because it documents the expert's job in a way that it is repeatable: able to be reproduced and peer reviewed. It records the details of the work such that the expert can remember them when months of other analysis has occured between the examination and when they finally testify about it. (Garnett, 2010) This report is what will remain over time to be accessed by clients, lawyers, future students, and even the expert themself.
Testifying is the most important because it is where the forensic examination yields its fruit. Laywers can present the findings, and deliver a report, but that very sterile presentation misses the social impact of testimony. Jurors or judges, they likely don't have the experience, training, or skill to truely process what they would read in the report on their own. The testifying expert is lending their presence, history, and experience behind the conclusions on the paper, their testimonty bolsters the argument from a lawyer. (Boundless, 2016)

Boundless. (2016, June 18). How to Incorporate Expert Testimony. Retrieved October 12, 2016, from Boundless Communications: https://www.boundless.com/communications/textbooks/boundless-communications-textbook/supporting-your-ideas-9/using-testimony-48/how-to-incorporate-expert-testimony-196-4203/
Garnett, B. (2010, August 25). Intro to Report Writing for Digital Forensics. SANS. https://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/.

Confusion of terminology: exploit

From my experience, the term exploit could be very easily confusing between these four sets of actors. To a digital forensic expert, they are discussing the vector that was used to gain access to the system or how a limited user elevated to privileged access. (Govindavajhala & Appel, 2009) How did this file end up on the computer when all the user did was load a clean webpage with an ad? How did this driver get installed by the secretary?
For the potential jurors, how they process the word exploit is highly dependant on their background. Webster's Dictionary defines exploit as one noun and two verbs, but none of those three definitions will help the juror understand the connotations of a computer exploit. (Merriam Webster, 2016) To someone with a signals analysis background, exploit means to acquire intelligence from a signal or data stream. (mkroot, 2014) This is a miscommunication I have had myself talking with a vulnerability researcher in my early days of computer security, when I discussed exploiting the USB traffic between cell phone and workstation.
For folks with a more legal background, the lawyer and judge included, exploit can carry a much darker connotation. Often exploitation in legal discussions is a blanket for abuse, rape, and harassment. (Russell, 1984)
This potential issue, caused by the same vocabulary being overloaded as field-specific jargon, won't ever be able to be entirely eliminated. According to Crystal, a well educated English speaker might know between 15,000 and 23,000 words... words that will be used to convey all of the objects, ideas, emotions, and events of their entire life. (Crystal, 1987) With such a limited number of words, it is inevitable that they will be reused across fields or else the fields will use ultra-specialized words which are only accessible to the field practitioners, like the sciences use. Ultra-specialized words that are unaccessible to outsiders would fail to solve this problem too, as they must be comprehended by the outsiders that make up other jurors, judges, and lawyers.
The most significant way the issue can be reduced is for the presenter of the term to keep in mind the existance of other uses of it. That way they can be certain to address the potential conficts with the other context presented with the term, as well as clearly explain what they mean by it.

Crystal, D. (1987). How Many Words? English Today. No 12
Govindavajhala, S., & Appel, A. W. (2009). U.S. Patent Application No. 11/699,607. Identifying unauthorized privilege escalations
Merriam Webster. (2016). Exploit. http://www.merriam-webster.com/dictionary/exploit
mkroot. (2014). Sigint: definition, qualities, problems and limitations. https://blog.cyberwar.nl/2014/10/sigint-definition-intrinsic-qualities-problems-and-limitations-quotes-from-aid-wiebes-2001/
Russell, D. E. (1984). Sexual exploitation: Rape, child sexual abuse, and workplace harassment.

Data Gathering

There are many ways to accomplish hiding data on recordable media. Hiding data as random noise by encrypting it or using Steganography to embed the data within other data are two ways that get demonstrated often in media. (Provos & Honeyman, 2003) I will discuss two methods of hiding data which are based on the actual storage elements of the media itself. Our reading this week included a "Partial Overview of the Storage Media Ontology" (Dosis, Homem, & Popov, 2013) which describes the storage on a media: the physical space is logically split into partitions, data within partitions is mapped by a file system, and the file system maps chunks of data bytes to logical files.
The physical storage media breaks up stored data into sectors, typically 4096 or 512 bytes at a time. (Seagate, 2012) A sector is the smallest addressable allocation exposed to software programs. (DEW, 2002) File systems typically implement storage in clusters of sectors, rather than using sectors directly. (DEW, 2002) Each file system maps a collection of clusters to each file, resulting in a file consuming space equal the count of data bytes rounded up to the nearest multiple of cluster size. Each file system also records the true count of data bytes for the file. A careful eye will notice that this leaves a count of extra bytes, called slack space, which can be leveraged for secret storage. (Kaiwee, 2010) Small data can be stored in the slack space of a single file and larger amounts of data could be split across multiple slack spaces.
The second method of hiding information on a hard disk drive storage media depends on the fact that hard disk drives have seperate computing devices, Hard Disk Controllers (HDC), that sit between the system utilizing the stored information and the physical storage medium. (Holland & Vavaroutsos, 1994) The HDC contains the limits of storage capacity for the drive, which may not actually match the physical storage limits available. The ATA-4 standard allowed for a Host Protected Area, HPA, which is the space on the drive between the addressable capacity and the physical capacity. (Gupta, Hoeschele & Rogers, 2006) Someone hiding data in a Host Protected Area saves information to the highest addresses on a drive and then uses the SET MAX ADDRESS command to shrink the storage capacity to cap out before reaching that data. (Gupta, Hoeschele & Rogers, 2006) Normal disk operations, like with the BIOS or an operating system, do not see the HPA because the HDC reports that the storage capacity is only as large as the MAX ADDRESS that was set.

DEW. (2002). Hard Drive Clusters and File Allocation. DEW Associates Corporation. http://www.dewassoc.com/kbase/hard_drives/clusters.htm
Dosis, S., Homem, I., & Popov, O. (2013). Semantic representation and integration of digital evidence. Procedia Computer Science, 22, 1266-1275.
Gupta, M. R., Hoeschele, M. D., & Rogers, M. K. (2006). Hidden disk areas: HPA and DCO. International Journal of Digital Evidence, 5(1), 1-8.
Holland, A., & Vavaroutsos, P. G. (1994). U.S. Patent No. 5,367,669. Washington, DC: U.S. Patent and Trademark Office.
Kaiwee, C. (2010). Analysis of Hidden Data in NTFS File system.
Provos, N., & Honeyman, P. (2003). Hide and seek: An introduction to steganography. IEEE Security & Privacy, 1(3), 32-44.
Seagate. (2012). Desktop HDD Data Sheet. http://www.seagate.com/staticfiles/docs/pdf/datasheet/disc/desktop-hdd-data-sheet-ds1770-1-1212us.pdf

Preparations A through G were a complete failure

I agree that preparation for a digital search is the most critical step in a digital investigation. In 'Electronic crime scene investigation' the very first point called out for review is "First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen." (Ballou, 2010, pg x) This is called out so importantly because without the proper training, skill, and tools the collection of digital evidence is impossible: the lack of any of the three will result in destruction of the very evidence to be investigated. Acquiring and properly deploying those three things make up the preparation phase.
If only a partial preparation has occurred, say the correct tools are collected, but a properly trained responder was not able to be acquired, then those correct tools can used incorrectly which then throws off the whole investigation. Leach writes about an example where the proper tool, EnCase, may be used to examine a disk and file system evidence but to have set the wrong timezone for an evidence file. (2010) By botching the preparation phase and proceeding to Collection with an insufficiently skilled responder the evidence file was collected in a way that makes the data be examined incorrectly during the Examination phase. (Cisar, Maravic Cisar, & Bosnjak, 2014)
From a personal standpoint, I have written tools for performing network intrusion response. What is possible in the digital realm is virtually unlimited, given proper preparation. Without being prepared with the proper tools, or without the skill to use them, then some actions are just impossible. For instance, reconstructing recently deleted files (actually deleted, not just recycle binned) is quite possible with a tool that can read the raw disc data and is aware of the file system in use. Without a tool to access raw disc data, though, an investigator will not be able to do it. That is a fun tool to write, I helped with one.

Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders. Diane Publishing.
Cisar, P., Maravic Cisar, S., & Bosnjak, S. (2014). Cybercrime and Digital Forensics–Technologies and Approaches. DAAAM International Scientific Book.
Leach, S. (2010). What Every Lawyer Needs to Know About Computer Forensic Evidence.

Cybercrime law - ECPA

The most important cybercrime law availabile to Law Enforcement right now is the Electronic Communications Privacy Act (ECPA) of 1986. This statute, along with amendments to it from the USA PATRIOT Act, provide law enforcement their modern wiretap powers. (OJP, 2013) Law enforcement would have been lost such access as communications moved off of the Plain Old Telephone Service, POTS, wires to digital Internet networks. (Frontier, n.d.) Due to changes in how data storage is used in the modern Internet compared to the expectations of the late 80s, the Department of Justice uses the ECPA to carry out warrantless retrieval of "abandoned" emails left on a server. (Reitman, 2012) Modern web-based email, starting with Google's GMail, provides storage capabilities measured in Gigabytes, which means a user can archive a lifetime of text email right in their mailboxes on the server without it ever being abandoned. (McCracken, 2014) Argued by some to be violating the protections of the 4th Amendment, accessing 180+ day old data without a warrant provides law enforcement a powerful tool for collecting stored data during investigations. (Reitman, 2012)

Frontier. (n.d.). What is POTS? The Connection. http://internet.frontier.com/resources/home-phone-information/what-is-pots/
McCracken, H. (2014, April 1). How Gmail Happened: The Inside Story of Its Launch 10 Years Ago. Time. http://time.com/43263/gmail-10th-anniversary/
OJP. (2013). Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22. Office of Justice Programs. https://it.ojp.gov/privacyliberty/authorities/statutes/1285
Reitman, R. (2012, December 6). Deep Dive: Updating the Electronic Communications Privacy Act. EFF. https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act

Dangerous and getting worse: Ransomware Corporate Crime

Of all the ways that that corporate computer crime can occur, ransomware is the most damaging. This style of malicious attack can be delivered directly upon infection or after a system has been harvested for valuable data or utilized as a botnet node, allowing a final chance for an infected machine to be monetized. (Spring, 2016) Because it doesn't try to persist across reboots or maintain stealth over long periods of time, ransomware can work its destructive activity as soon as it lands on a system, even without Admin or root access. (Krebs, 2013) As such, typical separation of privilege defenses provide limited benefit because the files that are most at risk during a ransomware attack are those that the logged in user needs or creates. They have write access to their data, so malware they accidentally run does too.
Since the impact of ransomware is denial of service, it can target victims that require high availability requirements rather than the typical confidentiality requirements of companies and their intellectual property. This was demonstrated earlier this year when the Hospital industry was the target of an attack that ended up raking in a $17,000 decryption payout. (Gillum & Dishneau, 2016) Operations were interrupted for 10 days, days that put real human lives in danger. (Gillum & Dishneau, 2016)
Typical infections don't try encrypting all of the files on a target system, something that could interfere with the behavior of the malware itself. Instead they often limit the targeted files based upon file type hints form the file name: called the file extension. (Abrams, 2016 September) Just this month it was reported that a sample was found that includes the file extension of files encrypted by other ransomwares: Stampado. (Adams, 2016) This means that a victim could pay to decrypt their files just to learn that the decrypted version is still a locked up artifact of another attack. Some families, such as TorrentLocker, claim to be higher profile families like CryptoLocker which was of no relation. (Léveillé, 2014) Underhanded in dealing with victims, and underhanded in abusing others' brands.
Especially such underhanded dealings like Stampado demonstrate the absolute need for regular, off-system, backups. (Lennon, 2001) The off-system is important because the automatic backups of the operating system, such as Windows Shadow Copies, can and are deleted by most ransomware attacks. (Abrams, 2016 May) This style of attack, despite its increasing popularity and ease of payment, is not new, as demonstrated by the writings of Oswald, 2006, and Giri, Jyoti, & AVERT, also from 2006. All indications are that it will continue to get worse before it gets better, too. (Talos, 2016)

Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer. http://www.bleepingcomputer.com/news/security/stampado-taking-ransomware-scumbaggery-to-the-next-level/
Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ. http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help
Gillum, J. & Dishneau, D. (2016, Mar 29). FBI probing virus behind outage at MedStar Health facilities. AP. http://bigstory.ap.org/article/cf41601903fd4cc492718c12b01d9d1c/fbi-probing-virus-behind-outage-medstar-health-facilities
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006
Léveillé, M. (2014, December) TorrentLocker: Ransomware in a country near you. ESET. http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security. http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware
TALOS. (2016). Ransomware: Past, Present, and Future. http://blog.talosintel.com/2016/04/ransomware.html
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost. https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/
Oswald, E. (2006). Ransomware becoming a serious problem. BetaNews, July, 24, 2006.

Monday, September 12, 2016

Lower cost education, not cheaper

This is really cool!
At UMUC, we are committed to saving students time and money by reducing or eliminating the need to purchase textbooks and other course materials. Starting in fall 2016, most graduate textbooks will be replaced with no-cost electronic resources, also referred to as Open Educational Resourses (OERs). With the exception of some courses that require the use of specific software or content that cannot be accessed for free, students will not need to purchase any course materials. The Cybersecurity Programs NO longer use textbooks. None of the courses require them.

Sunday, September 11, 2016

Join me for another Semester

COURSE OUTCOMES 

At the end of this course, students should be able to:

  •  Identify the basic principles and tools used in computer forensics. 
  • Understand the main techniques used in data acquisition and analysis and in recovering image files. 
  • Critically evaluate the procedures in processing crime and incident scenes, especially on digital evidence controls, and in presenting digital evidence in court. 
  • Analyze the specific forensic techniques for Windows, Mac, Unix, and cell phone operating systems. 
  • Discuss the main issues and techniques associated with network forensics and malware investigation. 
  • Explain the issues, procedures and techniques used in contingency planning, cyber attack recovery, and business continuity planning and execution.
Interesting:
There are no textbooks in this course. Only Open Educational Resources (OERs) are being used.
Class starts tomorrow, so my posts here should start around the following Wednesday.

Time to learn Cyber Crime Investigation and Digital Forensics

Monday, August 29, 2016

One of these is not like the other one

A few weeks ago I was scrolling through Twitter and tossing out the occasional pointless comment, as is my wont, when I saw a comment that struck me as familiar with coding problems I've run into before...
I have had to try and work with Authenticode in the past. It is a bear! Things like security catalogs instead of just embedding the signature makes an already difficult thing to implement even harder. The APIs don't even work right on Windows XP... Microsoft invented the damn thing, if they can't implement it how can I be expected to? Anyway, since I was familiar with the problem, it was a good time to toss out a comment.
After tossing out that line I just continued reading Twitter until...

Well, this seemed like a big deal at the time.
It wasn't until the next day I noticed what the SwiftOnSecurity bump had done to my post views.
Something changed. Guess which day had the retweet
Wow. I wish I'd had that kind of visibility when I was doing less time-wastey things like running for United States Congress.

Sunday, May 1, 2016

Badware is short for Blocked Adware

Last week an article that I collaborated on was published. So far this has been the crowning achievement of my short time with Cisco, a short but amazing time. Malware analysis is my absolute passion and being able to turn software analysis into globally deployed protection in days is the best.

When I was presented with a strange piece of software I knew it would be another excellent chance to tear into the inner workings of a tool. I didn't know yet it would be the basis of an article to a professional Threat Intelligence blog. I really didn't know the splash it would make across digital media.

In no particular order I will list all of the references that I can find to that article (these links are not endorsement, nor disparagement, of the linked article!):

Non-English:
I was most touched by the brief shout out on the blog of Mary Ellen, @icanhaspii. Media is great, but recognition from a practitioner means far more to me than a big pile of media comment.

This being a personal blog nothing contained in this article should be construed as anything except my personal opinions. I do not speak for, nor represent, Cisco.

Updated Links:

A Post that sat as a draft for a very long time

A vulnerability that I have interacted with in the wild and have had to intentionally avoid myself is the venerable SQL injection. In a sentence, SQL injections are vulnerabilities where input is improperly combined with commands in a way where the input can be interpreted as SQL statements (Vacca, 2009). The obvious exploit for passing arbitrary commands to a database is to read additional data, which is available to attackers targeting a SQL injection. Additionally, if the running account has write access, it can also be used to corrupt the integrity of the database, even going so far as to erase data, as was captured in the classic XKCD comic about Little Bobby Tables (Munroe, 2007).
The danger from exposing a SQL injection goes far beyond letting users read extra data or destroy some, though. Halfond, Viegas, and Orso enumerate a whole set of possible attacker intentions that can be realized through SQL injections: database finger-printing, learning the database schema, extracting data, changing or inserting data, causing denial of service, avoiding detection, skipping traditional authentication, elevating privileges, and command execution (2006). Some of these can be really easy, such as finger-printing the database in use: when first stumbling on the injection an error may be dumped to output containing the database version, query ran, software name, operating system, and more. (Halfond et al., 2006)
In a Black Hat Briefing, Guimarães describes some of the really nasty and unexpected things that attackers can accomplish through SQL queries. MySQL can use the LOAD_FILE function to read an arbitrary file on disk, allowing the extraction of sensitive data that isn’t even in the targeted database (Guimarães, 2009). MS SQL Server and PostgresSQL also have commands that can be used to extract arbitrary files. MySQL allows for the INTO DUMPFILE clause to write to arbitrary files, as can the PostgresSQL lo_export() function (Guimarães, 2009).
Even though arbitrary read/write to the remote system is nearly enough to fully own the target, SQL injections can provide even more access. MS SQL Server allows the importing of user defined functions from DLLs with CREATE ASSEMBLY (Patel, 2010). Being able to load an executable into the remote database process, combined with the previously mentioned ability to write the desired executable to the system, is total access to the level of the database account. It literally allows you to run anything you can write. Finally taking the cake, MS SQL Server even provides an xp_cmdshell() stored procedure to provide raw shell command execution (Guimarães, 2009). Game over.

Guimarães, B. D. A. (2009). Advanced SQL injection to operating system full control. Black Hat Europe, white paper.
Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.
Munroe, R. (2007, October 10). Exploits of a Mom. XKCD. Retrieved from https://xkcd.com/327/
Patel, V. (2010, September 27). Creating User-Defined Functions in Microsoft SQL Server . Database Journal. Retrieved from http://www.databasejournal.com/features/mssql/article.php/3904491/Creating-User-Defined-Functions-in-Microsoft-SQL-Server.htm
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman