Showing posts with label forensics. Show all posts

Monday, January 19, 2009

About Windows passwords, hashes and registry

Here is a great set of articles about Windows password schemes by Brendan (moyix.blogspot.com):

Syskey and the Sam:
http://moyix.blogspot.com/2008/02/syskey-and-sam.html

Decrypting LSA Secrets:
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html


Cached Domain Credentials:
http://moyix.blogspot.com/2008/02/cached-domain-credentials.html

Besides the articles, Brendan created a set of plugins for Volatility that extract those passwords and secrets from the registry hives found in a memory dump:

  • hashdump: dump the LanMan and NT hashes from the registry (deobfuscated, that is, with the SYSKEY protection removed). 
  • lsadump: dump the LSA secrets (decrypted) from the registry. 
  • cachedump: dump any cached domain password hashes from the registry. This obviously only works if the memory image comes from a machine that was joined to a domain. 
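As an added example (this is not code from the post or from Brendan's plugins), here is how to make sense of what hashdump prints. An NT hash is just MD4 over the UTF-16LE password with no salt, so identical passwords give identical hashes across accounts and across machines, and a SAM entry with no LM hash shows the fixed LM field aad3b435b51404eeaad3b435b51404ee. The script implements MD4 in pure Python (hashlib's md4 is frequently missing on current OpenSSL builds), checks a candidate password against a dumped hash, and groups a pwdump-style listing by NT hash. The SAMPLE lines are constructed for this example, not taken from a real system; the function names are my own.

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python; NT hashes use it unsalted over UTF-16LE."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack_from("<16I", msg, off)
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # one step, then rotate the register names (ABCD -> DABC -> ...)
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(lines):
    """Parse 'user:rid:lmhash:nthash:::' lines as printed by hashdump-style tools."""
    entries = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or line.strip().startswith("#"):
            continue
        user, rid, lm, nt = parts[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """What an analyst looks at first: empty passwords, LM hashes still stored,
    and accounts sharing one NT hash (same password, because there is no salt)."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_password": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


def check_candidate(entries, user, candidate):
    """True if `candidate` is the plaintext behind `user`'s dumped NT hash."""
    return any(e["user"] == user and e["nt"] == nt_hash(candidate) for e in entries)


# Constructed sample listing (not from a real machine). The NT hashes are
# NT("password") and NT(""), and svc_backup also has LM("password") stored.
SAMPLE = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
""".splitlines()

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE)
    print(triage(entries))
    print(check_candidate(entries, "Administrator", "password"))
```

Because nothing salts these hashes, the triage step alone (no cracking) already tells you which accounts share a password and which still carry the far weaker LM hash.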
Enjoy
-CMM

Wednesday, December 31, 2008

Secure deleting a Macbook (pro) with OSX

Yesterday I was preparing my old MacBook Pro for sale, and after doing a backup I wanted to securely erase the whole hard disk. So I started searching for software or a solution (before resorting to a live CD) and found that OS X includes a secure-erase option in Disk Utility; best of all, the Cupertino boys provide three kinds of secure erase, with different levels of security, to prevent file recovery.

Zero Out Data:

This method writes zeros over all of the data on the drive. It provides a decent level of security: there are forensic utilities that in theory could retrieve some data, but they are extremely expensive and time consuming, and there are no documented cases of this actually happening.

7-Pass Erase:

This method writes over the disk seven times, so it takes about seven times longer than Zero Out Data. It follows the DoD 5220.22-M specification, which makes retrieving the information practically impossible.

35-Pass Erase:

If you are paranoid or really need to protect some files, this method writes over the entire disk 35 times (the Gutmann pattern). Data erased this way is said to be unrecoverable. It also takes ages to finish.

After checking the options I went with the 7-pass erase; for a 150GB partition it took 7 hours to complete, and now I have to do the same for the 100GB partition :(
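An added check, not from the original post: whichever option you pick, do not just trust the progress bar. After a Zero Out Data erase the device should read back as zeros end to end, so sample it and confirm. The script below (my code, written in Python) reads evenly spaced windows of a raw device or a dd image and reports every window that still holds non-zero bytes; the image it checks is a constructed sparse file with one stray byte planted to simulate an incomplete wipe. On a real Mac you would point it at the raw device (for example /dev/rdisk1, passing size= because seeking to the end of a device is not reliable); the command-line equivalents of the three Disk Utility options are diskutil secureErase 0, 2 and 3.

```python
import os
import tempfile


def nonzero_windows(path, window=1 << 20, samples=8, size=None):
    """Sample `samples` evenly spaced windows of `window` bytes from a file or raw
    device and return [(window_offset, first_nonzero_offset, nonzero_bytes), ...]
    for every window that is not entirely zero. An empty list means every sample
    was clean. Pass size= for raw devices, where seeking to the end may not work."""
    findings = []
    with open(path, "rb") as fh:
        if size is None:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
        window = min(window, size)
        stride = max((size - window) // max(samples - 1, 1), 1)
        offsets = sorted({min(i * stride, size - window) for i in range(samples)})
        for off in offsets:
            fh.seek(off)
            chunk = fh.read(window)
            zeros = chunk.count(0)
            if zeros != len(chunk):
                first = next(i for i, byte in enumerate(chunk) if byte)
                findings.append((off, off + first, len(chunk) - zeros))
    return findings


def make_constructed_image(size=8 << 20, leftover_at=None):
    """Constructed stand-in for a wiped disk: a sparse all-zero file, optionally
    with one 0xFF byte planted to simulate an incomplete erase. Returns its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "r+b") as fh:
        fh.truncate(size)
        if leftover_at is not None:
            fh.seek(leftover_at)
            fh.write(b"\xff")
    return path


def verify_constructed(size, leftover_at=None, **sampling):
    """Build a constructed image, sample it, delete it, and return the findings."""
    img = make_constructed_image(size, leftover_at)
    try:
        return nonzero_windows(img, **sampling)
    finally:
        os.remove(img)


if __name__ == "__main__":
    print(verify_constructed(8 << 20, leftover_at=(5 << 20) + 17) or "clean")
```

Sampling is a sanity check, not proof: a full sequential read is the only way to be sure every sector was overwritten, and a single leftover byte anywhere means the erase did not finish.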

Reference: http://danbenjamin.com/articles/2008/05/secure-erase-osx
-CMM

Tuesday, December 9, 2008

Oracle Forensics


Hi, this time I will post a brief entry about Oracle forensics. When we talk about Oracle forensics we are talking about David Litchfield, who researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will take part in a Black Hat webinar, where he will specifically talk about Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file, i.e. there's no need to load the data file into the database, which would cause the data file to be modified, so using orablock preserves the evidence."

You can register here.

He will also publish a book about Oracle forensics very soon; you can pre-order it at Amazon. The book is called "Oracle Forensics Using Quisix".

And if you want to check all his presentations and papers on the subject, you can go here.

Few people work in this field; besides Litchfield there is Paul M. Wright, author of the first Oracle forensics book. You can check his blog here.

Enjoy!
-CMM

Monday, December 1, 2008

Windows Prefetcher and forensic analysis

When doing forensic analysis you often need to establish whether a binary was run on the analyzed system. There are several places that record program execution, such as the RunMRU registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which keeps the commands typed into Start > Run), but today I will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP and is also present in Vista.

In short, when you launch an application Windows creates a .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\); this file holds the information Windows needs to speed up future starts of that application.

The file contains various information about the application, including the list of files (the executable, DLLs and other resources) touched during startup, and among those paths you will find the full path of the executable image itself.

The file is named IMAGENAME-HASH.pf, where HASH is computed from the path of the executable image, so if the same binary is run from two different locations you get two different prefetch files.

So you can tell whether an application was run on a Windows system, and you get the MAC times of the prefetch file and of the image file to add to your timeline analysis, plus the last run time and a counter of how many times the application has been run, both stored inside the .pf file. (You can use Windows File Analyzer to get all this information.)

This is helpful when analyzing malware on an infected machine: the malware may have been deleted but its prefetch entry is still there, and going through all the prefetch files is a quick way to find the malware executable and the path it ran from.

How many files does Windows keep? It maintains up to 128 entries; beyond that, entries are flushed, with the most frequently used applications preserved.
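As an added example (my code, not the post's and not Windows File Analyzer), here is a minimal parser for the XP/2003 (version 0x11) and Vista/7 (version 0x17) .pf layouts. It reads the executable name, the hash embedded in the header, the run count, the last-run FILETIME and the filename-strings section, picks the executable's own path out of that list, and rebuilds the expected on-disk name IMAGENAME-HASH.pf so you can spot a renamed file. The field offsets follow the published SCCA format descriptions; the sample .pf is constructed in memory by build_sample_pf() with a made-up hash value, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per version: (OS label, last-run FILETIME offset, run-count offset, size of the
# file-information block that follows the 84-byte header).
LAYOUTS = {
    0x11: ("Windows XP/2003", 0x78, 0x90, 68),
    0x17: ("Windows Vista/7", 0x80, 0x98, 156),
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Extract the analyst-relevant fields from a .pf file (versions 0x11 and 0x17)."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError("unsupported prefetch version 0x%x" % version)
    os_name, lr_off, rc_off, _ = LAYOUTS[version]
    exe = data[0x10:0x4C].decode("utf-16le").split("\x00", 1)[0]   # 29 UTF-16 chars + NUL
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, lr_off)[0]
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    blob = data[strings_off:strings_off + strings_size].decode("utf-16le", errors="replace")
    paths = [p for p in blob.split("\x00") if p]
    image = next((p for p in paths if p.upper().endswith("\\" + exe.upper())), None)
    return {
        "version": os_name,
        "executable": exe,
        "hash": "%08X" % pf_hash,
        "expected_filename": "%s-%08X.pf" % (exe, pf_hash),
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        "image_path": image,
        "loaded_files": paths,
    }


def check_filename(pf_name, parsed):
    """A .pf whose on-disk name disagrees with its header was renamed or tampered with."""
    return pf_name.upper() == parsed["expected_filename"].upper()


def build_sample_pf(version=0x11):
    """Constructed minimal .pf image for NOTEPAD.EXE (not a real capture): only the
    fields parse_prefetch() reads are filled, and the hash value is made up."""
    exe = "NOTEPAD.EXE"
    paths = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"]
    strings = "".join(p + "\x00" for p in paths).encode("utf-16le")
    _, lr_off, rc_off, info_len = LAYOUTS[version]
    strings_off = 0x54 + info_len
    buf = bytearray(strings_off + len(strings))
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe.encode("utf-16le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1B6A3D1E)            # made-up hash
    struct.pack_into("<II", buf, 0x64, strings_off, len(strings))
    struct.pack_into("<Q", buf, lr_off, 128444736000000000)  # 2008-01-10 21:20:00 UTC
    struct.pack_into("<I", buf, rc_off, 7)
    buf[strings_off:] = strings
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_pf())
    for key, value in info.items():
        print("%-18s %s" % (key, value))
    print("name matches header:", check_filename("NOTEPAD.EXE-1B6A3D1E.pf", info))
```

Note that the last-run timestamp and run count come from inside the file, which is why they are worth more than the .pf's own MAC times: the file system times can be touched without changing the embedded values.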

Do you know more places to find information about applications runs?

More info on Prefetch

A tool for analyzing Prefetch directory: Windows File Analyzer

-CMM

Thursday, November 27, 2008

Xplico - Network forensics

A great new tool for analyzing network traffic has been released. As stated on the Xplico web site:

"Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT)."

The goal of Xplico is to extract the application data contained in an internet traffic capture.
For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP), all HTTP contents, each VoIP call (SIP), and so on.
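To make concrete what "extract the application data" means, here is an added example that is not part of Xplico (my own Python code): a pcap reader that walks Ethernet/IPv4/TCP frames and pulls the HTTP request line and Host header out of each client request, keyed by the TCP four-tuple, which is the difference between a packet list and an application-layer record. The capture it parses is constructed inline by build_sample_pcap() (two HTTP requests and one unrelated SSH segment, with made-up addresses); IP and TCP checksums are left at zero because the parser does not validate them, and no reassembly across segments is attempted.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for a classic little-endian microsecond pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return ((src, sport, dst, dport), payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                      # protocol field: 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[data_off:]


def extract_http_requests(pcap_bytes):
    """Application-layer records (who asked which host for what), not packets."""
    requests = []
    for ts_sec, _ts_usec, frame in read_pcap(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        (src, sport, dst, dport), payload = parsed
        if not payload.startswith(HTTP_METHODS):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        requests.append({
            "time": ts_sec, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "request": head[0].decode("latin-1"),
            "host": headers.get(b"host", b"").decode("latin-1"),
        })
    return requests


def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero on purpose."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: two HTTP requests and one non-HTTP TCP segment."""
    frames = [
        (1225000000, _frame("10.0.0.5", 49152, "192.0.2.10", 80,
                            b"GET /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n")),
        (1225000001, _frame("10.0.0.5", 49153, "192.0.2.10", 80,
                            b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\nContent-Length: 3\r\n\r\nabc")),
        (1225000002, _frame("10.0.0.5", 49154, "192.0.2.20", 22, b"SSH-2.0-OpenSSH_5.1\r\n")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for req in extract_http_requests(build_sample_pcap()):
        print(req)
```

A real NFAT does the hard part this toy skips: TCP stream reassembly, so that a request split across segments or a multi-megabyte response body comes out as one object.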


Website and more info: http://www.xplico.org/about


-CMM

Tuesday, November 11, 2008

Memoryze - Memory forensic tool

Jamie Butler presented the tool Memoryze at HITB 2008; it is intended to help incident responders find evil in live memory.

"Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis."

Memoryze site
Here are some Use cases

-CMM

Tuesday, October 7, 2008

Displaying Windows cached DNS entries

This is a super fast post. Here is a handy command for listing the cached DNS entries on a Windows system:

C:\>ipconfig /displaydns

slashdot.org
----------------------------------------
Record Name . . . . . : slashdot.org
Record Type . . . . . : 1
Time To Live  . . . . : 2117
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 216.34.181.45


This can be useful when analyzing malware or doing forensic analysis: the resolver cache shows which names the box recently looked up (record type 1 is an A record, 5 a CNAME), but it is volatile and lost on reboot or with ipconfig /flushdns, so capture it early in a live response.
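An added example, not from the original post (my own Python): a parser that turns ipconfig /displaydns output into records and matches them against a watch list of domains and addresses, which is the usual next step once the cache has been captured. The fields are read positionally (Record Name, Record Type, TTL, Data Length, Section, then the record data), an assumption that lets it survive localized label text such as the Spanish build the command above was run on; the SAMPLE output and the watch list are constructed for this example.

```python
import re
from collections import namedtuple

# "Label . . . . : value" lines; the dot leaders and padding are stripped.
FIELD_RE = re.compile(r"^\s*(?P<key>.*?)\s*(?:\.\s*)*:\s*(?P<value>.*?)\s*$")
RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}
DnsEntry = namedtuple("DnsEntry", "query name rtype ttl data")


def _finish(query, fields):
    # Assumption: fields appear in the order Windows prints them (Record Name,
    # Record Type, Time To Live, Data Length, Section, record data), so they are
    # read by position rather than by label text.
    values = [v for _, v in fields]
    rtype = int(values[1]) if len(values) > 1 and values[1].isdigit() else None
    ttl = int(values[2]) if len(values) > 2 and values[2].isdigit() else None
    return DnsEntry(query, values[0], rtype, ttl, values[-1])


def parse_displaydns(text):
    """Turn `ipconfig /displaydns` output into DnsEntry records."""
    entries, lines = [], text.splitlines()
    query, fields = None, []
    for i, line in enumerate(lines):
        if line.startswith("----"):                  # the name sits on the line above
            query, fields = (lines[i - 1].strip() if i else ""), []
            continue
        if query is None:
            continue
        if not line.strip():                         # blank line ends the block
            if fields:
                entries.append(_finish(query, fields))
            query, fields = None, []
            continue
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields.append((m.group("key"), m.group("value")))
    if query is not None and fields:
        entries.append(_finish(query, fields))
    return entries


def match_watchlist(entries, bad_domains, bad_ips):
    """Cached entries whose name, CNAME target or address is on the watch list."""
    def domain_hit(host):
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in bad_domains)
    return [e for e in entries
            if domain_hit(e.name)
            or (e.rtype == 5 and domain_hit(e.data))
            or (e.rtype in (1, 28) and e.data in bad_ips)]


# Constructed sample output (English labels); the third entry is the planted hit.
SAMPLE = """\
Windows IP Configuration

slashdot.org
----------------------------------------
Record Name . . . . . : slashdot.org
Record Type . . . . . : 1
Time To Live  . . . . : 2117
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 216.34.181.45


www.example.com
----------------------------------------
Record Name . . . . . : www.example.com
Record Type . . . . . : 5
Time To Live  . . . . : 300
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record  . . . . : cdn.example.net


update.badexample.org
----------------------------------------
Record Name . . . . . : update.badexample.org
Record Type . . . . . : 1
Time To Live  . . . . : 60
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 198.51.100.23
"""

if __name__ == "__main__":
    entries = parse_displaydns(SAMPLE)
    for e in entries:
        print(RECORD_TYPES.get(e.rtype, e.rtype), e.name, "->", e.data, "ttl", e.ttl)
    print("hits:", match_watchlist(entries, {"badexample.org"}, {"203.0.113.9"}))
```

Run it against the saved output of the command rather than the live cache, so the capture you analyzed is the one you keep as evidence.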

-CMM
