Windows InstallTime vs InstallDate Registry Values

This is just a quick post about two Registry values, InstallTime and InstallDate, which are found under the following key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion

The confusion arises when my students ask which one is correct.
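To compare the two values side by side, here is an added example (not code from the original post) that decodes both from a live system or from raw values pulled out of a SOFTWARE hive. It assumes what the two value types hold: InstallDate is a REG_DWORD counting seconds since 1970-01-01 UTC (Unix epoch), and InstallTime is a REG_QWORD holding a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), present on Windows 10 and later. The function names are mine.

```powershell
# Added example, not from the original post.
# Assumptions: InstallDate = REG_DWORD, Unix epoch seconds (UTC);
#              InstallTime = REG_QWORD, FILETIME (100-ns ticks since 1601, UTC).

function Convert-InstallStamps {
    # Works on raw values, so it can also be used on numbers read from an
    # offline SOFTWARE hive with a registry viewer.
    param(
        [Nullable[int64]]$InstallDate,
        [Nullable[int64]]$InstallTime
    )

    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

    $dateUtc = $null
    if ($null -ne $InstallDate) {
        # A REG_DWORD comes back as Int32; mask to 32 bits so values after 2038 stay positive
        $secs    = $InstallDate -band 0xFFFFFFFF
        $dateUtc = $epoch.AddSeconds($secs)
    }

    $timeUtc = $null
    if ($null -ne $InstallTime) {
        # FromFileTimeUtc interprets the Int64 as a FILETIME
        $timeUtc = [datetime]::FromFileTimeUtc($InstallTime)
    }

    $delta = $null
    if ($dateUtc -and $timeUtc) {
        # Positive delta: InstallTime is later than InstallDate
        $delta = [math]::Round(($timeUtc - $dateUtc).TotalSeconds, 3)
    }

    [pscustomobject]@{
        InstallDate_Raw = $InstallDate
        InstallDate_UTC = $dateUtc
        InstallTime_Raw = $InstallTime
        InstallTime_UTC = $timeUtc
        DeltaSeconds    = $delta
    }
}

function Get-WindowsInstallStamps {
    # Reads the live key from the post and decodes both values.
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion')

    $cv = Get-ItemProperty -Path $Key
    Convert-InstallStamps -InstallDate $cv.InstallDate -InstallTime $cv.InstallTime
}

# Live system:
Get-WindowsInstallStamps | Format-List

# Values copied from an offline hive (constructed sample numbers, not from any real image):
Convert-InstallStamps -InstallDate 1556668800 -InstallTime 132013728000000000 | Format-List
```

Both values are stored in UTC, so compare the decoded UTC fields directly rather than the local-time rendering of a registry viewer; a non-zero DeltaSeconds tells you the two values were not written from the same clock reading.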

Posted in Forensics, Windows

Update: Hidden Prefetch Files Detection using New PECmd

Before diving into this post, I wanted to say that I have been teaching digital forensics for a long time now, and in my Operating System Forensics class I use Eric Zimmerman's tools a lot, and when I say "a lot", I truly mean it! The course is not about tools, but when it comes to using a tool to form an understanding of what a session is about, you'll always find a tool from Eric there (plus others, for sure)! That is one thing about how great Eric's tools are, but for me there is more to it than that. My students and I, from time to time, find new things, new bugs, etc. I sometimes send Eric a message from inside class and share a sample with him. Most of the time, we get the fix while we're still in class! That is one of the best things about this guy: how much he cares about his tools, and how much support he provides to the community. That is why I doubt you'll get such support even from a commercial vendor. They will never be able to get back to you this quickly.

What does all that mean here? Well, continuing the previous work "Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis", it means we just got a fix, or rather a new feature, added to PECmd :)

Posted in AntiX, ThreatHunting, Windows

Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

While doing more experiments running EXEs and malicious EXEs from ADS and stealth ADS, continuing my previous work "Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS", and while creating a forensic image to share with the community as I mentioned here, I came across some unusual findings!

When creating a forensic image, I also create a list of the files and directories within that image, as seen in Figure 1, for further checking and verification. So, as usual, I was preparing the image to share and noticed the following:

Figure 1: List of files found in a Forensic Image


Posted in AntiX, Forensics, ThreatHunting, Windows

Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS

One of my current students asked whether using stealth Alternate Data Streams (ADS) could bypass AVs. Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is the following:
1. Turned off Windows Defender on my Windows System (used for testing)
2. Created a malicious reverse shell (reverse meterpreter) and copied it over to my Windows system. It was named rev.exe.

Contents of the directory I copied the rev.exe to:

3. Created a reverse shell listener (multi/handler) on my attacking system (Kali) and waited for the victim machine to connect back to it.

4. Used the commands we know to hide the reverse shell named "rev.exe" in LPT1.txt, and then checked the contents of the temp directory (the location of the files) using FTK Imager.
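The verification step above is done with FTK Imager. As an added example (not code from the original post), here is a live-response sweep of the same test directory in PowerShell: it enumerates every alternate data stream on ordinary files, flags streams that start with an MZ header (a PE image such as rev.exe), and separately flags host files whose names are reserved device names such as LPT1.txt, because a plain Win32 path like C:\temp\LPT1.txt resolves to the LPT1 device rather than the file, which is exactly why such files are a "stealth" hiding spot. The function name and the default path are my assumptions; C:\temp stands in for the post's temp directory.

```powershell
# Added example, not from the original post.
# Assumptions: the directory to sweep is C:\temp (the post's "temp directory");
# Find-SuspiciousStreams is an illustrative name.

function Find-SuspiciousStreams {
    param([string]$Path = 'C:\temp')

    # Classic Win32 reserved device names. Any extension (LPT1.txt) keeps the name reserved.
    $reserved = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

    # Get-Content needs -Encoding Byte on Windows PowerShell 5.1 and -AsByteStream on 7+
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else { @{ Encoding = 'Byte' } }

    foreach ($f in Get-ChildItem -LiteralPath $Path -File -Force) {

        if ($f.Name -match $reserved) {
            # Directory enumeration still lists the entry, but opening it by its normal
            # path hits the device, so streams are not enumerated here. Confirm with the
            # \\?\ path prefix or from the image (as the post does with FTK Imager).
            [pscustomobject]@{
                File    = $f.FullName
                Stream  = '(not enumerated)'
                Size    = $f.Length
                Finding = 'Reserved device name as host file; check with \\?\ prefix or image tooling'
            }
            continue
        }

        $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }   # the default data stream, not an ADS

            $finding = if ($s.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web (common, usually benign)' }
                       else { 'Alternate data stream' }

            # Read the first two bytes of the stream: 'MZ' (0x4D 0x5A) marks a PE image
            $head = Get-Content -LiteralPath $f.FullName -Stream $s.Stream -TotalCount 2 `
                                -ErrorAction SilentlyContinue @byteArgs
            if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
                $finding = 'ADS holds a PE executable'
            }

            [pscustomobject]@{
                File    = $f.FullName
                Stream  = $s.Stream
                Size    = $s.Length
                Finding = $finding
            }
        }
    }
}

Find-SuspiciousStreams -Path 'C:\temp' | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect box; the reserved-name rows are the ones to follow up on in the image, since the script deliberately does not try to open them through the normal provider path.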

Posted in AntiX, Forensics, Malware, Metasploit, Windows

Offensive Software Exploitation Course

During this semester, which technically ends on Sunday at 11:59 pm (5/5/2019), I taught this course at the college for a nice group of students. The course has nothing secret in it, and no zero days were found, LOL. Still, I think it was fun, but a fire hose of information to go over in a 5-week class! I might release the labs, or I might not, but not until the end of 2019. Anyway, I just wanted to have it referenced here.

Posted in Academia, Exploitation, Metasploit, PenTest, Security, Vulnerability