Linux Forensics Workshop

Hello,

I’ve been invited by the Saudi Federation for Cyber Security and Programming (SAFCSP) to do a Linux Forensics workshop during their series of Cybersecurity Nights. My session will be next Thursday, May 14th, 2020 at 10:00 PM (KSA time) and will be 3:00 PM (EST). If you’re interested in Linux Forensics or have the will to learn, please download the files found here and join me then.

In Arabic:
The Saudi Federation for Cyber Security, Programming and Drones has invited me to hold a workshop on digital forensic investigations on Linux operating systems. If you are interested in that, please follow the live stream or watch the recording via the Federation's websites.
The workshop will be next Thursday, 14/5/2020, at 10 PM Saudi time and 3 PM US time. The workshop files can be downloaded from this link so you can follow along with me directly.

Thanks to SAFCSP for the invitation and see you on Thursday :)


Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up by one of my students:
If a user mounts the volume to a mount point, what artifacts could we find for the USB?

Starting, I think, from Windows 8.1 or 10, a user can mount a volume into an empty directory. This means that a USB drive can be mounted to a directory and the user then accesses the contents of the volume through that directory. In the past this feature was seen only on POSIX operating systems such as Linux. The scenario I will use for this experiment is a user who mounts a volume (USB) to a directory and also removes the drive letter. I will be using C:\Mountpoint as the mount point for the USB.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc.), only the ones needed to answer the question above.
2. The experiment in this post was repeated three times, and all runs led to the same results you will find below.

PART#1 – SETUP
First, as we can see in figure 1.1, the USB labeled FOR340USB has the drive letter E:, so let’s remove it.

Figure 1.1 – Drives Available


No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked:
If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry?

The short answer is: YES, it will still be seen in Disk Management. But let’s assume you no longer have access to the computer, though you do have the registry files. In other words, you imaged the drive but for some reason missed imaging the USB.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc.), only the ones needed to answer the question above.
2. The experiment in this post was repeated three times, and all runs led to the same results you will find below.

I will list the registry locations we can still check for entries showing that the USB was plugged into the system, even though it is not currently visible. I won’t go over all the USB artifacts; there are so many posts out there and good books too (WR 2ED, WFA 4ED, etc.). In this post I will focus on some that might not have been used before and that just need to be correlated together. So, let’s say you start by loading your registry files (System, Software, and NTUSER) into Registry Explorer or RegRipper; I will use both here.


How to Set Up and Use the CuckooVM v2

This post should cover the basics of how to import the Cuckoo VM, which can be found here, and run a basic analysis with it. I’m referring to this VM as CuckooVM version 2, since if you’ve been following along, you already know that I previously shared an earlier version of this CuckooVM which I configured. Even if you do not do malware analysis or digital forensics and incident response, this VM could come in handy and be useful to you, so please do not skip it just because you’re not working in those areas.

Now, in order to use the Cuckoo Sandbox (which, I think, many of the online service providers today have built their systems around; no proof for this claim!), you will need a dedicated machine. The installation process itself is also not simple for some, though it could be a piece of cake for others (not saying it is for me!), so this VM could save you the trouble of:
1. Needing to purchase or dedicate a whole machine to Cuckoo (it is worth it though!)
2. Needing to go through the installation process

Before moving forward, if any of the figures below is not clear, just click on it to enlarge it.

INTRODUCTION
The Cuckoo VM runs Cuckoo in what is called “Nested Virtualization”. What does that mean? Well, first let’s look at the general architecture shown in figure 1.1.

Figure 1.1 – General Architecture


Investigating Windows Systems (Book Review)

Hello,

We have a saying in Arabic, literally “to come late is better than never to come at all”, or in English “Better late than never!”. This is my review of Harlan Carvey‘s latest book, titled “Investigating Windows Systems”, which I should have written a long time ago (Sorry Harlan)!

If you have been reading Harlan over the years (like I have), then this book is totally different from those. It is not about a specific Windows version, and it is also definitely not about the Windows Registry. You might be asking, “Then why should I be interested, and why is the title about Windows?” This is what I will explain in this post. A couple of days ago, Harlan wrote a post about “Improving Your DFIR Skills”, adding to another great post by Brett Shavers titled “Want to improve in #DFIR? Study someone else’s case work.” that discusses the same concept. I’m not going to repeat what they discuss in their posts, because I’m sure they are well written and share great ideas; I’m just going to explain how this is true from my experience as an instructor and why Harlan’s book is a good choice for you.
