No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked:
If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry?

Short answer is, YES it will still be seen in Disk Management. But let’s assume you do not have access to the computer anymore, but you do have the registry files. In other words, you imaged the drive but missed imaging the USB for some reason.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc), only the ones needed to answer the question above
2. The experiment in this post was repeated three times and they all led to the same results you will find below

I will be listing all the registry locations that we can still check and find entries that the USB was plugged into the system, but it’s not seen currently. Also, I won’t go over all the USB artifacts, there are so many posts out there and good books too (WR 2ED, WFA 4ED, etc). In this post, I will just focus on some might have not been used before and then just need to correlate them together. So, let’s say you start by loading your registry files into Registry Explorer or RegRipper (System, Software, and NTUSER), will use both here.
Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , | Comments Off on No Drive Letter, No USB Evidence? Think Again!

Howto Setup and use the CuckooVM v2

This post should cover the basics of how to import and run a basic analysis using the Cuckoo VM which could be found here. I’m referring to this VM as CuckooVM version 2, since if you’ve been following, you already know that I have shared a previous version of this CuckooVM which I configured. Even if you do not do malware analysis or digital forensics and incident response, this VM could come handy and useful to you, so please do not skip just because you’re not working in those areas.

Now, in order to use the Cuckoo Sandbox which I think many of the online service providers today have their systems built around Cuckoo (no proof to this claim!), you will need a dedicated machine. The installation process itself is also not simple for some, but it could be a piece of cake to others (not saying it is for me!), so this VM could save you the trouble of:
1. Need to purchase or dedicate a whole machine for Cuckoo (it is worth though!)
2. Need to go through the installation process

Before moving forward, if any of the figures below is not clear, just click on it to enlarge it.

INTRODUCTION
The Cuckoo VM is running Cuckoo in what is called a “Nested Virtualization”. What that means, well first let’s check this general architecture as seen in figure 1.1.

Figure 1.1 – General Architecture
Continue reading

Posted in DFIR, Forensics, Investigations, Malware, Virtualization | Tagged , , , , , , | Comments Off on Howto Setup and use the CuckooVM v2

Investigating Windows Systems (Book Review)

Hello,

We have a saying in Arabic “ان تأتي متآخراً، خيراً من أن لا تأتي أبدا” and in English “Better late, than never!”. This is my review to Harlan Carvey‘s last book titled “Investigating Windows Systems” which I should have wrote a long time ago (Sorry Harlan)!

If you have been reading for Harlan over the years (like I have), then this book is totally different than those. It is not about a specific Windows version and it is also definitely not about Windows Registry. You might be asking “Then why should I be interested and why is the title about Windows?” This is what I will explain in this post. A couple days ago, Harlan wrote a post about “Improving Your DFIR Skills” adding to another great post by Brett Shaver’s post titled “Want to improve in #DFIR? Study someone else’s case work.” discussing the same concept. I’m not going to repeat what they discuss in their posts, because I’m sure they are well written and share great ideas, I’m just going to explain how this is true from my experience as an instructor and how Harlan’s book is a good choice for you.
Continue reading

Posted in Books, Forensics, Investigations, Windows | Tagged , , , , , , , , , | Comments Off on Investigating Windows Systems (Book Review)

Cuckoo VM for Malware Analysis

If you do not want to put some time in installing your own Cuckoo Sandbox for different reasons, then you could just download the Virtual Machine (VM) that I have prepared. What I’ve done is get Cuckoo to run in a VM, so you might be asking what does that mean? Well, it means that first Cuckoo is running in a VM and second that Cuckoo will be running its analysis within another VM. Yes, a VM in another VM or what is technically called “Nested Virtualization“. I used VMWare for my VM, but since I’ve exported it to OVA, then you should be good to just import and run.
Continue reading

Posted in Forensics, Malware, Research, ThreatHunting, Virtualization | Tagged , , , , , | Comments Off on Cuckoo VM for Malware Analysis

Acquiring Linux Memory using AVML and Using it with Volatility

This is another quick post going over the process to acquire memory from a Linux system, but instead of using LiME, I’m going to use AVML which stands for Acquire Volatile Memory for Linux, and could be found here. The tool has been developed by Brian Casewell for Microsoft and is a “userland volatile memory acquisition tool”.

AVML tries to acquire memory from the following memory sources:

    /dev/crash
    /proc/kcore
    /dev/mem

The installation is straight forward and well documented on the Github page. I used the build on Ubuntu, which is really just “copy & paste” no super power required there, thanks to Brian! One note is there are two builds, one will provide an upload feature to upload the images to Azure and the other build without that. The size is really small, mine with full features was 5.5MB. After finishing the build you will find the binary (at least on my system) under:

./target/x86_64-unknown-linux-musl/release/

Continue reading

Posted in DFIR, Forensics, Memory, Software/Tools | Tagged , , , , , , , | Comments Off on Acquiring Linux Memory using AVML and Using it with Volatility