A Day in the Life of a Cyber Tool Developer



Similar documents
TZWorks Windows Event Log Viewer (evtx_view) Users Guide

How To Use The Tzworks Eventlog Parser (Evtwalk) On A Pc Or Mac Or Mac (Windows) With A Microsoft Powerbook Or Ipad (Windows Xp) With An Ipad Or Ipa (Windows 2

EVTXtract. Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, Mandiant Corporation. All rights reserved.

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

CHAD TILBURY.

2013 Open Source Digital Forensics Conference

Advanced Registry Forensics with Registry Decoder. Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference /03/2012

Automating the Computer Forensic Triage Process With MantaRay

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

TZWorks USB Storage Parser (usp) Users Guide

EnCase 7 - Basic + Intermediate Topics

Redline Users Guide. Version 1.12

Microsoft Windows PowerShell v2 For Administrators

Example of Standard API

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

Windows 7 Forensic Analysis. H. Carvey Chief Forensics Scientist, ASI

Guide to Computer Forensics and Investigations, Second Edition

Discovery of Electronically Stored Information ECBA conference Tallinn October 2012

Paraben s P2C 4.1. Release Notes

An automated timeline reconstruction approach for digital forensic investigations Christopher Hargreaves and Jonathan Patterson, DFRWS 2012

Adobe Developer Workshop Series

LoadRunner and Performance Center v11.52 Technical Awareness Webinar Training

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

M6310 USB Flash Drive Tester/Duplicator

Chapter 14 Analyzing Network Traffic. Ed Crowley

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Where is computer forensics used?

FreeForm Designer. Phone: Fax: POB 8792, Natanya, Israel Document2

CS3600 SYSTEMS AND NETWORKS

GoAnywhere Director to GoAnywhere MFT Upgrade Guide. Version: Publication Date: 07/09/2015

Backup & Recovery. 10 Suite PARAGON. Data Sheet. Automatization Features

Events Forensic Tools for Microsoft Windows

EnCase v7 Essential Training. Sherif Eldeeb

Forensics Book 2: Investigating Hard Disk and File and Operating Systems. Chapter 5: Windows Forensics II

DiskBoss. File & Disk Manager. Version 2.0. Dec Flexense Ltd. info@flexense.com. File Integrity Monitor

SecureDoc Disk Encryption Cryptographic Engine

Managing DICOM Image Metadata with Desktop Operating Systems Native User Interface

Computer Forensic Tools. Stefan Hager

Linux in Law Enforcement

Digital Forensics, ediscovery and Electronic Evidence

Paper Robert Bonham, Gregory A. Smith, SAS Institute Inc., Cary NC

Microsoft Vista: Serious Challenges for Digital Investigations

SysPatrol - Server Security Monitor

Release Notes LS Retail Data Director August 2011

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

PRODISC VER. Computer Forensics Family. User Manual. Version 4.8 9/06

Oracle BI EE 11g - Security Auditing

Is the Scanning of Computer Networks Dangerous?

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

The BSN Hardware and Software Platform: Enabling Easy Development of Body Sensor Network Applications

Internet Information TE Services 5.0. Training Division, NIC New Delhi

RECOVERING FROM SHAMOON

Waspmote IDE. User Guide

Network Licensing. White Paper 0-15Apr014ks(WP02_Network) Network Licensing with the CRYPTO-BOX. White Paper

Redline User Guide. Release 1.14

Improved metrics collection and correlation for the CERN cloud storage test framework

Symantec ediscovery Platform, powered by Clearwell

Audit TM. The Security Auditing Component of. Out-of-the-Box

Concepts of digital forensics

Java 7 Recipes. Freddy Guime. vk» (,\['«** g!p#« Carl Dea. Josh Juneau. John O'Conner

DoD Cyber Crime Center

Meister Going Beyond Maven

Digital Forensic Techniques

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

Vembu NetworkBackup v3.1.1 GA

Exchange Mailbox Protection Whitepaper

WhatsUp Event Analyst v10.x Quick Setup Guide

Windows OS File Systems

Incident Response and Computer Forensics

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014

How To Install Powerpoint 6 On A Windows Server With A Powerpoint 2.5 (Powerpoint) And Powerpoint On A Microsoft Powerpoint 4.5 Powerpoint (Powerpoints) And A Powerpoints 2

MPI / ClusterTools Update and Plans

Gentran Integration Suite. Archiving and Purging. Version 4.2

Ans.: You can find your activation key for a Recover My Files by logging on to your account.

DiskPulse DISK CHANGE MONITOR

Digital Forensic Tool for Decision Making in Computer Security Domain

ILM et Archivage Les solutions IBM

Using Open Source Digital Forensics Software for Digital Archives Workshop

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

State of the art of Digital Forensic Techniques

Storage Management. in a Hybrid SSD/HDD File system

Acronis Disk Director 11 Advanced Server. Quick Start Guide

TRIFORCE ANJP. THE POWER TO PROVE sm USER S GUIDE USER S GUIDE TRIFORCE ANJP VERSION 3.10

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection

Mobile memory dumps, MSAB and MPE+ Data collection Information recovery Analysis and interpretation of results

Chapter 12 File Management

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security #RSAC

VMware vsphere Data Protection 6.0

Data Domain Profiling and Data Masking for Hadoop

Online Backup Client User Manual

IceWarp to IceWarp Server Migration

System Structures. Services Interface Structure

Operating Systems Forensics

Tutorial: Packaging your server build

Tivoli Monitoring for Databases: Microsoft SQL Server Agent

Memory Forensics & Security Analytics: Detecting Unknown Malware

Ball Aerospace s COSMOS Open Source Test System

Transcription:

A Day in the Life of a Cyber Tool Developer by Jonathan Tomczak jon@tzworks.net

Jonathan Tomczak ( Front Man ) Software Engineer w/ over 7 years experience working in software and web development Dave Tomczak ( Mad Scientist ) Principal Developer w/ over 30 years of experience working with DoD, Federal Agencies and Industry

Lacey Rescued Belgian Shepherd Female, 65 lbs. Under 2 years experience Good at catching moving objects

Develop Digital Forensics Tools - Live Collection (ntfscopy, ntfswalk, nx/nxx, ) - Artifact Analysis (yaru, evtx, sbag, jmp, usp, ) Develop Custom Security Solutions - System Monitoring

1. Tool Development Philosophy 2. Problems facing Forensic Investigators 3. Tool Automation 4. Demo Scripting an E-Discovery Solution 5. Rendering NTFS 6. Automating Extraction of NTFS 7. Demo Utilizing GENA in a Workflow 8. Summary

Code written in C/C++ Source code portable across Linux, Mac and Windows Handles 32 or 64 bit Operating Systems Archived in source control system so any version can be retrieved Libraries are designed as re-usable modules and can be leveraged into new or existing tools. Time to develop a new tool is much faster (1-2 months) Bug fix turnaround time is quicker and affects all tools using that module. Finished Tool(s) are registered to the US Copyright Office

Our in-house libraries are rather extensive and include Time Conversion Unicode Conversion Socket wrapper library Registry internals NTFS internals VMWare internals Threading Event log internals NT Kernel internals NT memory internals PE internals Crypto SQLite internals Etc TZWorks uses very few 3 rd party libraries FOX for GUI apps STL/C++ libraries C/C++ runtime libraries

All binaries (built for Windows and Mac) are signed with an X509 TZWorks code signing certificate that was issued by the Certificate Authority GlobalSign. As part of the post build process at TZWorks, all binaries are embedded with their own hash. This allows self validation to occur during runtime to ensure they have not been tampered with. Any mismatch of the computed hash with the embedded hash will report an error.

Needed for RE Category GUI CLI Ease of use View multiple things at once Control Speed Less System Resources Scripting Remote access x x x x x x x Both are needed for Artifact RE and Tool Development. Therefore, we build GUI Tools to help out in RE and CLI for the heavy lifting of processing the data

Use API calls & read docs CLI Tool1 Analyze raw data in Hex Editor Build a Viewer (Reconstruct data structures interleaved with raw hex dumps) CLI Tool2 Modular Library CLI Tool3 Modular Library Modular Library Modular Library

1. Started with the Windows Native API calls for NTFS reads/writes (Gary Nebbett s book) 2. Examined the raw NTFS images using a Hex Editor. 3. Built an NTFS Viewer (ntfs_view) to look at the internals of raw cluster data. This allowed us to view the known NTFS structures with the unknown data (by intermingling structured output with hex dumps). 4. Generated re-usable modules for Windows raw cluster reads and NTFS traversal and ported them to Linux and Mac. 5. Leveraged re-usable modules, was able to build ntfsdir, ntfscopy, wisp, jp, and any tool requiring access to locked down files.

How do we simplify the job for the analyst? - Rendering Intelligence out of data - Ease of Use - Automation - Live Extraction

- Currently massive amount of time just for data collection - Automatic processing of entire drives can be unrealistic - As hard disk drives get larger, less feasible to image and then process entire drive

- Processing a single hard disk drive image can easily take up to a few days. - Fully processing and analyzing every byte of data from numerous drives can take months - While it may be feasible to process all the information on a person of interest, it is not timely for an entire company in order to find accomplices, etc.

- Subject Matter Experts (SME)s are expensive: Training Experience Need to maintain a current state of knowledge on the ever changing state of technology - Due to sufficient lack of expert analysis, incriminating evidence can often be overlooked.

How do we simplify the job for the analyst?

usp will read the live registry hives and setup API log, parse out the relevant USB data, and combine the results into a report for quick analysis.

Windows Event Log Parser (evtwalk): Parsing USB events

usp evtwalk Point of Reference More Input! jmp lp sbag Timeline ntfswalk

Batch Script for Live Collection - Read specified raw artifacts from a live system - Parse the artifacts - Archive post processed results to a designated directory

Scripting an E-Discovery Solution

Windows $MFT and NTFS Metadata Extractor Tool (ntfswalk) $MFT extracted file Drive [dd image] Volume [dd image] Deleted Time range Extension Extract header Normal data Default csv Body file Source Filter Extract Results Drive [live system] Volume [live system] VMWare monolithic disk Name Inode range Normal data w/slack Extract cluster info Log2timeline File vice stdout Misc Options

*NEW* Windows $MFT and NTFS Metadata Extractor Tool (ntfswalk) $MFT extracted file Drive [dd image] Volume [dd image] Deleted Time range Inode range Name(s) Extension(s) Normal data Header Info Data w/slack Cluster info Default csv Body file Source Filter Extract Results Drive [live system] Volume [live system] VMWare monolithic disk Binary signature Binary pattern Directories Unalloc Clusters Ads/indx data All Data Hash Data Log2timeline File vice stdout Misc Options

ntfs_view ntfswalk ntfscopy GENA wisp ntfsdir

Select Directory to Analyze

Filtering Options Select Files to Add to Analysis Current Selected Files and Options

Utilizing GENA in a Workflow

Simplifying the job of the analyst - Intelligence from multiple sources (Data Correlation) - Render data so that it is easy to understand - Scriptability for automation - Live extraction of target systems Tool Development is unique to every shop - Create tools that work across multiple operating systems - Easy to maintain and straightforward to expand in capabilities - Cumulative knowledge of the Windows OS, allows short development times for new or custom tools.

Jonathan Tomczak www.tzworks.net jon@tzworks.net Office: +1-703-860-4539

1. Started with the Windows Native API calls for NTFS reads/writes (Gary Nebbett s book) 2. Examined the raw NTFS images using a Hex Editor. 3. Built an NTFS Viewer (ntfs_view) to look at the internals of raw cluster data. This allowed us to view the known NTFS structures with the unknown data (by intermingling structured output with hex dumps). 4. Generated re-usable modules for Windows raw cluster reads and NTFS traversal and ported them to Linux and Mac. 5. Leveraged re-usable modules, was able to build ntfsdir, ntfscopy, wisp, jp, and any tool requiring access to locked down files.

1. Started with the Windows API calls for Registry reads/writes. 2. Examined raw registry hives with a Hex Editor and reviewed available documentation 3. Iteratively built a Registry Viewer & companion cmdline version that didn t rely on Windows API calls (eg. yaru). Incorporated many capabilities in yaru to analyze and test internal structures in the Registry hive. Some options were stubbed out of the DFIR version of yaru (eg. the write capability). 4. Generated re-usable modules for Windows registry traversal and ported them to Linux and Mac. 5. Leveraged re-usable modules, was able to build sbag, cafae, usp, and other tools.

1. Skipped the Windows API calls for eventlog reads/writes and read the paper on Vista event log format by Andreas Schuster. 2. Examined the raw evtx files using a Hex Editor and compared them to the processed records from built-in Windows tools. 3. Built an EVTX Viewer (evtx_view) to look at the internals with just raw cluster data. Same theme as before 4. Generated re-usable modules for Windows raw evtx file parsing and ported them to Linux and Mac. 5. Leveraged re-usable modules, was able to build evtwalk and any tool requiring access to parsed data from evtx (or evt) files.