.: Sarah's Blog :.

Link Files Forensic Cheat Sheet

20/04/2012 12:56PM

I have created a one page 'cheat sheet' for Windows link file analysis. The information comes mostly of the link file paper written by Harry Parsonage who has kindly allowed me to use his wording for the cheat sheet. I hope to make a series of these on different forensics topics so if anyone has any suggestions please get in touch or add a comment to this post.

Click on the image below to get to the full size PDF.

Rabbit Vaccines

19/04/2012 05:00PM

Last month a new vaccine was released in the UK for rabbits called Nobivac Myxo-RHD. Normally rabbits need two vaccines every 6 months for Myxomatosis and RHD separately, however this new vaccine combines both vaccines together and only needs to be given every year, effectively quartering the cost of vaccines and reducing the stress the rabbits have when going to the vets. We have just taken our rabbits to have the vaccines so they can continue to enjoy grass and dandelions from the garden.

Steven nearly joked with the vet that he wasn’t sure about giving the bunnies a combined vaccine – it might give them bunny autism just like MMR did with kids (NOT)!!!! Jokes aside, the number of people on internet forums that seem to think they have just randomly poured the two separate vaccines into one and not tested it at all is absurd. According to the documentation all the side effects are: a slight raised temperature (normal after a live vaccine, the body is fighting it off to become immune) and small swelling of vaccine site.

What is very interesting is that Myxomatosis vaccines are illegal in Australia. They have such a big rabbit overpopulation problem in the wild, that they introduced Myxomatosis in the 1950s to try and kill them off. Because of the potential for the live virus in the vaccine to spread into the wild, this could result in wild rabbit Myxomatosis immunity causing the population to grow again. It’s a shame that many Australian pet rabbits have to needlessly die from the disease just because there are too many of their wild cousins about.

Long story short: Vaccinate your bunnies with the new combined vaccine!

Cinc Sentits

19/04/2012 02:21PM

Two weeks ago I went to Barcelona for a quick break. I’m a wee bit partial to fine dining and from December last year we decided to always eat at a Michelin starred restaurant (where possible) in whichever city we were holidaying in. For Barcelona, we picked Cinc Sentits for three reasons: firstly it wasn’t all fish based (Catalonia seems to be a bit obsessed with fish), secondly it wasn’t fully booked as you can only booked up to 2 weeks in advance and thirdly it was authentic Catalan cuisine. I don’t see the point in going to a fancy restaurant if they aren’t going to serve you food from the region, or at least hints of the area.

Cinc Sentits is very small and intimate. It means ‘five senses’ in Catalan and only serves tasting menus - the idea being to try lots of small courses to stimulate the senses. The menu is very simple; there is a long 8 course option, or the short 6 course option. Between Steven and my allergies, we could not eat much of the short option so had to go for the longer one, making the decision of what to eat very easy!

Spring vegetables, jamón cream, poached quail egg

Caramelized foie gras coca, thin pastry crust, glazed leeks, chive arrope

Chestnut velvet, smoked quail breast, sherry gelatine, black truffle

Bullit de peix & arròs sec, saffron allioli

Pyrenees veal cheek - 8 hours sous-vide, black truffle, celery sorbet

Raspberry sorbet, pistachio cake, vanilla bean cream

Chocolate, violet, lime, strawberry, red currant, blood orange

The sugars for the tea & coffee

Overall the food, service and ambiance, as expected, was amazing. Perhaps the only thing I was imagining more of was the “five senses” element. My taste buds and eyes loved it, but I thought we would get some more experimental stuff with sounds (such as Heston Blumenthal who plays crunching noises when eating crispy food) or finger food for the touch sense. Never mind, definitely recommended!

File tunnelling: weird creation timestamps

25/03/2012 06:40PM

File tunnelling is a little known Windows capability that stems back from MSDOS days. In MSDOS, a ‘safe save’ was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name whilst also retaining the original files metadata. Windows NT also does this on FAT and NTFS to ensure that 16-bit applications can do a safe save, and this is called file tunnelling. This effects all Windows OSes including XP and Windows7.

Unfortunately this ‘feature’ means that creations times for files are often not quite correct. Take figure 1. This is what you would expect to happen when you have a file A, and replace it with file B. File A has been deleted and file B renamed to file A. The new file A has the creation timestamp of File B, as it was this file in the first place.

Expected results when replacing a deleted file.

However, if the delete/replace happens in less than 15 seconds, then File A will retain its original creation date! This can be shown in Figure 2, where file B has again replaced file A, but instead of having file B’s creation timestamp, it now has file A’s creation timestamp.

Actual results when replacing a deleted file within 15 seconds of deletion.

According to the Windows support page, the following 4 actions can cause this effect:

delete(name)/create(name)
delete(name)/rename(source, name)
rename(name, newname)/create(name)
rename(name, newname)/rename(source, name)

The Windows support page also has useful information like how to change the default 15 seconds and to remove this feature completely - both require registry edits.

To test out file tunnelling I wrote a simple python script that will either rename FileA as a temp file, or delete FileA. In either case, FileB is then renamed to FileA. In all cases under 15 seconds, FileA’s creation time was kept, but over 15 seconds, FileB’s creation time was kept. As you can see from the command line output, with a 14.9 second delay the overwritten file got the original file's creation date, but at 15 seconds, it got the new file's creation date.

Command line output of Python script

Realistically, programs which automatically overwrite or replace files in this way will not take more than 15 seconds to do so and even slow humans take less time than this to rename a file. Therefore, it is likely that the original creation date will be maintained even if the file is overwritten regularly, and careful consideration of this must be taken when evaluating creation date timestamps for forensic investigations.

import time
import os

file1 = "file1"
file2 = "file2"
file_tmp = "file0"
wait_period = 20 # seconds between creating 1st and 2nd files

def run_test(rename_delay, rename=True):
    """ Parameters:
    rename_delay - the amount of seconds delay between deleting/renaming 
    1st file and renaming 2nd file as the 1st file. 
    rename - True if you want to rename 1st file as a temp file, or False if 
    you want to delete the first file."""
    
    # remove old files
    if os.path.exists(file1):
        os.remove(file1)
    if os.path.exists(file_tmp):
        os.remove(file_tmp)
        
    print "\nRunning test\n============"

    # create the original file
    with open(file1, 'w') as file_1:
        file_1.write('First file')
    print "File '{}' created at {}".format(file1, os.path.getctime(file1))
        
    # wait
    print "Waiting {} seconds".format(wait_period)
    time.sleep(wait_period)

    # create second file
    with open(file2, 'w') as file_2:
        file_2.write('Second file')
    print "File '{}' created at {}".format(file2, os.path.getctime(file2))
    
    if rename:
        # rename first file to tmp file
        os.rename(file1, file_tmp)
        print "File '{}' renamed to '{}'".format(file1, file_tmp)
    else:
        # or delete the 1st file
        os.remove(file1)
        print "File '{}' deleted".format(file1)
        
    # wait
    print "Waiting {} seconds".format(rename_delay)
    time.sleep(rename_delay)
    
    # rename second file as first file 
    os.rename(file2, file1)
    print "File '{}' renamed to '{}'".format(file2, file1)

    if rename:
        print "File '{}' created at {}".format(file_tmp, os.path.getctime(file_tmp))
    print "File '{}' created at {}".format(file1, os.path.getctime(file1))
    
run_test(0, True)
run_test(14, True)
run_test(14.9, False)
run_test(15, False)

Windows Shellbags Forensics

03/03/2012 03:48PM

There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensics information. One of the most recent that I’ve learnt about are the shellbag entries. These keys are stored in the users ntuser.dat file, and store the viewing settings for users folders – e.g. the size, position and icon of a folder. Whilst folder sizes might not be useful, it does mean that every folder the user has visited at least once is stored in the registry; thereby giving a full account of all folders accessed, including network drives and removal storage drives. William Ballenthin gives a good account of how the shellbags are stored in the registry, and it’s pretty complicated...no simple way of getting the folder structures out.

Conveniently, he has also written a lovely Python script which can you download on his GitHub account that parses out the shellbag entries for you. I noticed that some of the stuff the Python script spits out is superfluous, and it also just prints out to screen. I therefore forked his script and removed some of the output and then made the script output to a CSV file with timestamps Excel would understand. You can download my version of the script on my GitHub account.

UK Digital Forensics Conferences 2012

05/02/2012 02:17PM

Last year I did a post with the symposiums and conferences I found relating to digital forensics for the coming year as I could not find an authoritative source. Here is the 2012 list. Please add any more conferences as a comment or email me and I'll add them in. I'm sure there will be at least one more entry from Napier Uni 's fantastic Cybercrime Symposium series!

Event	Date	Website	Location
Cyber Defence & Network Security	24 – 27 January	http://www.cdans.org/Event.aspx?id=598092	London, England
ACPO National Cyber Crime Conference	8 – 9 February	http://www.corporateitforum.com/activities-and-events/details/948-acpo-national-cyber-crime-conference	Sheffield, England
Cyber Security and Data Protection	10 Feb	http://cybersecurity.holyrood.com/	Edinburgh, Scotland
Information Security Executive Summit 2012	28 - 29 February	http://www.informationsecuritysummit.com/conference-programme.html	Richmond Upn Thames, Endland
e-crime congress	13 – 14 March	http://www.e-crimecongress.org/congress	London, England
11th European Security Conference & Exhibition	15 – 17 April	http://www.sourcesecurity.com/events/free-event-listing/11th-european-security-conference-and-exhibition-2012.html	London, England
InfoSecurity Europe	24 – 26 April	http://www.infosec.co.uk/	London, England
The 2nd International Conference on Cybercrime, Security and Digital Forensics	14-15 May	http://www.cyberforensics.org.uk/	London, England
National Informarion Security Conference	13 – 15 June	http://www.nisc.org.uk/	Cumbernauld, Scotland
CFET 2012 : Cybercrime Forensics Education & Training.	September (TBA)	http://www.canterbury.ac.uk/social-applied-sciences/computing/conferences/CFET2012/home.aspx	Canterbury, England
19th International Computer Security Symposium	30 Sept – 4 Oct	http://www.cosac.net/default.html	Naas, Ireland
The 7th International Conference for Internet Technology and Secured Transactions	10 – 12 December	http://www.icitst.org/	London, England

I shall be attending the ACPO National Cyber Crime Conference next week in Sheffield. See some of you there!

Thoughts on the UK Cyber Security Strategy

07/12/2011 09:29PM

In November the UK government released the “UK Cyber Security Strategy” which can be downloaded here. There are four main objectives which will be funded by £650million over 4 years under the “National Cyber Security Programme” (NCSP). The objectives are:

To tackle cybercrime and be of the most secure places to do e-business
To be more resilient to cybercrime
To help shape an "open, stable and vibrant cyberspace"
To have knowledge, skills and capacity to carry out all cyber security objectives

The paper goes on to describe cyberspace, what the current and emerging threats are and an expansion of the four objectives listed above. Finally, in "Annex A", is a table outlying the actual implementation of the objectives. This is perhaps the most interesting bit, so if you don’t feel like reading all 42 pages, just skip to the Annex.

I was at the Symposium on Security Risk, Cybercrime and Critical Infrastructure yesterday (more in a future post) and a number of speakers spoke about this paper and what their thoughts were on it. The thing that struck me first was the number of different organisations mentioned in the paper that would be created, involved, consulted or partnered with. The main section doesn’t really talk much of a person or group who will be in charge of the coordination of this multi-organisational effort, but tucked away in the Annex on the very last page is action 6: “put in place clear leadership of cyber across Government, with a dedicated minister and oversight at the highest levels of Government”. I think this merited a little bit more of a mention, but it will be interesting to see who this is and how they can steer the direction of the NCSP, as the gist seems to be about collaborating with the right groups to get the right information to the right people at the right times. The groups mentioned in the report are (in no particular order of importance, and perhaps I’ve missed some out):

Cabinet office

Office of Cyber Security and Information Assurance

National Crime Agency
The Serious Organised Crime Agency (SOCA)
GCHQ

Joint Cyber Unit

Ministry of Defence

Joint Forces Command
Defence Cyber Operations Group
Global Operations and Security Control Centre

Home office
Department for business, Innovation and Skills
Government ICT
Single Intelligence Account
United Nations

Group of Governmental Experts

European Commission
External Action service
Organisation for Security and Cooperation in Europe
Centre for the Protection of National Infrastructure (CPNI)
Government Office for Science
Metropolitan Police Central e-crime Unit
UK Council for child Internet Safety
National Fraud Intelligence Bureau
British Retail Consortium
The Technology Strategy Board
The Engineering and Physical Science research Council
UK Trade and Investment
Broadband Stakeholder Group
International Telecommunications Union

Now that’s a lot of organisations or subgroups! Another one of the problems I see is the lack of clear solutions to how they will educate the general public. It mentions quite frequently that 80% of the cybercrime today can be solved using antivirus/security software, keeping up to date with the news of cybercrime and being vigilant. It’s basically down to the individuals to do this – I think if the general public could follow this advice we won’t be in the state we are in now! It mentions that by March 2012 they will have conducted research how to educate people, including in higher education, but I don’t think they are doing or will do enough for the average middle aged non tech-savvy person like my parents, who certainly aren’t going to get much out of the dull getsafeonline.org which is currently all that really exists.

One of the things a speaker at yesterday’s conference said was that the paper lacks support for self started schemes by businesses and academia. It has plenty of Government funded initiatives, but doesn’t mention helping anything else. Businesses won’t use their own initiative if they don’t think they will get the support of the NCSP, and if the groups mentioned in the report are slow to collaborate then I see this proposal taking a very long time to get its feet off the ground.

Christmas Gift Wrapping

27/11/2011 04:36PM

I usually make my Christmas present wrapping paper themed, and this year's is very homemade and red. They look really nice and are very simple to do (and quite cheap if you have lots of arts & crafts material lying around).

My Christmas presents so far (I'm far too organised..)

A close-up of one of the presents.

For the very basic wrap you will need brown packaging wrapping paper and red ribbon. I then accessoried mine by adding Bakers twine (red and white string) with the red ribbon, and threading through a little wooden Christmas tree button. I added some red bobble-type things from Hobbycraft and stuck on some stencils of snowflakes using my snowflakes cutter. Finally, I stamped the person's name on the gift rather than using traditional tags.

The materials you will need (top left to bottom): bakers twine, snowflake stencil punch, red & white tags, red bobble decoration things and wooden buttons

My alphabet stamp set. I use the large ones for big presents, and the smaller stamps for small presents.

Kilimanjaro: Day 7

16/10/2011 04:27PM

Day 7: Another 5 hour walk down to the Mweke gate. The path turned hideously muddy and steep downhill, so the pace was very slow so we wouldn’t fall over and get absolutely covered in mud. Going downhill was more painful than uphill; your knees, toes, thighs ache with every steep, slippery step. We saw a lot of cute monkeys with very bushy tails, called Colobus monkeys.

Colobus monkey!

Finally, after what seemed like an eternity – the gate appeared. Many locals were along the path collecting twigs, logs and leaves. We registered our departure with the gatekeepers and then waited for Silvano to arrange a bus back. We expected a small bus like the one that took us to the gate, but Silvano managed to find one hell of a Jeep which ended up bumpier than Mr Bump in a ball pen.

The ride back to the hotel.

It was sad leaving the beautiful mountain behind, but to be honest all I was thinking out was a nice hot lunch at the hotel, and more importantly, a hot shower. Due to being a bit late getting to the gate, we arrived at the hotel with only 30mins left for lunch, so had to eat immediately or risk not getting any food until 7pm. So we exhaustedly sat and ate the buffet looking like total wrecks. We were both covered in dirt, our hair not washed for 7 days (I hadn’t even taken out my plaits I’d done one day 1) and our clothes brown. We sat next to 4 female middle-aged Canadians who had permed hair, beautiful manicured pink nails and plenty of make-up. One looked horrified to see our appearances. After asking a few questions they told us they hired a porter to bring a portable toilet with them, and would “pay someone” to put up their tents as one had “a bad knee”. Hmm, not sure they really prepared for this. One even commented at dinner when I had had a shower that I looked “more normal now”. Geez, thanks old lady.

After a wonderful shower and a change into fresh clothes we sat out in the gardens and discussed tipping of the porters with Taryn and Lorena. The company gave out a guide to roughly what they should all get, and we ended up giving $200 each towards the tip. Silvano, Abell, the chef and the assistant chef Hatibo gathered together to hand over the tip, and discuss how we thought the trip went. This was awkward, us Brits don’t like sharing feedback so openly! In all honesty, they were amazing. The team were a great bunch of people and Silvano was especially helpful when I felt really quite ill. It was sad leaving, but I don’t think I’ll be back trying to get to the peak. Camping is not my strong point, and altitude sickness is really quite horrible. However, Tanzania is an amazing country. I would definitely go back to do a safari.

Goodbye Kilimanjaro, asante sana kwa ukarimu wako!!

Kilimanjaro from the taxi ride back to the airport.

Unicode making malware easier

16/10/2011 04:09PM

I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print "Hello[U+202E]World", produces the output: Hello dlroW. I'm not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are generally not. You can 'trick' a user into thinking a file is a JPG by using this special unicode character. If you named your malware executable ClickHer[U+202E]gpj.exe for example, you'd end up with a file called ClickHerexe.jpg.

I had a go at making a simple executable (don't worry, it's just some ASCII art). In true malwaresque style, I have named it something enticing (see screenshot below). You can download the Python code to make the 'malware' here. Essentially I made a batch file, and then used Bat To Exe Convertor to change this into an exe file. I then opened this up into a hex editor, copied out the hex and then used Python to recreate the file with the dodgy name. I didn't have any luck just renaming the file, Windows was being awkward when I tried to paste in the unicode character. I know this is a very roundabout way of doing it, but I leant a bit about exe files and Python's hex capabilities. Python has a very easy way to convert pure hex into a file:

import binascii
hex = '4D5A90' # shrunk massively to be an example. 
# Note that the first two characters are 4D5A, which is MZ: the standard .exe header.

hb = binascii.a2b_hex(hex)
filename = u'EmmaWatsonS\u202Egpj.exe'	# unicode characters in Python start with \u

with open(filename, 'wb') as malware:
    malware.write(hb)

Note that Windows still thinks it is an application and not an image, so the tuned-in user should spot something is awry when the default icon is not of a JPG (and of course no mini preview of the image is available) but of an application.

Screenshot of my example executable disguised as a JPG.