It is a common task for a computer forensics investigator to boot a machine using boot-able media in the form of DVD or USB and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensics analysis.

Windows PE (Pre-installation Environment) is a minimal Win32 based operating system, typically used for automating deployments by booting into PE via local or PXE boot methods and then imaging or running installations of various operating systems. Version 3.0 of PE included in the latest Windows Automated Installation Kit (AIK) is based on the Windows 7 kernel.

Getting Started

To get started, you need the AIK which can be downloaded from the Microsoft web site. After the installation, you will need to begin working on creating and customizing a WinPE image for your forensics boot disc/drive.

Make WinPE into WinFE

If you used WinPE as is and booted it up, it would mount available disks and may lead you in the wrong direction in terms of preserving evidence by changing the state of the drives. WinFE, which stands for Windows Forensics Environment, is based on a document written by Troy Larson, a Forensics Specialist at Microsoft. When this document was written, it was geared toward WinPE 2.1, so there are a few differences in some of the steps I will document in this post, which is intended for version 3.0.

The point of WinFE is that the PE environment boots without mounting physical disks. You can then use imaging tools to capture the disk or mount it in read-only mode to run some tools against the target OS immediately without modification to data in the environment, which in this case could be evidence.

Let’s get to it

CopyPE Command

Begin by launching the Deployment Tools Command Prompt (as an administrator). In the following examples, I am using c:\temp\winFE as the path where my PE image is processed, built, etc. The first step is to generate the basic structure and .wim file:

copype.cmd x86 c:\temp\winFE

This command will create the Windows PE customization working directory. The next step is to mount the default image file so that you can then make some necessary changes: including changing the registry settings to ensure disks are not mounted at bootup and to add any tools or software you need. AIK Version 3.0 includes dism.exe, which replaces peimg.exe, and can be used to mount and unmount images like imagex.exe:

Dism /Mount-Wim /WimFile:c:\temp\winFE\winpe.wim /index:1 /MountDir:c:\temp\winFE\mount

Mounting Image

This command mounts the PE image in the c:\temp\winfe\mount directory. If you navigate there, you’ll see a Windows directory which is the instance of PE that will boot when you finish the process. We need to make some registry changes to the PE registry to prevent mounting disks on start up.

• Open up the registry editor, highlight HKEY_LOCAL_MACHINE and click on File, Load Hive.
• Browse to the mounted PE image and in the Windows\System32\Config directory, choose the file SYSTEM (no extension).
• Choose a friendly name such as PE-System.

Now under HKEY_LOCAL_MACHINE there will be another hive called PE-System. Make the following changes in this hive:

• Add NoAutoMount key to \ControlSet001\Services\MountMgr\ with a DWORD value 1
• Add SanPolicy key to \ControlSet001\Services\partmgr\Parameters with a DWORD value 3

Unload the hive by selecting it and clicking on File, Unload Hive.

Branding

Now with our registry changes made, we can make any additional customizations prior to closing up the image. You can “brand” your forensics boot with custom wallpaper by adding winpe.bmp to the mount\Windows\System32 directory.

Required Tools

With the image mounted, anything you add to c:\temp\winFE\mount (or if you modified it, the directory you used for the mount) will be a part of the image and boot with your PE boot. For example, I like to create a Tools directory under mount, and in there place tools such as FTK Imager Lite, dd, and netcat. You can of course add any tools of your choice.

If you are familiar with Regripper, this would be a good place to have it as you can get some information from the registry before starting any imaging process. You can add a portable version of Perl, such as Strawberry Perl to the tools directory, and add the Regripper tools. I’ll show Regripper in an example later when booting WinFE.

For tools that require a CYGWIN environment, you can add use this portable version of CYGWIN and have this environment available in PE.

Custom Scripts

Being that this is a Windows environment, you can write some VBS/WMI scripts to gather some information as well. Since WMI is not added by default to the base WinPE image, you have to add this package:

dism.exe /image:c:\temp\winFE\mount /add-package
/packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-wmi.cab"

Adding WMI Package

I also added hta and scripting support:

dism.exe /image:c:\temp\winFE\mount /add-package
/packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-hta.cab"
/packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-scripting.cab"

Add Scripting and HTA packages

Here are two examples of some WMI queries you can use in your forensics boot:

• BIOS.vbs – Retrieves information about the system BIOS.
• disk.vbs – Retrieves information about disks.

Powershell?

A major issue I have with WinPE is Microsoft’s failure to provide a supported dotNet option. This removes any possibility of using powershell or creating custom applications with VB.Net. This leaves us with vbs/wmi/VB6 until dotNet support is available.

Finalize the Image

Once the registry changes are made and you’ve added all your tools and software into the mounted directory, you write and close the image:

Unmount the Image

Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount\ /Commit

Note that this isn’t final, you can always mount the image again, make changes, add new analysis software, etc. using the same steps above, then commit the changes and create a new ISO file.

Copy the resulting winpe.wim file (c:\temp\winfe) into ISO\Sources\boot.wim:

copy c:\temp\winfe\winpe.wim c:\temp\winfe\iso\sources\boot.wim /Y

Generate the ISO

With our image ready, it’s time to generate the ISO. First, we don’t want the usual “Hit any key to boot from CD message” as we don’t want to risk booting from the local disks. To eliminate this message, delete the file bootfix.bin from the ISO\boot directory (c:\temp\winFE\ISO\boot).

oscdimg -n -bc:\temp\winFE\etfsboot.com c:\temp\winFE\ISO c:\temp\winFE\forensics-boot.iso

This ISO file can now be burned to CD/DVD or used in a VM environment to test it out. If you intend to use a USB drive, you can prepare it by doing the following:

• In a command prompt, run diskpart
  • select disk # (the # should refer to the USB disk, use “list disk” to determine)
  • clean
  • create partition primary
  • select partition 1
  • active
  • format fs=fat32
  • assign
• Then, copy the contents of the ISO directory to the USB disk
  • xcopy c:\temp\winFE\iso\*.* /s /e /f e:\ (change e: to reflect the drive of your USB key)

Let’s Boot

Booting WinFE

Take your WinFE boot-ready device and boot a workstation, VM, or machine of your choice. I had a Windows XP VMWare instance which was my target device to investigate. I configured VMWare to use the ISO for the CD-ROM device and rebooted it.

At first glance, it will look just like Windows 7 booting. Remember, WinPE 3.0 is based on the Windows 7 kernel. When booted, your custom wallpaper configured earlier in the post will display with a command prompt and you will be in the \Windows\System32 directory. This directory is part of the PE operating system, not the target OS which we will analyze. Change to the root directory and will you will see any directories created (such as Tools) when we customized the PE.

Checking drives in Diskpart

We can double check that the registry key worked and did not mount our target drive. Run diskpart, then type “list vol”. You will see a Volume which is Offline and has no drive letter, perhaps more than one. These are drives we may want to mount read-only and analyze. My VM has a single 8GB drive which is Volume 1, so that is my target.

Set your disk to Read-only

Let’s get this mounted in read-only mode so we can poke around and get some preliminary information prior to imaging. In diskpart, select the target volume (select vol), then set it to readonly (att vol set readonly). Now we can double check with the “detail vol” command where ‘Read-only’ should specify ‘Yes’. We can mount this by assigning a drive letter (let’s assign letter=F). The F: drive is not available in read-only mode, preserving the evidence but giving access to the data that can be beneficial. In testing this process, try to write to the mounted drive (see screenshot for example). The message will come back “The media is write protected” if everything is set up properly.

Analyze This

Depending on how you customized your WinFE image, and what tools you added, you have many options to gather some information that can be useful prior to the potential time consuming imaging process. I mentioned RegRipper before, this tool can be used to get valuable information from the registry of our target. You could use other varieed tools to gather initial data or go straight to imaging software such as FTK Imager Lite. Here are some screenshots of the various tools running in WinFE:

RegRipper in WinPE w/ Strawberry Perl

FTK Imager Lite

CygWin in WinFE

VolumeDump from George M. Garner Jr's FAU

Finally

Ultimately, this was an exercise in reviewing ways that WinPE can be used for forensic purposes. It is another option to be aware of, and for those who are more apt to a Microsoft environment this may be your preferred boot method. Hopefully, Microsoft will create a dotNet cab file that can be added as a package to WinPE, as this would create further options for creating Win32 dotNet programs to run within the WinFE environment and opening up Powershell for scripting within WinPE.

UPDATES

16 April 2010 – Brett Shavers shared a link with us that includes a great instructional PDF and even a batch file to create the WinFE ISO for you.

Related Posts:

• Reactivating DECAF in Two Minutes
• Forensics: Beverages Aside, A Look at Incident Response Tools
• Regular or Decaf? Tool launched to combat COFEE
• Taxonomy of Forensics Geeks
• More COFEE Please, on Second Thought…

The misinformation on DECAF being shut down and a hoax is alarming and the quality of reporting on this security topic actually worse than usual. Earlier tonight we noticed this update from @slashdot on Twitter: “DECAF Was Just a Stunt, Now Over”, along with this: “Anti-COFEE tool taken down & d/l’ed copies disabled.”. Ok, fair enough, releasing DECAF was a stunt according to its two creators. We listened to this bizarre podcast where the developer was asked to take DECAF down. Finally we saw this train wreck of an article by Nick Eaton, the Microsoft Reporter over at the Seattle PI Blogs. So now we’re going to respond, because the incorrect DECAF as a big hoax story, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shut down appears to only be a call back to decafme.org that is now disabled, but is easily spoofed, and we’ll demonstrate how.

The story is this, users visiting the http://www.decafme.org/ were treated to the screenshot shown below stating that DECAF “no longer works” because the release “was a stunt to raise awareness for…the need for better forensic tools”. The thought process isn’t terrible, DECAF is a simple, clearly quickly written, and unsophisticated Visual Basic 2005 application designed to show the simplicity of thwarting the COFEE forensics tool. You can also see where Microsoft and others have a problem with the application. The application is designed to detect the presence of the Microsoft released forensic tool (largely a wrapper around known utilities) called COFEE and be able to then execute certain actions as specific by the user.

We’ve covered both topics in full, and aside from being good security theater, both the COFEE leak and DECAF release are much ado about nothing:

• Regular or Decaf? Tool launched to combat COFEE
• More COFEE Please, on Second Thought…

Repent, and you shall be Saved

So things started out ok, a proof of concept tool to combat unreasonable hype, until crazy came to town. Users visiting the site are presented with this bizarre message about Jesus:

A message of peace.

How to Reactivate DECAF in Two Minutes

Remember that DECAF calls home when launched via HTTP to 208.68.237.165.

If it doesn’t receive this response, it crashes.

1.0.0|http://www.decafme.org/|

The crash returns this error:

EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.

So not serving this page is what appears to be “the deactivation”, the URL does not return the right response, and the application crashes. To counter this we:

Set up a virtual host in Apache:

<VirtualHost *:80>
ServerName decafeme.org
ServerAlias www.decafeme.org
RewriteEngine On
RewriteRule ^.*$ /index.php [L]
DocumentRoot "/var/www/decafeme/
<Directory "/var/www/decafeme/">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
</VirtualHost>

Add this php file as ‘index.php’:

<?php
echo("1.0.0|http://www.decafme.org/|");
?>

Modify your hosts file by adding this entry (swapping out the IP for wherever you put the virtual host):

127.0.0.1 www.decafme.org

And we’re back to kicking off a set of processes when COFEE is detected on a system such as:

• Shutdown the system
• Kill selected processes
• Disable Network, USB, CD-ROM, ports, floppy
• Clear event viewer
• Erase Data

We verified this by performing all the steps above, re-running DECAF, and doing a system shutdown upon detection of COFEE.

Lockdown Settings

Reporting that is an Epic Fail

Looking at what sites were misreporting such as CrunchGear and Slashdot the story seems to all flow back to this Seattle pi blogs article by Nick Eaton. Nick reports that DECAF “is fake”, that numerous media outlets were “duped” and that we were all manipulated. Except whatever the two developers reasons were for creating DECAF, publicity stunt or tool release followed by threat of legal action and quick pull back, DECAF was released as a working tool that still works.

Nick goes on:

There was something suspicious about the DECAF Web site before it switched to spoof mode Friday morning. The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools. It all seemed a little too legitimate and focused for an anti-policing tool.

Then there is this podcast, devoid of actual information about COFEE and DECAF but that fills in the blanks with nonsense about child molesters and terrorists. In their defense, we’re told this show is usually pretty good, so we’ll call this a bad night.

So never let the facts get in the way of a good story.

DECAF vs. COFEE debate from the Developer (Video)

We couldn’t get through the whole thing, but here it is:

Finally

DECAF is not the most sophisticated piece of software, but it did work, and still works. COFEE is not used by legitimate forensic investigators. “But pedophiles will use DECAF to thwart law enforcement!”. We can all only hope that they do because the time they spend trying to get DECAF to work properly will be time spent away from committing felonies and hopefully it will give them a false sense of confidence such that they do not use more effective methods to hide their crimes like encryption. That would actually benefit investigators, as in “hey, this moron thought that having DECAF installed was going to stop us from being able to find out what he was up to”. The fact is bringing up wild child molester, pedophile, and terrorist scenarios is a cheap, dramatic tactic, designed to rile people up emotionally preventing us from having a dispassionate discussion about the facts of the situation.

If you have a serious computer crime to deal with, get a serious computer forensics investigator, who uses sets of real computer forensics tools based on the situation he or she is faced with.

But Microsoft may never build another COFEE, and transparency will stop! Be serious, part of the unnecessary nonsense generated around the leak of COFEE and all that followed was the inappropriate way it was originally released and marketed as “only for law enforcement”. Forensics tools must be well known, analyzed by experts, and their effects on target systems well documented. Thus releasing a closed source tool to a small community meant that COFEE could never be used seriously to present evidence in court. That is if it did anything novel, but it doesn’t, COFEE allows the user to run existing tools, system utilities, from a USB stick.

The promise of COFEE, how it was marketed, has sold a number of people on why its so important that it was leaked and subverted. Standardization of incident response tools (as in only a couple are used) would be a nice idea, but would be an effort faced with serious challenges because heterogeneous non-complex IT environments are a thing of the distant past. Having less skilled people “run a tool” that allows them to perform data capture is a nice idea, albeit even a little more dubious. What lawyer could not get evidence from a computer thrown out that’s collected by someone who doesn’t understand a computer? The reasons why it would be a positive is clear, forensic data would not be lost even if an investigator lacks computer forensics skills, and frankly there are not that many good computer forensic investigators to go around.

But COFEE does not deliver on either of these aspirations, as much as some might wish it does. And it was easily countered, meaning any bad actor could have done it. And tools aren’t evil, the people who use them are.

Now if you have time, have a read of an article about the evolving state of real forensics tools.

Update

12/23/2009 – SoldierX

The guys over at Soldierx.com have taken the next logical step and removed the phone home component (that now crashes) from the DECAF program and re-released it.

Note also per our original analysis that when COFEE is found, DECAF sends a request back to decafme.org as follows (our IP address is changed):

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1

It appears to basically be a tracking mechanism, however the SoldierX guys didn’t like that it was doing that from a privacy perspective, and removed that piece also.

DECAF developers have also posted new messages, including the newest one indicating that a version 2 is now on the way:

12/23/2009 – DECAFme.org

Well, with Christmas right around the corner we felt it was an opportunity for DECAF to bring an application back on the scene. DECAF v2 is in the kitchen cookin’ as we speak. As you know, DECAF v1 did do what it said it would do even though some people seemed to report it didn’t. Some might not use V2, some might. We really don’t care either way. If you are scared to use V2, thats ok; run it through a VM.

Now that we let the cat out the bag, be sure to keep checking back and look for V2 within the next few days. This is the start of something big…

12/21/2009

DECAF was not a spoof, it was a “stunt”. We have got an amazing amount of positive feedback. We have had MANY requests for the source code of DECAF but do not feel its release would promote a positive move.

We have not been able to settle with our buyer for DECAF and DECAFme.org. If there is anyone seriously interested in purchasing, send an email to mike@DECAFme.org. Serious inquiries only.

12/19/2009

With all the recent buzz about DECAF lately, there have been many requests for the visibility of DECAF source code. These have been from the early days of its release to the current “stunt” news. My purpose of DECAF is over. There are many out there who think we are feds cough John Young cough and some who think we are lunatic, religious nuts cough John Young cough. But then again we still have 95% of the other readers who encourage and compliment us. Oh ya.. and we finally heard that Microsoft seems to have finally broke the silence about the hype. I am not quite sure where they stand as I was expecting to hear from Richard Boscovich myself but didn’t. Anyhow, on to my point…

We have reason to believe DECAF source code and domain will be purchased this week by an unnamed buyer. We can’t be sure of the plans or really make sense of their motive but we are considering it. If this does happen, we will not be able to release the source to the community. Feel free to stay tuned as these next 48 hours pan out.

Related Posts:

• WinPE 3.0 & Forensics
• Forensics: Beverages Aside, A Look at Incident Response Tools
• Regular or Decaf? Tool launched to combat COFEE
• Taxonomy of Forensics Geeks
• More COFEE Please, on Second Thought…

In November, Microsoft’s forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was much hype about nothing, as many free tools already out there exceed COFEE in features and functionality. However, that did not stop statements such as “now that COFEE has leaked, hackers can reverse engineer to see what it does.” Well, I can save them time and tell them it launches OS commands and sysinternals tools to collect information, using a simple method that law enforcement can easily launch from a thumb drive. I also hesitate to call it Microsoft’s tool, as I believe it has more development coming from The National White Collar Crime Center (NW3C.org) than from Microsoft. Ok, let’s move on to DECAF.

Then There Was DECAF

Just recently, with the COFEE hype behind us, a tool called Decaf was released to combat the use of COFEE. A VB.Net application which detects for the use of COFEE and then reacts by ways configurable by the user, such as shutting down the system, clearing event logs, or disabling the network, USB, CDROM, and more. The authors of Decaf shared my distaste for COFEE and its hype, and though the press coined them hackers, they informed me that they are developers who have a passion for security, forensics, privacy, and free flow of information online.

Let’s Talk Tools

I want to put aside the media hoopla of COFEE and DECAF and discuss some great tools for forensic analysis out there worth discussing. I want to try and focus on volatile data collection (grabbing important information from a live running system) but many of the tools mentioned can be used in offline analysis as well. If you are familiar with digital forensics, you most likely have used these tools in many cases, and if you are new to this area I hope this provides some groundwork for you to try some of these tools out.

The List

Before getting into it, I want to share this Excel spreadsheet that contains a good amount of various tools that can be used in the forensic analysis process. Any prices listed have either been found online or are estimates from VARs, but please check with the specific vendors for exact pricing. The tools discussed throughout the article are in this spreadsheet along with links to their respective websites. Also note this is Windows focused and this is by no means a complete list, but I feel its a good start for anyone interested in forensic analysis.

Don’t use a Sledgehammer to Hang a Picture – Use this comprehensive list of tools for reference

One last note before discussing the tools, it is important to know your situation and choose the right tool for the task at hand. You may grab the Helix CD, test it, and become very familiar with it where it becomes your tool of choice; but, know that it may not be suitable for all situations and you should have as many options as possible and be familiar with all that is available so you can be prepared with the right instruments. For instance, inserting the Helix CD may autorun the GUI menu system, then clicking through the menus to run acquisition tools generates many changes to the contents of memory, whereas a method to immediately run a memory acquisition tool would be less of an impact.

Frameworks

Let’s start by talking about what I refer to as forensics frameworks. These are programs or scripts that are wrappers to commands used to collect data. They organize a collection of common tools, handle the output of the tools, verify the tools are trusted, and provide some basic reporting. The Helix collection from e-fense includes several frameworks to choose from, including The Incident Response Collection Report (IRCR) by John McLeod, Windows Forensics Toolchest (WFT) by Foolmoon Software and more. Another popular framework is by Harlan Carvey, author of Windows Forensic Analysis (Syngress Publishing) and the Windows IR blog, called the Forensic Server Project (FSP) which uses a client (FRUC) that runs the collection of tools and sends the output to a listening server (FSU).

I’ve also written a framework based on collating various features from the tool sets mentioned above as well as including some of my own ideas. The common theme in these, as in COFEE, is that they collect data using a suite of tools including commands available with the OS (such as netstat, net, systeminfo), Sysinternal utilities (such as pslist, listdlls, handle), and well-known utilities available freely (such as fport, autorunsc, pmdump, etc).

Dealing with Memory

Any actions on a system generated by the operating system or the user constantly change the contents of memory. Thus if the first thing you do on a live system is running tools, you will be significantly modifying the memory contents. A good detailed primer on physical memory analysis by Mariusz Burdach can be found here. An important fact to note is the possible hardware methods available to collect the contents of memory without interacting with the operating system. The tools I list in the spreadsheet for this purpose are software based, thus their execution and their changes to memory will be in the image that is captured.

Acquisition

To acquire an image containing the contents of memory, start by looking at the following two tools: WinDD by Matthieu Suiche and MDD by ManTech International. Both provide a CLI tool that can be incorporated into your preferred framework which can be used to create an image of the contents of physical memory prior to running additional tools. WinDD will create a raw dump or a crash dump file which can be analyzed with standard debugging tools like WinDbg from Microsoft. A commercial tool with a nice price point from HBGary called FastDump Pro acquires memory and includes probing features for malware analysis. The folks at HBGary state that Fastdump has a lighter footprint than other tools and acquires the contents of all physical memory (a community version is available which works on 32-bit systems only).

Analysis

Memory analysis has come a long way since running “strings” against an image created from a memory dump. This presentation notes how strings can produce 50 to 80 megabytes of unusable text from a 512MB memory dump. One exciting project, founded by Aaron Walters, is The Volatility Framework, an amazing collection of tools written in Python and used for analyzing memory dumps. With it, you can extract very specific data from the memory dump files obtained using the tools mentioned earlier (MDD, WinDD, etc). The screenshot shows how volatility pulls the process list from a memory dump called mal.dmp. Notice the last process on the list is actually MDD.

Volatility Example

Volatility can extract the following information:

• Image date and time
• Running processes
• Open network sockets
• Open network connections
• DLLs loaded for each process
• Open files for each process
• Open registry handles for each process
• A process’ addressable memory
• OS kernel modules
• Mapping physical offsets to virtual addresses (strings to process)
• Virtual Address Descriptor information
• Scanning examples: processes, threads, sockets, connections,modules
• Extract executables from memory samples

The framework is open source, fully written in python, and also modular in the use of plugins. Michael Hale Ligh has produced some great plugins including malfind2 which helps detect hidden/injected code in usermode processes. Here are some more plugins, and here is a plugin that can help find TrueCrypt passphrases and suspicious processes.

Registry

You wouldn’t spend time poking around in the registry during live analysis (many CLI tools, such as autorunsc.exe, will pull pertinent information automatically from the registry), but I wanted to include this section to talk about another great tool out there. This one is also by Harlan Carvey and is called RegRipper. RegRipper is intended for use against offline registry hive files to extract information from the registry helpful to your analysis. For example, you can extract data from the registry to determine USB disks previously used on the system or wireless networks joined. The examples are numerous and the use of plugins to extract particular keys and values for information make the tool very extensible. Harlan and many others have written various plugins for RegRipper.

F-Response

F-Response

Disk Imaging

There are many options for disk imaging, both live and offline. Here are some of the
popular commercial suites:

• FTK
• EnCase
• ProDiscover
• X-Ways Forensics
• and more…

Choose the platforms that suit you as each package has its benefits, however I will go over a method that utilizes the freely available dd.exe with netcat. Yes, this is free, but this option may not suit you in many situations, such as attempting to image large disks in a certain time frame.

You need a computer which will have netcat listening and retrieve the disk image. On this machine, run netcat with the following options:

nc.exe -l -p 8888 -w 5 > diskimage.dd

The -l puts netcat in listen mode, -p specifies the port number (8888 in the example) and -w specifies the timeout for connects and final net reads. Be sure that if this host has a firewall enabled, the port you specify is open for incoming connections.

On the workstation which you are taking a disk image from, you need to have dd.exe and nc.exe, which can be stored on a CD (such as Helix) or a USB thumb drive for use. If you are imaging an entire disk, you need the physical drive number for the dd command. In this example, we are imaging the OS drive, which is physical drive 0, and sending to a listening netcat instance created in the previous step, which has an IP address of 192.168.100.25:

dd if=\\.\PHYSICALDRIVE0 conv=noerror bs=1024 | nc.exe 192.168.100.25 8888

The if parameter specifies the input file to be imaged, in this case it is PHYSICALDRIVE0. The conv=noerror parameters tells dd to continue processing after read errors and the bs=1024 specifies a buffer size of 1 megabyte. Since no output file is specified (of) we are piping to netcat and sending the data to the IP address listening on port 8888.

Evidence Handling

An excerpt from Government Computer News specifies that because digital data is easily altered and it is difficult to distinguish between original data and copies, extracting, securing and documenting digital evidence requires special attention. The guidelines lay out the following general principles for handling digital evidence:

1. The process of collecting digital evidence should not alter it or raise questions about its integrity.
2. Examination of digital evidence should be done by trained personnel.
3. All actions in processing the evidence should be documented and preserved for review.
4. Examination should be conducted on a copy of the original evidence. The original should be preserved intact.

The numbering above is not meant to signify priority, but rather for discussing each bullet point. Starting with number one, I’ve been a part of many discussions related to which tools are permissible in a court of law, and the answer is that evidence collected in a reliable manner and obtained legally is permissible. The reliable manner is where the tool becomes important. For example, if you are a hobbyist developer and wrote a tool to list processes with Visual Studio, you can be challenged on the accuracy of the processes running which you’ve collected. If you used pslist.exe from Sysinternals, verified the MD5 hash of the executable, and properly tagged, timestamped, labeled, and handled its output, you would have a better case in proving your process list is accurate and reliable.

Point number two specifies that trained personnel should be responsible for evidence examination. The point here is that systems administrators or related expertise on the operating system is not equivalent to “trained in forensic examinations”. Additionally, such internal IT resources may have difficulty being questioned and cross-examined in a court of law. One who is experienced specifically in digital forensics is better able to handle evidence and participate in the litigation.

Points three and four are related and involve documentation, and the processing and handling of the evidence. Every step taken in the analysis must be meticulously documented and timestamped. You should have a standard and repeatable process for this. A UK based firm has an editor type application called Forensic CaseNotes to assist in documenting and tracking your case notes. In addition to careful documentation, an examination and analysis should be performed on duplicates. It is not dramatic step to take the original hard disk, and one additional hard disk containing an untouched block by block copy, and seal them in plastic bags marked with time, date, who collected the drives, and identification numbers. A third hard disk with a block by block copy can be used for further examination.

Proof of preservation can be maintained with MD5 hashing. In the exercise where we acquired an image of the hard disk, we can obtain an MD5 hash of the image file created and log that in our case notes. If that image is tampered with, the MD5 hash will change and the evidence is not reliable and thus can be dismissed. Output logs from the various tools run during an analysis should be hashed as well.

Conclusion

There is no conclusion to learning about digital forensics as the world of analysis techniques evolves and continuously changes. New operating system releases (Windows 7 and 2008 R2), progress in anti-forensics technologies, and sophistication of malware and rootkits continue to challenge forensic investigators. My purpose for this primer is to hopefully detract the sensationalism of COFEE being released, and DECAF to counter it, and take a look at some great aspects of forensic tools that are out there and continue to grow.

Updates

The intention of this article was to reflect on some of the great tools out there that have been around and growing before any word of COFEE. I feel its important to understand what is available and how it works, but one thing I did not touch on was that the tools are a just a subset of the overall process, and it is the process you use in your investigation that is critical to your analysis. Harlan provides some good examples of this in his latest blog entry.

References

• Forensic Focus
• Volatile Systems
• Windows IR Blog
• Forensics Wiki

Related Posts:

• WinPE 3.0 & Forensics
• The “Aurora” IE Exploit Used Against Google in Action
• Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake
• Baidu.com the Latest Victim of Iranian CyberArmy
• JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash

About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.

“We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,” one of the two hackers behind Decaf told The Register in explaining the objective of the project.

DECAF Details

DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config which contains the application settings (an XML is also created in the user’s profile directory for each user’s specific settings).

When launched, it displays the user license agreement and asks for confirmation. When agreed, it writes the following registry entry:

Key: HKU\SOFTWARE\DECAFme
Value: AcceptedEULA
Data: true

The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response: 1.0.0|http://www.decafme.org/|

If the application does not have a network connection, it will crash upon starting up with the following event:

EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.

Decaf Menu

I produced this initially when I had my virtual host’s network interface disabled.

Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:

SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"

And since the thumb drive has the COFEE label, finding its presence should not be an issue.

Notification finding COFEE

When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1

When clicking Simulate, it mimics what would happen if coffee is found, and the sim field is set to true:

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_051522PM-5&sim=true HTTP/1.1

The Configuration Menu

Lockdown Settings

In the configuration menu, there are checkboxes in the Monitor section to “Monitor USB” and “Monitor COFEE”. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:

• Shutdown the system
• Kill selected processes
• Disable Network, USB, CD-ROM, ports, floppy
• Clear event viewer
• Erase Data

The configuration settings are stored per user in an XML file located in:

%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0>

If the config for the user does not exist, the default in the launch directory is used.

Conclusion

When I first heard of the tool, I assumed it would also include detection of the default OS commands and Sysinternal utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe, however, in its current version this is not the case. An anti-forensics tool which expands into detecting the typical collection tools will affect investigations that use various toolkits (Helix, IRCR, etc), not just COFEE. However, as quoted by The Register, the DECAF brewer’s intentions are not to derail just any collection suite, but for law enforcement to expand beyond using what Microsoft provides them.

This version of decaf is still very bitter and has quite a ways to go in its development. The authors of Decaf are promising a more light-weight version or a windows service in the next release and text message and email triggers to enter lockdown mode remotely in future versions. However, Decaf provides a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.

Updates

The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the following post.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• WinPE 3.0 & Forensics
• March’s Patch Tuesday
• Press F1 for Help, pwned.

At 11:49am on October 17th an update was made to Bradford’s Facebook profile: “WHERE MY IHOP?”, a message to his pregnant girlfriend. This update was one minute before two men were robbed at gun point in the Farragut Houses in Brooklyn where Bradford lives. At the time of this robbery, the robbery he faced charges for, Bradford claims he was sitting at the computer at his father’s apartment in Harlem making this Facebook update despite his being identified by a witness at the Farragut Houses.

“If it wasn’t for Facebook I’d still be on Rikers Island.”
Rodney Bradford

So like any good defense attorney would, Reuland pointed out to Brooklyn District Attorney Lindsay Gerdes that his client could not possibly be in two places at the same time, and look, here is the evidence on Facebook that he was sitting at the computer at his father’s place. The DA subpoenaed Facebook to verify the location where the status update was made from, Facebook verified it, and the charges were dropped.

The Facebook Kids Facebook page.

Facebook Magic

The district attorney subpoenaed Facebook to verify that the status update had actually been typed from 
a computer located at 71 West 118th Street in Harlem.

Source: NY Times

“Facebook saved my son.” Ernestine Bradford

The above is interesting. It is interesting because there is no way Facebook could tell with certainty that an update was made from the computer at 71 West 118th Street. In fact they could only reasonably make such an educated guess through forensic evaluation of the computer in Harlem itself. They didn’t do that, they looked at their own information (likely some combination of site cookies read and web server logs) and decided that the update came from there. While IP (internet protocol) addresses used from the home are not technically static, they can remain the same assignment for days from an ISP providing cable, FIOS, or similar. So Facebook can say that the IP address of the party making the request to its web servers is the same as previous accesses and can approximate the geo-location of the IP. That assumes no use of a proxy or anonymizer.

Technologists Lurking in the NYT Comments

The comments from NY Times blog readers are telling. While some are ridiculous – he probably just used his phone to make the update (the phone browsers can usually be fingerprinted in the web server logs, the IP would show a phone network)- some are legitimate. Why couldn’t a friend have updated Facebook for him, maybe he used RDP to login (its built into Windows XP, just needs to be enabled), maybe VNC, maybe an SSH tunnel, and so on are all listed possibliities.

“This was just a very strong alibi…It reflects the pervasiveness that Web sites and social networking has on our lives.”
Bradford’s lawyer, Robert Reuland

The problem (for a non-technical user) with VNC or RDP is that they need to be installed on most phones, and the SSH tunnel while not complicated would not be a readily available option to a non-computer literate person. RDP is on Windows XP, but it would have to be enabled, and his lawyer is telling us that his client is not a computer guy. The friend updating Facebook? That’s low tech and easy, but for my money I don’t want to involve any extra parties, collusion makes crime harder.

The Perfect Crime

So now that I know I can invoke the Facebook defense, how do I want to approach it? Let’s say I decide I want to knock over a liquor store. I have my mask and so forth, but I also want to establish my alibi, that I was 30 miles away at my computer doing some social networking on Facebook. I could get in remotely from my mobile device (VNC, RDP, etc.) but I don’t want to be worrying about that while I’m emptying the register. As I mentioned before, my buddies can’t keep a secret, so I’m not letting them update Facebook either.

So I started with the following PHP script using curl (JD McCloud, python guru, is groaning at the desk next to me over the use of PHP). I fired up WebScarab, the great intercepting proxy from OWASP, the Open Web Application Security Project, and captured the full HTTP header that is part of a Facebook status update request. Snagging the request URL, Facebook cookies, and POST options sent with the request, I setup the PHP script below to essentially replay a Facebook status update request.

Note that I’ve removed the content specific to my profile. I don’t have the script logging in to Facebook. If I needed to I would have, but fortunately Facebook has a “Keep me logged in” radial button on its homepage, so I didn’t bother.

<?php

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
 Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)");

curl_setopt($ch, CURLOPT_COOKIE, 'datr=; s_vsn_facebookpoc_1=; __utma=; __utmz=.utmccn=
(referral)|utmcsr=|utmcct=|utmcmd=; s_vsn_facebookpocads_1=; locale=en_US; __qca=; x-referer=; 
cur_max_lag=; lsd=; h_user=; __utmc=; c_user=; lxe=; lxr=; sid=; xs=; presence=');

curl_setopt($ch, CURLOPT_POSTFIELDS,'action=PROFILE_UPDATE&profile_id=&status=I said where are my 
pancakes!&target_id=&app_id=&&composer_id=&display_context=profile&post_form_id=&fb_dtsg=&
_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest&__a=1');

curl_setopt($ch, CURLOPT_URL, 'http://www.facebook.com:80/ajax/updatestatus.php');
curl_exec($ch);
?>

Now I just add a Scheduled Task (Programs > Accessories > System Tools > Scheduled Tasks) or use At to run the program at the time I’m scheduled to do the stick up, and I’m all set. Facebook will note dutifully that a status update request came to them using the FireFox browser from an IP roughly around where I claimed to be. As long as no one actually checks my PC…

Oh C’mon Now

Yes I know what you’re thinking. I said that accessing the PC remotely was probably too complex (in reality I have no idea) for Mr. Bradford, and now I’m pitching writing scripts. I agree, if you are not a computer person, this would be out of reach. So how about another approach?

CoSripter, now owned by IBM, is pretty non-technical. Download a Firefox plugin, record your activities as you login to Facebook and update your status, and save the script that is generated. And if a person can’t follow those instructions, they can always watch the video tutorial. Here is the script that is automatically generated as I go through a login and status update on Facebook:

    * go to “http://www.facebook.com/index.php”
    * pause 3600 seconds
    * enter your “e-mail address” into the “Email” textbox
    * enter your password into the “Keep me logged in Forgot your password?” textbox
    * click the “Login” button
    * click the “Profile” link
    * enter "I said where the hell are my pancakes" in the “What’s on your mind?” textbox
    * click the first “Share” button

Its fairly easy to see what we’re doing above, I’ve set up variable names for my e-mail and password, but even that is very straight forward, and its only if you want to protect your credentials. Since you have recorded everything that generates the script, you only have to do one manual change, the line “pause 3600 seconds”. Remember, my robbery is 30 miles away, so I’m running my script, but giving myself an hour to get myself over to the liquor store. At exactly one hour from the time I kicked this off in Firefox I’m grabbing twenties from the tray and Facebook is seeing an update from FireFox in their logs for user “me” with the status update above. Facebook dutifully reports that I couldn’t have committed the robbery, I was still wondering where my pancakes where.

Facebook et al. and the Law

As social networking has taken hold as a cultural phenomenon, so too will its use in the proceedings of the legal system. There have been other uses of Facebook and other social networking sites in legal proceedings that have a great deal more legitimacy. There is the jackass in Pennsylvania who checked his Facebook status during a robbery on the victim’s computer and left the page open. There’s the Indiana murder case where a MySpace description was used as character evidence. The things people write online can be used against them in employment or divorce cases.

But with all that said, nativity with social networking tools like Facebook must not be misinterpreted as an actual understanding of the way web applications and computers work. I hope Facebook with their technical understanding of the boundaries of their network responded to that subpoena with a voluminous explanation that what they were providing was in fact proof of very little, proof only that their web servers had received a request looking like this at a certain time. I hope that Robert Reuland is the only defense attorney who is able to pull a fast one (exactly what he is paid to do) presenting Facebook status updates as forensically sound and acceptable evidence of a person’s location. Finally, I hope Mr. Bradford gets his pancakes.

What’s your approach?

There are plenty of other ways to approach this, and thus go on a consequences free international crime spree thanks to Facebook. How are you going to approach it?

Update

Bradford hired a civil attorney, Herbert L. Schmell, who says that they’re “99.9 percent sure” that they will sue the city for a false arrest/imprisonment.

References

• His Facebook Status Now? ‘Charges Dropped’
• Facebook alibi saves jailed teen

Related Posts:

• The “Aurora” IE Exploit Used Against Google in Action
• Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake
• Baidu.com the Latest Victim of Iranian CyberArmy
• JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash
• Forensics: Beverages Aside, A Look at Incident Response Tools

Related Posts:

• WinPE 3.0 & Forensics
• Microsoft IE 6 & 7 Zero-day (Aside)
• Microsoft Posts Advanced Notification for Out of Band Patch
• SMB Bug won’t be patched in January
• Reactivating DECAF in Two Minutes

The software is made up of three components or phases:

• The tool generation phase which is meant for the more tech-savvy forensics examiner to setup a profile which is exported to a USB disk. This is a simple decision making process of which tools and parameters should be setup to run from the USB drive.
• The data acquisition phase which is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase which runs through a set of common tools to gather volatile data, such as running processes, etc and saves the output from each command.
• The report generation phase is once again meant for the tech-savvy.  It uses the same GUI console as the tool generation phase, but this time to view the reports which are generated from the output of the tools run from the USB disk.

I’ve been reading some of the news articles, blogs, and related comments on the issue of the software being leaked and how the hackers now have more ammunition, by seeing how COFEE works they can improve malicious code to avoid or misrepresent data.  However, COFEE is not very special.  Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there.  For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project) , and a forensics toolkit called PTN-FT that I’ve written myself, all operate on the same basis of providing a forensics framework which allows you to configure a list of commands used to collect volatile data and save the output for use in some reporting format or a format that can be uploaded to a database for analysis.

Microsoft provides a GUI for tool selection (see figure) whereas most toolkits use a config file or batch file to modify tool selection and parameters.  It appears even the configuration of the USB disk comes with an easy to use interface.  In addition to the tools preconfigured, you can add tools from your own collection.

One feature I found to be useful from COFEE is the random generation of the tool name.  While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further in renaming the tools to random generated names, causing no doubt that the intended version of the tool is running. 

The output format is in XML and when loaded  into the GUI, gives a view to the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology as many toolkits give a nice view into the output data by framing it in HTML.

More of the same in terms of forensics toolkits, COFEE keeps hashes of the tools in a checksum file and also has multiple directories for OS specific tools (\winxp, \win2k03, etc). According to the documentation, it is not supported on Vista and Windows 7, but apparently a new version is planned for those operating systems.

Conclusion

The conclusion is that the excitement is not warranted.  There is nothing groundbreaking in COFEE that has not been seen in other toolkits.  It may even come short in some areas as I did not see any methods of memory dumps or capturing of the prefetch directory.  The excitement is rather because this piece of software has been difficult to obtain, even by law enforcement, and that both forensics experts and the anti-forensics communities has been curious to see what Microsoft themselves had to provide in this space.  Personally, I will pass on this cup of COFEE and continue using my own forensics framework along with the others I mentioned earlier.

Default tools & parameters launched by COFEE:

arp.exe ‐a  
at.exe    
autorunsc.exe    
getmac.exe    
handle.exe ‐a  
hostname.exe    
ipconfig.exe  /all  
msinfo32.exe  /report %OUTFILE%  
nbtstat.exe ‐n  
nbtstat.exe ‐A 127.0.0.1  
nbtstat.exe ‐S  
nbtstat.exe ‐c  
net.exe  share  
net.exe  use  
net.exe  file  
net.exe  user  
net.exe  accounts
net.exe  view  
net.exe  start  
net.exe  Session  
net.exe  localgroup administrators /domain  
net.exe  localgroup  
net.exe  localgroup administrators  
net.exe  group  
netdom.exe  query DC  
netstat.exe ‐ao  
netstat.exe ‐no  
openfiles.exe  /query/v  
psfile.exe    
pslist.exe    
pslist.exe ‐t  
psloggedon.exe    
psservice.exe    
pstat.exe    
psuptime.exe    
quser.exe    
route.exe  print  
sc.exe  query  
sc.exe  queryex  
sclist.exe    
showgrps.exe    
srvcheck  \127.0.0.1  
tasklist.exe  /svc  
whoami.exe   

Update – 11/10/09

There is speculation that the version released only has 45 commands and is therefore not the full “150 command” version that Microsoft reported releasing. The released version is 1.1.2 which corresponds to the version information in the documentation. The documentation does not list 150 discrete commands (really separate programs). Therefore the 150 command statement may be incorrect or may just be inflation of what’s there (for example treating ‘netstat + option’ as its own command).

Related Posts:

• WinPE 3.0 & Forensics
• The “Aurora” IE Exploit Used Against Google in Action
• Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake
• Baidu.com the Latest Victim of Iranian CyberArmy
• JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash