tag:blogger.com,1999:blog-12388523157163513412024-03-16T03:34:06.165-04:00Mash That KeyMTK is a place to share data forensic tips learned throughout the course of loud keyboard banging.
PGP Key http://bit.ly/UckgPWCarloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.comBlogger12125tag:blogger.com,1999:blog-1238852315716351341.post-81391543300220228612022-08-05T19:46:00.001-04:002022-08-05T20:24:42.926-04:00Velociraptor Playground 2022-08-02<p> On Tuesday, August 2nd, 2022, I created a playground consisting of 23 systems: ten Windows 10 machines, ten Windows 11 machines, one Velociraptor server, and one Windows Server 2019 machine compromised with a persistent remote access trojan that communicated with an attacker machine hosted outside of the US. </p><p> I wrote a few questions that I felt would be interesting and posted them on GitHub, with instructions, as a quasi CTF/practice exercise.</p><p> I then made the Velociraptor server publicly accessible, tweeted about it, and stated that it would be available for three days. </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJCbjRKCzYb-1SE27uB23SO-BpEwBre45GeH1DfUA4ythBOGms2yV6ZcMUjU7PJXbrBPccMBBLp_-smCy1P0bqcSQF2j1UUeFWB432OTBeMIzGw_mu3QzwzA0EgNpvMajWkHVQqQEGHdIelPQkhU8xEan9q5USkPyFfo5gw63qrVcPt7OdgQhznQXF/s598/tweet.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="548" data-original-width="598" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJCbjRKCzYb-1SE27uB23SO-BpEwBre45GeH1DfUA4ythBOGms2yV6ZcMUjU7PJXbrBPccMBBLp_-smCy1P0bqcSQF2j1UUeFWB432OTBeMIzGw_mu3QzwzA0EgNpvMajWkHVQqQEGHdIelPQkhU8xEan9q5USkPyFfo5gw63qrVcPt7OdgQhznQXF/w400-h366/tweet.JPG" width="400" /></a></div><br /><p> Interestingly enough, and much to my surprise, many people took me up on the opportunity and requested access to the server. Everyone who requested access got a chance to play around with the telemetry collected by the Velociraptor server. 
The playground remained up for the promised three days, and on Friday we did a walk-through of many of the steps outlined in the CTF instructions. </p><p> Below is the walk-through of the CTF/practice questions, with a screenshot of the data for each. Prior to taking down the playground I used a custom-built offline Velociraptor collector to create a triage image of the compromised server. By the time you read this, the infrastructure will no longer be up. Nevertheless, you can follow along and find the evil by analyzing the triage image with your tools of choice. </p><p> Download the triage image from <a href="https://drive.google.com/file/d/1VngA8wJeUycpcJ7dCFWfzFgWj8qOHUtC/view?usp=sharing" target="_blank">here</a>... </p><p> Watch the walk-through <a href="https://youtu.be/DMj0pU6kYvg" target="_blank">here</a>...</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD65S0vECecToUDPZ1OuSCr9pAj_49WJBk5xkYPgXonpnTvNIZMNFvrjI41e2NiOvvV13Gw7CHKqbSV-_gJTEql3wbeaRM8LALVUDJGtNxxfSUDYFPdw_YMEXboTBgykJGIRv4OovM6P8PZ-1hCwV7BI9ZBqBv0T0XsWaRIjs9CR1eAqpQxH9gEWgu/s1554/6all.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="944" data-original-width="1554" height="389" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD65S0vECecToUDPZ1OuSCr9pAj_49WJBk5xkYPgXonpnTvNIZMNFvrjI41e2NiOvvV13Gw7CHKqbSV-_gJTEql3wbeaRM8LALVUDJGtNxxfSUDYFPdw_YMEXboTBgykJGIRv4OovM6P8PZ-1hCwV7BI9ZBqBv0T0XsWaRIjs9CR1eAqpQxH9gEWgu/w640-h389/6all.JPG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h2 dir="auto" style="background-color: white; border-bottom: 1px solid var(--color-border-muted); box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI 
Emoji"; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; padding-bottom: 0.3em;">Incident Background</h2><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">The compromised client is a Windows Server 2019 machine in the AWS cloud. It is currently compromised with an active backdoor that has an <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">ESTABLISHED</code> connection to an attacker machine, which is also in the AWS cloud. The backdoor was created by us using the <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">sliver</code> C2 framework. All machines are owned and controlled by us. This is a practice playground. 
Although you are going to be hunting for malware, this is considered a SAFE playground and you will not (should not) get infected.</p><h2 dir="auto" style="background-color: white; border-bottom: 1px solid var(--color-border-muted); box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; padding-bottom: 0.3em;"><a aria-hidden="true" class="anchor" href="https://github.com/CarlosCajigas/veloctf20220802/blob/main/Instructions.md#hunting-for-evil" id="user-content-hunting-for-evil" style="background-color: transparent; box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px; text-decoration-line: none;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></svg></a>Hunting for Evil</h2><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Your goal is to find how the system was compromised.<br style="box-sizing: border-box;" />All of the artifacts that you need to get your answers have already been collected and you can read the collected data to find the answers. 
For example:</p><h3 dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;"><a aria-hidden="true" class="anchor" href="https://github.com/CarlosCajigas/veloctf20220802/blob/main/Instructions.md#look-for-running-processes" id="user-content-look-for-running-processes" style="background-color: transparent; box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px; text-decoration-line: none;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></svg></a>Look for Running Processes</h3><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Use the artifact's ability to check Authenticode signatures to find running processes whose binary does not carry a valid, trusted signature.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code 
style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Windows.System.Pslist</code> Post-process your artifact collection with the notebook query below.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div class="snippet-clipboard-content notranslate position-relative overflow-auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; overflow: auto; position: relative;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT Pid,Name,Exe, Hash.MD5 AS md5hash, Authenticode.Trusted AS signer
FROM source(artifact="Windows.System.Pslist")
WHERE signer =~ "untrusted"
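
// Added example, not part of the original notebook and not Velociraptor
// project code: join the untrusted processes above with the Netstat
// collection, so that an untrusted binary that also holds an ESTABLISHED
// connection shows up with its remote endpoint in one table instead of two.
// Assumes both artifacts were collected in the same hunt and that source()
// in a hunt notebook adds ClientId and Fqdn columns to the artifact's own
// columns. A Pid by itself is not unique across the 22 clients in the hunt,
// so the join uses ClientId as well.
LET Untrusted = SELECT ClientId AS UClientId, Pid AS UPid, Exe AS UExe,
                       Authenticode.Trusted AS signer
  FROM source(artifact="Windows.System.Pslist")
  WHERE signer =~ "untrusted"

SELECT * FROM foreach(row=Untrusted, query={
    SELECT Fqdn, ClientId, Pid, Name, UExe AS Exe, Status,
           `Raddr.IP` AS RemoteIP, `Raddr.Port` AS RemotePort
    FROM source(artifact="Windows.Network.Netstat")
    WHERE ClientId = UClientId AND Pid = UPid AND Status =~ "ESTAB"
})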
</code></pre></div><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">And you get...</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-u6OaPxQ9u7b12OTbGZoEjemxuqHNh8pFy1-as3-PZeBNfRYu8Jfv1oQ7bJ0WsNTNzNjAHHcod_uSnWsoVNnHubHzWcuuYVYfTyiowAwJRhRMbrHue3WrHhFUVdoiEjPYzrCHL0Jkjm2TqqGxL6lwA3v3X1oRXdYpxJgUL1jLNkdzU0onCKYDmw6F/s923/1pslist.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="106" data-original-width="923" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-u6OaPxQ9u7b12OTbGZoEjemxuqHNh8pFy1-as3-PZeBNfRYu8Jfv1oQ7bJ0WsNTNzNjAHHcod_uSnWsoVNnHubHzWcuuYVYfTyiowAwJRhRMbrHue3WrHhFUVdoiEjPYzrCHL0Jkjm2TqqGxL6lwA3v3X1oRXdYpxJgUL1jLNkdzU0onCKYDmw6F/w640-h74/1pslist.JPG" width="640" /></a></div><br /><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">As you can see, one untrusted process stands out as very suspicious. This is only the first artifact you have looked at; we recommend that you corroborate it with more.</p><h3 dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;"><a aria-hidden="true" class="anchor" href="https://github.com/CarlosCajigas/veloctf20220802/blob/main/Instructions.md#look-for-network-connections" id="user-content-look-for-network-connections" style="background-color: transparent; box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px; text-decoration-line: none;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></svg></a>Look for Network Connections</h3><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Use the artifact's ability to list established connections to see whether the suspicious process is talking to the network, and to where.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; 
margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Windows.Network.Netstat</code> Post-process your artifact collection with the notebook query below.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div class="snippet-clipboard-content notranslate position-relative overflow-auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; overflow: auto; position: relative;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT Timestamp,Pid,Name,Status,`Laddr.IP`,`Laddr.Port`,
geoip(ip=`Raddr.IP`,db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en
AS Country,`Raddr.IP`,`Raddr.Port`,Fqdn
FROM source(artifact="Windows.Network.Netstat")
WHERE Status =~ "ESTAB"
AND NOT Country =~ "United States" </code></pre><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><span face="-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"" style="font-size: 16px; white-space: normal;">And you get... </span></pre><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXyR-qlfxEtvpXuojOOLoDDwOGMN7r-itJLvQ6lxdoNv7-Lar7XrSxnMgVxGigrAlTLrPWDVSmgX554__2Zl_8PZ0ZSEWP2wRKcRxHZwHEChVUIW9NQmV1olVmhfPClPA1UEewlPQpcIpgkBTwfqdV3lhe3JC46zu-zkpJP7u7IPGE0EtSevrq_V_l/s1056/2netstat.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="1056" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXyR-qlfxEtvpXuojOOLoDDwOGMN7r-itJLvQ6lxdoNv7-Lar7XrSxnMgVxGigrAlTLrPWDVSmgX554__2Zl_8PZ0ZSEWP2wRKcRxHZwHEChVUIW9NQmV1olVmhfPClPA1UEewlPQpcIpgkBTwfqdV3lhe3JC46zu-zkpJP7u7IPGE0EtSevrq_V_l/w600-h53/2netstat.JPG" width="600" /></a></div><br /><span face="-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"" style="font-size: 16px; white-space: normal;"><br /></span></pre><pre class="notranslate" style="background-color: 
var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><h3 dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; white-space: normal;">Did the attacker RDP to the system</h3><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Use the artifact to examine RDP logons to the server. Look for Event ID 4624 with LogonType 10 (RemoteInteractive), the logon type a successful RDP session produces. With Network Level Authentication enabled, a LogonType 3 logon from the same source usually precedes it; the LogonType 10 event is the one that marks the interactive session.</p><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Windows.EventLogs.RDPAuth</code></p><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div 
class="snippet-clipboard-content notranslate position-relative overflow-auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; overflow: auto; position: relative; white-space: normal;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT EventTime,EventID,LogonType,UserName,SourceIP,
geoip(ip=SourceIP,db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en AS Country,Description
FROM source(artifact="Windows.EventLogs.RDPAuth")
WHERE EventID = 4624
AND LogonType = 10
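
// Added example, not part of the original notebook and not Velociraptor
// project code, that also answers the next question (how the attacker got
// in): aggregate failed logons (4625) and successful RDP logons (4624 with
// LogonType 10) per source IP, then keep only the sources that failed
// repeatedly and still got in, which is the signature of a brute force
// that worked. Assumes the same Windows.EventLogs.RDPAuth collection,
// column names and GeoLite2 path used above; the threshold of 10 failures
// is an assumption, tune it to the environment.
LET PerSource = SELECT SourceIP,
    geoip(ip=SourceIP,db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en AS Country,
    sum(item=if(condition=EventID = 4625, then=1, else=0)) AS Failures,
    sum(item=if(condition=EventID = 4624 AND LogonType = 10, then=1, else=0)) AS RDPLogons
  FROM source(artifact="Windows.EventLogs.RDPAuth")
  WHERE EventID IN (4624, 4625)
  GROUP BY SourceIP

SELECT * FROM PerSource
WHERE Failures >= 10 AND RDPLogons > 0
ORDER BY Failures DESC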
</code></pre></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqiFni-G0MkzjjEQ4Hq1Vv6qFJdnCg1WcA9YxmeG8uMjxqk9ulQanM4QMd9wgKUyUOFgxMDceOqvRmtjbJIpYzardh1O3IYqO8nd76TnIl2u3uVCupdRrlGfx2AvOI8zzw0mdGGveJiAPIhxWAE2Ql9U9pwxBgZ4l05AQ4A9g4kzeUEHF-v-NGN9Xy/s1038/4rdp.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="225" data-original-width="1038" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqiFni-G0MkzjjEQ4Hq1Vv6qFJdnCg1WcA9YxmeG8uMjxqk9ulQanM4QMd9wgKUyUOFgxMDceOqvRmtjbJIpYzardh1O3IYqO8nd76TnIl2u3uVCupdRrlGfx2AvOI8zzw0mdGGveJiAPIhxWAE2Ql9U9pwxBgZ4l05AQ4A9g4kzeUEHF-v-NGN9Xy/w640-h138/4rdp.JPG" width="640" /></a></div><br /><h3 dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; white-space: normal;"><br /></h3><h3 dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; white-space: normal;"><br /></h3><h3 dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; white-space: normal;"><a aria-hidden="true" class="anchor" href="https://github.com/CarlosCajigas/veloctf20220802/blob/main/Instructions.md#how-did-the-attacker-get-initial-access-to-the-server" id="user-content-how-did-the-attacker-get-initial-access-to-the-server" style="background-color: transparent; box-sizing: border-box; float: left; line-height: 1; 
margin-left: -20px; padding-right: 4px; text-decoration-line: none;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></svg></a>How did the attacker get initial access to the server</h3><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Use the artifact to examine logon attempts to the server, grouping failed (4625) and successful (4624) logons by source IP. 
You will see that this was a successful brute-force attack: over 400 failed attempts followed by successful logons from the same IP.</p><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Windows.EventLogs.RDPAuth</code></p><p dir="auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; white-space: normal;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div class="snippet-clipboard-content notranslate position-relative overflow-auto" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; overflow: auto; position: relative; white-space: normal;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; line-height: inherit; 
margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT EventTime,EventID,UserName,SourceIP,
geoip(ip=SourceIP,db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en AS Country,
count() AS Count
FROM source(artifact="Windows.EventLogs.RDPAuth")
WHERE EventID = 4624
OR EventID = 4625
GROUP BY EventID,SourceIP</code></pre></div></pre></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCd_ADK61jse9XR9HGRcdX2hV2LOcZFxKMoYbyuBXUunFKbOZnn2U2hnA8rHpFHcZNzwwL_qNGHlfpenKtGHD8Pp7dALtmwRtwm3dvPXkgCrrGimleKkOGL5P_mNZVMuQdkIdGRcbRhOE_xlnJldWQdBtaq7Jh3ZQupuCFZE1UVGG6iQ5OALMd2kVV/s1041/3rdp.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="162" data-original-width="1041" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCd_ADK61jse9XR9HGRcdX2hV2LOcZFxKMoYbyuBXUunFKbOZnn2U2hnA8rHpFHcZNzwwL_qNGHlfpenKtGHD8Pp7dALtmwRtwm3dvPXkgCrrGimleKkOGL5P_mNZVMuQdkIdGRcbRhOE_xlnJldWQdBtaq7Jh3ZQupuCFZE1UVGG6iQ5OALMd2kVV/w640-h101/3rdp.JPG" width="640" /></a></div><br /><h3 dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;">When was the 
malware executed by the attacker</h3><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Use a custom-built artifact to get the execution time of the malware. The artifact named <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Custom.Windows.EventLogs.SysmonProcessCreationID1</code> queries the Sysmon event log on the machine (Sysmon is installed on the playground systems) for Event ID 1 (process creation) records, each of which carries the launch time, image path and command line of a new process.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Custom.Windows.EventLogs.SysmonProcessCreationID1</code></p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div class="snippet-clipboard-content notranslate position-relative overflow-auto" style="background-color: 
white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; overflow: auto; position: relative;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT * FROM source(artifact="Custom.Windows.EventLogs.SysmonProcessCreationID1")
WHERE image =~ "dllhost"</code></pre></div><h3 dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;"><a aria-hidden="true" class="anchor" href="https://github.com/CarlosCajigas/veloctf20220802/blob/main/Instructions.md#does-the-malware-have-persistence" id="user-content-does-the-malware-have-persistence" style="background-color: transparent; box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px; text-decoration-line: none;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></svg></a>Does the malware have persistence</h3><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Objective:</span> Do analysis to determine persistence. 
Use a custom artifact to execute autoruns on the system.</p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Hunt Artifact:</span> <code style="background-color: var(--color-neutral-muted); border-radius: 6px; box-sizing: border-box; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">Custom.Windows.Sysinternals.Autoruns</code></p><p dir="auto" style="background-color: white; box-sizing: border-box; color: #24292f; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Notebook:</span></p><div class="snippet-clipboard-content notranslate position-relative overflow-auto" style="background-color: white; box-sizing: border-box; overflow: auto; position: relative;"><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; color: #24292f; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">SELECT count() AS Count, Time, Signer, 
Entry,Category,Profile,Description,`Image Path` AS ImagePath,`Launch String` AS LaunchString, Enabled,MD5
FROM source(artifact="Custom.Windows.Sysinternals.Autoruns")
WHERE Enabled
AND (NOT Signer OR Signer =~ "Not verified")
GROUP BY ImagePath,LaunchString</code></pre><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; color: #24292f; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3gGpwJ24NF0-AVGBRdMy7juZRydw94TJBThySt5i0mPfy4xotNKgqVYIFMRqzGT7Wk0dqEyR4lFTVVAAa798lPMMNN4XwD18s2EoOuYwpI9KJWqT3q81X8Z0EYknXds74nmrkmlKXkiWoC3AdqzSgL8Nx4bvnM981ECG4n1eqAYOWch54okyOogv/s1397/5pers.JPG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="107" data-original-width="1397" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3gGpwJ24NF0-AVGBRdMy7juZRydw94TJBThySt5i0mPfy4xotNKgqVYIFMRqzGT7Wk0dqEyR4lFTVVAAa798lPMMNN4XwD18s2EoOuYwpI9KJWqT3q81X8Z0EYknXds74nmrkmlKXkiWoC3AdqzSgL8Nx4bvnM981ECG4n1eqAYOWch54okyOogv/w640-h50/5pers.JPG" width="640" /></a></div><br /><code style="background: transparent; border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;"><br /></code></pre><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><span style="font-family: Times New Roman;"><span style="white-space: normal;"> There were a few more artifacts that were collected at the time of the practice scenario, but the ones above are the ones that contain 
the notebooks with the most value. We are definitely planning on running another one of these in the future. </span></span></pre><pre class="notranslate" style="background-color: var(--color-canvas-subtle); border-radius: 6px; box-sizing: border-box; line-height: 1.45; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><span style="font-family: Times New Roman;"><span style="white-space: normal;"> If you thought that this was interesting and you want to take part in the next one, please follow me on Twitter for updates on dates. @carlos_cajigas</span></span></pre></div>Carloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.com0tag:blogger.com,1999:blog-1238852315716351341.post-68582291993654383682020-06-03T16:00:00.002-04:002023-10-12T08:21:13.243-04:00Installing a Velociraptor Server on Ubuntu 18.04<p class="MsoNormal" style="text-align: justify;"></p><p class="MsoNormal" style="text-align: justify;">Update on 2023/10/12. The Velociraptor project is still going stronger than ever, but this post is now old and outdated. </p><p class="MsoNormal" style="text-align: justify;">--- </p><p class="MsoNormal" style="text-align: justify;"> What if I were to tell you that
there is a free way to query one hundred hosts or more in a matter of 20 seconds
and get visibility into whether any of them might be compromised. Would you believe me? But most importantly, would you take
advantage of it? Would you like to know how to do it with Velociraptor? If the
answer to any of these questions was a “yes”, then you are reading the right
blog post.</p>
<p class="MsoNormal" style="text-align: justify;"> Velociraptor from <a href="https://www.velocidex.com/" target="_blank">Velocidex</a> is a free open source
utility created by Mike Cohen, who is one of the lead developers for Rekall and
GRR. “With a solid architecture, a library of customisable forensic artifacts and its own unique and flexible
query language, Velociraptor provides the next generation in endpoint
monitoring, digital forensic investigations and cyber incident response.” (Source: Velocidex).</p>
<p class="MsoNormal" style="text-align: justify;"> Mike has many years of experience
making forensic utilities and we think that Velociraptor has been created with
the incident responder in mind. Velociraptor allows you to query just about anything on the system and
also collect just about anything that you want. It can scale to over 100 thousand hosts, and the coolest thing is that you
can extend its usability by creating your own collection artifacts using the
Velociraptor Query Language (VQL). VQL is an expressive query language similar to SQL that allows you to quickly and
easily adapt Velociraptor to do what you want it to do without needing to
modify any of the source code or deploy additional software.</p>
<p class="MsoNormal" style="text-align: justify;"> Writing VQL queries is beyond the
scope of this post, but we can consider writing an article to help you get
started with VQL. The purpose of this post is to walk through standing up a Velociraptor server on a Linux
machine so that you can connect a single Windows machine to it. We hope that once you feel comfortable with
the steps described in this post you will be ready to use the same
procedures to connect more clients to the server, and even to put
your Velociraptor server in the cloud. Let’s get started.</p>
<p class="MsoNormal" style="text-align: justify;"><b><font size="4">What you need:</font></b></p>
<p class="MsoNormal" style="text-align: justify;"> In order to get started with
Velociraptor and to follow along with this post, you are going to need two
computers that can reach each other. In
other words, two systems that can ping each other or be on the same
subnet.</p>
<p class="MsoNormal" style="text-align: justify;"> One system will be a Linux
machine and the other will be a Windows machine. The Velociraptor server will be installed on
Ubuntu 18.04, and the Windows machine that we will connect to it will be a
Windows 10 machine. For the purposes of
this article we will install each of these machines using the free
virtualization software VMware Player.</p>
<p class="MsoNormal" style="text-align: justify;"><b><font size="4">Installing the Velociraptor
Server:</font></b></p>
<p class="MsoNormal" style="text-align: justify;"> The first step in the process is
undoubtedly getting the Velociraptor server up and running and getting the web GUI
working. To accomplish that we started by creating a new virtual machine running Ubuntu 18.04 with the default
hardware configuration provided by VMware Player. Two GB of memory is more than enough for this
test server, but feel free to increase it to improve performance. </p><div style="text-align: center;"><a href="https://1.bp.blogspot.com/-_PL_0NVC7tY/Xtf0HAjC-uI/AAAAAAAAVJk/mn1roeEWY_suK-nFpDXsijg9xwEhZojOQCK4BGAsYHg/pic1.JPG"><img border="0" data-original-height="229" data-original-width="276" height="266" src="https://1.bp.blogspot.com/-_PL_0NVC7tY/Xtf0HAjC-uI/AAAAAAAAVJk/mn1roeEWY_suK-nFpDXsijg9xwEhZojOQCK4BGAsYHg/w320-h266/pic1.JPG" width="320" /></a></div><p class="MsoNormal" style="text-align: justify;"> We created one user “ubuntu” with
a password of 1234 and gave the machine the hostname "velo01". Yes, the password is short and weak: fine
for a demo, but not secure. This is just a test, so do not make this a publicly routable machine. </p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-EkqJHmI8wA0/Xtf2apGLS0I/AAAAAAAAVKk/6ofkTjaX-YIN7CDFOturCyCHhgeAIxOjgCK4BGAsYHg/pic2.JPG" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="476" data-original-width="798" height="382" src="https://1.bp.blogspot.com/-EkqJHmI8wA0/Xtf2apGLS0I/AAAAAAAAVKk/6ofkTjaX-YIN7CDFOturCyCHhgeAIxOjgCK4BGAsYHg/w640-h382/pic2.JPG" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><br /></td></tr></tbody></table>
<p class="MsoNormal" style="text-align: left;"> Once the installation
completes, log in to the Ubuntu machine
and open a terminal window. We will be
working from the terminal window during the installation of the Velociraptor
utility.</p>
<p class="MsoNormal" style="text-align: justify;"> Once the terminal window is open,
you should be in the home directory of your user; mine is user
“ubuntu”. Next, elevate privileges to
root with “sudo su”. This is what my
machine looks like at this moment.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-zGZuCAHYIK8/Xtf3MuvnmuI/AAAAAAAAVLo/VHYVRDQIskYitAZHKAy2KnRdPN-KgdeRgCK4BGAsYHg/pic3.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="98" data-original-width="334" height="94" src="https://1.bp.blogspot.com/-zGZuCAHYIK8/Xtf3MuvnmuI/AAAAAAAAVLo/VHYVRDQIskYitAZHKAy2KnRdPN-KgdeRgCK4BGAsYHg/w320-h94/pic3.JPG" width="320" /></a></div><div style="text-align: justify;"> The next step is to download the Velociraptor
Linux binary to the Ubuntu machine. The
easiest way to accomplish this is via the "wget" utility. Navigate to this <a href="https://github.com/velocidex/velociraptor/releases" target="_blank">link</a>, which should contain
the latest release. As of this writing the latest release was
version 0.4.4. </div>
<div class="separator" style="clear: both; text-align: left;"><a href="https://1.bp.blogspot.com/-J45hLsLzw28/Xtf4I5c6JdI/AAAAAAAAVMQ/JTcV5GKhSrAO5PF0KI_dWYcKFpCzczeaACK4BGAsYHg/pic4.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="574" data-original-width="1227" height="301" src="https://1.bp.blogspot.com/-J45hLsLzw28/Xtf4I5c6JdI/AAAAAAAAVMQ/JTcV5GKhSrAO5PF0KI_dWYcKFpCzczeaACK4BGAsYHg/w640-h301/pic4.JPG" width="640" /></a></div><div style="text-align: justify;"> Copy the link address to the
Linux binary and paste it into the Ubuntu terminal window as the argument to wget.</div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-wO1sdhWyPS0/Xtf4TP_wIaI/AAAAAAAAVMc/kl5SZoJxgi4lSrtP8d1hUFe8x8aPMZBoACK4BGAsYHg/pic5.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="84" data-original-width="848" height="64" src="https://1.bp.blogspot.com/-wO1sdhWyPS0/Xtf4TP_wIaI/AAAAAAAAVMc/kl5SZoJxgi4lSrtP8d1hUFe8x8aPMZBoACK4BGAsYHg/w640-h64/pic5.JPG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JK7IU8FYxxI/Xtf4WiX-asI/AAAAAAAAVMo/j7_XBVujz-sVi_KQD23-NoAaVoZVeT_lACK4BGAsYHg/pic6.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="236" data-original-width="850" height="178" src="https://1.bp.blogspot.com/-JK7IU8FYxxI/Xtf4WiX-asI/AAAAAAAAVMo/j7_XBVujz-sVi_KQD23-NoAaVoZVeT_lACK4BGAsYHg/w640-h178/pic6.JPG" width="640" /></a></div><p class="MsoNormal" style="text-align: justify;"> Once the binary is on our
machine, the next step in the process
is to add executable permissions to our binary file so that we can, well…
execute it. You can accomplish this via
the chmod +x command, like so.</p>
<p class="MsoNormal" style="text-align: justify;"><b><i># chmod +x
velociraptor-v0.4.4-linux-amd64</i></b><o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-c8XBcisjrEk/Xtf44iMrJuI/AAAAAAAAVNE/YsN5S8sUXuYxr7ekOUv8ustWKMJ1igc0QCK4BGAsYHg/pic7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://1.bp.blogspot.com/-c8XBcisjrEk/Xtf44iMrJuI/AAAAAAAAVNE/YsN5S8sUXuYxr7ekOUv8ustWKMJ1igc0QCK4BGAsYHg/w640-h360/pic7.png" width="640" /></a></div><div style="text-align: justify;"> </div><div style="text-align: justify;"> Now that the Velociraptor binary
has executable permissions, we can move on to installing Velociraptor. Velociraptor uses two separate locations to
store data. One location is used by the
“Data Store” and the other is for its logs.
In order to keep both of these locations under one directory, we like
to create them using the two commands below. mkdir is the command to make a directory, and
the -p flag creates the parent directory in the event that it doesn’t already
exist. </div>
<p class="MsoNormal" style="text-align: justify;"><span lang="ES-PR"><b><i># mkdir -p /velo/velo<o:p></o:p></i></b></span></p>
<p class="MsoNormal" style="text-align: justify;"><span lang="ES-PR"><b><i># mkdir -p /velo/logs</i></b><o:p></o:p></span></p>
<p class="MsoNormal" style="text-align: justify;"> The “Data Store” will be stored
in “/velo/velo” and the logs will be stored in “/velo/logs”. The reason why we like to put these
directories under the “/velo” directory is simply for organization purposes. The location of the “Data Store” can be put
anywhere that you like. The “Data Store”
is extremely important to Velociraptor, as this location
collects information about its clients and whatever data Velociraptor monitors
from your clients, so remember it!</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ub5Nqw0JNFc/Xtf5y-8BXKI/AAAAAAAAVNo/TBIe3WTL9P0FJ4aCGaT63oTK-yXRVjMgQCK4BGAsYHg/pic8.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="106" data-original-width="518" height="81" src="https://1.bp.blogspot.com/-ub5Nqw0JNFc/Xtf5y-8BXKI/AAAAAAAAVNo/TBIe3WTL9P0FJ4aCGaT63oTK-yXRVjMgQCK4BGAsYHg/w400-h81/pic8.JPG" width="400" /></a></div><div style="text-align: justify;"> With the location of the “Data
Store” now defined, let’s move on to the next step, which is to create the pair
of configuration files that Velociraptor needs. Velociraptor uses a pair of configuration
files that tell Velociraptor how to operate.
One configuration file is for the server and the other configuration
file is for the clients. The client
configuration file lets the clients know the location of the Velociraptor server
and also contains the information they need to communicate securely with the Velociraptor
server. </div>
<p class="MsoNormal" style="text-align: justify;"> We can finally begin the process
of creating these configuration files by executing the Velociraptor executable
interactively like so.<o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;"><b><i>#
./velociraptor-v0.4.4-linux-amd64 config generate -i</i></b><o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;"> Use arrows to move<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ewdDxXBov60/Xtf6xBecvuI/AAAAAAAAVOA/xa-s9a8wc_wAQnQqg-LJ0PCNu7M8gs96ACK4BGAsYHg/pic9.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="156" data-original-width="885" height="112" src="https://1.bp.blogspot.com/-ewdDxXBov60/Xtf6xBecvuI/AAAAAAAAVOA/xa-s9a8wc_wAQnQqg-LJ0PCNu7M8gs96ACK4BGAsYHg/w640-h112/pic9.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Press enter as we will in fact be
using a Linux server<o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;"> The next question is: Will you be
using the File Base “DataStore” or “MySQL”?
I have heard Mike mention that after around 10,000 clients you should
consider using “MySQL”. For now, we will just use FileBaseDataStore; press
enter.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-H9qvOMF9fhw/Xtf6-VjjzjI/AAAAAAAAVOM/b3YtmK6K7yIGQTAzRIwyb4Obt2GhjD0uwCK4BGAsYHg/pic10.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="898" height="130" src="https://1.bp.blogspot.com/-H9qvOMF9fhw/Xtf6-VjjzjI/AAAAAAAAVOM/b3YtmK6K7yIGQTAzRIwyb4Obt2GhjD0uwCK4BGAsYHg/w640-h130/pic10.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> The next question is: What is the path to the DataStore? I placed mine under “/velo/velo”, so I added that location there and pressed
enter.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-kuSFqm1PXaY/Xtf7G4HhvdI/AAAAAAAAVOg/IKiHHrGufFUwur1R0pKxemm6Bi2K0R5XwCK4BGAsYHg/pic11.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="411" data-original-width="903" height="292" src="https://1.bp.blogspot.com/-kuSFqm1PXaY/Xtf7G4HhvdI/AAAAAAAAVOg/IKiHHrGufFUwur1R0pKxemm6Bi2K0R5XwCK4BGAsYHg/w640-h292/pic11.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> The next question is:<span> </span>What kind of deployment will you need? Let us talk about the different options...<o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;">> <b>Self Signed SSL</b>. In a
self-signed SSL deployment, communication between you, the user, and the
Velociraptor web GUI is established using TLS with self-signed certificates. When you use the browser to log into the
Velociraptor GUI, the communications are authenticated with Basic Auth and the
GUI will bind to localhost only on port 8889 by default. This means that when you fire up the browser
to log into the GUI you must navigate to https://localhost:8889/. For the purposes of this test this will work
just fine and we will use this, but as you graduate from testing into other
forms of deployment, the other two forms of deployment offer better
options.</p>
<p class="MsoNormal" style="text-align: justify;">> <b>Automatically provision
certificates with Lets Encrypt</b>. In this
type of deployment, you can assign a
domain during the Velociraptor installation and Velociraptor will automatically
use the Let's Encrypt protocol to obtain and manage its own certificates. This allows you to put a server in the cloud
that you can access by going to a domain that you control, but the GUI authentication
still uses the username and password that you set up, and
MFA cannot be used.</p>
<p class="MsoNormal" style="text-align: justify;">> <b>Authenticate users with Google
OAuth SSO</b>. In this type of deployment,
the verification of the user’s identity is done via Google’s OAuth mechanism
and you no longer need to assign a password to the users. Additionally, in this kind of deployment,
MFA can be used. This is where you
ultimately want to end up; this type of deployment is sweet and the authentication
is seamless. As you can imagine, it does
take a little bit of setup, time and practice to get good with it.</p>
<p class="MsoNormal" style="text-align: justify;"> We will use Self Signed SSL
because we are just testing, it is fast, and it works.<span> </span>Press Enter<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qD5q3iyT_ec/Xtf7eWj3K4I/AAAAAAAAVO4/Z666QygWy6QjM4e4IyMwkCVkiU05zJM6ACK4BGAsYHg/pic12.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="895" height="272" src="https://1.bp.blogspot.com/-qD5q3iyT_ec/Xtf7eWj3K4I/AAAAAAAAVO4/Z666QygWy6QjM4e4IyMwkCVkiU05zJM6ACK4BGAsYHg/w640-h272/pic12.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> The next question is:<span> </span>What is the port of the front end, leave it
default and press enter<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-fgVNrthJKv4/Xtf7oV8ma9I/AAAAAAAAVPE/KPPWy1N0ca8qsG0DGD8TtlcmmSufhcPuACK4BGAsYHg/pic13.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="969" height="274" src="https://1.bp.blogspot.com/-fgVNrthJKv4/Xtf7oV8ma9I/AAAAAAAAVPE/KPPWy1N0ca8qsG0DGD8TtlcmmSufhcPuACK4BGAsYHg/w640-h274/pic13.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> The next question is an important
one: What is the DNS name of the front
end? In a self-signed deployment, you
can leave this default and it will bind to localhost, but I want to edit this
here and assign a DNS name so that our Windows client can resolve a DNS name to an
IP just like if this were a cloud deployment.
This helps in practicing using DNS without having to assign a DNS name to a
public IP address.</p>
<p class="MsoNormal" style="text-align: justify;"> We gave it a DNS of “velo01.com”
and pressed enter.<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lmpt8Ijjo4w/Xtf7zqLW70I/AAAAAAAAVPY/U_ms-1oYiVUVaDw2kw7SkNLv89Y4yEKagCK4BGAsYHg/pic14.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="417" data-original-width="902" height="296" src="https://1.bp.blogspot.com/-lmpt8Ijjo4w/Xtf7zqLW70I/AAAAAAAAVPY/U_ms-1oYiVUVaDw2kw7SkNLv89Y4yEKagCK4BGAsYHg/w640-h296/pic14.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Default port for the GUI, and a “no”
since we are not using Google DNS.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8zAAjr3gdiw/Xtf7-aMuSAI/AAAAAAAAVPs/EgofQtHxD4sOKQgr9XgG3hNn5R8O7OCZQCK4BGAsYHg/pic15.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="474" data-original-width="906" height="334" src="https://1.bp.blogspot.com/-8zAAjr3gdiw/Xtf7-aMuSAI/AAAAAAAAVPs/EgofQtHxD4sOKQgr9XgG3hNn5R8O7OCZQCK4BGAsYHg/w640-h334/pic15.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> This is where you add your users’
usernames for the GUI as well as their passwords.
I kept it simple with a username of carlos and a password of 1234. Again, not secure, this is just a demo… Press enter when you are done adding your
users.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-MOOBf2nGM3c/Xtf8F7tPESI/AAAAAAAAVP8/BRcaXmY6EWQdBNDAx-ymk0tWJX51acLVwCK4BGAsYHg/pic16.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="522" data-original-width="913" height="366" src="https://1.bp.blogspot.com/-MOOBf2nGM3c/Xtf8F7tPESI/AAAAAAAAVP8/BRcaXmY6EWQdBNDAx-ymk0tWJX51acLVwCK4BGAsYHg/w640-h366/pic16.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Location of the logs directory
and press enter<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-hqKaCI-K3UE/Xtf8L5lSUEI/AAAAAAAAVQI/qWlzSRqS4LUJZD75B1sCyRZ7Atu8tmOuQCK4BGAsYHg/pic17.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="584" data-original-width="910" height="410" src="https://1.bp.blogspot.com/-hqKaCI-K3UE/Xtf8L5lSUEI/AAAAAAAAVQI/qWlzSRqS4LUJZD75B1sCyRZ7Atu8tmOuQCK4BGAsYHg/w640-h410/pic17.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Finish by pressing enter to save
the client and server configuration files to your current directory<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-yG2Nk-Zaw84/Xtf8VBRXfbI/AAAAAAAAVQY/d4oyNe6Dq3UkEwxcsERJrMWcuOXsix7dwCK4BGAsYHg/pic18.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="131" data-original-width="701" height="120" src="https://1.bp.blogspot.com/-yG2Nk-Zaw84/Xtf8VBRXfbI/AAAAAAAAVQY/d4oyNe6Dq3UkEwxcsERJrMWcuOXsix7dwCK4BGAsYHg/w640-h120/pic18.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Our configuration is now
finished. We are now ready to install
Velociraptor on this Ubuntu machine. To
do that we should create Linux packages for both server and clients. To create Linux packages for the installation
of the server and Linux clients, execute this command for the server:</p>
<p class="MsoNormal" style="text-align: justify;"><b><i>#
./velociraptor-v0.4.4-linux-amd64 -c server.config.yaml debian server</i></b><o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;">And this command for the client:</p>
<p class="MsoNormal" style="text-align: justify;"><b><i>#
./velociraptor-v0.4.4-linux-amd64 -c server.config.yaml debian client</i></b><o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;"> This will grab the server
configuration file and package it inside of the .deb file so that it can
easily be handled by a package installer like “dpkg”.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lThTCvJpVEo/Xtf8iE4SGkI/AAAAAAAAVQk/jLFoZ6yIwKA5QqjNmQD-dBPt_4_Wf2_gACK4BGAsYHg/pic19.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="1074" height="106" src="https://1.bp.blogspot.com/-lThTCvJpVEo/Xtf8iE4SGkI/AAAAAAAAVQk/jLFoZ6yIwKA5QqjNmQD-dBPt_4_Wf2_gACK4BGAsYHg/w640-h106/pic19.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Since the server package is ready
for installation, let’s go ahead and install it with “dpkg”. Execute the below command to install the Debian
server package on this Ubuntu machine.
This will get the Velociraptor utility persistently installed on the
machine and ready to allow us to log in using the previously created username
and password.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-660xrddSjEQ/Xtf8tzbRN7I/AAAAAAAAVQ4/83iCP5P-CCgMANB6AgFpjnVIVheRRlHKgCK4BGAsYHg/pic20.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="366" data-original-width="852" height="274" src="https://1.bp.blogspot.com/-660xrddSjEQ/Xtf8tzbRN7I/AAAAAAAAVQ4/83iCP5P-CCgMANB6AgFpjnVIVheRRlHKgCK4BGAsYHg/w640-h274/pic20.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Installing the package also creates a new user on the machine called "velociraptor", which should be the owner of the directories that Velociraptor uses. That is not always what you get: the directories were created earlier by "root", before the package and its user existed, and the install does not necessarily reassign them. Do not assume the ownership is right; take a quick peek at the directory and see who owns it. Run ls -l on /velo:</p>
<p class="MsoNormal" style="text-align: justify;"><b><i># ls -l /velo/</i></b><o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mFSHdPMHRFc/Xtf889pOveI/AAAAAAAAVRQ/8FBxxFh3wdEvfxRSInJi0H5V6y0TSeJKwCK4BGAsYHg/pic21.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="152" data-original-width="703" height="138" src="https://1.bp.blogspot.com/-mFSHdPMHRFc/Xtf889pOveI/AAAAAAAAVRQ/8FBxxFh3wdEvfxRSInJi0H5V6y0TSeJKwCK4BGAsYHg/w640-h138/pic21.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Notice that the "logs" directory is still owned by "root". The service runs as the "velociraptor" user and cannot write into a root-owned directory, so fix this with chown. Remember that we earlier recommended keeping the datastore and the logs directory under one parent? This is one reason: a single recursive chown on the "velo" directory fixes both.</p>
<p class="MsoNormal" style="text-align: justify;"><span lang="ES-PR"><b><i># chown -R velociraptor:velociraptor /velo</i></b><o:p></o:p></span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Q1ajTVwHyIg/Xtf9HPQ-F7I/AAAAAAAAVRo/LV5BEYTFg-8AXrKwyDmsPVzBsljkSsOugCK4BGAsYHg/pic22.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="763" height="150" src="https://1.bp.blogspot.com/-Q1ajTVwHyIg/Xtf9HPQ-F7I/AAAAAAAAVRo/LV5BEYTFg-8AXrKwyDmsPVzBsljkSsOugCK4BGAsYHg/w640-h150/pic22.JPG" width="640" /></a></div><p class="MsoNormal" style="text-align: center;"><br /></p>
<p class="MsoNormal" style="text-align: justify;"> All fixed now.<span> </span><o:p></o:p></p>
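<p class="MsoNormal" style="text-align: justify;">The build, install and ownership steps above as one script, added here as an example; it is not code from the original post or from the Velociraptor project. It assumes the binary is ./velociraptor-v0.4.4-linux-amd64 in the current directory, that the datastore and logs live under /velo, that the package creates the "velociraptor" account, installs its configuration at /etc/velociraptor/server.config.yaml and registers a velociraptor_server unit, and that the built package matches velociraptor*server*.deb; adjust those if your layout differs. Instead of a blanket chown -R it audits what is wrong and repairs only that, and it also checks that the installed server configuration, which contains the CA and frontend private keys, is not readable by other users.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or the Velociraptor project.
# Builds the server and client .deb packages, installs the server package and
# audits the result instead of running a blanket "chown -R".
#
# Assumptions (not stated on the page): the binary is
# ./velociraptor-v0.4.4-linux-amd64, the datastore and logs live under /velo,
# the package creates the "velociraptor" account, installs its config at
# /etc/velociraptor/server.config.yaml and registers the velociraptor_server
# unit, and the built package is named velociraptor*server*.deb.
set -u

VELO_BIN="${VELO_BIN:-./velociraptor-v0.4.4-linux-amd64}"
SERVER_CONFIG="${SERVER_CONFIG:-server.config.yaml}"
DATASTORE="${DATASTORE:-/velo}"
SVC_USER="${SVC_USER:-velociraptor}"
INSTALLED_CONFIG="${INSTALLED_CONFIG:-/etc/velociraptor/server.config.yaml}"

# Primary group of account $1 (the group "chown user:user" would use).
primary_group() { id -gn "$1"; }

# Print every path under $1 not owned by account $2 and its primary group.
# Empty output means the tree is clean.
wrong_owner() {
    grp=$(primary_group "$2") || return 1
    find "$1" \( ! -user "$2" -o ! -group "$grp" \) -print
}

# Repair only the paths that are wrong; everything else is left untouched.
fix_owner() {
    grp=$(primary_group "$2") || return 1
    find "$1" \( ! -user "$2" -o ! -group "$grp" \) -exec chown "$2:$grp" {} +
}

# 0 when file $1 has no group/other permission bits (0600, 0700, 0400 ...).
# server.config.yaml holds the CA and frontend private keys.
is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit an installed server: account present, datastore owned by it, config
# not readable by other users. Prints each finding; returns 1 if any.
audit_install() {
    ds=$1; user=$2; cfg=$3; rc=0
    if ! id "$user" >/dev/null 2>&1; then
        echo "FAIL: service account '$user' does not exist"
        return 1
    fi
    bad=$(wrong_owner "$ds" "$user")
    if [ -n "$bad" ]; then
        echo "FAIL: paths under $ds not owned by $user:"
        echo "$bad"
        rc=1
    fi
    if ! is_private "$cfg"; then
        echo "FAIL: $cfg is readable by group/other (it holds private keys)"
        rc=1
    fi
    return "$rc"
}

case "${1:-}" in
    build)
        "$VELO_BIN" -c "$SERVER_CONFIG" debian server
        "$VELO_BIN" -c "$SERVER_CONFIG" debian client
        # the config the Windows clients will need, derived from the server config
        "$VELO_BIN" -c "$SERVER_CONFIG" config client > client.config.yaml
        ;;
    install)
        dpkg -i velociraptor*server*.deb
        systemctl is-active velociraptor_server
        ;;
    audit)
        audit_install "$DATASTORE" "$SVC_USER" "$INSTALLED_CONFIG" || {
            fix_owner "$DATASTORE" "$SVC_USER"
            chmod 600 "$INSTALLED_CONFIG"
            audit_install "$DATASTORE" "$SVC_USER" "$INSTALLED_CONFIG"
        }
        ;;
esac
```

<p class="MsoNormal" style="text-align: justify;">Run it as root with "build", "install" or "audit" as the argument; with no argument it only defines the functions, so it can also be sourced from another script. The audit is worth re-running after every upgrade of the package, since a postinst that recreates directories can reintroduce the same ownership problem.</p>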
<p class="MsoNormal" style="text-align: justify;"> We are now ready to log into the GUI. Test it and make sure that it works before deploying the configuration file to client machines. In a self-signed TLS deployment the GUI is reachable at <b><a href="https://localhost:8889/">https://localhost:8889/</a>.</b> Open a browser on the Ubuntu server and navigate to that URL.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4LHSPLQFd1A/Xtf9abaEGiI/AAAAAAAAVSE/W1Tz6vS52C0HRBA62ygQAhz6Q_9VcCi1wCK4BGAsYHg/pic23.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="727" data-original-width="1137" height="410" src="https://1.bp.blogspot.com/-4LHSPLQFd1A/Xtf9abaEGiI/AAAAAAAAVSE/W1Tz6vS52C0HRBA62ygQAhz6Q_9VcCi1wCK4BGAsYHg/w640-h410/pic23.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> If you get a security warning, you have done everything right so far. The GUI is served over TLS with a self-signed certificate, and the browser is telling you that it cannot chain that certificate to a trusted authority. This is expected, but do not make a habit of clicking through blindly: check that the fingerprint the browser shows is the one your server actually serves, which matters as soon as the GUI is reachable from anywhere other than localhost. Accept the warning and continue to the Velociraptor GUI. You should see a prompt asking for the username and password created during the Velociraptor configuration process.</p>
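<p class="MsoNormal" style="text-align: justify;">One way to do that fingerprint check from the command line, added here as an example and not code from the original post or from the Velociraptor project. It needs only the openssl tool; it assumes the GUI listens on localhost:8889 as configured above and, for the file-based variant, that the certificate you want to compare against is available as a PEM file (for instance copied out of the server configuration). The comparison normalizes colons and letter case so a value pasted from a browser's certificate dialog compares cleanly.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or the Velociraptor project.
# Pins the GUI's self-signed certificate by fingerprint: take the fingerprint
# from a trusted vantage point (on the server itself, or from the certificate
# file), then compare it with what a browser or a remote s_client sees.
# Assumes the openssl command line tool and the GUI on localhost:8889.
set -u

# Reduce "SHA256 Fingerprint=AB:CD:..." to "abcd..." so different sources
# (openssl, a browser dialog, sha256sum of the DER) compare as plain text.
normalize_fp() {
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate presented by $1:$2, normalized.
tls_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Fingerprint of a PEM certificate file, normalized.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}

# 0 when $1 and $2 are the same non-empty fingerprint, ignoring colons/case.
same_fingerprint() {
    a=$(printf '%s\n' "$1" | normalize_fp)
    b=$(printf '%s\n' "$2" | normalize_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Refuse to proceed unless the live service presents the expected certificate.
pin_check() {
    live=$(tls_fingerprint "$1" "$2")
    if same_fingerprint "$live" "$3"; then
        echo "OK: $1:$2 presents $live"
    else
        echo "MISMATCH: $1:$2 presents '$live', expected '$3'"
        return 1
    fi
}

case "${1:-}" in
    show)  tls_fingerprint "${2:-localhost}" "${3:-8889}" ;;
    check) pin_check "$2" "$3" "$4" ;;
esac
```

<p class="MsoNormal" style="text-align: justify;">Run "show localhost 8889" on the server console to print the fingerprint, then compare it with the SHA-256 value in the browser's certificate details, or run "check HOST 8889 FINGERPRINT" from a workstation to have the comparison done and a non-zero exit on mismatch. Record the fingerprint somewhere the analysts can find it; it changes only when you regenerate the server configuration.</p>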
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mRMlkigJna8/Xtf9iV36rEI/AAAAAAAAVSc/LzIcsmmnA7Urs7Q9TN-Nmii8sdfmf3gIQCK4BGAsYHg/pic24.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="538" data-original-width="1073" height="320" src="https://1.bp.blogspot.com/-mRMlkigJna8/Xtf9iV36rEI/AAAAAAAAVSc/LzIcsmmnA7Urs7Q9TN-Nmii8sdfmf3gIQCK4BGAsYHg/w640-h320/pic24.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Enter the username and password
created earlier and log in.<span>
</span>Congratulations.<span> </span>Marvel at the
beauty of Velociraptor!<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4rkEMgWpv2c/Xtf9qL0GD-I/AAAAAAAAVSw/PUKJwWxPm8QRwiEj6Uwyyg-Zx2rr7WG4ACK4BGAsYHg/pic25.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="820" data-original-width="937" height="560" src="https://1.bp.blogspot.com/-4rkEMgWpv2c/Xtf9qL0GD-I/AAAAAAAAVSw/PUKJwWxPm8QRwiEj6Uwyyg-Zx2rr7WG4ACK4BGAsYHg/w640-h560/pic25.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Awesome! You now have a Velociraptor server that is waiting for clients to connect to it.<span> </span>If you click on the “magnifying glass” you
can see the clients that are currently talking to your server.<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UM9GvWpQxVI/Xtf9yNK5dvI/AAAAAAAAVS8/nTNd2FwmJCAQAGMJOsTvgRyevC8LWKr5ACK4BGAsYHg/pic26.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="532" data-original-width="621" height="548" src="https://1.bp.blogspot.com/-UM9GvWpQxVI/Xtf9yNK5dvI/AAAAAAAAVS8/nTNd2FwmJCAQAGMJOsTvgRyevC8LWKr5ACK4BGAsYHg/w640-h548/pic26.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Unfortunately, there are no clients talking to it. Let us change that. To get a client communicating with your Velociraptor server you have to extract the "client.config.yaml" file from the server and get it over to the Windows machine, which is our client in this demo. Everything the client needs in order to reach and trust the server, including the frontend URL and the CA certificate it will verify the server against, is stored in that file, so transfer it intact.</p>
<p class="MsoNormal" style="text-align: justify;"> We have tested Velociraptor so far
on Windows 7, Windows 10, Server 2012 and Server 2016 and the Velociraptor
client has worked perfectly on all versions.<span>
</span><span> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-align: justify;"> The easiest method of installation that I have found so far has been installing the Velociraptor client on a Windows machine via the Windows MSI installation package. The MSI can be downloaded from <a href="https://github.com/Velocidex/velociraptor/releases/tag/v0.4.2" target="_blank">here</a>. As of this writing Mike has not made the MSI for 0.4.4 accessible, but the MSI for version 0.4.2 should work for 0.4.4 as well, as you will see below. The Velociraptor MSI is Authenticode-signed, so you can check that it really comes from the publisher before running it, and Windows Defender should therefore allow the installation rather than quarantine it; keep in mind that a valid signature is evidence of origin, not a guarantee that every endpoint product will leave the file alone. The MSI installs Velociraptor as a service that starts at boot. When the service starts, it attempts to load a configuration file called velociraptor.config.yaml from the C:\Program Files\Velociraptor directory.</p>
<p class="MsoNormal" style="text-align: justify;"> This means that if the C:\Program Files\Velociraptor directory does not exist, you will need to create it. It also means that the client.config.yaml configuration file needs to be renamed to velociraptor.config.yaml after it has been copied into the C:\Program Files\Velociraptor directory along with the MSI.</p>
<p class="MsoNormal" style="text-align: justify;"> It should look like this…<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-cbVygqX-0DU/Xtf-XEvThPI/AAAAAAAAVTs/W1gJP0EjzOkUjQiCf4JfQfKri-fBxrWRgCK4BGAsYHg/pic27.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="226" data-original-width="644" height="224" src="https://1.bp.blogspot.com/-cbVygqX-0DU/Xtf-XEvThPI/AAAAAAAAVTs/W1gJP0EjzOkUjQiCf4JfQfKri-fBxrWRgCK4BGAsYHg/w640-h224/pic27.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> OK. We are just one step away from getting this Windows machine talking with the Velociraptor server, but first we need to tell the Windows machine how to resolve the DNS name that we assigned to Velociraptor. In a lab, one easy way to do this is to add an entry to the hosts file on the Windows machine at <b>C:\Windows\System32\drivers\etc\hosts</b> (this needs an elevated editor); in production the name should come from real DNS, so that every client resolves it the same way and the entry does not have to be maintained by hand.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qV0heApgOBI/Xtf-k7nhojI/AAAAAAAAVUE/o_aSfcgtgp0Ywlrfn1wQK4AhvGSDAB6ZgCK4BGAsYHg/pic28.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="375" data-original-width="603" height="398" src="https://1.bp.blogspot.com/-qV0heApgOBI/Xtf-k7nhojI/AAAAAAAAVUE/o_aSfcgtgp0Ywlrfn1wQK4AhvGSDAB6ZgCK4BGAsYHg/w640-h398/pic28.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Finally, right click on the MSI
and select install.<span> </span><o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-oxthTnhQEZQ/Xtf-q7XSQqI/AAAAAAAAVUc/y9__3dsGB94YiLmBUMt-PC-TEieYkaf_wCK4BGAsYHg/pic29.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="871" data-original-width="1196" height="466" src="https://1.bp.blogspot.com/-oxthTnhQEZQ/Xtf-q7XSQqI/AAAAAAAAVUc/y9__3dsGB94YiLmBUMt-PC-TEieYkaf_wCK4BGAsYHg/w640-h466/pic29.png" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> If everything worked your
directory should look like this.<o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-zx40DYlkyBk/Xtf-x7A75DI/AAAAAAAAVUo/L_a0ovGgMSoBSwp5rFU108WxinTQFueUwCK4BGAsYHg/pic30.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="247" data-original-width="528" height="300" src="https://1.bp.blogspot.com/-zx40DYlkyBk/Xtf-x7A75DI/AAAAAAAAVUo/L_a0ovGgMSoBSwp5rFU108WxinTQFueUwCK4BGAsYHg/w640-h300/pic30.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> Even if your directory on the Windows machine looks like ours, nothing beats checking the Velociraptor server to see if it worked. Go back to the Velociraptor GUI, refresh the screen and boom! Success!</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jy1c_8uVhxY/Xtf-36j14eI/AAAAAAAAVU4/VbjlXI0DCgoJ1_TNEP8VicB0OgB7zNQkQCK4BGAsYHg/pic31.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="349" data-original-width="783" height="286" src="https://1.bp.blogspot.com/-jy1c_8uVhxY/Xtf-36j14eI/AAAAAAAAVU4/VbjlXI0DCgoJ1_TNEP8VicB0OgB7zNQkQCK4BGAsYHg/w640-h286/pic31.JPG" width="640" /></a></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"> You are now ready to query the client machine or machines (plural!!!) using Velociraptor. This was only the first step: connecting a client so that the server has visibility into it. Keep practicing with the utility and you will see that, out of the box, it can do a lot. Use it to query the running processes, established network connections and even installed services (like Velociraptor itself) on your client machines. The possibilities are endless.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Ov9Vz56n66A/XtgAjtJmUEI/AAAAAAAAVWE/Oo_P8ZkdIywLtqgz59buS275WQYgEkAvwCK4BGAsYHg/pic32.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="383" data-original-width="1180" height="208" src="https://1.bp.blogspot.com/-Ov9Vz56n66A/XtgAjtJmUEI/AAAAAAAAVWE/Oo_P8ZkdIywLtqgz59buS275WQYgEkAvwCK4BGAsYHg/w640-h208/pic32.JPG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: center;"><br /></div>
<p class="MsoNormal" style="text-align: justify;"><b><font size="4">Conclusion:</font><o:p></o:p></b></p>
<p class="MsoNormal" style="text-align: justify;"> Velociraptor is a very powerful free utility that can give you visibility into the host or hosts within your organization. If the article and its procedures helped you at all, we would like to hear from you. You can leave a comment and reach me on twitter: @carlos_cajigas or email carlos at <a href="https://covertbitforensics.com/" target="_blank">CovertBitForensics.com</a></p>
<p class="MsoNormal" style="text-align: justify;"><b>About the Author:</b> Carlos brings
his deep forensic experience from the West Palm Beach Florida Police Department
where he served as a digital forensics detective, examiner, and instructor
specializing in computer crime investigations. Carlos shares his expertise in
his classes on how to directly target specific files and folders that can yield
the biggest amount of answers in the least amount of time - "That way you
can have answers within minutes rather than within hours," he says, when
he teaches the FOR500 and FOR508 courses for the <a href="https://www.sans.org/profiles/carlos-cajigas/" target="_blank">SANS Institute</a>.<span> </span>Carlos is currently the Managing Partner and
Chief Technical Officer of <a href="https://covertbitforensics.com/" target="_blank">Covert Bit Forensics</a>, a firm specializing in Digital
Forensic Investigations.</p>Carloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.com4tag:blogger.com,1999:blog-1238852315716351341.post-75336629782969773432019-10-12T06:02:00.000-04:002020-02-07T13:33:27.327-04:00Use KAPE to collect data remotely and globally<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
If you have been following along with the amazing utility that KAPE is, then you are aware that it is a game changer for the forensics community. KAPE, from Eric Zimmerman, makes it possible for a first responder to collect anything from a compromised machine and automatically process the collected data. This allows the first responder to go from nothing to having a triage image and results that can quickly be analyzed. KAPE accomplishes this by giving you complete control of the data to acquire and process, through a series of targets and modules that you can select, edit, and even create. All of this functionality is available 100% for free.<br />
<br />
Well, if the benefits of using this utility for acquisition and processing are so apparent, can we then use KAPE to acquire data remotely from one or 100 machines? Allow me to tell you that the answer is an absolute YES! As a matter of fact, what if I were to tell you that you can use this utility to acquire data from a machine outside of your network, anywhere in the world, would you take advantage of it? Of course you would! I will show you how.<br />
<br />
Eric has even added functionality to send the acquired and processed data to an SFTP server. This means that KAPE can be used to collect and process anything from a machine and subsequently send the results to an SFTP server that you control. This receiving SFTP server can be set up locally in your organization or it can be publicly in the cloud. How cool is that!! <br />
<br />
The purpose of this article is to show you how to use KAPE, to collect data from a system or 100 systems and send the data from all of those systems to an SFTP server in the cloud. This will open up the possibilities to execute KAPE on a machine outside of your environment and still be able to send the data from that machine to the cloud server that you control. This can be useful, if you are in consulting and/or you are working with a client remotely. Send your client one command and done. Let’s get to it!<br />
<br />
<b><span style="font-size: large;">What we need:</span></b><br />
<br />
To pull this off, acquiring data from a machine and sending it to an SFTP server, we are going to need four things:<br />
1) KAPE<br />
KAPE can be downloaded from <a href="https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape" target="_blank">here</a><br />
2) A powershell script<br />
This powershell script is a very simple script containing the list of commands required to download and run KAPE.<br />
3) A web-server<br />
This web-server is going to host and serve KAPE. This can be a local web-server or a web-server in the cloud.<br />
4) An SFTP server<br />
This SFTP server will receive and store the data sent from KAPE. This can be a local SFTP server or an SFTP server in the cloud. It can be the same as the web-server.<br />
<br />
<b><span style="font-size: large;">Setting up the Environment: </span></b><br />
<br />
OK, with the “what we need” out of the way, let us now talk about how to actually do this. In this section I am going to go over each one of the elements of setting up this technique for data collection.<br />
<br />
1) KAPE<br />
The number one requirement for this technique to work is KAPE. Download KAPE and unzip it. Play with it and be sure that you know how to use it. This article assumes that you are familiar with KAPE and know how it works. We will not be talking about how to run KAPE, as this is an article on how to use it remotely, not on how to run it. If you have created Targets and Modules for KAPE, add them. If you have an executable that is required for one of your modules, then add it to the BIN directory. Once your files are where you want them, ZIP it up. We will push this ZIP file to the web server in the cloud a little later.<br />
<br />
2) A powershell script<br />
The next step of this technique is an important one: creating a PowerShell script that holds the commands needed to download and run KAPE on the remote machine. Since the purpose of this article is getting KAPE to run remotely, we need a way to get KAPE onto the remote machine before it can run. While speaking with my friend Mark Hallman about how to accomplish this, he gave me the idea of hosting KAPE on a web server and simply having the remote machine download and run it. That is exactly what this PowerShell script does. It will download KAPE, unzip it, run it, send the data to the SFTP server, and then clean up after itself. All of that can be accomplished with the following lines.<br />
<br />
<b><i>Invoke-WebRequest -Uri http://10.10.10.10/KAPE.zip -OutFile .\KAPE.zip</i></b><br />
This command will download the previously zipped up KAPE.zip file, hosted on a web-server located at sample IP 10.10.10.10 and will be written to the current directory as KAPE.zip<br />
<br />
<b><i>Expand-Archive -Path .\KAPE.zip</i></b><br />
This commands expands the newly downloaded zip file<br />
<br />
<b><i>KAPE\KAPE\kape.exe --tsource C: --tdest C:\temp\kape\collect --tflush --target PowerShellConsole --scs 10.10.10.10 --scp 22 --scu user --scpw 12345678 --vhdx host --mdest C:\temp\kape\process --mflush --zm true --module NetworkDetails --mef csv --gui</i></b><br />
This command will run KAPE. This is a sample KAPE execution; KAPE will run the targets and modules of your choice depending on what you intend to capture and process. The acquired data is sent to an SFTP server listening on port 22 at sample IP 10.10.10.10 with user "user" and password "12345678". The server location, port, user and password need to be changed to match the server that you created; this SFTP server can be the same machine as the web server that serves the KAPE zip file. Keep in mind that the password sits in clear text inside the script, so anyone who can read the script can log into that account: give it a dedicated, low-privilege, SFTP-only account rather than reusing real credentials.<br />
<br />
<b><i>Remove-Item .\KAPE\ -Recurse -Confirm:$false -Force</i></b><br />
This command removes the kape directory that was unzipped, the same directory that contained your KAPE executable and the targets and modules as well as your files in the BIN directory.<br />
<br />
<b><i>Remove-Item .\KAPE.zip</i></b><br />
This command removes the KAPE zip file that was downloaded by the Invoke-WebRequest at the beginning of the script.<br />
<br />
Folks, that is it. That is the entirety of the PowerShell script. Put these five commands together in a text file, save it with a .ps1 extension, and your script is ready. Alternatively, you can download a sample script from my github <a href="https://github.com/CarlosCajigas/X1027_Get_DoKape_V0.1" target="_blank">here</a>.<br />
<br />
3) A web-server<br />
The next step of this technique is to set up a web server to host the KAPE.zip file. This web server can be hosted locally or publicly in the cloud. For the purposes of this article and for ease of use, I decided to host an Ubuntu web server in AWS. I installed Apache on it and made sure that port 80 was publicly accessible. I then uploaded the KAPE.zip file and the X1027_Get_DoKape script to /var/www/html so that both could be publicly accessible. Remember that this makes the script, and the SFTP password inside it, readable by anyone who finds the URL; restrict access where you can (for example to the client's source addresses) and take the files down when the engagement is over.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-ESNS-X1h0E8/XaGf49EimtI/AAAAAAAATAY/VV3_BzcNCVAG8gPvkacaKuikL6zlyUSFwCLcBGAsYHQ/s1600/1_webserver.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="155" data-original-width="856" height="113" src="https://1.bp.blogspot.com/-ESNS-X1h0E8/XaGf49EimtI/AAAAAAAATAY/VV3_BzcNCVAG8gPvkacaKuikL6zlyUSFwCLcBGAsYHQ/s640/1_webserver.PNG" width="640" /></a></div>
<br />
<br />
4) An SFTP server<br />
The last step is to set up an SFTP server that can receive the data KAPE will send to it. This requires a server with ssh listening on the port of your choice, traditionally port 22, but it doesn't have to be. For the purposes of this article I went ahead and used the same server from step 3. Now, a couple of things to keep in mind. Since this is an ssh server in the cloud, I created a new user with a very strong password and changed the ssh port from 22 to another port. Because that password is also embedded in the script, it is worth going further and restricting the account to SFTP only, with no shell. If you are also going to use AWS, don't forget to edit the sshd_config file so that it can accept password authentication, ideally for the collection account only rather than globally.<br />
<br />
That's it. That is all the setup that is required. We are now ready to test this.<br />
<br />
<b><span style="font-size: large;">The Test:</span></b><br />
<br />
Now that the environment has been set up, all you have to do is get the remote machine to run the powershell script. If you want to accomplish this task against 100 machines, one way to do this is to push the script to the remote machines via invoke-command. This requires powershell remoting to be enabled in your organization, and if it is, you are in luck.<br />
<br />
Prior to pushing the script to the remote machine, I like to test the invoke-command execution. One way that you can do this is by issuing the below command. This command connects to the remote machines and runs “hostname” to get a visual that the machines you wanted to talk to, are in fact responding.<br />
<br />
<b><i>Invoke-Command -ComputerName (Get-Content .\computers.txt) -Credential carlos -ScriptBlock {hostname}</i></b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-afK3ilN3uk4/XaGgXTeWNVI/AAAAAAAATAg/0R3OzexA3fsSmwp2maZWAyh6s9nltMVHwCLcBGAsYHQ/s1600/2_hostname.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="93" data-original-width="1125" height="52" src="https://1.bp.blogspot.com/-afK3ilN3uk4/XaGgXTeWNVI/AAAAAAAATAg/0R3OzexA3fsSmwp2maZWAyh6s9nltMVHwCLcBGAsYHQ/s640/2_hostname.PNG" width="640" /></a></div>
<br />
<br />
As you can see, we were able to communicate with two systems via the invoke-command execution. One was labeled FOR01 and the other was labeled FOR02. These are exactly the two hostnames inside of the computers.txt file.<br />
<br />
We are now ready to push the script over to the machines. This is an example of how to do it with Invoke-Command; the -FilePath parameter reads the local script and runs its contents on each remote host, so the script never has to be copied there first.<br />
<br />
<b><i>Invoke-Command -ComputerName (Get-Content .\computers.txt) -Credential carlos -FilePath .\X1027_Get_DoKape_V0.1.ps1</i></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-NiS6cbaZ-dk/XaGhHXC3maI/AAAAAAAATAo/-FrMWNaKAaY6HRwP4vdQ8vIcZxzROMAGACLcBGAsYHQ/s1600/3_kape.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1121" height="394" src="https://1.bp.blogspot.com/-NiS6cbaZ-dk/XaGhHXC3maI/AAAAAAAATAo/-FrMWNaKAaY6HRwP4vdQ8vIcZxzROMAGACLcBGAsYHQ/s640/3_kape.PNG" width="640" /></a></div>
<br />
<br />
This command will push the powershell script named X1027_Get_DoKape_V0.1.ps1 to a list of hosts contained inside of “computers.txt” using credentials for user “carlos”. I ran this command against two machines named FOR01 and FOR02. Two minutes later the data was waiting for me on the SFTP server in AWS. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-6HZjOGP8fPM/XaGhepfWqBI/AAAAAAAATAw/b0mazHo1US8ige8MD1i4IaQQben5fmNqQCLcBGAsYHQ/s1600/4_collect.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="203" data-original-width="1247" height="104" src="https://1.bp.blogspot.com/-6HZjOGP8fPM/XaGhepfWqBI/AAAAAAAATAw/b0mazHo1US8ige8MD1i4IaQQben5fmNqQCLcBGAsYHQ/s640/4_collect.PNG" width="640" /></a></div>
<br />
<br />
All that is left to do now is to download the data from the SFTP server to your examination machine and begin your analysis.<br />
<br />
There is one more thing that I would like to talk about... Do you remember that we mentioned that this technique could be used globally as well? As this is a technique that is started by running a powershell script, we can actually host and download that powershell script on any web-server and it will do its job. As a demonstration of this capability I launched a Windows Server 2016 in AWS and connected to it via RDP.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-WSAlYKIErCs/XaGhp0BYTdI/AAAAAAAATA0/voIyUcwxDH4zxVGCErYVGbVeJ9LMw3ocgCLcBGAsYHQ/s1600/5_aws.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="385" data-original-width="504" height="305" src="https://1.bp.blogspot.com/-WSAlYKIErCs/XaGhp0BYTdI/AAAAAAAATA0/voIyUcwxDH4zxVGCErYVGbVeJ9LMw3ocgCLcBGAsYHQ/s400/5_aws.PNG" width="400" /></a></div>
<br />
I then ran the below command from an Administrator prompt in the “Desktop” directory. This command fetches the script from our web server and executes it straight from memory. Because it downloads and runs code over plain HTTP, use HTTPS on a host you control when doing this for real, and expect endpoint protection to flag the download-and-execute pattern; allow-list the command for the engagement rather than switching protection off.<br />
<div style="text-align: left;">
<b><i>PowerShell "Invoke-Expression (New-Object System.Net.WebClient).downloadstring('http://52.41.38.678/X1027_Get_DoKape_V0.1.ps1')"</i></b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-9MHwpYbqW5w/XaGiJz3rB7I/AAAAAAAATA8/5tA80oN5fgkdF8NqofT-Sa-iOHk3Mh7kwCLcBGAsYHQ/s1600/6_aws2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="998" height="416" src="https://1.bp.blogspot.com/-9MHwpYbqW5w/XaGiJz3rB7I/AAAAAAAATA8/5tA80oN5fgkdF8NqofT-Sa-iOHk3Mh7kwCLcBGAsYHQ/s640/6_aws2.PNG" width="640" /></a></div>
<br />
<br />
A few minutes later the data from the server was sitting in our “collection” server, available to be analyzed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-0Lw7x_0ORhA/XaGiO64V4JI/AAAAAAAATBA/GKryGaNSzg4MpBCsQKokme1gb4QWVFQTQCLcBGAsYHQ/s1600/7_aws3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="142" data-original-width="1350" height="66" src="https://1.bp.blogspot.com/-0Lw7x_0ORhA/XaGiO64V4JI/AAAAAAAATBA/GKryGaNSzg4MpBCsQKokme1gb4QWVFQTQCLcBGAsYHQ/s640/7_aws3.PNG" width="640" /></a></div>
<br />
<br />
It should be noted that we ran this command from a CMD prompt, not even a PowerShell prompt. You can simply email this command to your client and it can be reused on as many systems as they like, anywhere in the world. I hope that you like that!<br />
<br />
<b><span style="font-size: large;">Conclusion: </span></b><br />
<br />
This is an amazingly powerful utility that is/will become the de-facto standard for triage acquisition and processing. I hope that you are able to use this technique during your acquisitions. If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas<br />
<br />
<br />
<div>
<br /></div>
</div>
Carloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.com5tag:blogger.com,1999:blog-1238852315716351341.post-10880556352470247272015-12-05T14:45:00.000-04:002015-12-07T00:09:39.748-04:00Mounting the VMFS File System of an ESXi Server Using Linux<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> It won't happen very often that you find yourself holding a hard drive that belonged to an ESXi server. These servers usually house production machines that just don't get shut down very often, and the decision to turn one off is one that I am sure was not made lightly. Whatever the scenario, it is what it is. It wasn't your call, but the client decided to shut down their ESXi server and subsequently shipped the drive to you for analysis. Now you have the drive in your hand and you have been tasked with extracting the virtual machines from it for analysis.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The underlying file system of an ESXi server is VMFS, the Virtual Machine File System. VMFS is VMware, Inc.'s clustered file system, used by the company's flagship server virtualization suite, vSphere. It was developed to store virtual machine disk images, including snapshots. Multiple servers can read and write the same file system simultaneously while individual virtual machine files are locked (source: Wikipedia). <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> As of the
date of this writing, not all of the big forensic suites have the ability to
read this file system. And I can
understand why, as it is extremely difficult for the commercial suites to offer
support for all available file systems. Fortunately
for us, it is very possible to read this file system using Linux. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The purpose
of this article is to go over the steps required to mount the VMFS file system
of the drive from an ESXi server.
Once access to the file system has been accomplished, we will acquire a
Virtual Machine stored on the drive. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">Installing
the Tools:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> For you to
be able to accomplish the task, you will have to make sure that you have vmfs-tools
installed on your Linux examination machine.
You can get the package from the repositories by running $ <i>sudo apt-get
install vmfs-tools</i>. Vmfs-tools is
included by default in LosBuntu.
LosBuntu is our own Ubuntu 14.04 distribution that can be downloaded <a href="http://mashthatkey.blogspot.com/2015/01/mash-that-key-releases-losbuntu.html" target="_blank">here</a>. If you download and boot your machine with
LosBuntu, you will be able to follow along and have the exact same environment
described in this write-up. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">The Test:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> To
illustrate the steps of mounting the partition containing the VMFS file system
on the drive, I will use a 2TB hard drive with ESXi 6.0 installed on it. This drive is from an ESXi server that I own. The ESXi server drive is currently housing
some virtual machines that we will be able to see once the file system is
mounted. I booted an examination machine
with a live version of LosBuntu and connected the drive to the machine. LosBuntu’s default behavior is to never auto-mount
drives. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Now, fire up
the terminal and let's begin with the first step of identifying the
drive. Usually the first step involves
running fdisk, so that we can identify which physical assignment was given to the
drive. Running $ <i>sudo fdisk -l</i> lists the
physical drives attached to the system; the flag -l tells fdisk to list the
partition table. Sudo gives fdisk
superuser privileges for the operations.
Press enter and type the root password (if needed, pw is "mtk").<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>$ sudo fdisk
-l</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-_7e9QsPJ0NE/VmMso3gku8I/AAAAAAAAIVQ/IHflhK73Xdg/s1600/vmfspic1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="http://3.bp.blogspot.com/-_7e9QsPJ0NE/VmMso3gku8I/AAAAAAAAIVQ/IHflhK73Xdg/s640/vmfspic1.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Not shown on the screen is /dev/sda, which is
my first internal drive, therefore /dev/sdb should be the drive of the ESXi server.
The output of fdisk gives us a warning that /dev/sdb may have
been partitioned with GPT and fdisk was unable to read the partition
table. Fdisk is telling us to use parted, so let’s do that. The following
parted command will hopefully get us closer to what we need.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>$ sudo
parted /dev/sdb print</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-EluHDi_0DUU/VmMtRDpId8I/AAAAAAAAIVY/LgJ5QEE01LU/s1600/vmfspic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="http://2.bp.blogspot.com/-EluHDi_0DUU/VmMtRDpId8I/AAAAAAAAIVY/LgJ5QEE01LU/s400/vmfspic2.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> From the
output, we can see that yes, it is indeed a GPT partitioned drive, containing multiple
partitions. The last displayed
partition, which is actually partition number three, looks to be the largest partition
of them all. Although parted was able to
read the partition table, it was unable to identify the file system contained
in partition three. We currently have a
strong suspicion that /dev/sdb is our target drive containing our target partition,
but it would be nice to have confirmation.
Let's run one more command.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>$ sudo blkid
-s TYPE /dev/sdb*</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Blkid is a command that prints block device attributes. The flag -s TYPE prints only the file system
type of the partitions contained in /dev/sdb. We used an asterisk “*” after sdb so that
blkid shows us the file system types of all partitions located on physical
device sdb, like sdb1, sdb2, sdb3 and so on.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-3zF9CDsFM8o/VmMt5Mpw6LI/AAAAAAAAIVg/TaxHw5L8BGc/s1600/vmfspic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="http://4.bp.blogspot.com/-3zF9CDsFM8o/VmMt5Mpw6LI/AAAAAAAAIVg/TaxHw5L8BGc/s400/vmfspic4.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Finally, we
can now see that /dev/sdb3 is the partition that contains the VMFS volume. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> To mount the
file system we are going to have to call upon vmfs-fuse, which is one of the
commands contained within the vmfs-tools package built into LosBuntu. But before we call upon vmfs-fuse, we need to
create a directory to mount the VMFS volume.
Type $<i> sudo mkdir /mnt/vmfs</i> to create our mount point.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Mount the
VMFS file system contained in /dev/sdb3 to /mnt/vmfs with the below command<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>$ sudo
vmfs-fuse /dev/sdb3 /mnt/vmfs/</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><br /></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-mDckBvWvOQc/VmMuaQaY7rI/AAAAAAAAIVo/LRhzPpC3_l0/s1600/vmfspic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="http://3.bp.blogspot.com/-mDckBvWvOQc/VmMuaQaY7rI/AAAAAAAAIVo/LRhzPpC3_l0/s400/vmfspic5.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> As you can
see, the execution of the command simply gave us our prompt back. As my friend Gene says, “You will not get a pat on the back telling you
that you ran your command correctly or that it ran successfully, so we need to
go check.” True and amusing at the same
time…<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Check the
contents of /mnt/vmfs by first elevating our privileges to root, with $ <i>sudo su</i>
and then by listing its contents with # <i>ls -l /mnt/vmfs</i>.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-GfUIJE3umJc/VmMuszGk58I/AAAAAAAAIVw/GBV6CGYSmW8/s1600/vmfspic6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://2.bp.blogspot.com/-GfUIJE3umJc/VmMuszGk58I/AAAAAAAAIVw/GBV6CGYSmW8/s400/vmfspic6.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Great! We can read the volume and we see that we have many directories belonging to Virtual Machines. From here
you can remain in the terminal and navigate to any of these directories, or you
can fire up nautilus and have a GUI to navigate. The following command will open nautilus at
the location of your mount point as root.
It is important to open nautilus as root so that your GUI can have the
necessary permissions to navigate the vmfs mount point that was created by
root. <o:p></o:p></span></div>
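<div class="MsoNormal" style="text-align: justify;">
The identification and mount steps above, gathered into one script as an added example (this is not code from the original post or from the vmfs-tools project). It assumes the evidence drive sits behind a write blocker, that blkid is available, and that the device names, mount point and the sample blkid output embedded in it are constructed for illustration; the matcher accepts both labels that libblkid can assign to a VMFS datastore partition, which goes slightly beyond the single case shown in the screenshots.</div>

```sh
#!/bin/sh
# Added example (not from the original post): pick the VMFS partition out of
# blkid output and mount it with vmfs-fuse. Device names, the mount point and
# the sample output below are constructed for this example.

# Constructed sample of what `blkid -s TYPE /dev/sdb*` prints for an ESXi
# boot disk: several small FAT partitions plus the datastore. libblkid labels
# a VMFS datastore partition either "VMFS" or "VMFS_volume_member", so the
# matcher below accepts both.
SAMPLE_BLKID='/dev/sdb1: TYPE="vfat"
/dev/sdb5: TYPE="vfat"
/dev/sdb6: TYPE="vfat"
/dev/sdb3: TYPE="VMFS_volume_member"'

find_vmfs_partition() {
    # $1: blkid output. Prints the first device carrying a VMFS volume;
    # returns 1 (and prints nothing) when there is none.
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'TYPE="VMFS"'*|*'TYPE="VMFS_volume_member"'*)
                printf '%s\n' "${line%%:*}" ;;
        esac
    done | head -n 1 | grep .
}

mount_vmfs_ro() {
    # $1: partition device, $2: mount point. vmfs-fuse gives read-only access
    # to the volume; the evidence drive is assumed to sit behind a write blocker.
    dev=$1; mnt=$2
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    sudo mkdir -p "$mnt"
    sudo vmfs-fuse "$dev" "$mnt" || return 1
    # A silent return is all vmfs-fuse gives on success, so verify by listing.
    sudo ls -l "$mnt"
}

# Live usage on the examination machine, e.g.:
#   sh vmfs_mount.sh --live /dev/sdb /mnt/vmfs
# Without --live the script only runs the matcher over the constructed sample.
if [ "${1:-}" = "--live" ]; then
    disk=${2:?usage: --live /dev/sdX [mountpoint]}
    mnt=${3:-/mnt/vmfs}
    part=$(find_vmfs_partition "$(sudo blkid -s TYPE "$disk"*)") ||
        { echo "no VMFS partition found on $disk" >&2; exit 1; }
    echo "VMFS volume on $part"
    mount_vmfs_ro "$part" "$mnt"
else
    find_vmfs_partition "$SAMPLE_BLKID"
fi
```

<div class="MsoNormal" style="text-align: justify;">
Run without arguments it only prints the device picked from the constructed sample; with --live it queries blkid for the disk you name, refuses to continue if no VMFS partition is found, and lists the mount point afterwards because vmfs-fuse itself stays silent on success.</div>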
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b># nautilus
/mnt/vmfs</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-m6KIrDWVnTk/VmMvD0SdJfI/AAAAAAAAIV4/DSf4wudHHnE/s1600/vmfspic7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://4.bp.blogspot.com/-m6KIrDWVnTk/VmMvD0SdJfI/AAAAAAAAIV4/DSf4wudHHnE/s640/vmfspic7.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Insert
another drive to your examination machine and copy out any of the Virtual
Machines that are in scope. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Another
option would be to make a forensic image of the Virtual Machine. For example, we can navigate to the
Server2008R2DC01 directory, which houses the Domain Controller used on the
previous write-up about examining Security logs. Find that article <a href="http://mashthatkey.blogspot.com/2015/12/crafting-queries-and-extracting-data.html" target="_blank">here</a>.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-o9T9Nw70xow/VmMvVTe9JxI/AAAAAAAAIWA/iXp0MH79J9k/s1600/vmfspic8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="http://2.bp.blogspot.com/-o9T9Nw70xow/VmMvVTe9JxI/AAAAAAAAIWA/iXp0MH79J9k/s640/vmfspic8.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> In this specific
instance, this Virtual Machine does not contain snapshots. This means that the Server2008R2DC01-flat.vmdk
is the only virtual disk in this directory responsible for storing the data on
disk about this server. If the opposite
were true, you would have to collect all of the delta-snapshot.vmdk files to
put back together at a later time. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The Server2008R2DC01-flat.vmdk file is a raw representation of the disk.
It is not compressed and can be read and mounted directly. The partition table can be read with the
Sleuth Kit tool mmls. Mmls is a tool that
can display the partition layout of volumes. Type the following into the terminal and
press enter. The flag -a is to show
allocated volumes, and the flag -B is to include a column with the partition
sizes in bytes.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b># mmls -aB
Server2008R2DC01-flat.vmdk</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-rz2eU39l83M/VmMv2K7NAyI/AAAAAAAAIWI/n-fbVo_eJu4/s1600/vmfspic9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://1.bp.blogspot.com/-rz2eU39l83M/VmMv2K7NAyI/AAAAAAAAIWI/n-fbVo_eJu4/s640/vmfspic9.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> You can see
that the 50GB NTFS file system starts at sector offset 206848.<o:p></o:p></span></div>
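<div class="MsoNormal" style="text-align: justify;">
As an added example (not code from the original post or from The Sleuth Kit), the following script turns the mmls layout above into a read-only loop mount of the NTFS partition inside the flat vmdk. Only the 206848 start sector comes from the post; the rest of the embedded mmls output, the mount point and the file names are constructed. It also reads the sector size from the mmls header rather than assuming 512 bytes, which is a generalisation beyond the single disk shown here.</div>

```sh
#!/bin/sh
# Added example (not from the original post): read the partition layout that
# mmls reports for a -flat.vmdk, turn the start sector of the largest NTFS
# partition into a byte offset, and mount that partition read-only through a
# loop device. The sample below is constructed; only the 206848 start sector
# comes from the post, the other numbers are made up for a 100M + 50G layout.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size    Description
000:  Meta      0000000000   0000000000   0000000001   0512B   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   1024K   Unallocated
002:  000:000   0000002048   0000206847   0000204800   0100M   NTFS (0x07)
003:  000:001   0000206848   0105064447   0104857600   0050G   NTFS (0x07)'

mmls_sector_size() {
    # $1: mmls output. Reads the sector size from the "Units are in N-byte
    # sectors" header instead of assuming 512, so 4K-sector images work too.
    sz=$(printf '%s\n' "$1" |
        sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p' | head -n 1)
    printf '%s\n' "${sz:-512}"
}

largest_partition_start() {
    # $1: mmls output, $2: pattern for the Description column (e.g. NTFS).
    # Prints the start sector of the largest partition whose description
    # matches; returns 1 when nothing matches. Start is column 3 and Length
    # column 5 whether or not -B added the Size column.
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+:$/ && $0 ~ want && $5 + 0 > best { best = $5 + 0; start = $3 + 0 }
        END { if (start == "") exit 1; print start }'
}

partition_byte_offset() {
    # $1: mmls output, $2: description pattern. Prints the byte offset that
    # mount -o offset= expects: start sector times sector size.
    start=$(largest_partition_start "$1" "$2") || return 1
    echo $(( start * $(mmls_sector_size "$1") ))
}

mount_vmdk_partition_ro() {
    # $1: -flat.vmdk, $2: byte offset, $3: mount point. ro keeps the evidence
    # file untouched; loop lets mount address a partition inside a flat file.
    sudo mkdir -p "$3"
    sudo mount -o ro,loop,offset="$2" "$1" "$3"
}

# Live usage, e.g.:
#   sh vmdk_mount.sh --live Server2008R2DC01-flat.vmdk /mnt/vm_c
# Without --live the script only evaluates the constructed sample.
if [ "${1:-}" = "--live" ]; then
    vmdk=${2:?usage: --live file-flat.vmdk [mountpoint]}
    mnt=${3:-/mnt/vm_c}
    layout=$(mmls -aB "$vmdk")
    off=$(partition_byte_offset "$layout" NTFS) ||
        { echo "no NTFS partition in $vmdk" >&2; exit 1; }
    sha256sum "$vmdk"          # record the hash before working with the image
    mount_vmdk_partition_ro "$vmdk" "$off" "$mnt"
else
    partition_byte_offset "$SAMPLE_MMLS" NTFS
fi
```

<div class="MsoNormal" style="text-align: justify;">
On a GPT-partitioned guest mmls describes the volume as "Basic data partition" rather than "NTFS (0x07)", so pass that pattern as the second argument instead. The hash is printed before the mount so it can be compared against the E01 acquired with Guymager later.</div>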
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> If you want to
acquire this virtual disk in E01 format, add the flat-vmdk file to Guymager as
a special device and acquire it to another drive.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-Zurk1dYnuaE/VmMv_bvh75I/AAAAAAAAIWQ/EYoICKm2ih4/s1600/vmfspic10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://2.bp.blogspot.com/-Zurk1dYnuaE/VmMv_bvh75I/AAAAAAAAIWQ/EYoICKm2ih4/s640/vmfspic10.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">And there
you have it!<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">Conclusion:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Using free
and open source tools you have been able to mount and acquire images of Virtual
Machines contained in the file system of a drive belonging to an ESXi server. </span><span style="font-family: "calibri" , sans-serif;">If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
Carloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.com13tag:blogger.com,1999:blog-1238852315716351341.post-55829465580119590892015-12-02T08:07:00.001-04:002016-01-11T10:05:56.989-04:00Crafting Queries and Extracting Data from Event Logs using Microsoft Log Parser <div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> During a recent engagement, while hunting for
threats in a client's environment, I got tasked with having to analyze over a
terabyte worth of security (Security.evtx) event logs. A terabyte worth of logs amounts to a lot of
logs. We are talking close to a thousand
logs, each containing approximately 400,000 events from dozens of Windows
servers, including multiple domain controllers.
Did I say, a lot of logs? <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Unfortunately, this wasn't the only task of
the engagement, so I needed to go through these logs and I needed to do it
quickly. I needed to do it quickly
because like in most engagements, time is against you.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> When you only have a few logs to look at, one
of my tools of choice on the Windows side is <a href="http://www.eventlogxp.com/" target="_blank">Event Log Explorer</a>. Event Log Explorer is great. It is a robust, popular, GUI tool with
excellent filtering capabilities. On the
Linux side, I have used Log2timeline to convert dozens of evtx files to CSV
and then filter the CSV file for the data that I was looking for. But this was another animal, a different
beast. This beast needed a tool that
could parse very large amounts of logs and have the ability to filter for
specific events within the data. The
answer to the problem came in the form of a tiny tool simply called Log Parser.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Log Parser is a free tool designed by
Microsoft. You can download
the tool <a href="http://www.microsoft.com/en-us/download/details.aspx?id=24659" target="_blank">here</a>. According to the documentation from the site,
the tool is described in this manner: “Log Parser is a powerful, versatile tool
that provides universal query access to text-based data such as log files, XML
files and CSV files.” That one-liner
perfectly sums up why the tool is so powerful, yet not as popular as other
tools. Log Parser provides query access
to data. What does that mean? This means that if you want to parse data
with this tool you have to be somewhat comfortable with the Structured Query
Language (SQL). The tool will only cough
up data if it is fed SQL-like queries.
The use of SQL-like queries for filtering data is what gives the tool
its power and control, while at the same time becoming a stopping point and a
deal breaker for anyone not comfortable with SQL queries. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The purpose of this article is to attempt to
explain the basic queries required to get you started with the tool and in the
process show the power of the tool and how it helped me make small rocks out of big rocks. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">Installing the Tools:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The tool is downloaded from <a href="http://www.microsoft.com/en-us/download/details.aspx?id=24659" target="_blank">here</a> in
the form of an msi. It installs using a
graphical installation, very much like many other tools. Once installed the tool runs from the command
line only. For the purposes of the
article, I will be using a security log extracted from a Windows Server 2008R2
Domain Controller that I own, and use for testing such as this. If you want to follow along, you can extract
the Security.evtx log from a similar server or even your Windows 7
machine. The log is located under
\Windows\System32\winevt\Logs.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">The Test:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Log Parser is a command line only
utility. To get started open up a
command prompt and navigate to the Log Parser installation directory located
under C:\Program Files (x86)\Log Parser 2.2.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-Jfp9bWXkflk/Vl7MOJb3_wI/AAAAAAAAIQs/iQAymI4TiXA/s1600/LogParserPic1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://1.bp.blogspot.com/-Jfp9bWXkflk/Vl7MOJb3_wI/AAAAAAAAIQs/iQAymI4TiXA/s400/LogParserPic1.PNG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The security log that I will be using for the
write-up is called LosDC.evtx. The log
contains exactly 5,731 entries. It is
not a large log, but it contains the data that we need to illustrate the usage
of the tool. I extracted the log and
placed it on my Windows 7 examination machine in a directory on the Desktop
called “Test.”<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-cIkqA7lCalc/Vl7MidIbplI/AAAAAAAAIQ0/46-a9oZWk7U/s1600/LogParserPic2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="http://4.bp.blogspot.com/-cIkqA7lCalc/Vl7MidIbplI/AAAAAAAAIQ0/46-a9oZWk7U/s400/LogParserPic2.PNG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Now, the most basic SQL query that one can
run looks something like this. It is
called a select statement: “select *
from LosDC.evtx”. The ‘select’, as you
suspected, selects data that matches your criteria from the columns in your log. In this instance we are not doing any
matching yet; we are simply telling the tool to select everything by using an
asterisk “*” from the LosDC.evtx log.
The tool needs to know what kind of file it is looking at. You tell the tool that it is reading data
from an event log with the -i:evt parameter, like so:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>LogParser.exe "select * from
C:\Users\carlos\Desktop\Test\LosDC.evtx" -i:evt</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/--YUCg9v98qY/Vl7MzAjnWaI/AAAAAAAAIQ8/7PDAsgCWm1I/s1600/LogParserPic3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="http://1.bp.blogspot.com/--YUCg9v98qY/Vl7MzAjnWaI/AAAAAAAAIQ8/7PDAsgCWm1I/s640/LogParserPic3.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> This query will send the first 10 lines of
the file to standard output, and a lot of
data is going to be sent to the screen.
It is very difficult to make any use of the data at this point. The only positive that comes from this
command is that you can begin to see the names of the columns in the event log,
like “TimeGenerated”, “EventID”, and so on.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> An easier way to see the columns in the event
log is by using the datagrid output feature, which sends the data to a GUI,
like so:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>LogParser.exe "select * from
C:\Users\carlos\Desktop\Test\LosDC.evtx" -i:evt -o:datagrid</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-OP4XQ4bMAMI/Vl7NI2BAPMI/AAAAAAAAIRE/dZO3UBCdB64/s1600/LogParserPic4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://3.bp.blogspot.com/-OP4XQ4bMAMI/Vl7NI2BAPMI/AAAAAAAAIRE/dZO3UBCdB64/s640/LogParserPic4.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Thanks to the GUI it is now easier to see the
TimeGenerated and EventID columns. Also,
I want to point out the “Strings” column, which contains data that is very
valuable to us. The majority of the
important data that we are after is going to be contained in this column. So let us take a closer look at it. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> If we build upon our last query and we now
replace the asterisk "*" with the name of a specific column, the tool will now send
the data matching our criteria to standard output, like so:</span><br />
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>LogParser.exe "select strings from
C:\Users\carlos\Desktop\Test\LosDC.evtx" -i:evt</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-4W9aDm-2ifw/Vl7Na8sfVpI/AAAAAAAAIRM/dWWjXBkZJl8/s1600/LogParserPic5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="http://3.bp.blogspot.com/-4W9aDm-2ifw/Vl7Na8sfVpI/AAAAAAAAIRM/dWWjXBkZJl8/s640/LogParserPic5.JPG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Notice that the tool is now displaying only
the information that is found in the Strings column. The data is displayed in a delimited
format, and the delimiter is the
pipe. Field number 5 contains the
username of the account, field number 8 contains the logon type, and field
number 18 contains the source IP of the system that was used to authenticate
against the domain controller. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">You have probably seen this data displayed in
a prettier manner by Event Log Explorer.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-_6LcsCCz_7I/Vl7Np9vMykI/AAAAAAAAIRU/dH4A56EVaUE/s1600/LogParserPic6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://4.bp.blogspot.com/-_6LcsCCz_7I/Vl7Np9vMykI/AAAAAAAAIRU/dH4A56EVaUE/s400/LogParserPic6.JPG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Yet it is in fact the same data, and Log Parser
has the ability to extract this data from hundreds of log files quickly and
efficiently. But to accomplish this we
have to continue adding to our query. In
my recent case I was looking for the username, the logon type, and the source IP of
all successful logins. As mentioned earlier,
this data was being stored in field 5, field 8, and field 18 of the Strings
column. To extract that data we need to craft
a query that pulls these specific fields out of the Strings column. To accomplish that, we have to introduce a Log
Parser function called extract_token.
The extract_token function gives Log Parser the ability to extract data
from delimited columns like the Strings column. </span><br />
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span>
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> To extract the data from the fifth delimited field in the Strings column
we need to add this to our query:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>extract_token(strings,5,'|') AS User</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Let me break this down. extract_token is the
function. We open a parenthesis, and inside
the parentheses we tell the function to go into the strings column and pull
out the fifth field, delimited by a pipe “|”, and then we close the
parenthesis. “AS User” is used so that
once the data is pulled out of the Strings column it is displayed in a new column named “User”. It is
like telling the function “Hey, display this as 'User'.” <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> To pull the data from the eighth field in the
Strings column, we use this function:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>extract_token(strings,8,'|') AS LogonType</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> And finally to pull the data from the
eighteenth field in the Strings column, we use this function:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>extract_token(strings,18,'|') AS SourceIP</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> We put it all together with the following
query:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>LogParser.exe "select TimeGenerated, EventID,
extract_token(strings,5,'|') AS User, extract_token(strings,8,'|') AS
LogonType, extract_token(strings,18,'|') AS SourceIP into
C:\Users\carlos\Desktop\Test\LosDC_4624_logons.csv from
C:\Users\carlos\Desktop\Test\LosDC.evtx where eventid in (4624)" -i:evt
-o:csv</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-Um6pXk44vLU/Vl7ORp27GLI/AAAAAAAAIRc/a8FaoDvzcIc/s1600/LogParserPic7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="http://2.bp.blogspot.com/-Um6pXk44vLU/Vl7ORp27GLI/AAAAAAAAIRc/a8FaoDvzcIc/s640/LogParserPic7.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The select statement now selects the TimeGenerated and EventID columns, followed by the three
extract_token functions that pull the data from the Strings column. Into is an optional clause that specifies
that the data be redirected to a file named
LosDC_4624_logons.csv in the Test directory. From specifies the file to be queried, which
is the LosDC.evtx log. Where is also an
optional clause; it restricts the output to the rows matching the
criteria described. The criterion
in this query is events with 4624 in the eventid column. The -o:csv is another output format like the
datagrid, except this one sends the data to a CSV file rather than a GUI.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> This is an example of what you can gather
from the resulting CSV file. This is
what you would see if you were to sort the data in the CSV file by user.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-nI3z9_fk0T4/Vl7OkTdoiRI/AAAAAAAAIRk/YeYrqe4o0MM/s1600/LogParserPic8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="http://1.bp.blogspot.com/-nI3z9_fk0T4/Vl7OkTdoiRI/AAAAAAAAIRk/YeYrqe4o0MM/s640/LogParserPic8.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-3GgVuySvMAI/Vl7OqDxOYAI/AAAAAAAAIRs/ozQSG050rdI/s1600/LogParserPic9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="http://3.bp.blogspot.com/-3GgVuySvMAI/Vl7OqDxOYAI/AAAAAAAAIRs/ozQSG050rdI/s400/LogParserPic9.PNG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Notice the times and the source IP that were used
by user “larry” when he used the RDP protocol (Logon Type 10) to remotely
log in to his system. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Cool, Right?<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> I want to point out that this log only
contained 5,731 entries and that the data redirected to the CSV file consisted of
1,418 lines. That data was parsed and
redirected in less than 0.2 seconds.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-2bLEzPdkR60/Vl7PVCsDe_I/AAAAAAAAIR0/lNDSQu0NJoA/s1600/LogParserPic10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="http://1.bp.blogspot.com/-2bLEzPdkR60/Vl7PVCsDe_I/AAAAAAAAIR0/lNDSQu0NJoA/s400/LogParserPic10.PNG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> That is another example of the power of
the tool. Keep in mind that when you are parsing gigabytes worth of logs, the resulting CSV files are going to
be enormous. Below is an Explorer
screenshot displaying the amount of security event logs from one of the servers in
my case (the server name has been removed to protect the innocent).<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-n0SsctyBQq4/Vl7PcseOxsI/AAAAAAAAIR8/34974b9HU-8/s1600/LogParserPic11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="http://2.bp.blogspot.com/-n0SsctyBQq4/Vl7PcseOxsI/AAAAAAAAIR8/34974b9HU-8/s400/LogParserPic11.JPG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The sample data from that server was
40GB. It was made up of 138 files, each
with approximately 416,000 records.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The tool parsed all of that data in only
23 minutes.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-W_6dNJKmmH4/Vl7Pm8UWoMI/AAAAAAAAISE/0X1Npbrw924/s1600/LogParserPic12.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="http://1.bp.blogspot.com/-W_6dNJKmmH4/Vl7Pm8UWoMI/AAAAAAAAISE/0X1Npbrw924/s400/LogParserPic12.JPG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> It searched 60 million records and created a CSV
file with over 700,000 lines. Although
you can certainly open a CSV file with 700,000 lines in Excel or LibreOffice Calc,
it is probably not a good idea. Don't
forget that you can search the CSV file directly from the command prompt with find. </span><span style="font-family: "calibri" , sans-serif;">Here is an example of searching the CSV
file for user "larry" to quickly see which machines user "larry" used to authenticate on the Domain. </span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-KheXUnwpuXQ/Vl7XBnCrtfI/AAAAAAAAISc/dZTWMHuaxSo/s1600/LogParserPic14.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="http://3.bp.blogspot.com/-KheXUnwpuXQ/Vl7XBnCrtfI/AAAAAAAAISc/dZTWMHuaxSo/s640/LogParserPic14.PNG" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif;"> And there you have it!</span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
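<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif;"> For readers who want to see what the query above is doing step by step, here is the same pipeline written in plain Python. This is an added example, not code from the post or from Log Parser: it reproduces extract_token() on fields 5, 8 and 18 (counted from zero, as EXTRACT_TOKEN does), the eventid filter, the CSV output, and the final "find larry" step generalised to every user. All records in it are constructed sample data.</span></div>

```python
"""
Added example, not code from the original post or from Log Parser: the post's
4624 query reproduced in plain Python so the extract_token() step and the
'where eventid in (4624)' filter can be read line by line. All records below
are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass

CSV_COLUMNS = ["TimeGenerated", "EventID", "User", "LogonType", "SourceIP"]


@dataclass
class EventRecord:
    """One row as Log Parser's EVT input format exposes it."""
    time_generated: str
    event_id: int
    strings: str  # the pipe-delimited Strings column discussed in the post


def extract_token(value: str, index: int, sep: str = "|") -> str:
    """Mimic Log Parser's EXTRACT_TOKEN(): return the token at position
    'index' (counted from zero, as EXTRACT_TOKEN does), or an empty string
    when the record has fewer fields than expected."""
    parts = value.split(sep)
    return parts[index] if 0 <= index < len(parts) else ""


def make_4624_strings(user, logon_type, ip, workstation, domain="CORP"):
    """Constructed Strings value laid out in the 4624 field order, so that
    positions 5, 8 and 18 line up with User, LogonType and SourceIP."""
    fields = [
        "S-1-0-0", "-", "-", "0x0",                       # 0-3  Subject*
        "S-1-5-21-1-2-3-1001", user, domain,              # 4-6  TargetUserSid/Name/Domain
        "0x3e7", logon_type,                              # 7-8  TargetLogonId, LogonType
        "User32", "Negotiate", workstation,               # 9-11 LogonProcess, AuthPkg, Workstation
        "{00000000-0000-0000-0000-000000000000}", "-", "-", "0",  # 12-15
        "0x2a4", "C:\\Windows\\System32\\winlogon.exe",   # 16-17 ProcessId, ProcessName
        ip, "0",                                          # 18-19 IpAddress, IpPort
    ]
    return "|".join(fields)


# Constructed records; the 4634 (logoff) row uses a different Strings layout
# and is there only to show the WHERE clause dropping it.
SAMPLE_RECORDS = [
    EventRecord("2015-11-30 08:02:11", 4624, make_4624_strings("larry", "10", "10.1.5.23", "LARRY-PC")),
    EventRecord("2015-11-30 08:05:40", 4624, make_4624_strings("svc_backup", "3", "10.1.5.9", "BACKUP01")),
    EventRecord("2015-11-30 08:07:02", 4634, "S-1-5-21-1-2-3-1001|larry|CORP|0x3e7|10"),
    EventRecord("2015-11-30 21:14:55", 4624, make_4624_strings("larry", "10", "203.0.113.45", "LARRY-PC")),
    EventRecord("2015-11-30 21:20:13", 4624, "truncated|record"),  # too few fields
]


def query_4624(records):
    """select TimeGenerated, EventID, extract_token(strings,5,'|') AS User,
    extract_token(strings,8,'|') AS LogonType, extract_token(strings,18,'|')
    AS SourceIP ... where eventid in (4624)"""
    rows = []
    for r in records:
        if r.event_id != 4624:  # the WHERE clause
            continue
        rows.append({
            "TimeGenerated": r.time_generated,
            "EventID": r.event_id,
            "User": extract_token(r.strings, 5),
            "LogonType": extract_token(r.strings, 8),
            "SourceIP": extract_token(r.strings, 18),
        })
    return rows


def to_csv(rows) -> str:
    """Equivalent of the 'into ...csv' clause with -o:csv: render as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def rdp_sources_by_user(rows):
    """The post's final 'find larry' step, generalised to every user: the
    source IPs each account used for Logon Type 10 (RDP) logons."""
    sources = {}
    for row in rows:
        if row["LogonType"] == "10":
            sources.setdefault(row["User"], set()).add(row["SourceIP"])
    return sources


if __name__ == "__main__":
    rows = query_4624(SAMPLE_RECORDS)
    print(to_csv(rows))
    for user, ips in sorted(rdp_sources_by_user(rows).items()):
        print(f"{user}: RDP from {', '.join(sorted(ips))}")
```

A record with fewer pipe-delimited fields than expected yields empty User, LogonType and SourceIP rather than an error, which is the behaviour you want when a log mixes event layouts.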
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b><span style="font-size: large;">Conclusion:</span></b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> This is a free and powerful tool that allows
you to query very large amounts of data for specific criteria contained within
the tables of your many event log files.
If this procedure helped your investigation, we would like to hear from
you. You can leave a comment or reach me
on twitter: @carlos_cajigas <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: "calibri" , sans-serif; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;"><span style="font-family: "calibri" , sans-serif; font-size: large;"><b>Creating a Virtual Machine of a Windows 10 Disk Image Using a Linux Live Distro</b></span></div>
<div class="MsoNormal" style="text-align: justify;"><span style="font-family: "calibri" , sans-serif;">Carlos, 2015-11-10 (updated 2016-03-23)</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> The
process of converting a full physical acquisition of a hard disk into a fully
functioning virtual machine (VM) has been covered many times, probably because interacting with a machine
the same way that your suspect did just prior to its seizure is a
technique that, in my opinion, is underused but still very valuable. There are things that can be learned about
the habits of your suspect that may only be discovered by taking the time to look
at your seized data in a live manner.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> To
accomplish this, one tool that I still hear people talking about on the Windows
side is LiveView. At the time that I
tried using it, the tool required that a raw image of the disk be used. This meant taking the time to convert your
E01 to a raw image, which took time and wasted space. </span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Alternatives
to LiveView are discussed in great detail by Jimmy Weg on his blog,
justaskweg.com. Jimmy even wrote an
article on going from a write-blocked drive to a VM, which I found very useful.</span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNoSpacing" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Lucky
for us, going from a write blocked drive to a VM can also be accomplished in
Linux, and is something that I have discussed and covered previously. <o:p></o:p></span></div>
<div class="MsoNoSpacing" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , sans-serif;"> In
this article, I want to talk about booting a disk image of a Windows 10
machine. For the purposes of this
article I used a live Linux distribution of LosBuntu. LosBuntu is our own Ubuntu 14.04 distribution
that can be downloaded <a href="http://mashthatkey.blogspot.com/2015/01/mash-that-key-releases-losbuntu.html" target="_blank">here</a>. <o:p></o:p></span><br />
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; font-size: large;"><b>The
Plan:</b></span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> The
plan is to use a live version of LosBuntu and boot your machine from it. Whether you boot LosBuntu from a DVD or a
flash drive, the process should be the same.
Select a machine that is powerful and has plenty of RAM. Aside from the fact that LosBuntu already has
xmount installed on it, another benefit of using a live distribution is
complete segregation. Any
malware that you catch, or any action that you wish to reverse, can be dealt with
by simply shutting down the machine.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: large;"><b>Installing
the Tools:</b></span></span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> The
tools that we will be using during the process are xmount and VMware
Workstation Player 12 (VMware).
Xmount comes preinstalled in the
Live version of LosBuntu, but if you choose to install it yourself, find it
here https://pinguin.lu/pkgserver. VMware can be downloaded free <a href="https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0" target="_blank">here</a>. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> To
install VMware, issue the command below.
When prompted, enter the root password, which is “mtk” without the
quotes.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><b>$
sudo bash VMware-Player-12.0.1-3160714.x86_64.bundle</b></span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-2iSHTDQUgaU/VkIPUVaLgAI/AAAAAAAAIKY/eNpDxiyKDUQ/s1600/bootwinpic1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://3.bp.blogspot.com/-2iSHTDQUgaU/VkIPUVaLgAI/AAAAAAAAIKY/eNpDxiyKDUQ/s640/bootwinpic1.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Use
the VMware installer graphical user interface to complete the installation.</span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-RQXMBEzJB8k/VkIPen7n3wI/AAAAAAAAIKg/spVCQbNkuIU/s1600/bootwinpic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://4.bp.blogspot.com/-RQXMBEzJB8k/VkIPen7n3wI/AAAAAAAAIKg/spVCQbNkuIU/s400/bootwinpic2.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: large;"><b>The
Test:</b></span></span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> To
illustrate the steps of converting a disk image of a Windows 10 machine to a
VM, I will be using a previously acquired disk image of a Windows 10 operating
system from a 512GB SSD that I use for testing.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-osqbhvPJaTo/VkIQAW87-MI/AAAAAAAAIKo/F2vOPbpQw3c/s1600/bootwinpic3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://2.bp.blogspot.com/-osqbhvPJaTo/VkIQAW87-MI/AAAAAAAAIKo/F2vOPbpQw3c/s400/bootwinpic3.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> </span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> The
acquisition of the disk was done using the E01 format with best compression and
4000MB chunks. The image compressed
down to about 33GB, spanned across 8 segments. Due to the compression, the disk image
only occupies 33GB worth of space, rather than the 512GB it would have taken had we used the RAW format
during acquisition. That is a lot of
saved space, thanks to the compression! Great.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Let
us now turn our attention to the point of the write-up: converting this E01 to
a virtual machine. To accomplish this
feat, we are going to summon the powers of xmount. Xmount is a very powerful tool written by Dan
Gillen. The tool has the ability to
convert on the fly between multiple input and output hard disk image
types. In other words, xmount can take
our E01 image and convert it to a raw image (DD) on the fly, all while maintaining
the integrity of the data.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Xmount
can also turn a DD or an E01 into a VMDK (VMware virtual disk) and redirect
writes to a cache file. This makes it
possible, for example, to use VMware to boot an operating system contained in a
read-only DD or E01 image.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> For
us to pull off the trick of turning an E01 into a VM, we are going to pass
xmount the following instructions. Enter
this command into the terminal:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><b>$
sudo xmount --in ewf Win10.E?? --out vmdk --cache /mnt/cache/win10.cache
/mnt/vmdk/</b></span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Xmount
is the command to crossmount. --in ewf lets xmount know that we are passing it
an image in the E01 format, and Win10.E?? is the E01 image; in this example we have more than one segment,
so we use the “E??” wildcard as the file extension to match all of the segment files. --out vmdk tells xmount to present the E01 as
a VMDK, --cache /mnt/cache/win10.cache is the cache file that will
store all of the writes made by the operating system, and /mnt/vmdk/
is a previously created mount point for the vmdk file. Sudo gives xmount the superuser privileges it needs for
these operations.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-ZV28e8AtFNM/VkIQVzRd7xI/AAAAAAAAIKw/DEKKMsQ3CkI/s1600/bootwinpic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://4.bp.blogspot.com/-ZV28e8AtFNM/VkIQVzRd7xI/AAAAAAAAIKw/DEKKMsQ3CkI/s640/bootwinpic4.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> If
you received your prompt back without any errors, then it is safe to assume
that you issued the correct command. At
this point you have the E01 presented as a vmdk that is ready to be
opened in VMware. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Now,
fire up VMware and go through the process of creating a Windows 10 VM. This write-up assumes that you know the
process, so we will not bore you with the steps of setting up a VM. If needed, a web search on the topic will
reveal multiple articles on accomplishing that specific task.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-Dfc_IWZJ4Dc/VkIQjtmFgyI/AAAAAAAAIK4/m3IuwhYebtU/s1600/bootwinpic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://2.bp.blogspot.com/-Dfc_IWZJ4Dc/VkIQjtmFgyI/AAAAAAAAIK4/m3IuwhYebtU/s400/bootwinpic5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-FAq6SF0j2Bk/VkIQpc9CrcI/AAAAAAAAILA/XPRv7jtvTTg/s1600/bootwinpic6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://3.bp.blogspot.com/-FAq6SF0j2Bk/VkIQpc9CrcI/AAAAAAAAILA/XPRv7jtvTTg/s400/bootwinpic6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> As
you go through the process of creating your Windows 10 VM, I would recommend
that you give the VM 4GB of RAM and 2 cores.
I would also recommend that you un-check the box labeled “connect at
power on” for your network adapter.
This is your call, but I choose not to allow suspect machines to connect
to the internet. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-EB3_rCri-L8/VkIQxkNSV4I/AAAAAAAAILI/XvHukuoWp44/s1600/bootwinpic7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://3.bp.blogspot.com/-EB3_rCri-L8/VkIQxkNSV4I/AAAAAAAAILI/XvHukuoWp44/s400/bootwinpic7.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Finish
setting up your machine and get back to the home screen.</span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-X6PARP0itVE/VkIQ-YKa90I/AAAAAAAAILQ/lstpORKtWMg/s1600/bootwinpic8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="331" src="https://1.bp.blogspot.com/-X6PARP0itVE/VkIQ-YKa90I/AAAAAAAAILQ/lstpORKtWMg/s400/bootwinpic8.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> We
are almost ready to fire up the machine,
but before we do that we have to make some final tweaks. An important one is adding the vmdk file to
the virtual machine. Click on “edit the
virtual machine settings” and remove the disk assigned to the VM.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-s7sezoAJeRg/VkIRF9EwToI/AAAAAAAAILY/F6KEy9OLaUc/s1600/bootwinpic9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-s7sezoAJeRg/VkIRF9EwToI/AAAAAAAAILY/F6KEy9OLaUc/s400/bootwinpic9.png" width="257" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Add
the vmdk file that we previously mounted to /mnt/vmdk/.</span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-kSzgaxfhRpk/VkIRQHOLg2I/AAAAAAAAILg/POYEOw60pw4/s1600/bootwinpic10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="https://3.bp.blogspot.com/-kSzgaxfhRpk/VkIRQHOLg2I/AAAAAAAAILg/POYEOw60pw4/s400/bootwinpic10.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-QYpwDkwxnI0/VkIRUmwMqTI/AAAAAAAAILo/uKZ-IOSD6M4/s1600/bootwinpic11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://2.bp.blogspot.com/-QYpwDkwxnI0/VkIRUmwMqTI/AAAAAAAAILo/uKZ-IOSD6M4/s400/bootwinpic11.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Lastly,
we need to edit the vmx configuration file so that VMware knows that it needs
to boot with EFI firmware, which an image containing GPT/UEFI settings requires. This is a very important step. If you omit this step, you will likely get a
“no operating system found” error. Open
the vmx file with your favorite text editor and add a line at the bottom of the
file that reads <i>firmware = "efi"</i><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-stz513gh6lI/VkIRcEZ37fI/AAAAAAAAILw/HdQwleTiJDM/s1600/bootwinpic12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://4.bp.blogspot.com/-stz513gh6lI/VkIRcEZ37fI/AAAAAAAAILw/HdQwleTiJDM/s400/bootwinpic12.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> Once
this is done, go back to VMware and start your VM. </span></div>
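<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;">The xmount and vmx steps above, as an added shell example that is not part of the original post: it counts the E?? segment files before mounting, confirms that a .vmdk actually appeared in the mount point, and adds the <i>firmware = "efi"</i> line in a way that is safe to run twice. The image prefix, cache path and mount point are taken from the post's own command; the vmx location is an assumption.</span></div>

```shell
#!/bin/sh
# Added example, not from the original post: wraps the xmount and vmx steps
# with the checks a practitioner wants before booting a suspect image.
# Assumptions: xmount is installed; names follow the post (Win10.E??,
# /mnt/cache/win10.cache, /mnt/vmdk); the vmx path is whatever VMware created.

# count_segments PREFIX: number of PREFIX.E01, PREFIX.E02, ... files present.
# xmount must be handed every segment, otherwise the presented disk is short.
count_segments() {
    prefix="$1"
    n=0
    for f in "$prefix".E??; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# ensure_efi_firmware VMX: leave the vmx with exactly one
#   firmware = "efi"
# line. Without it VMware boots with BIOS firmware and a GPT/UEFI image
# fails with "no operating system found". Any existing firmware = ... line
# (for example "bios") is replaced, so running this twice is harmless.
ensure_efi_firmware() {
    vmx="$1"
    [ -f "$vmx" ] || { echo "vmx not found: $vmx" >&2; return 1; }
    tmp="$vmx.tmp.$$"
    grep -v '^[[:space:]]*firmware[[:space:]]*=' "$vmx" > "$tmp" || :
    printf 'firmware = "efi"\n' >> "$tmp"
    mv "$tmp" "$vmx"
}

# efi_firmware_lines VMX: how many firmware = "efi" lines the file holds.
# Used to confirm the edit; the answer should be exactly 1.
efi_firmware_lines() {
    grep -c '^firmware = "efi"$' "$1" || :
}

# mount_e01_as_vmdk PREFIX CACHE MOUNTPOINT: run xmount as in the post and
# verify that a .vmdk really appeared under MOUNTPOINT. Prints the vmdk path.
mount_e01_as_vmdk() {
    prefix="$1"; cache="$2"; mnt="$3"
    [ "$(count_segments "$prefix")" -gt 0 ] ||
        { echo "no $prefix.E?? segment files found" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mount point $mnt does not exist" >&2; return 1; }
    sudo xmount --in ewf "$prefix".E?? --out vmdk --cache "$cache" "$mnt" || return 1
    vmdk=$(ls "$mnt"/*.vmdk 2>/dev/null | head -n 1)
    [ -n "$vmdk" ] || { echo "xmount returned but no .vmdk in $mnt" >&2; return 1; }
    echo "$vmdk"
}

# Real run (needs xmount and VMware; the vmx path is an assumption):
#   mount_e01_as_vmdk Win10 /mnt/cache/win10.cache /mnt/vmdk
#   ensure_efi_firmware "$HOME/vmware/Win10/Win10.vmx"
```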
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-RhfcrBK6S-o/VkIRs_bQPvI/AAAAAAAAIL4/_cpfWsHLHkk/s1600/bootwinpic13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="448" src="https://1.bp.blogspot.com/-RhfcrBK6S-o/VkIRs_bQPvI/AAAAAAAAIL4/_cpfWsHLHkk/s640/bootwinpic13.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> If everything went according to plan, you
should now have a fully functioning VM, revealing all of the settings and
unique configurations issued by your suspect to his/her machine. Feel free to navigate to your heart's
content. Any edits that you make will be
written to the cache file and will survive reboots. If you need to edit the registry, go ahead;
the cache file will save the edits. Feel
free to take screenshots or do anything that you need without having to worry
about changing the integrity of the image.
No changes will be made to the image, as the E01 files are opened read-only. When you are done with the machine, shut it
down. If you used LosBuntu as a live
distribution, then the OS on your internal drive will also be untouched. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;">And
there you have it.</span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><b><span style="font-size: large;">Conclusion:</span></b></span><o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"> This
is a completely free and quick way to see your suspect's system in a live
manner, all while preserving the integrity of your data. If this procedure helped your investigation,
we would like to hear from you. You can
leave a comment or reach me on Twitter: @carlos_cajigas </span><span style="font-family: "times new roman" , serif; mso-bidi-font-family: FreeSans;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
Carlos http://www.blogger.com/profile/10204960193232380067 noreply@blogger.com 4 tag:blogger.com,1999:blog-1238852315716351341.post-1924786966209806879 2015-04-28T17:21:00.000-04:00 2015-04-29T19:49:37.450-04:00
Acquiring an Image of an Amazon EC2 Linux Instance<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">As
cloud services continue gaining popularity and become more affordable, more
people are learning about what is available and are increasingly opting in to
the idea of having computers in the cloud.
This became evident during a recent conversation with my old friend JJ,
@jxor2378. I called JJ to get his
opinion on what an ideal password cracking rig would be. Without hesitation, JJ answered, “Why would
you invest in buying the hardware, when you can just rent it!” And he was right; for what I needed, using
cloud computing services was in fact a good match for me.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">It
is not that I didn't know about the concept of cloud computing; it was
simply that, because I hadn't had a need for it, I hadn't taken the time to do
my computing in the cloud just yet. By
that afternoon that had changed. JJ
recommended that I play with Amazon's Elastic Compute Cloud, also known as
their EC2 service.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Paraphrased
from their website, </span><a href="http://aws.amazon.com/ec2/"><span style="font-family: "Calibri",sans-serif;">http://aws.amazon.com/ec2/</span></a><span style="font-family: "Calibri",sans-serif;">.
Amazon's EC2 is a service that provides resizable compute capacity,
designed to make cloud computing easier.
The web service interface allows you to obtain and configure capacity
with minimal friction, and complete control of your computing resources. You can quickly scale capacity, both up and
down, as your computing requirements change, and you only pay for capacity that
you actually use.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">That
last line is the neat thing about the service.
You only pay for what you use, and they even offer you a chance to try
their service for free. It only took a
few minutes to get an instance up and running.
Once I had access to the instance, I couldn't help but wonder how I
would go about analyzing it for forensic artifacts.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">In
this article we are going to go over the steps of how to acquire an image of a
Linux Ubuntu Server Amazon EC2 Instance.
For the purposes of this article I used a Live Linux Distribution of
LosBuntu. LosBuntu is our own Ubuntu
14.04 distribution that can be downloaded <a href="http://mashthatkey.blogspot.com/2015/01/mash-that-key-releases-losbuntu.html" target="_blank">here</a>. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif; font-size: 13.0pt;">Installing
the Tools:</span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">The
tools that we will be using during the process are ssh, dd and netcat. All of these tools come preinstalled in the
Live version of LosBuntu, so there is no need to install anything else.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif; font-size: 13.0pt;">The
Plan:</span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">The
plan is to fire up an EC2 instance, remotely log in to the instance and then
go through the steps of acquiring an image of the instance back to a remote
location of your choice. Let's get
started.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;"> </span><span style="font-family: Calibri, sans-serif;"> </span></div>
<b style="text-align: justify;"><span style="font-family: "Calibri",sans-serif; font-size: 13.0pt;">The
Test:</span></b><br />
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">To
set up your instance, you can use your current Amazon username and password to
log in to </span><a href="http://aws.amazon.com/"><span style="font-family: "Calibri",sans-serif;">aws.amazon.com</span></a><span style="font-family: "Calibri",sans-serif;">. Once authenticated, navigate to the EC2
dashboard and click on create instance.
The instance that we will use for the test is the Ubuntu Server 14.04
LTS t2.micro instance that you can try for free.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-PNuB7yUaG2w/VT_wGBDWrOI/AAAAAAAAH2w/BeA0JP1f9ow/s1600/awspic1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-PNuB7yUaG2w/VT_wGBDWrOI/AAAAAAAAH2w/BeA0JP1f9ow/s1600/awspic1.png" height="70" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/--ihmp7x5CBQ/VT_wSdeauFI/AAAAAAAAH24/q994KQj8Fds/s1600/awspic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/--ihmp7x5CBQ/VT_wSdeauFI/AAAAAAAAH24/q994KQj8Fds/s1600/awspic2.png" height="62" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;">For
added security purposes we created a public/private key pair that can be used
to securely SSH into the instance. Using
a key to SSH into a system offers a bit more security than a username and
password combination alone. I named the
key ec2key and downloaded the key.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-PUefS3OiFik/VT_wfcU-M-I/AAAAAAAAH3A/1mSxqwqmnnQ/s1600/awspic3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-PUefS3OiFik/VT_wfcU-M-I/AAAAAAAAH3A/1mSxqwqmnnQ/s1600/awspic3.png" height="185" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Once
you have downloaded the key, simply launch the instance with all of the
defaults. The service shines due to the
amount of customization that you can do to your instance, but that is beyond
the scope of this article. For now, all
defaults will work.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Once
you have your instance running, locate the “Connect” icon and click it.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/--wPPEriho68/VT_wwoYa4yI/AAAAAAAAH3I/OcmKk-jC8-c/s1600/awspic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/--wPPEriho68/VT_wwoYa4yI/AAAAAAAAH3I/OcmKk-jC8-c/s1600/awspic4.png" height="156" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;">A
set of instructions on how to connect will appear on your screen, including the
username and public IP address of the instance.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-Jzo0VIMhVsA/VT_w5DJs3bI/AAAAAAAAH3Q/0esP8I_Owq8/s1600/awspic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Jzo0VIMhVsA/VT_w5DJs3bI/AAAAAAAAH3Q/0esP8I_Owq8/s1600/awspic5.png" height="195" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">That's
it. That is all the information that is
needed to SSH into the instance. We
now have the information that we need, so let’s take care of some final
things. For the command on the
screenshot to work, you will need to provide the path to your key if it is not in your
current working directory. Also, the permissions of the key must be set
so that no other users or groups can read it; the command <i>$ sudo chmod 400 yourkey.pem</i>
will take care of that requirement.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Now
type the command below to SSH into the server.
SSH is the remote login tool that will establish a secure encrypted connection
to the server, “-i” is the option that points SSH to your identity file
(key), ubuntu is the username and 52.11.255.55 is the public IP of the instance. Remember to change the key to the name that
you provided and use the IP of your instance.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ ssh -i ec2key.pem </span></b><b><span style="font-family: "Calibri",sans-serif;"><span style="color: black;">ubuntu@52.11.255.55</span></span></b><b><span style="font-family: "Calibri",sans-serif;"><o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-25rgWw-wUmY/VT_xHb1z69I/AAAAAAAAH3Y/Bb273Zors5c/s1600/awspic6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-25rgWw-wUmY/VT_xHb1z69I/AAAAAAAAH3Y/Bb273Zors5c/s1600/awspic6.png" height="313" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;">We
are now logged on to the EC2 instance.
From here you can remotely control the system and do whatever it is that
you intend to do with it. The
possibilities are endless, but there is one caveat... Since we set up the instance for remote
access using a key, any time that we want to access the instance we are going to
have to pass it this key so that access can be granted. This means that if you, for example, want to
use Remote Desktop Protocol (RDP) to get a GUI on your screen, you may have to
do it by authenticating to the instance first using an SSH tunnel.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Which
is exactly what we are going to do to acquire the image of this instance. We are going to establish a second SSH
connection to a second remote server and pass the entire contents of the
instance's hard drive through an SSH tunnel.
This can be accomplished by standing up a second EC2 instance
with enough space to store your image, or by using an already publicly
accessible server that you control.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">If
you read the article titled “<a href="http://mashthatkey.blogspot.com/2014/12/analyzing-plain-text-log-files-using.html" target="_blank">Analyzing Plain Text Log Files Using Linux Ubuntu</a>”
then you may know that I like to run a publicly accessible server to transfer
data and serve files. So I took
advantage of the SSH access to this server that I control, and authenticated
back into it from the EC2 instance using an SSH tunnel.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">The
SSH tunnel consists of an encrypted tunnel created through the SSH protocol
connection that can be used to transfer unencrypted traffic over the network
through an encrypted channel. The
purpose here is to use the SSH tunnel to securely transfer the entire contents
of the hard drive using DD and Netcat through the tunnel, even though Netcat
itself does not use encryption. All of
the contents of the drive from the EC2 instance will travel encrypted through
the tunnel back to my forensic machine in my lab.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">You
do not need to go through the trouble of setting up a public server for
this. A second EC2 instance will also
work, but you will then have to transfer the now acquired image back to you. Accessing a server that you control kills two
birds with one stone.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Using
its own terminal window on the EC2 instance, type the command below to set up the
SSH tunnel back to your server. SSH is
the command; -p 5678 tells SSH to use a non-default port to connect to the
server you control; -N tells SSH not to execute any remote commands,
which is useful when just forwarding ports; -L specifies the port on the
local host that is to be forwarded to the given host and port on the remote
side. Secretuser is the user on my
server and 432.123.456.1 is the public IP of the server that will be
receiving the data.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ ssh -p 5678 -N -L
4444:127.0.0.1:4444 secretuser@432.123.456.1<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">secretuser@432.123.456.1's
password:<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">If
everything went well and you entered the password correctly, this shell window
is simply going to hang and will not show any output. From this point forward, any data that is
sent to localhost on port 4444 is going to be redirected to the server back in
my lab.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">On
that server you will now need to set up a netcat listening session with the
command below. Nc is the netcat command,
-l is to listen, -p is the port to listen on, and we are piping that data to pv
and redirecting it to a file titled ec2image.dd. Pv is a neat utility that measures the
data that passes through the pipe. A
visual of what data is coming in helps in determining whether things are going
according to plan.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ nc -l -p 4444 | pv
> ec2image.dd<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Finally,
on the EC2 instance run dd to image the instance’s hard drive and pipe it to
netcat using the below command. Remember
that you are piping to netcat on localhost to port 4444.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ sudo dd if=/dev/xvda
bs=4k | nc -w 3 127.0.0.1 4444<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">This is an illustration of how the data should flow.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-5IpYlJRP4Mg/VT_yT1-fKII/AAAAAAAAH3g/objSjytdoHY/s1600/Los%2BFlow%2BChart%2BV2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-5IpYlJRP4Mg/VT_yT1-fKII/AAAAAAAAH3g/objSjytdoHY/s1600/Los%2BFlow%2BChart%2BV2.jpg" height="316" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Calibri, sans-serif; text-align: justify;"># Image courtesy of Freddy Chid @fchidsey0144 </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Calibri, sans-serif; text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Calibri, sans-serif; text-align: justify;">After
about 30 minutes it had sent over 4GB of data to my server located many states
away from the EC2 instance.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ nc -l -p 4444 | pv
> ec2image.dd<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">4.39GB 0:32:28
[2.51MB/s] [ <=> ]<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">It
finished in less than an hour and transferred the entire 8GB (default)
bit-by-bit image of the hard drive from the instance.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ nc -l -p 4444 | pv
> ec2image.dd<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">8GB 0:57:30 [2.37MB/s]
[ <=> ]</span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Speeds
will vary depending on bandwidth. As for
image verification, since this was a live acquisition, a
hash comparison at this point will not be of much value: the source disk keeps changing while it is being read. At the very least, check that the
size of your dd image matches the number of bytes contained in /dev/xvda on
the instance. This can be accomplished
by comparing the output of fdisk -l /dev/xvda against the size of the acquired
dd image.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Check
the size of the hard drive on the instance:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ sudo fdisk -l
/dev/xvda<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">Disk /dev/xvda: 8589 MB,
8589934592 bytes<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Check
the size of the dd image on your server:</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">$ ls -l<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">total 8388612<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif;">-rw-r--r-- 1 secretuser
secretgroup 8589934592 Apr 17 18:20 ec2image.dd<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">We
have a match. And there you have
it. You have acquired an image of an
Ubuntu 14.04 Server running on Amazon EC2.<o:p></o:p></span></div>
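The size comparison above can be scripted. As an added example (not from the original post), the shell functions below parse the byte count out of saved fdisk -l output, read on stdin, and compare it with the acquired image, whose path is an assumed argument:

```shell
#!/bin/sh
# Added example (not from the original post): automate the size check
# that the post does by eye, comparing the byte count reported by
# "fdisk -l /dev/xvda" on the instance with the size of the dd image
# that arrived over netcat.

# Print the byte count from "fdisk -l" output read on stdin.
# Handles both the older summary line the post shows,
#   Disk /dev/xvda: 8589 MB, 8589934592 bytes
# and the newer util-linux form,
#   Disk /dev/xvda: 8 GiB, 8589934592 bytes, 16777216 sectors
fdisk_bytes() {
    sed -n 's/^Disk [^:]*: .*, \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1
}

# Compare an expected byte count with the on-disk size of the image.
# Returns 0 only on an exact match, so it can gate later steps.
check_image_size() {
    expected="$1"
    image="$2"
    actual=$(wc -c < "$image" | tr -d ' ')
    if [ "$actual" = "$expected" ]; then
        echo "MATCH: $image is $actual bytes"
        return 0
    fi
    echo "MISMATCH: expected $expected bytes, $image is $actual bytes"
    return 1
}

# Usage on the receiving server, assuming the instance's "sudo fdisk -l
# /dev/xvda" output was saved to fdisk.txt (hypothetical file name):
#   check_image_size "$(fdisk_bytes < fdisk.txt)" ec2image.dd
```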
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri",sans-serif; font-size: 13.0pt;">Conclusion:</span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;">Amazon
offers a full set of developer API tools for EC2 that might offer an easier way
of accomplishing this task. If in a
pinch, and if you have an evening to spare, know that at least you have this
option available to get the job done. If
this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on
twitter: @carlos_cajigas<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri",sans-serif;"><br /></span></div>
Carlos (http://www.blogger.com/profile/10204960193232380067), published 2015-01-05T14:43:00.000-04:00, updated 2018-01-10T13:52:03.814-04:00: Mash That Key Releases LosBuntu<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<span style="font-size: large;"><b>Mash That Key Releases LosBuntu</b></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-hBv9MS_oITM/VrEGhZTTTmI/AAAAAAAAIfQ/yskq1D9xKDs/s1600/LosBuntuForSite2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="393" src="https://2.bp.blogspot.com/-hBv9MS_oITM/VrEGhZTTTmI/AAAAAAAAIfQ/yskq1D9xKDs/s640/LosBuntuForSite2.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<span style="font-size: large;"><b>What it
is...</b></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
LosBuntu
is a Live DVD Linux distribution (distro) that can be used to assist
in data forensic investigations. LosBuntu is the result of our
desire to have a bootable forensic distro with all of the tools and
features that we like, installed by us, controlled by us, and built
by us. LosBuntu was built using a clean installation of Linux Ubuntu
14.04 64 bit. Once the foundation was created, many open source
forensic tools were installed and tweaks were made to turn the
installation into LosBuntu. LosBuntu was then turned into a Live DVD
using the tool remastersys.</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
LosBuntu
has been tweaked to never automount media. Although it will boot a
computer without mounting its drives, it does not write-block them
(LosBuntu may write to a pre-existing swap partition). The distro
was primarily designed for analyzing images and not booted computers.
Validated Linux distributions designed for acquisition have already
been released and should be used for that purpose. Remember to
always validate your results.
</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<span style="font-size: large;"><b>What it is not....</b></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
LosBuntu
is not better than any other distro, and it should not be argued to be better or worse than any other.
LosBuntu is simply another forensic distro, one that was
designed the way that we like it and released to the public in an
attempt to give back to the forensic community. LosBuntu will save
you the time and trouble of having to install the tools listed
below.
</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<span style="font-size: large;"><b>One neat
usable feature...</b></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
Because
remastersys was used to turn LosBuntu into a Live DVD, you can re-use
remastersys to create your own live DVD distro. This means that you
can install LosBuntu to the hard drive, add just about any tool that
you wish to add, and then run remastersys to create a new version of
LosBuntu with any and all of the tools and tweaks you installed, in
essence, creating your very own version of LosBuntu. Change the
background, add or remove tools, do anything that you please.
LosBuntu was released to you so that you can use it, tweak it, and
improve it.
</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-U81u_2JWYSE/VrEH291TuvI/AAAAAAAAIfY/UUPyRlSdYnM/s1600/LosBuntuForSite3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="394" src="https://3.bp.blogspot.com/-U81u_2JWYSE/VrEH291TuvI/AAAAAAAAIfY/UUPyRlSdYnM/s640/LosBuntuForSite3.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
This is
the list of packages that we have added to LosBuntu:</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
7zip,
Abiword, Archivemount, Autopsy, Bkhive, Bleachbit, BTRFS-tools,
Bulkextractor, Chntpw, Chromium-browser, Clamtk, Dcfldd, Dconf, DFF,
Ewf-tools, Exfat-fuse, Fileinfo, Filezilla, Flashplugin-installer,
Foremost, FRED, Furiusisomount, Gddrescue, Gparted, Guymager,
Hexedit, Hfsprogs, Hfsutils, Jacksum, John, libbde-alpha-20141023,
libevt-alpha-20141229, libewf-20140427, libfuse-dev,
libfvde-experimental-20140907, libfwevt-experimental-20141026,
liblnk-alpha-20141026, libpff-experimental-20131028,
libsmraw-alpha-20141026, libvhdi-alpha-20141021,
libvmdk-alpha-20141021, libvshadow-alpha-20141023, Log2timeline,
Nautilus-open-terminal, Pasco, Python-TK,
Rar, Regripper plus plugins, Rifiuti2, Samdump2, Scalpel, SSH,
Testdisk, Truecrypt 7.1a, Vinetto,
VLC, Volatility, W3m, Wine, Wireshark, Xmount, Zenmap</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br />
UPDATE on 4/26/2015: Packages added<br />
aircrackng, bless, curl, lvm2, macchanger, nautilus-wipe, proxychains, pv, reaver, seahorse tools, sshfs, tor, traceroute, Volatility 2.4, whois, wifite<br />
<div>
<br />
UPDATE on 8/29/2015: Packages added<br />
recordmydesktop, libevtx, vmfs-tools, open-iscsi, boot-up-manager<br />
<br />
UPDATE on 11/17/2015: Packages added<br />
hashcat, ntdsextract_1.3, lxde, libesedb, rdesktop<br />
<br />
UPDATE on 12/14/2015: Packages added<br />
nbd-client, gdebi-core, veracrypt<br />
<br />
UPDATE on 02/01/2016: Packages added<br />
hashid, git, hashcat2.0, newbackground, SMB Access<br />
<br />
UPDATE on 05/13/2016: Packages added<br />
mdadm, dmraid, dos2unix, libqcow, libfvde, TorBundle5.5.5<br />
<br />
UPDATE on 09/27/2016: Packages added<br />
xor.exe, plaso 1.5, ubuntu-zfs<br />
<br /></div>
The
distro is 2.4 GB in size. The password is “mtk”, without the
quotes. The MD5 of the ISO (LosBuntu_2018_01_04.iso) is 90bcdff015f81071283847b9b2916a38.</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br />
Download it from this link: <span style="color: blue;"><span style="color: blue;"><a href="https://drive.google.com/open?id=1LPbIvJtUNurf9KvY_lMYOZRJkI-6Tvdy" target="_blank">LosBuntu</a></span></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br />
Special
thanks go out to my old friends at the lab Mark B, Paul I, Pete M,
and John T. for the corny name, ideas, and testing. You guys are the
best in the State, keep doing what you do best.</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
If this
tool helped you during your investigation, we would definitely like
to hear from you. You can leave a comment or reach me on twitter:
@carlos_cajigas</div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br />
<span style="font-size: large;"><b>Useful Links:</b></span><br />
<span style="font-size: large;"><b><br /></b></span>
- LosBuntu used to analyze an MS12-020 RDP Crash Dump with Volatility.<br />
Link to - <span style="color: blue;"><a href="http://www.computersecuritystudent.com/FORENSICS/LosBuntu/lesson1/index.html" target="_blank"><span style="color: blue;">ComputerSecurityStudent</span></a></span><br />
<br />
- LosBuntu used to mount and convert a VMDK virtual disk to raw, on-the-fly. <a href="https://www.youtube.com/watch?v=PIeC4BtSbRA" target="_blank"><span style="color: blue;">YouTubeVideo</span></a> <br />
<br />
- LosBuntu used for physical disk, image acquisitions using guymager. <span style="color: blue;"><a href="https://www.youtube.com/watch?v=yHr9fxccreQ" target="_blank"><span style="color: blue;">YouTubeVideo</span></a></span></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br />
- LosBuntu used to wipe and validate sterilization of physical disks. <span style="color: blue;"><span style="color: blue;"><a href="https://www.youtube.com/watch?v=wyWSxkzRQAE" target="_blank"><span style="color: blue;">YouTubeVideo</span></a></span></span><br />
<span style="color: blue;"><br /></span>
- LosBuntu used to Activate &amp; Set Windows 7 Admin Password.<br />
Link to - <span style="color: blue;"><a href="http://www.computersecuritystudent.com/FORENSICS/LosBuntu/lesson2/index.html" target="_blank"><span style="color: blue;">ComputerSecurityStudent</span></a></span><br />
<br />
<br />
<br /></div>
<div align="JUSTIFY" class="western" style="margin-bottom: 0in;">
<br /></div>
Carlos (http://www.blogger.com/profile/10204960193232380067), published 2014-12-31T12:29:00.000-04:00, updated 2016-04-05T18:13:55.123-04:00<div class="MsoNormal" style="text-align: justify;"><span style="font-size: large;"><b>Analyzing Plain Text Log Files Using Linux Ubuntu</b></span></div><div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Analyzing
large amounts of plain text log files for indications of wrongdoing is not an
easy task, especially if it is something that you are not accustomed to doing
all the time. Fortunately, getting decent
at it can be accomplished with a little bit of practice. There are many ways to go about analyzing
plain text log files, but in my opinion a combination of a few built-in tools
under Linux and a BASH terminal can crunch results out of the data very quickly.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> I
recently decided to stand up an SFTP server at home, so that I could store and
share files across my network. In order
to publicly access the server from the public internet, I created strong
passwords for my users, forwarded the ports on my router and went out for the
weekend. I accessed the server from the
outside and shared some data. From the
time that I fired it up to the time I returned, only 30 hours passed. I came back home to discover that the monitor
attached to my server was going crazy trying to keep up with showing me large
amounts of unauthorized log-in attempts.
It became evident that I was under attack. Oh my!</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> After
some time and a little bit of playing around, I was able to get the situation
under control. Once the matter was
resolved, I couldn't wait to get my hands on the server logs. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> In
this write-up, we will go over a few techniques that can be used to analyze plain
text log files for evidence and indications of wrongdoing. I chose to use the logs from my SFTP server
so that we can see what a real attack looks like. In this instance, the logs are auth.log files
from a BSD install, recovered from the /var/log directory. Whether they are auth.log files, IIS, FTP,
Apache, firewall, or even a list of credit cards and phone numbers, as long as
the logs are plain text files, the methodology followed in this write-up will
apply to all of them and should be repeatable.
For the purposes of the article I used a VMware Player Virtual Machine
with Ubuntu 14.04 installed on it. Let's
get started.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , sans-serif; font-size: 19px;">Installing the Tools:</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> The
tools that we will be using for the analysis are cat, head, grep, cut, sort,
and uniq. All of these tools come
preinstalled in a default installation of Ubuntu, so there is no need to
install anything else. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif"; font-size: 14.0pt;">The test:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> The
plan is to go through the process of preparing data for analysis and go through
the process of analyzing it. Let's set
up a working folder that we can use to store the working copy of the logs. Go to your desktop, right click on your
desktop and select “create new folder”, name it “Test”.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-WrBBJwMUOAc/VKQhR52yqII/AAAAAAAAGvA/s7iJ61XyPRo/s1600/aptlf_pic1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://3.bp.blogspot.com/-WrBBJwMUOAc/VKQhR52yqII/AAAAAAAAGvA/s7iJ61XyPRo/s1600/aptlf_pic1.png" width="200" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> This
will be the directory that we will use for our test. Once created, locate the log files that you
wish to analyze and place them in this directory. Tip: Do not mix logs from different systems
or different formats into one directory.
Also, if your logs are compressed (ex: zip, gzip), uncompress them prior
to analysis.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-dqdI17IYOVE/VKQhoXict2I/AAAAAAAAGvI/E3_KgwSIFAo/s1600/aptlf_pic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-dqdI17IYOVE/VKQhoXict2I/AAAAAAAAGvI/E3_KgwSIFAo/s1600/aptlf_pic2.png" width="282" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Open
a Terminal Window. In Ubuntu you can
accomplish this by pressing Ctrl-Alt-T at the same time. Once the terminal window is open, we need to
navigate to the previously created Test folder on the desktop. Type the following into the terminal.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<b><span style="font-family: "calibri" , "sans-serif";">$ cd /home/carlos/Desktop/Test/<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif"; mso-fareast-font-family: "Times New Roman";"> Replace “carlos” with the name of
the user account you are currently logged on as. After doing so, press enter. Next, type ls -l followed by enter to list
the data (logs) inside of the Test directory.
The flag -l uses a long listing format.</span><span style="font-family: "calibri" , "sans-serif";"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-dXSAffhXMZo/VKQh1dBa-1I/AAAAAAAAGvQ/n5Ttc61yjfw/s1600/aptlf_pic3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://3.bp.blogspot.com/-dXSAffhXMZo/VKQh1dBa-1I/AAAAAAAAGvQ/n5Ttc61yjfw/s1600/aptlf_pic3.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Notice
that inside of the Test directory, we have 8 log files. Use the size of the log (listed in bytes) as
a starting point to get an idea of how much data each one of the logs may
contain. As a rule, log files store data
in columns, often separated by a delimiter.
Some examples of delimiters are commas, as in csv files, spaces, or
even tabs. Taking a peek at the first
few lines of a log is one of the first things that we can do to get an idea of
the number of columns in the log and the delimiter used. Some logs, like the IIS logs, contain a
header. This header indicates exactly
what each one of the columns is responsible for storing. This makes it easy to quickly identify which
column is storing the external IP, port, or whatever else you wish to find
inside of the logs. Let's take a look at
the first few lines stored inside of the log titled auth.log.0. Type the following into the terminal and
press enter.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , "sans-serif";"><b>$
cat auth.log.0 | head</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Cat
is the command that prints file data to standard output, and auth.log.0 is the
filename of the log that we are reading with cat. The “|” is known as a pipe. A pipe is a technique in Linux for passing
information from one program process to another. Head is the command to list the first few
lines of a file. Explanation: what we
are doing with this command is using the tool cat to send the data contained in
the log to the terminal screen, but rather than sending all of the data in the
log, we are “piping” the data to the tool head, which displays only
the first few lines of the file; by default it displays ten lines.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-0gHW4j4JvV0/VKQiApbaVhI/AAAAAAAAGvY/PMZLLct02O4/s1600/aptlf_pic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="https://2.bp.blogspot.com/-0gHW4j4JvV0/VKQiApbaVhI/AAAAAAAAGvY/PMZLLct02O4/s1600/aptlf_pic4.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> As
you can see, this log contains multiple lines, and each one of the lines has
multiple columns. The columns account
for date, time, and even descriptions of authentication attempts and failures. We can also see that each one of these
columns is separated by a space, which can be used as a delimiter. Notice that some of the lines include the
strings “Invalid user” and “Failed password”.
Right away, we have identified two strings that we can use to search
across all logs for instances of either one of these strings. By searching for these strings across the
logs we should be able to identify instances of when a specific user and/or IP
attempted to authenticate against our server.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Let's
use the “Invalid user” string as an example and build upon our previous
command. Type the following into the
terminal and press enter.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , "sans-serif";"><b>$
cat * | grep 'Invalid user' | head</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-Aakx67x4Vlk/VKQirIoCnyI/AAAAAAAAGvk/wpSfWtQ2IOE/s1600/aptlf_pic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://4.bp.blogspot.com/-Aakx67x4Vlk/VKQirIoCnyI/AAAAAAAAGvk/wpSfWtQ2IOE/s1600/aptlf_pic5.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Just
like in our previous command, cat is the command that prints the file data to
standard output. The asterisk “*” after
cat is used to tell cat to send every file in the current directory to standard
output. This means that cat was told to
send all of the data contained in all eight logs to the terminal screen, but
rather than print the data to the screen, all of the data was passed (piped)
over to grep so that grep can search the data for the string 'Invalid
user'. Grep is a very powerful string
searching tool that has many useful options and features worth learning. Lastly the data is once again piped to head so
that we can see the first ten lines of the output. This was done for display purposes only,
otherwise over 12,000 lines containing the string 'Invalid user' would have
been printed to the terminal, yikes!<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Ok,
back to the task at hand. Look at the 10<sup>th</sup>
column of the output, the last column.
See the IP address of where the attempts are coming from? Let's say that you were interested in seeing
just that information from all of the logs and filtering only for the tenth
column, which contains the IP addresses.
This is accomplished with the command cut. Let's continue to build on the command. Type the following and press enter.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , "sans-serif";"><b>$
cat * | grep 'Invalid user' | cut -d " " -f 10 | head</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-2S1gxARdUeM/VKQiyMfXtVI/AAAAAAAAGvs/Nl89b2UxapI/s1600/aptlf_pic6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://1.bp.blogspot.com/-2S1gxARdUeM/VKQiyMfXtVI/AAAAAAAAGvs/Nl89b2UxapI/s1600/aptlf_pic6.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> In
this command, after the data is searched for 'Invalid user' it is piped over to
cut so that it may print only the tenth column.
The flag -d tells cut to use a space as the delimiter. The space is put between quotes so that the shell passes it to cut
as an argument instead of treating it as a separator. The flag -f 10 tells cut
to print the tenth column only. Head was
again used for display purposes only.
Next, let’s see all of the IP's in the logs by adding sort and uniq to
our command.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , "sans-serif";"><b>$
cat * | grep 'Invalid user' | cut -d " " -f 10 | sort | uniq</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-misn6eJJo6E/VKQi9-h6KlI/AAAAAAAAGv0/Qvodbk76cy0/s1600/aptlf_pic7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://1.bp.blogspot.com/-misn6eJJo6E/VKQi9-h6KlI/AAAAAAAAGv0/Qvodbk76cy0/s1600/aptlf_pic7.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> In
this command, head is dropped and sort and uniq are added. As you might imagine, sort will sort the text, and
uniq is responsible for omitting repeated adjacent lines, which is why sort must run first.
This is nice, but it leaves us wanting more. If you wanted to see how many times each one
of these IP's attempted to authenticate against the server, the flag -c of uniq
will count each instance of the repeated text, like so.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: "calibri" , "sans-serif";"><b>$
cat * | grep 'Invalid user' | cut -d " " -f 10 | sort | uniq -c | sort -nr</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-OPcE_Qs8JLk/VKQjHZWlkVI/AAAAAAAAGv8/4gzoiF7l-1E/s1600/aptlf_pic8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://1.bp.blogspot.com/-OPcE_Qs8JLk/VKQjHZWlkVI/AAAAAAAAGv8/4gzoiF7l-1E/s1600/aptlf_pic8.png" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> In
this command, the instances of each IP found in the logs were counted by uniq
and then again sorted by sort. The flag
-n is to do a numeric sort and the flag -r is so that the text is shown in
reverse order. <o:p></o:p></span></div>
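The whole pipeline above, as an added example that is not part of the original post: the log lines are constructed, and the variable stands in for `cat *` so the script runs offline. It also shows the one catch with `cut -d " "`: syslog pads single-digit days with a second space ("Jan  3"), cut counts that empty field, and the IP on those lines shifts to field 11. The awk variant picks the field after the word "from" instead, so it counts correctly regardless of padding.

```shell
#!/bin/sh
# Added example (not from the original post): count SSH "Invalid user" attempts per
# source IP. The log lines below are constructed; the two "Jan  3" lines mimic the
# extra space syslog inserts before a single-digit day.
SAMPLE_LOG='Jan 10 03:12:44 sftp sshd[2201]: Invalid user admin from 203.0.113.5
Jan 10 03:12:51 sftp sshd[2203]: Invalid user oracle from 203.0.113.5
Jan 10 03:13:02 sftp sshd[2207]: Accepted publickey for carlos from 198.51.100.9 port 51022 ssh2
Jan  3 22:40:11 sftp sshd[1187]: Invalid user test from 192.0.2.77
Jan  3 22:40:19 sftp sshd[1190]: Invalid user guest from 192.0.2.77
Jan 10 04:01:07 sftp sshd[2310]: Invalid user pi from 203.0.113.5'

# The post's pipeline, with the variable standing in for `cat *`. cut -d " " counts
# every single space, so on a padded day the IP moves to field 11 and field 10 is
# the word "from": those lines end up counted under "from" instead of their IP.
count_by_cut() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Invalid user' | cut -d " " -f 10 | sort | uniq -c | sort -nr
}

# Same idea with awk, which splits on runs of whitespace and takes the field that
# follows "from", so the padding does not matter.
count_by_awk() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Invalid user' \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -nr
}

# Look up the attempt count for one IP in the awk version (0 when it never failed).
count_for_ip() {
    count_by_awk | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

count_by_awk
```

Run it as is to see the awk table; call `count_by_cut` to see the same data with the two padded-day lines collapsed under "from". On a real auth.log directory, replace the `printf` with the post's `cat *`.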
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> And
there you have it. Now we can see who
was most persistent at trying to get pictures of my dog from my SFTP server. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> Keep
practicing. Hopefully this helped you in
getting started with the basics of cat, grep, cut, sort, and uniq. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif"; font-size: 14.0pt;">Conclusion:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";"> This
is a quick and powerful way to search for specific patterns of text in a single
plain text file or in many files. If
this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on
twitter: @carlos_cajigas <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";">Suggested
Reading:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";">-
Ready to dive to the next level of command line fun? Check out @jackcr ‘s article where he
implements the use of a for loop to look for strings inside of a memory
dump. Awesome! Find it <a href="http://blog.handlerdiaries.com/?p=589" target="_blank">here</a>.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "calibri" , "sans-serif";">-
Check out Ken's blog and his experience with running a Linux SSH honeypot. Find it <a href="http://digiforensics.blogspot.com/2014/05/from-china-with-love-part-1.html" target="_blank">here</a>.<o:p></o:p></span><br />
<span style="font-family: "calibri" , "sans-serif";"><br /></span>
<span style="font-family: "calibri" , "sans-serif";"><br /></span>
<span style="font-family: "calibri" , "sans-serif";"><br /></span></div>
Carlos, 2014-10-02: Acquiring Images of Virtual Machines From An ESXi Server<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">ESXi is an enterprise level computer
virtualization product offered by VMWare, the makers of VMWare Player and
Workstation. ESXi can be used to
facilitate the centralized management of many different types of Windows, Unix,
and Linux systems. Unlike its cousins
Player and Workstation, ESXi runs directly on server hardware (bare metal)
without the need for an underlying operating system. Management of the ESXi server can and is
often done remotely. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">As this type of virtualized server
environment continues to gain even more popularity, you are bound to encounter
it more and more. It seems that we see
one of these in just about every case.
If you are in the DFIR world then you know that it is our responsibility
to get usable images out of these things.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">In this article we will go through
the process of acquiring a Linux Virtual Machine (VM) running on an ESXi
server. Since there is more than one way
of accomplishing this, we will talk about some of the options that are
available to us. We will talk about the
pros and cons of each so that you get to choose one when your time comes to
implement it. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif";">Tools:</span></b><span style="font-family: "Calibri","sans-serif";"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">For the purposes of this article,
all of the systems except for the ESXi server, were installed and ran using VMware
Player. Our host machine was an
examination computer with Ubuntu 13.10 installed to the hard drive. Except for the Windows VM, all of the tools
used in the article are free and are available for download.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif";">The test:</span></b><span style="font-family: "Calibri","sans-serif";"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">The first thing we need to do is get
ESXi up and running. VMware offers a
free version of their EXSi product that can be downloaded <a href="https://my.vmware.com/web/vmware/evalcenter?p=free-esxi5&lp=default">here</a>. To get the download, you are going to have to
create and account with them. Once you
have the ISO, go ahead and install it.
There are many tutorials online on how to do this. I don't want to go over the steps of
installing ESXi here due to the many resources available and how much longer it
would make the write up. We went ahead
and installed ESXi version 5.5 on an old laptop with a core 2 duo processor and
4GB of memory. It worked fine. ESXi was installed using all of the
defaults. Upon startup the ESXi server
was given an IP via DHCP. It was
assigned IP address 10.0.1.11<o:p></o:p></span><br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-V0sH1ZXh5pQ/VGTs8dKuAWI/AAAAAAAAGjM/EzeMnA24v9c/s1600/pic3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-V0sH1ZXh5pQ/VGTs8dKuAWI/AAAAAAAAGjM/EzeMnA24v9c/s640/pic3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: Calibri, sans-serif; text-indent: 35.45pt;">ESXi servers can be managed locally from the
command line or remotely from another host using the VMware vSphere Client,
which as of this writing only works on Windows hosts.</span><span style="font-family: Calibri, sans-serif; text-indent: 35.45pt;"> </span><span style="font-family: Calibri, sans-serif; text-indent: 35.45pt;">Using another VMware Player VM with Windows
7, we installed the vSphere client and logged in to the ESXi server.</span><span style="font-family: Calibri, sans-serif; text-indent: 35.45pt;"> </span><br />
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-9yGWW9zCJV0/VGTuYfC-1RI/AAAAAAAAGjY/HIJ8aX_O6oM/s1600/pic2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="444" src="https://4.bp.blogspot.com/-9yGWW9zCJV0/VGTuYfC-1RI/AAAAAAAAGjY/HIJ8aX_O6oM/s640/pic2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">We went ahead and installed one VM
on the ESXi server. The VM on the server
is a fresh install of Ubuntu 14.04. We
named the VM, Ubuntu14_04. This will be
the VM that we will we use to go through the process of acquisition.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-zqRaYG_tc44/VGTuuF0CLvI/AAAAAAAAGjg/OykZ9JqTfKI/s1600/Pic5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="560" src="https://4.bp.blogspot.com/-zqRaYG_tc44/VGTuuF0CLvI/AAAAAAAAGjg/OykZ9JqTfKI/s640/Pic5.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">Now that we have an ESXi server up
and running and a VM to acquire, we need to determine what our best course of
action for acquisition is. This will be
decided by your conversation with the system administrator (sysadmin) and the
company's ability to be able to take the “server” off-line. In most situations these are production
environment servers that need to stay up to not disrupt the business. If you are lucky and find that the sysadmin
is willing to take the server off-line, then suspending the VM is probably the
better method of acquiring a VM out of the server. We will get to do this just a little later. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">For now, let's assume that the
server is a money making server that cannot be taken off-line. When encountered with this issue we have
conducted successful acquisitions by using a combination of SSH and an
externally available source to send the data to. For example, you can SSH into the server and use
the linux native tool dd, to acquire the virtual disks and send the acquisition
image to a mounted NFS share. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">Let's simulate this scenario by
using our previously created Ubuntu14_04 VM.
Notice that our last screenshot tells us that our Ubuntu VM was assigned
IP address 10.0.1.12. The command $ ssh
carlos@10.0.1.12 can be used to SSH into the VM. If you are following along, make sure that
your VM has an SSH server installed.
Once the key pairing has been created and the password has been entered
you will be given a command prompt just as if you were on a shell terminal on
the system. Notice that my prompt
changed to carlos@esxivm:~$ which is an indication that I am now inside of the
VM. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-6jJKxfAf5SI/VGTz8varcRI/AAAAAAAAGj4/HHiLvZ7KJm0/s1600/Pic6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="206" src="https://4.bp.blogspot.com/-6jJKxfAf5SI/VGTz8varcRI/AAAAAAAAGj4/HHiLvZ7KJm0/s640/Pic6.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif";">The next step is to mount the NFS
share that we will use to receive our acquisition image. To simulate this part, we used another VM and
the free version of the popular open source NAS solution called FreeNAS. The FreeNAS VM was assigned IP address
10.0.1.13. </span><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Run
the below command to mount the NFS share to the Ubuntu VM. If you are following along make sure that
your Ubuntu VM has nfs-common installed.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">$ sudo mount -t nfs -o proto=tcp,port=2049 10.0.1.13:/mnt/vol1
/mnt/nfs/<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-mwFJRnkWU7k/VGT0ZXYymaI/AAAAAAAAGkI/bk2EKTcwM1k/s1600/pic7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="64" src="https://1.bp.blogspot.com/-mwFJRnkWU7k/VGT0ZXYymaI/AAAAAAAAGkI/bk2EKTcwM1k/s640/pic7.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Mount
is the command to mount the share, -t tells mount which type of mount that it
is about to do, -o are the options that are passed to mount. Proto= tells mount to use tcp as a protocol,
this is done to ensure compatibility with other operating systems. Port=2049 tells it which port to use. 10.1.1.13:/mnt/vol1 is the IP of the FreeNAS
VM and the location of the share on the NAS.
/Mnt/nfs is a previously created mount point used to mount the NFS. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">We
are now ready to send the acquisition to the NFS using dd. We navigated to the share and kicked it off.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">$ sudo dd if=/dev/sda of=esxivm.dd bs=4096 conv=sync,noerror<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Hg78OapoQMM/VGT0Q8QzZBI/AAAAAAAAGkA/ZXHca9d_T0Q/s1600/pic8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="110" src="https://3.bp.blogspot.com/-Hg78OapoQMM/VGT0Q8QzZBI/AAAAAAAAGkA/ZXHca9d_T0Q/s640/pic8.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">The
acquisition successfully completed. Mine
took a while as I piped the data wirelessly rather than through the wire. Speeds at your client location will vary
depending on bandwidth. In reference to
image verification, since this was a live acquisition, doing a hash comparison
at this point will not be of much value.
At the very least, check and compare that the size of your dd image
matches the amount of bytes contained in /dev/sda. This can be accomplished by comparing the
output of fdisk -l /dev/sda against the size of the dd.<o:p></o:p></span></div>
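The size check described above, as an added example that is not part of the original post: it pulls the byte count out of `fdisk -l` output and compares it with the image's size. The `fdisk` lines and the 4 MiB "device" below are constructed so the script runs offline; on a real system you would feed it the live `fdisk -l /dev/sda` output and the image on the NFS share. Note that the post's `conv=sync,noerror` pads any unreadable block to a full `bs`, so an image larger than the device is a sign of read errors, not a successful copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a live dd image by
# comparing its byte count with the byte count fdisk reports for the source device.
# Constructed inputs stand in for `fdisk -l /dev/sda` and the dd output file.

# Pull the "<n> bytes" figure out of fdisk -l output. Older util-linux prints
# "Disk /dev/sda: 21.5 GB, 21474836480 bytes"; newer releases print
# "Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors". Both carry the
# number immediately before "bytes", which is what we extract.
fdisk_bytes() {
    # $1: text of fdisk -l output
    printf '%s\n' "$1" | awk '/^Disk \// {
        for (i = 1; i < NF; i++) if ($(i + 1) ~ /^bytes/) { print $i; exit }
    }'
}

# Compare the image's size with the device byte count. Returns 0 only on an exact
# match; a larger image means dd padded unreadable blocks, a smaller one means the
# copy is incomplete. Either belongs in your acquisition notes.
verify_image_size() {
    # $1: image path, $2: expected byte count
    actual=$(wc -c < "$1" | tr -d ' ')
    if [ "$actual" -eq "$2" ]; then
        echo "OK: $1 is $actual bytes, matching the device"
        return 0
    fi
    echo "MISMATCH: $1 is $actual bytes, device reported $2 bytes"
    return 1
}

# Constructed demo: a 4 MiB "device" file imaged with the post's dd invocation,
# plus a fdisk-style line describing it. Returns 0 when the sizes agree.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/sda" bs=4096 count=1024 2>/dev/null
    dd if="$tmp/sda" of="$tmp/esxivm.dd" bs=4096 conv=sync,noerror 2>/dev/null
    fake_fdisk="Disk $tmp/sda: 4 MiB, 4194304 bytes, 8192 sectors"
    expected=$(fdisk_bytes "$fake_fdisk")
    if verify_image_size "$tmp/esxivm.dd" "$expected"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo
```

On a live system `blockdev --getsize64 /dev/sda` gives the same byte count without parsing, but fdisk is what the post uses and is more likely to be on a minimal VM.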
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-bl5hVZifYpM/VGT0kQLo6aI/AAAAAAAAGkQ/M3e5LkaU1Ig/s1600/pic9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="130" src="https://2.bp.blogspot.com/-bl5hVZifYpM/VGT0kQLo6aI/AAAAAAAAGkQ/M3e5LkaU1Ig/s640/pic9.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Great,
so now we have an image of our server sitting on a NAS and we need to bring it
back to our system. Well you have
options. If the image is too large to
pull it back over the wire, you can have the sysadmin locate another system close
to the NAS that has access to the NAS and also has USB 3.0. This can even be a Windows system. If this is not an option for you, and you
have no choice but to pull it back over the network, use your favorite ftp or
sfpt tool to access the NAS and bring the image back to your system. For the purposes of this article we used
FileZilla.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-04EwtOOhXrM/VGT0uuPTJmI/AAAAAAAAGkY/p3rEeEkmh-8/s1600/pic10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="262" src="https://1.bp.blogspot.com/-04EwtOOhXrM/VGT0uuPTJmI/AAAAAAAAGkY/p3rEeEkmh-8/s640/pic10.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">And
there you have it. You have successfully
acquired a live image out of a VM running on an ESXi server. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Now
let’s take some time and talk about another way of doing things. If you are lucky and the sysadmin said he is
good with taking the server off-line, then you are in luck and things just got
easier for you. Suspending the VM is also
a good way of collecting an image of that VM.
When you suspend a VM on ESXi, the current state of the VM is saved so
that it can later be loaded and reused.
Additionally, the VM's memory gets written to a .vmss file that contains
the entire memory allotted to the VM.
This, in essence, can be considered a simulated way of acquiring memory
from the VM. The point is that with one
click of a button you get the VM's memory and a current state of the VM's
virtual disk. The vmdk file will contain
the entire raw virtual disk. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-JDoSXFsW3s4/VGT02v4VcJI/AAAAAAAAGkg/TGaYvctdcWk/s1600/pic11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="346" src="https://3.bp.blogspot.com/-JDoSXFsW3s4/VGT02v4VcJI/AAAAAAAAGkg/TGaYvctdcWk/s640/pic11.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Once
you have suspended the VM, the process of getting the data out of the server
can be accomplished just like in our first scenario. So let us first talk about the method which
involves the combination of SSH and the NFS share. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">If
the sysadmin allowed you to take their server off-line to suspend it, then he
may also be willing to give you the password so that you can SSH into the ESXi
server. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-i16JLeFQSfM/VGT0_GTMq4I/AAAAAAAAGko/6yiszfzo8a8/s1600/pic12.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="210" src="https://4.bp.blogspot.com/-i16JLeFQSfM/VGT0_GTMq4I/AAAAAAAAGko/6yiszfzo8a8/s640/pic12.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Once
you have SSH'ed into the sever, locate the VM directory by navigating to <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">/vmfs/volumes/datastore1. There, we located the directory for our
Ubuntu14_04 VM.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-2Gqell1p85Q/VGT1FSGUw6I/AAAAAAAAGkw/wE5LZHrF_DI/s1600/pic13.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="166" src="https://3.bp.blogspot.com/-2Gqell1p85Q/VGT1FSGUw6I/AAAAAAAAGkw/wE5LZHrF_DI/s640/pic13.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">The
Ubuntu14_04 directory contained the following files.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-H7uk0o0o664/VGT1MzQy3-I/AAAAAAAAGk4/-Lokn6mkYVY/s1600/pic14.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="222" src="https://3.bp.blogspot.com/-H7uk0o0o664/VGT1MzQy3-I/AAAAAAAAGk4/-Lokn6mkYVY/s640/pic14.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Ubuntu14_04-167f1682.vmss Is the memory file<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Ubuntu14_04-flat.vmdk Is the VM disk<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Those
are the main files that we need to get out of the server. If you had to go the mounted share route,
then the process of mounting the NFS goes like this.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;"># esxcfg-nas -a -o 10.0.1.13 -s /mnt/vol1 nas<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Esxcfg-nas
is the ESXi command to mount the share, -a is to add a share, -o is the address
of the host and -s /mnt/vol1 is the share directory to mount, finally nas is
the name that we are going to assign to the mounted NFS share. Be aware that unlike in Ubuntu, you do not
have to create a mount point, the NFS share will be created under
/vmfs/volumes.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-jlSB6sxqc5U/VGT1WXtBjfI/AAAAAAAAGlE/PGYCUPwqGy0/s1600/pic15.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="132" src="https://3.bp.blogspot.com/-jlSB6sxqc5U/VGT1WXtBjfI/AAAAAAAAGlE/PGYCUPwqGy0/s640/pic15.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Once
the NFS is mounted you can use the cp command to copy your files over to the
NFS. Upon completion, it would be a good
idea that you implement some way of validating that your data is a true
representation of the original. Hashing
the files on the server and comparing them to the ones on the NFS could be a
way.<o:p></o:p></span></div>
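The hash comparison suggested above, as an added example that is not part of the original post: build a manifest of the suspended VM's files on the datastore side, copy them, and check the copies against the manifest with `sha1sum -c`. The two directories and the file contents are constructed so the script runs offline; the file names are the ones from the post. sha1sum is used because ESXi's busybox shell ships it; use sha256sum where it is available.

```shell
#!/bin/sh
# Added example (not from the original post): hash the suspended VM's files on the
# source side, copy them to the share, and verify the copies against the manifest.
# Constructed directories stand in for /vmfs/volumes/datastore1 and the NFS mount.

# Write "<hash>  <name>" lines for every regular file in directory $1 into manifest $2.
# Running inside the directory keeps the manifest paths relative, so the same
# manifest verifies the copies wherever they land.
make_manifest() {
    ( cd "$1" && for f in *; do if [ -f "$f" ]; then sha1sum "$f"; fi; done ) > "$2"
}

# Verify the files in directory $1 against manifest $2 (absolute path).
# Prints one OK/FAILED line per file and returns 0 only if every hash matches.
verify_copies() {
    ( cd "$1" && sha1sum -c "$2" )
}

# Constructed demo: hash two VM files, copy them, verify, then truncate one copy to
# show that the check catches an incomplete transfer. Returns 0 when both the
# good copy passes and the damaged copy fails.
demo() {
    work=$(mktemp -d)
    mkdir "$work/datastore1" "$work/nas"
    printf 'constructed vmss contents' > "$work/datastore1/Ubuntu14_04-167f1682.vmss"
    printf 'constructed flat vmdk contents' > "$work/datastore1/Ubuntu14_04-flat.vmdk"
    make_manifest "$work/datastore1" "$work/Ubuntu14_04.sha1"
    cp "$work/datastore1"/* "$work/nas/"
    if verify_copies "$work/nas" "$work/Ubuntu14_04.sha1"; then good=0; else good=1; fi
    # Simulate a copy that was cut short: the verification must now report FAILED.
    printf 'constructed flat' > "$work/nas/Ubuntu14_04-flat.vmdk"
    if verify_copies "$work/nas" "$work/Ubuntu14_04.sha1"; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

Keep the manifest with the images: it is also what you will verify against after the final hop from the NAS to your examination system, and again when the case is reopened later.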
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-dssHwR3yzMA/VGT1bq3AF0I/AAAAAAAAGlM/-iAmoEB97b8/s1600/pic16.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="118" src="https://1.bp.blogspot.com/-dssHwR3yzMA/VGT1bq3AF0I/AAAAAAAAGlM/-iAmoEB97b8/s640/pic16.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">To get
the images out of the NAS, again, use your favorite ftp or sftp tool to
retrieve them. It should be noted that
we went over the process of mounting an NFS on ESXi, so that you could have
that as an option. If SSH is enabled on
the EXSi server don't forget that you can access it directly with scp or sftp
and drag the images back to your system.
FastSCP on the windows side also works well.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-vOtXvBRfqwc/VGT1jAuGDXI/AAAAAAAAGlU/gW6f7QsMiKY/s1600/pic17.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="380" src="https://2.bp.blogspot.com/-vOtXvBRfqwc/VGT1jAuGDXI/AAAAAAAAGlU/gW6f7QsMiKY/s640/pic17.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">To
disconnect the NFS from the server run $ esxcfg-nas -d nas. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">Conclusion</span></b><span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify; text-indent: 35.45pt;">
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;">There
are many available options of acquiring images out of these servers. Discussed above were only a couple of these
options. If this procedure helped your
investigation, we would like to hear from you.
You can leave a comment or reach me on twitter: @carlos_cajigas<o:p></o:p></span><br />
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;"><br /></span>
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;"><br /></span>
<span style="font-family: "Calibri","sans-serif"; mso-fareast-font-family: Calibri;"><br /></span></div>
Carlos, 2014-09-10: Using Curl to Retrieve VirusTotal Malware Reports in BASH<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> If
you are in the DFIR world, there is a good chance that you often find yourself
either submitting suspicious files to VirusTotal (VT) for scanning, or
searching their database for suspicious hashes.</span><span style="font-family: Calibri, sans-serif;">
</span><span style="font-family: Calibri, sans-serif;">For these tasks and other neat features, VT offers a useful web
interface were you can accomplish this.</span><span style="font-family: Calibri, sans-serif;">
</span><span style="font-family: Calibri, sans-serif;">If submitting one file or searching one hash at a time is enough for
you, then their web interface should suffice for your needs.</span><span style="font-family: Calibri, sans-serif;"> </span><span style="font-family: Calibri, sans-serif;">Find the web interface at www.virustotal.com.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> If
you are looking for a little bit more functionality or the ability to scan a
set of suspicious hashes, you may want to look into using their public
API. VirusTotal's public API, among
other things, allows you to access malware scan reports without the need to use
their web interface. Access to their API
gives one the ability to build scripts that can have direct access to the
information generated and stored by them.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> To
have access to the API you need to join their community and get your own API
key. The key is free and getting one is
as simple as creating an account with them.
After joining their community you can locate your personal API key in
your community profile. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> In
this article we will go through the process of communicating with their API
from the Bourne-Again Shell (BASH) using the program curl. The chosen format for communicating with the API
is HTTP POST requests. We will discuss a
few curl commands, and once we become familiar with them, we will
incorporate the commands into a script to automate the process. The commands and the script came courtesy of
a tip that I got from my co-worker John Brown.
He gave me permission to talk about his tip and to publish
his script. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> BASH
is the default terminal shell in Ubuntu.
For the purposes of this article I used a VMware Player virtual machine
with Ubuntu 14.04 installed on it. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: large;">Installing the tools:</span><b><o:p></o:p></b></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> All
of the tools that we will use are already included in Ubuntu by default. You will not need to download and install any
other tools. If you want to follow
along, make sure that you have your VT API key available. We are also going to need suspicious hashes. Feel free to use your own hashes, or copy
the two MD5 hashes that I will use for this article, e4736f7f320f27cec9209ea02d6ac695
and 7f16d6f96912db0289f76ab1cde3420b. One of the hashes belongs to a fake-antivirus
malware sample that I use for testing, and the other one is the hash of a text
file that contains no malicious code.
One of the hashes will return hits; the other one will not. Let's get started. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: large;">The test:</span><b><o:p></o:p></b></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> Open
a Terminal window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T
or by going to the Dash Home and typing in “terminal”. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> In
order to communicate with the VT database and retrieve a file scan report, we are
going to need two things. First, we need
to know the URL to send the POST request to.
That URL is https://www.virustotal.com/vtapi/v2/file/report. Second, we need to feed the curl
command two parameters: your API key and a resource. The API key is the key that was given to
you upon joining the VT community, and the resource is the MD5 hash of the
file in question.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Calibri","sans-serif";"> The
following curl command should satisfy all of those requirements.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Calibri","sans-serif";"><b>$ curl -s
-X POST 'https://www.virustotal.com/vtapi/v2/file/report' --form
apikey="c6e8f956YOURAPIKEY06a82eab47a0cb8cbYOURAPIKEY53aa118ba0db1faeb67"
--form resource="e4736f7f320f27cec9209ea02d6ac695"</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5FYSXBJE874/VMRLAox_JFI/AAAAAAAAHSE/cCOhkgGqoUs/s1600/pic1_brush.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-5FYSXBJE874/VMRLAox_JFI/AAAAAAAAHSE/cCOhkgGqoUs/s1600/pic1_brush.png" height="54" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> Curl</span><span style="font-family: Calibri, sans-serif;"> is the command that we will use to
send the POST request to the specific VT URL.
The -s tells curl to be silent, to not print the progress bar. The -X tells which request we want it to
send, which in this instance is a POST request.
--form apikey= will be your API key, and --form resource is the MD5 hash
of the aforementioned fake antivirus file.
These are my results.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-YtSJNJMxOf4/VGT_dKU979I/AAAAAAAAGls/l6LtX67BGCM/s1600/Pic2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="346" src="https://2.bp.blogspot.com/-YtSJNJMxOf4/VGT_dKU979I/AAAAAAAAGls/l6LtX67BGCM/s640/Pic2.png" width="640" /></a></div>
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> It
looks like our fake antivirus file’s hash was located in the database and the file had been
previously scanned by VT. Lots of data with positive hits was
returned. The scan report is returned without line breaks, so it arrived in our terminal window in a
format that is difficult to read. Let's
see if we can fix that. Notice that the
results from each individual antivirus solution end with a closing curly brace followed by a comma, “},”. Armed
with this information, let’s add a newline character after each one of
those sequences to separate the output so that we can read it more easily. Run
the same command as above, but this time pipe it to sed 's|\},|\}\n|g'</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Calibri","sans-serif";"><b>carlos@vm:~$
curl -s -X POST 'https://www.virustotal.com/vtapi/v2/file/report' --form
apikey="c6e8f9563e6YOURAPIKEY82eab47a0cb8cb9454824YOURAPIKEYba0db1faeb67"
--form resource="e4736f7f320f27cec9209ea02d6ac695" | sed
's|\},|\}\n|g'</b><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> The
sed command changes our standard output by replacing every }, with }\n, which
is the curly brace followed by a newline.
The \ in the sed command escapes the braces so
that sed interprets them as literal characters, and \n in the replacement
stands for the newline character. These are my results.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ZwuW3umF2rk/VGT_k26k5nI/AAAAAAAAGl0/2k3-vwp_oSk/s1600/pic3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="340" src="https://1.bp.blogspot.com/-ZwuW3umF2rk/VGT_k26k5nI/AAAAAAAAGl0/2k3-vwp_oSk/s640/pic3.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> We
can now start to see information that we can work with. From here you can redirect this data to a
file or continue using grep, sed, awk and/or any other command line magic that
you can throw at this output to continue editing it to your needs. Personally, I am interested in the bottom
area of the screen, the part that says "positives": 23,. This tells me that this hash was recognized
by 23 different antivirus engines on the VT database. This is the data that I may need to pay
attention to during an investigation. That
sed command was just an example of how to manipulate the output. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> The
next command incorporates a combination of awk and sed pipes to filter the
output down to a final set of data that we felt comfortable working with. We chose to filter the data with this
combination of awk and sed commands.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Calibri","sans-serif";"><b>carlos@vm:~$
curl -s -X POST 'https://www.virustotal.com/vtapi/v2/file/report' --form
apikey="c6e8f9563e63YOURAPIKEY2eab47a0cb8cb9454824YOURAPIKEYba0db1faeb67"
--form resource="e4736f7f320f27cec9209ea02d6ac695" | awk -F
'positives\":' '{print "VT Hits" $2}' | awk -F ' ' '{print
$1$2$3$6$7}' | sed 's|["}]||g'</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YszNOxBAckE/VMRLPsPUZEI/AAAAAAAAHSM/x5geDklF3Xg/s1600/pic4_brush.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-YszNOxBAckE/VMRLPsPUZEI/AAAAAAAAHSM/x5geDklF3Xg/s1600/pic4_brush.png" height="52" width="640" /></a></div>
<span style="font-family: "Calibri","sans-serif";"><br /></span>
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> The
first awk command uses the string "positives": as the field delimiter and
prints the string “VT Hits” followed by the second field, which begins with
the number of positive hits, 23. The
second awk command uses a space as the delimiter and prints the first,
second, third, sixth and seventh columns, which extracts the string md5 and the MD5
hash of the file from the output. The
last sed command simply removes any quotes and curly braces from the
resulting output. These are my results.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-eAvORV6_ack/VMRLXUTBe2I/AAAAAAAAHSU/e8F_SIADFqU/s1600/pic5_brush.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-eAvORV6_ack/VMRLXUTBe2I/AAAAAAAAHSU/e8F_SIADFqU/s1600/pic5_brush.png" height="68" width="640" /></a></div>
<span style="font-family: "Calibri","sans-serif";"><br /></span>
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;">VTHits23,md5:e4736f7f320f27cec9209ea02d6ac695</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> The
end result is a single string of data that tells us the number of
antivirus engines that recognize the file as malicious, plus the MD5
hash of the file, so that we know which file is the suspicious one. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> If
by now you are thinking that this is far too long a command to remember, or even
to type again, then you are like me.
For this reason, John has made a script available that automates this
exact process and is extremely easy to use.
Find the script <a href="https://github.com/siftgrab/shellscripts/blob/master/grabVThash.sh" target="_blank">here</a>.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> After
making the script executable, run the script and give it a hash value as an
argument. It will use the same command as
above and will search the VT database for the hash that you fed it as an
argument. Run the script like this.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><b>carlos@vm:~$
./grabVThash.sh e4736f7f320f27cec9209ea02d6ac695</b><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> These
are my results.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-mEBg2zMXi9w/VGT_7W3rhqI/AAAAAAAAGmM/PvUdNLYEzAQ/s1600/pic6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="204" src="https://3.bp.blogspot.com/-mEBg2zMXi9w/VGT_7W3rhqI/AAAAAAAAGmM/PvUdNLYEzAQ/s640/pic6.png" width="640" /></a></div>
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> Same
results as above. The script automates
the process of sending hash values to VT and prints the results to the
screen. It can even take
a file containing multiple hashes as its input.
It sends at most 4 hashes per minute to VT, since that is the rate limit VT
sets for public access to the API. You
will need to add your API key to the script. </span></div>
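<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"> As an added example (my own script, not the article's commands and not John Brown's grabVThash.sh), the BASH script below does the same job as the curl, awk and sed pipelines shown earlier and as the script just described: it sends the POST request from the article, reduces the report to the hit count and MD5, and loops over a file of hashes while respecting the 4-per-minute limit. It differs in two ways that matter in practice: it parses the report by field name rather than by column position, and it handles the case the second hash produces, a resource that is not in the VT database (response_code 0), for which the pipeline above has no "positives" field to print. It assumes the v2 file/report endpoint from the article, an API key read from a VT_API_KEY environment variable (my choice, so the key does not sit in your shell history), and two constructed, abridged sample responses embedded in the script that imitate the JSON the endpoint returns. Only query_vt touches the network; everything else runs offline.</span></div>

```shell
#!/bin/bash
# Added example, not the article's script. Uses only curl, sed and the shell,
# all present on a stock Ubuntu install. Assumes VT_API_KEY holds your key.
VT_URL='https://www.virustotal.com/vtapi/v2/file/report'

# Constructed, abridged imitations of the v2 file/report JSON (not real VT output).
# First: the article's fake-antivirus hash, present in the database.
SAMPLE_FOUND='{"scans": {"EngineA": {"detected": true, "version": "1.0", "result": "FakeAV.Gen", "update": "20140910"}, "EngineB": {"detected": false, "version": "2.0", "result": null, "update": "20140910"}}, "resource": "e4736f7f320f27cec9209ea02d6ac695", "response_code": 1, "scan_date": "2014-09-10 11:16:00", "verbose_msg": "Scan finished, information embedded", "total": 55, "positives": 23, "md5": "e4736f7f320f27cec9209ea02d6ac695"}'
# Second: the article's text-file hash, which VT has never seen.
SAMPLE_NOT_FOUND='{"response_code": 0, "resource": "7f16d6f96912db0289f76ab1cde3420b", "verbose_msg": "The requested resource is not among the finished, queued or pending scans"}'

# Print the value of a top-level KEY from a one-line JSON report read on stdin.
# A sed regex, not a JSON parser: good enough for the flat number/string fields
# we need (positives, total, md5, resource, response_code), nothing more.
json_field() {   # json_field KEY < report
  key=$1
  sed -n "s/.*\"$key\": *\"\{0,1\}\([^,\"} ]*\)\"\{0,1\}.*/\1/p"
}

# Reduce one report (stdin) to the single summary line the article builds with
# awk/sed, and say so explicitly when the hash is not in the database.
summarize_report() {   # summarize_report < report
  report=$(cat)
  code=$(printf '%s' "$report" | json_field response_code)
  resource=$(printf '%s' "$report" | json_field resource)
  case "$code" in
    1) printf 'VT Hits: %s/%s, md5: %s\n' \
         "$(printf '%s' "$report" | json_field positives)" \
         "$(printf '%s' "$report" | json_field total)" \
         "$(printf '%s' "$report" | json_field md5)" ;;
    0) printf 'VT Hits: not in database, resource: %s\n' "$resource" ;;
    *) printf 'VT Hits: unexpected response for %s\n' "$resource" ;;
  esac
}

# The same POST the article shows, with the key taken from the environment.
query_vt() {   # query_vt MD5
  [ -n "$VT_API_KEY" ] || { echo "VT_API_KEY is not set" >&2; return 1; }
  curl -s -X POST "$VT_URL" --form "apikey=$VT_API_KEY" --form "resource=$1"
}

# Look up every hash in HASHFILE (one per line), sleeping 15 s between
# requests to stay within the 4-requests-per-minute public API limit.
lookup_file() {   # lookup_file HASHFILE
  while read -r hash; do
    [ -z "$hash" ] && continue
    query_vt "$hash" | summarize_report
    sleep 15
  done < "$1"
}

# Usage:  VT_API_KEY=... ./vt_lookup.sh <md5>     or     ./vt_lookup.sh -f hashes.txt
if [ $# -gt 0 ]; then
  if [ "$1" = "-f" ]; then lookup_file "$2"; else query_vt "$1" | summarize_report; fi
fi
```

Running it against the two embedded samples gives "VT Hits: 23/55, md5: e4736f7f320f27cec9209ea02d6ac695" for the first and "VT Hits: not in database, resource: 7f16d6f96912db0289f76ab1cde3420b" for the second; the sed in json_field matches the last occurrence of a key, which is why it is restricted to the flat top-level fields and should not be pointed at the nested "scans" object.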
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><span style="font-size: large;">Conclusion:</span><b><o:p></o:p></b></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> VT gives us access to its database by allowing us to build scripts that can have
direct access to the information generated and stored by them. The script that we published is just one of
many ways that we can add ease of access to the data stored by VT. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"> If this procedure helped your investigation,
we would like to hear from you. You can
leave a comment or reach me on twitter: @carlos_cajigas</span><br />
<span style="font-family: "Calibri","sans-serif";"><br /></span>
<span style="font-family: "Calibri","sans-serif";"><br /></span>
<span style="font-family: "Calibri","sans-serif";"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: large;"><b>Random Offset Hiding of TrueCrypt Containers</b></span><br />Posted by Carlos on 2014-07-03 (updated 2015-01-05)</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Have you ever had the need to completely hide encrypted data and
know that, if you had to, you could successfully deny its existence? Have you ever dreamed of hiding an encrypted
container in unpartitioned free space?
No... Neither have I, but we
stumbled across a neat little trick and wanted to share it with you. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> While playing around with the command line, we wanted to see
if one could use dd to consecutively write two individually created filesystems
to a thumb drive (without partitioning the drive) and, if so, subsequently mount and use either
one of the filesystems to store and save files.
We learned that the answer is yes, so we decided to make one of the
filesystems an encrypted one.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt;"> The process is a bit time consuming, but the end result is that
you will end up with a device that contains a fully functioning, usable,
unencrypted filesystem followed by a completely hidden encrypted one. The second, encrypted filesystem will reside
in the free space of the drive. Since
the device will not be partitioned, only the first filesystem will be seen by
the operating system. Without the
existence of a partition table, not even forensic software will be able to spot
the existence of the second encrypted filesystem, so don't forget its starting sector offset!<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> At the time that we tested this theory, the credibility of the
TrueCrypt software was still strong. For
that reason, we used TrueCrypt to create the encrypted filesystem. If you are of the belief that TrueCrypt is
no longer secure, then you are welcome to use other tools. The process should be repeatable and you can
adjust it to your needs. For the
purposes of this article I used a VMware Player virtual machine with Ubuntu
14.04 installed on it. Let's get
started. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 14.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Installing the tools:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> With the exception of TrueCrypt, all of the tools that we will use
are either included in Ubuntu by default or can be downloaded from the Ubuntu
Software Center. TrueCrypt is still
available for download. Steve Gibson
@SGgrc, the creator of SpinRite, stores the latest version of TrueCrypt on his website. Find it <a href="https://www.grc.com/misc/truecrypt/truecrypt.htm" target="_blank">here</a>. After download, if you want a bit of peace of mind, check
the hashes against known file hashes independently stored on other sites, like this <a href="https://defuse.ca/truecrypt-7.1a-hashes.htm" target="_blank">one</a>. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The other tools that we will need to accomplish this scenario are
dd and sleuthkit. dd comes
pre-installed in Ubuntu, so let's install sleuthkit. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> We will install the tools from the command line. Open a Terminal window. In Ubuntu you can
accomplish this by pressing Ctrl-Alt-T or by going to the Dash
Home and typing in “terminal”. Type the
following into the terminal to install sleuthkit from the apt-get
repositories. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ sudo
apt-get install hexedit sleuthkit</span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-ucGMmXADG-E/VGUAqjcYqSI/AAAAAAAAGmY/wp0cuA62AcA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://3.bp.blogspot.com/-ucGMmXADG-E/VGUAqjcYqSI/AAAAAAAAGmY/wp0cuA62AcA/s400/1.png" width="400" /></a></div>
<br />
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> You will be prompted for your root password. Enter your root password and wait for the
program(s) to install. This procedure
will install sleuthkit version 3.2.3, which will work fine for what we
need. As of this writing the latest
version is 4.3.1. If you want to use the
latest, you have to compile it from source.
We can go over that a different day.
<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Now that you have the tools that we need, the next step is to
prepare a working folder for us to store our working copies of our data. Go to your desktop, right click on your
desktop and select “create new folder”, name it “Test”.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-3RJGUgZSxdc/VGUBb-6YyHI/AAAAAAAAGmg/u1wABZHblhg/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://3.bp.blogspot.com/-3RJGUgZSxdc/VGUBb-6YyHI/AAAAAAAAGmg/u1wABZHblhg/s320/2.png" width="320" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> Navigate to the previously created Test folder on the
desktop. We will use the cd command to
change into that directory. Type
the following into the terminal.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><b>$ cd /home/carlos/Desktop/Test/</b><o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Replace “carlos” with
the name of the user account you are currently logged on as. After doing so, press enter. You should receive these results. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-WVTacqtmsEo/VGUBy7EGgRI/AAAAAAAAGmo/g1EapG3u3SY/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="https://1.bp.blogspot.com/-WVTacqtmsEo/VGUBy7EGgRI/AAAAAAAAGmo/g1EapG3u3SY/s400/3.png" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> This will be the directory where we will create our filesystems
and/or whatever data we plan on using as a working copy of a file. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 14.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">The test:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The first step in our process is to create the first filesystem
that will later be written to our drive.
It will be an unencrypted filesystem that you can use to store any
non-sensitive data, or any data for that matter. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Since two independent filesystems will be residing on our drive,
you will have to decide how large each of your filesystems will be. For the purposes of this article, I will be
using a 64MB thumb drive to store our filesystems. I chose a very tiny thumb
drive so that I could make the image available to you, if you wish to download
it. Find it <a href="https://drive.google.com/file/d/0B1yeH-AzonM5QVpZR1V4b1d6WVE/edit?usp=sharing" target="_blank">here</a>. Each of my filesystems will be 25MB in size. The password is "mtk". Continuing...<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> From the terminal, type the command below.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ dd if=/dev/urandom of=1st25mb_unencrypted.dd bs=512
count=50000<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> dd is a common Linux program whose primary purpose is the low-level
copying and conversion of raw data.
The if= tells dd which file to read from.
In this instance the file is /dev/urandom, which is an interface to the
kernel's random number generator. The
of= tells dd which file to write to, which here is a file called
1st25mb_unencrypted.dd. bs= is the block
size to be used, and count= tells dd to write fifty thousand blocks of
512 bytes. The result is that we will
end up with a data chunk that contains exactly 50,000 blocks of 512 bytes. Multiply 50,000 by 512 and then divide it by
1024 and you will get 25MB. <o:p></o:p></span></div>
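<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt;"> As an added example (my own script, not the article's commands), the script below carries the dd arithmetic through and demonstrates the layout the article describes: two raw images written back to back with dd, no partition table, and the second one findable only by its sector offset. It creates two small random-data images, writes them consecutively into one target image using dd's seek=, prints the sector at which the second begins, and then reads the second image back from that offset with dd's skip= and compares checksums, which is exactly the check an examiner (or the owner who "forgot" the offset) would run. sectors_to_bytes shows the size arithmetic for the article's count=50000: 50,000 sectors of 512 bytes is 25,600,000 bytes, about 25 MB (24.4 MiB). The helper names and the tiny image sizes are mine.</span></div>

```shell
#!/bin/bash
# Added example, not from the article. Lays two raw images out consecutively in
# one target image with dd, keeps the sector offset of the second, and reads it
# back from that offset. Helper names are mine; sizes are tiny so it runs fast.

SECTOR=512   # dd block size used throughout, matching the article's bs=512

# Bytes occupied by N sectors. The article's count=50000 gives 25,600,000 bytes,
# which is about 25 MB (24.4 MiB).
sectors_to_bytes() { echo $(( $1 * SECTOR )); }

# Size of a file in bytes (wc is on a stock Ubuntu install).
file_size() { wc -c < "$1" | tr -d ' '; }

# Sector at which an image written directly after IMG begins. This is the number
# the article says you must not forget: with no partition table, nothing records it.
next_sector_offset() { echo $(( $(file_size "$1") / SECTOR )); }

# Create first.dd and second.dd from /dev/urandom (like the article's
# 1st25mb_unencrypted.dd) and write them consecutively into target.dd.
# Prints the sector offset of second.dd inside target.dd.
layout_images() {   # layout_images WORKDIR FIRST_SECTORS SECOND_SECTORS
  dir=$1
  dd if=/dev/urandom of="$dir/first.dd"  bs=$SECTOR count="$2" 2>/dev/null
  dd if=/dev/urandom of="$dir/second.dd" bs=$SECTOR count="$3" 2>/dev/null
  off=$(next_sector_offset "$dir/first.dd")
  dd if="$dir/first.dd"  of="$dir/target.dd" bs=$SECTOR conv=notrunc 2>/dev/null
  # seek= skips $off output blocks, so second.dd lands right after first.dd
  dd if="$dir/second.dd" of="$dir/target.dd" bs=$SECTOR seek="$off" conv=notrunc 2>/dev/null
  echo "$off"
}

# Pull the second image back out of target.dd knowing only its offset and length
# (skip= is the read-side counterpart of seek=) and compare it with the original.
verify_hidden() {   # verify_hidden WORKDIR OFFSET SECTORS -> "match" or "mismatch"
  dir=$1
  dd if="$dir/target.dd" of="$dir/recovered.dd" bs=$SECTOR skip="$2" count="$3" 2>/dev/null
  if [ "$(cksum < "$dir/second.dd")" = "$(cksum < "$dir/recovered.dd")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Whole round trip in a scratch directory: 16 sectors (8 KiB) then 8 sectors (4 KiB).
demo() {
  dir=$(mktemp -d)
  off=$(layout_images "$dir" 16 8)
  result=$(verify_hidden "$dir" "$off" 8)
  rm -rf "$dir"
  echo "second image at sector $off: $result"
}
```

With the article's sizes you would call layout_images with 50000 for both images, and the second filesystem would start at sector 50000; on a real device the same seek= and skip= values apply to /dev/sdX instead of target.dd, which is why recording the offset is the whole game.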
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> This should be the resulting data chunk. ls -l lists the directory in long format, so the size column confirms the byte size of the new file.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-6NfP0jeloJo/VGUCCwc_d6I/AAAAAAAAGm0/BBYeABxZI6A/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="https://4.bp.blogspot.com/-6NfP0jeloJo/VGUCCwc_d6I/AAAAAAAAGm0/BBYeABxZI6A/s640/4.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> Once the data chunk has been created, use the command below to format it as a working FAT16 filesystem with the volume label “MTK”. FAT16 suited a chunk of this size; you can choose a different filesystem if you prefer. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ mkfs.vfat
-F 16 -n MTK -v 1st25mb_unencrypted.dd<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> mkfs.vfat creates an MS-DOS (FAT) filesystem under Linux. -F 16 selects 16-bit file allocation tables, that is FAT16, -n sets the volume name (label) of the filesystem and -v gives verbose output. mkfs.vfat only writes the boot sector, the FATs and the root directory; the rest of the random data we generated stays in place and becomes the volume's unallocated space. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-8HtbalhMbgE/VGUCKbjitHI/AAAAAAAAGm8/jRaVF87CAV4/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://4.bp.blogspot.com/-8HtbalhMbgE/VGUCKbjitHI/AAAAAAAAGm8/jRaVF87CAV4/s640/5.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Success, we have formatted the data chunk. If you want to look at the filesystem statistics of the data chunk, use the Sleuth Kit command fsstat, which provides exactly that. Among other things it reports the sector size and the sector count of the volume, the two numbers the offset of the encrypted container is computed from later. Type the command below and press Enter.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ fsstat
1st25mb_unencrypted.dd<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-nSEYeZQR7BQ/VGUCWAkVEfI/AAAAAAAAGnE/BCjl9DAuiYM/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://3.bp.blogspot.com/-nSEYeZQR7BQ/VGUCWAkVEfI/AAAAAAAAGnE/BCjl9DAuiYM/s640/6.png" width="498" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> The next step is to create our encrypted filesystem using TrueCrypt. There are many tutorials online on how to do this, and I don't want to go over the steps here because of the many options available and how much longer it would make the write-up. A good article on creating a container can be found on the <a href="http://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt" target="_blank">Howtogeek </a>site. I went ahead and created a 25mb container using all the defaults and the password mtk (lowercase), and named the container 2nd25mb_encrypted.dd. Note the container's byte size from ls -l as well: the two chunks together must fit on the drive. TrueCrypt's developers ended the project in May 2014; its maintained fork VeraCrypt can create and open containers of this kind as well. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-dgCYCjNPi8U/VGUDCiNm-cI/AAAAAAAAGnY/A5sSgRf3Qv8/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://4.bp.blogspot.com/-dgCYCjNPi8U/VGUDCiNm-cI/AAAAAAAAGnY/A5sSgRf3Qv8/s640/7.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> I also mounted the encrypted container and added a file titled
SecretFile.txt. You can use the same
article from Howtogeek for instructions on this. Once you have added a file to the container
use TrueCrypt to unmount it. <o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-5uFuEZAmyeA/VGUDLRoEA7I/AAAAAAAAGng/qWXpwemZoYM/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://3.bp.blogspot.com/-5uFuEZAmyeA/VGUDLRoEA7I/AAAAAAAAGng/qWXpwemZoYM/s400/8.png" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Now comes the fun part: find a thumb drive to write these filesystems to. I inserted my 64mb thumb drive into my VM and ran the command below to identify it.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ sudo fdisk
-l<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> fdisk is a partition table manipulator for Linux. The -l flag tells fdisk to list the partition tables of all the devices it can find, and sudo runs fdisk with superuser privileges. Press Enter and type your account password if sudo asks for it.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-zG4Q2MTMMgc/VGUDYbsqDzI/AAAAAAAAGno/Esl_OuT8IGE/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://3.bp.blogspot.com/-zG4Q2MTMMgc/VGUDYbsqDzI/AAAAAAAAGno/Esl_OuT8IGE/s400/9.png" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> Ubuntu assigned my 64mb media the device name /dev/sdb. /dev/sda is the internal virtual HDD that Ubuntu is installed on. Check the device name and the size that fdisk prints carefully: the dd command that follows overwrites whatever device you give it, starting from its first byte. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> We finally get to write these filesystems to the media.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> The below command will write each filesystem consecutively to my
64MB thumb drive.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ cat 1st25mb_unencrypted.dd
2nd25mb_encrypted.dd | sudo dd of=/dev/sdb<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> cat concatenates (combines) the two chunks, one after the other. The “|” is a pipe, the Linux mechanism for passing the output of one process to another process as its input. dd receives the two chunks as a single stream and writes them contiguously from the first byte of the physical device /dev/sdb, so the container begins exactly where the unencrypted chunk ends. Note that dd writes only as many bytes as it is given; the remainder of the 64MB drive beyond the two chunks is left as it was. Run sync before removing the drive so that any buffered writes reach the media. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-G3oCr9Jqagk/VGUDqLREbGI/AAAAAAAAGnw/qwpF96vf6NQ/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://4.bp.blogspot.com/-G3oCr9Jqagk/VGUDqLREbGI/AAAAAAAAGnw/qwpF96vf6NQ/s640/10.png" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif";"><span style="font-size: 11pt;"> Our </span><span style="font-size: 15px;">thumb drive</span><span style="font-size: 11pt;"> is now ready for deployment and use. Both of the filesystems are now residing on the drive. If you insert this drive into a Windows machine this is what you
would see. Windows only recognized the unencrypted filesystem and assigned it logical letter (F). <o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-G6ZwOnhzZ5s/VGUDxMPeX7I/AAAAAAAAGn8/fRt6pReSTFY/s1600/11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://3.bp.blogspot.com/-G6ZwOnhzZ5s/VGUDxMPeX7I/AAAAAAAAGn8/fRt6pReSTFY/s400/11.PNG" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> At this point the drive is fully functional, with a 25MB filesystem that stores data normally. Even the “MTK” volume label we assigned is recognized. To the untrained eye the drive looks perfectly ordinary, and if you were forced to show your files, only the non-sensitive data would be seen. A trained eye, or anyone with a little know-how, will notice that a 64MB drive carries only a 25MB filesystem: the sector count that fsstat reports for the volume falls far short of the sector count that fdisk -l reports for the device. Inspection of the free space beyond the filesystem would show nothing but noise. That noise is indistinguishable from the noise in the unallocated space of the unencrypted filesystem, which is exactly why we filled that data chunk from /dev/urandom. One caveat: the cat and dd command above wrote only the two chunks, so the last part of the drive still holds whatever was there before. If that region is zeros or the remains of an old filesystem, the random-looking block sitting between it and the FAT16 volume stands out; filling the whole drive from /dev/urandom before writing the chunks removes that tell. You can picture an examiner scratching their head, but that may be the extent of it. Have you ever heard of an examiner segregating the free space of a drive into its own file to look for encrypted containers and run brute force attacks? If you have, please tell us about it in the comments.</span></span></div>
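<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> The examiner's check just described (a 64MB drive whose only volume claims 25MB, with noise beyond it) and the layout that the cat and dd step produces can both be exercised offline. The Python script below is an added example written for this page; it is not code from the original post and not a TrueCrypt or Sleuth Kit tool. It builds a scaled stand-in for the thumb drive in memory: a hand-made FAT16 boot sector in which only the BIOS Parameter Block fields the check reads are filled in (standing in for the mkfs.vfat output), followed by random bytes, then random bytes standing in for the 2nd25mb_encrypted.dd container, then either random filler or zeros for the untouched tail of the drive. It then reads the volume's claimed size from the boot sector, which is the same number fsstat reports and the same offset losetup -o needs, and scores the entropy of each window of media beyond it. The 64 MiB device size, the 1 MiB scan window and the 7.9 bits-per-byte threshold are assumptions chosen for the example.</span></div>

```python
"""Added example: build a scaled stand-in for the two-chunk thumb drive, then
run the check an examiner would run on it.  The FAT16 boot sector and the
'container' are constructed here; nothing below is mkfs.vfat or TrueCrypt
output."""
import math
import os
import struct
from collections import Counter

SECTOR = 512


def fat16_boot_sector(total_sectors, label=b"MTK"):
    """Constructed stand-in for sector 0 of the mkfs.vfat output.  Only the
    BIOS Parameter Block fields read by fat_extent_bytes matter; mkfs.vfat
    fills in far more (boot code, serial number, FATs, root directory)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                      # x86 jump over the BPB
    bs[3:11] = b"mkfs.fat"                         # OEM name
    small = total_sectors if total_sectors < 0x10000 else 0
    large = total_sectors if total_sectors >= 0x10000 else 0
    # bytes/sector, sectors/cluster, reserved sectors, FATs, root entries,
    # total sectors (16-bit), media byte, sectors/FAT, sectors/track, heads,
    # hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     SECTOR, 4, 4, 2, 512, small, 0xF8, 49, 32, 64, 0, large)
    bs[38] = 0x29                                  # extended boot signature
    bs[43:54] = label.ljust(11, b" ")              # volume label
    bs[54:62] = b"FAT16   "                        # filesystem type string
    bs[510:512] = b"\x55\xAA"                      # boot-sector signature
    return bytes(bs)


def fat_extent_bytes(boot_sector):
    """Bytes the FAT volume claims for itself, from its BPB.  fsstat reports
    the same two numbers as the sector size and the total sector range."""
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 carries no boot-sector signature")
    bytes_per_sector = struct.unpack_from("<H", boot_sector, 11)[0]
    total16 = struct.unpack_from("<H", boot_sector, 19)[0]
    total32 = struct.unpack_from("<I", boot_sector, 32)[0]
    total = total16 or total32
    if not bytes_per_sector or not total:
        raise ValueError("BPB does not describe a volume")
    return bytes_per_sector * total


def shannon_entropy(data):
    """Bits per byte: 0.0 for a run of a single value, close to 8.0 for
    ciphertext or /dev/urandom output."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_image(fs_sectors, container, device_size, wipe_tail):
    """Lay the chunks out the way `cat a b | sudo dd of=/dev/sdb` does: the
    FAT16 volume first, the container immediately behind it.  wipe_tail says
    whether the rest of the media is noise (as a urandom pre-wipe leaves it)
    or zeros, standing in for an unwiped drive."""
    volume = fat16_boot_sector(fs_sectors) + os.urandom((fs_sectors - 1) * SECTOR)
    tail = device_size - len(volume) - len(container)
    if tail < 0:
        raise ValueError("the two chunks do not fit on the device")
    filler = os.urandom(tail) if wipe_tail else bytes(tail)
    return volume + container + filler


def scan_unclaimed(image, window=1 << 20):
    """Examiner's check: where does the volume end (the same byte offset that
    `losetup -o` needs) and what does each window of media beyond it look
    like?  Returns (fs_end, [(offset, entropy), ...])."""
    fs_end = fat_extent_bytes(image[:SECTOR])
    windows = [(off, shannon_entropy(image[off:off + window]))
               for off in range(fs_end, len(image), window)]
    return fs_end, windows


def carve_unclaimed(image):
    """Segregate the free space into its own object: every byte past the
    volume's claimed end, which is what a loop device at that offset exposes
    and what a cracking tool would be pointed at."""
    return image[fat_extent_bytes(image[:SECTOR]):]


if __name__ == "__main__":
    # The post's layout: 50,000 sectors of FAT16, a 25 MiB container stand-in,
    # a 64 MiB device (assumed size), tail left as it was (zeros here).
    container = os.urandom(25 * 1024 * 1024)
    image = build_image(50000, container, 64 * 1024 * 1024, wipe_tail=False)
    fs_end, windows = scan_unclaimed(image)
    print(f"volume claims {fs_end} bytes, media holds {len(image)} bytes")
    for off, h in windows:
        verdict = "random-looking" if h > 7.9 else "blank/structured"
        print(f"  offset {off:>10}: {h:.3f} bits/byte  {verdict}")
```

<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> Run it with python3. With the tail left unwiped, the report shows the volume ending at byte 25,600,000, then 25 random-looking windows followed by blank ones: the boundary between the two is the tell. Build the image with wipe_tail=True and every window scores the same, so the container no longer has an edge to find. carve_unclaimed returns the same bytes that a loop device set up at that offset would expose, which is the segregated free space an examiner could hand to a password-cracking tool.</span></div>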
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 14.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Accessing the encrypted container:</span><br />
<span style="font-family: "Calibri","sans-serif"; font-size: 14.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> To access the encrypted container we have to create a loop device and then mount that loop device with TrueCrypt. Because the container sits at a known offset in the free space of the drive, a loop device that starts at that offset exposes it as if it were a disk device of its own.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Accomplish it with the below command.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ sudo
losetup -o 25600000 /dev/loop0 /dev/sdb<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> losetup sets up and controls loop devices. -o specifies the offset, in bytes, at which the loop device begins on the backing device. The container starts 25,600,000 bytes into the drive: the 50,000 sectors of the unencrypted filesystem times 512 bytes, which is also the size that ls -l reported for 1st25mb_unencrypted.dd. /dev/loop0 is the first loop device and /dev/sdb is the 64MB thumb drive. If /dev/loop0 is already in use, losetup -f reports the first free loop device. The loop device extends from the offset to the end of the drive; that is harmless here, since TrueCrypt takes the volume size from the container's own header. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-Y1NlKlNmfYk/VGUD7CnF9LI/AAAAAAAAGoE/eS5eXbzaRpc/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="61" src="https://1.bp.blogspot.com/-Y1NlKlNmfYk/VGUD7CnF9LI/AAAAAAAAGoE/eS5eXbzaRpc/s400/12.png" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"> Lastly, we use TrueCrypt to decrypt the loop device and mount the volume on a previously created directory. This step is done with the command below.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div style="text-align: left;">
<b><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">$ sudo
truecrypt -t /dev/loop0 /mnt/tc/<o:p></o:p></span></b></div>
</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> truecrypt -t runs TrueCrypt in text mode, /dev/loop0 is the loop device and /mnt/tc is a mount point that I created earlier with mkdir (no screenshot). TrueCrypt prompts for the container password, mtk in this case. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://1.bp.blogspot.com/-F6EJT4pQmnA/VGUECgglqcI/AAAAAAAAGoM/Dtr7dr7_Tr4/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://1.bp.blogspot.com/-F6EJT4pQmnA/VGUECgglqcI/AAAAAAAAGoM/Dtr7dr7_Tr4/s400/14.png" width="400" /></a></div>
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> Running ls -l on /mnt/tc shows that the file we created earlier, SecretFile.txt, is now decrypted and available to us. The volume was mounted read-write, so any data you add to this filesystem is encrypted transparently as it is written to the loop device, not only at dismount. When you are done, dismount the volume with TrueCrypt and detach the loop device before removing the drive. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 14.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Conclusion:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"> This was a time-consuming way of creating a hidden encrypted container to store sensitive data. It probably doesn't offer any more security than the methods TrueCrypt already provides, such as its built-in hidden volumes. It was simply an exercise in manipulating data chunks and filesystems from the shell. </span><br />
<br />
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px;"> If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas</span></span></div>
<div class="MsoNormal" style="text-align: justify;">
</div>
<div class="MsoNormal" style="text-align: justify;">
<br />
-----<br />
<br />
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px;">Update 07/10/14: Bored? Notice that the last screenshot above tells us that "SecretFile.txt" contains 11 bytes of data. Download the image, mount the encrypted container, and be the first one to tell us what data is stored in the "SecretFile.txt". Leave it in the comments section. Remember to share a tip.</span></span><br />
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px;">-----</span></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 15px;"><br /></span>
<span style="font-family: Calibri, sans-serif; font-size: 15px;">Update 07/18/14: G</span><span style="font-family: Calibri, sans-serif; font-size: 15px;">erry Stephen found the data inside of the txt file. He went about finding the data using his preferred method and he even described his way. Go to the comments section to see his tip.</span><br />
<div>
<br />
<br />
<br /></div>
</div>
Carloshttp://www.blogger.com/profile/10204960193232380067noreply@blogger.com4