Monday, October 26, 2015

Some informal talks about EnCase

There are some informal talks about EnCase and its future. Looks like version 8 is delayed till further notice and v7.11 and later will roll out, while v6 will silently stay alive. Also feedback from the trenches will be taken into account. Sounds like very reasonable actions after all those atrocities with v7. Again I'll try to push what I've said many times:

  • bring back conditions as they were in v6, in each screen
  • fix the user interface to be consistent and simple, even rethink it, especially for the enterprise version
  • add automation on a simple script level, EnScript is too complicated for the ordinary user
  • add logging of user actions, for performance monitoring and for legal issues
  • document the data structures, fix the documentation
  • enhance cooperation with other products, e.g. free the Lx01 and L01 logical evidence file formats for other vendors to use, and do an implementation in Python for read/write access to logical evidence files
  • add libraries to interact with other scripting languages: Perl, Ruby and Python
  • document the SQL data structures used in the enterprise version
  • fix reporting and especially data exporting in Case Analyzer

The product portfolio is probably changing again, with new titles for old products :) or new repackaging. Tableau devices are coming again in new shapes and with new functionality, which is really a nice touch.

Looks like somebody took control of the situation and instead of a Soviet style no-step-back policy we now have some strategic thinking and damage control. I suppose there are also some cultural changes based on the hard lessons learned during the disaster; also a lot of people left Guidance Software since the painful story with EnCase v7 started in 2011. I suppose this is a good mark for anyone in the industry to stop a little and start thinking about what is going on and why. It is time to admit that even for digital forensic vendors some computer science common sense has to be applied. There is some rumbling on the horizon and clear signs showing that traditional vendors have problems defining their role and product position.

Strangely, BBC had a nice article on corporate problems, "VW and the never-ending cycle of corporate scandals", which fits well into what I mentioned above about digital forensic vendors.
To be honest I've never seen data or a study on the correlation (never been trying too hard to find it, actually) between IT security problems and corporate policies, cultures etc. I suppose this type of data and intel should be in insurance companies' profiling data for their clients. The same thing can be done for general IT problems, just remember "The Big Unknowns" in Verizon data breach reports since 2008.

Sunday, October 11, 2015

In the last SANS NewsBites: there is a scholarship for women in Cybersecurity!

Just to post this, some of my colleagues are following the blog, it is easier to blog news than to email it to all of them :)

SANS NewsBites Vol. 17 Num. 079 : Scholarships For Women in Cyber; 

TOP OF THE NEWS
 --Women's Cyber Talent Search Offers Scholarships For Intensive Hands
    On Training
(October 9, 2015)
As a step toward bringing more talent into cybersecurity by closing the
gender gap, the National Center for Women in Technology and SANS are
providing more than $300,000 in scholarships for advanced hands-on
training in the most sought-after skills.  Women who demonstrate
aptitude for and basic skills in cybersecurity are eligible.  The
admissions process is now open and qualifying exams are being held from
today through October 30.
Schedule and qualifying site:
https://www.sans.org/cybertalent/immersion-academy/programs?#womens-academy
More on what is in the CyberAcademies
http://www.sans.org/cybertalent/immersion-academy/

Sunday, October 4, 2015

attack, defense, IT systems, people, thoughts

I always remember a talk about attack and defense theory; in its most simple form it says a prepared defender has a 3 to 1 advantage over the attacker, or a prepared defending force will destroy as many as 3 times the forces which are attacking. That is a war and blood proven theory, but why is it not working like that in IT attack and defense?

I love to think about it :)

It says prepared defending force, a joke if we are talking about current IT systems, government or business. Just check through different reports about incidents, data breaches etc. .. they show clear signs of systems being neglected, not administered or deliberately ignored.
And still, if you read about the people involved, titles and references, a lot of certifications and buzzwords. A lot of certifications around which will certify systems, tools, people ... a bit fishy since it's a very lucrative market.

My favorite thing is the CISSP certification, very popular among people managing or directing IT systems, but I have a wooden feeling about something designed by accountants for an accounting auditing approach, not a system engineering approach. A long exam of questions to be answered out of textbooks with standard answers, but nothing practical and, worst of it, nothing creative or even scientific in method. If you read about it, it shows pure theory and standards, something nice to have but which gives you such a beautiful false feeling of capabilities and knowledge. There is not much mention of practice or experience with real systems or effective analyses and such. It gives me the image of someone using procedures without understanding why these procedures are there in the first place and without a clue how to create new procedures (in a politically correct saying: knowing when to break an old procedure because it does not make sense any more).

It always reminds me of Admiral Hyman Rickover and his attitude to project management, system management and control. It is a bit of a dinosaur approach, but I still think it is worth rethinking and putting into the context of the modern world. The implications of developing a strategic nuclear submarine fleet were essential for world survival during the cold war; it actually was a key element in the MAD triad approach which made major war senseless or unwinnable. There are some similarities in securing IT systems today, especially critical systems. From forums and conferences it is obvious that US DoD and the rest of the military are thinking about it, but for the non-military I'm not sure.

It is worth reading his papers and some additional materials on nuclear strategy, especially on quality control problems in early submarines and on training and personnel issues, and thinking about the long term implications. Lessons learned in that far away period are still valuable, but it is not straightforward how to apply them. I suppose simplification and lack of understanding of the whole system, and even not being willing to understand your system, are critical problems today, something which is not possible to solve through current trends and practices. All this gives the attacker from the first paragraph a huge advantage.

8th October 2017
A very nice article, "What's wrong with the CISSP", talks about how certification can be misunderstood and the implications of this misuse.


TV interview from Bahrain

This Friday CDs with video materials arrived. This interview was a completely unannounced event, it was done during and after the opening ceremony of the CyberCrime training in Bahrain. The fact that I had to talk was a real shock. I was afraid of the outcome and have been watching my part of the video with huge fear. Previous filming always left me a bad memory. This one was not so bad, at least my answers, but I was so ugly on the screen .... The camera does not like oily skin and sunspots, especially in strong artificial light. Questions and answers were OK, me mostly talking about the need for education and the concept of computer hygiene being taught to everyone.

Wednesday, September 23, 2015

Yesterday a local branch of DT crashed

It was a normal day without services since T-HT (local branch of Deutsche Telekom) crashed. It is not yet officially announced what the root cause was, but whatever it was, it was surely supported by the poor state of the system.
It was a frantic day for most users since phones were off, mobile and landlines both; most of the emergency services were cut off, bank networks, infrastructure.
Looks like there are some side effects since other providers got some problems too, probably side attacks etc.

It is more of a public concern since T-HT effectively is a monopoly on the Croatian market. It nicely shows what incompetent politics, corruption, bad practices and low quality cause .. I forgot to mention that we here have one of the most expensive and worst quality IT services in Europe.
The whole story about T-HT being sold looks like selling Manhattan for a bottle of rum, and now the bottle is empty. It is the same colonial approach so typical for Balkan states.





Tuesday, September 15, 2015

FSEC2015 finished today

Today it was the vendor day. Yesterday I had my 30 minutes of hate presentation, today we were deep underground, safe and among other vendors showing our products ... Beautiful things capable of doing everything in security, just as all the others.
It was in the students' cafe, probably an ex dungeon, reminds me of that utp korbach picture. There were some rumors about it having been used there. It was so dark that I managed to spill my cola and create a terrible disaster.

Other vendors had beautiful female team members, we had our ladies just in the movie presentation. I find that a more humane approach than forcing girls to be in smart business dress and high stilettos for hours; it's unfair since everyone else in the team is having comfy sneakers. I simply can't imagine sysadmins wearing high heels even in the most gender challenged situations.

FSEC2015 was OK, a lot of different topics, almost from conspiracy theories, hate presentations (me), business audit models, OpenBSD improvements, secure coding, and some good references in the keynote speaker's talk about what computing science is, about grammar, proofs ... in today's security business practically an unknown science.




Sunday, September 13, 2015

Perfect autumn day

I'm just having a perfect day, in the countryside. It is a magnificent day, sunny but mild, calm, beautiful golden light with that almost eternal bright quality. Even got bees and wasps buzzing around.

My few days of vacation are coming to an end soon, I'm thinking about the next things to do.
It will be a busy time, looks like some business trips will be mixed in, I don't know how it will be mixed with lectures and preparations. For my forensic lectures I decided to put the stress on Linux and scripting in Python, with stress on the theory introduced in the books by Farmer and Venema and also in Carrier's book. I found that this computing theory thing is missing from my students. It is missing also because traditional digital forensics literature is not stressing it enough, there is not enough computer science, making it look like pure heuristics.


I was thinking too much about digital forensics based on how law enforcement and lawyers see it, but not on how engineers and scientists have to see it. This was a mistake but easy to correct.


For Linux there is plenty of material collected for the last Linux forensics training I've done, so the homework will be to put all that into one wrap suitable for students. The platform will be the SANS workstation in a virtual environment.

Also I think I'll add some additional graduation thesis tasks, especially in doing some CFE engine forensic modifications. If we manage, the target will be to design a CFE agent with forensically sound rules and configurations for smartphones, mainly for Android.

Wednesday, September 9, 2015

Why I hate digital forensics ...

This is actually the working title of one lecture I'm preparing for next Monday, at FSEC2015: about 30 minutes of a hate story, hopefully a passionate story :). We got the invitation on very short notice in a very busy period for us and the title just popped up.
Actually there are a lot of things worth mentioning and discussing loudly in digital forensics,
a lot of very good articles and talks recently about problems and things which are well known but not spoken about well enough.
I was attending the ERA conference in Riga recently where Stephen Mason put some unexpected but very logical questions about the essence of admissibility and reliability of digital forensic tools.
On the same path but more technical is the excellent NIST Workshop on Mobile Forensics.

I'll summarize and ask about definitions, meanings, community, tools, procedures, and other interesting questions worth hating, whatever can fit into 30 minutes of fast talk.
The lecture will be about digital forensics and its

  • naming, a real name has power, remember Lord of the Rings
  • tools and practices,
  • community, 
  • practitioners, 
  • standards and definitions,
  • trainings, certificates, curriculums
  • people using its results, 
  • sub-fields, 
  • relations with other computing science fields 

I've just uploaded a draft on SlideShare if anyone would like to have a pre-look and prepare ammunition.




Sunday, August 30, 2015

Continuous training

Somehow I got tangled into a continuous training session starting from the 12th till the 31st of August, spanning over weekends too and being spread from the Middle East to back home. Actually a horror to get through
because it drains me down completely and re-positions my beloved vacation. It also includes about a month of preparation before.

For me the most interesting part was the Linux forensics intro and the preparation for it; this is a training which regrettably runs very seldom, so I have to do humble, detailed preparation, check all examples and include recent developments.
Training was fun but very short on time, just 3 days planned but in reality even shorter. Also it was exhausting for me as trainer and for the students too. There was a huge amount of command line actions, which is so uncommon in today's computing.
When we are talking about Linux and forensics it is about covering:

  1. Student mindset about using computer
  2. Linux as working platform, from the user view, over the sysadmin view, to the system programmer view (and the system programmer view is actually what the forensic view is about)
  3. Linux as forensic workstation, tools and concepts 
  4. Linux as forensic target 
So it is a huge task even just to mention things ...

The rest of the training is a small EnCase Forensic 1 and Forensic 2 class, almost private tutoring; it is also a challenge with the ever changing EnCase v7, you never know what will happen if you don't check all examples in the exact combination of Windows, patches, security software and EnCase.
As for annoying examples: in v7.10.5 VDE suddenly refused to work, but it was still OK on v7.10.4, so you never know what the exact situation will be if you cannot have a sterile dedicated classroom.







EnCase v7 and node sweep for hash suggestions

Just been trying to do a node sweep for DLL and process hashes, to do some presence control. It turns out in v7 you can't do a normal check for a list of hashes without EnScript programming. Very frustrating since in v6 it was possible at least to find end nodes with the required hash through conditions.

In version 7 there are no conditions in sweep snapshot results; also in the Case Analyzer part restraints are so dumbly organised that you can't do a list of hashes but one by one through an immensely dumb interface. It is frustrating since the user interface is lame; worst of it, the data are there but you can't get to it.. kinky and masochistically perverted. Before I've been able to access the data from InfoZoom but the test licence is long gone, so we are back on EnCase functionality. The other patch was to print the hash in the console and do a unix fgrep on the console output; it worked but it was awkward also.

Since I mentioned EnScripting to solve my issue, the examples which are provided in the manuals are not complete. It is easy to do a sweep and get DLL and process hashes, but what is missing completely is how to compare them with existing hash sets in the hash library. That would be the elegant solution: to create a hash set, add it into the hash lib and then find if a collected process hash or DLL hash belongs to the set ... if you can find an example :) :)

Also the idea of EnScript programming is very outdated in the sense of what kind of programming language EnScript is. It is such low level access to EnCase internals, like using C code to do the ls and cd commands each time. Putting "script" into the name is also a bit perverted, it is en-script .. EnCase scripting language, but as far from the concept of scripting as can be. To be efficient and useful a powerful, simple scripting command is needed, not C++/Java language concepts. Instead of endless low level object and class meddling, simple high level constructs should be used.

Something like this; it is easy to read even for someone who does not know programming, if he is familiar with EnCase Enterprise concepts:

do sweep on node1, node2 use systeminfo, snapshot
     when node in sweep
           if node process hash is in hashlib bookmark node, process, hash
           if node dll hash is in hashlib bookmark node dll hash

or whatever other familiar syntax. I've put a bit of these thoughts about standardization and basic case handling, testing, comparing results in other earlier posts about forensic language issues.

Modern languages Python, Ruby, even Perl or the forgotten tclsh are powerful languages, easy to extend and use, almost platform independent. Python is the star at the moment, so why not Python .. don't know, but there is a lot of work, oddly, to communicate with Python tools outside of EnCase and collect results, which is again a bit against the idea, since a scripting language is meant to be a glue layer among other modules, exactly the opposite :) of how it is used here.

Ages ago in the late 1990s during my PhD I was doing almost the same concept to merge two different tools, SNMP and a fuzzy data expert to interpret data collected from SNMP. It was before Python, and the shell was a simple Tcl functional extension able to code fuzzy rules as simple human readable statements. It can be done even for much fuzzier concepts than forensics.

When we are mentioning using programming in digital forensics it is a very good idea to study in detail the concepts and implementations of the Coroner's Toolkit and The Sleuth Kit, since they depend on known and forensically sound system level libraries and system calls. If we are talking of using a scripting language in digital forensics, some checking of implementations on different platforms should be done, or even better, creating new forensically sound libraries or classes. It is illustrated in the earlier article about Python scripting, "Python training for forensics", where some issues in the ordinary IO mechanism are mentioned, which, if we are strictly speaking about forensics (in the sense of its rules and requests), should be handled at the basic IO level. An almost similar discussion exists in Venema's book about digital forensics, taking great care about cache issues on unix file systems.






Friday, August 7, 2015

TD3 and linux

While I was preparing myself for the Linux training I decided to connect a TD3 over iSCSI to a SIFT 3.0 workstation as an example. It takes about a few minutes and some man page reading. Easy and simple and it works.

The SANS SIFT 3.0 workstation is Ubuntu based and the open-iscsi package is not installed, so the first thing to do is to install the package. On the Ubuntu wiki there are enough technical details.

> sudo apt-get install open-iscsi

That will add and configure the iSCSI subsystem on SIFT; on the TD3, iSCSI should be enabled and restarted a few times to get it running. It's a common situation with TD3 and iSCSI connections. Don't forget to take the IP address of the TD3.

To do a dummy check it is a good idea to ping the TD3 and see if we can reach it

> ping TD3IP

On SIFT, iSCSI discovery will show if we can reach the iSCSI targets

> sudo iscsiadm -m discovery -t st -p TD3IP

1. -m: determines the mode that iscsiadm executes in.
2. -t: specifies the type of discovery.
3. -p: option indicates the target IP address, in our case the TD3

After that we can login into the TD3 and access the iSCSI target

> sudo iscsiadm -m node --login

If all is OK, a message about success will be displayed and the new disk is visible;
the dmesg command should show it also

> dmesg | grep sd

so we will have a new local disk on SIFT, ready for use, already exported read-only from the TD3;
any standard command should work, even mount

if we need to remove the disk and its file systems we have to do umount first and then disconnect the disk session.

> sudo iscsiadm -m node -u

Sunday, July 19, 2015

Exam to attend

This post I started while just waiting for the written exam to start at Algebra. Students will be here soon, the questions are easy so there shouldn't be any problems there. It was a few days ago and it was left as another almost forgotten draft.

My lectures this year have not been satisfactory for me, somehow things are missing.
This run we haven't included any practicals with Python; I decided to add it as mandatory, both with basic Linux tools and ideas. It will be easy to do since I'm doing a crash 3 day Linux forensics training. There are plenty of sources around, but what worries me is that students don't know enough about operating systems, especially UNIX-like OSes, to be easily taught Linux in forensics.




Monday, July 6, 2015

Some EnCase v7 snapshot remarks

Last week I tried to prepare some DLL/process hash control for remote nodes; the idea was to list DLL and process hashes through a snapshot and see if certain hashes are there.
I've done that plenty of times with v6 and I'd do it with v6 even now, but my v6 licence is not valid any more, so I have to do it in v7, it should be almost the same ...
In fact it is not and it is a bit of a nightmare ....

In theory after the sweep all processes and DLLs are listed with their hash, so it should be easy to use a condition or filter to point to the node name where the hash is found. As a precaution, since there is a hash set field in the sweep view, I've created hash sets from the hash list and added that new hash set to the hash library. For this I've used Lance Mueller's script with detailed instructions.

Up to here all works fine, then the surprises started. In "sweep analysis" there is no hash set info; you can check for a hash value but the "restriction" wizard is so awkwardly done that you have to add hash values one by one, it is nonsense since it takes ages to load any set of hashes into it ...
maybe it can be edited in source or by EnScript but there is nothing in the documentation ..
zero for that ... one essential functionality crippled by implementation


So what to try next ?

All data is also stored in an L01 file related to the sweep, so it can be seen and analyzed through EnCase in theory. If you load that L01 file, in its record view you'll notice that the hash value for process or DLL is there but the hash set field is empty ... god knows why. From the documentation I got the idea that I'd have info in that hash set field if the DLL hash is in one of the sets in the case library .. but nothing, probably a bug.

Also by some strange idea in v7 there are no filters and no conditions for the records view, so you can't do a search for values as in old v6. Again some very essential functionality is disabled and the whole process crippled by an inadequate interface. Almost as if someone was trying to sabotage the product. In such form v7 is practically unusable without heavy EnScripting. To make it worse, a lot of examples and explanations in the documentation are missing too.

In despair I asked a few questions around but there was not much use in the answers, just to check the examples.
I've located the example from EnScript programming for sweeping DLLs and modified it minimally to print node name and hash value, and to do the same for present processes also. There was also one bitter disappointment: the DLL object and process object have hash and hash set info included, but it is changed in v7 and the changes are undocumented, so nothing for an elegant solution either.

At the end I decided to use simple fgrep from cygwin to find lines in the console file which match a hash,
since the sweep EnScript puts its output into the console. The iconv command was used to convert the UTF-16 console text files into UTF-8 encoding, which fgrep handles perfectly.

Here is the code for the small cygwin bash script
-------------------------------------------------------------------------------------------------------------------
#!/usr/bin/bash
#############################################
# fast and dirty script for finding something in EnCase log files,
# since a lot of things in the EnCase v7 sweep do not work or are not
# documented
# based on the cygwin fgrep utility
# Usage: uhh md5file
# takes the name of a file with MD5 hashes (one per line) as argument
################################################

# folder with EnCase logs for the user
ENCASE="/cygdrive/c/Users/$USERNAME/Documents/EnCase/logs"

# there are Console[0-9].txt files there,
# in UTF-16, so standard grep breaks; the solution is to use iconv:
# iconv -f utf-16 -t utf-8
##################################################

# pattern file: plain MD5 signatures, one per line
# exit 1 if there is no pattern file
MD5="$1"
test -f "$MD5" || exit 1

# a glob instead of parsing ls output, so file names with spaces survive
for f in "$ENCASE"/*
do
    [ -f "$f" ] || continue   # skip when the folder is empty
    echo "$f"
    iconv -f utf-16 -t utf-8 "$f" | fgrep -i -f "$MD5"
done
---------------------------------------------------------------------------------------------------------------

There are other ways to do a similar thing, more elegant, but I was simply too tired to experiment more.
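As an added example (not code from the post, from EnCase or from Guidance Software), here is the "when node in sweep, if hash is in hashlib, bookmark node, name, hash" rule from the node sweep post, done in Python over the console lines the modified EnScript prints, instead of iconv + fgrep. It decodes the UTF-16 console file, takes the node name from the start of each line and the hash from the end so DLL paths with spaces survive, and reports entries that carry no hash separately. The hash library, node names, paths and hash values below are constructed sample data, not real indicators.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

# Console line format written by the modified sweep EnScript in the post:
#   "DLL loaded: <node> <dll path> <hash>"  /  "Process loaded: <node> <process> <hash>"
# The node name is the first token and the hash the last one; the name in between
# may contain spaces ("C:\Program Files\..."), so it is matched lazily from both ends.
# The hash group is optional so entries without a computed hash are still parsed.
LOADED_RE = re.compile(
    r"^(DLL|Process) loaded: (\S+) (.+?)(?: ([0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}))?\s*$"
)


class Bookmark(NamedTuple):
    node: str
    kind: str      # "DLL" or "Process"
    name: str
    digest: str    # hash as found on the node, lower-cased
    hash_set: str  # which set in the hash library it belongs to


def decode_console(data: bytes) -> str:
    """EnCase v7 Console*.txt files are UTF-16 with a BOM (the reason fgrep needed iconv)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def load_hash_library(sets: Dict[str, str]) -> Dict[str, str]:
    """Build a lookup table hash -> set name from {set name: text with one hash per line}."""
    library: Dict[str, str] = {}
    for set_name, text in sets.items():
        for raw in text.splitlines():
            value = raw.split("#", 1)[0].strip().lower()  # allow '#' comments in the list
            if value:
                library[value] = set_name
    return library


def parse_console(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (node, kind, name, hash) for every 'loaded:' line; hash is '' when none was printed."""
    for line in text.splitlines():
        m = LOADED_RE.match(line)
        if m:
            kind, node, name, digest = m.groups()
            yield node, kind, name, (digest or "").lower()


def sweep_bookmarks(console_text: str, library: Dict[str, str],
                    only_sets: Optional[Tuple[str, ...]] = None
                    ) -> Tuple[List[Bookmark], List[Tuple[str, str, str]]]:
    """Bookmark every node/name/hash whose hash is in the library (optionally only in some sets).
    Entries with no hash (sweep run without SNAPHASH) are returned separately so they are
    not silently treated as clean."""
    hits: List[Bookmark] = []
    unhashed: List[Tuple[str, str, str]] = []
    for node, kind, name, digest in parse_console(console_text):
        if not digest:
            unhashed.append((node, kind, name))
        elif digest in library and (only_sets is None or library[digest] in only_sets):
            hits.append(Bookmark(node, kind, name, digest, library[digest]))
    return hits, unhashed


# Constructed sample console output (fake hosts, paths and hashes), encoded the way
# EnCase writes its console files. One process line deliberately has no hash.
SAMPLE_CONSOLE = (
    "Processing Machine WS-042\n"
    "DLL Count = 3\n"
    "DLL loaded: WS-042 C:\\Windows\\System32\\ntdll.dll 0123456789abcdef0123456789abcdef\n"
    "DLL loaded: WS-042 C:\\Program Files\\Some Tool\\helper.dll DEADBEEFDEADBEEFDEADBEEFDEADBEEF\n"
    "DLL loaded: WS-042 C:\\Windows\\System32\\kernel32.dll 00000000aaaaaaaa00000000aaaaaaaa\n"
    "Process Count = 2\n"
    "Process loaded: WS-042 svchost.exe 11111111bbbbbbbb11111111bbbbbbbb\n"
    "Process loaded: WS-042 helper.exe deadbeefdeadbeefdeadbeefdeadbeef\n"
    "Processing Machine WS-043\n"
    "DLL loaded: WS-043 C:\\Windows\\System32\\ntdll.dll 0123456789abcdef0123456789abcdef\n"
    "Process loaded: WS-043 unknown.exe\n"
).encode("utf-16")

# Constructed hash library with two sets, mirroring EnCase's hash set field.
SAMPLE_LIBRARY = load_hash_library({
    "Suspicious": "# constructed set\nDEADBEEFDEADBEEFDEADBEEFDEADBEEF\n00000000aaaaaaaa00000000aaaaaaaa\n",
    "Known good": "0123456789abcdef0123456789abcdef\n",
})


def demo() -> Tuple[List[Bookmark], List[Tuple[str, str, str]]]:
    """Run the rule over the sample console, bookmarking only the 'Suspicious' set."""
    return sweep_bookmarks(decode_console(SAMPLE_CONSOLE), SAMPLE_LIBRARY, only_sets=("Suspicious",))


if __name__ == "__main__":
    bookmarks, no_hash = demo()
    for b in bookmarks:
        print(f"{b.node}: {b.kind} {b.name} {b.digest} -> {b.hash_set}")
    for node, kind, name in no_hash:
        print(f"{node}: {kind} {name} has no hash (sweep without SNAPHASH?)")
```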

I forgot to add the modified example from the EnScript manual, here it is


/*-------------------------------------------
DllListClass represents a list of all loaded libraries on a remote node. In order to retrieve a list of DLLs, a valid
snapshot object is required. A snapshot object can be created in the following ways:

(1) BatchClass::GetConnection method
(2) ConnectionClass::ReadSnapshot method

Note that the ConnectionClass::SNAPDLL must be used when snapshot objects are created. Also, if ConnectionClass::SNAPHASH
is used, each DLL will have its hash value calculated.

See Also:
SnapshotClass
DllListClass
NodeClass


2015: added printing of the hash value, and
the same for the process class

*/

/*
Example: Connect to a remote node and print out a list of all the DLLs loaded in memory.
*/
class MainClass {

  SafeClass Safe; //object to connect to SAFE
  RoleClass RoleRoot, //list of all roles for a given user
            Role; //role user choose to take
  NetworkClass SweepNet; //list of remote nodes to connect to
  String NetText, //textual list of remote nodes
         ClientReturnAddress, //for NODECLIENT connection options
         StatusBarName; //name to be displayed in the status bar
  int NumConnections, //number of SAFE connections to use
     ConnectOptions; // Connection Options: INDIRECT, CLIENTNODELOCAL, CLIENTNODESAFE, NODECLIENT


  MainClass() :
    Safe(),
    RoleRoot(),
    Role(),
    SweepNet(),
    NumConnections = 1,
    ConnectOptions = ConnectionClass::CLIENTNODESAFE,
    StatusBarName = "Example - Getting DLL Data"
  {
  }

  /**
  Entry point of the Enscript
  **/
  void Main(CaseClass c) {
    if (c) {
      SystemClass::ClearConsole();
      if (Safe.Logon(null) && ShowDiag() == SystemClass::OK) {
        Sweep();
        SystemClass::Message(0, "Success", String::Format("{0}: Completed Successfully!", StatusBarName));
      }
    }
    else
      SystemClass::Message(0, "Error", "Need an open case so that results of registry queries can be added!");
  }

  /**
  This method contains the logic we want to apply to each node on the network
  **/
  void Process(SnapshotClass snap) {
    Console.WriteLine("Processing Machine " + snap.Name());
    //in order for the DLL list to not be empty, the BatchClass
    //must have been constructed with the ConnectionClass::SNAPDLL or
    //ConnectionClass::SNAPHIDDEN


    //entropy is -1, how to get entropy in a sweep?
    //also how to get the hash set
    Console.WriteLine("DLL Count = {0}", snap.DllListRoot().Count());
    forall (DllListClass p in snap.DllListRoot()) {
             //add to print hash value for dll and node name
           Console.WriteLine("DLL loaded: {0} {1} {2}", snap.Name(),p.Name(),p.HashValue() );
    }
    /* add processes too */
    Console.WriteLine("Process Count = {0}", snap.ProcessRoot().Count());
    forall (ProcessClass p in snap.ProcessRoot()) {
       //add to print hash value for process  and node name
        Console.WriteLine("Process loaded: {0} {1} {2}", snap.Name(), p.Name(),p.HashValue() );
    }

  }

  /**
   Display dialogs
  **/
  int ShowDiag() {
    RoleRoot = Safe.RoleRoot();
    DialogClass diag();
    new NetTextDialogClass(diag, this);
    return diag.Wizard();
  }


  /**
    Code that gets connection and snapshot
  **/
  void ReadNetwork(BatchClass batch, SnapshotClass root) {
    String message,
           name;
    DateClass d();
    do {
      ConnectionClass conn;
      SnapshotClass ss(null);
      message = "";
      BatchClass::ConnectionTypes reply = batch.GetConnection(conn, ss, name, message, 0);
      if (reply == BatchClass::BATCHCONNECT) { //successfully connected to remote node
        Process(ss);
        SystemClass::StatusInc(1);
        root.Insert(ss);
      }
      else if (reply == BatchClass::BATCHERROR) { //could not connect to remote node. ss object will have the state of the node
        d.Now();
        Console.WriteLine("Could Not Connect To {0} SAFE Error Message: {1}", name, message);
        SystemClass::StatusInc(1);
        root.Insert(ss);
      }
      else if (reply == BatchClass::BATCHWAIT)
        SystemClass::Sleep(100);
      else if (reply == BatchClass::BATCHFATAL) {
        String err = SystemClass::LastError();
        Console.WriteLine("The SAFE is not responding: {0}. This Enscript will terminate.", err);
        return;
      }
    } while (reply != BatchClass::BATCHDONE);
  }

  /** Code that creates a batchclass
  **/
  void Sweep() {
    DateClass now;
    SnapshotClass newSnaps = new SnapshotClass(null, "Snapshot");
    BatchClass batch(Safe, Role, NumConnections, ConnectionClass::SNAPALL);
    if (batch.Add(SweepNet)) {
      batch.SetMode(ConnectionClass::Options::Convert(ConnectOptions), ClientReturnAddress);
      if (batch.Start()) {
        uint machines = batch.TotalMachines();
        Console.WriteLine("Scanning {0} using {1}", Plural("node", machines), Plural("connection", batch.ConnectionsUsed()));
        SystemClass::StatusRange(StatusBarName, machines);
        uint start;
        now.Now();
        start = now.GetUnix();
        ReadNetwork(batch, newSnaps);
        now.Now();
        Console.WriteLine("Scan completed in {0} seconds", (now.GetUnix() - start));
      }
      else {
        SystemClass::Message(0, "BatchClass error", SystemClass::LastError());
      }
    }
    else {
      SystemClass::Message(0, "BatchClass Error", "Unable to add any IPs to the sweep");
    }
  }

  String Plural(const String &str, uint n) {
    return String::Format("{0} {1}{2}", n, str, n == 1 ? "" : "s");
  }

  /**
   Turn a string of text into networkclass objects
  **/
  bool ParseText(String t) {
    SweepNet.Close();
    bool ret = false;
    while (t) {
      ret = true;
      int    end  = t.Find("\n");
      String line = end < 0 ? t : t.SubString(0, end);
      int    dash = line.Find("-");
      if (dash >= 0) {
        IPClass ip1(ExtractIP(line.SubString(0, dash))),
                ip2(ExtractIP(line.SubString(dash+1, -1)));
        if (ip1 && ip2) {
          NetworkClass n(SweepNet, "IP Range", NodeClass::SELECTED);
          n.SetStart(ip1);
          n.SetStop(ip2);
        }
        else
          NetworkClass n(SweepNet, line, NodeClass::SELECTED);
      }
      else if (line != "")  {
        NetworkClass n(SweepNet, line, NodeClass::SELECTED);
      }
      if (end >= 0)
        t.Delete(0, end+1);
      else
        break;
    }
    return ret;
  }

  /**
   Check for IPs in nettext
  **/
  String ExtractIP(const String &s) {
    String ret = s;
    ret.Trim(" ", String::TRIMSTART | String::TRIMEND);
    return ret.IsValidIPAddress() ? ret : "";
  }
}

/**
 Dialog to choose a role and enter nodes to sweep
**/
class NetTextDialogClass: DialogClass {

  MainClass Data;
  StaticTextClass SafeTextEdit;
  TreeEditClass Tree;
  StaticTextClass Help;
  StringEditClass NetTextEdit;

  NetTextDialogClass(DialogClass diag, MainClass d) :
    DialogClass(diag, String::Format("{0} Options", d.StatusBarName)),
    Data = d,
    SafeTextEdit(this, "", START, 15, 200, 100, 0),
    Tree(this, "Choose The Role You Want To Assume", NEXT, START, 200, 100, 0, d.RoleRoot, 0),
    Help(this, "Enter IP addresses or machine names on separate\n"
                 "lines. Enter ranges on separate lines and delimit\n"
                 "the start and stop address with a dash (\"-\").\n\n"
                 "Example:\n\n"
                 "\tlocalhost\n"
                 "\t192.168.5.5\n"
                 "\t192.168.0.16-192.168.0.64\n"
                 "\t192.168.1.1-192.168.3.255\n"
                 "\tfd00:0:1000:20:0:0:0:100\n",
                 START, NEXT, 200, 100, REQUIRED),
    NetTextEdit(this, "", NEXT, SAME, 200, 100, AUTOVSCROLL | MULTILINE | WANTRETURN, d.NetText, 9999, 0)
  {

  }

  virtual void Setup() {
    DialogClass::Setup();
    SafeTextEdit.SetText("SAFE:\t\t\t\t" + Data.Safe.Name() +
                         "\nUser:\t\t\t\t" + Data.Safe.UserName() +
                          "\n\nTotal Connections:\t\t" + Data.Safe.TotalConnections() +
                          "\nActive Connections:\t\t" + Data.Safe.ActiveConnections() +
                          "\nConnections To Use:\t\t" + Data.NumConnections +
                          "\n\nRemediation Allowed:\t\t" + (Data.Safe.RemediationAllowed() ? "Yes" : "No") +
                          "\nSnapshot Allowed:\t\t" + (Data.Safe.SnapshotAllowed() ? "Yes" : "No") +
                          "\n\nSAFE Version:\t\t\t" + Data.Safe.Version()
                          );
  }

  virtual void CheckControls() {
    DialogClass::CheckControls();
    EnableClose(Tree.GetValue().Parent());
  }

  virtual bool CanClose() {
    Output();
    bool ret = false;
    if (DialogClass::CanClose()) {
      Data.Role = RoleClass::TypeCast(Tree.GetValue());
      ret = Data.ParseText(Data.NetText);
      if (!ret)
        ErrorMessage("Please Enter a value in the IP List Text Area.");
    }
    return ret;
  }
}
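The same node-list parsing in Python, as an added example that is not part of the EnScript above or of EnCase: it accepts the input format the dialog's Help text describes (hostnames, single IPv4/IPv6 addresses and dash-delimited ranges, one per line) and adds the checks the EnScript skips, rejecting a range whose start is after its stop or that mixes address families, and counting how many addresses a sweep would touch before it is started. All names are mine and the sample input is constructed.

```python
"""Parse a sweep node list: one hostname, single IP or "start-stop" range per
line. Added Python example mirroring ParseText/ExtractIP from the EnScript;
names and the sample input are mine (not EnCase's)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Node:
    kind: str                     # "host", "address" or "range"
    text: str                     # the line as typed, for the sweep report
    start: Optional[IPAddr] = None
    stop: Optional[IPAddr] = None


def extract_ip(fragment: str) -> Optional[IPAddr]:
    """ExtractIP equivalent: the trimmed fragment if it is a valid address."""
    try:
        return ipaddress.ip_address(fragment.strip())
    except ValueError:
        return None


def parse_text(text: str) -> Tuple[List[Node], List[str]]:
    """ParseText equivalent. Returns (nodes, rejected_lines).

    Like the EnScript, a line is a range only when both sides of the first
    dash parse as addresses; anything else is a single address or hostname
    (so "file-srv-01" stays a hostname). Unlike the EnScript, a range whose
    start is after its stop, or that mixes IPv4 and IPv6, is rejected
    instead of being handed to the sweep.
    """
    nodes: List[Node] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "-" in line:
            lhs, _, rhs = line.partition("-")
            ip1, ip2 = extract_ip(lhs), extract_ip(rhs)
            if ip1 is not None and ip2 is not None:
                if ip1.version != ip2.version or ip1 > ip2:
                    rejected.append(line)
                else:
                    nodes.append(Node("range", line, ip1, ip2))
                continue
        ip = extract_ip(line)
        if ip is not None:
            nodes.append(Node("address", line, ip, ip))
        else:
            nodes.append(Node("host", line))   # resolved by the sweep itself
    return nodes, rejected


def total_addresses(nodes: List[Node]) -> int:
    """How many addresses the sweep will touch; a hostname counts as one.
    A sanity check before starting a batch: a typo such as
    192.168.1.1-192.168.255.255 is over 65,000 nodes, not 255."""
    total = 0
    for node in nodes:
        if node.kind == "host":
            total += 1
        else:
            total += int(node.stop) - int(node.start) + 1
    return total


if __name__ == "__main__":
    # constructed input in the format the dialog's Help text describes
    sample = (
        "localhost\n192.168.5.5\n192.168.0.16-192.168.0.64\n"
        "fd00:0:1000:20:0:0:0:100\nfile-srv-01\n10.0.0.9-10.0.0.1\n"
    )
    nodes, rejected = parse_text(sample)
    for n in nodes:
        print(n.kind, n.text)
    print("rejected:", rejected, "addresses:", total_addresses(nodes))
```

Run it on the text from the NetTextEdit box before calling the batch; a non-empty rejected list is the equivalent of the "Unable to add any IPs to the sweep" message, but with the offending line named.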

Tuesday, June 23, 2015

Summer 2015 coming

It's 15°C outside with heavy rain, a wonderful intro to a glorious summer. I suppose it will be a different summer, more of an indoor, working one.

Since I'm feeling lazy and slow, there is a set of unfinished posts here on the blog:
"Problems with malware" started 5/9/15
"Classification of digital forensic tools" started 5/1/15
"Tools and users woes" started 5/1/15
"Ransomware and some ideas" started 5/1/15
"Some post Riga conference thoughts" started 6/21/15
"Digital forensics and really big data" started 6/13/15
Hopefully this shameful list will force me to finish them... To be honest, I feel somehow restrained in writing. There are also some personal issues, both with my glorious 50th birthday coming

Lecturing at Racunarstvo.hr is slowly coming to an end, just two more lectures to go. I'm not satisfied this time, probably because I was not able to force myself to introduce new things into the lectures. Somehow I feel I missed hearts and minds, probably due to sleepy minds at lecture time, 18:45 till 22:00. I've introduced some points and discussions from the ERA conference as interesting live examples in the legal part. The Bahrain training left some questions bouncing in my mind. It all reminds me of the old science fiction by Asimov and Stanisław Lem. The Python lectures were left out this time; I was thinking of mixing them up with practical Linux command-line topics, like in B.J. Grundy's LinuxLEO guide.

NUIX is coming back onto the schedule for preparations, actually to prepare it as part of our portfolio, but I feel I lack hardware with enough power to implement and test solutions.

Thursday, June 11, 2015

EnCase v7 and some indexing woes

EnCase v7 is deeply oriented towards indexing as a fundamental step in investigation and data analysis, but it looks like the bad luck EnCase had with indexing in v6 continues in v7. It turned out that in the first few sub-versions of v7 indexing was not implemented correctly and in real life was of not much benefit, more a source of horror.

Things got better in the latest versions, 7.9 and 7.10. Now indexing is working more or less OK, but still with some peculiarities and features that are not easy to digest. I'll compile in this article some notes and tips which may help.

One quite useful thing to get from indexed data is a list of keywords; it can be very useful for password cracking and many other purposes. In version 6 it was possible to dump this data through EnScript, but in version 7 this is now in the Passware tool interface. Even if you don't have the Passware kit, the dump can be done; it generates an index.words.txt file which contains the data from the index file. Documentation is missing and there is no explanation of what is what. But still, from there it is possible to feed dictionary attack tools etc.; you'll need some regular expression tools to further extract useful data from it.
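An added example of that last step, my own code and not EnCase's or Passware's: it turns the word dump into a wordlist for a dictionary attack. Because the dump format is undocumented, the example assumes one index token per line (change split_tokens() if your dump differs); the sample lines are constructed, not taken from a real index. It keeps tokens of password-like length containing at least one letter (which drops bare numbers, dates and IP addresses and keeps non-ASCII words such as localised text), deduplicates them preserving the dump's order, and shows the regular-expression step by pulling the local part out of e-mail addresses as extra seeds.

```python
"""Build a dictionary-attack wordlist from an EnCase v7 index word dump.
Added example, not EnCase's or Passware's code. Assumption: index.words.txt
holds one index token per line (the format is undocumented); change
split_tokens() if your dump differs."""
import re
from typing import Iterable, Iterator, List

# Constructed stand-in for a few lines of a dump (not a real EnCase file).
SAMPLE_DUMP = """the
Zagreb2015
zagreb2015
j.doe@example.org
2015
Pa$$w0rd!
192.168.5.5
a
Pa$$w0rd!
sveučilište
veryveryverylongtokenthatisprobablybase64data==
"""


def split_tokens(dump: str) -> Iterator[str]:
    """One token per non-empty line (assumed dump layout)."""
    for line in dump.splitlines():
        tok = line.strip()
        if tok:
            yield tok


def candidate_words(tokens: Iterable[str], min_len: int = 6,
                    max_len: int = 32) -> List[str]:
    """Keep tokens that are plausible passwords: inside the length bounds
    (very long tokens are usually base64/hex noise from the index) and with
    at least one letter (drops bare numbers, dates and IP addresses).
    Duplicates are removed keeping the first occurrence, so the dump's own
    order is preserved for the cracking tool."""
    seen = set()
    out: List[str] = []
    for tok in tokens:
        if not (min_len <= len(tok) <= max_len):
            continue
        if not any(c.isalpha() for c in tok):
            continue
        if tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def extract_by_pattern(tokens: Iterable[str], pattern: str) -> List[str]:
    """The 'regular expression tools' step: pull a sub-string out of each
    matching token (group 1 if the pattern has one). Example use: the local
    part of e-mail addresses, a common password seed."""
    rx = re.compile(pattern)
    found: List[str] = []
    for tok in tokens:
        m = rx.search(tok)
        if m:
            found.append(m.group(1) if m.groups() else m.group(0))
    return found


def build_wordlist(dump: str) -> List[str]:
    """Candidate words plus e-mail local parts, deduplicated."""
    tokens = list(split_tokens(dump))
    words = candidate_words(tokens)
    seeds = extract_by_pattern(tokens, r"^([A-Za-z0-9._%+-]+)@")
    seen = set(words)
    for s in seeds:
        if s not in seen:
            seen.add(s)
            words.append(s)
    return words


if __name__ == "__main__":
    # For a real dump: build_wordlist(open("index.words.txt", encoding="utf-8").read())
    print("\n".join(build_wordlist(SAMPLE_DUMP)))
```

Write the result to a file and hand it to the cracking tool as a plain wordlist; the usual rule sets (case toggling, appended years) are better left to the cracker than generated here, since the index already gives you the case variants it saw.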

A huge issue is also the lack of examples; for instance, there are predefined patterns in indexing for finding email addresses, credit card numbers etc., but no examples.

There is no clue whatsoever how it works at all. Trying combinations, you'll get no result or some confusing errors; there is only one small passage in the support forum about it, but no details. Results are erratic even in the latest version, v7.10.5.

In ordinary index search it is possible to use wildcards and patterns, but again it can be quite erratic. I was positive there were some issues with our local language localisation, but I have never been able to reproduce it in a satisfactory way. A very confusing issue is globbing in index search versus regexp search in raw search. Since it is possible to combine both in the same search, using two different query syntaxes is often misleading.


Tuesday, June 2, 2015

ERA conference Riga June 2nd 2015

Today I gave the presentation "Collecting and processing electronic evidence and the essential difference between evidence and “traditional” forms of evidence" at the conference "Planning and Justifying the Search and Seizure of Electronic Evidence".

I think I pressed the listeners too much, since I did two presentations in one: first setting the terms and definitions of digital evidence and digital forensics, and second presenting through slides how to use EnCase v7 in a basic digital investigation.
Impressions are good, almost the same good feeling as after Bahrain last week, but I can still say that there are a lot of issues in the relations between lawyers and computer science.
One exciting talk on the margins of the conference, so interesting that I lost my way to the hotel, was about data center data seizure. An extremely interesting question because of the possible technical twists and the volume of data.

There was a set of very interesting, very advanced presentations; I was the last one and went fast to keep to the schedule.

Ian Walden:
  • Computer forensics and the presentation of electronic evidence in criminal cases and
  • Planning and justifying the search and seizure of electronic evidence in the Clouds


Stephen Mason:
  • Challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)


Federico Paesano:
  • Investigating money laundering with bitcoins and other virtual currencies: challenges and solutions


Thursday, May 28, 2015

CyberCrime training in Bahrain


I've just been one of the trainers on the "Training Course on Combating CyberCrime", organised by the Judicial and Legal Institute, Kingdom of Bahrain, in cooperation with GPEN, the Global Prosecutors E-Crime Network. It was a very interesting event, very successful and well above the usual: perfect organisation by our hosts, and judges, prosecutors and police officers from all Arab Gulf states with immense interest and will to participate.
Instead of a pure "slide & lecture" scenario, it was full interaction, questions, answers and case comments, with perfect simultaneous translation. Language is always a problem, not only mother tongue to mother tongue, but, more importantly in our situation, technical language to legal language and tradition.
I'm sure the training achieved its purpose; interaction and cooperation among all participants was there from the start, which was the key goal. Basically all definitions and answers were provided by the participants; the trainers were more moderators and the ones who asked the hard questions.
The discussion and events make me think about the terms we use and their meaning. I think I should write a post on the word "Cyber", which is used so often these days.

Sunday, May 10, 2015

Competition workshop

Recently I was involved in a digital forensic workshop for a competition agency.

It is an interesting issue because a great deal of work in competition enforcement agencies today is related to handling digital evidence. There are a lot of documents on the International Competition Network site which vividly present the state of anti-cartel practice. Each anti-cartel agency has its own procedures and history, but there is one common thing: the introduction of digital evidence support. Some agencies have even completely moved to electronic documents, while others are handling paper documents or are completely on paper documentation. The process which leads to digitization and accepting digital evidence is not an easy one; it takes a lot of time and effort, and usually requires thinking about procedures and documentation workflow in the anti-cartel agency. Such processes can take a long time and have a lot of mishaps.
I was involved in preparing a raid simulation as the basic part of the workshop, a very nice operation with a lot of things to learn. The result of the workshop was a set of forms and blueprints which give the agency full planning capability. The idea was well tested in disaster recovery and business continuity practice: a simple approach where you create a set of procedures and documents which drive you through the whole event. It also gives a nice opportunity for a role-play approach and testing scenarios. I hope we did a good thing.
Later, at DataFocus 2015, Mr. Mislav Kršulović from the Croatian Competition Agency gave a presentation on "Dawn raid in practice". To my great pleasure this state-of-the-art example from real life showed our workshop was very close to reality.

Students and Image Forensics

After a long wait, I finally have a candidate from Vsite who is interested in image forensics, a perfect challenge. There are a lot of talks about tools, applications and methods on how to use image forensics in our law enforcement community.

Digital image forensics is a big field running at a very fast pace. Our position is more towards practical application and tools for handling and comparing images rather than basic scientific work. Most of the practical problems in our local community are in the classification and recognition of images extracted from mobile devices, computers etc. It boils down to handling hashes and effectively working with a huge number of files. I believe we will have to tackle this part of the situation in order to propose or implement a solution which can automate such tasks.

We will all have to discuss the possibilities in order to combine the fresh inquisitive minds of the students with the tools and realities of law enforcement, while at the same time getting some practical results. My idea is to shape the practical part of a graduation thesis into practical tools or systems which have to be used in real life and also serve as a proof of concept for further work and expansion.

I really hope for some nice student work, useful tools and a few published articles.

I'll post about how events will go, can be interesting and inspiring too.



Wednesday, April 29, 2015

Articles for Mipro 2015 conference

Mipro is a nice technical conference in Opatija; our mother company IN2 is a sponsor, so we put in a set of articles about digital forensics and security. There are very strict reviewers, but we managed to get through. I wrote about our experience in mobile forensics professional training since 2012 under the posh title "Concepts and methodology in mobile devices digital forensics education and training". It relates our experience to the issues mentioned in Stephen Pearson and Richard Watson's book "Digital Triage Forensics", Syngress, July 13, 2010, ISBN-13: 978-1-59749-596-7, and Gary C. Kessler's presentation "Is Mobile Device Forensics Really "Forensics"?", NIST Mobile Forensics Workshop, Gaithersburg, MD, June 2014. The paper got a rough review, with a lot of requests for clarification; I suppose the subject was interesting. I'll add the article when it becomes available through the official conference site.
"Digital Triage Forensics" is an old favorite of mine; I have loved it since I read it. The book addresses the practical issues of putting a whole organization into motion, not only mobile forensics issues. Unfortunately the tools used are outdated, plenty of new versions and changes have come since 2010, but everything else is still extremely useful, especially if you are working with the military or police.

Sunday, April 12, 2015

DataFocus 2015 - 31 March 2015 - Zagreb, Croatia

I've been forgetting to put a few lines about DataFocus 2015 in Zagreb on the 31st of March 2015. It's the fourth one and got the best reviews. As far as I was concerned, I was to remain only on the margins of the conference and at lunch, actively trying to avoid any responsibilities and enjoy good food and interesting lectures. However, this was not meant to be. There were a lot of interesting talks and a lot of interesting tools: NUIX, Belkasoft, FTK, EnCase, Oxygen. At the end there were a lot of happy winners in the lottery, especially among our Police Academy students.


Workshops were fully attended, with people popping in at the last minute. My own small contribution was an unusual one. At such events with international lecturers something can go wrong, Murphy's law is always somewhere around, and there is always a backup plan for emergencies. This time, the lecturers for the first lecture on the legal track, "Legal and Investigative Aspects of Bitcoin", were unable to get to Zagreb on time, the day before DataFocus. Since the subject was extremely interesting, it was decided not to replace the lecture with the scheduled backup, but to replace the lecturer, with apologies and hopefully some added value. As the task landed on me, I had to do my best in preparing for that lecture in one day. To make things worse, my knowledge about Bitcoin at the time was twopence worth. In short, it was a long 24 hours; I even declined attending the VIP dinner the night before the conference because I was studying :) :)

The original material by Vaciago Giuseppe and Dal Checco Paolo was very good and concise but, to me, a lot of details seemed missing. So I used resources from the excellent online book "Mastering Bitcoin" by Andreas M. Antonopoulos. The further I went through the book, the more impressed and intrigued I got. The author of Bitcoin was really a genius in more than one field. The lecture went well; my friend Blerim Krasniqi took some pictures of it.


Tuesday, March 24, 2015

IT Risk Seminar, Zagreb March 2015

Left to right: Me and Jerko Burić
Last Thursday (19th of March 2015), I attended the local IT Risk Seminar together with my colleague Jerko Burić. As Jerko was giving his presentation on Cyberforensics I was networking and answering questions that came from insurance companies. Most questions were about how to raise awareness within different organizations regarding cyber risks and cyber and digital security.

As the initial post covering the goal of the event said: "The seminar is intended for IT Risk corporate sector, the IT sector and the insurance and banking and Croatian regions. The conference program is rich in speakers - top experts from the field of cyber security and IT security risks from the Croatian and Europe." It was an extremely interesting mix of presenters and attendees. It is not often that you find Digital Forensic experts in the same place as insurance companies and bank representatives.  I was rather surprised that there were only a few law enforcement agencies, but then again, this was targeting the insurance companies and forensic experts.

As I was aware of a local insurance company, which will remain unnamed, that has been working for the last 4 years on fine-tuning a possible insurance policy covering cyber crime, it was interesting to see the presentation from the UK by Mike Shen. He really crunched the numbers, showing how much an actual incident would cost on all the different levels, including the digital forensic related technical services. Only part of his presentation is available here.

The lectures from EUCert, our local CERT and law enforcement show important developments among all involved in the security investigation process. The key event was last year's Zeus malware outbreak, where all agencies involved were finally cooperating, from banks to clients and law enforcement agencies. Without that, any policy would have been a failure!

The fun part of this event for me was when I was having a good laugh while witnessing the heated discussion panel. I can't remember being around people that got so fired up in public. Maybe I'm not supposed to mention this, but life is about being real. We have to give them credit for having the courage to sit together and discuss all this.

My conclusions from this event are that companies are now starting to see digital and cyber security as a real threat. If an insurance company intends to go into the deep and offer this insurance, covering the company's digital fortress, they'll have to take quite a lot into consideration: not only how to qualify a customer (like a health check) but how to ensure the customer stayed healthy before they got hit. Just this idea and its setup with an insurance company can give any engineer a good splitting headache. I believe it can be challenging to locate statistical information with regard to actual digital forensic incidents worldwide, as they are not all reported to one governing body. But if there is a will, there will be a way. Then again, facing business continuity plans and reality, we have to ask ourselves: which bank would go public saying they've been hacked, if they can keep it quiet and deal with it as fast as possible?

Anyway, as a technical guy, it is best for me to leave the insurance policy set up to the insurance companies :) They'll know where to find me if they need detailed and outlined digital forensic processes and setups.

Saturday, February 7, 2015

Modern Cars and Digital Forensics

There is one article on EnCase blog, "The Car of the Future May be a Forensic Gold Mine"

It looks like the discussion about cars and digital forensics started at CEIC 2014 and then spread to LinkedIn groups. A very interesting topic, also very frustrating, since most of the current digital forensic tools are not up to the task. It is possible to extract data from cars, but only partially, and by using available general-purpose tools on forensically well-known car subsystems, like GPS. There are plenty of examples of analyses of car GPS systems and other subsystems, as well as CAN analyses. This should be a great improvement over the early investigations of cruise-control-related accidents and deaths. That story requires a lot of research; even though the case is still ongoing, the important fact is that the relevant data was not extracted from the car systems, so there is a serious problem there.
A more recent story, "BMW Fixes Software Flaw that Affected 2.2 Million Cars (February 2, 2015)", published by SANS, shows the problem spreading to almost the size of the mobile device fleet.

To be honest, modern car digital forensics is more like SCADA system analysis than anything else. Even worse, the car systems are not designed to be forensically reliable or even computationally safe. Car systems are designed to be as reliable as the old mechanical control systems in cars were before. Electronics, communications and interacting electronic/computing systems make this situation even worse.
I would recommend that anyone dealing with car forensics or security go to Nancy Leveson's page and read a few papers.

Sunday, January 18, 2015

RFOR is finishing at Vsite

Lecturing this academic year is just about to finish; exam time is coming, time to wrap up and collect lessons learned, not only for students but for teachers too.

As for the first run of Digital Forensics Basics (RFOR) at Vsite, I have my doubts and fears about whether I did things as they are supposed to be done. The class was small, 18 people, easy to work with and enjoyable, maybe a bit too much of a chance for the lecturer's ego trip sometimes.

Results are OK, but that can be misleading; I still feel we need more practical work with commercial tools. To add some practical work we added some Python scripting, based on "Python Forensics" and some elements from "Violent Python", all through the SIFT workstation from SANS.

As we are at a computer science and engineering school, a lot of things are already known, so we concentrated on general principles and ideas, not so much on methods and tools.

My colleague Darijo Puntarić was busy with the laboratory exercises; as a CCIE he added a lot of good stuff, especially to the network forensics part.

An article about law enforcement and high end computer skills

This one is posted at one of the sites I read often, "Information Warfare: Scary Monsters Pursue The FBI". The title is a bit scary; it actually shows the problem law enforcement has when it has to deal with computer security issues. To be honest, most organisations of any kind have this problem if they are not based on computing technology from the start. Unfortunately even such powerful organizations as the FBI or DOJ somehow lack a strategic approach to, and understanding of, the problem. At first glance it is OK: you find you're in trouble and there is someone who can help you, so cooperate, use resources and prepare. But for what, and how? The results show this is missing.

Monday, January 12, 2015

Digital Forensic Tools and parallelism - initial thoughts

Without going deep into any theoretical discussion, it is quite obvious that digital forensic tasks are actually very well suited to parallel processing. The key point is read-only access to data in most data-intensive operations, but parallelism can be applied in the other steps too, taking into account the nature of the digital forensic process and its data processing steps:
  • acquisition, 
  • analyses and 
  • reporting. 
If we discuss each step in the forensic process we can see how parallelism can be used.
The first data processing step in any digital forensics task is the acquisition of data from a device or media.

Device acquisition is a serial task, since without live access we have only one channel to the device. Parallelism here is more a question of the device itself than of the forensic tool. For example, if we have more than one access channel to the device data and we are in read-only mode, acquisition can be parallel too.
The key element is read-only access to data.

In other steps, like analysis, the situation is just slightly different. It is usually data extraction and reconstruction, which finally results in data size reduction. The data we use in this step is under read-only access, while the results of processing are written and maybe read back into the process. These two modes of data access are well separated in the analysis process, so each analysis task can run in parallel with other tasks without corrupting data. In most situations the new results are actually metadata. Such metadata is much smaller than the original data, and can be put back into the analysis cycle if necessary. So for most of the analysis step parallelism can be used too.

To illustrate this in more detail we can discuss two important forensic tasks: indexing and raw search.
Indexing is specific since it can generate almost the same volume of data as the original data. It is also a highly repetitive task, since newly recovered or unlocked documents have to be indexed and their data added to the existing index structure. The operations are very disk intensive, but again can be done effectively in parallel, especially if the index structure is stored in a database. It may sound strange, but raw search is very close to the indexing process, especially in the phase of building the index structure; in fact it is the same thing. Simply put, we have to extract raw data from disk and in that data find the words which are indexed, exactly what raw search does. The conclusion is again the same: parallelism can be used, and it is important for indexing and search tasks since they require processing huge amounts of data.

Forensic data processing usually generates metadata which presents a new logical view of the original data. Good examples are bookmarks, so much loved in digital forensics.

For report creation the same approach works: from data and bookmarks the report is compiled, the data is not changed in the process, so it can be parallelised too.
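An added example of the read-only data / written metadata split described above for raw search, my own code and not any forensic vendor's: a disk image is cut into overlapping chunks which are handed to worker processes; each worker maps the image read-only and returns only (keyword, offset) pairs, and the merged result is a small structure that can feed the next step (an index, a bookmark). The overlap handles the failure mode of a keyword straddling a chunk boundary, and the merge deduplicates the hit that both neighbours then report. The sample image is constructed in a temporary directory; chunk size and keywords are illustrative.

```python
"""Parallel raw keyword search over a read-only disk image.
Added example (not any vendor's code) for the post's argument: every worker
opens the evidence read-only, returns only metadata (keyword, offset), and the
merged result is a small structure that can feed indexing or bookmarking."""
import mmap
import os
import tempfile
from concurrent.futures import ProcessPoolExecutor
from typing import Dict, List, Optional, Sequence, Tuple

Hit = Tuple[str, int]   # (keyword, absolute byte offset in the image)


def plan_chunks(size: int, chunk: int, overlap: int) -> List[Tuple[int, int]]:
    """Split [0, size) into (start, length) pieces that overlap by `overlap`
    bytes, so a keyword straddling a chunk boundary is still fully inside
    one piece. overlap must be >= longest keyword - 1."""
    chunks = []
    start = 0
    while start < size:
        chunks.append((start, min(chunk + overlap, size - start)))
        start += chunk
    return chunks


def search_chunk(path: str, start: int, length: int,
                 keywords: Sequence[bytes]) -> List[Hit]:
    """Worker: scan image[start:start+length] for every keyword.
    ACCESS_READ mapping: this process cannot modify the evidence, even by bug."""
    hits: List[Hit] = []
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        end = min(start + length, len(mm))
        for kw in keywords:
            pos = mm.find(kw, start, end)
            while pos != -1:
                hits.append((kw.decode("latin-1"), pos))
                pos = mm.find(kw, pos + 1, end)
    return hits


def parallel_search(path: str, keywords: Sequence[bytes],
                    chunk: int = 1 << 20,
                    workers: Optional[int] = None) -> Dict[str, List[int]]:
    """Fan the chunks out to worker processes and merge their metadata.
    A hit inside an overlap is reported by both neighbours; the set dedupes."""
    overlap = max(len(k) for k in keywords) - 1
    size = os.path.getsize(path)
    merged: Dict[str, set] = {k.decode("latin-1"): set() for k in keywords}
    with ProcessPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(search_chunk, path, s, n, list(keywords))
                   for s, n in plan_chunks(size, chunk, overlap)]
        for fut in futures:
            for kw, off in fut.result():
                merged[kw].add(off)
    return {k: sorted(v) for k, v in merged.items()}


def make_sample_image(path: str) -> None:
    """Constructed 3 MiB 'image': zero filler with keywords planted, one of
    them straddling the 1 MiB chunk boundary to exercise the overlap."""
    data = bytearray(3 << 20)
    data[100:108] = b"password"
    data[(1 << 20) - 4:(1 << 20) + 4] = b"password"
    data[(2 << 20) + 50:(2 << 20) + 56] = b"secret"
    with open(path, "wb") as f:
        f.write(data)


def demo(workers: int = 2) -> Dict[str, List[int]]:
    """Build the sample image in a temp dir, search it, clean up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.dd")
        make_sample_image(path)
        return parallel_search(path, [b"password", b"secret"],
                               chunk=1 << 20, workers=workers)


if __name__ == "__main__":
    print(demo())   # {'password': [100, 1048572], 'secret': [2097202]}
```

Indexing has the same shape: the worker would emit (token, offset) tuples instead of keyword hits and the merge step would write them into the index store, which is why the post treats the two tasks as one problem.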

So what is the conclusion?
Parallelism is highly desirable in digital forensics, but we don't have tools which are very effective in using it. This is something that is happening just now, with various levels of success for different vendors.
My opinion is that vendors are landlocked in their tools, and the real advantage of parallelism is in the type of forensic tools which can be fully automated, can freely and easily cooperate, can be scripted, and are capable of working in a standardised way on highly parallel computing infrastructure :)

I'll elaborate on this later, while talking about what such tools and systems have to be able to do and which already existing knowledge we have.


Monday, January 5, 2015

MS Windows, Python and Digital Forensics woes

Since Vista came out, it turns out that it is impossible to compile essential libraries like libewf and add them into Python on Windows. It is very frustrating and senseless, but this is the MS way of things.
It boils down to undocumented features and behaviour of the required low-level Windows calls and instrumentation. My colleague Jakob spent a lot of time trying and testing all available compiling procedures, but nothing worked in the end. It all worked once, in 2009 and earlier, but not today.
This event troubles us because of the planned training propositions, since we have to introduce additional Unix topics, where tools work as they are supposed to work.