Wednesday, July 4, 2012

The Trouble with TypedUrlsTime

Recently there has been some information released on the new registry key found with Internet Explorer 10, that is found in the Windows 8 Operating system. Basically this key will keep track of when a site is typed into the browser bar within Internet Explorer 10. If you want to know more there has been previous research on this key.

My Initial research on Windows 8, which I mentioned this key is here.
Jason Hale did some research on it here.
Amanda Thomson also did some research here.

What am I showing you?
When I first looked into the keys I saw some interesting anti-forensic tactics that can be utilized by modification of the keys and their data. I will attempt to explain what I saw.
This is my default data set, which shows both the TypedUrls and TypedUrlsTime values from Regedit, as well as from a RegRipper Plugin that Jason Hale produced. 

Original TypedUrls Dataset

Original TypedUrlsTime Dataset

Original RegRipper Values

First Test: 
The first test that I did was to delete the Url3 key from the TypedUrls, I was interested to see the impact of the TypedUrlsTime key without the corresponding Key with the the TypedUrls. 

URL3 Deleted in TypedUrls

Url3 remains in the TypedUrlsTime

After I deleted the value from the TypedUrls key, I opened Internet Explorer 10, and went to a new website. This site populated in my Url1, shifting the previous url1 and url2 values down. Since the url3 value was missing, none of the other values increased. 
Adding a New TypedUrls to this
Looking at the TypedUrlsTime we can see that we still have 10 entries. If we look at the Data Value in Url4 we notice that it is the same value as it was previously. We also notice that the value in the previous version of Url3 is no longer retained. 

Values of TypedUrlsTime after addition of a new site. 

RegRipper Plugin Values

Second Test: 
Since we have identified the behavior with these two data sets if we delete a value from the TypedUrls, I was wondering what would happen if we deleted a value from the TypedUrlsTime and retain the corresponding key in the TypedUrls. I decided to delete the Url3 version that corresponded with my visit to Wired.com. 

Visiting Espn after deletion of TypedUrlsTime Key. 
Url4 corresponds to Wired.com, it is now 00. 

We can see that even though I deleted the value, when you type in a new address that is added to the TypedUrls keys it will recreate the the missing TypedUrlsTime value. Since the OS does not have the actual time that was visited to pass to this key, the value is now 00 00 00 00 00 00 00 00. Looking at the RegRipper data, we can see that the new visit to Wired happened Thu Jan 1 1970.

RegRipper Data.. 1970!!
As we can see from this data the TypedUrls key is the primary key in that if it is missing data is not parsed to the TypedUrlsTime keys, but if the TypedUrlsTime key is deleted then it is recreated with the default dataset. 

Third Test: 

We have seen how deletion of the keys impact each other, I decided to look and see what impact can happen if I would modify the names of the TypedUrls keys. 

Baseline Dataset

Baseline DataSet

I decided to switch the names of my Url1 and Url8 key, you can see the new values listed below.

Dataset after Url1 and Url8 change
Here is the RegRipper values right after I made the change in the registry. As we can see my ESPN visit according to the plugin happened on June 17th, while my SANS visit happened on July 4th. Looking at the report below we can see this. 

url1 and url8 dates messed up. 

From these I decided to visit a new website which will now increment my values so we can see the impact that this might have on the values in the registry values themselves. I made NO changes to the values in the TypedUrls. The only changes that were made were to the url1 and url8 in the TypedUrlsTimes that were shown in the previous example.

Visiting Mediacomcc.com

TypedUrlsTime after new site added. 

As we can see the modified url1 and url8 keys have incremented as they should, with url1 moving to url2 and url8 moving to url9. Looking at the RegRipper plugin we can see the evidence that something is incorrect. We can still see where according to the TypedUrlsTime value my ESPN and SANS visits are out of order. 

RegRipper Plugin Values after new site

The next test I did was to go and modify the values found in the TypedUrls. I will be modifing the values in TypedUrls found at url10 (google) and url3 (principal). I will leave alone the values in the TypedUrlsTime. 

After changing the Url3 and Url10 values. 

RegRipper after the change
After my changing the names between the Url3 and Url10, when I go to use the plugin I have convinced the Registry that I actually did visit Principal in June instead of just a few days ago. From within the Internet Explorer History tab the correct date that I originally viewed these sites show up. 


Closing Thoughts: 

The addition of TypedUrlsTime adds another layer to help with timeline analysis of internet activity to see when  user actually typed out the url to connect to. Though the ease of anti-forensic techniques to modify the the corresponding values between TypedUrls and TypedUrlsTime this Registry value may not be considered a very forensically sound and useful for investigation or timeline analysis when attempting to know what sites a user connected to by entering the url into the address bar. 


Please let me know if I have over looked another way to extract the correct values of when I might have typed the values into my web browser. 

**** Update 7/4/10 ****
My hives if you want to analyze them are here

I have used RegSlack in an attempt to pull back deleted files. I was unable to extract anything from the slack space. This was the only Deleted Key that was found.


### Deleted Key  ###

CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\MediaPlayer\Health\{E9B9E911-C122-4F81-9FBB-48D77FDA6481}
Offset: 0x7abb8 [Wed Jul  4 15:04:53 2012]
Number of values: 0

Recovered 1 keys and 0 values: #0 keys from allocated space.

Rejected 0 keys and 0 values.






Monday, July 2, 2012

DFIR SUMMIT - Through the Eyes of a Summit Noob


What Did I Learn?
When asked about our experience of the SANS DFIR Summit, (Slides are here) we all have different opinions and views on what we learned and what we experienced. We digest the material differently and come to different conclusions on what was taught and what happened. For me this is no different, I walked away from this conference with a lot of knowledge from different aspects of the Summit itself. The Summit also showed that the Community has a Strong representation of Women Forensic Specialist.

Technological Knowledge

This Summit appeared to focus heavily on Forensics Research with a heavy emphasis on Mac, Cloud and Registry Research. There were a few presentations that seemed to step slightly out of that scope which tied with personal development and relationship building.

The first morning keynote was presented by Detective Cindy Murphy, and it was a discussion on how the field is changing, there are different perceptions and how to bring them together to form a more complete vision of our future. She talked about having 6 “Monks” that lead her abilities to understand different aspects of the field, and how to keep key things in perspective. This allows me to also consider my “Monks” and how they impact my development and interests as I become more specialized in my career focus.

I next attended Alissa Torres presentation on Reasons Not to “Stay in Your Lane” which discussed that as forensic investigators we need to understand offensive and anti-forensics techniques so we can understand better what happened during a compromise. Alissa made good points on how different offensive techniques can be masked to appear like they were done by legitimate users and we need to be trained to understand how these tools can be used. From her session I realized that in order to analyze a breach or malware infection, it would be beneficial if I understood the tools and techniques used to cause the breach or the behavior of the malware. She also showed how different incident response tools could be used maliciously and how their use might be missed as a false positive.

I sat in the Panel Discussion on how to Build and Maintain a Digital Forensic Lab. This discussion jumped into the experience of different professionals that have faced the challenges of building out a lab in different environments and how they proceeded. It talked about the Capabilities and uniqueness that each lab could have as well as some concerns with them. Walking out of this presentation I had a few pages of notes on what it takes to get the conversation started with management to get a lab looked at, that the process of getting to the capabilities of a fully functional high end lab took time. You need to understand the business need for it, and show the company that the cost involved in the lab is a good investment. Until you can start showing the ROI value the needs within the lab will be limited and you will need to work diligently in building out your practice.

I also sat in Christopher Pogue’s Sniper Forensics v3: Hunt, this year. I was lucky to catch v2 last year at GFirst, and Chris did an excellent job building off of it. The high overview of this presentation is that with the amount of Data we look at in an investigation can be over burdening and time consuming. We need to learn to define a scope and focus on it. As we find other outlying information we can add that to our investigation and then expand the scope. Once we have found our primary targets in our scope we can then spread out and remove other machines that show the same indicators. This allows us to find infections that are not traditionally being picked up by known “malware detection” options.

The end of the first day there was the SANS 360 talks, there was a lot of good 6 minutes presentations in there that talked about different tools and resources for DFIR analysis. Corey Harrell gave a brief overview on different metadata behavior artifacts for finding fraudulent word documents. Cindy Murphy showed how to understand and use Child Victim Age Estimation based on proven training. Harlan Carvey and Alissa Torres both talked about the numerous artifacts that can be found in Windows 7 and the value of Registry, UserAssists, VSC and Shellbags.

Harlan Carvey started the second day of the event off with Windows 7 Forensics, and showing what has changed from previous versions and how this information can be used during investigations. The artifacts that he brought up in his talk are the same artifacts that analysts and investigators should be looking at and understanding during investigations. These artifacts go to show what the user did and the impact on the system. Harlan also touched on some artifacts in Windows 8 that I have also been researching.

I also attended Nick Harbour’s presentation on Anti-Incident Response techniques which showed how different techniques can be used to appear like normal behavior on a machine. Overall some of the same techniques as Alissa described, but Nick’s presentation covered a lot more in depth anti-incident techniques that he has encountered. Some of these techniques include Hiding from running process lists, hiding network connections, process injections and thread hijacking. Nick did an outstanding job presenting actionable anti-Incident Response techniques that we should be aware of.

My final presentation that I sat in was by Mike Viscuso, and it was a discussion on how the current Incident Response model is quickly moving to the state of not being maintainable. It is important at this time to understand that Mike is the CEO of CarbonBlack, an application that allows a more focused approach to this. Mike did a very good job of keeping CarbonBlack out of the presentation and I think he took a beating in doing so. According to NetDiligence, the average cost of Forensics analysis during a breach is around $200,000. An example that he used was the Citadel Package and the deployment cost.  For 5 breaches it would cost an attacker $3,500 but it would cost the Defender over $1,000,000. An attacker is able to do almost 1409 attacks with the Citadel Package before he would be at the $200,000 price tag our first breach cost to respond. It becomes a game of can we continue to afford to spend so much on Forensics, when there are options available to decrease the investigation. Mike talked about how we use Security Camera’s in the retail world to help isolate and detect points of interest to analyze. By adopting more of a Traditional approach with the correct tooling we can decrease the impact of the forensic cost.

Personal Knowledge:

What I learned personally from the conference is that being with like-minded people can help foster personal growth and understanding on a topic.

As a presenter I learned that being asked to speak is a great opportunity to share your knowledge, and at that point in time, your audience is there to hear you. As a presenter you need to remain calm, and collected. You need to make sure that you have the slides in your presentation to go longer on a talk, because until you get used to presenting that you will speed up, and end your talk earlier. I also realized that we are the hardest critics on our selves, but the support of the staff and fellow presenters are incredible.

I learned that I could go outside my comfort bubble, meet people that I admire and look up to as professionals and could carry on a conversation. I learned that my research is valuable, and at times I shoot for the moon in what I offer, for example when I presented a few weeks back on FileHistory, not only did I do a Webcast, I released a RegRipper tool to extract the data, and I released my research. I have learned that it is ok to have a core group of trusted individuals to share data, and that open communication is important.

The personal growth that I was able to achieve at this conference will help me in both my professional and educational growth because it has strengthen my convictions that this is where I want to be. This is the career I want, this is the community I want to be active in. 

A special Thank You to Rob Lee and the entire SANS staff for putting this together. It was an incredible event and one that I plan on coming back to.

** This was originally written for school. I was going to do something else for the blog, but thought it expressed what I was thinking very well. **