GREM Achievement Unlocked

I had been going through the SANS FOR610 Reverse Engineering Malware content OnDemand recently and last week I knocked out the GREM. I figured it would be a good time to post a few thoughts on it and talk about a few things that people can do to help prep for the course.

This was the first time in a while where I prepped for a GIAC exam without attending the course live. I was a bit worried about that with such a technical course but I ended up having a great experience. This was also the first time one of my courses has had the new style of OnDemand where the course was recorded in a professional studio instead of during a live class. The results were really nice and felt more intimate than I expected.

Every time a lab came up I would pause the course, work through the lab and then watch Lenny Zeltser’s walkthrough afterwards. He did a fantastic job of explaining things and going through the labs step by step. Even with dealing with advanced concepts, I never felt lost.

In a stroke of great timing, when I was about 75% through the course content I got a spear phishing email at work with an attachment. I checked it against virustotal.com and only 4/56 flagged it as malicious and there was no further information. I thought it would be a good chance to put my newly found skills to the test and examine the attachment. I fired up my two VMs and in a short amount of time I had a clear picture of what the malware was doing, had network-based and host-based IOCs and was walking through the code in a debugger examining how it was unpacking itself. It was great practice and a nice confirmation that what I had learned worked in the real world.

In prepping for the exam I had spoken to several friends who held the GREM certification. One of the biggest things someone can do to help prepare for the course is to get comfortable with assembly language and being able to watch/understand what the stack is doing within a debugger. The course teaches these things but if you’ve already been exposed to them you’ll feel a lot more comfortable and it will allow you to focus on learning other material.

Different people have different learning styles but this is one area where I think it’s really beneficial to watch someone walking through examples while they explain what’s going on. A fantastic free resource for getting exposed to Assembly Language is Vivek Ramachandran’s “Assembly Language Megaprimer for Linux” 11 part video series at SecurityTube.net (http://www.securitytube.net/groups?operation=view&groupId=5) or on YouTube (https://www.youtube.com/watch?v=K0g-twyhmQ4&list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR). Vivek also has a cheap but not free “x86 Assembly Language and Shellcoding on Linux” series at PentesterAcademy.com which really helped me prepare for working on both Reverse Engineering and Exploit Development.

Overall I thought the FOR610 was a fantastic course and I got exactly what I wanted to get out of it.

How Long Do Truecrypt AES Keys Remain In Memory?

It’s been a bit since my last post and in that time I’ve been to two SANS conferences, Blackhat and Defcon. It’s been a great but busy few months.

A few weeks ago I was presenting at a local forensics meeting and was asked by an attendee if AES keys from Truecrypt remained in memory when the Truecrypt volume was dismounted. I replied that I was fairly certain they were flushed from memory when the volume was dismounted but that I hadn’t tested it. It’s a fairly simple thing to test so I made a mental note to test it when I had a chance.

I fired up a laptop running Truecrypt 7.2 on Windows 7. I used the new Magnet Forensics memory acquisition tool and acquired the memory on the laptop. I then mounted a Truecrypt volume on the laptop and then took a second memory image. Finally I dismounted the Truecrypt volume and immediately acquired the memory for a third time.

Obviously the first memory image didn’t have any Truecrypt AES keys since I hadn’t mounted the volume yet.

In the second memory image I used the Volatility “truecryptmaster” command to locate and display the Truecrypt AES key.


Finally for the big test I examined the third memory image which I acquired right after I dismounted the Truecrypt volume.


It appears as though the Truecrypt AES keys are indeed flushed from memory as soon as the volume is dismounted. I wanted to verify my findings using a different tool so I fired up Bulk Extractor and ran it on all three memory images. As you can see in the screenshot below the Truecrypt AES master key shown in the second Volatility examination is seen in the second memory image but not in the first or the third.


This was a quick and simple experiment to verify what we thought was happening was actually happening.
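The test above relies on Volatility’s truecryptmaster plugin and bulk_extractor to spot the key. As an added example (not code from this post), the script below implements the generic check those scanners perform: every 16- or 32-byte run is treated as a candidate key and reported only if the bytes that follow it are exactly its AES key expansion, which is the form a mounted volume’s key material takes in memory. The memory image here is constructed: random filler with two known schedules (the FIPS-197 Appendix A test keys) planted in it, then zeroed to stand in for the dismount.

```python
"""Search a memory image for expanded AES key schedules.
Added example: the generic expanded-key-schedule search used by tools such as
aeskeyfind and bulk_extractor's AES scanner, run here on a constructed buffer."""
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0x63] * 256                      # inverse of 0 is defined as 0, which maps to 0x63
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, r = inv, inv
        for _ in range(4):                   # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _sub_word(word):
    return bytes(SBOX[b] for b in word)


def _first_derived_word(key):
    """Schedule word Nk = SubWord(RotWord(last key word)) ^ Rcon[1] ^ first key word."""
    last = key[-4:]
    t = _sub_word(last[1:] + last[:1])
    t = bytes([t[0] ^ RCON[0]]) + t[1:]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def expand_key(key):
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key; returns the full schedule."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    words = [key[i:i + 4] for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nk + 7)):        # Nr = Nk + 6 rounds, 4 words per round key
        temp = words[i - 1]
        if i % nk == 0:
            temp = _sub_word(temp[1:] + temp[:1])              # RotWord, then SubWord
            temp = bytes([temp[0] ^ RCON[i // nk - 1]]) + temp[1:]
        elif nk == 8 and i % nk == 4:
            temp = _sub_word(temp)                             # extra SubWord for AES-256
        words.append(bytes(a ^ b for a, b in zip(words[i - nk], temp)))
    return b"".join(words)


def find_aes_keys(dump, key_sizes=(16, 32)):
    """Return (offset, key) for every position whose bytes form a complete key schedule."""
    hits = []
    for key_len in key_sizes:
        sched_len = 16 * (key_len // 4 + 7)  # 176 bytes for AES-128, 240 for AES-256
        for off in range(len(dump) - sched_len + 1):
            cand = dump[off:off + key_len]
            # Cheap 32-bit pre-check so the full expansion runs almost only on real hits.
            if dump[off + key_len:off + key_len + 4] != _first_derived_word(cand):
                continue
            if dump[off:off + sched_len] == expand_key(cand):
                hits.append((off, cand))
    return hits


def wipe(dump, offset, length):
    """Simulate the driver zeroing its key material when the volume is dismounted."""
    return dump[:offset] + bytes(length) + dump[offset + length:]


# Constructed sample: random filler with the FIPS-197 Appendix A.1 AES-128 key
# schedule planted at offset 1000 and the Appendix A.3 AES-256 schedule at 2000.
AES128_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
AES256_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


def build_sample_dump(seed=7):
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(3000))
    buf[1000:1176] = expand_key(AES128_KEY)
    buf[2000:2240] = expand_key(AES256_KEY)
    return bytes(buf)


if __name__ == "__main__":
    mounted = build_sample_dump()
    print("mounted:   ", [(off, key.hex()) for off, key in find_aes_keys(mounted)])
    dismounted = wipe(wipe(mounted, 1000, 176), 2000, 240)
    print("dismounted:", find_aes_keys(dismounted))
```

Run as is it prints the two planted offsets for the “mounted” buffer and nothing for the “dismounted” one; hand find_aes_keys the bytes of a real memory image to repeat the experiment. The pre-check on a single derived word keeps the full expansion from running at every offset, and because the search looks for the schedule itself rather than any TrueCrypt structure it also turns up key material left behind by other software.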

A Quick Guide to Using Clutch 2.0 to Decrypt iOS Apps

A few days ago someone told me that they weren’t able to install Crackulous on their jailbroken iOS device and asked if I could recommend an alternative they could use to decrypt iOS apps. Since Crackulous was a GUI frontend for Clutch I recommended that they check out Clutch, but when I went to find a good tutorial I could only find ones showing older versions of Clutch instead of the newer Clutch 2.0 RC2. It’s not quite as friendly as the older versions of Clutch but it works like a champ on my jailbroken iPhone 5S running iOS 8.1.2.

The easiest way to get Clutch 2.0 RC2 on your jailbroken device is to add the iPhoneCake repository to Cydia using the URL http://cydia.iphonecake.com. Once that repository is added you should be able to install Clutch 2.0 as shown in the image below.


Another option is downloading the source code from the Clutch GitHub repository at https://github.com/KJCracks/Clutch and compiling it using Xcode with iOSOpenDev installed. Once Clutch2 was on my iOS device I used PuTTY to connect to it via SSH from my Windows system. I also could have used a terminal app on the iPhone itself and elevated my privileges to root.

Once I was connected I typed “Clutch2” which showed the following options:


Typing “Clutch2 -i” displayed all of the App Store apps installed on the device:


I decided to dump the third application (which I don’t want to display since I didn’t write the app) so I ran “Clutch2 -b <BundleID#>”. If I had wanted to dump the second app (WordPress) I would have typed “Clutch2 -b org.wordpress”. Clutch2 quickly generated the following output:


The decrypted binary was placed under the /var/tmp/clutch directory. I used iFunBox to copy both the decrypted binary and the original binary (located in /var/mobile/Containers/Bundle/Application/xxxx) to my computer so I could compare the before and after results. Normally Mach-O executable files contain code for multiple ARM architectures and you need to use the OS X command line tool “lipo” to extract the ARM slice that you would like to analyze, but in this case the application only contained code for armv7 so that wasn’t necessary.

Below you can see where I ran “file” on an iOS app with multiple architectures (armv7s and armv7) and on this application, which only has one architecture.


Once I confirmed that I wasn’t dealing with multiple architectures I used the strings command to extract the text from both the original binary and the binary which Clutch2 produced. The original encrypted version is on the left and the post-Clutch2 decrypted version is on the right.


As you can see, the decrypted version gives us quite a bit more information about what’s going on inside of the application and I can start to use the tricks I learned in the SANS SEC575 course to analyze the app and its behavior.
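Two checks from this walkthrough, whether the binary is fat or thin (the “file”/“lipo” step) and whether a slice is still encrypted, can be read straight from the Mach-O headers. The following is an added example, not code from the post or from the Clutch project: it walks the fat header and each slice’s load commands and reports the cryptid field of LC_ENCRYPTION_INFO, which is 1 for an App Store encrypted slice and 0 for a decrypted dump. The constants come from Apple’s mach-o/loader.h and mach/machine.h; the sample binaries it builds for the demonstration are constructed, not real apps.

```python
"""Report the architectures in an iOS Mach-O file and each slice's encryption state.
Added example; constants from Apple's mach-o/loader.h and mach/machine.h, sample
binaries constructed below for the demonstration."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE          # universal ("fat") header, big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O header, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
ARCH_NAMES = {(CPU_TYPE_ARM, 9): "armv7", (CPU_TYPE_ARM, 11): "armv7s",
              (CPU_TYPE_ARM64, 0): "arm64"}


def parse_thin(blob):
    """Return (arch, cryptid) for one slice. cryptid is 1 while the slice is still
    App Store encrypted, 0 for a decrypted dump, None if the command is absent."""
    magic, cputype, cpusubtype, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<7I", blob)
    if magic == MH_MAGIC:
        pos = 28
    elif magic == MH_MAGIC_64:
        pos = 32                    # the 64-bit header carries an extra reserved field
    else:
        raise ValueError("not a little-endian Mach-O slice: %#x" % magic)
    subtype = cpusubtype & 0x00FFFFFF      # strip the capability bits
    arch = ARCH_NAMES.get((cputype, subtype), "cpu%d/%d" % (cputype, subtype))
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (64-bit form adds 4 pad bytes)
            cryptid = struct.unpack_from("<I", blob, pos + 16)[0]
        pos += cmdsize
    return arch, cryptid


def inspect_macho(data):
    """List (arch, cryptid) for every slice of a thin or fat file: what "lipo -info"
    shows, plus the cryptid value "otool -l" would print."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            result.append(parse_thin(data[offset:offset + size]))
        return result
    return [parse_thin(data)]


def build_slice(magic, cputype, cpusubtype, cryptid):
    """Constructed minimal slice: a header plus one LC_ENCRYPTION_INFO command."""
    is64 = magic == MH_MAGIC_64
    cmd = LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO
    lc = struct.pack("<5I", cmd, 24 if is64 else 20, 0x4000, 0x8000, cryptid)
    pad = b"\0" * 4 if is64 else b""
    header = struct.pack("<7I", magic, cputype, cpusubtype, 2, 1, len(lc) + len(pad), 0)  # filetype 2 = MH_EXECUTE
    return header + pad + lc + pad


def build_sample_fat(cryptids):
    """Constructed universal binary with an armv7 and an armv7s slice."""
    slices = [build_slice(MH_MAGIC, CPU_TYPE_ARM, sub, cid) for sub, cid in zip((9, 11), cryptids)]
    offset = 8 + 20 * len(slices)
    table = b""
    for sub, blob in zip((9, 11), slices):
        table += struct.pack(">5I", CPU_TYPE_ARM, sub, offset, len(blob), 0)
        offset += len(blob)
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + table + b"".join(slices)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat((1, 0))
    for arch, cryptid in inspect_macho(data):
        state = {1: "encrypted", 0: "decrypted"}.get(cryptid, "no LC_ENCRYPTION_INFO")
        print("%-7s cryptid=%s (%s)" % (arch, cryptid, state))
```

Run it with a path to get one line per slice; without arguments it inspects a constructed fat binary with an encrypted armv7 slice and a decrypted armv7s slice. Checking cryptid on the original and on the Clutch2 output is a quicker confirmation that the dump is really decrypted than eyeballing strings output.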

New Video Preview Utility to Help With Forensics Analysis

Earlier this week I walked into a friend’s office and he had just finished examining an iPhone using Cellebrite. The good news was that the acquisition went flawlessly. The bad news was that the device contained over 200 videos that he now needed to preview to see if any were relevant to his interests. As phones grow larger and larger (I have my 128GB iPhone sitting next to me as I type this) this is only going to become a bigger issue, so I wanted to write a Python script to try to help in situations like these.

The Video Preview Utility (for lack of a better name) utilizes the “Video Thumbnails Maker” tool to generate a sheet of evenly spaced thumbnail preview images for all video files in a directory. It copies all of those images to a subdirectory, creates an HTML file with all of the preview images and generates a log of all videos successfully processed and any videos where an error occurred. It’s a heck of a lot quicker to scroll down an HTML page looking for anything of interest than it is to click around in hundreds of videos.

Setup:
Note: These instructions cover Windows and assume Python 2.7.x is installed. No third party libraries were used.

Step 1 is to download and install Video Thumbnails Maker from http://www.suu-design.com/downloads.html. As I write this it’s the third program from the top on that page.

Step 2 is to add the directory it installs into to your system’s path. The directory where it installed on my laptop was “C:\Users\Matt\AppData\Local\Video Thumbnails Maker”. Once you add it to your path and restart your machine it should be set up, but you can check by opening up a command prompt and typing “VideoThumbnailsMaker.exe”. If the program starts then it’s in your path and our script will be able to find it no matter which directory you run it from.

Step 3 is to start Video Thumbnails Maker (this is the only time we will use it graphically), click on “environment” and deselect the “VTX (Video Thumbnails File)” box. Leaving it selected wouldn’t hurt anything but it would place VTX files into your videos directory which aren’t needed.

Once these steps are done you should be ready to run the script. Download videoPreviewUtility.py, unzip it, place it into a directory with your video files and run it. It will create a subdirectory with a name of the current date and time. It will then attempt to generate a video preview image for every .mov, .mp4, .avi and .wmv file in the directory. Adding additional file types or extension names should be as easy as adding another OR option on what is currently line number 24. As mentioned earlier, in addition to the preview images themselves it also generates an HTML report with all of the video previews and a log file with all successfully previewed videos and any which weren’t able to be previewed.
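Here is the shape of that workflow as an added example, written for Python 3 and not the videoPreviewUtility.py from the post: file selection by an extension set (so adding a type is one more entry rather than another OR clause), a timestamped output directory, an HTML sheet of the previews and a success/error log. The call to Video Thumbnails Maker is passed in as a callable because its command-line options aren’t covered here; the demo run uses a stub that writes a placeholder image and fails on one file, in a temporary directory of constructed dummy files.

```python
"""Video preview workflow: select videos, make a preview per file, write an HTML
sheet and a log. Added example (Python 3), not the post's videoPreviewUtility.py;
the thumbnail tool is a caller-supplied callable and the demo data is constructed."""
import datetime
import html
import os
import tempfile

# One place to extend: add ".mkv" or ".3gp" here instead of another OR clause.
VIDEO_EXTENSIONS = {".mov", ".mp4", ".avi", ".wmv"}


def build_preview_report(video_dir, make_thumbnail, extensions=VIDEO_EXTENSIONS, now=None):
    """Process every video in video_dir; return (output_dir, processed, failed).
    make_thumbnail(src, dst) must write a preview image to dst or raise."""
    stamp = (now or datetime.datetime.now()).strftime("%Y%m%d_%H%M%S")
    out_dir = os.path.join(video_dir, stamp)
    os.makedirs(out_dir)
    processed, failed = [], []
    for name in sorted(os.listdir(video_dir)):
        src = os.path.join(video_dir, name)
        if not os.path.isfile(src) or os.path.splitext(name)[1].lower() not in extensions:
            continue                          # skips our own output directory and non-video files
        dst = os.path.join(out_dir, name + ".png")
        try:
            make_thumbnail(src, dst)          # in the real tool: a subprocess call to the thumbnailer
            if not os.path.exists(dst):
                raise RuntimeError("no preview image produced")
            processed.append(name)
        except Exception as exc:              # one corrupt file must not stop the whole run
            failed.append((name, str(exc)))
    with open(os.path.join(out_dir, "previews.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>\n")
        for name in processed:                # escape names: filenames from a phone are untrusted input
            fh.write('<h3>%s</h3><img src="%s">\n' % (html.escape(name), html.escape(name + ".png")))
        fh.write("</body></html>\n")
    with open(os.path.join(out_dir, "log.txt"), "w", encoding="utf-8") as fh:
        for name in processed:
            fh.write("OK    %s\n" % name)
        for name, err in failed:
            fh.write("ERROR %s: %s\n" % (name, err))
    return out_dir, processed, failed


def run_demo():
    """Constructed run: a temp directory with dummy files and a stub thumbnailer."""
    video_dir = tempfile.mkdtemp(prefix="preview_demo_")
    for name in ("a.mov", "b.MP4", "c.avi", "notes.txt", "corrupt.wmv"):
        with open(os.path.join(video_dir, name), "wb") as fh:
            fh.write(b"fake video bytes")

    def stub_thumbnail(src, dst):
        if os.path.basename(src).startswith("corrupt"):
            raise RuntimeError("decoder failed")
        with open(dst, "wb") as fh:
            fh.write(b"\x89PNG fake")

    out_dir, processed, failed = build_preview_report(video_dir, stub_thumbnail)
    return {"processed": processed, "failed": [n for n, _ in failed],
            "report": os.path.join(out_dir, "previews.html")}


if __name__ == "__main__":
    print(run_demo())
```

To use it for real, replace stub_thumbnail with a function that runs the thumbnail tool for one file and writes the sheet to dst; everything else, including the per-file error handling that keeps one bad video from aborting a 200-video run, stays the same.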

I’ll give this script some more testing with different types of dumps next week and will likely tweak it some but I wanted to get it up for anyone to play with. Friends don’t let friends watch 200+ videos!!!

Long Overdue 2015 Update

It’s been an extremely busy start to the year but I wanted to make a quick post to talk about what I’ve been up to so far.

Last month I got to attend my first SANS DFIR-specific event when I took the FOR508 with Rob Lee in Monterey. I’ve taken the 508 previously but this was a much needed refresher. As I’ve discussed in a few different articles, the FOR408 focuses on analyzing activity on a Windows computer and the 508 builds upon that base to cover quickly triaging large numbers of systems remotely, a “greatest hits” of memory analysis, timeline automation and analysis, volume shadow copy analysis and deep dive artifact analysis on Windows systems like I’ve never seen covered anywhere else. You may not remember the deep dive section verbatim, but the combination of having been exposed to it and having the course books as a reference means you’ll quickly be able to analyze those artifacts when the time comes.

In addition to being my first DFIR specific conference, this was my first class with Rob Lee. He was funny, friendly and took the time to chat with students in class and online. Throughout the entire class Rob shared real world stories of exactly how what he was teaching us has been used out in the real world.

For the day 6 challenge Rob and the 572 instructor Phil Hagen tried something they had never tried before, they combined the classes! The data for the day six challenge for both classes is from the same event (508 students have the disk and memory artifacts and 572 students have the network artifacts) so their idea was that teams could work together with 508 students giving 572 students indicators to look for and 572 students helping answer what activity was going on. The plan worked flawlessly and everyone involved seemed to have a really good time. I was fortunate to have some brilliant individuals on my team and we won the challenge and the Lethal Forensicator coins 🙂

Monterey was a great time but as soon as I got back home it was back to the books. Back in December I answered the CactusCon call for papers with a proposal for my first ever public con talk. CactusCon called my bluff so this past Friday I gave a talk on “Getting Started with Memory Forensics”. There were approximately 40 people in the room for my talk and I received some great feedback afterwards. This was my first CactusCon and they did a fantastic job from start to finish. They had multiple tracks of talks, a Dave Kennedy keynote speech, a lockpick village and an area outside for attendees to solder the parts kits onto their badges. I had a great time and I’ve got nine months to come up with a good idea for a talk for the 2016 version.

That’s what’s been keeping me occupied so far this year. I’d say that now I can breathe a little but I doubt very seriously that it’s going to slow down.

2015 is Upon Us

I planned on doing a few blog posts in December but due to a few great December surprises I wasn’t online much. My month started off by taking a much needed relaxing week of vacation in San Diego with my wife. On the last day of our trip I got the type of email everyone hopes for: “I know this is last minute, but would you like to go to the SANS CDI conference in DC next week?”.

CDI was my first east coast SANS conference and it was well worth the trip. I got to spend a lot of time with some absolutely amazing people and it was truly one of the best weeks of my life. I’m not sure yet what conferences I’ll be going to in 2015 but I can’t wait to find out.

It was a great end to a fantastic year. I got the opportunity to attend several SANS trainings in person as well as online, attended some other penetration testing training, attended my first Blackhat and Defcon thanks to the generosity of Don over at ethicalhacker.net, and made some great friends with similar interests to mine.

I improved my knowledge and skills dramatically in 2014 but still have a lot of work to do in some areas including exploit development and reverse engineering. I’m also starting to play with things like using binwalk to analyze firmware and I just got a Riff Box to try to learn to JTAG mobile devices.

Thank you so much to everyone I’ve interacted with this year and hopefully 2015 will be even better.

New Network Forensics Challenge

Recently on the SANS DFIR mailing list one of the members announced he had put together a Network Forensics challenge for anyone who wanted to participate. The challenge is at http://blog.mywarwithentropy.com/2014/11/spy-hunter-holiday-challenge-2014.html where you can download a large pcap and a PDF with instructions.

I’ve only had a small amount of time to play with the pcap but it’s very well done and I’m looking forward to digging deeper into it.

SANS SEC575 Mobile Device Security and Ethical Hacking Review

I recently attended the SANS SEC575 Mobile Device Security and Ethical Hacking class in Las Vegas and I wanted to post some of my thoughts on the course.

Day One: Architecture and Management

Day one started off with a quick overview of mobile device issues that would be addressed in the course and a lab which has the students extract sensitive data from a network capture file with mobile device traffic. After that there are four “what you need to know” sections about iOS, Android, Blackberry and Windows Phone devices. The sections cover technical specifications, key points, protection mechanisms etc. These sections are well done and provide a solid foundation for the rest of the class.

The next section in the book covers building your own lab using devices, emulators and simulators. There are two exercises where you configure an Android emulator and interact with it using ADB commands. The labs throughout the entire course were very well done and helped reinforce the topics being taught.

The next portion of the book discussed Mobile Device Management (MDM) systems used for enforcing device policy settings. This section included an exercise that had you take a policy for a company and create a profile enforcing the rules of that policy using the iPhone Configuration Utility.

Mobile Malware was next up and we started off covering some basics, progressed to examining specific historical malware attacks and finished by discussing preventative measures to protect your devices. That concluded the class portion of day one but the day one book also has an Appendix on policies and practices as well as a section on miscellaneous topics.

Day Two: Security Controls and Platform Access

Day two begins with a lengthy section on mitigating the threat from stolen devices and includes an exercise where the students recover the swipe pattern from a locked Android. Backups, fingerprints and passcodes were all discussed as well.

Next up was a section on unlocking, rooting and jailbreaking iOS and Android devices. The section started off with general topics and then covered a specific iOS jailbreak and a root for an Android Nexus 7.

The next section was small but packed with great information on data storage and filesystems. Plist, SQLite and XML were all covered as were locations within the filesystem which could contain sensitive data. This section concluded with a lab where the students searched an iPhone backup to look for key pieces of information.

Most of the remainder of day two was spent covering capturing and analyzing mobile application network activity using tools such as Burp Suite, NetworkMiner and Wireshark. There were two well-done exercises in the afternoon which gave the students a chance to utilize these tools.

Tacked on to the end of the day two book was a section on Blackberry classic PIN cracking and backup access as well as a few other miscellaneous topics.

Day Three: Application Analysis

Day three brought 280 pages of hardcore application analysis and I loved every minute of it. Before I give an overview of the day’s content I would like to state that a majority of the class had little to no programming experience and still got a lot out of this section. You don’t need to be a programmer to go through the exercises you just need to understand the concepts taught and use analytical thinking.

The first section is on static application analysis (Android and iOS) and ends with an exercise analyzing an Android application.

The next section is on automating app analysis and has a lab where the student analyzes a piece of Android malware and then another where the student finds a vulnerability in an Android application that can be exploited.

Next up was a lengthy section on manipulating an application’s behavior which includes a lab on modifying Android applications.

The day ends with a short but awesome “App Analysis Walkthrough” where the author goes through the steps he took each day on a near real world analysis of an iOS application and a small section on filesystem monitoring.

By the end of the day your brain is cooked but you’ve learned quite a bit about analyzing mobile device applications in different ways.

Day Four: Penetration Testing Mobile – Part 1

Days four and five of this course are really interesting. Days one through three covered topics that were largely mobile device related, but there is obviously a lot of crossover between mobile device hacking and traditional hacking, and that is where days four and five come in.

Day four is a one day mini primer on Wireless hacking and it is FANTASTIC. It starts off with a section on wireless network scanning where it discusses topics like using monitor mode on Linux, Windows and OS X and intros a few basic tools. The first section ends with a lab where students use Kismet to figure out the SSID of a network which is hiding it.

Next up is a short but sweet section on mapping probe requests which includes a lab where the students generate a visual graph of client probe requests.

The next few sections progress through the different levels of encryption.

• On an open network with a captive portal? You’ll cover ways around it.
• On a WEP encrypted network? You’ll crack it in a lab.
• On a WPA-PSK encrypted network? You’ll discuss your options and you’ll crack one in a lab.
• Facing a WPA Enterprise network? You’ll discuss setting up your own modified RADIUS server to grab login credentials.

The day ends with a section and lab on mobile device fingerprinting.

I seriously couldn’t imagine a better one day walkthrough of wireless topics. For the small number of students who had attended the SANS SEC617 wireless or other in depth wireless courses it was a nice refresher but for everyone else it was a fantastic mini wireless course hidden within a course on Mobile Device Security.

Day Five: Penetration Testing Mobile – Part 2

What day four was to wireless day five was to web application type attacks. Day five covers network manipulation attacks like ARP spoofing, sidejacking attacks, SSL/TLS attacks, client side injection attacks, HTTP parameter tampering, XSS attacks and SQL injection.

While the tools the students use are web application testing standards like Burp Suite and SQLmap the labs have you attacking the transactions and infrastructure for mobile device applications you’re running in emulators.

Just like day four, they did a fantastic job of boiling down what would have been a week’s worth of content into a day’s worth of great overviews and hands-on experience.

Day Six: Hands-on Mobile Security Event (Capture The Flag)

The CTF for day 6 of the 575 course uses the Netwars scoring engine and is very well done. Every student in class got a chance to practice the skills they had been exposed to over the past five days and it really seemed to help add to the learning process. There were the moments of frustration found in any CTF but everyone seemed to really enjoy the day.

Summary

The 575 was a very enjoyable class. There were some topics which I was already a little bit familiar with but now have a much better understanding of after a week of hands on learning and instruction from a world class expert.

The class was taught by Chris Crowley who did a great job teaching and entertaining. He seemed sincerely interested in helping students get what they wanted out of the class, had many sidebar conversations with students at break and after hours and spent the better part of one lunch period going over the previous day’s labs for a few students who wanted to see a walk through. I would take a class from Chris again in a heartbeat.

Giveaway #2 Winner and Upcoming SANS course review

Congratulations to James Lieu for winning the paperback copy of “Hacking Exposed 7: Network Security Secrets & Solutions”.

Last week I attended the SANS SEC575 Mobile Device Security and Ethical Hacking course at Network Security 2014 in Las Vegas. It was an enjoyable class and I just finished the first draft of my index (the book for day #3 is close to 300 pages!). I plan on writing up a review of the course in the next few days.

In addition to the class I was able to spend time with some great people and participate in both nights of Core Netwars. Netwars would be fun no matter what but it was made even better by sitting with friendly and knowledgeable people. I ended up getting about half a dozen questions into level 3 and finished 14th on the alumni scoreboard. While I always feel like I could have done better Netwars is a great way to see the progress that I’ve made from year to year and I felt a lot more comfortable than I have in previous years.

Book Giveaway #2

Congratulations to book giveaway #1 winner Matt Williams (@mattwilliams31) who won a paperback copy of Richard Bejtlich’s “The Practice of Network Security Monitoring: Understanding Incident Detection and Response”.

Book Giveaway #2 is for a paperback copy of “Hacking Exposed 7: Network Security Secrets & Solutions”.

Once again I’m limiting the book giveaways to U.S. residents only to keep the shipping costs down but I will do a giveaway later this year that will be open to everyone.

The drawing is open until 10/26/2014 so good luck!
