Getting started with GPU Password Cracking

Last year I decided to buy a desktop computer to keep in my home office to run VMs and eventually set up to crack passwords. I didn’t want to spend too much but I was able to find a new Dell XPS on eBay with an i7 processor, 16GB of RAM and 2TB of hard drive space for $700. I had used John the Ripper to crack password hashes quite a few times but hadn’t messed with using a GPU to crack passwords.

A few weeks ago I decided to finally get the machine set up to use the GPU to crack passwords. I knew that ATI graphics cards tended to perform better than NVIDIA cards but I had hoped that since the machine was an XPS the NVIDIA graphics card in it would at least do a passable job. As I started doing some research I quickly realized that the NVIDIA GX 620 currently in the machine wasn’t going to be able to crack passwords at a rate anywhere near that found in higher end cards, so an upgrade was in order.

I did a little bit of reading and the ATI 7950 ($230 with a $20 rebate at newegg.com) seemed like a good option for the price. Unfortunately I knew the card would be quite a bit larger and need more power than the stock card, so a new case and power supply were in order as well. I ended up grabbing an Azza 9000 case and a 600 watt Corsair power supply. The total cost for the graphics card, case and power supply was just under $500 and hopefully I get back the $50 in rebates I sent off.

When the video card arrived it was instantly obvious that I made the right call by getting the bigger case, as the 7950 dwarfed the GX 620.

[image: gpu_pics]

If I thought the video card was a big increase in size that was nothing compared to the monster that was the Azza 9000 case that arrived the next day. I wasn’t sure if that thing would fit through the door. I spent a few hours transferring the motherboard and installing all of the components into the new case but the process was relatively painless. When everything was said and done this is how it looked.

[image: new_case]

Once it was up and running I updated the video card drivers and installed the latest version of the password cracking program hashcat. I ran hashcat in benchmark mode to see what speeds I could expect for different password hash formats and was quite pleased with the results. TrueCrypt volumes using the default RIPEMD-160 and AES settings benchmarked at just under 78,000 guesses per second, and WPA/WPA2 handshake captures were cracked at a rate of 111,000 guesses per second. I tested a few different files and the real world results were very close to the listed benchmarks.

[image: hashcat_speed]

I’ll probably do a more in depth post on hashcat usage in the near future but right now I’m using the 15GB wordlist from crackstation (https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm). Hashcat also has some brute force and hybrid options.

If I had to do it all over again the only change I would make is getting a bigger power supply. The one I have now is perfect for the setup I have, but if I ever decide to expand to a multi GPU motherboard in the future I’ll need more than 600 watts.

One unexpected side effect to this upgrade was that I backdoored myself into a new hobby. As soon as I was done testing the password cracking capabilities and the machine was sitting idle I wondered how it would perform mining crypto currencies. I’ve had a lot of fun researching the topic and trying different things and will probably write about that in my next post.

Some Basic Options When Dealing with TrueCrypt (aka Finally a Forensics Post)

I’ve recently been working on a presentation I’ll be giving in a few weeks on the topic of memory forensics. I’ve learned a ton while working on it and the old adage of “The best way to understand something is to teach it to others” has proven extremely beneficial to me.

One of the topics that required me to do some digging was on the subject of memory analysis as it relates to TrueCrypt. A few years ago I was asked to examine a system within an extremely short time frame. I looked at the software installed on the system and saw TrueCrypt. I didn’t know a ton back then but I knew enough to know that there was nothing quick about dealing with TrueCrypt.

I’m writing the post that I wish I would have had on that day a few years back. If you see TrueCrypt installed on a system and aren’t quite sure what to do with that bit of information, hopefully this quick overview and some of the resources I’ll mention help. I’m not going to cover using artifacts like prefetch files to determine if TrueCrypt is installed and how frequently it’s been used, we’ll just cover hunting for and dealing with the containers.

Locating TrueCrypt:

One of the things that makes locating TrueCrypt files difficult is their lack of a standard file signature that one would normally use to locate all files of a particular format; a TrueCrypt container is designed to be indistinguishable from random data. There is a free tool called “TCHunt” that will scan a drive or directory and look for files that may be TrueCrypt containers. TCHunt looks for files that meet specific size requirements (file size divisible by 512 and at least a minimum size), do not have the file header of a known common type, and appear to contain a higher than average randomness of data, which is a key indicator that the contents may be encrypted. Note that those same properties also describe other encrypted volumes, key files and some compressed data, so a hit is a lead to follow up on rather than proof of a container.

[image: tchunt]

For everything that TCHunt does it’s also amazingly quick. I ran it against a 750GB Hard drive which had over 500GB of data and the complete scan took around three minutes. The tool correctly identified all four TrueCrypt containers on the drive.
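To make the three heuristics concrete, here is an added Python example (my own illustration, not TCHunt’s code and not from the original post) that walks a directory and applies them in the order described: size is a multiple of 512 and at least a minimum, no recognizable file header, and a byte distribution close to uniform under a chi-square test. The minimum size (19 KB), the chi-square cut-off (400, where uniformly random data scores about 255) and the short header table are assumptions picked for the demo, not TCHunt’s real values, and build_sample_dir() writes constructed sample files so the script runs offline.

```python
"""Heuristic hunt for TrueCrypt-style containers (added example, not TCHunt).

Three tests, in the order the post describes them:
  1. size is at least MIN_SIZE and a multiple of 512 bytes
  2. the file does not start with a well-known header
  3. the byte histogram is close to uniform (chi-square test)
All thresholds are assumptions chosen for this demo.
"""
import os
import tempfile

MIN_SIZE = 19 * 1024      # assumed minimum container size in bytes
SAMPLE_BYTES = 1 << 20    # bytes read from the head of each file for the chi-square test
CHI_THRESHOLD = 400.0     # assumed cut-off; uniform random bytes score about 255 (df = 255)

# A short header table for the demo; a real scanner would carry a much larger one.
KNOWN_HEADERS = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
    b"\x89PNG": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
    b"Rar!": "RAR archive",
    b"7z\xbc\xaf": "7-Zip archive",
    b"\x1f\x8b": "gzip data",
    b"SQLite": "SQLite database",
}


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256.0
    return sum((data.count(bytes([v])) - expected) ** 2 / expected for v in range(256))


def classify(path, min_size=MIN_SIZE, chi_threshold=CHI_THRESHOLD) -> str:
    """Return 'candidate' or a short reason the file was rejected."""
    size = os.path.getsize(path)
    if size < min_size:
        return f"too small ({size} bytes)"
    if size % 512:
        return f"size not a multiple of 512 ({size} bytes)"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    for magic, name in KNOWN_HEADERS.items():
        if head.startswith(magic):
            return f"known header: {name}"
    score = chi_square(head)
    if score > chi_threshold:
        return f"not random enough (chi-square {score:.0f})"
    return "candidate"


def scan_directory(root, **kwargs) -> dict:
    """Map every regular file under root (path relative to root) to its verdict."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                report[os.path.relpath(full, root)] = classify(full, **kwargs)
    return report


def build_sample_dir() -> str:
    """Write constructed sample files (not real evidence) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="tchunt_demo_")
    samples = {
        "vault.dat": os.urandom(1 << 20),                         # random, 1 MiB: looks like a container
        "random_odd.bin": os.urandom((1 << 20) + 1),             # random, but not a multiple of 512
        "small.bin": os.urandom(4096),                            # random, but below the minimum size
        "archive.zip": b"PK\x03\x04" + os.urandom(512 * 100 - 4),  # random body behind a known header
        "notes.txt": (b"meeting notes, nothing encrypted here\n" * 2048)[:65536],  # plain text
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_directory(build_sample_dir()).items()):
        print(f"{rel:16} {verdict}")
```

Run it as a script to see each sample’s verdict, or hand scan_directory() a real directory to try it on a drive. Only vault.dat should come back as a candidate; each of the other files trips exactly one of the three tests. On real data expect false positives from anything that is legitimately random and headerless, which is why the next step in the post is throwing a wordlist at each hit rather than treating the hit itself as proof.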

Cracking TrueCrypt:

Using Memory:

Ideally you have a memory dump which was acquired while the TrueCrypt container was mounted. In lieu of that, the hiberfil.sys may have been written while the container was mounted. TrueCrypt no longer stores its password in memory, but it does store the encryption keys in memory while the container is mounted so the password doesn’t need to be re-entered every time a file is accessed. These keys can be located using tools like bulk_extractor and are the key to unlocking the container.

Michael Hale Ligh wrote a great blog post on Volatility Labs earlier this year discussing identifying and acquiring these keys. In the post he references a 2011 blog post by Michael Weissbacher where he outlines patching TrueCrypt to allow an examiner to use acquired AES keys to mount a TrueCrypt container without knowing the password. There are commercial tools such as Passware and Elcomsoft which will also allow an examiner to access a TrueCrypt container using keys acquired from a memory dump.

Without Memory:

If no useable memory dump is available and you still want to access a locked TrueCrypt container you’re hoping for quite a few things.

• The user used a short password
• The user stuck to the default settings (RIPEMD-160 and AES) when creating the TrueCrypt container
• You have access to a system with a powerful graphics card

Modern graphics cards (GPUs) can crack passwords at a MUCH faster rate than a computer processor (CPU) can. I recently upgraded to an ATI 7950 3GB model ($230 at Newegg) and I’m able to crack passwords on a TrueCrypt container created with default settings at a rate of 77,000 guesses per second. That sounds like a lot and it’s great for wordlists (I can go through the entire 14,000,000 word rockyou list in under three minutes) but when you start crunching the numbers on a brute forcing attempt you’ll quickly become discouraged.
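To put the 77,000 guesses per second in perspective, here is an added Python example (not from the original post and not hashcat’s own code) that parses a hashcat-style mask, computes its keyspace and estimates how long exhausting it takes at a given rate. The charset sizes are hashcat’s built-in ones; the rockyou line count (about 14.3 million) is an assumption used only for the comparison at the bottom.

```python
"""Keyspace and run-time estimate for a hashcat-style mask (added example)."""

# hashcat's built-in charsets and their sizes
CHARSET_SIZES = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "s": 33,   # space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?l?u?d?s
    "h": 16,   # 0-9a-f
    "H": 16,   # 0-9A-F
    "b": 256,  # 0x00-0xff
}


def parse_mask(mask: str) -> list:
    """Split a mask such as '?u?l?l?l?d?d' into per-position choice counts.

    A literal character (anything not introduced by '?') is one choice and
    '??' is hashcat's escape for a literal question mark.
    """
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            token = mask[i + 1]
            if token == "?":
                sizes.append(1)
            elif token in CHARSET_SIZES:
                sizes.append(CHARSET_SIZES[token])
            else:
                raise ValueError(f"unknown charset ?{token}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (product of per-position sizes)."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def seconds_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Wall-clock seconds to try every candidate at the given rate."""
    return mask_keyspace(mask) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a number >= 1."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 77_000  # TrueCrypt RIPEMD-160/AES guesses per second reported in the post
    for mask in ("?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{mask:20} {mask_keyspace(mask):>22,} candidates  "
              f"~{humanize(seconds_to_exhaust(mask, RATE))}")
    ROCKYOU_LINES = 14_344_392  # assumed line count of rockyou.txt
    print(f"rockyou wordlist     {ROCKYOU_LINES:>22,} candidates  "
          f"~{humanize(ROCKYOU_LINES / RATE)}")
```

At 77,000 guesses per second eight lower-case letters takes about a month and eight characters from the full printable set roughly 2,700 years, while the whole rockyou list is a few minutes. That gap is the whole argument for wordlists, rules and targeted masks over blind brute force against a slow format like TrueCrypt.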

If standard wordlists don’t crack the password there could be multiple causes. The user could have changed the default settings when creating the container or could have used a password not in your word lists. You could try generating custom wordlists or using your wordlists with different encryption options.

I threw one of the TrueCrypt containers TCHunt found at oclHashcat to try to crack the password. oclHashcat has multiple TrueCrypt encryption options but I tried the default RIPEMD-160 and AES option first.

[image: hashcat1]

It turns out that the password (123mango) was in the rockyou wordlist I was using so the password was cracked in under a minute.

[image: hashcat2]

I can’t overstate the value of having some good wordlists for times like these. Brute forcing a password 8 characters or longer is a road nobody wants to go down.

I’ve been using john the ripper for a few years but am just now starting to seriously delve into GPU password cracking so I’d love to hear any tips, techniques or stories you have on these topics.

Bash Script to Help With base64 and echo File Transfers

Recently I had remote access to a Linux terminal with an extremely limited command set and I wanted to place a full featured web shell on the box. My usual methods of netcat and wget weren’t available, but someone much smarter than I (Craig Swan at SensePost) suggested I use base64 to encode the shell (to avoid any issues with non-printable or foreign characters), copy each line, and paste each line on the target box as part of an echo statement which builds a copy of the file on the target box.

I thought the idea was great and it worked like a champ. I figured that this likely wasn’t the last time I would use this technique so I wrote a bash script to automate the process as much as possible.

#!/bin/bash
# Usage: 64converter.sh <file>
# Writes one 'echo "<base64 line>" >> <file>' command per encoded line to based_output.txt
base64 "$1" > based.tmp
file_name=${1##*/}                 # strip any leading directories
[ -f based_output.txt ] && rm based_output.txt
prevar='echo "'
postvar='" >> '
while IFS= read -r line; do        # -r keeps the line intact; base64 output has nothing to escape
    echo "$prevar$line$postvar$file_name" >> based_output.txt
done < based.tmp

The code takes an input file and prepares that file for transfer. The command “64converter.sh webshell.php” would take the contents of webshell.php, encode it with base64, copy the encoded data to a temp file, go through that file line by line and copy the contents of each line to an output file where it is turned into an echo >> webshell.php command. Below is a screenshot of the process.

[image: Capture]

The script speeds up the process a little bit and helps avoid typing errors. The contents of the based_output.txt file are ready to be pasted into the target’s terminal window. Once each of the echo commands has been run on the target machine, the resulting file contains the base64 text and can be decoded with base64 -d (for example base64 -d webshell.php > shell.php), and the webshell will have been successfully transferred. It’s worth comparing a checksum such as md5sum on both ends so that a line mangled or dropped in the paste doesn’t go unnoticed.

It’s a very short and simple script but it was a good excuse for me to work on my bash.

Book Review: Red Team Field Manual

[image: rtfm]

It feels kind of weird to call this a “book review” when the book is under 100 pages and costs $9 on Amazon but the Red Team Field Manual is worth sharing.

I first heard about the book on a SANS mailing list a few weeks ago when a poster said that the book was awesome and not to be scared off by the Amazon reviews which are joke reviews written by the author’s friends. I went to read the reviews (some of them were pretty darn funny) and since the book was only $9 I ordered it. It may very well go down as the handiest $9 I’ve ever spent.

The book’s author originally wrote the book as a reference for members of his penetration testing red team and got permission from his employer to publish it. The book is just under 100 pages and is nothing but a well-organized list of handy pen-testing commands for Linux, Windows, networking, pen testing tools, databases etc.

  • Looking for some Linux commands to cover your tracks? Page 7
  • A little fuzzy on the exact netsh command to forward a port in Windows? Page 18 has you covered.
  • Want to use Powershell to run a command every four hours? Page 23

I’ve kept my copy in my backpack since the day it arrived and it will probably stay there for many years. If you’re at all interested in pen testing and the book sounds like something you could use it’s definitely worth the $9 to check it out.

Thoughts on the SANS 560 at Cybercon

woo hoo!!!

As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills.

So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun.

I’ve already been asked one question about my experience and I’ve been involved with some SEC 560 vs. SEC 504 discussions in the past so there are a few topics I wanted to discuss before I do a course summary.

Q: How Was Cybercon compared to a live conference?

A: I talked a little bit about my previous Cybercon experience here http://digitalforensicstips.com/2013/04/early-thoughts-on-cybercon/ and everything I said there remains true. The software used was different this time out but it still had zero issues and felt smooth.

At the last Cybercon I took the 414 CISSP prep course and there were literally zero issues. Twice a day we would pause to go take the practice tests and meet back up afterwards, everything was flawless. This time there were still no issues with instructor interaction but since students had to VPN into remote labs to perform the exercises a few of the students were having some issues. The SANS support staff were extremely friendly and helpful and even ended up remoting into two students’ machines to get them configured. I can’t say enough good things about those guys.

So there were issues but when you have students with entirely different setups using VPN to connect to remote labs that’s not terribly surprising. Things change so this advice probably has a shelf life worse than sour cream but if I had a friend taking the next virtual 560 class I would advise them to setup the VPN connection on the Linux VM and a Windows system (for me it was my host OS) as soon as they get their disk. For me setup only took a few minutes each and I made sure that I could not only ping the target IP address SANS provided but also that my Windows host could ping my Linux VM (through the VPN) and vice versa (once I disabled my Windows firewall). I personally had zero connection issues during the class except for the occasional dropped connection on the Linux side which always corrected itself.

Connection issues aside the labs worked flawlessly 99% of the time. There was one lab where the second half required a Metasploit pivot from one box to another and for some reason the target box didn’t want to play nice. I haven’t checked to see if the issue is resolved yet but that was honestly the only issue we had the entire week. Once again kudos to the virtual support staff.

All of the above is necessary background but I haven’t actually answered the question yet so here goes.

If SANS was holding an event in my city and running an online course at the same time I would choose to go to the event in person. The opportunity to network on such a grand scale is well worth getting dressed each morning 🙂

If I had had a choice to go on a fully funded trip to a SANS conference or take a course online I would go to the conference. Free trip and a conference, come on!

Unfortunately for me neither of the above two scenarios is likely. What is far more likely is the exact scenario I faced this month. SANS is holding an event this week in Scottsdale a little over two hours north of me. I attended last year and had an absolute blast. I saw this year’s conference was going to have the 560 and I was stoked. Later I saw that the week before the conference (last week) was an online version of 560 at Cybercon and I had to make a decision. I ended up choosing Cybercon and saved the money I would have spent driving there, spending six nights in a hotel and eating out.

My situation was about as pure of a decision as possible. I had been to a SANS Scottsdale and a Cybercon and both of them were offering the course I wanted within one week of each other. I viewed the decision as travel expenses vs. personal networking and nothing more. The quality of learning didn’t factor into my decision nor should it have. After two Cybercon experiences I can say I’m very satisfied with the training I’ve received.

One more thing to mention is cost savings isn’t the only advantage online students get. I love the mp3s as much as anybody but I’m a huge fan of video learning and online students get access to video recordings from the course for four months. At one point while the instructor was giving a very detailed description of rainbow table creation I had to go to the front door to sign for a package. Later that afternoon I was able to go to the video to see what I had missed. That’s pretty darn cool.

Earlier I cited the VPN connection as an issue for some people but it’s also one of the biggest perks. Most of the 560 students in Phoenix this week will play around on one network for a few days performing labs and then on another network for a few hours during the CTF and that will be it. Online students get access to both networks for four full months. That’s pretty darn cool. There are a few things on the CTF network that I plan on going back and playing with this week and I like having that opportunity.

Hopefully that does a decent job comparing the pros and the cons of the multiple formats.

The other topic I wanted to discuss was the amount of overlap between SEC 504 and SEC 560.

When I took SEC 504 in September of 2012 there was a really nice guy in class who had commented to me that he was enjoying the class but his previous class was the 560 and there was a lot of overlap. I knew this was a topic of interest (SANS even has a FAQ page on the subject) so I wanted to give my thoughts on it.

SEC 504 was my first ever facilitating gig and honestly I think it was my sixth choice. I lucked out. Only the SEC 401 would have been more appropriate for me at that point in my journey. The 504 was awesome. It introduces you to all sorts of different attacks, explains how they work and then spends a little bit of time discussing how to identify and prevent them. In addition to being the first block on the pen testing course chart the 504 is now (rightfully so) listed as the first block on the forensics course chart as well. That speaks volumes about the course’s usefulness.

While the 504 was exactly what it claims to be (a great overview on hacker techniques and exploits) the 560 is also exactly what it claims to be, a great overview on pen testing.

One stark contrast between the two courses is the coverage of Metasploit. In the 504 students are introduced to Metasploit, start it up, and fire it at vulnerable servers. It’s a great introduction and the students get a chance to play with it more during the day six CTF. In the 560 students get the same intro but then go way more in depth looking at the various sorts of modules, at integrating Metasploit with a database so it can use nmap or Nessus results to identify useful exploits, at different ways they can pivot from one machine on a network to another one etc. I have used Metasploit in multiple courses and practicing on my own but I definitely have a better understanding of it now.

I loved the 560 for a lot of the same reasons I loved the 408 Windows forensics course. The courses were very systematic and well laid out. Day one covers a lot of the legalities, best practices and some recon. Day two provides GREAT coverage on scanning so you can map out targets. Day three is using Metasploit and some other tools to get a foot hold on the network and move around. Day four is a great look at password attacks and covers both attacks over the network using tools like hydra and offline attacks using John the Ripper and Ophcrack. Day five was a little different but enjoyable. The first half of the day was wireless and the second half was web applications. I’ve already taken the 617 wireless hacking class and the 542 web application attack class so I would have preferred different content but the content was very well done and enjoyable. Just like the 504 day 6 is a capture the flag event.

The 504 and 560 are both 500 level SANS courses designed by Ed Skoudis with “hack” in the title so there are going to be some similarities. Once again I lucked out in that I went to the classes in the correct order. The 504 exposed me to a lot of techniques and the 560 helped me refine my use of the techniques and develop a game plan. If I had gone to the classes in opposite order (like the gentleman I spoke to had) then I likely would have had similar thoughts. I would have gone from a course which covered tools in depth to a course which covered them with less detail but exposed me to other attacks and techniques.

If you’ve taken the 504 and are interested in the 560 then go for it. The overlap is headed in the right direction. If you’ve taken the 560 and are considering the 504 then it may indeed be an awesome class for you but I would take a good look at your options and what you could get from each of them. If I was recommending courses to a friend new to pen testing I would recommend both the 504 and the 560 but specify that they should be done in that order.

Kevin Fiscus is a great instructor with a gift for explaining difficult concepts in a way anyone can understand and I was able to take lessons learned from my 504 CTF (mainly to stay organized) and come in first in the 560 CTF. All in all it was a great week and I’m sure it won’t be my last online class or my last class with Kevin.

2014 Cybercon Here I Come

[image: photo(5)]

My box of books and swag for the 2014 SANS Cybercon showed up today so I’m pretty much like a kid on Christmas morning flipping through my new books. I signed up for the SEC 560 class (taught by Kevin Fiscus) and am looking forward to a great week.

SANS 2013 Holiday Hacking Challenge, 2013 Review and 2014 Goals

I just submitted my report for the SANS 2013 Holiday Hacking Challenge ( http://pen-testing.sans.org/holiday-challenge/2013 ) and it was a great way to end the year. I started my infosec studies in mid-2012 and while I was aware of the 2012 holiday challenge I was swamped with other obligations and didn’t have the time to participate. Every time I saw an update on twitter talking about the challenge I promised myself that I would give it a go in 2013.

The challenge this year requires the user to analyze a pcap file with over 170,000 records in it and determine what attacks were leveraged, what defensive techniques were used, etc. It was a lot of fun to start sifting through the records reconstructing what occurred.

I took notes, created a timeline and wrote a report which answered all four questions. I absolutely would not have been able to do as thorough a job a few months ago so it was a great feeling to see how much I’ve improved my skills.

2013 Review

My 2013 goal was to cram in as much information as I possibly could in an attempt to make sure that I had a good general overview of infosec. I ended up knocking out the following in chronological order.

  • Finishing up the Attack-Secure Penetration Testing Course
  • Taking the SANS SEC 401 and passing the GSEC
  • Taking the SANS FOR 408 and passing the GCFE
  • Reviewed the new course material for the FOR 508
  • Taking the SANS MGT 414 and passing the CISSP and GISP
  • Passed the CEH
  • Wrote a Python tool to analyze the iPhone application “Burner”
  • Taking the SANS SEC 542 and passing the GWAPT
  • Beta tested the new SANS FOR 585 Smart Phone Forensics Course (huge honor)
  • Taking SANS SEC 503 and passing the GCIA
  • Almost done reviewing the course material for the SEC 617

It was expensive, it was mentally draining and it was TOTALLY AWESOME. The experience was absolutely worth every penny and every hour.

I’m able to listen to the pauldotcom podcast and understand what’s being talked about, able to look at network flow reports and diagnose issues, able to fire up Linux and navigate around, able to quickly develop Python apps to solve problems and even able to look at network traffic at the packet level and know what I’m looking at. I know I’ve got a long way to go but I’m proud of the progress I’ve made.

I would also be remiss if I didn’t mention the fact that every time I’ve attended a conference I’ve met some amazing people that I keep in contact and I’ve also made some virtual friends online that I can’t wait to meet in person. My stable of security friends is growing monthly.

2014 Goals

While 2013 was packed full of classes and certs 2014 will be more about specific skills and projects. There will absolutely still be some classes (I’m already signed up for the SANS Penetration Testing SEC 560 course in February) but I’m more focused on a few particular topics.

Numbers 1 & 2:  Learning C and Assembly Language.

A lot of C looks very familiar from other languages that I’ve coded in (namely Python and PHP) but I never learned to program in C. I’m currently using some online tutorials and a book to work on my C and once I feel like I’ve got a good grasp on that then it’s moving on to assembly language.

Why oh why do I plan on subjecting myself to such pain? Because I know I need to in order to work on numbers 3 & 4.

Number 3: Learn Reverse Engineering

After I’m decent at C and Assembly I’m planning on going through the Practical Malware Analysis book. I may try to attend a SANS FOR 610 course later in the year but I’d really like to get a good grasp on the subject first.

Number 4: Learn Exploit Development

There are a lot of great online tutorials for exploit dev (inc. Corelan) but after my C and ASM I’m going to try to start off by signing up for a Joe McCray exploit dev course. I’ve watched a few of his YouTube videos on the subject (http://www.youtube.com/watch?v=eNSWUAVxbzk and http://www.youtube.com/watch?v=uPaJHT0Vv7E ) and I really enjoyed his teaching style.

Number 5: Continue Improving my Python

I’ve gotten very comfortable with Python and have written multiple tools with it but I want to continue improving it. I’ve signed up for Vivek’s http://www.pentesteracademy.com site and am currently working my way through his Python for Pentesting class. I will also make time to finally finish Violent Python. I love the book but it kept getting pushed aside for my courses and certs. I’d love to take the SANS 573 course at some point but we shall see.

Number 6: Continue to Improve my Linux skills

In 2013 I got comfortable in Linux. I can move around in it, run programs, solve basic problems etc. I even find myself using vi instead of gedit for simple tasks. I’ve still got A LOT of work to do on my Linux. I need to get more comfortable using sed, awk and other tools, making SSH second nature etc.

I know that I’ll never get my Linux skills to the level of someone who is a sys admin for Linux boxes every day but I know I need to get better.

Number 7: Improve my Macintosh skills

This one is easy since they’re pretty much nonexistent 🙂 I don’t really have a specific plan for this one other than I recently purchased a Mac Mini and I’m going to make an effort to use that more instead of my Windows laptop.

Number 8: Get my CTF on

This is the only one on the list that isn’t my idea. I discussed my 2014 to-do list with someone MUCH more skilled than I and he loved my list but suggested that I try to work in some CTFs to reinforce my skills and have some fun.

The only CTF type activity I’ve done has been NetWars at a SANS conference but I’m going to keep an eye out for opportunities this year.

I have a few other minor ones but those are the big ones. I’d love to hear any thoughts or suggestions.

SANS 503 and GCIA Thoughts

I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday so I thought I’d post a few thoughts on the class and the exam. It’s not a full review but if you have questions feel free to ask and I’ll do my best to answer them.

In the past people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area and I was 100% correct. In fact late on the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago.

I may have very well been the only student in class who had never held a networking job so in addition to learning low level packet skills I picked up a lot of knowledge about filters, improved my familiarity with Wireshark quite a bit and got a more in depth look at a lot of correlation and analysis topics that I learned about in SEC 401.

I had a harder time studying for this exam than any of the previous GIAC exams I’ve taken as I often felt mentally exhausted. It’s tough for me to know what percentage of that was from the material itself and what percentage was the 17 certifications in under two years pace I’ve been on but I still wanted to mention it.

I had heard that the GCIA was one of the more difficult SANS exams, saw that the passing score was only 67% and was honestly a little worried about the test. The practice exams drained me mentally but my scores were well above passing so I scheduled my test. I started the exam with a good score but on a slower than acceptable pace. My pace got quicker and quicker and I ended up finishing with a score of 92 and an hour left.

A few tips for anyone taking the GCIA exam:

  • I know I’m Mr. Index and I had a good one for this exam too but I used my index less on this test than I ever have before. You still absolutely need to make one (and make sure you include the packet header spreadsheet included on the course VM and a common port cheat sheet) but a lot of the questions required you to understand and apply concepts and analyze hex in addition to the normal syntax questions. Use lots of tabs on the books for this one my friends.
  • On the cover of my index I put what question I should be on at the one hour mark, two hour mark and three hour mark. I would recommend you do the same if you’re at all worried about time but don’t overreact if you’re behind pace early. I was 5 or 6 questions off the pace at the one hour mark but like I said earlier I ended up having an hour left at the end. You’ll end up performing the same sort of packet analysis repeatedly and will likely speed up quite a bit.

The 503 doesn’t have the sexiness of the hacking courses or the forensics courses but I enjoyed the class and it was a very important one for me as I really needed to work on my packet analysis skills. Next up on my to-do list is assembly language for reverse engineering and exploit development.

Review of the new SANS 585 Smartphone Forensics Course

I recently had the opportunity to beta test the soon to be released SANS 585 Smartphone Forensics course and I wanted to share some thoughts about the course content and the labs.

The course page on the SANS website (http://www.sans.org/event/for585-advanced-smartphone-mobile-device-forensics/course/advanced-smartphone-mobile-device-forensics) provides an accurate overview of each day’s topics so I’ll focus more on thoughts and opinions than lists.

Overview

The course starts with an overview of cellular technology and networks and quickly moves on to explore advanced topics. The jump from the basics into topics like wear leveling, garbage collection and so on is an earmark of a SANS forensics course, which is one of the reasons why I love these courses so much. The refresher of the basics is nice, but the integration of advanced issues – which is where many of us need the help – is nothing short of awesome. Throughout all five days, the course provides full-page examples that demonstrate the concepts explained within the content.

The initial section on parsing the contents of a SIM in hex is a smooth introduction into a course that delivers a healthy dose of hex each day. It’s important to understand that the emphasis on hex is never “hex for the sake of using hex.”

Hex is used to locate and parse artifacts that commercial programs will not automatically parse and for digging for deleted artifacts not present in the tools’ reporting mechanisms. One lab shows a tool reporting six entries in an application. Analyzing the underlying sqlite database confirms that the table does indeed have six entries. You can then look at the sqlite database in hex to uncover how many messages were not picked up in the report. This course is full of tricks of the trade that can make huge differences in efficacy in real world settings.
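The tool-versus-raw-bytes discrepancy described above, as an added example that is not part of the course material or of this post: a small Python script that builds a constructed SQLite message table (table name, message bodies and the marker strings are all assumptions), deletes two rows, and then compares what a SQL query reports against what a raw scan of the same file still contains. It also shows the opposite case, a database written with `PRAGMA secure_delete=ON`, where SQLite zeroes freed cells and the residue is gone.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data: eight chat messages carrying a distinctive marker
# (MSG-01 .. MSG-08) so that leftovers are easy to spot in the raw file bytes.
MESSAGES = [(i, f"MSG-{i:02d} sample message body number {i}") for i in range(1, 9)]
DELETED_IDS = (3, 6)            # rows the "user" deletes before the device is imaged
MARKER = re.compile(rb"MSG-\d{2}")


def build_sample_db(path, secure_delete=False):
    """Create the table, insert eight rows, then delete two of them.

    secure_delete=False is SQLite's usual default: a freed cell is only
    unlinked from the page's cell pointer array, its bytes stay in the page.
    secure_delete=True makes the engine zero freed space, which is what some
    privacy-conscious apps configure.
    """
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)", MESSAGES)
    conn.commit()
    conn.executemany("DELETE FROM messages WHERE id = ?", [(i,) for i in DELETED_IDS])
    conn.commit()
    conn.close()


def live_markers(path):
    """What a tool that queries the database through SQL will report."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT body FROM messages ORDER BY id").fetchall()
    conn.close()
    return {MARKER.search(body.encode()).group().decode() for (body,) in rows}


def carved_markers(path):
    """Scan the raw file bytes, no SQL involved, for anything message-shaped.

    This is the 'look at the database in hex' step: freed cells and the
    unallocated area of a page are invisible to SQL but still on disk.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    return {m.group().decode() for m in MARKER.finditer(raw)}


def recover_deleted(path):
    """Markers present in the raw bytes but absent from the SQL view."""
    return carved_markers(path) - live_markers(path)


def demo():
    """Run both variants; returns {secure_delete: (live_count, recovered)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for secure in (False, True):
            path = os.path.join(tmp, f"chat_secure_{secure}.db")
            build_sample_db(path, secure_delete=secure)
            results[secure] = (len(live_markers(path)), sorted(recover_deleted(path)))
    return results


if __name__ == "__main__":
    for secure, (live, recovered) in demo().items():
        print(f"secure_delete={secure}: SQL reports {live} rows, "
              f"raw scan adds {recovered or 'nothing'}")
```

The string scan is a triage signal, not a parser: it tells the examiner that the report undercounts, and which rows are worth reconstructing by walking the page's freeblock chain and unallocated region in a hex editor. The `secure_delete=ON` run is the caveat to keep in mind, since an app that sets it (or a database that has been vacuumed) leaves nothing for this scan to find.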

Also, the labs are all incredible and the ‘answers’ sections at the back of each lab are perfect. They don’t just give an answer; they give detailed walkthroughs with plenty of screenshots. It’s another testament as to how meticulous, knowledgeable and detail-oriented the course – and its designers – are.

Day One

The core concepts section covers the basics and continues with the overview of smartphone handling and acquisition and a tool overview. The course moves on to using FTK Imager to examine an SD card and to parsing SIM card data at the hex level. The first day ends with a section on general mobile device repair that provides an overview of resources, tools, and tips.

Day One’s appendix is a step-by-step guide to acquire data utilizing Cellebrite, XRY and Oxygen. Students who already perform mobile device forensics on a daily basis may not crack open this section of the book, but it contains great walkthroughs with plenty of pictures and is a great reference for those who are new to these tools.

Day Two

Day Two provides a detailed look at the Android file system, including where certain types of evidence may be located. While this section makes up the bulk of the day, the section at the end is where I’d like to share my observations.

The last part of Day Two starts off with a talk about malware and using Cellebrite PA to scan devices for malware. It also includes a few slides that introduce various Android spyware programs, available for purchase on the internet, and then show artifacts that these different applications could leave on a device. Mobile device spyware applications aren’t something that I look for on a regular basis, but this will be a fantastic resource for those times when I am in need of this information.

The appendix contains a guide to examining an image in Internet Evidence Finder and using XRY to parse a Samsung Kies backup.

Day Three

Day Three is for iOS devices and provides an in-depth look at the iOS file system and where certain types of evidence may be located. It also includes information on how to identify if a device has been jailbroken or wiped, how to recover data from third-party communication applications, and so on. In addition, there is some tool-specific content, including keyword searches and timeline generation.

Day Four

Day Four is split in half, with the first portion covering Blackberry devices and the second covering forensics on backup files.

The Blackberry device presentations are extremely in-depth and include familiarization with Blackberry artifacts at the hex level.

Several of the 585 labs do a solid job of reinforcing the concept that an examiner should use multiple tools to examine a device. However, one of the Day Four labs takes it to the next level by having the student examine a Blackberry device using four different methods. The student is given a list of questions to answer, and every one of the four examination methods used in the lab will reveal artifacts that the other three do not.

Day Five

Day Five is a grab bag day that covers Windows Mobile, Nokia & Symbian, knock-off devices and third-party applications.

The Nokia & Symbian section does a great job covering the file system and artifacts down to the hex level. The next time I have a question concerning a device running these operating systems, this book will be the first thing I reach for.

The Windows Mobile forensics section covers several topics including Windows Mobile registry analysis and usage artifacts.

The knockoff section provides both a good overview of dealing with clones and some specific guidance and examples for artifact parsing.

The final section discusses different types of third-party applications on iOS and Android devices and parsing these types of applications.

The Day Five appendix gives a step-by-step walkthrough for using a Cellebrite PA with CHINEX to examine a clone phone.

Conclusion

I’ve taken multiple mobile device forensics courses, including the SANS 563, and can say with the utmost confidence that this course is phenomenal. The books will be an invaluable desk reference the next time I’m poking around inside a file system, and the labs do a great job reinforcing lessons taught in the course.

The topics covered in the course can be considered advanced but are also very practical. Topics such as parsing and searching devices not supported by commercial tools and digging in hex for deleted artifacts are extremely important and not incredibly intuitive to try to learn through trial and error.

In closing, this course is a much-needed and valuable addition to the SANS forensics course lineup.

Thoughts on SANS Network Security 2013

I had six weeks between passing my GWAPT exam and attending SEC 503 at SANS Network Security 2013, so for the first time in the past fourteen months I took a break from studying and certifications. I still spent some time setting up a VM and building a python web scraping app but nothing worth blogging about.

For the second year in a row I was able to attend SANS Network Security in Las Vegas and for the second year in a row it was well worth it. I got back home last week and thought I’d type up a few quick thoughts on the conference since it’s been over a month since I’ve posted here.

In addition to seeing people that I wish I got to see more often I also got to meet some great new people that I look forward to talking more with in the future.

I (of course) attended the DFIR talk put on by Alissa Torres, Chad Tilbury, Lenny Zeltser and Rob Lee. It was a great talk and gave a sneak preview of each class and a nice overview of how they all fit together. That talk was followed by Jason Fossen’s talk “Windows Exploratory Surgery with Process Hacker”. The two main takeaways from this talk were:

  • He knows more about Windows than I will ever know about anything
  • He is friggin hilarious

The only other night talk I got a chance to attend was John Strand’s talk covering tools on the ADHD distro including HoneyBadger and ReconNG. I’ve used ReconNG a few times but a few of the other tools were new to me and the talk as a whole was highly informative and obviously entertaining.

There were a few other night talks that I wanted to attend but Netwars was calling my name. I got a chance to play for about an hour last year and had a blast so I was looking forward to being able to play for two full nights. I did a lot better than I did last year but I also identified several areas where I need to improve my skills in 2014.

While all of the things above were awesome the main reason for attending any SANS conference is the class itself. This year I was in Mike Poor’s 503 class on intrusion detection and packet analysis.

I was excited to get a chance to attend Mike’s class as packet analysis is an area where I have a ton of room for improvement as I rarely deal with it on a day to day basis. I always put in a lot of after class studying and test prep but this class may set the record as there’s a lot for me to work on. I’ll definitely have another post or two on my study process.

Regarding the in-class experience, Mike Poor is a fantastic instructor. He’s mellow, friendly, seems genuinely interested in his students, and leaves a very good impression.

Our teaching assistant was Judy Novak. I heard several “the legend of Judy Novak” stories from John Strand last year during my 504 class so it was cool to get to meet her. She is knowledgeable, helpful, funny, sweet and just 100% awesome. She gave an extra session on “IDS evasion using Scapy” late one afternoon which was a cool bonus.

All in all it was a great experience and I can’t wait until I get a chance to go to another.