Forensic Blogs

An aggregator for digital forensics blogs

July 1, 2012 by Little Mac

SANS DFIR Summit 2012 – Thoughts & Links

Well, this past week we wrapped up the SANS 2012 DFIR Summit in Austin, TX.  I think it's safe to say that a great time was had by all.  What was truly incredible was the time so many of us got to spend together in the week leading up to the Summit, while going through the wonderful training that SANS made available.

I got to see some people I haven't seen in a year (or more), as well as meet some in person that I've only known online.  And for the first time, I got to experience one of Harlan Carvey's presentations in person.  I'm not sure everyone's brains were awake enough quite yet for his keynote on day 2 of the Summit, but it really was a great talk, and he made some great points about things to consider when performing registry analysis on Win7.

Anyway, back to the point of all this.  I started out the Summit by eating at Stubbs BBQ with a dozen or so folks on my first day there, Wednesday the 20th.  Among these were Tom Yarrish, J. Michael Roberts and his wife Jennifer, Mike Pilkington, Jeremy Berger, and Alejandro Perez.  I recommended the serrano cheese spinach from having eaten at Stubbs once before, and it seemed to go over very well, which was good (I think everyone at my table ordered it); it could have gone so wrong.  ;D

As it turned out, my time there closed out the same; a very large group of us went to Stubbs for dinner on the last day of the Summit, and we had more good food and good times, with the likes of Cindy Murphy, Jen Krueger Favour, Kristinn Gudjonnson, and Shelly Giesbrecht.  I was scheduled to stay overnight and leave Thursday morning, but went ahead and left early to get back home and deal with the hail damage we sustained right before Summit.  That's a whole story in itself!

In between, we had a great opening keynote by Cindy Murphy, where she didn't talk about DFIR at all.  What?!  Might sound strange, but she did a great job, and we got to see Lee Whitfield with a parasol on an elephant.  No photo editing/alteration was involved, of course; that's just how Lee rolls...

Alissa Torres (Stay Outside Your Lane), Jeff Hamm (Carve Records Not Files), Chris Pogue (Sniper Forensics v3), and Hal Pomeranz (TrueCrypt Artifacts and Analysis) had just a few of the awesome presentations I attended.  Having two tracks made choosing difficult at times, unfortunately.  :(  In addition, Paul Henry did a SANS at Nite presentation on setting up a VMWare server on Mac Minis, and we had an awesome time at the SANS 360 Lightning Talks.  This was followed by an after-hours event sponsored by 21CT.  21CT, AccessData, VisibleRisk, JADsoftware, and Cellebrite all had a vendor presence at the Summit.

Also, SANS posted on twitter that all the presentations are available here.

I had the incredible honor of speaking at this year's Summit, and was able to close out the event by speaking at the end of the 2nd day.  Hopefully I "brought it!"  My talk was titled "Exfiltration Forensics in the Age of the Cloud" and was based on the idea of looking into host-side artifacts created by the client applications of cloud-based sync/backup services - namely Dropbox, SpiderOak, TeamDrive, ADrive, Carbonite and Mozy.  Dropbox was updating my work from last year, and the others were expanding on that base.  The idea was to show the risk that these services bring to a business (both internal and external), the types of artifacts that these applications introduce to a system, and what might be left behind after an uninstall.

I had a "cheatsheet" type of handout at my talk, which gave an overview of these artifacts.  I'm making that available online, along with a couple other spreadsheets, and a PDF of my presentation.  For the preso, I've included the notes along with the slides, so that there's a little more context for the bare bones of the slides.  Below is a download link to the 7zip archive.  It is encrypted, so please contact me for the passphrase.  I apologize for the inconvenience, but the reason is two-fold.  One, it gives me some idea who's interested in my research, and two (more importantly), it helps protect against the unscrupulous web scrapers that repost others' content as their own (which I've had happen before, unfortunately).

As a final note, I will be posting some of this over at ForensicArtifacts as a general resource for the larger community.  If you haven't been to ForensicArtifacts, you should check it out - it's a great community-driven site that hosts various artifacts and IOCs, and is a wonderful way to contribute without having to create an entire blog post.

Filename:   Cloud_Forensics_Research_Public.7z
Download:  https://www.box.com/s/a5b5c5b2f11f86f24c91
Hash:  a95ff597d1508db810df3a48a3313a4e (md5),   cd703fc9c60d599d53f2a9758cc49770c57ed069 (sha1)

PS: Since it's been several years, and much of the info has lost some usefulness (and just simplify, since people are still asking), here is the pass:  gcs^6k-'mhRy{dzC=)">+fVvtA!2*P

Read the original at: Forensicaliente - because digital forensics is 'hot'
Filed Under: Digital Forensics

May 15, 2012 by DC1743

Windows Live Messenger – MessengerCache folder

A recent case was unusual because most of the ipoc were located by the police examiner in a folder entitled MessengerCache at the path C:\Users\<username>\AppData\Local\Temp\MessengerCache.

My mission was to have a closer look at how this folder is utilised by the program Windows Live Messenger.  The folder is a hidden folder and is used for various purposes by WLM.  I found that the folder can be used to store the user tile (this may be an icon or a thumbnail photograph or graphic) and theme picture of a remote contact. Of course the remote user (who could be anywhere in the world) can change these at any time to a contraband image.  In Figure 1 below the screenshot shows the Windows Live Messenger program running upon the local user’s computer. The two photographs arrowed and labelled as Remote User Tile and Remote User Theme Picture respectively have been received from the remote user Mars with whom the local user is engaged in an instant messaging conversation.

[Figure 1: Windows Live Messenger running on the local user's computer, with the Remote User Tile and Remote User Theme Picture received from the remote user Mars arrowed and labelled]

It is also possible for a remote contact anywhere in the world whilst engaged in an instant messaging conversation with the local user to drag a picture file into the conversation window. This results in the picture concerned appearing in the local user’s conversation window in full size and thumbnail form and at the same time a copy of the picture and a thumbnail version are stored within the MessengerCache folder. In the case that the picture concerned was ipoc the local user’s only immediate option would be to close the conversation window. He would be unlikely to be aware that the photograph concerned was now stored upon his own computer in the MessengerCache folder. In Figure 2 the screenshot shows the local user’s conversation window after the remote user Mars has dragged a photograph of tulips into his conversation window. This has caused the local user’s conversation window to also display the tulip pictures. The tulip photograph would also be stored in full and thumbnail versions within the local user’s MessengerCache folder.

[Figure 2: the local user's conversation window after the remote user Mars has dragged a photograph of tulips into the conversation]

Figure 3 below illustrates a forensic examination of the local user’s MessengerCache folder. It can be seen that it contains the Remote User Tile and Remote User Theme Picture together with three different versions (they differ in resolution) of the Tulip picture. At this point none of these five pictures were solicited or accepted by the local user.

[Figure 3: forensic examination of the local user's MessengerCache folder, showing the Remote User Tile, the Remote User Theme Picture and three resolutions of the tulip picture]

In the case referred to the prosecution, after discussions at court, offered no evidence in respect to all the counts on the indictment that relied on the pictures located within the MessengerCache folder.  The defendant pleaded guilty to one count of possession not related to the MessengerCache pictures.

Read the original at:
Filed Under: Digital Forensics
Tagged With: Uncategorized

May 15, 2012 by DC1743

Old Servers never die – unfortunately

But you can bet your last penny that at some stage you will have to image them.  That is the problem I faced one wet weekend recently when I was required to image an HP behemoth resplendent with two sizable raid 5 arrays and two USB 1 ports.  All drive bays and ports were in use so I could not insert a new drive into the box to image it and I didn’t fancy imaging all the elderly SCSI raided hard drives separately.  I was permitted to shut down the server and had decided to boot the box to a forensic linux distro that had suitable HP Raid Controller drivers.

The problem I faced was USB1.  Obviously I needed to output my images somewhere and an external USB hard drive was an option.  But the maths didn’t add up – the maximum bandwidth of a USB1 port is 12 megabits per second (Mbps) which equates to 1.5 megabytes per second (MB/s) which equates to 5.4 Gigabytes per hour.  There were not going to be enough hours in this weekend to image both arrays on the server. 

What I did next I thought might be worth sharing with you.  I used dd to create a source image, netcat to pipe it to an onsite laptop across a network and ewfacquirestream to capture the dd image, hash it and write it into Encase evidence files. It can be carried out entirely at the command line.  Crucially I achieved an imaging speed of about 25 MB/s which is 1.46 gigabytes a minute or nearly 88 gigabytes an hour using gigabit network interface cards.  In testing I have achieved 39 gigabytes an hour using 10/100 NICs.

Method to image computers across a network

I connected my onsite laptop and the server via Cat5E cables to a Netgear GS105 5 port gigabit switch.  I attached a 2TB external hard drive to my onsite laptop and booted both the server and my laptop to a DEFT 7 forensic linux distro.

To configure Ethernet settings on both, using Gigabit NICs (10/100/1000) if available:
  • Launch terminal and at prompt type sudo su
  • At prompt type ifconfig to identify network cards
  • At prompt type ifconfig eth0 192.168.0.100 on onsite laptop and ifconfig eth0 192.168.0.101 on machine to be imaged (these commands assume that you are plugged into eth0 – if there is more than one NIC on the computer to be imaged it might be eth1 or higher)
  • Test connection by typing at prompt ping -c 5 192.168.0.100 or ping -c 5 192.168.0.101 as appropriate

On on-site laptop:
  • Connect collection hard disk drive
  • Launch terminal and at prompt type sudo su
  • At prompt type fdisk -l to identify storage drive
  • Create a folder to mount the storage drive to by typing mkdir /mnt/(name of your folder)
  • Next mount the storage drive to your folder by typing mount /dev/(sdb2 or whatever) /mnt/(name of your folder)
  • Now we create a netcat listener and a pipe to ewfacquirestream – at prompt type, but don't press enter just yet:
    nc -l 1234 | ewfacquirestream -c none -b 4096 -C case_number -D description -w -E evidence_number -e 'Richard Drinkwater' -t /mnt/(name of your folder)/(name of your evidence files)
    [relevant switches: -c compression type: none, fast or best; -b amount of sectors to read at once: 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768; the placeholder values (case_number, description, evidence_number, folder and file names) change to suit, and use single quote marks ('-- --') to group more than one word]

On machine to be imaged:
  • At prompt type sudo su
  • At prompt type fdisk -l to identify drive to be imaged
  • Next we prepare to dd the drive to be imaged and pipe it to netcat – at prompt type, but don't press enter:
    dd if=/dev/sdb conv=noerror,sync bs=4096 | nc 192.168.0.100 1234
    (if you are imaging a server with an HP Raid card the command might look something like dd if=/dev/cciss/c0d0 bs=4096 conv=noerror,sync | nc 192.168.0.100 1234)

Start imaging process:
  • Press enter within terminal on onsite laptop first to start netcat listener
  • Then press enter within terminal on machine to be imaged to start dd

When the acquisition completes ewfacquirestream outputs the "MD5 hash calculated over data" value to the terminal.  Either photograph this value or copy and paste it to a text file on your collection hard disk drive.
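The procedure above, as an added shell example that is not code from the original post. It builds the two command lines from parameters (rejecting -c and -b values that are not in the post's list), converts a link rate into the GB/hour figure used to plan a job (the USB1 arithmetic from earlier in the post), and rehearses the dd stream locally on a constructed sample file so the MD5 that ewfacquirestream would report over the stream can be compared with a plain hash of the source. Host addresses, the port, the mount path, the case details and the examiner name are placeholders; nothing here touches a real device.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the dd | nc |
# ewfacquirestream procedure: command-line builders with switch checks,
# throughput planning, and a local rehearsal of the stream hash.
# All hosts, ports, paths and case details below are placeholders.

# Sector counts accepted by ewfacquirestream -b, as listed in the post.
VALID_BLOCKS="64 128 256 512 1024 2048 4096 8192 16384 32768"

# check_block_size SECTORS: 0 if SECTORS is an accepted -b value
check_block_size() {
    for b in $VALID_BLOCKS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# check_compression LEVEL: 0 if LEVEL is one of the -c values (none, fast, best)
check_compression() {
    case "$1" in none|fast|best) return 0 ;; *) return 1 ;; esac
}

# receiver_cmd PORT COMPRESSION SECTORS CASE EVIDENCE EXAMINER TARGET
# Prints the listener line for the onsite laptop; fails on a bad switch value.
receiver_cmd() {
    check_compression "$2" || { echo "bad -c value: $2" >&2; return 1; }
    check_block_size "$3"  || { echo "bad -b value: $3" >&2; return 1; }
    printf "nc -l %s | ewfacquirestream -c %s -b %s -C %s -D description -w -E %s -e '%s' -t %s\n" \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# sender_cmd DEVICE LAPTOP_IP PORT BYTES
# Prints the dd line for the machine being imaged. dd's bs is in bytes while
# ewfacquirestream -b counts sectors, so the two "4096"s are not the same size.
sender_cmd() {
    printf "dd if=%s conv=noerror,sync bs=%s | nc %s %s\n" "$1" "$4" "$2" "$3"
}

# gb_per_hour MB_PER_SEC: sustained rate as decimal GB/hour, one decimal place
gb_per_hour() {
    awk -v r="$1" 'BEGIN { printf "%.1f\n", r * 3600 / 1000 }'
}

# hours_to_image GB MB_PER_SEC: wall-clock hours for GB of data at that rate
hours_to_image() {
    awk -v g="$1" -v r="$2" 'BEGIN { printf "%.1f\n", g * 1000 / (r * 3600) }'
}

# stream_md5 FILE BYTES: MD5 of FILE as dd delivers it to netcat, i.e. with
# conv=noerror,sync padding a short final block with NULs.
stream_md5() {
    dd if="$1" bs="$2" conv=noerror,sync 2>/dev/null | md5sum | cut -d' ' -f1
}

# file_md5 FILE: plain MD5 of the source, the value the stream hash is checked against
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# rehearse SIZE_BYTES BLOCK_BYTES: builds a constructed source of SIZE_BYTES,
# hashes it both ways and prints "match" or "padded". A size that is not a
# multiple of the block size is padded by conv=sync, so the MD5 reported at
# the end of the acquisition will not equal a hash of the raw source.
rehearse() {
    tmp=$(mktemp -d) || return 2
    dd if=/dev/zero bs="$1" count=1 2>/dev/null | tr '\0' 'A' > "$tmp/src.img"
    if [ "$(stream_md5 "$tmp/src.img" "$2")" = "$(file_md5 "$tmp/src.img")" ]; then
        result=match
    else
        result=padded
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Worked run with placeholder values
receiver_cmd 1234 none 4096 CASE001 EV01 'Examiner Name' /mnt/collection/ev01
sender_cmd /dev/cciss/c0d0 192.168.0.100 1234 4096
echo "USB1 at 1.5 MB/s: $(gb_per_hour 1.5) GB/h; 2 TB would take $(hours_to_image 2000 1.5) h"
echo "gigabit at 40 MB/s: $(gb_per_hour 40) GB/h"
echo "8192-byte source, bs=4096: $(rehearse 8192 4096)"
echo "8200-byte source, bs=4096: $(rehearse 8200 4096)"
```

The rehearsal is the part worth keeping in mind when the reported MD5 is later compared against a hash taken another way: a physical disk is a whole number of 512-byte sectors, but with bs=4096 the final read can still be short, and conv=sync then pads it, so the hash ewfacquirestream prints is over the padded stream rather than the raw device.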

Notes re imaging speed

In testing where the NICs are both gigabit, speeds of over 40 MB/s (144 GB/h) can be achieved.  With 10/100 NICs up to 11 MB/s (39.6 GB/h) can be expected.  Compression and block size do affect imaging speed, and if you have time it may be worth fine-tuning these settings.  The settings shown in this post are probably a good starting point.  To fine-tune, run the imaging process with the settings in this post.  After 5 minutes or so, if you are getting poor speeds, stop the process and try adjusting the compression setting on the onsite laptop (i.e. change from none to fast).  Sometimes either doubling or halving the block size on both source and receiver machines can make a difference also.

Read the original at: Forensics from the sausage factory
Filed Under: Digital Forensics
