Forensic Blogs

An aggregator for digital forensics blogs

September 20, 2019 by LCDI

Windows Store and Apps Analysis – MUS2019

Windows Store and Apps (APPX) Analysis

While attending the Magnet User Summit in Nashville, I had the opportunity to sit in on fascinating talks and labs. One of my favorites was the talk about Universal Windows Apps given by our very own Professor Yogesh Khatri and Jack Farley. As somebody who knew next to nothing about UWP apps, I was both impressed and surprised by Microsoft. Let’s talk about some of the highlights!

UWP Apps Pros and Cons

Firstly, what is a UWP app? The Universal Windows Platform is Microsoft’s app model for Windows 10: one SDK and one package format (APPX) meant to run across desktop, Xbox, HoloLens and IoT devices with a consistent user experience. You may not think you use these, but the Windows 10 Photos viewer, Calculator, and Settings app are all UWP apps.

Apps are delivered through the Microsoft Store as signed packages, which gives Windows a way to check the integrity and authenticity of what gets installed. The packages also run sandboxed in an AppContainer: they see only a limited subset of the Win32 API, get a private registry hive of their own (Settings\settings.dat) instead of the system registry, and cannot touch the file system outside their own container folder beyond what their declared capabilities allow. That’s where Microsoft surprised me—sandboxing has been a hallmark of Mac App Store apps for years, and it’s great to see this essential security feature come to Windows.

You can manage permissions for these apps and these permissions are called “capabilities”; they are declared in the package manifest, and the sensitive ones (camera, microphone, location) can be toggled by the user under Settings > Privacy. The apps are also all neatly organized into their own folders, each with a unique directory name. And this is where I am not at all surprised by Microsoft: there are FOUR different naming schemes for these apps and each scheme is used in a different place. This is the sort of confusing and complicated design choice that I would expect of the people who brought us… well, Windows. Further, to reach anything outside their container (a user-picked file, the clipboard, a camera) they go through a separate broker process, RuntimeBroker.exe, which enforces the declared capabilities on the app’s behalf. This seems like a sloppy implementation since there will probably be numerous different RuntimeBrokers running at any given time.

App Use and Functionality 

As for what sorts of artifacts you can find in these container folders (under %LOCALAPPDATA%\Packages\<PackageFamilyName>): if the app has any internet functionality there will be cookies, history, cache and so on in its AC subfolder (INetCookies, INetHistory, INetCache). There is also a RoamingState folder for data that is synced across devices signed in with the same Microsoft account, a LocalState folder for data that stays on the machine, and a LocalCache folder for large files that the app can recreate but would rather not.
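As an added example (not from the original post and not one of the Appx-Analysis tools), here is a small Python triage script for the container layout described above, which also gives you a per-user list of installed apps, since each directory under Packages is one package. It assumes the standard location %LOCALAPPDATA%\Packages\<PackageFamilyName> and the subfolder names listed in CONTAINER_DIRS. The sample tree it builds in a temporary directory is constructed for the demo: Contoso.NewsReader and its publisher ID are made up, while Microsoft.WindowsCalculator_8wekyb3d8bbwe is the Calculator’s real package family name.

```python
"""Triage of UWP app container folders (added example, not the original post's code).

Layout assumed: %LOCALAPPDATA%\\Packages\\<Name>_<PublisherId>\\{AC,LocalCache,LocalState,...}
"""
import os
import sys
import tempfile
from typing import Dict, List, Tuple

# Standard subfolders of a package container and what they hold.
CONTAINER_DIRS = {
    "AC": "AppContainer-private data; WinINet artifacts (INetCache, INetCookies, INetHistory) live here",
    "LocalCache": "large, recreatable data the app would rather not rebuild",
    "LocalState": "app data that stays on this machine",
    "RoamingState": "data synced across devices signed in with the same Microsoft account",
    "Settings": "settings.dat, a registry hive holding the app's per-user settings",
    "TempState": "scratch files the OS may purge",
}
INET_DIRS = ("INetCache", "INetCookies", "INetHistory")


def package_family(dirname: str) -> Tuple[str, str]:
    """Split 'Microsoft.WindowsCalculator_8wekyb3d8bbwe' into (name, publisher id)."""
    name, _, publisher_id = dirname.rpartition("_")
    return name, publisher_id


def count_files(path: str) -> int:
    return sum(len(files) for _, _, files in os.walk(path))


def triage_package(pkg_dir: str) -> Dict:
    name, publisher_id = package_family(os.path.basename(pkg_dir))
    report = {"package": name, "publisher_id": publisher_id, "dirs": {}, "internet": {}}
    for sub in CONTAINER_DIRS:
        p = os.path.join(pkg_dir, sub)
        if os.path.isdir(p):
            report["dirs"][sub] = count_files(p)
    # Internet artifacts only exist if the app used WinINet from inside its container.
    for sub in INET_DIRS:
        p = os.path.join(pkg_dir, "AC", sub)
        if os.path.isdir(p):
            report["internet"][sub] = count_files(p)
    report["has_settings_hive"] = os.path.isfile(os.path.join(pkg_dir, "Settings", "settings.dat"))
    return report


def triage_packages_root(root: str) -> List[Dict]:
    """Walk a Packages folder; every '<Name>_<PublisherId>' directory is one installed app."""
    reports = []
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        if os.path.isdir(full) and "_" in entry:
            reports.append(triage_package(full))
    return reports


def _touch(path: str, content: bytes = b"") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def build_sample_packages_root() -> str:
    """Constructed sample tree for the demo (not a real acquisition)."""
    root = tempfile.mkdtemp(prefix="Packages_")
    calc = os.path.join(root, "Microsoft.WindowsCalculator_8wekyb3d8bbwe")
    _touch(os.path.join(calc, "LocalState", "history.txt"))
    _touch(os.path.join(calc, "Settings", "settings.dat"), b"regf")  # real hives start with 'regf'
    news = os.path.join(root, "Contoso.NewsReader_abcdefghijklm")  # hypothetical app
    _touch(os.path.join(news, "AC", "INetCookies", "cookie1.txt"))
    _touch(os.path.join(news, "AC", "INetCookies", "cookie2.txt"))
    _touch(os.path.join(news, "AC", "INetHistory", "container.dat"))
    for i in range(3):
        _touch(os.path.join(news, "LocalCache", f"image{i}.jpg"))
    _touch(os.path.join(news, "RoamingState", "prefs.json"))
    _touch(os.path.join(news, "Settings", "settings.dat"), b"regf")
    return root


if __name__ == "__main__":
    packages_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_packages_root()
    for r in triage_packages_root(packages_root):
        print(f"{r['package']} (publisher {r['publisher_id']})")
        print(f"  dirs: {r['dirs']}  internet: {r['internet']}  settings.dat: {r['has_settings_hive']}")
```

Point it at Users\<user>\AppData\Local\Packages on a mounted image to get one report per app; the Settings\settings.dat hive can then be opened with any offline registry parser.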

These apps function like mobile apps in that when they are inactive, they are suspended to conserve resources. The threads are stopped but the app stays in memory (unless Windows needs the memory for something else). When the pages of a suspended app do need to be set aside for a while, they are written to C:\swapfile.sys rather than to the regular pagefile.sys, and on Windows 10 they may be compressed first, so a plain strings run over that file will miss some of them.

There was a lot more to talk about, too: what’s leftover after an app is uninstalled (lots of registry stuff!), how you can get lists of installed apps, and so on. The slides and tools from the presentation can be found at https://github.com/ydkhatri/Appx-Analysis if you want to learn more.

I am grateful to have had the opportunity to attend this talk and many others at the conference. Thank you to the LCDI and Magnet Forensics for making this possible!

 

Blog written by Champlain College first year Jessica Hunsberger

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Windows Store and Apps Analysis – MUS2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized
Tagged With: Apps, Blog Post, Champlain College, Events, LCDI, Magnet, Magnet Forensics, MUS2019, Nashville, windows

September 17, 2019 by LCDI

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College.  It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, “memory” means the physical RAM plus the system files that RAM spills into: pagefile.sys (pages the kernel has swapped out) and hiberfil.sys (the compressed copy of RAM written at hibernation). A lot of forensic artifacts reside only in memory and should not be ignored: everything that executes on the machine passes through RAM, including code and data that are never written to disk. Memory acquisition also takes a fraction of the time of a hard drive acquisition, which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, PhotoRec, Scalpel, Volatility, page_brute.py and YARA. You can also use strings and grep with regular expressions. I had a bit of experience with all these tools except for YARA, which was completely new to me. It is a tool that lets the analyst write rules made of textual and/or binary patterns to hunt for malware or anything else they choose. page_brute.py splits pagefile.sys into 4 KB pages and runs YARA rules over each page from the command line, so every hit can be tied back to the page it came from. Volatility can convert hiberfil.sys into a raw memory image (.bin) for faster analysis. It is also extensible, i.e. you can write your own plugins or modify existing plugins for your analysis.
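Added example (not from the talk and not page_brute.py’s own code): a simplified page-at-a-time scanner in Python that shows the idea behind page_brute.py. It uses regular expressions where page_brute uses YARA rules, splits the input into 4 KB pages, and checks each page for both ASCII and UTF-16LE (“wide”) strings, which is what YARA’s wide modifier gives you. The pagefile it scans is a constructed byte blob built by build_sample_pagefile(); the URL deliberately split across pages 3 and 4 is there to show the main weakness of page-wise scanning.

```python
"""Page-wise string hunting over a pagefile-like blob (added example, not page_brute.py itself)."""
import re
import sys
from typing import Dict, Iterator, List, Tuple

PAGE_SIZE = 4096  # Windows pages memory out in 4 KB pages, so pagefile.sys is scanned per page

# One pattern per "rule"; each is compiled once for raw ASCII bytes and once for decoded
# UTF-16LE text, because Windows stores most strings (paths, URLs, registry data) as UTF-16LE.
RAW_PATTERNS = {
    "url": r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]{4,}",
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "win_path": r"[A-Za-z]:\\(?:[A-Za-z0-9 ._-]+\\)+[A-Za-z0-9 ._-]+",
}
ASCII_RULES = {name: re.compile(p.encode("ascii")) for name, p in RAW_PATTERNS.items()}
WIDE_RULES = {name: re.compile(p) for name, p in RAW_PATTERNS.items()}


def iter_pages(data: bytes) -> Iterator[Tuple[int, bytes]]:
    for start in range(0, len(data), PAGE_SIZE):
        yield start // PAGE_SIZE, data[start:start + PAGE_SIZE]


def scan_page(page_no: int, page: bytes) -> List[Dict]:
    base = page_no * PAGE_SIZE
    hits = []
    for name, rule in ASCII_RULES.items():
        for m in rule.finditer(page):
            hits.append({"page": page_no, "offset": base + m.start(), "rule": name,
                         "encoding": "ascii", "value": m.group().decode("ascii")})
    # A UTF-16LE string can start at an even or an odd byte offset, so decode both alignments.
    # errors="replace" keeps one character per two bytes, so the file offsets stay exact.
    for align in (0, 1):
        text = page[align:].decode("utf-16le", errors="replace")
        for name, rule in WIDE_RULES.items():
            for m in rule.finditer(text):
                hits.append({"page": page_no, "offset": base + align + 2 * m.start(), "rule": name,
                             "encoding": "utf-16le", "value": m.group()})
    return hits


def scan_pagefile(data: bytes) -> List[Dict]:
    hits = []
    for page_no, page in iter_pages(data):
        hits.extend(scan_page(page_no, page))
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_pagefile() -> bytes:
    """Constructed 8-page blob standing in for pagefile.sys (not real data)."""
    pages = [bytearray(PAGE_SIZE) for _ in range(8)]

    def place(page_no: int, offset: int, payload: bytes) -> None:
        assert offset + len(payload) <= PAGE_SIZE
        pages[page_no][offset:offset + len(payload)] = payload

    place(2, 100, b"https://example.com/login?user=alice")            # ASCII URL
    place(3, PAGE_SIZE - 10, b"https://ev")                             # URL split across a page boundary...
    place(4, 0, b"il.example.com/payload")                              # ...so neither half matches on its own
    place(5, 200, "alice@example.com".encode("utf-16le"))               # wide (UTF-16LE) string
    place(7, 0, b"C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe")  # ASCII path
    return b"".join(bytes(p) for p in pages)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pagefile()
    for h in scan_pagefile(blob):
        print(f"page {h['page']:>7} offset 0x{h['offset']:09x} {h['rule']:<8} {h['encoding']:<8} {h['value']}")
```

Because pages are scanned independently, anything that straddles a 4 KB boundary is lost (the sample’s evil.example.com URL never shows up); any per-page scanner has the same limitation, so pair it with a whole-file pass such as strings or Bulk Extractor when you need completeness rather than page attribution.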

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated: RAM is gone the moment the machine powers down, so it has to be acquired before the disk and before the system is touched any further. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics is working on and how beneficial their products have been to the industry, both in the private sector and in law enforcement.

 

Blog written by Champlain College junior Lavine Oluoch 


The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Blog Post, Champlain College, Digital Investigation, forensics, Magnet, Magnet Forensics, MUS2019, Nashville, Networking, Public Appearance, Update, windows

September 17, 2019 by LCDI

Leveraging PowerShell & Python MUS 2019

Leveraging PowerShell & Python for Incident Response & Live Investigation With Chet Hosmer

Recently, I had the great opportunity to attend the 2019 Magnet User Summit hosted by Magnet Forensics in Nashville, Tennessee. Presenters at the Magnet User Summit dedicate their time to presenting new research, demonstrating new techniques, and teaching users in the fields of digital forensics and investigation. There were many great presentations and labs that I attended and learned so much from!

As someone who uses Windows PowerShell and Python for scripting, I took notice of a presentation called “Leveraging PowerShell & Python for Incident Response & Live Investigations” presented by Chet Hosmer, founder of Python Forensics. I was excited to find new ways to expand my knowledge of PowerShell and Python and increase my proficiency.

PowerShell and Python

Windows PowerShell is a command shell and scripting language created by Microsoft. It provides far more than the basic Windows command line: cmdlets return objects rather than text, so output can be filtered, sorted and exported without any parsing. System and network administrators use it for automation, and forensic investigators use it for the same reason; it excels at acquiring evidence and artifacts from a live system. PowerShell Core (version 6 and later) is also available for Linux and macOS, which makes it even more useful. Python is an object-oriented scripting and programming language. It is simple enough for beginners but still powerful enough for experienced users, and it has been integrated into many popular tools for digital forensics, cybersecurity, and incident response.

One point that Hosmer highlighted is that Microsoft’s PowerShell really excels at evidence and artifact acquisition, while Python is good at analysis and examination of data. Therefore, combining the two would create a powerful platform for DFIR. To accomplish this, he has created two methods of integration between them.

Image taken from Chet Hosmer

Integrating PowerShell and Python

The first method starts from Python: a Python script accepts the parameters, launches PowerShell (through the subprocess module) with a PowerShell script and those parameters on its command line, and then reads, analyzes and presents what the PowerShell script returns. The second method starts from PowerShell: the PowerShell script gathers the data and pipes it to Python, which analyzes and organizes it. Both methods work equally well; if one is more experienced in PowerShell they may prefer the second, and vice versa. In the first, Python’s subprocess call carries the variables through to the PowerShell script as arguments; in the second, PowerShell pipes into Python with a standard pipe such as “| & $Python $Script”, and the Python script reads the piped data from stdin. Serializing the PowerShell side with ConvertTo-Json before the pipe is a cheap way to spare the Python side from parsing formatted text.
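Added example of the second method (PowerShell acquires, Python analyzes); it is an illustration written for this page, not Hosmer’s code. The assumed PowerShell side is a one-liner over Get-CimInstance Win32_Process that serializes with ConvertTo-Json and pipes into this script, shown in the comment at the top; the JSON field names (ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine) are the real Win32_Process properties, and the embedded SAMPLE_JSON is a constructed process list used when nothing is piped in. acquire_via_powershell() shows the first method (Python launching PowerShell with subprocess) and only runs if you call it with a script path; the triage heuristics (binaries running from user-writable folders, an Office app spawning a shell) are ordinary IR checks, not something from the talk.

```python
"""PowerShell -> Python hand-off for live triage (added example, not Chet Hosmer's code).

Method 2 (PowerShell drives; $Python and $Script are assumed paths):
    $Python = "C:\\Python39\\python.exe"; $Script = "triage_procs.py"
    Get-CimInstance Win32_Process |
        Select-Object ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine |
        ConvertTo-Json -Depth 2 | & $Python $Script

Method 1 (Python drives): acquire_via_powershell("Get-Procs.ps1", "-Depth", "2")   # hypothetical script
"""
import json
import subprocess
import sys
from typing import Dict, List

# Folders any user can write to; a binary executing from here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def load_records(text: str) -> List[Dict]:
    """ConvertTo-Json emits a bare object for a single result and an array otherwise."""
    obj = json.loads(text)
    return obj if isinstance(obj, list) else [obj]


def analyze(records: List[Dict]) -> List[Dict]:
    by_pid = {r["ProcessId"]: r for r in records}
    findings = []
    for r in records:
        name = (r.get("Name") or "").lower()
        path = r.get("ExecutablePath") or ""  # null for System/Idle and protected processes
        if any(frag in path.lower() for frag in USER_WRITABLE):
            findings.append({"pid": r["ProcessId"], "name": name,
                             "reason": "runs from user-writable path", "detail": path})
        parent = by_pid.get(r.get("ParentProcessId"))
        if parent and (parent.get("Name") or "").lower() in OFFICE and name in SHELLS:
            findings.append({"pid": r["ProcessId"], "name": name,
                             "reason": f"{parent['Name']} spawned a shell",
                             "detail": r.get("CommandLine") or ""})
    return findings


def acquire_via_powershell(script_path: str, *params: str) -> List[Dict]:
    """Method 1: Python launches PowerShell, passes parameters, reads the JSON it prints."""
    cmd = ["powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", script_path, *params]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return load_records(proc.stdout)


# Constructed sample of what the PowerShell one-liner above would emit (not a real capture).
SAMPLE_JSON = json.dumps([
    {"ProcessId": 4, "ParentProcessId": 0, "Name": "System", "ExecutablePath": None, "CommandLine": None},
    {"ProcessId": 1200, "ParentProcessId": 800, "Name": "explorer.exe",
     "ExecutablePath": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"ProcessId": 3100, "ParentProcessId": 1200, "Name": "WINWORD.EXE",
     "ExecutablePath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n invoice.docm"},
    {"ProcessId": 3388, "ParentProcessId": 3100, "Name": "powershell.exe",
     "ExecutablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"},
    {"ProcessId": 4012, "ParentProcessId": 3388, "Name": "stage.exe",
     "ExecutablePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe", "CommandLine": "stage.exe"},
])


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for f in analyze(load_records(raw)):
        print(f"PID {f['pid']:>6} {f['name']:<16} {f['reason']}: {f['detail']}")
```

The analysis side never has to know which shell produced the records, so the same script serves both methods: under method 1 acquire_via_powershell() feeds it, under method 2 stdin does.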

With the rise of cloud infrastructure and international use, Hosmer also demonstrated that PowerShell can interact with and pull logs from Microsoft Azure. Azure is Microsoft’s cloud platform, aimed largely at businesses and enterprises. Cloud has become a large source of data and potential evidence for digital investigators, but it is often harder to access and difficult to integrate into tools. To interact with Azure, the user installs the ‘AzureRM’ module with the ‘Install-Module’ cmdlet and signs in with Connect-AzureRmAccount; once installed, PowerShell has access to thousands more cmdlets dedicated to Azure. One caveat: Microsoft has since replaced AzureRM with the ‘Az’ module (cmdlets prefixed Az instead of AzureRm, e.g. Connect-AzAccount), so new scripts should target Az.

Conclusion

Over my two days at Magnet User Summit, I met with many professionals and had a great time attending presentations on new technologies and techniques. I also learned how to use the tools created by Magnet and improved my forensics skills. I really did learn a lot from the summit and had plenty of fun too. I am glad I got this great opportunity to learn and network with industry professionals. Thank you to both the Leahy Center for Digital Investigation and Magnet Forensics for giving me this great opportunity.

 

Blog written by Champlain College sophomore Chris Mathieson


The post Leveraging PowerShell & Python MUS 2019 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Champlain College, computer forensics, conference, Digital forensics, Events, LCDI, Magnet, Magnet Forensics, MUS2019, powershell, Public Appearance, Python

All content is copyright the respective author(s)