Forensic Blogs

An aggregator for digital forensics blogs

by

Windows IoT, Vulscan, and Other Problematic Programs

Introduction

Last time we touched base, we described our journey into starting our work at the LCDI and our growth as interns, as well as some of the things we learned so far. Today, however, we wanted to touch on a different subject. Many forget that the mistakes, accidents, hiccups, and small failures of any project are just as important as the successes. Sometimes they’re more important as their lessons are greater than those you learn miraculously getting something right the first try. Although we’d like you to think we’re hyper-intelligent computer networking wizards who are ahead of the game, we aren’t. We have made some blunders, a decent number of errors, and a handful of happy accidents on this quest—but we are all the better for it.

“I have some choice words for Windows IoT”

The first scans we ran were on a small network of Raspberry Pis which were all running different services. One of these services was a Windows machine, and the unexpected hassle of setting up such a device was grueling. The only Windows OS “optimized” to work on a Pi is Windows IoT Core, which is Microsoft’s crack at a lightweight Internet of Things (IoT) operating system. If you’ve never heard of it, it’s probably because Microsoft would rather not advertise it. The service is free to download, but is not, in fact, designed optimally.

After first burning Windows IoT to a microSD, we plugged the SD into the Pi and turned it on. Windows IoT failed to boot, not once, not twice, but so many times we lost count. Even after we followed instructions step-by-step from both Microsoft and other websites, it refused to cooperate. After about two hours of attempting to boot Windows IoT, reburning it to the SD, trying a different SD, and failing some more, Windows IoT booted successfully without us doing anything differently the next day.

Once we logged onto Windows IoT, we needed to set it up to work with SSH so that we could input commands to it from our workstations. We didn’t need Windows IoT for anything specific, we just needed some sort of Windows machine to secure a connection to. However, getting Windows IoT to establish SSH connections required another three hours of trial, error, and scratching heads. Finally, we turned the machine off, reburned the SD with another fresh copy of Windows IoT, turned it on, and lo and behold, it worked—again without us doing anything differently. This worked for about a week until one day, the password and SSH key randomly changed during a scan cycle.

The palpable frustration we experienced as a team cannot be understated. But the moral of the story is keep working at it. We didn’t necessarily have to use Windows IoT. In fact, we would have preferred we didn’t, after the problems it caused. But we got it to work, and that’s what really counts.

What’s the deal with Vulscan?

Vulscan is a plugin for Nmap that adds vulnerability database checking functionality. It’s designed to take advantage of Nmap (which, if you remember from last time, is the software we’re using to scan the network) and its more invasive functions to diagnose potential problems that may occur with the machine automatically. This service was the thing we were looking for; without it, a person would have to diagnose all vulnerabilities by looking at our reports, which are sometimes very long, and may not provide all the necessary information.

We set up Vulscan early, but ran into problems as it didn’t run due to how we set up Nmap. Once we figured out our mistake and got Vulscan working, it became clear that the script was not optimized. Because it uses Nmap’s scripts for parsing potential vulnerabilities, the best Vulscan can do is guess what vulnerabilities are present. And it will give you every single guess it has, even the ones it knows aren’t likely to be true.

This headache was compounded when we learned that Vulscan would not run in our own script. It turned out we were actually using a slightly different version of Nmap, called libNmap. This version of Nmap is designed to run in a Python script which meant Vulscan didn’t recognize it as Nmap. So, our choice was to either scrap the completed script we made, which worked as intended, putting us at least a week or two behind, or abandon Vulscan and stick with what we had.

Ultimately, we decided to ditch Vulscan rather than sacrifice the valuable time spent on our script. Although it contradicts the last anecdote, sometimes it’s better to cut your losses and stick with what works rather than fix what’s broken.

Conclusion

Now, I know that these stories may leave the reader on a sour note, and that was somewhat intentional. Our team experienced these major frustrations and it helps to understand them for the reasons I described above. I hope that if people in the future ever try to replicate this project, they heed the advice presented here.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Windows IoT, Vulscan, and Other Problematic Programs appeared first on The Leahy Center for Digital Investigation.

by

Windows Fall Creator Introduction

Pick Up Where I Left Off: Windows Innovative New Feature Coming Soon?

This spring, the Windows Fall Creator team will research a new Microsoft feature coming out over the next few months. The Windows Fall Creator/Redstone 4 update will provide users with the ability to continue right where they left off on other devices, as well as after power state changes. It is similar to Apple’s Auto Resume feature, except that it will be cross-platform enabled.

 

 

The Project

Before the release of the Windows Fall Creators Update, Pick Up Where I Left Off was discussed as a cross-platform version of Apple’s Handoff and Auto Resume features.   Our focus is on how it works, where the information is stored, and the security risks involved.  The official launch of “Pick Up Where I Left Off” has been delayed until the Windows Redstone 4 Update.  This update should be rolling out at some point this spring. While the Pick Up Where I Left Off feature isn’t available yet, pieces are through which we can start to see its functionality.

Our Procedure

We have researched and played around with the pieces of Pick Up Where I Left Off that are available.  After that, we joined the Windows Insider Program to get preview builds of the Redstone 4 update. This will allow us to test the actual feature before it’s released to the general public. We have created 4 virtual machines to run this preview build of Windows 10. These machines will be used to test different aspects of the feature. The following scenarios will be tested: the feature with only one person who uses the computer, the feature with two people who use the same computer, and one person who uses two different computers with the feature. After, we will test the feature out with cross-platform smartphones and a Microsoft Surface Pro.

Conclusion

The next step for our project will be researching the current Insider’s build for Windows 10. We will experiment using the new features it has to offer. After the Redstone 4 Update is released, we will experiment using the feature on that version of Windows.  By the end of this project, we hope to have an understanding of what Pick Up Where I Left Off is doing behind the scenes. We also hope to learn about its functionality and implications. Stay tuned for more updates to come and follow us on Twitter @ChampForensics,  Instagram @ChampForensics and Facebook @ChamplainLCDI.

References

Bowden, Z. (2015, October 30). Windows 10 Redstone: Continuum to be big focal point with new ‘Continuity-like’ features. Retrieved February 12, 2018, from https://www.onmsft.com/news/windows-10-redstone-continuum-to-be-big-focal-point-with-continuity-like-features

Bright, P. (2017, May 11). Microsoft reaches beyond Windows with Timeline and Pick Up Where I Left Off. Retrieved February 12, 2018, from https://arstechnica.com/information-technology/2017/05/timeline-and-cortana-make-windows-better-even-when-youre-not-using-it/

Brink, S. (2018, January 09). Turn On or Off Cortana Pick up where I left off in Windows 10. Retrieved February 12, 2018, from https://www.tenforums.com/tutorials/82752-turn-off-cortana-pick-up-where-i-left-off-windows-10-a.html

Brink, S.  (2017, April 11). Windows 10 help and support forum. Retrieved February 12, 2018, from https://www.tenforums.com/windows-10-news/81566-what-s-new-windows-10-creators-update.html

Hay, R. (2017, August 31). Cortana’s “Pick up where you left off” Feature is almost Windows Timeline Light. Retrieved February 12, 2018, from http://www.itprotoday.com/windows-10/cortanas-pick-where-you-left-feature-almost-windows-timeline-light

Martin, J. (2018, January 23). Microsoft is experimenting with some radical new features in Windows 10, including sets. Retrieved February 12, 2018, from https://www.techadvisor.co.uk/new-product/windows/windows-10-fall-creators-update-3496959/

TinsleyNET Admin. (2017, October 25). Windows 10 “Fall Creators Update” [Web log post]. Retrieved February 8, 2018, from https://www.tinsleynet.co.uk/2017/windows-10-1709/#more-1397

The post Windows Fall Creator Introduction appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Update 1

Introduction

This project focuses on searching for artifacts left by common desktop applications. We will be analyzing each application within Windows 10. It is the second most popular version of windows. We began by generating data on virtual machines with the chosen applications. The next step is to use various forensic tools to extract information that could be of forensic interest. This includes any artifacts that could be relevant either for security or for use in a forensic investigation.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, Lastpass, and Fitbit.  Based on LastPass’s emphasis on security, we expect that it will yield the least amount of artifacts. Likewise, Steam is notorious for not keeping chatlogs on the user’s side, whether PC or on a mobile device. As such, it would make sense to assume that the amount of information stored on the host is minimal. But, Fitbit may save crucial information on the host for offline use of the app.

Choosing the Applications

In narrowing the list of possible applications down, there were many reasons why we chose each app. This includes its large number of users, how important it was that the application is secure, as well as for other traits based on the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs. It has a massive user base of over 125 million. Steam is well known for not retaining chat logs. Steam saves achievements on the servers rather than the host. Due to the large amount of information that the app could store on the host, our team chose it as a viable candidate. Our team is planning to look for artifacts related to in game actions as well as any action done on Steam (Wishlist, login info, Screenshots, etc). Our team will also be looking for any artifacts that have any personal information as well as information about friends of that user.     

Last Pass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension on many browsers. The application is popular for its security, as well as the simple design. It has a user base of over 7 million people. LastPass can contain passwords for many websites, making it a target for attacks. It is also available without purchasing the subscription, making it even more popular.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs using Bluetooth to a personalized account through a PC or mobile device. Fitbit has a user base of over 10 million people, and is popular among a variety of ages. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

Conclusion

As of now, all teams have made excellent progress on analyzing the artifacts generated by the applications. We hope that the artifacts we generate will help us determine potential threats and dangers to the apps we are using. The results from the information our team has gathered are not finalized yet. But we are eager to share our results with you when they are.   

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.