vmforensics.org

I re-wrote my VFAE tool over the winter break.  It now does the following:

The application allows the user to conduct a quick triage of the operating system directory structure by outputing the results to a specific output file.  Additionally, it conducts a pre and post MD5 hash value of the VMDK itself if needed.  For specific file searching  purposes, it searches for any filetype within the off-line VMDK based on a passed in argument via the command-line.   Furthermore, you can extract the files that were found in the VMDK and output their contents to the “Extracted Files” directory as well as provide the MD5 hash of each file that was extracted.

Below is a listing of how to use the tool:

1.  vfae.exe -d c:\path\to\vmdk\location.vmdk
2.  vfae.exe -d c:\path\to\vmdk\location.vmdk -md5 [gets the MD5 hash value for the VMDK selected - for verification purposes]
3.  vfae.exe -d c:\path\to\vmdk\location.vmdk -s Windows\*.exe [Parses the off-line VMDK for executable files in the mounted Windows directory]
3a. vfae.exe -d c:\path\to\vmdk\location.vmdk -s Windows\temp\*.* [Searches for any files found in the Windows\temp directory]
4.  vfae.exe -d c:\path\to\vmdk\location.vmdk -s Windows\*.exe -e [Parses the off-line VMDK for executable files in the mounted Windows directory
and extracts the files that were found copying them to the Extracted Files\ directory on your machine.  The Extracted Files directory
is created in the directory where vfae.exe was run]
5.  vfae.exe -v [gets the current version of the application]
6.  vfae.exe -h [help or usuage functionality]

Of course, for more information, you can read the README.txt file at https://sourceforge.net/projects/vfae/files/.

Saw a well written tutorial on manually unpacking UPX packed binaries over at securityxploded.com.  The tutorial is goes over an introduction to packing, steps for upacking UPX and then fixing the import table.

Manual Unpacking of UPX Packed Binary File

I just wanted to reference an article I used to write a blog for Crucial Security  back in May, 2011.  It was an article (Ghost in the Machine – Digital Forensics Magazine) I co-authored with Eric Fiterman of Rogue Networks, Inc in Baltimore, MD.  If you would like to hear more about Eric, check him out at http://www.methodvue.com/ and https://www.youtube.com/watch?v=G_gJOuRSOeg.

The article for Crucial can be found here:  http://crucialsecurityblog.harris.com/2011/05/23/virtual-machine-files-essential-to-forensic-investigations/.

During this summer, I helped in analyze a sample base of poker clients for a talk that was given at Defcon 19.  Based on a survey conducted in 2010, the Poker Players Research, a market research company determined that there were 10 million people in America who play online poker for real money.   This constituted a six billion dollar a year industry. However, many people fail to understand what access your Poker client has on your operating system.In this blog, we will look at forensic breakdown of current online poker clients and what effect they may have on us as an end user.

While the poker client is not exactly a rootkit it does exhibit similar characteristics.  The online companies argue this is for player protection against cheating.  However, in doing this there is some invasion of privacy. During a sample analysis of Cake Poker, Bodog.eu Poker, and Ultimate Bet (UB) poker clients, it was found that all three exhibited a high level of reading and writing on your hard drive throughout runtime.

For example, during runtime analysis in a virtual environment, the memory contents of the executable were dumped for the Cake Poker client (version 2.0.1.3386).  The following list of function names were discovered hard-coded within the client most likely used to protect the client against potential modification:

EnemyWindowNames()
EnemyProcessNames()
EnemyProcessHashs()
EnemyDLLNames()
EnemyURLs ()

Additionally, the Cake Poker client examines the systems for programs or services it deems unauthorized for the Cake Poker network:

• OLLYDBG
• POKEREDGE
• POKERRNG
• WINHOLDEM
• OPENHOLDEM
• WINSCRAPE
• OPENSCRAPE
• pokertracker
• pokertrackerhud
• HoldemInspector
• HoldemInspector2
• HoldemManager
• HMHud

By reviewing the list above, it is apparent that if the running operating system contained any type of kernel debuggers, poker heads up displays (HUDS), or automated poker bots this information will be send back via SSL to the gaming servers.  Examination of the Bodog.eu poker client found that all network authentication between the client and the game servers occurred over 443/TCP but once logged in and poker gaming began, encrypted communication then moved to 8148/TCP likely representing a customized encrypted network protocol being used for all game play.  Furthermore, well known modifications and behavior have been documented by other online poker clients.  Such behavior includes modification to the Windows host-based firewall policies, which allows for automatically authorizing installed poker clients.  For example, forensic monitoring the windows registry yielded the following registry addition by the Cake poker client:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\Program Files\Cake Poker 2.0\PokerClient.exe“

Other behavior observed during analysis was the scanning of the windows process table.  For example, the Cake Poker client 2.0.1.3386 reads through each of your process after approximately 10-20 minutes of idle time.  This may vary from OS environment to OS environment but during testing it was found to read through each of the process in 4096 byte chunks.  This is most likely done to allow the poker client know if the process was normally created or not with regard to parent ID comparison.  Many of the more sophisticated clients have the ability to read the body and title bar text from every window you have open.  They do this by extracting the window handles (HWND), caption, class, style and location of the windows.  Additionally, they have the ability to detect mouse movements in order to determine human vs. automated movements.  This feature usually gives the online poker company information to make the determination on whether you are a human or a poker bot.  Examination of the Windows mouse event APIs makes this possible.   Each poker client is different, however most if not all contain some form of anti-bot detection that entails monitoring Internet Caches for URL history information.  Additionally, they also have the ability to monitor table conversation for lack of table talk and longevity of sessions.

Working at my desk on a network intrusion case and all of a sudden the room starts to shake harder and harder – it lasted about 10 seconds in all but turned out to be a 5.8 earthquake…epicenter was somewhere near lake anna in Virginia.

Just found a page that contains all the update Defcon slides that can be download – check it out here:  http://good.net/dl/k4r3lj/DEFCON19/

Worked on a defcon 19 presentation with a friend of mine – it focuses on the lack of security of the various poker websites as well as poker clients users download.  If anyone is interested, it can be downloaded here:

http://vmforensics.org/Defcon_Presentation-V11.ppt

Below is an outline of the presentation -

1. Preflop
2. Who We Are
3. What is Online Poker
4. Online Poker History
5. Current Events
6. Flop
7. Past Vulnerabilities
8. RNG
9. SuperUser
10. SSL
11. Account Compromise
12. Poker Bots
13. Turn
14. Poker Client=Rootkit
15. Online Poker Architecture
16. Web Application Vulnerabilities
17. Authentication Vulnerabilities
18. Attacking Supporting Infrastructure
19. River
20. Defenses – Application
21. Defenses – User
22. Next Steps in Research
23. Conclusion
24. Questions

You can also get a copy of the presentation from here:  http://good.net/dl/k4r3lj/DEFCON19/DEFCON-19-Fritschie-Witmer-F-On-the-River.pdf

A little plug for my buddy’s company…..

SeNet Computer Forensics Services is now up and running.  They host a number of forensic-based services which can be found below:

- whether financial databases were tampered with or not;
- whether covered data was compromised in a data security breach;
- what purpose a computer was primarily used for;
- whether a user possessed or disseminated a document or documents;
- if a specific file was ever printed;
- whether a user wiped a drive or a file;
- if web-based email accounts were used;
- if intentional deletion of materials occurred;
- whether or not USB keys or other remote media were used;
- what files were copied to the USB or remote media;
- whether a system was compromised or not;
- whether computer misuse has occurre;
- was intellectual property compromised.

Please contact Mr. Gus Fritschie (gus.fritschie@senet-int.com) to learn more about SeNet’s computer forensics capabilities.

Talked to a friend of mine who will teaching the Virtualization for incident responders course at Blackhat 2011 this year.   The class which looks to be extremely interesting will focus on addressing the forensic methodology of incidents that occur within virtual environment such as ESXi.  The course (called Virtualization for incident responders:principles and techniques for recovering evidence from virtualized systems and cloud environments) will be held from July 30-31 and August 1-2.  Below is the course outline:

• Virtualization Overview
• Problem Definition
• A changing forensic methodology and approach
• VMware Architecture and Portfolio
• Exercise: Suspending and preserving virtual machine state
• Exercise: Imaging and acquiring virtual partitions and LUNs
• Exercise: Data recovery in the VMware ESXi managed environment
• Exercise: Collecting evidence from VMware hosted products
• Exercise: Virtual disk re-assembly and re-construction
• Exercise: Data transfer operations and evidence removal for very large virtual disks
• Culminating Exercise Scenario: Collecting critical evidence in an insider-threat incident

To learn more about the course, check it out HERE.  Funny twitvideo about virtualization security found here – http://www.twitvid.com/J8GOO.

There is a good article on reading a windows registry key called shellbags which gives you an excellent means to prove the existence of files and folders along with user knowledge.  According to the website “Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted en  crypted volumes. Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.”  The blog post is a good read – http://computer-forensics.sans.org/blog/2011/07/05/shellbags

Wanted to pass on a good blog post, just saw it last night….it discusses doing virtual forensics using the digital forensics framework…According to the website,

The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examinors, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies.

Check it out at http://www.arxsys.fr/blog/post/7/

later…