Forensic Investigation: Examine Corrupt File Metadata

In this article, we will learn how to examine a corrupt file with the help of ExifTool to get ahead in a forensic investigation.

Let’s understand the scenario.

In this scenario, a forensic investigator is stuck: he receives a suspicious folder in which no file has any file extension.

Now, he has two options.

  1. Examine each file’s hexadecimal values to determine the file type. To know more about this option click here.
  2. Extract metadata of the file.

In this article, we will cover the second option: extracting the metadata of each file.

Objective: Learn to use the Exiftool metadata extractor in a forensic investigation to examine corrupt files.

Table of Content

Introduction to ExifTool

  • File #1: app
  • File #2: data
  • File #3: file
  • File #4: lecture
  • File #5: manual
  • File #6: report
  • File #7: sales

Conclusion

Introduction to ExifTool

ExifTool is open-source software for reading, writing and manipulating image, audio, video and PDF metadata, developed by Phil Harvey. It is platform-independent and consists of a Perl library plus a command-line application.

It supports many metadata formats, including GPS, IPTC, EXIF, XMP, JFIF and ID3, and also decodes the maker notes of many digital cameras.

Windows and macOS packages are also available that do not require a Perl setup: just download and unzip the archive, then double-click the executable to run it.

We can download this software from here.

File #1: app

The first file we got is app. To get its metadata, drag and drop this corrupt file onto the ExifTool executable, which is named ‘exiftool(-k).exe’ in the archive we just unzipped.

The screenshot captures a few interesting details that help us in our forensic investigation.
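Dragging each file onto exiftool(-k).exe works for seven files, but a folder of hundreds calls for scripting. The following Python script is an added example, not code from the article or from ExifTool: it parses ExifTool’s plain-text “Tag : value” output and pulls out the tags that answer “what is this file really?” (File Type, File Type Extension, MIME Type and the timestamps). The sample output is constructed to mirror ExifTool’s layout; run_exiftool() assumes a real exiftool binary on PATH.

```python
"""Parse ExifTool's plain-text output to identify extension-less files.

Added example, not from the original article. The sample output is
constructed to mirror the "Tag Name : value" layout that exiftool(-k).exe
prints; run_exiftool() assumes a real `exiftool` binary on PATH.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample output for a file whose extension has been removed.
SAMPLE_OUTPUT = """\
ExifTool Version Number         : 12.30
File Name                       : report
Directory                       : C:/cases/suspicious
File Size                       : 48 KiB
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Producer                        : Microsoft: Print To PDF
Create Date                     : 2020:06:10 09:41:12
Modify Date                     : 2020:06:10 09:41:12
Page Count                      : 3
"""

# One output line: tag, padding, colon, value. The tag never contains a
# colon, so the first colon after the tag separates it from the value
# (values such as "Microsoft: Print To PDF" may contain more colons).
TAG_LINE = re.compile(r"^(?P<tag>[^:]+?)\s*:\s?(?P<value>.*)$")


def parse_exiftool_text(text: str) -> Dict[str, str]:
    """Turn ExifTool's 'Tag : value' lines into a dict (first occurrence wins)."""
    tags: Dict[str, str] = {}
    for line in text.splitlines():
        m = TAG_LINE.match(line)
        if not m:
            continue
        tag = m.group("tag").strip()
        if tag not in tags:
            tags[tag] = m.group("value").strip()
    return tags


def summarize(tags: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pick out the tags that answer 'what is this file really?'.

    When ExifTool cannot identify a file it prints an 'Error' tag
    (e.g. 'Unknown file type') instead of File Type, so carry that along.
    """
    return {
        "name": tags.get("File Name"),
        "file_type": tags.get("File Type"),
        "extension": tags.get("File Type Extension"),
        "mime": tags.get("MIME Type"),
        "created": tags.get("Create Date"),
        "modified": tags.get("Modify Date"),
        "error": tags.get("Error"),
    }


def suggested_name(tags: Dict[str, str]) -> Optional[str]:
    """Name the file would have if its real extension were restored."""
    name, ext = tags.get("File Name"), tags.get("File Type Extension")
    if not name or not ext:
        return None
    return f"{name}.{ext.lower()}"


def run_exiftool(path: str) -> Dict[str, str]:
    """Run the real tool on one file (assumes `exiftool` on PATH) and parse it."""
    proc = subprocess.run(["exiftool", path], capture_output=True, text=True, check=False)
    return parse_exiftool_text(proc.stdout)


def triage_folder(paths: List[str]) -> List[Dict[str, Optional[str]]]:
    """Summaries for every file in a suspicious folder, one exiftool call per file."""
    return [summarize(run_exiftool(p)) for p in paths]


if __name__ == "__main__":
    parsed = parse_exiftool_text(SAMPLE_OUTPUT)
    print(summarize(parsed))
    print("suggested name:", suggested_name(parsed))
```

Keep the suggested name as a note in the case file rather than renaming the evidence itself; the original, extension-less copy is what was seized, and ExifTool’s verdict comes from the file’s internal structure, not from its name.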

File #2: data

The second file we got is data. Repeat the previous step: drag and drop this corrupt file onto exiftool(-k).exe from the archive we just unzipped to get its metadata.

These are the few highlights of this file that we captured for the investigation.

File #3: file

The third file we got is named file. Repeat the previous step: drag and drop this corrupt file onto exiftool(-k).exe from the archive we just unzipped to get its metadata.

Now, a few more interesting details regarding this file.

These screenshots capture a few interesting details that help us in our forensic investigation.

File #4: lecture

The fourth file we got is lecture. Repeat the previous step: drag and drop this corrupt file onto exiftool(-k).exe from the archive we just unzipped to get its metadata.

These are the few highlights of this file that we captured for the investigation.

File #5: manual

The fifth file we got is manual. Repeat the previous step: drag and drop this corrupt file onto exiftool(-k).exe from the archive we just unzipped to get its metadata.

The screenshot captures a few interesting details that help us in the forensic investigation.

File #6: report

The second-last file we got is report. Repeat the above steps: just drag and drop this corrupt file onto exiftool(-k).exe to get its metadata.

These are the few highlights of this file that we captured for the investigation.

File #7: sales

The last file we got is sales. Repeat the above steps: just drag and drop this corrupt file onto exiftool(-k).exe to get its metadata.

The screenshot captures a few interesting details that help us in our forensic investigation.

Conclusion

Overall, ExifTool can be quite handy in these kinds of forensic investigations, where the investigator has no clue about the file types. This method helps him proceed further in the investigation.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

Broken 2020: 1 Vulnhub Walkthrough

Broken 2020 is a beginner-level virtual machine created by EuSecinfo. No public exploits were needed and there were no rabbit holes in the machine; however, it did require some custom exploitation and a little common sense.

Table of Content

  1. Reconnaissance
    1. Nmap and directory enumeration
    2. Locating a malicious script to gain shell access
  2. Exploitation
    1. Writing our own script to gain a reverse shell
  3. Post Exploitation
    1. Gaining Alice’s shell by modifying a python script
    2. Understanding the algorithm of the script’s working
  4. Snagging the flag
    1. Manipulating a script to read root flag

Let’s start

We detected the IP address of the vulnerable machine and ran an nmap scan on it to begin with.

We could only find port 80 open.

We immediately browsed to the website but didn’t find anything useful there.

The next obvious step was directory enumeration. We used dirb for the purpose and found a directory “/cms”.

It looked like the installation page of a CMS. We clicked install.

Upon clicking install, something odd happened, and it seemed like a trap.

Here we could see flag 1, and it is self-explanatory: our website got defaced by that CMS installation.

However, since the website got defaced, some change in directories, new files, or some payload must have been executed or created. So we ran directory enumeration once more, this time in the “/cms” directory.

A new directory called “/cc/” seemed to have been created by this installation. We headed over there to see what had been created. As the page explains itself, it is a malicious script used to connect the server to a remote IP and port. That means a ready-made shell. But let’s see what it actually does first by entering a random IP and port.

Hence, it is searching for some script at the designated IP. Let’s create a simple Python server and see what script it is looking for.

So, it was asking for a shell script with a random system-generated name. We created a script with the specified name containing a Python reverse shell (the Pentest Monkey Python reverse shell). Make sure you also launch a netcat listener on port 8888 in a new terminal window.

Upon entering this Python server’s IP and port, we see a new status code on the website.

Meanwhile, on our other terminal, we saw that a shell was obtained. We traversed to the /home/alice directory and read our next flag. There was also a note left there saying that a script log.py had been created to clear the Apache logs.

Upon inspecting log.py we saw that it was clearing the Apache logs and creating a log file “clear.log” that was updated every time the machine cleared them.

Here is the catch: upon inspecting clear.log we found that the logs were being cleared every minute sharp. This is most likely a cron job. Since log.py runs as alice, we could gain Alice’s account if we somehow manage to insert our reverse shell code into log.py.

Now, log.py is not editable by www-data (the current user), but the directory is writable! So we replaced the log.py file with our own log.py file as below.

  1. Create a log.py file on our own system with the code used before.
  2. Launch a Python server.
  3. Rename the existing log.py in the VM’s session to log_new.py.
  4. Copy log.py using the wget command and give it execute permissions.

In a new terminal, start a netcat listener on the port specified in the payload (here, 5555) and wait for a reverse shell.

Sure enough, we received Alice’s shell. We then traversed through the directories and found a /back directory with a backup folder. There we snagged our third flag!

We also saw a note.txt with a message saying “Please put the path of the website backup directory in path.txt and bot will do the rest.” That means those three scripts (backup.py, check.py and hack.sh) were doing something with the contents of path.txt.

Upon analyzing the three scripts, we understood that the bot (the scripts) picks up the contents of the directory specified in “path.txt” and copies them into the current directory! That solved our purpose, since we can simply dump the contents of the /root directory this way.
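The weakness used here is worth checking for on your own hosts: a scheduled script that is not writable, sitting in a directory that is, can still be renamed and replaced before the next run. The following Python audit is an added example, not part of the walkthrough or of the box; SCRIPTS_TO_CHECK is an assumed location for a real host, and build_demo() constructs a temporary directory tree so the check can be exercised offline.

```python
"""Audit scheduled scripts for the weakness used on this box: the script is
not writable, but its parent directory is, so it can be renamed and replaced
before the cron job runs it again.

Added example, not part of the original walkthrough. SCRIPTS_TO_CHECK is an
assumption for a real host; build_demo() creates a constructed directory
tree in a temporary folder so the check can be exercised offline.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Assumed locations of scheduled scripts on a real host (adjust to taste).
SCRIPTS_TO_CHECK = ["/home/alice/log.py"]


def audit_script(script_path: str) -> Dict[str, object]:
    """Report whether someone other than the owner could swap this script."""
    script_path = os.path.abspath(script_path)
    parent = os.path.dirname(script_path)
    file_mode = os.stat(script_path).st_mode
    dir_mode = os.stat(parent).st_mode
    shared_write = stat.S_IWGRP | stat.S_IWOTH

    file_writable = bool(file_mode & shared_write)
    dir_writable = bool(dir_mode & shared_write)
    # The sticky bit stops other users renaming or deleting files they do not
    # own, which is exactly the rename-then-fetch trick used in the walkthrough.
    sticky = bool(dir_mode & stat.S_ISVTX)
    replaceable = file_writable or (dir_writable and not sticky)

    return {
        "script": script_path,
        "file_writable": file_writable,
        "dir_writable": dir_writable,
        "sticky": sticky,
        "replaceable": replaceable,
    }


def audit_all(paths: List[str]) -> List[Dict[str, object]]:
    """Only the findings that need fixing (missing scripts are skipped)."""
    findings = []
    for p in paths:
        if os.path.isfile(p):
            result = audit_script(p)
            if result["replaceable"]:
                findings.append(result)
    return findings


def build_demo() -> Dict[str, bool]:
    """Constructed tree: a read-only script whose directory mode is varied."""
    outcome = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "alice")
        os.mkdir(home)
        script = os.path.join(home, "log.py")
        with open(script, "w") as fh:
            fh.write("print('clearing logs')\n")
        os.chmod(script, 0o644)  # the file itself is not group/world writable

        os.chmod(home, 0o777)    # as on the box: directory writable by anyone
        outcome["world_writable_dir"] = audit_script(script)["replaceable"]
        os.chmod(home, 0o1777)   # world writable but sticky: rename blocked
        outcome["sticky_dir"] = audit_script(script)["replaceable"]
        os.chmod(home, 0o755)    # the fix: owner-only write on the directory
        outcome["locked_down_dir"] = audit_script(script)["replaceable"]
        os.chmod(script, 0o666)  # a writable file is just as bad
        outcome["writable_file"] = audit_script(script)["replaceable"]
    return outcome


if __name__ == "__main__":
    for name, exposed in build_demo().items():
        print(f"{name}: {'REPLACEABLE' if exposed else 'ok'}")
    for finding in audit_all(SCRIPTS_TO_CHECK):
        print("fix permissions on", finding["script"])
```

The check looks only at mode bits, so it will not notice ACLs or a group that happens to contain the web server account; treat a clean result as necessary, not sufficient. The durable fix is the one the demo ends on: the directory holding a cron-run script should be writable by its owner alone.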

Hence, we put /root in path.txt with the command:

echo "/root" > path.txt

After waiting for about a minute again, we saw the contents of the root directory and read the congratulatory flag!

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Defense Evasion: Hide Artifacts

In this article, we will focus on various methods attackers use to evade detection by hiding artifacts on the victim’s system in order to carry out their malicious intent.

Table of Content

  • Introduction
  • Hiding Files and Directories
    • Using Command Prompt
  • Hiding System Users
    • Using Command Prompt
    • Using Registry Edit
  • Hiding File Systems
    • Over Command Prompt
    • Using Registry Edit
    • With Disk Management
  • NTFS File Attributes
    • Using Command Prompt
  • Detection

Introduction

An artifact can simply be defined as an important system file; this includes documentation, test plans, images and even executable modules.

Operating systems have features to hide such artifacts, in order to avoid cluttering the user’s work environment and to prevent users from changing files or features on the system. However, an attacker can abuse these same features to hide his own artifacts, which gives him a clear path to evade detection.

Let’s try to understand the above statement by taking a simple example.

Suppose an attacker penetrates your machine and obtains a session on it, which allows him to exploit your system. The very first thing he would do is create a hidden file and hide his payload in it, exploiting the operating system’s own feature for hiding artifacts. Once the payload is hidden, he can carry out his malicious intent while deceiving the system administrator.

With that said, let’s have a look at the various approaches that the attackers take to evade their presence.

Hiding Files and Directories

Attackers may set files or directories to be hidden to evade detection mechanisms.

Let’s open a command prompt as an administrator. Then we create a folder; in our case I’ve named it ignite on the Desktop. This can be confirmed by running the dir command.

To hide the folder we have just created, simply run the following command:

Okay!! The folder has been hidden now. But wait, let’s see how to unhide it; simply run the following command:

Great!! From the below screenshot we can see that when we run the “dir” command, our folder is back on the Desktop.

Hiding Users

Adversaries may use hidden users to mask the presence of user accounts that they create. In this section, we will have a look at how users can be hidden.

Using Command Prompt

So let’s return to our command prompt and create a user; in our case we have named it “ignite”. A user can be created with the command: net user ignite /add

Now that the user has been created we need to activate it, which can be done with the command: net user ignite /active:yes

We will hide the user “ignite” by running the command:

To check the changes, we would simply restart our PC and notice that our user is no more visible on the sign-in page.

So, to unhide the user, simply re-run the command:

We’ll notice that our user “ignite” is again visible over at our sign-in page.

Using Registry Editor

This method is lengthier than the one above, but it’s always good to know. So, let’s explore this path and hide our user.

In the Run window, type “regedit”.

Once we are in the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now that we have navigated to the path mentioned above, right-click on Winlogon -> New -> Key

After completing the above process, we will rename the new key created as “SpecialAccounts”.

Then, right-click on SpecialAccounts -> Select New and choose Key. We’ll rename this key as “UserList”.

We can see that we have created two new keys. One is “SpecialAccounts” under Winlogon and the second key is “UserList” under “SpecialAccounts”.

Over at the blank right-hand side, follow up as:

Right-click -> Select New -> Select DWORD (32-bit) Value as shown below

The new value should be named after the user we want to hide. In our case, we have named it ignite, as that is the user we are hiding.

Now, close your registry editor and restart your PC to see the changes. The user is now invisible.

In order to unhide the same user, we’ll just go back to the Registry Editor and navigate to the UserList key created above.

Then, we’ll double click on the ignite user and change the Value data from 0 to 1 and, hit enter

Again, restart your system to see the changes. Your user is back on the sign-in page.

Hiding File Systems

Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data on physical storage. So, let’s dive in and have a look at how this is accomplished.

Method 1: Over Command Prompt

Let’s say we have an E drive which we want to hide.

Open the disk partitioning utility from your command prompt by typing “diskpart”.

Now list all available volumes with “list volume”.

With the volumes on our screen, let’s choose the one containing the drive that needs to be hidden. In our case, we select volume 3 by running the command: select volume 3

Great!! We’re almost there, now to hide the drive, simply run the command:

From the below screenshot we can see that Drive E is successfully hidden.

 

 Further, to unhide the drive simply run the command “assign letter e”.

Method 2: Using Registry Editor

For this method, we’ll go back into the registry editor as explained in the “Hidden User” section and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

After navigating to the above-mentioned path, Right-click over on Explorer -> Select New -> DWORD (32-bit) Value as shown below.

A new value will be created, which needs to be renamed “NoDrives”.

Now that our new value has been renamed “NoDrives”, let’s double-click on it, change the Base from Hexadecimal to Decimal, and enter a Value data according to the drive we wish to hide.

In our case, as we’re hiding the E drive, we set the Value data to “16”: each drive letter corresponds to one bit of this value (A = 1, B = 2, C = 4, D = 8, E = 16), so E is 16. You can set it according to your own drive.

Reboot your system again, and check for the drives.

Great!! From the below screenshot you can see that our drive has been hidden now. 

To unhide the drive, navigate back to “Regedit” as explained above and move to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Right-click on “NoDrives” and just Delete it. Again, restart your system and see that the drive is again visible.

Method 3: Using Disk Management

Let’s open Disk Management by running the command “compmgmt.msc” in the Run Dialog Box as shown below.

We’ll select the drive which we want to hide and right-click on it.

Then select “Change Drive Letters and Paths”.

After completing the above step, we’ll select the drive and click on the “Remove” button.

Reboot your system and you’ll notice that the drive is now hidden. In our case, drive “E” is not visible as we can see below.

Let’s unhide the drive by going back to Disk Management. Double-click on New Volume and select “Change Drive Letter and Paths”. Click the Add button, choose the “Assign the following drive letter” option, pick the letter you want, and press OK.

NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data and evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file and directory on the volume. Let’s explore how this technique is carried out.

Open your Command Prompt again as an administrator in order to generate a file with some data in it:

From the below image, we can see that our file has been created with the data we entered.

Now, let’s create another file inside file.txt (an alternate data stream), but this time hidden, with

From the below screenshot we can see that the file “hidden” is not visible at all.

Go ahead and type the command type file.txt:hidden and hit Enter. You will notice that the contents are still not shown to us.

But how do we check the contents?

Simply run the command more < file.txt:hidden and the contents are back.

Detection

The following methods can be used to detect this type of attack:

  • Monitoring processes and command-line arguments for actions indicative of hiding artifacts.
  • Monitoring event and authentication logs for records of hidden artifacts being used.
  • Monitoring the file system and shell commands for use of the hidden attribute.
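The first bullet is the one that catches every technique in this article, provided process creation is logged with the command line (Windows event 4688 with command-line auditing enabled, or Sysmon event ID 1). The following Python script is an added example, not from the article: one rule per section above (hidden attribute, hidden user via SpecialAccounts\UserList, hidden drive via NoDrives, alternate data stream, plus diskpart execution), run over constructed sample command lines, with the analyst action each hit calls for.

```python
"""Detection logic for the hiding techniques described above, run over
constructed process-creation command lines (the CommandLine field of a
Windows 4688 event or a Sysmon event ID 1).

Added example, not from the original article. The sample command lines are
constructed for this demonstration; the rule set mirrors the article's four
sections (hidden attribute, hidden user, hidden drive, NTFS alternate data
stream) plus diskpart execution.
"""
import re
from typing import Dict, List

# Constructed sample: five suspicious lines and one benign line.
SAMPLE_COMMAND_LINES = [
    r"attrib +h +s C:\Users\ignite\Desktop\ignite",
    r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ignite /t REG_DWORD /d 0',
    r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 16",
    r"cmd.exe /c echo payload > file.txt:hidden",
    r"diskpart.exe /s C:\Windows\Temp\hide.txt",
    r"notepad.exe C:\Users\ignite\notes.txt",
]

# Each rule: name, case-insensitive pattern, and what the analyst should do.
RULES = [
    ("hidden-attribute",
     re.compile(r"\battrib(\.exe)?\b.*\+[hs]\b", re.I),
     "file or folder given the hidden/system attribute; review the target path"),
    ("hidden-user-registry",
     re.compile(r"Winlogon\\SpecialAccounts\\UserList", re.I),
     "account hidden from the sign-in page; compare with net user output"),
    ("hidden-drive-registry",
     re.compile(r"Policies\\Explorer.*\bNoDrives\b", re.I),
     "drive letter hidden from Explorer; check the NoDrives value and mounted volumes"),
    ("ntfs-ads",
     # a redirect, `type`, or `more <` aimed at name.ext:stream
     re.compile(r"(?:>|\btype\b|\bmore\b\s*<)\s*\S+\.\w+:[\w.$-]+", re.I),
     "alternate data stream written or read; list streams with dir /r"),
    ("diskpart",
     re.compile(r"\bdiskpart(\.exe)?\b", re.I),
     "volume or drive-letter change possible; confirm against change records"),
]


def scan_command_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (rule, line) pair, with the analyst guidance attached."""
    hits = []
    for line in lines:
        for name, pattern, guidance in RULES:
            if pattern.search(line):
                hits.append({"rule": name, "command_line": line, "guidance": guidance})
    return hits


if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[{hit['rule']}] {hit['command_line']}\n    -> {hit['guidance']}")
```

The registry-based techniques also leave the key or value itself behind, so a periodic sweep of the Winlogon\SpecialAccounts\UserList key and of the NoDrives value under Policies\Explorer (both rarely present on a normal workstation) is a useful complement to the command-line rules, which only fire if the change was made from a logged process.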

Source

Author: Tanish Bugnait is a Cyber Security enthusiast and a security researcher. Contact here

Forensic Investigation: Windows Registry Analysis

In this article, we will learn how to use RegRipper to analyze the Windows registry in a forensic investigation.

Table of Content

Introduction to RegRipper

Creating Registry Hives

SAM Hive

  • Analyzing Log: SAM
  • Analyzing Report: SAM

System Hive

  • Analyzing Log: System
  • Analyzing Report: System

Software Hive

  • Analyzing Log: Software
  • Analyzing Report: Software

Security Hive

  • Analyzing Log: Security
  • Analyzing Report: Security

Conclusion

Let’s begin the Forensic Investigation!!

Introduction to RegRipper

RegRipper is an open-source tool, written in Perl, for extracting and parsing information (keys, values, data) from the Registry and presenting it for analysis.

Its GUI version lets the analyst select a hive to parse and an output file for the results. It also includes a command-line (CLI) tool called rip.

Rip can be pointed against a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT.

Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

To learn more about RegRipper click here.

We can download RegRipper for windows from here.

Creating Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry, backed by a set of supporting files that are loaded into memory when the OS starts or a user logs in.

Each time a new user logs on to a computer, a new hive file is created for that user, with a separate file for the user profile hive.

A user’s hive contains registry information specific to that user: application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.

We can learn more about Registry Hives from here.

Use these commands to save a copy of these Registry Hives [SAM, System, Software, and Security].

After saving all these Hive files, we can launch the RegRipper software.
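Before loading a saved hive into RegRipper it is worth confirming that the copy is a genuine, cleanly written hive. The following Python script is an added example, not part of the article or of RegRipper: it parses the 4096-byte “regf” base block that begins every hive file (magic, primary and secondary sequence numbers, version, last-write time, embedded file name and the XOR checksum at offset 0x1FC) and lists anything that makes the copy untrustworthy. The sample hive header is constructed in memory.

```python
"""Sanity-check a saved registry hive before handing it to RegRipper.

Added example, not part of the article or of RegRipper. It parses the
4096-byte 'regf' base block that begins every hive file: magic, primary and
secondary sequence numbers (equal when the hive was written out cleanly),
version, last-write time, embedded file name and the XOR checksum stored at
offset 0x1FC. build_sample_hive() constructs a header in memory for testing.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Fields at offset 4: primary seq, secondary seq, last written (FILETIME),
# major, minor, file type, format, root cell offset, hbins size, cluster.
FIELDS = "<IIQIIIIIII"


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 dwords preceding the checksum field, with the two
    reserved results (0 and 0xFFFFFFFF) adjusted as Windows does."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_regf_header(data: bytes) -> Dict[str, Any]:
    """Decode the base block and list anything that makes the copy untrustworthy."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than a hive base block; not a registry hive")
    block = data[:BASE_BLOCK_SIZE]
    (primary, secondary, last_written, major, minor,
     file_type, _fmt, root_cell, hbins_size, _cluster) = struct.unpack_from(FIELDS, block, 4)
    name = block[48:48 + 64].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]

    problems = []
    if block[:4] != b"regf":
        problems.append("bad magic: not a regf hive")
    if primary != secondary:
        problems.append("sequence numbers differ: hive copied mid-write (dirty), "
                        "transaction logs may be needed")
    if stored_checksum != regf_checksum(block):
        problems.append("base block checksum mismatch: header corrupted or tampered")
    if file_type != 0:
        problems.append(f"file type {file_type}: not a primary hive file")

    return {
        "version": f"{major}.{minor}",
        "sequence": (primary, secondary),
        "last_written": filetime_to_datetime(last_written),
        "name": name,
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "problems": problems,
    }


def check_hive_file(path: str) -> Dict[str, Any]:
    """Read just the base block of a hive file on disk and parse it."""
    with open(path, "rb") as fh:
        return parse_regf_header(fh.read(BASE_BLOCK_SIZE))


def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed base block; dirty=True leaves the secondary sequence behind."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    when = datetime(2020, 6, 10, 9, 41, 12, tzinfo=timezone.utc)
    struct.pack_into(FIELDS, block, 4, 8 if dirty else 7, 7, datetime_to_filetime(when),
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = "SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for label, hive in (("clean", build_sample_hive()), ("dirty", build_sample_hive(dirty=True))):
        info = parse_regf_header(hive)
        print(label, info["version"], info["last_written"].isoformat(), info["problems"] or "ok")
```

A mismatch between the sequence numbers means the hive was copied while Windows still had unflushed changes; RegRipper will usually still parse it, but the most recent modifications may live only in the .LOG1/.LOG2 transaction files next to the hive, so collect those too. The last-write time in the header is also a cheap cross-check against the acquisition time recorded in the case notes.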

In the Hive File field, select the registry hive file we saved. In the Report File field, select the location where both the report and the log file should be saved. Then click the Rip! button to produce the report and log file.

Now let’s go through the information in these files.

SAM Hive

SAM stands for Security Account Manager; it is a database file in Windows that stores user information. User passwords are stored in hashed form in this registry hive, either as an LM hash or as an NTLM hash. The file can be found at “%SystemRoot%\system32\config\SAM” and is mounted at HKLM\SAM.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key.

Now, open RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it shows a message on the screen that the process is complete, with zero plugins completed with errors.

It creates two files: one with the logs of the investigation and a second with the report.

Analyzing Log: SAM

Now check the log file with this command.

It only tells us about the environment of this hive file.

Analyzing Report: SAM

Now it’s report time; we can access this file with the following command.

As we can see in the below screenshot it will tell about SAM version and User information.

Now we can see the main user account, spotted with its major details.

Next, we have spotted the group membership information, starting with the group named Guests and its details.

Some more group membership information follows, for the groups named Users, System Managed Accounts Group, and Administrators. Their details reveal LastWrite, Group Comment, and their users.

Lastly, RDP and some Analysis tips which would be handy for us in the Investigation.

System Hive

The system hive file consists of all basic information regarding the system information. Now, repeat the same steps for RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it will showcase the message on the screen that our work for this investigation process is completed with zero plugins completed with errors. As we mentioned earlier it will create two files: Log and Report.

Analyzing Log: System

The first file is the log file, which records how the information was gathered from that hive. After viewing the log, we move on to the system information itself.

Analyzing Report: System

We opened its report with these commands.

The below screenshot shows all the installed software with their default directories and paths.

After that, we found the control set backup details of the victim’s system, along with temp file details.

Now, this result shows us the HKLM (HKEY_LOCAL_MACHINE) BAM (Background Activity Moderator) entries for the user; this data is user-specific and records application execution.

Next it shows some device details, the computer name across different instances, and crash control information.

Then come the network media streaming devices connected to the system; in our case, one from Sony Corporation. Its hardware ID gives us some interesting details, and we also get details of the USB devices regardless of whether they are currently connected.

After this, it covers the hardware details along with the NTFS last-access-update setting (NtfsDisableLastAccessUpdate), e.g. ControlSet001\Control\Session Manager\Environment and the hardware details.

After this come the IP address and domain name details with a hint, analysis tips, and mounted devices.

Finally, in the System hive we get details regarding mounted devices, whether they are currently mounted or not.

Software Hive

The Software hive file contains all the information regarding the software installed on this system.

Now, follow the previous steps for RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it will showcase the message on the screen that our work for this investigation process is completed with zero plugins completed with errors.

Analyzing Log: Software

As usual, we open the log file first to understand which plugins were run to create the investigation report for this hive. Run this command to view the file.

Analyzing Report: Software

Now we need to view the report file of the Software hive. Run this command to open it.

In this report, the first page shows details regarding AppInit DLLs values. AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user-mode process on the system.

The next page shows us the application details and the App Paths subkeys.

After this, it shows all the drivers for the input and output devices installed on the victim’s system. It shows the Bluetooth driver details and that the system has no webcam.

The last page of this report concerns the CLSID key. A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

The CLSID key contains information used by the default COM handler to return information about a class when it is running. The CLSID is a 128-bit number, in hex, within a pair of curly braces.

Security Hive

Security hive helps us to understand the security measures of the victim’s system in the Forensic Investigation process.

Now, follow the previous steps for RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it will showcase the message on the screen that our work for this investigation process is completed with zero plugins completed with errors.

Analyzing Log: Security

Now we check its log file to understand our investigation report in depth. Run these commands to view the log file in the command prompt.

Analyzing Report: Security

To view the Security hive report, run this command.

This report page is all about the audit policy from the Security hive. An audit policy specifies account limits of one or multiple resources for a group of users.

This contains guidelines that establish policy limitations and workflows for processing breaches after they occur.

Where N means No audit, S means Success, and F means failure.

Conclusion

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for programs that choose to use the registry. The registry also offers access to counters for profiling system performance. In other words, on all versions of Microsoft Windows, the registry contains information, settings, options, and other values for the programs and hardware installed.

These details can be extracted with RegRipper to get better results in a forensic investigation.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.