Implementing a Command Shell (ReactOS) into AChoir
Saturday, July 23, 2016 12:12:00 PMImplementing a Command Shell (ReactOS) into AChoir
Early on in my career, a dear friend of mine shared something he learned in a Time Management seminar with me:
The Big Rocks go in first.
It's the basic concept that when you have all different sizes of rocks to put in a container, the big rocks should go in first. Followed by successively smaller rocks to fill in the spaces.
As an Incident Responder and Analyst - I've found that lesson to be invaluable in my daily life. Especially when investigating complex incidents. First acquire everything that may be relevant (in a forensically sound manner), next look for the most obvious clues, and then follow the path the Evidence lays out for you. Finally, shine a light into the obscure places to see the hidden story - Lather, Rinse, Repeat.
As I coded AChoir, and laid out the roadmap, I thought in this same way: Get the most critical pieces done first, then go down the inevitable rabbit holes of making it ever more useful and reliable focusing on the unique requirements of Incident Responders.
Read More...
Agentless Remote Triage/Artifact Acquisition using AChoir, CIFS, and PsExec
Monday, July 11, 2016 08:25:00 PMAgentless Remote Triage/Artifact Acquisition using AChoir, CIFS, and PsExec.
I've spent much of my career trying to scrounge together free and open source tools to accomplish my job. When I couldn't find a tool I needed - I built one. I thank my grandfather for the lessons he taught me about making your own tools when you need to.
I don't recommend this as a career goal, since it very often sends me down rabbit holes - but I gotta say I have learned a lot. Necessity is, after-all, truly the Mother of Invention.
Where I am today in my career - I have access to some of the best tools! But my heart is still with the underfunded, overworked Incident Responder who just wants to get some useful telemetry from a machine that is "acting funny". That is why I created AChoir, and why I Open Sourced it.
Read More...
Coupla New Things
HTCIA Preso and AChoir v0.4003/19/2016
Wow, has it been that long since I've done an update? Shame on me...
This week I presented at HTCIA on creating Live Triage/Acquisition scripts/toolkits using FOSS tools and AChoir. This was my first introduction to this group and they are a warm and generous group. It was a real honor to speak to a group of folks who knew somuch more than I do. And to be welcomed by them.
My presentation slides are available Here or Here.
The other news is that I have added several more capabilities to AChoir since my last post. AChoir is now at Version v0.40.
Using AChoir (Video)
Saturday, January 30, 2016 11:12:00 PMUsing AChoir
This is my second AChoir video. It covers some of AChoir's basic concepts and functionality, and it shows a run of the default AChoir script.
Happy Hunting!
AChoir Basic Install (Video)
Sunday, January 24, 2016 06:00:00 PMInstalling AChoir
I've tried to make installing AChoir as simple as possible. But just in case... I put together this quick video on how to Install AChoir and run the initial toolkit builder script.
Happy Hunting!
DFIR 101: Mounting and Extracting Artifacts from E01 Files
Friday, January 8, 2016 11:41:00 PMAChoir and E01 Files
When I decided to write AChoir, one of my primary goals was to create a scripting language and framework with a standardized Input and Output paradigm. I wanted AChoir to work the same for both local and remote acquisition. By approaching AChoir in this way, I could use any forensic utility designed to gather and save artifacts from/to a local drive in different circumstances. I did this by relying on Windows drive letters. Now I know that this is a "No, Duh" statement, but it actually was something that I thought through, and which has made AChoir very flexible.
Read More...
OMENS 2.20
Saturday, December 26, 2015 09:55:00 PMOMENS v2.20 release
All I wanted to do was allow the edge-case of searching for an explicit question-mark(?), instead of always defaulting to a wildcard.
And that took me down the winding path, that I often seem to find myself on, every time I think I will make a simple change to OMENS. The road to refactoring and replumbing my code. OMENS has now grown to be over 8,000 lines of code. Quite a difference from the 100-line quick proof-of-concept it once was.
I've made a number of changes in the OMENS detection engine, and I've tested it quite a bit. But be forwarned - A lot of the code is new, and the signature wildcard paradigm has changed a bit. If you are using "*" or "?" in your signatures the new explicit search for "*", "?", and "\" is now "\*", "\?", and "\\" respectively. This will allow me more flexibility for additional meta-characters in the future.
You can download OMENS at all the usual places.
Happy Hunting!
Saucy Jack
Thursday, December 24, 2015 10:00:00 AMSaucy Jack - Glendora Continental
I know I talk a lot about music, but post very little about my band Saucy Jack.
It's really a privilege to play with these amazing musicians, who are really all about the music. There aren't a whole lot of pictures or videos of us even though we gig regularly. But recently a friend took some cell phone video that came out pretty great. Here it is for your viewing pleasure.
You can also find us on Facebook at: www.facebook.com/saucyjackla
New Blog Post
DFIR 101: Windows Forensic Weirdities
Thursday, November 26, 2015 12:40:00 PMWindows Forensic Weirdities
Anyone who has written any fairly complex software on any platform (I've written software on several platforms) knows that there are two things one must always deal with:
- 1. Error detection/correction and
- 2. Idiosyncrasies of the platform
Read More...
OMENS v2.14
OMENS v2.14 is completed and ready for download.
I use OMENS as both a defense and forensics analysis tool. I have been seeing a lot more use of PHP style escaping as an obfuscation technique, so I have added it to the other existing obfuscation detection and decoding routines that OMENS already employs.
I hope this helps all the hunters out there to better detect this evasion technique.
Happy Hunting!
AChoir Version v0.31
(MSVC and WinHTTP)10/24/2015
Achoir has come a long way in a very short time. And I want to thank everyone who has contributed to the many suggestions I have received on how to make it better.
Unfortunately I have been running into some problems using MingW and libcurl for some of the features I wanted to add. And I began spending more time trying to make things work, than doing actual coding.
So I have decided to move Achoir development over to Visual Studio/MSVC.
For a long time I resisted using MSVC because I felt that Open Source software should not use a paid compiler. Plus, I just really like MingW. But since the Community edition of Visual Studio and MSVC are free, there doesn't seem to be any real reason to not use them.
Dont' get me wrong - There is stuff I really don't like about MSVC - And I still really love MingW and libcurl, and will continue using them for OMENS. But for what AChoir needs to be able to do, MSVC has been a better tool.
YMMV
MSRP
Well... I'm back from Security Summer Camp 2015
(AKA - Black Hat/BSidesLV/defcon)First: A big THANK YOU, to everyone who came to my BSides talk on Windows Live Acquisition using free tools. Somehow my talk went faster than I expected - but that left time for some very lively discussion. I greatly appreciate the engagement and discussion that followed my talk!
If you would like to see my talk, you can watch the video here
I also released a new Open Source Live Acquisition Scripting tool/framework called
Achoir.
Which can be downloaded here
Looking forward to the feedback on both of these!
Happy Hunting!
I'll be presenting at BSidesLV 2015 this August
If you haven't been to a BSides conference, you owe it to yourself to check out one (or more) of these conferences. These are FREE, security community conferences - OF the hackers, FOR the hackers, and BY the hackers. Whether you are a total n00b, or been there - done that - and got the T-shirt, BSides is an amazing experience.
And don't be fooled by the price. These are top notch speakers presenting on fascinating and relevant security topics.
Did I mention that I really like BSides?I got my start speaking at BSides Las Vegas, as a mentee, and it holds a near and dear place in my heart. I am JAZZED to be speaking there again in August.
My presentation will be on my favorite FOSS tools for doing Live Acquisition on Windows. I've used these tools on dozens of DFIR investigations. I will also be releasing a new Open Source tool/framework for building and scripting Live Acquisition Toolkits.
I hope to see you there. Please come up and talk with me about DFIR, Infosec, Music, or whatever!
One Last Note: If you have security research you are doing, but have never spoken at a con before, PLEASE consider the BSidesLV mentor (Proving Ground) program. I can't say enough about how cool my experience was. Happy Hunting!
OMENS v2.13
OMENS v2.13 is completed and ready for
download.
Yeah... Try as I might, sometimes I make bugs.
OMENS 2.12 introduced an unusual bug that intermittently causes the Log Scan to RESTART
instead of RESUME. Funny as it sounds - I cleaned up the code in 2.12 to clear buffers
better... And in a wierd twist, that introduced this intermittent bug.
Anyway... That's a long-winded way of saying
OMENS 2.13 is a bug fix.
Happy Hunting!
OMENS v2.12
OMENS v2.12 is completed and ready for
download.
I've always positioned OMENS as a tool that can be used at all stages of the
intrusion lifecycle: As a monitoring tool to detect reconnaissance, A tool
to detect attack, and a tool to determine what happened and when (forensics)
after an intrusion has already taken place.
I recently used OMENS on a possible intrusion analysis. But it was on a customized
log file format that OMENS has never seen before. There were problems. Nothing
outrageous - but it irritated me.
I have packaged up all the bug fixes and additional checks into
OMENS 2.12.
Happy Hunting!
DFIR 101 - Parsing The Registry
It's been a spell... But, my latest DFIR 101 Blog Post is up. This one covers how to extract and parse the Windows registry when doing a live acquisition.
Hope you enjoy it.
Happy Hunting.
OMENS v2.11
OMENS v2.11 is completed and ready for download. I've gone through the code and changed the database routines to prevent some of the occasional hanging issues. I think I've squished that bug for good, but please let me know if you are still experiencing hangs with OMENS.
You can download OMENS v2.11 from here
DFIR 101
Well... My first Blog Post of 2015 is up. This year I'll be focusing my posts on DFIR 101 for Windows. I'll also be sticking to free tools that run on the Windows platform. I know the arguments for doing DFIR on Linux. They are decent arguments. But since this series of posts will be targeted at the beginner, I have decided to focus on Windows DFIR tools that run on Windows. I think you will be surprised at how many great tools are freely available!
In this first post I will cover the $MFT. What it is, and how to extract and parse it.
I hope you enjoy this series posts.
Happy Hunting.
Welcome to 2015
This year I am hoping I will have some time to write a few more blog posts. It's always hard for me to decide what I want to do with the small amount of spare time I have.
Right now I am imaging a drive, and so I have a few hours of time to fill.
I'd like to do more blog posts, and possibly a con presentation on DFIR 101 tools. I see a lot of information about artifacts, forensics, and DFIR tools - But nothing that really tells someone new to DFIR how and why to use a specific tool.
I have a few goto tools that I really like. I'll start with those, and then move on to some more obscure tools (if I get the time). I will try to limit my blog posts to Windows forensics tools that are free. This series of blog posts are not for the advanced investigator - so I will try to limit my blog posts to stuff that anyone can download and play with.
The first blog post I'll be working on is on parsing the $MFT.
Stay tuned for that post in the next couple weeks
OMENS v2.10 Beta
C'mon... Admit it...
You thought I'd dissapeared from the WeberNets. Or at least abandoned OMENS...
Neither could be further from the truth. I have been SWAMPED with DFIR work - And still found some time to take and pass the GCIH... In fact, I may be mentoring SANS Sec504 in 2015 if everything works out. But now I'm mostly caught-up with my work, and can get back to some of my projects.
Over the (2014) holiday season I had some time to add a new feature to OMENS. Now OMENS 2.10 can be configured to query the ShadowServer Bin Check Service database to see if any new or changed files are known-good binaries. ShadowServer is another amazing and free service. The ShadowServer Bin Check Service aggregates known-good hashes from several sources and makes them available via a simple HTTP query (JSON). I found this new feature critcal when my webserver binaries were updated recently, and I wanted to make sure the updates were legitimate.
When configured properly, OMENS can now use this great service to determine if a new or changed file is known to be good (even if it contains some questionable content).
Important Note: PLEASE check ShadowServers Terms Of Service before you configure this option. WE are very grateful for these free services and we ask that you use them in accordance with their Terms Of Service.
You can download OMENS v2.10 from here, but please remember this is still Beta. Caveat Emptor!
Disclaimer:
The views and opinions expressed here and throughout this web site are my own. They do not reflect the views or opinions of my employer, their clients, customers, or partners. I do not speak for them and they do not speak for me. The opinions and views expressed here represent my opinions at the time of writing, and can change without notice or warning.