Sleuth Kit support for the AFF4 Standard v1.0 Released

I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google) .

Screen Shot 2016-10-24 at 3.48.55 pm

Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 6 years and 4 scientifically peer reviewed papers.

The release of these is a significant step forwards to the wider adoption of the format, enabling a large portion of the open source forensic toolchain to access AFF4 forensic images, and commercial implementers the ability to support reading the format by integration of a single unencumbered library.

The patches to the SleuthKit were contributed by Schatz Forensic (Evimetry), while the C/C++ library was originally developed by Michael Cohen (Google), with AFF4 Standard v1.0 support added by Schatz Forensic.

This release follows the release last week of the AFF4 Standard v.1.0 and a Python reference implementation (reader), and the release of Evimetry Community Edition, a freely licensed subset of the AFF4-based forensic tool.

For more information on the AFF4, attend the webcast “AFF4: The New Standard in Forensic Image Format, and Why You Should Care”, given by Bradley Schatz, in association with SANS, on 17 April 2017.

Implementers and interested parties are invited to join the AFF4 working group at aff4@googlegroups.com .


Introducing Evimetry Community Edition

Evimetry Community Edition provides a subset of the Evimetry system for free. The purpose of this is to grow the AFF4 ecosystem, firstly by providing a pain free path for Evimetry licensees to provide AFF4 images to non-licensees. Secondly, we wanted to provide practitioners, researchers and educators a freely available implementation of the AFF4 standard v1.0 which can be used to gain familiarity with the format. Schatz Forensic, the creators of Evimetry, drove the standardisation effort behind the AFF4 Standard v1.0.

With the Community Licenced Evimetry Controller, you can create Linear AFF4 Images on your Windows based analysis system, verify the integrity of AFF4 images, and convert between AFF4, E01/EWF and Raw images. You can also mount AFF4 images as virtual disks and analyse with your preferred forensic tools.

Using the Community Licenced Evimetry Filesystem Bridge, you can access entire repositories of AFF4 images as virtual raw files, enabling straightforward consumption with your existing forensic toolkit.

The release of Evimetry Community Edition coincides with the release by Schatz Forensic of open source implementations of the AFF4 format, patches to the Sleuth Kit supporting AFF4 images, and the release of the AFF4 Standard v1.0.

To gain access to the initial release of Evimetry Community Edition, email us at info@evimetry.com .


AFF4 Standard v1.0 Released

Today marks the release of the Advanced Forensic Format 4 (AFF4) Standard v1.0.

Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 8 years and 4 scientifically peer reviewed papers.

Bradley Schatz (Evimetry) and Michael Cohen (Google) have collaborated to make freely available:
a set of canonical reference images which serve as ground truth for the format; and
• an explanatory specification document describing the format in detail; and
• a Python AFF4  reference implementation capable of reading the format.

This release of a standard specification for the file format is a milestone towards the wider adoption of the format, providing implementers an unambiguous and straightforward path to implementation. The release of the AFF4 Standard coincides with the limited release of Evimetry Community Edition, a freely licensed subset of the AFF4 based forensic tool, and in the coming days, a C++ implementation and patches to the Sleuth Kit, and support for Volatility and Rekall.

The standard specification and reference images are available at [1], the python implementation at [2], and aff4.org [3] becoming the central point of publication.

Implementers and interested parties are invited to join the AFF4 Working Group mailing list [4], and/or contact Bradley Schatz or Michael Cohen.

Contact:
Bradley Schatz ( bradley@evimetry.com )
Michael Cohen (scudette@google.com )

[1] https://github.com/aff4
[2] https://github.com/google/aff4
[3] http://www.aff4.org/
[4] https://groups.google.com/d/forum/aff4-wg


AFF4: The new standard in forensic imaging and why you should care

At this year’s Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry produced AFF4 forensic images with the Sleuth Kit.

While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both opensource and commercial tools will accelerate forensic workflow even further.

The screenshot below demonstrates a non-linear partial physical image (containing only the allocated blocks from the target disk) being interpreted by the SleuthKit.

Screen Shot 2016-10-24 at 3.48.55 pm

We will be releasing patches for libaff4 (C++) and Sleuth Kit shortly.

My slides for the seminar are below.


Accelerating forensic and incident response workflow: AusCERT 2016 Slides

Existing forensic image formats are a bottleneck in the multi-core era: The slides from my recent presentation on accelerating forensic & incident response workflow at the AusCERT 2016 Conference. This summarises the research behind Evimetry Wirespeed.


CFP: Digital Investigation Special Issue on Volatile Memory Analysis

The Journal of Digital Investigation is currently calling for papers for a Special Issue on Volatile Memory Analysis. The Guest Editors of this issue are Michael Cohen (Google) and Bradley Schatz (Schatz Forensic).

We would welcome any novel research into aspects of Volatile Memory Analysis. Submissions are due 31 August 2016.

Memory analysis is a hot research topic with wide applications on many fronts – from malware detection and analysis, to recovery of encryption keys, to user activity reconstruction. As advanced contemporary malware increasingly reduces its on-disk footprint, and adopts increasingly sophisticated host detection subversion mechanisms, memory analysis is currently mainstreaming as a valuable technique for detection and response.

While memory analysis presents many new opportunities, it also presents new complications and challenges, ranging from reliance on undocumented program internals, to atomicity of acquisition methodologies. As memory analysis becomes the status quo methodology the use of directed anti-forensics is also becoming prevalent.

This special issue of the Journal of Digital Investigation invites original research papers that report on state-of-the-art and recent advancements in this rapidly expanding area of enquiry, with a particular emphasis on novel techniques and practical applications for the forensic and incident response community.

Topics of interest include but are not limited to:

  • Malware detection in memory
  • Live memory analysis
  • Live system introspection
  • Memory acquisition
  • Memory analysis of large systems
  • Userspace and application specific memory analysis
  • Cryptographic analysis, key recovery
  • Execution history analysis
  • Data fusion between memory/disk/network

Deadline for submissions is 31 August 2016.


Live Partial Acquisition with Evimetry Wirespeed and EnCase

The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created. Analysis activity drives the partial acquisition process, which in-turn results in an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registries, Log Files, Office documents, Allocated, and all of disk.

An important aspect in balancing live analysis with bulk acquisition is interactive latency (liveness). Unlike any other forensic system, live analysis activities are prioritised over bulk activities, enabling effective live analysis with minimal perceptual delay.

A video demonstrating liveness in partial live acquisition using Evimetry Wirespeed & EnCase  is available on the Evimetry Website. This blog post summarises the salient parts of the video:

@1:08 Partial acquisition of triage artifacts

A partial acquisition of a 240GB SSD1, collecting Page Files, Swap files, Windows Registry Files, Log Files, and Windows Access Traces, is started.

This causes acquisition of volume metadata, followed by filesystem metadata, and then the content data blocks corresponding to these categories. This acquisition completes in 17s and has stored 2.3GiB in the forensic image2.

 

vlcsnap-2016-05-17-16h20m11s675

@2:01 Virtual disk sharing

The active partial image is shared as a virtual disk, and mounted in windows as the F: drive. Windows explorer is then used to browse the F: drive, into the F:\Videos\Videos1\ folder. All access of the blocks of the virtual disk come from the forensic image, as the filesystem metadata has already been acquired.

vlcsnap-2016-05-17-16h21m38s145

On traversing to the F:\Videos\Videos1\Videos\ folder, thumbnails are generated by explorer and shown. As the content for these has not yet been acquired, the underlying blocks are loaded from the suspect drive, stored in the partial image, and then passed on to windows via the iSCSI virtual disk emulator. From there windows explorer renders the thumbnails.

@2:37 Third party application access

The file Mario1_500_HQ_512kb.mp4 is accessed, which contains a mario runthrough video from archive.org. This causes the video to be played using VLC.

The purpose of this is to create an interactive acquisition load on the target drive (recalling that the content of this file have not yet been acquired).

vlcsnap-2016-05-17-16h22m15s984

@3:03 Virtual disk access using EnCase.

The virtual disk is loaded into EnCase3, which scans the volume metadata, and filesystem metadata (in this case parsing the MFT).

The volume metadata and MFT are loaded from the partial image. Interactive performance of the video is unaffected, with no glitches or pauses.

vlcsnap-2016-05-17-16h22m42s893

@4:40 Interactive analysis with EnCase

Within EnCase, the files are filtered down to JPEG files, and the view shifted to Gallery. All of the pictures displayed on the gallery are loaded from the suspect hard drive, and stored in the partial image on their way to EnCase. At this stage only VLC and Encase are competing for access to the target device, and interactive performance of the video is unaffected. There are no glitches or pauses, and load and display of the pictures in EnCase is snappy.

vlcsnap-2016-05-17-16h23m09s312

@5:08 Acquisition scope widened to all of Allocated

A successive partial acquisition operation is started, widening scope to all allocated files. This will only read blocks of files on the target device that aren’t already in the image (a significant portion of the video, and the pictures that were viewed in the gallery are already present in the image, in addition to the volume and filesystem metadata, system logs, registries, etc).

vlcsnap-2016-05-17-16h23m29s895

@5:48 Gallery browsing under high acquisition load

The gallery is scrubbed to a random point, causing acquisition and display of a number of as yet un-accessed images. While this interactive process is competing with the video and the batch acquisition (and proceeding at 238 MB/s), interactive latency has increased but still acceptable.

vlcsnap-2016-05-17-16h24m12s765

@6:00 Single file browsing under high acquisition load

Encase is switched to the Table browser, and random pictures browsed. Interactive latency for single file access is snappy.

vlcsnap-2016-05-17-16h24m40s584

@8:08 Video runthrough completes

Acquisition of 61GiB has completed when the video completes playing.

vlcsnap-2016-05-17-16h32m32s507

@ finish

At the point where this screencast ends, acquisition of allocated space is still underway. The analyst needn’t wait for its completion, as a partial forensic image may be completed at any time, with the resulting image still accessible using regular forensic tools. With the volume & filesystem metadata, and the file content that has been acquired to that point, forensic tools will still be able to interpret the disk. Blocks that were not acquired simply show up as unknown data.

Conclusion

This blog post summarised the most important parts of the video, the purpose of which was to demonstrate:

  • The incremental nature of partial acquisition using Evimetry Wirespeed;
  • The ease of human-in-the-loop live analysis in driving forward partial acquisition;
  • The performance of the Evimetry Wirespeed system.

 


 

1 around 50% full, content including a Windows OS folder heirarchy (no user profiles), random data, and multiple copies of the GovDocs corpus, and videos downloaded from archive.org.
2 We note that this dataset actually doesn’t have any page files or swap files in it.
3 EnCase is a trademark of Guidance Software and has no affiliation with Schatz Forensic.


Introducing Evimetry: digital forensics at wire speed

Digital forensics is full of waiting. Waiting for acquisitions to complete. Waiting for images to process. Waiting for flights and waiting in data centres.

We set out to remove this wait.

In November 2014, Schatz Forensic quietly opened a beta program for a new forensic tool aimed at speeding forensic workflow. The innovative system accelerates acquisition and processing of evidence and closes the gap between acquisition and analysis.

A long beta program has allowed us to listen to our testers, and target the pain points in their forensic process. Practitioners love the faster acquisitions and processing, and cutting hours of wait time from cases. Incident responders are excited by travel-free remote live analysis, and rapid partial imaging of high value artefacts.

Today marks the general availability release of Evimetry Wirespeed. If you are ready for a more efficient workflow and less waiting, visit http://evimetry.com or contact us.


Was the firewall blocking traffic? Identifying active firewall rules using registry analysis.

I came across this question recently in relation to claims that access to a Windows 8 host via Windows Remote Desktop Protocol was blocked by the firewall configuration. This post describes my research into the registry artefacts related to answering the question, and provides a patch to RegRipper to assist in analysis.

Theory of operation

Windows 8 uses the same firewall configuration entries used by Windows 7. Windows ships with a number of firewall rules enabled, and these may be added to or modified by the user, for example using the windows firewall control panel applet.

image

Rules are scoped by Profile, which is either Public, Private, or Domain. Note that I am going to refer to these are a “Network Category” herein, for reasons that will become apparent. These Network Categories (profiles) are associated with particular networks: for example, in the window capture below you can see that my home wireless connection is a “Private network”. For a “Private Network”, firewall rules with a value of “Private” will be applied.

image

The firewall rules are stored in the registry at HKLM\System\CurrentlControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\.

image

The value of the rule above for “RemoteDesktop-UserMode-In-TCP” is

v2.20|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|

Comparing this the applet above, we can see that this corresponds to the disabled RemoteDesktop-UserMode-In-TCP rule. Looking for the second TCP related RDP, I found the following rule with the key name “{6AFE835E-629E-48DA-A87E-AB6C367D2BB7}”, which corresponds to the similar rule that is enabled for both Private and Domain.

v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|

Observation: Identifying the Category

Existing theory around mapping active networks from the registry is generally accepted: network profiles are stored in HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\. The RegRipper networklist plugin interprets the contents of this registry sub tree.

What my review of the current literature didn’t reveal is how to identify whether a Network Profile is configured as “Private”, “Public”, or “Domain”. Hence, I started looking for automated ways configuring a network in such a manner, from which I hoped to identify the relevant registry keys.

The  documentation for the PowerShell “Set-NetConnectionProfile” command lists the following parameters for the “-NetworkCategory” arguments:

Specifies an array of category types of a network. You cannot set the DomainAuthenticated type by using this cmdlet. The server automatically sets the value of DomainAuthenticated when the network is authenticated to a domain controller. The acceptable values for this parameter are:
– Public
– Private

I opened up powershell and issued the following command.

PS C:\Users\bradley.SCHATZFORENSIC> Set-NetConnectionProfile -interfacealias “WiFi 3″ -NetworkCategory Public

On running this, we see the Network and Sharing Centre applet immediately updated to indicate that the network was now a Public Network.

image

Examination of the associated profile shows a registry key called Category. Based on the naming of the powershell argument “NetworkCategory”, I hypothesised that the Category key might contain the value of relevance. In this instance it was set to a value of 0.

image

I opened then issued the following command.

PS C:\Users\bradley.SCHATZFORENSIC> Set-NetConnectionProfile -interfacealias “WiFi 3″ –NetworkCategory Private

On running this, I saw the Network and Sharing Centre applet immediately update to indicate that the network was now a Private Network.

image

Refreshing the registry viewer, the value of the Category key was now 1.

image

I undertook the above for three iterations and observed the same changes every time. I additionally attempted to undertake a Remote Desktop session while both settings were in place. The outcomes were consistent with the description of the above Firewall Rules. When the network was configured as private, I was unable to establish a connection, and when it was configured as public, I was able to establish a Remote Desktop session.

Hypothesis formulation

At this point my hypothesis was that the value of the Category key corresponded to the Network Category of a network profile. That is:

0 == Public

1 == Private

Of course, this hypothesis could be wrong: what if what I was observing was just one of many configurations occurring as a result of the powershell command?

Accordingly, I undertook an experiment to confirm both these interpretations of the values, and their application of the corresponding firewall rules.

Testing

I manually edited only the Category key of corresponding Network Profile and set it to 0. I restarted the Windows Firewall Service, at which point, I saw the Network and Sharing Centre applet immediately update to indicate that the network was now a Public Network. I attempted to establish a Remote Desktop session, which failed.

I then manually edited the Category key and set it to 1. I restarted the Windows Firewall Service, at which point, I saw the Network and Sharing Centre applet immediately update to indicate that the network was now a Private Network. I attempted to establish a Remote Desktop session, which succeeded.

I undertook the preceding experiment 3 times and received the same result each time.

 

Automation

I modified the networklist.pl plugin of RegRipper to interpret the Category key per the above theory. A third value of the “Category” key was observed: the value of 2. Based on context in which it came up I have inferred that it refers to a Network Category of Domain. I have not tested this.

Conclusions

I didn’t undertake an exhaustive literature review in regard to the above research, so it may well be that this registry artefact has already been treated elsewhere. Please do let me know if I have missed any prior work that you are aware of.

The updated networklist.pl script is currently in my GitHub branch of RegRipper.

I encourage you to validate this new version of networklist.pl against your own registry and let me know if it is consistent with your running configuration, or not.

 

UPDATE: Harlan Carvey has merged this patch into the main RegRipper development tree at GitHub.


Zone Identifier Internals

The “Zone.Identifier” file is a common artefact observed when undertaking forensic examinations of Windows systems. More correctly, this isn’t a file. Rather, it is an Alternate Data Stream (ADS), attached to content downloaded from the internet by Internet Explorer. The stream’s purpose: to record the source of the file so that judgements about its level of trust can later on be made by the Windows OS, particularly when running downloaded executable files.

Raymond Chen describes using windows API’s to access this, and points to further background on this artefact.