Wednesday, May 28, 2014

PowerShell - Timestamp Manipulation

PowerShell is more powerful than most people want it to be, but its value to help efficient system administration can not be questioned.  I'm not sure why would anyone needs to use PowerShell to manipulate file time stamps, but I wanted to see its effects.  We talk about timestomp utility that someone might use to manipulate timestamps, but now armed with PowerShell that utility is not needed in skilled hands.  PowerShell is used by network administrators to manage local systems, so seeing the usage of PowerShell will not trigger any potential indicator of "wrong doing".  ( In incident response, press F7 to see the command history, doskey /h will not show PowerShell commands )
 
Get-ChildItem
    Directory: C:\testing
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/29/2014  12:37 AM          7 test.txt

Thus, entering the following command will add 5 hours to the last write time of every txt file in a directory.  Not just hours, but days, milliseconds, years, months, minutes, or ticks can also be added to file objects.

Get-ChildItem -filter *.txt|foreach { $_.LastWriteTime=($_.LastWriteTime).AddHours(5)}
PS C:\testing> dir
    Directory: C:\testing
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/29/2014   5:37 AM          7 test.txt

Just as a curiosity, I wanted to see if this additional 5 hours will replicate into all attributes in the MFT record and surprisingly it does not.  The filename attribute retains the original time stamp, so only the standard information attribute is updated by the above PowerShell command.


Good to know. I hope ...











Sunday, May 11, 2014

Powershell search for file type performance

Many times, you will need to search for specific file types by searching large drives.  While on small drives performance might not be an issue, on large drives it is important to get the job right in a shortest amount of time.

In this test, I looked at three ways to search for an imaginary file type of ttt.
1. -include
2. -filter
3. where-object

The result shows -filter is a much better choice for locating specific file types and most likely to search other objects as well.

Details

measure-command{Get-ChildItem -path c:\windows\  -include *.ttt -recurse  -ea Silentlycontinue}

Seconds           : 33
Milliseconds      : 118
Ticks             : 331181986
TotalDays         : 0.000383312483796296
TotalHours        : 0.00919949961111111
TotalMinutes      : 0.551969976666667
TotalSeconds      : 33.1181986
TotalMilliseconds : 33118.1986

measure-command{Get-ChildItem -path c:\windows -filter *.ttt -recurse  -ea Silentlycontinue }

Seconds           : 6
Milliseconds      : 790
Ticks             : 67907668
TotalDays         : 7.8596837962963E-05
TotalHours        : 0.00188632411111111
TotalMinutes      : 0.113179446666667
TotalSeconds      : 6.7907668
TotalMilliseconds : 6790.7668

measure-command{Get-ChildItem -path c:\windows  -recurse  -ea Silentlycontinue | Where-Object {$
_.Extension -eq ".ttt"}}

Seconds           : 34
Milliseconds      : 210
Ticks             : 342106565
TotalDays         : 0.000395956672453704
TotalHours        : 0.00950296013888889
TotalMinutes      : 0.570177608333333
TotalSeconds      : 34.2106565
TotalMilliseconds : 34210.6565

Graphical View


Note: Each command was run three times to ensure reliability of findings.

Saturday, May 10, 2014

Zero day methodology

Why do we need to wait until something happens to us or until someone else reports a problem in order to react?  It is a bad methodology to teach for the next generation of cybersecurity professionals.  Critical thinking is essential in battling the unknown.  There is really no unknown methods of compromising systems, only lack of interest to find out how legitimate methods can be used against us.

For example, we need to deploy the old Art of War methodology of knowing ourselves and knowing our enemy.  Our enemy is the youtube generation that gets its education from watching someone else and only learning what that presenter wants them to learn.  In the evolution of a cybersecurity professional, there are three phases:

1. Awareness: What    --  This is the phase that every one knows from the news and some intrigued enough to start learning about it.

2. Training: How   --  In this phase is where the youtube generation start getting the idea on how to do things, but do not understand enough to be valuable, only dangerous.

3. Education: Why  --  This is the phase where an interested and trained person can become very valuable if educated enough and asked enough why question along the way.

Let me give you an example:

What is a trained incident responder or forensic investigator taught to do in a case of an incident?  Preserve evidence by collecting volatile data.  The better trained might also remember what the OOV stands for and not just run a script that was given to him/her 5 minutes before.  ( Order Of Volatility ) So, that might include the opening of the terminal or CMD.EXE.  Some might even learn about the concept of BYOC ( Bring Your Own Code ) because we should not trust anything on the compromised system.  We might also know that Microsoft protects CMD.EXE and it is harder these days to replace it with a malicious version.  But only those that are educated in this field would dig further into what can be done with CMD.EXE.  Can a malicious user do something while the incident responders trying to collect and preserve evidence?  Have you ever looked at the help of CMD.EXE?

Short example from the CMD.EXE help:
If /D was NOT specified on the command line, then when CMD.EXE starts, it looks for the following REG_SZ/REG_EXPAND_SZ registry variables, and if either or both are present, they are executed first.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
        and/or
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Some thirteen year old might read this one night and might ask the question about how to use this and what is possible with this value.  Go ahead and create this value and assign notepad.exe to it.  Notepad.exe will run every time you launch CMD.EXE.  That means that someone can write a short script to delete or modify any relevant data area that might contain valuable artifacts for investigations.


So, now what if someone would create a simple script file with the following entries and would modify the registry to launch when CMD.EXE is executed?

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\SkyDrive /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths /f
reg delete "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /f

This would not be a malware detectable by protection mechanisms in place, it is a settings that might be set by the network administrator as part of the policy.  This could be a simple AutoIt script received in email or on a thumb drive.  The main point is, the very act of opening CMD.EXE would eliminate artifacts by the first responder action that might be interpreted by the analyst as a intentional data elimination by the suspect. Identifying false positives and eliminating false negatives can only be done by a well educated professional and not by a "bootcamp junky" or a paper certificate holder.

Those in the cybersecurity field are forced to learn every day not just by reading published documents, but thinking like their adversary.  The best education one can receive is the methodology development that enables the person to monitor, evaluate, and analyze systems without help from an outside source.  This can be achieved by knowing the basics - reading and thinking.

I was once ( CEIC 2008 ) lucky to listen to astronaut James A. Lovell when he was talking about his ordeal aboard Apollo 13.  He was in a sophisticated machinery that was nothing without electricity and his education of the basics like constellations and star positions allowed him to steer the not so smart machinery back toward earth.  That was not luck or training or awareness, that was his education in action!  That was his and might be the world's first zero day incident response.


PowerShell performance testing

We all remember LogParser as an amazing little tool that "could" and after Vista, it could not.  So, what other alternatives we have these days?  That question triggered me to look into "wevtutil" since its documentation talks about the possibilities of running queries, exporting, archiving, and clearing logs.  

We can clear a single log by wevtutil cl Security, but we have many logs on systems to manage.  It is also possible in an event of system compromise to clear all the logs by the intruder.  So, how would one clear all logs in a simple and easy step?  Use ProwerShell most likely or a DOS for loop might suffice.

I wanted to look at PowerShell and its capability to do this task.  It can actually do this very easily by a single line of command:


wevtutil el | Foreach-Object {wevtutil cl "$_"}
The el parameter enumerates all logs on the system, so that output can be used to send each log name to wevtutil to clear each log.  

It is nice, but I also wanted to know how many of these logs I have on my system.  So, PowerShell was the natural choice for this task.  A few minutes of search on the Internet revealed that there are many ways to count objects in PowerShell.  This is where the true investigator gene triggered in my head and wanted to find out their differences.  

Digital Forensics is partially a field of inductive reasoning where each step of the reasoning needs to be reliable and scientifically tested in order to come to a reliable conclusion.  It will never be as reliable as deductive logic, but well tested methodologies can make it as reliable as the latest knowledge allows us.  


One benefit of education is the ability to test tools and make heuristic decisions when using them.  In some cases, we might even determine a suspect education level and sophistication of attacks that we might be facing if we could capture and analyze the code he/she uses in reconnaissance.  After all, we need to connect a human to a technical action in order to call this field a science.

But that is enough.

I decided to test three methods of counting.  I needed a large set of objects to iterate through in order to see a trend.  I decided to count the number directory entries on my system drive.  That should be large enough to see any emerging trend.  I have stopped all unnecessary services on my system to create  stable environment and to establish a baseline.  I will be monitoring one process, but wanted to make sure nothing interferes with my system while testing.  I ran PowerShell as an administrator and ran each command three times with a little pause in between each command.  

I was not surprised about the similarity of the I/O operations since in each case the directory objects needed to be accessed, but the memory utilization did surprise me in the third case.  It seems like the third method gathers all file objects before counting them at the end.  The first two methods seem to pick up an object increment a counter and then drop the object while the third method picks up all objects and hangs on to them before determine their count.

The commands I tested:
I.   Get-ChildItem -recurse -EA SilentlyContinue|measure
II.  Get-ChildItem -recurse -EA SilentlyContinue|foreach-object { $count++}
III. (Get-ChildItem -recurse -EA SilentlyContinue).count
      $count

Note: the -EA SilentlyContinue parameter was used to suppress error messages since there are some directories that not even an administrator can access.  I first ran a few tests without this parameter, but the errors were annoying, so I decided to add the parameter later on.  It is the part of the scientific method to evaluate and to adjust procedures along the way.


It might never be interesting in an actual investigation, but in order to develop a pattern recognition skill, this type of exercises can develop investigators that are not just logical thinkers, but problem solvers who will not just pick up the first tool he/she finds and treat it like an IT person would just to get the job done, but ensures the best and most reliable methods in investigations.  By the way, all three tools did find the same amount of directory entries and they did compete the task in the same amount of time.  

References:
http://technet.microsoft.com/en-us/library/cc732848.aspx
http://technet.microsoft.com/en-us/library/ee176841.aspx