Forensic Focus Review: Guidance Software EnCase Training Computer Forensics I Course in Slough, U.K.

Scar de Courcier

During the first week of December 2014, Guidance Software ran a computer forensics training course at its Slough offices in the UK, with the aim of helping forensic practitioners to understand and use EnCase as part of their investigations. 

Background

The course was developed by Guidance Software with a view to introducing new digital forensics practitioners to the field. The students are usually new IT security professionals, law enforcement agents and forensic investigators, and many have minimal training in computing. Computer Forensics I is available either in person at one of Guidance Software's training centres or online via their OnDemand solution, which provides live remote classes for students around the world.

Underestimate the Power of EnCase® and Volatile Data You Must Not

Jamey Tubbs

BOTs, BOTs, BOTs

While investigating a recent Java BOT I found some items that you might also find helpful in your battle against the dark side. (Yes, I will continue to make Star Wars quotes and puns throughout this blog). I enjoyed the investigation so much that I added it to one of our class lessons in the Host Intrusion Methodology and Investigations course at Guidance Software.

I could not have completed this task without the help of James Habben, a great friend of mine and fellow instructor at Guidance Software. When I use the word “I” in this blog, sometimes it is the royal “I,” meaning “we.” Thanks, James.

The first thing I did was take a snapshot of the volatile data using EnCase Version 7, and I saw that port 1000 was being held open by javaw.exe.

A little Google search resulted in the following information: “‘javaw.exe’ belongs to Java from Sun Microsystems, Inc. The javaw.exe command is identical to java.exe, except that with javaw.exe there is no associated console window.” This would be perfect for malware attempting to spawn a Java process and yet not display a console window while doing so.


Prior to examining the RAM, a quick “wookie” (WIKI) search tells us a little more about the way Java works: Java executable files can be found in the form of .jar files. (http://en.wikipedia.org/wiki/JAR_%28file_format%29) “An executable Java program can be packaged in a JAR file, along with any libraries the program uses. JAR files are fundamental archive files, built on the ZIP file format and have the .jar file extension.”

So we ask ourselves, “What is the next step?” {Yoda voice} Truly wonderful, the mind of the RAM is…

A look at the process memory is warranted. I decided a simple search in the process memory of javaw.exe for the .jar filename was a long shot, but who knows? As seen in the image below, you can view the name of the .jar file along with the path to the file. (Server_1392852684035.jar)



This is all fine and good, but it does not help me track down the command-and-control server in charge of my little bot. Where then do we start to find that little nugget of information? Let’s look in the Server_1392852684035.jar file.

If you remember from my earlier quote of the “Wookie”-pedia, .jar files employ the .zip file format, so we can use WINRAR or WINZIP to unzip it as seen in the image below.


As you can also see there is a config.txt file located inside, which is where we would expect to find our configuration information for the death star inside R2D2… Sorry, I mean the configuration information for the BOT inside the .jar file. (I made a pun about a robot when talking about a BOT, get it?)

I went back to the process memory and searched for the Server_1392852684035.jar file and found something else very interesting. As you can see in the image below, just above the Server_1392852684035.jar file name there is a string of Unicode characters that looked a little strange to me.


Sure enough, it was 960 bytes long and that also struck a chord. Let’s take a look at the contents of the config.txt file. As you can see, the 960 bytes represented in Unicode in RAM are the same as the 480 bytes of the config.txt file represented in ASCII: exactly twice the size, because Java holds strings in memory as UTF-16, two bytes per character.



What would you do at this point? Just before the contents of the config file in RAM is the text “AES/ECB/PKCS5Padding,” highlighted in yellow. I knew AES was the acronym for Advanced Encryption Standard and this might help in some small way, so I asked my friend Google what AES/ECB/PKCS5Padding was.

I found the following in the very first hit, which was entitled “Cipher (Java Platform SE 7) - Oracle Documentation”: Every implementation of the Java platform is required to support the following standard Cipher transformations with the key sizes in parentheses:
  • AES/CBC/NoPadding (128)
  • AES/CBC/PKCS5Padding (128)
  • AES/ECB/NoPadding (128)
  • AES/ECB/PKCS5Padding (128)
  • DES/CBC/NoPadding (56)
  • DES/CBC/PKCS5Padding (56)
  • DES/ECB/NoPadding (56)
  • DES/ECB/PKCS5Padding (56)
  • DESede/CBC/NoPadding (168)
  • DESede/CBC/PKCS5Padding (168)
  • DESede/ECB/NoPadding (168)
  • DESede/ECB/PKCS5Padding (168)
  • RSA/ECB/PKCS1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-1AndMGF1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-256AndMGF1Padding (1024, 2048)
I highlighted the text above in yellow—that was really helpful to me. I was dealing with 128-bit AES encryption. I now knew I was looking for a 16-byte string of characters to use as the key. 1 byte = 8 bits, so 128 bits divided by 8 = 16 bytes. (I bet Darth Vader wished he had encrypted the Death Star plans much better.)

So, going back to look one more time at the image showing the contents of the config.txt file in RAM, you will see a 16-byte key just in front of the 960 Unicode bytes that were loaded into the process memory from the config.txt file. What would the chances be that those 16 bytes (highlighted in orange in the image), “15af8sd4s1c5s511”, would be the key to unlocking the config.txt?

As it turned out, when I decrypted the file with the key the contents were still unreadable and I lost a little hope. Did I do something wrong? Was it the correct key? What was going on? (If you’re thinking I’m going to make a Star Wars pun quoting General Tarkin, “Evacuate in our moment of triumph? I think you overestimate their chances,” then you would be wrong and, as Darth Vader would say, “I find your lack of faith disturbing.”)

As it happens, I discovered that it was doubly encrypted with a second 16-byte key, which I also found in RAM and simply put into the decryption engine using Cryptool 2.0. I found the IP address of the command-and-control server was 172.21.12.121 with a password of 1234, and it utilized ports 1000 and 1001 to send and receive data.

We go into more detail in our class called Host Intrusion Methodology and Investigation on this exact bot and the decryption methodology used in this blog post.


My decryption engine built in Cryptool 2.0 is shown in the image below. In one of the best quotes of the Star Wars film Episode IV - A New Hope, coming from an intercom in the Death Star control room: “Stand by… stand by…”. Here is the decryption model in Cryptool 2.0.
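To show in code what the CrypTool model above does by hand, and how the Cipher transformation string from the Oracle list maps onto an actual decryption, here is an added Java example. It is not the post's own code and not the bot's: it builds a constructed two-layer AES/ECB/PKCS5Padding blob using the first key quoted in the post and a placeholder second key (the real second key is not on the page), shows the ASCII-to-UTF-16 doubling that produced the 960-byte copy in javaw.exe memory (Java heap strings were UTF-16 char arrays before Java 9's compact strings), and then peels the layers in order, stopping when the output reads as text. The sample config values and the use of Base64 for the on-disk text form are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class LayeredConfigDecrypt {

    // AES-128 needs a 16-byte key: 128 bits / 8 = 16, as the post works out.
    // KEY1 is the key quoted in the post; KEY2 is a placeholder, not the value
    // actually recovered from RAM (that value is not given in the post).
    static final String KEY1 = "15af8sd4s1c5s511";
    static final String KEY2 = "PLACEHOLDER_KEY2"; // exactly 16 ASCII bytes

    // The same transformation string the bot left behind in process memory.
    static final String TRANSFORM = "AES/ECB/PKCS5Padding";

    // One AES-128-ECB pass in either direction; the key is the raw ASCII bytes.
    static byte[] aes(int mode, String key16, byte[] data) throws Exception {
        byte[] k = key16.getBytes(StandardCharsets.US_ASCII);
        if (k.length != 16) {
            throw new IllegalArgumentException("AES-128 key must be exactly 16 bytes");
        }
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, new SecretKeySpec(k, "AES"));
        return c.doFinal(data);
    }

    // The check the analyst does by eye: is the result mostly printable ASCII?
    static boolean looksLikeText(byte[] b) {
        int printable = 0;
        for (byte x : b) {
            if ((x >= 0x20 && x < 0x7f) || x == '\n' || x == '\r' || x == '\t') {
                printable++;
            }
        }
        return b.length > 0 && printable * 100 / b.length >= 95;
    }

    // Peel layers with the keys in the given order; return as soon as one
    // layer yields readable text, otherwise report that something is off.
    static String peel(byte[] blob, String... keys) throws Exception {
        byte[] cur = blob;
        for (int i = 0; i < keys.length; i++) {
            cur = aes(Cipher.DECRYPT_MODE, keys[i], cur);
            System.out.printf("after layer %d: %d bytes, readable=%b%n",
                              i + 1, cur.length, looksLikeText(cur));
            if (looksLikeText(cur)) {
                return new String(cur, StandardCharsets.US_ASCII);
            }
        }
        throw new IllegalStateException(
            "no readable layer: wrong key, wrong key order, or more layers than keys");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample config in the spirit of what the post describes;
        // the address and password are placeholders, not the real bot's values.
        String plain = "host=192.0.2.10\nport=1000\nport2=1001\npassword=REDACTED\n";

        // Build the two-layer blob: encrypt with KEY1, then wrap the result with KEY2.
        byte[] inner = aes(Cipher.ENCRYPT_MODE, KEY1, plain.getBytes(StandardCharsets.US_ASCII));
        byte[] outer = aes(Cipher.ENCRYPT_MODE, KEY2, inner);

        // Assumption: the on-disk config.txt carries the ciphertext as Base64 text.
        String configTxt = Base64.getEncoder().encodeToString(outer);

        // The 480-vs-960 observation: once the file is read into a Java String,
        // each ASCII character occupies two bytes in the (pre-Java 9) heap.
        byte[] inMemory = configTxt.getBytes(StandardCharsets.UTF_16LE);
        System.out.printf("config.txt: %d ASCII bytes on disk -> %d bytes as UTF-16 in memory%n",
                          configTxt.length(), inMemory.length);

        // Decrypt in the right order: the outer layer (KEY2) first, then the inner (KEY1).
        byte[] blob = Base64.getDecoder().decode(configTxt);
        System.out.print(peel(blob, KEY2, KEY1));
    }
}
```

Compile and run with `javac LayeredConfigDecrypt.java && java LayeredConfigDecrypt`; the first layer prints as unreadable, the second as the config text. One detail worth knowing when you are doing this by hand: with PKCS5 padding, a wrong key (or the right keys in the wrong order) almost always fails with a BadPaddingException rather than returning garbage, so a decryption that succeeds yet still looks random, as the post saw after the first key, is itself a sign that a genuine layer was peeled and another remains.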


To sum up, I’d like to say, when dealing with malware, volatile data is an absolute must. Imagine that we had not obtained the volatile data… Where would we have started? Of course, when someone lays it out like this--play by the numbers--everything seems just a bit easier.

Comments? Ideas? I welcome your input in the comments section below.

Jamey Tubbs is a Director of Professional Development and Training at Guidance Software. He previously served as a CID Special Agent in the U.S. Army Criminal Investigation Command.

EnCase and Python – Automating Windows Phone 8 Analysis

James Habben

Roll Call


You may have read my introductory post about using Python scripts with EnCase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.

EnCase and NetClean Collaborate to Increase Investigator Efficiency

Johann Hofmann

We started working with Guidance Software in the USA and spoke to the company’s Product Manager Ken Mizota about how this made customers much more efficient.

“After looking at the capability of NetClean Analyze, we became very interested in working closely with NetClean. By allowing our tools to work together, we will be giving our customers valuable assistance,” says Mizota.

Guidance Software’s EnCase® tool is used for collecting, processing and analyzing forensic data. Because it’s an open platform, the company works with multiple suppliers of complementary products that use data from EnCase. But a software application that analyzes and categorizes images in as sophisticated a way as NetClean Analyze does is extremely valuable, he says.

“We’re seeing that it really solves problems for criminal investigators. They gain in efficiency and save time, which they really appreciate.”

Guidance Software’s customers typically use a large number of tools in their investigations, so it’s important that they are interoperable.

“Our aim is to make our customers’ lives easier, and without tools like NetClean Analyze and EnCase, investigators are not able to efficiently analyze and categorize the large volumes involved. They need the right tools for the job.”

Ken Mizota envisages several other applications for Analyze in the future.

“The great thing about NetClean Analyze is that it can also be used in other types of investigations involving images, which represent an increasingly important component.”

As examples, he mentions harassment cases or employee misuse of corporate resources for collecting pornographic images.

According to NetClean Analyze Product Manager Johann Hofmann, the main benefit of the alliance is that the forensic community now stands to gain a more seamless workflow between IT forensics and investigations of still and video images.

“We have a whole lot to learn from Guidance Software, which has been regarded as the gold standard in IT forensics for years. And with NetClean Analyze now emergent as the leader in technology for processing still and video images, we will be building a standard together.”

Guidance Software’s EnCase solution is used for digital investigations conducted by corporations and law-enforcement organizations worldwide. A total of 40,000 licenses are in use by corporate customers such as Symantec, General Electric, Coca-Cola and Pfizer, and the EnCase servlet is estimated to be deployed on over 20 million endpoints worldwide.

The “Shellshock” BASH Vulnerability and EnCase Products

Ken Basore

We know that our customers are concerned about the “Shellshock” BASH vulnerability and whether it affects our EnCase software, our Tableau hardware products, or any of our corporate systems. This is a legitimate concern, and because we have the utmost concern for your organizational and data security, we want to give you all the information you need regarding it. Below we address one by one the key areas that you may be wondering about.