
[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this first thing right after the competition had ended, but Real Life gets the better of most of us. I had totally forgotten about this as I was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying in the draft folder collecting virtual dust, just like my entry for the SANS HolidayHackChallenge. 🙁
I don’t remember whether I submitted my answers for this challenge. 🙁

Below is my walkthrough for the SANS CDI Forensic Challenge, and I hope the process of solving the questions might be useful to someone out there. The entire challenge consists of 3 parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1, to download the data.
I have attached the file here in case the link is gone: Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, search terms are kept in the ACMru key, located at the following registry path:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys record where each search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately, Windows Vista did not include a registry key for user searches.
On Windows 7, however, the history of search terms entered into Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there, but for this particular challenge I will be using Windows Registry Recovery.

Challenge.0x0001

As we can see from the above image, the very first entry in the MRUListEx value is “01 00 00 00”.
This simply means that the value named “1” holds the most recently searched item.

In this particular case, we can see that the value for the first entry is “alloy” and that’s our answer.
Challenge.0x0002
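The MRUListEx ordering described above, as an added example that is not part of the original post: the values below are constructed to mirror a Windows 7 WordWheelQuery key, with the numbered values holding UTF-16LE search terms and MRUListEx giving their order, most recent first.

```python
import struct

# Constructed WordWheelQuery values, shaped like the ones in a Windows 7 NTUSER.DAT:
# each numbered value holds a UTF-16LE, NUL-terminated search term and MRUListEx
# holds little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF.
SAMPLE_WORDWHEELQUERY = {
    "0": "budget".encode("utf-16-le") + b"\x00\x00",
    "1": "alloy".encode("utf-16-le") + b"\x00\x00",
    "2": "vibranium".encode("utf-16-le") + b"\x00\x00",
    # 01 00 00 00 | 02 00 00 00 | 00 00 00 00 | FF FF FF FF
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def parse_mrulistex(data: bytes) -> list:
    """Return the MRU indices in order (most recent first), stopping at the 0xFFFFFFFF terminator."""
    order = []
    usable = len(data) - len(data) % 4  # ignore any trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_term(raw: bytes) -> str:
    """UTF-16LE string; keep only the part before the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def search_history(values: dict) -> list:
    """Search terms ordered most recent first, as the MRUListEx value dictates.

    Indices that point at a missing numbered value are skipped: a partially
    written hive can leave the key inconsistent, so never assume value "0" is newest.
    """
    terms = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is not None:
            terms.append(decode_term(raw))
    return terms


if __name__ == "__main__":
    history = search_history(SAMPLE_WORDWHEELQUERY)
    print("most recent search:", history[0])
    print("full history, newest first:", history)
```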

Moving on to the 2nd question: How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Challenge.0x0003

As we can see, the value names are all encoded using ROT13. The value we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed can be found at offset 0x04 in the UserAssist entry.
In this instance, the value is 4, which means that EXCEL.EXE was executed four times and that is our answer. 😀

Next we are asked: What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key:
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

Challenge.0x0004

As we can see from the image above, the most recent typed URL is “http://199.73.28.114:53/” and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2, to download the data.
I have attached the file here in case the link is gone: SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the 1st question, there are many different methods to find the answer, so I will go through 2 of the common ones.
The first method is to check the following registry key:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the USB device is “AA951D0000007252”.
Challenge.0x0001

For the 2nd method, we can check the following registry key:
SYSTEM\MountedDevices

As you can see from the image below, we found the USB device and also the volume letter, “E”, assigned to it. That gives us the answer to question #2 as well.
Challenge.0x0002
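Both methods above read the same string, the USBSTOR device instance path, which is also what MountedDevices stores as its value data. As an added example that is not from the post, this Python parser takes constructed SYSTEM\MountedDevices values (the serial is the one recovered above; vendor, product, revision, disk signature and volume GUID are made up) and maps the drive letter to the USB device's serial, answering questions 1 and 2 in one pass.

```python
import re
import struct

# Constructed SYSTEM\MountedDevices values. The serial is the one recovered in the
# challenge; vendor, product, revision, disk signature and volume GUID are made up.
USB_INSTANCE_PATH = (
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00"
    "#AA951D0000007252&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
SAMPLE_MOUNTED_DEVICES = {
    # fixed disk: 4-byte MBR disk signature + 8-byte partition offset
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4") + struct.pack("<Q", 0x100000),
    # removable USB disk: UTF-16LE device instance path
    r"\DosDevices\E:": USB_INSTANCE_PATH.encode("utf-16-le"),
    r"\??\Volume{1b2c3d4e-0000-1111-2222-333344445555}": USB_INSTANCE_PATH.encode("utf-16-le"),
}

# _??_USBSTOR#<type>&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&<instance>#{interface GUID}
USBSTOR_RE = re.compile(
    r"_\?\?_USBSTOR#(?P<type>[^&#]+)&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<revision>[^#]*)#(?P<serial>[^&#]+)&(?P<instance>\d+)#"
)
DOS_DEVICE_RE = re.compile(r"\\DosDevices\\([A-Z]):$")


def decode_mounted_device(data: bytes) -> dict:
    """Classify one MountedDevices value's binary data."""
    if len(data) == 12:  # MBR-style fixed volume
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "fixed", "disk_signature": f"{signature:08x}", "offset": offset}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    match = USBSTOR_RE.match(text)
    if match:
        return {"kind": "usbstor", **match.groupdict()}
    return {"kind": "other", "text": text}


def usb_devices(mounted: dict) -> list:
    """All USBSTOR entries, with the drive letter when the value name is a DosDevices letter."""
    found = []
    for value_name, data in mounted.items():
        info = decode_mounted_device(data)
        if info["kind"] != "usbstor":
            continue
        letter = DOS_DEVICE_RE.match(value_name)
        info["letter"] = letter.group(1) if letter else None
        info["value_name"] = value_name
        found.append(info)
    return found


def letter_for_serial(mounted: dict, serial: str):
    """Drive letter last assigned to the USB device with this serial, or None."""
    for info in usb_devices(mounted):
        if info["serial"] == serial and info["letter"]:
            return info["letter"]
    return None


if __name__ == "__main__":
    for dev in usb_devices(SAMPLE_MOUNTED_DEVICES):
        print(dev["value_name"], "->", dev["vendor"], dev["product"], "serial", dev["serial"])
    print("letter for AA951D0000007252:", letter_for_serial(SAMPLE_MOUNTED_DEVICES, "AA951D0000007252"))
```

The same device shows up twice, once under its drive letter and once under its volume GUID, so counting USBSTOR entries overstates the number of devices; group by serial instead.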

Moving on to question #3: What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Challenge.0x0003

Once again, we found the volume name of the USB device, “SECRETPLANS”.

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3, to download the data.
I have attached the file here in case the link is gone: memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility.
As I was unsure of the profile to use, I used the imageinfo option to see which profiles I should use.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use either of the following profiles: Win7SP0x86, Win7SP1x86.
Challenge.0x0001

The first question: To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The option that we should be using is “netscan” and the command is
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.
Challenge.0x0002

However, we are supposed to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to “199.73.28.114” and that is our answer.
Challenge.0x0003

For the 2nd question: What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key in order to learn the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The option that we will be using in Volatility is printkey -K "Volatile Environment":
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img printkey -K "Volatile Environment"

As we can see in the image below, the username is “vibranium”.
Challenge.0x0004

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straightforward. According to https://technet.microsoft.com/en-us/library/bb457123.aspx, “ntoskrnl.exe” is the first to load, so we know that the “System” process is the one we should be checking.

Using the “pslist” option:
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the time for “System” is 2012-04-04 11:47:29 UTC+0000 and that is our answer to the last question.
Challenge.0x0005

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo

[ Super Funday Mini Series : LINE Forensic Artifacts – Android Edition ]

This is the 2nd article in the “Super Funday Mini Series” about recovering forensics artifacts from mobile applications for your digital forensics investigations.

Today, I’ll be covering LINE Forensic Artifacts – Android Edition.
However, as I was writing this, I thought that a lot more information could be uncovered if I were to reverse the application.
LINE (version 4.7.1 is the version which I did my testing on) is a cross-platform application that allows users to make voice calls, send messages and share images with their contacts using Windows, iOS, Android, BlackBerry, Nokia Asha, Mac OS X and Windows Phone devices.

[ Tool Used ]

[ Why are LINE Artifacts Important to Your Mobile Forensics Investigations? ]
Much like other IM (Instant Messaging) applications, LINE contacts, messages, and attachments are valuable to forensics investigators who are looking to recover evidence for a variety of different investigation types. Whether you’re analyzing the mobile device of a suspect or a victim, these chat artifacts can contain valuable information to help solve a case.

In order to gain access to the more important LINE artifacts, forensic investigators must root the Android device or obtain a physical acquisition of it.
Some of the more important LINE artifacts in Android can be found at:

The “naver_line” file is a relatively simple SQLite database with 25 tables:

Inside the “contacts” table, each contact is given a unique identifier, “m_id”.
This table includes the contact’s name in the address book, message status, timestamps, and other details.
Chat history in LINE is kept in the “chat_history” table. This table contains the messages along with timestamps and other relevant data.
Included in this table are the message content, timestamps for sent and received messages, status, state (whether the message has been delivered, read, etc.) and attachments (if applicable).

If you start a “Private Chat”, it will also be stored unencrypted in “chat_history” like the image shown below.
LINE.003

Image 0 : Screenshot of “Private Chat” entry in LINE’s “naver_line” DB

However, the “Private Chat” entry resides in that table for 1 minute after the receiver reads the message before it is removed.
In my experiment, I noticed that the timer to remove the message ends a few seconds earlier than the timer on the sender’s end.
What this means is that after the receiver starts reading the message, it syncs back to LINE’s server. LINE’s server informs the sender and the timer begins.

What is interesting is that it is not actually deleted after 1 minute. The entry is removed from the table, but not permanently until some time later.
I extracted the DB and still managed to recover the “Private Chat” message, as shown below:
LINE.004

Image 1 : Screenshot of “deleted messages” which are not “deleted” immediately in LINE

The deletion of the “Private Chat” is controlled by the “Parameter” column in the “chat_history” table.

If you view the “naver_line” DB, you will also notice that a typical private message is easily identified by searching for a user’s ID followed by “+private”, as shown below:
+private
or in my case
ua7e104955a98f119841feb96da47a0ef+private
followed by “1415376903”, which is the timestamp of the message as an Epoch timestamp.

All messages appear together in the “chat_history” table, which can be challenging to sift through if multiple conversations occurred at the same time. To analyze these conversations properly, forensic investigators need to refer to both chat_id, which identifies who the conversation was with, and from_mid, which indicates which party sent or received the message. Additionally, the “read_count” and “sent_count” columns indicate how many people were sent the message and how many had read it.

The “naver_line_private_chat” SQLite database contains the following 3 tables:

A typical entry will look like this.
LINE.002

Image 2 : Screenshot of “naver_line_private_chat” in LINE

Another interesting DB is “line_general_key_value”; its “key_value_blob” table contains “PRIVATE_CHAT_PRIVATE_KEY” and “PRIVATE_CHAT_PUBLIC_KEY”.
I would probably need to fully reverse this application to see where these are used.

Even though there is an option to remove all the chat messages under
“Settings” -> “Privacy” -> “Clear Chat Messages”,
it seems that it does not “VACUUM” the SQLite database afterwards. Thus forensic investigators are still able to retrieve some valuable information from the databases.

[ Timeline of LINE’s user ]
Another interesting artifact could be found under the following location:
/storage/sdcard0/Android/data/jp.naver.line.android/storage/obse/post/
Inside this folder, there are many files with random filenames.
These files contain the “messages” that a LINE user wrote under “Timeline”.
I have not reversed the application yet to fully understand what the structure looks like.

While this week’s blog post is not very comprehensive, I do hope this “Super Funday Mini-Series” will be sufficient for others to pick up and further expand on the information that I’ve shared today.
Hopefully, I will find time to reverse this application and “find out the truth” about the other parts which I didn’t cover today.

Happy Reversing,
Jacob Soo

[ Super Funday Mini Series : Viber Forensic Artifacts – Android Edition ]

This is the start of a series of blog posts about recovering forensic artifacts from mobile applications for your digital forensics investigations.
This series is my tribute to Lookout Security for all the help they rendered; all the people there were very nice to me, especially Tim Strazzere, Marc Rogers, tamakikusu and Caleb Fenton. Thanks a lot.

Today, I’ll be talking about Viber Forensic Artifacts – Android Edition.
Viber (version 5.0.2.12 is the version which I did my testing on) is a cross-platform application that allows users to make voice calls, send messages and share images with their contacts using Windows, iOS, Android, BlackBerry, Symbian and Windows Phone devices.

[ Tool Used ]

[ Why are Viber Artifacts Important to Your Mobile Forensics Investigations? ]
Currently, smartphones are used worldwide by billions of people to communicate and keep updated with the latest news.
Smartphone users spend the majority of their time on their devices sending emails, surfing the web, updating their social network status and/or chatting with others using various applications.

As such, it is getting more important for people working in the field of #DFIR to investigate mobile applications such as Viber as a source of evidence. The ability to recover data from this application will potentially become important to their investigations, since Viber is widely used, as shown by the number of installs indicated in the Google Play Store.
viber.005

Image 0 : Screenshot of stats

On Android, most Viber artifacts relevant to forensic investigations are stored in SQLite databases, similar to other smartphone chat applications.
In order to gain access to the more important Viber artifacts, investigators must root the Android device or obtain a physical acquisition of it.

Some of the more important Viber artifacts in Android can be found at:

These databases store details on the Viber user’s contacts, messages and attachments sent and received through the Viber application.

[ The Artifacts About The Viber User ]
Often during a forensic investigation, we want to gather as much information about the user as possible: information such as the email used, phone number, contacts and activated SIM serial.
Viber stores information about:

We can cross verify some of the information with the .userdata file found in the location below.

[ The Key Artifacts That Need to Be Found When Investigating Viber ]
While doing mobile forensics, there are some key artifacts that we need to find in order to gain more insight about the Viber user.

1) Viber Contacts

Viber stores user contacts within the “viber_data” SQLite database.

There are several tables in the SQLite database such as the following:

The “phonebookcontact” table contains valuable information on all of the Viber user’s contacts.
The table contains the following columns for each contact:
_id, native_id, display_name, phonetic_name, phone_label, low_display_name, starred, viber, viber_out, contact_lookup_key, contact_hash_version, has_number, has_name, native_photo_id, recently_joined_date, joined_date, numbers_name, deleted, flags.
viber.001

Image 1 : Screenshot of viber_data SQLite DB

Right now, I have not determined how “contact_lookup_key” and “contact_hash” are generated, or what the purpose of these columns is.

Another interesting table, “calls”, is useful for investigators to know whether the Viber user made or received any calls. The calls are not limited to Viber-to-Viber users; it also contains information on Viber Out calls.

The table consists of these columns:

Some of the findings I made are:

  • The values in “duration” are measured in seconds.
  • The timestamps in all the tables are Epoch timestamps.
  • The values in “viber_call_type” mean the following:
    * 1 – Viber user to Viber user call
    * 2 – Viber Out call

2) Viber Messages

Given that Viber is an IM application with call capability, it’s likely that the most valuable evidence will be found in the conversation(s).
Earlier on, we mentioned that there is another SQLite database, viber_messages.
This DB comprises the following tables:
android_metadata, conversations, group_conversations_extras, kvdata, messages, messages_calls, participants, participants_info, public_messages_extras, purchase, sqlite_sequence, stickers, stickers_packages

The particular tables which we are more interested in are “conversations”, “messages”, “participants” and “participants_info”.

All messages appear together in the “messages” table, which makes it an uphill and challenging task to sift through several conversations that could have occurred simultaneously.
To analyze these conversations, we always need to refer to “conversation_id” and “group_id”, which help us identify who the conversation was with.
Additionally, the “read” column tells us whether the Viber user has read a given message (a value of 0 means read, while 1 means unread).

In the “participants_info” table, we can gather information on who the friends of this Viber user are, and possibly their geolocation if they had enabled that.

3) Viber Attachments

Viber also supports the transfer of photos. Photos, sent from either the camera or the gallery, are stored on the mobile device.
It is also worth noting that an attachment can include a “description” entered by the sender of the attachment. The “description” might or might not contain important information.

We can find out the exact location of all these photos in the “extra_uri” column in the “messages” table.
viber.002

Image 2 : Screenshot of attachments location in Viber

[ Recovering Clear Message History ]
There is a “Clear Message History” option in Viber for users to delete all their messages.
This may appear to work if you use SQLite Browser to view the SQLite DB, as shown here.
viber.003

Image 3 : Screenshot of deleted messages in Viber

However, if you open the SQLite DB with Notepad++ or any other hex editor, you may see this instead.
viber.004

Image 4 : Screenshot of “deleted messages” which are not “deleted” in Viber

As you can see, we managed to get back the supposedly “Deleted Messages”. 😀
While this might not be one of those super-advanced articles, I do hope this “Super Funday Mini-Series” will be sufficient for others to pick up and learn more about mobile forensics.
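The recovery shown here and the observation in the LINE post that “Clear Chat Messages” does not VACUUM the database rest on the same SQLite behaviour: a DELETE only marks the cell’s space as free, so the bytes stay in the file until they are overwritten, the file is rebuilt by VACUUM, or secure_delete is on. This added Python example (not from the post; the chat_history schema, file name and messages are constructed) reproduces that and shows the two settings that actually destroy the content:

```python
import os
import sqlite3
import tempfile

# Constructed rows modelled on a chat_history table; the two "PRIVATE-msg-" rows
# are the ones the user later "clears" from the app.
SAMPLE_ROWS = [
    (1, "u001", "hello"),
    (2, "u001", "PRIVATE-msg-1415376903 see you at noon"),
    (3, "u002", "lunch?"),
    (4, "u001", "PRIVATE-msg-1415376955 bring the slides"),
    (5, "u002", "ok"),
]
MARKER = b"PRIVATE-msg-"


def clear_and_carve(secure_delete=False, vacuum=False):
    """Create a chat DB, delete the private rows the way a 'Clear Chat Messages'
    feature would, then carve the raw file for the deleted text.

    Returns (rows_still_visible, raw_marker_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "naver_line")  # constructed file name
        con = sqlite3.connect(path)
        # secure_delete makes SQLite zero freed cells; OFF is the common default.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute(
            "CREATE TABLE chat_history (id INTEGER PRIMARY KEY, chat_id TEXT, content TEXT)"
        )
        con.executemany("INSERT INTO chat_history VALUES (?, ?, ?)", SAMPLE_ROWS)
        con.commit()

        # What the app does: a plain DELETE. The cells become free space inside the page.
        con.execute("DELETE FROM chat_history WHERE content LIKE 'PRIVATE-msg-%'")
        con.commit()
        if vacuum:
            con.execute("VACUUM")  # rebuilds the file from live rows only
        rows_visible = con.execute("SELECT COUNT(*) FROM chat_history").fetchone()[0]
        con.close()

        # What the examiner does: ignore the SQL layer and search the file bytes,
        # which is all the hex-editor view in the post is doing.
        with open(path, "rb") as fh:
            raw = fh.read()
        return rows_visible, raw.count(MARKER)


if __name__ == "__main__":
    for sd, vac in [(False, False), (False, True), (True, False)]:
        rows, hits = clear_and_carve(sd, vac)
        print(f"secure_delete={sd!s:5} vacuum={vac!s:5} -> rows visible={rows}, carved hits={hits}")
```

The -journal and -wal sidecar files next to a database can hold the same freed content, so acquire them together with the main file.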

Happy Reversing,
Jacob Soo

[ Forensics Walk-through: DFIRCON EAST Smartphone Forensics Challenge ]

Today I was asked by a good friend of mine on whether there could be 2 answer(s) to the last question in DFIRCON EAST Smartphone Forensics Challenge.

Being the curious cat, I downloaded the challenge, had a quick look and decided to write this out while I’m at it. It seems we are given an iOS backup folder and an Android .apk file.

[ Tools Used ]
iPhone Backup Browser – https://code.google.com/p/iphonebackupbrowser/
SQLite Database Browser – http://sqlitebrowser.org/
pList Editor – http://www.icopybot.com/plist-editor.htm or use the default viewer in Mac
Cerbero Profiler – http://cerbero.io/profiler/

Let’s go through the question(s) and load the iOS backup folder using iPhone Backup Browser as shown here.
DFIR.001

[ 1st Question ]
1. What third-party applications have been granted access to device camera photos?
If you have done iOS forensics before, you will know it’s always good to do a quick check of the TCC SQLite3 database.
You might be asking “What is the TCC SQLite3 database?”
Well, this SQLite3 database is used to control what permissions iOS apps have.
TCC.db is located at the following location on your phone:
/root/var/mobile/Library/TCC/TCC.db
Likewise this file also exists on a Mac.
~/Library/Application Support/com.apple.TCC/TCC.db

In case you have “accidentally” allowed more permissions than you wanted, you can use tccutil to reset the permissions instead of “tampering” with the SQLite3 file.

So, opening TCC.db in SQLite DB Browser, we can immediately see which permissions were granted to which applications.
DFIR.002

So for this particular question, Facebook and Dropbox were both granted permission to access the device camera photos.

[ 2nd Question ]
2. What third-party applications have been granted access to the device address book?
Actually, if you had looked at TCC.db, you will have noticed that the answer to this question is “Waze”, as shown here.
DFIR.003

[ 3rd Question ]
3. Which websites were visited that requested the iPhone’s geolocation information for optimal browsing and were granted access?
Now, if you want to find out which website(s) requested this, the first thing to look for is GeolocationSites.plist.
In this case, if you use iPhone Backup Browser to extract the file, it should be located here:
iOS backup\Liz Lemon’s iPhone\System\Library\WebKit\GeolocationSites.plist
Using pList Editor or the default one on a Mac, you should see something like this.

Based on the returned results, we know that both “https://m.stubhub.com” and “http://m.simplyhired.com” are the websites that requested geolocation and were granted access.

[ 4th Question ]
4. What permissions does the application MysteryApp.apk NOT have on the device?
Naise, now we have moved on to the Android .apk file.
Let’s extract the AndroidManifest.xml file, and we should have something like this.
DFIR.004
And if we do a quick check against the options that we were given:

  • Record audio
  • Read contacts
  • Send SMS
  • Record video
  • Mount & unmount files

We can quickly eliminate the others and see that the permission “MysteryApp.apk” does not have is “Record video”.

[ 5th Question ]
5. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?
This is the question which my good friend asked about.
To me, if it’s the SHA1 of classes.dex, the answer is definitely “0C3A720EB61D736E21561E9AA96066A4771F0F70”.
My friend was actually talking about the SHA-1 signature found in the Dex header.
But the answer key said “SHA1 (value within file)”, so I’m not sure whether the original question implied the wrong thing or the answer was weird.
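The two readings of the question really are two different values. This added Python example (not from the post; the DEX bytes are constructed, not MysteryApp.apk) builds a minimal DEX-like blob and compares the SHA-1 of the whole classes.dex with the 20-byte signature stored in its header, which is a SHA-1 over everything after the signature field (offset 32 to end of file), so the two can never be equal:

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"  # 8-byte magic for the 035 DEX format
HEADER_SIZE = 0x70            # header_item is always 0x70 bytes


def build_constructed_dex(body: bytes) -> bytes:
    """Build a minimal, self-consistent DEX-like blob for demonstration.

    Only the header fields this example reads are populated; everything else is zero.
    This is NOT a loadable dex, just enough structure to show how the digests relate."""
    file_size = HEADER_SIZE + len(body)
    after_sig = struct.pack("<II", file_size, HEADER_SIZE) + b"\x00" * (HEADER_SIZE - 40) + body
    signature = hashlib.sha1(after_sig).digest()                  # covers offset 32..EOF
    checksum = zlib.adler32(signature + after_sig) & 0xFFFFFFFF  # covers offset 12..EOF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + after_sig


def inspect_dex(blob: bytes) -> dict:
    """Compare the whole-file SHA-1 with the SHA-1 stored in the DEX header."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    header_signature = blob[12:32]
    (file_size,) = struct.unpack_from("<I", blob, 32)
    return {
        # what a tool reports as "SHA1 of classes.dex": digest of every byte of the file
        "whole_file_sha1": hashlib.sha1(blob).hexdigest(),
        # what the header carries: SHA-1 of bytes 32..EOF, so it cannot equal the above
        "header_signature": header_signature.hex(),
        "signature_valid": hashlib.sha1(blob[32:]).digest() == header_signature,
        "checksum_valid": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum,
        "size_valid": file_size == len(blob),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # inspect a real classes.dex extracted from an apk
        with open(sys.argv[1], "rb") as fh:
            info = inspect_dex(fh.read())
    else:                  # or the constructed one
        info = inspect_dex(build_constructed_dex(b"constructed classes.dex body"))
    for key, value in info.items():
        print(f"{key:17} {value}")
```

A header signature that does not verify is worth noting in a report: either the file was modified after packaging or the sample was damaged in acquisition.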

[ 6th Question ]
6. What foreign language word(s) are found within the MysteryApp.apk application?
We were given these options:

  • запись аудио – Record audio
  • mesajlaşma – Messaging
  • 未接来电 – Missed Calls
  • 連絡 – Contacts
  • None of the above

For this particular question, you can use Cerbero Profiler, and you will immediately know that the only foreign language found is Chinese.
Doing a quick check, we will see this.
DFIR.005
Thus we know the correct answer to this is “未接来电 – Missed Calls”.

After doing a speed-run on this, I really regretted not taking part in DFIRCON EAST Smartphone Forensics Challenge in the first place. xDDD

I do hope this quick walk-through will be sufficient for others to pick up and learn more about mobile forensics.

Happy Reversing,
Jacob Soo