DFIR

A SANS 2021 Report: Securing Cell Phones

Very Interesting paper regarding our cell phones security, how the adversaries are evolving in this field and how little we spend securing our devices. It tries to bring some light to a subject that is being a real concern, which is how to secure our cell phones and why it’s so important. Also predicts very accurately the fact that we are gonna have to start getting focused on securing the mobile devices, since it’s the future.

You can read this paper here.

Standard
DFIR

The Who, What, Where, When, Why and How of Effective Threat Hunting

Excellent paper from Robert M. Lee and Rob Lee about what it is Threat Hunting, when you should implement it, how to make it more effective; whom should be taking care of this role, in which part of your organization should be located, among other things.

Highly recommended if you’re interested on the Intelligence methodologies and implementing this practice on your company’s maturity model.

You can find this paper at the SANS DFIR community here.

Standard
DFIR

Intel Driven Defense – Recommended reading

Great paper about the CND and Cyber Kill Chain, a short explanation (around 14 pages) on the intelligence process from both sides of the equation: “The Adversary” and “The Defenders”. How to take advantage of every piece of information and correlate it with it’s spot on the chain, developing a better reactive and proactive plan.

You can find it here.

Standard
DFIR

Forensics: Browser Forensics 101

(Yeah, not today…)

Hello there! (I know, Obi-Wan would it be proud!)

Today I bring to you some basic procedures that might help you to research possible IOCs, evidence or resources to be analyzed on your intelligence cycle. All of this in the context of well known Internet Browsers (Chrome, Firefox, Edge, etc).

In my experience so far, trying to gather as much information as possible from a Browser, I use a free tool called Sqlite Browser (https://sqlitebrowser.org/dl/):

This very intuitive and easy-to-use software, lets you browse the common local databases that this browsers creates to store your historical information, such as downloads, urls, searches, logs, in a timeline.

You can achieve this exploring the usual common paths for this browsers:

C:\Users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default

C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PROFILEID


Before touching anything at all, the golden rule in forensics is “Never use the original, always make a copy”. So what we are going to do is hash the original file, make a copy of this file and hash that copy too, this way we could rest sure is an exact match.

In windows you can achieve that using Powershell:

Once you have that copy with the exact match as a proof, you can start working on it.


–Open the Sqlite DB browser and click on “Open Database Read Only”:

If you ask Why Read Only? is because you want to extract information from here without affecting it’s integrity. I know it’s a copy, but still ¡It’s a good habit! Make sure you select “All Files(*)

Here you will see all the tables on the file:

I dare to say almost every table can give you a lot of information, I will not go deep on every one of these, but as an example, you can check the Downloads history, with the right time and place (URL in this case…).

–Go to the second tab “Browse Data” and on ‘Table’ select Downloads:

(I had to make it in two pictures since it’s too long, with too many columns)

From this columns you can get dates, urls, sizes, the exact time it took to download, the mime types and much more.

Something that it’s important to say, is that the times are displayed on Epoch/Unix, so you can use an online converter like: https://www.epochconverter.com/ to read it in human format.

–Switch to other tables like “urls” and you will see different columns/information like :

–Another interesting table is “Keyword_Search_Terms”, as it’s name says, it represents all your searches on search engines :

–If we decide to explore/switch to a different file, another one very useful can be Bookmarks or Cookies. Some of the columns with information that you might find here:

Take your time to explore all the different files that you can find on this browser’s default paths, just remember to follow the first part, never play with an original file, you might corrupt the data.


Now, let’s say you want to find out if someone used the built-in feature of the browser to clear/delete history, caché and/or downloads. Here’s something you can use to, not just confirm if this has been done, but also to know which “period” or “range” in the history has been deleted:

->Close Chrome (As an example) and then open the following path:
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

->Find a file called “Preferences” , right click on it and “Open with”  Notepad, Notepad++, Sublime, Wordpad or any other text editor:

-> Open Find on your editor (Usually CTRL + depending on your layout), and search for ‘clear_data’

->If the browser history has been cleared, you should see something like:

Pay attention to the number after Time period and check the table below to know what range of time was select for whom deleted the information.

-> You can compare here the user’s choice vs the values that you might find:


Hopefully this will be useful for you, this are just some tips that might help you with your investigation, hobby, CTF.

Regards my friends!

~Escaflowne~

Standard