Category: computer forensics

Mining Ports for Malware

I recently wrote a script that runs from cron and port scans all of our servers daily. It saves the output, diffs it against the previous day's, and emails me as new ports open up.

I think this will be a good way to detect new services and potential malware infection, but what about machines that are already infected?

To address that I wrote a function that parses the output for known malware ports. The only problem is that I can't find a definitive list of known malware ports. Does anyone know of such a resource?
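As an added illustration (not the script from the post), here is a Python sketch of the two checks described: diffing today's nmap grepable output against yesterday's per host, and flagging any open port that appears on a watchlist. The scan lines and the watchlist entries are constructed placeholders, and the host addresses and port labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample nmap grepable (-oG) output for two consecutive days.
# Hosts and ports are made up for the example; not real scan data.
YESTERDAY = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
"""
TODAY = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.0.7 ()\tPorts: 6667/open/tcp//irc///
"""

# Hypothetical watchlist (port -> label). Fill it from whatever resource you
# settle on; these two entries are placeholders, not an authoritative list.
WATCHLIST = {31337: "historic backdoor default port", 6667: "IRC (common bot C2 channel)"}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")

def parse_grepable(text):
    """Return {host: {(port, proto), ...}} of open ports from nmap -oG output."""
    result = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment/summary lines
        host = line.split()[1]
        for port, proto in PORT_RE.findall(line):
            result[host].add((int(port), proto))
    return result

def diff_scans(old_text, new_text):
    """Ports open in the new scan that were not open in the old one, by host."""
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    added = {h: sorted(new[h] - old.get(h, set())) for h in new}
    return {h: p for h, p in added.items() if p}

def flag_watchlisted(scan_text):
    """Every currently open port on the watchlist, whether new or not."""
    hits = []
    for host, ports in parse_grepable(scan_text).items():
        for port, proto in sorted(ports):
            if port in WATCHLIST:
                hits.append((host, port, proto, WATCHLIST[port]))
    return hits

if __name__ == "__main__":
    for host, ports in diff_scans(YESTERDAY, TODAY).items():
        print(f"NEW on {host}: {ports}")
    for host, port, proto, label in flag_watchlisted(TODAY):
        print(f"WATCHLIST {host} {port}/{proto}: {label}")
```

Running the diff and the watchlist check separately is what catches the already-infected case: a port that was open before the first baseline never shows up as "new".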

Loaded C:\WINNT\system32\KERNEL32.dll differs from file image

I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when running Sysinternals/Microsoft's listdlls.exe.

*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0x102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll

Now I can think of lots of malicious reasons why this would happen. In fact I recently wrote about one of them. But I can't think of any legitimate reasons.

I'm not one to jump to conclusions without having evaluated all the possibilities, but my research is turning up almost nothing.

Can anyone think of a legitimate reason why Windows would load kernel32.dll and then something would alter it as it's going into memory?

Thanks guys.
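As an added example (not part of the post or of the First Responder script), here is a Python parser for the listdlls "differs from file image" warning quoted above, plus a helper that correlates findings across servers so a module flagged identically on every host stands out from a one-off. The sample output is constructed from the quoted lines; the extra clean ntdll.dll line and the server names are assumptions.

```python
import re
from datetime import datetime

# Constructed listdlls.exe excerpt modelled on the warning in the post. The
# final (clean, unflagged) ntdll.dll line is made up for contrast.
LISTDLLS_OUTPUT = """\
*** Loaded C:\\WINNT\\system32\\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0x102000  5.02.3790.4062  C:\\WINNT\\system32\\KERNEL32.dll
0x7c800000  0xf4000  5.02.3790.4062  C:\\WINNT\\system32\\ntdll.dll
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
DIFFERS_RE = re.compile(r"^\*\*\* Loaded (?P<path>.+?) differs from file image:$")
TS_RE = re.compile(r"^\*\*\* (?P<kind>File|Loaded image) timestamp:\s+(?P<ts>.+)$")
MODULE_RE = re.compile(r"^\*\*\* (?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)"
                       r"\s+(?P<ver>\S+)\s+(?P<path>.+)$")

def parse_differs_warnings(text):
    """Turn each '*** ... differs from file image' block into a dict."""
    findings, current = [], None
    for line in text.splitlines():
        m = DIFFERS_RE.match(line)
        if m:                                   # start of a warning block
            current = {"path": m.group("path")}
            findings.append(current)
            continue
        if current is None:
            continue                            # ordinary module line, not flagged
        m = TS_RE.match(line)
        if m:
            key = "file_ts" if m.group("kind") == "File" else "loaded_ts"
            current[key] = datetime.strptime(m.group("ts").strip(), TS_FMT)
            continue
        m = MODULE_RE.match(line)               # closing line: base, size, version
        if m:
            current.update(base=m.group("base"), size=m.group("size"), version=m.group("ver"))
            if "file_ts" in current and "loaded_ts" in current:
                current["skew_seconds"] = (current["loaded_ts"] - current["file_ts"]).total_seconds()
            current = None
    return findings

def correlate(outputs_by_server):
    """Map lower-cased module path -> set of servers that flagged it."""
    by_module = {}
    for server, text in outputs_by_server.items():
        for f in parse_differs_warnings(text):
            by_module.setdefault(f["path"].lower(), set()).add(server)
    return by_module
```

A module that shows the same version and the same one-second skew on every server points to a systemic cause worth checking before treating each host as an incident; a module flagged on a single host is the one to image first.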

More on Heartland

Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed that the breach was first discovered in late October or early November, whereas previous statements had indicated only that it was in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the "sniffer" software used to collect the data was located only last week.


Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case

The case against Connecticut substitute teacher Julie Amero has finally come to a close. Prosecutors dropped the felony charges against her, but the agreement called for a guilty plea to a misdemeanor charge of disorderly conduct and surrender of her state teaching credential. Amero had previously been convicted of endangering minors and faced 40 years in prison. Prosecutors alleged that in 2004 she had surfed to dubious websites that displayed pornographic pop-ups on a computer in the classroom; when security specialists caught wind of the case, they pushed to examine the computer in question and found that the school district had inadequate anti-malware protection on that computer and the pop-ups were not Amero's fault.

This is easily one of the most frustrating InfoSec stories of recent years. In case you are unaware, some poor substitute teacher in Connecticut was using a computer in a classroom when a flood of pornographic pop-ups (induced by malware) came up on the screen. She found herself in court facing child endangerment charges and up to 40 years in prison.

This highlights how scary our legal system can get. If you have no idea what a case is about, do not try to render a verdict. Defer it to another judge or a jury, or call in some experts. For God's sake, don't sentence someone for not doing anything wrong.

Building a Forensics Computer

At work it is fairly common for hard drives to die, for machines to become infected with a virus, trojan or worm, and for the occasional compromise. It just happens when you have so many machines; the odds are against you.

For this reason I wanted to build a machine specifically for forensics purposes, similar to the Forensic Recovery of Evidence Device (FRED) systems put out by Digital Intelligence.

The first time I saw the FRED it just made sense.

  • Empty removable drive bays for the drive you want to image, analyze or restore.
  • Conveniently accessible ports for every imaginable type of peripheral.
  • A large storage disk for storing images of drives, case files and VMWare images, etc.
  • And of course, load it with every imaginable forensic and security tool you could ever need.

Here are the parts and the reason for each selection:

Multi-function Panel

I used the SunBeamTech 20-in-1 5.25″ Multi-function Panel. This little unit is awesome! It occupies one 5.25″ drive slot and contains USB, FireWire, SATA, composite video, audio jacks, a -TON- of card readers, two internal thermometers that display their respective temperatures on an LCD on the front, and two fan speed controllers. This unit has a LOT of cables that really clutter up the interior of the computer. If you're totally anal you may be able to zip-tie and twist-tie them up, but man, it is a LOT of cables.

5.25″ Storage Drawer

I use this to store adapters and screws for the drive trays, as well as a couple of my commonly used adapters: the 2.5″ laptop hard drive to 3.5″ IDE hard drive converter and the dual PS/2 to USB.

Hardware Write Blocker

If you want your evidence to be admissible in court, a write blocker is going to be a necessity. It ensures that the data isn't altered in any way (inadvertently or otherwise) during your investigation. I went with the MyKey NoWrite FPU. It comes recommended by the forensics community and is accredited for forensic investigation. It also supports both IDE and SATA and is relatively inexpensive compared to other write blockers.

Removable Drive Bays

I have 3 SATA and 2 IDE. These particular removable drive bays have built-in silent fans, with a nice digital temperature readout.

10 Bay ATX Case

I went with the Aerocool Masstige, mainly because it had all of the 5.25″ bays I needed in a mid-tower-ish size. Anything else with that many bays was a beast of a full-tower. It also turned out to be a strange coincidence that this case looks strikingly similar to the one used on the FRED.

Power Supply

You're going to need a great deal of juice to power all of these drives and devices. I went with a 500W PSU.

SATA Controller Card

I used a generic PCI IDE/SATA combo. Anything will do.

FireWire/USB Controller Card

Once again, I purchased a generic PCI card for this purpose. The one I got has one FireWire and one USB port on the inside. On the outside it has 2 FireWire and 4 USB ports. In my case, most of those ports were taken up by my multi-function panel.

Be sure to use a modern motherboard with 4+ PCI slots. They will fill up quickly as you add device capabilities.

The more RAM the better. If you plan on doing viral research or running virtual honeynets you will want to run VMware. The more virtual machines you have running, the more RAM you need.

Hard Drive(s)

Drive images, case files, evidence collection bin; you will be using the storage on this machine for many, many purposes. It would be best to run a large RAID 5 array in addition to your boot drive. Your array will be fairly static as far as physical drive additions and removals go, so it's not necessary for it to be in removable drive bays; however, keeping your OS drive in the bays is a good idea so you can switch OS by swapping in a new drive.

Once you put all of these pieces together you will have a very useful multipurpose machine. You will find that it will come in handy for so much more than forensic analysis.

The software I chose to install, and why, will be outlined in a later article.