Tuesday, July 16, 2019

Trace Labs Global Remote 2 CTF

On July 13, over 200 people (including myself) participated in Trace Labs' Global Remote 2 CTF for missing persons. This was my first cyber security or intelligence CTF, and it was enjoyable.

Update (2019/07/18): @raebaker put together a great overview of how the CTF works, the dashboard, and the overall feel during the CTF. You can view his write-up on Medium: Finding Missing People with Trace Labs CTF.

For the CTF, I used Buscador OS as my primary method of researching each case. Buscador OS comes with many tools built in and provides pre-configured browsers (Chrome, Firefox, Tor) for conducting different types of research. I mainly did research by hand instead of using the tools, due to my lack of knowledge of the techniques and lack of experience with the tools.

The book Open Source Intelligence Techniques by Michael Bazzell (site) provides good information for OSINT researching. Some of the tools are no longer available from the website but are shown in the book. You can read information about the tools from the IntelTechniques Forum post.

Tools Used

Spiderfoot - an automation OSINT tool

Spiderfoot provides a wide range of OSINT modules built within a Python framework. It comes with a full list of modules:

Module List from Spiderfoot (subset)
Someone could run any or all of the modules. I find it generally works better for research on domains, companies, and other research materials than on actual people. It has a lightweight Google and Bing search tool; however, searching each actual site yields more information for this CTF.

Sherlock - Locate UserNames across Social Media

Sherlock was not preinstalled in Buscador OS. I did use it through the Docker image with the information provided on the GitHub page. This tool was very interesting but limited as well. You give it a username, say "hunchly", and it will attempt every social media site within its list for the same username. This can locate a username used by one person across different sites.

I did find this one was very hit or miss. It does provide a quick way to check other sites without having to query them directly, and it provides a very easy-to-use Python script to perform the task.

Skiptracer - OSINT scraping framework

Skiptracer provides a way to search for phone numbers, emails, screen names, real names, addresses, IPs, hostnames, and breached credentials. I find that for searching for persons it is useful only in the US rather than internationally.

Some other team members used this more than I did. I did take a look at the tool to see how it worked. Knowing a few pieces of information may yield more through this command-line, question-driven tool.

Thoughts on the CTF

It is staggering the number of missing persons around the world. Some of these stories really hit home when you watch or read news about a missing person, leading you to want to find information about this person.

During this CTF, my team had minors, cold cases, and international and domestic cases. Each one of these presented its own challenges when locating information on a missing person. I enjoyed the learning curve, which was very high and demanding. The community was responsive to questions about tools and information about OSINT in general; they were also responsive to the information about cases after the end of the CTF.

The overall experience was well worth it. I only wish I could have competed in one in person and really worked to figure out the processes to directly help in support of missing persons.

Monday, July 1, 2019

DFIR OS Tsurugi

There are plenty of DFIR OSes out in the wild. SANS's SIFT workstation, Sumuri Paladin, and Digital Evidence & Forensics Toolkit (DEFT) are probably the best known ones. In my previous college class, I was shown an OS called Tsurugi. Tsurugi can be downloaded from its main page at https://tsurugi-linux.org. It is named after a legendary Japanese double-bladed sword used by ancient monks, which might be something similar to the image below.

The OS comes in three different types based on Ubuntu 16 LTS:

  • BENTO is the live DFIR distribution similar to Sumuri Paladin and the like. It gives a full set of DFIR tools and a write blocker.
  • TSURUGI Acquire provides a lightweight version of the LAB version for acquiring forensic images.
  • TSURUGI Linux [LAB] provides a complete DFIR suite that can be installed on a computer or VM.

I have yet to really test out BENTO, but I did perform a capture with TSURUGI Acquire. It uses Guymager as the imaging software. The imaging process was straightforward using the tool, and with the write blocker in place, it is easy to ensure nothing is written back to the source hard drive.

This shows the main screen of Guymager when you load it up. The screenshot is from the Guymager site.

I installed the LAB version inside of VirtualBox 6.0 using a red install icon on the desktop which starts up a graphical installer. It also requires you to unblock the proper drive to install the Linux version to. Installation was an average wizard-driven Linux installation process. During the installation, I set it to automatically log me on. I probably should configure it to not ask for the password when running stuff as 'su' since this is only a lab computer, similar to how SIFT works.

After installation, you get the main screen:

From here, all the tools are located under the application menu.

The menu is categorized by the type of tool (some tools appear in more than one menu). The full list of tools is located here: https://tsurugi-linux.org/documentation_tsurugi_linux_tools_listing.php#

The major issue that I've had with the system is running 'apt' to update the system. I found that if you end up running apt or similar updates in the system, it breaks some of the Python modules. I recommend keeping a snapshot after installation in case stuff breaks.

Other than the update problem, I find it works really well for running any CLI or GUI tool that is provided. The conky window on the right adds notable stats when you are working in the box as a quick reference and works well. I have not had a chance to use all the tools, but it runs similarly to other Ubuntu 16 LTS operating systems.

Sunday, May 19, 2019

Problems with Sift Workstation on Qubes OS 4.0

For a while now, I have had issues with SIFT Workstation in a Qubes OS VM. You can read about my issue on the sift-cli GitHub: teamdfir/sift#357

The sources.list file after I run the sift install/upgrade is as follows:

$ cat /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu xenial universe
deb http://archive.canonical.com/ubuntu xenial partner
deb http://archive.ubuntu.com/ubuntu xenial-security multiverse
deb http://archive.ubuntu.com/ubuntu xenial-updates main universe multiverse restricted
deb http://qubes.3isec.org/4.0 xenial main
deb http://archive.ubuntu.com/ubuntu xenial multiverse

Notice the first line. It should be 'main universe'; instead it is just 'universe'. This is wrong and you will get failures.

For some reason, I did not consider using a 'custom' repo file for this missing configuration. I created a new file located at: /etc/apt/sources.list.d/ubuntu-mail.list

It contained one line: deb http://archive.ubuntu.com/ubuntu xenial main

Then, I ran the 'sift update' command again with everything working as intended.
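The check above can be automated: parse the sources.list, see whether the archive.ubuntu.com xenial suite has 'main' enabled, and if not produce the one-line drop-in for sources.list.d. This is an added example (not from the post or sift-cli); the sample file content is the one shown in the post, and the function names are my own.

```python
"""Detect a missing 'main' component in an apt sources.list and build the
drop-in line that restores it. Added example, not sift-cli's own code."""

import os

# Constructed sample: the sources.list shown in the post after 'sift install'.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu xenial universe
deb http://archive.canonical.com/ubuntu xenial partner
deb http://archive.ubuntu.com/ubuntu xenial-security multiverse
deb http://archive.ubuntu.com/ubuntu xenial-updates main universe multiverse restricted
deb http://qubes.3isec.org/4.0 xenial main
deb http://archive.ubuntu.com/ubuntu xenial multiverse
"""

def parse_sources(text):
    """Yield (uri, suite, components) for each 'deb' line; comments and
    deb-src lines are skipped, an optional [options] block is dropped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 4 or parts[0] != "deb":
            continue
        if parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                continue  # malformed options block
            parts = parts[:1] + parts[end + 1:]
        if len(parts) >= 4:
            yield parts[1], parts[2], parts[3:]

def components_for(text, uri, suite):
    """Union of components enabled for exactly this archive URI and suite.
    The Qubes repo's 'xenial main' line does not count for archive.ubuntu.com."""
    enabled = set()
    for u, s, comps in parse_sources(text):
        if u == uri and s == suite:
            enabled.update(comps)
    return enabled

def missing_main_line(text, uri="http://archive.ubuntu.com/ubuntu", suite="xenial"):
    """Return the drop-in line needed to restore 'main', or None if present."""
    if "main" in components_for(text, uri, suite):
        return None
    return f"deb {uri} {suite} main"

def write_dropin(path, line):
    """Append the drop-in line to `path` (e.g. a file under
    /etc/apt/sources.list.d/) unless an identical line is already there."""
    if os.path.exists(path):
        with open(path) as f:
            if line in (l.strip() for l in f):
                return False
    with open(path, "a") as f:
        f.write(line + "\n")
    return True
```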

Wednesday, May 8, 2019

Hardware for a Digital Library


I decided to go with the large-format e-reader, the Onyx Boox NotePro. My reasoning is that it was nearly half the cost of the 2-in-1. Using it over the last couple of weeks, I find it easy to take notes on and read. There have been a few instances where I ended up stuck with the UI not responding the way I anticipated, but that might have been more user error with a new device than the device itself.


A while back I talked about maintaining a digital library. A personal library might have blog posts, digital books, and digital notes. A good resource when looking for digital information is the DFIR Training webpage. However, having this information is only useful if you can carry it around.

I recently started my Master's at Champlain College Online in DFIR. During this process, I realized that I required a digital library because I travel for work. I do already have a Pixel 2 XL, a Razer Blade Stealth (mid-2017, gray), and a Kobo Aura ONE. Each of these devices is useful; however, none of them truly solves my problem. The screen on my Pixel is good for reading in short bursts and researching many topics, but reading PDFs or any detailed images (such as the SANS.org cheat sheets) is horrible. The Razer Blade Stealth is a bit large in some situations. I realize it is a great ultrabook. Reading on it has the same issue as the Pixel. For e-readers, I swear by the Kobo Aura ONE (sadly, it has been discontinued). It is a great reader in most cases. However, it does not display textbooks or larger PDFs properly. I also have one of the smaller-storage models.

What choices did I look at? I was looking at a 2-in-1 computer or a pro e-reader.

For a 2-in-1 computer, the standard is the Microsoft Surface Pro 6, which provides a nice tablet for those running Windows. I am not in love with the keyboard. It does work well, has a nice screen, and works well for note taking. However, I am normally a Linux user (running Qubes OS 4). The Surface does not play well with Linux from what I can tell. Next, I also looked at the Lenovo X-1 Tablet, which is bigger than the Surface. It also does not work 100% (probably 90%) with Linux. It is cheaper than the Surface; however, according to some reviewers, the trackpad is just 'ok'. Lastly, I also looked at the Eve V, a crowd-sourced tablet which, like the X-1, comes with a keyboard and stylus while remaining cheaper than the Surface. Eve V, though, still has some issues with completing orders and hardware problems out of the box (< 5%).

For e-readers, there are two main companies, Sony and Onyx, which make professional e-readers. Sony e-readers ONLY read PDFs, which was a killer for me. Onyx has several which run a full version of Android, including the Google Play Store or whatever apps you choose to side-load.

In the end, I went with the Onyx BOOX NotePro. It was less than half the cost of the 2-in-1 computers while providing a good note-taking and reading experience (not nearly as good as the Kobo Aura ONE). It may be a bit heavier than the Sony products, but it's fairly light and even lighter than the Razer Blade Stealth. In the short time that I have had it, I find it reads PDFs really well and the epub experience is fairly good. The main drawback is that the reader turns completely off after about 30 mins of inactivity -- great for battery life but hard on shorter bursts of reading throughout the day.

Monday, May 6, 2019

Life Lessons Learned

response to Windows Incident Response: Lessons From Time In The Industry (05 May 2019)

I am probably going to echo many of the things said by Harlan Carvey, author of Windows Forensic Analysis Toolkit and Windows Registry Forensics. There are two statements which apply to any person working in any field: "Pick an area of interest." and "specialize in something."

First, I agree with picking an area of interest that you enjoy. This can be a large informational area, such as Information Technology or Law. I think these interest areas can be broad, allowing for learning a wide range of topics. Understanding topics near or around your chosen specialization leads a person to be better versed when a problem moves across topics.

Secondly, choose a specialization. I started telling this to people a few years ago after I realized I had been 'stuck' in what I consider 'Tier 1' jobs. I remain stuck due to the generalization of knowledge that I have, from System Administration to Network Administration to some programming to even cloud solutions. However, I have noticed that it does not matter how much you know or how spread out your knowledge is, but how you apply a limited subset of informational chunks. Specialization does not mean you never learn other skills, but it will provide the bulk of the knowledge employers hire you for.

It really does not matter how many certifications you have if you do not have the experience nor if your certifications do not improve over the years. As with 'Tier 1' jobs, I also consider certifications in tiers. So what do I mean by tiers? I use the terms similarly to how IT jobs are labeled: tier 1 (beginner), tier 2 (intermediate), tier 3 (expert/advanced). Here are some examples:

  • Tier 1: CompTIA A+/Net+/Sec+, Cisco Certified Network Associate, LPIC-1: System Administrator, SANS GSEC, Cyber First Responder
  • Tier 2: Cisco Certified Network Professional, ISC(2) CCSP/SSCP/CISSP, LPIC-2: Linux Engineer, SANS GNFA/GCFA
  • Tier 3: Cisco Certified Internetwork Expert, LPIC-3 series
This is not an exhaustive list. As you progress through your career, you need to move up into different tiers for your chosen specialization, then get other certifications you might want to attempt. Just do not try to specialize in everything; too many random certifications will get you passed over by employers.

Saturday, January 26, 2019

To be or not to be Examiner's Notes

This is in response to Rob Merriott's blog MS Word and OneNote should NEVER be used for Contemporaneous Notes.

I have nowhere near the experience that Rob has, or anyone else he quotes in the article. I am going to take this from the view of a young/inexperienced investigator. This page consists of my own interpretation and opinion and not that of my work or anyone else in the community.

Contemporaneous Notes? What?

As defined by Merriam-Webster's dictionary, contemporaneous means existing, occurring, or originating during the same time. In short, examiners create contemporaneous notes during an investigation. The second problem with the phrase "contemporaneous notes" is the word notes. Everyone has taken notes at some point in their life; however, note-taking during an investigation changes into something else.

Investigators need to take notes of any relevant information or thoughts related to cross-referencing information or similar. I would keep the notes highly objective and fact-related.

Note-taking Applications

As noted in Rob's article, most note-taking applications do not produce immutable, unchangeable notes once written. MS Word, LibreOffice's Writer, MS OneNote, Notepad, Evernote, and plenty of others provide a wide range of features such as online/offline support, spell-checking, cloud saving, collaboration, and some permission and restriction tables.

I agree with the article that none of these are infallible, whether through accident or malice. Someone could break into your computer or online account to delete/change your documentation without your knowledge. Normal notebooks have similar problems if someone were to steal, modify, or remove pages which you did not notice until days or months later.

In either case, protecting investigation notes should be at the top of the list. As stated in the article, an investigator not having the notes might cause only minor problems for a case; however, longer-term credibility problems could result.

Note protection

How does one protect their digital or physical notes? Investigators might want to place physical notes securely in a fire-proof box or off-site in a protected location (bank, archival company, etc.). Digital notes should be treated similarly. If using a word processor or local note-taking application, encryption is mandatory, along with backups. Also, I would consider using some offline log book to record changes to the notes (listing note title, date, time, and reason for the change) or some other record-keeping method.

Also, I have not used Rob's Forensic Notes, but I find that using this or a similar tool would simplify the process. I find typing much easier than trying to write a ton of documentation out by hand; having to decipher it later like the lost language of Atlantis makes for poor notes for most people today.

I do not think digital notes need to be fully immutable; I do think proper auditing and change management should be at the center of whatever digital application an investigator employs. This would provide both the initial record and allow additional details as the investigator continues the investigation.
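One way to get the auditable change record described above (the log of note title, date, time and reason for each change) without requiring the notes themselves to be immutable is a hash-chained change log: each entry commits to the note's content hash and to the previous entry, so a later edit or deletion of any earlier entry breaks the chain. This is an added example and not code from the post or from Forensic Notes; the case title and note text are constructed sample values.

```python
"""Tamper-evident change log for examiner notes (added example)."""

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_change(log, title, reason, note_text, when=None):
    """Record a change to note `title`: what changed and why, the hash of the
    note after the change, and a link to the previous record."""
    when = when or datetime.now(timezone.utc).isoformat()
    entry = {
        "title": title,
        "timestamp": when,
        "reason": reason,
        "note_sha256": hashlib.sha256(note_text.encode()).hexdigest(),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return (ok, index): index is the first entry whose hash or link to the
    previous entry no longer matches, or -1 when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(entry):
            return False, i
        prev = entry["hash"]
    return True, -1

def demo():
    """Constructed sample: two legitimate changes, then a silent edit of the
    first record's 'reason' field after the fact."""
    log = []
    title = "Case EXAMPLE-1 - laptop imaging"  # constructed case title
    append_change(log, title, "initial entry",
                  "Imaged laptop HDD with Guymager; hash verified.",
                  "2019-01-26T10:00:00+00:00")
    append_change(log, title, "added drive serial",
                  "Imaged laptop HDD (S/N EXAMPLE) with Guymager; hash verified.",
                  "2019-01-26T10:30:00+00:00")
    ok_before = verify_log(log)[0]
    log[0]["reason"] = "rewritten after the fact"  # tampering with history
    return ok_before, verify_log(log)
```

The chain alone does not detect truncation of the newest entries; periodically copying the latest entry hash somewhere outside the log (for example the offline log book mentioned above) closes that gap.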

Friday, December 7, 2018

Problems with Cisco Certifications

The last few months, I have been trying to pass two different Cisco certifications: CCNA and CCNA Collaboration. Most people who have attempted Cisco exams find they are difficult (bear in mind that 'test' banks or kits are another issue).

Study Materials

I usually grab the official Cisco Press books and start from there. Virtualization labs and equipment are nice if you can get them or have the time to configure them. I travel for work and I usually do not have time to set up these labs, but the books and practice tests are usually good enough.

Certification Tests

I passed the CCNA 200-125 exam barely; however, it covered nearly 2000 pages of material and I had 4 to 5 labs. One of the labs on Layer 2 with trunk ports did not work completely. I had some issues with a strange error on one of the ports. I have not managed to figure out what the error was, nor have I seen it on any switches which I have configured.

As for the CCNA Collaboration 210-060, I have failed it two times. I did not find the exam extremely challenging because it was mainly a "fact check" exam. If that was the case, why did I fail it? Simple: the official materials did not have all the information tested on the exam. Even the list of recommended study materials on the certification exam site did not have all the information required to pass the exam. Basically, if you did not use one of these 'test' banks, then you have a high chance of failing.

The Pearson IT Certification prep practice exams do help prepare for the exam. However, they listed the passing score as 800 and not 860. This causes both confusion and a possible first-time failure when using the practice tests to gauge the passing score.

Frustration and Third Retest

I am very frustrated at failing the exam (by 65 and 15 points respectively for each attempt). The first exam had a large number of Cisco Unity and IM/Presence questions, whereas the second exam seemed to be more balanced. I find that neither exam had much on CME CLI, but some test takers said they had a fair portion of questions from CME CLI.

So, if there are any extra materials out there, let me know. I plan to retest again at the end of the month. I guess Cisco says "everything is on the test" and throws out the exam topics.