Saturday, January 26, 2019

To be or not to be Examiner's Notes

This is in response to Rob Merriott's blog MS Word and OneNote should NEVER be used for Contemporaneous Notes.

I have nowhere near the experience that Rob has, or anyone else he quotes in the article. I am going to take this from the perspective of young/inexperienced investigators. This page consists of my own interpretation and opinion and not that of my work or anyone else in the community.

Contemporaneous Notes? What?

As defined by Merriam-Webster's dictionary, contemporaneous means existing, occurring, or originating during the same time. In short, examiners create contemporaneous notes during an investigation. The second problem with the phrase "contemporaneous notes" is notes. Everyone has taken notes at some point in their life; however, note taking during an investigation changes into something else.

Investigators need to take notes of any relevant information or thoughts, related to cross-referencing information or similar. I would keep the notes highly objective and fact-related.

Note-taking Applications

As noted in Rob's article, most note-taking applications do not provide immutable (unchangeable) notes once written. MS Word, LibreOffice's Writer, MS OneNote, Notepad, Evernote, and plenty of others provide a wide range of features such as online/offline support, spell-checking, cloud saving, collaboration, and some permission and restriction tables.

I agree with the article that none of these are infallible, either by accident or maliciously. Someone could break into your computer or online account to delete/change your documentation without your knowledge. Normal notebooks have similar problems if someone were to steal, modify, or remove pages, which you might not notice until days or months later.

In either case, protecting investigation notes should be at the top of the list. As stated in the article, an investigator not having the notes might cause only minor problems for a case; however, longer-term credibility problems could occur.

Note protection

How does one protect their digital or physical notes? Investigators might want to place physical notes securely in a fire-proof box or off-site in a protected location (bank, archival company, etc.). Digital notes should be treated similarly. If using a word processor or local note-taking application, encryption is mandatory, along with backups. Also, I would consider using some offline log book to record changes to the notes (listing note title, date, time, and reason for change) or some other record-keeping method.

Also, I have not used Rob's Forensic Notes, but I find that using this or a similar tool would simplify the process. Trying to write a ton of documentation out by hand and then trying to decipher it like the lost language of Atlantis makes for poor notes for most people today; I find typing much easier.

I do not think digital notes need to be fully immutable; I do think proper auditing and change management should be at the center of whatever digital application an investigator employs. This would preserve both the initial record and allow additional details as the investigator continues the investigation.
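One way to build the change log described above (note title, date, time, reason for change) with tamper evidence, as an added example that is not code from the original post or from Forensic Notes: each record is chained to the previous one by a SHA-256 hash, so a later edit or deletion of an earlier record is detectable. The NoteLog class, its field names and the "Case 42" sample entries are constructed for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def chain_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class NoteLog:
    """Append-only change log: each entry is (record, hash over prev hash + record)."""

    def __init__(self):
        self.entries = []

    def record(self, title, body, reason, when=None):
        """Log one change to a note; returns the entry's chain hash."""
        when = when or datetime.now(timezone.utc)
        rec = {
            "title": title,
            "timestamp": when.isoformat(timespec="seconds"),
            "reason": reason,
            # Hash of the note body, so the body itself can be stored elsewhere.
            "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        }
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = chain_hash(prev, rec)
        self.entries.append((rec, digest))
        return digest

    def verify(self):
        """Recompute the chain; returns (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, (rec, digest) in enumerate(self.entries):
            if chain_hash(prev, rec) != digest:
                return False, i
            prev = digest
        return True, None


def build_sample_log():
    """Constructed sample: two revisions of one note on a fixed date."""
    log = NoteLog()
    t0 = datetime(2019, 1, 26, 9, 0, tzinfo=timezone.utc)
    log.record("Case 42 - Triage", "Imaged drive; hash recorded.", "initial entry", t0)
    log.record("Case 42 - Triage", "Imaged drive; hash recorded. Hash verified.",
               "added verification result", t0.replace(hour=11))
    return log


def tamper_demo():
    """Edit an early record after the fact and show the chain no longer verifies."""
    log = build_sample_log()
    before = log.verify()
    log.entries[0][0]["reason"] = "routine update"  # silent edit of entry 0
    return before, log.verify()
```

Deleting an entry breaks the chain in the same way, because the next entry's hash was computed over the missing entry's digest.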

Friday, December 7, 2018

Problems with Cisco Certifications

Over the last few months, I have been trying to pass two different Cisco certifications: CCNA and CCNA Collaboration. Most people who have attempted Cisco exams find they are difficult (bear in mind that 'test' banks or kits are another issue).

Study Materials

I usually grab the official Cisco Press books and start from there. Virtualization labs and equipment are nice if you can get them or have the time to configure them. I travel for work and I usually do not have time to set up these labs, but the books and practice tests are usually good enough.

Certification Tests

I passed the CCNA 200-125 exam, barely; however, it covered nearly 2000 pages of material and I had 4 to 5 labs. One of the labs, on Layer 2 with trunk ports, did not work completely. I had some issues with a strange error on one of the ports. I have not managed to figure out what the error was, nor have I seen it on any switches which I have configured.

As for the CCNA Collaboration 210-060, I have failed it two times. I did not find the exam extremely challenging because it was mainly a "fact check" exam. If that was the case, why did I fail it? Simple: the official materials did not have all the information tested on the exam. Even the list of recommended study materials on the certification exam site did not have all the information required to pass the exam. Basically, if you did not use one of these 'test' banks, then you have a high chance of failing.

The Pearson IT Certification prep practice exams do help prepare for the exam. However, they listed the passing score as 800 and not 860. This causes both confusion and possible first-time failure when using the practice tests to gauge the passing score.

Frustration and Third Retest

I am very frustrated at failing the exam (by 65 and 15 points respectively for each attempt). The first exam had a large number of Cisco Unity and IM/Presence questions, where the second exam seemed to be more balanced. I found that neither exam had much on CME CLI, but some test takers said they had a fair portion of questions from CME CLI.

So, if there are any extra materials out there, let me know. I plan to retest again at the end of the month. I guess Cisco says "everything is on the test" and throws out the exam topics.

Monday, November 19, 2018

Maintaining a Digital Library

@xme posted an interesting dilemma on the SANS ISC InfoSec Forums in the post titled The Challenge of Managing Your Digital Library. He asked what seems like a simple question: "How do you manage your digital library on a daily basis?"

Before I get into that question, let me point out something about data creation. If you look at how much data is generated per day, per week, or per year, you find out it is a lot of data. There is plenty of generated data throughout the InfoSec community. I have two lists in Inoreader providing plenty of reading material (RSS links below):

Each one of these lists contains over 100 posts from the past two weeks. I am not stating that all the posts in each of these feeds are perfect (or even put into the proper groups); however, it is just a small slice of the information posted around the net dealing with two very hot topics.

How does someone manage all this information? One of the biggest problems I personally have is how to always have access to it. Cloud services do provide a quick method of accessing the information as long as you secure it properly or trust the provider directly. With security being a major issue with cloud services, what can be used instead? Instead of using cloud providers, a personal cloud could be set up between at least one server at home and one offsite.

I have had issues in certain jobs where accessing any cloud provider was strictly prohibited, either by a company rule, firewall/proxy configuration, or no usable data services. I have considered creating an Electron app to contain everything through a NoSQL database (CouchDB). This could even sync to another outside database when required. However, this makes everything self-hosted and maintained, and thus would have implementation issues.

Today, I really need to look at how to manage all the data; unlike xme, I am horrible at storing and retrieving data.

Friday, November 9, 2018

UMLinux and Malware Analysis

While reading Forensic Discovery by Dan Farmer and Wietse Venema, I ran across something called ReVirt for performing malware analysis. I pulled up the 2002 paper written by George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, and Peter M. Chen titled ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay.

In the paper, the authors explain that ReVirt solves two problems: improving the integrity of the logger being used and improving the completeness of the data the logger captures. The method of protecting the host computer is through the use of the UMLinux OS-on-OS structure. I had not seen this type of Linux before, so I took a look at the SourceForge page (linked above).

In the basic sense, UMLinux provides a secure way to run a Linux kernel and operating system on a Linux system in user mode. Linux provides two 'modes' in which to execute processes: kernel and user. Kernel mode is the most privileged mode, normally reserved for kernel and system processes, while user mode is the least privileged and hosts all user-created processes. This separation provides a clear security boundary to protect a system. A more in-depth article is on Linux Journal: "Kernel Mode Linux".

Why is running UMLinux in user mode important? The primary reason is that even if a rogue process managed to escape the virtualization layer, it would be contained within a normal user privilege level instead of full administrator/root access. The UMLinux project site provides instructions for running a Linux 2.6.x kernel in a virtual machine from the command line. Note: no virtualization software needs to be installed.

ReVirt uses UMLinux as a loadable kernel in the below architecture diagram:
This produces a secure environment (at least according to the paper) to run and test untrusted applications. ReVirt also logs all actions performed through system calls within the VMM (virtual machine monitor), and it can actually rewind and replay any set of instructions. This capability gives system administrators and malware analysts the ability to closely examine the untrusted application.

ReVirt's major capabilities are really interesting, but how do they apply to current technology? One of the newer types of environment created for malware analysis is REMnux. You can learn REMnux in SANS Institute's Reverse-Engineering Malware training. REMnux provides a full suite of tools created to work on malware. ReVirt specifically deals with the virtualization of a system to work on an untrusted application. In contrast, REMnux provides some virtualization technology (VMware and Docker) but a ton of tools for the analysis of applications, specifically malware.

Something to think about, though: REMnux is supposed to be put onto an untrusted system in an untrusted network zone. Docker is coming to the space to run applications within a secure and clean environment. In the meantime, ReVirt and REMnux each provide a way to accomplish similar tasks, and they are different; I wonder if REMnux could benefit from something from ReVirt. Joining these two together could even create a new way to examine applications and perform malware analysis.

Monday, October 29, 2018

Network Fuzzing through Mutiny Fuzzing Framework

Fuzzing provides a way to test for vulnerabilities by generating random data to push into an application. This can be used to test desktop applications, network applications, and just about anything else. I have seen plenty of other types of fuzzers for non-network applications. The Mutiny Fuzzing Framework provides an easy-to-use network fuzzer.

Per the website, it allows you to replay PCAPs through a mutational fuzzer. What the hell is a mutational fuzzer? It changes (or mutates) the specified data packets for every request sent to a host. This mutation may be applied to a legitimate, captured traffic stream, but it might also be applied to a generated packet stream based on what the user needs.

The video shows how it works with a simple Python script, but the computer-generated voice is hard to follow. There is plenty of documentation and source code on GitHub in the Cisco-Talos/mutiny-fuzzer repo.
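A minimal mutational fuzzer in the spirit of what the post describes, as an added example that is not Mutiny's code: instead of replaying a PCAP at a remote host, it mutates one constructed "captured" request and feeds every variant to a constructed toy length-prefixed parser, collecting the inputs that make it fail. The request format, toy_parse and the four mutation operators are assumptions for this illustration.

```python
import random
import struct

# Constructed sample request: 2-byte big-endian length followed by the payload,
# standing in for one packet captured in a PCAP.
CAPTURED_REQUEST = struct.pack(">H", 5) + b"HELLO"


def toy_parse(packet: bytes) -> bytes:
    """Constructed target service. It trusts the length field, so a length
    larger than the real payload raises, which stands in for a crash."""
    (length,) = struct.unpack(">H", packet[:2])  # struct.error if under 2 bytes
    payload = packet[2:]
    if length > len(payload):
        raise ValueError("length field %d exceeds payload of %d bytes" % (length, len(payload)))
    return payload[:length]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, byte insert or delete."""
    buf = bytearray(data)
    op = rng.choice(("flip", "overwrite", "insert", "delete"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed_packet, target, iterations=500, seed=1):
    """Replay mutated copies of seed_packet into target.

    Returns a dict mapping each distinct exception type to the first mutated
    input that produced it, so the tester sees one reproducer per failure kind."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    failures = {}
    for _ in range(iterations):
        candidate = mutate(seed_packet, rng)
        try:
            target(candidate)
        except Exception as exc:  # any exception counts as a crash of the target
            failures.setdefault(type(exc).__name__, candidate)
    return failures


if __name__ == "__main__":
    for name, sample in fuzz(CAPTURED_REQUEST, toy_parse).items():
        print(name, sample)
```

Swapping toy_parse for a function that writes each candidate to a socket and reports a dropped connection is the step from this harness to a network fuzzer like Mutiny.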

Wednesday, October 24, 2018

Forensics Workstation/Lab (pt 3. Hypervisor Installation)

Part 1: Overview
Part 2: pfSense

For the hypervisor, I am using the following configuration:
  • Arch Linux (with default kernel)
  • i3wm - improved tiling wm - Arch Wiki
    • rofi - generic popup menu
    • i3status - notifications
    • i3bar - status bar
  • Oracle VirtualBox - type 2 hypervisor
  • aura (optional) - 3rd party package manager
I have been using Arch Linux for years and, due to its small size, I am using it as the base operating system for the hypervisor. Also, I am installing the bare minimum of software and customization for it because I do not need much running in the base system (that's what the VMs are doing).

Oracle VirtualBox is the best choice for an open source virtual machine manager. It is a type-2 hypervisor, meaning it runs within an operating system instead of directly on the machine (think VMware ESXi or Xen). The problem with type-1 hypervisors is the management of the VMs. You really need a second computer to set up, configure, and manage the VMs, whereas with type-2 you can manage them directly on the system they are running on.

The i3wm desktop is an interesting piece of software. I usually stick to XFCE4 (though I have been using GNOME a bit as well lately) and i3wm is completely different. i3wm takes few resources to run and provides text-based configuration files for whatever configuration you need. Also, it can be run completely through shortcuts. One word of caution: dragging windows around does not work; you have to use the shortcut keys to arrange and manage your application windows.

Aura has been my go-to package manager for a while now. Although not required, I usually have it installed anyway. It provides more ways to manage packages from the official repos and the Arch Linux User Repository (AUR).


Installing Arch Linux is not hard but will take a while to get everything up and running. I am not going to go through a whole base installation of Arch Linux here. There are two good resources for installing Arch Linux:
  1. Installation Guide
  2. General Recommendations (post install)


I plan to do encryption on the computer at some point. I just need to find something usable for Arch. I do not think LUKS will work in this scenario. 


Here is the partition layout that I used. It uses LVM (no encryption yet). Most of the space is given to the /data partition and I attempted to minimize the space for each mount location.

For the partition format types, see this screenshot:
This is how I chose to set up the partitions based on how xfs and reiserfs work; of course, the default ext4 would work if you wanted to simplify the partitioning.


For software packages, remember KISS. I installed the following packages:
  • Package Groups
    • base
    • i3
  • Official Packages
    • rofi
    • networkmanager
    • network-manager-applet
    • iwd (replaces wpa_supplicant for NetworkManager)
    • firefox
    • nano
    • refind-efi
    • reflector
    • termite
    • virtualbox
    • virtualbox-ext-oracle
    • virtualbox-guest-iso
    • virtualbox-host-modules-arch
  • AUR Packages (optional)
    • aura-bin
      • This provides access to AUR packages as well as extra features not in pacman. Read more on the GitHub project page here.
    • reflector-timer
      • This creates a timer and service files to run reflector once per week automatically with a simple configuration file.
      • Before you build this package, you will need the following packages installed:
        • binutils
        • fakeroot
    • rofi-dmenu
      • Automatically symlinks rofi to /usr/bin/dmenu.
The package groups and official packages can be installed when running pacstrap during the install stage of the Installation Guide.

For the AUR packages, you need to first install the aura-bin package. To install this package, perform the following steps:
  • From a terminal run the command: git clone
  • Change directory into the 'aura-bin' folder.
  • Run the command: makepkg -irs --clean
    This will package up the application and install it in one step.
  • You may remove the folder after installation.
Installation of AUR packages uses the '-A' flag instead of the normal pacman '-S' flag for official packages. You can read about aura options in the Aura README on GitHub.


Enable and start the following services:
  • iwd.service
  • NetworkManager.service
  • reflector-timer.timer


I am using the newer iwd service instead of wpa_supplicant. To enable NetworkManager to work with iwd, you need to create the file /etc/NetworkManager/conf.d/wifi_backend.conf with the following configuration:


Note: "device" must be replaced with the name of your device; in my case it is "wlp1s0". If you do not replace "device", NetworkManager will appear not to see your wifi card and give the status of "device not ready" when looking at the NM Applet.


After you install the VirtualBox packages, ensure the computer is restarted at least once or load the VirtualBox modules manually (see the VirtualBox documentation).

File Storage

To better organize the files on the system, all of the VM files are located within the '/data' folder/partition. I have the following layout:

|-- ISOs
|-- VMs
    |-- Arch Linux
    |-- Kali Linux (Live CD)
    |-- Sift Workstation
    |-- paladin (Live CD)
    |-- pfSense
|-- share
    |-- forensics
    |-- personal
    |-- pfsense

The folders are self-explanatory. The /data/share subfolders are used to separate each different type of VM. These can be mounted either read-only or read/write while providing a method to pass information between different VMs.

Monday, October 22, 2018

Forensic Workstation/Lab (pt 2. pfSense)

Part 1 can be found here.

pfSense is probably the most well-known and widely used open-source (FreeBSD-based) firewall appliance in use today. It provides an easy-to-use web GUI and installation is extremely easy. However, someone could run iptables, ufw, or something else on their favorite flavor of Linux for a highly customized firewall solution without the GUI and pre-configured system.

Downloading and Installation

pfSense Community Edition is downloaded directly from the website:

Then choose the following options:

In Oracle VM VirtualBox Manager, create a new VM with the following settings:
  • name: pfSense
  • Type: BSD
  • Version: FreeBSD (64-bit)
  • Memory: 1024 MB (default)
  • Hard Drive: 7 GB
  • Network:
    • Adapter 1
      • Enabled
      • Attached to: Bridged Adapter
      • Name: <choose your PHY network adapter name>
      • Advanced > Promiscuous Mode > Allow VMs (needed?)
    • Adapter 2
      • Enabled
      • Attached to: Internal Network
      • Name: corp
    • Adapter 3
      • Enabled
      • Attached to: Internal Network
      • Name: untrusted
    • Adapter 4
      • Enabled
      • Attached to: Internal Network
      • Name: semi-trust
  • Storage:
    • Controller > CD/DVD Rom > Load pfSense ISO
After creating the VM, start the VM (Right Click > Start > Normal Start). Let the VM boot into the installer.

When the installer starts, follow these options:
  1. Accept the Copyright statement.
  2. Choose Install option and select OK.
  3. Keymap Selection: Continue with default keymap
    (Note: "US" is the default).
  4. Partitioning: Auto (UFS)
    (Note: I did not see a need for a custom setup here, but you can do custom partitioning either directly in the shell or via Manual.)
  5. After a few minutes, the installation completes.
  6. Manual Configuration: No
  7. In the VM window, at the bottom of the screen, there is a set of icons; right-click the "CD" icon and choose "Remove disk from virtual drive." If you get the force unmount prompt, hit "Yes".
  8. Complete: Reboot
After the first boot, it will enter a set of prompts:
  1. Should VLANs be setup now [y|n]? n
  2. Enter the WAN interface name or 'a' for auto-detection: a
  3. Do you want to proceed [y|n]? y
Next, I went ahead and set up the other interfaces. Select option 1 from the menu and you should see the following interfaces:
If these are missing, then you need to modify your VM network settings as noted above before continuing.

Skip the VLAN configuration again.

Follow the prompts to assign the following settings per interface:
  • WAN - em0
  • LAN - em1
  • OPT1 (Option 1) - em2
  • OPT2 (Option 2) - em3
This maps each VirtualBox adapter to an interface in pfSense. Next, set the IP addresses: choose option 2 from the menu. Choose 3 different networks (one per interface):
  • em1 -
  • em2 -
  • em3 -
You can create smaller networks or different networks. I chose to use a 24-bit mask to make it easy and spaced the 3rd octet out so I know exactly which network has which VMs on it.

Do not enable DHCP on any of the LANs. Apparently, in 2.4.4, there is a parse error and it will not take the configuration. 

Do not revert the webConfigurator to HTTP per the prompt that pops up. 

You will have the following interface configurations:
Now, it is time to configure it through the web interface.

Web Interface Configurations

Caveat: As soon as you configure a LAN IP address, the web configurator can only be accessed from the LAN network and not the WAN network, for security reasons. There are two things that can be done:
  1. Install and configure the primary VM on the LAN (corp) network to provide access to the web configuration page.
  2. Download any live distro CD/DVD which has a desktop interface and a web browser in it, such as Kali, Linux Mint, Ubuntu, or others; then, set up a VM on the LAN (corp) to boot the live distro and provide the web browser access.
For this configuration, I am using Linux Mint Debian Edition. I set a manual IP address of on the box (remember, no DHCP is configured yet on the LAN).

Use the default login: admin/pfsense

After logon, the pfSense setup wizard automatically starts. Keep the defaults except change the password at Step 6.

DNS Resolver

To configure, go to Services > DNS Resolver > General Settings.

Then, I changed Network Interfaces by selecting all LAN, OPT1, and OPT2 IPv4 and IPv6 interfaces.

Then, I set the Outgoing Network Interfaces to WAN only.

Next, go to Setup > General Settings and uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN". This ensures pfSense uses the root DNS servers for all requests instead of the DNS servers handed out on the local network.

DHCP Server

To configure, go to Services > DHCP Server.

Enable DHCP server on all interfaces. I set the range to 172.16.X.20 - 30 for each interface.


Next, I added rules to ensure each network could not reach the others, isolating the networks.

Other Considerations

This is just a basic configuration. You could add changes to the LAN where only VLAN traffic was allowed out to further protect personal data. There are tons of security configurations within pfSense which can also be explored depending on how locked down the box needs to be.