Sunday, May 19, 2019

Problems with Sift Workstation on Qubes OS 4.0

For a while now, I have had issues with Sift Workstation in Qubes OS VM. You can read about my issue on the sift-cli github: teamdfir/sift#357

The sources.list file after I run the sift install/upgrade is as follows:

$ cat /etc/apt/sources.list
deb xenial universe
deb xenial partner
deb xenial-security multiverse
deb xenial-updates main universe multiverse restricted
deb xenial main
deb xenial multiverse

Notice the first line. It should be 'main universe' instead it happens to be just 'universe'. This is wrong and you will get failures.

For some reason, I did not consider usig a 'custom' repo file for this missing configuration. Created a new file located at: /etc/apt/sources.list.d/ubuntu-mail.list

It contained one line: deb xenial main

Then, I ran the 'sift update' command again with everything working as intended.

Wednesday, May 8, 2019

Hardware for a Digital Library


I decided to go with the large format e-Reader, Onyx Boox NotePro. My reasoning is it was nearly half the cost of the 2-in-1. Using it over the last couple of weeks, I find it easy to take notes on and read. There have been a few instances where I ended up stuck with the UI not responding the way I anticipated but might have been more user error with a new device then then device itself.


A while back I talked about maintaining a digital library. A personal library might have blog posts, digital books, and digital notes. A good resource when looking for digital information is DFIR Training webpage. However, having this information would only be useful to carry around.

I currently started my Master's at Champlain College Online in DFIR. During this process, I realized that I required a digital library because I travel for work. I do already have a Pixel 2 XL, Razer Blade Stealth (mid-2017, gray), and a Kobo AuraONE. Each of these devices are useful; however, none of these truly solve my problem. The screen on my Pixel is good for reading in short burst and research many topics but reading PDF or any detailed images (such as the cheat sheets) is horrible. Razer Blade Stealth is a bit large in some situations. I realize it is a great  ultra book. Reading on it has the same issue as the Pixel. For e-readers, I swear by the Kobo Aura ONE (sadly has been discontinued). It is a great reader in most cases. However, it does not read textbooks or larger PDFs properly. I also have one of the smaller storage devices.

What chooses did I look at? I was looking at a 2-in-1 computer or pro e-reader.

For 2-in-1 computer, the standard is Microsoft Surface Pro 6 which provides a nice tablet for those running Windows. I am not in love with the keyboard. It does work well, has a nice screen, and works well for note taking. However, I am a Linux user normal (running Qubes OS 4). The Surface does not play well with Linux from what I can tell. Next, I also looked at the Lenovo X-1 Tablet which is bigger then the Surface. It also does not work 100% (probably 90%) with Linux. It is cheaper then the Surface; however, according to some reviewers, the trackpad is just 'ok'. Lastly, I also looked at the Eve V, crowd-sourced tablet which like the X-1, it comes with a keyboard and stylus while remaining cheaper then the Surface. Eve V, though, still has some issues with completing orders and hardware problems out of the box (< 5%).

For e-readers, there two main companies Sony and Onyx which make professional e-readers. Sony e-readers ONLY read PDFs which was a killer for me. Onyx has several which run full version Android which include the Google Play Store or whatever apps you choose to side-load.

In the end, I went with the Onyx BOOX NotePro. It was less then half the cost of the 2-in-1 computers while providing a good note taking and reading experience (not nearly as good as the Kobo AuraONE). It maybe a bit heavier then the Sony products but it's fairly light and even lighter then the Razer Blade Stealth. In the short time that I have had it, I find it reads PDFs really well and the epub experience is fairly good. The main drawback is that the reader turns completely off after about 30 mins of inactivity -- great for battery life but hard on shorter burst of reading throughout the day.

Monday, May 6, 2019

Life Lessons Learned

response to Windows Incident Response: Lessons From Time In The Industry (05 May 2019)

I am probably going to echo many of things Harlan Carvey, author of Windows Forensic Analysis Toolkit and Window Registry Forensics. There is two statements which apply to any person working in any field: "Pick an area of interest." and "specialize in something."

First, I agree with picking an area of interest that you enjoy. This can be a large informational area, such Information Technology or Law. I think these interest areas can be broad allowing for learning a wide range of topics. Understanding topics near or around your choose specialization leads a person to be better verse when a problem moves across topics.

Secondly, choose a specialization. I started telling this to people a few years ago after I realized I had been 'stuck' in what I consider 'Tier 1' jobs. I remain stuck due to the generalization of knowledge that I have from System Administration to Network Administration to some programming to even cloud solutions. However, I have noticed that it does not matter how much you know or how spread-out your knowledge is, but how you apply a limited subset of informational chucks.  Specialization does not mean you never learn other skills but will provide the bulk of knowledge for employers to higher you on.

It really does not matter how many certifications you have if you do not have the experience nor if your certifications do not improve over the years. As with 'Tier 1' jobs, I also consider certifications in tiers. So what do I mean by tiers? I use the terms similarly to how IT jobs are labeled: tier 1 (beginner), tier 2 (intermediate), tier 3 (expert/advanced). Here are some examples:

  • Tier 1: CompTIA A+/Net+/Sec+, Cisco Certified Network Associate, LPIC-1: System Administrator, SANS GSEC, Cyber First Reponder
  • Tier 2: Cisco Certified Network Professional, ISC(2) CCSP/SSCP/CSSIP, LPIC-2: Linux Engineer, SANS GNFA/GCFA
  • Tier 3: Cisco Certified Internetwork Expert, LPIC-3 series
These is not an extensive list. As you progress through your career, you need to move up into different tiers for your choose specialization, then get other certifications you might want to attempt. Just do not try to specialize at everything and too many random certifications will get you passed over by employers.

Saturday, January 26, 2019

To be or not to be Examiner's Notes

This is in response to Rob Merriott's blog MS Word and OneNote should NEVER be used for Contemporaneous Notes.

I have no where near the experience that Rob has or anyone else he is quotes in the article. I am going to take this from an of young/in-experience investigators. This page consist of my own interpretation and opinion and not of my work or anyone else in the community.

Contemproaneous Notes? What?

As defined by Merrian-Webster's dictionary: contemproaneous means existing, occuring, or originating during the same time. In short, examiners create contemporaneous notes during an investigation. The second problem with the phrase "contemporaneous notes" is notes. Everyone has taken notes at some point in their life; however, note taking during an investigation is changes to something else.

Investigators need to take notes of any relative information or thoughts related to cross-referencing information or similar. I would keep the notes highly objective and fact related.

Note-taking Applications

As noted in Rob's article, most note-taking applications do not allow immutable, unchangeable, notes after written. MS Word, LibreOffice's Writer, MS One Note, Notepad, Evernote, and plenty of others provide a wide range of features such as online/offline support, spell-checking, Cloud saving, collaboration, and some permission and restriction tables.

I agree with the article that none of these are infallible either by accident or maliciously. Someone could break into your computer or online account to delete/change your documentation without your knowledge. Normal notebooks have similar problems if someone was to steal, modify, or remove pages which you did not know till days or months later.

In either case, protecting investigation notes should be on the top of the list. As stated in the article, an investigator not having the notes might only minor problems for case; however, longer termed credibility problems could happen.

Note protection

How does one protect their digital or physical notes? Investigators might want to place physical notes secure in a fire-proof box or off-site in a protected location (bank, archival company, etc). Digital notes should be similar. If using a word processor or local not taking application, encryption is mandatory with backups. Also, I would consider using some offline log book to record changes to the notes (listing note title, date, time, and reason of change) or some other record keeping method.

Also, I have not used Rob's Forensic Notes but I find using this or a similar tool would simplify the process. I find typing much easier then trying to write a ton of documentation out and then trying to decipher it like the lost language of Atlantis makes for poor notes for most people today. 

I do not think digital notes need to be fully immutable; I do think proper auditing and change management should be a the center of whatever digital application an investigator employs. This would provide both the initial script and allow addition details as the investigator continues the investigation.

Friday, December 7, 2018

Problems with Cisco Certifications

The last few months, I have been trying to pass two different Cisco certification: CCNA and CCNA Collaboration. Most people who have attempted Cisco exams find they are difficult (bare in-mind that 'test' banks or kits are another issue).

Study Materials

I usually grab the official Cisco press books and start from there. Virtualization labs and equipment are nice if you can get them or have the time to configure them.  I travel for work and I usually do not have time to setup these labs but the books and practice tests are usually good enough.

Certification Tests

I passed the CCNA 200-125 exam barely; however, it covered nearly 2000 pages of material and I had 4 to 5 labs. One of the labs on Layer two with trunk ports did not work completely. I had some issues with an strange error on one of the ports. I have not managed to figure out what the error was nor have I seen it on any switches which I have configured.

As for the CCNA Collaboration 210-060, I have failed it two times. I did not find the exam extremely challenging because it was mainly a "fact check" examine. If that was the case, why did I fail it? Simple: the official materials did not have all the information tested on the exam. Even the list of recommended study materials on the certification exam site did not have all the information required to pass the exam. Basically, if you did not use one of these 'test' banks, then you have a high chance of failing.

The Pearson IT Certification prep practice exams do help prepare for the exam. However, they listed the passing score of 800 and not 860. This causes both confusing and possible first time failure when using the practice tests to gauge passing score.

Frustration and Third Retest

I am very frustrated at failing the exam (by 65 and 15 points respectfully for each attempt). The first exam had a large number of Cisco Unity and IM/Presence where the second exam seemed to be more balanced. I find that neither exam had much for CME CLI but some test takers said they had a fair portion of questions from CME CLI.

So, if there is any extra materials out there, let me know. I plan to retest again at the end of the month. I guess Cisco says "everything is on the test" and throw out the exam topics.

Monday, November 19, 2018

Maintaining a Digital Library

@xme posted an interesting dilemma on the SANS ISC InfoSec Forums contained within the post titled The Challenge of Managing Your Digital Library.  He asked what seems like a simple question: "How do you manage your digital library on a daily basis?"

Before I get into that question, let me point out something about data creation. If you look at how much data is generated per day, per week, or per year, you find out it is a lot of data. There is plenty of generated data through InfoSec community. I have two lists in Inoreader providing plenty of reading information (RSS Links below):

Each one of these lists contains over 100 posts over the past two weeks. I am not stating all the posts in each of these feeds are perfect (or even put into the proper groups); however, it is just a small slice of information posted around the net dealing with two very hot topics.

How does someone manage all this information? One of the biggest problems, I personally have is how to always have access to it. Cloud services do provide a quick method of accessing the information as long as you secure it properly or trust the provider directly. With security being a major issue with cloud services, what can be used instead? Instead of using cloud providers, a personal cloud could be setup between at least one server at home and one offsite. 

I have issues in certain jobs where accesses any cloud provider was strictly prohibited either by a company rule, firewall/proxy configuration, or no usable data services. I have considered creating a Electron app to contain everything through a NoSQL database (CouchDB). This could even sync to another outside database when required. However, this makes everything self-hosted and maintained and thus would have implantation issues.

Today, I need to really look at how to manage all the data, unlike xme, I am horrible at storing and retrieving data.

Friday, November 9, 2018

UMLinux and Malware Analysis

While reading Forensic Discovery by Dan Famer and Wietse Venema, I ran across some thing called ReVirt for performing malware analysis. I pulled up the 2002 paper written by George W. Dunlap, Samuel T. King, Sukru Cina, Murtaza A. Basrai, and Peter M. Chen titled ReVirt: Enabling Intrustion Analysis through Virtual-Machine Logging and Replay.

In the paper, the authors exclaim that ReVirt solves two problems: improving the integrity of the logger being used and improving the completeness of the logger to capture data. The method of protecting the host computer is through the usage of UMLinux OS-on-OS structure. I have not seen this type of Linux before, so I took a examine of the SourceForge page (linked above).

In the basic sense, UMLinux provides a secure way to run Linux kernel and operating system on a Linux system in User-Mode. Linux provides two 'modes' to execute processes: kernel and user. Kernel being the most privileged mode normally reserved for kernel and system processes while user mode is the least privileged hosting all user-created processes. This separation provides a clear security boundary to protect a system. A more in-depth article is on Linux Journal: "Kernel Mode Linux".

Why is running UMLinux in user-mode important? The primary reason that even if a rogue process managed to escape the virtualization process, it would be contained within a normal user privilege level instead of full administration/root access. UMLinux project site provides instructions of running Linux kernel 2.6.x through a virtual machine on the command line. Note: No virtualization software needs to be installed.

ReVirt uses UMLinux as a loadable kernel in the below architecture diagram:
This produces a secure environment (at least according to the paper) to run and test untrusted applications. ReVirt also logs all actions performed by system calls within the VMM (virtual machine monitor) and it can actually rewind and replay any set of instructions. Providing this capability allows system administrators and malware analysts ability to closely examine the untrusted application.

ReVirt major abilities are really interesting, but how does that apply to current technology? One of the newish types of environment created for malware analysis is REMnux. You can learn REMnux in SANS Institute's Reverse-Engineering Malware training. REMnux provides a full suite of tools created to work on malware. ReVirt specifically deals with the virtualization of a system to work on untrusted application. In contrast, REMnux provides some virtualization technology (VMWare and Docker) but a ton of tools for analyst of application specifically malware. 

Something to think about though. REMnux is suppose to be put on to an untrusted system in a untrusted network zone. Docker is coming to the space to run application within secure and clean environment. In the meantime, ReVirt and REMnux each provide a way to accomplish similar tasks and they are different; I wonder if REMnux could benefit from something from ReVirt. Joining these two together probably can even a new way to exam applications and malware analysis.