I used the command line:

logparser -i:EVT -o:CSV "SELECT * FROM e:\directory\*.*" > c:\output.csv

Haven’t figured out how to recursively pass through multiple directories.

Ric

Things you’ll need prior.

1. Purchase a domain of your choosing
2. Static home IP
3. Install Ubuntu 11.10 Server

DOMAIN

Within your domain host you should locate where you can make edits to the DNS.

After locating this area we need to add a subdomain.

The subdomain should be mail.example.com. Obviously select your domain name.

Edit the mail.example.com subdomain DNS.

Make the DNS A record point to the static IP of you email server.  Make the MX (mail exchange) record point to mail.example.com with a value of 10.

This could take some time to populate throughout their servers.

INSTALL UBUNTU SERVER

For the most part the install of Ubuntu Server was default and selecting the packages differed.  I only installed OpenSSH and LAMP.

If you install the mail server it uses dovecot and I perfer courier.

After installing ubuntu server I then installed ubuntu-dekstop:

sudo apt-get install -y ubuntu-desktop

Its much easier to install the configuration files and follow along in the GUI.

After installing the ubuntu-desktop reboot and follow this walk through:  http://www.pixelinx.com/2010/10/creating-a-mail-server-on-ubuntu-using-postfix-courier-ssltls-spamassassin-clamav-and-amavis

***TYPO*** When you get to 15-content-filter-mode its actually 15-content_filter_mode

After your completed there are some additional changes and additions to be made.

I added to the following lines to /etc/postfix/main.cf.

Locate the relayhost.  The reason for this is to use an existing email account on your domain to send email out.

relayhost = [smtp.1and1.com]:587

Locate the #Encrypted authentication (SASL) and add the following:

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous

smtp_sasl_tls_security_options = noanonymous

Save /etc/postfix/main.cf

We need to add the relayhost login and password so that we can send mail through a SMTP server.  The reason for using a host is that often home email servers get placed on an email blacklist and your email are lost.  Its the host problem to ensure there email server dont end up on those lists.  Change to your domain and port.  The email address is normally used to authenticate through the relay.  This email address and password can be set up through your domain.

echo [smtp.1and1.com]:587 mail@example.com:password” > /etc/postfix/sasl_passwd

postmap /etc/postfix/sasl_passwd

After this I added an additional user to the mysql database mail.

Login to MySQL.

mysql -u root -p
USE mail;
INSERT INTO `user` (`email`, `password`, `name`, `quota`, `enabled`) VALUES ('USER@example.com‘, ENCRYPT(’changeme‘), ‘Administrator‘, NULL, 1);
exit;

Send this USER email from another source.  This will populate the folders required to login.

INSTALL SQUIRRELMAIL

apt-get install -y squirrelmail squirrelmail-locales php-pear php5-cli

SETUP APACHE

cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail
ln -s /etc/apache2/sites-available/squirrelmail /etc/apache2/sites-enabled/500-squirrelmail
a2ensite squirrelmail
apache2ctl -t
/etc/init.d/amavis start

SETUP SSL FOR APACHE (http://www.tc.umn.edu/~brams006/selfsign.html) and (http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html)

openssl genrsa -des3 -out /etc/ssl/server.key 4096
openssl req -new -key /etc/ssl/server.key -out /etc/ssl/server.csr
openssl x509 -req -days 3650 -in /etc/ssl/server.csr -signkey /etc/ssl/server.key -out /etc/ssl/server.crt
openssl rsa -in /etc/ssl/server.key -out /etc/ssl/server.key.insecure
mv /etc/ssl/server.key /etc/ssl/server.key.secure
mv /etc/ssl/server.key.insecure /etc/ssl/server.key
mkdir /etc/apache2/ssl
cp /etc/ssl/server.key /etc/apache2/ssl
cp /etc/ssl/server.crt /etc/apache2/ssl
a2enmod ssl
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
echo "ServerName localhost" >> /etc/apache2/apache2.conf
/etc/init.d/apache2 restart

EDIT HOSTS

nano /etc/host

127.0.0.1    localhost localhost.localdomain mail
127.0.1.1    mail
173.72.XXX.XXX    mail.example.com

SQUIRRELMAIL

cd /usr/share/squirrelmail/plugins/
wget "http://www.squirrelmail.org/plugins/secure_login-1.4-1.2.8.tar.gz"
tar xzvf secure_login-1.4-1.2.8.tar.gz
cd secure_login/
cp config.sample.php config.php
nano config.php
modify; $change_back_to_http_after_login = 1;
to; $change_back_to_http_after_login = 0;

EDIT SQUIRRELMAIL

squirrelmail-configure
D
courier
8
Locate secure_login and enter the number to enable.
S
Q

APACHE EDITS (https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles)

nano /vetc/apache2/sites-available/default

Find;

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None

Modify;

AllowOverride All

Same for:

nano /vetc/apache2/sites-available/default-ssl

cd /var/www

nano .htaccess

ADD:

# This allows you to redirect index.html to a specific subfolder
Redirect /index.html https://mail.example.com/squirrelmail/

Try logging into your email server:

http://mail.example.com

You should see the cert error and must accept the cert.

After that you should be able to login.

Might be able to add some additional configuration from here. http://flurdy.com/docs/postfix/

UPDATE 120319;

Recenting added the change_sqlpass plugin and that took and little figuring out.  The screen will go blank and forces you to re-login with new password.

The config.php should have the following settings:

$csp_dsn = 'mysql://root:password@localhost/mail’;
$lookup_password_query = ‘SELECT count(*) FROM user WHERE email = “%1″ AND password = %4′;
$password_update_queries = array(’UPDATE user SET password = %4 WHERE email = “%1″‘);
$force_change_password_check_query = ”;
$password_encryption = ‘MYSQLENCRYPT’;
$csp_salt_static = ‘LEFT(password, 2)’;
$csp_secure_port = 0;
$csp_non_standard_http_port = 0;
$min_password_length = 8;
$max_password_length = 0;
$include_digit_in_password = 1;
$include_uppercase_letter_in_password = 1;
$include_lowercase_letter_in_password = 1;
$include_nonalphanumeric_in_password = 0;
$csp_delimiter = ‘@’;
$csp_debug = 0;

***ENSURE BIOS BOOTS FROM CD/DVD***

1.  Attached a storage device to a target system that will be used to store your forensic image.

2.  I attached a 100GB hard drive to take a 60GB operating system hard drive.

3. Set the bios to boot from cd/dvd.

4. Started winFE. Since we told diskpart_steps.txt to load automatically it should have opened up.

5. Move the windows out of the way so that you can still see the command behind the command prompt.

6. Issue commands listed in the document.  We are locking the target device down to readonly.

diskpart

list disk

list vol

7.  The target volume on my system is Volume 1 & 2.  Volume 1 is the System Reserve partition from Win7. Volume 2 is the OS partition.

8.  Time to make your storage drive active.list disk

sel disk 1

list disk

9. If your storage drive is already formatted than you should see a partition.

det disk

10. Ensure the storage disk is selected. Select the partition. Set it online and assign a drive letter.

sel disk 1

sel part 1

onl vol

assign letter z

11.  Should see your evidence drive.

list vol

12. Minimize the notepad++ window.

13. Select Forensic folder on PStart and start FTK Imager.

14. Should be able to image the device from here if your familiar with FTK Imager.

15. Additional programs to consider installing on winFE.  Its your winFE and justify what you need.  ***THE MORE YOU ADD IN MY EXPERIENCE THE LONGER IT TAKES TO BOOT***Explorer++Portable

WinRAR Portable

IrfanView Portable

VLC Portable

Mozilla Firefox Portable

Filezilla Portable

Putty Portable

OpenOffice Portable

SumatraPDF Portable

GOOD LUCK.

***WHILE TESTING ENSURE BIOS IS SET TO BOOT CD/DVD***

***ON REAL TARGETED SYSTEMS IT IS A GOOD PRACTICE TO DISCONNECT THE HARD DRIVE BEFORE CHANGING THE BIOS***

1.  Edit the existing image.

Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount

2. Should be able to see the mounted image here.  Minus the PStart menu…we’ll get to that later.

3.  I would recommend creating a text document that runs through the diskpart commands prior to mucking around with the target system.  This step by step process will aid in preparing the storage drive as writable.  If you remember prior we told WinFE through registry entries NoAutoMount.  The SetPolicy change I suspect is for ensuring all drives are offline.  We will get that to auto load when the disc is booted.  First things first.

4. Lets get the menu system up and running.  Download PStart.

5. I had a spare 2GB SD lying around and decided to use that and install PStart to.  Reasoning was my attempt at keeping things in order.  No other purpose other than that.

6. The winFE disc when booted will be “X:\” so we will have to make sure when we install the programs we give it the right drive letter to run from.

7. I installed PStart to my 2GB SD device.  If you have a thumb drive that is fine too or use your OS c:\.  Additionally if you don’t have any issues with permissions you could just install right to c:\winFE\mount\ -or- c:\winFE\mount\program files -or- c:\winFE\mount\

8. I decided to change the drive letter of my 2GB SD to “x:\” just like the winFE disk.  This can be done under computer management.

9. There should be two files in the directory.

10. Lets download Notepad++ portable and install to get it working in our winFE and PStart.

11. Install notepad++ and copy the contents to the winFE tools area.  Optional would be the install to the \program files area.

12. Start PStart by executing the .exe file.  The window will appear but of course your menu screen will be blank.  Right click in the blank area and select add group…

13.  Call it Office or whatever.

14.  Right click on the Office folder and select Add file…

15. Locate  Notepad++Portable.exe under c:\winFE\mount\tools\Notepad++Portable or where ever you installed it on the mounted winFE image and select open.  ***NOTE THE MORE STUFF YOU ADD THE LONGER IT WILL TAKE TO BOOT***

16.  Change the application path to x:\<where ever its installed in the winFE directory structure> –> OK

The icon shouldn’t appear because x:\ doesnt exist yet until winFE is run.  Sometime a folder icon doesn’t appear also and that can be downloaded as well and added later.

17. This step can be repeated to add additional programs. If the purpose for winFE is to take forensic images it would be good to install FTK Imager to the winFE tools area.  Remember to copy c:\windows\system32\oledlg.dll to c:\winFE\mount\windows\system32\ (Props to Brett Shavers)

18. Let make PStart automatic and diskpart_steps.txt file in number 3 open automatically using Notepad++ when winFE starts.

19. Locate the file c:\winFE\mount\windows\system32\startnet.cmd

20. Edit the file with notepad or like program.  Add the following lines:

wpeinit
@echo off
start x:\PStart\PStart.exe
start x:\tools\Notepad++Portable\Notepad++Portable.exe x:\tools\diskpart_steps.txt

21. “@echo off” doesn’t show the preceding commands on screen.

22. “start x:\PStart\Pstart.exe” will execute the program to run and move on to the next command.  Make should you PStart location is correct under c:\winFE\mount.

23. “start x:\tools\Notepad++Portable\Notepad++Portable.exe x:\tools\diskpart_steps.txt” will execute notepad++ and load x:\tools\diskpart_steps.txt inside.

24. Many automated other programs maybe run from this locations

25. If you’ve finished adding additional programs lets complete the image.  Make sure you exit out of any programs that are accessing c:\winFE.

dism /unmount-wim /mountdir:c:\winFE\mount /commit

26. Copy the boot image over.

copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y

27. I had an issue where oscdimg.exe could not be located.  I case you come across this also its found under \program files\windows aik\tools\x86

oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso

Received an error because the image exceeds the allowable space for a CD but not DVD.  Change the command to:

***NOTE XX increment your .iso files created.***

oscdimg -m -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFEXX.iso

28. Boot using VMware etc or burn to DVD for testing.

1. Download Windows AIK iso.  This file will aid in providing necessary files to create the winFE.

2. Mount Windows AIK file KB3AIK_EN.iso.

a. Use a .iso mounter like Virtual Clone drive. After installing right-click on the icon.

b.  Mount the downloaded KB3AIK_EN.iso file.

3. Open the contents, locate StartCD.exe and execute.

4. Install Windows AIK Setup.

5. Default installation path.

6. Open Administrator command prompt.  Right click command prompt and run as administrator.

7. Change directory in the PRTools area.

cd “c:\Program Files\Windows AIK\Tools\PETools”

8. Copy the necessary files to your winFE creation area.

copype x86 c:\winFE

9. Mount the bootable area.

Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount

10. Should see the mount area is populated.

11. Time to mod the registry so that the disc will not automount onboard drives.  Open regedit.  Start –> regedit.exe –> <enter>.

12.  Highlight HKLM

13. Select File –> Load Hive …

14.  Locate c:\winFE\mount\Windows\System32\config\system –> Open

15.  Name it “winFE”

16. Under HKLM should be winFE

17. Locate the following key HKLM\winFE\ControlSet001\Services\mountmgr –> Right click right panel and select New –> DWORD.

18. Name it NoAutoMount = 1

19.  Modify HKLM\winFE\ControlSet001\Services\partmgr\parameters\sanpolicy = 3

20. Highlight winFE

21. Select File –> Unload Hive…  Confirm  Close

22. Modify the wallpaper if you like.  Name the BMP winpe.bmp and overwrite existing under c:\winFE\mount\Windows\System32

23. Add directory tools under c:\winFE\mount\

24. Drop tools like RegRipper, Cygwin, FTK Imager Lite, NetCat, Winrar unplugged, IrfanView, etc in this location.

25. Add VBS scripting capability:

dism.exe /image:c:\winFE\mount /add-package /packagepath:”c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-wmi.cab”

26. (Hint use the arrow up key in the keyboard and change wmi to hta) Add HTA:

dism.exe /image:c:\winFE\mount /add-package /packagepath:”c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-hta.cab”

27. Add scripting:

dism.exe /image:c:\winFE\mount /add-package /packagepath:”c:\Program Files\Windows AIK\Tools\PETools\x86\winpe_fps\winpe-scripting.cab”

28. Add .vbs scripts (props: http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/) under tools.

29. Add driver packs that way what ever system you come across should boot and see the onboard drives without issue. I extracted them to my c:\

dism.exe /image:c:\winFE\mount /add-driver /driver:c:\DP_MassStorage_wnt6-x86_1110 /recurse

30.  I ran the following driver packs.

a. DP_CardReaders_wnt6-x86_11041

b. DP_Chipset_wnt6-x86_11051

c.  DP_LAN_wnt6-x86_1109

d.  DP_MassStorage_wnt6-x86_1110

e. DP_WLAN_wnt6-x86_1104

31. Closing the image.  ***Make sure you close all related windows linked to c:\winFE***  If you dont the image will not close properly.

32. Make sure your not in the command prompt c:\winFE area when you issue the command.

cd c:\

dism /unmount-wim /mountdir:c:\winFE\mount /commit

33.  Should get a successful completion.

34.  Copy file

copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y

35. Remove bootfix.bin so that you are not prompted to hit any key to boot from disc.  This would be bad if we forgot and booted the operating system.

del /f /q c:\winFE\ISO\boot\bootfix.bin

36. Create ISO

oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso

37. Should have your .iso file here:

38. Dont forget to test it out…through vmware or live test system before using it within production.

39. To add additional tools, drivers, scripts etc start at step 9 and follow until creating the .iso.

1. Needed to boot an encrypted hard disk drive (HDD) into VMware and collect volatile information from the running system.
2. Did not have admin privileges to remove bitlocker. (Couldn’t get either, Army regulations and all.)
3. HDD was encrypted with bitlocker.
4. Was able to obtain the bitlocker key though.

Software Required:

VMware Workstation

Liveview

Operating system installation disk

Work Around:

1. HDD was in an evidence file format called disk dump (dd). Flat file which was an exact copy of the original HDD bitlocker and all.

2.  Start liveview.

3. Liveview opened.  If your using the non-law enforcement version you will be missing the ability to blank out the passwords.  The operating system I’m looking at was Vista Enterprise. Pointed liveview at the image file.  Redirected the configuration files out to the drive and generate the config files.  Select Start.

4. Config files should have been generated.

5. Double click on the .vmx file.  This should open VMware config editor.  Select edit virtual machine settings.

6.  Settings windows should appear.

7. If your going to sniff the network traffic might want to add a network device as host only.

8.  Install the operating system installation CD or .iso file within the CD/DVD.  Add a new CD/DVD and place the bitlocker_recovery_tools_vistax86.iso within the device.  The files contained are used to decrypt the drive.

Additionally add a new virtual HDD that is greater than the size of the operating system HDD.

Ensure the bitlocker HDD is 0:0.  New HDD is 0:1. Operating System DVD is 1:0. Bitlocker tools CD is 1:1 within advance settings.

9. Should look similar to this.

10. Boot into the BIOS.  Boot from CD.

11. Boot from DVD.  Press any key before the time out.

12. Select next to arrive at the “Repair  your computer” and select.

13.  Manual input the bitlocker key, select next, select finish and it should prompt that the drive is accessible.

14. The drive with the operating system should appear.  Select Next.

15.  Select command prompt.

16. type diskpart <enter> –> list volume <enter>.  Note the operating system drive letter.

17. type list disk <enter>.  Note the extra HDD we added.  We need to partition and format that drive.

18. type select disk=1 <enter>

19. type create partition primary <enter>

20. type assign letter=G (or what ever available drive letter is next) <enter>

21. type select partition=1 <enter>

22. type format fs=ntfs label=”decrypted” quick <enter>

23. type list volume <enter> and you should see the new HDD.

24. type exit <enter>

25.  Change over to the bitlocker CD tools.

26. type repair-bde.exe d: g: -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx <enter>.  It will begin decrypting the entire contents of the operating system encrypted drive to our newly created HDD.

repair-bde.exe <input drive> <output drive>  -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx <enter>

27. Forgot…make the new HDD active.

28. Close command prompt and select shutdown.

Edit the configuration .vmx file.

Remove the primary HDD 0:0.

29.   Make our new HDD 0:0 in advance settings. Remove bitlocker tools CD.

30. Should appear similar to this.

31. Boot to the operating system DVD again to fix the MBR.

Select Next –> Repair your computer –> Repair and restart.

32. Following message may occur.  Reboot to operating system DVD.

33. Select Next. Select Repair your computer. Select Next for the recognized operating system. Select Startup Repair. Select Finish.

34.  The system should boot.

35. Now to get admin privileges.  If you have the LE version of liveview than you should be able to get in no problem because the passwords are blanked out.  If not, utilize http://www.pogostick.net/~pnh/ntpasswd/ bootable .iso file to blank out the passwords.  Additionally you could also use https://www.pinguin.lu/index.php.

Now the disk is unencrypted and you have admin privileges to run your volatile scripts or malware testing.

This is assuming you know how to install Windows 7 or already have it installed on the system.  I’m using a virtual environment to display this how to.

If your starting fresh on the installation only install Windows 7 on half the drive.

If the operating system takes up the entire system hard drive than Right-Click on the volume to shrink and select Shrink Volume…

It will query the system hard drive to determine how much it can be shrunk.

Try to get at least half, if not get what you can and select Shrink.

At this point your ready to install Truecyrpt.

Double Click on the executable.

Accept the license –> Accept

Install –> Next

Install

Wait

Done –> OK

If you want to read, otherwise –> No

Finish

Select the truecrypt icon.

Locate the Create Volume button.

Select the Create Volume button.

Select –> Next

Normal –> Next

Windows system –> Next

Multi –> Next

Yes

Yes –> Next

1 –> Next

No –> Next

Next

Next

Enter password –> Next

yes

Next

Next

Next

Ok

Burn Disc

Verify the disk was burned correctly.

Verified –> next

If your paranoid you can select one of the other options –> Next

test

Ok

yes

Enter password<enter>

Windows should load.

Encrypt

Ok

get some coffee…beer…whatever

Ok

Finish

Install Ubuntu

This is assuming you have downloaded the Ubuntu Alternate .iso file and burned to CD for installation.
Ubuntu distro displayed is 11.04 alternate.  Alternate because it gives you the ability to encrypt LVMs.
Insert Ubuntu CD into CD/DVD drive.
Restart computer and boot from CD/DVD.

Engrish <enter>

Install

Engrish

US

No

USA

USA

Wait

Wait

The network is not required –> Yes
If the system is hooked up to a network another screen will display.

Think of a computer name

Which ever your in

manual

Select free space

Create

Creating the /boot area –> continue

Primary

beginning

Select Mount Point

select /boot

Done

Select free space

Create

All –> continue

Primary

Use as:

LVM

Done

Encrypt

yes

Create

Select lvm (use space bar) –> Continue

***IMPORTANT step to remember /dev/sda3 (99MB; ext4) is the /boot partition ***

Done

yes

Finish

password

Again

Configure LVM

Yes

Create

volumegrp01 –> continue

Select crypt

Create logical volume

<enter>

volum01 –> Continue

This will be your swap space. 2 times your total RAM (1024MB x 2 = 2048MB) or (8192MB x 2 = 16384MB) etc –> <continue>

Create another

<enter>

volume02 –> continue

This will be root / so use all –> continue

finish

highlight swap space area

Use as

swap area

Done

highlight root /

Ext4

Mount point

/

Done

Finish

yes

wait

wait

enter your name

enter login

password

again

No (the whole thing is encrypted)

wait

wait

No

enter your /boot device /dev/sda3 –> continue

wait

remove cd –> continue

esc

2 (the 100MB is the Windows 7 reserve)

enter

encrypt password

login –> reboot to see if Windows still works

truecrypt password

awesome

Installing the software hasn’t changed much from v6.  Couple additional directories and the removal of Backup.  Backup is now located within the Case area.

The introduction front end has changed.

Selecting New Case shows additional options within Case Options.  The Case Info area populates additional information within the Report.  The three options None, Basic, and Forensic vary in content amount.

Basic input options.

Forensic input options are extensively more.

Creating a Case front end.

Adding Evidence button can be used via the menu bar or front end.  The additional options of Add Local Device… etc are not in operation within the Preview Version.

Adding evidence is relatively the same as v6.  The v7 Preview Version came with an evidence file and cert.  The cert works per specific dongle.

The Case area directory structure has changed and we can see the Backup moved.

After evidence is add the following screen should appear and verify the evidence.

After verified, hashs match within the Fields view.  Also notice Processing Status shows unprocessed.

It becomes necessary to process the evidence to recover folders, process compressed files, etc.  The Process Evidence button is located under the Add Evidence area tab.  Appears to take over for the once known Search tab.

After evidence is processed the status will change.

Viewing the evidence is conducted by clicking on the evidence under the name column or using the Viewing tab to switch to Entry.

Entry view goes back towards the traditional view of EnCase.

Noticed the right-click option have disappeared.

They have been moved to the side button area in the menu bar.

Gallery view hasn’t changed.

Viewing the registry and other compound files is still done via view file structure.

Registry view.

Bookmarking can be accomplished by using the Decode tab and selecting the appropriate view and a right-click.

Viewing email has changed with different views.  After processing the evidence, switching to the Records tab allows the different email views.

After digging into the email .PST inbox you can follow email message conversations by using the Find Related tab.

Selecting Show Related Messages populates the conversations that match based on your first selection.

Report tab has also seem some changes and looks pretty good.

Take a look at the Preview Manual of additional information.

Also the Release Notes have some nice details if interested.

–Ric

Right to it…I’ve rolled the script into an executable.  The idea behind the script is to have it located on a thumb drive or any external media that is compliant with Windows.  The executable can be extracted with your favorite compression program to take a look at the guts.

The script simply uses existing programs that were designed with collecting volatile data in mind.  Hopefully I’m still within the using agreements but if not I’m sure someone will let me know.

When the program starts it lets you know how much RAM there is on the system.  Ensure your running with administrator level privileges.  If you want to collect the RAM it will use windd32.exe or windd64.exe.  These version are the community versions.

If you select yes to imaging RAM it will be placed on the root of the system you ran the executable from.

If you select no it will continue and ask whether you wish to collect volatile data from the system.

Should you select no which could be the case because you only wanted to collect RAM than the program will end.  If you select yes the rest of the script runs automated.

The script will count down the item it is collecting.  Speed depends on the system.

The list of items will indicate the information it is collecting or you can view it within the start_VS.cmd file.

Some of the information you could say was not that volatile and still remains on the hard drive which is true.  I like the ability to get to the important information quickly to make an assessment without waiting on the full forensic exam.

If you find I am not collecting something of value, I can most certainly add it.  Just let me know.

After completion the log contents will be compressed and remain on the drive you ran the executable from.  The volatile_snapshot directory will be removed.

The compressed log file is named <computername>_<time&date>.7z.

Extract the file and begin viewing the contents using the .REPORT.html

More on going through the file and its contents later.

File: Volatile Snapshot V2

This sparks the debate “re-image or not to re-image” after infection.  Re-imaging a system is time consuming, cost ineffective and a loss of revenue and work product.  The positive side of re-imaging is that you have thoroughly removed the suspect chance your anti-virus product is not fully cleaning after infection.

The question might boil down to how lucky do you feel?

The recommendations of leading industry organizations have not completely sided one way or the other.  The US-CERT http://www.us-cert.gov/reading_room/trojan-recovery.pdf document indicates in paragraph 5 “If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system.”   The previous steps are to run an anti-virus program on the infected system using a live compact disc.  This is far from coming out and recommending re-imaging all the time after an infection.

The open source ClamWin Free Antivirus software (http://www.clamwin.com/content/view/146/27/)  does go as far as to say in one of its step that should be taken after an infection is to “Perform a clean install of Windows – a format of the drive *should* be completed.”

The National Institute of Standards and Technology (NIST) Special Publication 800-83 (http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf) Guide to Malware Incident Prevention and Handling states “Because rebuilding a host is typically more resource-intensive than other eradication methods, it should be performed only when no other eradication method or combination of methods is sufficient.”

I recently came across a virus on a system and by using time and date analysis from log entries I was able to narrow down the virus to a file, specifically a compressed file with no extension.  It turned out the file was from a java drive-by-download.  The system had a current anti-virus solution, McAfee.  After hashing the file I wanted to find out why McAfee didn’t catch it.  Virustotal.com has McAfee within its depository of anti-virus scanning programs.  I hashed the suspicious compressed file and searched the Virustotal.com database to see if it had been scanned previously.  The following were the results:

It turns out that McAfee doesn’t catch it.  I also noted the submission date and it was quite recent.  I wasn’t shock so much as to learn that McAfee didn’t catch it but how much more does McAfee miss or for that matter the rest of the anti-virus solutions available to the public.

In searching for documentation about anti-virus solutions success rates I discovered Mandiant’s report called M-Trends the Advance Persistent Threat (APT) (http://www.mandiant.com/products/services/m-trends).  In it Mandiant states “When MANDIANT discovers new APT malware, we scan it with the anti-virus and antimalware programs that most organizations use. Of the samples we discovered and examined, only 24% of all the APT malware was detected by security software.”  That was enlightening to say the least that 76% of malicious software gets passed anti-virus solutions.

I than decided to test this claim.  While surfing the internet for anti-virus solutions I came across a pretty convincing Fake Anti-Virus (FakeAV) ad.  Now the image is clearly from the web browser Firefox but the window appears to be from a Windows Explorer environment.  This obviously is to confuse the less sinister minds that are not in the know as to malware coder’s intentions.  The screen starts out appearing to scan my computer for viruses, when it really is not, and conveniently discovers numerous infection denoted by the fake Windows Security Alert.

If the user clicks “remove all” a download windows appears and if the user clicks on the “X” to close the window the download window appears also.  This is with Firefox web browser, with Windows Internet Explorer the option to run the program appears in the download window.

After saving the file I would have expected my anti-virus solution (Norton End Point Security) to alert me that I had download malicious software.  Think again, I got nothing, no alerts.  My sinister mind is thinking this very well could not be legitimate software.

So I decided to hash the executable and see if Virustotal.com had any info on this file.  Turns out there was no information in their database.

So the next course of action was to upload the executable to see if other anti-virus solutions catch it.  Come to find out 23 out of 40 anti-virus solutions recognize this executable as FakeAV malicious software.  Some particular vendors I would have thought should have picked this up, but didn’t were ClamAV, McAfee and Microsoft.  Norton Anti-virus is not a part of the listed software tools within Virustotal.com but it to did not recognize this as malicious.

We’ve established that anti-virus solutions detect only a fraction of the malicious software that is out in the wild.

Now back to the question, of the malicious software that it does detect will it clean, delete, and/or remove all of the malicious software installed or registry changes that the software makes.  So I conveniently have my own personally built trojan.  Prior to installing the malicious program, InCtrl5 was run on the malicious software to record all the changes made without the anti-virus product installed and the report saved for comparison.  I than made sure McAfee was up-to-date on its virus definition and launched the malicious program within VMWare.  First the McAfee firewall asked if it could access the internet and I authorized it to do so.  After being infected I started a full scan.

It’s not my purpose to just pick on McAfee anti-virus solution.  I also picked on Norton.  That being said, is it the anti-virus solutions fault for not finding all malicious software.  The answer is emphatically no.  Anti-virus solutions are only as good as you and I make them.  This is evident by Mandiant’s test that they only caught 24% of malicious software.  My example above reference the FakeAV I received, it’s your responsibility to help your anti-virus solution out by submitting the executable sample for testing.  The anti-virus vendors will write new code into their virus signatures to catch those malicious programs.  Remember anti-virus programs are tools and you just don’t have one tool in your tool box.

The scan detected 57 issues and 8 were already quarantined.

After manually removing all the items two appear as not removed which are slimftpd and radmin.

After a reboot McAfee discovered that we had told it to remove slimftpd and it again confirmed its removal.

Let see what wasn’t removed.  Since I made the trojan I conveniently know the backdoors created.  My trojan installed RAdmin but McAfee reported that it was not able to remove it.  I set the RAdmin port as 136 which appears operational.  The point here is that its removal wasn’t automatic.

Additional unseen issues actually deal with the Windows operating system default programs.  It’s difficult to determine what else was added or removed to include registry changes.  Here we see additional accounts were created.  Which ones are legitimate? “_” is the default created administrator account with the name changed. “Guest” is default.  “HelpDesk” is not default.  “HelpAssistant” is default.  Further detailed inspection reveals the HelpDesk account was added to admin privileges.  Checking the default account HelpAssistant, low and behold that account was also changed with admin privileges.

Noticing also that port 3389 was open on the system.  What program uses that port, Remote Desktop?  These accounts could be used to access the system with admin privileges.  Additionally port 25 appears open and is an open SPAM relay.  There are numerous registry changes that were made to include delayed starting actions.  Now McAfee caught a majority of the items and removed them but not all.

So the point is made that even though anti-virus solutions say that they have cleaned the system of a malicious program it is probably true minus the items that were missed.  The program hopefully does not go as far as to say that the system is free of malicious programs because this is probably not true.

The above point is to emphasize that if a system does become infected with any virus it is imperative that the system be re-imaged to ensure the system is cleaned with a known good operational load, patched, and returned to service.

Ric

Update 12 Nov 2010

Received a response back from Symantec.  Note the Developer Notes at the bottom.

Update 19 Nov 2010

Additional regulation findings of interest.  Thanks Dave Baker, Mitre.org

SANS.org Incident Handling Small to Medium Enterprise (http://www.sans.org/reading_room/whitepapers/incident/incident-handling-smes-small-medium-enterprises_32764)

para 2.4 Eradication “Once the cause has been determined, the system can be rebuilt from a known good backup copy of the system. If no backup can be found, then the system must be reinstalled from scratch (including the OS!).”

para 2.5 Recovery “In the recovery phase, operations return to normal. The system has either been rebuilt from scratch or rebuilt from a backup, and it is ready to be validated for production. This includes verifying the system is secure and will not fall prey to the same or similar attacks once it has been put online.”