Saturday, December 5, 2015

Acquiring a forensic image of Acer Iconia W3 Windows tablet


I recently got an Acer Iconia W3 tablet for analysis that was password protected. These are the steps I took to acquire an image of the tablet.


The W3-810 runs an Intel Atom CPU and comes with Windows 8.1 preloaded and 32 GB or 64 GB of internal storage. Although it runs smoothly, the downside is that it has only one micro-USB port, which makes it difficult to connect peripherals.

After getting any handheld device, my first instinct is always to check Cellebrite UFED or Oxygen Forensic Suite for compatibility: why waste time on research when there is a ready-made solution? Unfortunately, neither tool supported this device. UFED listed some Acer tablets, but they were Android models.

So, to boot the tablet from external media, we need a micro-USB OTG adapter and a USB hub, so that we can connect our bootable USB drive (or an external CD drive) together with a keyboard.


The regular bootable media such as Hiren's BootCD or other Windows boot disks failed. After researching further, I found that this was because UEFI is enabled on the tablet. Even after disabling Secure Boot, as shown in this video, it would not boot from these boot CDs.

Then I got an Ubuntu 14.10 ISO image with EFI boot support and tried booting from it. That got me one step further, to the GRUB screen, but it still would not boot the OS. After some more research, the issue turned out to be that the ISO's EFI boot support covered only 64-bit systems, so I needed to find a boot disk with 32-bit EFI support.


It turns out that WinPE offers a 32-bit EFI-enabled ISO readily. So I built a WinPE ISO and again tried to boot the tablet from it with Secure Boot disabled. This time I succeeded in getting a command prompt in the WinPE environment.

Then I copied the SAM file from the tablet's Windows installation. Using Hashcat, the password was cracked successfully. With the password in hand, I put FTK Imager on a USB drive, logged on to Windows and imaged the disk.

One thing to note is that the storage in the tablet is an eMMC chip, so recovering deleted content might be a bit difficult.

Wednesday, December 2, 2015

jIIr Triage Practical Event - Prefetch $MFT IDS Writeup




Corey Harrell recently posted a triage challenge on his Journey Into Incident Response (jIIr) blog here: http://journeyintoir.blogspot.in/2015/11/triage-practical-malware-event-prefetch.html

This writeup provides answers to the questions he posed there and explains how I analyzed the evidence files.


The evidence provided for the investigation is the following:

  • PCAP for generating the IDS alerts in Security Onion.
  • Prefetch files from the system, in AD1 format.
  • $MFT and the file hash list from the system.

Corey was also kind enough to provide a document on setting up Security Onion for replaying the PCAP, and FTK Imager for the AD1 container.

Starting with the IDS: after replaying the PCAP, the Sguil console in Security Onion showed the following alert.

Fig. 1. Security Onion IDS alert

From the packet data it can be seen that HawkEye Keylogger data exfiltration is taking place. For the actual timestamps we can look at the packet capture in Wireshark, applying a filter for the IP 107.180.21.230. As we can see in Fig. 2, the first connection was made at 2015-08-15 05:34:20 UTC.

Fig. 2. Wireshark 

The FTP communication is also interesting.


Fig. 3. FTP communication

And the file being transferred was the following:

Fig. 4. File transfer

To find out which process was communicating, let us look at the prefetch files provided. Sorting them by timestamp, we quickly notice that "OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf" is suspicious and has a timestamp just a few seconds before the network alert.

Using Nirsoft Prefetch Viewer, the path of the executable turns out to be "\DEVICE\HARDDISKVOLUME1\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE".

It is clear that this was executed from IE's Temporary Internet Files folder. It is most likely a phishing attempt, which can be inferred from both the document's name and its location.
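To show where the prefetch timestamp and the full executable path used above come from, here is an added Python parser for the uncompressed Windows 8.1 prefetch format (example code, not from the original post or from any tool it mentions). The sample file it builds is constructed to mirror the challenge's prefetch file; its run time, the NTDLL entry and the run count are assumed values, not the real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# (offset of the last-run FILETIME array, number of FILETIMEs, offset of the run count) for the
# uncompressed formats: 17 = XP, 23 = Vista/7, 26 = Windows 8/8.1. Windows 10 (version 30)
# files are MAM-compressed and must be decompressed before this parser sees them.
LAYOUT = {17: (120, 1, 144), 23: (128, 1, 152), 26: (128, 8, 208)}

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return the fields a triage analyst sorts and pivots on from one .pf file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed Windows 10 prefetch: decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not an uncompressed SCCA prefetch file (version %r)" % version)
    # The header keeps only the first 29 UTF-16 characters of the executable name, which is
    # why the challenge's file is named OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf.
    short_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    times_off, n_times, count_off = LAYOUT[version]
    raw_times = struct.unpack_from("<%dQ" % n_times, data, times_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    # The filename-strings section lists every file the process mapped, including its own
    # full device path; match that against the truncated header name.
    strings = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    paths = [p for p in strings.split("\x00") if p]
    exe_path = next((p for p in paths
                     if p.rsplit("\\", 1)[-1].upper().startswith(short_name.upper())), None)
    return {"version": version, "name": short_name, "hash": "%08X" % path_hash,
            "run_count": run_count, "last_run": [filetime_to_utc(t) for t in raw_times if t],
            "exe_path": exe_path, "loaded_files": paths}

def build_sample():
    """Constructed version-26 blob mirroring the challenge's file; not the real evidence."""
    full_path = ("\\DEVICE\\HARDDISKVOLUME1\\USERS\\LAB\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\TEMPORARY INTERNET "
                 "FILES\\CONTENT.IE5\\TSFMVXQM\\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE")
    strings = ("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL\x00" + full_path + "\x00").encode("utf-16-le")
    run_at = datetime(2015, 8, 15, 5, 34, 17, tzinfo=timezone.utc)  # assumed: a few seconds before the alert
    filetime = int((run_at - EPOCH_1601).total_seconds()) * 10_000_000
    name = "OVERDUE%20INVOICE%20DOCUMENTS".encode("utf-16-le").ljust(60, b"\x00")
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, 308 + len(strings)) + name + struct.pack("<II", 0xBB3C03FD, 0)
    info = struct.pack("<9I", 308, 0, 308, 0, 308, len(strings), 308 + len(strings), 0, 0) + bytes(8)
    info += struct.pack("<8Q", filetime, 0, 0, 0, 0, 0, 0, 0) + bytes(16) + struct.pack("<I", 1)
    return header + info.ljust(224, b"\x00") + strings
```

Run `parse_prefetch(open(path, "rb").read())` over a directory of exported .pf files and sort on `last_run` to reproduce the timeline pivot described above.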

For parsing the $MFT I used MFT Parser GUI from RedWolf Computer Forensics. Sorting by timestamp and looking around our suspicious timestamp, we notice that many internet artifacts were created, including Yahoo Mail artifacts, as shown in Fig. 5. This is also a strong indication of a phishing attempt.

Fig. 5. MFT Parser


Checking the file hash on VirusTotal gives a strong indication that this is known malware.


The FTP IP address also looks suspicious in the VirusTotal output.



Conclusion:

1. This is a confirmed malware event, as can be identified from the reports above.
2. The malware is the HawkEye keylogger, which has gained notoriety in the blackhat world.
3. This type of malware can pose a lot of risk to any organization: sensitive data such as passwords for banks, company resources and others can be captured. It can also have botnet capabilities.
4. As explained above, the most likely chain of events is that a user received an email claiming to contain a document and was tricked into opening it. This can be confirmed by creating a timeline of web history using IEF or other tools.




I really enjoyed doing the challenge. I hope Corey provides many more like this which can be very useful for beginners like me.