Wednesday, November 11, 2009

In The News

The Register is reporting that bot masters have hidden a control channel in the Google cloud via AppEngine. Interesting article, take a read. The article also points out that both Facebook and Twitter accounts have been seen being leveraged as control mechanisms. Quoted from the article:

And that may be another reason why black hats are flocking to the cloud.

"Going to a company as big as Google and saying 'Can we get an image of that server,' that's a pretty high barrier," he said.

I'd suggest that that would have to do with the implementation. Cloud is being sold as the next big thing...but what is it? Well, it depends on who you're talking to.

Something else that's been making its rounds is spilled COFEE...Dark Reading picked it up, as well. Folks, the only reason this is getting the press it is, is because this was originally released only to law enforcement. Other than that, it's really not that big of a deal. Hogfly weighed in on this, as well...he apparently felt so strongly about this...dude, his last post was in August! ;-)

FTK 3 has "explicit image detection" capabilities (PDF here). This looks to be very useful for finding images, but I'm not sure that that's really the issue at hand these days...I may be wrong. I mean, I thought that it wasn't so much a matter for LE to find the images (although the coolness factor might be that in the video, Erika Lee uses the term "trained", implying a neural network of some kind...), but it was more a matter of addressing the Trojan Defense. I mean, once you find the images, you have to then demonstrate that the user in question intentionally downloaded and viewed them, and possibly shared them. This is were browser/web history, P2P, and Registry analysis come into play. Know anyone who knows anything about "Registry analysis"?

Speaking of which...

I ran across this AP article regarding the "Trojan Defense" hosted at the Fox News site. This is an interesting article to me, because this is something I've been discussing with LE for a number of years now. One of the key aspects of the analysis performed can be seen here:

A technician found child porn in the PC folder that stores images viewed online.

For most examiners, this refers to the browser cache; for IE, the Temporary Internet Files subfolders. Now, I'm not about to disparage any analysts skills or capabilities...all I'm going to do is point some things out. First, those TIF subfolders aren't created by IE, they're created by the use of the WinInet APIs, which IE uses. Now, this means that another app that uses the same APIs would also create the subfolders, and if it were running in the context of the logged on user, the folders would be created in the user's TIF directory.

Where did I get this? Well, I got a little help from my buddy Robert "Van" Hensing...check out his blog post from 2006. This was valuable to me, as I had conducted an exam for a customer, and one of the oddities I found was that the Default User's web history (I was using ProDiscover in my examination, and there's an extremely useful function to search for and parse web history...) had been populated. I tracked that back to a copy of wget.exe running with privileges elevated to System level...but I digress.

So, it's entirely possible to get just about anything on a system and make it look like the user did it. Why do that? Perhaps to discredit the user or law enforcement...I don't know, I'm not this guy.

My point is that we can't simply look at the folder the files are located in and their date/time stamps, and think we've got it wrapped up. There are a number of other places on the system that we can look...Prefetch folder, Registry, etc...in order to answer the question of did a Trojan do it? before it's asked.

10 comments:

Forensics said...

The locating of issues is easy enough, the actual grading e.g. categorisation of pornographic material from pictures of trees/cars/houses etc is a very time intensive process, one which unfortunately takes far too much of an investigators time, especially when you consider the volume of cases involving indecent pornography.

H. Carvey said...

Understood...but on a system with, say, 20,000 images, how many does one actually have to categorize? Would it be enough to meet the federal statute? Or how about just 100? Would the time be better spent figuring out whether or not a Trojan really did it, or tying the images to a specific user account?

Forensics said...

Well for one "customer" (in the UK) it is 10000 images, so it takes a while.

JM said...

I have also seen where HTML email from the desktop client ends up in the TIF directory. That really confused me the first time I saw it.

H. Carvey said...

JM...interesting. Can you elaborate?

H. Carvey said...

JM...interesting. Can you elaborate?

JM said...

Using IEHV from NirSoft, I was reviewing the history files and found *a lot* of local file browsing in the user temp folders, the contents of which were all emails (and the temp folder resembled the name of the email client itself "xpgrpwise" along with the internal email domain and post office of the user).

I confess that I committed a cardinal sin and didn't really pursue it much further, simply assuming, er "concluding" that the local client was using the "IE engine" to render HTML email. (In my defense, I was really just testing the iehv tool and had no investigation that would require verification at the time. Still - I should've run it to ground.)

Now it seems more logical that the client was probably just using the WinInet APIs. And this time I will at least attempt to verify that. :-)

JM said...

Bingo. Using procexp, I see the wininet.dll file loaded by the email client, and see the system calls via procmon.

Another successful day of learning. :-)

Jimmy_Weg said...

Understood...but on a system with, say, 20,000 images, how many does one actually have to categorize?

20,000 images are nothing! I probably can view that many thumbs and categorize them properly in about an hour. I've had a case with one million, but that's another story :-). It's really not a matter of "how many are enough?" Regardless of the fact that one or five can be an offense, the idea, after all, is to protect children. We send all c-p to NCMEC for the database and stopping short, in any but an extreme case, is unacceptable. We can, however, provide the images to the case agent or an analyst for review.

The EID feature is an add-on that is not free unless you buy an extended subscription. I find that disappointing in an expensive tool. A similar feature comes with XWF. That said, I rarely use it; I can't take a chance of missing anything, and these tools are imperfect.

First, those TIF subfolders aren't created by IE, they're created by the use of the WinInet APIs, which IE uses.

You got me here, so please forgive my ignorance of the subject. Would it follow, then, that it's almost always the API or the function of some library or the like that does something and not the app? Of course, absent any indication of infection, it's a matter of what's in the folders and how it got there. Perhaps too many cases are founded on evidence that lends itself to the trojan defense.

H. Carvey said...

Jimmy,

Would it follow, then, that it's almost always the API or the function of some library or the like that does something and not the app?

No, that's not a blanket statement you can use. It's apparently the case...but only in this cases, as far as I know.

For instance, when a PE file is launched, if you "watch" it with ProcMon, you'll see the Image File Execution Options Registry key checked. This isn't a function of the PE file itself...this is a function of how the OS manages the launching of the PE file. However, with MRU lists, those are, in most cases, a function of the app...how/if they're written, how they're maintained, etc.

Perhaps too many cases are founded on evidence that lends itself to the trojan defense.

I think that the first instances of the use of the defense were more of "..this stuff is so technical, they'll never prove otherwise.."; now, it might be more of a gamble on how good the examiners for both sides are.

The interesting thing about your statement, though, is that there is evidence that may lend itself very well to the Trojan Defense...but at the same time, there's other information available that can lend a greater level of context and granularity to that evidence.