Detailed Case Study Involving Evidence Tampering

Posted: Sat Oct 01, 2016 3:39 pm

We just made some updates to a detailed case study on the Arsenal website at:

ArsenalExperts.com/Cas...ies/Odatv/

Teachers and students may find this case study particularly interesting. We hope to add another “gallery” soon focused on reverse engineering all the RATs, as well as offering the RATs themselves. Suggestions on what you would like to see next are welcome!

Thanks,

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

ArsenalConsulting
Member

Re: Detailed Case Study Involving Evidence Tampering

Posted: Tue Jan 10, 2017 3:34 pm

Just published a new gallery ("The Documents") on the case study. You can now see 11 documents, crucial to indictments of the Odatv defendants, which were placed covertly on two journalists' computers.

We are still working on the RAT gallery because it has become a bigger project than I expected. (What's new?)


ArsenalConsulting
Member

Re: Detailed Case Study Involving Evidence Tampering

Posted: Wed Jan 11, 2017 5:08 am

Mark, with all due respect, I have rarely seen such a complex setup/site (though the contents are extremely interesting).

I mean, it is nice looking and "modern" (whatever that means) and surely you guys over at Arsenal spent a lot of time making it so, but it is not like you are selling hip products to millennials (again with all due respect to both hip products and millennials).

IMHO for the rest of the people (particularly dinosaurs interested in forensics) a .zip or .7z containing a .pdf with the text and all the attachments/documents would be more practical than the current set of zillion single files, with a single link to each of them on its own page or "horizontal sliding tab".

Maybe you could add an archive that could be easier to manage when offline or even print on paper?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Detailed Case Study Involving Evidence Tampering

Posted: Wed Jan 11, 2017 5:49 am

I'm not much of a design guy... I push the content to our web guy and let him do his thing. If I or one of my other employees were responsible for designing the case study you would probably never use the web again.

The case study is a project that is not just "alive" but quite active. The best thing to print (for now) is the associated Digital Forensics Magazine article mentioned under Additional Resources. With that said, I agree with you - the option to archive and/or print the case study would be useful. You have just put it in our queue. There is a lot in the queue (in part because this is a pro bono case and it has to be juggled with casework that keeps us in business) but I'm confident we'll get archiving and printing addressed.


ArsenalConsulting
Member

Re: Detailed Case Study Involving Evidence Tampering

Posted: Wed Jan 11, 2017 5:59 am

It would be nice to see the NTFS object ID values of incriminating files, because these values contain timestamps. So, even if eight NTFS timestamps (SN+FN) were altered, we could restore the approximate timestamp related to a file creation event.

Also, this case reminds me of the idea that every byte is important. You used the $LogFile to obtain important indicators, while several "write blocking" acquisition products simply wipe that file on unclean volumes...

thefuf
Senior Member
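The point above about NTFS object IDs carrying their own timestamp, shown as an added example (not code from the thread or from Arsenal): the $OBJECT_ID attribute holds GUIDs which, when written by Distributed Link Tracking, are version-1 UUIDs with a 60-bit creation time and the MAC of the host that assigned them, fields that timestomping $STANDARD_INFORMATION/$FILE_NAME does not touch. The function names and the 16-byte sample attribute are constructed for this example; a nil or version-4 GUID yields no recoverable time.

```python
"""Decode NTFS $OBJECT_ID GUIDs assigned by Distributed Link Tracking.
Link tracking writes version-1 GUIDs: a 60-bit timestamp (100 ns ticks since
1582-10-15 UTC) plus the generating host's MAC. Timestomping rewrites $SI/$FN
times but leaves this attribute alone. On disk, GUIDs are mixed-endian."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
FIELDS = ("ObjectId", "BirthVolumeId", "BirthObjectId", "BirthDomainId")


def decode_guid(raw: bytes) -> dict:
    """Decode one 16-byte on-disk GUID; time/MAC are only valid for v1."""
    time_low, time_mid, time_hi_ver = struct.unpack("<IHH", raw[:8])
    info = {"guid": str(uuid.UUID(bytes_le=raw)), "version": time_hi_ver >> 12,
            "created": None, "mac": None, "clock_seq": None}
    if info["version"] != 1:  # nil GUID or random v4: no timestamp to recover
        return info
    ticks = ((time_hi_ver & 0x0FFF) << 48) | (time_mid << 32) | time_low
    info["created"] = UUID_EPOCH + timedelta(microseconds=ticks // 10)
    info["clock_seq"] = struct.unpack(">H", raw[8:10])[0] & 0x3FFF
    info["mac"] = ":".join(f"{b:02x}" for b in raw[10:16])
    return info


def parse_object_id_attribute(data: bytes) -> dict:
    """$OBJECT_ID content: ObjectId plus up to three optional birth IDs."""
    if len(data) % 16 or not 16 <= len(data) <= 64:
        raise ValueError(f"unexpected $OBJECT_ID length {len(data)}")
    return {name: decode_guid(data[i * 16:(i + 1) * 16])
            for i, name in enumerate(FIELDS) if (i + 1) * 16 <= len(data)}


def encode_v1_guid(created: datetime, mac: bytes, clock_seq: int = 0) -> bytes:
    """Inverse of decode_guid; used here only to build constructed sample input."""
    ticks = ((created - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    head = struct.pack("<IHH", ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                       0x1000 | ((ticks >> 48) & 0x0FFF))
    return head + struct.pack(">H", 0x8000 | (clock_seq & 0x3FFF)) + mac


# Constructed sample: created 2016-01-02 on host 00:11:22:33:44:55; nil GUIDs show the no-timestamp path.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_ATTR = (encode_v1_guid(datetime(2016, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
                              SAMPLE_MAC, 0x1234) + bytes(16)
               + encode_v1_guid(datetime(2015, 12, 1, tzinfo=timezone.utc), SAMPLE_MAC)
               + bytes(16))
for name, g in parse_object_id_attribute(SAMPLE_ATTR).items():
    print(f"{name:14} {g['guid']}  v{g['version']}  {g['created']}  {g['mac']}")
```

Feed it the raw content of a file's $OBJECT_ID attribute (16 or 64 bytes) from an $MFT parser; compare the recovered time with the record's $SI/$FN values to spot backdating.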

Re: Detailed Case Study Involving Evidence Tampering

Posted: Wed Jan 11, 2017 6:28 am

- thefuf
It would be nice to see the NTFS object ID values of incriminating files, because these values contain timestamps. So, even if eight NTFS timestamps (SN+FN) were altered, we could restore the approximate timestamp related to a file creation event.


NTFS ObjectIDs are awesome... and in our opinion underutilized. To help address that, we have recently added INDX record recovery (and ObjectID output) to our tool that exploits Windows hibernation files.

Unfortunately, in this particular case, ObjectIDs are not very useful. Theoretically, they might be useful on the computer that was attacked remotely... but they would not have been useful (in addressing your comment) on the computer that was attacked locally, even if ObjectIDs had been assigned. Basically, the host OS (with an accurate date/time) on the computer attacked remotely was interacting with NTFS, but the host OS (with an accurate date/time) on the computer attacked locally was not interacting with NTFS - the attacker computer's host OS with backdated date/time was. This is all irrelevant in this case though, because these files were never interacted with in a way that would generate ObjectIDs.

You can see the absence of ObjectIDs on the computer attacked locally here:

arsenalexperts.com/Cas...e-MFT.xlsx

Thank you for digging into this case! It's definitely worth the time.

Mark

ArsenalConsulting
Member

Re: Detailed Case Study Involving Evidence Tampering

Posted: Wed Jan 11, 2017 6:45 am

Well, the absence of NTFS object IDs is an artifact too: "Links to files on removable media are not maintained" (source).

thefuf
Senior Member