
Detailed Case Study Involving Evidence Tampering

9 Posts
3 Users
0 Likes
1,302 Views
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

We just made some updates to a detailed case study on the Arsenal website at

https://ArsenalExperts.com/Case-Studies/Odatv/

Teachers and students may find this case study particularly interesting. We hope to add another “gallery” soon focused on reverse engineering all the RATs, as well as offering the RATs themselves. Suggestions on what you would like to see next are welcome!

Thanks,

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

 
Posted : 02/10/2016 2:39 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

Just published a new gallery ("The Documents") on the case study. You can now see 11 documents, crucial to indictments of the Odatv defendants, which were placed covertly on two journalists' computers.

We are still working on the RAT gallery because it has become a bigger project than I expected. (What's new?)

> We just made some updates to a detailed case study on the Arsenal website at
>
> https://ArsenalExperts.com/Case-Studies/Odatv/
>
> Teachers and students may find this case study particularly interesting. We hope to add another “gallery” soon focused on reverse engineering all the RATs, as well as offering the RATs themselves. Suggestions on what you would like to see next are welcome!
>
> Thanks,
>
> Mark Spencer, President
> Arsenal Consulting, Inc.
> ArsenalExperts.com
> @ArsenalArmed

 
Posted : 11/01/2017 2:34 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Mark :), with all due respect, I have rarely seen such a complex setup/site (though the contents are extremely interesting).

I mean, it is nice looking and "modern" (whatever that means) and surely you guys over at Arsenal spent a lot of time making it so :), but it is not like you are selling hip products to millennials 😯 (again with all due respect to both hip products and millennials).

IMHO for the rest of the people (particularly dinosaurs interested in forensics) a .zip or .7z containing a .pdf with the text and all the attachments/documents would be more practical than the current set of zillion single files, with a single link to each of them on its own page or "horizontal sliding tab".

Maybe you could add an archive that could be easier to manage when offline or even print on paper?

jaclaz

 
Posted : 11/01/2017 4:08 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

I'm not much of a design guy… I push the content to our web guy and let him do his thing. If I or one of my other employees were responsible for designing the case study you would probably never use the web again.

The case study is a project that is not just "alive" but quite active. The best thing to print (for now) is the associated Digital Forensics Magazine article mentioned under Additional Resources. With that said, I agree with you - the option to archive and/or print the case study would be useful. You have just put it in our queue. There is a lot in the queue (in part because this is a pro bono case and it has to be juggled with casework that keeps us in business) but I'm confident we'll get archiving and printing addressed.

> Mark :), with all due respect, I have rarely seen such a complex setup/site (though the contents are extremely interesting).
>
> I mean, it is nice looking and "modern" (whatever that means) and surely you guys over at Arsenal spent a lot of time making it so :), but it is not like you are selling hip products to millennials 😯 (again with all due respect to both hip products and millennials).
>
> IMHO for the rest of the people (particularly dinosaurs interested in forensics) a .zip or .7z containing a .pdf with the text and all the attachments/documents would be more practical than the current set of zillion single files, with a single link to each of them on its own page or "horizontal sliding tab".
>
> Maybe you could add an archive that could be easier to manage when offline or even print on paper?
>
> jaclaz

 
Posted : 11/01/2017 4:49 pm
(@thefuf)
Posts: 262
Reputable Member
 

It would be nice to see the NTFS object ID values of incriminating files, because these values contain timestamps. So, even if eight NTFS timestamps (SN+FN) were altered, we could restore the approximate timestamp related to a file creation event.

Also, this case reminds me of the idea that every byte is important. You used the $LogFile to obtain important indicators, while several "write blocking" acquisition products simply wipe that file on unclean volumes…

 
Posted : 11/01/2017 4:59 pm
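As an added example (not code from this thread, from Arsenal, or from the case study), the following Python parses the content of an NTFS $OBJECT_ID attribute and pulls the embedded UUID version 1 timestamp and node field out of each GUID, which is the property thefuf's post relies on, then checks a creation timestamp against it. The attribute bytes, the node value and the $SI creation time used below are constructed for the demonstration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID version 1 (RFC 4122) timestamps count 100 ns ticks since 1582-10-15 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
FIELDS = ("object_id", "birth_volume_id", "birth_object_id", "birth_domain_id")

def decode_guid(raw16: bytes) -> dict:
    """Decode a 16-byte on-disk GUID (Data1..Data3 little-endian, Data4 as stored).
    Only a version-1 GUID carries the 60-bit timestamp and 48-bit node field."""
    g = uuid.UUID(bytes_le=raw16)
    info = {"guid": str(g), "version": g.version, "timestamp": None, "node": None}
    if g.version == 1:
        info["timestamp"] = UUID_EPOCH + timedelta(microseconds=g.time // 10)
        info["node"] = ":".join(f"{b:02x}" for b in g.node.to_bytes(6, "big"))
    return info

def parse_object_id_attribute(data: bytes) -> dict:
    """Parse $OBJECT_ID content: ObjectId, then optionally BirthVolumeId,
    BirthObjectId, BirthDomainId. Absent or all-zero GUIDs are reported as None."""
    if len(data) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID length {len(data)}")
    result = {}
    for i, name in enumerate(FIELDS):
        chunk = data[i * 16:(i + 1) * 16]
        result[name] = decode_guid(chunk) if len(chunk) == 16 and any(chunk) else None
    return result

def creation_later_than_objid(creation: datetime, objid_ts: datetime,
                              slack: timedelta = timedelta(seconds=2)) -> bool:
    """An ObjectID is assigned after the file exists, so a $SI/$FN creation timestamp
    later than the ObjectID timestamp cannot be genuine (an earlier one proves nothing)."""
    return creation > objid_ts + slack

def make_v1_guid_le(when: datetime, node: int, clock_seq: int = 0x1234) -> bytes:
    """Encode a version-1 GUID in on-disk byte order (used here only to build sample data)."""
    ticks = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                             ((ticks >> 48) & 0x0FFF) | 0x1000,
                             ((clock_seq >> 8) & 0x3F) | 0x80, clock_seq & 0xFF, node)).bytes_le

# Constructed sample (not from the case study): ObjectId assigned 2016-02-09 14:30 UTC by a
# host whose node field is 00:0c:29:ab:cd:ef; BirthVolumeId is a timestamp-free v4 GUID.
SAMPLE_TS = datetime(2016, 2, 9, 14, 30, tzinfo=timezone.utc)
SAMPLE_NODE = 0x000C29ABCDEF
SAMPLE_ATTR = (make_v1_guid_le(SAMPLE_TS, SAMPLE_NODE)
               + uuid.UUID("3f2504e0-4f89-41d3-9a0c-0305e82c3301").bytes_le
               + make_v1_guid_le(SAMPLE_TS, SAMPLE_NODE) + bytes(16))
```

On a real image, the 64 bytes come from the resident $OBJECT_ID attribute in the file's MFT record (or from an $ObjId index entry), and a timestamp recovered this way is compared against the eight $SI/$FN values rather than trusted on its own.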
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

> It would be nice to see the NTFS object ID values of incriminating files, because these values contain timestamps. So, even if eight NTFS timestamps (SN+FN) were altered, we could restore the approximate timestamp related to a file creation event.

NTFS ObjectIDs are awesome… and in our opinion underutilized. To help address that, we have recently added INDX record recovery (and ObjectID output) to our tool that exploits Windows hibernation files.

Unfortunately, in this particular case, ObjectIDs are not very useful. Theoretically, they might be useful on the computer that was attacked remotely… but they would not have been useful (in addressing your comment) on the computer that was attacked locally, even if ObjectIDs had been assigned. Basically, the host OS (with an accurate date/time) on the computer attacked remotely was interacting with NTFS, but the host OS (with an accurate date/time) on the computer attacked locally was not interacting with NTFS - the attacker computer's host OS with backdated date/time was. This is all irrelevant in this case though, because these files were never interacted with in a way that would generate ObjectIDs.

You can see the absence of ObjectIDs on the computer attacked locally here

https://arsenalexperts.com/Case-Studies/Odatv/persistent/resources/slideshow/Pehlivan-Odatv-Computer-Critical-Docs-Cr-and-Del-from-Partition-2-021111-per-Active-MFT.xlsx

Thank you for digging into this case! It's definitely worth the time. 😉

Mark

 
Posted : 11/01/2017 5:28 pm
(@thefuf)
Posts: 262
Reputable Member
 

> > It would be nice to see the NTFS object ID values of incriminating files, because these values contain timestamps. So, even if eight NTFS timestamps (SN+FN) were altered, we could restore the approximate timestamp related to a file creation event.
>
> NTFS ObjectIDs are awesome… and in our opinion underutilized. To help address that, we have recently added INDX record recovery (and ObjectID output) to our tool that exploits Windows hibernation files.
>
> Unfortunately, in this particular case, ObjectIDs are not very useful. Theoretically, they might be useful on the computer that was attacked remotely… but they would not have been useful (in addressing your comment) on the computer that was attacked locally, even if ObjectIDs had been assigned. Basically, the host OS (with an accurate date/time) on the computer attacked remotely was interacting with NTFS, but the host OS (with an accurate date/time) on the computer attacked locally was not interacting with NTFS - the attacker computer's host OS with backdated date/time was. This is all irrelevant in this case though, because these files were never interacted with in a way that would generate ObjectIDs.
>
> You can see the absence of ObjectIDs on the computer attacked locally here
>
> https://arsenalexperts.com/Case-Studies/Odatv/persistent/resources/slideshow/Pehlivan-Odatv-Computer-Critical-Docs-Cr-and-Del-from-Partition-2-021111-per-Active-MFT.xlsx
>
> Thank you for digging into this case! It's definitely worth the time. 😉
>
> Mark

Well, the absence of NTFS object IDs is an artifact too: "Links to files on removable media are not maintained" (source).

 
Posted : 11/01/2017 5:45 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

> Well, the absence of NTFS object IDs is an artifact too: "Links to files on removable media are not maintained" (source).

Agreed, and you have just referred to one possibility for why that might be. The absence of ObjectIDs is also one data point amongst many that helps define the relationship a particular computer (or to be more specific maybe we should say "host OS") did or did not have with a particular file.

Mark

 
Posted : 11/01/2017 5:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I'm not much of a design guy… I push the content to our web guy and let him do his thing. If I or one of my other employees were responsible for designing the case study you would probably never use the web again.

I don't know, as always beauty is in the eye of the beholder, I may actually like it. :roll:

Anyway thanks for understanding and putting the request in the queue. :)

When and if you have time, point your web guy to here ;)
http://tiffzhang.com/startup/index.html?s=208585626425
as an example of how all sites are nowadays, and an example of what they shouldn't look like (anymore).

jaclaz

 
Posted : 11/01/2017 7:09 pm