NIST Hacking case

[Joel Fernandez]

The students in my course will be working through the following NIST Hacking case as their first assignment. This is a good intro to anyone that wants to jump in head-first into forensics. Feel free to ask questions, work through issues, ask about tools, etc here ! My students will also be using bulk_extractor to scan the NIST image. No question is too novice ! Be sure to search this forum first. 

NIST Case : http://www.cfreds.nist.gov/Hacking_Case.html

Bulk_Extractor : https://github.com/simsong/bulk_extractor

[Greg Reichelt]

I am having issues putting the dd files which are split back togeather.  Anyone know of a porgram to do this easily?

Greg

Sent from my Kindle Fire

---

From: Joel Fernandez <joelfer...@gmail.com>
Sent: Tue Sep 04 00:04:01 CDT 2012
To: cyfo...@googlegroups.com
Subject: NIST Hacking case

The students in my course will be working through the following NIST Hacking case as their first assignment. This is a good intro to anyone that wants to jump in head-first into forensics. Feel free to ask questions, work through issues, ask about tools, etc here ! My students will also be using bulk_extractor to scan the NIST image. No question is too novice ! Be sure to search this forum first. 

NIST Case : http://www.cfreds.nist.gov/Hacking_Case.html

Bulk_Extractor : https://github.com/simsong/bulk_extractor

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/DgS81_U-JpoJ.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Joel Fernandez]

This is from last semester : 

Just wanted to let you know that I was having trouble with liveview.  Since it requires ancient versions of VMWare, it doesn't play well with the modern versions.  I *was* able to convert the DD images to a VMDK using the qemu tool in linux.  The rough process is as follows:

combine the dd files: cat SCHART.00[12345678] > SCHART.IMG

convert the IMG file to VMDK: qemu-img convert SCHARDT.IMG -O vmdk SCHARDT.vmdk

import the vmdk into VMWare ( I had to create a new VM, then replace the default VMDK file with my SCHART.vmdk file

[Moshe Caplan]

I just finished writing a CyFor module on this topic. It discusses how to combine multiple parts of an image file and how to build a VM from the image. It uses the same tool (qemu-img) that Joel mentioned above.

If you want to provide feedback I'd love to hear it.

BTW: I know the sound is very slightly off in parts of the video. I considered making a new one, but didn't think it was necessary.

https://sites.google.com/a/isis.poly.edu/cyfor/modules/building-a-vm-from-a-dd-image 

Moshe

[Joel Fernandez]

This was great work Moshe. 

--

You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/4d5N_lCPDA8J.

[Darwin Yip]

Are both enCase image and DD image the same, but just different format?

Also, I'm stuck on how to find the hash of the image. Is it given by BE or have to calculate that?

[Joel Fernandez]

Same image sep format

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/oMdDzkW4420J.

[Joel Fernandez]

Concatenation the dd then hash it. 

On Sep 7, 2012, at 7:59 PM, Darwin Yip <dre...@gmail.com> wrote:

[Matthew Bretan]

I'm having trouble getting SANS SIFT workstation working on my Mountain Lion OSX device.  The VirtualBox is able to run the image, but when I go into the settings, on the bottom it says that I have an invalid setting, but it doesn't say which setting is invalid.  I also can't change any of the setting until I fix this which means that I can't share folders between the host and image.  I've tried all the recommendations that I could find on Google, but none of those seemed to have worked...

Any other suggestions?

On Tuesday, September 4, 2012 1:04:01 AM UTC-4, Joel Fernandez wrote:

[Joel Fernandez]

I will be in front of a mac late tonight and can try it. 

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/7-a0zcYkMXsJ.

[Darwin Yip]

Is it possible that answers I get differ from the one in the website?

For example, I am getting AMD PCNET Family PCI Ethernet Adapter, while the website indicates Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface) and Compaq WL110 Wireless LAN PC Card.

[Joel Fernandez]

You should get the same answers. Can you show how you're doing it?

On Sep 8, 2012, at 7:12 PM, Darwin Yip <dre...@gmail.com> wrote:

Is it possible that answers I get differ from the one in the website?

For example, I am getting AMD PCNET Family PCI Ethernet Adapter, while the website indicates Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface) and Compaq WL110 Wireless LAN PC Card.

--

You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/PPqMamVieEQJ.

[Darwin Yip]

I'm viewing the information through the Device Manage, under Network Adapters of the image OS.

[Joel Fernandez]

Matthew, what version of OS do you have 4.what? Virtual box has issues with later versions of OS X. 

On Sat, Sep 8, 2012 at 11:25 AM, Matthew Bretan <matt....@gmail.com> wrote:

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/7-a0zcYkMXsJ.

[Joel Fernandez]

can you post a screenshot of what you're looking at? So i'm assuming you were successful in converting this into a VM?

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/gD2IMVxk7NQJ.

[Darwin Yip]

Yes I've converted the image to vmdk.

[Moshe Caplan]

Hey,

I'm coming in kind of late to this discussion, but here are my brief ideas off the top of my head.

I'll try to look at these issues more in detail soon.

@Matthew: Are you using the prebuilt-VM or the iso provided by SANS? From your post it sounds like the VM although I'm not sure. If you are using the VM I would suggest downloading the SIFT iso instead, creating a new VM and installing SIFT from the iso. It'll take longer, but may do better with compatibility issues. However, if your problem has to do with a mac / VirtualBox compatibility issue this probably won't help.

@Darwin: If you have booted the suspect machine in a VM then when you look at some of the hardware settings you may be seeing the hardware settings of your host computer, or the "virtualized" hardware VMWare has given the OS. For example, when I booted the suspect machine in a VM and checked some system settings, for "Computer Manufacturer I saw VMWare Inc."

Moshe

[Joel Fernandez]

I think you're right on both counts Moshe. I've downloaded the SIFT VM and will be trying to replicate Matthew's issue. Darwin's seems strange and i'd like to replicate that as well. With tools like OSForensics, i'm able to see the correct Network cards. 

--

You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

[Moshe Caplan]

If it's any help here's a replication of Darwin's issue. (I can't see his attached screenshot for some reason so this may already be in the thread.) The screenshot is part of the output of the "systeminfo" command. It was executed from the VM I built of the suspect image. Specifically notice things like the "System Manufacturer"

[Joel Fernandez]

i have mountain lion, downloaded the sift vmdk and had no problem. I'm using fusion though. can you take a screenshot of the problem? when it prompted you for your admin password did you put it? 

[Joel Fernandez]

Matthew. I installed vbox and ran the sift vm with no problems (not the ISO). I'm running OS X 10.8.1

We can work through it together tomorrow evening if you like. 

On Saturday, September 8, 2012 11:25:02 AM UTC-4, Matthew Bretan wrote:

[Darwin Yip]

I'm almost done except for a couple of problems.

I can't use tools like OSForensics because the browser of the VM keeps crashing. With this same problem I can't get an antivirus either.

Also, the file Showletter[1].htm is non-existent in my VM.

Lastly, how do I do 30?

[Nitin Jami]

I am trying to get the Hash of the image, it gives me a different one from that of correct answers. 

I tried in Linux : for i in `ls SCHARDT.00*`; do cat $i > SCHARDT.IMG; done

                       md5sum SCHARDT.IMG

In windows : copy /b SCHARDT.00* SCHARDT.IMG

                   md5sum SCHARDT.IMG (copied to linux and checked)

The hash I am getting is : fa18a9ec253c5e1d2f8c3292f0024b9f

On Tuesday, September 4, 2012 1:04:01 AM UTC-4, Joel Fernandez wrote:

[Moshe Caplan]

Try taking the hash of each individual file and check if they match the hashes published on  http://www.cfreds.nist.gov/images/hacking-dd/SCHARDT.LOG 

Maybe one of the files has an error.

Otherwise I was able to obtain the correct hash by first using "cat" to combine all the files into one and then hashing it.

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/O0q_UX8v4RkJ.

[Nitin Jami]

All the files have different hashes, in fact the log mentions the size of each file to be around 1301248, but the size of each file I have downloaded are 665600. Which is like half the size mentioned in log.

[Moshe Caplan]

Each of the files should be about 635 MB. You may have just gotten corrupted files. I would suggest downloading the files again.

See the screenshot below from when I downloaded the files and obtained the correct hashes.

[Nitin Jami]

Thanks, I was planning to download it again. 

[Jim]

I combined the dd files and I'm trying to use it as a disk image for virtual box, but vbox gives an error saying it cannot get the storage format of the medium.  Is this a valid approach?  Would you know if the combined dd files can be a valid storage format or how to adjust it?

If that approach won't work, I've been tediously doing "less" to search for the answers.

[Moshe Caplan]

See this CyFor module:  https://sites.google.com/a/isis.poly.edu/cyfor/modules/building-a-vm-from-a-dd-image 

VBox cannot read a raw image, but you can convert the raw image into a VBox compatible virtual hard drive format.

Also, see earlier posts in this thread, where others ran into the same problem.

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/6z0BMNlmR5AJ.

[Jim]

Nevermind -- solved.  It worked as *.hdd format.

[Jim]

Thanks. I just renamed it to end in *.hdd.

[Moshe Caplan]

With this approach were you actually able to boot up the VM and see the suspect's desktop?

Are you saying that all you did was combine the raw files, rename the combined file with a .hdd extension, and make a new VBox machine with this file as its harddrive?

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/_HmKtcyyic8J.

[Jim]

yes, exactly.

[Joel Fernandez]

You can do 30 with OSForensics or autopsy. Have you tried building a new Windows VM with a fresh version of Windows?  A good working windows forensic vm will come in handy. If you look on the resources tab of the course page/my.poly (only for students) you'll see a way to get free windows licenses. 

--

You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/PcTRoIFCMugJ.

[HT]

Hi, I found the MD5Sum and it was the same as in the answers, but how do I figure out if the acquisition and verification hash match?

[Moshe Caplan]

I had the same question as it doesn't appear that they provided an "acquisition" hash. However, since the answers provided their hash I took that as the acquisition hash.

[Mandy Galante]

I thought the hashes in the "Notes" were the acquisition hashes? If not, what are they for?

[Greg Reichelt]

That's exactly what I thought!  Good question.

Greg

--

You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/KCUE2ir4SwYJ.

[Moshe Caplan]

The notes don't include an acquisition hash for the entire image. They include hashes only for each of the eight parts. However, the hash given in the solution is for a hash of the entire image (once you've combined all eight parts.)