NW3C - Validation - COFEE v1.1.2 - Runner & NW3C Profiles PDF

COFEE v1.1.
2 Runner & NW3C Profiles

Validation Study
9/29/2009
Written and Tested By:

Justin Wykes, CFCE
Computer Crime Specialist, NW3C
Additional Testing By:

Mark Bowser, CFCE
Computer Crime Specialist, NW3C
NW3C
NW3C,Inc.,d/b/atheNationalWhiteCollarCrimeCenter,isa501c3nonprofitcorporationunderthe
UnitedStatesInternalRevenueTaxcode,incorporatedintheCommonwealthofVirginia.NW3Chas
morethana30yearhistoryinservingState,Local,andTribalLawEnforcement.
NW3Csnocostmembership,training,andservicesareextendedtoallLawEnforcement,regulatory
andprosecutorialagencies.NW3CisgovernedbyaBoardofDirectorselectedfrommemberlaw
enforcementagencies.TheBoardestablishesstrategicdirectioninaccordancewiththeNW3Ccorporate
bylaws,grantconditions,andotherappropriateguidelines,suchasapplicableOfficeofManagement
andBudget(OMB)circularsandtheOJPFinancialGuide.
WhatNW3CDoes
NW3Csprimaryareaofservicetojusticeagenciesistraining,andsince1996hasbeenthenations
leadingproviderofnocostInvestigativeandForensicsComputerCrimeandDigitalEvidencetrainingto
State,Local,andTribalLawEnforcement.Throughacombinationoftrainingandcriticalsupport
services,NW3Cequipsstateandlocallawenforcementagencieswithskillsandresourcestheyneedto
tackleemergingeconomicandcybercrimeproblems.
Forthegeneralpublic,NW3Cprovidesinformationandresearchsotheytoomaybecomeproactivein
thepreventionofeconomicandcybercrime.VictimsofcrimescanrelyonNW3Ctohelpthemregister
Internetcrimecomplaintsthroughtheirwebsiteatwww.ic3.govandnotifytheappropriateauthorities
atlocal,state,andfederallevelspromptly,accurately,andsecurely.
Acongressionallyfundednonprofitorganization,NW3Chasbeencontinuouslyfundedforthepast28
yearsinsupportofstateandlocalenforcementefforts.NW3Cisanationalprogramwithapresencein
all50states.
MembershipinNW3Cisfreeandopentofederal,state,localandinternationallawenforcement;
regulatoryandprosecutionagencies;aswellasdulyconstitutedpermanenttaskforces.Neither
individualsnorprivatecompaniesareeligibleformembership.
This project was supported by Grant No. 2008-CE-CX-0001 awarded by the Bureau of Justice Assistance. The
Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of
Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the
Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent
the official position or policies of the United States Department of Justice.
TableofContents
TableofContents...........................................................................................................................................i
Introduction..................................................................................................................................................1
PurposeandScope........................................................................................................................................1
TestResultSummary....................................................................................................................................1
TestAssertions..............................................................................................................................................2
TestingEnvironment.....................................................................................................................................2
TestComputer..........................................................................................................................................2
SupportSoftwareUsed.............................................................................................................................4
AdditionalInformation..............................................................................................................................4
TestResults...................................................................................................................................................5
ReportNotes...............................................................................................................................................51
AdditionalReferences.................................................................................................................................51
Glossary.......................................................................................................................................................51
Introduction
ThepurposeofthisreportistodocumentthevalidationofComputerOnlineForensicEvidence
Extractors(COFEE)generatedthumbdriveswhichwerecreatedusingthetwoNW3Ccollectionprofiles:
NW3CVolatileDataandNW3CIncidentResponse.
ToolTested:
Version:
RunEnvironments:
Supplier:
ComputerOnlineForensicEvidenceExtractor
1.1.2
WindowsXPServicePack2andWindowsXPServicePack3
Microsoft&NW3C
PurposeandScope
Thisvalidationstudywasconducted,inconjunctionwiththevalidationstudytitledCOFEEGUI
CONSOLE,toverifythattheCOFEEsuitefunctionsproperly.Thisdocumentfocusesonthevalidation
oftheCOFEEgeneratedthumbdrives.
COFEEsprimarypurposeistocreateathumbdrivewhichcontainsapredeterminedsetofapplications
whicharesettorunonasuspectslivemachine.UponconnectingaCOFEEgeneratedthumbdrivetoa
suspectsmachine,theinvestigatorexecutesrunner.exe(aprogramlocatedonthethumbdrive)which,
inturn,executesalloftheprogramsspecifiedbyCOFEE,andstoresthedatacollectedonthe
investigatorsthumbdrive.
TheprogramsplacedonthegeneratedthumbdrivesareidentifiedbyaprofileloadedintoCOFEE.
Whileanyusercancreatetheirownprofile,thisvalidationstudywillfocusonlyontheprofilescreated
byNW3C:NW3CVolatileDataandNW3CIncidentResponse.
Thisvalidationstudywasconductedtoensurethatwhenrunner.exeisexecuted:alloftheprograms
identifiedbytheprofileareexecuted,thatthecollecteddataisstoredontheinvestigatorsthumbdrive,
thatnoapplicationswererunfromthesuspectsmachine,andthatnounacceptablewritesweremade
tothesuspectsmachine.
COFEEiscurrentlyonlysupportedontheMicrosoftWindowsXPoperatingsystem.Nootheroperating
systemwastestedduringthisvalidationstudy.
TestResultSummary
OverallResult
TestingconductedonRunnerandtheNW3Cprofilesverifiedthatboththerunner.exeapplication,as
wellastheselectedprograms,functionedasexpectedandarewellwithinacceptablepracticesfordata
collectiononalivesystem.
NW3CVolatileDataProfile
Therewerenowritestothesuspectdrivesfilesystemusingthisprofile.
TherewereupdatesmadetotheWindowsRegistryonthesuspectsmachine,howevernoneofthe
registryupdateswereofobviousforensicvalue.Forspecificinformationonwhatkeyswerewrittento,
seeTestResults.
NW3CIncidentResponseProfile
Thisprofilecausedthreewritestothesuspectdrivesfilesystem.Allthreewriteswerecausedbythe
programhandle.exeandweremadetothefilePROCEXP100.sys.Thereferencetothefile
PROCEXP100.sysishardcodedintohandle.exe,aproductofSysinternals,andassuchitisnotpossible
torestrainhandle.exefromwritingtothisfile.However,thisfileisspecificallywrittenaspartofthe
Sysinternalstoolsetandisnotofevidentiaryinterest.
TherewerealsoupdatesmadetotheWindowsRegistryonthesuspectsmachine,howevernoneofthe
registryupdateswereofobviousforensicvalue.Forspecificinformationonwhatkeyswerewrittento,
seeTestResults.
DuringthetestingoftheIncidentResponseProfile,onetest(RunnerTest012)felloutsideofnormal
parameters.Duringthistest,handle.exedidnotwritetothefilePROCEXP100.sys,oranyregistryentries
relatedtoPROCEXP100.Thisanomalyoccurredduringonlyonetest,andasitcausedevenfewerwrites,
doesnotaffecttheoveralloutcomeofthisvalidation.
TestAssertions
ThefollowingassertionswerebaseduponthelistedfeaturesofCOFEE,aswellasadherencetoaccepted
forensicpracticesonalivemachine.
1.
2.
3.
4.
5.
Allprogramsidentifiedintheprofilewereexecuted.
Resultsofthetoolswereproperlystoredontheinvestigatorsthumbdrive.
Executingrunner.exedidnotcauseanydirectwritestothesuspectdrive(filesystem).
Executingrunner.exedidnotcauseanydirectwritestothesuspectdrive(registry).
Thetoolsexecutedwererunfromthethumbdrive,notfromthesuspectsmachine.
TestingEnvironment
TestComputer
1. Gateway600YG2Laptop(Abe)
a. SerialNumber:0029567634
b. IntelPentium4Mobile2.00GHz
c. 512MBRAM
d. PATA2.5HardDrive
2
2.
3.
4.
5.
6.
i. IBMIC25N030ATCS04030GBHardDrive
ii. SerialNumber:DAH4W0AB
iii. Contained1PrimaryPartitionwhichwasreportedat27.94GB
e. IntegratedNetworkCard
DellLatitudeD820Laptop(Eli)
a. IntelCentrinoDuoT25002.00GHz
b. 2GBRAM
c. SATA2.5HardDrive
i. SeagateMomentus60GB5400RPM
ii. SerialNumber:5PJ3J3FR
d. IntegratedNetworkCard
DellLatitudeD820Laptop(Jenny)
a. IntelCentrinoDuoT25002.00GHz
b. 2GBRAM
c. SATA2.5HardDrive
i. SeagateMomentus60GB5400RPM
ii. SerialNumber:5PJ31XJM
d. IntegratedNetworkCard
DigitalIntelligenceForensicRecoveryofEvidenceDevice(FRED)Tower(Jim)
a. SerialNumber:F0039002127
b. IntelPentium42.4GHz
c. 1GBRAM
d. PATA3.5HardDrive
i. MaxtorDiamondMaxPlus980GB
ii. SerialNumber:Y2B7HYVE
Gateway600YG2Laptop(Pat)
a. SerialNumber:0029567607
b. IntelPentium4Mobile2.00GHz
c. 512MBRAM
d. PATA2.5HardDrive
i. IBMIC25N030ATCS04030GB
ii. SerialNumber:DAH4VJNB
DigitalIntelligenceForensicRecoveryofEvidenceDevice(FRED)Tower(Paul)
a. SerialNumber:F0039002132
b. IntelPentium42.4GHz
c. 1GBRAM
3
d. PATA3.5HardDrive
i. MaxtorDiamondMaxPlus980GB
ii. SerialNumber:Y2B7KF6E
SupportSoftwareUsed
1. ProcessMonitorwasusedtorecordallprocessesandwritesmadeduringthetestingofthe
generatedthumbdrives.ProcessMonitorisafreeWindowsSysinternalstoolwrittenbyMark
RussinovichandBryceCogswell.Thissoftwarewasdownloadedfrom:
http://technet.microsoft.com/enus/sysinternals/bb896645.aspx
2. MicrosoftExcel2007wasusedforanalysisofthelogfilescreatedbyProcessMonitor.Thecopy
ofMicrosoftOfficeusedislicensedtoNW3C.
AdditionalInformation
Theoperatingsystemwasnotlistedinthedescriptionsaboveastheywereauniquepartoftesting.
WhileallthemachineswererunningWindowsXP,theywerenotallrunningonthesameservicepack.
Theservicepackusedonanygiventestwillbelistedonthespecifictestpage.
TestResults
Thissectioncontainsdetailsonalltestsconductedduringthevalidationstudy.
TestResultsReportKey
TestResultsReportKey
TestName: 0001
Date: 23July2009
Description: TodetermineifXYZdoesABC
TesterName:
JShmoe
TestMachine: Dave1
AssertionsTested: XYZdoesA
XYZdoesB
XYZdoesC
UniqueSetup
NonUniversalStuff.Newpartitionscheme,etc.Couldalsoincludeprehash
Information:
values,etc.
AsExpected
ResultsBy
XYZdoesA
Assertion:
AsExpected
XYZdoesB
AnomaliesDetected
XYZdoesC
TesterNotes:
AnyadditionalinformationthetesterwantstoaddprobablyinParagraphform.
Couldincludehashinformation.
OverallSuccess:
AsExpectedorAnomaliesDetected
TestResults
TestName: RunnerTest001
Date: 26August2009
Description: RunningaCOFEEgeneratedthumbdrivewiththeNW3CVolatileDataProfile(SP3)
TesterName:
JWykes
TestMachine: Abe
AssertionsTested:
1. Allprogramsidentifiedintheprofilewereexecuted.
2. Resultsofthetoolswereproperlystoredontheinvestigatorsthumb
drive.
3. Executingrunner.exedidnotcauseanydirectwritestothesuspectdrive
(FileSystem).
(Registry).
5. Thetoolsexecutedwererunfromthethumbdrive,notfromthesuspects
machine.
UniqueSetup
SystemwasloadedwithMicrosoftWindowsXPServicePack3.
Information:
1GBPNYAttachThumbDrivewiththeNW3CVolatileDataprofileloaded,as
wellasProcessMonitor.
InternalID#:VOL3
DriveSN#9VQRE66HNQD8RB16
AsExpected
1. Allprogramsidentifiedintheprofilewere
ResultsBy
Assertion:
executed.
2. Resultsofthetoolswereproperlystoredonthe AsExpected
AsExpected
3. Executingrunner.exedidnotcauseanydirect
writestothesuspectdrive(FileSystem).
AnomalyDetected
writestothesuspectdrive(Registry).
AsExpected
5. Thetoolsexecutedwererunfromthethumb
drive,notfromthesuspectsmachine.
TesterNotes:
Thethumbdrivewasfirstconnectedtothemachineafterthesystemhadfinished
bootingtoWindows.Afterthethumbdrivedriversfinishedloading,thetester
navigatedtothethumbdriveandstartedProcessMonitor.
OnceProcessMonitorloaded,andhadbeguncapturingdata,thetesternavigated
tothethumbdriveandranrunner.exe.
StartTime:9:42am
EndTime:9:43am
Immediatelyafterthecompletionofrunner,thetesterstoppedtheProcess
Monitorcaptureandsavedthelogfiletothethumbdrive.Thelogfilewas
examinedlaterfortestingoftheassertionslistedabove.Theresultsofthe
analysisaredetailedbelow:
Assertion1:
Anexaminationofthethumbdrivesfilesystemindicatedthatalloftheprograms
associatedwiththeNW3CVolatileDataprofileweresuccessfullycopiedtothe
6
disk.
AnexaminationoftheProcessMonitorlogsindicatesthatalloftheprograms
associatedwiththeNW3CVolatileDataprofileweresuccessfullyrunduringthe
testingperiod.
Assertion2:
Anexaminationofthecontentsofthethumbdriveindicatesthatrunner.exe
successfullysavedtheoutputfilesonthethumbdrive,andintheappropriate
directories.
Assertion3:
AnexaminationoftheProcessMonitorlogsindicatesthattherewerenodirect
writesmadetothesuspectdrivebyRunneroranyofitsprocesses(toincludeall
oftheprogramswithintheselectedprofile).Thistestwasdonebyfilteringthe
ProcessMonitorlogresultstoshowonlyFilesysteminformation,andsearching
foranyWriteFileoperation.
Assertion4:
AnexaminationoftheProcessMonitorlogsindicatesthattherewere135total
writes/updates/deletionsmadetotheregistrybyRunneranditsprocesses(to
includealloftheprogramswithintheselectedprofile).Theseresultswillalso
includeattemptstochangethatwerenotallowed(i.e.,anattempttodeleteakey
thatdoesntexist).ThistestwasdonebyfilteringtheProcessMonitorlogresults
toshowonlyRegistryinformation,andsearchingforanyRegSetValue,
RegDeleteValue,orRegDeleteKeyoperation.Forsimplicitiessake,anychange
madetotheregistrywillbelistedasawritebelow.
Therewere105writesmadetotheregistrykeybelow.Thebreakdownofthe
programsthatupdatedthisregistrykeyisasfollows:ipconfig.exe(8),nbtstat.exe
(0),net.exe(8),netstat.exe(16),pslist.exe(2),psloggedon.exe(0),quser.exe(1),
sclist.exe(1),showgrps.exe(1),systeminfo.exe(8),whoami.exe(0),cmd.exe(52),
andrunner.exe(8).
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Inadditiontoanywriteslistedabove,netstat.exealsomadetwowritestothe
followingregistrykey:
HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\
TrapPollTimeMilliSecs
Inadditiontoanywriteslistedabove,ipconfig.exealsomadetwowritestothe
HKLM\SOFTWARE\Microsoft\ESENT\Process\7644\DEBUG\Trace Level
Inadditiontoanywriteslistedabove,ipconfig.exemadeonewritetoeachofthe
followingregistrykeys:
7
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Tracing\Microsoft\eappcfg\Active
Tracing\Microsoft\eappcfg\ControlFlags
Tracing\Microsoft\eappcfg\LogSessionName
Tracing\Microsoft\eappcfg\traceIdentifier\BitNames
Tracing\Microsoft\eappcfg\traceIdentifier\Guid
Tracing\Microsoft\eappprxy\Active
Tracing\Microsoft\eappprxy\ControlFlags
Tracing\Microsoft\eappprxy\LogSessionName
Tracing\Microsoft\eappprxy\traceIdentifier\BitNames
Tracing\Microsoft\eappprxy\traceIdentifier\Guid
Tracing\Microsoft\QUtil\Active
Tracing\Microsoft\QUtil\ControlFlags
Tracing\Microsoft\QUtil\LogSessionName
Tracing\Microsoft\QUtil\traceIdentifier\BitNames
Tracing\Microsoft\QUtil\traceIdentifier\Guid
HKLM\System\CurrentControlSet\Services\Eventlog\
Application\ESENT\CategoryCount
Application\ESENT\CategoryMessageFile
Application\ESENT\EventMessageFile
Application\ESENT\TypesSupported
Inadditiontoanywriteslistedabove,pslist.exealsomadetwowritestoeachof
thefollowingregistrykeys:
HKLM\System\CurrentControlSet\Services\PerfOS\
Performance\Error Count
HKLM\System\CurrentControlSet\Services\PerfProc\
OverallSuccess:
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatesthattheprogramsrunas
partoftheprofilewererunfromthethumbdrive,andnotfromthesuspects
harddrive.
AdditionalTesterNotes:
Whiletherewereseveralwritestothesystemsregistry,theregistrykeys
modifiedwerenotofanyevidentiaryconcern,inaddition,themodificationswere
aresultofrunningthesetoolsonalivemachine,andcouldnotbeavoided.In
addition,duetothenatureoftheregistry,determiningiftheregistrychanges
wereactuallywrittentothedriveisdifficult.
Whiletherewereslightchangestotheregistry,thewriteswereunavoidablein
attemptingtoretrievethedesiredinformation,andassuch,theoverallratingfor
thistestwillbelistedAsExpected.
AsExpected
Date:
26August2009
Description: RunningaCOFEEgeneratedthumbdrivewiththeNW3CIncidentResponseProfile(SP3)
TesterName:
JWykes
TestMachine:
Abe
Assertions
Tested:
2. Resultsofthetoolswereproperlystoredontheinvestigatorsthumbdrive.
3. Executingrunner.exedidnotcauseanydirectwritestothesuspectdrives
FileSystem.
Registry.
machine.
UniqueSetup
Information:
1GBPNYAttachThumbDrivewiththeNW3CIncidentResponseprofileloaded,
aswellasProcessMonitor.
InternalID#:IR3
DriveSN#FDVRWBUS3LJO20CP
AsExpected
ResultsBy
Assertion:
executed.
AnomalyDetected
AnomalyDetected
AsExpected
TesterNotes:
OnceProcessMonitorloaded,andhadbeguncapturingdata,thetesternavigatedto
thethumbdriveandranrunner.exe.
StartTime:9:21am
EndTime:9:26am
Immediatelyafterthecompletionofrunner,thetesterstoppedtheProcessMonitor
captureandsavedthelogfiletothethumbdrive.Thelogfilewasexaminedlaterfor
testingoftheassertionslistedabove.Theresultsoftheanalysisaredetailedbelow:
Assertion1:
associatedwiththeNW3CIncidentResponseprofileweresuccessfullycopiedtothe
disk.
associatedwiththeNW3CIncidentResponseprofileweresuccessfullyrunduringthe
testingperiod.
10

Assertion2:
directories.
Assertion3:
AnexaminationoftheProcessMonitorlogsindicatesthattherewerethreedirect
writesmadetothesuspectsharddrive.ThistestwasdonebyfilteringtheProcess
Monitorlogresultstoshowonlyfilesysteminformation,andsearchingforany
WriteFileoperation.Theresultsindicatethattheprogramhandle.exemadethree
writestothefileC:\WINDOWS\system32\drivers\PROCEXP100.sys
AreferencetothefilePROCEXP100.sysishardcodedwithinhandle.exe,andassuch
itappearsthatitisnotpossibletorestrainhandle.exefromwritingtothisfile.
However,thisfileisspecificallywrittenaspartoftheSysinternalstoolandwouldnot
beofevidentiaryinterest.
Assertion4:
includealloftheprogramswithintheselectedprofile).Theseresultswillalsoinclude
attemptstochangethatwerenotallowed(i.e.,anattempttodeleteakeythat
doesntexist).ThistestwasdonebyfilteringtheProcessMonitorlogresultstoshow
onlyRegistryinformation,andsearchingforanyRegSetValue,RegDeleteValue,or
RegDeleteKeyoperation.Forsimplicitiessake,anychangemadetotheregistrywill
belistedasawritebelow.
programsthatupdatedthisregistrykeyisasfollows:arp.exe(8),at.exe(0),
autorunsc.exe(8),getmac.exe(8),handle.exe(0),hostname.exe(8),ipconfig.exe(8),
msinfo32.exe(8),nbtstat.exe(0),net.exe(9),netdom.exe(0),netstat.exe(16),
openfiles.exe(1),psfile.exe(0),pslist.exe(2),psloggedon.exe(0),psservice.exe(1),
pstat.exe(0),psuptime.exe(8),quser.exe(1),route.exe(0),sc.exe(2),sclist.exe(1),
showgrps.exe(1),srvcheck.exe(0),tasklist.exe(8),whoami.exe(0),cmd.exe(133),
andrunner.exe(8).
Inadditiontoanywriteslistedabove,arp.exealsomadeonewritetothefollowing
registrykey:
HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\
Parameters\TrapPollTimeMilliSecs
Inadditiontoanywriteslistedabove,autorunsc.exealsomadeonewritetoeachof
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
{3c4fbd00-9243-11de-9ad6-00e0b8534d66}\BaseClass
11
{923d6cc2-90ab-11de-9ad0-806d6172696f}\BaseClass
{923d6cc3-90ab-11de-9ad0-806d6172696f}\BaseClass
{c64021c7-90aa-11de-a515-806d6172696f}\BaseClass
Inadditiontoanywriteslistedabove,handle.exealsomadeonewritetoeachofthe
HKLM\System\CurrentControlSet\Services\PROCEXP100
HKLM\System\CurrentControlSet\Services\PROCEXP100\Enum
HKLM\System\CurrentControlSet\Services\PROCEXP100\ErrorControl
HKLM\System\CurrentControlSet\Services\PROCEXP100\ImagePath
HKLM\System\CurrentControlSet\Services\PROCEXP100\Start
HKLM\System\CurrentControlSet\Services\PROCEXP100\Type
Inadditiontoanywriteslistedabove,ipconfig.exealsomadeonewritetoeachofthe
12
HKLM\System\CurrentControlSet\Services\Eventlog\Application\
ESENT\CategoryCount
ESENT\CategoryMessageFile
ESENT\EventMessageFile
ESENT\TypesSupported
Inadditiontoanywriteslistedabove,pslist.exemadetwowritestoeachofthe
HKLM\System\CurrentControlSet\Services\PerfOS\Performance\Error Count
HKLM\System\CurrentControlSet\Services\PerfProc\Performance\Error Count
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatesthattheprogramsrunaspart
oftheprofilewererunfromthethumbdrive,andnotfromthesuspectsharddrive.
Whiletherewereseveralwritestothesystemsregistry,theregistrykeysmodified
werenotofanyevidentiaryconcern,inaddition,themodificationswerearesultof
runningthesetoolsonalivemachine,andcouldnotbeavoided.Inaddition,dueto
thenatureoftheregistry,determiningiftheregistrychangeswereactuallywrittento
thedriveisdifficult.
Whiletherewereslightchangestothedriveandregistry,thewriteswereeither
specifictoaprogramrun(handle.exe)orwereunavoidableinattemptingtoretrieve
thedesiredinformation,theoverallratingforthistestwillbelistedAsExpected.
OverallSuccess: AsExpected
13

Date: 26August2009
TesterName:
MBowser
TestMachine: Eli
AssertionsTested:
drive.
(FileSystem).
(Registry).
machine.
UniqueSetup
Information:
InternalID#:VOL2
DriveSN#02KDC41B09G1H205
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:10:07am
EndTime:10:08am
Assertion1:
disk.
14
testingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
andrunner.exe(8).
15
OverallSuccess:
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatethattheprogramsrunaspart
oftheprofilewererunfromthethumbdrive,andnotfromthesuspectshard
drive.
AsExpected
16
Date:
26August2009
TesterName:
MBowser
TestMachine:
Eli
Assertions
Tested:
FileSystem.
Registry.
machine.
UniqueSetup
Information:
InternalID#:IR2
DriveSN#4311RZBJVSAHWWDV
AsExpected
ResultsBy
Assertion:
executed.
AnomalyDetected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:9:55am
EndTime:9:57am
Assertion1:
disk.
testingperiod.
17

Assertion2:
directories.
Assertion3:
WriteFileoperation.Theresultsindicatethattheprogramhandle.exemadethree
writestothefileC:\WINDOWS\system32\drivers\PROCEXP100.sys
AreferencetothefilePROCEXP100.sysishardcodedwithinhandle.exe,andassuch
itappearsthatitisnotpossibletorestrainhandle.exefromwritingtothisfile.
However,thisfileisspecificallywrittenaspartoftheSysinternalstoolandwouldnot
beofevidentiaryinterest.
Assertion4:
onlyRegistryinformation,andsearchingforanyRegSetValue,RegDeleteValue,
orRegDeleteKeyoperation.Forsimplicitiessake,anychangemadetotheregistry
willbelistedasawritebelow.
andrunner.exe(8).
registrykey:
{44596dc1-923f-11de-9e16-806d6172696f}\BaseClass
18
{dfb5a3d0-9247-11de-9e17-0015c5a7cb2f}\BaseClass
{feaef4c4-616a-11de-93cb-806d6172696f}\BaseClass
Inadditiontoanywriteslistedabove,handle.exealsomadeonewritetoeachofthe
ESENT\CategoryCount
HKLM\System\CurrentControlSet\Services\PerfProc\Performance\
Error Count
19
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatethattheprogramsrunaspartof
theprofilewererunfromthethumbdrive,andnotfromthesuspectsharddrive.
thenatureoftheregistry,determiningiftheregistrychangeswereactuallywritten
tothedriveisdifficult.
specifictoaprogramrun(handle.exe)orwereunavoidableinattemptingtoretrieve
thedesiredinformation,theoverallratingforthistestwillbelistedAsExpected.
20
Date: 26August2009
TesterName:
JWykes
TestMachine: Jenny
AssertionsTested:
drive.
(FileSystem).
(Registry).
machine.
UniqueSetup
Information:
InternalID#:VOL2
DriveSN#02KDC41B09G1H205
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:9:14am
EndTime:9:15am
Assertion1:
disk.
21
testingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
andrunner.exe(8).
22
Assertion5:
drive.
23
OverallSuccess:
AsExpected
24
Date:
26August2009
TesterName:
JWykes
TestMachine:
Jenny
AssertionsTested:
drive.
FileSystem.
Registry.
machine.
UniqueSetup
Information:
1GBPNYAttachThumbDrivewiththeNW3CIncidentResponseprofile
loaded,aswellasProcessMonitor.
InternalID#:IR2
DriveSN#4311RZBJVSAHWWDV
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
2. Resultsofthetoolswereproperlystoredon
theinvestigatorsthumbdrive.
3. Executingrunner.exedidnotcauseanydirect AnomalyDetected
5. Thetoolsexecutedwererunfromthethumb AsExpected
TesterNotes:
StartTime:9:01am
EndTime:9:03am
examinedlaterfortestingoftheassertionslistedabove.Theresultsoftheanalysis
aredetailedbelow:
Assertion1:
associatedwiththeNW3CIncidentResponseprofileweresuccessfullycopiedto
thedisk.
25
associatedwiththeNW3CIncidentResponseprofileweresuccessfullyrunduring
thetestingperiod.
Assertion2:
directories.
Assertion3:
WriteFileoperation.Theresultsindicatethattheprogramhandle.exemade
threewritestothefileC:\WINDOWS\system32\drivers\PROCEXP100.sys
AreferencetothefilePROCEXP100.sysishardcodedwithinhandle.exe,andas
suchitappearsthatitisnotpossibletorestrainhandle.exefromwritingtothisfile.
However,thisfileisspecificallywrittenaspartoftheSysinternalstoolandwould
notbeofevidentiaryinterest.
Assertion4:
autorunsc.exe(8),getmac.exe(8),handle.exe(0),hostname.exe(8),ipconfig.exe
(8),msinfo32.exe(8),nbtstat.exe(0),net.exe(9),netdom.exe(0),netstat.exe(16),
pstat.exe(0),psuptime.exe(8),quser.exe(1),route.exe(0),sc.exe(2),sclist.exe
(1),showgrps.exe(1),srvcheck.exe(0),tasklist.exe(8),whoami.exe(0),cmd.exe
(133),andrunner.exe(8).
registrykey:
Inadditiontoanywriteslistedabove,autorunsc.exealsomadeonewritetoeach
ofthefollowingregistrykeys:
26
{4961381b-90f6-11de-919c-806d6172696f}\BaseClass
{843fd392-9240-11de-91a3-0015c5aa5641}\BaseClass
{feaef4c4-616a-11de-93cb-806d6172696f}\BaseClass
Inadditiontoanywriteslistedabove,handle.exealsomadeonewritetoeachof
Inadditiontoanywriteslistedabove,ipconfig.exealsomadeonewritetoeachof
27
ESENT\CategoryCount
HKLM\System\CurrentControlSet\Services\PerfProc\Performance\Error
Count
OverallSuccess:
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatesthattheprogramsrunaspart
drive.
runningthesetoolsonalivemachine,andcouldnotbeavoided.Inaddition,due
tothenatureoftheregistry,determiningiftheregistrychangeswereactually
writtentothedriveisdifficult.
specifictoaprogramrun(handle.exe)orwereunavoidableinattemptingto
retrievethedesiredinformation,theoverallratingforthistestwillbelistedAs
Expected.
AsExpected
28
Date: 26August2009
TesterName:
JWykes
TestMachine: Jim
AssertionsTested:
drive.
(FileSystem).
(Registry).
machine.
UniqueSetup
Information:
InternalID#:VOL1
DriveSN#0XRVIMHLKSVVY0X8
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:8:31am
EndTime:8:33am
Assertion1:
disk.
29
testingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
andrunner.exe(8).
30
31
OverallSuccess:
Assertion5:
drive.
AsExpected
32
Date:
26August2009
TesterName:
JWykes
TestMachine:
Jim
AssertionsTested:
drive.
FileSystem.
Registry.
machine.
UniqueSetup
Information:
InternalID#:IR1
DriveSN#FAV3RW6Q0RP0L3M7
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
5. Thetoolsexecutedwererunfromthethumb AsExpected
TesterNotes:
StartTime:8:43am
EndTime:8:51am
aredetailedbelow:
Assertion1:
thedisk.
33
thetestingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
registrykey:
34
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
\
{02bb35ea-1621-11da-840f-806d6172696f}\BaseClass
\
{02bb35eb-1621-11da-840f-806d6172696f}\BaseClass
\
{02bb35ec-1621-11da-840f-806d6172696f}\BaseClass
\
{a958b38f-9106-11de-b151-000d6137076a}\BaseClass
35
ESENT\CategoryCount
HKLM\System\CurrentControlSet\Services\PerfOS\Performance\Error
Count
HKLM\System\CurrentControlSet\Services\PerfProc\Performance\Error
Count
Assertion5:
drive.
werenotofanyevidentiaryconcern;inaddition,themodificationswerearesultof
36
OverallSuccess:
Expected.
AsExpected
37
Date: 26August2009
TesterName:
MBowser
TestMachine: Pat
AssertionsTested:
drive.
(FileSystem).
(Registry).
machine.
UniqueSetup
Information:
InternalID#:VOL3
DriveSN#9VQRE66HNQD8RB
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:10:31am
EndTime:10:32am
Assertion1:
disk.
38
testingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
andrunner.exe(8).
39
OverallSuccess:
Assertion5:
drive.
modifiedwerenotofanyevidentiaryconcern;inaddition,themodificationswere
AsExpected
40
Date:
26August2009
TesterName:
MBowser
TestMachine:
Pat
AssertionsTested:
drive.
FileSystem.
Registry.
machine.
UniqueSetup
Information:
InternalID#:IR3
DriveSN#FDVRWBU53LJO20CP
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AsExpected
TesterNotes:
StartTime:10:39am
EndTime:10:43am
aredetailedbelow:
Assertion1:
thedisk.
41
thetestingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
writes/updates/deletionsweremadetotheregistrybyRunneranditsprocesses
(toincludealloftheprogramswithintheselectedprofile).Theseresultswillalso
registrykey:
42
\
{ab7c3e54-924c-11de-83b1-00e0b8534ba4}\BaseClass
\
{e727fc90-921e-11de-b2a5-806d6172696f}\BaseClass
\
\
ESENT\CategoryCount
43
HKLM\System\CurrentControlSet\Services\PerfOS\Performance\Error
Count
Error Count
OverallSuccess:
Assertion5:
drive.
Expected.
AsExpected
44
Date: 26August2009
TesterName:
MBowser
TestMachine: Paul
AssertionsTested:
drive.
(FileSystem).
(Registry).
machine.
UniqueSetup
Information:
InternalID#:VOL1
DriveSN#0XRVIMHLKSVVY0X8
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:9:43am
EndTime:9:44am
Assertion1:
disk.
45
testingperiod.
Assertion2:
directories.
Assertion3:
Assertion4:
andrunner.exe(8).
46
OverallSuccess:
Assertion5:
drive.
modifiedwerenotofanyevidentiaryconcern;inaddition,themodificationswere
AsExpected
47
Date:
26August2009
TesterName:
MBowser
TestMachine:
Paul
Assertions
Tested:
FileSystem.
Registry.
machine.
UniqueSetup
Information:
InternalID#:IR1
DriveSN#FAV3RW6Q0RP0L3M7
AsExpected
ResultsBy
Assertion:
executed.
AsExpected
AnomalyDetected
AsExpected
TesterNotes:
StartTime:9:24am
EndTime:9:26am
Assertion1:
disk.
testingperiod.
48

Assertion2:
directories.
Assertion3:
writesmadetothesuspectdrivebyRunneroranyofitsprocesses(toincludeallof
theprogramswithintheselectedprofile).ThistestwasdonebyfilteringtheProcess
MonitorlogresultstoshowonlyFilesysteminformation,andsearchingforany
WriteFileoperation.
Assertion4:
onlyRegistryinformation,andsearchingforanyRegSetValue,RegDeleteValue,
orRegDeleteKeyoperation.Forsimplicitiessake,anychangemadetotheregistry
willbelistedasawritebelow.
andrunner.exe(8).
registrykey:
{02bb35ea-1621-11da-840f-806d6172696f}\BaseClass
{02bb35eb-1621-11da-840f-806d6172696f}\BaseClass
{02bb35ec-1621-11da-840f-806d6172696f}\BaseClass
49
{c583de36-925c-11de-b154-000d6119d38a}\BaseClass
ESENT\CategoryCount
Error Count
Assertion5:
AnexaminationoftheProcessMonitorlogsindicatethattheprogramsrunaspartof
theprofilewererunfromthethumbdrive,andnotfromthesuspectsharddrive.
thenatureoftheregistry,determiningiftheregistrychangeswereactuallywritten
tothedriveisdifficult.
attemptingtoretrievethedesiredinformation,andassuch,theoverallratingforthis
testwillbelistedAsExpected.
50
ReportNotes
ThisvalidationwasconductedtotestthefunctionalityofthetwoNW3Cprofilesastheywouldrunona
suspectssystem.ThisisnotavalidationofthefullCOFEEsuite.
AdditionalReferences
LeoDorrendorf,Z.G.(2007).CryptanalysisoftheWindowsRandomNumberGenerator.TheHebrew
UniversityofJerusalem.
Bowser,M&Wykes,J.(2009).COFEEGUICONSOLE.NationalWhiteCollarCrimeCenter.
Glossary
Entropy:Randomdatamouseposition,processorstatistics,localtime,etc.collectedbyan
applicationoroperatingsystemforuseincryptography.
FileSystem:Inrelationtothisdocument,filesystemreferstoactivefilesonthesuspectssystem.
IncidentResponse:Theactionsandapproachestakentoanetworksecuritybreach(suchasasystem
beinghacked).
Registry:Theregistryconsistsofanumberofseparatehivefileswhichstorevarioustypesof
information.Whenasystemispoweredon,theoperatingsystemcombinesthesehivefilesinRAMto
createtheregistry.Whenchangesaremadetotheregistry,thechangesaremadetotheregistrythatis
locatedinRAM.Thepointatwhichthesechangesareactuallywrittentothehivefilesonthediskvaries
dependinguponanumberoffactors;thereforeitisdifficulttodetermineifanyofthechangesmadeto
theregistrybytheprofilesdiscussedinthisreportwouldactuallyaffectthedatastoredonthesuspects
harddrive.Forexample,iftheinvestigatorremovespowerfromthesuspectsmachine(bypullingthe
powercord)immediatelyafterrunningtheVolatileDataprofile,itispossiblethatnoneofthechanges
madetotheregistrywouldhaveactuallybeenstoredtothesuspectsdisk.
VolatileData:Anydatathatislostwhenpowerisremovedfromthesystem.
WindowsRandomNumberGenerator:Apseudorandomnumbergenerator(PRNG)thatusescollected
entropyfromaWindowsmachinetoestablishcryptographickeys.EachWindowsprocesshasitsown
copyofaWRNGinstance.EntropycollectedisusedtogenerateanRC4keythatisstoredinitsinternal
stateforrandomnumbergeneration.EachinstanceoftheWRNGuseseightRC4streams.Entropy
collectionoccurswhenanRC4streamisinitializedoritreachesthe16KBthreshold.Theentire3584
bytesofcollectedentropyarehashedtoproducean80bytedigestwhichisthenfedintoanRC4
algorithmasakey.Thekeyisusedtoencryptthecleartextcontainedinthe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seedregistrykey.Thiskey
containsthelatestseededvalueobtainedfromWindowsentropysourcesandisusedbyallinstancesof
theWRNGrunonthemachine.Theresultisanother80bytedigestthatisagainfedintoanRC4
51
algorithmthatisusedtoencrypta256byteentropysourcereadfromaWindowsdevicedriver.The
resultofthefinalencryptionisusedasakeyfortheRC4instancethatisusedintheWRNGinternal
state.(LeoDorrendorf,2007)
52

NW3C - Validation - COFEE v1.1.2 - Runner & NW3C Profiles PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NW3C - Validation - COFEE v1.1.2 - Runner & NW3C Profiles PDF

Uploaded by

Copyright:

Available Formats

COFEE v1.1.

2 Runner & NW3C Profiles

Written and Tested By:

Additional Testing By:

You might also like