I woke up this morning feeling like I had run a marathon. I was working on my third cup of coffee as I walked into class 15 minutes late. Thankfully I had not fallen behind. This was day 2 of a four day course. I woke up late, didn’t get a workout in and made it to class late. A great start.
Today we looked at several different aspects of the EnCase Enterprise product. First of was the snapshot ability. This affords the examiner to take, well, a snaphot of a system with processes (hidden ones too), applications and DLLs that are loaded for starters. Next we tackled application descriptors and machine profiles. Now the app descriptors provide the examiner a quick way to look for rogue proggies. One example would be if an employee had loaded netcat on a system and renamed it “innocent.exe”. You get the idea. The app descriptor matches the hash of the file to known good and bad if the examiner has loaded a hash library. Innocent no more. One example of this is the machine profiles. These are hashes of a known good install for the Windows family, some linux distros as well as Solaris. There are a few others that are available out of the box. Very cool stuff. Now the third topic that we tackled today was the process analysis and remediation aspects of the product.This allows you to piece apart everything you ever wanted to know about a process. A search of the registry can be run looking for autoruns for example. This is great for a simple reason. This permits an investigator to bastion against the favourite refrain “it must have been a trojan”. This allows for a search to refute such an arguement, or substaniate it. As well, the remediation portion allows corporations to remove applications or stop processes. Making this product viable for a virus response an the like. The remediation portion of the product is not available for police or government agencies for obvious reasons.
Now, while I was killing time at lunch I came to a realization. I run several applications from my USB drive. I have a a full office suite to go, basically. So, while I was running firefox and surfing the news one of the instructors came in and showed us an app called GDrive. The interesting part was that this app gives a user the ability to treat their gmail account as a hard drive. There was little in the way of artifacts left behind. Then I realized that I had a plugin for my portable firefox called gSpace. This does essentially the same thing as GDrive. There is a twist. There are no artifacts left behind. I ran EnCase against the system that I was using. No trace. Now portable firefox on the other hand leaves a trail a mile wide. It wrote to the $MFT pagefile.sys and had pointers to it in C:\WINDOWS\PREFETCH. Now from a corporate security perspective this is rather scary. A nefarious type could come into the office with a USB drive preloaded with firefox and the gSpace plugin. Next thing you know the corporate secrets are flying out the door. When finished the ne’er do well could simply flush the USB drive in the restroom. The only trace being that there had been an instance of portable firefox.