Monday, January 13, 2025

Autopsy Hardening Guide: Part 2

This is part two of a two-part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure. See the Setting Up Multi-user Cluster documentation. It is recommended to read Part 1 along with this guide.

ActiveMQ

We are going to start from the Configuring Authentication section of Install and Configure ActiveMQ. Actually, we are going to throw that section out, because it stores passwords in plain text. Instead, I am going to show you how to set up encrypted passwords and change the password on the web console.

Broker Security using Simple Authentication Plugin (Encrypted Password)

Step 1: Add the following elements to conf/activemq.xml to set up the encryption method, the encryption key, and the properties file.

  <!-- Allows us to use encrypted system properties as variables in this configuration file -->
  <bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES" />
    <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
  </bean>

  <!-- The encryptor itself; it takes its key from the environment variable named above -->
  <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="environmentVariablesConfiguration" />
  </bean>

  <!-- Resolves ${...} placeholders from credentials-enc.properties, decrypting ENC(...) values -->
  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="configurationEncryptor" />
    <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
  </bean>

In the preceding snippet, notice that the propertyConfigurer bean uses the configurationEncryptor and points to credentials-enc.properties.

This file is used to pass the encrypted username and password to the ActiveMQ broker configuration. Entries in this file can be referenced from the ActiveMQ configuration file activemq.xml as ${key} placeholders.

We need to pass the secret key used to encrypt the passwords as an environment variable. We will do that in Step 5.

The next step is to encrypt the passwords.

Step 2: Before adding a password to the credentials-enc.properties file, we must encrypt it using the ActiveMQ encrypt command.

activemq.bat encrypt --password mysecretkey --input c0mp!ex@01

where --password is the secret used by the encryptor and --input is the password you want to encrypt.

After encrypting all the passwords, add them to the credentials-enc.properties file.

Step 3: Add the encrypted passwords to the credentials-enc.properties file.

activemq.username=system
activemq.password=ENC(sD3S95bFWIhMDmuKejdOl7Oea2LYkolwiPjzDtBY6Fc=)
guest.password=ENC(cNryOPepZzOgJnlcq/i+gBPgpte3Z5kIqXiwAK1yMfA=)
user.password=ENC(AbBRIYkG9/bibk6ojMeYwLgGk68fsMOAPLlAdu2CWNg=)
autopsy.password=ENC(V0Lwgh2SFXZlTSoFT4Y9pQWFYfle6T/RSUWNhN2ksQU=)

Here we have configured four usernames and their passwords:

  1. activemq.username and activemq.password for the default system account (this account is used by the web console to access the broker resources)
  2. guest.password is for the guest privileged account
  3. user.password is for the user privileged account
  4. autopsy.password is for the autopsy privileged account

Step 4: Add the following simple authentication plugin to activemq.xml right after the opening <broker> tag

  <plugins>
    <!-- Configure authentication; usernames, passwords and groups -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="system" password="${activemq.password}"
            groups="users,admins"/>
        <authenticationUser username="user" password="${user.password}"
            groups="users"/>
        <authenticationUser username="autopsy" password="${autopsy.password}"
            groups="users"/>
        <authenticationUser username="guest" password="${guest.password}"
            groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>
  </plugins>

Step 5: Run ActiveMQ using encrypted passwords

To run the ActiveMQ broker with the encrypted password configuration, follow these steps:

  1. Set the environment variable for encryption (the secret is the same value passed to --password in Step 2)

setx /m ACTIVEMQ_ENCRYPTION_PASSWORD <secret>

  2. Start the ActiveMQ service

  3. Remove the environment variable again (the broker needs it at start-up to decrypt the passwords, so it has to be set again before any later restart of the service)

REG delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /F /V ACTIVEMQ_ENCRYPTION_PASSWORD

Secure the console by encrypting the web-console username and password

By default, web console user credentials are stored in jetty-realm.properties.

It will have a clear text username and password as shown below:

# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user

Now we need to encrypt this password for better security. Here is how to do that.

  1. Download Jetty from https://www.eclipse.org/jetty/download.html

  2. Unzip/untar the downloaded package into the desired location on your server. You will end up with a directory like this:
    jetty-distribution-9.4.10.v20180503 (the version may differ)

  3. cd into that directory and run the encryption command:

java -cp lib/jetty-util-9.4.10.v20180503.jar org.eclipse.jetty.util.security.Password adminuser admin
2018-05-22 02:48:41.398:INFO::main: Logging initialized @179ms to org.eclipse.jetty.util.log.StdErrLog
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk

Here adminuser is the salt used to encrypt the password (not the actual username) and admin is the password.

The last line contains our encrypted password.

CRYPT:adpexzg3FUZAk

Now copy this password into jetty-realm.properties, replacing the clear-text password. Do the same for the user account.

# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: CRYPT:adpexzg3FUZAk, admin
user: user, user

Start or restart your ActiveMQ instance.
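As an added example (not part of this guide, and not ActiveMQ's own code), here is a small Python audit of the two files edited in this section: every authenticationUser in activemq.xml must reference a ${key} that resolves to an ENC(...) entry in credentials-enc.properties, and every jetty-realm.properties user must carry an OBF:, MD5: or CRYPT: value rather than a literal password. The sample files are constructed inline and the ENC ciphertext is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

ACTIVEMQ_NS = "http://activemq.apache.org/schema/core"

# Constructed sample of the Step 4 plugin block; the guest user is deliberately
# given a literal password so the audit has something to flag.
SAMPLE_ACTIVEMQ_XML = f"""<broker xmlns="{ACTIVEMQ_NS}">
  <plugins>
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="system" password="${{activemq.password}}" groups="users,admins"/>
        <authenticationUser username="autopsy" password="${{autopsy.password}}" groups="users"/>
        <authenticationUser username="guest" password="guest" groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>
  </plugins>
</broker>"""

# Constructed credentials-enc.properties: one ENC() value (placeholder
# ciphertext) and one value that was never run through "activemq encrypt".
SAMPLE_CREDENTIALS = """activemq.username=system
activemq.password=ENC(placeholder-ciphertext)
autopsy.password=still-plaintext
"""

# Constructed jetty-realm.properties in the state the guide leaves it in.
SAMPLE_JETTY_REALM = """# username: password [,rolename ...]
admin: CRYPT:adpexzg3FUZAk, admin
user: user, user
"""


def parse_properties(text):
    """Parse 'key=value' or 'key: value' lines; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def audit_activemq(xml_text, props_text):
    """Return (username, problem) pairs for every authenticationUser whose
    password is a literal, or whose ${key} does not resolve to an ENC(...) value."""
    props = parse_properties(props_text)
    findings = []
    for user in ET.fromstring(xml_text).iter(f"{{{ACTIVEMQ_NS}}}authenticationUser"):
        name = user.get("username")
        match = re.fullmatch(r"\$\{([^}]+)\}", user.get("password", ""))
        if not match:
            findings.append((name, "literal password in activemq.xml"))
            continue
        key = match.group(1)
        value = props.get(key)
        if value is None:
            findings.append((name, f"{key} missing from credentials-enc.properties"))
        elif not re.fullmatch(r"ENC\(.+\)", value):
            findings.append((name, f"{key} is stored in plaintext"))
    return findings


def audit_jetty_realm(realm_text):
    """Flag web-console users whose password field is not OBF:/MD5:/CRYPT: encoded."""
    findings = []
    for name, value in parse_properties(realm_text).items():
        password = value.split(",", 1)[0].strip()
        if not re.match(r"(OBF|MD5|CRYPT):", password):
            findings.append((name, "plaintext password in jetty-realm.properties"))
    return findings


if __name__ == "__main__":
    for finding in audit_activemq(SAMPLE_ACTIVEMQ_XML, SAMPLE_CREDENTIALS):
        print("activemq:", *finding)
    for finding in audit_jetty_realm(SAMPLE_JETTY_REALM):
        print("jetty:", *finding)
```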

Conclusion

In the second part, we secured ActiveMQ by encrypting the passwords so they are not in plain text. We also went further by encrypting and changing the password for the web-console. I hope you enjoyed these guides and they aid you in making your Autopsy Multi-user Cluster a little more secure.

Monday, January 6, 2025

Autopsy Hardening Guide: Part 1

PostgreSQL/Solr

This is part one of a two-part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure. See the Setting Up Multi-user Cluster documentation.

PostgreSQL

I am not going to dive into PostgreSQL, but I do want to point out that the configuration guide suggests restricting the allowed client subnets in pg_hba.conf:

# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records.  In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     all                                     scram-sha-256
#host    replication     all             127.0.0.1/32            scram-sha-256
#host    replication     all             ::1/128                 scram-sha-256
# Autopsy clients on the cluster subnet only:
host    all             all             10.10.192.0/24          scram-sha-256

Solr

There are a couple of things that can be done to make Solr more secure. In the Prerequisites section of Install and Configure Solr there is a link to a pre-packaged Autopsy version of Solr. The problem is that this package has the Log4J vulnerability, so we will need to update that first.

  1. Download the pre-packaged Autopsy version of Solr and unzip it into a directory of your choice.
  2. Do the same with the latest version, solr-8.11.4.
  3. Copy \bin\solr.in.cmd, \bin\nssm.exe, and the directory \server\solr from the pre-packaged Autopsy version into solr-8.11.4.

From here we can continue the setup until we get to Testing.

The Solr admin panel does not have a password. Basically, anyone can navigate to the panel in a web browser and access it. To fix this, we need to create a username and password. To do this, we are going to use the Online Solr password encryption tool. In the Solr password entry, enter the password that you want. You will notice that as you type, the credentials in the JSON example update.

We will create a file called security.json with the following contents. Copy the credentials line from the online tool and replace the credentials line in security.json. Notice I also changed the username from the default solr to solrautopsy; the user-role entry has to use the same name.

{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solrautopsy": "FK9YcX8lIJtMgBibl2OlHhIxG3pChPOdeNQCARn0zHo= c3hxODdydmQ0YmJtaHVuMw=="},
    "realm": "My Solr users",
    "forwardCredentials": false,
    "": {"v": 0}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "core-admin-read", "role": "admin"}],
    "user-role": {"solrautopsy": "admin"}
  }
}

Next we need to load the file into Solr with the following commands:

cd <Solr_path>\server\scripts\cloud-scripts
zkcli.bat -zkhost localhost:9983 -cmd putfile /security.json <path_to_security.json>

Restart the Solr service and continue on to Testing.
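An added example, not from this guide and not Solr's own code: Python that reproduces the credential format Solr's BasicAuthPlugin stores (base64 of sha256 applied twice over salt plus password, followed by the base64 salt), so the credentials line can be generated offline instead of typing the password into a web tool, plus a check that flags two things worth reviewing in a security.json like the one above: blockUnknown left at false, and a user-role mapping that does not match the renamed user. The password and salt values are constructed placeholders.

```python
import base64
import hashlib
import json
import os


def solr_hash(password, salt=None):
    """Solr BasicAuthPlugin credential: base64(sha256(sha256(salt + password))) base64(salt)."""
    if salt is None:
        salt = os.urandom(32)  # Solr generates a random 32-byte salt the same way
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    digest = hashlib.sha256(digest).digest()
    return f"{base64.b64encode(digest).decode()} {base64.b64encode(salt).decode()}"


def verify_credential(credential, password):
    """Recompute the hash from the stored salt and compare with the stored value."""
    _, salt_b64 = credential.split(" ")
    return solr_hash(password, base64.b64decode(salt_b64)) == credential


def build_security_json(user, password):
    """Hardened variant of the file above: unknown users blocked, role mapped to the same user."""
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {user: solr_hash(password)},
            "realm": "My Solr users",
            "forwardCredentials": False,
            "": {"v": 0},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "core-admin-read", "role": "admin"}],
            "user-role": {user: "admin"},
        },
    }


def check_security_json(doc):
    """Findings a reviewer would raise: blockUnknown off, or users and roles that do not line up."""
    findings = []
    auth = doc.get("authentication", {})
    authz = doc.get("authorization", {})
    if not auth.get("blockUnknown", False):
        findings.append("blockUnknown is false: requests without credentials are not rejected outright")
    users = set(auth.get("credentials", {}))
    roles = set(authz.get("user-role", {}))
    for user in sorted(users - roles):
        findings.append(f"user {user} has credentials but no role")
    for user in sorted(roles - users):
        findings.append(f"user-role entry {user} has no credentials")
    return findings


# Constructed copy of the guide's security.json shape: placeholder password,
# username renamed to solrautopsy but user-role still pointing at the default solr.
PAGE_STYLE_CONFIG = {
    "authentication": {
        "blockUnknown": False,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solrautopsy": solr_hash("placeholder-password")},
        "realm": "My Solr users",
        "forwardCredentials": False,
        "": {"v": 0},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "core-admin-read", "role": "admin"}],
        "user-role": {"solr": "admin"},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_security_json("solrautopsy", "placeholder-password"), indent=2))
    for finding in check_security_json(PAGE_STYLE_CONFIG):
        print("finding:", finding)
```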

Conclusion

In this first post, we updated the PostgreSQL configuration to only allow connections from certain subnets. We also removed the Log4J vulnerability and made Solr more secure by changing the admin panel username and adding a password. In the next post, we will look at ActiveMQ.

Friday, January 3, 2025

OneDrive Evolution Update

OneDrive Evolution has been updated to v24.235.1121.0001. OneDrive Evolution now holds data on 549 versions of OneDrive. You can find the latest information at OneDrive Evolution.

Thursday, January 2, 2025

DFIR_Toolbar

For this post I thought I'd do something fun. I've been toying around with an idea for a toolbar. The idea came from a BlueHat IL talk Ulf Frisk gave in 2019. I found it interesting how Ulf could queue up commands for his demo. Ulf was nice enough to give me a copy. The original toolbar was a .hta file. It suited his needs for the talk, but I wanted something more configurable and extendable.

I decided to make a toolbar in Python that can be pretty much anything you want it to be. The menus are created with a configuration file and commands can be added through plugins. The two plugins included at this time launch a browser and copy whatever text you choose. It acts as a true toolbar, taking space at the top of the screen and not allowing applications to go over the top of it or behind it.

Here is the list of websites included in the default config:
https://br0k3nlab.com/LoFP/
https://www.loldrivers.io/
https://gtfobins.github.io/
https://lolbas-project.github.io/
https://lots-project.com/
https://filesec.io/
https://malapi.io/
https://hijacklibs.net/
https://wadcoms.github.io/
https://www.loobins.io/
https://lolapps-project.github.io/
https://www.bootloaders.io/
https://cloud.google.com/blog/topics/threat-intelligence/bring-your-own-land-novel-red-teaming-technique/
https://lothardware.com.tr/
https://wtfbins.wtf/
https://lofl-project.github.io/
https://persistence-info.github.io/
https://github.com/WithSecureLabs/lolcerts
https://boostsecurityio.github.io/lotp/
https://lolbins-ctidriven.vercel.app/
https://lolesxi-project.github.io/LOLESXi/
https://lolrmm.io/
https://lolad-project.github.io/
https://beercow.github.io/LOLCloud-Project.github.io/index.html
https://attack.mitre.org/
https://d3fend.mitre.org/
https://github.com/rabobank-cdc/DeTTECT
https://atlas.mitre.org/matrices/ATLAS
https://unprotect.it/
https://github.com/MBCProject/mbc-markdown
https://github.com/palantir/alerting-detection-strategy-framework
https://mitre-attack.github.io/attack-navigator/
https://center-for-threat-informed-defense.github.io/attack-flow/ui/
https://www.vergiliusproject.com/
http://terminus.rewolf.pl/terminus/
https://any.run/
https://analyze.intezer.com/
https://iris-h.services/pages/dashboard#/pages/dashboard
https://tria.ge/
https://www.hybrid-analysis.com/
https://www.joesandbox.com/
https://app.threat.zone/scan
https://valkyrie.comodo.com/
https://www.filescan.io/scan
https://intelligence.gatewatcher.com/
https://labs.inquest.net/dfi
https://manalyzer.org/
https://threatpoint.checkpoint.com/ThreatPortal/emulation
https://www.virustotal.com/gui/home/upload
https://yomi.yoroi.company/upload
https://virus.exchange/
https://virusshare.com/
https://www.virussign.com/malware-scan/
https://malpedia.caad.fkie.fraunhofer.de/library
https://app.malcore.io/
https://hash.cymru.com/
https://crxaminer.tech/
https://lookyloo.circl.lu/capture
https://dfir.blog/unfurl/
https://urlquery.net/
https://urlscan.io/
https://sigconverter.io/
https://uncoder.io/
https://yarahq.github.io/
https://yaratoolkit.securitybreak.io/
https://start.me/p/7kj9X5/03-incident-response
https://start.me/p/ekq7Al/digital-forensics
https://start.me/p/BnmK5m/digital-forensics-incdident-respons
https://start.me/p/xbwgd0/sans-dfir-2022
https://start.me/p/AD57Rr/dfir-jedi
https://start.me/p/DPYPMz/the-ultimate-osint-collection
https://start.me/p/wMrA5z/cyber-threat-intelligence
https://start.me/p/jj0B26/dfir
https://start.me/p/OmxDbb/digital-forensics
https://start.me/p/q6mw4Q/forensics
https://start.me/p/wMmkPz/cyber-security
https://msportals.io/
https://cmd.ms
https://attackrulemap.netlify.app/
https://vulnerability.circl.lu
https://strontic.github.io/xcyclopedia/intro
https://www.kqlsearch.com/
https://gchq.github.io/CyberChef/
https://explainshell.com/
https://dogbolt.org/
https://dfiq.org/
https://iocparser.com/
https://wigle.net/

For the copy menu, I have included Andrew Rathbun's DFIRRegex.

Menus that you use the most can also be configured to tear away so they are always available. I would really love your thoughts and ideas to make this into something useful for all. Here is a quick demo of what the toolbar can currently do.

DFIR_Toolbar can be found here.

Wednesday, January 1, 2025

Happy New Year!

Was a little lazy today. Not a good way to start the year. But nonetheless, I’ve decided to take The Zeltser Challenge. I can only go up from here. Hopefully, I can come up with meaningful content for the rest of the year. Time will tell. See you tomorrow. 

Thursday, November 21, 2024

What Is Lyman

Lyman’s purpose is to aid in the creation of .cstruct files. These files help to parse OneDrive logs into their components which can lead to better log decryption. By focusing on the data rather than trying to learn how to construct these files, it becomes easier to extract data that otherwise might be missed or misinterpreted.

But what does that mean?

By the nature of the way ODL files are parsed, they don't always decrypt properly. This is because the parameters of the log are extracted using a regex looking for ASCII characters. The example below shows a parameter that is not being decrypted. This is due to the regex including an E at the end of the parameter when it should not be included.

How does Lyman help?

OneDriveExplorer has a lesser known feature that can aid in handling issues such as this through the use of cstruct "mapping" files. The downside to this is you need to know the ODL file structure, find what you're looking for and figure out how to write one of these files. This is where Lyman comes in. Let's walk through our log entry and get it to parse properly.

First thing we'll do is launch Lyman. You should see a screen like the one below.

Next we want to click ...

And select the log file we want to look at.

The next steps are used to find the log entry in question. As a note, the first match will populate, so it may not be the exact entry you were looking at. This involves selecting the Code_File, Function, and the Flags.

Then finally we can select search.

With any luck, there should be data populated in Lyman.

To begin, click the add button twice and set the dropdowns to int32 and char. In the entry boxes put size1 and data1[size1] and click the green check mark.

The parsed data will populate in the right pane.

We will continue this process until all the data is parsed.

Fill out the rest of the form then select File -> Export cstruct

This will create the cstruct file in the directory Lyman was run from. Copy this file into OneDriveExplorer's cstructs folder.

Now when we run OneDriveExplorer again, the log entry will decrypt properly.

Conclusion

This is where Lyman becomes invaluable. Lyman manages all these complexities, allowing users to focus on finding data rather than deciphering the intricacies of the log file format. By using Lyman, a more robust solution for parsing OneDrive logs can be developed, contributing back to the ODEFiles repository Beercow/ODEFiles (github.com).

Lyman can be downloaded from (github.com)

Thursday, September 5, 2024

Cracking OneDrive's Personal Vault

Sometimes in digital forensics there is a need to gain access to encrypted data sources. This can come in many forms including zip files, TrueCrypt/VeraCrypt, KeePass and BitLocker. OneDrive's Personal Vault is no exception. It is important to gain access to these encrypted containers because they can contain information that is important to our investigation.

What is Personal Vault?

According to Microsoft, "Personal Vault is a protected area in OneDrive where you can store your most important or sensitive files and photos without sacrificing the convenience of anywhere access." Personal Vault adds an extra layer of security by using Two-Factor Authentication (2FA). When accessed from the Windows client, Personal Vault is stored on the system in a BitLocker encrypted vhdx. It should be noted that Personal Vault is only available for OneDrive Personal.

Digging Deeper

What had caught my eye was that Microsoft is storing the data on a Windows device in a BitLocker encrypted vhdx. So where is this file located? The vhdx file is stored in a hidden folder at the root of the system drive. c:\OneDriveTemp\<SID>\<GUID>.vhdx

So now that we found the vhdx file, what can we do with it? We know it's protected by BitLocker so let's see what we can find out. The first thing I did was mount the vhdx and assign it a drive letter. This way, I could work with manage-bde to find out more information about the disk.

Now we can open up an administrative command prompt and start investigating the drive. The first command I used was manage-bde -status. This command provides information about BitLocker-capable volumes. This is the information for our Personal Vault.

Volume F: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    XTS-AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

Interesting! So, it appears the volume is protected by an external key. Let's take a closer look at this with the following command manage-bde -protectors -get f:. And our results look like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume F: [Label Unknown]
All Key Protectors

   External Key:
     ID: {08F750D7-0483-4F0E-847B-174119BD2896}
     External Key File Name:
       08F750D7-0483-4F0E-847B-174119BD2896.BEK

Let's see if we can get this external key.

manage-bde -protectors -get f: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: The operation cannot be performed because the volume is locked.

Seems we hit a road block. We cannot save the key because the volume is locked.

Looking at it from an Unlocked Perspective

The next thing we will try is to unassign the drive letter, dismount and unlock the Personal Vault with OneDrive.

So now the Personal Vault is unlocked. What's interesting is that there is not a drive letter associated with the Personal Vault. Inside our OneDrive folder, there is a Personal Vault.lnk file. When the vault is locked, double clicking it will run through the steps of unlocking the vault. After the vault is unlocked, double clicking it will bring us to the vault. We'll take a look at the lnk file to see how the vhdx is being referenced.

Here is the output from LECmd.

The lnk file is pointing to a Personal Vault folder in my OneDrive. When I ran a directory listing this folder was not present. This is because the folder is hidden. If we run dir again, looking for hidden files/folders, we can see that the folder is actually a junction.

Next thing we'll do is go to an administrative command prompt and assign the volume a letter so we can look at it with manage-bde again.

Let's run manage-bde -status and see what we have. Here is the information returned for our Personal Vault.

Volume E: [OneDrive Personal Vault]
[Data Volume]

    Size:                 1024.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

So far so good! Let's run manage-bde -protectors -get e: to list the protectors.

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

We see the same external key again. Let's see if we can save the key this time.

manage-bde -protectors -get e: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

    Saved to directory d:\Projects\PersonalVaultBEK

Success! The BEK file is created as a hidden file. We'll do a quick directory listing to confirm it is there.

Using The BEK File to Gain Access

Now we will test if the BEK file will unlock the Personal Vault vhdx. Again, we will mount the vhdx by double clicking on it and assigning a drive letter. If we double click the drive, we will be prompted to "Load key from USB drive".

We'll open a command prompt again and use manage-bde to unlock the drive with the key we saved.

And with that, the vault is unlocked and we can see the contents.

Conclusion

There is a way to get the encryption key for OneDrive's Personal Vault, but certain criteria need to be met. We have to have administrative access and the vault has to be unlocked. It may not be ideal, but it is the best method I have come up with so far. There is also a script you can download to automate the process of saving the key. That script can be found here.