MALoney (It's in the name)

Monday, January 6, 2025

Autopsy Hardening Guide: Part 1

PostgreSQL/Solr

This is part one of a two part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure. Setting Up Multi-user Cluster documentation.

PostgreSQL

I am not going to dive into PosgreSQL but I do want to point out that the configuration guide does suggest setting your subnet mask rules in pg_hba.conf


# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records.  In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.



# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     all                                     scram-sha-256
#host    replication     all             127.0.0.1/32            scram-sha-256
#host    replication     all             ::1/128                 scram-sha-256
host	all		all		10.10.192.0/24		scram-sha-256

Solr

There are a couple of things that can be done to make Solr more secure. In the Prerequisites section in Install and Configure Solr there is a link to a pre-packaged Autopsy version of Solr. The problem is, this package has the Log4J vulnerability. We will need to update that first.

Download the pre-packaged Autopsy version of Solr and unzip into a directory of you choice.
Do the same with the latest version of solr-8.11.4.
Copy \bin\solr.in.cmd, \bin\nssm.exe, and the directory \server\solr from the pre-packaged Autopsy version to solr-8.11.4.

From here we can continue the setup until we get to Testing.

The Solr admin panel does not have a password. Basiclly, anyone can navigate to the the panel in a web browser and access it. To fix this, we need to create a username and password. To do this, we are going to use the Online Solr password encryption tool. In the Solr password entry, enter in the password that you want. You will notice when you type, the credentials in the the JSON example update.

We will create a file called security.json with the following contents. Copy the credentials line from the online tool and replace the credentials line in security.json. Notice I also changed the user name from the default solr to solrautopsy.

{
"authentication":{ 
   "blockUnknown": false, 
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solrautopsy":"FK9YcX8lIJtMgBibl2OlHhIxG3pChPOdeNQCARn0zHo= c3hxODdydmQ0YmJtaHVuMw=="}, 
   "realm":"My Solr users", 
   "forwardCredentials": false
   "":{"v":0}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"core-admin-read",
      "role":"admin"}], 
   "user-role":{"solr":"admin"} 
}}

Next we need to update Solr with the following command:

cd <Solr_path>\server\scripts\cloud-scripts
zkcli.bat -zkhost localhost:9983 -cmd putfile /security.json <path_to_security.json>

Restart the Solr service and continue on to Testing

Conclusion

In the first post, we updated postgreSQL configuration to only allow connections from certain subnets. We also removed the Log4J vulnerability and made Solr more secure by changing the admin panel username and adding a password. In the next post, we will look at ActiveMQ.

Friday, January 3, 2025

OneDrive Evolution Update

OneDrive Evolution has been updated to v24.235.1121.0001. OneDrive Evolution now holds data on 549 version of OneDrive. You can find the lates information at OneDrive Evolution.

Thursday, January 2, 2025

DFIR_Toolbar

For this post I thought I'd do something fun. I've been toying around with an idea for a toolbar. The idea came from a BlueHat IL talk Ulf Frisk gave in 2019. I found it interesting how Ulf could queue up commands for his demo. Ulf was nice enough to give me a copy. The original toolbar was a .hta file. I suited his needs for the talk but I wanted something more configurable and extendable.

I decided to make a toolbar in python that can be pretty much anything you want it to be. The menus are created with a configuration file and commands can be added through plugins. The two plugings included at this time are to launch a browser and copy what ever text you choose. It acts as a true toolbar, taking space at the top of the screen and not allowing applications to go over the top of it or behind.

For the copy menu, I have included Andrew Rathbun's DFIRRegex

Menus that you use the most can also be configured to tear away so they are always available. I would really love your thoughts and ideas to make this into something useful for all. Here is a quick demo of what the toolbar can currently do.

DFIR_Toolbar can be found here.

Wednesday, January 1, 2025

Happy New Year!

Was a little lazy today. Not a good way to start the year. But nonetheless, I’ve decided to take The Zeltser Challenge. I can only go up from here. Hopefully, I can come up with meaningful content for the rest of the year. Time will tell. See you tomorrow.

Thursday, November 21, 2024

What Is Lyman

Lyman’s purpose is to aid in the creation of .cstruct files. These files help to parse OneDrive logs into their components which can lead to better log decryption. By focusing on the data rather than trying to learn how to construct these files, it becomes easier to extract data that otherwise might be missed or misinterpreted.

But what does that mean?

By the nature of the way ODL files are parsed, they don't always decrypt properly. This is because the parameters of the log are extracted using a regex looking for ascii charaters. The example below shows a parameter that is not being decrypted. This is due to the regex incluiding a E at the end of the parameter when it should not be included.

How does Lyman help?

OneDriveExplorer has a lesser known feature that can aid in handling issues such as this through the use of cstruct "mapping" files. The downside to this is you need to know the ODL file structure, find what you're looking for and figure out how to write one of these files. This is where Lyman comes in. Let's walk through our log entry and get it to parse properly.

First thing we'll do is launch Lyman. You should see a screen like the one below.

Next we want to click ...

And select the log file we want to look at.

The next steps are used to find the log entry in question. As a not, the first match will populate so it may notbee the same exact entry you were looking at. This involves selecting the Code_File, Function, and the Flags.

Then finally we can select search.

With any luck, there should be data populated in Lyman.

To begin, click the add button twice and set the dropdowns to int32 and char. In the entry boxes put size1 and data1[size1] and click the green check mark.

The parsed data will populate in the right pane.

We will continue this process until all the data is parsed.

Fill out the rest of the form then select File -> Export cstruct

This will create the cstruct file in the directory Lyman was ran from. Copy this file into OneDriveExplorer’s cstructs folder.

Now when we run OneDriveExplorer again, the log entry will decrypt properly.

Conclusion

This is where Lyman becomes invaluable. Lyman manages all these complexities, allowing users to focus on finding data rather than deciphering the intricacies of the log file format. By using Lyman, a more robust solution for parsing OneDrive logs can be developed, contributing back to the ODEFiles repository Beercow/ODEFiles (github.com).

Lyman can be downloaded from (github.com)

Thursday, September 5, 2024

Cracking OneDrive's Personal Vault

Sometimes in digital forensics there is a need to gain access to encrypted data sources. This can come in many forms including zip files, TrueCrypt/VeraCrypt, KeePass and BitLocker. OneDrive's Personal Vault is no exception. It is important to gain access to these encrypted containers because they can contain information that is important to our investigation.

What is Personal Vault?

According to Microsoft, "Personal Vault is a protected area in OneDrive where you can store your most important or sensitive files and photos without sacrificing the convenience of anywhere access." Personal Vault adds an extra layer of security by using Two-Factor Authentication (2FA). When accessed form the Windows client, Personal Vault is stored on the system in a BitLocker encrypted vhdx. It should be noted that Personal Vault is only available for OneDrive Personal.

Digging Deeper

What had caught my eye was that Microsoft is storing the data on a Windows device in a BitLocker encrypted vhdx. So where is this file located? The vhdx file is stored in a hidden folder at the root of the system drive. c:\OneDriveTemp\<SID>\<GUID>.vhdx

So now that we found the vhdx file, what can we do with it? We know it's protected by BitLocker so let's see what we can find out. The first thing I did was mount the vhdx and assign it a drive letter. This way, I could work with manage-bde to find out more information about the disk.

Now we can open up an administrative command prompt and start investigating the drive. The first command I used was manage-bde -status. This command provides information about BitLocker-capable volumes. This is the information for our Personal Vault.

Volume F: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    XTS-AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

Interesting! So, it appears the volume is protected by an external key. Let's take a closer look at this with the following command manage-bde -protectors -get f:. And our results look like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume F: [Label Unknown]
All Key Protectors

   External Key:
     ID: {08F750D7-0483-4F0E-847B-174119BD2896}
     External Key File Name:
       08F750D7-0483-4F0E-847B-174119BD2896.BEK

Let's see if we can get this external key.

manage-bde -protectors -get f: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: The operation cannot be performed because the volume is locked.

Seems we hit a road block. We cannot save the key because the volume is locked.

Looking at it from an Unlocked Perspective

The next thing we will try is to unassign the drive letter, dismount and unlock the Personal Vault with OneDrive.

So now the Personal Vault is unlocked. What's interesting is that there is not a drive letter associated with the Personal Vault. Inside our OneDrive folder, there is a Personal Vault.lnk file. When the vault is locked, double clicking it will run through the steps of unlocking the vault. After the vault is unlocked, double clicking it will bring us to the vault. We'll take a look at the lnk file to see how the vhdx is being referenced.

Here is the output from LECmd.

The lnk file is pointing to a Personal Vault folder in my OneDrive. When I ran a directory listing this folder was not present. This is because the folder is hidden. If we run dir again, looking for hidden files/folders, we can see that the folder is actually a junction.

Next thing we'll do is go to an administrative command prompt and assign the volume a letter so we can look at it with manage-bde again.

Let's run manage-bde -status and see what we have. And here is the information returned for our Persona Vault.

Volume E: [OneDrive Personal Vault]
[Data Volume]

    Size:                 1024.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

So far so good! Let's run manage-bde -protectors -get e: to list the protectors.

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

We see the same external key again. Let's see if we can save the key this time.

manage-bde -protectors -get e: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

    Saved to directory d:\Projects\PersonalVaultBEK

Success! The BEK file is created as a hidden file. We'll do a quick directory listing to confirm it is there.

Using The BEK File to Gain Access

Now we will test if the BEK file will unlock the Personal Vault vhdx. Again, we will mount the vhdx by double clicking on it and assigning a drive letter. If we double click the drive, we will be prompted to "Load key from USB drive".

We'll open a command prompt again and use manage-bde to unlock the drive with the key we save.

And with that, the vault is unlocked and we can see the contents.

Conclusion

There is a way to get the encryption key for OneDrive's Persona Vault but certain criterial needs to be met. We have to have administrative access and the vault has to be unlocked. It may not be ideal but it is the best method I have come up with so far. There is also a script you can download to automate the process of saving the key. That script can be found here.

Friday, March 22, 2024

OneDriveExplorer v2024.03.22 released

This version of OneDriveExplorer (ODE) is a major update with quite a few GUI improvements and data processing. The first thing you will notice is ODE now has a breadcrumb viewer for another navigation option. You can now double click the folders in the center pane to open that folder.

The CStructs pane has also been cleaned up for a more consistent look between themes.

Along with GUI updates, there are new data sources that have been added to bring more relevant information to your investigations.

od_GraphMetadata_Records

ODE now includes data from the od_GraphMetadata_Records table. The od_GraphMetadata_Records table resides in the SyncEngineDatabase.db. One of the features of this table is that it stores information on who created and who modified the file last.

od_GraphMetadata_Records also can have information on video/image files such as audio format, bit rate, height and width.

If file policies are applied, ODE can populate them from the od_GraphMetadata_Records table.

od_HydrationData

The od_HydrationData table was added to SyncEngineDatabase.db sinse version 21 of the schema. It records the first time a file is downloaded (hydrated) from the cloud to the device. I preformed some test to see what would cause this table to populate. The following was observed.

First time file is hydrated (opened) if the status is Available when online.

Does not get removed from the table when Free up space is performed.
Always keep on this device does not populate the table.

If status is Always keep on this divice, opening does not populate the table.

The hydration time can be found in the Details pane.

filter_delete_info

The filter_delete_info table resides in the SafeDelete.db. Not entirely sure what causes this table to populate but it appears to be when an application is responsible for deleting files rather than the user just deleting them. One thing to note is the table contains what process was responsible for deleting the file. This information can be found in the Deleted items in ODE.

Another thing that was add, when adding the system recycle bin, ODE combines data points together to eliminate double entries and also indicates which files are still available on the system.

Personal Vault log decryption

Added to ODE is the ability to decode personal vault logs. This gives us more insight on what is happening with the files inside the vault. One thing to note, if the vault is open, ODE can see the files inside. As an example, here is what data we get from the logs without decrypting the personal vault logs. ODE was able to correlate 188 logs to the user's personal vault.

In order to decrypt the vault logs, we need to issue the following command.

OneDrive. exe /outputkeystorevault

What this command does is outputs the vault key to the EncryptionKeyStoreCopy folder.

With the vault.keystore file, ODE can decrypt any of the logs that pertain to the personal vault. ODE now displays 203 correlated logs for the personal vault.

The latest version of OneDriveExplorer can be found here.

Pages

Monday, January 6, 2025

Autopsy Hardening Guide: Part 1

PostgreSQL/Solr

PostgreSQL

Solr

Conclusion

Friday, January 3, 2025

OneDrive Evolution Update

Thursday, January 2, 2025

DFIR_Toolbar

Wednesday, January 1, 2025

Happy New Year!

Thursday, November 21, 2024

What Is Lyman

But what does that mean?

How does Lyman help?

Conclusion

Thursday, September 5, 2024

Cracking OneDrive's Personal Vault

What is Personal Vault?

Digging Deeper

Looking at it from an Unlocked Perspective

Using The BEK File to Gain Access

Conclusion

Friday, March 22, 2024

OneDriveExplorer v2024.03.22 released

od_GraphMetadata_Records

od_HydrationData

filter_delete_info

Personal Vault log decryption