Hey guys,
I'm working on a case where I made a disk image of a computer encrypted with Symantec Desktop Encryption. Now, I can boot the disk image in a VM, and using the user password I'm able to unlock the disk and get a Windows session (without admin privileges).
The problem is, I'm unable to perform an image of the logical unencrypted partition because I have no means to get admin privileges (we don't have the admin password), and I also can't find a tool to unlock the partition for file browsing or anything else. I don't want to exploit the OS for privilege escalation, and the decryption process using Symantec Desktop Encryption is slow AF (90+ hours for 1TB).
Any advice on a way to unlock the disk for a logical image of the unencrypted partition?
BitLocker is way easier to work with ahaha.
(sorry for the bad English)
↧
General Discussion: Mount PGP Encrypted disk image (SymantecDesktopEncryption)?
↧
General Discussion: Help!! Network forensics: WireShark: detecting an intrusion
Look for ARP and MAC flooding in the network, as they are common in intrusions.
Loads of ICMP packets are also common in recon of a private network through ping scans.
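As an added illustration of the two indicators named above (this is not code from the original post), the following runs three simple checks over a constructed packet list: echo requests from one source to many distinct hosts within a short window (ping sweep), one IP address claimed by several MACs (ARP spoofing), and an abnormal count of ARP frames from one station (MAC flooding). All addresses, MACs and thresholds are made-up sample values.

```python
from collections import Counter, defaultdict

# Constructed sample traffic (not from the original post): (time_s, proto, src_ip, dst_ip, detail)
# detail is the ICMP type for "icmp" rows and the claimed sender MAC for "arp" rows.
PACKETS = (
    # one station pinging 12 consecutive addresses in about a second: ping sweep
    [(0.1 * i, "icmp", "10.0.0.5", f"10.0.0.{i}", 8) for i in range(10, 22)]
    # ordinary echo request and its reply: must not be flagged
    + [(3.0, "icmp", "10.0.0.7", "10.0.0.1", 8), (3.01, "icmp", "10.0.0.1", "10.0.0.7", 0)]
    # the gateway's IP announced by two different MACs: classic ARP spoofing sign
    + [(4.0, "arp", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "aa:aa:aa:aa:aa:01"),
       (4.5, "arp", "10.0.0.1", "10.0.0.7", "de:ad:be:ef:00:01")]
    # 60 ARP frames in one second from one IP, each with a fresh MAC: MAC flooding
    + [(5.0 + i / 60, "arp", "10.0.0.9", "ff:ff:ff:ff:ff:ff", f"00:11:22:33:44:{i:02x}") for i in range(60)]
)

def icmp_sweep_sources(packets, window=5.0, min_hosts=10):
    """Sources that send echo requests (type 8) to at least min_hosts distinct hosts inside one window."""
    by_src = defaultdict(list)
    for t, proto, src, dst, detail in packets:
        if proto == "icmp" and detail == 8:
            by_src[src].append((t, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:                      # slide the window over each start time
            hosts = {d for t, d in events if t0 <= t < t0 + window}
            if len(hosts) >= min_hosts:
                flagged[src] = len(hosts)
                break
    return flagged

def arp_anomalies(packets, flood_threshold=50):
    """Two ARP checks: one IP claimed by several MACs (spoofing) and one source emitting
    an abnormal number of ARP frames (flooding). Returns (conflicts, floods)."""
    macs_for_ip = defaultdict(set)
    frames_per_src = Counter()
    for _, proto, src, _, detail in packets:
        if proto == "arp":
            macs_for_ip[src].add(detail)
            frames_per_src[src] += 1
    conflicts = {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}
    floods = {ip: n for ip, n in frames_per_src.items() if n >= flood_threshold}
    return conflicts, floods

if __name__ == "__main__":
    print("ping sweeps:", icmp_sweep_sources(PACKETS))
    print("ARP conflicts / floods:", arp_anomalies(PACKETS))
```

The same tuples can be produced from a real capture with tshark field output, after which the thresholds should be tuned to the baseline of the network in question.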
↧
Mobile Phone Forensics: Cellebrite PA supports Remote Desktop Access
What is the “Coronavirus” you speak of? Beer malware?
↧
General Discussion: Coronavirus and working
Hi all, how is everyone coping?
I just wanted to get some thoughts on how everyone is working in the 'lock down' in the UK. As we deal with IIOC we cannot work from home, so we are currently having to travel into the office.
What are others doing in similar situations?
↧
General Discussion: Mount PGP Encrypted disk image (SymantecDesktopEncryption)?
Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?
jaclaz
↧
Mobile Phone Forensics: Ufed 4PC not reading iPhone data
What version of UFED ?
↧
General Discussion: Split large PST items in smaller parts.
As we all know, there are many solutions available to divide PST items when you are searching for an Outlook PST Splitter tool to split large PST items into smaller parts, from 2GB to 30GB. It is fully capable of dividing the entire data items of PST files by year, date, size and folder option. You can also split PST items by date and time range.
Highlighting features of Outlook PST Splitter tool:
• Split PST items by date, year, size and folder.
• Split large PST items by message filter options: From, To, Cc, Bcc and Subject.
• Supports all Windows and Outlook versions.
Read more: https://www.kdetools.com/pst-splitter/
↧
General Discussion: Mount PGP Encrypted disk image (SymantecDesktopEncryption)?
jaclaz wrote:
Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?
jaclaz
I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it autologons that user into Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I have never worked on that scenario before.
↧
Mobile Phone Forensics: Cellebrite PA supports Remote Desktop Access
Good morning ErminM,
Sounds like RDP is what you've decided to use to get some work done. I've linked to a good blog post written by our own
Ghennadii Konev about working remotely that is posted on the MSAB website (See below).
I see that Mike from MSAB has already offered, but feel free to reach out if you'd like to receive a demo license of XRY and XAMN. Its supports RDP at no additional charge.
Cool thing is - we can set it up... remotely!
Stay Safe.
Here is the blog post: https://www.msab.com/2020/03/20/staying-productive-during-the-covid-19-crisis/
Greg Masterson
Technical Sales Engineer
MSAB
Email: greg.masterson@msab.com
Twitter: MSAB_Greg
↧
General Discussion: Linux Malware Analysis
How do you know the system is compromised with malware? You must have been provided some information to work from. I'd acquire the memory, check for anomalies, look for suspicious modules and hidden modules, dump them and analyse them, check for any suspicious hooking, whether there are other rootkits active, etc. Then you have the obvious: check running processes and, if you find something that jumps out, work backwards and dig deeper into associated artefacts. There's a lot that can be done with memory and I'd be looking there first.
↧
General Discussion: Mount PGP Encrypted disk image (SymantecDesktopEncryption)?
doublezero wrote:
I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it autologons that user into Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I have never worked on that scenario before.
So (if I get it right now) the machine/install has:
1) a user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that is disabled
3) ANOTHER admin user, active but for which you DO NOT know the password.
What I would suggest you try is to bypass the password.
If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish versions have been published.
But Kon-Boot (commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image):
https://www.piotrbania.com/all/kon-boot/
Please understand that the idea is to bypass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.
jaclaz
↧
General Discussion: Forensic Images Sharing
chienchat wrote:
To this end, I would like to ask all the fellow practitioners if you have any other thoughts on keeping the business running.
Many thanks.
I have a solution for you :)
Amazon AWS has an SFTP server available. We have been using this service for quite a long time for our customers in the US. Europe is a bit different (mandatory GDPR and a different mindset with regards to data privacy); there we have SFTP servers in our own data center.
Your customers can upload (password protected) images to AWS and you fetch them from there and analyse them at home.
https://aws.amazon.com/sftp/
regards, Robin
↧
General Discussion: Forensic Images Sharing
Bunnysniper wrote:
chienchat wrote:
To this end, I would like to ask all the fellow practitioners if you have any other thoughts on keeping the business running.
Many thanks.
I have a solution for you :)
Amazon AWS has an SFTP server available. We have been using this service for quite a long time for our customers in the US. Europe is a bit different (mandatory GDPR and a different mindset with regards to data privacy); there we have SFTP servers in our own data center.
Your customers can upload (password protected) images to AWS and you fetch them from there and analyse them at home.
https://aws.amazon.com/sftp/
regards, Robin
Thank you very much for the information, Robin!
I will definitely have a look at the AWS service and propose it to our management.
Take care!
YAN
↧
General Discussion: Mount PGP Encrypted disk image (SymantecDesktopEncryption)?
jaclaz wrote:
doublezero wrote:
I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it autologons that user into Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I have never worked on that scenario before.
So (if I get it right now) the machine/install has:
1) a user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that is disabled
3) ANOTHER admin user, active but for which you DO NOT know the password.
What I would suggest you try is to bypass the password.
If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish versions have been published.
But Kon-Boot (commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image):
https://www.piotrbania.com/all/kon-boot/
Please understand that the idea is to bypass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.
jaclaz
Thank you jaclaz! Unfortunately, Kon-Boot won't work with disk encryption.
I have one copy of the disk being decrypted. 2 days, 25% done, and with decryption speed decreasing. I'm fucked ahaha
↧
Mobile Phone Forensics: Ufed 4PC not reading iPhone data
Just in case (long shot mode) have you tried different USB ports?
I've inexplicably found that occasionally a port on a machine (even a new one) will "sort of" work but very quickly present problems and basically stop working (to the extent of, for example, plugging in a USB stick, copying files, but then it quickly grinding to a halt and becoming unresponsive). Even with the correct/up-to-date drivers etc.
Might be worth a quick double-check that the same thing doesn't happen on the rear ports (if using the front ones) or vice versa (or on different controller blocks on the back). Can't hurt to double-check with a different Lightning cable too, just in case.
↧
General Discussion: Assignment
jaclaz wrote:
I wonder :confused: why exactly this:
Nab11 wrote:
You will not be given guidance on the functionality of the tool – this is for you to research. An ability to research unknown software is a key skill to develop as a forensic analyst.
is part of the instructions for the assignment.
jaclaz
is part of the instructions for the assignment. :razz:
↧
General Discussion: Assignment
Alright
Thank You so much for your time and advice
I will revert to you if ever I'm in difficulty
Thank You
↧
General Discussion: Hidden files on USB Drive... how?
From what I have seen, the " .device_info_*** " files appear from devices that have been connected to Samsung Smart TV.
↧
General Discussion: Hidden files on USB Drive... how?
jaclaz wrote:
Which filesystem is the volume?
jaclaz
exFAT
↧
General Discussion: Hidden files on USB Drive... how?
@Rich2005
JFYI :
https://www.jitbit.com/alexblog/198-chinese-magical-hard-drive/
@Suai
How (exactly) are you seeing these files in FTK?
I mean, does it just find the file, or does it find the file with the corresponding filesystem file metadata (name/path/dates)?
Do the files appear "directly" inside the "support" directory or do they appear inside a (possibly unnamed) subdirectory?
Mind you, pure theory.
Let's say that, to simplify, you have a device 11 sectors in real size that "wraps around" the last 10 sectors, for a total (fake) capacity of 41 sectors, i.e. where:
Sectors 0-10 = sectors 0-10
Sectors 11-20 = sectors 1-10
Sectors 21-30 = sectors 1-10
Sectors 31-40 = sectors 1-10
Now, if you write files to it (for the sake of the example let's say that all files are 1 sector in size or less) what happens?
File 1 goes to sector 1
File 2 goes to sector 2
...
File 10 goes to sector 10
File 11 goes to sector 1 (thus overwriting the actual file contents BUT leaving the File 1 entry in the filesystem)
File 12 goes to sector 2 (thus overwriting the actual file contents BUT leaving the File 2 entry in the filesystem)
Now, what happens if you delete the entry for File 1? (you delete the file from the OS)
Sector 1 seems free, but it actually contains File 11 (and File 11 is still indexed in the FAT), and when you delete File 11 both sectors 1 and 11 seem free but sector 1 still contains File 1. (this is the case Rich2005 suggested, deleted files).
But it has to be seen how the device is exposed to Windows Explorer; it may well be that Windows Explorer cannot see the file even if it is there, due to this (or that) little trick.
JFYI, here is a similar discussion (but for FAT32):
https://www.forensicfocus.com/Forums/viewtopic/t=16785/
And this happens for files, how would the same thing behave for directories?
Directories in exFAT are rather complex, and there is a bitmap allocation:
http://www.ntfs.com/exfat-directory-structure.htm#generic-directory-entry-temp
https://www.researchgate.net/publication/324744750_Forensic_Analysis_of_the_exFAT_artefacts
It is entirely possible that a minor change in (say) a "benign Primary entry" is enough to:
1) have the data not visible in the "normal" OS/Explorer
2) have it visible in FTK
3) throw a fit in Linux (as a side note, more often than not Linux programs related to MS formats (which are largely mis- or under-documented) are "more realist than the king")
jaclaz
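To make the wrap-around theory above concrete, here is an added toy model (not code from the post or from any real device): an 11-sector chip advertised as 41 sectors, a one-file-per-sector directory, and the 12 writes followed by the deletion of File 1 exactly as described. The sector mapping and the file contents are constructed for the illustration; `collisions()` is the check an examiner would want, listing directory entries whose data landed on the same physical sector.

```python
REAL_SECTORS = 11   # the chip really holds sectors 0..10
FAKE_SECTORS = 41   # but the controller advertises sectors 0..40

def physical_sector(logical):
    """Map an advertised sector onto the one the data really lands in (constructed mapping).
    Sector 0 is unique; logical 11-20, 21-30 and 31-40 each wrap back onto physical 1-10."""
    if logical < REAL_SECTORS:
        return logical
    return (logical - 1) % (REAL_SECTORS - 1) + 1

class WraparoundDevice:
    """Toy device plus a minimal one-file-per-sector filesystem, for illustration only."""
    def __init__(self):
        self.media = [None] * REAL_SECTORS   # what is physically stored
        self.directory = {}                  # filesystem entries: name -> logical sector
        self.next_free = 1                   # sector 0 reserved for filesystem metadata

    def write(self, name, data):
        logical, self.next_free = self.next_free, self.next_free + 1
        self.directory[name] = logical                 # entry points at the advertised sector...
        self.media[physical_sector(logical)] = data    # ...but the data lands on the wrapped one

    def read(self, name):
        return self.media[physical_sector(self.directory[name])]

    def delete(self, name):
        del self.directory[name]             # only the entry goes; the sector content is untouched

    def collisions(self):
        """Entries that share a physical sector, i.e. files silently overwriting each other."""
        shared = {}
        for name, logical in self.directory.items():
            shared.setdefault(physical_sector(logical), []).append(name)
        return {p: sorted(names) for p, names in shared.items() if len(names) > 1}

def demo():
    """Write 12 one-sector files as in the post, inspect, then delete File 1 and inspect again."""
    dev = WraparoundDevice()
    for i in range(1, 13):
        dev.write(f"File {i}", f"contents of file {i}")
    result = {
        "damaged": sorted(n for n in dev.directory if dev.read(n) != f"contents of {n.lower()}"),
        "file1_reads_as": dev.read("File 1"),          # File 1's entry now returns File 11's data
        "collisions": dev.collisions(),
    }
    dev.delete("File 1")                               # the user deletes File 1 from the OS
    result["sector1_after_delete"] = dev.media[1]      # physical sector 1 still holds File 11's data
    result["file11_still_indexed"] = "File 11" in dev.directory
    return result
```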
↧