This year's Holiday Hack Challenge was just as invigorating and challenging event as usual. Santa and the Elves decided that due to all the cyber shenanigans which have occurred over the years that holding a hacking conference would be a great way to keep everyone safe. The name of this conference is KringleCon and it involved an entire virtual world, complete with a virtual character who can move around and interact with CranberryPi terminals, as well as ventilation shafts, kiosks and door code panels (Figure 1). This challenge was tough as it required knowledge of a vast spectrum of knowledge in computer administration, web services, code cracking, and web servers. Additionally, skills in programming and debugging in languages such as JavaScript, PowerShell, Python, shell scripting, and data analysis. While I have decent amount of knowledge with many of these skills, I wasn't going to be able to complete the challenge in time to submit a report to the Counter Hack team by January 14, 2019 due to a later start than last year. So I recruited a good friend of mine whom I've worked with in the past, who is probably one of the most skilled computer experts and programmers I know. My friend and I worked over the last few days to finish the last four challenges/objectives to submit a report before the deadline. The result is approximately 81 pages (a few typos and errors but nothing serious) for our report describing how to finish the 2018 SANS Holiday Hack Challenge. Below is our report embedded for review. Overall, I found the competition very different from the 2017 version and as it was more of an open-world one the flow of the contest was a bit confusing until I spent a good chunk of time (about an hour) of really exploring and understanding the world, and how we could really navigate around and interact in any order a competitor chooses. This proved to be a really fantastic choice by the Counter Hack team, and upon completing the competition with a solid tying together, I'm pleased to say this was an even better experience than last year. I'm continuously humbled by the organization, skills, and efforts of Ed Skoudis and his team. As usual it was a fun experience and the team did a phenomenal job. I'd like to extend a personal acknowledgement to Jevan Gray for his ability to quickly understand and dissect code and assemble solutions. I doubt I could have accomplished this before the deadline without his knowledge and expertise. Thank you again Jevan!
0 Comments
In 2008 Flo Rida had a song "Low" featuring T-Pain with a line "Boots with da fur" which my family loved belting out whenever we heard this song on the radio. This blog article has nothing to do with getting your club on. Rather, DFIR (Digital Forensics and Incident Response) pronounced Dee-FUR just reminded me of it. DFIR has a significant place in competitions for cybersecurity. Many of the California and National competitions are composed of a large portion of digital forensics, so having the right tools for the job makes all the difference. Some bright students I've been mentoring have asked, "What OS do you recommend for DFIR?" My default response is typically Kali Linux, but I wanted to take a deeper look into SANS' SIFT workstation.
If you found yourself accidentally, or intentionally, reading my earlier blog postings, you'll note that many of these high school and middle school competitions require that the competitors use Open Source and freely available software. This was another reason why this was a great opportunity to revisit and try out SANS' SIFT Workstation. This Ubuntu distribution based on Debian Linux was developed, and is maintained, by a formidable training group, SANS,' very own Rob T Lee. It features automatic updates, and a plethora of free and often updated tools one can use for Digital Forensics and Incident Response. Learning to use these tools is for other blog postings, this blog discusses getting the most recent version of a great DFIR tool installed and working on this OS build. There are a lot of DFIR tools and Operating Systems available for use A small sampling of them includes Linux
Get your SIFTv3 workstation image/installation and update/upgrade it I'll assume you're familiar with obtaining a virtual image of SIFT and getting it installed. I'll use VirtualBox for my blog, as it's free and feature-rich. You can download a pre-configured SIFT workstation as a Virtual Machine in OVA format at https://digital-forensics.sans.org/community/downloads under the section "Download SIFT Workstation VM Appliance". After you get your workstation up and running (there are other tutorials for that) then update it through it's built in update or open a shell/terminal window and type sudo apt-get update && upgrade to get the build to update. After this, there are only a few other steps to install the required Java version to support TSK and Autopsy 4+. Installing testdisk for photorec functionality Note that I did not find this necessary for versions 4.6 or 4.7 of autopsy, however, it can't hurt for you to test. Enter into a shell the command: sudo apt-get install testdisk Installing Java to support TSK/Autopsy 4+ After you've updated the Operating System and verified that you have installed testdisk, check to see if Java's version is 1.8 or higher by typing in the shell/terminal: javac -version Your output should show something like javac 1.8.0_171 . Ensure it starts with at least version 1.8.0. If not, then add Java's repository to update sources by typing the command: sudo add-apt-repository ppa:webupd8team/java then update your local repository with command: sudo apt-get update and finally install the Java 8 installer with the command: sudo apt-get install oracle-java8-installer When installation completes (it may take one-five minutes or more) then check your Java version again with command and copy the installation path that appears next to Java version 1.8. javac -version Often times you'll have more than one version of Java installed, so another command is required to check which version is the primary one and also show us the file path where it is located. Check this with the command sudo update-alternatives --config java to show a list of Java installations on the system. Check that 1.8 shows the default/primary version with an * in it's row and copy down the path to Java 1.8 as you'll need to add that path to your environmental variables. Type the command sudo nano /etc/environment to open up the nano text editor, and add the JAVA_HOME line below (with your path) as a new line in the /etc/environment file. *Note that you only need to include the path up to /java-8/oracle. JAVA_HOME="/usr/lib/jvm/java-8-oracle" Press CTRL+X to exit, and when asked save the changes. Reload your environmental variables with command source /etc/environment then verify the variable shows the correct path by running the command echo $JAVA_HOME. *Note: These installation instructions comes from the article https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343 which you can visit for more details. Getting and Installing the latest version of The Sleuth Kit and Autopsy Visit https://github.com/sleuthkit/sleuthkit/releases and download the latest version of the .deb package, typically named something like sleuthkit-java_4.6.1-1_amd64.deb. Then install this Debian package of sleuth kit by running the command sudo apt install ./sleuthkit-java_4.6.1-1_amd64.deb. Now that we have the latest version of The Sleuth Kit, go download the latest version of Autopsy. It will typically be released in a zip file at https://github.com/sleuthkit/autopsy/releases and be named something like autopsy-4.7.0.zip. Create a directory for Autopsy wherever you prefer mkdir autopsy-4.7.0 and then unzip the file you downloaded there unzip autopsy-4.7.0.zip Finally, run the setup script in that directory sudo sh unix_setup.sh If everything is in order, you'll have a working version of Autopsy and The Sleuth Kit. You may run Autopsy by changing to the ‘bin’ directory in the autopsy folder you created and then typing the command ./autopsy Summary With a recent working version of The Sleuth Kit and Autopsy on SIFTv3 you have many of the tools competitions require for DFIR tasks. There are many things you won't be able to do without additional work, for example extracting specific registry keys and values from forensic images or other tasks. Fortunately Autopsy includes a modular framework which supports both Java and Python, and the community has created many of these tools for us check these out at https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules Today's digital forensic investigators benefit greatly by the ease with which the tools and maintenance of them can be done by an opearting system such as SANS' SIFT Workstation. Combined with great open source tools like The Sleuth Kit and Autopsy the hardest part is now learning how to investigate. For example discovering where you need to look, and what information you need to look for as well as how to get it. I found one great resource shared by a student at Cal Poly's California Cyber Innovation Challenge website which discusses analyzing Windows 7-10 and Android operating systems. The papers here contain great tutorials and basic training. Visit the Cal Poly California Cyber Innovation Challenge site and review their awesome site and the downloadable material at https://cci.calpoly.edu/events/ccichttps://cci.calpoly.edu/events/ccic/2018-df-downloads Happy hunting and many thanks to Cal Poly, The Sleuth Kit and Autopsy developers and SANS Digital Forensics! Below I present my report on the 2017 Holiday Hack Challenge. It's in PDF, because, well I put a lot of effort into the report to make it pretty and readable for the SANS folks. The challenge was a lot of fun, and I highly encourage anyone even remotely interested to give it a crack, it will always keep you learning. Happy Hacking and best wishes! |
AuthorI am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion. Archives
February 2022
Categories
All
|