Description: This is the first video in a series of videos on Digital Forensics.
The technique used in this video is not new. It is a very loud way of gaining access to a Windows box and will leave behind lots of evidence. This video only covers gaining access - the following video will show a forensic examination of the computer.
Sorry for the lack of sound - I am in work and can't use the microphone.
Please leave comments, good or bad, so I can improve the quality of the forthcoming videos.
Wow, thanks a lot man. It will be a great series of videos.
Thanks, and I look forward to seeing many videos on this topic.
Hey,
Thanks for the video. Please post more videos related to Forensics. If possible, please post a video on how to bypass a Mac OS X Snow Leopard password login screen.
Thanks for the comments, everyone!
@utkarsh_shah - I don't know how to perform this task on a Mac, I'm afraid. Maybe someone else around here knows.
@5hark5ter - Thanks, don't worry about it, but keep posting the videos. :)
<rant>Seems to be a problem with the sound.......... Perhaps I'm speaking out of turn but videos where folk type painfully slow and don't speak are nearly as big a turn off as those crappy ones with Hip hop/rock music in them.
If you're making a video, make it worth watching and BLOODY WELL SPEAK!!!
</rant>
@Blackmarketeer - sorry, I made the video at my desk in work, so couldn't use the mic. Don't worry, fella. Next video will have sound.
And is my typing really that slow? :)
@5hark5ter: Great!! Thank you for the video. If possible, please start a Forensics Mega-primer. That would be very helpful for us. Hope to see some videos...
Thank you.
Gopi Kiran.
No 5hark5ter, your typing is fine. It's just I'm partially sighted and struggle to follow some of the text examples. Yours is pretty good, as it was in enough HD for me to see it. Some are not as good as yours :-)
It was not meant as a personal insult, just a general 'frustration' thing. Sorry for any offence.
Barry
@4dm1n - I'm working on material for a few videos in this series, so hopefully there'll be plenty of content for you.
@Blackmarketeer - Hey listen, no offence taken at all. I was only fooling around. It wasn't possible for me to record voice for this video. The next video will definitely have sound. You'll just have to try and cope with my Welsh accent.
Ah. Welsh accent. Mmm. Let me see you type again...... ;-)
@5hark5ter I was thrilled to receive your tweet about the video post. Just came back home and saw the first video, and I think it's an excellent start.
All accents are welcome (none can be heavier than mine :) ) and I really look forward to learning from you in this series. I have always been inquisitive about Forensics but never really could take it up.
I would really encourage you to make this video series long and as technical as you want. We at SecurityTube love hardcore tech stuff!
It will be more than excellent if you can go for a long and good megaprimer; there are not too many videos available on youtube about forensics.
@Vivek - thanks very much for your encouragement! I am really looking forward to putting this series together.
@m0ei - I'm working on a new episode already. I think I'll need to sit down and do a bit of planning, and then I'll put out a series of videos.
@5hark5ter: Thank u.. Good to hear that you're planning the series... :)
nice, i'll be glad to watch them all.
btw I meant 'Securitytube', not 'youtube'.
Hello 5hark5ter, if I can make a recommendation: please use larger text, 24 point should do. It was kind of hard to read it in full screen for a bit there. I do agree that a voice over would be nice though.
Great video 5hark5ter !! really nice to know that you will make other videos !! Goodluck friend .
Nice one bro. Keep the videos coming.
very nice effort !! waiting for more videos in this series eagerly \m/
Thanks everyone for your comments. Really appreciate you taking the time.
I will be remaking this video tomorrow night (Thursday, GMT), so hopefully it should be up with you then or Friday morning.
And this one will have my lovely voice on it! Apologies to everyone for the small text - didn't really plan this video out too well!
Just out of curiosity...what was the SFCDisable DWORD value on that target box? I'm suspecting it won't be "0" will it.
With the advent of SFC/WFP and being enabled by default, that shouldn't work anymore (unless it's disabled). utilman.exe is in the hit list of protected files (sfclist.dll), and if windows can't replace the non-recognised version with a known good version (ie..can't find the good copy) it simply refuses to execute when windows+U is pressed.
I've been checking/re-checking this for the last couple of hours and even after logging on with valid credentials, it still refuses to run utilman from the shortcut keys. Interestingly Windows Start button says that a new program was installed, highlighted the path through Start to Accessibility and there's Utilman...with the cmd.exe icon. Clicking it opens a cmd prompt. Windblows fun and games huh? That's what makes forensics fun on a daily basis :-)
Hi srhnz. Are you a forensic examiner too? Which side of the world are you on?
I'll be honest and say I wasn't even aware of SFC/WFP, so thanks for letting me know!
Is the SFC/WFP entry there from the word go? Reason I ask is I've examined the Win7 operating system I installed for this exercise and couldn't find that entry. This is a bog-standard installation of Win7 with no patches.
Or am I just being dumb...?
Oh and thanks for the comment!
Not a lot of playing with Win7 as yet, as I haven't had too many cases where Win7 was involved (I'm in a large network environment still running older OS's for the clients)
You might find the Windows File Protection setting under gpedit.msc, which I think is still available in Win7 Pro and above(?) You're running Ultimate, so you should have gpedit. Now that you have asked the question, it's going to bug me until I find the answer...Once I have located a Win7 instance :-)
Personally, if I have a HDD image file, I just mount it under Linux in read-only mode, and hammer away at it with foremost, regripper, log2timeline...etc, etc. The only time I've had to fire up a captured drive image was when it was encrypted, or it was a RAID set (yes..I could have used MIP, but it was a stoopid RAID6 setup and not recognised by MIP)
The only dumb question is the one you don't ask..and we are dealing with MS randomness...so anything could happen!
Greetings from New Zealand :-)
To all, the video has been remade with sound and submitted, so should be up soon.
@srhnz - Again, being totally honest, I've fallen into the trap of being a point-and-click examiner, relying on mainly EnCase to do my examinations. I work in law enforcement. I do use other programs to aid my examinations, but the majority of it is done on EnCase.
I would REALLY appreciate it if you could give me a list of the programs you use so that I could try them out. Always looking to better my skills.
And hello from Wales!
Have you used Helix? I used to work in a data forensics company and Helix was a Linux distro (like BackTrack) that they used to complement EnCase. I do have to say though, EnCase is amazing in what it can do.
OK...time to remove foot from mouth...and I'm quite astounded that this is still allowed to happen! Just tested it on Ultimate 64bit..straight in! Gobsmacked!!
Don't even have to use Win+U...click the nice little button on the lower left on the login screen..Ironically named "Ease of Access"
My apologies to 5hark5ter. I shall go and sit quietly in the corner.
*still gobsmacked*
Anyhoo..5hark5ter, in response to your query about the toolkit, there is a myriad of open source tools out there, and some of them are getting very good at being more user friendly. A lot of people think open source forensics = TSK and Autopsy, but there is so much more out there.
Take your pick from Helix, PTK, DFF, and my personal favorite the SANS SIFT. The SIFT is more a collection of tools as opposed to a single tool, and comes in VM and live CD + installer flavours. Most open source kits will come with TSK+Autopsy, regripper, log2timeline, etc, etc. The thing I like most about open source (apart from the price) is they make you think about where this information is coming from...the actual mechanics of what the tool is doing and where it's going. The ability to look at source code for the tools and see how it's doing its magic is a great learning resource.
For live forensics, Helix is brilliant...even down to creating a log file of all your activities. This allows you to get on with the task, and being able to concentrate on minimizing your footprints on the running system (as much as one can).
PS...Just tested Win7 Home Prem...and the utilman bypass works there too :-0
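The thread above turns on one artefact: utilman.exe on the target has been replaced with a copy of cmd.exe, and WFP/SFC did not put the original back. For an examiner working a read-only mounted image (as srhnz describes), the quickest confirmation is to hash the accessibility binary and compare it with cmd.exe on the same volume, and with a known-good hash where one is available. The script below is an added example written for this page, not code from the video or from any of the commenters; the System32 path and the known-good hash table are assumptions supplied by the caller, and the demo builds a constructed stand-in directory rather than touching a real Windows install.

```python
"""Triage check for a swapped accessibility binary on a mounted Windows volume.

Added example (not part of the original video or thread). Given a System32
directory from a read-only mounted image, it reports whether utilman.exe has
the same SHA-256 as cmd.exe (the swap shown in the video) and, optionally,
whether it differs from a caller-supplied known-good hash.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_accessibility_swap(system32: Path, known_good=None, targets=("utilman.exe",)):
    """Return one finding dict per target binary.

    system32   : path to the mounted image's System32 directory (assumption: caller supplies it)
    known_good : optional {filename: sha256} table from a trusted reference install
    targets    : accessibility binaries to inspect; the page only discusses utilman.exe
    """
    known_good = known_good or {}
    findings = []
    cmd_path = system32 / "cmd.exe"
    cmd_hash = sha256_file(cmd_path) if cmd_path.is_file() else None

    for name in targets:
        path = system32 / name
        if not path.is_file():
            findings.append({"file": name, "status": "missing"})
            continue
        digest = sha256_file(path)
        # Preserved mtime from the image is useful when building a timeline later.
        finding = {"file": name, "sha256": digest, "mtime": path.stat().st_mtime}
        if cmd_hash is not None and digest == cmd_hash:
            finding["status"] = "replaced_with_cmd"      # identical bytes to cmd.exe
        elif name in known_good and digest != known_good[name]:
            finding["status"] = "hash_mismatch"          # differs from the reference build
        else:
            finding["status"] = "ok"
        findings.append(finding)
    return findings


def build_demo_image(swapped: bool) -> Path:
    """Constructed sample data: a throwaway directory standing in for System32.

    The file contents are placeholders, not real PE images.
    """
    root = Path(tempfile.mkdtemp(prefix="sys32_demo_"))
    fake_cmd = b"MZ-constructed-cmd.exe-stand-in"
    (root / "cmd.exe").write_bytes(fake_cmd)
    # In the swapped case utilman.exe is a byte-for-byte copy of cmd.exe.
    utilman = fake_cmd if swapped else b"MZ-constructed-utilman.exe-stand-in"
    (root / "utilman.exe").write_bytes(utilman)
    (root / "notepad.exe").write_bytes(b"MZ-constructed-notepad.exe-stand-in")  # control file
    return root


def demo():
    """Run the check against the constructed swapped image."""
    root = build_demo_image(swapped=True)
    return check_accessibility_swap(root, targets=("utilman.exe", "notepad.exe"))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `system32` at the mounted image (for example `Path("/mnt/evidence/Windows/System32")`) and pass a `known_good` table taken from a clean install of the same build to catch replacements that are not simply cmd.exe. On a live box the equivalent spot check is `Get-AuthenticodeSignature` on the same files, since a swapped copy will not carry the expected Microsoft signature for that filename.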
@srhnz - Ha ha! Absolutely NO need for apologies. Like you said previously, chalk it up to 'MS Randomness'. I originally wanted to perform the attack on an XP machine, however it didn't work on the version I had. Ridiculous.
Thanks so much for the list of software. I totally forgot about the SIFT Workstation. I've got that, plus an old copy of Helix. I do agree with GTKlondike in that EnCase is great, however at the moment I simply can't afford to buy it!
Funny that you say it wouldn't work on an XP machine...'cos I think it was from SP2 that WFP/SFC was enabled by default, hence I thought they (MS) had permanently fixed that issue. They obviously have brought it back, but the reason for doing so is beyond me.
Looking forward to your next vid.
Vivek...I don't suppose there's a "pm" feature here so the likes of 5hark5ter can stop clogging up the screen with our general chit-chat is there?
:-)
@srhnz - thanks! It'll be up on Saturday. Also, in case you're interested, the SIFT workstation 2.1 was released today.
Very interested!!...Timing couldn't be better as I have to rebuild the analyst machine :-)
And when I said 'the likes of 5hark5ter'...I did mean '5hark5ter and me clogging up the screen..'
Just as another aside, chntpw (on BT) also works well to blank the password on an existing account on Win7. Didn't like me disabling syskey, but no problems blanking the existing accounts' passwords. Didn't even seem to notice the CRC for the SAM file had changed like XP used to do. Good to see these old "hacks" still work :-)
Cheers.