Sunday, October 29, 2017

Moving Files From Inoperable Computers With Wiebetech Forensic Ultradock

Full disclosure:  I do not get kickbacks for mentioning anything in my blog.  If I ever do, then I will specifically say so.  I just happen to like the devices that I mention and feel that they may help others.

At work, I used a Wiebetech Forensic Ultradock to look at some files on some drives.  It was incredibly easy to use.  With the computer unplugged, open the case carefully and note the type of connection cables plugged into the hard drive, disconnect them, remove the hard drive, and connect it with the matching cables that come with the dock.  Everything is well labeled on the dock.  Then plug the dock into your laptop/desktop computer with the appropriate cable via a USB port.  Plug the dock into a wall socket using the power cord, and the dock should display info about the drive.  When you flip the switch, you should be able to browse the files on the docked hard drive on your laptop/desktop computer just like you can with an external drive.

Regarding taking apart laptops/towers:  If you feel unsure, simply take it slow, and take pictures as you go along so that you'll remember how everything is assembled, so you can reassemble it later.  Many devices are taken apart on YouTube, so you can see tutorials about how to do so on there, or simply Google it.  Even if your specific model isn't on Google/YouTube, many computers are usually similar, so understanding what things are, inside the case, isn't difficult.

I have some old computers at home where I have some photos stored.  I made backups, but a couple of moves later, and I have no idea where the backups are.  I've wanted to get those photos for quite some time, but I've been working on other things.

My spouse recently took SANS FOR 500.  I can't look at his books; it's against the licensing.  (I hope to be able to save enough and take this course as a work-study, later.)  I don't think that SANS can be opposed to me using the equipment provided in the class, though, i.e. the Wiebetech Forensic Ultradock.

I looked on Amazon for the same model of Wiebetech Forensic Ultradock, in case others are interested.  It is ~$280 as of this writing.  The version I'm using is FUDv5.5 in case this link doesn't work in the future.

https://www.amazon.com/CRU-31350-3109-0000-WiebeTech-Forensic-UltraDock/dp/B0167NDLOU

Looking at older versions, it looks like they can be purchased for around $55.

https://www.amazon.com/WiebeTech-Forensic-UltraDock-V4-controller/dp/B002MF68HA/ref=sr_1_2?s=electronics&ie=UTF8&qid=1509300870&sr=1-2&keywords=WiebeTech+Forensic+UltraDock

I did not check to see if the connection cables were included with those prices.  Also, one should probably make sure that the dock will work with their OS and with the device that they want to retrieve files from.

You can find documentation, the device, and other parts on this site:

https://www.cru-inc.com/products/wiebetech/forensic-ultradock-v5-5/

Fortunately, my spouse's dock works just fine with my MacBook Pro.  It also works with Windows 10.  Also, note:  Be very careful.  If your old docked device was compromised by malware, you could still be at risk.  This forensic dock, according to the manual, provides write-blocked access to the docked device; however, you can still copy files from the docked device to your computer.  If you run those files, and they are infected, you have a chance of infecting your computer with malware if the malware is compatible with the OS of your current device.

The most trouble I had was taking apart the laptop and old towers that I was interested in getting the photos off of.  Every one of them had a different case style.  The most difficult one was the Compaq.  Its case was a little bent.  None of them were difficult though.

I was laughing at the specs on a Compaq that was running Miserable Edition.  At the time, it was awesome.  Now it's ancient.  It could probably still run some retro games just fine.  Since I now have the files off of it, I might tinker with it later.

The old towers were all in my garage, so they were dusty, had a couple of crickets, and had some spiderwebs inside.  So be aware, no matter how clean you are, if things are in storage or a garage, you may find some surprises.

It was interesting seeing the change in technology over time.  The hard drives from the towers were clunky and only 40GB.  My older laptop had a 500 GB hard drive.  I might get a case and make an external drive out of the 500GB hard drive.

I showed my children the inside of the computers and explained to them the dangers of taking them apart.  I also explained that I was very careful, and that I had taken computers apart before to troubleshoot problems, and add hard drives and memory.  They seemed to like looking at the inside of each of the computers. :)  It was a fun, family activity.

Have fun :)

Friday, October 27, 2017

Ubuntu Bootable USB Drive

Create an Ubuntu Bootable USB with an ISO with dd

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  sudo apt-get install gparted
3.  Plug in an empty USB drive.
4.  See which /dev device name the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device name of the USB drive.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Choose ext4 for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the Ubuntu ISO
11.  sudo dd if=/pathandname/of/Ubuntu.ISO of=/dev/devname bs=4MB

Create an Ubuntu Bootable USB with an ISO with unetbootin

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  sudo apt-get install gparted unetbootin
3.  Plug in an empty USB drive.
4.  See which /dev device name the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device name of the USB drive.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Choose ext4 for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the Ubuntu ISO
11.  Mount the partition you created in gparted (the partition, e.g. /dev/sdX1, not the whole device): sudo mount /dev/sdX1 /mnt
12.  sudo unetbootin
13.  Either A) select Ubuntu from the OS dropdown and the version of Ubuntu from the dropdown at the top of the screen, select USB at the bottom of the screen and the USB's device from the drive dropdown, then click OK;
or B) select your Ubuntu ISO with the file chooser at the bottom of the screen, select USB at the bottom of the screen and the USB's device from the drive dropdown, then click OK.

DOS Bootable USB Drive With Samsung Magician Secure Erase

I've never had to create a bootable drive before.  I'm not exactly a hardware person either.  I wanted to erase an SSD drive.  I've read a little bit of forensics and how if drives aren't properly handled, some information can still be retrieved.  I wanted to make sure that the information on this particular drive was either not accessible to get or completely erased.  I prefer the latter, but realize that sometimes that may not be possible.

So I did some research.  SSD drives cannot be erased in the same way as the old spinning platter drives.  The spinning platter disc drives could simply be overwritten by flipping all of the bits on the drives to 0s.  The way in which SSD drives work, the user is only presented with sort of a window of data that the controller shows them, not every single section on the drive.  So theoretically, some information can still be on the drive, even if all the bits on one part are overwritten with 0s.  Not sure how great the following websites are, but I found them helpful.

The tech behind SSD is explained here:

https://computer.howstuffworks.com/solid-state-drive.htm

The difference between SSDs and Spinning Platter hard drives:

https://www.extremetech.com/extreme/210492-extremetech-explains-how-do-ssds-work

SSDs can be reset using a Secure Erase command that is in most of the SSDs produced since 2001.  According to the following Q&A, it's not exactly an erase; it's more of a reset.

Secure Erase Q & A  - this is a doc file.

My device isn't that old, so it should support that command.  My device is a Samsung EVO 850.  There is a utility by Samsung called Magician that works with certain devices, this model being one of them.  I figure that the manufacturer knows its drive better than anyone, so it seems safer to use the manufacturer's own utility even though there are other options like Linux hdparm.  My drive is no longer in the laptop that it was originally in.

The manual for Magician says that it can't erase a drive that is connected in any manner other than the motherboard, but it says that one can create a bootable USB drive that has secure erase on it to delete the SSD.

Download - Samsung Magician Consumer Magician Installation Guide

I installed Magician on a Windows device.  I tried docking the drive on a Wiebetech Forensic Ultradock to see if I could make a bootable USB drive.  Magician wouldn't give me the option to create a bootable USB drive because it didn't detect the drive.  (Windows detected the drive just fine.  I could peruse the directory structure in Windows Explorer.  It was like browsing a USB drive.)

So I did more research.

I found this:

https://us.community.samsung.com/t5/Others/How-to-use-Secure-Erase-on-an-SSD-when-you-only-have-one-SATA/td-p/103566

I didn't use Rufus, like in the directions in the website above.  I used Ubuntu, a FreeDOS ISO downloaded from the FreeDOS website, gparted, and the native dd command to create a bootable DOS drive.

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  sudo apt-get install gparted
3.  Plug in an empty USB drive.
4.  See which /dev device name the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device name of the USB drive.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Make the size of the drive 4096 KB (4 MB).  Choose NTFS for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the FreeDOS ISO
11.  sudo dd if=/pathandname/of/FreeDOS.ISO of=/dev/devname bs=4MB

I then had a bootable DOS USB.
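The dd step is the same in both of the procedures above, and it is also the step where a typo in the device name wipes the wrong disk.  The script below is an added example, not part of the original post: it refuses to write to anything that is not a removable block device or that holds the running system (using lsblk and findmnt from util-linux, which Ubuntu ships), writes the ISO with dd the way the steps do, and then checks that the bytes on the device hash to the same SHA-256 as the ISO.  The ISO and device paths are arguments; nothing in it is specific to Ubuntu or FreeDOS.

```shell
#!/bin/sh
# Added example (not from the original post): write an ISO to a USB device with dd,
# but only after checking the target, and verify the written bytes afterwards.
set -eu

# Return 0 only if DEV is a block device that lsblk marks removable and that is not
# the disk behind the root filesystem.  Assumption: DEV is a whole disk like /dev/sdb.
is_safe_target() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    removable=$(lsblk -dno RM "$dev")                 # RM column: 1 = removable
    [ "$removable" = "1" ] || { echo "$dev is not marked removable" >&2; return 1; }
    root_part=$(findmnt -no SOURCE /)                 # e.g. /dev/sda2
    root_disk=$(lsblk -no PKNAME "$root_part" 2>/dev/null || true)   # e.g. sda
    [ "/dev/$root_disk" != "$dev" ] || { echo "$dev holds the root filesystem" >&2; return 1; }
}

# Write ISO to DEV, forcing the data out of the page cache before dd returns.
write_image() {
    iso="$1"; dev="$2"
    is_safe_target "$dev"
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress
    sync
}

# Return 0 if the first (size of ISO) bytes of DEV hash to the same SHA-256 as the ISO.
# Any readable target works here, including a regular file, so this can be tested
# without real hardware.
verify_image() {
    iso="$1"; dev="$2"
    size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(sha256sum < "$iso" | cut -d' ' -f1)
    dev_sum=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    [ "$iso_sum" = "$dev_sum" ]
}

# Usage (as root): sh write-iso.sh /path/to/image.iso /dev/sdX
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2" && verify_image "$1" "$2" && echo "image written and verified"
fi
```

The verification reads only as many bytes as the ISO has, because dd with bs=4M writes a partial last block rather than padding, so the device contains exactly the ISO followed by whatever was there before.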

I then followed the directions on the following website from steps 2 down.

https://us.community.samsung.com/t5/Others/How-to-use-Secure-Erase-on-an-SSD-when-you-only-have-one-SATA/td-p/103566

I hooked up the SSD drive to the SATA port of an old tower desktop computer.  I plugged in the USB and it booted FreeDOS from the USB.  (It asks to install DOS to the hard drive, but you just choose the language, and then exit to DOS.  It doesn't install DOS.)

When the DOS prompt appeared, I typed in "serase" and pressed enter.  (If serase doesn't work for you, use whatever the name of the secure erase .bat file is, in case you changed its name for some reason.)

It should bring up a pseudo-GUI.  Magician should detect the drive if it was connected properly.  Then it will give you the option to secure erase the drive.  Follow the on-screen directions.  It's weird because it doesn't take long to erase at all.

Then I exited to DOS, and typed shutdown.  I now have an erased SSD drive.

I'm not exactly sure how the different versions of secure erase work.  From what I understand there are a couple of versions: secure erase and enhanced secure erase.  For my needs, whatever Samsung Magician did is probably fine, but for any business purpose the drives should probably be secure erased and destroyed if they have PII on them, because even secure erase is no guarantee that everything is off the drive.  I'm not sure if secure erase meets the legal requirements for HIPAA, PCI, or other laws.  Companies should consult their compliance advisors and/or legal team to determine this.
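Whether a drive offers plain or enhanced secure erase, and whether the BIOS has "frozen" the security feature set so that no erase command will be accepted, is something the drive itself reports.  The hdparm option mentioned earlier (sudo hdparm -I /dev/sdX) prints this in a "Security:" section.  The script below is an added example, not from the post or from Samsung: it parses that section from stdin and prints a one-line summary.  The sample output at the bottom is constructed to follow hdparm's layout and is not from a real drive; the exact wording hdparm prints for each line is what the parser assumes.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the "Security:" section of
# `hdparm -I` output so the sanitization method can be chosen from what the drive
# actually supports.  Reads the hdparm text on stdin.
set -eu

# Print: supported=<yes|no> enhanced=<yes|no> frozen=<yes|no|unknown> locked=<yes|no|unknown>
security_status() {
    awk '
        /^Security:/         { insec = 1; next }     # section header
        insec && /^[^ \t]/   { insec = 0 }           # next unindented line ends the section
        insec {
            line = $0
            gsub(/^[ \t]+/, "", line)                # strip indentation
            gsub(/[ \t]+/, " ", line)                # "not<TAB>frozen" -> "not frozen"
            if (line == "supported")                          sup = "yes"
            else if (line == "not supported")                 sup = "no"
            else if (line == "supported: enhanced erase")     enh = "yes"
            else if (line == "not supported: enhanced erase") enh = "no"
            else if (line == "frozen")                        frz = "yes"
            else if (line == "not frozen")                    frz = "no"
            else if (line == "locked")                        lck = "yes"
            else if (line == "not locked")                    lck = "no"
        }
        END {
            printf "supported=%s enhanced=%s frozen=%s locked=%s\n",
                (sup == "" ? "no" : sup), (enh == "" ? "no" : enh),
                (frz == "" ? "unknown" : frz), (lck == "" ? "unknown" : lck)
        }'
}

# Constructed sample in hdparm -I layout (not real drive output): security supported,
# enhanced erase supported, not frozen, not locked.
sample_hdparm_output() {
    printf 'ATA device, with non-removable media\n'
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\tnot\tenabled\n'
    printf '\tnot\tlocked\n'
    printf '\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

# Real use: sudo hdparm -I /dev/sdX | security_status
sample_hdparm_output | security_status    # -> supported=yes enhanced=yes frozen=no locked=no
```

A result of frozen=yes is the common reason a secure erase tool reports "drive not supported": the drive is capable, but the firmware has locked the command out until the next power cycle of the drive.  The same summary makes it explicit when only plain secure erase is available, which matters for the distinction between the two versions discussed above.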

Wednesday, October 25, 2017

DerbyCon Door Key Challenge-Solution

I've been so busy I completely forgot to post these solutions.

You start out with a double-sided card with grey and green letters and numbers.  If you look at the front of the card, you'll notice that the legible words are the green letters.



If you look at the back of the card, you'll notice that these are hexadecimal characters.  One of my favorite online tools helped to solve this one.



Solving the green ones gives a rotational cipher.  SLNHJF. KLYIF JVBUALYOHJR. JVT.

Using a rotational cipher solver, one of many that can be found online, you get the url of a website: DERBYLEGACY.COUNTERHACK.COM
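The online solvers just try every shift and let you spot the readable one.  The following is an added example, not code from the post, that does the same with tr: rot shifts letters by N places, rot_all prints all 26 candidates, and the last lines decode the green text quoted above.  The shift of 7 used by the card (undone with a shift of 19) was checked here against the URL given in the post, not stated in it.

```shell
#!/bin/sh
# Added example (not from the original post): a Caesar/rotational cipher solver in shell.
set -eu

# Shift letters on stdin forward by N (0-25).  Punctuation, digits and spaces pass through.
rot() {
    n=$(( $1 % 26 ))
    twice=ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ
    upper=$(printf '%s' "$twice" | cut -c "$((n + 1))-$((n + 26))")   # alphabet rotated by n
    lower=$(printf '%s' "$upper" | tr 'A-Z' 'a-z')
    tr 'A-Za-z' "$upper$lower"
}

# Print every candidate shift of the text given as an argument, one per line,
# prefixed by the shift number so the right one can be reused.
rot_all() {
    text="$1"
    i=0
    while [ "$i" -lt 26 ]; do
        printf '%2d: %s\n' "$i" "$(printf '%s' "$text" | rot "$i")"
        i=$((i + 1))
    done
}

# The green letters from the card, as quoted in the post.  They were encoded with a
# shift of 7, so undoing it is a shift of 19 (26 - 7).
card='SLNHJF. KLYIF JVBUALYOHJR. JVT.'
printf '%s\n' "$(printf '%s' "$card" | rot 19)"   # -> LEGACY. DERBY COUNTERHACK. COM.
```

Running rot_all "$card" shows the 26 candidates; only shift 19 produces English, which is exactly the judgement the online solvers leave to you.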

Visiting the website, you are asked to create an account.  After creating an account, you are greeted with the following screen...


The first question clue was the following:


The solution was to find the item that matches the slip of paper.  There was a SANS Pen Test Blog posting with a piece of paper that looked similar to that.  Googling "Python Reverse Shell" and "SANS Pen Test Blog Python Reverse Shell" showed a blog posting.  At the bottom of the completed paper, it says, "Featuring SEC573".

https://pen-testing.sans.org/blog/2017/01/31/pen-test-poster-white-board-python-python-reverse-shell

Another option is to search for the photo using TinEye.  TinEye is like a search engine of pictures on the Internet.  It can find photos similar to the one that you upload, and it displays the closest matches.  It's great for CTF questions involving pictures.


The next one asks which SANS Pen Test Challenge Coin was created, but never released.


This one can be found by looking at the Pen Testing Blog post detailing the Pen Testing coins' backstory.



There's also a hint about a SANS poster.  The following poster shows a coin that no one has.  It's a coin for SEC562.  flag{sec562}



The next question is simple.  Simply visit https://www.holidayhackchallenge.com and right-click and select view source.  Look for an ASCII Santa with the flag.  flag{santa}


For the next challenge question, I downloaded the image and used Tineye, as I mentioned earlier to find a similar picture online.  The answer is flag{Bryce Galbraith}.

In the next question you can view the hex of the file using a hex editor like Bless or xxd, or you can use the strings command.  The title is: Introduction to Reverse Engineering for Pen Testers.  The speaker is Stephen Sims.


I used Wireshark to look at the following pcap.  Then I clicked on Statistics > Protocol Hierarchy, highlighted HTTP, right-clicked and chose Apply As Filter > Selected.  After that, I simply looked for a POST message, right-clicked and chose Follow TCP Stream.  If you look through the requests and responses, you'll see a password in clear text.


The code in the next question prints the flag.  It's backwards in the bottom of the code.  flag{pyWars}


Google the next one.  https://www.sans.org/netwars/cybercity  flag{SCADA}


Do a WHOIS lookup to find the first one.  Look on https://www.sans.org to see where he is teaching next.  Google the last one.  flag{edwardskoudissec560washingtonpost}

The next one is easy if you use the strings command.  flag{counterhack&sans}

Unfortunately, the challenge is no longer up as far as I can tell.  These may help others solve similar challenge questions, though.
Have fun!