Monday, December 28, 2015

Block Building Checklist

It is important to understand how the artifacts you rely on during an investigation are created. Thus I wanted to provide my block building checklist to help others recreate the process. I will walk through the commands used to prepare the blocks for distribution and how to build the block libraries with the removal of a whitelist.

Block Preparation

I have used Windows, Linux and Mac OS X over the course of this project. I recommend using the operating system that you're most comfortable with for downloading and unpacking the torrents. The best performance will come from using solid state drives during the block building steps. The more memory available during whitelisting, the better. Far fewer system resources are necessary when just doing hash searches and comparisons during block hunting.

We saw this command previously in the Block Hunting post, here with a new option. The -x option disables parsers so that bulk_extractor only generates the block sector hashes, reducing the generation time.

bulk_extractor -x accts -x aes -x base64 -x elf -x email -x exif -x find -x gps -x gzip -x hiberfile -x httplogs -x json -x kml -x msxml -x net -x pdf -x rar -x sqlite -x vcard -x windirs -x winlnk -x winpe -x winprefetch -x zip -e hashdb -o VxShare199_Out -S hashdb_mode=import -S hashdb_import_repository_name=VxShare199 -S hashdb_block_size=512 -S hashdb_import_sector_size=512 -R VirusShare_00199

The following steps help reduce disk storage requirements and improve reporting cleanliness for the sector block hash database. It is also a similar process for migrating from hashdb version one to two. One improvement I still need to make is to use the JSON output released at OSDFCon 2015 by Bruce Allen instead of DFXML.

We need to export the sector block hashes out of the database so that the suggested modifications can be made to the flat file output.   

hashdb export VxShare199_Out/hashdb.hdb VxShare199.out

· hashdb – executed application
· export – export sector block hashes as a DFXML file
· VxShare199_Out/ – relative folder path to the hashdb
· hashdb.hdb – default hashdb name created by bulk_extractor
· VxShare199.out – flat file output in DFXML format

Copy the first two lines of the VxShare199.out file into a new VxShare199.tmp flat file.

head -n 2 VxShare199.out > VxShare199.tmp

Append the contents of the VxShare199.out file, starting at line twenty-two, to the existing VxShare199.tmp file. The image below indicates which lines are removed by this command. The line count may vary depending on the operating system or the versions of bulk_extractor and hashdb installed.

tail -n +22 VxShare199.out >> VxShare199.tmp

The sed command reads the VxShare199.tmp file, then removes the path and the beginning of the file name before writing to the new VxShare199.dfxml file. The highlighted text in the image below indicates what will be removed.

sed 's/VirusShare_00199\/VirusShare\_//g' VxShare199.tmp > VxShare199.dfxml

Create an empty hashdb with the sector size of 512 using the -p option. The default size is 4096 if no option is provided.

hashdb create -p 512 VxShare199

Import the processed VxShare199.dfxml file into the newly created VxShare199 hashdb database.

hashdb import VxShare199 VxShare199.dfxml
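The head/tail/sed clean-up above, parameterised by VirusShare archive number so it runs the same on Windows, Linux and Mac OS X, as an added Python example (not the post's own commands). The sample export is constructed; the real header length (lines 3-21 in the post) varies by version, which is why it is a parameter, and the result checks that the prefix substitution reached every filename before `hashdb import` is run.

```python
"""Reproduce the head/tail/sed clean-up of a hashdb export for any VirusShare archive number."""
from pathlib import Path

# Constructed stand-in for a hashdb export: the XML declaration and <dfxml> open tag,
# the metadata block the post drops (lines 3-21 in its screenshot), then fileobjects.
SAMPLE_EXPORT = (
    ["<?xml version='1.0' encoding='UTF-8'?>", "<dfxml xmloutputversion='1.0'>"]
    + [f"  <metadata-line-{i}/>" for i in range(3, 22)]
    + ["  <fileobject><filename>VirusShare_00199/VirusShare_0a1b2c</filename></fileobject>",
       "  <fileobject><filename>VirusShare_00199/VirusShare_ff00ee</filename></fileobject>",
       "</dfxml>"]
)


def archive_prefix(archive_no: int) -> str:
    """Path prefix hashdb records for one torrent, e.g. 199 -> 'VirusShare_00199/VirusShare_'."""
    return f"VirusShare_{archive_no:05d}/VirusShare_"


def trim_export(lines, archive_no, keep_head=2, skip_through=21):
    """Equivalent of: head -n 2; tail -n +22; sed 's/<prefix>//g'.

    Keeps the first keep_head lines, drops lines keep_head+1 .. skip_through
    (the export metadata, whose length varies by hashdb/bulk_extractor version,
    hence the parameter) and strips the archive path prefix everywhere else.
    """
    prefix = archive_prefix(archive_no)
    kept = lines[:keep_head] + lines[skip_through:]
    cleaned = [line.replace(prefix, "") for line in kept]
    # Verify the substitution reached every filename before the file is imported.
    leftovers = sum(prefix in line for line in cleaned)
    if leftovers:
        raise ValueError(f"{leftovers} lines still carry {prefix!r}")
    return cleaned


def write_dfxml(src: Path, dst: Path, archive_no: int) -> int:
    """VxShareNNN.out -> VxShareNNN.dfxml, ready for `hashdb import`; returns lines written."""
    cleaned = trim_export(src.read_text().splitlines(), archive_no)
    dst.write_text("\n".join(cleaned) + "\n")
    return len(cleaned)


if __name__ == "__main__":
    print("\n".join(trim_export(SAMPLE_EXPORT, 199)))
```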

I compress and upload the hashdb database for distribution saving these steps for everyone.

Building Block Libraries

These previously generated hashdb databases can be found at the following link.

Create an empty hashdb called FileBlock.VxShare for the collection.

hashdb create -p 512 FileBlock.VxShare

Add the VxShare199 database to the FileBlock.VxShare database. This step needs to be repeated for each database. Upkeep is easier when you keep the completely built FileBlock.VxShare database for ongoing additions of new sector hashes.

hashdb add VxShare199 FileBlock.VxShare

Download the sector hashes of the NSRL from the following link. 

Create an empty hashdb called FileBlock.NSRL for the NSRL collection.

hashdb create -p 512 FileBlock.NSRL                 

The NSRL block hashes are stored in a tab-delimited flat file format. The import_tab option is used to import each file; the files are split by the first character of the hash value, 0-9 and A-F. I also keep a copy of the built FileBlock.NSRL for future updates.

hashdb import_tab FileBlock.NSRL

Remove NSRL Blocks

Create an empty hashdb called FileBlock.Info for the removal of the whitelist.

hashdb create -p 512 FileBlock.Info

This command will remove the NSRL sector hashes from the collection creating the final FileBlock.Info database for block hunting.

hashdb subtract FileBlock.VxShare FileBlock.NSRL FileBlock.Info

The initial build is machine time intensive but once done the maintenance is a walk in the park.

Happy Block Hunting!!
John Lukach


Sunday, December 13, 2015

Critical Stack Intel Feed Consumption

Critical Stack provides a free threat intelligence aggregation feed through their Intel Market for consumption by the Bro network security monitoring platform. This is a fantastic service that is provided for free!! Special thanks to those who have contributed their feeds for all to take advantage of the benefits!! Installation is beyond the scope of this post as it is super easy with decent documentation available on their website. The feed updates run roughly hourly by default into a tab-delimited file available on disk.

My goal was to make the IP address, domain and hash values accessible through a web interface for consumption by other tools in your security stack. Additionally, I didn't want to create another database structure, but rather read the values into memory for comparison on script restarts. I decided to use Twisted Python by Twisted Matrix Labs to create the web server. Twisted is an event-driven networking engine written in Python. The script provides a basic foundation without entering into the format debate between STIX and JSON. Kept it simple...

Twisted Python Installation

The following installation steps work on Ubuntu 14.04 as that is my preference.

1. apt-get install build-essential python-setuptools python-dev python-pip
2. pip install service_identity
3. wget
4. bzip2 -d Twisted-15.5.0.tar.bz2
5. tar -xvf Twisted-15.5.0.tar
6. cd Twisted-15.5.0/
7. python setup.py install

The PIP package installation allows for the future usage of SSL and SSH capabilities in Twisted.

Script

The default installation file and path containing the Critical Stack Intel Feed artifacts.

The field separator on each line that gets loaded into the Python list in memory.

The output that gets displayed on the dynamically generated web page based on user input.

The port that the web server runs on for the end-user to access the web page.

Usage

After the script is started, browse to the website with an IP address, domain or hash value provided in the path. If the result returns FOUND, the value is part of the Critical Stack Intel Feed, as shown in Example 1. Example 2 depicts the result when the comparison does not find a matching value.

Example 1:

Result 1: - FOUND

Example 2:

Result 2:
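The script itself appears in the post only as screenshots. What follows is an added Python 3 stand-in (not the author's Twisted code) that uses the standard library's http.server in place of Twisted, keeps the same path-based FOUND / NOT FOUND lookup and adds the originating-feed display from the 12/15/2015 update. The file path, the port and the Bro Intel framework '#fields' layout of the constructed sample feed are assumptions.

```python
"""Serve FOUND / NOT FOUND lookups against a Critical Stack (Bro Intel framework) feed file."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Assumptions: the post shows its file path and port only in screenshots.
INTEL_FILE = "/opt/critical-stack/frameworks/intel/master-public.bro.dat"  # assumed default path
PORT = 8080  # assumed

# Constructed sample in Bro Intel framework layout: '#fields' header, then tab-separated rows.
SAMPLE_FEED = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\tmeta.if_in
198.51.100.7\tIntel::ADDR\texample-feed-a\tconstructed\t-\tT\t-
bad.example.net\tIntel::DOMAIN\texample-feed-b\tconstructed\t-\tT\t-
deadbeefdeadbeefdeadbeefdeadbeef\tIntel::FILE_HASH\texample-feed-c\tconstructed\t-\tT\t-
"""


def load_feed(text):
    """Return {indicator: meta.source}; column order comes from the '#fields' line, not a hard-coded index."""
    fields, table = None, {}
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.strip() and not line.startswith("#") and fields is not None:
            row = dict(zip(fields, line.split("\t")))
            table[row["indicator"]] = row.get("meta.source", "-")
    return table


def lookup(table, value):
    """FOUND with the originating feed (the 12/15/2015 update) or NOT FOUND."""
    source = table.get(value.strip())
    return f"FOUND - {source}" if source else "NOT FOUND"


class IntelHandler(BaseHTTPRequestHandler):
    table = {}  # loaded once at startup; restart after the hourly feed update (cf. the crontab note)

    def do_GET(self):
        # The indicator is the URL path, e.g. http://host:PORT/198.51.100.7
        body = lookup(self.table, unquote(self.path.lstrip("/"))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    with open(INTEL_FILE) as fh:
        IntelHandler.table = load_feed(fh.read())
    # Bind to localhost; put it behind the access controls of your stack if other hosts need it.
    HTTPServer(("127.0.0.1", PORT), IntelHandler).serve_forever()
```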


Feel free to change the code to meet your needs, and I really appreciate any contributions back to the DFIR community.

Happy Coding!!
John Lukach


Updated 12/15/2015

· Displays the feed that an IP address, domain, or hash originated from.
· Upstart configuration file for running the Twisted Python script at startup.
· Crontab configuration that restarts the script hourly after Critical Stack Intel updates.