I apologize to those in my talk (and throughout the rest of the cons last week) who asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 who was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.

In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:

  • enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
  • imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
  • nbd_server.rb – Maps a remote physical/logical drive to a local network block device server. You can then mount and/or use any forensics tools you’d like on it.

Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:

Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.


This is just a quick post to remind readers that I will be in Vegas for Black Hat and DEFCON this week, and I’m looking forward to meeting as many of you as possible. I will be giving a talk at both Black Hat and DEFCON:

  • Wednesday, August 3rd, 3:15 PM – Black Hat USA 2011 – Track 7
  • Friday, August 5th, 3:00 PM – DEFCON 19 – Track 2

My talk is entitled “Covert Post-Exploitation Forensics With Metasploit”, and I’ll be talking about a set of Metasploit Post-modules that I have developed for performing forensic analysis of machines over a meterpreter connection. With these modules, penetration testers (as well as other roles) will be able to run currently-available/popular forensic tools on remote drives in the same way that forensic examiners currently use them on local drives. Through some protocol trickery and using Railgun to pipe the Windows API over meterpreter, you can essentially make a local block device that maps to the victim’s drive. I’ll have some discussion, including a basic introduction to disk/file-system forensics for penetration testers, a demo, and some time for questions and discussion.

The presentation and tools will be available on the conference disc, and I’ll post the “latest” versions here as soon as I can manage to after my talk. The modules ought to be available in the Metasploit SVN soon as well.

I’ll also be actively attending/prowling around the conference, so feel free to track me down to talk shop about breaking things, forensics, etc. I have lots of fun stories that aren’t appropriate for the blog/twitter.


I will also be bringing 20 of the challenge coins we normally hand out at the end of the Advanced Forensics class at the Mississippi State University National Forensics Training Center. If you want one, track me down at Black Hat or DEFCON and offer me something cool/interesting for one ;) :

Double Secret Edit:

I also have fun 0-day for Tiny Tower on all IOS devices (iPhone, iPad, iPod Touch), which I will disclose to attendees for the price of one drink and a handshake Non-Disclosure Agreement (negotiable). You’re not going to be hacking the Gibson with this one anytime soon, but it’s *fun*.


The reviewers at Black Hat have notified me that my submission has been accepted and I will be speaking at BlackHat USA 2011 in Las Vegas this year. As you can imagine, I’m thrilled, as I was not able to attend BlackHat or Defcon last year. I’m looking forward to being there as a speaker this time, interacting with all the great folks I met two years ago there, and anyone new I meet.

The title of my talk is “Covert Post-Exploitation Forensics With Metasploit”, which will be accompanied by the release of a set of meterpreter scripts and a white-paper that details how they can be used. The abstract of my work has been posted on the Briefings page at the USA 2011 site:

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.


In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

The associated scripts and more information will be released with the conference proceedings, and here on this site at the time of my talk (probably also a coordinated release into the Metasploit trunk, but I haven’t talked to those guys about it yet).

At this point, you’ll have to take my word for it, but I assure you this isn’t a typical “Yet Another Metasploit Talk”. I would hope that the submission reviewers at Black Hat would not have accepted it if they felt this was the case. What I’m demonstrating is a way to use a whole suite of useful and mature tools in a penetration test (or other scenario) through Metasploit.

Assuming I’m not scheduled to present at the same time as Barnaby Jack, Dan Kaminsky, or the like, I’d definitely recommend showing up, as I think it’ll be a very fun talk and demonstration. See you at Caesars Palace!


EDIT: I have found some clarification about the “controller cards”, seemingly confirming what I have posted, and have added thoughts to the end of this post.

Today, on the Wired Threat Level blog, there is a story that covers Sony’s allegations that George Hotz (“geohot”), who they are suing for DMCA violations involving a PlayStation 3 jailbreak, sabotaged hard drives provided for discovery, and skipped town.

Skipping town to South America is not in my area of expertise, so I’m not commenting on whether or not that is happening, but forensic acquisition and analysis of hard drives happens to be my current bread-and-butter. The Wired article states that, regarding the hard drives, Sony claims that Hotz provided the hard drives in a non-functional state. This includes a link to a PDF from the case’s filings which includes the exact wording of Sony’s complaint on page 22:

Despite Judge Spero’s orders, Hotz continues to frustrate all attempts to complete jurisdictional discovery.  In yet another attempt to avoid his deposition and a limited inspection of his impounded hard drives, on March 17, 2011, Hotz filed a motion for protective order on issues already decided by Judge Spero.  (Docket No. 100.)  On the same day, TIG discovered that prior to delivery, Hotz had removed integral components from his impounded hard drives, rendering them completely non-functional.  Bricker Decl., ¶21, Exh. S.  When SCEA echoed TIG’s request that the components of the hard drives be delivered immediately, Hotz’s counsel responded that Hotz was in South America.

Hotz’s attorney’s quote to Wired in response to this was the following:

They didn’t have the controller card attached. That’s it

The attorney, I assume, does not have an extensive technical background, and likely gave this comment off the cuff (or as “off the cuff” as any attorney will allow themselves to be). Therefore, this is going to take some interpretation. The first question is what do they mean by “controller card”. When it comes to hard drives, two things come to my mind:

  • The interface between the chipset of the motherboard and the hard drive. For most motherboards the SATA or IDE interface is integrated into the board. If it’s an older computer that an end-user has added a SATA drive to, a SATA “controller card”, in the literal “card” sense, may be slotted into the motherboard to interface with the newer drive.
  • The circuit board attached to the drive that handles ATA communications on one side, and interacts with the drive’s electrical and mechanical internals on the other side. To illustrate, it’s the part facing the camera in this image:

The Underside of a Hard Drive

The latter is what I assume is meant, for the following reasons:

  • It’s something that could be removed from a drive, as the filing states
  • Controller cards in the sense of a slotted card on a motherboard aren’t very common right now. Most computers have the interface they need on the motherboard.
  • Even if it was a SATA, IDE, or even SCSI controller card meant to be slotted into a motherboard, not providing this card would not render the drive unreadable to a well-outfitted forensics lab that TIG (the third party forensic examiner Sony is using) would have.

Now, I do not support Sony’s lawsuit against George Hotz, but it seems to me that if he did remove those controller boards from the drives, this is a case of needlessly antagonizing the opposing counsel, examiners, and the judge. I really don’t think it’s a good idea to intentionally do this when providing evidence under a court order.

Those boards don’t just fall off, and the absence of them is not something that is as easy to overcome as Hotz’s attorney implies. To read a drive that has had this board removed, you would need an identical board. Those who do data recovery in cases where this board has been damaged know that extreme care needs to be taken in finding a replacement. Even drives of the same model and capacity can have different revisions of these boards, and it’s crucial to get a match. Even a forensics firm such as TIG is not likely to maintain a stockpile of various controller boards from drives, as it would be prohibitively expensive to buy and file “one of everything”. The absence of the board (not just the failure of it) makes it even more difficult, as it may or may not be possible to determine the right revision of the board to use to replace it, without the original to compare.

While I disagree with the basis of the lawsuit and support the opening of electronic devices (all of my and my spouse’s Apple iPods, iPhones, and iPads are jailbroken), if this is the method being used to stall the plaintiff and case progress, I see that as being in bad form for Hotz, and a bigger issue than his attorney lets on. Hopefully not. Don’t make it hard for me to like you, geohot! Take the high road.

EDIT: I found the exhibit with the discussion of the missing hard drive parts at Groklaw:

This pretty much confirms the above with the following quotes from an examiner at TIG:

This controller card is  installed at the factory and not normally removed or handled by an end user.

We took the drives out of our evidence locker and the evidence bag to image them in their current encrypted state as stated in the order and agreed to on our phone call yesterday.   We have determined that the controller cards which are screwed onto the hard drives were removed prior to them being given to us.   Therefore we are unable to operate the hard drives in their current state.  Keep in mind that we need two days to image these drives as we have to image two 1TB drives.

It’s difficult to imagine a reason Hotz would have had to remove the circuit boards from the drives he was ordered to turn over. It will be very interesting to see why he did this. From my position, I can’t see this as being productive for anything other than antagonizing the opposing party and, more importantly, the judge.


The results are in for the sixth Network Forensics Puzzle contest, and I won first place! You can see my writeup, along with many of the other winners’ entries, at the forensicscontest.com blog:

Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.

I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth.  Here are some of the features I describe in my writeup:

  • HTML reports that allow for easy navigation/importing into a larger report
  • Generates a summary of flows between hosts on the network
  • Flows are broken up by segments representing parts of the conversation
  • Segments are dissected, carved, hashed. Currently, Pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6

While pcapline is developed and tuned for answering the questions from this challenge, it’s still a very useful starting point for examining other packet data as well.  You can view the report generated by pcapline here:

(NOTE: Files and data are carved out that some signature-based IPS will detect as being malicious.  I observed this on one computer where Sophos blocked access to this site on that computer after clicking the wrong link in this report.  You’re not likely in any danger, as pcapline renames things in such a way that they shouldn’t be executed or viewed in their native formats, but do take care)

Here’s the script itself. It’s a slightly newer version than the one on forensicscontest.com. I fixed a couple of places where it was generating terrible HTML that non-Firefox browsers choked on.



Today was officially my first day at my new job. I’ve taken a full-time position at Mississippi State University’s National Forensics Training Center. The NFTC is a really great program we have in the Computer Science & Engineering department that has a handful of primary tasks:

  • Training law enforcement agents to respond to and investigate crimes involving digital evidence
  • Giving wounded veterans digital forensic training, to give them a useful skill set and experience as they transition to other roles and jobs
  • Providing equipment for “Mini-Labs” throughout the state of Mississippi to distribute the case-load of digital forensic investigation here

The training provided by the NFTC is free for the students that qualify for it.

Now that I am working at the NFTC, I will be wearing many hats:

  • I will be updating the curriculum for classes we are currently teaching, and developing material for new classes (I am especially excited about adding a network forensics course later this year)
  • I will be teaching the courses that we have developed to law enforcement and veterans, in our teaching lab at MSU, and wherever else we travel to teach our classes
  • I will be working to build up a research focus at the NFTC, using our time between classes to develop and publish new digital forensic techniques and tools, free for use by our students and the digital forensics community as a whole.

I’m very excited about bringing my background with security, vulnerability assessment, and penetration testing to the forensics field in this job, and I’m looking forward to publishing more of our efforts in this area.  I will be blogging about forensics more often here, although it will always have a slant that will be interesting to security professionals.  We’ll also be unveiling a new NFTC website soon that will have better information about upcoming classes, and forensics news, whitepapers, and tools that will be of use to those outside of the community of our students too.


Today, results were posted for Sherri Davidoff and Jonathan Ham’s third network forensics puzzle contest. The puzzles, hosted at forensicscontest.com, are meant to encourage the development of network forensic tools that might be integrated into SANS training and toolkits. Puzzle #3 involved pulling information from an Apple TV device’s network traffic.

I participated in this contest and wrote a small Python script that generates a .CSV summary of Apple TV activity on a network and extracts .plist files from that traffic. It was a lot of fun to tinker around with, and it looks like I just managed to land in the list of finalists. You can check out the finalist entries, including mine, at the following links:

These competitions are fun to participate in, and I’m hoping that I’ll have time to finish up my entry for Puzzle #4 before the deadline.


My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie that was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of “GhostExodus”.

As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.

I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.

I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to Youtube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:

Google News shows over 170 related stories.

The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of public record, however I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:

(Edit: moved it offsite, because it was chewing a lot more bandwidth than you’d expect. You can read it online or download it from the above link.)

If you’re reading the above, I’m “CW-1”.

I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.

For now, though, I’ve had a long day, and I shall rest :)


Marcus J. Carey has uploaded videos from January 8th’s DojoSec event to his Vimeo account here.  I just watched Dale Beauchamp’s talk, “Practitioner’s Guide to Capturing and Analysis of RAM”, and enjoyed it.  It’s definitely worth watching, especially if you’re coming at this from the perspective of an incident handler.  He presents a few Windows memory imaging tools that can be run on a live-and-logged-in system, but a lot of the analysis also applies if you’re dealing with images created by msramdmp in a cold boot attack.

Dale Beauchamp – DojoSec January 2009 from Marcus J. Carey on Vimeo.


Tomorrow at 8:00 AM, I will be giving a lecture to the CSE 4273/6273 Computer Crime and Forensics class here at Mississippi State University. I was asked to speak on the topic of “Linux Filesystems”, and I have chosen to focus on the ext2 and ext3 filesystem data structures. The class is using the excellent “File System Forensic Analysis” by Brian Carrier as its textbook, so it’s a great opportunity to cover the chapters on ext2/3 (chapters 14 & 15).

It’s a 50-minute class, and pretty strictly so, since the Information and Computer Security class is held immediately afterwards :) .  Due to the limited time I have, I’ve scaled back my coverage of these two chapters to what you see in the following slides.  I’m focusing on the basic data structures used by “extx” to point at files and metadata, such as the superblock, group descriptor tables, and inodes.  I’ve included an example of finding a file on a filesystem using only dd piped through xxd and less, and some discussion of what a forensic examiner or someone tasked with data recovery should be on the look-out for.
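The walk the lecture describes (superblock, then group descriptor table, then inode table, then data block) as an added Python example; this is not code from the lecture or the slides. It parses only the ext2/ext3 on-disk fields it needs, using their standard offsets, and runs against a small constructed image rather than a real volume; the image layout (two block groups, 1 KiB blocks, inode 20 pointing at block 25) is an assumption built for the demonstration.

```python
import struct

EXT2_MAGIC = 0xEF53
SB_OFFSET = 1024  # the primary superblock always starts 1024 bytes into the volume

def parse_superblock(img):
    """Pull the fields needed to walk from an inode number to its bytes on disk."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_MAGIC:
        raise ValueError("no ext2/ext3 superblock at offset 1024 (magic 0x%04x)" % magic)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    # revision 0 has fixed 128-byte inodes; revision 1 records the size at offset 88
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return {"block_size": 1024 << log_block_size, "first_data_block": first_data_block,
            "inodes_per_group": inodes_per_group, "inode_size": inode_size}

def inode_table_block(img, sb, group):
    """The group descriptor table starts in the block after the superblock, 32 bytes per group."""
    gdt = (sb["first_data_block"] + 1) * sb["block_size"]
    return struct.unpack_from("<I", img, gdt + group * 32 + 8)[0]  # bg_inode_table

def inode_offset(img, sb, ino):
    """Inode numbers start at 1; map one to its byte offset inside the volume."""
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    return inode_table_block(img, sb, group) * sb["block_size"] + index * sb["inode_size"]

def read_inode(img, sb, ino):
    """Return i_mode, i_size and the non-zero direct block pointers (i_block[0..11])."""
    off = inode_offset(img, sb, ino)
    mode, _uid, size = struct.unpack_from("<HHI", img, off)
    blocks = [b for b in struct.unpack_from("<12I", img, off + 40) if b]
    return {"mode": mode, "size": size, "blocks": blocks}

def read_file(img, sb, ino):
    """Concatenate a small file's direct blocks and trim to i_size (no indirect blocks)."""
    node = read_inode(img, sb, ino)
    bs = sb["block_size"]
    return b"".join(img[b * bs:(b + 1) * bs] for b in node["blocks"])[:node["size"]]

def build_sample_image():
    """Constructed 26-block image (1 KiB blocks, two groups); inode 20 holds a 13-byte file."""
    img = bytearray(26 * 1024)
    struct.pack_into("<II", img, SB_OFFSET + 0, 32, 33)        # s_inodes_count, s_blocks_count
    struct.pack_into("<II", img, SB_OFFSET + 20, 1, 0)         # first data block 1, 1 KiB blocks
    struct.pack_into("<III", img, SB_OFFSET + 32, 16, 16, 16)  # blocks/frags/inodes per group
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, SB_OFFSET + 76, 1)             # s_rev_level 1
    struct.pack_into("<H", img, SB_OFFSET + 88, 128)           # s_inode_size
    gdt = 2 * 1024                                             # block 2 = group descriptor table
    struct.pack_into("<I", img, gdt + 0 * 32 + 8, 5)           # group 0 inode table at block 5
    struct.pack_into("<I", img, gdt + 1 * 32 + 8, 21)          # group 1 inode table at block 21
    ino_off = 21 * 1024 + 3 * 128                              # inode 20 -> group 1, index 3
    struct.pack_into("<HHI", img, ino_off, 0o100644, 0, 13)    # regular file, 13 bytes
    struct.pack_into("<I", img, ino_off + 40, 25)              # i_block[0] -> block 25
    img[25 * 1024:25 * 1024 + 13] = b"hello, world\n"
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    sb = parse_superblock(image)
    print(inode_offset(image, sb, 20), read_file(image, sb, 20))
```

The offset it prints for inode 20 is the same number you would seek to with dd piped through xxd; on a real volume replace build_sample_image() with the bytes of the image file.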

Unfortunately with this PDF version of the slides, you won’t see the slick Keynote animations I’ve worked into my lecture.  I’m considering expanding the detail and coverage of this, and recording the slideshow as a video with narration for this site:


Edit: Wow, that filter really killed the screenshots; I’ve uploaded the full-res version.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha