(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

TechCrunch

16 Apple Security Advances to Take Note of in 2016
TechCrunch
Apple has long been known for providing an exceptional user experience. But many might not realize that over the past few years, they've been pushing the infosec envelope, by making advanced security options accessible to everyday users. While not all ...

 


A woman whose husband died has spent months trying to gain access to his Apple account, according to a Canadian Broadcasting Corporation report today. Apple initially told the woman that she would have to provide a will and death certificate, but once she provided those documents the company reportedly asked for something else—a court order.

There are good privacy and security reasons for Apple to impose strict controls on account access, but in this case, the company seems to have acknowledged it went too far by demanding a court order. After CBC got involved, Apple relented and will apparently allow the widow, 72-year-old Peggy Bush of Victoria, BC, to get access to her late husband's Apple ID.

"After [CBC News] contacted Apple, it did reach out to the Bush family and apologize for what it called a 'misunderstanding,' offering to help the family solve the problem—without a court order," the report said. "At the time of publication, it was working with Donna Bush to do that."


 

In previous diaries I have talked about using Volatility; in this diary I will talk about some other plugins.

1- MBR parser

The mbrparser plugin scans for and parses potential Master Boot Records (MBRs) in the memory image.

vol.py --profile=Win7SP1x86 -f win7SP1.bin mbrparser

Volatility Foundation Volatility Framework 2.5
***************************************************************************
Potential MBR at physical offset: 0x600
Disk Signature: fd-04-bb-b7
Bootcode md5: 40b32fa4b4f6aae1c2c47c02a27b873e
Bootcode (FULL) md5: 0e8ac4f7d364af5e54b96b561712aa30
Disassembly of Bootable Code:
0000000600: 33c0 XOR AX, AX
0000000602: 8ed0 MOV SS, AX
0000000604: bc007c MOV SP, 0x7c00

As you can see, mbrparser shows the disk signature and the MD5 hashes of the boot code, and it disassembles the bootable code.
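To make concrete what mbrparser is looking for, here is an added example (written for this page, not Volatility's own code) that scans a constructed memory buffer for candidate MBRs the same way: a 0x55AA signature at the end of a 512-byte sector, a partition table whose status bytes make sense, and then the disk signature at offset 0x1B8, the MD5 of the boot code and the partition entries. The sample buffer reuses the disk signature and the three instructions from the output above; the partition values, the hash boundaries and the decoy sector are this example's own assumptions.

```python
"""Scan a memory-image buffer for candidate Master Boot Records and parse them.

Added example, not Volatility's mbrparser. It reports what that plugin's output
shows (offset, disk signature, boot-code hashes, partition table) for a buffer
constructed here; the hash boundaries are this example's own choices.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

SECTOR = 512
BOOTCODE_LEN = 440           # bytes 0..439 precede the disk signature
DISK_SIG_OFF = 0x1B8         # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA, count."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> Optional[dict]:
    """Return parsed fields if `sector` looks like an MBR, else None."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return None
    entries = [sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    # 0x55AA alone gives many false hits in RAM; a real table only has
    # status bytes 0x00 or 0x80, so reject anything else.
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return None
    parts = [parse_partition_entry(e) for e in entries]
    return {
        "disk_signature": "-".join(f"{b:02x}" for b in
                                   sector[DISK_SIG_OFF:DISK_SIG_OFF + 4]),
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "partitions": [p for p in parts if p["type"] != 0],
    }


def scan_for_mbrs(image: bytes) -> List[Tuple[int, dict]]:
    """Walk the image sector by sector and return (offset, fields) per hit."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        mbr = parse_mbr(image[off:off + SECTOR])
        if mbr is not None:
            hits.append((off, mbr))
    return hits


def build_sample_sector() -> bytes:
    """Constructed sector: the three instructions from the diary's disassembly,
    the diary's disk signature, one bootable NTFS partition, and 0x55AA."""
    sector = bytearray(SECTOR)
    sector[:7] = bytes.fromhex("33c0 8ed0 bc007c")  # XOR AX,AX; MOV SS,AX; MOV SP,0x7C00
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = bytes.fromhex("fd04bbb7")
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 409600)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_decoy_sector() -> bytes:
    """Constructed false positive: 0x55AA in place but garbage where the
    partition table should be, which the status-byte check rejects."""
    sector = bytearray(b"\x12" * SECTOR)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed image: three empty sectors, the MBR at 0x600 (as in the diary),
# a decoy sector, then padding.
SAMPLE_IMAGE = (bytes(3 * SECTOR) + build_sample_sector()
                + build_decoy_sector() + bytes(2 * SECTOR))

if __name__ == "__main__":
    for off, mbr in scan_for_mbrs(SAMPLE_IMAGE):
        print(f"Potential MBR at physical offset: {off:#x}")
        print(f"Disk Signature: {mbr['disk_signature']}")
        print(f"Bootcode md5: {mbr['bootcode_md5']}")
        for p in mbr["partitions"]:
            print(f"  type={p['type']:#04x} bootable={p['bootable']} "
                  f"lba={p['lba_start']} sectors={p['sectors']}")
```

The boot-code hash is the useful field for a defender: compared against the hash of the known-good boot code for that Windows build, a mismatch is how a modified MBR stands out without reading the disassembly by hand. The example leaves the disassembly itself to a real disassembler.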

2- MFT parser

The mftparser plugin scans for potential Master File Table (MFT) entries in memory (using the FILE and BAAD signatures) and prints out information for certain attributes, currently $FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), and the $FN and $SI attributes from the $ATTRIBUTE_LIST; the output below also shows $DATA and $OBJECT_ID entries.

vol.py --profile=Win7SP1x86 -f win7SP1.bin mftparser

$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-14 04:52:30 UTC+0000 2009-07-14 04:52:31 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 04:52:31 UTC+0000 Content not indexed

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\DEFAUL~1

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\Default Pictures

***************************************************************************
***************************************************************************
MFT entry found at offset 0x160c00
Attribute: In Use Directory
Record Number: 295
Link count: 1

$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-14 02:37:05 UTC+0000 2009-07-14 02:04:54 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 02:37:05 UTC+0000 Unknown Type

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\Vault

***************************************************************************
***************************************************************************
MFT entry found at offset 0x2a9000
Attribute: In Use File
Record Number: 18536
Link count: 2

$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2010-11-20 21:29:06 UTC+0000 2010-11-20 21:29:06 UTC+0000 2011-03-04 17:16:41 UTC+0000 2010-11-20 21:29:06 UTC+0000 Archive

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 dnscmmc.dll

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 Windows\System32\dnscmmc.dll

$DATA

$OBJECT_ID
Object ID: 40000000-0000-0000-00b0-010000000000
Birth Volume ID: 00aa0100-0000-0000-00aa-010000000000
Birth Object ID: 311bcb11-0900-ada0-ffff-ffff82794711
Birth Domain ID: 00000000-0000-0000-0000-000000000000
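As an added example (written for this page, not Volatility's mftparser), the following parses one MFT FILE record the way the plugin's output above is laid out: it undoes the NTFS update-sequence fixups, reads the $SI and $FN timestamps, and then compares the two sets. The dnscmmc.dll entry above has a $SI creation time in 2010 but a $FN creation time in 2011; that kind of disagreement is worth a second look because $FN timestamps are set by the file system itself and are not touched by the usual timestamp-setting APIs, although a copy or move that preserves timestamps produces the same pattern. The record is constructed here after that entry; the parent reference, the flag values and the decision to reject records whose fixup words mismatch are this example's own assumptions.

```python
"""Parse an NTFS MFT FILE record and compare its $SI and $FN timestamps.

Added example, not Volatility's mftparser. It applies the update-sequence
fixups, decodes the resident $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN)
attributes, and lists the $SI/$FN disagreements an analyst looks at when
timestomping is suspected. The record is constructed here after the diary's
dnscmmc.dll entry; parent reference and flag values are assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RECORD_SIZE, SECTOR = 1024, 512
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601                     # integer maths keeps it exact
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def apply_fixups(record: bytes) -> Optional[bytes]:
    """Undo update-sequence protection; None if a sector tag does not match."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    if usa_count != RECORD_SIZE // SECTOR + 1:
        return None
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            return None                      # torn record, or not a record at all
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def _times(body: bytes, off: int) -> dict:
    keys = ("created", "modified", "mft_altered", "accessed")
    return dict(zip(keys, map(filetime_to_dt, struct.unpack_from("<4Q", body, off))))

def parse_record(raw: bytes) -> Optional[dict]:
    """Header fields plus $SI and every $FN of one 1024-byte record."""
    rec = apply_fixups(raw) if raw[:4] == b"FILE" else None  # BAAD etc. skipped
    if rec is None:
        return None
    link_count, attr_off, flags = struct.unpack_from("<HHH", rec, 0x12)
    entry = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
             "in_use": bool(flags & 1), "directory": bool(flags & 2),
             "link_count": link_count, "si": None, "fn": []}
    while attr_off + 24 <= RECORD_SIZE:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, attr_off)
        if atype == ATTR_END or alen == 0:
            break
        if nonres == 0 and atype in (ATTR_SI, ATTR_FN):
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            body = rec[attr_off + coff:attr_off + coff + clen]
            if atype == ATTR_SI:
                entry["si"] = _times(body, 0)
            else:                            # $FN: 8-byte parent ref, then times
                fn = _times(body, 8)
                fn["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
                entry["fn"].append(fn)
        attr_off += alen
    return entry

def suspicious_timestamps(entry: dict) -> List[str]:
    """Heuristics only: each note is a reason to look closer, not proof."""
    notes, si = [], entry["si"]
    if si is None:
        return notes
    if si["created"].microsecond == 0 and si["modified"].microsecond == 0:
        notes.append("$SI created/modified carry no sub-second part")
    for fn in entry["fn"]:
        if si["created"] < fn["created"]:
            notes.append(f"$SI creation predates $FN creation for {fn['name']}")
    return notes

def build_sample_record() -> bytes:
    """Constructed record: $SI created 2010-11-20, $FN created 2011-03-04."""
    ft = lambda *t: dt_to_filetime(datetime(*t, tzinfo=timezone.utc))
    t_si, t_fn = ft(2010, 11, 20, 21, 29, 6), ft(2011, 3, 4, 17, 16, 41)
    si = struct.pack("<QQQQI", t_si, t_si, t_fn, t_si, 0x20) + bytes(12)
    fn = (struct.pack("<QQQQQQQII", 5 | (5 << 48), t_fn, t_fn, t_fn, t_fn, 0, 0, 0x20, 0)
          + bytes([11, 3]) + "dnscmmc.dll".encode("utf-16-le"))

    def attr(atype, body):                   # resident attribute, 0x18-byte header
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
        return (hdr + body).ljust(total, b"\0")

    rec = bytearray(RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)             # USA at 0x30, 3 words
    struct.pack_into("<HHHH", rec, 0x10, 1, 2, 0x38, 1)  # seq, links, attr off, in use
    struct.pack_into("<I", rec, 0x2C, 18536)
    rec[0x30:0x36] = b"\x01\x00" + bytes(4)              # USN 1, saved words 0
    attrs = attr(ATTR_SI, si) + attr(ATTR_FN, fn) + struct.pack("<I", ATTR_END)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[510:512] = rec[1022:1024] = b"\x01\x00"          # sector tags as on disk
    return bytes(rec)

if __name__ == "__main__":
    e = parse_record(build_sample_record())
    print(e["record_number"], e["link_count"], [f["name"] for f in e["fn"]])
    print("\n".join(suspicious_timestamps(e)))
```

On a real image the records come from wherever a FILE signature parses cleanly, which is what the fixup check is for: a buffer that merely contains the four letters, or a record only half-resident in memory, fails the sector-tag comparison and is dropped rather than reported with bogus timestamps.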

3- UserAssist

vol.py --profile=Win7SP1x86 -f win7SP1.bin userassist --output-file=userassist.txt

----------------------------
Registry: \??\C:\Users\Daniel\ntuser.dat
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Last updated: 2013-10-15 18:48:57 UTC+0000
Subkeys:
Values:
REG_BINARY %windir%\system32\mspaint.exe :
Count: 10
Focus Count: 12
Time Focused: 0:03:40.594000
Last updated: 2013-10-15 18:46:16 UTC+0000
Raw Data:
0x00000000 00 00 00 00 0a 00 00 00 0c 00 00 00 be 5b 03 00 .............[..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 10 f1 72 d4 ..............r.
0x00000040 d6 c9 ce 01 00 00 00 00 ........

Here is a sample output of the userassist plugin; the Count entry shows the number of times that mspaint.exe has been executed.
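To show where those numbers come from, here is an added example (not Volatility's code) that decodes the raw value bytes printed above. It assumes the 72-byte Windows 7 layout of a UserAssist Count value: session id, run count, focus count, focus time in milliseconds, ten floats, a dword, and a FILETIME of the last run. The value name is stored ROT13-encoded in the registry, so the name fed to the function is the ROT13 form reconstructed from the decoded path the plugin prints.

```python
"""Decode one Windows 7 UserAssist value the way the userassist plugin shows it.

Added example, not Volatility's code. The value name is stored ROT13-encoded;
the 72-byte data holds session id, run count, focus count, focus time in
milliseconds, ten floats, a dword and a FILETIME of the last run. SAMPLE_RAW
is the diary's mspaint.exe dump; SAMPLE_NAME is the ROT13 form of the decoded
path the diary prints.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_LAYOUT = "<IIII10fIQI"          # 72 bytes
SAMPLE_NAME = r"%jvaqve%\flfgrz32\zfcnvag.rkr"
SAMPLE_RAW = bytes.fromhex(
    "00000000 0a000000 0c000000 be5b0300"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf ffffffff 10f172d4"
    "d6c9ce01 00000000"
)


def filetime_to_dt(ft: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never recorded."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def parse_userassist(rot13_name: str, data: bytes) -> dict:
    """Decode the value name and the Windows 7 counter block."""
    if len(data) != struct.calcsize(WIN7_LAYOUT):
        raise ValueError("expected a 72-byte Windows 7 UserAssist value")
    f = struct.unpack(WIN7_LAYOUT, data)
    return {
        "program": codecs.decode(rot13_name, "rot13"),
        "session": f[0],
        "count": f[1],                             # number of launches
        "focus_count": f[2],
        "time_focused": timedelta(milliseconds=f[3]),
        "last_updated": filetime_to_dt(f[15]),     # Q after the ten floats and a dword
    }


def format_entry(entry: dict) -> str:
    """Render in the same order as the plugin's output lines."""
    when = entry["last_updated"].strftime("%Y-%m-%d %H:%M:%S UTC+0000") \
        if entry["last_updated"] else "never"
    return (f"{entry['program']} :\nCount: {entry['count']}\n"
            f"Focus Count: {entry['focus_count']}\n"
            f"Time Focused: {entry['time_focused']}\nLast updated: {when}")


if __name__ == "__main__":
    print(format_entry(parse_userassist(SAMPLE_NAME, SAMPLE_RAW)))
```

Decoded from the raw bytes, the count (10), focus count (12) and last-updated time (2013-10-15 18:46:16) match the plugin's lines above. The focus-time field is 0x00035bbe, which is 220094 ms or 0:03:40.094, half a second less than the plugin's printout; the example reports the raw field as stored.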

4- Shellbags

vol.py --profile=Win7SP1x86 -f win7SP1.bin shellbags --output-file=shellbags.txt

***************************************************************************
Registry: \??\C:\Users\Daniel\ntuser.dat
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2013-10-15 18:45:30 UTC+0000
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ------------
ItemPos1024x768x96(1) GZIP-1~1.12- 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 DIR gzip-1.3.12-1-bin
ItemPos1024x768x96(1) PROCES~1.31- 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 DIR processhacker-2.31-bin
ItemPos1024x768x96(1) SYSINT~1 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 NI, DIR SysinternalsSuite
ItemPos1024x768x96(1) TRUECR~1 2013-10-06 16:38:34 UTC+0000 2013-10-05 01:33:00 UTC+0000 2013-10-06 16:38:34 UTC+0000 DIR TrueCrypt
ItemPos1024x768x96(1) nasm.lnk 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 ARC nasm.lnk
ItemPos1024x768x96(1) PROCES~1.ZIP 2013-10-15 18:13:08 UTC+0000 2013-10-15 18:13:18 UTC+0000 2013-10-15 18:13:18 UTC+0000 ARC, NI processhacker-2.31-bin.zip
ItemPos1024x768x96(1) TRUECR~1.ZIP 2013-10-05 01:32:24 UTC+0000 2013-10-05 01:32:30 UTC+0000 2013-10-05 01:32:30 UTC+0000 ARC, NI TrueCrypt 7.1a Source.zip
ItemPos1024x768x96(1) WINSDK~1.EXE 2013-10-06 16:11:04 UTC+0000 2013-10-06 16:11:40 UTC+0000 2013-10-06 16:11:40 UTC+0000 ARC, NI winsdk_web.exe
ItemPos1024x768x96(1) VMWARE~1.LNK 2013-10-15 18:45:08 UTC+0000 2013-10-06 19:16:02 UTC+0000 2013-10-15 18:45:08 UTC+0000 ARC VMware Shared Folders.lnk
*************************


 

Security Intelligence (blog)

The Pick of 2016 Security Conferences
Security Intelligence (blog)
InfoSec World will take place in Florida in April, featuring seven conference tracks as well as a CISO Leadership Summit, IT Audit Management Summit and Risk Management Summit. It features speakers from both technology vendors and enterprises, with the ...

 

The Register

KeysForge will give you printable key blueprints using a photo of a lock
The Register
University of Colorado infosec assistant professor Eric Wustrow and two colleagues revealed the work at the Chaos Communications Congress in Hamburg last month. "We made an automatically generating 3D model program [which] takes a single picture of ...

 