Monday, 8 November 2021

Install BIND9 DNS on ubuntu 20.04 server step by step

 Install BIND9 DNS on ubuntu 20.04 server steps 


1) lsb_release -a


2) vi /etc/hosts

127.0.0.1       localhost

192.168.32.50     dc.faceitnet.com.au dc



3) vi /etc/hostname

dc



4) vi /etc/cloud/cloud.cfg

preserve_hostname: true

5) reboot


6) vi /etc/resolv.conf

nameserver 192.168.32.50

nameserver 127.0.0.53

options edns0

search faceitnet.com.au



7) apt-get install bind9 bind9utils bind9-doc -y

cd /etc/bind/

cp named.conf.local named.conf.local.back

cp db.local db.fwd.faceitnet.com.au

cp db.local db.rev.faceitnet.com.au

mkdir /etc/bind/zones

mv db.fwd.faceitnet.com.au zones

mv db.rev.faceitnet.com.au zones


8) vi named.conf.local


Zone "faceitnet.com.au" IN {

Type master;

file "/etc/bind/zones/db.fwd.faceitnet.com.au";

allow-update {none;};

};


Zone "168.192.in-addr.arpa" IN {

type master;

file "/etc/bind/zones/db.rev.faceitnet.com.au";

allow-update {none;};

};




9) vi named.conf.options


acl "Trusted" {

        192.168.32.50;   # Name Server

};


options {

        directory "/var/cache/bind";


        // If there is a firewall between you and nameservers you want

        // to talk to, you may need to fix the firewall to allow multiple

        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113


        // If your ISP provided one or more IP addresses for stable

        // nameservers, you probably want to use them as forwarders.

        // Uncomment the following block, and insert the addresses replacing

        // the all-0's placeholder.


        recursion yes;                  # enables resursive queries

        allow-recursion { Trusted; };  # allows recursive queries from "trusted" clients

        listen-on { 192.168.32.50; };    # ns1 private IP address - listen on private network only

        allow-transfer { none; };      # disable zone transfers by default


        forwarders {

                8.8.8.8;

                8.8.4.4;

        };


        // forwarders {

        //      0.0.0.0;

        // };


        //========================================================================

        // If BIND logs error messages about the root key being expired,

        // you will need to update your keys.  See https://www.isc.org/bind-keys

        //========================================================================

        dnssec-validation auto;


        auth-nxdomain no;    # conform to RFC1035

        listen-on-v6 { any; };

};                         




10) cd zones

 vi db.fwd.faceitnet.com.au


;

; BIND data file for local loopback interface

;

$TTL    604800

@       IN      SOA     dc.faceitnet.com.au. root.dc.faceitnet.com.au. (

                        6

                        604800

                        86400

                        2419200

                        604800 )

;

@       IN      NS      localhost.

@       IN      A       127.0.0.1

@       IN      AAAA    ::1


;Name Server Information

        IN      NS      dc.faceitnet.com.au.

;Name Server A records

dc.faceitnet.com.au.      IN      A       192.168.32.50




11) Now open reverse file db.rev.faceitnet.com.au


 vi db.rev.faceitnet.com.au



;

; BIND data file for local loopback interface

;

$TTL    604800

@       IN      SOA     dc.faceitnet.com.au. root.dc.faceitnet.com.au. (

                        5

                        604800

                        86400

                        2419200

                        604800 )

;

@       IN      NS      localhost.

@       IN      A       127.0.0.1

@       IN      AAAA    ::1



;Name Server Information


        IN      NS     dc.faceitnet.com.au.


;PTR records from ip last two part


32.50      IN      PTR    dc.faceitnet.com.au.




12) root@ns1:/etc/bind/zones# service bind9 restart

13) root@ns1:/etc/bind/zones# service bind9 status

root@ns1:/etc/bind/zones# named-checkzone 168.192.in-addr.arpa db.fwd.faceitnet.com.au

root@ns1:/etc/bind/zones# named-checkzone 168.192.in-addr.arpa db.rev.faceitnet.com.au


Thursday, 7 October 2021

Prefetch Digital forensics

Subscribe to " FACEITNET " Youtube channel for more interesting videos 


Abstract

Digital forensics is one of the major counterparts in protecting and understanding cyber-attacks today. There are various ways to understand and identify cyber incidents. As we all know Microsoft plays a major role in Operating System usage today. The company uses many ways to improve the performance of Windows. One of the many ways is Prefetch files. Microsoft OS prefetches files that the system expects the user will need and loads them into memory making the "fetch" of the files faster and more efficient to decrease the start-up times of the applications. 

like many any other file in an operating system especially in windows, prefetch can be seen from a digital forensic perspective for further investigations.  It’s important to understand why Prefetch files.  In this report, I am going to analyze Prefetch files and how it could help in Digital forensics artifacts and the limitation of the files. This is not just another research report, but this will have some technical findings too.  For this analysis prepose I have used Windows 10, Windows Server 2019 operating systems, and some freely available prefetch analysis tools as well. 

Understanding prefetch files will help the forensic examiner, Prefetch files exist under the prefetch folder in the windows operating system installation directory. The importance of a prefetch file is that it can provide much information about what the user was doing even if the user is smart to cover the track. Prefetch files will provide a lot of useful information to the forensic investigator such as the last date used, application files stored information, how many times the application was used, and many other details

Introduction

Software developers and operating system designers have always been interested in speeding up the start-up times of operating systems and their application software.

The word Prefetch explains it clearly, Prefetch means grep the information in advance. In IT Prefetching means loading the required files or resources before they are required, to reduce the waiting time. This is how Microsoft Operating Systems faster the boot time or load time of applications by making cache files Have you ever thought about how your computer loads the files and websites you were reading just before your computer has gone to reboot unexpectedly? It is because your browser made a cached all the files you have used, Prefetch works exactly the same, it makes a cache of all your application files, boot files, and other files to use later. 

The prefetch files are temporary files and are stored in the system folder under the prefetch drive. This folder stores the frequently used files in your system. These prefetch files can be used to collect timestamps and other resources utilized when the file executes. The following information could be pulled out from the prefetch files.

1. Run Count - Number of times the application has been run
2. Resources loaded – Name of the executable 
3. Version 
4. Timestamp
5. The files and directories that were referenced during the application start-up
6. Hash of the executable path.
7. Last Run Time 

Prefetch files are used to learn the application behavior, such as whether the application is executed automatically or not. Furthermore, this will help forensic analysis to do a forensic investigation. Prefetch has been around since Windows XP. In Windows XP, Vista, and 7 the number of prefetch files are limited to 128 whereas in Windows 8 and above it is up to 1024.

Prefetch files are one of the best artifacts for forensics investigators to analyze the application behavior and to see when the file was executed and who executed it. Also, it will give the application location and the connected files. Locard’s exchange principle, any interactions, or contacts between two entities will result in the exchange of material. whenever a program runs the operating system will create data within the system, this data may exist for short time, or some data may be available until the system reboots. Even some other artifacts will be there after the reboot as well. Whatever the type there will be always some artifacts for forensic investigation

Technical Analysis

What is inside the prefetch file? The ultimate purpose of the prefetch file is to reduce the application or system boot time. This means every prefetch file will have data related to the application it belongs to in an instruction format. Prefetch file has standard naming as well in the following format, which itself metadata for forensic investigation. The naming has the following standard Application name, 8 character hash of the application location, and the file extension .pf

As mentioned in the introduction section apart from the above-given information prefetch files has the run count, a timestamp of the creation time, and the executable's last run time. Further to this basic static information prefetch folder has a large number of instructions for the commonly used programs to use at the start-up. 

When users launch an application or boot the system for the very first time in Microsoft systems windows cache manager traces the data and other library information needed for the application during the loading or starting uptime. This traced data from the memory will be then saved in the prefetch file with an appropriate name, now if the user launches the application again, firstly the prefetch file will be read and load the necessary libraries and application dependencies into memory before the application request and load them, this way Microsoft reduce the load time of application and boot process of the Microsoft Operating systems. 

Prefetch files help applications and programs to find the piece of data it needs at the time of start-up from the hard disk without waiting at the time on loading. Today program files used a huge amount of memory and files than before, so advance fetching those files will help the application to load faster. These files are very valuable in the digital forensic investigation also. 

Prefetch file Inspection. 

Prefetch files are found in c:\Windows\prefetch path and each file in the prefetch folder has a .pf extension. Each Prefetch file has a naming convention such as the application name-hash value.pf, The hash value was calculated using multiple information such as 
1) Full path for the file
2) Path converted to Unicode strings 
3) Path then converted to the Device path 
4) Hashing value applied
5) Finally, prefetch file name generated. 

Let’s have a look at a Prefetch file, before initiating the forensic analysis of the prefetch record as a forensic examiner you should check whether the prefetching process is enabled.

We will check the status of prefetching, Let's go to the registry editor and confirm the status, 

Computer \HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Session \Manager \Memory Management \PrefetchParameters
The value of the EnablePrefetcher is set as 3 by default as shown in the image below. You can change the EnablePrefetcher values according to your prefetching needs.  The options provide us with to customize EnablePrefetcher are explained below




 

0: Prefetching Disabled
1: Application Prefetching Enabled
2: Boot Prefetching Enabled
3: Application and Boot both Enabled

The prefetch files are saved under %SystemRoot%\Prefetch (C:\Windows\Prefetch).

Forensic Analysis of Prefetch Files

Since we understand well about the prefetch files and the reason why Microsoft has prefetch files. But we all know things we do to improve the standards and performances have been used by unethical or hackers to get more benefits in a negative way. Prefetch files are nothing exception to this. At the same time, Prefetch files are one of the fantastic artifacts for forensics investigation. It has massive metadata. 

In this technical analysis, I am going to use some tools to understand what we can get from the prefetch files. For these purposes I firstly used the WinPrefetch View tool, to read and understand the prefetch files stored in my computer. WinPrefetch deals with any variant of the Windows operating system, beginning from Windows XP to Windows 10. Windows 10 prefetch files (*.pf) is a bit of a different file format compared to previous versions.  At first glance, you'll spot no textual strings inside. 

Analyzing Prefetch

Although by simply viewing the prefetch files we can get some basic information, you need to parse the file to get more information it got. There are a number of programs capable of parsing these files and most of them work well in GUI 

 


Let's take a look at that CISCO Webex collaboration application. I have circled it in the screenshot above. We can see where the path to the .exe is, the number of times it has been run, and the last time it was run. This could all be critical information in a forensic investigation. Also, note in the lower pane that it lists every file used by the program with a path to the files.
If we click on the "Last Run Time" tab to sort by time, we can recreate a timeline of events that took place on that system.

 
Calculating the original path of the application from the hash provided in the prefetch file is relatively easy, but can be time-consuming. Depending on the version of Windows the file was taken from, a different hashing function is used

The exact location of the application executable file is as important as any timestamp metadata. Most experienced malware analysis or investigators can understand the added importance of a known file running from a temp folder against a legitimate location like, as the Windows system32 driver location.

The information we have on the filename would be quite valuable, the contents of a prefetch file have a massive amount of information for forensic. Prefetch data is extremely useful for detecting the unauthorized use of malicious software on a computer system. The prefetch file can expose when and from where the malware was executed and where the malware was run from. This is critical information for malware analysis and digital forensic, confirming the source of the malicious unauthorized files and how they reached on the system, which can be used in a security incident response, investigation, or litigation.

It's just a rule of that there is a delta time in between the time that prefetch processes monitoring the execution and the time the timestamp is actually updated of course all of this does assume that an attacker hasn't covered his or her tracks by deleting previous prefetch files which is the common anti-forensics technique.  if that's happened the prefetch files may be able to be carved from unallocated space using a file carving program. if the prefetch files have been securely wiped look for prefetch evidence that would indicate a file wiper was executed in this case we actually see a prefetch file for SDelete which could have been used for that purpose if that happened the attacker would potentially leave evidence of that deletion even if he or she tries to securely delete the prefetch file. whatever wiper has been used a new prefetch file would be immediately created it's kind of a catch 22 situation because what wipes evidence of execution for the file wiper itself will create a prefetch file.

Let's see the calculator prefetch file and understand it. 

let's start taking a look at the output so starting at the very top we have the file system timestamps for the prefetch file itself which is nothing new because this is exactly what we were looking at with windows explorer.

 


below that we have the executable name the hash the file size and the version then we have the total run count which can be extremely valuable to in this case we have the last runtime and then we have other runtimes where we can have up to seven additional timestamps for a total of the last eight times of execution because remember with Windows 8 and later, we get that information. 

Also with this tool PECmd.exe, we can find the malware execution via Directories referenced and we will be able to see the red highlighter /TEMP file. This tells us that the file name or application name also we can find the tiles running out of the Program data path. 



Reverse Engineering and Disassembly

Let’s deep dive into Prefetch to understand the how prefetch files are created and saved on a system. working. A Windows core component named ntkrnlpa.exe, a kernel process, is
responsible for creating, reading, writing, and executing prefetch files based on the instructions from the Windows Cache Manager. Prefetch called many functions at the time of an application launch Following are some of the functions called in prefetch files
PfSnBeginAppLaunch
PfPrefetchRequestVerify
PfGenerateTrace
[!]PfCalculateProcessHash
PfSnScanCommandLine
ntkrnlpa.exe is a huge file and it calls hundreds of functions The process of this goes as like this.

Starting Point
PfProcessCreateNotification
PfSnBeginAppLaunch
PfSnGetPrefetchInstructions

So how does the prefetch file helps in forensic? To answer this, when an activity occurred via the last execution time you can find what activity has taken place? Then via the counter value, we can identify how frequently this activity was performed. Also, prefetch files will give the path. For example, let’s say a prefetched executable has been executed x times calculator.exe By verifying the prefetch file, you can see the file path of the files that were executed.

In addition to this full directory path listed in the prefetch file discloses the user accounts. An investigation may show that there was a temporary account created to performing the criminal activity. This will answer the question “ who” in forensic investigation. Also, the full path will show the file, program, or the application was launched from external storage or internal storage? With the last execution, the time investigator can match the time stamp USBStor registry key to get the serial number of the external storage device as well. 

Even If cyber-criminal modifies the SIA and FNA timestamps in the MFT but the entries in the prefetch will not change. Following are some examples of forensic in Windows prefetch files.

1. Prefetch files can confirm that a criminal ran a clean-up program like sDelete.
2. If a program Is been deleted, a Prefetch file still exists to provide evidence of previous existence and execution.
3. Forensic investigators can decide the exact path of malware and when it was first/last run. 
4. With other basic timeline analyses, forensic investigators could identify any additional malware component.
5. By doing log analysis from different log sources and using a Prefetch file’s creation timestamp and last run timestamp as reference points, an investigator might be able to correlate the information and identify the initial vector of an attack.

Limitations 

Prefetch files are a very good source of evidence to decide the existence and execution of suspicious files on a system. However, it is just another one of the many Windows artifacts that help investigators to understand what a user was doing on a system at a point in time. But keep in mind all the Windows artifacts must be analyzed and examined to see the bigger picture of a cyber security breathing incident. 

Also, you need to understand it monitors the first 10 seconds of application startup, and even in the new generation SSDs it has been identified to 2 to 3 seconds. Prefetching process on the system could be disabled by users or disabled by the default setting on SSDs running Windows 7 or Windows 8 Operating System. This will create the absence of the Prefetching files on the system for forensic analysis. 

Another big limitation of these prefetch files is they are temporary files and the system could delete or overwrite the prefetch files, which may hide the artifacts in forensic. Also, there is no relationship between the application action and the crime in the digital forensic examination. 

Though we get much useful information still as mentioned above there are limitations to use the prefetch as it will not show how the incident was initiated. We still need to work with other forensic techniques to finalize and confirm the incidents. 

Conclusion
In this report, i initiated a study that to explore the potential of prefetch files.  As prefetch is relating to a forensic investigation. I was able to find much interesting information. Prefetch will keep a counter as we found above and keep on updating it every time it runs the application. For a forensic investigation, having information about the first created time, Last modified time and number of times will give you the complete detail of the application. Further, it gives the full path and depending directories as well. 

Arranging the prefetch in time order will also give a clear picture of what happened when an incident occurred. Will give a clear picture of what happened in the order. With the help of further registry, memory, and storage forensic will give the complete picture with evidence to conclude the incident. 

Reference 


1. OTW (2016). Digital Forensics, Part 6: Analyzing Windows Pre-fetch Files for Evidence. [online] hackers-arise. Available at: https://www.hackers-arise.com/post/2016/11/02/digital-forensics-part-6-analyzing-windows-pre-fetch-files-for-evidence.

2. Magnet Forensics. (2014). Forensic Analysis of Prefetch files in Windows. [online] Available at: https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/.

3. B, M. (2016). Windows Wednesday: Prefetch Files. [online] Medium. Available at: https://bromiley.medium.com/windows-wednesday-prefetch-files-683f6ab5b9db.

4. Forensic Focus. (2019). Hunting For Attackers’ Tactics And Techniques With Prefetch Files. [online] Available at: https://www.forensicfocus.com/articles/hunting-for-attackers-tactics-and-techniques-with-prefetch-files/.

5. Rocha, L. (2016). Digital Forensics – Prefetch Artifacts. [online] Count Upon Security. Available at: https://countuponsecurity.com/2016/05/16/digital-forensics-prefetch-artifacts/ [Accessed 26 Sep. 2021].
6. Ch, R. and el (2020). Forensic Investigation : Prefetch File. [online] Hacking Articles. Available at: https://www.hackingarticles.in/forensic-investigation-prefetch-file/.
7. Infosec Resources. (n.d.). Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files. [online] Available at: https://resources.infosecinstitute.com/topic/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/.

8. www.sans.org. (n.d.). SANS Digital Forensics and Incident Response Blog | Device Profiling With Windows Prefetch | SANS Institute. [online] Available at: http://sans.org/blog/device-profiling-with-windows-prefetch/ [Accessed 26 Sep. 2021].

9. GitHub. 2021. libscca/Windows Prefetch File (PF) format.asciidoc at main · libyal/libscca. [online] Available at: <https://github.com/libyal/libscca/blob/main/documentation/Windows%20Prefetch%20File%20(PF)%20format.asciidoc> [Accessed 26 September 2021].

10. https://www.researchgate.net/. 2021. Exploring the limits of prefetching. [ONLINE] Available at: https://www.researchgate.net/publication/220497769_Exploring_the_limits_of_prefetching. [Accessed 20 September 2021]. 


Wednesday, 15 September 2021

3. Prevent Windows from Storing LAN Manager Hash using GPO

Subscribe to " FACEITNET " Youtube channel for more interesting videos 


4. Control Access to Command Prompt using GPO

Subscribe to " FACEITNET " Youtube channel for more interesting videos 


2 .How to Block USB or Removable Devices using Group Policy

Subscribe to " FACEITNET " Youtube channel for more interesting videos 


How to Disable File Download in Internet Explorer using Group Policy

Subscribe to " FACEITNET " Youtube channel for more interesting videos 


Configure common wallpaper using GPO

Subscribe to " FACEITNET " Youtube channel for more interesting videos 

Group Policies are the easiest method administrators can use to configure computer and user settings on their networks using Active Directory Domain Services (AD DS). As long as computers are joined to your domain and your users log in with domain credentials, you can set Group Policies that will reduce help desk tickets and costs, and control all configurations. All the while keeping your user base happy and secure.

Configure common wallpaper using GPO

As you would have seen in many large enterprises, every computer in the organization will have same wallpaper. How did they configure all the computers with common wallpaper? Have they manually configured this on each and every computer? The answer is no. Then how did they configure it?

The simple answer is GPO. Yes using GPO we can easily assign a common wallpaper to each and every computers in the domain. Let’s see how to configure a common wallpaper using GPO. 

To configure a common wallpaper you must have a picture and that should be in a shared folder with read and write permission to every users.

1.       Create a folder and share it first.

  

2.       Now assign the full permission to everyone


3.       Go to Group policy manager in your domain controller. 

 


4.        Create a new group Policy by right clicking on the Group Policy Object.

 

5.       Right click on the newly created Group policy and go to edit expand User Configuration, expand Administrative Templates, expand Desktop, and then click Desktop. In the details pane, double-click Desktop Wallpaper.


6.     Now enable the policy and give the wallpaper name with the full shared path. Confirm the path by accessing via run. Then apply and ok on the wallpaper GPO screen.


 

7.     Now you need to apply the newly created policy to a specific OU or if it’s for all the users then apply under the domain. To apply the policy under the domain simply click on the policy and drag it where ever you would like to apply and drop it there, the new policy is now lined to that specific OU.


8.      On the client machine wait for the policy to get updated. The users may have to log off and login once to see the changed desktop wallpaper. If not then you can use gpupdate /force command in the cmd as well.

9.      You can verify if the policy is been applied or not by entering gpresult /r in command prompt.



Most common and important other GPOs .

1.       Disable Windows Update using Group Policy

2.       Disable File Download in Internet Explorer using Group Policy

3.       Block USB or Removable Devices using Group Policy

4.       Prevent Windows from Storing LAN Manager Hash

5.       Control Access to Command Prompt

6.       Disable Forced System Restarts

7.       Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives

8.       Restrict Software Installations

9.       Disable Guest Account

10.   Set Minimum Password Length to Higher Limits

11.   Set Maximum Password Age to Lower Limits

12.   Restrict Access to Control Panel and Settings

13.   Install application using GPO

14.   Automatic drive mapping.

15.   Folder Redirection.

 

Thursday, 9 September 2021

Most Frequently Used UNIX / Linux Commands

Subscribe to " FACEITNET " YouTube channel for more interesting videos 

Ubuntu one of the most popular operating systems with an extensive user-base around the world, Below, you will find the 40 best Ubuntu terminal commands our experts have handpicked in an aim to skyrocket your Ubuntu system experience
ls presents to you the contents of a particular directory – both files and directories

vim :Vim is a text editor. The most simple commands allow you to open and close documents as well as saving them

Install Vim on Ubuntu/Debian:

If you're using Ubuntu or Debian use apt-get to install Vim:

sudo apt-get install vim

Install Vim on CentOS/Fedora:

If you're using CentOS or Fedora, use yum to install Vim:

sudo yum install vim

pwd Print working directory command in Linux

mkdir create directories from within the terminal. Make Directory)



ifconfig The ifconfig command will give you the list of all the network interfaces along with the IP addresses, MAC addresses and other information about the interface.

if the tool ifconfig is not installed then you can install using the below commons 


ifconfig 

sudo: Super User ( sudo apt-get update ) | Command to escalate privileges in Linux



less The less command is used when the output printed by any command is larger than the screen space and needs scrolling. The less command allows use to break down the output and scroll through it with the use of the enter or space keys.


wget – Direct download files from the internet, wget command is one of the handiest command-line utilities available



cd – Linux command to navigate through directories




tar – Command to extract and compress files in Linux

To compress 


To uncompress
 


grep (global regular expression print.) – Search for a string within an output

grep 'two' /~Download/sample1.doc



ps – Display active process


ssh – Secure Shell command in Linux


df – Display disk filesystem information


rm – Delete files or directories


mv – Move or rename files in Linux

cp – Similar usage as mv but for copying files in Linux


cat – Display file contents on the terminal


clear – Clear the terminal display





chmod – Command to change file permissions


wget – Direct download files from the internet


passwd – Create or update passwords for existing users

Http vs Https