Search the Community

In certain investigations, it may arise that you need to find the following: What process was using the camera or microphone? When was the last session? How long was that session? Using the contents of the following reg keys, you can to determine when and how long a process had access to privacy protected resources. These resources include the microphone, webcam, bluetooth, location, contacts and more. For this blog, I will focus on the microphone and webcam as an example. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\ Below is an example of the typical entries in the webcam directory. There are several entries including Microsoft and non-Microsoft applications Microsoft applications are stored in as child keys but non-Microsoft applications (which are of the most interest) are stored in the NonPackaged child key. Within the NonPackaged directory, you can see that the name of the keys are the full path of an executable with # replacing \. Each entry has two values, LastUsedTimeStart and LastUsedTimeStop, with the timestamps in FILETIME format. From the example above, you are able to determine, Zoom.exe had access to my webcam for 27.2 minutes (between 2020/06/01 04:30:52 UTC and 2020/06/01 04:58:04 UTC). Whether you are looking at what processes had access to a webcam or even trying to prove long a user’s conversation may have been, this is a great source of information. Testing RAT-like behaviour I needed to test if this also applied to more malicious methods of accessing the microphone. I used a meterpreter post-exploit module to record audio from Windows VM. As soon as I ran the recording command, a new entry was populated from where my meterpreter shell was executed. Pretty cool! Monitoring If we wanted to track all sessions (not just the last), it is easy with Sysmon. If you are running something like the Swift on Security configuration, you will need to add an inclusion line for event id 12,13 and 14 (Registry modification): <TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- When a process accesses bluetooth, location, webcam, microphone etc, the timestamps of last access are updated here. HKLM and HCKU --> After updating your configuration, a Sysmon event will now be created when the registry keys are created or updated. Below is the LastUsedTime key being updated for Skype.exe accessing my microphone in the Sysmon event log. The timestamp in the log are still in hex which needs to be coverted to decimal then to a human readable timestamp, however the timestamp of the event itself is also very accurate. Conclusion What spurred this off is when I came across this page in the settings, and it got me thinking on where this data is stored. It will be interesting if there are other places that track historical sessions without the use of monitoring. This would be more valuable to forensic analysts that don’t always have nice logs. Further research also could be done to identify which device the process is accessing (front camera, USB camera etc). I would also like to explore if this method catches more covert RAT malware. Thanks for reading, Source Zach

Pentru cei ce lucreaza in domeniu sau pentru curiosi :) 1: Username (Alias) http://namechk.com/ http://knowem.com/ http://www.namecheckr.com/ http://checkusernames.com/ http://usersherlock.com/ https://www.usersearch.org/ 2: Archives https://archive.org/index.php https://www.archive-it.org/ http://aad.archives.gov/aad/series-list.jsp?cat=GS29 3: Social Networks http://www.yasni.com/ http://socialmention.com/ http://www.whostalkin.com/ http://www.linkedin.com/ http://www.formspring.me/ http://foursquare.com/ https://about.me/ https://profiles.google.com/ http://blogger.com https://twitter.com/ http://www.facebook.com/ https://deviantart.com http://xanga.com/ http://tumblr.com/ http://myspace.com/ http://www.photobucket.com/ http://www.quora.com/ http://www.stumbleupon.com/ http://www.reddit.com http://www.digg.com http://www.plixi.com http://pulse.yahoo.com/ http://www.flickr.com/ 4: Phone Numbers http://www.freecellphonedirectorylookup.com http://www.numberway.com/ http://www.fonefinder.net http://www.whitepages.com/reverse-lookup http://www.anywho.com/reverse-lookup http://www.yellowpages.com/reversephonelookup http://www.spydialer.com/ http://www.intelius.com/reverse-phone-lookup.html 5: IP Addresses http://www.infosniper.net/ http://ip-lookup.net/ https://www.whatismyip.com/ip-whois-lookup/ http://whatstheirip.com http://getthierip.com 6: Skype Resolvers http://skypegrab.net/resolver.php http://www.skresolver.com/index.php http://resolvethem.com/ https://www.hanzresolver.com/skype2 https://skype-resolver.org/ http://mostwantedhf.info/ http://orcahub.com/skyperesolver.php https://booter.xyz/skype-resolver/ http://cstress.net/skype-resolver/ http://iskyperesolve.com/ https://ddosclub.com/skype-resolver/index.php 7: Database Search http://skidbase.io/ 8: WHOIS/Website https://www.whois.net/ http://whois.icann.org/en https://who.is/ http://www.whois.com/whois http://www.whois.com/ http://www.statsinfinity.com/ 9: Images http://www.tineye.com/ http://saucenao.com/ http://www.photobucket.com/ https://images.google.com/?gws_rd=ssl 10: IP2Skype http://skypegrab.net/ip2skype.php https://resolvethem.com/ip2skype.php http://www.skresolver.com/ip-to-skype.php http://mostwantedhf.info/ip2skype.php https://www.hanzresolver.com/ip2skype http://skype2ip.ninja/ip2skype.php https://pkresolver.nl/ip2skype.php http://www.chromeresolver.info/IP2Skype.php 11: Email2Skype http://mostwantedhf.info/email.php http://www.skresolver.com/email-to-skype.php https://www.hanzresolver.com/emaillookup https://resolvethem.com/email.php http://freetool.tk/email2skype.php http://skypegrab.net/email2skype.php 12: Skype2Lan http://www.skresolver.com/skype-to-lan.php 13: Skype2Email http://skypegrab.net/skype2email.php https://pkresolver.nl/skype2email.php 14: MAC Address Lookup http://www.coffer.com/mac_find/ http://www.whatsmyip.org/mac-address-lookup/ http://www.macvendorlookup.com/ http://macaddresslookup.org/ http://aruljohn.com/mac.pl 15: Lat/Long http://www.latlong.net/ http://itouchmap.com/latlong.html http://stevemorse.org/jcal/latlon.php 16: EXIF Data http://regex.info/exif.cgi http://exif-viewer.com/ http://metapicz.com/#landing http://www.verexif.com/en/ http://www.findexif.com/ http://www.prodraw.net/online-tool/exif-viewer.php http://exifdata.com/ 17: IP Logger http://grabify.link/ http://blasze.com/ 18: Other http://wink.com/ http://www.abika.com/ http://www.freeality.com/ http://radaris.com/ http://twoogel.com/ http://www.spokeo.com/ http://www.pipl.com/ http://wink.com/ http://www.peekyou.com/ http://yoname.com/ https://www.linkedin.com/ http://search.yahoo.com/ https://google.com/ https://bing.com/ https://reddit.com/ http://www.yellowpagesgoesgreen.org/ http://aad.archives.gov/aad/series-list.jsp?cat=GS29 http://www.numberway.com/uk/ https://www.vinelink.com/vinelink/initMap.do http://www.jailbase.com/en/sources/fl-lcso/ http://publicrecords.onlinesearches.com/ https://www.Intelius.com/ http://www.zoominfo.com/s/#search http://skipease.com/ https://www.advancedbackgroundchecks.com http://www.PublicRecordsNow.com

Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tool. Download: Mobius Forensic Toolkit - Summary [savannah]

SkypeFreak A Cross Platform Forensic Framework for Skype Fully Open Source Written in Python 2.7 Supports Windows, Linux and OS X Will be ported to Ruby and PHP soon Won't work with alternative accounts using Microsoft and Facebook What is this all about? This is a small idea of mine. A full open source forensic framework for Skype. I love to analyze applications and explore how things work behind the scenes. The main goal of this application is to aid in forensic investigations. What is so special in this? Actually there are many other tools which could the same thing, but I thought writing a open source tool to help people understand what is really going on and anyone can customize this according their needs. Will there be a big Forensic framework? Yes me, Hood3dRob1n and Nick Knight are planning a full fledged forensic framework including most famous applications such as Firefox, Google Chrome, Safari, Opera, etc. This will be available in Python, Ruby and PHP. Conclusion None of the application you use today are safe. They often log what all you do. Do not use this application without any kind of permissions because it would result in violation of privacy. The author takes no responsibility of any kind of damage you cause. Please use this for educational purposes only. Download: .zip | .tar.gz Author: https://twitter.com/OsandaMalith SkypeFreak by OsandaMalith