Even though you are the only person using a computer, you are not the only one writing to your disk drive! Surprisingly your disk drive contains a lot of juicy information that can reveal a lot of secrets and history about what you did in the past. There are also places where data can be deliberately hidden by malicious software, and it would be great to know what those are!

1. SESSION ID:SESSION ID:
#RSAC
Paula Januszkiewicz
Adventures in Underland: What System
Stores on the Disk Without Telling You
PDAC-W02
CEO, Security Expert, Penetration Tester & Trainer, MVP
CQURE
@paulacqure | paula@cqure.us

2. #RSAC

3. #RSAC

4. #RSAC

5. #RSAC
Agenda

6. #RSAC
Cache That Reveals A Bit…
Leftovers
“Juicy” Places

7. #RSAC
Demo: Secret spree
+ all the secrets all around

8. #RSAC
Disk Content – Activity History
Logs
Security Log, RDP Operational Log, Application Logs
Windows Explorer
Profile, NTUSER
Run dialog, Recent documents
Most Recently Used (MRU), Management Console (MMC)
Remote Desktop connections
Prefetch files
Automatic Destinations (LNK)

9. #RSAC
Demo: Investigation Mode
Where we can find the user / process activity?

10. #RSAC
Agenda

11. #RSAC
HKLMSECURITYCache
HKLMSECURITYPolicySecrets
HKLMSECURITYPolicySecrets
BootKey
Class names for keys from HKLMSYSTEMCCSControlLsa

12. #RSAC
Cached Logons: It used to be like this…
The encryption algorithm is RC4.
The hash is used to verify authentication is calculated as follows:
DCC1 = MD4(MD4(Unicode(password)) .
LowerUnicode(username))
is
DCC1 = MD4(hashNTLM . LowerUnicode(username))
Before the attacks facilitated by pass-the-hash, we can only rejoice the
"salting" by the username.
There are a number pre-computed tables for users as Administrator
facilitating attacks on these hashes.

13. #RSAC
Cached Logons: Now it is like this!
The encryption algorithm is AES128.
The hash is used to verify authentication is calculated as follows:
MSDCC2 = PBKDF2(HMAC-SHA1, Iterations,
DCC1, LowerUnicode(username))
with DCC 1 calculated in the same way as for 2003 / XP.
There is actually not much of a difference with XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of iterations
SHA1 with the same salt as before (username).

14. #RSAC
Cached Logons: Iterations
The number of iterations in PBKDF2, it is configurable
through the registry:
HKEY_LOCAL_MACHINESECURITYCache
DWORD (32) NL$IterationCount
If the number is less than 10240, it is a multiplier by
1024 (20 therefore gives 20480 iterations)
If the number is greater than 10240, it is the number
of iterations (rounded to 1024)

15. #RSAC
Demo: Cached Credentials
+ getting access to user’s secrets

16. #RSAC
Classic Data Protection API
Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects from outsiders when being in offline access
Effectively protects users data
Stores the password history
You need to be able to get access to some of your passwords
from the past
Conclusion:OS greatlyhelps usto protectsecrets

17. #RSAC
Demo: Cached Credentials
+ getting access to user’s secrets

18. #RSAC
Demo: IISWasKey
+ sniffing the disk

19. #RSAC
Apply What You Have Learned Today
Next week you should:
Become familiar with disk tracing tools and techniques
In the first three months following this presentation you should:
Implement credentials hygiene and scoping
Implement BitLocker is an absolute prevention (warning: firewire)
Within six months you should:
Implement Sysmon or similar solution to trace what runs, for example what
registry keys where changed

20. SESSION ID:SESSION ID:
#RSAC