IIS 7.5 WCF Error: Could not find a base address that matches…

Error

I received the following error while trying to run a WCF application built in Visual Studio 2013 running on a Windows 8 IIS 7.5 server.

Could not find a base address that matches scheme http for 
the endpoint with binding MetadataExchangeHttpBinding. 
Registered base address schemes are [https].

IIS Error

Solution

In this instance, my mex endpoint was wrong: it needed to use mexHttpsBinding instead of mexHttpBinding. For other cases, double check that your bindings are correct. I was converting everything to HTTPS and had forgotten to change the mex binding to match.

<endpoint address="mex" binding="mexHttpsBinding" 
contract="IMetadataExchange" />
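The mismatch above is mechanical, so it can be checked before deployment. The following Python script is an added example, not part of the original post: it parses a system.serviceModel section, maps each endpoint's binding to the URI scheme it listens on (honoring security mode="Transport"), and flags endpoints whose scheme has no registered base address. The binding-to-scheme table and the sample config are assumptions constructed for the example; under IIS the registered schemes come from the site bindings rather than <baseAddresses>, so pass them via host_schemes.

```python
"""Flag WCF endpoints whose binding scheme has no matching base address (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# URI scheme each binding listens on by default (assumed table covering the bindings on this page).
BINDING_SCHEMES = {
    "mexHttpBinding": "http",
    "mexHttpsBinding": "https",
    "basicHttpBinding": "http",
    "webHttpBinding": "http",  # becomes https under <security mode="Transport">
}


def binding_configs(model):
    """Map (bindingType, configName) -> scheme, honoring transport security."""
    out = {}
    for btype in model.findall("./bindings/*"):
        for b in btype.findall("binding"):
            scheme = BINDING_SCHEMES.get(btype.tag)
            sec = b.find("security")
            if sec is not None and sec.get("mode") in ("Transport", "TransportWithMessageCredential"):
                scheme = "https"
            out[(btype.tag, b.get("name"))] = scheme
    return out


def endpoint_scheme(endpoint, configs):
    """Scheme an <endpoint> needs: its named bindingConfiguration wins over the binding default."""
    binding = endpoint.get("binding")
    cfg = endpoint.get("bindingConfiguration")
    if cfg is not None and (binding, cfg) in configs:
        return configs[(binding, cfg)]
    return BINDING_SCHEMES.get(binding)


def check_service_model(config_xml, host_schemes=None):
    """Return one message per endpoint whose scheme is not a registered base address scheme.

    host_schemes: schemes the host registers (e.g. {"https"} from the IIS site bindings, since
    IIS ignores <baseAddresses>); when None, the <baseAddresses> in the config are used.
    """
    root = ET.fromstring(config_xml)
    model = root if root.tag == "system.serviceModel" else root.find(".//system.serviceModel")
    configs = binding_configs(model)
    problems = []
    for svc in model.findall("./services/service"):
        registered = set(host_schemes) if host_schemes else {
            urlparse(a.get("baseAddress")).scheme
            for a in svc.findall("./host/baseAddresses/add")
        }
        if not registered:
            continue  # nothing to compare against
        for ep in svc.findall("endpoint"):
            scheme = endpoint_scheme(ep, configs)
            if scheme and scheme not in registered:
                problems.append(
                    f"{svc.get('name')}: endpoint '{ep.get('address')}' uses {ep.get('binding')} "
                    f"(scheme {scheme}) but registered base address schemes are {sorted(registered)}"
                )
    return problems


# Constructed config reproducing the error: everything is HTTPS except the metadata endpoint.
BROKEN_CONFIG = """<system.serviceModel>
  <services>
    <service name="Example.Service">
      <endpoint address="" binding="webHttpBinding" bindingConfiguration="secureHttpBinding"
                contract="Example.IService"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      <host><baseAddresses><add baseAddress="https://localhost:30022/"/></baseAddresses></host>
    </service>
  </services>
  <bindings>
    <webHttpBinding>
      <binding name="secureHttpBinding"><security mode="Transport"/></binding>
    </webHttpBinding>
  </bindings>
</system.serviceModel>"""

# The fix from the post: switch the mex endpoint to the HTTPS metadata binding.
FIXED_CONFIG = BROKEN_CONFIG.replace('binding="mexHttpBinding"', 'binding="mexHttpsBinding"')

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_service_model(cfg) or "OK")
```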

IIS 7.5 WCF Error: The … does not have a Binding with the None MessageVersion.

Error

I received the following error while trying to run a WCF application built in Visual Studio 2013 running on a Windows 8 IIS 7.5 server.

The … does not have a Binding with the None MessageVersion. ‘System.ServiceModel.Description.WebHttpBehavior’ is only intended for use with WebHttpBinding or similar bindings.

Solution

With help from http://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx and http://stackoverflow.com/questions/7585363/why-does-my-wcf-service-give-the-message-does-not-have-a-binding-with-the-none, I edited my web.config file so that it included the configuration shown below. Basically, I was confusing SOAP and REST calls. The configuration below is for REST only; SOAP requires basicHttpBinding.

<system.serviceModel>
  <services>
    <service name="XOM.REIT.CNC.ClusterNotificationCenter" behaviorConfiguration="DefaultBehavior">
      <endpoint address="" binding="webHttpBinding" bindingConfiguration="secureHttpBinding" contract="XOM.REIT.CNC.IClusterNotificationCenter" behaviorConfiguration="DefaultEndpointBehavior"/>
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost:30022/"/>
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <webHttpBinding>
      <binding name="secureHttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="None"/>
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="DefaultBehavior">
        <serviceMetadata httpsGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="DefaultEndpointBehavior">
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

IIS 7.5 Detailed Error: HTTP Error 404.3 – Not Found

Error

I received the following error while trying to run a WCF application built in Visual Studio 2013 running on a Windows 8 IIS 7.5 server.

HTTP Error 404.3 - Not Found
The page you are requesting cannot be served because of the extension 
configuration. If the page is a script, add a handler. 
If the file should be downloaded, add a MIME map.
IIS 7.5 Error

Solution

My problem was that WCF wasn’t enabled in the IIS server. To fix this, I ran the following commands in an administrator command prompt.

C:\> DISM /Online /Enable-Feature /FeatureName:WCF-HTTP-Activation
C:\> DISM /Online /Enable-Feature /FeatureName:WCF-HTTP-Activation45

Credit is due to http://stackoverflow.com/questions/11460142/cannot-serve-wcf-services-in-iis-on-windows-8.

BSOD Windows 8.1

So even after a fresh install, I was still getting Blue Screens of Death (BSOD). I only started getting them after I upgraded from Windows 8 to Windows 8.1, so I narrowed my suspicions down to driver issues. This post describes the steps I took to analyze the BSOD and my conclusion/solution.

Analyzing a Blue Screen

I received the pictured blue screen consistently on my machine. Looking at the error I noticed the “CRITICAL_STRUCTURE_CORRUPTION.” Search results for the error greatly varied… and weren’t particularly helpful.

Okay, so I then chose to look at the Windows Event Logs. In Windows 8.1, you can get to the Event Viewer by clicking the Start icon in the lower left of the desktop view and selecting the tool, or by searching for it.

In the Windows Logs -> System log there was an error listing a memory dump created after the computer recovered from one of the many blue screens. I figured this dump might have some clues as to what caused the problem.

EventViewer

Next, I decided to use windbg. This is a debug tool for analyzing Windows that can be used to read the memory dump file. You can download the standalone tool from here.

After installing the tool, I accessed the executable at <INSTALL DIRECTORY>\Windows Kits\8.1\Debuggers\x64\windbg.exe (x86\windbg.exe for 32 bit machines). With the tool running, I opened the memory dump file path found in the earlier viewed event.

Open

The tool spat out some information found in the dump file.

dump

Hmmm… it wasn’t so helpful; it basically said there was a problem most likely due to ntkrnlmp.exe, or in other words some kernel activity. I needed a symbol table to make sense of some of the references in the dump file.

I entered the following command in the prompt at the bottom of the dump report window to download the latest symbols:

.sympath SRV*<LOCATION TO DOWNLOAD eg f:/Temp>*http://msdl.microsoft.com/download/symbols

I selected Debug->restart to rerun the debug on the memory dump file with new symbols. I then received the following results pictured below.

after

It still doesn’t help much in describing what is causing the blue screens. To investigate further, I clicked on the analyze link, which expanded the analysis results.

analyze

Okay, so I can definitely now see that there was a memory issue from the reference to a bad stack… but I don’t know what caused it. Clicking on the link under MODULE_NAME didn’t provide much.

lmvm

Well, I then did a search on “lmvm Unknown Module.” After looking through the results, I found a couple of posts that mentioned conflicts between some of the Intel drivers and Windows 8.1.

Conclusion/Solution

I have an Intel motherboard and Intel drivers. I became suspicious…

Naturally, I decided to uninstall the Intel HD and network drivers from “Programs and Features.”

No blue screens as of yet. Make sure Windows is not set to update drivers automatically by default. I consider it solved… for now. I await new drivers from Intel.

Intel RAID 5 on Windows 8.1

I upgraded my Windows 8 to Windows 8.1 a couple of months ago and since the change I was getting blue screens (of death…) consistently.

This issue was due to a piece of memory that was incorrectly overwritten; my RAID drivers were also failing. There really wasn’t anything important on my Windows partition, so I decided to delete the partition and reinstall Windows 8.1 as a fix. There are helpful debugger tools and memory tests to deal with this, but it was just as easy for me to delete and start over.

The following instructions apply to an Intel Motherboard.

Enabling RAID (I already had my RAID setup, so I didn’t need to perform these steps since it is configured on the hardware level.)

  1. Turn on the computer and during the first screen that flashes the manufacturer name (the screen before the Windows logo) enter the BIOS menu. The screen flashes quickly and for those who don’t know how to enter this screen, it’s normally an F key. The manufacturer screen normally has on it a list of key options; just look for the one that will get you to the BIOS configuration (don’t worry if you miss it, just keep shutting down the machine and turning it back on until you get it). For me, the Intel key was “F2”.
  2. Under the configuration tab in the BIOS, set the “Chipset SATA Mode” to RAID. Directions on how to change values are displayed on the right hand side of the screen.
  3. Save changes and exit the BIOS screen (ESC key).
BIOS Configuration Tab

Configuring RAID Volumes (Once again I already had this setup.)

  1. Reboot the computer. There should now be an additional screen that appears between manufacturer screens when you start the machine up. This lists all your RAID volumes.
  2. Quickly press CTRL-I to get to the RAID configuration utility while the screen is up. This was actually tricky for me; I had to make multiple attempts. For some reason I could not get this to work on my Bluetooth keyboard, but it worked with another keyboard… some bug. Even with the other keyboard, I basically held down CTRL and went crazy pressing “i” over and over and over again.
  3. In this window you can create RAID volumes! Choose option 1 to create your volumes, or look at the other available options for different functions.
  4. My settings consist of two bootable RAID 5 volumes across my three ~4TB (3.6TB actual) hard drives, one with 125GB and the other with 7.1TB. The screenshot below shows my setup for your reference. Depending on your setup (RAID 5 requires at least 3 hard drives), you may want to do some research into RAID and your options. I chose 5 because it is supported by my motherboard and provides mirroring/striping, so it optimizes parallel communications and provides redundancy. In the case that one of my hard drives fails, I won’t lose anything. If two hard drives fail… I’m screwed. Basically, you have some protection from failure but still replace bad hard drives ASAP.

Install Windows

Intel Raid Driver I Used

  1. Download the Intel RAID drivers from their website and put them on a USB device. The screenshot above shows the driver I downloaded. Keep the USB plugged in during the following steps.
  2. I had a DVD with a Windows 8.1 ISO burned to it. This was placed into the computer before I shut it down. I then turned the computer on and again during the manufacturer/first screen, I hit the “F10” key to select from where to boot. Most of the time, by default you boot from the Windows partition on your hard drive. However, this time, I wanted to boot from my install DVD containing Windows 8.1.
  3. It took awhile to load the Windows menu, but once it did, I chose to “Install.”
  4. The next few screens deal with entering your license key and junk.
  5. Once I was prompted for Default or Advanced setup, I chose Advanced, because I needed to mess with the partitions.
  6. The next screen will show the existing partitions, but we have RAID going on and to make the install aware of this, we need to provide the drivers. In the current window, look for and select “Load driver.”
  7. I pointed the device to my USB to search for drivers. Once it found my Intel RAID driver, I selected it and clicked “Next.”
  8. After a few minutes, you will be returned to the partition window and you should see your RAID volumes correctly.
  9. Format a new partition for your Windows (I deleted the previous one). In my setup, I have 8 TB of hard drive space. I dedicated 124 GB to my Windows partition and the remainder to a partition I call “cabinet.” This is where I store my documents, media, etc. Windows does have a problem with creating a partition greater than 2TB. These drives must use GPT. This page discusses more on GPT. If this is what you plan to do, don’t partition the larger one now; wait and use the Windows disk utility described in the link.
  10. Continue and let Windows install. Once completed, install drivers as needed. Intel has a tool that helps with this process.
Driver Selection
Partition Window

There you have it!

BitLocker Enable Pin Windows 8

So, following my earlier post, I chose to enable BitLocker encryption. For the more paranoid users, there may be a desire to intensify security.

After I went through the excruciatingly long wait for my drives to finish encrypting, I wanted to enable PIN authentication on startup. I thought this would automatically be enabled, but for me it wasn’t.

The process for this was super easy but a simple search did not render any useful documentation so I figured I would just post how to do it.

The first part of the process required editing the Windows Group Policy. Group policies are awesome, definitely worth exploring! “Group Policy provides the centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment” (Wikipedia).

In Windows 8, simply search for or type “group policy” on the Start page. Select “Edit group policy.”

Find Group Policy

From the tree on the left of the policy window, go to:

Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives

Group Policy

Open the setting, “Require additional authentication at startup.”

Additional BitLocker Security

The only change I made was to enable the setting; I kept all the defaults. Be aware that this may not be ideal for users who do not have a TPM, because the machine might then expect a USB key, which is a pain to require at each startup. TPM stands for Trusted Platform Module, and version 1.2 can be found on most Windows systems older than 2011.

After changing the group policy, force your computer to update by running the command:

gpupdate

Lastly, go into BitLocker management and edit the startup setting from the “Change how drive is unlocked at startup” option. Add a PIN or whatever else to beef up your security.

BitLocker Menu

Complete.

Hard Drive Encryption

On a totally different encryption tangent, I need to encrypt my hard drives. Kind of ashamed that they aren’t encrypted already… I studied the field of cyber-security. However, for a basic home server it didn’t seem as pertinent to encrypt my drives.

I’m not going crazy or anything with confidential data. However, something really cool with hard drive encryption is that in most cases (strong password utilized, best practices, etc.), if the user is not logged into the computer at the time of seizure, it can be close to impossible (at the moment of writing this) for forensics to decrypt the data. True, there are tools that are part of the FTK toolkit like PRTK that can be used to attempt to decrypt your hard drive. Now correct me if I’m wrong, but if your password is over 12 characters long and includes different characters, numbers, symbols and all that jazz, the decryption attempt will take forever! The investigators are likely to be long gone before anything is returned (the cracking system would also have to be amazing and last just as long).

There are primarily two types of encryption: hardware and software encryption. I prefer the idea of hardware encryption; it encrypts data at the lowest level and tends to be more secure. If someone has access to your environment with a software encryption scheme, there is a greater likelihood they will be able to obtain the key through brute force. A simple reference site explaining encryption and the differences can be found here. One uses the computer’s resources to encrypt while the other relies on the hardware to encrypt data on its own dedicated processor. There really isn’t much difference in performance; the problem is that not all hard drives come with a dedicated processor for encryption.

My environment consists of three 4 TB hard drives in a RAID5 array that are currently partitioned into two drives. One drive contains Windows 8 and the other is for storage.

The hard drives I’m currently using.

So my options: hardware or software encryption. I’ve already been using the drives for quite some time and I don’t really want to lose the data already stored on them. There are some issues I foresee with hardware encryption and a RAID system. Is it even possible with RAID? I have to concern myself with how encryption will affect the striping and mirroring of data. It all depends on the drive and, in my case, it’s easy: my hard drives don’t even include the capability to hardware encrypt, so on to software encryption.

For software encryption, BitLocker and TrueCrypt are two free solutions that I am familiar with and could consider using. I could also look at converting my entire system into a NAS (FreeBSD and FreeNAS can setup a software based RAID and they include encryption capabilities) but… I’ll save that for another day.

BitLocker is already made available on Windows 8 Enterprise and Ultimate, but is it better than TrueCrypt? According to Tomshardware.com, both encryption tools are almost identical in performance. Bottom line, Microsoft’s BitLocker apparently has a few advantages via Intel’s new AES extensions. Despite this, TrueCrypt is compatible with non-Windows environments and it allows users to create “secret” partitions. These partitions are totally hidden and are only accessible from the TrueCrypt passphrase screen.

Mmm I think I’ll explore both options. BitLocker is quite easy to setup. From the start screen, type in BitLocker and there it is!

Finding BitLocker

Select to turn on BitLocker and follow the wizard instructions. It’ll take a couple restarts to get things going followed by a long, long wait.

BitLocker

Easy Sauce!

TrueCrypt is slightly different. The install demonstrated was performed on a MacBook Pro with Mavericks installed.

I couldn’t encrypt the working hard drive because it was in use, which kind of defeats the purpose of what I was attempting; however, I was able to create a hidden/secret partition, so I’m just going with that.

After starting up TrueCrypt, select to “Create Volume.”

TrueCrypt Main Menu

Follow the wizard directions to “Create an encrypted file container.”

Encrypted File Container

Next, select “Hidden TrueCrypt volume.”

Hidden Drive

Select a file location for the TrueCrypt volume. This volume will appear as a file which can then be mounted by the TrueCrypt software. Once mounted, it can be accessed just like another filesystem with directory trees, files, etc.

Choose whatever encryption algorithm works for your environment, testing is always a good idea.

Outer Volume Encryption Options

The Outer Volume Format window is slightly peculiar: you just move the mouse around the window a lot to create a random key sequence.

Outer Volume Format

After selecting “Format,” the outer volume for the hidden/secret partition will be created. This volume contains the hidden volume and can act as a decoy. The wizard continues with the hidden volume creation.

It’s basically identical to the earlier, outer volume process.

Now to access the two volumes, open TrueCrypt and mount the file you created. You can enter either the password for the hidden volume or the one for the decoy volume, depending on which one you want to access.

TrueCrypt Password Prompt

So why this outer volume/hidden volume setup? Say, somehow, someone knew you had the TrueCrypt volume and they were forcing you to provide the password. Well, thank goodness you have a decoy! They’ll think they’re getting the goods when really you are only supplying them with decoy files, while the hidden ones lay secretly nestled inside the decoy undetected.

Wow, what a long post but there you have it, the joys of encryption!

LIVECAP Project v1.0

There are currently tools available, such as Windows Forensic Toolchest, which automate a live Windows forensic investigation. However, these tools are proprietary and require a purchase fee. The Livecap project, started by Francis Mensah, is an open source Windows forensic tool alternative. The tool was entirely developed as a contribution towards anyone interested in the open source forensic community. The tool is publicly available on Google Code (http://code.google.com/p/livecap-project/).

The Livecap project is a forensic framework intended to simplify the task of forensic live capture. It is designed to automate the live forensic investigation and provide a formatted HTML report of the findings.

All that the user needs to do is specify the source of the tools that will be used, in addition to a few configuration details, and Livecap does the rest. Livecap adheres to standard forensic practices such as not doing anything that can tamper with forensic evidence on the victim workstation from which information is being captured. Through the use of a client/server architecture, Livecap transfers all its data from the victim workstation to the forensic workstation via a TCP/IP connection. Where this approach is not feasible, the tool also supports other storage means including a mounted remote drive and attached USB storage. It is, however, recommended that the client/server TCP/IP connection be used, with the client being run from a CD-ROM on the victim workstation. This guarantees the least interference with forensic evidence.

Best Practices: Windows Live Analysis

There are some instances where a computer cannot be powered off for an investigation. For these circumstances a live incident response is performed. Another advantage of live investigations is that both volatile and non-volatile data can be analyzed. The victim machine is the target of these investigations. These best practices are specific to Windows tools; however, some of the commands will work in other environments.

1.  In performing a digital forensic live incident response investigation it is important to set up the environment correctly. A disk or network drive needs to be created containing executables of the tools that will be used to uncover evidence. Recommended tools include:

    • Sysinternals Suite (http://technet.microsoft.com/en-us/sysinternals) – This contains numerous forensic tools.
    • FPort (http://www.scanwith.com/Fport_download.htm) – This tool enumerates ports and executables running on the ports.
    • UserDump (http://www.microsoft.com/en-us/download/details.aspx?id=4060, contained in User Mode Process Dumper) – Used to create memory dumps for specific processes.
    • NetCat (http://nmap.org/ncat) – Create TCP channels between devices that can be used to pass information.

Warning: The reason only executables are used in an investigation is because software installers will write into memory. If incriminating data was deleted, there is still a chance of uncovering it because it is not removed from disk. The only way to completely get rid of data is to overwrite it. There is a chance that software installers will overwrite such data and therefore are not to be used. This is also why live investigations do not involve any type of information writes to the victim machine’s disk (Jones, Bejtlich and Rose).

2.  Since data cannot be written to disk, it is best to map a network drive or use Netcat to transfer information between the analysis machine and the victim machine.

Warning: All files created or tools used need to include a checksum for validation against tampering. A checksum is basically the value of a file hash. If one character in the code or file is changed, the hash will produce a different checksum. This helps validate content. A specific application version will have a unique checksum different from all other versions of the software. A good tool to use to create checksums is File Checksum Integrity Verifier (http://support.microsoft.com/kb/841290).

3.  The first step in the investigation is to retrieve the time and date on the victim machine. It is helpful to have this information when an investigation is carried over multiple devices. Time and date should be compared to a trustworthy server.

Warning: This is very important for time sensitive evidence to be presented in a case (Jones, Bejtlich and Rose).

4.  Current network connections are analyzed next to see if there are any unusual connections established to the computer or ports listening. netstat -an is a native command that can be used to see these connections; it also shows all open ports.

Warning: Look for established connections that are not authorized or that are communicating with unfamiliar IP addresses. Ports higher than 515, are not ports normally opened by the operating system and should be flagged as suspicious (Jones, Bejtlich and Rose).

5.  FPort is used to see the executables running on open ports. Unknown processes accessing a port should be flagged as suspicious and analyzed.

6.  On machines older than Windows 2003, NetBIOS names were used to label a machine instead of the IP address in a connection record found in the event log. To validate that the machine’s identity is unique, the command nbtstat -c can be used.

Warning: Hackers could change the NetBIOS name, perform an attack and then change it back or to another name. The logs would then show the changed name and not the current one, leading investigators to a dead end. This is why it is important to check for a unique NetBIOS name (Jones, Bejtlich and Rose).

7.  It is also important to check the users currently logged into a machine remotely and locally. The Sysinternals tool PsLoggedOn can perform this check.

Warning: A non-authorized user may be logged in or hijacking an account remotely (Jones, Bejtlich and Rose).

8.  The internal routing table should be examined to ensure a hacker or process has not manipulated the traffic from a device. netstat -rn can be used to view the routing table. Unfamiliar routes or connections should be flagged as suspicious and used to formulate a hypothesis.

9.  The Sysinternals tool PsList can be used to view running processes. Processes flagged earlier can be viewed. It should be noted that if another process was found started around the same time as the suspicious process, it should also be flagged. The two processes might have been started by the same attack or service.

10.  The Sysinternals tool PsService is used to look at running services. Services that do not contain descriptions are not obvious services maintained by the operating system and are suspicious.

Warning: Services are used to hide attacking programs and should be analyzed carefully (Jones, Bejtlich and Rose).

11.  Scheduled Jobs on a Windows machine can be viewed with the at command. An attacker with the right privileges can schedule malicious jobs to run at designated times.

Warning: A hacker can run a job at odd times, such as 2:00 AM, which would likely go unnoticed by most users (Jones, Bejtlich and Rose).

12.  Examining opened files may reveal information more relevant to an investigation. The Sysinternals tool PsFile is used to look at all remotely opened files that cannot be immediately viewed on the victim machine.

13.  Process dumps are important in reviewing the actions of a process. The tool, UserDump, can be used to create a dump file of a suspicious process.

14.  Next, the Sysinternals tool strings can be used to pull out any words or sentences found in the dump file. This material can be reviewed to gain an understanding of what actions a process or executable performs.

15.  After the volatile information is analyzed, non-volatile information can be examined. This includes all logs, incriminating files stored on the system, internet history, stored emails or any other physical file on disk. Manual investigation can be used to review this material.

16.  When performing a live response investigation, it is important to be paranoid and research anything that is not obviously a familiar service, process, file or activity.
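As an added example (not part of the original post), here is Python that applies two of the rules from the checklist to captured data: it parses netstat -an output and flags established connections to peers outside an allow-list and listeners above port 515 (step 4 and its warning), and it verifies the SHA-256 of each tool against a manifest as the warning under step 2 requires. The sample netstat listing, the peer allow-list and the tool bytes are constructed for the example.

```python
"""Triage a captured 'netstat -an' listing and verify tool checksums (added live-response helpers)."""
import hashlib
import ipaddress

# Rules from the checklist: flag ESTABLISHED connections to unfamiliar peers and listening
# ports above 515.  KNOWN_PEERS is a constructed allow-list the analyst would fill in.
KNOWN_PEERS = {"10.0.0.5", "10.0.0.9"}  # e.g. the analysis workstation and a file server
HIGH_PORT_THRESHOLD = 515


def parse_netstat(text):
    """Parse 'netstat -an' lines into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        lip, lport = local.rsplit(":", 1)  # rsplit keeps bracketed IPv6 addresses intact
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, int(lport), rip, rport, state))
    return rows


def is_loopback(ip):
    """True for 127.x / ::1; '*' and zone-scoped tokens that fail to parse count as not loopback."""
    try:
        return ipaddress.ip_address(ip.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False


def triage_netstat(text, known_peers=KNOWN_PEERS):
    """Return (reason, row) pairs for rows an investigator should look at first."""
    findings = []
    for row in parse_netstat(text):
        proto, lip, lport, rip, rport, state = row
        if state == "ESTABLISHED" and not is_loopback(rip) and rip not in known_peers:
            findings.append(("established to unfamiliar peer", row))
        if state == "LISTENING" and lport > HIGH_PORT_THRESHOLD:
            findings.append(("listener above port 515", row))
    return findings


def verify_tools(manifest, read_bytes):
    """Return tool names whose SHA-256 differs from the manifest (wrong version or tampered).

    read_bytes(name) -> bytes lets the caller read from the tool CD, USB stick or network drive."""
    return [name for name, expected in manifest.items()
            if hashlib.sha256(read_bytes(name)).hexdigest() != expected]


# Constructed sample in the format 'netstat -an' prints on Windows.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       10.0.0.5:49210         ESTABLISHED
  TCP    192.168.1.20:49812     203.0.113.77:6667      ESTABLISHED
  TCP    127.0.0.1:49813        127.0.0.1:8080         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed tool images and manifest: one hash matches, one is deliberately stale.
TOOL_FILES = {"PsList.exe": b"constructed PsList bytes", "fport.exe": b"constructed fport bytes"}
TOOL_MANIFEST = {
    "PsList.exe": hashlib.sha256(TOOL_FILES["PsList.exe"]).hexdigest(),
    "fport.exe": "0" * 64,  # wrong on purpose, as if the manifest were for another version
}

if __name__ == "__main__":
    for reason, row in triage_netstat(NETSTAT_SAMPLE):
        print(f"{reason}: {row}")
    print("checksum mismatches:", verify_tools(TOOL_MANIFEST, TOOL_FILES.__getitem__))
```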

Overview of Basic Windows Live Investigation Tools

These are tools I have used for a live investigation of a target Windows machine and recommend to other users. These tools are open source and provide clean GUI or command line executables.

Sysinternals Suite contains numerous forensic tools for a Windows environment. A few helpful tools for a live investigation include:

    • PsLoggedOn – Check the users currently logged into a machine remotely and locally; a non-authorized user may be logged in or hijacking an account remotely, and this tool will display the account.
    • PsList – View running processes; if a process was found started around the same time as the suspicious process, it should also be flagged as suspicious. The two processes might have been started by the same attack or service.
    • PsService – Look at running services; services that do not contain descriptions are not obvious services maintained by the operating system and are suspicious.
    • PsFile – View all remotely opened files that cannot be immediately seen on the victim machine.
    • Strings – Used to pull out any words or sentences found in a target file.

FPort is a tool that enumerates ports and executables running on the ports. Unknown processes accessing a port should be flagged as suspicious and analyzed.

UserDump is a tool used to create memory dumps for specific processes. Process dumps are important in reviewing the actions of a process. After the dump file is created, the Sysinternals tool strings can be used to pull out any words or sentences found in the dump file. This material can be reviewed to gain an understanding of what actions a process or executable performs.