Leveraging NTFS Timeline Forensics in the Analysis of Malware Tim Mugherini NAISG Boston January 20, 2011
About Me Caveat: I Am Not An Expert!
Some Context “Facts do not cease to exist because they are ignored.” - Aldous Huxley
Being Prepared What’s in your Incident Response Toolkit? Malware is becoming more sophisticated. A deeper understanding of computer systems is needed. File system forensics techniques are well documented but seem underutilized. Analysis of the Master File Table (MFT) of the NTFS file system can be used to help establish a timeline and location of changes to the system.
Incident Response Where does Malware Analysis Fit In? Preparation: Incident Handling Procedures, Training, Toolkits, Jump Bags, Detection & Defense Mechanisms. Detection & Analysis: Detect the type, extent, and magnitude of the incident. Identify the malware characteristics. Containment, Eradication, & Recovery: Prevent the malware from spreading and causing further system damage. Once contained, remove the malware and restore the functionality and data affected by the infection. Post-Incident: Review the incident and lessons learned. Apply this to your preparation for the next incident. Retain evidence. Reference: National Institute of Standards and Technology (2005). SP800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Malware Analysis Where does File Forensics Fit In? Static: Analyze without executing the code (Code Analysis, Reverse Engineering, i.e. Decompiling, Disassembling). Dynamic: Analyze the code while it runs (Network Packet Analysis). Ideally you want to do both!
NTFS Master File Table 101 “Facts do not 'speak for themselves', they are read in the light of theory” -  Stephen Jay Gould
Everything is a File Overview of NTFS and the Master File Table NTFS: “New Technologies File System” Default file system of all modern versions of Windows. The Master File Table (MFT) is the heart of the NTFS file system. It contains the metadata about all the files and directories on the file system. Everything is a file in NTFS, including the MFT. Each file and directory has at least one entry in the MFT. Each MFT entry is 1024 bytes in size (defined in boot sector) with the first 42 bytes containing 12 defined fields and the remaining space being used by attributes. The MFT will expand as needed and NTFS does NOT delete MFT entries after they have been created (note: but they can be re-allocated). Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
0x46494c45 What FILE Information can be extracted? MFT Header contains a record number for each entry, sequence number (times reused), and parent record number (location). Standard_Information attributes are best known. Many of these attributes (MACE/MACb times, Flags) are displayed in explorer.exe when viewing the properties of a file or folder. File_Name attributes contain the file name and additional MACE/MACb times (more on this in a bit). Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
Standard_Information Attributes The Good, The Bad, The WTF. The Good: The behavior of Windows on Standard_Information MACE times is well known. The Bad: Standard_Information MACE times can easily be manipulated (e.g. Metasploit Timestomp or the Unix touch command). OK … WTF: Did you know file Access Times are disabled by default in Windows Vista/7? HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate=1
PowerShell: Friend or Foe? Manipulation of Standard_Information Dates. Reference: Hull, David (2009). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html
Don’t Be Duped File_Name Attributes are not Easily Manipulated. File_Name attributes initially mirror the Standard_Information creation date. They do not typically get updated the way Standard_Information values do unless the file is moved or renamed. Consequently, it is more difficult to manipulate File_Name attributes (note: I did not say impossible, more on this later). All attribute times need to be analyzed when using MFT analysis. Some work has been done cataloging the behavioral changes of File_Name time attributes. Reference: Hull, David (2010) Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
Thank You Rob MFT Attribute Behavior Reference: Lee, Rob, T. (2010) Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
Intro to Our Malware Sample “It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown
Rogue AV Prerequisites  There Are None Up to date Windows 7 OS – No Problem! No Local Admin rights – No Problem! Existing Antivirus w/ current sigs  – No Problem! Windows Firewall hardened with GPO – No Problem! IE 8 in Medium/High security mode – No Problem! UAC enabled – No Problem! But what features do you get with your install, you ask?
Rogue AV Feature Set Replaces Existing Antivirus without Interaction
Rogue AV Feature Set Places Bogus Malicious Files on Your File System
Rogue AV Feature Set Provides Protection Sopranos Style
Rogue AV Feature Set Confused? Live Support Chat can Assist
Rogue AV Feature Set Protects Against Analysis by Your IT Practitioner
Analysis of Our Sample “Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams
Down the Rabbit Hole Summary of the Rogue File/Process. File Name: ISe6d_2229.exe. File Type: Windows 32-bit Portable Executable. MD5: 699ebebcac9aaeff67bee94571e373a1. SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2. File size: 3590656 bytes. First seen on VirusTotal: 2010-11-14 01:20:29. Last seen: 2010-11-16 15:52:22. http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742 My Write-Up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html
Grabbing the MFT FTK Imager Lite: Exporting the MFT
Parsing the MFT analyzeMFT: Parse & Export Records.
Analyzing the MFT Based on the Facts, Find the Infection Locations
Leveraging the Results  “We can have facts without thinking but we cannot have thinking without facts.” - John Dewey
Using Information from the MFT Prefetch Parser: Parsing the Prefetch Folder
SETUP_2229[1].EXE-11C68EE8.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4KYBRHH\SETUP_2229[1].EXE
TASKKILL.EXE-8F5B2253.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4KYBRHH\…NPRICE=85[1].HTM
RUNDLL32.EXE-80EAA685.pf: \PROGRAMDATA\E6DB66\ISE6D_2229.EXE
Using Information from the MFT Exporting the Windows Registry Hives. Most live in the %SystemRoot%\System32\config directory (except HKCU & HKU, which are located in the user profiles). Tools such as RegRipper & Windows Registry Recovery can be used to perform further analysis based on the facts discovered. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Internet Security Suite" = "C:\ProgramData\e6db66\ISe6d_2229.exe" /s /d Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
Using Information from the MFT Recovering Deleted Files with VSS. FTK Imager has the ability to export files if they have not been overwritten. Microsoft Volume Shadow Copy Service (VSS) is another option, however. mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ Reference: Mugherini, Timothy (2010) Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html
Using Information from the MFT Hashes Are Your Friend. Once suspect files are found, export their hashes and leverage online resources: NIST National Software Reference Library, SANS ISC Hash Database, Team Cymru Malware Hash Registry. FTK Imager and other Windows tools can hash files, but what if you want to hash all files on a drive or volume? http://md5deep.sourceforge.net/ md5deep.exe -r C:\ > hash_drive.txt
The Trouble with Facts… “The trouble with facts is that there are so many of them.” - Samuel McChord Crothers
File_Name Attributes Can Change Manipulating File_Name Attributes
Hope Is Not Lost How can we Detect Attribute Manipulation? Some Possibilities: Recent Documents and Programs (if not disabled); System Events (i.e. System Time Change); Prefetch Differences; Differences between $SI and $FN attributes; $FN MACE times have USEC/Microseconds = 00. New Features in analyzeMFT.py (v1.5): now reports useconds for all time attributes; -a (anomaly detection) adds two columns: std-fn-shift: Y = $FN create time is after the $SI create time; usec-zero: Y = $SI create time has usec = 0
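The MFT entry layout from the "101" section and the $SI/$FN checks on this slide, worked through as an added Python example (not code from the talk or from analyzeMFT): it builds a constructed 1024-byte MFT record with a resident $STANDARD_INFORMATION and $FILE_NAME, applies the update sequence fixups, parses the header and both sets of MACE times, and reports the std-fn-shift and usec-zero conditions. The record bytes, record numbers and timestamps are constructed test data; the usec-zero check approximates analyzeMFT's by testing the microsecond field of the $SI creation time.

```python
"""Parse one raw NTFS MFT entry and flag the $SI/$FN timestamp anomalies that
analyzeMFT -a reports. The records below are constructed test data, not disk bytes."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR = 1024, 512                  # entry size is defined in the boot sector
ATTR_SI, ATTR_FN, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
MACE = ("created", "modified", "mft_modified", "accessed")   # on-disk order of the 4 times

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat(timespec="microseconds")

def _resident_attr(type_id, attr_id, content):
    """24-byte resident attribute header + content, padded to an 8-byte boundary."""
    total = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", type_id, total, 0, 0, 0, 0, attr_id, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (total - 24 - len(content))

def build_record(record_no, seq, parent_ref, name, si_times, fn_times):
    """Assemble an in-use MFT entry: 48-byte header, fixup array, $SI, $FN, end marker."""
    si = struct.pack("<4Q", *si_times) + b"\0" * 40                 # 72-byte $STANDARD_INFORMATION
    fn = (struct.pack("<5Q", parent_ref, *fn_times) + b"\0" * 24    # parent ref, MACE, sizes, flags
          + bytes([len(name), 3]) + name.encode("utf-16le"))        # name length, Win32+DOS namespace
    attrs = _resident_attr(ATTR_SI, 0, si) + _resident_attr(ATTR_FN, 1, fn)
    first = 56
    rec = bytearray(RECORD_SIZE)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, seq, 1, first, 0x01,
                           first + len(attrs) + 8, RECORD_SIZE, 0, 2, 0, record_no)
    rec[first:first + len(attrs)] = attrs
    struct.pack_into("<I", rec, first + len(attrs), END_MARKER)
    # Update sequence array at offset 48: the USN, then the original last 2 bytes of each
    # sector (zero padding here). NTFS overwrites those sector tails with the USN.
    usn = 0x0007
    struct.pack_into("<HHH", rec, 48, usn, 0, 0)
    for end in range(SECTOR, RECORD_SIZE + 1, SECTOR):
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)

def apply_fixups(raw):
    """Undo the update sequence array so attribute bytes at sector tails read back correctly."""
    buf = bytearray(raw)
    off, count = struct.unpack_from("<HH", buf, 4)
    usn = buf[off:off + 2]
    for i in range(count - 1):
        end = (i + 1) * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end - 2:end] = buf[off + 2 + 2 * i:off + 4 + 2 * i]
    return bytes(buf)

def parse_record(raw):
    """Header fields plus $SI and (first) $FN MACE times, as raw FILETIME integers."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    buf = apply_fixups(raw)
    seq, _links, pos, flags = struct.unpack_from("<HHHH", buf, 16)
    rec = {"record_no": struct.unpack_from("<I", buf, 44)[0], "seq": seq,
           "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "si": None, "fn": None}
    while True:
        type_id, length = struct.unpack_from("<II", buf, pos)
        if type_id == END_MARKER or length == 0:
            break
        if buf[pos + 8] == 0:                                       # resident attribute
            size, coff = struct.unpack_from("<IH", buf, pos + 16)
            content = buf[pos + coff:pos + coff + size]
            if type_id == ATTR_SI:
                rec["si"] = dict(zip(MACE, struct.unpack_from("<4Q", content, 0)))
            elif type_id == ATTR_FN and rec["fn"] is None:          # a file may carry DOS and Win32 $FNs
                rec["parent_record"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
                rec["fn"] = dict(zip(MACE, struct.unpack_from("<4Q", content, 8)))
                rec["name"] = content[66:66 + 2 * content[64]].decode("utf-16le")
        pos += length
    return rec

def detect_anomalies(rec):
    """analyzeMFT -a columns: $FN created after $SI created; $SI created with usec field == 0."""
    si_created, fn_created = rec["si"]["created"], rec["fn"]["created"]
    return {"std_fn_shift": fn_created > si_created,
            "usec_zero": (si_created // 10) % 1_000_000 == 0}

# Constructed samples: a record whose $SI was backdated to a whole second, and a clean one.
REAL_CREATE = to_filetime(datetime(2010, 11, 14, 1, 20, 29, 123456, tzinfo=timezone.utc))
STOMPED_CREATE = to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
ROOT_REF = (5 << 48) | 5                                            # parent: record 5 (root), seq 5
STOMPED = build_record(40321, 3, ROOT_REF, "ISe6d_2229.exe", (STOMPED_CREATE,) * 4, (REAL_CREATE,) * 4)
CLEAN = build_record(40322, 1, ROOT_REF, "notes.txt", (REAL_CREATE,) * 4, (REAL_CREATE,) * 4)

if __name__ == "__main__":
    for raw in (STOMPED, CLEAN):
        rec = parse_record(raw)
        print(f"#{rec['record_no']} seq={rec['seq']} {rec['name']} parent={rec['parent_record']}")
        for attr in ("si", "fn"):
            print(f"  ${attr.upper()}", {k: from_filetime(v) for k, v in rec[attr].items()})
        print("  anomalies:", detect_anomalies(rec))
```

On a real $MFT exported with FTK Imager, the same parser runs over the file in 1024-byte steps; non-resident attributes and multiple $FN entries per record are the first things a production parser would need to add.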
Summary An Answer to a Question Might be Another Question. This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phase (Detection/Analysis) of incident response. It is something you can add to your Incident Response and Malware Analysis toolkit. It may be necessary to correlate and verify your results with other methods and tools. Tools such as Log2Timeline are available to create Super Timelines, making it even easier to create a timeline of malicious activity on a system.
Go Forth and Prosper Additional Resources and Tools. Additional Resources: Lenny Zeltser: Combating Malicious Software; NIST Special Publication 800-81: Computer Security Incident Handling Guide; NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling; NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response; Reversing Malware Blog; SANS Computer Forensics & Incident Response Blog; SANS Reading Room (Too Many Great Papers to Mention: Check the Forensics, Incident Response, and Malware Analysis Categories); Windows Incident Response Blog. Books: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley. Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress. Tools: analyzeMFT, FTK Imager Lite, MD5Deep, Prefetch Parser, RegRipper, Windows Registry Recovery
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Leveraging NTFS Timeline Forensics during the Analysis of Malware

  • 11. 0x46494c45 What FILE Information can be extracted? MFT Header contains a record number for each entry, sequence number (times reused), and parent record number (location). Standard_Information attributes are best known. Many of these attributes (MACE/MACb times, Flags) are displayed in explorer.exe when viewing the properties of a file or folder. File_Name attributes contain the file name and additional MACE/MACb times (more on this in a bit). Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
  • 12. Standard_Information Attributes: The Good, The Bad, The WTF. The Good: the behavior of Windows on Standard_Information MACE times is well known. The Bad: Standard_Information MACE times can easily be manipulated (e.g. Metasploit Timestomp or Unix touch). OK … WTF: did you know file Access Times are disabled by default in Windows Vista/7? HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate=1
  • 13. Powershell: Friend or Foe? Manipulation of Standard_Information Dates. Reference: Hull, David (2009). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html
  • 14. Don’t Be Duped: File_Name Attributes are not Easily Manipulated. File_Name Attributes initially mirror the Standard_Info Creation date. They do not typically get updated the way Standard_Information values do unless the file is moved or renamed. Consequently, it is more difficult to manipulate File_Name Attributes (note: I did not say impossible, more on this later). All Attribute Times need to be analyzed when using MFT Analysis. Some work has been done cataloging the behavioral changes of File_Name Time attributes. Reference: Hull, David (2010) Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
  • 15. Thank You Rob: MFT Attribute Behavior. Reference: Lee, Rob T. (2010) Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
  • 16. Intro to Our Malware Sample “It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown
  • 17. Rogue AV Prerequisites There Are None Up to date Windows 7 OS – No Problem! No Local Admin rights – No Problem! Existing Antivirus w/ current sigs – No Problem! Windows Firewall hardened with GPO – No Problem! IE 8 in Medium/High security mode – No Problem! UAC enabled – No Problem! But what features do you get with your install, you ask?
  • 18. Rogue AV Feature Set Replaces Existing Antivirus without Interaction
  • 19. Rogue AV Feature Set Places Bogus Malicious Files on Your File System
  • 20. Rogue AV Feature Set Provides Protection Sopranos Style
  • 21. Rogue AV Feature Set Confused? Live Support Chat can Assist
  • 22. Rogue AV Feature Set Protects Against Analysis by Your IT Practitioner
  • 23. Analysis of Our Sample “Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams
  • 24. Down the Rabbit Hole: Summary of the Rogue File/Process. File Name: ISe6d_2229.exe; File Type: Windows 32 bit Portable Executable; MD5: 699ebebcac9aaeff67bee94571e373a1; SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2; File size: 3590656 bytes; First seen on Virus Total: 2010-11-14 01:20:29; Last seen: 2010-11-16 15:52:22. http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742 My Write-Up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html
  • 25. Grabbing the MFT FTK Imager Lite: Exporting the MFT
  • 26. Parsing the MFT analyzeMFT: Parse & Export Records.
  • 27. Analyzing the MFT Based on the Facts, Find the Infection Locations
  • 28. Leveraging the Results “We can have facts without thinking but we cannot have thinking without facts.” - John Dewey
  • 29. Using Information from the MFT: Prefetch Parser, Parsing the Prefetch Folder. SETUP_2229[1].EXE-11C68EE8.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\[?]4KYBRHH\SETUP_2229[1].EXE; TASKKILL.EXE-8F5B2253.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\[?]4KYBRHH\[?]NPRICE=85[1].HTM; RUNDLL32.EXE-80EAA685.pf: \PROGRAMDATA\E6DB66\ISE6D_2229.EXE
  • 30. Using Information from the MFT: Exporting the Windows Registry Hives. Most live in the %SystemRoot%\System32\config directory (except HKCU & HKU, which are located in the user profiles). Tools such as RegRipper & Windows Registry Recovery can be used to perform further analysis based on facts discovered. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d" Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
  • 31. Using Information from the MFT: Recovering Deleted Files with VSS. FTK Imager has the ability to export files if not overwritten. Microsoft Volume Shadow Copy Service (VSS) is another option, however: mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ Reference: Mugherini, Timothy (2010) Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html
  • 32. Using Information from the MFT: Hashes Are Your Friend. Once suspect files are found, export their hashes and leverage online resources: NIST National Software Reference Library; SANS ISC Hash Database; Team Cymru Malware Hash Registry. FTK Imager and other Windows tools can hash files, but what if you want to hash all files on a drive or volume? http://md5deep.sourceforge.net/ md5deep.exe -r C:\ > hash_drive.txt
  • 33. The Trouble with Facts… “The trouble with facts is that there are so many of them.” - Samuel McChord Crothers
  • 34. File_Name Attributes Can Change Manipulating File_Name Attributes
  • 35. Hope Is Not Lost: How can we Detect Attribute Manipulation? Some Possibilities: Recent Documents and Programs (if not disabled); System Events (i.e. System Time Change); Prefetch Differences; Differences between $SI and $FN attributes; $FNA MACE Times have USEC/Microseconds = 00. New Features in analyzeMFT.py (v 1.5): now reports useconds for all time attributes; -a (anomaly detection) adds two columns: std-fn-shift: Y = $FN create time is after the $SI create time; usec-zero: Y = $SI create time has usec = 0
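The $SI versus $FN comparison from slides 11, 14 and 35, as an added example that is not code from the deck or from analyzeMFT: it walks the resident attributes of one raw 1024-byte MFT entry, reads the four MACE FILETIMEs from $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30), and applies the two anomaly rules named above (std-fn-shift and usec-zero). The record it checks is constructed inside the block as a stomped sample, not data from a real disk, and the update-sequence fixup is skipped, which a parser for a real exported $MFT must apply.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def filetime_to_dt(ft):
    """NTFS FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_mft_times(record):
    """Return the four FILETIMEs of $SI and of the first $FN in one raw MFT entry (fixups not applied)."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 20)[0]    # header field: offset to first attribute
    times = {}
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen < 24:            # end-of-attributes marker
            break
        if record[off + 8] == 0:                        # resident attribute: content is in the record
            csize, coff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + coff:off + coff + csize]
            if atype == 0x10:                           # $STANDARD_INFORMATION: C, M, E(MFT), A at +0
                times["si"] = struct.unpack_from("<4Q", body, 0)
            elif atype == 0x30 and "fn" not in times:   # $FILE_NAME: parent ref at +0, times at +8
                times["fn"] = struct.unpack_from("<4Q", body, 8)
        off += alen
    return times

def anomalies(times):
    """The two analyzeMFT -a flags: $FN create after $SI create; $SI create with usec == 0."""
    si_c, fn_c = times["si"][0], times["fn"][0]
    return {"std-fn-shift": fn_c > si_c,
            "usec-zero": (si_c // 10) % 1_000_000 == 0}

def build_record(si_created, fn_created, name="ISe6d_2229.exe"):
    """Constructed 1024-byte MFT entry with resident $SI and $FN (sample data, not from a real disk)."""
    def attr(atype, body):                              # resident attribute header is 24 bytes
        length = (24 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
        return hdr + body + bytes(length - 24 - len(body))
    si = struct.pack("<4QI", si_created, fn_created, fn_created, fn_created, 0x20) + bytes(12)
    fn = struct.pack("<Q4QQQIIBB", 5, fn_created, fn_created, fn_created, fn_created,
                     0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = attr(0x10, si) + attr(0x30, fn) + b"\xff\xff\xff\xff"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQH", 48, 3, 0, 1, 1, 56, 1, 56 + len(body), 1024, 0, 3)
    return (hdr + bytes(14) + body).ljust(1024, b"\x00")
```

Running the checks over records exported from a real volume means reading the $MFT file in 1024-byte slices and applying the update-sequence fixup to each before calling parse_mft_times.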
  • 36. Summary: An Answer to a Question Might be Another Question. This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phase (Detection/Analysis) of incident response. It is something you can add to your Incident Response and Malware Analysis toolkit. It may be necessary to correlate and verify your results with other methods and tools. Tools such as Log2Timeline are available to create Super Timelines, making it even easier to create a timeline of malicious activity on a system.
  • 37. Go Forth and Prosper: Additional Resources and Tools. Additional Resources: Lenny Zeltser: Combating Malicious Software; NIST Special Publication 800-81: Computer Security Incident Handling Guide; NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling; NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response; Reversing Malware Blog; SANS Computer Forensics & Incident Response Blog; SANS Reading Room (Too Many Great Papers to Mention: Check Forensics, Incident Response, and Malware Analysis Categories); Windows Incident Response Blog. Books: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley. Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress. Tools: AnalyzeMFT; FTK Imager Lite; MD5Deep; Prefetch Parser; RegRipper; Windows Registry Recovery
  • 39. Internet Control Message Protocol Feel Free to Ping Me Tim Mugherini http://securitybraindump.blogspot.com tmugherini@gmail.com @bug_bear Irc://freenode (as Bugbear)