
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 7 Lecture

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Quiz #2

Any questions before the quiz?

New Material for this week


- Restore Points & Volume Shadow Copy
- USB Device Forensics
- File Carving Using Foremost
- Data extraction from Memory Dumps using Volatility

Restore Points

- Restore Points (XP) are created by default every 24 hours so the user can restore the system to a previous state if something goes wrong (boot to last known good state); kept 90 days by default
- Contain copies of all system files & registry entries changed since the last restore point
- Found in C:\System Volume Information\_restore{GUID}\RP###\
- Change.log (binary) file maps generic restore point filenames back to their original paths
- Rp.log: the last 8 bytes are a Windows FILETIME for the restore point creation date
- Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)
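The rp.log timestamp described above, as an added example (not from the lecture): it decodes the trailing 8-byte FILETIME and walks an offline _restore{GUID} folder to list restore points by creation time. The sample rp.log bytes are constructed; only the final 8 bytes matter.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def rp_log_creation_time(data: bytes) -> datetime:
    """Return the restore point creation time: the last 8 bytes of rp.log as a little-endian FILETIME."""
    if len(data) < 8:
        raise ValueError("rp.log is too short to hold a FILETIME")
    (ft,) = struct.unpack("<Q", data[-8:])
    return filetime_to_datetime(ft)


def list_restore_points(restore_dir: str) -> list:
    """Walk an offline _restore{GUID} directory and return (RP folder, creation time), oldest first.

    Assumes the layout from the slide: <restore_dir>/RP###/rp.log. Folders without rp.log are skipped.
    """
    points = []
    for rp_log in Path(restore_dir).glob("RP*/rp.log"):
        points.append((rp_log.parent.name, rp_log_creation_time(rp_log.read_bytes())))
    return sorted(points, key=lambda p: p[1])


# Constructed sample rp.log: arbitrary leading bytes, then the creation FILETIME as the final 8 bytes.
SAMPLE_CREATED = datetime(2009, 4, 13, 15, 0, 11, tzinfo=timezone.utc)
SAMPLE_RP_LOG = (b"\x00" * 16
                 + "Installed Windows Update".encode("utf-16-le")
                 + struct.pack("<Q", datetime_to_filetime(SAMPLE_CREATED)))
```

Restore point times from rp.log are UTC; convert to the host's local zone before comparing them with setupapi.log entries, which the lecture notes are in local time.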

Change.log Analysis

Mandiant Restore Point Analyzer

Parses Change.log to map generic restore point filenames back to original paths

Registry Analysis Across Multiple Restore Points

- RipXP.pl by Harlan Carvey allows comparison of specified registry hives across multiple restore points
- Any time registry entries are relevant to a case (almost always), you want to check the same values in all restore points

Volume Shadow copy Service (VSS)

- Vista/7 version of Restore Points, but much more pervasive
- Tracks all (aggregate) changes made to the filesystem since the last Shadow Copy
- Literally allows the entire filesystem, or individual files or folders, to be rolled back to a previous state
- An offline filesystem can be mounted as it existed at a previous date, including unallocated space
- Only takes a snapshot periodically, not continually
- Enabled by default
- Typically limited to 15% of volume size

Volume Snapshot Creation


- Manually
- Every 24 hours (Vista)
- Every 7 days (Win7)
- Before a Windows Update
- Unsigned driver installation
- An application that calls the Snapshot API

Volume Shadow copy Service (VSS)

- Currently the best way to examine shadow copies is from a Vista/Win7 system
- Mount the drive or image read-only using FTK Imager (this should work, but apparently doesn't. I expect it to be fixed sometime; see Harlan's note)
- To list available shadows on drive C: vssadmin list shadows /for=c:
- To mount Shadow Copy #: mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\
- Should see the response: symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

If you can't make VSS work with a mounted image, or don't have a Win7 analysis station:

- Reported to work: Fallback is to use LiveView to convert the image so it's mountable in VMware. Then add it to an existing Win7 VMware guest OS, power on the VM, and examine the mounted image as though it were a physically connected disk
- Also reported to work: Copy the image to a new dd-style flat file & convert it to VHD using vhdtool.exe (this will change the image file). Attach to Win7 (read only) using Disk Manager
- Supposedly EnCase PDE works for mounting also

Shadow Volume Imaging

Once you've run the mklink command, you should be able to image the mounted shadow copy just like any other disk

Timelining

Once you've extracted a number of artifacts relating to your case, and narrowed your focus to events known to have happened around certain specific times, timelining techniques are a really great way to find other artifacts related to that case

Why?

Virtually anything you do on a live system will update something somewhere. By finding every timestamp on the system, and looking specifically at the objects that were in some way in use at a time in question, you have a much better chance of figuring out exactly what was going on at that time. The more unusual the activity going on during the timeframe of interest, or the more quickly you can examine the system, the more artifacts you will be able to link directly to the activity in question using this technique.

USB Device Forensics

- Uniquely identify specific USB devices
- Link them to specific systems & user IDs
- Identify times when devices were attached and removed

Where to find USB forensic data

- The Registry (including restore points)
  - System
  - Software
  - NTUSER.DAT
- Setupapi.log
- Event Logs

USB Device & Activity Information

- Vendor
- Model
- Version
- Capacity
- Serial Number (most, but not all)
- Last Drive Letter
- Volume Name (filesystem)
- Volume Serial Number (filesystem)
- First Use
- First Use Since Last Reboot
- Last Use
- Other usage timestamps may be in restore points

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USBSTOR

- Subkey named Disk&Ven_<vendor name>&Prod_<product name>&Rev_<product version>
- Product name text may contain capacity and even color
- Under this subkey is another named with the device's unique serial number, if any
- If the device has no serial number (not standard-conformant), Windows will create one with an & as the second character
- Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)

USB Serial Numbers

- Note: USB device serial numbers are not part of the data area of the device, and so are not necessarily captured when the device is imaged
- This information can be examined live using the MS tool UVCView (part of the Windows Driver Development Kit)

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USB

- Subkey named Vid_<Vendor ID>&Pid_<Product ID>
- Under this subkey is another named with the device's unique serial number, if any, which links the entry to the same serial number under the USBSTOR key
- Last write time of the serial number key is the first time the device was connected following the system's last reboot

USB Registry Keys & Values

HKLM\System\MountedDevices

- Value under this named \DosDevices\<Drive Letter>\
  - This value contains the ParentIdPrefix (XP) or serial number (Vista/7) in Unicode for the last device to use this drive letter
- One or more other values here named \??\Volume{<GUID>}
  - Also contains the ParentIdPrefix (XP) or serial number (Vista/7) in Unicode. The GUID can be used to link to a specific user

USB Registry Keys & Values (Vista/Win7)

HKLM\Software\Microsoft\Windows Portable Devices\Devices

- Subkey under this has a long name ending #<serial number>#
- Value under this subkey named FriendlyName contains the Volume Name. On Vista only (not Win7) it ends with the drive letter in parentheses

USB Registry Keys & Values

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


- Subkey under this named {<GUID>}
- Last write time for this subkey is the last time the device was connected by the specified user

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Subkey named ##?#USBSTOR#Disk&Ven_<Vendor Name>&Prod_<Product Name>&Rev_<Version>#<Serial Number>#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Last write time of this subkey is first time device was connected following the last reboot
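The USBSTOR, MountedDevices and MountPoints2 linkage described in the preceding slides, as an added example that is not part of the lecture: it splits a USBSTOR subkey name, decodes a MountedDevices value (the Vista/7 `_??_USBSTOR#...` and XP `\??\STORAGE#RemovableMedia#...` layouts), flags a Windows-generated serial by its `&` second character, and walks `\??\Volume{GUID}` names into per-user MountPoints2 last-write times. All registry data below is constructed; the dict shapes stand in for whatever hive parser you use.

```python
import re
from datetime import datetime

# Disk device-interface class GUID seen in DeviceClasses and MountedDevices names.
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

USBSTOR_KEY_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$", re.I)
# Vista/7 layout: _??_USBSTOR#<USBSTOR subkey>#<serial>&<n>#{class GUID}
VISTA_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#(?P<guid>\{[0-9a-f-]+\})$", re.I)
# XP layout: \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{class GUID}
XP_RE = re.compile(
    r"^\\\?\?\\STORAGE#RemovableMedia#(?P<pip>.+)&RM#(?P<guid>\{[0-9a-f-]+\})$", re.I)


def parse_usbstor_key(name: str) -> dict:
    """Split a USBSTOR subkey name into vendor, product and revision."""
    m = USBSTOR_KEY_RE.match(name)
    if not m:
        raise ValueError("not a USBSTOR disk subkey: " + name)
    return m.groupdict()


def serial_is_windows_generated(serial: str) -> bool:
    """True when Windows synthesised the ID because the device reported no serial number."""
    return len(serial) > 1 and serial[1] == "&"


def decode_mounted_devices_value(raw: bytes) -> dict:
    """Decode one UTF-16LE MountedDevices value into the fields needed for linking."""
    text = raw.decode("utf-16-le").rstrip("\x00")
    m = VISTA_RE.match(text)
    if m:
        serial = re.sub(r"&\d+$", "", m.group("instance"))  # drop the trailing "&0" instance suffix
        info = parse_usbstor_key(m.group("device"))
        info.update(os="vista/7", serial=serial,
                    generated_serial=serial_is_windows_generated(serial))
        return info
    m = XP_RE.match(text)
    if m:
        return {"os": "xp", "parent_id_prefix": m.group("pip")}
    raise ValueError("not a USB storage entry: " + text)


def users_who_mounted(serial: str, mounted_devices: dict, mountpoints2: dict) -> list:
    """Link a serial to users: \\??\\Volume{GUID} in MountedDevices -> {GUID} under each user's MountPoints2.

    mounted_devices: {value name: raw bytes}; mountpoints2: {SID: {"{GUID}": last-write datetime}}.
    Returns (SID, last connect time) pairs, oldest first.
    """
    hits = []
    for name, raw in mounted_devices.items():
        if not name.startswith("\\??\\Volume{"):
            continue
        try:
            info = decode_mounted_devices_value(raw)
        except ValueError:
            continue  # not a USB storage volume (fixed disk, CD, ...)
        if info.get("serial") != serial:
            continue
        guid = name[len("\\??\\Volume"):]
        for sid, guids in mountpoints2.items():
            if guid in guids:
                hits.append((sid, guids[guid]))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample data, not from a real system.
SAMPLE_VALUE = "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0#" + DISK_CLASS_GUID
SAMPLE_MOUNTED = {
    "\\DosDevices\\E:": SAMPLE_VALUE.encode("utf-16-le"),
    "\\??\\Volume{a1b2c3d4-0000-1111-2222-333344445555}": SAMPLE_VALUE.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {
    "S-1-5-21-1-2-3-1001": {"{a1b2c3d4-0000-1111-2222-333344445555}": datetime(2009, 4, 13, 15, 52, 5)},
    "S-1-5-21-1-2-3-1002": {"{ffffffff-0000-1111-2222-333344445555}": datetime(2009, 4, 12, 9, 0, 0)},
}
```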

When was USB device first connected?

Plug and Play Log Files

- XP: %windir%\setupapi.log
- Vista/7: %windir%\inf\setupapi.dev.log

- Times in the log are in the local timezone of the host
- Look for the first entry for the device serial number

USB Analysis Tools

- USBDeviceForensics by Woanware
- Windows USB Storage Parser (usp) by TZWorks LLC
- Several RegRipper plugins
- Not all of these return the same amount of data you'll get by examining the specified structures manually

File Carving

- Can be done by hand if you're patient and understand the format of the file type you're attempting to carve. Simply identify the clusters you want to carve out, then do "export contents" for each, one by one until finished
- Identifying the beginning of the file relies on there being a signature or magic number of some type
- Identifying how much data to extract will rely on an embedded length specifier of some kind, or on a file footer
- You normally want to carve only from unallocated space, to avoid incorporating data from unrelated allocated files into your results

File Carving Utilities

- List at http://www.forensicswiki.org/wiki/Tools:Data_Recovery#Carving
- For EnCase users I highly recommend the jcCarveFiles EnScript. More basic carving functionality is built in
- SIFT Kit (Honestly, I haven't used these much. I do most carving with EnCase. However, usage is quite straightforward)
  - Foremost
  - Scalpel
- FTK Forensic Suite also has extensive carving capabilities, which I've used in passing
- NFI Defraser: Specifically designed to carve multimedia fragments (I've used this. It works great)

File Carving Step-by-Step with Foremost

First: Keyword Search -> Extract Unallocated

Extract Unallocated

By default, this will concatenate all unallocated clusters into the file /forensics/<case name>/<image name>/output/<flat image name><sector offset>-<number of sectors>ntfs.unalloc

Run Foremost

- foremost -o <output folder> -i <unallocated file path>
- Once it's completed, examine the results using tools such as exiftool, or whatever is appropriate for the file type in question
- It's also possible to customize Foremost by editing /etc/foremost.conf to add more headers, footers, & max file sizes. Unfortunately, you can't specify an offset & format for an internal file length
- Scalpel doesn't support this either
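The header/footer/max-size carving that Foremost performs, and the "internal file length" case that foremost.conf cannot express, as an added example that is not from the lecture or from Foremost itself: one carver works like a foremost.conf rule, the other reads the size field a BMP stores at offset 2. The signatures and the "unallocated" blob are constructed for the demo.

```python
import struct

# Header, footer, max size: the same three fields a foremost.conf line carries (constructed subset).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 200_000),
    "gif": (b"GIF89a", b"\x00\x3b", 200_000),
    "pdf": (b"%PDF-", b"%%EOF", 500_000),
}

# Rules with an embedded length: (header, offset of length field, struct format, smallest plausible size).
# This is what foremost.conf cannot express. BMP keeps its file size at offset 2; 54 = 14-byte file
# header + 40-byte DIB header.
LENGTH_RULES = {
    "bmp": (b"BM", 2, "<I", 54),
}


def carve_by_footer(blob: bytes, signatures=SIGNATURES) -> list:
    """Header/footer carving as Foremost does it: returns (type, offset, data), ordered by offset.

    The next footer within max size ends the file; with no footer, max size bytes are taken.
    Scanning resumes after the carved region, so a file nested inside another is missed.
    """
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := blob.find(header, pos)) >= 0:
            limit = min(len(blob), start + max_size)
            fpos = blob.find(footer, start + len(header), limit)
            end = fpos + len(footer) if fpos >= 0 else limit
            found.append((kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def carve_by_length(blob: bytes, rules=LENGTH_RULES) -> list:
    """Length-field carving: take the size from inside the candidate file instead of hunting a footer."""
    found = []
    for kind, (header, off, fmt, min_size) in rules.items():
        width = struct.calcsize(fmt)
        pos = 0
        while (start := blob.find(header, pos)) >= 0:
            field = blob[start + off:start + off + width]
            if len(field) < width:
                break
            (length,) = struct.unpack(fmt, field)
            if length < min_size:      # two-byte headers like "BM" hit random data; reject implausible sizes
                pos = start + 1
                continue
            end = min(len(blob), start + length)  # clamp when the file runs off the end of the blob
            found.append((kind, start, blob[start:end]))
            pos = end
    return found


# Constructed "unallocated space": zero filler (no accidental signatures) around two fake files.
FILLER = b"\x00" * 50
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF" + b"A" * 100 + b"\xff\xd9"                       # 110 bytes
FAKE_BMP = b"BM" + struct.pack("<I", 70) + b"\x00" * 4 + struct.pack("<I", 54) + b"\x00" * 56  # 70 bytes
UNALLOC = FILLER + FAKE_JPEG + FILLER + FAKE_BMP + FILLER
```

On a real .unalloc file, feed the carvers the bytes of the extracted unallocated clusters; a footer-based JPEG rule will also swallow any embedded thumbnail's FFD9, which is why the page recommends checking results with exiftool.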

Audit.txt File in Foremost Output Folder

Names of Carved Executables

Product Names of Carved DLLs

Titles of Carved HTML Pages

Data Extraction From Memory Images

I discussed how to identify malware using memory image analysis with Memoryze/AuditViewer in week 4. Now I'd like to spend a little time on memory artifact extraction using the Volatility framework

- Volatility 2.2 & numerous plugins are included in the 1.4 SIFT Kit
- 2.3, with extensions for MacOS & Linux, is due out by the end of 2012

What can we get out of memory? (A better question is what can't we?)

Everything passes through memory

- Accounts & Passwords (including crypto keys)
- Log events (EVT log files are memory mapped)
- Registry hives (these are memory mapped as well)

Often it's simpler, easier, & quicker to get memory than to do any other form of acquisition

Tool Download Locations

- Main Tool, current version: https://www.volatilesystems.com/default/volatility or svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
- Various contributed plugins & extensions: http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
- Python (required language support): http://www.python.org or http://www.cygwin.com

Memory Image Extraction

- Volatility requires a dd-style flat image of the subject system's memory
- Capture the image with EnCase Enterprise, Winen (6.13 or above absolutely required), or freeware tools

Plugins in New Volatility 2.2 #1


apihooks: Detect API hooks in process and kernel memory
atoms: Print session and window station atom tables
atomscan: Pool scanner for _RTL_ATOM_TABLE
bioskbd: Reads the keyboard buffer from Real Mode memory [BIOS Password]
callbacks: Print system-wide notification routines
clipboard: Extract the contents of the windows clipboard
cmdscan: Extract command history by scanning for _COMMAND_HISTORY
connections: Print list of open connections [Windows XP and 2003 Only] [like netstat]
connscan: Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles: Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo: Dump crash-dump information
deskscan: Pool scanner for tagDESKTOP (desktops)
devicetree: Show device tree
dlldump: Dump DLLs from a process address space
dlllist: Print list of loaded dlls for each process
driverirp: Driver IRP hook detection
driverscan: Scan for driver objects _DRIVER_OBJECT
envars: Display process environment variables
eventhooks: Print details on windows event hooks
evtlogs: Extract Windows Event Logs (XP/2003 only)
filescan: Scan Physical memory for _FILE_OBJECT pool allocations
gahti: Dump the USER handle type information
gditimers: Print installed GDI timers and callbacks
gdt: Display Global Descriptor Table
getservicesids: Get the names of services in the Registry and return Calculated SID
getsids: Print the SIDs owning each process [useful]

Plugins in New Volatility 2.2 #2


handles: Print list of open handles for each process
hashdump: Dumps password hashes (LM/NTLM) from memory
hibinfo: Dump hibernation file information [convert hiberfile to memdump]
hivedump: Prints out a hive [in text format]
hivelist: Print list of registry hives
hivescan: Scan Physical memory for _CMHIVE objects (registry hives)
idt: Display Interrupt Descriptor Table
imagecopy: Copies a physical address space out as a raw DD image
imageinfo: Identify information for the image [OS version, etc.]
impscan: Scan for calls to imported functions
kdbgscan: Search for and dump potential KDBG values
kpcrscan: Search for and dump potential KPCR values
ldrmodules: Detect unlinked DLLs
lsadump: Dump (decrypted) LSA secrets from the registry
malfind: Find hidden and injected code
memdump: Dump the addressable memory for a process [for string searching]
memmap: Print the memory map
messagehooks: List desktop and thread window message hooks
moddump: Dump a kernel driver to an executable file sample
modscan: Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules: Print list of loaded modules [from in-memory list]
mutantscan: Scan for mutant objects _KMUTANT [some known malicious]
patcher: Patches memory based on page scans
printkey: Print a registry key, and its subkeys and values [including hardware]
procexedump: Dump a process to an executable file sample
procmemdump: Dump a process to an executable memory sample
pslist: Print all running processes by following the EPROCESS lists

Plugins in New Volatility 2.2 #3


psscan: Scan Physical memory for _EPROCESS pool allocations [includes exited]
pstree: Print process list as a tree
psxview: Find hidden processes with various process listings
raw2dmp: Converts a physical memory sample to a windbg crash dump
screenshot: Save a pseudo-screenshot based on GDI windows
sessions: List details on _MM_SESSION_SPACE (user logon sessions)
shimcache: Parses the Application Compatibility Shim Cache registry key
sockets: Print list of open sockets
sockscan: Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt: Display SSDT entries [can detect syscall hooks by syscall module ownership]
strings: Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan: Scan for Windows services
symlinkscan: Scan for symbolic link objects
thrdscan: Scan physical memory for _ETHREAD objects
threads: Investigate _ETHREAD and _KTHREADs
timers: Print kernel timers and associated module DPCs
userassist: Print userassist registry keys and information
userhandles: Dump the USER handle tables
vaddump: Dumps out the vad sections to a file
vadinfo: Dump the VAD info (see "The VAD tree: A process-eye view of physical memory" for details; link in notes)
vadtree: Walk the VAD tree and display in tree format
vadwalk: Walk the VAD tree
volshell: Shell in the memory image
windows: Print Desktop Windows (verbose details)
wintree: Print Z-Order Desktop Windows Tree
wndscan: Pool scanner for tagWINDOWSTATION (window stations)
yarascan: Scan process or kernel memory with Yara signatures

Usage Scenarios

- Malware Infection: Use Volatility to identify backdoors, hidden processes
- Compromised System: Use Volatility to identify hidden rootkit components (including kernel mode rootkits), backdoors
- Other: Use Volatility to extract memory specific to a given process to simplify string analysis, to extract passwords or hashes, or to remotely identify hardware by BIOS information

Example

- VM compromised using the Metasploit MS08-067 exploit, & shell pushed back to attacker
- Note that these actions write nothing to the disk
- Victim VM memory subsequently imaged using winen

Volatility [1.3] Analysis Commands

python volatility datetime -f Phy*
  Returned current date/time when memory was dumped

python volatility hivescan -f Phy*
  Returned offset value of 44548104

python volatility hivelist -f Phy* -o 44548104
  Returned System hive address 0xe1035b60

python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip"
  Returned values & subkeys under the specified key

Volatility [1.3] Analysis Commands (2)

python volatility connections -f Phy*
  Listed connections from in-memory tables

python volatility connscan2 -f Phy*
  Scanned for connections by signature

python volatility sockets -f Phy*
  Listed sockets from in-memory tables

python volatility sockscan2 -f Phy*
  Scanned for sockets by signature

python volatility dlllist -f Phy* -p 1008
  Listed DLLs loaded by the specified process #

datetime[1.3]
$ python volatility datetime -f Phy*
Image local date and time: Mon Apr 13 15:00:11 2009

hivescan[1.3]
$ python volatility hivescan -f Phy*
Offset     (hex)
44548104   0x2a7c008
. . . .

Hivelist [1.3]
$ python volatility hivelist -f Phy* -o 44548104
Address    Name
. .
0xe1357b60 \WINDOWS\system32\config\SAM
0xe145cb60 \WINDOWS\system32\config\SECURITY
0xe1035b60 \WINDOWS\system32\config\system
. .

Hashdump [1.3]
$ python volatility hashdump -f Phy* -y 0xe1035b60 -s 0xe1357b60
Administrator:500:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:981136602258cd6dfef5703cd6838b40:0c2ef0943ce6895efb76af4e2301c7f4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ef55ec8fb9ccdfadfbf4722570d636ba:::
soc:1003:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
hacker:1004:c8e739baa8f9e065500ff6021117719e:aaff7f168e6fc07d9f0cc581372d18ec:::
hacker1:1005:94ceed382acd38ec500ff6021117719e:141994e4786f431541be4cd8e93ef31d:::

Note that several of these hashes are easily crackable via the online ophcrack demo

Printkey [1.3]
$ python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip"
Key name: Tcpip (Stable)
Last updated: Mon Apr 13 15:52:05 2009

Subkeys:

Values:
REG_DWORD     EnableDHCP     : 1 (Stable)
REG_MULTI_SZ  IPAddress      : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ  SubnetMask     : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ  DefaultGateway : [u'', u''] (Stable)
REG_SZ        DhcpIPAddress  : 192.168.1.150 (Stable)
. .

Connections [1.3]
$ python volatility connections -f Phy*
Local Address        Remote Address       Pid
192.168.1.150:1151   192.168.1.151:4444   1008

We also tested this after the connection had dropped, & were able to recover the defunct connection object using connscan2, but in this instance could not find the defunct socket using sockscan2

Sockets [1.3]
$ python volatility sockets -f Phy*
Pid    Port   Proto  Create Time
. .
1008   1151   6      Mon Apr 13 20:56:19 2009
. .

Dlllist [1.3]
$ python volatility dlllist -f Phy* -p 1008
svchost.exe pid: 1008
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 2
Base        Size     Path
. .
0x10000000  0x17000  C:\WINDOWS\system32\metsrv.dll
. .

Registry Examination

- All registry hives are memory mapped, including the hardware hives, which are dynamically generated
- Volatility 1.3 had a hack to rip.pl to support -r <filename>@<hex offset>. It essentially substituted a different API under the hood
- A Volatility plugin, reglist, was added in version 1.4, but doesn't show up in 2.0, which is current. This is actually a complete port of RegRipper to Python
- You can use the hivedump plugin to extract all the keys and values for manual examination

RegRipper

- RegRipper is a set of Perl scripts produced by Harlan Carvey (author of Windows Forensic Analysis) to parse through various registry keys and return information of forensic import
- A modified version has been adapted to extract the same info from the in-memory copies of the registry hives (but it only runs under Linux)
- It's installed on the SIFT Kit as volrip.pl

Fixing volrip.pl

When the SANS people installed volrip.pl on the 1.2 SIFT Kit, they made two mistakes, which cause it to fail. You have to change two lines in /usr/local/bin/volrip.pl to get it to work.

my $plugindir = '/usr/local/src/regripper/plugins';
Should be
my $plugindir = '/usr/local/src/regripper/plugins/';

require "rrplugins/".$plugins{$i}."\.pl";
Should be
require "/usr/local/src/regripper/plugins/".$plugins{$i}."\.pl";

Fixed in 1.3, gone in 1.4 (I'll complain again)

Using volrip.pl
The output of volatility hivelist -o 34786144 -f exemplar12.vmem was:

Address    Name
0xe179e008 [no name]
0xe1a58b60 \Documents and Settings\foo\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \Documents and Settings\LocalService\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \Documents and Settings\NetworkService\NTUSER.DAT
0xe13a3008 \WINDOWS\system32\config\software
0xe1397300 \WINDOWS\system32\config\default
0xe13a0b60 \WINDOWS\system32\config\SECURITY
0xe1362b60 \WINDOWS\system32\config\SAM
0xe11c2008 [no name]
0xe1018388 \WINDOWS\system32\config\system
0xe1008b60 [no name]

So to examine all hives in memory:

volatility hivedump -i 0xe179e008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1548008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1a58b60 -f ntuser
volatility hivedump -i 0xe1095820 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1535820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe107e820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a3008 -f software
volrip.pl -r exemplar12_2.vmem@0xe1397300 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a0b60 -f security
volrip.pl -r exemplar12_2.vmem@0xe1362b60 -f sam
volatility hivedump -i 0xe11c2008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1008b60 -v -f exemplar12_2.vmem
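The hand translation above, from hivelist output to one hivedump or volrip.pl command per hive, as an added example that is not part of the lecture or of Volatility: it parses the hivelist listing and picks the RegRipper profile from the hive file name. The name-to-profile table follows the commands on the slide (including its choice of the ntuser profile for the default hive); unnamed hives get hivedump.

```python
import re

HIVELIST_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(.+?)\s*$", re.I)

# Hive file name -> RegRipper "-f" profile, following the mapping the slide's commands use.
# "default" under ntuser is the slide's choice and is kept here as an assumption.
HIVE_TYPES = {
    "ntuser.dat": "ntuser", "system": "system", "software": "software",
    "security": "security", "sam": "sam", "default": "ntuser",
}


def parse_hivelist(text: str) -> list:
    """Parse Volatility 1.x hivelist output into (address, name) pairs, skipping the header line."""
    hives = []
    for line in text.splitlines():
        m = HIVELIST_LINE.match(line.strip())
        if m:
            hives.append((m.group(1).lower(), m.group(2)))
    return hives


def hive_type(name: str):
    """Map a hive path to its RegRipper profile, or None for "[no name]" and unknown hives."""
    return HIVE_TYPES.get(name.rsplit("\\", 1)[-1].lower())


def build_commands(hivelist_text: str, image: str) -> list:
    """Emit one command per hive: volrip.pl where a profile exists, hivedump for the rest."""
    commands = []
    for addr, name in parse_hivelist(hivelist_text):
        profile = hive_type(name)
        if profile is None:
            commands.append(f"volatility hivedump -i {addr} -v -f {image}")
        else:
            commands.append(f"volrip.pl -r {image}@{addr} -f {profile}")
    return commands


# Constructed copy of the hivelist output shown above.
SAMPLE_HIVELIST = """\
Address    Name
0xe179e008 [no name]
0xe1a58b60 \\Documents and Settings\\foo\\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \\Documents and Settings\\LocalService\\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \\Documents and Settings\\NetworkService\\NTUSER.DAT
0xe13a3008 \\WINDOWS\\system32\\config\\software
0xe1397300 \\WINDOWS\\system32\\config\\default
0xe13a0b60 \\WINDOWS\\system32\\config\\SECURITY
0xe1362b60 \\WINDOWS\\system32\\config\\SAM
0xe11c2008 [no name]
0xe1018388 \\WINDOWS\\system32\\config\\system
0xe1008b60 [no name]
"""

if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_HIVELIST, "exemplar12_2.vmem")))
```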

Other things to do with Volatility

Extract in-memory copies of .EVT logs

Identify & dump VAD table for services.exe. Examine resultant files. Three should have .EVT content (XP), but all events may not be present. There are new downloadable plugins for 2.0 that extract timeline data, including .EVT records & some registry keys. See notes.

There are test plugins available to extract CMD shell history

Volatility 2.0 Setup (briefly)

- Download from http://code.google.com/p/volatility/downloads/detail?name=volatility2.0.tar.gz&can=2&q=
- Extract in SIFT Kit using tar xvzf <filename>
- Run as python vol.py rather than simply volatility. All prerequisites should be installed already
- Note that available commands are different, as are some arguments to old commands/plugins

Reading for next week

Neither text covers next week's topic. Harlan excludes it because it's too large for proper treatment in a chapter, and I can't find a decent dedicated book on Browser Forensics. If you like, you can skim the linked pages on the Forensics Wiki's IE page:

http://www.forensicswiki.org/wiki/Internet_Explorer

Next week's lecture will cover

Internet Explorer Browser Forensics


Questions?
