CNS 320 Week7 Lecture

CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 7 Lecture

Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Post on 03-Jan-2016


Page 1: CNS 320 Week7 Lecture


Page 2: CNS 320 Week7 Lecture

Quiz #2

Any questions before the quiz?

Page 3: CNS 320 Week7 Lecture

New Material for this week

Restore Points & Volume Shadow Copy

USB Device Forensics

File Carving Using Foremost

Data extraction from Memory Dumps using Volatility

Page 4: CNS 320 Week7 Lecture

Restore Points

Restore Points (XP) are created by default every 24 hours so the user can restore the system to a previous state if something goes wrong (boot to last known good state); they are kept 90 days by default.

Contain copies of all system files & registry entries changed since the last restore point

Found in C:\System Volume Information\_restore{GUID}\RP###\

Change.log (binary) file maps generic restore point filenames back to their original paths

Rp.log – last 8 bytes are the Windows FILETIME for the restore point creation date

Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)
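As an added illustration (not part of the original lecture), the FILETIME decoding the Rp.log bullet describes, applied to a constructed rp.log tail. The filler bytes before the timestamp stand in for the real file's contents; only the last 8 bytes are interpreted.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit Windows FILETIME value to an aware UTC datetime."""
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # timedelta cannot hold 100 ns ticks, so integer-divide down to microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def rp_log_creation_time(rp_log: bytes) -> datetime:
    """Return the restore point creation time stored in the last 8 bytes of rp.log,
    which the lecture describes as a (little-endian) Windows FILETIME."""
    if len(rp_log) < 8:
        raise ValueError("rp.log is shorter than 8 bytes; no FILETIME present")
    (filetime,) = struct.unpack("<Q", rp_log[-8:])
    return filetime_to_datetime(filetime)


# Constructed sample: filler standing in for the header and UTF-16 description,
# followed by the creation FILETIME. Not a real rp.log.
SAMPLE_CREATED = datetime(2009, 4, 13, 15, 0, 11, tzinfo=timezone.utc)
SAMPLE_RP_LOG = (
    b"\x00" * 16
    + "System Checkpoint".encode("utf-16-le")
    + b"\x00\x00"
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_CREATED))
)

if __name__ == "__main__":
    print("Restore point created:", rp_log_creation_time(SAMPLE_RP_LOG).isoformat())
```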

Page 5: CNS 320 Week7 Lecture

Change.log Analysis

Mandiant Restore Point Analyzer parses Change.log to map generic restore point filenames back to original paths

Page 6: CNS 320 Week7 Lecture

Registry Analysis Across Multiple Restore Points

RipXP.pl by Harlan Carvey allows comparison of specified registry hives across multiple restore points

Any time registry entries are relevant to a case (almost always), you want to check the same values in all restore points

Page 7: CNS 320 Week7 Lecture

Volume Shadow Copy Service (VSS)

Vista/7 version of Restore Points, but much more pervasive

Tracks all (aggregate) changes made to the filesystem since the last Shadow Copy

Literally allows the entire filesystem, or individual files or folders, to be ‘rolled back’ to a previous state

Offline filesystem can be mounted as it existed at a previous date, including unallocated space

Only takes a snapshot periodically, not continually. Enabled by default.

Typically limited to 15% of volume size

Page 8: CNS 320 Week7 Lecture

Volume Snapshot Creation

Manually

Every 24 hours (Vista)

Every 7 days (Win7)

Before a Windows Update

Unsigned driver installation

An application that calls the Snapshot API

Page 9: CNS 320 Week7 Lecture

Volume Shadow Copy Service (VSS)

Currently the best way to examine shadow copies is from a Vista/Win7 system

Mount drive or image read-only using FTK Imager (this should work, but apparently doesn’t. I expect it to be fixed sometime – see Harlan’s note)

To list available shadows on drive C: “vssadmin list shadows /for=c:”

To mount Shadow Copy #: “mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\”

Should see the response: “symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\”

Page 10: CNS 320 Week7 Lecture

If you can’t make VSS work with a mounted image, or don’t have a Win7 analysis station…

Reported to work: Fallback is to use LiveView to convert the image so it’s mountable in VMware. Then add it to an existing Win7 VMware guest OS. Power on the VM, and examine the mounted image as though it were a physically connected disk.

Also reported to work: Copy the image to a new dd-style flat file & convert it to VHD using vhdtool.exe (this will change the image file). Attach to Win7 (read only) using Disk Manager.

Supposedly EnCase PDE works for mounting also

Page 11: CNS 320 Week7 Lecture

Shadow Volume Imaging

Once you’ve run the mklink command, you should be able to image the mounted shadow copy just like any other disk

Page 12: CNS 320 Week7 Lecture

Timelining

Once you’ve extracted a number of artifacts relating to your case, and narrowed your focus to events known to have happened around certain specific times, timelining techniques are a really great way to find other artifacts related to that case

Page 13: CNS 320 Week7 Lecture

Why?

Virtually anything you do on a live system will update something somewhere.

By finding every timestamp on the system, and looking specifically at the objects that were in some way in use at a time in question, you have a much better chance of figuring out exactly what was going on at that time.

The more unusual the activity going on during the timeframe of interest, or the more quickly you can examine the system, the more artifacts you will be able to link directly to the activity in question using this technique.

Page 14: CNS 320 Week7 Lecture

USB Device Forensics

Uniquely identify specific USB devices

Link them to specific systems & user IDs

Identify times when devices were attached and removed

Page 15: CNS 320 Week7 Lecture

Where to find USB forensic data

The Registry (including restore points): System, Software, NTUSER.DAT

Setupapi.log

Event Logs

Page 16: CNS 320 Week7 Lecture

USB Device & Activity Information

Vendor

Model

Version

Capacity

Serial Number (most, but not all)

Last Drive Letter

Volume Name (filesystem)

Volume Serial Number (filesystem)

First Use

First Use Since Last Reboot

Last Use

Other usage timestamps may be in restore points

Page 17: CNS 320 Week7 Lecture

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USBSTOR

Subkey named “Disk&Ven_<vendor name>&Prod_<product name>&Rev_<product version>”

Product name text may contain capacity and even color

Under this subkey is another named with the device’s unique serial number, if any

If the device has no serial number (not standards-conformant), Windows will create one with an ‘&’ as the second character.

Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)

Page 18: CNS 320 Week7 Lecture

USB Serial Numbers

Note: USB device serial numbers are not part of the data area of the device, and so are not necessarily captured when the device is imaged

This information can be examined live using the MS tool UVCView (part of the Windows Driver Development Kit)

Page 19: CNS 320 Week7 Lecture

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USB

Subkey named Vid_<Vendor ID>&Pid_<Product ID>

Under this subkey is another named with the device’s unique serial number, if any, which links the entry to the same serial number under the USBSTOR key

Last write time of the serial number key is the first time the device was connected following its last reboot

Page 20: CNS 320 Week7 Lecture

USB Registry Keys & Values

HKLM\System\MountedDevices

Value under this named “\DosDevices\<Drive Letter>\”

This value contains the ParentIdPrefix (XP) or serial number (Vista/7) value in Unicode for the last device to use this drive letter

One or more other values here named \??\Volume{<GUID>}

Also contain the ParentIdPrefix (XP) or serial number (Vista/7) value in Unicode. The GUID can be used to link to a specific user

Page 21: CNS 320 Week7 Lecture

USB Registry Keys & Values (Vista/Win7)

HKLM\Software\Microsoft\Windows Portable Devices\Devices

Subkey under this has a long name ending #<serial number>#

Value under this subkey named FriendlyName contains the Volume Name. On Vista only (not Win7) it ends with the drive letter in parentheses

Page 22: CNS 320 Week7 Lecture

USB Registry Keys & Values

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Subkey under this named {<GUID>}

Last write time for this subkey is the last time the device was connected by the specified user.

Page 23: CNS 320 Week7 Lecture

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Subkey named ##?#USBSTOR#Disk&Ven_<Vendor Name>&Prod_<Product Name>&Rev_<Version>#<Serial Number>#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Last write time of this subkey is the first time the device was connected following the last reboot
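An added example, not from the lecture, that ties together the key formats described on the USBSTOR, USB, MountedDevices and DeviceClasses slides: it parses the USBSTOR device subkey name, flags a Windows-generated serial by its second ‘&’, decomposes a DeviceClasses subkey name, and decodes a Vista/7 MountedDevices value (UTF-16LE) to find which drive letter last referenced a device. All sample key names and values are constructed; the only value taken from the slides is the disk class GUID.

```python
import re
from typing import Dict, Optional

# "Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>" as it appears under Enum\USBSTOR.
USBSTOR_DEVICE_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$", re.I)

# DeviceClasses subkey: ##?#USBSTOR#Disk&Ven_..&Prod_..&Rev_..#<instance>#{GUID}
DEVICECLASSES_RE = re.compile(
    r"^##\?#USBSTOR#(?P<device>Disk&Ven_[^#]*)#(?P<instance>[^#]*)#(?P<guid>\{[0-9a-f-]+\})$", re.I)


def parse_usbstor_device(name: str) -> Dict[str, str]:
    """Split an Enum\\USBSTOR device subkey name into vendor, product and revision."""
    m = USBSTOR_DEVICE_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {name!r}")
    return m.groupdict()


def serial_is_windows_generated(instance_id: str) -> bool:
    """True when Windows synthesised the 'serial' because the device had none:
    such instance IDs carry '&' as their second character (e.g. '7&1a2b3c4d&0')."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def device_serial(instance_id: str) -> str:
    """Drop the trailing '&<n>' instance suffix to recover the serial number itself."""
    return instance_id.rsplit("&", 1)[0] if "&" in instance_id else instance_id


def parse_deviceclasses_subkey(name: str) -> Dict[str, str]:
    """Parse the DeviceClasses subkey name into vendor/product/revision/serial/guid."""
    m = DEVICECLASSES_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR DeviceClasses key: {name!r}")
    info = parse_usbstor_device(m["device"])
    info.update(instance=m["instance"], serial=device_serial(m["instance"]), guid=m["guid"])
    return info


def mounted_devices_instance(raw_value: bytes) -> Optional[str]:
    """Decode a MountedDevices value (UTF-16LE) and return the USBSTOR instance ID it
    names, or None for values that do not describe USB storage. Handles the Vista/7 form
    '_??_USBSTOR#Disk&Ven_..&Rev_..#<instance>#{GUID}'; XP's ParentIdPrefix form is not parsed."""
    text = raw_value.decode("utf-16-le", errors="replace").rstrip("\x00")
    m = re.search(r"USBSTOR#Disk&Ven_[^#]*#(?P<instance>[^#]*)#", text, re.I)
    return m["instance"] if m else None


def last_drive_letter(mounted: Dict[str, bytes], instance_id: str) -> Optional[str]:
    """Return the drive letter whose \\DosDevices\\ value last referenced this instance."""
    for value_name, raw in mounted.items():
        if value_name.startswith("\\DosDevices\\") and mounted_devices_instance(raw) == instance_id:
            return value_name.rsplit("\\", 1)[1]
    return None


# Constructed sample values, not taken from a real system. The GUID is the disk
# device-interface class GUID from the DeviceClasses slide.
GUID_DEVINTERFACE_DISK = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_USBSTOR_KEY = "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
SAMPLE_INSTANCE = "001CC0EC34C1EB9010130003&0"
SAMPLE_DEVICECLASSES_KEY = f"##?#USBSTOR#{SAMPLE_USBSTOR_KEY}#{SAMPLE_INSTANCE}#{GUID_DEVINTERFACE_DISK}"
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\E:": f"_??_USBSTOR#{SAMPLE_USBSTOR_KEY}#{SAMPLE_INSTANCE}#{GUID_DEVINTERFACE_DISK}".encode("utf-16-le"),
    "\\??\\Volume{7a1c9e3d-0000-0000-0000-100000000000}": "\\??\\STORAGE#Volume#constructed".encode("utf-16-le"),
}
```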

Page 24: CNS 320 Week7 Lecture

When was USB device first connected?

Plug and Play Log Files: XP – %windir%\setupapi.log; Vista/7 – %windir%\inf\setupapi.dev.log

Times in the log are in the local timezone for the host

Look for the first entry for the device serial number
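An added example (not the lecture's) that performs the "first entry for the device serial number" lookup over a constructed setupapi.dev.log excerpt in the Vista/7 layout. The install-section header and ‘Section start’ line formats are assumptions about that log's layout, and the returned times are kept naive because, as the slide notes, the log is in host-local time.

```python
import re
from datetime import datetime
from typing import Iterable, Iterator, Optional, Tuple

# Assumed Vista/7 setupapi.dev.log layout: an install section opens with a '>>>  [...]'
# header naming the device instance, followed by a '>>>  Section start <timestamp>' line.
SECTION_HEADER_RE = re.compile(r"^>>>\s+\[.*?-\s+(?P<instance>USBSTOR\\[^\]]+)\]\s*$")
SECTION_START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def install_sections(lines: Iterable[str]) -> Iterator[Tuple[str, datetime]]:
    """Yield (USBSTOR instance path, section start time) for every USB storage install section."""
    pending: Optional[str] = None   # header seen, waiting for its 'Section start' line
    for line in lines:
        m = SECTION_HEADER_RE.match(line)
        if m:
            pending = m["instance"]
            continue
        m = SECTION_START_RE.match(line)
        if m and pending is not None:
            # Host-local time, so no tzinfo is attached.
            yield pending, datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            pending = None


def first_install_time(lines: Iterable[str], serial: str) -> Optional[datetime]:
    """Local time of the first install section whose instance path carries the given serial."""
    for instance, when in install_sections(lines):
        if serial.lower() in instance.lower():
            return when
    return None


# Constructed log excerpt; the device and timestamps are made up for the example.
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\\001CC0EC34C1EB9010130003&0]
>>>  Section start 2012/03/15 10:22:31.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2012/03/15 10:22:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\\001CC0EC34C1EB9010130003&0]
>>>  Section start 2012/03/20 09:01:05.000
<<<  Section end 2012/03/20 09:01:06.000
<<<  [Exit status: SUCCESS]
""".splitlines()
```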

Page 25: CNS 320 Week7 Lecture

USB Analysis Tools

USBDeviceForensics by Woanware

Windows USB Storage Parser (usp) by TZWorks LLC

Several RegRipper plugins

Not all of these return the same amount of data you’ll get by examining the specified structures manually

Page 26: CNS 320 Week7 Lecture

File Carving

Can be done by hand if you’re patient and understand the format of the file type you’re attempting to carve.

Simply identify the clusters you want to carve out, then do ‘export contents’ for each, one-by-one until finished.

Identifying the beginning of the file relies on there being a signature or magic number of some type

Identifying how much data to extract will rely on an embedded length specifier of some kind, or on a file footer

You normally want to carve only from unallocated space, to avoid incorporating data from unrelated allocated files into your results

Page 27: CNS 320 Week7 Lecture

File Carving Utilities

List at http://www.forensicswiki.org/wiki/Tools:Data_Recovery#Carving

For EnCase users I highly recommend the jcCarveFiles EnScript. More basic carving functionality is built-in

SIFT Kit: Foremost, Scalpel (Honestly, I haven’t used these much. I do most carving with EnCase. However, usage is quite straightforward)

FTK Forensic Suite also has extensive carving capabilities, which I’ve used in passing

NFI Defraser – Specifically designed to carve multimedia fragments (I’ve used this. It works great)

Page 28: CNS 320 Week7 Lecture

File Carving Step-by-Step with Foremost

First – Keyword Search -> Extract Unallocated

Page 29: CNS 320 Week7 Lecture

Extract Unallocated

By default, this will concatenate all unallocated clusters into the file /forensics/<case name>/<image name>/output/<flat image name>-<sector offset>-<number of sectors>-ntfs.unalloc

Page 30: CNS 320 Week7 Lecture

Run Foremost

foremost -o <output folder> -i <unallocated file path>

Once it’s completed, examine the results using tools such as exiftool, or whatever is appropriate for the filetype in question

It’s also possible to customize foremost by editing /etc/foremost.conf to add more headers, footers, & max file sizes.

Unfortunately, you can’t specify an offset & format for an internal file length

Scalpel doesn’t support this either
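To make the header/footer versus embedded-length distinction concrete, here is an added mini-carver (not foremost, and not code from the lecture) that recovers PNGs by walking their chunk length fields, which is the internal-length approach foremost and Scalpel cannot express, and JPEGs by footer with a maximum size, run over a constructed blob standing in for extracted unallocated space.

```python
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (header / magic number)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker (footer)


def carve_png(data: bytes, start: int) -> Optional[bytes]:
    """Carve a PNG beginning at `start` by walking its chunk length fields until IEND.
    Returns None if a chunk runs past the end of the data or fails its CRC, which is
    how a false-positive signature hit or a truncated file is rejected."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return None
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != crc:
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return data[start:pos]
    return None


def carve_jpeg(data: bytes, start: int, max_size: int) -> Optional[bytes]:
    """Carve a JPEG by footer: everything up to the first EOI within max_size bytes."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
    return data[start:end + len(JPEG_EOI)] if end != -1 else None


def carve(data: bytes, max_jpeg: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Scan unallocated data for PNG and JPEG signatures; return (type, offset, bytes)."""
    found: List[Tuple[str, int, bytes]] = []
    pos = 0
    while pos < len(data):
        hits = [(kind, data.find(sig, pos)) for kind, sig in (("png", PNG_SIG), ("jpeg", JPEG_SOI))]
        hits = [h for h in hits if h[1] != -1]
        if not hits:
            break
        kind, off = min(hits, key=lambda h: h[1])
        blob = carve_png(data, off) if kind == "png" else carve_jpeg(data, off, max_jpeg)
        if blob is None:
            pos = off + 1          # unusable hit: resume scanning just past the signature
            continue
        found.append((kind, off, blob))
        pos = off + len(blob)      # skip the carved file so its body is not rescanned
    return found


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC) for the constructed sample below."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# Constructed 'unallocated space': filler, a minimal 1x1 PNG, filler, a stub JPEG, filler.
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + png_chunk(b"IEND", b""))
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_EOI
SAMPLE_UNALLOC = b"\x00" * 512 + SAMPLE_PNG + b"\xa5" * 300 + SAMPLE_JPEG + b"\x00" * 200
```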

Page 31: CNS 320 Week7 Lecture

Audit.txt File in Foremost Output Folder

Page 32: CNS 320 Week7 Lecture

Names of Carved Executables

Page 33: CNS 320 Week7 Lecture

Product Names of Carved DLLs

Page 34: CNS 320 Week7 Lecture

Titles of Carved HTML Pages

Page 35: CNS 320 Week7 Lecture

Data Extraction From Memory Images

I discussed how to identify malware using memory image analysis with Memoryze/AuditViewer in week 4

Now I’d like to spend a little time on memory artifact extraction using the Volatility framework

Volatility 2.2 & numerous plugins are included in the 1.4 SIFT Kit

2.3, with extensions for MacOS & Linux, is due out by end of 2012

Page 36: CNS 320 Week7 Lecture

What can we get out of memory? (A better question is what can’t we?)

Everything passes through memory

Accounts & Passwords (including crypto keys)

Log events (EVT log files are memory mapped)

Registry hives (these are memory mapped as well)

Often it’s simpler, easier, & quicker to get memory than to do any other form of acquisition

Page 37: CNS 320 Week7 Lecture

Tool Download Locations

Main Tool Current version – https://www.volatilesystems.com/default/volatility or svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only

Various contributed plugins & extensions – http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins

Python (required language support) – http://www.python.org or http://www.cygwin.com

Page 38: CNS 320 Week7 Lecture

Memory Image Extraction

Volatility requires a dd-style flat image of the subject system’s memory

Capture the image with EnCase Enterprise, Winen (6.13 or above absolutely required), or freeware tools

Page 39: CNS 320 Week7 Lecture

Plugins in New Volatility 2.2 #1

apihooks – Detect API hooks in process and kernel memory
atoms – Print session and window station atom tables
atomscan – Pool scanner for _RTL_ATOM_TABLE
bioskbd – Reads the keyboard buffer from Real Mode memory [BIOS Password]
callbacks – Print system-wide notification routines
clipboard – Extract the contents of the windows clipboard
cmdscan – Extract command history by scanning for _COMMAND_HISTORY
connections – Print list of open connections [Windows XP and 2003 Only] [like netstat]
connscan – Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles – Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo – Dump crash-dump information
deskscan – Pool scanner for tagDESKTOP (desktops)
devicetree – Show device tree
dlldump – Dump DLLs from a process address space
dlllist – Print list of loaded dlls for each process
driverirp – Driver IRP hook detection
driverscan – Scan for driver objects _DRIVER_OBJECT
envars – Display process environment variables
eventhooks – Print details on windows event hooks
evtlogs – Extract Windows Event Logs (XP/2003 only)
filescan – Scan Physical memory for _FILE_OBJECT pool allocations
gahti – Dump the USER handle type information
gditimers – Print installed GDI timers and callbacks
gdt – Display Global Descriptor Table
getservicesids – Get the names of services in the Registry and return Calculated SID
getsids – Print the SIDs owning each process [useful]

Page 40: CNS 320 Week7 Lecture

Plugins in New Volatility 2.2 #2

handles – Print list of open handles for each process
hashdump – Dumps password hashes (LM/NTLM) from memory
hibinfo – Dump hibernation file information [convert hiberfile to memdump]
hivedump – Prints out a hive [in text format]
hivelist – Print list of registry hives
hivescan – Scan Physical memory for _CMHIVE objects (registry hives)
idt – Display Interrupt Descriptor Table
imagecopy – Copies a physical address space out as a raw DD image
imageinfo – Identify information for the image [OS version, etc.]
impscan – Scan for calls to imported functions
kdbgscan – Search for and dump potential KDBG values
kpcrscan – Search for and dump potential KPCR values
ldrmodules – Detect unlinked DLLs
lsadump – Dump (decrypted) LSA secrets from the registry
malfind – Find hidden and injected code
memdump – Dump the addressable memory for a process [for string searching]
memmap – Print the memory map
messagehooks – List desktop and thread window message hooks
moddump – Dump a kernel driver to an executable file sample
modscan – Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules – Print list of loaded modules [from in-memory list]
mutantscan – Scan for mutant objects _KMUTANT [some known malicious]
patcher – Patches memory based on page scans
printkey – Print a registry key, and its subkeys and values [including hardware]
procexedump – Dump a process to an executable file sample
procmemdump – Dump a process to an executable memory sample
pslist – Print all running processes by following the EPROCESS lists

Page 41: CNS 320 Week7 Lecture

Plugins in New Volatility 2.2 #3

psscan – Scan Physical memory for _EPROCESS pool allocations [includes exited]
pstree – Print process list as a tree
psxview – Find hidden processes with various process listings
raw2dmp – Converts a physical memory sample to a windbg crash dump
screenshot – Save a pseudo-screenshot based on GDI windows
sessions – List details on _MM_SESSION_SPACE (user logon sessions)
shimcache – Parses the Application Compatibility Shim Cache registry key
sockets – Print list of open sockets
sockscan – Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt – Display SSDT entries [can detect syscall hooks by syscall module ownership]
strings – Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan – Scan for Windows services
symlinkscan – Scan for symbolic link objects
thrdscan – Scan physical memory for _ETHREAD objects
threads – Investigate _ETHREAD and _KTHREADs
timers – Print kernel timers and associated module DPCs
userassist – Print userassist registry keys and information
userhandles – Dump the USER handle tables
vaddump – Dumps out the vad sections to a file
vadinfo – Dump the VAD info
vadtree – Walk the VAD tree and display in tree format
vadwalk – Walk the VAD tree
volshell – Shell in the memory image
windows – Print Desktop Windows (verbose details)
wintree – Print Z-Order Desktop Windows Tree
wndscan – Pool scanner for tagWINDOWSTATION (window stations)
yarascan – Scan process or kernel memory with Yara signatures

See: “The VAD tree: A process-eye view of physical memory” for details (link in notes)

Page 42: CNS 320 Week7 Lecture

Usage Scenarios

Malware Infection – Use Volatility to identify backdoors, hidden processes

Compromised System – Use Volatility to identify hidden rootkit components (including kernel mode rootkits), backdoors

Other – Use Volatility to extract memory specific to a given process to simplify string analysis, to extract passwords or hashes, or to remotely identify hardware by BIOS information.

Page 43: CNS 320 Week7 Lecture

Example

VM compromised using Metasploit MS08-067 exploit, & shell pushed back to attacker

Note that these actions write nothing to the disk

Victim VM memory subsequently imaged using winen

Page 44: CNS 320 Week7 Lecture

Volatility [1.3] Analysis Commands

python volatility datetime -f Phy*
Returned current date/time when memory was dumped

python volatility hivescan -f Phy*
Returned offset value of 44548104

python volatility hivelist -f Phy* -o 44548104
Returned System hive address 0xe1035b60

python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip"
Returned values & subkeys under the specified key

Page 45: CNS 320 Week7 Lecture

Volatility [1.3] Analysis Commands (2)

python volatility connections -f Phy*
Listed connections from in-memory tables

python volatility connscan2 -f Phy*
Scanned for connections by signature

python volatility sockets -f Phy*
Listed sockets from in-memory tables

python volatility sockscan2 -f Phy*
Scanned for sockets by signature

python volatility dlllist -f Phy* -p 1008
Listed DLLs loaded by the specified process #

Page 46: CNS 320 Week7 Lecture

datetime [1.3]

$ python volatility datetime -f Phy*
Image local date and time: Mon Apr 13 15:00:11 2009

Page 47: CNS 320 Week7 Lecture

hivescan [1.3]

$ python volatility hivescan -f Phy*
Offset (hex)
44548104 0x2a7c008
...

Page 48: CNS 320 Week7 Lecture

hivelist [1.3]

$ python volatility hivelist -f Phy* -o 44548104
Address Name
...
0xe1357b60 \WINDOWS\system32\config\SAM
0xe145cb60 \WINDOWS\system32\config\SECURITY
0xe1035b60 \WINDOWS\system32\config\system
...

Page 49: CNS 320 Week7 Lecture

hashdump [1.3]

$ python volatility hashdump -f Phy* -y 0xe1035b60 -s 0xe1357b60
Administrator:500:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:981136602258cd6dfef5703cd6838b40:0c2ef0943ce6895efb76af4e2301c7f4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ef55ec8fb9ccdfadfbf4722570d636ba:::
soc:1003:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
hacker:1004:c8e739baa8f9e065500ff6021117719e:aaff7f168e6fc07d9f0cc581372d18ec:::
hacker1:1005:94ceed382acd38ec500ff6021117719e:141994e4786f431541be4cd8e93ef31d:::

Note that several of these hashes are easily crackable via the online ophcrack demo

Page 50: CNS 320 Week7 Lecture

printkey [1.3]

$ python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip"
Key name: Tcpip (Stable)
Last updated: Mon Apr 13 15:52:05 2009

Subkeys:

Values:
REG_DWORD EnableDHCP : 1 (Stable)
REG_MULTI_SZ IPAddress : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ SubnetMask : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ DefaultGateway : [u'', u''] (Stable)
REG_SZ DhcpIPAddress : 192.168.1.150 (Stable)
...

Page 51: CNS 320 Week7 Lecture

connections [1.3]

$ python volatility connections -f Phy*
Local Address Remote Address Pid
192.168.1.150:1151 192.168.1.151:4444 1008

We also tested this after the connection had dropped, & were able to recover the defunct connection object using connscan2, but in this instance could not find the defunct socket using sockscan2

Page 52: CNS 320 Week7 Lecture

sockets [1.3]

$ python volatility sockets -f Phy*
Pid Port Proto Create Time
...
1008 1151 6 Mon Apr 13 20:56:19 2009
...

Page 53: CNS 320 Week7 Lecture

dlllist [1.3]

$ python volatility dlllist -f Phy* -p 1008
svchost.exe pid: 1008
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 2

Base Size Path
...
0x10000000 0x17000 C:\WINDOWS\system32\metsrv.dll
...

Page 54: CNS 320 Week7 Lecture

Registry Examination

All registry hives are memory mapped, including the hardware hives, which are dynamically generated

Volatility 1.3 had a hack to rip.pl to support ‘-r <filename>@<hex offset>’. It essentially substituted a different API under the hood.

A Volatility plugin, reglist, was added in version 1.4, but doesn’t show up in 2.0, which is current. This is actually a complete port of RegRipper to Python.

You can use the hivedump plugin to extract all the keys and values for manual examination

Page 55: CNS 320 Week7 Lecture

RegRipper

RegRipper is a set of Perl scripts produced by Harlan Carvey (author of Windows Forensic Analysis) to parse through various registry keys and return information of forensic import

A modified version has been adapted to extract the same info from the in-memory copies of the registry hives (but it only runs under Linux). It’s installed on the SIFT Kit as volrip.pl

Page 56: CNS 320 Week7 Lecture

Fixing volrip.pl

When the SANS people installed volrip.pl on the 1.2 SIFT Kit, they made two mistakes, which cause it to fail.

You have to change two lines in /usr/local/bin/volrip.pl to get it to work.

my $plugindir = '/usr/local/src/regripper/plugins';

Should be

my $plugindir = '/usr/local/src/regripper/plugins/';

require "rrplugins/".$plugins{$i}."\.pl";

Should be

require "/usr/local/src/regripper/plugins/".$plugins{$i}."\.pl";

Fixed in 1.3, gone in 1.4 (I’ll complain again)

Page 57: CNS 320 Week7 Lecture

Using volrip.pl

The ‘volatility hivelist -o 34786144 -f exemplar12.vmem’ output was:

Address Name
0xe179e008 [no name]
0xe1a58b60 \Documents and Settings\foo\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \Documents and Settings\LocalService\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \Documents and Settings\NetworkService\NTUSER.DAT
0xe13a3008 \WINDOWS\system32\config\software
0xe1397300 \WINDOWS\system32\config\default
0xe13a0b60 \WINDOWS\system32\config\SECURITY
0xe1362b60 \WINDOWS\system32\config\SAM
0xe11c2008 [no name]
0xe1018388 \WINDOWS\system32\config\system
0xe1008b60 [no name]

Page 58: CNS 320 Week7 Lecture

So to examine all hives in memory…

volatility hivedump -i 0xe179e008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1548008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1a58b60 -f ntuser
volatility hivedump -i 0xe1095820 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1535820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe107e820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a3008 -f software
volrip.pl -r exemplar12_2.vmem@0xe1397300 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a0b60 -f security
volrip.pl -r exemplar12_2.vmem@0xe1362b60 -f sam
volatility hivedump -i 0xe11c2008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1008b60 -v -f exemplar12_2.vmem
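The command list above was written by hand from the hivelist output. As an added example (not part of the lecture), this script generates the same kind of list from that output, choosing volrip.pl for hives RegRipper understands and hivedump for the rest; the hive-type mapping follows the slide's own choices, including passing the DEFAULT hive as ntuser. The sample input is the hivelist output from the previous slide.

```python
import re
from typing import List, Optional, Tuple

# One hive per line: "<virtual address> <hive name>"; the "Address Name" header does not match.
HIVE_LINE_RE = re.compile(r"^(?P<addr>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s*$")

# Hive file name -> volrip.pl -f type. DEFAULT has the user-hive layout, which is why the
# slide passes it as 'ntuser'. Unnamed hives get hivedump instead.
KNOWN_HIVES = {"system": "system", "sam": "sam", "security": "security",
               "software": "software", "ntuser.dat": "ntuser", "default": "ntuser"}


def parse_hivelist(output: str) -> List[Tuple[int, str]]:
    """Parse Volatility 1.3 'hivelist' output into (virtual address, hive name) pairs."""
    hives = []
    for line in output.splitlines():
        m = HIVE_LINE_RE.match(line.strip())
        if m:
            hives.append((int(m["addr"], 16), m["name"]))
    return hives


def hive_type(name: str) -> Optional[str]:
    """Map a hive path to its volrip.pl -f type, or None for hives RegRipper cannot parse."""
    base = name.lower().rsplit("\\", 1)[-1]
    return KNOWN_HIVES.get(base)


def build_commands(hivelist_output: str, image: str) -> List[str]:
    """One extraction command per hive, following the lecture's approach: volrip.pl for
    hives RegRipper knows, 'volatility hivedump' for everything else."""
    cmds = []
    for addr, name in parse_hivelist(hivelist_output):
        kind = hive_type(name)
        if kind:
            cmds.append(f"volrip.pl -r {image}@{addr:#x} -f {kind}")
        else:
            cmds.append(f"volatility hivedump -i {addr:#x} -v -f {image}")
    return cmds


# The hivelist output shown on the 'Using volrip.pl' slide, one hive per line.
SAMPLE_HIVELIST = """\
Address Name
0xe179e008 [no name]
0xe1a58b60 \\Documents and Settings\\foo\\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \\Documents and Settings\\LocalService\\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \\Documents and Settings\\NetworkService\\NTUSER.DAT
0xe13a3008 \\WINDOWS\\system32\\config\\software
0xe1397300 \\WINDOWS\\system32\\config\\default
0xe13a0b60 \\WINDOWS\\system32\\config\\SECURITY
0xe1362b60 \\WINDOWS\\system32\\config\\SAM
0xe11c2008 [no name]
0xe1018388 \\WINDOWS\\system32\\config\\system
0xe1008b60 [no name]
"""

if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_HIVELIST, "exemplar12_2.vmem"):
        print(cmd)
```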

Page 59: CNS 320 Week7 Lecture

Other things to do with Volatility

Extract in-memory copies of .EVT logs: identify & dump the VAD table for services.exe, then examine the resultant files. Three should have .EVT content (XP), but all events may not be present.

There are new downloadable plugins for 2.0 that extract timeline data, including .EVT records & some registry keys. See notes.

There are test plugins available to extract CMD shell history

Page 60: CNS 320 Week7 Lecture

Volatility 2.0 Setup (briefly)

Download from http://code.google.com/p/volatility/downloads/detail?name=volatility-2.0.tar.gz&can=2&q=

Extract in SIFT Kit using ‘tar xvzf <filename>’

Run as ‘python vol.py’ rather than simply ‘volatility’. All prerequisites should be installed already. Note that available commands are different, as are some arguments to old commands/plugins.

Page 61: CNS 320 Week7 Lecture

Reading for next week

Neither text covers next week’s topic. Harlan excludes it because it’s too large for proper treatment in a chapter, and I can’t find a decent dedicated book on Browser Forensics. If you like, you can skim the linked pages on the Forensics Wiki’s IE page: http://www.forensicswiki.org/wiki/Internet_Explorer

Next week’s lecture will cover Internet Explorer Browser Forensics

Page 62: CNS 320 Week7 Lecture


Questions?