CNS 320 Week 7 Lecture
Transcript of CNS 320 Week 7 Lecture
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 7 Lecture
Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Quiz #2
Any questions before the quiz?
New Material for this week
Restore Points & Volume Shadow Copy
USB Device Forensics
File Carving Using Foremost
Data extraction from Memory Dumps using Volatility
Restore Points
Restore Points (XP) are created by default every 24 hours so the user can restore the system to a previous state if something goes wrong (boot to last known good state); kept 90 days by default
Contain copies of all system files & registry entries changed since the last restore point
Found in C:\System Volume Information\_restore{GUID}\RP###\
Change.log (binary) file maps generic restore point filenames back to their original paths
Rp.log – last 8 bytes are a Windows FILETIME for the restore point creation date
Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)
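As an added example (not from the lecture or from any tool it names), the following Python reads the FILETIME in the last 8 bytes of rp.log and converts it to a UTC timestamp. The rp.log bytes it runs on are constructed inline, since no real restore point appears on this page; only the 8-byte footer layout matters to the parser.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    # Integer division drops the sub-microsecond part that Python datetimes cannot hold.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse conversion, used here only to build the constructed sample file."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def rplog_creation_time(rplog_bytes):
    """Return the restore point creation time stored in rp.log.

    Per the slide above, the creation date is the last 8 bytes of rp.log,
    a little-endian FILETIME. The preceding bytes are left unparsed.
    """
    if len(rplog_bytes) < 8:
        raise ValueError("rp.log is shorter than 8 bytes; no FILETIME footer present")
    (filetime,) = struct.unpack("<Q", rplog_bytes[-8:])
    return filetime_to_datetime(filetime)


# Constructed sample: 24 bytes of placeholder body followed by the FILETIME footer.
# This is not a real rp.log; it only reproduces the footer layout described above.
SAMPLE_TIME = datetime(2009, 4, 13, 15, 0, 11, tzinfo=timezone.utc)
SAMPLE_RPLOG = b"\x00" * 24 + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME))


if __name__ == "__main__":
    # Against a real restore point: rplog_creation_time(open(path, "rb").read())
    print("Restore point created:", rplog_creation_time(SAMPLE_RPLOG).isoformat())
```

The result is UTC; compare it with the last-write times of the Snapshot hives and with the local-time entries in setupapi.log only after adjusting for the host's timezone.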
Change.log Analysis
Mandiant Restore Point Analyzer parses Change.log to map generic restore point filenames back to their original paths
Registry Analysis Across Multiple Restore Points
RipXP.pl by Harlan Carvey allows comparison of specified registry hives across multiple restore points
Any time registry entries are relevant to a case (almost always), you want to check the same values in all restore points
Volume Shadow Copy Service (VSS)
Vista/7 version of Restore Points, but much more pervasive
Tracks all (aggregate) changes made to the filesystem since the last Shadow Copy
Literally allows the entire filesystem, or individual files or folders, to be ‘rolled back’ to a previous state
Offline filesystem can be mounted as it existed at a previous date, including unallocated space
Only takes a snapshot periodically, not continually. Enabled by default.
Typically limited to 15% of volume size
Volume Snapshot Creation
Manually
Every 24 hours (Vista)
Every 7 days (Win7)
Before a Windows Update
Unsigned driver installation
An application that calls the Snapshot API
Volume Shadow Copy Service (VSS)
Currently the best way to examine shadow copies is from a Vista/Win7 system
Mount the drive or image read-only using FTK Imager (this should work, but apparently doesn’t. I expect it to be fixed sometime – see Harlan’s note)
To list available shadows on drive C: “vssadmin list shadows /for=c:”
To mount Shadow Copy #: “mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\”
Should see the response: “symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\”
If you can’t make VSS work with a mounted image, or don’t have a Win7 analysis station…
Reported to work: Fallback is to use Liveview to convert the image so it’s mountable in VMware. Then add it to an existing Win7 VMware guest OS, power on the VM, and examine the mounted image as though it were a physically connected disk
Also reported to work: Copy the image to a new dd-style flat file & convert it to VHD using vhdtool.exe (this will change the image file). Attach to Win7 (read only) using Disk Manager.
Supposedly EnCase PDE works for mounting also
Shadow Volume Imaging
Once you’ve run the mklink command, you should be able to image the mounted shadow copy just like any other disk
Timelining
Once you’ve extracted a number of artifacts relating to your case, and narrowed your focus to events known to have happened around certain specific times, timelining techniques are a really great way to find other artifacts related to that case
Why? Virtually anything you do on a live system will update something somewhere. By finding every timestamp on the system, and looking specifically at the objects that were in some way in use at the time in question, you have a much better chance of figuring out exactly what was going on at that time.
The more unusual the activity during the timeframe of interest, or the more quickly you can examine the system, the more artifacts you will be able to link directly to the activity in question using this technique.
USB Device Forensics
Uniquely identify specific USB devices
Link them to specific systems & user IDs
Identify times when devices were attached and removed
Where to find USB forensic data
The Registry (including restore points): System, Software, NTUSER.DAT
Setupapi.log
Event Logs
USB Device & Activity Information
Vendor
Model
Version
Capacity
Serial Number (most, but not all)
Last Drive Letter
Volume Name (filesystem)
Volume Serial Number (filesystem)
First Use
First Use Since Last Reboot
Last Use
Other usage timestamps may be in restore points
USB Registry Keys & Values
HKLM\System\CurrentControlSet\Enum\USBSTOR
Subkey named “Disk&Ven_<vendor name>&Prod_<product name>&Rev_<product version>”
Product name text may contain capacity and even color
Under this subkey is another named with the device’s unique serial number, if any
If the device has no serial number (not conformant to the standard), Windows will create one with an ‘&’ as the second character.
Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)
USB Serial Numbers
Note: USB device serial numbers are not part of the data area of the device, and so are not necessarily captured when the device is imaged
This information can be examined live using the MS tool UVCView (part of the Windows Driver Development Kit)
USB Registry Keys & Values
HKLM\System\CurrentControlSet\Enum\USB
Subkey named Vid_<Vendor ID>&Pid_<Product ID>
Under this subkey is another named with the device’s unique serial number, if any, which links the entry to the same serial number under the USBSTOR key
Last write time of the serial number key is the first time the device was connected following its last reboot
USB Registry Keys & Values
HKLM\System\MountedDevices
Value under this named “\DosDevices\<Drive Letter>\”
This value contains the ParentIdPrefix (XP) or serial number (Vista/7) value in Unicode for the last device to use this drive letter
One or more other values here named \??\Volume{<GUID>}
These also contain the ParentIdPrefix (XP) or serial number (Vista/7) value in Unicode. The GUID can be used to link to a specific user
USB Registry Keys & Values (Vista/Win7)
HKLM\Software\Microsoft\Windows Portable Devices\Devices
Subkey under this has a long name ending #<serial number>#
Value under this subkey named FriendlyName contains the Volume Name; on Vista only (not Win7) it ends with the drive letter in parentheses
USB Registry Keys & Values
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Subkey under this named {<GUID>}
Last write time for this subkey is the last time the device was connected by the specified user.
USB Registry Keys & Values
HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Subkey named ##?#USBSTOR#Disk&Ven_<Vendor Name>&Prod_<Product Name>&Rev_<Version>#<Serial Number>#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Last write time of this subkey is the first time the device was connected following the last reboot
When was the USB device first connected?
Plug and Play log files: XP - %windir%\setupapi.log; Vista/7 - %windir%\inf\setupapi.dev.log
Times in the log are in the local timezone for the host
Look for the first entry for the device serial number
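The slides above describe the USBSTOR key naming, the Windows-generated serial convention, the Unicode MountedDevices values, and the search for a serial's first appearance in setupapi.log. The Python below is an added example that implements those four checks; it is not from the lecture or from any of the tools it lists. The setupapi.log and setupapi.dev.log excerpts, the MountedDevices value and the serial numbers are all constructed for the example, modelled on the real layouts rather than copied from any host.

```python
import re
from datetime import datetime

# Matches USBSTOR subkey names of the form Disk&Ven_<vendor>&Prod_<product>&Rev_<version>.
USBSTOR_KEY_RE = re.compile(
    r"^(?P<devtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)

# Timestamp carriers in the two plug-and-play logs named on the slide:
#   XP      setupapi.log:     "[2009/04/13 14:55:02 1056.4 Driver Install]"
#   Vista/7 setupapi.dev.log: ">>>  Section start 2009/04/13 14:55:02.123"
TIMESTAMP_RE = re.compile(r"^(?:\[|>>>\s+Section start )(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_usbstor_key(key_name):
    """Split a USBSTOR device key name into device type, vendor, product and revision."""
    m = USBSTOR_KEY_RE.match(key_name)
    if m is None:
        raise ValueError("not a USBSTOR device key name: %r" % key_name)
    return m.groupdict()


def serial_is_windows_generated(serial):
    """True when the serial key name was synthesised by Windows ('&' as second character)."""
    return len(serial) > 1 and serial[1] == "&"


def decode_mounted_devices_value(raw_value):
    """MountedDevices values are UTF-16LE; the ParentIdPrefix (XP) or serial (Vista/7) is embedded in the string."""
    return raw_value.decode("utf-16-le").rstrip("\x00")


def first_setupapi_entry(log_lines, serial):
    """Return the local-time timestamp of the first log entry naming `serial`, or None.

    XP logs put the timestamp header before the lines that mention the device; Vista/7
    logs name the device in a '>>>  [Device Install ...]' banner and put the time on the
    following 'Section start' line, so both orders are handled.
    """
    needle = serial.lower()
    current_time = None
    awaiting_section_start = False
    for line in log_lines:
        stripped = line.strip()
        m = TIMESTAMP_RE.match(stripped)
        if m:
            current_time = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            if awaiting_section_start:
                return current_time
            continue
        if needle in stripped.lower():
            if stripped.startswith(">>>"):
                awaiting_section_start = True  # Vista/7 banner: time is on the next line
            elif current_time is not None:
                return current_time  # XP: time came from the preceding header
    return None


# Constructed sample logs (modelled on the real formats, not copied from any host).
SAMPLE_SETUPAPI_LOG = """\
[2009/04/13 09:12:44 1056.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandisk_cruzer________8.02
#I022 Found "USBSTOR\\DISK" in C:\\WINDOWS\\inf\\usbstor.inf; Device: "Disk drive"
[2009/04/13 14:55:02 1056.4 Driver Install]
#-124 Doing copy-only install of "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\\0123456789ABCDEF&0".
#I121 Device install of "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\\0123456789ABCDEF&0" finished successfully.
"""
SAMPLE_SETUPAPI_DEV_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\\0123456789ABCDEF&0]
>>>  Section start 2011/03/02 08:14:21.404
     dvi: {Build Driver List} 08:14:21.420
<<<  Section end 2011/03/02 08:14:23.951
"""
# Constructed MountedDevices value carrying an XP-style ParentIdPrefix ("7&2a4b9c1d&0").
SAMPLE_MOUNTED_DEVICES_VALUE = (
    "\\??\\STORAGE#RemovableMedia#7&2a4b9c1d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
).encode("utf-16-le")

if __name__ == "__main__":
    print(parse_usbstor_key("Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02"))
    print("generated serial:", serial_is_windows_generated("7&2a4b9c1d&0"))
    print(decode_mounted_devices_value(SAMPLE_MOUNTED_DEVICES_VALUE))
    print("first connected (XP):", first_setupapi_entry(SAMPLE_SETUPAPI_LOG.splitlines(), "0123456789ABCDEF"))
    print("first connected (Win7):", first_setupapi_entry(SAMPLE_SETUPAPI_DEV_LOG.splitlines(), "0123456789ABCDEF"))
```

The timestamps returned are naive, deliberately: setupapi times are host-local (see above), so convert them to UTC with the host's timezone before lining them up against registry last-write times.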
USB Analysis Tools
USBDeviceForensics by Woanware
Windows USB Storage Parser (usp) by TZWorks LLC
Several RegRipper plugins
Not all of these return the same amount of data you’ll get by examining the specified structures manually
File Carving
Can be done by hand if you’re patient and understand the format of the file type you’re attempting to carve.
Simply identify the clusters you want to carve out, then do ‘export contents’ for each, one by one until finished.
Identifying the beginning of the file relies on there being a signature or magic number of some type
Identifying how much data to extract will rely on an embedded length specifier of some kind, or on a file footer
You normally want to carve only from unallocated space, to avoid incorporating data from unrelated allocated files into your results
File Carving Utilities
List at http://www.forensicswiki.org/wiki/Tools:Data_Recovery#Carving
For EnCase users I highly recommend the jcCarveFiles EnScript. More basic carving functionality is built in.
SIFT Kit: Foremost, Scalpel (Honestly, I haven’t used these much. I do most carving with EnCase. However, usage is quite straightforward)
FTK Forensic Suite also has extensive carving capabilities, which I’ve used in passing
NFI Defraser – Specifically designed to carve multimedia fragments (I’ve used this. It works great)
File Carving Step-by-Step with Foremost
First – Keyword Search -> Extract Unallocated
Extract Unallocated: By default, this will concatenate all unallocated clusters into the file /forensics/<case name>/<image name>/output/<flat image name>-<sector offset>-<number of sectors>-ntfs.unalloc
Run Foremost: foremost -o <output folder> -i <unallocated file path>
Once it’s completed, examine the results using tools such as exiftool, or whatever is appropriate for the file type in question
It’s also possible to customize Foremost by editing /etc/foremost.conf to add more headers, footers, & max file sizes.
Unfortunately, you can’t specify an offset & format for an internal file length
Scalpel doesn’t support this either
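To make the header/footer/max-size mechanics of the carving slides concrete, here is an added Python example of a minimal signature carver (my code, not Foremost's or Scalpel's, and not from the lecture). It goes one step beyond the text: besides footer-bounded and max-size-bounded carving it also supports an embedded length field, which is exactly what the slide says foremost.conf cannot express. The signature table and the "unallocated" buffer it runs over are constructed for the example; the JPEG and BMP entries are simplified stand-ins, not production signatures.

```python
import os

# Constructed signature table modelled on the header/footer/max-size fields of
# /etc/foremost.conf, extended with an optional embedded-length field.
# Entry: (extension, header, footer or None, (offset, width, byteorder) or None, max size)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", None, 4096),  # footer-delimited
    ("bmp", b"BM", None, (2, 4, "little"), 4096),        # file size stored at offset 2
]


def carve(data, signatures=SIGNATURES):
    """Return [(extension, offset, bytes)] for every signature hit in `data`.

    Each hit is bounded by, in order of preference: the embedded length field,
    the footer, or the maximum size. Like foremost, every header hit is
    reported, including hits that overlap another carved file; deciding which
    are real is left to the analyst.
    """
    results = []
    for ext, header, footer, length_field, max_size in signatures:
        start = data.find(header)
        while start != -1:
            limit = min(len(data), start + max_size)
            end = limit  # fallback when neither a length field nor a footer settles it
            if length_field is not None:
                off, width, order = length_field
                field = data[start + off:start + off + width]
                declared = int.from_bytes(field, order) if len(field) == width else 0
                if declared >= len(header):
                    end = min(start + declared, limit)
            elif footer is not None:
                fpos = data.find(footer, start + len(header), limit)
                if fpos != -1:
                    end = fpos + len(footer)
            results.append((ext, start, data[start:end]))
            start = data.find(header, start + 1)
    return sorted(results, key=lambda hit: hit[1])


def write_carved(results, outdir):
    """Write each hit as <type>/<offset>.<type>, mirroring foremost's per-type output folders."""
    paths = []
    for ext, offset, blob in results:
        subdir = os.path.join(outdir, ext)
        os.makedirs(subdir, exist_ok=True)
        path = os.path.join(subdir, "%08d.%s" % (offset, ext))
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


# Constructed "unallocated space": zero filler around one fake JPEG and one fake BMP.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"  # 26 bytes, footer-terminated
_BMP_BODY = b"P" * 30
SAMPLE_BMP = b"BM" + (14 + len(_BMP_BODY)).to_bytes(4, "little") + b"\x00" * 8 + _BMP_BODY  # 44 bytes
SAMPLE_UNALLOC = b"\x00" * 16 + SAMPLE_JPEG + b"\x00" * 7 + SAMPLE_BMP + b"\x00" * 5

if __name__ == "__main__":
    for ext, offset, blob in carve(SAMPLE_UNALLOC):
        print("%s at offset %d, %d bytes" % (ext, offset, len(blob)))
```

When the footer is missing (a file whose tail was overwritten), the carver falls back to the maximum size, the same behaviour that makes foremost output oversized files for truncated fragments; that is why the slide recommends checking each result with exiftool or a type-specific viewer.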
Audit.txt File in Foremost Output Folder
Names of Carved Executables
Product Names of Carved DLLs
Titles of Carved HTML Pages
Data Extraction From Memory Images
I discussed how to identify malware using memory image analysis with Memoryze/AuditViewer in week 4
Now I’d like to spend a little time on memory artifact extraction using the Volatility framework
Volatility 2.2 & numerous plugins are included in the 1.4 SIFT Kit
2.3, with extensions for MacOS & Linux, is due out by end of 2012
What can we get out of memory? (A better question is what can’t we?)
Everything passes through memory
Accounts & passwords (including crypto keys)
Log events (EVT log files are memory mapped)
Registry hives (these are memory mapped as well)
Often it’s simpler, easier, & quicker to get memory than to do any other form of acquisition
Tool Download Locations
Main tool, current version - https://www.volatilesystems.com/default/volatility or svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
Various contributed plugins & extensions - http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
Python (required language support) - http://www.python.org or http://www.cygwin.com
Memory Image Extraction
Volatility requires a dd-style flat image of the subject system’s memory
Capture the image with EnCase Enterprise, Winen (6.13 or above absolutely required), or freeware tools
Plugins in New Volatility 2.2 #1
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for _RTL_ATOM_TABLE
bioskbd - Reads the keyboard buffer from Real Mode memory [BIOS Password]
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only] [like netstat]
connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Pool scanner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Scan for driver objects _DRIVER_OBJECT
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Scan Physical memory for _FILE_OBJECT pool allocations
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process [useful]
Plugins in New Volatility 2.2 #2
handles - Print list of open handles for each process
hashdump - Dumps password hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information [convert hiberfile to memdump]
hivedump - Prints out a hive [in text format]
hivelist - Print list of registry hives
hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
idt - Display Interrupt Descriptor Table
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image [OS version, etc.]
impscan - Scan for calls to imported functions
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
lsadump - Dump (decrypted) LSA secrets from the registry
malfind - Find hidden and injected code
memdump - Dump the addressable memory for a process [for string searching]
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
moddump - Dump a kernel driver to an executable file sample
modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules - Print list of loaded modules [from in-memory list]
mutantscan - Scan for mutant objects _KMUTANT [some known malicious]
patcher - Patches memory based on page scans
printkey - Print a registry key, and its subkeys and values [including hardware]
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Scan Physical memory for _EPROCESS pool allocations [includes exited]
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt - Display SSDT entries [can detect syscall hooks by syscall module ownership]
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Scan for symbolic link objects
thrdscan - Scan physical memory for _ETHREAD objects
threads - Investigate _ETHREAD and _KTHREADs
timers - Print kernel timers and associated module DPCs
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
volshell - Shell in the memory image
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for tagWINDOWSTATION (window stations)
yarascan - Scan process or kernel memory with Yara signatures
Plugins in New Volatility 2.2 #3
See: “The VAD tree: A process-eye view of physical memory” for details (link in notes)
Usage Scenarios
Malware Infection – Use Volatility to identify backdoors, hidden processes
Compromised System – Use Volatility to identify hidden rootkit components (including kernel mode rootkits), backdoors
Other – Use Volatility to extract memory specific to a given process to simplify string analysis, to extract passwords or hashes, or to remotely identify hardware by BIOS information.
Example
VM compromised using Metasploit MS08-067 exploit, & shell pushed back to attacker
Note that these actions write nothing to the disk
Victim VM memory subsequently imaged using winen
Volatility [1.3] Analysis Commands
python volatility datetime -f Phy* – Returned current date/time when memory was dumped
python volatility hivescan -f Phy* – Returned offset value of 44548104
python volatility hivelist -f Phy* -o 44548104 – Returned System hive address 0xe1035b60
python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip" – Returned values & subkeys under the specified key
Volatility [1.3] Analysis Commands (2)
python volatility connections -f Phy* – Listed connections from in-memory tables
python volatility connscan2 -f Phy* – Scanned for connections by signature
python volatility sockets -f Phy* – Listed sockets from in-memory tables
python volatility sockscan2 -f Phy* – Scanned for sockets by signature
python volatility dlllist -f Phy* -p 1008 – Listed DLLs loaded by the specified process #
datetime [1.3]
$ python volatility datetime -f Phy*
Image local date and time: Mon Apr 13 15:00:11 2009
hivescan [1.3]
$ python volatility hivescan -f Phy*
Offset (hex)
44548104 0x2a7c008
...
Hivelist [1.3]
$ python volatility hivelist -f Phy* -o 44548104
Address Name
...
0xe1357b60 \WINDOWS\system32\config\SAM
0xe145cb60 \WINDOWS\system32\config\SECURITY
0xe1035b60 \WINDOWS\system32\config\system
...
Hashdump [1.3]
$ python volatility hashdump -f Phy* -y 0xe1035b60 -s 0xe1357b60
Administrator:500:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:981136602258cd6dfef5703cd6838b40:0c2ef0943ce6895efb76af4e2301c7f4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ef55ec8fb9ccdfadfbf4722570d636ba:::
soc:1003:8d37d083696254e52468a840fdf3374f:4126fa040b35a2f0c2b113c05f51b198:::
hacker:1004:c8e739baa8f9e065500ff6021117719e:aaff7f168e6fc07d9f0cc581372d18ec:::
hacker1:1005:94ceed382acd38ec500ff6021117719e:141994e4786f431541be4cd8e93ef31d:::
Note that several of these hashes are easily crackable via the online ophcrack demo
Printkey [1.3]
$ python volatility printkey -f Phy* -o 0xe1035b60 "ControlSet001\Services\{439FE547-3C35-4A24-BD37-3FCFD1FBB1C9}\Parameters\Tcpip"
Key name: Tcpip (Stable)
Last updated: Mon Apr 13 15:52:05 2009
Subkeys:
Values:
REG_DWORD EnableDHCP : 1 (Stable)
REG_MULTI_SZ IPAddress : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ SubnetMask : [u'0.0.0.0', u'', u''] (Stable)
REG_MULTI_SZ DefaultGateway : [u'', u''] (Stable)
REG_SZ DhcpIPAddress : 192.168.1.150 (Stable)
...
Connections [1.3]
$ python volatility connections -f Phy*
Local Address Remote Address Pid
192.168.1.150:1151 192.168.1.151:4444 1008
We also tested this after the connection had dropped, & were able to recover the defunct connection object using connscan2, but in this instance could not find the defunct socket using sockscan2
Sockets [1.3]
$ python volatility sockets -f Phy*
Pid Port Proto Create Time
...
1008 1151 6 Mon Apr 13 20:56:19 2009
...
Dlllist [1.3]
$ python volatility dlllist -f Phy* -p 1008
svchost.exe pid: 1008
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 2
Base Size Path
...
0x10000000 0x17000 C:\WINDOWS\system32\metsrv.dll
...
Registry Examination
All registry hives are memory mapped, including the hardware hives, which are dynamically generated
Volatility 1.3 had a hack to rip.pl to support ‘-r <filename>@<hex offset>’. It essentially substituted a different API under the hood.
A Volatility plugin, reglist, was added in version 1.4, but doesn’t show up in 2.0, which is current. This is actually a complete port of RegRipper to Python.
You can use the hivedump plugin to extract all the keys and values for manual examination
RegRipper
RegRipper is a set of Perl scripts produced by Harlan Carvey (author of Windows Forensic Analysis) to parse through various registry keys and return information of forensic import
A modified version has been adapted to extract the same info from the in-memory copies of the registry hives (but it only runs under Linux). It’s installed on the SIFT Kit as volrip.pl
Fixing volrip.pl
When the SANS people installed volrip.pl on the 1.2 SIFT Kit, they made two mistakes, which cause it to fail.
You have to change two lines in /usr/local/bin/volrip.pl to get it to work.
my $plugindir = '/usr/local/src/regripper/plugins';
should be
my $plugindir = '/usr/local/src/regripper/plugins/';
require "rrplugins/".$plugins{$i}."\.pl";
should be
require "/usr/local/src/regripper/plugins/".$plugins{$i}."\.pl";
Fixed in 1.3, gone in 1.4 (I’ll complain again)
Using volrip.pl
The ‘volatility hivelist -o 34786144 -f exemplar12.vmem’ output was:
Address Name
0xe179e008 [no name]
0xe1a58b60 \Documents and Settings\foo\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \Documents and Settings\LocalService\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \Documents and Settings\NetworkService\NTUSER.DAT
0xe13a3008 \WINDOWS\system32\config\software
0xe1397300 \WINDOWS\system32\config\default
0xe13a0b60 \WINDOWS\system32\config\SECURITY
0xe1362b60 \WINDOWS\system32\config\SAM
0xe11c2008 [no name]
0xe1018388 \WINDOWS\system32\config\system
0xe1008b60 [no name]
So to examine all hives in memory…
volatility hivedump -i 0xe179e008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1548008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1a58b60 -f ntuser
volatility hivedump -i 0xe1095820 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1535820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe107e820 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a3008 -f software
volrip.pl -r exemplar12_2.vmem@0xe1397300 -f ntuser
volrip.pl -r exemplar12_2.vmem@0xe13a0b60 -f security
volrip.pl -r exemplar12_2.vmem@0xe1362b60 -f sam
volatility hivedump -i 0xe11c2008 -v -f exemplar12_2.vmem
volrip.pl -r exemplar12_2.vmem@0xe1018388 -f system
volatility hivedump -i 0xe1008b60 -v -f exemplar12_2.vmem
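Typing out one hivedump or volrip.pl command per hive, as above, is error-prone once a hivelist returns a dozen entries. The Python below is an added example (not from the lecture, Volatility or RegRipper) that parses hivelist output and generates the same two kinds of command: hivedump for the unnamed hives and volrip.pl with a profile chosen from the hive's file name for the named ones. It assumes the Volatility 1.3-era syntax shown on the slide (hivedump -i, volrip.pl -r <image>@<offset> -f <profile>) and maps the 'default' hive to the ntuser profile, as the command list above does. The sample hivelist text is the one from the slide.

```python
import re

# One hivelist output line: "<hex address> <hive name or [no name]>"
HIVELIST_LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S.*)$")

# volrip.pl profile (-f) chosen by hive file name, following the command list
# above, which ran the 'default' hive with the ntuser profile.
PROFILE_BY_FILENAME = {
    "system": "system",
    "software": "software",
    "sam": "sam",
    "security": "security",
    "ntuser.dat": "ntuser",
    "default": "ntuser",
}


def parse_hivelist(output):
    """Parse hivelist text into [(address, name)], skipping the 'Address Name' header."""
    hives = []
    for line in output.splitlines():
        m = HIVELIST_LINE_RE.match(line.strip())
        if m:
            hives.append((int(m.group(1), 16), m.group(2).strip()))
    return hives


def plan_hive_examination(hives, image):
    """Build one command per hive: hivedump for unnamed hives, volrip.pl for named ones."""
    commands = []
    for address, name in hives:
        if name == "[no name]":
            commands.append("volatility hivedump -i 0x%08x -v -f %s" % (address, image))
            continue
        filename = name.rsplit("\\", 1)[-1].lower()
        profile = PROFILE_BY_FILENAME.get(filename)
        if profile is None:
            # Unknown hive type: fall back to a raw dump rather than guessing a profile.
            commands.append("volatility hivedump -i 0x%08x -v -f %s  # unrecognised hive %s"
                            % (address, image, name))
            continue
        commands.append("volrip.pl -r %s@0x%08x -f %s" % (image, address, profile))
    return commands


# hivelist output reproduced from the lecture slide above.
SAMPLE_HIVELIST = """\
Address Name
0xe179e008 [no name]
0xe1a58b60 \\Documents and Settings\\foo\\NTUSER.DAT
0xe1548008 [no name]
0xe1535820 \\Documents and Settings\\LocalService\\NTUSER.DAT
0xe1095820 [no name]
0xe107e820 \\Documents and Settings\\NetworkService\\NTUSER.DAT
0xe13a3008 \\WINDOWS\\system32\\config\\software
0xe1397300 \\WINDOWS\\system32\\config\\default
0xe13a0b60 \\WINDOWS\\system32\\config\\SECURITY
0xe1362b60 \\WINDOWS\\system32\\config\\SAM
0xe11c2008 [no name]
0xe1018388 \\WINDOWS\\system32\\config\\system
0xe1008b60 [no name]
"""

if __name__ == "__main__":
    for command in plan_hive_examination(parse_hivelist(SAMPLE_HIVELIST), "exemplar12_2.vmem"):
        print(command)
```

The generated list covers each hive exactly once; redirect it to a shell script and review it before running, since volrip.pl's profile argument is the only thing standing between a hive and the wrong set of plugins.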
Other things to do with Volatility
Extract in-memory copies of .EVT logs: identify & dump the VAD table for services.exe, then examine the resulting files. Three should have .EVT content (XP), but all events may not be present.
There are new downloadable plugins for 2.0 that extract timeline data, including .EVT records & some registry keys. See notes.
There are test plugins available to extract CMD shell history
Volatility 2.0 Setup (briefly)
Download from http://code.google.com/p/volatility/downloads/detail?name=volatility-2.0.tar.gz&can=2&q=
Extract in the SIFT Kit using ‘tar xvzf <filename>’
Run as ‘python vol.py’ rather than simply ‘volatility’. All prerequisites should be installed already. Note that the available commands are different, as are some arguments to old commands/plugins.
Reading for next week
Neither text covers next week’s topic. Harlan excludes it because it’s too large for proper treatment in a chapter, and I can’t find a decent dedicated book on Browser Forensics. If you like, you can skim the linked pages on the Forensics Wiki’s IE page: http://www.forensicswiki.org/wiki/Internet_Explorer
Next week’s lecture will cover Internet Explorer Browser Forensics
Questions?