3. Some Context “Facts do not cease to exist because they are ignored.” - Aldous Huxley
4. Being Prepared What’s in your Incident Response Toolkit? Malware is becoming more sophisticated, and a deeper understanding of computer systems is needed to analyze it. File system forensics techniques are well documented but seem underutilized. Analysis of the Master File Table (MFT) of the NTFS file system can be used to establish a timeline of changes to a system and to locate where on the file system those changes were made.
5. Incident Response Where does Malware Analysis Fit In?
Preparation: incident handling procedures, training, toolkits, jump bags, detection and defense mechanisms.
Detection & Analysis: detect the type, extent, and magnitude of the incident; identify the malware's characteristics.
Containment, Eradication, & Recovery: prevent the malware from spreading and causing further system damage; once contained, remove the malware and restore the functionality and data affected by the infection.
Post-Incident: review the incident and the lessons learned, apply them to your preparation for the next incident, and retain the evidence.
Reference: National Institute of Standards and Technology (2005). SP800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
9. NTFS Master File Table 101 “Facts do not 'speak for themselves', they are read in the light of theory” - Stephen Jay Gould
10. Everything is a File Overview of NTFS and the Master File Table NTFS: “New Technology File System”, the default file system of all modern versions of Windows. The Master File Table (MFT) is the heart of the NTFS file system: it contains the metadata for every file and directory on the volume. Everything is a file in NTFS, including the MFT itself ($MFT, record 0). Each file and directory has at least one entry in the MFT. Each MFT entry is 1024 bytes in size (the size is defined in the boot sector), with the first 42 bytes holding the 12 defined header fields and the remaining space used by attributes such as $STANDARD_INFORMATION and $FILE_NAME. The MFT expands as needed, and NTFS does NOT delete MFT entries after they have been created: the entry of a deleted file is only marked not-in-use and keeps its contents until it is re-allocated to a new file. Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
11. 0x46494c45 What FILE Information can be extracted? Every entry starts with the ASCII signature “FILE” (0x46494C45). The MFT entry header contains the record number of the entry, the sequence number (incremented each time the entry is reused, so a file reference is record number plus sequence number), the in-use and directory flags, and a reference to the base record for entries that only hold overflow attributes. $STANDARD_INFORMATION attributes are the best known: their MACE times (Modified, Accessed, Created, Entry modified; written MACb in log2timeline's notation, where b is birth) and flags are what explorer.exe displays when viewing the properties of a file or folder. $FILE_NAME attributes contain the file name, the reference to the parent directory (the entry's location in the tree) and a second, independent set of MACE times (more on this in a bit). Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
12. $STANDARD_INFORMATION Attributes The Good, The Bad, The WTF The Good: the behavior of Windows on $STANDARD_INFORMATION MACE times is well known. The Bad: $STANDARD_INFORMATION MACE times can easily be manipulated through the documented SetFileTime API (e.g. Metasploit's Timestomp, or touch on Unix). OK … WTF: did you know last-access time updates are disabled by default in Windows Vista/7? HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1 (so an unchanged $SI access time proves nothing by itself).
13. PowerShell: Friend or Foe? Manipulation of $STANDARD_INFORMATION dates from PowerShell: the CreationTime, LastWriteTime and LastAccessTime properties of a file object are writable, so a one-line “touch” is all it takes. Reference: Hull, David (2009). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html
14. Don’t Be Duped $FILE_NAME Attributes are not Easily Manipulated $FILE_NAME times are copied from the $STANDARD_INFORMATION times when the entry is created. They are not updated by ordinary file activity the way $STANDARD_INFORMATION values are; they typically change only when the file is moved or renamed. Consequently, it is more difficult to manipulate $FILE_NAME attributes, because SetFileTime and the tools built on it never touch them (note: I did not say impossible, more on this later). All attribute times need to be analyzed when doing MFT analysis. Some work has been done cataloging the behavioral changes of $FILE_NAME time attributes. Reference: Hull, David (2010). Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
15. Thank You Rob MFT Attribute Behavior Reference: Lee, Rob T. (2010). Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
16. Intro to Our Malware Sample “It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown
17. Rogue AV Prerequisites There Are None Up to date Windows 7 OS – No Problem! No Local Admin rights – No Problem! Existing Antivirus w/ current sigs – No Problem! Windows Firewall hardened with GPO – No Problem! IE 8 in Medium/High security mode – No Problem! UAC enabled – No Problem! But what features do you get with your install, you ask?
18. Rogue AV Feature Set Replaces Existing Antivirus without Interaction
19. Rogue AV Feature Set Places Bogus Malicious Files on Your File System
22. Rogue AV Feature Set Protects Against Analysis by Your IT Practitioner
23. Analysis of Our Sample “Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams
24. Down the Rabbit Hole Summary of the Rogue File/Process
File Name: ISe6d_2229.exe
File Type: Windows 32-bit Portable Executable
MD5: 699ebebcac9aaeff67bee94571e373a1
SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
File size: 3590656 bytes
First seen on VirusTotal: 2010-11-14 01:20:29
Last seen: 2010-11-16 15:52:22
http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742
My Write-Up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html
28. Leveraging the Results “We can have facts without thinking but we cannot have thinking without facts.” - John Dewey
29. Using Information from the MFT Prefetch Parser: Parsing the Prefetch Folder. Each .pf file below is followed by the path it recorded (? marks a character lost in extraction):
SETUP_2229[1].EXE-11C68EE8.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\?4KYBRHH\SETUP_2229[1].EXE
TASKKILL.EXE-8F5B2253.pf: \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\?4KYBRHH\?NPRICE=85[1].HTM
RUNDLL32.EXE-80EAA685.pf: \PROGRAMDATA\E6DB66\ISE6D_2229.EXE
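The .pf names above are the executable name plus a hash of the path it ran from, which is why the same binary dropped in the IE cache and later in \ProgramData shows up as two different prefetch files. The parser below is an added example, not the deck's Prefetch Parser or any other tool's code: it reads the header fields a responder wants first (executable name, path hash, last run time, run count) for the XP (version 17) and Vista/7 (version 23) layouts, and computes the Vista/7 path hash as documented for the SCCA format. The sample file is constructed in the code; only the executable name and hash value are taken from the first .pf listed above, the run time and count are made up. Windows 8 and later changed the file-information layout, and Windows 10 stores .pf files MAM-compressed, so those are rejected rather than misparsed.

```python
"""Read the header of a Windows Prefetch (.pf) file: executable name, path hash,
last run time and run count, for the XP (v17) and Vista/7 (v23) layouts."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of last-run FILETIME, offset of run count)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def prefetch_hash_vista(device_path):
    """Hash in the .pf name on Vista/7, over the upper-cased device path
    (\\DEVICE\\HARDDISKVOLUME1\\...), so the same binary run from another
    directory gets a different .pf file."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return (h * 314159) & 0xFFFFFFFF


def parse_prefetch(data):
    version, sig, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not an uncompressed prefetch file (signature %r)" % sig)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte field
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_ofs, count_ofs = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, run_ofs)[0]
    run_count = struct.unpack_from("<I", data, count_ofs)[0]
    return {"version": version, "size": size, "executable": exe, "hash": path_hash,
            "last_run": filetime_to_dt(last_run) if last_run else None,
            "run_count": run_count}


def pf_name(info):
    """File name Windows gives the .pf: <EXE>-<hash in upper hex>.pf."""
    return "%s-%08X.pf" % (info["executable"], info["hash"])


def build_sample_prefetch():
    """Constructed v23 header (not a real capture) mirroring the first .pf listed
    on the slide; only the name and hash value come from that file name."""
    buf = bytearray(256)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    buf[0x10:0x4C] = "SETUP_2229[1].EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x11C68EE8)
    run_ofs, count_ofs = LAYOUT[23]
    last = datetime(2010, 11, 14, 1, 20, 29, tzinfo=timezone.utc)   # made-up run time
    struct.pack_into("<Q", buf, run_ofs, dt_to_filetime(last))
    struct.pack_into("<I", buf, count_ofs, 1)
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(pf_name(info), info["last_run"].isoformat(), "run count", info["run_count"])
```

The last run time is a FILETIME in UTC; compare it against the $SI and $FN times of the executable it names, since a .pf last-run time earlier than the executable's own creation time is the kind of contradiction timestomping leaves behind.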
30. Using Information from the MFT Exporting the Windows Registry Hives Most hives live in %SystemRoot%\System32\config (except HKCU and HKU, which are backed by the NTUSER.DAT hives in the user profiles). Tools such as RegRipper and Windows Registry Recovery can be used to perform further analysis based on the facts discovered; here the MFT gave us the file name, and the user's Run key shows how it persists:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"
Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
31. Using Information from the MFT Recovering Deleted Files with VSS FTK Imager can export a deleted file as long as its clusters have not been overwritten. Microsoft Volume Shadow Copy Service (VSS) is another option: list the copies with vssadmin list shadows, mount one as a directory and copy the file out of it (the trailing backslash on the device path is required).
mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
Reference: Mugherini, Timothy (2010). Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html
32. Using Information from the MFT Hashes Are Your Friend. Once suspect files are found, export their hashes and leverage online resources: NIST National Software Reference Library, SANS ISC Hash Database, Team Cymru Malware Hash Registry. FTK Imager and other Windows tools can hash individual files, but what if you want to hash every file on a drive or volume? http://md5deep.sourceforge.net/
md5deep.exe -r C:\ > hash_drive.txt
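When md5deep is not in the jump bag, the same job is a few lines of Python. The script below is an added example, not md5deep's code or anything from the deck: it walks a tree, hashes every regular file in chunks (so a multi-gigabyte pagefile does not get read into memory), records unreadable files instead of aborting, refuses to follow symlinks, prints md5deep-style lines and matches the digests against a known-bad set. The demo tree is constructed in a temporary directory; the planted “ISe6d_2229.exe” in it is just the bytes b"abc", so it does not match the real sample's MD5 from the summary slide, which is included in the known-bad set only to show where VirusTotal hashes would go.

```python
"""Recursive hashing in the spirit of `md5deep -r`, plus matching the digests
against a set of known-bad hashes (e.g. ones pulled from VirusTotal)."""
import hashlib
import os
import shutil
import sys
import tempfile


def hash_file(path, algos=("md5", "sha1")):
    """Hash one file in 1 MiB chunks so large files are never loaded whole."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_tree(root, algos=("md5", "sha1")):
    """{path: {algo: digest}} for every regular file under root. Symlinks are
    not followed (a loop or a link out of the evidence tree would be hashed
    otherwise) and unreadable files are recorded instead of aborting the run."""
    results = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                results[p] = hash_file(p, algos)
            except OSError as exc:                    # locked or ACL-denied file
                results[p] = {"error": str(exc)}
    return results


def match_known(results, known_bad):
    """Return (path, algo, digest) for every digest found in known_bad."""
    known = {h.lower() for h in known_bad}
    return [(p, algo, d) for p, digests in results.items()
            for algo, d in digests.items() if algo != "error" and d in known]


def md5deep_lines(results, algo="md5"):
    """md5deep-style output: '<digest>  <path>', one file per line."""
    return ["%s  %s" % (d[algo], p) for p, d in sorted(results.items()) if algo in d]


def demo():
    """Constructed tree in a temp dir: a planted file whose content is b'abc'
    stands in for the rogue binary; the real sample's MD5 from the slide is in
    the known-bad set but cannot match the planted bytes."""
    root = tempfile.mkdtemp(prefix="hash_demo_")
    try:
        os.makedirs(os.path.join(root, "ProgramData", "e6db66"))
        with open(os.path.join(root, "ProgramData", "e6db66", "ISe6d_2229.exe"), "wb") as f:
            f.write(b"abc")
        open(os.path.join(root, "empty.txt"), "wb").close()
        results = hash_tree(root)
    finally:
        shutil.rmtree(root)
    known_bad = {"699ebebcac9aaeff67bee94571e373a1",   # MD5 from the summary slide
                 hashlib.md5(b"abc").hexdigest()}      # the planted file
    return results, match_known(results, known_bad)


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # e.g. python hash_tree.py C:\
        print("\n".join(md5deep_lines(hash_tree(sys.argv[1]))))
    else:
        results, hits = demo()
        print("\n".join(md5deep_lines(results)))
        print("known-bad hits:", hits)
```

Run it against a mounted image rather than the live system drive where you can, and keep the SHA1 column: the public hash registries differ in which algorithm they index.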
33. The Trouble with Facts… “The trouble with facts is that there are so many of them.” - Samuel McChord Crothers
35. Hope Is Not Lost How can we Detect Attribute Manipulation? Some possibilities: Recent Documents and Programs (if not disabled); System events (e.g. a system time change); Prefetch differences (the .pf last-run time against the executable's own times); Differences between the $SI and $FN attributes; $SI times whose sub-second (microsecond) component is exactly zero, since Timestomp writes whole-second values while Windows itself records 100 ns resolution and the untouched $FN times keep theirs. New features in analyzeMFT.py (v1.5): now reports microseconds for all time attributes; -a (anomaly detection) adds two columns: std-fn-shift: Y = $FN create time is after the $SI create time; usec-zero: Y = $SI create time has usec = 0.
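To make the record layout from the MFT 101 slides and the two analyzeMFT checks concrete, here is an added example (not analyzeMFT.py's code, and not from the deck): it undoes the NTFS update-sequence fixups, parses the entry header, pulls the four times out of $STANDARD_INFORMATION and every $FILE_NAME attribute, and reports usec-zero and std-fn-shift. The 1024-byte record it analyzes is constructed in the code, not taken from a disk: the file name and size are the rogue binary's from the summary slide, the parent directory reference (record 1234, sequence 2) and the record number are invented, and the $SI times have been “stomped” back to 2005 at whole-second precision while $FN keeps a 2010 time with a sub-second part, which is exactly the pattern the two flags catch.

```python
"""Parse one NTFS MFT record (header, $STANDARD_INFORMATION, $FILE_NAME) and
run the $SI/$FN timestamp checks from analyzeMFT's -a option over it.
Layout follows the NTFS 3.1 on-disk format (Carrier, File System Forensic Analysis)."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024                 # record size is stored in the boot sector
SECTOR_SIZE = 512                  # fixup granularity
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(raw):
    """Undo the update-sequence fixups: NTFS keeps the last 2 bytes of every sector
    in the update sequence array and overwrites them with the USN on disk.
    A mismatch means a torn write (or not really a FILE record)."""
    rec = bytearray(raw)
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[end:end + 2] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return rec


def parse_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("bad signature %r" % bytes(rec[:4]))
    (seq, links, attr_ofs, flags, used, _alloc, base_ref,
     _next_id, _pad, recno) = struct.unpack_from("<HHHHIIQHHI", rec, 0x10)
    info = {"record_number": recno, "sequence": seq, "links": links,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "base_record": base_ref & 0xFFFFFFFFFFFF, "fn": []}
    off = attr_ofs
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                         # resident attribute
            csize, cofs = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + cofs:off + cofs + csize]
            if atype == ATTR_STANDARD_INFORMATION:
                c, m, e, a = struct.unpack_from("<4Q", body, 0)
                info["si"] = {"created": c, "modified": m, "mft_modified": e, "accessed": a}
            elif atype == ATTR_FILE_NAME:             # one per name (Win32, DOS, ...)
                parent, c, m, e, a = struct.unpack_from("<5Q", body, 0)
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                info["fn"].append({"name": name, "namespace": body[0x41],
                                   "parent_record": parent & 0xFFFFFFFFFFFF,
                                   "parent_seq": parent >> 48, "created": c,
                                   "modified": m, "mft_modified": e, "accessed": a})
        off += alen
    return info


def timestamp_anomalies(info):
    """usec_zero: $SI creation has no sub-second part (Timestomp writes whole
    seconds). std_fn_shift: $FN creation is later than $SI creation, which
    normal file activity does not produce."""
    si, fn = info["si"], info["fn"][0]
    return {"usec_zero": filetime_to_dt(si["created"]).microsecond == 0,
            "std_fn_shift": fn["created"] > si["created"]}


def _attr(atype, content):
    """Resident attribute header (24 bytes) + content, padded to 8 bytes."""
    alen = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(alen - 24 - len(content))


def build_sample_record():
    """Constructed record, not from a real disk: ISe6d_2229.exe with $SI rolled
    back to 2005 at whole-second precision while $FN keeps the real-looking 2010 time."""
    si_t = dt_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    fn_t = dt_to_filetime(datetime(2010, 11, 14, 1, 20, 29, 123456, tzinfo=timezone.utc))
    si = struct.pack("<4QIIII", si_t, si_t, si_t, si_t, 0x20, 0, 0, 0)
    name = "ISe6d_2229.exe".encode("utf-16-le")
    parent = (2 << 48) | 1234                         # hypothetical parent dir, seq 2
    fn = struct.pack("<7QIIBB", parent, fn_t, fn_t, fn_t, fn_t, 3_592_192, 3_590_656,
                     0x20, 0, len(name) // 2, 3) + name
    body = _attr(ATTR_STANDARD_INFORMATION, si) + _attr(ATTR_FILE_NAME, fn)
    body += struct.pack("<I", ATTR_END)
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 2, 1, 0x38, 1,
                     0x38 + len(body) + 4, RECORD_SIZE, 0, 3, 0, 39)
    rec[0x38:0x38 + len(body)] = body
    usn = b"\x07\x00"                                 # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in (1, 2):                                  # apply the fixups like NTFS does
        end = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    rec = parse_record(build_sample_record())
    print("$SI created", filetime_to_dt(rec["si"]["created"]).isoformat())
    print("$FN created", filetime_to_dt(rec["fn"][0]["created"]).isoformat(), rec["fn"][0]["name"])
    print(timestamp_anomalies(rec))
```

Feed it 1024-byte slices of an exported $MFT and the same two flags fall out for every entry; treat them as leads, not proof, since a file copied by an installer that preserves timestamps can legitimately show an $FN time later than its $SI time.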
36. Summary An Answer to a Question Might be Another Question This is one forensic technique (timeline analysis) that focuses on one object ($MFT) in one layer (metadata) of one type of file system (NTFS) during one type of malware analysis (static) that is typically done during one phase (Detection & Analysis) of incident response. It is something you can add to your Incident Response and Malware Analysis toolkit. It may be necessary to correlate and verify your results with other methods and tools. Tools such as log2timeline are available to create super timelines, making it even easier to build a timeline of malicious activity on a system.
37. Go Forth and Prosper Additional Resources and Tools Additional Resources Lenny Zeltser: Combating Malicious Software NIST Special Publication 800-61: Computer Security Incident Handling Guide NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response Reversing Malware Blog SANS Computer Forensics & Incident Response Blog SANS Reading Room (Too Many Great Papers to Mention: Check Forensics, Incident Response, and Malware Analysis Categories) Windows Incident Response Blog Books Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley. Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress. Tools analyzeMFT FTK Imager Lite md5deep Prefetch Parser RegRipper Windows Registry Recovery
39. Internet Control Message Protocol Feel Free to Ping Me Tim Mugherini http://securitybraindump.blogspot.com tmugherini@gmail.com @bug_bear Irc://freenode (as Bugbear)