Leveraging NTFS Timeline Forensics during the Analysis of Malware

Video of this talk can be found at mms://boston.naisg.org/media/201101Forensics.wmv


  • 1. Leveraging NTFS Timeline Forensics in the Analysis of Malware
    Tim Mugherini
    NAISG Boston
    January 20, 2011
  • 2. About Me
    Caveat: I Am Not An Expert!
  • 3. Some Context
    “Facts do not cease to exist because they are ignored.” - Aldous Huxley
  • 4. Being Prepared
    What’s in your Incident Response Toolkit?
    Malware is becoming more sophisticated.
    A deeper understanding of computer systems is needed.
    File system forensics techniques are well documented but seem underutilized.
    Analysis of the Master File Table (MFT) of the NTFS file system can be used to help establish a timeline and location of changes to the system.
  • 5. Incident Response
    Where does Malware Analysis Fit In?
    Preparation: Incident Handling Procedures, Training, Toolkits, Jump Bags, Detection & Defense Mechanisms
    Detection & Analysis: Detect the type, extent, and magnitude of the incident. Identify the malware characteristics.
    Containment, Eradication, & Recovery: Prevent the malware from spreading and causing further system damage. Once that is complete, remove the malware and restore the functionality and data affected by the infection.
    Post-Incident: Review incident and lessons learned. Apply this to your preparation for the next incident. Retain evidence.
    Reference: National Institute of Standards and Technology (2005). SP800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
  • 6. Malware Analysis
    Where does File Forensics Fit In?
    Static: Analyze without executing code
    • File Analysis (i.e. location, date and times, strings, hashes)
    • Code Analysis, Reverse Engineering (i.e. Decompiling, Disassembling)
    Dynamic: Analyze the code while it runs
    • Behavioral Analysis: (i.e. processes, network connections, strings in memory)
    • Network Packet Analysis
    Ideally you want to do both!
  • 9. NTFS Master File Table 101
    “Facts do not 'speak for themselves', they are read in the light of theory” - Stephen Jay Gould
  • 10. Everything is a File
    Overview of NTFS and the Master File Table
    NTFS: “New Technologies File System” Default file system of all modern versions of Windows.
    The Master File Table (MFT) is the heart of the NTFS file system. It contains the metadata about all the files and directories on the file system.
    Everything is a file in NTFS, including the MFT.
    Each file and directory has at least one entry in the MFT.
    Each MFT entry is 1024 bytes in size (defined in boot sector) with the first 42 bytes containing 12 defined fields and the remaining space being used by attributes.
    The MFT will expand as needed, and NTFS does NOT delete MFT entries after they have been created (even when the file is deleted).
    Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
  • 11. 0x46494c45
    What FILE Information can be extracted?
    MFT Header contains a record number for each entry, sequence number (times reused), and parent record number (location).
    Standard_Information attributes are best known. Many of these attributes (MACE/MACb times, Flags) are displayed in explorer.exe when viewing the properties of a file or folder.
    File_Name attributes contain the file name and additional MACE/MACb times (more on this in a bit).
    Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
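
The header layout described on slides 10 and 11 can be decoded directly. The following is an added example, not code from the talk or from analyzeMFT: it unpacks the 42-byte, 12-field header following Carrier's layout and lists the attribute types in an entry. The sample entry is constructed, and fixup values are not applied.

```python
import struct

# 42-byte MFT entry header, 12 fields, layout per Carrier (2005).
HEADER = struct.Struct("<4sHHQHHHHIIQH")
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def parse_mft_entry(entry: bytes) -> dict:
    """Decode the fixed header and list the attribute types in one entry."""
    if len(entry) < HEADER.size:
        raise ValueError("truncated MFT entry")
    (sig, _fix_off, _fix_cnt, _lsn, seq, links, attr_off, flags,
     used, alloc, _base_ref, _next_id) = HEADER.unpack_from(entry)
    if sig != b"FILE":                      # 0x46494c45
        raise ValueError(f"bad signature {sig!r}")
    attrs, pos = [], attr_off
    # Each attribute starts with a 4-byte type id and a 4-byte total length;
    # type 0xFFFFFFFF terminates the list.
    while pos + 8 <= min(used, len(entry)):
        a_type, a_len = struct.unpack_from("<II", entry, pos)
        if a_type == 0xFFFFFFFF or a_len == 0:
            break
        attrs.append(ATTR_NAMES.get(a_type, hex(a_type)))
        pos += a_len
    return {"sequence": seq, "links": links, "in_use": bool(flags & 0x01),
            "directory": bool(flags & 0x02), "used": used, "allocated": alloc,
            "attributes": attrs}

def build_sample_entry() -> bytes:
    """Constructed 1024-byte entry: header plus empty-bodied $SI and $FN stubs."""
    body = b""
    for a_type, a_len in ((0x10, 0x60), (0x30, 0x68)):
        body += struct.pack("<II", a_type, a_len).ljust(a_len, b"\x00")
    body += struct.pack("<I", 0xFFFFFFFF)
    attr_off = 0x38
    used = attr_off + len(body)
    hdr = HEADER.pack(b"FILE", 0x30, 3, 0, 2, 1, attr_off, 0x01, used, 1024, 0, 3)
    return (hdr.ljust(attr_off, b"\x00") + body).ljust(1024, b"\x00")

if __name__ == "__main__":
    print(parse_mft_entry(build_sample_entry()))
```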
  • 12. Standard_Information Attributes
    The Good, The Bad, The WTF
    The Good
    The behavior of Windows on Standard_Information MACE times is well known
    The Bad
    Standard_Information MACE times can easily be manipulated (i.e. Metasploit Timestomp or Unix Touch)
    OK … WTF
    Did you know file Access Times are disabled by default in Windows Vista/7?
  • 13. Powershell: Friend or Foe?
    Manipulation of Standard_Information Dates.
    Reference: Hull, David (2009). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html
  • 14. Don’t Be Duped
    File_Name Attributes are not Easily Manipulated
    File_Name Attributes initially mirror the Standard_Info Creation date
    They do not typically get updated the way Standard_Information Values do unless the file is moved or renamed.
    Consequently, it is more difficult to manipulate File_Name Attributes (note: I did not say impossible, more on this later).
    All Attribute Times need to be analyzed when using MFT Analysis.
    Some Work has been done cataloging the behavioral changes of File_Name Time attributes
    Reference: Hull, David (2010) Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
  • 15. Thank You Rob
    MFT Attribute Behavior
    Reference: Lee, Rob, T. (2010) Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
  • 16. Intro to Our Malware Sample
    “It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown
  • 17. Rogue AV Prerequisites
    There Are None
    Up to date Windows 7 OS – No Problem!
    No Local Admin rights – No Problem!
    Existing Antivirus w/ current sigs – No Problem!
    Windows Firewall hardened with GPO – No Problem!
    IE 8 in Medium/High security mode – No Problem!
    UAC enabled – No Problem!
    But what features do you get with your install, you ask?
  • 18. Rogue AV Feature Set
    Replaces Existing Antivirus without Interaction
  • 19. Rogue AV Feature Set
    Places Bogus Malicious Files on Your File System
  • 20. Rogue AV Feature Set
    Provides Protection Sopranos Style
  • 21. Rogue AV Feature Set
    Confused? Live Support Chat can Assist
  • 22. Rogue AV Feature Set
    Protects Against Analysis by Your IT Practitioner
  • 23. Analysis of Our Sample
    “Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams
  • 24. Down the Rabbit Hole
    Summary of the Rogue File/Process
    File Name: ISe6d_2229.exe
    File Type: Windows 32 bit Portable Executable
    MD5: 699ebebcac9aaeff67bee94571e373a1
    SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
    File size: 3590656 bytes
    First seen on Virus Total: 2010-11-14 01:20:29
    Last seen: 2010-11-16 15:52:22
    My Write-Up
  • 25. Grabbing the MFT
    FTK Imager Lite: Exporting the MFT
  • 26. Parsing the MFT
    analyzeMFT: Parse & Export Records.
  • 27. Analyzing the MFT
    Based on the Facts, Find the Infection Locations
  • 28. Leveraging the Results
    “We can have facts without thinking but we cannot have thinking without facts.” - John Dewey
  • 29. Using Information from the MFT
    Prefetch Parser: Parsing the Prefetch Folder
  • 30. Using Information from the MFT
    Exporting the Windows Registry Hives
    Most live in the %SystemRoot%\System32\Config directory (except HKCU & HKU, which are located in the user profiles).
    Tools such as RegRipper & Windows Registry Recovery can be used to perform further analysis based on facts discovered
    "Internet Security Suite"=""C:\ProgramData\e6db66\ISe6d_2229.exe" /s /d"
    Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
  • 31. Using Information from the MFT
    Recovering Deleted Files with VSS
    FTK Imager has the ability to export files if not overwritten
    Microsoft Volume Shadow Copy Service (VSS) is another option, however.
    mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
    Reference: Mugherini, Timothy (2010) Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html
  • 32. Using Information from the MFT
    Hashes Are Your Friend.
    Once suspect files are found, export their hashes and leverage online resources.
    NIST National Software Reference Library
    SANS ISC Hash Database
    Team Cymru Malware Hash Registry
    FTK Imager and other Windows Tools can hash files but what if you want to hash all files on a drive or volume?
    md5deep.exe -r C:\ > hash_drive.txt
  • 33. The Trouble with Facts…
    “The trouble with facts is that there are so many of them.” - Samuel McChord Crothers
  • 34. File_Name Attributes Can Change
    Manipulating File_Name Attributes
  • 35. Hope Is Not Lost
    How can we Detect Attribute Manipulation?
    Some Possibilities
    Recent Documents and Programs (if not disabled)
    System Events (i.e. System Time Change)
    Prefetch Differences
    Differences between $SI and $FN attributes
    $FNA MACE Times have USEC/Microseconds = 00
    New Features in analyzeMFT.py (v 1.5)
    Now Reports useconds for all time attributes
    -a (anomaly detection) adds two columns:
    std-fn-shift: Y = $FN create time is after the $SI create time
    Usec-zero: Y = $SI create time has usec = 0
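
The two anomaly columns above reduce to simple comparisons on NTFS timestamps. The following is an added example, not analyzeMFT's own code: it converts FILETIME values and applies both checks to constructed rows with hypothetical file names.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USEC = timedelta(microseconds=1)

def filetime_to_dt(ft: int) -> datetime:
    """NTFS times are 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + (ft // 10) * USEC

def dt_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample rows."""
    return ((dt - EPOCH_1601) // USEC) * 10

def check_entry(si_create: int, fn_create: int) -> dict:
    """Apply the two anomaly columns described on the slide."""
    si, fn = filetime_to_dt(si_create), filetime_to_dt(fn_create)
    return {
        "std-fn-shift": "Y" if fn > si else "N",   # $FN create after $SI create
        "usec-zero": "Y" if si.microsecond == 0 else "N",
    }

def scan(rows):
    """Return (name, std-fn-shift, usec-zero) for rows with any 'Y'."""
    hits = []
    for name, si_create, fn_create in rows:
        r = check_entry(si_create, fn_create)
        if "Y" in r.values():
            hits.append((name, r["std-fn-shift"], r["usec-zero"]))
    return hits

# Constructed sample rows (hypothetical file names, not the talk's data).
_dropped = dt_to_filetime(datetime(2010, 11, 14, 1, 19, 57, 123456, tzinfo=timezone.utc))
_backdated = dt_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
_rounded = dt_to_filetime(datetime(2010, 11, 14, 1, 20, 3, tzinfo=timezone.utc))
SAMPLE_ROWS = [
    ("untouched.dll", _dropped, _dropped),    # $SI and $FN agree
    ("backdated.exe", _backdated, _dropped),  # $SI create set back, $FN left alone
    ("rounded.tmp", _rounded, _rounded),      # whole-second $SI create only
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_ROWS):
        print(hit)
```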
  • 36. Summary
    An Answer to a Question, Might be Another Question
    This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phase (Detection/Analysis) of incident response.
    It is something you can add to your Incident Response and Malware Analysis toolkit.
    It may be necessary to correlate and verify your results with other methods and tools. Tools such as Log2Timeline are available to create Super Timelines making it even easier to create a timeline of malicious activity on a system.
  • 37. Go Forth and Prosper
    Additional Resources and Tools
    Additional Resources
    Lenny Zeltser: Combating Malicious Software
    NIST Special Publication 800-81: Computer Security Incident Handling Guide
    NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling
    NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
    Reversing Malware Blog
    SANS Computer Forensics & Incident Response Blog
    SANS Reading Room (Too Many Great Papers to Mention: Check Forensics, Incident Response, and Malware Analysis Categories)
    Windows Incident Response Blog
    Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
    Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress.
    FTK Imager Lite
    Prefetch Parser
    Windows Registry Recovery
  • 38. Questions
    Please Be Gentle
  • 39. Internet Control Message Protocol
    Feel Free to Ping Me
    Tim Mugherini
    Irc://freenode (as Bugbear)