NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division
@jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive
detection and response to advanced threats in Fortune
100 commercial environments
□Adjunct Lecturer at Utica College
□Developer of PowerForensics, Uproot IDS, and
WMIEventing
□Researcher of forensic artifact file formats
○ Makes really cool posters :-)
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more
Intro to PowerShell
“Microsoft’s [Digital Forensic] platform”
-obscuresec with some liberties…
What is PowerShell
○Task-based command-line shell and
scripting language
○Built on the .NET Framework
□Cmdlets for performing common system
administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface
○ Independent software vendors and enterprise
developers can build custom tools and utilities to
administer their software.
□Full access to the Windows API
Response
PowerForensics
Old Dog, New Tricks
Detection Investigation
Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied
together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage
Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does
not materially alter the source evidence, except to the minimum
extent necessary to obtain the evidence. The manner used to
obtain the evidence must be documented, and should be
justified to the extent applicable.” - Richard Bejtlich and Harlan
Carvey
Forensics Toolbox
Fast?!?
Understanding
Modules
Extensibility for the win!
Download
PowerForensics
http://download.powerforensics.invoke-ir.com
OR
https://www.github.com/Invoke-IR/PowerForensics
Unblock-File
○ PowerShell v3 gives us Unblock-File
Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○Can also “Unblock” via the
file’s properties dialog
□Best to Unblock the zip before
extraction
○Unblocking will remove the
Zone.Identifier Alternate
Data Stream
PSModulePath
○ PSModulePath
○ Naming Convention
More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx
Import-Module
Import-Module -Name PowerForensics
Get-Command -Module PowerForensics
PowerForensics Install Demo
Invoke-DD
○One Cmdlet to rule them all
□Underlying API is basis for all of PowerForensics
○Allows raw access to Physical Drive or Logical Volume
□Uses Platform Invoke to call CreateFile Windows API
□Opens a file handle to \\.\PHYSICALDRIVEX or a Logical
Volume
□Reads from file handle via FileStream object
□Warning: Must read in Sector increments (BlockSize
must be a multiple of 512)
$InFile = '\\.\PHYSICALDRIVE0'
Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1
Invoke-DD Demo
Boot Sectors
Where the action begins…
Master Boot Record
○1st Sector of the Disk
□Also referred to as the Boot Sector
○Boot Code
□Locate Partition Table
□Find 1st “Bootable” partition
□Determine partition Logical Cluster Number
□Pass execution to first sector of partition (Volume
Boot Record)
○Partition Table
□Space for 4 partitions by default
□“Extended Partitions” allow for additional partitions
above 4
Get-MBR
○Cmdlet to parse the MBR and return MasterBootRecord objects
○Use WMI to list available Devices:
$Devices = Get-WmiObject -Class Win32_DiskDrive
○Run Get-MBR against one of the returned drives:
Get-MBR -Path $Devices[0].DeviceID
Boot Kits
○Attackers can alter MBR Boot Code
□ Code runs in Ring 0 (before the OS Loads)
○Set-MasterBootRecord
□Proof of concept written by Matt Graeber
(@mattifestation)
□Allows a user with administrator privilege to
overwrite the Master Boot Record with arbitrary
code
○Get-MBR takes known Boot Code into
account and detects any changes
(tampering)
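The tampering check Get-MBR performs can be reproduced by hand with Invoke-DD. The following is an added example, not code from the PowerForensics project: it reads the first sector, hashes the 440-byte boot-code region and compares it with a baseline hash taken from a known-good host. It assumes Invoke-DD emits the sector as raw bytes; the baseline value is a placeholder.

```powershell
# Added example (not PowerForensics project code). Reads the MBR with Invoke-DD, hashes the
# 440-byte boot-code region and compares it with a baseline captured from a known-good host.
# Assumption: Invoke-DD returns the sector as raw bytes.
function Get-MbrBootCodeHash {
    param([string]$Drive = '\\.\PHYSICALDRIVE0')

    # Invoke-DD must read whole sectors: one 512-byte block at offset 0 is the MBR.
    [byte[]]$sector = Invoke-DD -InFile $Drive -Offset 0 -BlockSize 512 -Count 1
    if ($sector.Length -lt 512) { throw "Short read from $Drive ($($sector.Length) bytes)" }

    # MBR layout: 0-439 boot code, 440-443 disk signature, 446-509 partition table, 510-511 0x55AA.
    if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) {
        throw "No 0x55AA signature on $Drive (a GPT disk still carries a protective MBR here)"
    }

    [byte[]]$bootCode = $sector[0..439]
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    finally {
        $sha.Dispose()
    }
}

function Test-MbrBootCode {
    param(
        [string]$Drive = '\\.\PHYSICALDRIVE0',
        # SHA-256 of the boot code on a known-good host with the same OS build (placeholder).
        [Parameter(Mandatory)][string]$BaselineSha256
    )
    $actual = Get-MbrBootCodeHash -Drive $Drive
    [pscustomobject]@{
        Drive          = $Drive
        BootCodeSha256 = $actual
        Tampered       = ($actual -ne $BaselineSha256.ToLowerInvariant())
    }
}

# Usage: the baseline comes from a clean reference machine (placeholder value, not a real hash).
Test-MbrBootCode -Drive '\\.\PHYSICALDRIVE0' -BaselineSha256 '<known-good-sha256>'
```

Boot code differs between OS builds and partitioning tools, so keep one baseline per build rather than a single value for the whole fleet.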
MBR Bootkit Demo
MBR Boot Code (Pre Infection)
MBR Boot Code (Post Infection)
GUID Partition Table
○Replacement Boot Sector format for the MBR
□UEFI compliant devices must support GPT
○Alternative to the Legacy Master Boot Record
□Maintains a Protective MBR, in the disk's 1st Sector,
for compatibility
□Allows for increased partition sizes (2 TiB -> 8 ZiB)
□Supports many primary partitions (MBR supports 4)
□Creates Primary and Backup partition tables for
redundancy
Get-GPT
○Cmdlet to parse the GPT and return GuidPartitionTable objects
○Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○Run Get-GPT against one of the returned drives:
Get-GPT -Path \\.\PHYSICALDRIVE1
○Warning: Get-GPT will error if the device is MBR formatted
○If Get-MBR is run against a GPT formatted device, Get-MBR
returns the information about the Protective MBR
Get-BootSector
○Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○Run Get-BootSector against one of the returned drives:
Get-BootSector -Path \\.\PHYSICALDRIVE0
Get-BootSector -Path \\.\PHYSICALDRIVE1
Get-PartitionTable
○Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○MBR formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE2
○GPT formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE1
NTFS System Files
#  Filename              #   Filename
0  $MFT                  8   $BadClus
1  $MFTMirr              9   $Secure
2  $LogFile              10  $UpCase
3  $Volume               11  $Extend
4  $AttrDef                    $ObjId
5  Root Directory (.)          $Quota
6  $Bitmap                     $Reparse
7  $Boot                       $UsnJrnl
($ObjId, $Quota, $Reparse and $UsnJrnl live inside the $Extend directory)
Volume Boot Record: $Boot (7)
○1st Sector of partition
□Location of the partition is pointed to by the Partition
table (MBR or GPT)
○Loads the BOOTMGR Loader
○Defines partition attributes
□ Bytes per Sector
□Sectors per Cluster
□Total Sectors
□Location of MFT
□Size of MFT Record
□Size of INDX Structure
Get-VolumeBootRecord
○Cmdlet to parse the VBR and return VolumeBootRecord objects
○Execute Cmdlet with “VolumeName” parameter
$VBR = Get-VolumeBootRecord -VolumeName \\.\C:
○Often useful to pair with low level cmdlets like Invoke-DD
Master File Table
$MFT (0)
○NTFS file table
□First file present on NTFS partition
□Contains at least one entry for every file, on an
NTFS Volume, including itself
□As files are added the MFT grows
□When files are deleted, the MFT marks the file’s
record as unallocated so a new file can take its
place
○Each record contains file metadata
□MACB Timestamps
□File name details (name, path, hard links)
□Location of Data
Get-FileRecord
○Cmdlet to parse the MFT and return FileRecord objects
○Three different ways to use:
1) Get all MFT Records
$mft = Get-FileRecord -VolumeName \\.\C:
2) Get a FileRecord by path
Get-FileRecord -Path C:\Windows\notepad.exe
3) Get a FileRecord by Record Number/Index value
Get-FileRecord -VolumeName \\.\C: -Index 0
Temporal Funneling
○Large amounts of data may not be relevant to
our case
□Temporal Funneling/Pivoting allows analysts to reduce
noise & focus on artifacts associated with the investigation
$mft = Get-FileRecord
$start = New-Object DateTime(2015,08,21,13,05,00)
$end = New-Object DateTime(2015,08,21,14,05,00)
$mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}
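The one-liner above funnels on BornTime only. As an added example (not PowerForensics project code) the function below generalises it to all four $STANDARD_INFORMATION timestamps and reports which one landed each hit; BornTime and RecordNumber are named on the slides, while the ModifiedTime, AccessedTime, ChangedTime and FullName properties of the FileRecord object are assumptions.

```powershell
# Added example (not PowerForensics project code). Filters FileRecord objects against a time
# window on any of the MACB timestamps, emitting one row per matching timestamp.
# Assumed property names: ModifiedTime, AccessedTime, ChangedTime, FullName.
function Invoke-TemporalFunnel {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$FileRecord,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        # Timestamps to test; default is all of MACB.
        [string[]]$Timestamps = @('ModifiedTime', 'AccessedTime', 'ChangedTime', 'BornTime')
    )
    begin {
        if ($End -le $Start) { throw 'End must be after Start' }
    }
    process {
        foreach ($name in $Timestamps) {
            $value = $FileRecord.$name
            # Skip records that do not carry this timestamp, then apply the window.
            if ($value -is [datetime] -and $value -ge $Start -and $value -lt $End) {
                [pscustomobject]@{
                    Time         = $value
                    Timestamp    = $name       # which MACB field matched
                    RecordNumber = $FileRecord.RecordNumber
                    FullName     = $FileRecord.FullName
                }
            }
        }
    }
}

# Usage: same one-hour window as the slide, across all four timestamps, oldest first.
$start = New-Object DateTime(2015, 08, 21, 13, 05, 00)
$end   = New-Object DateTime(2015, 08, 21, 14, 05, 00)
Get-FileRecord -VolumeName \\.\C: |
    Invoke-TemporalFunnel -Start $start -End $end |
    Sort-Object Time |
    Format-Table -AutoSize
```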
Temporal Funneling Demo
MFT Attributes
Type   Name                     Type    Name
0x10   $STANDARD_INFORMATION    0x90    $INDEX_ROOT
0x20   $ATTRIBUTE_LIST          0xA0    $INDEX_ALLOCATION
0x30   $FILE_NAME               0xB0    $BITMAP
0x40   $OBJECT_ID               0xC0    $REPARSE_POINT
0x50   $SECURITY_DESCRIPTOR     0xD0    $EA_INFORMATION
0x60   $VOLUME_NAME             0xE0    $EA
0x70   $VOLUME_INFORMATION      0xF0    $PROPERTY_SET
0x80   $DATA                    0x100   $LOGGED_UTILITY_STREAM
Recover Deleted File Demo
Access SAM Hive Demo
Get-ContentRaw
○Cmdlet to parse $DATA Attributes to determine the location
of a file’s contents on disk
□Finds the file’s MFT Record and the main $DATA Stream
□Outputs the contents of the file to Standard Out
○Different Encoding Options
□ASCII
□Unicode
□Bytes
Get-ContentRaw -Path C:\Windows\system32\config\SAM
Copy-FileRaw
○Cmdlet to parse $DATA Attributes to determine the location of a
file’s contents on disk
□Finds the file’s MFT Record and the main $DATA Stream
□Creates a copy of the specified file without accessing the file
itself
$Path = 'C:\Windows\system32\config\SAM'
$Destination = 'C:\temp\SAM'
Copy-FileRaw -Path $Path -Destination $Destination
Alternate Data
Streams
○NTFS allows files to store data in multiple
“$DATA” attributes
□These additional $DATA attributes are commonly
referred to as Alternate Data Streams (ADS)
○Attackers have found ways to hide and even
execute malware from ADS
□Windows legitimately uses ADS to identify files
downloaded from the internet (Zone.Identifier)
○PowerShell added ADS compatibility to many
cmdlets, but did not add the ability to
recursively list all files with ADS
Get-AlternateDataStream
○Cmdlet to easily find and list Alternate Data Streams on NTFS
○Use cases:
1) List all Alternate Data Streams
$ads = Get-AlternateDataStream
2) List files downloaded via Internet Explorer
$ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
3) List Alternate Data Streams for a specific file
Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
4) List Alternate Data Streams not created by Internet Explorer
$ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}
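For comparison with Get-AlternateDataStream, and to show what the Zone.Identifier stream removed by Unblock-File actually contains, here is an added example (not PowerForensics project code) that lists named streams with the built-in provider cmdlets of PowerShell v3+ and decodes the zone marker. It goes through the file API rather than the raw MFT, so it needs read access to each file and can be blocked by ACLs where the raw parser is not.

```powershell
# Added example (not PowerForensics project code). Walks a directory tree with the provider
# cmdlets, lists every named $DATA stream and decodes Zone.Identifier where present.
function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists all streams; ':$DATA' is the unnamed main stream, so drop it.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            $stream = $_
            $zone = @{}
            if ($stream.Stream -eq 'Zone.Identifier') {
                # INI-style text: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
                Get-Content -LiteralPath $stream.FileName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        if ($_ -match '^(\w+)=(.*)$') { $zone[$Matches[1]] = $Matches[2] }
                    }
            }
            [pscustomobject]@{
                Path    = $stream.FileName
                Stream  = $stream.Stream
                Length  = $stream.Length
                ZoneId  = $zone['ZoneId']    # 3 = Internet zone
                HostUrl = $zone['HostUrl']   # recorded by newer Windows builds, blank otherwise
            }
        }
}

# Usage: streams under the Downloads folder; anything that is not Zone.Identifier deserves a look.
Get-AdsInventory -Root "$env:UserProfile\Downloads" | Format-Table -AutoSize
```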
Alternate Data Streams Demo
Get-ChildItemRaw
○Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION
attributes to output a directory’s contents
□Lists system and hidden files
□Output object has a RecordNumber parameter
Get-ChildItemRaw
Get-ChildItemRaw -Path C:\Windows
Get-ChildItemRaw Demo
Get-FileRecordIndex
○Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION
attributes and return a file's MFT Record Number
□Starts with the root directory's MFT entry (index 5) and works
through the tree until the requested file's index is found
□Can be teamed with Get-FileRecord
$rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
Get-FileRecord -VolumeName \\.\C: -Index $rnumber
Get-FileRecordIndex Demo
$UsnJrnl
○NTFS Change Journaling
□Keeps track of changes to files or directories in a
volume
□Changes are documented with the filename,
timestamp of change, and description of change
□Can be leveraged by backup utilities (e.g. the Volume
Shadow Copy Service)
○Two named data streams:
□$MAX: UsnJrnl metadata (first entry number,
maximum size of journal, etc.)
□$J: Contains the actual Journal entries
$UsnJrnl Reasons
BASIC_INFO_CHANGE      INDEXABLE_CHANGE
CLOSE                  NAMED_DATA_EXTEND
COMPRESSION_CHANGE     NAMED_DATA_OVERWRITE
DATA_EXTEND            NAMED_DATA_TRUNCATION
DATA_OVERWRITE         OBJECT_ID_CHANGE
DATA_TRUNCATION        RENAME_NEW_NAME
EA_CHANGE              RENAME_OLD_NAME
ENCRYPTION_CHANGE      REPARSE_POINT_CHANGE
FILE_CREATE            SECURITY_CHANGE
FILE_DELETE            STREAM_CHANGE
HARD_LINK_CHANGE
Get-UsnJrnlInformation
○Cmdlet to parse the UsnJrnl’s $MAX Data Stream
○Returns Metadata about the UsnJrnl
Get-UsnJrnlInformation -VolumeName \\.\C:
Get-UsnJrnl
○Cmdlet to parse the UsnJrnl’s $J Data Stream
○Use Cases:
□Get all UsnJrnl Entries
$usn = Get-UsnJrnl -VolumeName \\.\C:
□Get the most recent UsnJrnl entry for C:\temp\helloworld.txt
$r = Get-FileRecord -Path C:\temp\helloworld.txt
$usn = $r.Attribute[0].UpdateSequenceNumber
Get-UsnJrnl -VolumeName \\.\C: -USN $usn
File Creation & Modification Demo
UsnJrnl ADS Demo
Artifacts
Prefetch
Get-Prefetch
○Cmdlet to parse the Windows Prefetch binary file format
○Use Cases:
□Get all Prefetch objects from files in the "Windows\Prefetch"
directory
Get-Prefetch -VolumeName \\.\C:
□Get the Prefetch object from the file specified by the Path parameter
Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
□Another option is looking for .pf file operations in the UsnJrnl
Get-UsnJrnl | ? {$_.FileName -like "*.pf"}
Prefetch Demo
Get-ScheduledJobRaw
○Cmdlet to parse the Scheduled (At) Job binary file format
○Use Cases:
□Get all ScheduledJob objects from files in the "Windows\Tasks" directory
Get-ScheduledJobRaw -VolumeName \\.\C:
□Get the ScheduledJob object from the file specified by the Path parameter
Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job
Moving Forward
○More artifacts!!
□Registry support
□ESE database support
○Organic Remoting (more robust)
○Support for alternate file systems
□Windows: FAT12, FAT16, FAT32, exFAT
□Linux: Ext2, Ext3, Ext4
□Mac: HFS+
○Online documentation (Open API)
○WMI Provider with Events
○Community Involvement!!!
@jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?
Extra Slides!!!
$Volume (3)
○File containing metadata about its partition/volume
○Made up of two special attributes $VOLUME_NAME and
$VOLUME_INFORMATION
□Two cmdlets: Get-VolumeName and Get-VolumeInformation
Get-VolumeName -VolumeName \\.\C:
Get-VolumeInformation -VolumeName \\.\C:
$AttrDef (4)
○System file that contains details about all
file attributes available to the volume
Get-AttrDef -VolumeName \\.\C:
$Bitmap (6)
$BadClus (8)
○NTFS has two files to tell the File System
what Clusters can be used
○File contents are bit fields where each bit
represents a specific cluster
□$Bitmap: Each bit represents whether the
associated cluster is allocated by the file system
□$BadClus: Each bit represents whether the
associated cluster is corrupted or not
Get-Bitmap
Get-BadClus
○Cmdlet to parse bit fields contained within their
respective files ($BITMAP and $BADCLUS)
○Use cases:
□Parse the $BITMAP file to determine if the specified
cluster is allocated
Get-Bitmap -VolumeName \\.\C: -Cluster 1000
□Parse the $BADCLUS file to report on any clusters
that have been marked as corrupt by the file system
Get-BadClus -VolumeName \\.\C:

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 

44CON London 2015: NTFS Analysis with PowerForensics

  • 1. NTFS Analysis with PowerShell
    Jared Atkinson
    Veris Group’s Adaptive Threat Division
  • 2. @jaredcatkinson
    ○ Jared Atkinson
      □ Hunt Capability Lead for Adaptive Threat Division
        ○ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
      □ Adjunct Lecturer at Utica College
      □ Developer of PowerForensics, Uproot IDS, and WMIEventing
      □ Researcher of forensic artifact file formats
        ○ Makes really cool posters :-)
      □ History
        ○ U.S. Air Force Hunt (2011 - 2015)
        ○ GCFA, GREM, and more
  • 3. Intro to PowerShell
    “Microsoft’s [Digital Forensic] platform” - obscuresec, with some liberties…
  • 4. What is PowerShell
    ○ Task-based command-line shell and scripting language
    ○ Built on the .NET Framework
      □ Cmdlets for performing common system administration tasks
      □ Consistent design
      □ Powerful object manipulation capabilities
      □ Extensible interface
        ○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
      □ Full access to the Windows API
  • 5. PowerForensics: Old Dog, New Tricks (Detection, Investigation, Response)
  • 6. Requirements
    ○ Centralized forensic toolset
    ○ Forensically sound
      □ Parse raw disk structures
      □ Don’t alter NTFS timestamps
    ○ Can execute on a live host
    ○ Operationally fast
      □ Collect forensic data in seconds or minutes
    ○ Modular capabilities
      □ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
    ○ Capable of working remotely
      □ At the proof of concept stage
  • 7. Forensically Sound?
    “A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey
  • 16. Unblock-File
    ○ PowerShell v3 gives us Unblock-File
      Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
    ○ Can also “Unblock” via the file’s properties dialog
      □ Best to Unblock the zip before extraction
    ○ Unblocking will remove the Zone.Identifier Alternate Data Stream
  • 17. PSModulePath
    ○ PSModulePath
    ○ Naming Convention
    More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx
  • 20. Invoke-DD
    ○ One Cmdlet to rule them all
      □ The underlying API is the basis for all of PowerForensics
    ○ Allows raw access to a Physical Drive or Logical Volume
      □ Uses Platform Invoke to call the CreateFile Windows API
      □ Opens a file handle to \\.\PHYSICALDRIVEX or a Logical Volume
      □ Reads from the file handle via a FileStream object
      □ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)
      $InFile = '\\.\PHYSICALDRIVE0'
      Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1
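The mechanism slide 20 describes, written out as an added example that is not PowerForensics' own code: CreateFile through Platform Invoke, a FileStream over the returned handle, and reads restricted to whole sectors. Read-RawSectors, the RawDisk.NativeMethods type and \\.\PHYSICALDRIVE0 as the first disk are this example's assumptions; it needs an elevated PowerShell session on Windows.

```powershell
# Added example, not PowerForensics code: CreateFile via P/Invoke, FileStream over the
# handle, sector-aligned reads. Run in an elevated PowerShell session on Windows.
if (-not ('RawDisk.NativeMethods' -as [type])) {
    Add-Type -Namespace RawDisk -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@
}

function Read-RawSectors {
    param(
        [Parameter(Mandatory)][string]$InFile,   # '\\.\PHYSICALDRIVE0' or a volume such as '\\.\C:'
        [long]$Offset = 0,
        [int]$BlockSize = 512,
        [int]$Count = 1
    )
    # Device handles reject reads that are not whole sectors, hence the 512-byte rule.
    if (($BlockSize % 512) -ne 0 -or ($Offset % 512) -ne 0) {
        throw 'Offset and BlockSize must be multiples of 512'
    }
    $GENERIC_READ  = [uint32]0x80000000
    $SHARE_RW      = [uint32]3            # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING = [uint32]3
    $handle = [RawDisk.NativeMethods]::CreateFile($InFile, $GENERIC_READ, $SHARE_RW,
        [IntPtr]::Zero, $OPEN_EXISTING, [uint32]0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CreateFile($InFile) failed with Win32 error $err (not elevated?)"
    }
    # .NET's FileStream will not open a \\.\ path itself, but it accepts the raw handle.
    $stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
    try {
        $buffer = New-Object byte[] ($BlockSize * $Count)
        $stream.Position = $Offset
        $read = $stream.Read($buffer, 0, $buffer.Length)
        if ($read -ne $buffer.Length) { throw "Short read: $read of $($buffer.Length) bytes" }
        return ,$buffer                   # leading comma keeps the byte[] from being unrolled
    }
    finally {
        $stream.Dispose()
        $handle.Dispose()
    }
}

# First sector of the first disk: bytes 510-511 hold the 0x55AA boot signature when this
# is an MBR (or the protective MBR of a GPT disk).
$sector = Read-RawSectors -InFile '\\.\PHYSICALDRIVE0' -Offset 0 -BlockSize 512 -Count 1
'Boot signature: {0:X2}{1:X2}' -f $sector[510], $sector[511]
```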
  • 22. Boot Sectors
    Where the action begins…
  • 23. Master Boot Record
    ○ 1st Sector of the Disk
      □ Also referred to as the Boot Sector
    ○ Boot Code
      □ Locate Partition Table
      □ Find 1st “Bootable” partition
      □ Determine partition Logical Cluster Number
      □ Pass execution to first sector of partition (Volume Boot Record)
    ○ Partition Table
      □ Space for 4 partitions by default
      □ “Extended Partitions” allow for additional partitions above 4
  • 25. Get-MBR
    ○ Cmdlet to parse the MBR and return MasterBootRecord objects
    ○ Use WMI to list available Devices:
      $Devices = Get-WmiObject -Class Win32_DiskDrive
    ○ Run Get-MBR against one of the returned drives:
      Get-MBR -Path $Devices[0].DeviceID
  • 26. Boot Kits
    ○ Attackers can alter MBR Boot Code
      □ Code runs in Ring 0 (before the OS loads)
    ○ Set-MasterBootRecord
      □ Proof of concept written by Matt Graeber (@mattifestation)
      □ Allows a user with administrator privilege to overwrite the Master Boot Record with arbitrary code
    ○ Get-MBR takes known Boot Code into account and detects any changes (tampering)
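An added example covering slides 23, 25 and 26 (not PowerForensics' own code): parse one 512-byte MBR sector into boot code, disk signature and partition entries, and compare a SHA-256 of the boot code with a baseline hash the analyst recorded earlier, which is the kind of tampering check Get-MBR performs with its known boot code. ConvertFrom-MasterBootRecord and the sample sector are this example's constructions; on a real system the sector is the first 512 bytes read from the disk.

```powershell
# Added example, not PowerForensics code: MBR layout is boot code 0-439, disk
# signature 440-443, four 16-byte partition entries from 446, 0x55AA at 510-511.
function ConvertFrom-MasterBootRecord {
    param([Parameter(Mandatory)][byte[]]$Sector, [string]$KnownBootCodeHash)
    if ($Sector.Length -lt 512) { throw 'An MBR is one 512-byte sector' }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([byte[]]$Sector[0..439]) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()
    $tampered = $null                                    # unknown unless a baseline is supplied
    if ($KnownBootCodeHash) { $tampered = ($hash -ne $KnownBootCodeHash.ToLower()) }
    $partitions = foreach ($i in 0..3) {
        $e = 446 + 16 * $i
        if ($Sector[$e + 4] -eq 0) { continue }          # type 0x00 marks an unused entry
        [pscustomobject]@{
            Index       = $i
            Bootable    = ($Sector[$e] -eq 0x80)          # status byte: 0x80 = active
            Type        = '0x{0:X2}' -f $Sector[$e + 4]   # e.g. 0x07 NTFS, 0xEE GPT protective
            StartSector = [BitConverter]::ToUInt32($Sector, $e + 8)
            SectorCount = [BitConverter]::ToUInt32($Sector, $e + 12)
        }
    }
    [pscustomobject]@{
        DiskSignature    = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440)
        BootCodeSHA256   = $hash
        BootCodeTampered = $tampered
        Partitions       = @($partitions)
    }
}

# Constructed sample sector: placeholder boot code bytes, disk signature 0x1A2B3C4D,
# one active NTFS (0x07) partition at LBA 2048 spanning 204800 sectors, and 0x55AA.
$sample = New-Object byte[] 512
[Array]::Copy([byte[]](0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C), 0, $sample, 0, 8)
[Array]::Copy([BitConverter]::GetBytes([uint32]0x1A2B3C4D), 0, $sample, 440, 4)
$sample[446] = 0x80; $sample[450] = 0x07
[Array]::Copy([BitConverter]::GetBytes([uint32]2048), 0, $sample, 454, 4)
[Array]::Copy([BitConverter]::GetBytes([uint32]204800), 0, $sample, 458, 4)
$sample[510] = 0x55; $sample[511] = 0xAA

$baseline = ConvertFrom-MasterBootRecord -Sector $sample
$baseline.Partitions | Format-Table
# Change one boot code byte and re-check against the recorded hash: BootCodeTampered is True.
$sample[0] = 0x90
(ConvertFrom-MasterBootRecord -Sector $sample -KnownBootCodeHash $baseline.BootCodeSHA256).BootCodeTampered
```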
  • 28. MBR Boot Code (Pre Infection)
  • 29. MBR Boot Code (Post Infection)
  • 30. MBR Boot Code (Post Infection)
  • 31. GUID Partition Table
    ○ Replacement Boot Sector format for MBR
      □ UEFI compliant devices must support GPT
      □ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility
    ○ Alternative to Legacy Master Boot Record
      □ Allows for increased partition sizes (2 TiB -> 8 ZiB)
      □ Supports many primary partitions (MBR supports 4)
      □ Creates Primary and Backup partition tables for redundancy
  • 33. Get-GPT
    ○ Cmdlet to parse the GPT and return GuidPartitionTable objects
    ○ Use WMI to list available Devices:
      Get-WmiObject -Class Win32_DiskDrive
    ○ Run Get-GPT against one of the returned drives:
      Get-GPT -Path \\.\PHYSICALDRIVE1
    ○ Warning: Get-GPT will error if the device is MBR formatted
    ○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR
  • 34. Get-BootSector
    ○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
    ○ Use WMI to list available Devices:
      Get-WmiObject -Class Win32_DiskDrive
    ○ Run Get-BootSector against one of the returned drives:
      Get-BootSector -Path \\.\PHYSICALDRIVE0
      Get-BootSector -Path \\.\PHYSICALDRIVE1
  • 35. Get-PartitionTable
    ○ Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
    ○ MBR formatted device
      Get-PartitionTable -Path \\.\PHYSICALDRIVE2
    ○ GPT formatted device
      Get-PartitionTable -Path \\.\PHYSICALDRIVE1
  • 37. NTFS System Files
      #   Filename                #   Filename
      0   $MFT                    8   $BadClus
      1   $MFTMirr                9   $Secure
      2   $LogFile                10  $UpCase
      3   $Volume                 11  $Extend
      4   $AttrDef                      $ObjId
      5   Root Directory (.)            $Quota
      6   $Bitmap                       $Reparse
      7   $Boot                         $UsnJrnl
  • 38. Volume Boot Record $Boot (7)
    ○ 1st Sector of the partition
      □ Location of the partition is pointed to by the Partition Table (MBR or GPT)
    ○ Loads the BOOTMGR Loader
    ○ Defines partition attributes
      □ Bytes per Sector
      □ Sectors per Cluster
      □ Total Sectors
      □ Location of MFT
      □ Size of MFT Record
      □ Size of INDX Structure
  • 40. Get-VolumeBootRecord
    ○ Cmdlet to parse the VBR and return VolumeBootRecord objects
    ○ Execute Cmdlet with the “VolumeName” parameter
      $VBR = Get-VolumeBootRecord -VolumeName \\.\C:
    ○ Often useful to pair with low level cmdlets like Invoke-DD
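An added example, not PowerForensics' own code, that decodes the partition attributes slide 38 lists straight from the NTFS boot sector's BIOS Parameter Block, using the offsets of the NTFS on-disk format; ConvertFrom-VolumeBootRecord, Resolve-SizeField and the sample sector are constructions for this example. The MftByteOffset it computes is the kind of value that pairs with Invoke-DD's -Offset.

```powershell
# Added example, not PowerForensics code. The two size bytes at 0x40 and 0x44 are signed:
# a positive n means n clusters, a negative n means 2^(-n) bytes (0xF6 = -10 gives the usual
# 1024-byte file record even on volumes with 4 KiB clusters).
function Resolve-SizeField([byte]$Value, [int]$ClusterSize) {
    $n = if ($Value -gt 127) { [int]$Value - 256 } else { [int]$Value }
    if ($n -lt 0) { [int][math]::Pow(2, -$n) } else { $n * $ClusterSize }
}

function ConvertFrom-VolumeBootRecord {
    param([Parameter(Mandatory)][byte[]]$Sector)      # first 512 bytes of the volume
    $oem = [Text.Encoding]::ASCII.GetString($Sector, 3, 8)
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$oem')" }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Missing 0x55AA signature' }
    $bytesPerSector    = [BitConverter]::ToUInt16($Sector, 0x0B)
    $sectorsPerCluster = [int]$Sector[0x0D]
    $clusterSize       = $bytesPerSector * $sectorsPerCluster
    $mftLcn            = [BitConverter]::ToUInt64($Sector, 0x30)
    [pscustomobject]@{
        BytesPerSector       = $bytesPerSector
        SectorsPerCluster    = $sectorsPerCluster
        TotalSectors         = [BitConverter]::ToUInt64($Sector, 0x28)
        MftClusterNumber     = $mftLcn
        MftMirrClusterNumber = [BitConverter]::ToUInt64($Sector, 0x38)
        MftByteOffset        = $mftLcn * [uint64]$clusterSize   # sector-aligned offset of $MFT
        FileRecordSize       = Resolve-SizeField $Sector[0x40] $clusterSize
        IndexRecordSize      = Resolve-SizeField $Sector[0x44] $clusterSize
    }
}

# Constructed sample: 512-byte sectors, 8 sectors per cluster, 204799 total sectors,
# $MFT at cluster 786432, $MFTMirr at cluster 2, 1024-byte file records, 4096-byte index records.
$vbr = New-Object byte[] 512
[Array]::Copy([Text.Encoding]::ASCII.GetBytes('NTFS    '), 0, $vbr, 3, 8)
[Array]::Copy([BitConverter]::GetBytes([uint16]512), 0, $vbr, 0x0B, 2)
$vbr[0x0D] = 8
[Array]::Copy([BitConverter]::GetBytes([uint64]204799), 0, $vbr, 0x28, 8)
[Array]::Copy([BitConverter]::GetBytes([uint64]786432), 0, $vbr, 0x30, 8)
[Array]::Copy([BitConverter]::GetBytes([uint64]2), 0, $vbr, 0x38, 8)
$vbr[0x40] = 0xF6; $vbr[0x44] = 0x01
$vbr[510] = 0x55; $vbr[511] = 0xAA
ConvertFrom-VolumeBootRecord -Sector $vbr
```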
  • 41. Master File Table $MFT (0)
    ○ NTFS file table
      □ First file present on an NTFS partition
      □ Contains at least one entry for every file on an NTFS Volume, including itself
      □ As files are added the MFT grows
      □ When files are deleted, the MFT marks the file’s record as unallocated so a new file can take its place
    ○ Each record contains file metadata
      □ MACB Timestamps
      □ File name details (name, path, hard links)
      □ Location of Data
  • 43. Get-FileRecord
    ○ Cmdlet to parse the MFT and return FileRecord objects
    ○ Three different ways to use:
      1) Get all MFT Records
         $mft = Get-FileRecord -VolumeName \\.\C:
      2) Get a FileRecord by path
         Get-FileRecord -Path C:\Windows\notepad.exe
      3) Get a FileRecord by Record Number/Index value
         Get-FileRecord -VolumeName \\.\C: -Index 0
  • 44. Temporal Funneling
    ○ Large amounts of data may not be relevant to our case
      □ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation
      $mft = Get-FileRecord
      $start = New-Object DateTime(2015,08,21,13,05,00)
      $end = New-Object DateTime(2015,08,21,14,05,00)
      $mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}
  • 46. MFT Attributes
      Type   Name                       Type   Name
      0x10   $STANDARD_INFORMATION      0x90   $INDEX_ROOT
      0x20   $ATTRIBUTE_LIST            0xA0   $INDEX_ALLOCATION
      0x30   $FILE_NAME                 0xB0   $BITMAP
      0x40   $OBJECT_ID                 0xC0   $REPARSE_POINT
      0x50   $SECURITY_DESCRIPTOR       0xD0   $EA_INFORMATION
      0x60   $VOLUME_NAME               0xE0   $EA
      0x70   $VOLUME_INFORMATION        0xF0   $PROPERTY_SET
      0x80   $DATA                      0x100  $LOGGED_UTILITY_STREAM
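An added example, not PowerForensics' own code, that walks the attribute headers of one MFT file record and names each type from the table above; Get-FileRecordAttribute, Write-Bytes and the 1024-byte record are constructed for the example (a real record is what Get-FileRecord reads from $MFT). It decodes only the header fields and sizes, not attribute content or data runs.

```powershell
$AttributeTypeName = @{   # added example, not PowerForensics code: the slide 46 table as a lookup
    0x10 = '$STANDARD_INFORMATION'; 0x20 = '$ATTRIBUTE_LIST'; 0x30 = '$FILE_NAME'
    0x40 = '$OBJECT_ID'; 0x50 = '$SECURITY_DESCRIPTOR'; 0x60 = '$VOLUME_NAME'
    0x70 = '$VOLUME_INFORMATION'; 0x80 = '$DATA'; 0x90 = '$INDEX_ROOT'
    0xA0 = '$INDEX_ALLOCATION'; 0xB0 = '$BITMAP'; 0xC0 = '$REPARSE_POINT'
    0xD0 = '$EA_INFORMATION'; 0xE0 = '$EA'; 0xF0 = '$PROPERTY_SET'
    0x100 = '$LOGGED_UTILITY_STREAM'
}

function Get-FileRecordAttribute {
    param([Parameter(Mandatory)][byte[]]$Record)
    if ([Text.Encoding]::ASCII.GetString($Record, 0, 4) -ne 'FILE') { throw 'Missing FILE signature' }
    $offset = [BitConverter]::ToUInt16($Record, 0x14)    # header: offset of the first attribute
    $used   = [BitConverter]::ToUInt32($Record, 0x18)    # header: bytes of the record in use
    while ($offset + 8 -le $used) {
        $type = [BitConverter]::ToUInt32($Record, $offset)
        if ($type -eq [uint32]::MaxValue) { break }      # 0xFFFFFFFF terminates the attribute list
        $length = [BitConverter]::ToUInt32($Record, $offset + 4)
        if ($length -lt 24 -or $offset + $length -gt $used) { throw "Corrupt attribute at offset $offset" }
        $resident = $Record[$offset + 8] -eq 0
        $name = ''
        if ($Record[$offset + 9] -gt 0) {                # optional UTF-16LE name, e.g. an ADS name
            $nameOffset = [BitConverter]::ToUInt16($Record, $offset + 10)
            $name = [Text.Encoding]::Unicode.GetString($Record, $offset + $nameOffset, 2 * $Record[$offset + 9])
        }
        # Resident content length sits at +0x10; a non-resident attribute keeps its real size at +0x30.
        if ($resident) { $size = [BitConverter]::ToUInt32($Record, $offset + 0x10) }
        else           { $size = [BitConverter]::ToUInt64($Record, $offset + 0x30) }
        $typeName = $AttributeTypeName[[int]$type]
        if (-not $typeName) { $typeName = 'UNKNOWN' }
        [pscustomobject]@{ Offset = $offset; Type = ('0x{0:X}' -f $type); TypeName = $typeName
                           Name = $name; Resident = $resident; Size = $size }
        $offset += $length
    }
}

# Constructed 1024-byte record: $STANDARD_INFORMATION, $FILE_NAME, an unnamed non-resident
# $DATA and a resident $DATA named Zone.Identifier, then the terminator.
function Write-Bytes([byte[]]$Buffer, [int]$At, [byte[]]$Bytes) { [Array]::Copy($Bytes, 0, $Buffer, $At, $Bytes.Length) }
$rec = New-Object byte[] 1024
Write-Bytes $rec 0x00 ([Text.Encoding]::ASCII.GetBytes('FILE'))
Write-Bytes $rec 0x14 ([BitConverter]::GetBytes([uint16]0x38))    # first attribute at 0x38
Write-Bytes $rec 0x18 ([BitConverter]::GetBytes([uint32]0x1A8))   # bytes in use: 0x38 + attributes + 8
$off = 0x38
foreach ($a in @(@{T=0x10;L=0x60;NR=0;S=0x48;N=''}, @{T=0x30;L=0x68;NR=0;S=0x4A;N=''},
                 @{T=0x80;L=0x48;NR=1;S=123456;N=''}, @{T=0x80;L=0x58;NR=0;S=26;N='Zone.Identifier'})) {
    Write-Bytes $rec $off ([BitConverter]::GetBytes([uint32]$a.T))
    Write-Bytes $rec ($off + 4) ([BitConverter]::GetBytes([uint32]$a.L))
    $rec[$off + 8] = $a.NR
    if ($a.NR) { Write-Bytes $rec ($off + 0x30) ([BitConverter]::GetBytes([uint64]$a.S)) }
    else       { Write-Bytes $rec ($off + 0x10) ([BitConverter]::GetBytes([uint32]$a.S)) }
    if ($a.N) {
        $rec[$off + 9] = $a.N.Length
        Write-Bytes $rec ($off + 10) ([BitConverter]::GetBytes([uint16]0x18))
        Write-Bytes $rec ($off + 0x18) ([Text.Encoding]::Unicode.GetBytes($a.N))
    }
    $off += $a.L
}
Write-Bytes $rec $off ([BitConverter]::GetBytes([uint32]::MaxValue))
Get-FileRecordAttribute -Record $rec | Format-Table -AutoSize
```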
  • 53. Get-ContentRaw
    ○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
      □ Finds the file’s MFT Record and the main $DATA Stream
      □ Outputs the contents of the file to Standard Out
    ○ Different Encoding Options
      □ ASCII
      □ Unicode
      □ Bytes
      Get-ContentRaw -Path C:\Windows\system32\config\SAM
  • 54. Copy-FileRaw
    ○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
      □ Finds the file’s MFT Record and the main $DATA Stream
      □ Creates a copy of the specified file without accessing the file itself
      $Path = 'C:\Windows\system32\config\SAM'
      $Destination = 'C:\temp\SAM'
      Copy-FileRaw -Path $Path -Destination $Destination
  • 55. Alternate Data Streams
    ○ NTFS allows files to store data in multiple “$DATA” attributes
      □ These additional $DATA attributes are commonly referred to as Alternate Data Streams (ADS)
    ○ Attackers have found ways to hide and even execute malware from ADS
      □ Windows legitimately uses ADS to identify files downloaded from the internet (Zone.Identifier)
    ○ PowerShell added ADS compatibility to many cmdlets, but did not add the ability to recursively list all files with ADS
  • 56. Get-AlternateDataStream
    ○ Cmdlet to easily find and list Alternate Data Streams on NTFS
    ○ Use cases:
      1) List all Alternate Data Streams
         $ads = Get-AlternateDataStream
      2) List files downloaded via Internet Explorer
         $ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
      3) List Alternate Data Streams for a specific file
         Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
      4) List Alternate Data Streams not created by Internet Explorer
         $ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}
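The recursive ADS listing that slide 55 says the stock cmdlets lack, as an added example that is not PowerForensics' own code: it relies on the -Stream parameters PowerShell v3 added to the item cmdlets (the Win32 path, not a raw $DATA-attribute parse like Get-AlternateDataStream), and decodes Zone.Identifier so Internet-zone downloads stand out. Find-AlternateDataStream and the test file under $env:TEMP are constructions for this example; it needs an NTFS volume.

```powershell
# Added example, not PowerForensics code: list ADS under a directory via Get-Item -Stream.
function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the file's unnamed main stream; every other stream is an ADS.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $zoneId = $null; $hostUrl = $null
            if ($_.Stream -eq 'Zone.Identifier') {
                # INI-style text written by browsers and mail clients; ZoneId=3 is the Internet zone.
                $ini = (Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join "`n"
                $m = [regex]::Match($ini, '(?m)^ZoneId=(\d+)')
                if ($m.Success) { $zoneId = [int]$m.Groups[1].Value }
                $m = [regex]::Match($ini, '(?m)^HostUrl=(\S+)')
                if ($m.Success) { $hostUrl = $m.Groups[1].Value }
            }
            [pscustomobject]@{ FileName = $file; StreamName = $_.Stream; Length = $_.Length
                               ZoneId = $zoneId; HostUrl = $hostUrl }
          }
      }
}

# Constructed test file carrying the Zone.Identifier stream a browser download would have.
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'tool.exe'
Set-Content -LiteralPath $file -Value 'not an executable, just sample content'
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/tool.exe"
Find-AlternateDataStream -Path $dir | Format-Table -AutoSize
# Only Internet-zone downloads, the counterpart of the slide's StreamName -eq 'Zone.Identifier' filter:
Find-AlternateDataStream -Path $dir | Where-Object { $_.ZoneId -eq 3 }
```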
  • 60. Get-ChildItemRaw
    ○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
      □ Lists system and hidden files
      □ Output object has a RecordNumber property
      Get-ChildItemRaw
      Get-ChildItemRaw -Path C:\Windows
  • 62. Get-FileRecordIndex
    ○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
      □ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
      □ Can be teamed with Get-FileRecord
      $rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
      Get-FileRecord -VolumeName \\.\C: -Index $rnumber
  • 64. $UsnJrnl
    ○ NTFS Change Journaling
      □ Keeps track of changes to files or directories in a volume
      □ Changes are documented with the filename, timestamp of change, and description of change
      □ Can be leveraged by backup utilities (e.g. Volume Shadow Service)
    ○ Two named data streams:
      □ $MAX: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
      □ $J: Contains the actual Journal entries
  • 65. $UsnJrnl Reasons
      BASIC_INFO_CHANGE        INDEXABLE_CHANGE
      CLOSE                    NAMED_DATA_EXTEND
      COMPRESSION_CHANGE       NAMED_DATA_OVERWRITE
      DATA_EXTEND              NAMED_DATA_TRUNCATION
      DATA_OVERWRITE           OBJECT_ID_CHANGE
      DATA_TRUNCATION          RENAME_NEW_NAME
      EA_CHANGE                RENAME_OLD_NAME
      ENCRYPTION_CHANGE        REPARSE_POINT_CHANGE
      FILE_CREATE              SECURITY_CHANGE
      FILE_DELETE              STREAM_CHANGE
      HARD_LINK_CHANGE
  • 67. Get-UsnJrnlInformation
    ○ Cmdlet to parse the UsnJrnl’s $MAX Data Stream
    ○ Returns Metadata about the UsnJrnl
      Get-UsnJrnlInformation -VolumeName \\.\C:
  • 69. Get-UsnJrnl
    ○ Cmdlet to parse the UsnJrnl’s $J Data Stream
    ○ Use Cases:
      □ Get all UsnJrnl Entries
        $usn = Get-UsnJrnl -VolumeName \\.\C:
      □ Get the most recent UsnJrnl entry for C:\temp\helloworld.txt
        $r = Get-FileRecord -Path C:\temp\helloworld.txt
        $usn = $r.Attribute[0].UpdateSequenceNumber
        Get-UsnJrnl -VolumeName \\.\C: -USN $usn
  • 70. File Creation & Modification Demo
  • 75. Get-Prefetch
    ○ Cmdlet to parse the Windows Prefetch binary file format
    ○ Use Cases:
      □ Get all Prefetch objects from files in the “Windows\Prefetch” directory
        Get-Prefetch -VolumeName \\.\C:
      □ Get the Prefetch object from the file specified by the Path parameter
        Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
      □ Another option is looking for .pf file operations in the UsnJrnl
        Get-UsnJrnl | ? {$_.FileName -like "*.pf"}
  • 77. Get-ScheduledJobRaw
    ○ Cmdlet to parse the Scheduled (At) Job binary file format
    ○ Use Cases:
      □ Get all ScheduledJob objects from files in the “Windows\Tasks” directory
        Get-ScheduledJobRaw -VolumeName \\.\C:
      □ Get the ScheduledJob object from the file specified by the Path parameter
        Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job
  • 78. Moving Forward
    ○ More artifacts!!
      □ Registry support
      □ ESE database support
    ○ Organic Remoting (more robust)
    ○ Support for alternate file systems
      □ Windows: FAT12, FAT16, FAT32, exFAT
      □ Linux: Ext2, Ext3, Ext4
      □ Mac: HFS+
    ○ Online documentation (Open API)
    ○ WMI Provider with Events
    ○ Community Involvement!!!
  • 81. $Volume (3)
    ○ File containing metadata about its partition/volume
    ○ Made up of two special attributes: $VOLUME_NAME and $VOLUME_INFORMATION
      □ Two cmdlets: Get-VolumeName and Get-VolumeInformation
        Get-VolumeName -VolumeName \\.\C:
        Get-VolumeInformation -VolumeName \\.\C:
  • 84. $AttrDef (4)
    ○ System file that contains details about all file attributes available to the volume
      Get-AttrDef -VolumeName \\.\C:
  • 86. $Bitmap (6), $BadClus (8)
    ○ NTFS has two files to tell the File System what Clusters can be used
    ○ File contents are bit fields where each bit represents a specific cluster
      □ $Bitmap: Each bit represents whether the associated cluster is allocated by the file system
      □ $BadClus: Each bit represents whether the associated cluster is corrupted or not
  • 87. Get-Bitmap, Get-BadClus
    ○ Cmdlets to parse the bit fields contained within their respective files ($BITMAP and $BADCLUS)
    ○ Use cases:
      □ Parse the $BITMAP file to determine if the specified cluster is allocated
        Get-Bitmap -VolumeName \\.\C: -Cluster 1000
      □ Parse the $BADCLUS file to report on any clusters that have been marked as corrupt by the file system
        Get-BadClus -VolumeName \\.\C: