
Leveraging NTFS Timeline Forensics during the Analysis of Malware

Video of this talk can be found at mms://boston.naisg.org/media/201101Forensics.wmv

  1. Leveraging NTFS Timeline Forensics in the Analysis of Malware
     Tim Mugherini
     NAISG Boston
     January 20, 2011

  2. About Me
     Caveat: I Am Not An Expert!

  3. Some Context
     "Facts do not cease to exist because they are ignored." - Aldous Huxley

  4. Being Prepared
     What's in your Incident Response Toolkit?
     Malware is becoming more sophisticated.
     A deeper understanding of computer systems is needed.
     File system forensics techniques are well documented but seem underutilized.
     Analysis of the Master File Table (MFT) of the NTFS file system can be used to establish a timeline of changes to the system and to locate the files involved.

  5. Incident Response
     Where does Malware Analysis Fit In?
     Preparation: incident handling procedures, training, toolkits, jump bags, detection and defense mechanisms.
     Detection & Analysis: determine the type, extent, and magnitude of the incident; identify the malware's characteristics.
     Containment, Eradication, & Recovery: prevent the malware from spreading and causing further damage, then remove it and restore the functionality and data affected by the infection.
     Post-Incident: review the incident and the lessons learned, apply them to your preparation for the next incident, and retain the evidence.
     Reference: National Institute of Standards and Technology (2005). SP 800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

  6. Malware Analysis
     Where does File Forensics Fit In?
     Static: analyze without executing the code
       - File analysis (location, dates and times, strings, hashes)
       - Code analysis and reverse engineering (decompiling, disassembling)
     Dynamic: analyze the code while it runs
       - Behavioral analysis (processes, network connections, strings in memory)
       - Network packet analysis
     Ideally you want to do both!

  7. NTFS Master File Table 101
     "Facts do not 'speak for themselves', they are read in the light of theory." - Stephen Jay Gould

  8. Everything is a File
     Overview of NTFS and the Master File Table
     NTFS ("New Technology File System") is the default file system of all modern versions of Windows.
     The Master File Table (MFT) is the heart of NTFS. It contains the metadata about every file and directory on the volume.
     Everything is a file in NTFS, including the MFT itself ($MFT).
     Each file and directory has at least one entry in the MFT.
     Each MFT entry is 1024 bytes in size (the size is recorded in the boot sector). The first 42 bytes form the entry header (12 defined fields); the remaining space holds the entry's attributes.
     The MFT grows as needed. When a file is deleted, NTFS marks its entry unallocated rather than erasing it, so the metadata survives until the entry is reused.
     Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.

  9. 0x46494c45
     What FILE Information can be extracted?
     The MFT entry header contains the record number of the entry and a sequence number (incremented each time the entry is reused). The parent directory's record number, which gives the file's location, is stored in the $FILE_NAME attribute.
     The $STANDARD_INFORMATION attribute is the best known. Its MACE times (Modified, Accessed, Created, Entry modified) and flags are what explorer.exe displays in the properties of a file or folder.
     The $FILE_NAME attribute contains the file name and a second, independent set of MACE times (more on this in a bit).
     Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.

  10. Standard_Information Attributes
     The Good, The Bad, The WTF
     The Good: the behavior of Windows with respect to $STANDARD_INFORMATION MACE times is well known.
     The Bad: $STANDARD_INFORMATION MACE times can easily be manipulated (for example with Metasploit's Timestomp or a Unix-style touch).
     OK ... WTF: did you know last access time updates are disabled by default in Windows Vista/7?
     HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1

  11. PowerShell: Friend or Foe?
     Manipulation of $STANDARD_INFORMATION dates.
     Reference: Hull, David (2008). Touch on Windows via PowerShell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html

  12. Don't Be Duped
     $FILE_NAME Attributes are not Easily Manipulated
     $FILE_NAME times initially mirror the $STANDARD_INFORMATION creation time.
     They do not get updated the way $STANDARD_INFORMATION values do; typically they change only when the file is moved or renamed.
     Consequently, it is more difficult to manipulate $FILE_NAME attributes (note: I did not say impossible; more on this later).
     All attribute times need to be analyzed when performing MFT analysis.
     Some work has been done cataloging the behavior of the $FILE_NAME time attributes.
     Reference: Hull, David (2010). Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation

  13. Thank You Rob
     MFT Attribute Behavior
     Reference: Lee, Rob T. (2010). Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties

  14. Intro to Our Malware Sample
     "It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before." - Author Unknown

  15. Rogue AV Prerequisites
     There Are None
     Up-to-date Windows 7 OS - No Problem!
     No local admin rights - No Problem!
     Existing antivirus with current signatures - No Problem!
     Windows Firewall hardened with GPO - No Problem!
     IE 8 in Medium/High security mode - No Problem!
     UAC enabled - No Problem!
     But what features do you get with your install, you ask?

  16. Rogue AV Feature Set
     Replaces Existing Antivirus without Interaction

  17. Rogue AV Feature Set
     Places Bogus Malicious Files on Your File System

  18. Rogue AV Feature Set
     Provides Protection Sopranos Style

  19. Rogue AV Feature Set
     Confused? Live Support Chat can Assist

  20. Rogue AV Feature Set
     Protects Against Analysis by Your IT Practitioner

  21. Analysis of Our Sample
     "Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence." - John Adams

  22. Down the Rabbit Hole
     Summary of the Rogue File/Process
     File name: ISe6d_2229.exe
     File type: Windows 32-bit Portable Executable
     MD5: 699ebebcac9aaeff67bee94571e373a1
     SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
     File size: 3590656 bytes
     First seen on VirusTotal: 2010-11-14 01:20:29
     Last seen: 2010-11-16 15:52:22
     http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742
     My write-up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html

  23. Grabbing the MFT
     FTK Imager Lite: exporting the $MFT file from the live volume.

  24. Parsing the MFT
     analyzeMFT: parse the records and export them (CSV) for analysis.

  25. Analyzing the MFT
     Based on the facts, find the infection locations.

  26. Leveraging the Results
     "We can have facts without thinking but we cannot have thinking without facts." - John Dewey

  27. Using Information from the MFT
     Prefetch Parser: Parsing the Prefetch Folder
     SETUP_2229[1].EXE-11C68EE8.pf   \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\SETUP_2229[1].EXE
     TASKKILL.EXE-8F5B2253.pf        \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\ANPRICE=85[1].HTM
     RUNDLL32.EXE-80EAA685.pf        \PROGRAMDATA\E6DB66\ISE6D_2229.EXE

  28. Using Information from the MFT
     Exporting the Windows Registry Hives
     Most hives live in %SystemRoot%\System32\Config (HKCU and HKU are backed by NTUSER.DAT in each user profile).
     Tools such as RegRipper and Windows Registry Recovery can be used for further analysis based on the facts discovered.
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     "Internet Security Suite"="\"C:\ProgramData\e6db66\ISe6d_2229.exe\" /s /d"
     Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx

  29. Using Information from the MFT
     Recovering Deleted Files with VSS
     FTK Imager can export a deleted file if its clusters have not been overwritten.
     The Microsoft Volume Shadow Copy Service (VSS) is another option: mount a shadow copy as a directory and copy the file out (the trailing backslash on the device path is required).
     mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
     Reference: Mugherini, Timothy (2010). Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html

  30. Using Information from the MFT
     Hashes Are Your Friend
     Once suspect files are found, export their hashes and check them against online resources:
       - NIST National Software Reference Library
       - SANS ISC Hash Database
       - Team Cymru Malware Hash Registry
     FTK Imager and other Windows tools can hash individual files, but what if you want to hash every file on a drive or volume?
     http://md5deep.sourceforge.net/
     md5deep.exe -r C:\ > hash_drive.txt

  31. The Trouble with Facts...
     "The trouble with facts is that there are so many of them." - Samuel McChord Crothers

  32. File_Name Attributes Can Change
     Manipulating $FILE_NAME Attributes

  33. Hope Is Not Lost
     How can we Detect Attribute Manipulation?
     Some possibilities:
       - Recent Documents and Programs (if not disabled)
       - System events (e.g. a system time change)
       - Prefetch differences
       - Differences between the $SI and $FN attributes
       - $SI MACE times whose sub-second part is exactly zero (NTFS records 100-nanosecond ticks; tools that set times from a human-readable string write whole seconds)
     New features in analyzeMFT.py (v1.5):
       - Now reports microseconds for all time attributes
       - -a (anomaly detection) adds two columns:
         std-fn-shift: Y = $FN create time is after the $SI create time
         usec-zero: Y = $SI create time has usec = 0
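To make the MFT structure from the "Everything is a File" and "0x46494c45" slides and the two analyzeMFT anomaly checks above concrete, here is an added Python example; it is not code from the talk and not analyzeMFT itself. It parses one raw 1024-byte FILE record (header, update sequence fixups, the resident $STANDARD_INFORMATION and $FILE_NAME attributes), converts the FILETIME values, and flags std-fn-shift and usec-zero. Because it has to run offline, the records are constructed by a builder in the same script; the file name is the one from the deck, the "real" time reuses the VirusTotal first-seen stamp, and the backdated time, record numbers and parent reference are made up for the demo.

```python
"""Parse a raw NTFS MFT FILE record and run the two $SI/$FN anomaly checks."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(rec):
    """Undo the update sequence array: restore the last 2 bytes of each 512-byte sector."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    """Return header fields, $STANDARD_INFORMATION and every $FILE_NAME of one record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", rec, 16)
    out = {"record": struct.unpack_from("<I", rec, 44)[0], "seq": seq,
           "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "fn": []}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                        # resident attribute
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + csize]
            if atype == STANDARD_INFORMATION:
                ft = struct.unpack_from("<4Q", body, 0)  # C, M, E (MFT), A
                out["si_ft"] = ft
                out["si"] = dict(zip("cmea", map(filetime_to_dt, ft)))
            elif atype == FILE_NAME:
                parent, *ft = struct.unpack_from("<5Q", body, 0)
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                out["fn"].append({"name": name, "parent": parent & 0xFFFFFFFFFFFF,
                                  **dict(zip("cmea", map(filetime_to_dt, ft)))})
        off += alen
    return out


def anomalies(parsed):
    """The two checks analyzeMFT -a reports, applied to one parsed record."""
    flags = []
    if any(fn["c"] > parsed["si"]["c"] for fn in parsed["fn"]):
        flags.append("std-fn-shift")   # $FN birth later than $SI birth: $SI was backdated
    if parsed["si_ft"][0] % 10_000_000 == 0:
        flags.append("usec-zero")      # whole-second $SI birth time: timestomp-style write
    return flags


def build_record(record_number, si_times, name, fn_times, parent=5):
    """Constructed 1024-byte MFT record for the demo; not taken from a real volume."""
    def attr(atype, body):
        pad = -(24 + len(body)) % 8
        hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(body) + pad,
                          0, 0, 24, 0, 0, len(body), 24, 0, 0)
        return hdr + body + b"\0" * pad
    si = struct.pack("<4Q", *map(dt_to_filetime, si_times)) + b"\0" * 40
    fn = struct.pack("<5QQQIIBB", parent, *map(dt_to_filetime, fn_times),
                     0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = attr(STANDARD_INFORMATION, si) + attr(FILE_NAME, fn) + struct.pack("<II", END_MARKER, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                      56 + len(attrs), 1024, 0, 3, 0, record_number)
    usn = b"\x07\x00"
    rec = bytearray((hdr + usn + b"\0" * 6 + attrs).ljust(1024, b"\0"))
    for i in (1, 2):                                 # write the fixups like NTFS does
        end = i * 512 - 2
        rec[48 + 2 * i:48 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


# Constructed sample data: REAL reuses the VirusTotal first-seen stamp from the deck.
REAL = datetime(2010, 11, 14, 1, 20, 29, 123456, tzinfo=timezone.utc)
FAKE = datetime(2009, 1, 1, tzinfo=timezone.utc)    # backdated, whole seconds
CLEAN = build_record(1000, (REAL,) * 4, "ISe6d_2229.exe", (REAL,) * 4)
STOMPED = build_record(1001, (FAKE,) * 4, "ISe6d_2229.exe", (REAL,) * 4)

if __name__ == "__main__":
    for rec in (CLEAN, STOMPED):
        p = parse_record(rec)
        print(p["record"], p["fn"][0]["name"], "SI-C", p["si"]["c"],
              "FN-C", p["fn"][0]["c"], anomalies(p) or "no anomalies")
```

Feed `parse_record` the 1024-byte slices of an exported $MFT and you get the same $SI/$FN comparison analyzeMFT performs; the fixup check matters on real data because a record whose sector-end bytes do not match the update sequence number was torn mid-write and its timestamps should not be trusted. The example omits non-resident attributes and the extra 2009-era $SI fields, which are not needed for the timestamp comparison.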
  34. Summary
     An Answer to a Question Might be Another Question
     This is one forensic technique (timeline analysis) that focuses on one object ($MFT) in one layer (metadata) of one type of file system (NTFS) during one type of malware analysis (static) that is typically done during one phase (Detection & Analysis) of incident response.
     It is something you can add to your incident response and malware analysis toolkit.
     It may be necessary to correlate and verify your results with other methods and tools. Tools such as log2timeline can build "super timelines" that combine many artifact sources, making it even easier to reconstruct malicious activity on a system.

  35. Go Forth and Prosper
     Additional Resources and Tools
     Additional Resources
       - Lenny Zeltser: Combating Malicious Software
       - NIST Special Publication 800-61: Computer Security Incident Handling Guide
       - NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling
       - NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
       - Reversing Malware Blog
       - SANS Computer Forensics & Incident Response Blog
       - SANS Reading Room (too many great papers to mention: check the Forensics, Incident Response, and Malware Analysis categories)
       - Windows Incident Response Blog
     Books
       - Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
       - Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress.
     Tools
       - analyzeMFT
       - FTK Imager Lite
       - md5deep
       - Prefetch Parser
       - RegRipper
       - Windows Registry Recovery

  36. Questions
     Please Be Gentle

  37. Internet Control Message Protocol
     Feel Free to Ping Me
     Tim Mugherini
     http://securitybraindump.blogspot.com
     tmugherini@gmail.com
     @bug_bear
     irc://freenode (as Bugbear)
