Leveraging NTFS Timeline Forensics during the Analysis of Malware

Video of this talk can be found at mms://boston.naisg.org/media/201101Forensics.wmv


  1. Leveraging NTFS Timeline Forensics in the Analysis of Malware
     Tim Mugherini
     NAISG Boston
     January 20, 2011
  2. About Me
     Caveat: I Am Not An Expert!
  3. Some Context
     “Facts do not cease to exist because they are ignored.” - Aldous Huxley
  4. Being Prepared
     What’s in your Incident Response Toolkit?
     - Malware is becoming more sophisticated.
     - A deeper understanding of computer systems is needed.
     - File system forensics techniques are well documented but seem underutilized.
     - Analysis of the Master File Table (MFT) of the NTFS file system can be used to help establish a timeline and the location of changes to the system.
  5. Incident Response
     Where does Malware Analysis Fit In?
     - Preparation: Incident Handling Procedures, Training, Toolkits, Jump Bags, Detection & Defense Mechanisms
     - Detection & Analysis: Detect the type, extent, and magnitude of the incident. Identify the malware characteristics.
     - Containment, Eradication, & Recovery: Prevent the malware from spreading and causing further system damage. Once complete, remove the malware and restore functionality and data affected by the infection.
     - Post-Incident: Review the incident and lessons learned. Apply this to your preparation for the next incident. Retain evidence.
     Reference: National Institute of Standards and Technology (2005). SP800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
  6. Malware Analysis
     Where does File Forensics Fit In?
     Static: Analyze without executing code
     - File Analysis (i.e. location, date and times, strings, hashes)
  7. Code Analysis, Reverse Engineering (i.e. Decompiling, Disassembling)
     Dynamic: Analyze the code while it runs
     - Behavioral Analysis (i.e. processes, network connections, strings in memory)
  8. Network Packet Analysis
     Ideally you want to do both!
  9. NTFS Master File Table 101
     “Facts do not 'speak for themselves', they are read in the light of theory” - Stephen Jay Gould
  10. Everything is a File
      Overview of NTFS and the Master File Table
      - NTFS: “New Technologies File System”. Default file system of all modern versions of Windows.
      - The Master File Table (MFT) is the heart of the NTFS file system. It contains the metadata about all the files and directories on the file system.
      - Everything is a file in NTFS, including the MFT.
      - Each file and directory has at least one entry in the MFT.
      - Each MFT entry is 1024 bytes in size (defined in the boot sector), with the first 42 bytes containing 12 defined fields and the remaining space being used by attributes.
      - The MFT will expand as needed, and NTFS does NOT delete MFT entries after they have been created (even when the file is deleted).
      Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
  11. 0x46494c45
      What FILE Information can be extracted?
      - The MFT header contains a record number for each entry, a sequence number (times reused), and the parent record number (location).
      - Standard_Information attributes are the best known. Many of these attributes (MACE/MACb times, Flags) are displayed in explorer.exe when viewing the properties of a file or folder.
      - File_Name attributes contain the file name and additional MACE/MACb times (more on this in a bit).
      Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
  12. Standard_Information Attributes
      The Good, The Bad, The WTF
      The Good
      - The behavior of Windows on Standard_Information MACE times is well known
      The Bad
      - Standard_Information MACE times can easily be manipulated (i.e. Metasploit Timestomp or Unix touch)
      OK … WTF
      - Did you know file Access Times are disabled by default in Windows Vista/7?
      HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate=1
  13. Powershell: Friend or Foe?
      Manipulation of Standard_Information Dates.
      Reference: Hull, David (2009). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html
  14. Don’t Be Duped
      File_Name Attributes are not Easily Manipulated
      - File_Name Attributes initially mirror the Standard_Info Creation date
      - They do not typically get updated the way Standard_Information values do unless the file is moved or renamed.
      - Consequently, it is more difficult to manipulate File_Name Attributes (note: I did not say impossible, more on this later).
      - All attribute times need to be analyzed when using MFT Analysis.
      - Some work has been done cataloging the behavioral changes of File_Name time attributes
      Reference: Hull, David (2010) Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
  15. Thank You Rob
      MFT Attribute Behavior
      Reference: Lee, Rob T. (2010) Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
  16. Intro to Our Malware Sample
      “It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown
  17. Rogue AV Prerequisites
      There Are None
      - Up to date Windows 7 OS – No Problem!
      - No Local Admin rights – No Problem!
      - Existing Antivirus w/ current sigs – No Problem!
      - Windows Firewall hardened with GPO – No Problem!
      - IE 8 in Medium/High security mode – No Problem!
      - UAC enabled – No Problem!
      But what features do you get with your install, you ask?
  18. Rogue AV Feature Set
      Replaces Existing Antivirus without Interaction
  19. Rogue AV Feature Set
      Places Bogus Malicious Files on Your File System
  20. Rogue AV Feature Set
      Provides Protection Sopranos Style
  21. Rogue AV Feature Set
      Confused? Live Support Chat can Assist
  22. Rogue AV Feature Set
      Protects Against Analysis by Your IT Practitioner
  23. Analysis of Our Sample
      “Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams
  24. Down the Rabbit Hole
      Summary of the Rogue File/Process
      File Name: ISe6d_2229.exe
      File Type: Windows 32 bit Portable Executable
      MD5: 699ebebcac9aaeff67bee94571e373a1
      SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
      File size: 3590656 bytes
      First seen on Virus Total: 2010-11-14 01:20:29
      Last seen: 2010-11-16 15:52:22
      http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742
      My Write-Up
      http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html
  25. Grabbing the MFT
      FTK Imager Lite: Exporting the MFT
  26. Parsing the MFT
      analyzeMFT: Parse & Export Records.
  27. Analyzing the MFT
      Based on the Facts, Find the Infection Locations
  28. Leveraging the Results
      “We can have facts without thinking but we cannot have thinking without facts.” - John Dewey
  29. Using Information from the MFT
      Prefetch Parser: Parsing the Prefetch Folder
      SETUP_2229[1].EXE-11C68EE8.pf
        \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\SETUP_2229[1].EXE
      TASKKILL.EXE-8F5B2253.pf
        \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\ANPRICE=85[1].HTM
      RUNDLL32.EXE-80EAA685.pf
        \PROGRAMDATA\E6DB66\ISE6D_2229.EXE
  30. Using Information from the MFT
      Exporting the Windows Registry Hives
      - Most live in the %SystemRoot%\System32\Config directory (except HKCU & HKU, which are located in the user profiles)
      - Tools such as RegRipper & Windows Registry Recovery can be used to perform further analysis based on the facts discovered
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"
      Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
  31. Using Information from the MFT
      Recovering Deleted Files with VSS
      - FTK Imager has the ability to export deleted files if they have not been overwritten
      - Microsoft Volume Shadow Copy Service (VSS) is another option, however.
      mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
      Reference: Mugherini, Timothy (2010) Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html
  32. Using Information from the MFT
      Hashes Are Your Friend.
      - Once suspect files are found, export their hashes and leverage online resources:
        NIST National Software Reference Library
        SANS ISC Hash Database
        Team Cymru Malware Hash Registry
      - FTK Imager and other Windows tools can hash files, but what if you want to hash all files on a drive or volume?
      http://md5deep.sourceforge.net/
      md5deep.exe -r C:\ > hash_drive.txt
  33. The Trouble with Facts…
      “The trouble with facts is that there are so many of them.” - Samuel McChord Crothers
  34. File_Name Attributes Can Change
      Manipulating File_Name Attributes
  35. Hope Is Not Lost
      How can we Detect Attribute Manipulation?
      Some Possibilities
      - Recent Documents and Programs (if not disabled)
      - System Events (i.e. System Time Change)
      - Prefetch Differences
      - Differences between $SI and $FN attributes
      - $FNA MACE Times have USEC/Microseconds = 00
      New Features in analyzeMFT.py (v 1.5)
      - Now reports useconds for all time attributes
      - -a (anomaly detection) adds two columns:
        std-fn-shift: Y = $FN create time is after the $SI create time
        usec-zero: Y = $SI create time has usec = 0
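Added example, not code from the talk or from analyzeMFT: a minimal Python parser for one 1024-byte MFT FILE record that applies the update-sequence fixups, reads the header fields and the $STANDARD_INFORMATION and $FILE_NAME timestamps described on the NTFS slides above, and then evaluates the two analyzeMFT -a style flags from this slide (std-fn-shift and usec-zero). The record it parses is constructed inline (it is not a dump of a real $MFT); its layout follows Carrier's description, the file name is the sample's own, and the default timestamps are whole-second $SI create time with a later $FN create time, so both flags fire.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100 ns ticks since 1601-01-01

def filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_record(rec):
    if rec[:4] != b"FILE":                          # 0x46494c45, the signature on the slide title
        raise ValueError("not an MFT FILE record")
    rec = bytearray(rec)
    off, cnt = struct.unpack_from("<HH", rec, 4)    # update sequence array: on disk the last 2
    for i in range(1, cnt):                         # bytes of each 512-byte sector hold the USN
        if rec[i * 512 - 2:i * 512] != rec[off:off + 2]:
            raise ValueError("update sequence mismatch: torn or bogus record")
        rec[i * 512 - 2:i * 512] = rec[off + 2 * i:off + 2 * i + 2]
    seq, _links, pos, flags = struct.unpack_from("<HHHH", rec, 16)
    out = {"seq": seq, "in_use": bool(flags & 1), "record": struct.unpack_from("<I", rec, 44)[0]}
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if not nonres:
            csize, coff = struct.unpack_from("<IH", rec, pos + 16)
            body = rec[pos + coff:pos + coff + csize]
            if atype == 0x10:                       # $SI: created, modified, MFT-modified, accessed
                out["si"] = [filetime(t) for t in struct.unpack_from("<4Q", body)]
            elif atype == 0x30 and "fn" not in out: # $FN: parent ref, then the same four times
                out["fn"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 8)]
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        pos += alen
    return out

def anomalies(info):
    """The two flags the analyzeMFT -a option adds, as described on the slide."""
    return {"std-fn-shift": info["fn"][0] > info["si"][0],
            "usec-zero": info["si"][0].microsecond == 0}

def build_sample(si_ft=129341712290000000, fn_ft=129341712302345678, name="ISe6d_2229.exe"):
    """Constructed entry with only $SI and $FN; defaults: $SI create 2010-11-14 01:20:29.000 UTC, $FN 1.2345678 s later."""
    def attr(atype, body):                          # resident attribute, content at offset 24
        alen = (24 + len(body) + 7) & ~7            # attribute lengths are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
        return (hdr + body).ljust(alen, b"\0")
    si = struct.pack("<4Q", si_ft, si_ft, si_ft, si_ft) + bytes(16)
    fn = struct.pack("<5Q", 5, fn_ft, fn_ft, fn_ft, fn_ft) + bytes(24) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body = attr(0x10, si) + attr(0x30, fn) + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 7, 1, 56, 1, 56 + len(body), 1024, 0, 3, 0, 42)
    rec = bytearray((hdr + b"\x01\x00").ljust(56, b"\0") + body).ljust(1024, b"\0")
    for i in (1, 2):                                # stash real sector-end bytes in the fixup array,
        rec[48 + 2 * i:50 + 2 * i] = rec[i * 512 - 2:i * 512]   # then stamp USN 0x0001 on disk
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)
```

On a real $MFT export, feed each 1024-byte slice to parse_record; a ValueError from the fixup check is itself worth noting, since a torn or hand-crafted record is an anomaly of its own.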
  36. Summary
      An Answer to a Question Might be Another Question
      - This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phase (Detection/Analysis) of incident response.
      - It is something you can add to your Incident Response and Malware Analysis toolkit.
      - It may be necessary to correlate and verify your results with other methods and tools. Tools such as Log2Timeline are available to create Super Timelines, making it even easier to build a timeline of malicious activity on a system.
  37. Go Forth and Prosper
      Additional Resources and Tools
      Additional Resources
      - Lenny Zeltser: Combating Malicious Software
      - NIST Special Publication 800-81: Computer Security Incident Handling Guide
      - NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling
      - NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
      - Reversing Malware Blog
      - SANS Computer Forensics & Incident Response Blog
      - SANS Reading Room (Too Many Great Papers to Mention: Check the Forensics, Incident Response, and Malware Analysis Categories)
      - Windows Incident Response Blog
      Books
      - Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
      - Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress.
      Tools
      - AnalyzeMFT
      - FTK Imager Lite
      - MD5Deep
      - Prefetch Parser
      - RegRipper
      - Windows Registry Recovery
  38. Questions
      Please Be Gentle
  39. Internet Control Message Protocol
      Feel Free to Ping Me
      Tim Mugherini
      http://securitybraindump.blogspot.com
      tmugherini@gmail.com
      @bug_bear
      irc://freenode (as Bugbear)