Sunday, 29 April 2012

Forensic Timeline for beginners - Part 1

Up until this point the tutorials have been fairly basic and definitely at the beginner level. Although this next post will also be at a beginner level we will start to dive a little deeper into the technology and some of the tools we have at hand to begin creating our forensic timelines. One of the areas I'm interested in is how to create a forensic timeline from a live system as well as an offline system, where an offline copy of the computer is provided as a hard drive. So throughout this tutorial the tools and the techniques I use will be ones that work for both offline and live analysis with a view to scripting our techniques within batch files and other scripting languages.

To begin with, if you're interested in following along with this tutorial, I've grabbed a copy of a compromised workstation which has kindly been provided by the ForensicKB blog. Everything you'll need to get started is available here.

The first step of creating a forensic timeline varies greatly and depends much on the initial information you've been provided. Harlan Carvey, author of the Windows Forensic Analysis Toolkit books, recommends creating a timeline based on the 'minimalist approach', which allows the analyst to build their timeline layer by layer. Other analysts prefer the 'kitchen sink' method, as Harlan describes it, where an analyst dumps as much information as possible into the forensic timeline. As we'll be using many of Harlan's tools we'll be building our timeline by layers, but still providing a large amount of information in our initial timeline dump. Let's start with generating an output file for the file system metadata.

For the majority of this tutorial we'll be using the timeline tools provided by Harlan here.

There are a number of ways we can do this and I'm going to go through two for the purpose of this tutorial. The first method, although not my chosen method, is using FTK Imager to produce a directory listing of our acquired image. We can load the downloaded image into FTK Imager, which we should have some familiarity with after the previous introduction.

Select the File menu and then select 'Add Evidence Item'. Next select 'Image File', press Next and locate the image file you downloaded above by selecting the Browse button. Once you've selected your image press the 'Finish' button. By now you should see your forensic image and the contents of the drive listed underneath the Evidence Tree (expand the nodes to see the directories).

Highlight WinXP2.E01 underneath the evidence tree and then select the File menu again. Select the option 'Export Directory Listing' and save the output file to a location of your choice on your computer. On my computer this took five seconds to produce the output.

Now the reason why this method is not my chosen method is because although I can use this tool on a live system, to provide a directory listing, I'm unable to run it remotely on a live system automatically via a batch script. There are options however to script FTK Imager on a local forensic image which you should keep in mind when you have a hard drive to conduct investigations upon. There are additional tools that can assist running FTK against remote drives such as F-Response tools but these do come at a cost and I do not have experience in using those tools.

At this point I'd like to deviate slightly and walk through a second feature of FTK that we'll be using later in the tutorial. FTK has an ability to mount a drive to a drive letter on your computer. As we have a local image of the workstation we are investigating we can now mount this drive to a drive letter on our computer. What does this achieve? Well by doing this it allows us to run some of the timeline scripts later down the track against our mounted drive. To mount the drive within FTK select the File menu and then Image Mounting. If not already listed point the image location to your image file. See the following settings for assistance with mounting your own drive.

Let's move on and discuss the second method we have for producing a directory listing of our file system metadata.

The second method we have of producing our directory listing is using The Sleuth Kit toolset, or TSK for short, available here. In particular we'll be using the fls component to create our output file, or more specifically our bodyfile. After you've downloaded the tools, extract them to a location of your choice and navigate to the folder location using the command prompt. Run the following command to produce your output file.

 fls -i ewf -r -p -m C:/ "<Path-To-Image>\WinXP2.E01" > bodyfile.txt  

The -i ewf option is used because the downloaded image is in EnCase (EWF) format, and we've asked fls to recurse on directory entries (-r), display the full path for each file (-p) and display output in mactime input format with dir/ as the actual mount point of the image (-m). In this case for the -m option we've selected C:/ as the root of our path.

The format of the bodyfile must be converted to TLN format before we can include this within our timeline. Fortunately Harlan has provided us with the tools to do this for us very easily. He has also provided the tools we need to convert FTK directory listing output.

Run the following command from the command prompt to convert the bodyfile to TLN. In the following command, -s specifies the computer name.

 bodyfile.exe -f <Path-To-Bodyfile>\bodyfile.txt -s REG-OIP81M2WC8 > events.txt  

In this case we've sent our output to the events file. We'll send a number of sources to this events file before converting it to our final timeline csv file.
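As an added example (not the page's own commands and not Harlan's bodyfile.exe), the following Python approximates the two conversions this procedure performs: turning an fls bodyfile into TLN events (time|source|system|user|description) tagged with the computer name given to -s, and rendering the accumulated events file as a chronologically sorted CSV. The bodyfile lines are constructed sample data, and the "[size] path" description is this example's own convention.

```python
"""Convert a TSK bodyfile into TLN events and render a sorted timeline CSV.

Added example: approximates the bodyfile -> TLN -> CSV steps described above;
it is not Harlan Carvey's bodyfile.exe and its description format is its own.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: two fls bodyfile lines in TSK 3.x format
# (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), paths as -m C:/ produces.
SAMPLE_BODYFILE = """\
0|C:/WINDOWS/Prefetch/NOTEPAD.EXE-DEADBEEF.pf|12345-128-1|r/rrwxrwxrwx|0|0|8144|1335628800|1335628800|1335628800|1335621600
0|C:/WINDOWS/system32/config/SecEvent.Evt|9876-128-3|r/rrwxrwxrwx|0|0|65536|1335700000|1335699000|1335699000|1300000000
"""


def bodyfile_to_tln(text, server, user=""):
    """Return TLN lines for each bodyfile entry, source 'FILE', system = server.

    Identical timestamps are merged into one event whose MACB flags show which of
    modified/accessed/changed/born it covers, e.g. 'MAC.' or '...B'.
    """
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 11:
            continue  # blank or malformed line: skip rather than guess
        name, size = fields[1], fields[6]
        stamps = {"M": fields[8], "A": fields[7], "C": fields[9], "B": fields[10]}
        by_time = {}
        for flag, ts in stamps.items():
            by_time.setdefault(int(ts), set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append(f"{ts}|FILE|{server}|{user}|{macb} [{size}] {name}")
    return events


def tln_to_csv(tln_lines):
    """Sort TLN events by epoch time and render them as CSV with UTC timestamps."""
    rows = []
    for line in tln_lines:
        ts, source, system, user, desc = line.split("|", 4)
        when = datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((int(ts), when, source, system, user, desc))
    rows.sort()
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Time (UTC)", "Source", "System", "User", "Description"])
    writer.writerows(r[1:] for r in rows)
    return out.getvalue()


if __name__ == "__main__":
    print(tln_to_csv(bodyfile_to_tln(SAMPLE_BODYFILE, "REG-OIP81M2WC8")))
```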

As we mounted our image using FTK Imager in the prior steps, we can now run other timeline tools against the mounted drive to add event sources to our events file. Let's walk through some of the other events of interest. In the following examples you'll notice that we output to the events file using '>>', which means that we want to append our command output to the contents already within the events file. In doing this we add events to our file instead of overwriting what is already there, which is what a single '>' would do.

Use the following commands to add more events to your events file.

Windows event logs

 evtparse.exe -d <MountLetter>:\WINDOWS\system32\config -t >> events.txt

Prefetch files

 pref.exe -d "<MountLetter>:\WINDOWS\Prefetch" -s REG-OIP81M2WC8 -t >> events.txt  

At this point we have an initial events file which includes file system metadata, Windows event logs and Windows prefetch files.

If we track back at this point to the initial case description, it mentions that the user noticed the computer was responding in an unusual manner and that support had seen a number of active connections via the Windows netstat command. What we need to identify is how those connections are created and which process could potentially be creating them.

There are a number of ways malware maintains persistence such as, but not limited to, the following:
  • Registry keys
  • Services
  • DLL search order hijacking
  • Rootkits
  • Scheduled tasks

We can gather a large amount of this information from the registry keys stored within the system and add those events to our timeline. Although we have a number of areas that we could begin to investigate already, I believe we might have some quick wins by first looking at these areas of persistence. If we're lucky enough to find something abnormal in the persistence locations, this will assist us with clipping our timeline to more specific information.

At this point we need to move onto RegRipper to gather this information and add it to our timeline. In Part 2 of this tutorial I'll be discussing how we do that and will provide further information on which RegRipper plugins we can use to gather this information.

I hope you've enjoyed Part 1 of the tutorial.

Thursday, 12 April 2012

Registry Hives explained

So I thought before I got started on my next tutorial on how to use RegRipper, against our image taken with FTK Imager, that I'd briefly discuss the Windows registry for Windows 2000, XP and 2003.

Windows registry hive files are stored in the %SystemRoot%\System32\Config directory, and each hive is accompanied by files with a variety of extensions. The hives are:
  • Software
  • System
  • Sam
  • Security
  • Default
  • UserDiff
The extension of each file determines the information contained within it. As highlighted on the Microsoft support page, the breakdown of the extensions is as follows:

  Extension   Description
  (none)      A complete copy of the hive data.
  .alt        A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
  .log        A transaction log of changes to the keys and value entries in the hive.
  .sav        A backup copy of a hive.

The following table shows the hives and their supporting files, as explained above:

  Registry hive                  Supporting files
  HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
  HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
  HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
  HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
  HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
  HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

Based on the above, let's take a look at the %SystemRoot%\System32\Config directory that we've extracted from the image taken in the previous post.

As you can see from the image to the left we can start to understand which hives we will be most interested in from an incident response perspective.

In the next tutorial we'll go about opening some of these hives with RegRipper and seeing what information we can gather. As mentioned in my previous post, we're currently working with a default Windows XP installation and no malware has been installed yet. Once we're familiar with the tools we can attempt to run some malware and see whether or not we can find clear indications of it based on the knowledge we've gained learning the tools.

The information I've provided today has been gained from the following Microsoft page, and it's an amazing source of information should you need anything further.

Please let me know if there are any tools you're interested in hearing about too and we can begin to look at some of them over the next few weeks.

Monday, 9 April 2012

First time FTKImager tutorial

Welcome everyone to my first blog. It's been a goal of mine to improve my skills in incident response and ethical hacking, and this will be the first of many posts as I begin that process.

For this entry I've decided to focus on FTK Imager. I've never used this software until today but felt it was a good place to start as it leads into many other tools that I'm keen to use.

Currently my lab is running from VMware Workstation. I've created one Windows XP SP3 machine contained in a host-only network with the IP address range 10.10.10.x. I've also installed Ubuntu 11.10, which is currently operating a Squid proxy. This VM has two interfaces and proxies connections out through my local network. With a limitation on hardware this is currently my best method of containment. I've also configured the SANS SIFT virtual machine, which I'll be using in later posts.

The long-term plan is to run some live malware in my lab and then use the tools I've learnt along the way to investigate what actions the malware has taken. In this case this is a clean install of Windows and currently there is no malware located on the machine.

So I began by downloading FTK Imager and installing it on my local computer. I then grabbed a copy, placed it on a USB drive and connected it to my Windows XP virtual machine. This machine currently only has a 10 GB hard drive for ease of imaging now and in the future.

Once the USB drive was connected I ran the FTKImager.exe application. Once the application loaded, I selected the option to Create Disk Image.

I selected Physical Drive as I wanted to grab the whole drive. There may be cases where you might want to grab only the Logical Drive or certain other content. If you're ever unsure you're best to take the Physical Drive. I don't believe I've ever met an investigator that complained they had too much information to deal with an incident, which is why the physical drive is always the best choice.

The virtual machine only has one hard drive, which is the first one listed in the screenshot. Select this option and press Next.

There are a number of image type outputs and for this case I selected Raw (dd). I've read a number of articles that recommend this one as providing the most flexibility, which is what I want: I may use a number of tools, so the flexibility should allow me to use any tool I'd like to learn.

The following step involves adding some information, or metadata, to the final image. Regardless of the purpose for which you are creating the image, I find you're best to be as descriptive as possible in this section. You never know when you'll come back to an image or want a reason for why it was taken, and this information should be able to provide you those details.

Finally select the image destination. In this case I've connected one of my larger hard drives with enough room to store the 10 GB image.

Once you press Finish the image creation process will begin. As my drive wasn't too large the process only took around 18 minutes, but obviously depending on the size of your hard drive it may take much longer.

When the imaging is complete you're provided with the verification results and the hashes.

In my next tutorial I'll begin by using the SANS SIFT virtual machine to open this image and begin investigating it with tools such as RegRipper and The Sleuth Kit. Once I've become familiar with these basics I'll begin running live malware and we'll investigate what has occurred.