Friday, 29 June 2012

Timelines for Live Response

Life has been incredibly busy of late, and maybe it's just this time of year, but finding time to write on this blog is proving increasingly difficult. I'll try to give my readers something new as often as I can.

I mentioned in some of my previous posts that I'm interested in scripting the work we've done before, and in particular in investigating live machines rather than doing offline analysis, a flexibility I'm sure many analysts don't always have. My methods use open-source or freely available tools, as I don't have access to the more advanced forensic suites some of you may use.

Here is a summary of the tools I'll be using in this tutorial: The Sleuth Kit (fls) to build a body file, the timeline tools from Harlan Carvey's Windows Forensic Analysis Toolkit (bodyfile, pref, regtime and parse), RegRipper (rip) to parse registry hives, and HoboCopy to copy the locked hive files out of a Volume Shadow Copy. They live in the tsk, tln, rr and hob folders shown below.

To start your batch script, create a new text file and rename its extension from .txt to .bat. This is the simplest approach to scripting and all we need at this point to demonstrate building a timeline from a live system. I've created a new directory on my computer and, within that directory, a folder for the tools we'll be using. For now I'll add my base script to the root of this new folder. Finally, I've created an output folder alongside it to store the output of the script once it's executed.
  • Root
    • Tools
      •  hob
      •  rr
      •  tln
      •  tsk
    • Output
To start my script I want to create a body file using TSK. I initially tried to complete this task with FTK Imager; however, from what I've seen, you can only use its command line to create a directory listing when you have an offline image. You can also use FTK Imager to image a remote machine if you combine it with a tool such as F-Response. As I mentioned above, I don't have access to tools like those, so we'll make use of what we have. Using TSK, and in particular fls, let's see how we can create a directory listing.

.\tools\tsk\fls -r -m C:/ \\.\C: > .\output\tsk-bodyfile.txt
.\tools\tln\bodyfile.exe -f output\tsk-bodyfile.txt -s %COMPUTERNAME% >> output\events.txt

The first command runs fls against the raw C: volume (\\.\C:, which requires administrator rights) and asks it to produce a body file: -m C:/ selects mactime body-file output with C:/ prefixed to every path, and -r recurses into directory entries. Because fls parses the volume's file system structures directly rather than opening each file through the Windows API, listing the files does not update their last-access times. This command will take a number of minutes to execute, and considerably longer the larger the drive you're investigating. The second command runs the bodyfile timeline tool, which converts the body file into TLN events (one line per timestamp, tagged with the system name from -s) and starts our events file.
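To show what the conversion in the second command actually does, here is an added example (my own code, not the original post's script or Harlan Carvey's bodyfile tool) that turns TSK body-file lines into five-field TLN events. It assumes the TSK 3.x body-file layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds) and uses "FILE" as the TLN source name; the sample lines, the LAB-PC system name and the exact description format are constructed for illustration, so the real tool's output will differ in detail.

```python
from collections import defaultdict

# Constructed sample of "fls -r -m C:/" body-file output (not from a real system).
# TSK 3.x body-file fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# with every timestamp in Unix epoch seconds. The last line is deliberate garbage.
SAMPLE_BODYFILE = """\
0|C:/WINNT/system32/evil.dll|12345-128-1|r/rrwxrwxrwx|0|0|40960|1340950000|1340950000|1340950000|1340950000
0|C:/WINNT/Prefetch/EVIL.EXE-1A2B3C4D.pf|12350-128-1|r/rrwxrwxrwx|0|0|8192|1340950120|1340950060|1340950060|1340950060
0|C:/Documents and Settings/bob/NTUSER.DAT|9876-128-1|r/rrwxrwxrwx|0|0|262144|1340900000|1340953000|1340953000|1330000000
garbage line that fls would never emit
"""

# Body-file timestamp column -> MACB letter (M=modified, A=accessed, C=MFT entry changed, B=born/created)
TIME_FLAGS = (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B"))


def parse_bodyfile(text):
    """Parse body-file lines into dicts, skipping anything that is not an 11-field record."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("|")
        if len(fields) != 11:
            continue
        try:
            records.append({
                "name": fields[1],
                "size": int(fields[6]),
                "atime": int(fields[7]),
                "mtime": int(fields[8]),
                "ctime": int(fields[9]),
                "crtime": int(fields[10]),
            })
        except ValueError:
            continue  # non-numeric size or time: not a body-file record
    return records


def bodyfile_to_tln(text, system, user=""):
    """Convert a body file to TLN lines: time|source|system|user|description.

    Each file yields one event per distinct timestamp value; timestamps that are
    equal are merged into a single event whose MACB string shows which of the four
    it covers (e.g. "MACB" for a freshly created file, ".A.." for an access only).
    """
    events = []
    for rec in parse_bodyfile(text):
        by_time = defaultdict(list)
        for key, flag in TIME_FLAGS:
            if rec[key] > 0:  # TSK emits 0 for a timestamp the file system does not carry
                by_time[rec[key]].append(flag)
        for ts in sorted(by_time):
            macb = "".join(flag if flag in by_time[ts] else "." for _, flag in TIME_FLAGS)
            events.append(f"{ts}|FILE|{system}|{user}|{macb} [{rec['size']}] {rec['name']}")
    return events


if __name__ == "__main__":
    for line in bodyfile_to_tln(SAMPLE_BODYFILE, "LAB-PC"):
        print(line)
```

Merging equal timestamps is what keeps the events file readable: a file dropped on the box and never touched again appears once as "MACB", while a later access shows up as a separate ".A.." event on the same path.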

It's debatable whether the next step should actually be completed first: every tool we execute on the live system creates a new prefetch entry of its own, and since Windows XP keeps at most 128 .pf files, running many tools risks evicting the older prefetch files that record what the attacker ran. I'd also add that, where possible, you should send the output to a USB drive connected to the workstation or to a network location, so that as little as possible is written to the volume you're investigating. In my case, purely for demonstration purposes, I'll be writing the script's output directly to the machine I'm investigating.

I run the pref tool from the WFAT timeline tools to dump the prefetch files from the Windows prefetch folder. In this case my Windows install location is C:\WINNT, but it may be different in your circumstances; using %SYSTEMROOT%\Prefetch, as the HoboCopy commands below do for the hive path, avoids hard-coding it.

.\tools\tln\pref.exe -d C:\WINNT\prefetch -t -s %COMPUTERNAME% >> .\output\events.txt

In order to run RegRipper or other tools against the registry, we need to work on offline copies of the hives rather than the live hives, which Windows holds open and locked so an ordinary copy fails. I found a tool that allows me to do this called HoboCopy. HoboCopy copies files out of live system folders to a directory of my choice; its website explains that it does this by creating a Volume Shadow Copy Service (VSS) snapshot and copying the file from the snapshot, which gives a consistent copy of a file that is in use. To get a copy of the system hives I execute the following commands (source directory, destination directory, file name):

.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output default
.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SAM
.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SECURITY
.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SOFTWARE
.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SYSTEM

To gather a copy of the user hives we first need to know which accounts are actually on the system. I created a FOR loop that iterates over the profile directories under "Documents and Settings" and, for each one it finds, uses HoboCopy to grab a copy of that user's NTUSER.DAT. If you're on Windows Vista or 7 you'll want to change this to the Users folder instead. The code is as follows (/ad restricts the listing to directories, so stray files in the profiles folder are not treated as accounts).

FOR /F "tokens=*" %%G IN ('dir /b /ad ^"C:\Documents and Settings\*^"') DO .\tools\hob\hobocopy.exe "c:\Documents and Settings\%%G" .\output\hives\%%G NTUSER.DAT

At this point we have a copy of each of the hive files we'd like to investigate. I now want to run RegRipper against each of the user hives I've collected, and regtime against the same hives to add their key LastWrite times to the events file.

FOR /F "tokens=*" %%G IN ('dir /b /ad ^"C:\Documents and Settings\*^"') DO (
 .\tools\rr\rip.exe -r .\output\hives\%%G\NTUSER.DAT -f ntuser >> output\rr-ntuser-%%G.txt
 .\tools\tln\regtime.exe -r .\output\hives\%%G\NTUSER.DAT -u %%G -s %COMPUTERNAME% >> output\events.txt
 .\tools\rr\rip.exe -r .\output\hives\%%G\NTUSER.DAT -p userassist_tln -u %%G >> output\events.txt
 .\tools\rr\rip.exe -r .\output\hives\%%G\NTUSER.DAT -p autorun >> output\rr-autorun-%%G.txt
)

I decided to produce both the timeline output and the standard RegRipper report, as it can be useful to review both. The method we're using here is the "kitchen sink" approach to timelining, which on any normal computer will produce a huge amount of information, most of which we won't be interested in. It's up to us as analysts to clip that data down to something meaningful to the investigation. At this point I'm only showing how to collect the information; you may want to exclude or add commands for your own purposes and to narrow the data to what your investigation needs.

The next step is to run RegRipper against the system hives we copied earlier, using the matching profile for each hive:

.\tools\rr\rip.exe -r .\output\default -f default >> .\output\rr-default.txt
.\tools\rr\rip.exe -r .\output\SAM -f SAM >> .\output\rr-sam.txt
.\tools\rr\rip.exe -r .\output\SECURITY -f SECURITY >> .\output\rr-security.txt
.\tools\rr\rip.exe -r .\output\Software -f SOFTWARE >> .\output\rr-software.txt
.\tools\rr\rip.exe -r .\output\System -f SYSTEM >> .\output\rr-system.txt

The above creates individual report files, so you'll also want to run regtime against the same hives to add their key LastWrite times to the events file, with -m giving the prefix under which each hive's keys are reported.

.\tools\tln\regtime.exe -m HKLM\default -r .\output\default >> output\events.txt
.\tools\tln\regtime.exe -m HKLM\Sam -r .\output\sam >> output\events.txt
.\tools\tln\regtime.exe -m HKLM\Security -r .\output\security >> output\events.txt
.\tools\tln\regtime.exe -m HKLM\Software -r .\output\software >> output\events.txt
.\tools\tln\regtime.exe -m HKLM\System -r .\output\system >> output\events.txt


Unfortunately the above adds a large amount of noise to our output and events files, so you'll need to decide what is beneficial to your investigation. Finally we run parse to sort the events file and write it out as the CSV timeline we'll use for the investigation.

.\tools\tln\parse.exe -f .\output\events.txt -c > .\output\timeline.csv

The parse command also offers a -r option that restricts the output to a range of dates. This can clip the data considerably, but it obviously requires a reasonable idea of when the incident occurred, and anything an attacker did outside the window is simply not shown.
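To show what the last two steps do with the events file, here is an added example (my own code, not the original post's script or Harlan Carvey's parse tool) that reads five-field TLN lines, drops malformed ones, sorts by time, optionally keeps only the events within a range of days, and writes a CSV with a human-readable UTC column. The sample events, the LAB-PC system name and the YYYY-MM-DD range syntax are my assumptions for illustration and not the real tool's own option format.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed TLN events (not from a real system): time|source|system|user|description.
# Deliberately out of order and with one malformed line, as a real events.txt may be
# after several tools have appended to it.
SAMPLE_EVENTS = """\
1340953000|REG|LAB-PC|bob|M... HKCU/Software/Microsoft/Windows/CurrentVersion/Run
1340950000|FILE|LAB-PC||MACB [40960] C:/WINNT/system32/evil.dll
1330000000|REG|LAB-PC||M... HKLM/Software/Microsoft/Windows/CurrentVersion/Run
1340950060|PREF|LAB-PC||EVIL.EXE-1A2B3C4D.pf last run
this line is not a TLN event
"""


def parse_tln(text):
    """Parse TLN lines into dicts, skipping malformed lines.

    The description is the fifth field and may itself contain '|', so the line is
    split at most four times and everything after the fourth bar is kept intact.
    """
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        events.append({"time": int(parts[0]), "source": parts[1], "system": parts[2],
                       "user": parts[3], "desc": parts[4]})
    return events


def day_to_epoch(day):
    """'YYYY-MM-DD' (taken as UTC) -> epoch seconds at 00:00:00 of that day."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())


def filter_events(events, start=None, end=None):
    """Return events with start <= day <= end (both days inclusive), sorted by time.

    With no range given, every event is returned, still sorted.
    """
    lo = day_to_epoch(start) if start else None
    hi = day_to_epoch(end) + 86400 if end else None  # end day is inclusive
    kept = [e for e in events
            if (lo is None or e["time"] >= lo) and (hi is None or e["time"] < hi)]
    return sorted(kept, key=lambda e: e["time"])


def fmt_utc(ts):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC, which is how TLN times are stored."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def tln_to_csv(text, start=None, end=None):
    """Return CSV text with a readable UTC time in front of the original TLN fields."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["time_utc", "epoch", "source", "system", "user", "description"])
    for e in filter_events(parse_tln(text), start, end):
        writer.writerow([fmt_utc(e["time"]), e["time"], e["source"], e["system"],
                         e["user"], e["desc"]])
    return out.getvalue()


if __name__ == "__main__":
    # Full timeline, then the same events clipped to a single day of interest
    print(tln_to_csv(SAMPLE_EVENTS))
    print(tln_to_csv(SAMPLE_EVENTS, "2012-06-29", "2012-06-29"))
```

Keeping the epoch value alongside the formatted time preserves sortability when the CSV is filtered further in a spreadsheet, and parsing the description with a bounded split avoids silently truncating registry paths or file names that happen to contain a bar.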

We now have a batch file that can be modified to run against a remote system using a tool such as PsExec from Microsoft Sysinternals. It would need some modification for this to work, but it's a simple task: the script would copy our tools and folder structure to the remote computer, execute there, and finally zip the output files and copy them back to our investigation system.

Combined with many of the other common forensic tools, this script would provide a solid foundation for live response and some degree of assurance that a machine is either infected or clean. At this point I believe being able to run RegRipper against a live machine is beneficial; whether the timeline component of this script is, I'm not sure. In terms of live response there are most likely better ways to investigate the state of a system that require less work to analyse than the above.

I hope this is of benefit to some of you.