Monday, 21 January 2013

SANS Forensic Artifact 7: Last Visited MRU

Welcome to 2013. I was fortunate to have some free time towards the end of last year which allowed me to catch up on some of my side projects such as the Malware Domain List script. Overall I had a great response from the community in regards to this script. I think a number of features and improvements could be made to it for added functionality and usability so I'll aim to get back to it at some stage soon.

Yesterday I found myself sitting in front of some ISA web proxy logs that were stored in the W3C format. My first thought is that I'd used Log Parser to do some initial analysis however I wondered what quick wins I might have if I tested my MDL parser over the log file. Surprisingly there were no errors and the tool ran successfully the first time. While I'd need to do some further testing to confirm that it discovered all the URLs it took me less than five minutes to run and provided me with some instant results. Although in this instance none were significant in terms of pivot points it was certainly worth the small effort I put in to achieve a result.

Harlan has recently asked "How well do you know what your tools do for you?" for which he's received a variety of responses. It's a great question and one of the reasons I'm doing the SANS artifact blog series is to understand my tools and the underlying dataset. One way to know your tools is to code your tools. In order to code your tool you'll need to have at least a basic understanding of underlying data set / artifact and most likely view and understand its raw format. Once you understand the data set I think its also beneficial to put some thought into potential pivot points for that data set. If you need to analyse that artifact in the future what could assist you with identifying quick wins in your investigation. In saying that I'll attempt to identify pivot points in the SANS artifacts I write about from this point onwards in the hope that it will assist myself or others in the future.

For anyone that is not I aware I've created a Twitter account @sploited which you may wish to follow. There are a number of interesting conversations on Twitter and I encourage people to get involved. In saying that lets move on with the artifact. SANS lists the following information within the poster.

Description:
Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application.

Example: 
Notepad.exe was last run using the
C:\Users\<Username>\Desktop folder
Location:
XP NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation:
Tracks the application executables used to open OpenSaveMRU and the last file path used.

We've previously covered the SANS Forensic Artifact 1: Open/Save MRU and this artifact is really a continuation of where we finished with Artifact 1. As per the description listed this key tracks the executable that was used to open the files identified in the OpenSaveMRU key. I decided to go back to my original theory of creating two text files again (although I only really needed one) that I'd open through the Open/Save window. Once again to ease my investigation I created a quick script that I could use to parse my live ntuser.dat file and compare results. At this point I'm using an older Windows XP test machine for this analysis. The script is as follows


 FOR /F "tokens=*" %%G IN ('dir /b ^"C:\Documents and Settings\*^"') DO .\tools\hob\hobocopy.exe "c:\Documents and Settings\%%G" .\hives\%%G NTUSER.DAT  
 ::***************************************  
 ::Parse ntuser.dat using RegRipper  
 ::***************************************  
 FOR /F "tokens=*" %%G IN ('dir /b ^"C:\Documents and Settings\*^"') DO (  
      .\tools\rr\rip.exe -r .\hives\%%G\NTUSER.DAT -f ntuser >> output\rr-ntuser-%%G.txt  
 )  

I created two files in C:\temp\SANS LastVistedMRU named SANS LastVisitedMRU Test File *.txt where * is the number 1 and 2. I ran the script above to dump my hive and analyse with RegRipper. As expected I received the following results.


The above results have been clipped just to show the necessary artifacts. I decided to do a word search of the RegRipper output for both the folder name and the text file name. What I found interesting was the affect that I'd had on other artifacts in the registry just by doing the small amount of actions on this system. Listed below is the output of that search

 comdlg32 v.20110901  
 (NTUSER.DAT) Gets contents of user's ComDlg32 key  
 comdlg32 v.20110901  
 Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32  
 LastWrite Time Thu Mar 15 01:18:21 2012 (UTC)  
  MRUList = aygdxjewvoqtursfplicnmkbh  
  a -> EXE: notepad.exe  
   -> Last Dir: C:\temp\SANS LastVistedMRU  
 OpenSaveMRU\*  
 LastWrite Time: Mon Jan 21 23:44:27 2013 Z  
  MRUList = edagchijfb  
  e -> C:\temp\SANS LastVistedMRU\SANS LastVisitedMRU Test File 2.txt  
  d -> C:\temp\SANS LastVistedMRU\SANS LastVisitedMRU Test File 1.txt  
 OpenSaveMRU\txt  
 LastWrite Time: Mon Jan 21 23:44:27 2013 Z  
  MRUList = gbifhadcje  
  g -> C:\temp\SANS LastVistedMRU\SANS LastVisitedMRU Test File 2.txt  
  b -> C:\temp\SANS LastVistedMRU\SANS LastVisitedMRU Test File 1.txt  
  Recentdocs v.20100405  
 (NTUSER.DAT) Gets contents of user's RecentDocs key  
 RecentDocs  
 **All values printed in MRUList\MRUListEx order.  
 Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs  
 LastWrite Time Mon Jan 21 23:51:22 2013 (UTC)  
  87 = SANS LastVistedMRU  
  18 = SANS LastVisitedMRU Test File 2.txt  
  85 = SANS LastVisitedMRU Test File 1.txt  
 Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt  
 LastWrite Time Mon Jan 21 23:51:22 2013 (UTC)  
 MRUListEx = 6,2,3,4,5,7,1,8  
  6 = SANS LastVisitedMRU Test File 2.txt  
  2 = SANS LastVisitedMRU Test File 1.txt  
 Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder  
 LastWrite Time Mon Jan 21 23:51:22 2013 (UTC)  
 MRUListEx = 1,0,9,8,6,7,4,3  
  1 = SANS LastVistedMRU   

Again I've clipped the results to the artifacts of interest. Recently Harlan posted about an Analysis Matrix where he discusses adding event categories to artifacts so that we can add additional context to our investigation or additionally assist with clipping our timelines so they only contain artifacts which relate to a particular category. This got me thinking about creating a "matrix" or "mapping" of the affect that events have on other artifacts within a system. Harlan additional mentions that the presence or the lack of an artifact can be an artifact in itself. To explain I thought I'd look at the incident above where I've completed the following actions:
  1. Created a new folder on my workstation
  2. Created two (2) new text files
  3. Opened notepad
  4. File -> Open and opened the two files created in step 2.
In this particular instance the following artifacts have been created / modified

# File Open/Save (# is the appropriate file extension)
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\#
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.#
    ->  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    ->  UserAssist - UEME_RUNPIDL:%csidl2%\Accessories\Notepad.lnk
    ->  B...  C:/Documents and Settings/username/Start Menu/Programs/Accessories/Notepad.lnk
    ->  B... C:/Documents and Settings/username/Recent/SANS LastVistedMRU.lnk 
    ->  NOTEPAD.EXE-3328480B.pf last run (1068)
    ->  M... .//Software/Microsoft/Notepad

By no means is the list above a definitive list and I also believe that it needs some further thought in order to shape it into something usable such as the SANS Forensic Poster.

I put some thought in to how you might automate the discovery of potential pivot points with this category however again it is most likely determined by the incident at hand. For example you might want to understand whether any of the files opened / saved contained a keyword such as credit card number or other sensitive business knowledge. There are a number of ways of doing this however when reviewing just the output above you may do something like the following:
  1. Create a script that parses the output above identifying files or directories
  2. Based on the files found above automatically conduct keyword search across each of the files
  3. Conduct an md5 search of the files identified to see whether a match is found for a file provided by your customer
  4. Produce an output file containing the files discovered that contained the keyword so you can review at a later stage

The advantage is that you're only analysing a subset of data which could mean that you'll have results much sooner. Of course you could do this across a complete forensic image but that might take hours before you achieve results. Something such as the above would certainly be
      a) fairly simple to create and
      b) require minimal effort to execute quickly
      c) identify pivot points for additional analysis and
      d) potentially clip your timeline to something more manageable.

Its not going to work in every scenario but what you're trying to do is to identify quick wins with minimal effort.


[1] http://computer-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru/
[2] http://windowsir.blogspot.com.au/2013/01/there-are-four-lights-analysis-matrix.html