CNIT 121: 12 Investigating Windows Systems (Part 3)
1 like1,107 views
The document provides an overview of various computer forensics techniques used to investigate Windows system artifacts, including interactive sessions, lnk files, jump lists, and memory forensics. It details how evidence can be gathered from deleted files, memory dumps, and processes, along with methods used for detecting malicious activity such as process injection and hooking. Additionally, it covers persistence mechanisms for malware and various defenses in Windows against such attacks.
CNIT 121: 12 Investigating Windows Systems (Part 3)
- 1. CNIT 121: Computer Forensics 12 Investigating Windows Systems (Part 3)
- 3. Other Artifacts of Interactive Sessions
- 4. Interactive Sessions • For the purposes of this section, includes • Login with user at the console • Remote Desktop sessions • Screen sharing (via VNC or similar software)
- 5. LNK Files • Shortcuts to files • Serve as extensions to Windows Explorer • Windows automatically creates LNKs for every opened file • To populate "Recent Files" • Separate list in each user profile
- 6. Where the LNK Files Are
- 7. Evidence in LNK Files
- 8. Timeline • LNK files can show just what a user did • Which files were accessed, and in what order
- 9. Jump Lists • Right-click a taskbar icon to show recently used items • Word shows recent Word files, etc.
- 10. Where Jump Lists are Stored • Not human-readable, you need tools • JumpLister for Windows 7-8 • JLECmd for Windows 10 (link Ch 12t)
- 11. The Recycle Bin • Located in $Recycle.Bin • Contains files deleted from the hard disk • But not if deleted from removable drives • Or from the Command Prompt • Or with Shift+Delete
- 12. Rifiuti2 Tool • Link Ch 12u
- 13. Memory Forensics
- 14. Evidence in RAM
- 15. Types of Memory • Physical (RAM chips) • Page file • Data moved out of RAM onto the hard disk • %SYSTEMDRIVE%pagefile.sys
- 16. Crash Dumps • Can be produced when Windows crashes with the "Blue-Screen of Death" • Three levels • Kernel Memory Dump (default) • Small Memory Dump (Minidump) • Complete Memory Dump
- 17. Crash Dump Storage • %LOCALAPPDATA%Crashdumps • Complete Memory Dump is most useful type • But it's rarely turned on
- 18. Hibernation Files • Saves the full contents of RAM on disk • %SYSTEMDRIVE%Hiberfil.sys • It's compressed and includes metadata • Link Ch 8t • Volatility can parse it
- 19. Running Processes • Volatility can recover
- 21. Handles • Used to access files, devices, and more from software • Can help when analyzing malware • Mutants or Mutexes are used for inter-process communication • To lock a resource so no other process changes it while it's in use • Used by malware to prevent re-infection
- 22. Handles for Zeus • Mutant _AVIRA_2108 is a fingerprint of Zeus • Link Ch 12u
- 24. Sections • Each process has a virtual address space • Including RAM and some disk space in the pagefile • The OS swaps data in and out of physical memory • Virtual Address Descriptor (VAD) tree • A kernel data structure that shows how memory is used by each process (link Ch 12v)
- 25. Memory Map for Notepad
- 26. DLLs for Notepad
- 27. Detecting Malicious DLLs • Check for valid digital signatures • Known-good or -bad hash values • Evidence of process-tampering attacks • Malware loading a DLL surreptitiously or running code in memory
- 28. Other Memory Artifacts • Network connections • Loaded drivers • Runs in kernel, with elevated privileges • Console command history • Strings in memory • Credentials
- 29. Pagefile Analysis • Has no intrinsic structure • Can search for strings • Be careful: antivirus and host-based intrusion detection systems leaves signatures in the pagefile • Suspicious IP addresses, domain names, and malware filenames • Windows can clear the pagefile on shutdown, but this is not its default setting
- 30. Analyzing Common In- Memory Attacks • Process injection • Hooking
- 31. Process Injection • A malicious injecting process causes a legitimate process (injected) to load and execute malicious code • In-memory attack • Disk files do not change • Injected process has no evidence indicating which process was responsible for the injection
- 32. Methods of Process Injection • Use Windows APIs (requires Administrator or SYSTEM privileges) • Force target process to load a malicious DLL from disk • Directly write malicious code to target process's memory and invoke a remote thread to execute it
- 33. Process Replacement • Malware launches a legitimate executable in a suspended state • Then overwrite process memory with malicious code • Unsuspend it to execute
- 35. Detecting Malicious Injection • Memory sections with Execute, Read and Write permissions • Processes that don't match corresponding disk files • Links Ch 12w, 12x
- 36. Finding Persistence Mechanisms • The injecting process needs a persistence mechanism to survive reboots • So it maybe found in • Auto-run keys, DLL load-order hijacking, etc.
- 37. Hooking • Allows code within running processes to intercept, modify, and view events such as function calls and data they return • Windows provides many API mechanisms to do this • Used by legitimate programs • Antivirus, host-based intrusion detection systems, application inventory software
- 38. Malicious Hooking • Rootkits use hooking to hide files, processes, registry keys, or network connections • Keyloggers may use SetWindowsHookEx to cause a malicious DLL function to be called whenever a keyboard event occurs • Or use GetAsyncKeyState to constantly check the up/down state of keys
- 39. Types of Hooks • Manipulate a process's Import Address Table • So it calls malicious functions instead of legitimate system functions • Hook kernel structures such as the Interrupt Descriptor Table (IDT) and System Service Dispatch Table (SSDT) • Prevented on modern Windows systems by Kernel Patch Protection (KPP)
- 40. Zeus Hook • The next slide shows the output of "apihooks" (a Volatility plugin) • On a system infected with Zeus • Shows an inline hook to the HttpSendRequestA function imported from WinInet.dll within the process space of lsass.exe
- 42. Memory Analysis Tools • Acquisition tools • FTK Imager • DumpIt • Memoryze and Redline • Analysis tools • Memoryze and Redline • Volatility
- 44. Alternative Persistence Mechanisms • Startup folders • Recurring tasks • System binary modification • The sticky keys attack • DLL load-order hijacking
- 45. Startup Folders • Any program or shortcut in this folder is launched • On startup or login
- 46. Recurring Tasks • Use "at" or "schtasks" commands • To make a task that recurs at regular times or days of the week • Future and recurring scheduled tasks persist as .job files in %SYSTEMROOT%Tasks
- 47. System Binary Modification • Modify existing Windows binary • Typically one automatically loaded on bootup or login • Add malicious code • Time-stomp • Will change MD5 hash and break signature, but not all legitimate binaries are signed
- 48. Careful Modifications • Changes that cause Windows to crash or impair user experience will limit the attacker's ability to persist • Attackers are more likely to replace noncritical executables or libraries
- 49. Defenses • Windows File Protection in older versions of Windows (XP, 2000) • Easily bypassed by a local Administrator • Replaced by Windows Resource Protection (WRP) in Windows Vista and later • Requires TrustedInstaller permissions to alter WFP-governed resources • More resistant to tampering
- 50. The Sticky Keys Attack • Targets sethc.exe • A file that provides accessibility features • Replace sethc.exe with cmd.exe • Press Shift key five times before logon • A command shell opens with SYSTEM privileges • Even works during a Remote Desktop Protocol session
- 51. • No longer works on Vista and later versions • But there's another way to get the same result The Sticky Keys Attack
- 52. DLL Load-Order Hijacking • DLLs are loaded when a program launches • But DLLs might be in many different folders • "KnownDLLs" registry key lists known system DLLs and ensures that they are always loaded from %systemroot%System32
- 54. Unknown DLL Search Order
- 55. DLL Load-Order Hijacking Works When: • ntshrui.dll is loaded by Windows Explorer and is vulnerable • A malicious ntshrui.dll in %systemroot% will launch when Explorer does