Leveraging NTFS Timeline Forensics in the Analysis of Malware
Tim Mugherini
NAISG Boston
January 20, 2011
About Me
Caveat: I Am Not An Expert!

Some Context
“Facts do not cease to exist because they are ignored.” - Aldous Huxley
Being Prepared
What’s in your Incident Response Toolkit?
Malware is becoming more sophisticated, so a deeper understanding of how the underlying systems work is needed.
File system forensics techniques are well documented but seem underutilized.
Analysis of the Master File Table (MFT) of the NTFS file system can be used to establish a timeline of changes to the system and the locations where those changes were made.

Incident Response
Where does Malware Analysis Fit In?
Preparation: incident handling procedures, training, toolkits, jump bags, detection and defense mechanisms.
Detection & Analysis: detect the type, extent and magnitude of the incident; identify the malware’s characteristics.
Containment, Eradication & Recovery: prevent the malware from spreading and causing further damage; once contained, remove the malware and restore the functionality and data affected by the infection.
Post-Incident: review the incident and the lessons learned, apply them to your preparation for the next incident, and retain the evidence.
Reference: National Institute of Standards and Technology (2005). SP 800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Malware Analysis
Where does File Forensics Fit In?
Static: analyze without executing the code
  File analysis (e.g. location, dates and times, strings, hashes)
  Code analysis and reverse engineering (e.g. decompiling, disassembling)
Dynamic: analyze the code while it runs
  Behavioral analysis (e.g. processes, network connections, strings in memory)
  Network packet analysis
Ideally you want to do both!

NTFS Master File Table 101
“Facts do not 'speak for themselves', they are read in the light of theory” - Stephen Jay Gould
Everything is a File
Overview of NTFS and the Master File Table
NTFS (“New Technology File System”) is the default file system of all modern versions of Windows.
The Master File Table (MFT) is the heart of NTFS: it holds the metadata for every file and directory on the volume.
Everything is a file in NTFS, including the MFT itself ($MFT).
Each file and directory has at least one entry in the MFT.
Each MFT entry is 1024 bytes (the size is defined in the boot sector). The first 42 bytes are the entry header, with 12 defined fields; the remaining space holds the entry’s attributes.
The MFT grows as needed and NTFS does NOT delete MFT entries once they have been created (they are marked unallocated and can later be re-allocated, which is why the metadata of deleted files often survives).
Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.

0x46494c45
What FILE Information can be extracted?
Every entry starts with the signature 0x46494c45, the ASCII string “FILE” (entries NTFS has found damaged carry “BAAD” instead).
The MFT entry header contains the entry’s record number, its sequence number (incremented each time the entry is reused, so a stale reference can be told apart from a live one), the hard link count and the in-use and directory flags. The parent directory reference (location) is not in the header; it is stored in each File_Name attribute.
Standard_Information attributes are the best known. Many of their fields (the MACE/MACb times, flags) are what explorer.exe displays in the properties of a file or folder.
File_Name attributes contain the file name, the parent directory reference and a second, independent set of MACE/MACb times (more on this in a bit).
Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
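The layout described on the two slides above is easiest to see in code. The parser below is an added example written for this page; it is not part of the original talk and it is not analyzeMFT. It builds a constructed 1024-byte entry (record number 24601, sequence 5, parent record 1234, a file named after the page’s sample; every value is invented for the demo), applies the fixups, walks the attribute list and pulls both the $STANDARD_INFORMATION and $FILE_NAME time sets out, converting FILETIME to UTC datetimes with the microseconds intact.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS times are FILETIME values: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def apply_fixups(data, sector_size=512):
    """Undo the update sequence: NTFS overwrites the last two bytes of every sector
    with the update sequence number and keeps the originals in the fixup array.
    A mismatch means a torn write or something that is not an MFT entry."""
    usa_off, usa_count = struct.unpack_from("<HH", data, 4)
    usn = data[usa_off:usa_off + 2]
    rec = bytearray(data)
    for i in range(1, usa_count):
        end = sector_size * i
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end - 2:end] = data[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def _times(buf, off):
    raw = struct.unpack_from("<4Q", buf, off)
    return dict(zip(TIME_KEYS, (filetime_to_datetime(v) for v in raw)))


def parse_mft_record(data):
    if data[:4] != b"FILE":          # b"BAAD" marks an entry NTFS found corrupt
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(data)
    seq, links, first_attr, flags, used, alloc, base_ref, _ = struct.unpack_from("<HHHHIIQH", rec, 16)
    out = {
        "record_number": struct.unpack_from("<I", rec, 44)[0],  # in the header since XP
        "sequence": seq, "link_count": links,
        "in_use": bool(flags & 0x1), "is_directory": bool(flags & 0x2),
        "base_record": base_ref & 0xFFFFFFFFFFFF, "used_size": used, "allocated_size": alloc,
        "standard_information": None, "file_names": [],
    }
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen == 0 or alen % 8:
            raise ValueError(f"bad attribute length at offset {off}")
        if rec[off + 8] == 0:        # resident attribute: content lives inside the entry
            coff = off + struct.unpack_from("<H", rec, off + 20)[0]
            if atype == ATTR_STANDARD_INFORMATION:
                si = _times(rec, coff)
                si["flags"] = struct.unpack_from("<I", rec, coff + 32)[0]
                out["standard_information"] = si
            elif atype == ATTR_FILE_NAME:    # one per name (Win32, DOS 8.3, hard links)
                parent_ref = struct.unpack_from("<Q", rec, coff)[0]
                fn = _times(rec, coff + 8)
                name_len, namespace = rec[coff + 64], rec[coff + 65]
                fn.update(name=rec[coff + 66:coff + 66 + 2 * name_len].decode("utf-16-le"),
                          namespace=namespace,
                          parent_record=parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits
                          parent_sequence=parent_ref >> 48)            # high 16 bits
                out["file_names"].append(fn)
        off += alen
    return out


def _resident_attr(atype, content, indexed=0):
    length = (24 + len(content) + 7) & ~7        # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, indexed, 0)
    return (hdr + content).ljust(length, b"\0")


def build_sample_record():
    """Constructed entry (not from a real disk): $SI creation back-dated to a whole
    second, $FN keeping the genuine creation time with its microseconds."""
    stomped = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    real = datetime(2010, 11, 14, 1, 20, 29, 123456, tzinfo=timezone.utc)
    si = struct.pack("<4Q", *(datetime_to_filetime(t) for t in (stomped, stomped, real, real)))
    si += struct.pack("<6IQQ", 0x20, 0, 0, 0, 0, 0, 0, 0)      # flags=ARCHIVE, rest zero
    name = "ISe6d_2229.exe"
    parent_ref = 1234 | (2 << 48)                              # parent record 1234, sequence 2
    fn = struct.pack("<Q4QQQIIBB", parent_ref, *(4 * [datetime_to_filetime(real)]),
                     3592192, 3590656, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = _resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn, 1)
    attrs += struct.pack("<I", ATTR_END) + b"\0" * 4
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 3, 0, 5, 1, 56, 0x1,
                                56 + len(attrs), 1024, 0, 3, 0, 24601)
    rec = bytearray((hdr + struct.pack("<H", 0x0007)).ljust(56, b"\0") + attrs).ljust(1024, b"\0")
    for i, end in ((1, 512), (2, 1024)):                       # write the fixups like NTFS does
        rec[48 + 2 * i:50 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = rec[48:50]
    return bytes(rec)


if __name__ == "__main__":
    r = parse_mft_record(build_sample_record())
    print(f"record {r['record_number']} seq {r['sequence']} in_use={r['in_use']}")
    for k in TIME_KEYS:
        print(f"{k:13} $SI {r['standard_information'][k].isoformat()}  $FN {r['file_names'][0][k].isoformat()}")
```

Feeding a real $MFT through this is a matter of slicing the exported file into 1024-byte chunks; unallocated entries (in_use false) still parse, which is exactly why deleted files show up in a timeline.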
Standard_Information Attributes
The Good, The Bad, The WTF
The Good: the behavior of Windows with respect to Standard_Information MACE times is well known.
The Bad: Standard_Information MACE times can easily be manipulated (e.g. with Metasploit’s Timestomp or a Unix-style touch).
OK ... WTF: did you know that last-access time updates are disabled by default in Windows Vista and 7? Do not expect the Accessed time to tell you when a file was last read.
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1

PowerShell: Friend or Foe?
Manipulation of Standard_Information dates from PowerShell: the CreationTime, LastWriteTime and LastAccessTime properties of a file object are writable, so a “touch” needs no extra tooling.
Reference: Hull, David (2008). Touch on Windows via PowerShell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html

Don’t Be Duped
File_Name Attributes are not Easily Manipulated
File_Name attribute times initially mirror the Standard_Information creation time.
They do not get updated the way Standard_Information times do; typically they only change when the file is moved or renamed.
Consequently it is more difficult to manipulate File_Name attributes (note: I did not say impossible, more on this later). All attribute times, $SI and $FN, need to be analyzed when doing MFT analysis.
Some work has been done cataloging the behavioral changes of File_Name time attributes.
Reference: Hull, David (2010). Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation

Thank You Rob
MFT Attribute Behavior
Reference: Lee, Rob T. (2010). Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
Intro to Our Malware Sample
“It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” - Author Unknown

Rogue AV Prerequisites
There Are None
Up-to-date Windows 7 OS - No Problem!
No local admin rights - No Problem!
Existing antivirus with current signatures - No Problem!
Windows Firewall hardened with GPO - No Problem!
IE 8 in Medium/High security mode - No Problem!
UAC enabled - No Problem!
But what features do you get with your install, you ask?

Rogue AV Feature Set
Replaces existing antivirus without interaction
Places bogus “malicious” files on your file system
Provides protection, Sopranos style
Confused? Live support chat can assist
Protects against analysis by your IT practitioner
Analysis of Our Sample
“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams

Down the Rabbit Hole
Summary of the Rogue File/Process
File name: ISe6d_2229.exe
File type: Windows 32-bit Portable Executable
MD5: 699ebebcac9aaeff67bee94571e373a1
SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
File size: 3590656 bytes
First seen on VirusTotal: 2010-11-14 01:20:29
Last seen: 2010-11-16 15:52:22
http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742
My write-up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html

Grabbing the MFT
FTK Imager Lite: exporting the MFT. $MFT sits in the root of the volume and is locked while Windows is running, so it has to be exported by a tool that reads the raw volume (FTK Imager does) or pulled from a disk image.

Parsing the MFT
analyzeMFT: parse the exported $MFT and export the records to CSV, one row per entry carrying both the $SI and the $FN times.

Analyzing the MFT
Based on the facts, find the infection locations: narrow the timeline to the window around the infection (the VirusTotal first-seen time, the user’s report) and look at what was created in that window, where, and under which parent directory.
Leveraging the Results
“We can have facts without thinking but we cannot have thinking without facts.” - John Dewey

Using Information from the MFT
Prefetch Parser: parsing the Prefetch folder. Each .pf file is named after the executable plus a hash of its path and records the files the process touched during its first seconds of execution, along with its last run time. These three entries tie the download in the IE cache to the binary dropped under \ProgramData:
SETUP_2229[1].EXE-11C68EE8.pf
    \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\SETUP_2229[1].EXE
TASKKILL.EXE-8F5B2253.pf
    \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\ANPRICE=85[1].HTM
RUNDLL32.EXE-80EAA685.pf
    \PROGRAMDATA\E6DB66\ISE6D_2229.EXE

Using Information from the MFT
Exporting the Windows Registry Hives
Most hives live in %SystemRoot%\System32\Config (HKCU and HKU come from the NTUSER.DAT hive in each user profile).
Tools such as RegRipper and Windows Registry Recovery can then be used to perform further analysis based on the facts discovered. Here the dropped binary persists through the per-user Run key, which needs no admin rights to write:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"
Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx
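Run-key values exported from a hive arrive in .reg syntax, where backslashes and embedded quotes are escaped, so the image path has to be unescaped and split from its arguments before it can be matched against the MFT timeline. The script below is an added example for this page (not the talk’s, not RegRipper): it parses a constructed .reg export containing the page’s Run value plus an invented benign entry (“ExampleVendor”, a hypothetical name), recovers the executable path, and flags autoruns that point into user-writable locations such as \ProgramData or \AppData. The unquoted-path splitter is a heuristic (first space-delimited prefix ending in an executable extension), not Windows’ own resolution order.

```python
import re

# Constructed .reg export: the page's Run value and an invented benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleVendorTray"="C:\\Program Files\\ExampleVendor\\tray.exe /minimized"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll")
# Locations a standard user can write to; an autorun living there deserves a look.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (any escaped char is taken literally)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return [{key, name, data}] for every named value; REG_SZ data is unescaped,
    dword:/hex: data is kept as the raw text after '='."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        entries.append({"key": key, "name": name, "data": data})
    return entries


def split_command(cmd):
    """Split a Run value into (image path, arguments). Quoted paths are exact;
    unquoted paths use the first prefix that ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if cand.lower().endswith(EXEC_EXT):
            return cand, " ".join(parts[i:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def is_suspicious_image(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def autoruns(text):
    """Run-key entries from a .reg export with the image path split out and a
    suspicious flag set when it lives in a user-writable directory."""
    found = []
    for e in parse_reg(text):
        if not e["key"].lower().endswith("\\currentversion\\run"):
            continue
        image, args = split_command(e["data"])
        found.append({**e, "image": image, "args": args, "suspicious": is_suspicious_image(image)})
    return found


if __name__ == "__main__":
    for e in autoruns(SAMPLE_REG):
        tag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"{tag:10} {e['name']!r} -> {e['image']}  [{e['args']}]")
```

The image paths this produces are the strings to look up in the analyzeMFT output: the $FN creation time of ISe6d_2229.exe and the last-write time of the NTUSER.DAT key that references it should fall in the same window.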
Using Information from the MFT
Recovering Deleted Files with VSS
FTK Imager can export deleted files as long as their clusters have not been overwritten.
Microsoft Volume Shadow Copy Service (VSS) is another option: expose an earlier shadow copy as a directory and copy the file out of it. This needs an elevated prompt; find the copy you want with vssadmin list shadows, use the matching HarddiskVolumeShadowCopyN device, and keep the trailing backslash or the link will not work.
mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
Reference: Mugherini, Timothy (2010). Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html

Using Information from the MFT
Hashes Are Your Friend
Once suspect files are found, export their hashes and leverage online resources:
NIST National Software Reference Library
SANS ISC Hash Database
Team Cymru Malware Hash Registry
FTK Imager and other Windows tools can hash individual files, but what if you want to hash all the files on a drive or volume?
http://md5deep.sourceforge.net/
md5deep.exe -r C:\ > hash_drive.txt
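What md5deep -r gives you is a list; the useful step is running that list against a known-bad set (Team Cymru style) and a known-good set (NSRL style) so that only the remainder needs eyes. The script below is an added example for this page, not the author’s tooling and not md5deep: it walks a tree computing MD5 and SHA1 in one pass, skips symlinks and keeps going past unreadable files, and sorts the results into hits, known-good, unknown and errors. The demo builds a temporary tree of three constructed files (their contents are invented) and seeds the hash sets from them; the page’s real MD5 for ISe6d_2229.exe is included in the known-bad set as well.

```python
import hashlib
import os
import tempfile

# Known-bad MD5 from the page's sample; demo() adds the hash of a constructed file.
KNOWN_BAD_MD5 = {"699ebebcac9aaeff67bee94571e373a1": "ISe6d_2229.exe (rogue AV sample on the page)"}


def hash_file(path, algorithms=("md5", "sha1"), chunk=1 << 20):
    """Hash one file with several algorithms in a single read."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_tree(root):
    """Yield (path, digests) for every regular file under root, like md5deep -r."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                        # symlinks, devices, pipes
            try:
                yield path, hash_file(path)
            except OSError as err:              # locked or unreadable: note it, keep going
                yield path, {"error": str(err)}


def triage(root, known_bad_md5, known_good_sha1=frozenset()):
    """Sort files into known-bad hits, known-good matches, unknowns and read errors.
    Paths are returned relative to root."""
    result = {"hits": [], "known_good": [], "unknown": [], "errors": []}
    for path, d in hash_tree(root):
        rel = os.path.relpath(path, root)
        if "error" in d:
            result["errors"].append(rel)
        elif d["md5"] in known_bad_md5:
            result["hits"].append((rel, known_bad_md5[d["md5"]]))
        elif d["sha1"] in known_good_sha1:
            result["known_good"].append(rel)
        else:
            result["unknown"].append((rel, d["md5"], d["sha1"]))
    return result


def demo():
    """Constructed tree: a benign file in the known-good set, a 'dropper' whose
    MD5 is added to the known-bad set, and one file nobody has catalogued."""
    benign = b"constructed benign binary\n"
    dropper = b"constructed scareware dropper\n"
    unknown = b"constructed file nobody has catalogued\n"
    known_bad = dict(KNOWN_BAD_MD5)
    known_bad[hashlib.md5(dropper).hexdigest()] = "demo dropper"
    known_good = {hashlib.sha1(benign).hexdigest()}
    layout = {
        os.path.join("Windows", "System32", "taskkill.exe"): benign,
        os.path.join("ProgramData", "e6db66", "ISe6d_2229.exe"): dropper,
        os.path.join("Users", "Public", "notes.txt"): unknown,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return triage(root, known_bad, known_good)


if __name__ == "__main__":
    r = demo()
    for rel, label in r["hits"]:
        print(f"KNOWN BAD  {rel}  ({label})")
    for rel, md5, sha1 in r["unknown"]:
        print(f"UNKNOWN    {rel}  {md5}  {sha1}")
```

On a mounted image, point triage() at the mount root and feed it a known-good SHA1 set pulled from the NSRL; the unknown list is what goes back to the MFT timeline for a creation-time check.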
The Trouble with Facts…
“The trouble with facts is that there are so many of them.” - Samuel McChord Crothers

File_Name Attributes Can Change
Manipulating File_Name Attributes: once $SI has been stomped, moving or renaming the file rewrites its File_Name attribute, and the new $FN times are derived from the current (already false) $SI times, so the $SI/$FN mismatch disappears.

Hope Is Not Lost
How can we Detect Attribute Manipulation?
Some possibilities:
Recent Documents and Programs (if not disabled)
System events (e.g. a System Time Change event)
Prefetch differences (the .pf file’s own times and its embedded last-run time versus the executable’s $SI times)
Differences between the $SI and $FN attributes
MACE times whose microseconds are exactly 00: Timestomp writes whole seconds, so a creation time with no fractional second is worth a second look (legitimate software occasionally writes whole-second times too, so correlate before calling it)
New features in analyzeMFT.py (v1.5):
  Now reports microseconds for all time attributes
  -a (anomaly detection) adds two columns:
  std-fn-shift: Y = $FN create time is after the $SI create time
  usec-zero: Y = $SI create time has usec = 0

Summary
An Answer to a Question Might be Another Question
This is one forensic technique (timeline analysis) that focuses on one object ($MFT) in one layer (metadata) of one type of file system (NTFS) during one type of malware analysis (static) that is typically done during one phase (Detection/Analysis) of incident response.
It is something you can add to your incident response and malware analysis toolkit.
It may be necessary to correlate and verify your results with other methods and tools. Tools such as log2timeline are available to create “super timelines” that combine the MFT with registry, event log, prefetch and other artifacts, making it even easier to build a timeline of malicious activity on a system.

Go Forth and Prosper
Additional Resources and Tools
Additional Resources
Lenny Zeltser: Combating Malicious Software
NIST Special Publication 800-61: Computer Security Incident Handling Guide
NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling
NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
Reversing Malware Blog
SANS Computer Forensics & Incident Response Blog
SANS Reading Room (too many great papers to mention: check the Forensics, Incident Response and Malware Analysis categories)
Windows Incident Response Blog
Books
Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress.
Tools
analyzeMFT
FTK Imager Lite
md5deep
Prefetch Parser
RegRipper
Windows Registry Recovery
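The $SI-versus-$FN argument from the “Don’t Be Duped” slide, the move trick from “File_Name Attributes Can Change” and the two analyzeMFT -a columns above fit in one small model. The code below is an added example for this page; it is not analyzeMFT and not the talk’s own material. It works on constructed records in the shape an MFT parser emits (one $SI and one $FN time set each, all times invented), models a Timestomp-style rewrite of the four $SI times, models a same-volume move as copying the current $SI times into a fresh $FN (an assumption about Windows behaviour made for the demo), and then runs the std-fn-shift and usec-zero checks plus one extra heuristic that is labelled as such.

```python
from datetime import datetime, timezone

UTC = timezone.utc


def record(name, si, fn):
    """Constructed record in the shape an MFT parser emits: a $SI and a $FN time set."""
    return {"name": name, "si": dict(si), "fn": dict(fn)}


def timestomp_si(rec, new_time):
    """Model of a touch/Timestomp-style edit: all four $SI times are rewritten,
    $FN is untouched (assumes the file is not renamed or moved afterwards)."""
    return {**rec, "si": {k: new_time for k in rec["si"]}}


def move_same_volume(rec):
    """Model of the follow-up trick: a rename/move writes a fresh $FN whose times
    are taken from the current $SI values (assumption used for this demo)."""
    return {**rec, "fn": dict(rec["si"])}


def check_record(rec):
    """The two analyzeMFT -a columns plus one extra, labelled heuristic."""
    si, fn = rec["si"], rec["fn"]
    flags = []
    if fn["created"] > si["created"]:
        flags.append("std-fn-shift")      # $FN birth after $SI birth: $SI was back-dated
    if si["created"].microsecond == 0:
        flags.append("usec-zero")         # Timestomp writes whole seconds
    # Extra heuristic (not an analyzeMFT column): all four $SI times identical
    # and on a whole second. Legitimate software occasionally does this too.
    if len(set(si.values())) == 1 and si["created"].microsecond == 0:
        flags.append("si-all-identical")
    return flags


def scan(records):
    """Return only the records that raised at least one flag."""
    report = {}
    for name, rec in records.items():
        flags = check_record(rec)
        if flags:
            report[name] = flags
    return report


# Invented times: a genuine creation with microseconds, a later write, a stomp target.
BORN = datetime(2010, 11, 14, 1, 20, 29, 123456, tzinfo=UTC)
LATER = datetime(2010, 11, 14, 1, 21, 3, 456789, tzinfo=UTC)
STOMP = datetime(2005, 1, 1, 0, 0, 0, tzinfo=UTC)


def _born(**overrides):
    t = dict(created=BORN, modified=BORN, mft_modified=BORN, accessed=BORN)
    t.update(overrides)
    return t


DROPPER = record("ISe6d_2229.exe", si=_born(modified=LATER, mft_modified=LATER), fn=_born())

SAMPLES = {
    # ordinary file: $FN mirrors the birth time, $SI moved on after a later write
    "clean": record("ANPRICE=85[1].HTM", si=_born(modified=LATER, mft_modified=LATER), fn=_born()),
    # $SI back-dated to a whole second: both analyzeMFT columns fire
    "stomped": timestomp_si(DROPPER, STOMP),
    # careful adversary fakes a fractional second: only the shift survives
    "stomped_subsec": timestomp_si(DROPPER, STOMP.replace(microsecond=654321)),
    # stomp then move: the shift is gone, the whole-second $SI still gives it away
    "stomped_then_moved": move_same_volume(timestomp_si(DROPPER, STOMP)),
}

if __name__ == "__main__":
    for name, flags in scan(SAMPLES).items():
        print(f"{name:20} {', '.join(flags)}")
```

The last two samples are the point: a stomp with a fake fractional second defeats usec-zero, and a stomp followed by a move defeats std-fn-shift, which is why neither column is conclusive on its own and why the prefetch, event log and registry evidence listed above still has to be correlated.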

Internet Control Message Protocol
Feel Free to Ping Me
Tim Mugherini
http://securitybraindump.blogspot.com
tmugherini@gmail.com
@bug_bear
irc://freenode (as Bugbear)