I am back from vacation! I am back from teaching MFIRE in Paris! What fun I have been having! Now, it is back to the grind.
A lot of times in class I get asked about tools and specific parameters to obtain data. What I hope to do with the next few posts is show off some basic tools to help an analyst out in conducting IR.
- First Response/Triage (explaining each tool I use.. this isn't exhaustive in steps but it covers a good chunk)
- Memory Forensics
- Local/Remote Acquisition
So let's get started! What is the malware you ask? Psh! What fun is it if I tell you that?! :P
The first scenario is running tools from local (say USB) but dumping to a share somewhere else (mapped as Z:\).
Step One: Memory
Following the order of volatility, we want to grab memory first. Memory forensics is the way forward: it uncovers things which the OS nicely forgets (generally because a rootkit tells it to!), and it is an all-around amazing resource besides. I am not saying you will always need the memory dump-- I am saying you will kick yourself if you need it and do not have it :)
I will use FastDump Community Edition from HBGary (edit: thanks for the catch!). It is pretty straightforward:
I really like the percentage bar, this way I know if I have time to grab a cup of coffee or not. I generally do not need to give FastDump any additional parameters to run. Just where I want the memory dump saved to.
An issue with FastDump is that it does not work on all architectures and operating systems. It does NOT support 64-bit anything, nor does it support Vista, 2003, or 2008. And its limit is 4GB. So what is a girl to do?
DumpIt is another tool I like to use and give to sysadmins who don't fully understand what the heck is going on. It's really easy: double click and go :) The only downfall is that it saves the memdump wherever you have the executable (you cannot redirect). For this scenario, then, I simply have to execute DumpIt from the share (heck, all your tools can be run from the share rather than from a USB or CD/DVD)... we will get to total remoteness later.
Step Two: Master File Table
Another artifact I find very useful is the MFT (master file table). What is this, you may ask? Remember the card catalog? You young whipper snappers hush now.. and Google it! For every NTFS file, there is an entry in the MFT. Even deleted files are possibly still in the MFT (the entry is marked as free and can be overwritten at any time!). For more information about the MFT see the Microsoft page about it. Mike Spohn over at malware-hunters.net has a great tool called MFTDump which can be used to parse the MFT file of a machine, but first we need to grab the MFT file! The $MFT is one of those persnickety files which does not like to simply be copied and pasted; you need something to extract the file. In this scenario we will use FGET.
FGET is a free tool from HBGary which can grab files that cannot simply be copied out (think system files or files in use by the OS). It's a pretty powerful tool. I will quickly go over some useful switches, but read their FAQ for more!
- If you only give the -scan switch, by default FGET grabs:
  - Full user list + ntuser.dat files
  - Prefetch directory
  - Everything in the Windows\System32\config directory
- If running locally, to extract a file it would be the following:
  fget.exe -extract (file_to_be_extracted) (location_to_dump_file)
- To do the same thing remotely:
  fget.exe -scan (IP) -extract (file_to_be_extracted) (location_to_dump_file)
- If you have a lot of computers that need a file pulled, you can pass a list of IPs with the -list argument, with each IP on a new line. Note that you do not give a save location when dealing with multiple machines; FGET separates each one into its own folder for you (how nice). Note that for things to work remotely you need to ensure your permissions are set correctly! Check the FAQ!
Step Three: Prefetch and System32\Config Contents
Just to make life difficult (and sometimes tools do not work the way you want them to, so it is always good to have a backup!) I will use a different tool to pull the prefetch files as well as the registry hives and Windows logs: Robocopy, which is included in the Windows Server 2003 Resource Kit Tools. A short description of each artifact is as follows:
- Prefetch - the last 128 unique applications run on your machine. It was designed to help programs load faster by saving specific data about an application (such as the DLLs used). You opened up Adobe Acrobat? It shows up in the Prefetch. You ran an IR triage tool? Chances are it will show up in your Prefetch too (hence you want to grab this early). Prefetch is not turned on by default in Server editions of Windows; it is, however, in Windows 7.
- Registry - How does one describe the registry? It stores configurations and settings used in all aspects of the OS. This includes a plethora of things, like what starts at boot, how one connects to the internet, and even how deleting a file works. It is dangerous to go alone! Here, take this.
- Windows Logs - Another piece of information on the OS which you may not always need, but good to grab just in case. These files contain log-in successes/failures, services starting/stopping, and sometimes crashes (a good indicator of a buffer overflow), among many other things. Sometimes Windows logs are not on the local machine but are forwarded to a syslog server of some sort, so make sure you find out.
The switch /TS means to preserve source file timestamps while /FP means to include the full path in output.
We will analyse these prefetch files using another tool from malware-hunters.net called PFDump next posting.
The next tool I will show is FTK Imager Lite. Yes, it's a GUI, I know this... but hey, sometimes you gotta make do with what you have (and it's pretty kickass anyway). The nice thing about Lite is that it does not perform any installation onto the disk-- but just make sure you document! Below is a quick video showing you how to extract the files from a live system (it's pretty straightforward; I just feel this post is getting quite long, so I figured a video would do).
Edit: I noticed after watching this I missed something... anyone know what it is and why I should go back and grab it?
So... what is to stop you from using FTK Imager to grab all the above-mentioned files? Nothing really. I just want to show you multiple tools and their syntax. Like I mentioned above, sometimes tools do not work according to plan, so it is always good to have a backup. And what's to stop you from scripting this? Nothing!
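As an added example (not code from the original post, and not any vendor's own script), here is one way to script the three steps above for the "tools on a USB stick, output to a share mapped as Z:\" scenario. The tool directory, the share letter and the case name are assumptions; DumpIt is run from the output folder on the share because, as noted above, it writes its dump next to its own executable; the fget and robocopy switches are the ones shown in the post (-extract, /TS, /FP) plus standard robocopy options, and every step is logged and the results are hashed so the collection itself is documented.

```powershell
# Added example: live-triage collection script. Assumptions: tools live in
# $ToolDir (DumpIt.exe, fget.exe), evidence goes to a share mapped as $ShareRoot,
# and $CaseName is a placeholder identifier. Run from an elevated prompt on the
# host being triaged.
param(
    [string]$ToolDir   = "E:\tools",     # assumed USB path holding the tools
    [string]$ShareRoot = "Z:\",          # assumed mapped evidence share
    [string]$CaseName  = "CASE-0001"     # placeholder case identifier
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $ShareRoot "$CaseName-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log     = Join-Path $outDir 'collection.log'
$roboLog = Join-Path $outDir 'robocopy.log'

function Write-Log([string]$Message) {
    # Timestamp every step so the run is documented for the case notes.
    $line = "{0} {1}" -f (Get-Date -Format 'o'), $Message
    Add-Content -Path $log -Value $line
    Write-Host $line
}

Write-Log "Collection started by $env:USERNAME on $env:COMPUTERNAME ($env:PROCESSOR_ARCHITECTURE)"
Write-Log "Output directory: $outDir"

# Step One: memory first (order of volatility). DumpIt saves beside its own
# executable and cannot be redirected, so a copy is run from the share folder.
# DumpIt asks for confirmation on the console before dumping.
$dumpIt = Join-Path $ToolDir 'DumpIt.exe'
if (Test-Path $dumpIt) {
    $dumpItOnShare = Join-Path $outDir 'DumpIt.exe'
    Copy-Item $dumpIt -Destination $dumpItOnShare
    Write-Log "Running DumpIt from $outDir"
    Start-Process -FilePath $dumpItOnShare -WorkingDirectory $outDir -Wait -NoNewWindow
    Remove-Item $dumpItOnShare
} else {
    Write-Log "WARNING: DumpIt.exe not found at $dumpIt; memory not collected"
}

# Step Two: the $MFT, using the local "fget.exe -extract <file> <dir>" form.
$fget = Join-Path $ToolDir 'fget.exe'
if (Test-Path $fget) {
    $mftDir = Join-Path $outDir 'MFT'
    New-Item -ItemType Directory -Path $mftDir -Force | Out-Null
    $mftPath = "$env:SystemDrive\`$MFT"
    Write-Log "Extracting $mftPath with fget"
    & $fget -extract $mftPath $mftDir 2>&1 | Add-Content -Path $log
} else {
    Write-Log "WARNING: fget.exe not found at $fget; `$MFT not collected"
}

# Step Three: Prefetch, registry hives and event logs via robocopy.
# /E copies subfolders, /R:1 /W:1 stop locked files from stalling the run,
# /TS and /FP put source timestamps and full paths in the robocopy log.
# On XP/2003 the .evt logs sit in System32\config; Vista and later keep
# .evtx logs under System32\winevt\Logs, so both locations are copied.
$sources = @{
    'Prefetch'    = Join-Path $env:SystemRoot 'Prefetch'
    'config'      = Join-Path $env:SystemRoot 'System32\config'
    'winevt_Logs' = Join-Path $env:SystemRoot 'System32\winevt\Logs'
}
foreach ($name in $sources.Keys) {
    $src = $sources[$name]
    if (-not (Test-Path $src)) { Write-Log "Skipping $src (not present)"; continue }
    $dest = Join-Path $outDir $name
    Write-Log "robocopy $src -> $dest"
    robocopy $src $dest /E /R:1 /W:1 /TS /FP "/LOG+:$roboLog" | Out-Null
    Write-Log "robocopy exit code $LASTEXITCODE (values below 8 mean no copy failures)"
}

# Hash everything collected so the evidence can be verified later.
Get-ChildItem -Path $outDir -Recurse -File |
    Where-Object { $_.FullName -ne $log } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir 'hashes.csv') -NoTypeInformation

Write-Log "Collection finished"
```

The script deliberately keeps going when a tool is missing or a copy partially fails (robocopy exit codes 1-7 are informational), because on a live host a partial collection logged honestly is worth more than an aborted one; the log and hashes.csv are what you attach to the case notes.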
We have grabbed 5 things... will that be enough to crack the case?? Stay tuned!



2 comments:
Really nice post, I'll be checking your blog for the rest of the series. Just a quick PSA, there might be a typo in the paragraph before the first photo, HBary should probably be HBGary. Looking forward to more posts.
I always learn new things. Awesome post.