Tuesday, October 30, 2012

Triage IR... Because Sometimes we WANT a Firehose

So yesterday we talked about a decent amount of goodies, but we definitely could have grabbed more. What you ask? Well, here are some:

  • AutoRun Locations: Because malware likes to maintain persistence, it generally has a few places where it likes to hide in order to do so.
  • Processes: List all processes running on the machine at that given time. If it is not rootkit'ed (is that a word?) the offending process may show up here. Or... you see iexplore running, but no Internet Explorer window... strange :)
  • Network Activity: Looking at the network connections happening right now on the machine
  • Internet History: Just like it sounds, very useful if we think the user got hit by a drive-by download or they are doing some browsing they shouldn't be.
  • Services
OK-- a bit more detail on each:

AutoRun Locations
Not all malware is created equal. Some malware is trickier than others. Regardless of how APT a piece of malware is, it still needs to do two things: talk to something and maintain persistence. I am sure there is malware that has broken these two rules... but in general, 99% of the time, they hold true.

Now there are certain places (favourites, oldies but goodies) that malware likes to place itself in some form or another so it survives a reboot, or is started when a certain program is executed (think internet browsing, mail, etc). AutoRuns by SysInternals/Microsoft covers a good portion of these locations. Just keep in mind it doesn't cover all (like DLL Hijacking).

Note: if you add the /accepteula switch when running the command line SysInternal Tools the popup will not show up on the victim machine. Every little helps!

We will be using the command-line version of AutoRuns, aptly called autorunsc. There are a lot of switches you can use. I like to use the following:
-a displays all entries (you can specify individual entries as well)
-c output in CSV format
-v verify digital signatures


Processes
If you look at your task manager right now (go ahead I dare you) you will see a good amount of running applications on your system right now. Now what happens if you saw evilProcess.exe running? You would PANIC and FREAK OUT right? Malware is not always that nice and spells it out for you, but looking at the processes can help give you an indication of malicious activity, and what spawned it (Parent Process Ids or PPIDs).

I will use PsList, yet another amazing tool from SysInternals (if I could, I would get a tattoo of a heart with the phrase 'sysinternals' because that's how much I love the suite of tools). Again I recommend going to the tools webpage to see all the parameters you can give it, here are a few goodies:
-t displays in 'tree' mode. A more visual representation on who spawned who
-x (cannot be run with the -t, so this would be a separate command) displays thread and memory information as well

Network Activity
Why do you have a listening port on TCP port 6666? I don't know! You wouldn't know unless you A) checked what your network connections are and B) RESEARCH. Of course, if your organization has a proxy you would see a lot of traffic going there (and then you have to go grab proxy logs!)

Now you could use netstat, but in the spirit of trying to keep from using local commands, we will use cports by NirSoft. This is also a GUI tool, but it can be used from the command line. You can basically decide how you want the output file to be formatted (comma-delimited, tab-delimited, HTML, XML). I like CSV, so my output would be:
cports.exe /scomma (outputLocation) 
Internet History
"I swear I did not click on the link to the bulldog eating the watermelon... I do not even access the internet..."
Looking at a user's browsing history can be a good method of finding out HOW the malware got on a system. This includes looking at the browser cache as well as simply observing domains and IPs visited. Regardless of which browser is used, it's a bit difficult to look at these files in Notepad; they are formatted in a certain way. I will quickly cover IE and Mozilla.
Internet Explorer - Pasco
Pasco is a free tool from McAfee for parsing the index.dat file into something a bit more legible. Its parameters are quite simple.

Usage:
pasco [options]
-d Undelete Activity Records
-t Field Delimiter (TAB by default)
Where are index.dat files? Well it depends which OS you are looking at. You can get a great list here. The command I ran for my XP machine was:

pasco.exe "C:\Documents and Settings\Administrator\Local Settings\History.IE5\index.dat" > (locationToSaveTheOutput)

Don't forget to grab the 'All Users' index.dat. Malware likes to put itself there as well.  

Mozilla
Mozilla stores its information in a database under a profile (the default profile name is... default), so naturally we need a tool which can parse thru it and return us legible data. I recommend MozillaHistoryView from NirSoft. And YES, there is a command line available! Just like IE, these db files are located in different areas based on OS. You can go to MozillaZine for a good list of locations.

Services
Remember how I said malware likes to maintain persistence? Well malware can register itself as a service and set itself to autostart (or it creates a scheduled task which then starts the service). We will use a tool from (wait for it....) SysInternals called PsService. The one parameter I would add is the 'config' switch, which also dumps the configuration of a service (how does it start?).

Just For Shens...
  • I grabbed the Temp folder for 'All Users' as well as the 'Administrator' user (who was logged on at the time). Malware likes to put itself in the Temp folder (it's world-readable/writable by default). I may not find anything... but I'd rather have it before my admin wipes the box. (I did this using FTKImager Lite).
  • A student reminded me about DOSKEY for trying to list all the commands run while performing IR. This is SO useful if you are trying to remember all the switches you used, and sometimes you have many more tools in your arsenal you are running. Right before I ran UnixDate (which I do at the start/end of my analysis) I ran the following:
doskey /HISTORY > E:\Output\CommandsRun.txt
This gave me a text file listing every command I ran in that session (command window). Pretty useful!

So now we have a large chunk of data to parse thru... Could I have grabbed more? Sure. Could I have scripted this? Absolutely! Will what we extracted be enough to find badness??
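Since this post ends on "Could I have scripted this?", here is an added example of doing exactly that. It is my script, not the author's: it runs the tools from this post with the switches given above and drops everything on the share. Assumptions of mine: the tools sit in the same folder as the script (on the USB stick), Z:\ is the mapped share, the output folder layout is my own, and the index.dat path is the XP one for the logged-on user.

```batch
@echo off
rem Added example, not the post's own script: volatile-data triage with the tools above.
rem Assumptions: tools are in the same folder as this script (%~dp0), Z:\ is the mapped
rem share, and the output folder layout below is mine. Switches are the ones from the post.
setlocal
set TOOLS=%~dp0
set OUT=Z:\Output\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"

rem Bracket the collection with timestamps so the window of analyst activity is documented.
echo START %DATE% %TIME%> "%OUT%\collection_times.txt"

rem AutoRun locations: all entries (-a), CSV (-c), verify signatures (-v), no EULA popup.
"%TOOLS%autorunsc.exe" -a -c -v /accepteula > "%OUT%\autoruns.csv"

rem Processes: tree view of who spawned whom, then thread/memory detail as a separate run
rem (the post notes -x cannot be combined with -t).
"%TOOLS%pslist.exe" -t /accepteula > "%OUT%\pslist_tree.txt"
"%TOOLS%pslist.exe" -x /accepteula > "%OUT%\pslist_detail.txt"

rem Network connections, comma-delimited, written straight to the share.
"%TOOLS%cports.exe" /scomma "%OUT%\cports.csv"

rem Services together with their configuration (start type, binary path).
"%TOOLS%psservice.exe" config /accepteula > "%OUT%\services.txt"

rem IE history for the logged-on user. XP-style path (assumption; other OS versions differ).
"%TOOLS%pasco.exe" "%USERPROFILE%\Local Settings\History\History.IE5\index.dat" > "%OUT%\ie_history.txt"

echo END %DATE% %TIME%>> "%OUT%\collection_times.txt"

rem Last of all, record every command typed in this console window.
doskey /HISTORY > "%OUT%\CommandsRun.txt"
endlocal
```

Running it from the stick as `triage.cmd` keeps the Prefetch footprint to the tools themselves, and the START/END lines plus CommandsRun.txt give you the documentation the post keeps asking for. The 'All Users' index.dat and the Mozilla profile are left out on purpose because their locations differ per OS; add those lines once you know the box.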

Monday, October 29, 2012

Triage/IR

I am back from vacation! I am back from teaching MFIRE in Paris! What fun I have been having! Now, it is back to the grind.

A lot of times in class I get asked about tools and specific parameters to obtain data. What I hope to do with the next few posts is show off some basic tools to help an analyst out in conducting IR.
  • First Response/Triage (explaining each tool I use.. this isn't exhaustive in steps but it covers a good chunk)
  • Memory Forensics
  • Local/Remote Acquisition
So let's get started! What is the malware you ask? Psh! What fun is it if I tell you that?! :P

The first scenario is running tools from local (say USB) but dumping to a share somewhere else (mapped as Z:\). 

Step One: Memory
Following order of volatility we want to grab memory first. Memory forensics is the way forward, it uncovers things which the OS nicely forgets (generally because a rootkit tells it to!) as well as just an all around amazing resource. I am not saying you will always need the memory dump-- I am saying you will kick yourself if you need it and do not have it :)

I will use FastDump Community Edition from HBGary (edit: thanks for the catch!). It is pretty straightforward:

I really like the percentage bar, this way I know if I have time to grab a cup of coffee or not. I generally do not need to give FastDump any additional parameters to run. Just where I want the memory dump saved to.

An issue with FastDump is that it does not work on all architectures and Operating Systems. It does NOT support 64-bit anything, nor does it support Vista, 2003, or 2008. And its limit is 4GB. So what is a girl to do?

DumpIt is another tool I like to use and give to sysadmins who don't fully understand what the heck is going on. It's really easy, double click and go :) The only downfall being it saves the memdump wherever you have the executable (you cannot redirect). For this scenario then, I simply have to execute DumpIt from the share (heck all your tools can be run from the share rather than on a USB or CD/DVD)... we will get to total remoteness later.


Step Two: Master File Table
Another artifact I find very useful is the MFT (master file table). What is this you may ask? Remember the card catalog? You young whipper snappers hush now.. and Google it! For every NTFS file, there is an entry in the MFT for it. Even deleted files are possibly still in the MFT (the entry is marked as free and can be overwritten at any time!). For more information about the MFT see the Microsoft Page about it. Mike Spohn over at malware-hunters.net has a great tool called MFTDump which can be used to parse the MFT file of a machine, but first we need to grab the MFT file! The $MFT is one of those persnickety files which does not like to simply be copied and pasted, you need something to extract the file. For this scenario we will use FGET.

FGET is a free tool from HBGary which can grab files which cannot simply be copied out (think system files or files in use by the OS). It's a pretty powerful tool, I will quickly go over some useful switches, but read their FAQ for more!

  • If you only give -scan switch, by default FGET grabs
    • Full user list + ntuser.dat files
    • Prefetch directory
    • Everything in the Windows\System32\config directory
  • If running locally, to extract a file it would be the following
fget.exe -extract (file_to_be_extracted) (location_to_dump_file)

  • To do the same thing remotely:
fget.exe -scan (IP) -extract (file_to_be_extracted) (location_to_dump_file)

  • If you have a lot of computers that need a file pulled you can pass a list of IPs with the -list argument with each IP on a new line. Note you do not give a save location when dealing with multiple machines, FGET separates each one into its own folder for you (how nice). Note for things to work remotely you need to ensure your permissions are set correctly! Check the FAQ!
Step Three: Prefetch and System32\Config Contents
Just to make life difficult (and sometimes tools do not work the way you want them to, so it is always good to have a backup!) I will use a different tool to parse out prefetch files as well as registry hives and Windows logs. Robocopy is included in the Windows Server 2003 Resource Kit Tools. A short description of each is as follows:
  • Prefetch - the last 128 unique applications run on your machine. It was designed to help programs load faster by saving specific data about an application (such as DLLs used). You opened up Adobe Acrobat? It shows up in the Prefetch. You run an IR triage tool? Chances are it will show up in your Prefetch (hence you want to grab this early). Prefetch is not turned on by default in Server editions of Windows; it is, however, in Windows 7.
  • Registry - How does one describe the registry? It stores configurations and settings used in all aspects of the OS. This includes a plethora of things, like what starts at run time, how one connects to the internet, and even how deleting a file works. It is dangerous to go alone! Here take this
  • Windows Logs - Another piece of information on the OS which you may not always need, but good to grab just in case. These files contain log-in success/failures, services starting/stopping, sometimes crashes (good indicator of BOF), among many other things. Sometimes Windows Logs are not on the local machine, but saved off to a syslog of some sorts, so make sure you find out. 

The switch /TS means to preserve source file timestamps while /FP means to include the full path in output. 

We will analyse these prefetch files using another tool from malware-hunters.net called PFDump in the next post.

The next tool I will show is FTKImagerLite. Yes, it's a GUI, I know this... but hey sometimes you gotta make do with what you have (and it's pretty kickass anyways). The nice thing about Lite is that it does not perform any installation onto the disk-- but just make sure you document! Below is a quick video showing you how to extract the files from a live system (it's pretty straightforward, I just feel this post is getting quite long so I figured a video would do).

Edit: I noticed after watching this I missed something... anyone know what it is and why I should go back and grab it?

So... what is to stop you from using FTKImager to grab all the above mentioned files? Nothing really. I just want to show you multiple tools and their syntax. Like I mentioned above, sometimes tools do not work according to plan so it is always good to have a backup. And what's to stop you from scripting this? Nothing!
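To answer the "what's to stop you from scripting this?" question, here is an added example of mine, not the author's script, that chains the three steps of this post into one batch file run from the share. Assumptions of mine: the tools live in Z:\Tools, output goes under Z:\Output\<hostname>, the FastDump executable is called fastdump.exe (check your copy), and the target is an XP-era box so the event logs sit in System32\config.

```batch
@echo off
rem Added example, not the post's own script: memory, $MFT, Prefetch and System32\config
rem collected in order of volatility. Assumptions: tools in Z:\Tools, output under
rem Z:\Output\<host>, executable names as below (verify them against your copies).
setlocal
set TOOLS=Z:\Tools
set OUT=Z:\Output\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"

rem Step One: memory first. FastDump needs only a destination path, but it is 32-bit only,
rem so on anything 64-bit fall through to DumpIt (this only checks bitness; the post's
rem Vista/2003/2008 caveat you still have to check yourself). DumpIt writes next to its own
rem exe and cannot redirect, so copy it to the output folder and run it from there.
if defined PROCESSOR_ARCHITEW6432 goto dumpit
if not "%PROCESSOR_ARCHITECTURE%"=="x86" goto dumpit
"%TOOLS%\fastdump.exe" "%OUT%\memory.bin"
goto mft
:dumpit
copy "%TOOLS%\DumpIt.exe" "%OUT%\" >nul
pushd "%OUT%"
DumpIt.exe
popd

:mft
rem Step Two: $MFT will not copy normally, so FGET extracts it (syntax as in the post).
"%TOOLS%\fget.exe" -extract C:\$MFT "%OUT%\MFT.bin"

rem Step Three: Prefetch, hives and logs via robocopy. /TS and /FP put source timestamps
rem and full paths in the log as the post describes; /E includes subfolders; /R:1 /W:1
rem stop it from retrying for minutes on hives the OS holds open.
robocopy "%SystemRoot%\Prefetch" "%OUT%\Prefetch" *.pf /TS /FP /R:1 /W:1 /LOG:"%OUT%\robocopy_prefetch.log"
robocopy "%SystemRoot%\System32\config" "%OUT%\config" /E /TS /FP /R:1 /W:1 /LOG:"%OUT%\robocopy_config.log"
endlocal
```

The robocopy logs are worth keeping alongside the files: anything the OS had locked (SYSTEM, SOFTWARE and friends) shows up there as a failed copy, which is your cue to fall back on FGET, whose default -scan already pulls ntuser.dat and the whole config directory. Memory goes first and the robocopy pass last so the artefacts that change fastest are captured before the tools themselves start leaving traces in Prefetch.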

We have grabbed 5 things... will that be enough to crack the case?? Stay tuned!

Monday, October 01, 2012

Crawling Out of the Rabbit Hole...

Did everyone miss me? :P

Things have been... how do you say, absolutely crazy at work. This has affected my blogging dear readers, but I am sure you have been keeping yourselves busy. One thing I know I am eagerly looking to catch up on is the Month of Volatility Plugins which concludes this week at OMFW in Herndon. Volatility 2.2 will be officially released (you can already grab it for testing and bug finding) as well as all these additional goodies! I can't wait to go thru all the new plugins and see how they will drastically change my investigations, and hopefully update some classroom material to add the content.

If anyone performs memory analysis, and doesn't have the couple thousand dollars for HB Gary.... Volatility is where it is at.