Leveraging NTFS Timeline Forensics during the Analysis of Malware
Tim Mugherini (tmugherini), NAISG Boston, January 20, 2011
Posted May 11, 2015

Video of this talk can be found at mms://boston.naisg.org/media/201101Forensics.wmv

Transcript
Page 1: Leveraging NTFS Timeline Forensics during the Analysis of Malware

Leveraging NTFS Timeline Forensics in the Analysis of Malware

Tim Mugherini, NAISG Boston

January 20, 2011

Page 2

About Me
Caveat: I Am Not An Expert!

Page 3

Some Context

“Facts do not cease to exist because they are ignored.” - Aldous Huxley

Page 4

Being Prepared

• Malware is becoming more sophisticated.

• A deeper understanding of computer systems is needed.

• File system forensics techniques are well documented but seem underutilized.

• Analysis of the Master File Table (MFT) of the NTFS file system can be used to help establish a timeline and location of changes to the system.

What’s in your Incident Response Toolkit?

Page 5

Incident Response

• Preparation: Incident Handling Procedures, Training, Toolkits, Jump Bags, Detection & Defense Mechanisms

• Detection & Analysis: Detect the type, extent, and magnitude of the incident. Identify the malware characteristics.

• Containment, Eradication, & Recovery: Prevent the malware from spreading and causing further system damage. Once contained, remove the malware and restore the functionality and data affected by the infection.

• Post-Incident: Review incident and lessons learned. Apply this to your preparation for the next incident. Retain evidence.

Reference: National Institute of Standards and Technology (2005). SP800-83: Guide to Malware Incident Prevention and Handling. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

Where does Malware Analysis Fit In?

Page 6

Malware Analysis

Static: Analyze without executing the code
• File Analysis (e.g. location, dates and times, strings, hashes)
• Code Analysis, Reverse Engineering (e.g. decompiling, disassembling)

Dynamic: Analyze the code while it runs
• Behavioral Analysis (e.g. processes, network connections, strings in memory)
• Network Packet Analysis

Ideally you want to do both!

Where does File Forensics Fit In?

Page 7

NTFS Master File Table 101

“Facts do not 'speak for themselves', they are read in the light of theory” - Stephen Jay Gould

Page 8

Everything is a File
Overview of NTFS and the Master File Table

• NTFS ("New Technology File System") is the default file system of all modern versions of Windows.

• The Master File Table (MFT) is the heart of NTFS. It contains the metadata for every file and directory on the volume.

• Everything is a file in NTFS, including the MFT itself ($MFT).

• Each file and directory has at least one entry in the MFT.

• Each MFT entry is 1024 bytes in size (the size is defined in the boot sector); the first 42 bytes hold 12 defined header fields and the remaining space holds the attributes.

• The MFT expands as needed, and NTFS does NOT delete MFT entries once they have been created: a deleted file's entry is marked unallocated and can later be reused, with the entry's sequence number incremented on reuse.

Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.

Page 9

What FILE Information can be extracted? (the record signature 0x46494C45 is the ASCII string "FILE")

MFT Entry Header
• Signature: FILE (or BAAD for an entry NTFS found corrupt)
• Record Number
• Record Type: File/Folder
• Flags: Active (in use) / Inactive
• Sequence Number (incremented each time the entry is reused)
• Other Data Fields (fixup array, $LogFile sequence number, hard-link count, offset to the first attribute)

$Standard_Information Attribute
• Flags: Read Only, Hidden, System, Archive, etc.
• Std_Info Modification Time
• Std_Info Access Time
• Std_Info Creation (born) Time
• Std_Info Entry (MFT record modified) Time

$File_Name Attribute
• Namespace: POSIX, WIN32, DOS, or WIN32+DOS
• FN File Name
• Parent Record Number (the MFT entry of the directory that holds the file)
• FN_Info Modification Time
• FN_Info Access Time
• FN_Info Creation (born) Time
• FN_Info Entry Time
*Note: a file may carry more than one $File_Name attribute (for example a WIN32 long name and a DOS 8.3 short name), each with its own set of MACE times.

$Data Attribute
• File content stored inside the entry itself if it is small (resident, roughly under 700 bytes), otherwise a run list pointing to the clusters that hold the non-resident data.

• The MFT header carries each entry's record number and its sequence number (times reused); the parent directory's record number lives in the $File_Name attribute and is what gives you the file's location.

• Standard_Information attributes are the best known. Many of them (MACE/MACb times, flags) are what explorer.exe shows in the Properties dialog of a file or folder.

• File_Name attributes contain the file name and a second, independent set of MACE/MACb times (more on this in a bit).

Reference: Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
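As an added example (not code from the talk), here is a Python parser for a single MFT FILE record that covers exactly the fields on this slide: it checks the FILE/BAAD signature, undoes the fixup (update sequence) array, reads the record number, sequence number and flags from the header, then walks the attributes to pull the $STANDARD_INFORMATION and $FILE_NAME timestamps, the parent record reference, the name namespace, and whether $DATA is resident. The record it parses is constructed inline (a 1024-byte entry named like the talk's sample, with made-up timestamps, record numbers and USN), so it runs offline; in practice you call parse_mft_record on consecutive 1024-byte slices of the $MFT exported with FTK Imager.

```python
"""Parse one NTFS MFT FILE record (added example, not from the talk); offsets follow
Carrier, File System Forensic Analysis, ch. 13.  Feed it 1024-byte slices of $MFT."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
NAMESPACES = {0: "POSIX", 1: "WIN32", 2: "DOS", 3: "WIN32+DOS"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(raw):
    """Undo update-sequence protection: on disk the last 2 bytes of each 512-byte sector hold
    the USN and the real bytes sit in the fixup array; a USN mismatch means a torn/corrupt record."""
    rec = bytearray(raw)
    fix_off, fix_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[fix_off:fix_off + 2])
    for i in range(1, fix_count):
        end = i * SECTOR_SIZE - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end:end + 2] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]
    return bytes(rec)


def _times(buf, off):  # four FILETIMEs in NTFS order: born, modified, MFT-entry modified, accessed
    b, m, e, a = struct.unpack_from("<4Q", buf, off)
    return {"born": b, "modified": m, "entry_modified": e, "accessed": a}


def parse_mft_record(raw):
    if raw[:4] == b"BAAD":
        raise ValueError("record marked BAAD (corrupt) by NTFS")
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    seq, links, first_attr, flags = struct.unpack_from("<4H", rec, 0x10)
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
           "link_count": links, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
           "file_names": []}
    off = first_attr
    while off + 16 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if non_resident:  # content lives in clusters described by a run list; real size at +0x30
            content, size = b"", struct.unpack_from("<Q", rec, off + 0x30)[0]
        else:             # small content is stored inside the MFT entry itself
            size, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + size]
        if atype == ATTR_STD_INFO:
            out["si"] = _times(content, 0)
            out["si"]["dos_flags"] = struct.unpack_from("<I", content, 0x20)[0]
        elif atype == ATTR_FILE_NAME:
            parent = struct.unpack_from("<Q", content, 0)[0]   # 48-bit record no. + 16-bit seq
            name_len, ns = content[0x40], content[0x41]
            fn = _times(content, 8)
            fn.update(name=content[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                      namespace=NAMESPACES.get(ns, ns),
                      parent_record=parent & 0xFFFFFFFFFFFF, parent_sequence=parent >> 48)
            out["file_names"].append(fn)
        elif atype == ATTR_DATA:
            out["data"] = {"resident": not non_resident, "size": size}
        off += alen
    return out


# ---- constructed sample record: made-up timestamps, record numbers and USN ----
def _resident_attr(atype, content, attr_id):
    body = content + b"\0" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, attr_id,
                       len(content), 24, 0, 0) + body


def build_sample_record():
    born = dt_to_filetime(datetime(2010, 11, 13, 1, 17, 16, 123456, tzinfo=timezone.utc))
    si = struct.pack("<4QI36x", born, born + 50_000_000, born + 50_000_000, born, 0x20)
    name = "ISe6d_2229.exe".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, born, born, born, born,   # parent = root dir
                     3592192, 3590656, 0x20, 0, len(name) // 2, 1) + name   # namespace 1 = WIN32
    attrs = (_resident_attr(ATTR_STD_INFO, si, 0) + _resident_attr(ATTR_FILE_NAME, fn, 1)
             + _resident_attr(ATTR_DATA, b"MZ" + b"\x90" * 30, 2) + struct.pack("<II", ATTR_END, 0))
    first_attr = 0x38  # 48-byte header + 6-byte fixup array, rounded up to 8
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, first_attr, 1,
                      first_attr + len(attrs), RECORD_SIZE, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\0" * (first_attr - len(hdr)) + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    usn = b"\x34\x12"
    rec[0x30:0x32] = usn
    for i in range(2):  # save each sector's last 2 bytes in the array, stamp the USN over them
        end = (i + 1) * SECTOR_SIZE - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)
```

The fixup step is the part hand-rolled parsers most often skip; skipping it silently corrupts whichever attribute happens to straddle a sector boundary, and it is also the only integrity check the record carries, so a mismatch is worth reporting rather than ignoring.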

Page 10

Standard_Information Attributes: The Good, The Bad, The WTF

The Good: the behavior of Windows with respect to Standard_Information MACE times is well known.

The Bad: Standard_Information MACE times can easily be manipulated (e.g. Metasploit's timestomp, or a touch-style utility), because they are exactly what the SetFileTime() API writes.

OK ... WTF: did you know last-access time updates are disabled by default in Windows Vista/7?
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate=1
So an access time that never moves past the creation time is normal on these systems, not evidence of anything.

Page 11

PowerShell: Friend or Foe? Manipulation of Standard_Information Dates

Reference: Hull, David (2008). Touch on Windows via Powershell. Retrieved from http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html

Page 12

Don't Be Duped
File_Name Attributes Are Not Easily Manipulated

• When a file is created, its File_Name MACE times are set to the same values as the Standard_Information times.

• They do not typically get updated the way Standard_Information values do, unless the file is moved or renamed.

• Consequently, it is more difficult to manipulate File_Name attributes: there is no documented user-mode API for setting them, so SetFileTime()-based tools leave them alone (note: I did not say impossible, more on this later).

• All attribute times need to be analyzed when using MFT analysis; compare $SI against $FN rather than trusting either alone.

• Some work has been done cataloging the behavioral changes of File_Name time attributes.

Reference: Hull, David (2010). Digital Forensics: Detecting time stamp manipulation. Retrieved from http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation

Page 13

Thank You Rob
MFT Attribute Behavior

Reference: Lee, Rob T. (2010). Windows 7 MFT Entry Timestamp Properties. Retrieved from http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties

Page 14

Intro to Our Malware Sample

“It is easier to believe a lie that one has heard a thousand times than to believe a fact that no one has heard before.” – Author Unknown

Page 15

Rogue AV Prerequisites: There Are None

• Up-to-date Windows 7 OS – No Problem!
• No local admin rights – No Problem!
• Existing antivirus with current signatures – No Problem!
• Windows Firewall hardened with GPO – No Problem!
• IE 8 in Medium/High security mode – No Problem!
• UAC enabled – No Problem!

But what features do you get with your install, you ask?

Page 16

Rogue AV Feature Set: Replaces Existing Antivirus without Interaction

Page 17

Rogue AV Feature Set: Places Bogus Malicious Files on Your File System

Page 18

Rogue AV Feature Set: Provides Protection Sopranos Style

Page 19

Rogue AV Feature Set: Confused? Live Support Chat Can Assist

Page 20

Rogue AV Feature Set: Protects Against Analysis by Your IT Practitioner

Page 21

Analysis of Our Sample

“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passion, they cannot alter the state of facts and evidence.” - John Adams

Page 22

Down the Rabbit Hole
Summary of the Rogue File/Process

File Name: ISe6d_2229.exe
File Type: Windows 32-bit Portable Executable
MD5: 699ebebcac9aaeff67bee94571e373a1
SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2
File size: 3590656 bytes
First seen on VirusTotal: 2010-11-14 01:20:29
Last seen: 2010-11-16 15:52:22
http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742

My Write-Up: http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html

Page 23

Grabbing the MFT
FTK Imager Lite: Exporting the MFT ($MFT sits in the root of the volume)

Page 24

Parsing the MFT
analyzeMFT: Parse & Export Records

Page 25

Analyzing the MFT
Based on the Facts, Find the Infection Locations

Page 26

Leveraging the Results

“We can have facts without thinking but we cannot have thinking without facts.” - John Dewey

Page 27

Using Information from the MFT
Prefetch Parser: Parsing the Prefetch Folder

Prefetch file                    Referenced path
SETUP_2229[1].EXE-11C68EE8.pf    \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\SETUP_2229[1].EXE
TASKKILL.EXE-8F5B2253.pf         \USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\ANPRICE=85[1].HTM
RUNDLL32.EXE-80EAA685.pf         \PROGRAMDATA\E6DB66\ISE6D_2229.EXE

Record                           File                 Times Run   UTC Time
SETUP_2229[1].EXE-11C68EE8.pf    SETUP_2229[1].EXE    1           Sat Nov 13 01:16:53 2010
TASKKILL.EXE-8F5B2253.pf         TASKKILL.EXE         1           Sat Nov 13 01:16:53 2010
RUNDLL32.EXE-80EAA685.pf         RUNDLL32.EXE         1           Sat Nov 13 01:17:16 2010

Read together: the installer downloaded through IE and taskkill.exe ran at 01:16:53, and 23 seconds later rundll32.exe loaded the dropped ISE6D_2229.EXE from \ProgramData, the same file the MFT timeline pointed at.
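The prefetch parser used above is a separate tool; as an added example (not the tool's code and not from the talk), here is a Python reader for the header of an uncompressed .pf file that extracts the same three things the table relies on: the executable name, the path hash that forms the file name, and the last-run time and run count. Offsets depend on the format version, so they are kept in a table keyed by version. The sample file is constructed inline from the dropper's entry on the slide (name, hash and run time taken from the listing; the bytes are made up), and the parser rebuilds the expected on-disk file name so you can cross-check it against the directory listing.

```python
"""Read the header of an uncompressed Windows Prefetch (.pf) file (added example,
not from the talk).  Field offsets depend on the format version."""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of last-run FILETIME(s), how many are stored, offset of run count)
# 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.x.  Windows 10 files (version 30) are
# MAM-compressed and must be decompressed before these offsets apply.
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}


def filetime_to_dt(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch_header(buf):
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA":
        raise ValueError("no SCCA signature: not a prefetch file, or still MAM-compressed")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    run_off, n_times, count_off = LAYOUT[version]
    exe_name = buf[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 0x4C)[0]
    run_times = struct.unpack_from("<%dQ" % n_times, buf, run_off)
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": "%08X" % path_hash,
        # the name Windows gives the file on disk; compare with what is actually in \Prefetch
        "expected_filename": "%s-%08X.pf" % (exe_name, path_hash),
        "last_run": [filetime_to_dt(t) for t in run_times if t],  # v26 keeps up to 8, newest first
        "run_count": struct.unpack_from("<I", buf, count_off)[0],
    }


def build_sample_v23(exe_name, path_hash, last_run, run_count):
    """Constructed version-23 header; only the fields parse_prefetch_header reads are filled."""
    hdr = bytearray(0xF0)
    struct.pack_into("<I4s", hdr, 0, 23, b"SCCA")
    struct.pack_into("<I", hdr, 0x0C, len(hdr))
    name = exe_name.encode("utf-16-le")
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x4C, path_hash)
    struct.pack_into("<Q", hdr, 0x80, dt_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x98, run_count)
    return bytes(hdr)


# Constructed to match the dropper's prefetch entry on the slide; the file bytes are made up.
SAMPLE_PF = build_sample_v23("SETUP_2229[1].EXE", 0x11C68EE8,
                             datetime(2010, 11, 13, 1, 16, 53, tzinfo=timezone.utc), 1)


def sample_report():
    return parse_prefetch_header(SAMPLE_PF)


if __name__ == "__main__":
    r = sample_report()
    print(r["expected_filename"], r["run_count"], r["last_run"][0].strftime("%a %b %d %H:%M:%S %Y"))
```

A prefetch file whose stored name or hash does not match its own file name, or whose last-run time is newer than the $SI times of the executable it names, is itself worth a line on the timeline.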

Page 28

Using Information from the MFT
Exporting the Windows Registry Hives

Registry hive                  Supporting files
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

• Most live in the %SystemRoot%\System32\Config directory; the per-user hives (NTUSER.DAT, plus UsrClass.dat under AppData\Local\Microsoft\Windows) live in each user's profile.

• Tools such as RegRipper & Windows Registry Recovery can be used to perform further analysis based on the facts discovered.

Reference: Microsoft MSDN (2010). Registry Hives. Retrieved from http://msdn.microsoft.com/en-us/library/ms724877%28VS.85%29.aspx

Persistence found for the sample (a per-user Run value, which needs no admin rights to write):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"

Page 29

Using Information from the MFT
Recovering Deleted Files with VSS

• FTK Imager has the ability to export deleted files if their clusters have not been overwritten.
• Microsoft Volume Shadow Copy Service (VSS) is another option: an older snapshot may still hold the file intact.

From an elevated prompt, list the available snapshots with vssadmin list shadows, then mount one as a directory (the trailing backslash on the target is required):

mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Reference: Mugherini, Timothy (2010). Forensics Analysis: Windows Shadow Copies. Retrieved from http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html

Page 30

Using Information from the MFT
Hashes Are Your Friend

Once suspect files are found, export their hashes and leverage online resources:
• NIST National Software Reference Library (known-good)
• SANS ISC Hash Database
• Team Cymru Malware Hash Registry (known-bad)

FTK Imager and other Windows tools can hash individual files, but what if you want to hash every file on a drive or volume?

http://md5deep.sourceforge.net/

md5deep.exe -r C:\ > hash_drive.txt

(-r recurses into subdirectories; -m known.txt instead reports only files whose hash appears in a list you supply, which is how you sweep a volume for a sample you already have.)

Page 31

The Trouble with Facts…

“The trouble with facts is that there are so many of them.” - Samuel McChord Crothers

Page 32

File_Name Attributes Can Change
Manipulating File_Name Attributes

Page 33

How can we Detect Attribute Manipulation?

Some Possibilities
• Recent Documents and Programs (if not disabled)
• System Events (e.g. a system time change recorded in the event log)
• Prefetch differences
• Differences between $SI and $FN attributes ($FN creation later than $SI creation)
• $SI MACE times with usec/microseconds = 00 (timestomp-style tools write whole seconds; NTFS itself records 100-nanosecond resolution)

Hope Is Not Lost

New Features in analyzeMFT.py (v 1.5)
• Now reports useconds for all time attributes
• -a (anomaly detection) adds two columns:
  – std-fn-shift: Y = $FN create time is after the $SI create time
  – usec-zero: Y = $SI create time has usec = 0
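As an added example (not analyzeMFT's code), the two -a checks above, plus a stricter variant (all four $SI times on whole seconds) and a rough "how far back was it pushed" figure, run over three constructed records given as FILETIME integers (names borrowed from the talk's sample, times made up): an untouched file, a timestomped one, and one whose $FN is newer than its $SI only because it was renamed later, the legitimate case the earlier slide warns about. That last record is still flagged, which is the point: these flags pick records to look at, they are not verdicts.

```python
"""Flag $SI/$FN timestamp anomalies the way analyzeMFT -a does (added example,
not the tool's code).  Times are FILETIME integers: 100 ns ticks since 1601-01-01 UTC."""
from datetime import datetime, timezone

TICKS = 10_000_000                      # FILETIME ticks per second
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(dt, extra_ticks=0):
    """datetime -> FILETIME; extra_ticks supplies the 7th sub-second digit datetime cannot hold."""
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * TICKS + d.microseconds * 10 + extra_ticks


def anomaly_flags(rec):
    si, fn = rec["si"], rec["fn"]
    # $FN born after $SI born: $SI was pushed backwards after the file existed.
    # A move/rename can also rewrite $FN, so this alone is a lead, not a verdict.
    std_fn_shift = fn["born"] > si["born"]
    # $SI born on a whole second: timestomp-style tools call SetFileTime() with
    # second-granularity input, whereas NTFS itself writes 100 ns resolution.
    usec_zero = si["born"] % TICKS == 0
    # Stronger form: all four $SI times on whole seconds.
    si_all_whole = all(v % TICKS == 0 for v in si.values())
    backdated_days = (fn["born"] - si["born"]) / TICKS / 86400 if std_fn_shift else 0.0
    return {"std_fn_shift": std_fn_shift, "usec_zero": usec_zero,
            "si_all_whole_seconds": si_all_whole,
            "backdated_days": round(backdated_days, 2),
            "review": std_fn_shift or si_all_whole}


def triage(records):
    return {r["name"]: anomaly_flags(r) for r in records}


def review_list(records):
    return [name for name, f in triage(records).items() if f["review"]]


def _mace(born, modified=None, accessed=None, entry=None):
    return {"born": born, "modified": modified if modified is not None else born,
            "accessed": accessed if accessed is not None else born,
            "entry": entry if entry is not None else born}


# Constructed records; the names mirror the talk's sample, the times are made up.
T_INFECT = filetime(datetime(2010, 11, 13, 1, 17, 16, 123456, tzinfo=timezone.utc), 7)
T_STOMP = filetime(datetime(2008, 4, 14, 12, 0, 0, tzinfo=timezone.utc))
T_MOVE = T_INFECT + 25 * TICKS + 4_410_321

SAMPLE_RECORDS = [
    # untouched file: $SI and $FN agree, odd 100 ns ticks everywhere
    {"name": "setup_2229[1].exe", "si": _mace(T_INFECT, modified=T_INFECT + 3 * TICKS + 55),
     "fn": _mace(T_INFECT)},
    # timestomped: all four $SI times set to one whole second in 2008, $FN still says 2010
    {"name": "ISe6d_2229.exe", "si": _mace(T_STOMP), "fn": _mace(T_INFECT)},
    # renamed after creation: $FN newer than $SI, but the sub-seconds look natural
    {"name": "report.doc", "si": _mace(T_INFECT, modified=T_INFECT + 9 * TICKS + 8),
     "fn": _mace(T_MOVE)},
]

if __name__ == "__main__":
    for name, f in triage(SAMPLE_RECORDS).items():
        print("%-20s shift=%s usec0=%s all_whole=%s backdated_days=%s" % (
            name, f["std_fn_shift"], f["usec_zero"], f["si_all_whole_seconds"], f["backdated_days"]))
```

On a real export you would build the records from the analyzeMFT CSV rather than by hand; the whole-second check only works if the parser kept the sub-second digits, which is exactly why v1.5 started reporting them.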

Page 34

Summary

• This is one forensic technique (timeline analysis) that focuses on one object ($MFT) in one layer (metadata) of one type of file system (NTFS) during one type of malware analysis (static) that is typically done during one phase (Detection/Analysis) of incident response.

• It is something you can add to your Incident Response and Malware Analysis toolkit.

• It may be necessary to correlate and verify your results with other methods and tools. Tools such as log2timeline are available to create "super timelines", making it even easier to build a timeline of malicious activity on a system.

An Answer to a Question Might Be Another Question

Page 35

Go Forth and Prosper
Additional Resources and Tools

Additional Resources
• Lenny Zeltser: Combating Malicious Software
• NIST Special Publication 800-61: Computer Security Incident Handling Guide
• NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling
• NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
• Reversing Malware Blog
• SANS Computer Forensics & Incident Response Blog
• SANS Reading Room (too many great papers to mention: check the Forensics, Incident Response, and Malware Analysis categories)
• Windows Incident Response Blog

Books
• Carrier, Brian (2005). File System Forensic Analysis. Addison Wesley.
• Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, Second Edition. Syngress.

Tools
• analyzeMFT
• FTK Imager Lite
• md5deep
• Prefetch Parser
• RegRipper
• Windows Registry Recovery

Page 36

Questions
Please Be Gentle