Last week, playing with a forensics challenge left by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each one of the affected computers, and a capture file of the network traffic. However, reviewing the novelties included in this Alpha version I saw a couple of them quite interesting: mbrparser and mftparser.
Mftparser, as indicated in the Volatility webpage, scans and analyzes entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.
Despite having the timeline, I decided to try the new plugin and compare the output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the body format of Sleuthkit (with option –output=body).
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f ENG-USTXHOU-148/memdump.bin mftparser –output=body Volatile Systems Volatility Framework 2.3_alpha Scanning for MFT entries and building directory, this can take a while (FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273| 1353971273|1353971273 (SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273| 1353971273|1353971273 (FN) 0x12d588|WINDOWS\Prefetch\NET.EXE-01A53C2F.pf|11727|---a-------I---|0|0|424|1353971273| 1353971273|1353971273|1353971273 (FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306| 1353971306|1353971306 (SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306| 1353971306|1353971306 (FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0 (FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306| 1353971306|1353971306 (SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005| 1353980005|1353971306 (FN) 0x311000|WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf|11728|---a-------I---|0|0|480|1353971306|13 53971306|1353971306|1353971306 (FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435| 1353971435|1353971435 (SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493| 1353971493|1353971435 [...]
Then you just have to run mactime (included on Sleuthkit) on this file and you get a system timeline from the RAM dump.
mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b ENG-USTXHOU-148/body.txt > ENG-USTXHOU-148/body_mactime.txt
I find this especially useful when, for reasons of size or availability, we can not have a disk image to get the information about the creation or access times of certain files.
Here’s an example. Thanks to searching for strings (strings command with the IP showed with the command connscan) directly on the RAM dump, we find a mail received by the user is that contains a link to a suspicious executable file:
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f
ENG-USTXHOU-148/memdump.bin connscan
Volatile Systems Volatility Framework 2.3_alpha
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0 1.0.0.0:0 36569092
0x01ffa850 172.16.150.20:1291 58.64.132.141:80 1024
0x0201f850 172.16.150.20:1292 172.16.150.10:445 4
0x02084e68 172.16.150.20:1281 172.16.150.10:389 628
0x020f8988 172.16.150.20:2862 172.16.150.10:135 696
0x02201008 172.16.150.20:1280 172.16.150.10:389 628
0x18615850 172.16.150.20:1292 172.16.150.10:445 4
0x189e8850 172.16.150.20:1291 58.64.132.141:80 1024
0x18a97008 172.16.150.20:1280 172.16.150.10:389 628
0x18b8e850 0.0.0.0:0 1.0.0.0:0 36569092
0x18dce988 172.16.150.20:2862 172.16.150.10:135 696
mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin >
ENG-USTXHOU-148/strings.txt
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt
[…]
Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <isd@petro-markets.info>
To: <amirs@petro-market.org>, <callb@petro-market.org>,
<wrightd@petro-market.org>
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd@petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus. This is critical and must be done ASAP! Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions. Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">
[…]
Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f ENG-USTXHOU-148/memdump.bin iehistory Volatile Systems Volatility Framework 2.3_alpha ************************************************** Process: 284 explorer.exe Cache type "URL " at 0x2895000 Record length: 0x100 Location: Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe Last modified: 2012-11-26 23:01:53 Last accessed: 2012-11-26 23:01:53 File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8
But it would be thanks to the timeline created by the plugin mftparser that we could confirm he did not only clicked the link but also that the file was downloaded and executed, and thus the system compromised.
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
[…]
Mon Nov 26 2012 23:01:54 472 mac. --------------- 0 0 10117 Documents and Settings\
callb\Local Settings\Temp
352 macb ---a-------I--- 0 0 11721 System Volume Information\
_restore{68B1E438-DDF2-48EE-
BFAF-9C59BEF8C439}\RP26\
A0008032.sys
504 macb ---a-------I--- 0 0 11722 WINDOWS\Prefetch\
SYMANTEC-1.43-1[2].
EXE-3793B625.pf
504 macb ---a-------I--- 0 0 11722 WINDOWS\Prefetch\SYMANT~1.PF
584 mac. --------------- 0 0 3420 WINDOWS\system32\CatRoot2
824 .a.. --------------- 0 0 3432 WINDOWS\system32\CatRoot2\
{F750E~1
344 mac. ---a----------- 0 0 6996 WINDOWS\system32\CatRoot2\
tmp.edb
352 .a.. ---a----------- 0 0 8499 WINDOWS\system32\CatRoot2\
edb00095.log
344 .ac. -h------------- 0 0 8610 WINDOWS\system32\6to4ex.dll
336 mac. ---a----------- 0 0 8611 WINDOWS\system32\CatRoot2\
edb.log
472 mac. -----------I--- 0 0 8823 System Volume Information\
_restore{68B1E438-DDF2-48EE-
BFAF-9C59BEF8C439}\RP26
Mon Nov 26 2012 23:01:55 352 m.c. ---a-----c----- 0 0 10219 WINDOWS\system32\dllcache\
beep.sys
344 mac. ---a----------- 0 0 206 WINDOWS\system32\drivers\
beep.sys
416 .a.. ---a----------- 0 0 3438 WINDOWS\system32\CatRoot2\
{F750E6C3-38EE-11D1-85E5-
00C04FC295EE}\TIMEST~1
416 .a.. ---a----------- 0 0 3439 WINDOWS\system32\CatRoot\
{F750E6C3-38EE-11D1-85E5-
00C04FC295EE}\TIMEST~1
576 .a.. -h------------- 0 0 45 WINDOWS\inf
344 mac. ---a----------- 0 0 7161 WINDOWS\system32\wbem\Logs\
wbemess.log
352 .a.. ---a----------- 0 0 8071 WINDOWS\inf\syssetup.inf
568 ..c. -hs--------I--- 0 0 8835 Documents and Settings\callb\
IETLDC~1
344 m.c. -hsa-------I--- 0 0 8836 Documents and Settings\callb\
IETldCache\index.dat
344 .a.. --s------------ 0 0 9481 WINDOWS\system32\config\
systemprofile\Application Data\
Microsoft\SystemCertificates\My\
CTLs
344 .a.. --s------------ 0 0 9482 WINDOWS\system32\config\
systemprofile\Application Data\
Microsoft\SystemCertificates\My\
CRLs
472 .a.. --s------------ 0 0 9483 WINDOWS\system32\config\
systemprofile\Application Data\
Microsoft\SystemCertificates\
My\CERTIF~1
Mon Nov 26 2012 23:01:56 352 macb ---a-------I--- 0 0 10216 System Volume Information\
_restore{68B1E438-DDF2-48EE-
BFAF-9C59BEF8C439}\RP26\
A0008033.PNF
360 mac. ---a----------- 0 0 3355 WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59 352 .ac. ---a-----c----- 0 0 10219 WINDOWS\system32\dllcache\
beep.sys
352 macb ---a-------I--- 0 0 11705 System Volume Information\
_restore{68B1E438-DDF2-
48EE-BFAF-9C59BEF8C439}\
RP26\A0008034.sys
936 mac. rhs------c----- 0 0 71 WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07 352 .a.. ---a----------- 0 0 23813 WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10 472 macb --------------- 0 0 7556 WINDOWS\webui
Mon Nov 26 2012 23:03:21 488 macb ---a-------I--- 0 0 11706 WINDOWS\Prefetch\
IPCONFIG.EXE-2395F30B.pf
488 macb ---a-------I--- 0 0 11706 WINDOWS\Prefetch\IPCONF~1.PF
352 .a.. ---a----------- 0 0 24145 WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55 376 mac. ---a----------- 0 0 3436 WINDOWS\system32\CatRoot2\
{F750E6C3-38EE-11D1-85E5-
00C04FC295EE}\catdb
Mon Nov 26 2012 23:04:14 352 .a.. ---a----------- 0 0 23351 WINDOWS\system32\drivers\
fastfat.sys
Mon Nov 26 2012 23:04:24 336 mac. ---a----------- 0 0 9790 WINDOWS\system32\CatRoot2\
edb.chk
Mon Nov 26 2012 23:06:34 504 macb ---a----------- 0 0 11710 WINDOWS\ps.exe
472 m.c. --------------- 0 0 28 WINDOWS
Mon Nov 26 2012 23:06:35 504 m.c. ---a----------- 0 0 11710 WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47 416 macb ---a----------- 0 0 11719 WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48 416 mac. ---a----------- 0 0 11719 WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52 440 macb ---a----------- 0 0 11723 WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56 344 macb ---a----------- 0 0 11724 WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59 368 macb ---a----------- 0 0 11725 WINDOWS\webui\wc.exe
288 m... ---a----------- 0 0 11739 WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31 352 .a.. --------------- 0 0 11470 WINDOWS\system32\iertutil.dll
344 .a.. ---a----------- 0 0 11498 WINDOWS\system32\urlmon.dll
344 .a.. ---a----------- 0 0 11502 WINDOWS\system32\wininet.dll
488 mac. ---a-------I--- 0 0 11706 WINDOWS\Prefetch\IPCONF~1.PF
352 macb ---a----------- 0 0 11726 WINDOWS\webui\netuse.dll
[...]
The other highlighted files are those that Dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below provided by Bryan Nolen (@BryanNolen) at Volatility page.
