Last week, while playing with a forensics challenge posted by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge the author had included the RAM dump and the disk timeline of each of the affected computers, plus a capture file of the network traffic. While reviewing the new features in this alpha version, I found two of them particularly interesting: mbrparser and mftparser.
Mftparser, as described on the Volatility web page, scans and analyses entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.
Despite already having the timeline, I decided to try the new plugin and compare its output with the one we had been given. The output can be displayed in a tabular format or, and this is where it gets powerful, in the Sleuth Kit body format (with the --output=body option).
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f ENG-USTXHOU-148/memdump.bin mftparser --output=body
Volatile Systems Volatility Framework 2.3_alpha
Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|1353971273|1353971273
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|1353971273|1353971273
(FN) 0x12d588|WINDOWS\Prefetch\NET.EXE-01A53C2F.pf|11727|---a-------I---|0|0|424|1353971273|1353971273|1353971273|1353971273
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|1353971306|1353971306
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|1353971306|1353971306
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|1353971306|1353971306
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|1353980005|1353971306
(FN) 0x311000|WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf|11728|---a-------I---|0|0|480|1353971306|1353971306|1353971306|1353971306
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|1353971435|1353971435
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|1353971493|1353971435
[...]
Then you just have to run mactime (included in the Sleuth Kit) on this file and you get a system timeline built from the RAM dump.
mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b ENG-USTXHOU-148/body.txt > ENG-USTXHOU-148/body_mactime.txt
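To show what mactime is doing with those body lines, here is a small Python script that parses the body format printed by mftparser and groups the timestamps into mactime-style rows with a "macb" activity string. It is an added example, not code from the original post, from Volatility or from the Sleuth Kit; the sample input is three lines copied from the mftparser output above, and the function names are my own.

```python
"""mactime-style timeline from Sleuth Kit body-format lines (added example,
not Volatility or Sleuth Kit code).  Body format, one record per line:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: three body lines taken from the mftparser output above.
SAMPLE_BODY = r"""(FN) 0x12d588|WINDOWS\Prefetch\NET.EXE-01A53C2F.pf|11727|---a-------I---|0|0|424|1353971273|1353971273|1353971273|1353971273
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|1353980005|1353971306
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
"""

# mactime prints the activity letters in m,a,c,b order; map each letter to its column.
TIME_COLUMNS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))


def parse_body(text):
    """Yield (epoch, letter, size, mode, inode, name) for every non-zero timestamp."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # truncated or foreign line: skip it rather than guess
        for letter, col in TIME_COLUMNS:
            epoch = int(f[col])
            if epoch:  # 0 means "no timestamp", which is what the (Null) FN entries carry
                yield epoch, letter, f[6], f[3], f[2], f[1]


def build_timeline(text):
    """Return sorted rows (epoch, 'Mon Nov 26 2012 23:07:53', 'macb', size, mode, inode, name)."""
    letters_by_row = defaultdict(set)
    for epoch, letter, size, mode, inode, name in parse_body(text):
        letters_by_row[(epoch, inode, name, size, mode)].add(letter)
    rows = []
    for (epoch, inode, name, size, mode), letters in sorted(letters_by_row.items()):
        flags = "".join(c if c in letters else "." for c in "macb")
        stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append((epoch, stamp, flags, size, mode, inode, name))
    return rows


def between(rows, start, end):
    """Rows whose epoch lies in [start, end]: zoom in on the minutes around an event."""
    return [r for r in rows if start <= r[0] <= end]


if __name__ == "__main__":
    for _, stamp, flags, size, mode, inode, name in build_timeline(SAMPLE_BODY):
        print(f"{stamp} {size:>5} {flags} {mode} 0 0 {inode} {name}")
```

Note that the SI record of the same file yields two rows: one for its creation time and one for the later modify/access/change burst, which is exactly the split you see in the mactime output further down.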
I find this especially useful when, for reasons of size or availability, we cannot get hold of a disk image from which to obtain the creation or access times of certain files.
Here's an example. By searching the RAM dump directly for strings (the strings command, looking for the IP address shown by the connscan plugin), we find an e-mail received by the user that contains a link to a suspicious executable file:
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f ENG-USTXHOU-148/memdump.bin connscan
Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > ENG-USTXHOU-148/strings.txt
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt
[...]
Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
    by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
    Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <isd@petro-markets.info>
To: <amirs@petro-market.org>, <callb@petro-market.org>, <wrightd@petro-market.org>
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd@petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]

This is a multi-part message in MIME format.

------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Attn: Immediate Action is Required!!

The IS department is requiring that all associates update to the new =
version of anti-virus. This is critical and must be done ASAP! Failure =
to update anti-virus may result in negative actions.

Please download the new anti-virus and follow the instructions. Failure =
to install this anti-virus may result in loosing your job!

Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe

Regards,
The IS Department

------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">
[...]
Running the iehistory plugin (also new in Volatility 2.3), we could confirm that the user clicked the link:
mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f ENG-USTXHOU-148/memdump.bin iehistory
Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
Last modified: 2012-11-26 23:01:53
Last accessed: 2012-11-26 23:01:53
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8
But it is thanks to the timeline created by the mftparser plugin that we could confirm that he not only clicked the link, but also that the file was downloaded and executed, and thus that the system was compromised.
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
[...]
Mon Nov 26 2012 23:01:54   472 mac. --------------- 0 0 10117 Documents and Settings\callb\Local Settings\Temp
                           352 macb ---a-------I--- 0 0 11721 System Volume Information\_restore{68B1E438-DDF2-48EE-BFAF-9C59BEF8C439}\RP26\A0008032.sys
                           504 macb ---a-------I--- 0 0 11722 WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf
                           504 macb ---a-------I--- 0 0 11722 WINDOWS\Prefetch\SYMANT~1.PF
                           584 mac. --------------- 0 0 3420  WINDOWS\system32\CatRoot2
                           824 .a.. --------------- 0 0 3432  WINDOWS\system32\CatRoot2\{F750E~1
                           344 mac. ---a----------- 0 0 6996  WINDOWS\system32\CatRoot2\tmp.edb
                           352 .a.. ---a----------- 0 0 8499  WINDOWS\system32\CatRoot2\edb00095.log
                           344 .ac. -h------------- 0 0 8610  WINDOWS\system32\6to4ex.dll
                           336 mac. ---a----------- 0 0 8611  WINDOWS\system32\CatRoot2\edb.log
                           472 mac. -----------I--- 0 0 8823  System Volume Information\_restore{68B1E438-DDF2-48EE-BFAF-9C59BEF8C439}\RP26
Mon Nov 26 2012 23:01:55   352 m.c. ---a-----c----- 0 0 10219 WINDOWS\system32\dllcache\beep.sys
                           344 mac. ---a----------- 0 0 206   WINDOWS\system32\drivers\beep.sys
                           416 .a.. ---a----------- 0 0 3438  WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TIMEST~1
                           416 .a.. ---a----------- 0 0 3439  WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TIMEST~1
                           576 .a.. -h------------- 0 0 45    WINDOWS\inf
                           344 mac. ---a----------- 0 0 7161  WINDOWS\system32\wbem\Logs\wbemess.log
                           352 .a.. ---a----------- 0 0 8071  WINDOWS\inf\syssetup.inf
                           568 ..c. -hs--------I--- 0 0 8835  Documents and Settings\callb\IETLDC~1
                           344 m.c. -hsa-------I--- 0 0 8836  Documents and Settings\callb\IETldCache\index.dat
                           344 .a.. --s------------ 0 0 9481  WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs
                           344 .a.. --s------------ 0 0 9482  WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs
                           472 .a.. --s------------ 0 0 9483  WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CERTIF~1
Mon Nov 26 2012 23:01:56   352 macb ---a-------I--- 0 0 10216 System Volume Information\_restore{68B1E438-DDF2-48EE-BFAF-9C59BEF8C439}\RP26\A0008033.PNF
                           360 mac. ---a----------- 0 0 3355  WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59   352 .ac. ---a-----c----- 0 0 10219 WINDOWS\system32\dllcache\beep.sys
                           352 macb ---a-------I--- 0 0 11705 System Volume Information\_restore{68B1E438-DDF2-48EE-BFAF-9C59BEF8C439}\RP26\A0008034.sys
                           936 mac. rhs------c----- 0 0 71    WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07   352 .a.. ---a----------- 0 0 23813 WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10   472 macb --------------- 0 0 7556  WINDOWS\webui
Mon Nov 26 2012 23:03:21   488 macb ---a-------I--- 0 0 11706 WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf
                           488 macb ---a-------I--- 0 0 11706 WINDOWS\Prefetch\IPCONF~1.PF
                           352 .a.. ---a----------- 0 0 24145 WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55   376 mac. ---a----------- 0 0 3436  WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Mon Nov 26 2012 23:04:14   352 .a.. ---a----------- 0 0 23351 WINDOWS\system32\drivers\fastfat.sys
Mon Nov 26 2012 23:04:24   336 mac. ---a----------- 0 0 9790  WINDOWS\system32\CatRoot2\edb.chk
Mon Nov 26 2012 23:06:34   504 macb ---a----------- 0 0 11710 WINDOWS\ps.exe
                           472 m.c. --------------- 0 0 28    WINDOWS
Mon Nov 26 2012 23:06:35   504 m.c. ---a----------- 0 0 11710 WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47   416 macb ---a----------- 0 0 11719 WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48   416 mac. ---a----------- 0 0 11719 WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52   440 macb ---a----------- 0 0 11723 WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56   344 macb ---a----------- 0 0 11724 WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59   368 macb ---a----------- 0 0 11725 WINDOWS\webui\wc.exe
                           288 m... ---a----------- 0 0 11739 WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31   352 .a.. --------------- 0 0 11470 WINDOWS\system32\iertutil.dll
                           344 .a.. ---a----------- 0 0 11498 WINDOWS\system32\urlmon.dll
                           344 .a.. ---a----------- 0 0 11502 WINDOWS\system32\wininet.dll
                           488 mac. ---a-------I--- 0 0 11706 WINDOWS\Prefetch\IPCONF~1.PF
                           352 macb ---a----------- 0 0 11726 WINDOWS\webui\netuse.dll
[...]
The other highlighted files are the ones the dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below, provided by Bryan Nolen (@BryanNolen) on the Volatility page.