New MFTParser plugin in the alpha version of Volatility

Last week, playing with a forensics challenge left by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each one of the affected computers, and a capture file of the network traffic. However, reviewing the novelties included in this Alpha version I saw a couple of them quite interesting: mbrparser and mftparser.

Mftparser, as indicated in the Volatility webpage, scans and analyzes entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.

Despite having the timeline, I decided to try the new plugin and compare the output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the body format of Sleuthkit (with option –output=body).

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin mftparser –output=body
Volatile Systems Volatility Framework 2.3_alpha

Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
  1353971273|1353971273
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
  1353971273|1353971273
(FN) 0x12d588|WINDOWS\Prefetch\NET.EXE-01A53C2F.pf|11727|---a-------I---|0|0|424|1353971273|
  1353971273|1353971273|1353971273
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
  1353971306|1353971306
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
  1353971306|1353971306
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|
  1353971306|1353971306
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|
  1353980005|1353971306
(FN) 0x311000|WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf|11728|---a-------I---|0|0|480|1353971306|13
  53971306|1353971306|1353971306
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|
  1353971435|1353971435
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|
  1353971493|1353971435
[...]

Then you just have to run mactime (included on Sleuthkit) on this file and you get a system timeline from the RAM dump.

mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b  ENG-USTXHOU-148/body.txt >  
  ENG-USTXHOU-148/body_mactime.txt

I find this especially useful when, for reasons of size or availability, we can not have a disk image to get the information about the creation or access times of certain files.

Here’s an example. Thanks to searching for strings (strings command with the IP showed with the command connscan) directly on the RAM dump, we find a mail received by the user is that contains a link to a suspicious executable file:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin connscan

Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696

mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > 
  ENG-USTXHOU-148/strings.txt
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt

[…]

Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
        Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <isd@petro-markets.info>
To: <amirs@petro-market.org>, <callb@petro-market.org>,
        <wrightd@petro-market.org>
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd@petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">
[…]

Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin iehistory

Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
Last modified: 2012-11-26 23:01:53 
Last accessed: 2012-11-26 23:01:53 
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8

But it would be thanks to the timeline created by the plugin mftparser that we could confirm he did not only clicked the link but also that the file was downloaded and executed, and thus the system compromised.

mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
[…]
Mon Nov 26 2012 23:01:54      472 mac. --------------- 0  0  10117    Documents and Settings\
                                                                       callb\Local Settings\Temp
                              352 macb ---a-------I--- 0  0  11721    System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26\
                                                                       A0008032.sys
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\
                                                                       SYMANTEC-1.43-1[2].
                                                                       EXE-3793B625.pf
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\SYMANT~1.PF
                              584 mac. --------------- 0  0  3420     WINDOWS\system32\CatRoot2
                              824 .a.. --------------- 0  0  3432     WINDOWS\system32\CatRoot2\
                                                                       {F750E~1
                              344 mac. ---a----------- 0  0  6996     WINDOWS\system32\CatRoot2\
                                                                       tmp.edb
                              352 .a.. ---a----------- 0  0  8499     WINDOWS\system32\CatRoot2\
                                                                       edb00095.log
                              344 .ac. -h------------- 0  0  8610     WINDOWS\system32\6to4ex.dll
                              336 mac. ---a----------- 0  0  8611     WINDOWS\system32\CatRoot2\
                                                                       edb.log
                              472 mac. -----------I--- 0  0  8823     System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26
Mon Nov 26 2012 23:01:55      352 m.c. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                                                                       beep.sys
                              344 mac. ---a----------- 0  0  206      WINDOWS\system32\drivers\
                                                                       beep.sys
                              416 .a.. ---a----------- 0  0  3438     WINDOWS\system32\CatRoot2\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\TIMEST~1
                              416 .a.. ---a----------- 0  0  3439     WINDOWS\system32\CatRoot\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\TIMEST~1
                              576 .a.. -h------------- 0  0  45       WINDOWS\inf
                              344 mac. ---a----------- 0  0  7161     WINDOWS\system32\wbem\Logs\
                                                                       wbemess.log
                              352 .a.. ---a----------- 0  0  8071     WINDOWS\inf\syssetup.inf
                              568 ..c. -hs--------I--- 0  0  8835     Documents and Settings\callb\
                                                                       IETLDC~1
                              344 m.c. -hsa-------I--- 0  0  8836     Documents and Settings\callb\
                                                                       IETldCache\index.dat
                              344 .a.. --s------------ 0  0  9481     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\My\
                                                                       CTLs
                              344 .a.. --s------------ 0  0  9482     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\My\
                                                                       CRLs
                              472 .a.. --s------------ 0  0  9483     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\
                                                                       My\CERTIF~1
Mon Nov 26 2012 23:01:56      352 macb ---a-------I--- 0  0  10216    System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26\
                                                                       A0008033.PNF
                              360 mac. ---a----------- 0  0  3355     WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59      352 .ac. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                                                                       beep.sys
                              352 macb ---a-------I--- 0  0  11705    System Volume Information\
                                                                       _restore{68B1E438-DDF2-
                                                                       48EE-BFAF-9C59BEF8C439}\
                                                                       RP26\A0008034.sys
                              936 mac. rhs------c----- 0  0  71       WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07      352 .a.. ---a----------- 0  0  23813    WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10      472 macb --------------- 0  0  7556     WINDOWS\webui
Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\
                                                                       IPCONFIG.EXE-2395F30B.pf
                              488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 .a.. ---a----------- 0  0  24145    WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55      376 mac. ---a----------- 0  0  3436     WINDOWS\system32\CatRoot2\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\catdb
Mon Nov 26 2012 23:04:14      352 .a.. ---a----------- 0  0  23351    WINDOWS\system32\drivers\
                                                                       fastfat.sys
Mon Nov 26 2012 23:04:24      336 mac. ---a----------- 0  0  9790     WINDOWS\system32\CatRoot2\
                                                                       edb.chk
Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\ps.exe
                              472 m.c. --------------- 0  0  28       WINDOWS
Mon Nov 26 2012 23:06:35      504 m.c. ---a----------- 0  0  11710    WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48      416 mac. ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\webui\wc.exe
                              288 m... ---a----------- 0  0  11739    WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\system32\iertutil.dll
                              344 .a.. ---a----------- 0  0  11498    WINDOWS\system32\urlmon.dll
                              344 .a.. ---a----------- 0  0  11502    WINDOWS\system32\wininet.dll
                              488 mac. ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 macb ---a----------- 0  0  11726    WINDOWS\webui\netuse.dll
[...]

The other highlighted files are those that Dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below provided by Bryan Nolen (@BryanNolen) at Volatility page.

@Jackcr Forensics Challenge.