Lesson 2 of 6
In Progress

Sample Forensic Analysis Methodology

When conducting forensic analysis, it is important to understand the goals of the analysis. Clearly defined goals ensure an efficient, reliable and reproducible methodology is used.

The following is a description of these goals:

·    Determine if unauthorized access to the system occurred

·    Obtain the earliest evidence of compromise

·    Find all malware on the system

·    Determine how the malware was configured

·    Determine what files were created or modified by the intruder

·    Determine if registry entries were created or modified by the intruder

·    Obtain a list of account(s), if any, which were used by the intruder

·    Determining if the intruder connected to any other systems

·    Find signs of data harvesting and/or data theft

·    Gather and record data to create a timeline of the attacker’s activities on the system.

Forensic Analysis Process

1.1.     Working Copies Of Evidence

Original evidence must always be preserved in a forensically sound manner. Also, analysis must always be performed in a forensically-sound copy of the original devices and never the original device itself.

1.2.     Record System Information     

The below system information is important to record if it is available.

  • Size of the Hard Drive
  • Serial Number of the Hard Drive
  • File System (FAT, NTFS, etc)
  • Number of Files
  • Number of Folders
  • Number of Deleted Files Recovered
  • Identify the IP addresses assigned by reviewing:
    • \HKLM\SYSTEM\CurrentControlSet\Servicess\Tcpip\Parameters\Interfaces\*\DhcpIP
  • Identify the DHCP server for the system by reviewing:
    • \HKLM\SYSTEM\CurrentControlSet\Servicess\Tcpip\Parameters\Intrerfaces\*\DhcpNameServer
  • Identify the Operating System by reviewing:
    • \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Record the Computer Name by reviewing:
    • \HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

1.3.     Last Shutdown

Recording the last shutdown helps to prove the integrity of the image.

XP/Vista/Windows7

  • \HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime

1.4.     Hash’s and hash sets

Many forensic tools use hash signatures to identify notable files or to exclude known (benign) ones; acquired data is hashed and compared to pre-compiled lists such as the Reference Data Set (RDS) from the National Software Reference Library.

1.5.     Windows Registry Files

Windows registry files will contain a lot of useful information during your investigation. Most malware stays persistent by the use of registry either by installing its self as a service or utilize auto start locations in the registry. You can also examine the registry to track users actions and track binary execution.

Export the below registry files from the forensic images for later review.

XP/Vista/Windows7

  • \%SYSTEMROOT%\system32\config\default
  • \%SYSTEMROOT%\system32\config\SAM
  • \%SYSTEMROOT%\system32\config\security
  • \%SYSTEMROOT%\system32\config\software
  • \%SYSTEMROOT%\system32\config\system\
  • \%USERPROFILE%\ntuser.dat (for every user profile)

Vista/Windows7

  • \%SYSTEMROOT%\system32\config\components
  • USRCLASS.dat for each user profile located in \%USERPROFILE%\AppData\Local\Microsoft\Windows\usrclass.dat

1.6.     Windows Event Logs

Microsoft provides the below description of what each event log contains.

“Application Logs. Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn’t necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.

Security-related events. These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.

System events. System events are logged by Windows and Windows system services, and are classified as error, warning, or information.”

XP

  • \%SYSTEMROOT%\system32\config\AppEvent.evt
  • \%SYSTEMROOT%\system32\config\SecEvent.evt
  • \%SYSTEMROOT%\system32\config\SysEvent.evt

Vista/Windows 7

Windows Vista and Windows 7 have fifty six event logs, The file list of the event logs is in Appendix A.

All the logs are located in the directory, \%SYSTEMROOT%\Windows\System32\winevt\Logs\

1.7.     The Scheduled Tasks Log

The scheduled task file (at.exe) is a very common technique that malware uses to launch itself.

XP/Vista/Windows7

·    \%SYSTEMROOT%\Tasks\schedlgu.txt

1.8.     Evidence of Binary Execution

There are a number of places you can examine for evidence of an executed binary. Some of these area’s are outlined below. Basically, you are looking for anything suspicious.

User Activity Registry Keys

XP/Vista/Windows7

Common user activity registry keys (NTUSER):

  • \Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count    
  • \Software\Microsoft\Windows\ShellNoRoam\MUICache
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • \Software\Microsoft\Internet Explorer\TypedURLs
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Windows Prefetch

Prefetch files are created when applications are executed and contain the following information about the executable;

  • Name of the executable
  • DLLs used by that executable
  • How many times the executable has been run
  • Last time the program was run.

XP/Vista/Windows7

  • \%SYSTEMROOT%\Windows\Prefetch

Vista/Windows7

In addition to prefetch files, Vista and Windows 7 also use “superfetch” technology which is designed to hold more information about the executable.

The supefetch files typically start with “AG” and have a .db extension but are not a database file.

  • They are located in \%SystemRoot%\Windows\Prefetch.

1.9.     Review Browser History

Review the cache/History and temporary files of installed internet browser for;

  • FTP Activity
  • Activity to known storage sites
  • Beaconing activity to known C2’s
  • Downloaded binaries
  • Malicious URL activity
  • Web based email

1.9.1.     Internet Explorer Browser Activity File Locations

XP

  • History: \%USERPROFILE%\Local Settings\History\History.IE5\
  • Cache: \%USERPROFILE%\Local Settings\History\History.IE5\
  • Cookies: \%USERPROFILE%\Local Settings\History\History.IE5\Cookies\
  • Favorites: \%USERPROFILE%\Local Settings\History\History.IE5\Favorites

Vista/Windows 7

Vista and Windows 7 implement what is called “Protected Mode” within Internet Explorer. The goal is run the browser with low privileges to prevent malicious files to cause harm to the operating system. This does not apply to all browser activities and therefore there are two folder directories. One directory is for “regular” browser activities and another for “low privilege” activities.

  • History: \%USERPROFILE%\AppData\ Local\Microsoft\Windows\History\ History.IE5
  • History Low: \%USERPROFILE%\AppData\Local\Microsoft\Windows\History\ Low\ History.IE5
  • Cache: \%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
  • Cache Low: \%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\low\Content.IE5
  • Cookies: \%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
  • Favorites: \%USERPROFILE%\Favorites

1.9.2.        FireFox 3.x Browser Activity File Locations

Firefox 3.x uses a SQLite databases to store history, cookies and bookmark data. There are some databases that are not normally parsed out by forensic tools like EnCase and FTK. A open source program called SQLite Database Browser (http://sqlitebrowser.sourceforge.net/) can be used to manually parse through the databases.

XP

  • Cache: \%USERPROFILE%\Local Settings\Application\Data\Mozilla\Firefox\ Profiles\(profile folder)\Cache
  • History/Downloads/Bookmarks/Cookies: %UserProfile%/Application Data\Mozilla\Firefox\Profiles\(profile folder)

Vista/Windows7

  • Cache: \%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\(profile folder)\Cache
  • History/Downloads/Bookmarks/Cookies: \%USERPROFILE%\AppData\Roaming\ Mozilla\Firefox\Profiles\(profile folder)

1.9.3.        Google Chrome Browser Activity File Locations

Google Chrome is similar to Firefox 3.x in that it uses SQLite database files to store user data, except the structure of the databases is different. There are some databases that are not normally parsed out by forensic tools like EnCase and FTK. A open source program called SQLite Database Browser (http://sqlitebrowser.sourceforge.net/) can be used to manually parse through the databases.

XP

  • Profile: \%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default

Vista/Windows7

  • Profile: \%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default

1.10. Record The Earliest Evidence Of Compromise

By using the methods laid out in this methodology, you should record the earliest evidence of system compromise.

1.11. Show Relevant Timeframes Of Intruder Activity

Start looking for any files or activity (registry, event logs, browser history, etc..) that are in the same timeframe range of the earliest compromise, other known malware or indicators.

1.12. Look for Residue of Data Harvesting

Review for the use of compression and extract the contents of suspicious archives for any potential data exfiltration.

Common archive/compressions are;

  • tgz
  • rar
  • jar
  • z
  • gz
  • zip
  • arj
  • lzh
  • packed files
  • self-extracting archives

1.13. Review the Pagefile

Windows implementation of virtual memory is to save contents of memory onto the hard drive. These memory contents are stored in the “pagefile.sys”. It is important to search the pagefile for evidence of data exfiltration and “hacker” commands.

1.14. Search Recycle Bin for Suspicious Data

XP

INFO and INFO2 files are files that record information about files moved into the Recycle bin in Windows operating systems. The INFO and INFO2 files contain the original location of files before they were deleted and the date and time of deletion. When the Recycle Bin is emptied, this file is deleted. It may be possible to recover deleted INFO or INFO2 files. When files are sent to the recycle bin, they are renamed using the following naming convention:

D%DriveLetter%_%IndexNumber%_%FileExtension%.

Vista/Windows7

When a file is “soft” deleted in Vista it is moved to the recycle bin located in C:\$Recycle.Bin. The file will be placed in a folder named by the user’s SID and renamed to $R followed by six random characters and then the original file extension. A second file is then created with the same exact name of the first except that it is a $I at the beginning. This file is similar to what you would see in a windows XP info2 record and contains the original filename, original size, and the date and time the file was deleted. When the Recycle Bin is emptied, this file is deleted. It may be possible to recover deleted $I or $R files. 

Advanced Forensic Analysis   

The following subsections provide an abbreviated outline of the steps that can be performed when deeper analysis is needed

1.15. Memory Analysis

Pulling the below information from memory dumps can identify possible malware files or activity. The most common tools to do this are volatility and HBGary.

  • Listing of the files associated with each running process
  • Pulling strings from memory dump to look decoded shell commands
  • Exporting a process running in memory to a file.

1.16. Keyword Searches

Create case specific keywords using information you gained over the course of the investigation. Examples of such keywords can be, the suspected malware filenames, malicious URL, malicious IP addresses, or common intrusion commands (cmd.exe, nbtstat, ipconfig, nslookup, telnet etc…) 

1.17.        Additional Log Files

Some additional log files that may contain system activity are below.

XP/Vista/Windows 7

  • MRT.log: Microsofts Malicous Software Removal Tool, this log will show the results of the scan and is located in C:\windowsdebug\.
  • Symantec Virus Scan Logs: Check these logs to see if any files you expect to see on the system have been removed. They are located in %AllUsersProfile%\ Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs.
  • $LogFile: Contains a log of metadata changes to the system. Sometime deleted/old MFT records can be found here.

Vista/Windows 7

  • CBS.log: Excerpt from http://support.microsoft.com/kb/928228

“The SFC.exe program performs the following operations:

  • It verifies that non-configurable Windows Vista system files have not changed. Also, it verifies that these files match the operating system’s definition of which files are expected to be installed on the computer.
  • It repairs non-configurable Windows Vista system files, when it is possible.”

This log could be helpful in identifying false positives or in identifying system files that have been changed. The location of the file is in %WinDir%\Logs\Cbs\cbs.log

  • $USNJRNL: Located in the $Extend folder and enabled by Vista and Windows7 by default, this file is part of windows transactional system. Filenames, date stamps and MFT record numbers can be found in this file in Unicode format.

1.18. Restore Points and Volume Shadow Copy

XP Restore Points

Located in %Root%\System Volume Information\(_restore{GUID})\(Restore Points)

The restore points are folders named in a format similar to RP01, RP02, RP03 etc…In each folder there will be backed up files and log file named “rp.log” that contains information about the particular restore point.

Vista/Windows 7 Volume Shadow Copy

The volume shadow copy is a similar to XP’s System Restore Points in that it automatically backs up user data and system files. The biggest difference from a forensic standpoint is the amount of data that it backs up compared to restore points. Restore points only backup key system files and registry while volume shadow copy purpose is to restore any file, directory or even the whole volume to a earlier state.

The following is a guideline for our most current method of extracting data from volume shadow copies.

If you know the administrator password, you can skip steps 2-5.

For steps 7-9, more detail can be found at the SAN’s computer forensics blog, http://blogs.sans.org/computer-forensics/2008/10/10/shadow-forensics/.

  1. Using EnCase PDE, liveview 0.7b, and VMWare create the VMWare VMX files for the mounted image. Do not load up the VMWare at this point, as adjustments need to be made to the configuration file.
  2. Open the VMX file you just created in notepad and add the following line to it;
    1. bios.bootDelay = “5000”
  3. Double click the VMX file to open VMWare, but do not start up the machine. Change the settings of the DVD drive to point to the following file “pw_and_reg_editor.iso”
  4. Now start the machine, the bootDelay command you created in step two should give you five seconds to hit F2 and enter the BIOS. Once you are in the BIOS, you need to make sure it is set to boot from the CD.
  5. Restart the machine, and it should boot to the pw_and_reg_editor program. Follow the menu items to clear the administrative password.
  6. Log onto the machine as the administrator using the known password or the blank password created in Step 5.
  7. Next you need to obtain a list of the volume shadows, do this by executing the below command in a command shell with administrator rights.
    1. C:> vssadmin list shadows /for=C:
  8. From the output of step 7, select one of the “Shadow Copy Volume” names that you would like to examine. Then create a symbolic link using the mklink command and pointing it at a directory followed by the device name of the shadow copy volume you wish to parse.
    1. C:> mklink /d C:shadow_copy21 \?GLOBALROOTDeviceHarddiskVolumeShadowCopy21
  9. You should now have the volume mounted in the folder specified in the above command. For the case of this example the folder is “C:\shadow_copy21”.
  10. From here you can try different tools in order to image the folder, DD, FTK Imager Lite, Winacq or any other light footprint program. As for a storage drive, I think the best method is to just attach a external drive to the host, although you could also work with shared folders.

Possible problems:

  • If you are going to utilize a shared folder or network connection as your storage drive then you may have to adjust or disable any firewall protection.


 Windows Event Logs

\%SystemRoot%\Windows\System32\winevt\Logs\Application.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\DFS Replication.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\HardwareEvents.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Internet Explorer.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Key Management Service.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\ODiag.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\OSession.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Security.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\Setup.evtx
\%SystemRoot%\Windows\System32\winevt\Logs\System.evtx

Common Autostart Locations

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

%USERPROFILE%\Start Menu\Programs\Startup

%ALLUSERSPROFILE%\Start Menu\Programs\Startup