9 01 2012
When trying to learn about forensics i’m sometimes curious about what I can do at my house that’s fun and also provides a nice learning experience. A person can only review so many pre-compiled images online.
I figured the next best thing was to compromise systems in my lab and then go back and do forensics on them. This will provide a decent “real world” example. The attack methods aren’t anything sophisticated but the forensic principals would appear similar.
Round 1: Backtrack 5 vs. Windows 7
Scenario: Infected USB drive left in the parking lot so an employee would pick it up, and then go ahead and install a malicious program on their workstation.
Upon arriving to the system I had my trusty USB drive where I have Backtrack 5-RC1 and a myriad of forensic tools on the root of it. I also had my WiebeTECH USB write blocker.
Before I inserted the USB drive I fired up Helix3 Pro Image Receiver on my Macbook Pro. Once the listener was setup and running with their default settings I proceeded to connect the USB drive into the Windows 7×64 system.
Once inside the system I fired up Helix Pro from my USB drive and proceeded to transfer the Volatile Data (choosing txt file format) and also proceeded to do a Memory dump and transferring that as well.
Once the volatile data and memory were pulled I proceeded to acquire Prefetch, Reg Hives, NTUSER.dat, etc. using FTK Imager 2.9 Lite version.
Once I had the Hives, Prefetch and ntuser.dat I pull a bunch of stuff using some Command line FU. Actually, it’s very little FU, and more looking around the internet and making it into one large batch file.
Here are some of the commands I pull. Copy all of that, toss it in a txt file and save it as you_pick.bat. I run this from my USB drive. The only issue I see with using this in the “real world” is that you will more than likely need to configure this batch file to output into some other directory if you’re using a write blocker or something like that. I’ll leave those items to you. I’ve made it pretty generic. Oh yeah, and it’s pretty messy, but it gets the job done.
PAUSE
mkdir forensic_grab
cd forensic_grab
echo %DATE% %TIME% > date_time.txt
wmic timezone list brief /format:CSV > time_zone.txt
mkdir misc
cd misc
ver > ver.txt
net start > net_start.txt
net user > net_user.txt
net use > net_use.txt
ipconfig /allcompartments /all > all.txt
type %windir%\System32\drivers\etc\hosts > etc_hosts.txt
type %windir%\System32\drivers\etc\networks > networks.txt
cd ..
PAUSE
Echo Starting logging
Echo.
mkdir logging
cd logging
wmic nicconfig get description,IPAddress,MACaddress /format:CSV > network_card.txt
wmic process list status /format:CSV > proc_list.txt
wmic qfe list /format:CSV > patches.txt
wmic process list memory /format:CSV > mem_proc_list.txt
wmic job list brief /format:CSV > list_jobs.txt
wmic netclient list brief /format:CSV > netclient.txt
wmic useraccount list /format:CSV > useract.txt
wmic startup list brief /format:CSV > startup.txt
wmic nteventlog get name /format:CSV > eventlog.txt
wmic ntdomain list brief /format:CSV > ntdomain.txt
wmic service list config /format:CSV > serv_list_cfg.txt
cd ..
Echo Starting Firewall
Echo.
PAUSE
mkdir firewall
cd firewall
copy %windir%\System32\Logfiles\Firewall\*.log
netsh firewall show state > fw_state.txt
netsh firewall show config > fw_config.txt
netsh dump > fw_dumpdump.txt
route print > route_print.txt
arp -A > arp_print.txt
netstat -ano > netstat.txt
cd ..
mkdir event_logs
cd event_logs
copy %windir%\System32\Winevt\Logs\*.evtx
cd ..\..\
PAUSE
Echo Tool time
handle.exe /accepteula > forensic_grab\logging\handle_output.txt
gplist > forensic_grab\group_policy.txt
listdlls.exe > forensic_grab\list_dlls.txt
logonsessions.exe /accepteula > forensic_grab\logging\logonsessions.txt
pslist.exe /accepteula > forensic_grab\logging\pslist.txt
psloggedon.exe /accepteula > forensic_grab\logging\psloggedon.txt
tasklist > forensic_grab\logging\tasklist.txt
tcpvcon.exe -a /accepteula > forensic_grab\logging\tcpvcon.txt
uptime.exe > forensic_grab\logging\uptime.txt
WinAudit.exe /o CSV /f winaudit.txt /l forensic_grab\logging /E
echo.
:finish
Here is an example:
Here is the mem_proc.txt output example. I removed my hostname, which is why you see that white space in the picture.
OK…. Now that I have pretty much all of my volatile data I proceed to grab the $MFT by way of TSK – mmls and icat. I execute icat on the offset (-o 2048), which is my starting sector of the drive.
I got this information from Mark Hallman’s log2timeline.pdf that he gave at Sleuthkit & Open Digital Forensics Conference 2011.
In his slides Mark says,
“This method, vs. using fls gives you both the $FILENAME and $STDINFO timestamps.
icat -i raw -f ntfs -o 63 image.dd 0 > image.mft
-i image type
-f file system type
-o file system starting offset in sectors”
Once I acquire the $MFT I move it on over to my SIFT Workstation and create a timeline using log2timeline – Yes, I just realized I spelled it, “timelive” instead of “timeline”.
I’m no expert with using log2timeline so any comments would be more than welcome – Thanks…
These are some of the locations I went to read up on log2timeline:
- http://log2timeline.net/
- http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking
- http://blog.kiddaland.net/tag/sleuthkit/
- http://blogs.sans.org/computer-forensics/files/2011/12/cheat-sheet-digital-forensics-incident-response-timeline-log2timeline.jpg
- log2timeline MAN pages
Before I pull up the CSV file I will do some quick grep commands to see if something pops out.
#cat timeline.csv | grep “.exe” | sort | uniq >> exe.txt
Then I run a python script I made with the help of my brother.
#python2.7 exe_parse.py
CODE:
import re
f = open(‘exe.txt’, ‘r’)
#creates an array. this will hold all of the data you import
listOne = []
regex = re.findall(r’\b\w+[0-9a-zA-Z].exe\b’, f.read())
#for every result from ‘regex’, we will do the following
for x in regex:
#if the item (x) is not currently in listOne, we will append it (add it)
#.lower() makes all of the letters lowercase
if x.lower() not in listOne:
listOne.append(x.lower())
#now we are not in the ‘for’ loop anymore. now that all of the files are in there
#we can sort the list alphabetically with the ‘.sort()’ function
listOne.sort()
doc = open(‘parsed_exe_output.txt’, ‘w’)
#for every item (x) in listOne, we write it…… the ‘\n’ prints a new line
for x in listOne:
doc.write(x + ‘\n’)
#best to close those documents we opened
f.close()
doc.close()
It will output parsed_exe_output.txt, which looks like this, which could be parsed/grep’d/awk’d even further:
mxdwgc.exe
narrator.exe
nbtstat.exe
nc.exe
ndadmin.exe
net.exe
net1.exe
netbtugc.exe
netcfg.exe
netfxrepair.exe
netfxsbs10.exe
netiougc.exe
netplwiz-exe
As you can see it’s much easier to spot potentially bad/”odd” .exe files. It could be easily change to look for .ps1, .py, etc. as well.
Now that we know netcat was executed I will open up the actual $MFT timeline I created above and search for “nc.exe”.
Bam! There we go. Now I have something to work with and a relative timeframe.
Now I am going to work backwards and see if I might be able to find something else that’s interesting.
I didn’t see much else in the time line that stuck out except this entry here that has to do with USBStor.
Now it’s off to the SYSTEM Hive to check USBStor:
So the USBStor shows a SanDisk U3 Cruzer USB thumbdrive was connected.
After seeing that there was a USB attached to the system I decided to go take a look at the ntuser.dat file and see what I could come up with.
I did some searches for “13:4″ so I could get close to the time frame when the USB drive was inserted into the system.
I looked in the:
UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
I noticed E:\program.exe was executed at 13:48:34 (13 +9hrs) = 22:38:34.
What caught my eye here was the fact that it says, “E:\”. While I was reviewing my volatile data I noticed that the only drive listed was “C:\”. This would seem like a USB drive was inserted, a program was executed, and the USB was taken out before the “forensics” guys showed up.
Now we cross reference this with the log2time csv file from above and we notice that nc.exe was placed in C:\Windows\System32 right after program.exe was executed.
Question: Was it uploaded via a remote connection?
Question: Was it placed there when the file was executed?
And now when I go back and check the output from running SysInternals:
Command Line = nc.exe -L -p 333 -e cmd.exe
Base Size Version Path
0×00400000 0×00013000 4.0.30319.1 C:\Windows\system32\nc.exe
0x77b80000 0×00180000 6.1.7601.17514 C:\Windows\SysWOW64\ntdll.dll
0×76540000 0×00110000 6.1.7601.17651 C:\Windows\syswow64\kernel32.dll
0x761a0000 0×00046000 6.1.7601.17651 C:\Windows\syswow64\KERNELBASE.dll
0x74ad0000 0×00007000 6.1.7600.16385 C:\Windows\system32\WSOCK32.dll
0×75740000 0×00035000 6.1.7601.17514 C:\Windows\syswow64\WS2_32.dll
0×76490000 0x000ac000 7.0.8638.16385 C:\Windows\syswow64\msvcrt.dll
0x761f0000 0x000f0000 6.1.7601.17514 C:\Windows\syswow64\RPCRT4.dll
0x756e0000 0×00060000 6.1.7601.17514 C:\Windows\syswow64\SspiCli.dll
0x756d0000 0x0000c000 6.1.7600.16385 C:\Windows\syswow64\CRYPTBASE.dll
0x75b30000 0×00019000 6.1.7600.16385 C:\Windows\SysWOW64\sechost.dll
0x77b50000 0×00006000 6.1.7600.16385 C:\Windows\syswow64\NSI.dll
0x74ac0000 0×00010000 6.1.7601.17514 C:\Windows\system32\NLAapi.dll
0x74ab0000 0×00010000 6.1.7600.16385 C:\Windows\system32\napinsp.dll
0x74a90000 0×00012000 6.1.7600.16385 C:\Windows\system32\pnrpnsp.dll
0x74a80000 0x0000d000 6.1.7601.17514 C:\Windows\system32\wshbth.dll
0x74a40000 0x0003c000 6.1.7601.17514 C:\Windows\System32\mswsock.dll
0x75a30000 0×00100000 6.1.7601.17514 C:\Windows\syswow64\user32.dll
0x75cc0000 0×00090000 6.1.7601.17514 C:\Windows\syswow64\GDI32.dll
0×75780000 0x0000a000 6.1.7600.16385 C:\Windows\syswow64\LPK.dll
0x762e0000 0x0009d000 1.626.7601.17514 C:\Windows\syswow64\USP10.dll
0×76100000 0x000a0000 6.1.7601.17514 C:\Windows\syswow64\ADVAPI32.dll
0×77520000 0×00060000 6.1.7601.17514 C:\Windows\system32\IMM32.DLL
0×75890000 0x000cc000 6.1.7600.16385 C:\Windows\syswow64\MSCTF.dll
0x749f0000 0×00044000 6.1.7601.17570 C:\Windows\system32\DNSAPI.dll
0x749e0000 0×00008000 6.1.7600.16385 C:\Windows\System32\winrnr.dll
0x749d0000 0×00006000 6.1.7600.16385 C:\Windows\system32\rasadhlp.dll
0x749c0000 0×00005000 6.1.7600.16385 C:\Windows\System32\wshtcpip.dll
PID: 712 -
Source Address: 0.0.0.0:333
Remote Address: 0.0.0.0:0
Socket State: Listen
Executable:
I also find program.exe, which matches the file that was executed from the USB Drive. It is PID 1716 and 1856, which is why I assume there is a (2) in the Userassist reg key? (Please correct me if I am wrong). I’m assuming it was ran twice?
program.exe 1716 1684 8 4 101 66360 62264 7652 7268 0:00:00.078 0:00:00.031 0:00:00.109 0:00:00.000 4932 4644 2 3 27196
PID: 1716 – program.exe
Path: \Device\HarddiskVolume2\program.exe
Used Memory: 7,268KB
Modules (Dynamic Libraries):
Base: Size: Version: Path:
PID: 1856 – program.exe
Path:
Used Memory: 0KB
Modules (Dynamic Libraries):
Base: Size: Version: Path:
Conclusion:
I wasn’t able to pull any network data (configured my lab wrong), but in the end here is what I did:
I used Backtrack 5 and the Social Engineering Toolkit to build a malicious files called, “program.exe”. Once it was created I tossed it on a thumb drive called, “CLASSIFIED” and executed the program.exe file on the Windows 7 machine. After executing the program.exe file it set-up at reverse meterpreter shell back to the Backtrack box where I proceeded to drop nc.exe into C:\Windows\System32\, and then opened up a listener on port 333.
The only other thing I did was actually execute the “download” command via the meterpreter session and downloaded “work.txt” inside C:\Users\My Username\Documents\work.txt but I couldn’t find any artifacts of this. Maybe someone can offer some advice as to where you can find this information. That would be great.
Hopefully you learned something from this. I know did. I am going to continue these and use different attack methods to see what kind of artifacts are created. I will use a Web Site attack method next time. The only thing I will change is using a Windows 7 x86 instead of x64 so I can use Volatility and look at memory. The latest version of Volatility doesn’t support the Windows 7×64 profile.
Thanks!
Tweet
Looks good. I’ll need to read it over a few times to fully understand everything. I really need to learn more about security.
Nice post. I find simulating attacks against test systems and then examining for artifacts a great way to learn as well. You might be able to see how the attack unfolded better by adding more artifacts to your timelines. The post mentioned you were interested in program execution (prefetch files and userassist key) so both of those artifacts can be added to your timeline (prefetch and ntuser plugins). Other artifacts could be added as well. Just a thought.
@Corey – Thanks for your reply. I will look into playing with those plugins. I didn’t realize that. That’s actually the first time I used log2timeline so I appreciate your feedback (reading about it now). I might also add that i’m a big fan of your blog. Thanks!