21 07 2012
Answering How to Questions – Part I
sysforensics | How to, The Sleuth Kit
So I was looking at Google Analytic’s at some of the search queries that bring people to my blog and noticed a huge list of “How to” questions.
I thought it would be neat to sort all of them and answer each of the questions. Some of them were quite funny, but I guess at the same time they are relevant to DFIR.
I can’t answer…and I quote, “how do I know if my wife is cheating on me forensics”. I wont touch those questions. I’m afraid that if I answer it wrong I might cause a divorce 
I will attempt to answer the more traditional questions (copy/pasted directly from my Analytic’s page). It will simply take me too long to go into a ton of details for each question, so your friend Google will need to be called upon.
I’m going to simply go down the line so they wont be in any order.
Feel free to provide more information in the comments section. Simply put “Question # – Your additional information.”
If it grows and we get some good content ill move it all over to the forensicwiki site.
Let’s get started
1. “How could i use computer forensics to find out if someone hacked my password on my computer”
What kind of password? Is it your computer logon password? Is it your Gmail password, etc.? Let’s assume for a bit that someone in your house/work stole your computer logon password. Maybe you even think they are logging into your computer while you’re not around.
Some of the items you can check are:
*Internet Browsing History, Cookies, etc.
*File Download History
*Last Visited MRU
*Prefetch files
*Windows Event logs
*UserAssist
*MSFT Office recent files
*Recycle Bin
*USB connections
*RDP sessions if you have it enabled
2. “how did i get the zeus v2 malware on my pc”
Honestly, I have no idea how you did. It was more than likely downloaded via the web while you were browsing, or it was opened in an email. Let’s just assume that’s the case since it more than likely is/was.
*Extract your $MFT and take a look
*Prefetch files
*Browser History
*UserAssist
*Open/Save MRU
*E-mail Attachments (depends on what you’re using for a mail client)
*Firewall rule modifications (EventCode 5031 and 5447)
Here are a few blog posts I did on Zeus that will give you some more artifact locations:
3. “how do i get the mactimes command?”
I’m going to assume you’re talking about mactime the tool included with The Sleuth Kit? If so, it’s preinstalled on SANS SIFT Kit, DEFT 7.1, and I’m pretty sure it’s installed on Backtrack and some other Linux hacking/forensic distros.
Here is an example from one of my posts.
Simply type, mactime into a SIFT terminal and you will get the various command arguments, etc. listed out for you.
4. “how does fls know what types of files systems are on an image” and “how does mmls find the partition table”
You can also look at the source code like I did here: sleuthkit-4.0.0b1\tools\vstools\mmls.cpp or fstools\fls.cpp – This will give you a very good overview of how this information is extracted and made usable for you. It will show you the “guts”.
Look at the TSK_IMG_TYPE, INFO, TSK_FS_TYPE_ENUM, TSK_FS_INFO, TSK_FS_DIR_WALK, etc. classes on the link above.
5. “how exe pe packers work”
If you take your program (malicious or not) and run it through a packer it’s going to (usually) compress your exe file and it’s also going to encrypt it, which is why you tend to get a bunch of gibberish when you run strings, BinText, or some other tool against a packed exe file looking for usable information. Check out some of the malware posts I did and you will see the before/after of a packed/unpacked exe file.
So when the packed program is run the unpacking routine is executed, which then leads to the decrypting of the exe and it is also uncompressed.
6. “how find gmail password in memory”
Here is a post I did on how to recover Gmail passwords in memory. I haven’t tested it in awhile so hopefully it still works. If it doesn’t let me know so I can go back and do some more research.
You can grep for the following information if you have a memory dump. See the link above for Hotmail and Yahoo:
Gmail:
GET /mail?gxlu=gmail123&zx=1327833361930 HTTP/1.1
continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&dsh=5396061135614979233<mpl=default<mpl=default&scc=1&GALX=-ELjIRn4GYQ&pstMsg=1&dnConn=&checkConnection=youtube%3A3354%3A0&checkedDomains=youtube&timeStmp=&secTok=&Email=gmail123&Passwd=password123&signIn=Sign+in&rmShown=1
7. “how good is sleuthkit?”
It’s awesome. Just download it and start using it. Pick up Brian Carrier’s book, File System Forensics as well.
8. “how hackers use the sleuth kit”
Honestly i’m not sure since I am not a hacker, but if I was I would use it for some of the following:
*Test my tools and see what evidence they leave behind
*Recover data from a HDD I stole, image I dumped, etc.
*Build timelines of system events
*Test timestomping tools
*etc.
9. “how rescue file using tsk”
Here is a blog post I did that will show you how to
use tsk_recover and icat. You can also look at scalpel. I use this
config file along with some other custom ones
10. “how to analyze malicious mbr files”
I’m no expert, but I did do a
post on MBR malware.
It will show you how to extract the MBR, and give you an idea on what tools you could use to look at it. It also provides a few good links to some scripts written by some smart people.
11. “how to analyse the forensic images for malware”
This is sort of a loaded question. This goes back to framing your requirements. What are you looking for? Are you looking for a specific piece of malware? If so, check online, and see if someone has done an analysis of it. If so, you should be able to build some Indicators of Compromise (IOCs) and validate whether or not your image has this piece of malware on it. IOCs can/will change so don’t use this as a 100% validation, but it’s pretty darn good.
In all seriousness you need to know what you’re looking for before you start looking at a forensic image. What did the user say was happening? What lead you to believe there might be malware on the image? Is there weird network traffic? Etc.?
These question should be answered the best they can before you start digging into an image looking for something “bad”. I’ve seen computers that have more viruses than a Navy port in South East Asia so it helps to have some context.
In either case (in no specific order):
*Make a copy of the original image
*Rip the registry looking for keys malware tends to enjoy
*Analyze the $MFT
*Check the MBR
*Run something like GMER on it
*Run some Anti-virus tools against the image
*Mandiant has some nice free tools
*IOCs
Hopefully that will get you started. I would start with GMER and Anti-virus tools first. It might be something simple. But remember the Navy analogy. There might be more so it helps to have an idea what you’re looking for.
12. “how to backtrack 5 get prefetch”
Mount your forensics image within Backtrack if you have an image. If not, you can boot the computer with the Backtrack Live distro (make sure it’s read only and doesn’t auto mount). Navigate to C:\Windows\Prefetch on the mounted image and either look at them on that machine, or copy them off to a USB drive and analyze them someplace else.
Prefetch could be disabled or not enabled depending on what version of Windows you’re looking at. You can check the registry for this.
13. “how to copy nc.exe on client machine and execute”
I guess you can do this a few ways. social engineering, compromise the machine and then upload it, drive by download, infected USB, etc.
I sort of did a post
here about it, but I didn’t provide the method I used to upload nc.exe. I used a USB to compromise the machine, once it connected back to me I uploaded nc.exe to the box as a persistence mechanism. Netcat doesn’t scale well so I don’t suggest using it if you’re trying to do something crazy and wild.
I did this so I could see the forensic artifacts. It wasn’t trying to be “leet”. I’m not sure leet and nc.exe go together anyway these days. It’s a nice tool for sure, but based off the question I assume you’re curious about compromising a box.
Happing hacking….
14. “how to create a volatile data collection script using dumpit”
You don’t create one. You use triage-ir, which is the best one that I know of. It uses dumpit along with lots of other goodies.
http://code.google.com/p/triage-ir/downloads/list
15. “how to dump zeus executable to file with volatility”
You use one of the following commands within volatility: procmemdump or procexedump
procmemdump dumps a process’s exe and includes the slack space. procexedump doesn’t inclue the slack space.
16. “how to export $mft” and “how to extract the mft from an image using icat from sleuth kit” and “how to extract windows 7 mft”
You can watch my youtube video showing you how to do this
here.
This is an example if you don’t want to watch the video:
icat -i raw -f ntfs -o 2048 /mnt/meh.dd 0 > meh.mft
17. “how to find malware in memory”
I use Volatility for memory analysis.
Here are a couple posts I did on malware where I use Volatility.
18. “how to extract .vmem using volatility”
I am going to assume you mean, “how do I analyze .vmem using volatility”, because you don’t actually extract a .vmem file with volatility.
simply run, vol.py imageinfo -f meh.vmem – Let’s assume it comes back with Win7SP1x86 as your profile. Then you would do vol.py –profile=Win7SP1x86 -f meh.vmem malfind, or whatever you want.
19. “how to get img file into sift workstation”
If you have a Virtual SIFT instance you can either copy it into the window via VMWare tools, create a shared folder within VMWare and mount the image that way, you can plug in a USB device and mount it that way, you could mount it over a network share, etc. There are lots of ways to do it.
20. “how to make forensic copy of infected system”
*dd command
*FTK Imager
*Helix
*etc.
I usually use dd or FTK imager. If I need to make an image over the network I will use Helix, but you could use dd with netcat just as easily. There are lots of ways to get an image. Find a couple you like and stick with them.
—————Break—————
I think this is it for today. I will release these in blocks of 20-25 until I am complete. There are a lot of duplicates, so I need to weed through all of them and find the unique questions.
Feel free to add something and please let me know if I missed something, or made a mistake. I don’t want to provide wrong information.
Enjoy!
Tweet
$MFT, DEFT, fls, icat, mactime, MBR, OpenMRU, Prefetch Files, SaveMRU, SIFT, The Sleuth Kit, tsk_recover, UserAssist, Zeus Malware
Good post, but I would suggest that the gap hasn’t been completely bridged. For example, in one instance, you state:
*Extract your $MFT and take a look
Take a look…for what?
You go on to include:
*Prefetch files
*Browser History
*UserAssist
Similar to the above, there’s no context. In short, if someone isn’t familiar with the artifact, (a) they aren’t going to know how to find it, and (b) they aren’t going to know what to look for.
I think having “how to” articles is a great way to share information within the community…everyone seems to want to know how someone else did something, but few want to share how they went about doing it. This is a great way to get the ball rolling…but I think maybe biting off a little less, and expanding/expounding upon one or two of the topic areas might be more useful.
I look forward to seeing more posts like this in the future.
Harlan,
Thanks for the feedback. I guess my intention was more of a “here’s something to get you started, now go do a bit of research”, but yeah, I see your point. I’ll go back over some questions and try and add some more details before I move on to “Part II”.
Thanks again.
Patrick