Sunday, July 19, 2009

More Perl-y goodness

I've uploaded a new script (handle.pl) to the files section of the Win4n6 Yahoo group...this is a script I wrote this morning to process the output of "handle -a" (collected during live response), based on a couple of things mentioned by Kris Harms and Pete Silberman (both of Mandiant) during the SANS Forensic Summit.

The script extracts, parses, and lists all entries for "pid:", which is something Kris mentioned during his presentation is a means of collecting the same information (ie, process listing) using a disparate means (ie, different API calls). After completing this iteration of the script, I figured that the next version will include additional processing of other items.

The script also processes the output for mutants and displays them all based on the "frequency of least occurrence". Pete mentioned that malware is (should be) the least frequent thing to occur on a system, and malware authors are using mutexes to ensure that infected systems are not continually infected over and over again. Many times, these mutexes are random names, whereas they usually appear as easily readable strings in most cases.

So, during live response, should the responder opt to run "handle -a > handle.log" as part of a batch file, the resulting output of the command (ie, handle.log) can be quickly and easily parsed using scripts like this. Also, this acts as a force-multiplier, in that the knowledge developed by a few is made easily available to many. Seriously...how often do you hear someone say, "...find interesting or suspicious processes..." with no mention of what constitutes "interesting" or "suspicious"?

Thoughts?

Addendum, 20090720: I've updated the handle.pl Perl script to include include some disparity checking in processes (searches for PIDs vs process/thread handles), etc. I see this script as being extremely useful and very valuable for performing some automated parsing and analysis of collected data, as codifying the "rules" for initial processing of the data allows for the use of automation as a force multiplier and error reduction technique. I can also see how it would be useful to add Least Frequency of Occurrence (LFO) checking for other (Event, Device, File, Key) handles, as well as process listing disparity checking against the output of other process listing tools (ie, pslist, tlist, etc.)

3 comments:

Unknown said...

I being thinking for a while now that we should start to rip live data before shutting down and performing an image of said computer. However, my question is, and maybe the answers are out there already. Can we do live rips of data and have it hold up in court.

jah said...

Sounds like handle.pl could be very useful. handle.exe sure is useful, but sifting through it can take a while! Is there anywhere one can get hold of your script if not a member of the Win4n6 group?

H. Carvey said...

Luke,

Can we do live rips of data and have it hold up in court.

Let me answer that with a question...why can't you?

JAH,

For right now, the script is up on the Group. I don't have any other place to put it at the moment.

Thanks,