Monday, January 04, 2010

Browser Stuff

Many times during an examination, we'll take a look at the user's browser activity. That might include starting by getting the contents of the TypedURLs Registry key (I see that as a first step in a lot of analysis plans) and parsing an index.dat file or two; however, one thing that I rarely see in an analysis process, in case notes, or in a report is, the first thing I did was determine the default browser, as well as any other browsers that may have been installed and used.

When exploring user activity via the browser, the analyst needs to be sure to:

1. Check to see what the default browser is...yes, there's an app a RegRipper plugin for that. But keep in mind, this value can change. If the user doesn't uncheck one box in the default browser dialog that appears, they will be asked every time if they want to make the browser their default, so the question will be asked each time and they can go back and forth.

2. Determine what other browsers may be installed; don't assume that someone's only going to use Firefox. Strike that...don't assume anything. Find out. Any easy way to do this is to check the file associations for .htm(l) and .asp(x) files, as well as just see what software is installed.

3. Other places to check (these are included in RegRipper plugins, by the way...) include the user UserAssist keys (what've they been launching), the Uninstall key (for software installations), and which MSIs have been run on the system.

Many of these are quick checks...several folks who've used RegRipper have said that the tool has reduced Registry analysis from days to minutes, and thanks to the plugins, been more comprehensive than previous processes. So adding these checks to your analysis plan doesn't correlate to a significant increase in the time it takes to conduct your analysis.

One area that I rarely see discussed in browser analysis is the bookmarks file. For Firefox, the bookmarks.html file include ADD_DATE and LAST_MODIFIED entries for folders, and ADD_DATE and LAST_VISIT entries for the URLs. For IE, you'd look for the Favorites folder, which contains InternetShortcut/.url files which also include timestamps, in addition to the file MAC times themselves.

It seems to me that including this information in a timeline...should the investigation necessitate doing so...might be a source of some valuable data. For example, let's say you found an entry of interest in the user's Internet history; would it add some additional (and perhaps significant) context to the overall investigation to know that the web site was in the user's bookmarks/Favorites?

Commercial tools like ProDiscover make it very easy to populate the IE Internet History view from an image rather than just a single user. But keep in mind that it isn't IE that populates the Internet history artifacts for the user; it's the use of the WinInet APIs. What that means is that any application or tool that uses the WinInet APIs may leave similar artifacts, which is why, during some engagements, some of us have seen an Internet history for the Default User populated. In one particular instance, wget.exe was found to have been launched using System-level privileges, and the tool was found to use the WinInet APIs so we found clear artifacts of the use in the Default User's Internet history. In that particular case, the intruder used SQL injection to gain access to the MS SQL Server, and ran commands to create an FTP script file, which was then launched via ftp.exe. The script downloaded wget.exe, which the intruder verified was on the system, and then used to download additional software.

Another aspect of browser analysis (specifically for IE) is to look for Browser Helper Objects, or "BHOs". From a forensic analysis perspective, some BHOs have been known to be spyware, or worse; Symantec identified BHOs as a common loading point for malware.

This article discusses how to prevent BHOs from loading with the Explorer process, and only loading with IE.

On Firefox, Add-ons may be of interest. Here's a Symantec article that talks about BHOs (IE) and XPCOM (Mozilla).

My point is that sometimes just looking at the user's Internet browsing history may not be enough to really get a solid picture of what's going on. The existence of a particular web site that has been bookmarked or added to the user's Favorites may add valuable context to the examination. BHOs are loaded when the user starts IE, so any action taken by the BHO will be done in the user's context, and therefore will populate the user's Internet history.

So how might you use this in a real-world investigation? Well, if the user has their browser configured to delete the history when the browser is closed, or uses another tool to do so, you may find something of value in the bookmarks. Even if the history hasn't been deleted, you will be able to associate some artifacts with specific user activity.

What about the Trojan Defense? Well, with a comprehensive and thorough malware detection process, you might also include a specific check for BHOs or addons to the browser, further closing the door on that issue.

Resources
Firefox 3 Forensics
FoxAnalysis
Firefox Forensics (Machor Software - also Windows and Google Chrome Forensics)
NirSoft Browser Tools
WBF Tool

Addendum, 8 Jan
Opera Files - global history is kept in global.dat, entries have a format that looks similar to IE Favorites .url files:

Webpage Title - Something
http(s)://www.somewebsite.com/page
(possible *nix epoch timestamp)

11 comments:

Ken Pryor said...

Very interesting and helpful post, Harlan. Thanks for the post!
KP

H. Carvey said...

I hope you find it helpful...

Jimmy_Weg said...

Many times during an examination, we'll take a look at the user's browser activity. That might include starting by getting the contents of the TypedURLs Registry key...

I think that you mentioned this key as an example to drive a point home, but, since you did, I'll point out that the TypedURLS is a questionable indicator of intent. I review it, but rarely, if ever, cite it in a report as evidence. The problem is that the key can be populated by actions other than typing and pasting. I'll anticipate your question, so I'll say that there was some research cited on this key on the Digital Detective Forum, and I validated the findings at the time, but can't recall the more esoteric events that can populate this key. I can try to go back and find that thread.

It would be wise to check for artifacts of every browser, default or otherwise. That point seems implicit in your message.

...so we found clear artifacts of the use in the Default User's Internet history.

This is a very interesting and useful pointer. I'd be interested to see the index records that documented this finding. In most of our cases, I'd say that the index records that reflect web site visits and file accesses are records of activity that were effetced with MSIE. Perhaps something else could mimic that behavior? Any index record attributed to the "Default" user should be explored further.

Darren said...

Extracting the Registry Files is the first thing I do, then whilst other processes are running, I use access data registry viewer, and some custom summary reports I've created, to extract keys of interest. It really helps to start building a picture, and give you an oversight of what you are dealing with, and very quickly too. I also use regripper to confirm findings. There are lots of keys with really good information, too many to start listing. One good one is the "number of days to keep browser history". If it's only one day, don't expect to see too much, but if it's 90 days, there should be lots to look through.

My biggest gripe would be having to process each file separately. It would be so much easier to point regripper to a folder with all the registry files in it, and have it produce reports based on the keys I choose. I know it can be done with individual files. Perhaps rather than focussing on getting regripper to work on mounted images, you could get it to process all registry files in a folder. Shouldn't be too hard, probably easier than the mounted image scenario.

Or perhaps I should start reading the regripper code to see if I can create this functionality...

Mark Woan said...

For Google Chrome: http://www.woanware.co.uk/chromeforensics/, includes the ability to extract thumbnails etc.

H. Carvey said...

Thanks all, for your comments...

...I'll point out that the TypedURLS is a questionable indicator of intent.

Agreed. However, when I've reviewed what others have done, or said that they've done, this is one of the first things I see mentioned.

It would be wise to check for artifacts of every browser, default or otherwise.

Particularly if I'm seeing a reference to other browsers in, say, the MUICache key, and that the user launched the Add/Remove Programs Control Panel applet (seen via the UserAssist key entries)...

My biggest gripe would be having to process each file separately.

At the moment, you can do this quite easily with rip.pl/.exe, in a batch file. This is what Paul Stutz has done. I am adding this capability to the next version of RegRipper, as well.

Jimmy_Weg said...

Harlan, is it possible to show us a sample of the Default account's index records that display the activity that you noted? Sorry for asking again, but this interests me. Thanks.

H. Carvey said...

Jimmy,

I don't have an actual sample available, as this is something I've been repeating for a while now, based on Robert "Van" Hensing's assistance on an old case. If you look at Robert's post, it's dated 2006. Sorry.

hogfly said...

I had an older blog post on this showing the activity - http://forensicir.blogspot.com/search?q=analyzing+an+intrusion

Here's a very recent example.
Default User Cache below. This is from a compromise where the system was remotely exploited and code execution was done under SYSTEM privs using "default user" profile. I see this more often than I'd care to admit..

Produced with iecacheview.

E001[6].exe ftp://into.imzone.in/E001.exe 12/29/2009 4:16:28 PM N/A N/A 172 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\E001[6].exe Yes
A028[31].exe ftp://into.imzone.in/A028.exe 12/29/2009 4:16:24 PM N/A N/A 197 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\A028[31].exe Yes
M001[2].exe ftp://into.imzone.in/M001.exe 12/29/2009 4:15:40 PM N/A N/A 16 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\M001[2].exe Yes
J002[2].exe ftp://into.imzone.in/J002.exe 12/29/2009 4:15:37 PM N/A N/A 19 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\J002[2].exe Yes
J001[2].exe ftp://into.imzone.in/J001.exe 12/29/2009 4:15:34 PM N/A N/A 20 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\J001[2].exe Yes
H001[2].exe ftp://into.imzone.in/H001.exe 12/29/2009 4:15:30 PM N/A N/A 29 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\H001[2].exe Yes
Q[1].exe ftp://into.imzone.in/Q.exe 12/29/2009 4:09:44 PM N/A N/A 4 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\Q[1].exe No
P001[1].exe ftp://into.imzone.in/P001.exe 12/29/2009 4:09:40 PM N/A N/A 6 0 I9U5K1A7 F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I9U5K1A7\P001[1].exe Yes

Unknown said...

Harlan,

I'm new to RegRipper and am just starting to get acquainted with it. You indicate above that there's a plugin that helps determine the default browser. It's not clear to me which plugin applies. Can you please clarify that point? (Forgive me if I'm missing something; I've looked through the documentation and the plugin list, and the required plugin is eluding me).

Thanks.

H. Carvey said...

Gregory,

It's a plugin I've written for myself.

RegRipper is freely available, and anyone can write plugins for it. In fact, someone a while back wrote a plugin generator that, for a very limited subset of plugins, would allow you to select a key or value and automatically generate a plugin to retrieve data.

Also, I have stated time and time again that if someone needs a plugin that's not yet available, send me a concise request and a sample plugin, and I can turn one around (generally) pretty quickly. I've actually had some folks send me a request, and state in the email that they were not sending me a sample hive.

I tried to access your profile in order to get an email address to send you the plugin, but I couldn't.