Tuesday, January 26, 2010


David Kovar has written a tool, in Python, to parse the NTFS $MFT, called analyzeMFT. The tool can be downloaded from this site. I've been using Mark Menz's MFTRipper to parse this data, and having other tools to do this sort of thing available can only be a good thing.

MS article on NTFS $MFT
Lance's article on Detecting Timestamp Changing Utilities

Windows 7 XP Mode

One of the interesting aspects of Windows 7, from both a usability and a digital forensics point of view is the addition of XP Mode. In short, if you have a system whose processor supports hardware virtualization (be sure to check that out!!), you can install a Windows XP SP3 virtual machine into VPC on Windows 7, and run tools that may not run (or run quite as well) on Windows 7. This sort of thing could be very useful from an analyst's perspective...with just one platform, you can run tools that don't rely on the Windows API to parse some data sources, and at the same time, you can run other tools that do require the Windows API, and even a specific version.

So, while this can be very useful, there's the question of virtualization and how it affects what the analyst needs to look for when examining a system. Diane Barrett has discussed artifacts left when someone uses Moka5 or MojoPak in presentations, and we're all aware of other virtualization tools and platforms out there...but with XP Mode, it's built into the OS shell.

The key to all this, from a digital forensics perspective, is going to be in determining where the artifacts of interest exist.

XP Mode Resources
Tony Bradley's article
LifeHacker article

AV, Symantec and the Google Thang
Symantec posted something on the Trojan.Hydraq Incident, indicating that it is associated with the Google issue that popped up recently.

Something I find concerning about their write-up is the description of the artifacts. They mention that the Trojan is a DLL and installs as a Windows service with the name "RaS[4 random characters]". Well, that's easy enough to search for across the enterprise...look for any service name that starts with "RaS". The problem is, this isn't the whole story. If the executable file is a DLL, that would indicate that it installs "under" something else, like SvcHost. This would mean that there are other artifacts; specifically, if someone finds a service with the specified name, then they should look at the Parameters subkey for the ServiceDll value...what happens if the name of the file changes from what's listed in the write-up? How about checking the SvcHost key in the Software hive?

Symantec isn't the only one who doesn't provide a great deal of useful information to folks, either. The MMPC has a write-up on rootkits, and mentions Trojan:W32/AproposMedia...here's their write-up on that one. Googling, I find that EmsiSoft, makers of the a-squared AV product, have something a bit more substantial.

Didier Stevens has posted about restoring SafeMode with a .reg file, adding a bit more to his info about a virus that deletes the SafeBoot key, tricks to restore SafeBoot, and protecting the SafeBoot key from being deleted. While not an end-all, be-all security approach, it is a good idea to take a look at this and consider making it part of your system setup. After all, where would you be if you didn't have access to a bit of safety net like SafeBoot?

Safe Mode Boot Options
Safe Mode Boot options for XP (here're the options for Windows 2000)

Interesting Request
I received an interesting request in my email this morning...someone wanted to use one of my Perl scripts in part of their courseware, and was asking if it was okay to do so. I appreciate when people do that, but I didn't recognize the script: sweep.pl. I followed the link provided in the email and downloaded the script...it's a port scanner/banner grabbing script I wrote in 1998! I wouldn't call my skillz 'l33t in any sense, even now...but back then, maybe imaginative. After all, I was doing stuff back then to see if I could, and to see if I really understood the mechanics of what was going on.

No comments: