How'd you do that??
One thing I've found to be very true about the community is that folks love to see how other analysts have done things. This is very helpful to know when it comes to writing articles or giving presentations.
Frank Boldewin recently posted CSI:Internet Episode 3: A trip into RAM, which provides an excellent walk-through on how he collected the contents of physical memory from a live Windows system, and then used Volatility (including the malfind, volshell, apihooks plugins) to locate malware. Frank's article is well worth a look, as it is an excellent read.
Advice
Need advice or input on getting started in DFIR work? Corey recently posted links to various articles and posts (including my own), and provided some considerable (and excellent) advice of his own. Even if you're already in the field, this is an excellent source of advice.
HowTos
I posted a quick-and-dirty blog post recently on how to create mini-timelines, and received a comment asking for more of these types of posts. I've considered writing "HowTo" posts in the past, but quickly found myself running short on topics. I'm considering posting more of these, but like I said...I'm kind of running short of topics.
Windows 8
I recently installed the available developer build of Windows 8 into VirtualBox (running on 64-bit Windows 7) using these instructions. So far, so good. During the setup, I opted to use the .vhd disk format (rather than the VirtualBox .vdi, or .vmdk) so that I could later add the .vhd file to a Windows system to see what things look like. I installed the OS, poked around a bit, and then shut the VM down and opened the .vhd file in FTK Imager. The Registry hives that I looked at (NTUSER.DAT) appear to follow the same format as previous versions; as Windows 8 is running in a VM, I won't be able to see things like wireless connectivity, etc. It also appears that Windows 8 uses Jump Lists (good thing I wrote that code to parse those bad boys, eh?); I'll definitely have to take a closer look at them, that's for sure. Looking at the Jump List files in the FTK Imager hex view, I see the file signature for the OLE/compound document binary format file, as well as the "Root Entry" and "DestList" stream names.
From the TwitterVerse, it seems that I'm not the only one moving along these lines...moyix has taken the first steps toward adding Win8 support to Volatility (see it working here).
APT
I know, I know...no one wants to hear about the "Advanced Persistent Treat" anymore. However, it appears that there was an APT Summit in DC this past summer, and RSA recently published an overview document of the findings from the summit. The PDF doc is 3 pages long, and pretty interesting read.
Windows Post-Exploitation
Thanks to Chad Tilbury, I was directed to this page (at pentestmonkey.net) which discusses various means of getting from Local Admin to Domain Admin once a system has been compromised. Looking for artifacts of these approaches can provide indications of what the intruder may have been up to.
I enjoy reading the How Tos posts and I can see them being a great reference. The VSC post will come in handy when I need to examine VSCs but don't have access (or want to use) Encase while the file extension analysis post can help identify the different areas to track down what program opens a certain file. Thanks for taking the time to put these together.
ReplyDelete> I'm kind of running short of topics.
If you are looking for content then one idea might be the different options to get a program in a forensic image to run on a computer. There are times when files can't be viewed without the native application so knowing different methods to try might be helpful.
Corey,
ReplyDeleteThanks for the comment.
...different options to get a program in a forensic image to run on a computer.
Beyond the previous HowTo post on file extension analysis, and maybe downloading the right version of the application (determined via Registry analysis), what else would you suggest? Is this a problem you've seen a lot, or have seen that others have encountered?
Again, thanks.
Sometimes I come across this issue with financial applications. They store data across multiple databases (mdb files) but the data can't be understood without the native program to pull the information together. The steps I try to get the program to run on my computer are: locate a demo version, mount the image and launch the program through Explorer, and attempt to boot image virutally to run the program. I'm not sure if there's a way to do a manual install using the information from the image.
ReplyDelete