Friday, August 10, 2018

Gaps and Up-Hill Battles

I've been thinking about writing a RegRipper plugin that looks for settings that indicate certain functionality in Windows has been disabled, such as maintaining JumpLists, as well as MRUs in the Registry.

Hold on for a segue...

David Cowen recently requested input via his blog, regarding the use of anti-forensics tools seen in the wild.  A little more than two years ago, Kevin S. wrote this really awesome blog post regarding the evolution of the Samas/Samsam ransomware, and I know you're going to ask, "great, but what does this have to do with anti-forensics tools?"  Well, about halfway down the post, you'll see where Kevin mentions that one of the early variants of Samas included a copy of sdelete in one of its resource sections.

As usual, Brett made some very poignant comments, in this case regarding seeing anti- or counter-forensics tools in the wild; specifically, just having the program on a system doesn't mean it was used, and with limited visibility, it's difficult to see how it was used.

Now, coming back around...

What constitutes counter-forensics efforts, particularly when it comes to user intent?  Do we really know the difference between user intent and operating system/application functionality?  Maybe more importantly, do we know that there is such a thing?

I've seen too many cases where leaps (assumptions, speculation) were made without first fully examining the available data, or even just looking a little bit closer.  Back in the days of XP, an issue I ran into was an empty Recycle Bin for a user, which might have been a bad thing, particularly following a legal hold.  So, an analyst would preview an image, find an empty Recycle Bin, and assume that the user had emptied it, following the legal hold announcement.  But wait...what was the NukeOnDelete setting?  Wait...the what?  Yes, with this functionality enabled, the user would delete a file as they normally would, but the file would not appear in the Recycle Bin.

Other questions that follow the same pattern: did the user clear the IE history, or was it the result of the regularly scheduled purge?  Did the user delete files and run defrag after a legal hold order, or was defrag run automatically by the OS?

Skipping ahead to modern times, what happens if you get a "violation of acceptable use policies" case, or a harassment case, or any other case where user activity is a (or the) central focus of your examination, and the user has no JumpLists?  Yes, the automatic JumpLists folder is empty.  Does that seem possible?  Or did the user suspect someone would be looking at their system, and purposely delete them?  Well, did you check if the tracking of JumpLists had been disabled via the Registry?

My point is that there is functionality within Windows to disable the recording and maintenance of various artifacts that analysts use to do their jobs.  This functionality can be enabled or disabled through the Registry.  As such, if an analyst does not find what they expect to find (i.e., files in the Recycle Bin, RecentDocs populated, etc.) then it's a good idea to check for the settings.

Oh, and yes, I did write the plugin, the current iteration of which is called disablemru.pl.  I'll keep adding to it as more information becomes available.
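For anyone who wants to apply the same idea outside of RegRipper, here is an added example (my own Python, not the disablemru.pl plugin and not RegRipper code) that walks an offline NTUSER.DAT or SOFTWARE hive and flags the Explorer and policy values that turn off RecentDocs/JumpList tracking or make deleted files bypass the Recycle Bin. It assumes the python-registry package for hive parsing; the DictReader class and the GUID-like volume names in its comments are constructed stand-ins for offline use.

```python
"""Flag Registry settings that suppress artifacts an examiner expects to find
(Recycle Bin contents, RecentDocs, JumpLists). Added example; not the post's
disablemru.pl plugin. Offline hive parsing assumes the python-registry package."""
try:
    from Registry import Registry          # pip install python-registry (assumed)
except ImportError:                        # keep the evaluation logic usable without it
    Registry = None

# (hive, key relative to the hive root, value name, data that suppresses the artifact, meaning)
SUPPRESSION_SETTINGS = [
    ("NTUSER", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Start_TrackDocs", 0, "recent items and JumpList tracking switched off"),
    ("NTUSER", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoRecentDocsHistory", 1, "RecentDocs history disabled by policy"),
    ("NTUSER", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "ClearRecentDocsOnExit", 1, "RecentDocs cleared at logoff"),
    ("SOFTWARE", r"Microsoft\Windows\CurrentVersion\Explorer\BitBucket",
     "NukeOnDelete", 1, "deleted files bypass the Recycle Bin (XP-era global setting)"),
]
BITBUCKET_VOLUMES = r"Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume"

class HiveReader:
    """Offline hive access; value() returns None when the key or value is absent."""
    def __init__(self, path):
        if Registry is None:
            raise RuntimeError("python-registry is required to parse hive files")
        self.reg = Registry.Registry(path)
    def value(self, key, name):
        try:
            return self.reg.open(key).value(name).value()
        except (Registry.RegistryKeyNotFoundException, Registry.RegistryValueNotFoundException):
            return None
    def subkeys(self, key):
        try:
            return [k.name() for k in self.reg.open(key).subkeys()]
        except Registry.RegistryKeyNotFoundException:
            return []

class DictReader:
    """Constructed in-memory stand-in with the same interface, for offline testing."""
    def __init__(self, values):            # values: {key_path: {value_name: data}}
        self.values = values
    def value(self, key, name):
        return self.values.get(key, {}).get(name)
    def subkeys(self, key):                # direct children only, e.g. Volume\{guid}
        prefix = key + "\\"
        return [k[len(prefix):] for k in self.values
                if k.startswith(prefix) and "\\" not in k[len(prefix):]]

def evaluate(reader, hive_type):
    """Return one finding per setting whose data matches the suppressing value."""
    findings = []
    for hive, key, name, flag, meaning in SUPPRESSION_SETTINGS:
        if hive == hive_type and reader.value(key, name) == flag:
            findings.append(f"{key}\\{name} = {flag}: {meaning}")
    if hive_type == "NTUSER":              # Vista and later keep NukeOnDelete per volume GUID
        for guid in reader.subkeys(BITBUCKET_VOLUMES):
            key = f"{BITBUCKET_VOLUMES}\\{guid}"
            if reader.value(key, "NukeOnDelete") == 1:
                findings.append(f"{key}\\NukeOnDelete = 1: deleted files bypass the Recycle Bin")
    return findings
```

Run it against an exported hive with evaluate(HiveReader("NTUSER.DAT"), "NTUSER"); an empty list means none of these switches were found set, not that the artifacts were never deleted.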
