Lab week day 2: File systems, Windows Registry 07 30 54 35, 02 34 42 02 51 00

Understanding NTFS and File Metadata

Introduction to File Systems

  • The session begins with a brief introduction, confirming the recording and streaming setup for the discussion on file systems.
  • The focus is on understanding file systems through an example, specifically NTFS, which is widely used in workstations and servers.

Exploring File Metadata

  • Discussion of file metadata includes directory names, timestamps, sizes, attributes, owners, and ACLs (Access Control Lists), highlighting differences between NTFS and other file systems like EXT.
  • Two types of data are identified: metadata (information about files) and content (actual data within files), emphasizing their importance in forensic analysis.

Forensic Analysis Context

  • In law enforcement forensics, two elements are crucial: possession of illegal content (file content) and knowledge of that possession. This dual requirement impacts legal outcomes.
  • Metadata can provide insights into user activity around specific times, aiding investigations by linking file names or locations to potential knowledge of illicit content.

Importance of Metadata in Incident Response

  • During incident response scenarios, metadata often holds more significance than actual file content; it helps trace activities over time.
  • Specific attention is given to compressed files created by attackers for evidence of exfiltrated data and executables used as tools for malware analysis.

Master File Table (MFT)

  • The MFT is introduced as a critical component of NTFS that stores all metadata for files and directories. Accessing this requires raw disk access rather than standard Windows API calls.
  • Each file or directory must have at least one MFT record; however, records can be reused if marked unallocated or deleted to manage space efficiently.

Fragmentation and Record Limits

  • More than one MFT record may exist per file due to fragmentation when a single record cannot accommodate all necessary information. Each MFT record has a size limit of 1,024 bytes.
  • An example illustrates how an MFT record contains essential metadata about a specific executable (calc.exe), including its entry header details.

Understanding Entry Headers

  • Every MFT record features an entry header that provides standard information such as the header string indicating the type of record.
  • Historical context is provided regarding earlier versions of NTFS where different identifiers were used in entry headers compared to current standards.

Sequence Numbers in MFT Records

  • Each MFT record includes a sequence number tracking how many times it has been utilized. This number starts at one but can increase significantly based on usage patterns.

Understanding File System Attributes in NTFS

Overview of File Statuses

  • The entry header flags give four possible statuses for a record: an allocated file, an allocated directory, a deleted file, or a deleted directory. Additionally, flags such as hidden and archive are relevant.

Record Entry Header Details

  • The record entry header's size varies by version: pre-Windows 2000 versions (NT 3.51) use 48 bytes, while later versions use 56 bytes (hex 5.6). The header points to the first attribute of the file.

Key Attributes in NTFS

  • Important attributes include:
      ◦ Standard Information Attribute: tracks file timestamps.
      ◦ File Name Attribute: contains the actual name and additional data useful for forensic examination.
      ◦ Data attribute: represents the content of the file (e.g., images, text).

Timestamps and Their Significance

  • The standard information attribute holds the primary MACE timestamps: modified, accessed, created, and entry modified. The attribute also contains security IDs and flags, but its main forensic use is time tracking.
  • Notably, these timestamps can be modified via Windows API calls, for example with a tool such as SetMACE; this access is not inherently malicious, since legitimate software uses it to update timestamps.

Differentiating Time Stamps

  • The file name attribute contains its own set of timestamps (created, modified), which differ from standard information timestamps because they cannot be updated through user-level tools without deeper system access.
  • This limitation makes it harder for attackers to modify these times without causing noticeable system issues.

Additional File Name Attributes

  • There are various reasons for additional file name attributes:
      ◦ DOS-compatible names (8.3 format).
      ◦ Case-sensitive names exist but are rare.

Updating Timestamps Automatically

  • A question arises about how timestamps update if inaccessible to the operating system. Moving files between directories can trigger updates due to internal processes that do not require direct API calls.
  • Specific actions like moving files across volumes typically update all relevant timestamps except for last modified times due to recreation during movement.

Copying Attributes Across Media

  • When transferring files to removable media formatted with a different file system (such as exFAT), certain attributes may not carry over, since they rely on NTFS-specific structures that do not exist in other formats.

Recovery of Deleted Files in NTFS

Understanding MFT Records and File Recovery

  • Deleted files in the Master File Table (MFT) are not immediately overwritten, allowing potential recovery.
  • When a file is deleted, its record becomes available for reuse, but the actual data remains until overwritten by new files.
  • Forensic examiners can recover deleted files as long as the data has not been overwritten, utilizing both metadata and addressing information.

Importance of Timestamps in Forensics

  • Timestamps can be altered using tools like SetMACE; thus, context and corroborating evidence are crucial for accuracy.
  • A single timestamp lacks reliability; multiple corroborating timestamps enhance investigative credibility.
  • Example: If a backdoor file (Rasmond.dll) matches creation times with legitimate system files, it complicates detection.

Techniques Used by Attackers

  • Attackers may manipulate file creation dates to blend malicious files with legitimate ones created during system setup.
  • This technique makes it challenging to identify suspicious files based solely on standard information timestamps.

Limitations of Last Access Time

  • The last access time is often not updated in modern operating systems, limiting its usefulness in investigations.
  • Some timestamps may be preserved when copying from removable media or archives, complicating date relevance.

Data Attributes in NTFS

  • Data attributes exist only for files; directories do not have data attributes since they don't contain data themselves.
  • Data can be resident (fitting within an MFT record of 1,024 bytes), optimizing space usage for small files.

Understanding File Attributes and Data Management in NTFS

The Role of Resident and Non-Resident Attributes

  • Smart attackers create small files that may remain resident, but these files won't be overwritten immediately upon deletion since the MFT (Master File Table) record isn't overwritten until reused.
  • A web shell could potentially be created using small files, although this technique is not commonly observed among attackers.
  • Non-resident attributes store data outside the MFT, containing pointers to where the actual data resides on the disk rather than including it directly within the MFT.

Fragmentation and Pointer Management

  • If a file initially created as resident becomes too large, it transitions to non-resident status, requiring pointer usage for data retrieval.
  • For forensic analysis, acquiring the entire MFT can facilitate faster analysis compared to enumerating over it with tools. This allows examiners to extract relevant data efficiently.

Analyzing MFT Records

  • Each MFT record begins with a specific header signature (FILE0), which is consistent across records, making them easier to identify during analysis.
  • The hexadecimal representation of headers indicates their size; for instance, hex 30 corresponds to a decimal value of 56 bytes indicating header length.

Extracting File Information

  • Attributes within an MFT record are dynamic; they can be added or removed based on file requirements. Understanding these structures is crucial for effective forensic examination.
  • The presence of duplicate timestamps in file attributes highlights how metadata can provide insights into file history and changes.

Tools for Forensic Analysis

  • Manual extraction of data from the MFT requires knowledge of its structure; alternatively, utilities like "MFT to CSV" can automate this process by identifying resident data streams.
  • Alternate data streams allow multiple named streams associated with a single file. These streams can contain hidden information that standard access methods might overlook.

Hidden Data Streams and Their Implications

  • Named data streams enable legitimate uses but also present opportunities for hiding malicious content without affecting primary file operations.
  • Awareness of alternate data streams is essential in forensic investigations as they may conceal critical evidence within seemingly innocuous files.

Can Alternate Data Streams Be Hidden?

Understanding Alternate Data Streams

  • The discussion begins with the ability to hide pointers or content in alternate data streams, which can be either resident or non-resident. These streams function as separate files without associated timestamps.
  • It is noted that alternate data streams do not impact other data and behave like a data attribute. Internet Explorer used these streams for storing favorite icons, and forensic tools can detect them.
  • A specific example is the Zone.Identifier stream, which records the origin of a downloaded file (e.g., internet vs. removable media). This stream triggers security warnings when executing potentially harmful files.
  • Users can manually edit the Zone.Identifier stream to bypass security prompts. The speaker recounts an experience where a backdoor was hidden in an alternate data stream, evading antivirus detection due to its location in a critical system folder.
  • Modern Windows versions prevent executables from running directly from alternate data streams but still allow for hiding other types of data, raising concerns about potential misuse in forensic investigations.
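As an added example (not code from the session), the following Python parses a single MFT record the way the sections above describe: the FILE entry header with its sequence number, flags and first-attribute offset, the resident $STANDARD_INFORMATION and $FILE_NAME timestamps, and the $DATA attributes, including a named Zone.Identifier stream. It then flags the time-stomping pattern discussed earlier (a $STANDARD_INFORMATION creation time earlier than the kernel-set $FILE_NAME creation time). The record is constructed inside the block with invented dates; update-sequence fixups are assumed to have been applied already.

```python
import struct
from datetime import datetime, timedelta, timezone

SI, FN, DATA = 0x10, 0x30, 0x80          # $STANDARD_INFORMATION, $FILE_NAME, $DATA type codes
TIMES = ("created", "modified", "entry_modified", "accessed")   # on-disk order of the 4 FILETIMEs
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_mft_record(buf):
    """Entry header, then the attribute chain; assumes update-sequence fixups already applied."""
    if buf[:4] != b"FILE":
        raise ValueError("no FILE signature: not an MFT record")
    seq, links, first, flags = struct.unpack_from("<4H", buf, 0x10)
    rec = {"sequence": seq, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
           "first_attr": first, "si": None, "fn": [], "data": []}
    off = first                           # 0x30 on NT 3.51, 0x38 from Windows 2000 onwards
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", buf, off + 8)
        name = buf[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        body = b""
        if not nonres:                    # resident: the content lives inside the record
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            body = buf[off + coff:off + coff + clen]
        if atype == SI and body:          # four FILETIMEs at offset 0 of the content
            rec["si"] = dict(zip(TIMES, map(filetime, struct.unpack_from("<4Q", body))))
        elif atype == FN and body:        # parent reference, four FILETIMEs, name at 0x42
            parent = struct.unpack_from("<Q", body)[0]
            fn = dict(zip(TIMES, map(filetime, struct.unpack_from("<4Q", body, 8))))
            fn.update(name=body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"), namespace=body[0x41],
                      parent_entry=parent & 0xFFFFFFFFFFFF, parent_seq=parent >> 48)
            rec["fn"].append(fn)
        elif atype == DATA:               # unnamed = file content, named = alternate data stream
            rec["data"].append({"stream": name, "resident": not nonres, "content": body})
        off += alen
    return rec

def timestomp_indicators(rec):
    """$FN times are kernel-set; an $SI creation time before $FN creation suggests backdating."""
    hits = []
    if rec["si"] and rec["fn"]:
        fn_created = min(f["created"] for f in rec["fn"])
        if rec["si"]["created"] < fn_created:
            hits.append("$SI created %s precedes $FN created %s" % (rec["si"]["created"], fn_created))
    hits += ["alternate data stream %r" % d["stream"] for d in rec["data"] if d["stream"]]
    return hits

# ---- constructed sample record (not taken from a real image) ----
_ft = lambda *t: int((datetime(*t, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000

def _attr(atype, body, name=""):
    """One resident attribute: 24-byte header, optional UTF-16 name, content, padded to 8 bytes."""
    n = name.encode("utf-16-le")
    coff = (0x18 + len(n) + 7) & ~7
    total = (coff + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(body), coff, 0, 0)
    return (hdr + n).ljust(coff, b"\0") + body.ljust(total - coff, b"\0")

def sample_record():
    """wce.txt whose $SI creation time was pushed back to 2009, while the kernel-set $FN
    creation time shows it appeared at 04:41 on the day of the intrusion (invented dates)."""
    real, fake = _ft(2014, 3, 2, 4, 41, 0), _ft(2009, 7, 14, 1, 0, 0)
    si = _attr(SI, struct.pack("<4Q", fake, real, real, real) + bytes(16))
    fn = _attr(FN, struct.pack("<7QII", (5 << 48) | 1234, real, real, real, real, 72, 65, 0x20, 0)
               + bytes([7, 3]) + "wce.txt".encode("utf-16-le"))
    main = _attr(DATA, b"constructed stand-in for the credential-editor output")
    ads = _attr(DATA, b"[ZoneTransfer]\r\nZoneId=3\r\n", "Zone.Identifier")
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 7, 1, 0x38, 1, 0, 1024, 0, 5, 0, 4321)
    return (hdr.ljust(0x38, b"\0") + si + fn + main + ads + b"\xff\xff\xff\xff").ljust(1024, b"\0")
```

On a real $MFT extract, feed each 1,024-byte slice to parse_mft_record after undoing the fixups, and run timestomp_indicators over the records whose $FILE_NAME creation time falls in the window of interest.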

Forensic Implications of Alternate Data Streams

  • The speaker emphasizes that while detecting alternate data streams may seem straightforward, lack of awareness can pose challenges during forensic analysis.
  • Current forensic tools are capable of inspecting named data streams effectively; however, understanding their existence and behavior is crucial for accurate analysis.

What Are Index Attributes?

Characteristics of Index Attributes

  • Index attributes are exclusive to directories and can also be resident or non-resident. They help manage file names within directories that exceed available space in the Master File Table (MFT).
  • In forensic imaging tools like FTK Imager, index attributes appear as $I30 files. These attributes point to chunks of directory information stored on disk.
  • When directories cannot be resident, they utilize an index root attribute that organizes directory entries into 4,096-byte chunks on disk.

Importance in Forensic Analysis

  • The index attribute tracks comprehensive file information beyond just names; it includes file sizes and timestamps useful for corroborating evidence during investigations.
  • Investigators may find valuable context by examining unallocated spaces for index files when conducting thorough forensic analyses rather than relying solely on live response tools.
  • Searching through unallocated space may yield additional insights into file activities and behaviors relevant to ongoing cases involving malicious software or hidden contraband.

Understanding File Management in NTFS

The Structure of File Management

  • The concept of file management in NTFS is introduced, emphasizing that files are indexed based on their sequence numbers rather than a simple A to Z order.
  • When a directory is created, it receives a unique sequence number (starting from one), which helps track its associated files.
  • Upon deletion of a directory, the sequence number increments, marking the directory as deleted while leaving its contained files' sequence numbers unchanged.
  • Deleted files retain their original parent directory's MFT record but cannot be accurately placed back into any directory due to mismatched sequence numbers.
  • Forensic tools may categorize these orphaned files differently; for instance, FTK Imager lists them as orphan files while other tools might classify them as lost files.

Challenges with Orphan Files

  • The inability to update the sequence numbers of deleted files complicates their recovery and organization within forensic investigations.
  • Virtualization techniques may be necessary to manage these orphaned files effectively since they still reference their original directories despite being marked as deleted.
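As an added example (not code from the session), this Python shows the sequence-number check the two sections above describe: each $FILE_NAME carries the parent's entry number and the sequence number the parent had at the time, and a file can only be placed in a directory when that sequence number still matches the parent record's current one. The MFT extract is constructed with invented entry numbers.

```python
ROOT = 5                                    # the root directory always occupies MFT entry 5

# Constructed MFT extract (invented values): entry -> (current sequence number, allocated?,
# $FILE_NAME name, parent entry, parent sequence number as stored in the child's $FILE_NAME)
ENTRIES = {
    5:   (1, True,  "",          5,  1),
    40:  (2, True,  "Users",     5,  1),
    41:  (1, True,  "Jeff",      40, 2),
    42:  (3, False, "staging",   41, 1),    # directory deleted: sequence bumped from 2 to 3
    43:  (3, True,  "Pictures",  41, 1),    # record freed and reused by a different directory
    100: (1, False, "loot.rar",  42, 2),    # deleted file still pointing at staging @ sequence 2
    101: (1, False, "wce.txt",   43, 2),    # deleted file whose parent record was reused
    102: (1, True,  "notes.txt", 41, 1),
}

def resolve(entry, entries=ENTRIES):
    """Follow parent references up to the root, checking at each hop that the parent's current
    sequence number still equals the one recorded in the child's $FILE_NAME."""
    parts, seen, start = [], set(), entry
    while entry != ROOT:
        if entry in seen or entry not in entries:
            return None, "broken parent chain"
        seen.add(entry)
        _, _, name, parent, parent_seq = entries[entry]
        parts.append(name)
        if parent not in entries:
            return None, "parent entry %d not in the MFT extract" % parent
        pseq, pinuse, pname = entries[parent][:3]
        if pseq != parent_seq:
            if not pinuse and pseq == parent_seq + 1:     # deleted, but the record was not reused yet
                return None, "orphan: parent %d deleted, last known name %r" % (parent, pname)
            return None, "orphan: parent %d record reused (now %r, sequence %d)" % (parent, pname, pseq)
        entry = parent
    path = "\\" + "\\".join(reversed(parts))
    return path, "placed" if entries[start][1] else "placed (deleted)"

def classify(entries=ENTRIES):
    """Reconstructed path or orphan status for every entry except the root."""
    return {e: resolve(e, entries) for e in entries if e != ROOT}
```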

Index Attributes and Data Parsing

  • Index attributes can appear messy when viewed raw in a hex viewer, but they can be parsed using specialized tools that reveal structured data objects.
  • Transitioning into practical applications, lab exercises will focus on understanding the NTFS system more deeply.

Investigating Suspicious Files

Analyzing File Creation Times

  • Discussion begins regarding suspicious file activity between specific timestamps (4:41 and 4:46:59), particularly focusing on an add-ins folder where multiple suspicious files were found.

Identifying Potential Threats

  • Sorting by file creation time reveals three suspicious executables located within the add-ins folder, indicating potential malicious activity.
  • Some identified files appear legitimate upon further investigation; however, others raise concerns due to their presence in an unusual location (add-ins folder).

Contextualizing Findings

  • The presence of executable and text files in the add-ins folder is atypical for standard Windows systems, suggesting they warrant closer scrutiny for security purposes.

Conclusion of Analysis

  • Final observations confirm that certain older-looking files were indeed created during the specified timeframe (4:40 and 4:47), reinforcing suspicions about unauthorized activities.

File Analysis Techniques

Understanding File Column Management

  • Users can manage file columns by right-clicking to add or remove them, which helps in organizing data effectively.
  • The speaker prefers using the "file name created" column for clarity, as other time-related columns are deemed unpredictable.

Investigating MD5 Hashes

  • The speaker discusses using VirusTotal for analyzing files associated with suspicious MD5 hashes, noting that it provides valuable information about potential threats.
  • When searching for specific files like wce.exe, users can find detection details and community descriptions based on the MD5 hash.

Risks of Using VirusTotal

  • Caution is advised against uploading entire files to VirusTotal due to privacy concerns; uploaded files may reveal sensitive company information if they contain identifiable data.
  • Historical context is provided regarding the RSA breach, illustrating how sharing malware with antivirus vendors led to unintentional disclosure of corporate identity.

Monitoring Threat Intelligence

  • Attackers may monitor VirusTotal uploads; thus, revealing knowledge of a threat could prompt attackers to alter their tactics.

Analyzing Prefetch Files and Last Modified Times

  • Discussion includes identifying missing Windows add-ins from prefetch analysis, emphasizing the importance of tracking file presence on the system.
  • The last modified time of directories can indicate when an attacker was active in creating or deleting files within that directory.

Extracting Information from MFT Files

  • To access contents like wce.txt, one must examine the Master File Table (MFT), often requiring a hex editor for detailed analysis.
  • The size of MFT entries can be substantial; understanding offsets and attributes is crucial for effective forensic investigation.

Navigating Hexadecimal Data

  • Searching through UTF-16 encoded data (NTFS stores file names as UTF-16) requires familiarity with hexadecimal representation and character encoding to locate specific file attributes efficiently.

Understanding File Attributes and NTLM Hashes

File Name Attribute and Data Structure

  • The file name attribute includes dates and times, but the speaker lacks a suitable editor to demonstrate its functionality.
  • The data attribute is identified by hex 80, with the attribute's content starting at offset 18.
  • The logical size of the attribute is noted as 65 bytes, which contains actual file data that can be saved in various formats like TXT.

NTLM Hashes and Password Security

  • An example of an NTLM hash is provided, revealing that it corresponds to the password "password," highlighting its vulnerability.
  • NTLM hashes are weak against rainbow table attacks, making them easy targets for credential theft.
  • Modern methods for obtaining passwords have evolved beyond NTLM; tools like Windows Credential Editor (WCE) are now less effective.

Exploring Windows Registry Changes

Overview of Windows Registry

  • The Windows Registry serves as a configuration database tracking system-wide settings, user preferences, and security configurations.
  • Changes made in Windows 7 introduced "big data" structures to accommodate more information in the registry.

Forensic Implications

  • The introduction of big data broke many forensic tools due to their inability to read new structures; this went unnoticed for years.
  • AppCompatCache was discovered as a valuable resource for incident response, maintaining records of executable files even after deletion.

Registry Organization and Access

  • The registry consists of high-level files organized hierarchically; these files are loaded into memory upon system startup.
  • Key components stored on disk include the system hives SYSTEM, SOFTWARE, SECURITY, and SAM, located in System32\config.

Understanding User Data Management in Windows

Overview of User Data Storage

  • The relationship between current and last good versions of software is not strictly one-to-one, indicating variations in user data management.
  • Multi-user systems require individual user hives, with each user having a unique NTUSER.DAT file located under their profile directory (e.g., Users\Jeff\NTUSER.DAT).

Registry Structure and User Preferences

  • User settings are stored in the registry under HKEY_USERS, keyed by the user's Security Identifier (SID) and backed by files like NTUSER.DAT.
  • The registry tracks various user preferences, such as window size and format upon reopening, which can be crucial for understanding user behavior.

Shellbags and Forensic Insights

  • Shellbags provide insights into how windows were used by users or attackers, revealing what directories were accessed without detailing specific files.
  • Analyzing shellbags can help investigators understand an attacker's interests based on the folders they had open during their activity.

Anatomy of a Registry Key

  • Registry keys consist of names and values; for example, HKEY_LOCAL_MACHINE\System\ControlSet001\Control\CrashControl contains multiple values, including MinidumpDir.
  • Modifications to registry keys do not specify which value was changed; thus, it complicates time-lining efforts since only the key's last modified timestamp is available.

Persistence Mechanisms in Malware

  • Investigators focus on persistence mechanisms that allow attackers to regain access after system reboots, such as autorun entries.
  • Autorun entries can include services or traditional Run keys that ensure malware starts automatically when Windows boots up.

Redline's Persistence Audit Feature

  • Redline offers a combined audit view that integrates service audits, registry audits, and file system audits for easier analysis of potential persistence threats.
  • This feature allows investigators to quickly assess if malicious files remain on disk while checking their digital signatures and known hashes.

Understanding Windows Registry and File Persistence

Overview of Windows Registry Analysis

  • The speaker provides a snapshot of the Windows registry, detailing persistence types, file paths, and registry paths for forensic analysis.
  • An MD5 checksum is highlighted as a valuable tool for verifying file integrity without needing multiple audits; it also includes timestamps for files.
  • A signed file is defined as one that has an associated signature from either a self-signed source or a certificate authority (CA), which helps verify its legitimacy.

Certificate Authority and Security Implications

  • The process by which Windows checks signatures against CA certificates is explained, emphasizing potential vulnerabilities if a CA is breached.
  • Techniques such as code injection into signed binaries are discussed, indicating that even signed files can be compromised.

Importance of the Windows Registry in Forensics

  • The complexity and versatility of the Windows registry are acknowledged; extensive courses exist to cover its details due to its significance in forensic investigations.
  • Lab 3 will involve practical exercises on registry analysis and persistence views to enhance understanding.

Practical Application: Identifying Persistent Threats

Strategies for Analyzing Persistence

  • The speaker suggests using existing audit data to identify persistent threats quickly, exemplified by recognizing Netcat's presence in the system.
  • Sorting methods are discussed for analyzing files based on their attributes; however, limitations arise when dealing with numerous items without clear indicators.

Timeframe Pivoting Technique

  • Utilizing timeframes around known attacker activity allows analysts to filter through persistent modifications effectively.
  • Identification of NC.exe (Netcat executable) demonstrates how pivoting can reveal malicious software linked to specific attack timelines.
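As an added example (not code from the session or from Redline), the following Python applies the timeframe pivot described above to persistence audit rows: it keeps only entries whose file-name creation time falls inside the attacker's window, then attaches the corroborating indicators the session lists (unsigned, known tool name, unusual directory, hash match). The rows, window and hashes are constructed; the MD5 values are placeholders.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
KNOWN_TOOLS = {"nc.exe", "wce.exe", "rar.exe", "wget.exe"}       # tool names seen in the timeline
ODD_DIRS = ("\\addins\\", "\\temp\\", "\\appdata\\roaming\\winrar\\")   # locations the session calls atypical

# Constructed rows shaped like a combined persistence view (invented values, placeholder hashes)
AUDIT = [
    {"reg_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "IgfxTray",
     "file": r"C:\Windows\System32\igfxtray.exe", "fn_created": "2013-08-22 12:01:10",
     "signed": True, "md5": "<placeholder-md5-1>"},
    {"reg_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svchost",
     "file": r"C:\Windows\addins\nc.exe", "fn_created": "2014-03-02 04:43:05",
     "signed": False, "md5": "<placeholder-md5-2>"},
    {"reg_path": r"HKLM\System\CurrentControlSet\Services\wuauserv", "value": "ImagePath",
     "file": r"C:\Windows\System32\svchost.exe", "fn_created": "2013-08-22 12:00:00",
     "signed": True, "md5": "<placeholder-md5-3>"},
    {"reg_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive",
     "file": r"C:\Users\Jeff\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "fn_created": "2014-03-02 04:50:00", "signed": True, "md5": "<placeholder-md5-4>"},
]

def pivot(rows, start, end, known_bad_hashes=frozenset()):
    """Return (file, registry path, reasons) for every persistence entry created in the window,
    most corroborated first. Uses the $FILE_NAME creation time, which the session prefers."""
    t0, t1 = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    hits = []
    for r in rows:
        if not t0 <= datetime.strptime(r["fn_created"], FMT) <= t1:
            continue                                   # outside the known attacker activity
        path = r["file"].lower()
        reasons = []
        if not r["signed"]:
            reasons.append("unsigned")
        if path.rsplit("\\", 1)[-1] in KNOWN_TOOLS:
            reasons.append("known attacker tool name")
        if any(d in path for d in ODD_DIRS):
            reasons.append("unusual directory")
        if r["md5"] in known_bad_hashes:
            reasons.append("md5 on known-bad list")
        hits.append((r["file"], r["reg_path"], reasons))
    return sorted(hits, key=lambda h: -len(h[2]))
```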

Recap of Attack Progression Indicators

  • The HKEY_LOCAL_MACHINE\Software Run key is explained: its entries are executed at user logon, which is where an unauthorized entry such as netcat.exe stands out.
  • A timeline recap illustrates the sequence of events during an attack, including Google logins and subsequent use of tools like WGet and RAR.exe.

Analysis of User Behavior and Threat Indicators

Understanding User Tools and Compromise Indicators

  • Most users do not utilize WinRAR, so alerting on the creation of WinRAR files under the Roaming profile folder can serve as a strong indicator of compromise during threat hunting.
  • The presence of WCE (Windows Credential Editor) and netcat being created indicates potential malicious activity. Notably, these files were time-stomped or modified, hinting at attempts to obscure their creation.
  • A command was executed using Netcat to connect to winterfell.org on port 80, establishing an open connection with an IP address previously identified in web browser reviews.

Internal Reconnaissance Activities

  • The attacker is engaged in internal reconnaissance, evidenced by the execution of WCE and the creation of a file named WCE.txt, which contains Windows credential outputs sourced from the Master File Table (MFT).
  • Although a recursive directory listing file (C.txt) was mentioned, it was not available for review. Other tools like RAR.exe were also noted as part of this reconnaissance effort.

Analysis of Command Usage

  • CMD.exe's frequent legitimate use complicates tracking its usage timeline; however, some accessed files were identified, including install win.bat.

Summary of Findings

  • Key insights include understanding how the attacker gained access and identifying their toolset. However, clarity is still needed regarding the initial compromise mechanism linked to a PDF document titled "troop movement."

Conclusion and Next Steps

  • The session aims to provide exposure to forensic analysis practices rather than making participants experts in memory or registry analysis. Further exploration into memory artifacts will occur in subsequent discussions.
  • Participants are encouraged to join remote sessions via Microsoft Teams for continued learning while addressing logistical issues such as audio quality. Assistance with tidying up post-session activities is appreciated.