Hacking Exposed Computer Forensics Blog

Hello Reader,
            Yesterday we reviewed the timestomp tool and showed how simple MFT analysis can defeat it. Today we are going to go into the newest version of setmace v1006 which not only can modify the STDINFO timestamps but the FILENAME timestamps as well. I'm not sure how widely known setmace is but I will tell you that its very good at what it does as we'll see in the screenshots below. Prior versions of setmace did some tricks with file moving to reset the FILENAME timestamps but in version v1006 it actually modifies the physical disk itself leaving very few traces of its actions. Setmace will work on NTFS and FAT file systems.

Things to understand

What it does
Setmace will access the underlying physical disk and modify the $MFT directly changing the timestamps you specify (STDINFO or FILENAME or both) or cloning them from another file. Since this is direct physical disk access there are no $logfile or USN entries that show these changes.

What it does not do
It does not change the MFT record number, sequence number or find other artifacts pointing to it. That does not mean that future versions couldn't be modified to further obfuscate the original timestamps.

Capabilities by OS

Windows XP
On a Windows XP system setmace can reset timestamps on a file on any volume as XP's security model did not restrict access to the physical disk. Further since Windows XP does not have a USN Journal by default the only way to prove the original timestamps of a file will either be through the $Logfile or shell items pointing to the file.

Windows Vista/7/8
On a Windows Vista/7/8 system setmace cannot access the physical disk of any system volume, but it can access the physical disk of non system volumes. In my virtual environment I created two additional partitions one which i ran setmace from and the other where i stored the files whose timestamps i reset.

What does it look like?

What indicators are left?

• Shell Items contain timestamps, compare them to the MFT to determine if MFT creation date is different. Examples of Shell item containers include
• LNK Files
• Shell bags
• Jumplists
• Other registry keys being identified but that I don't have in front of me :) Sounds like a good post for next week.
• MFT entry and sequence numbers, is the file outside the range that it should be in to be created at that time? 
• Registry MRUs
• System restore points
• Vista/7/8 - Shadow copies - Compare MFTs
• XP - Restore Points  - Parse LNK files for shell items
• Any activity taken place through the filesystem driver prior to the timestamps change will still be in the $logfile and USN
• Prefetch of the setmace execution

Now having said this, not every analyst will think of these things. This will require an additional  steps in your process to look for these kinds of indicators and likely won't be the first thing you check for. Setmace will modify timestamps but it doesn't eliminate any of the IOCs/Artifacts you are already looking for.

I am going to be looking deeper into setmace to see what other artifacts of execution exist, I'll follow up on this on a later blogpost. Until then get some rest, these anti-forensic tools will only get better and you will have to do get better as well to keep up.

Hello Reader,
              Yesterday we went through detecting system clock changes on Windows 7, today we are going to talk about timestamp changing using two different utilities, timestomp and setmace.  Why two timestamp changing tools? They have two different approaches, timestomp and its variants use a Win32 API call to change timestamps that allow them to adjust STDINFO attribute timestamps but not FILENAME attribute timestamps within the MFT. setmace on the other hand can change both and its use is currently not detectable by comparing the STDINFO and FILENAME timestamps. Let's get into it. None of the information in this post is new but I hope to frame it in such a way that it is easy to understand and approach if you don't have a low level understanding of MFT operations.

Initially I was going to cover both tools in this post, but there are enough details and new gotchas between the two to justify taking the time to split this between two posts. Today we will cover timestomp running through meterpeter on a compromised xp host.

Timestomp

Timestomp and other timestamp modification programs that work like it make use of the win32 api to reset timestamps located in the STDINFO MFT attribute for a file. STDINFO contains the timestamps shown to you within explorer and most non forensic file utilities. This method of timestamp modification has a simple detection mechanism that has been a staple for IR and forensic investigators to detect.

Step 1. Grab the MFT from the file system
Step 2. Parse the MFT (I used our ANJP tool)
Step 3. Compare the STDINFO creation/modification and access times to the FILENAME creation/modification and access times.

If the times in step 3 do not equal you have a file with a possibly altered timestamp.

Step 4. Validate your assumptions and make sure the file wasn't distributed by a vendor with a bad timestamp.

Here is an example, we created a file called 'test.txt'. We then used timestomp to reset the timestamp of that file to 0 which in timestomp terms is 1601-01-01 and the STDINFO creation dates look as follows:



When you look at the FILENAME attribute of the same file you will find the original timestamps:

So the comparison here is pretty obvious, not only because without the possibility of time travel there is no computer file being created in 1601 (Oh man, Time travel forensics!) but also because this file named:


is user created and not part of a system package or other vendor delivered weirdness that you can find. In my testing I found a lot of 0 date FILENAME attribute files within the system32 directory which surprised me.

Let's not stop here though, let's talk about why these things exist. When a file is created in NTFS the first thing that is created is a File record. This file record maintains the basic header needed for NTFS to be able to reference and find the file. The second thing created is the STDINFO or standard information attribute which contains metadata about the file, MAC timestamps, etc..., but not the name of the file itself. Instead the name of the file and an additional set of timestamps is kept in a separate attribute called FILENAME.

The first FILENAME attribute will contain the 8.3 version of the files name (so called because it allows 8 characters in the name and 3 in the extension). If the file name is longer than 8 characters in the name or 3 in the extension then a second FILENAME attribute will be created that will store it and another set of timestamps. There can be even more FILENAME attributes but I haven't found any documentation yet that states all the possible mechanisms that generate additional ones. If you have please leave a comment and let me know.

Tomorrow we will show how setmace works and how using journal forensics we can overcome what is a very effective methods with some limitations on newer platforms.

Hello Reader,
           Let's talk about system clock changes which is one of the areas not covered by this weeks Sunday Funday winning answer. Often times when creating fraudulent documents a suspect will change the date of the system in order to make the document appear to be generated at an earlier time. If you've done these cases on Windows XP you've probably read Steve Bunting's old blog regarding this, http://www.stevebunting.org/udpd4n6/forensics/timechange.htm. However the event ids and sources have changed since XP and since this challenge focuses on Windows 7 I thought it would be useful to show what clock changes now look like.

Windows 7 has a lot more logging turned on by default, as such clock time change events are logged. The entry will be found in the 'Security' event log and the source will be 'Microsoft Windows security auditing'. The task category is 'Security State Change' and the Event ID is 4616. Here is an example:


You can see that the event records the previous and new times, in this case my clock was 9 minutes behind and I set it forward. If the clock were to be changed back you would see the new time be earlier than the previous time.

If you wanted to quickly determine if a user had changed the system clock recently this is the best place to quick filter for Event ID 4616. The security log for a workstation on my system goes back two months and there would be additional copies of it in the shadow copies and possible freesspace if you can recover event log entries from freespace.

So that is a pretty simple way to detect when the system clock for the entire system is changed, pretty easy huh? Tomorrow we will going into individual files timestamps being altered.

Hello Reader,
                       Another Sunday Funday behind us and a another challenger who came with a great writeup full of testing and description. This weeks winner Andy Dove is now a two time Sunday Funday winner and brought some good testing this week. I plan to spend this week delving into the host based artifacts outside of Office that Andy didn't cover.

The Challenge:
An employee has been terminated after a lengthy workplace investigation. After being terminated the employee has come back with a lawyer stating that a word document on their work computer will exonerate them and that they are suing for discrimination.  The document appears to be a memo written by the employee's manager to the ex employee with derogatory language toward their race. The employee's manager has stated that they never wrote the document and they believe it be fraudlent.

If the employee was issued a Windows 7 system with Microsoft Word 2007 what would you do to determine:

• Which system the document with authored on
• Who was the author
• What was the last author
• If the time stamps have been altered

The Winning Answer:
Two Time Winner Andy Dove!

1. Created a file in Word 2007
2. Copied it onto a FAT32 formatted SD Card.
3. Copied onto a different user account.
4. Edited the file on the new account.
5. Edited the file again and changed the Author using MS Word.

Hello Reader,
          It's Sunday Funday time again!Let's switch up these contests to something a little more internal investigation focused, these fraud cases are more common than you may think!

The Prize:

• A signed copy of the new book

The Challenge:
An employee has been terminated after a lengthy workplace investigation. After being terminated the employee has come back with a lawyer stating that a word document on their work computer will exonerate them and that they are suing for discrimination.  The document appears to be a memo written by the employee's manager to the ex employee with derogatory language toward their race. The employee's manager has stated that they never wrote the document and they believe it be fraudlent.

If the employee was issued a Windows 7 system with Microsoft Word 2007 what would you do to determine:

• Which system the document with authored on
• Who was the author
• What was the last author
• If the time stamps have been altered

Hello Reader,
       It's Saturday! Time to rock out with your dongle out as we get down to some forensic goodness.

1. We had the third and final IR roundtable on the forensic lunch yesterday, watch it here http://www.youtube.com/watch?v=7UZnJ5m5aLc and make sure to tune in live next week 11/1/2013 at noon central.This week we covered the end of the IR lifecycle with remediation, how to communicate with teams during an IR and more.

2. If you use both Encase and IEF make sure to read this post on creating logical evidence files from the data recovered by IEF so it can be brought in directly, http://www.forensicfocus.com/News/article/sid=2108/.

3. Lance Mueller has a good post up listing out those tools he makes use of and establishing a hierarchy of tools in his arsenal, http://www.forensickb.com/2013/10/what-tier-2-tier-3-tools-do-you-load-on.html, its a good way to think about the tools you use and please comment on Lance's post if you use any additional tools.

4. I read the cyb3rcrim3 blog but only really include it here with it involves an interesting civil case, this week we have a winner http://cyb3rcrim3.blogspot.com/2013/10/the-contractor-login-and-computer.html. This case involves a dispute between a contract developer and his client and the rash steps he took when he didn't receive payment, namely locking his client out of the system he developed for them. This is a good read with many implications for those of you freelancing out there to remind you not to give in to that bad idea.

5. If you are doing IR and want to be able to search for possible exploits to known ports/errors within logs on systems you are triaging Corey has a new custom Google search for you called Vulnerability Search http://journeyintoir.blogspot.com/2013/10/re-introducing-vulnerability-search.html.

6. Lastly this week a short article from DFI News talking about ways to become a more credible witness, http://www.dfinews.com/articles/2013/10/gain-credibility-courtroom, I'll want to talk about this more next week :)

Stay tuned for another Sunday Funday tomorrow!

Hello Reader,
            After getting our stock XP VM license up and activated I did some testing today with the svchost key found here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost The purpose of my testing was to determine what would be required to enable persistence using the Service Host facility. This came about after this weeks Sunday Funday answer and Harlan Carvey's follow on question. After doing my testing this is what I can say.

1. The svchost key determines grouping for which services will run under which svchost process, but it does not attempt to call out to the path for any executable. Instead svchost is looking into the services key found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to find the information needed to find and execute the service. 

Result: Svchost on its own is not a persistence mechanism

2. You cannot create just a stub service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and expect it to run from svchost. The service must be correctly registered and seen by services in order for svchost to execute it. 

Result: Currently I do not see a way to half create an executable service that will not be listed in services, this requires more testing to find what the criteria is for a executable service.

3. You cannot append a ; to the ImagePath key and get a second command to execute, for instance I appended the following: ; %SystemRoot%\system32\test.bat to the ImagePath value for DHCP found in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath which was only met with a service that failed to start.

Result: Currently I do not see a way to load a second program within a legitimate service stub, this also needs further test

So there you are, I am going to play with this a bit more and bad guys can still use the method Harlan Carvey documented on the secure works blog to hide as a legit service. Otherwise my testing just lead to execution failures and dead ends, which is good for the analyst! 

Did you find something different? Leave a comment or email me dcowen@g-cpartners.com

Hello Reader,
              Harlan Carvey had a question from this weeks answer:

"I have a question about the description of the SvcHost key, particularly when compared to what's listed here:
http://support.microsoft.com/kb/314056

I'm not sure that the SvcHost is, in itself, a persistence mechanism, as without the service existing beneath the Services key, the entry is just a place holder."

The description in the winning entry for this key was:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

This registry key contains a list of processes that should be run as services under the svchost.exe program.  These will be automatically loaded by the operating system so this is a prime target for malware executables."

The description from the MSDN documentation states:

"The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service"

From looking at the key within my system it would appear as though the service is added to a group that is tored as a  keyvalue under svchost. What I don't know and what I want to test is can you add an item to the grouping list without also defining it as a service separately or will it execute whatever is named that in the local path.  I will test this and let you know tomorrow!

Hello Reader,
           It was very much worth extending the contest for another day, I received several good submissions this time and the anonymous winner below was the best of those. 
         
The Challenge:
List and explain all of the methods of persistence for malware available in Windows 7 that is written to the file system/registry.

The Winning Answer:
Anonymous

Hello Reader,
            This Sunday Funday saw ... no submissions. Here was the challenge:

The Challenge:
List and explain all of the methods of persistence for malware available in Windows 7 that is written to the file system/registry.

I was a little surprised as I didn't think the question was that difficult but maybe all of you didn't have time to respond. With that in mind I'm going to give you another 24 hours and try to give this a bit more visibility to respond and win before I post the answers tomorrow.

Good luck Reader!

Hello Reader,
          It's Sunday Funday time again! Last week you worked against a Linux challenge that proved to be quite difficult. This week let's switch it to a Windows IR based challenge that should be more accessible to more of you.

The Prize:

• A signed copy of the new book

The Challenge:
List and explain all of the methods of persistence for malware available in Windows 7 that is written to the file system/registry.

Good luck! This may seem like a simple copy and paste job at first, but the winner will be the one who can explain the persistence mechanisms best.

Hello Reader,
       It's Saturday and time for another set of links to to make you think. I am actually writing this on Friday this week so there may be some links that won't make it until next week.

1. This week we had a bit of a last minute forensic lunch, so its just Matthew and I this week. We talked about perl development, tsk for perl, developing a research and testing plan and more: http://www.youtube.com/watch?v=pSU4LI54ZtY

2. Didier Stevens has released another updated tool, http://blog.didierstevens.com/2013/10/14/update-xorsearch-version-1-9-1/, that searches a file or binary for known dictionaries for 32bit and brute force for less. Why is this useful outside of malware reversing? Think of how many artifacts we found that end up being xor encoded, using a known word of a website, document, etc.. you can then search strange files looking to see if they are xor encoded for privacy and storing history.

3. Looking to make forensic test images but don't have the time to do it manualy? There is a great article over on forensic focus, http://articles.forensicfocus.com/2013/10/18/forge-computer-forensic-test-image-generator/, detailing a new tool called ForGe developed by Hannu Visti that automates the creation of forensic test images. The tool isn't perfect, yet, as it really is meant to manipulate single files around a forensic image but it can certainly create some interesting scenarios and provide some great challenges. I'll have to try it one Sunday!

4. Lance Mueller has put up a really cool Enscript to take the hashes created within Encase and look them up on virustotal creating a bookmark for those that return a score http://www.forensickb.com/2013/10/vtbookmark.html This could help many of you when trying to quickly triage a system for known malware but without having to work with extracted data and risking infection.

5. There is a great webinar scheduled for Oct 24th by Alissa Torres on the SANS site with an introduction to the different tools that are in use in the industry for creating dumps of physical memory, https://www.sans.org/webcasts/dumping-dark-gaining-insight-memory-acquisition-tools-techniques-97260, SANS is no longer requiring Java so not many reasons not to give it a watch.

6. Want to have a more portable version of WinFE, check out this nice video tutorial on Mini-WinFe https://www.youtube.com/watch?feature=player_embedded&v=IJ3OBTysVbI

Thanks for stopping by, make sure to come back for tomorrow's Sunday Funday!

Hello Reader,
   Pretty hectic travel schedule this week with my little ones so no real time to organize a proper forensic lunch. Instead Matthew and I did a last minute lunch to discuss our research, tools we are using in development, creating a testing plan and opportunities in forensics.

I hope you enjoy it and tune in again next week for a full forensic lunch!