- 1 Announcements
- 2 Episode Media
- 3 Guest Segment: Eric Smith and Chris Nickerson on PTES
- 4 Guest Interview: Kevin Fiscus of NWN Corporation
- 5 Special Guest Tech Segment: Tim Mugherini presents NTFS MFT Timelines and malware analysis
- 5.1 Leveraging NTFS Master File Table Timelines in the Analysis of Malware
- 5.2 Everything is a File: Overview of the NTFS Master File Table
- 5.3 Loving the Hex: Overview of NTFS Master File Table Attributes
- 5.4 The Sleuth Kit: FTW
- 5.5 Stop: A Quick Side Note on File Deletion
- 5.6 Practical Use: Exporting and Parsing the $MFT
- 5.7 Anti-Forensics: Manipulating of the $MFT Times
- 5.8 Coming to a Lab Near You: Super Timelines
- 5.9 Summary
- 6 Stories For Discussion
PaulDotCom Security Weekly - Episode 236 for Thursday March 24th, 2011.
- SOURCE Boston on April 20 - 22- Paul and Larry will be there to hang out, talk security and drink beer.
- Born To Run (and Hack) - Don't forget to sign up for Hacker run! Team Pesce is training in April for Purple Stride on May 15th.
- SANS Classes
- DerbyCon : Louisville, Kentucky – September 30th to October 2, 2011 with an illustrious list of speakers including a special appearance by Wasted Strand!
- Sign up now for the Late Breaking Computers Attack Vectors webcast - now with more spice - featuring Carlos Perez on March 30th at 14:00 EDT (2PM).
Guest Segment: Eric Smith and Chris Nickerson on PTES
PTES is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. Security evaluations).
Guest Interview: Kevin Fiscus of NWN Corporation
Kevin is a security architect and consultant with 2 decades of experience in information technology and a decade in compliance, which we won't hold against him. He is currently the Director of NWN Corporation's Security Technology, Assessment and Response (STAR) Team
- How did you get your start in Information Security?
- We tried to get to this during the ShmooCon episode, but our good friend Free Scotch kept interrupting - What is the NWN STAR team? What kind of work does the NWN STAR team specialize in?
- You're developing a methodology for risk assessments - tell us about that.
- You've done assessments and forensics work for Universities, Police Departments and Hospitals. Do you have a good war story to share from that trifecta of possible FAIL?
Special Guest Tech Segment: Tim Mugherini presents NTFS MFT Timelines and malware analysis
If you like the information below, you'll love Tim's blog!
Leveraging NTFS Master File Table Timelines in the Analysis of Malware
What’s in your Incident Response Toolkit?
Malware authors are becoming more sophisticated. File system forensics techniques are well documented but seem underutilized during the static analysis of Malware. Timeline analysis of the NTFS Master File Table can be used to help establish a timeline and location of changes to the system, even when timestamps have been manipulated. Consequently, such techniques can be invaluable during Incident Response.
Everything is a File: Overview of the NTFS Master File Table
NTFS: “New Technologies File System”
Default file system of all modern versions of Windows. Version 3.1 is the current version on Windows XP and above. The Master File Table ($MFT) is the heart of the NTFS file system and contains the metadata about all the files and directories on the file system. Each file and directory has at least one entry in the $MFT.
By default, Each MFT entry is 1024 bytes in size (defined in boot sector) with the first 42 bytes containing 12 defined fields and the remaining unstructured space being used by attributes. It is these attributes that can be useful during analysis but only if we understand the effects of the operating system, software, and user behavior on these values.
There are some limitations. The MFT will expand as needed and NTFS does NOT delete MFT entries after they have been created. But an entry will be re-allocated for use if the file has been deleted. Upon file deletion, the entry’s “in-use” flag is set to 0x00 and the entry will become available. Entries are reused in sequential order and once re-allocated, the attribute data is overwritten.
Loving the Hex: Overview of NTFS Master File Table Attributes
The $STANDARD_INFORMATION ($SI) attribute has a type identifier of 16. There are four 64-bit (MACE) timestamps in this attribute that represent the number of one-hundred nanoseconds since January 1, 1601 UTC. Many of the values stored in the $SI attribute are displayed in explorer.exe when viewing the properties of a file or folder.
The $FILE_NAME ($FN) attribute has a type identifier of 48 and contains the file name (encoded in UTF-16 Unicode), parent directory reference, and additional MACE timestamps. Rob T. Lee has done a fair amount of work on cataloging the differences in behavioral changes of both the $SI and $FN time attributes. So if the behavior of $MFT time attributes are known, we can use them to assist in identifying malicious files.
The Sleuth Kit: FTW
The Sleuth Kit (TSK) is a collection of forensic command line tools for *nix and windows, and can analyze most common file systems. Let’s search a dd (raw) image for a suspected malicious file called malicious.dll with the TSK tool “fls”.
# fls -f ntfs -r Image001.dd | grep malicious.dll ++ r/r 1618-128-1: malicious.dll
This returns the $MFT record number which is 1618. Using “icat” we can now carve the $MFT entry out.
# icat -f ntfs Image001.dd 0 | dd bs=1024 skip=1618 count=1 | xxd
I have shortened the output to display just the entry header and marked up some attributes of interest.
Now we can view specific attributes for this entry by specifying the type. For example, to view $SI (type=16) for entry 1618 (offset 56 as defined by bytes 20-21 above).
# icat -f ntfs Image001.dd 1618-16 | xxd
The first thirty two bytes represent the creation, modified, entry, and accessed times (8 bytes each). Note three of these attributes appear to be the same (February 11, 2010 7:30 AM). The entry date is different, however (March 2, 2011 7:15 AM). This is the date the #MFT entry was created and is usually the same as the creation (born) date (an exception would be in a soft delete of a file). Bytes 32-35 represent the attribute flags outlined earlier (i.e. read only, archived, etc...). Similarly, to view $FN (type=48) for entry 1618.
# icat -f ntfs Image001.dd 1618-48 | xxd
Bytes 0-7 of the $FN time attribute, are the parent reference (or in this case the system32 folder). The next 32 bytes are the first four $FN Time values which match the $SI Entry date. The last 28 bytes in the above example represent the file name.
Stop: A Quick Side Note on File Deletion
If a file is recycled then the file name will change to $<random >.ext, and its location will be in .\Recycle.Bin\<USER_SID>\ folder. The $MFT record will still be marked active until the recycle bin is emptied and the $SI Entry Date will represent the date the file was moved to the recycle bin even after removed from the Recycle Bin. If a hard delete of the file occurred. Then the $MFT record is immediately marked inactive and the file name and all time attributes remain unchanged (until over written by a new entry).
Practical Use: Exporting and Parsing the $MFT
While using TSK is useful to view a $MFT entry for a specific file, it might be useful to parse all entries into a friendlier format for further analysis. If you have identified a malicious file, doing so could help identify all other files and folders associated with the time of compromise. First we must carve out the entire $MFT from a volume or image with “icat”.
sudo icat Image001.dd 0 > MFTOut.csv
Once, we have the $MFT we can use David Kovar’s analyzeMFT.py to parse every record into csv format.
analyzeMFT.py -f MFT -o MFTOut.csv –a
The following is an example of rogue AV (ISe6d_2229.exe) I discovered on a user’s Windows 7 laptop. By parsing the $MFT I was able to discover the other file locations associated with the time of infection. The following output was sorted by the $FN Entry Time (note: times are in UTC by default).
In this case I used this information to identify the prefetch file associated with the infection and used prefetch parser to parse the contents and obtain the location of the payload for dynamic analysis.
Anti-Forensics: Manipulating of the $MFT Times
It is possible to manipulate the $SI timestamps. Vinnie Liu demonstrated this with the Metasploit Timestomp project in 2005. The following, is an example of doing the same with Windows PowerShell.
Let’s use the TSK “istat” tool to obtain the metadata of our malicious file in a visually friendlier way.
# istat –f ntfs ntfs1.dd 1618
If the $SI Entry Modified date mirrors the creation date, then the above output might indicate possible timestamp tampering (an exception would be file deletion). Additionally, the $FN Attributes initially mirror the $SI Creation date. They can change but it is more difficult to manipulate $FN Attributes but not impossible. Changing the system time prior to file creation would certainly get you there but there would still be indicators of the initial compromise. Thus changing the time attributes post file creation would be ideal. Changing the system time, altering the $SI attributes, and then leveraging some of the behavioral effects on the $FN Time attributes (i.e. moving and renaming the files) would change all the time attributes. This could still be detectable, however. New Features in analyzeMFT.py (v 1.5 and above) not only look for differences between $SI and $FN Time attributes but also look for usec abnormalities.
• -a (anomaly detection) adds two columns: • std-fn-shift: Y = $FN create time is after the $SI create time • Usec-zero: Y = $SI create time has usec = 0
The following examples demonstrate both abnormalities.
Coming to a Lab Near You: Super Timelines
$MFT $FN Attributes + Super Timelines = WIN
Utilities such as Log2Timeline (http://log2timeline.net) and the Sleuth Kit Mactime (http://wiki.sleuthkit.org/index.php?title=Mactime) allows for the creation of a Super Timeline by leveraging the bodyfile format (http://wiki.sleuthkit.org/index.php?title=Body_file). Multiple timeline sources (i.e. event logs, registry, prefetch etc...) can be combined for complete forensic picture of an incident or compromise.
To date this has not been possible with both the $SI and $FN attributes from the $MFT however. Mark McKinnon (http://redwolfcomputerforensics.com) was kind enough to let me check out his MFT_Parser utility which does support this functionality. The full file path for each $MFT entry is listed as is both the $SI and $FN time attributes. This is very useful for detecting stomping while looking at super timeline. Dave Hull has a great post on the subject here http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/ .
Mark as released this utility for Windows as beta for PDC listeners (*nix and mac support is also on its way). The Windows version can be found here:
The syntax for the cli is as follows:
mft_parser_cl.exe <$MFT File> <SQLLite DB> <BodyFile> <Drive Letter>
For Example: mft_parser_cl.exe $MFT pdc001 MFTOut C would output everything on the volume in the following formats:
|C:/Windows/System32/ malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068121|1265891400|1265891400|1265891400 |C:FN/Windows/System32/malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068105|1299068105|1299068105|1299068105
IR and Malware Analysis WIN!
This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phrase (Detection/Analysis) of incident response. It is something you can add to your Incident Response and Malware Analysis toolkit.
Stories For Discussion
- Comodogate - [Larry] - Here's a little bit different take to some of the other things that we'll likely talk about… 1. the false SSL certs will only work if someone up stream from you controls DNS. NO, that would NEVER happen! I can think a bunch of ways for that to happen, from arp poisoning, to spoofing, to, well, controlling the upstream DNS. Can you say Nation State? 2. The only think preventing someone else (nation state or otherwise), from issuing their own fraudulent certs, is, apparently one oly needs to compromise a single RA account (user/pw pair)….wow, not much barrier to entry there.
- Thank you Carlos! - Meterpreter Resource files] - [Larry] - now I can run a bunch of stuff all at once from meterpreter. This will start making some post exploitation info gathering easier. Carlos, how will this be affected with the change from meterpreter scripts to modules? I'm assuming that we'll just be able to use the standard Metasploit resource files?
- Github "Social Coding.. Err Compromise" - [Larry] - I was following some tweets last night between @indi303 and @flashmanbahadur, and had one of those why didn't I think of that moments. Use Github to search for Private Keys in social coding projects. Yeah. How about Amazon S3 and other API keys and secrets. Yeah, those are there too. Now, instead of spending our hard earned cash for our botnet and applications, we'll use yours - hard earned dollars that is.
- Wrights law? - [Larry] - Yay, exploit packs for CANVAS with 11 unreleased, unpatched SCADA attacks. Wrights law? now there are "readily" available tools for these type of exploits. Now, will people listen?
- All your tokens are B-long 2 us - [Larry] - RSA gets compromised. Stuff that allegedly gets stolen “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
- Comodo - Compromised isn't a big deal? - [pauldotcom] - I'm sorry, if your are CA, compromises are bad. We've seen a lot of security companies fall lately, but a CA just should not happen. It doesn't matter the extend, compromising CA certificates is really bad, as if we don't already have enough problems with SSL. The last thing we need is someone signing their own certs. This doesn't make a difference for regular people, they ignore SSL and certificates anyhow. What this gives attackers is a chance to get high value targets, and get into places where people pay attention to security, like RSA, ohhh did I type that out loud?
- Nearly two-thirds of schools suffer two breaches or more per year - [pauldotcom] - Wow, this is just scary. As if the situation in schools is not difficult enough, under-staffed IT in k-12 schools don't give a priority to security. Sad, just sad, the big problem here is there really is no money for security, or depending on your perspective, no motivation for better security on systems. Except, the students
- I <3 SNMP - [pauldotcom] - Such a long and hackable history associated with SNMP. I can remember years ago using Solaris and Linux remote overflows for SNMP. So many penetration tests SNMP has provided access to information, such as MAC addresses, routing tables, and passwords. The management protocols are great for targets, as they are usually on every device. Also, the more devices you have, the more insecure the configuration tends to be in favor of usability. SNMP has suffered as a result. The other thing I love is that its usually a mis-configuration that leads to compromise, which again shows that organizations with strong operational skillz will be winning more often that those who are poorly organized.
- Pastbin Enumeration - [pauldotcom] - Doing recon is so much fun! There are so many sources for attackers, and so many ways to leak information. Its so difficult to defend against. My tips for you the defenders are to do recon yourselves and see what has been published. At least you can try to anticipate the attacks that will occur based on the information that is public.