CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 4 Lecture

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons AttributionNoncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Quiz 1

Any questions from last week before the quiz?

Technical Material for this week

Missing slide from week 2 Malware Identification Using Memory Analysis Windows Event Logs Application Metadata Thumbnails

Missing week 2 slide: DATA Attributes

Normally hold file content data NTFS Files may have more than one Those after the 1st are referred to as Alternate Data Streams They have a short header before the file data, containing the streams identifier/name Feature added primarily for Mac support, and poorly supported until Win7 Used maliciously for data hiding
4

Windows Malware Identification & Analysis Procedures & Tools

Overview

Suspicious host identified via anomalous network traffic, AV logs, or other security alerts Memory & disk images extracted from host
Memory images can be extracted directly using various tools

EnCase Enterprise or LiveResponse (commercial, via network) Moonsols Dumpit ManTech Mdd Mandiant Memoryze AcessData FTK Imager

Memory images can also be extracted from hibernation files or via firewire using tools such as Inception Offending process typically identified by searching for strings related to original alert Auditviewer also has heuristics to highlight certain suspicious behaviors or characteristics

Memory image examined using Memoryze/Auditviewer.

Files relating to offending process extracted from disk image Static & dynamic analysis of malicious binaries done in VM using various tools, if necessary
6

Run Auditviewer/Memoryze (select Configure Memoryze as initial option)

Specify Output Folder

Specify UnErased Image File

Select all Analysis Options

10

No Process or Driver Acquisition

11

Select all Process Enumeration Options

12

Select all Driver Enumeration options

13

Select all Hook Enumeration Options

14

When Processing Completes, the Memory Image Browser will Open

Suspicious Behavior Heuristics

Processes with possible injected DLLs displayed in red (several false positive mechanisms & doesnt catch all methods) Malware rating Index (MRI) Rules cause numeric ranking to be displayed

16

MRI Rules

17

Process Username Verification

18

Argument Verification

19

Process Path Verification

20

Suspicious Handles

Suspicious Imports

22

Heuristic Report on EnCase Enterprise Servlet

23

Searching

24

Search Results

25

Other Information Per process

Handles

Files, Folders, processes, Reg keys, Semaphores, Mutexes, Events, Memory Sections

Memory Sections DLLs Strings Network ports

26

Driver Information

Drivers Enumerated by Scanning

Root Drivers All Drivers

Drivers Enumerated by Walking List

Driver information includes all associated strings

27

Hooks

System Service Descriptor (SSD) Table Hooks Interrupt Descriptor Table Hooks Driver IRP Hooks

Keystroke Logger Detection

28

Other AuditViewer Functionality

Similar functionality to Red Curtain also rolled into Auditviewer, but requires the application to be run on target host rather than on a memory image.

29

Other Methods of Malware Detection

Known Good Hash Elimination (NSRL, FileAdvisor) Red Curtain Rule-Based Analysis Upload to VirusTotal.com Manually examine persistence mechanisms for suspicious patterns Search for suspicious file/folder names among binaries associated with running processes or scheduled jobs Manual examination of binaries associated with running processes or scheduled jobs
30

Windows Event Logs

NT/2K/XP/2K3

.evt files %systemroot%\System32\config SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others

Vista/7/2K8

.evtx files %systemroot%\System32\winevt\logs SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others Logs can be sent to a remote log collector

File locations can be changed in the registry

Event Log (.evt) File Header Structure (first 48 bytes of a valid Event Log file )

Offset Size 0 4 bytes 4 16 20 24 28 32 40 44 4 bytes 4 bytes 4 bytes 4 4 4 4 bytes bytes bytes bytes

4 bytes

Description Size of the record; for an .evt file header, the size is 0x30 (48) bytes. Event record sizes are 56 bytes Magic number (LfLe) Offset within the .evt file of the oldest event record Offset within the .evt file to the next event record to be written ID of the next event record ID of the oldest event record Maximum size of the .evt file (from the Registry) Retention time of event records (from the Registry) Size of the record (repeat of DWORD at offset 0)

Event Log (.evt) Record Header Structure (First 56 bytes of Event Record)

Offset 0 4 8 12 16 20

Size 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes

24 26 28 30 32 36 40 44 48 52

2 bytes 2 2 2 4 4 4 bytes bytes bytes bytes bytes bytes

4 bytes 4 bytes 4 bytes

Description Length of the event record, or size of the record in bytes Reserved; magic number LfLe Record number Time generated; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Universal Coordinated Time (UTC) Time written; measured in UNIX time, or the number of second elapsed since 00:00:00 1 Jan 1970, in UTC Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source name to locate the appropriate description string within the message file for the event source Event type (0x01 = Error; 0x10 = Failure; 0x08 = Success; 0x04 = Information; 0x02 = Warning) Number of strings Event category Reserved flags Closing record number String offset; offset to the description strings within this event record Length of the user Security Identifier (SID); size of the user SID in bytes (if 0, no user SID is provided) Offset to the user SID within this event record Data length; length of the binary data associated with this event record Offset to the data

Data Stored for a Given Event is Dependant on the Event Type

Typically stored as a list of nullterminated strings

EVTX Record Structure (Less useful because of binary encoding)

Offset 0x00 Type char[4] Meaning Magic, const 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two

0x04 0x08

uint32

0x10 var. var.

Length1 (whole record's size, from the magic string to the trailing length indicator) int64 NumLogRecord (record number, relative to the log channel. The log channel may consist of several log files which are consecutively written to) FILETIME TimeCreated char[] BinXmlStream (complex binary structure) uint32 Length2

null bytes)

NumLogRecord & TimeCreated values also included in BinXmlStream This is less useful because the various event strings are binary encoded and so wont be found in normal searching

Great Windows Security Event Reference

http://www.ultimatewindowssecurit y.com/securitylog/encyclopedia/def ault.aspx

demo

Useful Windows Event Log Tools

Event Log Explorer (commercial, but free for private use. 3.4 supports evtx) FixEvt Lsevt (Carvey) Available in the extras of Windows Forensic Analysis PsLogList (Sysinternals) Evtx_parser (Schuster) Grokevt (Linux only, but can parse events out of unallocated space)

Windows Event Log Types

Security (most useful for forensics, but dont ignore the others)

Access control & security settings Audit & group policy Services, system components, drivers, resources, etc. Software events unrelated to the OS Custom application logs

System

Application

Custom

Event Types

Error Warning Information Success Audit Failure Audit

Security Event Categories

Account Logon Stored on system that authorized login Account Mgmt Changes to accounts Directory Service Attempted access of AD objects Logon Events Instances of logon/logoff for local system Object Access Access to objects specified in ACLs Policy Change Change to user rights, or audit or trust policies Privilege Use Instances of accounts exercising user rights Process Tracking Process start/end, handles, acess to objects System Events System start/shutdown, security log manipulation

Changes from NT/2K/XP/2K3 to Vista/7/2K8

Event IDs were changed

Where theres a direct one-to-one mapping, new ID usually (but not always!) = Old ID + 4096 Some groups of old event IDs were collapsed to a single new event ID

528,540 (Successful Logon) -> 4624 529-537,539 (Login Failure) -> 4625 672 (auth ticket granted) -> 4768 (requested), 4772 (failed) 673 (service ticket granted) -> 4769 (requested), 4773 (failed)

Some old IDs were broken out into multiple new IDs

A significant number of new events and log files were added. Logging capabilities & defaults are generally somewhat better on Vista/7/2K8 than previously.

Configurable Security Logging

See Administrative Tools\Local Security Policy, and examine Audit Policy

These settings are stored in the registrys Security hive, and can be extracted using regripper. Non-Domain Workstations have most settings disabled by default Non-Domain Servers arent much better Recommended baseline is to log Success/Failure for most categories, Failure for Privilege Use, and none for Process Tracking Windows 2K8 adds more categories of log Some events (672, 673) can be found on the authenticating domain controller for domain workstations

Account Logon Security Events (logged on authenticating system)

672/4768,4772 673/4769,4773 674/4770 675/4771 676/4768 677 678/4774 679/4775 680/4776 681/4776 4777

Authentication Ticket Granted Service Ticket Granted Ticket Granted Renewed Pre-authentication failed Authentication Ticket Request Failed Service Ticket Request Failed Account Mapped for Logon by The name: %2 could not be mapped for logon by: %1 - Account Used for Logon by - The logon to account: %2 by: %1 from workstation: %3 failed. - The domain controller failed to validate the credentials for an account

Event ID 672: Authentication Ticket Granted (initial user authentication to domain)

Data Fields:

Also logged when a computer authenticates to domain, such as on boot. These events have hostname$ for User Name.

User Name: %1 Supplied Realm Name: %2 User ID: %3 Service Name: %4 Service ID: %5 Ticket Options: %6 Result Code: (For an explanation of result/failure codes see the chart on event ID 675) Ticket Encryption Type: %8 Pre-Authentication Type: %9 Client Address: %10 (source from which user authenticated) Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13

Event ID 673: Service Ticket Granted (domain access to another host)

Data Fields:

User Name: %1 User Domain: %2 Service Name: %3

(computer name of the server the user accessed )

Service ID: %4 Ticket Options: %5 Ticket Encryption Type: %6 Client Address: %7 (IP from which user authenticated) Failure Code: %8 Logon GUID: %9 Transited Services: %10

Logon/Logoff Security Events (logged on local system)

528/4624 529/4625 530/4625 531/4625 532/4625 533/4625 534 /4625 type at this 535/4625 536/4625 537/4625 538/4634 539/4625 540/4624 551/4647 552/4648 576/4672 682/4778 683/4779 4646 4649 4650 4651 4652 4653 4654 4655

Successful Logon Logon Failure - Unknown user name or bad password Logon Failure - Account logon time restriction violation Logon Failure - Account currently disabled Logon Failure - The specified user account has expired Logon Failure - User not allowed to logon at this computer Logon Failure - The user has not been granted the requested logon machine Logon Failure - The specified account's password has expired Logon Failure - The NetLogon component is not active Logon failure - The logon attempt failed for other reasons. User Logoff Logon Failure - Account locked out Successful Network Logon User initiated logoff Logon attempt using explicit credentials Special privileges assigned to new logon Session reconnected to winstation Session disconnected from winstation IKE DoS-prevention mode started. A replay attack was detected An IPsec Main Mode security association was established An IPsec Main Mode security association was established An IPsec Main Mode negotiation failed An IPsec Main Mode negotiation failed An IPsec Quick Mode negotiation failed An IPsec Main Mode security association ended

More Logon/Logoff Security Events (logged on local system)

4675 4800 4801 4802 4803 4964 4976 4977 4978 4979 4980 4981 4982 4983 4984 5451 5452 5453 5632 5633 6272 6273 6274 6275 6276 6277 6278 6279 6280

SIDs were filtered The workstation was locked The workstation was unlocked The screen saver was invoked The screen saver was dismissed Special groups have been assigned to a new logon During Main Mode negotiation, IPsec received an invalid negotiation packet. During Quick Mode negotiation, IPsec received an invalid negotiation packet. During Extended Mode negotiation, IPsec received an invalid negotiation packet. IPsec Main Mode and Extended Mode security associations were established. IPsec Main Mode and Extended Mode security associations were established IPsec Main Mode and Extended Mode security associations were established IPsec Main Mode and Extended Mode security associations were established An IPsec Extended Mode negotiation failed An IPsec Extended Mode negotiation failed An IPsec Quick Mode security association was established An IPsec Quick Mode security association ended An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started A request was made to authenticate to a wireless network A request was made to authenticate to a wired network Network Policy Server granted access to a user Network Policy Server denied access to a user Network Policy Server discarded the request for a user Network Policy Server discarded the accounting request for a user Network Policy Server quarantined a user Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy Network Policy Server granted full access to a user because the host met the defined health policy Network Policy Server locked the user account due to repeated failed authentication attempts Network Policy Server unlocked the user account

Logon Types

2 3 4 5 7 8 9 10 11

Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10. Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon - Never logged by 528 on W2k and forward. See event 540) Batch (i.e. scheduled task) Service (Service startup) Unlock (i.e. unnattended workstation with password protected screen saver) NetworkCleartext (Logon with credentials sent in clear text. Most often indicates a logon to IIS with "basic authentication") NewCredentials RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

Kerberos Failure Codes

1 0x1 Client's entry in database has expired 2 0x2 Server's entry in database has expired 3 0x3 Requested protocol version # not supported 4 0x4 Client's key encrypted in old master key 5 0x5 Server's key encrypted in old master key 6 0x6 Client not found in Kerberos database Bad user name, or new computer/user account has not replicated to DC yet (common) 7 0x7 Server not found in Kerberos database New computer account has not replicated yet or computer is pre-w2k (common) 8 0x8 Multiple principal entries in database 9 0x9 The client or server has a null key administrator should reset the password on the account 10 0xA Ticket not eligible for postdating 11 0xB Requested start time is later than end time 12 0xC KDC policy rejects request Workstation/logon time restriction (common) 13 0xD KDC cannot accommodate requested option 14 0xE KDC has no support for encryption type 15 0xF KDC has no support for checksum type 16 0x10 KDC has no support for padata type 17 0x11 KDC has no support for transited type 18 0x12 Clients credentials have been revoked Account disabled, expired, or locked out. (common) 19 0x13 Credentials for server have been revoked 20 0x14 TGT has been revoked 21 0x15 Client not yet valid - try again later 22 0x16 Server not yet valid - try again later 23 0x17 Password has expired The users password has expired. (common) 24 0x18 Pre-authentication information was invalid Usually means bad password (common) 25 0x19 Additional pre-authentication required*

More Kerberos Failure Codes

31 32 33 33 34 35 36 37 38 39 40 41 42 44 45 46 47 48 49 50 60 61

0x1F Integrity check on decrypted field failed 0x20 Ticket expired Frequently logged by computer accounts 0x21 Ticket not yet valid 0x21 Ticket not yet valid 0x22 Request is a replay 0x23 The ticket isn't for us 0x24 Ticket and authenticator don't match 0x25 Clock skew too great Workstations clock too far out of sync with the DCs (common) 0x26 Incorrect net address IP address change? 0x27 Protocol version mismatch 0x28 Invalid msg type 0x29 Message stream modified 0x2A Message out of order 0x2C Specified version of key is not available 0x2D Service key not available 0x2E Mutual authentication failed may be a memory allocation failure 0x2F Incorrect message direction 0x30 Alternative authentication method required* 0x31 Incorrect sequence number in message 0x32 Inappropriate type of checksum in message 0x3C Generic error (description in e-text) 0x3D Field is too long for this implementation

NTLM Error Codes

Decimal Hex 3221225572 C0000064 3221225578 C000006A 3221226036 C0000234 3221225586 C0000072 3221225583 C000006F 3221225584 C0000070 3221225875 C0000193 3221225585 C0000071 3221226020 C0000224

3221226021 C0000225

Reason user name does not exist user name is correct but the password is wrong user is currently locked out account is currently disabled user tried to logon outside his day of week or time of day restrictions workstation restriction account expiration expired password user is required to change password at next logon evidently a bug in Windows and not a risk

Useful Well Known Account SIDs

LOCAL_SYSTEM IUSR LOCAL_SERVICE NETWORK_SERVICE Local Administrator Local Guest

S-1-5-18 S-1-5-17 S-1-5-19 S-1-5-20 S-1-5-*-500 S-1-5-*-501

Event Log Security Events

516/4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits 517/1102 The audit log was cleared (specifies clearing user) 1100 The event logging service has shut down 1101 Audit events have been dropped by the transport. 1104 The security Log is now full 1105 Event log automatic backup 1108 The event logging service encountered an error

Other Security Events of Particular Interest

512/4608 513/4609 520/4616 592/4688 593/4689 560/4656 564/4660 567/4657,4653 Windows NT is starting up Windows is shutting down The system time was changed A new process has been created A process has exited Object Open (accessed) Object Deleted Object Access Attempt (permissions exercised: read, write, delete, ) 601/4697 Attempt to install service 602/4698,4699,4700,4701,4702 - Scheduled Task created 4618 A monitored security event pattern has occurred Various account management events

Example Scenario: Domain user logs in to workstation and maps network file share

Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server Events Logged:

Workstation

Domain Controller 672 authentication ticket granted

528 successful logon 673 673 540 538 673

File Server

service ticket granted (workstation) service ticket granted (domain controller) - Successful Network Logon User Logoff service ticket granted (file server)

540 - Successful Network Logon 538 User Logoff

Events of Particular Interest in Sysevt.evt

7034 7035

Service Crashed Unexpectedly Service sent a Stop/Start control 7036 Service Started or Stopped 7040 Start Type Changed (boot/manual/disabled) 20001 - Plug and Play driver install attempted (Vista/Win7 only, contains unique device ID)

Events of Interest in Appevt.evt

1033 1034 11707 11708 11724

Installation Complete (success/fail) Application Deinstall complete (success/fail) Install Successful Install Failed Deinstall Successful

No log entry is created for failure to install due to lack of admin rights.

In Win7, application install information is logged to Setup.evtx.

Wireless Network Logging in Win7

WLAN-Autoconfig.evtx Event IDs

11000 Wireless Network Association Started 8001 Successful connection to wireless network 8002 Failed connection to wireless network

These events record the BSSID (Wireless MAC) of the associated AP, potentially enabling geolocation of the event.

Windows Text Logs

%windir%\Setuplog.txt - records information during Windows setup %windir%\Setupact.log - actions that occurred during graphical portion of Windows setup process %windor%\Setupapi.log - device, service pack, and hotfix installations (including plug and play devices) %windir%\debug\Netsetup.log workgroup & domain membership changes %windir%\schedlgu.txt Task Scheduler Log (Unicode) %windir%\pfirewall.log Windows firewall log (doesnt exist by default) %windir%\debug\Mrt.log - Malicious Software Removal Tool install, update & scan results %windir%\logs\cbs\Cbs.log Vista/2K8 package manager %WinDir%\System32\LogFiles\* - IIS (note that these entries have text timestamps in GMT) C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwatson32.log program crashes (can sometimes flag exploitation)

Text Log Examination

Mandiant Highlighter is an excellent tool for review of text logs

Free from Mandiant Histogram view shows line length distribution within file. This can immediately pinpoint anomalies, as in IIS logs Allows graphical highlighting & hit counts of search results Allows lines matching specified patterns to be eliminated from vies Can parse timestamps and plot events on a timeline

Application Metadata

Many different file types contain assorted metadata values

JPG images (example: iPhone Geolocation) MS Office Documents (doc, docx, xls, xlsx, etc.) PDF Documents Portable Executables (exe, sys, dll)

Some document formats support embedded files - these may in turn contain metadata Best generic & well-maintained tool for extraction is Phil Harveys exiftool

Office Default Metadata Values

Title Subject Author Keywords Comments Template Last author Revision number Application name Last print date Creation date Last save time Total editing time Number of pages Number of words Number of characters

Security Category Format Manager Company Number of bytes Number of lines Number of paragraphs Number of slides Number of notes Number of hidden Slides Number of multimedia clips Hyperlink base Number of characters (with spaces)

Old Office Metadata

Old Office versions (I believe 2K3 and previous) stored the last ten account names to update the document. These can be extracted the documents OLE metadata stream using Pinpoint Metaviewer. Also in early Word 97 and previous, the MAC address of the system used to create a document was stored.

Std part of systems GUID

Manual Examination of New (XML) Office Files (docx, xlsx, pptx)

Unzip the file Result will be a folder Examine the file docProps\app.xml under that extracted folder Metadata values will be encoded in XML

PDF Metadata

Typical XMP PDF Metadata Tags

Author Copyright CreationDate Creator (application name) Keywords Marked (boolean value) ModDate PDFVersion Producer (application name) Subject Title Trapped

The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files

Metadata in JPG Images

Newer digital cameras & phones often geotag images with GPS coordinates Can also potentially identify the specific camera that took a picture Lots of data about specific camera settings at the time the picture was taken Can sometimes identify photo editing software used to alter the image Some images carry an internal thumbnail which can be extracted

Typical Metadata in a Portable Executable File (exe/sys/dll)

Machine Type Time Stamp (compiled) PE Type Linker Version Code Size Initialized Data Size Uninitialized Data Size Entry Point OS Version Image Version Subsystem Version Subsystem (GUI/DOS/Native) File Version Number Product Version Number File Flags Mask

File Flags File OS Object File Type (app/dll) File Subtype Language Code Character Set Company Name File Description File Version Internal Name Legal Copyright Original Filename Product Name Product Version Product Date

Metadata Extraction Tools

Exiftool (Phil Harvey)

Free Immensely capable multiformat extraction

Thumbnails

Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews

Pre-Vista: Thumbs.db Vista+: Thumbcache

Pre-Vista: Thumbs.db

Populated in any folder which has been at one time set to show thumbnails of included images & documents Hidden file, not viewed by most users and not cleaned out when files are removed from the folder Uses OLE compound document format (similar to Office 2K3 and previous) to store:

thumbnail picture of original image or first page of document last modification time original filename

Thumbs.db Analysis

Binary format is a mess. Sector based, devised in the days of floppy disks. Free Tool: Mitec Windows File Analyzer Another one: Vinetto (open source python script also does Vista thumbcache) Format is also parsed directly by EnCase and FTK

Vista+: Thumbcache

Single, centrally stored file for each user

Located in <profile>\AppData\Local\Microsoft\Windows\Explorer All created when a folder is switched to thumbnail mode or views pictures in a slideshow Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers Numbered files store actual images, linking to files is done by idx file. Purpose of sr file not yet determined

Thumbcache_32.db (small) Thumbcache_96.db (medium) Thumbcache_256.db (large) Thumbcache_1024.db (extra large) Thumbcache_idx.db Thumbcache_sr.db

Reading Assignment for Next Week

The remaining sections in Chapter 4 of the Carvey book Chapters 3 (Volume Shadow Copies) & 7 (Timeline Analysis) in the Carvey book I didnt assign chapter 6 for this week, but I probably should have. You might want to scan through that briefly

73

Questions?

74