Disk forensics
-
Upload
chiawei-wang -
Category
Software
-
view
477 -
download
1
Transcript of Disk forensics
Disk ForensicsChiawei Wang
2015.10.28
Today we will go through …
• Disk forensics on (toward Windows platform)• NTFS Filesystem
• Registry
• The tools used• The Sleuth Kit
• Autopsy (GUI wrapper of TSK)
• samdump2/pwdump
• The disk image used• WinXP_Course.img, created by QEMU raw image
2
Starting from the Source: Disk
• Given a disk image, where is the targeted (NTFS) partition?
• Master Boot Record (MBR)• The sector 0 of the disk
• Offsets to the partition table
3
Primary Partition # Offset (bytes)
1 0x1BE
2 0x1CE
3 0x1DE
4 0x1EE
• The interested NTFS partition starts from the 63th sector
Inspect into the Partition Table
4
+0x00 Bootable
0x00 Do not use for booting
0x80 Bootable
+0x00 Partition Type
0x00 Empty
0x07 NTFS
0x83 Linux Native
0x82 Linux Swap
Etc. Etc. +0x08 Starting Sector
Sector Offset Hex Dump
+0x0C Size in Sectors
TSK for Disk Partitions
• mmls <image/device>• Display the partition layout of a volume system
5
Autopsy for Disk Partitions
6
Autopsy for Disk Partitions
7
12
3
45
Autopsy for Disk Partitions
8
6
7
Few Tips Before Digging into NTFS
• The basic unit used by NTFS is called Cluster
• The key item for the NTFS forensics is called MFT, Master File Table
9
NTFS Boot Sector @ 63th Sector
10
+0x03 OEM ID = “NTFS”
+0x54 Bootstrap Code[426]
+0x0B Bytes per Sec
+0x0C Sec per Cluster
NTFS Boot Sector @ 63th Sector
11
+0x03 OEM ID = “NTFS”
+0x54 Bootstrap Code[426]
+0x0B Bytes per Sec
+0x0C Sec per Cluster
+0x30 Cluster No. of MFT
Locate the MFT
• Bytes per Sector = 0x0200
• Sectors per Cluster = 0x04
• 1 cluster = 2048 bytes = 4 sectors
• Cluster No. of MFT = 0x03E5A7
• MFT Sector =
BaseSector + MFTClusterNo * SecPerCluster =
63 + (0x03E5A7 * 4) = 1021479
12
MBRNTFSBoot
RecordMFT ~
Sector # (Dec)0 63 1021479
0x1C6: Starting Sector
0x30: MFT Cluster No.
Master File Table, MFT
• The core of NTFS
• The KEY ITEM for the forensics investigation.• Each single file or directory has its corresponding MTF
entry
• Entry Size
13
File: 2|0xF6| = 210 = 1024 BytesDirectory: 2 Cluster = 4096 Bytes
MFT Entry
• Entry format
• The first few entries are pre-defined (partially listed)
14
Carrier B. (2005, March 17). File System Forensic Analysis. Addison Wesley Professional
MFT Entry # Name Description
0 $MFT Self-reference
1 $MFTMirr Backup of $MFT
…
5 . Root directory
6 $Bitmap Cluster in used / free
7 $Boot Boot record
8 $BadCluster Cluster with bad sectors
…
Tsk for MFT Entry Info.
• istat -o <volume_offset> <image> <MFT_entry#>
15
Autopsy for MFT Entry Info.
16
Attribute of MFT Entry
• Attribute header
• Attribute types (partially listed)
17
Type # Name Description
0x10 Standard Information access mode, timestamp, link count
0x30 File Name file name
0x80 Data file data
0x90 Index Root used for directory
…
Type # Length of attributeNon-resident
Length of name
Offset to name Flags Attribute ID
0 4 8 9 10 12 14 16
File Name Attribute
• A MFT entry may have two File Name attribute• Long name & Short name
• e.g. Program Files & PROGRA~1
18
DATA Attribute
• Resident• The data content is stored in the MTF entry
• Most likely a file < 700 Bytes
• Non-resident• The data content is stored in other clusters represented by the “Run
List” recording the clusters.
• e.g. istat on a file with non-resident data
19
Run List
Autopsy for Data Inspection
20
• C:\boot.ini (MFT entry# 3605)
TSK for Data Inspection
• C:\boot.ini (MFT entry# 3605)
• icat -o <volume_offset> <image> <MFT entry#>
21
Autopsy for Raw Cluster Inspection
22
TSK for Raw Cluster Inspection
• blkstat -o <volume_offset> <image> <cluster_no>
• blkcat –o <volume_offset> <image> <cluster_no>
23
Autopsy –MTF entry# File name
24
TSK –MTF entry# File name• Known MFT entry#
• ffind -o <volume_offset> <image> <MFT_entry#>
• Known file name• ifind –o <volume_offset> <image> -n <fname>
25
Autopsy – Cluster No File name
26
TSK – Cluster No File name
• Known Cluster No• ifind -o <volume_offset> <image> -d <cluster_no>
27
Why Not Just Autopsy ?
• Knowing the underlying commands gives the flexibility to customize your forensics process.
28
Practice – Which file is broken ?
• Oh my gosh, the 408,052 sector of seems like broken. Iwanna figure out which file got shot. Submit your key inBAMBOOFOX{FULL_PATH_FILE_NAME}
• Hint:
Remove drive letter and replace “\” with “/”
e.g. C:\aaa\bbb\ccc.txt /aaa/bbb/ccc.txt
29
Now the basic is introduced
• Time to consider some forensics scenario• Alternate Data Stream
• Deleted File Recovery
• Timestamp Forge
• Advanced• $BadClus Forge
• Slack
30
Alternate Data Stream
• ADS allow more than one data stream to be associated with a filename.
• Alternate streams are not listed in Windows Explorer, and the size is not included in the associated file's size.
31
How do NTFS Store ADS ?
• Recall the attribute header
• Generally, a file is named by the “File Name” attribute.
• A “Data” attribute with a name specified can be distinguished.• E.g. istat on ADS-included file
32
Type # Length of attribute Non-resident
Length of name
Offset to name Flags Attribute
ID
0 4 8 9 10 12 14 16
Create and Read ADS data
33
• The ADS can be created/retrieved by filename:ads_name
Practice – Find ADS
• Read the ADS data as the key to submit in BAMBOOFOX{ADS_DATA}
34
What Happened to Deleted File ?
• Recall the MFT entry
35
MFT_Entry_Header{
…+0x16 Flags…
}
Flag value Description
0x00 Deleted File Entry
0x01 File Entry
0x02 Deleted Dir Entry
0x03 Dir Entry
Hope of Deleted File
• The content is not erased but simply tag the MFT entry unallocated.
• NTFS reuse free MFT entry# backward.• A file with the shorter lifetime are harder to be
recovered.
36
Autopsy – List Deleted File
37
TSK – List Deleted File
• fls -o <volume_offset> <image> -d <DIR_MFT_entry#>
• Recursive traversal• fls -o <volume_offset> <image> -r -d <DIR_MFT_entry#>
38
Practice – Recover Deleted Data
• Find the key
39
Timestamp Forge
• Suppose that a malware infects a system and drops some files pretending to be the system built-in one• A naïve approach is to check the timestamp of files in
system directory.
• BUT! NTFS has some glitches.
• When a file is cut-and-paste to replace another file, the timestamp of the replaced one is inherited.
40
Two Timestamp as a Chance
• There are actually two timestamps in MFT entries • “Standard Information” attribute
• “File Name” attribute
41S. H. Mahant and B. B. Meshram, “NTFS Deleted Files Recovery: Forensics View,” International Journal of Computer Science and Information Technology & Security, 2012
The Commonly Seen is Not True
• Windows Explorer and most disk viewer tools show the timestamp in “Standard Information”.
• Now you have something more powerful. Look inside the attributes of MFT entries.
42
Practice – Find the disguised file
• Help!! I got hacked on 27 Oct. 2015 at 03:04 PM• TA made a typo...囧rz
• Please fix the prefix word BAMOOFOX to BAMBOOFOX when you find the key
• Hint:• VMWare is handy
43
Advanced Disk Forensics Task
• $BadClus Forge• Modify the $BadClus metafile to mark certain clusters as
broken to hide the secret data.
• Slack• The remnant space after the cluster allocation is used to
hide the secret data.
44
Registry
• The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the Registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the Registry.https://en.wikipedia.org/wiki/Windows_Registry
45
First View of Registry
46
Key
Value Name Type Value Data
Registry Root Keys
Name Abbreviation Description
HKEY_CLASSES_ROOT HKCR File name extension associations
HKEY_CURRENT_USER HKCU Currently logged-in user settings and profiles
HKEY_LOCAL_MACHINE HKLM System-wide hardware settings and OS configuration
HKEY_USER HKU Per-user settings and profiles
HKEY_CURRENT_CONFIG HKCC Hardware information gathered during boot time
47
Where Are They ?
• Basically, registry is an in-memory database. Only certain keys have physical disk files called Hive file
• Hive parser can be used against these files to perform offline forensics task
48
Registry Key Hive File
HKEY_USERS \Documents and Settings\User Profile\NTUSER.DAT
HKEY_USERS/.DEFAULT \WINDOWS\system32\config\default
HKEY_LOCAL_MACHINE/SAM \WINDOWS\system32\config\SAM
HKEY_LOCAL_MACHINE/SECURITY \WINDOWS\system32\config\SECURITY
HKEY_LOCAL_MACHINE/SOFTWARE \WINDOWS\system32\config\software
HKEY_LOCAL_MACHINE/SYSTEM \WINDOWS\system32\config\system
Forensics on Registry
• System startup operation
• Recent operation
• Shell Injection
• User account
49
System Startup Operation
• HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run
• HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\RunOnceEx
• HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\RunServices
• HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\RunServicesOnce
50
Recent Operation
• Most Recently Used (*MRU)• e.g.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
• Recent*• e.g.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
• Browser• e.g.
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\
51
Shell Injection
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe %system%\system32.exe (injected by Kwbot malware)
• HKCR\<XXX_FILE>\shell\open\command
52
User Account
• The user account and the hashed password can be found in the SAM hive.
• Windows further obfuscates SAM hive with the syskey(bootkey) composed by the permutation of
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG
53
Extract the Hashed Password
• Two Hive is required• SYSTEM, for syskey(bootkey) extraction
• SAM, for password hash extraction
• Tools available• samdump2 SYSTEM_HIVE SAM_HIVE
• Pwdump SYSTEM_HIVE SAM_HIVE
54
Practice – Reveal admin password
• Get the admin’s password as the key to submit in BAMBOOFOX{ADMIN_PASSWD}
55