DR FAT
![Page 1: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/1.jpg)
© Fidelis Cybersecurity. All rights reserved.
Deductive Reasoning: File Analysis Techniques
BsidesDC October 2015
![Page 2: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/2.jpg)
Product Demo
Get comfortable: Over the next 2 hours we will take a step by step walk in great detail through the entire Fidelis Cybersecurity product line.
You can expect:
1. Graphs on the current APT threatscape
2. Diagrams of best deployment practices
3. Kill Chain optimization of your current infrastructure for synergy
4. Pricing and Availability
![Page 3: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/3.jpg)
Product Demo
![Page 4: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/4.jpg)
Introduction
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois University
• Cognitech/Ocean Systems Forensic Video Analyst
• Government Contractor: DC3 – DCFL Forensic Examiner / DCISE / NCIJTF
• General Dynamics/Fidelis Commercial Forensics Team
• Fidelis Threat Research Team
John Laycock, Systems, Threat Research
Email: [email protected]
![Page 5: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/5.jpg)
Introduction
Chris Rogers
• Army Intel SIGINT / HUMINT
• Government Contractor: Department of State, NIPC, US CERT, DC3 Forensic Examiner / Intrusions
• Bank of America
Chris Rogers, Senior Analyst, Threat Research
Email: [email protected]
![Page 6: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/6.jpg)
Deductive Reasoning
“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.”
-Sir Arthur Conan Doyle The Sign of Four
![Page 7: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/7.jpg)
Deductive Reasoning
“There is a strong family resemblance about malicious files, and if you have all the details of a thousand at your finger ends, it is odd if you can't infer the thousand and first.”
-Sir Arthur Conan Doyle The Sign of Four
![Page 8: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/8.jpg)
Disclaimer
This is an introductory level talk for folks who do not necessarily do malware analysis on a daily basis. Many of the things you are about to see are not what would be considered forensically sound. These are quick, down and dirty tools to help you evaluate whether a file is malicious. Many of the concepts we will be showing you are presented from a high-level view. You can refer to the references in the appendix to drill down into these concepts in more detail.
TL;DR: This is an intro to a deep topic. We’re showing some basic concepts that may or may not be forensically sound.
![Page 9: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/9.jpg)
What is Malware?
A variety of evil logic:
Crimeware, botnets, ransomware, hijackers, keyloggers, adware, spyware, scumware, rootkits, trojans, worms, viruses, backdoors.
![Page 10: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/10.jpg)
What isn’t Malware?
It is not magic.
![Page 11: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/11.jpg)
The specific what…
Computers are just tools that translate binary instructions into cool stuff, from cat pictures and movies to the latest zombie FPS.
Bad guys and shady marketers take full advantage of that user-friendly nature to deploy their own collection of bits to your computer.
![Page 12: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/12.jpg)
What’s the vector victor?
• Downloader
• Exploit Kit
• E-mail
• Web
• Portable Media
![Page 13: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/13.jpg)
How is this still a thing?
• User Friendlyitus
• Compatabilibuddy
• Legacy Code
![Page 14: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/14.jpg)
Pwned!
End results are generally the same: the system is pwned and the attacker profits in some way.
![Page 15: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/15.jpg)
Application in Security & IR
If it looks like malware and smells like malware… it’s probably not the dancing cat screen saver that was advertised.
![Page 16: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/16.jpg)
Application in Security & IR
MAC Times
- General rules of thumb
- How to debunk “Timestomping”, or the secret hidden times
![Page 17: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/17.jpg)
Application in Security & IR
NTFS
Master File Table (MFT) - Information about every file on an NTFS volume is stored in the Master File Table. Information such as Modified, Access, Created (MAC) times for the file are stored here.
![Page 18: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/18.jpg)
Application in Security & IR
NTFS MAC Times
On the surface, all appears well. Let’s take a closer look…
![Page 19: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/19.jpg)
Application in Security & IR
NTFS MAC Times
The $MFT sits in the root directory of the volume as a hidden system file, so a normal directory listing does not show it. You can use a tool like FTK Imager Lite to copy this file out for analysis.
![Page 20: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/20.jpg)
Application in Security & IR
NTFS MAC Times
Using MFTDump, you can export the $MFT to a CSV and use Excel to sort through the MAC times looking for anomalies. In this case the Standard Information ($STANDARD_INFORMATION) create time does not match the File Name ($FILE_NAME) create time; this mismatch is evidence of timestomping.
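As an added example (not from the talk), the same Standard Information vs File Name comparison done in Python over a constructed CSV in the shape of an MFTDump export; the column names are assumed, so map them onto your own export's header. It also checks a second indicator the slides do not mention: Standard Information times with an all-zero sub-second part, which the common timestomping utilities leave behind because they set whole seconds.

```python
import csv
import io
from datetime import datetime

# Constructed rows in the shape of an MFTDump CSV. The column names are assumed
# for this example; map them onto the header of your own export.
SAMPLE_CSV = """\
recordNumber,filename,siCreateTime,siModifyTime,fnCreateTime,fnModifyTime
16,C:\\Windows\\system32\\kernel32.dll,2009-07-13 23:41:52.3450000,2009-07-13 23:41:52.3450000,2009-07-13 23:41:52.3450000,2009-07-13 23:41:52.3450000
18,C:\\Windows\\system32\\irevil.exe,2008-04-14 12:00:00.0000000,2008-04-14 12:00:00.0000000,2015-10-12 14:37:09.1234567,2015-10-12 14:37:09.1234567
20,C:\\Users\\bob\\report.docx,2015-09-01 08:15:30.5000000,2015-09-02 10:00:00.2500000,2015-09-01 08:15:30.5000000,2015-09-01 08:15:30.5000000
"""

def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'; NTFS keeps 100 ns ticks, Python keeps microseconds."""
    whole, _, fraction = text.partition(".")
    ts = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S")
    return ts.replace(microsecond=int(fraction[:6].ljust(6, "0")))

def timestomp_indicators(row, tolerance_s=1.0):
    """Reasons an MFT record's $STANDARD_INFORMATION (SI) times look tampered with.
    $FILE_NAME (FN) times are written by the kernel and not touched by the usual
    user-mode timestamp-setting calls, so they serve as the reference."""
    reasons = []
    si_raw, fn_raw = row["siCreateTime"], row["fnCreateTime"]
    delta = (parse_ts(fn_raw) - parse_ts(si_raw)).total_seconds()
    if abs(delta) > tolerance_s:
        direction = "predates" if delta > 0 else "postdates"
        reasons.append(f"SI create {direction} FN create by {abs(delta):.0f} s")
    for col in ("siCreateTime", "siModifyTime"):
        fraction = row[col].partition(".")[2]
        if fraction and not fraction.strip("0"):  # e.g. ".0000000": a whole-second value
            reasons.append(f"{col} has an all-zero sub-second part")
    return reasons

def scan(csv_text):
    """Return {filename: reasons} for every record with at least one indicator."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = timestomp_indicators(row)
        if reasons:
            hits[row["filename"]] = reasons
    return hits

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_CSV).items():
        print(path, "->", "; ".join(reasons))
```

Both indicators are leads rather than proof: archive extractors and copy tools that preserve timestamps also set Standard Information times from user mode, and files that came from a FAT volume or a ZIP archive carry coarse, whole-second times legitimately.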
![Page 21: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/21.jpg)
Application in Security & IR
File System Locations
Malicious files can be found anywhere on your system. Sometimes they are visible and sometimes they like to hide. However, there are a number of commonly used directories that you can look through for anything that appears out of the ordinary.
![Page 22: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/22.jpg)
Application in Security & IR
File System Locations
In this case the two irevil files are located under c:\Windows\system32.
![Page 23: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/23.jpg)
Application in Security & IR
File System Locations
Some common locations:
C:\
C:\Windows
C:\Windows\System32\
C:\Program Files\<directory>\*
C:\Program Files (x86)\<directory>\*
C:\Documents and Settings\{username}\Local Settings\Temp (XP)
C:\Users\{Username}\AppData\Local\Temp
![Page 24: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/24.jpg)
Application in Security & IR
Registry
Getting malware onto a system is only the first step. The bad guys need to be able to restart their files if the system is rebooted. Persistence is the key to surviving a reboot. This can be accomplished by making entries in the registry.
![Page 25: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/25.jpg)
Application in Security & IR
Registry
To review the registry on your system you can use Regedit.
This shows irevil.exe is set to run on startup.
![Page 26: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/26.jpg)
Application in Security & IR
Finding Registry Time Stamps
Use regedit to export the registry.
![Page 27: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/27.jpg)
Application in Security & IR
Finding Registry Time Stamps
Save as a text file.
![Page 28: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/28.jpg)
Application in Security & IR
Finding Registry Time Stamps
Open the exported file in Notepad; the text export lists a Last Write Time for each key.
Alternatively you can use FTK Imager to export the registry hive and parse it with a tool like RegRipper.
![Page 29: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/29.jpg)
Application in Security & IR
Common Registry Keys
![Page 30: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/30.jpg)
Application in Security & IR
Common Registry Keys
Try using regedit to look through some of these registry locations:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
![Page 31: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/31.jpg)
Application in Security & IR
Common Registry Keys
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Windows 7 64-bit:
[HKLM\software\wow6432node\microsoft\windows\currentversion\run]
Consider using a tool like Autorunsc.exe from Microsoft Sysinternals.
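An added example, not from the talk, that ties together the registry export walkthrough, the autostart keys above and the file-system locations listed earlier: it reads a regedit text export (the export format that carries each key's Last Write Time), pulls every value under the Run keys, and flags any that point into a user Temp directory or straight under the drive root. The sample export is constructed, and the label layout is assumed to match regedit's "Text Files" export.

```python
import re

# Constructed sample laid out like regedit's "Text Files (*.txt)" export, the format
# that records each key's Last Write Time. Entries, paths and times are made up.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Last Write Time:   10/12/2015 - 2:37 PM
Value 0
  Name:            VendorUpdater
  Type:            REG_SZ
  Data:            C:\\Program Files\\ExampleVendor\\updater.exe

Value 1
  Name:            irevil
  Type:            REG_SZ
  Data:            C:\\Windows\\system32\\irevil.exe

Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
Last Write Time:   10/14/2015 - 11:07 PM
Value 0
  Name:            update
  Type:            REG_SZ
  Data:            C:\\Users\\bob\\AppData\\Local\\Temp\\svvvtxys.exe
"""

# The autostart keys from the slides; regedit's export spells the hive names out in full.
CV = r"\Microsoft\Windows\CurrentVersion"
AUTORUN_KEYS = {k.lower() for k in (
    rf"HKEY_LOCAL_MACHINE\SOFTWARE{CV}\Run", rf"HKEY_LOCAL_MACHINE\SOFTWARE{CV}\RunOnce",
    rf"HKEY_LOCAL_MACHINE\SOFTWARE{CV}\RunOnceEx",
    rf"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node{CV}\Run",
    rf"HKEY_CURRENT_USER\Software{CV}\Run", rf"HKEY_CURRENT_USER\Software{CV}\RunOnce")}
USER_TEMP = re.compile(r"\\(local settings|appdata\\local)\\temp\\", re.I)

def location_flags(path):
    """Location heuristics drawn from the talk's list of common hiding places."""
    flags = []
    if USER_TEMP.search(path):
        flags.append("runs from a user Temp directory")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        flags.append("sits directly under the drive root")
    return flags

def parse_autoruns(export_text):
    """Collect every value under an autostart key, with that key's Last Write Time."""
    entries, key, last_write, name = [], None, None, None
    for raw in export_text.splitlines():
        label, _, value = raw.strip().partition(":")
        value = value.strip()
        if label == "Key Name":
            key, last_write, name = value, None, None
        elif label == "Last Write Time":
            last_write = value
        elif label == "Name":
            name = value
        elif label == "Data" and name is not None and key and key.lower() in AUTORUN_KEYS:
            path = value.strip('"')
            entries.append({"key": key, "last_write": last_write, "name": name,
                            "data": path, "flags": location_flags(path)})
            name = None
    return entries

if __name__ == "__main__":
    for e in parse_autoruns(SAMPLE_EXPORT):
        print(f"{e['last_write']:22} {e['name']:14} {e['data']}  {', '.join(e['flags'])}")
```

The key's Last Write Time is what you line up against the $MFT times of the file it launches; an autorun value whose key was last written minutes after a suspicious binary appeared on disk is the kind of correlation the slides are driving at.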
![Page 32: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/32.jpg)
Application in Security & IR
Prefetch
The prefetch folder contains a list of commonly run programs on your system to help speed up loading times. These files are stored as .pf files in C:\Windows\Prefetch. Each one records:
- Date/time the file was first executed
- Last time of execution
- Number of times run
![Page 33: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/33.jpg)
Application in Security & IR
Task Scheduler
This can be used to help persist malware on a system and to schedule it to run at various intervals.
Look for SchedLgU.txt, commonly found in C:\Windows\ or C:\Windows\Tasks.
You can also look at HKLM\SOFTWARE\Microsoft\SchedulingAgent.
![Page 34: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/34.jpg)
Application in Security & IR
Task Scheduler
The SchedLgU.txt file is essentially a log showing which jobs were scheduled and whether they ran properly.
![Page 35: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/35.jpg)
Application in Security & IR
Task Scheduler
This is the irevil.job file found under c:\Windows\Tasks.
![Page 36: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/36.jpg)
Heuristics and Tools
DR FAT Toolkit
![Page 37: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/37.jpg)
Heuristics and Tools
DR FAT Toolkit
1. The Internet
2. Hex Editor
3. Entropy Analyzer
4. Hashing Tool
5. Analyzer/PE Information Tool
![Page 38: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/38.jpg)
Heuristics and Tools
DR FAT Toolkit: The Internet
![Page 39: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/39.jpg)
![Page 40: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/40.jpg)
Heuristics and Tools
DR FAT Toolkit: Hex Editor
![Page 41: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/41.jpg)
![Page 42: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/42.jpg)
Heuristics and Tools
DR FAT Toolkit: Entropy Analyzer
![Page 43: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/43.jpg)
Heuristics and Tools
DR FAT Toolkit: Entropy Analyzer
Shannon Formula:
Patterns and Stuff: 4.18
What The Freq??: 7.99
![Page 44: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/44.jpg)
![Page 45: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/45.jpg)
Heuristics and Tools
DR FAT Toolkit: Hashing Tool
CRC32: 968A8A16
MD5: 31e6002b21c489fbbdb0f88ddc02603e
SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2
SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059
Ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV
Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30
Imphash: 884310b1928934402ea6fec1dbd3cf5e
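Added example, not from the talk: the hash set from the Hashing Tool slide that the Python standard library can compute, plus the Shannon entropy measure behind the Entropy Analyzer slide, run over a constructed stand-in file (a low-entropy text header followed by pseudo-random bytes standing in for a packed section). Ssdeep, Authentihash and Imphash need third-party libraries and are left out.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed stand-in for a file: 1 KB of repetitive text followed by 4 KB of
# deterministic pseudo-random bytes (standing in for a packed or encrypted section).
_rng = random.Random(2015)
SAMPLE_FILE = ((b"This program cannot be run in DOS mode.\r\n" * 25)[:1024]
               + bytes(_rng.getrandbits(8) for _ in range(4096)))

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def file_hashes(data):
    """The slide's hash set, minus the ones that need third-party libraries."""
    return {
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }

def high_entropy_regions(data, window=1024, threshold=7.0):
    """Offsets of fixed-size windows whose entropy is in packed/encrypted territory.
    Plain code and text usually sit well below 7 bits per byte; random-looking data
    approaches 8, which is what an entropy analyzer's peaks are showing you."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]

if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE_FILE).items():
        print(f"{algo}: {digest}")
    print(f"whole file: {shannon_entropy(SAMPLE_FILE):.2f} bits/byte")
    for off in high_entropy_regions(SAMPLE_FILE):
        print(f"  high entropy window at 0x{off:06x}")
```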
![Page 46: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/46.jpg)
![Page 47: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/47.jpg)
Heuristics and Tools
DR FAT Toolkit: Analyzers
![Page 48: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/48.jpg)
Heuristics and Tools
DR FAT Toolkit: PE Information Tool
![Page 49: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/49.jpg)
Heuristics and Tools
Filenames
![Page 50: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/50.jpg)
Heuristics and Tools
Filenames
• Svvvtxys.exe
• Scvhost.exe
• Explorerer.exe
• БадФиле.exe
• 邪恶的计划 .exe
![Page 51: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/51.jpg)
Heuristics and Tools
Filenames, Hash
![Page 52: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/52.jpg)
Heuristics and Tools
Hash
VirusTotal
TotalHash
MD5: 31e6002b21c489fbbdb0f88ddc02603e
![Page 53: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/53.jpg)
Heuristics and Tools
Filenames, Hash, Type
![Page 54: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/54.jpg)
Heuristics and Tools
Type
![Page 55: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/55.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size
![Page 56: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/56.jpg)
Heuristics and Tools
Size
PDFs < 50 KB
Word docs > 2 MB with only one page of text
PPT > 2 MB with only two slides
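Added example, not from the talk: the filename heuristics from the Filenames slide (lookalikes of system binaries, non-ASCII names, random-looking names, a space before the extension) and the three size rules of thumb above, written as functions a triage script could call. The system-binary list and the similarity cutoff are my assumptions, and the size rules are read as the suspicious patterns the slide is pointing at.

```python
import difflib
import re

# Windows system process names that malware commonly imitates (assumed list).
SYSTEM_NAMES = ["svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "smss.exe", "rundll32.exe"]
CONSONANT_RUN = re.compile(r"[^aeiou\W\d_]{5,}", re.I)  # five or more consonants in a row

def filename_flags(name):
    """Reasons a file name looks suspicious, per the Filenames slide ([] if none)."""
    flags = []
    base = name.strip().lower()
    stem = base.rsplit(".", 1)[0]
    if base in SYSTEM_NAMES:
        return flags  # a genuine system name: judge it by its path, not its spelling
    close = difflib.get_close_matches(base, SYSTEM_NAMES, n=1, cutoff=0.75)
    if close:
        flags.append(f"lookalike of {close[0]}")  # Scvhost.exe, Explorerer.exe
    if not stem.isascii():
        flags.append("non-ASCII characters in name")  # Cyrillic or CJK names
    elif CONSONANT_RUN.search(stem):
        flags.append("random-looking name")  # Svvvtxys.exe
    if " ." in name:
        flags.append("whitespace before the extension")
    return flags

def size_flags(kind, size_bytes, pages):
    """The three size rules of thumb from the Size slide; kind is 'pdf', 'doc' or 'ppt'."""
    mb = 1024 * 1024
    if kind == "pdf" and size_bytes < 50 * 1024:
        return ["PDF under 50 KB"]
    if kind == "doc" and size_bytes > 2 * mb and pages <= 1:
        return ["Word document over 2 MB with only one page of text"]
    if kind == "ppt" and size_bytes > 2 * mb and pages <= 2:
        return ["presentation over 2 MB with only two slides"]
    return []

if __name__ == "__main__":
    for n in ["Svvvtxys.exe", "Scvhost.exe", "Explorerer.exe", "БадФиле.exe", "邪恶的计划 .exe"]:
        print(n, filename_flags(n))
    print(size_flags("doc", 3 * 1024 * 1024, 1))
```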
![Page 57: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/57.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size, Breakdown
![Page 58: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/58.jpg)
Heuristics and Tools
Breakdown
![Page 59: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/59.jpg)
Heuristics and Tools
Breakdown
![Page 60: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/60.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size, Breakdown, Time
![Page 61: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/61.jpg)
Heuristics and Tools
Time
![Page 62: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/62.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size, Breakdown, Time, Meta
![Page 63: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/63.jpg)
Heuristics and Tools
Meta
![Page 64: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/64.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size, Breakdown, Time, Meta, Entropy
![Page 65: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/65.jpg)
Heuristics and Tools
Entropy
![Page 66: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/66.jpg)
Heuristics and Tools
Entropy
![Page 67: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/67.jpg)
Heuristics and Tools
Entropy
![Page 68: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/68.jpg)
Heuristics and Tools
Entropy
![Page 69: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/69.jpg)
Heuristics and Tools
Entropy
![Page 70: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/70.jpg)
Heuristics and Tools
Entropy
![Page 71: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/71.jpg)
Heuristics and Tools
Filenames, Hash, Type, Size, Breakdown, Time, Meta, Entropy
![Page 72: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/72.jpg)
Why dynamics sometimes aren’t
1. Virtual Detection
2. Sandbox Detection
3. Debugger Checking
4. Weird Dependencies
5. Time Checks
6. Missing Components
7. Unusual URL Response during execution
![Page 73: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/73.jpg)
He Laterally just said that
“Laterals work goodly, they is not for every play though.”
-Unnamed ex-Giants receiver
![Page 74: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/74.jpg)
Tales from the field
• Not your average melting point.
• A PNG in the butt.
![Page 75: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/75.jpg)
The world beyond Windows
1. ELF hunting
2. Other stuff
![Page 76: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/76.jpg)
In Conclusion
Static indicators that we talked about are clues.
• Some clues are key indicators
• Some clues are circumstantial
A final fitting Doyle/Holmes quote:
“The more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.”
![Page 77: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/77.jpg)
Appendix
The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk, but we have included them for future reference.
1. Sans Memory Forensics Poster http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf
2. Sans Windows Forensic Analysis Poster http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf
3. Fidelis Threat Advisories http://www.fidelissecurity.com/resources/threat-advisory
4. MFTDUMP v1.3.0 http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip
5. NTFS Documentation http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
![Page 78: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/78.jpg)
Appendix
7. Sysinternals - Autorunsc http://technet.microsoft.com/en-us/sysinternals/bb963902
8. Many ways of malware persistence (that you were always afraid to ask) http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html
9. Common Autostart Locations - http://gladiator-antivirus.com/forum/index.php?showtopic=24610
10. FTK Imager Lite - http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1
11. Suspicious File Locations - http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html
12. Windows Scheduler - http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/
13. Windows Prefetch - http://forensicswiki.org/wiki/Prefetch
![Page 79: DR FAT](https://reader031.fdocuments.in/reader031/viewer/2022011722/58eca80c1a28abac548b4665/html5/thumbnails/79.jpg)
Appendix
14. Notes on Linux/Xor.DDoS http://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html
15. Time Stomping is for Suckers http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html