Every forensic analyst, during his experience, perfects his own workflow for the acquisition of forensic images.
Today I want to propose my own workflow for acquisition of physical disks on Microsoft Windows systems
Continue…Microsoft has released, on its GitHub repository, an interesting Linux porting of ProcDump from Sysinternals suite.
Santoku is a bootable linux distribution focused on mobile forensics, analysis, and security.
It comes with pre-installed platform SDKs, drivers and utilities and allows auto detection and setup of new connected mobile devices.
Santoku Linux is a free and open community project sponsored by NowSecure who provide core team members, and some tools for inclusion in the platform (ex. AFLogical OSE).
Santoku disk image is build on top of a Lubuntu distro.
It can be booted from USB/CD and can run both in VirtualBox or VMWare Player.
Santoku Linux 0.5 is a 64-bit OS and will only work with 64-bit hardware and software
The ISO is available through SourceForge as both a full 2.5GB .iso download as well as a torrent of the .iso.
Additionally, instead of downloading the full .iso you can download Lubuntu (14.04 64-bit) and update your OS with the new Santoku packages.
Download Lubuntu 14.04 64-bit: (HTTP | Torrent)
Download this build script directly on your Lubuntu install, rename it to just .sh extension and make it executable.
Open a terminal and run the script.
About Volatility i have written a lot of tutorials, now let’s try to use this information in a real context extracting the password hashes from a windows memory dump, in 4 simple steps.
First, we need to identify the correct profile of the system:
[email protected]:~# volatility imageinfo -f test.elf
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/root/test.elf)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80001a4a110L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001a4bd00L
KPCR for CPU 1 : 0xfffff880009c5000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-11-03 09:22:45 UTC+0000
Image local date and time : 2017-11-03 10:22:45 +0100
With the correct profile, we can use the “hivelist’ plugin in order to extract the list of registry hive in the memory dump:
[email protected]:~# volatility -f test.elf hivelist --profile=Win2008R2SP1x64_23418
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
0xfffff8a000610010 0x00000001178a6010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000e55010 0x000000010df7e010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000e77010 0x000000010d067010 \SystemRoot\System32\Config\SAM
0xfffff8a000ec8410 0x000000010c552410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a000ed8010 0x000000010c967010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a0016a5010 0x00000000dadb3010 \??\C:\Users\GuestUser\ntuser.dat
0xfffff8a00178b010 0x00000000dac4f010 \??\C:\Users\GuestUser\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001d4e010 0x00000000d1d08010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a004314410 0x0000000116368410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a008d69010 0x000000009ec82010 \??\C:\Windows\System32\config\COMPONENTS
0xfffff8a00000f010 0x0000000115010010 [no name]
0xfffff8a000025010 0x000000011501c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x000000000224b010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a00058e010 0x0000000117ad6010 \Device\HarddiskVolume1\Boot\BCD
Now, with the virtual offset of SYSTEM and SAM, we can extract the hashes:
[email protected]:~# volatility -f test.elf --profile=Win2008R2SP1x64_23418 hashdump -y 0xfffff8a000025010 -s 0xfffff8a000e77010 > hashes.txt
Volatility Foundation Volatility Framework 2.6
[email protected]:~# cat hashes.txt
GuestUser:500:a6f0811ff51b73310f0fc711893a3278:5f4dcc3b5aa765d61d8327deb882cf99:::
Administrator:501:aad3b435b51404eeaad3b435b51404ee:297abf4cd76aabcb1e1155bac050671e:::
sshd:1005:aad3b435b51404eeaad3b435b51404ee:d7d95a53fca45b1ce8e3f51d880d27f1:::
Finally, we can process the hash using a local tool (like HashCat) or using a online tool like HashKiller:
Yep, GuestUser uses a really strong password!
Windows registry is an excellent source for evidential data, and knowing the type of information that could possible exist in the registry and location is critical during the forensic analysis process.
Let’s analyze the main keys…
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
MRU is the abbreviation for most-recently-used.
This key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes (Open/Save dialog box).
For instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser are maintained.
Documents that are opened or saved via Microsoft Office programs are not maintained.
Whenever a new entry is added to OpenSaveMRU key, registry value is created or updated in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
This key correlates to the previous OpenSaveMRU key to provide extra information: each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it.
The list of files recently opened directly from Windows Explorer are stored into
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key corresponds to %USERPROFILE%Recent (My Recent Documents) and contains local or network files that are recently opened and only the filename in binary form is stored.
The list of entries executed using the Start>Run command in mantained in this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
If a file is executed via Run command, it will leaves traces in the previous two keys OpenSaveMRU and RecentDocs.
Deleting the subkeys in RunMRU does not remove the history list in Run command box immediately.
By using Windows “Recent Opened Documents” Clear List feature via Control Panel>Taskbar and Start Menu, an attacker can remove the Run command history list.
In fact, executing the Clear List function will remove the following registry keys and their subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKCU\Software\Microsoft\Internet Explorer\TypedURLs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
This key contains two GUID subkeys: each subkey maintains a list of system objects such as program, shortcut, and control panel applets that a user has accessed.
Registry values under these subkeys are weakly encrypted using ROT-13 algorithm which basically substitutes a character with another character 13 position away from it in the ASCII table.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
This key contains a listing of 25 recent URLs (or file path) that is typed in the Internet Explorer (IE) or Windows Explorer address bar: the key will only show links that are fully typed, automatically completed while typing, or links that are selected from the list of stored URLs in IE address bar.
Websites that are accessed via IE Favorites are not recorded, and if the user clears the URL history using Clear History via IE Internet Options menu, this key will be completely removed.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
This key maintains the configuration of Windows virtual memory: the paging file (usually C:pagefile.sys) may contain evidential information that could be removed once the suspect computer is shutdown.
This key contains a registry value called ClearPagefileAtShutdown which specify whether Windows should clear off the paging file when the computer shutdowns (by default, windows will not clear the paging file).
During a forensic analysis you should check this value before shutting down a suspect computer!
HKCU\Software\Microsoft\Search Assistant\ACMru
This key contains recent search terms using Windows default search.
There may be up to four subkeys:
All programs listed in Control Panel>Add/Remove Programs correspond to one subkey into this key:
HKLM\SOFTWARE\Microsoft\Windows\Current\Version\Uninstall
Subkeys usually contains these two common registry values:
Other possible useful registry values may exist, which include information on install date, install source and application version.
The list of mounted devices, with associated persistent volume name and unique internal identifier for respective devices is contained into
HKLM\SYSTEM\MountedDevices
This key lists any volume that is mounted and assigned a drive letter, including USB storage devices and external DVD/CDROM drives.
From the listed registry values, value’s name that starts with “DosDevices” and ends with the associated drive letter, contains information regarding that particular mounted device.
Similar informations are contained also in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPCVolume
which is located under the respective device GUID subkey and in the binary registry value named Data.
This key is a point of interest during a forensic analysis: the key records shares on remote systems such C$, Temp$, etc.
The existence of ProcDump indicates the dumping of credentials within lsass.exe address space. Sc.exe indicates the adding of persistence such as Run keys or services. The presence of .rar files may indicate data exfiltration.
The history of recent mapped network drives is store into
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
In addition, permanent subkey (unless manually removed from registry) regarding mapped network drive is also created in
HKCU\Software\Microsoft\Windows\Current\VersionExplorer\MountPoints2
and the subkey is named in the form of ##servername#sharedfolder.
The key:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
contains addition information about list of mounted USB storage devices, including external memory cards.
When used in conjunction with two previous keys will provide evidential information.
There are different keys related to automatic run of programs.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This first key usually contains programs or components paths that are automatically run during system startup without requiring user interaction: malware usually leaves trace in this key to be persistent whenever system reboots.
These keys identifies programs that run only once, at startup and can be assigned to a specific user account or to the machine:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Can control automatic startup of services.
They can be assigned to a specific user account or to a computer:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnce HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnce
This key contains command that is automatically executed each time cmd.exe is run:
HKLM\SOFTWARE\Microsoft\Command Processor HKCU\Software\Microsoft\Command Processor
Modification to this key requires administrative privilege.
Usually malware exploits this feature to load itself without user’s knowledge.
This key has a registry value named Shell with default data Explorer.exe.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Malware appends the malware executable file to the default value’s data to stay persistence across system reboots and logins (modification to this key requires administrative privilege).
This key contains list of Windows services:
HKLM\SYSTEM\CurrentControlSet\Services
Each subkey represents a service and contains service’s information such as startup configuration and executable image path.
For more information about malware persistence techniques, please refer to my previous article:
https://www.andreafortuna.org/cybersecurity/malware-persistence-techniques/
This key allows administrator to map an executable filename to a different debugger source, allowing user to debug a program using a different program:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Modification to this key requires administrative privilege.
This feature could be exploited to launch a completely different program under the cover of the initial program.
This key contains instruction to execute any .exe extension file:
HKCR\exe\fileshell\opencommand
Normally, this key contains one default value with data “%1” %*, but if the value’s data is changed to something similar to somefilename.exe “%1” %* , investigator should suspect some other hidden program is invoked automatically when the actual .exe file is executed.
Malware normally modify this value to load itself covertly
This technique apply to other similar keys, including:
HKEY_CLASSES_ROOT\batfile\shell\open\command HKEY_CLASSES_ROOT\comfile\shell\open\command
Protected Storage is a service used by Microsoft products to provide a secure area to store private information.
Information that could be stored in Protected Storage includes for example Internet Explorer AutoComplete strings and passwords, Microsoft Outlook and Outlook Express accounts’ passwords.
Windows Protected Storage is maintained under this key:
HKCU\Software\Microsoft\Protected Storage System Provider
Registry Editor hides these registry keys from users viewing, including administrator.
There are tools that allow examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView and PStoreView.
In addition, these artifacts provide program information regarding the file path, size, and hash depending on the OS version.
During a forensic analysis, especially during timeline analysis, you deal with MAC timestamps, so it’s important to know and understand the concept of time resolution.
The MAC(b) times are derived from file system metadata and they stand for:
The (b) is in parentheses because not all file systems record a birth time.
Into two attributes, $STANDARD_INFO and $FILE_NAME:
$STANDARD_INFO ($SI) stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps.
$STANDARD_INFO is the timestamp collected by Windows explorer, fls, mactime, timestomp, find and the other utilities related to the display of timestamps.
The $File_Name attribute contains forensically interesting bits, such as MACB times, file name, file length and more.
Timestamps are only updated with the attribute is changed.
Files can have either one or two $File_Name attributes depending on how long the file name is:
There are general rules when it comes to files being moved, copied, accessed or created.
Each operation alters different metadata, here a table of time rules related to $STANDARD_INFORMATION:
While examining the $FILE_NAME timestamps the rules are pretty different:
Tool such as timestomp allow attackers to backdate a file to an arbitrary time in order to trying to hide it in system32 or other similar directories.
So, during analysis you can use analyzeMFT.py in order to check if the $FILE_NAME time occurs after the $STANDARD_INFORMATION Creation Time.
If this anomaly occurs, it is likely that an attacker has been alterated timestamps in $STANDARD_INFO using timestomp.