I'm Your MAC(b)Daddy

Video thumbnail (Frame 0) Video thumbnail (Frame 1862) Video thumbnail (Frame 6352) Video thumbnail (Frame 8868) Video thumbnail (Frame 15661) Video thumbnail (Frame 16433) Video thumbnail (Frame 17349) Video thumbnail (Frame 18709) Video thumbnail (Frame 21207) Video thumbnail (Frame 23692) Video thumbnail (Frame 24692) Video thumbnail (Frame 30029) Video thumbnail (Frame 31373) Video thumbnail (Frame 32765) Video thumbnail (Frame 35157) Video thumbnail (Frame 36297) Video thumbnail (Frame 37223) Video thumbnail (Frame 38284) Video thumbnail (Frame 39807) Video thumbnail (Frame 41906) Video thumbnail (Frame 43641) Video thumbnail (Frame 44695) Video thumbnail (Frame 46026) Video thumbnail (Frame 48494) Video thumbnail (Frame 50254) Video thumbnail (Frame 52668) Video thumbnail (Frame 53442) Video thumbnail (Frame 54209) Video thumbnail (Frame 58948)
Video in TIB AV-Portal: I'm Your MAC(b)Daddy

Formal Metadata

I'm Your MAC(b)Daddy
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The field of Computer Forensics moves more and more in the direction of rapid response and live system analysis every day. As breaches and attacks become more and more sophisticated the responders need to continually re-examine their arsenal for new tactics and faster ways to process large amounts of data. Timelines and super-timelines have been around for a number of years but new software and techniques brings them back into play for Incident Response and live analysis instead of static postmortem forensics. Add in identification of anti-forensics techniques and you gain a whole new view on forensic timelines. Grayson Lenik is a Security Consultant at Trustwave and a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years of System Administration experience including 6 years with American Express/IBM Global Services at one of the largest data centers in the world. Prior to his career in IT he was an Aviation Electronics Technician in the United States Navy forward deployed on board the USS Kitty Hawk and USS Independence. Grayson is a Microsoft Certified Systems Engineer (MCSE), a GIAC Certified Forensic Analyst (GCFA) and a Qualified Security Assessor (QSA). He is working towards the CISSP certification and a Bachelor's in Information Security. Grayson authors the computer forensics blog "An Eye on Forensics".

Related Material

Video is accompanying material for the following resource
Web crawler Computer file Digitizing Multiplication sign Bit Timestamp Shareware Timestamp Process (computing) Personal digital assistant Hacker (term) Blog System programming Authorization Information security Table (information) Computer forensics Form (programming)
Greatest element Presentation of a group Code Multiplication sign View (database) File format Set (mathematics) Unicode Tracing (software) Timestamp Malware User profile Blog Different (Kate Ryan album) Kernel (computing) Personal digital assistant File system Flag Electronic visual display Process (computing) Information Physical system Thumbnail Proof theory Scripting language Presentation of a group Service (economics) Mapping View (database) File format Digitizing Computer file Open source Metadata Attribute grammar Digital signal Complete metric space Windows Registry Virtual machine Proof theory System programming Thumbnail Text editor Data logger Right angle Quicksort Physical system Row (database) Dialer Directed graph Windows Registry Point (geometry) Service (economics) Table (information) Computer file Virtual machine Login Focus (optics) Event horizon Metadata Attribute grammar 2 (number) Frequency Root Hacker (term) String (computer science) Gastropod shell Energy level Utility software Directed graph Multiplication sign Standard deviation Information Inheritance (object-oriented programming) Code Line (geometry) Timestamp Frame problem Kernel (computing) Event horizon Personal digital assistant Enumerated type String (computer science) Electronic visual display Table (information) Window
Standard deviation Suite (music) Multiplication sign File format Function (mathematics) Mereology Usability Medical imaging Heegaard splitting Graphical user interface Different (Kate Ryan album) Core dump File system Recursion Logic gate Physical system File format Computer file Sampling (statistics) Physicalism Windows Registry Fluid statics Website Right angle Freeware Physical system Resultant Spacetime Point (geometry) Windows Registry Slide rule Computer file Open source Computer-generated imagery Time travel Virtual machine Device driver Directory service Product (business) 2 (number) Number Root Utility software Directed graph Software development kit Dependent and independent variables Physical law Core dump Software Personal digital assistant Function (mathematics) Electronic visual display
Scripting language Server (computing) Service (economics) Touchscreen Computer file File format Multiplication sign File format Sampling (statistics) Virtual machine Principle of maximum entropy Function (mathematics) Mereology Function (mathematics) Core dump Software development kit Physical system
Windows Registry Scripting language Inheritance (object-oriented programming) Computer file Ripping Dependent and independent variables Information overload Multiplication sign Set (mathematics) Login Entire function Event horizon Root Blog Graph (mathematics) File system Utility software Information Process (computing) output Information security Software development kit Physical system Window Scripting language Module (mathematics) Presentation of a group Standard deviation Dependent and independent variables Graph (mathematics) Information Weight Information overload Regulärer Ausdruck <Textverarbeitung> Timestamp Windows Registry Symbol table Process (computing) Event horizon Software Personal digital assistant Revision control Utility software Configuration space Modul <Datentyp> Information security Window
Context awareness Presentation of a group Scripting language Multiplication sign File format Set (mathematics) Function (mathematics) Commercial Orbital Transportation Services Timestamp Medical imaging Malware Semiconductor memory Personal digital assistant Physical system Proof theory Scripting language Presentation of a group Software bug File format Binary code Menu (computing) Attribute grammar Bit Digital signal Regulärer Ausdruck <Textverarbeitung> Flow separation Windows Registry Data management Right angle Physical system Slide rule Server (computing) Computer file Ripping Virtual machine Tangible user interface Shareware Attribute grammar 2 (number) String (computer science) Utility software Slide rule Validity (statistics) Information Server (computing) Weight Line (geometry) Binary file Timestamp Uniform resource locator Kernel (computing) Personal digital assistant Key (cryptography) Table (information)
Standard deviation Slide rule Default (computer science) Standard deviation Inheritance (object-oriented programming) Touchscreen Information Computer file Key (cryptography) Line (geometry) Multiplication sign Set (mathematics) Attribute grammar Function (mathematics) Timestamp Attribute grammar 2 (number) Timestamp Data management Malware Different (Kate Ryan album) Function (mathematics) File system Physical system
Windows Registry Laptop Functional (mathematics) Inheritance (object-oriented programming) Computer file Multiplication sign Computer-generated imagery Login Tracing (software) Shareware Number Timestamp Revision control Medical imaging Blog String (computer science) Inheritance (object-oriented programming) Twin prime Computer file Sampling (statistics) Lattice (order) Line (geometry) Timestamp Windows Registry Shareware Event horizon Function (mathematics) String (computer science) Blog Revision control Near-ring Window
Medical imaging Inheritance (object-oriented programming) Information String (computer science) Multiplication sign Computer-generated imagery Maxima and minima Shareware Timestamp
Medical imaging Touchscreen Computer file Personal digital assistant File system Right angle Data compression Shareware
Medical imaging Open source Computer file Structural load Core dump Right angle Shareware Product (business)
Computer file Inheritance (object-oriented programming) Virtual machine Set (mathematics) Entire function User profile Virtual memory Software Root File system Configuration space Right angle Information security Window Physical system Spacetime
Windows Registry Computer file Inheritance (object-oriented programming) Personal digital assistant Multiplication sign Core dump Function (mathematics) Regulärer Ausdruck <Textverarbeitung> Shareware
Trail Service (economics) Inheritance (object-oriented programming) Computer file Multiplication sign Content (media) Line (geometry) Directory service Personal digital assistant Semiconductor memory String (computer science) Right angle Recursive descent parser
Windows Registry Computer file Inheritance (object-oriented programming)
Computer file Inheritance (object-oriented programming) String (computer science)
NP-hard Medical imaging Greatest element Dependent and independent variables Touchscreen Personal digital assistant Set (mathematics) Website Bit Client (computing) Timestamp
Malware Service (economics) Inheritance (object-oriented programming) Computer file Multiplication sign Hecke operator Timestamp
Installation art Stapeldatei Service (economics) Computer file Multiplication sign System administrator Function (mathematics) Line (geometry) Timestamp 2 (number) Malware Average Personal digital assistant Semiconductor memory String (computer science) Cuboid Right angle Recursive descent parser
Goodness of fit Standard deviation Service (economics) Computer file Information Right angle Timestamp Attribute grammar Recursive descent parser
Standard deviation Multiplication sign Function (mathematics) Timestamp Malware Blog Different (Kate Ryan album) Personal digital assistant File system Process (computing) Information Thumbnail Parsing Trail Real number Computer file Attribute grammar Windows Registry Fluid statics Malware Right angle Quicksort Figurate number Information security Freeware Physical system Computer forensics Row (database) Web page Windows Registry Inheritance (object-oriented programming) Dependent and independent variables Line (geometry) Real number Computer-generated imagery Virtual machine Maxima and minima Mathematical analysis Shareware Software Graph (mathematics) Authorization Router (computing) Metropolitan area network Software development kit Newton's law of universal gravitation Dependent and independent variables Graph (mathematics) Event horizon Function (mathematics) Blog Revision control Greatest common divisor Window
Multiplication sign View (database) Hard disk drive Line (geometry) Template (C++)
I am the author of the digital forensics blog and I on forensics which I will wholeheartedly admit that I have not done a very good job of updating lately there's been a lot of talks going and
we've been kind of insanely busy I'm a certified forensic analyst I've been an mcse since the NT four days and i am a qsa here's the agenda for the talk we're going to go over what Mack times are where they're stored what a forensic timeline is why it's useful why do it the way that I do it and then a little bit about actually doing it the way that I do it a new tool that's come out recently that's that's really just made the way that I do it almost entirely automated and then we're going to get into a little bit of time stamp alteration and time stomping and the reason we're going to do that is because we've done a lot of cases in the spider labs where hackers have been using time stamp alteration to hide malware so we're going to show you how to defeat time stamp alteration if we have time I'm going to try to do some demos where I'm actually going to run through creating a timeline a super timeline extracting the master file table and parsing it and showing you guys what some of these modified timestamps will look like we'll go through some of the tools that I'm going to use and then we'll do the conclusion so Mac B times
what do they stand for the mac b times are derived from the file system metadata and they stand for modified accessed changed which in this case move to the mft has been modified and birth which is the file creation time the B is in parentheses because not all the file systems that we that we work on record a birth timestamp for the purposes of the presentation I'm focusing on ntfs it's still the most common that we that we're seeing and we're seeing this a lot of investigations so where the timestamps are stored they're stored in two places they're both located in the master file table the first is the dollar standard info attribute or the SI attribute it stores the file metadata like flags and syd and data about data the final owner and one set of Mac beat Tom stands this is the timestamp is collected by window Explorer when you sort by date or by utilities like fls and map time and time stomp all the other utilities related to the display of timestamps this is where they pull them from the stock is standard info and that did come straight from from one of the technet blogs I've got it referenced down there at the bottom if you want to read it the second attribute is the dollar file name at root attribute or dollar FN contains the file name in Unicode and another set of Mac be timestamps so it doesn't contain nearly as much information as si the important thing there is that it contains a second set of Mac timestamps so the difference standard info can be modified by user level processes like time stopped or any other editor Perl scripts things like that dialer file name can only be modified by the system kernel there are no known utilities that can accomplish this anti forensic or not there's nothing out there right now at least not that I know if it's possible maybe somebody in the room knows what is a forensic timeline forensic timeline is a string of digital events that's sorted into a format that can be easily read and interpreted by human being extremely useful in breach investigations it can contain events from a single source like just the file system or log files registry hives event logs just about anything that you can think of that records some kind of time stamp in the file system can be dumped into a super timeline and it's really the only way I know if you get that sort of 30,000 foot view of what happened on a particular host around a specific time so you generate some keywords you generate some leads maybe you've identified these malicious software and you great so it happened at three p.m. on a friday well what else was happening on that machine at three o'clock on Friday generate a timeline bump it up make it a super timeline add some logs and all of a sudden you can get an amazing picture of everything that was happening on that machine so why is it useful they are
infinitely useful at pinpointing all or most intruder to a given point in time it's also an excellent place to actually generate an initial case leads and keywords if you have an idea of what time frame you might be looking at for a breach you can just kind of go straight to that period look at that day or that you know those few hours at a time line periods of intruder activity will stick out like a sore thumb if you once you start using timelines and actually going through them you'll see executable births and dll births in the middle of you know the day where there's no there's no nothing else going on pretty obvious what's going on there where you see that and identifying a starting point of intrusion is absolutely invaluable to finding other pieces of malware and kind of more of the total activity that took place on the system right so you see maybe you see some enumeration tools and 15 minutes later you see some unknown executable and you can go ahead and pull that that other executable out there and start looking at what it does and what it is so when you actually add in the registry timeline info you get a more complete picture of code being dropped services being installed you can even in some cases you see hacker activity or intruder activity where they've moved the window and that actually leaves what are called shell bags in the register so you can actually tell you've got proof that there's an interactive session going on so it's pretty amazing what you can actually see inside of some of these timelines in some cases you see definitive proof of the user ID that was that was used to compromise the system you might see the NT user got that file or some other files in a particular user profile get updated so I only get to why
we do it my way right everybody's seen some of the forensic suites that are out there or probably have that will sort stuff in the timelines and you can do some of this stuff it's very limited my ways fast it's super easy and it's extremely easy to search whether you're a more comfortable command line or the certs product of the fine command it's amazing how searchable it is so instead of doing your traditional shotgun forensics where you're looking for anything bad you can use your scalpel and go after what you're actually looking for and what do you want to find and it's great more or less there's really only one piece of this that I detailed it's not free aggressive this is open source stuff I can generate a timeline including full file system data on all the registry hives search it for keywords identify altered files before any of the GUI based utilities have even loaded an image or verified it sorry to all of you n case users you're slow a few minutes here if I've got time and i think i will i'm going to show you guys how i'm actually doing this stuff so the first piece of this doing it my way is the is the command fls this is open source it's available as part of the sleuth kit which is a flea debt free download flea download from sleuth kit org highly recommend going out there and checking it out I've got the command here or a sample command f LS dash m name your mount point this could be slashed for root this could be a d.c dollar whatever you want it really doesn't matter you're just labeling your you're just labeling your drive here designate file system and it supports I think 16 different file systems not just ntfs recursively you want to search and then you're going to point it at either a physical drive by name so that could be replaced with physical drive seven physical drive to whatever you have it plugged in or you can point it a drive letter you get varying results by pointing at a drive letter and I haven't figured out why but through simplicity here I just pointed it at like a Z drive and then you out put it with the greater than to an actual body file in this case I just called it FS body five so and I've got a little detail here about what these command is actually doing dash n is just out put it in a standard format in this case it's time machine format dash C names the mount point and again I said there could be D could be law could be root could be whatever you're working on dash f designate the file system type decks are you display everything recursively and then point it out at a logical device and then that the greater than dumps it out to whatever kind of file you want to call it and doesn't matter whatever you want now here's one of the interesting pieces in the piece that's not free you can actually do this while you're on site using F response F response will actually let you using a some magic and I scuzzy it will actually let you mount a local draw or a machine over the network as a local read-only drive on your investigative machine it's pretty amazing piece of software and it is very very worth it I don't know if Matt's here he may actually be here from F response no that's too bad but it's great software and I highly recommend it it is like I said the only piece of this that's not free you can obviously also do this against a previously gathered image but F response let you do it while you're on site instead of sitting there reading a book waiting for an image to finish fls can also be running into the static image or a post-mortem image and you just point it same same things slightly different with a little offset their fls dash mne name your name your device and you do have to add an offset sometimes where the actual file system starts sometimes it will pick it up by itself sometimes you have to have the offset dash are so it's recursive again and then you just point it at wherever your image is sitting so there's your path to image and that could be you know on a USB drive or on your local driver wherever your evidence sits and then again just spit it out to the body file that sector offset can be you can be found with the MLS tool which is also free and part of the solute get very very easy to use you can also do this against a split image if you could have you know a hundred different 0010 two three four files you just go Joe 01 space 00 2003 and it works the same way again the offsets there so here's what a
body file looks like and it's admittedly ugly it's not user friendly at all you'd actually have to know how many seconds from 1969 or 1970 is what this what these numbers here at designate for each time stamp so obviously that's not something that you're going to want to look at and try to use but something interesting to look at here on this slide is this I have it highlighted in red here you have this I net manager executable and we're going to see that here again in just a second so turning fls output into
something that's actually useful and human readable is done with the mac time perl script it's also available as part of the sleuth kit and here's your here's a sample command again pearl mac time PL dash D dash be pointed at your body file and again just out put it out to a CSV file the dash D is going to output it in a common delimited format so it's really really easy to use with Excel or OpenOffice or command line you can search it do whatever you want and then dash be just designates your path to the body file and you're outputting it to a timeline FS timeline so this is probably
not going to show up very well and I apologize it's hard to catch what a timeline looks like in Excel but obviously once you've got it full screen on your own machine it's pretty easy to use and control f is extremely effective when you're when you're actually looking at this stuff in in Excel so if you could see what I've got up here on the screen is actually some intruder activity that I pulled from from from a real case and you've actually you can actually see the attacker doing some painting and trace routing and then actually installing a service and there's some there's some folders showing up here like wind system 32 mem dump and then immediately followed by a whole bunch of pearl p2x TMP files pretty scary stuff not something that you would normally see on a little POS register or back-of-house server so kind of a cool example there so there's your
there's your standard file system timeline which can be incredibly useful but you start adding information to it and you really get a much larger picture of what's going on so call it a super timeline when you start adding more information to it right I add like to add the registry times and I don't usually add a lot else you really get data overload extremely quick but that being said sometimes not finding a lot adding everything you can can be very useful so obviously just gotta use your best judgment there so you can actually add the registry Mac times their recorded more or less the same way as the file system timelines and you can do that with reg time reg time is actually not was not publicly available until fairly recently it's a pro script written by Harlan Carvey and is actually included in the sands incident response and forensics tool kit and he's also made it available fairly recently on reg Ripper net so it is out there you just really have to kind of look for now we also get to log to timeline which has just about rendered me completely obsolete in the last three weeks great utility was written by Kristen gun Jensen it adds in at the windows event logs dr. Watson logs I as logs there's 32 different modules there's probably 40 by now it's been two weeks since I looked just about anything that has timestamps in it it will parse it and dump it out into a body file for you it's amazing so thanks a lot Kristen I'm probably going to lose my job we'll talk more about it here in a few minutes but it's really good stuff it's a little difficult to get it working the first time but really really worth it so the
process you extract the registry hives from system root windows system32 config and the NT user data files for each of your respective users XP see documents and settings its user name and in Windows 7 it's under C users username and then it's a very simple pro command again pearl reg time T L dash M you're going to name your hive name and again this is just more for so you know which hive you're looking at in the timeline so hklm Sam security software system and that HG user you can actually add the name of the user who's NT user that file you're actually parsing which is pretty cool really really easy obviously to tell which user was doing when you do that so here's adding it to the body file pearl wrench time PL m same command recursively and then you pointed at that actual hi file see cases registry Sam in this case and then you append it to that body file and this is kind of important notice there's um there's two greater than symbols there use one and you truncate your whole file so it's kind of important to make sure that you append and not truncate all the work you just did using a single will crush the data and I always make up always make a copy of the body file before you start messing around us just good practice just in case because it happens you repeat that for each of the high files that you want to add the NT user data files you want to add and you run mac time again and that's pretty much it mac time that PL pointed at your body file spit it out to a super timeline here's a nice example of what
the what what it actually looks like in in text when you actually do a grep search against this and it's actually got a really nice format and remember i told you we were going to see that I net manager again there's a several time stamps here and you see one in 2003 which is really odd because this machine was even built until two thousand seven but we're going to see that here in just a second on the next slide we'll explain that then you also see some other interesting files there you see two paths system32 inet manager and system32 inet serve with the same executable name definitely kind of odd so that's
alteration that's that's actually a live example of it there's couple interesting things there there's two separate locations right that I just talked about since system 32 and it's also an inet serve and the binary in system32 is actually memory dumping malware the date on the binary doesn't fit the rest of the system timeline like I said the server that this image came from originally wasn't even built until 2007 and I've got a highlight there you see Sunday November 16 2003 and you see that's actually the modified and the birthday you see the two timestamps the M and the B is modified and birth right so how do we find out if this is just some kind of anomaly or if this has actually been forcibly altered it's actually easier than it sounds but before we do that let's talk about the Vincent Lou who actually created the utility called time stop and this is a little bit older interview but this is pretty is pretty common what he has to say about forensics people in general so mr. Lu said but forensic people don't know how good or bad their tools are and they're going to court based on evidence gathered with those tools you should test the validity of tools you're using before you go to court and that's what we've done and guess what these tools can be fooled and proving it right well i agree i suppose tools can be fooled that's not that hard good investigators can't be fooled I mean if you see something like this you gotta dig further right you can't just rely on the output of one single thing you gotta go verify this stuff another quote from him says for any case that relies on digital forensic evidence Lou says it would be a cakewalk to come in and blow the case up I can take any machine and make it look guilty or not guilty whatever I want yeah I beg the differ he's wrong so here's proving him wrong and we're actually going to do we're going to defeat timestamp alteration or at least show you how you can figure it out right so here's where that second set of timestamps in the master file table comes in dollar file name right it's not accessible to anything that the system kernel as of the writing of this presentation there is nothing known and changed these attributes on the system short of extracting it modifying it and putting it back on a live system so it's not feasible it could be done that it there would be the indicate there would it would be any mess but I guarantee or I can almost guarantee that the machine won't even work again if you tried to do that so how do we get to these attributes and make some sense out of them the mft because it's a disaster if you look at it in raw format this is harlan Carvey to the rescue again he's written a script called mft PL it's also available on reg ripper net and this script parses out all the data for both sets of file stamps and dumps it out into a human readable format this great tool and it's fast so you rip the mft with again another little pro command here pearl mft PL pointed at your master file table and dumped it out to a text file and that's all there is to it that outputs a text file that contains all the attributes stored in the standard info and the file name and it dumps them out and it's real easily searchable I'll show you in a couple minutes so a little bit more grip foo and we've got what we need strings that file out or anything else that you want to look to actually read through it grep dash C six dash I and look for that executable that we know is bad i net manager dot exe great the c6 is context to context switch for grep it shows six lines of context surrounding that search it and it's ignoring case for this search not much
really to it it's too bad that's cut off over here on this screen this is the output of mft that that particular search the mft there and you can see file names highlighted here in blue that's the file where we're looking for inet manager dot exe and this is the standard info attribute see vine pointed out over here get the FN inet manager dot exe over there so this one appears the standard info and this one down here is the file name attribute and you can see there's some definitive differences there right standard info which can be modified you've got to timestamps that have been dunked back to November 16 2003 that same set of file time stamps from the file name attribute shows the actual time that this file is created and modified which is july 21st 2010 so
i just told you everything that's on this slide so i'm just going to skip it except that you see there that there's definitive evidence of time stamp alterations right i mean you've got a set of time stamps that are obviously right they fit to your timeline and the other set just flat doesn't so this is definitive evidence of time alteration and we're actually seeing this a lot the second second set of timestamps just blows a way to use a time stall but I really kind of makes it look silly if you ask me we're encountering this all the time I would say almost weekly we're seeing different pieces of malware that are employing this technology that are they're actually employing time stopping so it is out there and we're see in fact there's a couple of key loggers out there that do it by default when they install they'll actually pull the date the system was built and stomp their own executables back to that or they'll move it back one year so here we are back to
log do timeline so I'm going to tell you guys how to make all of this stuff that I just told you completely obsolete again thanks Kristen are really appreciated the latest version of the log to timeline is added functionality that automates just about everything I just talked about and more here's a sample a sample command I'm not going to read that out to you can go play with the log to timeline by downloading it version 60 will run on windows with some finagling look for a blog post in the very near future from chris Pogue on exactly how to get it working if he doesn't already written it it'll automatically parks registry hives event logs mft I is logs just about anything you can think of it actually logs with a time stamp it'll do it automatically you don't even have to really point it at a particular file it actually does magic number searches so it'll automatically identify an EDT or an EV TX and parse it for you the way that it knows how is it's a pretty amazing tool and I'm actually looking forward to meeting Kristen and thanking him for writing it's really awesome so it's demo time already wow I'm Way ahead so we're going to create a super time line from a post-mortem image that I have loaded on my laptop and use fls reg time and Mac time we're going to a string search and look for some malicious files and we're going to verify the timestamp of that probably only take a couple of minutes and then while there's more the one command is running will do i'll show you how to actually extract the mft and the registry hive is a really easy way so let me shrink this
wrong button I did cheat just a little
bit I already have my command prompt all
open is it going to be big enough for everybody to see yeah it's cutting off a
big chunk of it isn't it that'll be all
right so I have an image on here that I've already have already scrubbed any data out of so that there's some not actually holding anyone's private information and I've actually already moved down the Hyde's and stuff because it's a little time consuming and I don't want to bore you with all the details but i will show you how i did it here so the first step here hey wow this is cool
i can actually move my stuff off screen
so you can't see it alright so the first
step is to actually generate a body file that was the fls commander NFL s dash mne you name it c colon c-cold backsplash whatever whatever you want to do whatever makes sense to you name the file system is ntfs look at it recursively and in this case i already have my image right here in this seat have conf older so i can just say a demo image demo do one this is an end case image it's the only thing i like about in case is their compression so there you go in case users a little something for you so this takes a couple of minutes to run while that's running yep
i forgot to direct it out to a body farm mmm sorry about that demo fail anybody got a drink I'll just redo it here hang on fls dash M C dash F ntfs dash are for recursive and pointed at at demo do one dump it out to a body file FS body right ok so that's going to take a couple of minutes to run the way I usually extract all these files is with the ftk imager which is another open source product
it's really really easy you just add the image file in here with ftk and once that loads up which doesn't take long you can just browse right through it here so this is read-only you what's that I need to scoot over thank you but
better so here you go you've got your entire file system and here's the root of the drive that'll show you the the mft right here and you just right-click and export so it's insanely easy to get get ahold of this stuff and then obviously for your system hives and stuff same place they are on every Windows machine windows system32 config voila there you go there's your Sam your security your software hives all that and then the ante user got dat files are in there in there user profile spaces in c documents and settings or NC users so that's really easy and the the body file
is now done as well so the next step is going to be to actually turn it into a super timeline right is that what i said i was going to do yeah super timeline so
like i said i've already got these registry hives ripped out and they're in this sea DEFCON thing here so i've also modified my path so that this stuff runs natively which is kind of seating as well but it makes it a lot easier to use so your unread time against the the particular hive that you want to see here in this case I'm just going to do probably two of them here we'll just do there we'll just do the Sam file just for a demo here reg time VL dash mne name which hive you're going to do pointed it the path that you're going to for the registry hive dump it out to super body and notice I've got the two greater thans there right so we're going to append so there you go now you got a super body file right there once you've added everything that you want to add to the super body you just run mac timing hempstead against just just like you would a regular timeline and again this runs very very quickly Mac time not PL dash D dash B dash D is the output it into csv dash be pointed at a body file in this case we're going to do the super body and let that run for a second looks
like it I suppose I got to redirect it out huh super timeline dot CSV right and there you go now in our directory here we're gonna have a super time line and I should probably look at that and make sure that it's actually got some content
tagged it does and then again we're going to talk about how easily searchable a body file is right so we're going to look do strings of that of the super timeline just so you can take a look at it and in this case we're going to grip out something that I know is actually on here called rdp service this is another memory dumper that I found on this case oh did I blow up my demo hang on Oh hang on take a look here what if I got going on sorry I kind of lost track of
where it was so I've got my got my body file oh that's what I did I didn't depend the I didn't offend the registry
stuff too I didn't make a copy of the body file first so let's do that real quick come back
right so here's my FS body my copy yet i pasted it i'm going to rename it super body and i'm going to pend that stuff to it sorry about that it happens especially when you're on stage alright
so now we've got the originals we've got the original body file their renamed a super body and now we're going to append that Sam stuff into super body and it moves very very quickly so now we're going to take a look at that body file and with strings and grew up again and look for that look I've got to turn it into a timeline okay they'll take just a second and run through all that stuff anybody know any good jokes well this is running sure
the better too far over now
come back here there we go how much does
it need to be shrunk it's kind of hard for me to see the screens better
okay that's the bottom of it so this usually takes I don't know maybe two or three minutes it really doesn't take very long it's pretty fast again if you were trying to sort this out with this with X ways or any case you might have sorted it out and you'd have one set of time stamps by now so this is a this weighs a lot faster and again this can be done while you're sitting there at a customer site pulling these images if you're using F response without affecting it in any without affecting the image in any way because you're completely set read-only so you really a great tool I really like f response and it's one of the only ways that I know of to actually get a little bit more efficiency out of an on-site I've actually seen forensic people pull up set an image go in and pull out a book instead of working and I don't know about anybody else that's in here that does forensics for a living but we build a lot of money per hour so I don't think clients like to see you sitting there reading a book
it should be just about done
there we go all right so now let's take a look at what the minute what's in that body file again you can pull this open with excel if you want and search through it but it's a heck of a lot faster to do it this way so take a look at the super timeline CSV again we're going to just use a simple grep command to look for a piece of known malware that I know is in here and so here's our DP service and there's one hit and again we're looking at a 2003 time stamp and then lo and behold the very next hit is a prefetch hit so that was the last time that this thing was run is actually a 2010 which is really odd and then we've also got it down at the bottom we've got an access and a create time in 2010 but the modified and birth time are both in 2003 which is a pretty odd to say the least so again we're going to look at the mft here and I've already ripped the mft i think i think i've already got it
set nope I don't good I get to do it
okay so mft IPL really easy this is probably the easiest one of the whole batch pointed at the mft and output it to a text file and this takes like I don't have 60 seconds maybe and then as soon as that's done we'll be able to pull those two timestamps out of out of there and look at that our DP service this is the rdp service was actually a memory dumping malware that was this from a live case and we actually see when we see this malware we see this same time stamping or time stomping just about every single time that we found it and it's actually got it's actually done with with pearl during the install there's a couple of lines in the pearl installer for this malware that that turns around and and screws up these timestamps pretty bad but it's pretty slick you know your average run-of-the-mill sysadmin is going to go looking for new stuff on a box right when they when they think they've got Malware they're going to go looking for everything that just happened in the last six weeks right this will completely burn that down it find it so alright so now we've got a text file of the mft and we're gonna do the same thing we're just going to use strings to look at that mft text and grip dash i get to get some contacts there c6 and we're looking for that we know we're looking for rdp service again and it's going to run through that mft file and it'll pop up here in just a second I hope with some hits and there
we go so we've got actually got two hits for rdp service right remember that prefetch entry from earlier here's the prefetch entry a pretty good idea right those those timestamps match right we've got jun 14 2010 and jun 14 2010 well here's the actual executable right here RTP service exe here's the standard info attributes and there's that februari 12 2003 that's obviously wrong because here's your file name attribute and that
one can't be altered jun 14 2010 right
this is time stomping and like i said this the look and feel of this is pretty easy to do you've been pretty well blow this open within a couple of minutes and it really makes time stop and feel sort
of silly so there's a demo real quick Oh
lost my page
over there there we go so here's some of
the tools that we used here right and where you can find them all and this is all going to be up on my blog as well I on forensics so that you if you want to go and download all this stuff you can go it's out there so tools used in the credit to their creators reg time doc pol and mft this is harlan Carvey stuff he wrote windows forensic analysis windows registry forensics and he's got the supporting blog for windows incident response great blog Harlan's always got new stuff out there and he's pretty opinionated but he's could got everybody that I hear people chuckling they must know Harlan fls and Mac time these were written by Brian carrier the author of file system forensic analysis and the AA and the creator of the sleuth kit available for free out there log to Timeline this is Kristen gun Johnson I'm pretty sure I'm torturing his name GCF a gold paper is where this came from mastering super timelines with log to timeline and he's also got a blog I are in forensics talk blog cattle and net the original mac daddy was written by Rob Lee and was absorbed into Mac time by Brian carrier and it's really only fair to mention Rob since he is the original mac daddy great tool just a really a slightly different output for Mac Daddy it's also good for I'm actually form ax instead of just windows machines and a special thanks to Chris Polk CP beefcake he's right over here in front row for teaching me a sniper forensics methodology I don't know if you guys have ever been on his blog or have looked at his methodology for this stuff it's fantastic it's it's really the way that I learned how to do computer forensics and just I love it i can't imagine sitting there and waiting while all this stuff is running while sitting on my thumbs so he's always got the time to mentor me even while using have time to mentor me so thanks man i appreciate real world anti forensics write this stuff is happening it's we're seeing it at least once a month and usually more frequently than that in the course of real-world investigations we regularly encounter malware and attackers that are using these techniques to try to obfuscate their trail and as they start using these tools more regularly if you're an investigator you need to have tools you'd be better armed and you need to be better prepared to recognize these things and not just go hunt that's an anomaly this is easy enough to prove figure it out use this stuff and and you know blow this stuff away instead of just doing oh we had an anomaly it's not right to do your homework there everything leaves trace evidence somewhere right this is Locard's exchange principle the father of modern forensics know how your tools work not just what they do make you a better investigator and remember that the tools do not make the investigator it's the investigators use of the tools that make them effective right I have a miter saw and a biscuit joiner and a router at home i am not a finished carpenter I'm a forensic analyst so be aware that these tactics on use if you guys are doing forensics and you're you suspect malware and you see you're seeing stuff that just doesn't fit give it a shot it's not that tough and get some pretty amazing results out of this stuff alright so
anybody have any questions any questions no all right go ahead a graphical view of the timeline there are there is stuff out there there's excel templates and stuff that I've seen people dump it into but it's kind of a pain to make it all fit and if you actually look at a time line as a CSV it's not just a handful of entries I mean it's literally four hundred and fifty thousand entries for your standard hard drive so okay and we'll do a QA later so thank you guys very much for coming I really appreciate it thanks guys