I'm Your MAC(b)Daddy
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40568 (DOI)
Transcript: English (auto-generated)
00:00
I am the author of the digital forensics blog An Eye on Forensics, which I will wholeheartedly admit that I have not done a very good job of updating lately. There have been a lot of talks going and we've been kind of insanely busy. I'm a certified forensic analyst. I've been an MCSE since the NT4 days and I am a QSA. Here's the agenda for the talk. We're going to go over what MAC times are, where
00:23
they're stored, what a forensic timeline is, why it's useful, why do it the way that I do it, and then a little bit about actually doing it the way that I do it. A new tool that's come out recently has really just made the way that I do it almost entirely automated. And then we're going to get into a
00:42
little bit of time stamp alteration and time stomping. And the reason we're going to do that is because we've done a lot of cases in SpiderLabs where hackers have been using time stamp alteration to hide malware. So we're going to show you how to defeat time stamp alteration. If we have time, I'm going to try to do some demos where I'm actually
01:01
going to run through creating a timeline, a super timeline, extracting the master file table and parsing it, and showing you guys what some of these modified time stamps look like. We'll go through some of the tools that I'm going to use and then we'll do the conclusion. So MACB times, what do they stand for? The MACB times are derived from the
01:20
file system metadata and they stand for modified, accessed, changed (which in this case means the MFT entry has been modified), and birth, which is the file creation time. The B is in parentheses because not all the file systems that we work on record a birth time stamp. For the purposes of the presentation, I'm focusing on NTFS. This is still the most
01:42
common that we're seeing, and we're seeing this in a lot of investigations. So where are the time stamps stored? They're stored in two places. They're both located in the master file table. The first is the $STANDARD_INFORMATION attribute, or the $SI attribute. It stores the file metadata like flags and
02:01
SID and data about data, the file owner, and one set of MACB time stamps. This is the time stamp that's collected by Windows Explorer when you sort by date, or by utilities like fls and mactime and Timestomp. All the other utilities related to the display of time stamps, this is where they pull them from: the standard info. And that did come
02:23
straight from one of the TechNet blogs. I've got it referenced down there at the bottom if you want to read it. The second attribute is the $FILE_NAME attribute, or $FN. It contains the file name in Unicode and another set of MACB time stamps. So it doesn't contain nearly as much information as $SI. The important thing there is that it
02:44
contains a second set of MAC time stamps. So the difference: standard info can be modified by user-level processes like Timestomp or any other editor, Perl scripts, things like that. $FILE_NAME can only be modified by the system kernel. There are no known utilities
03:03
that can accomplish this, anti-forensic or not. There's nothing out there right now, at least not that I know of. It's possible. Maybe somebody in the room knows. What is a forensic timeline? A forensic timeline is a string of digital events that's sorted into a format that can be easily read and interpreted by a human being. Extremely useful in
03:23
breach investigations. It can contain events from a single source like just the file system, or log files, registry hives, event logs. Just about anything that you can think of that records some kind of time stamp in the file system can be dumped into a super timeline. And it's really
03:42
the only way I know of to get that sort of 30,000-foot view of what happened on a particular host around a specific time. So you generate some keywords. You generate some leads. Maybe you've identified malicious software. Great. So it happened at 3 p.m. on a Friday. What else was
04:01
happening on that machine at 3 o'clock on Friday? Generate a timeline, bump it up, make it a super timeline, add some logs, and all of a sudden you can get an amazing picture of everything that was happening on that machine. So why is it useful? They are infinitely useful at pinpointing all or most intruder activity at a given point in time. It's
04:22
also an excellent place to actually generate initial case leads and keywords. If you have an idea of what time frame you might be looking at for a breach, you can just kind of go straight to that period and look at that day or, you know, those few hours in a timeline. Periods of intruder activity will stick out like a sore thumb. Once you start
04:42
using timelines and actually going through them, you'll see executable births and DLL births in the middle of, you know, the day where there's nothing else going on. Pretty obvious what's going on there when you see that. And identifying a starting point of intrusion is absolutely invaluable to finding other pieces of malware and kind of
05:03
more of the total activity that took place on the system. Right? So maybe you see some enumeration tools and 15 minutes later you see some unknown executable. And you can go ahead and pull that other executable out of there and start looking at what it does and what it is. So when
05:21
you actually add in registry timeline info, you get a more complete picture of code being dropped, services being installed. In some cases you can even see hacker activity or intruder activity where they've moved a window, and that actually leaves what are called shellbags in the directory. So it's pretty amazing what you can actually see
05:42
inside of some of these timelines. In some cases you see definitive proof of the user ID that was used to compromise the system. You might see the NTUSER.DAT file or some other files in a particular user profile. So now we get to why we do it my way. Everybody's seen some of
06:01
the forensic suites that are out there, or probably has them. They sort stuff in the timelines and you can do some of this stuff. It's very limited. My way is fast. It's super easy and it's extremely easy to search. Whether you're more comfortable with the command line or the search prompt or the find command, it's amazing how searchable it is.
06:22
So instead of doing your traditional shotgun forensics where you're looking for anything bad, you can use your scalpel and go after what you're actually looking for and what you want to find. And it's free, more or less. There's really only one piece of this that I detail that's not free. The rest of this is open source stuff. I can generate a
06:40
timeline including full file system data and all of the registry hives, search it for keywords, and identify altered files before any of the GUI-based utilities have even loaded an image or verified it. Sorry to all of you EnCase users. You're slow. In a few minutes here, if I've got time, and I think I will, I'm going to show you guys how I'm
07:01
actually doing this stuff. So the first piece of this, doing it my way, is the command fls. This is open source. It's available as part of The Sleuth Kit, which is a free download from sleuthkit.org. I highly recommend going out there and checking it out. I've got
07:20
the command here, or a sample command: fls -m. Name your mount point. This could be slash for root. This could be D:, C$, whatever you want. It really doesn't matter. You're just labeling your drive here. Designate the file system; it supports, I think, 16 different file systems, not just NTFS. You want to search recursively, and then you're
07:42
going to point it at either a physical drive by name, so that could be replaced with PhysicalDrive7, PhysicalDrive2, whatever you have it plugged in as, or you can point it at a drive letter. You get varying results by pointing it at a drive letter. I haven't figured out why, but for simplicity here I just pointed it at, like, a Z: drive. And then
08:02
you output it with the greater-than to an actual body file. In this case I just called it FS body file. And I've got a little detail here about what this command is actually doing. -m is just output it in a standard format; in this case it's mactime format. -c names the mount point, and again, as I said, that could be D, could be
08:21
var, could be root, could be whatever you're working on. -f designates the file system type. -r, you display everything recursively, and then point it at a logical device. And then that greater-than dumps it out to whatever kind of file you want to call it. It doesn't matter. Whatever you want. Now here's one of the interesting pieces, and the piece that's not free. You can actually do
08:42
this while you're on site using F-Response. F-Response will actually let you, using some magic and iSCSI, mount a local drive or a machine over the network as a local read-only drive on your investigative machine. It's a pretty amazing piece of
09:02
software and it is very, very worth it. I don't know if Matt's here. He may actually be here from F-Response. No? That's too bad. But it's great software and I highly recommend it. It is, like I said, the only piece of this that's not free. You can obviously also do this against a previously gathered image. But F-Response lets you do it while you're on
09:22
site instead of sitting there reading a book waiting for an image to finish. fls can also be run against a static image or a postmortem image, and you just point it. Same thing, slightly different with a little offset there. fls -m, name your device, and you do have to add an offset sometimes where the actual
09:43
file system starts. Sometimes it will pick it up by itself. Sometimes you have to add the offset. -r so it's recursive again, and then you just point it at wherever your image is sitting. So there's your path to the image, and that can be on a USB drive or on your local drive or wherever your evidence sits. And
10:00
then again just spit it out to the body file. That sector offset can be found with the mmls tool, which is also free and part of The Sleuth Kit. Very, very easy to use. You can also do this against a split image. You could have 100 different .001, .002, 3, 4 files. You just go 001 space 002, 003 and it works
10:23
the same way. Again the offset's there. So here's what a body file looks like, and it's admittedly ugly. It's not user-friendly at all. You'd actually have to know how many seconds from 1969 or 1970 these numbers here designate for each time stamp. So
10:43
obviously that's not something that you're going to want to look at and try to use. But something interesting to look at here on this slide, I have it highlighted in red here: you have this inetmgr executable. And we're going to see that here again in just a second. So turning fls output into something that's actually useful and
11:02
human-readable is done with the mactime Perl script. It's also available as part of The Sleuth Kit. And here's a sample command again: perl mactime.pl -d -b pointed at your body file, and again just output it to a CSV file. The -d is going to output it in a
11:20
comma-delimited format so it's really, really easy to use with Excel or OpenOffice or the command line. You can search it, do whatever you want. And then -b just designates your path to the body file, and you're outputting it to a timeline, FS timeline. So this is probably not going to show up very well, and I apologize. It's hard to catch what a timeline looks like in
11:41
Excel. But obviously once you've got it full screen on your own machine, it's pretty easy to use. And Ctrl+F is extremely effective when you're actually looking at this stuff in Excel. So if you could see what I've got up here on the screen, it's actually some intruder activity that I pulled from a real case. And you can actually
12:03
see the attacker doing some pinging and trace routing and then actually installing a service, and there's some folders showing up here like Windows\system32\memdump. And then immediately followed by a whole bunch of Perl p2x tmp files.
12:20
Pretty scary stuff, not something that you would normally see on a little POS register or back-of-house server. So kind of a cool example there. So there's your standard file system timeline, which can be incredibly useful. But you start adding information to it and you really get a much larger picture of what's going on. So call it a
12:41
super timeline when you start adding more information to it. I like to add the registry times and I don't usually add a lot else. You really get data overload extremely quickly. But that being said, sometimes when you're not finding a lot, adding everything you can can be very useful. So obviously you've just got to use your best judgment there. So you can actually add the
13:03
registry MAC times. They're recorded more or less the same way as the file system timelines, and you can do that with regtime. regtime was actually not publicly available until fairly recently. It's a Perl script written by Carvey and is actually included in the SANS incident response and forensics toolkit, and he's
13:22
also made it available fairly recently on regripper.net. So it is out there. You just really have to kind of look for it. Now we also get to log2timeline, which has just about rendered me completely obsolete in the last three weeks. It's a great utility. It was written by Kristinn Gudjonsson. It adds in
13:42
Windows event logs, Dr. Watson logs, IIS logs. There's 32 different modules. There's probably 40 by now. It's been two weeks since I looked. Just about anything that has time stamps in it, it will parse it and dump it out into a body file for you. It's amazing. So thanks a lot, Kristinn. I'm probably going to lose my job. We'll talk
14:02
more about it here in a few minutes. But it's really good stuff. It's a little difficult to get it working the first time, but really, really worth it. So the process. You extract the registry hives from the system root, Windows\System32\config, and the NTUSER.DAT files for each of your respective users. On XP, that's C:\Documents and Settings\username,
14:22
and in Windows 7 it's under C:\Users\username. And then it's a very simple Perl command again: perl regtime.pl -m. You're going to name your hive name. And again, this is just more so you know which hive you're looking at in the timeline. So HKLM SAM, security,
14:40
software, system. And for HKU you can actually add the name of the user whose NTUSER.DAT file you're actually parsing. Which is pretty cool. Really, really easy, obviously, to tell which user was doing what when you do that. So here's adding it to the body file.
15:01
perl regtime.pl -m, same command, recursively. And then you point it at that actual hive file, C:\case\registry\SAM in this case. And then you append it to that body file. And this is kind of important. Notice there are two greater-than symbols there. Use one and you truncate your whole file. So it's kind of
15:21
important to make sure that you append and not truncate all the work you just did. Using a single one will crush the data, and always make a copy of the body file before you start messing around. It's just good practice. Just in case. Because it happens. Repeat that for each of the NTUSER.DAT files you want to add and you
15:41
run mactime again. And that's pretty much it. mactime.pl, point it at your body file, spit it out to a super timeline. Here's a nice example of what it actually looks like in text when you actually do a grep search against this. And it's actually got a really nice format. And
16:01
remember I told you we were going to see that inetmgr again? There are several time stamps here. And you see one in 2003, which is really odd because this machine wasn't even built until 2007. But we're going to see that here in just a second on the next slide. We'll explain that. Then you'll also see some other interesting files there. You see two paths: system32\inetmgr
16:22
and system32\inetsrv, with the same executable name. Definitely kind of odd. So that's alteration. That's actually a live example of it. There are a couple interesting things there. There are two separate locations that I just talked about, in system32 and also in inetsrv. And
16:40
the binary in system32 is actually memory-dumping malware. The date on the binary doesn't fit the rest of the system timeline. Like I said, the server that this image came from originally wasn't even built until 2007. And I've got a highlight there. You see Sunday, November 16th, 2003. And you see that's actually the modified and the birth date. You
17:03
see the two time stamps; the M and the B are modified and birth. So how do we find out if this is just some kind of anomaly or if this has actually been forcibly altered? It's actually easier than it sounds. But before we do that, let's talk about Vincent Liu, who
17:20
actually created the utility called Timestomp. And this is a little bit older interview, but this is pretty common, what he has to say about forensics people in general. So Mr. Liu said, "But forensic people don't know how good or bad their tools are. And they're going to court based on evidence gathered with those tools. You should test the validity
17:41
of tools you're using before you go to court. And that's what we've done. And guess what? These tools can be fooled and we've proven it," right? Well, I agree, I suppose. Tools can be fooled. That's not that hard. Good investigators can't be fooled. I mean, if you see something like this, you've got to dig further, right? You can't just rely on the output of one single thing. You've got to go verify this stuff.
18:02
Another quote from him says, for any case that relies on digital forensic evidence, Liu says, "It would be a cakewalk to come in and blow the case up. I can take any machine and make it look guilty or not guilty. Whatever I want." Yeah. I beg to differ. He's wrong. So here's proving him wrong. We're actually going to
18:21
defeat time stamp alteration, or at least show you how you can figure it out, right? So here's where that second set of time stamps in the master file table comes in. $FILE_NAME, right? It's not accessible to anything but the system kernel. As of the writing of this presentation, there is nothing known that can change these attributes on the system short of extracting it, modifying it and putting it back on a
18:43
live system. So it's not feasible. It could be done, but it would be a mess. I guarantee, or I can almost guarantee, that the machine wouldn't even work again if you tried to do that. So how do we get to these attributes and make some sense out of the MFT, because it's an
19:02
unreadable format? This is Harlan Carvey to the rescue again. He's written a script called mft.pl. It's also available on regripper.net. And this script parses out all the data for both sets of time stamps and dumps it out into a human-readable format. It's a great tool. And it's fast. So you rip the MFT with, again, another little Perl command here: perl mft.pl pointed at
19:23
your master file table and dump it out to a text file. And that's all there is to it. It outputs a text file that contains all the attributes stored in the standard info and the file name. And it dumps them out and it's really easily searchable. I'll show you in a couple minutes. So a little bit more grep-fu and we've got what we need. strings that file out or anything
19:43
else that you want to use to actually read through it. grep -C6 -i and look for that executable that we know is bad. The -C6 is context. It's a context switch for grep. It shows six lines of context surrounding that search hit, and it's ignoring case for this search. Not much really to it. It's
20:03
too bad that's cut off over here on this screen. This is the output of mft.pl, that particular search in the MFT there. And you can see file names highlighted here in blue. That's the file we were looking for, inetmgr.exe. And this
20:22
is the standard info attribute. See if I can point it out over here. Get the $FN inetmgr.exe over there. This one is the standard info and this one down here is the file name attribute. You can see there's some definitive differences there, right? Standard info, which can be modified: you've got two time stamps that have
20:41
been dumped back to November 16th, 2003. That same set of file time stamps from the file name attribute shows the actual time that this file was created and modified, which is July 21st, 2010. So I just told you everything that's on this slide. I'm just going to skip it. Except that you
21:02
see there that there's definitive evidence of time stamp alteration. You've got a set of time stamps that are obviously right. They fit your timeline, and the other set just flat doesn't. So this is definitive evidence of time alteration. We're actually seeing this a lot. The second set of time stamps just blows away
21:21
Timestomp. It really makes it look silly if you ask me. We're encountering this all the time. I would say almost weekly we're seeing different pieces of malware that are employing this technology, that are actually employing time stomping. So it is out there. In fact there's a couple of keyloggers out there that do it by
21:41
default when they install. They'll actually pull the date the system was built and stomp their own executables back to that, or they'll move it back one year. So here we are, back to log2timeline. So I'm going to tell you guys how to make all of this stuff that I just told you completely obsolete. Again, thanks Kristinn. I
22:00
really appreciate it. The latest version of log2timeline has added functionality that automates just about everything I just talked about and more. Here's a sample, a sample command. I'm not going to read that out to you. You can go play with log2timeline by downloading it. Version 6.0 will run on Windows with some finagling. Look for a blog post in the
22:21
very near future from Chris on exactly how to get it working, if he hasn't already written it. It will automatically parse registry hives, event logs, MFT, IIS logs, just about anything you can think of that actually logs with a time stamp. It will do it automatically. You don't even have to really point it at a
22:40
particular file. It actually does magic number searches. So it will automatically identify an EVT or EVTX and parse it for you the way it knows how. It's a pretty amazing tool. I'm actually looking forward to meeting Kristinn and thanking him for writing it. It's really awesome. So it's demo time already. Wow, I'm way ahead. So we're going to create a super
23:02
timeline from a postmortem image that I have loaded on my laptop. We'll use fls, regtime and mactime. We're going to do a string search and look for some malicious files and verify the time stamp of that. It will probably only take a couple of minutes. And then while the one command is running, I'll show you how to actually extract
23:22
the MFT and the registry hives a really easy way. So let me shrink this. Wrong button. I did cheat just a little bit. I already have my command prompt all open. Is that going to be big enough for everybody to see? Yeah, it's
23:45
cutting off a big chunk of it, isn't it? That will be all right. So I have an image on here that I've already scrubbed any data out of so that I'm not actually divulging anyone's private information. And I've actually already ripped
24:02
out the hives and stuff because it's a little time-consuming. And I don't want to bore you with all the details. But I will show you how I did it here. So the first step here. Hey, wow, this is cool. I can actually move my stuff off screen so you can't see it. All right. So the first step is to actually generate a body
24:21
file. And that was the fls command: fls -m. You name it, C:, C:\, whatever you want to do. Whatever makes sense to you. Name the file system. It's NTFS. Look at it recursively. And in this case I already have my image right here in this C:\defcon folder. So I can just say demo image, demo.E01. This is an EnCase image. The only thing I like
24:41
about EnCase is their compression. So there you go, EnCase users. A little something for you. So this takes a couple of minutes to run. While that's running... I forgot to direct it out to a body file. Sorry about that. Demo fail. Anybody
25:01
got a drink? I'll just redo it here. FLS-MC-F NTFS-R for recursive and point it at demo dot E01. Dump it
25:21
out to a body file. So that's going to take a couple of minutes to run. The way I usually extract all these files is with the FTK imager, which is another open source product. It's really, really easy. You just add the image file in here with FTK. And once that loads up,
25:44
which doesn't take long, you can just browse right through it here. So this is read only. What's that? I need to shoot it over. Thank you. Is that better? So here you go. You've got your entire file system. And here's the root of the drive that will show you
26:02
the MFT right here. And you just right click and export. So it's insanely easy to get a hold of this stuff. And then obviously for your system hives and stuff, same place they are on every Windows machine, Windows system 32, config. Voila, there you go. There's your Sam, your security,
26:23
your software hives, all that. And then the NT user dot dat files are in their user profile spaces, NC documents and settings or NC users. So that's really easy. And the body file is now done as well. So the next step is going to be to actually turn it into a super timeline, right? Is
26:43
that what I said I was going to do? Yeah. Super timeline. So like I said, I've already got these registry hives ripped out and they're in this C Def Con thing here. So I've also modified my path so that this stuff runs natively, which is kind of cheating as well. But it makes it a lot easier to use. So you're going to run reg time
27:02
against the particular hive that you want to see here. In this case I'm just going to do probably two of them here. We'll just do the Sam file just for a demo here. Reg time dot PL dash M, name which hive you're going to do. Point it at the path that you're going to for the registry hive. Dump it
27:21
out to a super body. And notice I've got the two greater thans there, right, so we're going to append. So there you go. Now you've got a super body file right there. Once you've added everything that you want to add to the super body, you just run Mac time against it again, just like you would a regular timeline. And
27:45
PL dash D dash B dash D is the outputted into CSV dash B, point it at a body file. In this case we're going to do the super body. And let that run for a second. I suppose I ought to redirect it out. Super timeline dot CSV. And
28:06
there you go. Now in our directory here we're going to have a super timeline. And I should probably look at that and make sure that it's actually got some content in it. It does. And then again we're going to talk about how easily searchable a body file is, right. So you're
28:22
going to do strings of that, of the super timeline, just so you can take a look at it. And in this case we're going to grip out something that I know is actually on here called RDP service, which is another memory number that I found on this case. Uh-oh. Did I blow up my
28:42
demo? Hang on. Oh, hang on. Let me take a look
29:04
here. What have I got going on? Sorry, I kind of lost track of where I was. So I've got my body file. Oh, that's what I did. I didn't append the registry stuff to, I didn't make a copy of the body file first. So let's do that
29:22
real quick. So here's my FS body. I'm going to paste it. I'm going to rename it super body. And then I'm going to append that stuff to it. Sorry
29:42
about that. It happens. Especially when you're on stage. All right. So now we've got the original body file there, renamed to super body. And now we're going to append that SAM stuff into super body. And it moves very, very quickly. So now we're going to take a look at that body
30:01
file. And with strings and grep again and look for that. I've got to turn it into a timeline. Okay,
30:25
that will take just a second to run through all that stuff. Anybody know any good jokes? Sure.
30:47
Better? Too far over now? There we go. How much does it need to be shrunk? It's kind of hard for me to see the screens. Better? Okay. That's the bottom of it. So this usually takes, I don't know, maybe two or three minutes. It really doesn't take very long. It's pretty fast. Again, if you were trying to sort this out with X-Ways or EnCase, you might have sorted it out and you'd have one set of timestamps by now. So this way is a lot faster. And again, this can be done while you're sitting there at a customer site pulling these images, if you're using F-Response, without affecting the image in any way, because you're completely set read only. It's really a great tool. I really like F-Response. It's one of the only ways that I know of to actually get a little bit more efficiency out of an on-site. I've actually seen forensic people pull up, set an image going, and pull out a book instead of working. And I don't know about anybody else that's in here that does forensics for a living, but we bill a lot of money per hour. So I don't think clients like to see you sitting there reading a book. Should be just about done. There we go.

All right. So now let's take a look at what's in that body file. Again, you can pull this open with Excel if you want and search through it, but it's a heck of a lot faster to do it this way. So take a look at the supertimeline.csv. Again, we're going to just use a simple grep command to look for a piece of known malware that I know is in here. And so here's rdpservice, and there's one hit. And again, we're looking at a 2003 timestamp. And then lo and behold, the very next hit is a prefetch hit. So the last time that this thing was run is actually in 2010, which is really odd. And then we've also got, down at the bottom, an access and a create time in 2010, but the modified and birth time are both in 2003, which is pretty odd, to say the least.

So again, we're going to look at the MFT here. And I've already ripped the MFT, I think. I think I've already got it set. Nope, I don't. Good, I get to do it. Okay. So mft.pl, really easy. This is probably the easiest one of the whole batch. Point it at the MFT and output it to a text file. And this takes, like, I don't know, 60 seconds maybe. And then as soon as that's done, we'll be able to pull those two timestamps out of there and look at that rdpservice. This rdpservice was actually a memory dumping malware that was just from a live case. And when we see this malware, we see this same time stamping, or time stomping, just about every single time that we've found it. And it's actually done with Perl during the install. There's a couple of lines in the Perl installer for this malware that turn around and screw up these timestamps pretty bad.
But it's pretty slick. You know, your average run-of-the-mill sysadmin is going to go looking for new stuff on a box, right, when they think they've got malware. They're going to go looking for everything that just happened in the last six weeks, right? This will completely burn that down. They won't find it.

All right. So now we've got a text file of the MFT and we're going to do the same thing. We're just going to use strings to look at that mft.txt and grep -i, get some context there, -C 6. And we know we're looking for rdpservice again. And it's going to run through that MFT file and it will pop up here in just a second, I hope, with some hits. And there we go. So we've actually got two hits for rdpservice, right? Remember that prefetch entry from earlier? Here's the prefetch entry. Pretty good idea, right? Those timestamps match, right? We've got June 14th, 2010 and June 14th, 2010. Well, here's the actual executable right here, rdpservice.exe. Here's the standard info attribute, and there's that February 12th, 2003 that's obviously wrong, because here's your file name attribute, and that one can't be altered: June 14th, 2010, right? This is time-stomping. And like I said, the look and feel of this is pretty easy to do. You can pretty well blow this open within a couple of minutes, and it really makes time-stomping feel sort of silly. So there's our demo, real quick.

Uh-oh, lost my page. Are we there? There we go. So here's some of the tools that we used here, right, and where you can find them all. And this is all going to be up on my blog as well, An Eye on Forensics. So if you want to go and download all this stuff, you can go. It's available on Windows. And I'm going to give credit to their creators. regtime.pl and mft.pl: this is Harlan Carvey's stuff. He wrote Windows Forensic Analysis and Windows Registry Forensics, and he's got the supporting blog, Windows Incident Response. Great blog. Harlan's always got new stuff out there. And he's pretty opinionated, but he's a good guy. Everybody... I hear people chuckling. They must know Harlan. fls and mactime: these were written by Brian Carrier, the author of File System Forensic Analysis and the creator of The Sleuth Kit. Available for free out there. log2timeline: this is Kristinn Gudjonsson. I'm pretty sure I'm torturing his name. His GCFA gold paper is where this came from, Mastering Super Timelines with log2timeline. And he's also got a blog, IR and Forensics Talk, blog.kiddaland.net. The original mac-daddy was written by Rob Lee and was absorbed into mactime by Brian Carrier. And it's really only fair to mention Rob since he is the original MacDaddy. Great tool. Just a slightly different output for mac-daddy. It's also good for Macs instead of just Windows machines. And a special thanks to Chris Pogue, cpbeefcake, he's right over here in the front row, for teaching me his Sniper Forensics methodology. I don't know if you guys have ever been on his blog or have looked at his methodology for this stuff. It's fantastic. It's really the way that I learned how to do computer forensics. I love it. I can't imagine sitting there and waiting while all this stuff is running, sitting on my thumbs. So he's always got the time to mentor me, even though he doesn't have the time to mentor me. So thanks, man. I appreciate it.

Real world anti-forensics. This stuff is happening. We're seeing it at least once a month and usually more frequently than that. In the course of real world investigations, we regularly encounter malware and attackers that are using these techniques to try to obfuscate their trail. And as they start using these tools more regularly, if you're an investigator, you need to have the tools. You need to be better armed and you need to be better prepared to recognize these things, and not just go, huh, that's an anomaly. This is easy enough to prove. Figure it out. Use this stuff. And, you know, blow this stuff away instead of just going, oh, we had an anomaly. It's not right. Do your homework there. Everything leaves trace evidence somewhere. This is Locard's exchange principle; Locard, the father of modern forensics. Know how your tools work, not just what they do. It'll make you a better investigator. And remember that the tools do not make the investigator. It's the investigator's use of the tools that makes them effective. I have a miter saw and a biscuit joiner and a router at home. I am not a finish carpenter. I am a forensic analyst. So be aware that these tactics are in use. If you guys are doing forensics and you suspect malware and you're seeing stuff that just doesn't fit, give it a shot. It's not that tough. And get some pretty amazing results out of this stuff. All right. So anybody have any questions? Any questions? No. All right. Go ahead.
A graphical view of the timeline? There is stuff out there. There's Excel templates and stuff that I've seen people dump it into, but it's kind of a pain to make it all fit. And if you actually look at a timeline as a CSV, it's not just a handful of entries. I mean, it's literally 450,000 entries for your standard hard drive. Okay. And we'll do a Q&A later. So thank you guys very much for coming. I really appreciate it. Thanks, guys.