44con London 2015: NTFS Analysis with PowerForensics
TRANSCRIPT
NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division
@jaredcatkinson
○ Jared Atkinson
  □ Hunt Capability Lead for Adaptive Threat Division
  □ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
  □ Adjunct Lecturer at Utica College
  □ Developer of PowerForensics, Uproot IDS, and WMIEventing
  □ Researcher of forensic artifact file formats
  □ Makes really cool posters :-)
○ History
  □ U.S. Air Force Hunt (2011 - 2015)
  □ GCFA, GREM, and more
Intro to PowerShell
“Microsoft’s [Digital Forensic] platform” - obscuresec, with some liberties…
What is PowerShell
○ Task-based command-line shell and scripting language
○ Built on the .NET Framework
  □ Cmdlets for performing common system administration tasks
  □ Consistent design
  □ Powerful object manipulation capabilities
  □ Extensible interface
○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
  □ Full access to the Windows API
PowerForensics: Old Dog, New Tricks
(Detection, Response, Investigation)
Requirements
○ Centralized forensic toolset
○ Forensically sound
  □ Parse raw disk structures
  □ Don’t alter NTFS timestamps
○ Can execute on a live host
○ Operationally fast
  □ Collect forensic data in seconds or minutes
○ Modular capabilities
  □ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○ Capable of working remotely
  □ At the proof of concept stage
Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey
Forensics Toolbox
Fast?!?
Understanding Modules: Extensibility for the win!
Download PowerForensics
http://download.powerforensics.invoke-ir.com
OR
https://www.github.com/Invoke-IR/PowerForensics
Unblock-File
○ PowerShell v3 gives us Unblock-File
    Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○ Can also “Unblock” via the file’s properties dialog
  □ Best to Unblock the zip before extraction
○ Unblocking will remove the Zone.Identifier Alternate Data Stream
PSModulePath
○ PSModulePath
○ Naming Convention
More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx
Import-Module
    Import-Module -Name PowerForensics
    Get-Command -Module PowerForensics
PowerForensics Install Demo
Invoke-DD
○ One Cmdlet to rule them all
  □ Underlying API is the basis for all of PowerForensics
○ Allows raw access to a Physical Drive or Logical Volume
  □ Uses Platform Invoke to call the CreateFile Windows API
  □ Opens a file handle to \\.\PHYSICALDRIVEX or a Logical Volume
  □ Reads from the file handle via a FileStream object
  □ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)
    $InFile = '\\.\PHYSICALDRIVE0'
    Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1
Invoke-DD Demo
Boot Sectors: Where the action begins…
Master Boot Record
○ 1st Sector of the Disk
  □ Also referred to as the Boot Sector
○ Boot Code
  □ Locate Partition Table
  □ Find 1st “Bootable” partition
  □ Determine partition Logical Cluster Number
  □ Pass execution to first sector of partition (Volume Boot Record)
○ Partition Table
  □ Space for 4 partitions by default
  □ “Extended Partitions” allow for additional partitions above 4
Get-MBR
○ Cmdlet to parse the MBR and return MasterBootRecord objects
○ Use WMI to list available Devices:
    $Devices = Get-WmiObject -Class Win32_DiskDrive
○ Run Get-MBR against one of the returned drives:
    Get-MBR -Path $Devices[0].DeviceID
Boot Kits
○ Attackers can alter MBR Boot Code
  □ Code runs in Ring 0 (before the OS loads)
○ Set-MasterBootRecord
  □ Proof of concept written by Matt Graeber (@mattifestation)
  □ Allows a user with administrator privilege to overwrite the Master Boot Record with arbitrary code
○ Get-MBR takes known Boot Code into account and detects any changes (tampering)
MBR Bootkit Demo
MBR Boot Code (Pre Infection)
MBR Boot Code (Post Infection)
GUID Partition Table
○ Replacement Boot Sector format for MBR (alternative to the Legacy Master Boot Record)
  □ UEFI compliant devices must support GPT
  □ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility
  □ Allows for increased partition sizes (2 TiB -> 8 ZiB)
  □ Supports many primary partitions (MBR supports 4)
  □ Creates Primary and Backup partition table for redundancy
Get-GPT
○ Cmdlet to parse the GPT and return GuidPartitionTable objects
○ Use WMI to list available Devices:
    Get-WmiObject -Class Win32_DiskDrive
○ Run Get-GPT against one of the returned drives:
    Get-GPT -Path \\.\PHYSICALDRIVE1
○ Warning: Get-GPT will error if the device is MBR formatted
○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR
Get-BootSector
○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○ Use WMI to list available Devices:
    Get-WmiObject -Class Win32_DiskDrive
○ Run Get-BootSector against one of the returned drives:
    Get-BootSector -Path \\.\PHYSICALDRIVE0
    Get-BootSector -Path \\.\PHYSICALDRIVE1
Get-PartitionTable
○ Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○ MBR formatted device
    Get-PartitionTable -Path \\.\PHYSICALDRIVE2
○ GPT formatted device
    Get-PartitionTable -Path \\.\PHYSICALDRIVE1
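The two things the last few slides describe (a format agnostic read of the first sector that recognises a Protective MBR, and the Get-MBR idea of comparing boot code against a known-good copy to spot bootkit tampering) can be shown on a single 512-byte sector. The following is an added example and not PowerForensics code: the sector bytes are constructed in the script, the baseline hash is a placeholder, and Invoke-DD is assumed to hand back the raw bytes it reads.

```powershell
# Added example (not PowerForensics code): parse the partition table of a 512-byte
# MBR sector and check the boot code against a known-good SHA-256.

function Get-MbrPartitionEntry {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'A full 512-byte sector is required' }
    # The 0x55AA signature at offset 510 marks a valid boot sector
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Boot signature 0x55AA not found' }
    # Four 16-byte partition entries start at offset 446
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + ($i * 16)
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Index        = $i
            Bootable     = ($Sector[$off] -eq 0x80)
            TypeId       = ('0x{0:X2}' -f $type)
            IsProtective = ($type -eq 0xEE)    # 0xEE = Protective MBR, i.e. the disk is GPT
            StartLba     = [BitConverter]::ToUInt32($Sector, $off + 8)
            SectorCount  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
}

function Test-MbrBootCode {
    param([Parameter(Mandatory)][byte[]]$Sector,
          [Parameter(Mandatory)][string]$KnownGoodSha256)
    # Boot code occupies bytes 0..445, everything before the partition table
    $code = New-Object byte[] 446
    [Array]::Copy($Sector, 0, $code, 0, 446)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($code))) -replace '-', ''
    [pscustomobject]@{
        Sha256   = $hash
        Tampered = ($hash -ne $KnownGoodSha256.ToUpperInvariant())
    }
}

# --- Constructed sample sector (not read from a real disk) -------------------
$sector = New-Object byte[] 512
$sector[510] = 0x55; $sector[511] = 0xAA
# Entry 0: a Protective MBR entry spanning the whole disk, as a GPT disk carries
$sector[446 + 4] = 0xEE
[BitConverter]::GetBytes([uint32]1).CopyTo($sector, 446 + 8)
[BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($sector, 446 + 12)

$entries = Get-MbrPartitionEntry -Sector $sector
$entries | Format-Table -AutoSize
if ($entries | Where-Object IsProtective) {
    'Protective MBR present: this is a GPT disk, the GPT header is at LBA 1'
}

# Placeholder baseline; record the hash of a trusted boot sector for the same OS
# build and substitute it here.
$baseline = '0000000000000000000000000000000000000000000000000000000000000000'
Test-MbrBootCode -Sector $sector -KnownGoodSha256 $baseline

# On a live host (elevated prompt) the sector would come from Invoke-DD, assumed
# here to return the raw bytes:
#   $sector = Invoke-DD -InFile '\\.\PHYSICALDRIVE0' -Offset 0 -BlockSize 512 -Count 1
```

Only the 446 bytes of boot code are hashed, so a legitimate change to the partition table (a new partition) does not trip the check, while any modification of the code that runs before the OS does.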
NTFS System Files
#   Filename             #    Filename
0   $MFT                 8    $BadClus
1   $MFTMirr             9    $Secure
2   $LogFile             10   $UpCase
3   $Volume              11   $Extend
4   $AttrDef                  $ObjId
5   Root Directory (.)        $Quota
6   $Bitmap                   $Reparse
7   $Boot                     $UsnJrnl
Volume Boot Record
$Boot (7)
○ 1st Sector of partition
  □ Location of partition is pointed to by the Partition table (MBR or GPT)
○ Loads the BOOTMGR Loader
○ Defines partition attributes
  □ Bytes per Sector
  □ Sectors per Cluster
  □ Total Sectors
  □ Location of MFT
  □ Size of MFT Record
  □ Size of INDX Structure
Get-VolumeBootRecord
○ Cmdlet to parse the VBR and return VolumeBootRecord objects
○ Execute Cmdlet with the “VolumeName” parameter
    $VBR = Get-VolumeBootRecord -VolumeName \\.\C:
○ Often useful to pair with low level cmdlets like Invoke-DD
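The partition attributes the VBR slide lists are all in the BIOS Parameter Block of that first sector, and the reason the slide pairs the VBR with Invoke-DD is that those fields give the byte offset of the $MFT. The script below is an added example, not PowerForensics code; it decodes the fields from a sector constructed in the script and computes the offset a raw read of MFT record 0 would use. Invoke-DD is assumed to return the raw bytes.

```powershell
# Added example (not PowerForensics code): decode the NTFS boot sector fields and
# turn them into the byte offset of the $MFT.

function ConvertTo-SignedByte([byte]$b) {
    # PowerShell's [sbyte] cast is checked, so fold values above 127 by hand
    if ($b -gt 127) { [int]$b - 256 } else { [int]$b }
}

function Get-NtfsVbrInfo {
    param([Parameter(Mandatory)][byte[]]$Sector)
    $oem = [System.Text.Encoding]::ASCII.GetString($Sector, 3, 8)
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$oem')" }
    $bytesPerSector    = [BitConverter]::ToUInt16($Sector, 0x0B)
    $sectorsPerCluster = [int]$Sector[0x0D]
    $bytesPerCluster   = $bytesPerSector * $sectorsPerCluster
    # Clusters-per-record fields are signed: a negative value n means 2^(-n) bytes
    $recSize = ConvertTo-SignedByte $Sector[0x40]
    $idxSize = ConvertTo-SignedByte $Sector[0x44]
    $mftRecordBytes = if ($recSize -lt 0) { [math]::Pow(2, -$recSize) } else { $recSize * $bytesPerCluster }
    $indexBytes     = if ($idxSize -lt 0) { [math]::Pow(2, -$idxSize) } else { $idxSize * $bytesPerCluster }
    $mftCluster = [BitConverter]::ToUInt64($Sector, 0x30)
    [pscustomobject]@{
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        TotalSectors      = [BitConverter]::ToUInt64($Sector, 0x28)
        MftCluster        = $mftCluster
        MftMirrCluster    = [BitConverter]::ToUInt64($Sector, 0x38)
        MftRecordSize     = [int]$mftRecordBytes
        IndexRecordSize   = [int]$indexBytes
        MftByteOffset     = [int64]$mftCluster * $bytesPerCluster   # offset within the volume
    }
}

# --- Constructed sample VBR (not read from a disk) ---------------------------
$vbr = New-Object byte[] 512
[System.Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($vbr, 3)
[BitConverter]::GetBytes([uint16]512).CopyTo($vbr, 0x0B)        # bytes per sector
$vbr[0x0D] = 8                                                   # sectors per cluster
[BitConverter]::GetBytes([uint64]1048575).CopyTo($vbr, 0x28)    # total sectors
[BitConverter]::GetBytes([uint64]786432).CopyTo($vbr, 0x30)     # $MFT start cluster
[BitConverter]::GetBytes([uint64]2).CopyTo($vbr, 0x38)          # $MFTMirr start cluster
$vbr[0x40] = 0xF6     # -10 -> 1024-byte MFT records
$vbr[0x44] = 0x01     # 1 cluster -> 4096-byte INDX buffers
$vbr[510] = 0x55; $vbr[511] = 0xAA

$info = Get-NtfsVbrInfo -Sector $vbr
$info | Format-List     # MftByteOffset for this sample is 786432 * 4096 = 3221225472

# Pairing with Invoke-DD on a live volume (elevated), as the slide suggests: read
# MFT record 0 from the computed offset; its first four bytes must be 'FILE'.
#   $vbr  = Invoke-DD -InFile '\\.\C:' -Offset 0 -BlockSize 512 -Count 1
#   $info = Get-NtfsVbrInfo -Sector $vbr
#   $rec0 = Invoke-DD -InFile '\\.\C:' -Offset $info.MftByteOffset -BlockSize $info.MftRecordSize -Count 1
```

The record size (1024) satisfies the Invoke-DD rule that BlockSize be a multiple of 512, which is why the computed value can be passed straight through.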
Master File Table
$MFT (0)
○ NTFS file table
  □ First file present on an NTFS partition
  □ Contains at least one entry for every file on an NTFS Volume, including itself
  □ As files are added the MFT grows
  □ When files are deleted, the MFT marks the file’s record as unallocated so a new file can take its place
○ Each record contains file metadata
  □ MACB Timestamps
  □ File name details (name, path, hard links)
  □ Location of Data
Get-FileRecord
○ Cmdlet to parse the MFT and return FileRecord objects
○ Three different ways to use:
  1) Get all MFT Records
    $mft = Get-FileRecord -VolumeName \\.\C:
  2) Get a FileRecord by path
    Get-FileRecord -Path C:\Windows\notepad.exe
  3) Get a FileRecord by Record Number/Index value
    Get-FileRecord -VolumeName \\.\C: -Index 0
Temporal Funneling
○ Large amounts of data may not be relevant to our case
  □ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation
    $mft = Get-FileRecord
    $start = New-Object DateTime(2015,08,21,13,05,00)
    $end = New-Object DateTime(2015,08,21,14,05,00)
    $mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}
Temporal Funneling Demo
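The one-liner on the slide pivots on a single field (BornTime) with a hard-coded window. The function below is an added example rather than code from the talk: it takes a pivot time such as an alert timestamp, a window in minutes, and a list of timestamp fields, and reports which field put each record inside the window. The records it runs on are constructed objects; the property names BornTime and ModifiedTime follow the slide, and FullName is assumed.

```powershell
# Added example (not PowerForensics code): a reusable temporal pivot over any of a
# record's timestamp fields, widened by a chosen number of minutes.

function Select-TemporalPivot {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][DateTime]$Pivot,
        [int]$WindowMinutes = 30,
        [string[]]$TimeField = @('BornTime', 'ModifiedTime')
    )
    begin {
        $start = $Pivot.AddMinutes(-$WindowMinutes)
        $end   = $Pivot.AddMinutes($WindowMinutes)
    }
    process {
        foreach ($field in $TimeField) {
            $t = $Record.$field
            if ($t -and $t -gt $start -and $t -lt $end) {
                [pscustomobject]@{
                    FullName  = $Record.FullName
                    MatchedOn = $field
                    When      = $t
                    OffsetMin = [math]::Round(($t - $Pivot).TotalMinutes, 1)
                }
                break     # report each record once, on the first field that matches
            }
        }
    }
}

# --- Constructed records standing in for Get-FileRecord output ---------------
$records = @(
    [pscustomobject]@{ FullName = 'C:\Windows\Prefetch\CMD.EXE-01C678D0.pf'; BornTime = [DateTime]'2015-08-21 13:31:10'; ModifiedTime = [DateTime]'2015-08-21 13:31:10' }
    [pscustomobject]@{ FullName = 'C:\temp\helloworld.txt';                  BornTime = [DateTime]'2015-08-21 13:35:42'; ModifiedTime = [DateTime]'2015-08-21 13:36:05' }
    [pscustomobject]@{ FullName = 'C:\Windows\notepad.exe';                  BornTime = [DateTime]'2013-08-22 12:00:00'; ModifiedTime = [DateTime]'2015-08-21 13:40:00' }
    [pscustomobject]@{ FullName = 'C:\Users\analyst\old.docx';               BornTime = [DateTime]'2014-01-05 09:00:00'; ModifiedTime = [DateTime]'2014-01-05 09:00:00' }
)

$pivot = [DateTime]'2015-08-21 13:35:00'     # e.g. the alert time from the SIEM
# Expected: three hits (notepad.exe matches on ModifiedTime only); old.docx is funnelled out
$records | Select-TemporalPivot -Pivot $pivot -WindowMinutes 30 | Sort-Object When | Format-Table -AutoSize

# Live equivalent of the slide, widened to 30 minutes either side of the alert:
#   Get-FileRecord -VolumeName \\.\C: | Select-TemporalPivot -Pivot $pivot -WindowMinutes 30
```

Checking ModifiedTime as well as BornTime matters because a pre-existing file that was overwritten during the incident has an old BornTime and would be lost by the single-field filter.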
MFT Attributes
Type   Name                     Type   Name
0x10   $STANDARD_INFORMATION    0x90   $INDEX_ROOT
0x20   $ATTRIBUTE_LIST          0xA0   $INDEX_ALLOCATION
0x30   $FILE_NAME               0xB0   $BITMAP
0x40   $OBJECT_ID               0xC0   $REPARSE_POINT
0x50   $SECURITY_DESCRIPTOR     0xD0   $EA_INFORMATION
0x60   $VOLUME_NAME             0xE0   $EA
0x70   $VOLUME_INFORMATION      0xF0   $PROPERTY_SET
0x80   $DATA                    0x100  $LOGGED_UTILITY_STREAM
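The attribute table is what a parser walks inside each 1024-byte MFT record: a fixed header, then a chain of attribute headers ending in 0xFFFFFFFF. The script below is an added example, not PowerForensics code. It applies the update sequence (fixup) array that every on-disk record carries, walks the attribute chain, names each type from the table above, and flags a named $DATA attribute as an alternate data stream. The record it parses is constructed in the script; offsets follow the NTFS on-disk layout.

```powershell
# Added example (not PowerForensics code): walk the attributes of one MFT record.

$AttributeTypeName = @{
    0x10 = '$STANDARD_INFORMATION'; 0x20 = '$ATTRIBUTE_LIST'; 0x30 = '$FILE_NAME'; 0x40 = '$OBJECT_ID'
    0x50 = '$SECURITY_DESCRIPTOR'; 0x60 = '$VOLUME_NAME'; 0x70 = '$VOLUME_INFORMATION'; 0x80 = '$DATA'
    0x90 = '$INDEX_ROOT'; 0xA0 = '$INDEX_ALLOCATION'; 0xB0 = '$BITMAP'; 0xC0 = '$REPARSE_POINT'
    0xD0 = '$EA_INFORMATION'; 0xE0 = '$EA'; 0xF0 = '$PROPERTY_SET'; 0x100 = '$LOGGED_UTILITY_STREAM'
}

function Repair-MftRecordFixup {
    # NTFS overwrites the last 2 bytes of each 512-byte sector with the update sequence
    # number (USN) and keeps the originals in the update sequence array (USA).
    param([Parameter(Mandatory)][byte[]]$Record, [int]$SectorSize = 512)
    $rec = [byte[]]$Record.Clone()
    $usaOffset = [BitConverter]::ToUInt16($rec, 4)
    $usaCount  = [BitConverter]::ToUInt16($rec, 6)      # entries, including the USN itself
    $usn = $rec[$usaOffset], $rec[$usaOffset + 1]
    for ($i = 1; $i -lt $usaCount; $i++) {
        $end = ($i * $SectorSize) - 2
        if ($rec[$end] -ne $usn[0] -or $rec[$end + 1] -ne $usn[1]) { throw "Fixup mismatch in sector $i (torn write?)" }
        $rec[$end]     = $rec[$usaOffset + (2 * $i)]
        $rec[$end + 1] = $rec[$usaOffset + (2 * $i) + 1]
    }
    return ,$rec
}

function Get-MftAttributeHeader {
    param([Parameter(Mandatory)][byte[]]$Record)
    $sig = [System.Text.Encoding]::ASCII.GetString($Record, 0, 4)
    if ($sig -ne 'FILE') { throw "Bad record signature '$sig' ('BAAD' marks a corrupt record)" }
    $rec    = Repair-MftRecordFixup -Record $Record
    $inUse  = ([BitConverter]::ToUInt16($rec, 0x16) -band 1) -eq 1   # flag 0x01 = allocated
    $offset = [int][BitConverter]::ToUInt16($rec, 0x14)             # first attribute
    while ($offset + 8 -le $rec.Length) {
        $type = [BitConverter]::ToUInt32($rec, $offset)
        if ($type -eq 0xFFFFFFFF) { break }                          # end-of-attributes marker
        $len = [BitConverter]::ToUInt32($rec, $offset + 4)
        if ($len -eq 0) { break }
        $nonRes  = $rec[$offset + 8] -ne 0
        $nameLen = [int]$rec[$offset + 9]
        $name = ''
        if ($nameLen -gt 0) {
            $nameOff = [BitConverter]::ToUInt16($rec, $offset + 0x0A)
            $name = [System.Text.Encoding]::Unicode.GetString($rec, $offset + $nameOff, $nameLen * 2)
        }
        $size = if ($nonRes) { [BitConverter]::ToUInt64($rec, $offset + 0x30) } else { [BitConverter]::ToUInt32($rec, $offset + 0x10) }
        [pscustomobject]@{
            TypeId = ('0x{0:X}' -f $type); TypeName = $AttributeTypeName[[int]$type]; Name = $name
            NonResident = $nonRes; ContentSize = $size; RecordInUse = $inUse
            IsAds = ($type -eq 0x80 -and $name -ne '')   # named $DATA = alternate data stream
        }
        $offset += [int]$len
    }
}

# --- Build a constructed 1024-byte record (resident attributes only) ---------
function Write-ResidentAttribute {
    param([byte[]]$Rec, [int]$At, [uint32]$Type, [string]$Name, [byte[]]$Value)
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($Name)
    $valueOff  = [int](8 * [math]::Ceiling((0x18 + $nameBytes.Length) / 8))
    $len       = [int](8 * [math]::Ceiling(($valueOff + $Value.Length) / 8))
    [BitConverter]::GetBytes($Type).CopyTo($Rec, $At)
    [BitConverter]::GetBytes([uint32]$len).CopyTo($Rec, $At + 4)
    $Rec[$At + 9] = [byte]$Name.Length
    [BitConverter]::GetBytes([uint16]0x18).CopyTo($Rec, $At + 0x0A)
    [BitConverter]::GetBytes([uint32]$Value.Length).CopyTo($Rec, $At + 0x10)
    [BitConverter]::GetBytes([uint16]$valueOff).CopyTo($Rec, $At + 0x14)
    $nameBytes.CopyTo($Rec, $At + 0x18)
    $Value.CopyTo($Rec, $At + $valueOff)
    return $At + $len                                   # offset of the next attribute
}

$record = New-Object byte[] 1024
[System.Text.Encoding]::ASCII.GetBytes('FILE').CopyTo($record, 0)
[BitConverter]::GetBytes([uint16]0x30).CopyTo($record, 4)     # USA offset
[BitConverter]::GetBytes([uint16]3).CopyTo($record, 6)        # USN + one entry per 512-byte sector
[BitConverter]::GetBytes([uint16]0x38).CopyTo($record, 0x14)  # first attribute offset
[BitConverter]::GetBytes([uint16]1).CopyTo($record, 0x16)     # flags: in use
$record[0x30] = 1                                             # USN = 0x0001, USA entries stay 0
$record[510] = 1; $record[1022] = 1                           # USN stamped at each sector end
$next = Write-ResidentAttribute $record 0x38 0x10 '' (New-Object byte[] 72)
$next = Write-ResidentAttribute $record $next 0x30 '' (New-Object byte[] 74)
$next = Write-ResidentAttribute $record $next 0x80 '' ([System.Text.Encoding]::ASCII.GetBytes('Hello, world!'))
$next = Write-ResidentAttribute $record $next 0x80 'Zone.Identifier' ([System.Text.Encoding]::ASCII.GetBytes("[ZoneTransfer]`r`nZoneId=3`r`n"))
[BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($record, $next)   # end marker

Get-MftAttributeHeader -Record $record | Format-Table -AutoSize
# Expected: $STANDARD_INFORMATION, $FILE_NAME, an unnamed $DATA (13 bytes) and a
# Zone.Identifier $DATA (26 bytes) with IsAds = True
```

Skipping the fixup step is the classic parser mistake: the two bytes at the end of each sector are then read as attribute data, which silently corrupts whatever field happens to straddle a sector boundary.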
Recover Deleted File Demo
Access SAM Hive Demo
Get-ContentRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Outputs the contents of the file to Standard Out
○ Different Encoding Options
  □ ASCII
  □ Unicode
  □ Bytes
    Get-ContentRaw -Path C:\Windows\system32\config\SAM
Copy-FileRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Creates a copy of the specified file without accessing the file itself
    $Path = 'C:\Windows\system32\config\SAM'
    $Destination = 'C:\temp\SAM'
    Copy-FileRaw -Path $Path -Destination $Destination
Alternate Data Streams
○ NTFS allows files to store data in multiple “$DATA” attributes
  □ These additional $DATA attributes are commonly referred to as Alternate Data Streams (ADS)
○ Attackers have found ways to hide and even execute malware from ADS
  □ Windows legitimately uses ADS to identify files downloaded from the internet (Zone.Identifier)
○ PowerShell added ADS compatibility to many cmdlets, but did not add the ability to recursively list all files with ADS
Get-AlternateDataStream
○ Cmdlet to easily find and list Alternate Data Streams on NTFS
○ Use cases:
  1) List all Alternate Data Streams
    $ads = Get-AlternateDataStream
  2) List files downloaded via Internet Explorer
    $ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
  3) List Alternate Data Streams for a specific file
    Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
  4) List Alternate Data Streams not created by Internet Explorer
    $ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}
Alternate Data Streams Demo
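The slide notes that the built-in cmdlets understand ADS but offer no recursive listing. The function below is an added example (not PowerForensics code) that assembles that listing from the stock Get-ChildItem and Get-Item -Stream cmdlets available since PowerShell v3, reads the ZoneId out of any Zone.Identifier stream so downloaded files can be triaged, and produces the two views from use cases 2) and 4). The sample files it scans are created in a temporary directory by the script itself and removed afterwards.

```powershell
# Added example (not PowerForensics code): recursive ADS inventory with the stock
# cmdlets, split into Zone.Identifier (download marker) and everything else.

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every $DATA stream; ':$DATA' is the main, unnamed one
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $zone = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # ZoneId=3 means the file came from the Internet zone
                        $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
                        if ($text -match 'ZoneId=(\d)') { $zone = [int]$Matches[1] }
                    }
                    [pscustomobject]@{
                        Path       = $file.FullName
                        StreamName = $_.Stream
                        Length     = $_.Length
                        ZoneId     = $zone
                    }
                }
        }
}

# --- Constructed sample tree (temporary files, removed at the end) -----------
$root = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -LiteralPath "$root\report.txt" -Value 'quarterly report'
Set-Content -LiteralPath "$root\report.txt" -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath "$root\notes.txt" -Value 'notes'
Set-Content -LiteralPath "$root\notes.txt" -Stream hidden.txt -Value 'a stream the main listing never shows'

$inventory = Get-AdsInventory -Root $root
$inventory | Format-Table -AutoSize

# Triage views matching use cases 2) and 4) above
$downloaded = @($inventory | Where-Object { $_.StreamName -eq 'Zone.Identifier' -and $_.ZoneId -eq 3 })
$unexpected = @($inventory | Where-Object { $_.StreamName -ne 'Zone.Identifier' })
"$($downloaded.Count) file(s) marked as Internet downloads; $($unexpected.Count) other named stream(s)"

Remove-Item -LiteralPath $root -Recurse -Force
```

Because this walks the live file system through the normal API it does update last-access metadata and cannot see streams on files the running OS hides from it, which is exactly the gap the raw-parsing cmdlet on the slide closes; it is the quick, no-module triage option.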
Get-ChildItemRaw
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
  □ Lists system and hidden files
  □ Output object has a RecordNumber parameter
    Get-ChildItemRaw
    Get-ChildItemRaw -Path C:\Windows\
Get-ChildItemRaw Demo
Get-FileRecordIndex
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
  □ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
  □ Can be teamed with Get-FileRecord
    $rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
    Get-FileRecord -VolumeName \\.\C: -Index $rnumber
Get-FileRecordIndex Demo
$UsnJrnl
○ NTFS Change Journaling
  □ Keeps track of changes to files or directories in a volume
  □ Changes are documented with the filename, timestamp of change, and description of change
  □ Can be leveraged by backup utilities (ex. Volume Shadow Service)
○ Two named data streams:
  □ $MAX: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
  □ $J: Contains the actual Journal entries
$UsnJrnl Reasons
BASIC_INFO_CHANGE      INDEXABLE_CHANGE
CLOSE                  NAMED_DATA_EXTEND
COMPRESSION_CHANGE     NAMED_DATA_OVERWRITE
DATA_EXTEND            NAMED_DATA_TRUNCATION
DATA_OVERWRITE         OBJECT_ID_CHANGE
DATA_TRUNCATION        RENAME_NEW_NAME
EA_CHANGE              RENAME_OLD_NAME
ENCRYPTION_CHANGE      REPARSE_POINT_CHANGE
FILE_CREATE            SECURITY_CHANGE
FILE_DELETE            STREAM_CHANGE
HARD_LINK_CHANGE
Get-UsnJrnlInformation
○ Cmdlet to parse the UsnJrnl’s $MAX Data Stream
○ Returns Metadata about the UsnJrnl
    Get-UsnJrnlInformation -VolumeName \\.\C:
Get-UsnJrnl
○ Cmdlet to parse the UsnJrnl’s $J Data Stream
○ Use Cases:
  □ Get all UsnJrnl Entries
    $usn = Get-UsnJrnl -VolumeName \\.\C:
  □ Get the most recent UsnJrnl entry for C:\temp\helloworld.txt
    $r = Get-FileRecord -Path C:\temp\helloworld.txt
    $usn = $r.Attribute[0].UpdateSequenceNumber
    Get-UsnJrnl -VolumeName \\.\C: -USN $usn
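The entries Get-UsnJrnl returns are USN_RECORD_V2 structures from $UsnJrnl:$J, and the reason table a few slides back is a bitmask inside each one. The script below is an added example, not PowerForensics code: it builds one journal record in memory (constructed, not captured), parses the fixed-offset fields, splits the 8-byte NTFS file reference into MFT record number and sequence number, expands the reason mask into the names from the table, and applies the kind of filter a hunter would run (new Prefetch files). The reason values are the USN_REASON_* constants from winioctl.h.

```powershell
# Added example (not PowerForensics code): parse a USN_RECORD_V2 and decode its reasons.

$UsnReason = [ordered]@{
    DATA_OVERWRITE = 0x1; DATA_EXTEND = 0x2; DATA_TRUNCATION = 0x4
    NAMED_DATA_OVERWRITE = 0x10; NAMED_DATA_EXTEND = 0x20; NAMED_DATA_TRUNCATION = 0x40
    FILE_CREATE = 0x100; FILE_DELETE = 0x200; EA_CHANGE = 0x400; SECURITY_CHANGE = 0x800
    RENAME_OLD_NAME = 0x1000; RENAME_NEW_NAME = 0x2000; INDEXABLE_CHANGE = 0x4000
    BASIC_INFO_CHANGE = 0x8000; HARD_LINK_CHANGE = 0x10000; COMPRESSION_CHANGE = 0x20000
    ENCRYPTION_CHANGE = 0x40000; OBJECT_ID_CHANGE = 0x80000; REPARSE_POINT_CHANGE = 0x100000
    STREAM_CHANGE = 0x200000; CLOSE = 0x80000000
}

function ConvertFrom-UsnReason {
    param([Parameter(Mandatory)][uint32]$Mask)
    foreach ($name in $UsnReason.Keys) {
        if (($Mask -band [uint32]$UsnReason[$name]) -ne 0) { $name }
    }
}

function Get-MftReference {
    # 8-byte NTFS file reference: low 48 bits = MFT record number, high 16 bits = sequence number
    param([byte[]]$Bytes, [int]$Offset)
    $low = [int64][BitConverter]::ToUInt32($Bytes, $Offset)
    $mid = [int64][BitConverter]::ToUInt16($Bytes, $Offset + 4)
    [pscustomobject]@{
        RecordNumber   = $low + ($mid * 4294967296)
        SequenceNumber = [BitConverter]::ToUInt16($Bytes, $Offset + 6)
    }
}

function ConvertFrom-UsnRecordV2 {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$Offset = 0)
    $major = [BitConverter]::ToUInt16($Bytes, $Offset + 4)
    if ($major -ne 2) { throw "Only USN_RECORD_V2 is handled here (got major version $major)" }
    $nameLen = [BitConverter]::ToUInt16($Bytes, $Offset + 56)    # byte count, not char count
    $nameOff = [BitConverter]::ToUInt16($Bytes, $Offset + 58)
    $self    = Get-MftReference $Bytes ($Offset + 8)
    $parent  = Get-MftReference $Bytes ($Offset + 16)
    $reason  = [BitConverter]::ToUInt32($Bytes, $Offset + 40)
    [pscustomobject]@{
        Usn            = [BitConverter]::ToInt64($Bytes, $Offset + 24)
        TimeStamp      = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $Offset + 32))
        RecordNumber   = $self.RecordNumber
        SequenceNumber = $self.SequenceNumber
        ParentRecord   = $parent.RecordNumber
        FileName       = [System.Text.Encoding]::Unicode.GetString($Bytes, $Offset + $nameOff, $nameLen)
        Reason         = ('0x{0:X8}' -f $reason)
        ReasonNames    = (ConvertFrom-UsnReason -Mask $reason) -join '|'
        RecordLength   = [BitConverter]::ToUInt32($Bytes, $Offset)
    }
}

# --- Constructed sample record (not captured from a real journal) ------------
function New-UsnRecordV2 {
    param([string]$FileName, [uint32]$Reason, [long]$RecordNumber, [long]$ParentRecord, [DateTime]$When)
    $name = [System.Text.Encoding]::Unicode.GetBytes($FileName)
    $len  = [int](8 * [math]::Ceiling((60 + $name.Length) / 8))   # records are 8-byte aligned
    $b = New-Object byte[] $len
    [BitConverter]::GetBytes([uint32]$len).CopyTo($b, 0)
    [BitConverter]::GetBytes([uint16]2).CopyTo($b, 4)              # major version 2
    [BitConverter]::GetBytes([uint64]$RecordNumber).CopyTo($b, 8)  # sequence number left 0 in the sample
    [BitConverter]::GetBytes([uint64]$ParentRecord).CopyTo($b, 16)
    [BitConverter]::GetBytes([int64]4096).CopyTo($b, 24)           # USN = offset within $J
    [BitConverter]::GetBytes($When.ToFileTimeUtc()).CopyTo($b, 32)
    [BitConverter]::GetBytes($Reason).CopyTo($b, 40)
    [BitConverter]::GetBytes([uint16]$name.Length).CopyTo($b, 56)
    [BitConverter]::GetBytes([uint16]60).CopyTo($b, 58)
    $name.CopyTo($b, 60)
    return ,$b
}

$sample = New-UsnRecordV2 -FileName 'CMD.EXE-01C678D0.pf' `
    -Reason ($UsnReason.FILE_CREATE -bor $UsnReason.CLOSE) `
    -RecordNumber 91234 -ParentRecord 3456 -When ([DateTime]'2015-08-21T13:30:00Z')

$entry = ConvertFrom-UsnRecordV2 -Bytes $sample
$entry | Format-List      # ReasonNames is FILE_CREATE|CLOSE, FileName CMD.EXE-01C678D0.pf

# The Prefetch hunt from the slides, applied to decoded entries: new .pf files mean
# a program ran for the first time in that window.
@($entry) | Where-Object { $_.FileName -like '*.pf' -and $_.ReasonNames -match 'FILE_CREATE' }

# On a live volume the RecordNumber links straight back to the MFT:
#   Get-FileRecord -VolumeName \\.\C: -Index $entry.RecordNumber
```

The reason mask accumulates across a file's open/close cycle and is only final on the entry carrying CLOSE, so filters that look for a single flag should be applied to the CLOSE entry to avoid double counting.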
File Creation & Modification Demo
UsnJrnl ADS Demo
Artifacts
Prefetch
Get-Prefetch
○ Cmdlet to parse the Windows Prefetch binary file format
○ Use Cases:
  □ Get all Prefetch objects from files in the “\Windows\Prefetch” directory
    Get-Prefetch -VolumeName \\.\C:
  □ Get the Prefetch object from the file specified by the Path parameter
    Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
  □ Another option is looking for .pf file operations in the UsnJrnl
    Get-UsnJrnl | ? {$_.FileName -like "*.pf"}
Prefetch Demo
Get-ScheduledJobRaw
○ Cmdlet to parse the Scheduled (At) Job binary file format
○ Use Cases:
  □ Get all ScheduledJob objects from files in the “\Windows\Tasks” directory
    Get-ScheduledJobRaw -VolumeName \\.\C:
  □ Get the ScheduledJob object from the file specified by the Path parameter
    Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job
Moving Forward
○ More artifacts!!
  □ Registry support
  □ ESE database support
○ Organic Remoting (more robust)
○ Support for alternate file systems
  □ Windows: FAT12, FAT16, FAT32, exFAT
  □ Linux: Ext2, Ext3, Ext4
  □ Mac: HFS+
○ Online documentation (Open API)
○ WMI Provider with Events
○ Community Involvement!!!
@jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?
Extra Slides!!!
$Volume (3)
○ File containing metadata about its partition/volume
○ Made up of two special attributes, $VOLUME_NAME and $VOLUME_INFORMATION
  □ Two cmdlets: Get-VolumeName and Get-VolumeInformation
    Get-VolumeName -VolumeName \\.\C:
    Get-VolumeInformation -VolumeName \\.\C:
$AttrDef (4)
○ System file that contains details about all file attributes available to the volume
    Get-AttrDef -VolumeName \\.\C:
$Bitmap (6) / $BadClus (8)
○ NTFS has two files to tell the File System what Clusters can be used
○ File contents are bit fields where each bit represents a specific cluster
  □ $Bitmap: Each bit represents whether the associated cluster is allocated by the file system
  □ $BadClus: Each bit represents whether the associated cluster is corrupted or not
Get-Bitmap / Get-BadClus
○ Cmdlets to parse the bit fields contained within their respective files ($BITMAP and $BADCLUS)
○ Use cases:
  □ Parse the $BITMAP file to determine if the specified cluster is allocated
    Get-Bitmap -VolumeName \\.\C: -Cluster 1000
  □ Parse the $BADCLUS file to report on any clusters that have been marked as corrupt by the file system
    Get-BadClus -VolumeName \\.\C:
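The "is cluster N allocated" question that Get-Bitmap answers is a single bit test, and the same bitmap also tells you where unallocated space lies, which is where the contents of deleted files survive until overwritten. The script below is an added example, not PowerForensics code: it implements the bit test, then scans the map for runs of free clusters. The bitmap bytes are constructed in the script; on a live volume they would be the $DATA content of the $Bitmap file.

```powershell
# Added example (not PowerForensics code): cluster allocation test and free-run scan
# over a $Bitmap image.

function Test-ClusterAllocated {
    param([Parameter(Mandatory)][byte[]]$Bitmap, [Parameter(Mandatory)][long]$Cluster)
    $byteIndex = [int][math]::Floor($Cluster / 8)
    if ($byteIndex -ge $Bitmap.Length) {
        throw "Cluster $Cluster lies beyond the bitmap ($($Bitmap.Length * 8) clusters)"
    }
    # Bit 0 of each byte is the lowest-numbered cluster of that group of eight
    $bit = [int]($Cluster % 8)
    return (($Bitmap[$byteIndex] -shr $bit) -band 1) -eq 1
}

function Get-UnallocatedClusterRun {
    # Walks the map and emits (StartCluster, Length) for each contiguous free run.
    # -TotalClusters trims the padding bits past the end of the volume.
    param([Parameter(Mandatory)][byte[]]$Bitmap, [long]$TotalClusters = -1)
    if ($TotalClusters -lt 0) { $TotalClusters = $Bitmap.Length * 8 }
    $runStart = -1
    for ($c = 0; $c -lt $TotalClusters; $c++) {
        $free = -not (Test-ClusterAllocated -Bitmap $Bitmap -Cluster $c)
        if ($free -and $runStart -lt 0) {
            $runStart = $c
        } elseif (-not $free -and $runStart -ge 0) {
            [pscustomobject]@{ StartCluster = $runStart; Length = $c - $runStart }
            $runStart = -1
        }
    }
    if ($runStart -ge 0) {
        [pscustomobject]@{ StartCluster = $runStart; Length = $TotalClusters - $runStart }
    }
}

# --- Constructed 32-cluster bitmap (not read from a volume) ------------------
# 0xFF: clusters 0-7 allocated   0x0F: 8-11 allocated, 12-15 free
# 0x00: 16-23 free               0x80: 24-30 free, 31 allocated
$bitmap = [byte[]](0xFF, 0x0F, 0x00, 0x80)

Test-ClusterAllocated -Bitmap $bitmap -Cluster 11    # True
Test-ClusterAllocated -Bitmap $bitmap -Cluster 12    # False
Test-ClusterAllocated -Bitmap $bitmap -Cluster 31    # True
Get-UnallocatedClusterRun -Bitmap $bitmap            # one run: StartCluster 12, Length 19

# Byte offset of a free run on the volume, given the VBR geometry (here 4096-byte
# clusters), which is what a raw read of unallocated space would start from:
$run = Get-UnallocatedClusterRun -Bitmap $bitmap | Select-Object -First 1
$run.StartCluster * 4096
```

The per-cluster function call is fine for a sample but slow for a real $Bitmap (a 1 TB volume has about 250 million cluster bits); a production scan should skip whole 0x00 and 0xFF bytes before testing individual bits.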