44con london 2015: ntfs analysis with powerforensics

NTFS Analysis with PowerShell Jared Atkinson Veris Group’s Adaptive Threat Division

Upload: jared-atkinson

Post on 14-Feb-2017


TRANSCRIPT

Page 1: 44CON London 2015: NTFS Analysis with PowerForensics

NTFS Analysis with PowerShell

Jared Atkinson

Veris Group’s Adaptive Threat Division

Page 2: 44CON London 2015: NTFS Analysis with PowerForensics

@jaredcatkinson

○ Jared Atkinson
□ Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
□ Adjunct Lecturer at Utica College
□ Developer of PowerForensics, Uproot IDS, and WMIEventing
□ Researcher of forensic artifact file formats
○ Makes really cool posters :-)
□ History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more

Page 3: 44CON London 2015: NTFS Analysis with PowerForensics

Intro to PowerShell

“Microsoft’s [Digital Forensic] platform” - obscuresec with some liberties…

Page 4: 44CON London 2015: NTFS Analysis with PowerForensics

What is PowerShell

○ Task-based command-line shell and scripting language
○ Built on the .NET Framework
□ Cmdlets for performing common system administration tasks
□ Consistent design
□ Powerful object manipulation capabilities
□ Extensible interface
○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
□ Full access to the Windows API

Page 5: 44CON London 2015: NTFS Analysis with PowerForensics

PowerForensics

Old Dog, New Tricks

Detection, Response, Investigation

Page 6: 44CON London 2015: NTFS Analysis with PowerForensics

Requirements

○ Centralized forensic toolset
○ Forensically sound
□ Parse raw disk structures
□ Don’t alter NTFS timestamps
○ Can execute on a live host
○ Operationally fast
□ Collect forensic data in seconds or minutes
○ Modular capabilities
□ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○ Capable of working remotely
□ At the proof of concept stage

Page 7: 44CON London 2015: NTFS Analysis with PowerForensics

Forensically Sound?

“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey

Page 8: 44CON London 2015: NTFS Analysis with PowerForensics

Forensics Toolbox


Fast?!?

Page 14: 44CON London 2015: NTFS Analysis with PowerForensics

Understanding Modules

Extensibility for the win!

Page 15: 44CON London 2015: NTFS Analysis with PowerForensics

Download PowerForensics

http://download.powerforensics.invoke-ir.com

OR

https://www.github.com/Invoke-IR/PowerForensics

Page 16: 44CON London 2015: NTFS Analysis with PowerForensics

Unblock-File

○ PowerShell v3 gives us Unblock-File
  Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○ Can also “Unblock” via the file’s properties dialog
□ Best to Unblock the zip before extraction
○ Unblocking will remove the Zone.Identifier Alternate Data Stream

Page 17: 44CON London 2015: NTFS Analysis with PowerForensics

PSModulePath

○ PSModulePath
○ Naming Convention

More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx

Page 18: 44CON London 2015: NTFS Analysis with PowerForensics

Import-Module

Import-Module -Name PowerForensics
Get-Command -Module PowerForensics

Page 19: 44CON London 2015: NTFS Analysis with PowerForensics

PowerForensics Install Demo

Page 20: 44CON London 2015: NTFS Analysis with PowerForensics

Invoke-DD

○ One Cmdlet to rule them all
□ Underlying API is basis for all of PowerForensics
○ Allows raw access to Physical Drive or Logical Volume
□ Uses Platform Invoke to call CreateFile Windows API
□ Opens a file handle to \\.\PHYSICALDRIVEX or Logical Volume
□ Reads from file handle via FileStream object
□ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)

$InFile = '\\.\PHYSICALDRIVE0'
Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1

Page 21: 44CON London 2015: NTFS Analysis with PowerForensics

Invoke-DD Demo

Page 22: 44CON London 2015: NTFS Analysis with PowerForensics

Boot Sectors

Where the action begins…

Page 23: 44CON London 2015: NTFS Analysis with PowerForensics

Master Boot Record

○ 1st Sector of the Disk
□ Also referred to as the Boot Sector
○ Boot Code
□ Locate Partition Table
□ Find 1st “Bootable” partition
□ Determine partition Logical Cluster Number
□ Pass execution to first sector of partition (Volume Boot Record)
○ Partition Table
□ Space for 4 partitions by default
□ “Extended Partitions” allow for additional partitions above 4

Page 24: 44CON London 2015: NTFS Analysis with PowerForensics
Page 25: 44CON London 2015: NTFS Analysis with PowerForensics

Get-MBR

○ Cmdlet to parse the MBR and return MasterBootRecord objects
○ Use WMI to list available Devices:
  $Devices = Get-WmiObject -Class Win32_DiskDrive
○ Run Get-MBR against one of the returned drives:
  Get-MBR -Path $Devices[0].DeviceID

Page 26: 44CON London 2015: NTFS Analysis with PowerForensics

Boot Kits

○ Attackers can alter MBR Boot Code
□ Code runs in Ring 0 (before the OS Loads)
○ Set-MasterBootRecord
□ Proof of concept written by Matt Graeber (@mattifestation)
□ Allows a user with administrator privilege to overwrite the Master Boot Record with arbitrary code
○ Get-MBR takes known Boot Code into account and detects any changes (tampering)
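The following is an added example, not from the slides or from PowerForensics itself: it uses Invoke-DD to read sector 0, parses the four partition table entries by hand, and hashes the boot code region so that a later collection can be compared against a baseline digest taken from a clean host. It assumes Invoke-DD returns the sector as a byte array and that you keep a known-good digest yourself (the KnownGoodSha256 parameter is hypothetical).

```powershell
function Get-MbrBaseline {
    param(
        [string]$Device = '\\.\PHYSICALDRIVE0',
        # Hex SHA-256 of the boot code recorded from a known-clean build (assumed to exist; hypothetical parameter)
        [string]$KnownGoodSha256
    )
    # The MBR is sector 0; Invoke-DD must read in whole 512-byte sectors.
    # Assumption: Invoke-DD returns the raw sector as a byte array.
    [byte[]]$mbr = Invoke-DD -InFile $Device -Offset 0 -BlockSize 512 -Count 1
    if ($mbr.Length -ne 512) { throw "Expected 512 bytes from $Device, got $($mbr.Length)" }

    # Bytes 510-511 carry the 0x55AA boot signature.
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { throw "No 0x55AA signature on $Device" }

    # Boot code lives in bytes 0-439 (before the disk signature and partition table).
    # Hashing it makes a Set-MasterBootRecord style overwrite visible as a digest mismatch.
    [byte[]]$bootCode = $mbr[0..439]
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $digest = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
    $tampered = if ($KnownGoodSha256) { $digest -ne $KnownGoodSha256.ToLower() } else { $null }

    # Partition table: four 16-byte entries starting at byte 446.
    $partitions = foreach ($i in 0..3) {
        $e = 446 + ($i * 16)
        [pscustomobject]@{
            Entry       = $i
            Bootable    = ($mbr[$e] -eq 0x80)            # 0x80 = active/bootable flag
            Type        = '0x{0:X2}' -f $mbr[$e + 4]      # 0xEE = protective MBR (GPT disk)
            StartLBA    = [BitConverter]::ToUInt32($mbr, $e + 8)
            SectorCount = [BitConverter]::ToUInt32($mbr, $e + 12)
        }
    }

    [pscustomobject]@{
        Device         = $Device
        BootCodeSha256 = $digest
        Tampered       = $tampered
        ProtectiveMbr  = [bool]($partitions | Where-Object { $_.Type -eq '0xEE' })
        Partitions     = @($partitions | Where-Object { $_.Type -ne '0x00' })
    }
}

# Record the digest once on a clean host, then pass it as -KnownGoodSha256 on later collections.
Get-MbrBaseline -Device '\\.\PHYSICALDRIVE0' | Format-List
```

On a GPT disk the protective MBR shows a single 0xEE entry, which is the case the Get-GPT slides describe; on an MBR disk the entries are the real partitions.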

Page 27: 44CON London 2015: NTFS Analysis with PowerForensics

MBR Bootkit Demo

Page 28: 44CON London 2015: NTFS Analysis with PowerForensics

MBR Boot Code (Pre Infection)

Page 29: 44CON London 2015: NTFS Analysis with PowerForensics

MBR Boot Code (Post Infection)

Page 30: 44CON London 2015: NTFS Analysis with PowerForensics

MBR Boot Code (Post Infection)

Page 31: 44CON London 2015: NTFS Analysis with PowerForensics

GUID Partition Table

○ Replacement Boot Sector format for MBR
□ UEFI compliant devices must support GPT
○ Alternative to Legacy Master Boot Record
□ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility
□ Allows for increased partition sizes (2 TiB -> 8 ZiB)
□ Supports many primary partitions (MBR supports 4)
□ Creates Primary and Backup partition table for redundancy

Page 32: 44CON London 2015: NTFS Analysis with PowerForensics

Get-GPT

○ Cmdlet to parse the GPT and return GuidPartitionTable objects
○ Use WMI to list available Devices:
  Get-WmiObject -Class Win32_DiskDrive
○ Run Get-GPT against one of the returned drives:
  Get-GPT -Path \\.\PHYSICALDRIVE1
○ Warning: Get-GPT will error if device is MBR formatted
○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR

Page 34: 44CON London 2015: NTFS Analysis with PowerForensics

Get-BootSector

○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○ Use WMI to list available Devices:
  Get-WmiObject -Class Win32_DiskDrive
○ Run Get-BootSector against one of the returned drives:
  Get-BootSector -Path \\.\PHYSICALDRIVE0
  Get-BootSector -Path \\.\PHYSICALDRIVE1

Page 35: 44CON London 2015: NTFS Analysis with PowerForensics

Get-PartitionTable

○ Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○ MBR formatted device
  Get-PartitionTable -Path \\.\PHYSICALDRIVE2
○ GPT formatted device
  Get-PartitionTable -Path \\.\PHYSICALDRIVE1

Page 36: 44CON London 2015: NTFS Analysis with PowerForensics

NTFS System Files

Page 37: 44CON London 2015: NTFS Analysis with PowerForensics

NTFS System Files

#   Filename              #    Filename
0   $MFT                  8    $BadClus
1   $MFTMirr              9    $Secure
2   $LogFile              10   $UpCase
3   $Volume               11   $Extend
4   $AttrDef                     $ObjId
5   Root Directory (.)           $Quota
6   $Bitmap                      $Reparse
7   $Boot                        $UsnJrnl

Page 38: 44CON London 2015: NTFS Analysis with PowerForensics

Volume Boot Record

$Boot (7)

○ 1st Sector of partition
□ Location of partition is pointed to by the Partition table (MBR or GPT)
○ Loads the BOOTMGR Loader
○ Defines partition attributes
□ Bytes per Sector
□ Sectors per Cluster
□ Total Sectors
□ Location of MFT
□ Size of MFT Record
□ Size of INDX Structure

Page 39: 44CON London 2015: NTFS Analysis with PowerForensics
Page 40: 44CON London 2015: NTFS Analysis with PowerForensics

Get-VolumeBootRecord

○ Cmdlet to parse the VBR and return VolumeBootRecord objects
○ Execute Cmdlet with “VolumeName” parameter
  $VBR = Get-VolumeBootRecord -VolumeName \\.\C:
○ Often useful to pair with low level cmdlets like Invoke-DD

Page 41: 44CON London 2015: NTFS Analysis with PowerForensics

Master File Table

$MFT (0)

○ NTFS file table
□ First file present on NTFS partition
□ Contains at least one entry for every file, on an NTFS Volume, including itself
□ As files are added the MFT grows
□ When files are deleted, the MFT marks the file’s record as unallocated so a new file can take its place
○ Each record contains file metadata
□ MACB Timestamps
□ File name details (name, path, hard links)
□ Location of Data

Page 42: 44CON London 2015: NTFS Analysis with PowerForensics

Get-FileRecord

○ Cmdlet to parse the MFT and return FileRecord objects
○ Three different ways to use:
1) Get all MFT Records
   $mft = Get-FileRecord -VolumeName \\.\C:
2) Get a FileRecord by path
   Get-FileRecord -Path C:\Windows\notepad.exe
3) Get a FileRecord by Record Number/Index value
   Get-FileRecord -VolumeName \\.\C: -Index 0

Page 44: 44CON London 2015: NTFS Analysis with PowerForensics

Temporal Funneling

○ Large amounts of data may not be relevant to our case
□ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation

$mft = Get-FileRecord
$start = New-Object DateTime(2015,08,21,13,05,00)
$end = New-Object DateTime(2015,08,21,14,05,00)
$mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}

Page 45: 44CON London 2015: NTFS Analysis with PowerForensics

Temporal Funneling Demo

Page 46: 44CON London 2015: NTFS Analysis with PowerForensics

MFT Attributes

Type   Name                     Type   Name
0x10   $STANDARD_INFORMATION    0x90   $INDEX_ROOT
0x20   $ATTRIBUTE_LIST          0xA0   $INDEX_ALLOCATION
0x30   $FILE_NAME               0xB0   $BITMAP
0x40   $OBJECT_ID               0xC0   $REPARSE_POINT
0x50   $SECURITY_DESCRIPTOR     0xD0   $EA_INFORMATION
0x60   $VOLUME_NAME             0xE0   $EA
0x70   $VOLUME_INFORMATION      0xF0   $PROPERTY_SET
0x80   $DATA                    0x100  $LOGGED_UTILITY_STREAM

Page 47: 44CON London 2015: NTFS Analysis with PowerForensics

Recover Deleted File Demo

Page 52: 44CON London 2015: NTFS Analysis with PowerForensics

Access SAM Hive Demo

Page 53: 44CON London 2015: NTFS Analysis with PowerForensics

Get-ContentRaw

○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
□ Finds the file’s MFT Record and the main $DATA Stream
□ Outputs the contents of the file to Standard Out
○ Different Encoding Options
□ ASCII
□ Unicode
□ Bytes

Get-ContentRaw -Path C:\Windows\system32\config\SAM

Page 54: 44CON London 2015: NTFS Analysis with PowerForensics

Copy-FileRaw

○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
□ Finds the file’s MFT Record and the main $DATA Stream
□ Creates a copy of the specified file without accessing the file itself

$Path = 'C:\Windows\system32\config\SAM'
$Destination = 'C:\temp\SAM'
Copy-FileRaw -Path $Path -Destination $Destination

Page 55: 44CON London 2015: NTFS Analysis with PowerForensics

Alternate Data Streams

○ NTFS allows files to store data in multiple “$DATA” attributes
□ These additional $DATA attributes are commonly referred to as Alternate Data Streams (ADS)
○ Attackers have found ways to hide and even execute malware from ADS
□ Windows legitimately uses ADS to identify files downloaded from the internet (Zone.Identifier)
○ PowerShell added ADS compatibility to many cmdlets, but did not add the ability to recursively list all files with ADS

Page 56: 44CON London 2015: NTFS Analysis with PowerForensics

Get-AlternateDataStream

○ Cmdlet to easily find and list Alternate Data Streams on NTFS
○ Use cases:
1) List all Alternate Data Streams
   $ads = Get-AlternateDataStream
2) List files downloaded via Internet Explorer
   $ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
3) List Alternate Data Streams for a specific file
   Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
4) List Alternate Data Streams not created by Internet Explorer
   $ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}
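An added triage routine that builds on the use cases above (example code, not from the slides or from PowerForensics): it splits the Get-AlternateDataStream output into Zone.Identifier streams, from which it pulls the download zone, and everything else, which it checks for an MZ header. It assumes each returned object exposes FullName (the host file path) alongside StreamName, and that the streams are readable with Get-Content -Stream under Windows PowerShell 5.1.

```powershell
function Get-AdsTriage {
    # Enumerate streams from the NTFS structures rather than walking the live file system.
    # Assumption: each object exposes FullName (host file path) and StreamName.
    $streams = Get-AlternateDataStream

    foreach ($s in $streams) {
        # NTFS metadata files such as $Extend\$UsnJrnl legitimately carry named streams; skip them.
        if ($s.FullName -match '\\\$') { continue }

        if ($s.StreamName -eq 'Zone.Identifier') {
            # Mark-of-the-Web written on download: ZoneId 3 = Internet, 4 = Restricted Sites.
            # HostUrl only exists on newer Windows builds, so it may come back empty.
            $zone    = Get-Content -LiteralPath $s.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId  = (@($zone) -match '^ZoneId=')  -replace '^ZoneId=', ''
            $hostUrl = (@($zone) -match '^HostUrl=') -replace '^HostUrl=', ''
            $finding = "downloaded (ZoneId=$zoneId) $hostUrl".Trim()
        }
        else {
            # Any other named stream deserves a look: read its first two bytes and test for
            # an MZ header, the sign of an executable image stashed in an ADS.
            # -Encoding Byte is Windows PowerShell 5.1 syntax (PowerShell 7 uses -AsByteStream).
            $head = Get-Content -LiteralPath $s.FullName -Stream $s.StreamName -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $isPe = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            $finding = if ($isPe) { 'PE image hidden in ADS' } else { 'non-standard ADS' }
        }

        [pscustomobject]@{
            File    = $s.FullName
            Stream  = $s.StreamName
            Finding = $finding
        }
    }
}

# Hidden executables sort to the top; Zone.Identifier hits give download provenance for the rest.
Get-AdsTriage | Sort-Object Finding -Descending | Format-Table -AutoSize
```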

Page 57: 44CON London 2015: NTFS Analysis with PowerForensics

Alternate Data Streams Demo

Page 58: 44CON London 2015: NTFS Analysis with PowerForensics

Get-ChildItemRaw

○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
□ Lists system and hidden files
□ Output object has a RecordNumber parameter

Get-ChildItemRaw
Get-ChildItemRaw -Path C:\Windows\

Page 61: 44CON London 2015: NTFS Analysis with PowerForensics

Get-ChildItemRaw Demo

Page 62: 44CON London 2015: NTFS Analysis with PowerForensics

Get-FileRecordIndex

○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
□ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
□ Can be teamed with Get-FileRecord
  $rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
  Get-FileRecord -VolumeName \\.\C: -Index $rnumber

Page 63: 44CON London 2015: NTFS Analysis with PowerForensics

Get-FileRecordIndex Demo

Page 64: 44CON London 2015: NTFS Analysis with PowerForensics

$UsnJrnl

○ NTFS Change Journaling
□ Keeps track of changes to files or directories in a volume
□ Changes are documented with the filename, timestamp of change, and description of change
□ Can be leveraged by backup utilities (ex Volume Shadow Service)
○ Two named data streams:
□ $MAX: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
□ $J: Contains the actual Journal entries

Page 65: 44CON London 2015: NTFS Analysis with PowerForensics

$UsnJrnl Reasons

BASIC_INFO_CHANGE      INDEXABLE_CHANGE
CLOSE                  NAMED_DATA_EXTEND
COMPRESSION_CHANGE     NAMED_DATA_OVERWRITE
DATA_EXTEND            NAMED_DATA_TRUNCATION
DATA_OVERWRITE         OBJECT_ID_CHANGE
DATA_TRUNCATION        RENAME_NEW_NAME
EA_CHANGE              RENAME_OLD_NAME
ENCRYPTION_CHANGE      REPARSE_POINT_CHANGE
FILE_CREATE            SECURITY_CHANGE
FILE_DELETE            STREAM_CHANGE
HARD_LINK_CHANGE

Page 66: 44CON London 2015: NTFS Analysis with PowerForensics

Get-UsnJrnlInformation

○ Cmdlet to parse the UsnJrnl’s $MAX Data Stream
○ Returns Metadata about the UsnJrnl

Get-UsnJrnlInformation -VolumeName \\.\C:

Page 68: 44CON London 2015: NTFS Analysis with PowerForensics

Get-UsnJrnl

○ Cmdlet to parse the UsnJrnl’s $J Data Stream
○ Use Cases:
□ Get all UsnJrnl Entries
  $usn = Get-UsnJrnl -VolumeName \\.\C:
□ Get the most recent UsnJrnl entry for C:\temp\helloworld.txt
  $r = Get-FileRecord -Path C:\temp\helloworld.txt
  $usn = $r.Attribute[0].UpdateSequenceNumber
  Get-UsnJrnl -VolumeName \\.\C: -USN $usn
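An added example (not from the slides or from PowerForensics) that ties the Temporal Funneling slide to the $J journal: it funnels Get-UsnJrnl output into an investigation window and then pairs FILE_CREATE with FILE_DELETE entries to surface files that existed only briefly, the pattern left by droppers and staging files. It assumes each journal entry exposes FileName (as shown on the slides) plus a TimeStamp and a Reason whose string form contains the reason names from the $UsnJrnl Reasons slide; those two property names are assumptions.

```powershell
function Find-ShortLivedFiles {
    param(
        [string]$VolumeName = '\\.\C:',
        [datetime]$Start,
        [datetime]$End,
        [int]$MaxLifetimeSeconds = 300
    )
    # Temporal funneling: keep only journal entries inside the window of interest.
    # Assumption: entries expose TimeStamp and Reason (names not given on the slides).
    $usn = Get-UsnJrnl -VolumeName $VolumeName |
        Where-Object { $_.TimeStamp -ge $Start -and $_.TimeStamp -le $End }

    # Group by name so a FILE_CREATE can be paired with the FILE_DELETE that follows it.
    # Caveat: FileName alone does not distinguish same-named files in different directories.
    foreach ($group in ($usn | Group-Object FileName)) {
        $events  = $group.Group | Sort-Object TimeStamp
        $created = $events | Where-Object { "$($_.Reason)" -match 'FILE_CREATE' } | Select-Object -First 1
        $deleted = $events | Where-Object { "$($_.Reason)" -match 'FILE_DELETE' } | Select-Object -Last 1
        if (-not $created -or -not $deleted) { continue }
        if ($deleted.TimeStamp -lt $created.TimeStamp) { continue }

        $life = ($deleted.TimeStamp - $created.TimeStamp).TotalSeconds
        if ($life -le $MaxLifetimeSeconds) {
            [pscustomobject]@{
                FileName        = $group.Name
                Created         = $created.TimeStamp
                Deleted         = $deleted.TimeStamp
                LifetimeSeconds = [math]::Round($life, 1)
                # Reasons seen in between (DATA_EXTEND, DATA_OVERWRITE, ...) show whether content was written.
                Reasons         = ($events | ForEach-Object { "$($_.Reason)" } | Select-Object -Unique) -join ','
            }
        }
    }
}

# Same one-hour window as the Temporal Funneling slide.
Find-ShortLivedFiles -Start (New-Object DateTime(2015,08,21,13,05,00)) -End (New-Object DateTime(2015,08,21,14,05,00)) |
    Sort-Object LifetimeSeconds | Format-Table -AutoSize
```

Because the journal is read from the raw $J stream, a deleted file still appears here even after its MFT record has been reused.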

Page 70: 44CON London 2015: NTFS Analysis with PowerForensics

File Creation & Modification Demo

Page 71: 44CON London 2015: NTFS Analysis with PowerForensics

UsnJrnl ADS Demo

Page 72: 44CON London 2015: NTFS Analysis with PowerForensics

Artifacts

Page 73: 44CON London 2015: NTFS Analysis with PowerForensics

Prefetch

Page 74: 44CON London 2015: NTFS Analysis with PowerForensics

Get-Prefetch

○ Cmdlet to parse the Windows Prefetch binary file format
○ Use Cases:
□ Get all Prefetch objects from files in the “\Windows\Prefetch” directory
  Get-Prefetch -VolumeName \\.\C:
□ Get the Prefetch object from the file specified by the Path parameter
  Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
□ Another option is looking for .pf file operations in the UsnJrnl
  Get-UsnJrnl | ? {$_.FileName -like "*.pf"}

Page 76: 44CON London 2015: NTFS Analysis with PowerForensics

Prefetch Demo

Page 77: 44CON London 2015: NTFS Analysis with PowerForensics

Get-ScheduledJobRaw

○ Cmdlet to parse the Scheduled (At) Job binary file format
○ Use Cases:
□ Get all ScheduledJob objects from files in the “\Windows\Tasks” directory
  Get-ScheduledJobRaw -VolumeName \\.\C:
□ Get the ScheduledJob object from the file specified by the Path parameter
  Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job

Page 78: 44CON London 2015: NTFS Analysis with PowerForensics

Moving Forward

○ More artifacts!!
□ Registry support
□ ESE database support
○ Organic Remoting (more robust)
○ Support for alternate file systems
□ Windows: FAT12, FAT16, FAT32, exFAT
□ Linux: Ext2, Ext3, Ext4
□ Mac: HFS+
○ Online documentation (Open API)
○ WMI Provider with Events
○ Community Involvement!!!

Page 79: 44CON London 2015: NTFS Analysis with PowerForensics

@jaredcatkinson

https://github.com/Invoke-IR/PowerForensics

https://github.com/Invoke-IR/PowerForensics_Source

Any questions?

Page 80: 44CON London 2015: NTFS Analysis with PowerForensics

Extra Slides!!!

Page 81: 44CON London 2015: NTFS Analysis with PowerForensics

$Volume (3)

○ File containing metadata about its partition/volume
○ Made up of two special attributes $VOLUME_NAME and $VOLUME_INFORMATION
□ Two cmdlets: Get-VolumeName and Get-VolumeInformation

Get-VolumeName -VolumeName \\.\C:
Get-VolumeInformation -VolumeName \\.\C:

Page 82: 44CON London 2015: NTFS Analysis with PowerForensics

$AttrDef (4)

○ System file that contains details about all file attributes available to the volume

Get-AttrDef -VolumeName \\.\C:

Page 85: 44CON London 2015: NTFS Analysis with PowerForensics

$Bitmap (6) / $BadClus (8)

○ NTFS has two files to tell the File System what Clusters can be used
○ File contents are bit fields where each bit represents a specific cluster
□ $Bitmap: Each bit represents whether the associated cluster is allocated by the file system
□ $BadClus: Each bit represents whether the associated cluster is corrupted or not

Page 87: 44CON London 2015: NTFS Analysis with PowerForensics

Get-Bitmap / Get-BadClus

○ Cmdlet to parse bit fields contained within their respective files ($BITMAP and $BADCLUS)
○ Use cases:
□ Parse the $BITMAP file to determine if the specified cluster is allocated
  Get-Bitmap -VolumeName \\.\C: -Cluster 1000
□ Parse the $BADCLUS file to report on any clusters that have been marked as corrupt by the file system
  Get-BadClus -VolumeName \\.\C: