Msra 2011 windows7 forensics-troyla

Page 1

Microsoft Confidential

Summit 2011

Page 2

Troy Larson, Principal Forensics Program Manager, Network Security—Investigations. March 29, 2011

If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks.

Page 3

About This Presentation

Overview: some forensic fundamentals.

Dissecting Windows 7 for malware, compromise and intrusions.

Page 4

What is Digital Forensics?

The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner.

To collect admissible evidence: authentication, completeness.

To answer questions about data or files: metadata, context.

To determine what has occurred on a system.

Page 5

Digital Forensics in the Enterprise

At least two general types of forensics work:

Content focused: find email, documents, graphics, or other types of files that match some criteria. eDiscovery and litigation support.

Activity focused: determine what somebody or something did on a computer system. Unauthorized activity, malware, compromise or intrusion.

Page 6

Digital Forensics in the Enterprise

When trust is questioned.

Can this _______ still be trusted?

Page 7

Forensics from XP to Vista

• Changed location of boot sector.
• BitLocker: unlocking, imaging, preservation.
• exFAT. Transactional NTFS.
• Event logging changed: new format (.evtx), new system for collecting and displaying events, new security event numbering.
• New directory tree for account profiles.
• Symbolic links. "Virtual" folders.
• "Virtual" registries.
• Volume Shadow Copies and difference files.
• User Account Control.
• Enforced signed drivers on x64.
• Hard links. WinSxS.*
• Default settings: NTFS change journal.
• Recycle Bin, no INFO2.
• Built-in volume and disk wiping.
• SuperFetch and prefetch files.
• Profile-based thumbcaches.*
• Office file format changes: .docx, .pptx, .xlsx.
• New Office files: InfoPath, Groove, OneNote.
• EFS-encrypted pagefile.
• Windows 2008 Hyper-V.
• Built-in Defender.

Page 8

Forensics from Vista to Windows 7

• Changed volume header for BitLocker volumes.
• Updated BitLocker: multiple volumes, smartcard keys, not backwardly compatible.
• BitLocker To Go.
• Virtual hard drives: boot from, mount as "disks."
• Virtual PC integrated into the OS. XP Mode.
• Flash media enhancements.
• Libraries, Sticky Notes, Jump Lists.
• Service and driver triggers.
• Fewer services on default startup.
• IE 8: InPrivate Browsing, tab and session recovery.
• Changes in Volume Shadow Copy behavior.
• New registry-like files.
• Different WebDAV.
• More x64 clients. x64 Windows 2008 R2 (server).
• Changes in Hyper-V.
• Office 2010 file format changes: OneNote.
• Thumbnail cache.
• Virtual servers, thin clients.
• DirectAccess (IPsec).
• Windows Search.

Page 9

Forensics in Incident Response

When trust is questioned.

Can this system still be trusted?

Page 10

Forensics in Incident Response

Incident response immediate goals: technical assessment (what happened, when, how, etc.?); risk assessment (what systems or data are at risk?); containment.

Incident response end goals: remediation, compliance, prevention, prosecution or litigation.

Page 11

Forensics in Incident Response

[Diagram of evidence sources; image not recovered] Disk: Partition & Volume Managers, Fvevol.sys, File Systems, OS Artifacts, Applications. RAM: Processes, Services, Drivers, Ports. Network.

Page 12

Forensics in Incident Response

Digital vivisection: collecting "live" data from a Windows system to determine what happened, when, and how.

Memory dump.

Processes.

Services.

Drivers.

Logged on users.

Ports.

System reports on itself.

Page 13

Forensics in Incident Response

Digital autopsy: dissecting an offline Windows system to determine what happened, when, and how.

File systems and file metadata.

File signatures.

Registry.

Shell: links, jump lists.

Wininet.

Prefetch.

Shadow Copies.

Event and other logs.

Page 14

Forensics in Incident Response

Digital forensics heuristics.

Any action on a computer changes something: memory (programs, drivers, data, etc.) and media (files and metadata). This includes the actions of incident responders.

Not all changes persist, and those that do don't have to persist forever. Data preservation should generally follow the order of volatility.

There are rules governing the ways things work on any platform: Win32 APIs, NTFS, security, etc. These rules generate artifacts—indicators of compromise.

Page 15

Forensics in Incident Response (image-only slide)

Page 16

Forensics in Incident Response

Digital forensics practical heuristics.

Compare memory dump to Windows own self-reporting.

Compare memory dump and self-reports to on disk sources.

Identify unknown files, mismatched files, and packed executables.

Examine ASEPs for unexpected items.

Examine Shell and Wininet data for indicators and correlations.

Examine prefetch files for program launches and dependencies.

Difference shadow copies to identify hidden files and infection times.

Review event and other logs, particularly those reporting on states of applications and system.

Page 17

Forensics in Incident Response

Memory dumps. Sometimes, it is easy.

All Microsoft code should have symbols.*

8d793000 8d79d000   nsiproxy     (private pdb symbols)  C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf     (private pdb symbols)  C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000   mssmbios     (private pdb symbols)  C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980   mrxnet       (no symbols)
8d7ac000 8d7b0d80   mrxcls       (no symbols)
8d7b1000 8d7bd000   discache     (private pdb symbols)  C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000   AgileVpn     (private pdb symbols)  C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000   rasl2tp      (private pdb symbols)  C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb

http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf

Page 18

Forensics in Incident Response

Compare memory dumps to self-reported information.

Page 19

Forensics in Incident Response

Compare memory dumps and self-reported information to on-disk sources.

Page 20

Forensics in Incident Response

Memory dumps and self-reported information should be examined for the unknown.

Unknown processes.

Unknown services.

Unknown drivers.

Unknown ports.

Etc.

Which unfortunately raises the question: what is unknown?

It is good to build familiarity with what a normal system looks like.

Baseline.

Page 21

Forensics in Incident Response

To the media: identify and exclude known good files.

Industry standard: MD5 hash values of the operating system and application files. (NSRL also publishes SHA-1 for each file; prefer the stronger hash when the reference set offers it.)

Page 22

Forensics in Incident Response

Known good file hashes? http://www.nsrl.nist.gov/

Make as needed, based on standard load images, patched and updated as needed.

Pre-incident shadow copies. (Technically, not “known good,” but good enough to use for finding new, potentially bad files.)

Page 23

Forensics in Incident Response

Recovery and scan of all files.

Undelete.

Check the file signatures for all files to identify mismatched signatures.

Also known as a file signature/extension comparison.

Scan for binaries with “packed” code.
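The three media checks above (known-good hash exclusion, file signature versus extension, scan for packed code) carried out in code, as an added example that is not part of the presentation. It walks a directory tree (a mounted image or shadow copy), drops files whose hash is in a reference set such as an NSRL or baseline-image hash list, then flags signature/extension mismatches and MZ files whose byte entropy suggests packing. The magic-byte table, the 7.0 bits-per-byte threshold and the sample files it writes to a temporary directory are assumptions made for the example; none of the files is real malware.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common file types and the extensions they are expected
# to carry. Assumption for the example; a real tool uses a much longer table.
MAGIC = {
    b"MZ": {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"},
    b"%PDF": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"\x89PNG": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
}
PACKED_ENTROPY = 7.0   # bits per byte; unpacked code sits well below this


def file_hash(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks. NSRL RDS ships MD5 and SHA-1, so pick the
    algorithm that matches the reference set you exclude against."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_mismatch(path: Path, head: bytes) -> bool:
    """True when the magic bytes are recognised but the extension disagrees."""
    for magic, exts in MAGIC.items():
        if head.startswith(magic):
            return path.suffix.lower() not in exts
    return False


def triage(root, known_good: set, algo: str = "sha256") -> dict:
    """Return {relative path: [reasons]} for every file not in known_good."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if file_hash(p, algo) in known_good:
            continue                                   # known good: exclude
        data = p.read_bytes()
        reasons = ["not in known-good hash set"]
        if signature_mismatch(p, data[:8]):
            reasons.append("signature/extension mismatch")
        # Whole-file entropy is a coarse stand-in for per-section entropy;
        # a packed PE (UPX, custom crypters) is close to uniform.
        if data.startswith(b"MZ") and entropy(data) > PACKED_ENTROPY:
            reasons.append("high entropy, possibly packed")
        findings[str(p.relative_to(root))] = reasons
    return findings


def make_sample_tree():
    """Constructed files for the example: a known-good DLL, a PDF that is
    merely unknown, a PE hiding behind a .jpg name, and a 'packed' PE."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "System32").mkdir()
    (root / "System32" / "good.dll").write_bytes(b"MZ" + b"good" + b"\x00" * 500)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    (root / "invoice.jpg").write_bytes(b"MZ" + b"\x00" * 510)
    (root / "svchost.exe").write_bytes(b"MZ" + bytes(range(256)) * 16)
    known_good = {file_hash(root / "System32" / "good.dll")}
    return root, known_good


if __name__ == "__main__":
    root, known_good = make_sample_tree()
    for path, reasons in triage(root, known_good).items():
        print(f"{path}: {', '.join(reasons)}")
```

Everything that survives the hash filter is reported, so the output is the working list of files still to be examined; the mismatch and entropy flags only order that list, they do not verdict it.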

Page 24

Forensics in Incident Response

Using file system date and time information:

Follow an event of interest (this is the starting point).

Sort on created dates and times. This is when files came to exist on the media.

Sort on last modified dates and times. This is when files were last written to.

Sort on entry modified (NTFS) for any changes in metadata or named streams.

Correlate—for each important finding, examine contemporaneous events. Especially important on exploits and downloaders.

Cross check date and time of significant files by comparing date and time from standard attributes to those in the name attribute.

Corroborate event times with corresponding events. E.g., event logs, internal metadata, shadow copies.

Build a time line.
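The timestamp procedure above carried out in code, as an added example and not part of the presentation. It takes MFT records already exported by a parser, with both the $STANDARD_INFORMATION and $FILE_NAME times, builds a sorted timeline, pulls the events contemporaneous with an event of interest, and applies the standard-attribute versus name-attribute cross check. The record layout, the five-minute correlation window and the sample records are assumptions; the paths and times are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MftRecord:
    """Timestamps of one MFT entry, as an MFT parser would export them.
    SI = $STANDARD_INFORMATION (what dir and Explorer show, and what
    SetFileTime changes); FN = $FILE_NAME (maintained by the kernel and not
    settable from user mode through the documented API)."""
    path: str
    si_created: datetime
    si_modified: datetime
    si_entry_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(r: MftRecord) -> list:
    """Cross check SI against FN. Each hit is an indicator, not proof: a file
    copied from FAT media or restored from backup can trip these as well."""
    reasons = []
    if r.si_created < r.fn_created:
        reasons.append("SI created is earlier than FN created")
    if r.si_modified < r.fn_created:
        reasons.append("SI modified is earlier than FN created")
    # Common stomping tools only take whole seconds; NTFS keeps 100 ns.
    if (r.si_created.microsecond == 0 and r.si_modified.microsecond == 0
            and r.fn_created.microsecond != 0):
        reasons.append("SI times are whole seconds while FN is not")
    return reasons


def build_timeline(records) -> list:
    """Flatten records into (time, source, path) tuples sorted by time."""
    events = []
    for r in records:
        events.append((r.si_created, "SI created", r.path))
        events.append((r.si_modified, "SI modified", r.path))
        events.append((r.si_entry_modified, "SI entry modified", r.path))
        events.append((r.fn_created, "FN created", r.path))
    return sorted(events)


def contemporaneous(events, pivot: datetime, window=timedelta(minutes=5)) -> list:
    """Events within +/- window of the event of interest (the starting point)."""
    return [e for e in events if abs(e[0] - pivot) <= window]


# Constructed records: a stock system file, a dropped temp file whose SI
# times were set back to 2008, and a DLL written two seconds after it.
T0 = datetime(2011, 3, 1, 14, 30, 0, 123456)
T2 = T0 + timedelta(seconds=2)
OLD = datetime(2009, 7, 14, 1, 39, 29, 540000)
BACKDATED = datetime(2008, 4, 14, 12, 0, 0)
RECORDS = [
    MftRecord(r"C:\Windows\notepad.exe", OLD, OLD, OLD, OLD, OLD),
    MftRecord(r"C:\Users\bob\AppData\Local\Temp\dropper.tmp",
              BACKDATED, BACKDATED, T0, T0, T0),
    MftRecord(r"C:\Windows\System32\loader.dll", T2, T2, T2, T2, T2),
]


def investigate(records, pivot_path: str) -> dict:
    """Start from the event of interest, pull contemporaneous events and
    report which records show timestamp tampering."""
    events = build_timeline(records)
    pivot = next(r for r in records if r.path == pivot_path).fn_created
    suspects = {}
    for r in records:
        reasons = timestomp_indicators(r)
        if reasons:
            suspects[r.path] = reasons
    return {"pivot": pivot, "nearby": contemporaneous(events, pivot),
            "suspects": suspects}


if __name__ == "__main__":
    result = investigate(RECORDS, r"C:\Users\bob\AppData\Local\Temp\dropper.tmp")
    for when, source, path in result["nearby"]:
        print(f"{when.isoformat()}  {source:18}  {path}")
    for path, reasons in result["suspects"].items():
        print(f"TIMESTOMP? {path}: {'; '.join(reasons)}")
```

Using the FN creation time as the pivot rather than the SI time is deliberate: the dropper's displayed creation date is 2008, and sorting on it alone would push the file far away from the loader that actually arrived with it.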

Pages 25-31

Forensics in Incident Response (image-only slides)

Page 32

Forensics in Incident Response

Examine the registry for ASEPs:

Auto-start Extensibility Points.

http://www.usenix.org/event/lisa04/tech/full_papers/wang/wang.pdf

Autoruns, either online or offline.

http://technet.microsoft.com/en-us/sysinternals/bb963902

Page 33

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Registry “MRU” lists.

Page 34

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Registry, UserAssist.

Ntuser.dat.

Usrclass.dat.
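Decoding the UserAssist data named above, as an added example that is not part of the presentation. On Windows 7 the value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count in NTUSER.DAT are ROT13-encoded program paths, often prefixed with a known-folder GUID, and the 72-byte value data carries the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60. Reading the hive itself (for example with python-registry) is left out; the (name, data) pairs below are constructed in the same layout, and the known-folder table is limited to four entries for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7 writes executables under {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
# and shortcuts under {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}. Value names
# replace the path prefix with a known-folder GUID; a few common ones:
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"%ProgramFiles(x86)%",
}


def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601) to UTC; 0 means never executed."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt) -> int:
    if dt is None:
        return 0
    td = dt - EPOCH_1601
    return (td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds) * 10


def decode_userassist(value_name: str, value_data: bytes) -> dict:
    """Decode one Windows 7 UserAssist\\...\\Count value (72-byte layout)."""
    path = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            path = folder + path[len(guid):]
            break
    if len(value_data) < 68:
        raise ValueError("expected the 72-byte Windows 7 UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    last_run, = struct.unpack_from("<Q", value_data, 60)
    return {
        "path": path,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


def make_sample_value(path: str, run_count: int, focus_count: int,
                      focus_ms: int, last_run) -> tuple:
    """Construct a (name, data) pair in the Windows 7 layout for the example."""
    name = codecs.encode(path, "rot_13")
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    struct.pack_into("<I", data, 68, 0xFFFFFFFF)   # trailing field seen in real values
    return name, bytes(data)


SAMPLE_VALUES = [   # constructed, not exported from a real hive
    make_sample_value(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", 5, 2, 30000,
                      datetime(2011, 3, 1, 14, 31, 0, tzinfo=timezone.utc)),
    make_sample_value(r"C:\Users\bob\Downloads\update.exe", 1, 1, 800,
                      datetime(2011, 3, 1, 14, 29, 58, tzinfo=timezone.utc)),
    make_sample_value("UEME_CTLSESSION", 0, 0, 0, None),
]


def recent_executions(values, since: datetime) -> list:
    """Programs the user launched at or after `since`, newest first."""
    rows = [decode_userassist(name, data) for name, data in values]
    rows = [r for r in rows if r["last_run"] is not None and r["last_run"] >= since]
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)


if __name__ == "__main__":
    for r in recent_executions(SAMPLE_VALUES, datetime(2011, 3, 1, tzinfo=timezone.utc)):
        print(f'{r["last_run"].isoformat()}  x{r["run_count"]}  {r["path"]}')
```

UserAssist only records launches made through the shell (Explorer, Start menu, Run), so a program started by another process or a service leaves no entry here; that gap is exactly what the prefetch files later in the deck fill.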

Page 35

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Shell artifacts: Link files (also known as shortcuts).

Page 36

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Shell artifacts:

A malformed link file.

Page 37

Forensics in Incident Response

The link points to a file, ~wtr4141.tmp, which is this:

Page 38

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Shell artifacts:

Jump lists.

Page 39

Forensics in Incident Response

When user activity may have contributed to the infection or compromise:

Shell artifacts: Jump lists.

Page 40

Forensics in Incident Response

Wininet: Internet history.

Can expose browser exploit URLs and downloads.

Can indicate intruder downloads: first appearance of intruder tools in the history and cache for the Default account.

Multiple data sources:

Internet history files (index.dat), and all fragments or deleted history files.

Browser cache folders.

Recovery files.

Jump lists.

Page 41

Forensics in Incident Response (image-only slide)

Page 42

Forensics in Incident Response

Cache folders

Page 43

Forensics in Incident Response

Recovery folders

Page 44

Forensics in Incident Response

Recover file

Page 45

Forensics in Incident Response

Records of programs being run, and their dependencies, are found in prefetch files.

\Windows\Prefetch

The existence of a prefetch file indicates that the application named by the prefetch file was run. The converse does not hold: Windows 7 keeps at most 128 prefetch files and prunes older ones, so a missing prefetch file does not show that a program never ran.

The creation date of a prefetch file can indicate when the named application was first run.

The modification date of a prefetch file can indicate when the named application was last run.

Prefetch file internals show last launch time, number of times run, and files called during launch.
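A parser for the prefetch internals just listed, added here as an example and not part of the presentation. It reads the executable name, path hash, last run time, run count and the files loaded at launch from the documented fixed offsets of the uncompressed version 17 (XP/2003) and version 23 (Vista/7) formats; Windows 8.1 and later files are MAM-compressed and are deliberately rejected. It also performs two consistency checks an examiner wants: the hash in the header must match the hex hash in the .pf file name (the hash is derived from the executable's full path, so a disagreement means the file was renamed or crafted), and the size recorded in the header must match the file's actual size. The sample prefetch file is built in memory by the helper at the bottom; the name EVIL.EXE and its hash are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets, from the start of the file, of the last-run FILETIME and the run
# counter per format version. The filename-strings offset/size pair sits at
# 0x64/0x68 in both versions.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90},   # Windows XP / 2003
    23: {"last_run": 0x80, "run_count": 0x98},   # Windows Vista / 7 / 2008
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601
    return (td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds) * 10


def parse_prefetch(data: bytes, pf_name: str) -> dict:
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    lay = LAYOUT[version]

    file_size, = struct.unpack_from("<I", data, 0x0C)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)

    # Files touched during the first seconds of launch: the dependencies.
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    blob = data[str_off:str_off + str_size].decode("utf-16-le")
    loaded = [s for s in blob.split("\x00") if s]

    last_run, = struct.unpack_from("<Q", data, lay["last_run"])
    run_count, = struct.unpack_from("<I", data, lay["run_count"])

    # NAME-HASH.pf: the hash in the name must agree with the header.
    name_hash = pf_name.rsplit("-", 1)[-1].split(".")[0].upper()
    return {
        "version": version,
        "exe_name": exe_name,
        "path_hash": f"{path_hash:08X}",
        "hash_matches_name": f"{path_hash:08X}" == name_hash,
        "size_matches": file_size == len(data),
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "loaded_files": loaded,
    }


def build_sample_prefetch(exe: str, path_hash: int, last_run: datetime,
                          run_count: int, loaded: list) -> bytes:
    """Construct a minimal version 23 (Windows 7) prefetch file for the example.
    The metrics and trace-chain sections are left zeroed."""
    strings = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    str_off = 0x54 + 156                     # header + version 23 file information
    total = str_off + len(strings)
    hdr = bytearray(str_off)
    struct.pack_into("<I4sII", hdr, 0, 23, b"SCCA", 0x11, total)
    hdr[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, path_hash)
    struct.pack_into("<II", hdr, 0x64, str_off, len(strings))
    struct.pack_into("<Q", hdr, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x98, run_count)
    return bytes(hdr) + strings


SAMPLE_NAME = "EVIL.EXE-1A2B3C4D.pf"     # constructed name, not a real indicator
SAMPLE = build_sample_prefetch(
    "EVIL.EXE", 0x1A2B3C4D,
    datetime(2011, 3, 1, 14, 30, 0, tzinfo=timezone.utc), 3,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\USERS\BOB\APPDATA\LOCAL\TEMP\EVIL.EXE"],
)

if __name__ == "__main__":
    for key, value in parse_prefetch(SAMPLE, SAMPLE_NAME).items():
        print(f"{key:>18}: {value}")
```

The loaded-files list is often the most useful field: it names the directory the executable actually ran from (here a user's Temp folder) even after the binary itself has been deleted, and it is what ties a loader to the DLLs it pulled in.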

Page 46

Forensics in Incident Response (image-only slide)

Page 47

Forensics in Incident Response

Prefetch internals parsed.

Page 48

Forensics in Incident Response

Shadow copies.

Snapshot of a volume at point in time.

Can show files added, modified, or deleted over time.

Page 49

Forensics in Incident Response

Shadow copies.

Can be mounted as volumes, for scanning.

The first command below exposes each shadow copy on the volume as a directory symbolic link under the system drive. The second follows each link and produces a file list of all files in that shadow copy. Both are written for an interactive, elevated cmd.exe prompt (in a batch file, write %%f and %%g); the second assumes the system drive is C: and writes the lists to E:.

for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\

for /f "tokens=1" %f in ('dir C:\ /B /A:D ^| findstr HarddiskVolumeShadowCopy') do @dir C:\%f /B /O:N /S > E:\%f-fileList.txt

Pages 50-51

Forensics in Incident Response (image-only slides)

Page 52

Forensics in Incident Response

Differencing shadow copies file lists makes malware files stand out:
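Differencing the per-shadow-copy file lists that the dir /B /S loop on page 49 produces, as an added example that is not part of the presentation. It normalises each list to drive-relative paths (stripping the HarddiskVolumeShadowCopyN link name, or just the drive letter for the live volume), reports what was added and removed between two lists, and, given the lists ordered oldest to newest, records the first snapshot in which each new file appears, which brackets the infection time between that snapshot's creation time and the previous one's. The three listings and their labels are constructed; on a real case the labels come from the Creation Time field of vssadmin list shadows.

```python
import re

# dir /B /S prints absolute paths. Strip the drive and, for a shadow copy
# mounted by the mklink loop, the HarddiskVolumeShadowCopyN link name.
PREFIX = re.compile(r"^[A-Za-z]:\\(?:HarddiskVolumeShadowCopy\d+\\)?", re.IGNORECASE)


def normalise(listing: str) -> set:
    """Turn one fileList.txt into a set of drive-relative, case-folded paths."""
    paths = set()
    for line in listing.splitlines():
        line = line.strip()
        if line:
            paths.add(PREFIX.sub("", line, count=1).lower())
    return paths


def diff_lists(older: str, newer: str) -> tuple:
    """(added, removed) between two listings, each sorted."""
    a, b = normalise(older), normalise(newer)
    return sorted(b - a), sorted(a - b)


def first_seen(snapshots) -> dict:
    """snapshots: [(label, listing)] oldest first, live volume last.
    Returns {path: label of the earliest listing containing it} for every
    path absent from the oldest snapshot. Files in the oldest snapshot are
    treated as pre-incident ('good enough', as the deck puts it)."""
    baseline = normalise(snapshots[0][1])
    seen = {}
    for label, listing in snapshots[1:]:
        for p in normalise(listing) - baseline:
            seen.setdefault(p, label)
    return seen


# Constructed listings standing in for E:\HarddiskVolumeShadowCopyN-fileList.txt
# and a dir C:\ /B /S of the live volume.
SHADOW1 = r"""C:\HarddiskVolumeShadowCopy1\Windows\System32\cmd.exe
C:\HarddiskVolumeShadowCopy1\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy1\Users\bob\Documents\notes.txt
"""
SHADOW2 = r"""C:\HarddiskVolumeShadowCopy2\Windows\System32\cmd.exe
C:\HarddiskVolumeShadowCopy2\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy2\Windows\System32\drivers\evil.sys
C:\HarddiskVolumeShadowCopy2\Users\bob\AppData\Local\Temp\dropper.tmp
C:\HarddiskVolumeShadowCopy2\Users\bob\Documents\notes.txt
"""
LIVE = r"""C:\Windows\System32\cmd.exe
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\drivers\evil.sys
C:\Users\bob\Documents\notes.txt
C:\Users\bob\Documents\report.docx
"""
SNAPSHOTS = [("ShadowCopy1 (2011-02-20)", SHADOW1),
             ("ShadowCopy2 (2011-03-01)", SHADOW2),
             ("live (2011-03-29)", LIVE)]


if __name__ == "__main__":
    for path, label in sorted(first_seen(SNAPSHOTS).items()):
        print(f"{label:26} {path}")
    added, removed = diff_lists(SHADOW2, LIVE)
    print("removed since ShadowCopy2:", removed)
```

Files that exist in an earlier shadow copy but not on the live volume (the dropper above) are as interesting as new ones: the shadow copy still holds the content, so the deleted file can be copied out of the mounted snapshot for hashing and analysis.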

Page 53

Forensics in Incident Response

Events and other logs.

Often not the best entry point into an investigation.

System event log can show problems impacting system components: unexpected shutdowns, port reassignment.

Application logs can show problems impacting various applications: unexpected terminations, errors and failures.

Value of the security event log depends on auditing policy settings. Can be noisy.

Pages 54-56

Forensics in Incident Response. Events and other logs (image-only slides).

Page 57

Q&A

Page 58

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.