Invoke-IR: Learn Digital Forensics and Incident Response techniques utilizing Windows PowerShell<br />
<br />
Installing PowerShell on OSX (posted 2016-08-18)<br />
<br />
Today, Microsoft announced the open sourcing of PowerShell. Not only does this mean that we (the community) can contribute to PowerShell in the form of issues and pull requests, but PowerShell is now available for OSX and *nix!<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
PowerShell is now available on macOS & Linux and is open sourced!<br />
My blog: <a href="https://t.co/xN6GCCnE9G">https://t.co/xN6GCCnE9G</a><br />
<br />
Mic drop!</div>
— jsnover (@jsnover) <a href="https://twitter.com/jsnover/status/766292764543770624">August 18, 2016</a></blockquote>
As an owner of numerous Apple products (and a perpetual PowerShell fanboy), I quickly jumped on the bandwagon and installed PowerShell on my Macbook Pro. This post walks through installing PowerShell on OSX and configuring the OSX terminal to provide a familiar PowerShell user experience.<br />
<br />
First things first, let us take a journey to the <a href="https://github.com/PowerShell/PowerShell"><span style="color: blue;">PowerShell</span></a> project on github.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidTU4xn_Z40zQ2_1Iwcr4_QJy_MTXjOLUG69RQ5fLCosBP_-1BhDyHxUU512UJTw2EYOVyDdPR_U0gVa7GxmTcIlqWLsz3i5_JDYj7qEBFM77hZDeACzjMKqzBjwQEmPLcRiTlZ6SNBno/s1600/Screenshot+2016-08-18+12.57.34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidTU4xn_Z40zQ2_1Iwcr4_QJy_MTXjOLUG69RQ5fLCosBP_-1BhDyHxUU512UJTw2EYOVyDdPR_U0gVa7GxmTcIlqWLsz3i5_JDYj7qEBFM77hZDeACzjMKqzBjwQEmPLcRiTlZ6SNBno/s400/Screenshot+2016-08-18+12.57.34.png" width="400" /></a></div>
<br />
From this page, you can view the source code, browse issues, and check out releases. You have the option of downloading the source and compiling it, but the PowerShell team has already done this for you. By visiting the "Releases" page, you will be presented with a list of PowerShell releases. To download the latest and greatest version, look for the "Latest release" tag, which as of this posting is v6.0.0-alpha.9.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy-kP0tMJzDG_5IG2QyFtYpIt9LpCMvNRwtMk4_944Xzq-L-HP1mD08zqr_BXSvSQdcIsgAG5r4E0w8Zf4bnzn0sHCXb98NvsnrBqyVeViCoynjD8sQKcSVfiLCR07bmO7Yvo34Y-hBTw/s1600/Screenshot+2016-08-18+12.57.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy-kP0tMJzDG_5IG2QyFtYpIt9LpCMvNRwtMk4_944Xzq-L-HP1mD08zqr_BXSvSQdcIsgAG5r4E0w8Zf4bnzn0sHCXb98NvsnrBqyVeViCoynjD8sQKcSVfiLCR07bmO7Yvo34Y-hBTw/s400/Screenshot+2016-08-18+12.57.58.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Once you identify your desired release, scroll down to the release's download section and click on the .pkg (or Apple Software Package).<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoRW7QakbBj-YaTF9wsA8R0fQ_-ER-m4xUuZoGu3sXDvmcsICphruXzDUz-W9VNxvmDeydqPwjxX6Lsl3JuMeFH6Cu-kld3pC084LpOx39Dk7yvFWxrQLecnJWxk8VwCfrQ0YKswCtKsw/s1600/Screenshot+2016-08-18+12.58.08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoRW7QakbBj-YaTF9wsA8R0fQ_-ER-m4xUuZoGu3sXDvmcsICphruXzDUz-W9VNxvmDeydqPwjxX6Lsl3JuMeFH6Cu-kld3pC084LpOx39Dk7yvFWxrQLecnJWxk8VwCfrQ0YKswCtKsw/s400/Screenshot+2016-08-18+12.58.08.png" width="400" /></a></div>
<br />
From there, it installs like any other internet application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixxRpVXeRCNoWRq-_ez2jK02JJgkBbttsl44YFYcP1vyz1IaRy_v61uiifbCw5uqZIBHQEMgV6XomK0dnSwP4e3Jj0n9u3JQq6kKaeQRGP6mqmLdS6uCnn6DaIMfjUsWZWr8DlU-_yrH0/s1600/Screenshot+2016-08-18+14.17.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixxRpVXeRCNoWRq-_ez2jK02JJgkBbttsl44YFYcP1vyz1IaRy_v61uiifbCw5uqZIBHQEMgV6XomK0dnSwP4e3Jj0n9u3JQq6kKaeQRGP6mqmLdS6uCnn6DaIMfjUsWZWr8DlU-_yrH0/s400/Screenshot+2016-08-18+14.17.49.png" width="400" /></a></div>
<br />
NOTE: If your security settings do not allow installation of applications from "non-identified developers", you will have to allow the installation of PowerShell via the Security & Privacy settings menu.<br />
<br />
Congratulations! You have installed PowerShell on your Mac! You can now open the Terminal app, execute /usr/local/bin/powershell (or simply type powershell) and start running PowerShell commands just like on Windows. After a couple of hours of using PowerShell in the OSX Terminal, I found the default Terminal settings were not ideal for PowerShell (particularly the syntax highlighting), so I decided to create a custom Terminal profile for PowerShell that gives the same familiar experience I am used to on Windows. To do this, open the Terminal preferences menu by selecting Terminal > Preferences.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JB5AEz6HgTJQN29vW4Bg5lD89NhLqb4KaLBrZlr_BR_m5X5FxNHO6IB0ME99wV7lCorUmFO37_d_AcScUsFYdqzNtilhjMC0gxxLgvvR6uCcFmxQ_P7OeVrig1ZluqgGOAz_2my-OwM/s1600/Screenshot+2016-08-18+14.25.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JB5AEz6HgTJQN29vW4Bg5lD89NhLqb4KaLBrZlr_BR_m5X5FxNHO6IB0ME99wV7lCorUmFO37_d_AcScUsFYdqzNtilhjMC0gxxLgvvR6uCcFmxQ_P7OeVrig1ZluqgGOAz_2my-OwM/s320/Screenshot+2016-08-18+14.25.49.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We want to create a custom Terminal profile for PowerShell. In the Preferences menu, select "Profiles" and click on the + symbol in the bottom left corner of the profile list. First things first, let's set our background and text colors. I chose White, Magnesium, and Cantaloupe for my Text, Bold Text, and Selection colors respectively (trying to mirror powershell.exe as closely as possible).</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7MS0b-XQUELM4FImgqVnkTF-78qz2tYo3XYO_sj6uPqiCvKdKdLHK2xBhJsO0p5_AmCqMhCfDNVto1jig9HxBSdu1qn6dGfvvVTSJXo-Qy8y96TaLZK5uL8nU4hRSgEkphc2M2KQNRJY/s1600/Screenshot+2016-08-18+13.24.17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7MS0b-XQUELM4FImgqVnkTF-78qz2tYo3XYO_sj6uPqiCvKdKdLHK2xBhJsO0p5_AmCqMhCfDNVto1jig9HxBSdu1qn6dGfvvVTSJXo-Qy8y96TaLZK5uL8nU4hRSgEkphc2M2KQNRJY/s400/Screenshot+2016-08-18+13.24.17.png" width="400" /></a></div>
<br />
For the Background color I selected a custom color based on the Windows powershell.exe blue. You can set the color by choosing the RGB Sliders option and entering the hex value 0x001845.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEholm2fCBYyQBya4oOXNHu_jcTAhSzfgG8ZG1QUpLWfvOq3pAm3jTZ7786mbZmZxGSdLCRnhgfPwZ_ilzbA1ibfl6gbgwjCbl1NUvV5_Q0GAPmzyGXzlG2_2wY8rVEuApYLgMlEO4HjI2U/s1600/Screenshot+2016-08-18+13.23.57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEholm2fCBYyQBya4oOXNHu_jcTAhSzfgG8ZG1QUpLWfvOq3pAm3jTZ7786mbZmZxGSdLCRnhgfPwZ_ilzbA1ibfl6gbgwjCbl1NUvV5_Q0GAPmzyGXzlG2_2wY8rVEuApYLgMlEO4HjI2U/s320/Screenshot+2016-08-18+13.23.57.png" width="255" /></a></div>
<br />
Next, I want this profile to run PowerShell automatically when the Terminal starts. To do this, visit the profile's "Shell" tab and enter a "Run command" of /usr/local/bin/powershell.<br />
<br />
The last, optional step is to set the PowerShell profile as the default Terminal profile, assuming you always want to use PowerShell like I do. This will cause the Terminal app to always start with the PowerShell profile selected.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNbb_cHvCsE5IH9xMwfYDvqpp2atUgsOF4UVWL19cEa5fV9Nqbw0UezxnsbK8VFJE79o2GIw7NqM1G49TezzLXNnvySMtC0HtlJxBv1vmO2Giy2zM9eu96FkrnEr7HY0IYaE66Gd7NAEg/s1600/Screenshot+2016-08-18+14.21.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNbb_cHvCsE5IH9xMwfYDvqpp2atUgsOF4UVWL19cEa5fV9Nqbw0UezxnsbK8VFJE79o2GIw7NqM1G49TezzLXNnvySMtC0HtlJxBv1vmO2Giy2zM9eu96FkrnEr7HY0IYaE66Gd7NAEg/s400/Screenshot+2016-08-18+14.21.00.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Open a new Terminal window, and you will hopefully have a fairly familiar experience!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmbN4XWdtscRUFTvk8k88D2mGjg_tpHl_hYQHv8Vs205r44F48JpeQOKTczBVfre7P4Ump0M9PSwHRswl_Q3AEqk4mPVb32otXLB7P8voGJYoCWIfLdnoIJUhbdq9iQccuxz9g3q-LS5E/s1600/Screenshot+2016-08-18+13.17.30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="434" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmbN4XWdtscRUFTvk8k88D2mGjg_tpHl_hYQHv8Vs205r44F48JpeQOKTczBVfre7P4Ump0M9PSwHRswl_Q3AEqk4mPVb32otXLB7P8voGJYoCWIfLdnoIJUhbdq9iQccuxz9g3q-LS5E/s640/Screenshot+2016-08-18+13.17.30.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Forensic Friday: Get-ForensicRunKey (posted 2016-04-01)<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[This article is a continuation of my Forensic Friday series. Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://forensic4cast.com/forensic-4cast-awards/"><span style="color: blue;">Vote for PowerForensics</span></a> for the Forensic 4:cast Awards' Open Source Digital Forensic Software of the Year!
</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now back to your regularly scheduled programming! Yesterday, Vijay (@vakasapu on Twitter) asked if we are taking feature requests for PowerForensics (specifically regarding Autoruns-like features). </span><br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://twitter.com/jaredcatkinson">@jaredcatkinson</a> <a href="https://twitter.com/mattifestation">@mattifestation</a> are you taking requests for new features? If so, would be great to have an autoruns equivalent module.</span></div>
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">— Vijay (@vakasapu) <a href="https://twitter.com/vakasapu/status/715678358064009216">March 31, 2016</a></span></blockquote>
<span style="background-color: white; color: black; font-family: arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let me start by saying that we are very interested in community involvement! If you have ideas to make PowerForensics better, please let me know via email (jared@invoke-ir.com) or <span style="color: blue;"><a href="https://github.com/Invoke-IR/PowerForensics/issues">github</a></span>. While PowerForensics does not currently support the extensive list of Auto Start Extensibility Points (ASEPs), we do support a few of the more common auto start locations. This week I want to introduce <b>Get-ForensicRunKey</b>, which parses the registry for entries in the numerous system- and user-based "Run" keys. This cmdlet is built on top of PowerForensics' MFT and Registry parsers, so all of this data is gathered from a live system without relying on the Windows API.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 21.3333px; line-height: 1.38; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 21.3333px; line-height: 1.38; white-space: pre-wrap;">Common Use</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">By default, this cmdlet parses the system SOFTWARE hive and all NTUSER.DAT hives on the system’s C: volume, but can be pointed at any logical volume. Individual hives (including exported hives) can be parsed using the -HivePath parameter in order to perform offline analysis. I’ve listed a few examples below.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse system and user hives for Run Key Persistence:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: consolas; font-size: 14.666666666666666px; white-space: pre-wrap;">Get-ForensicRunKey -VolumeName C: | Format-List</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxSdnrQbsEgWON2FsdXwIaCH63K6NoFBqxMRrEOULunfXoklqWNAtaH7k80hyphenhypheniJdtD0v2ivZzCqaEPz0zVMJDnkQaXaOLAHPIjhYR4A7EKhUSNZ7PDITjlRdcsKwfdsQK9m-kofUz9uS0/s1600/Screenshot+2016-04-01+10.24.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxSdnrQbsEgWON2FsdXwIaCH63K6NoFBqxMRrEOULunfXoklqWNAtaH7k80hyphenhypheniJdtD0v2ivZzCqaEPz0zVMJDnkQaXaOLAHPIjhYR4A7EKhUSNZ7PDITjlRdcsKwfdsQK9m-kofUz9uS0/s640/Screenshot+2016-04-01+10.24.19.png" width="640" /></a></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse the system SOFTWARE hive for Run Key persistence:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: consolas; font-size: 14.666666666666666px; white-space: pre-wrap;">Get-ForensicRunKey -HivePath 'C:\Windows\System32\config\SOFTWARE' | Format-List</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyfFKVKdUMSp9cRe90n5zfAR3ooTCnvml6WabsClnO96FfrgB1T_L-3dlx0x-G9XvVXOsL_HypgPi8fgPhhHj4LIeLQh1YjzFEDimkMizJ8RTl0SDERWTg5ldg2IHUVlAfpVXTHvPz8a4/s1600/Screenshot+2016-04-01+10.22.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyfFKVKdUMSp9cRe90n5zfAR3ooTCnvml6WabsClnO96FfrgB1T_L-3dlx0x-G9XvVXOsL_HypgPi8fgPhhHj4LIeLQh1YjzFEDimkMizJ8RTl0SDERWTg5ldg2IHUVlAfpVXTHvPz8a4/s640/Screenshot+2016-04-01+10.22.49.png" width="640" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<br /></div>
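<br />
The offline workflow described above (-HivePath against exported hives), carried one step further as an added example that is not code from the original post or from PowerForensics: parse a folder of hives collected from a suspect image, keep the result as CSV evidence, and diff it against a baseline captured from a known-good build. The folder, file and CSV paths are placeholders; only the -HivePath parameter shown above is relied on.<br />

```powershell
# Added example, not code from the original post or from PowerForensics: triage a set of
# hives collected from a suspect image with Get-ForensicRunKey -HivePath and diff the
# result against a baseline captured from a known-good build. Only the -HivePath
# parameter shown in the post is relied on; hive file names, folder paths and the
# baseline CSV are assumptions/placeholders.
Import-Module PowerForensics

function Get-RunKeyReport {
    # Parses every SOFTWARE and NTUSER.DAT hive below $HiveDirectory and tags each
    # returned run key entry with the hive file it was parsed from.
    param([Parameter(Mandatory)] [string] $HiveDirectory)

    Get-ChildItem -LiteralPath $HiveDirectory -Recurse -File |
        Where-Object { $_.Name -in 'SOFTWARE', 'NTUSER.DAT' } |
        ForEach-Object {
            $hive = $_.FullName
            try {
                Get-ForensicRunKey -HivePath $hive |
                    Select-Object -Property @{ Name = 'Hive'; Expression = { $hive } }, *
            }
            catch {
                # A corrupt or truncated hive should not abort the whole run.
                Write-Warning "Could not parse ${hive}: $_"
            }
        }
}

function ConvertTo-EntryKey {
    # Serialises one entry to a single string so Compare-Object can match rows on every
    # property. Hive is excluded so the same entry from a differently named hive path
    # (baseline vs. case) still matches.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if ($null -eq $Entry) { return }
        ($Entry.PSObject.Properties |
            Where-Object { $_.Name -ne 'Hive' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '|'
    }
}

function Compare-RunKeyReport {
    # Reports run key entries that appear only in the current report (Added) or only in
    # the baseline (Removed). A changed image path shows up as one of each.
    param(
        [Parameter(Mandatory)] [string] $BaselineCsv,
        [object[]] $Current = @()
    )

    $baseKeys = @(Import-Csv -LiteralPath $BaselineCsv | ConvertTo-EntryKey)
    $currKeys = @($Current | ConvertTo-EntryKey)

    Compare-Object -ReferenceObject $baseKeys -DifferenceObject $currKeys |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Entry  = $_.InputObject
            }
        }
}

# Usage (placeholder paths): build the report, keep it as evidence, and show only what
# differs from the gold image.
$report = Get-RunKeyReport -HiveDirectory 'D:\Case001\hives'
$report | Export-Csv -LiteralPath 'D:\Case001\runkeys.csv' -NoTypeInformation
Compare-RunKeyReport -BaselineCsv 'D:\Baselines\gold-runkeys.csv' -Current $report |
    Format-Table -AutoSize
```
<br />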
<br />
Forensic Friday: Get-ForensicChildItem (posted 2016-03-04)<br />
<br />
<span style="background-color: white; font-family: arial; font-size: 14.6667px; font-style: italic; line-height: 20.24px; white-space: pre-wrap;">[This is a continuation of my Forensic Friday series. Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span><br />
<span style="background-color: white; font-family: arial; font-size: 14.6667px; font-style: italic; line-height: 20.24px; white-space: pre-wrap;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14.6667px; white-space: pre-wrap;">Welcome to another edition of Forensic Friday. I've been incredibly busy this week, but I want to touch on a very useful cmdlet called <b>Get-ForensicChildItem</b>. Those with a PowerShell background can probably guess what <b>Get-ForensicChildItem</b> does. For those who are new to PowerShell, <b>Get-ChildItem</b> is the cmdlet used for directory listings (among other things). <b>Get-ForensicChildItem</b> performs the same task, but without the Windows API: it parses the Master File Table (MFT) to find the entry for the target directory and outputs a list of the files the directory contains.</span><br />
<br />
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">To understand what is happening, it’s important to know that NTFS treats directories just like any other file. This means that each directory has its own entry in the MFT. All NTFS does to differentiate a directory file from a data file is flip a bit in a flag field and add special <a href="https://flatcap.org/linux-ntfs/ntfs/attributes/index_root.html" style="text-decoration: none;"><span style="color: blue; text-decoration: underline;">$INDEX_ROOT</span></a> and <a href="https://flatcap.org/linux-ntfs/ntfs/attributes/index_allocation.html" style="text-decoration: none;"><span style="color: blue; text-decoration: underline;">$INDEX_ALLOCATION</span></a> attributes to the directory file’s MFT entry. <b>Get-ForensicChildItem</b> parses these attributes to return the contents of a directory (including System and Hidden files).</span><br />
<span style="font-family: arial;"><span style="background-color: white; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: arial; font-size: large;"><span style="background-color: white; line-height: 20.24px; white-space: pre-wrap;">Common Use</span></span><br />
<div style="text-align: center;">
<span style="background-color: white; color: blue; font-family: consolas; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<span style="font-family: arial;"><span style="background-color: white; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;">List all children of a directory (example targets the root of the C: volume):</span></span><br />
<span style="font-family: arial;"><span style="background-color: white; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;"><br /></span></span>
<div style="text-align: center;">
<span style="font-family: consolas; font-size: 14.6667px; white-space: pre-wrap;">Get-ForensicChildItem -Path C:\</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcGoARhClQGjb79OX9FJY_56lWZd8-0w24pJbuD0RzbbYs5ZBOLlBHslJeuIb3MeU2Ko1oz8ytdDu97FMHBYiRKCEUp5rjQb87c22u_XkSK8oPhQjE5Klk-lkS54dmMeX4kJ8g2ycRGYs/s1600/Screenshot+2016-03-04+05.18.16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcGoARhClQGjb79OX9FJY_56lWZd8-0w24pJbuD0RzbbYs5ZBOLlBHslJeuIb3MeU2Ko1oz8ytdDu97FMHBYiRKCEUp5rjQb87c22u_XkSK8oPhQjE5Klk-lkS54dmMeX4kJ8g2ycRGYs/s640/Screenshot+2016-03-04+05.18.16.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
List the children of the current working directory (example uses the C:\temp directory):</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white; color: blue; font-family: consolas; font-size: 14.6667px; white-space: pre-wrap;">Get-ForensicChildItem</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6_tNvSz9C0w1GT5JCPRWLP1oyL2eKmxMMPNhlRzu8ncBOIbrrSGl783_yj4iJ8UT6koPyrLon1FOY4nKPwX-s5PkNNE4bEWHUwyFYsl2OL9izm1IFDcnQcvAu9JJXFcpsL1WHbKv5JKE/s1600/Screenshot+2016-03-04+05.20.05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6_tNvSz9C0w1GT5JCPRWLP1oyL2eKmxMMPNhlRzu8ncBOIbrrSGl783_yj4iJ8UT6koPyrLon1FOY4nKPwX-s5PkNNE4bEWHUwyFYsl2OL9izm1IFDcnQcvAu9JJXFcpsL1WHbKv5JKE/s640/Screenshot+2016-03-04+05.20.05.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white; color: blue; font-family: consolas; font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
Return an MFT entry for every file in a directory (example uses the root directory of the C: volume):</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: blue; font-family: consolas; font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: consolas; font-size: 14.6667px; white-space: pre-wrap;">Get-ForensicChildItem -Path C:\ | Get-ForensicFileRecord</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIEheEEz5aRZe-S-2zFACGqOviXDkVFOrZmmILYLLSGyvBoDl1cuvbqDkQn__qTmeWTkDeN2XguZ1u6hLvyLYzpmOlemd73eiOTmE8XonBwaylsGNetQbZLvUcWwSrFbVAwVWBVNkUlI/s1600/Screenshot+2016-03-04+05.31.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIEheEEz5aRZe-S-2zFACGqOviXDkVFOrZmmILYLLSGyvBoDl1cuvbqDkQn__qTmeWTkDeN2XguZ1u6hLvyLYzpmOlemd73eiOTmE8XonBwaylsGNetQbZLvUcWwSrFbVAwVWBVNkUlI/s640/Screenshot+2016-03-04+05.31.26.png" width="632" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="background-color: white; color: #9900ff; font-family: consolas; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></span>
<br />Anonymoushttp://www.blogger.com/profile/00418494025739956012noreply@blogger.com23tag:blogger.com,1999:blog-443344754704959046.post-52292969325723121522016-02-26T04:14:00.001-08:002016-02-26T04:14:50.917-08:00Forensic Friday: Get-ForensicMftSlack<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[This is a continuation of my Forensic Friday series. Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span></div>
<b id="docs-internal-guid-0f07af58-1c05-89fc-35ac-6e229787c945" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Happy Friday and welcome to another installment of my Forensic Friday series. This week we are going to cover PowerForensics’ </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicMftSlack,</span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> a cmdlet that returns Master File Table (MFT) slack space. For those not familiar with the concept, slack space is simply unused space on the disk. MFT slack is specifically the unused portion of a Master File Table record entry. The Master File Table is composed of records that represent a partition’s files and directories. Each MFT record has a set number of bytes reserved for it on the hard drive, typically 1024 bytes (the number of bytes reserved for each MFT record entry can be found in the Volume Boot Record). When an MFT record entry does not use all of the bytes allocated to it, the remaining bytes are referred to as MFT slack space, an area on disk in which attackers have been known to hide their tools.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let’s use PowerForensics to walk through a specific example of MFT slack space. We start by using Get-ForensicFileRecord to get a specific FileRecord object (MFT record entry). Each FileRecord object has an AllocatedSize and a RealSize property. AllocatedSize represents the number of bytes that have been reserved for this particular MFT file entry, while RealSize represents the number of bytes that are actually being used by the entry.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrOD2Vbbn2u6P_QELZHEwczLgRbZ74jf_ysO-62CVVxlRaLBLLbvRO-bOEf39PqnqilXEuzSIW3ZA6ZdICCjFdr-S9K0PthF3aZdxhjThQ2VIcpuidQ3HJhwFWYm3byJZ9Ym2o7d-CmKE/s1600/Screenshot+2016-02-26+00.24.52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrOD2Vbbn2u6P_QELZHEwczLgRbZ74jf_ysO-62CVVxlRaLBLLbvRO-bOEf39PqnqilXEuzSIW3ZA6ZdICCjFdr-S9K0PthF3aZdxhjThQ2VIcpuidQ3HJhwFWYm3byJZ9Ym2o7d-CmKE/s640/Screenshot+2016-02-26+00.24.52.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<div style="text-align: left;">
<span id="docs-internal-guid-0f07af58-1c05-d82c-63dd-191a6020a559"><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Below you can see a hex dump of the MFT File Record. You can see the FILE0 signature and a couple of human-readable strings (such as “access.log”).</span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2xY1btZcUhOPzuVG3m1npJWgbB-6VLoIEEKNZtvwAkh4GOQ7z12g5dqwLULvyv13vqrEfI7RgkgO5PZRQqVmysmfddfZT4I4eNaa2oPv8v5PzqqT3vVEj4WMCFgTUz_OnkwYd8sHOzhA/s1600/Screenshot+2016-02-26+00.26.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2xY1btZcUhOPzuVG3m1npJWgbB-6VLoIEEKNZtvwAkh4GOQ7z12g5dqwLULvyv13vqrEfI7RgkgO5PZRQqVmysmfddfZT4I4eNaa2oPv8v5PzqqT3vVEj4WMCFgTUz_OnkwYd8sHOzhA/s640/Screenshot+2016-02-26+00.26.38.png" width="494" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: left;">
<span id="docs-internal-guid-0f07af58-1c06-1662-7d6a-9c82770e5cb2"><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Now if we compare the output of </span><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicMftSlack</span><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">, we see the same data that is at the bottom of the previous picture. This is the slack space! Sometimes slack space can contain contents of deleted files or file system structures. </span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq_QD64i2N8UrvwmrKNrDxDpRqBLsBGMau7LpxSCMQ_kwk5UrqX6lfoX9JF-xZBR0siZEpzNul6dAOnSq4EWIqzjLXuslIpzarT6XtWIxvYFIL3fD8GF0TGIWO_qrHYY4oijtq7mZFKvo/s1600/Screenshot+2016-02-25+23.43.40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq_QD64i2N8UrvwmrKNrDxDpRqBLsBGMau7LpxSCMQ_kwk5UrqX6lfoX9JF-xZBR0siZEpzNul6dAOnSq4EWIqzjLXuslIpzarT6XtWIxvYFIL3fD8GF0TGIWO_qrHYY4oijtq7mZFKvo/s640/Screenshot+2016-02-25+23.43.40.png" width="640" /></a></div>
<br />
<div style="text-align: left;">
<span id="docs-internal-guid-0f07af58-1c06-5c83-8765-b4f045d2c439"><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">The image below shows that the difference between AllocatedSize and RealSize is the same as the number of bytes returned by </span><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicMftSlack</span><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">.</span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn2avp0NA5SVN09uk2kNjvsVskEbNwpIizWGDcxWczrn6EgKdBDTlnQIbarA5cmHEyJ9sQjTigLxyVysx6seFRMwT8ACvl82TF4Bsu-V-LQXkCH0LWi7omEhD6Kfi5BW-mwGLsYvyl4-k/s1600/Screenshot+2016-02-25+23.45.34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn2avp0NA5SVN09uk2kNjvsVskEbNwpIizWGDcxWczrn6EgKdBDTlnQIbarA5cmHEyJ9sQjTigLxyVysx6seFRMwT8ACvl82TF4Bsu-V-LQXkCH0LWi7omEhD6Kfi5BW-mwGLsYvyl4-k/s640/Screenshot+2016-02-25+23.45.34.png" width="640" /></a></div>
<br />
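<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
The AllocatedSize/RealSize relationship above, carried out by hand on a raw FILE record as an added example (this is not PowerForensics code): the function reads RealSize (offset 0x18) and AllocatedSize (offset 0x1C) from the record header and returns the bytes in between. The 1024-byte record and the file name planted in its slack are constructed for the demonstration.</div>

```powershell
# Added example (not PowerForensics code): carve the slack out of one raw NTFS
# FILE record. Header fields used: RealSize (bytes in use) at offset 0x18 and
# AllocatedSize at offset 0x1C, both 32-bit little-endian integers.
function Get-MftRecordSlack {
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory)]
        [byte[]]$Record
    )

    if ($Record.Length -lt 0x30) {
        throw "Record is too short ($($Record.Length) bytes) to hold a FILE record header."
    }
    $signature = [System.Text.Encoding]::ASCII.GetString($Record, 0, 4)
    if ($signature -ne 'FILE') {
        # NTFS rewrites the signature to 'BAAD' when it detects a corrupt record.
        throw "Unexpected record signature '$signature'."
    }

    $realSize      = [BitConverter]::ToUInt32($Record, 0x18)
    $allocatedSize = [BitConverter]::ToUInt32($Record, 0x1C)

    # Refuse header values that do not fit the buffer instead of reading past it.
    if ($allocatedSize -gt $Record.Length -or $realSize -gt $allocatedSize) {
        throw "Inconsistent sizes: RealSize=$realSize AllocatedSize=$allocatedSize Buffer=$($Record.Length)"
    }

    # Slack = [RealSize, AllocatedSize). A fully used record yields an empty array.
    $slackLength = [int]($allocatedSize - $realSize)
    $slack = New-Object byte[] $slackLength
    [Array]::Copy($Record, [int]$realSize, $slack, 0, $slackLength)
    return ,$slack
}

# Constructed sample record (not taken from a real volume): 1024 bytes allocated,
# 432 in use, with the name of a long-gone file left behind in the slack region.
function New-SampleFileRecord {
    [OutputType([byte[]])]
    param()
    $record = New-Object byte[] 1024
    [System.Text.Encoding]::ASCII.GetBytes('FILE').CopyTo($record, 0)
    [BitConverter]::GetBytes([uint32]432).CopyTo($record, 0x18)           # RealSize
    [BitConverter]::GetBytes([uint32]1024).CopyTo($record, 0x1C)          # AllocatedSize
    [BitConverter]::GetBytes([uint32]0xFFFFFFFF).CopyTo($record, 432 - 8) # attribute list terminator
    [System.Text.Encoding]::Unicode.GetBytes('old_access.log').CopyTo($record, 600)
    return ,$record
}

$record = New-SampleFileRecord
$slack  = Get-MftRecordSlack -Record $record

# Same check as the post: AllocatedSize - RealSize equals the number of slack bytes.
$realSize      = [BitConverter]::ToUInt32($record, 0x18)
$allocatedSize = [BitConverter]::ToUInt32($record, 0x1C)
"AllocatedSize - RealSize : {0}" -f ($allocatedSize - $realSize)
"Slack bytes returned     : {0}" -f $slack.Length

# The planted name shows up in the right-hand column, 168 bytes into the slack.
Format-Hex -InputObject $slack
```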
<h3 style="text-align: left;">
Common Use</h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse all Master File Table slack space for a given volume (Example using volume “C:”):</span></div>
<span id="docs-internal-guid-0f07af58-1c06-c855-d6c8-b982f4e5c0d7"><br /><span style="color: red; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">$bytes</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #999999; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">=</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: blue; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicMftSlack</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #073763; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">-VolumeName</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">C:</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj19-BDI3CxiRJobHsb6e77pe9sSE5BWoKt2ZaEj7bEE2LEMdLo-IDbTbA3NuJRuNznwqCVnmzL15QJb604t9hfu2UnfMHJGnXvBHZY-lBT7CIRWDOivRDDqadsbStoua2zOSNlPRR3_Xw/s1600/Screenshot+2016-02-26+00.06.34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj19-BDI3CxiRJobHsb6e77pe9sSE5BWoKt2ZaEj7bEE2LEMdLo-IDbTbA3NuJRuNznwqCVnmzL15QJb604t9hfu2UnfMHJGnXvBHZY-lBT7CIRWDOivRDDqadsbStoua2zOSNlPRR3_Xw/s640/Screenshot+2016-02-26+00.06.34.png" width="640" /></a></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse the slack space of a single MFT record, selected by Index/Record Number (example using Index 0 on volume N:):</span></div>
<span id="docs-internal-guid-0f07af58-1c07-03ef-3457-ba92b2a85952"><br /><span style="color: blue; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicMftSlack</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> -VolumeName </span><span style="color: #9900ff; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">N:</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #073763; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">-Index</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">0 </span><span style="color: #cccccc; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="color: #9900ff; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: blue; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Format-Hex</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGfss9a2cddw03jjvvXYsIcGYV0dY12YNyINrtLj2OvQ0pe_BE-4gqRreGc5c0H50lK30Zax9-Vc-nQSdtI7c3ltIPIyEteHTP4u42obFnIzynBeB4zHH4tyMEonS19ccEmMQztgLqsvA/s1600/Screenshot+2016-02-26+00.09.40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGfss9a2cddw03jjvvXYsIcGYV0dY12YNyINrtLj2OvQ0pe_BE-4gqRreGc5c0H50lK30Zax9-Vc-nQSdtI7c3ltIPIyEteHTP4u42obFnIzynBeB4zHH4tyMEonS19ccEmMQztgLqsvA/s640/Screenshot+2016-02-26+00.09.40.png" width="640" /></a></div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/00418494025739956012noreply@blogger.com31tag:blogger.com,1999:blog-443344754704959046.post-49363315101892256482016-02-19T05:04:00.000-08:002016-02-19T05:04:04.104-08:00Forensic Friday: Invoke-ForensicDD<div class="separator" style="clear: both; text-align: justify;">
<span id="docs-internal-guid-91854472-f665-14fd-4b19-8f51a8e9e042"><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">[This is a continuation of my Forensic Friday series. Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Happy Forensic Friday! This week I am taking us back to the basics with </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Pretty much every Forensicator/Incident Responder has used the Unix dd utility at some point, but I figured it’d be pretty cool to have a PowerShell implementation. This cmdlet provides read-only access to a physical disk or logical volume and returns the requested data as a byte array.</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<b id="docs-internal-guid-f72e80b4-f6a0-4fe2-c8dd-30e025ab7df9" style="font-weight: normal;"><br /></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For a practical example of </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, check out my </span><a href="http://www.invoke-ir.com/2016/02/copying-locked-files-with-powerforensics_5.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Copying Locked Files with PowerForensics</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> post. Not only does that post show </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">being used to copy a locked file, it also shows how PowerForensics builds on this functionality to provide more user-friendly APIs.</span><br />
<span style="color: #312c21; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: #312c21; font-family: "arial"; font-size: large; vertical-align: baseline; white-space: pre-wrap;">Common Use</span><br />
<span style="color: #312c21; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Like the Unix dd utility, </span><span style="color: #312c21; font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD</span><span style="color: #312c21; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> has an -InFile parameter that should be used to point at the physical drive (\\.\PHYSICALDRIVE0) or logical volume (\\.\C:). An optional -OutFile parameter directs the output to a file instead of PowerShell’s output stream. The -Offset, -BlockSize, and -Count parameters specify which data to return (-Offset and -BlockSize must be divisible by the physical disk’s sector size, typically 512 bytes). Like Unix’s dd, -BlockSize represents the number of bytes to read at one time while -Count represents the number of BlockSize chunks to read. By default, -Offset has a value of 0 (the beginning of the file) and -BlockSize has a value of 512 (the smallest number of bytes that can be read at once).</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<b style="font-weight: normal;"><br /></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This example reads 512 bytes from the beginning of the physical disk (\\.\PHYSICALDRIVE0) and passes the output to </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Format-Hex</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div style="text-align: center;">
<span style="color: blue; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD</span><span style="font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #073763; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">-InFile</span><span style="font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">\\.\PHYSICALDRIVE0 </span><span style="color: #073763; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">-Count</span><span style="font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">1 </span><span style="color: #cccccc; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="color: #9900ff; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: blue; font-family: "consolas"; font-size: 13.3333px; vertical-align: baseline; white-space: pre-wrap;">Format-Hex</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvRT_TJUjS1qTDRU1XhZJkmimDLmdOJEpSZ6ypMGK32Mfs_5DrO1-O8eixUrVoh-Lr4TG_GCI0vPfDJECSa7thHBz7G4WVJvAH1qYeqE8-3NgpLls5siDRWrAmXjCVqA3wfnAPnxH3ePQ/s1600/Screenshot+2016-02-18+16.56.32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvRT_TJUjS1qTDRU1XhZJkmimDLmdOJEpSZ6ypMGK32Mfs_5DrO1-O8eixUrVoh-Lr4TG_GCI0vPfDJECSa7thHBz7G4WVJvAH1qYeqE8-3NgpLls5siDRWrAmXjCVqA3wfnAPnxH3ePQ/s640/Screenshot+2016-02-18+16.56.32.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Read the first 512 bytes from the logical volume (\\.\C:) and write output to C:\evidence\VBR:</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span id="docs-internal-guid-f72e80b4-f6a0-9459-5ffb-7167d301e0d4"><br /></span></div>
<div style="text-align: center;">
<span style="color: blue; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD</span><span style="font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #073763; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">-InFile</span><span style="font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">\\.\C: </span><span style="color: #073763; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">-OutFile</span><span style="font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">C:\evidence\VBR </span><span style="color: #073763; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">-Offset</span><span style="font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">0 </span><span style="color: #073763; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">-BlockSize</span><span style="font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">512 </span><span style="color: #073763; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">-Count</span><span style="font-family: 
"consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #9900ff; font-family: "consolas"; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">1</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI_47S67JaajE5mv98Ni0iG3F37d7b5tPXiawaSTaDnJzUnFBiktuiyPE2RRH8bpOkmNBqwqtRho7QhTtipU4Y_yAkVBSUBcPKc9mzxC_wDA6hDPGDsyBAghQlICEdNbXY3_mpfiJLy1A/s1600/Screenshot+2016-02-16+20.37.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI_47S67JaajE5mv98Ni0iG3F37d7b5tPXiawaSTaDnJzUnFBiktuiyPE2RRH8bpOkmNBqwqtRho7QhTtipU4Y_yAkVBSUBcPKc9mzxC_wDA6hDPGDsyBAghQlICEdNbXY3_mpfiJLy1A/s640/Screenshot+2016-02-16+20.37.03.png" width="640" /></a></div>
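<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
The same -Offset/-BlockSize/-Count semantics and the sector-alignment rule described under Common Use, written out as an added example (this is not PowerForensics code). It reads from a disk image file rather than \\.\PHYSICALDRIVE0, the 512-byte sector size and the NTFS-style VBR in the sample image are constructed for the demonstration, and the VBR parse shows where the 1024-byte MFT record size from the Get-ForensicMftSlack post comes from.</div>

```powershell
# Added example (not PowerForensics code): a dd-style read with the -Offset /
# -BlockSize / -Count semantics described above, run against a disk image file
# instead of \\.\PHYSICALDRIVE0 so it works without raw-device access.
function Read-DdBlocks {
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory)] [string]$InFile,
        [uint64]$Offset = 0,          # default: beginning of the input
        [uint32]$BlockSize = 512,     # bytes per read
        [uint32]$Count = 1,           # number of blocks to read
        [uint32]$SectorSize = 512     # assumed; query the device for real disks
    )
    # Reads must start on a sector boundary and span whole sectors.
    if ($Offset % $SectorSize -ne 0)    { throw "-Offset must be a multiple of $SectorSize." }
    if ($BlockSize % $SectorSize -ne 0) { throw "-BlockSize must be a multiple of $SectorSize." }

    $length = [int]($BlockSize * $Count)
    $buffer = New-Object byte[] $length
    # Read-only, shared access: never open an evidence source for writing.
    $stream = [System.IO.File]::Open($InFile, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try {
        $null = $stream.Seek([int64]$Offset, [System.IO.SeekOrigin]::Begin)
        $read = 0
        while ($read -lt $length) {
            $n = $stream.Read($buffer, $read, $length - $read)
            if ($n -le 0) { throw "Input ended after $read of $length bytes." }
            $read += $n
        }
    }
    finally {
        $stream.Dispose()
    }
    return ,$buffer
}

# Parse the NTFS Volume Boot Record fields this page relies on, including the
# size of one MFT record (the AllocatedSize seen in Get-ForensicMftSlack).
function Get-NtfsVbrInfo {
    param([Parameter(Mandatory)] [byte[]]$Vbr)

    if ($Vbr.Length -lt 512) { throw "A VBR is at least 512 bytes." }
    if ($Vbr[0x1FE] -ne 0x55 -or $Vbr[0x1FF] -ne 0xAA) { throw "Missing 0x55AA boot sector signature." }
    $oemId = [System.Text.Encoding]::ASCII.GetString($Vbr, 3, 8)
    if ($oemId -ne 'NTFS    ') { throw "OEM ID '$oemId' is not NTFS." }

    $bytesPerSector    = [BitConverter]::ToUInt16($Vbr, 0x0B)
    $sectorsPerCluster = [int]$Vbr[0x0D]

    # Offset 0x40 is a signed byte: a positive value is clusters per MFT record,
    # a negative value -n means each record is 2^n bytes (0xF6 = -10 -> 1024).
    $raw = [int]$Vbr[0x40]
    if ($raw -ge 0x80) { $raw -= 0x100 }
    if ($raw -lt 0) { $mftRecordSize = [int][math]::Pow(2, -$raw) }
    else            { $mftRecordSize = $raw * $sectorsPerCluster * $bytesPerSector }

    [PSCustomObject]@{
        OemId             = $oemId
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        MftRecordSize     = $mftRecordSize
    }
}

# Constructed sample image (not a real volume): 8 sectors with a minimal
# NTFS-style VBR in sector 0.
function New-SampleImage {
    param([Parameter(Mandatory)] [string]$Path)
    $img = New-Object byte[] (512 * 8)
    [System.Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($img, 3)
    [BitConverter]::GetBytes([uint16]512).CopyTo($img, 0x0B)   # bytes per sector
    $img[0x0D]  = 8                                             # sectors per cluster
    $img[0x40]  = 0xF6                                          # -10 -> 1024-byte MFT records
    $img[0x1FE] = 0x55
    $img[0x1FF] = 0xAA
    [System.IO.File]::WriteAllBytes($Path, $img)
}

$image = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-volume.img'
New-SampleImage -Path $image

# Equivalent of: Invoke-ForensicDD -InFile \\.\C: -Offset 0 -BlockSize 512 -Count 1
$vbr = Read-DdBlocks -InFile $image -Offset 0 -BlockSize 512 -Count 1
Get-NtfsVbrInfo -Vbr $vbr

# A request that is not sector aligned is rejected before any I/O happens.
try   { Read-DdBlocks -InFile $image -Offset 100 }
catch { "Rejected: $($_.Exception.Message)" }
```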
<br />Anonymoushttp://www.blogger.com/profile/00418494025739956012noreply@blogger.com253tag:blogger.com,1999:blog-443344754704959046.post-866185537113169852016-02-18T10:14:00.001-08:002016-02-18T15:12:27.407-08:00Installing PowerForensics<div style="clear: both; text-align: left;">
<span id="docs-internal-guid-805e89e1-f58f-2ee9-d7c8-eecf9920b3c6"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">If you are following my Forensic Friday </span><a href="http://www.invoke-ir.com/search/label/Forensic%20Friday" style="text-decoration: none;"><span style="color: blue; font-family: "arial"; font-size: 14.6667px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">posts</span></a><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">, you probably know that I am making a concerted effort to write about my projects more frequently. PowerForensics has been the main focus of my blogging thus far in 2016, but I have not released a post describing how to "install" it. The rest of this post provides walkthroughs of installing PowerForensics from either the PowerShell Gallery or Github and why you would choose one method over the other.</span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
Method 1: <a href="https://www.powershellgallery.com/packages/PowerForensics"><span style="color: blue;">PowerShell Gallery</span></a></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">By far, the easiest way to install a PowerShell module is from the PowerShell Gallery. For anyone unfamiliar with it, the PowerShell Gallery is described as "the </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">central repository for PowerShell content", meaning PowerShell community members can host their code (modules, DSC resources, and scripts) on the Gallery. The major caveat with the PowerShell Gallery is that the necessary cmdlets are only available in Windows Management Framework (WMF) 5.</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span id="docs-internal-guid-805e89e1-f58f-5893-77d0-2128367e8ac2"><br /><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">The image below shows the PowerForensics project page which includes details about the module such as the current version, release notes, and installation instructions.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3elqjmdL8i-Z-R3FzZwrghdnuyOId5IINuFB-CSmDJo8OLgdHn42YI_YKtWEAPgcRdJXbVbNUk_HpHzShs0R5UfManEp0WwCD8x0H3X17W80sQ-OnRSnlQJuebtk9Ur98i4IL0TFGpIg/s1600/Screenshot+2016-02-17+08.09.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3elqjmdL8i-Z-R3FzZwrghdnuyOId5IINuFB-CSmDJo8OLgdHn42YI_YKtWEAPgcRdJXbVbNUk_HpHzShs0R5UfManEp0WwCD8x0H3X17W80sQ-OnRSnlQJuebtk9Ur98i4IL0TFGpIg/s640/Screenshot+2016-02-17+08.09.15.png" width="640" /></span></a></div>
<div>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<div style="text-align: justify;">
<span id="docs-internal-guid-805e89e1-f58f-959f-3070-cfb9566d9f23"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">To locate a module from the command line, use the </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Find-Module</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> cmdlet with a keyword. In the example below, I search for any module whose name contains the word "Forensic". This query shows me that there are two modules, </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">PowerForensics</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">PowerForensicsv2 </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">(PowerForensicsv2 is the PowerShell v2-compliant version of PowerForensics). </span></span></div>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcqCAQXwjIoBQcJHdfWFFIOaTrumM7evVZxe1zHIDGk6V3fa0EfW6hU3Y5frp_wAZYXhbaLQpVEVqg_t_n4okdFNHnB9wEdSzp8x4xFFUcrhX7iNYh_wejH2XGfnuFANMiH3V16Mh-95k/s1600/Screenshot+2016-02-18+09.54.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcqCAQXwjIoBQcJHdfWFFIOaTrumM7evVZxe1zHIDGk6V3fa0EfW6hU3Y5frp_wAZYXhbaLQpVEVqg_t_n4okdFNHnB9wEdSzp8x4xFFUcrhX7iNYh_wejH2XGfnuFANMiH3V16Mh-95k/s640/Screenshot+2016-02-18+09.54.03.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span id="docs-internal-guid-805e89e1-f58f-c218-6173-1df7259355d0"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Once you have located the desired package, use </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Install-Module</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> to download and install it (notice that I used the command from the Install section of the PowerShell Gallery project page). </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Install-Module </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">will prompt you to confirm that you are installing a module downloaded from the internet; answer "A" to continue. By default, the module is installed in the </span><span style="font-family: "arial"; font-size: 14.6667px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">%ProgramFiles%\WindowsPowerShell\Modules</span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">directory, which makes it available to all users. If you want the module to be accessible only to the current user, specify </span><span style="font-family: "arial"; font-size: 14.6667px; font-style: italic; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">-Scope CurrentUser</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> with </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Install-Module </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">and it will be installed in the </span><span style="font-family: "arial"; font-size: 14.6667px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">%UserProfile%\Documents\WindowsPowerShell\Modules</span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">directory.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikoLXB4pFKxWiAOpD2ni2cNGGvpICV-CFfMBVg_TJ-fxarvh-ThSi3qI_0HbTdNAu8R3Jp5hl0IXDJyB0CUh2Ql3ovtJODr06TghPAmhBYu1hLDt2axUHjzeECvtppDXlfN8b7JjmACRg/s1600/Screenshot+2016-02-17+08.08.44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikoLXB4pFKxWiAOpD2ni2cNGGvpICV-CFfMBVg_TJ-fxarvh-ThSi3qI_0HbTdNAu8R3Jp5hl0IXDJyB0CUh2Ql3ovtJODr06TghPAmhBYu1hLDt2axUHjzeECvtppDXlfN8b7JjmACRg/s640/Screenshot+2016-02-17+08.08.44.png" width="640" /></span></a><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span id="docs-internal-guid-805e89e1-f58f-f09e-e997-656601387766"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Once PowerForensics is installed, we can use </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Import-Module </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">to load the module into our current session and </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Get-Command,</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> with the -Module parameter, to list the cmdlets exposed by the module.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXP1cwHuZledSTLjG5A4VaSxA2ryJqBzlBiwp7h5IURGSqHx0o8w6616iPBBLgRgSYs-Ersn7lC3XKAd7UdbBpefnF7SXEk2iG8dVEsf_3d4UaN5i3ZJqqwTmgGPjzYrdRf9aFue6b558/s1600/Screenshot+2016-02-18+09.33.48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXP1cwHuZledSTLjG5A4VaSxA2ryJqBzlBiwp7h5IURGSqHx0o8w6616iPBBLgRgSYs-Ersn7lC3XKAd7UdbBpefnF7SXEk2iG8dVEsf_3d4UaN5i3ZJqqwTmgGPjzYrdRf9aFue6b558/s640/Screenshot+2016-02-18+09.33.48.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3>
Method 2: <a href="https://github.com/Invoke-IR/PowerForensics/releases"><span style="color: blue;">Github</span></a></h3>
<div style="text-align: justify;">
<span id="docs-internal-guid-805e89e1-f590-2998-4907-ec2662b93923"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/Invoke-IR/PowerForensics/releases" style="text-decoration: none;"><span style="color: black;">Github</span></a> is a popular code distribution site and another way to download PowerForensics. Each major release contains three zip files: PowerForensics.zip, PowerForensicsv2.zip, and Source code. (As above, PowerForensicsv2 is the PowerShell v2.0 compliant version.)</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Qcu5PzmXN4fT6fWDdIR8E6IxNqTvdN8QJOiMDnN3XHyBWZ59crABK-EKeaoE4_wClBsU3F-HOKPpkerygWSZva5usCyykB2VMa4cM0fy4X6gkrf2ULcJ_98EVK6I-53ZCTpTcgQ5dhA/s1600/Screenshot+2016-02-17+07.56.24.png" imageanchor="1" style="font-family: times, 'times new roman', serif; margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Qcu5PzmXN4fT6fWDdIR8E6IxNqTvdN8QJOiMDnN3XHyBWZ59crABK-EKeaoE4_wClBsU3F-HOKPpkerygWSZva5usCyykB2VMa4cM0fy4X6gkrf2ULcJ_98EVK6I-53ZCTpTcgQ5dhA/s640/Screenshot+2016-02-17+07.56.24.png" width="640" /></a><br />
<br />
<span id="docs-internal-guid-805e89e1-f590-6cf9-98a3-6963b34d5603"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">If you downloaded PowerForensics with Internet Explorer, you must “Unblock” the files. This can be accomplished by right clicking on the file and selecting properties. From the properties menu, check the </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Unblock </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">box and click </span><span style="font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Apply</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">. </span></span><br />
<span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">This step is necessary because Internet Explorer adds an Alternate Data Stream (ADS) named </span><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;">Zone.Identifier to every file downloaded through the browser. The Zone.Identifier records which <a href="https://msdn.microsoft.com/en-us/library/ms537183.aspx"><span style="color: blue;">security zone</span></a> the file was downloaded from. PowerShell requires user interaction before it will run files marked as downloaded from the internet, so unblocking lets us skip this tedious step.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb-Dh3ceF53ShLE9HVJjlx8a6UwkfaaYveCJxl5K0ivyMbRdeAGDTqs4EFCniM2T3rlWTGacgdvw1E0KkypguAQ72kratasnKPZSRCZykyRBHxhLuJooyVr5L7DRLI93XrbXzWOX9gxew/s1600/Screenshot+2016-02-18+11.21.20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb-Dh3ceF53ShLE9HVJjlx8a6UwkfaaYveCJxl5K0ivyMbRdeAGDTqs4EFCniM2T3rlWTGacgdvw1E0KkypguAQ72kratasnKPZSRCZykyRBHxhLuJooyVr5L7DRLI93XrbXzWOX9gxew/s640/Screenshot+2016-02-18+11.21.20.png" width="640" /></a></div>
<br />
<span id="docs-internal-guid-805e89e1-f590-b4c9-4189-3424c7d4b6b3"><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">To finish installing PowerForensics, unzip the module into a directory in the PSModulePath, such as C:\Program Files\WindowsPowerShell\Modules\, then import it and go! For more information about PSModulePath check out this </span><a href="https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx" style="text-decoration: none;"><span style="color: blue; font-family: "arial"; font-size: 14.6667px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">article</span></a><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">.</span></span><br />
<span style="font-family: "arial"; font-size: 14.6667px; text-align: justify; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh18G_AHSDn9DJWjjUcYRLZpklBWLt8Cs40CZYVx4_PyYU1kHOU2BmaSTlMXavvVh27ahEh0Ha2-PXzhrmRB3nhPp-68cgR7_vBqCsKUBrJ4S_YPeNS0KiNLLUS8Lz8CraUQ6cr6kh_AFg/s1600/Screenshot+2016-02-18+11.26.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="620" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh18G_AHSDn9DJWjjUcYRLZpklBWLt8Cs40CZYVx4_PyYU1kHOU2BmaSTlMXavvVh27ahEh0Ha2-PXzhrmRB3nhPp-68cgR7_vBqCsKUBrJ4S_YPeNS0KiNLLUS8Lz8CraUQ6cr6kh_AFg/s640/Screenshot+2016-02-18+11.26.31.png" width="640" /></a></div>
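The two installation methods above, as an added example script (not code from the original post or from the PowerForensics project). For the GitHub route it shows the Zone.Identifier stream that the "Unblock" checkbox removes before extracting the module onto PSModulePath; $ZipPath, the Downloads location and the manifest name PowerForensics.psd1 are assumptions.

```powershell
# Added example: install PowerForensics from the PowerShell Gallery (-FromGallery)
# or from a downloaded GitHub release zip. Not the project's own installer.
param(
    [switch]$FromGallery,
    [string]$ZipPath    = "$env:USERPROFILE\Downloads\PowerForensics.zip",   # placeholder path
    [string]$ModuleRoot = "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
)

if ($FromGallery) {
    # Method 1: the cmdlets shown in the screenshots, scoped to the current
    # user so the install itself needs no elevation.
    Find-Module -Name '*Forensic*' | Select-Object Name, Version, Author
    Install-Module -Name PowerForensics -Scope CurrentUser
}
else {
    # Method 2: a browser download carries an NTFS alternate data stream named
    # Zone.Identifier (the "mark of the web") next to the main :$DATA stream.
    Get-Item -Path $ZipPath -Stream * | Select-Object Stream, Length

    $motw = Get-Item -Path $ZipPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        # Typical content is "[ZoneTransfer]" followed by "ZoneId=3"; 3 is the Internet zone.
        Get-Content -Path $ZipPath -Stream Zone.Identifier
        # Same effect as ticking "Unblock" in the file's Properties dialog.
        Unblock-File -Path $ZipPath
    }

    # Extract to a scratch directory and locate the manifest, so the folder
    # layout inside the zip does not matter (manifest name is an assumption).
    $scratch = Join-Path $env:TEMP ('pf-' + [guid]::NewGuid().ToString('N'))
    Expand-Archive -Path $ZipPath -DestinationPath $scratch -Force
    $manifest = Get-ChildItem -Path $scratch -Recurse -Filter 'PowerForensics.psd1' |
        Select-Object -First 1
    if (-not $manifest) { throw "PowerForensics.psd1 not found inside $ZipPath" }

    # Import-Module finds a module by name only when its folder is named after
    # the module and sits directly under a PSModulePath entry.
    $dest = Join-Path $ModuleRoot 'PowerForensics'
    if (Test-Path $dest) { Remove-Item -Path $dest -Recurse -Force }
    New-Item -ItemType Directory -Path $ModuleRoot -Force | Out-Null
    Move-Item -Path $manifest.DirectoryName -Destination $dest
    Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue

    # Files extracted from a blocked archive can inherit the mark; clear it once.
    Get-ChildItem -Path $dest -Recurse -File | Unblock-File

    # Sanity check that $ModuleRoot really is on PSModulePath for this session.
    $entries = $env:PSModulePath -split ';' | ForEach-Object { $_.TrimEnd('\') }
    if ($entries -notcontains $ModuleRoot.TrimEnd('\')) {
        Write-Warning "$ModuleRoot is not in PSModulePath; Import-Module will need the full path"
    }
}

# Either way: load the module and list the cmdlets it exposes.
Import-Module PowerForensics
Get-Command -Module PowerForensics | Select-Object Name, CommandType
```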
<span style="font-family: "arial"; font-size: 14.6667px; text-align: justify; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span id="docs-internal-guid-805e89e1-f591-545f-fbc3-7fe611c07757"><span style="background-color: white; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #333333;">You are now ready to use the PowerForensics PowerShell module! Subscribe to </span><a href="http://feeds.feedburner.com/Invoke-ir"><span style="color: blue;">Invoke-IR</span></a><span style="color: #333333;"> to make sure you get the latest PowerForensics tricks and tips.</span></span></span><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />Forensic Friday: Get-ForensicUsnJrnl (2016-02-12)<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[This article is a continuation of my Forensic Friday series. Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span><br />
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Welcome back to Forensic Friday! This week I want to highlight the </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.6667px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicUsnJrnl </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">cmdlet, which parses the $UsnJrnl file, the NTFS change journal. The UsnJrnl keeps track of file system operations such as file creation, deletion, and truncation. During an investigation I highly recommend inspecting the $UsnJrnl, as it provides extremely detailed context about what has transpired on the file system; for example, it can provide details about a deleted and otherwise unrecoverable file.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<h3>
Common Use</h3>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">By default, this cmdlet parses the $UsnJrnl file (\$Extend\$UsnJrnl) on the system’s C: volume, but can be pointed at any logical volume. An exported $UsnJrnl file can be parsed using the -Path parameter in order to perform offline analysis. I’ve listed a few examples below. The -Usn parameter tells </span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicUsnJrnl</span><span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"> to parse and return a single entry. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse a volume’s UsnJrnl & store in $usn variable (Example using volume “C:”):</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: red; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$usn</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #999999; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicUsnJrnl</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-VolumeName</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFsLzvDwdnE7Q1sOe21HYcuXG2qGLZP7I9l4iXdb82WfaMGKsEBsOf6GTIr8kibn_xMpaH5OvAKP5snv-MebqnepZ4Z3-TYjOF88Dhp0YlKvtzwPWfW7bif_lqhoIuWRJ6idM4P_ujXs8/s1600/Screenshot+2016-02-16+20.49.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFsLzvDwdnE7Q1sOe21HYcuXG2qGLZP7I9l4iXdb82WfaMGKsEBsOf6GTIr8kibn_xMpaH5OvAKP5snv-MebqnepZ4Z3-TYjOF88Dhp0YlKvtzwPWfW7bif_lqhoIuWRJ6idM4P_ujXs8/s640/Screenshot+2016-02-16+20.49.39.png" width="640" /></a></div>
<span style="background-color: transparent; color: #9900ff; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse $UsnJrnl file based on path & store in $usn variable (Example path C:\$Extend\$UsnJrnl):</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: red; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$usn</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #999999; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicUsnJrnl</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-Path</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #a61c00; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'C:\$Extend\$UsnJrnl'</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJyYVdhvRsvvnel9soTTPOreHcQofyGOJRAjKiOApGkIlcGCWOjdd1HsKkKO0Lw0z0wrCK1INRAs3L-fAqOWGtoqCGCpN4PjIXpQtuStqBfAMegsVK6apB1l9f1FiVlt-CJWkXoHOiXlQ/s1600/Screenshot+2016-02-16+20.51.27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJyYVdhvRsvvnel9soTTPOreHcQofyGOJRAjKiOApGkIlcGCWOjdd1HsKkKO0Lw0z0wrCK1INRAs3L-fAqOWGtoqCGCpN4PjIXpQtuStqBfAMegsVK6apB1l9f1FiVlt-CJWkXoHOiXlQ/s640/Screenshot+2016-02-16+20.51.27.png" width="640" /></a></div>
<div style="text-align: center;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parse $UsnJrnl entry based on Update Sequence Number (Example with Usn #1189553536):</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicUsnJrnl</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> -VolumeName </span><span style="background-color: transparent; color: #9900ff; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-Usn</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1189553536</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMRAmRF9qwDNwmYQvlZL14IV401be2nTxRah9KLRuS2BVWafHZ4AO4Z11WpjyF-5onVtr2SUcUF001YcFTMvaIclqWa1DXDtIBO-lObGDxP9TTcVs9FXB8HBhELG-3ORJvGcCIF42-Qo/s1600/Screenshot+2016-02-16+20.53.24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMRAmRF9qwDNwmYQvlZL14IV401be2nTxRah9KLRuS2BVWafHZ4AO4Z11WpjyF-5onVtr2SUcUF001YcFTMvaIclqWa1DXDtIBO-lObGDxP9TTcVs9FXB8HBhELG-3ORJvGcCIF42-Qo/s640/Screenshot+2016-02-16+20.53.24.png" width="640" /></a></div>
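An added example (not code from the original post or from the PowerForensics project) that builds on the three commands above: it pulls every journal record for one file name, finds the FILE_DELETE record, and resolves the parent directory through Get-ForensicFileRecord -Index, so a deleted file that no longer has an MFT entry still gets a timestamp and a path. The property names (Usn, TimeStamp, Reason, FileName, ParentFileReferenceNumber, FullName), the 48-bit record-number layout of the parent reference, and the file name invoice.pdf are assumptions; check the real names with Get-Member first.

```powershell
# Added example: timeline of one deleted file from the $UsnJrnl. Run from an
# elevated session (raw volume access) or point -JournalPath at an exported file.
param(
    [string]$VolumeName  = 'C:',
    [string]$JournalPath = '',             # optional exported $UsnJrnl for offline analysis
    [string]$FileName    = 'invoice.pdf'   # placeholder: the name under investigation
)

Import-Module PowerForensics

# Parsing the journal is the expensive step; do it once and keep the array.
$usn = if ($JournalPath) {
    Get-ForensicUsnJrnl -Path $JournalPath
} else {
    Get-ForensicUsnJrnl -VolumeName $VolumeName
}

# Every record that names the file, oldest first (Usn increases monotonically).
# Property names below are assumed from the cmdlet's output.
$history = $usn |
    Where-Object { $_.FileName -eq $FileName } |
    Sort-Object Usn

$history | Format-Table Usn, TimeStamp, Reason, FileReferenceNumber -AutoSize

# A deletion is logged with the FILE_DELETE reason flag (usually paired with
# CLOSE). Stringify Reason so this works whether it is an enum or plain text.
$deleted = $history |
    Where-Object { "$($_.Reason)" -match 'FILE_DELETE' } |
    Select-Object -Last 1
if (-not $deleted) {
    Write-Warning "No FILE_DELETE record for $FileName in the journal"
    return
}

# NTFS file references pack the MFT record number into the low 48 bits and a
# sequence number into the high 16 (assumed to be passed through unmasked).
$parentIndex = ([uint64]$deleted.ParentFileReferenceNumber) -band ([uint64]0xFFFFFFFFFFFF)

# The parent directory normally still exists, so its MFT record resolves the
# path even though the deleted file's own record may already be reused.
$parent = if ($JournalPath) {
    $null   # offline journal only: no volume to read the MFT from
} else {
    Get-ForensicFileRecord -VolumeName $VolumeName -Index ([long]$parentIndex)
}

[pscustomobject]@{
    FileName        = $deleted.FileName
    DeletedAt       = $deleted.TimeStamp
    Usn             = $deleted.Usn
    ParentIndex     = $parentIndex
    ParentDirectory = if ($parent) { $parent.FullName } else { '(resolve with Get-ForensicFileRecord -MftPath)' }
}
```

With an exported journal the parent directory is left unresolved; pair it with an exported $MFT and Get-ForensicFileRecord -MftPath, described in the next Forensic Friday post, to complete the path offline.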
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<br /><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
Forensic Friday: Get-ForensicFileRecord (2016-02-05)<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[This is the first article in my Forensic Friday series. Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's start with </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, the PowerForensics cmdlet I tend to use the most. This cmdlet parses the Master File Table (MFT) of an NTFS formatted volume (more formats are in the works). This function provides the base for all other NTFS based PowerForensics cmdlets and allows an analyst to perform a variety of different tasks (finding files, recovering deleted files, detecting timestomping, etc.). As always, please leave any questions or comments about this post below; maybe you'll inspire the next Forensic Friday post!</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<h3 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Common Use</h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">By default, this cmdlet parses the $MFT file on the system’s C: volume but can be pointed at any logical volume. The -Index and -Path parameters tell </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to parse and return a single MFT File Record. Lastly, an exported $MFT file can be parsed using the -MftPath parameter in order to perform offline analysis. I’ve listed a few examples below.</span></div>
<b style="font-weight: normal;"><br /></b>
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;">Parse a volume’s Master File Table and store it in the $mft variable (example using volume “C:”):</span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: red; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$mft</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #999999; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-VolumeName</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; 
font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix9vbnCd2xalvvC6S0Em8RMP7M8XttEpkffpmEGPAM-R39cfb8D3TswpnL4CS0wUeCZ7RUw1P8jqAjoPFXzZxAid27pPbyAe-ZkRN1iVPwoHPo6GmwAhLennNAtvWdtshNrEoANGpOjxM/s1600/Screenshot+2016-02-17+07.45.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix9vbnCd2xalvvC6S0Em8RMP7M8XttEpkffpmEGPAM-R39cfb8D3TswpnL4CS0wUeCZ7RUw1P8jqAjoPFXzZxAid27pPbyAe-ZkRN1iVPwoHPo6GmwAhLennNAtvWdtshNrEoANGpOjxM/s640/Screenshot+2016-02-17+07.45.19.png" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;"><br /></span></div>
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;">Parse MFT record based on Index/Record Number (Example with Index 0):</span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-Index</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "consolas"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN9M7cuK2NJroxI3zzCP0CmujTwmyFkNv4NGBywh1Uj33EQQJ9BfBe8X23YE9GooZ32u09FtXTZqTWYb-4HKjzt2W_L2WHu0KIRsjaTtoub_qddU-XkYs5rcVtvG8vXj447Tx53arNJqQ/s1600/Screenshot+2016-02-17+07.45.40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN9M7cuK2NJroxI3zzCP0CmujTwmyFkNv4NGBywh1Uj33EQQJ9BfBe8X23YE9GooZ32u09FtXTZqTWYb-4HKjzt2W_L2WHu0KIRsjaTtoub_qddU-XkYs5rcVtvG8vXj447Tx53arNJqQ/s640/Screenshot+2016-02-17+07.45.40.png" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;"><br /></span></div>
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;">Parse MFT record based on file path (Example with C:\Windows\System32\config\SAM):</span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-Path</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:\Windows\System32\config\SAM</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN0kxkj4SgrOsMjuYF_1iN9aq2h68ePHBrjBPnA1lrLAaB1PCttDrwzEChExwbZ7KHlzfKn-j3Bib-3KKjKISULFVc-7QWI5NckO37mHYwmsS145lj5jHlz9o8dlNtv0Iyk-Y1ERzaGZ4/s1600/Screenshot+2016-02-17+07.46.10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN0kxkj4SgrOsMjuYF_1iN9aq2h68ePHBrjBPnA1lrLAaB1PCttDrwzEChExwbZ7KHlzfKn-j3Bib-3KKjKISULFVc-7QWI5NckO37mHYwmsS145lj5jHlz9o8dlNtv0Iyk-Y1ERzaGZ4/s640/Screenshot+2016-02-17+07.46.10.png" width="640" /></a></div>
<div style="text-align: center;">
<span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: black; font-size: 14.6667px; line-height: 20.24px;"><br /></span></span></div>
<span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: black; font-size: 14.6667px; line-height: 20.24px;">Parse an exported Master File Table (Example for C:\evidence\MFT):</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: blue; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: red; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline;">$mft</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline;"> </span><span style="color: #999999; font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline;">=</span><span style="font-family: "consolas"; font-size: 14.6667px; vertical-align: baseline;"> </span>Get-ForensicFileRecord</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #073763; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-MftPath</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #9900ff; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:\evidence\MFT</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiImQKC2ayfSLHe-0HtVe4vV0c9mtwKlO5TNno3INxTRjP51HmY3Ckb8bzcksTXatqHEg0cS7zTFh6WaM_TBgYc40xht63iMtE6tl8dsOTgrOPS5a6dJxmCXW0CTDTOegPeZVdGgsYSIW8/s1600/Screenshot+2016-02-17+07.47.29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiImQKC2ayfSLHe-0HtVe4vV0c9mtwKlO5TNno3INxTRjP51HmY3Ckb8bzcksTXatqHEg0cS7zTFh6WaM_TBgYc40xht63iMtE6tl8dsOTgrOPS5a6dJxmCXW0CTDTOegPeZVdGgsYSIW8/s640/Screenshot+2016-02-17+07.47.29.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
Copying Locked Files with PowerForensics (2016-02-05)<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">[Cmdlets referenced in this article must be run with Local Administrator or equivalent permissions]</span></div>
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Every Forensicator or Incident Responder has run into the dreaded ‘locked file’ at least once (probably A LOT more than once). Whether it is the Master File Table, UsnJrnl, or a Registry Hive, it seems that juicy forensic data is always contained in one of these locked files. One of my favorite</span><span style="background-color: transparent; color: #b4a7d6; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">PowerForensics features is the ability to find a file’s data on disk and access it directly, bypassing file system restrictions such as permissions and file locking. This feature is a key component of PowerForensics, forming the base on which all artifact parsing is built. The image below shows what happens when I try to use PowerShell’s Copy-Item cmdlet to make a copy of the SAM hive… I receive a “file in use” error.</span></div>
<span id="docs-internal-guid-6429c4c5-a389-3d7e-eea7-56bab261949c" style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-01-31 12.33.12.png" height="80" src="https://lh4.googleusercontent.com/TCSW9f7OlRy46vM6yS7NXobZV57QxVT4goaYh0iyoTeeSBRW7EKxGXITaqenC6iECWvtA2fZ-q1dzXqQ0ZzzOGArWnxmpdIO8h-qJvago8ci49eRhwB0Oo5XHUDMTMMYTvOsKfJQ" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">This post looks at three methods to copy a locked file with PowerForensics. To properly understand what is happening under the hood for each of these methods, we must start by viewing the SAM hive’s Master File Table entry (File Record). Get-ForensicFileRecord is PowerForensics’ cmdlet for parsing the Master File Table. In the image below we are using the Path parameter to look at the single entry for the SAM hive.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-01-31 12.35.57.png" height="464" src="https://lh5.googleusercontent.com/0dM4CtS8xgxOe5K-dMpWZmCi3Pl6VlJZ-dA13Y-3V1S6EeYld02AUXQ925vZc3P7NGVVuKp8lc8AnoxUZGtgZHtNCf2XgUYsCj6kz-E5alOzbwBHRQvnw4rmImcqB2xlDszrEwJD" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Get-ForensicFileRecord returns a FileRecord object representing a </span><a href="https://raw.githubusercontent.com/Invoke-IR/ForensicPosters/master/Posters/0_MFT.png" style="color: black; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Master File Table entry</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">. NTFS files store their content in one of two ways, </span><a href="https://raw.githubusercontent.com/Invoke-IR/ForensicPosters/master/Posters/0x80_%24DATA.png" style="color: black; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">resident</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"> or </span><a href="https://raw.githubusercontent.com/Invoke-IR/ForensicPosters/master/Posters/0xXX_NonResident.png" style="color: black; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">nonresident</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">. If the data is resident, it is stored within the 1024-byte Master File Table record, which typically means it is less than 600 bytes. In most cases the data is nonresident, meaning it is stored elsewhere on the hard drive. For nonresident file data, the Master File Table record’s ‘DATA’ attribute contains pointers to the actual contents. In the following image we see that the SAM file’s contents are nonresident, and we are able to drill in far enough to see that the Data Runs are the pointers I talked about before.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-01-31 12.39.33.png" height="324" src="https://lh4.googleusercontent.com/EJKL0vER08Wlc6lxykIUjU_p4fCn2ba1i7_JcZld8sVvf4qm_WLY1I2-8YyMe0Syd8NntDM8S9wtMdB0zVWC3c4bDUK6CEVpTAOb1jDHFr6Jkyp9P4gdiMehNgCzixuMkfY87ki1" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">According to the Data Runs, the SAM hive is a fragmented file made up of 2 clusters starting at cluster 9720724 and 14 clusters starting at cluster 12006058. The rest of this article explains three different methods that leverage this information to access the SAM hive’s content and copy it to a non-locked file that can be analyzed offline.</span></div>
<h3 dir="ltr" style="background-color: white; font-family: 'Open Sans', sans-serif; font-size: 19px; line-height: 1.38; margin: 16pt 0px 4pt; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 18.6667px; font-weight: 400; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Method 1: Invoke-ForensicDD</span></h3>
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Invoke-ForensicDD is my best effort at porting the classic unix disk duplicator (dd) utility to PowerShell. We can use this cmdlet to copy the bytes that represent the SAM hive without accessing the SAM hive (the file) directly.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 09.22.56.png" height="441" src="https://lh5.googleusercontent.com/h33tLoH5_wyNhRVj_gu7P6NwNyJwmywja2pgz9RgGvPcWnpW6z45xY-PAca6YhMbbl6zqDPx4dvvT629WYUX3PKVq5n6xjT9ldIly_9Dl4klnwGnlA8C5Fj1bd5GUH1_kgOIq7wk" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Now that we have the VBR, we know that this volume is formatted with 4096 bytes per cluster. Next, let’s revisit the SAM hive’s DataRun property. Remember that in this case we are dealing with a fragmented file, which is why we see two DataRun entries.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 12.24.09.png" height="184" src="https://lh6.googleusercontent.com/EfvXAmzKkR1fBxtY_cOBVQJf1EMEh88hjSBHylM6cppjq2iWOlfe6lWkJeheEpGS4TAa0kESTxp0Y9_iDFFfBeKypdSb8n3yRDk-WR39um8rvrWQLt6rETegSCr9RRUlxILUl8x0" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">The first fragment starts at cluster 9720724 and is 2 clusters in length, and the second fragment starts at cluster 12006058 and is 14 clusters in length. With this information we can use Invoke-ForensicDD to copy both fragments to a file.</span></div>
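<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">The two steps just described (reading the Data Runs out of the ‘DATA’ attribute, then turning each run into a byte offset and length for Invoke-ForensicDD) are easy to do by hand for two fragments, but the script below works the arithmetic through in code. It is an added example written for this post, not PowerForensics code: ConvertFrom-NtfsDataRun decodes a raw NTFS run list (header nibbles giving the field sizes, an unsigned little-endian run length, a signed little-endian start-cluster delta, and a zero-size offset field for sparse runs), and Get-DdParameterSet applies the formula DataRun.StartCluster * VolumeBootRecord.BytesPerCluster from the Invoke-ForensicDD help to every run. The run-list bytes are constructed so that they decode to the SAM hive fragments shown above, the 4096 bytes-per-cluster value comes from the VBR output above, and both function names are my own.</span></div>

```powershell
# Added example (not part of PowerForensics): decode an NTFS $DATA run list and
# derive the Offset / BlockSize / Count that Invoke-ForensicDD needs per fragment.
# Requires PowerShell 3.0 or later for the -shl / -shr operators.

function ConvertFrom-NtfsDataRun {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $runs = @()
    $pos = 0
    $currentCluster = [long]0   # each run's start is stored as a signed delta from the previous run

    while ($pos -lt $Bytes.Length -and $Bytes[$pos] -ne 0) {
        $header     = $Bytes[$pos]
        $lengthSize = $header -band 0x0F            # low nibble: bytes used for the run length
        $offsetSize = ($header -shr 4) -band 0x0F   # high nibble: bytes used for the start delta
        $pos++

        # Run length in clusters: unsigned little-endian integer
        $length = [long]0
        for ($i = $lengthSize - 1; $i -ge 0; $i--) {
            $length = ($length -shl 8) -bor $Bytes[$pos + $i]
        }
        $pos += $lengthSize

        if ($offsetSize -eq 0) {
            # No offset field means a sparse run: these clusters have no on-disk location
            $runs += [pscustomobject]@{ StartCluster = $null; ClusterCount = $length; Sparse = $true }
            continue
        }

        # Start-cluster delta: signed little-endian integer, sign-extended from its top byte
        $delta = [long]0
        for ($i = $offsetSize - 1; $i -ge 0; $i--) {
            $delta = ($delta -shl 8) -bor $Bytes[$pos + $i]
        }
        if ($offsetSize -lt 8 -and ($Bytes[$pos + $offsetSize - 1] -band 0x80)) {
            $delta -= ([long]1 -shl (8 * $offsetSize))
        }
        $pos += $offsetSize

        $currentCluster += $delta
        $runs += [pscustomobject]@{ StartCluster = $currentCluster; ClusterCount = $length; Sparse = $false }
    }
    return ,$runs
}

function Get-DdParameterSet {
    param(
        [Parameter(Mandatory)][object[]]$Runs,
        [Parameter(Mandatory)][long]$BytesPerCluster,
        [string]$InFile = '\\.\C:',                    # logical volume used in the post
        [string]$OutFilePrefix = 'C:\evidence\SAM_copy' # output file used in the post, numbered per fragment
    )
    $n = 0
    foreach ($run in $Runs) {
        $n++
        if ($run.Sparse) { continue }   # nothing on disk to copy for a sparse run
        [pscustomobject]@{
            Fragment  = $n
            InFile    = $InFile
            OutFile   = "$OutFilePrefix$n"
            Offset    = $run.StartCluster * $BytesPerCluster   # DataRun.StartCluster * VolumeBootRecord.BytesPerCluster
            BlockSize = $BytesPerCluster
            Count     = $run.ClusterCount                      # one block per cluster
        }
    }
}

# Constructed sample run list (not read from a real disk): 2 clusters at cluster 9720724,
# then 14 clusters at cluster 12006058, whose start is encoded as the delta +2285334.
#   0x41 = 4-byte offset, 1-byte length; 0x02; 0x00945394 little-endian
#   0x31 = 3-byte offset, 1-byte length; 0x0E; 0x22DF16   little-endian
#   0x00 terminates the list
$sampleRunList = [byte[]](0x41, 0x02, 0x94, 0x53, 0x94, 0x00,
                          0x31, 0x0E, 0x16, 0xDF, 0x22,
                          0x00)

$runs = ConvertFrom-NtfsDataRun -Bytes $sampleRunList
$runs | Format-Table -AutoSize
Get-DdParameterSet -Runs $runs -BytesPerCluster 4096 | Format-Table -AutoSize
```

<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">The objects that Get-DdParameterSet emits map one-to-one onto the InFile, OutFile, Offset, BlockSize and Count parameters described in the Invoke-ForensicDD help, so fragment 1 comes out as Offset 39816085504 (9720724 * 4096) with 2 blocks of 4096 bytes and fragment 2 as Offset 49176813568 with 14 blocks. Two things to keep in mind when reading at this level: a run is always a whole number of clusters, so the final fragment copy includes the slack bytes between the end of the file’s real content and the end of its last cluster, and a sparse run has no offset field at all, which is why the decoder treats a zero-size offset as “no clusters on disk” rather than as a delta of zero.</span></div>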
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Before we use Invoke-ForensicDD, let’s check out its cmdlet help for usage instructions.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 12.10.41.png" height="320" src="https://lh5.googleusercontent.com/hQSlL8ABHX_zeJut2rF4J-wenHZhNt7a-1nkFT92NJPkkNO9jl2q00sMi1F4hXuZ3XWW4cNdbCousQV00fpa5qdiextnLC4bH9x19ykOWNjTeSoZNtG35-GvEyXgWMxhwlrNTt5K" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">According to the help, we must provide an InFile (the file, volume, or disk to read from), an optional OutFile (the file to output the data to), an Offset (location to start reading from), BlockSize (the number of bytes to read at one time), and a Count (the number of “Blocks” to read). Since we are dealing with a fragmented file we will need to issue the command once per fragment (twice total in this example). We will be reading from the \\.\C: logical volume (InFile), and will output to C:\evidence\SAM_copy1 (OutFile). Our Offset and BlockSize parameters are derived from each DataRun. The offset will equal </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; font-weight: 700; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">DataRun.StartCluster * VolumeBootRecord.BytesPerCluster</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"> or in the case of fragment 1 </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; font-weight: 700; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">9720724 * 4096</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">. 
The BlockSize will be </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; font-weight: 700; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">DataRun.ClusterLength * VolumeBootRecord.BytesPerCluster</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"> or for fragment 1 </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; font-weight: 700; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">2 * 4096</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">. For these examples we will set Count to 1. In the image below you can see Invoke-ForensicDD is used twice, once for each fragment, to copy the SAM Hive to the evidence directory. </span></div>
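<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
The procedure above (Offset and BlockSize derived from each data run, one Invoke-ForensicDD call per fragment) written out as a reusable function. This is an added example, not code from the original post or from the PowerForensics project. It assumes PowerForensics is imported, that Get-ForensicVolumeBootRecord accepts -VolumeName and exposes BytesPerCluster, that the file record's DATA attribute exposes a NonResident flag and a DataRun list with StartCluster and ClusterLength, and that Invoke-ForensicDD appends when OutFile already exists (the post writes both fragments to the same OutFile, so it relies on the same behaviour).</div>

```powershell
# Added example (not from the post): carve a fragmented file from the raw volume by
# walking its NTFS data runs and issuing one Invoke-ForensicDD call per fragment.
# Assumed: Get-ForensicVolumeBootRecord -VolumeName / .BytesPerCluster, attribute
# properties Name, NonResident, DataRun (StartCluster, ClusterLength), and that
# Invoke-ForensicDD appends to an existing OutFile.
function Copy-FragmentedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,         # e.g. C:\Windows\System32\config\SAM
        [Parameter(Mandatory)] [string] $Destination,  # e.g. C:\evidence\SAM_copy1
        [string] $Volume = '\\.\C:'                    # logical volume that holds the file
    )
    # Fragments are appended in order, so never start from a file that already has content
    if (Test-Path -LiteralPath $Destination) {
        throw "Refusing to append to an existing evidence file: $Destination"
    }

    # Cluster size comes from the Volume Boot Record of the volume we read from
    $bytesPerCluster = (Get-ForensicVolumeBootRecord -VolumeName $Volume).BytesPerCluster

    # The first DATA attribute is the main (unnamed) stream; an ADS would carry a name
    $record = Get-ForensicFileRecord -Path $Path
    $data = @($record.Attribute | Where-Object { $_.Name -eq 'DATA' })[0]
    if (-not $data) { throw "No DATA attribute found for $Path" }
    if (-not $data.NonResident) {
        # Resident data lives inside the MFT record itself: there are no data runs to carve
        throw "$Path is resident; use the FileRecord CopyFile method or Copy-ForensicFile instead"
    }

    $fragments = foreach ($run in $data.DataRun) {
        # Offset = StartCluster * BytesPerCluster, BlockSize = ClusterLength * BytesPerCluster, Count = 1
        $offset    = [long] $run.StartCluster  * $bytesPerCluster
        $blockSize = [long] $run.ClusterLength * $bytesPerCluster
        Invoke-ForensicDD -InFile $Volume -OutFile $Destination -Offset $offset -BlockSize $blockSize -Count 1 | Out-Null
        [pscustomobject]@{ StartCluster = $run.StartCluster; ClusterLength = $run.ClusterLength; Offset = $offset; Bytes = $blockSize }
    }
    $fragments | Format-Table -AutoSize | Out-Host

    # Hash the result straight away so the copy can be tied to the evidence record
    Get-FileHash -LiteralPath $Destination -Algorithm SHA256
}

# Usage, matching the post's example:
# Copy-FragmentedFile -Path C:\Windows\System32\config\SAM -Destination C:\evidence\SAM_copy1
```

<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
Because whole clusters are copied, the last fragment carries any slack between the file's logical size and the cluster boundary. A registry hive is built from 4096-byte blocks, so for the SAM hive on a 4096-byte-cluster volume the output matches the file exactly; for other files, compare the output length with the file's logical size before relying on the hash.</div>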
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">NOTE: In the picture below, I store a lot of information in variables. This was done to make the image easier to follow and is not 100% necessary.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 12.27.53.png" height="142" src="https://lh3.googleusercontent.com/ixyHrIis4yF9RlND2HIJSXWwrR6uKt0znKeS8yd96DJSrbpFmC4Dy1jn5HLFyqkv_0nVEdclqmlzCxpyiOsBidGGoD1bDQfGRF8fgQnHQGAFgakLOQGwj1XYkHrP_vcWLOCY85LN" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Now we can open SAM_copy1 in our favorite Registry viewer.</span></div>
<h3 dir="ltr" style="background-color: white; font-family: 'Open Sans', sans-serif; font-size: 19px; line-height: 1.38; margin: 16pt 0px 4pt; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 18.6667px; font-weight: 400; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Method 2: CopyFile Method</span></h3>
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Without realizing it we already have another method set up. The PowerForensics.Ntfs.FileRecord object has CopyFile method built in. CopyFile understands the major concepts of how data is referenced in the Master File Table, so concepts like resident vs. nonresident data and fragmentation are made transparent to the user. The image below pipes our save FileRecord object into the Get-Member cmdlet which outputs a list of methods and properties that make up a FileRecord object (remember that $r is stored the result of Get-ForensicFileRecord from earlier).</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-01 11.04.55.png" height="535" src="https://lh5.googleusercontent.com/mYRFCJGuMFJmCgT0gmHSAnX-aUxN1C-U-nw9_9EHlfKpwpR9POeI0M75J2nT4hFF51H8mCrwmuz0oq7YJG1P_hbzWWE-xaqLMe0pKyld8AwmWMZIFaRJFQYCruQ11K6LiYi83-m7" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="624" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">You may have noticed that the CopyFile method was the very first method in the list and that it has multiple overloads or ways to call it. To get a better view of the method overloads, and thus what arguments the method is expecting, we can call the method without parentheses as seen in the next image.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 09.14.21.png" height="131" src="https://lh6.googleusercontent.com/GRHSjXOU3YvXZ3PbSjsk8Gq0FWAoEMIKDcRhKsNG4sqp5VGueawvXu4Je8CfbiADPV9VzBxPMvabsEgpFAkzIRzuk-nBlrz9vgyiIYFHqbvguME4op5znw9HkLwV_7IOoP986M9n" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">It appears that there are two ways to call CopyFile. We will be focusing on the first overload since we are dealing with the main “data stream”. If we wanted to copy a specific “data stream”, often referred to as an Alternate Data Stream, we would use the second overload. Now all we have to do is execute the method with a destination path (C:\evidence\SAM_copy2) and we end up with a perfect copy of the SAM hive.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: italic; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">NOTE: PowerShell requires strings to be enclosed in quotes when passing it to a method.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 09.31.44.png" height="270" src="https://lh6.googleusercontent.com/OEQIhhbCa6aRT1gR1rHvzlfKarh6I2PSntsBTKmBAXP1JAA4zpm0LvIjXQ7TLVQUb8xYSvgPEpIICQyvOJUT6084kUvHgv76EjacyYrJx9th_ewHccdS7pYZE97loQX6oVX4tjAr" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="640" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">There you have it, we now have SAM_copy2 in the C:\evidence directory. Looks like method 2 was successful.</span></div>
<h3 dir="ltr" style="background-color: white; font-family: 'Open Sans', sans-serif; font-size: 19px; line-height: 1.38; margin: 16pt 0px 4pt; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 18.6667px; font-weight: 400; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Method 3: Copy-ForensicFile</span></h3>
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">The third method provides even one more layer of abstraction to the user. The Copy-ForensicFile cmdlet requires a Path and a Destination and will do all of the work for you. In the image below, I show Copy-ForensicFile being used to copy the SAM hive to C:\evidence\SAM_copy3. </span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 09.33.03.png" height="168" src="https://lh6.googleusercontent.com/ZLfcPMh8yta-QLOa2qDeH7k8TTCznfjnrBCqmV9-mPKvhqYtSX9-FTYQMzTUuVwE_B08DVeglcmExygBxdZiObhz8vu2mzmNSlXGru9Q-wM2gVjw49Zn61ZVBUy_bTbetZbI9ax8" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="624" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Once again, it looks like our copy was successful. We have what we assume are three identical files that were copied using three different techniques. To check to make sure all three files are the same we run them through PowerShell’s Get-FileHash as seen below.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 09.33.43.png" height="92" src="https://lh6.googleusercontent.com/nQBPTvvlD2zoOM-3A9SbIvt6Q3dNkD4cTkut7IcqpPTCuMWMqOf6JkeC0AX4x4XD6XqvYUzCIemNqF1uFGufOVxsHWLXsLpYKkplvQXycJsF7HGIZU8TqiYppXCPU66C5VMxLM6h" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="624" /></span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Looks like all three files are identical. Now that we have copied the SAM hive we can use </span><a href="http://binaryforay.blogspot.com/2015/02/introducing-registry-explorer.html" style="color: black; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Eric Zimmerman’s Registry Explorer</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"> to view them.</span></div>
<span style="background: rgb(255 , 255 , 255); border: none; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span><span style="background-color: white; color: #312c21; font-family: "open sans" , sans-serif; font-size: 13px;"></span>
<br />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><img alt="Screenshot 2016-02-02 12.52.07.png" height="309" src="https://lh6.googleusercontent.com/OJda1V4M1rTWe9o6-dpDHfed9fgOji8PCKE1qt-9FRm7Ka37hrfkn71Us1da0r5HiEeMeO88xaen5J0Gfy8P6S1SQvkOKDeJ-dSJ0OLsnSPCgUX5gRPNMUo2afLSDTGOhBs8RFU6" style="border: none; margin: 0px; outline: none; padding: 0px; transform: rotate(0rad); vertical-align: baseline;" width="425" /></span></div>
<br style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px;" />
<div dir="ltr" style="background-color: white; color: #312c21; font-family: 'Open Sans', sans-serif; font-size: 13px; line-height: 1.38; margin: 0pt 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline; white-space: pre-wrap;">Looks like it opened successfully! As you might have guessed each of the three techniques build off each other. The beauty of having three different methods is the granularity of control that each gives you. Method 1 allows you to copy any arbitrary bytes from a hard drive, but may require a bit more “forensic” knowledge to know what bytes are important. Method 3 requires very little background knowledge but will accomplish the task that it is meant to accomplish. One of the cooler concepts behind PowerForensics is that this single tool can leverage each of these techniques to accomplish the next step in the analysis chain. If you want to parse the SAM hive that can be accomplished via Get-ForensicRegistryKey and Get-ForensicRegistryValue which uses the same code in the background as Copy-ForensicFile with the exception of creating an output file. Stay tuned for many more articles and blog posts on different PowerForensics capabilities and use cases.</span></div>
<br />
<strong><span style="font-size: x-large;">On the Forensic Trail - Guid Partition Table (GPT)</span></strong><br />
<i>Published 2015-06-29, updated 2016-02-18.</i><br />
<div class="separator" style="clear: both;">
<i>[This is the 3rd in a multi-part series titled "On the Forensic Trail". My goal with this series is to introduce my PowerShell Forensics module called PowerForensics, and the forensic artifacts that it parses. <span style="background-color: white;">This post covers the Guid Partition Table (GPT),</span><span style="background-color: white;"> </span></i><i>an alternative hard disk partitioning scheme to the Master Boot Record, and how to use PowerForensics to inspect it.</i><i>]</i></div>
<div class="separator" style="clear: both;">
<i><br /></i></div>
<div class="" style="clear: both;">
<i>For help with downloading/installing PowerForensics please visit the <span style="color: blue;"><a href="http://www.invoke-ir.com/2016/02/installing-powerforensics.html">Installing PowerForensics</a> </span><span style="color: blue;">article</span>.</i></div>
<div class="" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1x-QN9avKRHSNOkMoP0bRKw94evTZkaYeX4NNciNai5oatoneHsxB-ilMHP5AoTLwOy6YkS01aouo5-uD9dAklR9Ep3z9sWQkjPZGOpmp8aWajrJvvDIJhseicp8KYW3UGZ_5DYEAQF8/s1600/1B_GPT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1x-QN9avKRHSNOkMoP0bRKw94evTZkaYeX4NNciNai5oatoneHsxB-ilMHP5AoTLwOy6YkS01aouo5-uD9dAklR9Ep3z9sWQkjPZGOpmp8aWajrJvvDIJhseicp8KYW3UGZ_5DYEAQF8/s640/1B_GPT.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">As United Extensible Firmware Interface (UEFI) begins to replace legacy BIOS firmware interfaces, we will see the rise of the Guid Partition Table (GPT) as a replacement for the Master Boot Record. The UEFI Specification requires that all compliant firmware supports the GPT partitioning scheme, so GPT will begin to become more common as UEFI is implemented by vendors. That being said, the GPT partitioning scheme is not unique to UEFI, as it is also supported by many modern BIOS systems.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">This post explores the Guid Partition Table data structure, and focuses on how PowerForensics can be used with it.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: yellow;"><br /></span></div>
<strong><span style="font-size: x-large;">Advantages of GPT</span></strong><br />
<span style="background-color: white;">The GUID Partition Table provides a number of advantages over the legacy Master Boot Record disk layout. Three of the main advantages of the GPT disk layout are listed below:</span><br />
<span style="background-color: yellow;"><br /></span><span style="background-color: white;">1) Logical Block Addresses (LBAs) are 64 bits (rather than 32 bits) increasing the maximum partition size from 2 TiB to 8 ZiB. </span><br />
<span style="background-color: white;">2) GPT supports many partitions (rather than just four primary partitions). </span><br />
<span style="background-color: white;">3) Provides both a primary and backup partition table for redundancy. Two GPT Header structures are stored on the device: the primary and the backup. The primary GPT Header must be located in LBA 1 (i.e., the second logical block), and the backup GPT Header must be located in the last LBA of the device. </span><br />
<span style="background-color: yellow;"><br /></span><span style="font-size: x-large;"><b style="background-color: white;">GPT Data Structure</b></span><br />
<span style="font-size: large;"><b>Protective MBR</b></span><br />
<span style="background-color: white;">When a disk is formatted with a GPT disk layout, a Protective MBR is located at Logical Block Address (LBA) 0. The Protective MBR is used to provide compatibility with legacy tools that do not understand the GPT format. </span><span style="background-color: white;">The Protective MBR is functionally equivalent to a normal or "Legacy" MBR, but only has one partition. The first/only partition will be of type 0xEE (EFI_GPT_DISK) and reserves the entire disk starting at LBA 1 for the formal Guid Partition Table structure. </span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">It is worth noting that the MBR Boot Code (the first 440 bytes) is not executed by UEFI Firmware. </span><br />
<span style="background-color: yellow;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqJ909IG_Wj4_S9ZA-uIbCeQBcv-90yM_yhBh-PSb1R6tH8rfYufr-QRoGsFH4FVvn9Dfdj3rtkuGSOzot6XuTpdF00tN1uCN_oLSQbKYkKrHXxdf9RRburS_jLHTmkdRbFl4e9fK-Dmg/s1600/ProtectiveMBR.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqJ909IG_Wj4_S9ZA-uIbCeQBcv-90yM_yhBh-PSb1R6tH8rfYufr-QRoGsFH4FVvn9Dfdj3rtkuGSOzot6XuTpdF00tN1uCN_oLSQbKYkKrHXxdf9RRburS_jLHTmkdRbFl4e9fK-Dmg/s640/ProtectiveMBR.PNG" width="363" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
In the example below, the Get-MBR cmdlet is used to display the MBR Partition Table of a GPT formatted disk. The output shows that there is one EFI_GPT_DISK partition that starts at LBA 1 (the sector immediately following the Protective MBR) and ends at LBA 4294967295 (0xFFFFFFFF, which represents the entire disk).</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqQdml9e7Qvaf3yoGQ7TaK9UIUl-ZE0c0yBW5QKmOCpGgX5O4HMpAOwSxb_7A5v8aVXunjDPLohzjghcQsE6s1cnvn9tJDTT7O83YzKEjIOOn1nBkmwY1AOSTyTt9ABKM4JVqjwfb4hMI/s1600/Capture.PNG" imageanchor="1"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqQdml9e7Qvaf3yoGQ7TaK9UIUl-ZE0c0yBW5QKmOCpGgX5O4HMpAOwSxb_7A5v8aVXunjDPLohzjghcQsE6s1cnvn9tJDTT7O83YzKEjIOOn1nBkmwY1AOSTyTt9ABKM4JVqjwfb4hMI/s640/Capture.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<strong><span style="font-size: x-large;">Guid Partition Table</span></strong><br />
The formal Guid Partition Table begins at LBA 1 where the GPT Header is found.<br />
<br />
<span style="font-size: large;"><b>GPT Header</b></span><br />
<span style="background-color: white;">The GPT Header describes the logical layout of the disk as a whole. The location of the GPT Header is given by the MyLBA value, which should always be 1, while the AlternateLBA value points to the backup GPT header, which is always the last sector on the disk. The header contains the DiskGUID, which uniquely identifies the disk, and CRC32 values that firmware uses to detect corruption of the GPT itself. If the GPT is corrupted, the primary GPT is replaced with the backup GPT. The FirstUsableLBA and LastUsableLBA values define the portion of the disk that is not reserved by the GPT and can therefore be used by partitions. Lastly, the header describes the Partition Array itself: the PartitionEntryLBA value points to the start of the array, and its overall size can be derived from the NumberOfPartitionEntries and SizeOfPartitionEntry values.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUWYeVHqZbYd0zDw9UjrwTbghL2xpK4rMc8K801_hkUgAd1fc-7INKfKR75JtUD7doaskjG1GnIBo1KolpHow8r-7Ow0PvGgYwM26Y_BP_GsIKf6cPRZ-IMHzaHo_K9UZBDk8jUOU2Mfg/s1600/GPTHeader.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUWYeVHqZbYd0zDw9UjrwTbghL2xpK4rMc8K801_hkUgAd1fc-7INKfKR75JtUD7doaskjG1GnIBo1KolpHow8r-7Ow0PvGgYwM26Y_BP_GsIKf6cPRZ-IMHzaHo_K9UZBDk8jUOU2Mfg/s640/GPTHeader.PNG" width="640" /></a></div>
<strong><br /></strong>
<strong><span style="font-size: large;">Partition Array</span></strong><br />
<span style="background-color: white;">The GPT Header points to the Partition Array via the PartitionEntryLBA value. The size and number of partitions are defined in the GPT Header (The number of partitions value may not correspond with the number of actual partitions, but rather the space reserved for partition entries). </span><br />
<span style="background-color: yellow;"><br /></span>
<span style="background-color: white;">Each partition entry contains two GUIDs: one identifies the type of partition (<a href="https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs"><span style="color: blue;">see this table to interpret it</span></a>) and the other uniquely identifies the partition. The StartingLBA and EndingLBA values describe the location and size of the partition. Lastly, 64 bits are reserved for attribute flags, and 72 bytes are reserved for a null-terminated name string.</span><br />
<strong><br /></strong>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheylZRHJoNbynYPdz4uEbWmU3QaHtlHZIsqpDXCTOtPnb3Et9z7NpN9HpqQED4azAVg-TttSVnDJUeQRdwekQhisPeEyU4fL3tJucUUwS_czkmKPhaq0VXIU108uzGyAvn5_VL3lrQbCc/s1600/PartitionArray.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheylZRHJoNbynYPdz4uEbWmU3QaHtlHZIsqpDXCTOtPnb3Et9z7NpN9HpqQED4azAVg-TttSVnDJUeQRdwekQhisPeEyU4fL3tJucUUwS_czkmKPhaq0VXIU108uzGyAvn5_VL3lrQbCc/s640/PartitionArray.PNG" width="640" /></a></div>
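To make the header and array layout concrete, here is an added Python example (not PowerForensics code) that parses the primary GPT at LBA 1 of a raw disk image into the same fields the GPT Header and Partition Array sections describe, verifies both CRC32 values the way firmware would, and lists the used partition entries. The disk image, DiskGUID and partition GUID it builds are constructed for the example; only the Microsoft basic data type GUID is a real, well-known value.

```python
"""GPT header and partition array parser with CRC32 verification.

Added example, not PowerForensics code. Field names follow the UEFI
specification; the image built by build_sample_image() is constructed.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# GPT Header (LBA 1): Signature, Revision, HeaderSize, HeaderCRC32, Reserved,
# MyLBA, AlternateLBA, FirstUsableLBA, LastUsableLBA, DiskGUID,
# PartitionEntryLBA, NumberOfPartitionEntries, SizeOfPartitionEntry,
# PartitionEntryArrayCRC32 (all little-endian)
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)      # 92 bytes
# GUID Partition Entry: PartitionTypeGUID, UniquePartitionGUID, StartingLBA,
# EndingLBA, Attributes, PartitionName (72 bytes of UTF-16LE, null terminated)
ENTRY_FMT = "<16s16sQQQ72s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)        # 128 bytes
MS_BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # well-known type GUID


def parse_gpt(image: bytes) -> dict:
    """Parse the primary GPT at LBA 1 of a raw disk image and check both CRC32s."""
    hdr = image[SECTOR:SECTOR + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE or hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1; parse the MBR instead")
    (_sig, revision, header_size, header_crc, _res, my_lba, alt_lba, first_usable,
     last_usable, disk_guid, entry_lba, num_entries, entry_size,
     array_crc) = struct.unpack(HEADER_FMT, hdr)
    if my_lba != 1:
        raise ValueError(f"MyLBA is {my_lba}, expected 1 for the primary header")
    # HeaderCRC32 covers HeaderSize bytes and is computed with the CRC field
    # (offset 16) set to zero.
    zeroed = image[SECTOR:SECTOR + 16] + bytes(4) + image[SECTOR + 20:SECTOR + header_size]
    header_ok = zlib.crc32(zeroed) == header_crc
    # The array CRC covers NumberOfPartitionEntries * SizeOfPartitionEntry bytes.
    array_off = entry_lba * SECTOR
    array = image[array_off:array_off + num_entries * entry_size]
    array_ok = zlib.crc32(array) == array_crc
    partitions = []
    for i in range(num_entries):
        raw = array[i * entry_size:i * entry_size + ENTRY_SIZE]
        type_guid, uniq_guid, start, end, attrs, name = struct.unpack(ENTRY_FMT, raw)
        if type_guid == bytes(16):             # all-zero type GUID marks an unused slot
            continue
        partitions.append({
            "PartitionTypeGUID": uuid.UUID(bytes_le=type_guid),
            "UniquePartitionGUID": uuid.UUID(bytes_le=uniq_guid),
            "StartingLBA": start, "EndingLBA": end, "Attributes": attrs,
            "PartitionName": name.decode("utf-16-le").split("\0", 1)[0],
        })
    return {
        "ProtectiveMBR": image[0x1C2] == 0xEE,    # type 0xEE entry in the MBR at LBA 0
        "Revision": revision, "HeaderSize": header_size, "MyLBA": my_lba,
        "AlternateLBA": alt_lba, "FirstUsableLBA": first_usable,
        "LastUsableLBA": last_usable, "DiskGUID": uuid.UUID(bytes_le=disk_guid),
        "PartitionEntryLBA": entry_lba, "NumberOfPartitionEntries": num_entries,
        "SizeOfPartitionEntry": entry_size, "HeaderCRC32Valid": header_ok,
        "PartitionArrayCRC32Valid": array_ok, "PartitionTable": partitions,
    }


def build_sample_image(tamper: bool = False) -> bytes:
    """Constructed 2048-sector (1 MiB) GPT image: protective MBR at LBA 0, header at
    LBA 1, 128 entry slots at LBA 2-33, one basic data partition at LBA 34-2014.
    tamper=True flips a bit in the array after the CRCs were computed."""
    total = 2048
    disk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
    part_guid = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")   # constructed
    entry = struct.pack(ENTRY_FMT, MS_BASIC_DATA.bytes_le, part_guid.bytes_le,
                        34, total - 34, 0, "Basic data partition".encode("utf-16-le"))
    array = entry + bytes(ENTRY_SIZE * 127)
    fields = [GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0, 1, total - 1, 34,
              total - 34, disk_guid.bytes_le, 2, 128, ENTRY_SIZE, zlib.crc32(array)]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))   # CRC over zeroed field
    image = bytearray(total * SECTOR)
    # Protective MBR: a single 0xEE entry from LBA 1 to the end of the disk, 0x55AA marker
    image[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0, b"\0\2\0", 0xEE, b"\xff\xff\xff", 1, total - 1)
    image[0x1FE:0x200] = b"\x55\xAA"
    image[SECTOR:SECTOR + HEADER_SIZE] = struct.pack(HEADER_FMT, *fields)
    image[2 * SECTOR:2 * SECTOR + len(array)] = array
    if tamper:
        image[2 * SECTOR + 32] ^= 0x01       # StartingLBA of entry 0: 34 -> 35
    return bytes(image)
```

A CRC mismatch on the array with a valid header CRC is exactly the condition under which firmware falls back to the backup GPT, and a useful triage signal when partition entries look edited.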
<br />
<strong><span style="font-size: x-large;">PowerForensics Cmdlets</span></strong><br />
PowerForensics currently has three cmdlets that deal specifically with the GPT (Get-GPT, Get-BootSector, and Get-PartitionTable). This portion of the post will explain the cmdlets and go through a few example use cases.<br />
<br />
<div class="" style="clear: both;">
<span style="font-size: large;"><b>Get-GPT</b></span></div>
<div class="separator" style="clear: both;">
Get-GPT is a cmdlet that parses the GUID Partition Table data structure contained within the first few sectors of the specified device. Get-GPT requires the -Path parameter, which takes the <a href="https://msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx#win32_device_namespaces"><span style="color: blue;">Win32 Device Namespace</span></a> path (ex. \\.\PHYSICALDRIVE1) of the device from which the GPT should be parsed.</div>
<div class="separator" style="clear: both;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHhcDMx8yrUMkDHJvN3r-XxhyphenhyphenG0HbAm9k2LXTdLnzf-7xoc6OaYZK6S8z-EQKKh67s9XQATPYhPWAU3ykA3ANUNX2G0IomoKeX3tB4Jctl0ougIMeAzZJiOI2gJDzUTNz5ZK48KaLU9Fc/s1600/Capture.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHhcDMx8yrUMkDHJvN3r-XxhyphenhyphenG0HbAm9k2LXTdLnzf-7xoc6OaYZK6S8z-EQKKh67s9XQATPYhPWAU3ykA3ANUNX2G0IomoKeX3tB4Jctl0ougIMeAzZJiOI2gJDzUTNz5ZK48KaLU9Fc/s640/Capture.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8000001907349px;"><span style="font-size: 12.8000001907349px;">In this example, Get-GPT is executed against \\.\PHYSICALDRIVE1 and returns a GuidPartitionTable object.</span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifx6thmsDRTDDR3vHjaoPQ1ZlusPx6TrYECun77RHoe6gToKmOreSfSiYm6AsE1HMlrypR3lWhrBF5otrczfYCY5C5xjppeOz6e2_7mtlbcEnm3VwVqexkYCKi91AcV5UgKODeIuODmdw/s1600/Get-GPT_Fail.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifx6thmsDRTDDR3vHjaoPQ1ZlusPx6TrYECun77RHoe6gToKmOreSfSiYm6AsE1HMlrypR3lWhrBF5otrczfYCY5C5xjppeOz6e2_7mtlbcEnm3VwVqexkYCKi91AcV5UgKODeIuODmdw/s640/Get-GPT_Fail.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8000001907349px;"><span style="text-align: left;"><span style="font-size: x-small;">If Get-GPT is run against a disk formatted with a Master Boot Record, it will throw an error prompting you to use Get-MBR instead.</span></span></td></tr>
</tbody></table>
<b>InvokeIR.PowerForensics.GuidPartitionTable Object</b><br />
Get-GPT outputs an InvokeIR.PowerForensics.GuidPartitionTable object. This object contains 11 readonly properties (property descriptions provided by the UEFI Specification):<br />
<br />
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTi9xnQ9GV6J133jvVRFORfpgVfFfKCXwMop4-p2QPnz6tDMlsCYTU16YVwR_61TCYArXubf7h-yqnZlpOETqgndGU1tR2BD6Gx0Z5AYQcVUQmPpYlI63yeOhKdBQndAAO2KR6qCXbNEk/s1600/GPTObject.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTi9xnQ9GV6J133jvVRFORfpgVfFfKCXwMop4-p2QPnz6tDMlsCYTU16YVwR_61TCYArXubf7h-yqnZlpOETqgndGU1tR2BD6Gx0Z5AYQcVUQmPpYlI63yeOhKdBQndAAO2KR6qCXbNEk/s640/GPTObject.PNG" width="640" /></a></div>
<div class="separator" style="clear: both;">
<span style="background-color: yellow;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">1) Revision - The revision number for this header.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">2) HeaderSize - Size in bytes of the GPT Header. Must be greater than or equal to 92 and must be less than or equal to the logical block size.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">3) MyLBA - The LBA that contains this data structure.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">4) AlternateLBA - LBA address of the alternate (backup) GPT Header. </span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">5) FirstUsableLBA - The first usable logical block that may be used by a partition described by a GUID Partition Entry.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">6) LastUsableLBA - The last usable logical block that may be used by a partition described by a GUID Partition Entry.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">7) DiskGUID - GUID that can be used to uniquely identify the disk.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">8) PartitionEntryLBA - The starting LBA of the GUID Partition Array.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">9) NumberOfPartitionEntries - The number of Partition Entries in the GUID Partition Array.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">10) SizeOfPartitionEntry - The size, in bytes, of each of the GUID Partition Entry structures in the GUID Partition Array.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">11) PartitionTable - An array of InvokeIR.PowerForensics.GuidPartitionEntry objects.</span></div>
<div>
<br /></div>
<div class="" style="clear: both;">
<span style="font-size: large;"><b>Get-BootSector</b></span><br />
<span style="background-color: white;">The Get-BootSector cmdlet provides an alternative to the Get-MBR and Get-GPT cmdlets. Get-BootSector reviews the hard drive's first sector and determines if the disk is formatted using the Master Boot Record or Guid Partition Table partitioning scheme. Once the partitioning scheme is determined, Get-BootSector acts just as Get-MBR or Get-GPT would respectively.</span><br />
<span style="background-color: white;"><br />NOTE: Since making Get-BootSector, I rarely use the Get-MBR or Get-GPT cmdlets, but have kept them in the module in case anyone finds a reason for them.</span><br />
<span style="background-color: yellow;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_C_ntOOWBeoY6wLkH593kcHPicDEl9ow2twekeIsy6FpgpLxhlRfCNbw3aDhRGUlTF4HfBJ0tS29RPMxbe6EXBtA4vppDu1dEDdk7BytKp055Jy6hxRWnS66l2DZvQRp8XEVfAAdU3Q/s1600/Capture1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_C_ntOOWBeoY6wLkH593kcHPicDEl9ow2twekeIsy6FpgpLxhlRfCNbw3aDhRGUlTF4HfBJ0tS29RPMxbe6EXBtA4vppDu1dEDdk7BytKp055Jy6hxRWnS66l2DZvQRp8XEVfAAdU3Q/s640/Capture1.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8000001907349px;"><span style="font-size: x-small;">Here Get-BootSector is run against a disk formatted using the GPT partitioning scheme. The cmdlet returns an InvokeIR.PowerForensics.GuidPartitionTable object.</span></td></tr>
</tbody></table>
<div class="" style="clear: both;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2SmaYTgufQj9Yr5_OhY7TwY0jp3cxEpj3ugaKkKR4PQvs7DMPiGOgzDBc9_Zz4clrVGU0nTHvZgFCZOgmaJR-34jURW6t-Od0t5W3WQYCuZ5sI3iKqpgEbzozQBg-NqNEiqmiswqRvEM/s1600/Get-BootSector_MBR.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2SmaYTgufQj9Yr5_OhY7TwY0jp3cxEpj3ugaKkKR4PQvs7DMPiGOgzDBc9_Zz4clrVGU0nTHvZgFCZOgmaJR-34jURW6t-Od0t5W3WQYCuZ5sI3iKqpgEbzozQBg-NqNEiqmiswqRvEM/s640/Get-BootSector_MBR.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8000001907349px;"><span style="font-size: x-small;">When Get-BootSector targets an MBR formatted disk it returns an InvokeIR.PowerForensics.MasterBootRecord object.</span></td></tr>
</tbody></table>
</div>
<div class="" style="clear: both;">
<b style="font-size: x-large;">Get-PartitionTable</b></div>
<div class="" style="clear: both;">
<div class="separator" style="clear: both;">
Like Get-BootSector, Get-PartitionTable determines the type of boot sector (Master Boot Record or Guid Partition Table) and returns the matching partition object (InvokeIR.PowerForensics.PartitionEntry or InvokeIR.PowerForensics.GuidPartitionTableEntry). </div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGAgzQBPVdAwOAfD4HLUrpzhGIzKMfua9r6o_7O0vv9pBm1I5OJAGP5Wen4pRZDtRZP_QMm-GR1-aPeF6yxtUMYCTeQ0_8-WbzxNHZvANk5MyT4-ZVmB9EFAGDZeS2p1y1IHo1faQrP-M/s1600/Get-PartitionTable_MBR.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGAgzQBPVdAwOAfD4HLUrpzhGIzKMfua9r6o_7O0vv9pBm1I5OJAGP5Wen4pRZDtRZP_QMm-GR1-aPeF6yxtUMYCTeQ0_8-WbzxNHZvANk5MyT4-ZVmB9EFAGDZeS2p1y1IHo1faQrP-M/s640/Get-PartitionTable_MBR.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8000001907349px;"><span style="font-size: x-small;">As a reminder, this is an example of Get-PartitionTable being run against an MBR formatted disk and returning a PartitionEntry object.</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both;">
<span style="text-align: center;">In this example, Get-PartitionTable is run against a GPT formatted hard disk (\\.\PHYSICALDISK1). The cmdlet returns an array of GuidPartitionTableEntry objects.</span></div>
<div class="separator" style="clear: both;">
<span style="text-align: center;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHoE544ShwN0dzoHS6i-Y92pdfLGTMaK0CawK4FZC6OLfPl4iWOlm3ieKonzGAdRf9x6mfwSScmLBSW6y2qDp9nssHPv-V_A-CFUQC4QrKmLKK4QuDMFKSDlnS4tIez3Y5mKVEHhfj3qs/s1600/Get-PartitionTable_GPT.PNG" imageanchor="1"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHoE544ShwN0dzoHS6i-Y92pdfLGTMaK0CawK4FZC6OLfPl4iWOlm3ieKonzGAdRf9x6mfwSScmLBSW6y2qDp9nssHPv-V_A-CFUQC4QrKmLKK4QuDMFKSDlnS4tIez3Y5mKVEHhfj3qs/s640/Get-PartitionTable_GPT.PNG" width="640" /></a></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<b>InvokeIR.PowerForensics.GuidPartitionTableEntry Object</b></div>
<div class="separator" style="clear: both;">
When Get-PartitionTable is run against a GPT formatted disk, the cmdlet outputs an InvokeIR.PowerForensics.GuidPartitionTableEntry object. The GuidPartitionTableEntry object is made up of 6 readonly properties (property descriptions provided by the UEFI Specification):</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnH5NdOoeLqs8FruUWjIVDSExKlavCGBpyzj0QIyZ3hPsq8iIT2zsDv08lOYuMU_iotDMv_ClzeLTJhw8sAndBE4LsNhVGlS4W-ZfG3pOlyfpvDt4Gu3LwUd1Pqy45DBAwqKMt_OWqVmc/s1600/GPTPartitionObject.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnH5NdOoeLqs8FruUWjIVDSExKlavCGBpyzj0QIyZ3hPsq8iIT2zsDv08lOYuMU_iotDMv_ClzeLTJhw8sAndBE4LsNhVGlS4W-ZfG3pOlyfpvDt4Gu3LwUd1Pqy45DBAwqKMt_OWqVmc/s640/GPTPartitionObject.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">1) PartitionTypeGUID - Unique ID that defines the purpose and type of this Partition. A value of zero defines that this partition entry is not being used.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">2) UniquePartitionGUID - GUID that is unique for every partition entry.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">3) StartingLBA - Starting LBA of the partition defined by this entry.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">4) EndingLBA - Ending LBA of the partition defined by this entry.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">5) Attributes - Flag value representing the partition's attributes.</span></div>
<div class="separator" style="clear: both;">
<span style="background-color: white;">6) PartitionName - Null-terminated string containing a human-readable name of the partition. </span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: x-large;"><strong>References</strong></span></div>
<div class="separator" style="clear: both;">
<span style="color: blue; font-size: small;"><a href="http://www.uefi.org/sites/default/files/resources/2_4_Errata_B.pdf">UEFI Specification</a></span></div>
<strong><span style="font-size: x-large;">On the Forensic Trail - Master Boot Record (MBR)</span></strong><br />
<i>Published 2015-05-01, updated 2016-02-18.</i><br />
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<i>[This is the 2nd in a multi-part series titled "On the Forensic Trail". My goal with this series is to introduce my PowerShell Forensics module called PowerForensics, and the forensic artifacts that it parses. This post covers the Master Boot Record, a disk structure that describes the logical layout of the disk in the form of partitions, and how to use PowerForensics to inspect it.]</i></div>
<div class="separator" style="clear: both;">
<i><br />
</i></div>
<div class="separator" style="clear: both;">
<i>For help with downloading/installing PowerForensics please visit the <span style="color: blue;"><a href="http://www.invoke-ir.com/2016/02/installing-powerforensics.html">Installing PowerForensics</a> </span>article.</i></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxc4_m2uV8EjNK9H48tQ33-Z1ZZU8B0gOpFe1EgWOhyphenhyphen-7SQoWBBFttp5z6MnYIR73bzZcjhyOrYpvBK1_XF1sw5kbbIhgbu4qB2m-FJfw_CnHfp-LvsXOSgae-j6dgxdHV32bcOQoYMos/s1600/MBR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="487" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxc4_m2uV8EjNK9H48tQ33-Z1ZZU8B0gOpFe1EgWOhyphenhyphen-7SQoWBBFttp5z6MnYIR73bzZcjhyOrYpvBK1_XF1sw5kbbIhgbu4qB2m-FJfw_CnHfp-LvsXOSgae-j6dgxdHV32bcOQoYMos/s1600/MBR.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Master Boot Record is the name given to the first sector (typically 512 bytes) of a physical disk. Technet states that the MBR is "the most important data structure on the disk". The MBR itself contains boot code, a disk signature, the partition table, and an end of sector marker which is always 0x55AA.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For a detailed breakdown of the MBR please see the poster above.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-large;"><b>Windows Boot Order</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
Before diving into the MBR's boot code, it is important to review the boot order for Windows Operating Systems.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1. The BIOS and CPU initiate the Power-on self-test (POST)</div>
<div class="separator" style="clear: both; text-align: left;">
2. The BIOS searches for a boot device (HDD, Floppy, CD, etc.)</div>
<div class="separator" style="clear: both; text-align: left;">
3. The BIOS reads the first sector of the device (Master Boot Record) into memory, and transfers CPU execution to that memory address.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now that we have covered the boot process, let's look at what happens once the CPU transfers execution to the MBR.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-size: x-large;">Boot Code</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
The goal of the Master Boot Record's boot code is to find the bootable partition and transfer execution to it. To find the bootable partition the following checks must occur:</div>
<div>
<br />
1. Search for an active partition (one whose partition status byte is 0x80, "Bootable").<br />
2. Check that no other partition is marked as bootable.<br />
3. If the partition is the only bootable partition, the boot code reads the partition's Volume Boot Record (the first sector, 512 bytes, of the partition) into memory and transfers CPU execution to that memory address.<br />
4. The VBR is checked for the proper end signature (0xAA55).<br />
<br />
<b><span style="font-size: large;">Errors</span></b><br />
If any of steps 2 - 4 fails, execution is halted and an error message is displayed. Below are the error messages for each step.<br />
<br />
Step 2: If another partition is marked as bootable, the message "Invalid partition table" is displayed.<br />
Step 3: If there is a problem loading the VBR, the message "Error loading operating system" is displayed.<br />
Step 4: If the end signature is not present, the message "Missing operating system" is displayed.</div>
<div>
<div>
<br /></div>
<div>
Now that we have covered how the boot code interacts with the partition table, let's talk about the structure of the partition table and its entries.<br />
<br /></div>
</div>
<div style="clear: both; text-align: left;">
<b><span style="font-size: x-large;">Partition Table</span></b></div>
<div style="text-align: left;">
The partition table is a 64 byte structure made up of four 16 (0x10) byte partition entries. The fixed size of the partition table limits the OS to 4 partitions, but modern operating systems support many more partitions through a concept called extended partitions.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Below I will cover the important values contained within a partition entry.<br />
<br /></div>
<b><span style="font-size: large;">Partition Status</span></b><br />
<div>
The 1st byte in every partition entry represents the Partition Status (whether the partition is bootable or not). The Partition Status field has two acceptable values: 0x00 (Non-Bootable) and 0x80 (Bootable).</div>
<div>
<br /></div>
<div>
It is important to note that only one partition can be marked as bootable per disk. If this condition is not met, the "Invalid partition table" error will be thrown by the boot code.<br />
<br />
<b><span style="background-color: white; font-size: large;"> Partition Types</span></b><br />
<br />
The 5th byte of each partition entry represents the type of file system the partition is using. A list of partition type ids can be found <a href="http://www.win.tue.nl/~aeb/partitions/partition_types-1.html"><span style="color: blue;">here</span></a>. This value helps the operating system determine which file system device driver to load on startup.<br />
<br />
It is worth noting that NTFS partitions will have an id of 0x07.<br />
<br />
<b><span style="background-color: white; font-size: large;"> Cylinder Head Sector (CHS) Addressing</span></b><br />
The operating system uses Cylinder Head Sector (CHS) Addressing to determine the location of the volume. Bytes 2 - 4 and 6 - 8 represent the volume start address and end address respectively. The three bytes representing the CHS address are broken up such that the cylinder value is 10 bits, the head value is 8 bits, and the sector value is 6 bits. Since disks are formatted with 512 byte sectors this addressing scheme only allows for a maximum addressable size of 7.8 GB. As hard drive sizes increased, Logical Block Addressing (LBA) was introduced allowing much larger address ranges.<br />
<br />
<b><span style="background-color: white; font-size: large;"> Partition Location</span></b><br />
<div>
Most modern disks use the "Relative Starting Sector" and "Total Sectors" values to determine the location of volumes. Each of these values is 4 bytes in size, which allows for a maximum addressable size of right around 2 TB.<br />
<br />
This limit is only exceeded by the introduction of the Guid Partition Table (GPT), which I will write about at a future date.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b><span style="background-color: white; font-size: x-large;"> Bootkits</span></b></div>
<div style="text-align: left;">
<br />
MBR boot code executes before the operating system is loaded, and thus executes in Ring 0 without the normal operating system protections. This makes the MBR a viable location for malicious code in the form of bootkits. I have begun research to identify a hash value for the MBR code section for a number of Windows operating systems and the popular Unix boot loaders LILO and GRUB. These hash values/signatures should help identify when the code section of the MBR has been tampered with, which could lead to bootkit detection.<br />
<br />
NOTE: I admit this is not a full featured solution, as a bootkit could easily detect disk IO and return false data, but at this time only a few publicly released bootkits have been found to do this. </div>
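The following added Python example (not PowerForensics code; its MBRCodeArea hashing and signature list are not reproduced here) ties the Boot Code, Partition Table and Bootkits sections together: it parses a 512-byte MBR into the same fields the MasterBootRecord and PartitionEntry objects expose, applies the four boot-code checks with the error messages listed above, and hashes the code area against a known-good list the way the bootkit research proposes. The disk image, boot code, disk signature and the single known-hash entry are all constructed for the example; a real list would hold hashes of genuine Windows, LILO and GRUB boot code.

```python
"""MBR parser, boot-code checks and boot-code hashing (added example, not PowerForensics code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_SIZE = 0x1B8             # bytes 0x000-0x1B7: code area that gets hashed
DISK_SIGNATURE_OFF = 0x1B8         # 4-byte disk signature
PARTITION_TABLE_OFF = 0x1BE        # 4 entries x 16 bytes
END_OF_SECTOR_MARKER = b"\x55\xAA" # 0xAA55 read as a little-endian word
# Entry: status, CHS start (3 bytes), type, CHS end (3 bytes), relative start sector, total sectors
ENTRY_FMT = "<B3sB3sII"
PARTITION_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "EFI_GPT_DISK"}
# Constructed boot code and hash stand in for a list of known Windows/LILO/GRUB boot-code
# hashes; anything not in the list is reported as UNKNOWN, a possible tamper indicator.
SAMPLE_BOOT_CODE = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_SIZE - 2)
KNOWN_BOOT_CODE = {hashlib.sha256(SAMPLE_BOOT_CODE).hexdigest(): "Sample boot code (constructed)"}


def decode_chs(raw: bytes) -> tuple:
    """Unpack a 3-byte CHS address: 8-bit head, 6-bit sector, 10-bit cylinder."""
    head, sc, cyl_lo = raw
    return ((sc & 0xC0) << 2) | cyl_lo, head, sc & 0x3F


def parse_mbr(sector0: bytes) -> dict:
    """Return the fields PowerForensics exposes on MasterBootRecord / PartitionEntry."""
    if len(sector0) < SECTOR or sector0[0x1FE:0x200] != END_OF_SECTOR_MARKER:
        raise ValueError("missing 0x55AA end-of-sector marker: not a valid MBR")
    boot_code = sector0[:BOOT_CODE_SIZE]
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, chs_start, ptype, chs_end, start, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        entries.append({
            "Status": status, "Bootable": status == 0x80, "TypeID": ptype,
            "SystemID": PARTITION_TYPES.get(ptype, f"Unknown (0x{ptype:02X})"),
            "CHSStart": decode_chs(chs_start), "CHSEnd": decode_chs(chs_end),
            "StartSector": start, "EndSector": start + count - 1 if count else 0,
        })
    return {
        "DiskSignature": struct.unpack_from("<I", sector0, DISK_SIGNATURE_OFF)[0],
        "BootCode": boot_code,
        "MBRSignature": KNOWN_BOOT_CODE.get(hashlib.sha256(boot_code).hexdigest(), "UNKNOWN"),
        "PartitionTable": entries,
    }


def select_boot_partition(image: bytes):
    """Apply the boot code's checks; return (entry, None) or (None, error message)."""
    mbr = parse_mbr(image[:SECTOR])
    statuses = [e["Status"] for e in mbr["PartitionTable"]]
    # Step 2: any second bootable entry (or an illegal status byte) is an invalid table
    if any(s not in (0x00, 0x80) for s in statuses) or statuses.count(0x80) > 1:
        return None, "Invalid partition table"
    if statuses.count(0x80) == 0:
        return None, "No active partition"      # constructed message; the post names none here
    entry = next(e for e in mbr["PartitionTable"] if e["Bootable"])
    # Step 3: load the VBR, the first sector of the active partition
    vbr = image[entry["StartSector"] * SECTOR:(entry["StartSector"] + 1) * SECTOR]
    if len(vbr) < SECTOR:
        return None, "Error loading operating system"
    # Step 4: the VBR must carry the end signature
    if vbr[0x1FE:0x200] != END_OF_SECTOR_MARKER:
        return None, "Missing operating system"
    return entry, None


def build_sample_image(second_active=False, patch_boot_code=False, no_vbr=False) -> bytes:
    """Constructed 64-sector disk: active NTFS partition at sector 8, FAT32 at sector 48."""
    image = bytearray(64 * SECTOR)
    image[:BOOT_CODE_SIZE] = SAMPLE_BOOT_CODE
    if patch_boot_code:
        image[0x10] = 0xCC                       # one-byte change inside the code area
    struct.pack_into("<I", image, DISK_SIGNATURE_OFF, 0xDEADBEEF)   # constructed signature

    def entry(status, ptype, start, count):
        return struct.pack(ENTRY_FMT, status, b"\x00\x02\x00", ptype, b"\xFE\xFF\xFF", start, count)

    image[PARTITION_TABLE_OFF:PARTITION_TABLE_OFF + 16] = entry(0x80, 0x07, 8, 40)
    image[PARTITION_TABLE_OFF + 16:PARTITION_TABLE_OFF + 32] = entry(
        0x80 if second_active else 0x00, 0x0C, 48, 16)
    image[0x1FE:0x200] = END_OF_SECTOR_MARKER
    if not no_vbr:
        image[8 * SECTOR + 0x1FE:8 * SECTOR + 0x200] = END_OF_SECTOR_MARKER   # VBR marker
    return bytes(image)
```
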
<div style="text-align: left;">
<br />
<b><span style="font-size: x-large;"> PowerForensics Cmdlets</span></b><br />
<div>
PowerForensics currently has two cmdlets that deal specifically with the MBR. This portion of the post will explain the cmdlets and go through a few example use cases.<br />
<br /></div>
<span style="font-size: large;"><b style="background-color: white;"> Get-MBR</b></span><br />
<div>
Get-MBR is a cmdlet that parses the Master Boot Record data structure contained within the first sector of the device specified. Get-MBR requires the use of the -Path parameter which takes the <a href="https://msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx#win32_device_namespaces"><span style="color: blue;">Win32 Device Namespace</span></a> (ex. \\.\PHYSICALDRIVE0) for the device from which the MBR should be parsed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-0ZM9aCnkNKgix5-53ZRNWR1LW1sM58Ofr88ejp7PuG13HWKUUc5Co-FW47xwT5w-MycZEALDXGU8Zm-DEmu1r8qs4tExhtUZ-jqVN2RFmU4FyW3OM8OkE9lGby3le-380XGs-9jc4mo/s1600/GetMBR.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-0ZM9aCnkNKgix5-53ZRNWR1LW1sM58Ofr88ejp7PuG13HWKUUc5Co-FW47xwT5w-MycZEALDXGU8Zm-DEmu1r8qs4tExhtUZ-jqVN2RFmU4FyW3OM8OkE9lGby3le-380XGs-9jc4mo/s1600/GetMBR.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b>InvokeIR.PowerForensics.MasterBootRecord Object</b><br />
The output of Get-MBR is a InvokeIR.PowerForensics.MasterBootRecord object. The MasterBootRecord object has four readonly properties:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9WU1CxiljsanCXYvuCA7SMYQyX-qllWVUHyXKAwuN5oYDVKtNduCVZh7oN8QGnSJhEyKbbwTuLZ-ahCU8vaCcUfQsOORuFKgCH8eAZAKVHFbGhyr69AvSzhbt3VPL-YKWI6cY8ShIDMs/s1600/MasterBootRecord.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9WU1CxiljsanCXYvuCA7SMYQyX-qllWVUHyXKAwuN5oYDVKtNduCVZh7oN8QGnSJhEyKbbwTuLZ-ahCU8vaCcUfQsOORuFKgCH8eAZAKVHFbGhyr69AvSzhbt3VPL-YKWI6cY8ShIDMs/s1600/MasterBootRecord.PNG" width="400" /></a></div>
<br />
1) DiskSignature - the 4 byte hex value that identifies the disk to the operating system<br />
2) BootCode - a byte array of the MBR boot code<br />
3) MBRSignature - a string representing the signature associated with the BootCode byte array (the MBRCodeArea is hashed and compared to a list of known MBR code signatures, benign and malicious; the string identifies which, if any, signature the BootCode matches)<br />
4) PartitionTable - an array of InvokeIR.PowerForensics.PartitionEntry objects<br />
<br />
Below is an example of Get-MBR being run against \\.\PHYSICALDRIVE0 and being asked to return all properties (by default Get-MBR only returns MBRSignature and DiskSignature to console).<br />
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeKHlhvBVVL-z4v6b5Mc8hufxjmcWVRhq7Pk7d96S5y7QvdcoEqJR0e64bavqNDZfibbhHnALwGDNb1HNRp_QE5cglhmU6DX9j2-d-CL_QGF0kKIx1kS5_Nd41wX13hHHYqt9XVKwrdk/s1600/unnamed+(2).png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeKHlhvBVVL-z4v6b5Mc8hufxjmcWVRhq7Pk7d96S5y7QvdcoEqJR0e64bavqNDZfibbhHnALwGDNb1HNRp_QE5cglhmU6DX9j2-d-CL_QGF0kKIx1kS5_Nd41wX13hHHYqt9XVKwrdk/s1600/unnamed+(2).png" width="640" /></a><br />
<b style="background-color: white;">InvokeIR.PowerForensics.PartitionEntry Object</b><br />
The InvokeIR.PowerForensics.PartitionEntry object represents an entry in the MBR partition table. Each PartitionEntry object has four readonly properties:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg98v5aaC0ewcZs1L98DZwNtRX8YEaljTIkVRq3rtF_7D8kxYmKWvlkRpgSGuATPMu-NlDh3HoQtYj6CIHwlpg1CuTf62IkJaXRHT-mViWJhAwOy5sJMTwoRKj5Gp4wG467VwzY3R_x_Uo/s1600/partitionentry.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg98v5aaC0ewcZs1L98DZwNtRX8YEaljTIkVRq3rtF_7D8kxYmKWvlkRpgSGuATPMu-NlDh3HoQtYj6CIHwlpg1CuTf62IkJaXRHT-mViWJhAwOy5sJMTwoRKj5Gp4wG467VwzY3R_x_Uo/s1600/partitionentry.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="text-align: left;">
<br /></div>
1) Bootable - a bool indicating whether the partition is bootable<br />
2) StartSector - the offset from the beginning of the disk to the beginning of the volume counting by sectors<br />
3) EndSector - the offset from the beginning of the disk to the end of the volume counting by sectors<br />
4) SystemID - a string defining the volume type (NTFS, FAT, etc.)<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
Here I am using the Select-Object cmdlet to expand the PartitionTable property of the MasterBootRecord object.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1IU2RO4DKPUx9on1wuD5ms6sjaLUdrxo8LQh36HYehvz2NjBcUWubyJuyY3qJa2ApFxNuhOhpg-M7GF1OpAzZYQJsoO3R2VRmdAWPXaeAVgFBAjaE4nVOP00tZe08H9RT4CzDxhE61C4/s1600/unnamed+(1).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1IU2RO4DKPUx9on1wuD5ms6sjaLUdrxo8LQh36HYehvz2NjBcUWubyJuyY3qJa2ApFxNuhOhpg-M7GF1OpAzZYQJsoO3R2VRmdAWPXaeAVgFBAjaE4nVOP00tZe08H9RT4CzDxhE61C4/s1600/unnamed+(1).png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="clear: both; text-align: left;">
<b><span style="font-size: large;">Introducing the -AsBytes Switch Parameter</span></b></div>
<div style="clear: both; text-align: left;">
While developing PowerForensics I wanted to make each cmdlet as flexible as possible. I realized that returning the raw bytes for a data structure may be just as appealing as returning an object representing the data structure. With this in mind, I have added a switch parameter to each cmdlet that parses a data structure called -AsBytes. When the -AsBytes parameter is used, the cmdlet returns the raw bytes representing the structure instead of the expected object.</div>
<div style="clear: both; text-align: left;">
<br /></div>
<div style="clear: both; text-align: left;">
Below is an example of Get-MBR being used with the -AsBytes switch parameter. In this example, I passed the output to Lee Holmes' Format-Hex cmdlet.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio2zT6dIsJuFHvA_biw5kM3MAtSx3ZyyFmgUp1GmYApPans6aLGM9d-kAzTgAIbi0oragc72degUYuHvm0RIR9kYSSDauG3j6pPFEeljgYJoC3dgG6RSpbcU0hkIKeG9_Tj0OPkNxWpbU/s1600/GetMBRAsBytes.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio2zT6dIsJuFHvA_biw5kM3MAtSx3ZyyFmgUp1GmYApPans6aLGM9d-kAzTgAIbi0oragc72degUYuHvm0RIR9kYSSDauG3j6pPFEeljgYJoC3dgG6RSpbcU0hkIKeG9_Tj0OPkNxWpbU/s1600/GetMBRAsBytes.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="clear: both; text-align: left;">
This example uses the -AsBytes switch parameter to save the MBR data structure's raw bytes to a file.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-umNFCceC3eqkN7MN2olrEMiqeO4yExZcRgCBkgbVlUWjK1k5dNygnxdNvaUx4xfbNfMeOOLYTBPjlMrcbfE2iCVyZgaHIYF_uvmKpzPdI5E8vke_YccRVZ_uJnbiNwEZpdrg_CO0Xxo/s1600/MBR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="449" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-umNFCceC3eqkN7MN2olrEMiqeO4yExZcRgCBkgbVlUWjK1k5dNygnxdNvaUx4xfbNfMeOOLYTBPjlMrcbfE2iCVyZgaHIYF_uvmKpzPdI5E8vke_YccRVZ_uJnbiNwEZpdrg_CO0Xxo/s1600/MBR.png" width="640" /></a></div>
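The following is an added example, not PowerForensics code: it parses a raw 512-byte MBR (the shape of data that Get-MBR -AsBytes returns) into the fields described above, DiskSignature, a hash of the boot code, and a PartitionTable whose entries carry Bootable, StartSector, EndSector and SystemID, and it builds a constructed sample MBR to run against. The SystemID table is an assumed subset of partition type IDs, not PowerForensics' own list.<br />

```powershell
# Added example; it is not PowerForensics code. Parses a raw 512-byte MBR into the same
# fields the post describes: DiskSignature, a boot code hash, and a PartitionTable of
# entries with Bootable, StartSector, EndSector and SystemID.
function ConvertFrom-MbrBytes {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    if ($Bytes.Length -lt 512) { throw "An MBR is 512 bytes; got $($Bytes.Length)." }
    # The boot signature 0x55AA occupies the last two bytes of the sector.
    if ($Bytes[510] -ne 0x55 -or $Bytes[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature.' }

    # Partition type IDs this example knows (assumed subset; PowerForensics keeps its own table).
    $systemIds = @{
        0x05 = 'Extended'; 0x07 = 'NTFS'; 0x0B = 'FAT32'; 0x0C = 'FAT32 (LBA)'
        0x0F = 'Extended (LBA)'; 0x83 = 'Linux'; 0xEE = 'GPT protective'
    }

    # Layout: boot code 0-439, disk signature 440-443 (little-endian), partition table 446-509.
    $bootCode      = [byte[]]($Bytes[0..439])
    $diskSignature = [BitConverter]::ToUInt32($Bytes, 440)
    $sha256        = [System.Security.Cryptography.SHA256]::Create()
    $bootCodeHash  = [BitConverter]::ToString($sha256.ComputeHash($bootCode)).Replace('-', '')
    $sha256.Dispose()

    $entries = @(for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + ($i * 16)        # 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
        $status   = $Bytes[$o]      # 0x80 = bootable/active, 0x00 = inactive
        $typeId   = [int]$Bytes[$o + 4]
        $lbaStart = [BitConverter]::ToUInt32($Bytes, $o + 8)
        $count    = [BitConverter]::ToUInt32($Bytes, $o + 12)

        if ($typeId -eq 0) { continue }   # empty slot; Get-PartitionTable skips these as well
        if ($status -ne 0x80 -and $status -ne 0x00) {
            Write-Warning "Entry $i has invalid status byte 0x$('{0:X2}' -f $status); treating it as not bootable."
        }
        $name = if ($systemIds.ContainsKey($typeId)) { $systemIds[$typeId] } else { 'Unknown (0x{0:X2})' -f $typeId }

        [PSCustomObject]@{
            Bootable    = ($status -eq 0x80)
            StartSector = $lbaStart
            EndSector   = $lbaStart + $count - 1   # inclusive last sector of the volume
            SystemID    = $name
        }
    })

    [PSCustomObject]@{
        DiskSignature  = '{0:X8}' -f $diskSignature
        BootCodeSHA256 = $bootCodeHash   # compare against a list of known benign/malicious boot code hashes
        PartitionTable = $entries
    }
}

# Constructed sample MBR (not captured from a real disk): a bootable NTFS partition of
# 204800 sectors at LBA 2048, a second NTFS partition after it, and two empty slots.
function New-SampleMbr {
    $buf = New-Object byte[] 512
    [BitConverter]::GetBytes([uint32]0x12345678).CopyTo($buf, 440)
    $partitions = @(
        @{ Status = 0x80; Type = 0x07; Start = 2048;   Count = 204800 },
        @{ Status = 0x00; Type = 0x07; Start = 206848; Count = 1048576 }
    )
    for ($i = 0; $i -lt $partitions.Count; $i++) {
        $o = 446 + ($i * 16)
        $buf[$o]     = [byte]$partitions[$i].Status
        $buf[$o + 4] = [byte]$partitions[$i].Type
        [BitConverter]::GetBytes([uint32]$partitions[$i].Start).CopyTo($buf, $o + 8)
        [BitConverter]::GetBytes([uint32]$partitions[$i].Count).CopyTo($buf, $o + 12)
    }
    $buf[510] = 0x55; $buf[511] = 0xAA
    return ,$buf
}

$mbr = ConvertFrom-MbrBytes -Bytes (New-SampleMbr)
$mbr | Select-Object DiskSignature, BootCodeSHA256
$mbr.PartitionTable | Format-Table -AutoSize
```

On a live system the same function can be fed the real sector with `ConvertFrom-MbrBytes -Bytes (Get-MBR -AsBytes)` from an elevated session.<br />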
<div style="text-align: center;">
<br /></div>
<b><span style="font-size: large;"> Get-PartitionTable</span></b><br />
The Get-PartitionTable cmdlet is functionally the same as Get-MBR, but instead of returning an MBR object it returns an array of non-empty PartitionEntry objects.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqCFv7dyZe7NNNzG7Lx0KGIlqS0AE5Tpr3VISuTR31kjA2UzYfc_q6mz372Tgz2sPDxGHvhOATUX150PSsBXwOe8nuoD8SYJYy3Udcs4t5cKsxUEdC0cOBfCdxL9s1WP5cvzxEMsouxc/s1600/GetPartitionTable.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqCFv7dyZe7NNNzG7Lx0KGIlqS0AE5Tpr3VISuTR31kjA2UzYfc_q6mz372Tgz2sPDxGHvhOATUX150PSsBXwOe8nuoD8SYJYy3Udcs4t5cKsxUEdC0cOBfCdxL9s1WP5cvzxEMsouxc/s1600/GetPartitionTable.PNG" width="400" /></a></div>
<br />
<b><span style="font-size: x-large;"> Future Work</span></b><br />
<div>
Currently PowerForensics does not have support for extended partitions or the UEFI Guid Partition Table (GPT). I plan on adding support for these structures in the very near future.<br />
<br />
My next post will break down the GUID Partition Table (GPT), which is a newer alternative to the Master Boot Record.<br />
<br /></div>
</div>
<div style="text-align: left;">
<span style="font-size: x-large;"><b> References</b></span></div>
<div style="text-align: left;">
<a href="https://technet.microsoft.com/en-us/library/cc977219.aspx"><span style="color: blue;">Technet - Disk Concepts and Troubleshooting (Master Boot Record)</span></a><br />
<a href="http://www.bandwidthco.com/whitepapers/datarecovery/vanalysis/partition/mbr/Master%20Boot%20Record%20and%20Partition%20Table.pdf"><span style="color: blue;">Mark E. Donaldson - Master Boot Record and Partition Table</span></a></div>
<div style="text-align: left;">
<a href="http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion"><span style="color: blue;">Symantec - Master Boot Record Bootkit Infographic</span></a><br />
<a href="http://www.uefi.org/sites/default/files/resources/2_4_Errata_B.pdf"><span style="color: blue;">UEFI Specification - Guid Partition Table structure</span></a></div>
<br /></div>
<b><span style="font-size: x-large;">On the Forensic Trail - Preparing for our Journey</span></b> (published 2015-04-24, updated 2016-02-18)<br />
<div style="line-height: normal; margin: 0in 0in 0pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">About a month ago, I </span><a href="http://www.invoke-ir.com/2015/03/parse-mft-in-powershell.html" style="font-family: 'times new roman', serif; font-size: 12pt;"><span style="color: blue;">posted</span></a><span style="font-family: 'times new roman', serif; font-size: 12pt;"> about a PowerShell module I wrote called PowerForensics. At the time, the module was nothing more than a proof of concept, but I wanted to show the DFIR community that PowerShell is a viable option for scalable deep dive disk analysis.</span></div>
<br />
<div style="line-height: normal; margin: 0in 0in 0pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">Over the past month I have updated PowerForensics from a single DLL to a proper PowerShell module. The module now includes a module manifest; default object, formats, and types; and XML-based help for each cmdlet.</span></div>
<br />
<div style="line-height: normal; margin: 0in 0in 0pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">Developing PowerForensics has led to research and understanding of file system structures (mainly NTFS at this point) and file formats for forensic artifacts. I believe this research has made me a better analyst/hunter, and hope that the DFIR community can benefit from this data being centralized.</span></div>
<br />
<div style="line-height: normal; margin: 0in 0in 0pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">This is the first part of a multi-part series called "On the Forensic Trail". The purpose of the series is to introduce you to the capabilities of PowerForensics, but also to help build forensic literacy by breaking down each artifact.</span></div>
<br />
<div style="line-height: normal; margin: 0in 0in 0pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">This post will help you get PowerForensics up, running, and prepared to follow future posts.</span><br />
<span style="font-family: 'times new roman', serif; font-size: 12pt;"><br /></span></div>
<span style="font-size: x-large;"><b>
Installing PowerForensics</b></span><br />
Please refer to my new post regarding <a href="http://www.invoke-ir.com/2016/02/installing-powerforensics.html">PowerForensics Installation</a><br />
<br />
<span style="font-size: large;"><b>Loading the Module into the PowerShell Session</b></span><br />
Open PowerShell or PowerShell_ISE as administrator and import the module into the current session.<br />
<br />
NOTE: Many of PowerForensics’ cmdlets require administrator privilege to run.<br />
<br />
The syntax for importing the PowerForensics module is shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqGtadAiKce9wlTjHUAuqDGTigelmZF2Hzmsluvfj7I9k8hKPOqjMhVTqKoEBmsKfglNNvjjXZyMxpNzqHmq2QCR0gxkXrW4IzcoP8aW8z4hgAzJ81GBowQDn7is34mY6o9_bwe-9mC2Y/s1600/unnamed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqGtadAiKce9wlTjHUAuqDGTigelmZF2Hzmsluvfj7I9k8hKPOqjMhVTqKoEBmsKfglNNvjjXZyMxpNzqHmq2QCR0gxkXrW4IzcoP8aW8z4hgAzJ81GBowQDn7is34mY6o9_bwe-9mC2Y/s640/unnamed.png" width="640" /></a></div>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">If the above cmdlet gives you an error, verify that you followed the instructions for </span><a href="https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx"><span style="color: blue;">installing a PowerShell module</span></a><span style="background-color: white;">.</span><br />
<br />
Use the Get-Command cmdlet with the –Module parameter to list the cmdlets that come with the module.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlzft4yCSkKoqll-m_kvylClV2PslcL_YVkTJ3SBThvtCGqf1PcgTVW9Lx1kYPJNXRRWeAQm-UIvJj8NmFy1syFfKcU3RoJS5px174_6ZVKkrqN1jgmHoJnX9mZF3fzLn-_ndkROqwo/s1600/Screenshot+2016-02-17+07.51.29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="521" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlzft4yCSkKoqll-m_kvylClV2PslcL_YVkTJ3SBThvtCGqf1PcgTVW9Lx1kYPJNXRRWeAQm-UIvJj8NmFy1syFfKcU3RoJS5px174_6ZVKkrqN1jgmHoJnX9mZF3fzLn-_ndkROqwo/s640/Screenshot+2016-02-17+07.51.29.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<b><span style="font-size: large;">
Cmdlet Help</span></b><br />
<div>
Each PowerForensics cmdlet has help associated with it, which can be retrieved with the Get-Help cmdlet. Help includes a description of the cmdlet’s function, syntax, output objects, and usage examples.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="clear: both; text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy1pLuHWVCaq9VMm8Ie7xkTw88EqDkTNpGB1qYXZHhlvZVOtF9gor7i_69fqMTKVepSLP0677oBpbemfF80dxeiXbsXD78qw5jrstbF3aBmx_C7QzbFcOnYDT1S8nrIr5qa7mFoyRqogw/s1600/Screenshot+2016-02-17+07.52.23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy1pLuHWVCaq9VMm8Ie7xkTw88EqDkTNpGB1qYXZHhlvZVOtF9gor7i_69fqMTKVepSLP0677oBpbemfF80dxeiXbsXD78qw5jrstbF3aBmx_C7QzbFcOnYDT1S8nrIr5qa7mFoyRqogw/s640/Screenshot+2016-02-17+07.52.23.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b style="font-size: xx-large;">Conclusion</b></div>
<div style="line-height: normal; margin: 0in 0in 6pt;">
<span style="font-family: 'times new roman', serif; font-size: 12pt;">You should now be ready to use PowerForensics. Stay tuned: in my next post I will dive into the Master Boot Record and the applicable PowerForensics cmdlets.</span></div>
<div style="text-align: center;">
<br /></div>
<br /><b><span style="font-size: x-large;">Parse the MFT in PowerShell</span></b> (published 2015-03-07, updated 2015-04-29)<br />
<div><i>[This post has been deprecated. During the development of PowerForensics, I have decided to move away from the Sleuth Kit naming convention in favor of the artifacts' true names (ex. Get-IStat has become Get-MFTRecord and Get-ICat has become Get-ContentRaw). For a better explanation of PowerForensics' capabilities please follow my <a href="http://www.invoke-ir.com/search/label/On%20the%20Forensic%20Trail"><span style="color: blue;">"On the Forensics Trail" series</span></a>.]</i><br />
<br />
<br />
<br />
Over the past year or so I have been thinking about the best way to implement a Digital Forensic framework from within PowerShell. Recently, I wrote a PowerShell cmdlet in C# to parse the Windows Prefetch file for useful forensic artifacts, but I quickly realized that accessing files directly is not forensically sound. </div><br />
<div>During my search for solutions, I came across clymb3r's blog <a href="https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/"><span style="color: blue;">post</span></a> about his Invoke-Ninjacopy cmdlet and thought that I could use this methodology for my Forensic framework. One of the components of Invoke-Ninjacopy is a DLL that parses the NTFS file system, and upon reviewing the <a href="http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib"><span style="color: blue;">DLL project</span></a> I decided that porting it to a C# assembly library would be a very logical starting point for PowerForensics. With the help of Brian Carrier's File System Forensics book, for context, I was able to reproduce the NTFS parsing code in C#. </div><br />
<div>PowerForensics works by opening a read handle to the logical volume (such as the C Drive), and parsing the NTFS structures within the volume's raw bytes.</div><br />
<div>NOTE: PowerShell must be run as administrator to access the Volume's file handle.</div><br />
<div>The rest of this post describes some of the initial capabilities presented by PowerForensics.</div><br />
<span style="font-size: large;"><b>Get-IStat</b></span><br />
<div>While writing the code for PowerForensics, I realized that I was starting to reproduce some of the functionality inherent in The Sleuth Kit, so I decided to maintain a similar naming convention to those tools (ex. Get-FSStat, Get-IStat, Get-ICat) for continuity purposes.</div><br />
Get-IStat is a cmdlet that can be used to return the MFT Entry for a specified file. The file can be specified by its Path or via its Index Number (what record it is in the MFT). Additionally, the investigator can specify what Logical Volume they want to investigate through the VolumeName parameter (Remember that the volume must be using NTFS as its file system).<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFs8kM26319NpKowoHPRXI5-bmNj8F7_rrBm9l1Tvhdoo73MsMJzBXjt_08yvEC429_mhKXE0b4ILtbDllLZk5mpKnk-bcUR2UfLKJfKg1EDlgVXBrLGr58jXf9j0RfNiXktnx9Ww9fGA/s1600/get-istat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFs8kM26319NpKowoHPRXI5-bmNj8F7_rrBm9l1Tvhdoo73MsMJzBXjt_08yvEC429_mhKXE0b4ILtbDllLZk5mpKnk-bcUR2UfLKJfKg1EDlgVXBrLGr58jXf9j0RfNiXktnx9Ww9fGA/s1600/get-istat.PNG" height="304" width="640" /></a></div><br />
<span style="font-size: large;"><b>FileRecord Object</b></span><br />
<div><br />
Get-IStat returns a custom FileRecord object. This object is built into PowerForensics, and represents a File Record in the Master File Table. In the context of this post the important properties of the FileRecord object are RecordNumber (the record's index into the MFT) and the Attribute array (the record's attribute objects). </div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEievTR9B2y7mCxvYoVuHjYnIclPh19uh9og5_N796JV0fGC9oNrgbRD9COzaRnjrptJKXs8fzpRrrhGlAsheQZI4tVG0BH72RcJtwp4GtsBOGoA1eWfzxIXMUB0PH32Sh2NrkkiOp2rf5I/s1600/FileRecord.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEievTR9B2y7mCxvYoVuHjYnIclPh19uh9og5_N796JV0fGC9oNrgbRD9COzaRnjrptJKXs8fzpRrrhGlAsheQZI4tVG0BH72RcJtwp4GtsBOGoA1eWfzxIXMUB0PH32Sh2NrkkiOp2rf5I/s1600/FileRecord.PNG" height="136" width="640" /></a></div><br />
Upon drilling down into the attribute array, we can see the STANDARD_INFORMATION and FILE_NAME attributes (there are more that didn't make the screenshot). Each attribute contains information that proves invaluable during a forensic investigation. For example, an investigator can use the timestamps from the STANDARD_INFORMATION and FILE_NAME attributes for timeline analysis or comparison for evidence of timestomping.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQn9wn07og3uaeht_mFGt-ThiY-VwwUmsIDPsL7_xdd1XCoROVRBRmLTyBtLYc_27CsnfOgOTJfmCfe86fBDMOpkxoUQB6-fUAVbL-fQA8EhjMJWN8YLE4zs2HRuQe94cd4xMN6wEmQDw/s1600/FileRecordAttribute.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQn9wn07og3uaeht_mFGt-ThiY-VwwUmsIDPsL7_xdd1XCoROVRBRmLTyBtLYc_27CsnfOgOTJfmCfe86fBDMOpkxoUQB6-fUAVbL-fQA8EhjMJWN8YLE4zs2HRuQe94cd4xMN6wEmQDw/s1600/FileRecordAttribute.PNG" height="408" width="640" /></a></div><br />
<span style="font-size: large;"><b>Get-ICat</b></span><br />
<div><br />
Great! Now we have the ability to read the MFT by parsing the raw bytes of the volume. What if we were able to make a copy of the contents of the file via the raw disk?</div><div><br />
</div><div>PowerForensics includes the Get-ICat cmdlet, which parses the DATA attribute in the file's MFT Record and outputs the contents of the file in the form of a byte array. This byte array can be saved to a variable, and used as input to the Add-Content cmdlet to be output to a file (NOTE: Add-Content must be used with the Encoding parameter set to "byte").</div><br />
NOTE: Get-ICat has not yet implemented all of the functionality of TSK's icat command.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik6JoclOGSkJ2cUIa3WDeuJFt9MZoDhw8jK5E3F832Ac5PRiiQ6C3a5rEhXB1tduMDRGB23Tqo7EJeoFkZMknQuOtW-Ry635Izweqe13ppcAmfZrt1-1-WnvDlkHpKDmqsaAagiI__t0g/s1600/Get-IStat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik6JoclOGSkJ2cUIa3WDeuJFt9MZoDhw8jK5E3F832Ac5PRiiQ6C3a5rEhXB1tduMDRGB23Tqo7EJeoFkZMknQuOtW-Ry635Izweqe13ppcAmfZrt1-1-WnvDlkHpKDmqsaAagiI__t0g/s1600/Get-IStat.PNG" height="41" width="640" /></a></div><br />
Once we copy cmd.exe's raw bytes to a new file we can use an MD5 hashing function (shown below) to ensure our dumped file is the same as the original.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpptv80-emic3NNw8BQr83TuOwmPuKOAydz2KIV3-KKgsW5ba3Gi-i6M7eTd9xVfAVx7MD1cAklHchPA3DdvAPbfXhNpIpS5OhmXHHjprTODb_YfOSGWpfb04c40MOd1dOAs8ze7O3bXw/s1600/Get-MD5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpptv80-emic3NNw8BQr83TuOwmPuKOAydz2KIV3-KKgsW5ba3Gi-i6M7eTd9xVfAVx7MD1cAklHchPA3DdvAPbfXhNpIpS5OhmXHHjprTODb_YfOSGWpfb04c40MOd1dOAs8ze7O3bXw/s1600/Get-MD5.PNG" height="76" width="640" /></a></div><br />
Below you can see that both C:\Windows\System32\cmd.exe (the original) and C:\Users\Public\Desktop\cmd (our copy using PowerForensics) have the same MD5 hash:<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOK0Zedn5nZCkjZDzk7f86Ql_5XGjbw3-60LlgrXDztmzWTRxFc0FoO-rXuqtegCA1N0oeTmT9A3qVFcCh2DkUjaF3KnfiW1Xb9mAPmQ_OwqCyby-iE9HQ1Hv6QRx19-9uPG3Lh0y3EgE/s1600/cmdcomparison.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOK0Zedn5nZCkjZDzk7f86Ql_5XGjbw3-60LlgrXDztmzWTRxFc0FoO-rXuqtegCA1N0oeTmT9A3qVFcCh2DkUjaF3KnfiW1Xb9mAPmQ_OwqCyby-iE9HQ1Hv6QRx19-9uPG3Lh0y3EgE/s1600/cmdcomparison.PNG" height="88" width="640" /></a></div><br />
What about files that are locked by the Operating System like the registry hives? Because PowerForensics is accessing the raw bytes on the HDD and parsing the Master File Table itself we are able to export these locked files while the OS is using them.<br />
<br />
Below you will see that I am unable to use the System.IO.File ReadAllBytes method to read the SAM registry hive "because it is being used by another process". <br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtg4SfcPnJnZOxvDmjatoiC6BpakCYetDZ14MZ2-nLw7-w9DBD_yWDFtYB0mhJyKe9MYZlm2a-2aRiodLfJmfQ62joFQziujoEQMKGU65NvRE7MUDvc42dDb0CBq8xGp667clQVLqIAhI/s1600/SAMfail.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtg4SfcPnJnZOxvDmjatoiC6BpakCYetDZ14MZ2-nLw7-w9DBD_yWDFtYB0mhJyKe9MYZlm2a-2aRiodLfJmfQ62joFQziujoEQMKGU65NvRE7MUDvc42dDb0CBq8xGp667clQVLqIAhI/s1600/SAMfail.PNG" height="108" width="640" /></a></div><br />
Here we use Get-IStat to view the FileRecord object belonging to the SAM hive. Notice that the DATA attribute's NonResident property is set to True. This means that the file's contents are too large to fit in the MFT record, which is 1024 bytes, and are stored elsewhere on the disk. Conveniently, that location is described by the StartCluster and EndCluster arrays. Multiplying the StartCluster and EndCluster values by the cluster size (typically 4096 bytes) gives the byte offsets on disk that hold the file's contents. These properties are used by Get-ICat to output a byte array containing the file's contents.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwMls0RhFSp9xSZguzK_Av-t3CBWmitK65OHPp5jDR8q0ujzOiBbTyYcq5QBUmtZ_l7-C7JPtR9DIy7V1Uma_l65nNVfJVR6PLGyd7N-KDfTHN12Ym8Lnq3dYYyXMdzQnoXY2SaK7P7Q/s1600/DATA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwMls0RhFSp9xSZguzK_Av-t3CBWmitK65OHPp5jDR8q0ujzOiBbTyYcq5QBUmtZ_l7-C7JPtR9DIy7V1Uma_l65nNVfJVR6PLGyd7N-KDfTHN12Ym8Lnq3dYYyXMdzQnoXY2SaK7P7Q/s1600/DATA.PNG" height="406" width="640" /></a></div><br />
Below we use Get-ICat and Add-Content to output the SAM file to our Desktop.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLi5WNXpdx5-HI1bBO69Zn26z0RiNKhNAz7L9qZ1_t1QBWvQCdAn0aWDVKTk-io2cfQBhFXj1H3z67B7Qzt4XzZKc2PVstDsQ_2vOrK8Nhdap6UHPFEpHxFVdLL4wMkBR12TNjsG91ctE/s1600/ICatSAM.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLi5WNXpdx5-HI1bBO69Zn26z0RiNKhNAz7L9qZ1_t1QBWvQCdAn0aWDVKTk-io2cfQBhFXj1H3z67B7Qzt4XzZKc2PVstDsQ_2vOrK8Nhdap6UHPFEpHxFVdLL4wMkBR12TNjsG91ctE/s1600/ICatSAM.PNG" height="41" width="640" /></a></div><br />
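The block below is an added example, not PowerForensics code. It reproduces the arithmetic Get-ICat performs for a non-resident DATA attribute (StartCluster/EndCluster runs times the cluster size, with EndCluster inclusive, cut to the file's logical size so cluster slack is not included), writes the result out the way the Add-Content step above does, and hashes original and copy as in the cmd.exe comparison. The volume image, the file body and the RealSize parameter are constructed for the example; RealSize stands in for the logical size NTFS records in the DATA attribute header.<br />

```powershell
# Added example, not PowerForensics code. Get-ClusterRunBytes mirrors what Get-ICat does
# with a non-resident DATA attribute; Export-RawFile and Get-MD5 mirror the post's
# Add-Content -Encoding Byte and MD5 comparison steps.
function Get-ClusterRunBytes {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Volume,        # raw volume bytes (a constructed image below)
        [Parameter(Mandatory = $true)][uint64[]]$StartCluster,
        [Parameter(Mandatory = $true)][uint64[]]$EndCluster,   # inclusive, as on the FileRecord object
        [uint64]$RealSize = 0,                                 # logical file size; 0 keeps every cluster byte
        [int]$BytesPerCluster = 4096
    )
    if ($StartCluster.Count -ne $EndCluster.Count) { throw 'StartCluster and EndCluster must have the same length.' }

    $ms = New-Object System.IO.MemoryStream
    for ($i = 0; $i -lt $StartCluster.Count; $i++) {
        if ($EndCluster[$i] -lt $StartCluster[$i]) { throw "Run $i ends before it starts." }
        # cluster number * bytes per cluster = byte offset on the volume
        $offset = [int64]$StartCluster[$i] * $BytesPerCluster
        $length = ([int64]$EndCluster[$i] - [int64]$StartCluster[$i] + 1) * $BytesPerCluster
        if ($offset + $length -gt $Volume.Length) { throw "Run $i (offset $offset, length $length) runs past the end of the volume." }
        $ms.Write($Volume, [int]$offset, [int]$length)
    }
    # The last cluster is only partly used; drop the slack so the copy hashes like the original.
    if ($RealSize -gt 0 -and $RealSize -lt $ms.Length) { $ms.SetLength([int64]$RealSize) }
    $bytes = $ms.ToArray()
    $ms.Dispose()
    return ,$bytes
}

function Export-RawFile {
    param([Parameter(Mandatory = $true)][byte[]]$Content, [Parameter(Mandatory = $true)][string]$Path)
    # Windows PowerShell writes bytes with -Encoding Byte (as in the post); PowerShell 6+ uses -AsByteStream.
    # Set-Content is used rather than Add-Content so a re-run overwrites instead of appending.
    if ($PSVersionTable.PSVersion.Major -ge 6) { Set-Content -Path $Path -Value $Content -AsByteStream }
    else { Set-Content -Path $Path -Value $Content -Encoding Byte }
}

function Get-MD5 {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Get-FileHash -Algorithm MD5 does the same on PowerShell 4 and later.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($md5.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Dispose(); $md5.Dispose() }
}

# Constructed volume image: 16 clusters of 4096 bytes holding a 10000-byte "file" stored as
# two runs (clusters 3-4 and cluster 9), the way a fragmented non-resident DATA attribute is.
$bytesPerCluster = 4096
$volume   = New-Object byte[] (16 * $bytesPerCluster)
$fileBody = [System.Text.Encoding]::ASCII.GetBytes('regf-like sample content ' * 400)   # 10000 bytes
[Array]::Copy($fileBody, 0, $volume, 3 * $bytesPerCluster, 2 * $bytesPerCluster)
[Array]::Copy($fileBody, 2 * $bytesPerCluster, $volume, 9 * $bytesPerCluster, $fileBody.Length - 2 * $bytesPerCluster)

$recovered = Get-ClusterRunBytes -Volume $volume -StartCluster 3, 9 -EndCluster 4, 9 `
                                 -RealSize $fileBody.Length -BytesPerCluster $bytesPerCluster

$original = [System.IO.Path]::GetTempFileName()
$copy     = [System.IO.Path]::GetTempFileName()
Export-RawFile -Content $fileBody  -Path $original
Export-RawFile -Content $recovered -Path $copy
"Recovered $($recovered.Length) of $($fileBody.Length) bytes"
"Original: $(Get-MD5 $original)"
"Copy:     $(Get-MD5 $copy)"
Remove-Item $original, $copy
```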
Although we cannot hash the original SAM file (because of the error discussed above), we can throw the output SAM file into a hex editor and see the registry hive file header. Imagine when we add registry parsing to PowerForensics...<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSHa7_NuDuLwe5HY3_TTrfl7GotupMntOZRzofLTaJJPANatVerYVYGeiqlGB44mgIKoG315pRXVoWO5yyIeBPOWxvdeUcQ-7nrgc73fHuMu5k2Xw26gZIJgiKZZFyu4BE3C2GM3SR_rM/s1600/SAMHeader.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSHa7_NuDuLwe5HY3_TTrfl7GotupMntOZRzofLTaJJPANatVerYVYGeiqlGB44mgIKoG315pRXVoWO5yyIeBPOWxvdeUcQ-7nrgc73fHuMu5k2Xw26gZIJgiKZZFyu4BE3C2GM3SR_rM/s1600/SAMHeader.PNG" height="168" width="400" /></a></div><br />
You can download the source code to PowerForensics on my <a href="https://github.com/Invoke-IR/PowerForensics"><span style="color: blue;">github</span></a>. To use PowerForensics within PowerShell download the dll in the <a href="http://powerforensics/Invoke-IR.PowerForensics/bin/Debug/Invoke-IR.PowerForensics.dll"><span style="color: blue;">repo</span></a> and use the Import-Module cmdlet within PowerShell (Ex. Import-Module &lt;pathToDLL&gt;).<br />
<br />
I'm excited to hear your feedback and suggestions for further development.<br />
<b><span style="font-size: x-large;">A 10 Second Journey Presentation</span></b> (published 2014-04-06)<br />
<iframe allowfullscreen="" frameborder="0" height="400" mozallowfullscreen="" src="http://prezi.com/embed/7nxz7gjucbnd/?bgcolor=ffffff&lock_to_path=1&autoplay=0&autohide_ctrls=0&features=undefined&disabled_features=undefined" webkitallowfullscreen="" width="550"></iframe><br />
<b><span style="font-size: x-large;">Windows 8 Prefetch 101</span></b> (published 2014-03-05, updated 2015-04-29)<br />
<br />
In preparation for my presentation on the Windows Prefetch this Friday I made this poster to help understand the Prefetch file structure. Let me know what you think!<br />
<br />
Find the high resolution version on my imgur <a href="http://imgur.com/riuljsK">http://imgur.com/riuljsK</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRnVpQwdr-AJlIzpZ3jYLuv9XZitPCvpWR1v8NfvSiYJkqJX-nqyYCTS0WZO4RxpekASJ9e4OEeDRsPcQ3xqA85MSy0WrcwennhCbayEbhF3muWffhoDKHSvOZpbmgZOFtc16LMliGAAE/s1600/Prefetch8101low.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRnVpQwdr-AJlIzpZ3jYLuv9XZitPCvpWR1v8NfvSiYJkqJX-nqyYCTS0WZO4RxpekASJ9e4OEeDRsPcQ3xqA85MSy0WrcwennhCbayEbhF3muWffhoDKHSvOZpbmgZOFtc16LMliGAAE/s1600/Prefetch8101low.png" height="410" width="640" /></a></div>
<br /><b><span style="font-size: x-large;">Presenting at SANS Institute's DFIRCON!</span></b> (published 2013-11-17, updated 2015-04-24)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIILh56pBvFvgaDawtRdDM9TW6Dku_O70x7yid6YIZhYCLmO6zEmvbPP_YLIm2oOeyvyn3lXsWUuaNiMo18gn5QHxLzsJOFqlwdmaRV2GasYJ6E96IFlI5DQNx3C3Nd2q-bogzvWqbXXc/s1600/dfircon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIILh56pBvFvgaDawtRdDM9TW6Dku_O70x7yid6YIZhYCLmO6zEmvbPP_YLIm2oOeyvyn3lXsWUuaNiMo18gn5QHxLzsJOFqlwdmaRV2GasYJ6E96IFlI5DQNx3C3Nd2q-bogzvWqbXXc/s400/dfircon.jpg" height="226" width="400" /></a></div><br />
I am pleased to announce that I will be presenting my research on the Windows 8 Prefetch at SANS Institute's DFIRCON. The conference will be held in Monterey, CA from March 5th to March 10th 2014. If you have not had a chance to see the lineup that will be at this conference please check out the <a href="https://www.sans.org/event-downloads/32740/brochure.pdf">brochure</a>. Thanks to Chad Tilbury and Rob Lee for giving me the opportunity to present this information to the broader audience, and to those who have read my blog and spread my research.<br />
<b><span style="font-size: x-large;">malsysproc</span></b> (published 2013-10-27, updated 2015-04-29)<br />
This weekend I was working on some memory analysis using Volatility, and I came across a sample that had a malicious process named svchost.exe. Now if you have read Mandiant's M-Trends report, then you know that <a href="https://www.mandiant.com/blog/m-trends-advanced-persistent-threat-malware/" style="background-color: white;">svchost.exe is the most common name of malware found</a>. If you have spent any amount of time working with Windows forensics or incident response, then you are very familiar with the reason why malware authors name their process svchost.exe. In a normal Windows installation there are approximately 6-10 svchost processes running at any given time. In this particular sample, it was fairly easy for me to spot the malicious process because it was exhibiting behavior that was abnormal for its name. However, if an analyst does not have a familiarity with what behavior is "normal", then it may be difficult to determine the nature of this seemingly common process. By the end of the analysis I had run quite a few plugins just to get the information I needed to determine the intent of this process, and I began wondering if there was some way to tie these commands together. 
I first looked into writing a bash script to run multiple plugins automatically and parsing out specific information from each output, but after a few minutes Googling I realized writing my own plugin would be much cleaner. This post describes the information I learned along the way, and will discuss the features (present and future) of the plugin I wrote.<br />
<br />
<b><span style="font-size: large;">Volatility Documentation</span></b><br />
Upon setting out on my journey to learn how to write my own Volatility plugin, I stumbled upon the official <a href="https://code.google.com/p/volatility/wiki/DeveloperGuide22"><span style="color: blue;">developer's guide</span></a> for Volatility 2.2. This guide gives you all of the information you need to start writing your first plugin. I also found a few blog posts useful, <a href="http://gleeda.blogspot.com/2011/04/whats-difference-brief-volatility-14.html"><span style="color: blue;">one</span></a> from <span style="color: blue;"><a class="g-profile" href="http://plus.google.com/104115008251750028679" target="_blank">+Jamie Levy</a> </span>and <a href="http://blog.commandlinekungfu.com/2010/12/episode-127-making-difference.html"><span style="color: blue;">one</span></a> from Command Line Kung Fu where MHL shows how writing a new plugin might be a million times easier than parsing the output of multiple plugins.<br />
<br />
<b><span style="font-size: large;">malsysproc</span></b><br />
I wrote the malsysproc plugin as an automated way of examining the behaviors of system processes to find malware hiding in plain sight. Initially malsysproc looks at processes named svchost and lsass and determines whether each process is legitimate. The plugin also looks for processes named similarly to svchost and lsass, such as lssas or scvhost.<br />
<br />
The first test run against each process checks that the name of the process is actually what is expected. I wanted to ensure the plugin doesn't overlook the lookalikes, so I initially look for processes that match a regular expression. The regular expression is very simple: it matches names whose characters have been switched around. If a process does have letters switched around it will fail the name test.<br />
<br />
While looking for processes named lsass.exe I keep track of each process I find, and if I find more than one lsass.exe I notify the analyst.<br />
<br />
After running the name test, it is important to ensure that the process is running from the expected path. Oftentimes attackers will name their malware after a native Windows process, but they will put it in a different directory like a temp folder. This check verifies that the path matches the path of the native Windows process (C:\windows\system32\ for both lsass.exe and svchost.exe).<br />
<br />
One way to spot a malicious svchost process is to run Volatility's pstree plugin. pstree shows a graphical representation of each process's parent-child relationship. svchost.exe should always be a child of services.exe, and if it isn't then we have a clear indicator of wrongdoing. Similarly, lsass.exe should be the child of wininit.exe on systems running Vista or later, or of winlogon.exe on systems running XP or earlier.<br />
<br />
Timing is another valuable signal when looking for malware posing as system processes. In this plugin, I compare each system process's creation time to that of its parent, and if the system process was created more than 10 seconds after its parent it is flagged. I have not done extensive testing on this check yet, but on the 3 memory samples I ran the plugin against it hasn't had any false positives.<br />
<br />
Sometimes the operating system gives system processes a higher base priority than that of normal user processes. In his <span style="color: blue;"><a href="http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html"><span style="color: blue;">analysis of Stuxnet</span></a> </span>MHL notes that although Stuxnet uses the process hollowing technique to inject itself into a real lsass.exe process, it fails to properly set the base priority level of the process. This allows us to pick out the impostor lsass.exe processes. Unfortunately, svchost processes run at the default base priority level, so this technique cannot be used to find malicious svchost processes.<br />
<br />
Lastly, I compare the command line arguments of each system process to a list of expected arguments. If the process was run without the expected arguments, or with incorrect ones, this test will flag the process as suspicious.<br />
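The six checks above, re-implemented as an added example in Python over a constructed process list of the kind pslist, pstree and cmdline would yield. This is not the malsysproc plugin's own code; the lsass.exe base priority of 9, the "-k" argument svchost.exe is expected to carry, and every process record below are assumptions made here for illustration.<br />

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One record per process with the fields Volatility's pslist/pstree/cmdline plugins
# report. All records used below are constructed samples, not from a real image.
Proc = namedtuple("Proc", "pid ppid name path create_time base_priority cmdline")

SYSTEM32 = "c:\\windows\\system32\\"
MAX_CHILD_DELAY = timedelta(seconds=10)   # the post's 10-second threshold

# Lookalike regexes: the real name's letters in any order, so lssas.exe and
# scvhost.exe are pulled into the checks instead of being overlooked.
LOOKALIKE = {
    "svchost.exe": re.compile(r"^[svchot]{7}\.exe$", re.I),
    "lsass.exe": re.compile(r"^[lsa]{5}\.exe$", re.I),
}

# Expected parent(s), base priority (assumed: lsass.exe runs at 9; svchost.exe runs
# at the default and is therefore not checked) and full command line.
EXPECTED = {
    "svchost.exe": {
        "parents": {"services.exe"},
        "priority": None,
        "cmdline": re.compile(r'^"?c:\\windows\\system32\\svchost\.exe"?\s+-k\s+\S+', re.I),
    },
    "lsass.exe": {
        "parents": {"wininit.exe", "winlogon.exe"},   # Vista and later / XP and earlier
        "priority": 9,
        "cmdline": re.compile(r'^"?c:\\windows\\system32\\lsass\.exe"?\s*$', re.I),
    },
}


def audit_system_processes(procs):
    """Return ({pid: [issues]}, [warnings]) for every svchost/lsass (or lookalike) process."""
    by_pid = {p.pid: p for p in procs}
    findings, warnings = {}, []
    lsass_count = sum(1 for p in procs if p.name.lower() == "lsass.exe")
    if lsass_count > 1:
        warnings.append("%d lsass.exe processes found; a healthy system has one" % lsass_count)
    for p in procs:
        for real, pattern in LOOKALIKE.items():
            if not pattern.match(p.name):
                continue
            exp, issues = EXPECTED[real], []
            # 1. name test: matched the lookalike pattern but is not the real name
            if p.name.lower() != real:
                issues.append("name: %s is a lookalike of %s" % (p.name, real))
            # 2. path test: must live under C:\Windows\System32\
            if not p.path.lower().startswith(SYSTEM32):
                issues.append("path: %s" % p.path)
            # 3. parent test and 4. creation-time test relative to the parent
            parent = by_pid.get(p.ppid)
            if parent is None:
                issues.append("parent: pid %d not found" % p.ppid)
            else:
                if parent.name.lower() not in exp["parents"]:
                    issues.append("parent: %s (pid %d)" % (parent.name, parent.pid))
                delay = p.create_time - parent.create_time
                if delay > MAX_CHILD_DELAY:
                    issues.append("time: started %ds after parent" % delay.total_seconds())
            # 5. base priority test (lsass only, as in the Stuxnet case)
            if exp["priority"] is not None and p.base_priority != exp["priority"]:
                issues.append("priority: %d, expected %d" % (p.base_priority, exp["priority"]))
            # 6. command line test
            if not exp["cmdline"].match(p.cmdline.strip()):
                issues.append("cmdline: %r" % p.cmdline)
            if issues:
                findings[p.pid] = issues
    return findings, warnings


T0 = datetime(2013, 10, 27, 18, 0, 0)   # constructed boot time
S32 = "C:\\Windows\\System32\\"
SAMPLE = [
    Proc(600, 540, "wininit.exe", S32 + "wininit.exe", T0 + timedelta(seconds=2), 13, S32 + "wininit.exe"),
    Proc(660, 600, "services.exe", S32 + "services.exe", T0 + timedelta(seconds=3), 9, S32 + "services.exe"),
    Proc(672, 600, "lsass.exe", S32 + "lsass.exe", T0 + timedelta(seconds=3), 9, S32 + "lsass.exe"),
    Proc(800, 660, "svchost.exe", S32 + "svchost.exe", T0 + timedelta(seconds=5), 8, S32 + "svchost.exe -k DcomLaunch"),
    Proc(1200, 1100, "explorer.exe", "C:\\Windows\\explorer.exe", T0 + timedelta(seconds=20), 8, "C:\\Windows\\Explorer.EXE"),
    # constructed impostors: a svchost from Temp, a lookalike name, and a second lsass
    Proc(2500, 1200, "svchost.exe", "C:\\Windows\\Temp\\svchost.exe", T0 + timedelta(hours=1), 8, "C:\\Windows\\Temp\\svchost.exe"),
    Proc(2600, 1200, "lssas.exe", "C:\\Users\\bob\\AppData\\Local\\lssas.exe", T0 + timedelta(hours=1, minutes=1), 8, "lssas.exe"),
    Proc(2700, 1200, "lsass.exe", S32 + "lsass.exe", T0 + timedelta(hours=1, minutes=2), 8, "C:\\\\WINDOWS\\\\system32\\\\lsass.exe"),
]

if __name__ == "__main__":
    found, warns = audit_system_processes(SAMPLE)
    for line in warns:
        print("WARNING:", line)
    for pid, issues in sorted(found.items()):
        print(pid, by_name := SAMPLE and next(p.name for p in SAMPLE if p.pid == pid), issues)
```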
<br />
A few planned additions are tests for the process owner, unexpected network connections, DLL injection, and unexpected child processes.<br />
<br />
Check out the code <a href="https://github.com/Invoke-IR/Volatility"><span style="color: blue;">here</span></a>. Copy the file to your volatility/plugins directory, and it will be automatically added to your plugins list.<br />
<br />
<b style="font-size: x-large;">Examples</b><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLwt8YV7EZijAs5gS-3DWgQmdMd1i8K4HWIJln0XFg45i_8tcLUQ83qOg63sDjpaYifZBXwuNmvjbLpRiPTNhDSltkGvBSCa39EnX6HbBLMnyGowTedUuZyLixX0vVAFc7a3gBDMcJ4_U/s1600/Screen+Shot+2013-10-27+at+9.50.33+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLwt8YV7EZijAs5gS-3DWgQmdMd1i8K4HWIJln0XFg45i_8tcLUQ83qOg63sDjpaYifZBXwuNmvjbLpRiPTNhDSltkGvBSCa39EnX6HbBLMnyGowTedUuZyLixX0vVAFc7a3gBDMcJ4_U/s640/Screen+Shot+2013-10-27+at+9.50.33+PM.png" height="236" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">An example of running malsysproc against an image running a malicious svchost.exe process. This process was not running out of the C:\WINDOWS\system32\ directory, did not have the correct parent process, was started much later than the other svchost.exe processes, and did not have appropriate command line parameters.</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSthRxgBWdxtlTiXth2rg2azIDAi3LA94t-ePzOu-gtvqSiJhwsIG_JoXCOxkOb5kI3yYur6WdD3OKL8hVoh93VqQwFvOsIyqL7bUscGMk1lMeK3jlokuIvhArYcF37o_IoKBvcpDSwac/s1600/Screen+Shot+2013-10-27+at+9.51.19+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSthRxgBWdxtlTiXth2rg2azIDAi3LA94t-ePzOu-gtvqSiJhwsIG_JoXCOxkOb5kI3yYur6WdD3OKL8hVoh93VqQwFvOsIyqL7bUscGMk1lMeK3jlokuIvhArYcF37o_IoKBvcpDSwac/s640/Screen+Shot+2013-10-27+at+9.51.19+PM.png" height="226" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">An example of malsysproc when run against a Stuxnet memory image. Because multiple lsass.exe processes were found, the plugin warns the analyst that this is not normal behavior. Also, these processes do not have the correct parent process, they were started later than expected, their base priority level was at the default instead of being elevated, and they appear to have an unexpected command line (in this case it seems they have extra '\' characters to escape the '\' characters in the path itself).</td></tr>
</tbody></table>
There you have it. I found a problem, researched solutions, learned the interface, and produced my first plugin in about an hour of work. I plan to follow this post up with more detail on what a plugin requires, and how you can write your own. Thanks for reading!<br />
<br />
If you have any questions, comments, or concerns please let me know at jared@invoke-ir.com.<br />
<br />
<b><span style="font-size: x-large;">What's New in the Prefetch for Windows 8??</span></b><br />
<i>Posted 2013-09-21</i><br />
I am currently working on a PowerShell module that will provide a remote forensic capability for forensicators and incident responders alike. I know of many tools that parse file-based forensic artifacts (e.g. Prefetch), but none of these tools parse artifacts remotely. Remote parsing provides defenders with many advantages, including a capability called Least Frequency of Occurrence (LFO). If a defender can aggregate data from every prefetch file on every host in a large network, they can use LFO to spot anomalies, which may in turn point out malicious activity.<br />
<br />
While creating a cmdlet to parse Windows Prefetch files, I realized that there were many inconsistencies between the format of prefetch files on <a href="http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format">Windows XP</a> and <a href="http://www.forensicswiki.org/wiki/Prefetch">Windows 7</a>. I also realized that little research had been done regarding the structure of Windows 8 prefetch files, and assumed there would be small inconsistencies with this version as well. I am writing a blog series to describe the methodology I used to learn the Windows 8 prefetch file format, and to document some of the interesting finds along the way.<br />
<br />
<b><span style="font-size: large;">What is Prefetch?</span></b><br />
Simply put, application prefetching is used to store information about frequently used applications to help Windows load them more quickly in the future. This information is stored in "prefetch" files found in the %systemroot%\Prefetch\ directory. At any given time the system can keep up to 128 (Windows XP/2003/Vista/7/2008) or 1024 (<a href="https://twitter.com/EricRZimmerman/status/334316855168733184">Windows 8/8.1/2012</a>) individual prefetch files (each one correlates to a single application). These files contain information about the application such as how many times it was run, when it was last run, what path it was run from, what external files it loaded in its first 10 seconds of execution, etc.<br />
<br />
<b><span style="font-size: large;">Understanding the Prefetch File Format (Windows 8)</span></b><br />
<br />
<i>This series of examples is using a cmd.exe prefetch file from Windows 8</i><br />
<br />
<b>File Signature (Offset: 0x00 8-bytes)</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGr2yOHUqRMWwuI_Yia2vYO-9TKloWc8VFTl8kHGYBO9URe02xZbUnwXYxvZHlEbuXFtEnsaWlrWuY3_-6LtSiSxsRqXNGSB0RdAZlAD33cyBCljEKC1a7krxWUvzNZprBehv9S8HtmgU/s1600/Header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGr2yOHUqRMWwuI_Yia2vYO-9TKloWc8VFTl8kHGYBO9URe02xZbUnwXYxvZHlEbuXFtEnsaWlrWuY3_-6LtSiSxsRqXNGSB0RdAZlAD33cyBCljEKC1a7krxWUvzNZprBehv9S8HtmgU/s400/Header.png" height="115" width="400" /></a></div>
<br />
The first value found in the data structure is the File Signature at Offset 0x00. The signature is an 8-byte value containing (0x1A,0x00,0x00,0x00,0x53,0x43,0x43,0x41), the first byte of which represents the OS (0x11 = XP, 0x17 = 7, 0x1A = 8). The ASCII representation of the final 4 bytes is SCCA, which is commonly recognized as the <a href="http://www.garykessler.net/library/file_sigs.html">Prefetch File Signature</a>.<br />
<br />
<b>Application Name (Offset: 0x10 60-bytes)</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYn1AiYYVUFX7nifwHlkefkZcUhVYhQi7jTSNMg3IYCpZwknnNeyOZi14K9gY4OWJSY7XBijJ245kDZYkQLSJCfaKk-gx6mswRsJxQBxgxjbO71zF4sh39HzEzJpZiBd-D80G0XzjOKg4/s1600/ApplicationName.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYn1AiYYVUFX7nifwHlkefkZcUhVYhQi7jTSNMg3IYCpZwknnNeyOZi14K9gY4OWJSY7XBijJ245kDZYkQLSJCfaKk-gx6mswRsJxQBxgxjbO71zF4sh39HzEzJpZiBd-D80G0XzjOKg4/s400/ApplicationName.png" height="115" width="400" /></a></div>
<br />
Next, at Offset 0x10, we see a Unicode-formatted string that says "CMD.EXE". This value represents the name of the application for which this prefetch record has been created. This name should be compared to the name of the prefetch file itself to ensure the file name has not been tampered with. One important detail is that this value is stored in a 60-byte field, to allow for variable-length application names. The standard is for the application name to be terminated by a Unicode NULL (0x0000).<br />
<br />
<b>File Path Hash (Offset: 0x4C 4-bytes)</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP1MrapoVZfEBThoWpm81M3y9qREQCPfjkMz9sR4EImPltu0nLjO2M729A22eZtdHBOq2_yv0SRmxhkSgE9onfr6KaZhJpBl6-NFce1N01u80XjxNwQCEYC3x0j9N25k6qeHqJYTTn9zc/s1600/PathHash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP1MrapoVZfEBThoWpm81M3y9qREQCPfjkMz9sR4EImPltu0nLjO2M729A22eZtdHBOq2_yv0SRmxhkSgE9onfr6KaZhJpBl6-NFce1N01u80XjxNwQCEYC3x0j9N25k6qeHqJYTTn9zc/s400/PathHash.png" height="115" width="400" /></a></div>
<br />
Have you ever wondered about those 8 seemingly random hex characters in the name of prefetch files? Interestingly enough, the value is a hash of the application's file path. Remember earlier I said that one prefetch file is created for each application run? Well...that is not entirely accurate. A more precise explanation is that one prefetch file is created per application from a specific file path. When cmd.exe is run from C:\Windows\system32 one prefetch record is created. However, if I copy cmd.exe to C:\Windows and execute it, a second prefetch file will be created.<br />
<br />
From a detection/investigation perspective this hash can be useful in finding malware hiding in plain sight. Oftentimes attackers will name their malware after common Windows applications, putting their version in a different directory than the real thing (e.g. placing svchost in C:\Windows instead of C:\Windows\system32). If they are careless and execute the malware without cleaning up their tracks, there will be a conspicuous second prefetch record for svchost that will provide investigators with some attack details.<br />
<br />
Like the application name, the file path hash is stored inside the prefetch file. This can again be used to check for simple manipulation of the prefetch file name.<br />
<br />
NOTE: The majority of non-unicode values are stored in <a href="http://www.cs.umd.edu/class/sum2003/cmsc311/Notes/Data/endian.html">Little Endian</a>, so when parsing/reading the values make sure you flip the bytes.<br />
<br />
<b><span style="font-size: large;">Application Run Count (Offset: 0xD0 4-bytes)</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVrFHM1IkEyRgbTqkAjQYj-uN35vlwVdDXjgiTHIpmzF_Iuh03VjTzupzKoGcyIWiXDefEuyFR6kjmPxUY8IqAegMvfX4TPjnr642JuNDv1QDk6LVaGxMhGKcIF2umdYDXBhPM_58eDjs/s1600/RunCount.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVrFHM1IkEyRgbTqkAjQYj-uN35vlwVdDXjgiTHIpmzF_Iuh03VjTzupzKoGcyIWiXDefEuyFR6kjmPxUY8IqAegMvfX4TPjnr642JuNDv1QDk6LVaGxMhGKcIF2umdYDXBhPM_58eDjs/s400/RunCount.png" height="63" width="400" /></a></div>
<br />
One of the more useful pieces of information found in the prefetch file is the run count, found at Offset 0xD0. The run count tells a forensicator how many times the application has been executed. Remember this value is stored in Little Endian, so this example shows the run count to be one.<br />
<br />
<b><span style="font-size: large;">Last Access Timestamp (Offset: 0x80 8-bytes)</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh34QyISlgTnHw6fqZ3PZr8rtd7Jh28Go2WrVTg9c30yP6Xw_SWsRB-ETRuTsaTW2jrhewiaEF51ClZKsfPhhEDHZpBoV6RGd8hHabvgEd9pzGYy_fnSZnYydE_uT3RAUnfYQhSjvPejNY/s1600/Timestamp1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh34QyISlgTnHw6fqZ3PZr8rtd7Jh28Go2WrVTg9c30yP6Xw_SWsRB-ETRuTsaTW2jrhewiaEF51ClZKsfPhhEDHZpBoV6RGd8hHabvgEd9pzGYy_fnSZnYydE_uT3RAUnfYQhSjvPejNY/s400/Timestamp1.bmp" height="63" width="400" /></a></div>
<br />
The last really useful piece of information found in the main section of the prefetch file is the last accessed timestamp. This value is of extreme importance during an investigation because it tells the investigator when the program was last executed. This value is stored as a "<a href="http://msdn.microsoft.com/en-us/library/ms724290(VS.85).aspx">FILETIME</a>" object, which is described by Microsoft as "the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC)". There are plenty of ways to turn the hex value into an actual time (e.g. the hex editor I'm using automatically converts hex timestamps to the actual time, or you can use PowerShell to convert the value with <a href="http://msdn.microsoft.com/en-us/library/system.datetime.fromfiletime.aspx">.NET</a>).<br />
<br />
<b><span style="font-size: large;">Christmas coming early...Thanks Microsoft!</span></b><br />
Some of you may be familiar with the file structure of a prefetch file in previous versions of Windows. If you are, you are probably asking why the run count (Offset 0xD0) does not directly follow the timestamp (Offset 0x80) like it always has. Well my friends, this is because Microsoft has decided to throw us a bone for whatever reason. Prefetch files in Windows 8 contain not one timestamp, not two timestamps, but 8 Last File Accessed Timestamps! Below I show a quick demonstration of how the Windows 8 prefetch files store the 8 timestamps.<br />
<br />
<b><span style="font-size: large;">2 Timestamps</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpOwVizFX67ksxNc-6UdbyerS_soNwftNBX3EcHMmsgAjFWIkq3FFqSWb7kG_QFzt_WaMMaZzY11Az3D1Ou6vquh1gcAvRgXsF0W5uz0T2pPu33JmK5F1VSRUAsKM8h6dqwPrTs7HPQ1U/s1600/Timestamp2.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpOwVizFX67ksxNc-6UdbyerS_soNwftNBX3EcHMmsgAjFWIkq3FFqSWb7kG_QFzt_WaMMaZzY11Az3D1Ou6vquh1gcAvRgXsF0W5uz0T2pPu33JmK5F1VSRUAsKM8h6dqwPrTs7HPQ1U/s400/Timestamp2.bmp" height="63" width="400" /></a></div>
<br />
Above is a screenshot of the same CMD.EXE prefetch file, except I ran the application an extra time to increase the run count (0xD0) to two. The important thing to notice is that the original timestamp has been shifted over to Offset 0x88, and the most recent timestamp has moved into the 0x80 position. Well, this is interesting, but what about the other 64 bytes between the 2nd timestamp and the run count value?<br />
<br />
<b><span style="font-size: large;">8 Timestamps</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaj0xDlNWoc_r0xgdmP3RNUJPwHiQOgUBSZd0nrPkFadFJLjRFMVh2uUQixd7DfGOK1zLsosFh0j6duEJG6ft77Zn-u7_a2MgBRQr4Df-Zo2zJdEfSGTaQsEUCiZl9nYuBCJVvejYhO7I/s1600/Timestamp8.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaj0xDlNWoc_r0xgdmP3RNUJPwHiQOgUBSZd0nrPkFadFJLjRFMVh2uUQixd7DfGOK1zLsosFh0j6duEJG6ft77Zn-u7_a2MgBRQr4Df-Zo2zJdEfSGTaQsEUCiZl9nYuBCJVvejYhO7I/s400/Timestamp8.bmp" height="65" width="400" /></a></div>
<br />
After some trial and error testing I was able to determine that the Windows 8 prefetch files will store the 8 most recent last accessed timestamps. Notice in the screenshot that the original time is still there, but it has been moved all the way down to the basement (Offset: 0xB8). It is interesting to note that there are still 16 bytes of zeros. What becomes of that space?<br />
<br />
<b><span style="font-size: large;">What happens after 8?!?</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgShXqaGb3AZDCep3bYbQ8uqxE-FPAYNFeBpYyURHHhDwjCPp7IX7SzSj5bIUZ4eDyij1Hz-7cJZzhT3mHYsxxueFnT_-33lgvnHbF2ZjknAptFyy9vUYkRRwcOWNuxpZAImaeiuOlcSpg/s1600/Timestamp10.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgShXqaGb3AZDCep3bYbQ8uqxE-FPAYNFeBpYyURHHhDwjCPp7IX7SzSj5bIUZ4eDyij1Hz-7cJZzhT3mHYsxxueFnT_-33lgvnHbF2ZjknAptFyy9vUYkRRwcOWNuxpZAImaeiuOlcSpg/s400/Timestamp10.bmp" height="65" width="400" /></a></div>
<br />
Well that is a good question. I have noticed that those zeros change once the timestamp slots are filled, but I have yet to determine what the value represents (if anyone knows or figures it out please let me know). I am assuming it has something to do with the timestamps because the values seem to only appear after the 8 timestamp values have been created.<br />
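To tie the offsets together, here is an added example parser in Python (not the author's PowerShell cmdlet) that reads the header fields discussed above from a constructed Windows 8 prefetch buffer, checks the stored name and hash against the .pf file name, and walks the 8 timestamp slots. The sample application name, hash value (0x11223344) and run times are constructed for the example; only the fields this post covers are populated, and the 16 zero bytes after the timestamps are left untouched.<br />

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PREFETCH_MAGIC = b"SCCA"          # ASCII at offset 0x04
WIN8_VERSION = 0x1A               # first byte of the signature (0x11 = XP, 0x17 = 7)
HEADER_SIZE = 0xD4                # enough to reach the run count at 0xD0


def filetime_to_datetime(filetime):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC; an all-zero slot means 'unused'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, kept in integer arithmetic so no precision is lost."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_win8_prefetch_header(data):
    """Pull out the fields at the offsets the post walks through (all little endian)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer too short for a Windows 8 prefetch header")
    version = struct.unpack_from("<I", data, 0x00)[0]
    if data[0x04:0x08] != PREFETCH_MAGIC:
        raise ValueError("SCCA signature missing: not a prefetch file")
    if version != WIN8_VERSION:
        raise ValueError("version 0x%02X is not the Windows 8 layout" % version)
    # 0x10: 60-byte UTF-16LE field, application name terminated by a Unicode NULL
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x4C: hash of the executable's path, the hex part of the .pf file name
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # 0x80: eight FILETIME slots, most recent run first, followed by 16 bytes of zeros
    last_runs = [filetime_to_datetime(ft) for ft in struct.unpack_from("<8Q", data, 0x80)]
    # 0xD0: run count
    run_count = struct.unpack_from("<I", data, 0xD0)[0]
    return {"version": version, "name": name, "path_hash": path_hash,
            "last_runs": last_runs, "run_count": run_count}


def filename_matches_header(filename, header):
    """Check NAME-HASH.pf against the name and hash stored inside the file (tamper check)."""
    base = filename[:-3] if filename.lower().endswith(".pf") else filename
    stem, sep, hash_hex = base.rpartition("-")
    if not sep:
        return False
    try:
        return stem.upper() == header["name"].upper() and int(hash_hex, 16) == header["path_hash"]
    except ValueError:
        return False


def build_sample_prefetch(name, path_hash, run_times, run_count):
    """Constructed minimal Windows 8 header: only the fields parsed above are populated."""
    if len(name) > 29 or len(run_times) > 8:
        raise ValueError("name fits 29 UTF-16 characters; at most 8 timestamps are kept")
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<I", buf, 0x00, WIN8_VERSION)
    buf[0x04:0x08] = PREFETCH_MAGIC
    encoded = name.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded           # rest of the 60 bytes stays NULL
    struct.pack_into("<I", buf, 0x4C, path_hash)
    slots = [datetime_to_filetime(t) for t in run_times] + [0] * (8 - len(run_times))
    struct.pack_into("<8Q", buf, 0x80, *slots)
    struct.pack_into("<I", buf, 0xD0, run_count)
    return bytes(buf)


def analyze_sample():
    """cmd.exe run three times: newest run in slot 0, older runs pushed toward 0xB8."""
    runs = [datetime(2013, 9, 21, 22, 53, tzinfo=timezone.utc),
            datetime(2013, 9, 20, 9, 15, tzinfo=timezone.utc),
            datetime(2013, 9, 19, 18, 0, tzinfo=timezone.utc)]
    data = build_sample_prefetch("CMD.EXE", 0x11223344, runs, 3)   # 0x11223344 is a made-up hash
    header = parse_win8_prefetch_header(data)
    return header, filename_matches_header("CMD.EXE-11223344.pf", header)


if __name__ == "__main__":
    hdr, ok = analyze_sample()
    print("%s run %d times, file name consistent with header: %s" % (hdr["name"], hdr["run_count"], ok))
    for i, t in enumerate(hdr["last_runs"]):
        print("  slot %d (offset 0x%02X): %s" % (i, 0x80 + 8 * i, t))
```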
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
Well this concludes the first portion of my foray into the Windows 8 Prefetch File Structure. My next post will discuss the different sections contained within prefetch files, and what information can be found in each section.<br />
<br />
<b><span style="font-size: x-large;">R2D2 Memory Sample Analysis</span></b><br />
<i>Posted 2013-08-15</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjeN2v3OeZqIA6VoJTLAPb_O2GWaYyzp4sZyWjLU1GJCxIb12TR7qIvRrVuFC5eZUXhg_drhrF_ngJc0me4g5uqIQMwm3ehD7GM-2wQ6LQtksWhZnxLKukGAAn73_tNortjsp8bRpX87k/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjeN2v3OeZqIA6VoJTLAPb_O2GWaYyzp4sZyWjLU1GJCxIb12TR7qIvRrVuFC5eZUXhg_drhrF_ngJc0me4g5uqIQMwm3ehD7GM-2wQ6LQtksWhZnxLKukGAAn73_tNortjsp8bRpX87k/s1600/images.jpg" height="200" width="121" /></a></div>
<br />
<b><span style="font-size: x-large;">Introduction</span></b><br />
One of the skills I have been learning over the past year and a half or so is memory analysis.<br />
<br />
For those of you who don't know, Volatility's Google Code page has made quite a few memory samples available for test analysis. I stumbled upon them this evening, and I figured I'd try to tear one apart for an hour or so, and see where that got me.<br />
<br />
The sample I decided to begin with, at random, was the one titled R2D2 (cool-sounding name).<br />
<br />
For my analysis I used Volatility 2.2 and SANS' Ubuntu SIFT Workstation VM.<br />
<br />
<br />
<b><span style="font-size: x-large;">Setup</span></b><br />
Personally I don't like to look at long command lines, so the first order of business during memory analysis is to set up my Volatility environment variables (VOLATILITY_LOCATION & VOLATILITY_PROFILE). Initially the profile (OS/Service Pack/Architecture) is not known, so I settle for setting the location with the following command:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY1ygvSs2snwcyuSyD0sIrXQHCk24RXnnaM4gbWq0m4Y9UG-Afu96-NpX0fxzs054F7MXy-RJkv9NMCjTD9MuypTmI8BBpjlUetLrHLWfgZ_8d0Na8rOSYREX-gBPHxS0IvQIFAzgkF0g/s1600/volatility_location.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY1ygvSs2snwcyuSyD0sIrXQHCk24RXnnaM4gbWq0m4Y9UG-Afu96-NpX0fxzs054F7MXy-RJkv9NMCjTD9MuypTmI8BBpjlUetLrHLWfgZ_8d0Na8rOSYREX-gBPHxS0IvQIFAzgkF0g/s1600/volatility_location.png" height="12" width="640" /></a></div>
<br />
Once the location is set we can start using Volatility! The great news is that Volatility already knows what image we want to analyze because of the variable we just set. The first plugin that should be run during memory analysis is imageinfo. imageinfo provides us with the image's profile, which is a crucial piece of information when using Volatility. Specifying a profile tells Volatility what data structures to expect when parsing the image. To execute the imageinfo plugin you simply type:<br />
<br />
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk5qKFo6MjlL3nrLqOZxYYNrnRkS5jkq5WI9zDEDjZVWBpEQqSLe81qITB6gX-y9FbEOwS-3laxSnaD2HBR5HF-ldhURmzuM2P57PTIq-mUsXtKikOypNDMbHmr9aNAzP8vqEGys29fEE/s1600/imageinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk5qKFo6MjlL3nrLqOZxYYNrnRkS5jkq5WI9zDEDjZVWBpEQqSLe81qITB6gX-y9FbEOwS-3laxSnaD2HBR5HF-ldhURmzuM2P57PTIq-mUsXtKikOypNDMbHmr9aNAzP8vqEGys29fEE/s1600/imageinfo.png" height="218" width="640" /></a></div>
</div>
<br />
Now that we have found the suggested profile we can specify our VOLATILITY_PROFILE environment variable:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimRCaSzJiJEwR9f1XkV1-GAY4GPVqoH90v_yKq9Y7NTioMcWamXtOPi9YLEcNAXCQ4g56cXF_8Nh4WKq-JSfv3WRmrOAlYhOT3gvm_DgOQTw0z-tkm8iu6dbybGuI9kyOx481zPj6epBY/s1600/volatility_profile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimRCaSzJiJEwR9f1XkV1-GAY4GPVqoH90v_yKq9Y7NTioMcWamXtOPi9YLEcNAXCQ4g56cXF_8Nh4WKq-JSfv3WRmrOAlYhOT3gvm_DgOQTw0z-tkm8iu6dbybGuI9kyOx481zPj6epBY/s1600/volatility_profile.png" height="12" width="640" /></a></div>
<br />
<b><span style="font-size: x-large;">Analysis</span></b><br />
Ok, we have handled all the necessary setup, and now it is time to roll up our sleeves and dig into some R2D2 memory analysis. I like to start my analysis looking for low-hanging fruit (processes, network connections, services, and drivers). These are the most tangible artifacts, and we tend to have the most experience with them. I began with the pstree plugin to see a hierarchical view of the processes relative to their parent process:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyiS23RtRYb4kmjXja6O8d1v4XChpuTxMCNQ4zjENc_WD9CPmr8CP-10oCkne7mhkHO6ngqQUsdlO_W2lA3Ed50EwRwHGgA5-mipBs3IntST4ciGozL2LncydaUL-F83T_iS5koeHXJnI/s1600/pstree.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyiS23RtRYb4kmjXja6O8d1v4XChpuTxMCNQ4zjENc_WD9CPmr8CP-10oCkne7mhkHO6ngqQUsdlO_W2lA3Ed50EwRwHGgA5-mipBs3IntST4ciGozL2LncydaUL-F83T_iS5koeHXJnI/s1600/pstree.png" height="316" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
Initially nothing stuck out from the process tree, so I moved on to psxview. The psxview plugin queries process data structures using 4 or 5 different methods. The output contains a list of processes, and tells the analyst whether each method was successful in detecting the process or not. For example, if a process is found using the pslist method (follows the linked list from one EPROCESS structure to another), but not using the psscan method (search for EPROCESS structures regardless of linked list), then it is a good indication the system has been manipulated (possibly by a rootkit using DKOM techniques). You can use the psxview plugin like so:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvTZeTNwUlCI_kfs5zZB9Gj0GVgwrXhWo2AcS0RRRhDlH9gs4ZS3XdetUiGx3EXHHSsTkzMgU3kl_KSl7V6iVmKQzTWeOWUgbU-ILI9r4a2uWcEE9MtsXWC8m90U_fWRt5KcEqjwU8cAc/s1600/psxview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvTZeTNwUlCI_kfs5zZB9Gj0GVgwrXhWo2AcS0RRRhDlH9gs4ZS3XdetUiGx3EXHHSsTkzMgU3kl_KSl7V6iVmKQzTWeOWUgbU-ILI9r4a2uWcEE9MtsXWC8m90U_fWRt5KcEqjwU8cAc/s1600/psxview.png" height="416" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
This sample appears to have no hidden processes.</div>
<br />
It is always a good idea to see what network traffic was occurring at the time of the memory capture. The connscan plugin will parse connection information from the image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ5Zu_J01NmvnfIOlTZS8mDKi5RQwBFXhFjQNUfIMe2L7sy-H_Vw-97rMtT_ZqLmen-9rbmLQrXwwBBkS4TDWzU73JYDvTu9OK1im9aS97v_B2UgeV3tJyX1riy1JNiLxrTIlbpeko9wQ/s1600/connscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ5Zu_J01NmvnfIOlTZS8mDKi5RQwBFXhFjQNUfIMe2L7sy-H_Vw-97rMtT_ZqLmen-9rbmLQrXwwBBkS4TDWzU73JYDvTu9OK1im9aS97v_B2UgeV3tJyX1riy1JNiLxrTIlbpeko9wQ/s1600/connscan.png" height="86" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
It appears there was an established connection from the <b>localhost</b> on local port <b>1026</b> to <b>172.16.98.1</b> on port <b>6666</b>. This connection was established by<b> PID 1956</b> or <b>explorer.exe</b> (correlated from pstree output). This connection is suspicious because <b>explorer.exe</b> does not typically make network connections, so this connection lets us know that <b>explorer.exe</b> is probably our process of interest.<br />
<br />
Using the output of pstree we see that cmd.exe is a child process of explorer.exe, and it might be nice to see what commands were issued to that cmd shell. One cool plugin is cmdscan (or consoles for Windows 7 and Server 2008). The cmdscan plugin parses the command history buffer located in csrss.exe (or conhost.exe on Windows 7 and Server 2008), and returns any commands that remain in the memory buffer. Below is the command line usage for cmdscan:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyHpDLZtVBrKtiF_PBHYmzO40GSrFv2QjsbQiLhgsWrt6WceERFbmCrO9nipVvPaJh56wUtn0t3nOYkX4vcSoRa8CLJBrwWmenFF_FKusFYv2QBQ5ezQUJE2kDWhgziWBdyj0C3J1HAE/s1600/cmdscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyHpDLZtVBrKtiF_PBHYmzO40GSrFv2QjsbQiLhgsWrt6WceERFbmCrO9nipVvPaJh56wUtn0t3nOYkX4vcSoRa8CLJBrwWmenFF_FKusFYv2QBQ5ezQUJE2kDWhgziWBdyj0C3J1HAE/s1600/cmdscan.png" height="168" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
In the command history buffer were two commands "<b>sc query malwar</b>" and "<b>sc query malware</b>" (Just what we were looking for!). It appears the attacker was checking on the registration details for a service named <b>malware</b>. At this point the service name is a good indicator of malicious activity, but I've seen some pretty strange things in the past.<br />
<br />
To enumerate that service information we can check the <b>HKLM\SYSTEM\ControlSet001\Services</b> registry key for the "<b>malware</b>" service's registration details. We have to first find the virtual memory address of the System hive, which we can do using the hivelist plugin.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh-8DDpFdYsC_GJPQl6hKxUy-FIsY9sBQohh7kmNUloOAO5rqQGKzyJ-qRhotWMBdjKAWMs0BlW8TJF6ga1yqJ8xVpFVt_wS9Fk3ZzYl40cqrMl2ZQYuLYmRAEz-WfZJDdmthIxPSo3yw/s1600/hivelist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh-8DDpFdYsC_GJPQl6hKxUy-FIsY9sBQohh7kmNUloOAO5rqQGKzyJ-qRhotWMBdjKAWMs0BlW8TJF6ga1yqJ8xVpFVt_wS9Fk3ZzYl40cqrMl2ZQYuLYmRAEz-WfZJDdmthIxPSo3yw/s1600/hivelist.png" height="266" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once we have the virtual address (<b>0xe1018388</b>) we can enumerate the key <b>ControlSet001\Services\malware</b> using the printkey plugin.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmdzAtRzFsSbvhwiQJvLVLPJzVPn8azAvAy8OhlJWF1lepR3UMEvqAQV4s-UcngTzw0yQi_OZSW992yMN74F_Q_zLM1XeP1dvmUXMJT2QEtc27-9_XlLCvdvWX0xpu6vf6wBG61ssYP0/s1600/printkey-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmdzAtRzFsSbvhwiQJvLVLPJzVPn8azAvAy8OhlJWF1lepR3UMEvqAQV4s-UcngTzw0yQi_OZSW992yMN74F_Q_zLM1XeP1dvmUXMJT2QEtc27-9_XlLCvdvWX0xpu6vf6wBG61ssYP0/s1600/printkey-malware.png" height="188" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Looking at the malware service we notice the service's image path was <b>C:\WINDOWS\system32\drivers\winsys32.sys</b> with a start type of 1, which according to <span style="color: blue;"><a href="http://support.microsoft.com/kb/103000">Microsoft</a></span> "represents a driver to be loaded at kernel initialization". This appears to be the persistence mechanism.<br />
<br />
Now we need to learn more about this apparent driver, and maybe even grab a copy of it for ourselves. Using Volatility's svcscan we can gather more information about the "<b>malware</b>" service.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDXEwAV76jaAuW5sh0Z_k22WtjfGeEgr0dv0Mtn_klITagO3bQ3_9qWZeFD7JSvoRb799Qbiy2gkZJ5iAu1R0DLPgA88dA1lyHcTCXSJyL6G9l3QLDqNGPWXqXTOupkflpU0zWgc-FdLw/s1600/svcscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDXEwAV76jaAuW5sh0Z_k22WtjfGeEgr0dv0Mtn_klITagO3bQ3_9qWZeFD7JSvoRb799Qbiy2gkZJ5iAu1R0DLPgA88dA1lyHcTCXSJyL6G9l3QLDqNGPWXqXTOupkflpU0zWgc-FdLw/s1600/svcscan.png" height="200" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
The results show that the driver object associated with this service is <b>\driver\malware</b>. We can now work toward grabbing a copy of the running driver. First we run driverscan to obtain the starting (base) memory address of the driver.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk0lRxUjsaRTlsGKMRyAj7wMh4rRhlANBXQLdLx7sffAnU5COkqxPxEZ_Ec8Vx-Luq4tRcickzw0Mj_48xQcgzxLdh1FFzDHvA5le3J2fT6CdbJp_MOzXO8XrPm08jy419tNYAFhjCaN0/s1600/driverscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk0lRxUjsaRTlsGKMRyAj7wMh4rRhlANBXQLdLx7sffAnU5COkqxPxEZ_Ec8Vx-Luq4tRcickzw0Mj_48xQcgzxLdh1FFzDHvA5le3J2fT6CdbJp_MOzXO8XrPm08jy419tNYAFhjCaN0/s1600/driverscan.png" height="38" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
Once the address is obtained (<b>0xf9eb4000</b>) we can use moddump to dump the driver, passing that base address with the -b parameter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMA_rmaz0N76ePxMy88IUaDdzEsChpKL_7cfsKXjZ_k0EXQtAo1D3BjaWw2Ck49hFhttaJDAb0b4NcFovH63yKLKQJlI-6I0cqMcqkoYDKBfMF7cRYAIDlm0QXa1P2OEb2DRHNbJ6rcSQ/s1600/moddump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMA_rmaz0N76ePxMy88IUaDdzEsChpKL_7cfsKXjZ_k0EXQtAo1D3BjaWw2Ck49hFhttaJDAb0b4NcFovH63yKLKQJlI-6I0cqMcqkoYDKBfMF7cRYAIDlm0QXa1P2OEb2DRHNbJ6rcSQ/s1600/moddump.png" height="62" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
We now have a copy of the suspected malicious driver (<b>winsys32.sys</b>), which we can pass to Virus Total (if we think it has been seen before) or to our reverse engineers. I submitted the driver to Virus Total, and it was flagged by 14/35 anti-virus programs as the R2D2 backdoor.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp5d4UePMqfE3XwTO7HbevxS8MZUjrkb92mVn2FZiH8URYKHVssDBiOteMbKKsJ8S5DDxA0mKGxYedPK7iuDhnOd2OFa8j714JPXaNc4iCLI4z3ypwrh4LXPvTOPlAfxGfVSUZb_FWz_U/s1600/winsys32.sysVT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp5d4UePMqfE3XwTO7HbevxS8MZUjrkb92mVn2FZiH8URYKHVssDBiOteMbKKsJ8S5DDxA0mKGxYedPK7iuDhnOd2OFa8j714JPXaNc4iCLI4z3ypwrh4LXPvTOPlAfxGfVSUZb_FWz_U/s1600/winsys32.sysVT.png" height="438" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
We can perform rudimentary analysis of the driver using the strings utility.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifpka3KOjHwCrF8Twd8frjEDTMXRsU28MXs-qN-UA_OEKys5dBCoxcwg9NQT6-K1UugF2v3HFMHK3n73Y2DIAA3woQdJKrhr4vQ5PqMgDa-v7gcg7FaSpdB-y4alYLTCK3c4quS95pH3w/s1600/strings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifpka3KOjHwCrF8Twd8frjEDTMXRsU28MXs-qN-UA_OEKys5dBCoxcwg9NQT6-K1UugF2v3HFMHK3n73Y2DIAA3woQdJKrhr4vQ5PqMgDa-v7gcg7FaSpdB-y4alYLTCK3c4quS95pH3w/s1600/strings.png" height="48" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Below is an example of viewing the ASCII strings contained within the malicious file.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8PCOkCwuuHMATaNFszq-3pYGxedTXjH1z5qVfUHUtU9l1qrXjCDzxq5ygHeRCWn2BYzD6ARzMlVA8Zp9ikHxcEyD9-avFy8ccgZxzblfUIWiDMbsGrtifkFSw44r2NFHunKI_-vmYRMc/s1600/driverstrings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8PCOkCwuuHMATaNFszq-3pYGxedTXjH1z5qVfUHUtU9l1qrXjCDzxq5ygHeRCWn2BYzD6ARzMlVA8Zp9ikHxcEyD9-avFy8ccgZxzblfUIWiDMbsGrtifkFSw44r2NFHunKI_-vmYRMc/s1600/driverstrings.png" height="640" width="498" /></a></div>
<div style="text-align: center;">
<br /></div>
Earlier we found a suspicious network connection coming from <b>explorer.exe</b>. We know <b>explorer.exe</b> to be a legitimate process, so we may want to look for DLL injection as a possible avenue of infection. We can list <b>explorer.exe</b>'s loaded modules using the dlllist plugin.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbj9wKmTUW0G_dAZBIW-UeHgCVbQLcolujFdKpPNAtWpV2l5nWH5lBw23zJyfent3iLQVI1QEeOfyyevQuZ7DYrm1H07D3EVcuA_1-V9QfBYnaevlUaHKQpy2nxDde_PunSu8ffgMQT0/s1600/dlllist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbj9wKmTUW0G_dAZBIW-UeHgCVbQLcolujFdKpPNAtWpV2l5nWH5lBw23zJyfent3iLQVI1QEeOfyyevQuZ7DYrm1H07D3EVcuA_1-V9QfBYnaevlUaHKQpy2nxDde_PunSu8ffgMQT0/s1600/dlllist.png" height="640" width="608" /></a></div>
<div style="text-align: center;">
<br /></div>
One module (<b>mfc42ul.dll</b>) stands out because its virtual address is so different from the other modules' (<b>0x10000000 vs 0x70000000</b>). I am unsure whether this is a valid indicator of DLL injection or just a coincidence, but I submitted the module to Virus Total, and the DLL was flagged as being associated with the same R2D2 backdoor.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxosFw922UvDNG-RWQ0RFwcLGTMToHmvWf2jUbBfXlWQosl5Qt6oNzGXmQcY5Kruq-UiooRKnx-y9ZWhT6CcjUjlkl53xd7Px1-RIVSQJUB5be4N2ugwblWP3IxofAsEzBTu9XjWx5rfw/s1600/moddumpdll.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxosFw922UvDNG-RWQ0RFwcLGTMToHmvWf2jUbBfXlWQosl5Qt6oNzGXmQcY5Kruq-UiooRKnx-y9ZWhT6CcjUjlkl53xd7Px1-RIVSQJUB5be4N2ugwblWP3IxofAsEzBTu9XjWx5rfw/s1600/moddumpdll.png" height="62" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixdON3wAb4hPrsIOLd0pllJJRnPjpKcT80fxyUwNOQZUm0TLXgQea-lIlS3Fi_LDJokYscq-FU0-HMm5VMugdcEHdVc-nrsqYDAxMvFeFgeNAne20f9NbMA7HsSV77eAGP_6CP043tyKI/s1600/mfcVT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixdON3wAb4hPrsIOLd0pllJJRnPjpKcT80fxyUwNOQZUm0TLXgQea-lIlS3Fi_LDJokYscq-FU0-HMm5VMugdcEHdVc-nrsqYDAxMvFeFgeNAne20f9NbMA7HsSV77eAGP_6CP043tyKI/s1600/mfcVT.png" height="440" width="640" /></a></div>
<br />
<br />
NOTE: In the ASCII strings output of the malicious driver (<b>winsys32.sys</b>) we find references to the malicious module (<b>mfc42ul.dll</b>).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8PCOkCwuuHMATaNFszq-3pYGxedTXjH1z5qVfUHUtU9l1qrXjCDzxq5ygHeRCWn2BYzD6ARzMlVA8Zp9ikHxcEyD9-avFy8ccgZxzblfUIWiDMbsGrtifkFSw44r2NFHunKI_-vmYRMc/s1600/driverstrings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8PCOkCwuuHMATaNFszq-3pYGxedTXjH1z5qVfUHUtU9l1qrXjCDzxq5ygHeRCWn2BYzD6ARzMlVA8Zp9ikHxcEyD9-avFy8ccgZxzblfUIWiDMbsGrtifkFSw44r2NFHunKI_-vmYRMc/s1600/driverstrings.png" height="640" width="498" /></a></div>
<br />
Quick triage of the DLL turns up strings that indicate HTTP functionality, as well as the string "<b>C3P0-r2d2-POE</b>", which appears to be where this malware got its name.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPS9HzOZjKKooonhS6Mos3BUbq0fgqKjyQB_-MbGrJmeEV5lQnpe6e_UkmbrvEwFOFW8JGaJiN4gztQTytmQpskR3pqSE-whO1elXegGXEDvBUOuHc1rTGIOhN_fp7H7DtCxS9E2jVp2k/s1600/stringsdll.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPS9HzOZjKKooonhS6Mos3BUbq0fgqKjyQB_-MbGrJmeEV5lQnpe6e_UkmbrvEwFOFW8JGaJiN4gztQTytmQpskR3pqSE-whO1elXegGXEDvBUOuHc1rTGIOhN_fp7H7DtCxS9E2jVp2k/s1600/stringsdll.png" height="22" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQirji9xSE03gvR_zo9YXdWh5vwIxGU32cDY_8NzIqCXgbEAA2JLfYhXUWQ63ZAYgxx0u7lrC-5h-6TuK0fXmns9fwd7tOvMxxE0xpzdymOxzSr3ASa6Lszag0azpLcsFVb3zakExtxV4/s1600/dllstringsr2d2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQirji9xSE03gvR_zo9YXdWh5vwIxGU32cDY_8NzIqCXgbEAA2JLfYhXUWQ63ZAYgxx0u7lrC-5h-6TuK0fXmns9fwd7tOvMxxE0xpzdymOxzSr3ASa6Lszag0azpLcsFVb3zakExtxV4/s1600/dllstringsr2d2.png" height="640" width="254" /></a></div>
<div style="text-align: center;">
<br /></div>
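As an added example that is not part of the original post, here is a PowerShell pass over dlllist-style output that surfaces the base-address oddity noted above and turns it into a repeatable triage check. The listing it parses is constructed to mimic Volatility 2 dlllist output (the PID and the benign entries are made up), and the function names ConvertFrom-DllList and Find-OutlierModule are chosen here, not Volatility's.

```powershell
# Added example, not code from the original post: triage a Volatility 2 dlllist
# listing for modules whose load address sits apart from the system DLL cluster,
# the observation the post makes about mfc42ul.dll (0x10000000 vs 0x70000000).
# The sample text below is constructed to mimic dlllist output; it is not the
# post's screenshot. The rules are heuristics for prioritising review, not proof
# of injection (the author was right to be cautious about that).

function ConvertFrom-DllList {
    # Parse dlllist text into one object per loaded module
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $process = $null
    foreach ($line in $Lines) {
        # Block header for each process, e.g. "explorer.exe pid:   1444"
        if ($line -match '^(?<name>\S+)\s+pid:\s+(?<pid>\d+)') {
            $process = @{ Name = $Matches['name']; Pid = [int]$Matches['pid'] }
            continue
        }
        # Module rows: Base  Size  LoadCount  Path  (the path may contain spaces)
        if ($line -match '^(?<base>0x[0-9a-f]+)\s+(?<size>0x[0-9a-f]+)\s+(?<count>0x[0-9a-f]+)\s+(?<path>.+)$') {
            New-Object PSObject -Property @{
                Process   = $process.Name
                Pid       = $process.Pid
                Base      = [Convert]::ToUInt64($Matches['base'], 16)
                Size      = [Convert]::ToUInt64($Matches['size'], 16)
                LoadCount = [Convert]::ToUInt64($Matches['count'], 16)
                Path      = $Matches['path'].Trim()
            }
        }
    }
}

function Find-OutlierModule {
    # Flag modules loaded at the default (non-system) DLL ImageBase or from
    # outside the system directory. Both are reasons to look closer, nothing more.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Module,
        [uint64]$DefaultDllBase = 0x10000000,   # MSVC's default preferred ImageBase for DLLs
        [string]$SystemDir = 'C:\WINDOWS\system32'
    )
    process {
        if ($Module.Path -like '*.exe') { return }   # the process image itself, listed first
        $reasons = @()
        if ($Module.Base -eq $DefaultDllBase) {
            $reasons += 'loaded at the default non-system ImageBase 0x10000000'
        }
        if ($Module.Path -notlike "$SystemDir\*") {
            $reasons += "path outside $SystemDir"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Process = $Module.Process
                Pid     = $Module.Pid
                Base    = '0x{0:x8}' -f $Module.Base
                Path    = $Module.Path
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample in the shape of dlllist output (not the post's real listing);
# the PID and the benign module entries are made up for this example.
$sample = @'
************************************************************************
explorer.exe pid:   1444
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x0ff000     0xffff C:\WINDOWS\Explorer.EXE
0x7c900000   0x0b2000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000   0x0f6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000   0x09b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x10000000   0x02a000        0x1 C:\WINDOWS\system32\mfc42ul.dll
'@ -split "`r?`n"

$modules = ConvertFrom-DllList -Lines $sample

# Show how far the flagged module sits from the rest of the DLLs
$sorted = $modules | Where-Object { $_.Path -like '*.dll' } | ForEach-Object { $_.Base } | Sort-Object
'DLL base range: 0x{0:x8} .. 0x{1:x8}' -f $sorted[0], $sorted[-1]

$modules | Find-OutlierModule | Select-Object Process, Pid, Base, Path, Reason | Format-Table -AutoSize
```

On the constructed sample only mfc42ul.dll is reported (for its 0x10000000 base); a module loaded from a user profile or temp directory would be reported for its path as well.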
That wraps up my analysis of the R2D2 backdoor. Upon completion of my analysis, I stumbled upon evild3ad's blog post documenting his analysis of the same sample. Please check <a href="http://www.evild3ad.com/1136/volatility-memory-forensics-federal-trojan-aka-r2d2/"><span style="color: blue;">it</span></a> out!<br />
<br />
If anyone has additional details I missed, or has any feedback to improve my methodology it would be greatly appreciated.<br />
<br />
<div style="text-align: center;">
<br /></div>
Posted by Anonymous (http://www.blogger.com/profile/00418494025739956012), published 2013-07-29T20:38:00.002-07:00, updated 2015-04-29T15:48:02.440-07:00<br />
<b>PowerShell Intro</b><br />
Before covering how Incident Responders can leverage Windows PowerShell, I thought it would be appropriate to provide a small introduction for those who are not familiar with all the cool things that can be done through PowerShell.<br />
<br />
<b>What is PowerShell:</b><br />
Windows PowerShell is Microsoft's answer to our cries for a better scripting environment and command shell. Scripting in PowerShell is much more intuitive than batch, and although PowerShell has some Microsoft-centric quirks, it more closely resembles other interpreted languages like Python. Microsoft has made the entire .NET Framework available through PowerShell, which gives a great deal of flexibility to those who want to take on development. Through PowerShell, Microsoft has without a doubt opened many doors for Forensicators and Incident Responders.<br />
<br />
PowerShell introduces two features which make scripting significantly easier. The first is tab completion; readers familiar with Unix will understand how nice tab completion can be. If you do not know the exact command syntax, all you have to do is press Tab and PowerShell will do the work for you. The second, and in my opinion most important, feature is the object-oriented nature of PowerShell. PowerShell commands (cmdlets) return .NET objects, which can be manipulated to display the desired results. These two features alone make scripting in PowerShell easier and more logical than batch or VB scripting.<br />
<br />
<b>PowerShell History:</b><br />
To better understand Windows PowerShell's origins, refer to Jeffrey Snover's <a href="http://blogs.msdn.com/b/powershell/archive/2007/03/19/monad-manifesto-the-origin-of-windows-powershell.aspx"><span style="color: blue;">Monad Manifesto</span></a>. The manifesto describes the Monad platform, one part of which was the Monad Shell. The Monad Shell is the brainchild that would eventually morph into PowerShell.<br />
<b><br /></b>
<b>Availability:</b><br />
PowerShell version 2.0 is available on Windows 7 and Windows Server 2008 by default. Depending on your patching you may have version 2.0 if you are running Windows XP SP3, Windows Vista SP1, or Windows Server 2003 SP2. If you have a pre-Windows 7 host that does not have PowerShell, you can find the appropriate patches <a href="http://support.microsoft.com/kb/968929"><span style="color: blue;">here</span></a>. PowerShell version 3.0 is available on Windows 8 and Windows Server 2012, and version 4.0 will be introduced with Windows 8.1 Beta and Windows Server 2012 R2. To learn more about the additions to PowerShell in versions <a href="http://powershell.org/wp/2012/12/11/new-powershell-3-0-video-training-course/"><span style="color: blue;">3.0</span></a> and <a href="http://powershell.org/wp/2013/06/05/more-powershell-v4-and-dsc-details/"><span style="color: blue;">4.0</span></a>, click the links embedded in their version numbers.<br />
<b><br /></b>
<b>Environments:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg691g31tuK8e4Qh7SAx_UAHgkzSPa3cy6Np1rparfWNU72MxgrIYoghNpm-R3NhwG_nFhEEFBCpj0vIdZL6v4IeaA6kCF5cQuhnY3Q8NkDRGwb4HqunsMlXlOL6e0wWdKOreggZliQA28/s1600/PowerShell.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg691g31tuK8e4Qh7SAx_UAHgkzSPa3cy6Np1rparfWNU72MxgrIYoghNpm-R3NhwG_nFhEEFBCpj0vIdZL6v4IeaA6kCF5cQuhnY3Q8NkDRGwb4HqunsMlXlOL6e0wWdKOreggZliQA28/s1600/PowerShell.PNG" /></a></div>
<div style="text-align: center;">
<br /></div>
PowerShell provides users two main environments, the Command Line Interface (CLI) and the Integrated Scripting Environment (ISE). <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg90lJKATRaAMrCwbgfrjqEhjeycdrLkZt-56fzp9638aNSf1hnpMhPpbn08tR0F_LBo1IUpHUMKnf5Lv60KWyv0sqbMMfWky5OG6fVcwxkTj3s9kJzcdXKypztZrMd-WW363_Ya_gIPws/s1600/PS.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg90lJKATRaAMrCwbgfrjqEhjeycdrLkZt-56fzp9638aNSf1hnpMhPpbn08tR0F_LBo1IUpHUMKnf5Lv60KWyv0sqbMMfWky5OG6fVcwxkTj3s9kJzcdXKypztZrMd-WW363_Ya_gIPws/s640/PS.png" height="395" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Windows PowerShell (CLI)</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjH2xBZwViJk1SqP2b7fiIezo7yc9Zk5GEzYMI4A7blhyphenhyphenwfJqQP8-Rju16_wgHWZfxtvBcHRPB0Txy4HkpWIO380B0Msgx14cvvpKpMSVH921isbfljHQZo0Ekn7VNNEFpW0QRl9ZHwDo/s1600/PSISE.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjH2xBZwViJk1SqP2b7fiIezo7yc9Zk5GEzYMI4A7blhyphenhyphenwfJqQP8-Rju16_wgHWZfxtvBcHRPB0Txy4HkpWIO380B0Msgx14cvvpKpMSVH921isbfljHQZo0Ekn7VNNEFpW0QRl9ZHwDo/s640/PSISE.PNG" height="390" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Windows PowerShell ISE</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
The CLI is your go-to interface for PowerShell. You can treat it exactly the same as the Windows Command Shell (in fact, if you enter a native Windows command, PowerShell will automatically spawn a Command Shell and execute the command for you). The CLI's utility begins to run out when you want to introduce logic or use more than one line, which is why Microsoft gives us the ISE. The ISE is enabled by default on Windows 7, but on Server 2008 you must <a href="http://www.jonathanmedd.net/2011/02/powershell-ise-not-installed-by-default-in-windows-server-2008-r2.html"><span style="color: blue;">install the Windows PowerShell Integrated Scripting Environment (ISE) feature</span></a>. The ISE provides, as the name implies, an environment that is fairly useful for writing, testing, and debugging scripts. As seen in the picture above, the ISE has three panes. The pane on the right is the script pane, where users can author scripts with niceties like tab completion. The bottom-left pane is the console pane, which is used practically identically to the Windows PowerShell CLI. The top-left pane is the output pane, which is where output is written by default (PowerShell supports many different output formats, such as text, CSV, HTML, and XML).<br />
<b><br /></b>
<b>Cmdlet Naming Convention:</b><br />
All PowerShell cmdlets follow a standard naming convention called verb-noun. Each cmdlet name consists of a verb followed by a dash (-) and a singular noun. Some example cmdlet names are <b>Get-Process</b>, <b>Stop-Service</b>, <b>Set-Variable</b>, and <b>New-Object</b>. <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428%28v=vs.85%29.aspx">MSDN has a list of each approved verb and its meaning</a>.<br />
<b><br /></b>
<b>3 Cmdlets to Rule them All:</b><br />
There are three cmdlets that will enable new users to use every other cmdlet available in Windows PowerShell. <br />
<br />
The first cmdlet every PowerSheller should know is <b>Get-Command</b>. This cmdlet returns a list of every cmdlet available in the current shell. <b>Get-Command</b> can be used alone, or, if you are looking for a specific type of cmdlet, you can use the -Verb parameter to look specifically for cmdlets that perform a certain action, and the -Noun parameter to show all cmdlets pertaining to a specific type of object. <br />
<br />
The second important cmdlet is <b>Get-Help</b>, which is the equivalent of the Linux man command. This cmdlet returns the help file, which contains syntax, parameter descriptions, and usage examples.<br />
Once you have found the cmdlet you want to use, and have determined the proper syntax it is important to understand what output you will receive. <br />
<br />
As mentioned earlier, PowerShell is object oriented, so each cmdlet returns an object with a series of properties and methods. The cmdlet <b>Get-Member</b> accepts an object as a parameter and returns the properties and methods of that object. The most common syntax for <b>Get-Member</b> is <span style="font-family: Courier New, Courier, monospace;">Get-Process | Get-Member</span>, which provides the output of <b>Get-Process</b> as the input object for <b>Get-Member</b>.<br />
<br />
<b>PS Drives:</b><br />
One final feature readers should be aware of is how PowerShell deals with structured system data. PowerShell has a feature known as PSDrives, through which it treats structured system data (i.e. the Windows Registry) as if it were the file system. Additionally, PSDrives do not require single-letter names, so you can name your data drive "Data" instead of "D:\".<br />
<br />
To enumerate all PSDrives on the system use the cmdlet <b>Get-PSDrive</b>. Below is some example output of the Get-PSDrive cmdlet. As you can see, there are many PSDrives available in the current PowerShell session, such as the Local Machine and Current User registry hives, as well as shell variables and aliases. PowerShell treats all data as items, and the PSDrive concept allows administrators to learn one method that will work for files, registry, environment variables, etc.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuKWhmV_j8Wara0RD6GHjSVW7INm8JZuOb8XV3dM9Z_hfvfQTjDoGZIupVP20J_wHAZAf9IMD63gyfluzDj5fwEZlrkeRpInsIAY5InmiYxx_VxZ92G0mHEYLdJmqY_SQ3kzSBRbEa0z8/s1600/psdrive.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuKWhmV_j8Wara0RD6GHjSVW7INm8JZuOb8XV3dM9Z_hfvfQTjDoGZIupVP20J_wHAZAf9IMD63gyfluzDj5fwEZlrkeRpInsIAY5InmiYxx_VxZ92G0mHEYLdJmqY_SQ3kzSBRbEa0z8/s640/psdrive.png" height="302" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
<div style="text-align: center;">
<br /></div>
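As an added example (not the post's own code), here are the three cmdlets and the registry PSDrive put to DFIR use: the same services key the R2D2 post enumerated from a memory image with printkey, read from a live host. Get-KernelStartService is a hypothetical helper name chosen for this example, and the code assumes Windows PowerShell 2.0 or later on a Windows host.

```powershell
# Added example, not code from the original post: the three "rule them all"
# cmdlets and the registry PSDrive applied to the services key the R2D2 post
# enumerated with Volatility's printkey. On a live host that key is one PSDrive
# path away. Get-KernelStartService is a hypothetical helper name chosen here.
# Works on Windows PowerShell 2.0+ (hence New-Object rather than [pscustomobject]).

# 1. Discovery: cmdlets for a verb or noun you already have in mind
Get-Command -Verb Get -Noun PSDrive
Get-Command -Noun ItemProperty

# 2. Syntax and parameter help, the man-page equivalent
Get-Help Get-ItemProperty -Parameter Path

# 3. Learn what the objects look like before filtering on them
Get-PSDrive | Get-Member -MemberType Property

function Get-KernelStartService {
    # Services whose Start value is 0 (boot) or 1 (system) are drivers loaded at
    # kernel initialisation, the start type the winsys32.sys service used.
    # CurrentControlSet is the live system's link to the ControlSetNNN in use
    # (the memory analysis walked ControlSet001 directly).
    param(
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [int[]]$StartType = @(0, 1)
    )
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        # Each service is a registry key; its values become properties of one object
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and ($StartType -contains $props.Start) -and $props.ImagePath) {
            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Start     = $props.Start
                Type      = $props.Type
                ImagePath = $props.ImagePath
            }
        }
    }
}

# The printkey step from the memory analysis, done live against one service name
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\malware' -ErrorAction SilentlyContinue

# Full enumeration, sorted by image path so drivers living outside the usual
# system32\drivers location are easy to spot in the listing
Get-KernelStartService |
    Select-Object Name, Start, Type, ImagePath |
    Sort-Object ImagePath |
    Format-Table -AutoSize
```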
<b>Further Reading:</b><br />
For those interested in learning a little more in depth about PowerShell basics there is an excellent book written by Don Jones called <a href="http://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617291080/ref=sr_1_1?ie=UTF8&qid=1375156409&sr=8-1&keywords=powershell"><i><span style="color: blue;">Learn Windows PowerShell 3 in a Month of Lunches</span></i></a>. Don Jones is one of, if not the most, respected minds in regard to PowerShell, and he does an excellent job introducing this application to readers through a series of 1 hour lessons or lunches (I read it over a weekend because I was in a hurry to learn as much as possible).
Posted by Anonymous (http://www.blogger.com/profile/00418494025739956012), published 2013-07-25T21:14:00.002-07:00, updated 2013-10-02T18:59:57.589-07:00<br />
<b>SANS FOR 508 Advanced Computer Forensics and Incident Response Review</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1DYz8s9Lyo5jA5Lr-4EzvU0rN6gh61DmwEhjgHfV3_mz6ifj18yyRt-HtdWtow-ollEJnWZl3jCeNgUo95WkUc6Pl1dJisjFgJ9m55hS26LQpamYMgDGLwhYXN_58F8zWxj5fy_AKhcQ/s1600/14379.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1DYz8s9Lyo5jA5Lr-4EzvU0rN6gh61DmwEhjgHfV3_mz6ifj18yyRt-HtdWtow-ollEJnWZl3jCeNgUo95WkUc6Pl1dJisjFgJ9m55hS26LQpamYMgDGLwhYXN_58F8zWxj5fy_AKhcQ/s1600/14379.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
Last week I was lucky enough to attend the <a href="http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response">FOR 508: Advanced Computer Forensics and Incident Response</a> course at SANS' Digital Forensics and Incident Response Summit, as a work study student. The course (508) was taught by Chad Tilbury (<a href="http://www.forensicmethods.com/">Check him out!</a>), and is the brainchild of SANS Fellow Rob Lee. Not only was Chad one of the best, if not the best, instructors I have had in the computer security field, but the course material is second to none. 508 is without a doubt worth the time and money you (or your employer) will invest in it.<br />
<br />
<b>The Concept:</b><br />
508 has recently been retooled to focus on battling the much maligned Advanced Persistent Threat (APT). The class motto is "APT is in your network, start hunting". The APT focus makes it 100% relevant to not just forensic investigators, but to anyone wanting to learn to defend their network. This course is up to date with the latest forensics techniques, in fact, Chad introduced us to tools that were still in beta and methodologies that are still being researched!<br />
<br />
<b>The Material:</b><br />
SANS recommends that students attend <a href="http://www.sans.org/course/computer-forensic-investigations-windows-in-depth">FOR 408: Computer Forensic Investigations - Windows In-Depth</a> before attending 508 (they recommend it for a reason), but if you have a forensics background or are willing to put in a little overtime you should be able to catch up enough to take 508 (508 has more direct application to my needs, although I look forward to attending 408 in the future). Rob Lee says the expectation of 508 students is that they understand conversational forensics (can speak to different forensics artifacts and tools). This course is a smorgasbord of valuable skills and information for incident responders, system administrators, and forensicators alike.
<br />
<br />
On day 1 they cover the physical layers of the file system (from the physical platters to the file name layer that contains file names and a directory structure), and how to properly mount images for analysis (e.g. read-only). Just when you think the first day couldn't cover any more information, the class jumps into the exciting world of Enterprise Analysis and Live System Incident Response (my favorite!!). This portion teaches students about domain authentication, how to secure domain administrator credentials, and many methods of accessing system information on remote hosts (many of my future blog posts will revolve around utilizing PowerShell for "Live System 'Enterprise' Incident Response", for lack of a better term).
<br />
<br />
Day 2 is spent covering memory forensics. SANS offers a course on <a href="http://www.sans.org/course/windows-memory-forensics-in-depth">Memory Forensics</a> that is currently 5 days long and covers the details of memory (memory structures and such), but 508 offers a very practical lesson in how to implement memory forensics TODAY. Students will learn how to acquire memory, as well as how to provide in-depth analysis of the memory once acquired (Day 1 offers insight into a method of analyzing memory without having to first complete the acquisition process... which is awesome!). Memory forensics is absolutely necessary when combating APT, as it is one of the best, if not the only, methods to detect rootkits (<a href="http://jessekornblum.com/publications/ijde06.html">See SANS instructor and FOR 526 author Jesse Kornblum's paper regarding the rootkit paradox</a>). The best part of Day 2 is that it doesn't focus on one method of analyzing memory. Instead 508.2 spends the time to teach students the pros and cons of different tools, and even different methods of using the same tool.
<br />
<br />
Day 3 is dedicated to timeline analysis. No one should be considered a forensicator or incident responder if they do not have an intimate knowledge of timeline analysis (Specifically using log2timeline). Log2timeline came out of a <a href="http://computer-forensics.sans.org/community/papers/gcfa/mastering-super-timeline-log2timeline_5028">GCFA Gold Paper written by Kristinn Guðjónsson</a>, and the community has never looked back. Log2timeline is really a cultural shift in the way we perform investigations, as it aggregates almost every forensic artifact into one timeline that truly tells the story of actions taken on a machine. This is where that 408 knowledge comes in handy... if you do not know how to interpret a specific artifact, then you lose fidelity in your timeline (possibly the opportunity to spot malicious activity).
<br />
<br />
Days 4 and 5 begin with XP Restore Point and Volume Shadow Copy analysis, which can be harnessed for some really cool stuff. We can use these snapshots to add fidelity and depth to our timeline, and we can use them to recover deleted files. Next, Chad covered deep dive forensics (this is where the class dives into the weeds of file system analysis). The class dives into $MFT analysis, which introduces us to a second set of timestamps ($STDINFO), and new artifacts like the NTFS TriForce (<a href="http://hackingexposedcomputerforensicsblog.blogspot.com/search/label/triforce">David Cowen's baby</a>). These artifacts will not be presented in any other course! Day 5 wraps up with methods and techniques for finding unknown malware. Assuming anti-virus fails to detect a threat, what are some methods we can use for detection? FOR 508 introduces and spends half a day discussing the concept of malware funneling, which is the process of reducing data through a series of automated tasks until you have a small enough data set that you can perform manual analysis (<a href="https://www.sans.org/webcasts/finding-unknown-malware-95614">SANS instructor Alissa Torres has an excellent webinar on the subject</a>).
<br />
<br />
<b>The Lab (Day 6):</b><br />
The last day of the class is spent on a team exercise. The team investigates a set of hosts that were part of an intrusion; however, this is not your normal everyday exercise... this is where it gets interesting!<br />
<br />
Rob Lee went all out on this course developing it around an "as real as it gets" scenario. The scenario is about an R&D firm that makes a great discovery, only to be hacked by APT. Students are given four hosts to conduct forensic investigations to determine what happened. Questions like the initial infection vector, when the initial infection occurred, what data was lost, and the current state of the network can be answered.
<br />
<br />
When we talk about this lab it is important to understand the level of detail used to create this virtual network. Not only did the network have hundreds of hosts and thousands of users, Rob Lee went out of his way to ensure this network looked as real as possible (he basically lived with multiple personalities over the course of a year to ensure the systems were used as they would be in a real domain environment). He hired a professional Red Team and trained them up to act like APT, he hired domain architects to build the domain in a professional/secure manner, and he even loaded the systems with some of the <a href="http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results">latest security tools</a>. You will not find a lab this extensive anywhere else!<br />
<br />
<b>Overall:</b><br />
All in all, this course is so relevant and so practical that there is no reason not to put it on your wishlist. If you are serious about finding bad guys in your network (because, let's face it, they are there), then this course has your name on it. I learned more about forensics in one week than I have learned over the past three years!<br />
<br />
<br />
<b>Bonus:</b><br />
At the DFIR Summit in Austin, Rob Lee and his Forensicating Cohorts at SANS introduced, for the first time in the United States, a new version of SANS' famous <a href="http://www.sans.org/netwars">NetWars</a>. Following along with the 508 labs, they have created a forensic version of NetWars which tests students on basic forensic artifacts, timeline, registry, file system, and memory analysis. Anyone that has participated in NetWars will agree that it is a terrific learning environment and is worth the investment of time.<br />
<br />
I was lucky enough to earn my <a href="http://computer-forensics.sans.org/community/lethal-forensicator">Lethal Forensicator Coin</a> by placing first in this NetWars competition at the DFIR Summit.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMvrQJ2WQFsaa_KqXiIwKf3XqMLmD84t7CMWuHAWag6OLfBmlQtJVjiX7VzI2o9KWGuc4aKeycmYdZXhflyMkbEFZpvcgjJ7HJPqVZqadBqTo5A65T6Lu_As6vmXdhWeULfJeDDEAh5Zs/s1600/forensics_coin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMvrQJ2WQFsaa_KqXiIwKf3XqMLmD84t7CMWuHAWag6OLfBmlQtJVjiX7VzI2o9KWGuc4aKeycmYdZXhflyMkbEFZpvcgjJ7HJPqVZqadBqTo5A65T6Lu_As6vmXdhWeULfJeDDEAh5Zs/s1600/forensics_coin.png" /></a></div>
<h3>
Welcome to Invoke-IR (posted 2013-07-20, updated 2015-04-24)</h3>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm-UCipyO7vKBvDJQoE5sisnpEembGhbnIMNgsnAzr2cPvqflsglvR4R2hrqwwAeW9dO5CFYWRnXJ1FOk92YSMrFbp7jIxHH0B8ev3VncsaRDP24wpnJpGkp4bHSk7tntgXWE__q8vWy4/s1600/InvokeIRbig1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm-UCipyO7vKBvDJQoE5sisnpEembGhbnIMNgsnAzr2cPvqflsglvR4R2hrqwwAeW9dO5CFYWRnXJ1FOk92YSMrFbp7jIxHH0B8ev3VncsaRDP24wpnJpGkp4bHSk7tntgXWE__q8vWy4/s320/InvokeIRbig1.png" height="137" width="320" /></a></div>
<br />
<br />
Welcome to Invoke-IR, the blog where I (Jared Atkinson) will discuss Digital Forensics and Incident Response using Windows PowerShell. Windows PowerShell is an excellent shell that addresses many of the complaints we all have about the native Windows command prompt. Unfortunately, many system administrators, incident responders, and forensicators are not familiar enough with Windows PowerShell to understand what it can do for them. Through Invoke-IR (the name is a PowerShell pun) I will introduce readers to PowerShell itself, to some resources that provide a deeper understanding of PowerShell and digital forensics, and to how we can apply PowerShell to Incident Response.<br />
<br />
Some topics I plan on covering in the near future are:<br />
1) Intro to PowerShell<br />
2) PowerShell Remoting<br />
3) Windows Logon and Authentication (How it relates to PowerShell)<br />
4) Dealing with Event Logs in PowerShell<br />
5) Handling the Windows Registry through PowerShell<br />
... and much much more<br />
<br />
Thank you for visiting Invoke-IR; I am looking forward to reading your comments and questions.