Monday, April 25, 2016

Book Review: Windows Registry Forensics 2E

I had the opportunity to read Harlan Carvey’s second edition of Windows Registry Forensics through a Kindle purchase and a hard copy that Harlan was awesome enough to give away when I asked for his feedback on my first blog post. (Thanks Harlan!) Since only a short review is available on Amazon, I wanted to expand on that review here.

In the first chapter Harlan lays out:
-The structure of the registry and nomenclature
-Analysis concepts and examples of how the operating system (Windows) uses the registry
-Location of registry hives (SYSTEM, SOFTWARE, NTUSER, USRCLASS, etc.)
-Registry redirection and virtualization (32-bit vs 64-bit OS architecture impact)

The takeaway from this chapter is for the analyst to understand how the registry is structured and where things are, as these bits of information will be useful in later chapters. Harlan sprinkles in some anecdotes (see the tip, note and warning sections).

In chapter two a brief overview is given of tools such as Microsoft’s regedit, MiTeC Windows Registry Recovery, Registry Explorer, AutoRuns, Mandiant’s ShimCache parser, UserAssist (Stevens) and RegRipper. Deleted keys and values are also discussed, along with a Perl tool called regslack by Jolanta Thomassen. The main takeaway that I got from this chapter is that there are many tools out there that can help you view or parse the registry, but the analyst must choose which tool to use based on the analysis at hand.

In chapter 3 the concept of artifact categories is discussed, along with analysis of the Security, SAM, SYSTEM, SOFTWARE and AmCache hives.

In the Security hive section we can find the audit policy settings of a computer. How is this useful? It helps explain why certain event IDs are not seen in a retrieved copy of the event logs, and it is a great place to start and review before running tools that parse specific event IDs out of the event logs.

Another key from this hive is the last write time of the Policy\Secrets key, which could indicate possible use of gsecdump (a credential theft tool). Granted, this needs further context from other time-stamped sources of information, but it could provide a pivot point when hunting for this tool on endpoints.

In the SAM hive section we can find:
-Local user information details
  Account creation, last login
-Local group memberships
  Users are presented in SID format
How is this useful? As with the audit policy, we can use this information to profile a system. For example, which user accounts are members of the local Administrators group? Are there suspicious, non-standard local user accounts?

The anecdotes in this section are quite useful.

Some key takeaways from the SYSTEM hive section:
-System name
  Make sure you are analyzing the right system
-Prefetch settings
  Is it enabled?
-ShimCache (AppCompat)
  The application compatibility feature in Windows keeps track of executables that require shimming for compatibility reasons and stores that information in the registry.
-Windows services
  Information such as file paths and service names is recorded in this hive, and attention to non-standard paths can help in identifying suspicious services.
-Legacy_* keys (Windows XP)
  Can be used to correlate when a service starts and stops, to be used in conjunction with other keys that provide service info.

Other useful information is found in this section and I’ll stop here so that future readers of the book can explore.

In the SOFTWARE hive section we can find the following takeaways:
-User profiles
  What user profiles are on the system (local and domain)
-Windows version
  Are we dealing with Windows XP, 7, 8, 10?
-Installed software
  Uninstall key
-Run key
  Used by legitimate and malicious programs as a persistence mechanism. The executable will start at system start-up. (Be mindful of registry redirection.)
-Image File Execution Options
  You can add a “Debugger” value to another program; attackers like to use this for the sticky keys method of persistence.

Again I will stop here and allow future readers to explore.

An overview is provided of the AmCache artifact and I will leave it to future readers to explore :)

Chapter four discusses the NTUSER and USRCLASS hives. Key takeaways:
-UserAssist keys
  Keep track of items that are double-clicked through Explorer.
-Program Compatibility Assistant
  Similar to ShimCache
-Run keys
  Note that these executables are launched when a user logs in, unlike those found under the SOFTWARE registry hive
-File access
  Several keys are discussed that provide information on files accessed by the user profile, as well as keywords used in searches through Windows Explorer.
-File association
  Useful when investigating artifacts of a suspicious extension type, this key can provide information on how the system is configured to handle the extension type, i.e. is .mp4 handled by Windows Media Player or VLC?


-ShellBags
  I may be wrong in my understanding, and please excuse this explanation if it is. This artifact has to do with Windows Explorer and relates to window size and usability. This information is stored in the NTUSER hive (XP) and USRCLASS (Win 7+) and can help in identifying folder traversal, control panel applet access and FTP artifacts.

Chapter five discusses RegRipper and explains what it is and how to use it. Note that throughout the previous chapters several RegRipper plugins are discussed, which hopefully will allow you to use the tool based on your analysis needs.

I really enjoyed the book and definitely recommend it to anyone in the DFIR field as a must-read, especially if you have seen presentations at conferences discussing ShimCache, ShellBags, and stories of how incident responders were able to figure out what the attacker did on a system. Pay close attention to setting analysis goals and to chapters three and four, as these will help in that regard. This book will assist in strengthening your DFIR skills, and once understood, some of this information can help you start hunting for evil in your environment.

TL;DR, from my Amazon review:

“The book provides a detailed discussion on the structure of the registry, its keys and relevancy to digital forensics & incident response (DFIR). The author also focuses on presenting examples and use cases on how the reader can leverage information in the registry as part of an analysis. Discussion of tools is given and the tools presented are free and some are open source, which you can modify if you understand the programming language they are written in, to fit your needs. The author dedicates a chapter to regripper, a tool that he wrote to parse registry hives, and it serves as a mini manual. After reading the previous chapters, hopefully the reader will understand the flexibility of the tool and how one can expand its functionality. Overall the author does a great job in presenting the information; although short (191 pages), the content is targeted at what can bring value to the reader/analyst. I recommend it to all who work in the DFIR field or are starting to.”

Friday, April 22, 2016

BSides NOLA and Threat Hunting

Last weekend my wife and I had a chance to head to BSides in New Orleans. There was a mixture of presentations, but the ones I liked most were around hunting and what to look for on endpoints. Devon Kerr presented artifacts mapped to Mandiant’s attack lifecycle, while Wesley Riley from RSA presented on what artifacts to collect if your budget is slim. Michael Gough’s presentation was also along these lines but focused on Windows audit logging and which event IDs are of value, plus a new tool called LOG-MD which helps to audit systems by comparing the audit policy to the recommended settings found on Michael’s website.
What really struck a chord with me was the artifacts that were mentioned, for example:
-Scheduled tasks
-Auto start entry points
-Registry hives

Among others, these are artifacts that most in the DFIR field recognize. Why are they mentioned repeatedly?
Because THEY WORK. They are useful if you are trying to find suspicious or malicious behavior on an endpoint. But for these artifacts to be relevant, it is not about running a tool, whether commercial or open source, analyzing the output, or trusting the logic of said tool to flag maliciousness. No, it is the analyst’s responsibility to understand the artifacts. Through this understanding the analyst will choose the artifact sources relevant to the investigation they are performing.
As Wesley mentioned in his presentation, the best tool in a cyber security organization is a highly motivated analyst. That is why it is important, if you are starting out in this field, to read and reread the material that is available on these artifacts and on DFIR in general. Tool-specific training will only get you so far.
I will be posting learning materials in a separate page that I have found useful for DFIR work.

Keep on the good fight! Until next time...

Monday, April 4, 2016

The Curious Case Of The Chan Pelana Device

Last year around July a buddy of mine sent me an email regarding a curious message he saw after unlocking his PC (Win7) in the morning. The PC had been left on overnight. He wasn’t sure what this Chan Pelana device was or how it got installed on his system, and a quick Google search did not turn up any meaningful results.

So I collected the event logs (Application, System and Security) and registry hives (SYSTEM, SOFTWARE, SECURITY, NTUSER, USRCLASS, etc.) from the system, among other files, to help out further. My analysis goals were:
  • Identify what Chan Pelana was
  • Identify the approximate time of when it was installed
  • Identify whether this was a malicious event or not

Why start with these sources?
Well, the System event log would contain events related to plug and play activity, services and other system-related activity. The SYSTEM registry hive contains configuration information for services and drivers, to name a few. As the registry hives contain timestamps, I might find one related to driver installation activity.
To create the micro timeline I used Harlan Carvey’s wevtx batch script and regtime.exe to get the timestamps from the SYSTEM registry hive.

F:\analysis\user-pc\> wevtx logs\*system ntfs\events
Regtime -r registry\SYSTEM -m HKLM/SYSTEM_ >> ntfs\events
Parse -f ntfs\events -o > ntfs\event_tln.txt
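To show how the three commands above fit together, here is an added Python example (my own code, not Harlan Carvey’s wevtx, regtime or parse tools) that performs the same pivot on a constructed input: it reads the five-field time|source|host|user|description TLN lines that wevtx.bat and regtime.exe write (epoch seconds, UTC), converts an overnight window given in the friend’s local time to UTC, keeps only the events inside that window and renders them grouped by timestamp in the style of the parse output. The sample lines, the host name and the local UTC offset (-4, which is what US Eastern time observes in July) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of TLN lines (time|source|host|user|description), the
# five-field format that wevtx.bat and regtime.exe write: epoch seconds in UTC.
# The descriptions echo the post's findings; everything else is made up.
SAMPLE_TLN = """\
1437650000|EVTX|user-pc|S-1-5-18|Microsoft-Windows-Kernel-General/12;system start (outside the window)
1437700000|REG|||M... HKLM/SYSTEM_ControlSet001/Services/Tcpip/Parameters
1437707074|REG|||M... HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver
1437707073|EVTX|user-pc|S-1-5-18|Microsoft-Windows-DriverFrameworks-UserMode/10002;WpdMtpDriver,1.9.0,true
1437707073|REG|||M... HKLM/SYSTEM_ControlSet001/Control/Class/{EEC5AD98-8080-425F-922A-DABF3DE3F69A}
1437707074|EVTX|user-pc|S-1-5-18|Microsoft-Windows-UserPnp/20003;WUDFRd,system32\\DRIVERS\\WUDFRd.sys,true,true,0
this line is malformed and is skipped
"""


def parse_tln(text):
    """Parse TLN lines into dicts; skip blank or malformed lines instead of aborting."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|", 4)        # the description may itself contain '|'
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        ts, source, host, user, desc = fields
        events.append({"ts": int(ts), "source": source, "host": host, "user": user, "desc": desc})
    return events


def local_window_to_utc(day, start_hhmm, end_hhmm, utc_offset_hours):
    """Turn a local-time window into UTC epoch bounds. A window that ends at or
    before its start time is taken to cross midnight into the next day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.strptime(f"{day} {start_hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    end = datetime.strptime(f"{day} {end_hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    if end <= start:
        end += timedelta(days=1)
    return int(start.timestamp()), int(end.timestamp())


def pivot(events, start_epoch, end_epoch):
    """Keep events inside [start, end) and order them by time, then source."""
    hits = [e for e in events if start_epoch <= e["ts"] < end_epoch]
    return sorted(hits, key=lambda e: (e["ts"], e["source"]))


def render(events):
    """Group events under a 'Fri Jul 24 03:04:33 2015 Z' style header per second."""
    by_ts = defaultdict(list)
    for e in events:
        by_ts[e["ts"]].append(e)
    lines = []
    for ts in sorted(by_ts):
        lines.append(datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y Z"))
        for e in by_ts[ts]:
            lines.append(f"  {e['source']:<5} {e['host']:<8} {e['user']:<9} - {e['desc']}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_tln(SAMPLE_TLN)
    # Assumption: the overnight window was 10 PM to midnight on 23 July, US Eastern (UTC-4 in July).
    start, end = local_window_to_utc("2015-07-23", "22:00", "00:00", -4)
    print(render(pivot(events, start, end)))
```

The time zone handling is the part worth copying: the window is expressed once in local time and converted to UTC, so the comparison against the tools’ UTC timestamps never involves mental arithmetic, and a window that wraps past midnight is handled explicitly.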

As my friend's time zone is EST and the tools output UTC, I kept that in mind as I looked through the output. The excerpt below is from the micro timeline. I pivoted on events that occurred during the overnight time frame he gave, which would put these events at around 11:00 PM EST.
Fri Jul 24 03:04:33 2015 Z
  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10002;user-pc.ent.acme.corp,S-1-5-18,WpdMtpDriver,{AAAE762B-A6A2-4C45-B5D8-9A83AFB6BB70},1.9.0,true
  REG                        - M... HKLM/SYSTEM_ControlSet001/Control/Class/{EEC5AD98-8080-425F-922A-DABF3DE3F69A}
  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10000;user-pc.ent.acme.corp,S-1-5-18,USB\VID_04E8&PID_6860\03157DF3EB6F073F,1.9.0

Fri Jul 24 03:04:34 2015 Z
  EVTX     Server            - Microsoft-Windows-UserPnp/20003;user-pc.ent.acme.corp,S-1-5-18,WUDFRd,system32\DRIVERS\WUDFRd.sys,USB\VID_04E8&PID_6860\03157DF3EB6F073F,true,true,0
  REG                        - M... HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver
  EVTX     Server            - Microsoft-Windows-UserPnp/20003;user-pc.ent.acme.corp,S-1-5-18,WinUsb,system32\DRIVERS\WinUsb.sys,USB\VID_04E8&PID_6860\03157DF3EB6F073F,false,true,0

  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10100;user-pc.ent.acme.corp,S-1-5-18,0

The following information stood out:
WpdMtpDriver - MTP device (cellphone, camera, mp3 player)
03157DF3EB6F073F - possible serial number
HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver - registry key being modified

It seemed I was possibly dealing with a USB device that uses the Media Transfer Protocol. To further validate this I looked up a presentation by Nicole Ibrahim on MTP devices (link). Page 15 of the PDF slide deck explains the process that happens when an MTP device is inserted, and the plug and play events seen in the System event log seem to match. On page 23, the subkey that I saw in my micro timeline was a child of one that was modified in Nicole’s testing (CurrentControlSet\Enum\USB\).
I then loaded the SYSTEM registry hive into Eric Zimmerman’s Registry Explorer and navigated to the key ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f to see what other information I could find.

The DeviceDesc value holds the string “SM-G920W8” and the FriendlyName value holds the string “Chan Pelana”. Aha! A match to what my friend had seen. A quick Google search for the “SM-G920W8” string turned up a Samsung cell phone model for the Canadian market.
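The last two steps, spotting the instance path USB\VID_04E8&PID_6860\03157DF3EB6F073F in the event descriptions and then finding the same device under Enum\USB, can be automated over the micro timeline. The following Python is an added example of mine, not code from the post or from any of the tools it names: it pulls USB instance paths out of timeline lines from both sources, folds the upper-case serial in the event log and the lower-case serial in the registry key path into one identity, and reports which sources saw each device. The sample lines are constructed from the excerpt above, and the vendor table is a one-entry stand-in (04E8 is Samsung’s USB vendor ID) that a real run would feed from the usb.ids list.

```python
import re
from collections import defaultdict

# A USB device instance path as it appears in UserPnp/DriverFrameworks event
# descriptions (backslashes, upper-case serial) and in regtime's key paths
# (forward slashes, lower-case serial): USB\VID_04E8&PID_6860\03157DF3EB6F073F
INSTANCE_RE = re.compile(
    r"USB[\\/]VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})[\\/](?P<serial>[^\\/,;\s]+)"
)

# Stand-in vendor table; 04E8 is Samsung's USB vendor ID. Assumption: a real run
# would load the full usb.ids list instead of this single entry.
KNOWN_VENDORS = {"04E8": "Samsung Electronics"}

# Constructed timeline lines in 'SOURCE|text' form, shaped after the post's excerpt.
SAMPLE_LINES = [
    "EVTX|Microsoft-Windows-DriverFrameworks-UserMode/10000;user-pc,S-1-5-18,USB\\VID_04E8&PID_6860\\03157DF3EB6F073F,1.9.0",
    "EVTX|Microsoft-Windows-UserPnp/20003;user-pc,S-1-5-18,WUDFRd,system32\\DRIVERS\\WUDFRd.sys,USB\\VID_04E8&PID_6860\\03157DF3EB6F073F,true,true,0",
    "REG|M... HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver",
    "REG|M... HKLM/SYSTEM_ControlSet001/Control/Class/{EEC5AD98-8080-425F-922A-DABF3DE3F69A}",
]


def extract_instances(text):
    """Return (vid, pid, serial) tuples found in one line, upper-cased so the
    event-log and registry spellings of the same serial compare equal."""
    return [(m.group("vid").upper(), m.group("pid").upper(), m.group("serial").upper())
            for m in INSTANCE_RE.finditer(text)]


def correlate(lines):
    """Group 'SOURCE|text' lines by USB instance; lines without one are ignored."""
    devices = defaultdict(lambda: {"sources": set(), "lines": []})
    for line in lines:
        source, _, text = line.partition("|")
        for inst in extract_instances(text):
            devices[inst]["sources"].add(source)
            devices[inst]["lines"].append(line)
    return dict(devices)


def describe(inst):
    """Human-readable label for one instance tuple."""
    vid, pid, serial = inst
    return f"VID {vid} ({KNOWN_VENDORS.get(vid, 'unknown vendor')}) PID {pid} serial {serial}"


def report(lines):
    """One summary line per device, suitable for pasting into analysis notes."""
    out = []
    for inst, info in sorted(correlate(lines).items(), key=lambda kv: kv[0]):
        seen = ", ".join(sorted(info["sources"]))
        out.append(f"{describe(inst)}: {len(info['lines'])} entries from {seen}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

A device that shows up only in the registry, with no matching event-log entries, is exactly the kind of gap worth noticing: it can mean the logs were cleared or rolled over before collection, which is why the report lists the sources per device rather than a single hit count.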

So let’s recap the analysis goals:
  • Identify what Chan Pelana was
    • A Canadian Samsung cell phone.
  • Identify the approximate time of when it was installed
    • Without the my next best source was the windows event log and registry timestamps and based on these the install approximately occurred on Fri Jul 24 03:04:34 2015 UTC
  • Identify whether this was a malicious event or not
    • I contacted my friend with my findings and, as it turned out, they had visitors from Canada and one of them happened to plug their phone into my friend’s computer to charge during the night. So that ruled out the malicious component.

And that concludes the curious case of Chan Pelana.

Hello World....

Over the past couple of years I have been soaking in all the information I could get regarding digital forensics and its specific application to incident response, as well as malware analysis. I have also been working in the field for the past couple of years, and while I have sat on the sidelines when it comes to blogging, I thought it best to start sharing my experiences where I can. The purpose of this blog is to share analysis techniques, links, and tools. I’m not sure about being an expert, as in the DFIR field there is a lot to learn and things change at times, but maybe one day I’ll reach that level; for the time being I consider myself an experienced learner. I hope that what I share can help someone else, no matter what their experience level is. Enough rambling, let’s start :)