Despite being written in 2006, Chris Ries’ paper Inside Windows Rootkits is still surprisingly relevant.  About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard).  Few resources have explained rootkit internals so simply.  As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2, Inside Windows Rootkits by Chris Ries

Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links:

http://www.scribd.com/doc/74418240/Chris-Ries-Inside-Windows-Rootkits

http://thehackademy.net/madchat/vxdevl/library/Inside%20Windows%20Rootkits.pdf

 

 

With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface.  This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.

You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box): Continue Reading…

Microsoft Targeted AttackMicrosoft Trustworthy Computing recently released several installments in their Targeted Attacks Video Series.  While the short videos are largely low-tech, the accompanying documents provide detailed mitigation strategies.  Mike Pilkington wrote an excellent review of the 282 page Best Practices for Securing Active Directory document on the SANS Forensics blog.  The Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques deck is also worth a read. Interestingly, Microsoft lists common mitigation techniques like “smart cards and multi-factor authentication” and “jump servers” as having only minimal effectiveness.

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe.  It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge.   Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics.  There is good reason for this.  Memory can be extremely fickle, with layouts and structures changing on a whim.   As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch.  The fact that we have free tools such as Volatile Systems Volatility and Mandiant Redline supporting memory images of arbitrary size from (nearly) every modern version of Windows is nothing short of miraculous.

Nowhere is it more obvious how far the memory analysis field has come than looking at the recent innovations in Mac and Linux memory forensics.  Examiners of these less popular platforms have had to sit patiently for years as Windows memory forensics moved from being feasible for OS internals experts to being approachable for the masses.  Against all odds, Linux memory analysis has recently seen rapid innovations.  If support for the various Windows versions came slowly, imagine the complexity posed by the myriad flavors of Linux and the long list of possible kernel versions.  It turns out that the Volatility framework is particularly well suited to tackle this Hydra with its abstraction layers facilitating everything from different image formats to swappable OS profiles to rapid plugin development.

Continue Reading…

Jul 3

A nice introduction to reflective DLL injection.

In case you missed it over on the SANS Computer Forensics blog, we recently updated our memory forensics cheat sheet. Not a lot has changed other than updating a few parameter options, adding Michael Cohen’s WinPmem (live memory analysis with Volatility!), and reflecting a few of the changes in the upcoming 2.3 Volatility release (including body file format in Jamie Levy’s timeliner plugin)

MemoryForensicsCheatSheet

(click for PDF)

Jun 11

The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features.  It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes).  From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:

  • Firewall changes made for unauthorized software (firewall.cpl)
  • User account additions / modifications (nusrmgr.cpl)
  • Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
  • System time changes (timedate.cpl)
  • Interaction with third-party security software applets

While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time.  Context provided by other artifacts may provide further information.  As an example, imagine you were reviewing control panel usage on a system and came across Figure 1.

Brutus Password Cracker

Figure 1: Sample Userassist Output

Context is critical, and, while access to the Windows Security Center might not normally be particularly interesting, the fact that it was accessed immediately following the execution of a known (router) password cracking tool might make all the difference.

Continue Reading…

PlugX Malware Progression

Amanda Stewart at the FireEye blog dissected the PlugX malware remote access tool (RAT).  Of particular interest is this beautiful graphic showing the attack progression.  With decoys, DLL sideloading, encrypted payloads, process injection, and new payload retrieval, this attack pretty much has it all!

Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link].   Thank you to all that took part in the experiment.  Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here].

Survey Results

In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed.  Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three.   I think many of us could have guessed that big players like Symantec and Sophos would be near the top, but I was surprised to see products like BestCrypt and SecureDoc pull ahead of Credant Technologies (now owned by Dell).

EDD Survey Results

Figure 1: EDD Survey Results

Continue Reading…