Practical Windows Forensics

Overview of this book

Over the last few years, the wave of cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking these attacks and crimes requires a deep understanding of operating system internals, of how to extract evidentiary data from digital evidence, and of how best to use digital forensic tools and techniques. Regardless of your level of experience in information security, this book will fully introduce you to digital forensics. It will give you the knowledge needed to gather different types of evidence effectively, and walk you through the stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to the approaches used to conduct analysis. We then study tools for live analysis and go through techniques for analyzing volatile and non-volatile data.

Postmortem analysis

Before performing the live analysis, we acquired the evidence: a dump of physical memory and an image of the hard drive. Let's see what we can get from this evidence.

Memory analysis

Memory is the working space of the operating system, and memory analysis yields many traces of any malware that ran on the system. In this section, we will use the Volatility framework to analyze the dumped memory file and try to recover the same information that we obtained from the live analysis.

To identify the profile to use for the memory file, we can run the imageinfo plugin:

From the output, the profile we will use is Win7SP0x64. Next, let's list the running processes and the network connections, as discussed in the memory analysis chapter:

We notice the two explorer.exe processes, but there are no hidden processes. There are two processes named dllhost.exe that appear only in the output of the psscan plugin. They are not hidden, however: these two processes had already exited, but their EPROCESS structures were still present in memory, so psscan, which scans physical memory for process structures instead of walking the active-process list, still finds them, as we can see from its output:

Then, we can filter for suspicious connections on the system using the netscan plugin:

We find that the explorer.exe process is listening on port 37337. Explorer normally opens no listening sockets, so this is suspicious in itself. Let's focus on this process.
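The two checks just described, comparing pslist with psscan and filtering netscan for a listener on a given port, are easy to automate once the plugins have printed their tables. The following is an added example and is not code from the book or from Volatility: it post-processes the text output of the Volatility 2 pslist, psscan and netscan plugins. The sample output embedded below is constructed to mirror the scenario (two explorer.exe processes, two exited dllhost.exe processes, PID 2256 listening on port 37337); the offsets, the other PIDs, the timestamps and the unlinked.exe entry are made up, the last one only to exercise the hidden-process branch, which the book's image did not trigger.

```python
"""Cross-view check of Volatility 2 pslist against psscan, plus a netscan filter.
Added example; assumes the plain-text table layout that Volatility 2 prints.
All sample output below is constructed."""
import re

PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     83      493 ------      0 2015-10-25 12:49:21 UTC+0000
0xfffffa8001a9f060 explorer.exe           1548   1512     36      842      1      0 2015-10-25 12:50:02 UTC+0000
0xfffffa8001e3b9e0 explorer.exe           2256   1548      5      112      1      0 2015-10-25 12:55:10 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e7d2b30 System                4      0 0x0000000000187000 2015-10-25 12:49:21 UTC+0000
0x000000003f2ab060 explorer.exe       1548   1512 0x000000003f0c4000 2015-10-25 12:50:02 UTC+0000
0x000000003ed24b30 dllhost.exe        1180    620 0x000000003e1ba000 2015-10-25 12:55:08 UTC+0000   2015-10-25 12:55:09 UTC+0000
0x000000003ef8c5a0 dllhost.exe        1196    620 0x000000003e2c2000 2015-10-25 12:55:08 UTC+0000   2015-10-25 12:55:09 UTC+0000
0x000000003e4c09e0 explorer.exe       2256   1548 0x000000003e45d000 2015-10-25 12:55:10 UTC+0000
0x000000003e9a1b30 unlinked.exe       3900   2256 0x000000003e8f1000 2015-10-25 12:55:12 UTC+0000
"""
# unlinked.exe above is constructed only to show the "hidden" branch below.

NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0ae010         TCPv4    0.0.0.0:37337                  0.0.0.0:0            LISTENING        2256     explorer.exe
0x3e1c2a00         TCPv4    192.168.56.101:49160           192.168.56.102:80    CLOSED           2256     explorer.exe
0x3e2f0c80         UDPv4    0.0.0.0:5355                   *:*                                   1104     svchost.exe    2015-10-25 12:49:30 UTC+0000
0x3e3d1e40         TCPv6    :::37337                       :::0                 LISTENING        2256     explorer.exe
"""

# First four columns are the same in pslist and psscan: offset, name, PID, PPID.
PROC_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# netscan: offset, proto, local, foreign, optional state (UDP has none), PID, owner.
NET_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCPv4|TCPv6|UDPv4|UDPv6)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s+(\S+)")


def parse_processes(output):
    """Return {pid: {"name": str, "exited": bool}} from pslist or psscan text.
    A second timestamp on the line is the exit time, so the process is gone."""
    procs = {}
    for line in output.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        exited = len(TIME_RE.findall(line)) >= 2
        procs[int(m.group(3))] = {"name": m.group(2), "exited": exited}
    return procs


def cross_view(pslist_out, psscan_out):
    """Processes seen by psscan (memory scan) but not by pslist (list walk).
    Exited processes leave structures behind and are expected; a scan-only
    process with no exit time is a candidate for an unlinked (hidden) process."""
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    findings = []
    for pid in sorted(set(scanned) - set(listed)):
        kind = "exited" if scanned[pid]["exited"] else "hidden"
        findings.append((pid, scanned[pid]["name"], kind))
    return findings


def find_listeners(netscan_out, port):
    """Sockets in LISTENING state whose local port matches; handles IPv6 (':::port')."""
    hits = []
    for line in netscan_out.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        local, state = m.group(3), m.group(5)
        if state == "LISTENING" and int(local.rsplit(":", 1)[1]) == port:
            hits.append({"proto": m.group(2), "local": local,
                         "pid": int(m.group(6)), "owner": m.group(7)})
    return hits


if __name__ == "__main__":
    for pid, name, kind in cross_view(PSLIST, PSSCAN):
        print("psscan-only: pid=%d name=%s (%s)" % (pid, name, kind))
    for h in find_listeners(NETSCAN, 37337):
        print("listener: %(proto)s %(local)s pid=%(pid)d owner=%(owner)s" % h)
```

Against a real image, paste the plugin output into the three strings (or read it from files) and check the "hidden" entries first; the exited ones are usually just short-lived helpers, as the two dllhost.exe entries were here.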

Let's dump this process's memory (the memdump plugin writes it to a file named after the PID, here 2256.dmp) and search it for any interesting strings that can identify its function:

If we run the strings 2256.dmp | more command, it will show many strings from the process dump. Some of these strings, such as Run and RunOnce, should make us think of registry keys. To list the registry hives loaded in memory, we can use the hivelist plugin:

Now, we have the locations of the loaded hives in memory. We can browse a hive with the printkey plugin, passing the virtual offset of that hive.

We can try different hives, but let's start with the user's NTUSER.DAT hive and check Software\Microsoft\Windows\CurrentVersion\Run:

We can find the unknown executable in memory as well. Now, let's scan memory for all open file objects and filter on this filename:

Then, convert the body file to a timeline using mactime:

mactime -b mft.body > mft.tmline

The output is a timeline of all file system activity on the system. If we filter on the suspicious executable's filename, we get the same sequence that we saw when investigating the prefetch files during the live analysis:

Then, we can try to recover latest_report.pdf.exe from the hard disk image. In fact, the malware deleted that file and created epqe.exe instead. But what if we want this file and cannot recover it from the hard disk image?

Network analysis

Network traffic is the most volatile evidence. For our scenario, we captured the network traffic during the attack simulation to a pcap file.

To analyze the network traffic, we will use the NetworkMiner tool, installed under Wine in our Linux analysis virtual machine.

NetworkMiner will parse the pcap file and display detailed information about the domain:

It will also extract the downloaded file, along with details of the transfer:

From the network traffic, we can therefore export and analyze the original latest_report.pdf.exe executable, even though it was deleted from the disk.
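What NetworkMiner does for the download can also be done by hand when the GUI is not available. The following is an added example, not code from the book or from NetworkMiner: it builds a small constructed pcap in memory (one HTTP GET and a response split across two out-of-order TCP segments), then walks it using only the struct module, reassembles each TCP stream by sequence number and cuts the response body out by its Content-Length. The addresses, ports, sequence numbers and the file content are made up; the file body is a placeholder that merely starts with "MZ" and is not a real executable.

```python
"""Carve an HTTP-delivered file from a libpcap capture with the standard library.
Added example; the capture is constructed in memory. Assumes Ethernet link type,
IPv4 and no IP fragmentation or overlapping TCP retransmissions."""
import struct
from collections import defaultdict

CLIENT, SERVER = "192.168.56.101", "192.168.56.102"   # constructed lab addresses
FILE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed-not-a-real-pe"  # placeholder payload
REQUEST = b"GET /latest_report.pdf.exe HTTP/1.1\r\nHost: 192.168.56.102\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FILE_BYTES)) + FILE_BYTES


def _ipv4_tcp_frame(src, dst, sport, dport, seq, ack, payload):
    """Ethernet/IPv4/TCP bytes for one constructed packet (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: magic 0xa1b2c3d4, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1445777520 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(CLIENT, SERVER, 49160, 80, 1000, 5000, REQUEST),
    # response deliberately captured out of order to exercise reassembly
    _ipv4_tcp_frame(SERVER, CLIENT, 80, 49160, 5040, 1000 + len(REQUEST), RESPONSE[40:]),
    _ipv4_tcp_frame(SERVER, CLIENT, 80, 49160, 5000, 1000 + len(REQUEST), RESPONSE[:40]),
])


def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment carrying data."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, seq, payload


def reassemble_streams(pcap):
    """{(src, sport, dst, dport): bytes} with segments ordered by sequence number."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in tcp_payloads(pcap):
        flows[(src, sport, dst, dport)][seq] = payload  # exact retransmits collapse
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def carve_http_downloads(pcap):
    """Return [{server, name, body, complete}] for each HTTP response stream."""
    streams = reassemble_streams(pcap)
    found = []
    for (src, sport, dst, dport), data in streams.items():
        if not data.startswith(b"HTTP/1."):
            continue
        head, _, rest = data.partition(b"\r\n\r\n")
        length = None
        for line in head.split(b"\r\n")[1:]:
            key, _, value = line.partition(b":")
            if key.strip().lower() == b"content-length":
                length = int(value.strip())
        body = rest if length is None else rest[:length]
        request = streams.get((dst, dport, src, sport), b"")  # matching client->server flow
        name = request.split(b" ", 2)[1].rsplit(b"/", 1)[-1].decode() if request.startswith(b"GET ") else None
        found.append({"server": "%s:%d" % (src, sport), "name": name, "body": body,
                      "complete": length is None or len(rest) >= length})
    return found


if __name__ == "__main__":
    for d in carve_http_downloads(SAMPLE_PCAP):
        print("%s -> %s (%d bytes, complete=%s)" % (d["server"], d["name"], len(d["body"]), d["complete"]))
```

On a real capture, read the file into SAMPLE_PCAP's place with open(path, "rb").read(); the "complete" flag tells you whether the whole body was captured, which matters before you hash the carved file or submit it for analysis. Chunked transfer encoding, gzip content encoding and overlapping retransmissions are not handled here, which is exactly the kind of case where a full tool such as NetworkMiner earns its keep.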

Timeline analysis

In this section, we will create a complete timeline of all the activity on the hard disk from the acquired disk image using log2timeline and the Plaso framework.

We will run all the Windows 7 parsers against the acquired image. First, however, we need the offset of the C: partition within the image, which we get with the mmls tool from TSK:

Then, we use this offset with log2timeline. Generating the body file will take a long time because it parses the whole volume for every event type covered by the Win7 parsers:

Once this is finished, we can use the psort tool to view the parts of the body file we choose from the command line, as we did in the timeline analysis in Chapter 5, Timeline.

Or, we can convert the timeline body file into a CSV file in order to view it in any spreadsheet program. The conversion will take some time to complete:

Once the conversion finishes, you can open the new file in, for example, Excel:

Then, we can use Excel's filtering tools to narrow the output to what we need, such as the prefetch entries for the malicious files: