I am getting ready to return to Blighty, and I have thoroughly enjoyed myself in Denver. Not only because I was able to go to the FOR526 (Windows Memory Forensics In-Depth) beta class, but also because Denver is a pretty kick-ass city! Great beer, great food, friendly people and epic mountains... and some snow!
Today is our last posting before I get to the meat of our investigation... the memory dump. You will be shocked by how much we can get out of a memory dump :)
Registry
Harlan Carvey is the godfather of the registry. He has contributed a lot to the community in terms of research, development and tools, and he writes about plenty of other pertinent forensics topics too, so I highly recommend a visit to his blog. He created a tool called RegRipper, which parses through a registry hive and pulls out the artifacts that are generally useful in a forensic investigation. (I never recommend trying to parse through the registry blind... it's just not a good idea.)
So what is doing these searches? Well, so glad you asked! When you download Harlan's tool you can also download all of its plugins, 235 to be exact. Here is a screenshot of me perusing the list.
Well, I know I am interested in autoruns... but if one checks, it is an NTUSER.DAT plugin, and I did not grab NTUSER.DAT, did I? Shame on me! It's now gone forever! Well, unless I can extract it from memory! (That's a hint.)
Well, let's try another plugin; #60, 'findexes', sounds promising. Let's try it on the System hive:
First off we see exactly what this plugin is doing: searching value data in the hive for anything starting with the characters MZ (the two-byte signature at the start of every Windows executable, DOS stub included). Bear in mind that two bytes is a weak signature, so expect false positives and confirm a hit by checking that a PE header follows before you get excited. We have some hits, but none match our time frame... sheesh, this could take forever. Wouldn't it be great if there was a way to run all the plugins associated with a hive at the same time?! Well, funny you should ask! You can! I will show you this using the GUI version of RegRipper (more than one way to skin a cat!). It's pretty self-explanatory:
The options in the 'plugin' drop-down can be modified to whatever plugins work for that hive. You could open up the 'system-all' file and remove or add any compatible RegRipper plugin you wish; I, for example, added findexes to mine. You could create your own plugin list (e.g. one that only looks for persistence) if you wanted to.
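Going back to what findexes does: here is an added example, written for this post and not RegRipper's findexes plugin, that scans a file read as raw bytes (a hive, or anything else) for embedded executables. Where findexes reports any value data beginning with 'MZ', this scan also follows e_lfanew and requires the 'PE\0\0' signature before reporting a hit, which drops most of the false positives, and because it runs over the whole file rather than parsed values it also sees slack space and deleted cells. SAMPLE_BLOB, the decoy string, the minimal hand-built PE header and its compile timestamp are all constructed for the example.

```python
"""Scan raw bytes (e.g. a hive file read as-is) for embedded PE images.

Added example, not RegRipper's findexes plugin. A hit needs both the 'MZ'
DOS magic and a 'PE\\0\\0' signature at the offset e_lfanew points to.
SAMPLE_BLOB is constructed: one decoy 'MZ' string, one fake PE header.
"""
import struct
from datetime import datetime, timezone

# assumed compile time for the constructed PE header (not from the post)
COMPILE_TS = int(datetime(2012, 10, 29, 22, 0, tzinfo=timezone.utc).timestamp())


def build_fake_pe_header(e_lfanew=0x40):
    """DOS header ('MZ', e_lfanew at 0x3C) followed by 'PE\\0\\0' and a COFF header."""
    buf = bytearray(e_lfanew + 4 + 20)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b'PE\x00\x00'
    # COFF header: Machine (0x14C = i386), NumberOfSections, TimeDateStamp
    struct.pack_into('<HHI', buf, e_lfanew + 4, 0x14C, 1, COMPILE_TS)
    return bytes(buf)


def find_pe_images(blob):
    """Return every offset where an 'MZ' header points at a valid PE signature."""
    hits = []
    pos = blob.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from('<I', blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # sane e_lfanew, COFF header fits, and the PE signature is really there
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) \
                    and blob[pe:pe + 4] == b'PE\x00\x00':
                machine, n_sections, ts = struct.unpack_from('<HHI', blob, pe + 4)
                hits.append({
                    'offset': pos,
                    'machine': f'0x{machine:X}',
                    'sections': n_sections,
                    # TimeDateStamp is seconds since the Unix epoch, UTC
                    'timestamp': datetime.fromtimestamp(ts, timezone.utc),
                })
        pos = blob.find(b'MZ', pos + 1)
    return hits


# constructed sample input: a findexes-style false positive, then a real header
PREFIX = b'\x00' * 16
DECOY = b'MZ is just two letters here'
SAMPLE_BLOB = PREFIX + DECOY + b'\x00' * 32 + build_fake_pe_header() + b'\xff' * 8
PE_OFFSET = len(PREFIX) + len(DECOY) + 32


def scan_sample():
    return find_pe_images(SAMPLE_BLOB)


if __name__ == '__main__':
    for hit in scan_sample():
        print(hit)
```

Only the second 'MZ' survives the check: the decoy's bytes at 0x3C do not point at a PE signature. On a real hive the offsets are enough to cut the blob out with dd and hash it, and the TimeDateStamp is the compiler's idea of when the binary was built, which is worth comparing with your incident window.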
I am going to open up my output in Notepad++ and search for all instances of 'Oct 30' to see whether anything falls within that time frame.
devclass v.20100901 (System)
Get USB device info from the DeviceClasses keys in the System hive
Tue Oct 30 09:16:59 2012 (UTC)
Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_8.02,17387318C8507EF4&0
Tue Oct 30 09:16:59 2012 (UTC)
ParentIdPrefix: 8&2fbb6782&0&RM
Two identifiers matter in that output. The serial number in the device instance ID (17387318C8507EF4 here) is reported by the stick itself, so it is the same on every machine the stick has been plugged into; that is how these things get tracked across systems. The ParentIdPrefix is assigned by Windows, and on XP it is the value that ties this device to a drive letter and volume GUID in the System hive's MountedDevices key (and from there, via MountPoints2 in NTUSER.DAT, to the user who mounted it). Check out the article from Hak5.
----------------------------------------
svc v.20080610 (System)
Lists services/drivers in Services key by LastWrite times, short format
Tue Oct 30 09:17:53 2012Z,Micorsoft Windows Service,Micorsoft Windows Service,\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxhmnhtj.sys,Kernel driver,Disabled,
Tue Oct 30 09:16:59 2012Z,USBSTOR,USB Mass Storage Driver,system32\DRIVERS\USBSTOR.SYS,Kernel driver,Manual,
Again we see the USB storage driver being invoked right before the infection, and 54 seconds later a new malicious file, pxhmnhtj.sys, being registered as a kernel-mode driver (that's bad, mkay?). Where from, you ask? The TEMP folder, by way of an NT-style \??\ path with 8.3 short names. Legitimate drivers live under system32\DRIVERS, so a .sys in a user's Temp directory is about as clear a red flag as the registry gives you; note too the display name, 'Micorsoft Windows Service', misspelled. The start type is Disabled at the time the hive was grabbed, which means the Service Control Manager will not start it from now on; it does not tell us whether the driver was loaded before the start type was set. That is a question for the memory dump.
The Software hive has some other potentially interesting tidbits:
----------------------------------------
userinit v.20080328
(Software) Gets UserInit value
Microsoft\Windows NT\CurrentVersion\Winlogon
LastWrite Time Tue Oct 30 09:17:47 2012 (UTC)
Userinit -> C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Administrator\Local Settings\Application Data\agrsahog\ijjfkkxw.exe
Per references, content should be %SystemDrive%\system32\userinit.exe,
----------------------------------------
schedagent v.20100817
(Software) Get SchedulingAgent key contents
Microsoft\SchedulingAgent
LastWrite Time Tue Oct 30 10:04:00 2012 (UTC)
OldName = CONSULTA-142832
LogPath = %SystemRoot%\SchedLgU.Txt
MaxLogSizeKB = 32
TasksFolder = %SystemRoot%\Tasks
LastTaskRun = 2012-10-30 10:04:01
Note: LastTaskRun time is written in local system time, not GMT
So remember that Userinit registry key we saw before? There it is! Winlogon runs every comma-separated entry in that value at logon, so by appending ijjfkkxw.exe (dropped under the Administrator's Local Settings\Application Data) after the default value's trailing comma, the malware gets launched at every logon; the doubled comma is that trailing comma, left in place. The Winlogon key's LastWrite of 09:17:47 sits inside our window, six seconds before the driver's service key was written. One more thing worth noting from the schedagent output: LastTaskRun is in local time and reads 10:04:01, while the key's LastWrite is 10:04:00 UTC, which strongly suggests this box's local clock is running on UTC. Keep that in mind when you compare timestamps from different artifacts.
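Both of the checks above (a service or driver written inside the window and loaded from somewhere it should not be, and a Userinit value with more in it than userinit.exe) are easy to automate once you have RegRipper's text output. The following is an added example written for this post, not RegRipper code and not part of the original: it parses svc short-format lines and the Userinit value and flags the findings. The two svc lines are the ones quoted above; the Tcpip line, the incident window and a SystemRoot of C:\WINDOWS (the XP default, matching the userinit path above) are assumptions made for the example.

```python
"""Triage RegRipper 'svc' (short format) and 'userinit' output.

Added example, not part of the post and not RegRipper code. The first two
svc lines are the ones quoted in the post; the Tcpip line, the incident
window and SYSTEM_ROOT are assumptions for this example.
"""
import re
from datetime import datetime, timezone

SYSTEM_ROOT = r'C:\WINDOWS'  # assumed (XP default)

# svc short format: LastWrite,Name,DisplayName,ImagePath,Type,Start (trailing comma)
SVC_OUTPUT = r"""
Tue Oct 30 09:17:53 2012Z,Micorsoft Windows Service,Micorsoft Windows Service,\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxhmnhtj.sys,Kernel driver,Disabled,
Tue Oct 30 09:16:59 2012Z,USBSTOR,USB Mass Storage Driver,system32\DRIVERS\USBSTOR.SYS,Kernel driver,Manual,
Mon Oct 29 12:00:00 2012Z,Tcpip,TCP/IP Protocol Driver,system32\DRIVERS\tcpip.sys,Kernel driver,Boot,
"""
# the Userinit value from the post's userinit plugin output
USERINIT_VALUE = r'C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Administrator\Local Settings\Application Data\agrsahog\ijjfkkxw.exe'

# assumed incident window: USB insertion through the scheduler key write
WINDOW_START = datetime(2012, 10, 30, 9, 16, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2012, 10, 30, 10, 5, 0, tzinfo=timezone.utc)

# path fragments (lower-cased, long and 8.3 forms) that mean "a user could write here"
USER_WRITABLE_HINTS = ('\\temp\\', '\\docume~1\\', '\\documents and settings\\',
                       '\\users\\', '\\appdata\\', '\\application data\\', '\\locals~1\\')


def normalize_image_path(image):
    """Full path from a raw ImagePath: drop the \\??\\ NT prefix, expand
    \\SystemRoot, and root relative paths at %SystemRoot%."""
    path = image.strip('"')
    if path.startswith('\\??\\'):
        path = path[4:]
    if path.lower().startswith('\\systemroot\\'):
        path = SYSTEM_ROOT + path[len('\\systemroot'):]
    elif not re.match(r'^[A-Za-z]:\\', path):
        path = SYSTEM_ROOT + '\\' + path
    return path


def parse_svc_line(line):
    fields = line.split(',')
    if len(fields) < 6:
        raise ValueError(f'unexpected svc line: {line!r}')
    lastwrite, name, display, image, svc_type, start = fields[:6]
    return {
        'lastwrite': datetime.strptime(lastwrite, '%a %b %d %H:%M:%S %YZ')
                             .replace(tzinfo=timezone.utc),
        'name': name, 'display': display, 'image': image,
        'path': normalize_image_path(image), 'type': svc_type, 'start': start,
    }


def is_user_writable(path):
    low = path.lower() + '\\'
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def triage_services(svc_output, window_start=WINDOW_START, window_end=WINDOW_END):
    """Flag services whose key was written in the window or whose image is suspicious."""
    findings = []
    for line in svc_output.splitlines():
        if not line.strip():
            continue
        svc = parse_svc_line(line)
        reasons = []
        if window_start <= svc['lastwrite'] <= window_end:
            reasons.append('Services key written inside the incident window')
        if is_user_writable(svc['path']):
            reasons.append('image lives in a user-writable location')
        if svc['type'] == 'Kernel driver' and \
                not svc['path'].lower().startswith(SYSTEM_ROOT.lower() + '\\'):
            reasons.append('kernel driver loaded from outside %SystemRoot%')
        if reasons:
            findings.append({'name': svc['name'], 'path': svc['path'],
                             'start': svc['start'], 'reasons': reasons})
    return findings


def check_userinit(value, expected=SYSTEM_ROOT + r'\system32\userinit.exe'):
    """Every Userinit entry other than the expected userinit.exe. Winlogon runs
    each comma-separated entry at logon, so anything extra is persistence."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]


if __name__ == '__main__':
    for f in triage_services(SVC_OUTPUT):
        print(f['name'], f['path'], f['start'], '; '.join(f['reasons']))
    print('extra Userinit entries:', check_userinit(USERINIT_VALUE))
```

The USBSTOR entry is flagged only for its LastWrite, which is exactly what you want: it is the USB insertion that starts the timeline. The Temp-folder driver trips all three rules. A real run would feed the whole svc output in and widen the window to whatever the USB and scheduler timestamps bracket.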
Prefetch
So remember we saw windows.pf in the first blog posting? Well, let's see if we can glean any more juicy tidbits from prefetch. Enter PFDump, another tool from Mike Spohn.
Again, the usage is quite simple: give it an input directory, in our case the Prefetch folder I grabbed, and optionally the computer name. How did I get that? There is a RegRipper plugin for it called compname :) All that's left to do is throw the output into your favourite analysis tool. I tried to clean it up a tad so it's a bit more legible. We really do not see anything new here: our two suspicious files show a last access time close to our time frame. However, what I thought was interesting was the create time... it looks like the file was created 6 hours after it was last accessed! Very strange... if anything it's a flag that something is not right. One check before reading too much into a gap that is a round number of hours: make sure both timestamps are being shown in the same time zone. The last-run time is stored inside the .pf file as a UTC FILETIME, while the create, modify and access times on the .pf file itself are NTFS timestamps that tools commonly display in the analysis box's local zone, and Denver at the end of October is six hours behind UTC. We can also see from PFDump the number of times each executable was run (1 in both our cases) and the full path it ran from.
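To show where PFDump's fields come from, and in which time zone, here is an added example, written for this post and not PFDump's code, that reads the header of a .pf file. It handles the XP/2003 (version 17), Vista/7 (version 23) and 8.1 (version 26) layouts; Windows 10 files are MAM-compressed and would have to be decompressed first. SAMPLE_PF, the executable name, hash and timestamps in it, and the "filesystem" create time used in the time-zone check are all constructed for the example.

```python
"""Minimal parser for the header of a Windows Prefetch (.pf) file.

Added example, not PFDump and not code from the post. Pulls the fields
PFDump reports (executable name, hash, run count, last run time) straight
from the header. SAMPLE_PF and its contents are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# (last_run_offset, run_count_offset) by header version:
# 17 = XP/2003, 23 = Vista/7, 26 = 8.1 (version 30, Win10, is MAM-compressed)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01, always UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    version, signature, _, file_size = struct.unpack_from('<I4sII', data, 0)
    if signature != b'SCCA':
        raise ValueError('not a prefetch file (SCCA signature missing)')
    if version not in LAYOUT:
        raise ValueError(f'unsupported prefetch version {version}')
    # executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated
    exe_name = data[0x10:0x10 + 60].decode('utf-16-le').split('\x00', 1)[0]
    pf_hash = struct.unpack_from('<I', data, 0x4C)[0]   # the hex in the .pf file name
    last_run_off, run_count_off = LAYOUT[version]
    last_run = filetime_to_datetime(struct.unpack_from('<Q', data, last_run_off)[0])
    run_count = struct.unpack_from('<I', data, run_count_off)[0]
    return {'version': version, 'file_size': file_size, 'exe_name': exe_name,
            'hash': f'{pf_hash:08X}', 'last_run': last_run, 'run_count': run_count}


def build_sample_xp_prefetch(exe_name, last_run, run_count, pf_hash):
    """Build only the 0x98-byte XP header/file-information block (enough for parse_prefetch)."""
    hdr = bytearray(0x98)
    struct.pack_into('<I4sII', hdr, 0, 17, b'SCCA', 0, len(hdr))
    hdr[0x10:0x10 + 60] = exe_name.encode('utf-16-le').ljust(60, b'\x00')
    struct.pack_into('<I', hdr, 0x4C, pf_hash)
    struct.pack_into('<Q', hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into('<I', hdr, 0x90, run_count)
    return bytes(hdr)


def timezone_check(embedded_utc, fs_time_naive, fs_utc_offset_hours):
    """Reconcile the embedded last-run time (UTC) with a filesystem timestamp a
    tool displayed as naive local time. Returns (apparent_gap, true_gap) in hours."""
    apparent = (fs_time_naive - embedded_utc.replace(tzinfo=None)) / timedelta(hours=1)
    fs_utc = fs_time_naive.replace(
        tzinfo=timezone(timedelta(hours=fs_utc_offset_hours))).astimezone(timezone.utc)
    true = (fs_utc - embedded_utc) / timedelta(hours=1)
    return apparent, true


# constructed sample: SAMPLE.EXE run once at 09:17:50 UTC
SAMPLE_LAST_RUN = datetime(2012, 10, 30, 9, 17, 50, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_xp_prefetch('SAMPLE.EXE', SAMPLE_LAST_RUN, 1, 0x1A2B3C4D)
# the same instant as a tool on a UTC-6 (Denver, MDT) box would show the .pf create time
FS_CREATED_LOCAL = datetime(2012, 10, 30, 3, 17, 50)

if __name__ == '__main__':
    print(parse_prefetch(SAMPLE_PF))
    print(timezone_check(SAMPLE_LAST_RUN, FS_CREATED_LOCAL, -6))   # (-6.0, 0.0)
```

Side by side the two times look six hours apart; once the displayed create time is put back into UTC the gap is zero. Run the same reconciliation with the evidence machine's own offset before calling a prefetch timestamp anomalous.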
At this point I would have uploaded all the files I recovered from the Temp folder to VirusTotal (or, heck, run them in my own sandbox); even a hash search turns up badness. I would also run strings on them, as well as on the two prefetch files and any other files I was able to extract. But what fun is that?! Where is that dead horse?! Memory forensics next!
2 comments:
Thanks for the mention of RegRipper...I'm really glad to see that it was useful to you.
I love it -- such a great tool. I never go into the registry without it :)