counter anti-forensics

hogfly
Senior Member
 

counter anti-forensics

Posted: Oct 11, 06 00:08

So last night I started doing a little work on detecting the anti-forensics tools generated by the metasploit project.

I have to say I haven't gotten very far but I started with timestomp.

Timestomp demonstrates that you can't trust MAC times or even MACE times by offering the ability to replace all 4 timestamps.

My method:
Create a file C:\timestomp_test.txt.
Enter some text into the file
plug in my USB key
Run timestomp -z "Friday 10/06/2006 5:55:55 PM" from USB key
load the helix (windows side) CD.
acquire the ram with the following command:
dd if=\\.\physicalmemory of=E:\image.dd bs=512 conv=noerror --md5sum --verifymd5 --md5out=E:\image.dd.md5 --log=E:\audit.log

audit.log contents:
Total physical memory reported: 392688 KB
Copying physical memory...
Physical memory in the range 0x00002000-0x00012e00 could not be read.
Physical memory in the range 0x147d5000-0x147d5e00 could not be read.
D:\IR\FAU\dd.exe:
Stopped reading physical memory:

The parameter is incorrect.
\eb8af96259f3b554fc170337fc289a60 [\\\\.\\PhysicalMemory] *E:\\image.dd

Verifying output file...
\eb8af96259f3b554fc170337fc289a60 [E:\\image.dd] *E:\\image.dd
The checksums do match.
The operation completed successfully.

Output E:\image.dd (402583552 bytes)
786296+0 records in
786296+0 records out

Once the dd completed I pulled the plug and imaged the hard disk.

At this point I asked myself what traces does it leave? I searched with FTK 1.62 and X-ways 13.3 SR-1. Pertaining to the execution of timestomp I couldn't find much. The best source of information was the prefetch file and RAM. Other than that I found traces in the MFT logfile and more prefetch information in drive free space. I'm sure there are other locations that indicate the execution of the program and I'm sure there are other traces to be found...ideas?

What I found to be somewhat interesting are the entries within the prefetch file. All are file mappings to DLLs used in modifying time.

This got me thinking about execution of programs in general and I started to wonder if one could create a signature of executed programs based on the contents of the prefetch file (perhaps based on call order?) or the signature of the file in memory as it executes. i.e., can a signature be created based on the Process & Thread combinations? I suppose this would be the EPROCESS and ETHREAD information from RAM.

Anyways you can download the ram dump from here:
devilduckie.parallax.cornell.edu
The md5 is of the uncompressed ram dump.

I'd appreciate it if someone more knowledgeable in memory analysis could take a look and let me know what they find.
 
  
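One check a defender can run against the MFT to spot what timestomp leaves behind, as an added example that is not from the thread or the Metasploit project: timestomp rewrites only the $STANDARD_INFORMATION timestamps, and -z takes a whole-second string, so the kernel-written $FILE_NAME timestamps and the missing sub-second fraction give it away. The script assumes a raw 1024-byte MFT record as input, constructs its own sample record instead of reading a disk, and reads the post's 5:55:55 PM value as UTC.

```python
import struct
from datetime import datetime, timezone
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF
TICKS_PER_SEC = 10_000_000  # FILETIME: 100 ns units since 1601-01-01 UTC

def to_filetime(dt):  # integer arithmetic; float seconds would lose the 100 ns fraction
    d = dt - datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (d.days * 86400 + d.seconds) * TICKS_PER_SEC + d.microseconds * 10

def apply_fixups(rec):  # undo the update sequence array so the sector-end bytes are genuine
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def mft_timestamps(record):  # -> {"SI": (crtime, mtime, ctime, atime), "FN": (...)} as raw FILETIMEs
    rec = apply_fixups(record)
    off, found = struct.unpack_from("<H", rec, 20)[0], {}  # offset of the first attribute
    while struct.unpack_from("<I", rec, off)[0] != END:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if not nonres:
            body = off + struct.unpack_from("<H", rec, off + 20)[0]
            if atype == STD_INFO:
                found["SI"] = struct.unpack_from("<4Q", rec, body)
            elif atype == FILE_NAME and "FN" not in found:
                found["FN"] = struct.unpack_from("<4Q", rec, body + 8)  # skip the parent reference
        off += alen
    return found

def timestomp_indicators(record):
    ts, hits = mft_timestamps(record), []
    if all(t % TICKS_PER_SEC == 0 for t in ts["SI"]):  # -z takes a whole-second string: zero fraction
        hits.append("all $SI timestamps have zero sub-second precision")
    if ts["SI"][0] < ts["FN"][0]:  # $FN is kernel-written; $SI creation older than $FN creation is inconsistent
        hits.append("$SI creation time predates $FN creation time")
    return hits

def build_record(si_times, fn_times):  # constructed 1024-byte record with only $SI and $FN (not real disk data)
    def attr(atype, body):  # resident attribute header, content at offset 24
        return struct.pack("<IIBBHHHIHH", atype, 24 + len(body), 0, 0, 24, 0, 0, len(body), 24, 0) + body
    si = attr(STD_INFO, struct.pack("<4Q", *si_times) + b"\0" * 16)
    fn = attr(FILE_NAME, struct.pack("<Q4Q", 5, *fn_times) + b"\0" * 24 + b"\4\3" + "test".encode("utf-16-le") + b"\0" * 6)
    body = si + fn + struct.pack("<I", END)
    head = b"FILE" + struct.pack("<HHQHHHHII", 48, 3, 0, 1, 1, 56, 1, 56 + len(body), 1024)  # USA at 48, 3 entries
    rec = bytearray((head.ljust(56, b"\0") + body).ljust(1024, b"\0"))
    rec[48:50] = rec[510:512] = rec[1022:1024] = b"\1\0"  # USN 1 stamped on both sector ends
    return bytes(rec)
STOMPED_TIME = to_filetime(datetime(2006, 10, 6, 17, 55, 55, tzinfo=timezone.utc))  # the -z value from the post, read as UTC
REAL_TIME = to_filetime(datetime(2006, 10, 10, 23, 8, 14, 123456, tzinfo=timezone.utc)) + 7  # kernel-style, non-zero fraction
STOMPED_RECORD, CLEAN_RECORD = build_record((STOMPED_TIME,) * 4, (REAL_TIME,) * 4), build_record((REAL_TIME,) * 4, (REAL_TIME,) * 4)
```

On a real $MFT extract, slice the file into 1024-byte records (the usual record size) and feed each one to timestomp_indicators; a record that trips both checks is worth a look next to the prefetch and $LogFile traces described above.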

skip
Senior Member
 

Re: counter anti-forensics

Posted: Oct 11, 06 02:00

- hogfly
So last night I started doing a little work on detecting the anti-forensics tools generated by the metasploit project.

I have to say I haven't gotten very far but I started with timestomp.

Timestomp demonstrates that you can't trust MAC times or even MACE times by offering the ability to replace all 4 timestamps.

My method:
Create a file C:\timestomp_test.txt.
Enter some text into the file
plug in my USB key
Run timestomp -z "Friday 10/06/2006 5:55:55 PM" from USB key


One of the wonders of the metasploit project is what they call the meterpreter, which is an environment through which you can load and run modules or access libraries (or load your own libraries for that matter).


Make a base line list of running threads and processes...

You may find it interesting to crack a running process and load in the meterpreter.
Then dump memory and look at the processes and threads

Then using the meterpreter use some of the given modules, such as Sam or Sys.

Then dump memory and look at the processes and threads.

----
Now if you are using the new beta version of the metasploit I believe you can load timestomp as a module.
Make sure that when you "use" the module you include the -d option, which will keep the module Timestomp from being uploaded and stored on the remote disk.

Then use it to change all the Times for whatever files you wish.

During the writing of this post I was trying to test this...but alas I have run out of time.
I was having some difficulty with version 3 of the framework and getting the meterpreter to inject into the remote system.

Perhaps I'll have more specifics for you tomorrow (schedule permitting).


Skip  
 
  

keydet89
Senior Member
 

Re: counter anti-forensics

Posted: Oct 11, 06 02:29

One place you may want to look is in the UserAssist key for the user account that you ran timestomp under...  
 
  

hogfly
Senior Member
 

Re: counter anti-forensics

Posted: Oct 11, 06 02:49

Unfortunately there's nothing of value there in this case. Timestomp was executed from within cmd.exe (which shows up) but timestomp.exe does not.  
 
  

keydet89
Senior Member
 

Re: counter anti-forensics

Posted: Oct 11, 06 05:19

Right...the stuff you see in the UserAssist is handled through the shell...  