Last changed: 12.07.2019
Forensics
During malware analysis it can be required to analyze the disk of an infected machine or even its memory while the malware is running.
Disk analysis
sleuthkit
With the open source tool sleuthkit you can examine partitions and the files they contain in a disk image without having to mount them. Deleted files whose entries are still in the $MFT are also displayed.
mmls image.dd
fls -pro <partition_offset> image.dd > file_listing.txt
grep -f iocs.txt file_listing.txt
istat -o <partition_offset> image.dd <inum>
icat -o <partition_offset> image.dd <inum> > malware.exe
fsstat -o <partition_offset> image.dd
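The grep against the file listing above tells you that an IoC matched, but you still have to pick the MFT entry id out of the fls line by hand before istat/icat can use it. The following shell function is an added example (not from the original page) that does that step: it matches an IoC list against an fls -pr listing and prints, per hit, whether the entry is allocated or deleted plus its id. The listing and the IoC file are constructed sample data; the assumed line layout is the one fls -p produces, `type [*] id:<TAB>path`, with `*` marking deleted entries.

```shell
#!/bin/sh
# Added example: match IoCs against an fls listing and print the MFT entry id
# of each hit. All sample data below is CONSTRUCTED, not taken from a real image.

TMPD=$(mktemp -d)

# Constructed "fls -pr" listing: <type> [*] <id>:<TAB><path>; "*" marks deleted entries
printf 'd/d 36-144-1:\tWindows/System32\nr/r 51-128-1:\tWindows/System32/evil.exe\nr/r * 52-128-1:\tUsers/bob/Downloads/invoice.doc\nr/r 60-128-1:\tUsers/bob/Downloads/notes.txt\n' > "$TMPD/file_listing.txt"

# Constructed IoC list (one substring per line, the same shape "grep -f iocs.txt" expects)
printf 'evil.exe\ninvoice.doc\n' > "$TMPD/iocs.txt"

# ioc_hits <iocs.txt> <file_listing.txt>
# Output: <allocated|deleted>|<mft entry id>|<path>
ioc_hits() {
  awk -v ioc_file="$1" '
    BEGIN {
      # load the IoC substrings once
      while ((getline line < ioc_file) > 0) if (line != "") iocs[++n] = line
      close(ioc_file)
    }
    NF >= 2 {
      deleted = ($2 == "*")
      id = deleted ? $3 : $2
      sub(/:$/, "", id)                 # "51-128-1:" -> "51-128-1"
      path = $0
      sub(/^[^:]*:[ \t]*/, "", path)    # everything after the first ":" and whitespace
      for (i = 1; i <= n; i++)
        if (index(path, iocs[i]) > 0) {
          printf "%s|%s|%s\n", (deleted ? "deleted" : "allocated"), id, path
          break
        }
    }' "$2"
}

ioc_hits "$TMPD/iocs.txt" "$TMPD/file_listing.txt"
# Each printed id can be passed straight to the page's commands, e.g.
#   istat -o <partition_offset> image.dd 52-128-1
#   icat  -o <partition_offset> image.dd 52-128-1 > recovered_invoice.doc
```

Deleted hits are worth extracting first: once the MFT entry is reused, icat returns whatever the new owner wrote there, so record the id and recover the content before continuing with the timeline.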
timestamp analysis
fls -r -m C: /mnt/ewf/ewf1 > bodyfile.txt
mactime -d -b bodyfile.txt -z CEST <YYYY-MM-DD to start> > timeline.txt
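The bodyfile that fls -m writes and mactime reads is a pipe-separated format that the page does not spell out, and knowing it helps when a timeline looks wrong. The block below is an added example, not code from the original page or from sleuthkit: a small awk reimplementation of what mactime does with the file, expanding each entry into one row per distinct timestamp with the usual MACB flags, restricted to a time window. The bodyfile is constructed sample data; the assumed layout is the TSK 3.x body format, `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, with Unix epochs for the four times.

```shell
#!/bin/sh
# Added example: a minimal mactime-style expansion of a TSK bodyfile, written
# to show what "mactime -b bodyfile.txt" does with the fields fls -m produces.
# The bodyfile below is CONSTRUCTED sample data, not from a real image.

# TSK 3.x body format (one line per file):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times are Unix epochs)
BODY_SAMPLE='0|C:/Windows/System32/evil.exe|51-128-1|r/rrwxrwxrwx|0|0|4096|1562900000|1562899000|1562899000|1562899000
0|C:/Users/bob/Downloads/invoice.doc (deleted)|52-128-1|r/rrwxrwxrwx|0|0|20480|1562700000|1562650000|1562700000|1562650000
0|C:/Windows/System32/kernel32.dll|200-128-1|r/rrwxrwxrwx|0|0|700000|1500000000|1400000000|1400000000|1400000000'

# mini_mactime <start_epoch> <end_epoch>   (bodyfile on stdin)
# Prints one row per distinct timestamp of each file, oldest first:
#   <epoch>|<MACB flags>|<size>|<name>
# flags: m = content modified, a = accessed, c = MFT entry changed, b = born (created)
mini_mactime() {
  awk -F'|' -v s="$1" -v e="$2" '
    NF >= 11 {
      split("", f)                       # reset the per-file map: epoch -> letters
      if ($9  != "") f[$9]  = f[$9]  "m"
      if ($8  != "") f[$8]  = f[$8]  "a"
      if ($10 != "") f[$10] = f[$10] "c"
      if ($11 != "") f[$11] = f[$11] "b"
      for (t in f) {
        if (t + 0 < s + 0 || t + 0 > e + 0) continue   # outside the requested window
        flags = (index(f[t], "m") ? "m" : ".") (index(f[t], "a") ? "a" : ".")
        flags = flags (index(f[t], "c") ? "c" : ".") (index(f[t], "b") ? "b" : ".")
        printf "%s|%s|%s|%s\n", t, flags, $7, $2
      }
    }' | sort -t '|' -k1,1n
}

# Usage: only events in July 2019 (UTC epochs are used instead of dates so no
# timezone conversion is needed; "mactime -z" does that for real timelines)
printf '%s\n' "$BODY_SAMPLE" | mini_mactime 1561939200 1564617600
```

Two things the expansion makes visible: a file whose m, c and b times are identical while a lies later (the evil.exe sample) usually means it was created in place and only read since, and a deleted entry still has all four timestamps as long as its MFT record has not been reused, so it lands on the timeline like any other file.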
scalpel
Some deleted files which have also been removed from the directory tree can still be recovered by carving. With scalpel you can select or create file headers and footers and extract all matching data to files.
mkdir out
vim /etc/scalpel/scalpel.conf
scalpel -o out image.dd
binwalk
binwalk some_file
binwalk --dd=".*" some_file
mount partition from disk image
To mount a specific partition from a disk image you have to find its position first. To avoid modifying the image file, mount it read-only.
fdisk -l disk_image.dd
mount -o ro,loop,offset=$((512 * <START>)),sizelimit=$((512 * <SECTORS>)) disk_image.dd /mnt/part_X
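The offset arithmetic above assumes 512-byte sectors, which is wrong for images taken from 4K-native disks. The function below is an added example, not from the original page: it reads the sector size from the Units line of fdisk -l output and builds the offset and sizelimit options for a named partition, taking the optional Boot column into account. The fdisk output it parses is constructed sample text; the column layout assumed is the one util-linux fdisk prints for a DOS label.

```shell
#!/bin/sh
# Added example: derive the mount options for a partition from "fdisk -l"
# output instead of multiplying by 512 by hand. The sector size is read from
# the "Units:" line, so images with 4096-byte sectors get the right offset.
# The fdisk output below is CONSTRUCTED sample text, not from a real image.

FDISK_SAMPLE='Disk disk_image.dd: 2 GiB, 2147483648 bytes, 4194304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device          Boot   Start     End Sectors  Size Id Type
disk_image.dd1  *       2048 1050623 1048576  512M  7 HPFS/NTFS/exFAT
disk_image.dd2       1050624 4194303 3143680  1.5G  7 HPFS/NTFS/exFAT'

# part_mount_opts <partition device name>   (fdisk -l output on stdin)
# Prints "ro,loop,offset=<bytes>,sizelimit=<bytes>"; exits 1 if not found.
part_mount_opts() {
  awk -v part="$1" '
    # "Units: sectors of 1 * 512 = 512 bytes" -> sector size is the token after "="
    /^Units:/ { for (i = 1; i <= NF; i++) if ($i == "=") ss = $(i + 1) + 0 }
    $1 == part {
      # a bootable partition has "*" in the Boot column, shifting the fields right
      if ($2 == "*") { start = $3; sectors = $5 } else { start = $2; sectors = $4 }
      printf "ro,loop,offset=%.0f,sizelimit=%.0f\n", start * ss, sectors * ss
      found = 1
    }
    END { if (!found) exit 1 }
  '
}

# Usage with a real image:
#   mount -o "$(fdisk -l disk_image.dd | part_mount_opts disk_image.dd1)" disk_image.dd /mnt/part_1
printf '%s\n' "$FDISK_SAMPLE" | part_mount_opts disk_image.dd1
printf '%s\n' "$FDISK_SAMPLE" | part_mount_opts disk_image.dd2
```

Passing sizelimit as well as offset keeps the loop device from extending past the partition end, so a filesystem driver that reads beyond its own boundary cannot touch the neighbouring partition.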
Alternatively use losetup with the partscan option (-P).
losetup -fP disk_image.dd --show
mount -o ro /dev/loop0p1 /mnt/part_1
When you are done, unmount the partition and detach the loop device.
umount /mnt/part_1
losetup -d /dev/loop0
Expert Witness Disk Image Format (EWF)
Many forensic acquisition tools use the compressed EWF file format for output. The following commands can be used to mount them.
ewfmount image.E01 /mnt/ewf/
ls -l /mnt/ewf/
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/win
Volume Shadow Copy Service (VSS)
Windows volume shadow copies can contain older versions or deleted files.
vshadowinfo -o <partition_offset> image.dd
vshadowmount /mnt/ewf/ewf1 /mnt/vss
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/vss/vss1 /mnt/win_vss1
mount lvm volumes
vgscan --cache
vgchange -ay <VOLUME_GROUP>
lvs
mount -o ro,loop /dev/<VOLUME_GROUP>/<VOLUME> /mnt/lvm_volume
Other tools to show LVM information are lvmdiskscan and lvdisplay.
bitlocker encryption
If the Windows system is up and running, you can print its encryption status.
manage-bde -status
manage-bde -protectors c: -get
Get-BitlockerVolume
(Get-BitlockerVolume -MountPoint c:).KeyProtector
To check the encryption parameters of a partition you can use dislocker or the tools from libbde.
losetup -Pf disk.raw --show
lsblk -f /dev/loop0
bdeinfo /dev/loop0p2
dislocker-metadata -V /dev/loop0p2
Now you can unlock the encrypted volume with the matching recovery key or password.
mkdir unlocked
dislocker -V /dev/loop0p2 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -r -- unlocked
mount -o ro unlocked/dislocker-file /mnt/unlocked_disk_ro
If you have neither recovery key nor password you could try to crack it with hashcat.
bitlocker2john disk.raw | grep '$bitlocker$0$' > bitlocker.hash
hashcat -m 22100 bitlocker.hash wordlist
dislocker -V /dev/loop0p2 -upassword -r -- unlocked
You could then create a copy of the disk image and replace the encrypted partition.
cp disk.raw disk_decrypted.raw
losetup -Pf disk_decrypted.raw
dd if=unlocked/dislocker-file of=/dev/loop1p2 status=progress
When you are done unmount everything.
umount /mnt/unlocked_disk_ro
umount unlocked
losetup -D
To enable bitlocker without a TPM you have to activate and configure the corresponding group policy.
Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives
Virtual Disk Images (vdi/vmdk)
Converting and mounting virtual disks can be needed when analyzing them.
convert to virtual disk
xmount --in raw image.dd --cache /tmp/image.overlay --out vdi /tmp/virtual_disk
VBoxManage convertdd /dev/sdb test.vdi --format VDI
convert from virtual disk
VBoxManage clonehd image.vmdk image.raw --format raw
qemu-img convert -f vmdk -O raw image.vmdk image.raw
mount a virtual disk
A virtual disk can be mounted without conversion with qemu-nbd. To do so read-only, use the following commands.
modprobe nbd
qemu-nbd -r -c /dev/nbd1 image.vmdk
mount -o ro /dev/nbd1p1 /mnt/partition1
umount /mnt/partition1
qemu-nbd -d /dev/nbd1
File analysis
Windows has built-in tools to calculate hashes or to encode and decode base64.
hashsum
certutil -hashfile malware.exe MD5
(Get-FileHash malware.exe -Algorithm md5).Hash
base64
certutil -encode test.txt test.base64
certutil -decode test.base64 test.txt
base64 (powershell)
[Convert]::ToBase64String([Encoding]::UTF8.GetBytes("test123"))
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("dGVzdDEyMw=="))
alternate data streams
getfattr -n ntfs.streams.list -R .
verify file signatures
The Windows SDK contains signtool, which can be used to verify the signature of a PE file.
signtool verify /pa /v program.exe
Alternatively, Sysinternals provides sigcheck[64].exe
sigcheck.exe -accepteula program.exe
find malicious files
The Sysinternals tools can also be used to scan for unsigned binaries on disk (sigcheck) or unsigned DLLs loaded by processes (listdlls)
sigcheck.exe -u -e c:\windows\*
listdlls -u *
Another way to find malicious files is to scan with autoruns, which is also from Sysinternals. Here you can select the following filters in the options to ease the search.
- hide Microsoft entries and
- verify code signatures
Windows Event Logs
The Windows event logs can be found in c:\windows\system32\winevt\logs. They can be parsed with parse-evtx
parse-evtx Security.evtx | sed 's/,/,\n/g' | grep -e "Record " -e EventID -e tUserName -e IpAddress -e LogonType | tr -d '\r\n' | sed 's/,Record #/,\nRecord #/g' | column -s, -t