Last changed: 12.07.2019

Forensics

During malware analysis it can be required to analyze the disk of an infected machine or even its memory while the malware is running.

Disk analysis

sleuthkit

With the open source tool sleuthkit you can examine partitions and contained files in a disk image without having to mount them. Deleted files which are still in the $MFT are also displayed.

mmls image.dd
fls -pro <partition_offset> image.dd > file_listing.txt
grep -f iocs.txt file_listing.txt
istat -o <partition_offset> image.dd <inum>
icat -o <partition_offset> image.dd <inum> > malware.exe

fsstat -o <partition_offset> image.dd

timestamp analysis

fls -r -m C: /mnt/ewf/ewf1 > bodyfile.txt
mactime -d -b bodyfile.txt -z CEST <YYYY-MM-DD to start> > timeline.txt

scalpel

Some deleted files which are removed from the directory tree as well can still be recovered by carving. With scalpel you can select or create file headers and footers and extract all matching data to files.

mkdir out
vim /etc/scalpel/scalpel.conf
scalpel -o out image.dd

binwalk

binwalk some_file
binwalk --dd=".*" some_file

mount partition from disk image

To mount a specific partition from a disk image you have to find its position first. To avoid modification of the image file you should mount them read only.

fdisk -l disk_image.dd
mount -o ro,loop,offset=$((512 * <START>)),sizelimit=$((512 * <SECTORS>)) disk_image.dd /mnt/part_X

Alternativly use losetup with the partscan option (-P)

losetup -fP disk_image.dd --show
mount -o ro /dev/loop0p1 /mnt/part_1

When you are done unmount the disk

umount /mnt/part_1
losetup -d /dev/loop0

Expert Witness Disk Image Format (EWF)

Many forensic aquisition tools use the compressed ewf file format for output. The following commands can be used to mount them.

ewfmount image.E01 /mnt/ewf/
ls -l /mnt/ewf/
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/win

Volume Shadow Copy Service (VSS)

Windows volume shadow copies can contain older versions or deleted files.

vshadowinfo -o <partition_offset> image.dd
vshadowmount /mnt/ewf/ewf1 /mnt/vss
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/vss/vss1 /mnt/win_vss1

mount lvm volumes

vgscan --cache
vgchange -ay <VOLUME_GROUP>
lvs
mount -o ro,loop /dev/<VOLUME_GROUP/<VOLUME> /mnt/lvm_volume

Other tools to show lvm information are lvmdiskscan and lvmdisplay.

bitlocker encryption

If the windows system is up and running and you can print its encryption status.

manage-bde -status
manage-bde -protectors c: -get
Get-BitlockerVolume
(Get-BitlockerVolume -MountPoint c:).KeyProtector

To check the encryption parameters of a partition you can use dislocker or the tools from libbde.

losetup -Pf disk.raw --show
lsblk -f /dev/loop0
bdeinfo /dev/loop0p2
dislocker-metadata -V /dev/loop0p2

Now you can unlock the encrypted volume with the matching recovery key or password.

mkdir unlocked
dislocker -V /dev/loop0p2 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -r -- unlocked
mount -o ro unlocked/dislocker-file /mnt/unlocked_disk_ro

If you have neither recovery key nor password you could try to crack it with hashcat.

bitlocker2john disk.raw | grep '$bitlocker$0$' > bitlocker.hash
hashcat -m 22100 bitlocker.hash wordlist
dislocker -V /dev/loop0p2 -upassword -r -- unlocked

You could then create a copy of the disk image and replace the encrypted partition.

cp disk.raw disk_decrypted.raw
losetup -Pf disk_decrypted.raw
dd if=unlocked/dislocker-file of=/dev/loop1p2 status=progress

When you are done unmount everything.

umount /mnt/unlocked_disk_ro
umount dislocker
losetup -D

To enable bitlocker without a TPM you have to activate and configure the corresponding group policy.

Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives

Virtual Disk Images (vdi/vmdk)

Converting and mounting virual disk can be needed when analyzing them.

convert to virtual disk

xmount --in raw image.dd --cache /tmp/image.overlay --out vdi /tmp/virtual_disk
VBoxManage convertdd /dev/sdb test.vdi --format VDI

convert from virtual disk

VBoxManage clonehd image.vmdk image.raw --format raw
qemu-img convert -f vmdk -O raw image.vmdk image.raw

mount a virtual disk

A virtual disk can be mounted without conversion with qemu-nbd. To do so read-only use the following commands.

modprobe nbd
qemu-nbd -r -c /dev/nbd1 image.vmdk
mount -o ro /dev/nbd1p1 /mnt/partition1
umount /mnt/partition1
qemu-nbd -d /dev/nbd1

File analysis

Windows has builtin tools to calculate hashes or to decode base64.

hashsum

certutil -hashfile malware.exe MD5
(Get-FileHash malware.exe -Algorithm md5).Hash

base64

certutil -encode test.txt test.base64
certutil -decode test.base64 test.txt

base64 (powershell)

[Convert]::ToBase64String([Encoding]::UTF8.GetBytes("test123"))
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("dGVzdDEyMw=="))

alternate data streams

getfattr -n ntfs.streams.list -R .

verify file signatures

The windows SDK containts signtool which can be used to verify the signature of a PE file.

signtool verify /pa /v program.exe

Alternativly, in Sysinternals there is sigcheck[64].exe

sigcheck.exe -accepteula program.exe

find malicious files

The Sysinternals can also be used to scan for unsigned binaries on disk or unsigned dlls loaded by processes

sigcheck.exe -u -e c:\windows\*
listdll -u *

Another way to find malicious files is to scan with autoruns, which is also from `Sysinternals. Here you can select the following filters in the options to ease the search.

• hide Microsoft entries and
• verify code signatures

Windows Event Logs

The windows event logs can be found in c:\windows\system32\winevt\logs. They can be parsed with parse-evtx

parse-evtx Security.evtx | sed 's/,/,\n/g' | grep -e "Record " -e EventID -e tUserName -e IpAddress -e LogonType | tr -d '\r\n' | sed 's/,Record #/,\nRecord #/g' | column -s, -t