|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 12.07.2019

Forensics


Malware analysis can require examining the disk of an infected machine, and sometimes its memory while the malware is running.

Disk analysis


sleuthkit

With the open source toolkit The Sleuth Kit (sleuthkit) you can examine the partitions of a disk image and the files they contain without mounting anything. Deleted files whose $MFT entries have not been reused yet are listed as well (fls marks them with an asterisk). Note that grep -f treats every line of iocs.txt as a regular expression; use grep -F for literal file names.

mmls image.dd
fls -pro <partition_offset> image.dd > file_listing.txt
grep -f iocs.txt file_listing.txt
istat -o <partition_offset> image.dd <inum>
icat -o <partition_offset> image.dd <inum> > malware.exe

fsstat -o <partition_offset> image.dd

Expert Witness Disk Image Format (EWF)

Many forensic acquisition tools write the compressed Expert Witness Format (E01 and following segments). ewfmount exposes the decompressed image as a raw file below the mount point, which can then be loop-mounted read-only. show_sys_files and streams_interface=windows are ntfs-3g options for NTFS volumes; if the image holds a whole disk rather than a single volume, add offset=<bytes> (see mmls) to the mount options.

ewfmount image.E01 /mnt/ewf/
ls -l /mnt/ewf/
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/win

Volume Shadow Copy Service (VSS)

Windows volume shadow copies can contain older versions of files, or files that have since been deleted. The offset is that of the NTFS volume inside the disk image.

vshadowinfo -o <partition_offset> image.dd
vshadowmount /mnt/ewf/ewf1 /mnt/vss
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/vss/vss1 /mnt/win_vss1

timestamp analysis

fls -m writes a bodyfile, one line per file with the access, modification, change and creation times in epoch seconds; mactime sorts it into a timeline (-d for CSV output, -z for the time zone, optionally followed by a start date).

fls -r -m C: /mnt/ewf/ewf1 > bodyfile.txt
mactime -d -b bodyfile.txt -z CEST <YYYY-MM-DD to start> > timeline.txt
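As an added example (not code from the original page, nor from The Sleuth Kit), the following Python script reads bodyfile lines in the layout fls -m writes and builds the same kind of timeline mactime -d produces. A fixed UTC+2 offset stands in for CEST and the three bodyfile lines are constructed sample data; both are assumptions of this example. It shows the field order of the bodyfile, how identical timestamps of one file collapse into a single "m.cb" row, that zero timestamps are skipped, and how the start date cuts off older events.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC+2 offset so the script needs no tz database; mactime -z CEST
# resolves the zone by name instead (assumption of this example).
CEST = timezone(timedelta(hours=2), "CEST")

# Constructed sample bodyfile, same field layout as `fls -m C:` output:
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime  (epoch seconds)
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/evil.exe|1234-128-1|r/rrwxrwxrwx|0|0|4096|1560003600|1560000000|1560000000|1560000000
0|C:/Users/bob/Desktop/notes.txt|5678-128-3|r/rrwxrwxrwx|0|0|120|1559347200|1559347200|1559347200|0
0|C:/Users/bob/Desktop/dropper.bat (deleted)|9999-128-1|r/rrwxrwxrwx|0|0|512|0|1559999940|1559999940|1559999940
"""


def parse_bodyfile(text):
    """Split bodyfile lines into records; the four times are keyed m/a/c/b."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("unexpected field count: %r" % line)
        _, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
            "size": int(size),
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return records


def build_timeline(text, tz=CEST, start=None):
    """Return rows (time, macb, size, inode, name) sorted like mactime -d.

    start is an optional "YYYY-MM-DD" date in the given time zone; events
    before it are dropped, as with mactime's trailing date argument."""
    start_ts = None
    if start is not None:
        start_ts = int(datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=tz).timestamp())
    rows = []
    for rec in parse_bodyfile(text):
        # Group by timestamp so a file that was modified, changed and created
        # at the same second becomes a single "m.cb" row, as mactime does.
        by_ts = {}
        for letter in "macb":
            ts = rec["times"][letter]
            if ts == 0:  # mactime skips unset (zero) timestamps
                continue
            by_ts.setdefault(ts, set()).add(letter)
        for ts, letters in by_ts.items():
            if start_ts is not None and ts < start_ts:
                continue
            macb = "".join(l if l in letters else "." for l in "macb")
            when = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((when, macb, rec["size"], rec["inode"], rec["name"]))
    rows.sort(key=lambda r: (r[0], r[4]))  # ISO timestamps sort lexically
    return rows


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODYFILE, start="2019-06-05"):
        print(",".join(str(v) for v in row))
```

With the start date 2019-06-05 the notes.txt row from June 1st is dropped and the remaining three rows show the dropper being written one minute before evil.exe, which is then read an hour later (the lone ".a.." row). mactime prints its own date format with the weekday in front; the ISO form here was chosen only to keep the sort trivial.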

Virtual Disk Images (vdi/vmdk)


Virtual disk images often have to be converted or mounted before they can be analyzed.

convert to virtual disk

xmount --in raw image.dd --cache /tmp/image.overlay --out vdi /tmp/virtual_disk
VBoxManage convertdd /dev/sdb test.vdi --format VDI

convert from virtual disk

VBoxManage clonehd image.vmdk image.raw --format raw
qemu-img convert -f vmdk -O raw image.vmdk image.raw

mount a virtual disk

qemu-nbd attaches the image read-only to a network block device. Load the nbd module with max_part set, otherwise the partition devices (/dev/nbd1p1, ...) do not appear.

modprobe nbd max_part=8
qemu-nbd -r -c /dev/nbd1 image.vmdk
mount -o ro /dev/nbd1p1 /mnt/partition1

File analysis


Windows ships built-in tools for hashing files (certutil also accepts SHA1 and SHA256 as the algorithm) and for encoding and decoding base64.

hashsum

certutil -hashfile malware.exe MD5

base64

certutil -encode test.txt test.base64
certutil -decode test.base64 test.txt

base64 (powershell)

PowerShell's own -EncodedCommand argument, often seen in malicious command lines, is base64 of UTF-16LE text, so decode it with [text.encoding]::unicode instead of utf8.

[convert]::tobase64string([text.encoding]::utf8.getbytes("test123"))
[text.encoding]::utf8.getstring([convert]::frombase64string("dGVzdDEyMw=="))

verify file signatures

/pa selects the default Authenticode verification policy; without it signtool applies the Windows driver signing policy, under which signatures of ordinary user-mode binaries can fail verification.

signtool verify /pa /v program.exe

Memory analysis


The open source tool volatility can be used to analyze memory dumps. The commands below use the Volatility 2 syntax, where the profile has to match the Windows version of the dump (imageinfo suggests candidates).

volatility --info
volatility <PLUGIN> -h

dump memory from virtualbox

vboxmanage debugvm 'VM Name' dumpvmcore --filename memory.elf
volatility -f memory.elf imageinfo
volatility -f memory.elf vboxinfo

extract binary from memory image

volatility -f memory.elf --profile=Win7SP1x64 pslist | grep evil.exe
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . procdump
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . procdump -m
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . memdump
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> dlllist | grep evil.dll
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -b <BASE> dlldump -D .

volatility -f memory.elf --profile=Win7SP1x64 modules
volatility -f memory.elf --profile=Win7SP1x64 -b <BASE> -D . moddump
volatility -f memory.elf --profile=Win7SP1x64 unloadedmodules

get binary filesize

A PE dumped from memory is padded to page boundaries. Its size on disk is the end of the last section, i.e. the largest PointerToRawData + SizeOfRawData in the section table, which readpe -S prints for every section.

readpe -S evil.exe | grep Pointer -B 1

console history

volatility -f memory.elf --profile=Win7SP1x64 consoles
volatility -f memory.elf --profile=Win7SP1x64 cmdscan

file system information

volatility -f memory.elf --profile=Win7SP1x64 mftparser

data carving

The strings tool can print the file offset of each finding (-t d for decimal), which can then be looked up in the image; -e l additionally finds UTF-16LE strings, which most strings in Windows memory are.

strings -td memory.image | grep NEEDLE

bulk_extractor scans the image for known patterns such as e-mail addresses, URLs and file headers and writes a report directory which can be opened in BEViewer.

bulk_extractor memory.image -o dump_directory
BEViewer

Other carving tools to mention are photorec and foremost.
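The "get binary filesize" section above and the carving here rest on the same piece of PE knowledge: the section table tells where the file ends on disk. As an added example (not code from the original page, and not readpe, foremost or volatility code), the script below parses the DOS header, COFF header and section table of a PE, computes that on-disk size, trims the page padding a memory dump leaves behind, and uses the same parser to carve complete MZ/PE files out of a raw image, skipping stray "MZ" bytes that are not followed by a valid header. The PE built by build_fake_pe and the surrounding bytes are constructed test data, an assumption of this example.

```python
import struct


def build_fake_pe(sections, pad=0):
    """Construct a minimal PE32 with the given sections (constructed test data).

    sections: list of (name, virtual_address, size_of_raw_data, pointer_to_raw_data).
    pad: trailing zero bytes, mimicking the page padding of a memory dump."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> "PE\0\0"
    opt_size = 0xE0                                       # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name, va, raw_size, raw_ptr in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        hdr += struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)
    end = max(ptr + size for _, _, size, ptr in sections)
    body = bytearray(end + pad)
    body[:len(hdr)] = hdr
    return bytes(body)


def pe_disk_size(data, base=0):
    """Size the PE at data[base:] occupies on disk, or None if no valid PE starts there."""
    n = len(data) - base
    if n < 0x40 or data[base:base + 2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, base + 0x3C)
    pe = base + e_lfanew
    if e_lfanew > n - 24 or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    sect_off = pe + 24 + opt_size                         # first section header
    if nsect == 0 or sect_off + 40 * nsect > len(data):
        return None
    end = e_lfanew + 24 + opt_size + 40 * nsect           # at least the headers
    for i in range(nsect):
        # SizeOfRawData at +16 and PointerToRawData at +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def trim_dump(data):
    """Cut the padding a memory dump leaves after the last section."""
    size = pe_disk_size(data)
    if size is None or size > len(data):
        raise ValueError("not a complete PE")
    return data[:size]


def carve_pe(blob):
    """Carve every complete MZ/PE file from a raw image; returns (offset, size, bytes)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos >= 0:
        size = pe_disk_size(blob, pos)
        if size is not None and pos + size <= len(blob):
            hits.append((pos, size, blob[pos:pos + size]))
            pos = blob.find(b"MZ", pos + size)
        else:
            pos = blob.find(b"MZ", pos + 2)                # not a PE, keep scanning
    return hits


if __name__ == "__main__":
    sections = [(b".text", 0x1000, 0x200, 0x400), (b".data", 0x2000, 0x100, 0x600)]
    dumped = build_fake_pe(sections, pad=0x800)           # 0xF00 bytes as "dumped"
    print("dump size 0x%x, on-disk size 0x%x" % (len(dumped), pe_disk_size(dumped)))
    image = b"\0" * 0x10 + b"MZ" + b"\0" * 0xFEE + dumped + b"MZ junk"
    for off, size, _ in carve_pe(image):
        print("PE at offset 0x%x, %d bytes" % (off, size))
```

A volatility procdump without -m already rewrites the section pointers to the file layout, so the trimmed output of trim_dump should hash to the original binary if nothing was modified in memory; a size mismatch against the file on disk is itself a hint that the image was patched or packed.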

Some volatility plugins also carve memory for kernel objects by their pool tags instead of following the kernel's linked lists, so they also find objects that are no longer linked, such as terminated or hidden processes.

volatility -f memory.elf --profile=Win7SP1x64 psscan
volatility -f memory.elf --profile=Win7SP1x64 netscan
volatility -f memory.elf --profile=Win7SP1x64 filescan
volatility -f memory.elf --profile=Win7SP1x64 hivescan
volatility -f memory.elf --profile=Win7SP1x64 mutantscan -s

dump cleartext credentials from crashdump

A memory image can be converted to a crash dump with volatility.

volatility -f memory.elf --profile=Win7SP1x64 raw2dmp -O memory.dmp

This crash dump can be opened in WinDbg, which needs the matching Microsoft symbols. To dump cleartext credentials, load the mimikatz WinDbg extension mimilib.dll, switch into the context of the lsass process and run !mimikatz.

.load /path/to/mimilib.dll
!process 0 0 lsass.exe
.process /r /p <ADDRESS>
!mimikatz

analysing kernel objects in volshell


volshell opens a Python shell on the memory image: dt() prints a structure at an address, db() dumps raw bytes, and cc() switches the current process context, which is needed before reading user-space addresses.

_KDDEBUGGER_DATA64

The virtual address of the Kernel Debugger Data Block (KDBG) is reported by volatility's imageinfo or kdbgscan plugins. Among other things it holds PsActiveProcessHead and PsLoadedModuleList, the heads of the process and loaded module lists that pslist and modules walk.

dt('_KDDEBUGGER_DATA64', <VIRTUAL ADDRESS>)

Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 pslist
volatility -f memory.elf --profile=Win7SP1x64 modules

_EPROCESS

ActiveProcessLinks is at offset 0x188 in the Win7SP1x64 _EPROCESS, so subtracting it from a Flink gives the start of the containing structure; repeating that around the ring is what pslist does.

dt('_LIST_ENTRY', <PsActiveProcessHead>)
dt('_EPROCESS', <Flink>-0x188)
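As an added example (not code from the original page or from volatility), the script below performs the <Flink>-0x188 arithmetic from above in plain Python over a constructed flat memory buffer and contrasts it with a pool-tag scan, i.e. the difference between pslist and psscan. The buffer, its layout (virtual address equals buffer offset, one fake _EPROCESS per page, the "Proc" pool tag 0xC bytes before each structure) and the three sample processes are constructed test data; the field offsets 0x180 (UniqueProcessId), 0x188 (ActiveProcessLinks) and 0x2E0 (ImageFileName) are the Win7SP1x64 ones, the first two being what the page's dt() calls rely on. The third process is unlinked from the ring, as a DKOM rootkit would do, so the list walk misses it and the scan finds it.

```python
import struct

# _EPROCESS field offsets of the Win7SP1x64 profile (assumption of this
# example; 0x188 is the value used in the page's Flink-0x188 arithmetic).
OFF_PID, OFF_LINKS, OFF_NAME = 0x180, 0x188, 0x2E0
# Constructed layout: the "Proc" pool tag sits 0xC bytes before the structure.
# A real image has the pool and object headers in between, which volatility's
# profile knows; this example just mimics the tag-before-object idea.
POOL_TAG_TO_EPROCESS = 0xC


def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]


def read_process(mem, eproc):
    """(base, pid, name) of the _EPROCESS at eproc; ImageFileName is 15 chars."""
    pid = read_u64(mem, eproc + OFF_PID)
    raw = bytes(mem[eproc + OFF_NAME:eproc + OFF_NAME + 15])
    return (eproc, pid, raw.split(b"\0", 1)[0].decode("ascii", "replace"))


def walk_active_process_list(mem, head):
    """Follow PsActiveProcessHead.Flink around the ring, like pslist does."""
    procs, seen = [], set()
    link = read_u64(mem, head)                 # head.Flink
    while link != head and link not in seen:  # seen guards against loops
        seen.add(link)
        eproc = link - OFF_LINKS               # CONTAINING_RECORD: Flink - 0x188
        procs.append(read_process(mem, eproc))
        link = read_u64(mem, link)             # this entry's Flink
    return procs


def scan_for_processes(mem):
    """Find processes by pool tag regardless of list membership, like psscan."""
    found = []
    pos = mem.find(b"Proc")
    while pos >= 0:
        eproc = pos + POOL_TAG_TO_EPROCESS
        if eproc + OFF_NAME + 15 <= len(mem):
            found.append(read_process(mem, eproc))
        pos = mem.find(b"Proc", pos + 4)
    return found


def hidden_processes(mem, head):
    """Processes the scan sees but the list walk does not."""
    return sorted(set(scan_for_processes(mem)) - set(walk_active_process_list(mem, head)))


def build_memory():
    """Constructed flat memory: address == offset, one fake _EPROCESS per page."""
    mem = bytearray(0x4000)
    head = 0x100                                # fake PsActiveProcessHead
    procs = [(0x1000, 4, b"System"), (0x2000, 1234, b"explorer.exe"),
             (0x3000, 4242, b"evil.exe")]
    for base, pid, name in procs:
        mem[base - POOL_TAG_TO_EPROCESS:base - POOL_TAG_TO_EPROCESS + 4] = b"Proc"
        struct.pack_into("<Q", mem, base + OFF_PID, pid)
        mem[base + OFF_NAME:base + OFF_NAME + len(name)] = name
    # Link only the first two into the ring: head -> System -> explorer -> head
    ring = [head] + [base + OFF_LINKS for base, _, _ in procs[:2]]
    for i, entry in enumerate(ring):
        flink, blink = ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]
        struct.pack_into("<QQ", mem, entry, flink, blink)
    # The unlinked process points at itself, as after DKOM
    hidden = procs[2][0] + OFF_LINKS
    struct.pack_into("<QQ", mem, hidden, hidden, hidden)
    return mem, head


if __name__ == "__main__":
    mem, head = build_memory()
    print("pslist :", walk_active_process_list(mem, head))
    print("psscan :", scan_for_processes(mem))
    print("hidden :", hidden_processes(mem, head))
```

Cross-checking the two views is the standard test for hidden processes; volatility's psxview plugin automates the same comparison across several process sources.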

Interesting content:

_PEB

The PEB lives in the user space of the process, so switch into the process context first.

cc(pid=<PID>)
dt('_PEB', <VIRTUAL ADDRESS>)

Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 sessions

_PEB_LDR_DATA

Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 -p <PID> dlllist

_RTL_USER_PROCESS_PARAMETERS

Interesting content:

Environment points to the process's environment block, a sequence of NUL-terminated UTF-16LE strings; its content can be displayed with

db(<ENV_ADDRESS>, <ENV_SIZE>)

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 -p <PID> cmdline
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> envars