Friday, April 18, 2008

Windows Memory Analysis

Recently I got the chance to use EnCase Enterprise's ability to acquire physical memory over the network. This is a great feature and it is nice to see that Guidance is starting to catch up with other products that already offered this feature, namely Mandiant's Intelligent Response and Technology Pathways' ProDiscover. I had made an EnScript to parse these data dumps for current and exited processes from XP machines last summer and I have finally got the OK to release it to the public. This EnScript takes a physical memory dump, whether it was acquired with either of the aforementioned products or with good old dd, and makes bookmarks of the process data. The bookmarks list the process ID, parent process ID, process start time and process end time. If the process has exited it will display an (X) by the bookmark folder name. I based the XP EnScript off the DFRWS memory image, and I created a Win2K EnScript before the XP one, so it is listed here too, just in case there are still 2K users out there. The XP EnScript has the option to export the results to an Excel file. I will be trying to add future capability to this EnScript so stay tuned and give me feedback on what you would like to see added to it.

Windows Memory Analysis (XP)
Windows Memory Analysis (2K)

Wednesday, April 9, 2008

Luhn Algorithm EnScript

After seeing a long list of posts in the forums on the credit card finder module, I wanted to post an EnScript I made up for some recent cases that had an overwhelming number of credit card hits from the EnCase credit card finder module. For those of you that do not know what this algorithm is, I would explain it here, but it is already on Wikipedia so look there. This EnScript reduces the number of credit card number hits dramatically, from tens of thousands to hundreds. The basics of this EnScript are that it looks at the search hits already created by the module and then creates bookmarks of the ones that are valid credit card numbers. Quick note: the search hits you want analyzed must be blue-checked. Have fun.

Credit Hit Analysis
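As an added example (not the Credit Hit Analysis EnScript and not code from its author), here is the same triage in Python: it takes the raw strings a finder module would return, normalizes separators, applies the Luhn check, and throws out the kind of hit that passes Luhn but can never be a card number (a run of one repeated digit). The issuer lookup is an assumption: a deliberately tiny IIN table covering four brands, enough to label a hit, not an authoritative range list. The hits it runs over are constructed inline.

```python
import re

SEPARATORS = re.compile(r"[ -]")   # the separators search hits usually carry between digit groups


def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 if the result
    exceeds 9, and require the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # the check digit (i == 0) is never doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(number: str):
    """Label a number by its leading digits. Assumption: a minimal IIN table, four brands only."""
    n = len(number)
    if number[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if number[:2] in ("34", "37") and n == 15:
        return "American Express"
    if n == 16 and (51 <= int(number[:2]) <= 55 or 2221 <= int(number[:4]) <= 2720):
        return "MasterCard"
    if n == 16 and (number[:4] == "6011" or number[:2] == "65"):
        return "Discover"
    return None


def triage_hit(hit: str):
    """Return (normalized_number, issuer) for a hit worth bookmarking, else None."""
    number = SEPARATORS.sub("", hit.strip())
    if not (number.isascii() and number.isdigit()) or not 13 <= len(number) <= 19:
        return None
    if len(set(number)) == 1:   # e.g. 0000000000000000 passes Luhn but is never a real PAN
        return None
    if not luhn_valid(number):
        return None
    return number, issuer(number) or "unknown"


def filter_hits(hits):
    """Keep only the search hits that survive triage, in their original order."""
    return [r for r in (triage_hit(h) for h in hits) if r]


# Constructed sample hits: public test card numbers plus the sort of noise a
# digit-pattern search drags in (timestamps, off-by-one digits, repeated digits).
SAMPLE_HITS = [
    "4111 1111 1111 1111",    # Visa test number, Luhn valid
    "4111-1111-1111-1112",    # one digit off, Luhn fails
    "0000000000000000",       # Luhn valid but all one digit
    "378282246310005",        # Amex test number, Luhn valid
    "1234567890123456",       # Luhn fails
    "5555 5555 5555 4444",    # MasterCard test number, Luhn valid
    "2008040812345678",       # looks like a timestamp, Luhn fails
]

if __name__ == "__main__":
    for number, brand in filter_hits(SAMPLE_HITS):
        print(f"{number:<19} {brand}")
```

Luhn alone still lets one in ten random digit strings through, which is why the repeated-digit rule and the issuer label matter in practice: a 16-digit "number" starting with 9 that passes Luhn is a hit you want to see flagged as unknown rather than filed next to a real Visa number.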

Tuesday, April 8, 2008

PEvil Carver

Alright, it has been a while, but here is an EnScript I talked about before in some forums. I have gotten some more questions about it, so I am going to post it to let everyone have access to it.

So you might ask, "What is the PEvil Carver EnScript?" Hopefully what this EnScript will do for you is find that evil program that is on your machine but that you just cannot find through traditional forensic analysis, i.e. anti-forensic techniques are keeping you from finding it. This script takes an intelligent approach to finding PE type files (.dll, .exe, .ocx, to name a few) in unallocated clusters (but you can search other unstructured data as well) and does not just look for the "MZ" signature. It starts with that good old "MZ" signature but goes further and checks for the "PE" signature that follows it at a variable offset, the e_lfanew value stored in the Image_Dos_Header. If both signatures are present the script bookmarks and carves the PE file based on the data stored within the PE file structure, which gives the file's real extent instead of a fixed-size cut. It also looks on the local system for files that already have the same hash and does not export a carved file that is already present, to cut down on false hits.

The PE files are exported to an EnCase LEF file that can be added to a case, mounted with VFS and then scanned with AV or other malware-finding tools such as Mandiant's Red Curtain. The bookmarks also contain a plethora of data on the PE file itself: the script parses out the Image_DOS_Header, Image_File_Header, Image_Optional_Header and each section's Image_Section_Header. Looking at the data within these headers can help you decide whether the PE file found is evil or not; the data here is much like what PEiD shows. The hash and size of the file are also included in the bookmarks, so a search can be done on the size or hash of the PE file to see if it is evil based on previously known indicators.

Another feature is that you can limit the size of the PE files that get exported. In initial testing, PE files of significant size (1-2 GB) were found in unallocated space; evil PE files are usually not that size, since they want to keep a low profile, so limiting the size will produce better results. Some recent tests done with this EnScript show that you can extract full PEs from memory dumps that match NSRL hashes, and files carved from unstructured data have been identified as known evil programs with Red Curtain and AV. Here is the EnScript; enjoy it and, as always, please give feedback. Thanks to Nick Harbour for the suggestion to make this script. Just as a side note, I will always provide the source code for how these EnScripts work; it is important for all forensic professionals to know what the tools they use do, and not just point and click and get answers but know how they got those answers.

PEvil Carver
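To make the "intelligent" part of the carver concrete, here is an added Python example; it is not the PEvil Carver EnScript and not code from its author. It walks every "MZ" in an unstructured region, follows e_lfanew to the "PE\0\0" signature, parses the Image_File_Header, the optional header magic and each Image_Section_Header, sizes the carve from the section table rather than a fixed length, skips files over a size limit, and skips files whose hash is in a known set (standing in for the local-system hash check). The size limit default, the e_lfanew bound and the set of accepted machine types are assumptions; the PE and the unallocated region it is carved from are constructed inline so the block runs offline.

```python
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"     # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
MAX_E_LFANEW = 0x1000            # assumption: a sane upper bound for e_lfanew


def parse_pe(data, off, max_size):
    """Validate the MZ/PE structure at data[off:] and size the file from its section table.
    Returns a record with the carved bytes, or None if the candidate is not a usable PE."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]     # IMAGE_DOS_HEADER.e_lfanew
    if not 0x40 <= e_lfanew <= MAX_E_LFANEW:
        return None
    pe = off + e_lfanew
    if data[pe:pe + 4] != PE_SIG or pe + 24 > len(data):
        return None
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, pe + 4)
    if machine not in (0x014C, 0x8664) or not 1 <= nsec <= 96:     # assumption: i386 / x64 only
        return None
    opt = pe + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                                # PE32 / PE32+
        return None
    sec_table = opt + opt_size
    end = sec_table + nsec * 40 - off          # file-relative: at least as long as its headers
    sections = []
    for i in range(nsec):
        s = sec_table + i * 40
        if s + 40 > len(data):
            return None
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, s)[:5]
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rawptr, rawsize))
        if rawsize:
            end = max(end, rawptr + rawsize)   # real on-disk extent comes from the section table
    if end > max_size:
        return None                            # oversized: unlikely to be the low-profile dropper
    end = min(end, len(data) - off)            # truncated if the region ends first
    blob = data[off:off + end]
    return {"offset": off, "size": len(blob), "machine": machine, "timestamp": stamp,
            "characteristics": chars, "magic": magic, "sections": sections,
            "md5": hashlib.md5(blob).hexdigest(), "data": blob}


def carve_pe_files(data, max_size=8 * 1024 * 1024, known_hashes=frozenset()):
    """Carve every structurally valid PE whose hash is not already known (assumed 8 MiB cap)."""
    carved = []
    pos = data.find(MZ)
    while pos != -1:
        rec = parse_pe(data, pos, max_size)
        if rec and rec["md5"] not in known_hashes:
            carved.append(rec)
        pos = data.find(MZ, pos + (rec["size"] if rec else 1))   # jump over a carved file
    return carved


# ---- constructed sample: a minimal one-section PE32 inside a fake unallocated region ----
def build_sample_pe():
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    fh = struct.pack(FILE_HEADER_FMT, 0x014C, 1, 0x4800ABCD, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    sec = struct.pack(SECTION_FMT, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + PE_SIG + fh + bytes(opt) + sec
    img += b"\0" * (0x200 - len(img))                              # pad headers to RawPtr
    return img + b"\xCC" * 0x200                                   # .text raw data


SAMPLE_PE = build_sample_pe()
_decoy = b"MZ no PE here"                                          # bare "MZ" with nothing behind it
SAMPLE_REGION = (b"\0" * 0x300 + _decoy + b"\0" * (0x800 - 0x300 - len(_decoy))
                 + SAMPLE_PE + b"\xFF" * 0x100)

if __name__ == "__main__":
    for rec in carve_pe_files(SAMPLE_REGION):
        print(f"PE at 0x{rec['offset']:X} size={rec['size']} machine=0x{rec['machine']:X} "
              f"timestamp=0x{rec['timestamp']:X} md5={rec['md5']}")
        for name, vaddr, vsize, rawptr, rawsize in rec["sections"]:
            print(f"  {name:<8} VA=0x{vaddr:X} VSize=0x{vsize:X} RawPtr=0x{rawptr:X} RawSize=0x{rawsize:X}")
```

The decoy shows why the "MZ" signature alone is not enough: it is a perfectly good MZ hit that no PE check survives. Sizing from the section table is what lets a carved file be mounted and scanned as a whole file rather than a 64 KiB chunk, and the hash filter is where a real deployment would plug in the local-file hash set or NSRL so that every copy of kernel32.dll in unallocated space is not exported again.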