Tuesday, April 8, 2008

PEvil Carver

Alright it has been a while but here is a EnScript I talked about before in some forums and I have gotten some more questions about it so I am going to post it to let all have access to it.

So you might ask "What is the PEvil Carver EnScript"? Hopefully what this EnScript will do for you is find that evil program that is on your machine but you just can not find it through traditional forensic analysis, i.e. anti-forensic techniques are not allowing you to find it. This script takes an intelligent approach to finding PE type files (.dll, .exe, ocx, to name a few) from unallocated clusters (but you can search other unstructured data types) and does not just look for the "MZ" signature. This intelligent approach starts with finding that good old "MZ" signature but goes further to find the "PE" signature that follows it after a variable amount of space specified in the Image_Dos_Header. If these two signatures are present this script will start bookmarking and carving the PE file based on the data that is stored within the PE file structure. It will also look on the local system for files that already have the same hash and not export it if it is on the local system to cut down on false hits. The PE files are exported to an EnCase LEF file that can be added to a case and then mounted with VFS and then scanned with AV or other malware finding tools such as Mandiant's Red Curtian. The bookmarks also contain a plethora of data on the PE file itself. It parses out the Image_DOS_Header, Image_Optional_Header, Image_File_Header, and each sections Image_Section_Header. Looking at the data within these headers can help you identify if the PE file found is evil or not, the data here is much like PEiD. The hash and size of the file is also included in the bookmarks and a search can be done on the size or hash of the PE file to see if it is evil or not based on previously known indicators. Other features are that you can limit the size of the PE file to be exported, in initial testing PE files of significant size (1-2GB) were found in unallocated space and traditionally evil PE files are probably not of that size and what to keep a low profile. There is also an option to limit the size of PE files exported, as mentioned already must "Evil" programs will not want to have a big presence so limiting the size of these will produce better results. Some recent tests done with this EnScript reveal you can extract full PE's from memory dumps that match NSRL hashes and files have been identified that are known evil program from unstructured data found with Red Curtain and AV. Here is the EnScript, enjoy it and please as always give feedback. Thanks to Nick Harbour for the suggestion to make this script and just as a side not I will always provide the source code to how these EnScripts work, it is important to all forensic professionals to know what the tools they use do and not just point and click and get answers but know how they got those answers.

PEvil Carver


raa said...


Thanks for a great EnScript.
I did however run into an error when running your EnScript.

Here is the error.

Any thoughts?

Location of PointerToRawData : 636
Size of PE : 1036288
Error: Internal Error, PEvilCarver(595,8)
Name: PEvilCarver
Status: Error
Start: 06/30/08 11:26:17AM
Stop: 06/30/08 12:01:57PM
Time: 0:35:40

seanmcl said...

I get two Warnings with EnCase 6.12:

Unnecessary initializer, ForensicKb\PEvilCarver(127,4)

Unnecessary initializer, ForensicKb\PEvilCarver(576,7)

The program then exits, almost immediately, writing a 5 kb file. Given that there was 160 Gbytes of disk to scan, I'm wondering what gives?

seanmcl said...

Ahh, I see. The warnings occur if you don't select one or more entries. I should read the source code more often.

The error occurs when you make selections (EnCase 6.12).