Monday, August 16, 2010

Good Malware Blogs and Job Posting

I just got done with my morning blog roll reading and wanted to link to a couple of good entries. The first was by Zynamics talking about creating better malware signatures:

It specifically talks about creating signatures with their product VxClass. If you have not had a chance to use or see this product I suggest you do. The second blog entry worth re-posting was one from Nick Harbour at Mandiant. His post talks about finding command and control functions in malware, specifically focusing on the COM point of view, here is a link to the post:

Finally I would like to advertise a couple of positions that are open at my current work place. My team is looking for forensicators, incident responders, red teamers and malware analysts. If you are interested in the job apply at the link below:

Tuesday, August 10, 2010

$MFT Parsing EnScript

There is a considerable amount of forensic goodness in the $MFT on NTFS partitioned disks. What is a $MFT? Well the $MFT is the master file table on NTFS partitions that is a kind of database that keeps track of all the files on the partition including its location and metadata about the file. I am not going to delve into the depths of the format of NTFS because it has already been explained in numerous books like File System Forensics by Brain Carrier. What I am going to do is quickly summarize the "goodness" available in the $MFT and how you can extract this data with a EnScript I have authored.

The $MFT contains an entry for every file and directory on a partition including itself. Important metadata with in a $MFT are the name of the file, inode number, standard information attribute, file name attributes and data attribute. The size of a $MFT record is 1024 bytes. Below is an example of a $MFT record:

The header of a $MFT record is "FILE0". A $MFT record entry can contain the contents of a file if the size of the file fits into the allotted size for data attribute. Below is a $MFT record broken down into what I think are its important parts.

The standard information attribute (SIA) will contain the file times most people are used to seeing on the file system such as created, last written, last accessed and last modified. These times can also be easily changed by the attacker, the "worst" forensic problem ever until now because now you will know about the file information attribute (FIA). The FIA stores dates associated with the file's name and parent directory. These dates cannot be altered using Windows API calls like the SIA can. The meta data kept in the file information attribute consists of the file name creation date, file name modified date, file name last written and file name last accessed. Comparing the SIA to the FIA can detect the dreaded timestomping but be aware of the number of times this happens on a non-compromised or purposely altered system so stick to time windows when doing this type of analysis. To find all these times you are going to have to parse them by hand, wait no you don't there's a script for that below:


The EnScript I created, inspired by Keith Gould, will parse the important information mentioned above for you and provide you with a tab separated text file you can open up in Excel or parse with your favorite awk command. Don't worry I am not forgetting about the $MFT slack section mentioned above in the important parts, I will go over it in the next post.