I just got done with my morning blog roll reading and wanted to link to a couple of good entries. The first was by Zynamics talking about creating better malware signatures:
http://blog.zynamics.com/2010/08/13/privatesigs/
It specifically talks about creating signatures with their product VxClass. If you have not had a chance to use or see this product I suggest you do. The second blog entry worth re-posting was one from Nick Harbour at Mandiant. His post talks about finding command and control functions in malware, specifically focusing on the COM point of view, here is a link to the post:
http://blog.mandiant.com/archives/1396
Finally I would like to advertise a couple of positions that are open at my current work place. My team is looking for forensicators, incident responders, red teamers and malware analysts. If you are interested in the job apply at the link below:
http://www.hr.lanl.gov/JobListing/SingleJobAd.aspx?JobNumber=217724
Monday, August 16, 2010
Tuesday, August 10, 2010
$MFT Parsing EnScript

There is a considerable amount of forensic goodness in the $MFT on NTFS partitioned disks. What is a $MFT? Well the $MFT is the master file table on NTFS partitions that is a kind of database that keeps track of all the files on the partition including its location and metadata about the file. I am not going to delve into the depths of the format of NTFS because it has already been explained in numerous books like File System Forensics by Brain Carrier. What I am going to do is quickly summarize the "goodness" available in the $MFT and how you can extract this data with a EnScript I have authored.
The $MFT contains an entry for every file and directory on a partition including itself. Important metadata with in a $MFT are the name of the file, inode number, standard information attribute, file name attributes and data attribute. The size of a $MFT record is 1024 bytes. Below is an example of a $MFT record:

The header of a $MFT record is "FILE0". A $MFT record entry can contain the contents of a file if the size of the file fits into the allotted size for data attribute. Below is a $MFT record broken down into what I think are its important parts.

MFTParser.EnScript
The EnScript I created, inspired by Keith Gould, will parse the important information mentioned above for you and provide you with a tab separated text file you can open up in Excel or parse with your favorite awk command. Don't worry I am not forgetting about the $MFT slack section mentioned above in the important parts, I will go over it in the next post.
Subscribe to:
Posts (Atom)