Chapter 1     Malware Incident Response

Description: Memoryze is a physical memory acquistion and analysis tool for Windows systems. Unlike other memory acquisition tools, memoryze allows the digital investigator to perform advanced analysis of memory from a live subject system, or from an acquired memory dump.  Memoryze officially supports memory acquisition from the following operating systems:

The official Memoryze User Guide (version 1.4.2900 as of this writing) is available from http://www.mandiant.com/products/free_software/memoryze/.

Helpful Switches:

Helpful Switches:

Description: The MoonSols Memory Toolkit (MMT) is a physical memory acquisition, conversion and analysis took kit that is available in  Professional (commercial) and Community (freeware) versions.  Included in the MMT is Win32dd, a command-line based tool used to acquire physical memory images. 

 
-The Community edition of Win32dd supports memory acquisition from the following Windows operating systems: Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bit Editions.

-The Community edition of win64dd supports memory acquisition from the following operating systems:
 Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 64-bit (x64) Editions.

-The Professional editions of Win32dd and Win63dd support memory acquisition from all Windows operating systems.

In the figure below, we used Win32dd community edition to acquire a physical memory image from a subject system:

E:\WinIR\memory\MMT>win32dd.exe /r /f E:\WinIR\memory\MMT\memdump.mem

win32dd - 1.3.1.20100417 - (Community Edition)
Kernel land physical memory acquisition
Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>

  Name                        Value
  ----                        -----
  File type:                  Raw memory dump file
  Acquisition method:         PFN Mapping
  Content:                    Memory manager physical memory block

  Destination path:           E:\WinIR\memory\MMT\memdump.mem

  O.S. Version:               Microsoft Windows XP Professional (build 2600)
  Computer name:              KIM-MRKTG-WS5

    Physical memory in use:         16%
    Physical memory size:       1052144 Kb (   1027 Mb)
    Physical memory available:   882732 Kb (    862 Mb)

    Paging file size:           1346160 Kb (   1314 Mb)
    Paging file available:      1278972 Kb (   1248 Mb)

    Virtual memory size:        2097024 Kb (   2047 Mb)
    Virtual memory available:   2084016 Kb (   2035 Mb)

    Extented memory available:        0 Kb (      0 Mb)

    Physical page size:         4096 bytes
    Minimum physical address:   0x0000000000001000
    Maximum physical address:   0x00000000403FF000

    Address space size:         1077936128 bytes (1052672 Kb)

    --> Are you sure you want to continue? [y/n] y

    Acquisition started at:     [11/10/2010 (DD/MM/YYYY) 23:17:11 (UTC)]

    Processing....Done.

    Acquisition finished at:  [2010-10-11 (YYYY-MM-DD) 23:18:46 (UTC)]
    Time elapsed:             1:34 minutes:seconds (94 secs)

            Created file size:          1077936128 bytes (   1028 Mb)

Helpful Switches:

Description: Another tool to consider implementing while collecting subject system details is NII Consulting’s DumpWin, a multipurpose utility that can assist in collecting general system information among other items, such as a list of all software installed on the system, shares present, startup programs, active processes, list and status of services, list of local Group Accounts and User Accounts, among other things, as shown in the tool menu, below

E:\WinIR\Sysinfo>DumpWin.exe

DumpWin v2.00 (Windows NT/2K)

Network Intelligence India Pvt. Ltd.

http://www.nii.co.in

Arjun Pednekar (arjunp@nii.co.in)

Parameters :

         -i : List installed Programs.          -d : Drive Information.

         -s : System Information.               -m : Check for Modem Drivers.

         -h : List shares present.              -t : List Startup Programs.

         -p : List active Processes.            -v : List of Services.

         -g : List Local Group Accounts         -u : List User Accounts.

         -l : dumpACL                           -n : Account Lockout Policy

         -a : All of above.

Helpful Switches:

Description: A useful tool for identifying logged-in users is the Microsoft Query User utility, or quser, which reveals logged-in users, the time and date of logon time, and the session type and state among other details, as seen in below.

Quser

USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME

>Kim                  console             0  Active        .  3/18/2008 8:15 AM

Description: Another helpful utility to identify users logged onto a system is Netusers, which provides the digital investigator with the ability to query a subject system for users logged on locally to the system, as well as the last logon date of each user account, as seen below.

Querying with Netusers
E:\WinIR\Users>netusers.exe /local
-------------------------------------------------------------------------------
Current users logged on locally at KIM-MRKTG-WS5:
-------------------------------------------------------------------------------
KIM-MRKTG-WS5\Kim                 
-------------------------------------------------------------------------------


E:\WinIR\Users>netusers.exe /local /history
-------------------------------------------------------------------------------
History of users logged on locally at KIM-MRKTG-WS5:          Last Logon:
-------------------------------------------------------------------------------
KIM-MRKTG-WS5\Kim                                            2008/03/18 8:15
-------------------------------------------------------------------------------
The command completed successfully.

Helpful Switches:

Description:  Pmon is very similar to that of the top command in *Nix systems, providing for a real-time granular look at the statistics relating to running processes such as memory usage and duration.

Helpful Switches:

Description:  Procinterrogate allows the digital investigator to identify all DLLs imported by running processes, but also gives the investigator the ability to query individual processes by PID using the –pid switch. Further, the procinterrogate output provides the entry point address of each loaded module, as shown in the output excerpt below:

 E:\WinIR\Processes>procinterrogate.exe -pid 864
ProcInterrogate Version 0.0.1 by Kirby Kuehl vacuum@users.sourceforge.net
------------------------------------------------------------------------
C:\WINDOWS\system32\spoolsv.exe (Process ID: 864)

        Entry Point  Base       Size       Module
        0x00401000   0x00400000 001CE000   C:\WINDOWS\temp\spoolsv\spoolsv.exe
        0x7C913156   0x7C900000 000B0000   C:\WINDOWS\system32\ntdll.dll
        0x7C80B436   0x7C800000 000F4000   C:\WINDOWS\system32\kernel32.dll
        0x77DD70D4   0x77DD0000 0009B000   C:\WINDOWS\system32\ADVAPI32.dll
        0x77E76284   0x77E70000 00091000   C:\WINDOWS\system32\RPCRT4.dll
        0x71B2124A   0x71B20000 00012000   C:\WINDOWS\system32\MPR.dll
        0x77D50EB9   0x77D40000 00090000   C:\WINDOWS\system32\USER32.dll
        0x77F163CA   0x77F10000 00046000   C:\WINDOWS\system32\GDI32.dll
        0x77C01135   0x77C00000 00008000   C:\WINDOWS\system32\VERSION.dll
        0x71AD1039   0x71AD0000 00009000   C:\WINDOWS\system32\WSOCK32.dll
    [excerpt]

Helpful Switches:

Helpful Switches:

Description:  GUI and CLI tool Serviwin, which when used with the /stext ><log file name> switch, provides a detailed description of each individual service

Helpful Switches:

Helpful Switches:

Helpful Switches:

Helpful Switches:

Helpful Switches:

Helpful Switches:

Description:  Recall that when a program is executed, the Windows operating system creates a “prefetch” file that enables speedier subsequent access to the program. Embedded within the Prefetch files are the most recent time a program was executed (bytes 120–128) and the number of times it was executed (bytes 144–148).  This embedded information can be extracted manually, or using a tool like Windows File Analyzer. The figure below shows Windows File Analyzer being used to view the Prefetch information on a subject system. Another approach to viewing this information is to mount the forensic duplicate using a tool like MountImage Pro and directing Windows File Analyze to read the Prefetch folder on the mounted drive, as discussed in Chapter 3. The rightmost column shows the number of times the executable was run, but this number is not incremented when an executable is automatically run from an autostart location when the system boots

Description:  StartupRun is an alternative GUI and command-line utility available from Nirsoft for displaying applications that are loaded automatically when Windows boot up, including the registry key associated with program.  Using StartupRun to query our subject system we can identify an autorun location for the suspect process spoolsv, as shown in the output, below:

==================================================
Item Name           : spoolsv
Type                : Registry -> Machine Run
Command             : "C:\Windows\temp\spoolsv\spoolsv.exe"
Disabled            : No
Product Name        : mIRC
File Version        : 6.03
Description         : mIRC
Company             : mIRC Co. Ltd.
Location            :      HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsFile  
                           \CurrentVersion\Run

Created Date   : 10/12/2010 9:21:46 PM
==================================================

Helpful Switches:

Helpful Switches:

Description:  Hfind is a command-line utility included in the Foundstone Forensic Toolkit 2.0—a collection of freeware command-line utilities that allow the digital investigator to investigate a subject system (NTFS file system only) for metadata and artifacts.   In particular, Hfind can be used to scan the target system for hidden files.  If hidden files are detected, HFind lists the last access times to the files.  Querying our subject system (targeting what we have learned through our investigation to be a suspicious directory) with HFind we discover numerous hidden files, as shown in the output below:

 E:\WinIR\Hiddenfiles\ForensicToolkit20>HFind.exe C:\WINDOWS\Temp
Searching...
C:\WINDOWS\Temp\spoolsv
  a.reg                         14/10/2010 05:52:36
  aliases.ini                           14/10/2010 05:52:36
  com.mrc                               14/10/2010 05:52:37
  control.ini                           14/10/2010 05:52:39
  Desktop.ini                           14/10/2010 05:52:36
C:\WINDOWS\Temp\spoolsv\download
  ident.txt                             14/10/2010 05:52:36
C:\WINDOWS\Temp\spoolsv\logs
  mirc.ico                              14/10/2010 05:52:36
  mirc.ini                              14/10/2010 05:57:28
  popups.txt                            14/10/2010 05:52:36
  remote.ini                            14/10/2010 05:52:39
  run.bat                               14/10/2010 05:52:36
  servers.ini                           14/10/2010 05:52:36
C:\WINDOWS\Temp\spoolsv\sounds
  spoolsv.exe                           14/10/2010 05:52:39
  users.ini                             14/10/2010 05:52:37
Finished

Helpful Switches:

Helpful Switches:

Helpful Switches:

Name:  Pasco

Description: Nirsoft offers a variety of free dual functional GUI/command line tools that can extract and help resconstruct the web browsing history on a subject system.  Some of these tools include:

-IEHistoryView-Extracts information from the history file (index.dat) of Internet Explorer; stores only one record for every Web page visit.

-IECacheviewer-Similar to IEHistoryView, the cache file stores multiple records for every Web page, including all images and other files loaded by the Web page.

-IECookieView- Extracts the content of all cookie files stored by Internet Explorer.

-MozillaHistoryView-extracts the details of all browsing history stored by Mozilla Firefox

-MozillaCacheView-extracts the details of all cache files stored by Mozilla Firefox

-MozillaCookieView-extracts the content of all cookie files stored by Mozilla Firefox

-FavoritesView-Extracts list of Favorites/Bookmarks

-ChromeCacheView-extracts the details of all cache files stored by Google Chrome Web browser

-OperaCacheView-extracts the details of all cache files stored by Opera Web browser.

-MyLastSearch-Scans the cache files for the four web browsers (IE, Mozilla, Opera, and Chrome) and extracts recent search queries made from the subject system.

Description:  FGET is a command-line utility that can acquire files from local and remote subject systems. 

-Using FGET from our trusted live response tool kit locally on a subject, we can quickly acquire a suspicious file by invoking the tool using the "–extract" switch, identifying the target file and the location of where to copy the file, as shown in the output below:

E:\WinIR\Extraction\FGET>FGET.exe -extract c:\WINDOWS\Temp\spoolsv\spoolsv.exe        E:\WinIR\Extraction\Evidence\spoolsv.exe

-= FGET v1.0 - Forensic Data Acquisition Utility - (c)HBGary, Inc 2010 =-

[+] Extracting File From Volume ...SUCCESS!

-FGET is also intended for acquisition of files over a network, with varying degrees of difficulty and system preparation.  To use FGET on remote systems, the local acquisition system must have a repository directory created (by default the directory is C:\FGETREPOSITORY). 

-Using the remote acquition capabilities of FGET we can copy the suspicious file from the subject system over the network from our analysis system, as shown in the output below.  Note that FGET places the target files in the FGETREPOSITORY directory, and in turn, in an auto-generated subdirectory name to comport with the target system IP address in an effort to easily parse acquisition results.

 E:\WinIR\Extraction\FGET>FGET.exe -scan 192.168.79.130 -extract     c:\WINDOWS\Temp\spoolsv\spoolsv.exe
-= FGET v1.0 - Forensic Data Acquisition Utility - (c)HBGary, Inc 2010 =-
[+] Operation STARTED for: "Forensic Get 1.0" ...
[+] Actions: REPORT
************************************************
[+] Setting maximum scanner thread count to: 1
[+] Capturing Machine: "192.168.79.130"
The command completed successfully.

[+] Authentication to C$Successful!
A subdirectory or file C:\FGETREPOSITORY\192.168.79.130 already exists.
        1 file(s) copied.
[+] Scanned: 1 of 1 nodes. (1 active scan threads)
        1 file(s) copied.scan threads to finish ...
[+] Copied file locally to: "C:\FGETREPOSITORY\192.168.79.130\"
[!] Evidence Acquisition Completed for Host: "192.168.79.130" in 1 seconds @ Wed     Oct 13 20:02:48 2010
[+] Machine: "192.168.79.130" Successfully Captured


************************************************
[+] Operation FINISHED for: "Forensic Get 1.0" ...
************************************************
[!] Attempted Node Checks: 1
[!] Pingable Nodes: 1
[!] Authenticated: 1

[S] Successful: 1
  - SUCCESS: 192.168.79.130
[+] Scan completed in 2 seconds

Helpful Switches:

      Local System Commands

     Remote System Commands