counter anti-forensics  

hogfly
(@hogfly)
Active Member

So last night I started doing a little work on detecting the anti-forensics tools generated by the metasploit project.

I have to say I haven't gotten very far but I started with timestomp.

Timestomp demonstrates that you can't trust MAC times or even MACE times by offering the ability to replace all 4 timestamps.

My method:
Create a file C:\timestomp_test.txt.
Enter some text into the file.
Plug in my USB key.
Run timestomp -z "Friday 10/06/2006 5:55:55 PM" from the USB key.
Load the Helix (Windows side) CD.
Acquire the RAM with the following command:
dd if=\\.\physicalmemory of=E:\image.dd bs=512 conv=noerror --md5sum --verifymd5 --md5out=E:\image.dd.md5 --log=E:\audit.log

audit.log contents:
Total physical memory reported 392688 KB
Copying physical memory…
Physical memory in the range 0x00002000-0x00012e00 could not be read.
Physical memory in the range 0x147d5000-0x147d5e00 could not be read.
D:\IR\FAU\dd.exe
Stopped reading physical memory

The parameter is incorrect.
\eb8af96259f3b554fc170337fc289a60 [\\\\.\\PhysicalMemory] *E\\image.dd

Verifying output file…
\eb8af96259f3b554fc170337fc289a60 [E\\image.dd] *E\\image.dd
The checksums do match.
The operation completed successfully.

Output E:\image.dd (402583552 bytes)
786296+0 records in
786296+0 records out

Once the dd completed I pulled the plug and imaged the hard disk.

At this point I asked myself what traces it leaves. I searched with FTK 1.62 and X-Ways 13.3 SR-1. Pertaining to the execution of timestomp I couldn't find much. The best sources of information were the prefetch file and RAM. Other than that I found traces in the MFT logfile and more prefetch information in drive free space. I'm sure there are other locations that indicate the execution of the program and I'm sure there are other traces to be found… ideas?

What I found to be somewhat interesting are the entries within the prefetch file. All are file mappings to DLLs used in modifying time.

This got me thinking about execution of programs in general and I started to wonder if one could create a signature of executed programs based on the contents of the prefetch file (perhaps based on call order?) or the signature of the file in memory as it executes. I.e., can a signature be created based on the Process & Thread combinations? I suppose this would be the EPROCESS and ETHREAD information from RAM.

Anyways, you can download the RAM dump from here:
ftp://devilduckie.parallax.cornell.edu
The md5 is of the uncompressed RAM dump.

I'd appreciate it if someone more knowledgeable in memory analysis could take a look and let me know what they find.

Posted : 11/10/2006 1:08 am
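One analyst-side check for the "can't trust MAC times" point above, as an added example that is not part of the thread: compare each MFT record's $STANDARD_INFORMATION (SI) timestamps with its $FILE_NAME (FN) copies, which SetFileTime-style changes of the kind timestomp makes leave untouched, and flag SI values that carry no sub-second remainder. The FILETIME values are constructed here, with the -z time from the post treated as UTC.

```python
# Added example (not from the thread): flag $STANDARD_INFORMATION (SI)
# timestamps that look stomped by checking them against the $FILE_NAME (FN)
# copies from the same MFT record. Timestomp rewrites the four SI values;
# the FN copies stay as the file system set them, and a value supplied at
# one-second resolution has no 100-ns remainder.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("modified", "accessed", "changed", "created")   # the "MACE" set
TICKS_PER_SECOND = 10_000_000                              # FILETIME is 100-ns ticks


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def stomp_indicators(si: dict, fn: dict) -> list:
    """Return human-readable anomalies for one record.

    si / fn map each name in FIELDS to the raw FILETIME int from that attribute.
    """
    findings = []
    for name in FIELDS:
        if si[name] % TICKS_PER_SECOND == 0:   # whole second: no 100-ns remainder
            findings.append(f"SI {name} has zero sub-second precision")
    # FN created is set when the name is created and only moves forward on
    # rename/move, so SI values that predate it were not written by normal I/O.
    if si["created"] < fn["created"]:
        findings.append("SI created is earlier than FN created")
    if si["modified"] < fn["created"]:
        findings.append("SI modified is earlier than FN created")
    return findings


# Constructed sample record: file created 2006-11-09 22:30:12.345678 UTC.
_CREATED = datetime_to_filetime(datetime(2006, 11, 9, 22, 30, 12, 345678, tzinfo=timezone.utc))
FN = {name: _CREATED for name in FIELDS}
_EDITED = _CREATED + 95 * TICKS_PER_SECOND + 123450        # edited 95 s later
CLEAN_SI = {"created": _CREATED, "modified": _EDITED, "accessed": _EDITED, "changed": _EDITED}
# Same record after a "timestomp -z" with the value used in the post above.
_STOMP = datetime_to_filetime(datetime(2006, 10, 6, 17, 55, 55, tzinfo=timezone.utc))
STOMPED_SI = {name: _STOMP for name in FIELDS}

if __name__ == "__main__":
    for label, si in (("clean", CLEAN_SI), ("stomped", STOMPED_SI)):
        print(label, stomp_indicators(si, FN) or "no anomalies")
```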
skip
(@skip)
Member

So last night I started doing a little work on detecting the anti-forensics tools generated by the metasploit project.

I have to say I haven't gotten very far but I started with timestomp.

Timestomp demonstrates that you can't trust MAC times or even MACE times by offering the ability to replace all 4 timestamps.

My method:
Create a file C:\timestomp_test.txt.
Enter some text into the file.
Plug in my USB key.
Run timestomp -z "Friday 10/06/2006 5:55:55 PM" from the USB key.

One of the wonders of the metasploit project is what they call the meterpreter, which is an environment through which you can load and run modules or access libraries (or load your own libraries for that matter).

Make a base line list of running threads and processes…

You may find it interesting to crack a running process and load in the meterpreter.
Then dump memory and look at the processes and threads.

Then using the meterpreter use some of the given modules, such as Sam or Sys.

Then dump memory and look at the processes and threads.

----
Now if you are using the new beta version of metasploit I believe you can load timestomp as a module.
Make sure that when you "use" the module you include the -d option, which will keep the Timestomp module from being uploaded and stored on the remote disk.

Then use it to change all the Times for whatever files you wish.

During the writing of this post I was trying to test this… but alas I have run out of time.
I was having some difficulty with version 3 of the framework and getting the meterpreter to inject into the remote system.

Perhaps I'll have more specifics for you tomorrow (schedule permitting).

Skip

Posted : 11/10/2006 3:00 am
keydet89
(@keydet89)
Community Legend

One place you may want to look is in the UserAssist key for the user account that you ran timestomp under…

Posted : 11/10/2006 3:29 am
hogfly
(@hogfly)
Active Member

Unfortunately there's nothing of value there in this case. Timestomp was executed from within cmd.exe (which shows up), but timestomp.exe does not.

Posted : 11/10/2006 3:49 am
keydet89
(@keydet89)
Community Legend

Right… the stuff you see in the UserAssist key is handled through the shell…

Posted : 11/10/2006 6:19 am