How can I tell when a hidden partition was created?

kurt2121
(@kurt2121)
Junior Member

I was looking at a drive that ran Windows XP home which had quite a nasty rootkit infection. (ZeroAccess). Unfortunately the drive is currently unbootable. So anyway, I was trying to determine when this infection took hold. Most of the infected files (the dropper and downloaders) were giving me a creation date in Jan 2012. How accurate is this? Is the date in these files a good indicator of when the machine was infected? Or does malware like that change the dates of these things usually?

There was also a hidden partition which MBR anti-rootkit had identified as Alureon.E.VBR. I read this may be part of the ZeroAccess infection, but I don't know for sure. Is there a way to figure out when the partition was created? What could I do to get more information about what this partition had on it? Would a hex editor tell me anything? Keep in mind, I can't boot it and can only access the files from plugging it into my laptop. Also I'm a noob!

Thank you!

Topic starter Posted : 08/07/2017 11:33 am
jaclaz
(@jaclaz)
Community Legend

If the (main) volume is NTFS you can find a lot of things in the filesystem, particularly the $logfile, but also the "plain" NTFS various dates may help.

Whether this is easy/feasible for a "noob" is another thing, some general idea on how filesystems and particularly NTFS might be needed.
And definitely using a hex/disk editor needs some more knowledge/experience.

Same goes for the "hidden" partition: IF it has been created/formatted on the machine, there is probably - even if not NTFS - the creation date of the root directory and of the files on it (if it is - I believe this kind of malware uses this latter method - a dd image of a volume deployed, then the date would not make any sense, because it could be weeks, or months, or years earlier than the date the infection happened).

Check Joakim's tools here
https://github.com/jschicht/Mft2Csv/wiki/Mft2Csv
https://github.com/jschicht/LogFileParser
(there are a few more tools, but these are the two that likely will produce some useful data).

jaclaz

Posted : 08/07/2017 1:51 pm
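To make the "look at the root directory's creation date" advice concrete, here is an added Python example (written for this thread; it is not jaclaz's code and not one of Joakim's tools). It walks the MBR partition table of a raw disk image, and for every partition whose boot record says NTFS it reads MFT record 5 (the root directory) and pulls the creation timestamp from both $STANDARD_INFORMATION and $FILE_NAME. The two are reported side by side because $SI is the one that utilities and malware can rewrite, while $FN is normally only set by the filesystem itself, so a disagreement is worth a closer look. The disk image, partition layout and dates are all constructed inline (build_test_image) so the script runs offline; a non-NTFS "hidden" entry is included to show the function simply reporting nothing for it.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_mbr(disk):
    """Return the non-empty entries of the classic 4-slot MBR partition table."""
    if disk[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        e = disk[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0 and count:          # e[4] is the partition type byte
            parts.append({"slot": i, "type": e[4], "lba": lba, "sectors": count})
    return parts

def apply_fixups(rec, bps):
    """Undo NTFS update-sequence fixups; a mismatch means a torn or corrupt record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    rec = bytearray(rec)
    for k in range(1, usa_count):
        end = k * bps
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in MFT record")
        rec[end - 2:end] = rec[usa_off + 2 * k: usa_off + 2 * k + 2]
    return bytes(rec)

def root_dir_timestamps(disk, part):
    """For an NTFS partition, return the root directory's $SI and $FN creation times."""
    vbr_off = part["lba"] * SECTOR
    vbr = disk[vbr_off:vbr_off + SECTOR]
    if vbr[3:11] != b"NTFS    ":
        return None                      # not NTFS (or VBR wiped): nothing to read here
    bps = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    mft_lcn = struct.unpack_from("<Q", vbr, 0x30)[0]
    cpr = struct.unpack_from("<b", vbr, 0x40)[0]   # clusters per record, or -log2(bytes)
    rec_size = cpr * spc * bps if cpr > 0 else 1 << -cpr
    rec_off = vbr_off + mft_lcn * spc * bps + 5 * rec_size   # record 5 = root directory
    rec = apply_fixups(disk[rec_off:rec_off + rec_size], bps)
    if rec[:4] != b"FILE":
        raise ValueError("MFT record 5 lacks FILE signature")
    off = struct.unpack_from("<H", rec, 0x14)[0]
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if rec[off + 8] == 0:            # resident attribute: content lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff: off + coff + clen]
            if atype == 0x10:            # $STANDARD_INFORMATION: created is the 1st FILETIME
                out["si_created"] = filetime_to_dt(struct.unpack_from("<Q", body, 0)[0])
            elif atype == 0x30:          # $FILE_NAME: 8-byte parent ref, then created
                out["fn_created"] = filetime_to_dt(struct.unpack_from("<Q", body, 8)[0])
        off += alen
    out["mismatch"] = out.get("si_created") != out.get("fn_created")
    return out

# ---- constructed test image (not a real disk) ---------------------------------
def _resident_attr(atype, body):
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0,
                       len(body), 24, 0, 0) + body

def _mft_record(si_created, fn_created, bps=512, size=1024):
    si = struct.pack("<4Q", *[dt_to_filetime(si_created)] * 4) + b"\0" * 16
    fn = (b"\0" * 8 + struct.pack("<4Q", *[dt_to_filetime(fn_created)] * 4)
          + b"\0" * 24 + bytes([1, 3]) + ".".encode("utf-16-le"))
    attrs = _resident_attr(0x10, si) + _resident_attr(0x30, fn) + b"\xFF\xFF\xFF\xFF"
    rec = bytearray(size)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 1 + size // bps)   # USA offset, USA count
    struct.pack_into("<H", rec, 0x14, 0x38)                  # first attribute offset
    rec[0x30:0x32] = b"\x01\x00"                             # update sequence number
    rec[0x38:0x38 + len(attrs)] = attrs
    for k in range(1, 1 + size // bps):                      # stamp USN over sector ends
        rec[k * bps - 2:k * bps] = b"\x01\x00"
    return bytes(rec)

def build_test_image():
    """Constructed disk: MBR, an NTFS partition at LBA 2048, a non-NTFS 'hidden' entry."""
    disk = bytearray((10240 + 8) * SECTOR)
    struct.pack_into("<B3sB3sII", disk, 0x1BE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 8192)
    struct.pack_into("<B3sB3sII", disk, 0x1CE, 0x00, b"\0\0\0", 0x27, b"\0\0\0", 10240, 8)
    disk[510:512] = b"\x55\xAA"
    vbr = 2048 * SECTOR
    disk[vbr + 3:vbr + 11] = b"NTFS    "
    struct.pack_into("<H", disk, vbr + 0x0B, 512)     # bytes per sector
    disk[vbr + 0x0D] = 8                               # sectors per cluster
    struct.pack_into("<Q", disk, vbr + 0x30, 4)        # $MFT starts at cluster 4
    struct.pack_into("<b", disk, vbr + 0x40, -10)      # 2**10 = 1024-byte MFT records
    disk[vbr + 510:vbr + 512] = b"\x55\xAA"
    mft = vbr + 4 * 8 * 512
    si = datetime(2012, 1, 15, tzinfo=timezone.utc)    # constructed: what $SI claims
    fn = datetime(2009, 3, 1, tzinfo=timezone.utc)     # constructed: what $FN recorded
    disk[mft + 5 * 1024:mft + 6 * 1024] = _mft_record(si, fn)
    return bytes(disk)

if __name__ == "__main__":
    disk = build_test_image()
    for p in parse_mbr(disk):
        print(p, root_dir_timestamps(disk, p))
```

On a real image you would replace build_test_image() with the bytes of the drive (or the relevant first few tens of MB of it) and let the loop report each partition; an entry whose VBR is not NTFS, or whose root record fails the fixup check, is exactly the case to take to a hex editor or to the Mft2Csv/LogFileParser tools linked above.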
kurt2121
(@kurt2121)
Junior Member

Thanks jaclaz!

So what about the creation dates of droppers and things like that? Would the creation date of malware and dropper files and whatever change, or is it assumable that something definitely infected you at that time? I mean, I can't see the need for droppers to be recreated after the infection takes hold, but I've been wrong plenty of times.

Topic starter Posted : 17/07/2017 10:03 am
jaclaz
(@jaclaz)
Community Legend

So what about the creation dates of droppers and things like that?

It doesn't work like this. 😯

I mean, the creation date of a dropper (whatever it is) is only one of the many, many pieces of the puzzle.

You don't know (exactly) WHAT happened.
You don't know (exactly) HOW the malware behaves (usually, let alone how it behaved specifically on the given machine).
You don't know (exactly) WHEN something (or the contrary of it) happened.

The whole point of the investigation is to look for and find as many pieces of the puzzle as you can and re-assemble them in such a way that you can make sense of the whole puzzle picture, even if it has many holes.

There is not a single piece (or at least it is unlikely) big enough to help you understand the whole picture without other pieces, each and every piece of info you can gather is useful to form and support a hypothesis (or to deny it).

jaclaz

Posted : 17/07/2017 2:27 pm