I was recently doing some forensic research on a laptop which had been formatted and factory-reinstalled (using the preinstalled HPA partition it shipped with), and then used normally by another user for six months prior to collection. I wasn't really expecting to be able to recover much of anything from before the format, but it's always worth a look. My initial examination showed that even unallocated space had been largely overwritten during the six month post reinstall period. Even the fragments I was able to recover from file slack were largely useless. Then I got some very confusing keyword search hits from data in hiberfil.sys, the Windows hibernation file, and my Odyssey began.
The reason these hits were confusing was that they appeared to reference data from before the format, yet they occurred almost exactly in the middle of the 3GB+ hibernation file, andthat filehad been written to (whichI at first assumedmeant completely overwritten) only
SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.
Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool.
Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables.
A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patch work of legislation covering various types of data which is considered sensitive (http://www.reyrey.com/regulations/). In general, social security and credit card numbers are at the top of the concern list. Since many states have encryption exemptions, a forensicator needs to know, does any media storage in the case have sensitive data in the clear?
Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to data exfiltation. Attackers commonly password protected and compressed the data as a .rar file. With strong passwords (32+ character pass-phrases) .rar files can be difficult to almost impossible to open with normal computing power.
Using a cross