SANS Digital Forensics and Incident Response Blog: Author - johnmccash

Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. The thing that makes these things very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64bit Windows filetime values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...


Arbitrary Code Execution on Examiner Systems via File Format Vulnerabilities

I attended ThotCon 0x1 on Friday, April 23rd, and watched a talk where the presenters disclosed and demonstrated an exploit embedded in a disk image that triggered arbitrary code execution when the same malicious file was examined using either EnCase or FTK. I'd like to talk a bit about this and it's implications, as well as a few things that we, as a community, might want to do in response.

The specific vulnerability in question appeared to actually exist in the Outside-In component, and was not triggered until the malicious file was actually viewed inside EnCase or FTK. The presenters stated that the vulnerability had been initially reported to Guidance and Access Data more than 3 versions of EnCase ago. Thinking back now, I was assuming they meant they had notified before 6.14, but it's possible that they were counting point releases.

When triggered, the exploit seemed

...


'Free Download Manager' Log Extraction

Recently I worked on a case that required I reverse engineer some file formats used by the 'Free Download Manager' application. This is a popular download management application available from www.freedownloadmanager.org.

The version of the application I analyzed stores its logs under 'userprofile\\Application Data\\Free Download Manager'. It uses a number of files to handle different logs and track various in-process tasks. Here's a list of the files I found there:

  • dlmgrsi.sav - This is actually a short executable of some description. Not sure what it's for.
  • downloads.his.sav - Log file using the following format: Starts with the null-terminated header "FDM Downloads History". Then 8 bytes of unknown data, followed by a list of records as follows,

...


Windows Scheduler (at job) Forensics

This information may be useful to people responding to compromise incidents involving Windows. Typically these days, when a job is scheduled for execution later, possibly every day, week, or month, it's done via a GUI tool or 'schtasks'. However , you can still use the original command line 'at' tool. This utility also allows such jobs to be scheduled over the network if admin credentials are possessed, which makes it quite useful to an attacker for post exploitation activities. When cleaning up after something like this, it's useful to know a bit about what it does under the hood, including the formats of the associated .job file, and the structure and location of associated log entries.

[caption id="attachment_11626" align="aligncenter" width="745" caption="Figure 1: A scheduled

...


MIAT for Symbian & Windows Mobile Forensics

I recently became interested in mobile device forensics. This area covers a lot of ground, but a particularly interesting subfield is the forensics of Windows Mobile. As far as I was able to discover, not much has been written about this, which makes it perfect for a blog posting.

After a significant amount of Google research, I found a paper presented at the 2008 DFRWS conference. In it, the authors discuss a Mobile Internal Acquisition Tool, MIAT. They created this tool for extracting files from Smartphones running Symbian or Windows Mobile, and saving them to removable media. Another reference to the same work is presented here.

I was unable to locate a download site for the tool, so I contacted one of the presenters, Alessandro Distefano, as

...