Monday, June 15, 2015

Disk forensics

Hard disk forensics are not my forte... I've been pretty spoiled with memory forensics, but what about when someone hands you a tower and wants you to figure out what a miscreant may have done? Well... You've gotta fall back to good ol' hard disc forensics. This is going to be a collection of useful links and steps that helped me through the process.

First off, of course you want to create a bit by bit copy of the harddrive, to "preserve evidence." Even if you're not planning to build a case, and have no need of forensically sound evidence, it's a good habit to get into. I have a StarTech dock that will duplicate disks, but you can use a dd in Linux as well, provided you have enough free hard drive space to house the source drive.

Where to from there? I found this site:
that provides a good list of places on the drive to go poking around for potentially useful information. Depending on how much you know about what you're looking for, some may stick out as more useful than others.

I tend to do most of my analysis on a Linux machine, which can make some of those tasks a little interesting. I ended up just copying the ntuser.dat file (HKCU registry hive) to a Windows 7 virtual machine so that I could load it up in regedit. If there's a slick tool for viewing Windows registries within the Linux kernel, I'd love to hear about them. A quick/lazy google didn't turn anything up ;)

Another useful little toy for disk forensics is creating a timeline. The output from this is insanely verbose, however, so unless you have a pretty good idea of what kind of time frame you're looking for, just browsing it hoping to stumble across something is a waste of time. You can do this one of two ways...
Simply run fls -l -p -r [sourcedrive] > output.file
or you can do this (the method I used to use, output ends up formatted slightly differently)
fls -r -m "[mountpoint]" [sourcedrive] > fls-body.file
mactime -b fls-body.file -d > mactimeout.csv

autopsy can help too, but mostly I find that the most useful for deleted files. I haven't tried to learn the sleuthkit cli way of browsing deleted files yet.

Through this (although unrelated to the drive I was looking at), I learned about an interesting little quirk of the NTFS file system that I had not heard about before. It's called Alternate Data Streams (ADS.) These little suckers are the ultimate in data hiding, and I'm surprised more modern malware doesn't try to use this. I'll post some links about them below, but basically it's metadata for the file that cannot be seen by any conventional means. And you can store ANYTHING there. Zip file, exe, movies, 80 gigs of junk data, you name it, and windows explorer will not indicate that it exists. You could store an entire library of hidden files in the metadata for a single file (or directory, or mount point.) The only potential problem, is that if that file/folder gets deleted, all the hidden data is lost as well.

There's a pretty good practical guide to them here:
And if you have powershell 3.0, they become easier to read/manipulate, there's a guide about that here:

No comments:

Post a Comment