Thursday, May 23, 2013

MoVP II - 2.3 - Creating Timelines with Volatility

A common computer forensic investigative methodology is creating timelines.  Timelines help establish events that took place on the machine prior to investigation.  There are various artifacts in Windows memory that can be used to construct a timeline.  This blogpost will cover timeline creation and usage.

Creating a Timeline

The following plugins have the ability to output in Sleuthkit bodyfile format: mftparser, shellbags and timeliner.
The output of these plugins can be combined in order to create a timeline of memory artifacts.  Two of these plugins (mftparser and shellbags) are more specific in their output and only include the artifacts their names describe.  The third plugin, timeliner, includes various artifacts such as:
In order to create a timeline using all of the above plugins, use the following commands:

$ ./vol.py --plugins=contrib/plugins -f [sample] timeliner --output=body --output-file=timeliner.txt -R
$ ./vol.py -f [sample] mftparser -C --output=body --output-file=mft.txt
$ ./vol.py -f [sample] shellbags --output=body --output-file=shellbags.txt

Then you can put it all together:

$ cat timeliner.txt mft.txt shellbags.txt >> bodyfile.txt
$ mactime -b bodyfile.txt -d > mactime.txt
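As an added example (not code from the post or from Volatility), the following Python does what the `cat` and `mactime -b ... -d` steps above do with a bodyfile: it parses TSK bodyfile lines, expands each entry into one row per distinct timestamp with the `macb` flags set, and sorts the rows. The two sample lines are constructed after the post's g.exe entries; mactime renders dates in the local time zone, and the post's output is US Eastern (UTC-4 in April), which the `EASTERN` constant reproduces.

```python
from datetime import datetime, timedelta, timezone

MACTIME_FMT = "%a %b %d %Y %H:%M:%S"
EASTERN = timezone(timedelta(hours=-4))   # the post's mactime output zone (UTC-4)

# Constructed sample in the TSK 3.x bodyfile layout the plugins write:
# md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# (values modelled on the post's g.exe entries; the md5 slot is unused).
BODYFILE = r"""
0|[MFT FILE_NAME] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
0|[MFT STD_INFO] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
"""

def parse_body_line(line):
    """Split one bodyfile line into its 11 pipe-separated fields."""
    f = line.rstrip("\n").split("|")
    if len(f) != 11:
        raise ValueError("malformed bodyfile line: %r" % line)
    return {"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4],
            "gid": f[5], "size": f[6], "atime": int(f[7]), "mtime": int(f[8]),
            "ctime": int(f[9]), "crtime": int(f[10])}

def mactime_rows(body_text, tz=timezone.utc):
    """Expand bodyfile entries into sorted rows in mactime -d (CSV) layout:
    date,size,macb,mode,uid,gid,inode,name.  One row per distinct timestamp
    of each entry; macb marks which of mtime/atime/ctime/crtime equal it."""
    rows = []
    for line in body_text.splitlines():
        if not line.strip():
            continue
        e = parse_body_line(line)
        for ts in sorted({e["mtime"], e["atime"], e["ctime"], e["crtime"]}):
            if ts <= 0:          # unset timestamps: this example skips them
                continue
            macb = "".join(flag if e[key] == ts else "." for flag, key in
                           (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")))
            when = datetime.fromtimestamp(ts, tz).strftime(MACTIME_FMT)
            rows.append((ts, ",".join((when, e["size"], macb, e["mode"], e["uid"],
                                       e["gid"], e["inode"], e["name"]))))
    rows.sort(key=lambda r: r[0])   # stable: same-second entries keep file order
    return [text for _, text in rows]

def grep_rows(rows, needle):
    """Case-insensitive filter, the equivalent of the post's grep -i."""
    return [r for r in rows if needle.lower() in r.lower()]

if __name__ == "__main__":
    for row in grep_rows(mactime_rows(BODYFILE, EASTERN), "systems"):
        print(row)
```

The STD_INFO entry yields two rows, `m.cb` at 22:01:54 and `.a..` at 22:10:14, which is exactly how the later "accessed" entry for g.exe shows up next to the FTP socket in the post's timeline.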

Analyzing an Example Timeline

We'll look at a generated timeline from a sample that was obtained from the Forensic Challenge for the GRRCon conference (http://t.co/m0JCvrnV) by Jack Crook (twitter: @jackcr website: http://www.handlerdiaries.com/). 


There is also a previous writeup on our blog: http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html by MHL and Andrew.

We are able to find the exploit file from the timeline:

$ grep -i ".pf" grrcon_mft |egrep -i '(doc|ppt|xls|pdf)' | grep -i exe
(FN) 0x14c42000|[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf|12024|---a-------I---|0|0|512|1335578362|1335578362|1335578362|1335578362

Now we can search for events near when the exploit happened:

$ mactime -b grrcon_body.txt -d | less -I

To search in the document type:

/swing

Now we should see:

Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT STD_INFO] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,352,macb,---a-----------,0,0,12026,[MFT FILE_NAME] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,352,m..b,---a-----------,0,0,12026,[MFT STD_INFO] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,344,.a..,---a-----------,0,0,23251,[MFT STD_INFO] WINDOWS\system32\msvfw32.dll
Fri Apr 27 2012 21:59:22,352,.a..,---a-----------,0,0,479,[MFT STD_INFO] WINDOWS\system32\avicap32.dll

Scrolling down we see someone trying to figure out the network:

Fri Apr 27 2012 21:59:49,488,mac.,---a-------I---,0,0,11854,[MFT STD_INFO] WINDOWS\Prefetch\IPCONF~1.PF
Fri Apr 27 2012 21:59:49,360,.a..,---a-----------,0,0,23434,[MFT STD_INFO] WINDOWS\system32\ipconfig.exe
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,344,.a..,---a-----------,0,0,23222,[MFT STD_INFO] WINDOWS\system32\net.exe
Fri Apr 27 2012 22:00:06,344,.a..,---a-----------,0,0,23131,[MFT STD_INFO] WINDOWS\system32\ping.exe

And a bit below that we see the creation of a folder called “systems” and then some new files:

Fri Apr 27 2012 22:01:03,472,macb,-------------D-,0,0,12029,[MFT FILE_NAME] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,472,...b,---------------,0,0,12029,[MFT STD_INFO] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,832,m.c.,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:07,832,.a..,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT FILE_NAME] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT STD_INFO] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:54,368,macb,---a-----------,0,0,12031,[MFT FILE_NAME] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:01:54,368,m.cb,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:02:05,368,macb,---a-----------,0,0,12032,[MFT FILE_NAME] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:05,368,...b,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:06,368,m...,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:17,368,macb,---a-----------,0,0,12033,[MFT FILE_NAME] WINDOWS\system32\systems\r.exe
Fri Apr 27 2012 22:02:17,368,m.cb,---a-----------,0,0,12033,[MFT STD_INFO] WINDOWS\system32\systems\r.exe

We can use this to `grep` for files in the “systems” folder:

$ grep -i systems grrcon_body.txt | grep -i exe | awk '{print $4}'
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578558|1335578558|1335578558|1335578558
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578559|1335578559|1335578559|1335578558
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335578525|1335578525|1335578525|1335578525
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335579196|1335578526|1335578698|1335578525
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578537|1335578537|1335578537|1335578537
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578939|1335578537|1335578537|1335578537
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335578546|1335578546|1335578546|1335578546
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335579140|1335578547|1335578547|1335578546
[snip]


We have prefetch files that show that some of these executables ran and we know what time they ran from the timestamps associated with them:

Fri Apr 27 2012 22:03:03      472 macb ---a-------I--- 0        0        12035    [MFT FILE_NAME] WINDOWS\Prefetch\W.EXE-0A1E603F.pf
                              472 macb ---a-------I--- 0        0        12035    [MFT FILE_NAME] WINDOWS\Prefetch\WEXE-0~1.PF
                              472 ...b ---a-------I--- 0        0        12035    [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:03:28      472 macb ---a-------I--- 0        0        12036    [MFT FILE_NAME] WINDOWS\Prefetch\G.EXE-24E91AA8.pf
                              472 macb ---a-------I--- 0        0        12036    [MFT FILE_NAME] WINDOWS\Prefetch\GEXE-2~1.PF
                              472 macb ---a-------I--- 0        0        12036    [MFT STD_INFO] WINDOWS\Prefetch\GEXE-2~1.PF
Fri Apr 27 2012 22:04:18      472 mac. ---a-------I--- 0        0        12035    [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:05:03      472 macb ---a-------I--- 0        0        12040    [MFT FILE_NAME] WINDOWS\Prefetch\P.EXE-04500029.pf
                              472 macb ---a-------I--- 0        0        12040    [MFT FILE_NAME] WINDOWS\Prefetch\PEXE-0~1.PF
                              472 ...b ---a-------I--- 0        0        12040    [MFT STD_INFO] WINDOWS\Prefetch\PEXE-0~1.PF
Fri Apr 27 2012 22:08:46      608 mac. rh------------- 0        0        10850    [snip]
[MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                              472 macb ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:09:01      472 mac. ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
[snip]

We can also prove that these executables ran by examining the prefetch hash.  You can use a python script I wrote a while back for this:

$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\r.exe"
R.EXE-19834F9B.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\p.exe"
P.EXE-4500029.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\w.exe"
W.EXE-A1E603F.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\g.exe"
G.EXE-24E91AA8.pf
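The check above, as an added example that is not the author's prefetch_hash.py: a reimplementation of the published Windows XP prefetch path hash (the XP variant is assumed here, which fits the XP-style `Documents and Settings` paths in this timeline), plus a matcher that tolerates the leading zero the author's script drops (it prints `P.EXE-4500029.pf` where the on-disk file in the timeline is `P.EXE-04500029.pf`).

```python
def xp_prefetch_hash(device_path):
    """Windows XP prefetch path hash over the full NT device path of the
    executable (the SCCA v17 algorithm as published for tools like libscca).
    The path is upper-cased first, so the case used on the command line
    does not matter, just as with the post's prefetch_hash.py."""
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:              # treat as signed 32-bit and take abs()
        h = 0x100000000 - h
    return h % 1000000007

def xp_prefetch_name(device_path):
    """Prefetch file name as Windows writes it: EXE name, dash, 8 hex digits."""
    exe = device_path.rsplit("\\", 1)[-1].upper()
    return "%s-%08X.pf" % (exe, xp_prefetch_hash(device_path))

def matches_prefetch(device_path, prefetch_filename):
    """Does a prefetch entry from the timeline belong to this executable path?
    Compares the numeric hash, so names with leading zeros stripped still match."""
    base = prefetch_filename
    if not base.lower().endswith(".pf") or "-" not in base:
        return False
    exe, _, hexhash = base[:-3].rpartition("-")
    try:
        value = int(hexhash, 16)
    except ValueError:
        return False
    return exe.upper() == device_path.rsplit("\\", 1)[-1].upper() and \
        value == xp_prefetch_hash(device_path)
```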

We can see staging taking place here along with documents:

Fri Apr 27 2012 22:07:10,456,macb,-------------D-,0,0,12041,[MFT FILE_NAME] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:10,456,...b,---------------,0,0,12041,[MFT STD_INFO] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF

We'll consider the exfiltration complete at the end of a file transfer; in this case it is an ftp connection:

Fri Apr 27 2012 22:10:14,0,macb,---------------,0,0,-1,[SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
Fri Apr 27 2012 22:10:14,368,.a..,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,1818,[MFT STD_INFO] WINDOWS\system32\drivers\etc\services
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,22706,[MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF

The following documents (highlighted in red in the original timeline view) were exfiltrated:

Fri Apr 27 2012 22:07:38      432 macb ---a----------- 0        0        12044    [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
                              432 macb ---a----------- 0        0        12044    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
                              432 macb ---a----------- 0        0        12044    [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44      432 macb ---a----------- 0        0        12045    [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
                              432 macb ---a----------- 0        0        12045    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
                              432 macb ---a----------- 0        0        12045    [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48      432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
                              432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                              432 macb ---a----------- 0        0        12046    [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF

It may be a little difficult to tell just from the timeline, but it looks like these files may have been compressed using RAR and ftp’d out:

Fri Apr 27 2012 22:07:44      [snip]
                              432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                              432 macb ---a----------- 0        0        12046    [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:08:46      608 mac. rh------------- 0        0        10850    [MFT STD_INFO] Documents and Settings\binge\APPLIC~1
                              344 macb -------------D- 0        0        12048    [MFT FILE_NAME] Documents and Settings\binge\Application Data\WinRAR
                              344 m.cb --------------- 0        0        12048    [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                              472 macb ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:08:59      360 .a.. -hsa----------- 0        0        10905    [MFT STD_INFO] Documents and Settings\binge\Application Data\desktop.ini
                              368 .a.. ---a----------- 0        0        12033    [MFT STD_INFO] WINDOWS\system32\systems\r.exe
                              344 .a.. --------------- 0        0        12048    [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
Fri Apr 27 2012 22:09:01      472 mac. ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:10:14        0 macb --------------- 0        0        -1       [SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
                              368 .a.. ---a----------- 0        0        12031    [MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03      344 .a.. ---a----------- 0        0        1818     [MFT STD_INFO] WINDOWS\system32\drivers\etc\services
                              344 .a.. ---a----------- 0        0        22706    [MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13      472 macb ---a-------I--- 0        0        12052    [MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
                              472 macb ---a-------I--- 0        0        12052    [MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
                              472 macb ---a-------I--- 0        0        12052    [MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF

Conclusion

As we can see, there is value in creating timelines from memory artifacts.  In this case we can see when the attacker first got on the machine, when they ran various tools, when they took things from the machine and what they took.  We hope you enjoyed this post and that you will find the timelining capability useful in your investigations!  If you have any questions, please feel free to reach out to me by email or by twitter (@gleeda).
