44CON London 2015: NTFS Analysis with PowerForensics

Post on 14-Feb-2017


NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division
@jaredcatkinson

Jared Atkinson
○ Hunt Capability Lead for Adaptive Threat Division
  □ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
○ Adjunct Lecturer at Utica College
○ Developer of PowerForensics, Uproot IDS, and WMIEventing
○ Researcher of forensic artifact file formats
○ Makes really cool posters :-)
History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more

Intro to PowerShell
“Microsoft’s [Digital Forensic] platform” - obscuresec, with some liberties…

What is PowerShell
○ Task-based command-line shell and scripting language
○ Built on the .NET Framework
  □ Cmdlets for performing common system administration tasks
  □ Consistent design
  □ Powerful object manipulation capabilities
  □ Extensible interface
○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
  □ Full access to the Windows API

PowerForensics
Old Dog, New Tricks
[Slide figure: the Detection, Response, Investigation cycle]

Requirements
○ Centralized forensic toolset
○ Forensically sound
  □ Parse raw disk structures
  □ Don’t alter NTFS timestamps
○ Can execute on a live host
○ Operationally fast
  □ Collect forensic data in seconds or minutes
○ Modular capabilities
  □ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○ Capable of working remotely
  □ At the proof of concept stage

Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey

Forensics Toolbox

Fast?!?

Understanding Modules
Extensibility for the win!

Download PowerForensics
http://download.powerforensics.invoke-ir.com
OR
https://www.github.com/Invoke-IR/PowerForensics

Unblock-File
○ PowerShell v3 gives us Unblock-File
Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○ Can also “Unblock” via the file’s properties dialog
  □ Best to Unblock the zip before extraction
○ Unblocking will remove the Zone.Identifier Alternate Data Stream

PSModulePath
○ PSModulePath
○ Naming Convention
More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx

Import-Module
Import-Module -Name PowerForensics
Get-Command -Module PowerForensics

PowerForensics Install Demo

Invoke-DD
○ One Cmdlet to rule them all
  □ Underlying API is basis for all of PowerForensics
○ Allows raw access to Physical Drive or Logical Volume
  □ Uses Platform Invoke to call CreateFile Windows API
  □ Opens a file handle to \\.\PHYSICALDRIVEX or Logical Volume
  □ Reads from file handle via FileStream object
  □ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)

$InFile = '\\.\PHYSICALDRIVE0'
Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1

Invoke-DD Demo

Boot Sectors
Where the action begins…

Master Boot Record
○ 1st Sector of the Disk
  □ Also referred to as the Boot Sector
○ Boot Code
  □ Locate Partition Table
  □ Find 1st “Bootable” partition
  □ Determine partition Logical Cluster Number
  □ Pass execution to first sector of partition (Volume Boot Record)
○ Partition Table
  □ Space for 4 partitions by default
  □ “Extended Partitions” allow for additional partitions above 4

Get-MBR
○ Cmdlet to parse the MBR and return MasterBootRecord objects
○ Use WMI to list available Devices:
$Devices = Get-WmiObject -Class Win32_DiskDrive
○ Run Get-MBR against one of the returned drives:
Get-MBR -Path $Devices[0].DeviceID

Boot Kits
○ Attackers can alter MBR Boot Code
  □ Code runs in Ring 0 (before the OS Loads)
○ Set-MasterBootRecord
  □ Proof of concept written by Matt Graeber (@mattifestation)
  □ Allows a user with administrator privilege to overwrite the Master Boot Record with arbitrary code
○ Get-MBR takes known Boot Code into account and detects any changes (tampering)
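The following is an added example and not code from the talk or from PowerForensics. It parses the 512-byte sector that Invoke-DD returns for offset 0 (the example assumes Invoke-DD yields a byte array; a constructed MBR is used here so it runs offline), lists the partition table, and compares a SHA-256 of the 440-byte boot-code area against a baseline of known-good hashes, which is the idea behind Get-MBR's tamper detection. The function names and the baseline values are made up for the example.

```powershell
function ConvertFrom-MbrBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 512) { throw 'An MBR is 512 bytes' }
    # The boot signature 0x55 0xAA occupies the last two bytes of the sector.
    if ($Bytes[510] -ne 0x55 -or $Bytes[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }

    # Layout: boot code 0..439, disk signature 440..443, partition table at 446 (4 x 16 bytes).
    $bootCode = [byte[]]$Bytes[0..439]
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = [BitConverter]::ToString($sha256.ComputeHash($bootCode)).Replace('-', '')

    $partitions = foreach ($i in 0..3) {
        $o = 446 + ($i * 16)
        $type = $Bytes[$o + 4]
        if ($type -eq 0) { continue }                # unused slot
        [PSCustomObject]@{
            Slot         = $i
            Bootable     = ($Bytes[$o] -eq 0x80)     # 0x80 = active/bootable flag
            Type         = '0x{0:X2}' -f $type       # e.g. 0x07 = NTFS/exFAT, 0xEE = GPT protective
            StartLBA     = [BitConverter]::ToUInt32($Bytes, $o + 8)
            TotalSectors = [BitConverter]::ToUInt32($Bytes, $o + 12)
        }
    }

    [PSCustomObject]@{
        DiskSignature  = '0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 440)
        BootCodeSHA256 = $bootHash
        PartitionTable = @($partitions)
    }
}

function Test-MbrBootCode {
    # Flags boot code whose hash is not in the baseline (hashes recorded from a trusted image).
    param([Parameter(Mandatory)]$Mbr, [Parameter(Mandatory)][string[]]$KnownGoodHashes)
    if ($KnownGoodHashes -contains $Mbr.BootCodeSHA256) { 'Boot code matches the baseline' }
    else { 'WARNING: boot code matches no known-good hash (possible tampering)' }
}

# --- constructed sample sector: patterned boot code, one active NTFS partition ---
$mbr = New-Object byte[] 512
for ($i = 0; $i -lt 440; $i++) { $mbr[$i] = [byte]($i % 251) }
[BitConverter]::GetBytes([uint32]0x1234ABCD).CopyTo($mbr, 440)   # disk signature (constructed)
$mbr[446] = 0x80; $mbr[450] = 0x07                                # active flag, partition type NTFS
[BitConverter]::GetBytes([uint32]2048).CopyTo($mbr, 454)         # start LBA
[BitConverter]::GetBytes([uint32]1048576).CopyTo($mbr, 458)      # sector count
$mbr[510] = 0x55; $mbr[511] = 0xAA

$clean    = ConvertFrom-MbrBytes -Bytes $mbr
$baseline = @($clean.BootCodeSHA256)      # record the hash while the disk is known to be clean
$clean.PartitionTable | Format-Table -AutoSize

# A copy whose boot code differs by a single byte no longer matches the baseline
$modified = [byte[]]$mbr.Clone()
$modified[0] = 0xEB
Test-MbrBootCode -Mbr $clean -KnownGoodHashes $baseline
Test-MbrBootCode -Mbr (ConvertFrom-MbrBytes -Bytes $modified) -KnownGoodHashes $baseline
```

On a live system the byte array would come from Invoke-DD -InFile '\\.\PHYSICALDRIVE0' -Offset 0 -BlockSize 512 -Count 1; the baseline should be captured from a trusted disk (or golden image) rather than from the host under investigation.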

MBR Bootkit Demo
MBR Boot Code (Pre Infection)
MBR Boot Code (Post Infection)


GUID Partition Table
○ Replacement Boot Sector format for MBR
  □ UEFI compliant devices must support GPT
○ Alternative to Legacy Master Boot Record
  □ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility
  □ Allows for increased partition sizes (2 TiB -> 8 ZiB)
  □ Supports many primary partitions (MBR supports 4)
  □ Creates Primary and Backup partition table for redundancy

Get-GPT
○ Cmdlet to parse the GPT and return GuidPartitionTable objects
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-GPT against one of the returned drives:
Get-GPT -Path \\.\PHYSICALDRIVE1
○ Warning: Get-GPT will error if the device is MBR formatted
○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR

Get-BootSector
○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-BootSector against one of the returned drives:
Get-BootSector -Path \\.\PHYSICALDRIVE0
Get-BootSector -Path \\.\PHYSICALDRIVE1

Get-PartitionTable
○ Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○ MBR formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE2
○ GPT formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE1

NTFS System Files

#  Filename               #   Filename
0  $MFT                   8   $BadClus
1  $MFTMirr               9   $Secure
2  $LogFile               10  $UpCase
3  $Volume                11  $Extend
4  $AttrDef                   $ObjId
5  Root Directory (.)         $Quota
6  $Bitmap                    $Reparse
7  $Boot                      $UsnJrnl

(The unnumbered entries in the right-hand column are the files kept inside the $Extend directory.)

Volume Boot Record
$Boot (7)
○ 1st Sector of partition
  □ Location of partition is pointed to by the Partition table (MBR or GPT)
○ Loads the BOOTMGR Loader
○ Defines partition attributes
  □ Bytes per Sector
  □ Sectors per Cluster
  □ Total Sectors
  □ Location of MFT
  □ Size of MFT Record
  □ Size of INDX Structure

Get-VolumeBootRecord

○Cmdlet to parse the VBR and return VolumeBootRecord objects○Execute Cmdlet with “VolumeName” parameter$VBR = Get-VolumeBootRecord –VolumeName \\.\C:

○Often useful to pair with low level cmdlets like Invoke-DD
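As an added example (not PowerForensics code), the parser below reads the partition attributes the $Boot slide lists from the first sector of an NTFS volume and derives the byte offset of $MFT, which is the -Offset a low-level Invoke-DD read of the MFT would need. On a live system the sector would come from Invoke-DD -InFile '\\.\C:' -Offset 0 -BlockSize 512 -Count 1 (assumed to return a byte array); a constructed VBR with made-up values is used here so the example runs offline.

```powershell
function Get-NtfsSizeField([byte]$Raw, [int]$ClusterSize) {
    # The two size fields are signed bytes: a positive value is a cluster count,
    # a negative value n means 2^(-n) bytes (0xF6 = -10 -> 1024-byte MFT records).
    $v = if ($Raw -ge 0x80) { [int]$Raw - 256 } else { [int]$Raw }
    if ($v -gt 0) { $v * $ClusterSize } else { [int][math]::Pow(2, -$v) }
}

function ConvertFrom-NtfsVbr {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $oem = [System.Text.Encoding]::ASCII.GetString($Bytes, 3, 8)    # OEM ID at offset 3
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$oem')" }
    if ($Bytes[510] -ne 0x55 -or $Bytes[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }

    $bytesPerSector    = [int][BitConverter]::ToUInt16($Bytes, 0x0B)
    $sectorsPerCluster = [int]$Bytes[0x0D]
    $clusterSize       = $bytesPerSector * $sectorsPerCluster
    $mftCluster        = [BitConverter]::ToUInt64($Bytes, 0x30)

    [PSCustomObject]@{
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        ClusterSize       = $clusterSize
        TotalSectors      = [BitConverter]::ToUInt64($Bytes, 0x28)
        MftCluster        = $mftCluster
        MftMirrCluster    = [BitConverter]::ToUInt64($Bytes, 0x38)
        MftByteOffset     = $mftCluster * [uint64]$clusterSize    # -Offset for an Invoke-DD read of $MFT
        MftRecordSize     = Get-NtfsSizeField $Bytes[0x40] $clusterSize
        IndexRecordSize   = Get-NtfsSizeField $Bytes[0x44] $clusterSize
        VolumeSerial      = '{0:X16}' -f [BitConverter]::ToUInt64($Bytes, 0x48)
    }
}

# --- constructed sample VBR (values are made up but typical for a 100 GiB volume) ---
$vbr = New-Object byte[] 512
[System.Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($vbr, 3)
[BitConverter]::GetBytes([uint16]512).CopyTo($vbr, 0x0B)         # bytes per sector
$vbr[0x0D] = 8                                                    # sectors per cluster (4 KiB clusters)
[BitConverter]::GetBytes([uint64]209715199).CopyTo($vbr, 0x28)   # total sectors
[BitConverter]::GetBytes([uint64]786432).CopyTo($vbr, 0x30)      # $MFT starts at cluster 0xC0000
[BitConverter]::GetBytes([uint64]2).CopyTo($vbr, 0x38)           # $MFTMirr cluster
$vbr[0x40] = 0xF6                                                 # -10 -> 1024-byte file records
$vbr[0x44] = 0x01                                                 # 1 cluster -> 4096-byte INDX records
[BitConverter]::GetBytes([uint64]0x1A2B3C4D5E6F7081).CopyTo($vbr, 0x48)
$vbr[510] = 0x55; $vbr[511] = 0xAA

ConvertFrom-NtfsVbr -Bytes $vbr | Format-List
```

The MftByteOffset field (cluster number times cluster size) is what ties the VBR to everything that follows: reading MftRecordSize bytes at that offset with Invoke-DD yields MFT record 0, the $MFT file's own entry.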

Master File Table
$MFT (0)
○ NTFS file table
  □ First file present on NTFS partition
  □ Contains at least one entry for every file on an NTFS Volume, including itself
  □ As files are added the MFT grows
  □ When files are deleted, the MFT marks the file’s record as unallocated so a new file can take its place
○ Each record contains file metadata
  □ MACB Timestamps
  □ File name details (name, path, hard links)
  □ Location of Data

Get-FileRecord
○ Cmdlet to parse the MFT and return FileRecord objects
○ Three different ways to use:
1) Get all MFT Records
$mft = Get-FileRecord -VolumeName \\.\C:
2) Get a FileRecord by path
Get-FileRecord -Path C:\Windows\notepad.exe
3) Get a FileRecord by Record Number/Index value
Get-FileRecord -VolumeName \\.\C: -Index 0

Temporal Funneling
○ Large amounts of data may not be relevant to our case
  □ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation

$mft = Get-FileRecord -VolumeName \\.\C:
$start = New-Object DateTime -ArgumentList 2015, 8, 21, 13, 5, 0
$end = New-Object DateTime -ArgumentList 2015, 8, 21, 14, 5, 0
$mft | ? { ($_.BornTime -gt $start) -and ($_.BornTime -lt $end) }

Temporal Funneling Demo

MFT Attributes

Type   Name                      Type   Name
0x10   $STANDARD_INFORMATION     0x90   $INDEX_ROOT
0x20   $ATTRIBUTE_LIST           0xA0   $INDEX_ALLOCATION
0x30   $FILE_NAME                0xB0   $BITMAP
0x40   $OBJECT_ID                0xC0   $REPARSE_POINT
0x50   $SECURITY_DESCRIPTOR      0xD0   $EA_INFORMATION
0x60   $VOLUME_NAME              0xE0   $EA
0x70   $VOLUME_INFORMATION       0xF0   $PROPERTY_SET
0x80   $DATA                     0x100  $LOGGED_UTILITY_STREAM
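The following added example (not the talk's or PowerForensics' code) shows what a FileRecord object is built from: it parses one MFT FILE record from raw bytes, restores the update-sequence fixups that NTFS writes at the end of every sector, walks the attribute chain naming each attribute from the table above, pulls the MACB timestamps out of $STANDARD_INFORMATION and the name out of $FILE_NAME, and then applies the temporal funnel from the Get-FileRecord slides to the parsed records. The records are constructed here (1024-byte records, 512-byte sectors, made-up names and times); on a live volume the bytes would be read from $MFT at the offset the VBR gives.

```powershell
$AttributeTypeName = @{
    0x10 = '$STANDARD_INFORMATION'; 0x20 = '$ATTRIBUTE_LIST';      0x30 = '$FILE_NAME'
    0x40 = '$OBJECT_ID';            0x50 = '$SECURITY_DESCRIPTOR'; 0x60 = '$VOLUME_NAME'
    0x70 = '$VOLUME_INFORMATION';   0x80 = '$DATA';                0x90 = '$INDEX_ROOT'
    0xA0 = '$INDEX_ALLOCATION';     0xB0 = '$BITMAP';              0xC0 = '$REPARSE_POINT'
    0xD0 = '$EA_INFORMATION';       0xE0 = '$EA';                  0xF0 = '$PROPERTY_SET'
    0x100 = '$LOGGED_UTILITY_STREAM'
}

function ConvertFrom-MftRecord {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$SectorSize = 512)
    $rec = [byte[]]$Bytes.Clone()                                  # fixups are restored on a copy
    if ([System.Text.Encoding]::ASCII.GetString($rec, 0, 4) -ne 'FILE') { throw 'Not a FILE record' }

    # Update Sequence Array: NTFS overwrites the last 2 bytes of every sector with the update
    # sequence number and keeps the originals in the array. Put them back before reading any
    # attribute, otherwise data crossing a sector boundary parses as garbage.
    $usaOffset = [BitConverter]::ToUInt16($rec, 4)
    $usaCount  = [BitConverter]::ToUInt16($rec, 6)
    $usn       = [BitConverter]::ToUInt16($rec, $usaOffset)
    for ($i = 1; $i -lt $usaCount; $i++) {
        $end = $i * $SectorSize - 2
        if ([BitConverter]::ToUInt16($rec, $end) -ne $usn) { throw "Fixup mismatch in sector $i (torn write?)" }
        $rec[$end] = $rec[$usaOffset + 2 * $i]; $rec[$end + 1] = $rec[$usaOffset + 2 * $i + 1]
    }

    $flags = [BitConverter]::ToUInt16($rec, 0x16)
    $r = [PSCustomObject]@{
        RecordNumber = [BitConverter]::ToUInt32($rec, 0x2C); SequenceNumber = [BitConverter]::ToUInt16($rec, 0x10)
        InUse = [bool]($flags -band 1); IsDirectory = [bool]($flags -band 2)    # InUse is cleared on delete
        Attributes = @(); FileName = $null; BornTime = $null; ModifiedTime = $null; ChangedTime = $null; AccessedTime = $null
    }
    $off = [int][BitConverter]::ToUInt16($rec, 0x14)                # offset of the first attribute
    while ($off + 16 -le $rec.Length) {
        $type = [BitConverter]::ToUInt32($rec, $off)
        if ($type -eq [uint32]::MaxValue) { break }                 # 0xFFFFFFFF end-of-attributes marker
        $len = [int][BitConverter]::ToUInt32($rec, $off + 4)
        if ($len -lt 16) { break }
        $name = $AttributeTypeName[[int]$type]; if (-not $name) { $name = 'UNKNOWN' }
        $r.Attributes += [PSCustomObject]@{ Type = $name; NonResident = [bool]$rec[$off + 8]; Length = $len }
        if ($rec[$off + 8] -eq 0) {                                    # resident: content offset at +0x14
            $c = $off + [BitConverter]::ToUInt16($rec, $off + 0x14)
            if ($type -eq 0x10) {                                      # $STANDARD_INFORMATION: 4 FILETIMEs
                $r.BornTime     = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($rec, $c))
                $r.ModifiedTime = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($rec, $c + 8))
                $r.ChangedTime  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($rec, $c + 16))
                $r.AccessedTime = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($rec, $c + 24))
            } elseif ($type -eq 0x30) {                                # $FILE_NAME: length at +0x40, UTF-16 name at +0x42
                $r.FileName = [System.Text.Encoding]::Unicode.GetString($rec, $c + 0x42, 2 * $rec[$c + 0x40])
            }
        }
        $off += $len
    }
    $r
}

# --- builders for constructed sample records ---
function New-ResidentAttribute([int]$Type, [byte[]]$Content) {
    $len = (24 + $Content.Length + 7) -band -8                     # attribute length is 8-byte aligned
    $a = New-Object byte[] $len
    [BitConverter]::GetBytes([uint32]$Type).CopyTo($a, 0); [BitConverter]::GetBytes([uint32]$len).CopyTo($a, 4)
    [BitConverter]::GetBytes([uint32]$Content.Length).CopyTo($a, 0x10); [BitConverter]::GetBytes([uint16]24).CopyTo($a, 0x14)
    $Content.CopyTo($a, 24); $a
}
function New-SampleMftRecord([uint32]$Number, [string]$Name, [DateTime]$Created) {
    $rec = New-Object byte[] 1024
    [System.Text.Encoding]::ASCII.GetBytes('FILE').CopyTo($rec, 0)
    [BitConverter]::GetBytes([uint16]0x30).CopyTo($rec, 4); [BitConverter]::GetBytes([uint16]3).CopyTo($rec, 6)   # USA at 0x30: USN + 2 fixups
    [BitConverter]::GetBytes([uint16]1).CopyTo($rec, 0x10); [BitConverter]::GetBytes([uint16]0x38).CopyTo($rec, 0x14)
    [BitConverter]::GetBytes([uint16]1).CopyTo($rec, 0x16); [BitConverter]::GetBytes($Number).CopyTo($rec, 0x2C)  # flags: in use
    $si = New-Object byte[] 48; $ft = [BitConverter]::GetBytes($Created.ToFileTimeUtc())
    foreach ($o in 0, 8, 16, 24) { $ft.CopyTo($si, $o) }                                       # C, M, MFT-M, A all equal
    $fn = New-Object byte[] (0x42 + 2 * $Name.Length); $fn[0x40] = [byte]$Name.Length
    [System.Text.Encoding]::Unicode.GetBytes($Name).CopyTo($fn, 0x42)
    $body = [byte[]]((New-ResidentAttribute 0x10 $si) + (New-ResidentAttribute 0x30 $fn) + (0xFF, 0xFF, 0xFF, 0xFF))
    $body.CopyTo($rec, 0x38)
    $usnBytes = [BitConverter]::GetBytes([uint16]7); $usnBytes.CopyTo($rec, 0x30)              # apply fixups as NTFS does
    foreach ($i in 1, 2) {
        $end = $i * 512 - 2
        $rec[0x30 + 2 * $i] = $rec[$end]; $rec[0x31 + 2 * $i] = $rec[$end + 1]
        $rec[$end] = $usnBytes[0]; $rec[$end + 1] = $usnBytes[1]
    }
    $rec
}

$utc = { param($s) [DateTime]::SpecifyKind([DateTime]$s, [DateTimeKind]::Utc) }
$mft = @((New-SampleMftRecord 38 'notepad.exe' (& $utc '2015-08-21 12:00:00')),
         (New-SampleMftRecord 39 'helloworld.txt' (& $utc '2015-08-21 13:30:00'))) |
       ForEach-Object { ConvertFrom-MftRecord -Bytes $_ }
$mft | Format-Table RecordNumber, FileName, InUse, BornTime, @{n='Attributes'; e={ $_.Attributes.Type -join ',' }}

# Temporal funnel from the slides: keep only records born inside the window of interest
$start = New-Object DateTime -ArgumentList 2015, 8, 21, 13, 5, 0
$end   = New-Object DateTime -ArgumentList 2015, 8, 21, 14, 5, 0
$mft | Where-Object { ($_.BornTime -gt $start) -and ($_.BornTime -lt $end) } | Select-Object RecordNumber, FileName, BornTime
```

Only the resident case is decoded here; a non-resident $DATA attribute carries data runs instead of content, which is what Get-ContentRaw and Copy-FileRaw follow to reach a file's clusters. The fixup check is worth keeping in any parser: a mismatch means the record was not written atomically and its contents cannot be trusted.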

Recover Deleted File Demo

Access SAM Hive Demo

Get-ContentRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Outputs the contents of the file to Standard Out
○ Different Encoding Options
  □ ASCII
  □ Unicode
  □ Bytes

Get-ContentRaw -Path C:\Windows\system32\config\SAM

Copy-FileRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Creates a copy of the specified file without accessing the file itself

$Path = 'C:\Windows\system32\config\SAM'
$Destination = 'C:\temp\SAM'
Copy-FileRaw -Path $Path -Destination $Destination

Alternate Data Streams
○ NTFS allows files to store data in multiple “$DATA” attributes
  □ These additional $DATA attributes are commonly referred to as Alternate Data Streams (ADS)
○ Attackers have found ways to hide and even execute malware from ADS
  □ Windows legitimately uses ADS to identify files downloaded from the internet (Zone.Identifier)
○ PowerShell added ADS compatibility to many cmdlets, but did not add the ability to recursively list all files with ADS

Get-AlternateDataStream
○ Cmdlet to easily find and list Alternate Data Streams on NTFS
○ Use cases:
1) List all Alternate Data Streams
$ads = Get-AlternateDataStream
2) List files downloaded via Internet Explorer
$ads | Where-Object { $_.StreamName -eq 'Zone.Identifier' }
3) List Alternate Data Streams for a specific file
Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
4) List Alternate Data Streams not created by Internet Explorer
$ads | Where-Object { $_.StreamName -ne 'Zone.Identifier' }
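As an added example (not code from the talk or from PowerForensics), the function below covers the four use cases above with only the built-in FileSystem provider: it walks a directory tree, lists every named stream with Get-Item -Stream *, which is what PowerShell v3 offers but does not do recursively, and decodes the Zone.Identifier stream so downloaded files can be separated from other streams. It needs an NTFS volume and PowerShell v3 or later. The temporary directory, file names, stream content and URL are constructed for the example and removed at the end.

```powershell
$ZoneName = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-AdsReport {
    # Recursively list every alternate data stream under $Root and decode Zone.Identifier.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $file = $_
        # Get-Item -Stream * also reports the primary ':$DATA' stream; drop it.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
                $zoneId = $null; $hostUrl = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # INI-style content written by browsers: [ZoneTransfer] / ZoneId=3 / HostUrl=...
                    foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier)) {
                        if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$Matches[1] }
                        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
                    }
                }
                [PSCustomObject]@{
                    Path = $file.FullName; Stream = $_.Stream; Length = $_.Length
                    ZoneId = $zoneId; Zone = $(if ($zoneId -ne $null) { $ZoneName[$zoneId] }); HostUrl = $hostUrl
                }
            }
    }
}

# --- constructed sample directory (removed at the end) ---
$root = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$download = Join-Path $root 'installer.exe'
Set-Content -LiteralPath $download -Value 'placeholder text, not a real executable'
Set-Content -LiteralPath $download -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://downloads.example.invalid/installer.exe'
$other = Join-Path $root 'report.txt'
Set-Content -LiteralPath $other -Value 'ordinary file'
Set-Content -LiteralPath $other -Stream 'hidden.txt' -Value 'content tucked into a named stream'   # a non-browser ADS
Set-Content -LiteralPath (Join-Path $root 'clean.txt') -Value 'no alternate streams here'

$report = Get-AdsReport -Root $root
$report | Format-Table Path, Stream, Length, Zone, HostUrl -AutoSize
# Use case 4 from the slide: streams that are not browser download markers
$report | Where-Object { $_.Stream -ne 'Zone.Identifier' } | Select-Object Path, Stream, Length
Remove-Item -LiteralPath $root -Recurse -Force
```

Unblock-File, seen earlier in the deck, removes exactly the Zone.Identifier stream this report decodes, so a file that was downloaded but later unblocked will no longer appear in the ZoneId=3 list.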

Alternate Data Streams Demo

Get-ChildItemRaw
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
  □ Lists system and hidden files
  □ Output object has a RecordNumber property

Get-ChildItemRaw -Path C:\Windows\

Get-ChildItemRaw Demo

Get-FileRecordIndex
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
  □ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
  □ Can be teamed with Get-FileRecord

$rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
Get-FileRecord -VolumeName \\.\C: -Index $rnumber

Get-FileRecordIndex Demo

$UsnJrnl
○ NTFS Change Journaling
  □ Keeps track of changes to files or directories in a volume
  □ Changes are documented with the filename, timestamp of change, and description of change
  □ Can be leveraged by backup utilities (ex Volume Shadow Service)
○ Two named data streams:
  □ $MAX: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
  □ $J: Contains the actual Journal entries

$UsnJrnl Reasons

BASIC_INFO_CHANGE      INDEXABLE_CHANGE
CLOSE                  NAMED_DATA_EXTEND
COMPRESSION_CHANGE     NAMED_DATA_OVERWRITE
DATA_EXTEND            NAMED_DATA_TRUNCATION
DATA_OVERWRITE         OBJECT_ID_CHANGE
DATA_TRUNCATION        RENAME_NEW_NAME
EA_CHANGE              RENAME_OLD_NAME
ENCRYPTION_CHANGE      REPARSE_POINT_CHANGE
FILE_CREATE            SECURITY_CHANGE
FILE_DELETE            STREAM_CHANGE
HARD_LINK_CHANGE

Get-UsnJrnlInformation
○ Cmdlet to parse the UsnJrnl’s $MAX Data Stream
○ Returns Metadata about the UsnJrnl
Get-UsnJrnlInformation -VolumeName \\.\C:

Get-UsnJrnl
○ Cmdlet to parse the UsnJrnl’s $J Data Stream
○ Use Cases:
  □ Get all UsnJrnl Entries
$usn = Get-UsnJrnl -VolumeName \\.\C:
  □ Get the most recent UsnJrnl entry for C:\temp\helloworld.txt
$r = Get-FileRecord -Path C:\temp\helloworld.txt
$usn = $r.Attribute[0].UpdateSequenceNumber
Get-UsnJrnl -VolumeName \\.\C: -USN $usn
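The following added example (not the talk's or PowerForensics' code) parses USN_RECORD_V2 structures from a $J buffer, decodes the reason bitmask into the names listed on the $UsnJrnl Reasons slide (bit values are the USN_REASON_* constants from winioctl.h), splits the 64-bit file reference into MFT record number and sequence number, and skips the zero-filled gaps that a sparse $J stream contains. The journal bytes are constructed below, including the helloworld.txt entries from the Get-UsnJrnl slide; on a live volume they would be the $J stream of \$Extend\$UsnJrnl.

```powershell
# USN_REASON_* bit values, matching the reason names on the slide.
$UsnReasonFlags = @(
    @(0x1, 'DATA_OVERWRITE'), @(0x2, 'DATA_EXTEND'), @(0x4, 'DATA_TRUNCATION'),
    @(0x10, 'NAMED_DATA_OVERWRITE'), @(0x20, 'NAMED_DATA_EXTEND'), @(0x40, 'NAMED_DATA_TRUNCATION'),
    @(0x100, 'FILE_CREATE'), @(0x200, 'FILE_DELETE'), @(0x400, 'EA_CHANGE'), @(0x800, 'SECURITY_CHANGE'),
    @(0x1000, 'RENAME_OLD_NAME'), @(0x2000, 'RENAME_NEW_NAME'), @(0x4000, 'INDEXABLE_CHANGE'),
    @(0x8000, 'BASIC_INFO_CHANGE'), @(0x10000, 'HARD_LINK_CHANGE'), @(0x20000, 'COMPRESSION_CHANGE'),
    @(0x40000, 'ENCRYPTION_CHANGE'), @(0x80000, 'OBJECT_ID_CHANGE'), @(0x100000, 'REPARSE_POINT_CHANGE'),
    @(0x200000, 'STREAM_CHANGE'), @(2147483648, 'CLOSE')       # CLOSE is 0x80000000, in decimal to stay unsigned
)
function ConvertFrom-UsnReason([uint32]$Reason) {
    $names = foreach ($f in $UsnReasonFlags) { if (([uint64]$Reason -band [uint64]$f[0]) -ne 0) { $f[1] } }
    @($names) -join '|'
}

function ConvertFrom-UsnJournalBytes {
    # USN_RECORD_V2: 0 RecordLength, 4 MajorVersion, 8 FileRef, 16 ParentRef, 24 Usn,
    # 32 TimeStamp, 40 Reason, 44 SourceInfo, 48 SecurityId, 52 FileAttributes,
    # 56 FileNameLength (bytes), 58 FileNameOffset, 60 FileName (UTF-16)
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $o = 0
    while ($o + 60 -le $Bytes.Length) {
        $len = [BitConverter]::ToUInt32($Bytes, $o)
        if ($len -eq 0) { $o += 8; continue }                 # sparse gap: step over zeros 8 bytes at a time
        if ($o + $len -gt $Bytes.Length) { break }              # truncated trailing record
        $major = [BitConverter]::ToUInt16($Bytes, $o + 4)
        if ($major -ne 2) { Write-Warning "Skipping USN_RECORD version $major at offset $o"; $o += $len; continue }
        $nameLen = [BitConverter]::ToUInt16($Bytes, $o + 56)
        $nameOff = [BitConverter]::ToUInt16($Bytes, $o + 58)
        [PSCustomObject]@{
            Usn            = [BitConverter]::ToInt64($Bytes, $o + 24)
            TimeStamp      = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $o + 32))
            # File reference: low 48 bits = MFT record number, high 16 bits = sequence number
            RecordNumber   = [BitConverter]::ToUInt32($Bytes, $o + 8) + 4294967296 * [BitConverter]::ToUInt16($Bytes, $o + 12)
            SequenceNumber = [BitConverter]::ToUInt16($Bytes, $o + 14)
            ParentRecord   = [BitConverter]::ToUInt32($Bytes, $o + 16) + 4294967296 * [BitConverter]::ToUInt16($Bytes, $o + 20)
            Reason         = ConvertFrom-UsnReason ([BitConverter]::ToUInt32($Bytes, $o + 40))
            FileName       = [System.Text.Encoding]::Unicode.GetString($Bytes, $o + $nameOff, $nameLen)
        }
        $o += $len
    }
}

# --- builder for constructed V2 records ---
function New-UsnRecordV2([uint32]$Record, [uint32]$Parent, [int64]$Usn, [DateTime]$Time, [uint32]$Reason, [string]$Name) {
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($Name)
    $len = (60 + $nameBytes.Length + 7) -band -8                 # records are 8-byte aligned
    $b = New-Object byte[] $len
    [BitConverter]::GetBytes([uint32]$len).CopyTo($b, 0)
    [BitConverter]::GetBytes([uint16]2).CopyTo($b, 4)           # MajorVersion 2
    [BitConverter]::GetBytes($Record).CopyTo($b, 8);  [BitConverter]::GetBytes([uint16]1).CopyTo($b, 14)   # ref = record, seq 1
    [BitConverter]::GetBytes($Parent).CopyTo($b, 16); [BitConverter]::GetBytes([uint16]1).CopyTo($b, 22)
    [BitConverter]::GetBytes($Usn).CopyTo($b, 24)
    [BitConverter]::GetBytes($Time.ToFileTimeUtc()).CopyTo($b, 32)
    [BitConverter]::GetBytes($Reason).CopyTo($b, 40)
    [BitConverter]::GetBytes([uint16]$nameBytes.Length).CopyTo($b, 56)
    [BitConverter]::GetBytes([uint16]60).CopyTo($b, 58)
    $nameBytes.CopyTo($b, 60)
    $b
}

$t = [DateTime]::SpecifyKind([DateTime]'2015-08-21 13:10:00', [DateTimeKind]::Utc)
$CLOSE = [uint32]2147483648
$records = @(
    (New-UsnRecordV2 39 5 1000 $t 0x100 'helloworld.txt'),                                      # FILE_CREATE
    (New-UsnRecordV2 39 5 1080 $t.AddSeconds(2) (0x100 -bor 0x2 -bor $CLOSE) 'helloworld.txt'),   # FILE_CREATE|DATA_EXTEND|CLOSE
    (New-Object byte[] 64),                                                                     # zero-filled gap
    (New-UsnRecordV2 812 200 1200 $t.AddMinutes(1) (0x100 -bor $CLOSE) 'CMD.EXE-01C678D0.pf')
)
$journal = [byte[]]($records | ForEach-Object { $_ })

$entries = ConvertFrom-UsnJournalBytes -Bytes $journal
$entries | Format-Table Usn, TimeStamp, RecordNumber, Reason, FileName -AutoSize
# Most recent entry for one file, as Get-UsnJrnl -USN does for the value stored in the MFT record
$entries | Where-Object { $_.FileName -eq 'helloworld.txt' } | Sort-Object Usn -Descending | Select-Object -First 1
```

Because each entry names the file and its parent by MFT record number, an entry can be tied back to the FileRecord the previous slides parse even after the file itself has been deleted, which is what makes the journal useful for reconstructing file creation and deletion.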

File Creation & Modification Demo

UsnJrnl ADS Demo

Artifacts

Prefetch

Get-Prefetch
○ Cmdlet to parse the Windows Prefetch binary file format
○ Use Cases:
  □ Get all Prefetch objects from files in the “\Windows\Prefetch” directory
Get-Prefetch -VolumeName \\.\C:
  □ Get the Prefetch object from the file specified by the Path parameter
Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
  □ Another option is looking for .pf file operations in the UsnJrnl
Get-UsnJrnl | ? { $_.FileName -like "*.pf" }
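As an added example (not the talk's or PowerForensics' code), the parser below reads the parts of a Prefetch file that an analyst looks at first: format version, the SCCA signature, the executable name, the hash that appears in the .pf file name, the run count, the last-run time(s) and the list of files the program loaded. The version-specific offsets for the run count and last-run times (17 for XP/2003, 23 for Vista/7, 26 for Windows 8.1) are taken from the published format notes and are assumptions of this example; version 30 files (Windows 10) are compressed with a MAM header and are rejected rather than parsed. The sample file is constructed in the version 23 layout using the CMD.EXE-01C678D0.pf name from the slide.

```powershell
function ConvertFrom-PrefetchBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 3) -eq 'MAM') {
        throw 'Compressed (Windows 10, version 30) Prefetch file: decompress it before parsing'
    }
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 4, 4) -ne 'SCCA') { throw 'Missing SCCA signature' }

    $version = [BitConverter]::ToUInt32($Bytes, 0)
    # Assumed offsets of the last-run FILETIME(s) and the run counter per format version.
    switch ([int]$version) {
        17 { $lastRunOff = 0x78; $lastRunCount = 1; $runCountOff = 0x90 }
        23 { $lastRunOff = 0x80; $lastRunCount = 1; $runCountOff = 0x98 }
        26 { $lastRunOff = 0x80; $lastRunCount = 8; $runCountOff = 0xD0 }
        default { throw "Unsupported Prefetch version $version" }
    }
    $exe = [System.Text.Encoding]::Unicode.GetString($Bytes, 0x10, 60).TrimEnd([char]0)   # 60-byte UTF-16 name
    $lastRuns = foreach ($i in 0..($lastRunCount - 1)) {
        $ft = [BitConverter]::ToInt64($Bytes, $lastRunOff + 8 * $i)
        if ($ft -ne 0) { [DateTime]::FromFileTimeUtc($ft) }     # unused slots hold zero
    }
    # Filename strings section (offset at 0x64, size at 0x68): NUL-separated UTF-16 paths
    $strOff = [BitConverter]::ToUInt32($Bytes, 0x64)
    $strLen = [BitConverter]::ToUInt32($Bytes, 0x68)
    $loaded = [System.Text.Encoding]::Unicode.GetString($Bytes, $strOff, $strLen).Split([char]0, [StringSplitOptions]::RemoveEmptyEntries)

    [PSCustomObject]@{
        Version        = $version
        ExecutableName = $exe
        PrefetchHash   = '{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 0x4C)   # the hash in the .pf file name
        FileSize       = [BitConverter]::ToUInt32($Bytes, 0x0C)
        RunCount       = [BitConverter]::ToUInt32($Bytes, $runCountOff)
        LastRunTimes   = @($lastRuns)
        LoadedFiles    = $loaded
    }
}

# --- builder for a constructed version 23 file ---
function New-SamplePrefetchV23([string]$Exe, [uint32]$Hash, [DateTime]$LastRun, [uint32]$RunCount, [string[]]$Files) {
    $strings = [System.Text.Encoding]::Unicode.GetBytes(($Files -join "`0") + "`0")
    $size = 240 + $strings.Length                                 # 84-byte header + 156-byte v23 file information
    $b = New-Object byte[] $size
    [BitConverter]::GetBytes([uint32]23).CopyTo($b, 0)
    [System.Text.Encoding]::ASCII.GetBytes('SCCA').CopyTo($b, 4)
    [BitConverter]::GetBytes([uint32]$size).CopyTo($b, 0x0C)
    [System.Text.Encoding]::Unicode.GetBytes($Exe).CopyTo($b, 0x10)
    [BitConverter]::GetBytes($Hash).CopyTo($b, 0x4C)
    [BitConverter]::GetBytes([uint32]240).CopyTo($b, 0x64)       # filename strings offset
    [BitConverter]::GetBytes([uint32]$strings.Length).CopyTo($b, 0x68)
    [BitConverter]::GetBytes($LastRun.ToFileTimeUtc()).CopyTo($b, 0x80)
    [BitConverter]::GetBytes($RunCount).CopyTo($b, 0x98)
    $strings.CopyTo($b, 240)
    $b
}

$lastRun = [DateTime]::SpecifyKind([DateTime]'2015-08-21 13:07:00', [DateTimeKind]::Utc)
$pf = New-SamplePrefetchV23 'CMD.EXE' 0x01C678D0 $lastRun 12 @(
    '\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL',
    '\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE')
ConvertFrom-PrefetchBytes -Bytes $pf | Format-List
```

The last-run time and run count are the fields to line up with the MFT and UsnJrnl timelines from the earlier slides; the loaded-files list is what shows which DLLs and data files an execution touched.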

Prefetch Demo

Get-ScheduledJobRaw
○ Cmdlet to parse the Scheduled (At) Job binary file format
○ Use Cases:
  □ Get all ScheduledJob objects from files in the “\Windows\Tasks” directory
Get-ScheduledJobRaw -VolumeName \\.\C:
  □ Get the ScheduledJob object from the file specified by the Path parameter
Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job

Moving Forward
○ More artifacts!!
  □ Registry support
  □ ESE database support
○ Organic Remoting (more robust)
○ Support for alternate file systems
  □ Windows: FAT12, FAT16, FAT32, exFAT
  □ Linux: Ext2, Ext3, Ext4
  □ Mac: HFS+
○ Online documentation (Open API)
○ WMI Provider with Events
○ Community Involvement!!!

@jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source

Any questions?

Extra Slides!!!

$Volume (3)
○ File containing metadata about its partition/volume
○ Made up of two special attributes, $VOLUME_NAME and $VOLUME_INFORMATION
  □ Two cmdlets: Get-VolumeName and Get-VolumeInformation
Get-VolumeName -VolumeName \\.\C:
Get-VolumeInformation -VolumeName \\.\C:

$AttrDef (4)
○ System file that contains details about all file attributes available to the volume
Get-AttrDef -VolumeName \\.\C:

$Bitmap (6) / $BadClus (8)
○ NTFS has two files to tell the File System what Clusters can be used
○ File contents are bit fields where each bit represents a specific cluster
  □ $Bitmap: Each bit represents whether the associated cluster is allocated by the file system
  □ $BadClus: Each bit represents whether the associated cluster is corrupted or not

Get-Bitmap / Get-BadClus
○ Cmdlets to parse the bit fields contained within their respective files ($BITMAP and $BADCLUS)
○ Use cases:
  □ Parse the $BITMAP file to determine if the specified cluster is allocated
Get-Bitmap -VolumeName \\.\C: -Cluster 1000
  □ Parse the $BADCLUS file to report on any clusters that have been marked as corrupt by the file system
Get-BadClus -VolumeName \\.\C:
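As an added example (not PowerForensics code), the functions below interpret the bit field the way Get-Bitmap -Cluster does: bit n of the file describes cluster n, stored least-significant bit first within each byte (byte n/8, bit n%8), and the same indexing serves for $BadClus. Beyond the single-cluster check on the slide, the summary function also walks the whole field to report allocated and free counts and the runs of free clusters, which is where the contents of deleted files may still be recoverable. The bitmap bytes are constructed here; on a live volume they are the $DATA content of MFT record 6.

```powershell
function Test-ClusterAllocated {
    param([Parameter(Mandatory)][byte[]]$Bitmap, [Parameter(Mandatory)][long]$Cluster)
    $byteIndex = [int][math]::Floor($Cluster / 8)
    if ($byteIndex -ge $Bitmap.Length) { throw "Cluster $Cluster is beyond the end of the bitmap" }
    # Bit (Cluster % 8) of the byte, least-significant bit first
    (($Bitmap[$byteIndex] -shr ($Cluster % 8)) -band 1) -eq 1
}

function Get-BitmapSummary {
    # Counts allocated and free clusters and lists each contiguous run of free clusters.
    param([Parameter(Mandatory)][byte[]]$Bitmap, [Parameter(Mandatory)][long]$TotalClusters)
    $allocated = 0; $runs = @(); $runStart = -1
    for ($c = 0; $c -lt $TotalClusters; $c++) {
        if (Test-ClusterAllocated $Bitmap $c) {
            $allocated++
            if ($runStart -ge 0) { $runs += "$runStart-$($c - 1)"; $runStart = -1 }
        } elseif ($runStart -lt 0) { $runStart = $c }
    }
    if ($runStart -ge 0) { $runs += "$runStart-$($TotalClusters - 1)" }
    [PSCustomObject]@{
        TotalClusters = $TotalClusters
        Allocated     = $allocated
        Free          = $TotalClusters - $allocated
        FreeRuns      = $runs
    }
}

# Constructed 32-cluster bitmap: 0xFF = clusters 0-7 allocated, 0x0F = 8-11 allocated and 12-15 free,
# 0x00 = 16-23 free, 0x81 = clusters 24 and 31 allocated.
$bitmap = [byte[]](0xFF, 0x0F, 0x00, 0x81)
Test-ClusterAllocated -Bitmap $bitmap -Cluster 11
Test-ClusterAllocated -Bitmap $bitmap -Cluster 12
Get-BitmapSummary -Bitmap $bitmap -TotalClusters 32
```

TotalClusters comes from the VBR (total sectors divided by sectors per cluster); the bitmap file is padded to a whole number of bytes, so the trailing bits past the last real cluster must be ignored rather than counted as free space.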
