Comae Hibr2bin

Hibernation File Decompression using Comae Toolkit - Hibr2bin.exe

Hibr2bin.exe is a hibernation file decompression tool and is part of the Comae Toolkit by Comae, now part of Magnet Forensics.

What is a Hibernation File?

The hibernation file is a compressed copy of Random Access Memory (RAM). It is created when the system enters hibernation mode, and its size is equal to the size of the RAM installed in the system.

The hibernation file is stored as hiberfil.sys in the root folder of the drive where the operating system is installed. It holds a copy of system memory on the hard disk while the system is in hibernation mode.

To download the toolkit, sign up for Magnet Idea Lab; an email verification will be sent to the address provided.

Hibernation File

Live Forensics: Hibernation File

In this demo, we will explore different ways to perform live forensics and acquire artifacts that aid the investigator even when acquiring a full memory image of the system is not feasible.

We will cover a Windows artifact that can even substitute for a full memory image of the system during analysis: the hibernation file.


BulkExtractor

Memory Analysis using Digital Corpora - BulkExtractor

BulkExtractor is a command-line tool that carves data such as URLs, emails, and PDF files.

Windows memory contains rich and valuable information that can be used as a source artifact for gathering evidence, and knowing how to parse that data helps the investigator perform their task.

Related Topic

Volatility UserAssist

Memory Analysis using Volatility - UserAssist

Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time-efficient and quick manner.

UserAssist is a Volatility plugin that prints UserAssist registry keys and their information.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, and registry hives that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Related Blog Post:

https://www.eyehatemalwares.com/incident-response/blog-ir/phishing-ir-approach/

Phishing IR Approach

Phishing Incident Detection and Response:
Identifying Email and Document Existence using Memory Forensics

Lab Goal

    • Identify Email Subject
    • Identify Document Name
    • Identify Timestamps
    • Identify Sender Name
    • Identify Launched Programs
    • List Available Detection Method

Employees are the most vulnerable targets in an organization, because attackers can compromise them by preying on human weaknesses such as emotion. For this reason, adversaries plan their assaults around phishing attacks.

In this demo, we will cover different approaches to detecting and responding to a phishing incident using a memory forensics tool.

Scenario: What if, out of fear of being sanctioned by the organization, an employee trashed a possible phishing email after clicking and downloading the suspicious attachment?

Now, as the analyst, we are tasked to perform Incident Response and Digital Forensics on the machine and find useful evidence that the email existed.

Mactime

Memory Timeline Analysis using Sleuth Kit - mactime

mactime creates an ASCII timeline of all file activity. This tool can be used to detect anomalous behavior and to reconstruct events; its output is a .txt file containing the reconstructed activity.

Why Timeline?

Reconstructing the events can play an important role during the investigation, because it allows the investigator to rebuild the activities that happened before and after the event was first detected. It gives the investigator a bird’s-eye view of the activities carried out by a certain malware or threat actor, which can be used to plan a systematic response.

To be able to use this tool, first we must install Perl.

On Strawberry Perl’s website, download the Perl build that suits your Windows architecture.

Next, download Sleuth Kit. (At the time of writing, the current Sleuth Kit version is 4.11.1.)


Next, extract the Sleuth Kit zip archive to the C:\ drive.

Then, browse to the C:\Sleauthkit\bin directory and copy its path.

Now, go to Environment Variables and add the copied directory to the Path variable.

In this demo, we will use a sample body file, passed to mactime with the -b parameter.

Then, we save the output as a .txt file named mac_timeline.txt.

Command: mactime.pl -b body.txt > mac_timeline.txt
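To show what mactime does with a body file, here is an added Python example (not part of the original post and not Sleuth Kit's own code) that parses a constructed body file in the Sleuth Kit bodyfile format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and emits a mactime-style timeline: one row per (timestamp, file) with m/a/c/b flags marking which of the four times fired. The file paths and epoch values in SAMPLE_BODY are constructed for the example; skipping zero timestamps is this example's choice, not necessarily mactime's exact behaviour.

```python
"""Build a mactime-style timeline from a Sleuth Kit body file (added example)."""
from datetime import datetime, timezone

# Constructed sample body file in the Sleuth Kit bodyfile format, one file per line:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/Users/Analyst/Downloads/invoice.docm|1234-128-1|r/rrwxrwxrwx|0|0|45312|1650000120|1650000100|1650000100|1650000100
0|C:/Users/Analyst/AppData/Local/Temp/update.exe|1235-128-1|r/rrwxrwxrwx|0|0|8192|1650000200|1650000180|1650000180|1650000180
0|C:/Windows/Prefetch/UPDATE.EXE-1A2B3C4D.pf|1236-128-1|r/rrwxrwxrwx|0|0|2048|1650000205|1650000205|1650000205|1650000205
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
# MACB order used by mactime: modified, accessed, changed (metadata), born (created)
TIME_FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body(text):
    """Parse body-file lines into dicts; sizes and timestamps become ints."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def build_timeline(entries):
    """Explode each file into one event per distinct timestamp, sorted chronologically.

    A file whose m/a/c/b times coincide produces a single row carrying all the
    matching flags. Unset (zero) timestamps are skipped (this example's choice).
    """
    events = {}
    for entry in entries:
        for flag, key in TIME_FLAGS:
            ts = entry[key]
            if ts <= 0:
                continue
            events.setdefault((ts, entry["name"]), {"entry": entry, "flags": set()})["flags"].add(flag)
    rows = []
    for (ts, _name), ev in sorted(events.items()):
        macb = "".join(f if f in ev["flags"] else "." for f, _ in TIME_FLAGS)
        rows.append((ts, macb, ev["entry"]))
    return rows


def format_timeline(rows):
    """Render rows in mactime's column order: date, size, MACB, perms, UID, GID, inode, name."""
    lines = []
    for ts, macb, e in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        lines.append(
            f"{when} {e['size']:>8} {macb} {e['mode']} {e['uid']:>4} {e['gid']:>4} {e['inode']:>12} {e['name']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(parse_body(SAMPLE_BODY)))))
```

Reading the output top to bottom shows the same story mactime tells: the document is created, read a few seconds later, an executable appears in Temp, and a prefetch file is born when it runs. Replace SAMPLE_BODY with the contents of a real body file (for example one produced by fls -m) to use it on actual data.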

Volatility timeliner

Memory Analysis using Volatility - timeliner

Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time-efficient and quick manner.

timeliner is a Volatility plugin that creates a timeline of the various artifacts found in memory.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, and registry hives that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.


It is essential for any digital investigator to know when the incident initially happened and which files are responsible for the system’s unusual modifications.

Referring to the image below, we can see that the timeliner plugin provides the timestamp, process name, file name, and path for every artifact Volatility found in memory.

MiTec Registry Recovery

Malware Dynamic Analysis with MiTec Windows Registry Recovery

MiTec Windows Registry Recovery is an application that reads files containing Windows 9x, NT, 2K, XP, 2K3, 7, 8 and 10 registry hives. It extracts a lot of useful information about the configuration and Windows installation settings of the host machine.

ShellBags Artifacts

Windows Forensics: Shellbags - System Browsing Artifacts

In this demo, we will explore different ways to analyze and investigate shellbag artifacts.

We will be creating a directory named “Malicious” to perform this task.


In this demo, we will cover the first approach to extracting registry hives from a Windows system.

We will be using a tool called “Windows Live Response” with the “Triage” option to gather all volatile data.

After successful execution, a directory named “Endpoint Artifacts” will be created which contains the registry hives that can be used later to extract shellbags entries.


Inside LiveResponseData > CopiedFiles > Registry directory we expect to see these Registry Hives:

      • <User>_NTUSER.dat
      • <User>_USRCLASS.dat

Next, using the MiTec Windows Registry Recovery tool, we can inspect the extracted hives for shellbag entries.

Shellbags Registry Location can be found at:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
By using the MiTec Windows Registry Recovery tool, we are now able to check shellbag entries; in this case we can see our “Malicious” directory in the Analyst_USRCLASS.dat registry hive.

Learn and Download MiTec Registry Recovery:

In this approach, we will extract shellbags entries from the registry of the live system.

To do this, we will be using SBECmd.exe from EZ tool.

Command: SBECmd.exe -l --csv <target_dir>

This command processes the live system’s registry for shellbag entries and writes the output to the declared target directory in CSV format.

Learn and Download SBECmd here: https://www.eyehatemalwares.com/incident-response/eztools/sbecmd/

After successful execution, we use Timeline Explorer from EZ Tools to view the extracted artifacts.

In this case, we can see our “Malicious” directory with its details such as:

Let’s try some GUI-based analysis.

First, locate the extracted registry hive (e.g. Analyst_USRCLASS.dat).

Next, open the registry hive in ShellBags Explorer.

If successful, we can then see all the shellbag entries from the selected hive.

Note: When this tool detects that the selected hive is dirty, it won’t process the hive. To force the tool to process it, hold SHIFT while selecting the target hive.

Learn and Download the tool here: https://www.eyehatemalwares.com/incident-response/eztools/shellbag-explorer/

First, open regedit.exe and browse to these registry keys:

Shellbags Registry Location can be found at:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

LinuxBrowserHistory

How to Extract Browser History in Linux Systems

Linux tools used in this demo:

    • cat
    • netcat
    • ls

Lab Requirements


In this demo, we will be extracting Firefox browser history.

Scenario: You are tasked to perform live forensics on a Linux-based system to gather its browser history.

Firefox browser history can be found at: ~/.mozilla/firefox/<dir>/places.sqlite

In this step, we run the cat command and redirect its output with the > operator to save it to disk.

Command: cat ~/.mozilla/firefox/*/places.sqlite > browser_history.txt

In this case, we use the * wildcard so the shell matches every profile directory containing places.sqlite rather than searching each directory manually.

Since we will be using a Windows box to analyze our file, we will use netcat on both the Linux and Windows systems to perform the transfer.

To do this, we run the netcat command from our Linux box.

Command: netcat -w 2 <listener_windowsIP> <port> < browser_history.txt

This puts our Linux box on hold while it waits for the netcat listener on the Windows side.

Next, we set up our netcat listener on our Windows machine.

Command: ncat -l 4444 > browser_history.txt

After successful execution, we can confirm the file by opening it in Notepad.

In this step, we will be using bstrings.exe from EZ tools to do the work for us.

To do this, open a Command Prompt as Administrator and run the following commands:

    • bstrings.exe -f browser_history.txt -p
    • bstrings.exe -f browser_history.txt --lr url3986 > browser_history_after.txt

Learn and Download bstrings here: https://www.eyehatemalwares.com/incident-response/eztools/bstrings/

Why bstrings? Examining the raw data from our dumped places.sqlite file takes a lot of work if we do it manually.

In this step, we can finally compare the raw browser_history.txt with browser_history_after.txt.

In this case, we can see that the strings that do not match the URL regex pattern used by bstrings.exe are dropped, leaving only the URL-formatted strings.

Browser history can reveal artifacts that help the analyst during an investigation, such as a C2 (command-and-control) server. This approach is not limited to Firefox either; as analysts we can leverage the same approach to investigate other browsers’ history.
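The cat/bstrings route above recovers the URLs but discards the visit timestamps that places.sqlite also holds. As an added example (not part of the original post), the following Python script opens a copy of places.sqlite with the standard library's sqlite3 module and joins moz_historyvisits to moz_places to reconstruct each visit with its UTC time. It relies only on the column names of those two Firefox tables and on visit_date being PRTime (microseconds since the Unix epoch); the create_sample_places_db helper builds a constructed database with a minimal subset of the schema and made-up example.com/example.net visits so the script runs offline.

```python
"""Reconstruct Firefox browsing history from places.sqlite (added example)."""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Firefox visit_type values (nsINavHistoryService TRANSITION_* constants)
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary",
               7: "download", 8: "framed_link", 9: "reload"}


def prtime_to_iso(prtime_us):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime_us / 1_000_000, tz=timezone.utc).isoformat()


def extract_history(places_path):
    """Return the visit history of a places.sqlite file, oldest visit first.

    The database is copied before it is opened: a running Firefox keeps the
    live file locked and may hold pending changes in a -wal journal, so the
    copy (plus its -wal/-shm companions, if present) is what gets queried,
    read-only, and the original is never touched.
    """
    workdir = tempfile.mkdtemp(prefix="ff-history-")
    try:
        copy = os.path.join(workdir, "places.sqlite")
        shutil.copy2(places_path, copy)
        for suffix in ("-wal", "-shm"):
            if os.path.exists(places_path + suffix):
                shutil.copy2(places_path + suffix, copy + suffix)
        con = sqlite3.connect(Path(copy).as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                """
                SELECT v.visit_date, p.url, p.title, v.visit_type
                FROM moz_historyvisits AS v
                JOIN moz_places AS p ON p.id = v.place_id
                ORDER BY v.visit_date
                """
            ).fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return [
        {"time": prtime_to_iso(visit_date), "url": url, "title": title,
         "visit_type": VISIT_TYPES.get(visit_type, f"unknown({visit_type})")}
        for visit_date, url, title, visit_type in rows
    ]


def create_sample_places_db(path):
    """Build a constructed places.sqlite with a minimal subset of the Firefox schema."""
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL,
            visit_date INTEGER NOT NULL, visit_type INTEGER NOT NULL);
        """
    )
    base = 1_650_000_000_000_000  # 2022-04-15T05:20:00Z as PRTime (constructed)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/", "Example Domain", 2, base + 90_000_000),
        (2, "https://example.net/login", "Sign in", 1, base + 30_000_000),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, base, 2),               # user typed the URL
        (2, 2, base + 30_000_000, 1),  # followed a link 30 s later
        (3, 1, base + 90_000_000, 9),  # reloaded the first page 90 s later
    ])
    con.commit()
    con.close()


def demo():
    """Create the constructed database in a scratch directory and parse it."""
    workdir = tempfile.mkdtemp(prefix="ff-sample-")
    try:
        path = os.path.join(workdir, "places.sqlite")
        create_sample_places_db(path)
        return extract_history(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for visit in demo():
        print(f"{visit['time']}  {visit['visit_type']:<10}  {visit['url']}  ({visit['title']})")
```

Point extract_history at a places.sqlite collected from ~/.mozilla/firefox/<dir>/ to get the same timestamped list for a real profile; the visit_type column tells you whether a URL was typed, followed as a link, or reached through a redirect, which is often the detail that separates a user's action from a drive-by.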