Detecting File Opening and Deletion using Memory Forensics
Scenario: You are tasked with the investigation of a disgruntled employee that was accused of accessing and deleting a confidential file.
Approach: Carving Artifacts for Deleted File
This approach answers the following questions:

What is the accessed file's name?
- Confidential.txt

What is the file name after being deleted?
- $R9DLA6G.txt

Was the file opened? How so?
- Yes, confidential.txt.lnk file was found.
- Yes, CONFID~1.LNK was found.

When was the file created, accessed, modified and deleted?
- Creation: 2022-07-17 UTC+0000
- Modified: 2022-07-17 01:27:14 UTC+0000
- MFT Altered: 2022-07-17 01:28:29 UTC+0000
- Access Date: 2022-07-17 01:25-26 UTC+0000
Below is the detailed step-by-step analysis used to extract valuable information from the given memory sample.
#note: Use a separate, isolated machine to perform this task.
In this lab, we are going to mimic a scenario in which someone opened and deleted a confidential file.
To begin, we create a sample text file and name it "Credential.txt".
We assume that the file was opened and deleted.
The image below shows the creation of the text file, then opening it, deleting it and finally emptying the Recycle Bin.
#note: When a disgruntled employee or an attacker accesses a file, there is a possibility that they will delete it.
In order to proceed with the investigation, we need to capture the volatile memory of the endpoint where the file was stored.
In our case, we use AccessData FTK Imager.
To capture memory using this tool:
First, click the memory icon.
Next, choose the destination folder.
Optionally, we can also capture "pagefile.sys" or create an "AD1 File".
Finally, hit "Capture Memory".
Assuming we have already acquired the volatile memory, we can now extract the $MFT entries found in that image.
Steps:
First, we need a memory analysis tool. In our case, we use Volatility with the mftparser plugin.
Next, run the following command:
In Windows: vol.exe -f <mem_dump> --profile=<OS> mftparser --output-file=mft.txt -D <dir>
In Linux: python vol.py -f <mem_dump> --profile=<OS> mftparser --output-file=mft.txt -D <dir>
After executing this command, it creates mft.txt inside the working directory and dumps every $MFT entry it finds into the directory given to -D (mftentries in our case).
Note: This command extracts all the $MFT entries found in memory in verbose mode. We can also add --output=body to write the collected entries as a single body file (mactime format) if the analyst prefers to have only one file of the collected entries.
After successfully extracting the $MFT entries, we can search for the file of interest using a search tool.
We can perform this task by running the following command: findstr -i "confidential" mftentries\*.dmp
In Windows: findstr -i "sometext" dir\*.dmp
In Linux: grep -ri "sometext" dir
Now we can see that the keyword we searched for was found in the $MFT entry file file.0x266cdc00.data0.dmp
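The findstr/grep step above searches for the keyword as 8-bit text. NTFS stores file names inside $MFT entries ($FILE_NAME attributes) as UTF-16LE, so an ASCII-only search will hit resident file content that mentions the keyword but can miss an entry whose only occurrence of it is the file name. The following Python script is an added example, not code from the original write-up: it walks a directory of entries dumped by mftparser's -D option, searches each one for the keyword in both encodings, and reports the entry offset parsed from the file name (the value mftparser -o expects). The three sample entries are constructed in a temporary directory for the demo and are not real $MFT records; the file.<offset>.data0.dmp naming follows the file shown above.

```python
"""Search mftparser-dumped $MFT entries for a keyword in ASCII and UTF-16LE.

Added example, not code from the original write-up. Assumes the directory
holds the file.<offset>.data<n>.dmp files that Volatility 2's mftparser
writes when run with -D <dir>; the offset in each name is the entry's
offset in the memory image, which is what mftparser -o expects.
"""
import os
import re
import tempfile

# Matches the names mftparser gives dumped entries, e.g. file.0x266cdc00.data0.dmp
DUMP_NAME_RE = re.compile(r"file\.(0x[0-9a-fA-F]+)\.data\d+\.dmp$")


def search_entries(dump_dir, keyword):
    """Return one hit per dumped entry containing keyword (case-insensitive).

    Each hit records the file name, the entry offset parsed from it, and which
    encodings matched: 'ascii' for resident content or other 8-bit strings,
    'utf-16le' for the way NTFS stores names in $FILE_NAME attributes.
    """
    kw = keyword.lower()
    needles = {"ascii": kw.encode("ascii"), "utf-16le": kw.encode("utf-16-le")}
    hits = []
    for name in sorted(os.listdir(dump_dir)):
        m = DUMP_NAME_RE.search(name)
        if not m:
            continue  # not a dumped entry; skip stray files
        with open(os.path.join(dump_dir, name), "rb") as fh:
            # bytes.lower() only folds ASCII letters, so it also works on the
            # UTF-16LE byte pairs of ASCII characters (the 0x00 bytes are untouched)
            blob = fh.read().lower()
        matched = [enc for enc, needle in needles.items() if needle in blob]
        if matched:
            hits.append({"file": name, "offset": int(m.group(1), 16), "encodings": matched})
    return hits


def build_sample_dir():
    """Create a constructed dump directory with three fake entries (demo only).

    The bytes are not real $MFT records: each just carries the 'FILE0'
    signature followed by the part that matters for the search.
    """
    d = tempfile.mkdtemp(prefix="mftentries_")
    entries = {
        # name present only as UTF-16LE, as in a $FILE_NAME attribute
        "file.0x266cdc00.data0.dmp": b"FILE0" + b"\x00" * 16
            + "Confidential.txt".encode("utf-16-le"),
        # keyword present only as ASCII resident content, in upper case
        "file.0x266ce000.data0.dmp": b"FILE0" + b"\x00" * 16
            + b"This document is CONFIDENTIAL. Do not distribute.",
        # unrelated entry that must not match
        "file.0x266ce400.data0.dmp": b"FILE0" + b"\x00" * 16
            + "notepad.exe".encode("utf-16-le"),
    }
    for name, data in entries.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in search_entries(sample, "confidential"):
        print(f"{hit['file']}  offset=0x{hit['offset']:x}  matched={','.join(hit['encodings'])}")
```

Run it against the real -D directory instead of the constructed one by calling search_entries("mftentries", "confidential"); each reported offset can then be passed to mftparser -o to dump that entry, as in Option 1 below.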
Now that we have found the string of interest, we can proceed to Step 4: Digging Deep.
After performing the string search on the extracted $MFT entries, we can dig deeper into our investigation.
The keyword we searched for was found in one of the entries inside the mftentries directory, and that entry's file name carries its offset.
We have two options to view the data of this entry:
Option 1: We can use Volatility mftparser with the -o (offset) option to dump the entry to our terminal.
We can run the following command to dump the data:
In Windows: vol.exe -f <mem_dump> --profile=<OS> mftparser -o <offset_addr>
In Linux: python vol.py -f <mem_dump> --profile=<OS> mftparser -o <offset_addr>
#note: Copy the offset address (the 0x... value in the dumped file's name) from the result of the findstr command.
Option 2: We can use a string extraction tool like BinText to view the data inside.
To do this, drag the $MFT entry file into the text extraction tool, as seen in the previous step.
After performing Option 1, we can see the data inside the target $MFT entry, including the file name after it was deleted.
From here, we can answer the question "What is the file name after being deleted?" A: $R9DLA6G.txt
We can also answer the question "When was the file accessed, modified and deleted?" A:
- Creation: 2022-07-17 UTC+0000
- Modified: 2022-07-17 01:27:14 UTC+0000
- MFT Altered: 2022-07-17 01:28:29 UTC+0000
- Access Date: 2022-07-17 01:25-26 UTC+0000
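Option 1 prints the entry in verbose form; the same timestamps are also available as a body file when mftparser is run with --output=body (the format mactime consumes), which is easier to process for many entries at once. The following Python script is an added example, not part of the original write-up: it parses body-file lines, keeps the [MFT STD_INFO] and [MFT FILE_NAME] records whose path contains a keyword, and renders the four timestamps in the same UTC+0000 style used above. The sample lines are constructed to mirror the values found above and are not from the memory image (the creation time is set to 01:25:00 because only the date is known), and the exact name-field layout "[MFT STD_INFO] <path> (Offset: 0x...)" is assumed from mftparser's body output. On the name itself: when a file is moved to the Recycle Bin, Windows renames its content to $R<random>.<ext> and records the original name and path in a companion $I<random> file, which is why the deleted file shows up here as $R9DLA6G.txt.

```python
"""Per-file timeline from Volatility 2 mftparser body-file output.

Added example, not from the original write-up. Assumes mftparser's
--output=body lines follow the Sleuth Kit body format:
    0|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
with the name field tagged "[MFT STD_INFO]" or "[MFT FILE_NAME]" and
carrying the entry offset. The sample lines below are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample: $STANDARD_INFORMATION and $FILE_NAME records for the
# recycled file, plus an unrelated entry. Epoch values mirror the times in
# the write-up; creation is set to 01:25:00 because only the date is known.
SAMPLE_BODY = """\
0|[MFT STD_INFO] $Recycle.Bin\\S-1-5-21-EXAMPLE\\$R9DLA6G.txt (Offset: 0x266cdc00)|0|---------------|0|0|0|1658021126|1658021234|1658021309|1658021100
0|[MFT FILE_NAME] $Recycle.Bin\\S-1-5-21-EXAMPLE\\$R9DLA6G.txt (Offset: 0x266cdc00)|0|---------------|0|0|0|1658021100|1658021100|1658021100|1658021100
0|[MFT STD_INFO] Windows\\System32\\notepad.exe (Offset: 0x12345000)|0|---------------|0|0|0|1600000000|1600000000|1600000000|1600000000
"""

NAME_RE = re.compile(
    r"^\[MFT (?P<attr>STD_INFO|FILE_NAME)\] (?P<path>.+?) \(Offset: (?P<offset>0x[0-9a-fA-F]+)\)$"
)

# Body-file column index -> the label mftparser uses in its verbose output.
# The body "ctime" slot carries the MFT-altered time for NTFS records.
COLUMNS = (("Access Date", 7), ("Modified", 8), ("MFT Altered", 9), ("Creation", 10))


def _utc(epoch):
    """Render a Unix epoch (seconds) the way the verbose mftparser output does."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC+0000")


def parse_body(text):
    """Parse body lines into dicts; malformed or non-MFT lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        m = NAME_RE.match(fields[1])
        if not m:
            continue
        row = {"attr": m.group("attr"), "path": m.group("path"), "offset": int(m.group("offset"), 16)}
        for label, idx in COLUMNS:
            row[label] = _utc(fields[idx])
        rows.append(row)
    return rows


def timeline_for(text, keyword):
    """Rows whose path contains keyword (case-insensitive), STD_INFO before FILE_NAME."""
    kw = keyword.lower()
    rows = [r for r in parse_body(text) if kw in r["path"].lower()]
    return sorted(rows, key=lambda r: (r["offset"], r["attr"] != "STD_INFO"))


if __name__ == "__main__":
    for r in timeline_for(SAMPLE_BODY, "r9dla6g"):
        print(f"0x{r['offset']:x} {r['attr']:9} {r['path']}")
        for label, _ in COLUMNS:
            print(f"    {label:12} {r[label]}")
```

Keeping both the STD_INFO and FILE_NAME rows side by side is deliberate: the two attribute sets are updated under different rules, so the comparison is the first thing an analyst checks before trusting any single timestamp.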
From the previous step, we identified the file name after it was deleted and the date/time artifacts.
Now, in this step we answer the questions:
"Was the file opened? How so?"
"What is the accessed file's name?"
To do this:
First, open mft.txt, which contains the verbose output of the $MFT entry extraction.
Next, search for the file name itself.
In our case, we are interested in the string "Confidential", since it gave us a result when searching the extracted $MFT entries.
After a few searches, we land on this data: CONFID~1.LNK and Confidential.txt.lnk
From this data, we can see the file name Confidential.txt and a .lnk file, which is a shortcut file created when the file was opened; CONFID~1.LNK is the DOS 8.3 short name of the same Confidential.txt.lnk, which NTFS stores in a second $FILE_NAME attribute of the entry.