Sector size and MFT FILE Record size

May 4, 2012 in Forensic Analysis

This is a quick post to clarify a very common misconception about the sizes of a sector and of a single MFT FILE record on the NTFS file system.

The most common values associated with these 2 parameters are:

  • 512 bytes – for a sector
  • 1024 bytes – for a single MFT FILE record

It turns out that new large drives are often seen by the OS as having a sector size that is larger than 512 bytes and, as a result, the MFT FILE record size is often larger as well. This is not a big issue and many forensic tools handle it properly, but seeing many people explicitly calling out these ‘hard wired’ values, I thought I would make an attempt to clarify it a bit.

A side effect of this is that $MFT size may quickly grow to many GiBs.

I do not work with hardcore file carving on a daily basis, so I am pretty sure that someone who does could (and I hope will) offer a more in-depth explanation of what’s going on under the hood (e.g. whether the 4096 is a virtual sector made out of 8 ‘old-school’ physical sectors that are 512 bytes, etc.).

On a practical level, one can confirm the sector and cluster sizes as well as the MFT FILE record size using e.g. the fsutil tool in Windows.

For a drive with a 512-byte sector, you may get a result like this:

fsutil fsinfo ntfsinfo c:
[...]
Bytes Per Sector  :               512  <- sector size
Bytes Per Cluster :               4096 <- cluster size = 8 sectors
Bytes Per FileRecord Segment    : 1024 <- MFT FILE Record size = 2 sectors
[...]

For a drive with 4096-byte sectors, fsutil can give the following result:

fsutil fsinfo ntfsinfo g:
[...]
Bytes Per Sector  :               4096 <- sector size
Bytes Per Cluster :               4096 <- cluster size = 1 sector
Bytes Per FileRecord Segment    : 4096 <- MFT FILE Record size
                                          = 1 sector = 1 cluster
[...]

The values for a logical volume can be read from the BPB (BIOS Parameter Block) – a decent explanation of the encoding used to preserve the value of the FILE record size can be found here.

This is an example of a FILE record on such a large drive:

000000000 46 49 4C 45 30 00 09 00 27 25 00 02 00 00 00 00 FILE0...'%......
000000010 01 00 01 00 48 00 01 00 68 01 00 00 00 10 00 00 ....H...h.......
000000020 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 ................
000000030 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000040 00 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 ............`...
000000050 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
000000060 B9 78 C5 A0 47 51 CB 01 B9 78 C5 A0 47 51 CB 01 .x..GQ...x..GQ..
000000070 B9 78 C5 A0 47 51 CB 01 B9 78 C5 A0 47 51 CB 01 .x..GQ...x..GQ..
000000080 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000090 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0000000A0 00 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 ........0...p...
0000000B0 00 00 18 00 00 00 02 00 52 00 00 00 18 00 01 00 ........R.......
0000000C0 05 00 00 00 00 00 05 00 B9 78 C5 A0 47 51 CB 01 .........x..GQ..
0000000D0 B9 78 C5 A0 47 51 CB 01 B9 78 C5 A0 47 51 CB 01 .x..GQ...x..GQ..
0000000E0 B9 78 C5 A0 47 51 CB 01 00 40 00 00 00 00 00 00 .x..GQ...@......
0000000F0 00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00 .@..............
000000100 08 03 24 00 4D 00 46 00 54 00 4D 00 69 00 72 00 ..$.M.F.T.M.i.r.
000000110 72 00 00 00 00 00 00 00 80 00 00 00 48 00 00 00 r...........H...
000000120 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 ..@.............
000000130 03 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
000000140 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 .@.......@......
000000150 00 40 00 00 00 00 00 00 11 04 02 00 00 00 00 00 .@..............
000000160 FF FF FF FF 00 00 00 00 20 00 00 00 20 02 00 00 ........ ... ...
000000170 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
000000180 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 ....H.....@.....
000000190 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ................
0000001A0 40 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 @........@......
0000001B0 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 .@.......@......
0000001C0 11 04 02 00 00 00 00 00 FF FF FF FF 00 00 00 00 ................
0000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000004F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000005F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000006F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000007F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000008F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000910 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000960 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000980 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000990 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000009F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000A00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000AF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000BF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000C00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000CF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
000000E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000EA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000EB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000EC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000ED0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000EE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000EF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 ................
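The point of the dump is that the record size can be read from the record itself rather than assumed. Bytes 0x1C-0x1F of the header (00 10 00 00) give the allocated size, 4096, which matches the fsutil output above, and bytes 0x06-0x07 give an update sequence array count of 9: one update sequence number (02 00 at offset 0x30) plus eight fixups, one per 512 bytes, which is why 02 00 appears at 0x1FE, 0x3FE and every 512-byte boundary up to 0xFFE even though the drive has 4096-byte sectors. The Python below is an added example, not code from the original post: it decodes the header fields of the record dumped above (the first 32 bytes are copied from the dump), applies the fixups the way a parser must before reading attributes, and flags a torn record when a block’s trailer does not carry the USN. The 512-byte fixup stride and the header layout are standard NTFS; the build_record helper constructs test records and is not a real $MFT entry.

```python
import struct

# NTFS stamps one update-sequence fixup per 512 bytes of a FILE record,
# regardless of the drive's physical sector size: the 4096-byte record in the
# dump carries a USA count of 9 (one USN + 8 fixups) and shows the USN 02 00
# at every 512-byte boundary (0x1FE, 0x3FE, ...).
NTFS_FIXUP_STRIDE = 512

# First 32 bytes of the FILE record dumped in the post (copied from the dump).
PAGE_HEADER = bytes.fromhex(
    "46494C4530000900272500020000000001000100480001006801000000100000"
)


def parse_file_record_header(buf: bytes) -> dict:
    """Decode the fixed part of an NTFS FILE record header (offsets 0x00-0x1F)."""
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record (bad magic)")
    (usa_ofs, usa_cnt, lsn, seq, links,
     attr_ofs, flags, used, alloc) = struct.unpack_from("<HHQHHHHII", buf, 4)
    # Cross-check: the fixup array must cover exactly the allocated size.
    if (usa_cnt - 1) * NTFS_FIXUP_STRIDE != alloc:
        raise ValueError(f"USA count {usa_cnt} does not match record size {alloc}")
    return {
        "usa_offset": usa_ofs,
        "usa_count": usa_cnt,           # 1 USN + one fixup per 512-byte block
        "lsn": lsn,
        "sequence": seq,
        "hard_links": links,
        "first_attr_offset": attr_ofs,
        "flags": flags,                 # bit 0 = in use, bit 1 = directory
        "used_size": used,
        "allocated_size": alloc,        # the volume's MFT FILE record size
    }


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence fixups: restore the real last two bytes of every
    512-byte block, and raise if a block trailer does not carry the USN (torn write)."""
    hdr = parse_file_record_header(record)
    usa_ofs, usa_cnt, size = hdr["usa_offset"], hdr["usa_count"], hdr["allocated_size"]
    if len(record) < size:
        raise ValueError("buffer shorter than the record's allocated size")
    buf = bytearray(record[:size])
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for i in range(1, usa_cnt):
        end = i * NTFS_FIXUP_STRIDE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at {end - 2:#x}: torn record")
        buf[end - 2:end] = buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def build_record(record_size: int, payload: bytes = b"", usn: int = 2) -> bytes:
    """Construct a minimal in-use FILE record of the given size with fixups
    stamped the way NTFS does (constructed test data, not a real $MFT entry)."""
    usa_cnt = record_size // NTFS_FIXUP_STRIDE + 1
    usa_ofs = 0x30
    attr_ofs = (usa_ofs + 2 * usa_cnt + 7) & ~7     # 0x38 for 1024, 0x48 for 4096
    buf = bytearray(record_size)
    buf[:4] = b"FILE"
    used = attr_ofs + len(payload) + 4               # payload + 0xFFFFFFFF end marker
    struct.pack_into("<HHQHHHHII", buf, 4,
                     usa_ofs, usa_cnt, 0, 1, 1, attr_ofs, 1, used, record_size)
    buf[attr_ofs:attr_ofs + len(payload)] = payload
    struct.pack_into("<I", buf, attr_ofs + len(payload), 0xFFFFFFFF)
    struct.pack_into("<H", buf, usa_ofs, usn)
    for i in range(1, usa_cnt):
        end = i * NTFS_FIXUP_STRIDE
        buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = buf[end - 2:end]  # save real bytes
        struct.pack_into("<H", buf, end - 2, usn)                     # stamp the USN
    return bytes(buf)


if __name__ == "__main__":
    print(parse_file_record_header(PAGE_HEADER))
    rec = build_record(1024, payload=b"A" * 600)
    print("raw trailer:", rec[0x1FE:0x200], "restored:", apply_fixups(rec)[0x1FE:0x200])
```

A carver or MFT parser that hard-wires 1024 would read the dumped record as four records, the last three starting with zeros; reading the allocated size (or the BPB value) first, and checking that (USA count - 1) * 512 agrees with it, avoids that. The fixup check is also a cheap integrity signal: a block trailer that does not match the USN means the record was only partially written.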

The Curious Case of the Forensic Artifact

May 2, 2012 in Forensic Analysis, Tips & Tricks

Back in March Harlan asked on Twitter if anyone had any information about a Registry value called TrapPollTimeMilliSecs. It triggered my interest and I decided to do some research.

If you run a quick Google search on it, you will find lots of AV reports listing it. At this stage it is tempting to quickly draw the conclusion that it might be used by malware. I was not convinced though and researched it further. A few minutes later I was able to provide some (hopefully) reasonable explanation of what creates it.

It crossed my mind today that it may be beneficial to explain what I did, so that it will be easier for other investigators to find the source of similar artifacts (if a similar question pops up in the future).

The location

The TrapPollTimeMilliSecs REG_DWORD value is located under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters

and is by default set to

TrapPollTimeMilliSecs = 15000 (0x3a98)

but it doesn’t necessarily exist on a typical system.

The explanation

The TrapPollTimeMilliSecs registry value is set/queried by a DLL called inetmib1.dll, and more precisely, by its exported API SnmpExtensionInit. This API is used by only two executables:

  • arp.exe
  • netstat.exe

(it could of course also be used by other tools, but these are the only ones that popped up during the research, which covered OS-specific files only)

Once I found out which .exes are responsible for the artifact, I quickly verified it dynamically.

One important thing to note is that the value is created only if these executables are run from an elevated cmd.exe (on systems requiring it).

According to Microsoft’s information about SnmpExtensionInit:

The Microsoft SNMP service calls the SnmpExtensionInit function to initialize the SNMP extension agent DLL. This function is an element of the SNMP Extension Agent API.

I would assume both netstat and arp, being network utilities, use the functions to talk SNMP to devices on the network, but my knowledge of SNMP internals is too limited to conclude anything here. Still, this is most likely enough information to rule out this artifact from the investigation (and especially if there are prefetch files for arp.exe and netstat.exe on the system).

The recipe

Prerequisites:

  • Generate strings for all files inside your Windows and system32 directories, e.g. use a simple extension such as *.s to store the strings
  • It is best to keep a copy of all the files together with their strings, so you can play with the files without risking destroying your Windows/system32 directory by accident (it shouldn’t normally happen, because of Windows File Protection/ACLs, but well… always work on a copy of the evidence :) )
  • If you have more Windows versions available, run strings on all versions and keep them in separate directories as well

Once you have it in place do as follows:

  • Search (grep/findstr) all *.s for the string you are looking for e.g. TrapPollTimeMilliSecs
  • This will narrow down the scope to the list of DLLs/EXEs that create the artifact
  • Load the suspected binaries into a disassembler, e.g. IDA Pro a.k.a. the god of all disassemblers
  • Find references to the string (there can be multiple occurrences)
  • Skim/analyze the code to confirm the data is used by registry functions (and maybe how)
  • Profit (or create meme)

For a very specific (unique name) value it is a pretty quick procedure, a few minutes or so.
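The first step of the recipe, grepping for the value name, has one trap worth showing: Windows binaries usually hold registry value names as UTF-16LE wide strings, so a plain grep over the raw .dll/.exe files (rather than over the output of a strings tool that also extracts Unicode) will not find them. The Python below is an added example, not code from the original post: it searches a file tree for both the narrow and the wide encoding of a name and reports which one matched. The sample "binaries" in SAMPLES are constructed byte blobs, not real system files, and the directory walk assumes a copy of the files as the prerequisites above suggest.

```python
from pathlib import Path


def encodings_present(blob: bytes, name: str) -> list:
    """Report which encodings of `name` occur in a binary blob.
    Registry value names in Windows DLLs/EXEs are usually UTF-16LE, which
    an ASCII-only search over the raw file never matches."""
    found = []
    if name.encode("ascii") in blob:
        found.append("ascii")
    if name.encode("utf-16-le") in blob:
        found.append("utf-16le")
    return found


def scan_tree(root, name: str, suffixes=(".dll", ".exe", ".sys")):
    """Yield (path, encodings) for every binary under `root` embedding `name`.
    Point `root` at your copy of Windows/system32, never at the live directory."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = encodings_present(path.read_bytes(), name)
            if hits:
                yield path, hits


# Constructed sample "binaries" (not real files): one wide-string hit,
# one narrow-string hit and one file that does not reference the name at all.
SAMPLES = {
    "wide.dll": b"MZ" + b"\0" * 30 + "TrapPollTimeMilliSecs".encode("utf-16-le") + b"\0\0",
    "narrow.exe": b"MZ" + b"\0" * 30 + b"TrapPollTimeMilliSecs\0",
    "unrelated.dll": b"MZ" + b"\0" * 64,
}


def scan_samples(name: str = "TrapPollTimeMilliSecs") -> dict:
    """Run the same check over the constructed samples; returns {filename: encodings}."""
    result = {}
    for filename, blob in SAMPLES.items():
        hits = encodings_present(blob, name)
        if hits:
            result[filename] = hits
    return result


if __name__ == "__main__":
    for filename, hits in scan_samples().items():
        print(filename, hits)
```

Once the candidate binaries are narrowed down this way, the rest of the recipe (loading them into a disassembler and confirming the string reaches a registry function) still has to be done by hand; a string hit alone only tells you who knows the name, not who writes it.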

Apart from playing around with OS binaries, you may also download ReactOS – grepping its source code is one of the best ways to understand the internal workings of Windows and to find how certain artifacts are created (notably, it may not be 100% compatible with Windows, but it may give you hints on where and what to search for).

Forensic Riddle #11 – Answer

May 2, 2012 in Forensic Riddles - Answers

The answer to #11 is simple – it was an open-ended question really, as it could be any executable file that is dependent on configuration, a config file, etc. I wanted to draw your attention to one type of executable specifically though – a type that I touched on in my recent post, i.e. installers. Their stub is always the same and based on their source code – the behavior depends on the installed application and user choices. I told you it was easy ;)

File Formats ZOO – Installers

April 30, 2012 in File Formats ZOO

Continuing on my previous post I am adding some more information about file signatures.

First, the illustration :)

One of the types of Portable Executable file that is not so often discussed is installers. For those who don’t know, in most cases a typical installer for Windows is a standalone Portable Executable file with some extra data appended to it (with the notable exception of .msi files, which are containers handled by the Windows Installer).

The installer file usually contains two parts. The first part is a standalone setup file that is unique and identical across all installers created with the same version of the (installation) packager/wizard/script. The second part is the actual software that is about to be installed – often preserved in a compressed/encrypted way. The most popular installers include Nullsoft Scriptable Install System (NSIS) and Inno Setup, but there are literally hundreds of them available.

Let me say here that ‘installer’ is a very wide term and can include pretty much any .exe file with any file appended to its end and, in some cases, files embedded inside the main .exe (either directly as data/encrypted data, or as a resource embedded within the resource section). Many well-known formats are used as appended data. So, one can find .exes with appended JPG files, Flash movies, other .exe files and many other variants. One very popular type of installer (even if they don’t necessarily classify as software installers) is the self-extracting archive, e.g. RarSFX, CABSFX, 7ZSFX, etc. All of these are treated here equally ==> .exe + something appended to it.

From a forensic perspective, determining that some .exe is an installer could help in data reduction as long as we can confirm the installer has been executed on the investigated system. All you have to do is extract the installer and run it in a test environment. The collected artifacts can then be removed from the local copy of the evidence, e.g. by file name. If you remember my preaching post a few days ago on speeding up case processing – deleting files created by a confirmed installer could be a good thing to do /as long as the installer itself is out of scope/. Let’s not overlook this possibility, as removing thousands of small files created by software packages often present on the investigated systems could be a very good data reduction technique. Whether it is Java Runtime Environment, Microsoft Visual Studio, Adobe software, or any other large package, we could save a lot of time simply by removing these from our view. While I am saying this, I must emphasize that this is a very unexplored area and needs both more research and new tools. Still, any data reduction technique available to an examiner is much needed, and whoever gets it right and gets there first will be cracking cases in no time.
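The ‘.exe + something appended to it’ definition can be checked mechanically: walk the PE section table, take the end of the last section’s raw data as the start of the overlay, and compare the overlay’s first bytes against known magics. The Python below is an added example, not code from the original post or from any of the packagers named here; its magic table is taken from the appended-data dumps catalogued further down this page (7z, BZh, CWS, FWS, !sfx!, IFCM and the perl2exe ‘dbload 1.0 signature’ marker), and build_test_pe constructs minimal PE images for testing, not real binaries.

```python
import struct

# Appended-data magics taken from the dumps catalogued in this post.
OVERLAY_MAGICS = (
    (b"7z\xbc\xaf\x27\x1c", "7z SFX archive"),
    (b"BZh", "bzip2 SFX archive"),
    (b"CWS", "compressed Flash movie (SWF projector)"),
    (b"FWS", "uncompressed Flash movie (SWF projector)"),
    (b"!sfx!", "WinAce SFX archive"),
    (b"IFCM", "Microsoft Help 2.x"),
    (b"dbload 1.0 signature", "perl2exe payload (dbload)"),
)


def pe_layout(data: bytes):
    """Walk the PE headers and return (section names, end of the last section's
    raw data). Anything in the file past that offset is the overlay (appended data)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names, end = [], 0
    for i in range(n_sections):
        entry = table + 40 * i
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("latin-1"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return names, end


def classify_overlay(data: bytes) -> str:
    """Label the appended data of a PE file by its leading magic."""
    names, end = pe_layout(data)
    if end >= len(data):
        return "no appended data"
    overlay = data[end:]
    for magic, label in OVERLAY_MAGICS:
        if overlay.startswith(magic):
            return label
    return f"unknown appended data ({len(overlay)} bytes)"


def build_test_pe(sections, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE image for testing (constructed data, not a real
    binary): DOS header, PE signature, COFF header with no optional header,
    a 512-byte-aligned section table, the raw sections, then `overlay`."""
    n = len(sections)
    raw_ptr = (0x40 + 4 + 20 + 40 * n + 0x1FF) & ~0x1FF
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    raw, table = b"", b""
    for i, (name, payload) in enumerate(sections):
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIII", len(payload), 0x1000 * (i + 1), size, raw_ptr + len(raw)) + b"\0" * 16
        raw += payload.ljust(size, b"\0")
    return (img + table).ljust(raw_ptr, b"\0") + raw + overlay


if __name__ == "__main__":
    sample = build_test_pe([(b".text", b"\xcc" * 100)],
                           overlay=b"7z\xbc\xaf\x27\x1c" + b"\0" * 26)
    print(pe_layout(sample), classify_overlay(sample))
```

Two caveats when using this on real files: an Authenticode-signed binary also has data past the last section (the certificate table lives in the overlay), so ‘has an overlay’ alone does not mean ‘installer’; and stubs such as the WinZip one above keep the archive inside a named section (_winzip_) rather than appended, which is why pe_layout returns the section names as well.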

MZ...PE... I.n.s.t.a.l.l.S.h.i.e.l.d.

InstallShield Installer. Contains no appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
62 29 00 00 00 00 00 00 00 00 50 45 00 00 4C 01  b)........PE..L.
00 23 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E  .#...C.o.m.p.a.n
00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 49  .y.N.a.m.e.....I
00 6E 00 73 00 74 00 61 00 6C 00 6C 00 53 00 68  .n.s.t.a.l.l.S.h
00 69 00 65 00 6C 00 64 00 20 00 53 00 6F 00 66  .i.e.l.d. .S.o.f
MZ...PE... _winzip_ …

A self-extracting WinZip32 executable. Contains a stub (archive extractor) and a typical Zip file. There is no appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 F0 A4 F5 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 E0 00 00  ................
...
[section table]
2E 74 65 78 74 00 00 00 B4 D5 00 00 00 10 00 00  .text...........
00 E0 00 00 00 10 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00  .... ..`.rdata..
42 29 00 00 00 F0 00 00 00 30 00 00 00 F0 00 00  B).......0......
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
2E 64 61 74 61 00 00 00 DC 54 00 00 00 20 01 00  .data....T... ..
00 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00  . ... ..........
00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00  ....@....rsrc...
88 91 00 00 00 80 01 00 00 A0 00 00 00 40 01 00  .............@..
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
5F 77 69 6E 7A 69 70 5F 00 30 0A 00 00 20 02 00  _winzip_.0... ..
00 30 0A 00 00 E0 01 00 00 00 00 00 00 00 00 00  .0..............
00 00 00 00 40 00 00 42                          ....@..B
MZ...PE... | … dbload

A Perl script converted into an executable with the perl2exe utility.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 1C B2 B8 3B 00 00 00 00  PE..L......;....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 10 00 00  ................
[Appended data]
64 62 6C 6F 61 64 20 31 2E 30 20 73 69 67 6E 61  dbload 1.0 signa
74 75 72 65 0D 0A 0D 0A 80 80 80 80 80 80 80 80  ture............
MZ...PE... | !sfx!.

Self-extracting WinAce installer/archive.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 DE 01 00  ................
[Appended data]
21 73 66 78 21 00 53 03 00 00 00 01 B8 AF 00 00  !sfx!.S.........
01 00 00 00 11 00 00 00 06 00 00 00 14 00 00 00  ................
MZ...PE... | 7z

Self-extracting 7z installer/archive. Contains a stub (archive extractor) and a typical 7z archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 49 B5 57 47 00 00 00 00  PE..L...I.WG....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 92 01 00  ................
[Appended data]
37 7A BC AF 27 1C 00 02 E1 AB 8F 68 7E DB C6 00  7z..'......h~...
00 00 00 00 26 00 00 00 00 00 00 00 37 1C 2D 11  ....&.......7.-.
MZ...PE... | BZh

Self extracting Bzip2 installer/archive. Contains stub (archive extractor) and a typical Bzip2 archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 B4 CE 3D 3C 00 00 00 00  PE..L.....=<....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 A0 01 00  ................
[Appended data]
42 5A 68 39 31 41 59 26 53 59 75 91 99 30 00 02  BZh91AY&SYu..0..
D9 7F FF FF DF FB FF E3 F5 FF FF FF FF FF FF FF  ................
MZ...PE... | CWS

Macromedia Flash Player. Contains stub (flash player) and a typical compressed Flash file (CWS).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 06 00 38 AD 57 3F 00 00 00 00  PE..L...8.W?....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 0C 00  ................
...
[Appended data]
43 57 53 07 5E 9A 01 00 78 9C BC 3B 5B 90 1C D5  CWS.^...x..;[...
75 67 7A 7A 66 7A DF 0F AD 34 7A EC 4A 42 12 82  ugzzfz...4z.JB..
MZ...PE... | FWS

Macromedia Flash Player. Contains stub (flash player) and a typical Flash file (FWS).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 FD 8A 49 37 00 00 00 00  PE..L.....I7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 03 00  .............0..
[Appended data]
46 57 53 04 ED A0 03 00 70 00 09 C4 00 00 FA 00  FWS.....p.......
00 0C 54 00 43 02 FF FF FF 00 06 44 0B 06 00 00  ..T.C......D....
MZ...PE... | ... IFCM

Microsoft Help 2.x.

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00  PE..L...........
00 00 00 00 E0 00 01 20 0B 01 00 00 00 00 00 00  ....... ........
[Appended data]
49 46 43 4D 01 00 00 00 00 20 00 00 00 00 10 00  IFCM..... ......
FF FF FF FF FF FF FF FF 09 00 00 00 00 00 00 00  ................
MZ...PE... | Inno Setup

Inno Setup installer.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8F 81 0B 01 02 19 00 90 00 00  ................
[Appended data]
49 6E 6E 6F 20 53 65 74 75 70 20 53 65 74 75 70  Inno Setup Setup
20 44 61 74 61 20 28 35 2E 31 2E 31 33 29 00 00   Data (5.1.13)..
MZ...PE... | MZ

An executable with appended data that probably contains another executable. It may be either a custom installer or a wrapper.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 0E 04 00  ................
[Appended data]
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
MZ...PE... | Rar!

A self extracting WinRar executable. Contains stub (archive extractor) and a typical Rar file.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 E6 68 F2 46 00 00 00 00  PE..L....h.F....
00 00 00 00 E0 00 0F 01 0B 01 05 00 00 40 01 00  .............@..
[Appended data]
52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!.....s......
00 00 00 00 83 59 7A 00 80 23 00 6E 00 00 00 6E  .....Yz..#.n...n
MZ...PE... | SQ5SFX

Squeez self-extracting executable.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 BA 1F 9F 48 00 00 00 00  PE..L......H....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
[Appended data]
53 51 35 53 46 58 CE B0 01 00 05 00 00 00 C7 0C  SQ5SFX..........
00 00 5B 64 65 73 63 72 69 70 74 69 6F 6E 5D 0D  ..[description].
MZ...PE... | sRBV...ResJ

AWinstall Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 94 AD EF 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 09 00 00 C6 01 00  ................
[Appended data]
73 52 42 56 06 68 1F 00 16 68 1F 00 06 03 00 00  sRBV.h...h......
52 65 73 4A 7F FF FB 81 C1 79 91 46 DE D1 BB 72  ResJ.....y.F...r
MZ...PE... | Smart Install Maker

Installer created with Smart Install Maker.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 62 01 00  .............b..
[Appended data]
53 6D 61 72 74 20 49 6E 73 74 61 6C 6C 20 4D 61  Smart Install Ma
6B 65 72 20 76 2E 20 35 2E 30 30 00 30 00 30 00  ker v. 5.00.0.0.
MZ...PE... | SZDD

Executable whose appended data is an SZDD-compressed file.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 CE F8 9B 3E 00 00 00 00  PE..L......>....
00 00 00 00 E0 00 0E 01 0B 01 04 14 00 0C 01 00  ................
...
[Appended data]
53 5A 44 44 88 F0 27 33 41 6D F0 A3 01 00 FF 49  SZDD..'3Am.....I
54 53 46 03 00 00 00 F5 60 F5 F0 01 F5 F0 33 15  TSF.....`.....3.
MZ...PE... | wwgT

Installer created with Install Creator.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 C0 9F C2 41 00 00 00 00  PE..L......A....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 01 00  .............0..
[Appended data]
77 77 67 54 29 48 35 14 01 00 6E 02 00 00 F2 06  wwgT)H5...n.....
00 00 01 78 DA AD 94 4F 68 13 41 14 C6 DF EE 6C  ...x...Oh.A....l
MZ...PE... | 0xA3 HK

AutoIt or AutoHotkey script.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 A2 3E 49 47 00 00 00 00  PE..L....>IG....
00 00 00 00 E0 00 23 01 0B 01 08 00 00 70 03 00  ......#......p..
[Appended data]
A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D  .HK..lJ..LS...H}
41 55 33 21 45 41 30 36 F0 6B 89 18 C1 BC 11 F7  AU3!EA06.k......
MZ...PE... | 0xEF 0xBE 0xAD 0xDE nsisinstall

Old version of Nullsoft Installer. Note the characteristic marker 0xDEADBEEF (stored little-endian, so it appears as the bytes EF BE AD DE) at the beginning of the appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 85 A8 25 3A 00 00 00 00  PE..L.....%:....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 60 00 00  .............`..
[Appended data]
EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00  ....nsisinstall.
0D F0 AD 0B 2C 13 00 00 D1 46 09 00 44 46 58 20  ....,....F..DFX
MZ...PE... | ...0xEF 0xBE 0xAD 0xDE...NullsoftInst

Nullsoft Installer. Note the characteristic marker 0xDEADBEEF (stored little-endian, so it appears as the bytes EF BE AD DE) at the beginning of the appended data. In some cases, the version of Nullsoft Installer can be found inside the manifest (in the resources of the PE executable).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 1A 5A A0 49 00 00 00 00  PE..L....Z.I....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 5C 00 00  .............\..
00 00 00 00 EF BE AD DE 4E 75 6C 6C 73 6F 66 74  ........Nullsoft
49 6E 73 74 1D 27 02 00 33 90 17 00 5D 00 00 80  Inst.'..3...]...
MZ...PE... | ... PK

A self extracting Zip executable. Contains stub (archive extractor) and a Zip file.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 5A F5 36 48 00 00 00 00  PE..L...Z.6H....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 00 01 00  ................
[End of file]
50 4B 05 06 00 00 00 00 04 00 04 00 EF 00 00 00  PK..............
FF 99 48 01 00 00 00 00 00 00 00 00 50 15 00 00  ..H.........P...
MZ...PE... | ... Wise

WISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 3F 6C D8 3B 00 00 00 00  PE..L...?l.;....
00 00 00 00 E0 00 0F 05 0B 01 06 00 00 22 00 00  ............."..
[Appended data]
57 69 73 65 20 49 6E 73 74 61 6C 6C 61 74 69 6F  Wise Installatio
6E 20 57 69 7A 61 72 64 2E 2E 2E 00 ED 5B CD 8F  n Wizard.....[..
MZ...PE... | ... ESIV

VISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 49 E3 5E 37 00 00 00 00  PE..L...I.^7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
...
[End of file]
DA E1 E1 47 47 DA DA E1 E1 47 47 DA DA E1 E1 47  ...GG....GG....G
8F D9 A8 DE F4 9C 03 FF 45 53 49 56 00 10 01 00  ........ESIV....

File Formats ZOO

April 30, 2012 in File Formats ZOO

In 2009 my wife drew a lovely illustration for my upcoming book about malware analysis. Unfortunately, I couldn’t complete the book (for various reasons) and her work never made it to the printer. I really liked that illustration though and have always been thinking that I would find a way to use it one day. Today is the day and I present it to you, together with short information on some of the most popular file formats. File formats are a topic that has been discussed so many times that it is not even worth mentioning, yet I do hope that while skimming the short information below, you will still find something new there. I have more interesting file signatures to come and will publish them when I complete binary snapshots. The illustration will be there too :)

0x00 0x00 0x01 0x00

Windows Icon file (*.ico).

00 00 01 00 01 00 20 20 10 00 00 00 00 00 E8 02  ......  ........

00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00  ......(... ...@.

0x00 0x00 0x01

Mpg movie (*.mpg, *.mpe, *.mpeg).

00 00 01 BA 21 00 01 00 0F 80 0D F9 00 00 01 BB  ....!...........

00 0C 80 0D F9 07 E1 FF B8 C0 20 B9 E0 28 00 00  .......... ..(..

0x00 0x01 0x00 0x00 Standard Jet DB

Microsoft Access database (*.mdb, *.accdb).

00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74  ....Standard Jet

20 44 42 00 00 00 00 00 B5 6E 03 62 60 09 C2 55   DB......n.b`..U

. . 0x0D 0x0A

Python compiled script (*.pyc).

D1 F2 0D 0A 7E 74 F3 47 63 00 00 00 00 00 00 00  ....~t.Gc.......

00 0B 00 00 00 40 00 00 00 73 FD 00 00 00 64 00  .....@...s....d.

0x1F 0x8B

Tar archive compressed using gzip (*.tgz).

1F 8B 08 00 03 83 74 3A 02 03 EC 3C FD 73 DB 36  ......t:...<.s.6

B2 FD D5 FC 2B 30 8E A6 B6 72 16 15 F9 2B 17 B9  ....+0...r...+..

!<arch>

Library file (*.lib).

21 3C 61 72 63 68 3E 0A 2F 20 20 20 20 20 20 20  !<arch>./

20 20 20 20 20 20 20 20 31 31 32 36 39 34 35 34          11269454

!<arch>.debian-binary

Debian software package (*.deb).

21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E 2D 62  !<arch>.debian-b

69 6E 61 72 79 20 20 20 31 32 30 36 36 34 30 32  inary   12066402

%PDF

PDF document (*.pdf).

25 50 44 46 2D 31 2E 33 0D 25 E2 E3 CF D3 0D 0A  %PDF-1.3.%......

36 20 30 20 6F 62 6A 0D 3C 3C 20 0D 2F 4C 69 6E  6 0 obj.<< ./Lin

.RMF

RMVB movie (*.rm, *.rmvb).

2E 52 4D 46 00 00 00 12 00 01 00 00 00 00 00 00  .RMF............

00 07 50 52 4F 50 00 00 00 32 00 00 00 1C FD E0  ..PROP...2......

0& 0xB2 u

ASF or WMV movie (*.asf, *.wmv).

30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C  0&.u.f.......b.l

85 02 00 00 00 00 00 00 05 00 00 00 01 02 A1 DC  ................

7z

7-Zip archive (*.7z).

37 7A BC AF 27 1C 00 03 11 05 8F B2 13 00 00 00  7z..'...........

00 00 00 00 54 00 00 00 00 00 00 00 8F 51 A0 B5  ....T........Q..

?_

Old Windows Help format (*.hlp).

3F 5F 03 00 0C 01 00 00 FF FF FF FF 1B 39 00 00  ?_...........9..

FC 00 00 00 F3 00 00 00 00 6C 03 21 00 01 00 21  .........l.!...!

BM

Bitmap file (*.bmp).

42 4D 38 00 1B 00 00 00 00 00 36 00 00 00 28 00  BM8.......6...(.

00 00 00 03 00 00 40 02 00 00 01 00 20 00 00 00  ......@..... ...

BZh

Archive compressed using Bzip2 (*.bz, *.bz2, *.bzip2).

42 5A 68 39 31 41 59 26 53 59 B6 0D 89 62 00 8F  BZh91AY&SY...b..

C8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................

CWS

Compressed Flash movie (*.swf).

43 57 53 08 AD C6 00 00 78 9C E4 BD 07 5C 13 CB  CWS.....x....\..

F7 28 3E 1B 12 B2 81 D0 41 50 83 62 07 41 11 EC  .(>.....AP.b.A..

d8:announce

Torrent file (*.torrent).

64 38 3A 61 6E 6E 6F 75 6E 63 65 33 39 3A 68 74  d8:announce39:ht

74 70 3A 2F 2F 74 6F 72 72 65 6E 74 2E 75 62 75  tp://torrent.ubu

FLV

Flash Video file (*.flv).

46 4C 56 01 05 00 00 00 09 00 00 00 00 12 00 01  FLV.............

C2 00 00 00 00 00 00 00 02 00 0A 6F 6E 4D 65 74  ...........onMet

...ftyp

Quicktime movie (*.mov).

00 00 00 20 66 74 79 70 71 74 20 20 20 05 03 00  ... ftypqt   ...

71 74 20 20 00 00 00 00 00 00 00 00 00 00 00 00  qt  ............

From: <Saved by Windows Internet Explorer>

MIME HTML archive which may contain various files saved in a MIME format (*.mht).

46 72 6F 6D 3A 20 3C 53 61 76 65 64 20 62 79 20  From: <Saved by

57 69 6E 64 6F 77 73 20 49 6E 74 65 72 6E 65 74  Windows Internet

20 45 78 70 6C 6F 72 65 72 20 37 3E 0D 0A 53 75   Explorer 7>..Su

GIF87a

Picture saved in GIF 87a format (*.gif).

47 49 46 38 37 61 59 00 6D 00 F7 00 00 00 00 00  GIF87aY.m.......

00 00 40 00 00 80 00 00 FF 00 20 00 00 20 40 00  ..@....... .. @.

GIF89a

Picture saved in GIF 89a format (*.gif).

47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF  GIF89a..........

00 00 00 21 F9 04 01 00 00 00 00 2C 00 00 00 00  ...!.......,....

ID3

Mp3 music file (*.mp3).

49 44 33 03 00 00 00 00 06 46 54 45 4E 43 00 00  ID3......FTENC..

00 01 40 00 00 00 00 00 00 00 00 00 02 00 00 00  ..@.............

IDA1

The database of IDA Pro disassembler (*.ida).

49 44 41 31 00 00 3E 00 00 00 43 60 01 00 48 E0  IDA1..>...C`..H.

01 00 00 00 00 00 4D 20 02 00 DD CC BB AA 01 00  ......M ........

II

Image saved in TIFF (Intel) file format (*.tif, *.tiff).

49 49 2A 00 18 CA 34 00 2C 30 33 35 37 3B 34 35  II*...4.,0357;45

39 38 38 3D 38 37 3C 35 34 39 33 31 36 31 2F 34  988=87<5493161/4

ISc(

InstallShield Cabinet File (*.cab). Requires a separate installer called setup.exe.

49 53 63 28 0C 60 00 01 00 00 00 00 00 02 00 00  ISc(.`..........

00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00  ................

ITSF

Windows Help File (*.chm).

49 54 53 46 03 00 00 00 60 00 00 00 01 00 00 00  ITSF....`.......

40 62 C0 46 09 04 00 00 10 FD 01 7C AA 7B D0 11  @b.F.......|.{..

KGB_arch

Archive file created by KGB compression utility (*.kgb).

4B 47 42 5F 61 72 63 68 20 2D 33 0D 0A 32 35 30  KGB_arch -3..250

30 33 32 09 72 65 61 64 6D 65 2E 74 78 74 0D 0A  032.readme.txt..

L 0x00 0x00 0x00

Windows shortcut file (*.lnk).

4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00  L...............

00 00 00 46 CB 40 00 00 20 00 00 00 F4 AA 17 AE  ...F.@.. .......

L 0x01 0x05

Object file (*.obj).

4C 01 05 00 67 20 93 45 76 0A 00 00 3C 00 00 00  L...g .Ev...<...

00 00 00 00 2E 74 65 78 74 00 00 00 00 00 00 00  .....text.......

MM

Image saved in TIFF (Motorola) file format (*.tif, *.tiff).

4D 4D 00 2A 00 00 0D 32 81 FF CD FF FB FF FF FE  MM.*...2........

01 FF FD FA FE 06 FF FE FE FF FE FE FF FF FE FD  ................

...moov

Quicktime movie (*.mov).

00 00 41 DE 6D 6F 6F 76 00 00 00 6C 6D 76 68 64  ..A.moov...lmvhd

00 00 00 00 BD 38 15 59 BD 38 15 59 00 00 02 58  .....8.Y.8.Y...X

MP+

Musepack Audio File (*.mpc).

4D 50 2B 07 81 35 00 00 00 00 C0 5F 00 00 00 00  MP+..5....._....

00 00 00 00 00 00 C0 80 F7 07 02 73 5A 3B 8B 80  ...........sZ;..

MSCF

Microsoft Cabinet File (*.cab).

4D 53 43 46 00 00 00 00 8E 07 3E 00 00 00 00 00  MSCF......>.....

2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00  ,...............

MZ

Windows/DOS executable (*.exe, *.dll, *.sys, *.cpl, *.ocx, and others).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............

B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......

OggS

Music file saved in OggS format (*.ogg).

4F 67 67 53 00 02 00 00 00 00 00 00 00 00 67 0B  OggS..........g.

00 00 00 00 00 00 46 7D C7 F2 01 1E 01 76 6F 72  ......F}.....vor

PK

Zip archive, also used by Java (e.g. JAR files) and Microsoft Office 2007 (*.zip, *.jar, *.docx, and others).

50 4B 03 04 14 00 02 00 00 00 F8 43 36 38 00 00  PK.........C68..

00 00 00 00 00 00 00 00 00 00 16 00 00 00 45 78  ..............Ex

Rar!

Rar Archive (*.rar, *.r00, *.r01, …, part1.rar, part2.rar, …).

52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!.....s......

00 00 00 00 31 A3 74 C0 90 2E 00 3F F9 3B 00 00  ....1.t....?.;..

regf

Windows registry file (*.dat, *.<no extension>).

72 65 67 66 01 00 00 00 01 00 00 00 00 00 00 00  regf............

00 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00  ................

RIFF...ACON

Animated cursor (*.cur).

52 49 46 46 50 3A 00 00 41 43 4F 4E 4C 49 53 54  RIFFP:..ACONLIST

46 00 00 00 49 4E 46 4F 49 4E 41 4D 0B 00 00 00  F...INFOINAM....

RIFF...AVI

AVI movie (*.avi).

52 49 46 46 88 51 5A 01 41 56 49 20 4C 49 53 54  RIFF.QZ.AVI LIST

46 01 00 00 68 64 72 6C 61 76 69 68 38 00 00 00  F...hdrlavih8...

SZDD

A file compressed with the Microsoft program compress.exe (*.??_, e.g. *.ex_ for a compressed *.exe).

53 5A 44 44 88 F0 27 33 41 65 00 74 00 00 FF 4D  SZDD..'3Ae.t...M

5A 90 00 03 00 00 00 7D 04 F5 F0 FF FF 00 00 B8  Z......}........

0x60 0xEA

Arj archive (*.arj).

60 EA 2E 00 22 0B 01 0A 10 00 02 EB EB BC 86 3A  `..."..........:

EB BC 86 3A 00 00 00 00 00 00 00 00 00 00 00 00  ...:............

0x78 0x01

DMG image for Mac (*.dmg).

78 01 ED 9D 0B 80 1D 55 7D FF 67 E6 3E F7 BE 76  x......U}.g.>..v

49 78 04 44 5C F3 8F 2B 41 B2 5D 48 08 81 50 59  Ix.D\..+A.]H..PY

{\rtf

Document saved in Rich Text Format (RTF) (*.rtf).

7B 5C 72 74 66 31 5C 61 64 65 66 6C 61 6E 67 31  {\rtf1\adeflang1

30 32 35 5C 61 6E 73 69 5C 61 6E 73 69 63 70 67  025\ansi\ansicpg

0x7F ELF

Linux executable  (*.<no extension>, *.so).

7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00  .ELF............

02 00 03 00 01 00 00 00 00 81 04 08 34 00 00 00  ............4...

0x89 PNG

An image saved in PNG format (*.png).

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52  .PNG........IHDR

00 00 03 D5 00 00 02 78 08 02 00 00 00 E4 DD 57  .......x.......W

0xCA 0xFE 0xBA 0xBE (CAFEBABE)

Java file (*.class) or Mac Mach-O Universal binary (*.app).

CA FE BA BE 00 00 00 32 00 C0 0A 00 30 00 6A 09  .......2....0.j.

00 2F 00 6B 07 00 6C 08 00 6D 0A 00 03 00 6E 09  ./.k..l..m....n.

0xD0 0xCF 0x11 0xE0 (D0CF11E0)

Compound OLE file from Microsoft (*.doc, *.xls, *.msi, and others).

D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00  ................

00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00  ........>.......

0xED 0xAB 0xEE 0xDB

Red Hat Package Manager File (*.rpm).

ED AB EE DB 03 00 00 00 00 01 74 75 78 70 61 69  ..........tuxpai

6E 74 2D 30 2E 39 2E 32 30 2D 31 2E 66 38 5F 66  nt-0.9.20-1.f8_f

0xEF 0xBB 0xBF

Text encoded in UTF8 (*.txt, *.utf8, and others).

EF BB BF 54 68 69 73 20 69 73 20 61 20 73 69 6D  ...This is a sim

70 6C 65 20 74 65 78 74 20 66 69 6C 65 20 2E 2E  ple text file ..

0xFF 0xD8…JFIF

Picture saved in a JPEG format (*.jpg, *.jpe, *.jpeg).

FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64  ......JFIF.....d

00 64 00 00 FF FE 00 12 41 64 6F 62 65 20 49 6D  .d......Adobe Im

0xFE 0xFF

Text encoded in UTF16BE (*.txt, and others).

FE FF 00 54 00 68 00 69 00 73 00 20 00 69 00 73  ...T.h.i.s. .i.s

00 20 00 61 00 20 00 73 00 69 00 6D 00 70 00 6C  . .a. .s.i.m.p.l

0xFF 0xFE

Text encoded in UTF16LE (*.txt, and others).

FF FE 54 00 68 00 69 00 73 00 20 00 69 00 73 00  ..T.h.i.s. .i.s.

20 00 61 00 20 00 73 00 69 00 6D 00 70 00 6C 00   .a. .s.i.m.p.l.
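As an added example (not code from the original posts), the two checks these tables support, put together in one small Python triage helper: identify a file from the leading magic bytes of the File Formats ZOO table above, and for MZ/PE files locate the data appended after the last section (the overlay) and classify it with the appended-data signatures from the MZ...PE... catalogue earlier on this page. The tables hold a subset of the page's signatures; the PE used for the demo is constructed by build_sample_pe() and is not a real binary.

```python
import struct

# (offset, pattern, description): a subset of the File Formats ZOO table.
# More specific patterns come first; the short "PK" and "MZ" entries are last.
HEADER_MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (doc/xls/msi)"),
    (0, b"Rar!\x1a\x07\x00", "Rar archive"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (0, b"\xca\xfe\xba\xbe", "Java class or Mach-O universal binary"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"%PDF", "PDF document"),
    (0, b"regf", "Windows registry hive"),
    (0, b"ISc(", "InstallShield cabinet"),
    (4, b"ftyp", "QuickTime/ISO media container"),
    (4, b"moov", "QuickTime movie"),
    (8, b"AVI ", "AVI movie (RIFF)"),
    (0, b"PK\x03\x04", "Zip archive (also jar/docx)"),
    (0, b"MZ", "Windows/DOS executable"),
]

# (offset within the overlay, pattern, description) from the MZ...PE... list.
# The NSIS dump on the page shows 4 bytes before the DEADBEEF marker, hence 4.
OVERLAY_MAGIC = [
    (4, b"\xef\xbe\xad\xdeNullsoftInst", "Nullsoft NSIS installer"),
    (0, b"\xef\xbe\xad\xdensisinstall", "Nullsoft installer (old)"),
    (0, b"Inno Setup Setup Data", "Inno Setup installer"),
    (0, b"Smart Install Maker", "Smart Install Maker"),
    (0, b"Wise Installation Wizard", "Wise installer"),
    (0, b"dbload 1.0 signature", "perl2exe"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip SFX"),
    (0, b"Rar!\x1a\x07\x00", "WinRAR SFX"),
    (0, b"!sfx!", "WinAce SFX"),
    (0, b"SQ5SFX", "Squeez SFX"),
    (0, b"SZDD", "SZDD-compressed payload"),
    (0, b"\xa3HK", "AutoIt/AutoHotkey script"),
    (0, b"BZh", "bzip2 SFX"),
    (0, b"CWS", "compressed Flash (projector)"),
    (0, b"FWS", "Flash (projector)"),
    (0, b"MZ", "another executable (wrapper or custom installer)"),
]


def match_table(buf, table):
    """Description of the first table entry whose pattern sits at its offset."""
    for off, pat, desc in table:
        if buf[off:off + len(pat)] == pat:
            return desc
    return None


def overlay_offset(data):
    """File offset just past the last PE section's raw data, or None when the
    file is not a PE or nothing follows the sections (no overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    optsz = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    end = 0
    for i in range(nsec):
        hdr = pe + 24 + optsz + i * 40                      # IMAGE_SECTION_HEADER
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end if 0 < end < len(data) else None


def identify(data):
    """(container type, appended-data type or None). The Zip and VISE cases
    are recognised from the trailer, as the page's [End of file] dumps show."""
    kind = match_table(data, HEADER_MAGIC) or "unknown"
    start = overlay_offset(data)
    if start is None:
        return kind, None
    tail = match_table(data[start:], OVERLAY_MAGIC)
    if tail is None and b"PK\x05\x06" in data[-(22 + 0xFFFF):]:
        tail = "Zip SFX (end-of-central-directory record at end of file)"
    elif tail is None and b"ESIV" in data[-16:]:
        tail = "VISE installer (ESIV trailer)"
    return kind, tail or "unclassified overlay (%d bytes)" % (len(data) - start)


def build_sample_pe(overlay):
    """Constructed minimal PE32: headers, one 0x200-byte section at file offset
    0x200, then whatever is passed as the overlay (for the demo only)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)            # i386, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                # PE32 magic
    sec = 0x98 + 0xE0                                       # first section header
    img[sec:sec + 8] = b".text\x00\x00\x00"
    struct.pack_into("<II", img, sec + 16, 0x200, 0x200)    # SizeOfRawData, PointerToRawData
    return bytes(img) + overlay
```

A signed binary also carries an overlay (the Authenticode certificate table), so an unclassified overlay on its own is not a sign of a wrapper.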


Forensic Riddle #11

April 27, 2012 in Forensic Riddles

It’s been a while since I posted a riddle, so here is a new one – this should be an easy one:

Two different Windows executables have been executed on the same version of a Windows system and under identical (ideal) conditions. Dynamic analysis showed that each of them produces completely different artefacts on a test system, but in-depth code analysis showed that they have identical source code. What files are these?


Speeding up case processing

April 20, 2012 in Preaching

A few years back I was looking at the data from my first forensic case: a few images, hundreds of thousands of files and only a very limited time to look through it. Like many before me, I found it overwhelming and hard to manage.

I started a typical (and painful) journey through the evidence, playing around with data filtering using various criteria (e.g. date, size, file extensions); I also tried hiding some of the data and manually going through subsets of it (e.g. by just looking at specific folders), and of course did some simple timeline analysis as well.

I thought there must be a better way to walk through this mess than just clicking through a graphical user interface (GUI).

As many investigators before me, and always wanting to automate things, I soon started toying around with various optimization ideas. I ended up developing various one-off, quick and dirty scripts and solutions with the aim of speeding up my analysis. Some of them worked, some of them were complete nonsense. Here and in future posts, I will demonstrate (I love using this big-mouth word :) ) some of them. At least, those that worked for me :) .

For starters, a couple of general optimization ideas – later I will come back to more specific examples:

  • Obvious ones first
    • Invest in hardware – bigger, faster, more
    • Invest in software, but do it wisely (better more hardware with no expensive software, than less hardware with more expensive software)
    • Experiment, read and pick up new techniques from others
    • Automate stuff
    • Benchmark everything you can
  • Exit your comfort zone and:
    • Learn to program; this will enable you to code stuff, often, even smallest snippets of code can do lots of magic
    • Move from GUI to command line (CLI); it is just faster & often OS-independent (+Linux CLI tools are faster); I am a Windows guy and it was EXTREMELY difficult to break through; I had a good Linux mentor though at that time and thanks to him I made a huge progress in adopting at least CLI interface and tools (this is actually funny, because in the past I was finding it really hard to change from CLI to GUI after I moved from DOS to Windows; what a sweet irony….)
    • Move from CLI to use your own scripts/tools; it is faster and is also a way to automate and instrument things to work for you; even the best grep or CLI caterpillar (as I call endless list of CLI commands separated by pipes) cannot do what a simple script with a state machine/regexes can do
    • Work on mounted data instead of data loaded into application (maybe it is subjective, but to me it always worked faster – I will come back to it in the future)
    • Work on the same data on as many boxes as you can; at times, I have been working on the same data on 6 different machines via RDP and later combining data into one report; it is VERY HARD to manage, you will lose your mind, but it gives you an edge as you can simultaneously do different things (run strings on the whole image on one system, extract files on second, run multiple AV on another, and so on and so forth)
    • Use data in raw DD format for analysis – if all fancy tools fail, you can quickly switch to CLI and save the day (it happened to me lots of times); Raw data also allows to run strings over it, so later if you need to grep for stuff, you can search within extracted strings reducing search time; (instead of DD you can also of course mount images)
    • Divide work into steps that can be batch processed and/or processed simultaneously and independently; examples include:
      • Once you extract all .exe/.dll/etc. you can run AV over them, you can also run PE tools that highlight ‘funny’ stuff like high entropy, suspicious APIs, etc.
      • Look at logical drives separately; don’t run massive searches on the whole evidence in one go on one system; in case something breaks, you can at least preserve some part of work done, and it  easier to restart on a subset of data than on the whole evidence
    • Actively search, collect and install tools; don’t just bookmark pages – when time is important (and it always is), having proper tools at hand saves a lot of time [downloading time, installation, etc.]
  • Change the mindset and don’t just look at data – act on it
    • Get a full copy of evidence data to your workstation on a local drive
    • When you walk through it, analyze something and if it is not important  – delete it e.g. walking through folders/files that you have already seen:  just remove them; this way you can get rid of a lot of noise
    • Use a better file explorer, e.g. Total Commander or FAR, to walk through the content of files (I strongly advise NOT using the CLI for walking through files – Total Commander with Quick Preview on lets you walk through many files in no time);
  • As mentioned earlier – benchmark – both tools and ideas; it can’t be stressed enough; just because strings/grep work, doesn’t mean they are the fastest; your regex may be also wrong and as programmers know – not everything can be searched for using regex; state machine or some fancy dedicated algorithm is often a much better option, not to mention a script that at least partially understands file format being scanned and can choose to ignore e.g. certain file types
  • Certain things in forensics are done, because ‘everyone does so’, even if it doesn’t make sense in certain cases, examples include:
    • Calculating hashes of all files (it is a good idea ONLY if you will actually use them)
    • Running clean tools from read-only media (malware can obviously hook/patch/disable these when they are loaded from a file to memory)
    • Scanning with multiple AV systems (custom malware is omnipresent; let’s face the facts: AV will never detect them)

That’s it for now. This is to a great extent a subjective list of mine and should not be treated as a silver bullet. What worked for me & for my cases may not work for you. And quite frankly – forensic analysis is very often less sexy than an outsider may think – it is struggling against time, customer expectations and… fatigue. If faster case processing can at least reduce the workload, it is definitely worth thinking about.

Go ahead and create your own subjective list.

HMFT – Yet Another $MFT extractor

April 16, 2012 in HMFT, Software Releases

HMFT is a simple tool that extracts $MFT from a given drive or a disk image to a file in any location (including removable drive).

Extracting $MFT directly from a live system or even from an image is always a pain. Most of the tools available on the internet are GUI-driven, and a GUI option is not always available (e.g. to remote users); such GUI-driven tools are also often not very ‘portable’ as they are bundled with other components and are written in a high-level language, so the file size often goes to a few hundred KiBs, if not MiBs. As such, getting them onto a target system may be annoying to say the least. There are of course good command line tools available as well, but they are often private, paid-only, or offer limited functionality in their free versions (not to mention the file size).

Now, don’t get me wrong – this is not to boo at other tools – they are often excellent and very useful. Also, apart from extracting $MFT they often offer a lot of other functionality e.g. parsing various file systems, extracting files by name, etc. They are just written for a different purpose.

Interestingly, the MFT extraction can be easily achieved within less than 1KB of code; HMFT is still far from an optimal size, but since it is written in x86 assembly and packed with UPX it ‘weighs’ only 4KiB and I have no plans on optimizing it further. It is also quite fast and, if you are lucky, extracting the $MFT file should be a matter of seconds to a few minutes (it will take longer for $MFT extracted from removable drives or if the system is underperforming during the operation). HMFT reads NTFS directly and tries its best to parse its structure. It doesn’t rely on any 3rd-party library and doesn’t use the commonly used FSCTL_* commands to retrieve data – it’s all plain Read/Write from the list of clusters that $MFT occupies.
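As an added example (Python, not HMFT’s own assembly code), the two NTFS structures an $MFT extractor has to read before it can copy the file: the boot sector, which yields the cluster size, the first cluster of $MFT and the FILE record size (including the signed-byte encoding of the latter), and the data-run list of $MFT’s $DATA attribute, which is the cluster list referred to above. The boot sector and runlist are constructed for the demo; field offsets follow the NTFS boot-sector layout.

```python
import struct


def parse_boot_sector(bs):
    """Volume geometry from the NTFS boot sector (BPB field offsets)."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    cluster = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]        # first cluster of $MFT
    # Clusters-per-FILE-record is a signed byte: n >= 0 is a cluster count,
    # n < 0 means the record is 2**(-n) bytes (0xF6 = -10 gives 1024 bytes).
    n = struct.unpack_from("<b", bs, 0x40)[0]
    record = n * cluster if n >= 0 else 1 << -n
    return {"bytes_per_sector": bytes_per_sector, "cluster_size": cluster,
            "mft_offset": mft_lcn * cluster, "file_record_size": record}


def decode_runlist(buf):
    """NTFS data runs -> [(lcn, clusters)], lcn None for a sparse run.
    Header byte: low nibble = size of the length field, high nibble = size of
    the signed LCN delta (relative to the previous run); 0x00 terminates."""
    runs, lcn, pos = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:                                    # sparse: no clusters
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs


def mft_extents(bs, runlist):
    """Byte ranges (volume offset, size) to read, in order, to dump $MFT."""
    c = parse_boot_sector(bs)["cluster_size"]
    return [(None if lcn is None else lcn * c, n * c)
            for lcn, n in decode_runlist(runlist)]


def sample_boot_sector(bps=512, spc=8, mft_lcn=0xC0000, cpfr=0xF6):
    """Constructed 512-byte NTFS boot sector with the given geometry."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, bps, spc)
    struct.pack_into("<Q", bs, 0x30, mft_lcn)
    bs[0x40] = cpfr
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


# Constructed $MFT runlist: 0x4000 clusters starting at LCN 0xC0000, then
# 0x800 clusters at LCN 0xC0000 + 0x1000 (delta encoded), then terminator.
SAMPLE_RUNLIST = bytes([0x32, 0x00, 0x40, 0x00, 0x00, 0x0C,
                        0x22, 0x00, 0x08, 0x00, 0x10, 0x00])
```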

Once extracted, $MFT can be parsed with analyzeMFT, mft.pl, or other scripts.

Note:

  • For images, only images of volumes (logical drives) are supported at the moment.
  • As mentioned, while parsing NTFS is a major pain in general, extracting $MFT alone is relatively simple, so I hope it will work OK. Still, if you try it and for some reason something doesn’t work, please let me know and I will try to fix it.

Usage:

hmft.exe [drive] [output filename]

f.ex.:

Download HMFT here.

Update

April 15, 2012 in Hexacorn

It’s been a while since I wrote anything here. This is due to me being on holiday and moving to a new place right after coming back. I have finally settled down in a new apartment and am looking forward to playing with some new ideas.

So, here is a short update:

  • I fixed a silly bug in HAPI – I mixed up CR & LF characters in the output and it looked awkward to say the least, not to mention potential parsing issues; Thx to Pedro L. for spotting this and notifying me
  • HAPI may occasionally print some strings that look like non-API, e.g. ‘version’; this is not a bug, but a feature ;) it turns out that there is such an API exported by one of the Microsoft DLLs; since I don’t want to miss any API, I made a trade-off and include all of them; still… I use some little heuristics to prevent printing many of them, but some of them will sometimes go through; so, please always verify the output manually; and for the curious – some Microsoft programmers decided to name certain APIs using one or two characters; I dunno why anyone would do stuff like this, but there are legitimate system DLLs exporting functions named ‘u’, ‘vo’, etc.
  • Discovered recently that Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5; these files are still handled by DeXRAY since it relies on a XRAYS technique that searches and extracts encrypted executables without needing to know a specific key; but if you parse VBN files yourself, knowing that 0xA5 is being used may help you to save some time

Good Alternate Data Streams (ADS)

March 26, 2012 in Forensic Analysis

While ADS are not widely supported or used by many apps (maybe with the notable exception of malware :) ), they can still be used for some interesting purposes. In this short article, I describe a few legitimate uses of ADS by Windows programs that I know of.

If you know some others or if you spot any mistake, please let me know. Thanks.

This post is loosely based on this Microsoft list, but it contains some more details and looks at these streams from a ‘forensic angle’.

:$DATA

Standard ADS representing a content of the file.

:$WIMMOUNTDATA

This one is referenced by wimgapi.dll, wimserv.exe and recimg.exe (win8), but I don’t have more information about it.

:TASKICON_%d

This one is referenced by ieframe.dll (win8).

:Zone.Identifier

This is the name of a stream generated by Microsoft applications when a user saves a file to the local file system from a different security zone (e.g. Internet -> Disk).

The content of the stream is just information about the original Zone the file comes from:

Good news: presence of the stream confirms (in a ‘most likely’  CYA fashion) the file has been downloaded from the internet.

Bad news: interestingly enough, some malware samples attempt to delete the :Zone.Identifier ADS attached to their executables immediately after they are executed – I guess it’s because they want to:

  • remove the ‘flag’ from the file that highlights it as ‘downloaded from internet’ – yet another subtle anti-forensics in action
  • ensure that next time the file is launched (either via autostart entry or manually), it doesn’t pop up the ‘Are you surely sure you want to run this highly insecure program downloaded from the internetz’ message box

The code responsible for creating the :Zone.Identifier ADS is present in multiple system DLLs because the functionality is exposed via the IZoneIdentifier interface; the actual code adding the stream lives in shell32.dll. (Note: this and the other code references below are my best guess, based on a quick grepping exercise over the strings extracted from all OS DLLs in the system32 directory.)
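To make the ‘good news / bad news’ above concrete, here is an added example (not code from the original post) that parses the content of a :Zone.Identifier stream and tells you whether the file is flagged as an untrusted download. The `[ZoneTransfer]` / `ZoneId=` layout and the URLZONE numbering (0 Local Machine … 4 Restricted Sites) are standard Windows definitions; the `SAMPLE_STREAM` bytes, the `example.invalid` URLs and the function names are constructed for this example. `read_zone_identifier()` relies on the fact that Windows file APIs accept the `file:stream` form, so it only does something useful on a live NTFS volume.

```python
"""Parse a :Zone.Identifier alternate data stream (added example; not the
post's own code). The [ZoneTransfer]/ZoneId layout and the URLZONE numbers
are standard Windows definitions; SAMPLE_STREAM below is constructed."""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values from urlmon.h; 3 and 4 are the zones the shell treats as untrusted.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of what the stream holds on a file saved from a browser.
# ZoneId is always present; ReferrerUrl/HostUrl are written only by newer
# Windows versions, so the parser treats them as optional.
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=http://example.invalid/downloads/\r\n"
    b"HostUrl=http://example.invalid/downloads/tool.exe\r\n"
)


@dataclass
class ZoneInfo:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(data: bytes) -> ZoneInfo:
    """Decode raw stream bytes; raise ValueError on anything malformed."""
    # The stream is plain INI text (ANSI, CRLF). Only '=' separates keys from
    # values, so URLs containing ':' must not be split there.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error as exc:
        raise ValueError("not a Zone.Identifier stream: %s" % exc) from exc
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section["ZoneId"])
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or non-numeric ZoneId") from exc
    return ZoneInfo(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "unknown zone %d" % zone_id),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def marks_untrusted_download(data: bytes) -> bool:
    """True when the stream marks the file as coming from an untrusted zone,
    i.e. the very flag the post says malware tries to remove after first run."""
    return parse_zone_identifier(data).zone_id in UNTRUSTED_ZONES


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read the stream from a file on a live Windows/NTFS system. Windows file
    APIs accept the 'file:stream' form, so no special API is needed. Returns
    None when the file carries no such stream (the post's 'bad news' case)."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return stream.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print("ZoneId %d (%s), host %s" % (info.zone_id, info.zone_name, info.host_url))
```

On a live system, `read_zone_identifier(r"C:\Users\someone\Downloads\tool.exe")` returning `None` for an executable you have other reasons to believe was downloaded is exactly the anti-forensics signal described above; a returned stream can be fed to `parse_zone_identifier()` to recover the zone (and, on newer Windows, the referrer and host URLs) for the report.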

:favicon

This is a lesser-known ADS used by Internet Explorer. It acts as a cache and stores the favicon of a web site that the user has bookmarked.

It is stored as Page.url:favicon:$DATA; newer versions of IE also appear to use the form Page.website:favicon:$DATA.

The content is just an .ico file – it can be extracted from a live system using the ‘more’ command:

Previewing the extracted icon in IrfanView (and resizing it, since it’s 16×16 pixels) shows the following picture (in my example, a BMI bookmark):

as shown in the properties window:

The good news: from a forensic perspective this could be interesting information to include in a final report if user activity is discussed. The presence of this ADS indicates that the site the favicon refers to was most likely bookmarked manually by the user (of course, ‘most likely’ in a CYA fashion, since we can’t exclude 100% the possibility of malware adding it).

The bad news: if you want to experiment with this feature, I must warn you that various versions of IE are buggy when it comes to preserving favicons, so the stream may not be present on all versions of IE. I have not done an extensive study, as I don’t have various versions of IE at hand, but quick & dirty experiments show that bookmarks I added under IE8 preserve the :favicon stream while IE9 doesn’t. Again, this is best tested against the particular version of IE in question.

Again, the good news is that if you find it on the analyzed system, you may get some clues from it. And if you don’t find it, well – one less artifact to look at ;)

If you want to play around, use Procmon with the filter ‘Path contains favicon’.

The code responsible for the :favicon ADS can be found in ieframe.dll.
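Because the stream content is supposed to be a plain .ico file, a quick structural check tells you whether what you pulled out of `Page.url:favicon` is usable before you hand it to an image viewer. The following is an added example (not code from the original post) that parses the ICO directory, validates each entry against the stream length and produces a one-line summary for a report. The ICONDIR/ICONDIRENTRY layout is the standard Windows ICO format; `build_sample_ico()` fabricates a 16×16, 32-bpp icon in memory (constructed test data, not a real favicon), and the function names are this example's own.

```python
"""Sanity-check the content of a :favicon ADS extracted from a .url file
(added example; not the post's own code). The ICONDIR/ICONDIRENTRY layout is
the standard Windows ICO format; build_sample_ico() fabricates a 16x16 icon
so the parser can run without a real bookmark at hand."""
import struct
from dataclasses import dataclass
from typing import List

ICONDIR = struct.Struct("<HHH")            # reserved, type (1=ICO, 2=CUR), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


@dataclass
class IconEntry:
    width: int
    height: int
    bit_count: int
    size: int
    offset: int
    payload_kind: str  # "png" (allowed since Vista) or "bmp" (DIB header + pixels)


def parse_ico(data: bytes) -> List[IconEntry]:
    """Parse an ICO directory; raise ValueError if the bytes are not a
    well-formed icon (truncated stream, wrong type, entries past the end)."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICONDIR header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO (reserved=%d, type=%d)" % (reserved, kind))
    if count == 0:
        raise ValueError("ICO directory lists no images")
    entries = []
    for i in range(count):
        off = ICONDIR.size + i * ICONDIRENTRY.size
        if off + ICONDIRENTRY.size > len(data):
            raise ValueError("directory entry %d is truncated" % i)
        w, h, _colours, _res, _planes, bpp, size, img_off = ICONDIRENTRY.unpack_from(data, off)
        if img_off < ICONDIR.size or img_off + size > len(data):
            raise ValueError("image %d lies outside the data" % i)
        kind_str = "png" if data[img_off:img_off + 8] == PNG_MAGIC else "bmp"
        # A zero width/height byte encodes 256 pixels.
        entries.append(IconEntry(w or 256, h or 256, bpp, size, img_off, kind_str))
    return entries


def build_sample_ico() -> bytes:
    """Constructed test data: one 16x16, 32-bpp BMP-style image whose pixel
    and mask bits are all zero."""
    # BITMAPINFOHEADER; biHeight is doubled because the AND mask follows the XOR pixels.
    dib = struct.pack("<IiiHHIIiiII", 40, 16, 32, 1, 32, 0, 0, 0, 0, 0, 0)
    image = dib + bytes(16 * 16 * 4) + bytes(16 * 4)  # XOR pixels + 1-bpp mask rows padded to 4 bytes
    first_image = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(image), first_image)
    return ICONDIR.pack(0, 1, 1) + entry + image


def describe_favicon(data: bytes) -> str:
    """One-line summary suitable for a report, or the reason the stream
    does not look like an icon."""
    try:
        entries = parse_ico(data)
    except ValueError as exc:
        return "not a valid ICO: %s" % exc
    return "; ".join(
        "%dx%d %d-bpp %s (%d bytes)" % (e.width, e.height, e.bit_count, e.payload_kind, e.size)
        for e in entries
    )


if __name__ == "__main__":
    print(describe_favicon(build_sample_ico()))
```

On a live Windows system the stream can be read directly with `open(r"Page.url:favicon", "rb")`, since the file APIs accept the `file:stream` form; pass the bytes to `describe_favicon()` and a ‘not a valid ICO’ result usually means a truncated or empty stream, which matches the IE bugginess described above rather than an interesting artifact.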

:OECustomProperty

This is a stream created by Microsoft Outlook Express/Windows Mail. I don’t have an example at hand.

The code is stored in inetcomm.dll.

:Encryptable

Attached to Thumbs.db files and created when pictures are viewed in Thumbnail mode.

The same directory enumerated for ADS before and after switching to Thumbnail mode:

The code is stored in thumbcache.dll.

Document Properties Stream Name

This is a ‘garbage’ ADS one can see immediately after playing around with the properties of a file stored inside a folder. The best-known one is probably ‘{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}’ (you can often see it in Procmon output).

Creating these is easy – one only needs to, e.g., change the title in the file properties box:

The same directory enumerated for ADS before and after changing the title:

AFP_AfpInfo and AFP_Resource

Macintosh streams, as explained on the Microsoft web site. I don’t have more info about these.

{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

The XPRESS stream is used during Remote Differential Compression, as explained on the Microsoft web site. XPRESS is a compression algorithm, and the streams appear to be used when compressed data is being downloaded. I don’t have more info about this one, and at the moment I don’t know how to create a demo (i.e. show its creation on the system). Googling around, one can come across similarly named streams, e.g.:

  • {59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
  • {59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2