The Curious Case of the Forensic Artifact

May 2, 2012 in Forensic Analysis, Tips & Tricks

Back in March Harlan asked on Twitter if anyone had any information about a Registry value called TrapPollTimeMilliSecs. It triggered my interest and I decided to do some research.

If you run a quick Google search on it, you will find lots of AV reports listing it. At this stage it is tempting to quickly draw the conclusion that it might be used by malware. I was not convinced though, and researched it further. A few minutes later I was able to provide a (hopefully) reasonable explanation of what creates it.

It crossed my mind today that it may be beneficial to explain what I did, so that it will be easier for other investigators to find the source of similar artifacts (if a similar question pops up in the future).

The location

The TrapPollTimeMilliSecs REG_DWORD value is located under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters

and is by default set to

TrapPollTimeMilliSecs = 15000 (0x3a98)

but it doesn’t necessarily exist on a typical system.

The explanation

The TrapPollTimeMilliSecs registry value is set/queried by a DLL called inetmib1.dll, and more precisely by its exported function SnmpExtensionInit. This API is used by only two executables:

  • arp.exe
  • netstat.exe

(it could also be used by other tools of course, but these are the only ones that popped up during the research, which covered OS-specific files only)

Once I found out what .exes are responsible for the artifact, I quickly verified it dynamically:

One important thing to note is that the value is created only if these executables are run from an elevated cmd.exe (on systems requiring it, since the key lives under HKEY_LOCAL_MACHINE).

According to Microsoft’s information about SnmpExtensionInit:

The Microsoft SNMP service calls the SnmpExtensionInit function to initialize the SNMP extension agent DLL. This function is an element of the SNMP Extension Agent API.

I would assume that both netstat and arp, being network utilities, use the function to talk SNMP to devices on the network, but my knowledge of SNMP internals is too limited to conclude anything here. Still, this is most likely enough information to rule this artifact out of the investigation (especially if there are prefetch files for arp.exe and netstat.exe on the system).

The recipe

Prerequisites:

  • Generate strings for all files inside your Windows and system32 directories, e.g. use a simple extension such as *.s to store the strings
  • It is best to keep them as a copy of all the files, together with the strings, so you can play with the files without risking destroying your Windows/system32 directory by accident (it shouldn’t normally happen because of Windows File Protection/ACLs, but well… always work on a copy of the evidence :))
  • If you have more Windows versions available, run strings on all of them and keep the results in separate directories as well

Once you have it in place do as follows:

  • Search (grep/findstr) all *.s files for the string you are looking for, e.g. TrapPollTimeMilliSecs
  • This will narrow down the scope to the list of DLLs/EXEs that create the artifact
  • Load the suspected binaries into a disassembler, e.g. IDA Pro a.k.a. the god of all disassemblers
  • Find references to the string (there can be multiple occurrences)
  • Skim/analyze the code to confirm the data is used by registry functions (and maybe how)
  • Profit (or create meme)

For a very specific (unique name) value it is a pretty quick procedure, a few minutes or so.
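The "strings, then grep" part of the recipe as an added Python example (not code from the original post): a minimal strings extractor that, like the Sysinternals strings tool, picks up both ASCII and UTF-16LE runs, because Windows binaries usually hold registry value names as wide strings that an ASCII-only pass (GNU strings without -e l) would silently miss. The three sample "binaries" are constructed byte blobs written to a temp directory, not real system32 files.

```python
import re
import tempfile
from pathlib import Path

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal 'strings': printable ASCII runs plus UTF-16LE runs, tagged by encoding."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found

def dump_strings(src_dir: Path, out_dir: Path) -> None:
    """Write <name>.s for every file in src_dir: one 'encoding<TAB>string' per line."""
    out_dir.mkdir(parents=True, exist_ok=True)
    for path in src_dir.iterdir():
        if path.is_file():
            lines = [f"{enc}\t{s}\n" for enc, s in extract_strings(path.read_bytes())]
            (out_dir / (path.name + ".s")).write_text("".join(lines), encoding="utf-8")

def find_artifact_sources(out_dir: Path, needle: str) -> dict:
    """The grep step: map each binary whose dump contains needle to the encodings it was seen in."""
    hits = {}
    for sfile in out_dir.glob("*.s"):
        for line in sfile.read_text(encoding="utf-8").splitlines():
            enc, _, s = line.partition("\t")
            if needle in s:
                hits.setdefault(sfile.name[:-2], set()).add(enc)
    return {name: sorted(encs) for name, encs in hits.items()}

def demo() -> dict:
    """Constructed stand-in for a system32 copy (fake blobs, not real Windows files)."""
    root = Path(tempfile.mkdtemp())
    src, out = root / "system32", root / "system32_strings"
    src.mkdir()
    pad = b"\x00\x01\x02\x7f\xff"                       # non-printable filler
    wide = "TrapPollTimeMilliSecs".encode("utf-16-le")  # value name stored as a wide string
    (src / "inetmib1.dll").write_bytes(b"MZ" + pad + wide + b"\x00\x00" + pad + b"SnmpExtensionInit\x00" + pad)
    (src / "snmpapi.dll").write_bytes(b"MZ" + pad + b"SnmpExtensionInit\x00SnmpExtensionQuery\x00" + pad)
    (src / "kernel32.dll").write_bytes(b"MZ" + pad + b"CreateFileW\x00" + pad)
    dump_strings(src, out)
    return {needle: find_artifact_sources(out, needle)
            for needle in ("TrapPollTimeMilliSecs", "SnmpExtensionInit")}

if __name__ == "__main__":
    for needle, sources in demo().items():
        print(needle, "->", sources)
```

Only the UTF-16LE pass finds the value name in the fake inetmib1.dll, while the ASCII export name SnmpExtensionInit turns up in two files, which is exactly the "narrow down, then disassemble" situation the recipe describes.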

Apart from playing around with OS binaries, you may also download ReactOS – grepping its source code is one of the best ways to understand the internal workings of Windows and find out how certain artifacts are created (note that it may not be 100% compatible with Windows, but it may give you hints on where and what to search for).
