Beyond good ol’ Run key, Part 30

April 26, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

Many laptops come with preinstalled packages that enhance user experience by responding to gestures and shortcuts available via a touchpad. One of the most popular packages offering such functionality comes from Synaptics. My old laptop has it preinstalled as well and… that’s how this post was born.

While exploring the options of the program I discovered that you can associate a lot of various actions with buttons and areas/zones of the touchpad. Turns out that one such interesting action is… running an arbitrary program :)

Clicking the Configure button allows us to choose the path to the program:

The same goes for the right button (and also the zones shown at the bottom of the left pane):

Once I had configured these I was able to launch the program of my choice just by playing with the touchpad.

I must mention that this is not a vulnerability – it is just flexibility offered by the program, allowing users to define what they want to do with their computer. But of course it could be abused as a persistence mechanism.

The place in the Registry where these paths are stored is shown below:

  • HKCU\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2

The information about which action should be triggered is stored here:

  • HKCU\Software\Synaptics\SynTP\TouchPadPS2
    • LeftButtonAction = if equal to 0, the default touchpad action is overridden with the action of the plugin defined by the next two entries (LeftButtonPlugInID and LeftButtonPlugInActionID)
    • LeftButtonPlugInID = changed to ‘SynTP’
    • LeftButtonPlugInActionID = if this ActionID is equal to 5, the action is program execution

The right button (and other buttons, if present) as well as the zones all have a similar set of settings (again, their actual availability depends on the touchpad model/hardware); the respective registry entries are:

  • TopLeftCornerPlugInID=
  • TopRightCornerPlugInID=
  • BottomLeftCornerPlugInID=
  • BottomRightCornerPlugInID=
  • LeftButtonPlugInID=
  • MiddleButtonPlugInID=
  • RightButtonPlugInID=
  • UpButtonPlugInID=
  • DownButtonPlugInID=
  • 2FingerTapPlugInID=
  • 3FingerTapPlugInID=
  • ExButton1PlugInID=
  • ExButton2PlugInID=
  • ExButton3PlugInID=
  • ExButton4PlugInID=
  • ExButton5PlugInID=
  • ExButton6PlugInID=
  • ExButton7PlugInID=
  • ExButton8PlugInID=
  • PressToSelectPlugInID=
  • Button5PlugInID=
  • ButtonModePlugInID=
  • 3FingerPressPlugInID=
  • PalmOnPadPlugInID=
  • 2FingerDoubleTapPlugInID=

and each of them has a corresponding ‘ActionID’ setting, e.g.:

  • TopRightCornerPlugInID -> TopRightCornerPlugInActionID

The chances that we will come across it in real cases are pretty low, but I am adding it here for completeness.
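A triage check for this mechanism, added here as an example and not code from the original post: it walks every user hive loaded under HKEY_USERS (HKCU is only the current user's view of one of them) and flags each touchpad trigger whose PlugInActionID equals 5, the value the post maps to program execution. The key paths and value names are the ones listed above; since the post does not name the individual values under the PlugInConfig key, that key's values are returned whole for review.

```powershell
# Added example (not from the original post). Reports Synaptics touchpad
# triggers configured to run a program, per user hive, using the registry
# locations and value names described in the post.
function Get-SynapticsRunTriggers {
    [CmdletBinding()]
    param([int]$ExecActionId = 5)   # ActionID the post associates with program execution

    $actionSub = 'Software\Synaptics\SynTP\TouchPadPS2'
    $configSub = 'Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2'

    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # UsrClass.dat mounts, not the user's Software key

        $actionKey = "Registry::HKEY_USERS\$sid\$actionSub"
        if (-not (Test-Path -LiteralPath $actionKey)) { continue }
        $action = Get-ItemProperty -LiteralPath $actionKey

        # PlugInConfig holds the configured program paths; dump all of its values (key may be absent)
        $configKey = "Registry::HKEY_USERS\$sid\$configSub"
        $config = $null
        if (Test-Path -LiteralPath $configKey) {
            $config = Get-ItemProperty -LiteralPath $configKey | Select-Object -Property * -ExcludeProperty PS*
        }

        # Resolve the SID to an account name where possible; keep the raw SID otherwise
        $account = $sid
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }

        # Every trigger (LeftButton, TopRightCorner, 3FingerTap, ...) has a <Trigger>PlugInActionID value
        $actionIds = $action.PSObject.Properties | Where-Object { $_.Name -like '*PlugInActionID' }
        foreach ($prop in $actionIds) {
            if ([int]$prop.Value -ne $ExecActionId) { continue }
            $trigger = $prop.Name -replace 'PlugInActionID$', ''
            [pscustomobject]@{
                Account      = $account
                Trigger      = $trigger
                PlugInID     = $action.PSObject.Properties["${trigger}PlugInID"].Value
                ActionID     = $prop.Value
                PlugInConfig = $config
            }
        }
    }
}

Get-SynapticsRunTriggers | Format-List
```

Hives of users who are not logged on are not under HKEY_USERS; load their NTUSER.DAT with reg load (or parse it offline) and point the same two subkeys at that mount.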

Introducing filighting and the future of DFIR tools, part 3 – more examples

April 11, 2015 in Clustering, Forensic Analysis, Visualisation

I have been toying around with the script trying it on various folders and the results are quite promising.

Here is a bunch of examples – screenshots + interactive demos. Note that some JSON files may take a long time to load so please be patient.

  • Opera 26
    • Quite a nice graph – all files had at least one reference

cluster_opera26

  • Firefox 35
    • Quite a nice graph as well – all files had at least one reference

cluster_firefox

  • Office 15
    • There are so many files that it is not very readable
    • BUT out of 3K+ files, only 17 didn’t have any reference!

cluster_office15

  • Notepad ++
    • Probably the worst case I have seen so far – lots of clusters and orphaned files

cluster_notepadplus

  • VMWare 11
    • Not too bad, lots of files are referenced, just a few stand out

cluster_vmware