
Introducing filighting and the future of DFIR tools, part 2

April 11, 2015 in Clustering, Forensic Analysis, Software Releases, Visualisation

In my yesterday’s post I described a simple clustering algorithm that could be used to group files that contain references to each other. Today I am posting the source code of the program that generated the data in my last post, together with a demo that shows how powerful such clustering could be if combined with proper visualization techniques.

In the example I have shown, I used a relatively small folder where Total Commander was installed. The resulting cluster looks like this:

[Screenshot: cluster1]

You can play with it interactively here.

Imagine that someone adds files to the Total Commander folder. Since they are not referenced by any other file in this folder, they will create separate clusters. After adding 3 such files:

  • orphan1.txt
  • orphan2.txt
  • orphan3.txt

we get the following clusters:

[Screenshot: cluster2]

You can play with it interactively here (you need to drag the orphans away to get the same result as shown on the screenshot).

Finally, we can imagine that a hacker or a piece of malware creates a couple of files that perhaps reference each other. An example could be:

  • config.bin
  • keystrokes.txt
  • malware.exe – referencing keystrokes.txt and config.bin

If we now cluster this directory, we will get something like this:

[Screenshot: cluster3]

The ‘malware’ files clearly stand out.

You can play with it interactively here (again, you need to drag the nodes away to get the same result as shown on the screenshot).
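The three scenarios above (a referenced application folder, unreferenced orphans, and a small self-referencing group) can be reproduced with a few lines of Python. The script below is an added example, not the filighter script the post links to: it treats a file as referencing another when the other file's name appears in its bytes (delimited by a non-name character), builds an undirected reference graph, and splits it into connected components with union-find. The directory contents are constructed sample data embedded inline; `load_directory` reads a real folder in the same shape.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample directory, modelled on the post's three scenarios:
# a Total Commander-like folder, three orphans, and a small 'malware' group.
SAMPLE_FILES = {
    "TOTALCMD.EXE": b"loads WCMICONS.DLL, reads WINCMD.INI and opens TOTALCMD.CHM for help",
    "WCMICONS.DLL": b"icon resources",
    "WINCMD.INI": b"[Configuration]\nIconLib=WCMICONS.DLL\n",
    "TOTALCMD.CHM": b"help text",
    "orphan1.txt": b"nothing here",
    "orphan2.txt": b"nothing here either",
    "orphan3.txt": b"still nothing",
    "config.bin": b"\x00\x01\x02",
    "keystrokes.txt": b"",
    "malware.exe": b"writes keystrokes.txt, reads config.bin",
}


def load_directory(path):
    """Read every regular file directly under `path` into {name: bytes}."""
    return {
        entry.name: entry.read_bytes()
        for entry in Path(path).iterdir()
        if entry.is_file()
    }


def find_references(files):
    """Map each file name to the set of sibling names found inside its bytes.

    Matching is case-insensitive and requires the name to be delimited by a
    character that cannot be part of a file name, so '1.rar' does not match
    inside 'orphan1.rar'. Binary content is decoded as latin-1 so every byte
    value is representable.
    """
    texts = {name: data.decode("latin-1").lower() for name, data in files.items()}
    patterns = {
        name: re.compile(
            r"(?<![A-Za-z0-9_.\-])" + re.escape(name.lower()) + r"(?![A-Za-z0-9_.\-])"
        )
        for name in files
    }
    refs = {}
    for name, text in texts.items():
        refs[name] = {
            other for other, pattern in patterns.items()
            if other != name and pattern.search(text)
        }
    return refs


def cluster_files(files):
    """Group files into connected components of the (undirected) reference graph.

    Returns a list of sorted name lists, largest cluster first; ties and the
    singleton orphans are ordered alphabetically so the output is stable.
    """
    refs = find_references(files)
    parent = {name: name for name in refs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for source, targets in refs.items():
        for target in targets:
            root_s, root_t = find(source), find(target)
            if root_s != root_t:
                parent[root_s] = root_t

    groups = defaultdict(set)
    for name in refs:
        groups[find(name)].add(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def small_clusters(clusters, max_size=3):
    """Clusters at or below `max_size`: the orphans and small groups that 'stand out'."""
    return [c for c in clusters if len(c) <= max_size]


if __name__ == "__main__":
    for group in cluster_files(SAMPLE_FILES):
        print(len(group), group)
```

Run it on a real folder with `cluster_files(load_directory(r"C:\Program Files\totalcmd"))`; the threshold in `small_clusters` is the part to tune, since a large application folder will have one dominant component and anything much smaller than it is worth a look.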

For more examples see part 3.

I believe there are a lot of opportunities in leveraging clustering to reduce the amount of data we need to analyze and to improve user experience by introducing new ways to look at data. There are a lot of visualization techniques that are not used in forensic software today and it is a pity. Clustering adds an extra dimension on top of the timeline and the structure imposed by the organization of a file system – we can only hope that forensic software of the future will take this into account.

For inspiration and really amazing examples of visualization go to https://github.com/mbostock/d3/wiki/Gallery. I used the very same script to create the interactive demos referenced by this post.

The source code of the filighter script that generates these clusters is here.

Detecting APT remnants in $MFT

February 18, 2015 in Compromise Detection, Forensic Analysis, HCD, Malware Analysis, Software Releases

In a post from 2012 I introduced a simple tool that scans $MFT for traces of Flame.

Today I decided to update the list of file names the tool recognizes to include:

  • the latest in many APT campaigns – credit goes to kbandla @ https://github.com/kbandla/APTnotes/
  • some tools typically used by hackers (their full and short file names)
  • ‘stashed data’ file names e.g. ‘1.rar’
  • other file names commonly used by hackers [lots of generic names]

This is an experimental tool so do not jump if you see something in RED (well, you should not anyway, cuz it could mean you got pwned).

Just assess it and take it from there – look for the file names highlighted by HCD on your drive. If you can’t find them, use a forensic tool to export a full list of file names. p.s. I will add a feature to include full paths in future versions – code is ready, but needs some more polishing.

In any case, if you see something red you should probably look at your system anyway… If you find bugs or false positives, pls let me know. Thanks.

Download the tool from here.
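The core of a check like HCD's is a name-matching pass over the list of file names recovered from $MFT. The Python below is an added example, not HCD's code or its real name list: it keeps a small constructed watchlist in the post's categories (hacker tools, 'stashed data' names, APT campaign artefacts, the last one a placeholder rather than a real indicator), matches both the full name and an approximate 8.3 short name so that an entry written as `APTSAM~1.EXE` is still caught, and flags numbered archives like `1.rar` with a pattern that is my assumption, not HCD's. The $MFT file list is constructed inline; in practice you would feed it the export described in the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed watchlist (NOT HCD's list). Names taken from the post plus one
# obvious placeholder standing in for a campaign-specific file name.
WATCHLIST = {
    "hacker-tool": {"ollydbg.exe", "bintext.exe"},
    "stashed-data": {"1.rar"},
    "apt-campaign": {"apt-sample-placeholder.exe"},  # placeholder, not a real IOC
}

# Assumption: a short numeric archive name (1.rar, 2.zip, ...) is treated as
# 'stashed data' even when it is not literally in the watchlist.
STASH_PATTERN = re.compile(r"^\d{1,3}\.(rar|zip|7z)$", re.IGNORECASE)


def short_name(name):
    """Approximate the Windows 8.3 short name of `name`.

    Names that already fit 8.3 (no illegal characters, stem <= 8, ext <= 3)
    are returned upper-cased; others get the usual 6-char stem + '~1'. Real
    NTFS numbering (~2, ~3, ...) depends on collisions in the directory, so
    this is a best-effort approximation, not the kernel's algorithm.
    """
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    clean_stem = re.sub(r"[^A-Z0-9]", "", stem.upper())
    clean_ext = re.sub(r"[^A-Z0-9]", "", ext.upper())[:3]
    suffix = "." + clean_ext if clean_ext else ""
    fits_83 = (
        len(clean_stem) <= 8
        and clean_stem == stem.upper()
        and clean_ext == ext.upper()
    )
    if fits_83:
        return clean_stem + suffix
    return clean_stem[:6] + "~1" + suffix


def build_index(watchlist):
    """Lower-cased lookup of full and short forms -> (category, watchlist name)."""
    index = {}
    for category, names in watchlist.items():
        for name in names:
            index[name.lower()] = (category, name)
            index[short_name(name).lower()] = (category, name)
    return index


def scan(paths, watchlist=WATCHLIST):
    """Return (path, category, matched name) for every path whose base name hits."""
    index = build_index(watchlist)
    hits = []
    for path in paths:
        base = PureWindowsPath(path).name
        key = base.lower()
        if key in index:
            category, name = index[key]
            hits.append((path, category, name))
        elif STASH_PATTERN.match(base):
            hits.append((path, "stashed-data", base))
    return hits


# Constructed stand-in for a file list exported from $MFT.
SAMPLE_MFT_NAMES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Tools\OllyDbg\ollydbg.exe",
    r"C:\Users\bob\AppData\Local\Temp\APTSAM~1.EXE",
    r"C:\Users\bob\Desktop\2.rar",
    r"C:\Program Files\Notepad++\notepad++.exe",
]


if __name__ == "__main__":
    for path, category, name in scan(SAMPLE_MFT_NAMES):
        print(f"RED [{category}] {path}  (matched {name})")
```

As the post says, a hit is a lead, not a verdict: a reversing tool in a Tools folder is expected on an analyst's machine, so keep the category with each hit and triage the generic names separately from the campaign-specific ones.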

Example:

HCD run on a system where the DoubleFantasy installer was executed previously; the system also contains various reversing tools, e.g. ollydbg.exe and bintext.exe:

[Screenshot: HCD output]

Last, but not least, I am aware of some bugs, but better have something than nothing to fight clowns writing malware for governments…

What’s next?

If you suspect something ‘funny’ you can use the following tools to extract a full filelist from $MFT:

Another way to test your system is by running LOKI by Florian Roth – a tool that scans your system for IOCs (Indicators Of Compromise) for many well-known APT campaigns.