Doing things faster

November 25, 2013 in Tips & Tricks

Every once in a while I ask myself a question – what can I do to work faster?

I strongly believe that complacency, a.k.a. resting on one’s laurels, is the biggest enemy of productivity; therefore, once in a while I go on a journey to hunt for tips and tweaks that can improve my work environment. These come in a variety of forms – better hardware, newer software, alternative software, or… changing habits.

Here is a bunch of tips that you may find useful – some are old, some are new, but all of them are tested and work in practice (note: they are all workstation- and Windows-centric). This is a direct continuation of my two older posts on how to speed up case processing, so obviously some repetition is unavoidable :)

Here it goes…

  • See more
    • Use at least two computer screens; I can’t imagine working with a single screen anymore. Whether it is a programming, forensic analysis or reversing session, it’s always good to have more space for information
  • See less
    • If you do a lot of multitasking, use virtual desktops – there are lots of programs that help create virtual desktops, but the one that IMHO nails it is VirtuaWin
    • If you use multiple computers, use RDP instead of separate screens
    • If you work at night, use f.lux
  • Multiple computers
    • If you must use multiple computers, you can use Synergy to share one keyboard and mouse
  • Speeding-up data transfers
    • Invest in a fast CPU and more memory
    • Invest in an SSD and USB 3.0
  • Killer-apps
    • Kill your Windows Explorer – it is the worst GUI for working with files; use Total Commander or FAR
    • Use PureText to copy & paste text w/o formatting
    • Use Sizer to resize any window to an exact, predefined size – this is handy when you write reports and want to use normalized screenshots’ sizes
    • Migrate most of your tools to their portable versions; it’s very handy when you change the computer or travel (can always have the most up to date version of your software/settings w/o relying on cloud)
  • Virtualization
    • Build a fresh clone of your ‘working’ image once in a while – not only a good chance to update software, but also set up/fix settings that you find annoying (if you catch yourself doing the same thing over and over again after you revert to a snapshot -> fix the image!)
    • Move the most frequently used images to SSD drive
    • Turn the speaker off for all virtual machines – it is pretty annoying, and the link I provide allows you to disable it for all images
  • SSD optimization
    • Remove the hibernation file – if you don’t use hibernation, just run powercfg -H OFF – this may give you a few good GiBs back
    • Remove the pagefile.sys file – if you have enough memory, you don’t need a pagefile
    • Use junctions – for some reason Microsoft drops tons of rarely used files on the %SystemDrive%, e.g. inside %SystemRoot%\Installer or %SystemDrive%\ProgramData\ or their subfolders – these files can’t simply be deleted, but they ‘steal’ precious SSD space; in order to gain that space back, you can use junctions to move all this rarely used stuff to a slower partition (use mklink)
    • Install less-often used software to other partitions
    • Do a clean up once in a while
  • Regionalization
    • Change the date/time format to YYYY-MM-DD hh:mm:ss in both the Regional Settings of your OS and your forensic software, e.g. EnCase; it makes a HUGE difference when you look at timelines
  • Fonts
  • Reading
    • If you read PDFs, swap Acrobat with Sumatra
  • .NET decompiling
    • ILSpy does it pretty well
  • Regedit
    • Add Favorites for the most commonly used registry keys – you can use RegJump from Sysinternals to quickly navigate to a specific key
  • IDA, Hex-Rays Decompiler & OllyDbg
    • Build a habit of collecting plugins and scripts – even if not immediately useful, the source code of an existing script/plug-in can save you a lot of coding time; the Hex-Rays Plug-In Contest is a good place to pick up a few plugins (note: some of them crash randomly – it’s not production-ready code, so it is best to have them disabled by default and enable them when you need them; some of these plugins also slow down decompiling)
  • Procmon/Regmon/Filemon
    • Build a list of filters and save it
    • Add highlighting for operations that modify things (e.g. write operations)
  • Process Explorer
    • Let’s face it – it has to be retired as it’s way behind Process Hacker
    • If you really need to use it: on a 64-bit system, Process Explorer (which always starts as a 32-bit process) extracts the 64-bit version of itself and then runs it; you can extract this 64-bit version directly from the 32-bit .exe and rename it procexp.exe; alternatively, run the 32-bit Process Explorer and then copy the 64-bit version from the Temp folder – next time you run procexp.exe, you will run the 64-bit version directly, which is always one process less to run
  • Temp folder
    • Clean up the temp folder regularly; some forensic software drops large files into your temp folder and they just stay there
  • Chrome cache
    • If you use Chrome and download large files, the temp/cache files end up stored in the program’s directory forever; it’s a good habit to have a look at it once in a while and remove them (look for a ‘File System’ folder)

Finding Alternate Data Streams (ADS) with HMFT

October 4, 2012 in Compromise Detection, Forensic Analysis, HMFT, Malware Analysis, Tips & Tricks

Finding Alternate Data Streams (ADS) on the whole drive may be quite time consuming, so in this quick post I will show you how to do it faster with HMFT.

As you probably know, the latest version of HMFT supports listing basic attributes directly from the $MFT – from both images and live systems. Among the features it currently supports is showing the type of an attribute and its name. It turns out that this is enough information to find out which named DATA streams are hidden inside the FILE records – and this is essentially what ADSs are.

So…

First, let’s test how HMFT shows ADS-related data:

  • First, let’s create a few sample ADSs
echo > f:\test
echo > f:\test:ads
echo > f:\test:ads2
echo > f:\test:ads3
  • Next, we run HMFT over the drive and save the output to a file
hmft -l f: f_mft.txt
  • Finally, let’s see the content of the file – scroll down to see the file name, the first unnamed DATA attribute, and then the 3 named DATA attributes that follow it – the ADS names:
  [FILE]
    SignatureD                    = 1162627398
    OffsetToFixupArrayW           = 48
    NumberOfEntriesInFixupArrayW  = 3
    LogFileSequenceNumberQ        = 4204637
    SequenceValueW                = 1
    LinkCountW                    = 1
    OffsetToFirstAttributeW       = 56
    FlagsW                        = 1
    UsedSizeOfMFTEntryD           = 448
    AllocatedSizeOfMFTEntryD      = 1024
    FileReferenceToBaseRecordQ    = 0
    NextAttributeIdD              = 6
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 16
      LengthOfAttributeD       = 96
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 0
      FlagsW                   = 0
      AttributeIdentifierW     = 0
      --
      SizeOfContentD          = 72
      OffsetToContentW        = 24
      --
        MFTA_STANDARD_INFORMATION
            CreationTimeQ         = 129938289425003390
            ModificationTimeQ     = 129938289502223390
            MFTModificationTimeQ  = 129938289502223390
            AccessTimeQ           = 129938289425003390
            FlagsD                = 32
            MaxNumOfVersionsD     = 0
            VersionNumberD        = 0
            ClassIdD              = 0
            OwnerIdD              = 0
            SecurityIdD           = 261
            QuotaQ                = 0
            USNQ                  = 0
            CreationTime (epoch)    = 1349355342
            ModificationTime (epoch)  = 1349355350
            MFTModificationTime (epoch)  = 1349355350
            AccessTime (epoch)           = 1349355342
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 48
      LengthOfAttributeD       = 104
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 0
      FlagsW                   = 0
      AttributeIdentifierW     = 2
      --
      SizeOfContentD          = 74
      OffsetToContentW        = 24
      --
        MFTA_FILE_NAME
            ParentID6             = 5
            ParentUseIndexW       = 5
            CreationTimeQ         = 129938289425003390
            ModificationTimeQ     = 129938289425003390
            MFTModificationTimeQ  = 129938289425003390
            AccessTimeQ           = 129938289425003390
            CreationTime (epoch)    = 1349355342
            ModificationTime (epoch)  = 1349355342
            MFTModificationTime (epoch)  = 1349355342
            AccessTime (epoch)           = 1349355342
            AllocatedSizeQ        = 0
            RealSizeQ             = 0
            FlagsD                = 32
            ReparseValueD         = 0
            LengthOfNameB         = 4
            NameSpaceB            = 3
     FileName = test
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 40
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 1
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 24
      --
        MFTA_DATA
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 3
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 3
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 4
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 4
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads2
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 4
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 5
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads3


  • Knowing all this, we can quickly put together a Perl script that walks through the data and picks up all ADSs from the output file:
use strict;
use warnings;
my $f = '';   # file name of the FILE record currently being walked
my $l = '';   # previous line, used to pair AttributeName with MFTA_DATA
while (<>)
{
  s/[\r\n]+//g;
  # remember the base file name from the FILE_NAME attribute
  $f = $1 if /FileName = (.+)$/;
  # an AttributeName directly following an MFTA_DATA marker is a named $DATA stream, i.e. an ADS
  print "$f:$1\n" if ($l =~ /MFTA_DATA/ && /AttributeName = (.+)$/);
  $l = $_;
}
  • Save it as ads.pl
  • Run it using the following syntax
perl ads.pl <hmft output>

e.g.:

perl ads.pl f_mft.txt

The output for the example file system is:

$Repair:$Config
test:ads
test:ads2
test:ads3

I suggest running a test on your local drives – you are probably going to be quite surprised :-)

Not only may you find plenty of files with ADSs, but you may also get to know lesser-known legitimate ADSs – many of them I have listed previously, plus a few more, e.g. internal ADSs used by the OS:

  • $Info in $UpCase:$Info
  • $Config in $Repair:$Config
  • $Max in $UsnJrnl:$Max

and also Mac-related streams (resource forks) added by Safari (kind of the equivalents of IE’s Zone.Identifier)

  • com.apple.quarantine
  • com.apple.metadata:kMDItemWhereFroms

Note on a small bug here: with a larger number of ADSs, the ads.pl script will show incorrect entries, because ADS attributes that don’t fit within one FILE record are stored in another record without a FILE_NAME attribute, hence the associated file name will be wrong. Some may also be stored under an ATTRIBUTE_LIST, which is not supported by HMFT yet.
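As an added example (not part of the original post or of HMFT), here is a Python rewrite of the ads.pl logic that resets its state at every [FILE] header, so a named DATA attribute in a record that has no FILE_NAME attribute is reported against its base record number instead of the previous file’s name, which is the misattribution described in the note above. The sample input is constructed in HMFT’s text layout, and the MFT#<n> labelling is a convention of this example, not HMFT output.

```python
import re
import sys

# Constructed sample in HMFT's text layout, trimmed to the lines the parser reads
# (not real tool output). Record 1 is a base record with one named $DATA stream;
# record 2 has no FILE_NAME attribute and points at base record 42 (sequence 1).
SAMPLE_HMFT_OUTPUT = """\
  [FILE]
    FileReferenceToBaseRecordQ    = 0
        MFTA_FILE_NAME
     FileName = test
        MFTA_DATA
    AttributeName = ads
  [FILE]
    FileReferenceToBaseRecordQ    = 281474976710698
        MFTA_DATA
    AttributeName = ads2
"""

def find_ads(lines):
    """Return (owner, stream) pairs for every named $DATA attribute.

    As in ads.pl, a stream is an AttributeName line right after an MFTA_DATA marker.
    Unlike ads.pl, state resets at every [FILE] header, so a record without a
    FILE_NAME attribute is reported as MFT#<base record number> (low 48 bits of
    FileReferenceToBaseRecordQ) instead of inheriting the previous file's name.
    """
    found, file_name, base_ref, prev = [], None, 0, ""
    for raw in lines:
        line = raw.strip()
        if line == "[FILE]":
            file_name, base_ref = None, 0
        elif m := re.match(r"FileReferenceToBaseRecordQ\s*=\s*(\d+)$", line):
            base_ref = int(m.group(1))
        elif m := re.match(r"FileName\s*=\s*(.+)$", line):
            file_name = m.group(1)
        elif (m := re.match(r"AttributeName\s*=\s*(.+)$", line)) and "MFTA_DATA" in prev:
            owner = file_name if file_name is not None else f"MFT#{base_ref & 0xFFFFFFFFFFFF}"
            found.append((owner, m.group(1)))
        prev = line
    return found

def format_ads(text):
    """Render pairs as file:stream lines, the shape ads.pl prints."""
    return [f"{owner}:{stream}" for owner, stream in find_ads(text.splitlines())]

if __name__ == "__main__":
    # Usage: python hmft_ads.py f_mft.txt (runs on the sample when no file is given)
    text = SAMPLE_HMFT_OUTPUT if len(sys.argv) < 2 else open(sys.argv[1], errors="replace").read()
    print("\n".join(format_ads(text)))
```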